set version to 0.9.35.1; fix updater :x

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
set version to 0.9.35 final for upcoming release
2016-04-08 13:52:06 +02:00 · 2016-04-08 12:54:17 +02:00 · 2016-04-07 07:56:16 +02:00 · 2016-03-31 15:43:15 +02:00 · 2016-03-31 15:02:04 +02:00 · 2016-03-23 18:40:54 +01:00
118 changed files with 5685 additions and 1968 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,6 @@ install/update.log
 .settings/
 *.diff
 *~
+.well-known
+.idea
+*.iml
--- a/README.md
+++ b/README.md
@@ -51,10 +51,24 @@ http://files.froxlor.org/releases/froxlor-latest.tar.gz [MD5](http://files.froxl
 [HowTo](http://redmine.froxlor.org/projects/froxlor/wiki/Installationdebian)

 /etc/apt/sources.list.d/froxlor.list
-> deb http://debian.froxlor.org [squeeze|wheezy] main
+> deb http://debian.froxlor.org {wheezy|jessie} main

 ### Gentoo repository

 [HowTo](http://redmine.froxlor.org/projects/froxlor/wiki/Installationgentoo)

 http://files.froxlor.org/gentoo/repositories.xml
+
+## Let's Encrypt support
+
+This version of Froxlor contains a test implementation of support for [Let's Encrypt](https://letsencrypt.org). This is (as Let's Encrypt is in itself)
+still a beta version and may break your system. The way it currently works is by creating a (sub-)domain with the default system - certificate,
+after which the Let's Encrypt cronjob orders the certificate for this (sub-)domain and inserts the certificates in the database. With the next run
+of the default cronjob, the certificates will be updated on the disk and the webserver reloaded.
+
+This has 2 known side-effects at the moment:
+* The basic ip/port combinations don't work with the Froxlor - integration of Let's Encrypt, since it needs a certificate for the very first creation
+* After creating a domain, it will have the default certificate for a short time (by default 5 minutes until the cronjob runs the next time)
+
+It may be possible to fix these issues, but they are not a priority at the moment
+
--- a/actions/admin/settings/100.panel.php
+++ b/actions/admin/settings/100.panel.php
@@ -182,7 +182,7 @@ return array(
 					'settinggroup' => 'admin',
 					'varname' => 'show_news_feed',
 					'type' => 'bool',
-					'default' => true,
+					'default' => false,
 					'save_method' => 'storeSettingField',
 					),
 				'customer_show_news_feed' => array(
@@ -190,7 +190,7 @@ return array(
 					'settinggroup' => 'customer',
 					'varname' => 'show_news_feed',
 					'type' => 'bool',
-					'default' => true,
+					'default' => false,
 					'save_method' => 'storeSettingField',
 					),
 				'customer_news_feed_url' => array(
--- a/actions/admin/settings/120.system.php
+++ b/actions/admin/settings/120.system.php
@@ -55,7 +55,7 @@ return array(
 					'settinggroup' => 'system',
 					'varname' => 'defaultip',
 					'type' => 'option',
-					'option_mode' => 'one',
+					'option_mode' => 'multiple',
 					'option_options_method' => 'getIpPortCombinations',
 					'default' => '',
 					'save_method' => 'storeSettingDefaultIp',
--- a/actions/admin/settings/125.cronjob.php
+++ b/actions/admin/settings/125.cronjob.php
@@ -29,20 +29,12 @@ return array(
 					'default' => '/etc/cron.d/froxlor',
 					'save_method' => 'storeSettingField',
 					),
-				'system_send_cron_errors' => array(
-					'label' => $lng['serversettings']['system_send_cron_errors'],
-					'settinggroup' => 'system',
-					'varname' => 'send_cron_errors',
-					'type' => 'bool',
-					'default' => false,
-					'save_method' => 'storeSettingField',
-				),
 				'system_croncmdline' => array(
 					'label' => $lng['serversettings']['system_croncmdline'],
 					'settinggroup' => 'system',
 					'varname' => 'croncmdline',
 					'type' => 'string',
-					'default' => '/usr/bin/nice -n 5 /usr/bin/php5 -q',
+					'default' => '/usr/bin/nice -n 5 /usr/bin/php -q',
 					'save_method' => 'storeSettingField',
 					),
 				'system_crondreload' => array(
--- a/actions/admin/settings/131.ssl.php
+++ b/actions/admin/settings/131.ssl.php
@@ -79,7 +79,70 @@ return array(
 									'string_emptyallowed' => true,
 									'default' => '',
 									'save_method' => 'storeSettingField',
-							)
+							),
+							'system_leenabled' => array(
+							        'label' => $lng['serversettings']['leenabled'],
+							        'settinggroup' => 'system',
+							        'varname' => 'leenabled',
+							        'type' => 'bool',
+							        'default' => false,
+							        'cronmodule' => 'froxlor/letsencrypt',
+							        'save_method' => 'storeSettingField'
+							),
+							'system_letsencryptca' => array(
+									'label' => $lng['serversettings']['letsencryptca'],
+									'settinggroup' => 'system',
+									'varname' => 'letsencryptca',
+									'type' => 'option',
+									'default' => 'testing',
+									'option_mode' => 'one',
+									'option_options' => array('testing' => 'https://acme-staging.api.letsencrypt.org (Test)', 'production' => 'https://acme-v01.api.letsencrypt.org (Live)'),
+									'save_method' => 'storeSettingField',
+							),
+							'system_letsencryptcountrycode' => array(
+									'label' => $lng['serversettings']['letsencryptcountrycode'],
+									'settinggroup' => 'system',
+									'varname' => 'letsencryptcountrycode',
+									'type' => 'string',
+									'string_emptyallowed' => false,
+									'default' => 'DE',
+									'save_method' => 'storeSettingField',
+							),
+							'system_letsencryptstate' => array(
+									'label' => $lng['serversettings']['letsencryptstate'],
+									'settinggroup' => 'system',
+									'varname' => 'letsencryptstate',
+									'type' => 'string',
+									'string_emptyallowed' => false,
+									'default' => 'Germany',
+									'save_method' => 'storeSettingField',
+							),
+							'system_letsencryptchallengepath' => array(
+									'label' => $lng['serversettings']['letsencryptchallengepath'],
+									'settinggroup' => 'system',
+									'varname' => 'letsencryptchallengepath',
+									'type' => 'string',
+									'string_emptyallowed' => false,
+									'default' => FROXLOR_INSTALL_DIR,
+									'save_method' => 'storeSettingField',
+							),
+							'system_letsencryptkeysize' => array(
+									'label' => $lng['serversettings']['letsencryptkeysize'],
+									'settinggroup' => 'system',
+									'varname' => 'letsencryptkeysize',
+									'type' => 'int',
+									'int_min' => 2048,
+									'default' => 4096,
+									'save_method' => 'storeSettingField',
+							),
+							'system_letsencryptreuseold' => array(
+									'label' => $lng['serversettings']['letsencryptreuseold'],
+									'settinggroup' => 'system',
+									'varname' => 'letsencryptreuseold',
+									'type' => 'bool',
+									'default' => false,
+									'save_method' => 'storeSettingField',
+							),
 					)
 			)
 		)
--- a/actions/admin/settings/160.nameserver.php
+++ b/actions/admin/settings/160.nameserver.php
@@ -73,7 +73,7 @@ return array(
 					'settinggroup' => 'system',
 					'varname' => 'axfrservers',
 					'type' => 'string',
-					'string_type' => 'validate_ip',
+					'string_type' => 'validate_ip_incl_private',
 					'string_delimiter' => ',',
 					'string_emptyallowed' => true,
 					'default' => '',
--- a/actions/admin/settings/170.logger.php
+++ b/actions/admin/settings/170.logger.php
@@ -65,8 +65,14 @@ return array(
 					'label' => $lng['serversettings']['logger']['logcron'],
 					'settinggroup' => 'logger',
 					'varname' => 'log_cron',
-					'type' => 'bool',
-					'default' => false,
+					'type' => 'option',
+					'default' => 0,
+					'option_mode' => 'one',
+					'option_options' => array(
+							0 => $lng['serversettings']['logger']['logcronoption']['never'],
+							1 => $lng['serversettings']['logger']['logcronoption']['once'],
+							2 => $lng['serversettings']['logger']['logcronoption']['always']
+						),
 					'save_method' => 'storeSettingField',
 					),
 				),
@@ -74,4 +80,4 @@ return array(
 		)
 	);

-?>
+?>
--- a/admin_admins.php
+++ b/admin_admins.php
@@ -155,7 +155,6 @@ if ($page == 'admins'
 		if ($result['loginname'] != '') {
 			if ($result['adminid'] == $userinfo['userid']) {
 				standard_error('youcantdeleteyourself');
-				exit;
 			}

 			if (isset($_POST['send'])
--- a/admin_apcuinfo.php
+++ b/admin_apcuinfo.php
@@ -46,7 +46,6 @@ if (!function_exists('apcu_cache_info') ||
        !function_exists('apcu_sma_info')
 ) {
    standard_error($lng['error']['no_apcuinfo']);
-    exit();
 }

 if ($page == 'showinfo'
@@ -73,6 +72,15 @@ if ($page == 'showinfo'
    $uptime_duration = duration($cache['start_time']);
    $size_vars = bsize($cache['mem_size']);

+    // check for possible empty values that are used in the templates
+    if (!isset($cache['file_upload_progress'])) {
+        $cache['file_upload_progress'] = $lng['logger']['unknown'];
+    }
+
+    if (!isset($cache['num_expunges'])) {
+        $cache['num_expunges'] = $lng['logger']['unknown'];
+    }
+
    $runtimelines = '';
    foreach (ini_get_all('apcu') as $name => $v) {
        $value = $v['local_value'];
@@ -334,7 +342,7 @@ function fill_arc($im, $centerX, $centerY, $diameter, $start, $end, $color1, $co


    if (function_exists("imagefilledarc")) {
-        // exists only if GD 2.0.1 is avaliable
+        // exists only if GD 2.0.1 is available
        imagefilledarc($im, $centerX + 1, $centerY + 1, $diameter, $diameter, $start, $end, $color1, IMG_ARC_PIE);
        imagefilledarc($im, $centerX, $centerY, $diameter, $diameter, $start, $end, $color2, IMG_ARC_PIE);
        imagefilledarc($im, $centerX, $centerY, $diameter, $diameter, $start, $end, $color1, IMG_ARC_NOFILL | IMG_ARC_EDGED);
--- a/admin_autoupdate.php
+++ b/admin_autoupdate.php
@@ -0,0 +1,209 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2016 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Michael Kaufmann <mkaufmann@nutime.de>
+ * @author     Froxlor team <team@froxlor.org> (2010-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Frontend
+ *
+ * @since      0.9.35
+ *
+ */
+
+define('AREA', 'admin');
+require './lib/init.php';
+
+// define update-uri
+define('UPDATE_URI', "https://version.froxlor.org/Froxlor/legacy/" . $version);
+define('RELEASE_URI', "https://autoupdate.froxlor.org/froxlor-{version}.zip");
+define('CHECKSUM_URI', "https://autoupdate.froxlor.org/froxlor-{version}.zip.sha256");
+
+// check for allow_url_fopen
+if (ini_get('allow_url_fopen') === false) {
+	redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 1));
+}
+
+// check for archive-stuff
+if (function_exists('gzopen') === false) {
+	redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 2));
+}
+
+// display initial version check
+if ($page == 'overview') {
+
+	// log our actions
+	$log->logAction(ADM_ACTION, LOG_NOTICE, "checking auto-update");
+
+	// check for new version
+	$latestversion = @file(UPDATE_URI);
+
+	if (isset($latestversion[0])) {
+		$latestversion = explode('|', $latestversion[0]);
+
+		if (is_array($latestversion)
+				&& count($latestversion) >= 1
+		) {
+			$_version = $latestversion[0];
+			$_message = isset($latestversion[1]) ? $latestversion[1] : '';
+			$_link = isset($latestversion[2]) ? $latestversion[2] : htmlspecialchars($filename . '?s=' . urlencode($s) . '&page=' . urlencode($page) . '&lookfornewversion=yes');
+
+			// add the branding so debian guys are not gettings confused
+			// about their version-number
+			$version_label = $_version.$branding;
+			$version_link = $_link;
+			$message_addinfo = $_message;
+
+			// not numeric -> error-message
+			if (!preg_match('/^((\d+\\.)(\d+\\.)(\d+\\.)?(\d+)?(\-(svn|dev|rc)(\d+))?)$/', $_version)) {
+				// check for customized version to not output
+				// "There is a newer version of froxlor" besides the error-message
+				redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 3));
+			} elseif (version_compare2($version, $_version) == -1) {
+				// there is a newer version - yay
+				$isnewerversion = 1;
+			} else {
+				// nothing new
+				$isnewerversion = 0;
+			}
+
+			// anzeige über version-status mit ggfls. formular
+			// zum update schritt #1 -> download
+			if ($isnewerversion == 1) {
+				$text = 'There is a newer version available. Update to version <b>'.$_version.'</b> now?<br/>(Your current version is: '.$version.')';
+				$hiddenparams = '<input type="hidden" name="newversion" value="'.$_version.'" />';
+				$yesfile = $filename.'?s='.$s.'&amp;page=getdownload';
+				eval("echo \"" . getTemplate("misc/question_yesno", true) . "\";");
+				exit;
+			}
+			elseif ($isnewerversion == 0) {
+				// all good
+			    standard_success ('noupdatesavail');
+			} else {
+				standard_error ('customized_version');
+			}
+		}
+	}
+	// error (something weird came from version.froxlor.org)
+	redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 5));
+}
+// download the new archive
+elseif ($page == 'getdownload') {
+
+	// retrieve the new version from the form
+	$newversion = isset($_POST['newversion']) ? $_POST['newversion'] : null;
+
+	// valid?
+	if ($newversion !== null) {
+
+		// define files to get
+		$toLoad = str_replace('{version}', $newversion, RELEASE_URI);
+		$toCheck = str_replace('{version}', $newversion, CHECKSUM_URI);
+
+		// get archive data
+		$newArchive = @file_get_contents($toLoad);
+
+		// check for local destination folder
+		if (!is_dir(FROXLOR_INSTALL_DIR.'/updates/')) {
+			mkdir(FROXLOR_INSTALL_DIR.'/updates/');
+		}
+
+		// name archive
+		$localArchive = FROXLOR_INSTALL_DIR.'/updates/'.basename($toLoad);
+
+		$log->logAction(ADM_ACTION, LOG_NOTICE, "Downloading ".$toLoad." to ".$localArchive);
+
+		// remove old archive
+		if (file_exists($localArchive)) {
+		    @unlink($localArchive);
+		}
+
+		// store archive
+		$fh = fopen($localArchive, 'w');
+		if (!fwrite($fh, $newArchive)) {
+			redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 4));
+		}
+
+		// close file-handle
+		fclose($fh);
+
+		// validate the integrity of the downloaded file
+		$_shouldsum = @file_get_contents($toCheck);
+		if (!empty($_shouldsum)) {
+		    $_t = explode(" ", $_shouldsum);
+		    $shouldsum = $_t[0];
+		} else {
+		    $shouldsum = null;
+		}
+		$filesum = hash_file('sha256', $localArchive);
+
+		if ($filesum != $shouldsum) {
+		    redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 9));
+		}
+
+		// to the next step
+		redirectTo($filename, array('s' => $s, 'page' => 'extract', 'archive' => basename($localArchive)));
+	}
+	redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 6));
+}
+// extract and install new version
+elseif ($page == 'extract') {
+
+	$toExtract = isset($_GET['archive']) ? $_GET['archive'] : null;
+	$localArchive = FROXLOR_INSTALL_DIR.'/updates/'.$toExtract;
+
+	if (isset($_POST['send'])
+			&& $_POST['send'] == 'send'
+	) {
+		// decompress from zip
+		$zip = new ZipArchive;
+		$res = $zip->open($localArchive);
+		if ($res === true) {
+		    $log->logAction(ADM_ACTION, LOG_NOTICE, "Extracting ".$localArchive." to ".dirname(FROXLOR_INSTALL_DIR));
+			$zip->extractTo(dirname(FROXLOR_INSTALL_DIR));
+			$zip->close();
+			// success - remove unused archive
+			@unlink($localArchive);
+		} else {
+			// error
+			redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 8));
+		}
+
+		// redirect to update-page?
+		redirectTo('admin_updates.php', array('s' => $s));
+	}
+
+	if (!file_exists($localArchive)) {
+		redirectTo($filename, array('s' => $s, 'page' => 'error', 'errno' => 7));
+	}
+
+	$text = 'Extract downloaded archive "'.$toExtract.'"?';
+	$hiddenparams = '';
+	$yesfile = $filename.'?s='.$s.'&amp;page=extract&amp;archive='.$toExtract;
+	eval("echo \"" . getTemplate("misc/question_yesno", true) . "\";");
+}
+
+// display error
+elseif ($page == 'error') {
+
+	// retrieve error-number via url-parameter
+	$errno = isset($_GET['errno']) ? (int)$_GET['errno'] : 0;
+
+	// 1 = no allow_url_fopen
+	// 2 = no Zlib
+	// 3 = custom version detected
+	// 4 = could not store archive to local hdd
+	// 5 = some weird value came from version.froxlor.org
+	// 6 = download without valid version
+	// 7 = local archive does not exist
+	// 8 = could not extract archive
+	// 9 = checksum mismatch
+	standard_error ('autoupdate_'.$errno);
+}
--- a/admin_configfiles.php
+++ b/admin_configfiles.php
@@ -43,9 +43,9 @@ if ($userinfo['change_serversettings'] == '1') {
    );
    
    // get distro from URL param
-    $distribution = isset($_GET['distribution']) ? $_GET['distribution'] : "";
-    $service = isset($_GET['service']) ? $_GET['service'] : "";
-    $daemon = isset($_GET['daemon']) ? $_GET['daemon'] : "";
+    $distribution = (isset($_GET['distribution']) && $_GET['distribution'] != 'choose') ? $_GET['distribution'] : "";
+    $service = (isset($_GET['service']) && $_GET['service'] != 'choose') ? $_GET['service'] : "";
+    $daemon = (isset($_GET['daemon']) && $_GET['daemon'] != 'choose') ? $_GET['daemon'] : "";
    $distributions_select = "";
    $services_select = "";
    $daemons_select = "";
--- a/admin_customers.php
+++ b/admin_customers.php
@@ -554,7 +554,6 @@ if ($page == 'customers'
 				   || ($subdomains == '-1' && $userinfo['subdomains'] != '-1')
 				) {
 					standard_error('youcantallocatemorethanyouhave');
-					exit;
 				}

 				// Either $name and $firstname or the $company must be inserted
@@ -913,10 +912,13 @@ if ($page == 'customers'
 						$domainid = Database::lastInsertId();

 						// set ip <-> domain connection
+						$defaultips = explode(',', Settings::Get('system.defaultip'));
 						$ins_stmt = Database::prepare("
-							INSERT INTO `".TABLE_DOMAINTOIP."` SET `id_domain` = :domainid, `id_ipandports` = :ipid"
+							  INSERT INTO `" . TABLE_DOMAINTOIP . "` SET `id_domain` = :domainid, `id_ipandports` = :ipid"
 						);
-						Database::pexecute($ins_stmt, array('domainid' => $domainid, 'ipid' => Settings::Get('system.defaultip')));
+						foreach ($defaultips as $defaultip) {
+							Database::pexecute($ins_stmt, array('domainid' => $domainid, 'ipid' => $defaultip));
+						}

 						$upd_stmt = Database::prepare("
 							UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `standardsubdomain` = :domainid WHERE `customerid` = :customerid"
@@ -937,7 +939,7 @@ if ($page == 'customers'
 							SELECT ip, port FROM `".TABLE_PANEL_IPSANDPORTS."`
 							WHERE `id` = :defaultip
 						");
-						$srv_ip = Database::pexecute_first($srv_ip_stmt, array('defaultip' => Settings::Get('system.defaultip')));
+						$srv_ip = Database::pexecute_first($srv_ip_stmt, array('defaultip' => reset(explode(',', Settings::Get('system.defaultip')))));

 						$replace_arr = array(
 							'FIRSTNAME' => $firstname,
@@ -1205,7 +1207,6 @@ if ($page == 'customers'
 				   || ($subdomains == '-1' && $userinfo['subdomains'] != '-1')
 				) {
 					standard_error('youcantallocatemorethanyouhave');
-					exit;
 				}

 				// Either $name and $firstname or the $company must be inserted
@@ -1272,10 +1273,13 @@ if ($page == 'customers'
 						$domainid = Database::lastInsertId();

 						// set ip <-> domain connection
+						$defaultips = explode(',', Settings::Get('system.defaultip'));
 						$ins_stmt = Database::prepare("
-							INSERT INTO `".TABLE_DOMAINTOIP."` SET `id_domain` = :domainid, `id_ipandports` = :ipid"
+							  INSERT INTO `" . TABLE_DOMAINTOIP . "` SET `id_domain` = :domainid, `id_ipandports` = :ipid"
 						);
-						Database::pexecute($ins_stmt, array('domainid' => $domainid, 'ipid' => Settings::Get('system.defaultip')));
+						foreach ($defaultips as $defaultip) {
+							Database::pexecute($ins_stmt, array('domainid' => $domainid, 'ipid' => $defaultip));
+						}

 						$upd_stmt = Database::prepare("
 							UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `standardsubdomain` = :domainid WHERE `customerid` = :customerid"
--- a/admin_domains.php
+++ b/admin_domains.php
@@ -96,6 +96,22 @@ if ($page == 'domains'
 				}
 			}
 			$row['ipandport'] = substr($row['ipandport'], 0, -1);
+                        $row['termination_date'] = str_replace("0000-00-00", "", $row['termination_date']);
+                        
+                        if($row['termination_date'] != "")
+                        {
+                            $cdate = strtotime($row['termination_date'] . " 23:59:59");
+                            $today = time();
+
+                            if($cdate < $today)
+                            {
+                                $row['termination_css'] = 'domain-expired';
+                            }
+                            else
+                                {
+                                $row['termination_css'] = 'domain-canceled';
+                            }
+                        }

 			if (!isset($domain_array[$row['domain']])) {
 				$domain_array[$row['domain']] = $row;
@@ -252,6 +268,13 @@ if ($page == 'domains'
 				);
 				Database::pexecute($del_stmt, array('domainid' => $id));

+				// remove certificate from domain_ssl_settings, fixes #1596
+				$del_stmt = Database::prepare("
+					DELETE FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
+					WHERE `domainid` = :domainid"
+				);
+				Database::pexecute($del_stmt, array('domainid' => $id));
+
 				$log->logAction(ADM_ACTION, LOG_INFO, "deleted domain/subdomains (#" . $result['id'] . ")");
 				updateCounters();
 				inserttask('1');
@@ -285,7 +308,6 @@ if ($page == 'domains'

 				if ($_POST['domain'] == Settings::Get('system.hostname')) {
 					standard_error('admin_domain_emailsystemhostname');
-					exit;
 				}

 				$domain = $idna_convert->encode(preg_replace(array('/\:(\d)+$/', '/^https?\:\/\//'), '', validate($_POST['domain'], 'domain')));
@@ -362,6 +384,9 @@ if ($page == 'domains'
 				$registration_date = trim($_POST['registration_date']);
 				$registration_date = validate($registration_date, 'registration_date', '/^(19|20)\d\d[-](0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])$/', '', array('0000-00-00', '0', ''));

+                                $termination_date = trim($_POST['termination_date']);
+                                $termination_date = validate($termination_date, 'termination_date', '/^(19|20)\d\d[-](0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])$/', '', array('0000-00-00', '0', ''));
+
 				if ($userinfo['change_serversettings'] == '1') {

 					$caneditdomain = isset($_POST['caneditdomain']) ? intval($_POST['caneditdomain']) : 0;
@@ -516,6 +541,11 @@ if ($page == 'domains'
 						$ssl_redirect = (int)$_POST['ssl_redirect'];
 					}

+					$letsencrypt = 0;
+					if (isset($_POST['letsencrypt'])) {
+						$letsencrypt = (int)$_POST['letsencrypt'];
+					}
+
 					$ssl_ipandports = array();
 					if (isset($_POST['ssl_ipandport']) && !is_array($_POST['ssl_ipandport'])) {
 						$_POST['ssl_ipandport'] = unserialize($_POST['ssl_ipandport']);
@@ -547,17 +577,29 @@ if ($page == 'domains'
 						}
 					} else {
 						$ssl_redirect = 0;
+						$letsencrypt = 0;
 						// we need this for the serialize
 						// if ssl is disabled or no ssl-ip/port exists
 						$ssl_ipandports[] = -1;
 					}
 				} else {
 					$ssl_redirect = 0;
+					$letsencrypt = 0;
 					// we need this for the serialize
 					// if ssl is disabled or no ssl-ip/port exists
 					$ssl_ipandports[] = -1;
 				}

+				// We can't enable let's encrypt for wildcard - domains
+				if ($serveraliasoption == '0' && $letsencrypt == '1') {
+				    standard_error('nowildcardwithletsencrypt');
+				}
+
+				// Temporarily deactivate ssl_redirect until Let's Encrypt certificate was generated
+				if ($ssl_redirect > 0 && $letsencrypt == 1) {
+					$ssl_redirect = 2;
+				}
+
 				if (!preg_match('/^https?\:\/\//', $documentroot)) {
 					if (strstr($documentroot, ":") !== false) {
 						standard_error('pathmaynotcontaincolon');
@@ -661,6 +703,11 @@ if ($page == 'domains'
 					$issubof = '0';
 				}

+				if ($aliasdomain != 0 && $letsencrypt != 0)
+				{
+					standard_error('letsencryptdoesnotworkwithaliasdomains');
+				}
+
 				if ($domain == '') {
 					standard_error(array('stringisempty', 'mydomain'));
 				}
@@ -702,7 +749,9 @@ if ($page == 'domains'
 						'mod_fcgid_maxrequests' => $mod_fcgid_maxrequests,
 						'specialsettings' => $specialsettings,
 						'registration_date' => $registration_date,
-						'issubof' => $issubof
+						'termination_date' => $termination_date,
+						'issubof' => $issubof,
+						'letsencrypt' => $letsencrypt
 					);

 					$security_questions = array(
@@ -718,7 +767,6 @@ if ($page == 'domains'
 								|| $_POST[$question_name] != $question_name
 							) {
 								ask_yesno('admin_domain_' . $question_name, $filename, $params, $question_nr);
-								exit;
 							}
 						}
 						$question_nr++;
@@ -748,10 +796,12 @@ if ($page == 'domains'
 						'ssl_redirect' => $ssl_redirect,
 						'add_date' => time(),
 						'registration_date' => $registration_date,
+                                                'termination_date' => $termination_date,
 						'phpsettingid' => $phpsettingid,
 						'mod_fcgid_starter' => $mod_fcgid_starter,
 						'mod_fcgid_maxrequests' => $mod_fcgid_maxrequests,
-						'ismainbutsubto' => $issubof
+						'ismainbutsubto' => $issubof,
+						'letsencrypt' => $letsencrypt
 					);

 					$ins_stmt = Database::prepare("
@@ -779,10 +829,12 @@ if ($page == 'domains'
 						`ssl_redirect` = :ssl_redirect,
 						`add_date` = :add_date,
 						`registration_date` = :registration_date,
+                                                `termination_date` = :termination_date,
 						`phpsettingid` = :phpsettingid,
 						`mod_fcgid_starter` = :mod_fcgid_starter,
 						`mod_fcgid_maxrequests` = :mod_fcgid_maxrequests,
-						`ismainbutsubto` = :ismainbutsubto
+						`ismainbutsubto` = :ismainbutsubto,
+						`letsencrypt` = :letsencrypt
 					");
 					Database::pexecute($ins_stmt, $ins_data);
 					$domainid = Database::lastInsertId();
@@ -1139,6 +1191,8 @@ if ($page == 'domains'
 				$caneditdomain = isset($_POST['caneditdomain']) ? intval($_POST['caneditdomain']) : 0;
 				$registration_date = trim($_POST['registration_date']);
 				$registration_date = validate($registration_date, 'registration_date', '/^(19|20)\d\d[-](0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])$/', '', array('0000-00-00', '0', ''));
+				$termination_date = trim($_POST['termination_date']);
+				$termination_date = validate($termination_date, 'termination_date', '/^(19|20)\d\d[-](0[1-9]|1[012])[-](0[1-9]|[12][0-9]|3[01])$/', '', array('0000-00-00', '0', ''));

 				$isemaildomain = 0;
 				if (isset($_POST['isemaildomain'])) {
@@ -1184,6 +1238,7 @@ if ($page == 'domains'
 					}

 					$specialsettings = validate(str_replace("\r\n", "\n", $_POST['specialsettings']), 'specialsettings', '/^[^\0]*$/');
+					$ssfs = (isset($_POST['specialsettingsforsubdomains']) && intval($_POST['specialsettingsforsubdomains']) == 1) ? 1 : 0;
 					$documentroot = validate($_POST['documentroot'], 'documentroot');

 					if ($documentroot == '') {
@@ -1207,6 +1262,7 @@ if ($page == 'domains'
 					$zonefile = $result['zonefile'];
 					$dkim = $result['dkim'];
 					$specialsettings = $result['specialsettings'];
+					$ssfs = (empty($specialsettings) ? 0 : 1);
 					$documentroot = $result['documentroot'];
 				}

@@ -1288,6 +1344,11 @@ if ($page == 'domains'
 						$ssl_redirect = (int)$_POST['ssl_redirect'];
 					}

+					$letsencrypt = 0;
+					if (isset($_POST['letsencrypt'])) {
+						$letsencrypt = (int)$_POST['letsencrypt'];
+					}
+
 					$ssl_ipandports = array();
 					if (isset($_POST['ssl_ipandport']) && !is_array($_POST['ssl_ipandport'])) {
 						$_POST['ssl_ipandport'] = unserialize($_POST['ssl_ipandport']);
@@ -1314,17 +1375,29 @@ if ($page == 'domains'
 						}
 					} else {
 						$ssl_redirect = 0;
+						$letsencrypt = 0;
 						// we need this for the serialize
 						// if ssl is disabled or no ssl-ip/port exists
 						$ssl_ipandports[] = -1;
 					}
 				} else {
 					$ssl_redirect = 0;
+					$letsencrypt = 0;
 					// we need this for the serialize
 					// if ssl is disabled or no ssl-ip/port exists
 					$ssl_ipandports[] = -1;
 				}

+				// We can't enable let's encrypt for wildcard domains
+				if ($serveraliasoption == '0' && $letsencrypt == '1') {
+					standard_error('nowildcardwithletsencrypt');
+				}
+
+				// Temporarily deactivate ssl_redirect until Let's Encrypt certificate was generated
+				if ($ssl_redirect > 0 && $letsencrypt == 1 && $result['letsencrypt'] != $letsencrypt) {
+					$ssl_redirect = 2;
+				}
+
 				if (!preg_match('/^https?\:\/\//', $documentroot)) {
 					$documentroot = makeCorrectDir($documentroot);
 				}
@@ -1412,6 +1485,11 @@ if ($page == 'domains'
 					$issubof = '0';
 				}

+				if ($aliasdomain != 0 && $letsencrypt != 0)
+				{
+					standard_error('letsencryptdoesnotworkwithaliasdomains');
+				}
+
 				if ($serveraliasoption != '1' && $serveraliasoption != '2') {
 					$serveraliasoption = '0';
 				}
@@ -1438,12 +1516,15 @@ if ($page == 'domains'
 					'mod_fcgid_starter' => $mod_fcgid_starter,
 					'mod_fcgid_maxrequests' => $mod_fcgid_maxrequests,
 					'specialsettings' => $specialsettings,
+					'specialsettingsforsubdomains' => $ssfs,
 					'registration_date' => $registration_date,
+					'termination_date' => $termination_date,
 					'issubof' => $issubof,
 					'speciallogfile' => $speciallogfile,
 					'speciallogverified' => $speciallogverified,
 					'ipandport' => serialize($ipandports),
-					'ssl_ipandport' => serialize($ssl_ipandports)
+					'ssl_ipandport' => serialize($ssl_ipandports),
+					'letsencrypt' => $letsencrypt
 				);

 				$security_questions = array(
@@ -1457,7 +1538,6 @@ if ($page == 'domains'
 							|| $_POST[$question_name] != $question_name
 						) {
 							ask_yesno('admin_domain_' . $question_name, $filename, $params);
-							exit;
 						}
 					}
 				}
@@ -1478,6 +1558,7 @@ if ($page == 'domains'
 					|| $issubof != $result['ismainbutsubto']
 					|| $email_only != $result['email_only']
 					|| ($speciallogfile != $result['speciallogfile'] && $speciallogverified == '1')
+					|| $letsencrypt != $result['letsencrypt']
 				) {
 					inserttask('1');
 				}
@@ -1612,7 +1693,9 @@ if ($page == 'domains'
 				$update_data['mod_fcgid_maxrequests'] = $mod_fcgid_maxrequests;
 				$update_data['specialsettings'] = $specialsettings;
 				$update_data['registration_date'] = $registration_date;
+				$update_data['termination_date'] = $termination_date;
 				$update_data['ismainbutsubto'] = $issubof;
+				$update_data['letsencrypt'] = $letsencrypt;
 				$update_data['id'] = $id;

 				$update_stmt = Database::prepare("
@@ -1638,7 +1721,9 @@ if ($page == 'domains'
 					`mod_fcgid_maxrequests` = :mod_fcgid_maxrequests,
 					`specialsettings` = :specialsettings,
 					`registration_date` = :registration_date,
-					`ismainbutsubto` = :ismainbutsubto
+					`termination_date` = :termination_date,
+					`ismainbutsubto` = :ismainbutsubto,
+					`letsencrypt` = :letsencrypt
 					WHERE `id` = :id
 				");
 				Database::pexecute($update_stmt, $update_data);
@@ -1653,9 +1738,10 @@ if ($page == 'domains'

 				// if we have no more ssl-ip's for this domain,
 				// all its subdomains must have "ssl-redirect = 0"
+				// and disable let's encrypt
 				$update_sslredirect = '';
 				if (count($ssl_ipandports) == 1 && $ssl_ipandports[0] == -1) {
-					$update_sslredirect = ", `ssl_redirect` = '0' ";
+					$update_sslredirect = ", `ssl_redirect` = '0', `letsencrypt` = '0' ";
 				}

 				$_update_stmt = Database::prepare("
@@ -1867,9 +1953,15 @@ if ($page == 'domains'
 				$_value = '2';
 				if ($result['iswildcarddomain'] == '1') {
 					$_value = '0';
+					$letsencrypt = 0;
 				} elseif ($result['wwwserveralias'] == '1') {
 					$_value = '1';
 				}
+
+				// Fudge the result for ssl_redirect to hide the Let's Encrypt steps
+				$result['temporary_ssl_redirect'] = $result['ssl_redirect'];
+				$result['ssl_redirect'] = ($result['ssl_redirect'] == 0 ? 0 : 1);
+				
 				$serveraliasoptions .= makeoption($lng['domains']['serveraliasoption_wildcard'], '0', $_value, true, true);
 				$serveraliasoptions .= makeoption($lng['domains']['serveraliasoption_www'], '1', $_value, true, true);
 				$serveraliasoptions .= makeoption($lng['domains']['serveraliasoption_none'], '2', $_value, true, true);
--- a/admin_index.php
+++ b/admin_index.php
@@ -42,7 +42,6 @@ if ($action == 'logout')  {
 	Database::pexecute($stmt, $params);

 	redirectTo('index.php');
-	exit;
 }

 if (isset($_POST['id'])) {
@@ -201,7 +200,6 @@ if ($page == 'overview') {

 		if (!validatePasswordLogin($userinfo,$old_password,TABLE_PANEL_ADMINS,'adminid')) {
 			standard_error('oldpasswordnotcorrect');
-			exit;
 		}

 		$new_password = validate($_POST['new_password'], 'new password');
--- a/admin_ipsandports.php
+++ b/admin_ipsandports.php
@@ -29,6 +29,10 @@ if (isset($_POST['id'])) {
 if ($page == 'ipsandports'
 	|| $page == 'overview'
 ) {
+	// Do not display attributes that are not used by the current webserver
+	$websrv = Settings::Get('system.webserver');
+	$is_nginx = ($websrv == 'nginx');
+	$is_apache = ($websrv == 'apache2');

 	if ($action == '') {

@@ -79,7 +83,7 @@ if ($page == 'ipsandports'
 			$result_checkdomain = Database::pexecute_first($result_checkdomain_stmt, array('id' => $id));

 			if ($result_checkdomain['id'] == '') {
-				if ($result['id'] != Settings::Get('system.defaultip')) {
+				if (!in_array($result['id'], explode(',', Settings::Get('system.defaultip')))) {

 					$result_sameipotherport_stmt = Database::prepare("
 						SELECT `id` FROM `" . TABLE_PANEL_IPSANDPORTS . "`
@@ -320,7 +324,7 @@ if ($page == 'ipsandports'
 					$ssl_ca_file = '';
 					$ssl_cert_chainfile = '';
 				}
-				
+
 				if ($listen_statement != '1') {
 					$listen_statement = '0';
 				}
@@ -340,7 +344,7 @@ if ($page == 'ipsandports'
 				if ($ssl != '1') {
 					$ssl = '0';
 				}
-				
+
 				if ($ssl_cert_file != '') {
 					$ssl_cert_file = makeCorrectFile($ssl_cert_file);
 				}
@@ -422,7 +426,7 @@ if ($page == 'ipsandports'

 				$ipsandports_edit_data = include_once dirname(__FILE__).'/lib/formfields/admin/ipsandports/formfield.ipsandports_edit.php';
 				$ipsandports_edit_form = htmlform::genHTMLForm($ipsandports_edit_data);
-	
+
 				$title = $ipsandports_edit_data['ipsandports_edit']['title'];
 				$image = $ipsandports_edit_data['ipsandports_edit']['image'];

--- a/admin_logger.php
+++ b/admin_logger.php
@@ -34,7 +34,8 @@ if ($page == 'log'
 		$result_stmt = Database::query('
 			SELECT * FROM `' . TABLE_PANEL_LOG . '` ' . $paging->getSqlWhere(false) . ' ' . $paging->getSqlOrderBy() . ' ' . $paging->getSqlLimit()
 		);
-		$paging->setEntries(Database::num_rows());
+		$logs_count = Database::num_rows();
+		$paging->setEntries($logs_count);
 		$sortcode = $paging->getHtmlSortCode($lng);
 		$arrowcode = $paging->getHtmlArrowCode($filename . '?page=' . $page . '&s=' . $s);
 		$searchcode = $paging->getHtmlSearchCode($lng);
@@ -100,35 +101,12 @@ if ($page == 'log'
 					}

 					$log_count++;
-					$type = $row['type'];
-					$_type = 'unknown';
-
-					switch ($type) {
-						case LOG_INFO:
-							$_type = 'Information';
-							break;
-						case LOG_NOTICE:
-							$_type = 'Notice';
-							break;
-						case LOG_WARNING:
-							$_type = 'Warning';
-							break;
-						case LOG_ERR:
-							$_type = 'Error';
-							break;
-						case LOG_CRIT:
-							$_type = 'Critical';
-							break;
-						default:
-							$_type = 'Unknown';
-							break;
-					}
-
-					$row['type'] = $_type;
+					$row['type'] = getLogLevelDesc($row['type']);
 					eval("\$log.=\"" . getTemplate('logger/logger_log') . "\";");
 					$count++;
 					$_action = $action;
 				}
+				$i++;
 			}
 			$i++;
 		}
--- a/admin_opcacheinfo.php
+++ b/admin_opcacheinfo.php
@@ -0,0 +1,158 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2010 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Janos Muzsi <muzsij@hypernics.hu> (2016)
+ * @author     Froxlor team <team@froxlor.org> (2010-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Panel
+ *
+ * Based on https://github.com/amnuts/opcache-gui
+ *
+ */
+
+define('AREA', 'admin');
+require './lib/init.php';
+
+
+if ($action == 'reset' &&
+        function_exists('opcache_reset') &&
+        $userinfo['change_serversettings'] == '1'
+) {
+    opcache_reset();
+    $log->logAction(ADM_ACTION, LOG_INFO, "reseted OPcache");
+    header('Location: ' . $linker->getLink(array('section' => 'opcacheinfo', 'page' => 'showinfo')));
+    exit();
+}
+
+if (!function_exists('opcache_get_configuration')
+) {
+    standard_error($lng['error']['no_opcacheinfo']);
+}
+
+if ($page == 'showinfo'
+) {
+    
+    $opcache_info = opcache_get_configuration();
+    $opcache_status = opcache_get_status(false);
+    $time = time();
+    $log->logAction(ADM_ACTION, LOG_NOTICE, "viewed OPcache info");
+    
+    $runtimelines = '';
+    if (isset($opcache_info['directives']) && is_array($opcache_info['directives'])) {
+        foreach ($opcache_info['directives'] as $name => $value) {
+            $linkname=  str_replace('_', '-', $name);
+            if ($name=='opcache.optimization_level' && is_integer($value)) {
+                $value='0x'.dechex($value);
+            }
+            if ($name=='opcache.memory_consumption' && is_integer($value) && $value%(1024*1024)==0) {
+                $value=$value/(1024*1024);
+            }
+            if ($value===null || $value==='') {
+                $value=$lng['opcacheinfo']['novalue'];
+            }
+            if ($value===true) {
+                $value=$lng['opcacheinfo']['true'];
+            }
+            if ($value===false) {
+                $value=$lng['opcacheinfo']['false'];
+            }
+            if (is_integer($value)) {
+                $value=number_format($value,0,'.',' ');
+            }
+            $name=str_replace('_', ' ', $name);
+            eval("\$runtimelines.=\"" . getTemplate("settings/opcacheinfo/runtime_line") . "\";");
+        }
+    }
+    
+    $cachehits=@$opcache_status['opcache_statistics']['hits'] ?: 0;
+    $cachemiss=@$opcache_status['opcache_statistics']['misses'] ?: 0;
+    $blacklistmiss=@$opcache_status['opcache_statistics']['blacklist_misses'] ?: 0;
+    $cachetotal=$cachehits+$cachemiss+$blacklistmiss;
+    
+    $general=array(
+        'version' => (isset($opcache_info['version']['opcache_product_name']) ? $opcache_info['version']['opcache_product_name'].' ' : '').$opcache_info['version']['version'],
+        'phpversion' => phpversion(),
+        'start_time'         => @$opcache_status['opcache_statistics']['start_time'] ? date('Y-m-d H:i:s',$opcache_status['opcache_statistics']['start_time']) : '',
+        'last_restart_time'  => @$opcache_status['opcache_statistics']['last_restart_time'] ? date('Y-m-d H:i:s',$opcache_status['opcache_statistics']['last_restart_time']) : $lng['opcacheinfo']['never'],
+        'oom_restarts' => number_format(@$opcache_status['opcache_statistics']['oom_restarts'] ?: 0,0,'.',' '),
+        'hash_restarts' => number_format(@$opcache_status['opcache_statistics']['hash_restarts'] ?: 0,0,'.',' '),
+        'manual_restarts' => number_format(@$opcache_status['opcache_statistics']['manual_restarts'] ?: 0,0,'.',' '),
+        'status' => (@$opcache_status['restart_in_progress'] ? $lng['opcacheinfo']['restartinprogress'] :
+            (@$opcache_status['restart_pending'] ? $lng['opcacheinfo']['restartpending'] :
+            (@$opcache_status['cache_full'] ? $lng['opcacheinfo']['cachefull'] :
+            (@$opcache_status['opcache_enabled'] ? $lng['opcacheinfo']['enabled'] : $lng['opcacheinfo']['novalue'])))),
+        'cachedscripts' => number_format(@$opcache_status['opcache_statistics']['num_cached_scripts'] ?: 0,0,'.',' '),
+        'cachehits' => number_format($cachehits,0,'.',' ') . ($cachetotal>0 ? sprintf(" (%.1f %%)", $cachehits/($cachetotal)*100) : ''),
+        'cachemiss' => number_format($cachemiss,0,'.',' ') . ($cachetotal>0 ? sprintf(" (%.1f %%)", $cachemiss/($cachetotal)*100) : ''),
+        'blacklistmiss' => number_format($blacklistmiss,0,'.',' ') . ($cachetotal>0 ? sprintf(" (%.1f %%)", $blacklistmiss/($cachetotal)*100) : ''),
+    );
+    
+    $usedmem=@$opcache_status['memory_usage']['used_memory'] ?: 0;
+    $usedmemstr=bsize($usedmem);
+    $freemem=@$opcache_status['memory_usage']['free_memory'] ?: 0;
+    $freememstr=bsize($freemem);
+    $totalmem=$usedmem+$freemem;
+    $wastedmem=@$opcache_status['memory_usage']['wasted_memory'] ?: 0;
+    $wastedmemstr=bsize($wastedmem);
+    if ($totalmem) {
+        $memory=array(
+            'total' => bsize($totalmem),
+            'used' => $usedmemstr . ($totalmem>0 ? sprintf(" (%.1f %%)", $usedmem/($totalmem)*100) : ''),
+            'free' => $freememstr . ($totalmem>0 ? sprintf(" (%.1f %%)", $freemem/($totalmem)*100) : ''),
+            'wasted' => $wastedmemstr . ($totalmem>0 ? sprintf(" (%.1f %%)", $wastedmem/($totalmem)*100) : ''),
+        );
+    }
+    
+    if (isset($opcache_status['interned_strings_usage'])) {
+        $usedstring=@$opcache_status['interned_strings_usage']['used_memory'] ?: 0;
+        $usedstringstr=bsize($usedstring);
+        $freestring=@$opcache_status['interned_strings_usage']['free_memory'] ?: 0;
+        $freestringstr=bsize($freestring);
+        $totalstring=$usedstring+$freestring;
+        $stringbuffer=array(
+            'total' => bsize($totalstring),
+            'used' => $usedstringstr . ($totalstring>0 ? sprintf(" (%.1f %%)", $usedstring/$totalstring*100) : ''),
+            'free' => $freestringstr . ($totalstring>0 ? sprintf(" (%.1f %%)", $freestring/$totalstring*100) : ''),
+            'strcount' => number_format(@$opcache_status['interned_strings_usage']['number_of_strings'] ?: 0,0,'.',' '),
+        );
+    }
+
+    $usedkey=@$opcache_status['opcache_statistics']['num_cached_keys'] ?: 0;
+    $usedkeystr=number_format($usedkey,0,'.',' ');
+    $totalkey=@$opcache_status['opcache_statistics']['max_cached_keys'] ?: 0;
+    $wastedkey=$usedkey - (@$opcache_status['opcache_statistics']['num_cached_scripts'] ?: 0);
+    if (isset($opcache_status['opcache_statistics'])) {
+        $keystat=array(
+            'total' => number_format($totalkey,0,'.',' '),
+            'used' => $usedkeystr . ($totalkey>0 ? sprintf(" (%.1f %%)", $usedkey/($totalkey)*100) : ''),
+            'wasted' => number_format($wastedkey,0,'.',' ') . ($totalkey>0 ? sprintf(" (%.1f %%)", $wastedkey/($totalkey)*100) : ''),
+        );
+    }
+    
+    $blacklistlines = '';
+    if (isset($opcache_info['blacklist']) && is_array($opcache_info['blacklist'])) {
+        foreach ($opcache_info['blacklist'] as $value) {
+            eval("\$blacklistlines.=\"" . getTemplate("settings/opcacheinfo/blacklist_line") . "\";");
+        }
+    }
+    
+    eval("echo \"" . getTemplate("settings/opcacheinfo/showinfo") . "\";");
+    
+}
+
+function bsize($s) {
+    foreach (array('', 'K', 'M', 'G') as $i => $k) {
+        if ($s < 1024)
+            break;
+        $s/=1024;
+    }
+    return sprintf("%5.1f %sBytes", $s, $k);
+}
--- a/admin_templates.php
+++ b/admin_templates.php
@@ -201,7 +201,6 @@ if ($action == '') {

 	} else {
 		standard_error('templatenotfound');
-		exit;
 	}

 } elseif($action == 'add') {
@@ -358,7 +357,6 @@ if ($action == '') {
 			eval("echo \"" . getTemplate("templates/templates_add_1") . "\";");
 		} else {
 			standard_error('alltemplatesdefined');
-			exit;
 		}

 	} else {
@@ -371,7 +369,6 @@ if ($action == '') {

 		if (Database::num_rows() == count($file_templates)) {
 			standard_error('alltemplatesdefined');
-			exit;

 		} else {

@@ -514,6 +511,5 @@ if ($action == '') {

 	} else {
 		standard_error('templatenotfound');
-		exit;
 	}
 }
--- a/admin_traffic.php
+++ b/admin_traffic.php
@@ -27,7 +27,6 @@ if ($action == 'logout') {
 	);
 	Database::pexecute($logout_stmt, array('adminid' => $userinfo['adminid']));
 	redirectTo('index.php');
-	exit;
 }

 if (isset($_POST['id'])) {
--- a/admin_updates.php
+++ b/admin_updates.php
@@ -54,7 +54,7 @@ if ($page == 'overview') {
 		}
 	}

-	if (hasUpdates($version)) {
+	if (hasDbUpdates($dbversion) || hasUpdates($version)) {
 		$successful_update = false;
 		$message = '';

@@ -67,16 +67,16 @@ if ($page == 'overview') {
 				|| !isset($_POST['update_preconfig'])
 			) {
 				eval("echo \"" . getTemplate('update/update_start') . "\";");
-	
+
 				include_once './install/updatesql.php';
-	
+
 				$redirect_url = 'admin_index.php?s=' . $s;
 				eval("echo \"" . getTemplate('update/update_end') . "\";");
-	
+
 				updateCounters();
 				inserttask('1');
 				@chmod('./lib/userdata.inc.php', 0440);
-				
+
 				$successful_update = true;
 			} else {
 				$message = '<br /><strong class="red">You have to agree that you have read the update notifications.</strong>';
@@ -85,15 +85,26 @@ if ($page == 'overview') {

 		if (!$successful_update) {
 			$current_version = Settings::Get('panel.version');
+			$current_db_version = Settings::Get('panel.db_version');
+			if (empty($current_db_version)) {
+			    $current_db_version = "0";
+			}
 			$new_version = $version;
+			$new_db_version = $dbversion;

 			$ui_text = $lng['update']['update_information']['part_a'];
-			$ui_text = str_replace('%curversion', $current_version, $ui_text);
-			$ui_text = str_replace('%newversion', $new_version, $ui_text);
+			if ($version != $current_version) {
+			     $ui_text = str_replace('%curversion', $current_version, $ui_text);
+			     $ui_text = str_replace('%newversion', $new_version, $ui_text);
+			} else {
+			    // show db version
+			    $ui_text = str_replace('%curversion', $current_db_version, $ui_text);
+			    $ui_text = str_replace('%newversion', $new_db_version, $ui_text);
+			}
 			$update_information = $ui_text;

 			include_once './install/updates/preconfig.php';
-			$preconfig = getPreConfig($current_version);
+			$preconfig = getPreConfig($current_version, $current_db_version);
 			if ($preconfig != '') {
 				$update_information .= '<br />' . $preconfig . $message;
 			}
--- a/customer_domains.php
+++ b/customer_domains.php
@@ -36,7 +36,7 @@ if ($page == 'overview') {
 			'd.domain' => $lng['domains']['domainname']
 		);
 		$paging = new paging($userinfo, TABLE_PANEL_DOMAINS, $fields);
-		$domains_stmt = Database::prepare("SELECT `d`.`id`, `d`.`customerid`, `d`.`domain`, `d`.`documentroot`, `d`.`isemaildomain`, `d`.`caneditdomain`, `d`.`iswildcarddomain`, `d`.`parentdomainid`, `ad`.`id` AS `aliasdomainid`, `ad`.`domain` AS `aliasdomain`, `da`.`id` AS `domainaliasid`, `da`.`domain` AS `domainalias` FROM `" . TABLE_PANEL_DOMAINS . "` `d`
+		$domains_stmt = Database::prepare("SELECT `d`.`id`, `d`.`customerid`, `d`.`domain`, `d`.`documentroot`, `d`.`isemaildomain`, `d`.`caneditdomain`, `d`.`iswildcarddomain`, `d`.`parentdomainid`, `d`.`letsencrypt`, `d`.`termination_date`, `ad`.`id` AS `aliasdomainid`, `ad`.`domain` AS `aliasdomain`, `da`.`id` AS `domainaliasid`, `da`.`domain` AS `domainalias` FROM `" . TABLE_PANEL_DOMAINS . "` `d`
 			LEFT JOIN `" . TABLE_PANEL_DOMAINS . "` `ad` ON `d`.`aliasdomain`=`ad`.`id`
 			LEFT JOIN `" . TABLE_PANEL_DOMAINS . "` `da` ON `da`.`aliasdomain`=`d`.`id`
 			WHERE `d`.`customerid`= :customerid
@@ -87,6 +87,18 @@ if ($page == 'overview') {
 				}
 			}

+			$row['termination_date'] = str_replace("0000-00-00", "", $row['termination_date']);
+			if($row['termination_date'] != "") {
+				$cdate = strtotime($row['termination_date'] . " 23:59:59");
+				$today = time();
+
+				if($cdate < $today) {
+					$row['termination_css'] = 'domain-expired';
+				} else {
+					$row['termination_css'] = 'domain-canceled';
+				}
+			}
+
 			$domains_count++;
 			$domain_array[$row['domain']] = $row;
 		}
@@ -146,7 +158,7 @@ if ($page == 'overview') {

 					// get ssl-ips if activated
 					$show_ssledit = false;
-					if (Settings::Get('system.use_ssl') == '1' && domainHasSslIpPort($row['id']) && $row['caneditdomain'] == '1') {
+					if (Settings::Get('system.use_ssl') == '1' && domainHasSslIpPort($row['id']) && $row['caneditdomain'] == '1' && $row['letsencrypt'] == 0) {
 						$show_ssledit = true;
 					}
 					$row = htmlentities_array($row);
@@ -211,6 +223,13 @@ if ($page == 'overview') {
 				);
 				Database::pexecute($del_stmt, array('domainid' => $id));

+				// remove certificate from domain_ssl_settings, fixes #1596
+				$del_stmt = Database::prepare("
+					DELETE FROM `" . TABLE_PANEL_DOMAIN_SSL_SETTINGS . "`
+					WHERE `domainid` = :domainid"
+				);
+				Database::pexecute($del_stmt, array('domainid' => $id));
+
 				inserttask('1');

 				// Using nameserver, insert a task which rebuilds the server config
@@ -241,7 +260,6 @@ if ($page == 'overview') {

 				if ($completedomain == Settings::Get('system.hostname')) {
 					standard_error('admin_domain_emailsystemhostname');
-					exit;
 				}

 				$completedomain_stmt = Database::prepare("SELECT * FROM `" . TABLE_PANEL_DOMAINS . "`
@@ -303,7 +321,7 @@ if ($page == 'overview') {

 				$ssl_redirect = '0';
 				if (isset($_POST['ssl_redirect']) && $_POST['ssl_redirect'] == '1') {
-					// a ssl-redirect only works of there actually is a
+					// a ssl-redirect only works if there actually is a
 					// ssl ip/port assigned to the domain
 					if (domainHasSslIpPort($domain_check['id']) == true) {
 						$ssl_redirect = '1';
@@ -313,6 +331,27 @@ if ($page == 'overview') {
 					}
 				}

+				$letsencrypt = '0';
+				if (isset($_POST['letsencrypt']) && $_POST['letsencrypt'] == '1') {
+					// let's encrypt only works if there actually is a
+					// ssl ip/port assigned to the domain
+					if (domainHasSslIpPort($domain_check['id']) == true) {
+						$letsencrypt = '1';
+					} else {
+						standard_error('letsencryptonlypossiblewithsslipport');
+					}
+				}
+
+				if ($aliasdomain != 0 && $letsencrypt != 0)
+				{
+					standard_error('letsencryptdoesnotworkwithaliasdomains');
+				}
+
+				// Temporarily deactivate ssl_redirect until Let's Encrypt certificate was generated
+				if ($ssl_redirect > 0 && $letsencrypt == 1) {
+					$ssl_redirect = 2;
+				}
+
 				if ($path == '') {
 					standard_error('patherror');
 				} elseif ($subdomain == '') {
@@ -354,7 +393,8 @@ if ($page == 'overview') {
 						`speciallogfile` = :speciallogfile,
 						`specialsettings` = :specialsettings,
 						`ssl_redirect` = :ssl_redirect,
-						`phpsettingid` = :phpsettingid"
+						`phpsettingid` = :phpsettingid,
+						`letsencrypt` = :letsencrypt"
 					);
 					$params = array(
 						"customerid" => $userinfo['customerid'],
@@ -370,7 +410,8 @@ if ($page == 'overview') {
 						"speciallogfile" => $domain_check['speciallogfile'],
 						"specialsettings" => $domain_check['specialsettings'],
 						"ssl_redirect" => $ssl_redirect,
-						"phpsettingid" => $phpsid_result['phpsettingid']
+						"phpsettingid" => $phpsid_result['phpsettingid'],
+						"letsencrypt" => $letsencrypt
 					);
 					Database::pexecute($stmt, $params);

@@ -403,7 +444,7 @@ if ($page == 'overview') {
 					redirectTo($filename, array('page' => $page, 's' => $s));
 				}
 			} else {
-				$stmt = Database::prepare("SELECT `id`, `domain`, `documentroot`, `ssl_redirect`,`isemaildomain` FROM `" . TABLE_PANEL_DOMAINS . "`
+				$stmt = Database::prepare("SELECT `id`, `domain`, `documentroot`, `ssl_redirect`,`isemaildomain`,`letsencrypt` FROM `" . TABLE_PANEL_DOMAINS . "`
 					WHERE `customerid` = :customerid
 					AND `parentdomainid` = '0'
 					AND `email_only` = '0'
@@ -465,7 +506,7 @@ if ($page == 'overview') {
 	} elseif ($action == 'edit' && $id != 0) {

 		$stmt = Database::prepare("SELECT `d`.`id`, `d`.`customerid`, `d`.`domain`, `d`.`documentroot`, `d`.`isemaildomain`, `d`.`wwwserveralias`, `d`.`iswildcarddomain`,
-			`d`.`parentdomainid`, `d`.`ssl_redirect`, `d`.`aliasdomain`, `d`.`openbasedir`, `d`.`openbasedir_path`, `pd`.`subcanemaildomain`
+			`d`.`parentdomainid`, `d`.`ssl_redirect`, `d`.`aliasdomain`, `d`.`openbasedir`, `d`.`openbasedir_path`, `d`.`letsencrypt`, `pd`.`subcanemaildomain`
 			FROM `" . TABLE_PANEL_DOMAINS . "` `d`, `" . TABLE_PANEL_DOMAINS . "` `pd`
 			WHERE `d`.`customerid` = :customerid
 			AND `d`.`id` = :id
@@ -507,7 +548,7 @@ if ($page == 'overview') {

 				$aliasdomain = intval($_POST['alias']);

-				if (isset($_POST['selectserveralias']) && $result['parentdomainid'] == '0' ) {
+				if (isset($_POST['selectserveralias'])) {
 					$iswildcarddomain = ($_POST['selectserveralias'] == '0') ? '1' : '0';
 					$wwwserveralias = ($_POST['selectserveralias'] == '1') ? '1' : '0';
 				} else {
@@ -545,7 +586,7 @@ if ($page == 'overview') {
 				}

 				if (isset($_POST['ssl_redirect']) && $_POST['ssl_redirect'] == '1') {
-					// a ssl-redirect only works of there actually is a
+					// a ssl-redirect only works if there actually is a
 					// ssl ip/port assigned to the domain
 					if (domainHasSslIpPort($id) == true) {
 						$ssl_redirect = '1';
@@ -557,6 +598,33 @@ if ($page == 'overview') {
 					$ssl_redirect = '0';
 				}

+				if (isset($_POST['letsencrypt']) && $_POST['letsencrypt'] == '1') {
+					// let's encrypt only works if there actually is a
+					// ssl ip/port assigned to the domain
+					if (domainHasSslIpPort($id) == true) {
+						$letsencrypt = '1';
+					} else {
+						standard_error('letsencryptonlypossiblewithsslipport');
+					}
+				} else {
+					$letsencrypt = '0';
+				}
+
+				if ($aliasdomain != 0 && $letsencrypt != 0)
+				{
+					standard_error('letsencryptdoesnotworkwithaliasdomains');
+				}
+
+				// We can't enable let's encrypt for wildcard - domains
+				if ($iswildcarddomain == '1' && $letsencrypt == '1') {
+				    standard_error('nowildcardwithletsencrypt');
+				}
+
+				// Temporarily deactivate ssl_redirect until Let's Encrypt certificate was generated
+				if ($ssl_redirect > 0 && $letsencrypt == 1 && $result['letsencrypt'] != $letsencrypt) {
+					$ssl_redirect = 2;
+				}
+
 				if ($path == '') {
 					standard_error('patherror');
 				} else {
@@ -580,7 +648,8 @@ if ($page == 'overview') {
 						|| $iswildcarddomain != $result['iswildcarddomain']
 						|| $aliasdomain != $result['aliasdomain']
 						|| $openbasedir_path != $result['openbasedir_path']
-						|| $ssl_redirect != $result['ssl_redirect']) {
+						|| $ssl_redirect != $result['ssl_redirect']
+						|| $letsencrypt != $result['letsencrypt']) {
 						$log->logAction(USR_ACTION, LOG_INFO, "edited domain '" . $idna_convert->decode($result['domain']) . "'");

 						$stmt = Database::prepare("UPDATE `" . TABLE_PANEL_DOMAINS . "` SET
@@ -590,7 +659,8 @@ if ($page == 'overview') {
 							`iswildcarddomain`= :iswildcarddomain,
 							`aliasdomain`= :aliasdomain,
 							`openbasedir_path`= :openbasedir_path,
-							`ssl_redirect`= :ssl_redirect
+							`ssl_redirect`= :ssl_redirect,
+							`letsencrypt`= :letsencrypt
 							WHERE `customerid`= :customerid
 							AND `id`= :id"
 						);
@@ -602,6 +672,7 @@ if ($page == 'overview') {
 							"aliasdomain" => ($aliasdomain != 0 && $alias_check == 0) ? $aliasdomain : null,
 							"openbasedir_path" => $openbasedir_path,
 							"ssl_redirect" => $ssl_redirect,
+							"letsencrypt" => $letsencrypt,
 							"customerid" => $userinfo['customerid'],
 							"id" => $id
 						);
@@ -671,6 +742,10 @@ if ($page == 'overview') {
 					$ssl_ipsandports = 'notempty';
 				}

+				// Fudge the result for ssl_redirect to hide the Let's Encrypt steps
+				$result['temporary_ssl_redirect'] = $result['ssl_redirect'];
+				$result['ssl_redirect'] = ($result['ssl_redirect'] == 0 ? 0 : 1);
+
 				$openbasedir = makeoption($lng['domain']['docroot'], 0, $result['openbasedir_path'], true) . makeoption($lng['domain']['homedir'], 1, $result['openbasedir_path'], true);

 				// create serveralias options
--- a/customer_email.php
+++ b/customer_email.php
@@ -244,7 +244,6 @@ if ($page == 'overview') {
 					standard_error('emailexistalready', $email_full);
 				} elseif ($email_check['email'] == $email) {
 					standard_error('youhavealreadyacatchallforthisdomain');
-					exit;
 				} else {
 					$stmt = Database::prepare("INSERT INTO `" . TABLE_MAIL_VIRTUAL . "`
 						(`customerid`, `email`, `email_full`, `iscatchall`, `domainid`)
@@ -377,7 +376,6 @@ if ($page == 'overview') {

 					if ($email_check['email'] == $email) {
 						standard_error('youhavealreadyacatchallforthisdomain');
-						exit;
 					} else {
 						$stmt = Database::prepare("UPDATE `" . TABLE_MAIL_VIRTUAL . "`
 							SET `email` = :email , `iscatchall` = '1'
@@ -414,10 +412,11 @@ if ($page == 'overview') {
 				standard_error('notallowedtouseaccounts');
 			}

-			$stmt = Database::prepare("SELECT `id`, `email`, `email_full`, `iscatchall`, `destination`, `customerid`, `popaccountid`, `domainid` FROM `" . TABLE_MAIL_VIRTUAL . "`
-				WHERE `customerid`= :cid
-				AND `id`= :id"
-			);
+			$stmt = Database::prepare("
+			    SELECT `id`, `email`, `email_full`, `iscatchall`, `destination`, `customerid`, `popaccountid`, `domainid`
+			    FROM `" . TABLE_MAIL_VIRTUAL . "`
+			    WHERE `customerid`= :cid AND `id`= :id
+			");
 			$result = Database::pexecute_first($stmt, array("cid" => $userinfo['customerid'], "id" => $id));

 			if (isset($result['email']) && $result['email'] != '' && $result['popaccountid'] == '0') {
@@ -461,7 +460,9 @@ if ($page == 'overview') {
 						$maildirname=trim(Settings::Get('system.vmail_maildirname'));
 						// Add trailing slash to Maildir if needed
 						$maildirpath=$maildirname;
-						if (!empty($maildirname) and substr($maildirname,-1) != "/") $maildirpath.="/";
+						if (!empty($maildirname) && substr($maildirname,-1) != "/") {
+							$maildirpath.="/";
+						}

 						$stmt = Database::prepare("INSERT INTO `" . TABLE_MAIL_USERS . "`
 							(`customerid`, `email`, `username`, " . (Settings::Get('system.mailpwcleartext') == '1' ? '`password`, ' : '') . " `password_enc`, `homedir`, `maildir`, `uid`, `gid`, `domainid`, `postfix`, `quota`, `imap`, `pop3`) ".
@@ -595,7 +596,7 @@ if ($page == 'overview') {

 							if ($_mailerror) {
 								$log->logAction(USR_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
-								standard_error(array('errorsendingmail', $alternative_email));
+								standard_error(array('errorsendingmail'), $alternative_email);
 							}

 							$mail->ClearAddresses();
@@ -604,6 +605,11 @@ if ($page == 'overview') {
 						redirectTo($filename, array('page' => 'emails', 'action' => 'edit', 'id' => $id, 's' => $s));
 					}
 				} else {
+
+					if (checkMailAccDeletionState($result['email_full'])) {
+					   standard_error(array('mailaccistobedeleted'), $result['email_full']);
+					}
+
 					$result['email_full'] = $idna_convert->decode($result['email_full']);
 					$result = htmlentities_array($result);
 					$quota = Settings::Get('system.mail_quota');
@@ -633,11 +639,9 @@ if ($page == 'overview') {

 				if ($password == '') {
 					standard_error(array('stringisempty', 'mypassword'));
-					exit;
 				}
 				elseif ($password == $result['email_full']) {
 					standard_error('passwordshouldnotbeusername');
-					exit;
 				}

 				$password = validatePassword($password);
--- a/customer_extras.php
+++ b/customer_extras.php
@@ -53,9 +53,9 @@ if ($page == 'overview') {
 		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 			if ($paging->checkDisplay($i)) {
 				if (strpos($row['path'], $userinfo['documentroot']) === 0) {
-					$row['path'] = substr($row['path'], strlen($userinfo['documentroot']) - 1);
+					$row['path'] = str_replace($userinfo['documentroot'], "/", $row['path']);
 				}
-
+				$row['path'] = makeCorrectDir($row['path']);
 				$row = htmlentities_array($row);
 				eval("\$htpasswds.=\"" . getTemplate("extras/htpasswds_htpasswd") . "\";");
 				$count++;
@@ -86,7 +86,7 @@ if ($page == 'overview') {
 				redirectTo($filename, array('page' => $page, 's' => $s));
 			} else {
 				if (strpos($result['path'], $userinfo['documentroot']) === 0) {
-					$result['path'] = substr($result['path'], strlen($userinfo['documentroot']) - 1);
+				    $result['path'] = str_replace($userinfo['documentroot'], "/", $result['path']);
 				}

 				ask_yesno('extras_reallydelete', $filename, array('id' => $id, 'page' => $page, 'action' => $action), $result['username'] . ' (' . $result['path'] . ')');
@@ -224,7 +224,7 @@ if ($page == 'overview') {
 				}
 			} else {
 				if (strpos($result['path'], $userinfo['documentroot']) === 0) {
-					$result['path'] = substr($result['path'], strlen($userinfo['documentroot']));
+					$result['path'] = str_replace($userinfo['documentroot'], "/", $result['path']);
 				}

 				$result = htmlentities_array($result);
@@ -269,11 +269,9 @@ if ($page == 'overview') {
 		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 			if ($paging->checkDisplay($i)) {
 				if (strpos($row['path'], $userinfo['documentroot']) === 0) {
-					$row['path'] = substr($row['path'], strlen($userinfo['documentroot']));
-					// don't show nothing when it's the docroot, show slash
-					if ($row['path'] == '') { $row['path'] = '/'; }
+					$row['path'] = str_replace($userinfo['documentroot'], "/", $row['path']);
 				}
-
+				$row['path'] = makeCorrectDir($row['path']);
 				$row['options_indexes'] = str_replace('1', $lng['panel']['yes'], $row['options_indexes']);
 				$row['options_indexes'] = str_replace('0', $lng['panel']['no'], $row['options_indexes']);
 				$row['options_cgi'] = str_replace('1', $lng['panel']['yes'], $row['options_cgi']);
@@ -460,9 +458,7 @@ if ($page == 'overview') {
 				redirectTo($filename, array('page' => $page, 's' => $s));
 			} else {
 				if (strpos($result['path'], $userinfo['documentroot']) === 0) {
-					$result['path'] = substr($result['path'], strlen($userinfo['documentroot']));
-					// don't show nothing when it's the docroot, show slash
-					if ($result['path'] == '') { $result['path'] = '/'; }
+					$result['path'] = str_replace($userinfo['documentroot'], "/", $result['path']);
 				}

 				$result['error404path'] = $result['error404path'];
--- a/customer_ftp.php
+++ b/customer_ftp.php
@@ -363,10 +363,8 @@ if ($page == 'overview') {
 				if ($_setnewpass) {
 					if ($password == '') {
 						standard_error(array('stringisempty', 'mypassword'));
-						exit;
 					} elseif ($result['username'] == $password) {
 						standard_error('passwordshouldnotbeusername');
-						exit;
 					}
 					$log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account password for '" . $result['username'] . "'");
 					$cryptPassword = makeCryptPassword($password);
--- a/customer_index.php
+++ b/customer_index.php
@@ -40,7 +40,6 @@ if ($action == 'logout') {
 	Database::pexecute($stmt, $params);

 	redirectTo('index.php');
-	exit;
 }

 if ($page == 'overview') {
@@ -101,7 +100,6 @@ if ($page == 'overview') {
 		$old_password = validate($_POST['old_password'], 'old password');
 		if (!validatePasswordLogin($userinfo,$old_password,TABLE_PANEL_CUSTOMERS,'customerid')) {
 			standard_error('oldpasswordnotcorrect');
-			exit;
 		}

 		$new_password = validatePassword($_POST['new_password'], 'new password');
--- a/customer_logger.php
+++ b/customer_logger.php
@@ -0,0 +1,117 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2003-2009 the SysCP Team (see authors).
+ * Copyright (c) 2010 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Florian Lippert <flo@syscp.org> (2003-2009)
+ * @author     Froxlor team <team@froxlor.org> (2010-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Panel
+ *
+ */
+
+define('AREA', 'customer');
+require './lib/init.php';
+
+if ($page == 'log'
+) {
+	if ($action == '') {
+		$fields = array(
+			'date' => $lng['logger']['date'],
+			'type' => $lng['logger']['type'],
+			'user' => $lng['logger']['user'],
+			'text' => $lng['logger']['action']
+		);
+		$paging = new paging($userinfo, TABLE_PANEL_LOG, $fields, null, null, 0, 'desc');
+		$result_stmt = Database::prepare('
+			SELECT * FROM `' . TABLE_PANEL_LOG . '` WHERE `user` = :loginname ' . $paging->getSqlWhere(true) . ' ' . $paging->getSqlOrderBy() . ' ' . $paging->getSqlLimit()
+		);
+		Database::pexecute($result_stmt, array("loginname" => $userinfo['loginname']));
+		$logs_count = Database::num_rows();
+		$paging->setEntries($logs_count);
+		$sortcode = $paging->getHtmlSortCode($lng);
+		$arrowcode = $paging->getHtmlArrowCode($filename . '?page=' . $page . '&s=' . $s);
+		$searchcode = $paging->getHtmlSearchCode($lng);
+		$pagingcode = $paging->getHtmlPagingCode($filename . '?page=' . $page . '&s=' . $s);
+		$clog = array();
+
+		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
+
+			if (!isset($clog[$row['action']])
+				|| !is_array($clog[$row['action']])
+			) {
+				$clog[$row['action']] = array();
+			}
+			$clog[$row['action']][$row['logid']] = $row;
+		}
+
+		if ($paging->sortfield == 'date'
+			&& $paging->sortorder == 'desc'
+		) {
+			krsort($clog);
+		} else {
+			ksort($clog);
+		}
+
+		$i = 0;
+		$count = 0;
+		$log_count = 0;
+		$log = '';
+		foreach ($clog as $action => $logrows) {
+			$_action = 0;
+			foreach ($logrows as $row) {
+				if ($paging->checkDisplay($i)) {
+					$row = htmlentities_array($row);
+					$row['date'] = date("d.m.y H:i:s", $row['date']);
+
+					if ($_action != $action) {
+						switch ($action) {
+							case USR_ACTION:
+								$_action = $lng['admin']['customer'];
+								break;
+							case RES_ACTION:
+								$_action = $lng['logger']['reseller'];
+								break;
+							case ADM_ACTION:
+								$_action = $lng['logger']['admin'];
+								break;
+							case CRON_ACTION:
+								$_action = $lng['logger']['cron'];
+								break;
+							case LOGIN_ACTION:
+								$_action = $lng['logger']['login'];
+								break;
+							case LOG_ERROR:
+								$_action = $lng['logger']['intern'];
+								break;
+							default:
+								$_action = $lng['logger']['unknown'];
+								break;
+						}
+
+						$row['action'] = $_action;
+						eval("\$log.=\"" . getTemplate('logger/logger_action') . "\";");
+					}
+
+					$log_count++;
+					$row['type'] = getLogLevelDesc($row['type']);
+					eval("\$log.=\"" . getTemplate('logger/logger_log') . "\";");
+					$count++;
+					$_action = $action;
+				}
+				$i++;
+			}
+			$i++;
+		}
+
+		eval("echo \"" . getTemplate('logger/logger') . "\";");
+
+	}
+}
--- a/index.php
+++ b/index.php
@@ -69,13 +69,13 @@ if ($action == 'login') {
 			}
 		}

-		if (hasUpdates($version) && $is_admin == false) {
+		if ((hasUpdates($version) || hasDbUpdates($dbversion)) && $is_admin == false) {
 			redirectTo('index.php');
 			exit;
 		}

 		if ($is_admin) {
-			if (hasUpdates($version)) {
+			if (hasUpdates($version) || hasDbUpdates($dbversion)) {
 				$stmt = Database::prepare("SELECT `loginname` AS `admin` FROM `" . TABLE_PANEL_ADMINS . "`
 					WHERE `loginname`= :loginname
 					AND `change_serversettings` = '1'"
@@ -222,11 +222,15 @@ if ($action == 'login') {
 			$qryparams['s'] = $s;

 			if ($userinfo['adminsession'] == '1') {
-				if (hasUpdates($version)) {
+				if (hasUpdates($version) || hasDbUpdates($dbversion)) {
 					redirectTo('admin_updates.php', array('s' => $s));
 				} else {
 					if (isset($_POST['script']) && $_POST['script'] != "") {
-						redirectTo($_POST['script'], $qryparams);
+						if (preg_match("/customer\_/", $_POST['script']) === 1) {
+							redirectTo('admin_customers.php', array("page" => "customers"));
+						} else {
+							redirectTo($_POST['script'], $qryparams);
+						}
 					} else {
 						redirectTo('admin_index.php', $qryparams);
 					}
@@ -283,7 +287,7 @@ if ($action == 'login') {
 		}

 		$update_in_progress = '';
-		if (hasUpdates($version)) {
+		if (hasUpdates($version) || hasDbUpdates($dbversion)) {
 			$update_in_progress = $lng['update']['updateinprogress_onlyadmincanlogin'];
 		}
 		
@@ -345,8 +349,8 @@ if ($action == 'forgotpwd') {
 				if ($user !== false) {
 					// build a activation code
 					$timestamp = time();
-					$first = substr(md5($user['loginname'] . $timestamp . rand(0, $timestamp)), 0, 15);
-					$third = substr(md5($user['email'] . $timestamp . rand(0, $timestamp)), -15);
+					$first = substr(md5($user['loginname'] . $timestamp . randomStr(16)), 0, 15);
+					$third = substr(md5($user['email'] . $timestamp . randomStr(16)), -15);
 					$activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);

 					// Drop all existing activation codes for this user
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -194,6 +194,8 @@ CREATE TABLE `panel_customers` (
  `theme` varchar(255) NOT NULL default 'Sparkle',
  `custom_notes` text,
  `custom_notes_show` tinyint(1) NOT NULL default '0',
+  `lepublickey` mediumtext DEFAULT NULL,
+  `leprivatekey` mediumtext DEFAULT NULL,
   PRIMARY KEY  (`customerid`),
   UNIQUE KEY `loginname` (`loginname`)
 ) ENGINE=MyISAM CHARSET=utf8 COLLATE=utf8_general_ci;
@@ -243,10 +245,15 @@ CREATE TABLE `panel_domains` (
  `bindserial` varchar(10) NOT NULL default '2000010100',
  `add_date` int( 11 ) NOT NULL default '0',
  `registration_date` date NOT NULL,
+  `termination_date` date NOT NULL,
  `phpsettingid` INT( 11 ) UNSIGNED NOT NULL DEFAULT '1',
  `mod_fcgid_starter` int(4) default '-1',
  `mod_fcgid_maxrequests` int(4) default '-1',
  `ismainbutsubto` int(11) unsigned NOT NULL default '0',
+  `letsencrypt` tinyint(1) NOT NULL default '0',
+  `hsts` varchar(10) NOT NULL default '0',
+  `hsts_sub` tinyint(1) NOT NULL default '0',
+  `hsts_preload` tinyint(1) NOT NULL default '1',
  PRIMARY KEY  (`id`),
  KEY `customerid` (`customerid`),
  KEY `parentdomain` (`parentdomainid`),
@@ -365,7 +372,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('dkim', 'dkim_domains', 'domains'),
 	('dkim', 'dkim_dkimkeys', 'dkim-keys.conf'),
 	('dkim', 'dkimrestart_command', '/etc/init.d/dkim-filter restart'),
-	('admin', 'show_news_feed', '1'),
+	('admin', 'show_news_feed', '0'),
 	('admin', 'show_version_login', '0'),
 	('admin', 'show_version_footer', '0'),
 	('spf', 'use_spf', '0'),
@@ -504,11 +511,20 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('system', 'mailtraffic_enabled', '1'),
 	('system', 'cronconfig', '/etc/cron.d/froxlor'),
 	('system', 'crondreload', '/etc/init.d/cron reload'),
-	('system', 'croncmdline', '/usr/bin/nice -n 5 /usr/bin/php5 -q'),
+	('system', 'croncmdline', '/usr/bin/nice -n 5 /usr/bin/php -q'),
 	('system', 'cron_allowautoupdate', '0'),
 	('system', 'dns_createhostnameentry', '0'),
 	('system', 'send_cron_errors', '0'),
 	('system', 'apacheitksupport', '0'),
+	('system', 'leprivatekey', 'unset'),
+	('system', 'lepublickey', 'unset'),
+	('system', 'letsencryptca', 'production'),
+	('system', 'letsencryptcountrycode', 'DE'),
+	('system', 'letsencryptstate', 'Germany'),
+	('system', 'letsencryptchallengepath', '/var/www/froxlor'),
+	('system', 'letsencryptkeysize', '4096'),
+	('system', 'letsencryptreuseold', 0),
+	('system', 'leenabled', '0'),
 	('panel', 'decimal_places', '4'),
 	('panel', 'adminmail', 'admin@SERVERNAME'),
 	('panel', 'phpmyadmin_url', ''),
@@ -539,7 +555,8 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('panel', 'password_numeric', '0'),
 	('panel', 'password_special_char_required', '0'),
 	('panel', 'password_special_char', '!?<>§$%+#=@'),
-	('panel', 'version', '0.9.34.2');
+	('panel', 'version', '0.9.35.1'),
+	('panel', 'db_version', '201603150');


 DROP TABLE IF EXISTS `panel_tasks`;
@@ -724,8 +741,8 @@ CREATE TABLE `panel_phpconfigs` (


 INSERT INTO `panel_phpconfigs` (`id`, `description`, `binary`, `file_extensions`, `mod_fcgid_starter`, `mod_fcgid_maxrequests`, `phpsettings`) VALUES
-(1, 'Default Config', '/usr/bin/php-cgi', 'php', '-1', '-1', 'allow_call_time_pass_reference = Off\r\nallow_url_fopen = Off\r\nasp_tags = Off\r\ndisable_classes =\r\ndisable_functions = curl_exec,curl_multi_exec,exec,parse_ini_file,passthru,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,show_source,system\r\ndisplay_errors = Off\r\ndisplay_startup_errors = Off\r\nenable_dl = Off\r\nerror_reporting = E_ALL & ~E_NOTICE\r\nexpose_php = Off\r\nfile_uploads = On\r\ncgi.force_redirect = 1\r\ngpc_order = "GPC"\r\nhtml_errors = Off\r\nignore_repeated_errors = Off\r\nignore_repeated_source = Off\r\ninclude_path = ".:{PEAR_DIR}"\r\nlog_errors = On\r\nlog_errors_max_len = 1024\r\nmagic_quotes_gpc = Off\r\nmagic_quotes_runtime = Off\r\nmagic_quotes_sybase = Off\r\nmax_execution_time = 30\r\nmax_input_time = 60\r\nmemory_limit = 128M\r\n{OPEN_BASEDIR_C}open_basedir = "{OPEN_BASEDIR}"\r\noutput_buffering = 4096\r\npost_max_size = 16M\r\nprecision = 14\r\nregister_argc_argv = Off\r\nregister_globals = Off\r\nreport_memleaks = On\r\nsendmail_path = "/usr/sbin/sendmail -t -i -f {CUSTOMER_EMAIL}"\r\nsession.auto_start = 0\r\nsession.bug_compat_42 = 0\r\nsession.bug_compat_warn = 1\r\nsession.cache_expire = 180\r\nsession.cache_limiter = nocache\r\nsession.cookie_domain =\r\nsession.cookie_lifetime = 0\r\nsession.cookie_path = /\r\nsession.entropy_file = /dev/urandom\r\nsession.entropy_length = 16\r\nsession.gc_divisor = 1000\r\nsession.gc_maxlifetime = 1440\r\nsession.gc_probability = 1\r\nsession.name = PHPSESSID\r\nsession.referer_check =\r\nsession.save_handler = files\r\nsession.save_path = "{TMP_DIR}"\r\nsession.serialize_handler = php\r\nsession.use_cookies = 1\r\nsession.use_trans_sid = 0\r\nshort_open_tag = On\r\nsuhosin.mail.protect = 1\r\nsuhosin.simulation = Off\r\ntrack_errors = Off\r\nupload_max_filesize = 32M\r\nupload_tmp_dir = "{TMP_DIR}"\r\nvariables_order = "GPCS"\r\n;mail.add_x_header = On\r\n;mail.log = "/var/log/phpmail.log"\r\n'),
-(2, 'Froxlor Vhost Config', '/usr/bin/php-cgi', 'php', '-1', '-1', 'allow_call_time_pass_reference = Off\r\nallow_url_fopen = On\r\nasp_tags = Off\r\ndisable_classes =\r\ndisable_functions = curl_multi_exec,exec,parse_ini_file,passthru,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,show_source,system\r\ndisplay_errors = Off\r\ndisplay_startup_errors = Off\r\nenable_dl = Off\r\nerror_reporting = E_ALL & ~E_NOTICE\r\nexpose_php = Off\r\nfile_uploads = On\r\ncgi.force_redirect = 1\r\ngpc_order = "GPC"\r\nhtml_errors = Off\r\nignore_repeated_errors = Off\r\nignore_repeated_source = Off\r\ninclude_path = ".:{PEAR_DIR}"\r\nlog_errors = On\r\nlog_errors_max_len = 1024\r\nmagic_quotes_gpc = Off\r\nmagic_quotes_runtime = Off\r\nmagic_quotes_sybase = Off\r\nmax_execution_time = 60\r\nmax_input_time = 60\r\nmemory_limit = 128M\r\nnoutput_buffering = 4096\r\npost_max_size = 16M\r\nprecision = 14\r\nregister_argc_argv = Off\r\nregister_globals = Off\r\nreport_memleaks = On\r\nsendmail_path = "/usr/sbin/sendmail -t -i -f {CUSTOMER_EMAIL}"\r\nsession.auto_start = 0\r\nsession.bug_compat_42 = 0\r\nsession.bug_compat_warn = 1\r\nsession.cache_expire = 180\r\nsession.cache_limiter = nocache\r\nsession.cookie_domain =\r\nsession.cookie_lifetime = 0\r\nsession.cookie_path = /\r\nsession.entropy_file = /dev/urandom\r\nsession.entropy_length = 16\r\nsession.gc_divisor = 1000\r\nsession.gc_maxlifetime = 1440\r\nsession.gc_probability = 1\r\nsession.name = PHPSESSID\r\nsession.referer_check =\r\nsession.save_handler = files\r\nsession.save_path = "{TMP_DIR}"\r\nsession.serialize_handler = php\r\nsession.use_cookies = 1\r\nsession.use_trans_sid = 0\r\nshort_open_tag = On\r\nsuhosin.mail.protect = 1\r\nsuhosin.simulation = Off\r\ntrack_errors = Off\r\nupload_max_filesize = 32M\r\nupload_tmp_dir = "{TMP_DIR}"\r\nvariables_order = "GPCS"\r\n;mail.add_x_header = On\r\n;mail.log = "/var/log/phpmail.log"\r\n');
+(1, 'Default Config', '/usr/bin/php-cgi', 'php', '-1', '-1', 'allow_call_time_pass_reference = Off\r\nallow_url_fopen = Off\r\nasp_tags = Off\r\ndisable_classes =\r\ndisable_functions = curl_exec,curl_multi_exec,exec,parse_ini_file,passthru,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,show_source,system\r\ndisplay_errors = Off\r\ndisplay_startup_errors = Off\r\nenable_dl = Off\r\nerror_reporting = E_ALL & ~E_NOTICE\r\nexpose_php = Off\r\nfile_uploads = On\r\ncgi.force_redirect = 1\r\ngpc_order = "GPC"\r\nhtml_errors = Off\r\nignore_repeated_errors = Off\r\nignore_repeated_source = Off\r\ninclude_path = ".:{PEAR_DIR}"\r\nlog_errors = On\r\nlog_errors_max_len = 1024\r\nmagic_quotes_gpc = Off\r\nmagic_quotes_runtime = Off\r\nmagic_quotes_sybase = Off\r\nmax_execution_time = 30\r\nmax_input_time = 60\r\nmemory_limit = 128M\r\n{OPEN_BASEDIR_C}open_basedir = "{OPEN_BASEDIR}"\r\noutput_buffering = 4096\r\npost_max_size = 16M\r\nprecision = 14\r\nregister_argc_argv = Off\r\nregister_globals = Off\r\nreport_memleaks = On\r\nsendmail_path = "/usr/sbin/sendmail -t -i -f {CUSTOMER_EMAIL}"\r\nsession.auto_start = 0\r\nsession.bug_compat_42 = 0\r\nsession.bug_compat_warn = 1\r\nsession.cache_expire = 180\r\nsession.cache_limiter = nocache\r\nsession.cookie_domain =\r\nsession.cookie_lifetime = 0\r\nsession.cookie_path = /\r\nsession.entropy_file = /dev/urandom\r\nsession.entropy_length = 16\r\nsession.gc_divisor = 1000\r\nsession.gc_maxlifetime = 1440\r\nsession.gc_probability = 1\r\nsession.name = PHPSESSID\r\nsession.referer_check =\r\nsession.save_handler = files\r\nsession.save_path = "{TMP_DIR}"\r\nsession.serialize_handler = php\r\nsession.use_cookies = 1\r\nsession.use_trans_sid = 0\r\nshort_open_tag = On\r\nsuhosin.mail.protect = 1\r\nsuhosin.simulation = Off\r\ntrack_errors = Off\r\nupload_max_filesize = 32M\r\nupload_tmp_dir = "{TMP_DIR}"\r\nvariables_order = "GPCS"\r\n;mail.add_x_header = On\r\n;mail.log = "/var/log/phpmail.log"\r\nopcache.restrict_api = "{DOCUMENT_ROOT}"\r\n'),
+(2, 'Froxlor Vhost Config', '/usr/bin/php-cgi', 'php', '-1', '-1', 'allow_call_time_pass_reference = Off\r\nallow_url_fopen = On\r\nasp_tags = Off\r\ndisable_classes =\r\ndisable_functions = curl_multi_exec,exec,parse_ini_file,passthru,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,show_source,system\r\ndisplay_errors = Off\r\ndisplay_startup_errors = Off\r\nenable_dl = Off\r\nerror_reporting = E_ALL & ~E_NOTICE\r\nexpose_php = Off\r\nfile_uploads = On\r\ncgi.force_redirect = 1\r\ngpc_order = "GPC"\r\nhtml_errors = Off\r\nignore_repeated_errors = Off\r\nignore_repeated_source = Off\r\ninclude_path = ".:{PEAR_DIR}"\r\nlog_errors = On\r\nlog_errors_max_len = 1024\r\nmagic_quotes_gpc = Off\r\nmagic_quotes_runtime = Off\r\nmagic_quotes_sybase = Off\r\nmax_execution_time = 60\r\nmax_input_time = 60\r\nmemory_limit = 128M\r\nnoutput_buffering = 4096\r\npost_max_size = 16M\r\nprecision = 14\r\nregister_argc_argv = Off\r\nregister_globals = Off\r\nreport_memleaks = On\r\nsendmail_path = "/usr/sbin/sendmail -t -i -f {CUSTOMER_EMAIL}"\r\nsession.auto_start = 0\r\nsession.bug_compat_42 = 0\r\nsession.bug_compat_warn = 1\r\nsession.cache_expire = 180\r\nsession.cache_limiter = nocache\r\nsession.cookie_domain =\r\nsession.cookie_lifetime = 0\r\nsession.cookie_path = /\r\nsession.entropy_file = /dev/urandom\r\nsession.entropy_length = 16\r\nsession.gc_divisor = 1000\r\nsession.gc_maxlifetime = 1440\r\nsession.gc_probability = 1\r\nsession.name = PHPSESSID\r\nsession.referer_check =\r\nsession.save_handler = files\r\nsession.save_path = "{TMP_DIR}"\r\nsession.serialize_handler = php\r\nsession.use_cookies = 1\r\nsession.use_trans_sid = 0\r\nshort_open_tag = On\r\nsuhosin.mail.protect = 1\r\nsuhosin.simulation = Off\r\ntrack_errors = Off\r\nupload_max_filesize = 32M\r\nupload_tmp_dir = "{TMP_DIR}"\r\nvariables_order = "GPCS"\r\n;mail.add_x_header = On\r\n;mail.log = "/var/log/phpmail.log"\r\nopcache.restrict_api = ""\r\n');


 DROP TABLE IF EXISTS `cronjobs_run`;
@@ -747,7 +764,8 @@ INSERT INTO `cronjobs_run` (`id`, `module`, `cronfile`, `interval`, `isactive`,
 	(3, 'froxlor/ticket', 'used_tickets_reset', '1 DAY', '1', 'cron_ticketsreset'),
 	(4, 'froxlor/ticket', 'ticketarchive', '1 MONTH', '1', 'cron_ticketarchive'),
 	(5, 'froxlor/reports', 'usage_report', '1 DAY', '1', 'cron_usage_report'),
-	(6, 'froxlor/core', 'mailboxsize', '6 HOUR', '1', 'cron_mailboxsize');
+	(6, 'froxlor/core', 'mailboxsize', '6 HOUR', '1', 'cron_mailboxsize'),
+	(7, 'froxlor/letsencrypt', 'letsencrypt', '5 MINUTE', '0', 'cron_letsencrypt');



@@ -822,6 +840,8 @@ CREATE TABLE IF NOT EXISTS `domain_ssl_settings` (
  `ssl_key_file` mediumtext NOT NULL,
  `ssl_ca_file` mediumtext,
  `ssl_cert_chainfile` mediumtext,
+  `ssl_csr_file` mediumtext,
+  `expirationdate` datetime DEFAULT NULL,
  PRIMARY KEY  (`id`)
 ) ENGINE=MyISAM CHARSET=utf8 COLLATE=utf8_general_ci;

--- a/install/lib/class.FroxlorInstall.php
+++ b/install/lib/class.FroxlorInstall.php
@@ -160,6 +160,7 @@ class FroxlorInstall {
 		$this->_getPostField('admin_user', 'admin');
 		$this->_getPostField('admin_pass1');
 		$this->_getPostField('admin_pass2');
+		$this->_getPostField('activate_newsfeed', 1);
 		$posixusername = posix_getpwuid(posix_getuid());
 		$this->_getPostField('httpuser', $posixusername['name']);
 		$posixgroup = posix_getgrgid(posix_getgid());
@@ -470,8 +471,11 @@ class FroxlorInstall {
 			$this->_updateSetting($upd_stmt, '/etc/nginx/froxlor-htpasswd/', 'system', 'apacheconf_htpasswddir');
 			$this->_updateSetting($upd_stmt, '/etc/init.d/nginx reload', 'system', 'apachereload_command');
 			$this->_updateSetting($upd_stmt, '/etc/nginx/nginx.pem', 'system', 'ssl_cert_file');
-			$this->_updateSetting($upd_stmt, '/var/run/nginx/', 'phpfpm', 'fastcgi_ipcdir');
+			$this->_updateSetting($upd_stmt, '/var/run/', 'phpfpm', 'fastcgi_ipcdir');
 		}
+		
+		$this->_updateSetting($upd_stmt, $this->_data['activate_newsfeed'], 'admin', 'show_news_feed');
+		$this->_updateSetting($upd_stmt, dirname(dirname(dirname(__FILE__))), 'system', 'letsencryptchallengepath');

 		// insert the lastcronrun to be the installation date
 		$this->_updateSetting($upd_stmt, time(), 'system', 'lastcronrun');
@@ -744,6 +748,8 @@ class FroxlorInstall {
 		} else { $style = '';
 		}
 		$formdata .= $this->_getSectionItemString('admin_pass2', true, $style, 'password');
+		// activate newsfeed?
+		$formdata .= $this->_getSectionItemYesNo('activate_newsfeed', true);

 		/**
 		 * Server data
@@ -817,10 +823,10 @@ class FroxlorInstall {
 	}

 	/**
-	 * generate form checkbox field
+	 * generate form radio field for webserver-selection
 	 *
 	 * @param string $fieldname
-	 * @param boolean $required
+	 * @param boolean $checked
 	 * @param string $style
 	 *
 	 * @return string
@@ -835,6 +841,25 @@ class FroxlorInstall {
 		return $sectionitem;
 	}

+	/**
+	 * generate form checkbox field
+	 *
+	 * @param string $fieldname
+	 * @param boolean $checked
+	 * @param string $style
+	 *
+	 * @return string
+	 */
+	private function _getSectionItemYesNo($fieldname = null, $checked = false, $style = "") {
+	    $fieldlabel = $this->_lng['install'][$fieldname];
+	    if ($checked) {
+	        $checked = 'checked="checked"';
+	    }
+	    $sectionitem = "";
+	    eval("\$sectionitem .= \"" . $this->_getTemplate("dataitemyesno") . "\";");
+	    return $sectionitem;
+	}
+
 	/**
 	 * check for requirements froxlor needs
 	 */
--- a/install/lng/english.lng.php
+++ b/install/lng/english.lng.php
@@ -56,6 +56,7 @@ $lng['install']['admin_account'] = 'Administrator Account';
 $lng['install']['admin_user'] = 'Administrator Username';
 $lng['install']['admin_pass1'] = 'Administrator Password';
 $lng['install']['admin_pass2'] = 'Administrator-Password (confirm)';
+$lng['install']['activate_newsfeed'] = 'Enable the official newsfeed<br><small>(https://inside.froxlor.org/news/)</small>';
 $lng['install']['serversettings'] = 'Server settings';
 $lng['install']['servername'] = 'Server name (FQDN, no ip-address)';
 $lng['install']['serverip'] = 'Server IP';
--- a/install/lng/german.lng.php
+++ b/install/lng/german.lng.php
@@ -56,6 +56,7 @@ $lng['install']['admin_account'] = 'Admin-Zugang';
 $lng['install']['admin_user'] = 'Administrator-Benutzername';
 $lng['install']['admin_pass1'] = 'Administrator-Passwort';
 $lng['install']['admin_pass2'] = 'Administrator-Passwort (Bestätigung)';
+$lng['install']['activate_newsfeed'] = 'Aktiviere das offizielle Newsfeed<br><small>(https://inside.froxlor.org/news/)</small>';
 $lng['install']['serversettings'] = 'Servereinstellungen';
 $lng['install']['servername'] = 'Servername (FQDN, keine IP-Adresse)';
 $lng['install']['serverip'] = 'Server-IP';
--- a/install/scripts/language-check.php
+++ b/install/scripts/language-check.php
@@ -56,7 +56,7 @@ if ($dh = opendir($path)) {
 } else {
 	print "ERROR: The path you requested cannot be read! \n ";
 	print "\n";
-	print_help();
+	print_help($argv);
 	exit;
 }

@@ -64,7 +64,7 @@ if ($dh = opendir($path)) {
 if (!isset($files[$baseLanguage])) {
 	print "ERROR: The baselanguage cannot be found! \n";
 	print "\n";
-	print_help();
+	print_help($argv);
 	exit;
 }

--- a/install/templates/dataitemyesno.tpl
+++ b/install/templates/dataitemyesno.tpl
@@ -0,0 +1,4 @@
+<p>
+	<label for="{$fieldname}" class="install-block {$style}">{$fieldlabel}:</label>
+	<input type="checkbox" name="{$fieldname}" id="{$fieldname}" value="1" {$checked} />
+</p>
--- a/install/updates/froxlor/0.9/update_0.9.inc.php
+++ b/install/updates/froxlor/0.9/update_0.9.inc.php
--- a/install/updates/preconfig.php
+++ b/install/updates/preconfig.php
@@ -21,17 +21,18 @@
 * outputs various content before the update process
 * can be continued (askes for agreement whatever is being asked)
 *
- * @param string version
+ * @param string $current_version
+ * @param int $current_db_version
 *
 * @return string
 */
-function getPreConfig($current_version)
+function getPreConfig($current_version, $current_db_version)
 {
 	$has_preconfig = false;
 	$return = '<div class="preconfig"><h3 class="red">PLEASE NOTE - Important update notifications</h3>';

 	include_once makeCorrectFile(dirname(__FILE__).'/preconfig/0.9/preconfig_0.9.inc.php');
-	parseAndOutputPreconfig($has_preconfig, $return, $current_version);
+	parseAndOutputPreconfig($has_preconfig, $return, $current_version, $current_db_version);

 	$return .= '<br /><br />'.makecheckbox('update_changesagreed', '<strong>I have read the update notifications above and I am aware of the changes made to my system.</strong>', '1', true, '0', true);
 	$return .= '</div>';
--- a/install/updates/preconfig/0.9/preconfig_0.9.inc.php
+++ b/install/updates/preconfig/0.9/preconfig_0.9.inc.php
@@ -24,7 +24,7 @@
 *
 * @return null
 */
-function parseAndOutputPreconfig(&$has_preconfig, &$return, $current_version) {
+function parseAndOutputPreconfig(&$has_preconfig, &$return, $current_version, $current_db_version) {

 	global $lng;

@@ -700,4 +700,12 @@ function parseAndOutputPreconfig(&$has_preconfig, &$return, $current_version) {
 	    $question .= '<br>';
 	    eval("\$return.=\"" . getTemplate("update/preconfigitem") . "\";");
 	}
+
+	if (versionInUpdate($current_db_version, '201603070')) {
+	    $has_preconfig = true;
+	    $description  = 'You can chose whether you want to enable or disable our Let\'s Encrypt implementation.<br />Please remember that you need to go through the webserver-configuration when enabled because this feature needs a special configuration.<br /><br />';
+	    $question = '<strong>Do you want to enable Let\'s Encrypt? (default: yes):</strong>&nbsp;';
+	    $question.= makeyesno('enable_letsencrypt', '1', '0', '1').'<br />';
+	    eval("\$return.=\"" . getTemplate("update/preconfigitem") . "\";");
+	}
 }
--- a/lib/ajax.php
+++ b/lib/ajax.php
@@ -40,7 +40,7 @@ if ($action == "newsfeed") {
 	if (isset($_GET['role']) && $_GET['role'] == "customer") {
 		$feed = Settings::Get("customer.news_feed_url");
 	} else {
-		$feed = "http://inside.froxlor.org/news/";
+		$feed = "https://inside.froxlor.org/news/";
 	}

 	if (function_exists("simplexml_load_file") == false) {
--- a/lib/classes/config/class.ConfigDaemon.php
+++ b/lib/classes/config/class.ConfigDaemon.php
@@ -393,7 +393,9 @@ class ConfigDaemon {
 		$return = 0;
 		switch ($attributes['mode']) {
 			case "isfile": if (!is_file($order)) { $return = -1; }; break;
+			case "notisfile": if (is_file($order)) { $return = -1; }; break;
 			case "isdir": if (!is_dir($order)) { $return = -1; }; break;
+			case "notisdir": if (is_dir($order)) { $return = -1; }; break;
 			case "false": if ($order == true) { $return = -1; }; break;
 			case "true": if ($order == false) { $return = -1; }; break;
 			case "notempty": if ($order == "") { $return = -1; }; break;
--- a/lib/classes/integrity/class.IntegrityCheck.php
+++ b/lib/classes/integrity/class.IntegrityCheck.php
@@ -15,7 +15,7 @@
 * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
 * @package    Integrity
 *
- * IntegrityCheck - class 
+ * IntegrityCheck - class
 */

 class IntegrityCheck {
@@ -28,7 +28,7 @@ class IntegrityCheck {

 	/**
 	 * Constructor
-	 * Parses all available checks into $this->available 
+	 * Parses all available checks into $this->available
 	 */
 	public function __construct() {
 		global $userinfo;
@@ -41,7 +41,7 @@ class IntegrityCheck {
 		unset($this->available[array_search('checkAll', $this->available)]);
 		unset($this->available[array_search('fixAll', $this->available)]);
 		sort($this->available);
-		
+
 	}

 	/**
@@ -130,9 +130,9 @@ class IntegrityCheck {
 			while ($row = $adm_stmt->fetch(PDO::FETCH_ASSOC)) {
 				if ($row['ip'] < 0 || is_null($row['ip']) || empty($row['ip'])) {
 					// Admin uses default-IP
-					$admips[$row['adminid']] = Settings::Get('system.defaultip');
+					$admips[$row['adminid']] = explode(',', Settings::Get('system.defaultip'));
 				} else {
-					$admips[$row['adminid']] = $row['ip'];
+					$admips[$row['adminid']] = [ $row['ip'] ];
 				}
 			}
 		}
@@ -143,19 +143,19 @@ class IntegrityCheck {
 		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 			$ips[$row['id']] = $row['ip'] . ':' . $row['port'];
 		}
-		
+
 		// Cache all configured domains
 		$result_stmt = Database::prepare("SELECT `id`, `adminid` FROM `" . TABLE_PANEL_DOMAINS . "` ORDER BY `id` ASC");
 		Database::pexecute($result_stmt);
 		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 			$domains[$row['id']] = $row['adminid'];
 		}
-		
+
 		// Check if every domain to ip/port - association is valid in TABLE_DOMAINTOIP
 		$result_stmt = Database::prepare("SELECT `id_domain`, `id_ipandports` FROM `" . TABLE_DOMAINTOIP . "`");
 		Database::pexecute($result_stmt);
 		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
-			if (!array_key_exists($row['id_ipandports'], $ips)) { 
+			if (!array_key_exists($row['id_ipandports'], $ips)) {
 				if ($fix) {
 					Database::pexecute($del_stmt, array('domainid' => $row['id_domain'], 'ipandportid' => $row['id_ipandports']));
 					$this->_log->logAction(ADM_ACTION, LOG_WARNING, "found an ip/port-id in domain <> ip table which does not exist, integrity check fixed this");
@@ -170,18 +170,20 @@ class IntegrityCheck {
 					$this->_log->logAction(ADM_ACTION, LOG_WARNING, "found a domain-id in domain <> ip table which does not exist, integrity check fixed this");
 				} else {
 					$this->_log->logAction(ADM_ACTION, LOG_NOTICE, "found a domain-id in domain <> ip table which does not exist, integrity check can fix this");
-					return false; 
+					return false;
 				}
 			}
 			// Save one IP/Port combination per domain, so we know, if one domain is missing an IP
 			$ipstodomains[$row['id_domain']] = $row['id_ipandports'];
 		}
-		
+
 		// Check that all domains have at least one IP/Port combination
 		foreach ($domains as $domainid => $adminid) {
 			if (!array_key_exists($domainid, $ipstodomains)) {
 				if ($fix) {
-					Database::pexecute($ins_stmt, array('domainid' => $domainid, 'ipandportid' => $admips[$adminid]));
+					foreach ($admips[$adminid] as $defaultip) {
+						Database::pexecute($ins_stmt, array('domainid' => $domainid, 'ipandportid' => $defaultip));
+					}
 					$this->_log->logAction(ADM_ACTION, LOG_WARNING, "found a domain-id with no entry in domain <> ip table, integrity check fixed this");
 				} else {
 					$this->_log->logAction(ADM_ACTION, LOG_NOTICE, "found a domain-id with no entry in domain <> ip table, integrity check can fix this");
@@ -198,7 +200,7 @@ class IntegrityCheck {
 	}

 	/**
-	 * Check if all subdomain have ssl-redirect = 0 if domain has no ssl-port
+	 * Check if all subdomains have ssl-redirect = 0 if domain has no ssl-port
 	 * @param $fix Fix everything found directly
 	 */
 	public function SubdomainSslRedirect($fix = false) {
@@ -220,7 +222,7 @@ class IntegrityCheck {
 		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 			$ips[$row['id']] = $row['ip'] . ':' . $row['port'];
 		}
-		
+
 		// Cache all configured domains
 		$result_stmt = Database::prepare("SELECT `id`, `parentdomainid`, `ssl_redirect` FROM `" . TABLE_PANEL_DOMAINS . "` ORDER BY `id` ASC");
 		$ip_stmt = Database::prepare("SELECT `id_domain`, `id_ipandports` FROM `" . TABLE_DOMAINTOIP . "` WHERE `id_domain` = :domainid");
@@ -232,7 +234,7 @@ class IntegrityCheck {
 				Database::pexecute($ip_stmt, array('domainid' => $row['id']));
 				while ($iprow = $ip_stmt->fetch(PDO::FETCH_ASSOC)) {
 					// If the parentdomain has an ip/port assigned which we know is SSL enabled, set the parentdomain to "true"
-					if (array_key_exists($iprow['id_ipandports'], $ips)) { $parentdomains[$row['id']] = true; } 
+					if (array_key_exists($iprow['id_ipandports'], $ips)) { $parentdomains[$row['id']] = true; }
 				}
 			} elseif ($row['ssl_redirect'] == 1)  {
 				// All subdomains with enabled ssl_redirect enabled are stored
@@ -240,14 +242,14 @@ class IntegrityCheck {
 				$subdomains[$row['parentdomainid']][] = $row['id'];
 			}
 		}
-		
+
 		// Check if every parentdomain with enabled ssl_redirect as SSL enabled
 		foreach ($parentdomains as $id => $sslavailable) {
 			// This parentdomain has no subdomains
 			if (!isset($subdomains[$id])) { continue; }
 			// This parentdomain has SSL enabled, doesn't matter what status the subdomains have
 			if ($sslavailable) { continue; }
-			
+
 			// At this point only parentdomains reside which have ssl_redirect enabled subdomains
 			if ($fix) {
 				// We make a blanket update to all subdomains of this parentdomain, doesn't matter which one is wrong, all have to be disabled
@@ -259,7 +261,7 @@ class IntegrityCheck {
 				return false;
 			}
 		}
-		
+
 		if ($fix) {
 			return $this->SubdomainSslRedirect();
 		} else {
@@ -267,6 +269,76 @@ class IntegrityCheck {
 		}
 	}

+	/**
+	 * Check if all subdomain have letsencrypt = 0 if domain has no ssl-port
+	 * @param $fix Fix everything found directly
+	 */
+	public function SubdomainLetsencrypt($fix = false) {
+		$ips = array();
+		$parentdomains = array();
+		$subdomains = array();
+
+		if ($fix) {
+			// Prepare update statement for the fixes
+			$upd_stmt = Database::prepare("
+				UPDATE `" . TABLE_PANEL_DOMAINS . "`
+				SET `letsencrypt` = 0 WHERE `parentdomainid` = :domainid"
+			);
+		}
+
+		// Cache all ssl ip/port - combinations
+		$result_stmt = Database::prepare("SELECT `id`, `ip`, `port` FROM `" . TABLE_PANEL_IPSANDPORTS . "` WHERE `ssl` = 1 ORDER BY `id` ASC");
+		Database::pexecute($result_stmt);
+		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
+			$ips[$row['id']] = $row['ip'] . ':' . $row['port'];
+		}
+		
+		// Cache all configured domains
+		$result_stmt = Database::prepare("SELECT `id`, `parentdomainid`, `letsencrypt` FROM `" . TABLE_PANEL_DOMAINS . "` ORDER BY `id` ASC");
+		$ip_stmt = Database::prepare("SELECT `id_domain`, `id_ipandports` FROM `" . TABLE_DOMAINTOIP . "` WHERE `id_domain` = :domainid");
+		Database::pexecute($result_stmt);
+		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
+			if ($row['parentdomainid'] == 0) {
+				// All parentdomains by default have no ssl - ip/port
+				$parentdomains[$row['id']] = false;
+				Database::pexecute($ip_stmt, array('domainid' => $row['id']));
+				while ($iprow = $ip_stmt->fetch(PDO::FETCH_ASSOC)) {
+					// If the parentdomain has an ip/port assigned which we know is SSL enabled, set the parentdomain to "true"
+					if (array_key_exists($iprow['id_ipandports'], $ips)) { $parentdomains[$row['id']] = true; } 
+				}
+			} elseif ($row['letsencrypt'] == 1)  {
+				// All subdomains with enabled letsencrypt enabled are stored
+				if (!isset($subdomains[$row['parentdomainid']])) { $subdomains[$row['parentdomainid']] = array(); }
+				$subdomains[$row['parentdomainid']][] = $row['id'];
+			}
+		}
+		
+		// Check if every parentdomain with enabled letsencrypt as SSL enabled
+		foreach ($parentdomains as $id => $sslavailable) {
+			// This parentdomain has no subdomains
+			if (!isset($subdomains[$id])) { continue; }
+			// This parentdomain has SSL enabled, doesn't matter what status the subdomains have
+			if ($sslavailable) { continue; }
+			
+			// At this point only parentdomains reside which have letsencrypt enabled subdomains
+			if ($fix) {
+				// We make a blanket update to all subdomains of this parentdomain, doesn't matter which one is wrong, all have to be disabled
+				Database::pexecute($upd_stmt, array('domainid' => $id));
+				$this->_log->logAction(ADM_ACTION, LOG_WARNING, "found a subdomain with letsencrypt=1 but parent-domain has ssl=0, integrity check fixed this");
+			} else {
+				// It's just the check, let the function fail
+				$this->_log->logAction(ADM_ACTION, LOG_NOTICE, "found a subdomain with letsencrypt=1 but parent-domain has ssl=0, integrity check can fix this");
+				return false;
+			}
+		}
+		
+		if ($fix) {
+			return $this->SubdomainLetsencrypt();
+		} else {
+			return true;
+		}
+	}
+
 	/**
 	 * check whether the webserveruser is in
 	 * the customers groups when fcgid / php-fpm is used
--- a/lib/classes/logger/class.FileLogger.php
+++ b/lib/classes/logger/class.FileLogger.php
@@ -106,29 +106,7 @@ class FileLogger extends AbstractLogger {
 					break;
 			}

-			$_type = 'unknown';
-
-			switch($type)
-			{
-				case LOG_INFO:
-					$_type = 'information';
-					break;
-				case LOG_NOTICE:
-					$_type = 'notice';
-					break;
-				case LOG_WARNING:
-					$_type = 'warning';
-					break;
-				case LOG_ERR:
-					$_type = 'error';
-					break;
-				case LOG_CRIT:
-					$_type = 'critical';
-					break;
-				default:
-					$_type = 'unknown';
-					break;
-			}
+			$_type = getLogLevelDesc($type);

 			if(!isset($this->userinfo['loginname'])
 					|| $this->userinfo['loginname'] == '')
--- a/lib/classes/logger/class.FroxlorLogger.php
+++ b/lib/classes/logger/class.FroxlorLogger.php
@@ -40,6 +40,12 @@ class FroxlorLogger {
 	 */
 	static private $loggers = null;

+	/**
+	 * whether to output log-messages to STDOUT (cron)
+	 * @var bool
+	 */
+	static private $crondebug_flag = false;
+
 	/**
 	 * Class constructor.
 	 *
@@ -98,8 +104,14 @@ class FroxlorLogger {
 			return;
 		}

+		if (self::$crondebug_flag
+			|| ($action == CRON_ACTION && $type <= LOG_WARNING)) {
+			echo "[".getLogLevelDesc($type)."] ".$text.PHP_EOL;
+		}
+
 		if (Settings::Get('logger.log_cron') == '0'
-		   && $action == CRON_ACTION
+			&& $action == CRON_ACTION
+			&& $type > LOG_WARNING // warnings, errors and critical mesages WILL be logged
 		) {
 			return;
 		}
@@ -158,12 +170,21 @@ class FroxlorLogger {

 		$_cronlog = (int)$_cronlog;

-		if ($_cronlog != 0
-		   && $_cronlog != 1
-		) {
+		if ($_cronlog < 0 || $_cronlog > 2) {
 			$_cronlog = 0;
 		}
 		Settings::Set('logger.log_cron', $_cronlog);
-		return true;
+		return $_cronlog;
+	}
+
+	/**
+	 * setter for crondebug-flag
+	 *
+	 * @param bool $_flag
+	 *
+	 * @return void
+	 */
+	public function setCronDebugFlag($_flag = false) {
+	    self::$crondebug_flag = (bool)$_flag;
 	}
 }
--- a/lib/classes/logger/class.SysLogger.php
+++ b/lib/classes/logger/class.SysLogger.php
@@ -114,9 +114,9 @@ class SysLogger extends AbstractLogger {
 			if ($text != null
 					&& $text != ''
 			) {
-				syslog((int)$type, "[" . ucfirst($_action) . " Action " . $name . "] " . $text);
+				syslog((int)$type, "[" . ucfirst($_action) . " Action " . $name . "] [".getLogLevelDesc($type)."] " . $text);
 			} else {
-				syslog((int)$type, "[" . ucfirst($_action) . " Action " . $name . "] No text given!!! Check scripts!");
+				syslog((int)$type, "[" . ucfirst($_action) . " Action " . $name . "] [".getLogLevelDesc($type)."] No text given!!! Check scripts!");
 			}

 			closelog();
--- a/lib/classes/phpinterface/class.phpinterface_fcgid.php
+++ b/lib/classes/phpinterface/class.phpinterface_fcgid.php
@@ -153,15 +153,16 @@ class phpinterface_fcgid {
 		$php_ini_variables = array(
 				'SAFE_MODE' => 'Off', // keep this for compatibility, just in case
 				'PEAR_DIR' => Settings::Get('system.mod_fcgid_peardir'),
-				'OPEN_BASEDIR' => $openbasedir,
-				'OPEN_BASEDIR_C' => $openbasedirc,
-				'OPEN_BASEDIR_GLOBAL' => Settings::Get('system.hpappendopenbasedir'),
 				'TMP_DIR' => $this->getTempDir(),
 				'CUSTOMER_EMAIL' => $this->_domain['email'],
 				'ADMIN_EMAIL' => $admin['email'],
 				'DOMAIN' => $this->_domain['domain'],
 				'CUSTOMER' => $this->_domain['loginname'],
-				'ADMIN' => $admin['loginname']
+				'ADMIN' => $admin['loginname'],
+				'OPEN_BASEDIR' => $openbasedir,
+				'OPEN_BASEDIR_C' => $openbasedirc,
+				'OPEN_BASEDIR_GLOBAL' => Settings::Get('system.phpappendopenbasedir'),
+				'DOCUMENT_ROOT' => makeCorrectDir($this->_domain['documentroot'])
 		);

 		//insert a small header for the file
--- a/lib/classes/phpinterface/class.phpinterface_fpm.php
+++ b/lib/classes/phpinterface/class.phpinterface_fpm.php
@@ -92,7 +92,7 @@ class phpinterface_fpm {
 				'suhosin.cookie.cryptua',
 				'suhosin.cookie.cryptdocroot',
 				'suhosin.executor.disable_eval',
-                'mbstring.func_overload'				
+				'mbstring.func_overload'
 			),
 			'php_admin_value' => array(
 				'cgi.redirect_status_env',
@@ -111,7 +111,9 @@ class phpinterface_fpm {
 				'sendmail_path',
 				'session.gc_divisor',
 				'session.gc_probability',
-				'variables_order'
+				'variables_order',
+				'opcache.log_verbosity_level',
+				'opcache.restrict_api'
 			),
 			'php_admin_flag' => array(
 				'allow_call_time_pass_reference',
@@ -127,7 +129,15 @@ class phpinterface_fpm {
 				'ignore_repeated_source',
 				'log_errors',
 				'register_argc_argv',
-				'report_memleaks'
+				'report_memleaks',
+				'opcache.enable',
+				'opcache.consistency_checks',
+				'opcache.dups_fix',
+				'opcache.load_comments',
+				'opcache.revalidate_path',
+				'opcache.save_comments',
+				'opcache.use_cwd',
+				'opcache.validate_timestamps'
 			)
 	);

@@ -197,7 +207,7 @@ class phpinterface_fpm {
 					$fpm_start_servers = $fpm_min_spare_servers;
 				}
 				if ($fpm_start_servers > $fpm_max_spare_servers) {
-					$fpm_start_servers = $fpm_start_servers - (($fpm_start_servers - $fpm_max_spare_servers) + 1);
+					$fpm_start_servers = $fpm_max_spare_servers;
 				}
 				$fpm_config.= 'pm.start_servers = '.$fpm_start_servers."\n";
 				$fpm_config.= 'pm.min_spare_servers = '.$fpm_min_spare_servers."\n";
@@ -267,7 +277,6 @@ class phpinterface_fpm {
 			$fpm_config.= 'php_admin_value[upload_tmp_dir] = ' . makeCorrectDir(Settings::Get('phpfpm.tmpdir') . '/' . $this->_domain['loginname'] . '/') . "\n";

 			$admin = $this->_getAdminData($this->_domain['adminid']);
-
 			$php_ini_variables = array(
 					'SAFE_MODE' => 'Off', // keep this for compatibility, just in case
 					'PEAR_DIR' => Settings::Get('phpfpm.peardir'),
@@ -278,7 +287,9 @@ class phpinterface_fpm {
 					'CUSTOMER' => $this->_domain['loginname'],
 					'ADMIN' => $admin['loginname'],
 					'OPEN_BASEDIR' => $openbasedir,
-					'OPEN_BASEDIR_C' => ''
+					'OPEN_BASEDIR_C' => '',
+					'OPEN_BASEDIR_GLOBAL' => Settings::Get('system.phpappendopenbasedir'),
+					'DOCUMENT_ROOT' => makeCorrectDir($this->_domain['documentroot'])
 			);

 			$phpini = replace_variables($phpconfig['phpsettings'], $php_ini_variables);
@@ -348,7 +359,7 @@ class phpinterface_fpm {
 	public function getSocketFile($createifnotexists = true) {

 		$socketdir = makeCorrectDir(Settings::Get('phpfpm.fastcgi_ipcdir'));
-		$socket = makeCorrectFile($socketdir.'/'.$this->_domain['loginname'].'-'.$this->_domain['domain'].'-php-fpm.socket');
+		$socket = strtolower(makeCorrectFile($socketdir.'/'.$this->_domain['loginname'].'-'.$this->_domain['domain'].'-php-fpm.socket'));

 		if (!is_dir($socketdir) && $createifnotexists) {
 			safe_exec('mkdir -p '.escapeshellarg($socketdir));
--- a/lib/classes/phpmailer/class.PHPMailer.php
+++ b/lib/classes/phpmailer/class.PHPMailer.php
--- a/lib/classes/phpmailer/class.SMTP.php
+++ b/lib/classes/phpmailer/class.SMTP.php
@@ -21,32 +21,32 @@
 * PHPMailer RFC821 SMTP email transport class.
 * Implements RFC 821 SMTP commands and provides some utility methods for sending mail to an SMTP server.
 * @package PHPMailer
- * @author Chris Ryan <unknown@example.com>
+ * @author Chris Ryan
 * @author Marcus Bointon <phpmailer@synchromedia.co.uk>
 */
 class SMTP
 {
    /**
     * The PHPMailer SMTP version number.
-     * @type string
+     * @var string
     */
-    const VERSION = '5.2.9';
+    const VERSION = '5.2.14';

    /**
     * SMTP line break constant.
-     * @type string
+     * @var string
     */
    const CRLF = "\r\n";

    /**
     * The SMTP port to use if one is not specified.
-     * @type integer
+     * @var integer
     */
    const DEFAULT_SMTP_PORT = 25;

    /**
     * The maximum line length allowed by RFC 2822 section 2.1.1
-     * @type integer
+     * @var integer
     */
    const MAX_LINE_LENGTH = 998;

@@ -77,15 +77,15 @@ class SMTP

    /**
     * The PHPMailer SMTP Version number.
-     * @type string
+     * @var string
     * @deprecated Use the `VERSION` constant instead
     * @see SMTP::VERSION
     */
-    public $Version = '5.2.9';
+    public $Version = '5.2.14';

    /**
     * SMTP server port number.
-     * @type integer
+     * @var integer
     * @deprecated This is only ever used as a default value, so use the `DEFAULT_SMTP_PORT` constant instead
     * @see SMTP::DEFAULT_SMTP_PORT
     */
@@ -93,7 +93,7 @@ class SMTP

    /**
     * SMTP reply line ending.
-     * @type string
+     * @var string
     * @deprecated Use the `CRLF` constant instead
     * @see SMTP::CRLF
     */
@@ -107,7 +107,7 @@ class SMTP
     * * self::DEBUG_SERVER (`2`) Client commands and server responses
     * * self::DEBUG_CONNECTION (`3`) As DEBUG_SERVER plus connection status
     * * self::DEBUG_LOWLEVEL (`4`) Low-level data output, all messages
-     * @type integer
+     * @var integer
     */
    public $do_debug = self::DEBUG_OFF;

@@ -122,7 +122,7 @@ class SMTP
     * <code>
     * $smtp->Debugoutput = function($str, $level) {echo "debug level $level; message: $str";};
     * </code>
-     * @type string|callable
+     * @var string|callable
     */
    public $Debugoutput = 'echo';

@@ -130,7 +130,7 @@ class SMTP
     * Whether to use VERP.
     * @link http://en.wikipedia.org/wiki/Variable_envelope_return_path
     * @link http://www.postfix.org/VERP_README.html Info on VERP
-     * @type boolean
+     * @var boolean
     */
    public $do_verp = false;

@@ -139,38 +139,55 @@ class SMTP
     * Default of 5 minutes (300sec) is from RFC2821 section 4.5.3.2
     * This needs to be quite high to function correctly with hosts using greetdelay as an anti-spam measure.
     * @link http://tools.ietf.org/html/rfc2821#section-4.5.3.2
-     * @type integer
+     * @var integer
     */
    public $Timeout = 300;

    /**
-     * The SMTP timelimit value for reads, in seconds.
-     * @type integer
+     * How long to wait for commands to complete, in seconds.
+     * Default of 5 minutes (300sec) is from RFC2821 section 4.5.3.2
+     * @var integer
     */
-    public $Timelimit = 30;
+    public $Timelimit = 300;

    /**
     * The socket for the server connection.
-     * @type resource
+     * @var resource
     */
    protected $smtp_conn;

    /**
-     * Error message, if any, for the last call.
-     * @type array
+     * Error information, if any, for the last SMTP command.
+     * @var array
     */
-    protected $error = array();
+    protected $error = array(
+        'error' => '',
+        'detail' => '',
+        'smtp_code' => '',
+        'smtp_code_ex' => ''
+    );

    /**
     * The reply the server sent to us for HELO.
     * If null, no HELO string has yet been received.
-     * @type string|null
+     * @var string|null
     */
    protected $helo_rply = null;

+    /**
+     * The set of SMTP extensions sent in reply to EHLO command.
+     * Indexes of the array are extension names.
+     * Value at index 'HELO' or 'EHLO' (according to command that was sent)
+     * represents the server name. In case of HELO it is the only element of the array.
+     * Other values can be boolean TRUE or an array containing extension options.
+     * If null, no HELO/EHLO string has yet been received.
+     * @var array|null
+     */
+    protected $server_caps = null;
+
    /**
     * The most recent reply received from the server.
-     * @type string
+     * @var string
     */
    protected $last_reply = '';

@@ -187,7 +204,8 @@ class SMTP
        if ($level > $this->do_debug) {
            return;
        }
-        if (is_callable($this->Debugoutput)) {
+        //Avoid clash with built-in function names
+        if (!in_array($this->Debugoutput, array('error_log', 'html', 'echo')) and is_callable($this->Debugoutput)) {
            call_user_func($this->Debugoutput, $str, $this->do_debug);
            return;
        }
@@ -235,11 +253,11 @@ class SMTP
            $streamok = function_exists('stream_socket_client');
        }
        // Clear errors to avoid confusion
-        $this->error = array();
+        $this->setError('');
        // Make sure we are __not__ connected
        if ($this->connected()) {
            // Already connected, generate error
-            $this->error = array('error' => 'Already connected to a server');
+            $this->setError('Already connected to a server');
            return false;
        }
        if (empty($port)) {
@@ -247,7 +265,7 @@ class SMTP
        }
        // Connect to the SMTP server
        $this->edebug(
-            "Connection: opening to $host:$port, t=$timeout, opt=".var_export($options, true),
+            "Connection: opening to $host:$port, timeout=$timeout, options=".var_export($options, true),
            self::DEBUG_CONNECTION
        );
        $errno = 0;
@@ -279,10 +297,10 @@ class SMTP
        }
        // Verify we connected properly
        if (!is_resource($this->smtp_conn)) {
-            $this->error = array(
-                'error' => 'Failed to connect to server',
-                'errno' => $errno,
-                'errstr' => $errstr
+            $this->setError(
+                'Failed to connect to server',
+                $errno,
+                $errstr
            );
            $this->edebug(
                'SMTP ERROR: ' . $this->error['error']
@@ -296,7 +314,8 @@ class SMTP
        // Windows does not have support for this timeout function
        if (substr(PHP_OS, 0, 3) != 'WIN') {
            $max = ini_get('max_execution_time');
-            if ($max != 0 && $timeout > $max) { // Don't bother if unlimited
+            // Don't bother if unlimited
+            if ($max != 0 && $timeout > $max) {
                @set_time_limit($timeout);
            }
            stream_set_timeout($this->smtp_conn, $timeout, 0);
@@ -332,22 +351,62 @@ class SMTP
     * Perform SMTP authentication.
     * Must be run after hello().
     * @see hello()
-     * @param string $username    The user name
-     * @param string $password    The password
-     * @param string $authtype    The auth type (PLAIN, LOGIN, NTLM, CRAM-MD5)
-     * @param string $realm       The auth realm for NTLM
+     * @param string $username The user name
+     * @param string $password The password
+     * @param string $authtype The auth type (PLAIN, LOGIN, NTLM, CRAM-MD5, XOAUTH2)
+     * @param string $realm The auth realm for NTLM
     * @param string $workstation The auth workstation for NTLM
-     * @access public
-     * @return boolean True if successfully authenticated.
+     * @param null|OAuth $OAuth An optional OAuth instance (@see PHPMailerOAuth)
+     * @return bool True if successfully authenticated.* @access public
     */
    public function authenticate(
        $username,
        $password,
-        $authtype = 'LOGIN',
+        $authtype = null,
        $realm = '',
-        $workstation = ''
+        $workstation = '',
+        $OAuth = null
    ) {
-        if (empty($authtype)) {
+        if (!$this->server_caps) {
+            $this->setError('Authentication is not allowed before HELO/EHLO');
+            return false;
+        }
+
+        if (array_key_exists('EHLO', $this->server_caps)) {
+        // SMTP extensions are available. Let's try to find a proper authentication method
+
+            if (!array_key_exists('AUTH', $this->server_caps)) {
+                $this->setError('Authentication is not allowed at this stage');
+                // 'at this stage' means that auth may be allowed after the stage changes
+                // e.g. after STARTTLS
+                return false;
+            }
+
+            self::edebug('Auth method requested: ' . ($authtype ? $authtype : 'UNKNOWN'), self::DEBUG_LOWLEVEL);
+            self::edebug(
+                'Auth methods available on the server: ' . implode(',', $this->server_caps['AUTH']),
+                self::DEBUG_LOWLEVEL
+            );
+
+            if (empty($authtype)) {
+                foreach (array('LOGIN', 'CRAM-MD5', 'NTLM', 'PLAIN', 'XOAUTH2') as $method) {
+                    if (in_array($method, $this->server_caps['AUTH'])) {
+                        $authtype = $method;
+                        break;
+                    }
+                }
+                if (empty($authtype)) {
+                    $this->setError('No supported authentication methods found');
+                    return false;
+                }
+                self::edebug('Auth method selected: '.$authtype, self::DEBUG_LOWLEVEL);
+            }
+
+            if (!in_array($authtype, $this->server_caps['AUTH'])) {
+                $this->setError("The requested authentication method \"$authtype\" is not supported by the server");
+                return false;
+            }
+        } elseif (empty($authtype)) {
            $authtype = 'LOGIN';
        }
        switch ($authtype) {
@@ -378,6 +437,19 @@ class SMTP
                    return false;
                }
                break;
+            case 'XOAUTH2':
+                //If the OAuth Instance is not set. Can be a case when PHPMailer is used
+                //instead of PHPMailerOAuth
+                if (is_null($OAuth)) {
+                    return false;
+                }
+                $oauth = $OAuth->getOauth64();
+
+                // Start authentication
+                if (!$this->sendCommand('AUTH', 'AUTH XOAUTH2 ' . $oauth, 235)) {
+                    return false;
+                }
+                break;
            case 'NTLM':
                /*
                 * ntlm_sasl_client.php
@@ -388,11 +460,11 @@ class SMTP
                 * PROTOCOL Docs http://curl.haxx.se/rfc/ntlm.html#ntlmSmtpAuthentication
                 */
                require_once 'extras/ntlm_sasl_client.php';
-                $temp = new stdClass();
+                $temp = new stdClass;
                $ntlm_client = new ntlm_sasl_client_class;
                //Check that functions are available
                if (!$ntlm_client->Initialize($temp)) {
-                    $this->error = array('error' => $temp->error);
+                    $this->setError($temp->error);
                    $this->edebug(
                        'You need to enable some modules in your php.ini file: '
                        . $this->error['error'],
@@ -441,6 +513,9 @@ class SMTP

                // send encoded credentials
                return $this->sendCommand('Username', base64_encode($response), 235);
+            default:
+                $this->setError("Authentication method \"$authtype\" is not supported");
+                return false;
        }
        return true;
    }
@@ -513,7 +588,8 @@ class SMTP
     */
    public function close()
    {
-        $this->error = array();
+        $this->setError('');
+        $this->server_caps = null;
        $this->helo_rply = null;
        if (is_resource($this->smtp_conn)) {
            // close the connection and cleanup
@@ -537,9 +613,11 @@ class SMTP
     */
    public function data($msg_data)
    {
+        //This will use the standard timelimit
        if (!$this->sendCommand('DATA', 'DATA', 354)) {
            return false;
        }
+
        /* The server is ready to accept data!
         * According to rfc821 we should not send more than 1000 characters on a single line (including the CRLF)
         * so we will break the data up into lines by \r and/or \n then if needed we will break each of those into
@@ -567,13 +645,14 @@ class SMTP
            if ($in_headers and $line == '') {
                $in_headers = false;
            }
-            // ok we need to break this line up into several smaller lines
-            //This is a small micro-optimisation: isset($str[$len]) is equivalent to (strlen($str) > $len)
+            //Break this line up into several smaller lines if it's too long
+            //Micro-optimisation: isset($str[$len]) is faster than (strlen($str) > $len),
            while (isset($line[self::MAX_LINE_LENGTH])) {
                //Working backwards, try to find a space within the last MAX_LINE_LENGTH chars of the line to break on
                //so as to avoid breaking in the middle of a word
                $pos = strrpos(substr($line, 0, self::MAX_LINE_LENGTH), ' ');
-                if (!$pos) { //Deliberately matches both false and 0
+                //Deliberately matches both false and 0
+                if (!$pos) {
                    //No nice break found, add a hard break
                    $pos = self::MAX_LINE_LENGTH - 1;
                    $lines_out[] = substr($line, 0, $pos);
@@ -584,16 +663,14 @@ class SMTP
                    //Move along by the amount we dealt with
                    $line = substr($line, $pos + 1);
                }
-                /* If processing headers add a LWSP-char to the front of new line
-                 * RFC822 section 3.1.1
-                 */
+                //If processing headers add a LWSP-char to the front of new line RFC822 section 3.1.1
                if ($in_headers) {
                    $line = "\t" . $line;
                }
            }
            $lines_out[] = $line;

-            // Send the lines to the server
+            //Send the lines to the server
            foreach ($lines_out as $line_out) {
                //RFC2821 section 4.5.2
                if (!empty($line_out) and $line_out[0] == '.') {
@@ -603,8 +680,14 @@ class SMTP
            }
        }

-        // Message data has been sent, complete the command
-        return $this->sendCommand('DATA END', '.', 250);
+        //Message data has been sent, complete the command
+        //Increase timelimit for end of DATA command
+        $savetimelimit = $this->Timelimit;
+        $this->Timelimit = $this->Timelimit * 2;
+        $result = $this->sendCommand('DATA END', '.', 250);
+        //Restore timelimit
+        $this->Timelimit = $savetimelimit;
+        return $result;
    }

    /**
@@ -619,7 +702,7 @@ class SMTP
     */
    public function hello($host = '')
    {
-        // Try extended hello first (RFC 2821)
+        //Try extended hello first (RFC 2821)
        return (boolean)($this->sendHello('EHLO', $host) or $this->sendHello('HELO', $host));
    }

@@ -636,9 +719,56 @@ class SMTP
    {
        $noerror = $this->sendCommand($hello, $hello . ' ' . $host, 250);
        $this->helo_rply = $this->last_reply;
+        if ($noerror) {
+            $this->parseHelloFields($hello);
+        } else {
+            $this->server_caps = null;
+        }
        return $noerror;
    }

+    /**
+     * Parse a reply to HELO/EHLO command to discover server extensions.
+     * In case of HELO, the only parameter that can be discovered is a server name.
+     * @access protected
+     * @param string $type - 'HELO' or 'EHLO'
+     */
+    protected function parseHelloFields($type)
+    {
+        $this->server_caps = array();
+        $lines = explode("\n", $this->last_reply);
+
+        foreach ($lines as $n => $s) {
+            //First 4 chars contain response code followed by - or space
+            $s = trim(substr($s, 4));
+            if (empty($s)) {
+                continue;
+            }
+            $fields = explode(' ', $s);
+            if (!empty($fields)) {
+                if (!$n) {
+                    $name = $type;
+                    $fields = $fields[0];
+                } else {
+                    $name = array_shift($fields);
+                    switch ($name) {
+                        case 'SIZE':
+                            $fields = ($fields ? $fields[0] : 0);
+                            break;
+                        case 'AUTH':
+                            if (!is_array($fields)) {
+                                $fields = array();
+                            }
+                            break;
+                        default:
+                            $fields = true;
+                    }
+                }
+                $this->server_caps[$name] = $fields;
+            }
+        }
+    }
+
    /**
     * Send an SMTP MAIL command.
     * Starts a mail transaction from the email address specified in
@@ -684,15 +814,15 @@ class SMTP
     * Sets the TO argument to $toaddr.
     * Returns true if the recipient was accepted false if it was rejected.
     * Implements from rfc 821: RCPT <SP> TO:<forward-path> <CRLF>
-     * @param string $toaddr The address the message is being sent to
+     * @param string $address The address the message is being sent to
     * @access public
     * @return boolean
     */
-    public function recipient($toaddr)
+    public function recipient($address)
    {
        return $this->sendCommand(
            'RCPT TO',
-            'RCPT TO:<' . $toaddr . '>',
+            'RCPT TO:<' . $address . '>',
            array(250, 251)
        );
    }
@@ -711,32 +841,52 @@ class SMTP

    /**
     * Send a command to an SMTP server and check its return code.
-     * @param string $command       The command name - not sent to the server
+     * @param string $command The command name - not sent to the server
     * @param string $commandstring The actual command to send
-     * @param integer|array $expect     One or more expected integer success codes
+     * @param integer|array $expect One or more expected integer success codes
     * @access protected
     * @return boolean True on success.
     */
    protected function sendCommand($command, $commandstring, $expect)
    {
        if (!$this->connected()) {
-            $this->error = array(
-                'error' => "Called $command without being connected"
-            );
+            $this->setError("Called $command without being connected");
+            return false;
+        }
+        //Reject line breaks in all commands
+        if (strpos($commandstring, "\n") !== false or strpos($commandstring, "\r") !== false) {
+            $this->setError("Command '$command' contained line breaks");
            return false;
        }
        $this->client_send($commandstring . self::CRLF);

        $this->last_reply = $this->get_lines();
-        $code = substr($this->last_reply, 0, 3);
+        // Fetch SMTP code and possible error code explanation
+        $matches = array();
+        if (preg_match("/^([0-9]{3})[ -](?:([0-9]\\.[0-9]\\.[0-9]) )?/", $this->last_reply, $matches)) {
+            $code = $matches[1];
+            $code_ex = (count($matches) > 2 ? $matches[2] : null);
+            // Cut off error code from each response line
+            $detail = preg_replace(
+                "/{$code}[ -]".($code_ex ? str_replace('.', '\\.', $code_ex).' ' : '')."/m",
+                '',
+                $this->last_reply
+            );
+        } else {
+            // Fall back to simple parsing if regex fails
+            $code = substr($this->last_reply, 0, 3);
+            $code_ex = null;
+            $detail = substr($this->last_reply, 4);
+        }

        $this->edebug('SERVER -> CLIENT: ' . $this->last_reply, self::DEBUG_SERVER);

        if (!in_array($code, (array)$expect)) {
-            $this->error = array(
-                'error' => "$command command failed",
-                'smtp_code' => $code,
-                'detail' => substr($this->last_reply, 4)
+            $this->setError(
+                "$command command failed",
+                $detail,
+                $code,
+                $code_ex
            );
            $this->edebug(
                'SMTP ERROR: ' . $this->error['error'] . ': ' . $this->last_reply,
@@ -745,7 +895,7 @@ class SMTP
            return false;
        }

-        $this->error = array();
+        $this->setError('');
        return true;
    }

@@ -800,9 +950,7 @@ class SMTP
     */
    public function turn()
    {
-        $this->error = array(
-            'error' => 'The SMTP TURN command is not implemented'
-        );
+        $this->setError('The SMTP TURN command is not implemented');
        $this->edebug('SMTP NOTICE: ' . $this->error['error'], self::DEBUG_CLIENT);
        return false;
    }
@@ -829,6 +977,57 @@ class SMTP
        return $this->error;
    }

+    /**
+     * Get SMTP extensions available on the server
+     * @access public
+     * @return array|null
+     */
+    public function getServerExtList()
+    {
+        return $this->server_caps;
+    }
+
+    /**
+     * A multipurpose method
+     * The method works in three ways, dependent on argument value and current state
+     *   1. HELO/EHLO was not sent - returns null and set up $this->error
+     *   2. HELO was sent
+     *     $name = 'HELO': returns server name
+     *     $name = 'EHLO': returns boolean false
+     *     $name = any string: returns null and set up $this->error
+     *   3. EHLO was sent
+     *     $name = 'HELO'|'EHLO': returns server name
+     *     $name = any string: if extension $name exists, returns boolean True
+     *       or its options. Otherwise returns boolean False
+     * In other words, one can use this method to detect 3 conditions:
+     *  - null returned: handshake was not or we don't know about ext (refer to $this->error)
+     *  - false returned: the requested feature exactly not exists
+     *  - positive value returned: the requested feature exists
+     * @param string $name Name of SMTP extension or 'HELO'|'EHLO'
+     * @return mixed
+     */
+    public function getServerExt($name)
+    {
+        if (!$this->server_caps) {
+            $this->setError('No HELO/EHLO was sent');
+            return null;
+        }
+
+        // the tight logic knot ;)
+        if (!array_key_exists($name, $this->server_caps)) {
+            if ($name == 'HELO') {
+                return $this->server_caps['EHLO'];
+            }
+            if ($name == 'EHLO' || array_key_exists('EHLO', $this->server_caps)) {
+                return false;
+            }
+            $this->setError('HELO handshake was used. Client knows nothing about server extensions');
+            return null;
+        }
+
+        return $this->server_caps[$name];
+    }
+
    /**
     * Get the last reply from the server.
     * @access public
@@ -862,10 +1061,9 @@ class SMTP
        }
        while (is_resource($this->smtp_conn) && !feof($this->smtp_conn)) {
            $str = @fgets($this->smtp_conn, 515);
-            $this->edebug("SMTP -> get_lines(): \$data was \"$data\"", self::DEBUG_LOWLEVEL);
-            $this->edebug("SMTP -> get_lines(): \$str is \"$str\"", self::DEBUG_LOWLEVEL);
-            $data .= $str;
            $this->edebug("SMTP -> get_lines(): \$data is \"$data\"", self::DEBUG_LOWLEVEL);
+            $this->edebug("SMTP -> get_lines(): \$str is  \"$str\"", self::DEBUG_LOWLEVEL);
+            $data .= $str;
            // If 4th character is a space, we are done reading, break the loop, micro-optimisation over strlen
            if ((isset($str[3]) and $str[3] == ' ')) {
                break;
@@ -910,9 +1108,26 @@ class SMTP
        return $this->do_verp;
    }

+    /**
+     * Set error messages and codes.
+     * @param string $message The error message
+     * @param string $detail Further detail on the error
+     * @param string $smtp_code An associated SMTP error code
+     * @param string $smtp_code_ex Extended SMTP code
+     */
+    protected function setError($message, $detail = '', $smtp_code = '', $smtp_code_ex = '')
+    {
+        $this->error = array(
+            'error' => $message,
+            'detail' => $detail,
+            'smtp_code' => $smtp_code,
+            'smtp_code_ex' => $smtp_code_ex
+        );
+    }
+
    /**
     * Set debug output method.
-     * @param string $method The function/method to use for debugging output.
+     * @param string|callable $method The name of the mechanism to use for debugging output, or a callable to handle it.
     */
    public function setDebugOutput($method = 'echo')
    {
--- a/lib/classes/settings/class.Settings.php
+++ b/lib/classes/settings/class.Settings.php
@@ -184,6 +184,8 @@ class Settings {
 					'value' => $value
 			);
 			Database::pexecute($ins_stmt, $ins_data);
+			// also set new value to internal array and make it available
+			self::$_data[$sstr[0]][$sstr[1]] = $value;
 			return true;
 		}
 		return false;
--- a/lib/classes/ssl/class.lescript.php
+++ b/lib/classes/ssl/class.lescript.php
@@ -0,0 +1,502 @@
+<?php
+// Copyright (c) 2015, Stanislav Humplik <sh@analogic.cz>
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above copyright
+//       notice, this list of conditions and the following disclaimer in the
+//       documentation and/or other materials provided with the distribution.
+//     * Neither the name of the <organization> nor the
+//       names of its contributors may be used to endorse or promote products
+//       derived from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+// ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+// DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+// ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// This file is copied from https://github.com/analogic/lescript
+// and modified to work without files and integrate in Froxlor
+class lescript
+{
+    public $license = 'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf';
+
+    private $logger;
+    private $client;
+    private $accountKey;
+
+    public function __construct($logger)
+    {
+        $this->logger = $logger;
+        if (Settings::Get('system.letsencryptca') == 'production') {
+            $ca = 'https://acme-v01.api.letsencrypt.org';
+        } else {
+            $ca = 'https://acme-staging.api.letsencrypt.org';
+        }
+        $this->client = new Client($ca);
+        $this->log("Using '$ca' to generate certificate");
+    }
+
+    public function initAccount($certrow)
+    {
+        // Let's see if we have the private accountkey
+        $this->accountKey = $certrow['leprivatekey'];
+        if (!$this->accountKey || $this->accountKey == 'unset' || Settings::Get('system.letsencryptca') != 'production') {
+
+            // generate and save new private key for account
+            // ---------------------------------------------
+
+            $this->log('Starting new account registration');
+            $keys = $this->generateKey();
+            // Only store the accountkey in production, in staging always generate a new key
+            if (Settings::Get('system.letsencryptca') == 'production') {
+                    $upd_stmt = Database::prepare("
+                    UPDATE `".TABLE_PANEL_CUSTOMERS."` SET `lepublickey` = :public, `leprivatekey` = :private WHERE `customerid` = :customerid;
+                ");
+                Database::pexecute($upd_stmt, array('public' => $keys['public'], 'private' => $keys['private'], 'customerid' => $certrow['customerid']));
+            }
+            $this->accountKey = $keys['private'];
+            $this->postNewReg();
+            $this->log('New account certificate registered');
+
+        } else {
+
+            $this->log('Account already registered. Continuing.');
+
+        }
+    }
+
+    public function signDomains(array $domains, $domainkey = null, $csr = null)
+    {
+
+        if (!$this->accountKey) {
+            throw new \RuntimeException("Account not initiated");
+        }
+
+        $this->log('Starting certificate generation process for domains');
+
+        $privateAccountKey = openssl_pkey_get_private($this->accountKey);
+        $accountKeyDetails = openssl_pkey_get_details($privateAccountKey);
+
+        // start domains authentication
+        // ----------------------------
+
+        foreach($domains as $domain) {
+
+            // 1. getting available authentication options
+            // -------------------------------------------
+
+            $this->log("Requesting challenge for $domain");
+
+            $response = $this->signedRequest(
+                "/acme/new-authz",
+                array("resource" => "new-authz", "identifier" => array("type" => "dns", "value" => $domain))
+            );
+
+            // if response is not an array but a string, it's most likely a server-error, e.g.
+            // <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>An error occurred while processing your request.
+            // <p>Reference&#32;&#35;179&#46;d8be1402&#46;1458059103&#46;3613c4db</BODY></HTML>
+            if (!is_array($response)) {
+                throw new RuntimeException("Invalid response from LE for domain $domain. Whole response: ".$response);
+            }
+
+            if (!array_key_exists('challenges', $response)) {
+                throw new RuntimeException("No challenges received for $domain. Whole response: ".json_encode($response));
+            }
+
+            // choose http-01 challenge only
+            $challenge = array_reduce($response['challenges'], function($v, $w) { return $v ? $v : ($w['type'] == 'http-01' ? $w : false); });
+            if(!$challenge) throw new RuntimeException("HTTP Challenge for $domain is not available. Whole response: ".json_encode($response));
+
+            $this->log("Got challenge token for $domain");
+            $location = $this->client->getLastLocation();
+
+
+            // 2. saving authentication token for web verification
+            // ---------------------------------------------------
+
+            $directory = Settings::Get('system.letsencryptchallengepath').'/.well-known/acme-challenge';
+            $tokenPath = $directory.'/'.$challenge['token'];
+
+            if(!file_exists($directory) && !@mkdir($directory, 0755, true)) {
+                throw new \RuntimeException("Couldn't create directory to expose challenge: ${tokenPath}");
+            }
+
+            $header = array(
+                // need to be in precise order!
+                "e" => Base64UrlSafeEncoder::encode($accountKeyDetails["rsa"]["e"]),
+                "kty" => "RSA",
+                "n" => Base64UrlSafeEncoder::encode($accountKeyDetails["rsa"]["n"])
+
+            );
+            $payload = $challenge['token'] . '.' . Base64UrlSafeEncoder::encode(hash('sha256', json_encode($header), true));
+
+            file_put_contents($tokenPath, $payload);
+            chmod($tokenPath, 0644);
+
+            // 3. verification process itself
+            // -------------------------------
+
+            $uri = "http://${domain}/.well-known/acme-challenge/${challenge['token']}";
+
+            $this->log("Token for $domain saved at $tokenPath and should be available at $uri");
+
+            // simple self check
+            if($payload !== trim(@file_get_contents($uri))) {
+		$errmsg = json_encode(error_get_last());
+		if ($errmsg != "null") {
+			$errmsg = "; PHP error: " . $errmsg;
+		} else {
+			$errmsg = "";
+		}
+                @unlink($tokenPath);
+                throw new \RuntimeException("Please check $uri - token not available" . $errmsg);
+            }
+
+            $this->log("Sending request to challenge");
+
+            // send request to challenge
+            $result = $this->signedRequest(
+                $challenge['uri'],
+                array(
+                    "resource" => "challenge",
+                    "type" => "http-01",
+                    "keyAuthorization" => $payload,
+                    "token" => $challenge['token']
+                )
+            );
+
+            // waiting loop
+            // we wait for a maximum of 30 seconds to avoid endless loops
+            $count = 0;
+            do {
+                if(empty($result['status']) || $result['status'] == "invalid") {
+                    @unlink($tokenPath);
+                    throw new \RuntimeException("Verification ended with error: ".json_encode($result));
+                }
+                $ended = !($result['status'] === "pending");
+
+                if(!$ended) {
+                    $this->log("Verification pending, sleeping 1s");
+                    sleep(1);
+                    $count++;
+                }
+
+                $result = $this->client->get($location);
+
+            } while (!$ended && $count < 30);
+
+            $this->log("Verification ended with status: ${result['status']}");
+            @unlink($tokenPath);
+        }
+
+        // requesting certificate
+        // ----------------------
+
+        // generate private key for domain if not exist
+        if(empty($domainkey) || Settings::Get('system.letsencryptreuseold') == 0) {
+            $keys = $this->generateKey();
+            $domainkey = $keys['private'];
+        }
+
+        // load domain key
+        $privateDomainKey = openssl_pkey_get_private($domainkey);
+
+        $this->client->getLastLinks();
+
+        if (empty($csrfile) || Settings::Get('system.letsencryptreuseold') == 0) {
+            $csr = $this->generateCSR($privateDomainKey, $domains);
+        }
+
+        // request certificates creation
+        $result = $this->signedRequest(
+            "/acme/new-cert",
+            array('resource' => 'new-cert', 'csr' => $csr)
+        );
+        if ($this->client->getLastCode() !== 201) {
+            throw new \RuntimeException("Invalid response code: ".$this->client->getLastCode().", ".json_encode($result));
+        }
+        $location = $this->client->getLastLocation();
+
+        // waiting loop
+        $certificates = array();
+        while(1) {
+            $this->client->getLastLinks();
+
+            $result = $this->client->get($location);
+
+            if($this->client->getLastCode() == 202) {
+
+                $this->log("Certificate generation pending, sleeping 1s");
+                sleep(1);
+
+            } else if ($this->client->getLastCode() == 200) {
+
+                $this->log("Got certificate! YAY!");
+                $certificates[] = $this->parsePemFromBody($result);
+
+
+                foreach($this->client->getLastLinks() as $link) {
+                    $this->log("Requesting chained cert at $link");
+                    $result = $this->client->get($link);
+                    $certificates[] = $this->parsePemFromBody($result);
+                }
+
+                break;
+            } else {
+
+                throw new \RuntimeException("Can't get certificate: HTTP code ".$this->client->getLastCode());
+
+            }
+        }
+
+        if(empty($certificates)) throw new \RuntimeException('No certificates generated');
+
+        $fullchain = implode("\n", $certificates);
+        $crt = array_shift($certificates);
+        $chain = implode("\n", $certificates);
+
+        $this->log("Done, returning new certificates and key");
+        return array('fullchain' => $fullchain, 'crt' => $crt, 'chain' => $chain, 'key' => $domainkey, 'csr' => $csr);
+    }
+
+    private function parsePemFromBody($body)
+    {
+        $pem = chunk_split(base64_encode($body), 64, "\n");
+        return "-----BEGIN CERTIFICATE-----\n" . $pem . "-----END CERTIFICATE-----\n";
+    }
+
+    private  function postNewReg()
+    {
+        $this->log('Sending registration to letsencrypt server');
+
+        return $this->signedRequest(
+            '/acme/new-reg',
+            array('resource' => 'new-reg', 'agreement' => $this->license)
+        );
+    }
+
+    private function generateCSR($privateKey, array $domains)
+    {
+        $domain = reset($domains);
+        $san = implode(",", array_map(function ($dns) { return "DNS:" . $dns; }, $domains));
+        $tmpConf = tmpfile();
+        $tmpConfMeta =  stream_get_meta_data($tmpConf);
+        $tmpConfPath = $tmpConfMeta["uri"];
+
+        // workaround to get SAN working
+        fwrite($tmpConf,
+'HOME = .
+RANDFILE = $ENV::HOME/.rnd
+[ req ]
+default_bits = ' . Settings::Get('system.letsencryptkeysize') . '
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+[ v3_req ]
+basicConstraints = CA:FALSE
+subjectAltName = '.$san.'
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment');
+
+        $csr = openssl_csr_new(
+            array(
+                "CN" => $domain,
+                "ST" => Settings::Get('system.letsencryptstate'),
+                "C" => Settings::Get('system.letsencryptcountrycode'),
+                "O" => "Unknown",
+            ),
+            $privateKey,
+            array(
+                "config" => $tmpConfPath,
+                "digest_alg" => "sha256"
+            )
+        );
+
+        if (!$csr) throw new \RuntimeException("CSR couldn't be generated! ".openssl_error_string());
+
+        openssl_csr_export($csr, $csr);
+        fclose($tmpConf);
+
+        preg_match('~REQUEST-----(.*)-----END~s', $csr, $matches);
+
+        return trim(Base64UrlSafeEncoder::encode(base64_decode($matches[1])));
+    }
+
+    private function generateKey()
+    {
+        $res = openssl_pkey_new(array(
+            "private_key_type" => OPENSSL_KEYTYPE_RSA,
+            "private_key_bits" => (int)Settings::Get('system.letsencryptkeysize'),
+        ));
+
+        if(!openssl_pkey_export($res, $privateKey)) {
+            throw new \RuntimeException("Key export failed!");
+        }
+
+        $details = openssl_pkey_get_details($res);
+
+        return array('private' => $privateKey, 'public' => $details['key']);
+    }
+
+    private function signedRequest($uri, array $payload)
+    {
+        $privateKey = openssl_pkey_get_private($this->accountKey);
+        $details = openssl_pkey_get_details($privateKey);
+
+        $header = array(
+            "alg" => "RS256",
+            "jwk" => array(
+                "kty" => "RSA",
+                "n" => Base64UrlSafeEncoder::encode($details["rsa"]["n"]),
+                "e" => Base64UrlSafeEncoder::encode($details["rsa"]["e"]),
+            )
+        );
+
+        $protected = $header;
+        $protected["nonce"] = $this->client->getLastNonce();
+
+
+        $payload64 = Base64UrlSafeEncoder::encode(str_replace('\\/', '/', json_encode($payload)));
+        $protected64 = Base64UrlSafeEncoder::encode(json_encode($protected));
+
+        openssl_sign($protected64.'.'.$payload64, $signed, $privateKey, "SHA256");
+
+        $signed64 = Base64UrlSafeEncoder::encode($signed);
+
+        $data = array(
+            'header' => $header,
+            'protected' => $protected64,
+            'payload' => $payload64,
+            'signature' => $signed64
+        );
+
+        $this->log("Sending signed request to $uri");
+
+        return $this->client->post($uri, json_encode($data));
+    }
+
+    protected function log($message)
+    {
+        $this->logger->logAction(CRON_ACTION, LOG_INFO, "letsencrypt " . $message);
+    }
+}
+
+class Client
+{
+    private $lastCode;
+    private $lastHeader;
+
+    private $base;
+
+    public function __construct($base)
+    {
+        $this->base = $base;
+    }
+
+    private function curl($method, $url, $data = null)
+    {
+        $headers = array('Accept: application/json', 'Content-Type: application/json');
+        $handle = curl_init();
+        curl_setopt($handle, CURLOPT_URL, preg_match('~^http~', $url) ? $url : $this->base.$url);
+        curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
+        curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($handle, CURLOPT_HEADER, true);
+
+        // DO NOT DO THAT!
+        // curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, false);
+        // curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
+
+        switch ($method) {
+            case 'GET':
+                break;
+            case 'POST':
+                curl_setopt($handle, CURLOPT_POST, true);
+                curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
+                break;
+        }
+        $response = curl_exec($handle);
+
+        if(curl_errno($handle)) {
+            throw new \RuntimeException('Curl: '.curl_error($handle));
+        }
+
+        $header_size = curl_getinfo($handle, CURLINFO_HEADER_SIZE);
+
+        $header = substr($response, 0, $header_size);
+        $body = substr($response, $header_size);
+
+        $this->lastHeader = $header;
+        $this->lastCode = curl_getinfo($handle, CURLINFO_HTTP_CODE);
+
+        $data = json_decode($body, true);
+        return $data === null ? $body : $data;
+    }
+
+    public function post($url, $data)
+    {
+        return $this->curl('POST', $url, $data);
+    }
+
+    public function get($url)
+    {
+        return $this->curl('GET', $url);
+    }
+
+    public function getLastNonce()
+    {
+        if(preg_match('~Replay\-Nonce: (.+)~i', $this->lastHeader, $matches)) {
+            return trim($matches[1]);
+        }
+
+        $this->curl('GET', '/directory');
+        return $this->getLastNonce();
+    }
+
+    public function getLastLocation()
+    {
+        if(preg_match('~Location: (.+)~i', $this->lastHeader, $matches)) {
+            return trim($matches[1]);
+        }
+        return null;
+    }
+
+    public function getLastCode()
+    {
+        return $this->lastCode;
+    }
+
+    public function getLastLinks()
+    {
+        preg_match_all('~Link: <(.+)>;rel="up"~', $this->lastHeader, $matches);
+        return $matches[1];
+    }
+}
+
+class Base64UrlSafeEncoder
+{
+    public static function encode($input)
+    {
+        return str_replace('=', '', strtr(base64_encode($input), '+/', '-_'));
+    }
+
+    public static function decode($input)
+    {
+        $remainder = strlen($input) % 4;
+        if ($remainder) {
+            $padlen = 4 - $remainder;
+            $input .= str_repeat('=', $padlen);
+        }
+        return base64_decode(strtr($input, '-_', '+/'));
+    }
+}
--- a/lib/configfiles/gentoo.xml
+++ b/lib/configfiles/gentoo.xml
@@ -61,6 +61,18 @@
        Allow from env=REDIRECT_STATUS
    </Location>
 </IfModule>
+]]>
+						</content>
+					</file>
+					<file name="/etc/apache2/modules.d/80_acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
+<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
+	Order allow,deny
+	Allow from all
+</Directory>
 ]]>
 						</content>
 					</file>
@@ -81,6 +93,17 @@
        Require env REDIRECT_STATUS
    </Location>
 </IfModule>
+]]>
+						</content>
+					</file>
+					<file name="/etc/apache2/modules.d/80_acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
+<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
+	Require all granted
+</Directory>
 ]]>
 						</content>
 					</file>
@@ -107,6 +130,7 @@ server.modules = (
 	"mod_auth",
 	"mod_fastcgi",
 	"mod_cgi",
+	"mod_setenv",
 	"mod_accesslog"
 )

@@ -119,7 +143,7 @@ server.errorlog      = var.logdir  + "/error.log"

 server.indexfiles    = ("index.php", "index.html",
 						"index.htm", "default.htm")
-						
+
 server.name			 = "<SERVERNAME>"
 server.port          = 80
 server.bind          = "<SERVERIP>"
@@ -147,7 +171,10 @@ fastcgi.server = (
 			"bin-copy-environment" => ( "" )
 		)
 	)
-)						
+)
+
+alias.url           += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
+
 ]]>
 						</content>
 					</file>
@@ -210,8 +237,6 @@ http {
 					</file>
 					<file name="/etc/nginx/fastcgi_params">
 						<content><![CDATA[
-fastcgi_index index.php;
-
 fastcgi_connect_timeout 65;
 fastcgi_send_timeout    180;
 fastcgi_read_timeout    180;
@@ -239,6 +264,20 @@ fastcgi_param  SERVER_NAME        $server_name;

 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
+]]>
+						</content>
+					</file>
+					<file name="/etc/nginx/acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+location /.well-known/acme-challenge {
+	alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge;
+
+	location ~ /.well-known/acme-challenge/(.*) {
+		default_type text/plain;
+	}
+}
 ]]>
 						</content>
 					</file>
@@ -318,27 +357,27 @@ exit "$RETVAL"
 					<install><![CDATA[emerge net-dns/bind]]></install>
 					<file name="/etc/bind/default.zone">
 						<content><![CDATA[
-$TTL 1W 
-@ IN SOA ns root ( 
-	2015020101 ; serial 
-	8H ; refresh 
-	2H ; retry 
-	1W ; expiry 
-	11h) ; minimum 
+$TTL 1W
+@ IN SOA ns root (
+	2015020101 ; serial
+	8H ; refresh
+	2H ; retry
+	1W ; expiry
+	11h) ; minimum

-	IN		NS		ns 
-	IN		MX		10 mail 
+	IN		NS		ns
+	IN		MX		10 mail

-	IN		A		<SERVERIP> 
-	IN		MX		10 mail 
+	IN		A		<SERVERIP>
+	IN		MX		10 mail

 *	IN		A		<SERVERIP>
-	IN		MX		10 mail 
+	IN		MX		10 mail

-ns	IN		A		<SERVERIP> 
+ns	IN		A		<SERVERIP>

 mail	IN		A	<SERVERIP>
-		IN		MX	10 mail 
+		IN		MX	10 mail
 ]]>
 						</content>
 					</file>
@@ -1028,11 +1067,11 @@ program_directory = /usr/libexec/postfix
 sendmail_path = /usr/sbin/sendmail

 ## General Postfix configuration
-# should be the default domain from your provider eg. "server100.provider.tld"
+# FQDN from Froxlor
 mydomain = <SERVERNAME>

-# should be different from $mydomain eg. "mail.$mydomain"
-myhostname = mail.$mydomain
+# set myhostname to $mydomain because Froxlor alrady uses a FQDN
+myhostname = $mydomain

 mydestination = $myhostname,
 	$mydomain,
@@ -1058,9 +1097,9 @@ smtpd_recipient_restrictions = permit_mynetworks,
 	reject_non_fqdn_recipient
 smtpd_sender_restrictions = permit_mynetworks,
 	reject_sender_login_mismatch,
-	permit_sasl_authenticated, 
-	reject_unknown_hostname, 
-	reject_unknown_recipient_domain, 
+	permit_sasl_authenticated,
+	reject_unknown_hostname,
+	reject_unknown_recipient_domain,
 	reject_unknown_sender_domain
 smtpd_client_restrictions = permit_mynetworks,
 	permit_sasl_authenticated,
@@ -1359,9 +1398,9 @@ smtpd_recipient_restrictions = permit_mynetworks,
 	reject_non_fqdn_recipient
 smtpd_sender_restrictions = permit_mynetworks,
 	reject_sender_login_mismatch,
-	permit_sasl_authenticated, 
-	reject_unknown_hostname, 
-	reject_unknown_recipient_domain, 
+	permit_sasl_authenticated,
+	reject_unknown_hostname,
+	reject_unknown_recipient_domain,
 	reject_unknown_sender_domain
 smtpd_client_restrictions = permit_mynetworks,
 	permit_sasl_authenticated,
@@ -1456,7 +1495,7 @@ mail_debug = no
 protocols = imap pop3 sieve

 ### SSL Settings
-### After you obtained an SSL-certificate enable ssl here and 
+### After you obtained an SSL-certificate enable ssl here and
 ### set disable_plaintext_auth to yes (see above)
 ssl = no
 #ssl_cert = </etc/ssl/server/<SERVERNAME>.pem
@@ -1469,7 +1508,7 @@ passdb {

 plugin {
 	quota = maildir:User Quota
-	
+
 	# Sieve-Configuration
 	sieve = ~/sieve/.dovecot.sieve
 	sieve_dir = ~/sieve
@@ -1508,7 +1547,7 @@ userdb {

 protocol imap {
 	mail_plugins = quota imap_quota
-	
+
 	# IMAP logout format string:
 	#  %i - total number of bytes read from client
 	#  %o - total number of bytes sent to client
@@ -1518,7 +1557,7 @@ protocol imap {
 protocol pop3 {
 	mail_plugins = quota
 	pop3_uidl_format = UID%u-%v
-	
+
 	# POP3 logout format string:
 	# %i - total number of bytes read from client
 	# %o - total number of bytes sent to client
@@ -1663,7 +1702,7 @@ protocol sieve {
 #
 # location = [<type>:]path[;<option>[=<value>][;...]]
 #
-# If the type prefix is omitted, the script location type is 'file' and the 
+# If the type prefix is omitted, the script location type is 'file' and the
 # location is interpreted as a local filesystem path pointing to a Sieve script
 # file or directory. Refer to Pigeonhole wiki or INSTALL file for more
 # information.
@@ -1674,7 +1713,7 @@ plugin {
  # delivery. The "include" extension uses this location for retrieving
  # :personal" scripts. This is also where the  ManageSieve service will store
  # the user's scripts, if supported.
-  # 
+  #
  # Currently only the 'file:' location type supports ManageSieve operation.
  # Other location types like 'dict:' and 'ldap:' can currently only
  # be used as a read-only script source ().
@@ -1694,15 +1733,15 @@ plugin {
  #     script.
  #sieve_default = /var/lib/dovecot/sieve/default.sieve

-  # The name by which the default Sieve script (as configured by the 
-  # sieve_default setting) is visible to the user through ManageSieve. 
-  #sieve_default_name = 
+  # The name by which the default Sieve script (as configured by the
+  # sieve_default setting) is visible to the user through ManageSieve.
+  #sieve_default_name =

  # Location for ":global" include scripts as used by the "include" extension.
  #sieve_global =

  # Location Sieve of scripts that need to be executed before the user's
-  # personal script. If a 'file' location path points to a directory, all the 
+  # personal script. If a 'file' location path points to a directory, all the
  # Sieve scripts contained therein (with the proper `.sieve' extension) are
  # executed. The order of execution within that directory is determined by the
  # file names, using a normal 8bit per-character comparison.
@@ -2519,7 +2558,7 @@ POP3_TLS_REQUIRED=0
 COURIERTLS=/usr/sbin/couriertls

 ##NAME: TLS_PROTOCOL:0
-# 
+#
 # TLS_PROTOCOL sets the protocol version.  The possible versions are:
 #
 # SSL2 - SSLv2
@@ -2529,7 +2568,7 @@ COURIERTLS=/usr/sbin/couriertls
 TLS_PROTOCOL=SSL3

 ##NAME: TLS_STARTTLS_PROTOCOL:0
-# 
+#
 # TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
 # extension, as opposed to POP3 over SSL on port 995.
 #
@@ -2723,7 +2762,7 @@ IMAP_TLS_REQUIRED=0
 COURIERTLS=/usr/sbin/couriertls

 ##NAME: TLS_PROTOCOL:0
-# 
+#
 # TLS_PROTOCOL sets the protocol version.  The possible versions are:
 #
 # SSL2 - SSLv2
@@ -2733,7 +2772,7 @@ COURIERTLS=/usr/sbin/couriertls
 TLS_PROTOCOL=SSL3

 ##NAME: TLS_STARTTLS_PROTOCOL:0
-# 
+#
 # TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS
 # extension, as opposed to IMAP over SSL on port 993.
 #
@@ -2838,6 +2877,11 @@ MAILDIRPATH=.maildir
 				<daemon name="proftpd" title="ProFTPd" default="true">
 					<command><![CDATA[echo "net-ftp/proftpd mysql" >> /etc/portage/package.use]]></command>
 					<install><![CDATA[emerge net-ftp/proftpd]]></install>
+					<commands>
+						<command><![CDATA[[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
+						<command><![CDATA[[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
+						<command><![CDATA[chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key]]></command>
+					</commands>
 					<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
 						backup="true">
 						<content><![CDATA[
@@ -2914,20 +2958,23 @@ SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, b
 SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies

 # TLS settings
-#<IfModule mod_tls.c>
-#TLSEngine					on
-#TLSLog						/var/log/proftpd-tls.log
-#TLSProtocol					SSLv23
-#TLSTimeoutHandshake				120
+<IfModule mod_tls.c>
+TLSEngine on
+TLSLog /var/log/proftpd-tls.log
+TLSProtocol TLSv1 TLSv1.1 TLSv1.2
+#TLSTimeoutHandshake 120
 # Really important for WinClients and some clients
-#TLSOptions					NoCertRequest NoSessionReuseRequired
-#TLSRSACertificateFile		/etc/ssl/server/<SERVERNAME>.crt
-#TLSRSACertificateKeyFile	/etc/ssl/server/<SERVERNAME>.key
+TLSOptions NoCertRequest NoSessionReuseRequired
+TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
+TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
+TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
+TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
+
 # Authenticate client that want to use FTP over TLS?
-#TLSVerifyClient			off
+TLSVerifyClient off
 # Uncomment the following line to force tls login
-#TLSRequired				off
-#</IfModule>
+#TLSRequired on
+</IfModule>

 # LOG settings
 # Logging Formats
@@ -3174,7 +3221,7 @@ password	<SQL_UNPRIVILEGED_PASSWORD>
 					</file>
 					<file name="/etc/nsswitch.conf" backup="true">
 						<content><![CDATA[
-# Make sure that `passwd`, `group` and `shadow` have mysql in their lines 
+# Make sure that `passwd`, `group` and `shadow` have mysql in their lines
 # You should place mysql at the end, so that it is queried after the other mechanisams
 #
 passwd:         compat mysql
@@ -3244,7 +3291,7 @@ aliases:     files
 					<commands index="2">
 						<visibility mode="equals" value="apache2">{{settings.system.webserver}}
 						</visibility>
-						<command><![CDATA[a2enmod suexec fcgid]]></command>
+						<command><![CDATA[# add "-D SUEXEC -D FCGID" to /etc/conf.d/apache2]]></command>
 					</commands>
 					<commands index="3">
 						<visibility mode="true">{{settings.system.mod_fcgid_ownvhost}}
@@ -3259,7 +3306,7 @@ aliases:     files
 							<content><![CDATA[# remove "-D PHP5" from /etc/conf.d/apache2]]></content>
 						</command>
 					</commands>
-					<!-- instead of just restarting apache, we let the cronjob do all the 
+					<!-- instead of just restarting apache, we let the cronjob do all the
 						dirty work -->
 					<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
 				</daemon>
@@ -3297,7 +3344,7 @@ aliases:     files
 						</visibility>
 						<command><![CDATA[# remove "-D PHP5" from /etc/conf.d/apache2]]></command>
 					</commands>
-					<!-- instead of just restarting apache, we let the cronjob do all the 
+					<!-- instead of just restarting apache, we let the cronjob do all the
 						dirty work -->
 					<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
 				</daemon>
--- a/lib/configfiles/jessie.xml
+++ b/lib/configfiles/jessie.xml
@@ -38,9 +38,10 @@
 						<command>
 							<visibility mode="notempty">{{settings.system.deactivateddocroot}}
 							</visibility>
-							<content><![CDATA['mkdir -p {{settings.system.deactivateddocroot}}]]></content>
+							<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
 						</command>
 						<command><![CDATA[a2dismod userdir]]></command>
+						<command><![CDATA[a2enmod headers]]></command>
 					</commands>
 				</general>
 				<!-- HTTP Apache -->
@@ -64,6 +65,17 @@
        Require env REDIRECT_STATUS
    </Location>
 </IfModule>
+]]>
+						</content>
+					</file>
+					<file name="/etc/apache2/conf-enabled/acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
+<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
+	Require all granted
+</Directory>
 ]]>
 						</content>
 					</file>
@@ -80,6 +92,7 @@ server.modules = (
 	"mod_compress",
 	"mod_redirect",
 	"mod_rewrite",
+	"mod_setenv",
 )

 server.document-root        = "/var/www"
@@ -98,6 +111,8 @@ static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
 compress.cache-dir          = "/var/cache/lighttpd/compress/"
 compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

+alias.url                  += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
+
 # default listening port for IPv6 falls back to the IPv4 port
 include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
 include_shell "/usr/share/lighttpd/create-mime.assign.pl"
@@ -204,7 +219,7 @@ http {
 	##
 	# Uncomment it if you installed nginx-passenger
 	##
-	
+
 	#passenger_root /usr;
 	#passenger_ruby /usr/bin/ruby;

@@ -220,17 +235,17 @@ http {
 #mail {
 #	# See sample authentication script at:
 #	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-# 
+#
 #	# auth_http localhost/auth.php;
 #	# pop3_capabilities "TOP" "USER";
 #	# imap_capabilities "IMAP4rev1" "UIDPLUS";
-# 
+#
 #	server {
 #		listen     localhost:110;
 #		protocol   pop3;
 #		proxy      on;
 #	}
-# 
+#
 #	server {
 #		listen     localhost:143;
 #		protocol   imap;
@@ -242,8 +257,6 @@ http {
 					</file>
 					<file name="/etc/nginx/fastcgi_params">
 						<content><![CDATA[
-fastcgi_index index.php;
-
 fastcgi_connect_timeout 65;
 fastcgi_send_timeout    180;
 fastcgi_read_timeout    180;
@@ -271,6 +284,20 @@ fastcgi_param  SERVER_NAME        $server_name;

 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
+]]>
+						</content>
+					</file>
+					<file name="/etc/nginx/acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+location /.well-known/acme-challenge {
+	alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge;
+
+	location ~ /.well-known/acme-challenge/(.*) {
+		default_type text/plain;
+	}
+}
 ]]>
 						</content>
 					</file>
@@ -1092,25 +1119,14 @@ data_directory = /var/lib/postfix
 #
 #default_privs = nobody

-# INTERNET HOST AND DOMAIN NAMES
-# 
-# The myhostname parameter specifies the internet hostname of this
-# mail system. The default is to use the fully-qualified domain name
-# from gethostname(). $myhostname is used as a default value for many
-# other configuration parameters.
-#
-myhostname = mail.$mydomain
-#myhostname = virtual.domain.tld
-
-# The mydomain parameter specifies the local internet domain name.
-# The default is to use $myhostname minus the first component.
-# $mydomain is used as a default value for many other configuration
-# parameters.
-#
+# FQDN from Froxlor
 mydomain = <SERVERNAME>

+# set myhostname to $mydomain because Froxlor alrady uses a FQDN
+myhostname = $mydomain
+
 # SENDING MAIL
-# 
+#
 # The myorigin parameter specifies the domain that locally-posted
 # mail appears to come from. The default is to append $myhostname,
 # which is fine for small sites.  If you run a domain with multiple
@@ -1212,7 +1228,7 @@ mydomain = <SERVERNAME>
 #
 # - You define $mydestination domain recipients in files other than
 #   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
-#   For example, you define $mydestination domain recipients in    
+#   For example, you define $mydestination domain recipients in
 #   the $virtual_mailbox_maps files.
 #
 # - You redefine the local delivery agent in master.cf.
@@ -1232,7 +1248,7 @@ mydomain = <SERVERNAME>
 # The right-hand side of the lookup tables is conveniently ignored.
 # In the left-hand side, specify a bare username, an @domain.tld
 # wild-card, or specify a user@domain.tld address.
-# 
+#
 #local_recipient_maps = unix:passwd.byname $alias_maps
 #local_recipient_maps = proxy:unix:passwd.byname $alias_maps
 #local_recipient_maps =
@@ -1264,16 +1280,16 @@ unknown_local_recipient_reject_code = 550
 # clients in the same IP subnetworks as the local machine.
 # On Linux, this does works correctly only with interfaces specified
 # with the "ifconfig" command.
-# 
+#
 # Specify "mynetworks_style = class" when Postfix should "trust" SMTP
 # clients in the same IP class A/B/C networks as the local machine.
 # Don't do this with a dialup site - it would cause Postfix to "trust"
 # your entire provider's network.  Instead, specify an explicit
 # mynetworks list by hand, as described below.
-#  
+#
 # Specify "mynetworks_style = host" when Postfix should "trust"
 # only the local machine.
-# 
+#
 #mynetworks_style = class
 #mynetworks_style = subnet
 #mynetworks_style = host
@@ -1303,7 +1319,7 @@ mynetworks = 127.0.0.0/8
 # - from "untrusted" clients to destinations that match $relay_domains or
 #   subdomains thereof, except addresses with sender-specified routing.
 # The default relay_domains value is $mydestination.
-# 
+#
 # In addition to the above, the Postfix SMTP server by default accepts mail
 # that Postfix is final destination for:
 # - destinations that match $inet_interfaces or $proxy_interfaces,
@@ -1311,7 +1327,7 @@ mynetworks = 127.0.0.0/8
 # - destinations that match $virtual_alias_domains,
 # - destinations that match $virtual_mailbox_domains.
 # These destinations do not need to be listed in $relay_domains.
-# 
+#
 # Specify a list of hosts or domains, /file/name patterns or type:name
 # lookup tables, separated by commas and/or whitespace.  Continue
 # long lines by starting the next line with whitespace. A file name
@@ -1356,7 +1372,7 @@ mynetworks = 127.0.0.0/8
 # The right-hand side of the lookup tables is conveniently ignored.
 # In the left-hand side, specify an @domain.tld wild-card, or specify
 # a user@domain.tld address.
-# 
+#
 #relay_recipient_maps = hash:/etc/postfix/relay_recipients

 # INPUT RATE CONTROL
@@ -1365,15 +1381,15 @@ mynetworks = 127.0.0.0/8
 # flow control. This feature is turned on by default, although it
 # still needs further development (it's disabled on SCO UNIX due
 # to an SCO bug).
-# 
+#
 # A Postfix process will pause for $in_flow_delay seconds before
 # accepting a new message, when the message arrival rate exceeds the
 # message delivery rate. With the default 100 SMTP server process
 # limit, this limits the mail inflow to 100 messages a second more
 # than the number of messages delivered per second.
-# 
+#
 # Specify 0 to disable the feature. Valid delays are 0..10.
-# 
+#
 #in_flow_delay = 1s

 # ADDRESS REWRITING
@@ -1403,7 +1419,7 @@ mynetworks = 127.0.0.0/8
 # On systems with NIS, the default is to search the local alias
 # database, then the NIS alias database. See aliases(5) for syntax
 # details.
-# 
+#
 # If you change the alias database, run "postalias /etc/aliases" (or
 # wherever your system stores the mail alias file), or simply run
 # "newaliases" to build the necessary DBM or DB file.
@@ -1446,7 +1462,7 @@ mynetworks = 127.0.0.0/8
 #
 #home_mailbox = Mailbox
 #home_mailbox = Maildir/
- 
+
 # The mail_spool_directory parameter specifies the directory where
 # UNIX-style mailboxes are kept. The default setting depends on the
 # system type.
@@ -1488,7 +1504,7 @@ mynetworks = 127.0.0.0/8
 #
 # NOTE: if you use this feature for accounts not in the UNIX password
 # file, then you must update the "local_recipient_maps" setting in
-# the main.cf file, otherwise the SMTP server will reject mail for    
+# the main.cf file, otherwise the SMTP server will reject mail for
 # non-UNIX accounts with "User unknown in local recipient table".
 #
 # Cyrus IMAP over LMTP. Specify ``lmtpunix      cmd="lmtpd"
@@ -1510,7 +1526,7 @@ mynetworks = 127.0.0.0/8
 #
 # NOTE: if you use this feature for accounts not in the UNIX password
 # file, then you must update the "local_recipient_maps" setting in
-# the main.cf file, otherwise the SMTP server will reject mail for    
+# the main.cf file, otherwise the SMTP server will reject mail for
 # non-UNIX accounts with "User unknown in local recipient table".
 #
 #fallback_transport = lmtp:unix:/file/name
@@ -1533,15 +1549,15 @@ mynetworks = 127.0.0.0/8
 #
 # NOTE: if you use this feature for accounts not in the UNIX password
 # file, then you must specify "local_recipient_maps =" (i.e. empty) in
-# the main.cf file, otherwise the SMTP server will reject mail for    
+# the main.cf file, otherwise the SMTP server will reject mail for
 # non-UNIX accounts with "User unknown in local recipient table".
 #
 #luser_relay = $user@other.host
 #luser_relay = $local@other.host
 #luser_relay = admin+$local
-  
+
 # JUNK MAIL CONTROLS
-# 
+#
 # The controls listed here are only a very small subset. The file
 # SMTPD_ACCESS_README provides an overview.

@@ -1563,11 +1579,11 @@ mynetworks = 127.0.0.0/8
 # deferred mail, so that mail can be flushed quickly with the SMTP
 # "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
 # See the ETRN_README document for a detailed description.
-# 
+#
 # The fast_flush_domains parameter controls what destinations are
 # eligible for this service. By default, they are all domains that
 # this server is willing to relay mail to.
-# 
+#
 #fast_flush_domains = $relay_domains

 # SHOW SOFTWARE VERSION OR NOT
@@ -1593,7 +1609,7 @@ smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
 # too many are run at the same time. With SMTP deliveries, 10
 # simultaneous connections to the same domain could be sufficient to
 # raise eyebrows.
-# 
+#
 # Each message delivery transport has its XXX_destination_concurrency_limit
 # parameter.  The default is $default_destination_concurrency_limit for
 # most delivery transports. For the local delivery agent the default is 2.
@@ -1651,10 +1667,10 @@ debugger_command =
 # INSTALL-TIME CONFIGURATION INFORMATION
 #
 # The following parameters are used when installing a new Postfix version.
-# 
+#
 # sendmail_path: The full pathname of the Postfix sendmail command.
 # This is the Sendmail-compatible mail posting interface.
-# 
+#
 sendmail_path = /usr/sbin/sendmail

 # newaliases_path: The full pathname of the Postfix newaliases command.
@@ -1664,7 +1680,7 @@ newaliases_path = /usr/bin/newaliases

 # mailq_path: The full pathname of the Postfix mailq command.  This
 # is the Sendmail-compatible mail queue listing command.
-# 
+#
 mailq_path = /usr/bin/mailq

 # setgid_group: The group for mail submission and queue management
@@ -1701,9 +1717,9 @@ smtpd_recipient_restrictions = permit_mynetworks,
 	reject_non_fqdn_recipient
 smtpd_sender_restrictions = permit_mynetworks,
 	reject_sender_login_mismatch,
-	permit_sasl_authenticated, 
-	reject_unknown_helo_hostname, 
-	reject_unknown_recipient_domain, 
+	permit_sasl_authenticated,
+	reject_unknown_helo_hostname,
+	reject_unknown_recipient_domain,
 	reject_unknown_sender_domain
 smtpd_client_restrictions = permit_mynetworks,
 	permit_sasl_authenticated,
@@ -1711,7 +1727,7 @@ smtpd_client_restrictions = permit_mynetworks,

 # Postfix 2.10 requires this option. Postfix < 2.10 ignores this.
 # The option is intentionally left empty.
-smtpd_relay_restrictions = 
+smtpd_relay_restrictions =

 # Maximum size of Message in bytes (50MB)
 message_size_limit = 52428800
@@ -1931,7 +1947,7 @@ dovecot	  unix	-	n	n	-	-	pipe
 # Enable installed protocols
 !include_try /usr/share/dovecot/protocols.d/*.protocol

-# A comma separated list of IPs or hosts where to listen in for connections. 
+# A comma separated list of IPs or hosts where to listen in for connections.
 # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
 # If you want to specify non-default ports or anything more complex,
 # edit conf.d/master.conf.
@@ -1956,7 +1972,7 @@ dovecot	  unix	-	n	n	-	-	pipe
 #login_trusted_networks =

 # Space separated list of login access check sockets (e.g. tcpwrap)
-#login_access_sockets = 
+#login_access_sockets =

 # With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
 # proxying. This isn't necessary normally, but may be useful if the destination
@@ -2045,7 +2061,7 @@ dict {
 # );

 # Database driver: mysql, pgsql, sqlite
-driver = mysql 
+driver = mysql

 # Database connection string. This is driver-specific setting.
 #
@@ -2072,7 +2088,7 @@ driver = mysql
 #     option_file            - Read options from the given file instead of
 #                              the default my.cnf location
 #     option_group           - Read options from the given group (default: client)
-# 
+#
 #   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
 #   Note that currently you can't use spaces in parameters.
 #
@@ -2111,7 +2127,7 @@ default_pass_scheme = CRYPT
 #   %u = entire user@domain
 #   %n = user part of user@domain
 #   %d = domain part of user@domain
-# 
+#
 # Note that these can be used only as input to SQL query. If the query outputs
 # any of these substitutions, they're not touched. Otherwise it would be
 # difficult to have eg. usernames containing '%' characters.
@@ -2195,7 +2211,7 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed

 # Default realm/domain to use if none was specified. This is used for both
 # SASL realms and appending @domain to username in plaintext logins.
-#auth_default_realm = 
+#auth_default_realm =

 # List of allowed characters in username. If the user-given username contains
 # a character not listed in here, the login automatically fails. This is just
@@ -2238,7 +2254,7 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed
 # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
 # default (usually /etc/krb5.keytab) if not specified. You may need to change
 # the auth service to run as root to be able to read this file.
-#auth_krb5_keytab = 
+#auth_krb5_keytab =

 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
 # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
@@ -2253,9 +2269,9 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed
 # Require a valid SSL client certificate or the authentication fails.
 #auth_ssl_require_client_cert = no

-# Take the username from client's SSL certificate, using 
+# Take the username from client's SSL certificate, using
 # X509_NAME_get_text_by_NID() which returns the subject's DN's
-# CommonName. 
+# CommonName.
 #auth_ssl_username_from_cert = no

 # Space separated list of wanted authentication mechanisms:
@@ -2345,11 +2361,11 @@ namespace inbox {
  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
-  #separator = 
+  #separator =

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
-  #prefix = 
+  #prefix =

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
@@ -2478,7 +2494,7 @@ mail_access_groups = vmail
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
 # allow shell access for users. <doc/wiki/Chrooting.txt>
-#valid_chroot_dirs = 
+#valid_chroot_dirs =

 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
@@ -2486,7 +2502,7 @@ mail_access_groups = vmail
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
-#mail_chroot = 
+#mail_chroot =

 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
@@ -2497,7 +2513,7 @@ mail_access_groups = vmail

 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-#mail_plugins = 
+#mail_plugins =

 ##
 ## Mailbox handling optimizations
@@ -2603,7 +2619,7 @@ mail_access_groups = vmail
 # fallbacks to re-reading the whole mbox file whenever something in mbox isn't
 # how it's expected to be. The only real downside to this setting is that if
 # some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
 # commands.
 #mbox_dirty_syncs = yes

@@ -2730,7 +2746,7 @@ service lmtp {
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
-    #port = 
+    #port =
  #}
 }

@@ -2764,8 +2780,8 @@ service auth {
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
-    #user = 
-    #group = 
+    #user =
+    #group =
  }

  # Postfix smtp-auth
@@ -2798,8 +2814,8 @@ service dict {
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
-    #user = 
-    #group = 
+    #user =
+    #group =
  }
 }
 ]]>
@@ -2818,7 +2834,7 @@ postmaster_address = postmaster@<SERVERNAME>

 # Hostname to use in various parts of sent mails (e.g. in Message-Id) and
 # in LMTP replies. Default is the system's real hostname@domain.
-#hostname = 
+#hostname =

 # If user is over quota, return with temporary failure instead of
 # bouncing the mail.
@@ -2842,7 +2858,7 @@ postmaster_address = postmaster@<SERVERNAME>
 #recipient_delimiter = +

 # Header where the original recipient address (SMTP's RCPT TO: address) is taken
-# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
 # A commonly used header for this is X-Original-To.
 #lda_original_recipient_header =

@@ -2878,7 +2894,7 @@ protocol lda {

 # Override the IMAP CAPABILITY response. If the value begins with '+',
 # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
-#imap_capability = 
+#imap_capability =

 # How long to wait between "OK Still here" notifications when client is
 # IDLEing.
@@ -2887,7 +2903,7 @@ protocol lda {
 # ID field names and values to send to clients. Using * as the value makes
 # Dovecot use the default value. The following fields have default values
 # currently: name, version, os, os-version, support-url, support-email.
-#imap_id_send = 
+#imap_id_send =

 # ID fields sent by client to log. * means everything.
 #imap_id_log =
@@ -2910,7 +2926,7 @@ protocol lda {
 #     greyed out, instead of only later giving "not selectable" popup error.
 #
 # The list is space-separated.
-#imap_client_workarounds = 
+#imap_client_workarounds =

 # Host allowed in URLAUTH URLs sent by client. "*" allows all.
 #imap_urlauth_host =
@@ -3099,7 +3115,7 @@ protocol sieve {
 #     Outlook Express and Netscape Mail breaks if end of headers-line is
 #     missing. This option simply sends it if it's missing.
 # The list is space-separated.
-#pop3_client_workarounds = 
+#pop3_client_workarounds =

 protocol pop3 {
  # Space separated list of plugins to load (default is global mail_plugins).
@@ -3253,6 +3269,11 @@ plugin {
 				<!-- Proftpd -->
 				<daemon name="proftpd" title="ProFTPd" default="true">
 					<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
+					<commands>
+						<command><![CDATA[[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
+						<command><![CDATA[[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
+						<command><![CDATA[chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key]]></command>
+					</commands>
 					<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
 						backup="true">
 						<content><![CDATA[
@@ -3260,7 +3281,7 @@ plugin {
 # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
 # To really apply changes, reload proftpd after modifications, if
 # it runs in daemon mode. It is not required in inetd/xinetd mode.
-# 
+#

 # Includes DSO modules
 Include /etc/proftpd/modules.conf
@@ -3288,7 +3309,7 @@ ListOptions                	"-l"

 DenyFilter			\*.*/

-# Use this to jail all users in their homes 
+# Use this to jail all users in their homes
 # DefaultRoot			~

 # Users require a valid shell listed in /etc/shells to login.
@@ -3367,7 +3388,7 @@ Ratios off

 # Delay engine reduces impact of the so-called Timing Attack described in
 # http://www.securityfocus.com/bid/11430/discuss
-# It is on by default. 
+# It is on by default.
 <IfModule mod_delay.c>
 DelayEngine on
 </IfModule>
@@ -3393,7 +3414,7 @@ Include /etc/proftpd/sql.conf
 #
 # This is used for FTPS connections
 #
-#Include /etc/proftpd/tls.conf
+Include /etc/proftpd/tls.conf

 #
 # Useful to keep VirtualHost/VirtualRoot directives separated
@@ -3410,24 +3431,24 @@ Include /etc/proftpd/sql.conf
 #   # Cosmetic changes, all files belongs to ftp user
 #   DirFakeUser	on ftp
 #   DirFakeGroup on ftp
-# 
+#
 #   RequireValidShell		off
-# 
+#
 #   # Limit the maximum number of anonymous logins
 #   MaxClients			10
-# 
+#
 #   # We want 'welcome.msg' displayed at login, and '.message' displayed
 #   # in each newly chdired directory.
 #   DisplayLogin			welcome.msg
 #   DisplayChdir		.message
-# 
+#
 #   # Limit WRITE everywhere in the anonymous chroot
 #   <Directory *>
 #     <Limit WRITE>
 #       DenyAll
 #     </Limit>
 #   </Directory>
-# 
+#
 #   # Uncomment this if you're brave.
 #   # <Directory incoming>
 #   #   # Umask 022 is a good standard umask to prevent new files and dirs
@@ -3440,7 +3461,7 @@ Include /etc/proftpd/sql.conf
 #   #            AllowAll
 #   #            </Limit>
 #   # </Directory>
-# 
+#
 # </Anonymous>

 # Include other custom configuration files
@@ -3478,7 +3499,7 @@ LoadModule mod_sql.c
 #LoadModule mod_ldap.c

 #
-# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives 
+# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives
 # are required to have SQL authorization working. You can also comment out the
 # unused module here, in alternative.
 #
@@ -3487,7 +3508,7 @@ LoadModule mod_sql.c
 # mod_sql.c module to use this.
 LoadModule mod_sql_mysql.c

-# Install proftpd-mod-pgsql and decomment the previous 
+# Install proftpd-mod-pgsql and decomment the previous
 # mod_sql.c module to use this.
 #LoadModule mod_sql_postgres.c

@@ -3499,7 +3520,7 @@ LoadModule mod_sql_mysql.c
 # mod_sql.c module to use this
 #LoadModule mod_sql_odbc.c

-# Install one of the previous SQL backends and decomment 
+# Install one of the previous SQL backends and decomment
 # the previous mod_sql.c module to use this
 #LoadModule mod_sql_passwd.c

@@ -3510,7 +3531,7 @@ LoadModule mod_quotatab_file.c
 # Install proftpd-mod-ldap to use this
 #LoadModule mod_quotatab_ldap.c

-# Install one of the previous SQL backends and decomment 
+# Install one of the previous SQL backends and decomment
 # the previous mod_sql.c module to use this
 LoadModule mod_quotatab_sql.c
 LoadModule mod_quotatab_radius.c
@@ -3520,7 +3541,7 @@ LoadModule mod_load.c
 LoadModule mod_ban.c
 LoadModule mod_wrap2.c
 LoadModule mod_wrap2_file.c
-# Install one of the previous SQL backends and decomment 
+# Install one of the previous SQL backends and decomment
 # the previous mod_sql.c module to use this
 #LoadModule mod_wrap2_sql.c
 LoadModule mod_dynmasq.c
@@ -3531,7 +3552,7 @@ LoadModule mod_site_misc.c

 LoadModule mod_sftp.c
 LoadModule mod_sftp_pam.c
-# Install one of the previous SQL backends and decomment 
+# Install one of the previous SQL backends and decomment
 # the previous mod_sql.c module to use this
 #LoadModule mod_sftp_sql.c

@@ -3567,7 +3588,7 @@ AuthOrder mod_sql.c

 #
 # Choose a SQL backend among MySQL or PostgreSQL.
-# Both modules are loaded in default configuration, so you have to specify the backend 
+# Both modules are loaded in default configuration, so you have to specify the backend
 # or comment out the unused module in /etc/proftpd/modules.conf.
 # Use 'mysql' or 'postgres' as possible values.
 #
@@ -3576,13 +3597,13 @@ SQLBackend	mysql
 SQLEngine on
 SQLAuthenticate on
 #
-# Use both a crypted or plaintext password 
+# Use both a crypted or plaintext password
 SQLAuthTypes Crypt

 SQLAuthenticate users* groups*

 #
-# Connection 
+# Connection
 SQLConnectInfo <SQL_DB>@<SQL_HOST> <SQL_UNPRIVILEGED_USER> <SQL_UNPRIVILEGED_PASSWORD>
 #
 # Describes both users/groups tables
@@ -3612,6 +3633,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_
 SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
 SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies

+</IfModule>
+]]>
+						</content>
+					</file>
+					<file name="/etc/proftpd/tls.conf" chown="root:root" chmod="0644" backup="true">
+						<content><![CDATA[
+<IfModule mod_tls.c>
+TLSEngine                               on
+TLSLog                                  /var/log/proftpd/tls.log
+TLSProtocol                             TLSv1 TLSv1.1 TLSv1.2
+TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
+TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
+TLSECCertificateFile                    /etc/ssl/certs/proftpd_ec.crt
+TLSECCertificateKeyFile                 /etc/ssl/private/proftpd_ec.key
+TLSOptions                              NoCertRequest NoSessionReuseRequired
+TLSVerifyClient                         off
+
+# Are clients required to use FTP over TLS when talking to this server?
+#TLSRequired                             on
+
+# Allow SSL/TLS renegotiations when the client requests them, but
+# do not force the renegotations.  Some clients do not support
+# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
+# clients will close the data connection, or there will be a timeout
+# on an idle data connection.
+#
+#TLSRenegotiate                          required off
 </IfModule>
 ]]>
 						</content>
@@ -3754,7 +3802,7 @@ MYSQLGetGID     SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled=
 MYSQLGetDir     SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y"


-# Optional : query to get the maximal number of files 
+# Optional : query to get the maximal number of files
 # Pure-FTPd must have been compiled with virtual quotas support.

 # MySQLGetQTAFS  SELECT QuotaFiles FROM users WHERE User='\L'
@@ -3858,7 +3906,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 #
 # Please check that all following paths are correct
 #
-*/5 * * * *	root	/usr/bin/nice -n 5 /usr/bin/php5 -q <BASE_PATH>scripts/froxlor_master_cronjob.php
+*/5 * * * *	root	/usr/bin/nice -n 5 /usr/bin/php -q <BASE_PATH>scripts/froxlor_master_cronjob.php
 ]]>
 						</content>
 					</file>
@@ -3948,7 +3996,7 @@ password	<SQL_UNPRIVILEGED_PASSWORD>
 					</file>
 					<file name="/etc/nsswitch.conf" backup="true">
 						<content><![CDATA[
-# Make sure that `passwd`, `group` and `shadow` have mysql in their lines 
+# Make sure that `passwd`, `group` and `shadow` have mysql in their lines
 # You should place mysql at the end, so that it is queried after the other mechanisams
 #
 passwd:         compat mysql
@@ -3974,6 +4022,72 @@ aliases:     files
 					<command><![CDATA[/etc/init.d/nscd restart]]></command>
 					<!-- clear group chache -->
 					<command><![CDATA[nscd --invalidate=group]]></command>
+					<file /><!-- separate the following mkdir command from the previous nscd -->
+					<command>
+						<visibility mode="notisdir">/etc/insserv/overrides</visibility>
+						<content><![CDATA[mkdir -p /etc/insserv/overrides]]></content>
+					</command>
+					<file name="/etc/insserv/overrides/apache2" chown="root:root" chmod="0644">
+						<visibility mode="equals" value="apache2">{{settings.system.webserver}}</visibility>
+						<content><![CDATA[
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          apache2
+# Required-Start:    $local_fs $remote_fs $network $syslog nscd
+# Required-Stop:     $local_fs $remote_fs $network $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start/stop apache2 web server
+### END INIT INFO
+]]>
+						</content>
+					</file>
+					<file name="/etc/insserv/overrides/lighttpd" chown="root:root" chmod="0644">
+						<visibility mode="equals" value="lighttpd">{{settings.system.webserver}}</visibility>
+						<content><![CDATA[
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          lighttpd
+# Required-Start:    $local_fs $remote_fs $network $syslog nscd
+# Required-Stop:     $local_fs $remote_fs $network $syslog
+# Should-Start:      fam
+# Should-Stop:       fam
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start the lighttpd web server.
+### END INIT INFO
+]]>
+						</content>
+					</file>
+					<file name="/etc/insserv/overrides/nginx" chown="root:root" chmod="0644">
+						<visibility mode="equals" value="nginx">{{settings.system.webserver}}</visibility>
+						<content><![CDATA[
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:       nginx
+# Required-Start:    $local_fs $remote_fs $network $syslog $named nscd
+# Required-Stop:     $local_fs $remote_fs $network $syslog $named
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: starts the nginx web server
+### END INIT INFO
+]]>
+						</content>
+					</file>
+					<file name="/etc/insserv/overrides/nscd" chown="root:root" chmod="0644">
+						<content><![CDATA[
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          nscd
+# Required-Start:    $remote_fs $syslog mysql
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Starts the Name Service Cache Daemon
+### END INIT INFO
+]]>
+						</content>
+					</file>
 				</daemon>
 				<!-- Logrotate -->
 				<daemon name="logrotate" title="Logrotate">
@@ -4013,7 +4127,7 @@ aliases:     files
 						<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
 						<command><![CDATA[a2dismod php5]]></command>
 					</commands>
-					<!-- instead of just restarting apache, we let the cronjob do all the 
+					<!-- instead of just restarting apache, we let the cronjob do all the
 						dirty work -->
 					<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
 				</daemon>
@@ -4051,7 +4165,7 @@ aliases:     files
 						</visibility>
 						<command><![CDATA[a2dismod php5]]></command>
 					</commands>
-					<!-- instead of just restarting apache, we let the cronjob do all the 
+					<!-- instead of just restarting apache, we let the cronjob do all the
 						dirty work -->
 					<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
 				</daemon>
--- a/lib/configfiles/precise.xml
+++ b/lib/configfiles/precise.xml
@@ -38,9 +38,10 @@
 						<command>
 							<visibility mode="notempty">{{settings.system.deactivateddocroot}}
 							</visibility>
-							<content><![CDATA['mkdir -p {{settings.system.deactivateddocroot}}]]></content>
+							<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
 						</command>
 						<command><![CDATA[a2dismod userdir]]></command>
+						<command><![CDATA[a2enmod headers]]></command>
 					</commands>
 				</general>
 				<!-- HTTP Apache -->
@@ -62,6 +63,18 @@
        Allow from env=REDIRECT_STATUS
    </Location>
 </IfModule>
+]]>
+						</content>
+					</file>
+					<file name="/etc/apache2/conf-enabled/acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
+<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
+	Order allow,deny
+	Allow from all
+</Directory>
 ]]>
 						</content>
 					</file>
@@ -87,6 +100,7 @@ server.modules = (
 	"mod_auth",
 	"mod_fastcgi",
 	"mod_cgi",
+	"mod_setenv",
 	"mod_accesslog"
 )

@@ -99,7 +113,7 @@ server.errorlog      = var.logdir  + "/error.log"

 server.indexfiles    = ("index.php", "index.html",
 						"index.htm", "default.htm")
-						
+
 server.name			 = "<SERVERNAME>"
 server.port          = 80
 server.bind          = "<SERVERIP>"
@@ -126,6 +140,8 @@ fastcgi.server = (
 	)
 )

+alias.url           += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
+
 #### external configuration files
 ## mimetype mapping
 include_shell "/usr/share/lighttpd/create-mime.assign.pl"
@@ -200,8 +216,6 @@ http {
 					</file>
 					<file name="/etc/nginx/fastcgi_params">
 						<content><![CDATA[
-fastcgi_index index.php;
-
 fastcgi_connect_timeout 65;
 fastcgi_send_timeout    180;
 fastcgi_read_timeout    180;
@@ -229,6 +243,20 @@ fastcgi_param  SERVER_NAME        $server_name;

 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
+]]>
+						</content>
+					</file>
+					<file name="/etc/nginx/acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+location /.well-known/acme-challenge {
+	alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge;
+
+	location ~ /.well-known/acme-challenge/(.*) {
+		default_type text/plain;
+	}
+}
 ]]>
 						</content>
 					</file>
@@ -246,7 +274,7 @@ fastcgi_param  REDIRECT_STATUS    200;
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: php-fcgi initscript
-# Description:       Custom php-fcgi initscript for Froxlor    
+# Description:       Custom php-fcgi initscript for Froxlor
 ### END INIT INFO

 BIND="127.0.0.1:8888"
@@ -488,11 +516,11 @@ root:               root@<SERVERNAME>
 						backup="true">
 						<content><![CDATA[
 ## General Postfix configuration
-# should be the default domain from your provider eg. "server100.provider.tld"
+# FQDN from Froxlor
 mydomain = <SERVERNAME>

-# should be different from $mydomain eg. "mail.$mydomain"
-myhostname = mail.$mydomain
+# set myhostname to $mydomain because Froxlor alrady uses a FQDN
+myhostname = $mydomain

 mydestination = $myhostname,
 	$mydomain,
@@ -518,9 +546,9 @@ smtpd_recipient_restrictions = permit_mynetworks,
 	reject_non_fqdn_recipient
 smtpd_sender_restrictions = permit_mynetworks,
 	reject_sender_login_mismatch,
-	permit_sasl_authenticated, 
-	reject_unknown_helo_hostname, 
-	reject_unknown_recipient_domain, 
+	permit_sasl_authenticated,
+	reject_unknown_helo_hostname,
+	reject_unknown_recipient_domain,
 	reject_unknown_sender_domain
 smtpd_client_restrictions = permit_mynetworks,
 	permit_sasl_authenticated,
@@ -528,7 +556,7 @@ smtpd_client_restrictions = permit_mynetworks,

 # Postfix 2.10 requires this option. Postfix < 2.10 ignores this.
 # The option is intentionally left empty.
-smtpd_relay_restrictions = 
+smtpd_relay_restrictions =

 # Maximum size of Message in bytes (50MB)
 message_size_limit = 52428800
@@ -636,9 +664,9 @@ smtpd_recipient_restrictions = permit_mynetworks,
 	reject_non_fqdn_recipient
 smtpd_sender_restrictions = permit_mynetworks,
 	reject_sender_login_mismatch,
-	permit_sasl_authenticated, 
-	reject_unknown_helo_hostname, 
-	reject_unknown_recipient_domain, 
+	permit_sasl_authenticated,
+	reject_unknown_helo_hostname,
+	reject_unknown_recipient_domain,
 	reject_unknown_sender_domain
 smtpd_client_restrictions = permit_mynetworks,
 	permit_sasl_authenticated,
@@ -646,7 +674,7 @@ smtpd_client_restrictions = permit_mynetworks,

 # Postfix 2.10 requires this option. Postfix < 2.10 ignores this.
 # The option is intentionally left empty.
-smtpd_relay_restrictions = 
+smtpd_relay_restrictions =

 # Maximum size of Message in bytes (50MB)
 message_size_limit = 52428800
@@ -737,7 +765,7 @@ protocol imap {
        mail_plugins = quota imap_quota
        mail_max_userip_connections = 10
 	imap_client_workarounds = delay-newmail
-	
+
 	# IMAP logout format string:
 	#  %i - total number of bytes read from client
 	#  %o - total number of bytes sent to client
@@ -750,7 +778,7 @@ protocol pop3 {
        pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
 	pop3_uidl_format = UID%u-%v
 	mail_plugins = quota
-	
+
 	# POP3 logout format string:
 	# %i - total number of bytes read from client
 	# %o - total number of bytes sent to client
@@ -842,7 +870,7 @@ service auth {

 # Default realm/domain to use if none was specified. This is used for both
 # SASL realms and appending @domain to username in plaintext logins.
-#auth_default_realm = 
+#auth_default_realm =

 # List of allowed characters in username. If the user-given username contains
 # a character not listed in here, the login automatically fails. This is just
@@ -885,7 +913,7 @@ service auth {
 # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
 # default (usually /etc/krb5.keytab) if not specified. You may need to change
 # the auth service to run as root to be able to read this file.
-#auth_krb5_keytab = 
+#auth_krb5_keytab =

 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
 # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
@@ -900,9 +928,9 @@ service auth {
 # Require a valid SSL client certificate or the authentication fails.
 #auth_ssl_require_client_cert = no

-# Take the username from client's SSL certificate, using 
+# Take the username from client's SSL certificate, using
 # X509_NAME_get_text_by_NID() which returns the subject's DN's
-# CommonName. 
+# CommonName.
 #auth_ssl_username_from_cert = no

 # Space separated list of wanted authentication mechanisms:
@@ -1074,13 +1102,18 @@ MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3)
 				<!-- Proftpd -->
 				<daemon name="proftpd" title="ProFTPd" default="true">
 					<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
+					<commands>
+						<command><![CDATA[[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
+						<command><![CDATA[[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
+						<command><![CDATA[chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key]]></command>
+					</commands>
 					<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
 						backup="true">
 						<content><![CDATA[
 #
 # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
 # To really apply changes reload proftpd after modifications.
-# 
+#

 # Includes DSO modules
 Include /etc/proftpd/modules.conf
@@ -1106,7 +1139,7 @@ ListOptions                	"-l"

 DenyFilter			\*.*/

-# Use this to jail all users in their homes 
+# Use this to jail all users in their homes
 # DefaultRoot			~

 # Users require a valid shell listed in /etc/shells to login.
@@ -1180,7 +1213,7 @@ Ratios off

 # Delay engine reduces impact of the so-called Timing Attack described in
 # http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
-# It is on by default. 
+# It is on by default.
 <IfModule mod_delay.c>
 DelayEngine off
 </IfModule>
@@ -1206,7 +1239,7 @@ Include /etc/proftpd/sql.conf
 #
 # This is used for FTPS connections
 #
-#Include /etc/proftpd/tls.conf
+Include /etc/proftpd/tls.conf
 ]]>
 						</content>
 					</file>
@@ -1237,7 +1270,7 @@ LoadModule mod_sql.c
 #LoadModule mod_ldap.c

 #
-# 'SQLBackend mysql' or 'SQLBackend postgres' directives are required 
+# 'SQLBackend mysql' or 'SQLBackend postgres' directives are required
 # to have SQL authorization working. You can also comment out the
 # unused module here, in alternative.
 #
@@ -1313,6 +1346,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_
 SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
 SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies

+</IfModule>
+]]>
+						</content>
+					</file>
+					<file name="/etc/proftpd/tls.conf" chown="root:root" chmod="0644" backup="true">
+						<content><![CDATA[
+<IfModule mod_tls.c>
+TLSEngine                               on
+TLSLog                                  /var/log/proftpd/tls.log
+TLSProtocol                             TLSv1 TLSv1.1 TLSv1.2
+TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
+TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
+TLSECCertificateFile                    /etc/ssl/certs/proftpd_ec.crt
+TLSECCertificateKeyFile                 /etc/ssl/private/proftpd_ec.key
+TLSOptions                              NoCertRequest NoSessionReuseRequired
+TLSVerifyClient                         off
+
+# Are clients required to use FTP over TLS when talking to this server?
+#TLSRequired                             on
+
+# Allow SSL/TLS renegotiations when the client requests them, but
+# do not force the renegotations.  Some clients do not support
+# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
+# clients will close the data connection, or there will be a timeout
+# on an idle data connection.
+#
+#TLSRenegotiate                          required off
 </IfModule>
 ]]>
 						</content>
@@ -1422,7 +1482,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 #
 # Please check that all following paths are correct
 #
-*/5 * * * *	root	/usr/bin/nice -n 5 /usr/bin/php5 -q <BASE_PATH>scripts/froxlor_master_cronjob.php
+*/5 * * * *	root	/usr/bin/nice -n 5 /usr/bin/php -q <BASE_PATH>scripts/froxlor_master_cronjob.php
 ]]>
 						</content>
 					</file>
@@ -1505,7 +1565,7 @@ password	<SQL_UNPRIVILEGED_PASSWORD>
 					</file>
 					<file name="/etc/nsswitch.conf" backup="true">
 						<content><![CDATA[
-# Make sure that `passwd`, `group` and `shadow` have mysql in their lines 
+# Make sure that `passwd`, `group` and `shadow` have mysql in their lines
 # You should place mysql at the end, so that it is queried after the other mechanisams
 #
 passwd:         compat mysql
@@ -1570,7 +1630,7 @@ aliases:     files
 						<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
 						<command><![CDATA[a2dismod php5]]></command>
 					</commands>
-					<!-- instead of just restarting apache, we let the cronjob do all the 
+					<!-- instead of just restarting apache, we let the cronjob do all the
 						dirty work -->
 					<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
 				</daemon>
@@ -1608,7 +1668,7 @@ aliases:     files
 						</visibility>
 						<command><![CDATA[a2dismod php5]]></command>
 					</commands>
-					<!-- instead of just restarting apache, we let the cronjob do all the 
+					<!-- instead of just restarting apache, we let the cronjob do all the
 						dirty work -->
 					<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
 				</daemon>
--- a/lib/configfiles/rhel_centos.xml
+++ b/lib/configfiles/rhel_centos.xml
@@ -38,15 +38,27 @@
 						<command>
 							<visibility mode="notempty">{{settings.system.deactivateddocroot}}
 							</visibility>
-							<content><![CDATA['mkdir -p {{settings.system.deactivateddocroot}}]]></content>
+							<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
 						</command>
 						<command><![CDATA[a2dismod userdir]]></command>
+						<command><![CDATA[a2enmod headers]]></command>
 					</commands>
 				</general>
 				<!-- HTTP Apache -->
 				<daemon name="apache" version="2.4" title="Apache 2.4"
 					default="true">
 					<include>//service[@type='http']/general/commands</include>
+					<file name="/etc/httpd/conf.d/acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
+<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
+	Require all granted
+</Directory>
+]]>
+						</content>
+					</file>
 					<command><![CDATA[systemctl reload-or-restart httpd.service]]></command>
 				</daemon>
 			</service>
@@ -166,11 +178,11 @@ query = SELECT gid FROM mail_users WHERE email = '%s'
 						backup="true">
 						<content><![CDATA[
 ## General Postfix configuration
-
+# FQDN from Froxlor
 mydomain = <SERVERNAME>

-# should be different from $mydomain eg. "mail.$mydomain"
-myhostname = mail.$mydomain
+# set myhostname to $mydomain because Froxlor alrady uses a FQDN
+myhostname = $mydomain

 mydestination = $myhostname,
 	$mydomain,
--- a/lib/configfiles/trusty.xml
+++ b/lib/configfiles/trusty.xml
@@ -38,9 +38,10 @@
 						<command>
 							<visibility mode="notempty">{{settings.system.deactivateddocroot}}
 							</visibility>
-							<content><![CDATA['mkdir -p {{settings.system.deactivateddocroot}}]]></content>
+							<content><![CDATA[mkdir -p {{settings.system.deactivateddocroot}}]]></content>
 						</command>
 						<command><![CDATA[a2dismod userdir]]></command>
+						<command><![CDATA[a2enmod headers]]></command>
 					</commands>
 				</general>
 				<!-- HTTP Apache -->
@@ -62,6 +63,18 @@
        Allow from env=REDIRECT_STATUS
    </Location>
 </IfModule>
+]]>
+						</content>
+					</file>
+					<file name="/etc/apache2/conf-enabled/acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
+<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
+	Order allow,deny
+	Allow from all
+</Directory>
 ]]>
 						</content>
 					</file>
@@ -82,6 +95,17 @@
        Require env REDIRECT_STATUS
    </Location>
 </IfModule>
+]]>
+						</content>
+					</file>
+					<file name="/etc/apache2/conf-enabled/acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+Alias "/.well-known/acme-challenge" "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge"
+<Directory "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge">
+	Require all granted
+</Directory>
 ]]>
 						</content>
 					</file>
@@ -107,6 +131,7 @@ server.modules = (
 	"mod_auth",
 	"mod_fastcgi",
 	"mod_cgi",
+	"mod_setenv",
 	"mod_accesslog"
 )

@@ -119,7 +144,7 @@ server.errorlog      = var.logdir  + "/error.log"

 server.indexfiles    = ("index.php", "index.html",
 						"index.htm", "default.htm")
-						
+
 server.name			 = "<SERVERNAME>"
 server.port          = 80
 server.bind          = "<SERVERIP>"
@@ -146,6 +171,8 @@ fastcgi.server = (
 	)
 )

+alias.url           += ("/.well-known/acme-challenge/" => "{{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge/")
+
 #### external configuration files
 ## mimetype mapping
 include_shell "/usr/share/lighttpd/create-mime.assign.pl"
@@ -220,8 +247,6 @@ http {
 					</file>
 					<file name="/etc/nginx/fastcgi_params">
 						<content><![CDATA[
-fastcgi_index index.php;
-
 fastcgi_connect_timeout 65;
 fastcgi_send_timeout    180;
 fastcgi_read_timeout    180;
@@ -249,6 +274,20 @@ fastcgi_param  SERVER_NAME        $server_name;

 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
+]]>
+						</content>
+					</file>
+					<file name="/etc/nginx/acme.conf">
+						<visibility mode="true">{{settings.system.leenabled}}
+						</visibility>
+						<content><![CDATA[
+location /.well-known/acme-challenge {
+	alias {{settings.system.letsencryptchallengepath}}/.well-known/acme-challenge;
+
+	location ~ /.well-known/acme-challenge/(.*) {
+		default_type text/plain;
+	}
+}
 ]]>
 						</content>
 					</file>
@@ -266,7 +305,7 @@ fastcgi_param  REDIRECT_STATUS    200;
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: php-fcgi initscript
-# Description:       Custom php-fcgi initscript for Froxlor    
+# Description:       Custom php-fcgi initscript for Froxlor
 ### END INIT INFO

 BIND="127.0.0.1:8888"
@@ -508,11 +547,11 @@ root:               root@<SERVERNAME>
 						backup="true">
 						<content><![CDATA[
 ## General Postfix configuration
-# should be the default domain from your provider eg. "server100.provider.tld"
+# FQDN from Froxlor
 mydomain = <SERVERNAME>

-# should be different from $mydomain eg. "mail.$mydomain"
-myhostname = mail.$mydomain
+# set myhostname to $mydomain because Froxlor alrady uses a FQDN
+myhostname = $mydomain

 mydestination = $myhostname,
 	$mydomain,
@@ -538,9 +577,9 @@ smtpd_recipient_restrictions = permit_mynetworks,
 	reject_non_fqdn_recipient
 smtpd_sender_restrictions = permit_mynetworks,
 	reject_sender_login_mismatch,
-	permit_sasl_authenticated, 
-	reject_unknown_helo_hostname, 
-	reject_unknown_recipient_domain, 
+	permit_sasl_authenticated,
+	reject_unknown_helo_hostname,
+	reject_unknown_recipient_domain,
 	reject_unknown_sender_domain
 smtpd_client_restrictions = permit_mynetworks,
 	permit_sasl_authenticated,
@@ -548,7 +587,7 @@ smtpd_client_restrictions = permit_mynetworks,

 # Postfix 2.10 requires this option. Postfix < 2.10 ignores this.
 # The option is intentionally left empty.
-smtpd_relay_restrictions = 
+smtpd_relay_restrictions =

 # Maximum size of Message in bytes (50MB)
 message_size_limit = 52428800
@@ -656,9 +695,9 @@ smtpd_recipient_restrictions = permit_mynetworks,
 	reject_non_fqdn_recipient
 smtpd_sender_restrictions = permit_mynetworks,
 	reject_sender_login_mismatch,
-	permit_sasl_authenticated, 
-	reject_unknown_helo_hostname, 
-	reject_unknown_recipient_domain, 
+	permit_sasl_authenticated,
+	reject_unknown_helo_hostname,
+	reject_unknown_recipient_domain,
 	reject_unknown_sender_domain
 smtpd_client_restrictions = permit_mynetworks,
 	permit_sasl_authenticated,
@@ -666,7 +705,7 @@ smtpd_client_restrictions = permit_mynetworks,

 # Postfix 2.10 requires this option. Postfix < 2.10 ignores this.
 # The option is intentionally left empty.
-smtpd_relay_restrictions = 
+smtpd_relay_restrictions =

 # Maximum size of Message in bytes (50MB)
 message_size_limit = 52428800
@@ -757,7 +796,7 @@ protocol imap {
        mail_plugins = quota imap_quota
        mail_max_userip_connections = 10
 	imap_client_workarounds = delay-newmail
-	
+
 	# IMAP logout format string:
 	#  %i - total number of bytes read from client
 	#  %o - total number of bytes sent to client
@@ -770,7 +809,7 @@ protocol pop3 {
        pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
 	pop3_uidl_format = UID%u-%v
 	mail_plugins = quota
-	
+
 	# POP3 logout format string:
 	# %i - total number of bytes read from client
 	# %o - total number of bytes sent to client
@@ -849,7 +888,7 @@ service auth {

 # Default realm/domain to use if none was specified. This is used for both
 # SASL realms and appending @domain to username in plaintext logins.
-#auth_default_realm = 
+#auth_default_realm =

 # List of allowed characters in username. If the user-given username contains
 # a character not listed in here, the login automatically fails. This is just
@@ -892,7 +931,7 @@ service auth {
 # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
 # default (usually /etc/krb5.keytab) if not specified. You may need to change
 # the auth service to run as root to be able to read this file.
-#auth_krb5_keytab = 
+#auth_krb5_keytab =

 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
 # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
@@ -907,9 +946,9 @@ service auth {
 # Require a valid SSL client certificate or the authentication fails.
 #auth_ssl_require_client_cert = no

-# Take the username from client's SSL certificate, using 
+# Take the username from client's SSL certificate, using
 # X509_NAME_get_text_by_NID() which returns the subject's DN's
-# CommonName. 
+# CommonName.
 #auth_ssl_username_from_cert = no

 # Space separated list of wanted authentication mechanisms:
@@ -1068,13 +1107,18 @@ MYSQL_AUXOPTIONS_FIELD CONCAT("allowimap=",imap,",allowpop3=",pop3)
 				<!-- Proftpd -->
 				<daemon name="proftpd" title="ProFTPd" default="true">
 					<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
+					<commands>
+						<command><![CDATA[[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
+						<command><![CDATA[[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
+						<command><![CDATA[chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key]]></command>
+					</commands>
 					<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
 						backup="true">
 						<content><![CDATA[
 #
 # /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
 # To really apply changes reload proftpd after modifications.
-# 
+#

 # Includes DSO modules
 Include /etc/proftpd/modules.conf
@@ -1100,7 +1144,7 @@ ListOptions                	"-l"

 DenyFilter			\*.*/

-# Use this to jail all users in their homes 
+# Use this to jail all users in their homes
 # DefaultRoot			~

 # Users require a valid shell listed in /etc/shells to login.
@@ -1174,7 +1218,7 @@ Ratios off

 # Delay engine reduces impact of the so-called Timing Attack described in
 # http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
-# It is on by default. 
+# It is on by default.
 <IfModule mod_delay.c>
 DelayEngine off
 </IfModule>
@@ -1200,7 +1244,7 @@ Include /etc/proftpd/sql.conf
 #
 # This is used for FTPS connections
 #
-#Include /etc/proftpd/tls.conf
+Include /etc/proftpd/tls.conf
 ]]>
 						</content>
 					</file>
@@ -1231,7 +1275,7 @@ LoadModule mod_sql.c
 #LoadModule mod_ldap.c

 #
-# 'SQLBackend mysql' or 'SQLBackend postgres' directives are required 
+# 'SQLBackend mysql' or 'SQLBackend postgres' directives are required
 # to have SQL authorization working. You can also comment out the
 # unused module here, in alternative.
 #
@@ -1307,6 +1351,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_
 SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
 SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies

+</IfModule>
+]]>
+						</content>
+					</file>
+					<file name="/etc/proftpd/tls.conf" chown="root:root" chmod="0644" backup="true">
+						<content><![CDATA[
+<IfModule mod_tls.c>
+TLSEngine                               on
+TLSLog                                  /var/log/proftpd/tls.log
+TLSProtocol                             TLSv1 TLSv1.1 TLSv1.2
+TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
+TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
+TLSECCertificateFile                    /etc/ssl/certs/proftpd_ec.crt
+TLSECCertificateKeyFile                 /etc/ssl/private/proftpd_ec.key
+TLSOptions                              NoCertRequest NoSessionReuseRequired
+TLSVerifyClient                         off
+
+# Are clients required to use FTP over TLS when talking to this server?
+#TLSRequired                             on
+
+# Allow SSL/TLS renegotiations when the client requests them, but
+# do not force the renegotations.  Some clients do not support
+# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
+# clients will close the data connection, or there will be a timeout
+# on an idle data connection.
+#
+#TLSRenegotiate                          required off
 </IfModule>
 ]]>
 						</content>
@@ -1416,7 +1487,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 #
 # Please check that all following paths are correct
 #
-*/5 * * * *	root	/usr/bin/nice -n 5 /usr/bin/php5 -q <BASE_PATH>scripts/froxlor_master_cronjob.php
+*/5 * * * *	root	/usr/bin/nice -n 5 /usr/bin/php -q <BASE_PATH>scripts/froxlor_master_cronjob.php
 ]]>
 						</content>
 					</file>
@@ -1499,7 +1570,7 @@ password	<SQL_UNPRIVILEGED_PASSWORD>
 					</file>
 					<file name="/etc/nsswitch.conf" backup="true">
 						<content><![CDATA[
-# Make sure that `passwd`, `group` and `shadow` have mysql in their lines 
+# Make sure that `passwd`, `group` and `shadow` have mysql in their lines
 # You should place mysql at the end, so that it is queried after the other mechanisams
 #
 passwd:         compat mysql
@@ -1564,7 +1635,7 @@ aliases:     files
 						<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
 						<command><![CDATA[a2dismod php5]]></command>
 					</commands>
-					<!-- instead of just restarting apache, we let the cronjob do all the 
+					<!-- instead of just restarting apache, we let the cronjob do all the
 						dirty work -->
 					<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
 				</daemon>
@@ -1602,7 +1673,7 @@ aliases:     files
 						</visibility>
 						<command><![CDATA[a2dismod php5]]></command>
 					</commands>
-					<!-- instead of just restarting apache, we let the cronjob do all the 
+					<!-- instead of just restarting apache, we let the cronjob do all the
 						dirty work -->
 					<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
 				</daemon>
--- a/lib/configfiles/wheezy.xml
+++ b/lib/configfiles/wheezy.xml
--- a/lib/cron_init.php
+++ b/lib/cron_init.php
@@ -177,8 +177,7 @@ if (((int)Settings::Get('system.mod_fcgid') == 1 && (int)Settings::Get('system.m
 $cronlog = FroxlorLogger::getInstanceOf(array('loginname' => 'cronjob'));
 fwrite($debugHandler, 'Logger has been included' . "\n");

-if (Settings::Get('panel.version') == null
-	|| Settings::Get('panel.version') != $version
+if (hasUpdates($version) || hasDbUpdates($dbversion)
 ) {
 	if (Settings::Get('system.cron_allowautoupdate') == null
 		|| Settings::Get('system.cron_allowautoupdate') == 0
@@ -190,7 +189,7 @@ if (Settings::Get('panel.version') == null
 		unlink($lockfile);
 		$errormessage = "Version of file doesn't match version of database. Exiting...\n\n";
 		$errormessage.= "Possible reason: Froxlor update\n";
-		$errormessage.= "Information: Current version in database: ".Settings::Get('panel.version')." - version of Froxlor files: ".$version."\n";
+		$errormessage.= "Information: Current version in database: ".Settings::Get('panel.version')." (DB: ".Settings::Get('panel.db_version').") - version of Froxlor files: ".$version." (DB: ".$dbversion.")\n";
 		$errormessage.= "Solution: Please visit your Foxlor admin interface for further information.\n";
 		dieWithMail($errormessage);
 	}
--- a/lib/formfields/admin/domains/formfield.domains_add.php
+++ b/lib/formfields/admin/domains/formfield.domains_add.php
@@ -73,6 +73,12 @@ return array(
 						'desc' => $lng['panel']['dateformat'],
 						'type' => 'text',
 						'size' => 10
+					),
+					'termination_date' => array(
+						'label' => $lng['domains']['termination_date'],
+						'desc' => $lng['panel']['dateformat'],
+						'type' => 'text',
+						'size' => 10
 					)
 				)
 			),
@@ -91,7 +97,7 @@ return array(
 						'desc' => $lng['domains']['ipandport_multi']['description'],
 						'type' => 'checkbox',
 						'values' => $ipsandports,
-						'value' => array(Settings::Get('system.defaultip')),
+						'value' => explode(',', Settings::Get('system.defaultip')),
 						'is_array' => 1,
 						'mandatory' => true
 					),
@@ -113,6 +119,16 @@ return array(
 						),
 						'value' => array()
 					),
+					'letsencrypt' => array(
+						'visible' => (Settings::Get('system.use_ssl') == '1' ? (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false) : false),
+						'label' => $lng['admin']['letsencrypt']['title'],
+						'desc' => $lng['admin']['letsencrypt']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array ('label' => $lng['panel']['yes'], 'value' => '1')
+						),
+						'value' => array()
+					),
 					'no_ssl_available_info' => array(
 						'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports == '' ? true : false) : false),
 						'label' => 'SSL',
--- a/lib/formfields/admin/domains/formfield.domains_edit.php
+++ b/lib/formfields/admin/domains/formfield.domains_edit.php
@@ -83,6 +83,13 @@ return array(
 						'type' => 'text',
 						'value' => $result['registration_date'],
 						'size' => 10
+					),
+                                        'termination_date' => array(
+						'label' => $lng['domains']['termination_date'],
+						'desc' => $lng['panel']['dateformat'],
+						'type' => 'text',
+						'value' => $result['termination_date'],
+						'size' => 10
 					)
 				)
 			),
@@ -117,13 +124,23 @@ return array(
 					'ssl_redirect' => array(
 						'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
 						'label' => $lng['domains']['ssl_redirect']['title'],
-						'desc' => $lng['domains']['ssl_redirect']['description'],
+						'desc' => $lng['domains']['ssl_redirect']['description'] . ($result['temporary_ssl_redirect'] > 1 ? $lng['domains']['ssl_redirect_temporarilydisabled'] : ''),
 						'type' => 'checkbox',
 						'values' => array(
 							array ('label' => $lng['panel']['yes'], 'value' => '1')
 						),
 						'value' => array($result['ssl_redirect'])
 					),
+					'letsencrypt' => array(
+						'visible' => (Settings::Get('system.use_ssl') == '1' ? (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false) : false),
+						'label' => $lng['admin']['letsencrypt']['title'],
+						'desc' => $lng['admin']['letsencrypt']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+							array ('label' => $lng['panel']['yes'], 'value' => '1')
+						),
+						'value' => array($result['letsencrypt'])
+					),
 					'no_ssl_available_info' => array(
 						'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports == '' ? true : false) : false),
 						'label' => 'SSL',
--- a/lib/formfields/admin/ipsandports/formfield.ipsandports_add.php
+++ b/lib/formfields/admin/ipsandports/formfield.ipsandports_add.php
@@ -40,6 +40,7 @@ return array(
 				'image' => 'icons/ipsports_add.png',
 				'fields' => array(
 					'listen_statement' => array(
+						'visible' => !$is_nginx,
 						'label' => $lng['admin']['ipsandports']['create_listen_statement'],
 						'type' => 'checkbox',
 						'values' => array(
@@ -48,6 +49,7 @@ return array(
 						'value' => array('1')
 					),
 					'namevirtualhost_statement' => array(
+						'visible' => $is_apache,
 						'label' => $lng['admin']['ipsandports']['create_namevirtualhost_statement'],
 						'type' => 'checkbox',
 						'values' => array(
@@ -77,6 +79,7 @@ return array(
 						'rows' => 12
 					),
 					'vhostcontainer_servername_statement' => array(
+						'visible' => $is_apache,
 						'label' => $lng['admin']['ipsandports']['create_vhostcontainer_servername_statement'],
 						'type' => 'checkbox',
 						'values' => array(
--- a/lib/formfields/admin/ipsandports/formfield.ipsandports_edit.php
+++ b/lib/formfields/admin/ipsandports/formfield.ipsandports_edit.php
@@ -42,6 +42,7 @@ return array(
 				'image' => 'icons/ipsports_edit.png',
 				'fields' => array(
 					'listen_statement' => array(
+						'visible' => !$is_nginx,
 						'label' => $lng['admin']['ipsandports']['create_listen_statement'],
 						'type' => 'checkbox',
 						'values' => array(
@@ -50,6 +51,7 @@ return array(
 						'value' => array($result['listen_statement'])
 					),
 					'namevirtualhost_statement' => array(
+						'visible' => $is_apache,
 						'label' => $lng['admin']['ipsandports']['create_namevirtualhost_statement'],
 						'type' => 'checkbox',
 						'values' => array(
@@ -81,6 +83,7 @@ return array(
 						'value' => $result['specialsettings']
 					),
 					'vhostcontainer_servername_statement' => array(
+						'visible' => $is_apache,
 						'label' => $lng['admin']['ipsandports']['create_vhostcontainer_servername_statement'],
 						'type' => 'checkbox',
 						'values' => array(
--- a/lib/formfields/customer/domains/formfield.domains_add.php
+++ b/lib/formfields/customer/domains/formfield.domains_add.php
@@ -60,6 +60,12 @@ return array(
 						'type' => 'select',
 						'select_var' => isset($redirectcode) ? $redirectcode : null
 					),
+					'selectserveralias' => array(
+						'label' => $lng['admin']['selectserveralias'],
+						'desc' => $lng['admin']['selectserveralias_desc'],
+						'type' => 'label',
+						'value' => $lng['customer']['selectserveralias_addinfo']
+					),
 					'ssl_redirect' => array(
 						'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
 						'label' => $lng['domains']['ssl_redirect']['title'],
@@ -70,6 +76,16 @@ return array(
 									),
 						'value' => array()
 					),
+					'letsencrypt' => array(
+						'visible' => (Settings::Get('system.use_ssl') == '1' ? (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false) : false),
+						'label' => $lng['customer']['letsencrypt']['title'],
+						'desc' => $lng['customer']['letsencrypt']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+										array ('label' => $lng['panel']['yes'], 'value' => '1')
+									),
+						'value' => array()
+					),
 					'openbasedir_path' => array(
 						'label' => $lng['domain']['openbasedirpath'],
 						'type' => 'select',
--- a/lib/formfields/customer/domains/formfield.domains_edit.php
+++ b/lib/formfields/customer/domains/formfield.domains_edit.php
@@ -61,7 +61,7 @@ return array(
 						'select_var' => $redirectcode
 					),
 					'selectserveralias' => array(
-						'visible' => (($result['parentdomainid'] == '0' && $userinfo['subdomains'] != '0') ? true : false),
+						'visible' => ((($result['parentdomainid'] == '0' && $userinfo['subdomains'] != '0') || $result['parentdomainid'] != '0') ? true : false),
 						'label' => $lng['admin']['selectserveralias'],
 						'desc' => $lng['admin']['selectserveralias_desc'],
 						'type' => 'select',
@@ -79,13 +79,23 @@ return array(
 					'ssl_redirect' => array(
 						'visible' => (Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? (domainHasSslIpPort($result['id']) ? true : false) : false) : false),
 						'label' => $lng['domains']['ssl_redirect']['title'],
-						'desc' => $lng['domains']['ssl_redirect']['description'],
+						'desc' => $lng['domains']['ssl_redirect']['description'] . ($result['temporary_ssl_redirect'] > 1 ? $lng['domains']['ssl_redirect_temporarilydisabled'] : ''),
 						'type' => 'checkbox',
 						'values' => array(
 										array ('label' => $lng['panel']['yes'], 'value' => '1')
 									),
 						'value' => array($result['ssl_redirect'])
 					),
+					'letsencrypt' => array(
+						'visible' => (Settings::Get('system.use_ssl') == '1' ? (Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? (domainHasSslIpPort($result['id']) ? true : false) : false) : false) : false),
+						'label' => $lng['customer']['letsencrypt']['title'],
+						'desc' => $lng['customer']['letsencrypt']['description'],
+						'type' => 'checkbox',
+						'values' => array(
+										array ('label' => $lng['panel']['yes'], 'value' => '1')
+									),
+						'value' => array($result['letsencrypt'])
+					),
 					'openbasedir_path' => array(
 						'visible' => ($result['openbasedir'] == '1') ? true : false,
 						'label' => $lng['domain']['openbasedirpath'],
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -42,11 +42,6 @@ function includeFunctions($dirname)
 	closedir($dirhandle);
 }

-function exportDetails($fielddata, $newfieldvalue)
-{
-	print_r($newfieldvalue);
-}
-
 Autoloader::init();

 /**
--- a/lib/functions/filedir/function.makeSecurePath.php
+++ b/lib/functions/filedir/function.makeSecurePath.php
@@ -26,15 +26,21 @@
 */
 function makeSecurePath($path) {

+	// check for bad characters, some are allowed with escaping
+	// but we generally don't want them in our directory-names,
+	// thx to aaronmueller for this snipped
+	$badchars = array(':', ';', '|', '&', '>', '<', '`', '$', '~', '?', "\0");
+	foreach ($badchars as $bc) {
+		$path = str_replace($bc, "", $path);
+	}
+
 	$search = array(
 		'#/+#',
-		'#\.+#',
-		'#\0+#'
+		'#\.+#'
 	);
 	$replace = array(
 		'/',
-		'.',
-		''
+		'.'
 	);
 	$path = preg_replace($search, $replace, $path);
 	// don't just replace a space with an escaped space
@@ -42,13 +48,5 @@ function makeSecurePath($path) {
 	$path = str_replace("\ ", " ", $path);
 	$path = str_replace(" ", "\ ", $path);

-	// check for bad characters, some are allowed with escaping
-	// but we generally don't want them in our directory-names,
-	// thx to aaronmueller for this snipped
-	$badchars = array(':', ';', '|', '&', '>', '<', '`', '$', '~', '?');
-	foreach ($badchars as $bc) {
-		str_replace($bc, "", $path);
-	}
-
 	return $path;
 }
--- a/lib/functions/formfields/string/function.validateFormFieldString.php
+++ b/lib/functions/formfields/string/function.validateFormFieldString.php
@@ -116,6 +116,17 @@ function validateFormFieldString($fieldname, $fielddata, $newfieldvalue)
 		        $returnvalue = ($newfieldvalue !== false ? true : 'invalidip');
 		    }
 		}
+                elseif (isset($fielddata['string_type']) && $fielddata['string_type'] == 'validate_ip_incl_private') {
+                    // check for empty value (it might be allowed)
+                    if (trim($newfieldvalue) == '') {
+                        $newfieldvalue = '';
+                        $returnvalue = 'stringmustntbeempty';
+                    } else {
+                        $newfieldvalue = validate_ip2($newfieldvalue, true, true, true);
+                        $returnvalue = ($newfieldvalue !== false ? true : 'invalidip');
+                    }
+                }
+
 		elseif (preg_match('/^[^\r\n\t\f\0]*$/D', $newfieldvalue)) {
 			$returnvalue = true;
 		}
--- a/lib/functions/formfields/text/function.getFormFieldDataText.php
+++ b/lib/functions/formfields/text/function.getFormFieldDataText.php
@@ -0,0 +1,26 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2010 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Daniel Reichelt <hacking@nachtgeist.net> (2016-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Functions
+ *
+ */
+
+function getFormFieldDataText($fieldname, $fielddata, &$input) {
+	if(isset($input[$fieldname])) {
+		$newfieldvalue = str_replace("\r\n", "\n", $input[$fieldname]);
+	} else {
+		$newfieldvalue = $fielddata['default'];
+	}
+
+	return $newfieldvalue;
+}
--- a/lib/functions/froxlor/function.checkMailAccDeletionState.php
+++ b/lib/functions/froxlor/function.checkMailAccDeletionState.php
@@ -0,0 +1,43 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2016 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Froxlor team <team@froxlor.org> (2010-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Functions
+ *
+ */
+
+/**
+ * check whether an email account is to be deleted
+ * reference: #1519
+ *
+ * @return bool true if the domain is to be deleted, false otherwise
+ *        
+ */
+function checkMailAccDeletionState($email_addr = null)
+{
+	// example data of task 7: a:2:{s:9:"loginname";s:4:"webX";s:5:"email";s:20:"deleteme@example.tld";}
+	
+	// check for task
+	$result_tasks_stmt = Database::prepare("
+		SELECT * FROM `" . TABLE_PANEL_TASKS . "` WHERE `type` = '7' AND `data` LIKE :emailaddr
+	");
+	Database::pexecute($result_tasks_stmt, array(
+		'emailaddr' => "%" . $email_addr . "%"
+	));
+	$num_results = Database::num_rows();
+	
+	// is there a task for deleting this email account?
+	if ($num_results > 0) {
+		return true;
+	}
+	return false;
+}
--- a/lib/functions/froxlor/function.phpErrHandler.php
+++ b/lib/functions/froxlor/function.phpErrHandler.php
@@ -11,7 +11,7 @@
 *
 * @return void|boolean
 */
-function phpErrHandler($errno, $errstr, $errfile, $errline, array $errcontext) {
+function phpErrHandler($errno, $errstr, $errfile, $errline, $errcontext) {

 	if (!(error_reporting() & $errno)) {
 		// This error code is not included in error_reporting
--- a/lib/functions/froxlor/function.updateFunctions.php
+++ b/lib/functions/froxlor/function.updateFunctions.php
@@ -188,3 +188,65 @@ function validateUpdateLogFile($filename) {
 	}
 	return '/tmp/froxlor_update.log';
 }
+
+/**
+ * Function isDatabaseVersion
+ *
+ * checks if a given database-version is the current one
+ *
+ * @param int $to_check version to check
+ *
+ * @return bool true if version to check matches, else false
+ */
+function isDatabaseVersion($to_check = null) {
+
+    if (Settings::Get('panel.frontend') == 'froxlor'
+        && Settings::Get('panel.db_version') == $to_check
+        ) {
+            return true;
+        }
+        return false;
+}
+
+/**
+ * Function hasUpdates
+ *
+ * checks if a given database-version is not equal the current one
+ *
+ * @param int $to_check version to check
+ *
+ * @return bool true if version to check does not match, else false
+ */
+function hasDbUpdates($to_check = null) {
+
+    if (Settings::Get('panel.db_version') == null
+        || Settings::Get('panel.db_version') != $to_check
+        ) {
+            return true;
+        }
+        return false;
+}
+
+/**
+ * Function updateToDbVersion
+ *
+ * updates the panel.version field
+ * to the given value (no checks here!)
+ *
+ * @param string $new_version new-version
+ *
+ * @return bool true on success, else false
+ */
+function updateToDbVersion($new_version = null) {
+
+    if ($new_version !== null && $new_version != '') {
+        $upd_stmt = Database::prepare("
+				UPDATE `".TABLE_PANEL_SETTINGS."` SET `value` = :newversion
+				WHERE `settinggroup` = 'panel' AND `varname` = 'db_version'"
+            );
+        Database::pexecute($upd_stmt, array('newversion' => $new_version));
+        Settings::Set('panel.db_version', $new_version);
+        return true;
+    }
+    return false;
+}
--- a/lib/functions/logger/function.getLogLevelDesc.php
+++ b/lib/functions/logger/function.getLogLevelDesc.php
@@ -0,0 +1,44 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2010 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Michael Kaufmann <mkaufmann@nutime.de>
+ * @author     Daniel Reichelt <hacking@nachtgeist.net> (2016-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Functions
+ *
+ */
+
+function getLogLevelDesc($type) {
+	switch($type) {
+		case LOG_INFO:
+			$_type = 'information';
+			break;
+		case LOG_NOTICE:
+			$_type = 'notice';
+			break;
+		case LOG_WARNING:
+			$_type = 'warning';
+			break;
+		case LOG_ERR:
+			$_type = 'error';
+			break;
+		case LOG_CRIT:
+			$_type = 'critical';
+			break;
+		case LOG_DEBUG:
+			$_type = 'debug';
+			break;
+		default:
+			$_type = 'unknown';
+			break;
+	}
+	return $_type;
+}
--- a/lib/functions/settings/function.storeSettingDefaultIp.php
+++ b/lib/functions/settings/function.storeSettingDefaultIp.php
@@ -17,6 +17,7 @@
 *
 */
 function storeSettingDefaultIp($fieldname, $fielddata, $newfieldvalue) {
+	$defaultips_old = Settings::Get('system.defaultip');

 	$returnvalue = storeSettingField($fieldname, $fielddata, $newfieldvalue);

@@ -40,13 +41,27 @@ function storeSettingDefaultIp($fieldname, $fielddata, $newfieldvalue) {
 		}

 		if (count($ids) > 0) {
-			$upd_stmt = Database::prepare("
-				UPDATE `" . TABLE_DOMAINTOIP . "` SET
-				`id_ipandports` = :newval
-				WHERE `id_domain` IN ('" . implode(', ', $ids) . "')
-				AND `id_ipandports` = :defaultip
+			$defaultips_new = explode(',', $newfieldvalue);
+
+			// Delete the existing mappings linking to default IPs
+			$del_stmt = Database::prepare("
+					DELETE FROM `" . TABLE_DOMAINTOIP . "`
+					WHERE `id_domain` IN (" . implode(', ', $ids) . ")
+					AND `id_ipandports` IN (" . $defaultips_old . ", " . $newfieldvalue . ")
 			");
-			Database::pexecute($upd_stmt, array('newval' => $newfieldvalue, 'defaultip' => Settings::Get('system.defaultip')));
+			Database::pexecute($del_stmt);
+
+			// Insert the new mappings
+			$ins_stmt = Database::prepare("
+				INSERT INTO `" . TABLE_DOMAINTOIP . "`
+				SET `id_domain` = :domainid, `id_ipandports` = :ipandportid
+			");
+
+			foreach ($ids as $id) {
+				foreach ($defaultips_new as $defaultip_new) {
+					Database::pexecute($ins_stmt, array('domainid' => $id, 'ipandportid' => $defaultip_new));
+				}
+			}
 		}
 	}

--- a/lib/functions/system/function.randomStr.php
+++ b/lib/functions/system/function.randomStr.php
@@ -0,0 +1,44 @@
+<?php
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2010 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Froxlor team <team@froxlor.org> (2016-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Functions
+ *
+ */
+
+/**
+ * Function randomStr
+ *
+ * generate a pseudo-random string of bytes
+ *
+ * @param int $length            
+ *
+ * @return string
+ */
+function randomStr($length)
+{
+    if (version_compare(PHP_VERSION, '7.0.0') >= 0) {
+        return random_bytes($length);
+    } elseif (function_exists('openssl_random_pseudo_bytes')) {
+        return openssl_random_pseudo_bytes($length);
+    } else {
+        $pr_bits = '';
+        $fp = @fopen('/dev/urandom', 'rb');
+        if ($fp !== false) {
+            $pr_bits .= @fread($fp, $length);
+            @fclose($fp);
+        } else {
+            $pr_bits = substr(rand(time(), getrandmax()).rand(time(), getrandmax()), 0, $length);
+        }
+        return $pr_bits;
+    }
+}
--- a/lib/functions/validate/function.appendOpenbasedirPath.php
+++ b/lib/functions/validate/function.appendOpenbasedirPath.php
@@ -19,42 +19,42 @@
 * checks give path for security issues
 * and returns a string that can be appended
 * to a line for a open_basedir directive
- * 
- * @param string  $path  the path to check and append
- * @param boolean $first if true, no ':' will be prefixed to the path
- * 
+ *
+ * @param string $path
+ *            the path to check and append
+ * @param boolean $first
+ *            if true, no ':' will be prefixed to the path
+ *            
 * @return string
 */
-function appendOpenBasedirPath($path = '', $first = false) {
-
-	$path = makeCorrectDir($path);
-
-	// check for php-version that requires the trailing
-	// slash to be removed as it does not allow the usage
-	// of the subfolders within the given folder, fixes #797
-	if ((PHP_MINOR_VERSION == 2 && PHP_VERSION_ID >= 50216)
-		|| PHP_VERSION_ID >= 50304
-	) {
-		// check trailing slash
-		if (substr($path, -1, 1) == '/') {
-			// remove it
-			$path = substr($path, 0, -1);
-		}
-	}
-
-	if($path != ''
-		&& $path != '/'
-		&& (!preg_match("#^/dev#i", $path) || preg_match("#^/dev/urandom#i", $path))
-		&& !preg_match("#^/proc#i", $path)
-		&& !preg_match("#^/etc#i", $path)
-		&& !preg_match("#^/sys#i", $path)
-		&& !preg_match("#:#", $path)
-	) {
-		if ($first) {
-			return $path;
-		}
-
-		return ':' . $path;
-	}
-	return '';
+function appendOpenBasedirPath($path = '', $first = false)
+{
+    if ($path != '' && $path != '/'
+        && (! preg_match("#^/dev#i", $path) || preg_match("#^/dev/urandom#i", $path))
+        && ! preg_match("#^/proc#i", $path)
+        && ! preg_match("#^/etc#i", $path)
+        && ! preg_match("#^/sys#i", $path)
+        && ! preg_match("#:#", $path)
+    ) {
+        
+        $path = makeCorrectDir($path);
+        
+        // check for php-version that requires the trailing
+        // slash to be removed as it does not allow the usage
+        // of the subfolders within the given folder, fixes #797
+        if ((PHP_MINOR_VERSION == 2 && PHP_VERSION_ID >= 50216) || PHP_VERSION_ID >= 50304) {
+            // check trailing slash
+            if (substr($path, - 1, 1) == '/') {
+                // remove it
+                $path = substr($path, 0, - 1);
+            }
+        }
+        
+        if ($first) {
+            return $path;
+        }
+        
+        return ':' . $path;
+    }
+    return '';
 }
--- a/lib/init.php
+++ b/lib/init.php
@@ -275,7 +275,7 @@ foreach ($langs as $key => $value) {
 	$languages[$key] = $key;
 }

-// set default langauge before anything else to
+// set default language before anything else to
 // ensure that we can display messages
 $language = Settings::Get('panel.standardlanguage');

@@ -408,7 +408,7 @@ if (isset($userinfo['loginname'])
 */
 $navigation = "";
 if (AREA == 'admin' || AREA == 'customer') {
-	if (hasUpdates($version)) {
+	if (hasUpdates($version) || hasDbUpdates($dbversion)) {
 		/*
 		 * if froxlor-files have been updated
 		 * but not yet configured by the admin
--- a/lib/navigation/00.froxlor.main.php
+++ b/lib/navigation/00.froxlor.main.php
@@ -124,6 +124,11 @@ return array (
 					'url' => 'customer_extras.php?page=htaccess',
 					'label' => $lng['menue']['extras']['pathoptions'],
 				),
+			    array (
+			        'url' => 'customer_logger.php?page=log',
+			        'label' => $lng['menue']['logger']['logger'],
+			        'show_element' => ( Settings::Get('logger.enabled') == true )
+			    ),
 			),
 		),
 		'traffic' => array (
@@ -173,16 +178,26 @@ return array (
 					'label' => $lng['admin']['customers'],
 					'required_resources' => 'customers',
 				),
-				array (
-					'url' => 'admin_domains.php?page=domains',
-					'label' => $lng['admin']['domains'],
-					'required_resources' => 'domains',
-				),
 				array (
 					'url' => 'admin_admins.php?page=admins',
 					'label' => $lng['admin']['admins'],
 					'required_resources' => 'change_serversettings',
 				),
+			    array (
+			        'url' => 'admin_domains.php?page=domains',
+			        'label' => $lng['admin']['domains'],
+			        'required_resources' => 'domains',
+			    ),
+			    array (
+			        'url' => 'admin_ipsandports.php?page=ipsandports',
+			        'label' => $lng['admin']['ipsandports']['ipsandports'],
+			        'required_resources' => 'change_serversettings',
+			    ),
+			    array (
+			        'url' => 'admin_settings.php?page=updatecounters',
+			        'label' => $lng['admin']['updatecounters'],
+			        'required_resources' => 'change_serversettings',
+			    ),
 			),
 		),
 		'traffic' => array (
@@ -210,67 +225,76 @@ return array (
 					'label' => $lng['admin']['serversettings'],
 					'required_resources' => 'change_serversettings',
 				),
-				array (
-					'url' => 'admin_settings.php?page=phpinfo',
-					'label' => $lng['admin']['phpinfo'],
-					'required_resources' => 'change_serversettings',
-				),
-				array (
-					'url' => 'admin_apcuinfo.php?page=showinfo',
-					'label' => $lng['admin']['apcuinfo'],
-					'required_resources' => 'change_serversettings',
-					'show_element' => (
-						function_exists('apcu_cache_info') === true
-					),
-				),
-				array (
-					'url' => 'admin_ipsandports.php?page=ipsandports',
-					'label' => $lng['admin']['ipsandports']['ipsandports'],
-					'required_resources' => 'change_serversettings',
-				),
 				array (
 					'url' => 'admin_cronjobs.php?page=overview',
 					'label' => $lng['admin']['cron']['cronsettings'],
 					'required_resources' => 'change_serversettings',
 				),
+			    array (
+			        'url' => 'admin_logger.php?page=log',
+			        'label' => $lng['menue']['logger']['logger'],
+			        'required_resources' => 'change_serversettings',
+			        'show_element' => ( Settings::Get('logger.enabled') == true ),
+			    ),
 				array (
 					'url' => 'admin_settings.php?page=rebuildconfigs',
 					'label' => $lng['admin']['rebuildconf'],
 					'required_resources' => 'change_serversettings',
 				),
-				array (
-					'url' => 'admin_settings.php?page=updatecounters',
-					'label' => $lng['admin']['updatecounters'],
-					'required_resources' => 'change_serversettings',
-				),
-				array (
-					'url' => 'admin_settings.php?page=integritycheck',
-					'label' => $lng['admin']['integritycheck'],
-					'required_resources' => 'change_serversettings',
-				),
-				array (
-					'url' => 'admin_phpsettings.php?page=overview',
-					'label' => $lng['menue']['phpsettings']['maintitle'],
-					'show_element' => (
-						Settings::Get('system.mod_fcgid') == true ||
-						Settings::Get('phpfpm.enabled') == true
-					),
-				),
+			    array (
+			        'url' => 'admin_autoupdate.php?page=overview',
+			        'label' => $lng['admin']['autoupdate'],
+			        'required_resources' => 'change_serversettings',
+			    ),
 			),
 		),
+	    'server_php' => array (
+	        'label' => $lng['admin']['server_php'],
+	        'required_resources' => 'change_serversettings',
+	        'elements' => array (
+	            array (
+	                'url' => 'admin_phpsettings.php?page=overview',
+	                'label' => $lng['menue']['phpsettings']['maintitle'],
+	                'show_element' => (
+	                    Settings::Get('system.mod_fcgid') == true ||
+	                    Settings::Get('phpfpm.enabled') == true
+	                ),
+	            ),
+	            array (
+	                'url' => 'admin_settings.php?page=phpinfo',
+	                'label' => $lng['admin']['phpinfo'],
+	                'required_resources' => 'change_serversettings',
+	            ),
+	            array (
+	                'url' => 'admin_apcuinfo.php?page=showinfo',
+	                'label' => $lng['admin']['apcuinfo'],
+	                'required_resources' => 'change_serversettings',
+	                'show_element' => (
+	                    function_exists('apcu_cache_info') === true
+	                ),
+	            ),
+	            array (
+	                'url' => 'admin_opcacheinfo.php?page=showinfo',
+	                'label' => $lng['admin']['opcacheinfo'],
+	                'required_resources' => 'change_serversettings',
+	                'show_element' => (
+	                    function_exists('opcache_get_configuration') === true
+	                ),
+	            ),
+	        ),
+	    ),
 		'misc' => array (
 			'label' => $lng['admin']['misc'],
 			'elements' => array (
-				array (
-					'url' => 'admin_templates.php?page=email',
-					'label' => $lng['admin']['templates']['email'],
-				),
-				array (
-					'url' => 'admin_logger.php?page=log',
-					'label' => $lng['menue']['logger']['logger'],
-					'required_resources' => 'change_serversettings',
-					'show_element' => ( Settings::Get('logger.enabled') == true ),
-				),
+			    array (
+			        'url' => 'admin_settings.php?page=integritycheck',
+			        'label' => $lng['admin']['integritycheck'],
+			        'required_resources' => 'change_serversettings',
+			    ),
+			    array (
+			        'url' => 'admin_templates.php?page=email',
+			        'label' => $lng['admin']['templates']['email'],
+			    ),
 				array (
 					'url' => 'admin_message.php?page=message',
 					'label' => $lng['admin']['message'],
--- a/lib/version.inc.php
+++ b/lib/version.inc.php
@@ -16,10 +16,10 @@
 */

 // Main version variable
-$version = '0.9.34.2';
+$version = '0.9.35.1';

-// Database version (unused, old stuff from SysCP)
-$dbversion = '2';
+// Database version (YYYYMMDDC where C is a daily counter)
+$dbversion = '201603150';

 // Distribution branding-tag (used for Debian etc.)
 $branding = '';
--- a/lng/dutch.lng.php
+++ b/lng/dutch.lng.php
@@ -259,7 +259,6 @@ $lng['admin']['admin_edit'] = 'Bewerk beheerder';
 $lng['admin']['customers_see_all'] = 'Kan alle klanten zien?';
 $lng['admin']['domains_see_all'] = 'Kan alle domeinen zien?';
 $lng['admin']['change_serversettings'] = 'Kan server instellingen aanpassen?';
-$lng['admin']['server'] = 'Server';
 $lng['admin']['serversettings'] = 'Instellingen';
 $lng['admin']['rebuildconf'] = 'Configuratie bestanden opnieuw aanmaken';
 $lng['admin']['stdsubdomain'] = 'Standaard subdomein';
@@ -689,10 +688,12 @@ $lng['serversettings']['logger']['types']['title'] = 'Log-type(s)';
 $lng['serversettings']['logger']['types']['description'] = 'Om meerdere types te selecteren, houd u CTRL ingedrukt terwijl u selecteert.<br />Beschikbare types zijn: syslog, bestand, mysql';
 $lng['serversettings']['logger']['logfile'] = 'Pad naar logfile, inclusief bestandsnaam';
 $lng['error']['logerror'] = 'Log-Fout: %s';
-$lng['serversettings']['logger']['logcron'] = 'Cronjobs loggen (eenmalig)';
+$lng['serversettings']['logger']['logcron'] = 'Cronjobs loggen';
+$lng['serversettings']['logger']['logcronoption']['never'] = 'Nooit';
+$lng['serversettings']['logger']['logcronoption']['once'] = 'Eeenmalig';
+$lng['serversettings']['logger']['logcronoption']['always'] = 'Altijd';
 $lng['question']['logger_reallytruncate'] = 'Weet u zeker dat u de tabel "%s" wilt legen?';
 $lng['admin']['loggersystem'] = 'Systeemlog';
-$lng['menue']['logger']['logger'] = 'Systeemlog';
 $lng['logger']['date'] = 'Datum';
 $lng['logger']['type'] = 'Type';
 $lng['logger']['action'] = 'Actie';
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -289,7 +289,7 @@ $lng['admin']['admin_edit'] = 'Edit admin';
 $lng['admin']['customers_see_all'] = 'Can see all customers?';
 $lng['admin']['domains_see_all'] = 'Can see all domains?';
 $lng['admin']['change_serversettings'] = 'Can change server settings?';
-$lng['admin']['server'] = 'Server';
+$lng['admin']['server'] = 'System';
 $lng['admin']['serversettings'] = 'Settings';
 $lng['admin']['rebuildconf'] = 'Rebuild config files';
 $lng['admin']['stdsubdomain'] = 'Standard subdomain';
@@ -336,7 +336,7 @@ $lng['serversettings']['documentroot_prefix']['description'] = 'Where should all
 $lng['serversettings']['logfiles_directory']['title'] = 'Logfiles directory';
 $lng['serversettings']['logfiles_directory']['description'] = 'Where should all log files be stored?';
 $lng['serversettings']['ipaddress']['title'] = 'IP-address';
-$lng['serversettings']['ipaddress']['description'] = 'What\'s the IP-address of this server?';
+$lng['serversettings']['ipaddress']['description'] = 'What\'s the main IP-address of this server?';
 $lng['serversettings']['hostname']['title'] = 'Hostname';
 $lng['serversettings']['hostname']['description'] = 'What\'s the Hostname of this server?';
 $lng['serversettings']['apachereload_command']['title'] = 'Webserver reload command';
@@ -435,7 +435,7 @@ $lng['error']['webmailiswrong'] = 'The webmail-link is not a valid link.';
 $lng['error']['webftpiswrong'] = 'The WebFTP-link is not a valid link.';
 $lng['domains']['hasaliasdomains'] = 'Has alias domain(s)';
 $lng['serversettings']['defaultip']['title'] = 'Default IP/Port';
-$lng['serversettings']['defaultip']['description'] = 'What\'s the default IP/Port combination?';
+$lng['serversettings']['defaultip']['description'] = 'Select all IP-addresses you want to use as default for new domains';
 $lng['domains']['statstics'] = 'Usage Statistics';
 $lng['panel']['ascending'] = 'ascending';
 $lng['panel']['decending'] = 'decending';
@@ -738,10 +738,12 @@ $lng['serversettings']['logger']['types']['title'] = 'Log-type(s)';
 $lng['serversettings']['logger']['types']['description'] = 'Specify logtypes. To select multiple types, hold down CTRL while selecting.<br />Available logtypes are: syslog, file, mysql';
 $lng['serversettings']['logger']['logfile'] = 'Logfile path including filename';
 $lng['error']['logerror'] = 'Log-Error: %s';
-$lng['serversettings']['logger']['logcron'] = 'Log cronjobs (one run)';
+$lng['serversettings']['logger']['logcron'] = 'Log cronjobs';
+$lng['serversettings']['logger']['logcronoption']['never'] = 'Never';
+$lng['serversettings']['logger']['logcronoption']['once'] = 'Once';
+$lng['serversettings']['logger']['logcronoption']['always'] = 'Always';
 $lng['question']['logger_reallytruncate'] = 'Do you really want to truncate the table "%s"?';
-$lng['admin']['loggersystem'] = 'System-logging';
-$lng['menue']['logger']['logger'] = 'System-logging';
+$lng['admin']['loggersystem'] = 'System log';
 $lng['logger']['date'] = 'Date';
 $lng['logger']['type'] = 'Type';
 $lng['logger']['action'] = 'Action';
@@ -950,6 +952,7 @@ $lng['admin']['phpconfig']['admin_email'] = 'Will be replaced with e-mail addres
 $lng['admin']['phpconfig']['domain'] = 'Will be replaced with the domain.';
 $lng['admin']['phpconfig']['customer'] = 'Will be replaced with the loginname of the customer who owns this domain.';
 $lng['admin']['phpconfig']['admin'] = 'Will be replaced with the loginname of the admin who owns this domain.';
+$lng['admin']['phpconfig']['docroot'] = 'Will be replaces with the customer\'s document-root.';
 $lng['login']['backtologin'] = 'Back to login';
 $lng['serversettings']['mod_fcgid']['starter']['title'] = 'Processes per domain';
 $lng['serversettings']['mod_fcgid']['starter']['description'] = 'How many processes should be started/allowed per domain? The value 0 is recommended cause PHP will then manage the amount of processes itself very efficiently.';
@@ -1170,7 +1173,7 @@ $lng['serversettings']['ftpserver']['desc'] = 'If pureftpd is selected the .ftpq
 $lng['mails']['new_ftpaccount_by_customer']['subject'] = 'New ftp-user created';
 $lng['mails']['new_ftpaccount_by_customer']['mailbody'] = "Hello {CUST_NAME},\n\nyou have just added a new ftp-user. Here is the entered information:\n\nUsername: {USR_NAME}\nPassword: {USR_PASS}\nPath: {USR_PATH}\n\nYours sincerely, your administrator";
 $lng['domains']['redirectifpathisurl'] = 'Redirect code (default: empty)';
-$lng['domains']['redirectifpathisurlinfo'] = 'You only need to select one of these if you entered an URL as path';
+$lng['domains']['redirectifpathisurlinfo'] = 'You only need to select one of these if you entered an URL as path<br/><strong class="red">NOTE:</strong>Changes are only applied if the given path is an URL.';
 $lng['serversettings']['customredirect_enabled']['title'] = 'Allow customer redirects';
 $lng['serversettings']['customredirect_enabled']['description'] = 'Allow customers to choose the http-status code for redirects which will be used';
 $lng['serversettings']['customredirect_default']['title'] = 'Default redirect';
@@ -1759,7 +1762,9 @@ $lng['admin']['templates']['SERVER_HOSTNAME'] = 'Replaces the system-hostname (U
 $lng['admin']['templates']['SERVER_IP'] = 'Replaces the default server ip-address';
 $lng['admin']['templates']['SERVER_PORT'] = 'Replaces the default server port';
 $lng['admin']['templates']['DOMAINNAME'] = 'Replaces the customers standard-subdomain (can be empty if none is generated)';
-$lng['admin']['show_news_feed'] = 'Show news-feed on admin-dashboard';
+$lng['admin']['show_news_feed']['title'] = 'Show news-feed on admin-dashboard';
+$lng['admin']['show_news_feed']['description'] = 'Enable this to show the official froxlor newsfeed (https://inside.froxlor.org/news/) on your dashboard and never miss important information or release-announcements.';
+$lng['panel']['newsfeed_disabled'] = 'The newsfeed is disabled. Click the edit icon to go to the settings.';

 // Added in Froxlor 0.9.32
 $lng['logger']['reseller'] = "Reseller";
@@ -1801,8 +1806,9 @@ $lng['serversettings']['system_cron_allowautoupdate']['description'] = '<div cla
 $lng['error']['passwordshouldnotbeusername'] = 'The password should not be the same as the username.';

 // Added in Froxlor 0.9.33
-$lng['admin']['customer_show_news_feed'] = "Show custom newsfeed on customer-dashboard";
-$lng['admin']['customer_news_feed_url'] = "RSS-Feed for the custom newsfeed";
+$lng['admin']['customer_show_news_feed'] = "Show newsfeed on customer-dashboard";
+$lng['admin']['customer_news_feed_url']['title'] = "Use custom RSS-feed";
+$lng['admin']['customer_news_feed_url']['description'] = "Specify a custom RSS-feed that will be shown to your customers on their dashboard.<br /><small>Leave this empty to use the official froxlor newsfeed (https://inside.froxlor.org/news/).</small>";
 $lng['serversettings']['dns_createhostnameentry'] = "Create bind-zone/config for system hostname";
 $lng['serversettings']['panel_password_alpha_lower']['title'] = 'Lowercase character';
 $lng['serversettings']['panel_password_alpha_lower']['description'] = 'Password must contain at least one lowercase letter (a-z).';
@@ -1833,8 +1839,6 @@ $lng['domains']['import_description'] = 'Detailed information about the structur
 $lng['usersettings']['custom_notes']['title'] = 'Custom notes';
 $lng['usersettings']['custom_notes']['description'] = 'Feel free to put any notes you want/need in here. They will show up in the admin/customer overview for the corresponding user.';
 $lng['usersettings']['custom_notes']['show'] = 'Show your notes on the dashboard of the user';
-$lng['serversettings']['system_send_cron_errors']['title'] = 'Send cron-errors to froxlor-admin via e-mail';
-$lng['serversettings']['system_send_cron_errors']['description'] = 'Choose whether you want to receive an e-mail on cronjob errors. Keep in mind that this can lead to an e-mail being sent every 5 minutes depending on the error and your cronjob settings.';
 $lng['error']['fcgidandphpfpmnogoodtogether'] = 'FCGID and PHP-FPM cannot be activated at the same time';

 // Added in Froxlor 0.9.34
@@ -1848,6 +1852,7 @@ $lng['integrity_check']['DomainIpTable'] = 'IP &lt;&dash;&gt; domain references'
 $lng['integrity_check']['SubdomainSslRedirect'] = 'False SSL-redirect flag for non-ssl domains';
 $lng['integrity_check']['FroxlorLocalGroupMemberForFcgidPhpFpm'] = 'froxlor-user in the customer groups (for FCGID/php-fpm)';
 $lng['integrity_check']['WebserverGroupMemberForFcgidPhpFpm'] = 'Webserver-user in the customer groups (for FCGID/php-fpm)';
+$lng['integrity_check']['SubdomainLetsencrypt'] = 'Main domains with no SSL-Port assigned don\'t have any subdomains with active SSL redirect';
 $lng['admin']['specialsettings_replacements'] = "You can use the following variables:<br/><code>{DOMAIN}</code>, <code>{DOCROOT}</code>, <code>{CUSTOMER}</code>, <code>{IP}</code>, <code>{PORT}</code>, <code>{SCHEME}</code><br/>";
 $lng['serversettings']['default_vhostconf']['description'] = 'The content of this field will be included into this ip/port vHost container directly. '.$lng['admin']['specialsettings_replacements'].' Attention: The code won\'t be checked for any errors. If it contains errors, webserver might not start again!';
 $lng['serversettings']['default_vhostconf_domain']['description'] = 'The content of this field will be included into the domain vHost container directly. '.$lng['admin']['specialsettings_replacements'].' Attention: The code won\'t be checked for any errors. If it contains errors, webserver might not start again!';
@@ -1883,3 +1888,90 @@ $lng['apcuinfo']['used'] = 'Used';
 $lng['apcuinfo']['hitmiss'] = 'Hits & Misses';
 $lng['apcuinfo']['detailmem'] = 'Detailed Memory Usage and Fragmentation';
 $lng['apcuinfo']['fragment'] = 'Fragmentation';
+
+// Added for opcache info
+$lng['admin']['opcacheinfo'] = 'OPcache Info';
+$lng['error']['no_opcacheinfo'] = 'No cache info available. OPCache does not appear to be running.';
+$lng['opcacheinfo']['generaltitle'] = 'General Information';
+$lng['opcacheinfo']['resetcache'] = 'Reset OPcache';
+$lng['opcacheinfo']['version'] = 'OPCache version';
+$lng['opcacheinfo']['phpversion'] = 'PHP version';
+$lng['opcacheinfo']['runtimeconf'] = 'Runtime Configuration';
+$lng['opcacheinfo']['start'] = 'Start time';
+$lng['opcacheinfo']['lastreset'] = 'Last restart';
+$lng['opcacheinfo']['oomrestarts'] = 'OOM restart count';
+$lng['opcacheinfo']['hashrestarts'] = 'Hash restart count';
+$lng['opcacheinfo']['manualrestarts'] = 'Manual restart count';
+$lng['opcacheinfo']['hitsc'] = 'Hits count';
+$lng['opcacheinfo']['missc'] = 'Miss count';
+$lng['opcacheinfo']['blmissc'] = 'Blacklist miss count';
+$lng['opcacheinfo']['status'] = 'Status';
+$lng['opcacheinfo']['never'] = 'never';
+$lng['opcacheinfo']['enabled'] = 'OPcache Enabled';
+$lng['opcacheinfo']['cachefull'] = 'Cache full';
+$lng['opcacheinfo']['restartpending'] = 'Pending restart';
+$lng['opcacheinfo']['restartinprogress'] = 'Restart in progress';
+$lng['opcacheinfo']['cachedscripts'] = 'Cached scripts count';
+$lng['opcacheinfo']['memusage'] = 'Memory usage';
+$lng['opcacheinfo']['totalmem'] = 'Total memory';
+$lng['opcacheinfo']['usedmem'] = 'Used memory';
+$lng['opcacheinfo']['freemem'] = 'Free memory';
+$lng['opcacheinfo']['wastedmem'] = 'Wasted memory';
+$lng['opcacheinfo']['maxkey'] = 'Maximum keys';
+$lng['opcacheinfo']['usedkey'] = 'Used keys';
+$lng['opcacheinfo']['wastedkey'] = 'Wasted keys';
+$lng['opcacheinfo']['strinterning'] = 'String interning';
+$lng['opcacheinfo']['strcount'] = 'String count';
+$lng['opcacheinfo']['keystat'] = 'Cached keys statistic';
+$lng['opcacheinfo']['used'] = 'Used';
+$lng['opcacheinfo']['free'] = 'Free';
+$lng['opcacheinfo']['blacklist'] = 'Blacklist';
+$lng['opcacheinfo']['novalue'] = '<i>no value</i>';
+$lng['opcacheinfo']['true'] = '<i>true</i>';
+$lng['opcacheinfo']['false'] = '<i>false</i>';
+
+// Added for let's encrypt
+$lng['admin']['letsencrypt']['title'] = 'Use Let\'s Encrypt';
+$lng['admin']['letsencrypt']['description'] = 'Get a free certificate from <a href="https://letsencrypt.org">Let\'s Encrypt</a>. The certificate will be created and renewed automatically.<br><strong class="red">ATTENTION:</strong> If wildcards are enabled, this option will automatically be disabled. This feature is still in beta.';
+$lng['customer']['letsencrypt']['title'] = 'Use Let\'s Encrypt';
+$lng['customer']['letsencrypt']['description'] = 'Get a free certificate from <a href="https://letsencrypt.org">Let\'s Encrypt</a>. The certificate will be created and renewed automatically.<br><strong class="red">ATTENTION:</strong> This feature is still in beta.';
+$lng['error']['sslredirectonlypossiblewithsslipport'] = 'Using Let\'s Encrypt is only possible when the domain has at least one ssl-enabled IP/port combination assigned.';
+$lng['error']['nowildcardwithletsencrypt'] = 'Let\'s Encrypt cannot (yet) handle wildcard-domains. Please set the ServerAlias to WWW or disable it completely';
+$lng['error']['letsencryptdoesnotworkwithaliasdomains'] = "Usage of Let's Encrypt is not possible for aliasdomains at the moment. Please disable Let's Encrypt or AliasDomain";
+$lng['panel']['letsencrypt'] = 'Using Let\'s encrypt';
+$lng['crondesc']['cron_letsencrypt'] = 'updating Let\'s Encrypt certificates';
+$lng['serversettings']['letsencryptca']['title'] = "Let's Encrypt environment";
+$lng['serversettings']['letsencryptca']['description'] = "Environment to be used for Let's Encrypt certificates.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
+$lng['serversettings']['letsencryptcountrycode']['title'] = "Let's Encrypt country code";
+$lng['serversettings']['letsencryptcountrycode']['description'] = "2 letter country code used to generate Let's Encrypt certificates.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
+$lng['serversettings']['letsencryptstate']['title'] = "Let's Encrypt state";
+$lng['serversettings']['letsencryptstate']['description'] = "State used to generate Let's Encrypt certificates.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
+$lng['serversettings']['letsencryptchallengepath']['title'] = "Path for Let's Encrypt challenges";
+$lng['serversettings']['letsencryptchallengepath']['description'] = "Directory where the Let's Encrypt challenges should be offered from via a global alias.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
+$lng['serversettings']['letsencryptkeysize']['title'] = "Key size for new Let's Encrypt certificates";
+$lng['serversettings']['letsencryptkeysize']['description'] = "Size of the key in Bits for new Let's Encrypt certificates.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
+$lng['serversettings']['letsencryptreuseold']['title'] = "Re-use Let's Encrypt key / CSR";
+$lng['serversettings']['letsencryptreuseold']['description'] = "If activated, the same key and CSR will be used for every renew, otherwise a new key / CSR will be generated every time.<br><strong class=\"red\">ATTENTION:</strong> Let's Encrypt is still in beta</strong>";
+$lng['serversettings']['leenabled']['title'] = "Enable Let's Encrypt";
+$lng['serversettings']['leenabled']['description'] = "If activated, customers are able to let froxlor automatically generate and renew Let's Encrypt ssl-certificates for domains with a ssl IP/port.<br /><br />Please remember that you need to go through the webserver-configuration when eabled because this feature needs a special configuration.";
+$lng['domains']['ssl_redirect_temporarilydisabled'] = "<br>The SSL redirect is temporarily deactivated while a new Let's Encrypt certificate is generated. It will be activated again after the certificate was generated.";
+
+// Autoupdate
+$lng['admin']['autoupdate'] = 'Auto-Update';
+$lng['error']['customized_version'] = 'It looks like your Froxlor installation has been customized, no support sorry.';
+$lng['error']['autoupdate_0'] = 'Unknown error';
+$lng['error']['autoupdate_1'] = 'PHP setting allow_url_fopen is disabled. Autoupdate needs this setting to be enabled in php.ini';
+$lng['error']['autoupdate_2'] = 'PHP extension Zlib not found, please ensure it is installed and activated';
+$lng['error']['autoupdate_4'] = 'The froxlor archive could not be stored to the disk :(';
+$lng['error']['autoupdate_5'] = 'version.froxlor.org returned inacceptable values :(';
+$lng['error']['autoupdate_6'] = 'Woops, there was no (valid) version given to download :(';
+$lng['error']['autoupdate_7'] = 'The downloaded archive could not be found :(';
+$lng['error']['autoupdate_8'] = 'The archive could not be extracted :(';
+$lng['error']['autoupdate_9'] = 'The downloaded file did not pass the integrity check. Please try to update again.';
+
+$lng['admin']['server_php'] = 'PHP';
+$lng['domains']['termination_date'] = 'Date of termination';
+$lng['domains']['termination_date_overview'] = 'canceled until ';
+$lng['panel']['set'] = 'Apply';
+$lng['customer']['selectserveralias_addinfo'] = 'This option can be set when editing the domain. Its initial value is inherited from the parent-domain.';
+$lng['error']['mailaccistobedeleted'] = "Another account with the same name (%s) is currently being deleted and can therefore not be added at this moment.";
--- a/lng/french.lng.php
+++ b/lng/french.lng.php
@@ -291,7 +291,7 @@ $lng['admin']['admin_edit'] = 'Modifier un administrateur';
 $lng['admin']['customers_see_all'] = 'Peut voir tous les comptes ?';
 $lng['admin']['domains_see_all'] = 'Peut voir tous les Domaines ?';
 $lng['admin']['change_serversettings'] = 'Peut modifier la configuration du serveur ?';
-$lng['admin']['server'] = 'Serveur';
+$lng['admin']['server'] = 'Système';
 $lng['admin']['serversettings'] = 'Paramètres';
 $lng['admin']['rebuildconf'] = 'Régénérer la configuration';
 $lng['admin']['stdsubdomain'] = 'Sous-domaine type';
@@ -728,10 +728,12 @@ $lng['serversettings']['logger']['types']['title'] = 'Type(s) de log';
 $lng['serversettings']['logger']['types']['description'] = 'Spécifiez les types de log séparés par des virgules.<br />Les types de log disponible sont : syslog, file, mysql';
 $lng['serversettings']['logger']['logfile'] = 'Nom du fichier de log, dossier + nom du fichier';
 $lng['error']['logerror'] = 'Erreur log : %s';
-$lng['serversettings']['logger']['logcron'] = 'Loguer les travaux de cron (lancer une fois)';
+$lng['serversettings']['logger']['logcron'] = 'Loguer les travaux de cron';
+$lng['serversettings']['logger']['logcronoption']['never'] = 'Jamais';
+$lng['serversettings']['logger']['logcronoption']['once'] = 'Une fois';
+$lng['serversettings']['logger']['logcronoption']['always'] = 'Toujours';
 $lng['question']['logger_reallytruncate'] = 'Etes-vous sûr de vouloir vider la table "%s" ?';
 $lng['admin']['loggersystem'] = 'Log système';
-$lng['menue']['logger']['logger'] = 'Log système';
 $lng['logger']['date'] = 'Date';
 $lng['logger']['type'] = 'Type';
 $lng['logger']['action'] = 'Action';
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -190,10 +190,10 @@ $lng['error']['firstdeleteallsubdomains'] = 'Sie müssen zuerst alle Subdomains
 $lng['error']['youhavealreadyacatchallforthisdomain'] = 'Sie haben bereits eine E-Mail-Adresse als Catchall für diese Domain definiert.';
 $lng['error']['ftp_cantdeletemainaccount'] = 'Sie können Ihren Hauptaccount nicht löschen.';
 $lng['error']['login'] = 'Die Kombination aus Benutzername und Passwort ist ungültig.';
-$lng['error']['login_blocked'] = 'Dieser Account wurde aufgrund zu vieler Fehlversuche vorrübergehend geschlossen.<br />Bitte versuchen Sie es in "%s" Sekunden erneut.';
+$lng['error']['login_blocked'] = 'Dieser Account wurde aufgrund zu vieler Fehlversuche vorübergehend geschlossen.<br />Bitte versuchen Sie es in "%s" Sekunden erneut.';
 $lng['error']['notallreqfieldsorerrors'] = 'Sie haben nicht alle Felder bzw. ein Feld mit fehlerhaften Angaben ausgefüllt.';
 $lng['error']['oldpasswordnotcorrect'] = 'Das alte Passwort ist nicht korrekt.';
-$lng['error']['youcantallocatemorethanyouhave'] = 'Sie können nicht mehr Ressourcen verteilen als Ihnen noch zu Verfügung stehen.';
+$lng['error']['youcantallocatemorethanyouhave'] = 'Sie können nicht mehr Ressourcen verteilen als Ihnen noch zur Verfügung stehen.';
 $lng['error']['mustbeurl'] = 'Sie müssen eine vollständige URL angeben (z. B. http://domain.de/error404.htm).';
 $lng['error']['invalidpath'] = 'Sie haben keine gültige URL angegeben (evtl. Probleme beim Verzeichnislisting?).';
 $lng['error']['stringisempty'] = 'Fehlende Eingabe im Feld';
@@ -219,11 +219,11 @@ $lng['error']['wwwnotallowed'] = 'Ihre Subdomain darf nicht \'www\' heißen.';
 $lng['error']['subdomainiswrong'] = 'Die Subdomain "%s" enthält ungültige Zeichen.';
 $lng['error']['domaincantbeempty'] = 'Der Domainname darf nicht leer sein.';
 $lng['error']['domainexistalready'] = 'Die Domain "%s" existiert bereits.';
-$lng['error']['domainisaliasorothercustomer'] = 'Die ausgewählte Aliasdomain ist entweder selber eine Aliasdomain, hat nicht die gleiche IP/Port-Kombination oder gehört einem anderen Kunden.';
+$lng['error']['domainisaliasorothercustomer'] = 'Die ausgewählte Aliasdomain ist entweder selbst eine Aliasdomain, hat nicht die gleiche IP/Port-Kombination oder gehört einem anderen Kunden.';
 $lng['error']['emailexistalready'] = 'Die E-Mail-Adresse "%s" existiert bereits.';
 $lng['error']['maindomainnonexist'] = 'Die Hauptdomain "%s" existiert nicht.';
 $lng['error']['destinationnonexist'] = 'Bitte geben Sie Ihre Weiterleitungsadresse im Feld \'Nach\' ein.';
-$lng['error']['destinationalreadyexistasmail'] = 'Die Weiterleitung zu "%s" exisitiert bereits als aktive E-Mail-Adresse.';
+$lng['error']['destinationalreadyexistasmail'] = 'Die Weiterleitung zu "%s" existiert bereits als aktive E-Mail-Adresse.';
 $lng['error']['destinationalreadyexist'] = 'Es existiert bereits eine Weiterleitung nach "%s".';
 $lng['error']['destinationiswrong'] = 'Die Weiterleitungsadresse "%s" enthält ungültige Zeichen oder ist nicht vollständig.';
 $lng['error']['ticketnotaccessible'] = 'Sie können sich das Ticket nicht ansehen.';
@@ -233,7 +233,7 @@ $lng['error']['ticketnotaccessible'] = 'Sie können sich das Ticket nicht ansehe
 */

 $lng['question']['question'] = 'Sicherheitsabfrage';
-$lng['question']['admin_customer_reallydelete'] = 'Wollen Sie den Kunden "%s" wirklich löschen?<br />ACHTUNG! Alle Daten gehen unwiderruflich verloren! Nach dem Vorgang müssen die Daten manuell aus dem Dateisystem entfernen werden.';
+$lng['question']['admin_customer_reallydelete'] = 'Wollen Sie den Kunden "%s" wirklich löschen?<br />ACHTUNG! Alle Daten gehen unwiderruflich verloren! Nach dem Vorgang müssen die Daten manuell aus dem Dateisystem entfernt werden.';
 $lng['question']['admin_domain_reallydelete'] = 'Wollen Sie die Domain "%s" wirklich löschen?';
 $lng['question']['admin_domain_reallydisablesecuritysetting'] = 'Wollen Sie die wichtige Sicherheitseinstellung \'OpenBasedir\' wirklich deaktivieren?';
 $lng['question']['admin_admin_reallydelete'] = 'Wollen Sie den Admin "%s" wirklich löschen?<br />Alle Kunden und Domains dieses Admins werden Ihnen zugeteilt.';
@@ -288,7 +288,6 @@ $lng['admin']['admin_edit'] = 'Admin bearbeiten';
 $lng['admin']['customers_see_all'] = 'Kann alle Kunden sehen?';
 $lng['admin']['domains_see_all'] = 'Kann alle Domains sehen?';
 $lng['admin']['change_serversettings'] = 'Kann Servereinstellungen bearbeiten?';
-$lng['admin']['server'] = 'Server';
 $lng['admin']['serversettings'] = 'Einstellungen';
 $lng['admin']['rebuildconf'] = 'Configs neu schreiben';
 $lng['admin']['stdsubdomain'] = 'Standardsubdomain';
@@ -334,7 +333,7 @@ $lng['serversettings']['documentroot_prefix']['description'] = 'Wo sollen die He
 $lng['serversettings']['logfiles_directory']['title'] = 'Webserver-Logdateien-Verzeichnis';
 $lng['serversettings']['logfiles_directory']['description'] = 'Wo sollen die Logdateien des Webservers liegen?';
 $lng['serversettings']['ipaddress']['title'] = 'IP-Adresse';
-$lng['serversettings']['ipaddress']['description'] = 'Welche IP-Adresse hat der Server?';
+$lng['serversettings']['ipaddress']['description'] = 'Welche Haupt-IP-Adresse hat der Server?';
 $lng['serversettings']['hostname']['title'] = 'Hostname';
 $lng['serversettings']['hostname']['description'] = 'Welchen Hostnamen hat der Server?';
 $lng['serversettings']['apachereload_command']['title'] = 'Webserver-Reload-Command';
@@ -390,7 +389,7 @@ $lng['error']['cantdeletedefaultip'] = 'Sie können die Standard-IP/Port-Kombina
 $lng['error']['cantdeletesystemip'] = 'Sie können die letzte System-IP nicht löschen. Entweder legen Sie eine neue IP/Port-Kombination an oder Sie ändern die System-IP.';
 $lng['error']['myipaddress'] = '\'IP\'';
 $lng['error']['myport'] = '\'Port\'';
-$lng['error']['myipdefault'] = 'Sie müssen eine IP/Port-Kombination auswählen, die den Standard defninieren soll.';
+$lng['error']['myipdefault'] = 'Sie müssen eine IP/Port-Kombination auswählen, die den Standard definieren soll.';
 $lng['error']['myipnotdouble'] = 'Diese Kombination aus IP und Port existiert bereits.';
 $lng['question']['admin_ip_reallydelete'] = 'Wollen Sie wirklich die IP "%s" löschen?';
 $lng['admin']['ipsandports']['ipsandports'] = 'IPs und Ports';
@@ -432,7 +431,7 @@ $lng['error']['webmailiswrong'] = 'Die "Webmail-URL" ist keine gültige URL.';
 $lng['error']['webftpiswrong'] = 'Die "WebFTP-URL" ist keine gültige URL.';
 $lng['domains']['hasaliasdomains'] = 'Hat Aliasdomain(s)';
 $lng['serversettings']['defaultip']['title'] = 'Standard-IP/Port';
-$lng['serversettings']['defaultip']['description'] = 'Welche IP/Port-Kombination soll standardmäßig verwendet werden?';
+$lng['serversettings']['defaultip']['description'] = 'Welche IP/Port-Kombination sollen standardmäßig verwendet werden?';
 $lng['domains']['statstics'] = 'Statistiken';
 $lng['panel']['ascending'] = 'aufsteigend';
 $lng['panel']['decending'] = 'absteigend';
@@ -735,10 +734,12 @@ $lng['serversettings']['logger']['types']['title'] = 'Log-Art(en)';
 $lng['serversettings']['logger']['types']['description'] = 'Wählen Sie hier die gewünschten Logtypen. Für Mehrfachauswahl, halten Sie während der Auswahl STRG gedrückt<br />Mögliche Logtypen sind: syslog, file, mysql';
 $lng['serversettings']['logger']['logfile'] = 'Log-Datei Pfad inklusive Dateinamen';
 $lng['error']['logerror'] = 'Log-Fehler: "%s"';
-$lng['serversettings']['logger']['logcron'] = 'Logge Cronjobs (einen Durchgang)';
+$lng['serversettings']['logger']['logcron'] = 'Logge Cronjobs';
+$lng['serversettings']['logger']['logcronoption']['never'] = 'Nie';
+$lng['serversettings']['logger']['logcronoption']['once'] = 'Einmalig';
+$lng['serversettings']['logger']['logcronoption']['always'] = 'Immer';
 $lng['question']['logger_reallytruncate'] = 'Wollen Sie die Tabelle "%s" wirklich leeren?';
-$lng['admin']['loggersystem'] = 'System-Logging';
-$lng['menue']['logger']['logger'] = 'System-Logging';
+$lng['admin']['loggersystem'] = 'System-Log';
 $lng['logger']['date'] = 'Datum';
 $lng['logger']['type'] = 'Typ';
 $lng['logger']['action'] = 'Aktion';
@@ -903,7 +904,7 @@ $lng['customer']['email_pop3'] = 'POP3';
 $lng['customer']['mail_quota'] = 'E-Mail-Kontingent';
 $lng['panel']['megabyte'] = 'Megabyte';
 $lng['emails']['quota_edit'] = 'E-Mail-Kontingent ändern';
-$lng['panel']['not_supported'] = 'Nicht unterstüzt in: ';
+$lng['panel']['not_supported'] = 'Nicht unterstützt in: ';
 $lng['error']['allocatetoomuchquota'] = 'Sie versuchen "%s" MB Kontingent zu zuweisen, haben aber nicht genug übrig.';

 $lng['error']['missingfields'] = 'Es wurden nicht alle Felder augefüllt.';
@@ -946,6 +947,7 @@ $lng['admin']['phpconfig']['admin_email'] = 'Wird mit der E-Mail-Adresse des Adm
 $lng['admin']['phpconfig']['domain'] = 'Wird mit der Domain ersetzt.';
 $lng['admin']['phpconfig']['customer'] = 'Wird mit dem Loginnamen des Kunden ersetzt, dem die Domain gehört.';
 $lng['admin']['phpconfig']['admin'] = 'Wird mit dem Loginnamen des Admins ersetzt, dem die Domain gehört.';
+$lng['admin']['phpconfig']['docroot'] = 'Wird mit dem Heimatverzeichnis des Kunden ersetzt.';
 $lng['login']['backtologin'] = 'Zurück zum Login';
 $lng['serversettings']['mod_fcgid']['starter']['title'] = 'Prozesse je Domain';
 $lng['serversettings']['mod_fcgid']['starter']['description'] = 'Wieviele PHP-Prozesse pro Domain sollen gestartet/erlaubt werden. Der Wert 0 wird empfohlen, da PHP die Anzahl dann selbst effizient verwaltet.';
@@ -995,7 +997,7 @@ $lng['admin']['phpserversettings'] = 'PHP-Einstellungen';
 $lng['admin']['phpsettings']['binary'] = 'PHP-Binary';
 $lng['admin']['phpsettings']['file_extensions'] = 'Dateiendungen';
 $lng['admin']['phpsettings']['file_extensions_note'] = '(ohne Punkt, durch Leerzeichen getrennt)';
-$lng['admin']['mod_fcgid_maxrequests']['title'] = 'Maxmale PHP-Requests für diese Domain (leer für Standardwert)';
+$lng['admin']['mod_fcgid_maxrequests']['title'] = 'Maximale PHP-Requests für diese Domain (leer für Standardwert)';
 $lng['serversettings']['mod_fcgid']['maxrequests']['title'] = 'Maximale Requests pro Domain';
 $lng['serversettings']['mod_fcgid']['maxrequests']['description'] = 'Wieviele PHP-Requests pro Domain sollen erlaubt werden?';

@@ -1141,12 +1143,12 @@ $lng['ticket']['orderdesc'] = 'Hier kann eine logische Sortierung für die Ticke
 // ADDED IN FROXLOR 0.9.6-svn3
 $lng['serversettings']['defaultwebsrverrhandler_enabled'] = 'Verwende Standard-Fehlerdokumente für alle Kunden';
 $lng['serversettings']['defaultwebsrverrhandler_err401']['title'] = 'Datei/URL für Fehler 401';
-$lng['serversettings']['defaultwebsrverrhandler_err401']['description'] = '<div class="red">Nicht unterstüzt in: lighttpd</div>';
+$lng['serversettings']['defaultwebsrverrhandler_err401']['description'] = '<div class="red">Nicht unterstützt in: lighttpd</div>';
 $lng['serversettings']['defaultwebsrverrhandler_err403']['title'] = 'Datei/URL für Fehler 403';
-$lng['serversettings']['defaultwebsrverrhandler_err403']['description'] = '<div class="red">Nicht unterstüzt in: lighttpd</div>';
+$lng['serversettings']['defaultwebsrverrhandler_err403']['description'] = '<div class="red">Nicht unterstützt in: lighttpd</div>';
 $lng['serversettings']['defaultwebsrverrhandler_err404'] = 'Datei/URL für Fehler 404';
 $lng['serversettings']['defaultwebsrverrhandler_err500']['title'] = 'Datei/URL für Fehler 500';
-$lng['serversettings']['defaultwebsrverrhandler_err500']['description'] = '<div class="red">Nicht unterstüzt in: lighttpd</div>';
+$lng['serversettings']['defaultwebsrverrhandler_err500']['description'] = '<div class="red">Nicht unterstützt in: lighttpd</div>';

 // ADDED IN FROXLOR 0.9.6-svn4
 $lng['serversettings']['ticket']['default_priority'] = 'Voreingestellte Support-Ticket Priorität';
@@ -1163,7 +1165,7 @@ $lng['serversettings']['ftpserver']['desc'] = 'Wenn pureftpd ausgewählt ist, we
 $lng['mails']['new_ftpaccount_by_customer']['subject'] = 'Neuer FTP-Benutzer erstellt';
 $lng['mails']['new_ftpaccount_by_customer']['mailbody'] = "Hallo {CUST_NAME},\n\ndu hast gerade einen neuen FTP-Benutzer angelegt. Hier die angegebenen Informationen:\n\nBenutzername: {USR_NAME}\nPasswort: {USR_PASS}\nPfad: {USR_PATH}\n\nVielen Dank, Ihr Administrator";
 $lng['domains']['redirectifpathisurl'] = 'Redirect-Code (Standard: leer)';
-$lng['domains']['redirectifpathisurlinfo'] = 'Der Redirect-Code kann gewählt werden, wenn der eingegebene Pfad eine URL ist';
+$lng['domains']['redirectifpathisurlinfo'] = 'Der Redirect-Code kann gewählt werden, wenn der eingegebene Pfad eine URL ist.<br/><strong class="red">HINWEIS:</strong>Änderungen werden nur wirksam wenn der Pfad eine URL ist.';
 $lng['serversettings']['customredirect_enabled']['title'] = 'Erlaube Kunden-Redirect';
 $lng['serversettings']['customredirect_enabled']['description'] = 'Erlaubt es Kunden den HTTP-Status Code für einen Redirect zu wählen';
 $lng['serversettings']['customredirect_default']['title'] = 'Standard-Redirect';
@@ -1454,7 +1456,7 @@ $lng['domains']['serveraliasoption_www'] = 'www (www.domain.tld)';
 $lng['domains']['serveraliasoption_none'] = 'Kein Alias';
 $lng['error']['givendirnotallowed'] = 'Das angegebene Verzeichnis im Feld %s ist nicht erlaubt.';
 $lng['serversettings']['ssl']['ssl_cipher_list']['title'] = 'Erlaubte SSL Ciphers festlegen';
-$lng['serversettings']['ssl']['ssl_cipher_list']['description'] = 'Dies ist eine Liste von Ciphers die genutzt werden sollen (oder auch nicht genutzt werden sollen) wenn eine SSL Verbindung besteht. Eine Liste aller Ciphers und wie diese hinzugefügt/ausgeschlossen werden ist in den Abschnitten "CIPHER LIST FORMAT" und "CIPHER STRINGS" in <a href="http://openssl.org/docs/apps/ciphers.html">der man-page für Ciphers</a> zu finden.<br /><br /><b>Standard-Wert ist:</b><pre>ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128</pre>';
+$lng['serversettings']['ssl']['ssl_cipher_list']['description'] = 'Dies ist eine Liste von Ciphers, die genutzt werden sollen (oder auch nicht genutzt werden sollen), wenn eine SSL Verbindung besteht. Eine Liste aller Ciphers und wie diese hinzugefügt/ausgeschlossen werden ist in den Abschnitten "CIPHER LIST FORMAT" und "CIPHER STRINGS" in <a href="http://openssl.org/docs/apps/ciphers.html">der man-page für Ciphers</a> zu finden.<br /><br /><b>Standard-Wert ist:</b><pre>ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128</pre>';

 // Added in Froxlor 0.9.31
 $lng['panel']['dashboard'] = 'Dashboard';
@@ -1476,9 +1478,9 @@ $lng['pwdreminder']['wrongcode'] = 'Der verwendete Aktivierungscode ist entweder
 $lng['admin']['templates']['LINK'] = 'Wird mit dem Link zum Zurücksetzen des Passworts ersetzt.';
 $lng['pwdreminder']['choosenew'] = 'Neues Passwort auswählen';
 $lng['serversettings']['allow_error_report_admin']['title'] = 'Erlaube Administrator/Reseller das Melden von Datenbankfehlern an Froxlor';
-$lng['serversettings']['allow_error_report_admin']['description'] = 'Bitte beachten: Senden Sie zu keiner Zeit irgendwelche datenschutzrelevanten/persönliche (Kunden-)Daten an uns!';
-$lng['serversettings']['allow_error_report_customer']['title'] = 'Erlaube Kunden das Melden von Datenbankfehler an Froxlor';
-$lng['serversettings']['allow_error_report_customer']['description'] = 'Bitte beachten: Senden Sie zu keiner Zeit irgendwelche datenschutzrelevanten/persönliche (Kunden-)Daten an uns!';
+$lng['serversettings']['allow_error_report_admin']['description'] = 'Bitte beachten: Senden Sie zu keiner Zeit irgendwelche datenschutzrelevanten/persönlichen (Kunden-)Daten an uns!';
+$lng['serversettings']['allow_error_report_customer']['title'] = 'Erlaube Kunden das Melden von Datenbankfehlern an Froxlor';
+$lng['serversettings']['allow_error_report_customer']['description'] = 'Bitte beachten: Senden Sie zu keiner Zeit irgendwelche datenschutzrelevanten/persönlichen (Kunden-)Daten an uns!';
 $lng['admin']['phpsettings']['enable_slowlog'] = 'FPM-slowlog pro Domain aktivieren';
 $lng['admin']['phpsettings']['request_terminate_timeout'] = 'request_terminate_timeout';
 $lng['admin']['phpsettings']['request_slowlog_timeout'] = 'request_slowlog_timeout';
@@ -1486,7 +1488,9 @@ $lng['admin']['templates']['SERVER_HOSTNAME'] = 'Wird mit dem System-Hostname (U
 $lng['admin']['templates']['SERVER_IP'] = 'Wird mit der Standard-System-IP-Adresse ersetzt';
 $lng['admin']['templates']['SERVER_PORT'] = 'Wird mit dem Standard-Port ersetzt';
 $lng['admin']['templates']['DOMAINNAME'] = 'Wird mit der Standardsubdomain des Kunden ersetzt (kann leer sein, wenn keine erstellt werden soll)';
-$lng['admin']['show_news_feed'] = 'Zeige Newsfeed im Admin-Dashboard';
+$lng['admin']['show_news_feed']['title'] = 'Zeige Newsfeed im Admin-Dashboard';
+$lng['admin']['show_news_feed']['description'] = 'Aktiviere diese Option, um das offizielle Froxlor newsfeed (https://inside.froxlor.org/news/) auf deinem Dashboard anzuzeigen und verpasse keine wichtigen Informationen oder Release-Announcements.';
+$lng['panel']['newsfeed_disabled'] = 'Das Newsfeed ist deaktiviert. Klicke das Editier-Icon, um zu den Einstellungen zu gelangen.';

 // Added in Froxlfor 0.9.32
 $lng['logger']['reseller'] = "Reseller";
@@ -1495,7 +1499,7 @@ $lng['logger']['cron'] = "Cronjob";
 $lng['logger']['login'] = "Login";
 $lng['logger']['intern'] = "Intern";
 $lng['logger']['unknown'] = "Unbekannt";
-$lng['serversettings']['mailtraffic_enabled']['title'] = "Analysiere Mailtraffic"; 
+$lng['serversettings']['mailtraffic_enabled']['title'] = "Analysiere Mailtraffic";
 $lng['serversettings']['mailtraffic_enabled']['description'] = "Aktiviere das analysieren der Logdateien des Mailsystems um den verbrauchten Traffic zu berechnen";
 $lng['serversettings']['mdaserver']['title'] = "Typ des MDA";
 $lng['serversettings']['mdaserver']['description'] = "Der eingesetzte Mail Delivery Server";
@@ -1528,8 +1532,9 @@ $lng['serversettings']['system_cron_allowautoupdate']['description'] = '<strong
 $lng['error']['passwordshouldnotbeusername'] = 'Das Passwort sollte nicht mit dem Benutzernamen übereinstimmen.';

 // Added in Froxlor 0.9.33
-$lng['admin']['customer_show_news_feed'] = "Zeige benutzerdefinierten Newsfeed im Kunden-Dashboard";
-$lng['admin']['customer_news_feed_url'] = "RSS-Feed für den benutzerdefinierten Newsfeed";
+$lng['admin']['customer_show_news_feed'] = "Zeige Newsfeed im Kunden-Dashboard";
+$lng['admin']['customer_news_feed_url']['title'] = "Benutzerdefiniertes RSS-Feed";
+$lng['admin']['customer_news_feed_url']['description'] = "Hier kann ein eigenes RSS-Feed angegeben werden, welches den Kunden auf dem Dashboard angezeigt wird.<br /><small>Leerlassen um das offizielle Froxlor Newsfeed (https://inside.froxlor.org/news/) zu verwenden.</small>";
 $lng['serversettings']['dns_createhostnameentry'] = "Erstelle bind-Zone/Konfiguration für den System-Hostnamen";
 $lng['serversettings']['panel_password_alpha_lower']['title'] = 'Kleinbuchstaben';
 $lng['serversettings']['panel_password_alpha_lower']['description'] = 'Das Passwort muss mindestens einen Kleinbuchstaben (a-z) enthalten.';
@@ -1560,22 +1565,66 @@ $lng['domains']['import_description'] = 'Detaillierte Informationen über den Au
 $lng['usersettings']['custom_notes']['title'] = 'Eigene Notizen';
 $lng['usersettings']['custom_notes']['description'] = 'Hier können Notizen je nach Lust und Laune eingetragen werden. Diese werden in der Administrator/Kunden-Übersicht bei dem jeweiligen Benutzer angezeigt.';
 $lng['usersettings']['custom_notes']['show'] = 'Zeige die Notizen auf dem Dashboard des Benutzers';
-$lng['serversettings']['system_send_cron_errors']['title'] = 'Sende Cron-Fehler via E-Mail an den Froxlor-Admin';
-$lng['serversettings']['system_send_cron_errors']['description'] = 'Gib an, ob bei einem Cron-Fehler eine E-Mail versendet werden soll. Beachte das es je nach Fehler und Cronjob-Einstellungen dazu kommen kann, dass diese E-Mail alle 5 Minuten gesendet wird.';
 $lng['error']['fcgidandphpfpmnogoodtogether'] = 'FCGID und PHP-FPM können nicht gleichzeitig aktiviert werden.';

 // Added in Froxlor 0.9.34
 $lng['admin']['configfiles']['legend'] = 'Du konfigurierst nun einen Service/Daemon. Die folgende Legende zeigt unsere Nomenklatur.';
 $lng['admin']['configfiles']['commands'] = '<span class="red">Kommandos:</span> Die angezeigten Befehle müssen als Benutzer root in einer Shell ausgeführt werden. Es kann auch problemlos der ganze Block kopiert und in die Shell eingefügt werden.';
-$lng['admin']['configfiles']['files'] = '<span class="red">Konfigurationsdateien:</span> Dies ist der Inhalt einer Konfigurationsdatei. Der Befehl direkt vor dem Textfeld sollte einen Editor mit der Zeildatei öffnen. Der Inhalt kann nun einfach kopiert und in den Editor eingefügt und die Datei gespeichert werden.<br><br><span class="red">Beachten Sie:</span> Das MySQL-Passwort wurde aus Sicherheitsgründen nicht ersetzt. Bitte ersetzen Sie "MYSQL_PASSWORD" manuell durch das entsprechende Passwort. Falls Sie es vergessen haben sollten, finden Sie es in der Datei "lib/userdata.inc.php".';
+$lng['admin']['configfiles']['files'] = '<span class="red">Konfigurationsdateien:</span> Dies ist der Inhalt einer Konfigurationsdatei. Der Befehl direkt vor dem Textfeld sollte einen Editor mit der Zieldatei öffnen. Der Inhalt kann nun einfach kopiert und in den Editor eingefügt und die Datei gespeichert werden.<br><br><span class="red">Beachten Sie:</span> Das MySQL-Passwort wurde aus Sicherheitsgründen nicht ersetzt. Bitte ersetzen Sie "MYSQL_PASSWORD" manuell durch das entsprechende Passwort. Falls Sie es vergessen haben sollten, finden Sie es in der Datei "lib/userdata.inc.php".';
 $lng['serversettings']['apache_itksupport']['title'] = 'Anpassungen für Apache ITK-MPM verwenden';
 $lng['serversettings']['apache_itksupport']['description'] = '<div class="red">Achtung: Bitte nur verwenden, wenn wirklich Apache itk-mpm verwendet wird, ansonsten wird der Webserver nicht starten.</div>';
 $lng['integrity_check']['DatabaseCharset'] = 'Characterset der Datenbank (sollte UTF-8 sein)';
 $lng['integrity_check']['DomainIpTable'] = 'IP &lt;&dash;&gt; Domain Verkn&uuml;pfung';
 $lng['integrity_check']['SubdomainSslRedirect'] = 'Falsches SSL-redirect Flag bei nicht-ssl Domains';
-$lng['integrity_check']['FroxlorLocalGroupMemberForFcgidPhpFpm'] = 'froxlor-Benutzer in Kunden Gruppen (f&uuml;r FCGID/php-fpm)';
-$lng['integrity_check']['WebserverGroupMemberForFcgidPhpFpm'] = 'Webserver-Benutzer in Kunden Gruppen (f&uuml;r FCGID/php-fpm)';
+$lng['integrity_check']['FroxlorLocalGroupMemberForFcgidPhpFpm'] = 'froxlor-Benutzer in Kunden-Gruppen (f&uuml;r FCGID/php-fpm)';
+$lng['integrity_check']['WebserverGroupMemberForFcgidPhpFpm'] = 'Webserver-Benutzer in Kunden-Gruppen (f&uuml;r FCGID/php-fpm)';
+$lng['integrity_check']['SubdomainLetsencrypt'] = 'Hauptdomains ohne zugewiesenen SSL-Port haben keine Subdomain mit aktiviertem SSL-Redirect';
 $lng['admin']['specialsettings_replacements'] = "Die folgenden Variablen können verwendet werden:<br/><code>{DOMAIN}</code>, <code>{DOCROOT}</code>, <code>{CUSTOMER}</code>, <code>{IP}</code>, <code>{PORT}</code>, <code>{SCHEME}</code><br/>";
 $lng['serversettings']['default_vhostconf']['description'] = 'Der Inhalt dieses Feldes wird direkt in den IP/Port-vHost-Container übernommen. '.$lng['admin']['specialsettings_replacements'].'<br /><strong>ACHTUNG:</strong> Der Code wird nicht auf Fehler geprüft. Etwaige Fehler werden also auch übernommen. Der Webserver könnte nicht mehr starten!';
 $lng['serversettings']['default_vhostconf_domain']['description'] = 'Der Inhalt dieses Feldes wird direkt in jeden Domain-vHost-Container übernommen. '. $lng['admin']['specialsettings_replacements'].'<strong>ACHTUNG:</strong> Der Code wird nicht auf Fehler geprüft. Etwaige Fehler werden also auch übernommen. Der Webserver könnte nicht mehr starten!';
 $lng['admin']['mod_fcgid_umask']['title'] = 'Umask (Standard: 022)';
+
+// Added for let's encrypt
+$lng['admin']['letsencrypt']['title'] = 'Benutze Let\'s Encrypt';
+$lng['admin']['letsencrypt']['description'] = 'Holt ein kostenloses Zertifikat von <a href="https://letsencrypt.org">Let\'s Encrypt</a>. Das Zertifikat wird automatisch erstellt und verlängert.<br><strong class="red">ACHTUNG:</strong> Wenn Wildcards aktiviert sind, wird diese Option automatisch deaktiviert. Dieses Feature befindet sich noch im Test.';
+$lng['customer']['letsencrypt']['title'] = 'Benutze Let\'s Encrypt';
+$lng['customer']['letsencrypt']['description'] = 'Holt ein kostenloses Zertifikat von <a href="https://letsencrypt.org">Let\'s Encrypt</a>. Das Zertifikat wird automatisch erstellt und verlängert.<br><strong class="red">ACHTUNG:</strong> Dieses Feature befindet sich noch im Test.';
+$lng['error']['sslredirectonlypossiblewithsslipport'] = 'Die Nutzung von Let\'s Encrypt ist nur möglich, wenn die Domain mindestens eine IP/Port - Kombination mit aktiviertem SSL zugewiesen hat.';
+$lng['error']['nowildcardwithletsencrypt'] = 'Let\'s Encrypt kann (noch) nicht mit Wildcard-Domains umgehen. Bitte den ServerAlias auf WWW setzen oder deaktivieren';
+$lng['error']['letsencryptdoesnotworkwithaliasdomains'] = "Die Nutzung von Let's Encrypt ist mit AliasDomains derzeit nicht möglich. Bitte Let's Encrypt oder AliasDomain deaktivieren";
+$lng['panel']['letsencrypt'] = 'Benutzt Let\'s encrypt';
+$lng['crondesc']['cron_letsencrypt'] = 'aktualisiert Let\'s Encrypt Zertifikate';
+$lng['serversettings']['letsencryptca']['title'] = "Let's Encrypt Umgebung";
+$lng['serversettings']['letsencryptca']['description'] = "Let's Encrypt - Umgebung, welche genutzt wird um Zertifikate zu bestellen.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
+$lng['serversettings']['letsencryptcountrycode']['title'] = "Let's Encrypt Ländercode";
+$lng['serversettings']['letsencryptcountrycode']['description'] = "2 - stelliger Ländercode, welcher benutzt wird um Let's Encrypt - Zertifikate zu bestellen.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
+$lng['serversettings']['letsencryptstate']['title'] = "Let's Encrypt Bundesland";
+$lng['serversettings']['letsencryptstate']['description'] = "Bundesland, welches benutzt wird um Let's Encrypt - Zertifikate zu bestellen.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
+$lng['serversettings']['letsencryptchallengepath']['title'] = "Verzeichnis für Let's Encrypt challenges";
+$lng['serversettings']['letsencryptchallengepath']['description'] = "Let's Encrypt challenges werden aus diesem Verzeichnis über einen globalen Alias ausgeliefert.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
+$lng['serversettings']['letsencryptkeysize']['title'] = "Schlüsselgröße für neue Let's Encrypt Zertifikate";
+$lng['serversettings']['letsencryptkeysize']['description'] = "Größe des Schlüssels in Bit für neue Let's Encrypt Zertifikate.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
+$lng['serversettings']['letsencryptreuseold']['title'] = "Let's Encrypt Schlüssel / CSR wiederverwenden";
+$lng['serversettings']['letsencryptreuseold']['description'] = "Wenn dies aktiviert ist, werden der alte Schlüssel und CSR bei jeder Verlängerung verwendet, andernfalls wird ein neues Paar generiert.<br><strong class=\"red\">ACHTUNG:</strong> Let's Encrypt befindet sich noch im Test";
+$lng['serversettings']['leenabled']['title'] = "Let's Encrypt verwenden";
+$lng['serversettings']['leenabled']['description'] = "Wenn dies aktiviert ist, können Kunden durch Froxlor automatisch generierte und verlängerbare Let's Encrypt SSL-Zertifikate für Domains mit SSL IP/port nutzen.<br /><br />Bitte die Webserver-Konfiguration beachten wenn aktiviert, da dieses Feature eine spezielle Konfiguration benötigt.";
+$lng['domains']['ssl_redirect_temporarilydisabled'] = "<br>Die SSL-Umleitung ist, während ein neues Let's Encrypt - Zertifikat erstellt wird, temporär deaktiviert. Die Umleitung wird nach der Zertifikatserstellung wieder aktiviert.";
+
+// Autoupdate
+$lng['admin']['autoupdate'] = 'Auto-Update';
+$lng['error']['customized_version'] = 'Es scheint als wäre die Froxlor Installation angepasst worden. Kein Support, sorry.';
+$lng['error']['autoupdate_0'] = 'Unbekannter Fehler';
+$lng['error']['autoupdate_1'] = 'PHP Einstellung allow_url_fopen ist deaktiviert. Autoupdate benötigt diese Option, bitte in der php.ini aktivieren.';
+$lng['error']['autoupdate_2'] = 'PHP Extension Zlib nicht gefunden, bitte prüfen, ob diese installiert und aktiviert ist.';
+$lng['error']['autoupdate_4'] = 'Das froxlor Archiv konnte nicht auf der Festplatte gespeichert werden :(';
+$lng['error']['autoupdate_5'] = 'version.froxlor.org gab ungültige Werte zurück :(';
+$lng['error']['autoupdate_6'] = 'Woops, keine (gültige) Version angegeben für den Download :(';
+$lng['error']['autoupdate_7'] = 'Das heruntergeladene Archiv konnte nicht gefunden werden :(';
+$lng['error']['autoupdate_8'] = 'Das Archiv konnte nicht entpackt werden :(';
+$lng['error']['autoupdate_9'] = 'Die heruntergeladene Datei konnte nicht verifiziert werden. Bitte erneut versuchen zu aktualisieren.';
+
+$lng['domains']['termination_date'] = 'Kündigungsdatum';
+$lng['domains']['termination_date_overview'] = 'gekündigt zum ';
+$lng['panel']['set'] = 'Setzen';
+$lng['customer']['selectserveralias_addinfo'] = 'Diese Option steht beim Bearbeiten der Domain zur Verfügung. Als Initial-Wert wird die Einstellung der Hauptdomain vererbt.';
+$lng['error']['mailaccistobedeleted'] = "Ein vorheriges Konto mit dem gleichen Namen (%s) wird aktuell noch gelöscht und kann daher derzeit nicht angelegt werden";
--- a/lng/italian.lng.php
+++ b/lng/italian.lng.php
@@ -282,7 +282,7 @@ $lng['admin']['admin_edit'] = 'Modifica admin';
 $lng['admin']['customers_see_all'] = 'Può vedere tutti i clienti?';
 $lng['admin']['domains_see_all'] = 'Può vedere tutti i domini?';
 $lng['admin']['change_serversettings'] = 'Può cambiare le impostazioni del server?';
-$lng['admin']['server'] = 'Server';
+$lng['admin']['server'] = 'Sistema';
 $lng['admin']['serversettings'] = 'Opzioni';
 $lng['admin']['rebuildconf'] = 'Rigenera configurazione';
 $lng['admin']['stdsubdomain'] = 'Sottodominio standard';
@@ -716,7 +716,6 @@ $lng['error']['logerror'] = 'Errore Log: %s';
 $lng['serversettings']['logger']['logcron'] = 'Log cronjobs (one run)';
 $lng['question']['logger_reallytruncate'] = 'Sei sicuro di voler troncare la tabella "%s"?';
 $lng['admin']['loggersystem'] = 'Log di Sistema';
-$lng['menue']['logger']['logger'] = 'Log di Sistema';
 $lng['logger']['date'] = 'Data';
 $lng['logger']['type'] = 'Tipo';
 $lng['logger']['action'] = 'Azione';
@@ -1330,7 +1329,7 @@ $lng['error']['ticketnotaccessible'] = 'Non puoi accedere a questo ticket.';
 $lng['question']['admin_customer_alsoremovemail'] = 'Eliminare completamente i dati della posta elettronica dal filesystem??';
 $lng['question']['admin_customer_alsoremoveftphomedir'] = 'Rimuovere anche la cartella homedir dell\'utente FTP?';
 $lng['admin']['templates']['SALUTATION'] = 'Sostituito con un saluto corretto (nome o azienda)';
-$$lng['admin']['templates']['COMPANY'] = 'Sostituisce con il nome dell \'azienda del cliente';
+$lng['admin']['templates']['COMPANY'] = 'Sostituisce con il nome dell \'azienda del cliente';
 $lng['serversettings']['bindenable']['title'] = 'Abilita Nameserver';
 $lng['serversettings']['bindenable']['description'] = 'Qui il Nameserver può essere abilitato e disabilitato globalmente.';
 $lng['admin']['serversoftware'] = 'Software per Server';
@@ -1802,5 +1801,3 @@ $lng['domains']['import_description'] = 'Per ottenere informazioni dettagliate s
 $lng['usersettings']['custom_notes']['title'] = 'Note personali';
 $lng['usersettings']['custom_notes']['description'] = 'Sentiti libero di inserire qualsi nota vuoi o necessiti qui. Apparirano nel riepilogo dell\'amministratore/cliente perl \'utente corrispondente.';
 $lng['usersettings']['custom_notes']['show'] = 'Mostra le tue note nel cruscotto dell\'utente';
-$lng['serversettings']['system_send_cron_errors']['title'] = 'Inviaa gli errori cron all \'amministratore di froxlor via e-mail';
-$lng['serversettings']['system_send_cron_errors']['description'] = 'Scegli se ricevere una email sugli errori di cronjob. Ricorda che questo potrebbe causare l\'invio di una mail ogni 5 minuti in dipendenza all \'errore e alle tue impostazioni di cronjob.';
--- a/lng/lng_references.php
+++ b/lng/lng_references.php
@@ -38,3 +38,7 @@ $lng['error']['notmorethanxopentickets'] = $lng['ticket']['notmorethanxopenticke
 * other language-strings which need no translation
 */
 $lng['domains']['ipandport_ssl_multi']['description'] = $lng['domains']['ipandport_multi']['description'];
+
+$lng['success']['noupdatesavail'] = $lng['update']['noupdatesavail'];
+$lng['error']['autoupdate_3'] = $lng['error']['customized_version'];
+$lng['menue']['logger']['logger'] = $lng['admin']['loggersystem'];
--- a/lng/portugues.lng.php
+++ b/lng/portugues.lng.php
@@ -286,7 +286,7 @@ $lng['admin']['admin_edit'] = 'Editar administrador';
 $lng['admin']['customers_see_all'] = 'Mostrar todos os clientes';
 $lng['admin']['domains_see_all'] = 'Mostrar todos os domínios';
 $lng['admin']['change_serversettings'] = 'Alterar configuraççes do servidor?';
-$lng['admin']['server'] = 'Servidor';
+$lng['admin']['server'] = 'Sistema';
 $lng['admin']['serversettings'] = 'Configurações';
 $lng['admin']['rebuildconf'] = 'Escrever de novo os configs';
 $lng['admin']['stdsubdomain'] = 'Subdomínio padrão';
@@ -642,9 +642,11 @@ $lng['serversettings']['logger']['types']['description'] = 'Especificar tipos de
 $lng['serversettings']['logger']['logfile'] = 'Caminho do Arquivo de Log incluindo nome de arquivo';
 $lng['error']['logerror'] = 'Log-Erro: %s';
 $lng['serversettings']['logger']['logcron'] = 'Logar tarefas do cron';
+$lng['serversettings']['logger']['logcronoption']['never'] = 'Nunca';
+$lng['serversettings']['logger']['logcronoption']['once'] = 'Uma vez';
+$lng['serversettings']['logger']['logcronoption']['always'] = 'Sempre';
 $lng['question']['logger_reallytruncate'] = 'Você realmente deseja dividir a tabela "%s"?';
-$lng['admin']['loggersystem'] = 'Systema-Logging';
-$lng['menue']['logger']['logger'] = 'Systema-Logging';
+$lng['admin']['loggersystem'] = 'Sistema-Log';
 $lng['logger']['date'] = 'Data';
 $lng['logger']['type'] = 'Tipo';
 $lng['logger']['action'] = 'Ação';
--- a/lng/swedish.lng.php
+++ b/lng/swedish.lng.php
@@ -275,7 +275,7 @@ $lng['admin']['admin_edit'] = 'Ändra admin';
 $lng['admin']['customers_see_all'] = 'Kan se alla kunder?';
 $lng['admin']['domains_see_all'] = 'Kan se alla domäner?';
 $lng['admin']['change_serversettings'] = 'Kan ändra serverinställningar?';
-$lng['admin']['server'] = 'Server';
+$lng['admin']['server'] = 'Systemet';
 $lng['admin']['serversettings'] = 'Inställningar';
 $lng['admin']['rebuildconf'] = 'Uppdatera konfig filer';
 $lng['admin']['stdsubdomain'] = 'Standard subdomän';
--- a/scripts/froxlor_master_cronjob.php
+++ b/scripts/froxlor_master_cronjob.php
@@ -20,16 +20,16 @@ define('MASTER_CRONJOB', 1);
 include_once dirname(dirname(__FILE__)) . '/lib/cron_init.php';

 $jobs_to_run = array();
-$lastrun_update = array();

 /**
 * check for --help
 */
-if (isset($argv[1]) && strtolower($argv[1]) == '--help') {
+if (count($argv) < 2 || (isset($argv[1]) && strtolower($argv[1]) == '--help')) {
 	echo "\n*** Froxlor Master Cronjob ***\n\n";
 	echo "Below are possible parameters for this file\n\n";
-	echo "--[cronname]\t\t\tincludes the given cron-file\n";
-	echo "--force\t\t\tforces re-generating of config-files (webserver, nameserver, etc.)\n\n";
+	echo "--[cronname]\t\tincludes the given cron-file\n";
+	echo "--force\t\t\tforces re-generating of config-files (webserver, nameserver, etc.)\n";
+	echo "--debug\t\t\toutput debug information about what is going on to STDOUT.\n\n";
 }

 /**
@@ -37,13 +37,13 @@ if (isset($argv[1]) && strtolower($argv[1]) == '--help') {
 *
 * --[cronname] include [cronname]
 * --force to include cron_tasks even if it's not its turn
+ * --debug to output debug information
 */
 for ($x = 1; $x < count($argv); $x++) {
 	// check argument
 	if (isset($argv[$x])) {
 		// --force
 		if (strtolower($argv[$x]) == '--force') {
-			$crontasks = makeCorrectFile(FROXLOR_INSTALL_DIR.'/scripts/jobs/cron_tasks.php');
 			// really force re-generating of config-files by
 			// inserting task 1
 			inserttask('1');
@@ -51,26 +51,30 @@ for ($x = 1; $x < count($argv); $x++) {
 			inserttask('4');
 			// also regenerate cron.d-file
 			inserttask('99');
-			addToQueue($jobs_to_run, $crontasks);
-			$lastrun_update['tasks'] = $crontasks;
+			addToQueue($jobs_to_run, 'tasks');
+		}
+		elseif (strtolower($argv[$x]) == '--debug') {
+		    define('CRON_DEBUG_FLAG', 1);
 		}
 		// --[cronname]
 		elseif (substr(strtolower($argv[$x]), 0, 2) == '--') {
 			if (strlen($argv[$x]) > 3) {
-				$cronfile = makeCorrectFile(FROXLOR_INSTALL_DIR.'/scripts/jobs/cron_'.substr(strtolower($argv[$x]), 2).'.php');
-				addToQueue($jobs_to_run, $cronfile);
-				$lastrun_update[substr(strtolower($argv[$x]), 2)] = $cronfile;
+				$cronname = substr(strtolower($argv[$x]), 2);
+				addToQueue($jobs_to_run, $cronname);
 			}
 		}
 	}
 }

+$cronlog->setCronDebugFlag(defined('CRON_DEBUG_FLAG'));
+
 // do we have anything to include?
 if (count($jobs_to_run) > 0) {
 	// include all jobs we want to execute
 	foreach ($jobs_to_run as $cron) {
-		updateLastRunOfCron($lastrun_update, $cron);
-		require_once $cron;
+		updateLastRunOfCron($cron);
+		$cronfile = getCronFile($cron);
+		require_once $cronfile;
 	}
 }

@@ -88,21 +92,22 @@ checkLastGuid();
 include_once FROXLOR_INSTALL_DIR . '/lib/cron_shutdown.php';

 // -- helper function
-function addToQueue(&$jobs_to_run, $cronfile = null, $checkExists = true) {
-	if ($checkExists == false || ($checkExists && file_exists($cronfile))) {
-		if (!in_array($cronfile, $jobs_to_run)) {
-			array_unshift($jobs_to_run, $cronfile);
+function getCronFile($cronname) {
+	return makeCorrectFile(FROXLOR_INSTALL_DIR.'/scripts/jobs/cron_'.$cronname.'.php');
+}
+
+function addToQueue(&$jobs_to_run, $cronname) {
+	if (!in_array($cronname, $jobs_to_run)) {
+		$cronfile = getCronFile($cronname);
+		if (file_exists($cronfile)) {
+			array_unshift($jobs_to_run, $cronname);
 		}
 	}
 }

-function updateLastRunOfCron($update_arr, $cronfile) {
-	foreach ($update_arr as $cron => $cronf) {
-		if ($cronf == $cronfile) {
-			$upd_stmt = Database::prepare("
-				UPDATE `".TABLE_PANEL_CRONRUNS."` SET `lastrun` = UNIX_TIMESTAMP() WHERE `cronfile` = :cron;
-			");
-			Database::pexecute($upd_stmt, array('cron' => $cron));
-		}
-	}
+function updateLastRunOfCron($cronname) {
+	$upd_stmt = Database::prepare("
+		UPDATE `".TABLE_PANEL_CRONRUNS."` SET `lastrun` = UNIX_TIMESTAMP() WHERE `cronfile` = :cron;
+	");
+	Database::pexecute($upd_stmt, array('cron' => $cronname));
 }
--- a/scripts/jobs/cron_letsencrypt.php
+++ b/scripts/jobs/cron_letsencrypt.php
@@ -0,0 +1,123 @@
+<?php if (!defined('MASTER_CRONJOB')) die('You cannot access this file directly!');
+
+/**
+ * This file is part of the Froxlor project.
+ * Copyright (c) 2016 the Froxlor Team (see authors).
+ *
+ * For the full copyright and license information, please view the COPYING
+ * file that was distributed with this source code. You can also view the
+ * COPYING file online at http://files.froxlor.org/misc/COPYING.txt
+ *
+ * @copyright  (c) the authors
+ * @author     Florian Aders  <kontakt-froxlor@neteraser.de>
+ * @author     Froxlor team <team@froxlor.org> (2016-)
+ * @license    GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package    Cron
+ *
+ * @since      0.9.35
+ *
+ */
+
+$cronlog->logAction(CRON_ACTION, LOG_INFO, "Updating Let's Encrypt certificates");
+
+$certificates_stmt = Database::query("
+	SELECT domssl.`id`, domssl.`domainid`, domssl.expirationdate, domssl.`ssl_cert_file`, domssl.`ssl_key_file`, domssl.`ssl_ca_file`, domssl.`ssl_csr_file`, dom.`domain`, dom.`iswildcarddomain`, dom.`wwwserveralias`,
+	dom.`documentroot`, dom.`id` as 'domainid', dom.`ssl_redirect`, cust.`leprivatekey`, cust.`lepublickey`, cust.customerid, cust.loginname
+	FROM `".TABLE_PANEL_CUSTOMERS."` as cust, `".TABLE_PANEL_DOMAINS."` dom LEFT JOIN `".TABLE_PANEL_DOMAIN_SSL_SETTINGS."` domssl ON (dom.id = domssl.domainid)
+	WHERE dom.customerid = cust.customerid AND dom.letsencrypt = 1 AND (domssl.expirationdate < DATE_ADD(NOW(), INTERVAL 30 DAY) OR domssl.expirationdate IS NULL)
+");
+
+$updcert_stmt = Database::prepare("
+	REPLACE INTO `".TABLE_PANEL_DOMAIN_SSL_SETTINGS."` SET `id` = :id, `domainid` = :domainid, `ssl_cert_file` = :crt, `ssl_key_file` = :key, `ssl_ca_file` = :ca, `ssl_cert_chainfile` = :chain, `ssl_csr_file` = :csr, expirationdate = :expirationdate
+");
+
+$upddom_stmt = Database::prepare("
+	UPDATE `".TABLE_PANEL_DOMAINS."` SET `ssl_redirect` = '1' WHERE `id` = :domainid
+");
+
+$changedetected = 0;
+$certrows = $certificates_stmt->fetchAll(PDO::FETCH_ASSOC);
+foreach($certrows AS $certrow) {
+
+    // set logger to corresponding loginname for the log to appear in the users system-log
+    $cronlog = FroxlorLogger::getInstanceOf(array('loginname' => $certrow['loginname']));
+
+	// Only renew let's encrypt certificate if no broken ssl_redirect is enabled
+	if ($certrow['ssl_redirect'] != 2)
+	{
+		$cronlog->logAction(CRON_ACTION, LOG_DEBUG, "Updating " . $certrow['domain']);
+
+		if ($certrow['ssl_cert_file']) {
+			$cronlog->logAction(CRON_ACTION, LOG_DEBUG, "letsencrypt using old key / SAN for " . $certrow['domain']);
+			// Parse the old certificate
+			$x509data = openssl_x509_parse($certrow['ssl_cert_file']);
+
+			// We are interessted in the old SAN - data
+			$san = explode(', ', $x509data['extensions']['subjectAltName']);
+			$domains = array();
+			foreach($san as $dnsname) {
+				$domains[] = substr($dnsname, 4);
+			}
+		} else {
+			$cronlog->logAction(CRON_ACTION, LOG_DEBUG, "letsencrypt generating new key / SAN for " . $certrow['domain']);
+			$domains = array($certrow['domain']);
+			// Add www.<domain> for SAN
+			if ($certrow['wwwserveralias'] == 1) {
+				$domains[] = 'www.' . $certrow['domain'];
+			}
+		}
+
+		try {
+			// Initialize Lescript with documentroot
+			$le = new lescript($cronlog);
+
+			// Initialize Lescript
+			$le->initAccount($certrow);
+
+			// Request the new certificate (old key may be used)
+			$return = $le->signDomains($domains, $certrow['ssl_key_file'], $certrow['ssl_csr_file']);
+
+			// We are interessted in the expirationdate
+			$newcert = openssl_x509_parse($return['crt']);
+
+			// Store the new data
+			Database::pexecute($updcert_stmt, array(
+					'id' => $certrow['id'],
+					'domainid' => $certrow['domainid'],
+					'crt' => $return['crt'],
+					'key' => $return['key'],
+					'ca' => $return['chain'],
+					'chain' => $return['chain'],
+					'csr' => $return['csr'],
+					'expirationdate' => date('Y-m-d H:i:s', $newcert['validTo_time_t'])
+				)
+			);
+
+			if ($certrow['ssl_redirect'] == 3) {
+				Database::pexecute($upddom_stmt, array(
+						'domainid' => $certrow['domainid']
+					)
+				);
+			}
+
+			$cronlog->logAction(CRON_ACTION, LOG_INFO, "Updated Let's Encrypt certificate for " . $certrow['domain']);
+
+			$changedetected = 1;
+
+		} catch (Exception $e) {
+			$cronlog->logAction(CRON_ACTION, LOG_ERR, "Could not get Let's Encrypt certificate for " . $certrow['domain'] . ": " . $e->getMessage());
+		}
+	} else {
+		$cronlog->logAction(CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect");
+	}
+}
+
+// If we have a change in a certificate, we need to update the webserver - configs
+// This is easiest done by just creating a new task ;)
+if ($changedetected) {
+	inserttask(1);
+}
+
+// reset logger
+$cronlog = FroxlorLogger::getInstanceOf(array('loginname' => 'cronjob'));
+$cronlog->logAction(CRON_ACTION, LOG_INFO, "Let's Encrypt certificates have been updated");
--- a/scripts/jobs/cron_mailboxsize.php
+++ b/scripts/jobs/cron_mailboxsize.php
@@ -18,7 +18,7 @@
 *
 */

-fwrite($debugHandler, "calculating mailspace usage\n");
+$cronlog->logAction(CRON_ACTION, LOG_NOTICE, 'calculating mailspace usage');

 $maildirs_stmt = Database::query("
 	SELECT `id`, CONCAT(`homedir`, `maildir`) AS `maildirpath` FROM `".TABLE_MAIL_USERS."` ORDER BY `id`
@@ -50,6 +50,6 @@ while ($maildir = $maildirs_stmt->fetch(PDO::FETCH_ASSOC)) {
 		unset($back);
 		Database::pexecute($upd_stmt, array('size' => $emailusage, 'id' => $maildir['id']));
 	} else {
-		fwrite($debugHandler, 'maildir ' . $_maildir . ' does not exist' . "\n");
+		$cronlog->logAction(CRON_ACTION, LOG_WARNING, 'maildir ' . $_maildir . ' does not exist');
 	}
 }
--- a/scripts/jobs/cron_tasks.inc.dns.10.bind.php
+++ b/scripts/jobs/cron_tasks.inc.dns.10.bind.php
@@ -19,28 +19,36 @@

 class bind {
 	public $logger = false;
-	public $debugHandler = false;
 	public $nameservers = array();
 	public $mxservers = array();
 	public $axfrservers = array();

 	private $_known_filenames = array();
+	private $_bindconf_file = '';

-	public function __construct($logger, $debugHandler) {
+	public function __construct($logger) {

 		$this->logger = $logger;
-		$this->debugHandler = $debugHandler;

 		if (Settings::Get('system.nameservers') != '') {
 			$nameservers = explode(',', Settings::Get('system.nameservers'));
 			foreach ($nameservers as $nameserver) {
-				$nameserver_ip = gethostbyname(trim($nameserver));
+				$nameserver = trim($nameserver);
+				// DNS servers might be multi homed; allow transfer from all ip
+				// addresses of the DNS server
+				$nameserver_ips = gethostbynamel($nameserver);
+				// append dot to hostname
 				if (substr($nameserver, -1, 1) != '.') {
 					$nameserver.= '.';
 				}
+				// ignore invalid responses
+				if (!is_array($nameserver_ips)) {
+					// act like gethostbyname() and return unmodified hostname on error
+					$nameserver_ips = array($nameserver);
+				}
 				$this->nameservers[] = array(
-					'hostname' => trim($nameserver),
-					'ip' => trim($nameserver_ip)
+					'hostname' => $nameserver,
+					'ips' => $nameserver_ips
 				);
 			}
 		}
@@ -66,7 +74,6 @@ class bind {


 	public function writeConfigs() {
-		fwrite($this->debugHandler, '  cron_tasks: Task4 started - Rebuilding froxlor_bind.conf' . "\n");
 		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'Task4 started - Rebuilding froxlor_bind.conf');

 		if (!file_exists(makeCorrectDir(Settings::Get('system.bindconf_directory') . '/domains/'))) {
@@ -76,16 +83,23 @@ class bind {

 		$this->_known_filenames = array();

-		$bindconf_file = '# ' . Settings::Get('system.bindconf_directory') . 'froxlor_bind.conf' . "\n" . '# Created ' . date('d.m.Y H:i') . "\n" . '# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.' . "\n" . "\n";
+		$this->_bindconf_file = '# ' . Settings::Get('system.bindconf_directory') . 'froxlor_bind.conf' . "\n" .
+				'# Created ' . date('d.m.Y H:i') . "\n" .
+				'# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.' . "\n" . "\n";
 		$result_domains_stmt = Database::query("
-			SELECT `d`.`id`, `d`.`domain`, `d`.`iswildcarddomain`, `d`.`wwwserveralias`, `d`.`customerid`, `d`.`zonefile`, `d`.`bindserial`, `d`.`dkim`, `d`.`dkim_id`, `d`.`dkim_pubkey`, `c`.`loginname`, `c`.`guid`
+			SELECT `d`.`id`, `d`.`domain`, `d`.`isemaildomain`, `d`.`iswildcarddomain`, `d`.`wwwserveralias`, `d`.`customerid`,
+				`d`.`zonefile`, `d`.`bindserial`, `d`.`dkim`, `d`.`dkim_id`, `d`.`dkim_pubkey`, `d`.`ismainbutsubto`,
+				`c`.`loginname`, `c`.`guid`
 			FROM `" . TABLE_PANEL_DOMAINS . "` `d` LEFT JOIN `" . TABLE_PANEL_CUSTOMERS . "` `c` USING(`customerid`)
 			WHERE `d`.`isbinddomain` = '1' ORDER BY `d`.`domain` ASC
 		");

-		// customer-domains
+		$domains = array();
+
+		// don't use fetchall() to be able to set the first column to the domain id and use it later on to set the rows'
+		// array of direct children without having to search the outer array
 		while ($domain = $result_domains_stmt->fetch(PDO::FETCH_ASSOC)) {
-			$bindconf_file .= $this->_generateDomainConfig($domain);
+			$domains[$domain["id"]] = $domain;
 		}

 		// frolxor-hostname (#1090)
@@ -93,23 +107,71 @@ class bind {
 			$hostname_arr = array(
 				'id' => 'none',
 				'domain' => Settings::Get('system.hostname'),
+				'isemaildomain' => Settings::Get('system.dns_createmailentry'),
 				'customerid' => 'none',
 				'loginname' => 'froxlor.panel',
 				'bindserial' => date('Ymd').'00',
 				'dkim' => '0',
 				'iswildcarddomain' => '1',
-				'zonefile' => ''
+				'ismainbutsubto' => '0',
+				'zonefile' => '',
+				'froxlorhost' => '1'
 			);
-			$bindconf_file .= $this->_generateDomainConfig($hostname_arr, true);
+			$domains['none'] = $hostname_arr;
+		}
+
+		if (empty($domains)) {
+		    $this->logger->logAction(CRON_ACTION, LOG_INFO, 'No domains found for nameserver-config, skipping...');
+		    return;
+		}
+
+		// collect domain IDs of direct child domains as arrays in ['children'] column
+		foreach (array_keys($domains) as $key) {
+			if (!isset($domains[$key]['children'])) {
+				$domains[$key]['children'] = array();
+			}
+			if ($domains[$key]['ismainbutsubto'] > 0) {
+				if (isset($domains[  $domains[$key]['ismainbutsubto']  ])) {
+					$domains[  $domains[$key]['ismainbutsubto']  ]['children'][] = $domains[$key]['id'];
+				} else {
+					$this->logger->logAction(CRON_ACTION, LOG_ERR,
+						'Database inconsistency: domain ' . $domain['domain'] . ' (ID #' . $key .
+						') is set to to be subdomain to non-existent domain ID #' .
+						$domains[$key]['ismainbutsubto'] .
+						'. No DNS record(s) will be created for this domain.');
+				}
+			}
+		}
+
+		$this->logger->logAction(CRON_ACTION, LOG_DEBUG,
+			str_pad('domId', 9, ' ') . str_pad('domain', 40, ' ') .
+			'ismainbutsubto ' . str_pad('parent domain', 40, ' ') .
+			"list of child domain ids");
+		foreach ($domains as $domain) {
+			$logLine =
+				str_pad($domain['id'], 9, ' ') .
+				str_pad($domain['domain'], 40, ' ') .
+				str_pad($domain['ismainbutsubto'], 15, ' ') .
+				str_pad(((isset($domains[  $domain['ismainbutsubto']   ])) ?
+						$domains[  $domain['ismainbutsubto']   ]['domain'] :
+						'-'), 40, ' ') .
+				join(', ', $domain['children']);
+			$this->logger->logAction(CRON_ACTION, LOG_DEBUG, $logLine);
+		}
+
+		foreach ($domains as $domain) {
+			if ($domain['ismainbutsubto'] > 0) {
+				// domains with ismainbutsubto>0 are handled by recursion within walkDomainList()
+				continue;
+			}
+			$this->walkDomainList($domain, $domains);
 		}

 		$bindconf_file_handler = fopen(makeCorrectFile(Settings::Get('system.bindconf_directory') . '/froxlor_bind.conf'), 'w');
-		fwrite($bindconf_file_handler, $bindconf_file);
+		fwrite($bindconf_file_handler, $this->_bindconf_file);
 		fclose($bindconf_file_handler);
-		fwrite($this->debugHandler, '  cron_tasks: Task4 - froxlor_bind.conf written' . "\n");
 		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'froxlor_bind.conf written');
 		safe_exec(escapeshellcmd(Settings::Get('system.bindreload_command')));
-		fwrite($this->debugHandler, '  cron_tasks: Task4 - Bind9 reloaded' . "\n");
 		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'Bind9 reloaded');
 		$domains_dir = makeCorrectDir(Settings::Get('system.bindconf_directory') . '/domains/');

@@ -125,33 +187,48 @@ class bind {
 					&& !in_array($domain_filename, $this->_known_filenames)
 					&& is_file($full_filename)
 					&& file_exists($full_filename)) {
-					fwrite($this->debugHandler, '  cron_tasks: Task4 - unlinking ' . $domain_filename . "\n");
 					$this->logger->logAction(CRON_ACTION, LOG_WARNING, 'Deleting ' . $domain_filename);
 					unlink(makeCorrectFile($domains_dir . '/' . $domain_filename));
 				}
 			}
 		}
+		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'Task4 finished');
 	}

-	private function _generateDomainConfig($domain = array(), $froxlorhost = false) {
+	private function walkDomainList($domain, $domains) {
+		$zonefile = '';
+		$subzones = '';

-		$bindconf_file = '';
+		foreach($domain['children'] as $child_domain_id) {
+			$subzones.= $this->walkDomainList($domains[$child_domain_id], $domains);
+		}

-		fwrite($this->debugHandler, '  cron_tasks: Task4 - Writing ' . $domain['id'] . '::' . $domain['domain'] . "\n");
-		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'Writing ' . $domain['id'] . '::' . $domain['domain']);
-
-		if ($domain['zonefile'] == '') {
-			$zonefile = $this->generateZone($domain, $froxlorhost);
+		if ($domain['ismainbutsubto'] == 0 &&  $domain['zonefile'] == '') {
+			$zonefile = $this->generateZone($domain);
 			$domain['zonefile'] = 'domains/' . $domain['domain'] . '.zone';
 			$zonefile_name = makeCorrectFile(Settings::Get('system.bindconf_directory') . '/' . $domain['zonefile']);
 			$this->_known_filenames[] = basename($zonefile_name);
 			$zonefile_handler = fopen($zonefile_name, 'w');
-			fwrite($zonefile_handler, $zonefile);
+			fwrite($zonefile_handler, $zonefile.$subzones);
 			fclose($zonefile_handler);
-			fwrite($this->debugHandler, '  cron_tasks: Task4 - `' . $zonefile_name . '` zone written' . "\n");
+			$this->logger->logAction(CRON_ACTION, LOG_INFO, '`' . $zonefile_name . '` zone written');
+		} else {
+			return $this->generateZone($domain);
 		}

-		$bindconf_file.= '# Domain ID: ' . $domain['id'] . ' - CustomerID: ' . $domain['customerid'] . ' - CustomerLogin: ' . $domain['loginname'] . "\n";
+		if ($zonefile !== '') {
+			$this->_bindconf_file .= $this->_generateDomainConfig($domain);
+		}
+	}
+
+	private function _generateDomainConfig($domain = array()) {
+		if (isset($domain['froxlorhost']) && $domain['froxlorhost'] === '1') {
+			$froxlorhost = true;
+		} else {
+			$froxlorhost = false;
+		}
+
+		$bindconf_file = '# Domain ID: ' . $domain['id'] . ' - CustomerID: ' . $domain['customerid'] . ' - CustomerLogin: ' . $domain['loginname'] . "\n";
 		$bindconf_file.= 'zone "' . $domain['domain'] . '" in {' . "\n";
 		$bindconf_file.= '	type master;' . "\n";
 		$bindconf_file.= '	file "' . makeCorrectFile(Settings::Get('system.bindconf_directory') . '/' . $domain['zonefile']) . '";' . "\n";
@@ -165,7 +242,9 @@ class bind {
 			// put nameservers in allow-transfer
 			if (count($this->nameservers) > 0) {
 				foreach ($this->nameservers as $ns) {
-					$bindconf_file.= '		' . $ns['ip'] . ';' . "\n";
+					foreach($ns["ips"] as $ip) {
+						$bindconf_file.= '		' . $ip . ";\n";
+					}
 				}
 			}
 			// AXFR server #100
@@ -187,15 +266,19 @@ class bind {
 	}

 	/**
-	 * generate bind zone content. If froxlorhost is true,
-	 * we will use ALL available IP addresses
+	 * generate bind zone content.
 	 *
 	 * @param array $domain
-	 * @param boolean $froxlorhost
 	 *
 	 * @return string
 	 */
-	protected function generateZone($domain, $froxlorhost = false) {
+	protected function generateZone($domain) {
+		if (isset($domain['froxlorhost']) && $domain['froxlorhost'] === '1') {
+			$froxlorhost = true;
+		} else {
+			$froxlorhost = false;
+		}
+
 		// Array to save all ips needed in the records (already including IN A/AAAA)
 		$ip_a_records = array();
 		// Array to save DNS records
@@ -235,71 +318,77 @@ class bind {
 			}
 		}

-		$date = date('Ymd');
-		$bindserial = (preg_match('/^' . $date . '/', $domain['bindserial']) ? $domain['bindserial'] + 1 : $date . '00');
+		if ($domain['ismainbutsubto'] == 0) {
+			$date = date('Ymd');
+			$bindserial = (preg_match('/^' . $date . '/', $domain['bindserial']) ? $domain['bindserial'] + 1 : $date . '00');

-		if (!$froxlorhost) {
-			$upd_stmt = Database::prepare("
-				UPDATE `" . TABLE_PANEL_DOMAINS . "` SET
-				`bindserial` = :serial
-				 WHERE `id` = :id
-			");
-			Database::pexecute($upd_stmt, array('serial' => $bindserial, 'id' => $domain['id']));
-		}
+			if (!$froxlorhost) {
+				$upd_stmt = Database::prepare("
+					UPDATE `" . TABLE_PANEL_DOMAINS . "` SET
+					`bindserial` = :serial
+					 WHERE `id` = :id
+				");
+				Database::pexecute($upd_stmt, array('serial' => $bindserial, 'id' => $domain['id']));
+			}

-		$zonefile = '$TTL ' . (int)Settings::Get('system.defaultttl') . "\n";
-		if (count($this->nameservers) == 0) {
-			$zonefile.= '@ IN SOA ns ' . str_replace('@', '.', Settings::Get('panel.adminmail')) . '. (' . "\n";
-		} else {
-			$zonefile.= '@ IN SOA ' . $this->nameservers[0]['hostname'] . ' ' . str_replace('@', '.', Settings::Get('panel.adminmail')) . '. (' . "\n";
-		}
+			$zonefile = '$TTL ' . (int)Settings::Get('system.defaultttl') . "\n";
+			if (count($this->nameservers) == 0) {
+				$zonefile.= '@ IN SOA ns ' . str_replace('@', '.', Settings::Get('panel.adminmail')) . '. (' . "\n";
+			} else {
+				$zonefile.= '@ IN SOA ' . $this->nameservers[0]['hostname'] . ' ' . str_replace('@', '.', Settings::Get('panel.adminmail')) . '. (' . "\n";
+			}

-		$zonefile.= '	' . $bindserial . ' ; serial' . "\n" . '	8H ; refresh' . "\n" . '	2H ; retry' . "\n" . '	1W ; expiry' . "\n" . '	11h) ; minimum' . "\n";
+			$zonefile.= '	' . $bindserial . ' ; serial' . "\n" . '	8H ; refresh' . "\n" . '	2H ; retry' . "\n" . '	1W ; expiry' . "\n" . '	11h) ; minimum' . "\n";

-		// no nameservers given, use all if the A/AAAA entries
-		if (count($this->nameservers) == 0) {
-			$zonefile .= '@    IN    NS    ns' . "\n";
-			foreach ($ip_a_records as $ip_a_record) {
-				$zonefile .= 'ns    IN    ' . $ip_a_record . "\n";
+			// no nameservers given, use all of the A/AAAA entries
+			if (count($this->nameservers) == 0) {
+				$zonefile .= '@    IN    NS    ns' . "\n";
+				foreach ($ip_a_records as $ip_a_record) {
+					$zonefile .= 'ns    IN    ' . $ip_a_record . "\n";
+				}
+			} else {
+				foreach ($this->nameservers as $nameserver) {
+					$zonefile.= '@    IN    NS    ' . trim($nameserver['hostname']) . "\n";
+				}
 			}
 		} else {
-			foreach ($this->nameservers as $nameserver) {
-				$zonefile.= '@    IN    NS    ' . trim($nameserver['hostname']) . "\n";
-			}
+			$zonefile = '$ORIGIN ' . $domain["domain"] . ".\n";
 		}

-		if (count($this->mxservers) == 0) {
-			$zonefile.= '@	IN	MX	10 mail' . "\n";
-			$records[] = 'mail';
-			if ($domain['iswildcarddomain'] != '1') {
-				$records[] = 'imap';
-				$records[] = 'smtp';
-				$records[] = 'pop3';
-			}
-		} else {
-			foreach ($this->mxservers as $mxserver) {
-				$zonefile.= '@    IN    MX    ' . trim($mxserver) . "\n";
-			}
-
-			if (Settings::Get('system.dns_createmailentry') == '1') {
+		if ($domain['isemaildomain'] === '1') {
+			if (count($this->mxservers) == 0) {
+				$zonefile.= '@	IN	MX	10 mail' . "\n";
 				$records[] = 'mail';
 				if ($domain['iswildcarddomain'] != '1') {
 					$records[] = 'imap';
 					$records[] = 'smtp';
 					$records[] = 'pop3';
 				}
-			}
-		}
+			} else {
+				foreach ($this->mxservers as $mxserver) {
+					$zonefile.= '@    IN    MX    ' . trim($mxserver) . "\n";
+				}

-		/*
-		 * @TODO domain-based spf-settings
-		*/
-		if (Settings::Get('spf.use_spf') == '1'
-			/*&& $domain['spf'] == '1' */
-		) {
-			$zonefile.= Settings::Get('spf.spf_entry') . "\n";
-			if (in_array('mail', $records)) {
-				$zonefile.= str_replace('@', 'mail', Settings::Get('spf.spf_entry')) . "\n";
+				if (Settings::Get('system.dns_createmailentry') == '1') {
+					$records[] = 'mail';
+					if ($domain['iswildcarddomain'] != '1') {
+						$records[] = 'imap';
+						$records[] = 'smtp';
+						$records[] = 'pop3';
+					}
+				}
+			}
+
+			/*
+			 * @TODO domain-based spf-settings
+			*/
+			if (Settings::Get('spf.use_spf') == '1'
+				/*&& $domain['spf'] == '1' */
+			) {
+				$zonefile.= Settings::Get('spf.spf_entry') . "\n";
+				if (in_array('mail', $records)) {
+					$zonefile.= str_replace('@', 'mail', Settings::Get('spf.spf_entry')) . "\n";
+				}
 			}
 		}

@@ -311,7 +400,7 @@ class bind {
 		if (!$froxlorhost) {
 			$nssubdomains_stmt = Database::prepare("
 				SELECT `domain` FROM `" . TABLE_PANEL_DOMAINS . "`
-				WHERE `isbinddomain` = '1' AND `domain` LIKE :domain
+				WHERE `isbinddomain` = '1' AND `ismainbutsubto` = '0' AND `domain` LIKE :domain
 			");
 			Database::pexecute($nssubdomains_stmt, array('domain' => '%.' . $domain['domain']));

@@ -333,10 +422,11 @@ class bind {
 		}

 		$records[] = '@';
-		$records[] = 'www';

 		if ($domain['iswildcarddomain'] == '1') {
 			$records[] = '*';
+		} else if ($domain['wwwserveralias'] == '1') {
+			$records[] = 'www';
 		}

 		if (!$froxlorhost) {
@@ -521,7 +611,6 @@ class bind {
 			fclose($dkimkeys_file_handler);

 			safe_exec(escapeshellcmd(Settings::Get('dkim.dkimrestart_command')));
-			fwrite($this->debugHandler, '  cron_tasks: Task4 - Dkim-milter reloaded' . "\n");
 			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'Dkim-milter reloaded');
 		}
 	}
--- a/scripts/jobs/cron_tasks.inc.http.10.apache.php
+++ b/scripts/jobs/cron_tasks.inc.http.10.apache.php
@@ -21,7 +21,6 @@ require_once(dirname(__FILE__).'/../classes/class.HttpConfigBase.php');

 class apache extends HttpConfigBase {
 	private $logger = false;
-	private $debugHandler = false;
 	private $idnaConvert = false;

 	// protected
@@ -40,21 +39,18 @@ class apache extends HttpConfigBase {
 	 */
 	private $_deactivated = false;

-	public function __construct($logger, $debugHandler, $idnaConvert) {
+	public function __construct($logger, $idnaConvert) {
 		$this->logger = $logger;
-		$this->debugHandler = $debugHandler;
 		$this->idnaConvert = $idnaConvert;
 	}


 	public function reload() {
 		if ((int)Settings::Get('phpfpm.enabled') == 1) {
-			fwrite($this->debugHandler, '   apache::reload: reloading php-fpm' . "\n");
-			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'reloading php-fpm');
+			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'apache::reload: reloading php-fpm');
 			safe_exec(escapeshellcmd(Settings::Get('phpfpm.reload')));
 		}
-		fwrite($this->debugHandler, '   apache::reload: reloading apache' . "\n");
-		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'reloading apache');
+		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'apache::reload: reloading apache');
 		safe_exec(escapeshellcmd(Settings::Get('system.apachereload_command')));
 	}

@@ -76,8 +72,7 @@ class apache extends HttpConfigBase {
 		) {
 			// if we use fcgid or php-fpm we don't need this file
 			if (file_exists($vhosts_filename)) {
-				fwrite($this->debugHandler, '  apache::_createStandardDirectoryEntry: unlinking ' . basename($vhosts_filename) . "\n");
-				$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'unlinking ' . basename($vhosts_filename));
+				$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'apache::_createStandardDirectoryEntry: unlinking ' . basename($vhosts_filename));
 				unlink(makeCorrectFile($vhosts_filename));
 			}
 		} else {
@@ -89,6 +84,7 @@ class apache extends HttpConfigBase {
 			// >=apache-2.4 enabled?
 			if (Settings::Get('system.apache24') == '1') {
 				$this->virtualhosts_data[$vhosts_filename].= '    Require all granted' . "\n";
+				$this->virtualhosts_data[$vhosts_filename].= '    AllowOverride All' . "\n";
 			} else {
 				$this->virtualhosts_data[$vhosts_filename].= '    Order allow,deny' . "\n";
 				$this->virtualhosts_data[$vhosts_filename].= '    allow from all' . "\n";
@@ -147,8 +143,7 @@ class apache extends HttpConfigBase {
 				$ipport = $row_ipsandports['ip'] . ':' . $row_ipsandports['port'];
 			}

-			fwrite($this->debugHandler, '  apache::createIpPort: creating ip/port settings for  ' . $ipport . "\n");
-			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'creating ip/port settings for  ' . $ipport);
+			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'apache::createIpPort: creating ip/port settings for  ' . $ipport);
 			$vhosts_filename = makeCorrectFile(Settings::Get('system.apacheconf_vhost') . '/10_froxlor_ipandport_' . trim(str_replace(':', '.', $row_ipsandports['ip']), '.') . '.' . $row_ipsandports['port'] . '.conf');

 			if (!isset($this->virtualhosts_data[$vhosts_filename])) {
@@ -236,6 +231,7 @@ class apache extends HttpConfigBase {
 							// for this path, as this would be the first require and therefore grant all access
 							if ($mypath_dir->isUserProtected() == false) {
 								$this->virtualhosts_data[$vhosts_filename].= '    Require all granted' . "\n";
+								$this->virtualhosts_data[$vhosts_filename].= '    AllowOverride All' . "\n";
 							}
 						} else {
 							$this->virtualhosts_data[$vhosts_filename].= '    Order allow,deny' . "\n";
@@ -265,7 +261,7 @@ class apache extends HttpConfigBase {
 					if ($row_ipsandports['ssl']) {
 						$srvName = substr(md5($ipport),0,4).'.ssl-fpm.external';
 					}
-					
+
 					// mod_proxy stuff for apache-2.4
 					if (Settings::Get('system.apache24') == '1'
 							&& Settings::Get('phpfpm.use_mod_proxy') == '1'
@@ -273,7 +269,7 @@ class apache extends HttpConfigBase {
 						$this->virtualhosts_data[$vhosts_filename] .= '  <FilesMatch \.php$>'. "\n";
 						$this->virtualhosts_data[$vhosts_filename] .= '  SetHandler proxy:unix:' . $php->getInterface()->getSocketFile()  . '|fcgi://localhost'. "\n";
 						$this->virtualhosts_data[$vhosts_filename] .= '  </FilesMatch>' . "\n";
-					
+
 					} else {
 						$this->virtualhosts_data[$vhosts_filename] .= '  FastCgiExternalServer ' . $php->getInterface()->getAliasConfigDir() . $srvName .' -socket ' . $php->getInterface()->getSocketFile() . ' -idle-timeout ' . Settings::Get('phpfpm.idle_timeout') . "\n";
 						$this->virtualhosts_data[$vhosts_filename] .= '  <Directory "' . $mypath . '">' . "\n";
@@ -290,6 +286,7 @@ class apache extends HttpConfigBase {
 							// for this path, as this would be the first require and therefore grant all access
 							if ($mypath_dir->isUserProtected() == false) {
 								$this->virtualhosts_data[$vhosts_filename] .= '    Require all granted' . "\n";
+								$this->virtualhosts_data[$vhosts_filename] .= '    AllowOverride All' . "\n";
 							}
 						} else {
 							$this->virtualhosts_data[$vhosts_filename] .= '    Order allow,deny' . "\n";
@@ -358,51 +355,51 @@ class apache extends HttpConfigBase {

 					if ($row_ipsandports['ssl_cert_file'] != '') {

-					    // check for existence, #1485
-					    if (!file_exists($row_ipsandports['ssl_cert_file'])) {
-					        $this->logger->logAction(CRON_ACTION, LOG_ERROR, $ipport . ' :: certificate file "'.$row_ipsandports['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
-					        echo $ipport . ' :: certificate file "'.$row_ipsandports['ssl_cert_file'].'" does not exist! Cannot create SSL-directives'."\n";
-					    } else {
+						// check for existence, #1485
+						if (!file_exists($row_ipsandports['ssl_cert_file'])) {
+							$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate file "'.$row_ipsandports['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
+							echo $ipport . ' :: certificate file "'.$row_ipsandports['ssl_cert_file'].'" does not exist! Cannot create SSL-directives'."\n";
+						} else {

-                            $this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n";
-                            $this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol ALL -SSLv2 -SSLv3' . "\n";
-                            // this makes it more secure, thx to Marcel (08/2013)
-                            $this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder On' . "\n";
-                            $this->virtualhosts_data[$vhosts_filename] .= ' SSLCipherSuite ' . Settings::Get('system.ssl_cipher_list') . "\n";
-                            $this->virtualhosts_data[$vhosts_filename] .= ' SSLVerifyDepth 10' . "\n";
-                            $this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateFile ' . makeCorrectFile($row_ipsandports['ssl_cert_file']) . "\n";
+							$this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n";
+							$this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol ALL -SSLv2 -SSLv3' . "\n";
+							// this makes it more secure, thx to Marcel (08/2013)
+							$this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder On' . "\n";
+							$this->virtualhosts_data[$vhosts_filename] .= ' SSLCipherSuite ' . Settings::Get('system.ssl_cipher_list') . "\n";
+							$this->virtualhosts_data[$vhosts_filename] .= ' SSLVerifyDepth 10' . "\n";
+							$this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateFile ' . makeCorrectFile($row_ipsandports['ssl_cert_file']) . "\n";

-                            if ($row_ipsandports['ssl_key_file'] != '') {
-                                // check for existence, #1485
-                                if (!file_exists($row_ipsandports['ssl_key_file'])) {
-                                    $this->logger->logAction(CRON_ACTION, LOG_ERROR, $ipport . ' :: certificate key file "'.$row_ipsandports['ssl_key_file'].'" does not exist! Cannot create ssl-directives');
-                                    echo $ipport . ' :: certificate key file "'.$row_ipsandports['ssl_key_file'].'" does not exist! SSL-directives might not be working'."\n";
-                                } else {
-                                    $this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateKeyFile ' . makeCorrectFile($row_ipsandports['ssl_key_file']) . "\n";
-                                }
-                            }
+							if ($row_ipsandports['ssl_key_file'] != '') {
+								// check for existence, #1485
+								if (!file_exists($row_ipsandports['ssl_key_file'])) {
+									$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate key file "'.$row_ipsandports['ssl_key_file'].'" does not exist! Cannot create ssl-directives');
+									echo $ipport . ' :: certificate key file "'.$row_ipsandports['ssl_key_file'].'" does not exist! SSL-directives might not be working'."\n";
+								} else {
+									$this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateKeyFile ' . makeCorrectFile($row_ipsandports['ssl_key_file']) . "\n";
+								}
+							}

-                            if ($row_ipsandports['ssl_ca_file'] != '') {
-                                // check for existence, #1485
-                                if (!file_exists($row_ipsandports['ssl_ca_file'])) {
-                                    $this->logger->logAction(CRON_ACTION, LOG_ERROR, $ipport . ' :: certificate CA file "'.$row_ipsandports['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
-                                    echo $ipport . ' :: certificate CA file "'.$row_ipsandports['ssl_ca_file'].'" does not exist! SSL-directives might not be working'."\n";
-                                } else {
-                                    $this->virtualhosts_data[$vhosts_filename] .= ' SSLCACertificateFile ' . makeCorrectFile($row_ipsandports['ssl_ca_file']) . "\n";
-                                }
-                            }
+							if ($row_ipsandports['ssl_ca_file'] != '') {
+								// check for existence, #1485
+								if (!file_exists($row_ipsandports['ssl_ca_file'])) {
+									$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate CA file "'.$row_ipsandports['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
+									echo $ipport . ' :: certificate CA file "'.$row_ipsandports['ssl_ca_file'].'" does not exist! SSL-directives might not be working'."\n";
+								} else {
+									$this->virtualhosts_data[$vhosts_filename] .= ' SSLCACertificateFile ' . makeCorrectFile($row_ipsandports['ssl_ca_file']) . "\n";
+								}
+							}

-                            // #418
-                            if ($row_ipsandports['ssl_cert_chainfile'] != '') {
-                                // check for existence, #1485
-                                if (!file_exists($row_ipsandports['ssl_cert_chainfile'])) {
-                                    $this->logger->logAction(CRON_ACTION, LOG_ERROR, $ipport . ' :: certificate chain file "'.$row_ipsandports['ssl_cert_chainfile'].'" does not exist! Cannot create ssl-directives');
-                                    echo $ipport . ' :: certificate chain file "'.$row_ipsandports['ssl_cert_chainfile'].'" does not exist! SSL-directives might not be working'."\n";
-                                } else {
-                                    $this->virtualhosts_data[$vhosts_filename] .= '  SSLCertificateChainFile ' . makeCorrectFile($row_ipsandports['ssl_cert_chainfile']) . "\n";
-                                }
-                            }
-					    }
+							// #418
+							if ($row_ipsandports['ssl_cert_chainfile'] != '') {
+								// check for existence, #1485
+								if (!file_exists($row_ipsandports['ssl_cert_chainfile'])) {
+									$this->logger->logAction(CRON_ACTION, LOG_ERR, $ipport . ' :: certificate chain file "'.$row_ipsandports['ssl_cert_chainfile'].'" does not exist! Cannot create ssl-directives');
+									echo $ipport . ' :: certificate chain file "'.$row_ipsandports['ssl_cert_chainfile'].'" does not exist! SSL-directives might not be working'."\n";
+								} else {
+									$this->virtualhosts_data[$vhosts_filename] .= ' SSLCertificateChainFile ' . makeCorrectFile($row_ipsandports['ssl_cert_chainfile']) . "\n";
+								}
+							}
+						}
 					}
 				}

@@ -817,13 +814,24 @@ class apache extends HttpConfigBase {
 				if ($domain['ssl_cert_chainfile'] != '') {
 					$vhost_content .= '  SSLCertificateChainFile ' . makeCorrectFile($domain['ssl_cert_chainfile']) . "\n";
 				}
-			}
-			else
-			{
-			    // if there is no cert-file specified but we are generating a ssl-vhost,
-			    // we should return an empty string because this vhost would suck dick, ref #1583
-			    $this->logger->logAction(CRON_ACTION, LOG_ERROR, $domain['domain'] . ' :: empty certificate file! Cannot create ssl-directives');
-			    return '# no ssl-certificate was specified for this domain, therefore no explicit vhost is being generated';
+
+				if ($domain['hsts'] > 0) {
+					$vhost_content .= '  <IfModule mod_headers.c>' . "\n";
+					$vhost_content .= '    Header always set Strict-Transport-Security "max-age=' . $domain['hsts'];
+					if ($domain['hsts_sub'] == 1) {
+						$vhost_content .= '; includeSubdomains';
+					}
+					if ($domain['hsts_preload'] == 1) {
+						$vhost_content .= '; preload';
+					}
+					$vhost_content .= '"' . "\n";
+					$vhost_content .= '  </IfModule>' . "\n";
+				}
+			} else {
+				// if there is no cert-file specified but we are generating a ssl-vhost,
+				// we should return an empty string because this vhost would suck dick, ref #1583
+				$this->logger->logAction(CRON_ACTION, LOG_ERR, $domain['domain'] . ' :: empty certificate file! Cannot create ssl-directives');
+				return '# no ssl-certificate was specified for this domain, therefore no explicit vhost is being generated';
 			}
 		}

@@ -834,7 +842,7 @@ class apache extends HttpConfigBase {
 			$code = getDomainRedirectCode($domain['id']);
 			$modrew_red = '';
 			if ($code != '') {
-				$modrew_red = '[R='. $code . ';L,NE]';
+				$modrew_red = ' [R='. $code . ';L,NE]';
 			}

 			// redirect everything, not only root-directory, #541
@@ -843,7 +851,7 @@ class apache extends HttpConfigBase {
 			if (!$ssl_vhost) {
 				$vhost_content .= '    RewriteCond %{HTTPS} off' . "\n";
 			}
-			$vhost_content .= '    RewriteRule ^/(.*) '. $corrected_docroot.'$1 ' . $modrew_red . "\n";
+			$vhost_content .= '    RewriteRule ^/(.*) '. $corrected_docroot.'$1' . $modrew_red . "\n";
 			$vhost_content .= '  </IfModule>' . "\n";

 			$vhost_content .= '  Redirect '.$code.' / ' . $this->idnaConvert->encode($domain['documentroot']) . "\n";
@@ -895,8 +903,7 @@ class apache extends HttpConfigBase {
 		$domains = WebserverBase::getVhostsToCreate();
 		foreach ($domains as $domain) {

-			fwrite($this->debugHandler, '  apache::createVirtualHosts: creating vhost container for domain ' . $domain['id'] . ', customer ' . $domain['loginname'] . "\n");
-			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'creating vhost container for domain ' . $domain['id'] . ', customer ' . $domain['loginname']);
+			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'apache::createVirtualHosts: creating vhost container for domain ' . $domain['id'] . ', customer ' . $domain['loginname']);
 			$vhosts_filename = $this->getVhostFilename($domain);

 			// Apply header
@@ -995,7 +1002,7 @@ class apache extends HttpConfigBase {
 					} else {
 						$this->diroptions_data[$diroptions_filename] .= "\n";
 					}
-					fwrite($this->debugHandler, '  cron_tasks: Task3 - Setting Options +Indexes' . "\n");
+					$this->logger->logAction(CRON_ACTION, LOG_INFO, 'Setting Options +Indexes for ' . $row_diroptions['path']);
 				}

 				if (isset($row_diroptions['options_indexes'])
@@ -1012,7 +1019,7 @@ class apache extends HttpConfigBase {
 					} else {
 						$this->diroptions_data[$diroptions_filename] .= "\n";
 					}
-					fwrite($this->debugHandler, '  cron_tasks: Task3 - Setting Options -Indexes' . "\n");
+					$this->logger->logAction(CRON_ACTION, LOG_INFO, 'Setting Options -Indexes for ' . $row_diroptions['path']);
 				}

 				$statusCodes = array('404', '403', '500');
@@ -1043,12 +1050,13 @@ class apache extends HttpConfigBase {
 						// for this path, as this would be the first require and therefore grant all access
 						if ($mypath_dir->isUserProtected() == false) {
 							$this->diroptions_data[$diroptions_filename] .= '  Require all granted' . "\n";
+							//$this->diroptions_data[$diroptions_filename] .= '  AllowOverride All' . "\n";
 						}
 					} else {
 						$this->diroptions_data[$diroptions_filename] .= '  Order allow,deny' . "\n";
 						$this->diroptions_data[$diroptions_filename] .= '  Allow from all' . "\n";
 					}
-					fwrite($this->debugHandler, '  cron_tasks: Task3 - Enabling perl execution' . "\n");
+					$this->logger->logAction(CRON_ACTION, LOG_INFO, 'Enabling perl execution for ' . $row_diroptions['path']);

 					// check for suexec-workaround, #319
 					if ((int)Settings::Get('perl.suexecworkaround') == 1) {
@@ -1116,8 +1124,7 @@ class apache extends HttpConfigBase {
 	 */
 	public function writeConfigs() {
 		// Write diroptions
-		fwrite($this->debugHandler, '  apache::writeConfigs: rebuilding ' . Settings::Get('system.apacheconf_diroptions') . "\n");
-		$this->logger->logAction(CRON_ACTION, LOG_INFO, "rebuilding " . Settings::Get('system.apacheconf_diroptions'));
+		$this->logger->logAction(CRON_ACTION, LOG_INFO, "apache::writeConfigs: rebuilding " . Settings::Get('system.apacheconf_diroptions'));

 		if (count($this->diroptions_data) > 0) {
 			$optsDir = new frxDirectory(Settings::Get('system.apacheconf_diroptions'));
@@ -1138,8 +1145,7 @@ class apache extends HttpConfigBase {
 				fclose($diroptions_file_handler);
 			} else {
 				if (!file_exists(Settings::Get('system.apacheconf_diroptions'))) {
-					fwrite($this->debugHandler, '  apache::writeConfigs: mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_diroptions'))) . "\n");
-					$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_diroptions'))));
+					$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'apache::writeConfigs: mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_diroptions'))));
 					safe_exec('mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_diroptions'))));
 				}

@@ -1157,8 +1163,7 @@ class apache extends HttpConfigBase {
 		}

 		// Write htpasswds
-		fwrite($this->debugHandler, '  apache::writeConfigs: rebuilding ' . Settings::Get('system.apacheconf_htpasswddir') . "\n");
-		$this->logger->logAction(CRON_ACTION, LOG_INFO, "rebuilding " . Settings::Get('system.apacheconf_htpasswddir'));
+		$this->logger->logAction(CRON_ACTION, LOG_INFO, "apache::writeConfigs: rebuilding " . Settings::Get('system.apacheconf_htpasswddir'));

 		if (count($this->htpasswds_data) > 0) {
 			if (!file_exists(Settings::Get('system.apacheconf_htpasswddir'))) {
@@ -1177,15 +1182,12 @@ class apache extends HttpConfigBase {
 					fclose($htpasswd_file_handler);
 				}
 			} else {
-				fwrite($this->debugHandler, '  cron_tasks: WARNING!!! ' . Settings::Get('system.apacheconf_htpasswddir') . ' is not a directory. htpasswd directory protection is disabled!!!' . "\n");
-				echo 'WARNING!!! ' . Settings::Get('system.apacheconf_htpasswddir') . ' is not a directory. htpasswd directory protection is disabled!!!';
 				$this->logger->logAction(CRON_ACTION, LOG_WARNING, 'WARNING!!! ' . Settings::Get('system.apacheconf_htpasswddir') . ' is not a directory. htpasswd directory protection is disabled!!!');
 			}
 		}

 		// Write virtualhosts
-		fwrite($this->debugHandler, '  apache::writeConfigs: rebuilding ' . Settings::Get('system.apacheconf_vhost') . "\n");
-		$this->logger->logAction(CRON_ACTION, LOG_INFO, "rebuilding " . Settings::Get('system.apacheconf_vhost'));
+		$this->logger->logAction(CRON_ACTION, LOG_INFO, "apache::writeConfigs: rebuilding " . Settings::Get('system.apacheconf_vhost'));

 		if (count($this->virtualhosts_data) > 0) {
 			$vhostDir = new frxDirectory(Settings::Get('system.apacheconf_vhost'));
@@ -1218,8 +1220,7 @@ class apache extends HttpConfigBase {
 				fclose($vhosts_file_handler);
 			} else {
 				if (!file_exists(Settings::Get('system.apacheconf_vhost'))) {
-					fwrite($this->debugHandler, '  apache::writeConfigs: mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))) . "\n");
-					$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))));
+					$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'apache::writeConfigs: mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))));
 					safe_exec('mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))));
 				}

--- a/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php
+++ b/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php
@@ -55,6 +55,7 @@ class apache_fcgid extends apache
 				    if ($mypath_dir->isUserProtected() == false) {
 						$php_options_text.= '  <Directory "' . makeCorrectDir($domain['documentroot']) . '">' . "\n";
 					    $php_options_text.= '    Require all granted' . "\n";
+						$php_options_text.= '    AllowOverride All' . "\n";
 						$php_options_text.= '  </Directory>' . "\n";
 				    }

@@ -73,6 +74,7 @@ class apache_fcgid extends apache
 					    // for this path, as this would be the first require and therefore grant all access
 					    if ($mypath_dir->isUserProtected() == false) {
 						    $php_options_text.= '    Require all granted' . "\n";
+							$php_options_text.= '    AllowOverride All' . "\n";
 					    }
 					} else {
 						$php_options_text.= '    Order allow,deny' . "\n";
@@ -110,6 +112,7 @@ class apache_fcgid extends apache
 					    // for this path, as this would be the first require and therefore grant all access
 					    if ($mypath_dir->isUserProtected() == false) {
 						    $php_options_text.= '    Require all granted' . "\n";
+							$php_options_text.= '    AllowOverride All' . "\n";
 					    }
 					} else {
 						$php_options_text.= '    Order allow,deny' . "\n";
--- a/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
+++ b/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
@@ -22,7 +22,6 @@ require_once(dirname(__FILE__).'/../classes/class.HttpConfigBase.php');

 class lighttpd extends HttpConfigBase {
 	private $logger = false;
-	private $debugHandler = false;
 	private $idnaConvert = false;

 	// protected
@@ -40,21 +39,18 @@ class lighttpd extends HttpConfigBase {
 	 */
 	private $_deactivated = false;

-	public function __construct($logger, $debugHandler, $idnaConvert) {
+	public function __construct($logger, $idnaConvert) {
 		$this->logger = $logger;
-		$this->debugHandler = $debugHandler;
 		$this->idnaConvert = $idnaConvert;
 	}


 	public function reload() {
 		if ((int)Settings::Get('phpfpm.enabled') == 1) {
-			fwrite($this->debugHandler, '   lighttpd::reload: reloading php-fpm' . "\n");
-			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'reloading php-fpm');
+			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'lighttpd::reload: reloading php-fpm');
 			safe_exec(escapeshellcmd(Settings::Get('phpfpm.reload')));
 		}
-		fwrite($this->debugHandler, '   lighttpd::reload: reloading lighttpd' . "\n");
-		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'reloading lighttpd');
+		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'lighttpd::reload: reloading lighttpd');
 		safe_exec(escapeshellcmd(Settings::Get('system.apachereload_command')));
 	}

@@ -73,8 +69,7 @@ class lighttpd extends HttpConfigBase {
 				$ipv6 = '';
 			}

-			fwrite($this->debugHandler, '  lighttpd::createIpPort: creating ip/port settings for  ' . $ip . ":" . $port . "\n");
-			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'creating ip/port settings for  ' . $ip . ":" . $port);
+			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'lighttpd::createIpPort: creating ip/port settings for  ' . $ip . ":" . $port);
 			$vhost_filename = makeCorrectFile(Settings::Get('system.apacheconf_vhost') . '/10_froxlor_ipandport_' . trim(str_replace(':', '.', $row_ipsandports['ip']), '.') . '.' . $row_ipsandports['port'] . '.conf');

 			if (!isset($this->lighttpd_data[$vhost_filename])) {
@@ -172,7 +167,7 @@ class lighttpd extends HttpConfigBase {
 				    
 				    // check for existence, #1485
 				    if (!file_exists($row_ipsandports['ssl_cert_file'])) {
-				        $this->logger->logAction(CRON_ACTION, LOG_ERROR, $ip.':'.$port . ' :: certificate file "'.$row_ipsandports['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
+				        $this->logger->logAction(CRON_ACTION, LOG_ERR, $ip.':'.$port . ' :: certificate file "'.$row_ipsandports['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
 				        echo $ip.':'.$port . ' :: certificate file "'.$row_ipsandports['ssl_cert_file'].'" does not exist! Cannot create SSL-directives'."\n";
 				    } else {
    					$this->lighttpd_data[$vhost_filename].= 'ssl.engine = "enable"' . "\n";
@@ -184,7 +179,7 @@ class lighttpd extends HttpConfigBase {
    					if ($row_ipsandports['ssl_ca_file'] != '') {
    					    // check for existence, #1485
    					    if (!file_exists($row_ipsandports['ssl_ca_file'])) {
-    					        $this->logger->logAction(CRON_ACTION, LOG_ERROR, $ip.':'.$port . ' :: certificate CA file "'.$row_ipsandports['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
+    					        $this->logger->logAction(CRON_ACTION, LOG_ERR, $ip.':'.$port . ' :: certificate CA file "'.$row_ipsandports['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
    					        echo $ip.':'.port . ' :: certificate CA file "'.$row_ipsandports['ssl_ca_file'].'" does not exist! SSL-directives might not be working'."\n";
    					    } else {
    						  $this->lighttpd_data[$vhost_filename].= 'ssl.ca-file = "' . makeCorrectFile($row_ipsandports['ssl_ca_file']) . '"' . "\n";
@@ -523,6 +518,18 @@ class lighttpd extends HttpConfigBase {
 				if ($domain['ssl_ca_file'] != '') {
 					$ssl_settings.= 'ssl.ca-file = "' . makeCorrectFile($domain['ssl_ca_file']) . '"' . "\n";
 				}
+				
+				if ($domain['hsts'] > 0) {
+
+					$vhost_content .= '$HTTP["scheme"] == "https" { setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=' . $domain['hsts'];
+					if ($domain['hsts_sub'] == 1) {
+						$vhost_content .= '; includeSubdomains';
+					}
+					if ($domain['hsts_preload'] == 1) {
+						$vhost_content .= '; preload';
+					}
+					$vhost_content .= '") }' . "\n";
+				}
 			}
 		}
 		return $ssl_settings;
@@ -861,8 +868,7 @@ class lighttpd extends HttpConfigBase {


 	public function writeConfigs() {
-		fwrite($this->debugHandler, '  lighttpd::writeConfigs: rebuilding ' . Settings::Get('system.apacheconf_vhost') . "\n");
-		$this->logger->logAction(CRON_ACTION, LOG_INFO, "rebuilding " . Settings::Get('system.apacheconf_vhost'));
+		$this->logger->logAction(CRON_ACTION, LOG_INFO, "lighttpd::writeConfigs: rebuilding " . Settings::Get('system.apacheconf_vhost'));

 		$vhostDir = new frxDirectory(Settings::Get('system.apacheconf_vhost'));
 		if (!$vhostDir->isConfigDir()) {
@@ -889,8 +895,7 @@ class lighttpd extends HttpConfigBase {
 			fclose($vhosts_file_handler);
 		} else {
 			if (!file_exists(Settings::Get('system.apacheconf_vhost'))) {
-				fwrite($this->debugHandler, '  lighttpd::writeConfigs: mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))) . "\n");
-				$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))));
+				$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'lighttpd::writeConfigs: mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))));
 				safe_exec('mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))));
 			}

--- a/scripts/jobs/cron_tasks.inc.http.30.nginx.php
+++ b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
@@ -19,7 +19,6 @@ require_once(dirname(__FILE__).'/../classes/class.HttpConfigBase.php');

 class nginx extends HttpConfigBase {
 	private $logger = false;
-	private $debugHandler = false;
 	private $idnaConvert = false;
 	private $nginx_server = array();

@@ -40,17 +39,15 @@ class nginx extends HttpConfigBase {
 	 */
 	private $_deactivated = false;

-	public function __construct($logger, $debugHandler, $idnaConvert, $nginx_server=array()) {
+	public function __construct($logger, $idnaConvert, $nginx_server=array()) {
 		$this->logger = $logger;
-		$this->debugHandler = $debugHandler;
 		$this->idnaConvert = $idnaConvert;
 		$this->nginx_server = $nginx_server;
 	}


 	public function reload() {
-		fwrite($this->debugHandler, '   nginx::reload: reloading nginx' . "\n");
-		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'reloading nginx');
+		$this->logger->logAction(CRON_ACTION, LOG_INFO, 'nginx::reload: reloading nginx');
 		safe_exec(Settings::Get('system.apachereload_command'));

 		/**
@@ -59,12 +56,10 @@ class nginx extends HttpConfigBase {
 		if (Settings::Get('system.phpreload_command') != ''
 			&& (int)Settings::Get('phpfpm.enabled') == 0
 		) {
-			fwrite($this->debugHandler, '   nginx::reload: restarting php processes' . "\n");
-			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'restarting php processes');
+			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'nginx::reload: restarting php processes');
 			safe_exec(Settings::Get('system.phpreload_command'));
 		} elseif ((int)Settings::Get('phpfpm.enabled') == 1) {
-			fwrite($this->debugHandler, '   nginx::reload: reloading php-fpm' . "\n");
-			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'reloading php-fpm');
+			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'nginx::reload: reloading php-fpm');
 			safe_exec(escapeshellcmd(Settings::Get('phpfpm.reload')));
 		}
 	}
@@ -128,8 +123,7 @@ class nginx extends HttpConfigBase {
 			}
 			$port = $row_ipsandports['port'];

-			fwrite($this->debugHandler, '  nginx::createIpPort: creating ip/port settings for  ' . $ip . ":" . $port . "\n");
-			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'creating ip/port settings for  ' . $ip . ":" . $port);
+			$this->logger->logAction(CRON_ACTION, LOG_INFO, 'nginx::createIpPort: creating ip/port settings for  ' . $ip . ":" . $port);
 			$vhost_filename = makeCorrectFile(Settings::Get('system.apacheconf_vhost') . '/10_froxlor_ipandport_' . trim(str_replace(':', '.', $row_ipsandports['ip']), '.') . '.' . $row_ipsandports['port'] . '.conf');

 			if (!isset($this->nginx_data[$vhost_filename])) {
@@ -184,8 +178,8 @@ class nginx extends HttpConfigBase {
 				}

 				$this->nginx_data[$vhost_filename] .= "\t".'root     '.$mypath.';'."\n";
+				$this->nginx_data[$vhost_filename] .= "\t".'index    index.php index.html index.htm;'."\n\n";
 				$this->nginx_data[$vhost_filename] .= "\t".'location / {'."\n";
-				$this->nginx_data[$vhost_filename] .= "\t\t".'index    index.php index.html index.htm;'."\n";
 				$this->nginx_data[$vhost_filename] .= "\t".'}'."\n";

 				if ($row_ipsandports['specialsettings'] != '') {
@@ -209,7 +203,6 @@ class nginx extends HttpConfigBase {

 				$this->nginx_data[$vhost_filename] .= "\tlocation ~ \.php {\n";
 				$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_split_path_info ^(.+\.php)(/.+)\$;\n";
-				$this->nginx_data[$vhost_filename] .= "\t\tinclude fastcgi_params;\n";
 				$this->nginx_data[$vhost_filename] .= "\t\tinclude ".Settings::Get('nginx.fastcgiparams').";\n";
 				$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;\n";
 				$this->nginx_data[$vhost_filename] .= "\t\tfastcgi_param PATH_INFO \$fastcgi_path_info;\n";
@@ -278,6 +271,8 @@ class nginx extends HttpConfigBase {
 					&& !is_dir(Settings::Get('system.apacheconf_vhost')))
 				|| is_dir(Settings::Get('system.apacheconf_vhost'))
 			) {
+				$domain['nonexistinguri'] = '/' . md5(uniqid(microtime(), 1)) . '.htm';
+
 				// Create non-ssl host
 				$this->nginx_data[$vhost_filename].= $this->getVhostContent($domain, false);
 				if ($domain['ssl'] == '1' || $domain['ssl_redirect'] == '1') {
@@ -328,7 +323,7 @@ class nginx extends HttpConfigBase {
 			return '';
 		}

-		// check whether the customer is deactivated an NO docroot for deactivated users has been set#
+		// check whether the customer is deactivated and NO docroot for deactivated users has been set#
 		$ddr = Settings::Get('system.deactivateddocroot');
 		if ($domain['deactivated'] == '1' && empty($ddr)) {
 		    return '# Customer deactivated and a docroot for deactivated users hasn\'t been set.' . "\n";
@@ -427,6 +422,7 @@ class nginx extends HttpConfigBase {
 		) {
 			$vhost_content.= "\n" . $this->composeSslSettings($domain) . "\n";
 		}
+		$vhost_content.= "\t".'include /etc/nginx/acme.conf;'."\n";

 		// if the documentroot is an URL we just redirect
 		if (preg_match('/^https?\:\/\//', $domain['documentroot'])) {
@@ -434,7 +430,7 @@ class nginx extends HttpConfigBase {
 			if (substr($uri, -1) == '/') {
 				$uri = substr($uri, 0, -1);
 			}
-			$vhost_content .= "\t".'rewrite ^(.*) '.$uri.'$1 permanent;'."\n";
+			$vhost_content .= "\t".'return 301 '.$uri.'$request_uri;'."\n";
 		} else {
 			mkDirWithCorrectOwnership($domain['customerroot'], $domain['documentroot'], $domain['guid'], $domain['guid'], true);

@@ -569,20 +565,21 @@ class nginx extends HttpConfigBase {
 		    
 		    // check for existence, #1485
 		    if (!file_exists($domain_or_ip['ssl_cert_file'])) {
-		        $this->logger->logAction(CRON_ACTION, LOG_ERROR, $domain_or_ip['domain'] . ' :: certificate file "'.$domain_or_ip['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
+		        $this->logger->logAction(CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate file "'.$domain_or_ip['ssl_cert_file'].'" does not exist! Cannot create ssl-directives');
 		        echo $domain_or_ip['domain'] . ' :: certificate file "'.$domain_or_ip['ssl_cert_file'].'" does not exist! Cannot create SSL-directives'."\n";
 		    } else {
-    			// obsolete: ssl on now belongs to the listen block as 'ssl' at the end
+			// obsolete: ssl on now belongs to the listen block as 'ssl' at the end
    			//$sslsettings .= "\t" . 'ssl on;' . "\n";
    			$sslsettings .= "\t" . 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' . "\n";
    			$sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n";
+					$sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
    			$sslsettings .= "\t" . 'ssl_prefer_server_ciphers on;' . "\n";
    			$sslsettings .= "\t" . 'ssl_certificate ' . makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";
    
    			if ($domain_or_ip['ssl_key_file'] != '') {
    			    // check for existence, #1485
    			    if (!file_exists($domain_or_ip['ssl_key_file'])) {
-    			        $this->logger->logAction(CRON_ACTION, LOG_ERROR, $domain_or_ip['domain'] . ' :: certificate key file "'.$domain_or_ip['ssl_key_file'].'" does not exist! Cannot create ssl-directives');
+    			        $this->logger->logAction(CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate key file "'.$domain_or_ip['ssl_key_file'].'" does not exist! Cannot create ssl-directives');
    			        echo $domain_or_ip['domain'] . ' :: certificate key file "'.$domain_or_ip['ssl_key_file'].'" does not exist! SSL-directives might not be working'."\n";
    			    } else {
    				    $sslsettings .= "\t" . 'ssl_certificate_key ' .makeCorrectFile($domain_or_ip['ssl_key_file']) . ';' .  "\n";
@@ -592,12 +589,24 @@ class nginx extends HttpConfigBase {
    			if ($domain_or_ip['ssl_ca_file'] != '') {
    			    // check for existence, #1485
    			    if (!file_exists($domain_or_ip['ssl_ca_file'])) {
-    			        $this->logger->logAction(CRON_ACTION, LOG_ERROR, $domain_or_ip['domain'] . ' :: certificate CA file "'.$domain_or_ip['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
+    			        $this->logger->logAction(CRON_ACTION, LOG_ERR, $domain_or_ip['domain'] . ' :: certificate CA file "'.$domain_or_ip['ssl_ca_file'].'" does not exist! Cannot create ssl-directives');
    			        echo $domain_or_ip['domain'] . ' :: certificate CA file "'.$domain_or_ip['ssl_ca_file'].'" does not exist! SSL-directives might not be working'."\n";
    			    } else {
    				    $sslsettings.= "\t" . 'ssl_client_certificate ' . makeCorrectFile($domain_or_ip['ssl_ca_file']) . ';' . "\n";
    			    }
    			}
+    			
+				if (isset($domain_or_ip['hsts']) && $domain_or_ip['hsts'] > 0) {
+
+					$vhost_content .= 'add_header Strict-Transport-Security "max-age=' . $domain_or_ip['hsts'];
+					if ($domain_or_ip['hsts_sub'] == 1) {
+						$vhost_content .= '; includeSubdomains';
+					}
+					if ($domain_or_ip['hsts_preload'] == 1) {
+						$vhost_content .= '; preload';
+					}
+					$vhost_content .= '";' . "\n";
+				}
 		    }
 		}

@@ -658,9 +667,6 @@ class nginx extends HttpConfigBase {
 					$path_options .= "\t\t" . 'autoindex  on;' . "\n";
 					$this->vhost_root_autoindex = false;
 				}
-				else {
-					$path_options.= "\t\t" . 'index    index.php index.html index.htm;'."\n";
-				}
 				//     $path_options.= "\t\t" . 'try_files $uri $uri/ @rewrites;'."\n";
 				// check if we have a htpasswd for this path
 				// (damn nginx does not like more than one
@@ -676,6 +682,9 @@ class nginx extends HttpConfigBase {
 							if ($single['path'] == '/') {
 								$path_options .= "\t\t" . 'auth_basic            "' . $single['authname']  . '";' . "\n";
 								$path_options .= "\t\t" . 'auth_basic_user_file  ' . makeCorrectFile($single['usrf']) . ';'."\n";
+								$path_options .= "\t\t" . 'location ~ ^(.+?\.php)(/.*)?$ {' . "\n";
+								$path_options .= "\t\t\t" . 'try_files ' . $domain['nonexistinguri'] . ' @php;' . "\n";
+								$path_options .= "\t\t" . '}' . "\n";
 								// remove already used entries so we do not have doubles
 								unset($htpasswds[$idx]);
 							}
@@ -691,9 +700,6 @@ class nginx extends HttpConfigBase {
 					$path_options .= "\t\t" . 'autoindex  on;' . "\n";
 					$this->vhost_root_autoindex = false;
 				}
-				else {
-					$path_options .= "\t\t" . 'index    index.php index.html index.htm;'."\n";
-				}
 				$path_options .= "\t".'} ' . "\n";
 			}
 			//   }
@@ -736,6 +742,9 @@ class nginx extends HttpConfigBase {
 					$path_options .= "\t" . 'location ' . makeCorrectDir($single['path']) . ' {' . "\n";
 					$path_options .= "\t\t" . 'auth_basic            "' . $single['authname']  . '";' . "\n";
 					$path_options .= "\t\t" . 'auth_basic_user_file  ' . makeCorrectFile($single['usrf']) . ';'."\n";
+					$path_options .= "\t\t" . 'location ~ ^(.+?\.php)(/.*)?$ {' . "\n";
+					$path_options .= "\t\t\t" . 'try_files ' . $domain['nonexistinguri'] . ' @php;' . "\n";
+					$path_options .= "\t\t" . '}' . "\n";
 					$path_options .= "\t".'}' . "\n";
 				}
 				//}
@@ -783,7 +792,18 @@ class nginx extends HttpConfigBase {

 				$returnval[$x]['path'] = $path;
 				$returnval[$x]['root'] = makeCorrectDir($domain['documentroot']);
-				$returnval[$x]['authname'] = $row_htpasswds['authname'];
+
+				// Ensure there is only one auth name per password block, otherwise
+				// the directives are inserted multiple times -> invalid config
+				$authname = $row_htpasswds['authname'];
+				for ($i = 0; $i < $x; $i++) {
+					if ($returnval[$i]['usrf'] == $htpasswd_filename) {
+						$authname = $returnval[$i]['authname'];
+						break;
+					}
+				}
+				$returnval[$x]['authname'] = $authname;
+
 				$returnval[$x]['usrf'] = $htpasswd_filename;
 				$x++;
 			}
@@ -799,7 +819,11 @@ class nginx extends HttpConfigBase {
 	protected function composePhpOptions($domain, $ssl_vhost = false) {
 		$phpopts = '';
 		if ($domain['phpenabled'] == '1') {
-			$phpopts = "\tlocation ~ \.php {\n";
+			$phpopts  = "\tlocation ~ \.php {\n";
+			$phpopts .= "\t\t" . 'try_files ' . $domain['nonexistinguri'] . ' @php;' . "\n";
+			$phpopts .= "\t" . '}' . "\n\n";
+
+			$phpopts .= "\tlocation @php {\n";
 			$phpopts .= "\t\tfastcgi_split_path_info ^(.+\.php)(/.+)\$;\n";
 			$phpopts .= "\t\tinclude ".Settings::Get('nginx.fastcgiparams').";\n";
 			$phpopts .= "\t\tfastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;\n";
@@ -831,8 +855,8 @@ class nginx extends HttpConfigBase {
 			$this->_deactivated = false;
 		}

+		$webroot_text .= "\t" . 'index    index.php index.html index.htm;'."\n";
 		$webroot_text .= "\n\t".'location / {'."\n";
-		$webroot_text .= "\t\t".'index    index.php index.html index.htm;'."\n";
 		$webroot_text .= "\t\t" . 'try_files $uri $uri/ @rewrites;'."\n";

 		if ($this->vhost_root_autoindex) {
@@ -1003,8 +1027,7 @@ class nginx extends HttpConfigBase {


 	public function writeConfigs() {
-		fwrite($this->debugHandler, '  nginx::writeConfigs: rebuilding ' . Settings::Get('system.apacheconf_vhost') . "\n");
-		$this->logger->logAction(CRON_ACTION, LOG_INFO, "rebuilding " . Settings::Get('system.apacheconf_vhost'));
+		$this->logger->logAction(CRON_ACTION, LOG_INFO, "nginx::writeConfigs: rebuilding " . Settings::Get('system.apacheconf_vhost'));

 		$vhostDir = new frxDirectory(Settings::Get('system.apacheconf_vhost'));
 		if (!$vhostDir->isConfigDir()) {
@@ -1030,8 +1053,7 @@ class nginx extends HttpConfigBase {
 			fclose($vhosts_file_handler);
 		} else {
 			if (!file_exists(Settings::Get('system.apacheconf_vhost'))) {
-				fwrite($this->debugHandler, '  nginx::writeConfigs: mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))) . "\n");
-				$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))));
+				$this->logger->logAction(CRON_ACTION, LOG_NOTICE, 'nginx::writeConfigs: mkdir ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))));
 				safe_exec('mkdir -p ' . escapeshellarg(makeCorrectDir(Settings::Get('system.apacheconf_vhost'))));
 			}

@@ -1059,8 +1081,6 @@ class nginx extends HttpConfigBase {
 				mkdir(Settings::Get('system.apacheconf_htpasswddir'), 0751);
 				umask($umask);
 			} elseif (!is_dir(Settings::Get('system.apacheconf_htpasswddir'))) {
-				fwrite($this->debugHandler, '  cron_tasks: WARNING!!! ' . Settings::Get('system.apacheconf_htpasswddir') . ' is not a directory. htpasswd directory protection is disabled!!!' . "\n");
-				echo 'WARNING!!! ' . Settings::Get('system.apacheconf_htpasswddir') . ' is not a directory. htpasswd directory protection is disabled!!!';
 				$this->logger->logAction(CRON_ACTION, LOG_WARNING, 'WARNING!!! ' . Settings::Get('system.apacheconf_htpasswddir') . ' is not a directory. htpasswd directory protection is disabled!!!');
 			}

--- a/scripts/jobs/cron_tasks.inc.http.35.nginx_phpfpm.php
+++ b/scripts/jobs/cron_tasks.inc.http.35.nginx_phpfpm.php
@@ -25,6 +25,10 @@ class nginx_phpfpm extends nginx
 			$phpconfig = $php->getPhpConfig((int)$domain['phpsettingid']);
 			
 			$php_options_text = "\t" . 'location ~ ^(.+?\.php)(/.*)?$ {' . "\n";
+			$php_options_text .= "\t\t" . 'try_files ' . $domain['nonexistinguri'] . ' @php;' . "\n";
+			$php_options_text .= "\t" . '}' . "\n\n";
+
+			$php_options_text .= "\t" . 'location @php {' . "\n";
 			$php_options_text .= "\t\t" . 'try_files $1 = 404;' . "\n\n";
 			$php_options_text .= "\t\t" . 'include ' . Settings::Get('nginx.fastcgiparams') . ";\n";
 			$php_options_text .= "\t\t" . 'fastcgi_split_path_info ^(.+\.php)(/.+)\$;' . "\n";
--- a/scripts/jobs/cron_tasks.php
+++ b/scripts/jobs/cron_tasks.php
@@ -29,8 +29,7 @@ require_once makeCorrectFile(dirname(__FILE__) . '/cron_tasks.inc.http.35.nginx_
 /**
 * LOOK INTO TASKS TABLE TO SEE IF THERE ARE ANY UNDONE JOBS
 */
-fwrite($debugHandler, '  cron_tasks: Searching for tasks to do' . "\n");
-$cronlog->logAction(CRON_ACTION, LOG_INFO, "Searching for tasks to do");
+$cronlog->logAction(CRON_ACTION, LOG_INFO, "cron_tasks: Searching for tasks to do");
 $result_tasks_stmt = Database::query("
 	SELECT `id`, `type`, `data` FROM `" . TABLE_PANEL_TASKS . "` WHERE `type` <> '99' ORDER BY `id` ASC
 ");
@@ -73,7 +72,7 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 				}
 			}

-			$webserver = new $websrv($cronlog, $debugHandler, $idna_convert);
+			$webserver = new $websrv($cronlog, $idna_convert);
 		}

 		if (isset($webserver)) {
@@ -99,21 +98,23 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 			) {
 				// webserver has no access, add it
 				if (isFreeBSD()) {
-					safe_exec('pw user mod '.escapeshellarg(Settings::Get('system.httpuser')).' -G '.escapeshellarg(Settings::Get('phpfpm.vhost_httpgroup')));
+					safe_exec('pw usermod '.escapeshellarg(Settings::Get('system.httpuser')).' -G '.escapeshellarg(Settings::Get('phpfpm.vhost_httpgroup')));
 				} else {
 					safe_exec('usermod -a -G ' . escapeshellarg(Settings::Get('phpfpm.vhost_httpgroup')).' '.escapeshellarg(Settings::Get('system.httpuser')));
 				}
 			}
 		}

+		// Tell the Let's Encrypt cron it's okay to generate the certificate and enable the redirect afterwards
+		$upd_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_DOMAINS . "` SET `ssl_redirect` = '3' WHERE `ssl_redirect` = '2'");
+		Database::pexecute($upd_stmt);
 	}

 	/**
 	 * TYPE=2 MEANS TO CREATE A NEW HOME AND CHOWN
 	 */
 	elseif ($row['type'] == '2') {
-		fwrite($debugHandler, '  cron_tasks: Task2 started - create new home' . "\n");
-		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Task2 started - create new home');
+		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'cron_tasks: Task2 started - create new home');

 		if (is_array($row['data'])) {
 			// define paths
@@ -172,7 +173,7 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 	 */
 	elseif ($row['type'] == '4' && (int)Settings::Get('system.bind_enable') != 0) {
 		if (!isset($nameserver)) {
-			$nameserver = new bind($cronlog, $debugHandler);
+			$nameserver = new bind($cronlog);
 		}

 		if (Settings::Get('dkim.use_dkim') == '1') {
@@ -201,8 +202,7 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 	 * TYPE=6 MEANS THAT A CUSTOMER HAS BEEN DELETED AND THAT WE HAVE TO REMOVE ITS FILES
 	 */
 	elseif ($row['type'] == '6') {
-		fwrite($debugHandler, '  cron_tasks: Task6 started - deleting customer data' . "\n");
-		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Task6 started - deleting customer data');
+		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'cron_tasks: Task6 started - deleting customer data');

 		if (is_array($row['data'])) {
 			if (isset($row['data']['loginname'])) {
@@ -268,8 +268,7 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 	 * TYPE=7 Customer deleted an email account and wants the data to be deleted on the filesystem
 	 */
 	elseif ($row['type'] == '7') {
-		fwrite($debugHandler, '  cron_tasks: Task7 started - deleting customer e-mail data' . "\n");
-		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Task7 started - deleting customer e-mail data');
+		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'cron_tasks: Task7 started - deleting customer e-mail data');

 		if (is_array($row['data'])) {

@@ -334,8 +333,7 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 	 * refs #293
 	 */
 	elseif ($row['type'] == '8') {
-		fwrite($debugHandler, '  cron_tasks: Task8 started - deleting customer ftp homedir' . "\n");
-		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Task8 started - deleting customer ftp homedir');
+		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'cron_tasks: Task8 started - deleting customer ftp homedir');

 		if (is_array($row['data'])) {

@@ -363,8 +361,7 @@ while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
 	 */
 	elseif ($row['type'] == '10' && (int)Settings::Get('system.diskquota_enabled') != 0) {

-		fwrite($debugHandler, '  cron_tasks: Task10 started - setting filesystem quota' . "\n");
-		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Task10 started - setting filesystem quota');
+		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'cron_tasks: Task10 started - setting filesystem quota');

 		$usedquota = getFilesystemQuota();

--- a/scripts/jobs/cron_ticketarchive.php
+++ b/scripts/jobs/cron_ticketarchive.php
@@ -20,7 +20,7 @@
 /**
 * ARCHIVING CLOSED TICKETS
 */
-fwrite($debugHandler, 'Ticket-archiving run started...' . "\n");
+$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Ticket-archiving run started...');
 $result_tickets_stmt = Database::query("
 	SELECT `id`, `lastchange`, `subject` FROM `" . TABLE_PANEL_TICKETS . "`
 	WHERE `status` = '3' AND `answerto` = '0';"
@@ -35,7 +35,7 @@ while ($row_ticket = $result_tickets_stmt->fetch(PDO::FETCH_ASSOC)) {

 	if ($days >= Settings::Get('ticket.archiving_days')) {

-		fwrite($debugHandler, 'archiving ticket "' . $row_ticket['subject'] . '" (ID #' . $row_ticket['id'] . ')' . "\n");
+		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'archiving ticket "' . $row_ticket['subject'] . '" (ID #' . $row_ticket['id'] . ')');
 		$mainticket = ticket::getInstanceOf(null, (int)$row_ticket['id']);
 		$mainticket->Set('lastchange', $now, true, true);
 		$mainticket->Set('lastreplier', '1', true, true);
@@ -46,7 +46,7 @@ while ($row_ticket = $result_tickets_stmt->fetch(PDO::FETCH_ASSOC)) {
 	}
 }

-fwrite($debugHandler, 'Archived ' . $archiving_count . ' tickets' . "\n");
+$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Archived ' . $archiving_count . ' tickets');
 Database::query("
 	UPDATE `" . TABLE_PANEL_SETTINGS . "` SET `value` = UNIX_TIMESTAMP()
 	WHERE `settinggroup` = 'system' AND `varname` = 'last_archive_run'"
--- a/scripts/jobs/cron_traffic.php
+++ b/scripts/jobs/cron_traffic.php
@@ -30,7 +30,7 @@ if (function_exists('pcntl_fork')) {
 			$TrafficPidStatus = $TrafficPidStatus ? false : true;
 		}
 		if ($TrafficPidStatus) {
-			fwrite($debugHandler,"Traffic Run already in progress\n");
+			$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Traffic Run already in progress');
 			return 1;
 		}
 	}
@@ -49,7 +49,6 @@ if (function_exists('pcntl_fork')) {
 	elseif ($TrafficPid == 0) {
 		posix_setsid();
 		fclose($debugHandler);
-		$debugHandler = fopen("/tmp/froxlor_traffic.log", "w");
 		// re-create db
 		Database::needRoot(false);
 	}
@@ -64,7 +63,7 @@ if (function_exists('pcntl_fork')) {
 	} else {
 		$msg = "PHP compiled without pcntl.";
 	}
-	fwrite($debugHandler, $msg." Not forking traffic-cron, this may take a long time!");
+	$cronlog->logAction(CRON_ACTION, LOG_INFO, $msg." Not forking traffic-cron, this may take a long time!");
 }

 require_once makeCorrectFile(dirname(__FILE__) . '/cron_traffic.inc.functions.php');
@@ -72,7 +71,7 @@ require_once makeCorrectFile(dirname(__FILE__) . '/cron_traffic.inc.functions.ph
 /**
 * TRAFFIC AND DISKUSAGE MESSURE
 */
-fwrite($debugHandler, 'Traffic run started...' . "\n");
+$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Traffic run started...');
 $admin_traffic = array();
 $domainlist = array();
 $speciallogfile_domainlist = array();
@@ -164,7 +163,7 @@ while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 	/**
 	 * HTTP-Traffic
 	 */
-	fwrite($debugHandler, 'http traffic for ' . $row['loginname'] . ' started...' . "\n");
+	$cronlog->logAction(CRON_ACTION, LOG_INFO, 'http traffic for ' . $row['loginname'] . ' started...');
 	$httptraffic = 0;

 	if (isset($domainlist[$row['customerid']])
@@ -225,7 +224,7 @@ while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 	/**
 	 * FTP-Traffic
 	 */
-	fwrite($debugHandler, 'ftp traffic for ' . $row['loginname'] . ' started...' . "\n");
+	$cronlog->logAction(CRON_ACTION, LOG_INFO, 'ftp traffic for ' . $row['loginname'] . ' started...');
 	$ftptraffic_stmt = Database::prepare("
 		SELECT SUM(`up_bytes`) AS `up_bytes_sum`, SUM(`down_bytes`) AS `down_bytes_sum`
 		FROM `" . TABLE_FTP_USERS . "` WHERE `customerid` = :customerid
@@ -249,7 +248,7 @@ while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 	 */
 	$mailtraffic = 0;
 	if (Settings::Get("system.mailtraffic_enabled")) {
-		fwrite($debugHandler, 'mail traffic usage for ' . $row['loginname'] . " started...\n");
+		$cronlog->logAction(CRON_ACTION, LOG_INFO, 'mail traffic usage for ' . $row['loginname'] . " started...");

 		$currentDate = date("Y-m-d");

@@ -294,7 +293,7 @@ while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 	/**
 	 * Total Traffic
 	 */
-	fwrite($debugHandler, 'total traffic for ' . $row['loginname'] . ' started' . "\n");
+	$cronlog->logAction(CRON_ACTION, LOG_INFO, 'total traffic for ' . $row['loginname'] . ' started');
 	$current_traffic = array();
 	$current_traffic['http'] = floatval($httptraffic);
 	$current_traffic['ftp_up'] = floatval(($ftptraffic['up_bytes_sum'] / 1024));
@@ -355,7 +354,7 @@ while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 	/**
 	 * WebSpace-Usage
 	 */
-	fwrite($debugHandler, 'calculating webspace usage for ' . $row['loginname'] . "\n");
+	$cronlog->logAction(CRON_ACTION, LOG_INFO, 'calculating webspace usage for ' . $row['loginname']);
 	$webspaceusage = 0;

 	// Using repquota, it's faster using this tool than using du traversing the complete directory
@@ -381,14 +380,14 @@ while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 			unset($back);

 		} else {
-			fwrite($debugHandler, 'documentroot ' . $row['documentroot'] . ' does not exist' . "\n");
+			$cronlog->logAction(CRON_ACTION, LOG_WARNING, 'documentroot ' . $row['documentroot'] . ' does not exist');
 		}
 	}

 	/**
 	 * MailSpace-Usage
 	 */
-	fwrite($debugHandler, 'calculating mailspace usage for ' . $row['loginname'] . "\n");
+	$cronlog->logAction(CRON_ACTION, LOG_INFO, 'calculating mailspace usage for ' . $row['loginname']);
 	$emailusage = 0;

 	$maildir = makeCorrectDir(Settings::Get('system.vmail_homedir') . $row['loginname']);
@@ -402,13 +401,13 @@ while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
 		unset($back);

 	} else {
-		fwrite($debugHandler, 'maildir ' . $maildir . ' does not exist' . "\n");
+		$cronlog->logAction(CRON_ACTION, LOG_WARNING, 'maildir ' . $maildir . ' does not exist');
 	}

 	/**
 	 * MySQLSpace-Usage
 	 */
-	fwrite($debugHandler, 'calculating mysqlspace usage for ' . $row['loginname'] . "\n");
+	$cronlog->logAction(CRON_ACTION, LOG_INFO, 'calculating mysqlspace usage for ' . $row['loginname']);
 	$mysqlusage = 0;

 	if (isset($mysqlusage_all[$row['customerid']])) {
--- a/scripts/jobs/cron_usage_report.php
+++ b/scripts/jobs/cron_usage_report.php
@@ -17,7 +17,7 @@
 *
 */

-fwrite($debugHandler, 'Web- and Traffic-usage reporting started...' . "\n");
+$cronlog->logAction(CRON_ACTION, LOG_INFO, 'Web- and Traffic-usage reporting started...');
 $yesterday = time() - (60 * 60 * 24);

 /**
--- a/scripts/jobs/cron_used_tickets_reset.php
+++ b/scripts/jobs/cron_used_tickets_reset.php
@@ -20,6 +20,5 @@
 /**
 * RESET USED TICKETS COUNTER
 */
-fwrite($debugHandler, 'Resetting customers used ticket counter' . "\n");
 $cronlog->logAction(CRON_ACTION, LOG_INFO, "Resetting customers used ticket counter");
 Database::query("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `tickets_used` = '0'");
--- a/templates/Sparkle/admin/configfiles/configfiles.tpl
+++ b/templates/Sparkle/admin/configfiles/configfiles.tpl
@@ -26,6 +26,10 @@ ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero
 eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren,
 no sea takimata sanctus est Lorem ipsum dolor sit amet.</textarea>
 				</p>
+				<form id="configfiles_setmysqlpw" action="#">
+					MYSQL_PASSWORD: <input type="text" class="text" id="configfiles_mysqlpw" name="configfiles_mysqlpw" value="" />
+					<input type="submit" value="{$lng['panel']['set']}" />
+				</form>
 			</div>
 		</section>

--- a/templates/Sparkle/admin/domains/domains_domain.tpl
+++ b/templates/Sparkle/admin/domains/domains_domain.tpl
@@ -1,8 +1,19 @@
-<tr>
+<if $row['termination_date'] != ''>
+    <tr class="{$row['termination_css']}">
+</if>
+<if $row['termination_date'] == ''>
+    <tr>
+</if>
+
+
 	<td>{$row['domain']}
 		<if (isset($row['standardsubdomain']) && $row['standardsubdomain'] == $row['id'])>
 			&nbsp;({$lng['admin']['stdsubdomain']})
 		</if>
+                <if $row['termination_date'] != ''>
+                    <br><small><div class="red">({$lng['domains']['termination_date_overview']} {$row['termination_date']})</div></small>
+            </if>
+
 	</td>
 	<td>{$row['ipandport']}</td>
 	<td>{$row['customername']}&nbsp;
@@ -12,6 +23,9 @@
 		<a href="{$linker->getLink(array('section' => 'domains', 'page' => $page, 'action' => 'edit', 'id' => $row['id']))}">
 			<img src="templates/{$theme}/assets/img/icons/edit.png" alt="{$lng['panel']['edit']}" title="{$lng['panel']['edit']}" />
 		</a>
+		<if $row['letsencrypt'] == '1'>
+			<img src="templates/{$theme}/assets/img/icons/ssl_letsencrypt.png" alt="{$lng['panel']['letsencrypt']}" title="{$lng['panel']['letsencrypt']}" />
+		</if>
 		<if !(isset($row['domainaliasid']) && $row['domainaliasid'] != 0)>
 			<if !(isset($row['standardsubdomain']) && $row['standardsubdomain'] == $row['id'])>
 				&nbsp;<a href="{$linker->getLink(array('section' => 'domains', 'page' => $page, 'action' => 'delete', 'id' => $row['id']))}">
--- a/Show More
+++ b/Show More