Merge remote-tracking branch 'origin/main' into v2.2

set version to 2.2.8 for maintenance release
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
2025-07-08 09:03:16 +02:00 · 2025-07-08 09:02:19 +02:00 · 2025-07-08 09:00:20 +02:00 · 2025-07-08 08:59:51 +02:00 · 2025-06-24 16:55:50 +02:00 · 2025-06-24 16:53:16 +02:00
113 changed files with 5739 additions and 1332 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -15,7 +15,8 @@ assignees: ''
 A clear and concise description of what the bug is.

 **System information**
-* Froxlor version: $version/$gitSHA1
+* Froxlor version: \$version/\$gitSHA1
+* PHP sapi & version: php-fpm 8.3 / fcgid 8.0 / etc.
 * Web server: apache2/nginx/lighttpd
 * DNS server: Bind/PowerDNS (standalone)/PowerDNS (Bind-backend)
 * POP/IMAP server: Courier/Dovecot
--- a/.github/workflows/build-mariadb.yml
+++ b/.github/workflows/build-mariadb.yml
@@ -8,7 +8,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        php-versions: [ '7.4', '8.2' ]
+        php-versions: [ '7.4', '8.3' ]
        mariadb-version: [ 10.11, 10.5 ]
    steps:
      - name: Checkout
@@ -19,7 +19,7 @@ jobs:
        with:
          php-version: ${{ matrix.php-versions }}
          tools: composer:v2
-          extensions: mbstring, xml, ctype, pdo_mysql, mysql, curl, json, zip, session, filter, posix, openssl, fileinfo, bcmath, gmp, gnupg
+          extensions: mbstring, xml, ctype, pdo_mysql, mysql, curl, json, zip, session, filter, posix, openssl, fileinfo, bcmath, gmp

      - name: Install tools
        run: sudo apt-get install -y ant
@@ -72,7 +72,7 @@ jobs:
      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
-          node-version: '20.x'
+          node-version: '22.x'

      - name: Install npm dependencies
        run: npm install
@@ -120,7 +120,7 @@ jobs:

      - name: Deploy nightly to server
        uses: easingthemes/ssh-deploy@main
-        env:
+        with:
          ARGS: "-rltDzvO --chown=${{ secrets.WEB_USER }}:${{ secrets.WEB_USER }}"
          SOURCE: "dist/"
          SSH_PRIVATE_KEY: ${{ secrets.SERVER_SSH_KEY }}
--- a/.github/workflows/build-mysql.yml
+++ b/.github/workflows/build-mysql.yml
@@ -8,7 +8,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        php-versions: ['7.4', '8.2']
+        php-versions: ['7.4', '8.3']
        mysql-version: [8.0, 5.7]
    steps:
      - name: Checkout
@@ -19,7 +19,7 @@ jobs:
        with:
          php-version: ${{ matrix.php-versions }}
          tools: composer:v2
-          extensions: mbstring, xml, ctype, pdo_mysql, mysql, curl, json, zip, session, filter, posix, openssl, fileinfo, bcmath, gmp, gnupg
+          extensions: mbstring, xml, ctype, pdo_mysql, mysql, curl, json, zip, session, filter, posix, openssl, fileinfo, bcmath, gmp

      - name: Install tools
        run: sudo apt-get install -y ant
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ logs/*
 .settings/
 .test/
 *.diff
+*.patch
 *~
 .well-known
 .idea
@@ -23,4 +24,5 @@ templates/*
 !templates/index.html
 !templates/Froxlor/
 templates/Froxlor/build/
+templates/Froxlor/hot
 !templates/misc/
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ Developed by experienced server administrators, this panel simplifies the effort
 ## Installation

 ### Fast install
+
 1. Ensure that your webserver serves /var/www/html
 2. Extract froxlor into /var/www/html
 3. Point your browser to http://[ip-of-webserver]/froxlor
@@ -24,6 +25,7 @@ If you have chosen to do the configuration by hand during the installation, you
 3. Follow the steps for your services

 ### Detailed installation
+
 https://docs.froxlor.org/latest/general/installation/

 ## Help
@@ -49,6 +51,7 @@ May be found in [COPYING](COPYING)
 ## Downloads

 ### Tarball
+
 https://files.froxlor.org/releases/froxlor-latest.tar.gz [MD5](https://files.froxlor.org/releases/froxlor-latest.tar.gz.md5) [SHA1](https://files.froxlor.org/releases/froxlor-latest.tar.gz.sha1)

 ### Debian / Ubuntu repository
--- a/actions/admin/settings/120.system.php
+++ b/actions/admin/settings/120.system.php
@@ -257,7 +257,8 @@ return [
 					'varname' => 'mail_smtp_user',
 					'type' => 'text',
 					'default' => '',
-					'save_method' => 'storeSettingField'
+					'save_method' => 'storeSettingField',
+					'autocomplete' => 'off'
 				],
 				'system_mail_smtp_passwd' => [
 					'label' => lng('serversettings.mail_smtp_passwd'),
@@ -265,7 +266,8 @@ return [
 					'varname' => 'mail_smtp_passwd',
 					'type' => 'password',
 					'default' => '',
-					'save_method' => 'storeSettingField'
+					'save_method' => 'storeSettingField',
+					'autocomplete' => 'new-password'
 				],
 				'system_apply_specialsettings_default' => [
 					'label' => lng('serversettings.apply_specialsettings_default'),
--- a/actions/admin/settings/122.froxlorvhost.php
+++ b/actions/admin/settings/122.froxlorvhost.php
@@ -177,6 +177,10 @@ return [
 					'type' => 'text',
 					'default' => 'froxlorlocal',
 					'string_emptyallowed' => false,
+					'plausibility_check_method' => [
+						'\\Froxlor\\Validate\\Check',
+						'checkSystemUsername'
+					],
 					'save_method' => 'storeSettingWebserverFcgidFpmUser',
 					'websrv_avail' => [
 						'apache2'
@@ -246,6 +250,10 @@ return [
 					'type' => 'text',
 					'default' => 'froxlorlocal',
 					'string_emptyallowed' => false,
+					'plausibility_check_method' => [
+						'\\Froxlor\\Validate\\Check',
+						'checkSystemUsername'
+					],
 					'save_method' => 'storeSettingWebserverFcgidFpmUser',
 					'visible' => Settings::Get('phpfpm.enabled') && call_user_func([
 						'\Froxlor\Settings\FroxlorVhostSettings',
--- a/actions/admin/settings/130.webserver.php
+++ b/actions/admin/settings/130.webserver.php
@@ -49,7 +49,7 @@ return [
 					],
 					'requires_reconf' => ['http']
 				],
-				'system_apache_24' => [
+				'system_apache24' => [
 					'label' => lng('serversettings.apache_24'),
 					'settinggroup' => 'system',
 					'varname' => 'apache24',
@@ -104,6 +104,10 @@ return [
 					'varname' => 'httpuser',
 					'type' => 'text',
 					'default' => 'www-data',
+					'plausibility_check_method' => [
+						'\\Froxlor\\Validate\\Check',
+						'checkSystemUsername'
+					],
 					'save_method' => 'storeSettingWebserverFcgidFpmUser'
 				],
 				'system_httpgroup' => [
--- a/actions/admin/settings/131.ssl.php
+++ b/actions/admin/settings/131.ssl.php
@@ -268,7 +268,7 @@ return [
 						'dovecot' => 'dovecot (imap/pop3)',
 						'proftpd' => 'proftpd (ftp)',
 					],
-					'save_method' => 'storeSettingField',
+					'save_method' => 'storeSettingFieldInsertUpdateServicesTask',
 					'advanced_mode' => true
 				],
 				'system_le_renew_hook' => [
@@ -278,7 +278,7 @@ return [
 					'type' => 'text',
 					'string_regexp' => '/^[a-z0-9\/\._\- ]+$/i',
 					'default' => 'systemctl restart postfix dovecot proftpd',
-					'save_method' => 'storeSettingField',
+					'save_method' => 'storeSettingFieldInsertUpdateServicesTask',
 					'advanced_mode' => true,
 					'required_otp' => true
 				],
--- a/actions/admin/settings/180.antispam.php
+++ b/actions/admin/settings/180.antispam.php
@@ -58,6 +58,51 @@ return [
 					'save_method' => 'storeSettingField',
 					'required_otp' => true
 				],
+				'antispam_default_bypass_spam' => [
+					'label' => lng('antispam.default_bypass_spam'),
+					'settinggroup' => 'antispam',
+					'varname' => 'default_bypass_spam',
+					'type' => 'select',
+					'default' => 2,
+					'select_var' => [
+						1 => lng('antispam.default_select.on_changeable'),
+						2 => lng('antispam.default_select.off_changeable'),
+						3 => lng('antispam.default_select.on_unchangeable'),
+						4 => lng('antispam.default_select.off_unchangeable'),
+					],
+					'save_method' => 'storeSettingField',
+					'advanced_mode' => true
+				],
+				'antispam_default_spam_rewrite_subject' => [
+					'label' => lng('antispam.default_spam_rewrite_subject'),
+					'settinggroup' => 'antispam',
+					'varname' => 'default_spam_rewrite_subject',
+					'type' => 'select',
+					'default' => 1,
+					'select_var' => [
+						1 => lng('antispam.default_select.on_changeable'),
+						2 => lng('antispam.default_select.off_changeable'),
+						3 => lng('antispam.default_select.on_unchangeable'),
+						4 => lng('antispam.default_select.off_unchangeable'),
+					],
+					'save_method' => 'storeSettingField',
+					'advanced_mode' => true
+				],
+				'antispam_default_policy_greylist' => [
+					'label' => lng('antispam.default_policy_greylist'),
+					'settinggroup' => 'antispam',
+					'varname' => 'default_policy_greylist',
+					'type' => 'select',
+					'default' => 1,
+					'select_var' => [
+						1 => lng('antispam.default_select.on_changeable'),
+						2 => lng('antispam.default_select.off_changeable'),
+						3 => lng('antispam.default_select.on_unchangeable'),
+						4 => lng('antispam.default_select.off_unchangeable'),
+					],
+					'save_method' => 'storeSettingField',
+					'advanced_mode' => true
+				],
 				'antispam_dkim_keylength' => [
 					'label' => lng('antispam.dkim_keylength'),
 					'settinggroup' => 'antispam',
@@ -84,7 +129,7 @@ return [
 					'settinggroup' => 'spf',
 					'varname' => 'spf_entry',
 					'type' => 'text',
-					'string_regexp' => '/^v=spf[a-z0-9:~?\s.-]+$/i',
+					'string_regexp' => '/^v=spf[a-z0-9:~?\s\.\-\/]+$/i',
 					'default' => 'v=spf1 a mx -all',
 					'save_method' => 'storeSettingField'
 				],
--- a/admin_apcuinfo.php
+++ b/admin_apcuinfo.php
@@ -118,7 +118,7 @@ if ($page == 'showinfo' && $userinfo['change_serversettings'] == '1') {
 		'uptime' => duration($cache['start_time'])
 	];

-	$overview['mem_used_percentage'] = number_format(($overview['mem_used'] / $overview['mem_avail']) * 100, 1);
+	$overview['mem_used_percentage'] = number_format(($overview['mem_used'] / $overview['mem_size']) * 100, 1);
 	$overview['num_hits_percentage'] = number_format(($overview['num_hits'] / $overview['num_hits_and_misses']) * 100,
 		1);
 	$overview['num_misses_percentage'] = number_format(($overview['num_misses'] / $overview['num_hits_and_misses']) * 100,
--- a/admin_customers.php
+++ b/admin_customers.php
@@ -307,17 +307,20 @@ if (($page == 'customers' || $page == 'overview') && $userinfo['customers'] != '
 					$hosting_plans[$row['id']] = $row['name'];
 				}

-				$available_admins_stmt = Database::prepare("
-					SELECT * FROM `" . TABLE_PANEL_ADMINS . "`
-					WHERE (`customers` = '-1' OR `customers` > `customers_used`)
-					AND adminid <> :currentadmin
-				");
-				Database::pexecute($available_admins_stmt, ['currentadmin' => $result['adminid']]);
-				$admin_select = [
-					0 => "---"
-				];
-				while ($available_admin = $available_admins_stmt->fetch()) {
-					$admin_select[$available_admin['adminid']] = $available_admin['name'] . " (" . $available_admin['loginname'] . ")";
+				$admin_select = [];
+				if ($userinfo['customers_see_all'] == '1') {
+					$available_admins_stmt = Database::prepare("
+						SELECT * FROM `" . TABLE_PANEL_ADMINS . "`
+						WHERE (`customers` = '-1' OR `customers` > `customers_used`)
+						AND adminid <> :currentadmin
+					");
+					Database::pexecute($available_admins_stmt, ['currentadmin' => $result['adminid']]);
+					$admin_select = [
+						0 => "---"
+					];
+					while ($available_admin = $available_admins_stmt->fetch()) {
+						$admin_select[$available_admin['adminid']] = $available_admin['name'] . " (" . $available_admin['loginname'] . ")";
+					}
 				}

 				$customer_edit_data = include_once dirname(__FILE__) . '/lib/formfields/admin/customer/formfield.customer_edit.php';
--- a/admin_domains.php
+++ b/admin_domains.php
@@ -319,7 +319,7 @@ if ($page == 'domains' || $page == 'overview') {
 			$alias_check = $alias_check['count'];

 			$domain_emails_result_stmt = Database::prepare("
-				SELECT `email`, `email_full`, `destination`, `popaccountid` AS `number_email_forwarders`
+				SELECT `email`, `email_full`, `destination`, `popaccountid`
 				FROM `" . TABLE_MAIL_VIRTUAL . "` WHERE `customerid` = :customerid AND `domainid` = :id
 			");
 			Database::pexecute($domain_emails_result_stmt, [
@@ -593,6 +593,23 @@ if ($page == 'domains' || $page == 'overview') {
 		}
 		echo 0;
 		exit();
+	} elseif ($action == 'jqEmaildomainNote') {
+		$domainid = intval(Request::post('id'));
+		$newval = intval(Request::post('newval'));
+		try {
+			$json_result = Domains::getLocal($userinfo, [
+				'id' => $domainid
+			])->get();
+		} catch (Exception $e) {
+			Response::dynamicError($e->getMessage());
+		}
+		$result = json_decode($json_result, true)['data'];
+		if ((int)$newval == 0 && $newval != $result['isemaildomain']) {
+			echo json_encode(['changed' => true, 'info' => lng('admin.emaildomainwarning')]);
+			exit();
+		}
+		echo 0;
+		exit();
 	} elseif ($action == 'import') {
 		if (Request::post('send') == 'send') {
 			$separator = Validate::validate(Request::post('separator'), 'separator');
--- a/admin_message.php
+++ b/admin_message.php
@@ -114,7 +114,7 @@ if ($page == 'message') {
 			$note_msg = lng('message.norecipients');
 		} else {
 			$note_type = 'success';
-			$note_msg = str_replace('%s', $sentitems, lng('message.success'));
+			$note_msg = lng('message.success', [$sentitems]);
 		}
 	}

@@ -128,7 +128,7 @@ if ($page == 'message') {
 	$messages_add_data = include_once dirname(__FILE__) . '/lib/formfields/admin/messages/formfield.messages_add.php';

 	UI::view('user/form-note.html.twig', [
-		'formaction' => $linker->getLink(['section' => 'message']),
+		'formaction' => $linker->getLink(['section' => 'message', 'action' => '']),
 		'formdata' => $messages_add_data['messages_add'],
 		'actions_links' => [
 			[
--- a/composer.json
+++ b/composer.json
@@ -46,7 +46,6 @@
 		"ext-fileinfo": "*",
 		"ext-gmp": "*",
 		"ext-gd": "*",
-		"ext-gnupg": "*",
 		"phpmailer/phpmailer": "~6.0",
 		"monolog/monolog": "^1.24",
 		"robthree/twofactorauth": "^1.6",
@@ -73,9 +72,15 @@
 	"suggest": {
 		"ext-bcmath": "*",
 		"ext-zip": "*",
+		"ext-gnupg": "*",
 		"ext-apcu": "*",
 		"ext-readline": "*"
 	},
+	"config": {
+		"platform": {
+			"php": "7.4"
+		}
+	},
 	"autoload": {
 		"psr-4": {
 			"Froxlor\\": [
@@ -84,6 +89,10 @@
 		}
 	},
 	"scripts": {
+		"dev": [
+			"Composer\\Config::disableProcessTimeout",
+			"npx concurrently -c \"#93c5fd,#fdba74\" \"php -S 127.0.0.1:8000\" \"npm run dev\" --names=server,vite"
+		],
 		"post-install-cmd": "if [ -f ./vendor/bin/phpcs ]; then \"vendor/bin/phpcs\" --config-set installed_paths vendor/phpcompatibility/php-compatibility ; fi",
 		"post-update-cmd" : "if [ -f ./vendor/bin/phpcs ]; then \"vendor/bin/phpcs\" --config-set installed_paths vendor/phpcompatibility/php-compatibility ; fi"
 	}
--- a/composer.lock
+++ b/composer.lock
--- a/customer_domains.php
+++ b/customer_domains.php
@@ -141,7 +141,6 @@ if ($page == 'overview' || $page == 'domains') {
 					WHERE `customerid` = :customerid
 					AND `parentdomainid` = '0'
 					AND `email_only` = '0'
-					AND `caneditdomain` = '1'
 					AND `deactivated` = '0'
 					ORDER BY `domain` ASC");
 				Database::pexecute($stmt, [
--- a/customer_email.php
+++ b/customer_email.php
@@ -30,7 +30,6 @@ use Froxlor\Api\Commands\EmailAccounts;
 use Froxlor\Api\Commands\EmailDomains;
 use Froxlor\Api\Commands\EmailForwarders;
 use Froxlor\Api\Commands\Emails;
-use Froxlor\Cron\Mail\Rspamd;
 use Froxlor\CurrentUser;
 use Froxlor\Database\Database;
 use Froxlor\FroxlorLogger;
@@ -105,7 +104,7 @@ if ($page == 'email_domain') {
 			$email_list_data = include_once dirname(__FILE__) . '/lib/tablelisting/customer/tablelisting.emails.php';
 			$collection = (new Collection(Emails::class, $userinfo, $sql_search))
 				->withPagination($email_list_data['email_list']['columns'],
-					$email_list_data['email_list']['default_sorting']);
+					$email_list_data['email_list']['default_sorting'], ['domainid=' . $email_domainid]);
 		} catch (Exception $e) {
 			Response::dynamicError($e->getMessage());
 		}
@@ -247,11 +246,7 @@ if ($page == 'email_domain') {
 		if (isset($result['email']) && $result['email'] != '') {
 			if (Request::post('send') == 'send') {
 				try {
-					Emails::getLocal($userinfo, [
-						'id' => $id,
-						'spam_tag_level' => Request::post('spam_tag_level', Rspamd::DEFAULT_MARK_LVL),
-						'spam_kill_level' => Request::post('spam_kill_level', Rspamd::DEFAULT_REJECT_LVL)
-					])->update();
+					Emails::getLocal($userinfo, Request::postAll())->update();
 				} catch (Exception $e) {
 					Response::dynamicError($e->getMessage());
 				}
@@ -291,88 +286,12 @@ if ($page == 'email_domain') {

 			$email_edit_data = include_once dirname(__FILE__) . '/lib/formfields/customer/email/formfield.emails_edit.php';

-			if (Settings::Get('catchall.catchall_enabled') != '1') {
-				unset($email_edit_data['emails_edit']['sections']['section_a']['fields']['mail_catchall']);
-			}
-
 			UI::view('user/form.html.twig', [
 				'formaction' => $linker->getLink(['section' => 'email']),
 				'formdata' => $email_edit_data['emails_edit'],
 				'editid' => $id
 			]);
 		}
-	} elseif ($action == 'togglebypass' && $id != 0) {
-		try {
-			$json_result = Emails::getLocal($userinfo, [
-				'id' => $id
-			])->get();
-		} catch (Exception $e) {
-			Response::dynamicError($e->getMessage());
-		}
-		$result = json_decode($json_result, true)['data'];
-
-		try {
-			Emails::getLocal($userinfo, [
-				'id' => $id,
-				'bypass_spam' => ($result['bypass_spam'] == '1' ? 0 : 1)
-			])->update();
-		} catch (Exception $e) {
-			Response::dynamicError($e->getMessage());
-		}
-		Response::redirectTo($filename, [
-			'page' => $page,
-			'domainid' => $email_domainid,
-			'action' => 'edit',
-			'id' => $id,
-		]);
-	} elseif ($action == 'togglegreylist' && $id != 0) {
-		try {
-			$json_result = Emails::getLocal($userinfo, [
-				'id' => $id
-			])->get();
-		} catch (Exception $e) {
-			Response::dynamicError($e->getMessage());
-		}
-		$result = json_decode($json_result, true)['data'];
-
-		try {
-			Emails::getLocal($userinfo, [
-				'id' => $id,
-				'policy_greylist' => ($result['policy_greylist'] == '1' ? 0 : 1)
-			])->update();
-		} catch (Exception $e) {
-			Response::dynamicError($e->getMessage());
-		}
-		Response::redirectTo($filename, [
-			'page' => $page,
-			'domainid' => $email_domainid,
-			'action' => 'edit',
-			'id' => $id,
-		]);
-	} elseif ($action == 'togglecatchall' && $id != 0) {
-		try {
-			$json_result = Emails::getLocal($userinfo, [
-				'id' => $id
-			])->get();
-		} catch (Exception $e) {
-			Response::dynamicError($e->getMessage());
-		}
-		$result = json_decode($json_result, true)['data'];
-
-		try {
-			Emails::getLocal($userinfo, [
-				'id' => $id,
-				'iscatchall' => ($result['iscatchall'] == '1' ? 0 : 1)
-			])->update();
-		} catch (Exception $e) {
-			Response::dynamicError($e->getMessage());
-		}
-		Response::redirectTo($filename, [
-			'page' => $page,
-			'domainid' => $email_domainid,
-			'action' => 'edit',
-			'id' => $id,
-		]);
 	}
 } elseif ($page == 'accounts') {
 	$email_domainid = Request::any('domainid', 0);
--- a/customer_mysql.php
+++ b/customer_mysql.php
@@ -228,7 +228,7 @@ if ($page == 'overview' || $page == 'mysqls') {
 			$new_password = Crypt::validatePassword(Request::post('mysql_password'));
 			foreach ($allowed_mysqlservers as $dbserver) {
 				// require privileged access for target db-server
-				Database::needRoot(true, $dbserver, false);
+				Database::needRoot(true, $dbserver, true);
 				// get DbManager
 				$dbm = new DbManager($log);
 				// give permission to the user on every access-host we have
--- a/index.php
+++ b/index.php
@@ -62,6 +62,7 @@ if ($action == '2fa_entercode') {
 	// show template to enter code
 	UI::view('login/enter2fa.html.twig', [
 		'pagetitle' => lng('login.2fa'),
+		'remember_me' => (Settings::Get('panel.db_version') >= 202407200) ? true : false,
 		'message' => $message
 	]);
 } elseif ($action == '2fa_verify') {
@@ -84,7 +85,8 @@ if ($action == '2fa_entercode') {
 		// verify code set to user's data_2fa field
 		$sel_stmt = Database::prepare("SELECT `data_2fa` FROM " . $table . " WHERE `" . $field . "` = :uid");
 		$userinfo_code = Database::pexecute_first($sel_stmt, ['uid' => $uid]);
-		$result = $tfa->verifyCode($userinfo_code['data_2fa'], $code);
+		// 60sec discrepancy (possible slow email delivery)
+		$result = $tfa->verifyCode($userinfo_code['data_2fa'], $code, 60);
 	} else {
 		$result = $tfa->verifyCode($_SESSION['secret_2fa'], $code, 3);
 	}
@@ -109,7 +111,7 @@ if ($action == '2fa_entercode') {
 		// when using email-2fa, remove the one-time-code
 		if ($userinfo['type_2fa'] == '1') {
 			$del_stmt = Database::prepare("UPDATE " . $table . " SET `data_2fa` = '' WHERE `" . $field . "` = :uid");
-			$userinfo = Database::pexecute_first($del_stmt, [
+			Database::pexecute_first($del_stmt, [
 				'uid' => $uid
 			]);
 		}
@@ -393,6 +395,9 @@ if ($action == '2fa_entercode') {
 					}
 					exit();
 				}
+				// not found or invalid, this cookie is useless, get rid of it
+				unset($_COOKIE['frx_2fa_remember']);
+				setcookie('frx_2fa_remember', "", time()-3600);
 			}

 			// redirect to code-enter-page
--- a/install/froxlor.sql.php
+++ b/install/froxlor.sql.php
@@ -95,6 +95,7 @@ CREATE TABLE `mail_virtual` (
  `iscatchall` tinyint(1) unsigned NOT NULL default '0',
  `description` varchar(255) NOT NULL DEFAULT '',
  `spam_tag_level` float(4,1) NOT NULL DEFAULT 7.0,
+  `rewrite_subject` tinyint(1) NOT NULL default '1',
  `spam_kill_level` float(4,1) NOT NULL DEFAULT 14.0,
  `bypass_spam` tinyint(1) NOT NULL default '0',
  `policy_greylist` tinyint(1) NOT NULL default '1',
@@ -390,6 +391,9 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('antispam', 'config_file', '/etc/rspamd/local.d/froxlor_settings.conf'),
 	('antispam', 'reload_command', 'service rspamd restart'),
 	('antispam', 'dkim_keylength', '1024'),
+	('antispam', 'default_bypass_spam', '2'),
+	('antispam', 'default_spam_rewrite_subject', '1'),
+	('antispam', 'default_policy_greylist', '1'),
 	('admin', 'show_news_feed', '0'),
 	('admin', 'show_version_login', '0'),
 	('admin', 'show_version_footer', '0'),
@@ -495,7 +499,6 @@ opcache.save_comments
 opcache.use_cwd
 opcache.fast_shutdown'),
 	('phpfpm', 'ini_admin_values', 'cgi.redirect_status_env
-date.timezone
 disable_classes
 disable_functions
 error_log
@@ -730,8 +733,8 @@ opcache.validate_timestamps'),
 	('panel', 'logo_overridecustom', '0'),
 	('panel', 'settings_mode', '0'),
 	('panel', 'menu_collapsed', '1'),
-	('panel', 'version', '2.2.0-rc3'),
-	('panel', 'db_version', '202407200');
+	('panel', 'version', '2.2.8'),
+	('panel', 'db_version', '202412030');


 DROP TABLE IF EXISTS `panel_tasks`;
@@ -1054,7 +1057,7 @@ CREATE TABLE `panel_loginlinks` (
 DROP TABLE IF EXISTS `panel_2fa_tokens`;
 CREATE TABLE `panel_2fa_tokens` (
  `id` int(11) NOT NULL auto_increment,
-  `selector` varchar(20) NOT NULL,
+  `selector` varchar(200) NOT NULL,
  `token` varchar(200) NOT NULL,
  `userid` int(11) NOT NULL default '0',
  `valid_until` int(15) NOT NULL,
--- a/install/updates/froxlor/update_2.2.inc.php
+++ b/install/updates/froxlor/update_2.2.inc.php
@@ -24,7 +24,9 @@
 */

 use Froxlor\Database\Database;
+use Froxlor\Database\DbManager;
 use Froxlor\Froxlor;
+use Froxlor\FroxlorLogger;
 use Froxlor\Install\Update;
 use Froxlor\Settings;

@@ -150,3 +152,111 @@ if (Froxlor::isFroxlorVersion('2.2.0-rc2')) {
 	Update::showUpdateStep("Updating from 2.2.0-rc2 to 2.2.0-rc3", false);
 	Froxlor::updateToVersion('2.2.0-rc3');
 }
+
+if (Froxlor::isDatabaseVersion('202407200')) {
+
+	Update::showUpdateStep("Adjusting field in 2fa-token table");
+	Database::query("ALTER TABLE `panel_2fa_tokens` CHANGE COLUMN `selector` `selector` varchar(200) NOT NULL;");
+	Update::lastStepStatus(0);
+
+	Froxlor::updateToDbVersion('202408140');
+}
+
+if (Froxlor::isFroxlorVersion('2.2.0-rc3')) {
+	Update::showUpdateStep("Updating from 2.2.0-rc3 to 2.2.0 stable", false);
+	Froxlor::updateToVersion('2.2.0');
+}
+
+if (Froxlor::isFroxlorVersion('2.2.0')) {
+	Update::showUpdateStep("Updating from 2.2.0 to 2.2.1", false);
+	Froxlor::updateToVersion('2.2.1');
+}
+
+if (Froxlor::isDatabaseVersion('202408140')) {
+
+	Update::showUpdateStep("Adding new rewrite-subject field to email table");
+	Database::query("ALTER TABLE `" . TABLE_MAIL_VIRTUAL . "` ADD `rewrite_subject` tinyint(1) NOT NULL default '1' AFTER `spam_tag_level`;");
+	Update::lastStepStatus(0);
+
+	Froxlor::updateToDbVersion('202409280');
+}
+
+if (Froxlor::isFroxlorVersion('2.2.1')) {
+	Update::showUpdateStep("Updating from 2.2.1 to 2.2.2", false);
+	Froxlor::updateToVersion('2.2.2');
+}
+
+if (Froxlor::isFroxlorVersion('2.2.2')) {
+	Update::showUpdateStep("Updating from 2.2.2 to 2.2.3", false);
+	Froxlor::updateToVersion('2.2.3');
+}
+
+if (Froxlor::isFroxlorVersion('2.2.3')) {
+	Update::showUpdateStep("Updating from 2.2.3 to 2.2.4", false);
+	Froxlor::updateToVersion('2.2.4');
+}
+
+if (Froxlor::isFroxlorVersion('2.2.4')) {
+	Update::showUpdateStep("Updating from 2.2.4 to 2.2.5", false);
+	Froxlor::updateToVersion('2.2.5');
+}
+
+if (Froxlor::isDatabaseVersion('202409280')) {
+
+	Update::showUpdateStep("Adding new antispam settings");
+	Settings::AddNew("antispam.default_bypass_spam", "2");
+	Settings::AddNew("antispam.default_spam_rewrite_subject", "1");
+	Settings::AddNew("antispam.default_policy_greylist", "1");
+	Update::lastStepStatus(0);
+
+	Froxlor::updateToDbVersion('202411200');
+}
+
+if (Froxlor::isDatabaseVersion('202411200')) {
+
+	Update::showUpdateStep("Adjusting customer mysql global user");
+	// get all customers that are not deactivated and that have at least one database (hence a global database-user)
+	$customers = Database::query("
+		SELECT DISTINCT c.loginname, c.allowed_mysqlserver
+		FROM `" . TABLE_PANEL_CUSTOMERS . "` c
+		LEFT JOIN `" . TABLE_PANEL_DATABASES . "` d ON c.customerid = d.customerid
+		WHERE c.deactivated = '0' AND d.id IS NOT NULL
+	");
+	while ($customer = $customers->fetch(\PDO::FETCH_ASSOC)) {
+		$current_allowed_mysqlserver = !empty($customer['allowed_mysqlserver']) ? json_decode($customer['allowed_mysqlserver'], true) : [];
+		foreach ($current_allowed_mysqlserver as $dbserver) {
+			// require privileged access for target db-server
+			Database::needRoot(true, $dbserver, false);
+			// get DbManager
+			$dbm = new DbManager(FroxlorLogger::getInstanceOf());
+			foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
+				if ($dbm->getManager()->userExistsOnHost($customer['loginname'], $mysql_access_host)) {
+					// deactivate temporarily
+					$dbm->getManager()->disableUser($customer['loginname'], $mysql_access_host);
+					// re-enable
+					$dbm->getManager()->enableUser($customer['loginname'], $mysql_access_host, true);
+				}
+			}
+			$dbm->getManager()->flushPrivileges();
+			Database::needRoot();
+		}
+	}
+	Update::lastStepStatus(0);
+
+	Froxlor::updateToDbVersion('202412030');
+}
+
+if (Froxlor::isFroxlorVersion('2.2.5')) {
+	Update::showUpdateStep("Updating from 2.2.5 to 2.2.6", false);
+	Froxlor::updateToVersion('2.2.6');
+}
+
+if (Froxlor::isFroxlorVersion('2.2.6')) {
+	Update::showUpdateStep("Updating from 2.2.6 to 2.2.7", false);
+	Froxlor::updateToVersion('2.2.7');
+}
+
+if (Froxlor::isFroxlorVersion('2.2.7')) {
+	Update::showUpdateStep("Updating from 2.2.7 to 2.2.8", false);
+	Froxlor::updateToVersion('2.2.8');
+}
--- a/install/updates/preconfig/preconfig_0.10.inc.php
+++ b/install/updates/preconfig/preconfig_0.10.inc.php
@@ -34,7 +34,7 @@ $return = [];
 if (Update::versionInUpdate($current_db_version, '202004140')) {
 	$has_preconfig = true;
 	$description = 'Froxlor can now optionally validate the dns entries of domains that request Lets Encrypt certificates to reduce dns-related problems (e.g. freshly registered domain or updated a-record).';
-	$question = '<strong>Validate DNS of domains when using Lets Encrypt&nbsp;';
+	$question = '<strong>Validate DNS of domains when using Lets Encrypt</strong>';
 	$return['system_le_domain_dnscheck'] = [
 		'type' => 'checkbox',
 		'value' => 1,
--- a/lib/Froxlor/Api/ApiParameter.php
+++ b/lib/Froxlor/Api/ApiParameter.php
@@ -44,7 +44,7 @@ abstract class ApiParameter
 	 *
 	 * @throws Exception
 	 */
-	public function __construct(array $params = null)
+	public function __construct(?array $params = null)
 	{
 		if (!is_null($params)) {
 			$params = $this->trimArray($params);
@@ -91,7 +91,7 @@ abstract class ApiParameter
 	 * @return mixed
 	 * @throws Exception
 	 */
-	protected function getUlParam(string $param = null, string $ul_field = null, bool $optional = false, $default = 0)
+	protected function getUlParam(?string $param = null, ?string $ul_field = null, bool $optional = false, $default = 0)
 	{
 		$param_value = (int)$this->getParam($param, $optional, $default);
 		$ul_field_value = $this->getBoolParam($ul_field, true, 0);
@@ -116,7 +116,7 @@ abstract class ApiParameter
 	 * @return mixed
 	 * @throws Exception
 	 */
-	protected function getParam(string $param = null, bool $optional = false, $default = '')
+	protected function getParam(?string $param = null, bool $optional = false, $default = '')
 	{
 		// does it exist?
 		if (!isset($this->cmd_params[$param])) {
@@ -183,7 +183,7 @@ abstract class ApiParameter
 	 *
 	 * @return string
 	 */
-	protected function getBoolParam(string $param = null, bool $optional = false, $default = false)
+	protected function getBoolParam(?string $param = null, bool $optional = false, $default = false)
 	{
 		$_default = '0';
 		if ($default) {
--- a/lib/Froxlor/Api/Commands/Admins.php
+++ b/lib/Froxlor/Api/Commands/Admins.php
@@ -287,6 +287,15 @@ class Admins extends ApiCommand implements ResourceEntity
 				'login' => $loginname
 			], true, true);

+			// Check for existing email address
+			// do not check via api as we skip any permission checks for this task
+			$email_check_admin_stmt = Database::prepare("
+				SELECT `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `email` = :email
+			");
+			$email_check_admin = Database::pexecute_first($email_check_admin_stmt, [
+				'email' => $email
+			], true, true);
+
 			if (($loginname_check && strtolower($loginname_check['loginname']) == strtolower($loginname)) || ($loginname_check_admin && strtolower($loginname_check_admin['loginname']) == strtolower($loginname))) {
 				Response::standardError('loginnameexists', $loginname, true);
 			} elseif (preg_match('/^' . preg_quote(Settings::Get('customer.accountprefix'), '/') . '([0-9]+)/', $loginname)) {
@@ -298,6 +307,8 @@ class Admins extends ApiCommand implements ResourceEntity
 				Response::standardError('loginnameiswrong', $loginname, true);
 			} elseif (!Validate::validateEmail($email)) {
 				Response::standardError('emailiswrong', $email, true);
+			} elseif ($email_check_admin && strtolower($email_check_admin['email']) == strtolower($email)) {
+				Response::standardError('emailexists', $email, true);
 			} else {
 				if ($customers_see_all != '1') {
 					$customers_see_all = '0';
@@ -610,8 +621,20 @@ class Admins extends ApiCommand implements ResourceEntity
 						'admin.email'
 					], '', true);
 				}
+				// Check for existing email address
+				// do not check via api as we skip any permission checks for this task
+				$email_check_admin_stmt = Database::prepare("
+					SELECT `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `email` = :email and `adminid` <> :adminid
+				");
+				$email_check_admin = Database::pexecute_first($email_check_admin_stmt, [
+					'email' => $email,
+					'adminid' => $id,
+				], true, true);
+
 				if (!Validate::validateEmail($email)) {
 					Response::standardError('emailiswrong', $email, true);
+				} elseif ($email_check_admin && strtolower($email_check_admin['email']) == strtolower($email)) {
+					Response::standardError('emailexists', $email, true);
 				} else {
 					if ($deactivated != '1') {
 						$deactivated = '0';
--- a/lib/Froxlor/Api/Commands/Customers.php
+++ b/lib/Froxlor/Api/Commands/Customers.php
@@ -505,6 +505,15 @@ class Customers extends ApiCommand implements ResourceEntity
 						'login' => $loginname
 					], true, true);

+					// Check for existing email address
+					// do not check via api as we skip any permission checks for this task
+					$email_check_admin_stmt = Database::prepare("
+						SELECT `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `email` = :email
+					");
+					$email_check_admin = Database::pexecute_first($email_check_admin_stmt, [
+						'email' => $email
+					], true, true);
+
 					$mysql_maxlen = Database::getSqlUsernameLength() - strlen(Settings::Get('customer.mysqlprefix'));
 					if (($loginname_check && strtolower($loginname_check['loginname']) == strtolower($loginname)) || ($loginname_check_admin && strtolower($loginname_check_admin['loginname']) == strtolower($loginname))) {
 						Response::standardError('loginnameexists', $loginname, true);
@@ -514,6 +523,8 @@ class Customers extends ApiCommand implements ResourceEntity
 						} else {
 							Response::standardError('loginnameiswrong', $loginname, true);
 						}
+					} elseif ($email_check_admin && strtolower($email_check_admin['email']) == strtolower($email)) {
+						Response::standardError('emailexistsanon', $email, true);
 					}

 					$guid = intval(Settings::Get('system.lastguid')) + 1;
@@ -738,11 +749,12 @@ class Customers extends ApiCommand implements ResourceEntity
 							'adminid' => $this->getUserDetail('adminid'),
 							'docroot' => $documentroot,
 							'phpenabled' => $phpenabled,
-							'openbasedir' => '1'
+							'openbasedir' => '1',
+							'is_stdsubdomain' => 1
 						];
 						$domainid = -1;
 						try {
-							$std_domain = $this->apiCall('Domains.add', $ins_data);
+							$std_domain = $this->apiCall('Domains.add', $ins_data, true);
 							$domainid = $std_domain['id'];
 						} catch (Exception $e) {
 							$this->logger()->logAction(FroxlorLogger::ADM_ACTION, LOG_ERR, "[API] Unable to add standard-subdomain: " . $e->getMessage());
@@ -827,7 +839,7 @@ class Customers extends ApiCommand implements ResourceEntity
 						try {
 							$this->mailer()->Subject = $mail_subject;
 							$this->mailer()->AltBody = $mail_body;
-							$this->mailer()->msgHTML(str_replace("\n", "<br />", $mail_body));
+							$this->mailer()->Body = str_replace("\n", "<br />", $mail_body);
 							$this->mailer()->addAddress($email, User::getCorrectUserSalutation([
 								'firstname' => $firstname,
 								'name' => $name,
@@ -1105,7 +1117,7 @@ class Customers extends ApiCommand implements ResourceEntity
 			$email = $this->getParam('email', true, $idna_convert->decode($result['email']));
 			$name = $this->getParam('name', true, $result['name']);
 			$firstname = $this->getParam('firstname', true, $result['firstname']);
-			$company_required = (!empty($name) && empty($firstname)) || (empty($name) && !empty($firstname)) || (empty($name) && empty($firstname));
+			$company_required = ((!empty($name) && empty($firstname)) || (empty($name) && !empty($firstname)) || (empty($name) && empty($firstname))) && empty($result['company']);
 			$company = $this->getParam('company', !$company_required, $result['company']);
 			$street = $this->getParam('street', true, $result['street']);
 			$zipcode = $this->getParam('zipcode', true, $result['zipcode']);
@@ -1242,6 +1254,18 @@ class Customers extends ApiCommand implements ResourceEntity
 				], '', true);
 			} elseif (!Validate::validateEmail($email)) {
 				Response::standardError('emailiswrong', $email, true);
+			} else {
+				// Check for existing email address
+				// do not check via api as we skip any permission checks for this task
+				$email_check_admin_stmt = Database::prepare("
+						SELECT `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `email` = :email
+					");
+				$email_check_admin = Database::pexecute_first($email_check_admin_stmt, [
+					'email' => $email
+				], true, true);
+				if ($email_check_admin && strtolower($email_check_admin['email']) == strtolower($email)) {
+					Response::standardError('emailexistsanon', $email, true);
+				}
 			}
 		}

@@ -1346,7 +1370,7 @@ class Customers extends ApiCommand implements ResourceEntity
 				$current_allowed_mysqlserver =  isset($result['allowed_mysqlserver']) && !empty($result['allowed_mysqlserver']) ? json_decode($result['allowed_mysqlserver'], true) : [];
 				foreach ($current_allowed_mysqlserver as $dbserver) {
 					// require privileged access for target db-server
-					Database::needRoot(true, $dbserver, false);
+					Database::needRoot(true, $dbserver, true);
 					// get DbManager
 					$dbm = new DbManager($this->logger());
 					foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
--- a/lib/Froxlor/Api/Commands/DomainZones.php
+++ b/lib/Froxlor/Api/Commands/DomainZones.php
@@ -178,7 +178,7 @@ class DomainZones extends ApiCommand implements ResourceEntity
 				}
 			}
 		} elseif ($type == 'CAA' && !empty($content)) {
-			$re = '/(?\'critical\'\d)\h*(?\'type\'iodef|issue|issuewild)\h*(?\'value\'(?\'issuevalue\'"(?\'domain\'(?=.{3,128}$)(?>(?>[a-zA-Z0-9]+[a-zA-Z0-9-]*[a-zA-Z0-9]+|[a-zA-Z0-9]+)\.)*(?>[a-zA-Z]{2,}|[a-zA-Z0-9]{2,}\.[a-zA-Z]{2,}))[;\h]*(?\'parameters\'(?>[a-zA-Z0-9]{1,60}=[a-zA-Z0-9]{1,60}\h*)+)?")|(?\'iodefvalue\'"(?\'url\'(mailto:.*|http:\/\/.*|https:\/\/.*))"))/';
+			$re = '/(?\'critical\'\d+)\h*(?\'type\'iodef|issue|issuewild)\h*(?\'value\'(?\'issuevalue\'"(?\'domain\'(?=.{3,128}$)(?>(?>[a-zA-Z0-9]+[a-zA-Z0-9-]*[a-zA-Z0-9]+|[a-zA-Z0-9]+)\.)*(?>[a-zA-Z]{2,}|[a-zA-Z0-9]{2,}\.[a-zA-Z]{2,}))[;\h]*(?\'parameters\'(?>[a-zA-Z0-9]{1,60}=[a-zA-Z0-9:\.\/\-]{1,60}\h*)+)?")|(?\'iodefvalue\'"(?\'url\'(mailto:.*|http:\/\/.*|https:\/\/.*))"))/';
 			preg_match($re, $content, $matches);

 			if (empty($matches)) {
--- a/lib/Froxlor/Api/Commands/Domains.php
+++ b/lib/Froxlor/Api/Commands/Domains.php
@@ -201,7 +201,7 @@ class Domains extends ApiCommand implements ResourceEntity
 	 * @param string $zonefile
 	 *            optional, custom dns zone filename (only of nameserver is activated), default empty (auto-generated)
 	 * @param bool $dkim
-	 *            optional, currently not in use, default 0 (false)
+	 *            optional, whether this domain should use dkim if antispam is activated, default 0 (false)
 	 * @param string $specialsettings
 	 *            optional, custom webserver vhost-content which is added to the generated vhost, default empty
 	 * @param string $ssl_specialsettings
@@ -274,7 +274,8 @@ class Domains extends ApiCommand implements ResourceEntity
 	 *            $override_tls is true
 	 * @param string $description
 	 *            optional custom description (currently not used/shown in the frontend), default empty
-	 *
+	 * @param bool $is_stdsubdomain (internally)
+	 *            optional whether this is a standard subdomain for a customer which is being added so no usage is decreased
 	 * @access admin
 	 * @return string json-encoded array
 	 * @throws Exception
@@ -282,7 +283,8 @@ class Domains extends ApiCommand implements ResourceEntity
 	public function add()
 	{
 		if ($this->isAdmin()) {
-			if ($this->getUserDetail('domains_used') < $this->getUserDetail('domains') || $this->getUserDetail('domains') == '-1') {
+			$is_stdsubdomain = $this->isInternal() ? $this->getBoolParam('is_stdsubdomain', true, 0) : false;
+			if ($is_stdsubdomain || $this->getUserDetail('domains_used') < $this->getUserDetail('domains') || $this->getUserDetail('domains') == '-1') {
 				// parameters
 				$p_domain = $this->getParam('domain');

@@ -472,7 +474,6 @@ class Domains extends ApiCommand implements ResourceEntity
 					}
 					$caneditdomain = '1';
 					$zonefile = '';
-					$dkim = '0';
 					$specialsettings = '';
 					$ssl_specialsettings = '';
 					$include_specialsettings = 0;
@@ -548,8 +549,11 @@ class Domains extends ApiCommand implements ResourceEntity
 					}
 				}
 				if (Settings::Get('system.use_ssl') == "1" && $sslenabled == 1 && empty($ssl_ipandports)) {
-					// enabled ssl for the domain but no ssl ip/port is selected
-					Response::standardError('nosslippportgiven', '', true);
+					// if this is a customer standard-subdomain, we simply ignore this and disable ssl-related settings (see if-statement below)
+					if (!$is_stdsubdomain) {
+						// enabled ssl for the domain but no ssl ip/port is selected
+						Response::standardError('nosslippportgiven', '', true);
+					}
 				}
 				if (Settings::Get('system.use_ssl') == "0" || empty($ssl_ipandports)) {
 					$ssl_redirect = 0;
@@ -591,12 +595,18 @@ class Domains extends ApiCommand implements ResourceEntity
 					$ssl_redirect = 2;
 				}

-				if (!preg_match('/^https?\:\/\//', $documentroot)) {
-					if (strstr($documentroot, ":") !== false) {
-						Response::standardError('pathmaynotcontaincolon', '', true);
-					} else {
-						$documentroot = FileDir::makeCorrectDir($documentroot);
+				// Check if given documentroot is either a valid URL or a valid path
+				if (preg_match('/^https?\:\/\//', $documentroot)) {
+					$encoded = $idna_convert->encode($documentroot);
+					if (!Validate::validateUrl($encoded, true)) {
+						Response::standardError('invaliddocumentrooturl', '', true);
 					}
+					$documentroot = $encoded;
+				} else {
+					if (strpos($documentroot, ':') !== false) {
+						Response::standardError('pathmaynotcontaincolon', '', true);
+					}
+					$documentroot = FileDir::makeCorrectDir($documentroot);
 				}

 				$domain_check_stmt = Database::prepare("
@@ -795,12 +805,15 @@ class Domains extends ApiCommand implements ResourceEntity
 					$ins_data['id'] = $domainid;
 					unset($ins_data);

-					$upd_stmt = Database::prepare("
-						UPDATE `" . TABLE_PANEL_ADMINS . "` SET `domains_used` = `domains_used` + 1
-						WHERE `adminid` = :adminid");
-					Database::pexecute($upd_stmt, [
-						'adminid' => $adminid
-					], true, true);
+					if (!$is_stdsubdomain) {
+						$upd_stmt = Database::prepare("
+							UPDATE `" . TABLE_PANEL_ADMINS . "` SET `domains_used` = `domains_used` + 1
+							WHERE `adminid` = :adminid
+						");
+						Database::pexecute($upd_stmt, [
+							'adminid' => $adminid
+						], true, true);
+					}

 					$ins_stmt = Database::prepare("
 						INSERT INTO `" . TABLE_DOMAINTOIP . "` SET
@@ -1058,6 +1071,9 @@ class Domains extends ApiCommand implements ResourceEntity
 	 *            (default yes), 3 = always, default 0 (never)
 	 * @param bool $isemaildomain
 	 *            optional, allow email usage with this domain, default 0 (false)
+	 * @param bool $emaildomainverified
+	 *            optional, when setting $isemaildomain to false, this needs to be set to true to confirm the action in case email addresses exist for this domain,
+	 *            default 0 (false)
 	 * @param bool $email_only
 	 *            optional, restrict domain to email usage, default 0 (false)
 	 * @param int $selectserveralias
@@ -1080,7 +1096,7 @@ class Domains extends ApiCommand implements ResourceEntity
 	 * @param string $zonefile
 	 *            optional, custom dns zone filename (only of nameserver is activated), default empty (auto-generated)
 	 * @param bool $dkim
-	 *            optional, currently not in use, default 0 (false)
+	 *            optional, whether this domain should use dkim if antispam is activated, default 0 (false)
 	 * @param string $specialsettings
 	 *            optional, custom webserver vhost-content which is added to the generated vhost, default empty
 	 * @param string $ssl_specialsettings
@@ -1185,6 +1201,7 @@ class Domains extends ApiCommand implements ResourceEntity

 			$subcanemaildomain = $this->getParam('subcanemaildomain', true, $result['subcanemaildomain']);
 			$isemaildomain = $this->getBoolParam('isemaildomain', true, $result['isemaildomain']);
+			$emaildomainverified = $this->getBoolParam('emaildomainverified', true, 0);
 			$email_only = $this->getBoolParam('email_only', true, $result['email_only']);
 			$p_serveraliasoption = $this->getParam('selectserveralias', true, -1);
 			$speciallogfile = $this->getBoolParam('speciallogfile', true, $result['speciallogfile']);
@@ -1268,7 +1285,7 @@ class Domains extends ApiCommand implements ResourceEntity

 			// count where we are used in email-accounts
 			$domain_emails_result_stmt = Database::prepare("
-				SELECT `email`, `email_full`, `destination`, `popaccountid` AS `number_email_forwarders`
+				SELECT `email`, `email_full`, `destination`, `popaccountid`
 				FROM `" . TABLE_MAIL_VIRTUAL . "` WHERE `customerid` = :customerid AND `domainid` = :id
 			");
 			Database::pexecute($domain_emails_result_stmt, [
@@ -1291,6 +1308,10 @@ class Domains extends ApiCommand implements ResourceEntity
 				}
 			}

+			if ($emails > 0 && (int)$isemaildomain == 0 && (int)$result['isemaildomain'] == 1 && (int)$emaildomainverified == 0) {
+				Response::standardError('emaildomainstillhasaddresses', '', true);
+			}
+
 			// handle change of customer (move domain from customer to customer)
 			if ($customerid > 0 && $customerid != $result['customerid'] && Settings::Get('panel.allow_domain_change_customer') == '1') {
 				// check whether target customer has enough resources
@@ -1399,10 +1420,6 @@ class Domains extends ApiCommand implements ResourceEntity
 				}
 			}

-			if (!preg_match('/^https?\:\/\//', $documentroot) && strstr($documentroot, ":") !== false) {
-				Response::standardError('pathmaynotcontaincolon', '', true);
-			}
-
 			if ($this->getUserDetail('change_serversettings') == '1') {
 				if (Settings::Get('system.bind_enable') == '1') {
 					$zonefile = Validate::validate($zonefile, 'zonefile', '', '', [], true);
@@ -1447,7 +1464,6 @@ class Domains extends ApiCommand implements ResourceEntity
 			} else {
 				$isbinddomain = $result['isbinddomain'];
 				$zonefile = $result['zonefile'];
-				$dkim = $result['dkim'];
 				$specialsettings = $result['specialsettings'];
 				$ssl_specialsettings = $result['ssl_specialsettings'];
 				$include_specialsettings = $result['include_specialsettings'];
@@ -1566,15 +1582,25 @@ class Domains extends ApiCommand implements ResourceEntity
 			}

 			// Temporarily deactivate ssl_redirect until Let's Encrypt certificate was generated
-			if (($result['letsencrypt'] != $letsencrypt || $result['ssl_redirect'] != $ssl_redirect) && $ssl_redirect > 0 && $letsencrypt == 1) {
+			if ($result['letsencrypt'] != $letsencrypt && $ssl_redirect > 0 && $letsencrypt == 1) {
 				$ssl_redirect = 2;
 			}

-			if (!preg_match('/^https?\:\/\//', $documentroot)) {
-				if ($documentroot != $result['documentroot']) {
+			$idna_convert = new IdnaWrapper();
+			if ($documentroot != $result['documentroot']) {
+				if (preg_match('/^https?\:\/\//', $documentroot)) {
+					$encoded = $idna_convert->encode($documentroot);
+					if (!Validate::validateUrl($encoded, true)) {
+						Response::standardError('invaliddocumentrooturl', '', true);
+					}
+					$documentroot = $encoded;
+				} else {
 					if (substr($documentroot, 0, 1) != "/") {
 						$documentroot = $customer['documentroot'] . '/' . $documentroot;
 					}
+					if (strpos($documentroot, ':') !== false) {
+						Response::standardError('pathmaynotcontaincolon', '', true);
+					}
 					$documentroot = FileDir::makeCorrectDir($documentroot);
 				}
 			}
@@ -2085,7 +2111,6 @@ class Domains extends ApiCommand implements ResourceEntity
 				}
 			}

-			$idna_convert = new IdnaWrapper();
 			$this->logger()->logAction(FroxlorLogger::ADM_ACTION, LOG_WARNING, "[API] updated domain '" . $idna_convert->decode($result['domain']) . "'");
 			$result = $this->apiCall('Domains.get', [
 				'domainname' => $result['domain']
--- a/lib/Froxlor/Api/Commands/EmailAccounts.php
+++ b/lib/Froxlor/Api/Commands/EmailAccounts.php
@@ -260,10 +260,12 @@ class EmailAccounts extends ApiCommand implements ResourceEntity
 				$_mailerror = false;
 				$mailerr_msg = "";
 				try {
-					$this->mailer()->setFrom($admin['email'], User::getCorrectUserSalutation($admin));
+					$this->mailer()->setFrom(Settings::Get('panel.adminmail'), User::getCorrectUserSalutation($admin));
+					$this->mailer()->clearReplyTos();
+					$this->mailer()->addReplyTo($admin['email'], User::getCorrectUserSalutation($admin));
 					$this->mailer()->Subject = $mail_subject;
 					$this->mailer()->AltBody = $mail_body;
-					$this->mailer()->msgHTML(str_replace("\n", "<br />", $mail_body));
+					$this->mailer()->Body = str_replace("\n", "<br />", $mail_body);
 					$this->mailer()->addAddress($email_full);
 					$this->mailer()->send();
 				} catch (\PHPMailer\PHPMailer\Exception $e) {
@@ -290,7 +292,9 @@ class EmailAccounts extends ApiCommand implements ResourceEntity

 					$_mailerror = false;
 					try {
-						$this->mailer()->setFrom($admin['email'], User::getCorrectUserSalutation($admin));
+						$this->mailer()->setFrom(Settings::Get('panel.adminmail'), User::getCorrectUserSalutation($admin));
+						$this->mailer()->clearReplyTos();
+						$this->mailer()->addReplyTo($admin['email'], User::getCorrectUserSalutation($admin));
 						$this->mailer()->Subject = $mail_subject;
 						$this->mailer()->AltBody = $mail_body;
 						$this->mailer()->msgHTML(str_replace("\n", "<br />", $mail_body));
--- a/lib/Froxlor/Api/Commands/EmailDomains.php
+++ b/lib/Froxlor/Api/Commands/EmailDomains.php
@@ -69,7 +69,7 @@ class EmailDomains extends ApiCommand implements ResourceEntity
 		$result = [];
 		$query_fields = [];
 		$result_stmt = Database::prepare("
-		SELECT DISTINCT d.domain, e.domainid,
+		SELECT DISTINCT d.domain, d.domain_ace, e.domainid,
 		COUNT(e.email) as addresses,
 		IFNULL(SUM(CASE WHEN e.popaccountid > 0 THEN 1 ELSE 0 END), 0) as accounts,
 		IFNULL(SUM(
--- a/lib/Froxlor/Api/Commands/Emails.php
+++ b/lib/Froxlor/Api/Commands/Emails.php
@@ -53,12 +53,14 @@ class Emails extends ApiCommand implements ResourceEntity
 	 *            domain-name for the email-address
 	 * @param float $spam_tag_level
 	 *            optional, score which is required to tag emails as spam, default: 7.0
+	 * @param bool $rewrite_subject
+	 *            optional, whether to add ***SPAM*** to the email's subject if applicable, default: [antispam.default_spam_rewrite_subject]
 	 * @param float $spam_kill_level
 	 *            optional, score which is required to discard emails, default: 14.0
 	 * @param boolean $bypass_spam
-	 *            optional, disable spam-filter entirely, default: no
+	 *            optional, disable spam-filter entirely, default: [antispam.default_bypass_spam]
 	 * @param boolean $policy_greylist
-	 *            optional, enable grey-listing, default: yes
+	 *            optional, enable grey-listing, default: [antispam.default_policy_greylist]
 	 * @param boolean $iscatchall
 	 *            optional, make this address a catchall address, default: no
 	 * @param int $customerid
@@ -85,17 +87,32 @@ class Emails extends ApiCommand implements ResourceEntity

 			// parameters
 			$spam_tag_level = $this->getParam('spam_tag_level', true, '7.0');
-			$spam_kill_level = $this->getParam('spam_kill_level', true, '14.0');
-			$bypass_spam = $this->getBoolParam('bypass_spam', true, 0);
-			$policy_greylist = $this->getBoolParam('policy_greylist', true, 1);
+			$spam_kill_level = $this->getUlParam('spam_kill_level', 'spam_kill_level_ul', true, '14.0');
 			$iscatchall = $this->getBoolParam('iscatchall', true, 0);
 			$description = $this->getParam('description', true, '');

+			if ((int)Settings::Get('antispam.default_spam_rewrite_subject') <= 2) {
+				$rewrite_subject = $this->getBoolParam('rewrite_subject', true, (int)Settings::Get('antispam.default_spam_rewrite_subject') == 1 ? 1 : 0);
+			} else {
+				$rewrite_subject = (int)Settings::Get('antispam.default_spam_rewrite_subject') == 3 ? 1 : 0;
+			}
+			if ((int)Settings::Get('antispam.default_bypass_spam') <= 2) {
+				$bypass_spam = $this->getBoolParam('bypass_spam', true, (int)Settings::Get('antispam.default_bypass_spam') == 1 ? 1 : 0);
+			} else {
+				$bypass_spam = (int)Settings::Get('antispam.default_bypass_spam') == 3 ? 1 : 0;
+			}
+			if ((int)Settings::Get('antispam.default_policy_greylist') <= 2) {
+				$policy_greylist = $this->getBoolParam('policy_greylist', true, (int)Settings::Get('antispam.default_policy_greylist') == 1 ? 1 : 0);
+			} else {
+				$policy_greylist = (int)Settings::Get('antispam.default_policy_greylist') == 3 ? 1 : 0;
+			}
+
 			// validation
+			$idna_convert = new IdnaWrapper();
 			if (substr($domain, 0, 4) != 'xn--') {
-				$idna_convert = new IdnaWrapper();
 				$domain = $idna_convert->encode(Validate::validate($domain, 'domain', '', '', [], true));
 			}
+			$email_part = $idna_convert->encode($email_part);

 			// check domain and whether it's an email-enabled domain
 			// use internal call because the customer might have 'domains' in customer_hide_options
@@ -103,10 +120,10 @@ class Emails extends ApiCommand implements ResourceEntity
 				'domainname' => $domain
 			], true);
 			if ((int)$domain_check['isemaildomain'] == 0) {
-				Response::standardError('maindomainnonexist', $domain, true);
+				Response::standardError('maindomainnonexist', $idna_convert->decode($domain), true);
 			}
 			if ((int)$domain_check['deactivated'] == 1) {
-				Response::standardError('maindomaindeactivated', $domain, true);
+				Response::standardError('maindomaindeactivated', $idna_convert->decode($domain), true);
 			}

 			if (Settings::Get('catchall.catchall_enabled') != '1') {
@@ -127,7 +144,7 @@ class Emails extends ApiCommand implements ResourceEntity

 			// validate it
 			if (!Validate::validateEmail($email_full)) {
-				Response::standardError('emailiswrong', $email_full, true);
+				Response::standardError('emailiswrong', $idna_convert->decode($email_full), true);
 			}

 			// get needed customer info to reduce the email-address-counter by one
@@ -148,14 +165,16 @@ class Emails extends ApiCommand implements ResourceEntity

 			if ($email_check) {
 				if (strtolower($email_check['email_full']) == strtolower($email_full)) {
-					Response::standardError('emailexistalready', $email_full, true);
+					Response::standardError('emailexistalready', $idna_convert->decode($email_full), true);
 				} elseif ($email_check['email'] == $email) {
 					Response::standardError('youhavealreadyacatchallforthisdomain', '', true);
 				}
 			}

-			$spam_tag_level = Validate::validate($spam_tag_level, 'spam_tag_level', '/^\d{1,}(\.\d{1,2})?$/', '', [7.0], true);
-			$spam_kill_level = Validate::validate($spam_kill_level, 'spam_kill_level', '/^\d{1,}(\.\d{1,2})?$/', '', [14.0], true);
+			$spam_tag_level = Validate::validate($spam_tag_level, 'spam_tag_level', '/^\d{1,}(\.\d{1})?$/', '', [7.0], true);
+			if ($spam_kill_level > -1) {
+				$spam_kill_level = Validate::validate($spam_kill_level, 'spam_kill_level', '/^\d{1,}(\.\d{1})?$/', '', [14.0], true);
+			}
 			$description = Validate::validate(trim($description), 'description', Validate::REGEX_DESC_TEXT, '', [], true);

 			$stmt = Database::prepare("
@@ -164,6 +183,7 @@ class Emails extends ApiCommand implements ResourceEntity
 				`email` = :email,
 				`email_full` = :email_full,
 				`spam_tag_level` = :spam_tag_level,
+				`rewrite_subject` = :rewrite_subject,
 				`spam_kill_level` = :spam_kill_level,
 				`bypass_spam` = :bypass_spam,
 				`policy_greylist` = :policy_greylist,
@@ -176,6 +196,7 @@ class Emails extends ApiCommand implements ResourceEntity
 				"email" => $email,
 				"email_full" => $email_full,
 				"spam_tag_level" => $spam_tag_level,
+				"rewrite_subject" => $rewrite_subject,
 				"spam_kill_level" => $spam_kill_level,
 				"bypass_spam" => $bypass_spam,
 				"policy_greylist" => $policy_greylist,
@@ -226,7 +247,7 @@ class Emails extends ApiCommand implements ResourceEntity
 			LEFT JOIN `" . TABLE_MAIL_USERS . "` u ON v.`popaccountid` = u.`id`
 			WHERE v.`customerid` IN (" . implode(", ", $customer_ids) . ")
 			AND " . (is_numeric($params['idea']) ? "v.`id`= :idea" : "(v.`email` = :idea OR v.`email_full` = :idea)"
-		));
+			));
 		$result = Database::pexecute_first($result_stmt, $params, true, true);
 		if ($result) {
 			$this->logger()->logAction($this->isAdmin() ? FroxlorLogger::ADM_ACTION : FroxlorLogger::USR_ACTION, LOG_INFO, "[API] get email address '" . $result['email_full'] . "'");
@@ -249,12 +270,14 @@ class Emails extends ApiCommand implements ResourceEntity
 	 *            optional, required when called as admin (if $customerid is not specified)
 	 * @param float $spam_tag_level
 	 *            optional, score which is required to tag emails as spam, default: 7.0
+	 * @param bool $rewrite_subject
+	 *              optional, whether to add ***SPAM*** to the email's subject if applicable, default: [antispam.default_spam_rewrite_subject]
 	 * @param float $spam_kill_level
 	 *            optional, score which is required to discard emails, default: 14.0
 	 * @param boolean $bypass_spam
-	 *            optional, disable spam-filter entirely, default: no
+	 *            optional, disable spam-filter entirely, default: [antispam.default_bypass_spam]
 	 * @param boolean $policy_greylist
-	 *            optional, enable grey-listing, default: yes
+	 *            optional, enable grey-listing, default: [antispam.default_policy_greylist]
 	 * @param boolean $iscatchall
 	 *            optional
 	 * @param string $description
@@ -282,12 +305,26 @@ class Emails extends ApiCommand implements ResourceEntity

 		// parameters
 		$spam_tag_level = $this->getParam('spam_tag_level', true, $result['spam_tag_level']);
-		$spam_kill_level = $this->getParam('spam_kill_level', true, $result['spam_kill_level']);
-		$bypass_spam = $this->getBoolParam('bypass_spam', true, $result['bypass_spam']);
-		$policy_greylist = $this->getBoolParam('policy_greylist', true, $result['policy_greylist']);
+		$spam_kill_level = $this->getUlParam('spam_kill_level', 'spam_kill_level_ul', true, $result['spam_kill_level']);
 		$iscatchall = $this->getBoolParam('iscatchall', true, $result['iscatchall']);
 		$description = $this->getParam('description', true, $result['description']);

+		if ((int)Settings::Get('antispam.default_spam_rewrite_subject') <= 2) {
+			$rewrite_subject = $this->getBoolParam('rewrite_subject', true, $result['rewrite_subject']);
+		} else {
+			$rewrite_subject = (int)Settings::Get('antispam.default_spam_rewrite_subject') == 3 ? 1 : 0;
+		}
+		if ((int)Settings::Get('antispam.default_bypass_spam') <= 2) {
+			$bypass_spam = $this->getBoolParam('bypass_spam', true, $result['bypass_spam']);
+		} else {
+			$bypass_spam = (int)Settings::Get('antispam.default_bypass_spam') == 3 ? 1 : 0;
+		}
+		if ((int)Settings::Get('antispam.default_policy_greylist') <= 2) {
+			$policy_greylist = $this->getBoolParam('policy_greylist', true, $result['policy_greylist']);
+		} else {
+			$policy_greylist = (int)Settings::Get('antispam.default_policy_greylist') == 3 ? 1 : 0;
+		}
+
 		// if enabling catchall is not allowed by settings, we do not need
 		// to run update()
 		if ($iscatchall && $result['iscatchall'] == 0 && Settings::Get('catchall.catchall_enabled') != '1') {
@@ -326,13 +363,16 @@ class Emails extends ApiCommand implements ResourceEntity
 		}

 		$spam_tag_level = Validate::validate($spam_tag_level, 'spam_tag_level', '/^\d{1,}(\.\d{1,2})?$/', '', [7.0], true);
-		$spam_kill_level = Validate::validate($spam_kill_level, 'spam_kill_level', '/^\d{1,}(\.\d{1,2})?$/', '', [14.0], true);
+		if ($spam_kill_level > -1) {
+			$spam_kill_level = Validate::validate($spam_kill_level, 'spam_kill_level', '/^\d{1,}(\.\d{1,2})?$/', '', [14.0], true);
+		}
 		$description = Validate::validate(trim($description), 'description', Validate::REGEX_DESC_TEXT, '', [], true);

 		$stmt = Database::prepare("
 			UPDATE `" . TABLE_MAIL_VIRTUAL . "` SET
 			`email` = :email ,
 			`spam_tag_level` = :spam_tag_level,
+			`rewrite_subject` = :rewrite_subject,
 			`spam_kill_level` = :spam_kill_level,
 			`bypass_spam` = :bypass_spam,
 			`policy_greylist` = :policy_greylist,
@@ -343,6 +383,7 @@ class Emails extends ApiCommand implements ResourceEntity
 		$params = [
 			"email" => $email,
 			"spam_tag_level" => $spam_tag_level,
+			"rewrite_subject" => $rewrite_subject,
 			"spam_kill_level" => $spam_kill_level,
 			"bypass_spam" => $bypass_spam,
 			"policy_greylist" => $policy_greylist,
@@ -396,7 +437,10 @@ class Emails extends ApiCommand implements ResourceEntity
 			LEFT JOIN `" . TABLE_MAIL_USERS . "` u ON (m.`popaccountid` = u.`id`)
 			WHERE m.`customerid` IN (" . implode(", ", $customer_ids) . ")" . $this->getSearchWhere($query_fields, true) . $this->getOrderBy() . $this->getLimit());
 		Database::pexecute($result_stmt, $query_fields, true, true);
+		$idna_convert = new IdnaWrapper();
 		while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
+			$row['email'] = $idna_convert->decode($row['email']);
+			$row['email_full'] = $idna_convert->decode($row['email_full']);
 			$result[] = $row;
 		}
 		$this->logger()->logAction($this->isAdmin() ? FroxlorLogger::ADM_ACTION : FroxlorLogger::USR_ACTION, LOG_INFO, "[API] list email-addresses");
--- a/lib/Froxlor/Api/Commands/Ftps.php
+++ b/lib/Froxlor/Api/Commands/Ftps.php
@@ -288,7 +288,7 @@ class Ftps extends ApiCommand implements ResourceEntity
 					try {
 						$this->mailer()->Subject = $mail_subject;
 						$this->mailer()->AltBody = $mail_body;
-						$this->mailer()->msgHTML(str_replace("\n", "<br />", $mail_body));
+						$this->mailer()->Body = str_replace("\n", "<br />", $mail_body);
 						$this->mailer()->addAddress($customer['email'], User::getCorrectUserSalutation($customer));
 						$this->mailer()->send();
 					} catch (\PHPMailer\PHPMailer\Exception $e) {
--- a/lib/Froxlor/Api/Commands/Mysqls.php
+++ b/lib/Froxlor/Api/Commands/Mysqls.php
@@ -113,9 +113,9 @@ class Mysqls extends ApiCommand implements ResourceEntity
 				if (strlen($newdb_params['loginname'] . '_' . $databasename) > Database::getSqlUsernameLength()) {
 					throw new Exception("Database name cannot be longer than " . (Database::getSqlUsernameLength() - strlen($newdb_params['loginname'] . '_')) . " characters.", 406);
 				}
-				$username = $dbm->createDatabase($newdb_params['loginname'] . '_' . $databasename, $password, $dbserver);
+				$username = $dbm->createDatabase($newdb_params['loginname'] . '_' . $databasename, $password, $dbserver, 0, $newdb_params['loginname']);
 			} else {
-				$username = $dbm->createDatabase($newdb_params['loginname'], $password, $dbserver, $newdb_params['mysql_lastaccountnumber']);
+				$username = $dbm->createDatabase($newdb_params['loginname'], $password, $dbserver, $newdb_params['mysql_lastaccountnumber'], $newdb_params['loginname']);
 			}

 			// we've checked against the password in dbm->createDatabase
@@ -184,7 +184,7 @@ class Mysqls extends ApiCommand implements ResourceEntity
 				try {
 					$this->mailer()->Subject = $mail_subject;
 					$this->mailer()->AltBody = $mail_body;
-					$this->mailer()->msgHTML(str_replace("\n", "<br />", $mail_body));
+					$this->mailer()->Body = str_replace("\n", "<br />", $mail_body);
 					$this->mailer()->addAddress($userinfo['email'], User::getCorrectUserSalutation($userinfo));
 					$this->mailer()->send();
 				} catch (\PHPMailer\PHPMailer\Exception $e) {
@@ -541,7 +541,7 @@ class Mysqls extends ApiCommand implements ResourceEntity
 		// Begin root-session
 		Database::needRoot(true, $result['dbserver'], false);
 		$dbm = new DbManager($this->logger());
-		$dbm->getManager()->deleteDatabase($result['databasename']);
+		$dbm->getManager()->deleteDatabase($result['databasename'], $customer['loginname']);
 		Database::needRoot(false);
 		// End root-session

--- a/lib/Froxlor/Api/Commands/SubDomains.php
+++ b/lib/Froxlor/Api/Commands/SubDomains.php
@@ -503,8 +503,7 @@ class SubDomains extends ApiCommand implements ResourceEntity
 			$this->logger()->logAction($this->isAdmin() ? FroxlorLogger::ADM_ACTION : FroxlorLogger::USR_ACTION, LOG_INFO, "[API] get subdomain '" . $result['domain'] . "'");
 			return $this->response($result);
 		}
-		$key = ($id > 0 ? "id #" . $id : "domainname '" . $domainname . "'");
-		throw new Exception("Subdomain with " . $key . " could not be found", 404);
+		throw new Exception("Requested subdomain could not be found", 404);
 	}

 	private function getHasCertValueForDomain(int $domainid, int $parentdomainid): int
@@ -550,32 +549,33 @@ class SubDomains extends ApiCommand implements ResourceEntity
 	 */
 	private function validateDomainDocumentRoot($path = null, $url = null, $customer = null, $completedomain = null, &$_doredirect = false)
 	{
-		// check whether an URL was specified
 		$_doredirect = false;
-		if (!empty($url) && Validate::validateUrl($url, true)) {
-			$path = $url;
+		$idna = new IdnaWrapper();
+
+		// url mode: either $url or $path begins with http:// or https://
+		$maybeUrl = !empty($url) ? $url : (preg_match('/^https?\:\/\//', $path) ? $path : '');
+		if ($maybeUrl !== '') {
+			$encoded = $idna->encode($maybeUrl);
+			if (!Validate::validateUrl($encoded, true)) {
+				Response::standardError('invaliddocumentrooturl', '', true);
+			}
 			$_doredirect = true;
-		} else {
-			$path = Validate::validate($path, 'path', '', '', [], true);
+			return $encoded;
 		}

-		// check whether path is a real path
-		if (!preg_match('/^https?\:\/\//', $path) || !Validate::validateUrl($path, true)) {
-			if (strstr($path, ":") !== false) {
-				Response::standardError('pathmaynotcontaincolon', '', true);
-			}
-			// If path is empty or '/' and 'Use domain name as default value for DocumentRoot path' is enabled in settings,
-			// set default path to subdomain or domain name
-			if ((($path == '') || ($path == '/')) && Settings::Get('system.documentroot_use_default_value') == 1) {
-				$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $completedomain, $customer['documentroot']);
-			} else {
-				$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);
-			}
-		} else {
-			// no it's not, create a redirect
-			$_doredirect = true;
+		// path mode: regular directory path
+		$path = Validate::validate($path, 'path', Validate::REGEX_DIR, '', [], true);
+
+		// default path if empty and setting active
+		if (($path === '' || $path === '/') && Settings::Get('system.documentroot_use_default_value') == 1) {
+			return FileDir::makeCorrectDir($customer['documentroot'] . '/' . $completedomain, $customer['documentroot']);
 		}
-		return $path;
+		// check if path does not contain a colon
+		if (strpos($path, ':') !== false) {
+			Response::standardError('pathmaynotcontaincolon', '', true);
+		}
+
+		return FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);
 	}

 	/**
--- a/lib/Froxlor/Api/Commands/SysLog.php
+++ b/lib/Froxlor/Api/Commands/SysLog.php
@@ -225,7 +225,7 @@ class SysLog extends ApiCommand implements ResourceEntity
 			}
 			$params['trunc'] = $truncatedate;
 			Database::pexecute($result_stmt, $params, true, true);
-			$this->logger()->logAction($this->isAdmin() ? FroxlorLogger::ADM_ACTION : FroxlorLogger::USR_ACTION, LOG_WARNING, "[API] truncated the froxlor syslog");
+			$this->logger()->logAction(FroxlorLogger::ADM_ACTION, LOG_WARNING, "[API] truncated the froxlor syslog");
 			return $this->response(true);
 		}
 		throw new Exception("Not allowed to execute given command.", 403);
--- a/lib/Froxlor/Api/Response.php
+++ b/lib/Froxlor/Api/Response.php
@@ -34,7 +34,9 @@ class Response

 	public static function jsonResponse($data = null, int $response_code = 200)
 	{
-		http_response_code($response_code);
+		if (!defined('TRAVIS_CI') || TRAVIS_CI == 0) {
+			http_response_code($response_code);
+		}

 		return json_encode($data, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
 	}
--- a/lib/Froxlor/Cli/ConfigServices.php
+++ b/lib/Froxlor/Cli/ConfigServices.php
@@ -217,6 +217,10 @@ final class ConfigServices extends CliCommand
 		$_daemons_config['distro'] = $io->choice('Choose distribution', $valid_dists, $os_default);

 		// go through all services and let user check whether to include it or not
+		if (empty($_daemons_config['distro']) || !file_exists($config_dir . '/' . $_daemons_config['distro']. ".xml")) {
+			$output->writeln('<error>Empty or non-existing distribution given.</>');
+			return self::INVALID;
+		}
 		$configfiles = new ConfigParser($config_dir . '/' . $_daemons_config['distro'] . ".xml");
 		$services = $configfiles->getServices();

@@ -352,8 +356,13 @@ final class ConfigServices extends CliCommand
 		}

 		if (!empty($decoded_config)) {
+
 			$config_dir = Froxlor::getInstallDir() . 'lib/configfiles/';
-			$configfiles = new ConfigParser($config_dir . '/' . $decoded_config['distro'] . ".xml");
+			if (empty($decoded_config['distro']) || !file_exists($config_dir . '/' . $decoded_config['distro']. ".xml")) {
+				$output->writeln('<error>Empty or non-existing distribution given. Please login with an admin, go to "System -> Configuration" and select your correct distribution in the top-right corner or specify valid distribution name for "distro" parameter.</>');
+				return self::INVALID;
+			}
+			$configfiles = new ConfigParser($config_dir . '/' . $decoded_config['distro']. ".xml");
 			$services = $configfiles->getServices();
 			$replace_arr = $this->getReplacerArray();

--- a/lib/Froxlor/Cli/MasterCron.php
+++ b/lib/Froxlor/Cli/MasterCron.php
@@ -80,6 +80,7 @@ final class MasterCron extends CliCommand
 				Cronjob::inserttask(TaskId::REBUILD_RSPAMD);
 				Cronjob::inserttask(TaskId::CREATE_QUOTA);
 				Cronjob::inserttask(TaskId::REBUILD_CRON);
+				Cronjob::inserttask(TaskId::UPDATE_LE_SERVICES);
 				$jobs[] = 'tasks';
 			}
 			define('CRON_IS_FORCED', 1);
@@ -214,9 +215,14 @@ final class MasterCron extends CliCommand

 		if (file_exists($this->lockFile)) {
 			$jobinfo = json_decode(file_get_contents($this->lockFile), true);
-			$check_pid_return = null;
-			// get status of process
-			system("kill -CHLD " . (int)$jobinfo['pid'] . " 1> /dev/null 2> /dev/null", $check_pid_return);
+			if ($jobinfo === false || !is_array($jobinfo)) {
+				// looks like an invalid lockfile
+				$check_pid_return = 1;
+			} else {
+				$check_pid_return = null;
+				// get status of process
+				system("kill -CHLD " . (int)$jobinfo['pid'] . " 1> /dev/null 2> /dev/null", $check_pid_return);
+			}
 			if ($check_pid_return == 1) {
 				// Process does not seem to run, most likely it has died
 				$this->unlockJob();
--- a/lib/Froxlor/Cli/RunApiCommand.php
+++ b/lib/Froxlor/Cli/RunApiCommand.php
@@ -42,7 +42,7 @@ final class RunApiCommand extends CliCommand
 		$this->setDescription('Run an API command as given user');
 		$this->addArgument('user', InputArgument::REQUIRED, 'Loginname of the user you want to run the command as')
 			->addArgument('api-command', InputArgument::REQUIRED, 'The command to execute in the form "Module.function"')
-			->addArgument('parameters', InputArgument::OPTIONAL, 'Paramaters to pass to the command as JSON array');
+			->addArgument('parameters', InputArgument::OPTIONAL, 'Parameters to pass to the command as JSON array');
 		$this->addOption('show-params', 's', InputOption::VALUE_NONE, 'Show possible parameters for given api-command (given command will *not* be called)');
 	}

--- a/lib/Froxlor/Cli/UpdateCommand.php
+++ b/lib/Froxlor/Cli/UpdateCommand.php
@@ -28,13 +28,17 @@ namespace Froxlor\Cli;
 use Exception;
 use Froxlor\Froxlor;
 use Froxlor\Install\AutoUpdate;
+use Froxlor\Install\Preconfig;
 use Froxlor\Install\Update;
 use Froxlor\Settings;
 use Froxlor\System\Mailer;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Question\ChoiceQuestion;
 use Symfony\Component\Console\Question\ConfirmationQuestion;
+use Symfony\Component\Console\Question\Question;
+use Symfony\Component\Console\Style\SymfonyStyle;

 final class UpdateCommand extends CliCommand
 {
@@ -44,6 +48,8 @@ final class UpdateCommand extends CliCommand
 		$this->setName('froxlor:update');
 		$this->setDescription('Check for newer version and update froxlor');
 		$this->addOption('check-only', 'c', InputOption::VALUE_NONE, 'Only check for newer version and exit')
+			->addOption('show-update-options', 'o', InputOption::VALUE_NONE, 'Show possible update option parameter for the update if any. Only usable in combination with "check-only".')
+			->addOption('update-options', 'O', InputOption::VALUE_IS_ARRAY | InputOption::VALUE_REQUIRED, 'Parameter list of update options.')
 			->addOption('database', 'd', InputOption::VALUE_NONE, 'Only run database updates in case updates are done via apt or manually.')
 			->addOption('mail-notify', 'm', InputOption::VALUE_NONE, 'Additionally inform administrator via email if a newer version was found')
 			->addOption('yes-to-all', 'A', InputOption::VALUE_NONE, 'Do not ask for download, extract and database-update, just do it (if not --check-only is set)')
@@ -63,9 +69,13 @@ final class UpdateCommand extends CliCommand
 					$output->writeln('<info>' . lng('update.dbupdate_required') . '</>');
 					if ($input->getOption('check-only')) {
 						$output->writeln('<comment>Doing nothing because of "check-only" flag.</>');
+						$this->askUpdateOptions($input, $output, null, false);
 					} else {
 						$yestoall = $input->getOption('yes-to-all') !== false;
 						$helper = $this->getHelper('question');
+
+						$this->askUpdateOptions($input, $output, $helper, $yestoall);
+
 						$question = new ConfirmationQuestion('Update database? [no] ', false, '/^(y|j)/i');
 						if ($yestoall || $helper->ask($input, $output, $question)) {
 							$result = $this->runUpdate($output, true);
@@ -73,7 +83,7 @@ final class UpdateCommand extends CliCommand
 					}
 					return $result;
 				}
-				$output->writeln('<info>' . lng('update.noupdatesavail', (Settings::Get('system.update_channel') == 'testing' ? lng('serversettings.uc_testing') . ' ' : '')) . '</>');
+				$output->writeln('<info>' . lng('update.noupdatesavail', [(Settings::Get('system.update_channel') == 'testing' ? lng('serversettings.uc_testing') . ' ' : '')]) . '</>');
 			}
 			return $result;
 		}
@@ -101,7 +111,7 @@ final class UpdateCommand extends CliCommand
 					}
 					// there is a new version
 					if ($input->getOption('check-only')) {
-						$text = lng('update.uc_newinfo', [(Settings::Get('system.update_channel') != 'stable' ? Settings::Get('system.update_channel').' ' : ''), AutoUpdate::getFromResult('version'), Froxlor::VERSION]);
+						$text = lng('update.uc_newinfo', [(Settings::Get('system.update_channel') != 'stable' ? Settings::Get('system.update_channel') . ' ' : ''), AutoUpdate::getFromResult('version'), Froxlor::VERSION]);
 					} else {
 						$text = lng('admin.newerversionavailable') . ' ' . lng('admin.newerversiondetails', [AutoUpdate::getFromResult('version'), Froxlor::VERSION]);
 					}
@@ -152,6 +162,7 @@ final class UpdateCommand extends CliCommand
 			// check whether we only wanted to check
 			if ($input->getOption('check-only')) {
 				//$output->writeln('<comment>Not proceeding as "check-only" is specified</>');
+				$this->askUpdateOptions($input, $output, null, false);
 				return $result;
 			} else {
 				$yestoall = $input->getOption('yes-to-all') !== false;
@@ -174,9 +185,13 @@ final class UpdateCommand extends CliCommand
 							if ($auex == 0) {
 								$output->writeln("<info>Froxlor files updated successfully.</>");
 								$result = self::SUCCESS;
+
+								$this->askUpdateOptions($input, $output, $helper, $yestoall);
+
 								$question = new ConfirmationQuestion('Update database? [no] ', false, '/^(y|j)/i');
 								if ($yestoall || $helper->ask($input, $output, $question)) {
-									$result = $this->runUpdate($output, true);
+									// run in separate process to ensure the use of newly unpacked files
+									passthru(Froxlor::getInstallDir() . '/bin/froxlor-cli froxlor:update -dA', $result);
 								}
 							} else {
 								$errmsg = 'error.autoupdate_' . $auex;
@@ -195,12 +210,141 @@ final class UpdateCommand extends CliCommand
 		return $result;
 	}

+	/**
+	 * @param InputInterface $input
+	 * @param OutputInterface $output
+	 * @param $helper
+	 * @param bool $yestoall
+	 * @return void
+	 */
+	private function askUpdateOptions(InputInterface $input, OutputInterface $output, $helper, bool $yestoall = false)
+	{
+		// check for preconfigs
+		$preconfig = Preconfig::getPreConfig(true);
+		$show_options_only = $input->getOption('show-update-options') !== false;
+		if (!is_null($helper) && $show_options_only) {
+			$output->writeln('<comment>Unsetting "show-update-options" due to not being called with "check-only".</>');
+			$show_options_only = false;
+		}
+		$update_options = [];
+		// set parameters
+		$uOptions = $input->getOption('update-options');
+		if (!empty($uOptions)) {
+			$options_value = [];
+			foreach ($uOptions as $givenOption) {
+				$optVal = explode("=", $givenOption);
+				if (count($optVal) == 2) {
+					$options_value[$optVal[0]] = $optVal[1];
+				}
+			}
+		}
+		if (!empty($preconfig)) {
+			krsort($preconfig);
+			foreach ($preconfig as $section) {
+				if (!$show_options_only) {
+					$output->writeln("<info>Updater questions for " . $section['title'] . "</>");
+				}
+				foreach ($section['fields'] as $update_field => $metainfo) {
+					if (isset($options_value[$update_field])) {
+						$output->writeln('Setting given parameter "' . $update_field . '" to "' . $options_value[$update_field] . '"');
+						$_POST[$update_field] = $options_value[$update_field];
+						continue;
+					}
+					$default = null;
+					$question_text = html_entity_decode(strip_tags($metainfo['label']), ENT_QUOTES | ENT_IGNORE, "UTF-8");
+					if ($metainfo['type'] == 'checkbox') {
+						$default = (int)$metainfo['checked'];
+						if ($show_options_only) {
+							$update_options[] = [
+								'name' => $update_field,
+								'question' => $question_text,
+								'default' => $default,
+								'choices' => '0: No' . PHP_EOL . '1: Yes' . PHP_EOL
+							];
+						} else {
+							$question = new ConfirmationQuestion($question_text . ' [' . ($metainfo['checked'] ? 'yes' : 'no') . '] ', (bool)$metainfo['checked'], '/^(y|j)/i');
+						}
+					} elseif ($metainfo['type'] == 'select') {
+						$default = $metainfo['selected'];
+						$choices = "";
+						foreach (array_values($metainfo['select_var'] ?? []) as $index => $choice) {
+							$choices .= $index . ': ' . $choice . PHP_EOL;
+						}
+						if ($show_options_only) {
+							$update_options[] = [
+								'name' => $update_field,
+								'question' => $question_text,
+								'default' => !empty($default) ? $default : '-',
+								'choices' => $choices
+							];
+						} else {
+							$question = new ChoiceQuestion(
+								$question_text,
+								array_values($metainfo['select_var'] ?? []),
+								$metainfo['selected']
+							);
+							$question->setValidator(function ($answer) use ($metainfo): string {
+								$key = array_keys($metainfo['select_var'])[(int)$answer] ?? false; // Find the key based on the selected value
+								if ($key === false) {
+									throw new \RuntimeException('Invalid selection.');
+								}
+								return $key;
+							});
+						}
+					} elseif ($metainfo['type'] == 'text') {
+						$default = $metainfo['value'] ?? '';
+						if ($show_options_only) {
+							$update_options[] = [
+								'name' => $update_field,
+								'question' => $question_text,
+								'default' => $default,
+								'choices' => PHP_EOL
+							];
+						} else {
+							$question = new Question($question_text . (!empty($metainfo['value']) ? ' [' . $metainfo['value'] . ']' : ''), $default);
+							$question->setValidator(function (string $answer) use ($metainfo): string {
+								if (($metainfo['mandatory'] ?? false) && empty($answer)) {
+									throw new \RuntimeException(
+										'Answer cannot be empty'
+									);
+								}
+								if (!empty($metainfo['pattern'] ?? "") && !preg_match("/" . $metainfo['pattern'] . "/", $answer)) {
+									throw new \RuntimeException('Answer does not seem to be in valid format');
+								}
+								return $answer;
+							});
+						}
+					} else {
+						$output->writeln("<error>Unknown type " . $metainfo['type'] . "</error>");
+						continue;
+					}
+
+					if (!$show_options_only) {
+						if ($yestoall) {
+							$_POST[$update_field] = $default;
+						} else {
+							$_POST[$update_field] = $helper->ask($input, $output, $question);
+						}
+					}
+				}
+			}
+
+			if ($show_options_only) {
+				$io = new SymfonyStyle($input, $output);
+				$io->table(
+					['Parameter', 'Description', 'Default', 'Choices'],
+					$update_options
+				);
+			}
+		}
+	}
+
 	private function mailNotify(InputInterface $input, OutputInterface $output)
 	{
 		if ($input->getOption('mail-notify')) {
 			$last_check_version = Settings::Get('system.update_notify_last');
 			if (Update::versionInUpdate($last_check_version, AutoUpdate::getFromResult('version'))) {
-				$text = lng('update.uc_newinfo', [(Settings::Get('system.update_channel') != 'stable' ? Settings::Get('system.update_channel').' ' : ''), AutoUpdate::getFromResult('version'), Froxlor::VERSION]);
+				$text = lng('update.uc_newinfo', [(Settings::Get('system.update_channel') != 'stable' ? Settings::Get('system.update_channel') . ' ' : ''), AutoUpdate::getFromResult('version'), Froxlor::VERSION]);
 				$mail = new Mailer(true);
 				$mail->Body = $text;
 				$mail->Subject = "[froxlor] " . lng('update.notify_subject');
--- a/lib/Froxlor/Cron/Http/Apache.php
+++ b/lib/Froxlor/Cron/Http/Apache.php
@@ -441,7 +441,7 @@ class Apache extends HttpConfigBase
 								if (!empty(Settings::Get('system.dhparams_file'))) {
 									$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 									if (!file_exists($dhparams)) {
-										FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+										file_put_contents($dhparams, self::FFDHE4096);
 									}
 									$this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
 								}
@@ -754,7 +754,7 @@ class Apache extends HttpConfigBase
 					if (!empty(Settings::Get('system.dhparams_file'))) {
 						$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 						if (!file_exists($dhparams)) {
-							FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+							file_put_contents($dhparams, self::FFDHE4096);
 						}
 						$vhost_content .= '  SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
 					}
--- a/lib/Froxlor/Cron/Http/HttpConfigBase.php
+++ b/lib/Froxlor/Cron/Http/HttpConfigBase.php
@@ -45,6 +45,26 @@ use PDO;
 class HttpConfigBase
 {

+	/**
+	 * Pre-defined DHE groups to use as fallback if dhparams_file
+	 * is given, but non-existent, see also https://github.com/froxlor/Froxlor/issues/1270
+	 */
+	const FFDHE4096 = <<<EOC
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
+EOC;
+
 	public function init()
 	{
 		// if Let's Encrypt is activated, run it before regeneration of webserver configfiles
--- a/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php
+++ b/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php
@@ -69,7 +69,8 @@ class AcmeSh extends FroxlorCron
 	 * run the task
 	 *
 	 * @param bool $internal
-	 * @return number
+	 * @return int
+	 * @throws \Exception
 	 */
 	public static function run(bool $internal = false)
 	{
@@ -85,6 +86,9 @@ class AcmeSh extends FroxlorCron
 			if ($issue_froxlor || !empty($issue_domains) || !empty($renew_froxlor) || $renew_domains) {
 				// insert task to generate certificates and vhost-configs
 				Cronjob::inserttask(TaskId::REBUILD_VHOST);
+				if ($renew_froxlor) {
+					Cronjob::inserttask(TaskId::UPDATE_LE_SERVICES);
+				}
 			}
 			return 0;
 		}
@@ -217,6 +221,7 @@ class AcmeSh extends FroxlorCron
 	 * check whether we need to issue a new certificate for froxlor itself
 	 *
 	 * @return boolean
+	 * @throws \Exception
 	 */
 	private static function issueFroxlorVhost()
 	{
@@ -228,9 +233,7 @@ class AcmeSh extends FroxlorCron
 			");
 			$froxlor_ssl = Database::pexecute_first($froxlor_ssl_settings_stmt);
 			// also check for possible existing certificate
-			if (($froxlor_ssl && empty($froxlor_ssl['validtodate']))
-				|| (!$froxlor_ssl && !self::checkFsFilesAreNewer(Settings::Get('system.hostname'), date('Y-m-d H:i:s')))
-			) {
+			if (!$froxlor_ssl || empty($froxlor_ssl['validtodate'])) {
 				return true;
 			}
 		}
@@ -321,10 +324,12 @@ EOC;
 			WHERE
 				dom.`customerid` = cust.`customerid`
 				AND cust.deactivated = 0
+				AND dom.deactivated = 0
 				AND dom.`ssl_enabled` = 1
 				AND dom.`letsencrypt` = 1
 				AND dom.`aliasdomain` IS NULL
 				AND dom.`iswildcarddomain` = 0
+				AND dom.`email_only` = 0
 				AND domssl.`validtodate` IS NULL
 		");
 		$customer_ssl = $certificates_stmt->fetchAll(PDO::FETCH_ASSOC);
@@ -338,6 +343,7 @@ EOC;
 	 * check whether we need to renew-check the certificate for froxlor itself
 	 *
 	 * @return boolean
+	 * @throws \Exception
 	 */
 	private static function renewFroxlorVhost()
 	{
@@ -383,10 +389,13 @@ EOC;
 			WHERE
 				dom.`customerid` = cust.`customerid`
 				AND cust.deactivated = 0
+				AND dom.deactivated = 0
 				AND dom.`ssl_enabled` = 1
 				AND dom.`letsencrypt` = 1
 				AND dom.`aliasdomain` IS NULL
 				AND dom.`iswildcarddomain` = 0
+				AND dom.`email_only` = 0
+				AND dom.`ssl_redirect` != 2
 		");
 		$renew_certs = $certificates_stmt->fetchAll(PDO::FETCH_ASSOC);
 		if ($renew_certs) {
@@ -535,6 +544,7 @@ EOC;
 	 * @param array $domains
 	 * @param int $domain_id
 	 * @param FroxlorLogger $cronlog
+	 * @throws \Exception
 	 */
 	private static function validateDns(array &$domains, $domain_id, &$cronlog)
 	{
@@ -615,27 +625,47 @@ EOC;
 				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, "Successful exit-code returned - storing certificate");
 				$cert_stored = self::certToDb($certrow, $cronlog, $acme_result);

-				if ($cert_stored
-					&& $renew_hook
-					&& !empty(trim(Settings::Get('system.le_renew_services') ?? ""))
-					&& !empty(trim(Settings::Get('system.le_renew_hook') ?? ""))
-				) {
-					$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, "Renew-hook is enabled - adjusting configurations");
+				if ($cert_stored && $renew_hook) {
+					self::renewHookConfigs($cronlog);
+				}
+			}
+		}
+	}

-					$certificate_folder = self::getCertificateFolder(strtolower(Settings::Get('system.hostname')));
-					$fullchain = FileDir::makeCorrectFile($certificate_folder . '/fullchain.cer');
-					$keyfile = FileDir::makeCorrectFile($certificate_folder . '/' . strtolower(Settings::Get('system.hostname')) . '.key');
-					$ca_file = FileDir::makeCorrectFile($certificate_folder . '/ca.cer');
+	public static function renewHookConfigs($cronlog)
+	{
+		if (!empty(trim(Settings::Get('system.le_renew_services') ?? ""))
+			&& !empty(trim(Settings::Get('system.le_renew_hook') ?? ""))
+		) {

-					if (Settings::IsInList('system.le_renew_services', 'postfix')) {
-						// "postconf -e" for postfix
-						FileDir::safe_exec('postconf -e smtpd_tls_cert_file=' . escapeshellarg($fullchain));
-						FileDir::safe_exec('postconf -e smtpd_tls_key_file=' . escapeshellarg($keyfile));
-					}
-					if (Settings::IsInList('system.le_renew_services', 'dovecot')) {
-						// custom config for dovecot
-						$dovecot_conf = '/etc/dovecot/conf.d/99-froxlor.ssl.conf'; // @fixme setting?
-						$ssl_content = <<<EOSSL
+			$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, "Renew-hook is enabled - adjusting configurations");
+
+			$certificate_folder = self::getCertificateFolder(strtolower(Settings::Get('system.hostname')));
+
+			if (empty($certificate_folder)) {
+				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "No certificate folder for '" . Settings::Get('system.hostname') . "' found");
+				return;
+			}
+
+			$fullchain = FileDir::makeCorrectFile($certificate_folder . '/fullchain.cer');
+			$keyfile = FileDir::makeCorrectFile($certificate_folder . '/' . strtolower(Settings::Get('system.hostname')) . '.key');
+			$ca_file = FileDir::makeCorrectFile($certificate_folder . '/ca.cer');
+
+			if (!file_exists($fullchain) || !file_exists($keyfile) || !file_exists($ca_file)) {
+				$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "At least one of the required certificate files for '" . Settings::Get('system.hostname') . "' could not be found");
+				return;
+			}
+
+			$dovecot_conf = '/etc/dovecot/conf.d/99-froxlor.ssl.conf'; // @fixme setting?
+
+			if (Settings::IsInList('system.le_renew_services', 'postfix')) {
+				// "postconf -e" for postfix
+				FileDir::safe_exec('postconf -e smtpd_tls_cert_file=' . escapeshellarg($fullchain));
+				FileDir::safe_exec('postconf -e smtpd_tls_key_file=' . escapeshellarg($keyfile));
+			}
+			if (Settings::IsInList('system.le_renew_services', 'dovecot')) {
+				// custom config for dovecot
+				$ssl_content = <<<EOSSL
 # Autogenerated configuration by froxlor.
 # Do not manually edit this file as it will be overwritten.

@@ -643,33 +673,35 @@ ssl = yes
 ssl_cert = <{$fullchain}
 ssl_key = <{$keyfile}
 EOSSL;
-						file_put_contents($dovecot_conf, $ssl_content);
-					}
-					if (Settings::IsInList('system.le_renew_services', 'proftpd')) {
-						$proftpd_conf = '/etc/proftpd/tls.conf'; // @fixme setting?
-						$rval = false;
-						// ECC certificate or not?
-						if (strpos($certificate_folder, '_ecc') === false) {
-							// comment out ECC related settings
-							FileDir::safe_exec("sed -i.bak 's|^TLSECCertificateFile|# TLSECCertificateFile|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
-							FileDir::safe_exec("sed -i.bak 's|^TLSECCertificateKeyFile|# TLSECCertificateKeyFile|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
-							// add RSA directives
-							FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSRSACertificateFile.*|TLSRSACertificateFile " . $fullchain . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
-							FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSRSACertificateKeyFile.*|TLSRSACertificateKeyFile " . $keyfile . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
-						} else {
-							// comment out RSA related settings
-							FileDir::safe_exec("sed -i.bak 's|^TLSRSACertificateFile|# TLSRSACertificateFile|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
-							FileDir::safe_exec("sed -i.bak 's|^TLSRSACertificateKeyFile|# TLSRSACertificateKeyFile|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
-							// add ECC directives
-							FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSECCertificateFile.*|TLSECCertificateFile " . $fullchain . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
-							FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSECCertificateKeyFile.*|TLSECCertificateKeyFile " . $keyfile . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
-						}
-						FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSCACertificateFile.*|TLSCACertificateFile " . $ca_file . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
-					}
-					// reload the services
-					FileDir::safe_exec(Settings::Get('system.le_renew_hook'));
-				}
+				file_put_contents($dovecot_conf, $ssl_content);
+			} elseif (file_exists($dovecot_conf)) {
+				// safely remove the autogenerated config file
+				unlink($dovecot_conf);
 			}
+			if (Settings::IsInList('system.le_renew_services', 'proftpd')) {
+				$proftpd_conf = '/etc/proftpd/tls.conf'; // @fixme setting?
+				$rval = false;
+				// ECC certificate or not?
+				if (strpos($certificate_folder, '_ecc') === false) {
+					// comment out ECC related settings
+					FileDir::safe_exec("sed -i.bak 's|^TLSECCertificateFile|# TLSECCertificateFile|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
+					FileDir::safe_exec("sed -i.bak 's|^TLSECCertificateKeyFile|# TLSECCertificateKeyFile|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
+					// add RSA directives
+					FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSRSACertificateFile.*|TLSRSACertificateFile " . $fullchain . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
+					FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSRSACertificateKeyFile.*|TLSRSACertificateKeyFile " . $keyfile . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
+				} else {
+					// comment out RSA related settings
+					FileDir::safe_exec("sed -i.bak 's|^TLSRSACertificateFile|# TLSRSACertificateFile|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
+					FileDir::safe_exec("sed -i.bak 's|^TLSRSACertificateKeyFile|# TLSRSACertificateKeyFile|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
+					// add ECC directives
+					FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSECCertificateFile.*|TLSECCertificateFile " . $fullchain . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
+					FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSECCertificateKeyFile.*|TLSECCertificateKeyFile " . $keyfile . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
+				}
+				FileDir::safe_exec("sed -i.bak 's|^#\?\s\?TLSCACertificateFile.*|TLSCACertificateFile " . $ca_file . "|' " . escapeshellarg($proftpd_conf), $rval, ['|', '?']);
+			}
+
+			// reload the services
+			FileDir::safe_exec(Settings::Get('system.le_renew_hook'));
 		}
 	}

--- a/lib/Froxlor/Cron/Http/Lighttpd.php
+++ b/lib/Froxlor/Cron/Http/Lighttpd.php
@@ -273,7 +273,7 @@ class Lighttpd extends HttpConfigBase
 						if (!empty(Settings::Get('system.dhparams_file'))) {
 							$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 							if (!file_exists($dhparams)) {
-								FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+								file_put_contents($dhparams, self::FFDHE4096);
 							}
 							$this->lighttpd_data[$vhost_filename] .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
 							$this->lighttpd_data[$vhost_filename] .= 'ssl.ec-curve = "secp384r1"' . "\n";
@@ -756,7 +756,7 @@ class Lighttpd extends HttpConfigBase
 				if (!empty(Settings::Get('system.dhparams_file'))) {
 					$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 					if (!file_exists($dhparams)) {
-						FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+						file_put_contents($dhparams, self::FFDHE4096);
 					}
 					$ssl_settings .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
 					$ssl_settings .= 'ssl.ec-curve = "secp384r1"' . "\n";
--- a/lib/Froxlor/Cron/Http/Nginx.php
+++ b/lib/Froxlor/Cron/Http/Nginx.php
@@ -399,7 +399,7 @@ class Nginx extends HttpConfigBase
 				if (!empty(Settings::Get('system.dhparams_file'))) {
 					$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 					if (!file_exists($dhparams)) {
-						FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+						file_put_contents($dhparams, self::FFDHE4096);
 					}
 					$sslsettings .= "\t" . 'ssl_dhparam ' . $dhparams . ';' . "\n";
 				}
@@ -435,7 +435,7 @@ class Nginx extends HttpConfigBase
 					$sslsettings .= '";' . "\n";
 				}

-				if ((isset($domain_or_ip['ocsp_stapling']) && $domain_or_ip['ocsp_stapling'] == "1") || (isset($domain_or_ip['letsencrypt']) && $domain_or_ip['letsencrypt'] == "1")) {
+				if ((isset($domain_or_ip['ocsp_stapling']) && $domain_or_ip['ocsp_stapling'] == "1")) {
 					$sslsettings .= "\t" . 'ssl_stapling on;' . "\n";
 					$sslsettings .= "\t" . 'ssl_stapling_verify on;' . "\n";
 					$sslsettings .= "\t" . 'ssl_trusted_certificate ' . FileDir::makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";
--- a/lib/Froxlor/Cron/Http/Php/Fpm.php
+++ b/lib/Froxlor/Cron/Http/Php/Fpm.php
@@ -274,8 +274,8 @@ pm.max_children = 1

 			$fpm_config .= "\n\n";
 			foreach ($phpini_array as $inisection) {
-				$is = explode("=", trim($inisection));
-				if (count($is) !== 2 || empty($is[0])) {
+				$is = explode("=", trim($inisection), 2);
+				if (empty($is[0])) {
 					continue;
 				}
 				foreach ($this->ini as $sec => $possibles) {
--- a/lib/Froxlor/Cron/Mail/Rspamd.php
+++ b/lib/Froxlor/Cron/Mail/Rspamd.php
@@ -55,7 +55,7 @@ class Rspamd

 		// get all email addresses
 		$antispam_stmt = Database::prepare("
-			SELECT email, spam_tag_level, spam_kill_level, bypass_spam, policy_greylist, iscatchall
+			SELECT email, spam_tag_level, rewrite_subject, spam_kill_level, bypass_spam, policy_greylist, iscatchall
 			FROM `" . TABLE_MAIL_VIRTUAL . "`
 			ORDER BY email
 		");
@@ -165,7 +165,7 @@ class Rspamd
 		$this->logger->logAction(FroxlorLogger::CRON_ACTION, LOG_DEBUG, 'Generating antispam config for ' . $email['email']);

 		$email['spam_tag_level'] = floatval($email['spam_tag_level']);
-		$email['spam_kill_level'] = floatval($email['spam_kill_level']);
+		$email['spam_kill_level'] = $email['spam_kill_level'] == -1 ? "null" : floatval($email['spam_kill_level']);
 		$email_id = md5($email['email']);

 		$this->frx_settings_file .= '# Email: ' . $email['email'] . "\n";
@@ -185,7 +185,9 @@ class Rspamd
 				$this->frx_settings_file .= '	apply {' . "\n";
 				$this->frx_settings_file .= '		actions {' . "\n";
 				$this->frx_settings_file .= '			"add header" = ' . $email['spam_tag_level'] . ';' . "\n";
-				$this->frx_settings_file .= '			rewrite_subject = ' . $email['spam_tag_level'] . ';' . "\n";
+				if ((int)$email['rewrite_subject'] == 1) {
+					$this->frx_settings_file .= '			rewrite_subject = ' . ($email['spam_tag_level'] + 0.01) . ';' . "\n";
+				}
 				$this->frx_settings_file .= '			reject = ' . $email['spam_kill_level'] . ';' . "\n";
 				if ($type == 'rcpt' && (int)$email['policy_greylist'] == 0) {
 					$this->frx_settings_file .= '			greylist = null;' . "\n";
--- a/lib/Froxlor/Cron/System/TasksCron.php
+++ b/lib/Froxlor/Cron/System/TasksCron.php
@@ -29,6 +29,7 @@ use Exception;
 use Froxlor\Cron\FroxlorCron;
 use Froxlor\Cron\Http\ConfigIO;
 use Froxlor\Cron\Http\HttpConfigBase;
+use Froxlor\Cron\Http\LetsEncrypt\AcmeSh;
 use Froxlor\Cron\Mail\Rspamd;
 use Froxlor\Cron\TaskId;
 use Froxlor\Database\Database;
@@ -125,6 +126,12 @@ class TasksCron extends FroxlorCron
 				 */
 				FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_NOTICE, "Removing Let's Encrypt entries for domain " . $row['data']['domain']);
 				Domain::doLetsEncryptCleanUp($row['data']['domain']);
+			} elseif ($row['type'] == TaskId::UPDATE_LE_SERVICES) {
+				/**
+				 * TYPE=13 set configuration for selected services regarding the use of Let's Encrypt certificate
+				 */
+				FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_NOTICE, "Updating Let's Encrypt configuration for selected services");
+				AcmeSh::renewHookConfigs(FroxlorLogger::getInstanceOf());
 			}
 		}

@@ -334,10 +341,11 @@ class TasksCron extends FroxlorCron
 				// webserver logs
 				$logsdir = FileDir::makeCorrectFile(Settings::Get('system.logfiles_directory') . '/' . $row['data']['loginname']);

-				if (file_exists($logsdir) && $logsdir != '/' && $logsdir != FileDir::makeCorrectDir(Settings::Get('system.logfiles_directory')) && substr($logsdir, 0, strlen(Settings::Get('system.logfiles_directory'))) == Settings::Get('system.logfiles_directory')) {
+				if (file_exists(dirname($logsdir)) && $logsdir != '/' && $logsdir != FileDir::makeCorrectDir(Settings::Get('system.logfiles_directory')) && substr($logsdir, 0, strlen(Settings::Get('system.logfiles_directory'))) == Settings::Get('system.logfiles_directory')) {
 					// build up wildcard for webX-{access,error}.log{*}
-					$logsdir .= '-*';
-					FileDir::safe_exec('rm -f ' . escapeshellarg($logsdir));
+					$logsdir .= '-*.log';
+					FroxlorLogger::getInstanceOf()->logAction(FroxlorLogger::CRON_ACTION, LOG_NOTICE, 'Running: rm -rf ' .FileDir::makeCorrectFile($logsdir));
+					FileDir::safe_exec('rm -f ' . FileDir::makeCorrectFile($logsdir));
 				}
 			}
 		}
--- a/lib/Froxlor/Cron/TaskId.php
+++ b/lib/Froxlor/Cron/TaskId.php
@@ -87,6 +87,11 @@ final class TaskId
 	 */
 	const DELETE_DOMAIN_SSL = 12;

+	/**
+	 * TYPE=13 set configuration for selected services regarding the use of Let's Encrypt certificate
+	 */
+	const UPDATE_LE_SERVICES = 13;
+
 	/**
 	 * TYPE=20 CUSTUMER DATA DUMP
 	 */
--- a/lib/Froxlor/Cron/Traffic/ReportsCron.php
+++ b/lib/Froxlor/Cron/Traffic/ReportsCron.php
@@ -133,7 +133,9 @@ class ReportsCron extends FroxlorCron
 					$_mailerror = false;
 					$mailerr_msg = "";
 					try {
-						$mail->SetFrom($row['adminmail'], $row['adminname']);
+						$mail->setFrom(Settings::Get('panel.adminmail'), $row['adminname']);
+						$mail->clearReplyTos();
+						$mail->addReplyTo($row['adminmail'], $row['adminname']);
 						$mail->Subject = $mail_subject;
 						$mail->AltBody = $mail_body;
 						$mail->MsgHTML(nl2br($mail_body));
@@ -405,7 +407,9 @@ class ReportsCron extends FroxlorCron
 					$_mailerror = false;
 					$mailerr_msg = "";
 					try {
-						$mail->SetFrom($row['adminmail'], $row['adminname']);
+						$mail->setFrom(Settings::Get('panel.adminmail'), $row['adminname']);
+						$mail->clearReplyTos();
+						$mail->addReplyTo($row['adminmail'], $row['adminname']);
 						$mail->Subject = $mail_subject;
 						$mail->AltBody = $mail_body;
 						$mail->MsgHTML(nl2br($mail_body));
--- a/lib/Froxlor/Database/Database.php
+++ b/lib/Froxlor/Database/Database.php
@@ -133,7 +133,7 @@ class Database
 	 *            if set to false, the error will be logged, but we go on
 	 * @throws Exception
 	 */
-	private static function showerror(Exception $error, bool $showerror = true, bool $json_response = false, PDOStatement $stmt = null)
+	private static function showerror(Exception $error, bool $showerror = true, bool $json_response = false, ?PDOStatement $stmt = null)
 	{
 		global $userinfo, $theme, $linker;

@@ -377,6 +377,14 @@ class Database
 		self::$link = null;
 	}

+	/**
+	 * get the currently used database-server (relevant for root-connection)
+	 */
+	public static function getServer()
+	{
+		return self::$dbserver;
+	}
+
 	/**
 	 * enable the temporary access to sql-access data
 	 * note: if you want root-sqldata you need to
--- a/lib/Froxlor/Database/DbManager.php
+++ b/lib/Froxlor/Database/DbManager.php
@@ -102,8 +102,26 @@ class DbManager
 			$databases[$databases_row['dbserver']][] = $databases_row['databasename'];
 		}

+		$customers_sel = Database::query("
+			SELECT DISTINCT c.loginname
+			FROM `" . TABLE_PANEL_CUSTOMERS . "` c
+			LEFT JOIN `" . TABLE_PANEL_DATABASES . "` d ON c.customerid = d.customerid
+			WHERE c.deactivated = '0' AND d.id IS NOT NULL
+		");
+		$customers = [];
+		while ($customer = $customers_sel->fetch(\PDO::FETCH_ASSOC)) {
+			$customers[] = $customer['loginname'];
+		}
+
 		$dbservers_stmt = Database::query("SELECT DISTINCT `dbserver` FROM `" . TABLE_PANEL_DATABASES . "`");
 		while ($dbserver = $dbservers_stmt->fetch(PDO::FETCH_ASSOC)) {
+
+			// add all customer loginnames to the $databases array for this database-server to correct
+			// a possible existing global mysql-user for that customer
+			foreach ($customers as $customer) {
+				$databases[$dbserver['dbserver']][] = $customer;
+			}
+
 			// require privileged access for target db-server
 			Database::needRoot(true, $dbserver['dbserver'], false);

@@ -136,6 +154,8 @@ class DbManager

 			$dbm->getManager()->flushPrivileges();
 			Database::needRoot(false);
+
+			unset($databases[$dbserver['dbserver']]);
 		}
 	}

@@ -149,11 +169,12 @@ class DbManager
 	 * @param ?string $password
 	 * @param int $dbserver
 	 * @param int $last_accnumber
+	 * @param ?string $global_user
 	 *
 	 * @return string|bool $username if successful or false of username is equal to the password
 	 * @throws Exception
 	 */
-	public function createDatabase(string $loginname = null, string $password = null, int $dbserver = 0, int $last_accnumber = 0)
+	public function createDatabase(string $loginname = null, string $password = null, int $dbserver = 0, int $last_accnumber = 0, string $global_user = "")
 	{
 		Database::needRoot(true, $dbserver, false);

@@ -184,10 +205,13 @@ class DbManager
 		// and give permission to the user on every access-host we have
 		foreach (array_map('trim', explode(',', Settings::Get('system.mysql_access_host'))) as $mysql_access_host) {
 			$this->getManager()->grantPrivilegesTo($username, $password, $mysql_access_host);
+			if (!empty($global_user)) {
+				$this->getManager()->grantCreateToDb($global_user, $username, $mysql_access_host);
+			}
 		}

 		$this->getManager()->flushPrivileges();
-		Database::needRoot(false);
+		Database::needRoot();

 		$this->log->logAction(FroxlorLogger::USR_ACTION, LOG_INFO, "created database '" . $username . "'");

--- a/lib/Froxlor/Database/Manager/DbManagerMySQL.php
+++ b/lib/Froxlor/Database/Manager/DbManagerMySQL.php
@@ -110,13 +110,18 @@ class DbManagerMySQL
 				"password" => $password
 			]);
 			// grant privileges
+			$grants = "ALL";
+			if ($grant_access_prefix) {
+				$grants = "SELECT, INSERT, UPDATE, DELETE, DROP, INDEX, ALTER";
+			}
 			$stmt = Database::prepare("
-				GRANT ALL ON `" . $username . ($grant_access_prefix ? '%' : '') . "`.* TO :username@:host
+				GRANT " . $grants . " ON `" . $username . ($grant_access_prefix ? '%' : '') . "`.* TO `" . $username . "`@`" . $access_host . "`
 			");
-			Database::pexecute($stmt, [
-				"username" => $username,
-				"host" => $access_host
-			]);
+			Database::pexecute($stmt);
+
+			if ($grant_access_prefix) {
+				$this->grantCreateToCustomerDbs($username, $access_host);
+			}
 		} else {
 			// set password
 			if (version_compare(Database::getAttribute(\PDO::ATTR_SERVER_VERSION), '5.7.6', '<') || version_compare(Database::getAttribute(\PDO::ATTR_SERVER_VERSION), '10.0.0', '>=')) {
@@ -145,9 +150,10 @@ class DbManagerMySQL
 	 * takes away any privileges from a user to that db
 	 *
 	 * @param string $dbname
+	 * @param ?string $global_user
 	 * @throws \Exception
 	 */
-	public function deleteDatabase(string $dbname)
+	public function deleteDatabase(string $dbname, string $global_user = "")
 	{
 		if (version_compare(Database::getAttribute(PDO::ATTR_SERVER_VERSION), '5.0.2', '<')) {
 			// failsafe if user has been deleted manually (requires MySQL 4.1.2+)
@@ -167,11 +173,19 @@ class DbManagerMySQL
 		} else {
 			$drop_stmt = Database::prepare("DROP USER IF EXISTS :dbname@:host");
 		}
+		$rev_stmt = Database::prepare("REVOKE ALL PRIVILEGES ON `" . $dbname . "`.* FROM :guser@:host;");
 		while ($host = $host_res_stmt->fetch(PDO::FETCH_ASSOC)) {
 			Database::pexecute($drop_stmt, [
 				'dbname' => $dbname,
 				'host' => $host['Host']
 			], false);
+
+			if (!empty($global_user)) {
+				Database::pexecute($rev_stmt, [
+					'guser' => $global_user,
+					'host' => $host['Host']
+				], false);
+			}
 		}

 		$drop_stmt = Database::prepare("DROP DATABASE IF EXISTS `" . $dbname . "`");
@@ -187,21 +201,23 @@ class DbManagerMySQL
 	 */
 	public function deleteUser(string $username, string $host)
 	{
-		if (Database::getAttribute(PDO::ATTR_SERVER_VERSION) < '5.0.2') {
-			// Revoke privileges (only required for MySQL 4.1.2 - 5.0.1)
-			$stmt = Database::prepare("REVOKE ALL PRIVILEGES ON * . * FROM `" . $username . "`@`" . $host . "`");
-			Database::pexecute($stmt);
+		if ($this->userExistsOnHost($username, $host)) {
+			if (version_compare(Database::getAttribute(PDO::ATTR_SERVER_VERSION), '5.0.2', '<')) {
+				// Revoke privileges (only required for MySQL 4.1.2 - 5.0.1)
+				$stmt = Database::prepare("REVOKE ALL PRIVILEGES ON * . * FROM `" . $username . "`@`" . $host . "`");
+				Database::pexecute($stmt);
+			}
+			// as of MySQL 5.0.2 this also revokes privileges. (requires MySQL 4.1.2+)
+			if (version_compare(Database::getAttribute(PDO::ATTR_SERVER_VERSION), '5.7.0', '<')) {
+				$stmt = Database::prepare("DROP USER :username@:host");
+			} else {
+				$stmt = Database::prepare("DROP USER IF EXISTS :username@:host");
+			}
+			Database::pexecute($stmt, [
+				"username" => $username,
+				"host" => $host
+			]);
 		}
-		// as of MySQL 5.0.2 this also revokes privileges. (requires MySQL 4.1.2+)
-		if (version_compare(Database::getAttribute(PDO::ATTR_SERVER_VERSION), '5.7.0', '<')) {
-			$stmt = Database::prepare("DROP USER :username@:host");
-		} else {
-			$stmt = Database::prepare("DROP USER IF EXISTS :username@:host");
-		}
-		Database::pexecute($stmt, [
-			"username" => $username,
-			"host" => $host
-		]);
 	}

 	/**
@@ -229,8 +245,15 @@ class DbManagerMySQL
 	{
 		// check whether user exists to avoid errors
 		if ($this->userExistsOnHost($username, $host)) {
-			Database::query('GRANT ALL PRIVILEGES ON `' . $username . ($grant_access_prefix ? '%' : '') . '`.* TO `' . $username . '`@`' . $host . '`');
-			Database::query('GRANT ALL PRIVILEGES ON `' . str_replace('_', '\_', $username) . ($grant_access_prefix ? '%' : '') . '` . * TO `' . $username . '`@`' . $host . '`');
+			$grants = "ALL PRIVILEGES";
+			if ($grant_access_prefix) {
+				$grants = "SELECT, INSERT, UPDATE, DELETE, DROP, INDEX, ALTER";
+			}
+			Database::query('GRANT ' . $grants . ' ON `' . $username . ($grant_access_prefix ? '%' : '') . '`.* TO `' . $username . '`@`' . $host . '`');
+			Database::query('GRANT ' . $grants . ' ON `' . str_replace('_', '\_', $username) . ($grant_access_prefix ? '%' : '') . '` . * TO `' . $username . '`@`' . $host . '`');
+			if ($grant_access_prefix) {
+				$this->grantCreateToCustomerDbs($username, $host);
+			}
 		}
 	}

@@ -290,4 +313,54 @@ class DbManagerMySQL
 		}
 		return $allsqlusers;
 	}
+
+	/**
+	 * grant "CREATE" for prefix user to all existing databases of that customer
+	 *
+	 * @param string $username
+	 * @param string $access_host
+	 * @return void
+	 * @throws \Exception
+	 */
+	private function grantCreateToCustomerDbs(string $username, string $access_host)
+	{
+		// remember what (possible remote) db-server we're on
+		$currentDbServer = Database::getServer();
+		// use "unprivileged" connection
+		Database::needRoot();
+		$cus_stmt = Database::prepare("SELECT customerid FROM `" . TABLE_PANEL_CUSTOMERS . "` WHERE loginname = :username");
+		$cust = Database::pexecute_first($cus_stmt, ['username' => $username]);
+		if ($cust) {
+			$sel_stmt = Database::prepare("SELECT databasename FROM `" . TABLE_PANEL_DATABASES . "` WHERE `customerid` = :cid AND `dbserver` = :dbserver");
+			Database::pexecute($sel_stmt, ['cid' => $cust['customerid'], 'dbserver' => $currentDbServer]);
+			// reset to root-connection for used dbserver
+			Database::needRoot(true, $currentDbServer, false);
+			while ($dbdata = $sel_stmt->fetch(\PDO::FETCH_ASSOC)) {
+				$stmt = Database::prepare("
+					GRANT ALL ON `" . $dbdata['databasename'] . "`.* TO `" . $username . "`@`" . $access_host . "`
+				");
+				Database::pexecute($stmt);
+			}
+		}
+	}
+
+	/**
+	 * grant "CREATE" for prefix user to all existing databases of that customer
+	 *
+	 * @param string $username
+	 * @param string $database
+	 * @param string $access_host
+	 * @return void
+	 * @throws \Exception
+	 */
+	public function grantCreateToDb(string $username, string $database, string $access_host)
+	{
+		// only grant permission if the user exists
+		if ($this->userExistsOnHost($username, $access_host)) {
+			$stmt = Database::prepare("
+				GRANT ALL ON `" . $database . "`.* TO `" . $username . "`@`" . $access_host . "`
+			");
+			Database::pexecute($stmt);
+		}
+	}
 }
--- a/lib/Froxlor/Froxlor.php
+++ b/lib/Froxlor/Froxlor.php
@@ -31,10 +31,10 @@ final class Froxlor
 {

 	// Main version variable
-	const VERSION = '2.2.0-rc3';
+	const VERSION = '2.2.8';

 	// Database version (YYYYMMDDC where C is a daily counter)
-	const DBVERSION = '202407200';
+	const DBVERSION = '202412030';

 	// Distribution branding-tag (used for Debian etc.)
 	const BRANDING = '';
@@ -316,7 +316,7 @@ final class Froxlor
 	 * @param array|null $arr
 	 * @return void
 	 */
-	private static function parseVersionArray(array &$arr = null)
+	private static function parseVersionArray(?array &$arr)
 	{
 		// -dev or -beta or -rc ?
 		if (stripos($arr[count($arr) - 1], '-') !== false) {
--- a/lib/Froxlor/FroxlorLogger.php
+++ b/lib/Froxlor/FroxlorLogger.php
@@ -164,7 +164,7 @@ class FroxlorLogger
 	 * @param int $type
 	 * @param ?string $text
 	 */
-	public function logAction($action = FroxlorLogger::USR_ACTION, int $type = LOG_NOTICE, string $text = null)
+	public function logAction($action = FroxlorLogger::USR_ACTION, int $type = LOG_NOTICE, ?string $text = null)
 	{
 		// not logging normal stuff if not set to "paranoid" logging
 		if (!self::$crondebug_flag && Settings::Get('logger.severity') == '1' && $type > LOG_NOTICE) {
--- a/lib/Froxlor/Install/Preconfig.php
+++ b/lib/Froxlor/Install/Preconfig.php
@@ -85,27 +85,31 @@ class Preconfig
 			}
 		}
 	}
+
 	/**
 	 * Function getPreConfig
 	 *
 	 * outputs various form-field-arrays before the update process
 	 * can be continued (asks for agreement whatever is being asked)
 	 *
+	 * @param bool $no_check
 	 * @return array
 	 */
-	public static function getPreConfig(): array
+	public static function getPreConfig(bool $no_check = false): array
 	{
 		$preconfig = new self();

 		if ($preconfig->hasPreConfig()) {
-			$agree = [
-				'title' => 'Check',
-				'fields' => [
-					'update_changesagreed' => ['mandatory' => true, 'type' => 'checkrequired', 'value' => 1, 'label' => '<strong>I have read the update notifications above and I am aware of the changes made to my system.</strong>'],
-					'update_preconfig' => ['type' => 'hidden', 'value' => 1]
-				]
-			];
-			$preconfig->addToPreConfig($agree);
+			if (!$no_check) {
+				$agree = [
+					'title' => 'Check',
+					'fields' => [
+						'update_changesagreed' => ['mandatory' => true, 'type' => 'checkrequired', 'value' => 1, 'label' => '<strong>I have read the update notifications above and I am aware of the changes made to my system.</strong>'],
+						'update_preconfig' => ['type' => 'hidden', 'value' => 1]
+					]
+				];
+				$preconfig->addToPreConfig($agree);
+			}
 			return $preconfig->getData();
 		}
 		return [];
--- a/lib/Froxlor/MailLogParser.php
+++ b/lib/Froxlor/MailLogParser.php
@@ -104,6 +104,10 @@ class MailLogParser
 			unset($matches);
 			$line = fgets($file_handle);

+			if (strpos($line, 'postfix') === false) {
+				continue;
+			}
+
 			$timestamp = $this->getLogTimestamp($line);
 			if ($this->startTime < $timestamp) {
 				if (preg_match("/postfix\/qmgr.*(?::|\])\s([A-Z\d]+).*from=<?(?:.*\@([a-zA-Z\d\.\-]+))?>?, size=(\d+),/", $line, $matches)) {
@@ -112,7 +116,7 @@ class MailLogParser
 						"domainFrom" => strtolower($matches[2]),
 						"size" => $matches[3]
 					];
-				} elseif (preg_match("/postfix\/(?:pipe|smtp).*(?::|\])\s([A-Z\d]+).*to=<?(?:.*\@([a-zA-Z\d\.\-]+))?>?,/", $line, $matches)) {
+				} elseif (preg_match("/postfix\/(?:pipe|smtp|lmtp).*(?::|\])\s([A-Z\d]+).*to=<?(?:.*\@([a-zA-Z\d\.\-]+))?>?,/", $line, $matches)) {
 					// Postfix to
 					if (array_key_exists($matches[1], $this->mails)) {
 						$this->mails[$matches[1]]["domainTo"] = strtolower($matches[2]);
@@ -149,7 +153,7 @@ class MailLogParser
 	private function getLogTimestamp($line)
 	{
 		$matches = null;
-		if (preg_match("/((?:[A-Z]{3}\s{1,2}\d{1,2}|\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2})/i", $line, $matches)) {
+		if (preg_match("/((?:[A-Z]{3}\s{1,2}\d{1,2}|\d{4}-\d{2}-\d{2}).\d{2}:\d{2}:\d{2})/i", $line, $matches)) {
 			$timestamp = strtotime($matches[1]);
 			if ($timestamp > ($this->startTime + 60 * 60 * 24)) {
 				return strtotime($matches[1] . " -1 year");
@@ -258,6 +262,10 @@ class MailLogParser
 			unset($matches);
 			$line = fgets($file_handle);

+			if (strpos($line, 'dovecot') === false) {
+				continue;
+			}
+
 			$timestamp = $this->getLogTimestamp($line);
 			if ($this->startTime < $timestamp) {
 				if (preg_match("/dovecot.*(?::|\]) imap\(.*@([a-z0-9\.\-]+)\)(<\d+><[a-z0-9+\/=]+>)?:.*(?:in=(\d+) out=(\d+)|bytes=(\d+)\/(\d+))/i", $line, $matches)) {
--- a/lib/Froxlor/PhpHelper.php
+++ b/lib/Froxlor/PhpHelper.php
@@ -199,7 +199,7 @@ class PhpHelper
 	 * @param string|null $nameserver set additional resolver nameserver to use (e.g. 1.1.1.1)
 	 * @return bool|array
 	 */
-	public static function gethostbynamel6(string $host, bool $try_a = true, string $nameserver = null)
+	public static function gethostbynamel6(string $host, bool $try_a = true, ?string $nameserver = null)
 	{
 		$ips = [];

@@ -442,7 +442,7 @@ class PhpHelper
 	 * @param bool $asReturn
 	 * @return string
 	 */
-	public static function parseArrayToPhpFile(array $array, string $comment = null, bool $asReturn = false): string
+	public static function parseArrayToPhpFile(array $array, ?string $comment = null, bool $asReturn = false): string
 	{
 		$str = sprintf("<?php\n// %s\n\n", $comment ?? 'autogenerated froxlor file');

@@ -464,7 +464,7 @@ class PhpHelper
 	 * @param int $depth
 	 * @return string
 	 */
-	public static function parseArrayToString(array $array, string $key = null, int $depth = 1): string
+	public static function parseArrayToString(array $array, ?string $key = null, int $depth = 1): string
 	{
 		$str = '';
 		if (!is_null($key)) {
--- a/lib/Froxlor/Settings/Store.php
+++ b/lib/Froxlor/Settings/Store.php
@@ -125,25 +125,20 @@ class Store
 		}

 		if (count($ids) > 0) {
-			$defaultips_new = explode(',', $newfieldvalue);

-			if (!empty($defaultips_old) && !empty($newfieldvalue)) {
-				$in_value = $defaultips_old . ", " . $newfieldvalue;
-			} elseif (!empty($defaultips_old) && empty($newfieldvalue)) {
-				$in_value = $defaultips_old;
-			} else {
-				$in_value = $newfieldvalue;
+			if (!empty($defaultips_old)) {
+				// Delete the existing mappings linking to default IPs
+				$del_stmt = Database::prepare("
+					DELETE FROM `" . TABLE_DOMAINTOIP . "`
+					WHERE `id_domain` IN (" . implode(', ', $ids) . ")
+					AND `id_ipandports` IN (" . $defaultips_old . ")
+				");
+				Database::pexecute($del_stmt);
 			}

-			// Delete the existing mappings linking to default IPs
-			$del_stmt = Database::prepare("
-				DELETE FROM `" . TABLE_DOMAINTOIP . "`
-				WHERE `id_domain` IN (" . implode(', ', $ids) . ")
-				AND `id_ipandports` IN (" . $in_value . ")
-			");
-			Database::pexecute($del_stmt);
-
+			$defaultips_new = !empty($newfieldvalue) ? explode(",", $newfieldvalue) : [];
 			if (count($defaultips_new) > 0) {
+
 				// Insert the new mappings
 				$ins_stmt = Database::prepare("
 					INSERT INTO `" . TABLE_DOMAINTOIP . "`
@@ -166,6 +161,9 @@ class Store
 	{
 		$defaultips_old = Settings::Get('system.defaultsslip');

+		self::cleanIpSelection($defaultips_old);
+		self::cleanIpSelection($newfieldvalue);
+
 		$returnvalue = self::storeSettingField($fieldname, $fielddata, $newfieldvalue);

 		if ($returnvalue !== false && is_array($fielddata) && isset($fielddata['settinggroup']) && $fielddata['settinggroup'] == 'system' && isset($fielddata['varname']) && $fielddata['varname'] == 'defaultsslip') {
@@ -175,6 +173,14 @@ class Store
 		return $returnvalue;
 	}

+	private static function cleanIpSelection(&$selection)
+	{
+		$selection_arr = array_filter(explode(',', $selection), function ($value) {
+			return !empty($value);
+		});
+		$selection = implode(",", $selection_arr);
+	}
+
 	/**
 	 * updates the setting for the default panel-theme
 	 * and also the user themes (customers and admins) if
@@ -237,6 +243,17 @@ class Store
 		return $returnvalue;
 	}

+	public static function storeSettingFieldInsertUpdateServicesTask($fieldname, $fielddata, $newfieldvalue)
+	{
+		// first save the setting itself
+		$returnvalue = self::storeSettingField($fieldname, $fielddata, $newfieldvalue);
+
+		if ($returnvalue !== false) {
+			Cronjob::inserttask(TaskId::UPDATE_LE_SERVICES);
+		}
+		return $returnvalue;
+	}
+
 	public static function storeSettingHostname($fieldname, $fielddata, $newfieldvalue)
 	{
 		$returnvalue = self::storeSettingField($fieldname, $fielddata, $newfieldvalue);
--- a/lib/Froxlor/System/Cronjob.php
+++ b/lib/Froxlor/System/Cronjob.php
@@ -134,7 +134,7 @@ class Cronjob
 			INSERT INTO `" . TABLE_PANEL_TASKS . "` SET `type` = :type, `data` = :data
 		");

-		if ($type == TaskId::REBUILD_VHOST || $type == TaskId::REBUILD_DNS || $type == TaskId::CREATE_FTP || $type == TaskId::REBUILD_RSPAMD || $type == TaskId::CREATE_QUOTA || $type == TaskId::REBUILD_CRON) {
+		if ($type == TaskId::REBUILD_VHOST || $type == TaskId::REBUILD_DNS || $type == TaskId::CREATE_FTP || $type == TaskId::REBUILD_RSPAMD || $type == TaskId::CREATE_QUOTA || $type == TaskId::REBUILD_CRON || $type == TaskId::UPDATE_LE_SERVICES) {
 			// 4 = bind -> if bind disabled -> no task
 			if ($type == TaskId::REBUILD_DNS && Settings::Get('system.bind_enable') == '0') {
 				return;
@@ -147,6 +147,10 @@ class Cronjob
 			if ($type == TaskId::CREATE_QUOTA && Settings::Get('system.diskquota_enabled') == '0') {
 				return;
 			}
+			// 13 = let's encrypt for services -> if services empty = no task
+			if ($type == TaskId::UPDATE_LE_SERVICES && (Settings::Get('system.le_froxlor_enabled') == '0' || Settings::Get('system.le_renew_services') == '')) {
+				return;
+			}

 			// delete previously inserted tasks if they are the same as we only need ONE
 			$del_stmt = Database::prepare("
--- a/lib/Froxlor/System/Mailer.php
+++ b/lib/Froxlor/System/Mailer.php
@@ -68,9 +68,9 @@ class Mailer extends PHPMailer

 		if (self::ValidateAddress(Settings::Get('panel.adminmail')) !== false) {
 			// set return-to address and custom sender-name, see #76
-			$this->SetFrom(Settings::Get('panel.adminmail'), Settings::Get('panel.adminmail_defname'));
+			$this->setFrom(Settings::Get('panel.adminmail'), Settings::Get('panel.adminmail_defname'));
 			if (Settings::Get('panel.adminmail_return') != '') {
-				$this->AddReplyTo(Settings::Get('panel.adminmail_return'), Settings::Get('panel.adminmail_defname'));
+				$this->addReplyTo(Settings::Get('panel.adminmail_return'), Settings::Get('panel.adminmail_defname'));
 			}
 		}
 	}
--- a/lib/Froxlor/UI/Pagination.php
+++ b/lib/Froxlor/UI/Pagination.php
@@ -162,7 +162,7 @@ class Pagination
 	 *
 	 * @return Pagination
 	 */
-	public function addSearch(string $searchtext = null, string $field = null, string $operator = null): Pagination
+	public function addSearch(?string $searchtext = null, string $field = null, string $operator = null): Pagination
 	{
 		if (!isset($this->data['sql_search'])) {
 			$this->data['sql_search'] = [];
--- a/lib/Froxlor/UI/Panel/UI.php
+++ b/lib/Froxlor/UI/Panel/UI.php
@@ -121,7 +121,7 @@ class UI
 			'domain' => self::getCookieHost(),
 			'secure' => self::requestIsHttps(),
 			'httponly' => true,
-			'samesite' => 'Strict'
+			'samesite' => 'Lax'
 		]);
 		session_start();

--- a/lib/Froxlor/User.php
+++ b/lib/Froxlor/User.php
@@ -152,7 +152,7 @@ class User
 			]);
 			$customer['emails_used_new'] = (int)$customer_emails['number_emails'];

-			$customer_emails_result_stmt = Database::prepare('SELECT `email`, `email_full`, `destination`, `popaccountid` AS `number_email_forwarders` FROM `' . TABLE_MAIL_VIRTUAL . '`
+			$customer_emails_result_stmt = Database::prepare('SELECT `email`, `email_full`, `destination`, `popaccountid` FROM `' . TABLE_MAIL_VIRTUAL . '`
 			WHERE `customerid` = :cid');
 			Database::pexecute($customer_emails_result_stmt, [
 				"cid" => $customer['customerid']
--- a/lib/Froxlor/Validate/Check.php
+++ b/lib/Froxlor/Validate/Check.php
@@ -359,4 +359,41 @@ class Check

 		return [self::FORMFIELDS_PLAUSIBILITY_CHECK_OK];
 	}
+
+	/**
+	 * @param $fieldname
+	 * @param $fielddata
+	 * @param $newfieldvalue
+	 * @param $allnewfieldvalues
+	 * @return array|int[]
+	 * @throws \Exception
+	 */
+	public static function checkSystemUsername($fieldname, $fielddata, $newfieldvalue, $allnewfieldvalues)
+	{
+		if (empty($newfieldvalue) || $fielddata['value'] == $newfieldvalue) {
+			$returnvalue = [
+				self::FORMFIELDS_PLAUSIBILITY_CHECK_OK
+			];
+		} elseif (function_exists('posix_getpwnam') && posix_getpwnam($newfieldvalue) == false) {
+			$returnvalue = [
+				self::FORMFIELDS_PLAUSIBILITY_CHECK_ERROR,
+				'local_user_invalid'
+			];
+		} else {
+			// user exists, but cannot be one of the froxlor-customers
+			$sel_stmt = Database::prepare("SELECT COUNT(*) as numUsers FROM `" . TABLE_PANEL_CUSTOMERS . "` WHERE `loginname` = :username");
+			$result = Database::pexecute_first($sel_stmt, [':username' => $newfieldvalue]);
+			if ($result && $result['numUsers'] > 0) {
+				$returnvalue = [
+					self::FORMFIELDS_PLAUSIBILITY_CHECK_ERROR,
+					'local_user_isfroxloruser'
+				];
+			} else {
+				$returnvalue = [
+					self::FORMFIELDS_PLAUSIBILITY_CHECK_OK
+				];
+			}
+		}
+		return $returnvalue;
+	}
 }
--- a/lib/Froxlor/Validate/Form/Data.php
+++ b/lib/Froxlor/Validate/Form/Data.php
@@ -232,7 +232,7 @@ class Data
 	{
 		$returnvalue = true;

-		if (isset($fielddata['option_mode']) && $fielddata['option_mode'] == 'multiple') {
+		if (isset($fielddata['select_mode']) && $fielddata['select_mode'] == 'multiple') {
 			$options = explode(',', $newfieldvalue);
 			foreach ($options as $option) {
 				$returnvalue = ($returnvalue && isset($fielddata['select_var'][$option]));
@@ -247,7 +247,7 @@ class Data
 			if (isset($fielddata['option_emptyallowed']) && $fielddata['option_emptyallowed']) {
 				return true;
 			}
-			return 'not in option';
+			return 'not in option (field: ' . $fieldname . ')';
 		}
 	}

--- a/lib/Froxlor/Validate/Validate.php
+++ b/lib/Froxlor/Validate/Validate.php
@@ -28,7 +28,6 @@ namespace Froxlor\Validate;
 use Exception;
 use Froxlor\Database\Database;
 use Froxlor\FroxlorLogger;
-use Froxlor\Idna\IdnaWrapper;
 use Froxlor\System\IPTools;
 use Froxlor\UI\Response;

@@ -63,10 +62,11 @@ class Validate
 		string $str,
 		string $fieldname,
 		string $pattern = '',
-		$lng = '',
-		$emptydefault = [],
-		bool $throw_exception = false
-	) {
+			   $lng = '',
+			   $emptydefault = [],
+		bool   $throw_exception = false
+	)
+	{
 		if (!is_array($emptydefault)) {
 			$emptydefault_array = [
 				$emptydefault
@@ -122,14 +122,15 @@ class Validate
 	 */
 	public static function validate_ip2(
 		string $ip,
-		bool $return_bool = false,
+		bool   $return_bool = false,
 		string $lng = 'invalidip',
-		bool $allow_localhost = false,
-		bool $allow_priv = false,
-		bool $allow_cidr = false,
-		bool $cidr_as_netmask = false,
-		bool $throw_exception = false
-	) {
+		bool   $allow_localhost = false,
+		bool   $allow_priv = false,
+		bool   $allow_cidr = false,
+		bool   $cidr_as_netmask = false,
+		bool   $throw_exception = false
+	)
+	{
 		$cidr = "";
 		if ($allow_cidr) {
 			$org_ip = $ip;
@@ -200,20 +201,34 @@ class Validate
 			$url = 'http://' . $url;
 		}

-		// needs converting
-		try {
-			$idna_convert = new IdnaWrapper();
-			$url = $idna_convert->encode($url);
-		} catch (Exception $e) {
+		// Parse parts
+		$parts = parse_url($url);
+		if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
 			return false;
 		}

-		if ($allow_private_ip) {
-			$pattern = '%^(?:(?:https?):\/\/)(?:\S+(?::\S*)?@)?(?:(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$%iuS';
-		} else {
-			$pattern = '%^(?:(?:https?):\/\/)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,})))(?::\d{2,5})?(?:/[^\s]*)?$%iuS';
+		// Check allowed schemes
+		if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
+			return false;
 		}
-		if (preg_match($pattern, $url)) {
+
+		// Check if host is valid domain or valid IP (v4 or v6)
+		$host = $parts['host'];
+		if (substr($host, 0, 1) == '[' && substr($host, -1) == ']') {
+			$host = substr($host, 1, -1);
+		}
+
+		$opts = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE;
+		$opts6 = FILTER_FLAG_IPV6 | FILTER_FLAG_NO_RES_RANGE | FILTER_FLAG_NO_PRIV_RANGE;
+		if ($allow_private_ip) {
+			$opts = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_RES_RANGE;
+			$opts6 = FILTER_FLAG_IPV6 | FILTER_FLAG_NO_RES_RANGE;
+		}
+		if (filter_var($host, FILTER_VALIDATE_IP, $opts)) {
+			return true;
+		} elseif (substr($parts['host'], 0, 1) == '[' && substr($parts['host'], -1) == ']' && filter_var($host, FILTER_VALIDATE_IP, $opts6)) {
+			return true;
+		} elseif (!preg_match('/^([0-9]{1,3}\.)+[0-9]{1,3}$/', $host) && self::validateDomain($host) !== false) {
 			return true;
 		}

@@ -342,7 +357,8 @@ class Validate
 	 * @return bool
 	 * @throws Exception
 	 */
-	public static function validateBase64Image(string $base64string) {
+	public static function validateBase64Image(string $base64string)
+	{

 		if (!extension_loaded('gd')) {
 			Response::standardError('phpgdextensionnotavailable', null, true);
--- a/lib/configfiles/bookworm.xml
+++ b/lib/configfiles/bookworm.xml
@@ -16,7 +16,7 @@
 			<default for="nginx" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/nginx/froxlor-htpasswd/"></default>
 			<default for="nginx" settinggroup="system" varname="apachereload_command" value="service nginx reload"></default>
 			<default for="nginx" settinggroup="system" varname="letsencryptacmeconf" value="/etc/nginx/acme.conf"></default>
-			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/nginx/"></default>
+			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/php/"></default>
 		</defaults>
 		<services>
 			<!-- HTTP -->
@@ -2599,6 +2599,7 @@ try_fallback = true;
 allow_username_mismatch = true;
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+use_esld = false;
 ]]>
 						</content>
 					</file>
@@ -3174,7 +3175,7 @@ no
 						</content>
 					</file>
 					<file name="/etc/pure-ftpd/db/mysql.conf" chown="root:0"
-						chmod="0644" backup="true">
+						chmod="0640" backup="true">
 						<content><![CDATA[
 ##############################################
 #                                            #
--- a/lib/configfiles/bullseye.xml
+++ b/lib/configfiles/bullseye.xml
@@ -16,7 +16,7 @@
 			<default for="nginx" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/nginx/froxlor-htpasswd/"></default>
 			<default for="nginx" settinggroup="system" varname="apachereload_command" value="service nginx reload"></default>
 			<default for="nginx" settinggroup="system" varname="letsencryptacmeconf" value="/etc/nginx/acme.conf"></default>
-			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/nginx/"></default>
+			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/php/"></default>
 		</defaults>
 		<services>
 			<!-- HTTP -->
@@ -4168,6 +4168,7 @@ try_fallback = true;
 allow_username_mismatch = true;
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+use_esld = false;
 ]]>
 							</content>
 						</file>
@@ -4742,7 +4743,7 @@ no
 						</content>
 					</file>
 					<file name="/etc/pure-ftpd/db/mysql.conf" chown="root:0"
-						chmod="0644" backup="true">
+						chmod="0640" backup="true">
 						<content><![CDATA[
 ##############################################
 #                                            #
--- a/lib/configfiles/focal.xml
+++ b/lib/configfiles/focal.xml
@@ -16,7 +16,7 @@
 			<default for="nginx" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/nginx/froxlor-htpasswd/"></default>
 			<default for="nginx" settinggroup="system" varname="apachereload_command" value="service nginx reload"></default>
 			<default for="nginx" settinggroup="system" varname="letsencryptacmeconf" value="/etc/nginx/acme.conf"></default>
-			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/nginx/"></default>
+			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/php/"></default>
 		</defaults>
 		<services>
 			<!-- HTTP -->
@@ -3391,6 +3391,7 @@ try_fallback = true;
 allow_username_mismatch = true;
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+use_esld = false;
 ]]>
 							</content>
 						</file>
@@ -3961,7 +3962,7 @@ no
 						</content>
 					</file>
 					<file name="/etc/pure-ftpd/db/mysql.conf" chown="root:0"
-						chmod="0644" backup="true">
+						chmod="0640" backup="true">
 						<content><![CDATA[
 ##############################################
 #                                            #
--- a/lib/configfiles/jammy.xml
+++ b/lib/configfiles/jammy.xml
@@ -16,7 +16,7 @@
 			<default for="nginx" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/nginx/froxlor-htpasswd/"></default>
 			<default for="nginx" settinggroup="system" varname="apachereload_command" value="service nginx reload"></default>
 			<default for="nginx" settinggroup="system" varname="letsencryptacmeconf" value="/etc/nginx/acme.conf"></default>
-			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/nginx/"></default>
+			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/php/"></default>
 		</defaults>
 		<services>
 			<!-- HTTP -->
@@ -3381,6 +3381,7 @@ try_fallback = true;
 allow_username_mismatch = true;
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+use_esld = false;
 ]]>
 							</content>
 						</file>
@@ -3953,7 +3954,7 @@ no
 						</content>
 					</file>
 					<file name="/etc/pure-ftpd/db/mysql.conf" chown="root:0"
-						chmod="0644" backup="true">
+						chmod="0640" backup="true">
 						<content><![CDATA[
 ##############################################
 #                                            #
--- a/lib/configfiles/noble.xml
+++ b/lib/configfiles/noble.xml
@@ -16,7 +16,7 @@
 			<default for="nginx" settinggroup="system" varname="apacheconf_htpasswddir" value="/etc/nginx/froxlor-htpasswd/"></default>
 			<default for="nginx" settinggroup="system" varname="apachereload_command" value="service nginx reload"></default>
 			<default for="nginx" settinggroup="system" varname="letsencryptacmeconf" value="/etc/nginx/acme.conf"></default>
-			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/nginx/"></default>
+			<default for="nginx" settinggroup="phpfpm" varname="fastcgi_ipcdir" value="/var/run/php/"></default>
 		</defaults>
 		<services>
 			<!-- HTTP -->
@@ -2054,6 +2054,7 @@ try_fallback = true;
 allow_username_mismatch = true;
 path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 selector_map = "/etc/rspamd/dkim_selectors.map";
+use_esld = false;
 ]]>
 							</content>
 						</file>
@@ -2121,7 +2122,7 @@ action = "no action";
 			<service type="ftp" title="{{lng.admin.configfiles.ftp}}">
 				<!-- Proftpd -->
 				<daemon name="proftpd" title="ProFTPd" default="true">
-					<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql proftpd-mod-crypto]]></install>
+					<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql proftpd-mod-crypto proftpd-mod-wrap]]></install>
 					<file name="/etc/proftpd/create-cert.sh" chown="root:0"
 						chmod="0700">
 						<content><![CDATA[#!/bin/bash
@@ -2628,7 +2629,7 @@ no
 						</content>
 					</file>
 					<file name="/etc/pure-ftpd/db/mysql.conf" chown="root:0"
-						chmod="0644" backup="true">
+						chmod="0640" backup="true">
 						<content><![CDATA[
 ##############################################
 #                                            #
--- a/lib/formfields/admin/admin/formfield.admin_add.php
+++ b/lib/formfields/admin/admin/formfield.admin_add.php
@@ -46,7 +46,7 @@ return [
 						'label' => lng('login.password'),
 						'type' => 'password',
 						'mandatory' => true,
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'next_to' => [
 							'admin_password_suggestion' => [
 								'next_to_prefix' => lng('customer.generated_pwd') . ':',
--- a/lib/formfields/admin/admin/formfield.admin_edit.php
+++ b/lib/formfields/admin/admin/formfield.admin_edit.php
@@ -52,7 +52,7 @@ return [
 					'admin_password' => [
 						'label' => lng('login.password') . '&nbsp;(' . lng('panel.emptyfornochanges') . ')',
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'visible' => $result['adminid'] != $userinfo['userid'],
 						'next_to' => [
 							'admin_password_suggestion' => [
--- a/lib/formfields/admin/customer/formfield.customer_add.php
+++ b/lib/formfields/admin/customer/formfield.customer_add.php
@@ -58,7 +58,7 @@ return [
 					'new_customer_password' => [
 						'label' => lng('login.password'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'placeholder' => lng('admin.password_default_msg'),
 						'next_to' => [
 							'new_customer_password_suggestion' => [
--- a/lib/formfields/admin/customer/formfield.customer_edit.php
+++ b/lib/formfields/admin/customer/formfield.customer_edit.php
@@ -63,7 +63,7 @@ return [
 					'new_customer_password' => [
 						'label' => lng('login.password') . '&nbsp;(' . lng('panel.emptyfornochanges') . ')',
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'next_to' => [
 							'new_customer_password_suggestion' => [
 								'next_to_prefix' => lng('customer.generated_pwd') . ':',
--- a/lib/formfields/admin/domains/formfield.domains_add.php
+++ b/lib/formfields/admin/domains/formfield.domains_add.php
@@ -193,7 +193,7 @@ return [
 						'label' => lng('admin.domain_sslenabled'),
 						'type' => 'checkbox',
 						'value' => '1',
-						'checked' => !empty($ssl_ipsandports)
+						'checked' => !empty(Settings::Get('system.defaultsslip'))
 					],
 					'no_ssl_available_info' => [
 						'visible' => empty($ssl_ipsandports),
--- a/lib/formfields/admin/domains/formfield.domains_edit.php
+++ b/lib/formfields/admin/domains/formfield.domains_edit.php
@@ -213,6 +213,10 @@ return [
 						'type' => 'hidden',
 						'value' => '0'
 					],
+					'emaildomainverified' => [
+						'type' => 'hidden',
+						'value' => '0'
+					],
 				]
 			],
 			'section_bssl' => [
@@ -433,34 +437,36 @@ return [
 			'section_d' => [
 				'title' => lng('admin.nameserversettings'),
 				'image' => 'icons/domain_edit.png',
-				'visible' => Settings::Get('system.bind_enable') == '1' && $userinfo['change_serversettings'] == '1',
+				'visible' => ($userinfo['change_serversettings'] == '1' && Settings::Get('system.bind_enable') == '1') || ($result['isemaildomain'] == '1' && (Settings::Get('spf.use_spf') == '1' || Settings::Get('dmarc.use_dmarc') == '1') || Settings::Get('antispam.activated') == '1' && $result['dkim'] == '1' && $result['dkim_pubkey'] != ''),
 				'fields' => [
 					'isbinddomain' => [
+						'visible' => $userinfo['change_serversettings'] == '1' && Settings::Get('system.bind_enable') == '1',
 						'label' => lng('admin.createzonefile'),
 						'type' => 'checkbox',
 						'value' => '1',
 						'checked' => $result['isbinddomain']
 					],
 					'zonefile' => [
+						'visible' => $userinfo['change_serversettings'] == '1' && Settings::Get('system.bind_enable') == '1',
 						'label' => lng('admin.custombindzone'),
 						'desc' => lng('admin.bindzonewarning'),
 						'type' => 'text',
 						'value' => $result['zonefile']
 					],
 					'spf_entry' => [
-						'visible' => (Settings::Get('system.bind_enable') == '0' && Settings::Get('spf.use_spf') == '1' && $result['isemaildomain'] == '1'),
+						'visible' => (Settings::Get('spf.use_spf') == '1' && $result['isemaildomain'] == '1'),
 						'label' => lng('antispam.required_spf_dns'),
 						'type' => 'longtext',
 						'value' => (string)(new \Froxlor\Dns\DnsEntry('@', 'TXT', \Froxlor\Dns\Dns::encloseTXTContent(Settings::Get('spf.spf_entry'))))
 					],
 					'dmarc_entry' => [
-						'visible' => (Settings::Get('system.bind_enable') == '0' && Settings::Get('dmarc.use_dmarc') == '1' && $result['isemaildomain'] == '1'),
+						'visible' => (Settings::Get('dmarc.use_dmarc') == '1' && $result['isemaildomain'] == '1'),
 						'label' => lng('antispam.required_dmarc_dns'),
 						'type' => 'longtext',
 						'value' => (string)(new \Froxlor\Dns\DnsEntry('_dmarc', 'TXT', \Froxlor\Dns\Dns::encloseTXTContent(Settings::Get('dmarc.dmarc_entry'))))
 					],
 					'dkim_entry' => [
-						'visible' => (Settings::Get('system.bind_enable') == '0' && Settings::Get('antispam.activated') == '1' && $result['dkim'] == '1' && $result['dkim_pubkey'] != ''),
+						'visible' => (Settings::Get('antispam.activated') == '1' && $result['dkim'] == '1' && $result['dkim_pubkey'] != ''),
 						'label' => lng('antispam.required_dkim_dns'),
 						'type' => 'longtext',
 						'value' => (string)(new \Froxlor\Dns\DnsEntry('dkim' . $result['dkim_id'] . '._domainkey', 'TXT', \Froxlor\Dns\Dns::encloseTXTContent('v=DKIM1; k=rsa; p='.trim($result['dkim_pubkey']))))
--- a/lib/formfields/customer/email/formfield.emails_accountchangepasswd.php
+++ b/lib/formfields/customer/email/formfield.emails_accountchangepasswd.php
@@ -43,7 +43,7 @@ return [
 					'email_password' => [
 						'label' => lng('login.password'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'next_to' => [
 							'email_password_suggestion' => [
 								'next_to_prefix' => lng('customer.generated_pwd') . ':',
--- a/lib/formfields/customer/email/formfield.emails_addaccount.php
+++ b/lib/formfields/customer/email/formfield.emails_addaccount.php
@@ -43,7 +43,7 @@ return [
 					'email_password' => [
 						'label' => lng('login.password'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'mandatory' => true,
 						'next_to' => [
 							'email_password_suggestion' => [
--- a/lib/formfields/customer/email/formfield.emails_edit.php
+++ b/lib/formfields/customer/email/formfield.emails_edit.php
@@ -89,56 +89,49 @@ return [
 							]
 						]
 					],
-					'mail_catchall' => [
+					'iscatchall' => [
+						'visible' => Settings::Get('catchall.catchall_enabled') == '1',
 						'label' => lng('emails.catchall'),
-						'type' => 'label',
-						'value' => ((int)$result['iscatchall'] == 0 ? lng('panel.no') : lng('panel.yes')),
-						'next_to' => [
-							'add_link' => [
-								'type' => 'link',
-								'href' => $filename . '?page=' . $page . '&amp;domainid=' . $result['domainid'] . '&amp;action=togglecatchall&amp;id=' . $result['id'],
-								'label' => '<i class="fa-solid fa-arrow-right-arrow-left"></i> ' . lng('panel.toggle'),
-								'classes' => 'btn btn-sm btn-secondary'
-							]
-						]
-					],
-					'spam_tag_level' => [
-						'label' => lng('antispam.spam_tag_level'),
-						'type' => 'text',
-						'string_regexp' => '/^\d{1,}(\.\d{1,2})?$/',
-						'value' => $result['spam_tag_level']
-					],
-					'spam_kill_level' => [
-						'label' => lng('antispam.spam_kill_level'),
-						'type' => 'text',
-						'string_regexp' => '/^\d{1,}(\.\d{1,2})?$/',
-						'value' => $result['spam_kill_level']
+						'type' => 'checkbox',
+						'value' => '1',
+						'checked' => (int)$result['iscatchall'],
 					],
 					'bypass_spam' => [
+						'visible' => Settings::Get('antispam.activated') == '1' && (int)Settings::Get('antispam.default_bypass_spam') <= 2,
 						'label' => lng('antispam.bypass_spam'),
-						'type' => 'label',
-						'value' => ((int)$result['bypass_spam'] == 0 ? lng('panel.no') : lng('panel.yes')),
-						'next_to' => [
-							'add_link' => [
-								'type' => 'link',
-								'href' => $filename . '?page=' . $page . '&amp;domainid=' . $result['domainid'] . '&amp;action=togglebypass&amp;id=' . $result['id'],
-								'label' => '<i class="fa-solid fa-arrow-right-arrow-left"></i> ' . lng('panel.toggle'),
-								'classes' => 'btn btn-sm btn-secondary'
-							]
-						]
+						'type' => 'checkbox',
+						'value' => '1',
+						'checked' => (int)$result['bypass_spam'],
+					],
+					'spam_tag_level' => [
+						'visible' => Settings::Get('antispam.activated') == '1',
+						'label' => lng('antispam.spam_tag_level'),
+						'type' => 'number',
+						'min' => 0,
+						'step' => 0.1,
+						'value' => $result['spam_tag_level'],
+					],
+					'rewrite_subject' => [
+						'visible' => Settings::Get('antispam.activated') == '1' && (int)Settings::Get('antispam.default_spam_rewrite_subject') <= 2,
+						'label' => lng('antispam.rewrite_subject'),
+						'type' => 'checkbox',
+						'value' => '1',
+						'checked' => (int)$result['rewrite_subject'],
+					],
+					'spam_kill_level' => [
+						'visible' => Settings::Get('antispam.activated') == '1',
+						'label' => lng('antispam.spam_kill_level'),
+						'desc' => lng('panel.use_checkbox_to_disable'),
+						'type' => 'textul',
+						'step' => 0.1,
+						'value' => $result['spam_kill_level']
 					],
 					'policy_greylist' => [
+						'visible' => Settings::Get('antispam.activated') == '1' && (int)Settings::Get('antispam.default_policy_greylist') <= 2,
 						'label' => lng('antispam.policy_greylist'),
-						'type' => 'label',
-						'value' => ((int)$result['policy_greylist'] == 0 ? lng('panel.no') : lng('panel.yes')),
-						'next_to' => [
-							'add_link' => [
-								'type' => 'link',
-								'href' => $filename . '?page=' . $page . '&amp;domainid=' . $result['domainid'] . '&amp;action=togglegreylist&amp;id=' . $result['id'],
-								'label' => '<i class="fa-solid fa-arrow-right-arrow-left"></i> ' . lng('panel.toggle'),
-								'classes' => 'btn btn-sm btn-secondary'
-							]
-						]
+						'type' => 'checkbox',
+						'value' => '1',
+						'checked' => (int)$result['policy_greylist'],
 					],
 					'mail_fwds' => [
 						'label' => lng('emails.forwarders') . ' (' . $forwarders_count . ')',
--- a/lib/formfields/customer/extras/formfield.htpasswd_add.php
+++ b/lib/formfields/customer/extras/formfield.htpasswd_add.php
@@ -54,7 +54,7 @@ return [
 					'directory_password' => [
 						'label' => lng('login.password'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'mandatory' => true,
 						'next_to' => [
 							'directory_password_suggestion' => [
--- a/lib/formfields/customer/extras/formfield.htpasswd_edit.php
+++ b/lib/formfields/customer/extras/formfield.htpasswd_edit.php
@@ -49,7 +49,7 @@ return [
 					'directory_password' => [
 						'label' => lng('login.password'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'next_to' => [
 							'directory_password_suggestion' => [
 								'next_to_prefix' => lng('customer.generated_pwd') . ':',
--- a/lib/formfields/customer/ftp/formfield.ftp_add.php
+++ b/lib/formfields/customer/ftp/formfield.ftp_add.php
@@ -58,7 +58,7 @@ return [
 					'ftp_password' => [
 						'label' => lng('login.password'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'mandatory' => true,
 						'next_to' => [
 							'ftp_password_suggestion' => [
--- a/lib/formfields/customer/ftp/formfield.ftp_edit.php
+++ b/lib/formfields/customer/ftp/formfield.ftp_edit.php
@@ -51,7 +51,7 @@ return [
 						'label' => lng('login.password'),
 						'desc' => lng('ftp.editpassdescription'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'next_to' => [
 							'ftp_password_suggestion' => [
 								'next_to_prefix' => lng('customer.generated_pwd') . ':',
--- a/lib/formfields/customer/mysql/formfield.mysql_add.php
+++ b/lib/formfields/customer/mysql/formfield.mysql_add.php
@@ -45,7 +45,7 @@ return [
 					'mysql_password' => [
 						'label' => lng('login.password'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'mandatory' => true,
 						'next_to' => [
 							'mysql_password_suggestion' => [
--- a/lib/formfields/customer/mysql/formfield.mysql_edit.php
+++ b/lib/formfields/customer/mysql/formfield.mysql_edit.php
@@ -52,7 +52,7 @@ return [
 					'mysql_password' => [
 						'label' => lng('changepassword.new_password_ifnotempty'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'next_to' => [
 							'mysql_password_suggestion' => [
 								'next_to_prefix' => lng('customer.generated_pwd') . ':',
--- a/lib/formfields/customer/mysql/formfield.mysql_global_user.php
+++ b/lib/formfields/customer/mysql/formfield.mysql_global_user.php
@@ -34,7 +34,7 @@ return [
 					'mysql_password' => [
 						'label' => lng('login.password'),
 						'type' => 'password',
-						'autocomplete' => 'off',
+						'autocomplete' => 'new-password',
 						'mandatory' => true,
 						'next_to' => [
 							'mysql_password_suggestion' => [
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -61,7 +61,7 @@ function lng(string $identifier, array $arguments = [])
 * @param string|null $session
 * @return mixed|string|null
 */
-function old(string $identifier, string $default = null, string $session = null)
+function old(string $identifier, ?string $default, ?string $session = null)
 {
 	if ($session && isset($_SESSION[$session])) {
 		return $_SESSION[$session][$identifier] ?? $default;
--- a/lib/init.php
+++ b/lib/init.php
@@ -374,7 +374,7 @@ if (CurrentUser::hasSession()) {
 		'domain' => UI::getCookieHost(),
 		'secure' => UI::requestIsHttps(),
 		'httponly' => true,
-		'samesite' => 'Strict'
+		'samesite' => 'Lax'
 	];
 	setcookie(session_name(), $_COOKIE[session_name()], $cookie_params);
 } else {
--- a/lib/tablelisting/customer/tablelisting.emails_overview.php
+++ b/lib/tablelisting/customer/tablelisting.emails_overview.php
@@ -33,9 +33,9 @@ return [
 		'title' => lng('menue.email.emailsoverview'),
 		'icon' => 'fa-solid fa-envelope',
 		'self_overview' => ['section' => 'email', 'page' => 'overview'],
-		'default_sorting' => ['d.domain' => 'asc'],
+		'default_sorting' => ['d.domain_ace' => 'asc'],
 		'columns' => [
-			'd.domain' => [
+			'd.domain_ace' => [
 				'label' => 'Domain',
 				'field' => 'domain',
 			],
@@ -56,7 +56,7 @@ return [
 			],
 		],
 		'visible_columns' => Listing::getVisibleColumnsForListing('emaildomain_list', [
-			'd.domain',
+			'd.domain_ace',
 			'addresses',
 			'accounts',
 			'forwarder',
--- a/lng/ca.lng.php
+++ b/lng/ca.lng.php
@@ -1143,7 +1143,8 @@ Atentament, el vostre administrador'
 		]
 	],
 	'message' => [
-		'norecipients' => 'No s\'ha enviat cap correu electrònic perquè no hi ha destinataris a la base de dades'
+		'norecipients' => 'No s\'ha enviat cap correu electrònic perquè no hi ha destinataris a la base de dades',
+		'success' => 'Missatge enviat correctament als destinataris de %s',
 	],
 	'mysql' => [
 		'databasename' => 'Usuari/Nom de la base de dades',
@@ -2169,7 +2170,6 @@ Atentament, el vostre administrador'
 		'issuer' => 'Emissor'
 	],
 	'success' => [
-		'messages_success' => 'Missatge enviat correctament als destinataris de %s',
 		'success' => 'Informació',
 		'clickheretocontinue' => 'Feu clic aquí per a continuar',
 		'settingssaved' => 'La configuració s\'ha guardat correctament.',
--- a/lng/cz.lng.php
+++ b/lng/cz.lng.php
@@ -49,6 +49,7 @@ return [
 		'2fa_ga_desc' => 'Váš účet je nastaven tak, aby používal jednorázová hesla založená na čase prostřednictvím autentizační aplikace. Naskenujte níže uvedený QR kód pomocí požadované autentizační aplikace pro vygenerování kódů. Chcete-li deaktivovat, klikněte na "Deaktivovat 2FA"',
 		'2fa_not_activated' => 'Dvoufázové ověřování není povoleno',
 		'2fa_not_activated_for_user' => 'Dvoufaktorové ověření není pro aktuálního uživatele povoleno',
+		'type_2fa' => 'Stav 2FA',
 	],
 	'admin' => [
 		'overview' => 'Přehled',
@@ -681,6 +682,8 @@ return [
 			'title' => 'Použít greylisting',
 			'description' => 'Příchozí e-maily budou chráněny <a href="https://en.wikipedia.org/wiki/Greylisting_(email)" target="_blank">greylisting</a>.<br/>Výchozí: ano'
 		],
+		'required_spf_dns' => 'Požadovaný SPF DNS záznam',
+		'required_dmarc_dns' => 'Požadovaný DMARC DNS záznam',
 		'required_dkim_dns' => 'Požadovaný DKIM DNS záznam',
 	],
 	'dns' => [
@@ -782,6 +785,7 @@ return [
 		'hsts' => 'HSTS povoleno',
 		'aliasdomainid' => 'ID aliasové domény',
 		'nodomainsassignedbyadmin' => 'Váš účet nemá v současné době přiřazeny žádné (aktivní) domény. Pokud si myslíte, že je to špatné, kontaktujte svého správce.',
+		'email_only' => 'Jen emaily',
 	],
 	'emails' => [
 		'description' => 'Zde můžete vytvářet a měnit své e-mailové adresy.<br />Účet je jako poštovní schránka před vaším domem. Pokud vám někdo pošle e-mail, bude vypuštěn na účet.<br /><br />Chcete-li stáhnout své e-maily, použijte následující nastavení ve vašem poštovním programu: (Data v <i>kurzívě</i> musí být změněna na ekvivalenty, které jste zadali!<br />Hostitelské jméno: <b><i>doménové jméno</i></b><br />Uživatelské jméno: <b><i>jméno účtu / e-mailová adresa</i></b><br />heslo: <b><i>heslo, které jste zvolili</i></b>',
@@ -1101,6 +1105,7 @@ return [
 		'combination_not_found' => 'Kombinace uživatele a e-mailové adresy nenalezena.',
 		'2fa' => 'Dvoufázové ověření (2FA)',
 		'2facode' => 'Zadejte prosím 2FA kód',
+		'2faremember' => 'Důvěřovat prohlížeči',
 	],
 	'mails' => [
 		'pop_success' => [
@@ -1208,6 +1213,7 @@ Ach upřímně, váš správce',
 	],
 	'message' => [
 		'norecipients' => 'Nebyl odeslán žádný e-mail, protože v databázi nejsou žádní příjemci',
+		'success' => 'Zpráva byla úspěšně odeslána příjemcům %s',
 	],
 	'mysql' => [
 		'databasename' => 'Uživatel/Jméno databáze',
@@ -1227,7 +1233,7 @@ Ach upřímně, váš správce',
 	],
 	'opcacheinfo' => [
 		'generaltitle' => 'Obecné informace',
-		'resetcache' => 'Resetövat OPcache',
+		'resetcache' => 'Resetovat OPcache',
 		'version' => 'Verze OPCache',
 		'phpversion' => 'Verze PHP',
 		'runtimeconf' => 'Spustitelná konfigurace',
@@ -1941,7 +1947,7 @@ Ach upřímně, váš správce',
 		],
 		'documentroot_use_default_value' => [
 			'title' => 'Použít název domény jako výchozí hodnotu pro cestu kořenového adresáře dokumentu',
-			'description' => 'Pokud je povoleno a cesta DocumentRoot je prázdná, výchozí hodnotou bude název (sub)domény.<br /><br />Příklady: <br />/var/customers/customer_name/example.com/<br />/var /customers/customer_name/subdomain.example.com/',
+			'description' => 'Pokud je povoleno a cesta DocumentRoot je prázdná, výchozí hodnotou bude název (sub)domény.<br /><br />Příklady: <br />/var/customers/webs/customer_name/example.com/<br />/var/customers/webs/customer_name/subdomain.example.com/',
 		],
 		'panel_phpconfigs_hidesubdomains' => [
 			'title' => 'Skrýt subdomény v PHP-konfiguračním přehledu',
@@ -2268,7 +2274,6 @@ Ach upřímně, váš správce',
 		'issuer' => 'Vydavatel',
 	],
 	'success' => [
-		'messages_success' => 'Zpráva byla úspěšně odeslána příjemcům %s',
 		'success' => 'Informace',
 		'clickheretocontinue' => 'Klikněte zde pro pokračování',
 		'settingssaved' => 'Nastavení bylo úspěšně uloženo.',
--- a/lng/de.lng.php
+++ b/lng/de.lng.php
@@ -504,6 +504,7 @@ return [
 		'apiguide' => 'API Guide',
 		'domain_duplicate' => 'Domain duplizieren',
 		'domain_duplicate_named' => '%s duplizieren',
+		'emaildomainwarning' => '<div id="emaildomainnote" class="invalid-feedback">ACHTUNG: Durch die Änderung dieser Einstellung löschen Sie alle bestehenden E-Mail-Adressen und -Konten unwiderruflich.</div>',
 	],
 	'apikeys' => [
 		'no_api_keys' => 'Keine API Keys gefunden',
@@ -621,6 +622,10 @@ return [
 			'title' => 'Spam Level',
 			'description' => 'Erforderliche Punktzahl zum Markieren einer E-Mail als Spam<br/>Standard: 7.0'
 		],
+		'rewrite_subject' => [
+			'title' => 'Betreff ändern',
+			'description' => 'Dem E-Mail Betreff <strong>***SPAM***</strong> hinzufügen, sofern zutreffend',
+		],
 		'spam_kill_level' => [
 			'title' => 'Ablehnungs Level',
 			'description' => 'Erforderliche Punktzahl für das Ablehnen einer E-Mail<br/>Standard: 14.0'
@@ -636,6 +641,24 @@ return [
 		'required_spf_dns' => 'Erforderlicher SPF DNS Eintrag',
 		'required_dmarc_dns' => 'Erforderlicher DMARC DNS Eintrag',
 		'required_dkim_dns' => 'Erforderlicher DKIM DNS Eintrag',
+		'default_select' => [
+			'on_changeable' => 'Aktiviert, einstellbar',
+			'off_changeable' => 'Deaktiviert, einstellbar',
+			'on_unchangeable' => 'Aktiviert, nicht einstellbar',
+			'off_unchangeable' => 'Deaktiviert, nicht einstellbar',
+		],
+		'default_bypass_spam' => [
+			'title' => 'Standardwert: Spamfilter umgehen',
+			'description' => 'Wählen, ob bei neuen E-Mail-Konten "Spamfilter umgehen" standardmäßig aktiviert ist und ob diese Einstellung vom Kunden angepasst werden kann.<br/>Standard: Deaktiviert, einstellbar'
+		],
+		'default_spam_rewrite_subject' => [
+			'title' => 'Standardwert: Betreff ändern',
+			'description' => 'Wählen, ob bei neuen E-Mail-Konten "Betreff ändern" standardmäßig aktiviert ist und ob diese Einstellung vom Kunden angepasst werden kann.<br/>Standard: Aktiviert, einstellbar'
+		],
+		'default_policy_greylist' => [
+			'title' => 'Standardwert: Verwende greylisting',
+			'description' => 'Wählen, ob bei neuen E-Mail-Konten "Verwende greylisting" standardmäßig aktiviert ist und ob diese Einstellung vom Kunden angepasst werden kann.<br/>Standard: Aktiviert, einstellbar'
+		],
 	],
 	'dns' => [
 		'destinationip' => 'Domain-IP-Adresse(n)',
@@ -765,6 +788,8 @@ return [
 		'mydocumentroot' => '\'Documentroot\'',
 		'loginnameexists' => 'Der Login-Name "%s" existiert bereits.',
 		'emailiswrong' => 'Die E-Mail-Adresse "%s" enthält ungültige Zeichen oder ist nicht vollständig.',
+		'emailexists' => 'Die E-Mail-Adresse "%s" wird bereits von einem anderen Admin verwendet',
+		'emailexistsanon' => 'Die E-Mail-Adresse "%s" wird bereits verwendet',
 		'alternativeemailiswrong' => 'Die angegebene alternative E-Mail Adresse "%s", an welche die Zugangsdaten geschickt werden soll, scheint ungültig zu sein.',
 		'loginnameiswrong' => 'Der Login-Name "%s" enthält ungültige Zeichen.',
 		'loginnameiswrong2' => 'Der Login-Name enthält zu viele Zeichen, es sind maximal %s Zeichen erlaubt.',
@@ -853,6 +878,7 @@ return [
 		'plausibilitychecknotunderstood' => 'Die Antwort des Plausibilitätschecks wurde nicht verstanden',
 		'errorwhensaving' => 'Bei dem Speichern des Feldes "%s" trat ein Fehler auf',
 		'pathmaynotcontaincolon' => 'Der eingegebene Pfad sollte keinen Doppelpunkt (":") enthalten. Bitte geben Sie einen korrekten Wert für den Pfad ein.',
+		'invaliddocumentrooturl' => 'Die URL, die Sie für den Pfad eingegeben haben, ist ungültig. Bitte geben Sie eine korrekte URL oder einen Unix-Pfad ein.',
 		'notrequiredpasswordcomplexity' => 'Die vorgegebene Passwort-Komplexität wurde nicht erfüllt.<br />Bitte kontaktieren Sie Ihren Administrator, wenn Sie Fragen zur Komplexitäts-Vorgabe haben.',
 		'stringerrordocumentnotvalidforlighty' => 'Ein Text als Fehlerdokument funktioniert leider in LigHTTPd nicht, bitte geben Sie einen Pfad zu einer Datei an',
 		'urlerrordocumentnotvalidforlighty' => 'Eine URL als Fehlerdokument funktioniert leider in LigHTTPd nicht, bitte geben Sie einen Pfad zu einer Datei an',
@@ -940,6 +966,8 @@ return [
 		'no_wwwcnamae_ifwwwalias' => 'Es kann kein CNAME Eintrag für "www" angelegt werden, da die Domain einen www-Alias aktiviert hat. Ändere diese Einstellung auf "Kein Alias" oder "Wildcard Alias"',
 		'local_group_exists' => 'Die angegebene Gruppe existiert bereits auf dem System',
 		'local_group_invalid' => 'Der angegebene Gruppen-Name ist nicht gültig',
+		'local_user_invalid' => 'Der angegebene Benutzer-Name ist nicht gültig oder existiert nicht',
+		'local_user_isfroxloruser' => 'Der angegebene Benutzer-Name ist ein von froxlor verwalteter Benutzer und kann in diesem Kontext nicht verwendet werden.',
 		'invaliddnsforletsencrypt' => 'Die DNS-Einträge der Domain enthalten keine der gewählten IP Adressen. Let\'s Encrypt Zertifikats-Erstellung ist nicht möglich.',
 		'notallowedphpconfigused' => 'Nutzung einer PHP-Konfiguration welche nicht dem Kunden zugeordnet ist',
 		'pathmustberelative' => 'Der Benutzer hat nicht die benötigten Berechtigungen, um Pfade außerhalb des Kunden-Heimatverzeichnisses anzugeben. Bitte einen relativen Pfad angeben (kein führendes /).',
@@ -952,6 +980,7 @@ return [
 		'invalidpgppublickey' => 'Der angegebene PGP Public Key ist ungültig',
 		'invalid_validtime' => 'Wert der valid_time in Sekunden muss zwischen 10 und 120 liegen.',
 		'customerphpenabledbutnoconfig' => 'Kunde hat PHP aktiviert aber keine PHP-Konfiguration wurde gewählt.',
+		'emaildomainstillhasaddresses' => 'Maildomain-Flag kann nicht deaktiviert werden, da für diese Domain noch E-Mail-Adressen vorhanden sind.',
 	],
 	'extras' => [
 		'description' => 'Hier können Sie zusätzliche Extras einrichten, wie zum Beispiel einen Verzeichnisschutz.<br />Die Änderungen sind erst nach einer kurzen Zeit wirksam.',
@@ -1141,6 +1170,7 @@ Vielen Dank, Ihr Administrator',
 	],
 	'message' => [
 		'norecipients' => 'Es wurde keine E-Mail versendet, da sich keine Empfänger in der Datenbank befinden',
+		'success' => 'Nachricht erfolgreich an "%s" Empfänger gesendet',
 	],
 	'mysql' => [
 		'databasename' => 'Benutzer-/Datenbankname',
@@ -1261,6 +1291,7 @@ Vielen Dank, Ihr Administrator',
 		'upload_import' => 'Hochladen und importieren',
 		'profile' => 'Mein Profil',
 		'use_checkbox_for_unlimited' => 'Der Wert "0" deaktiviert die Resource. Die Checkbox rechts erlaubt "unlimitierte" Nutzung.',
+		'use_checkbox_to_disable' => 'Zum Deaktivieren, klicke die Checkbox auf der rechten Seite des Eingabefeldes',
 	],
 	'phpfpm' => [
 		'vhost_httpuser' => 'Lokaler Benutzer für PHP-FPM (Froxlor-Vhost)',
@@ -2079,7 +2110,7 @@ Vielen Dank, Ihr Administrator',
 			'description' => 'Ist die Nutzung eines hochgeladenen Logos gewünscht, muss diese Einstellung auf "Ja" gesetzt werden. Alternativ kann weiterhin das Theme-basierte Überschreiben via "logo_custom.png" und "logo_custom_login.png" genutzt werden.',
 		],
 		'logo_overridecustom' => [
-			'title' => 'Überschreibe benutzerdefinierte Theme-Logos (logo_custom.png und logo_custom_login.png) mit "Logo Bold" (Header und Login, siehe unten)',
+			'title' => 'Überschreibe benutzerdefinierte Theme-Logos (logo_custom.png und logo_custom_login.png) mit "Logo Bild" (Header und Login, siehe unten)',
 			'description' => 'Ist diese Einstellung aktiv, werden benutzerdefinierte Logos im Theme-Ordner mit dem "Logo Bild" ersetzt',
 		],
 		'createstdsubdom_default' => [
@@ -2139,7 +2170,6 @@ Vielen Dank, Ihr Administrator',
 		'dmarc_entry' => 'DMARC-Eintrag für alle Domains',
 	],
 	'success' => [
-		'messages_success' => 'Nachricht erfolgreich an "%s" Empfänger gesendet',
 		'success' => 'Information',
 		'clickheretocontinue' => 'Hier klicken, um fortzufahren',
 		'settingssaved' => 'Die Einstellungen wurden erfolgreich gespeichert.',
@@ -2169,6 +2199,7 @@ Vielen Dank, Ihr Administrator',
 		'CREATE_CUSTOMER_DATADUMP' => 'Daten-Export für Kunde %s',
 		'DELETE_DOMAIN_PDNS' => 'Lösche Domain %s von PowerDNS Datenbank',
 		'DELETE_DOMAIN_SSL' => 'Lösche SSL Dateien von Domain %s',
+		'UPDATE_LE_SERVICES' => 'Aktualisiere Systemdienste für Let\'s Encrypt',
 	],
 	'terms' => 'AGB',
 	'traffic' => [
@@ -2264,6 +2295,7 @@ Vielen Dank, Ihr Administrator',
 		'critical_error' => 'Kritischer Fehler',
 		'suggestions' => 'Nicht notwendig, aber emfohlen',
 		'phpinfosuccess' => 'Auf dem System ist PHP %s installiert',
+		'suggestionsnote' => 'Es liegen keine kritische Fehler vor, die eine Installation verhindern, allerdings beachten Sie bitte die Empfehlungen weiter unten für ein optimales Erlebnis.',
 		'phpinfowarn' => 'Die genutzte PHP Version ist kleiner als die geforderte Version %s',
 		'phpinfoupdate' => 'Aktualisierung von PHP Version %s auf %s oder höher notwendig',
 		'start_installation' => 'Installation starten',
--- a/lng/en.lng.php
+++ b/lng/en.lng.php
@@ -29,6 +29,7 @@ return [
 		'de' => 'German',
 		'en' => 'English',
 		'fr' => 'French',
+		'hu' => 'Hungarian',
 		'it' => 'Italian',
 		'nl' => 'Dutch',
 		'pt' => 'Portuguese',
@@ -519,6 +520,7 @@ return [
 		'backups' => [
 			'backups' => 'Backups',
 		],
+		'emaildomainwarning' => '<div id="emaildomainnote" class="invalid-feedback">WARNING: By changing this setting you will delete all existing e-mail addresses and -accounts permanently.</div>',
 	],
 	'apcuinfo' => [
 		'clearcache' => 'Clear APCu cache',
@@ -670,6 +672,10 @@ return [
 			'title' => 'Spam tag level',
 			'description' => 'Score that is required to mark an email as spam<br/>Default: 7.0'
 		],
+		'rewrite_subject' => [
+			'title' => 'Rewrite subject',
+			'description' => 'Whether to add <strong>***SPAM***</strong> to the email subject if applicable',
+		],
 		'spam_kill_level' => [
 			'title' => 'Spam kill level',
 			'description' => 'Score that is required to discard an email entirely<br/>Default: 14.0'
@@ -685,6 +691,24 @@ return [
 		'required_spf_dns' => 'Required SPF DNS entry',
 		'required_dmarc_dns' => 'Required DMARC DNS entry',
 		'required_dkim_dns' => 'Required DKIM DNS entry',
+		'default_select' => [
+			'on_changeable' => 'Activated, adjustable',
+			'off_changeable' => 'Deactivated, adjustable',
+			'on_unchangeable' => 'Activated, not adjustable',
+			'off_unchangeable' => 'Deactivated, not adjustable',
+		],
+		'default_bypass_spam' => [
+			'title' => 'Bypass spamfilter default value',
+			'description' => 'Whether new email accounts have "Bypass spamfilter" activated by default and whether this setting is adjustable by the customer.<br/>Default: Deactivated, adjustable'
+		],
+		'default_spam_rewrite_subject' => [
+			'title' => 'Rewrite subject default value',
+			'description' => 'Whether new email accounts have "Rewrite subject" activated by default and whether this setting is adjustable by the customer.<br/>Default: Activated, adjustable'
+		],
+		'default_policy_greylist' => [
+			'title' => 'Use greylisting default value',
+			'description' => 'Whether new email accounts have "Use greylisting" activated by default and whether this setting is adjustable by the customer.<br/>Default: Activated, adjustable'
+		],
 	],
 	'dns' => [
 		'destinationip' => 'Domain IP(s)',
@@ -836,6 +860,8 @@ return [
 		'mydocumentroot' => '\'Documentroot\'',
 		'loginnameexists' => 'Loginname %s already exists',
 		'emailiswrong' => 'Email-address %s contains invalid characters or is incomplete',
+		'emailexists' => 'Email-address %s already in use by another admin',
+		'emailexistsanon' => 'Email-address %s already in use.',
 		'alternativeemailiswrong' => 'The given alternative email address %s to send the credentials to seems to be invalid',
 		'loginnameiswrong' => 'Loginname "%s" contains illegal characters.',
 		'loginnameiswrong2' => 'Loginname contains too many characters. Only %s characters are allowed.',
@@ -925,6 +951,7 @@ return [
 		'notrequiredpasswordlength' => 'The given password is too short. Please enter at least %s characters.',
 		'overviewsettingoptionisnotavalidfield' => 'Whoops, a field that should be displayed as an option in the settings-overview is not an excepted type. You can blame the developers for this. This should not happen!',
 		'pathmaynotcontaincolon' => 'The path you have entered should not contain a colon (":"). Please enter a correct path value.',
+		'invaliddocumentrooturl' => 'The URL you have entered for the documentroot is not valid. Please enter a correct URL or a unix-path.',
 		'exception' => '%s',
 		'notrequiredpasswordcomplexity' => 'The specified password-complexity was not satisfied.<br />Please contact your administrator if you have any questions about the complexity-specification',
 		'stringerrordocumentnotvalidforlighty' => 'A string as ErrorDocument does not work in lighttpd, please specify a path to a file',
@@ -1012,6 +1039,8 @@ return [
 		'no_wwwcnamae_ifwwwalias' => 'Cannot set CNAME record for "www" as domain is set to generate a www-alias. Please change settings to either "No alias" or "Wildcard alias"',
 		'local_group_exists' => 'The given group already exists on the system.',
 		'local_group_invalid' => 'The given group name is invalid',
+		'local_user_invalid' => 'The given user name is invalid or does not exist',
+		'local_user_isfroxloruser' => 'The given user name is a froxlor managed username and cannot be used in this context',
 		'invaliddnsforletsencrypt' => 'The domains DNS does not include any of the chosen IP addresses. Let\'s Encrypt certificate generation not possible.',
 		'notallowedphpconfigused' => 'Trying to use php-config which is not assigned to customer',
 		'pathmustberelative' => 'The user does not have the permission to specify directories outside the customers home-directory. Please specify a relative path (no leading /).',
@@ -1024,6 +1053,7 @@ return [
 		'invalidpgppublickey' => 'The PGP Public Key is not valid',
 		'invalid_validtime' => 'Valid time in seconds can only be between 10 and 120',
 		'customerphpenabledbutnoconfig' => 'Customer has PHP activated but no PHP-configuration was selected.',
+		'emaildomainstillhasaddresses' => 'Cannot deactivate mail-domain flag, as there are still email-addresses for this domain.',
 	],
 	'extras' => [
 		'description' => 'Here you can add some extras, for example directory protection.<br />The system will need some time to apply the new settings after every change.',
@@ -1213,6 +1243,7 @@ Yours sincerely, your administrator',
 	],
 	'message' => [
 		'norecipients' => 'No e-mail has been sent because there are no recipients in the database',
+		'success' => 'Successfully sent message to %s recipients',
 	],
 	'mysql' => [
 		'databasename' => 'User/Database name',
@@ -1376,6 +1407,7 @@ Yours sincerely, your administrator',
 		'upload_import' => 'Upload and import',
 		'profile' => 'My profile',
 		'use_checkbox_for_unlimited' => 'The value "0" deactivates this resource. The checkbox on the right allows "unlimited" usage.',
+		'use_checkbox_to_disable' => 'To disable, activate the checkbox on the right of the input field',
 	],
 	'phpfpm' => [
 		'vhost_httpuser' => 'Local user to use for PHP-FPM (Froxlor vHost)',
@@ -2273,7 +2305,6 @@ Yours sincerely, your administrator',
 		'issuer' => 'Issuer',
 	],
 	'success' => [
-		'messages_success' => 'Successfully sent message to %s recipients',
 		'success' => 'Information',
 		'clickheretocontinue' => 'Click here to continue',
 		'settingssaved' => 'The settings have been successfully saved.',
@@ -2303,6 +2334,7 @@ Yours sincerely, your administrator',
 		'CREATE_CUSTOMER_DATADUMP' => 'Data export job for customer %s',
 		'DELETE_DOMAIN_PDNS' => 'Delete domain %s from PowerDNS database',
 		'DELETE_DOMAIN_SSL' => 'Delete ssl files of domain %s',
+		'UPDATE_LE_SERVICES' => 'Updating system services for Let\'s Encrypt',
 	],
 	'terms' => 'Terms of use',
 	'traffic' => [
@@ -2400,6 +2432,7 @@ Yours sincerely, your administrator',
 		'critical_error' => 'Critical error',
 		'suggestions' => 'Not required but recommended',
 		'phpinfosuccess' => 'Your system is running with PHP %s',
+		'suggestionsnote' => 'There are no critical errors that prevent installation, but please follow the recommendations below for an optimal experience.',
 		'phpinfowarn' => 'Your system is running a lower version than PHP %s',
 		'phpinfoupdate' => 'Update your current PHP version from %s to %s or higher',
 		'start_installation' => 'Start installation',
--- a/lng/es.lng.php
+++ b/lng/es.lng.php
@@ -1132,7 +1132,8 @@ Atentamente, su administrador'
 		]
 	],
 	'message' => [
-		'norecipients' => 'No se ha enviado ningún correo electrónico porque no hay destinatarios en la base de datos'
+		'norecipients' => 'No se ha enviado ningún correo electrónico porque no hay destinatarios en la base de datos',
+		'success' => 'Mensaje enviado correctamente a los destinatarios de %s',
 	],
 	'mysql' => [
 		'databasename' => 'Usuario/Nombre de la base de datos',
@@ -2152,7 +2153,6 @@ Atentamente, su administrador'
 		'issuer' => 'Emisor'
 	],
 	'success' => [
-		'messages_success' => 'Mensaje enviado correctamente a los destinatarios de %s',
 		'success' => 'Información',
 		'clickheretocontinue' => 'Haga clic aquí para continuar',
 		'settingssaved' => 'La configuración se ha guardado correctamente.',
--- a/lng/fr.lng.php
+++ b/lng/fr.lng.php
@@ -466,6 +466,7 @@ return [
 	],
 	'message' => [
 		'norecipients' => 'Aucun e-mail n\'a été envoyé car il n\'existe aucun destinataire dans la base de données',
+		'success' => 'Le message a été envoyé aux destinataires "%s"',
 	],
 	'mysql' => [
 		'databasename' => 'Nom de la base de données',
@@ -749,9 +750,6 @@ return [
 			'description' => 'Les administrateurs / revendeurs peuvent réinitialiser leurs mots de passe et il sera envoyé à leurs propres adresses e-mails',
 		],
 	],
-	'success' => [
-		'messages_success' => 'Le message a été envoyé aux destinataires "%s"',
-	],
 	'traffic' => [
 		'month' => 'Mois',
 		'day' => 'Jour',
--- a/lng/hu.lng.php
+++ b/lng/hu.lng.php
--- a/lng/it.lng.php
+++ b/lng/it.lng.php
@@ -1043,6 +1043,7 @@ Cordiali Saluti, Team Froxlor',
 	],
 	'message' => [
 		'norecipients' => 'Nessuna e-mail è stata inviata perch¸ non ci sono i destinatari nel database',
+		'success' => 'Inviato correttamente il messaggio a %s recipients',
 	],
 	'mysql' => [
 		'description' => 'Qui puoi creare e modificare il tuo database MySQL<br />Le modifiche sono istantanee e puoi usare subito il database.<br />Nel menù a sinistra trovi phpMyAdmin con cui puoi amministrare il tuo database.<br /><br />Per usare i database nei tuoi script php usa le seguenti impostazioni: (Le parole in <i>corsivo</i> devono essere modificate con quello che hai scritto!)<br />Hostname: <b><SQL_HOST></b><br />Utente: <b><i>Nome database</i></b><br />Password: <b><i>La password che hai scelto</i></b><br />Database: <b><i>Nome database</i></b>',
@@ -1703,7 +1704,6 @@ Nota: Perfavore <b>sii sicuro</b> di usare lo stesso nome di file come per il cr
 		'spf_entry' => 'Impostazioni SPF per tutti i domini',
 	],
 	'success' => [
-		'messages_success' => 'Inviato correttamente il messaggio a %s recipients',
 		'success' => 'Informazioni',
 		'clickheretocontinue' => 'Clicca qui per continuare',
 		'settingssaved' => 'Le impostazioni sono state salvate con successo.',
--- a/lng/nl.lng.php
+++ b/lng/nl.lng.php
@@ -619,6 +619,7 @@ Met vriendelijke groet, uw beheerder',
 	],
 	'message' => [
 		'norecipients' => 'Er is geen email verstuurd omdat er geen ontvangers in de database zijn',
+		'success' => 'Bericht verzonden naar ontvangers %s',
 	],
 	'mysql' => [
 		'databasename' => 'gebruiker/database naam',
@@ -1069,7 +1070,6 @@ Met vriendelijke groet, uw beheerder',
 		'spf_entry' => 'SPF regel voor alle domeinen',
 	],
 	'success' => [
-		'messages_success' => 'Bericht verzonden naar ontvangers %s',
 		'success' => 'Informatie',
 		'clickheretocontinue' => 'Klik hier om verder te gaan',
 		'settingssaved' => 'De instellingen zijn opgeslagen.',
--- a/Show More
+++ b/Show More