interface/web/admin/lib/lang/pl_system_config.lng

@@ -22,6 +22,7 @@ $wb['dashboard_atom_url_client_txt'] = 'Dashboard atom feed URL (client)';
 $wb['webdavuser_prefix_txt'] = 'Prefiks użytkownika webdav';
 $wb['webdavuser_prefix_error_regex'] = 'Niedozwolony znak w prefiksie użytkownika webdav.';
 $wb['webftp_url_txt'] = 'Link do WebFTP';
+$wb['enable_welcome_mail_txt'] = 'Enable welcome email';
 $wb['enable_custom_login_txt'] = 'Zezwalaj na dowolną nazwę loginu';
 $wb['mailmailinglist_link_txt'] = 'Link do listy mailingowej na liście list mailingowych';
 $wb['mailmailinglist_url_txt'] = 'URL listy mailingowej';

interface/web/admin/lib/lang/pt_system_config.lng

@@ -23,6 +23,7 @@ $wb['dashboard_atom_url_client_txt'] = 'Dashboard atom feed URL (client)';
 $wb['webdavuser_prefix_txt'] = 'Webdav user prefix';
 $wb['webdavuser_prefix_error_regex'] = 'Char not allowed in webdav user prefix.';
 $wb['webftp_url_txt'] = 'WebFTP URL';
+$wb['enable_welcome_mail_txt'] = 'Enable welcome email';
 $wb['enable_custom_login_txt'] = 'Allow custom login name';
 $wb['mailmailinglist_link_txt'] = 'Link to mailing list in Mailing list list';
 $wb['mailmailinglist_url_txt'] = 'Mailing list URL';

interface/web/admin/lib/lang/ro_system_config.lng

@@ -23,6 +23,7 @@ $wb['dashboard_atom_url_client_txt'] = 'Dashboard atom feed URL (client)';
 $wb['webdavuser_prefix_txt'] = 'Webdav user prefix';
 $wb['webdavuser_prefix_error_regex'] = 'Char not allowed in webdav user prefix.';
 $wb['webftp_url_txt'] = 'WebFTP URL';
+$wb['enable_welcome_mail_txt'] = 'Enable welcome email';
 $wb['enable_custom_login_txt'] = 'Allow custom login name';
 $wb['mailmailinglist_link_txt'] = 'Link to mailing list in Mailing list list';
 $wb['mailmailinglist_url_txt'] = 'Mailing list URL';

interface/web/admin/lib/lang/ru_system_config.lng

@@ -23,6 +23,7 @@ $wb['webftp_url_txt'] = 'URL WebFTP';
 $wb['dashboard_atom_url_admin_txt'] = 'Dashboard atom feed URL (admin)';
 $wb['dashboard_atom_url_reseller_txt'] = 'Dashboard atom feed URL (reseller)';
 $wb['dashboard_atom_url_client_txt'] = 'Dashboard atom feed URL (client)';
+$wb['enable_welcome_mail_txt'] = 'Enable welcome email';
 $wb['enable_custom_login_txt'] = 'Разрешить пользовательское имя входа в систему';
 $wb['mailmailinglist_link_txt'] = 'Ссылка на почтовую рассылку в списке рассылок';
 $wb['mailmailinglist_url_txt'] = 'URL почтовой рассылки';

interface/web/admin/lib/lang/se_system_config.lng

@@ -23,6 +23,7 @@ $wb['dashboard_atom_url_client_txt'] = 'Kontrolpanelens nyhetsflöde URL (kund)'
 $wb['webdavuser_prefix_txt'] = 'Prefix för WebDAV-användare';
 $wb['webdavuser_prefix_error_regex'] = 'Otillåtet tecken i prefix för WebDAV-användare';
 $wb['webftp_url_txt'] = 'WebbFTP URL';
+$wb['enable_welcome_mail_txt'] = 'Enable welcome email';
 $wb['enable_custom_login_txt'] = 'Tillåt valfritt inloggningsnamn';
 $wb['mailmailinglist_link_txt'] = 'Länka till epostlista i listan över epostlistor';
 $wb['mailmailinglist_url_txt'] = 'Adress till epostlista';

interface/web/admin/lib/lang/sk_system_config.lng

@@ -23,6 +23,7 @@ $wb['use_domain_module_txt'] = 'Use the domain-module to add new domains';
 $wb['use_domain_module_hint'] = 'If you use this module, your customers can only select one of the domains the admin creates for them. They cannot free edit the domain-field.You have to re-login after changing this value, to make the changes visible.';
 $wb['new_domain_txt'] = 'HTML to create a new domain';
 $wb['webftp_url_txt'] = 'WebFTP URL';
+$wb['enable_welcome_mail_txt'] = 'Enable welcome email';
 $wb['enable_custom_login_txt'] = 'Allow custom login name';
 $wb['mailmailinglist_link_txt'] = 'Link to mailing list in Mailing list list';
 $wb['mailmailinglist_url_txt'] = 'Mailing list URL';

interface/web/admin/lib/lang/tr_system_config.lng

@@ -24,6 +24,7 @@ $wb['ftpuser_prefix_error_regex'] = 'FTP kullanıcısı ön ekinde izin verilmey
 $wb['shelluser_prefix_error_regex'] = 'Kabuk kullanıcısı ön ekinde izin verilmeyen karakterler var';
 $wb['webdavuser_prefix_error_regex'] = 'Webdav kullanıcısı ön ekinde izin verilmeyen karakterler var.';
 $wb['dblist_phpmyadmin_link_txt'] = 'Veritabanı listesinde phpMyAdmin bağlantısı';
+$wb['enable_welcome_mail_txt'] = 'Enable welcome email';
 $wb['enable_custom_login_txt'] = 'Özel oturum açma kullanıcı adı kullanılabilsin';
 $wb['mailboxlist_webmail_link_txt'] = 'E-posta kutusu listesinde Webmail bağlantısı';
 $wb['webmail_url_txt'] = 'Webmail Adresi';

interface/web/admin/templates/system_config_mail_edit.htm

@@ -5,6 +5,12 @@
                 </div>
             </div>
             <div class="form-group">
+                <label class="col-sm-3 control-label">{tmpl_var name='enable_welcome_mail_txt'}</label>
+                <div class="col-sm-9">
+                    {tmpl_var name='enable_welcome_mail'}
+                </div>
+            </div>
+            <div class ="form-group">
               <label class="col-sm-3 control-label">{tmpl_var name='show_per_domain_relay_options_txt'}</label>
               <div class="col-sm-9">
                 {tmpl_var name='show_per_domain_relay_options'}

interface/web/dns/dns_dmarc_edit.php

@@ -226,16 +226,20 @@ class page_action extends tform_actions {
 
 		$domain_name = rtrim($soa['origin'], '.');
 		// DMARC requieres at least one active dkim-record...
-		$sql = "SELECT * FROM dns_rr WHERE name LIKE ? AND type='TXT' AND data like 'v=DKIM1;%' AND active='Y'";
-		$temp = $app->db->queryAllRecords($sql, '%._domainkey.'.$domain_name.'.');
+		$sql = "SELECT * FROM dns_rr
+					LEFT JOIN dns_soa ON (dns_rr.zone=dns_soa.id)
+					WHERE dns_soa.origin = ? AND dns_rr.name LIKE ? AND type='TXT' AND data like 'v=DKIM1;%' AND dns_rr.active='Y'";
+		$temp = $app->db->queryAllRecords($sql, $soa['origin'], '%._domainkey%');
 		if (empty($temp)) {
 			if (isset($app->tform->errorMessage )) $app->tform->errorMessage = '<br/>' . $app->tform->errorMessage;
 			$app->tform->errorMessage .= $app->tform->wordbook['dmarc_no_dkim_txt'].$email;
 		}
 
 		// ... and an active spf-record (this breaks the current draft but DMARC is useless if you use DKIM or SPF
-		$sql = "SELECT * FROM dns_rr WHERE name LIKE ? AND type='TXT' AND (data LIKE 'v=spf1%' AND active = 'y')";
-		$temp = $app->db->queryAllRecords($sql, $domain_name.'.');
+		$sql = "SELECT * FROM dns_rr
+					LEFT JOIN dns_soa ON (dns_rr.zone=dns_soa.id)
+					WHERE dns_soa.origin = ? AND (dns_rr.name LIKE ? OR dns_rr.name = '') AND type='TXT' AND data like 'v=spf1%' AND dns_rr.active='Y'";
+		$temp = $app->db->queryAllRecords($sql, $soa['origin'], $soa['origin']);
 		// abort if more than 1 active spf-records (backward-compatibility)
 		if (is_array($temp[1])) {
 			if (isset($app->tform->errorMessage )) $app->tform->errorMessage = '<br/>' . $app->tform->errorMessage;

interface/web/sites/ajax_get_ip.php

@@ -45,7 +45,7 @@ $ip_type = $_GET['ip_type'];
 	$web_config = $app->getconf->get_server_config($server_id, 'web');
 	
 	$tmp = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE groupid = ?", $client_group_id);
-	$sql = "SELECT ip_address FROM server_ip WHERE ip_type = ? AND server_id = ? AND (client_id = 0 OR client_id=?)";
+	$sql = "SELECT ip_address FROM server_ip WHERE ip_type = ? AND server_id = ? AND virtualhost = 'y' AND (client_id = 0 OR client_id=?)";
 
 	$ips = $app->db->queryAllRecords($sql, $ip_type, $server_id, $tmp['client_id']);
 	// $ip_select = "<option value=''></option>";

interface/web/sites/templates/web_vhost_domain_redirect.htm

@@ -86,7 +86,7 @@
                 jQuery('#redirect_type option[value="redirect"]').hide();
                 jQuery('#redirect_type option[value="permanent"]').hide();
 				//jQuery('#redirect_type option[value="proxy"]').hide();
-                if(selected != "no" && selected != "" && selected != "R" && selected != "L" && selected != "R,L" && selected != "R=301,L") jQuery('#redirect_type option[value="no"]').attr('selected', 'selected');
+                if(selected != "no" && selected != "" && selected != "R" && selected != "L" && selected != "R,L" && selected != "R=301,L" && selected != "proxy") jQuery('#redirect_type option[value="no"]').attr('selected', 'selected');
 				jQuery('.nginx').hide();
             }
         });

server/conf/rspamd_options.inc.master

+# Addrs local to this server.
+local_addrs = [
+	"127.0.0.0/8",
+	"::1",
+<tmpl_loop name="local_addrs">	<tmpl_var name='quoted_ip'></tmpl_loop>];
+
+# This list is generated by ISPConfig, place custom addresses/networks in local_networks.inc.
+local_networks = "/etc/rspamd/local.d/local_networks.inc";
+
+dns {
+	nameserver = ["127.0.0.1:53:10"];
+}

server/conf/rspamd_users.conf.master

-settings {
-	authenticated {
-		priority = 10;
-		authenticated = yes;
-		#apply "default" { groups_disabled = ["rbl", "spf"]; }
-		apply "default" {
-			#symbols_enabled = [];
-			symbols_disabled = [];
-			#groups_enabled = [];
-			groups_disabled = ["rbl"];
-		}
-	}
-	whitelist {
-		priority = 10;
-		rcpt = "postmaster";
-		rcpt = "hostmaster";
-		rcpt = "abuse";
-		want_spam = yes;
-	}
-	whitelist-ip {
-		priority = 10;
-<tmpl_loop name="whitelist_ips">
-		ip = "<tmpl_var name='ip'>";
-</tmpl_loop>
-		
-		want_spam = yes;
-	}
-#	whitelist-timmehosting {
-#		priority = 20;
-#		from = "@xxx";
-#		from = "@xxx";
-#		want_spam = yes;
-#	}
-	whitelist-ca {
-		priority = 20;
-		from = "@comodo.com";
-		from = "@geotrust.com";
-		from = "@geotrusteurope.com";
-		want_spam = yes;
-	}
-	.include(try=true; glob=true) "$LOCAL_CONFDIR/local.d/users/*.conf"
-	.include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/users.local.conf"
-}

server/lib/classes/ispcmail.inc.php

@@ -612,6 +612,9 @@ class ispcmail {
 			if (stream_socket_enable_crypto($this->_smtp_conn, true, $crypto_method) != true) {
 				return false;
 			}
+
+			fputs($this->_smtp_conn, 'HELO ' . $this->smtp_helo . $this->_crlf);
+			$response = fgets($this->_smtp_conn, 515);
 		}
 
 		//AUTH LOGIN

server/lib/classes/letsencrypt.inc.php

@@ -137,6 +137,7 @@ class letsencrypt {
 			return false;
 		}
 
+		$primary_domain = $domains[0];
 		$matches = array();
 		$ret = null;
 		$val = 0;
@@ -151,18 +152,22 @@ class letsencrypt {
 			$acme_version = 'https://acme-v01.api.letsencrypt.org/directory';
 		}
 		if (version_compare($letsencrypt_version, '0.30', '>=')) {
-			$app->log("LE version is " . $letsencrypt_version . ", so using certificates command", LOGLEVEL_DEBUG);
+			$app->log("LE version is " . $letsencrypt_version . ", so using certificates command and --cert-name instead of --expand", LOGLEVEL_DEBUG);
 			$this->certbot_use_certcommand = true;
 			$webroot_map = array();
 			for($i = 0; $i < count($domains); $i++) {
 				$webroot_map[$domains[$i]] = '/usr/local/ispconfig/interface/acme';
 			}
 			$webroot_args = "--webroot-map " . escapeshellarg(str_replace(array("\r", "\n"), '', json_encode($webroot_map)));
+			// --cert-name might be working with earlier versions of certbot, but there is no exact version documented
+			// So for safety reasons we add it to the 0.30 version check as it is documented to work as expected in this version
+			$cert_selection_command = "--cert-name $primary_domain";
 		} else {
 			$webroot_args = "$cmd --webroot-path /usr/local/ispconfig/interface/acme";
+			$cert_selection_command = "--expand";
 		}
 
-		$cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server $acme_version --rsa-key-size 4096 --email postmaster@$domain $webroot_args";
+		$cmd = $letsencrypt . " certonly -n --text --agree-tos $cert_selection_command --authenticator webroot --server $acme_version --rsa-key-size 4096 --email webmaster@$primary_domain $webroot_args";
 
 		return $cmd;
 	}

server/plugins-available/bind_plugin.inc.php

@@ -452,7 +452,7 @@ class bind_plugin {
 
 		//* Ensure that the named slave directory is writable by the named user
 		$slave_record_dir = $dns_config['bind_zonefiles_dir'].'/'.$this->slave_zone_file_prefix();
-		if(!@is_dir($slave_record_dir)) mkdir($slave_record_dir, 0770);
+		if(!@is_dir($slave_record_dir)) mkdir($slave_record_dir, 0770, true);
 		chown($slave_record_dir, $dns_config['bind_user']);
 		chgrp($slave_record_dir, $dns_config['bind_group']);
 

server/plugins-available/mail_plugin.inc.php

@@ -136,7 +136,7 @@ class mail_plugin {
 			$app->system->exec_safe("su -c 'doveadm mailbox create -u ? Trash'", $data["new"]["email"]);
 			$app->system->exec_safe("su -c 'doveadm mailbox create -u ? Junk'", $data["new"]["email"]);
 			$app->system->exec_safe("su -c 'doveadm mailbox create -u ? Drafts'", $data["new"]["email"]);
-			
+
 			$app->system->exec_safe("su -c 'doveadm mailbox subscribe -u ? INBOX'", $data["new"]["email"]);
 			$app->system->exec_safe("su -c 'doveadm mailbox subscribe -u ? Sent'", $data["new"]["email"]);
 			$app->system->exec_safe("su -c 'doveadm mailbox subscribe -u ? Trash'", $data["new"]["email"]);
@@ -150,26 +150,26 @@ class mail_plugin {
 				$app->log('Created Directory: '.$maildomain_path, LOGLEVEL_DEBUG);
 				$maildomain_path .= '/Maildir';
 			}
-					
+
 			//* When the mail user dir exists but it is not a valid maildir, move it to corrupted maildir folder
 			if(!empty($maildomain_path) && is_dir($maildomain_path) && !is_dir($maildomain_path.'/new') && !is_dir($maildomain_path.'/cur')) {
 				if(!is_dir($mail_config['homedir_path'].'/corrupted/'.$data['new']['mailuser_id'])) $app->system->mkdirpath($mail_config['homedir_path'].'/corrupted/'.$data['new']['mailuser_id'], 0700, $mail_config['mailuser_name'], $mail_config['mailuser_group']);
 				$app->system->exec_safe("su -c ? vmail", "mv -f " . $data['new']['maildir']." ".$mail_config['homedir_path'].'/corrupted/'.$data['new']['mailuser_id']);
 				$app->log('Moved invalid maildir to corrupted Maildirs folder: '.$data['new']['maildir'], LOGLEVEL_WARN);
 			}
-	
+
 			//* Create the maildir, if it doesn not exist, set permissions, set quota.
 			if(!empty($maildomain_path) && !is_dir($maildomain_path)) {
-	
+
 				$app->system->maildirmake($maildomain_path, $user, '', $group);
-	
+
 				//* This is to fix the maildrop quota not being rebuilt after the quota is changed.
 				if($mail_config['pop3_imap_daemon'] != 'dovecot') {
 					if(is_dir($maildomain_path)) $app->system->exec_safe("su -c ? ?", "maildirmake -q ".$data['new']['quota']."S ".$maildomain_path, $user); // Avoid maildirmake quota bug, see debian bug #214911
 					$app->log('Created Maildir: '."su -c 'maildirmake -q ".$data['new']['quota']."S ".$maildomain_path."' ".$user, LOGLEVEL_DEBUG);
 				}
 			}
-	
+
 			if(!is_dir($data['new']['maildir'].'/.Sent')) {
 				$app->system->maildirmake($maildomain_path, $user, 'Sent', $group);
 			}
@@ -182,11 +182,11 @@ class mail_plugin {
 			if(!is_dir($data['new']['maildir'].'/.Junk')) {
 				$app->system->maildirmake($maildomain_path, $user, 'Junk', $group);
 			}
-	
+
 			// Set permissions now recursive
 			$app->system->exec_safe('chown -R ?:? ?', $user, $group, $data['new']['maildir']);
 			$app->log('Set ownership on '.$data['new']['maildir'], LOGLEVEL_DEBUG);
-	
+
 			//* Set the maildir quota
 			if(is_dir($data['new']['maildir'].'/new') && $mail_config['pop3_imap_daemon'] != 'dovecot') {
 				if($data['new']['quota'] > 0) {
@@ -263,9 +263,10 @@ class mail_plugin {
 			$additionalParameters = '-f '.$matches[1];
 		}
 
-		// Send the welcome email only on a "master" mail server to avoid duplicate emails
+		// Send the welcome email only on a "master" mail server to avoid duplicate emails, and only send them when welcome emails are enabled.
 		// (bypass the normal ispcmail class when creating mail accounts)
-		if($conf['mirror_server_id'] == 0) mail($mailTarget, $mailSubject, $welcome_mail_message, $mailHeaders, $additionalParameters);
+		$global_config = $app->getconf->get_global_config('mail');
+		if($conf['mirror_server_id'] == 0 && $global_config['enable_welcome_mail'] == 'y') mail($mailTarget, $mailSubject, $welcome_mail_message, $mailHeaders, $additionalParameters);
 
 	}
 
@@ -278,7 +279,7 @@ class mail_plugin {
 
 		// Maildir-Format must not be changed on this way !!
 		$data['new']['maildir_format'] = $data['old']['maildir_format'];
-		
+
 		$maildomain_path = $data['new']['maildir'];
 		$tmp_basepath = $data['new']['maildir'];
 		$tmp_basepath_parts = explode('/', $tmp_basepath);
@@ -332,7 +333,7 @@ class mail_plugin {
 				$app->system->exec_safe('mv -f ? ?'. $data['old']['maildir'], $data['new']['maildir']);
 				$app->log('Moved Maildir from: '.$data['old']['maildir'].' to '.$data['new']['maildir'], LOGLEVEL_DEBUG);
 			}
-				
+
 			//* Create the maildir, if it doesn not exist, set permissions, set quota.
 			if(!is_dir($data['new']['maildir'].'/mdbox')) {
 				$app->system->exec_safe("su -c 'doveadm mailbox create -u ? INBOX'", $data["new"]["email"]);
@@ -340,7 +341,7 @@ class mail_plugin {
 				$app->system->exec_safe("su -c 'doveadm mailbox create -u ? Trash'", $data["new"]["email"]);
 				$app->system->exec_safe("su -c 'doveadm mailbox create -u ? Junk'", $data["new"]["email"]);
 				$app->system->exec_safe("su -c 'doveadm mailbox create -u ? Drafts'", $data["new"]["email"]);
-					
+
 				$app->system->exec_safe("su -c 'doveadm mailbox subscribe -u ? INBOX'", $data["new"]["email"]);
 				$app->system->exec_safe("su -c 'doveadm mailbox subscribe -u ? Sent'", $data["new"]["email"]);
 				$app->system->exec_safe("su -c 'doveadm mailbox subscribe -u ? Trash'", $data["new"]["email"]);
@@ -355,18 +356,18 @@ class mail_plugin {
 				$app->log('Created Directory: '.$base_path, LOGLEVEL_DEBUG);
 				$maildomain_path .= '/Maildir';
 			}
-	
+
 			//* When the mail user dir exists but it is not a valid maildir, move it to corrupted maildir folder
 			if(!empty($maildomain_path) && is_dir($maildomain_path) && !is_dir($maildomain_path.'/new') && !is_dir($maildomain_path.'/cur')) {
 				if(!is_dir($mail_config['homedir_path'].'/corrupted/'.$data['new']['mailuser_id'])) $app->system->mkdirpath($mail_config['homedir_path'].'/corrupted/'.$data['new']['mailuser_id'], 0700, $mail_config['mailuser_name'], $mail_config['mailuser_group']);
 				$app->system->exec_safe("su -c ? ?", "mv -f ".$data['new']['maildir']." ".$mail_config['homedir_path'].'/corrupted/'.$data['new']['mailuser_id'], 'vmail');
 				$app->log('Moved invalid maildir to corrupted Maildirs folder: '.$data['new']['maildir'], LOGLEVEL_WARN);
 			}
-	
+
 			//* Create the maildir, if it doesn not exist, set permissions, set quota.
 			if(!empty($maildomain_path) && !is_dir($maildomain_path.'/new')) {
 				$app->system->maildirmake($maildomain_path, $user, '', $group);
-	
+
 				//* This is to fix the maildrop quota not being rebuilt after the quota is changed.
 				if($mail_config['pop3_imap_daemon'] != 'dovecot') {
 					if($data['new']['quota'] > 0) {
@@ -378,7 +379,7 @@ class mail_plugin {
 					}
 				}
 			}
-	
+
 			if(!is_dir($data['new']['maildir'].'/.Sent')) {
 				$app->system->maildirmake($maildomain_path, $user, 'Sent', $group);
 			}
@@ -391,11 +392,11 @@ class mail_plugin {
 			if(!is_dir($data['new']['maildir'].'/.Junk')) {
 				$app->system->maildirmake($maildomain_path, $user, 'Junk', $group);
 			}
-	
+
 			// Set permissions now recursive
 			$app->system->exec_safe('chown -R ?:? ?', $user, $group, $data['new']['maildir']);
 			$app->log('Set ownership on '.$data['new']['maildir'], LOGLEVEL_DEBUG);
-	
+
 			// Move mailbox, if domain has changed and delete old mailbox
 			if($data['new']['maildir'] != $data['old']['maildir'] && is_dir($data['old']['maildir'])) {
 				if(is_dir($data['new']['maildir'])) {
@@ -487,7 +488,7 @@ class mail_plugin {
 		} else {
 			$app->log('Possible security violation when deleting the mail domain mailfilter directory: '.$old_maildomain_path, LOGLEVEL_ERROR);
 		}
-		
+
 		//* Delete the mail-backups
 		$server_config = $app->getconf->get_server_config($conf['server_id'], 'server');
 		$backup_dir = $server_config['backup_dir'];

server/plugins-available/rspamd_plugin.inc.php

@@ -224,11 +224,10 @@ class rspamd_plugin {
 				unlink($settings_file);
 			}
 		} else {
-			$settings_priority = 20;
 			if(isset($data[$use_data]['priority'])) {
-				$settings_priority = intval($data[$use_data]['priority']);
-			} elseif($is_domain === true) {
-				$settings_priority = 18;
+				$settings_priority = ($is_domain ? 10 : 20) + intval($data[$use_data]['priority']);
+			} else {
+				$settings_priority = ($is_domain ? 10 : 20) + 5;
 			}
 
 			// get policy for entry
@@ -405,8 +404,8 @@ class rspamd_plugin {
 					$tpl->newTemplate('rspamd_wblist.inc.conf.master');
 					$tpl->setVar('list_scope', ($global_filter ? 'global' : 'spamfilter'));
 					$tpl->setVar('record_id', $record_id);
-					// we need to add 10 to priority to avoid mailbox/domain spamfilter settings overriding white/blacklists
-					$tpl->setVar('priority', intval($data['new']['priority']) + ($global_filter ? 10 : 20));
+					// add 30/40 to priority to avoid collisions and prefer white/blacklists above mailbox/domain spamfilter settings
+					$tpl->setVar('priority', intval($data['new']['priority']) + ($global_filter ? 30 : 40));
 					$tpl->setVar('from', $filter_from);
 					$tpl->setVar('recipient', $filter_rcpt);
 					$tpl->setVar('hostname', $filter['hostname']);
@@ -459,17 +458,17 @@ class rspamd_plugin {
 
 		if(is_dir('/etc/rspamd')) {
 			$tpl = new tpl();
-			$tpl->newTemplate('rspamd_users.conf.master');
+			$tpl->newTemplate('rspamd_options.inc.master');
 
-			$whitelist_ips = array();
-			$ips = $app->db->queryAllRecords("SELECT * FROM server_ip WHERE server_id = ?", $conf['server_id']);
+			$local_addrs = array();
+			$ips = $app->db->queryAllRecords('SELECT `ip_address`, `ip_type` FROM ?? WHERE `server_id` = ?', $conf['mysql']['database'].'.server_ip', $conf['server_id']);
 			if(is_array($ips) && !empty($ips)){
 				foreach($ips as $ip){
-					$whitelist_ips[] = array('ip' => $ip['ip_address']);
+					$local_addrs[] = array('quoted_ip' => "\"".$ip['ip_address']."\",\n");
 				}
 			}
-			$tpl->setLoop('whitelist_ips', $whitelist_ips);
-			$app->system->file_put_contents('/etc/rspamd/local.d/users.conf', $tpl->grab());
+			$tpl->setLoop('local_addrs', $local_addrs);
+			$app->system->file_put_contents('/etc/rspamd/local.d/options.inc', $tpl->grab());
 
 			if($mail_config['content_filter'] == 'rspamd'){
 				$app->services->restartServiceDelayed('rspamd', 'reload');