install/dist/lib/centos90.lib.php

+<?php
+
+/*
+Copyright (c) 2014, Till Brehm, ISPConfig UG
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once realpath(dirname(__FILE__)) . '/centos_base.lib.php';
+
+class installer extends installer_centos {
+
+	protected $clamav_socket = '/var/run/clamd.amavisd/clamd.sock';
+	
+	// everything else is inherited from installer_centos class
+}
+
+?>

install/dist/lib/centos_base.lib.php

@@ -83,31 +83,28 @@ class installer_centos extends installer_dist {
 
 		$config_dir = $conf['postfix']['config_dir'];
 
-		// Adding amavis-services to the master.cf file if the service does not already exists
-		$add_amavis = !$this->get_postfix_service('amavis','unix');
-		$add_amavis_10025 = !$this->get_postfix_service('127.0.0.1:10025','inet');
-		$add_amavis_10027 = !$this->get_postfix_service('127.0.0.1:10027','inet');
-
-		if ($add_amavis || $add_amavis_10025 || $add_amavis_10027) {
-			//* backup master.cf
-			if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
-			// adjust amavis-config
-			if($add_amavis) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10025) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10027) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-		}
+		// Adding amavis-services to the master.cf file
+
+		// backup master.cf
+		if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
+
+		// first remove the old service definitions
+		$this->remove_postfix_service('amavis','unix');
+		$this->remove_postfix_service('127.0.0.1:10025','inet');
+		$this->remove_postfix_service('127.0.0.1:10027','inet');
+
+		// then add them back
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
+
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
+
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
 
 		removeLine('/etc/sysconfig/freshclam', 'FRESHCLAM_DELAY=disabled-warn   # REMOVE ME', 1);
 		replaceLine('/etc/freshclam.conf', 'Example', '# Example', 1);

install/dist/lib/debian60.lib.php

@@ -33,7 +33,7 @@ class installer extends installer_base {
 	public function configure_dovecot()
 	{
 		global $conf;
-	
+
 		$virtual_transport = 'dovecot';
 
 		$configure_lmtp = false;
@@ -48,7 +48,7 @@ class installer extends installer_base {
 			$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
 			$ini_array = ini_to_array(stripslashes($tmp['config']));
 			// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
-			
+
 			if(isset($ini_array['mail']['mailbox_virtual_uidgid_maps']) && $ini_array['mail']['mailbox_virtual_uidgid_maps'] == 'y') {
 				$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
 				$configure_lmtp = true;
@@ -61,7 +61,7 @@ class installer extends installer_base {
 			if(is_file($config_dir.'/master.cf')){
 				copy($config_dir.'/master.cf', $config_dir.'/master.cf~2');
 			}
-			if(is_file($config_dir.'/master.cf~')){
+			if(is_file($config_dir.'/master.cf~2')){
 				chmod($config_dir.'/master.cf~2', 0400);
 			}
 			//* Configure master.cf and add a line for deliver
@@ -108,6 +108,13 @@ class installer extends installer_base {
 			} else {
 				copy('tpl/debian6_dovecot2.conf.master', $config_dir.'/'.$configfile);
 			}
+			// Copy custom config file
+			if(is_file($conf['ispconfig_install_dir'].'/server/conf-custom/install/dovecot_custom.conf.master')) {
+				if(!@is_dir($config_dir . '/conf.d')) {
+					mkdir($config_dir . '/conf.d');
+				}
+				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/dovecot_custom.conf.master', $config_dir.'/conf.d/99-ispconfig-custom-config.conf');
+			}
 			replaceLine($config_dir.'/'.$configfile, 'postmaster_address = postmaster@example.com', 'postmaster_address = postmaster@'.$conf['hostname'], 1, 0);
 			replaceLine($config_dir.'/'.$configfile, 'postmaster_address = webmaster@localhost', 'postmaster_address = postmaster@'.$conf['hostname'], 1, 0);
 			if(version_compare($dovecot_version,2.1) < 0) {
@@ -123,7 +130,7 @@ class installer extends installer_base {
 			if(version_compare($dovecot_version,2.3) >= 0) {
 				// Remove deprecated setting(s)
 				removeLine($config_dir.'/'.$configfile, 'ssl_protocols =');
-				
+
 				// Check if we have a dhparams file and if not, create it
 				if(!file_exists('/etc/dovecot/dh.pem')) {
 					swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
@@ -146,7 +153,7 @@ class installer extends installer_base {
 				$content = str_replace('#2.3+ ','',$content);
 				file_put_contents($config_dir.'/'.$configfile,$content);
 				unset($content);
-				
+
 			} else {
 				// remove settings which are not supported in Dovecot < 2.3
 				removeLine($config_dir.'/'.$configfile, 'ssl_min_protocol =');
@@ -159,7 +166,7 @@ class installer extends installer_base {
 				copy('tpl/debian6_dovecot.conf.master', $config_dir.'/'.$configfile);
 			}
 		}
-		
+
 		$dovecot_protocols = 'imap pop3';
 
 		//* dovecot-lmtpd
@@ -196,20 +203,12 @@ class installer extends installer_base {
 		chmod($config_dir.'/'.$configfile, 0600);
 		chown($config_dir.'/'.$configfile, 'root');
 		chgrp($config_dir.'/'.$configfile, 'root');
-		
+
 		// Dovecot shall ignore mounts in website directory
 		if(is_installed('doveadm')) exec("doveadm mount add '/var/www/*' ignore > /dev/null 2> /dev/null");
 
 	}
 
-	public function configure_apache() {
-		global $conf;
-
-		if(file_exists('/etc/apache2/mods-available/fcgid.conf')) replaceLine('/etc/apache2/mods-available/fcgid.conf', 'MaxRequestLen', 'MaxRequestLen 15728640', 0, 1);
-
-		parent::configure_apache();
-	}
-
 	public function configure_fail2ban() {
 		/*
         copy('tpl/dovecot-pop3imap.conf.master',"/etc/fail2ban/filter.d/dovecot-pop3imap.conf");

install/dist/lib/fedora.lib.php

@@ -47,282 +47,6 @@ class installer_dist extends installer_base {
 		}
 	}
 
-	function configure_postfix($options = '')
-	{
-		global $conf,$autoinstall;
-		$cf = $conf['postfix'];
-		$config_dir = $cf['config_dir'];
-
-		if(!is_dir($config_dir)){
-			$this->error("The postfix configuration directory '$config_dir' does not exist.");
-		}
-
-		//* mysql-virtual_domains.cf
-		$this->process_postfix_config('mysql-virtual_domains.cf');
-
-		//* mysql-virtual_forwardings.cf
-		$this->process_postfix_config('mysql-virtual_forwardings.cf');
-
-		//* mysql-virtual_alias_domains.cf
-		$this->process_postfix_config('mysql-virtual_alias_domains.cf');
-
-		//* mysql-virtual_alias_maps.cf
-		$this->process_postfix_config('mysql-virtual_alias_maps.cf');
-
-		//* mysql-virtual_mailboxes.cf
-		$this->process_postfix_config('mysql-virtual_mailboxes.cf');
-
-		//* mysql-virtual_email2email.cf
-		$this->process_postfix_config('mysql-virtual_email2email.cf');
-
-		//* mysql-virtual_transports.cf
-		$this->process_postfix_config('mysql-virtual_transports.cf');
-
-		//* mysql-virtual_recipient.cf
-		$this->process_postfix_config('mysql-virtual_recipient.cf');
-
-		//* mysql-virtual_sender.cf
-		$this->process_postfix_config('mysql-virtual_sender.cf');
-
-		//* mysql-virtual_sender_login_maps.cf
-		$this->process_postfix_config('mysql-virtual_sender_login_maps.cf');
-
-		//* mysql-virtual_client.cf
-		$this->process_postfix_config('mysql-virtual_client.cf');
-
-		//* mysql-virtual_relaydomains.cf
-		$this->process_postfix_config('mysql-virtual_relaydomains.cf');
-
-		//* mysql-virtual_relayrecipientmaps.cf
-		$this->process_postfix_config('mysql-virtual_relayrecipientmaps.cf');
-
-		//* mysql-virtual_outgoing_bcc.cf
-		$this->process_postfix_config('mysql-virtual_outgoing_bcc.cf');
-
-		//* mysql-virtual_policy_greylist.cf
-		$this->process_postfix_config('mysql-virtual_policy_greylist.cf');
-
-		//* mysql-virtual_gids.cf.master
-		$this->process_postfix_config('mysql-virtual_gids.cf');
-
-		//* mysql-virtual_uids.cf
-		$this->process_postfix_config('mysql-virtual_uids.cf');
-
-		//* mysql-virtual_alias_domains.cf
-		$this->process_postfix_config('mysql-verify_recipients.cf');
-
-		//* postfix-dkim
-		$filename='tag_as_originating.re';
-		$full_file_name=$config_dir.'/'.$filename;
-		if(is_file($full_file_name)) copy($full_file_name, $full_file_name.'~');
-		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/postfix-'.$filename.'.master', 'tpl/postfix-'.$filename.'.master');
-		wf($full_file_name, $content);
-
-		$filename='tag_as_foreign.re';
-		$full_file_name=$config_dir.'/'.$filename;
-		if(is_file($full_file_name)) copy($full_file_name, $full_file_name.'~');
-		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/postfix-'.$filename.'.master', 'tpl/postfix-'.$filename.'.master');
-		wf($full_file_name, $content);
-
-		//* Creating virtual mail user and group
-		$command = 'groupadd -g '.$cf['vmail_groupid'].' '.$cf['vmail_groupname'];
-		if(!is_group($cf['vmail_groupname'])) caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
-		$command = 'useradd -g '.$cf['vmail_groupname'].' -u '.$cf['vmail_userid'].' '.$cf['vmail_username'].' -d '.$cf['vmail_mailbox_base'].' -m';
-		if(!is_user($cf['vmail_username'])) caselog("$command &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
-		//* These postconf commands will be executed on installation and update
-		$server_ini_rec = $this->db->queryOneRecord("SELECT config FROM server WHERE server_id = ?", $conf['server_id']);
-		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
-		unset($server_ini_rec);
-
-		//* If there are RBL's defined, format the list and add them to smtp_recipient_restrictions to prevent removeal after an update
-		$rbl_list = '';
-		if (@isset($server_ini_array['mail']['realtime_blackhole_list']) && $server_ini_array['mail']['realtime_blackhole_list'] != '') {
-			$rbl_hosts = explode(",", str_replace(" ", "", $server_ini_array['mail']['realtime_blackhole_list']));
-			foreach ($rbl_hosts as $key => $value) {
-				$rbl_list .= ", reject_rbl_client ". $value;
-			}
-		}
-		unset($rbl_hosts);
-
-		//* If Postgrey is installed, configure it
-		$greylisting = '';
-		if($conf['postgrey']['installed'] == true) {
-			$greylisting = ', check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf';
-		}
-
-		$reject_sender_login_mismatch = '';
-		$reject_authenticated_sender_login_mismatch = '';
-		if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
-			$reject_sender_login_mismatch = ', reject_sender_login_mismatch';
-			$reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, ';
-		}
-
-		# placeholder includes comment char
-		$stress_adaptive_placeholder = '#{stress_adaptive} ';
-		$stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder;
-
-		$reject_unknown_client_hostname='';
-		if (isset($server_ini_array['mail']['reject_unknown']) && ($server_ini_array['mail']['reject_unknown'] == 'client' || $server_ini_array['mail']['reject_unknown'] == 'client_helo')) {
-			$reject_unknown_client_hostname=',reject_unknown_client_hostname';
-		}
-		$reject_unknown_helo_hostname='';
-		if ((!isset($server_ini_array['mail']['reject_unknown'])) || $server_ini_array['mail']['reject_unknown'] == 'helo' || $server_ini_array['mail']['reject_unknown'] == 'client_helo') {
-			$reject_unknown_helo_hostname=',reject_unknown_helo_hostname';
-		}
-
-		unset($server_ini_array);
-
-		$myhostname = str_replace('.','\.',$conf['hostname']);
-
-		$postconf_placeholders = array('{config_dir}' => $config_dir,
-			'{vmail_mailbox_base}' => $cf['vmail_mailbox_base'],
-			'{vmail_userid}' => $cf['vmail_userid'],
-			'{vmail_groupid}' => $cf['vmail_groupid'],
-			'{rbl_list}' => $rbl_list,
-			'{greylisting}' => $greylisting,
-			'{reject_slm}' => $reject_sender_login_mismatch,
-			'{reject_aslm}' => $reject_authenticated_sender_login_mismatch,
-			'{myhostname}' => $myhostname,
-			$stress_adaptive_placeholder => $stress_adaptive,
-			'{reject_unknown_client_hostname}' => $reject_unknown_client_hostname,
-			'{reject_unknown_helo_hostname}' => $reject_unknown_helo_hostname,
-		);
-
-		$postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/fedora_postfix.conf.master', 'tpl/fedora_postfix.conf.master');
-		$postconf_tpl = strtr($postconf_tpl, $postconf_placeholders);
-		$postconf_commands = array_filter(explode("\n", $postconf_tpl)); // read and remove empty lines
-
-		//* These postconf commands will be executed on installation only
-		if($this->is_update == false) {
-			$postconf_commands = array_merge($postconf_commands, array(
-					'myhostname = '.$conf['hostname'],
-					'mydestination = '.$conf['hostname'].', localhost, localhost.localdomain',
-					'mynetworks = 127.0.0.0/8 [::1]/128'
-				));
-		}
-
-		//* Create the header and body check files
-		touch($config_dir.'/header_checks');
-		touch($config_dir.'/mime_header_checks');
-		touch($config_dir.'/nested_header_checks');
-		touch($config_dir.'/body_checks');
-
-		//* Create the mailman files
-		if(!is_dir('/var/lib/mailman/data')) exec('mkdir -p /var/lib/mailman/data');
-		//if(!is_file('/var/lib/mailman/data/aliases')) touch('/var/lib/mailman/data/aliases');
-		if(is_file('/var/lib/mailman/data/aliases')) unlink('/var/lib/mailman/data/aliases');
-		if(!is_link('/var/lib/mailman/data/aliases')) symlink('/etc/mailman/aliases', '/var/lib/mailman/data/aliases');
-		if(!is_dir('/etc/mailman')) mkdir('/etc/mailman');
-		if(!is_file('/etc/mailman/aliases')) touch('/etc/mailman/aliases');
-		exec('postalias /var/lib/mailman/data/aliases');
-		if(!is_file('/etc/mailman/virtual-mailman')) touch('/etc/mailman/virtual-mailman');
-		exec('postmap /etc/mailman/virtual-mailman');
-		if(!is_file('/var/lib/mailman/data/transport-mailman')) touch('/var/lib/mailman/data/transport-mailman');
-		exec('/usr/sbin/postmap /var/lib/mailman/data/transport-mailman');
-
-		//* Create auxillary postfix conf files
-		$configfile = 'helo_access';
-		if(is_file($config_dir.'/'.$configfile)) {
-			copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~');
-			chmod($config_dir.'/'.$configfile.'~', 0400);
-		}
-		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
-		$content = strtr($content, $postconf_placeholders);
-		# todo: look up this server's ip addrs and loop through each
-		# todo: look up domains hosted on this server and loop through each
-		wf($config_dir.'/'.$configfile, $content);
-
-		$configfile = 'blacklist_helo';
-		if(is_file($config_dir.'/'.$configfile)) {
-			copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~');
-			chmod($config_dir.'/'.$configfile.'~', 0400);
-		}
-		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
-		$content = strtr($content, $postconf_placeholders);
-		wf($config_dir.'/'.$configfile, $content);
-
-		//* Make a backup copy of the main.cf file
-		copy($config_dir.'/main.cf', $config_dir.'/main.cf~');
-
-		//* Executing the postconf commands
-		foreach($postconf_commands as $cmd) {
-			$command = "postconf -e '$cmd'";
-			caselog($command." &> /dev/null", __FILE__, __LINE__, 'EXECUTED: '.$command, 'Failed to execute the command '.$command);
-		}
-
-		if(!stristr($options, 'dont-create-certs')) {
-			//* Create the SSL certificate
-			if(AUTOINSTALL){
-				$command = 'cd '.$config_dir.'; '
-					."openssl req -new -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -outform PEM -out smtpd.cert -newkey rsa:4096 -nodes -keyout smtpd.key -keyform PEM -days 3650 -x509";
-			} else {
-				$command = 'cd '.$config_dir.'; '
-					.'openssl req -new -outform PEM -out smtpd.cert -newkey rsa:4096 -nodes -keyout smtpd.key -keyform PEM -days 3650 -x509';
-			}
-			exec($command);
-
-			$command = 'chmod o= '.$config_dir.'/smtpd.key';
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, 'EXECUTED: '.$command, 'Failed to execute the command '.$command);
-		}
-
-		//** We have to change the permissions of the courier authdaemon directory to make it accessible for maildrop.
-		$command = 'chmod 755 /var/spool/authdaemon';
-		caselog($command.' &> /dev/null', __FILE__, __LINE__, 'EXECUTED: '.$command, 'Failed to execute the command '.$command);
-
-		//* Changing maildrop lines in posfix master.cf
-		if(is_file($config_dir.'/master.cf')){
-			copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
-		}
-		if(is_file($config_dir.'/master.cf~')){
-			exec('chmod 400 '.$config_dir.'/master.cf~');
-		}
-		$configfile = $config_dir.'/master.cf';
-		$content = rf($configfile);
-		// if postfix package is from fedora or centios main repo
-		$content = str_replace('#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}',
-			'  flags=DRhu user='.$cf['vmail_username'].' argv=/usr/bin/maildrop -d ${recipient} ${extension} ${recipient} ${user} ${nexthop} ${sender}',
-			$content);
-
-		// If postfix package is from centos plus repo
-		$content = str_replace('#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}',
-			'  flags=DRhu user='.$cf['vmail_username'].' argv=/usr/bin/maildrop -d ${recipient} ${extension} ${recipient} ${user} ${nexthop} ${sender}',
-			$content);
-
-		$content = str_replace('  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}',
-			'  flags=DRhu user='.$cf['vmail_username'].' argv=/usr/bin/maildrop -d ${recipient} ${extension} ${recipient} ${user} ${nexthop} ${sender}',
-			$content);
-
-
-		$content = str_replace('#maildrop  unix  -       n       n       -       -       pipe',
-			'maildrop  unix  -       n       n       -       -       pipe',
-			$content);
-
-		wf($configfile, $content);
-
-		//* Writing the Maildrop mailfilter file
-		$configfile = 'mailfilter';
-		if(is_file($cf['vmail_mailbox_base'].'/.'.$configfile)){
-			copy($cf['vmail_mailbox_base'].'/.'.$configfile, $cf['vmail_mailbox_base'].'/.'.$configfile.'~');
-		}
-		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', "tpl/$configfile.master");
-		$content = str_replace('{dist_postfix_vmail_mailbox_base}', $cf['vmail_mailbox_base'], $content);
-		wf($cf['vmail_mailbox_base'].'/.'.$configfile, $content);
-
-		//* Create the directory for the custom mailfilters
-		$command = 'mkdir '.$cf['vmail_mailbox_base'].'/mailfilters';
-		caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
-		//* Chmod and chown the .mailfilter file
-		$command = 'chown -R '.$cf['vmail_username'].':'.$cf['vmail_groupname'].' '.$cf['vmail_mailbox_base'].'/.mailfilter';
-		caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
-		$command = 'chmod -R 600 '.$cf['vmail_mailbox_base'].'/.mailfilter';
-		caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
-	}
-
 	public function configure_saslauthd() {
 		global $conf;
 
@@ -420,7 +144,7 @@ class installer_dist extends installer_base {
 			if(is_file($config_dir.'/master.cf')){
 				copy($config_dir.'/master.cf', $config_dir.'/master.cf~2');
 			}
-			if(is_file($config_dir.'/master.cf~')){
+			if(is_file($config_dir.'/master.cf~2')){
 				chmod($config_dir.'/master.cf~2', 0400);
 			}
 			//* Configure master.cf and add a line for deliver
@@ -606,31 +330,28 @@ class installer_dist extends installer_base {
 
 		$config_dir = $conf['postfix']['config_dir'];
 
-		// Adding amavis-services to the master.cf file if the service does not already exists
-		$add_amavis = !$this->get_postfix_service('amavis','unix');
-		$add_amavis_10025 = !$this->get_postfix_service('127.0.0.1:10025','inet');
-		$add_amavis_10027 = !$this->get_postfix_service('127.0.0.1:10027','inet');
-
-		if ($add_amavis || $add_amavis_10025 || $add_amavis_10027) {
-			//* backup master.cf
-			if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
-			// adjust amavis-config
-			if($add_amavis) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10025) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10027) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-		}
+		// Adding amavis-services to the master.cf file
+
+		// backup master.cf
+		if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
+
+		// first remove the old service definitions
+		$this->remove_postfix_service('amavis','unix');
+		$this->remove_postfix_service('127.0.0.1:10025','inet');
+		$this->remove_postfix_service('127.0.0.1:10027','inet');
+
+		// then add them back
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
+
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
+
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
 
 		removeLine('/etc/sysconfig/freshclam', 'FRESHCLAM_DELAY=disabled-warn   # REMOVE ME', 1);
 		replaceLine('/etc/freshclam.conf', 'Example', '# Example', 1);
@@ -1132,6 +853,10 @@ class installer_dist extends installer_base {
 		$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
+		//* chown the extensions directory to the ispconfig user and group
+		$command = 'chown ispconfig:ispconfig '.$install_dir.'/extensions';
+		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
 		//* chown the server files to the root user and group
 		$command = 'chown -R root:root '.$install_dir.'/server';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
@@ -1227,8 +952,8 @@ class installer_dist extends installer_base {
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
@@ -1355,6 +1080,12 @@ class installer_dist extends installer_base {
 		if(!is_link('/usr/local/bin/ispconfig_update_from_dev.sh')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_update.sh /usr/local/bin/ispconfig_update_from_dev.sh');
 		if(!is_link('/usr/local/bin/ispconfig_update.sh')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_update.sh /usr/local/bin/ispconfig_update.sh');
 
+		// Install ISPConfig cli command
+		if(is_file('/usr/local/bin/ispc')) unlink('/usr/local/bin/ispc');
+		chown($install_dir.'/server/cli/ispc', 'root');
+		chmod($install_dir.'/server/cli/ispc', 0700);
+		symlink($install_dir.'/server/cli/ispc', '/usr/local/bin/ispc');
+
 		// set the fast cgi starter script to executable
 		// exec('chmod 755 '.$install_dir.'/interface/bin/php-fcgi');
 
@@ -1372,6 +1103,7 @@ class installer_dist extends installer_base {
 		//* Create the ispconfig log directory
 		if(!is_dir($conf['ispconfig_log_dir'])) mkdir($conf['ispconfig_log_dir']);
 		if(!is_file($conf['ispconfig_log_dir'].'/ispconfig.log')) exec('touch '.$conf['ispconfig_log_dir'].'/ispconfig.log');
+		chmod($conf['ispconfig_log_dir'].'/ispconfig.log', 0600);
 
 		if(is_user('getmail')) {
 			exec('mv /usr/local/ispconfig/server/scripts/run-getmail.sh /usr/local/bin/run-getmail.sh');

install/dist/lib/fedora32.lib.php

+<?php
+
+/*
+Copyright (c) 2014, Till Brehm, ISPConfig UG
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once realpath(dirname(__FILE__)) . '/centos_base.lib.php';
+
+class installer extends installer_centos {
+
+	protected $clamav_socket = '/var/run/clamd.amavisd/clamd.sock';
+	
+	// everything else is inherited from installer_centos class
+}
+
+?>

install/dist/lib/fedora33.lib.php

+<?php
+
+/*
+Copyright (c) 2014, Till Brehm, ISPConfig UG
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once realpath(dirname(__FILE__)) . '/centos_base.lib.php';
+
+class installer extends installer_centos {
+
+	protected $clamav_socket = '/var/run/clamd.amavisd/clamd.sock';
+	
+	// everything else is inherited from installer_centos class
+}
+
+?>

install/dist/lib/gentoo.lib.php

@@ -47,8 +47,7 @@ class installer extends installer_base
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 	}
 
-	public function configure_postfix($options = '')
-	{
+	public function configure_postfix($options = '') {
 		global $conf,$autoinstall;
 
 		$cf = $conf['postfix'];
@@ -57,35 +56,61 @@ class installer extends installer_base
 		if(!is_dir($config_dir)){
 			$this->error("The postfix configuration directory '$config_dir' does not exist.");
 		}
+    
+    //* Get postfix version
+		exec('postconf -d mail_version 2>&1', $out);
+		$postfix_version = preg_replace('/.*=\s*/', '', $out[0]);
+		unset($out);
 
 		//* Install virtual mappings
 		foreach (glob('tpl/mysql-virtual_*.master') as $filename) {
 			$this->process_postfix_config( basename($filename, '.master') );
 		}
 
+		//* mysql-verify_recipients.cf
+		$this->process_postfix_config('mysql-verify_recipients.cf');
+    
+    // test if lmtp if available
+		$configure_lmtp = $this->get_postfix_service('lmtp','unix');
+
+		//* postfix-dkim
+		$filename='tag_as_originating.re';
+		$full_file_name=$config_dir.'/'.$filename;
+		if(is_file($full_file_name)) copy($full_file_name, $full_file_name.'~');
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/postfix-'.$filename.'.master', 'tpl/postfix-'.$filename.'.master');
+		if($configure_lmtp) {
+			$content = preg_replace('/amavis:/', 'lmtp:', $content);
+		}
+		wf($full_file_name, $content);
+    
+    $filename='tag_as_foreign.re';
+		$full_file_name=$config_dir.'/'.$filename;
+		if(is_file($full_file_name)) copy($full_file_name, $full_file_name.'~');
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/postfix-'.$filename.'.master', 'tpl/postfix-'.$filename.'.master');
+		if($configure_lmtp) {
+			$content = preg_replace('/amavis:/', 'lmtp:', $content);
+		}
+		wf($full_file_name, $content);    
+    
 		//* Changing mode and group of the new created config files.
-		caselog('chmod o= '.$config_dir.'/mysql-virtual_*.cf* &> /dev/null',
+		/*caselog('chmod o= '.$config_dir.'/mysql-virtual_*.cf* &> /dev/null',
 			__FILE__, __LINE__, 'chmod on mysql-virtual_*.cf*', 'chmod on mysql-virtual_*.cf* failed');
 		caselog('chgrp '.$cf['group'].' '.$config_dir.'/mysql-virtual_*.cf* &> /dev/null',
-			__FILE__, __LINE__, 'chgrp on mysql-virtual_*.cf*', 'chgrp on mysql-virtual_*.cf* failed');
+			__FILE__, __LINE__, 'chgrp on mysql-virtual_*.cf*', 'chgrp on mysql-virtual_*.cf* failed');*/
 
 		//* Creating virtual mail user and group
 		$command = 'groupadd -g '.$cf['vmail_groupid'].' '.$cf['vmail_groupname'];
-		if (!is_group($cf['vmail_groupname'])) {
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-		}
+		if(!is_group($cf['vmail_groupname'])) caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		$command = 'useradd -g '.$cf['vmail_groupname'].' -u '.$cf['vmail_userid'].' '.$cf['vmail_username'].' -d '.$cf['vmail_mailbox_base'].' -m';
-		if (!is_user($cf['vmail_username'])) {
-			caselog("$command &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-		}
+		if(!is_user($cf['vmail_username'])) caselog("$command &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		//* These postconf commands will be executed on installation and update
 		$server_ini_rec = $this->db->queryOneRecord("SELECT config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"].'.server', $conf['server_id']);
 		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
 		unset($server_ini_rec);
 
-		//* If there are RBL's defined, format the list and add them to smtp_recipient_restrictions to prevent removeal after an update
+    //* If there are RBL's defined, format the list and add them to smtp_recipient_restrictions to prevent removal after an update
 		$rbl_list = '';
 		if (@isset($server_ini_array['mail']['realtime_blackhole_list']) && $server_ini_array['mail']['realtime_blackhole_list'] != '') {
 			$rbl_hosts = explode(",", str_replace(" ", "", $server_ini_array['mail']['realtime_blackhole_list']));
@@ -104,7 +129,7 @@ class installer extends installer_base
 		$reject_sender_login_mismatch = '';
 		$reject_authenticated_sender_login_mismatch = '';
 		if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
-			$reject_sender_login_mismatch = ', reject_sender_login_mismatch';
+      $reject_sender_login_mismatch = ',reject_sender_login_mismatch,';
 			$reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, ';
 		}
 
@@ -142,7 +167,42 @@ class installer extends installer_base
 		$postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/gentoo_postfix.conf.master', 'tpl/gentoo_postfix.conf.master');
 		$postconf_tpl = strtr($postconf_tpl, $postconf_placeholders);
 		$postconf_commands = array_filter(explode("\n", $postconf_tpl)); // read and remove empty lines
-
+        
+    //* Merge version-specific postfix config
+		if(version_compare($postfix_version , '2.5', '>=')) {
+		    $configfile = 'postfix_2-5.conf';
+		    $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
+		    $content = strtr($content, $postconf_placeholders);
+		    $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content)));
+		}
+		if(version_compare($postfix_version , '2.10', '>=')) {
+		    $configfile = 'postfix_2-10.conf';
+		    $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
+		    $content = strtr($content, $postconf_placeholders);
+		    $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content)));
+		}
+		if(version_compare($postfix_version , '3.0', '>=')) {
+		    $configfile = 'postfix_3-0.conf';
+		    $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
+		    $content = strtr($content, $postconf_placeholders);
+		    $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content)));
+		}
+		if(version_compare($postfix_version , '3.3', '>=')) {
+		    $configfile = 'postfix_3-3.conf';
+		    $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
+		    $content = strtr($content, $postconf_placeholders);
+		    $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content)));
+		}
+		$configfile = 'postfix_custom.conf';
+		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/' . $configfile . '.master')) {
+			$content = file_get_contents($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master');
+			$content = strtr($content, $postconf_placeholders);
+			$postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content)));
+		}
+
+		// Remove comment lines, these would give fatal errors when passed to postconf.
+		$postconf_commands = array_filter($postconf_commands, function($line) { return preg_match('/^[^#]/', $line); });
+    
 		//* These postconf commands will be executed on installation only
 		if($this->is_update == false) {
 			$postconf_commands = array_merge($postconf_commands, array(
@@ -157,6 +217,16 @@ class installer extends installer_base
 		touch($config_dir.'/mime_header_checks');
 		touch($config_dir.'/nested_header_checks');
 		touch($config_dir.'/body_checks');
+		touch($config_dir.'/sasl_passwd');
+    
+    //* Create the mailman files
+		if(!is_dir('/var/lib/mailman/data')) exec('mkdir -p /var/lib/mailman/data');
+		if(!is_file('/var/lib/mailman/data/aliases')) touch('/var/lib/mailman/data/aliases');
+		exec('postalias /var/lib/mailman/data/aliases');
+		if(!is_file('/var/lib/mailman/data/virtual-mailman')) touch('/var/lib/mailman/data/virtual-mailman');
+		exec('postmap /var/lib/mailman/data/virtual-mailman');
+		if(!is_file('/var/lib/mailman/data/transport-mailman')) touch('/var/lib/mailman/data/transport-mailman');
+		exec('/usr/sbin/postmap /var/lib/mailman/data/transport-mailman');
 
 		//* Create auxillary postfix conf files
 		$configfile = 'helo_access';
@@ -185,13 +255,13 @@ class installer extends installer_base
 		//* Executing the postconf commands
 		foreach($postconf_commands as $cmd) {
 			$command = "postconf -e '$cmd'";
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, 'EXECUTED: '.$command, 'Failed to execute the command '.$command);
+      swriteln($command);
+      caselog($command." &> /dev/null", __FILE__, __LINE__, 'EXECUTED: '.$command, 'Failed to execute the command '.$command);
 		}
-
-		//* Create the SSL certificate
-		if (!stristr($options, 'dont-create-certs'))
-		{
-			if(AUTOINSTALL){
+		
+		if (!stristr($options, 'dont-create-certs')){
+			//* Create the SSL certificate
+      if(AUTOINSTALL){
 				$command = 'cd '.$config_dir.'; '
 					."openssl req -new -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -outform PEM -out smtpd.cert -newkey rsa:4096 -nodes -keyout smtpd.key -keyform PEM -days 3650 -x509";
 			} else {
@@ -204,58 +274,59 @@ class installer extends installer_base
 			caselog($command.' &> /dev/null', __FILE__, __LINE__, 'EXECUTED: '.$command, 'Failed to execute the command '.$command);
 		}
 
-		//* We have to change the permissions of the courier authdaemon directory to make it accessible for maildrop.
-		$command = 'chmod 755  /var/lib/courier/authdaemon/';
-		if (is_dir('/var/lib/courier/authdaemon')) {
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, 'EXECUTED: '.$command, 'Failed to execute the command '.$command);
-		}
+		//** We have to change the permissions of the courier authdaemon directory to make it accessible for maildrop.
+		$command = 'chmod 755  /var/run/courier/authdaemon/';
+		if(is_file('/var/run/courier/authdaemon/')) caselog($command.' &> /dev/null', __FILE__, __LINE__, 'EXECUTED: '.$command, 'Failed to execute the command '.$command);
 
-		//* Changing maildrop lines in posfix master.cf
+		//* Check maildrop service in posfix master.cf
+		$quoted_regex = '^maildrop   unix.*pipe flags=DRhu user=vmail '.preg_quote('argv=/usr/bin/maildrop -d '.$cf['vmail_username'].' ${extension} ${recipient} ${user} ${nexthop} ${sender}', '/');
 		$configfile = $config_dir.'/master.cf';
-		$content = rf($configfile);
-
-		$content = preg_replace('/^#?maildrop/m', 'maildrop', $content);
-		$content = preg_replace('/^#?(\s+)flags=DRhu user=vmail argv=\/usr\/bin\/maildrop -d/m',
-			'$1flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail \${extension} \${recipient} \${user} \${nexthop} \${sender}',
-			$content);
-
-		$this->write_config_file($configfile, $content);
-
-		//* Writing the Maildrop mailfilter file
-		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/mailfilter.master', 'tpl/mailfilter.master');
+		if($this->get_postfix_service('maildrop', 'unix')) {
+			exec ("postconf -M maildrop.unix 2> /dev/null", $out, $ret);
+			$change_maildrop_flags = @(preg_match("/$quoted_regex/", $out[0]) && $out[0] !='')?false:true;
+		} else {
+			$change_maildrop_flags = @(preg_match("/$quoted_regex/", $configfile))?false:true;
+		}
+		if ($change_maildrop_flags) {
+			//* Change maildrop service in posfix master.cf
+			if(is_file($config_dir.'/master.cf')) {
+				copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
+			}
+			if(is_file($config_dir.'/master.cf~')) {
+				chmod($config_dir.'/master.cf~', 0400);
+ 			}
+			$configfile = $config_dir.'/master.cf';
+			$content = rf($configfile);
+			$content =	str_replace('flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}',
+						'flags=DRhu user='.$cf['vmail_username'].' argv=/usr/bin/maildrop -d '.$cf['vmail_username'].' ${extension} ${recipient} ${user} ${nexthop} ${sender}',
+						$content);
+			wf($configfile, $content);
+		}
+    
+    //* Writing the Maildrop mailfilter file
+		$configfile = 'mailfilter';
+		if(is_file($cf['vmail_mailbox_base'].'/.'.$configfile)) {
+			copy($cf['vmail_mailbox_base'].'/.'.$configfile, $cf['vmail_mailbox_base'].'/.'.$configfile.'~');
+		}
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
 		$content = str_replace('{dist_postfix_vmail_mailbox_base}', $cf['vmail_mailbox_base'], $content);
-
-		$this->write_config_file($cf['vmail_mailbox_base'].'/.mailfilter', $content);
+		wf($cf['vmail_mailbox_base'].'/.'.$configfile, $content);     
 
 		//* Create the directory for the custom mailfilters
-		if (!is_dir($cf['vmail_mailbox_base'].'/mailfilters'))
-		{
+		if(!is_dir($cf['vmail_mailbox_base'].'/mailfilters')) {
 			$command = 'mkdir '.$cf['vmail_mailbox_base'].'/mailfilters';
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-		}
-
-		//* postfix-dkim
-		$filename='tag_as_originating.re';
-		$full_file_name=$config_dir.'/'.$filename;
-		if(is_file($full_file_name)) copy($full_file_name, $full_file_name.'~');
-		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/postfix-'.$filename.'.master', 'tpl/postfix-'.$filename.'.master');
-		wf($full_file_name, $content);
-
-		$filename='tag_as_foreign.re';
-		$full_file_name=$config_dir.'/'.$filename;
-		if(is_file($full_file_name)) copy($full_file_name, $full_file_name.'~');
-		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/postfix-'.$filename.'.master', 'tpl/postfix-'.$filename.'.master');
-		wf($full_file_name, $content);
+			caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+		}	
 
 		//* Chmod and chown the .mailfilter file
-		$command = 'chown -R '.$cf['vmail_username'].':'.$cf['vmail_groupname'].' '.$cf['vmail_mailbox_base'].'/.mailfilter';
+		$command = 'chown '.$cf['vmail_username'].':'.$cf['vmail_groupname'].' '.$cf['vmail_mailbox_base'].'/.mailfilter';
 		caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
-		$command = 'chmod -R 600 '.$cf['vmail_mailbox_base'].'/.mailfilter';
+		$command = 'chmod 600 '.$cf['vmail_mailbox_base'].'/.mailfilter';
 		caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 	}
-
+  
 	public function configure_saslauthd()
 	{
 		global $conf;
@@ -293,17 +364,21 @@ class installer extends installer_base
 		caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 	}
 
-	public function configure_dovecot()
-	{
+	public function configure_dovecot() {
 		global $conf;
 
 		$virtual_transport = 'dovecot';
 
 		$configure_lmtp = false;
 
+		// use lmtp if installed
+		if($configure_lmtp = (is_file('/usr/lib/dovecot/lmtp') || is_file('/usr/libexec/dovecot/lmtp'))) {
+			$virtual_transport = 'lmtp:unix:private/dovecot-lmtp';
+		}
+
 		// check if virtual_transport must be changed
 		if ($this->is_update) {
-			$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"].".server", $conf['server_id']);
+			$tmp = $this->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . ".server", $conf['server_id']);
 			$ini_array = ini_to_array(stripslashes($tmp['config']));
 			// ini_array needs not to be checked, because already done in update.php -> updateDbAndIni()
 
@@ -314,25 +389,29 @@ class installer extends installer_base
 		}
 
 		$config_dir = $conf['postfix']['config_dir'];
+		$quoted_config_dir = preg_quote($config_dir, '|');
+		$postfix_version = `postconf -d mail_version 2>/dev/null`;
+		$postfix_version = preg_replace( '/mail_version\s*=\s*(.*)\s*/', '$1', $postfix_version );
 
 		//* Configure master.cf and add a line for deliver
 		if(!$this->get_postfix_service('dovecot', 'unix')) {
-			//* backup
+ 			//* backup
 			if(is_file($config_dir.'/master.cf')){
 				copy($config_dir.'/master.cf', $config_dir.'/master.cf~2');
 			}
-			if(is_file($config_dir.'/master.cf~')){
+			if(is_file($config_dir.'/master.cf~2')){
 				chmod($config_dir.'/master.cf~2', 0400);
 			}
 			//* Configure master.cf and add a line for deliver
-			$content = rf($conf["postfix"]["config_dir"].'/master.cf');
-			$deliver_content = 'dovecot   unix  -       n       n       -       -       pipe'."\n".'  flags=DROhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}'."\n";
+			$content = rf($config_dir.'/master.cf');
+			$deliver_content = 'dovecot   unix  -       n       n       -       -       pipe'."\n".'  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}'."\n";
 			af($config_dir.'/master.cf', $deliver_content);
 			unset($content);
 			unset($deliver_content);
 		}
 
 		//* Reconfigure postfix to use dovecot authentication
+		// Adding the amavisd commands to the postfix configuration
 		$postconf_commands = array (
 			'dovecot_destination_recipient_limit = 1',
 			'virtual_transport = '.$virtual_transport,
@@ -340,25 +419,44 @@ class installer extends installer_base
 			'smtpd_sasl_path = private/auth'
 		);
 
-		//* Make a backup copy of the main.cf file
-		copy($conf['postfix']['config_dir'].'/main.cf', $conf['postfix']['config_dir'].'/main.cf~3');
+		// Make a backup copy of the main.cf file
+		copy($config_dir.'/main.cf', $config_dir.'/main.cf~3');
 
-		//* Executing the postconf commands
-		foreach($postconf_commands as $cmd)
-		{
+		$options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions"));
+		$new_options = array();
+		foreach ($options as $value) {
+			$value = trim($value);
+			if ($value == '') continue;
+      if (preg_match("|check_recipient_access\s+proxy:mysql:{$quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
+				continue;
+			}
+			$new_options[] = $value;
+		}
+    if ($configure_lmtp && (!isset($conf['mail']['content_filter']) || $conf['mail']['content_filter'] === 'amavisd')) {
+			for ($i = 0; isset($new_options[$i]); $i++) {
+				if ($new_options[$i] == 'reject_unlisted_recipient') {
+          array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:{$config_dir}/mysql-verify_recipients.cf"));
+					break;
+				}
+			}
+			# postfix < 3.3 needs this when using reject_unverified_recipient:
+			if(version_compare($postfix_version, 3.3, '<')) {
+				$postconf_commands[] = "enable_original_recipient = yes";
+			}
+		}
+		$postconf_commands[] = "smtpd_recipient_restrictions = ".implode(", ", $new_options);
+
+		// Executing the postconf commands
+		foreach($postconf_commands as $cmd) {
 			$command = "postconf -e '$cmd'";
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+			caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 		}
 
+		//* backup dovecot.conf
 		$config_dir = $conf['dovecot']['config_dir'];
-		//* copy dovecot.conf
-		$configfile = $config_dir.'/dovecot.conf';
-		$content = $this->get_template_file('dovecot.conf', true);
-		$this->write_config_file($configfile, $content);
-
-		//* dovecot-lmtpd
-		if($configure_lmtp) {
-			replaceLine($config_dir.'/'.$configfile, 'protocols = imap pop3', 'protocols = imap pop3 lmtp', 1, 0);
+		$configfile = 'dovecot.conf';
+		if(is_file($config_dir.'/'.$configfile)) {
+			copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~');
 		}
 
 		//* Get the dovecot version
@@ -366,15 +464,118 @@ class installer extends installer_base
 		$dovecot_version = $tmp[0];
 		unset($tmp);
 
+		//* Copy dovecot configuration file
+		if(version_compare($dovecot_version,1, '<=')) {	//* Dovecot 1.x
+			if(is_file($conf['ispconfig_install_dir'].'/server/conf-custom/install/gentoo_dovecot.conf.master')) {
+				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/gentoo_dovecot.conf.master', $config_dir.'/'.$configfile);
+			} else {
+				copy('dist/tpl/gentoo/dovecot.conf.master', $config_dir.'/'.$configfile);
+			}
+		} else {	//* Dovecot 2.x
+			if(is_file($conf['ispconfig_install_dir'].'/server/conf-custom/install/gentoo_dovecot2.conf.master')) {
+				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/gentoo_dovecot2.conf.master', $config_dir.'/'.$configfile);
+			} else {
+				copy('dist/tpl/gentoo/dovecot2.conf.master', $config_dir.'/'.$configfile);
+			}
+			// Copy custom config file
+			if(is_file($conf['ispconfig_install_dir'].'/server/conf-custom/install/dovecot_custom.conf.master')) {
+				if(!@is_dir($config_dir . '/conf.d')) {
+					mkdir($config_dir . '/conf.d');
+				}
+				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/dovecot_custom.conf.master', $config_dir.'/conf.d/99-ispconfig-custom-config.conf');
+			}
+			replaceLine($config_dir.'/'.$configfile, 'postmaster_address = postmaster@example.com', 'postmaster_address = postmaster@'.$conf['hostname'], 1, 0);
+			replaceLine($config_dir.'/'.$configfile, 'postmaster_address = webmaster@localhost', 'postmaster_address = postmaster@'.$conf['hostname'], 1, 0);
+			if(version_compare($dovecot_version, 2.1, '<')) {
+				removeLine($config_dir.'/'.$configfile, 'ssl_protocols =');
+			}
+			if(version_compare($dovecot_version,2.2) >= 0) {
+				// Dovecot > 2.2 does not recognize !SSLv2 anymore on Debian 9
+				$content = file_get_contents($config_dir.'/'.$configfile);
+				$content = str_replace('!SSLv2','',$content);
+				file_put_contents($config_dir.'/'.$configfile,$content);
+				unset($content);
+			}
+			if(version_compare($dovecot_version,2.3) >= 0) {
+				// Remove deprecated setting(s)
+				removeLine($config_dir.'/'.$configfile, 'ssl_protocols =');
+
+				// Check if we have a dhparams file and if not, create it
+				if(!file_exists('/etc/dovecot/dh.pem')) {
+					// Create symlink to ISPConfig dhparam file
+					swriteln('Creating symlink /etc/dovecot/dh.pem to ISPConfig DHParam file.');
+					symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', '/etc/dovecot/dh.pem');
+          
+          /*
+          swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
+					if(file_exists('/var/lib/dovecot/ssl-parameters.dat')) {
+						// convert existing ssl parameters file
+						$command = 'dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem';
+						caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+					} else {
+						
+						   //Create a new dhparams file. We use 2048 bit only as it simply takes too long
+						   //on smaller systems to generate a 4096 bit dh file (> 30 minutes). If you need
+						  // a 4096 bit file, create it manually before you install ISPConfig
+						
+						$command = 'openssl dhparam -out /etc/dovecot/dh.pem 2048';
+						caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+					}
+          */
+				}
+				//remove #2.3+ comment
+				$content = file_get_contents($config_dir.'/'.$configfile);
+				$content = str_replace('#2.3+ ','',$content);
+				file_put_contents($config_dir.'/'.$configfile,$content);
+				unset($content);
+
+			} else {
+				// remove settings which are not supported in Dovecot < 2.3
+				removeLine($config_dir.'/'.$configfile, 'ssl_min_protocol =');
+				removeLine($config_dir.'/'.$configfile, 'ssl_dh =');
+			}
+		}
+
+		$dovecot_protocols = 'imap pop3';
+
+		//* dovecot-lmtpd
+		if($configure_lmtp) {
+			$dovecot_protocols .= ' lmtp';
+		}
+
+		//* dovecot-managesieved
+		if(is_file('/usr/lib/dovecot/managesieve') || is_file('/usr/libexec/dovecot/managesieve')) {
+			$dovecot_protocols .= ' sieve';
+		}
+
+		replaceLine($config_dir.'/'.$configfile, 'protocols = imap pop3', "protocols = $dovecot_protocols", 1, 0);
+
 		//* dovecot-sql.conf
-		$configfile = $config_dir.'/dovecot-sql.conf';
-		$content = $this->get_template_file('debian_dovecot-sql.conf', true, true);
+		$configfile = 'dovecot-sql.conf';
+		if(is_file($config_dir.'/'.$configfile)) {
+			copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~');
+		}
+		if(is_file($config_dir.'/'.$configfile.'~')) chmod($config_dir.'/'.$configfile.'~', 0400);
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian_dovecot-sql.conf.master', 'tpl/debian_dovecot-sql.conf.master');
+		$content = str_replace('{mysql_server_ispconfig_user}', $conf['mysql']['ispconfig_user'], $content);
+		$content = str_replace('{mysql_server_ispconfig_password}', $conf['mysql']['ispconfig_password'], $content);
+		$content = str_replace('{mysql_server_database}', $conf['mysql']['database'], $content);
+		$content = str_replace('{mysql_server_host}', $conf['mysql']['host'], $content);
+		$content = str_replace('{mysql_server_port}', $conf['mysql']['port'], $content);
+		$content = str_replace('{server_id}', $conf['server_id'], $content);
 		# enable iterate_query for dovecot2
 		if(version_compare($dovecot_version,2, '>=')) {
 			$content = str_replace('# iterate_query', 'iterate_query', $content);
 		}
-		$content = str_replace('{server_id}', $conf['server_id'], $content);
-		$this->write_config_file($configfile, $content);
+		wf($config_dir.'/'.$configfile, $content);
+
+		chmod($config_dir.'/'.$configfile, 0600);
+		chown($config_dir.'/'.$configfile, 'root');
+		chgrp($config_dir.'/'.$configfile, 'root');
+
+		// Dovecot shall ignore mounts in website directory
+		if(is_installed('doveadm')) exec("doveadm mount add '/var/www/*' ignore > /dev/null 2> /dev/null");
+
 	}
 
 	public function configure_spamassassin()
@@ -440,31 +641,28 @@ class installer extends installer_base
 
 		$config_dir = $conf['postfix']['config_dir'];
 
-		// Adding amavis-services to the master.cf file if the service does not already exists
-		$add_amavis = !$this->get_postfix_service('amavis','unix');
-		$add_amavis_10025 = !$this->get_postfix_service('127.0.0.1:10025','inet');
-		$add_amavis_10027 = !$this->get_postfix_service('127.0.0.1:10027','inet');
-
-		if ($add_amavis || $add_amavis_10025 || $add_amavis_10027) {
-			//* backup master.cf
-			if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
-			// adjust amavis-config
-			if($add_amavis) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10025) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10027) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-		}
+		// Adding amavis-services to the master.cf file
+
+		// backup master.cf
+		if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
+
+		// first remove the old service definitions
+		$this->remove_postfix_service('amavis','unix');
+		$this->remove_postfix_service('127.0.0.1:10025','inet');
+		$this->remove_postfix_service('127.0.0.1:10027','inet');
+
+		// then add them back
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
+
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
+
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
 
 		//* Add the clamav user to the amavis group
 		exec('usermod -a -G amavis clamav');
@@ -505,9 +703,45 @@ class installer extends installer_base
 		 */
 
 
-		$content = preg_replace('/MISC_OTHER="[^"]+"/', 'MISC_OTHER="-b -A -E -Z -D -H -O clf:'.$logdir.'/transfer.log"', $content);
+		 //* Enable TLS if certificate file exists
+		 $enable_tls = '';
+		 if(file_exists('/etc/ssl/private/pure-ftpd.pem')) {
+			 $enable_tls = ' -Y 1';
+		 }
+
+		 $content = preg_replace('/MISC_OTHER="[^"]+"/', 'MISC_OTHER="-b -A -E -Z -D -H -O clf:'.$logdir.'/transfer.log'.$enable_tls.'"', $content);
 
 		$this->write_config_file($conf['pureftpd']['config_file'], $content);
+    
+    //* Since version 1.0.50: Configuration through /etc/conf.d/pure-ftpd is now deprecated!    
+    exec("/usr/sbin/pure-ftpd --help | head -1",$out);
+    if(preg_match("#v([0-9\.]+)\s#",$out[0],$matches)){
+      $pureftpd_version = $matches[1];
+      
+      if(version_compare($pureftpd_version, '1.0.50', '>=')) { 
+        $configfile = $conf['pureftpd']['main_config_file'];
+    		if(is_file($configfile)) {
+    			copy($configfile, $configfile.'~');
+    		}
+    		
+        $content = rf($configfile);
+        $content = preg_replace('/BrokenClientsCompatibility\s+(yes|no)/', 'BrokenClientsCompatibility   yes', $content);
+        $content = preg_replace('/ChrootEveryone\s+(yes|no)/', 'ChrootEveryone               yes', $content);
+        $content = preg_replace('/NoAnonymous\s+(yes|no)/', 'NoAnonymous                  yes', $content);
+        $content = preg_replace('/#? AltLog\s+clf.*\s/', 'AltLog                       clf:/var/log/pureftpd.log', $content);
+        $content = preg_replace('/CustomerProof\s+(yes|no)/', 'CustomerProof                yes', $content);
+        $content = preg_replace('/DisplayDotFiles\s+(yes|no)/', 'DisplayDotFiles              yes', $content);
+        $content = preg_replace('/DontResolve\s+(yes|no)/', 'DontResolve                  yes', $content);
+        $content = preg_replace('/#? MySQLConfigFile\s+\/.*\s/', 'MySQLConfigFile              ' . $conf['pureftpd']['mysql_config_file'], $content);
+        
+        if(file_exists('/etc/ssl/private/pure-ftpd.pem')) {
+          $content = preg_replace('/(#?) TLS\s+(0|1)/', 'TLS                          1', $content);
+        }
+        
+        wf($configfile, $content);
+      }
+    }
+    
 	}
 
 	public function configure_powerdns()
@@ -527,10 +761,10 @@ class installer extends installer_base
 
 		//* load the powerdns databse dump
 		if($conf['mysql']['admin_password'] == '') {
-			caselog("mysql --default-character-set=".$conf['mysql']['charset']." -h '".$conf['mysql']['host']."' -u '".$conf['mysql']['admin_user']."' '".$conf['powerdns']['database']."' < '".ISPC_INSTALL_ROOT."/install/sql/powerdns.sql' &> /dev/null",
+			caselog("mysql --default-character-set=".$conf['mysql']['charset']." -h '".$conf['mysql']['host']."' -u '".$conf['mysql']['admin_user']."' --force '".$conf['powerdns']['database']."' < '".ISPC_INSTALL_ROOT."/install/sql/powerdns.sql' &> /dev/null",
 				__FILE__, __LINE__, 'read in ispconfig3.sql', 'could not read in powerdns.sql');
 		} else {
-			caselog("mysql --default-character-set=".$conf['mysql']['charset']." -h '".$conf['mysql']['host']."' -u '".$conf['mysql']['admin_user']."' -p'".$conf['mysql']['admin_password']."' '".$conf['powerdns']['database']."' < '".ISPC_INSTALL_ROOT."/install/sql/powerdns.sql' &> /dev/null",
+			caselog("mysql --default-character-set=".$conf['mysql']['charset']." -h '".$conf['mysql']['host']."' -u '".$conf['mysql']['admin_user']."' -p'".$conf['mysql']['admin_password']."' --force '".$conf['powerdns']['database']."' < '".ISPC_INSTALL_ROOT."/install/sql/powerdns.sql' &> /dev/null",
 				__FILE__, __LINE__, 'read in ispconfig3.sql', 'could not read in powerdns.sql');
 		}
 
@@ -714,7 +948,8 @@ class installer extends installer_base
 				caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 			}
 
-			$command = 'adduser '.$conf['apache']['user'].' '.$apps_vhost_group;
+			//$command = 'adduser '.$conf['apache']['user'].' '.$apps_vhost_group;
+      $command = 'usermod -a -G '.$apps_vhost_group.' '.$conf['apache']['user'];
 			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 			if(!@is_dir($install_dir)){
@@ -774,7 +1009,8 @@ class installer extends installer_base
 			if(!is_user($apps_vhost_user)) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 
-			$command = 'adduser '.$conf['nginx']['user'].' '.$apps_vhost_group;
+			//$command = 'adduser '.$conf['nginx']['user'].' '.$apps_vhost_group;
+      $command = 'usermod -a -G '.$apps_vhost_group.' '.$conf['nginx']['user'];
 			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 			if(!@is_dir($install_dir)){
@@ -838,39 +1074,46 @@ class installer extends installer_base
 
 		}
 	}
+  
+  public function get_host_ips() {
+		$out = array();
+		exec("ip addr show | awk '/global/ { print $2 }' | cut -d '/' -f 1", $ret, $val);
+		if($val == 0) {
+			if(is_array($ret) && !empty($ret)){				
+				foreach($ret as $ip) {
+					$ip = trim($ip);
+          $out[] = $ip;
+				}
+			}
+		}
 
-	public function install_ispconfig()
-	{
+		return $out;
+	}
+  
+	public function install_ispconfig() {
 		global $conf;
 
 		$install_dir = $conf['ispconfig_install_dir'];
 
 		//* Create the ISPConfig installation directory
-		if(!is_dir($install_dir))
-		{
+		if(!@is_dir($install_dir)) {
 			$command = "mkdir $install_dir";
 			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 		}
 
 		//* Create a ISPConfig user and group
-		if (!is_group('ispconfig'))
-		{
-			$command = 'groupadd ispconfig';
-			caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-		}
+		$command = 'groupadd ispconfig';
+		if(!is_group('ispconfig')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
-		if (!is_user('ispconfig'))
-		{
-			$command = "useradd -g ispconfig -d $install_dir ispconfig";
-			caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-		}
+		$command = 'useradd -g ispconfig -d '.$install_dir.' ispconfig';
+		if(!is_user('ispconfig')) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		//* copy the ISPConfig interface part
-		$command = "cp -rf ../interface $install_dir";
+		$command = 'cp -rf ../interface '.$install_dir;
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		//* copy the ISPConfig server part
-		$command = "cp -rf ../server $install_dir";
+		$command = 'cp -rf ../server '.$install_dir;
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		//* Make a backup of the security settings
@@ -880,28 +1123,29 @@ class installer extends installer_base
 		$command = 'cp -rf ../security '.$install_dir;
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
-		//* Apply changed security_settings.ini values to new security_settings.ini file
-		if(is_file('/usr/local/ispconfig/security/security_settings.ini~')) {
-			$security_settings_old = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini~'));
-			$security_settings_new = ini_to_array(file_get_contents('/usr/local/ispconfig/security/security_settings.ini'));
-			if(is_array($security_settings_new) && is_array($security_settings_old)) {
-				foreach($security_settings_new as $section => $sval) {
-					if(is_array($sval)) {
-						foreach($sval as $key => $val) {
-							if(isset($security_settings_old[$section]) && isset($security_settings_old[$section][$key])) {
-								$security_settings_new[$section][$key] = $security_settings_old[$section][$key];
-							}
-						}
-					}
-				}
-				file_put_contents('/usr/local/ispconfig/security/security_settings.ini',array_to_ini($security_settings_new));
-			}
+		$configfile = 'security_settings.ini';
+		if(is_file($install_dir.'/security/'.$configfile)) {
+			copy($install_dir.'/security/'.$configfile, $install_dir.'/security/'.$configfile.'~');
 		}
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
+		wf($install_dir.'/security/'.$configfile, $content);
 
+		//* Create a symlink, so ISPConfig is accessible via web
+		// Replaced by a separate vhost definition for port 8080
+		// $command = "ln -s $install_dir/interface/web/ /var/www/ispconfig";
+		// caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		//* Create the config file for ISPConfig interface
 		$configfile = 'config.inc.php';
-		$content = $this->get_template_file($configfile, true, true); //* get contents & insert db cred
+		if(is_file($install_dir.'/interface/lib/'.$configfile)) {
+			copy($install_dir.'/interface/lib/'.$configfile, $install_dir.'/interface/lib/'.$configfile.'~');
+		}
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
+		$content = str_replace('{mysql_server_ispconfig_user}', $conf['mysql']['ispconfig_user'], $content);
+		$content = str_replace('{mysql_server_ispconfig_password}', $conf['mysql']['ispconfig_password'], $content);
+		$content = str_replace('{mysql_server_database}', $conf['mysql']['database'], $content);
+		$content = str_replace('{mysql_server_host}', $conf['mysql']['host'], $content);
+		$content = str_replace('{mysql_server_port}', $conf['mysql']['port'], $content);
 
 		$content = str_replace('{mysql_master_server_ispconfig_user}', $conf['mysql']['master_ispconfig_user'], $content);
 		$content = str_replace('{mysql_master_server_ispconfig_password}', $conf['mysql']['master_ispconfig_password'], $content);
@@ -916,10 +1160,34 @@ class installer extends installer_base
 		$content = str_replace('{theme}', $conf['theme'], $content);
 		$content = str_replace('{language_file_import_enabled}', ($conf['language_file_import_enabled'] == true)?'true':'false', $content);
 
-		$this->write_config_file("$install_dir/interface/lib/$configfile", $content);
+		wf($install_dir.'/interface/lib/'.$configfile, $content);
 
 		//* Create the config file for ISPConfig server
-		$this->write_config_file("$install_dir/server/lib/$configfile", $content);
+		$configfile = 'config.inc.php';
+		if(is_file($install_dir.'/server/lib/'.$configfile)) {
+			copy($install_dir.'/server/lib/'.$configfile, $install_dir.'/interface/lib/'.$configfile.'~');
+		}
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
+		$content = str_replace('{mysql_server_ispconfig_user}', $conf['mysql']['ispconfig_user'], $content);
+		$content = str_replace('{mysql_server_ispconfig_password}', $conf['mysql']['ispconfig_password'], $content);
+		$content = str_replace('{mysql_server_database}', $conf['mysql']['database'], $content);
+		$content = str_replace('{mysql_server_host}', $conf['mysql']['host'], $content);
+		$content = str_replace('{mysql_server_port}', $conf['mysql']['port'], $content);
+
+		$content = str_replace('{mysql_master_server_ispconfig_user}', $conf['mysql']['master_ispconfig_user'], $content);
+		$content = str_replace('{mysql_master_server_ispconfig_password}', $conf['mysql']['master_ispconfig_password'], $content);
+		$content = str_replace('{mysql_master_server_database}', $conf['mysql']['master_database'], $content);
+		$content = str_replace('{mysql_master_server_host}', $conf['mysql']['master_host'], $content);
+		$content = str_replace('{mysql_master_server_port}', $conf['mysql']['master_port'], $content);
+
+		$content = str_replace('{server_id}', $conf['server_id'], $content);
+		$content = str_replace('{ispconfig_log_priority}', $conf['ispconfig_log_priority'], $content);
+		$content = str_replace('{language}', $conf['language'], $content);
+		$content = str_replace('{timezone}', $conf['timezone'], $content);
+		$content = str_replace('{theme}', $conf['theme'], $content);
+		$content = str_replace('{language_file_import_enabled}', ($conf['language_file_import_enabled'] == true)?'true':'false', $content);
+
+		wf($install_dir.'/server/lib/'.$configfile, $content);
 
 		//* Create the config file for remote-actions (but only, if it does not exist, because
 		//  the value is a autoinc-value and so changed by the remoteaction_core_module
@@ -928,7 +1196,7 @@ class installer extends installer_base
 			wf($install_dir.'/server/lib/remote_action.inc.php', $content);
 		}
 
-		// Enable the server modules and plugins.
+		//* Enable the server modules and plugins.
 		// TODO: Implement a selector which modules and plugins shall be enabled.
 		$dir = $install_dir.'/server/mods-available/';
 		if (is_dir($dir)) {
@@ -970,10 +1238,12 @@ class installer extends installer_base
 						if(method_exists($tmp, 'onInstall') && $tmp->onInstall()) {
 							if(!@is_link($install_dir.'/server/plugins-enabled/'.$file)) {
 								@symlink($install_dir.'/server/plugins-available/'.$file, $install_dir.'/server/plugins-enabled/'.$file);
+								//@symlink($install_dir.'/server/plugins-available/'.$file, '../plugins-enabled/'.$file);
 							}
 							if (strpos($file, '_core_plugin') !== false) {
 								if(!@is_link($install_dir.'/server/plugins-core/'.$file)) {
 									@symlink($install_dir.'/server/plugins-available/'.$file, $install_dir.'/server/plugins-core/'.$file);
+									//@symlink($install_dir.'/server/plugins-available/'.$file, '../plugins-core/'.$file);
 								}
 							}
 						}
@@ -984,21 +1254,25 @@ class installer extends installer_base
 			}
 		}
 
-		//* Update the server config
+		// Update the server config
 		$mail_server_enabled = ($conf['services']['mail'])?1:0;
 		$web_server_enabled = ($conf['services']['web'])?1:0;
 		$dns_server_enabled = ($conf['services']['dns'])?1:0;
 		$file_server_enabled = ($conf['services']['file'])?1:0;
 		$db_server_enabled = ($conf['services']['db'])?1:0;
-		$vserver_server_enabled = ($conf['services']['vserver'])?1:0;
+		$vserver_server_enabled = ($conf['openvz']['installed'])?1:0;
+		$proxy_server_enabled = ($conf['services']['proxy'])?1:0;
+		$firewall_server_enabled = ($conf['services']['firewall'])?1:0;
+		$xmpp_server_enabled = ($conf['services']['xmpp'])?1:0;
 
-		$sql = "UPDATE `server` SET mail_server = ?, web_server = ?, dns_server = ?, file_server = ?, db_server = ?, vserver_server = ? WHERE server_id = ?";
+		$sql = "UPDATE `server` SET mail_server = '$mail_server_enabled', web_server = '$web_server_enabled', dns_server = '$dns_server_enabled', file_server = '$file_server_enabled', db_server = '$db_server_enabled', vserver_server = '$vserver_server_enabled', proxy_server = '$proxy_server_enabled', firewall_server = '$firewall_server_enabled', xmpp_server = '$xmpp_server_enabled' WHERE server_id = ?";
 
-		$this->db->query($sql, $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $conf['server_id']);
+		$this->db->query($sql, $conf['server_id']);
 		if($conf['mysql']['master_slave_setup'] == 'y') {
-			$this->dbmaster->query($sql, $mail_server_enabled, $web_server_enabled, $dns_server_enabled, $file_server_enabled, $db_server_enabled, $vserver_server_enabled, $conf['server_id']);
+			$this->dbmaster->query($sql, $conf['server_id']);
 		}
 
+
 		// chown install dir to root and chmod 755
 		$command = 'chown root:root '.$install_dir;
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
@@ -1013,6 +1287,14 @@ class installer extends installer_base
 		$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
+		//* chown the extensions directory to the ispconfig user and group
+		$command = 'chown ispconfig:ispconfig '.$install_dir.'/extensions';
+		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
+		//* Chmod the files and directories in the acme dir
+		$command = 'chmod -R 755 '.$install_dir.'/interface/acme';
+		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
 		//* chown the server files to the root user and group
 		$command = 'chown -R root:root '.$install_dir.'/server';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
@@ -1039,9 +1321,7 @@ class installer extends installer_base
 		exec("chmod -R 770 $install_dir/interface/lib/lang");
 
 		//* Make the temp directory for language file exports writable
-		if(is_dir($install_dir.'/interface/web/temp')) {
-			exec("chmod -R 770 $install_dir/interface/web/temp");
-		}
+		if(is_dir($install_dir.'/interface/web/temp')) exec("chmod -R 770 $install_dir/interface/web/temp");
 
 		//* Make all interface language file directories group writable
 		$handle = @opendir($install_dir.'/interface/web');
@@ -1097,15 +1377,15 @@ class installer extends installer_base
 			$command = 'usermod -a -G ispconfig '.$conf['apache']['user'];
 			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 			if(is_group('ispapps')){
-				$command = 'usermod -a -G ispapps '.$conf['apache']['user'];
+        $command = 'usermod -a -G ispapps '.$conf['apache']['user'];
 				caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 			}
 		}
 		if($conf['nginx']['installed'] == true){
-			$command = 'usermod -a -G ispconfig '.$conf['nginx']['user'];
+      $command = 'usermod -a -G ispconfig '.$conf['nginx']['user'];
 			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 			if(is_group('ispapps')){
-				$command = 'usermod -a -G ispapps '.$conf['nginx']['user'];
+        $command = 'usermod -a -G ispapps '.$conf['nginx']['user'];
 				caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 			}
 		}
@@ -1115,49 +1395,68 @@ class installer extends installer_base
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
 			//* Copy the ISPConfig vhost for the controlpanel
-			$content = $this->get_template_file("apache_ispconfig.vhost", true);
-			$content = str_replace('{vhost_port}', $conf['apache']['vhost_port'], $content);
+			$vhost_conf_dir = $conf['apache']['vhost_conf_dir'];
+			//$vhost_conf_enabled_dir = $conf['apache']['vhost_conf_enabled_dir'];
 
-			//* comment out the listen directive if port is 80 or 443
-			if ($conf['apache']['vhost_port'] == 80 or $conf['apache']['vhost_port'] == 443) {
-				$content = str_replace('{vhost_port_listen}', '#', $content);
+			// Dont just copy over the virtualhost template but add some custom settings
+			$tpl = new tpl();
+  		if (file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/apache_ispconfig.vhost.master")) {
+  			$tpl->newTemplate($conf['ispconfig_install_dir']."/server/conf-custom/install/apache_ispconfig.vhost.master");
+  		} else {
+  			$tpl->newTemplate("dist/tpl/gentoo/apache_ispconfig.vhost.master");
+  		}
+			$tpl->setVar('vhost_port',$conf['apache']['vhost_port']);
+
+			// comment out the listen directive if port is 80 or 443
+			if($conf['apache']['vhost_port'] == 80 or $conf['apache']['vhost_port'] == 443) {
+				$tpl->setVar('vhost_port_listen','#');
 			} else {
-				$content = str_replace('{vhost_port_listen}', '', $content);
+				$tpl->setVar('vhost_port_listen','');
 			}
 
 			if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
-				$content = str_replace('{ssl_comment}', '', $content);
+				$tpl->setVar('ssl_comment','');
 			} else {
-				$content = str_replace('{ssl_comment}', '#', $content);
+				$tpl->setVar('ssl_comment','#');
 			}
 			if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key') && is_file($install_dir.'/interface/ssl/ispserver.bundle')) {
-				$content = str_replace('{ssl_bundle_comment}', '', $content);
+				$tpl->setVar('ssl_bundle_comment','');
 			} else {
-				$content = str_replace('{ssl_bundle_comment}', '#', $content);
+				$tpl->setVar('ssl_bundle_comment','#');
 			}
 
-			$vhost_path = $conf['apache']['vhost_conf_dir'].'/ispconfig.vhost';
-			$this->write_config_file($vhost_path, $content);
-
-			if(!is_file('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter')) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/apache_ispconfig_fcgi_starter.master', 'tpl/apache_ispconfig_fcgi_starter.master');
-				$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
-				$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
-				@mkdir('/var/www/php-fcgi-scripts/ispconfig', 0755, true);
-				$this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', false);
-				wf('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', $content);
-				exec('chmod +x /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
-				chmod('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', 0755);
-				@symlink($install_dir.'/interface/web', '/var/www/ispconfig');
-				exec('chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig');
-				$this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', true);
-			}
+			$tpl->setVar('apache_version',getapacheversion());
+
+			wf($vhost_conf_dir.'/ispconfig.vhost', $tpl->grab());
+
+			//* and create the symlink
+			/*if($this->is_update == false) {
+				if(@is_link($vhost_conf_enabled_dir.'/ispconfig.vhost')) unlink($vhost_conf_enabled_dir.'/ispconfig.vhost');
+				if(!@is_link($vhost_conf_enabled_dir.'/000-ispconfig.vhost')) {
+					symlink($vhost_conf_dir.'/ispconfig.vhost', $vhost_conf_enabled_dir.'/000-ispconfig.vhost');
+				}
+			}*/
+			//if(!is_file('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter')) {
+			$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/apache_ispconfig_fcgi_starter.master', 'tpl/apache_ispconfig_fcgi_starter.master');
+			$content = str_replace('{fastcgi_bin}', $conf['fastcgi']['fastcgi_bin'], $content);
+			$content = str_replace('{fastcgi_phpini_path}', $conf['fastcgi']['fastcgi_phpini_path'], $content);
+			@mkdir('/var/www/php-fcgi-scripts/ispconfig', 0755, true);
+			$this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', false);
+			wf('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', $content);
+			exec('chmod +x /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter');
+			@symlink($install_dir.'/interface/web', '/var/www/ispconfig');
+			exec('chown -R ispconfig:ispconfig /var/www/php-fcgi-scripts/ispconfig');
+			$this->set_immutable('/var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter', true);
+			//}
+      
+      // unlink acme vhost symlink
+      if(is_link($vhost_conf_dir . '/999-acme.conf') && file_exists($vhost_conf_dir . '/acme.conf')) unlink($vhost_conf_dir . '/999-acme.conf');
 		}
 
 		if($conf['nginx']['installed'] == true && $this->install_ispconfig_interface == true){
@@ -1170,7 +1469,7 @@ class installer extends installer_base
 			$content = str_replace('{vhost_port}', $conf['nginx']['vhost_port'], $content);
 
 			if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
-				$content = str_replace('{ssl_on}', 'ssl', $content);
+				$content = str_replace('{ssl_on}', 'ssl http2', $content);
 				$content = str_replace('{ssl_comment}', '', $content);
 				$content = str_replace('{fastcgi_ssl}', 'on', $content);
 			} else {
@@ -1212,46 +1511,50 @@ class installer extends installer_base
 		}
 
 		//* Install the update script
-		if (is_file('/usr/local/bin/ispconfig_update_from_dev.sh')) {
-			unlink('/usr/local/bin/ispconfig_update_from_dev.sh');
-		}
-
+		if(is_file('/usr/local/bin/ispconfig_update_from_dev.sh')) unlink('/usr/local/bin/ispconfig_update_from_dev.sh');
 		chown($install_dir.'/server/scripts/update_from_dev.sh', 'root');
 		chmod($install_dir.'/server/scripts/update_from_dev.sh', 0700);
-		chown($install_dir.'/server/scripts/update_from_tgz.sh', 'root');
-		chmod($install_dir.'/server/scripts/update_from_tgz.sh', 0700);
+//		chown($install_dir.'/server/scripts/update_from_tgz.sh', 'root');
+//		chmod($install_dir.'/server/scripts/update_from_tgz.sh', 0700);
 		chown($install_dir.'/server/scripts/ispconfig_update.sh', 'root');
 		chmod($install_dir.'/server/scripts/ispconfig_update.sh', 0700);
-
-		if (!is_link('/usr/local/bin/ispconfig_update_from_dev.sh')) {
-			symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update_from_dev.sh');
-		}
-
-		if (!is_link('/usr/local/bin/ispconfig_update.sh')) {
-			symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update.sh');
-		}
+		if(!is_link('/usr/local/bin/ispconfig_update_from_dev.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update_from_dev.sh');
+		if(!is_link('/usr/local/bin/ispconfig_update.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update.sh');
+
+		// Install ISPConfig cli command
+		if(is_file('/usr/local/bin/ispc')) unlink('/usr/local/bin/ispc');
+		chown($install_dir.'/server/cli/ispc', 'root');
+		chmod($install_dir.'/server/cli/ispc', 0700);
+		symlink($install_dir.'/server/cli/ispc', '/usr/local/bin/ispc');
+
+		// Make executable then unlink and symlink letsencrypt pre, post and renew hook scripts
+		chown($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 'root');
+		chown($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 'root');
+		chown($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 'root');
+		chmod($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 0700);
+		chmod($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 0700);
+		chmod($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', 0700);
+		if(is_link('/usr/local/bin/letsencrypt_pre_hook.sh')) unlink('/usr/local/bin/letsencrypt_pre_hook.sh');
+		if(is_link('/usr/local/bin/letsencrypt_post_hook.sh')) unlink('/usr/local/bin/letsencrypt_post_hook.sh');
+		if(is_link('/usr/local/bin/letsencrypt_renew_hook.sh')) unlink('/usr/local/bin/letsencrypt_renew_hook.sh');
+		symlink($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh');
+		symlink($install_dir.'/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh');
+		symlink($install_dir.'/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh');
 
 		//* Make the logs readable for the ispconfig user
-		if (is_file('/var/log/maillog')) {
-			exec('chmod +r /var/log/maillog');
-		}
-		if (is_file('/var/log/messages')) {
-			exec('chmod +r /var/log/messages');
-		}
-		if (is_file('/var/log/clamav/clamav.log')) {
-			exec('chmod +r /var/log/clamav/clamav.log');
-		}
-		if (is_file('/var/log/clamav/freshclam.log')) {
-			exec('chmod +r /var/log/clamav/freshclam.log');
-		}
-
-		//* Create the ispconfig log directory
-		if (!is_dir($conf['ispconfig_log_dir'])) {
-			mkdir($conf['ispconfig_log_dir']);
-		}
-		if (!is_file($conf['ispconfig_log_dir'].'/ispconfig.log')) {
+		if(@is_file('/var/log/mail.log')) exec('chmod +r /var/log/mail.log');
+		if(@is_file('/var/log/mail.warn')) exec('chmod +r /var/log/mail.warn');
+		if(@is_file('/var/log/mail.err')) exec('chmod +r /var/log/mail.err');
+		if(@is_file('/var/log/messages')) exec('chmod +r /var/log/messages');
+		if(@is_file('/var/log/clamav/clamav.log')) exec('chmod +r /var/log/clamav/clamav.log');
+		if(@is_file('/var/log/clamav/freshclam.log')) exec('chmod +r /var/log/clamav/freshclam.log');
+
+		//* Create the ispconfig log file and directory
+		if(!is_file($conf['ispconfig_log_dir'].'/ispconfig.log')) {
+			if(!is_dir($conf['ispconfig_log_dir'])) mkdir($conf['ispconfig_log_dir'], 0755);
 			touch($conf['ispconfig_log_dir'].'/ispconfig.log');
 		}
+		chmod($conf['ispconfig_log_dir'].'/ispconfig.log', 0600);
 
 		//* Create the ispconfig auth log file and set uid/gid
 		if(!is_file($conf['ispconfig_log_dir'].'/auth.log')) {
@@ -1260,16 +1563,45 @@ class installer extends installer_base
 		exec('chown ispconfig:ispconfig '. $conf['ispconfig_log_dir'].'/auth.log');
 		exec('chmod 660 '. $conf['ispconfig_log_dir'].'/auth.log');
 
-		rename($install_dir.'/server/scripts/run-getmail.sh', '/usr/local/bin/run-getmail.sh');
-
-		if (is_user('getmail')) {
-			chown('/usr/local/bin/run-getmail.sh', 'getmail');
+		if(is_user('getmail')) {
+			rename($install_dir.'/server/scripts/run-getmail.sh', '/usr/local/bin/run-getmail.sh');
+			if(is_user('getmail')) chown('/usr/local/bin/run-getmail.sh', 'getmail');
+			chmod('/usr/local/bin/run-getmail.sh', 0744);
+		}
+
+		//* Add Log-Rotation
+		if (is_dir('/etc/logrotate.d')) {
+			@unlink('/etc/logrotate.d/logispc3'); // ignore, if the file is not there
+			/* We rotate these logs in cron_daily.php
+			$fh = fopen('/etc/logrotate.d/logispc3', 'w');
+			fwrite($fh,
+					"$conf['ispconfig_log_dir']/ispconfig.log { \n" .
+					"	weekly \n" .
+					"	missingok \n" .
+					"	rotate 4 \n" .
+					"	compress \n" .
+					"	delaycompress \n" .
+					"} \n" .
+					"$conf['ispconfig_log_dir']/cron.log { \n" .
+					"	weekly \n" .
+					"	missingok \n" .
+					"	rotate 4 \n" .
+					"	compress \n" .
+					"	delaycompress \n" .
+					"}");
+			fclose($fh);
+			*/
 		}
-		chmod('/usr/local/bin/run-getmail.sh', 0744);
 
 		//* Remove Domain module as its functions are available in the client module now
 		if(@is_dir('/usr/local/ispconfig/interface/web/domain')) exec('rm -rf /usr/local/ispconfig/interface/web/domain');
 
+		//* Disable rkhunter run and update in debian cronjob as ispconfig is running and updating rkhunter
+		if(is_file('/etc/default/rkhunter')) {
+			replaceLine('/etc/default/rkhunter', 'CRON_DAILY_RUN="yes"', 'CRON_DAILY_RUN="no"', 1, 0);
+			replaceLine('/etc/default/rkhunter', 'CRON_DB_UPDATE="yes"', 'CRON_DB_UPDATE="no"', 1, 0);
+		}
+
 		// Add symlink for patch tool
 		if(!is_link('/usr/local/bin/ispconfig_patch')) exec('ln -s /usr/local/ispconfig/server/scripts/ispconfig_patch /usr/local/bin/ispconfig_patch');
 
@@ -1278,9 +1610,9 @@ class installer extends installer_base
 		if(is_file($conf['amavis']['config_dir'].'/50-user~')) chmod($conf['amavis']['config_dir'].'/50-user~', 0400);
 		if(is_file($conf['amavis']['config_dir'].'/amavisd.conf')) chmod($conf['amavis']['config_dir'].'/amavisd.conf', 0640);
 		if(is_file($conf['amavis']['config_dir'].'/amavisd.conf~')) chmod($conf['amavis']['config_dir'].'/amavisd.conf~', 0400);
-
 	}
 
 }
 
 ?>
+

install/dist/lib/opensuse.lib.php

@@ -57,55 +57,12 @@ class installer_dist extends installer_base {
 			$this->error("The postfix configuration directory '$config_dir' does not exist.");
 		}
 
-		//* mysql-virtual_domains.cf
-		$this->process_postfix_config('mysql-virtual_domains.cf');
-
-		//* mysql-virtual_forwardings.cf
-		$this->process_postfix_config('mysql-virtual_forwardings.cf');
-
-		//* mysql-virtual_alias_domains.cf
-		$this->process_postfix_config('mysql-virtual_alias_domains.cf');
-
-		//* mysql-virtual_alias_maps.cf
-		$this->process_postfix_config('mysql-virtual_alias_maps.cf');
-
-		//* mysql-virtual_mailboxes.cf
-		$this->process_postfix_config('mysql-virtual_mailboxes.cf');
-
-		//* mysql-virtual_email2email.cf
-		$this->process_postfix_config('mysql-virtual_email2email.cf');
-
-		//* mysql-virtual_transports.cf
-		$this->process_postfix_config('mysql-virtual_transports.cf');
-
-		//* mysql-virtual_recipient.cf
-		$this->process_postfix_config('mysql-virtual_recipient.cf');
-
-		//* mysql-virtual_sender.cf
-		$this->process_postfix_config('mysql-virtual_sender.cf');
-
-		//* mysql-virtual_sender_login_maps.cf
-		$this->process_postfix_config('mysql-virtual_sender_login_maps.cf');
-
-		//* mysql-virtual_client.cf
-		$this->process_postfix_config('mysql-virtual_client.cf');
-
-		//* mysql-virtual_relaydomains.cf
-		$this->process_postfix_config('mysql-virtual_relaydomains.cf');
-
-		//* mysql-virtual_relayrecipientmaps.cf
-		$this->process_postfix_config('mysql-virtual_relayrecipientmaps.cf');
-
-		//* mysql-virtual_policy_greylist.cf
-		$this->process_postfix_config('mysql-virtual_policy_greylist.cf');
-
-		//* mysql-virtual_gids.cf.master
-		$this->process_postfix_config('mysql-virtual_gids.cf');
-
-		//* mysql-virtual_uids.cf
-		$this->process_postfix_config('mysql-virtual_uids.cf');
+		//* Install virtual mappings
+		foreach (glob('tpl/mysql-virtual_*.master') as $filename) {
+			$this->process_postfix_config( basename($filename, '.master') );
+		}
 
-		//* mysql-virtual_alias_domains.cf
+		//* mysql-verify_recipients.cf
 		$this->process_postfix_config('mysql-verify_recipients.cf');
 
 		//* postfix-dkim
@@ -219,6 +176,7 @@ class installer_dist extends installer_base {
 		touch($config_dir.'/mime_header_checks');
 		touch($config_dir.'/nested_header_checks');
 		touch($config_dir.'/body_checks');
+		touch($config_dir.'/sasl_passwd');
 
 		//* Create the mailman files
 		if(!is_dir('/var/lib/mailman/data')) exec('mkdir -p /var/lib/mailman/data');
@@ -425,7 +383,7 @@ class installer_dist extends installer_base {
 			if(is_file($config_dir.'/master.cf')){
 				copy($config_dir.'/master.cf', $config_dir.'/master.cf~2');
 			}
-			if(is_file($config_dir.'/master.cf~')){
+			if(is_file($config_dir.'/master.cf~2')){
 				chmod($config_dir.'/master.cf~2', 0400);
 			}
 			//* Configure master.cf and add a line for deliver
@@ -555,31 +513,28 @@ class installer_dist extends installer_base {
 
 		$config_dir = $conf['postfix']['config_dir'];
 
-		// Adding amavis-services to the master.cf file if the service does not already exists
-		$add_amavis = !$this->get_postfix_service('amavis','unix');
-		$add_amavis_10025 = !$this->get_postfix_service('127.0.0.1:10025','inet');
-		$add_amavis_10027 = !$this->get_postfix_service('127.0.0.1:10027','inet');
-
-		if ($add_amavis || $add_amavis_10025 || $add_amavis_10027) {
-			//* backup master.cf
-			if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
-			// adjust amavis-config
-			if($add_amavis) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10025) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10027) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-		}
+		// Adding amavis-services to the master.cf file
+
+		// backup master.cf
+		if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
+
+		// first remove the old service definitions
+		$this->remove_postfix_service('amavis','unix');
+		$this->remove_postfix_service('127.0.0.1:10025','inet');
+		$this->remove_postfix_service('127.0.0.1:10027','inet');
+
+		// then add them back
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
+
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
+
+		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
+		af($config_dir.'/master.cf', $content);
+		unset($content);
 
 		// Add the clamav user to the vscan group
 		//exec('groupmod --add-user clamav vscan');
@@ -1117,6 +1072,10 @@ class installer_dist extends installer_base {
 		$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
+		//* chown the extensions directory to the ispconfig user and group
+		$command = 'chown ispconfig:ispconfig '.$install_dir.'/extensions';
+		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
 		//* chown the server files to the root user and group
 		$command = 'chown -R root:root '.$install_dir.'/server';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
@@ -1215,8 +1174,8 @@ class installer_dist extends installer_base {
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
@@ -1369,6 +1328,7 @@ class installer_dist extends installer_base {
 		//* Create the ispconfig log directory
 		if(!is_dir($conf['ispconfig_log_dir'])) mkdir($conf['ispconfig_log_dir']);
 		if(!is_file($conf['ispconfig_log_dir'].'/ispconfig.log')) exec('touch '.$conf['ispconfig_log_dir'].'/ispconfig.log');
+		chmod($conf['ispconfig_log_dir'].'/ispconfig.log', 0600);
 
 		if(is_user('getmail')) {
 			exec('mv /usr/local/ispconfig/server/scripts/run-getmail.sh /usr/local/bin/run-getmail.sh');

install/dist/tpl/gentoo/amavisd-ispconfig.conf.master

@@ -51,7 +51,8 @@ use strict;
 $sql_select_policy =
    'SELECT *,spamfilter_users.id'.
    ' FROM spamfilter_users LEFT JOIN spamfilter_policy ON spamfilter_users.policy_id=spamfilter_policy.id'.
-   ' WHERE spamfilter_users.email IN (%k) ORDER BY spamfilter_users.priority DESC';
+   ' WHERE spamfilter_users.email IN (%k) AND spamfilter_users.policy_id != 0'.
+   ' ORDER BY spamfilter_users.priority DESC';
 
 
 $sql_select_white_black_list = 'SELECT wb FROM spamfilter_wblist'.
@@ -104,6 +105,9 @@ $policy_bank{'ORIGINATING'} = {
   originating => 1,
   smtpd_discard_ehlo_keywords => ['8BITMIME'],
 };
+$policy_bank{'MYNETS'} = {
+  originating => 1,
+};
 
 # IP-Addresses for internal networks => load policy MYNETS
 # - requires -o smtp_send_xforward_command=yes in postfix master.cf

install/dist/tpl/gentoo/apache_ispconfig.vhost.master

@@ -4,41 +4,83 @@
 # for the ISPConfig controlpanel
 ######################################################
 
-{vhost_port_listen} Listen {vhost_port}
-<tmpl_if name='apache_version' op='<' value='2.4' format='version'>
-  NameVirtualHost *:{vhost_port}
-</tmpl_if>
+<tmpl_var name="vhost_port_listen"> Listen <tmpl_var name="vhost_port">
+NameVirtualHost *:<tmpl_var name="vhost_port">
 
-<VirtualHost _default_:{vhost_port}>
+<VirtualHost _default_:<tmpl_var name="vhost_port">>
   ServerAdmin webmaster@localhost
 
   Alias /mail /var/www/ispconfig/mail
   
+  <Directory /var/www/ispconfig/>
+    <FilesMatch "\.ph(p3?|tml)$">
+      SetHandler None
+    </FilesMatch>
+  </Directory>
+  <Directory /usr/local/ispconfig/interface/web/>
+    <FilesMatch "\.ph(p3?|tml)$">
+      SetHandler None
+    </FilesMatch>
+  </Directory>
+  
   <IfModule mod_fcgid.c>
     DocumentRoot /var/www/ispconfig/
     SuexecUserGroup ispconfig ispconfig
     <Directory /var/www/ispconfig/>
-      Options +Indexes +FollowSymLinks +MultiViews +ExecCGI
+      Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
       AllowOverride AuthConfig Indexes Limit Options FileInfo
-      <FilesMatch "\.ph(p[3-5]?|tml)$">
+      <FilesMatch "\.php$">
            SetHandler fcgid-script
       </FilesMatch>
       FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
+      <tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+      Require all granted
+      <tmpl_else>
       Order allow,deny
       Allow from all
+      </tmpl_if>
     </Directory>
     DirectoryIndex index.php
+    IPCCommTimeout  7200
+    MaxRequestLen 15728640
+  </IfModule>
+  
+  <IfModule mod_proxy_fcgi.c>
+    DocumentRoot /usr/local/ispconfig/interface/web
+    SuexecUserGroup ispconfig ispconfig
+    DirectoryIndex index.php
+
+    <Directory /usr/local/ispconfig/interface/web>
+      Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
+      AllowOverride AuthConfig Indexes Limit Options FileInfo
+      <tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+      Require all granted
+      <tmpl_else>
+      Order allow,deny
+      Allow from all
+      </tmpl_if>
+      <FilesMatch \.php$>
+         #SetHandler "proxy:unix:/var/lib/php5-fpm/ispconfig.sock|fcgi://localhost"
+         SetHandler "proxy:fcgi://127.0.0.1:9000"
+      </FilesMatch>
+    </Directory>
   </IfModule>
 
-  <IfModule mod_php5.c>
+  <IfModule mpm_itk_module>
     DocumentRoot /usr/local/ispconfig/interface/web/
+    AssignUserId ispconfig ispconfig
     AddType application/x-httpd-php .php
     <Directory /usr/local/ispconfig/interface/web>
+      # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
       Options +FollowSymLinks
       AllowOverride None
+      <tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+      Require all granted
+      <tmpl_else>
       Order allow,deny
       Allow from all
-	  php_value magic_quotes_gpc        0
+      </tmpl_if>
+      php_value magic_quotes_gpc        0
     </Directory>
   </IfModule>
 
@@ -51,20 +93,53 @@
   </IfModule>
 
   # SSL Configuration
-  {ssl_comment}SSLEngine On
-  {ssl_comment}SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
-  {ssl_comment}SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
+  <tmpl_var name="ssl_comment">SSLEngine On
+  <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
+  <tmpl_else>
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
+  </tmpl_if>
+  <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
+  <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
+  <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
 
-</VirtualHost>
+  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  <tmpl_var name="ssl_comment">SSLHonorCipherOrder On
+  <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
+  <tmpl_var name="ssl_comment">SSLCompression Off
+  </tmpl_if>
+  <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'>
+  <tmpl_var name="ssl_comment">SSLSessionTickets Off
+  </tmpl_if>
 
-<Directory /var/www/php-cgi-scripts>
-    AllowOverride None
-    Order Deny,Allow
-    Deny from all
-</Directory>
+  <IfModule mod_headers.c>
+    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
+    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
+    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
+    Header set X-Content-Type-Options: nosniff
+    Header set X-Frame-Options: SAMEORIGIN
+    Header set X-XSS-Protection: "1; mode=block"
+    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
+    <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure"
+    <IfModule mod_version.c>
+      <IfVersion >= 2.4.7>
+          Header setifempty Strict-Transport-Security "max-age=15768000"
+      </IfVersion>
+      <IfVersion < 2.4.7>
+          Header set Strict-Transport-Security "max-age=15768000"
+      </IfVersion>
+    </IfModule>
+    RequestHeader unset Proxy early
+  </IfModule>
+
+  <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
+  <tmpl_var name="ssl_comment">SSLUseStapling On
+  <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5
+  <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off
+  </tmpl_if>
+  
+  # Redirect http to https
+  ErrorDocument 400 "<script>document.location.href='https://'+location.hostname+':'+location.port';</script><h1>Error 400 - trying to redirect</h1>"
+
+</VirtualHost>
 
-<Directory /var/www/php-fcgi-scripts>
-    AllowOverride None
-    Order Deny,Allow
-    Deny from all
-</Directory>

install/dist/tpl/gentoo/dovecot2.conf.master

+# Do not change this file, as changes will be overwritten by any ISPConfig update.
+# Put your custom settings in /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master.
+# To start using those changes, do a force upgrade and let it reconfigure your services. (ispconfig_update.sh --force)
+listen = *,[::]
+protocols = imap pop3
+auth_mechanisms = plain login
+disable_plaintext_auth = no
+log_timestamp = "%Y-%m-%d %H:%M:%S "
+mail_privileged_group = vmail
+postmaster_address = postmaster@example.com
+ssl_cert = </etc/postfix/smtpd.cert
+ssl_key = </etc/postfix/smtpd.key
+ssl_dh = </etc/dovecot/dh.pem
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_prefer_server_ciphers = no
+mail_max_userip_connections = 100
+mail_plugins = quota
+passdb {
+  args = /etc/dovecot/dovecot-sql.conf
+  driver = sql
+}
+userdb {
+  driver = prefetch
+}
+userdb {
+  args = /etc/dovecot/dovecot-sql.conf
+  driver = sql
+}
+plugin {
+  quota = dict:user::file:/var/vmail/%d/%n/.quotausage
+
+  # no longer needed, as 'sieve' is in userdb extra fields:
+  sieve=/var/vmail/%d/%n/.sieve
+
+  sieve_before=/var/vmail/%d/%n/.ispconfig-before.sieve
+  sieve_after=/var/vmail/%d/%n/.ispconfig.sieve
+  sieve_max_script_size = 2M
+  sieve_max_actions = 100
+  sieve_max_redirects = 25
+}
+service auth {
+  unix_listener /var/spool/postfix/private/auth {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
+  unix_listener auth-userdb {
+    group = vmail
+    mode = 0600
+    user = vmail
+  }
+  user = root
+}
+service lmtp {
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+   group = postfix
+   mode = 0600
+   user = postfix
+  }
+}
+lmtp_rcpt_check_quota = yes
+service imap-login {
+  client_limit = 1000
+  process_limit = 512
+}
+protocol imap {
+  mail_plugins = $mail_plugins quota imap_quota
+  auth_verbose = yes
+}
+protocol pop3 {
+  pop3_uidl_format = %08Xu%08Xv
+  mail_plugins = $mail_plugins quota
+  auth_verbose = yes
+}
+protocol lda {
+  postmaster_address = webmaster@localhost
+  mail_plugins = $mail_plugins sieve quota
+}
+protocol lmtp {
+  postmaster_address = webmaster@localhost
+  mail_plugins = $mail_plugins quota sieve
+}
+
+
+#2.3+ service stats {
+#2.3+     unix_listener stats-reader {
+#2.3+         user = vmail
+#2.3+         group = vmail
+#2.3+         mode = 0660
+#2.3+     }
+#2.3+
+#2.3+     unix_listener stats-writer {
+#2.3+         user = vmail
+#2.3+         group = vmail
+#2.3+         mode = 0660
+#2.3+     }
+#2.3+ }
+
+service quota-status {
+  executable = quota-status -p postfix
+  unix_listener /var/spool/postfix/private/quota-status {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
+  client_limit = 1
+}
+plugin {
+  quota_status_success = DUNNO
+  quota_status_nouser = DUNNO
+  quota_status_overquota = "552 5.2.2 Mailbox is full"
+}
+
+!include_try conf.d/99-ispconfig-custom-config.conf
\ No newline at end of file

install/dist/tpl/gentoo/jk_init.ini.master

@@ -96,8 +96,8 @@ regularfiles = /etc/vimrc
 directories = /etc/joe, /etc/terminfo, /usr/share/vim, /usr/share/terminfo, /usr/lib/terminfo
 
 [netutils]
-comment = several internet utilities like wget, ftp, rsync, scp, ssh
-executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
+comment = several internet utilities like curl, wget, ftp, rsync, scp, ssh
+executables = /usr/bin/curl /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
 includesections = netbasics, ssh, sftp, scp
 directories = /etc/ssl/certs/
 regularfiles = /usr/lib/ssl/certs

install/install.php

@@ -85,8 +85,6 @@ if(realpath(dirname(__FILE__)) != $cur_dir) {
 	chdir( realpath(dirname(__FILE__)) );
 }
 
-//** Install logfile
-define('ISPC_LOG_FILE', '/var/log/ispconfig_install.log');
 define('ISPC_INSTALL_ROOT', realpath(dirname(__FILE__).'/../'));
 
 //** Include the templating lib
@@ -146,7 +144,6 @@ include_once 'dist/conf/'.$dist['confid'].'.conf.php';
 //** Installer Interface
 //****************************************************************************************************
 $inst = new installer();
-if (!$inst->get_php_version()) die('ISPConfig requires PHP '.$inst->min_php."\n");
 $retval=shell_exec("which which");
 if (empty($retval)) die ("ISPConfig requires which \n");
 
@@ -157,12 +154,22 @@ swriteln($inst->lng('    Default values are in [brackets] and can be accepted wi
 swriteln($inst->lng('    Tap in "quit" (without the quotes) to stop the installer.'."\n\n"));
 
 //** Check log file is writable (probably not root or sudo)
-if(!is_writable(dirname(ISPC_LOG_FILE))){
-	die("ERROR: Cannot write to the ".dirname(ISPC_LOG_FILE)." directory. Are you root or sudo ?\n\n");
+if(!is_writable(dirname($conf['ispconfig_log_dir']))){
+	die("ERROR: Cannot write to the ".$conf['ispconfig_log_dir']." directory. Are you root or sudo ?\n\n");
 }
 
+if(!is_dir($conf['ispconfig_log_dir'])) {
+	mkdir($conf['ispconfig_log_dir'], 0755, true);
+}
+define('ISPC_LOG_FILE', $conf['ispconfig_log_dir'] . '/install.log');
+
+//** Check for ISPConfig 2.x versions
 if(is_dir('/root/ispconfig') || is_dir('/home/admispconfig')) {
-	die('This software cannot be installed on a server wich runs ISPConfig 2.x.');
+	if(is_dir('/home/admispconfig')) {
+		die('This software cannot be installed on a server which runs ISPConfig 2.x.');
+	} else {
+		die('This software cannot be installed on a server which runs ISPConfig 2.x; the presence of the /root/ispconfig/ directory may indicate an ISPConfig 2.x installation, otherwise you can remove or rename it to continue.');
+	}
 }
 
 if(is_dir('/usr/local/ispconfig')) {
@@ -172,6 +179,11 @@ if(is_dir('/usr/local/ispconfig')) {
 //** Detect the installed applications
 $inst->find_installed_apps();
 
+//* crontab required by ISPConfig
+if(!$conf['cron']['installed']) {
+	die("crontab not found; please install a compatible cron daemon before ISPConfig\n\n");
+}
+
 //** Select the language and set default timezone
 $conf['language'] = $inst->simple_query('Select language', array('en', 'de'), 'en','language');
 $conf['timezone'] = get_system_timezone();
@@ -243,6 +255,9 @@ unset($tmp);
 include_once 'lib/mysql.lib.php';
 $inst->db = new db();
 
+//* Check MySQL version
+$inst->check_mysql_version();
+
 //** Begin with standard or expert installation
 
 $conf['services']['mail'] = false;
@@ -491,8 +506,17 @@ if($force) {
 	swriteln('Configuring OpenVZ');
 }
 
+// Configure AppArmor
+if($conf['apparmor']['installed']){
+  swriteln('Configuring AppArmor');
+  $inst->configure_apparmor();
+}
+
 if($install_mode == 'standard' || strtolower($inst->simple_query('Configure Firewall Server', array('y', 'n'), 'y','configure_firewall')) == 'y') {
 	//* Check for Firewall
+	if(!isset($conf['firewall']['installed'])) {
+		$conf['firewall']['installed'] = false;
+	}
 	if(!$conf['ufw']['installed'] && !$conf['firewall']['installed']) {
 		$conf['ufw']['installed'] = $inst->force_configure_app('Ubuntu Firewall', ($install_mode == 'expert'));
 		$conf['firewall']['installed'] = $inst->force_configure_app('Bastille Firewall', ($install_mode == 'expert'));
@@ -593,6 +617,9 @@ if(!$issue_asked) {
     }
 }
 
+// update acme.sh if installed
+$inst->update_acme();
+
 if($conf['services']['web'] == true) {
 	//** Configure apps vhost
 	swriteln('Configuring Apps vhost');
@@ -607,21 +634,18 @@ $inst->configure_dbserver();
 
 //* Configure ISPConfig
 swriteln('Installing ISPConfig crontab');
-if($conf['cron']['installed']) {
-	swriteln('Installing ISPConfig crontab');
-	$inst->install_crontab();
-} else swriteln('[ERROR] Cron not found');
+$inst->install_crontab();
 
 swriteln('Detect IP addresses');
 $inst->detect_ips();
 
 swriteln('Restarting services ...');
-if($conf['mysql']['installed'] == true && $conf['mysql']['init_script'] != '') system($inst->getinitcommand($conf['mysql']['init_script'], 'restart').' >/dev/null 2>&1');
-if($conf['postfix']['installed'] == true && $conf['postfix']['init_script'] != '') system($inst->getinitcommand($conf['postfix']['init_script'], 'restart'));
-if($conf['saslauthd']['installed'] == true && $conf['saslauthd']['init_script'] != '') system($inst->getinitcommand($conf['saslauthd']['init_script'], 'restart'));
-if($conf['amavis']['installed'] == true && $conf['amavis']['init_script'] != '') system($inst->getinitcommand($conf['amavis']['init_script'], 'restart'));
-if($conf['rspamd']['installed'] == true && $conf['rspamd']['init_script'] != '') system($inst->getinitcommand($conf['rspamd']['init_script'], 'restart'));
-if($conf['clamav']['installed'] == true && $conf['clamav']['init_script'] != '' && $conf['amavis']['installed'] == true) system($inst->getinitcommand($conf['clamav']['init_script'], 'restart'));
+if($conf['mysql']['installed'] == true && isset($conf['mysql']['init_script']) && $conf['mysql']['init_script'] != '') system($inst->getinitcommand($conf['mysql']['init_script'], 'restart').' >/dev/null 2>&1');
+if($conf['postfix']['installed'] == true && isset($conf['postfix']['init_script']) && $conf['postfix']['init_script'] != '') system($inst->getinitcommand($conf['postfix']['init_script'], 'restart'));
+if($conf['saslauthd']['installed'] == true && isset($conf['saslauthd']['init_script']) && $conf['saslauthd']['init_script'] != '') system($inst->getinitcommand($conf['saslauthd']['init_script'], 'restart'));
+if($conf['amavis']['installed'] == true && isset($conf['amavis']['init_script']) && $conf['amavis']['init_script'] != '') system($inst->getinitcommand($conf['amavis']['init_script'], 'restart'));
+if($conf['rspamd']['installed'] == true && isset($conf['rspamd']['init_script']) && $conf['rspamd']['init_script'] != '') system($inst->getinitcommand($conf['rspamd']['init_script'], 'restart'));
+if($conf['clamav']['installed'] == true && isset($conf['clamav']['init_script']) && $conf['clamav']['init_script'] != '' && $conf['amavis']['installed'] == true) system($inst->getinitcommand($conf['clamav']['init_script'], 'restart'));
 if($conf['courier']['installed'] == true){
 	if($conf['courier']['courier-authdaemon'] != '') system($inst->getinitcommand($conf['courier']['courier-authdaemon'], 'restart'));
 	if($conf['courier']['courier-imap'] != '') system($inst->getinitcommand($conf['courier']['courier-imap'], 'restart'));
@@ -629,22 +653,22 @@ if($conf['courier']['installed'] == true){
 	if($conf['courier']['courier-pop'] != '') system($inst->getinitcommand($conf['courier']['courier-pop'], 'restart'));
 	if($conf['courier']['courier-pop-ssl'] != '') system($inst->getinitcommand($conf['courier']['courier-pop-ssl'], 'restart'));
 }
-if($conf['dovecot']['installed'] == true && $conf['dovecot']['init_script'] != '') system($inst->getinitcommand($conf['dovecot']['init_script'], 'restart'));
-if($conf['mailman']['installed'] == true && $conf['mailman']['init_script'] != '') system('nohup '.$inst->getinitcommand($conf['mailman']['init_script'], 'restart').' >/dev/null 2>&1 &');
-if($conf['apache']['installed'] == true && $conf['apache']['init_script'] != '') system($inst->getinitcommand($conf['apache']['init_script'], 'restart'));
+if($conf['dovecot']['installed'] == true && isset($conf['dovecot']['init_script']) && $conf['dovecot']['init_script'] != '') system($inst->getinitcommand($conf['dovecot']['init_script'], 'restart'));
+if($conf['mailman']['installed'] == true && isset($conf['mailman']['init_script']) && $conf['mailman']['init_script'] != '') system('nohup '.$inst->getinitcommand($conf['mailman']['init_script'], 'restart').' >/dev/null 2>&1 &');
+if($conf['apache']['installed'] == true && isset($conf['apache']['init_script']) && $conf['apache']['init_script'] != '') system($inst->getinitcommand($conf['apache']['init_script'], 'restart'));
 //* Reload is enough for nginx
 if($conf['nginx']['installed'] == true){
 	if($conf['nginx']['php_fpm_init_script'] != '') system($inst->getinitcommand($conf['nginx']['php_fpm_init_script'], 'reload'));
-	if($conf['nginx']['init_script'] != '') system($inst->getinitcommand($conf['nginx']['init_script'], 'reload'));
+	if(isset($conf['nginx']['init_script']) && $conf['nginx']['init_script'] != '') system($inst->getinitcommand($conf['nginx']['init_script'], 'reload'));
 }
-if($conf['pureftpd']['installed'] == true && $conf['pureftpd']['init_script'] != '') system($inst->getinitcommand($conf['pureftpd']['init_script'], 'restart'));
-if($conf['mydns']['installed'] == true && $conf['mydns']['init_script'] != '') system($inst->getinitcommand($conf['mydns']['init_script'], 'restart').' &> /dev/null');
-if($conf['powerdns']['installed'] == true && $conf['powerdns']['init_script'] != '') system($inst->getinitcommand($conf['powerdns']['init_script'], 'restart').' &> /dev/null');
-if($conf['bind']['installed'] == true && $conf['bind']['init_script'] != '') system($inst->getinitcommand($conf['bind']['init_script'], 'restart').' &> /dev/null');
-//if($conf['squid']['installed'] == true && $conf['squid']['init_script'] != '' && is_file($conf['init_scripts'].'/'.$conf['squid']['init_script']))     system($conf['init_scripts'].'/'.$conf['squid']['init_script'].' restart &> /dev/null');
-if($conf['nginx']['installed'] == true && $conf['nginx']['init_script'] != '') system($inst->getinitcommand($conf['nginx']['init_script'], 'restart').' &> /dev/null');
-if($conf['ufw']['installed'] == true && $conf['ufw']['init_script'] != '') system($inst->getinitcommand($conf['ufw']['init_script'], 'restart').' &> /dev/null');
-if($conf['xmpp']['installed'] == true && $conf['xmpp']['init_script'] != '') system($inst->getinitcommand($conf['xmpp']['init_script'], 'restart').' &> /dev/null');
+if($conf['pureftpd']['installed'] == true && isset($conf['pureftpd']['init_script']) && $conf['pureftpd']['init_script'] != '') system($inst->getinitcommand($conf['pureftpd']['init_script'], 'restart'));
+if($conf['mydns']['installed'] == true && isset($conf['mydns']['init_script']) && $conf['mydns']['init_script'] != '') system($inst->getinitcommand($conf['mydns']['init_script'], 'restart').' &> /dev/null');
+if($conf['powerdns']['installed'] == true && isset($conf['powerdns']['init_script']) && $conf['powerdns']['init_script'] != '') system($inst->getinitcommand($conf['powerdns']['init_script'], 'restart').' &> /dev/null');
+if($conf['bind']['installed'] == true && isset($conf['bind']['init_script']) && $conf['bind']['init_script'] != '') system($inst->getinitcommand($conf['bind']['init_script'], 'restart').' &> /dev/null');
+//if($conf['squid']['installed'] == true && isset($conf['squid']['init_script']) && $conf['squid']['init_script'] != '' && is_file($conf['init_scripts'].'/'.$conf['squid']['init_script']))     system($conf['init_scripts'].'/'.$conf['squid']['init_script'].' restart &> /dev/null');
+if($conf['nginx']['installed'] == true && isset($conf['nginx']['init_script']) && $conf['nginx']['init_script'] != '') system($inst->getinitcommand($conf['nginx']['init_script'], 'restart').' &> /dev/null');
+if(isset($conf['ufw']['installed']) && $conf['ufw']['installed'] == true && isset($conf['ufw']['init_script']) && $conf['ufw']['init_script'] != '') system($inst->getinitcommand($conf['ufw']['init_script'], 'restart').' &> /dev/null');
+if($conf['xmpp']['installed'] == true && isset($conf['xmpp']['init_script']) && $conf['xmpp']['init_script'] != '') system($inst->getinitcommand($conf['xmpp']['init_script'], 'restart').' &> /dev/null');
 
 
 $inst->create_mount_script();

install/lib/classes/tpl.inc.php

@@ -30,7 +30,7 @@ if (!defined('vlibTemplateClassLoaded')) {
 	include_once ISPC_INSTALL_ROOT.'/install/lib/classes/tpl_error.inc.php';
 	include_once ISPC_INSTALL_ROOT.'/install/lib/classes/tpl_ini.inc.php';
 
-	class tpl{
+	class tpl extends stdClass{
 
 		/*-----------------------------------------------------------------------------\
         |                                 ATTENTION                                    |
@@ -931,7 +931,7 @@ if (!defined('vlibTemplateClassLoaded')) {
 		{
 			array_push($this->_namespace, $varname);
 			$tempvar = count($this->_namespace) - 1;
-			$retstr = "for (\$_".$tempvar."=0 ; \$_".$tempvar." < count(\$this->_arrvars";
+			$retstr = "for (\$_".$tempvar."=0 ; \$_".$tempvar." < \$this->_tpl_count(\$this->_arrvars";
 			for ($i=0; $i < count($this->_namespace); $i++) {
 				$retstr .= "['".$this->_namespace[$i]."']";
 				if ($this->_namespace[$i] != $varname) $retstr .= "[\$_".$i."]";
@@ -1170,7 +1170,15 @@ if (!defined('vlibTemplateClassLoaded')) {
 
 			array_push($this->_currentincludedir, dirname($this->_tmplfilename));
 			$this->_includedepth++;
-			$success = @eval($this->_tmplfilep);
+			try {
+				$success = @eval($this->_tmplfilep);
+			} catch(Exception $ex) {
+				print $this->_tmplfilep;
+				throw $ex;
+			} catch(TypeError $ex) {
+				print $this->_tmplfilep;
+				throw $ex;
+			}
 			$this->_includedepth--;
 			array_pop($this->_currentincludedir);
 
@@ -1268,6 +1276,27 @@ if (!defined('vlibTemplateClassLoaded')) {
 			return $return;
 		}
 
+		/**
+		* Used during in evaled code to replace PHP count function for PHP 8 compatibility
+		* @var variable to be counted
+		*/
+		private function _tpl_count($var)
+		{
+			$retvar = 0;
+			if(isset($var)) {
+				if(is_array($var)) {
+					$retvar = count($var);
+				} elseif(is_null($var)) {
+					$retvar = 0;
+				} else {
+					$retvar = 1;
+				}
+			} else {
+				$retvar = 0;
+			}
+			return $retvar;
+		}
+
 		/*- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     The following functions have no use and are included just so that if the user
     is making use of vlibTemplateCache functions, this doesn't crash when changed to

install/lib/compatibility.inc.php

+<?php
+
+/*
+Copyright (c) 2021, Jesse Norell <jesse@kci.net>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* random_bytes can be dropped when php 5.6 support is dropped */
+if (! function_exists('random_bytes')) {
+	function random_bytes($length) {
+		return openssl_random_pseudo_bytes($length);
+	}
+}
+
+/* random_int can be dropped when php 5.6 support is dropped */
+if (! function_exists('random_int')) {
+	function random_int($min=null, $max=null) {
+		if (null === $min) {
+			$min = PHP_INT_MIN;
+		}
+
+		if (null === $max) {
+			$min = PHP_INT_MAX;
+		}
+
+		if (!is_int($min) || !is_int($max)) {
+			trigger_error('random_int: $min and $max must be integer values', E_USER_NOTICE);
+			$min = (int)$min;
+			$max = (int)$max;
+		}
+
+		if ($min > $max) {
+			trigger_error('random_int: $max can\'t be lesser than $min', E_USER_WARNING);
+			return null;
+		}
+
+		$range = $counter = $max - $min;
+		$bits = 1;
+
+		while ($counter >>= 1) {
+			++$bits;
+		}
+
+		$bytes = (int)max(ceil($bits/8), 1);
+		$bitmask = pow(2, $bits) - 1;
+
+		if ($bitmask >= PHP_INT_MAX) {
+			$bitmask = PHP_INT_MAX;
+		}
+
+		do {
+			$result = hexdec(bin2hex(random_bytes($bytes))) & $bitmask;
+		} while ($result > $range);
+
+		return $result + $min;
+	}
+}

install/lib/install.lib.php

@@ -29,6 +29,9 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 error_reporting(E_ALL|E_STRICT);
 
+if(version_compare(phpversion(), '7.0', '<')) {
+	require_once 'compatibility.inc.php';
+}
 
 $FILE = realpath('../install.php');
 
@@ -82,7 +85,7 @@ function get_distname() {
 				}
 				
 				$distname = 'Ubuntu';
-				$distid = 'debian40';
+				$distid = 'debian60';
 				$distbaseid = 'debian';
 
 				preg_match("/.*VERSION=\"(.*)\".*/ui", $os_release, $ver);
@@ -95,6 +98,14 @@ function get_distname() {
 				$mainver = current($mainver).'.'.next($mainver);
 			}
 			switch ($mainver){
+			case "24.04":
+				$relname = "(Noble Numbat)";
+				$distconfid = 'ubuntu2404';
+				break;
+			case "22.04":
+				$relname = "(Jammy Jellyfish)";
+				$distconfid = 'ubuntu2204';
+				break;
 			case "20.04":
 				$relname = "(Focal Fossa)";
 				$distconfid = 'ubuntu2004';
@@ -238,6 +249,20 @@ function get_distname() {
 			$distid = 'debian60';
 			$distbaseid = 'debian';
 			swriteln("Operating System: Debian 10.0 (Buster) or compatible\n");
+		} elseif(substr(trim(file_get_contents('/etc/debian_version')),0,2) == '11') {
+			$distname = 'Debian';
+			$distver = 'Bullseye';
+			$distconfid = 'debian110';
+			$distid = 'debian60';
+			$distbaseid = 'debian';
+			swriteln("Operating System: Debian 11.0 (Bullseye) or compatible\n");
+		} elseif(substr(trim(file_get_contents('/etc/debian_version')),0,2) == '12') {
+			$distname = 'Debian';
+			$distver = 'Bookworm';
+			$distconfid = 'debian120';
+			$distid = 'debian60';
+			$distbaseid = 'debian';
+			swriteln("Operating System: Debian 12.0 (Bookworm) or compatible\n");
 		} elseif(strstr(trim(file_get_contents('/etc/debian_version')), '/sid')) {
 			$distname = 'Debian';
 			$distver = 'Testing';
@@ -249,7 +274,7 @@ function get_distname() {
 			$distname = 'Debian';
 			$distver = 'Unknown';
 			$distid = 'debian60';
-			$distconfid = 'debian100';
+			$distconfid = 'debian120';
 			$distbaseid = 'debian';
 			swriteln("Operating System: Debian or compatible, unknown version.\n");
 		}
@@ -284,82 +309,92 @@ function get_distname() {
 		}
 	}
 
-
-	//** Redhat
-	elseif(file_exists('/etc/redhat-release')) {
+	//** RHEL (including compatible clones) & Fedora
+	elseif(file_exists('/etc/redhat-release') && file_exists('/etc/os-release')) {
+
+	$content = file_get_contents('/etc/os-release');
+
+	preg_match('/(?<=PRETTY_NAME=\").+?(?=\")/', $content, $prettyname);
+	preg_match('/(?<=NAME=\").+?(?=\")/', $content, $name);
+	preg_match('/(?<=VERSION=\").+?(?=\")/', $content, $version);
+	preg_match('/(?<=VERSION_ID=\").+?(?=\")/', $content, $versionid);
+
+	if(stristr($prettyname[0], 'Fedora 32 (Thirty Two)')) {
+		$distname = 'Fedora';
+		$distver = '32';
+		$distid = 'fedora32';
+		$distbaseid = 'fedora';
+		swriteln("Operating System: Fedora 32 or compatible\n");
+	} elseif(stristr($prettyname[0], 'Fedora 33 (Thirty Three)')) {
+		$distname = 'Fedora';
+		$distver = '33';
+		$distid = 'fedora33';
+		$distbaseid = 'fedora';
+		swriteln("Operating System: Fedora 33 or compatible\n");
+	//** RHEL 7 and compatible clones
+	} elseif(preg_match('/^(?:7|7\.[0-9]{1,2})$/', $versionid[0])) {
+		preg_match_all('/([0-9]{1,2})\.?([0-9]{0,2})\.?([0-9]*)/', file_get_contents('/etc/redhat-release'), $centos7_version);
+		$distname = $name[0];
+		$distver = is_array($centos7_version)? implode('.', array_filter(array($centos7_version[1][0],$centos7_version[2][0],$centos7_version[3][0]),'strlen')) : $version[0];
+		$distid = 'centos72';
+		$distbaseid = 'fedora';
+		swriteln("Operating System: " . $distname . " " .  $distver . "\n");
+	//** RHEL 8 and compatible clones
+	} elseif(preg_match('/^(?:8|8\.[0-9]{1,2})$/', $versionid[0])) {
+		$distname = $name[0];
+		$distver = $version[0];
+		$distid = 'centos80';
+		$distbaseid = 'fedora';
+		swriteln("Operating System: " . $prettyname[0] . "\n");
+	//** RHEL 9 and compatible clones
+	} elseif(preg_match('/^(?:9|9\.[0-9]{1,2})$/', $versionid[0])) {
+		$distname = $name[0];
+		$distver = $version[0];
+		$distid = 'centos90';
+		$distbaseid = 'fedora';
+		swriteln("Operating System: " . $prettyname[0] . "\n");
+	} else {
+		$distname = 'Redhat';
+		$distver = 'Unknown';
+		$distid = 'fedora9';
+		$distbaseid = 'fedora';
+		swriteln("Operating System: Redhat or compatible\n");
+	}
+	//** CentOS 6
+	} elseif(file_exists('/etc/redhat-release') && !file_exists('/etc/os-release') && !file_exists('/etc/els-release')) {
 
 		$content = file_get_contents('/etc/redhat-release');
 
-		if(stristr($content, 'Fedora release 9 (Sulphur)')) {
-			$distname = 'Fedora';
-			$distver = '9';
-			$distid = 'fedora9';
-			$distbaseid = 'fedora';
-			swriteln("Operating System: Fedora 9 or compatible\n");
-		} elseif(stristr($content, 'Fedora release 10 (Cambridge)')) {
-			$distname = 'Fedora';
-			$distver = '10';
-			$distid = 'fedora9';
-			$distbaseid = 'fedora';
-			swriteln("Operating System: Fedora 10 or compatible\n");
-		} elseif(stristr($content, 'Fedora release 10')) {
-			$distname = 'Fedora';
-			$distver = '11';
-			$distid = 'fedora9';
-			$distbaseid = 'fedora';
-			swriteln("Operating System: Fedora 11 or compatible\n");
-		} elseif(stristr($content, 'CentOS release 5.2 (Final)')) {
-			$distname = 'CentOS';
-			$distver = '5.2';
-			$distid = 'centos52';
-			$distbaseid = 'fedora';
-			swriteln("Operating System: CentOS 5.2 or compatible\n");
-		} elseif(stristr($content, 'CentOS release 5.3 (Final)')) {
-			$distname = 'CentOS';
-			$distver = '5.3';
+		if(stristr($content, 'CentOS Linux release 6') || stristr($content, 'CentOS release 6')) {
+			preg_match_all('/(6\.?([0-9]{0,2})\.?(\s)?([a-zA-Z()]+))$/', $content, $centos6_version);
+			$distname = 'CentOS Linux';
+			$distver = $centos6_version[0][0] ? $centos6_version[0][0] : '6';
 			$distid = 'centos53';
 			$distbaseid = 'fedora';
-			swriteln("Operating System: CentOS 5.3 or compatible\n");
-		} elseif(stristr($content, 'CentOS release 5')) {
-			$distname = 'CentOS';
+			swriteln("Operating System: " . $distname . " " .  $distver . "\n");
+        } else {
+			$distname = 'Redhat';
 			$distver = 'Unknown';
-			$distid = 'centos53';
+			$distid = 'fedora9';
 			$distbaseid = 'fedora';
-			swriteln("Operating System: CentOS 5 or compatible\n");
-		} elseif(stristr($content, 'CentOS Linux release 6') || stristr($content, 'CentOS release 6')) {
-			$distname = 'CentOS';
-			$distver = 'Unknown';
+		}
+	//** CentOS 6 Extended Lifecycle Support by CloudLinux
+	} elseif(file_exists('/etc/redhat-release') && file_exists('/etc/els-release') && !file_exists('/etc/os-release')) {
+
+		$content = file_get_contents('/etc/els-release');
+
+		if(stristr($content, 'CentOS Linux release 6') || stristr($content, 'CentOS release 6')) {
+			preg_match_all('/(6)\.?([0-9]{0,2})?\.?\s([a-zA-Z(), ]+)?$/', $content, $centos6_version);
+			$distname = 'CentOS Linux';
+			$distver = $centos6_version[0][0] ? $centos6_version[0][0] : '6';
 			$distid = 'centos53';
 			$distbaseid = 'fedora';
-			swriteln("Operating System: CentOS 6 or compatible\n");
-		} elseif(stristr($content, 'CentOS Linux release 7')) {
-			$distname = 'CentOS';
-			$distver = 'Unknown';
-			$distbaseid = 'fedora';
-			$var=explode(" ", $content);
-			$var=explode(".", $var[3]);
-			$var=$var[0].".".$var[1];
-			if($var=='7.0' || $var=='7.1') {
-				$distid = 'centos70';
-			} else {
-				$distid = 'centos72';
-			}
-			swriteln("Operating System: CentOS $var\n");
-        } elseif(stristr($content, 'CentOS Linux release 8')) {
-			$distname = 'CentOS';
-			$distver = 'Unknown';
-			$distbaseid = 'fedora';
-			$distid = 'centos80';
-			$var=explode(" ", $content);
-			$var=explode(".", $var[3]);
-			$var=$var[0].".".$var[1];
-			swriteln("Operating System: CentOS $var\n");
+			swriteln("Operating System: " . $distname . " " .  $distver . "\n");
 		} else {
 			$distname = 'Redhat';
 			$distver = 'Unknown';
 			$distid = 'fedora9';
 			$distbaseid = 'fedora';
-			swriteln("Operating System: Redhat or compatible, unknown version.\n");
 		}
 	}
 
@@ -523,16 +558,15 @@ function remove_blank_lines($input, $file = 1){
 		$content = $input;
 	}
 	$lines = explode("\n", $content);
+	$new_lines = array();
 	if(!empty($lines)){
 		foreach($lines as $line){
 			if(trim($line) != '') $new_lines[] = $line;
 		}
 	}
-	if(is_array($new_lines)){
-		$content = implode("\n", $new_lines);
-	} else {
-		$content = '';
-	}
+
+	$content = implode("\n", $new_lines);
+
 	if($file){
 		wf($input, $content);
 	}else{
@@ -823,7 +857,7 @@ function is_installed($appname) {
 
 function get_ispconfig_port_number() {
 	global $conf;
-	if($conf['nginx']['installed'] == true){
+	if(is_file($conf['nginx']['vhost_conf_dir'].'/ispconfig.vhost')) {
 		$ispconfig_vhost_file = $conf['nginx']['vhost_conf_dir'].'/ispconfig.vhost';
 		$regex = '/listen (\d+)/';
 	} else {
@@ -849,7 +883,7 @@ function get_ispconfig_port_number() {
 
 function get_apps_vhost_port_number() {
 	global $conf;
-	if($conf['nginx']['installed'] == true){
+	if(is_file($conf['nginx']['vhost_conf_dir'].'/apps.vhost')) {
 		$ispconfig_vhost_file = $conf['nginx']['vhost_conf_dir'].'/apps.vhost';
 		$regex = '/listen (\d+)/';
 	} else {
@@ -870,9 +904,8 @@ function get_apps_vhost_port_number() {
 }
 
 /*
-* Get the port number of the ISPConfig controlpanel vhost
-*/
-
+ * Check if SSL is anabled in the ISPConfig controlpanel vhost.
+ */
 function is_ispconfig_ssl_enabled() {
 	global $conf;
 	$ispconfig_vhost_file = $conf['apache']['vhost_conf_dir'].'/ispconfig.vhost';

install/lib/installer_base.lib.php

@@ -28,14 +28,13 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
-class installer_base {
+class installer_base extends stdClass {
 
 	var $wb = array();
 	var $language = 'en';
 	var $db;
 	public $install_ispconfig_interface = true;
-	public $is_update = false; // true if it is an update, falsi if it is a new install
-	public $min_php = '5.4'; // minimal php-version for update / install
+	public $is_update = false; // true if it is an update, false if it is a new install
 	protected $mailman_group = 'list';
 
 
@@ -43,6 +42,30 @@ class installer_base {
 		global $conf; //TODO: maybe $conf  should be passed to constructor
 	}
 
+	private function install_acme() {
+		$install_cmd = 'wget -O -  https://get.acme.sh | sh';
+		$ret = null;
+		$val = 0;
+		exec($install_cmd . ' 2>&1', $ret, $val);
+
+		return ($val == 0 ? true : false);
+	}
+
+	public function update_acme() {
+		$acme = explode("\n", (string)shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh 2> /dev/null'));
+		$acme = reset($acme);
+		$val = 0;
+
+		if($acme && is_executable($acme)) {
+			$cmd = $acme . ' --upgrade --auto-upgrade ; ' . $acme . ' --set-default-ca --server letsencrypt';
+			$ret = null;
+			$val = 0;
+			exec($cmd. ' 2>&1', $ret, $val);
+		}
+
+		return ($val == 0 ? true : false);
+	}
+
 	//: TODO  Implement the translation function and language files for the installer.
 	public function lng($text) {
 		return $text;
@@ -60,13 +83,13 @@ class installer_base {
 		global $autoinstall, $autoupdate;
 		$finished = false;
 		do {
-			if($name != '' && $autoinstall[$name] != '') {
+			if($name != '' && isset($autoinstall[$name]) && $autoinstall[$name] != '') {
 				if($autoinstall[$name] == 'default') {
 					$input = $default;
 				} else {
 					$input = $autoinstall[$name];
 				}
-			} elseif($name != '' && $autoupdate[$name] != '') {
+			} elseif($name != '' && isset($autoupdate[$name]) && $autoupdate[$name] != '') {
 				if($autoupdate[$name] == 'default') {
 					$input = $default;
 				} else {
@@ -103,13 +126,13 @@ class installer_base {
 
 	public function free_query($query, $default, $name = '') {
 		global $autoinstall, $autoupdate;
-		if($name != '' && $autoinstall[$name] != '') {
+		if($name != '' && isset($autoinstall[$name]) && $autoinstall[$name] != '') {
 			if($autoinstall[$name] == 'default') {
 				$input = $default;
 			} else {
 				$input = $autoinstall[$name];
 			}
-		} elseif($name != '' && $autoupdate[$name] != '') {
+		} elseif($name != '' && isset($autoupdate[$name]) && $autoupdate[$name] != '') {
 			if($autoupdate[$name] == 'default') {
 				$input = $default;
 			} else {
@@ -151,10 +174,33 @@ class installer_base {
 		}
 	}
 
-	//** Detect PHP-Version
-	public function get_php_version() {
-		if(version_compare(PHP_VERSION, $this->min_php, '<')) return false;
-		else return true;
+	public function crypt_password($cleartext_password, $charset = 'UTF-8') {
+		if($charset != 'UTF-8') {
+			$cleartext_password = mb_convert_encoding($cleartext_password, $charset, 'UTF-8');
+		}
+
+		if(defined('CRYPT_SHA512') && CRYPT_SHA512 == 1) {
+			$salt = '$6$rounds=5000$';
+			$salt_length = 16;
+		} elseif(defined('CRYPT_SHA256') && CRYPT_SHA256 == 1) {
+			$salt = '$5$rounds=5000$';
+			$salt_length = 16;
+		} else {
+			$salt = '$1$';
+			$salt_length = 12;
+		}
+
+		// todo: replace the below with password_hash() when we drop php5.4 support
+		if(function_exists('openssl_random_pseudo_bytes')) {
+			$salt .= substr(bin2hex(openssl_random_pseudo_bytes($salt_length)), 0, $salt_length);
+		} else {
+			$base64_alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
+			for($n = 0; $n < $salt_length; $n++) {
+				$salt .= $base64_alphabet[mt_rand(0, 63)];
+			}
+		}
+		$salt .= "$";
+		return crypt($cleartext_password, $salt);
 	}
 
 	//** Detect installed applications
@@ -180,6 +226,7 @@ class installer_base {
 		if(is_installed('named') || is_installed('bind') || is_installed('bind9')) $conf['bind']['installed'] = true;
 		if(is_installed('squid')) $conf['squid']['installed'] = true;
 		if(is_installed('nginx')) $conf['nginx']['installed'] = true;
+		if(is_installed('apparmor_status')) $conf['apparmor']['installed'] = true;
 		if(is_installed('iptables') && is_installed('ufw')) {
 			$conf['ufw']['installed'] = true;
 		} elseif(is_installed('iptables')) {
@@ -192,23 +239,64 @@ class installer_base {
 		// if(is_installed('vlogger')) $conf['vlogger']['installed'] = true;
 		// ISPConfig ships with vlogger, so it is always installed.
 		$conf['vlogger']['installed'] = true;
-		if(is_installed('cron') || is_installed('anacron')) $conf['cron']['installed'] = true;
+		if(is_installed('crontab')) $conf['cron']['installed'] = true;
 
 		if (($conf['apache']['installed'] && is_file($conf['apache']["vhost_conf_enabled_dir"]."/000-ispconfig.vhost")) || ($conf['nginx']['installed'] && is_file($conf['nginx']["vhost_conf_enabled_dir"]."/000-ispconfig.vhost"))) $this->ispconfig_interface_installed = true;
 	}
 
 	//** Check prerequisites
 	public function check_prerequisites() {
+		global $conf;
+
 		$msg = '';
 
-		if(version_compare(phpversion(), '5.4', '<')) $msg .= "PHP Version 5.4 or newer is required. The currently used PHP version is ".phpversion().".\n";
+		if ($conf['default_php'] != '') {
+			if(version_compare(phpversion('tidy'), $conf['default_php'], '==')) $msg .= "Your PHP version is not the OS default. Change the PHP version back to the default version of the OS. The currently used PHP version is " . phpversion() . "The default version for your OS is PHP " . $conf['default_php'] . ".\n";
+		}
+		if(version_compare(phpversion(), '7.0', '<')) $msg .= "PHP Version 7.0 or newer is required. The currently used PHP version is " . phpversion() . ".\n";
+		//if(version_compare(phpversion(), '8.2', '>=')) $msg .= "PHP Version 8.2+ is not supported yet. Change the PHP version back to the default version of the OS. The currently used PHP version is " . phpversion() . ".\n";
 		if(!function_exists('curl_init')) $msg .= "PHP Curl Module is missing.\n";
 		if(!function_exists('mysqli_connect')) $msg .= "PHP MySQLi Module is nmissing.\n";
 		if(!function_exists('mb_detect_encoding')) $msg .= "PHP Multibyte Module (MB) is missing.\n";
+        if(!function_exists('openssl_pkey_get_details')) $msg .= "PHP OpenSSL fiúnctions are missing.\n";
 
 		if($msg != '') die($msg);
 	}
 
+	//** Check MySQL version
+	public function check_mysql_version() {
+		global $conf;
+
+		// Set MariaDB version to 10.0.5 and MySQL version to 8.0.4 after CentOS 7 support ended to allow preg_* functions in SQL queries
+		$min_mariadb_version = '5.5';
+		$min_mysql_version = '5.5';
+
+		$rec = $this->db->queryOneRecord('SELECT VERSION() as mysql_version');
+		if(is_array($rec)) {
+			$version = $rec['mysql_version'];
+		} else {
+			die("Unable to get MySQL or compatible version\n");
+		}
+
+		if(strpos($version,'MariaDB')) {
+			// We have MariaDB
+			$parts = explode('-',$version);
+			$version = $parts[0];
+			if(version_compare($version, $min_mariadb_version, '<')) {
+				die("Minimum required MariaDB version is " . $min_mariadb_version . ",found " . $version . "\n");
+			} else {
+				swriteln("Checking MariaDB version " . $version . " .. OK");
+			}
+		} else {
+			// We have MySQL or Percona
+			if(version_compare($version, $min_mysql_version, '<')) {
+				die("Minimum required MySQL or compatible version is " . $min_mysql_version . ",found " . $version . "\n");
+			} else {
+				swriteln("Checking MySQL or compatible version " . $version . " .. OK");
+			}
+		}
+	}
+
     public function force_configure_app($service, $enable_force=true) {
 		$force = false;
 		if(AUTOINSTALL == true) return false;
@@ -349,7 +437,7 @@ class installer_base {
 		$tpl_ini_array['fastcgi']['fastcgi_bin'] = $conf['fastcgi']['fastcgi_bin'];
 		$tpl_ini_array['server']['hostname'] = $conf['hostname'];
 		$tpl_ini_array['server']['ip_address'] = @gethostbyname($conf['hostname']);
-		$tpl_ini_array['server']['firewall'] = ($conf['ufw']['installed'] == true)?'ufw':'bastille';
+		$tpl_ini_array['server']['firewall'] = (@$conf['ufw']['installed'] == true)?'ufw':'bastille';
 		$tpl_ini_array['web']['website_basedir'] = $conf['web']['website_basedir'];
 		$tpl_ini_array['web']['website_path'] = $conf['web']['website_path'];
 		$tpl_ini_array['web']['website_symlinks'] = $conf['web']['website_symlinks'];
@@ -493,7 +581,7 @@ class installer_base {
 						0,
 						?,
 						?,
-						"y",
+						"n",
 						"80,443"
 					)', $conf['server_id'], $ip_type, $line);
 					$server_ip_id = $this->dbmaster->insertID();
@@ -512,7 +600,7 @@ class installer_base {
 						0,
 						?,
 						?,
-						"y",
+						"n",
 						"80,443"
 					)', $server_ip_id, $conf['server_id'], $ip_type, $line);
 				} else {
@@ -530,7 +618,7 @@ class installer_base {
 						0,
 						?,
 						?,
-						"y",
+						"n",
 						"80,443"
 					)', $conf['server_id'], $ip_type, $line);
 				}
@@ -646,9 +734,6 @@ class installer_base {
 				if ($verbose){
 					echo $query ."\n";
 				}
-				if(!$this->dbmaster->query($query, $value['db'] . '.software_update_inst', $value['user'], $host)) {
-					$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
-				}
 
 				$query = "GRANT SELECT, UPDATE(`updated`) ON ?? TO ?@?";
 				if ($verbose){
@@ -666,6 +751,14 @@ class installer_base {
 					$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
 				}
 
+				$query = "GRANT SELECT ON ?? TO ?@?";
+				if ($verbose){
+					echo $query ."\n";
+				}
+				if(!$this->dbmaster->query($query, $value['db'] . '.web_database', $value['user'], $host)) {
+					$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
+				}
+
 				$query = "GRANT SELECT ON ?? TO ?@?";
 				if ($verbose){
 					echo $query ."\n";
@@ -682,7 +775,7 @@ class installer_base {
 					$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
 				}
 
-				$query = "GRANT SELECT, INSERT , DELETE ON ?? TO ?@?";
+				$query = "GRANT SELECT, INSERT, UPDATE, DELETE ON ?? TO ?@?";
 				if ($verbose){
 					echo $query ."\n";
 				}
@@ -738,7 +831,7 @@ class installer_base {
 					$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
 				}
 
-				$query = "GRANT SELECT, UPDATE(`dnssec_initialized`, `dnssec_info`, `dnssec_last_signed`) ON ?? TO ?@?";
+				$query = "GRANT SELECT, UPDATE(`dnssec_initialized`, `dnssec_info`, `dnssec_last_signed`, `rendered_zone`) ON ?? TO ?@?";
 				if ($verbose){
 					echo $query ."\n";
 				}
@@ -754,6 +847,14 @@ class installer_base {
 					$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
 				}
 
+				$query = "GRANT SELECT, INSERT ON ?? TO ?@?";
+				if ($verbose){
+					echo $query ."\n";
+				}
+				if(!$this->dbmaster->query($query, $value['db'] . '.server_php', $value['user'], $host)) {
+					$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
+				}
+
 			}
 
 		}
@@ -780,9 +881,9 @@ class installer_base {
 			$addr_cleanup = "'%u'";
 			foreach (str_split($out[0]) as $delim) {
 				$recipient_delimiter = $this->db->escape( str_replace('%', '%%', $delim) );
-				$addr_cleanup = "SUBSTRING_INDEX(${addr_cleanup}, '${recipient_delimiter}', 1)";
+				$addr_cleanup = "SUBSTRING_INDEX({$addr_cleanup}, '{$recipient_delimiter}', 1)";
 			}
-			$no_addr_extension = "CONCAT(${addr_cleanup}, '@%d')";
+			$no_addr_extension = "CONCAT({$addr_cleanup}, '@%d')";
 		} else {
 			$no_addr_extension = "''";
 		}
@@ -813,20 +914,22 @@ class installer_base {
 		$config_dir = $cf['config_dir'];
 		$jk_init = $cf['jk_init'];
 		$jk_chrootsh = $cf['jk_chrootsh'];
+		$dest_jk_init = 'jk_init.ini';
+		$dest_jk_chrootsh = 'jk_chrootsh.ini';
 
 		if (is_dir($config_dir)) {
-			if(is_file($config_dir.'/'.$jk_init)) copy($config_dir.'/'.$jk_init, $config_dir.'/'.$jk_init.'~');
-			if(is_file($config_dir.'/'.$jk_chrootsh.'.master')) copy($config_dir.'/'.$jk_chrootsh.'.master', $config_dir.'/'.$jk_chrootsh.'~');
+			if(is_file($config_dir.'/'.$jk_init)) copy($config_dir.'/'.$jk_init, $config_dir.'/'.$dest_jk_init.'~');
+			if(is_file($config_dir.'/'.$jk_chrootsh)) copy($config_dir.'/'.$jk_chrootsh, $config_dir.'/'.$dest_jk_chrootsh.'~');
 
 			if(is_file($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$jk_init.'.master')) {
-				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$jk_init.'.master', $config_dir.'/'.$jk_init);
+				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$jk_init.'.master', $config_dir.'/'.$dest_jk_init);
 			} else {
-				copy('tpl/'.$jk_init.'.master', $config_dir.'/'.$jk_init);
+				copy('tpl/'.$jk_init.'.master', $config_dir.'/'.$dest_jk_init);
 			}
 			if(is_file($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$jk_chrootsh.'.master')) {
-				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$jk_chrootsh.'.master', $config_dir.'/'.$jk_chrootsh);
+				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$jk_chrootsh.'.master', $config_dir.'/'.$dest_jk_chrootsh);
 			} else {
-				copy('tpl/'.$jk_chrootsh.'.master', $config_dir.'/'.$jk_chrootsh);
+				copy('tpl/'.$jk_chrootsh.'.master', $config_dir.'/'.$dest_jk_chrootsh);
 			}
 		}
 
@@ -839,6 +942,20 @@ class installer_base {
 	public function configure_mailman($status = 'insert') {
 		global $conf;
 
+		// Fix for #6314: bug on Debian 11 systems where Mailman3 is not available and broken routes exist in the Mailman config
+		$data_dir = '/var/lib/mailman';
+		if (($conf['mailman']['installed'] != true) && is_dir($data_dir)) {
+			rename($data_dir, $data_dir . '-bk');
+			//* Create the mailman files
+			if(!is_dir('/var/lib/mailman/data')) exec('mkdir -p /var/lib/mailman/data');
+			if(!is_file('/var/lib/mailman/data/aliases')) touch('/var/lib/mailman/data/aliases');
+			exec('postmap /var/lib/mailman/data/aliases');
+			if(!is_file('/var/lib/mailman/data/virtual-mailman')) touch('/var/lib/mailman/data/virtual-mailman');
+			exec('postmap /var/lib/mailman/data/virtual-mailman');
+			if(!is_file('/var/lib/mailman/data/transport-mailman')) touch('/var/lib/mailman/data/transport-mailman');
+			exec('postmap /var/lib/mailman/data/transport-mailman');
+		}
+
 		$config_dir = $conf['mailman']['config_dir'].'/';
 		$full_file_name = $config_dir.'mm_cfg.py';
 		//* Backup exiting file
@@ -955,6 +1072,7 @@ class installer_base {
 
 			# reduce 3 or more newlines to 2
 			$content = rf($conf['postfix']['config_dir'].'/master.cf');
+			$content = preg_replace( '/^# Data returning from Amavis .*$/m', '', $content );  # Cleanup comment we generated
 			$content = preg_replace( '/(\r?\n){3,}/', '$1$1', $content );
 			wf( $conf['postfix']['config_dir'].'/master.cf', $content );
 
@@ -1001,6 +1119,14 @@ class installer_base {
 		return true;
 	}
 
+	public function get_postfix_version() {
+		//* Get postfix version
+		exec('postconf -d mail_version 2>&1', $out);
+		$postfix_version = preg_replace('/.*=\s*/', '', $out[0]);
+		unset($out);
+		return $postfix_version;
+	}
+
 	public function configure_postfix($options = '') {
 		global $conf,$autoinstall;
 		$cf = $conf['postfix'];
@@ -1010,63 +1136,14 @@ class installer_base {
 			$this->error("The postfix configuration directory '$config_dir' does not exist.");
 		}
 
-		//* Get postfix version
-		exec('postconf -d mail_version 2>&1', $out);
-		$postfix_version = preg_replace('/.*=\s*/', '', $out[0]);
-		unset($out);
-
-		//* mysql-virtual_domains.cf
-		$this->process_postfix_config('mysql-virtual_domains.cf');
-
-		//* mysql-virtual_forwardings.cf
-		$this->process_postfix_config('mysql-virtual_forwardings.cf');
-
-		//* mysql-virtual_alias_domains.cf
-		$this->process_postfix_config('mysql-virtual_alias_domains.cf');
-
-		//* mysql-virtual_alias_maps.cf
-		$this->process_postfix_config('mysql-virtual_alias_maps.cf');
-
-		//* mysql-virtual_mailboxes.cf
-		$this->process_postfix_config('mysql-virtual_mailboxes.cf');
-
-		//* mysql-virtual_email2email.cf
-		$this->process_postfix_config('mysql-virtual_email2email.cf');
-
-		//* mysql-virtual_transports.cf
-		$this->process_postfix_config('mysql-virtual_transports.cf');
-
-		//* mysql-virtual_recipient.cf
-		$this->process_postfix_config('mysql-virtual_recipient.cf');
-
-		//* mysql-virtual_sender.cf
-		$this->process_postfix_config('mysql-virtual_sender.cf');
-
-		//* mysql-virtual_sender_login_maps.cf
-		$this->process_postfix_config('mysql-virtual_sender_login_maps.cf');
-
-		//* mysql-virtual_client.cf
-		$this->process_postfix_config('mysql-virtual_client.cf');
-
-		//* mysql-virtual_relaydomains.cf
-		$this->process_postfix_config('mysql-virtual_relaydomains.cf');
-
-		//* mysql-virtual_relayrecipientmaps.cf
-		$this->process_postfix_config('mysql-virtual_relayrecipientmaps.cf');
-
-		//* mysql-virtual_outgoing_bcc.cf
-		$this->process_postfix_config('mysql-virtual_outgoing_bcc.cf');
-
-		//* mysql-virtual_policy_greylist.cf
-		$this->process_postfix_config('mysql-virtual_policy_greylist.cf');
+		$postfix_version = $this->get_postfix_version();
 
-		//* mysql-virtual_gids.cf.master
-		$this->process_postfix_config('mysql-virtual_gids.cf');
-
-		//* mysql-virtual_uids.cf
-		$this->process_postfix_config('mysql-virtual_uids.cf');
+		//* Install virtual mappings
+		foreach (glob('tpl/mysql-virtual_*.master') as $filename) {
+			$this->process_postfix_config( basename($filename, '.master') );
+		}
 
-		//* mysql-virtual_alias_domains.cf
+		//* mysql-verify_recipients.cf
 		$this->process_postfix_config('mysql-verify_recipients.cf');
 
 		// test if lmtp if available
@@ -1103,9 +1180,9 @@ class installer_base {
 		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
 		unset($server_ini_rec);
 
-		//* If there are RBL's defined, format the list and add them to smtp_recipient_restrictions to prevent removeal after an update
+		//* If there are RBL's defined, format the list and add them to smtp_recipient_restrictions to prevent removal after an update
 		$rbl_list = '';
-		if (@isset($server_ini_array['mail']['realtime_blackhole_list']) && $server_ini_array['mail']['realtime_blackhole_list'] != '') {
+		if(@isset($server_ini_array['mail']['realtime_blackhole_list']) && $server_ini_array['mail']['realtime_blackhole_list'] != '') {
 			$rbl_hosts = explode(",", str_replace(" ", "", $server_ini_array['mail']['realtime_blackhole_list']));
 			foreach ($rbl_hosts as $key => $value) {
 				$rbl_list .= ", reject_rbl_client ". $value;
@@ -1115,13 +1192,13 @@ class installer_base {
 
 		//* If Postgrey is installed, configure it
 		$greylisting = '';
-		if($conf['postgrey']['installed'] == true) {
+		if(isset($conf['postgrey']['installed']) && ($conf['postgrey']['installed'] == true)) {
 			$greylisting = ', check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf';
 		}
 
 		$reject_sender_login_mismatch = '';
 		$reject_authenticated_sender_login_mismatch = '';
-		if (isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
+		if(isset($server_ini_array['mail']['reject_sender_login_mismatch']) && ($server_ini_array['mail']['reject_sender_login_mismatch'] == 'y')) {
 			$reject_sender_login_mismatch = ',reject_sender_login_mismatch,';
 			$reject_authenticated_sender_login_mismatch = 'reject_authenticated_sender_login_mismatch, ';
 		}
@@ -1131,11 +1208,11 @@ class installer_base {
 		$stress_adaptive = (isset($server_ini_array['mail']['stress_adaptive']) && ($server_ini_array['mail']['stress_adaptive'] == 'y')) ? '' : $stress_adaptive_placeholder;
 
 		$reject_unknown_client_hostname='';
-		if (isset($server_ini_array['mail']['reject_unknown']) && ($server_ini_array['mail']['reject_unknown'] == 'client' || $server_ini_array['mail']['reject_unknown'] == 'client_helo')) {
+		if(isset($server_ini_array['mail']['reject_unknown']) && ($server_ini_array['mail']['reject_unknown'] == 'client' || $server_ini_array['mail']['reject_unknown'] == 'client_helo')) {
 			$reject_unknown_client_hostname=',reject_unknown_client_hostname';
 		}
 		$reject_unknown_helo_hostname='';
-		if ((!isset($server_ini_array['mail']['reject_unknown'])) || $server_ini_array['mail']['reject_unknown'] == 'helo' || $server_ini_array['mail']['reject_unknown'] == 'client_helo') {
+		if((!isset($server_ini_array['mail']['reject_unknown'])) || $server_ini_array['mail']['reject_unknown'] == 'helo' || $server_ini_array['mail']['reject_unknown'] == 'client_helo') {
 			$reject_unknown_helo_hostname=',reject_unknown_helo_hostname';
 		}
 
@@ -1186,6 +1263,12 @@ class installer_base {
 		    $content = strtr($content, $postconf_placeholders);
 		    $postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content)));
 		}
+		$configfile = 'postfix_custom.conf';
+		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/' . $configfile . '.master')) {
+			$content = file_get_contents($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master');
+			$content = strtr($content, $postconf_placeholders);
+			$postconf_commands = array_merge($postconf_commands, array_filter(explode("\n", $content)));
+		}
 
 		// Remove comment lines, these would give fatal errors when passed to postconf.
 		$postconf_commands = array_filter($postconf_commands, function($line) { return preg_match('/^[^#]/', $line); });
@@ -1204,6 +1287,7 @@ class installer_base {
 		touch($config_dir.'/mime_header_checks');
 		touch($config_dir.'/nested_header_checks');
 		touch($config_dir.'/body_checks');
+		touch($config_dir.'/sasl_passwd');
 
 		//* Create the mailman files
 		if(!is_dir('/var/lib/mailman/data')) exec('mkdir -p /var/lib/mailman/data');
@@ -1273,7 +1357,7 @@ class installer_base {
 			$change_maildrop_flags = @(preg_match("/$quoted_regex/", $configfile))?false:true;
 		}
 		if ($change_maildrop_flags) {
-			//* Change maildrop service in posfix master.cf
+			//* Change maildrop service in postfix master.cf
 			if(is_file($config_dir.'/master.cf')) {
 				copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
 			}
@@ -1282,8 +1366,8 @@ class installer_base {
  			}
 			$configfile = $config_dir.'/master.cf';
 			$content = rf($configfile);
-			$content =	str_replace('flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}',
-						'flags=DRhu user='.$cf['vmail_username'].' argv=/usr/bin/maildrop -d '.$cf['vmail_username'].' ${extension} ${recipient} ${user} ${nexthop} ${sender}',
+			$content =	preg_replace('/flags=(DRX?hu) user=vmail argv=\/usr\/bin\/maildrop -d \${recipient}/',
+						'flags=$1 user='.$cf['vmail_username'].' argv=/usr/bin/maildrop -d '.$cf['vmail_username'].' \${extension} \${recipient} \${user} \${nexthop} \${sender}',
 						$content);
 			wf($configfile, $content);
 		}
@@ -1450,9 +1534,8 @@ class installer_base {
 		}
 
 		$config_dir = $conf['postfix']['config_dir'];
-		$quoted_config_dir = preg_quote($config_dir, '/');
-		$postfix_version = `postconf -d mail_version 2>/dev/null`;
-		$postfix_version = preg_replace( '/mail_version\s*=\s*(.*)\s*/', '$1', $postfix_version );
+		$quoted_config_dir = preg_quote($config_dir, '|');
+		$postfix_version = $this->get_postfix_version();
 
 		//* Configure master.cf and add a line for deliver
 		if(!$this->get_postfix_service('dovecot', 'unix')) {
@@ -1460,7 +1543,7 @@ class installer_base {
 			if(is_file($config_dir.'/master.cf')){
 				copy($config_dir.'/master.cf', $config_dir.'/master.cf~2');
 			}
-			if(is_file($config_dir.'/master.cf~')){
+			if(is_file($config_dir.'/master.cf~2')){
 				chmod($config_dir.'/master.cf~2', 0400);
 			}
 			//* Configure master.cf and add a line for deliver
@@ -1488,15 +1571,15 @@ class installer_base {
 		foreach ($options as $value) {
 			$value = trim($value);
 			if ($value == '') continue;
-			if (preg_match("|check_recipient_access\s+proxy:mysql:${quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
+			if (preg_match("|check_recipient_access\s+proxy:mysql:{$quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
 				continue;
 			}
 			$new_options[] = $value;
 		}
-		if ($configure_lmtp && $conf['mail']['content_filter'] === 'amavisd') {
+		if ($configure_lmtp && (!isset($conf['mail']['content_filter']) || $conf['mail']['content_filter'] === 'amavisd')) {
 			for ($i = 0; isset($new_options[$i]); $i++) {
 				if ($new_options[$i] == 'reject_unlisted_recipient') {
-					array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:${quoted_config_dir}/mysql-verify_recipients.cf"));
+					array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:{$config_dir}/mysql-verify_recipients.cf"));
 					break;
 				}
 			}
@@ -1538,6 +1621,13 @@ class installer_base {
 			} else {
 				copy('tpl/debian_dovecot2.conf.master', $config_dir.'/'.$configfile);
 			}
+			// Copy custom config file
+			if(is_file($conf['ispconfig_install_dir'].'/server/conf-custom/install/dovecot_custom.conf.master')) {
+				if(!@is_dir($config_dir . '/conf.d')) {
+					mkdir($config_dir . '/conf.d');
+				}
+				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/dovecot_custom.conf.master', $config_dir.'/conf.d/99-ispconfig-custom-config.conf');
+			}
 			replaceLine($config_dir.'/'.$configfile, 'postmaster_address = postmaster@example.com', 'postmaster_address = postmaster@'.$conf['hostname'], 1, 0);
 			replaceLine($config_dir.'/'.$configfile, 'postmaster_address = webmaster@localhost', 'postmaster_address = postmaster@'.$conf['hostname'], 1, 0);
 			if(version_compare($dovecot_version, 2.1, '<')) {
@@ -1556,20 +1646,24 @@ class installer_base {
 
 				// Check if we have a dhparams file and if not, create it
 				if(!file_exists('/etc/dovecot/dh.pem')) {
+					// Create symlink to ISPConfig dhparam file
+					swriteln('Creating symlink /etc/dovecot/dh.pem to ISPConfig DHParam file.');
+					symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', '/etc/dovecot/dh.pem');
+
+					/*
 					swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
 					if(file_exists('/var/lib/dovecot/ssl-parameters.dat')) {
 						// convert existing ssl parameters file
 						$command = 'dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem';
 						caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 					} else {
-						/*
-						   Create a new dhparams file. We use 2048 bit only as it simply takes too long
-						   on smaller systems to generate a 4096 bit dh file (> 30 minutes). If you need
-						   a 4096 bit file, create it manually before you install ISPConfig
-						*/
+						//Create a new dhparams file. We use 2048 bit only as it simply takes too long
+						//   on smaller systems to generate a 4096 bit dh file (> 30 minutes). If you need
+						//   a 4096 bit file, create it manually before you install ISPConfig
 						$command = 'openssl dhparam -out /etc/dovecot/dh.pem 2048';
 						caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 					}
+					*/
 				}
 				//remove #2.3+ comment
 				$content = file_get_contents($config_dir.'/'.$configfile);
@@ -1629,6 +1723,12 @@ class installer_base {
 	public function configure_amavis() {
 		global $conf;
 
+		//* These postconf commands will be executed on installation and update
+		$server_ini_rec = $this->db->queryOneRecord("SELECT mail_server, config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
+		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
+		$mail_server = $conf['services']['mail'];
+		unset($server_ini_rec);
+
 		// amavisd user config file
 		$configfile = 'amavisd_user_config';
 		if(is_file($conf['amavis']['config_dir'].'/conf.d/50-user')) copy($conf['amavis']['config_dir'].'/conf.d/50-user', $conf['amavis']['config_dir'].'/50-user~');
@@ -1641,64 +1741,85 @@ class installer_base {
 		$content = str_replace('{mysql_server_ip}', $conf['mysql']['ip'], $content);
 		wf($conf['amavis']['config_dir'].'/conf.d/50-user', $content);
 		chmod($conf['amavis']['config_dir'].'/conf.d/50-user', 0640);
+		chgrp($conf['amavis']['config_dir'].'/conf.d/50-user', 'amavis');
 
-		// TODO: chmod and chown on the config file
+		$config_dir = $conf['postfix']['config_dir'];
+		$quoted_config_dir = preg_quote($config_dir, '|');
 
-		// test if lmtp if available
-		$configure_lmtp = $this->get_postfix_service('lmtp','unix');
+		$mail_config = $server_ini_array['mail'];
+		//* only change postfix config if amavisd is active filter
+		if($mail_server && $mail_config['content_filter'] === 'amavisd') {
+			// test if lmtp if available
+			$configure_lmtp = $this->get_postfix_service('lmtp','unix');
+
+			// Adding the amavisd commands to the postfix configuration
+			$postconf_commands = array ();
+
+			// Check for amavisd -> pure webserver with postfix for mailing without antispam
+			if ($conf['amavis']['installed']) {
+				$content_filter_service = ($configure_lmtp) ? 'lmtp' : 'amavis';
+				$postconf_commands[] = "content_filter = {$content_filter_service}:[127.0.0.1]:10024";
+				$postconf_commands[] = 'receive_override_options = no_address_mappings';
+				$postconf_commands[] = 'address_verify_virtual_transport = smtp:[127.0.0.1]:10025';
+				$postconf_commands[] = 'address_verify_transport_maps = static:smtp:[127.0.0.1]:10025';
+			}
 
-		// Adding the amavisd commands to the postfix configuration
-		// Add array for no error in foreach and maybe future options
-		$postconf_commands = array ();
+			$options = preg_split("/,\s*/", exec("postconf -h smtpd_recipient_restrictions"));
+			$new_options = array();
+			foreach ($options as $value) {
+				$value = trim($value);
+				if ($value == '') continue;
+				if (preg_match("|check_recipient_access\s+proxy:mysql:{$quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
+					continue;
+				}
+				$new_options[] = $value;
+			}
+			if ($configure_lmtp) {
+				for ($i = 0; isset($new_options[$i]); $i++) {
+					if ($new_options[$i] == 'reject_unlisted_recipient') {
+						array_splice($new_options, $i+1, 0, array("check_recipient_access proxy:mysql:{$config_dir}/mysql-verify_recipients.cf"));
+						break;
+					}
+				}
+				$postfix_version = $this->get_postfix_version();
+				# postfix < 3.3 needs this when using reject_unverified_recipient:
+				if(version_compare($postfix_version, 3.3, '<')) {
+					$postconf_commands[] = "enable_original_recipient = yes";
+				}
+			}
+			$postconf_commands[] = "smtpd_recipient_restrictions = ".implode(", ", $new_options);
 
-		// Check for amavisd -> pure webserver with postfix for mailing without antispam
-		if ($conf['amavis']['installed']) {
-			$content_filter_service = ($configure_lmtp) ? 'lmtp' : 'amavis';
-			$postconf_commands[] = "content_filter = ${content_filter_service}:[127.0.0.1]:10024";
-			$postconf_commands[] = 'receive_override_options = no_address_mappings';
-		}
+			// Make a backup copy of the main.cf file
+			copy($conf['postfix']['config_dir'].'/main.cf', $conf['postfix']['config_dir'].'/main.cf~2');
 
-		// Make a backup copy of the main.cf file
-		copy($conf['postfix']['config_dir'].'/main.cf', $conf['postfix']['config_dir'].'/main.cf~2');
+			// Executing the postconf commands
+			foreach($postconf_commands as $cmd) {
+				$command = "postconf -e '$cmd'";
+				caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+			}
 
-		// Executing the postconf commands
-		foreach($postconf_commands as $cmd) {
-			$command = "postconf -e '$cmd'";
-			caselog($command." &> /dev/null", __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-		}
+			// Adding amavis-services to the master.cf file
 
-		$config_dir = $conf['postfix']['config_dir'];
+			// backup master.cf
+			if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
 
-		// Adding amavis-services to the master.cf file if the service does not already exists
-//		$add_amavis = !$this->get_postfix_service('amavis','unix');
-//		$add_amavis_10025 = !$this->get_postfix_service('127.0.0.1:10025','inet');
-//		$add_amavis_10027 = !$this->get_postfix_service('127.0.0.1:10027','inet');
-		//*TODO: check templates against existing postfix-services to make sure we use the template
+			// first remove the old service definitions
+			$this->remove_postfix_service('amavis','unix');
+			$this->remove_postfix_service('127.0.0.1:10025','inet');
+			$this->remove_postfix_service('127.0.0.1:10027','inet');
 
-		// Or just remove the old service definitions and add them again?
-		$add_amavis = $this->remove_postfix_service('amavis','unix');
-		$add_amavis_10025 = $this->remove_postfix_service('127.0.0.1:10025','inet');
-		$add_amavis_10027 = $this->remove_postfix_service('127.0.0.1:10027','inet');
+			// then add them back
+			$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
+			af($config_dir.'/master.cf', $content);
+			unset($content);
 
-		if ($add_amavis || $add_amavis_10025 || $add_amavis_10027) {
-			//* backup master.cf
-			if(is_file($config_dir.'/master.cf')) copy($config_dir.'/master.cf', $config_dir.'/master.cf~');
-			// adjust amavis-config
-			if($add_amavis) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis.master', 'tpl/master_cf_amavis.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10025) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-			}
-			if ($add_amavis_10027) {
-				$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
-				af($config_dir.'/master.cf', $content);
-				unset($content);
-    		}
+			$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10025.master', 'tpl/master_cf_amavis10025.master');
+			af($config_dir.'/master.cf', $content);
+			unset($content);
+
+			$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/master_cf_amavis10027.master', 'tpl/master_cf_amavis10027.master');
+			af($config_dir.'/master.cf', $content);
+			unset($content);
 		}
 
 		// Add the clamav user to the amavis group
@@ -1728,14 +1849,21 @@ class installer_base {
 		global $conf;
 
 		//* These postconf commands will be executed on installation and update
-		$server_ini_rec = $this->db->queryOneRecord("SELECT config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
+		$server_ini_rec = $this->db->queryOneRecord("SELECT mail_server, config FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
 		$server_ini_array = ini_to_array(stripslashes($server_ini_rec['config']));
+		$mail_server = $conf['services']['mail'];
 		unset($server_ini_rec);
 
+		$config_dir = $conf['postfix']['config_dir'];
+		$quoted_config_dir = preg_quote($config_dir, '|');
+
 		$mail_config = $server_ini_array['mail'];
-		if($mail_config['content_filter'] === 'rspamd') {
-			exec("postconf -X 'receive_override_options'");
-			exec("postconf -X 'content_filter'");
+		//* only change postfix config if rspamd is active filter
+		if($mail_server && $mail_config['content_filter'] === 'rspamd') {
+			exec("postconf -X receive_override_options");
+			exec("postconf -X content_filter");
+			exec("postconf -X address_verify_virtual_transport");
+			exec("postconf -X address_verify_transport_maps");
 
 			exec("postconf -e 'smtpd_milters = inet:localhost:11332'");
 			exec("postconf -e 'non_smtpd_milters = inet:localhost:11332'");
@@ -1760,11 +1888,18 @@ class installer_base {
 				$new_options[] = $value;
 			}
 			if ($mail_config['reject_sender_login_mismatch'] == 'y') {
-				array_splice($new_options, 0, 0, array('reject_authenticated_sender_login_mismatch'));
-
+				// insert before permit_mynetworks
 				for ($i = 0; isset($new_options[$i]); $i++) {
 					if ($new_options[$i] == 'permit_mynetworks') {
-						array_splice($new_options, $i+1, 0, array('reject_sender_login_mismatch'));
+						array_splice($new_options, $i, 0, array('reject_authenticated_sender_login_mismatch'));
+						break;
+					}
+				}
+
+				// insert before permit_sasl_authenticated
+				for ($i = 0; isset($new_options[$i]); $i++) {
+					if ($new_options[$i] == 'permit_sasl_authenticated') {
+						array_splice($new_options, $i, 0, array('reject_sender_login_mismatch'));
 						break;
 					}
 				}
@@ -1779,6 +1914,9 @@ class installer_base {
 				if (preg_match('/check_policy_service\s+inet:127.0.0.1:10023/', $value)) {
 					continue;
 				}
+				if (preg_match("|check_recipient_access\s+proxy:mysql:{$quoted_config_dir}/mysql-verify_recipients.cf|", $value)) {
+					continue;
+				}
 				$new_options[] = $value;
 			}
 			exec("postconf -e 'smtpd_recipient_restrictions = ".implode(", ", $new_options)."'");
@@ -1786,23 +1924,31 @@ class installer_base {
 		}
 
 		if(is_user('_rspamd') && is_group('amavis')) {
-			exec("usermod -G amavis _rspamd");
+			exec("usermod -a -G amavis _rspamd");
 		} elseif(is_user('rspamd') && is_group('amavis')) {
-			exec("usermod -G amavis rspamd");
+			exec("usermod -a -G amavis rspamd");
 		}
 
 		if(!is_dir('/etc/rspamd/local.d/')){
 			mkdir('/etc/rspamd/local.d/', 0755, true);
+			chmod('/etc/rspamd/local.d/', 0755);
+		}
+
+		if(!is_dir('/etc/rspamd/local.d/maps.d/')){
+			mkdir('/etc/rspamd/local.d/maps.d/', 0755, true);
+			chmod('/etc/rspamd/local.d/maps.d/', 0755);
 		}
 
 		if(!is_dir('/etc/rspamd/override.d/')){
 			mkdir('/etc/rspamd/override.d/', 0755, true);
+			chmod('/etc/rspamd/override.d/', 0755);
 		}
 
 		if ( substr($mail_config['dkim_path'], strlen($mail_config['dkim_path'])-1) == '/' ) {
 			$mail_config['dkim_path'] = substr($mail_config['dkim_path'], 0, strlen($mail_config['dkim_path'])-1);
 		}
 		$dkim_domains = $this->db->queryAllRecords('SELECT `dkim_selector`, `domain` FROM ?? WHERE `dkim` = ? ORDER BY `domain` ASC', $conf['mysql']['database'] . '.mail_domain', 'y');
+		# should move maps to local.d/maps.d/ ?
 		$fpp = fopen('/etc/rspamd/local.d/dkim_domains.map', 'w');
 		$fps = fopen('/etc/rspamd/local.d/dkim_selectors.map', 'w');
 		foreach($dkim_domains as $dkim_domain) {
@@ -1813,107 +1959,116 @@ class installer_base {
 		fclose($fps);
 		unset($dkim_domains);
 
-		$tpl = new tpl();
-		$tpl->newTemplate('rspamd_users.conf.master');
-
-		$whitelist_ips = array();
-		$ips = $this->db->queryAllRecords("SELECT * FROM server_ip WHERE server_id = ?", $conf['server_id']);
+		# look up values for use in template tags
+		$local_addrs = array();
+		$ips = $this->db->queryAllRecords('SELECT `ip_address`, `ip_type` FROM ?? WHERE `server_id` = ?', $conf['mysql']['database'].'.server_ip', $conf['server_id']);
 		if(is_array($ips) && !empty($ips)){
 			foreach($ips as $ip){
-				$whitelist_ips[] = array('ip' => $ip['ip_address']);
+				$local_addrs[] = array(
+					'ip' => $ip['ip_address'],
+					'quoted_ip' => "\"".$ip['ip_address']."\",\n"
+				);
 			}
 		}
-		$tpl->setLoop('whitelist_ips', $whitelist_ips);
-		wf('/etc/rspamd/local.d/users.conf', $tpl->grab());
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_groups.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_groups.conf.master /etc/rspamd/local.d/groups.conf');
-		} else {
-			exec('cp tpl/rspamd_groups.conf.master /etc/rspamd/local.d/groups.conf');
-		}
-
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_antivirus.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_antivirus.conf.master /etc/rspamd/local.d/antivirus.conf');
-		} else {
-			exec('cp tpl/rspamd_antivirus.conf.master /etc/rspamd/local.d/antivirus.conf');
-		}
-
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_classifier-bayes.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_classifier-bayes.conf.master /etc/rspamd/local.d/classifier-bayes.conf');
-		} else {
-			exec('cp tpl/rspamd_classifier-bayes.conf.master /etc/rspamd/local.d/classifier-bayes.conf');
-		}
+		# local.d templates with template tags
+		# note: ensure these template files are in server/conf/ and symlinked in install/tpl/
+		$local_d = array(
+			'dkim_signing.conf',	# dkim_signing.conf no longer uses template tags, could move below
+			'options.inc',
+			'redis.conf',
+			'classifier-bayes.conf',
+		);
+		foreach ($local_d as $f) {
+			$tpl = new tpl();
+			if (file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master")) {
+				$tpl->newTemplate($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master");
+			} else {
+				$tpl->newTemplate("rspamd_{$f}.master");
+			}
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_greylist.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_greylist.conf.master /etc/rspamd/local.d/greylist.conf');
-		} else {
-			exec('cp tpl/rspamd_greylist.conf.master /etc/rspamd/local.d/greylist.conf');
-		}
+			$tpl->setVar('dkim_path', $mail_config['dkim_path']);
+			$tpl->setVar('rspamd_redis_servers', (isset($mail_config['rspamd_redis_servers']) ? $mail_config['rspamd_redis_servers'] : ''));
+			$tpl->setVar('rspamd_redis_password', (isset($mail_config['rspamd_redis_password']) ? $mail_config['rspamd_redis_password'] : ''));
+			$tpl->setVar('rspamd_redis_bayes_servers', (isset($mail_config['rspamd_redis_bayes_servers']) ? $mail_config['rspamd_redis_bayes_servers'] : ''));
+			$tpl->setVar('rspamd_redis_bayes_password', (isset($mail_config['rspamd_redis_bayes_password']) ? $mail_config['rspamd_redis_bayes_password'] : ''));
+			if(count($local_addrs) > 0) {
+				$tpl->setLoop('local_addrs', $local_addrs);
+			}
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_symbols_antivirus.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_symbols_antivirus.conf.master /etc/rspamd/local.d/antivirus_group.conf');
-		} else {
-			exec('cp tpl/rspamd_symbols_antivirus.conf.master /etc/rspamd/local.d/antivirus_group.conf');
+			wf("/etc/rspamd/local.d/{$f}", $tpl->grab());
 		}
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_override_rbl.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_override_rbl.conf.master /etc/rspamd/override.d/rbl_group.conf');
-		} else {
-			exec('cp tpl/rspamd_override_rbl.conf.master /etc/rspamd/override.d/rbl_group.conf');
-		}
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_override_surbl.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_override_surbl.conf.master /etc/rspamd/override.d/surbl_group.conf');
-		} else {
-			exec('cp tpl/rspamd_override_surbl.conf.master /etc/rspamd/override.d/surbl_group.conf');
+		# local.d templates without template tags
+		$local_d = array(
+			'groups.conf',
+			'antivirus.conf',
+			'mx_check.conf',
+			'milter_headers.conf',
+			'neural.conf',
+			'neural_group.conf',
+			'users.conf',
+			'groups.conf',
+			'arc.conf',
+		);
+		foreach ($local_d as $f) {
+			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master")) {
+				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master /etc/rspamd/local.d/{$f}");
+			} else {
+				exec("cp tpl/rspamd_{$f}.master /etc/rspamd/local.d/{$f}");
+			}
 		}
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_mx_check.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_mx_check.conf.master /etc/rspamd/local.d/mx_check.conf');
-		} else {
-			exec('cp tpl/rspamd_mx_check.conf.master /etc/rspamd/local.d/mx_check.conf');
+		# override.d templates without template tags
+		$override_d = array(
+			'rbl_group.conf',
+			'surbl_group.conf',
+		);
+		foreach ($override_d as $f) {
+			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master")) {
+				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master /etc/rspamd/override.d/{$f}");
+			} else {
+				exec("cp tpl/rspamd_{$f}.master /etc/rspamd/override.d/{$f}");
+			}
 		}
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_redis.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_redis.conf.master /etc/rspamd/local.d/redis.conf');
-		} else {
-			exec('cp tpl/rspamd_redis.conf.master /etc/rspamd/local.d/redis.conf');
+		# local.d/maps.d templates without template tags
+		$maps_d = array(
+			'dkim_whitelist.inc.ispc',
+			'dmarc_whitelist.inc.ispc',
+			'spf_dkim_whitelist.inc.ispc',
+			'spf_whitelist.inc.ispc',
+		);
+		foreach ($maps_d as $f) {
+			if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master")) {
+				exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_{$f}.master /etc/rspamd/local.d/maps.d/{$f}");
+			} else {
+				exec("cp tpl/rspamd_{$f}.master /etc/rspamd/local.d/maps.d/{$f}");
+			}
 		}
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_milter_headers.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_milter_headers.conf.master /etc/rspamd/local.d/milter_headers.conf');
-		} else {
-			exec('cp tpl/rspamd_milter_headers.conf.master /etc/rspamd/local.d/milter_headers.conf');
+		# rename rspamd templates we no longer use
+		if(file_exists("/etc/rspamd/local.d/greylist.conf")) {
+			rename("/etc/rspamd/local.d/greylist.conf", "/etc/rspamd/local.d/greylist.old");
 		}
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_options.inc.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_options.inc.master /etc/rspamd/local.d/options.inc');
-		} else {
-			exec('cp tpl/rspamd_options.inc.master /etc/rspamd/local.d/options.inc');
-		}
+		exec('chmod a+r,-x+X /etc/rspamd/local.d/* /etc/rspamd/local.d/maps.d/* /etc/rspamd/override.d/*');
+		# protect passwords in these files
+		exec('chgrp _rspamd /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf');
+		exec('chmod 640 /etc/rspamd/local.d/redis.conf /etc/rspamd/local.d/classifier-bayes.conf');
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_neural.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_neural.conf.master /etc/rspamd/local.d/neural.conf');
-		} else {
-			exec('cp tpl/rspamd_neural.conf.master /etc/rspamd/local.d/neural.conf');
+		if(file_exists('/etc/rspamd/local.d/worker-controller.inc')) {
+			exec('chgrp _rspamd /etc/rspamd/local.d/worker-controller.inc');
+			exec('chmod 640 /etc/rspamd/local.d/worker-controller.inc');
 		}
 
-		if(file_exists($conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_neural_group.conf.master')) {
-			exec('cp '.$conf['ispconfig_install_dir'].'/server/conf-custom/install/rspamd_neural_group.conf.master /etc/rspamd/local.d/neural_group.conf');
-		} else {
-			exec('cp tpl/rspamd_neural_group.conf.master /etc/rspamd/local.d/neural_group.conf');
+		# unneccesary, since this was done above?
+		if(is_user('_rspamd') && is_group('amavis')) {
+			$command = 'usermod -a -G amavis _rspamd';
+			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 		}
 
-		$tpl = new tpl();
-		$tpl->newTemplate('rspamd_dkim_signing.conf.master');
-		$tpl->setVar('dkim_path', $mail_config['dkim_path']);
-		wf('/etc/rspamd/local.d/dkim_signing.conf', $tpl->grab());
-
-		exec('chmod a+r /etc/rspamd/local.d/* /etc/rspamd/override.d/*');
-
-		$command = 'usermod -a -G amavis _rspamd';
-		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-
 		if(strpos(rf('/etc/rspamd/rspamd.conf'), '.include "$LOCAL_CONFDIR/local.d/users.conf"') === false){
 			af('/etc/rspamd/rspamd.conf', '.include "$LOCAL_CONFDIR/local.d/users.conf"');
 		}
@@ -1934,7 +2089,11 @@ class installer_base {
 		unset($server_ini_string);
 
 		$tpl = new tpl();
-		$tpl->newTemplate('rspamd_worker-controller.inc.master');
+		if (file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_worker-controller.inc.master")) {
+			$tpl->newTemplate($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd_worker-controller.inc.master");
+		} else {
+			$tpl->newTemplate("rspamd_worker-controller.inc.master");
+		}
 		$rspamd_password = $mail_config['rspamd_password'];
 		$crypted_password = trim(exec('rspamadm pw -p ' . escapeshellarg($rspamd_password)));
 		if($crypted_password) {
@@ -1943,6 +2102,18 @@ class installer_base {
 		$tpl->setVar('rspamd_password', $rspamd_password);
 		wf('/etc/rspamd/local.d/worker-controller.inc', $tpl->grab());
 		chmod('/etc/rspamd/local.d/worker-controller.inc', 0644);
+
+		// rspamd.local.lua
+		if(file_exists($conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd.local.lua.master")) {
+			exec('cp '.$conf['ispconfig_install_dir']."/server/conf-custom/install/rspamd.local.lua.master /etc/rspamd/rspamd.local.lua");
+		} else {
+			exec("cp tpl/rspamd.local.lua.master /etc/rspamd/rspamd.local.lua");
+		}
+		if(file_exists('/etc/rspamd/rspamd.local.lua')) {
+			exec('chgrp _rspamd /etc/rspamd/rspamd.local.lua');
+			exec('chmod 640 /etc/rspamd/rspamd.local.lua');
+		}
+
 	}
 
 	public function configure_spamassassin() {
@@ -2049,17 +2220,17 @@ class installer_base {
 		}
 
 		//* Create the ISPConfig database user in the local database
-		$query = "GRANT ALL ON ?? TO ?@'localhost'";
-		if(!$this->db->query($query, $conf['powerdns']['database'] . '.*', $conf['mysql']['ispconfig_user'])) {
+		$query = "GRANT ALL ON ??.* TO ?@?";
+		if(!$this->db->query($query, $conf['powerdns']['database'], $conf['mysql']['ispconfig_user'], 'localhost')) {
 			$this->error('Unable to create user for powerdns database Error: '.$this->db->errorMessage);
 		}
 
 		//* load the powerdns databse dump
 		if($conf['mysql']['admin_password'] == '') {
-			caselog("mysql --default-character-set=".$conf['mysql']['charset']." -h '".$conf['mysql']['host']."' -u '".$conf['mysql']['admin_user']."' '".$conf['powerdns']['database']."' < '".ISPC_INSTALL_ROOT."/install/sql/powerdns.sql' &> /dev/null",
+			caselog("mysql --default-character-set=".$conf['mysql']['charset']." -h '".$conf['mysql']['host']."' -u '".$conf['mysql']['admin_user']."' --force '".$conf['powerdns']['database']."' < '".ISPC_INSTALL_ROOT."/install/sql/powerdns.sql' &> /dev/null",
 				__FILE__, __LINE__, 'read in ispconfig3.sql', 'could not read in powerdns.sql');
 		} else {
-			caselog("mysql --default-character-set=".$conf['mysql']['charset']." -h '".$conf['mysql']['host']."' -u '".$conf['mysql']['admin_user']."' -p'".$conf['mysql']['admin_password']."' '".$conf['powerdns']['database']."' < '".ISPC_INSTALL_ROOT."/install/sql/powerdns.sql' &> /dev/null",
+			caselog("mysql --default-character-set=".$conf['mysql']['charset']." -h '".$conf['mysql']['host']."' -u '".$conf['mysql']['admin_user']."' -p'".$conf['mysql']['admin_password']."' --force '".$conf['powerdns']['database']."' < '".ISPC_INSTALL_ROOT."/install/sql/powerdns.sql' &> /dev/null",
 				__FILE__, __LINE__, 'read in ispconfig3.sql', 'could not read in powerdns.sql');
 		}
 
@@ -2090,7 +2261,7 @@ class installer_base {
 
 		//* Backup exiting file
 		if(is_file($full_file_name)) {
-			copy($full_file_name, $config_dir.$configfile.'~');
+			copy($full_file_name, $full_file_name.'~');
 		}
 		$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
 		$content = str_replace('{mysql_server_ispconfig_user}', $conf['mysql']['ispconfig_user'], $content);
@@ -2241,13 +2412,17 @@ class installer_base {
 			replaceLine('/etc/apache2/ports.conf', 'Listen 443', 'Listen 443', 1);
 
 			// Comment out the namevirtualhost lines, as they were added by ispconfig in ispconfig.conf file again
-			replaceLine('/etc/apache2/ports.conf', 'NameVirtualHost *:80', '# NameVirtualHost *:80', 1);
-			replaceLine('/etc/apache2/ports.conf', 'NameVirtualHost *:443', '# NameVirtualHost *:443', 1);
+			replaceLine('/etc/apache2/ports.conf', 'NameVirtualHost *:80', '# NameVirtualHost *:80', 1, 0);
+			replaceLine('/etc/apache2/ports.conf', 'NameVirtualHost *:443', '# NameVirtualHost *:443', 1, 0);
 		}
 
 		if(is_file('/etc/apache2/mods-available/fcgid.conf')) {
 			// add or modify the parameters for fcgid.conf
-			replaceLine('/etc/apache2/mods-available/fcgid.conf','MaxRequestLen','MaxRequestLen 15728640',1);
+			if(hasLine('/etc/apache2/mods-available/fcgid.conf','MaxRequestLen')) {
+				replaceLine('/etc/apache2/mods-available/fcgid.conf','MaxRequestLen','  MaxRequestLen 15728640',1);
+			} else {
+				preg_replace('/^(.*\n)(.*)$/sU', '$1  MaxRequestLen 15728640\n$2', '/etc/apache2/mods-available/fcgid.conf');
+			}
 		}
 
 		if(is_file('/etc/apache2/apache.conf')) {
@@ -2402,6 +2577,13 @@ class installer_base {
 		exec('chown root:root '.$conf["squid"]["config_dir"].'/'.$configfile);
 	}
 
+	public function configure_apparmor() {
+		$configfile = 'apparmor_usr.sbin.named';
+		if(is_file('/etc/apparmor.d/local/usr.sbin.named')) copy('/etc/apparmor.d/local/usr.sbin.named', '/etc/apparmor.d/local/usr.sbin.named~');
+		$content = rf("tpl/".$configfile.".master");
+		wf('/etc/apparmor.d/local/usr.sbin.named', $content);
+	}
+
 	public function configure_ufw_firewall()
 	{
 		if($this->is_update == false) {
@@ -2437,17 +2619,20 @@ class installer_base {
 
 		$row = $this->db->queryOneRecord('SELECT * FROM ?? WHERE server_id = ?', $conf["mysql"]["database"] . '.firewall', $conf['server_id']);
 
-		if(trim($row['tcp_port']) != '' || trim($row['udp_port']) != '') {
-			$tcp_public_services = trim(str_replace(',', ' ', $row['tcp_port']));
-			$udp_public_services = trim(str_replace(',', ' ', $row['udp_port']));
-		} else {
-			$tcp_public_services = '21 22 25 53 80 110 143 443 3306 8080 10000';
-			$udp_public_services = '53';
-		}
+		$tcp_public_services = '21 22 25 53 80 110 143 443 3306 8080 10000';
+		$udp_public_services = '53';
+
+		if (!empty($row)) {
+			if(trim($row['tcp_port']) != '' || trim($row['udp_port']) != '') {
+				$tcp_public_services = trim(str_replace(',', ' ', $row['tcp_port']));
+				$udp_public_services = trim(str_replace(',', ' ', $row['udp_port']));
+			}
+
+			if(!stristr($tcp_public_services, $conf['apache']['vhost_port'])) {
+				$tcp_public_services .= ' '.intval($conf['apache']['vhost_port']);
+				if($row['tcp_port'] != '') $this->db->query("UPDATE firewall SET tcp_port = tcp_port + ? WHERE server_id = ?", ',' . intval($conf['apache']['vhost_port']), $conf['server_id']);
+			}
 
-		if(!stristr($tcp_public_services, $conf['apache']['vhost_port'])) {
-			$tcp_public_services .= ' '.intval($conf['apache']['vhost_port']);
-			if($row['tcp_port'] != '') $this->db->query("UPDATE firewall SET tcp_port = tcp_port + ? WHERE server_id = ?", ',' . intval($conf['apache']['vhost_port']), $conf['server_id']);
 		}
 
 		$content = str_replace('{TCP_PUBLIC_SERVICES}', $tcp_public_services, $content);
@@ -2522,7 +2707,7 @@ class installer_base {
 
 			//$command = 'adduser '.$conf['apache']['user'].' '.$apps_vhost_group;
 			$command = 'usermod -a -G '.$apps_vhost_group.' '.$conf['apache']['user'];
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+			caselog($command.' &> /dev/null 2>&1', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 			if(!@is_dir($install_dir)){
 				mkdir($install_dir, 0755, true);
@@ -2549,7 +2734,7 @@ class installer_base {
 			$tpl->setVar('apps_vhost_dir',$conf['web']['website_basedir'].'/apps');
 			$tpl->setVar('apps_vhost_basedir',$conf['web']['website_basedir']);
 			$tpl->setVar('apps_vhost_servername',$apps_vhost_servername);
-			if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
+			if(is_file($conf['ispconfig_install_dir'].'/interface/ssl/ispserver.crt') && is_file($conf['ispconfig_install_dir'].'/interface/ssl/ispserver.key')) {
 				$tpl->setVar('ssl_comment','');
 			} else {
 				$tpl->setVar('ssl_comment','#');
@@ -2605,6 +2790,11 @@ class installer_base {
 			$apps_vhost_group = escapeshellcmd($conf['web']['apps_vhost_group']);
 			$install_dir = escapeshellcmd($conf['web']['website_basedir'].'/apps');
 
+			//* Get the apps vhost port
+			if($this->is_update == true) {
+				$conf['web']['apps_vhost_port'] = get_apps_vhost_port_number();
+			}
+
 			$command = 'groupadd '.$apps_vhost_user;
 			if(!is_group($apps_vhost_group)) caselog($command.' &> /dev/null 2> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
@@ -2614,7 +2804,7 @@ class installer_base {
 
 			//$command = 'adduser '.$conf['nginx']['user'].' '.$apps_vhost_group;
 			$command = 'usermod -a -G '.$apps_vhost_group.' '.$conf['nginx']['user'];
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+			caselog($command.' &> /dev/null 2>&1', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 			if(!@is_dir($install_dir)){
 				mkdir($install_dir, 0755, true);
@@ -2632,6 +2822,15 @@ class installer_base {
 			// Dont just copy over the virtualhost template but add some custom settings
 			$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/nginx_apps.vhost.master', 'tpl/nginx_apps.vhost.master');
 
+			// Enable SSL if a cert is in place.
+			if(is_file($conf['ispconfig_install_dir'].'/interface/ssl/ispserver.crt') && is_file($conf['ispconfig_install_dir'].'/interface/ssl/ispserver.key')) {
+				$content = str_replace('{ssl_on}', 'ssl http2', $content);
+				$content = str_replace('{ssl_comment}', '', $content);
+			} else {
+				$content = str_replace('{ssl_on}', '', $content);
+				$content = str_replace('{ssl_comment}', '#', $content);
+			}
+
 			if($conf['web']['apps_vhost_ip'] == '_default_'){
 				$apps_vhost_ip = '';
 			} else {
@@ -2674,16 +2873,18 @@ class installer_base {
 			$content = str_replace('{use_tcp}', $use_tcp, $content);
 			$content = str_replace('{use_socket}', $use_socket, $content);
 
-			// SSL in apps vhost is off by default. Might change later.
-			$content = str_replace('{ssl_on}', '', $content);
-			$content = str_replace('{ssl_comment}', '#', $content);
-
 			// Fix socket path on PHP 7 systems
-			if(file_exists('/var/run/php/php7.0-fpm.sock'))	$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.0-fpm.sock', $content);
-			if(file_exists('/var/run/php/php7.1-fpm.sock'))	$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.1-fpm.sock', $content);
-			if(file_exists('/var/run/php/php7.2-fpm.sock'))	$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.2-fpm.sock', $content);
-			if(file_exists('/var/run/php/php7.3-fpm.sock'))	$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.3-fpm.sock', $content);
-			if(file_exists('/var/run/php/php7.4-fpm.sock'))	$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.4-fpm.sock', $content);
+			if (file_exists('/var/run/php/php7.4-fpm.sock')) {
+				$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.4-fpm.sock', $content);
+			} elseif(file_exists('/var/run/php/php7.3-fpm.sock')) {
+				$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.3-fpm.sock', $content);
+			} elseif (file_exists('/var/run/php/php7.2-fpm.sock')) {
+				$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.2-fpm.sock', $content);
+			} elseif (file_exists('/var/run/php/php7.1-fpm.sock')) {
+				$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.1-fpm.sock', $content);
+			} elseif (file_exists('/var/run/php/php7.0-fpm.sock')) {
+				$content = str_replace('/var/run/php5-fpm.sock', '/var/run/php/php7.0-fpm.sock', $content);
+			}
 
 			wf($vhost_conf_dir.'/apps.vhost', $content);
 
@@ -2780,7 +2981,7 @@ class installer_base {
 		if(@is_link($vhost_conf_enabled_dir.'/' . $use_symlink)) {
 			unlink($vhost_conf_enabled_dir.'/' . $use_symlink);
 		}
-		if(!@is_link($vhost_conf_enabled_dir.'' . $use_symlink)) {
+		if(!@is_file($vhost_conf_enabled_dir.'/' . $use_symlink)) {
 			symlink($vhost_conf_dir.'/' . $use_name, $vhost_conf_enabled_dir.'/' . $use_symlink);
 		}
 	}
@@ -2807,33 +3008,33 @@ class installer_base {
 			}
 		}
 		$dns_ips = array();
-		if (checkdnsrr($hostname, 'A')) {
-			$dnsa=dns_get_record($hostname, DNS_A);
+		if(checkdnsrr($hostname, 'A')) {
+			$dnsa = dns_get_record($hostname, DNS_A);
 			if($dnsa) {
-				foreach ($dnsa as $rec) {
-					$dns_ips[] = $rec['ip'];
+				foreach($dnsa as $rec) {
+					if(is_array($rec) && isset($rec['ip'])) $dns_ips[] = $rec['ip'];
 				}
 			}
 		}
-		if (checkdnsrr($hostname, 'AAAA')) {
-			$dnsaaaa=dns_get_record($hostname, DNS_AAAA);
+		if(checkdnsrr($hostname, 'AAAA')) {
+			$dnsaaaa = dns_get_record($hostname, DNS_AAAA);
 			if($dnsaaaa) {
-				foreach ($dnsaaaa as $rec) {
-					$dns_ips[] = $rec['ip'];
+				foreach($dnsaaaa as $rec) {
+					if(is_array($rec) && isset($rec['ip'])) $dns_ips[] = $rec['ip'];
 				}
 			}
 		}
 
 		//* Define and check ISPConfig SSL folder */
-		$ssl_dir = $conf['ispconfig_install_dir'].'/interface/ssl';
+		$ssl_dir = $conf['ispconfig_install_dir'] . '/interface/ssl';
 		if(!@is_dir($ssl_dir)) {
 			mkdir($ssl_dir, 0755, true);
 		}
 
-		$ssl_crt_file = $ssl_dir.'/ispserver.crt';
-		$ssl_csr_file = $ssl_dir.'/ispserver.csr';
-		$ssl_key_file = $ssl_dir.'/ispserver.key';
-		$ssl_pem_file = $ssl_dir.'/ispserver.pem';
+		$ssl_crt_file = $ssl_dir . '/ispserver.crt';
+		$ssl_csr_file = $ssl_dir . '/ispserver.csr';
+		$ssl_key_file = $ssl_dir . '/ispserver.key';
+		$ssl_pem_file = $ssl_dir . '/ispserver.pem';
 
 		$date = new DateTime();
 
@@ -2841,70 +3042,183 @@ class installer_base {
 
 		swriteln('Checking / creating certificate for ' . $hostname);
 
-		$acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
-		$check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
-		if(!@is_dir($acme_cert_dir)) {
-			$acme_cert_dir = '/root/.acme.sh/' . $hostname;
-			$check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
-			if(!@is_dir($acme_cert_dir)) {
+		// Get the default LE client name and version
+		$which_certbot = shell_exec('which certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot letsencrypt');
+		$certbot = explode("\n", $which_certbot ?: '');
+		$certbot = reset($certbot);
+		$certbot_version = '0.0.0-unknown';
+		if($certbot) {
+			$matches = [];
+			$output = shell_exec($certbot . ' --version  2>&1');
+			if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $output, $matches)) {
+				$certbot_version = $matches[2];
+				swriteln('Discovered certbot version ' . $certbot_version . ' with certificate home /etc/letsencrypt');
+			} else {
+				$certbot = '';
+			}
+		}
+
+		// Check for Neilpang acme.sh as well and install it when we did not find certbot
+		$which_acme = shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh');
+		$acme = explode("\n", $which_acme ? $which_acme : '');
+		$acme = reset($acme);
+		$acme_version = '0.0.0-unknown';
+
+		if(!$certbot && !$acme) {
+			$this->install_acme();
+			$which_acme = shell_exec('which acme.sh /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh');
+			$acme = explode("\n", $which_acme ?: '');
+			$acme = reset($acme);
+		}
+		if($acme) {
+			// always update acme.sh
+			$this->update_acme();
+			$matches = [];
+			$output = shell_exec($acme . ' --version  2>&1') ?: '';
+			if(preg_match('/^v(\d+(\.\d+)+)$/m', $output, $matches)) {
+				$acme_version = $matches[1];
+			} else {
+				$acme = '';
+			}
+			if($acme) {
+				$ret = 0;
+				$acme_cert_home = [];
+				exec(join(' ; ', [
+					'_info() { :',
+					'  _info_stdout=$(' . escapeshellarg($acme) . ' --info 2>/dev/null)',
+					'  _info_ret=$?',
+					'}',
+					'_echo_home() { :',
+					'  eval "$_info_stdout"',
+					'  _info_ret=$?',
+					'  if [ $_info_ret -eq 0 ]; then :',
+					'    if [ -z "$CERT_HOME" ]',
+					'      then echo "$LE_CONFIG_HOME"',
+					'      else echo "$CERT_HOME"',
+					'    fi',
+					'   else :',
+					'     echo "Error eval-ing --info output (exit code $_info_ret). stdout was: $_info_stdout"',
+					'     exit 1',
+					'  fi',
+					'}',
+					'_info',
+					'if [ $_info_ret -eq 0 ]; then :',
+					'  _echo_home',
+					'else :',
+					'  echo "--info failed. stdout was: $_info_stdout"',
+					'  exit 1',
+					'fi',
+				]), $acme_cert_home, $ret);
+				$acme_cert_home = trim(implode("\n", $acme_cert_home));
+				if($ret != 0 || empty($acme_cert_home) || !is_dir($acme_cert_home)) {
+					swriteln('Cannot find acme.sh certificate home: ' . $acme_cert_home);
+					$acme = '';
+				} else {
+					swriteln('Discovered acme.sh version ' . $acme_version . ' with certificate home ' . $acme_cert_home);
+				}
+			}
+		}
+
+		$acme_cert_dir = 'not found';
+		$check_acme_file = '';
+		if($certbot) {
+			if(version_compare($certbot_version, '2.0', '>=')) {
+				$acme_cert_dir = '/etc/letsencrypt/live/' . $hostname . '_ecc';
+			} else {
 				$acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
-				$check_acme_file = $acme_cert_dir . '/cert.pem';
 			}
+			$check_acme_file = $acme_cert_dir . '/cert.pem';
+			swriteln('Using certificate path ' . $acme_cert_dir . ' / ' . $check_acme_file);
+		} elseif($acme) {
+			$acme_cert_dir = $acme_cert_home . '/' . $hostname . '_ecc'; // always use ECC since we updated acme.sh
+			$check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
+			swriteln('Using certificate path ' . $acme_cert_dir . ' / ' . $check_acme_file);
+		} else {
+			swriteln('Failed discovering certbot or acme.sh and installing acme.sh. Will not be able to issue certificate during install.');
 		}
 
-		swriteln('Using certificate path ' . $acme_cert_dir);
+		if(!is_dir($conf['ispconfig_log_dir'])) {
+			mkdir($conf['ispconfig_log_dir'], 0755, true);
+		}
+		$acme_log = $conf['ispconfig_log_dir'] . '/acme.log';
+
 		$ip_address_match = false;
 		if(!(($svr_ip4 && in_array($svr_ip4, $dns_ips)) || ($svr_ip6 && in_array($svr_ip6, $dns_ips)))) {
-			swriteln('Server\'s public ip(s) (' . $svr_ip4 . ($svr_ip6 ? ', ' . $svr_ip6 : '') . ') not found in A/AAAA records for ' . $hostname . ': ' . implode(', ', $dns_ips));
-			if(strtolower($this->simple_query('Ignore DNS check and continue to request certificate?', array('y', 'n') , 'n','ignore_hostname_dns')) == 'y') {
+			swriteln('Server\'s public ip(s) (' . implode(', ', array_filter([$svr_ip4, $svr_ip6])) . ') not found in A/AAAA records for ' . $hostname . ': ' . implode(', ', $dns_ips));
+			if(strtolower($this->simple_query('Ignore DNS check and continue to request certificate?', array('y', 'n'), 'n', 'ignore_hostname_dns')) == 'y') {
 				$ip_address_match = true;
 			}
 		} else {
 			$ip_address_match = true;
 		}
 
+		// Get subject and issuer of ispserver.crt to check if it is self-signed cert
+		$self_signed = false;
+		if(file_exists($ssl_crt_file)) {
+			$crt_subject = exec("openssl x509 -in " . escapeshellarg($ssl_crt_file) . " -inform PEM -noout -subject");
+			$crt_issuer = exec("openssl x509 -in " . escapeshellarg($ssl_crt_file) . " -inform PEM -noout -issuer");
+			// strip the subject= and issuer= prefix to check for equality
+			if(is_string($crt_subject) && strpos($crt_subject, 'subject=') !== false) {
+				$crt_subject = explode('=', $crt_subject, 2)[1];
+			}
+			if(is_string($crt_issuer) && strpos($crt_issuer, 'issuer=') !== false) {
+				$crt_issuer = explode('=', $crt_issuer, 2)[1];
+			}
+			$self_signed = $crt_subject == $crt_issuer;
+			if ($self_signed) {
+				swriteln('ISPConfig currently is using a self-signed certificate.');
+			}
+		}
 
-		if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {
+		$issued_successfully = false;
+
+		// if we have certbot or acme.sh, the required DNS records and our desired certificate is not the current one, try to get it
+		if(
+			($acme || $certbot) && $ip_address_match
+			&& ($self_signed ||
+				(!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)))
+		) {
 
 			// This script is needed earlier to check and open http port 80 or standalone might fail
 			// Make executable and temporary symlink latest letsencrypt pre, post and renew hook script before install
 			if(file_exists(ISPC_INSTALL_ROOT . '/server/scripts/letsencrypt_pre_hook.sh') && !file_exists('/usr/local/bin/letsencrypt_pre_hook.sh')) {
+				if(is_link('/usr/local/bin/letsencrypt_pre_hook.sh')) {
+					unlink('/usr/local/bin/letsencrypt_pre_hook.sh');
+				}
 				symlink(ISPC_INSTALL_ROOT . '/server/scripts/letsencrypt_pre_hook.sh', '/usr/local/bin/letsencrypt_pre_hook.sh');
 				chown('/usr/local/bin/letsencrypt_pre_hook.sh', 'root');
 				chmod('/usr/local/bin/letsencrypt_pre_hook.sh', 0700);
 			}
 			if(file_exists(ISPC_INSTALL_ROOT . '/server/scripts/letsencrypt_post_hook.sh') && !file_exists('/usr/local/bin/letsencrypt_post_hook.sh')) {
+				if(is_link('/usr/local/bin/letsencrypt_post_hook.sh')) {
+					unlink('/usr/local/bin/letsencrypt_post_hook.sh');
+				}
 				symlink(ISPC_INSTALL_ROOT . '/server/scripts/letsencrypt_post_hook.sh', '/usr/local/bin/letsencrypt_post_hook.sh');
 				chown('/usr/local/bin/letsencrypt_post_hook.sh', 'root');
 				chmod('/usr/local/bin/letsencrypt_post_hook.sh', 0700);
 			}
 			if(file_exists(ISPC_INSTALL_ROOT . '/server/scripts/letsencrypt_renew_hook.sh') && !file_exists('/usr/local/bin/letsencrypt_renew_hook.sh')) {
+				if(is_link('/usr/local/bin/letsencrypt_renew_hook.sh')) {
+					unlink('/usr/local/bin/letsencrypt_renew_hook.sh');
+				}
 				symlink(ISPC_INSTALL_ROOT . '/server/scripts/letsencrypt_renew_hook.sh', '/usr/local/bin/letsencrypt_renew_hook.sh');
 				chown('/usr/local/bin/letsencrypt_renew_hook.sh', 'root');
 				chmod('/usr/local/bin/letsencrypt_renew_hook.sh', 0700);
 			}
 
-			// Check http port 80 status as it cannot be determined at post hook stage
-			$port80_status=exec('true &>/dev/null </dev/tcp/127.0.0.1/80 && echo open || echo close');
+			// Check http port 80 status (open when any IP listens on port 80) as it cannot be determined at post hook stage
+			$port80_status = exec('netstat -tln | awk \'BEGIN{open=0} $6 == "LISTEN" && $4~/:80$/{open=1} END{if (open>0) print "open"; else print "close";}\'');
 
-			// Set pre-, post- and renew hook
-			$pre_hook = "--pre-hook \"letsencrypt_pre_hook.sh\"";
-			$renew_hook = "  --renew-hook \"letsencrypt_renew_hook.sh\"";
+			// Set pre-, post- and renew hook (acme.sh and certbot use the same arguments)
+			$pre_hook = '--pre-hook "letsencrypt_pre_hook.sh"';
+			$renew_hook = '  --renew-hook "letsencrypt_renew_hook.sh"';
 			if($port80_status == 'close') {
-				$post_hook = " --post-hook \"letsencrypt_post_hook.sh\"";
+				$post_hook = ' --post-hook "letsencrypt_post_hook.sh"';
 				$hook = $pre_hook . $post_hook . $renew_hook;
 			} else {
 				$hook = $pre_hook . $renew_hook;
 			}
 
-			// Get the default LE client name and version
-			$le_client = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt /opt/eff.org/certbot/venv/bin/certbot'));
-			$le_client = reset($le_client);
-
-			// Check for Neilpang acme.sh as well
-			$acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
-			$acme = reset($acme);
-
 			$restore_conf_symlink = false;
 
 			// we only need this for apache, so use fixed conf index
@@ -2917,124 +3231,150 @@ class installer_base {
 				$server = 'nginx';
 			} elseif($conf['apache']['installed'] == true) {
 				swriteln('Using apache for certificate validation');
-				if($this->is_update == false && @is_link($vhost_conf_enabled_dir.'/000-ispconfig.conf')) {
+				if($this->is_update == false && @is_link($vhost_conf_enabled_dir . '/000-ispconfig.conf')) {
 					$restore_conf_symlink = true;
-					unlink($vhost_conf_enabled_dir.'/000-ispconfig.conf');
+					unlink($vhost_conf_enabled_dir . '/000-ispconfig.conf');
 				}
 				$server = 'apache';
 			}
 
 			if($conf[$server]['installed'] == true && $conf[$server]['init_script'] != '') {
 				if($this->is_update) {
-					system($this->getinitcommand($conf[$server]['init_script'], 'force-reload').' &> /dev/null || ' . $this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
+					system($this->getinitcommand($conf[$server]['init_script'], 'force-reload') . ' &> /dev/null || ' . $this->getinitcommand($conf[$server]['init_script'], 'restart') . ' &> /dev/null');
 				} else {
-					system($this->getinitcommand($conf[$server]['init_script'], 'restart').' &> /dev/null');
+					system($this->getinitcommand($conf[$server]['init_script'], 'restart') . ' &> /dev/null');
 				}
 			}
 
-			$issued_successfully = false;
+			// Backup existing ispserver ssl files
+			//
+			// We may find valid or broken symlinks or actual files here.
+			//
+			// - dangling links are broken and get perm renamed (should just delete?).
+			//   possibly web server can't start because vhost file points to non-existing cert files,
+			//   we're not trying to catch or fix that (and not making it worse)
+			//
+			// - link to valid file is tmp renamed, and file copied to original name.
+			//   if cert request is successful, remove the old symlink;
+			//   if cert request fails, remove file copy and rename symlink to original name
+			//
+			// - actual file copied to tmp name.
+			//   if cert request is successful, rename tmp copy to perm rename;
+			//   if cert request fails, delete tmp copy
+			$cert_files = array($ssl_crt_file, $ssl_key_file, $ssl_pem_file);
+			foreach($cert_files as $f) {
+				if(is_link($f) && !file_exists($f)) {
+					rename($f, $f . '-' . $date->format('YmdHis') . '.bak');
+				} elseif(is_link($f)) {
+					rename($f, $f . '-temporary.bak');
+					copy($f . '-temporary.bak', $f);
+				} elseif(file_exists($f)) {
+					copy($f, $f . '-temporary.bak');
+				}
+			}
 
 			// Attempt to use Neilpang acme.sh first, as it is now the preferred LE client
-			if (is_executable($acme)) {
+			if($acme) {
+				# acme.sh does not set umask, resulting in incorrect permissions (ispconfig issue #6015)
+				$old_umask = umask(0022);
+
+				// Switch from zerossl to letsencrypt CA
+				exec("$acme --set-default-ca  --server  letsencrypt");
 
 				$out = null;
 				$ret = null;
 				if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
-					exec("$acme --issue -w /usr/local/ispconfig/interface/acme -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
-				}
-				// Else, it is not webserver, so we use standalone
-				else {
-					exec("$acme --issue --standalone -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
+					exec("$acme --issue --keylength ec-256 --ecc --log $acme_log -w /usr/local/ispconfig/interface/acme -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
+				} else { // Else, it is not webserver, so we use standalone
+					exec("$acme --issue --keylength ec-256 --ecc --log $acme_log --standalone -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
 				}
-
+				umask($old_umask);
 				if($ret == 0 || ($ret == 2 && file_exists($check_acme_file))) {
 					// acme.sh returns with 2 on issue for already existing certificate
 
-
-					// Backup existing ispserver ssl files
-					if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
-						rename($ssl_crt_file, $ssl_crt_file . '-' . $date->format('YmdHis') . '.bak');
-					}
-					if(file_exists($ssl_key_file) || is_link($ssl_key_file)) {
-						rename($ssl_key_file, $ssl_key_file . '-' . $date->format('YmdHis') . '.bak');
-					}
-					if(file_exists($ssl_pem_file) || is_link($ssl_pem_file)) {
-						rename($ssl_pem_file, $ssl_pem_file . '-' . $date->format('YmdHis') . '.bak');
-					}
-
 					$check_acme_file = $ssl_crt_file;
 
 					// Define LE certs name and path, then install them
 					//$acme_cert = "--cert-file $acme_cert_dir/cert.pem";
 					$acme_key = "--key-file " . escapeshellarg($ssl_key_file);
 					$acme_chain = "--fullchain-file " . escapeshellarg($ssl_crt_file);
-					exec("$acme --install-cert -d " . escapeshellarg($hostname) . " $acme_key $acme_chain");
+					exec("$acme --install-cert --log $acme_log -d " . escapeshellarg($hostname) . " --ecc $acme_key $acme_chain");
 					$issued_successfully = true;
 				} else {
 					swriteln('Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt');
 				}
-			// Else, we attempt to use the official LE certbot client certbot
-			} else {
-
-				//  But only if it is otherwise available
-				if(is_executable($le_client)) {
-					$out = null;
-					$ret = null;
 
-					// Get its version info due to be used for webroot arguement issues
-					$le_info = exec($le_client . ' --version  2>&1', $ret, $val);
-					if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $le_info, $matches)) {
-						$le_version = $matches[2];
-					}
+				// Else, we attempt to use the official LE certbot client certbot
+			} else {
+				$out = null;
+				$ret = null;
 
-					// Define certbot commands
-					$acme_version = '--server https://acme-v0' . (($le_version >=0.22) ? '2' : '1') . '.api.letsencrypt.org/directory';
+				if(version_compare($certbot_version, '0.22', '>=')) {
+					$acme_version = '--server https://acme-v02.api.letsencrypt.org/directory';
+				} else {
+					$acme_version = '--server https://acme-v01.api.letsencrypt.org/directory';
+				}
+				if(version_compare($certbot_version, '2.0', '>=')) {
+					$certonly = 'certonly --agree-tos --non-interactive --expand --cert-name ' . escapeshellarg($hostname . '_ecc') . ' --elliptic-curve secp256r1';
+				} elseif(version_compare($certbot_version, '0.30', '>=')) {
+					$certonly = 'certonly --agree-tos --non-interactive --expand --cert-name ' . escapeshellarg($hostname) . ' --rsa-key-size 4096';
+				} else {
 					$certonly = 'certonly --agree-tos --non-interactive --expand --rsa-key-size 4096';
+				}
 
-					// If this is a webserver
-					if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
-						exec("$le_client $certonly $acme_version --authenticator webroot --webroot-path /usr/local/ispconfig/interface/acme --email " . escapeshellarg('postmaster@' . $hostname) . " -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
-					}
-					// Else, it is not webserver, so we use standalone
-					else {
-						exec("$le_client $certonly $acme_version --standalone --email " . escapeshellarg('postmaster@' . $hostname) . " -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
-					}
+				// If this is a webserver
+				if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
+					exec("$certbot $certonly $acme_version --authenticator webroot --webroot-path /usr/local/ispconfig/interface/acme --email " . escapeshellarg('postmaster@' . $hostname) . " -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
+				} else { // Else, it is not webserver, so we use standalone
+					exec("$certbot $certonly $acme_version --standalone --email " . escapeshellarg('postmaster@' . $hostname) . " -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
+				}
 
-					if($ret == 0) {
-						// certbot returns with 0 on issue for already existing certificate
+				if($ret == 0 && is_dir($acme_cert_dir)) {
+					// certbot returns with 0 on issue for already existing certificate
 
-						// Backup existing ispserver ssl files
-						if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
-							rename($ssl_crt_file, $ssl_crt_file . '-' . $date->format('YmdHis') . '.bak');
-						}
-						if(file_exists($ssl_key_file) || is_link($ssl_key_file)) {
-							rename($ssl_key_file, $ssl_key_file . '-' . $date->format('YmdHis') . '.bak');
-						}
-						if(file_exists($ssl_pem_file) || is_link($ssl_pem_file)) {
-							rename($ssl_pem_file, $ssl_pem_file . '-' . $date->format('YmdHis') . '.bak');
+					foreach(array($ssl_crt_file, $ssl_key_file) as $f) {
+						if(file_exists($f) && !is_link($f)) {
+							unlink($f);
 						}
-
-						$acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
-						symlink($acme_cert_dir . '/fullchain.pem', $ssl_crt_file);
-						symlink($acme_cert_dir . '/privkey.pem', $ssl_key_file);
-
-						$issued_successfully = true;
-					} else {
-						swriteln('Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt');
 					}
+					symlink($acme_cert_dir . '/fullchain.pem', $ssl_crt_file);
+					symlink($acme_cert_dir . '/privkey.pem', $ssl_key_file);
+
+					$issued_successfully = true;
 				} else {
-					swriteln('Did not find any valid acme client (acme.sh or certbot)');
+					swriteln('Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt');
 				}
 			}
 
 			if($restore_conf_symlink) {
-				if(!@is_link($vhost_conf_enabled_dir.'/000-ispconfig.conf')) {
-					symlink($vhost_conf_dir.'/ispconfig.conf', $vhost_conf_enabled_dir.'/000-ispconfig.conf');
+				if(!@is_link($vhost_conf_enabled_dir . '/000-ispconfig.conf')) {
+					symlink($vhost_conf_dir . '/ispconfig.conf', $vhost_conf_enabled_dir . '/000-ispconfig.conf');
+				}
+			}
+
+			if($issued_successfully) {
+				// Make temporary backup of self-signed certs permanent
+				foreach($cert_files as $f) {
+					if(is_link($f . '-temporary.bak')) {
+						unlink($f . '-temporary.bak');
+					} elseif(file_exists($f . '-temporary.bak')) {
+						rename($f . '-temporary.bak', $f . '-' . $date->format('YmdHis') . '.bak');
+					}
+				}
+			} else {
+				// Restore/cleanup temporary backup of self-signed certs
+				foreach($cert_files as $f) {
+					if(is_link($f . '-temporary.bak')) {
+						@unlink($f);
+						rename($f . '-temporary.bak', $f);
+					} elseif(file_exists($f . '-temporary.bak')) {
+						unlink($f . '-temporary.bak');
+					}
 				}
 			}
 		} else {
 			if($ip_address_match) {
-				// the directory already exists so we have to assume that it was created previously
+				// the directory already exists, so we have to assume that it was created previously
 				$issued_successfully = true;
 			}
 		}
@@ -3048,17 +3388,11 @@ class installer_base {
 			}
 
 			// We can still use the old self-signed method
-			$ssl_pw = substr(md5(mt_rand()), 0, 6);
-			exec("openssl genrsa -des3 -passout pass:$ssl_pw -out $ssl_key_file 4096");
-			if(AUTOINSTALL){
-				exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -subj '/C=".escapeshellcmd($autoinstall['ssl_cert_country'])."/ST=".escapeshellcmd($autoinstall['ssl_cert_state'])."/L=".escapeshellcmd($autoinstall['ssl_cert_locality'])."/O=".escapeshellcmd($autoinstall['ssl_cert_organisation'])."/OU=".escapeshellcmd($autoinstall['ssl_cert_organisation_unit'])."/CN=".escapeshellcmd($autoinstall['ssl_cert_common_name'])."' -key $ssl_key_file -out $ssl_csr_file");
-			} else {
-				exec("openssl req -new -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -out $ssl_csr_file");
+			$openssl_cmd = 'openssl req -nodes -newkey rsa:4096 -x509 -days 3650 -keyout ' . escapeshellarg($ssl_key_file) . ' -out ' . escapeshellarg($ssl_crt_file);
+			if(AUTOINSTALL) {
+				$openssl_cmd .= ' -subj ' . escapeshellarg('/C=' . $autoinstall['ssl_cert_country'] . '/ST=' . $autoinstall['ssl_cert_state'] . '/L=' . $autoinstall['ssl_cert_locality'] . '/O=' . $autoinstall['ssl_cert_organisation'] . '/OU=' . $autoinstall['ssl_cert_organisation_unit'] . '/CN=' . $autoinstall['ssl_cert_common_name']);
 			}
-			exec("openssl req -x509 -passin pass:$ssl_pw -passout pass:$ssl_pw -key $ssl_key_file -in $ssl_csr_file -out $ssl_crt_file -days 3650");
-			exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");
-			rename($ssl_key_file, $ssl_key_file.'.secure');
-			rename($ssl_key_file.'.insecure', $ssl_key_file);
+			exec($openssl_cmd);
 		}
 
 		// Build ispserver.pem file and chmod it
@@ -3066,18 +3400,18 @@ class installer_base {
 			exec("cat $ssl_key_file $ssl_crt_file > $ssl_pem_file; chmod 600 $ssl_pem_file");
 
 			// Extend LE SSL certs to postfix
-			if ($conf['postfix']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig SSL certs to Postfix?', array('y', 'n'), 'y','ispconfig_postfix_ssl_symlink')) == 'y') {
+			if($conf['postfix']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig SSL certs to Postfix?', array('y', 'n'), 'y', 'ispconfig_postfix_ssl_symlink')) == 'y') {
 
 				// Define folder, file(s)
 				$cf = $conf['postfix'];
 				$postfix_dir = $cf['config_dir'];
 				if(!is_dir($postfix_dir)) $this->error("The Postfix configuration directory '$postfix_dir' does not exist.");
-				$smtpd_crt = $postfix_dir.'/smtpd.cert';
-				$smtpd_key = $postfix_dir.'/smtpd.key';
+				$smtpd_crt = $postfix_dir . '/smtpd.cert';
+				$smtpd_key = $postfix_dir . '/smtpd.key';
 
 				// Backup existing postfix ssl files
-				if (file_exists($smtpd_crt)) rename($smtpd_crt, $smtpd_crt . '-' .$date->format('YmdHis') . '.bak');
-				if (file_exists($smtpd_key)) rename($smtpd_key, $smtpd_key . '-' .$date->format('YmdHis') . '.bak');
+				if(file_exists($smtpd_crt)) rename($smtpd_crt, $smtpd_crt . '-' . $date->format('YmdHis') . '.bak');
+				if(file_exists($smtpd_key)) rename($smtpd_key, $smtpd_key . '-' . $date->format('YmdHis') . '.bak');
 
 				// Create symlink to ISPConfig SSL files
 				symlink($ssl_crt_file, $smtpd_crt);
@@ -3085,25 +3419,25 @@ class installer_base {
 			}
 
 			// Extend LE SSL certs to pureftpd
-			if ($conf['pureftpd']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time.', array('y', 'n'), 'y','ispconfig_pureftpd_ssl_symlink')) == 'y') {
+			if($conf['pureftpd']['installed'] == true && strtolower($this->simple_query('Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time.', array('y', 'n'), 'y', 'ispconfig_pureftpd_ssl_symlink')) == 'y') {
 
 				// Define folder, file(s)
 				$pureftpd_dir = '/etc/ssl/private';
 				if(!is_dir($pureftpd_dir)) mkdir($pureftpd_dir, 0755, true);
-				$pureftpd_pem = $pureftpd_dir.'/pure-ftpd.pem';
+				$pureftpd_pem = $pureftpd_dir . '/pure-ftpd.pem';
 
 				// Backup existing pureftpd ssl files
-				if (file_exists($pureftpd_pem)) rename($pureftpd_pem, $pureftpd_pem . '-' .$date->format('YmdHis') . '.bak');
+				if(file_exists($pureftpd_pem)) rename($pureftpd_pem, $pureftpd_pem . '-' . $date->format('YmdHis') . '.bak');
 
 				// Create symlink to ISPConfig SSL files
 				symlink($ssl_pem_file, $pureftpd_pem);
-				if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem"))
-					exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem");
+				if(!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem"))
+					symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', $pureftpd_dir . '/pure-ftpd-dhparams.pem');
+				//exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem");
 			}
 		}
 
 		exec("chown -R root:root $ssl_dir");
-
 	}
 
 	public function install_ispconfig() {
@@ -3303,6 +3637,10 @@ class installer_base {
 		$command = 'chown -R ispconfig:ispconfig '.$install_dir.'/interface';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
+		//* chown the extensions directory to the ispconfig user and group
+		$command = 'chown ispconfig:ispconfig '.$install_dir.'/extensions';
+		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+
 		//* Chmod the files and directories in the acme dir
 		$command = 'chmod -R 755 '.$install_dir.'/interface/acme';
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
@@ -3386,20 +3724,32 @@ class installer_base {
 		// and must be fixed as this will allow the apache user to read the ispconfig files.
 		// Later this must run as own apache server or via suexec!
 		if($conf['apache']['installed'] == true){
-			$command = 'adduser '.$conf['apache']['user'].' ispconfig';
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-			if(is_group('ispapps')){
-				$command = 'adduser '.$conf['apache']['user'].' ispapps';
+			$ispc_groupinfo = posix_getgrnam('ispconfig');
+			if(!in_array($conf['apache']['user'],$ispc_groupinfo['members'])) {
+				$command = 'adduser '.$conf['apache']['user'].' ispconfig';
 				caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 			}
+			if(is_group('ispapps')){
+				$ispapps_groupinfo = posix_getgrnam('ispapps');
+				if(!in_array($conf['apache']['user'],$ispapps_groupinfo['members'])) {
+					$command = 'adduser '.$conf['apache']['user'].' ispapps';
+					caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+				}
+			}
 		}
 		if($conf['nginx']['installed'] == true){
-			$command = 'adduser '.$conf['nginx']['user'].' ispconfig';
-			caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
-			if(is_group('ispapps')){
-				$command = 'adduser '.$conf['nginx']['user'].' ispapps';
+			$ispc_groupinfo = posix_getgrnam('ispconfig');
+			if(!in_array($conf['nginx']['user'],$ispc_groupinfo['members'])) {
+				$command = 'adduser '.$conf['nginx']['user'].' ispconfig';
 				caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 			}
+			if(is_group('ispapps')){
+				$ispapps_groupinfo = posix_getgrnam('ispapps');
+				if(!in_array($conf['nginx']['user'],$ispapps_groupinfo['members'])) {
+					$command = 'adduser '.$conf['nginx']['user'].' ispapps';
+					caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+				}
+			}
 		}
 
 		//* Make the shell scripts executable
@@ -3407,8 +3757,8 @@ class installer_base {
 		caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 
 		if ($this->install_ispconfig_interface == true && isset($conf['interface_password']) && $conf['interface_password']!='admin') {
-			$sql = "UPDATE sys_user SET passwort = md5(?) WHERE username = 'admin';";
-			$this->db->query($sql, $conf['interface_password']);
+			$sql = "UPDATE sys_user SET passwort = ? WHERE username = 'admin';";
+			$this->db->query($sql, $this->crypt_password($conf['interface_password']));
 		}
 
 		if($conf['apache']['installed'] == true && $this->install_ispconfig_interface == true){
@@ -3473,7 +3823,7 @@ class installer_base {
 			$content = str_replace('{vhost_port}', $conf['nginx']['vhost_port'], $content);
 
 			if(is_file($install_dir.'/interface/ssl/ispserver.crt') && is_file($install_dir.'/interface/ssl/ispserver.key')) {
-				$content = str_replace('{ssl_on}', 'ssl', $content);
+				$content = str_replace('{ssl_on}', 'ssl http2', $content);
 				$content = str_replace('{ssl_comment}', '', $content);
 				$content = str_replace('{fastcgi_ssl}', 'on', $content);
 			} else {
@@ -3525,6 +3875,12 @@ class installer_base {
 		if(!is_link('/usr/local/bin/ispconfig_update_from_dev.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update_from_dev.sh');
 		if(!is_link('/usr/local/bin/ispconfig_update.sh')) symlink($install_dir.'/server/scripts/ispconfig_update.sh', '/usr/local/bin/ispconfig_update.sh');
 
+		// Install ISPConfig cli command
+		if(is_file('/usr/local/bin/ispc')) unlink('/usr/local/bin/ispc');
+		chown($install_dir.'/server/cli/ispc', 'root');
+		chmod($install_dir.'/server/cli/ispc', 0700);
+		symlink($install_dir.'/server/cli/ispc', '/usr/local/bin/ispc');
+
 		// Make executable then unlink and symlink letsencrypt pre, post and renew hook scripts
 		chown($install_dir.'/server/scripts/letsencrypt_pre_hook.sh', 'root');
 		chown($install_dir.'/server/scripts/letsencrypt_post_hook.sh', 'root');
@@ -3552,6 +3908,7 @@ class installer_base {
 			if(!is_dir($conf['ispconfig_log_dir'])) mkdir($conf['ispconfig_log_dir'], 0755);
 			touch($conf['ispconfig_log_dir'].'/ispconfig.log');
 		}
+		chmod($conf['ispconfig_log_dir'].'/ispconfig.log', 0600);
 
 		//* Create the ispconfig auth log file and set uid/gid
 		if(!is_file($conf['ispconfig_log_dir'].'/auth.log')) {
@@ -3640,7 +3997,7 @@ class installer_base {
 		$install_dir = $conf['ispconfig_install_dir'];
 
 		//* Root Crontab
-		exec('crontab -u root -l > crontab.txt');
+		exec('crontab -u root -l > crontab.txt 2>/dev/null');
 		$existing_root_cron_jobs = file('crontab.txt');
 
 		// remove existing ispconfig cronjobs, in case the syntax has changed
@@ -3669,7 +4026,7 @@ class installer_base {
 		//* Getmail crontab
 		if(is_user('getmail')) {
 			$cf = $conf['getmail'];
-			exec('crontab -u getmail -l > crontab.txt');
+			exec('crontab -u getmail -l > crontab.txt 2>/dev/null');
 			$existing_cron_jobs = file('crontab.txt');
 
 			$cron_jobs = array(

install/lib/mysql.lib.php

@@ -64,9 +64,11 @@ class db
 	public function __destruct() {
 		if($this->_iConnId) mysqli_close($this->_iConnId);
 	}
-	
+
 	private function do_connect() {
 		global $conf;
+
+		mysqli_report(MYSQLI_REPORT_OFF);
 		
 		if($this->_iConnId) return true;
 		$this->dbHost = $conf['mysql']['host'];
@@ -77,7 +79,7 @@ class db
 		$this->dbCharset = $conf["mysql"]["charset"];
 		$this->dbNewLink = false;
 		$this->dbClientFlags = null;
-		
+
 		$this->_iConnId = mysqli_connect($this->dbHost, $this->dbUser, $this->dbPass, '', (int)$this->dbPort);
 		$try = 0;
 		while((!is_object($this->_iConnId) || mysqli_connect_error()) && $try < 5) {
@@ -92,19 +94,19 @@ class db
 			$this->_sqlerror('Zugriff auf Datenbankserver fehlgeschlagen! / Database server not accessible!');
 			return false;
 		}
-		
+
 		if($this->dbName) $this->setDBName($this->dbName);
 
 		$this->_setCharset();
 	}
-	
+
 	public function setDBData($host, $user, $password, $port) {
 		$this->dbHost = $host;
 		$this->dbUser = $user;
 		$this->dbPass = $password;
 		$this->dbPort = $port;
 	}
-	
+
 	public function setDBName($name) {
 		$this->dbName = $name;
 		$this->_iConnId = mysqli_connect($this->dbHost, $this->dbUser, $this->dbPass, '', (int)$this->dbPort);
@@ -114,7 +116,7 @@ class db
 			return false;
 		}
 	}
-	
+
 	public function close() {
 		if($this->_iConnId) mysqli_close($this->_iConnId);
 		$this->_iConnId = null;
@@ -192,7 +194,7 @@ class db
 	}
 
 	private function _query($sQuery = '') {
-		
+
 		$aArgs = func_get_args();
 		$this->do_connect();
 
@@ -284,7 +286,7 @@ class db
 	 * @return array result row or NULL if none found
 	 */
 	public function queryOneRecord($sQuery = '') {
-		
+
 		$aArgs = func_get_args();
 		if(!empty($aArgs)) {
 			$sQuery = array_shift($aArgs);
@@ -293,7 +295,7 @@ class db
 		}
 		array_unshift($aArgs, $sQuery);
 		}
-  
+
 		$oResult = call_user_func_array([&$this, 'query'], $aArgs);
 		if(!$oResult) return null;
 
@@ -534,7 +536,7 @@ class db
 			if($debug == 1) echo "mySQL Error Message: ".$this->errorMessage;
 		}
 	}
-	
+
 	/* TODO: rewrite SQL */
 	function update($tablename, $form, $bedingung, $debug = 0)
 	{
@@ -761,14 +763,14 @@ class db
 			break;
 		}
 	}
-	
+
 	/**
 	 * Get the database type (mariadb or mysql)
 	 *
 	 * @access public
 	 * @return string 'mariadb' or string 'mysql'
 	 */
-	
+
 	public function getDatabaseType() {
 		$tmp = $this->queryOneRecord('SELECT VERSION() as version');
 		if(stristr($tmp['version'],'mariadb')) {
@@ -777,7 +779,7 @@ class db
 			return 'mysql';
 		}
 	}
-	
+
 	/**
 	 * Get the database version
 	 *
@@ -785,7 +787,7 @@ class db
 	 * @param bool   $major_version_only = true will return the major version only, e.g. 8 for MySQL 8
 	 * @return string version number
 	 */
-	
+
 	public function getDatabaseVersion($major_version_only = false) {
 		$tmp = $this->queryOneRecord('SELECT VERSION() as version');
 		$version = explode('-', $tmp['version']);

install/lib/update.lib.php

@@ -185,9 +185,9 @@ function updateDbAndIni() {
 			else $next_db_version = intval($current_db_version + 1);
 			$sql_patch_filename = realpath(dirname(__FILE__).'/../').'/sql/incremental/upd_'.str_pad($next_db_version, 4, '0', STR_PAD_LEFT).'.sql';
 			$php_patch_filename = realpath(dirname(__FILE__).'/../').'/patches/upd_'.str_pad($next_db_version, 4, '0', STR_PAD_LEFT).'.php';
-			
+
 			// comma separated list of version numbers were a update has to be done silently
-			$silent_update_versions = 'dev_collection,75';
+			$silent_update_versions = 'dev_collection,75,91';
 
 			if(is_file($sql_patch_filename)) {
 
@@ -214,14 +214,14 @@ function updateDbAndIni() {
 				} else {
 					$cmd = "mysql --default-character-set=".escapeshellarg($conf['mysql']['charset'])." --force -h ".escapeshellarg($conf['mysql']['host'])." -u ".escapeshellarg($conf['mysql']['admin_user'])." -P ".escapeshellarg($conf['mysql']['port'])." ".escapeshellarg($conf['mysql']['database'])." < ".$sql_patch_filename;
 				}
-				
+
 				if(in_array($next_db_version,explode(',',$silent_update_versions))) {
 					$cmd .= ' > /dev/null 2> /dev/null';
 				} else {
 					$cmd .= ' >> /var/log/ispconfig_install.log 2>> /var/log/ispconfig_install.log';
 				}
 				system($cmd);
-				
+
 				swriteln($inst->lng('Loading SQL patch file').': '.$sql_patch_filename);
 
 				//* Exec onAfterSQL function
@@ -231,7 +231,7 @@ function updateDbAndIni() {
 
 				if($dev_patch == false) $current_db_version = $next_db_version;
 				else $found = false;
-				
+
 				if(isset($php_patch)) unset($php_patch);
 			} elseif($dev_patch == false) {
 				$dev_patch = true;
@@ -416,7 +416,7 @@ function updateDbAndIni() {
 
 function setDefaultServers(){
 	global $inst, $conf;
-	
+
 	// clients
 	$clients = $inst->db->queryAllRecords("SELECT * FROM ".$conf["mysql"]["database"].".client");
 	if(is_array($clients) && !empty($clients)){
@@ -431,7 +431,7 @@ function setDefaultServers(){
 			if(trim($client['db_servers']) == '') $inst->db->query("UPDATE ?? SET db_servers = ? WHERE client_id = ?", $conf["mysql"]["database"].".client", trim($client['default_dbserver']), $client['client_id']);
 		}
 	}
-	
+
 }
 
 
@@ -442,13 +442,13 @@ function setDefaultServers(){
  */
 function check_service_config_state($servicename, $detected_value) {
 	global $current_svc_config, $inst, $conf;
-	
+
 	if ($current_svc_config[$servicename] == 1) $current_state = 1;
 	else $current_state = 0;
 
 	if ($detected_value) $detected_value = 1;
 	else $detected_value = 0;
-	
+
 	if ($detected_value != $current_state) {
 		$answer = $inst->simple_query('Service \''.$servicename.'\' '.($detected_value ? 'has been' : 'has not been').' detected ('.($current_state ? 'strongly recommended, currently enabled' : 'currently disabled').') do you want to '.($detected_value ? 'enable and configure' : 'disable').' it? ', array('yes', 'no'), ($current_state ? 'yes' : 'no'), 'svc_detect_change_'.$servicename);
 		if ($answer == 'yes') return $detected_value;
@@ -473,12 +473,22 @@ function checkAndRenameCustomTemplates($default_prompt='no') {
 		'/usr/local/ispconfig/server/conf-custom/install',
 	);
 
+	$override_templates = array(
+		'postfix_custom.conf.master',
+		'dovecot_custom.conf.master',
+	);
+
 	$found_templates = array();
+	$found_override_templates = array();
 	foreach ($template_directories as $dir) {
 		if (!is_dir($dir)) { continue; }
 		foreach (glob("$dir/*.master") as $f) {
 			if (is_file($f)) {
-				$found_templates[] = $f;
+				if (in_array( basename($f), $override_templates )) {
+					$found_override_templates[] = $f;
+				} else {
+					$found_templates[] = $f;
+				}
 			}
 		}
 	}
@@ -501,6 +511,11 @@ function checkAndRenameCustomTemplates($default_prompt='no') {
 		}
 	}
 
+	if (count($found_override_templates) > 0) {
+		echo "The following local config override templates were found, be sure to incorporate upstream changes if needed:\n\n";
+		echo implode("\n", $found_override_templates) . "\n\n";
+	}
+
 	return $ret;
 }
 

install/patches/upd_0094.php

+<?php
+
+if(!defined('INSTALLER_RUN')) die('Patch update file access violation.');
+
+class upd_0094 extends installer_patch_update {
+
+	public function onBeforeSQL() {
+		global $inst;
+
+		// Remove any duplicate mail_forwardings prior to adding unique key
+		//$inst->db->query("DELETE FROM mail_forwarding WHERE forwarding_id NOT IN (SELECT MIN(forwarding_id) FROM mail_forwarding GROUP BY source)");
+
+		// Remove any duplicate mail_transports prior to adding unique key
+		$inst->db->query("DELETE FROM mail_transport WHERE transport_id NOT IN (SELECT MIN(transport_id) FROM mail_transport GROUP BY domain, server_id)");
+	}
+
+}