No OneTemporary
Actions

Size

102 KB

Referenced Files

None

订阅者

None

View Options

	diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
	index 177a5304..c4b22506 100755
	--- a/data/Dockerfiles/watchdog/watchdog.sh
	+++ b/data/Dockerfiles/watchdog/watchdog.sh
	@@ -1,1126 +1,1126 @@
	#!/bin/bash

	trap "exit" INT TERM
	trap "kill 0" EXIT

	# Prepare
	BACKGROUND_TASKS=()
	echo "Waiting for containers to settle..."
	sleep 30

	if [[ "${USE_WATCHDOG}" =~ ^([nN][oO]\|[nN])+$ ]]; then
	echo -e "$(date) - USE_WATCHDOG=n, skipping watchdog..."
	sleep 365d
	exec $(readlink -f "$0")
	fi

	# Checks pipe their corresponding container name in this pipe
	if [[ ! -p /tmp/com_pipe ]]; then
	mkfifo /tmp/com_pipe
	fi

	# Wait for containers
	while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
	echo "Waiting for SQL..."
	sleep 2
	done

	# Do not attempt to write to slave
	if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
	REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
	else
	REDIS_CMDLINE="redis-cli -h redis -p 6379"
	fi

	until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
	echo "Waiting for Redis..."
	sleep 2
	done

	${REDIS_CMDLINE} DEL F2B_RES > /dev/null

	# Common functions
	get_ipv6(){
	local IPV6=
	local IPV6_SRCS=
	local TRY=
	IPV6_SRCS[0]="ip6.mailcow.email"
	IPV6_SRCS[1]="ip6.nevondo.com"
	until [[ ! -z ${IPV6} ]] \|\| [[ ${TRY} -ge 10 ]]; do
	IPV6=$(curl --connect-timeout 3 -m 10 -L6s ${IPV6_SRCS[$RANDOM % ${#IPV6_SRCS[@]} ]} \| grep "^$[0-9a-fA-F]\{0,4\}:$\{1,7\}[0-9a-fA-F]\{0,4\}$")
	[[ ! -z ${TRY} ]] && sleep 1
	TRY=$((TRY+1))
	done
	echo ${IPV6}
	}

	array_diff() {
	# https://stackoverflow.com/questions/2312762, Alex Offshore
	eval local ARR1=$\"\${$2[@]}\"$
	eval local ARR2=$\"\${$3[@]}\"$
	local IFS=$'\n'
	mapfile -t $1 < <(comm -23 <(echo "${ARR1[]}" \| sort) <(echo "${ARR2[]}" \| sort))
	}

	progress() {
	SERVICE=${1}
	TOTAL=${2}
	CURRENT=${3}
	DIFF=${4}
	[[ -z ${DIFF} ]] && DIFF=0
	[[ -z ${TOTAL} \|\| -z ${CURRENT} ]] && return
	[[ ${CURRENT} -gt ${TOTAL} ]] && return
	[[ ${CURRENT} -lt 0 ]] && CURRENT=0
	PERCENT=$(( 200 * ${CURRENT} / ${TOTAL} % 2 + 100 * ${CURRENT} / ${TOTAL} ))
	${REDIS_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"service\":\"${SERVICE}\",\"lvl\":\"${PERCENT}\",\"hpnow\":\"${CURRENT}\",\"hptotal\":\"${TOTAL}\",\"hpdiff\":\"${DIFF}\"}" > /dev/null
	log_msg "${SERVICE} health level: ${PERCENT}% (${CURRENT}/${TOTAL}), health trend: ${DIFF}" no_redis
	# Return 10 to indicate a dead service
	[ ${CURRENT} -le 0 ] && return 10
	}

	log_msg() {
	if [[ ${2} != "no_redis" ]]; then
	${REDIS_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${1}" \| \
	tr '\r\n%&;$"_[]{}-' ' ')\"}" > /dev/null
	fi
	echo $(date) $(printf '%s\n' "${1}")
	}

	function mail_error() {
	THROTTLE=
	[[ -z ${1} ]] && return 1
	# If exists, body will be the content of "/tmp/${1}", even if ${2} is set
	[[ -z ${2} ]] && BODY="Service was restarted on $(date), please check your mailcow installation." \|\| BODY="$(date) - ${2}"
	# If exists, mail will be throttled by argument in seconds
	[[ ! -z ${3} ]] && THROTTLE=${3}
	if [[ ! -z ${THROTTLE} ]]; then
	TTL_LEFT="$(${REDIS_CMDLINE} TTL THROTTLE_${1} 2> /dev/null)"
	if [[ "${TTL_LEFT}" == "-2" ]]; then
	# Delay key not found, setting a delay key now
	${REDIS_CMDLINE} SET THROTTLE_${1} 1 EX ${THROTTLE}
	else
	log_msg "Not sending notification email now, blocked for ${TTL_LEFT} seconds..."
	return 1
	fi
	fi
	WATCHDOG_NOTIFY_EMAIL=$(echo "${WATCHDOG_NOTIFY_EMAIL}" \| sed 's/"//;s\|"$\|\|')
	# Some exceptions for subject and body formats
	if [[ ${1} == "fail2ban" ]]; then
	SUBJECT="${BODY}"
	BODY="Please see netfilter-mailcow for more details and triggered rules."
	else
	- SUBJECT="Watchdog ALERT: ${1}"
	+ SUBJECT="${WATCHDOG_SUBJECT}: ${1}"
	fi
	IFS=',' read -r -a MAIL_RCPTS <<< "${WATCHDOG_NOTIFY_EMAIL}"
	for rcpt in "${MAIL_RCPTS[@]}"; do
	RCPT_DOMAIN=
	#RCPT_MX=
	RCPT_DOMAIN=$(echo ${rcpt} \| awk -F @ {'print $NF'})
	# Latest smtp-cli looks up mx via dns
	#RCPT_MX=$(dig +short ${RCPT_DOMAIN} mx \| sort -n \| awk '{print $2; exit}')
	#if [[ -z ${RCPT_MX} ]]; then
	# log_msg "Cannot determine MX for ${rcpt}, skipping email notification..."
	# return 1
	#fi
	[ -f "/tmp/${1}" ] && BODY="/tmp/${1}"
	timeout 10s ./smtp-cli --missing-modules-ok \
	--charset=UTF-8 \
	--subject="${SUBJECT}" \
	--body-plain="${BODY}" \
	--add-header="X-Priority: 1" \
	--to=${rcpt} \
	--from="watchdog@${MAILCOW_HOSTNAME}" \
	--hello-host=${MAILCOW_HOSTNAME} \
	--ipv4
	#--server="${RCPT_MX}"
	log_msg "Sent notification email to ${rcpt}"
	done
	}

	get_container_ip() {
	# ${1} is container
	CONTAINER_ID=()
	CONTAINER_IPS=()
	CONTAINER_IP=
	LOOP_C=1
	until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] \|\| [[ ${LOOP_C} -gt 5 ]]; do
	if [ ${IP_BY_DOCKER_API} -eq 0 ]; then
	CONTAINER_IP=$(dig a "${1}" +short)
	else
	sleep 0.5
	# get long container id for exact match
	CONTAINER_ID=($(curl --silent --insecure https://dockerapi/containers/json \| jq -r ".[] \| {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" \| jq -rc "select( .name \| tostring == \"${1}\") \| select( .project \| tostring \| contains(\"${COMPOSE_PROJECT_NAME,,}\")) \| .id"))
	# returned id can have multiple elements (if scaled), shuffle for random test
	CONTAINER_ID=($(printf "%s\n" "${CONTAINER_ID[@]}" \| shuf))
	if [[ ! -z ${CONTAINER_ID} ]]; then
	for matched_container in "${CONTAINER_ID[@]}"; do
	CONTAINER_IPS=($(curl --silent --insecure https://dockerapi/containers/${matched_container}/json \| jq -r '.NetworkSettings.Networks[].IPAddress'))
	for ip_match in "${CONTAINER_IPS[@]}"; do
	# grep will do nothing if one of these vars is empty
	[[ -z ${ip_match} ]] && continue
	[[ -z ${IPV4_NETWORK} ]] && continue
	# only return ips that are part of our network
	if ! grep -q ${IPV4_NETWORK} <(echo ${ip_match}); then
	continue
	else
	CONTAINER_IP=${ip_match}
	break
	fi
	done
	[[ ! -z ${CONTAINER_IP} ]] && break
	done
	fi
	fi
	LOOP_C=$((LOOP_C + 1))
	done
	[[ ${LOOP_C} -gt 5 ]] && echo 240.0.0.0 \|\| echo ${CONTAINER_IP}
	}

	# One-time check
	if grep -qi "$(echo ${IPV6_NETWORK} \| cut -d: -f1-3)" <<< "$(ip a s)"; then
	if [[ -z "$(get_ipv6)" ]]; then
	mail_error "ipv6-config" "enable_ipv6 is true in docker-compose.yml, but an IPv6 link could not be established. Please verify your IPv6 connection."
	fi
	fi

	external_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${EXTERNAL_CHECKS_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	GUID=$(mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'GUID'" -BN)
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	err_c_cur=${err_count}
	CHECK_REPONSE="$(curl --connect-timeout 3 -m 10 -4 -s https://checks.mailcow.email -X POST -dguid=${GUID} 2> /dev/null)"
	if [[ ! -z "${CHECK_REPONSE}" ]] && [[ "$(echo ${CHECK_REPONSE} \| jq -r .response)" == "critical" ]]; then
	echo ${CHECK_REPONSE} \| jq -r .out > /tmp/external_checks
	err_count=$(( ${err_count} + 1 ))
	fi
	CHECK_REPONSE6="$(curl --connect-timeout 3 -m 10 -6 -s https://checks.mailcow.email -X POST -dguid=${GUID} 2> /dev/null)"
	if [[ ! -z "${CHECK_REPONSE6}" ]] && [[ "$(echo ${CHECK_REPONSE6} \| jq -r .response)" == "critical" ]]; then
	echo ${CHECK_REPONSE} \| jq -r .out > /tmp/external_checks
	err_count=$(( ${err_count} + 1 ))
	fi
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "External checks" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 60
	else
	diff_c=0
	sleep $(( ( RANDOM % 20 ) + 120 ))
	fi
	done
	return 1
	}

	nginx_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${NGINX_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/nginx-mailcow; echo "$(tail -50 /tmp/nginx-mailcow)" > /tmp/nginx-mailcow
	host_ip=$(get_container_ip nginx-mailcow)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u / -p 8081 2>> /tmp/nginx-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Nginx" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	unbound_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${UNBOUND_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/unbound-mailcow; echo "$(tail -50 /tmp/unbound-mailcow)" > /tmp/unbound-mailcow
	host_ip=$(get_container_ip unbound-mailcow)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_dns -s ${host_ip} -H stackoverflow.com 2>> /tmp/unbound-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	DNSSEC=$(dig com +dnssec \| egrep 'flags:.+ad')
	if [[ -z ${DNSSEC} ]]; then
	echo "DNSSEC failure" 2>> /tmp/unbound-mailcow 1>&2
	err_count=$(( ${err_count} + 1))
	else
	echo "DNSSEC check succeeded" 2>> /tmp/unbound-mailcow 1>&2
	fi
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Unbound" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	redis_checks() {
	# A check for the local redis container
	err_count=0
	diff_c=0
	THRESHOLD=${REDIS_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/redis-mailcow; echo "$(tail -50 /tmp/redis-mailcow)" > /tmp/redis-mailcow
	host_ip=$(get_container_ip redis-mailcow)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_tcp -4 -H redis-mailcow -p 6379 -E -s "PING\n" -q "QUIT" -e "PONG" 2>> /tmp/redis-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Redis" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	mysql_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${MYSQL_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/mysql-mailcow; echo "$(tail -50 /tmp/mysql-mailcow)" > /tmp/mysql-mailcow
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_mysql -s /var/run/mysqld/mysqld.sock -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} 2>> /tmp/mysql-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	/usr/lib/nagios/plugins/check_mysql_query -s /var/run/mysqld/mysqld.sock -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} -q "SELECT COUNT(*) FROM information_schema.tables" 2>> /tmp/mysql-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "MySQL/MariaDB" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	mysql_repl_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${MYSQL_REPLICATION_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/mysql_repl_checks; echo "$(tail -50 /tmp/mysql_repl_checks)" > /tmp/mysql_repl_checks
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_mysql_slavestatus.sh -S /var/run/mysqld/mysqld.sock -u root -p ${DBROOT} 2>> /tmp/mysql_repl_checks 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "MySQL/MariaDB replication" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 60
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	sogo_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${SOGO_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/sogo-mailcow; echo "$(tail -50 /tmp/sogo-mailcow)" > /tmp/sogo-mailcow
	host_ip=$(get_container_ip sogo-mailcow)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u /SOGo.index/ -p 20000 -R "SOGo\.MainUI" 2>> /tmp/sogo-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "SOGo" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	postfix_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${POSTFIX_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/postfix-mailcow; echo "$(tail -50 /tmp/postfix-mailcow)" > /tmp/postfix-mailcow
	host_ip=$(get_container_ip postfix-mailcow)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 589 -f "watchdog@invalid" -C "RCPT TO:watchdog@localhost" -C DATA -C . -R 250 2>> /tmp/postfix-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	/usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 589 -S 2>> /tmp/postfix-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Postfix" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	clamd_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${CLAMD_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/clamd-mailcow; echo "$(tail -50 /tmp/clamd-mailcow)" > /tmp/clamd-mailcow
	host_ip=$(get_container_ip clamd-mailcow)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_clamd -4 -H ${host_ip} 2>> /tmp/clamd-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Clamd" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 120 ) + 20 ))
	fi
	done
	return 1
	}

	dovecot_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${DOVECOT_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/dovecot-mailcow; echo "$(tail -50 /tmp/dovecot-mailcow)" > /tmp/dovecot-mailcow
	host_ip=$(get_container_ip dovecot-mailcow)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 24 -f "watchdog@invalid" -C "RCPT TO:<watchdog@invalid>" -L -R "User doesn't exist" 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	/usr/lib/nagios/plugins/check_imap -4 -H ${host_ip} -p 993 -S -e "OK " 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	/usr/lib/nagios/plugins/check_imap -4 -H ${host_ip} -p 143 -e "OK " 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	/usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 10001 -e "VERSION" 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	/usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 4190 -e "Dovecot ready" 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Dovecot" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	dovecot_repl_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${DOVECOT_REPL_THRESHOLD}
	D_REPL_STATUS=$(redis-cli -h redis -r GET DOVECOT_REPL_HEALTH)
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	err_c_cur=${err_count}
	D_REPL_STATUS=$(redis-cli --raw -h redis GET DOVECOT_REPL_HEALTH)
	if [[ "${D_REPL_STATUS}" != "1" ]]; then
	err_count=$(( ${err_count} + 1 ))
	fi
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Dovecot replication" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 60
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	cert_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=7
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/certcheck; echo "$(tail -50 /tmp/certcheck)" > /tmp/certcheck
	host_ip_postfix=$(get_container_ip postfix)
	host_ip_dovecot=$(get_container_ip dovecot)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_smtp -H ${host_ip_postfix} -p 589 -4 -S -D 7 2>> /tmp/certcheck 1>&2; err_count=$(( ${err_count} + $? ))
	/usr/lib/nagios/plugins/check_imap -H ${host_ip_dovecot} -p 993 -4 -S -D 7 2>> /tmp/certcheck 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Primary certificate expiry check" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	# Always sleep 5 minutes, mail notifications are limited
	sleep 300
	done
	return 1
	}

	phpfpm_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${PHPFPM_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/php-fpm-mailcow; echo "$(tail -50 /tmp/php-fpm-mailcow)" > /tmp/php-fpm-mailcow
	host_ip=$(get_container_ip php-fpm-mailcow)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_tcp -H ${host_ip} -p 9001 2>> /tmp/php-fpm-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	/usr/lib/nagios/plugins/check_tcp -H ${host_ip} -p 9002 2>> /tmp/php-fpm-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "PHP-FPM" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	ratelimit_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${RATELIMIT_THRESHOLD}
	RL_LOG_STATUS=$(redis-cli -h redis LRANGE RL_LOG 0 0 \| jq .qid)
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	err_c_cur=${err_count}
	RL_LOG_STATUS_PREV=${RL_LOG_STATUS}
	RL_LOG_STATUS=$(redis-cli -h redis LRANGE RL_LOG 0 0 \| jq .qid)
	if [[ ${RL_LOG_STATUS_PREV} != ${RL_LOG_STATUS} ]]; then
	err_count=$(( ${err_count} + 1 ))
	echo 'Last 10 applied ratelimits (may overlap with previous reports).' > /tmp/ratelimit
	echo 'Full ratelimit buckets can be emptied by deleting the ratelimit hash from within mailcow UI (see /debug -> Protocols -> Ratelimit):' >> /tmp/ratelimit
	echo >> /tmp/ratelimit
	redis-cli --raw -h redis LRANGE RL_LOG 0 10 \| jq . >> /tmp/ratelimit
	fi
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Ratelimit" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	mailq_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${MAILQ_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/mail_queue_status; echo "$(tail -50 /tmp/mail_queue_status)" > /tmp/mail_queue_status
	MAILQ_LOG_STATUS=$(find /var/spool/postfix/deferred -type f \| wc -l)
	echo "Mail queue contains ${MAILQ_LOG_STATUS} items (critical limit is ${MAILQ_CRIT}) at $(date)" >> /tmp/mail_queue_status
	err_c_cur=${err_count}
	if [ ${MAILQ_LOG_STATUS} -ge ${MAILQ_CRIT} ]; then
	err_count=$(( ${err_count} + 1 ))
	echo "Mail queue contains ${MAILQ_LOG_STATUS} items (critical limit is ${MAILQ_CRIT}) at $(date)" >> /tmp/mail_queue_status
	fi
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Mail queue" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 60
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	fail2ban_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${FAIL2BAN_THRESHOLD}
	F2B_LOG_STATUS=($(${REDIS_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
	F2B_RES=
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	err_c_cur=${err_count}
	F2B_LOG_STATUS_PREV=(${F2B_LOG_STATUS[@]})
	F2B_LOG_STATUS=($(${REDIS_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
	array_diff F2B_RES F2B_LOG_STATUS F2B_LOG_STATUS_PREV
	if [[ ! -z "${F2B_RES}" ]]; then
	err_count=$(( ${err_count} + 1 ))
	echo -n "${F2B_RES[@]}" \| tr -cd "[a-fA-F0-9.:/] " \| timeout 3s ${REDIS_CMDLINE} -x SET F2B_RES > /dev/null
	if [ $? -ne 0 ]; then
	${REDIS_CMDLINE} -x DEL F2B_RES
	fi
	fi
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Fail2ban" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	acme_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${ACME_THRESHOLD}
	ACME_LOG_STATUS=$(redis-cli -h redis GET ACME_FAIL_TIME)
	if [[ -z "${ACME_LOG_STATUS}" ]]; then
	${REDIS_CMDLINE} SET ACME_FAIL_TIME 0
	ACME_LOG_STATUS=0
	fi
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	err_c_cur=${err_count}
	ACME_LOG_STATUS_PREV=${ACME_LOG_STATUS}
	ACME_LC=0
	until [[ ! -z ${ACME_LOG_STATUS} ]] \|\| [ ${ACME_LC} -ge 3 ]; do
	ACME_LOG_STATUS=$(redis-cli -h redis GET ACME_FAIL_TIME 2> /dev/null)
	sleep 3
	ACME_LC=$((ACME_LC+1))
	done
	if [[ ${ACME_LOG_STATUS_PREV} != ${ACME_LOG_STATUS} ]]; then
	err_count=$(( ${err_count} + 1 ))
	fi
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "ACME" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	ipv6nat_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${IPV6NAT_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	err_c_cur=${err_count}
	CONTAINERS=$(curl --silent --insecure https://dockerapi/containers/json)
	IPV6NAT_CONTAINER_ID=$(echo ${CONTAINERS} \| jq -r ".[] \| {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" \| jq -rc "select( .name \| tostring \| contains(\"ipv6nat-mailcow\")) \| select( .project \| tostring \| contains(\"${COMPOSE_PROJECT_NAME,,}\")) \| .id")
	if [[ ! -z ${IPV6NAT_CONTAINER_ID} ]]; then
	LATEST_STARTED="$(echo ${CONTAINERS} \| jq -r ".[] \| {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], StartedAt: .State.StartedAt}" \| jq -rc "select( .project \| tostring \| contains(\"${COMPOSE_PROJECT_NAME,,}\")) \| select( .name \| tostring \| contains(\"ipv6nat-mailcow\") \| not)" \| jq -rc .StartedAt \| xargs -n1 date +%s -d \| sort \| tail -n1)"
	LATEST_IPV6NAT="$(echo ${CONTAINERS} \| jq -r ".[] \| {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], StartedAt: .State.StartedAt}" \| jq -rc "select( .project \| tostring \| contains(\"${COMPOSE_PROJECT_NAME,,}\")) \| select( .name \| tostring \| contains(\"ipv6nat-mailcow\"))" \| jq -rc .StartedAt \| xargs -n1 date +%s -d \| sort \| tail -n1)"
	DIFFERENCE_START_TIME=$(expr ${LATEST_IPV6NAT} - ${LATEST_STARTED} 2>/dev/null)
	if [[ "${DIFFERENCE_START_TIME}" -lt 30 ]]; then
	err_count=$(( ${err_count} + 1 ))
	fi
	fi
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "IPv6 NAT" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 30
	else
	diff_c=0
	sleep 300
	fi
	done
	return 1
	}


	rspamd_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${RSPAMD_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/rspamd-mailcow; echo "$(tail -50 /tmp/rspamd-mailcow)" > /tmp/rspamd-mailcow
	host_ip=$(get_container_ip rspamd-mailcow)
	err_c_cur=${err_count}
	SCORE=$(echo 'To: null@localhost
	From: watchdog@localhost

	Empty
	' \| usr/bin/curl --max-time 10 -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/scan \| jq -rc .default.required_score)
	if [[ ${SCORE} != "9999" ]]; then
	echo "Rspamd settings check failed, score returned: ${SCORE}" 2>> /tmp/rspamd-mailcow 1>&2
	err_count=$(( ${err_count} + 1))
	else
	echo "Rspamd settings check succeeded, score returned: ${SCORE}" 2>> /tmp/rspamd-mailcow 1>&2
	fi
	# A dirty hack until a PING PONG event is implemented to worker proxy
	# We expect an empty response, not a timeout
	if [ "$(curl -s --max-time 10 ${host_ip}:9900 2> /dev/null ; echo $?)" == "28" ]; then
	echo "Milter check failed" 2>> /tmp/rspamd-mailcow 1>&2; err_count=$(( ${err_count} + 1 ));
	else
	echo "Milter check succeeded" 2>> /tmp/rspamd-mailcow 1>&2
	fi
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Rspamd" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	olefy_checks() {
	err_count=0
	diff_c=0
	THRESHOLD=${OLEFY_THRESHOLD}
	# Reduce error count by 2 after restarting an unhealthy container
	trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
	while [ ${err_count} -lt ${THRESHOLD} ]; do
	touch /tmp/olefy-mailcow; echo "$(tail -50 /tmp/olefy-mailcow)" > /tmp/olefy-mailcow
	host_ip=$(get_container_ip olefy-mailcow)
	err_c_cur=${err_count}
	/usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 10055 -s "PING\n" 2>> /tmp/olefy-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
	[ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
	[ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
	progress "Olefy" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
	if [[ $? == 10 ]]; then
	diff_c=0
	sleep 1
	else
	diff_c=0
	sleep $(( ( RANDOM % 60 ) + 20 ))
	fi
	done
	return 1
	}

	# Notify about start
	if [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]]; then
	mail_error "watchdog-mailcow" "Watchdog started monitoring mailcow."
	fi

	# Create watchdog agents

	(
	while true; do
	if ! nginx_checks; then
	log_msg "Nginx hit error limit"
	echo nginx-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned nginx_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	if [[ ${WATCHDOG_EXTERNAL_CHECKS} =~ ^([yY][eE][sS]\|[yY])+$ ]]; then
	(
	while true; do
	if ! external_checks; then
	log_msg "External checks hit error limit"
	echo external_checks > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned external_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})
	fi

	if [[ ${WATCHDOG_MYSQL_REPLICATION_CHECKS} =~ ^([yY][eE][sS]\|[yY])+$ ]]; then
	(
	while true; do
	if ! mysql_repl_checks; then
	log_msg "MySQL replication check hit error limit"
	echo mysql_repl_checks > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned mysql_repl_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})
	fi

	(
	while true; do
	if ! mysql_checks; then
	log_msg "MySQL hit error limit"
	echo mysql-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned mysql_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! redis_checks; then
	log_msg "Local Redis hit error limit"
	echo redis-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned redis_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! phpfpm_checks; then
	log_msg "PHP-FPM hit error limit"
	echo php-fpm-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned phpfpm_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	if [[ "${SKIP_SOGO}" =~ ^([nN][oO]\|[nN])+$ ]]; then
	(
	while true; do
	if ! sogo_checks; then
	log_msg "SOGo hit error limit"
	echo sogo-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned sogo_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})
	fi

	if [ ${CHECK_UNBOUND} -eq 1 ]; then
	(
	while true; do
	if ! unbound_checks; then
	log_msg "Unbound hit error limit"
	echo unbound-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned unbound_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})
	fi

	if [[ "${SKIP_CLAMD}" =~ ^([nN][oO]\|[nN])+$ ]]; then
	(
	while true; do
	if ! clamd_checks; then
	log_msg "Clamd hit error limit"
	echo clamd-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned clamd_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})
	fi

	(
	while true; do
	if ! postfix_checks; then
	log_msg "Postfix hit error limit"
	echo postfix-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned postfix_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! mailq_checks; then
	log_msg "Mail queue hit error limit"
	echo mail_queue_status > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned mailq_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! dovecot_checks; then
	log_msg "Dovecot hit error limit"
	echo dovecot-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned dovecot_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! dovecot_repl_checks; then
	log_msg "Dovecot hit error limit"
	echo dovecot_repl_checks > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned dovecot_repl_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! rspamd_checks; then
	log_msg "Rspamd hit error limit"
	echo rspamd-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned rspamd_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! ratelimit_checks; then
	log_msg "Ratelimit hit error limit"
	echo ratelimit > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned ratelimit_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! fail2ban_checks; then
	log_msg "Fail2ban hit error limit"
	echo fail2ban > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned fail2ban_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! cert_checks; then
	log_msg "Cert check hit error limit"
	echo certcheck > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned cert_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! olefy_checks; then
	log_msg "Olefy hit error limit"
	echo olefy-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned olefy_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! acme_checks; then
	log_msg "ACME client hit error limit"
	echo acme-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned acme_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	(
	while true; do
	if ! ipv6nat_checks; then
	log_msg "IPv6 NAT warning: ipv6nat-mailcow container was not started at least 30s after siblings (not an error)"
	echo ipv6nat-mailcow > /tmp/com_pipe
	fi
	done
	) &
	PID=$!
	echo "Spawned ipv6nat_checks with PID ${PID}"
	BACKGROUND_TASKS+=(${PID})

	# Monitor watchdog agents, stop script when agents fails and wait for respawn by Docker (restart:always:n)
	(
	while true; do
	for bg_task in ${BACKGROUND_TASKS[*]}; do
	if ! kill -0 ${bg_task} 1>&2; then
	log_msg "Worker ${bg_task} died, stopping watchdog and waiting for respawn..."
	kill -TERM 1
	fi
	sleep 10
	done
	done
	) &

	# Monitor dockerapi
	(
	while true; do
	while nc -z dockerapi 443; do
	sleep 3
	done
	log_msg "Cannot find dockerapi-mailcow, waiting to recover..."
	kill -STOP ${BACKGROUND_TASKS[*]}
	until nc -z dockerapi 443; do
	sleep 3
	done
	kill -CONT ${BACKGROUND_TASKS[*]}
	kill -USR1 ${BACKGROUND_TASKS[*]}
	done
	) &

	# Actions when threshold limit is reached
	while true; do
	CONTAINER_ID=
	HAS_INITDB=
	read com_pipe_answer </tmp/com_pipe
	if [ -s "/tmp/${com_pipe_answer}" ]; then
	cat "/tmp/${com_pipe_answer}"
	fi
	if [[ ${com_pipe_answer} == "ratelimit" ]]; then
	log_msg "At least one ratelimit was applied"
	[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${com_pipe_answer}"
	elif [[ ${com_pipe_answer} == "mail_queue_status" ]]; then
	log_msg "Mail queue status is critical"
	[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${com_pipe_answer}"
	elif [[ ${com_pipe_answer} == "external_checks" ]]; then
	log_msg "Your mailcow is an open relay!"
	# Define $2 to override message text, else print service was restarted at ...
	[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${com_pipe_answer}" "Please stop mailcow now and check your network configuration!"
	elif [[ ${com_pipe_answer} == "mysql_repl_checks" ]]; then
	log_msg "MySQL replication is not working properly"
	# Define $2 to override message text, else print service was restarted at ...
	# Once mail per 10 minutes
	[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${com_pipe_answer}" "Please check the SQL replication status" 600
	elif [[ ${com_pipe_answer} == "dovecot_repl_checks" ]]; then
	log_msg "Dovecot replication is not working properly"
	# Define $2 to override message text, else print service was restarted at ...
	# Once mail per 10 minutes
	[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${com_pipe_answer}" "Please check the Dovecot replicator status" 600
	elif [[ ${com_pipe_answer} == "certcheck" ]]; then
	log_msg "Certificates are about to expire"
	# Define $2 to override message text, else print service was restarted at ...
	# Only mail once a day
	[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${com_pipe_answer}" "Please renew your certificate" 86400
	elif [[ ${com_pipe_answer} == "acme-mailcow" ]]; then
	log_msg "acme-mailcow did not complete successfully"
	# Define $2 to override message text, else print service was restarted at ...
	[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${com_pipe_answer}" "Please check acme-mailcow for further information."
	elif [[ ${com_pipe_answer} == "fail2ban" ]]; then
	F2B_RES=($(timeout 4s ${REDIS_CMDLINE} --raw GET F2B_RES 2> /dev/null))
	if [[ ! -z "${F2B_RES}" ]]; then
	${REDIS_CMDLINE} DEL F2B_RES > /dev/null
	host=
	for host in "${F2B_RES[@]}"; do
	log_msg "Banned ${host}"
	rm /tmp/fail2ban 2> /dev/null
	timeout 2s whois "${host}" > /tmp/fail2ban
	[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && [[ ${WATCHDOG_NOTIFY_BAN} =~ ^([yY][eE][sS]\|[yY])+$ ]] && mail_error "${com_pipe_answer}" "IP ban: ${host}"
	done
	fi
	elif [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
	kill -STOP ${BACKGROUND_TASKS[*]}
	sleep 10
	CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json \| jq -r ".[] \| {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" \| jq -rc "select( .name \| tostring \| contains(\"${com_pipe_answer}\")) \| select( .project \| tostring \| contains(\"${COMPOSE_PROJECT_NAME,,}\")) \| .id")
	if [[ ! -z ${CONTAINER_ID} ]]; then
	if [[ "${com_pipe_answer}" == "php-fpm-mailcow" ]]; then
	HAS_INITDB=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/top \| jq '.msg.Processes[] \| contains(["php -c /usr/local/etc/php -f /web/inc/init_db.inc.php"])' \| grep true)
	fi
	S_RUNNING=$(($(date +%s) - $(curl --silent --insecure https://dockerapi/containers/${CONTAINER_ID}/json \| jq .State.StartedAt \| xargs -n1 date +%s -d)))
	if [ ${S_RUNNING} -lt 360 ]; then
	log_msg "Container is running for less than 360 seconds, skipping action..."
	elif [[ ! -z ${HAS_INITDB} ]]; then
	log_msg "Database is being initialized by php-fpm-mailcow, not restarting but delaying checks for a minute..."
	sleep 60
	else
	log_msg "Sending restart command to ${CONTAINER_ID}..."
	curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/restart
	if [[ ${com_pipe_answer} != "ipv6nat-mailcow" ]]; then
	[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${com_pipe_answer}"
	fi
	log_msg "Wait for restarted container to settle and continue watching..."
	sleep 35
	fi
	fi
	kill -CONT ${BACKGROUND_TASKS[*]}
	sleep 1
	kill -USR1 ${BACKGROUND_TASKS[*]}
	fi
	done
	diff --git a/docker-compose.yml b/docker-compose.yml
	index 0d027d3d..dc69c57c 100644
	--- a/docker-compose.yml
	+++ b/docker-compose.yml
	@@ -1,619 +1,620 @@
	version: '2.1'
	services:

	unbound-mailcow:
	image: mailcow/unbound:1.13
	environment:
	- TZ=${TZ}
	volumes:
	- ./data/hooks/unbound:/hooks:Z
	- ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro,Z
	restart: always
	tty: true
	networks:
	mailcow-network:
	ipv4_address: ${IPV4_NETWORK:-172.22.1}.254
	aliases:
	- unbound

	mysql-mailcow:
	image: mariadb:10.4
	depends_on:
	- unbound-mailcow
	stop_grace_period: 45s
	volumes:
	- mysql-vol-1:/var/lib/mysql/:Z
	- mysql-socket-vol-1:/var/run/mysqld/:z
	- ./data/conf/mysql/:/etc/mysql/conf.d/:ro,Z
	environment:
	- TZ=${TZ}
	- MYSQL_ROOT_PASSWORD=${DBROOT}
	- MYSQL_DATABASE=${DBNAME}
	- MYSQL_USER=${DBUSER}
	- MYSQL_PASSWORD=${DBPASS}
	- MYSQL_INITDB_SKIP_TZINFO=1
	restart: always
	ports:
	- "${SQL_PORT:-127.0.0.1:13306}:3306"
	networks:
	mailcow-network:
	aliases:
	- mysql

	redis-mailcow:
	image: redis:5-alpine
	volumes:
	- redis-vol-1:/data/:Z
	restart: always
	ports:
	- "${REDIS_PORT:-127.0.0.1:7654}:6379"
	environment:
	- TZ=${TZ}
	networks:
	mailcow-network:
	ipv4_address: ${IPV4_NETWORK:-172.22.1}.249
	aliases:
	- redis

	clamd-mailcow:
	image: mailcow/clamd:1.38
	restart: always
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	environment:
	- TZ=${TZ}
	- SKIP_CLAMD=${SKIP_CLAMD:-n}
	volumes:
	- ./data/conf/clamav/:/etc/clamav/:Z
	networks:
	mailcow-network:
	aliases:
	- clamd

	rspamd-mailcow:
	image: mailcow/rspamd:1.76
	stop_grace_period: 30s
	depends_on:
	- dovecot-mailcow
	environment:
	- TZ=${TZ}
	- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
	- IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
	- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
	- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
	volumes:
	- ./data/hooks/rspamd:/hooks:Z
	- ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
	- ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:Z
	- ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:Z
	- ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d:Z
	- ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro,Z
	- ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local:Z
	- ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override:Z
	- rspamd-vol-1:/var/lib/rspamd:z
	restart: always
	hostname: rspamd
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	networks:
	mailcow-network:
	aliases:
	- rspamd

	php-fpm-mailcow:
	image: mailcow/phpfpm:1.73
	command: "php-fpm -d date.timezone=${TZ} -d expose_php=0"
	depends_on:
	- redis-mailcow
	volumes:
	- ./data/hooks/phpfpm:/hooks:Z
	- ./data/web:/web:z
	- ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
	- ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
	- rspamd-vol-1:/var/lib/rspamd:z
	- mysql-socket-vol-1:/var/run/mysqld/:z
	- ./data/conf/sogo/:/etc/sogo/:z
	- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
	- ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/:z
	- ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf:Z
	- ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:Z
	- ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini:Z
	- ./data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini:Z
	- ./data/conf/dovecot/global_sieve_before:/global_sieve/before:z
	- ./data/conf/dovecot/global_sieve_after:/global_sieve/after:z
	- ./data/assets/templates:/tpls:z
	- ./data/conf/ejabberd/autogen:/ejabberd/:z
	- ./data/conf/nginx/:/etc/nginx/conf.d/:z
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	environment:
	- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
	- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
	- LOG_LINES=${LOG_LINES:-9999}
	- TZ=${TZ}
	- DBNAME=${DBNAME}
	- DBUSER=${DBUSER}
	- DBPASS=${DBPASS}
	- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
	- MAILCOW_PASS_SCHEME=${MAILCOW_PASS_SCHEME:-BLF-CRYPT}
	- IMAP_PORT=${IMAP_PORT:-143}
	- IMAPS_PORT=${IMAPS_PORT:-993}
	- POP_PORT=${POP_PORT:-110}
	- POPS_PORT=${POPS_PORT:-995}
	- SIEVE_PORT=${SIEVE_PORT:-4190}
	- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
	- IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
	- SUBMISSION_PORT=${SUBMISSION_PORT:-587}
	- SMTPS_PORT=${SMTPS_PORT:-465}
	- SMTP_PORT=${SMTP_PORT:-25}
	- XMPP_C2S_PORT=${XMPP_C2S_PORT:-5222}
	- XMPP_S2S_PORT=${XMPP_S2S_PORT:-5269}
	- API_KEY=${API_KEY:-invalid}
	- API_KEY_READ_ONLY=${API_KEY_READ_ONLY:-invalid}
	- API_ALLOW_FROM=${API_ALLOW_FROM:-invalid}
	- COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
	- SKIP_SOLR=${SKIP_SOLR:-y}
	- SKIP_CLAMD=${SKIP_CLAMD:-n}
	- SKIP_SOGO=${SKIP_SOGO:-n}
	- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
	- MASTER=${MASTER:-y}
	restart: always
	networks:
	mailcow-network:
	aliases:
	- phpfpm

	sogo-mailcow:
	image: mailcow/sogo:1.95
	environment:
	- DBNAME=${DBNAME}
	- DBUSER=${DBUSER}
	- DBPASS=${DBPASS}
	- TZ=${TZ}
	- LOG_LINES=${LOG_LINES:-9999}
	- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
	- MAILCOW_PASS_SCHEME=${MAILCOW_PASS_SCHEME:-BLF-CRYPT}
	- ACL_ANYONE=${ACL_ANYONE:-disallow}
	- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
	- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
	- SOGO_EXPIRE_SESSION=${SOGO_EXPIRE_SESSION:-480}
	- SKIP_SOGO=${SKIP_SOGO:-n}
	- MASTER=${MASTER:-y}
	- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
	- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	volumes:
	- ./data/conf/sogo/:/etc/sogo/:z
	- ./data/web/inc/init_db.inc.php:/init_db.inc.php:Z
	- ./data/conf/sogo/custom-favicon.ico:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo.ico:z
	- ./data/conf/sogo/custom-theme.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/theme.js:z
	- ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:z
	- mysql-socket-vol-1:/var/run/mysqld/:z
	- sogo-web-vol-1:/sogo_web:z
	- sogo-userdata-backup-vol-1:/sogo_backup:Z
	restart: always
	networks:
	mailcow-network:
	ipv4_address: ${IPV4_NETWORK:-172.22.1}.248
	aliases:
	- sogo

	dovecot-mailcow:
	image: mailcow/dovecot:1.141
	depends_on:
	- mysql-mailcow
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	cap_add:
	- NET_BIND_SERVICE
	volumes:
	- ./data/hooks/dovecot:/hooks:Z
	- ./data/conf/dovecot:/etc/dovecot:z
	- ./data/assets/ssl:/etc/ssl/mail/:ro,z
	- ./data/conf/sogo/:/etc/sogo/:z
	- ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/:z
	- vmail-vol-1:/var/vmail:Z
	- vmail-index-vol-1:/var/vmail_index:Z
	- crypt-vol-1:/mail_crypt/:z
	- ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
	- ./data/assets/templates:/templates:z
	- rspamd-vol-1:/var/lib/rspamd:z
	- mysql-socket-vol-1:/var/run/mysqld/:z
	environment:
	- DOVECOT_MASTER_USER=${DOVECOT_MASTER_USER:-}
	- DOVECOT_MASTER_PASS=${DOVECOT_MASTER_PASS:-}
	- LOG_LINES=${LOG_LINES:-9999}
	- DBNAME=${DBNAME}
	- DBUSER=${DBUSER}
	- DBPASS=${DBPASS}
	- TZ=${TZ}
	- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
	- MAILCOW_PASS_SCHEME=${MAILCOW_PASS_SCHEME:-BLF-CRYPT}
	- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
	- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
	- MAILDIR_GC_TIME=${MAILDIR_GC_TIME:-1440}
	- ACL_ANYONE=${ACL_ANYONE:-disallow}
	- SKIP_SOLR=${SKIP_SOLR:-y}
	- MAILDIR_SUB=${MAILDIR_SUB:-}
	- MASTER=${MASTER:-y}
	- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
	- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
	- COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
	ports:
	- "${DOVEADM_PORT:-127.0.0.1:19991}:12345"
	- "${IMAP_PORT:-143}:143"
	- "${IMAPS_PORT:-993}:993"
	- "${POP_PORT:-110}:110"
	- "${POPS_PORT:-995}:995"
	- "${SIEVE_PORT:-4190}:4190"
	restart: always
	tty: true
	ulimits:
	nproc: 65535
	nofile:
	soft: 20000
	hard: 40000
	networks:
	mailcow-network:
	ipv4_address: ${IPV4_NETWORK:-172.22.1}.250
	aliases:
	- dovecot

	postfix-mailcow:
	image: mailcow/postfix:1.59
	depends_on:
	- mysql-mailcow
	volumes:
	- ./data/hooks/postfix:/hooks:Z
	- ./data/conf/postfix:/opt/postfix/conf:z
	- ./data/assets/ssl:/etc/ssl/mail/:ro,z
	- postfix-vol-1:/var/spool/postfix:z
	- crypt-vol-1:/var/lib/zeyple:z
	- rspamd-vol-1:/var/lib/rspamd:z
	- mysql-socket-vol-1:/var/run/mysqld/:z
	environment:
	- LOG_LINES=${LOG_LINES:-9999}
	- TZ=${TZ}
	- DBNAME=${DBNAME}
	- DBUSER=${DBUSER}
	- DBPASS=${DBPASS}
	- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
	- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
	- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
	cap_add:
	- NET_BIND_SERVICE
	ports:
	- "${SMTP_PORT:-25}:25"
	- "${SMTPS_PORT:-465}:465"
	- "${SUBMISSION_PORT:-587}:587"
	restart: always
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	networks:
	mailcow-network:
	aliases:
	- postfix

	memcached-mailcow:
	image: memcached:alpine
	restart: always
	environment:
	- TZ=${TZ}
	networks:
	mailcow-network:
	aliases:
	- memcached

	nginx-mailcow:
	depends_on:
	- sogo-mailcow
	- php-fpm-mailcow
	- redis-mailcow
	image: nginx:mainline-alpine
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
	envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
	envsubst < /etc/nginx/conf.d/templates/sogo.template > /etc/nginx/conf.d/sogo.active &&
	. /etc/nginx/conf.d/templates/sogo.auth_request.template.sh > /etc/nginx/conf.d/sogo_proxy_auth.active &&
	. /etc/nginx/conf.d/templates/server_name.template.sh > /etc/nginx/conf.d/server_name.active &&
	. /etc/nginx/conf.d/templates/sites.template.sh > /etc/nginx/conf.d/sites.active &&
	. /etc/nginx/conf.d/templates/sogo_eas.template.sh > /etc/nginx/conf.d/sogo_eas.active &&
	nginx -qt &&
	until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
	until ping sogo -c1 > /dev/null; do sleep 1; done &&
	until ping redis -c1 > /dev/null; do sleep 1; done &&
	until ping rspamd -c1 > /dev/null; do sleep 1; done &&
	until ping ejabberd -c1 > /dev/null; do sleep 1; done &&
	exec nginx -g 'daemon off;'"
	environment:
	- HTTPS_PORT=${HTTPS_PORT:-443}
	- HTTP_PORT=${HTTP_PORT:-80}
	- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
	- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
	- TZ=${TZ}
	- SKIP_SOGO=${SKIP_SOGO:-n}
	- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
	- ADDITIONAL_SERVER_NAMES=${ADDITIONAL_SERVER_NAMES:-}
	volumes:
	- ./data/web:/web:ro,z
	- ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
	- ./data/assets/ssl/:/etc/ssl/mail/:ro,z
	- ./data/conf/nginx/:/etc/nginx/conf.d/:z
	- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
	- sogo-web-vol-1:/usr/lib/GNUstep/SOGo/:z
	ports:
	- "${HTTPS_BIND:-:}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
	- "${HTTP_BIND:-:}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
	restart: always
	networks:
	mailcow-network:
	aliases:
	- nginx

	acme-mailcow:
	depends_on:
	- nginx-mailcow
	image: mailcow/acme:1.78
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	environment:
	- LOG_LINES=${LOG_LINES:-9999}
	- ADDITIONAL_SAN=${ADDITIONAL_SAN}
	- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
	- DBNAME=${DBNAME}
	- DBUSER=${DBUSER}
	- DBPASS=${DBPASS}
	- SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n}
	- COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
	- DIRECTORY_URL=${DIRECTORY_URL:-}
	- ENABLE_SSL_SNI=${ENABLE_SSL_SNI:-n}
	- SKIP_IP_CHECK=${SKIP_IP_CHECK:-n}
	- SKIP_HTTP_VERIFICATION=${SKIP_HTTP_VERIFICATION:-n}
	- ONLY_MAILCOW_HOSTNAME=${ONLY_MAILCOW_HOSTNAME:-n}
	- LE_STAGING=${LE_STAGING:-n}
	- TZ=${TZ}
	- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
	- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
	- SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
	- SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
	volumes:
	- ./data/web/.well-known/acme-challenge:/var/www/acme:z
	- ./data/assets/ssl:/var/lib/acme/:z
	- ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z
	- mysql-socket-vol-1:/var/run/mysqld/:z
	restart: always
	networks:
	mailcow-network:
	aliases:
	- acme

	netfilter-mailcow:
	image: mailcow/netfilter:1.39
	stop_grace_period: 30s
	depends_on:
	- dovecot-mailcow
	- postfix-mailcow
	- sogo-mailcow
	- php-fpm-mailcow
	- redis-mailcow
	restart: always
	privileged: true
	environment:
	- TZ=${TZ}
	- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
	- IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
	- SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
	- SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
	- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
	- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
	network_mode: "host"
	volumes:
	- /lib/modules:/lib/modules:ro

	watchdog-mailcow:
	image: mailcow/watchdog:1.90
	# Debug
	#command: /watchdog.sh
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	tmpfs:
	- /tmp
	volumes:
	- rspamd-vol-1:/var/lib/rspamd:z
	- mysql-socket-vol-1:/var/run/mysqld/:z
	- postfix-vol-1:/var/spool/postfix:z
	- ./data/assets/ssl:/etc/ssl/mail/:ro,z
	restart: always
	environment:
	- IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
	- LOG_LINES=${LOG_LINES:-9999}
	- TZ=${TZ}
	- DBNAME=${DBNAME}
	- DBUSER=${DBUSER}
	- DBPASS=${DBPASS}
	- DBROOT=${DBROOT}
	- USE_WATCHDOG=${USE_WATCHDOG:-n}
	- WATCHDOG_NOTIFY_EMAIL=${WATCHDOG_NOTIFY_EMAIL}
	- WATCHDOG_NOTIFY_BAN=${WATCHDOG_NOTIFY_BAN:-y}
	+ - WATCHDOG_SUBJECT=${WATCHDOG_SUBJECT:-Watchdog ALERT}
	- WATCHDOG_EXTERNAL_CHECKS=${WATCHDOG_EXTERNAL_CHECKS:-n}
	- WATCHDOG_MYSQL_REPLICATION_CHECKS=${WATCHDOG_MYSQL_REPLICATION_CHECKS:-n}
	- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
	- COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-mailcow-dockerized}
	- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
	- IP_BY_DOCKER_API=${IP_BY_DOCKER_API:-0}
	- CHECK_UNBOUND=${CHECK_UNBOUND:-1}
	- SKIP_CLAMD=${SKIP_CLAMD:-n}
	- SKIP_LETS_ENCRYPT=${SKIP_LETS_ENCRYPT:-n}
	- SKIP_SOGO=${SKIP_SOGO:-n}
	- HTTPS_PORT=${HTTPS_PORT:-443}
	- REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
	- REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
	- EXTERNAL_CHECKS_THRESHOLD=${EXTERNAL_CHECKS_THRESHOLD:-1}
	- NGINX_THRESHOLD=${NGINX_THRESHOLD:-5}
	- UNBOUND_THRESHOLD=${UNBOUND_THRESHOLD:-5}
	- REDIS_THRESHOLD=${REDIS_THRESHOLD:-5}
	- MYSQL_THRESHOLD=${MYSQL_THRESHOLD:-5}
	- MYSQL_REPLICATION_THRESHOLD=${MYSQL_REPLICATION_THRESHOLD:-1}
	- SOGO_THRESHOLD=${SOGO_THRESHOLD:-3}
	- POSTFIX_THRESHOLD=${POSTFIX_THRESHOLD:-8}
	- CLAMD_THRESHOLD=${CLAMD_THRESHOLD:-15}
	- DOVECOT_THRESHOLD=${DOVECOT_THRESHOLD:-12}
	- DOVECOT_REPL_THRESHOLD=${DOVECOT_REPL_THRESHOLD:-20}
	- PHPFPM_THRESHOLD=${PHPFPM_THRESHOLD:-5}
	- RATELIMIT_THRESHOLD=${RATELIMIT_THRESHOLD:-1}
	- FAIL2BAN_THRESHOLD=${FAIL2BAN_THRESHOLD:-1}
	- ACME_THRESHOLD=${ACME_THRESHOLD:-1}
	- IPV6NAT_THRESHOLD=${IPV6NAT_THRESHOLD:-1}
	- RSPAMD_THRESHOLD=${RSPAMD_THRESHOLD:-5}
	- OLEFY_THRESHOLD=${OLEFY_THRESHOLD:-5}
	- MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20}
	- MAILQ_CRIT=${MAILQ_CRIT:-30}
	networks:
	mailcow-network:
	aliases:
	- watchdog

	dockerapi-mailcow:
	image: mailcow/dockerapi:1.38
	security_opt:
	- label=disable
	restart: always
	oom_kill_disable: true
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	environment:
	- DBROOT=${DBROOT}
	- TZ=${TZ}
	volumes:
	- /var/run/docker.sock:/var/run/docker.sock:ro
	networks:
	mailcow-network:
	aliases:
	- dockerapi

	solr-mailcow:
	image: mailcow/solr:1.7
	restart: always
	volumes:
	- solr-vol-1:/opt/solr/server/solr/dovecot-fts/data:Z
	ports:
	- "${SOLR_PORT:-127.0.0.1:18983}:8983"
	environment:
	- TZ=${TZ}
	- SOLR_HEAP=${SOLR_HEAP:-1024}
	- SKIP_SOLR=${SKIP_SOLR:-y}
	networks:
	mailcow-network:
	aliases:
	- solr

	olefy-mailcow:
	image: mailcow/olefy:1.6
	restart: always
	environment:
	- TZ=${TZ}
	- OLEFY_BINDADDRESS=0.0.0.0
	- OLEFY_BINDPORT=10055
	- OLEFY_TMPDIR=/tmp
	- OLEFY_PYTHON_PATH=/usr/bin/python3
	- OLEFY_OLEVBA_PATH=/usr/bin/olevba3
	- OLEFY_LOGLVL=20
	- OLEFY_MINLENGTH=500
	- OLEFY_DEL_TMP=1
	networks:
	mailcow-network:
	aliases:
	- olefy

	ejabberd-mailcow:
	image: mailcow/ejabberd:1.4
	volumes:
	- ./data/conf/ejabberd/ejabberd.yml:/home/ejabberd/conf/ejabberd.yml:z
	- xmpp-vol-1:/home/ejabberd/database:z
	- xmpp-upload-vol-1:/var/www/upload:z
	- ./data/assets/ejabberd/sqlite:/sqlite:z
	- ./data/conf/ejabberd/autogen:/ejabberd/:z
	- mysql-socket-vol-1:/var/run/mysqld/:z
	- ./data/assets/ssl:/ssl:ro,z
	restart: always
	dns:
	- ${IPV4_NETWORK:-172.22.1}.254
	hostname: ejabberd.mailcow.local
	extra_hosts:
	- "${MAILCOW_HOSTNAME}:127.0.0.1"
	environment:
	- TZ=${TZ}
	- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
	- MASTER=${MASTER:-y}
	- IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
	- XMPP_HTTPS_PORT=${XMPP_HTTPS_PORT:-5443}
	- DBNAME=${DBNAME}
	- DBUSER=${DBUSER}
	- DBPASS=${DBPASS}
	ports:
	- "${XMPP_C2S_PORT:-5222}:5222"
	- "${XMPP_S2S_PORT:-5269}:5269"
	- "${XMPP_HTTPS_PORT:-5443}:5443"
	networks:
	mailcow-network:
	aliases:
	- ejabberd

	ipv6nat-mailcow:
	depends_on:
	- unbound-mailcow
	- mysql-mailcow
	- redis-mailcow
	- clamd-mailcow
	- rspamd-mailcow
	- php-fpm-mailcow
	- sogo-mailcow
	- dovecot-mailcow
	- postfix-mailcow
	- memcached-mailcow
	- nginx-mailcow
	- acme-mailcow
	- netfilter-mailcow
	- watchdog-mailcow
	- dockerapi-mailcow
	- solr-mailcow
	environment:
	- TZ=${TZ}
	image: robbertkl/ipv6nat
	security_opt:
	- label=disable
	restart: always
	privileged: true
	network_mode: "host"
	volumes:
	- /var/run/docker.sock:/var/run/docker.sock:ro
	- /lib/modules:/lib/modules:ro

	networks:
	mailcow-network:
	driver: bridge
	driver_opts:
	com.docker.network.bridge.name: br-mailcow
	enable_ipv6: true
	ipam:
	driver: default
	config:
	- subnet: ${IPV4_NETWORK:-172.22.1}.0/24
	- subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}

	volumes:
	vmail-vol-1:
	vmail-index-vol-1:
	mysql-vol-1:
	mysql-socket-vol-1:
	redis-vol-1:
	rspamd-vol-1:
	solr-vol-1:
	postfix-vol-1:
	crypt-vol-1:
	sogo-web-vol-1:
	sogo-userdata-backup-vol-1:
	xmpp-vol-1:
	xmpp-upload-vol-1:
	diff --git a/generate_config.sh b/generate_config.sh
	index 978a32fa..61a90aa0 100755
	--- a/generate_config.sh
	+++ b/generate_config.sh
	@@ -1,347 +1,350 @@
	#!/usr/bin/env bash

	set -o pipefail

	if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then
	echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
	echo "Please update to 5.x or use another distribution."
	exit 1
	fi

	if [[ "$(uname -r)" =~ ^4\.4\. ]]; then
	if grep -q Ubuntu <<< $(uname -a); then
	echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
	echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\""
	fi
	exit 1
	fi

	if grep --help 2>&1 \| grep -q -i "busybox"; then
	echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\""
	exit 1
	fi
	if cp --help 2>&1 \| grep -q -i "busybox"; then
	echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\""
	exit 1
	fi

	for bin in openssl curl docker-compose docker git awk sha1sum; do
	if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
	done

	if [ -f mailcow.conf ]; then
	read -r -p "A config file exists and will be overwritten, are you sure you want to continue? [y/N] " response
	case $response in
	[yY][eE][sS]\|[yY])
	mv mailcow.conf mailcow.conf_backup
	chmod 600 mailcow.conf_backup
	;;
	*)
	exit 1
	;;
	esac
	fi

	echo "Press enter to confirm the detected value '[value]' where applicable or enter a custom value."
	while [ -z "${MAILCOW_HOSTNAME}" ]; do
	read -p "Mail server hostname (FQDN) - this is not your mail domain, but your mail servers hostname: " -e MAILCOW_HOSTNAME
	DOTS=${MAILCOW_HOSTNAME//[^.]};
	if [ ${#DOTS} -lt 2 ] && [ ! -z ${MAILCOW_HOSTNAME} ]; then
	echo "${MAILCOW_HOSTNAME} is not a FQDN"
	MAILCOW_HOSTNAME=
	fi
	done

	if [ -a /etc/timezone ]; then
	DETECTED_TZ=$(cat /etc/timezone)
	elif [ -a /etc/localtime ]; then
	DETECTED_TZ=$(readlink /etc/localtime\|sed -n 's\|^.*zoneinfo/\|\|p')
	fi

	while [ -z "${MAILCOW_TZ}" ]; do
	if [ -z "${DETECTED_TZ}" ]; then
	read -p "Timezone: " -e MAILCOW_TZ
	else
	read -p "Timezone [${DETECTED_TZ}]: " -e MAILCOW_TZ
	[ -z "${MAILCOW_TZ}" ] && MAILCOW_TZ=${DETECTED_TZ}
	fi
	done

	MEM_TOTAL=$(awk '/MemTotal/ {print $2}' /proc/meminfo)

	if [ ${MEM_TOTAL} -le "2621440" ]; then
	echo "Installed memory is <= 2.5 GiB. It is recommended to disable ClamAV to prevent out-of-memory situations."
	echo "ClamAV can be re-enabled by setting SKIP_CLAMD=n in mailcow.conf."
	read -r -p "Do you want to disable ClamAV now? [Y/n] " response
	case $response in
	[nN][oO]\|[nN])
	SKIP_CLAMD=n
	;;
	*)
	SKIP_CLAMD=y
	;;
	esac
	else
	SKIP_CLAMD=n
	fi

	if [ ${MEM_TOTAL} -le "2097152" ]; then
	echo "Disabling Solr on low-memory system."
	SKIP_SOLR=y
	elif [ ${MEM_TOTAL} -le "3670016" ]; then
	echo "Installed memory is <= 3.5 GiB. It is recommended to disable Solr to prevent out-of-memory situations."
	echo "Solr is a prone to run OOM and should be monitored. The default Solr heap size is 1024 MiB and should be set in mailcow.conf according to your expected load."
	echo "Solr can be re-enabled by setting SKIP_SOLR=n in mailcow.conf but will refuse to start with less than 2 GB total memory."
	read -r -p "Do you want to disable Solr now? [Y/n] " response
	case $response in
	[nN][oO]\|[nN])
	SKIP_SOLR=n
	;;
	*)
	SKIP_SOLR=y
	;;
	esac
	else
	SKIP_SOLR=n
	fi

	[ ! -f ./data/conf/rspamd/override.d/worker-controller-password.inc ] && echo '# Placeholder' > ./data/conf/rspamd/override.d/worker-controller-password.inc

	cat << EOF > mailcow.conf
	# ------------------------------
	# mailcow web ui configuration
	# ------------------------------
	# example.org is _not_ a valid hostname, use a fqdn here.
	# Default admin user is "admin"
	# Default password is "moohoo"

	MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}

	# Password hash algorithm
	# Only certain password hash algorithm are supported. For a fully list of supported schemes,
	# see https://mailcow.github.io/mailcow-dockerized-docs/model-passwd/
	MAILCOW_PASS_SCHEME=BLF-CRYPT

	# ------------------------------
	# SQL database configuration
	# ------------------------------

	DBNAME=mailcow
	DBUSER=mailcow

	# Please use long, random alphanumeric strings (A-Za-z0-9)

	DBPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 \| head -c 28)
	DBROOT=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 \| head -c 28)

	# ------------------------------
	# HTTP/S Bindings
	# ------------------------------

	# You should use HTTPS, but in case of SSL offloaded reverse proxies:
	# Might be important: This will also change the binding within the container.
	# If you use a proxy within Docker, point it to the ports you set below.
	# Do _not_ use IP:PORT in HTTP(S)_BIND or HTTP(S)_PORT
	# IMPORTANT: Do not use port 8081, 9081 or 65510!
	# Example: HTTP_BIND=1.2.3.4
	# For IPv6 see https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ip_bindings/

	HTTP_PORT=80
	HTTP_BIND=

	HTTPS_PORT=443
	HTTPS_BIND=

	# ------------------------------
	# Other bindings
	# ------------------------------
	# You should leave that alone
	# Format: 11.22.33.44:25 or 12.34.56.78:465 etc.

	SMTP_PORT=25
	SMTPS_PORT=465
	SUBMISSION_PORT=587
	IMAP_PORT=143
	IMAPS_PORT=993
	POP_PORT=110
	POPS_PORT=995
	SIEVE_PORT=4190
	DOVEADM_PORT=127.0.0.1:19991
	SQL_PORT=127.0.0.1:13306
	SOLR_PORT=127.0.0.1:18983
	REDIS_PORT=127.0.0.1:7654
	XMPP_C2S_PORT=5222
	XMPP_S2S_PORT=5269
	XMPP_HTTPS_PORT=5443

	# Your timezone
	# See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a list of timezones
	# Use the row named 'TZ database name' + pay attention for 'Notes' row

	TZ=${MAILCOW_TZ}

	# Fixed project name
	# Please use lowercase letters only

	COMPOSE_PROJECT_NAME=mailcowdockerized

	# Set this to "allow" to enable the anyone pseudo user. Disabled by default.
	# When enabled, ACL can be created, that apply to "All authenticated users"
	# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.
	# Otherwise a user might share data with too many other users.
	ACL_ANYONE=disallow

	# Garbage collector cleanup
	# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring
	# How long should objects remain in the garbage until they are being deleted? (value in minutes)
	# Check interval is hourly

	MAILDIR_GC_TIME=7200

	# Additional SAN for the certificate
	#
	# You can use wildcard records to create specific names for every domain you add to mailcow.
	# Example: Add domains "example.com" and "example.net" to mailcow, change ADDITIONAL_SAN to a value like:
	#ADDITIONAL_SAN=imap.,smtp.
	# This will expand the certificate to "imap.example.com", "smtp.example.com", "imap.example.net", "imap.example.net"
	# plus every domain you add in the future.
	#
	# You can also just add static names...
	#ADDITIONAL_SAN=srv1.example.net
	# ...or combine wildcard and static names:
	#ADDITIONAL_SAN=imap.*,srv1.example.com
	#

	ADDITIONAL_SAN=

	# Additional server names for mailcow UI
	#
	# Specify alternative addresses for the mailcow UI to respond to
	# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.
	# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.
	# You can understand this as server_name directive in Nginx.
	# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f

	ADDITIONAL_SERVER_NAMES=

	# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n

	SKIP_LETS_ENCRYPT=n

	# Create seperate certificates for all domains - y/n
	# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames
	# see https://wiki.dovecot.org/SSL/SNIClientSupport
	ENABLE_SSL_SNI=n

	# Skip IPv4 check in ACME container - y/n

	SKIP_IP_CHECK=n

	# Skip HTTP verification in ACME container - y/n

	SKIP_HTTP_VERIFICATION=n

	# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n

	SKIP_CLAMD=${SKIP_CLAMD}

	# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n

	SKIP_SOGO=n

	# Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.

	SKIP_SOLR=${SKIP_SOLR}

	# Solr heap size in MB, there is no recommendation, please see Solr docs.
	# Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.

	SOLR_HEAP=1024

	# Allow admins to log into SOGo as email user (without any password)

	ALLOW_ADMIN_EMAIL_LOGIN=n

	# Enable watchdog (watchdog-mailcow) to restart unhealthy containers

	USE_WATCHDOG=y

	# Send watchdog notifications by mail (sent from watchdog@MAILCOW_HOSTNAME)
	# CAUTION:
	# 1. You should use external recipients
	# 2. Mails are sent unsigned (no DKIM)
	# 3. If you use DMARC, create a separate DMARC policy ("v=DMARC1; p=none;" in _dmarc.MAILCOW_HOSTNAME)
	# Multiple rcpts allowed, NO quotation marks, NO spaces

	#WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
	#WATCHDOG_NOTIFY_EMAIL=

	# Notify about banned IP (includes whois lookup)
	WATCHDOG_NOTIFY_BAN=n

	+# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.
	+#WATCHDOG_SUBJECT=
	+
	# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.
	# https://www.servercow.de/mailcow?lang=en
	# https://www.servercow.de/mailcow?lang=de
	# No data is collected. Opt-in and anonymous.
	# Will only work with unmodified mailcow setups.
	WATCHDOG_EXTERNAL_CHECKS=n

	# Max log lines per service to keep in Redis logs

	LOG_LINES=9999

	# Internal IPv4 /24 subnet, format n.n.n (expands to n.n.n.0/24)
	# Use private IPv4 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

	IPV4_NETWORK=172.22.1

	# Internal IPv6 subnet in fc00::/7
	# Use private IPv6 addresses only, see https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses

	IPV6_NETWORK=fd4d:6169:6c63:6f77::/64

	# Use this IPv4 for outgoing connections (SNAT)

	#SNAT_TO_SOURCE=

	# Use this IPv6 for outgoing connections (SNAT)

	#SNAT6_TO_SOURCE=

	# Create or override an API key for the web UI
	# You _must_ define API_ALLOW_FROM, which is a comma separated list of IPs
	# An API key defined as API_KEY has read-write access
	# An API key defined as API_KEY_READ_ONLY has read-only access
	# Allowed chars for API_KEY and API_KEY_READ_ONLY: a-z, A-Z, 0-9, -
	# You can define API_KEY and/or API_KEY_READ_ONLY

	#API_KEY=
	#API_KEY_READ_ONLY=
	#API_ALLOW_FROM=172.22.1.1,127.0.0.1

	# mail_home is ~/Maildir
	MAILDIR_SUB=Maildir

	# SOGo session timeout in minutes
	SOGO_EXPIRE_SESSION=480

	# DOVECOT_MASTER_USER and DOVECOT_MASTER_PASS must both be provided. No special chars.
	# Empty by default to auto-generate master user and password on start.
	# User expands to DOVECOT_MASTER_USER@mailcow.local
	# LEAVE EMPTY IF UNSURE
	DOVECOT_MASTER_USER=
	# LEAVE EMPTY IF UNSURE
	DOVECOT_MASTER_PASS=

	EOF

	mkdir -p data/assets/ssl

	chmod 600 mailcow.conf

	# copy but don't overwrite existing certificate
	echo "Generating snake-oil certificate..."
	# Making Willich more popular
	openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl-example/key.pem -out data/assets/ssl-example/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${MAILCOW_HOSTNAME}" -sha256 -nodes
	echo "Copying snake-oil certificate..."
	cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/
	diff --git a/update.sh b/update.sh
	index 138e01f3..d5114c9f 100755
	--- a/update.sh
	+++ b/update.sh
	@@ -1,635 +1,642 @@
	#!/usr/bin/env bash

	# Check permissions
	if [ "$(id -u)" -ne "0" ]; then
	echo "You need to be root"
	exit 1
	fi

	if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then
	echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
	echo "Please update to 5.x or use another distribution."
	exit 1
	fi

	if [[ "$(uname -r)" =~ ^4\.4\. ]]; then
	if grep -q Ubuntu <<< $(uname -a); then
	echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"
	echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\""
	exit 1
	fi
	echo "mailcow on a 4.4.x kernel is not supported. It may or may not work, please upgrade your kernel or continue at your own risk."
	read -p "Press any key to continue..." < /dev/tty
	fi

	# Exit on error and pipefail
	set -o pipefail

	# Setting high dc timeout
	export COMPOSE_HTTP_TIMEOUT=600

	# Add /opt/bin to PATH
	PATH=$PATH:/opt/bin

	umask 0022

	for bin in curl docker-compose docker git awk sha1sum; do
	if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
	done

	export LC_ALL=C
	DATE=$(date +%Y-%m-%d_%H_%M_%S)
	BRANCH=$(git rev-parse --abbrev-ref HEAD)

	check_online_status() {
	CHECK_ONLINE_IPS=(1.1.1.1 9.9.9.9 8.8.8.8)
	for ip in "${CHECK_ONLINE_IPS[@]}"; do
	if timeout 3 ping -c 1 ${ip} > /dev/null; then
	return 0
	fi
	done
	return 1
	}

	prefetch_images() {
	[[ -z ${BRANCH} ]] && { echo -e "\e[33m\nUnknown branch...\e[0m"; exit 1; }
	git fetch origin #${BRANCH}
	while read image; do
	RET_C=0
	until docker pull ${image}; do
	RET_C=$((RET_C + 1))
	echo -e "\e[33m\nError pulling $image, retrying...\e[0m"
	[ ${RET_C} -gt 3 ] && { echo -e "\e[31m\nToo many failed retries, exiting\e[0m"; exit 1; }
	sleep 1
	done
	done < <(git show origin/${BRANCH}:docker-compose.yml \| grep "image:" \| awk '{ gsub("image:","", $3); print $2 }')
	}

	docker_garbage() {
	IMGS_TO_DELETE=()
	for container in $(grep -oP "image: \Kmailcow.+" docker-compose.yml); do
	REPOSITORY=${container/:*}
	TAG=${container/*:}
	V_MAIN=${container/*.}
	V_SUB=${container/*.}
	EXISTING_TAGS=$(docker images \| grep ${REPOSITORY} \| awk '{ print $2 }')
	for existing_tag in ${EXISTING_TAGS[@]}; do
	V_MAIN_EXISTING=${existing_tag/*.}
	V_SUB_EXISTING=${existing_tag/*.}
	# Not an integer
	[[ ! $V_MAIN_EXISTING =~ ^[0-9]+$ ]] && continue
	[[ ! $V_SUB_EXISTING =~ ^[0-9]+$ ]] && continue

	if [[ $V_MAIN_EXISTING == "latest" ]]; then
	echo "Found deprecated label \"latest\" for repository $REPOSITORY, it should be deleted."
	IMGS_TO_DELETE+=($REPOSITORY:$existing_tag)
	elif [[ $V_MAIN_EXISTING -lt $V_MAIN ]]; then
	echo "Found tag $existing_tag for $REPOSITORY, which is older than the current tag $TAG and should be deleted."
	IMGS_TO_DELETE+=($REPOSITORY:$existing_tag)
	elif [[ $V_SUB_EXISTING -lt $V_SUB ]]; then
	echo "Found tag $existing_tag for $REPOSITORY, which is older than the current tag $TAG and should be deleted."
	IMGS_TO_DELETE+=($REPOSITORY:$existing_tag)
	fi
	done
	done

	if [[ ! -z ${IMGS_TO_DELETE[*]} ]]; then
	echo "Run the following command to delete unused image tags:"
	echo
	echo " docker rmi ${IMGS_TO_DELETE[*]}"
	echo
	if [ ! $FORCE ]; then
	read -r -p "Do you want to delete old image tags right now? [y/N] " response
	if [[ "$response" =~ ^([yY][eE][sS]\|[yY])+$ ]]; then
	docker rmi ${IMGS_TO_DELETE[*]}
	else
	echo "OK, skipped."
	fi
	else
	echo "Skipped image removal because of force mode."
	fi
	fi
	echo -e "\e[32mFurther cleanup...\e[0m"
	echo "If you want to cleanup further garbage collected by Docker, please make sure all containers are up and running before cleaning your system by executing \"docker system prune\""
	}

	while (($#)); do
	case "${1}" in
	--check\|-c)
	echo "Checking remote code for updates..."
	LATEST_REV=$(git ls-remote --exit-code --refs --quiet https://github.com/mailcow/mailcow-dockerized ${BRANCH} \| cut -f1)
	if [ $? -ne 0 ]; then
	echo "A problem occurred while trying to fetch the latest revision from github."
	exit 99
	fi
	if [[ -z $(git log HEAD --pretty=format:"%H" \| grep "${LATEST_REV}") ]]; then
	echo "Updated code is available."
	git log --date=short --pretty=format:"%ad - %s" $(git rev-parse --short HEAD)..origin/master
	exit 0
	else
	echo "No updates available."
	exit 3
	fi
	;;
	--ours)
	MERGE_STRATEGY=ours
	;;
	--skip-start)
	SKIP_START=y
	;;
	--gc)
	echo -e "\e[32mCollecting garbage...\e[0m"
	docker_garbage
	exit 0
	;;
	--prefetch)
	echo -e "\e[32mPrefetching images...\e[0m"
	prefetch_images
	exit 0
	;;
	-f\|--force)
	echo -e "\e[32mForcing Update...\e[0m"
	FORCE=y
	;;
	--no-update-compose)
	NO_UPDATE_COMPOSE=y
	;;
	--help\|-h)
	echo './update.sh [-c\|--check, --ours, --gc, --no-update-compose, --prefetch, --skip-start, -f\|--force, -h\|--help]

	-c\|--check - Check for updates and exit (exit codes => 0: update available, 3: no updates)
	--ours - Use merge strategy option "ours" to solve conflicts in favor of non-mailcow code (local changes over remote changes), not recommended!
	--gc - Run garbage collector to delete old image tags
	--no-update-compose - Do not update docker-compose
	--prefetch - Only prefetch new images and exit (useful to prepare updates)
	--skip-start - Do not start mailcow after update
	-f\|--force - Force update, do not ask questions
	'
	exit 1
	esac
	shift
	done

	[[ ! -f mailcow.conf ]] && { echo "mailcow.conf is missing"; exit 1;}
	chmod 600 mailcow.conf
	source mailcow.conf
	DOTS=${MAILCOW_HOSTNAME//[^.]};
	if [ ${#DOTS} -lt 2 ]; then
	echo "MAILCOW_HOSTNAME (${MAILCOW_HOSTNAME}) is not a FQDN!"
	echo "Please change it to a FQDN and run docker-compose down followed by docker-compose up -d"
	exit 1
	fi

	if grep --help 2>&1 \| head -n 1 \| grep -q -i "busybox"; then echo "BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\""; exit 1; fi
	if cp --help 2>&1 \| head -n 1 \| grep -q -i "busybox"; then echo "BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\""; exit 1; fi
	if sed --help 2>&1 \| head -n 1 \| grep -q -i "busybox"; then echo "BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\""; exit 1; fi

	CONFIG_ARRAY=(
	"SKIP_LETS_ENCRYPT"
	"SKIP_SOGO"
	"USE_WATCHDOG"
	"WATCHDOG_NOTIFY_EMAIL"
	"WATCHDOG_NOTIFY_BAN"
	"WATCHDOG_EXTERNAL_CHECKS"
	+ "WATCHDOG_SUBJECT"
	"SKIP_CLAMD"
	"SKIP_IP_CHECK"
	"ADDITIONAL_SAN"
	"DOVEADM_PORT"
	"IPV4_NETWORK"
	"IPV6_NETWORK"
	"LOG_LINES"
	"SNAT_TO_SOURCE"
	"SNAT6_TO_SOURCE"
	"COMPOSE_PROJECT_NAME"
	"SQL_PORT"
	"API_KEY"
	"API_KEY_READ_ONLY"
	"API_ALLOW_FROM"
	"MAILDIR_GC_TIME"
	"MAILDIR_SUB"
	"ACL_ANYONE"
	"SOLR_HEAP"
	"SKIP_SOLR"
	"ENABLE_SSL_SNI"
	"ALLOW_ADMIN_EMAIL_LOGIN"
	"SKIP_HTTP_VERIFICATION"
	"SOGO_EXPIRE_SESSION"
	"REDIS_PORT"
	"DOVECOT_MASTER_USER"
	"DOVECOT_MASTER_PASS"
	"MAILCOW_PASS_SCHEME"
	"XMPP_C2S_PORT"
	"XMPP_S2S_PORT"
	"XMPP_HTTPS_PORT"
	"ADDITIONAL_SERVER_NAMES"
	)

	sed -i --follow-symlinks '$a\' mailcow.conf
	for option in ${CONFIG_ARRAY[@]}; do
	if [[ ${option} == "ADDITIONAL_SAN" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo "${option}=" >> mailcow.conf
	fi
	elif [[ ${option} == "COMPOSE_PROJECT_NAME" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo "COMPOSE_PROJECT_NAME=mailcowdockerized" >> mailcow.conf
	fi
	elif [[ ${option} == "DOVEADM_PORT" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf
	fi
	elif [[ ${option} == "WATCHDOG_NOTIFY_EMAIL" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo "WATCHDOG_NOTIFY_EMAIL=" >> mailcow.conf
	fi
	elif [[ ${option} == "LOG_LINES" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf
	echo "LOG_LINES=9999" >> mailcow.conf
	fi
	elif [[ ${option} == "IPV4_NETWORK" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf
	echo "IPV4_NETWORK=172.22.1" >> mailcow.conf
	fi
	elif [[ ${option} == "IPV6_NETWORK" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Internal IPv6 subnet in fc00::/7' >> mailcow.conf
	echo "IPV6_NETWORK=fd4d:6169:6c63:6f77::/64" >> mailcow.conf
	fi
	elif [[ ${option} == "SQL_PORT" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Bind SQL to 127.0.0.1 on port 13306' >> mailcow.conf
	echo "SQL_PORT=127.0.0.1:13306" >> mailcow.conf
	fi
	elif [[ ${option} == "API_KEY" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Create or override API key for web UI' >> mailcow.conf
	echo "#API_KEY=" >> mailcow.conf
	fi
	elif [[ ${option} == "API_KEY_READ_ONLY" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Create or override read-only API key for web UI' >> mailcow.conf
	echo "#API_KEY_READ_ONLY=" >> mailcow.conf
	fi
	elif [[ ${option} == "API_ALLOW_FROM" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Must be set for API_KEY to be active' >> mailcow.conf
	echo '# IPs only, no networks (networks can be set via UI)' >> mailcow.conf
	echo "#API_ALLOW_FROM=" >> mailcow.conf
	fi
	elif [[ ${option} == "SNAT_TO_SOURCE" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Use this IPv4 for outgoing connections (SNAT)' >> mailcow.conf
	echo "#SNAT_TO_SOURCE=" >> mailcow.conf
	fi
	elif [[ ${option} == "SNAT6_TO_SOURCE" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Use this IPv6 for outgoing connections (SNAT)' >> mailcow.conf
	echo "#SNAT6_TO_SOURCE=" >> mailcow.conf
	fi
	elif [[ ${option} == "MAILDIR_GC_TIME" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Garbage collector cleanup' >> mailcow.conf
	echo '# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring' >> mailcow.conf
	echo '# How long should objects remain in the garbage until they are being deleted? (value in minutes)' >> mailcow.conf
	echo '# Check interval is hourly' >> mailcow.conf
	echo 'MAILDIR_GC_TIME=1440' >> mailcow.conf
	fi
	elif [[ ${option} == "ACL_ANYONE" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Set this to "allow" to enable the anyone pseudo user. Disabled by default.' >> mailcow.conf
	echo '# When enabled, ACL can be created, that apply to "All authenticated users"' >> mailcow.conf
	echo '# This should probably only be activated on mail hosts, that are used exclusivly by one organisation.' >> mailcow.conf
	echo '# Otherwise a user might share data with too many other users.' >> mailcow.conf
	echo 'ACL_ANYONE=disallow' >> mailcow.conf
	fi
	elif [[ ${option} == "SOLR_HEAP" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Solr heap size, there is no recommendation, please see Solr docs.' >> mailcow.conf
	echo '# Solr is a prone to run OOM on large systems and should be monitored. Unmonitored Solr setups are not recommended.' >> mailcow.conf
	echo '# Solr will refuse to start with total system memory below or equal to 2 GB.' >> mailcow.conf
	echo "SOLR_HEAP=1024" >> mailcow.conf
	fi
	elif [[ ${option} == "SKIP_SOLR" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Solr is disabled by default after upgrading from non-Solr to Solr-enabled mailcows.' >> mailcow.conf
	echo '# Disable Solr or if you do not want to store a readable index of your mails in solr-vol-1.' >> mailcow.conf
	echo "SKIP_SOLR=y" >> mailcow.conf
	fi
	elif [[ ${option} == "ENABLE_SSL_SNI" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Create seperate certificates for all domains - y/n' >> mailcow.conf
	echo '# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames' >> mailcow.conf
	echo '# see https://wiki.dovecot.org/SSL/SNIClientSupport' >> mailcow.conf
	echo "ENABLE_SSL_SNI=n" >> mailcow.conf
	fi
	elif [[ ${option} == "SKIP_SOGO" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n' >> mailcow.conf
	echo "SKIP_SOGO=n" >> mailcow.conf
	fi
	elif [[ ${option} == "MAILDIR_SUB" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# MAILDIR_SUB defines a path in a users virtual home to keep the maildir in. Leave empty for updated setups.' >> mailcow.conf
	echo "#MAILDIR_SUB=Maildir" >> mailcow.conf
	echo "MAILDIR_SUB=" >> mailcow.conf
	fi
	elif [[ ${option} == "WATCHDOG_NOTIFY_BAN" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf
	echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf
	fi
	+ elif [[ ${option} == "WATCHDOG_SUBJECT" ]]; then
	+ if ! grep -q ${option} mailcow.conf; then
	+ echo "Adding new option \"${option}\" to mailcow.conf"
	+ echo '# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.' >> mailcow.conf
	+ echo "#WATCHDOG_SUBJECT=" >> mailcow.conf
	+ fi
	elif [[ ${option} == "WATCHDOG_EXTERNAL_CHECKS" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.' >> mailcow.conf
	echo '# No data is collected. Opt-in and anonymous.' >> mailcow.conf
	echo '# Will only work with unmodified mailcow setups.' >> mailcow.conf
	echo "WATCHDOG_EXTERNAL_CHECKS=n" >> mailcow.conf
	fi
	elif [[ ${option} == "SOGO_EXPIRE_SESSION" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# SOGo session timeout in minutes' >> mailcow.conf
	echo "SOGO_EXPIRE_SESSION=480" >> mailcow.conf
	fi
	elif [[ ${option} == "REDIS_PORT" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo "REDIS_PORT=127.0.0.1:7654" >> mailcow.conf
	fi
	elif [[ ${option} == "DOVECOT_MASTER_USER" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# DOVECOT_MASTER_USER and _PASS must _both_ be provided. No special chars.' >> mailcow.conf
	echo '# Empty by default to auto-generate master user and password on start.' >> mailcow.conf
	echo '# User expands to DOVECOT_MASTER_USER@mailcow.local' >> mailcow.conf
	echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
	echo "DOVECOT_MASTER_USER=" >> mailcow.conf
	fi
	elif [[ ${option} == "DOVECOT_MASTER_PASS" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
	echo "DOVECOT_MASTER_PASS=" >> mailcow.conf
	fi
	elif [[ ${option} == "MAILCOW_PASS_SCHEME" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo '# Password hash algorithm' >> mailcow.conf
	echo '# Only certain password hash algorithm are supported. For a fully list of supported schemes,' >> mailcow.conf
	echo '# see https://mailcow.github.io/mailcow-dockerized-docs/model-passwd/' >> mailcow.conf
	echo "MAILCOW_PASS_SCHEME=BLF-CRYPT" >> mailcow.conf
	fi
	elif [[ ${option} == "XMPP_C2S_PORT" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "XMPP_C2S_PORT=5222" >> mailcow.conf
	fi
	elif [[ ${option} == "XMPP_S2S_PORT" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "XMPP_S2S_PORT=5269" >> mailcow.conf
	fi
	elif [[ ${option} == "ADDITIONAL_SERVER_NAMES" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo '# Additional server names for mailcow UI' >> mailcow.conf
	echo '#' >> mailcow.conf
	echo '# Specify alternative addresses for the mailcow UI to respond to' >> mailcow.conf
	echo '# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.' >> mailcow.conf
	echo '# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.' >> mailcow.conf
	echo '# You can understand this as server_name directive in Nginx.' >> mailcow.conf
	echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf
	echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf
	fi
	elif [[ ${option} == "XMPP_HTTPS_PORT" ]]; then
	if ! grep -q ${option} mailcow.conf; then
	echo "XMPP_HTTPS_PORT=5443" >> mailcow.conf
	fi
	elif ! grep -q ${option} mailcow.conf; then
	echo "Adding new option \"${option}\" to mailcow.conf"
	echo "${option}=n" >> mailcow.conf
	fi
	done

	echo -en "Checking internet connection... "
	if ! check_online_status; then
	echo -e "\e[31mfailed\e[0m"
	exit 1
	else
	echo -e "\e[32mOK\e[0m"
	fi

	echo -e "\e[32mChecking for newer update script...\e[0m"
	SHA1_1=$(sha1sum update.sh)
	git fetch origin #${BRANCH}
	git checkout origin/${BRANCH} update.sh
	SHA1_2=$(sha1sum update.sh)
	if [[ ${SHA1_1} != ${SHA1_2} ]]; then
	echo "update.sh changed, please run this script again, exiting."
	chmod +x update.sh
	exit 2
	fi

	if [[ -f mailcow.conf ]]; then
	source mailcow.conf
	else
	echo -e "\e[31mNo mailcow.conf - is mailcow installed?\e[0m"
	exit 1
	fi

	if [ ! $FORCE ]; then
	read -r -p "Are you sure you want to update mailcow: dockerized? All containers will be stopped. [y/N] " response
	if [[ ! "$response" =~ ^([yY][eE][sS]\|[yY])+$ ]]; then
	echo "OK, exiting."
	exit 0
	fi
	fi

	echo -e "\e[32mValidating docker-compose stack configuration...\e[0m"
	if ! docker-compose config -q; then
	echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m"
	exit 1
	fi

	echo -e "\e[32mChecking for conflicting bridges...\e[0m"
	MAILCOW_BRIDGE=$(docker-compose config \| grep -i com.docker.network.bridge.name \| cut -d':' -f2)
	while read NAT_ID; do
	iptables -t nat -D POSTROUTING $NAT_ID
	done < <(iptables -L -vn -t nat --line-numbers \| grep $IPV4_NETWORK \| grep -E 'MASQUERADE.*all' \| grep -v ${MAILCOW_BRIDGE} \| cut -d' ' -f1)

	DIFF_DIRECTORY=update_diffs
	DIFF_FILE=${DIFF_DIRECTORY}/diff_before_update_$(date +"%Y-%m-%d-%H-%M-%S")
	mv diff_before_update* ${DIFF_DIRECTORY}/ 2> /dev/null
	if ! git diff-index --quiet HEAD; then
	echo -e "\e[32mSaving diff to ${DIFF_FILE}...\e[0m"
	mkdir -p ${DIFF_DIRECTORY}
	git diff --stat > ${DIFF_FILE}
	git diff >> ${DIFF_FILE}
	fi

	echo -e "\e[32mPrefetching images...\e[0m"
	prefetch_images

	echo -e "\e[32mStopping mailcow...\e[0m"
	sleep 2
	MAILCOW_CONTAINERS=($(docker-compose ps -q))
	docker-compose down
	echo -e "\e[32mChecking for remaining containers...\e[0m"
	sleep 2
	for container in "${MAILCOW_CONTAINERS[@]}"; do
	docker rm -f "$container" 2> /dev/null
	done

	[[ -f data/conf/nginx/ejabberd.conf ]] && mv data/conf/nginx/ejabberd.conf data/conf/nginx/ZZZ-ejabberd.conf

	# Silently fixing remote url from andryyy to mailcow
	git remote set-url origin https://github.com/mailcow/mailcow-dockerized
	echo -e "\e[32mCommitting current status...\e[0m"
	[[ -z "$(git config user.name)" ]] && git config user.name moo
	[[ -z "$(git config user.email)" ]] && git config user.email moo@cow.moo
	[[ ! -z $(git ls-files data/conf/rspamd/override.d/worker-controller-password.inc) ]] && git rm data/conf/rspamd/override.d/worker-controller-password.inc
	git add -u
	git commit -am "Before update on ${DATE}" > /dev/null
	echo -e "\e[32mFetching updated code from remote...\e[0m"
	git fetch origin #${BRANCH}
	echo -e "\e[32mMerging local with remote code (recursive, strategy: \"${MERGE_STRATEGY:-theirs}\", options: \"patience\"...\e[0m"
	git config merge.defaultToUpstream true
	git merge -X${MERGE_STRATEGY:-theirs} -Xpatience -m "After update on ${DATE}"
	# Need to use a variable to not pass return codes of if checks
	MERGE_RETURN=$?
	if [[ ${MERGE_RETURN} == 128 ]]; then
	echo -e "\e[31m\nOh no, what happened?\n=> You most likely added files to your local mailcow instance that were now added to the official mailcow repository. Please move them to another location before updating mailcow.\e[0m"
	exit 1
	elif [[ ${MERGE_RETURN} == 1 ]]; then
	echo -e "\e[93mPotenial conflict, trying to fix...\e[0m"
	git status --porcelain \| grep -E "UD\|DU" \| awk '{print $2}' \| xargs rm -v
	git add -A
	git commit -m "After update on ${DATE}" > /dev/null
	git checkout .
	echo -e "\e[32mRemoved and recreated files if necessary.\e[0m"
	elif [[ ${MERGE_RETURN} != 0 ]]; then
	echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m"
	echo
	echo "Run docker-compose up -d to restart your stack without updates or try again after fixing the mentioned errors."
	exit 1
	fi

	if [[ ${NO_UPDATE_COMPOSE} == "y" ]]; then
	echo -e "\e[33mNot fetching latest docker-compose, please check for updates manually!\e[0m"
	elif [[ -e /etc/alpine-release ]]; then
	echo -e "\e[33mNot fetching latest docker-compose, because you are using Alpine Linux without glibc support. Please update docker-compose via apk!\e[0m"
	else
	echo -e "\e[32mFetching new docker-compose version...\e[0m"
	echo -e "\e[32mTrying to determine GLIBC version...\e[0m"
	if ldd --version > /dev/null; then
	GLIBC_V=$(ldd --version \| grep -E '(GLIBC\|GNU libc)' \| rev \| cut -d ' ' -f1 \| rev \| cut -d '.' -f2)
	if [ ! -z "${GLIBC_V}" ] && [ ${GLIBC_V} -gt 27 ]; then
	DC_DL_SUFFIX=
	else
	DC_DL_SUFFIX=legacy
	fi
	else
	DC_DL_SUFFIX=legacy
	fi
	sleep 1
	if [[ ! -z $(which pip) && $(pip list --local 2>&1 \| grep -v DEPRECATION \| grep -c docker-compose) == 1 ]]; then
	true
	#prevent breaking a working docker-compose installed with pip
	elif [[ $(curl -sL -w "%{http_code}" https://www.servercow.de/docker-compose/latest.php?vers=${DC_DL_SUFFIX} -o /dev/null) == "200" ]]; then
	LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php)
	COMPOSE_VERSION=$(docker-compose version --short)
	if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then
	COMPOSE_PATH=$(which docker-compose)
	if [[ -w ${COMPOSE_PATH} ]]; then
	curl -#L https://github.com/docker/compose/releases/download/${LATEST_COMPOSE}/docker-compose-$(uname -s)-$(uname -m) > $COMPOSE_PATH
	chmod +x $COMPOSE_PATH
	else
	echo -e "\e[33mWARNING: $COMPOSE_PATH is not writable, but new version $LATEST_COMPOSE is available (installed: $COMPOSE_VERSION)\e[0m"
	fi
	fi
	else
	echo -e "\e[33mCannot determine latest docker-compose version, skipping...\e[0m"
	fi
	fi

	echo -e "\e[32mFetching new images, if any...\e[0m"
	sleep 2
	docker-compose pull

	# Fix missing SSL, does not overwrite existing files
	[[ ! -d data/assets/ssl ]] && mkdir -p data/assets/ssl
	cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/

	echo -e "Checking IPv6 settings... "
	if grep -q 'SYSCTL_IPV6_DISABLED=1' mailcow.conf; then
	echo
	echo '!! IMPORTANT !!'
	echo
	echo 'SYSCTL_IPV6_DISABLED was removed due to complications. IPv6 can be disabled by editing "docker-compose.yml" and setting "enable_ipv6: true" to "enable_ipv6: false".'
	echo 'This setting will only be active after a complete shutdown of mailcow by running "docker-compose down" followed by "docker-compose up -d".'
	echo
	echo '!! IMPORTANT !!'
	echo
	read -p "Press any key to continue..." < /dev/tty
	fi

	# Checking for old project name bug
	sed -i --follow-symlinks 's#COMPOSEPROJECT_NAME#COMPOSE_PROJECT_NAME#g' mailcow.conf
	# Checking old, wrong bindings
	sed -i --follow-symlinks 's/HTTP_BIND=0.0.0.0/HTTP_BIND=/g' mailcow.conf
	sed -i --follow-symlinks 's/HTTPS_BIND=0.0.0.0/HTTPS_BIND=/g' mailcow.conf

	# Fix Rspamd maps
	if [ -f data/conf/rspamd/custom/global_from_blacklist.map ]; then
	mv data/conf/rspamd/custom/global_from_blacklist.map data/conf/rspamd/custom/global_smtp_from_blacklist.map
	fi
	if [ -f data/conf/rspamd/custom/global_from_whitelist.map ]; then
	mv data/conf/rspamd/custom/global_from_whitelist.map data/conf/rspamd/custom/global_smtp_from_whitelist.map
	fi

	# Fix deprecated metrics.conf
	if [ -f "data/conf/rspamd/local.d/metrics.conf" ]; then
	if [ ! -z "$(git diff --name-only origin/master data/conf/rspamd/local.d/metrics.conf)" ]; then
	echo -e "\e[33mWARNING\e[0m - Please migrate your customizations of data/conf/rspamd/local.d/metrics.conf to actions.conf and groups.conf after this update."
	echo "The deprecated configuration file metrics.conf will be moved to metrics.conf_deprecated after updating mailcow."
	fi
	mv data/conf/rspamd/local.d/metrics.conf data/conf/rspamd/local.d/metrics.conf_deprecated
	fi

	if [[ ${SKIP_START} == "y" ]]; then
	echo -e "\e[33mNot starting mailcow, please run \"docker-compose up -d --remove-orphans\" to start mailcow.\e[0m"
	else
	echo -e "\e[32mStarting mailcow...\e[0m"
	sleep 2
	docker-compose up -d --remove-orphans
	fi

	echo -e "\e[32mCollecting garbage...\e[0m"
	docker_garbage

	#echo "In case you encounter any problem, hard-reset to a state before updating mailcow:"
	#echo
	#git reflog --color=always \| grep "Before update on "
	#echo
	#echo "Use \"git reset --hard hash-on-the-left\" and run docker-compose up -d afterwards."

File Metadata

Mime Type: text/x-diff
Expires: 9月 12 Fri, 2:47 AM (1 d, 11 h)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 5652
默认替代文本: (102 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions