Merge branch 'feature/update-composev2' into hotfix

2022-06-23 11:24:54 +02:00
37 changed files with 735 additions and 1185 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,120 @@
 ---
 kind: pipeline
 name: integration-testing
 platform:
  os: linux
  arch: amd64
 clone:
  disable: true
 steps:
 - name: prepare-tests
  pull: default
  image: timovibritannia/ansible
  commands:
  - git clone https://github.com/mailcow/mailcow-integration-tests.git --branch $(curl -sL https://api.github.com/repos/mailcow/mailcow-integration-tests/releases/latest | jq -r '.tag_name') --single-branch .
  - chmod +x ci.sh
  - chmod +x ci-ssh.sh
  - chmod +x ci-piprequierments.sh
  - ./ci.sh
  - wget -O group_vars/all/secrets.yml $SECRETS_DOWNLOAD_URL --quiet
  environment:
    SECRETS_DOWNLOAD_URL:
      from_secret: SECRETS_DOWNLOAD_URL
    VAULT_PW:
      from_secret: VAULT_PW
  when:
    branch:
    - master
    - staging
    event:
    - push
 - name: lint
  pull: default
  image: timovibritannia/ansible
  commands:
  - ansible-lint ./
  when:
    branch:
    - master
    - staging
    event:
    - push
 - name: create-server
  pull: default
  image: timovibritannia/ansible
  commands:
  - ./ci-piprequierments.sh
  - ansible-playbook mailcow-start-server.yml --diff
  - ./ci-ssh.sh
  environment:
    ANSIBLE_HOST_KEY_CHECKING: false
    ANSIBLE_FORCE_COLOR: true
  when:
    branch:
    - master
    - staging
    event:
    - push
 - name: setup-server
  pull: default
  image: timovibritannia/ansible
  commands:
  - sleep 120
  - ./ci-piprequierments.sh
  - ansible-playbook mailcow-setup-server.yml --private-key /drone/src/id_ssh_rsa --diff
  environment:
    ANSIBLE_HOST_KEY_CHECKING: false
    ANSIBLE_FORCE_COLOR: true
  when:
    branch:
    - master
    - staging
    event:
    - push
 - name: run-tests
  pull: default
  image: timovibritannia/ansible
  commands:
  - ./ci-piprequierments.sh
  - ansible-playbook mailcow-integration-tests.yml --private-key /drone/src/id_ssh_rsa --diff
  environment:
    ANSIBLE_HOST_KEY_CHECKING: false
    ANSIBLE_FORCE_COLOR: true
  when:
    branch:
    - master
    - staging
    event:
    - push
 - name: delete-server
  pull: default
  image: timovibritannia/ansible
  commands:
  - ./ci-piprequierments.sh
  - ansible-playbook mailcow-delete-server.yml --diff
  environment:
    ANSIBLE_HOST_KEY_CHECKING: false
    ANSIBLE_FORCE_COLOR: true
  when:
    branch:
    - master
    - staging
    event:
    - push
    status:
    - failure
    - success
 ---
 kind: signature
 hmac: f6619243fe2a27563291c9f2a46d93ffbc3b6dced9a05f23e64b555ce03a31e5
 ...
--- a/.github/workflows/close_old_issues_and_prs.yml
+++ b/.github/workflows/close_old_issues_and_prs.yml
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v5.1.0
+        uses: actions/stale@v5.0.0
        with:
          repo-token: ${{ secrets.STALE_ACTION_PAT }}
          days-before-stale: 60
@@ -30,7 +30,6 @@ jobs:
          stale-issue-label: "stale"
          stale-pr-label: "stale"
          exempt-draft-pr: "true"
          close-issue-reason: "not_planned"
          operations-per-run: "250"
          ascending: "true"
          #DRY-RUN
--- a/.github/workflows/image_builds.yml
+++ b/.github/workflows/image_builds.yml
@@ -1,42 +0,0 @@
 name: Build mailcow Docker Images
 on:
  push:
    branches: [ "master", "staging" ]
  workflow_dispatch:
 jobs:
  docker_image_builds:
    strategy:
      matrix:
        images:
          - "acme-mailcow"
          - "clamd-mailcow"
          - "dockerapi-mailcow"
          - "dovecot-mailcow"
          - "netfilter-mailcow"
          - "olefy-mailcow"
          - "php-fpm-mailcow"
          - "postfix-mailcow"
          - "rspamd-mailcow"
          - "sogo-mailcow"
          - "solr-mailcow"
          - "unbound-mailcow"
          - "watchdog-mailcow"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Docker
        run: |
          curl -sSL https://get.docker.com/ | CHANNEL=stable sudo sh
          sudo service docker start
          sudo curl -L https://github.com/docker/compose/releases/download/v$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose
          sudo chmod +x /usr/local/bin/docker-compose
      - name: Prepair Image Builds
        run: |
          cp helper-scripts/docker-compose.override.yml.d/BUILD_FLAGS/docker-compose.override.yml docker-compose.override.yml
      - name: Build Docker Images
        run: |
          docker-compose build ${image}
        env:
          image: ${{ matrix.images }}
--- a/.github/workflows/integration_tests.yml
+++ b/.github/workflows/integration_tests.yml
@@ -1,60 +0,0 @@
 name: mailcow Integration Tests
 on:
  push:
    branches: [ "master", "staging" ]
  workflow_dispatch:
 jobs:
  integration_tests:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Ansible
        run: |
          export DEBIAN_FRONTEND=noninteractive
          sudo apt-get update
          sudo apt-get install python3 python3-pip git
          sudo pip3 install ansible
      - name: Prepair Test Environment
        run: |
          git clone https://github.com/mailcow/mailcow-integration-tests.git --branch $(curl -sL https://api.github.com/repos/mailcow/mailcow-integration-tests/releases/latest | jq -r '.tag_name') --single-branch .
          ./fork_check.sh
          ./ci.sh
          ./ci-pip-requirements.sh
        env:
          VAULT_PW: ${{ secrets.MAILCOW_TESTS_VAULT_PW }}
          VAULT_FILE: ${{ secrets.MAILCOW_TESTS_VAULT_FILE }}
      - name: Start Integration Test Server
        run: |
          ./fork_check.sh
          ansible-playbook mailcow-start-server.yml --diff
        env:
          PY_COLORS: '1'
          ANSIBLE_FORCE_COLOR: '1'
          ANSIBLE_HOST_KEY_CHECKING: 'false'
      - name: Setup Integration Test Server
        run: |
          ./fork_check.sh
          sleep 30
          ansible-playbook mailcow-setup-server.yml --private-key id_ssh_rsa --diff
        env:
          PY_COLORS: '1'
          ANSIBLE_FORCE_COLOR: '1'
          ANSIBLE_HOST_KEY_CHECKING: 'false'
      - name: Run Integration Tests
        run: |
          ./fork_check.sh
          ansible-playbook mailcow-integration-tests.yml --private-key id_ssh_rsa --diff
        env:
          PY_COLORS: '1'
          ANSIBLE_FORCE_COLOR: '1'
          ANSIBLE_HOST_KEY_CHECKING: 'false'
      - name: Delete Integration Test Server
        if: always()
        run: |
          ./fork_check.sh
          ansible-playbook mailcow-delete-server.yml --diff
        env:
          PY_COLORS: '1'
          ANSIBLE_FORCE_COLOR: '1'
          ANSIBLE_HOST_KEY_CHECKING: 'false'
--- a/.github/workflows/tweet-trigger-publish-release.yml
+++ b/.github/workflows/tweet-trigger-publish-release.yml
@@ -1,17 +0,0 @@
 name: "Tweet trigger release"
 on:
  release:
    types: [published]
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Tweet-trigger-publish-release
        uses: mugi111/tweet-trigger-release@v1.1
        with:
          consumer_key: ${{ secrets.CONSUMER_KEY }}
          consumer_secret: ${{ secrets.CONSUMER_SECRET }}
          access_token_key: ${{ secrets.ACCESS_TOKEN_KEY }}
          access_token_secret: ${{ secrets.ACCESS_TOKEN_SECRET }}
          tweet_body: 'A new mailcow-dockerized Release has been Released on GitHub! Checkout our GitHub Page for the latest Release: github.com/mailcow/mailcow-dockerized/releases/latest'
--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,16 @@
 sudo: required
 services:
 - docker
 script:
 - echo 'Europe/Berlin' | MAILCOW_HOSTNAME=build.mailcow ./generate_config.sh
 - docker-compose pull --ignore-pull-failures --parallel
 - docker-compose build
 - docker login --username=$DOCKER_HUB_USERNAME --password=$DOCKER_HUB_PASSWORD
 - docker-compose push
 branches:
  only:
  - master_disabled
 env:
  global:
  - secure: MpxpTwD7f0CNEVLitSpVmocK7O9r+BwFE1deEHK4AlQo/oc9cOlhGe1EL3mx9zbglPmjlDg/8kMUGv6vSirIabfBo9Szjps76bHckFr9lr2Ykkg0e29oC8pgPpSXD1eY/1ZIN/FvIkxpUFLETo1okS/j9q/A0DCGFmti0n3EoMORsgRz9CpNAiEh0zpSd6+euPAGHuczuCrDuO84my9bIOCjA/+aPunHNeXiuM8yIM2SxCSyGtIKT0+jvquIvLF58VxivysXBlRfhDn8fhB09nXA2Ru/derYQACfcmNSn9Pd4bDpebPJW5B9H/XA8xjb58uKinUlncbAMB/QnxoT75j9YRWJZRSQ+34XNYP6ZgK9soZ2TC6djQyEKTUu45Kp/1s+poSn42m9jytJJTmmK0KxsZTRcC8JD5nrjIMZWPUNNTwC5L4+I7ZRWg2WooK3LNyq1Ng8Hn6W77wSgsvAJw2HD3Lx58AprGUhHuBeaIZRuSN9aKwZrl9vKQJLqPnOp/nF2EC6kot5HYYtcotGtETXPUDih21gWD5ZM2BqVqYfQQnJnNMgeYmMdj6QQuTFqhuNJf7hXRIRkTnD3j1gDOLKQZazW0+N2JE8XWDFwi6fKScDsxT85lJti9HmzHa7+k4RVHmUYuDgRoPuzUgjWHvPsiz3/Z8WQ9JYpH84S8w=
  - secure: fWzZisT6nGDNL4lf6tXB07eFG2drgBakHxzdF/NFVvzuP861RFR6omuL+ED0PgXrEHDJBxaBLv52je8irmUXrAH1CNr7T8DWiZo/h5h609Uzr+38T1NnIu4krL0Wo6/CDwlLKnzqTq9yBIZLQSHVJmo8AOpo1JPIi2ajodqj9ZfmAxDQTQl+G6zvQjtqIkYHsHY7A44Rto0f14ykn7w2S82Jn6Ry89VNI5V1WEO3sMpM/XekNP/HokNcRIuntL/0+kuLvTJ5akGoTjBQxSnSW95opzPeGky74HRU2obExJYqKvF0VfVJRNAqejwjIiFIbbjqV0Sk5391kFuhuBErQQDM1bOHGdxZ41HsJH29qNWIl7C33Yl10qERoqecgsJ1N/bS2ZEmWqm/zQh5GClCXPvYmzEqMYsMGM3vjbKdjDlc1Wh2w/eFclsXN9LSXh1mc35rtj46frcT6e5Kof87AIfC9hTgDvk9kAsyjaHMkSHSZthbZXCIcsD8qriNm5UqfFBYD79mPIP1S2YMQ2jscCsjHOZgYVrcm0kzDF21J1w6H0Lo7d1jw37LYlegBdtLQ9gYgqY2D5m+nxWuVoD5FZmpR+5JGtK+ootyLFF8aiFoHXd4op1JCxRLjgkmnZKXzw3kTQSpE7oa7CgzchtQmK2nqcqla1b5Qk7ilVcjooo=
--- a/README.md
+++ b/README.md
@@ -2,8 +2,7 @@
 ## We stand with 🇺🇦
-[![Mailcow Integration Tests](https://github.com/mailcow/mailcow-dockerized/actions/workflows/integration_tests.yml/badge.svg?branch=master)](https://github.com/mailcow/mailcow-dockerized/actions/workflows/integration_tests.yml)
+[![master build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/master?label=master%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![staging build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/staging?label=staging%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/)
 [![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/mailcow_email.svg?style=social&label=Follow%20%40mailcow_email)](https://twitter.com/mailcow_email)
 ## Want to support mailcow?
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,42 +0,0 @@
 # Security Policies and Procedures
 This document outlines security procedures and general policies for the _mailcow: dockerized_ project as found on [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized).
  * [Reporting a Vulnerability](#reporting-a-vulnerability)
  * [Disclosure Policy](#disclosure-policy)
  * [Comments on this Policy](#comments-on-this-policy)
 ## Reporting a Vulnerability 
 The mailcow team and community take all security vulnerabilities
 seriously. Thank you for improving the security of our open source 
 software. We appreciate your efforts and responsible disclosure and will
 make every effort to acknowledge your contributions.
 Report security vulnerabilities by emailing the mailcow team at:
    info at servercow.de
 mailcow team will acknowledge your email as soon as possible, and will
 send a more detailed response afterwards indicating the next steps in 
 handling your report. After the initial reply to your report, the mailcow
 team will endeavor to keep you informed of the progress towards a fix and
 full announcement, and may ask for additional information or guidance.
 Report security vulnerabilities in third-party modules to the person or 
 team maintaining the module.
 ## Disclosure Policy
 When the mailcow team receives a security bug report, they will assign it
 to a primary handler. This person will coordinate the fix and release
 process, involving the following steps:
  * Confirm the problem and determine the affected versions.
  * Audit code to find any potential similar problems.
  * Prepare fixes for all releases still under maintenance.
 ## Comments on this Policy
 If you have suggestions on how this process could be improved please submit a
 pull request.
--- a/create_cold_standby.sh
+++ b/create_cold_standby.sh
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@@ -1,4 +1,4 @@
-FROM clamav/clamav:0.105.1_base
+FROM clamav/clamav:0.105.0_base
 LABEL maintainer "André Peters <andre.peters@servercow.de>"
@@ -8,14 +8,8 @@ RUN apk upgrade --no-cache \
  bind-tools \
  bash 
-# init
+COPY clamd.sh ./
 COPY clamd.sh /clamd.sh
 RUN chmod +x /sbin/tini
 # healthcheck
 COPY healthcheck.sh /healthcheck.sh
 RUN chmod +x /healthcheck.sh
 HEALTHCHECK --start-period=6m CMD "/healthcheck.sh"
 ENTRYPOINT []
 CMD ["/sbin/tini", "-g", "--", "/clamd.sh"]
--- a/data/Dockerfiles/clamd/healthcheck.sh
+++ b/data/Dockerfiles/clamd/healthcheck.sh
@@ -1,9 +0,0 @@
 #!/bin/bash
 if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  echo "SKIP_CLAMD=y, skipping ClamAV..."
  exit 0
 fi
 # run clamd healthcheck
 /usr/local/bin/clamdcheck.sh
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -2,7 +2,7 @@ FROM debian:bullseye-slim
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 ARG DEBIAN_FRONTEND=noninteractive
-ARG DOVECOT=2.3.19.1
+ARG DOVECOT=2.3.18
 ENV LC_ALL C
 ENV GOSU_VERSION 1.14
--- a/data/conf/rspamd/local.d/groups.conf
+++ b/data/conf/rspamd/local.d/groups.conf
@@ -18,9 +18,6 @@ symbols {
  "ENCRYPTED_CHAT" {
    score = -20.0;
  }
  "SOGO_CONTACT" {
    score = -99.0;
  }
 }
 group "MX" {
--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@@ -518,9 +518,6 @@ paths:
                        - domain.tld
                      type: success
              schema:
                type: array
                items:
                  type: object
                properties:
                  log:
                    description: contains request object
@@ -535,6 +532,7 @@ paths:
                      - danger
                      - error
                    type: string
                type: object
          description: OK
          headers: {}
      tags:
@@ -581,11 +579,6 @@ paths:
                domain:
                  description: Fully qualified domain name
                  type: string
                gal:
                  description: >-
                    is domain global address list active or not, it enables
                    shared contacts accross domain in SOGo webmail
                  type: boolean
                mailboxes:
                  description: limit count of mailboxes associated with this domain
                  type: number
@@ -603,9 +596,6 @@ paths:
                    if not, them you have to create "dummy" mailbox for each
                    address to relay
                  type: boolean
                relay_unknown_only:
                  description: Relay non-existing mailboxes only. Existing mailboxes will be delivered locally.
                  type: boolean
                rl_frame:
                  enum:
                    - s
@@ -616,11 +606,6 @@ paths:
                rl_value:
                  description: rate limit value
                  type: number
                tags:
                  description: tags for this Domain
                  type: array
                  items:
                    type: string
              type: object
      summary: Create domain
  /api/v1/add/domain-admin:
@@ -1967,9 +1952,6 @@ paths:
                        - domain2.tld
                      type: success
              schema:
                type: array
                items:
                  type: object
                properties:
                  log:
                    description: contains request object
@@ -1984,6 +1966,7 @@ paths:
                      - danger
                      - error
                    type: string
                type: object
          description: OK
          headers: {}
      tags:
@@ -1994,15 +1977,14 @@ paths:
        content:
          application/json:
            schema:
              type: object
              example:
                - domain.tld
                - domain2.tld
              properties:
                items:
-                  type: array
+                  description: contains list of domains you want to delete
-                  items:
+                  type: object
-                    type: string
+              type: object
      summary: Delete domain
  /api/v1/delete/domain-admin:
    post:
@@ -2990,25 +2972,23 @@ paths:
          $ref: "#/components/responses/Unauthorized"
        "200":
          content:
-            application/json:
+            "*/*":
              schema:
                type: array
                items: 
                  type: object
                properties:
                  log:
                      type: array
                    description: contains request object
                    items: {}
                    msg:
                    type: array
                  msg:
                    items: {}
                    type: array
                  type:
                    enum:
                      - success
                      - danger
                      - error
                    type: string
                type: object
          description: OK
          headers: {}
      tags:
@@ -3076,33 +3056,13 @@ paths:
                        if not, them you have to create "dummy" mailbox for each
                        address to relay
                      type: boolean
                    relay_unknown_only:
                      description: Relay non-existing mailboxes only. Existing mailboxes will be delivered locally.
                      type: boolean
                    relayhost:
                      description: id of relayhost
                      type: number
                    rl_frame:
                      enum:
                        - s
                        - m
                        - h
                        - d
                      type: string
                    rl_value:
                      description: rate limit value
                      type: number
                    tags:
                      description: tags for this Domain
                      type: array
                      items:
                        type: string
                  type: object
                items:
                  description: contains list of domain names you want update
-                  type: array
+                  type: object
                  items:
                    type: string
              type: object
      summary: Update domain
  /api/v1/edit/fail2ban:
@@ -3993,8 +3953,6 @@ paths:
          in: query
          name: tags
          required: false
          schema:
            type: string
        - description: e.g. api-key-string
          example: api-key-string
          in: header
@@ -4554,8 +4512,6 @@ paths:
          in: query
          name: tags
          required: false
          schema:
            type: string
        - description: e.g. api-key-string
          example: api-key-string
          in: header
--- a/data/web/css/build/008-mailcow.css
+++ b/data/web/css/build/008-mailcow.css
@@ -260,17 +260,6 @@ code {
  margin-right: 5px;
 }
 .list-group-item.webauthn-authenticator-selection,
 .list-group-item.totp-authenticator-selection,
 .list-group-item.yubi_otp-authenticator-selection {
  border-radius: 0px !important;
 }
 .pending-tfa-collapse {
  padding: 10px;
  background: #fbfbfb;
  border: 1px solid #ededed;
 }
 .tag-box {
  display: flex;
  flex-wrap: wrap;
@@ -307,3 +296,4 @@ code {
  align-items: center;
  display: inline-flex;
 }
--- a/data/web/inc/ajax/destroy_tfa_auth.php
+++ b/data/web/inc/ajax/destroy_tfa_auth.php
@@ -2,5 +2,5 @@
 session_start();
 unset($_SESSION['pending_mailcow_cc_username']);
 unset($_SESSION['pending_mailcow_cc_role']);
-unset($_SESSION['pending_tfa_methods']);
+unset($_SESSION['pending_tfa_method']);
 ?>
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -23,27 +23,6 @@ if (is_array($alertbox_log_parser)) {
  unset($_SESSION['return']);
 }
 // map tfa details for twig
 $pending_tfa_authmechs = [];
 foreach($_SESSION['pending_tfa_methods'] as $authdata){
  $pending_tfa_authmechs[$authdata['authmech']] = false;
 }
 if (isset($pending_tfa_authmechs['webauthn'])) {
  $pending_tfa_authmechs['webauthn'] = true;
 }
 if (!isset($pending_tfa_authmechs['webauthn']) 
    && isset($pending_tfa_authmechs['yubi_otp'])) {
  $pending_tfa_authmechs['yubi_otp'] = true;
 }
 if (!isset($pending_tfa_authmechs['webauthn']) 
    && !isset($pending_tfa_authmechs['yubi_otp'])
    && isset($pending_tfa_authmechs['totp'])) {
  $pending_tfa_authmechs['totp'] = true;
 }
 if (isset($pending_tfa_authmechs['u2f'])) {
  $pending_tfa_authmechs['u2f'] = true;
 }
 // globals
 $globalVariables = [
  'mailcow_info' => array(
@@ -51,8 +30,7 @@ $globalVariables = [
    'git_project_url' => $GLOBALS['MAILCOW_GIT_URL']
  ),
  'js_path' => '/cache/'.basename($JSPath),
-  'pending_tfa_methods' => @$_SESSION['pending_tfa_methods'],
+  'pending_tfa_method' => @$_SESSION['pending_tfa_method'],
  'pending_tfa_authmechs' => $pending_tfa_authmechs,
  'pending_mailcow_cc_username' => @$_SESSION['pending_mailcow_cc_username'],
  'lang_footer' => json_encode($lang['footer']),
  'lang_acl' => json_encode($lang['acl']),
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -830,15 +830,11 @@ function check_login($user, $pass, $app_passwd_data = false) {
  $stmt->execute(array(':user' => $user));
  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  foreach ($rows as $row) {
    // verify password
    if (verify_hash($row['password'], $pass)) {
-      // check for tfa authenticators
+      if (get_tfa($user)['name'] != "none") {
      $authenticators = get_tfa($user);
      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
        // active tfa authenticators found, set pending user login
        $_SESSION['pending_mailcow_cc_username'] = $user;
        $_SESSION['pending_mailcow_cc_role'] = "admin";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+        $_SESSION['pending_tfa_method'] = get_tfa($user)['name'];
        unset($_SESSION['ldelay']);
        $_SESSION['return'][] =  array(
          'type' => 'info',
@@ -846,7 +842,8 @@ function check_login($user, $pass, $app_passwd_data = false) {
          'msg' => 'awaiting_tfa_confirmation'
        );
        return "pending";
-      } else {
+      }
      else {
        unset($_SESSION['ldelay']);
        // Reactivate TFA if it was set to "deactivate TFA for next login"
        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
@@ -869,14 +866,11 @@ function check_login($user, $pass, $app_passwd_data = false) {
  $stmt->execute(array(':user' => $user));
  $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
  foreach ($rows as $row) {
    // verify password
    if (verify_hash($row['password'], $pass) !== false) {
-      // check for tfa authenticators
+      if (get_tfa($user)['name'] != "none") {
      $authenticators = get_tfa($user);
      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
        $_SESSION['pending_mailcow_cc_username'] = $user;
        $_SESSION['pending_mailcow_cc_role'] = "domainadmin";
-        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+        $_SESSION['pending_tfa_method'] = get_tfa($user)['name'];
        unset($_SESSION['ldelay']);
        $_SESSION['return'][] =  array(
          'type' => 'info',
@@ -936,22 +930,13 @@ function check_login($user, $pass, $app_passwd_data = false) {
    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
  }
  foreach ($rows as $row) {
    // verify password
    if (verify_hash($row['password'], $pass) !== false) {
      // check for tfa authenticators
      $authenticators = get_tfa($user);
      if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
        $_SESSION['pending_mailcow_cc_username'] = $user;
        $_SESSION['pending_mailcow_cc_role'] = "user";
        $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
      unset($_SESSION['ldelay']);
      $_SESSION['return'][] =  array(
        'type' => 'success',
        'log' => array(__FUNCTION__, $user, '*'),
        'msg' => array('logged_in_as', $user)
      );
        return "pending";
      } else {
      if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
@@ -962,15 +947,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
        ));
      }
        unset($_SESSION['ldelay']);
        // Reactivate TFA if it was set to "deactivate TFA for next login"
        $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
        $stmt->execute(array(':user' => $user));
      return "user";
    }
  }
  }
  if (!isset($_SESSION['ldelay'])) {
    $_SESSION['ldelay'] = "0";
@@ -1163,39 +1142,9 @@ function set_tfa($_data) {
  global $yubi;
  global $tfa;
  $_data_log = $_data;
  $access_denied = null;
  !isset($_data_log['confirm_password']) ?: $_data_log['confirm_password'] = '*';
  $username = $_SESSION['mailcow_cc_username'];
-
+  if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) {
  // check for empty user and role
  if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true;
  // check admin confirm password
  if ($access_denied === null) {
    $stmt = $pdo->prepare("SELECT `password` FROM `admin`
        WHERE `username` = :username");
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row) {
      if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true;
      else $access_denied = false;
    }
  }
  // check mailbox confirm password
  if ($access_denied === null) {
    $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
        WHERE `username` = :username");
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row) {
      if (!verify_hash($row['password'], $_data["confirm_password"])) $access_denied = true;
      else $access_denied = false;
    }
  }
  // set access_denied error
  if ($access_denied){
      $_SESSION['return'][] =  array(
        'type' => 'danger',
        'log' => array(__FUNCTION__, $_data_log),
@@ -1203,6 +1152,37 @@ function set_tfa($_data) {
      );
      return false;
  }
  $stmt = $pdo->prepare("SELECT `password` FROM `admin`
      WHERE `username` = :username");
  $stmt->execute(array(':username' => $username));
  $row = $stmt->fetch(PDO::FETCH_ASSOC);
  $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
  if (!empty($num_results)) {
    if (!verify_hash($row['password'], $_data["confirm_password"])) {
      $_SESSION['return'][] =  array(
        'type' => 'danger',
        'log' => array(__FUNCTION__, $_data_log),
        'msg' => 'access_denied'
      );
      return false;
    }
  }
  $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
      WHERE `username` = :username");
  $stmt->execute(array(':username' => $username));
  $row = $stmt->fetch(PDO::FETCH_ASSOC);
  $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
  if (!empty($num_results)) {
    if (!verify_hash($row['password'], $_data["confirm_password"])) {
      $_SESSION['return'][] =  array(
        'type' => 'danger',
        'log' => array(__FUNCTION__, $_data_log),
        'msg' => 'access_denied'
      );
      return false;
    }
  }
  switch ($_data["tfa_method"]) {
    case "yubi_otp":
@@ -1240,7 +1220,8 @@ function set_tfa($_data) {
        $yubico_modhex_id = substr($_data["otp_token"], 0, 12);
        $stmt = $pdo->prepare("DELETE FROM `tfa`
          WHERE `username` = :username
-            AND (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)");
+            AND (`authmech` != 'yubi_otp')
            OR (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)");
        $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id));
        $stmt = $pdo->prepare("INSERT INTO `tfa` (`key_id`, `username`, `authmech`, `active`, `secret`) VALUES
          (:key_id, :username, 'yubi_otp', '1', :secret)");
@@ -1284,6 +1265,9 @@ function set_tfa($_data) {
    case "webauthn":
        $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"];
        $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `authmech` != 'webauthn'");
        $stmt->execute(array(':username' => $username));
        $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `keyHandle`, `publicKey`, `certificate`, `counter`, `active`)
        VALUES (?, ?, 'webauthn', ?, ?, ?, ?, '1')");
        $stmt->execute(array(
@@ -1455,18 +1439,18 @@ function unset_tfa_key($_data) {
  global $pdo;
  global $lang;
  $_data_log = $_data;
  $access_denied = null;
  $id = intval($_data['unset_tfa_key']);
  $username = $_SESSION['mailcow_cc_username'];
-
+  if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) {
-  // check for empty user and role
+    $_SESSION['return'][] =  array(
-  if (!isset($_SESSION['mailcow_cc_role']) || empty($username)) $access_denied = true;
+      'type' => 'danger',
-
+      'log' => array(__FUNCTION__, $_data_log),
-  try {
+      'msg' => 'access_denied'
-    if (!is_numeric($id)) $access_denied = true;
+    );
-    
+    return false;
-    // set access_denied error
+  }
-    if ($access_denied){
+  try {
    if (!is_numeric($id)) {
      $_SESSION['return'][] =  array(
        'type' => 'danger',
        'log' => array(__FUNCTION__, $_data_log),
@@ -1474,8 +1458,6 @@ function unset_tfa_key($_data) {
      );
      return false;
    }
    // check if it's last key
    $stmt = $pdo->prepare("SELECT COUNT(*) AS `keys` FROM `tfa`
      WHERE `username` = :username AND `active` = '1'");
    $stmt->execute(array(':username' => $username));
@@ -1488,8 +1470,6 @@ function unset_tfa_key($_data) {
      );
      return false;
    }
    // delete key
    $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username AND `id` = :id");
    $stmt->execute(array(':username' => $username, ':id' => $id));
    $_SESSION['return'][] =  array(
@@ -1507,7 +1487,7 @@ function unset_tfa_key($_data) {
    return false;
  }
 }
-function get_tfa($username = null, $id = null) {
+function get_tfa($username = null) {
  global $pdo;
  if (isset($_SESSION['mailcow_cc_username'])) {
    $username = $_SESSION['mailcow_cc_username'];
@@ -1515,29 +1495,9 @@ function get_tfa($username = null, $id = null) {
  elseif (empty($username)) {
    return false;
  }
-
+  $stmt = $pdo->prepare("SELECT * FROM `tfa`
  if (!isset($id)){
    // fetch all tfa methods - just get information about possible authenticators
    $stmt = $pdo->prepare("SELECT `id`, `key_id`, `authmech` FROM `tfa`
      WHERE `username` = :username AND `active` = '1'");
  $stmt->execute(array(':username' => $username));
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // no tfa methods found
    if (count($results) == 0) {
        $data['name'] = 'none';
        $data['pretty'] = "-";
        $data['additional'] = array();
        return $data;
    }
    $data['additional'] = $results;
    return $data;
  } else {
    // fetch specific authenticator details by id
    $stmt = $pdo->prepare("SELECT * FROM `tfa`
    WHERE `username` = :username AND `id` = :id AND `active` = '1'");
    $stmt->execute(array(':username' => $username, ':id' => $id));
  $row = $stmt->fetch(PDO::FETCH_ASSOC);
  if (isset($row["authmech"])) {
@@ -1545,10 +1505,9 @@ function get_tfa($username = null, $id = null) {
      case "yubi_otp":
        $data['name'] = "yubi_otp";
        $data['pretty'] = "Yubico OTP";
-            $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username AND `id` = :id");
+        $stmt = $pdo->prepare("SELECT `id`, `key_id`, RIGHT(`secret`, 12) AS 'modhex' FROM `tfa` WHERE `authmech` = 'yubi_otp' AND `username` = :username");
        $stmt->execute(array(
          ':username' => $username,
              ':id' => $id
        ));
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        while($row = array_shift($rows)) {
@@ -1560,10 +1519,9 @@ function get_tfa($username = null, $id = null) {
      case "u2f":
        $data['name'] = "u2f";
        $data['pretty'] = "Fido U2F";
-            $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username AND `id` = :id");
+        $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username");
        $stmt->execute(array(
          ':username' => $username,
              ':id' => $id
        ));
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        while($row = array_shift($rows)) {
@@ -1579,10 +1537,9 @@ function get_tfa($username = null, $id = null) {
      case "totp":
        $data['name'] = "totp";
        $data['pretty'] = "Time-based OTP";
-            $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username AND `id` = :id");
+        $stmt = $pdo->prepare("SELECT `id`, `key_id`, `secret` FROM `tfa` WHERE `authmech` = 'totp' AND `username` = :username");
        $stmt->execute(array(
          ':username' => $username,
              ':id' => $id
        ));
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        while($row = array_shift($rows)) {
@@ -1593,10 +1550,9 @@ function get_tfa($username = null, $id = null) {
      case "webauthn":
        $data['name'] = "webauthn";
        $data['pretty'] = "WebAuthn";
-            $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username AND `id` = :id");
+        $stmt = $pdo->prepare("SELECT `id`, `key_id` FROM `tfa` WHERE `authmech` = 'webauthn' AND `username` = :username");
        $stmt->execute(array(
          ':username' => $username,
              ':id' => $id
        ));
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        while($row = array_shift($rows)) {
@@ -1617,18 +1573,14 @@ function get_tfa($username = null, $id = null) {
    return $data;
  }
 }
-}
+function verify_tfa_login($username, $_data, $WebAuthn) {
 function verify_tfa_login($username, $_data) {
    global $pdo;
    global $yubi;
    global $u2f;
    global $tfa;
  global $WebAuthn;
  if ($_data['tfa_method'] != 'u2f'){
    $stmt = $pdo->prepare("SELECT `authmech` FROM `tfa`
-        WHERE `username` = :username AND `id` = :id AND `active` = '1'");
+        WHERE `username` = :username AND `active` = '1'");
-    $stmt->execute(array(':username' => $username, ':id' => $_data['id']));
+    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    switch ($row["authmech"]) {
@@ -1645,10 +1597,9 @@ function verify_tfa_login($username, $_data) {
            $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa`
                WHERE `username` = :username
                AND `authmech` = 'yubi_otp'
                AND `id` = :id
                AND `active`='1'
                AND `secret` LIKE :modhex");
-            $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id, ':id' => $_data['id']));
+            $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id));
            $row = $stmt->fetch(PDO::FETCH_ASSOC);
            $yubico_auth = explode(':', $row['secret']);
            $yubi = new Auth_Yubico($yubico_auth[0], $yubico_auth[1]);
@@ -1685,9 +1636,8 @@ function verify_tfa_login($username, $_data) {
            $stmt = $pdo->prepare("SELECT `id`, `secret` FROM `tfa`
                WHERE `username` = :username
                AND `authmech` = 'totp'
                AND `id` = :id
                AND `active`='1'");
-            $stmt->execute(array(':username' => $username, ':id' => $_data['id']));
+            $stmt->execute(array(':username' => $username));
            $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
            foreach ($rows as $row) {
                if ($tfa->verifyCode($row['secret'], $_data['token']) === true) {
@@ -1716,6 +1666,13 @@ function verify_tfa_login($username, $_data) {
            return false;
            }
        break;
        // u2f - deprecated, should be removed
        case "u2f":
            // delete old keys that used u2f
            $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = :authmech AND `username` = :username");
            $stmt->execute(array(':authmech' => 'u2f', ':username' => $username));
            return true;
        case "webauthn":
            $tokenData = json_decode($_data['token']);
            $clientDataJSON = base64_decode($tokenData->clientDataJSON);
@@ -1724,20 +1681,13 @@ function verify_tfa_login($username, $_data) {
            $id = base64_decode($tokenData->id);
            $challenge = $_SESSION['challenge'];
-            $stmt = $pdo->prepare("SELECT `id`, `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `id` = :id AND `active`='1'");
+            $stmt = $pdo->prepare("SELECT `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `keyHandle` = :tokenId");
-            $stmt->execute(array(':id' => $_data['id']));
+            $stmt->execute(array(':tokenId' => $tokenData->id));
            $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC);
-            if (empty($process_webauthn)){
+            if (empty($process_webauthn) || empty($process_webauthn['publicKey']) || empty($process_webauthn['username'])) return false;
              $_SESSION['return'][] =  array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $username, '*'),
                  'msg' => array('webauthn_verification_failed', 'authenticator not found')
              );
              return false;
            } 
-            if (empty($process_webauthn['publicKey']) || $process_webauthn['publicKey'] === false) {
+            if ($process_webauthn['publicKey'] === false) {
                $_SESSION['return'][] =  array(
                    'type' => 'danger',
                    'log' => array(__FUNCTION__, $username, '*'),
@@ -1745,7 +1695,6 @@ function verify_tfa_login($username, $_data) {
                );
                return false;
            }
            try {
                $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_webauthn['publicKey'], $challenge, null, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN'], $GLOBALS['WEBAUTHN_USER_PRESENT_FLAG']);
            }
@@ -1758,6 +1707,7 @@ function verify_tfa_login($username, $_data) {
                return false;
            }
            $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username");
            $stmt->execute(array(':username' => $process_webauthn['username']));
            $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
@@ -1771,18 +1721,12 @@ function verify_tfa_login($username, $_data) {
                $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
                $stmt->execute(array(':username' => $process_webauthn['username']));
                $row = $stmt->fetch(PDO::FETCH_ASSOC);
-              if (!empty($row['username'])) {
+                if ($row['username'] == $process_webauthn['username']) {
                $_SESSION["mailcow_cc_role"] = "user";
              } else {
                $_SESSION['return'][] =  array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $username, '*'),
                  'msg' => array('webauthn_verification_failed', 'could not determine user role')
                );
                return false;
                }
            }
            if ($process_webauthn['username'] != $_SESSION['pending_mailcow_cc_username']){
                $_SESSION['return'][] =  array(
                    'type' => 'danger',
@@ -1792,8 +1736,9 @@ function verify_tfa_login($username, $_data) {
                return false;
            }
            $_SESSION["mailcow_cc_username"] = $process_webauthn['username'];
-            $_SESSION['tfa_id'] = $process_webauthn['id'];
+            $_SESSION['tfa_id'] = $process_webauthn['key_id'];
            $_SESSION['authReq'] = null;
            unset($_SESSION["challenge"]);
            $_SESSION['return'][] =  array(
@@ -1814,17 +1759,6 @@ function verify_tfa_login($username, $_data) {
    }
    return false;
  } else {
    // delete old keys that used u2f
    $stmt = $pdo->prepare("SELECT * FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username");
    $stmt->execute(array(':username' => $username));
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if (count($rows) == 0) return false;
    $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = 'u2f' AND `username` = :username");
    $stmt->execute(array(':username' => $username));
    return true;
  }
 }
 function admin_api($access, $action, $data = null) {
  global $pdo;
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -339,14 +339,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          // validate custom params
          foreach (explode(' -', $custom_params) as $param){
            if(empty($param)) continue;
            // extract option
            if (str_contains($param, '=')) $param = explode('=', $param)[0];
            else $param = rtrim($param, ' ');
            // remove first char if first char is -
            if ($param[0] == '-') $param = ltrim($param, $param[0]);
            if (str_contains($param, ' ')) {
              // bad char
              $_SESSION['return'][] = array(
@@ -357,6 +349,11 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              return false;
            }
            // extract option
            if (str_contains($param, '=')) $param = explode('=', $param)[0];
            // remove first char if first char is -
            if ($param[0] == '-') $param = ltrim($param, $param[0]);
            // check if param is whitelisted
            if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
              // bad option
@@ -1795,14 +1792,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            // validate custom params
            foreach (explode(' -', $custom_params) as $param){
              if(empty($param)) continue;
              // extract option
              if (str_contains($param, '=')) $param = explode('=', $param)[0];
              else $param = rtrim($param, ' ');
              // remove first char if first char is -
              if ($param[0] == '-') $param = ltrim($param, $param[0]);
              if (str_contains($param, ' ')) {
                // bad char
                $_SESSION['return'][] = array(
@@ -1813,6 +1802,11 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                return false;
              }
              // extract option
              if (str_contains($param, '=')) $param = explode('=', $param)[0];
              // remove first char if first char is -
              if ($param[0] == '-') $param = ltrim($param, $param[0]);
              // check if param is whitelisted
              if (!in_array(strtolower($param), $GLOBALS["IMAPSYNC_OPTIONS"]["whitelist"])){
                // bad option
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
  try {
    global $pdo;
-    $db_version = "25072022_2300";
+    $db_version = "18062022_1153";
    $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
    $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -738,8 +738,8 @@ function init_db_schema() {
          "username" => "VARCHAR(255) NOT NULL",
          "authmech" => "ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')",
          "secret" => "VARCHAR(255) DEFAULT NULL",
-          "keyHandle" => "VARCHAR(1023) DEFAULT NULL",
+          "keyHandle" => "VARCHAR(255) DEFAULT NULL",
-          "publicKey" => "VARCHAR(4096) DEFAULT NULL",
+          "publicKey" => "VARCHAR(255) DEFAULT NULL",
          "counter" => "INT NOT NULL DEFAULT '0'",
          "certificate" => "TEXT",
          "active" => "TINYINT(1) NOT NULL DEFAULT '0'"
@@ -1227,7 +1227,7 @@ function init_db_schema() {
      $pdo->query($create);
    }
-    // Mitigate imapsync argument injection issue
+    // Mitigate imapsync pipemess issue
    $pdo->query("UPDATE `imapsync` SET `custom_params` = '' 
      WHERE `custom_params` LIKE '%pipemess%' 
        OR custom_params LIKE '%skipmess%' 
@@ -1238,6 +1238,7 @@ function init_db_schema() {
        OR custom_params LIKE '%regextrans2%' 
        OR custom_params LIKE '%maxlinelengthcmd%';");
    // Migrate webauthn tfa
    $stmt = $pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')");
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -66,9 +66,8 @@ $qrprovider = new RobThree\Auth\Providers\Qr\QRServerProvider();
 $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
 // FIDO2
 $server_name = parse_url('https://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST);
 $formats = $GLOBALS['FIDO2_FORMATS'];
-$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $server_name, $formats);
+$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
 // only include root ca's when needed
 if (getenv('WEBAUTHN_ONLY_TRUSTED_VENDORS') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -1,24 +1,24 @@
 <?php
 if (isset($_POST["verify_tfa_login"])) {
-  if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST)) {
+  if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST, $WebAuthn)) {
    $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
    $_SESSION['mailcow_cc_role'] = $_SESSION['pending_mailcow_cc_role'];
    unset($_SESSION['pending_mailcow_cc_username']);
    unset($_SESSION['pending_mailcow_cc_role']);
-    unset($_SESSION['pending_tfa_methods']);
+    unset($_SESSION['pending_tfa_method']);
    header("Location: /user");
  } else {
    unset($_SESSION['pending_mailcow_cc_username']);
    unset($_SESSION['pending_mailcow_cc_role']);
-    unset($_SESSION['pending_tfa_methods']);
+    unset($_SESSION['pending_tfa_method']);
  }
 }
 if (isset($_GET["cancel_tfa_login"])) {
    unset($_SESSION['pending_mailcow_cc_username']);
    unset($_SESSION['pending_mailcow_cc_role']);
-    unset($_SESSION['pending_tfa_methods']);
+    unset($_SESSION['pending_tfa_method']);
    header("Location: /");
 }
@@ -34,7 +34,6 @@ if (isset($_POST["quick_delete"])) {
 if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 	$login_user = strtolower(trim($_POST["login_user"]));
 	$as = check_login($login_user, $_POST["pass_user"]);
 	if ($as == "admin") {
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "admin";
@@ -63,7 +62,7 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 	elseif ($as != "pending") {
    unset($_SESSION['pending_mailcow_cc_username']);
    unset($_SESSION['pending_mailcow_cc_role']);
-    unset($_SESSION['pending_tfa_methods']);
+    unset($_SESSION['pending_tfa_method']);
 		unset($_SESSION['mailcow_cc_username']);
 		unset($_SESSION['mailcow_cc_role']);
 	}
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -232,95 +232,25 @@ $RSPAMD_MAPS = array(
 $IMAPSYNC_OPTIONS = array(
  'whitelist' => array(
      'log',
      'showpasswords',   
      'nossl1',            
      'nossl2',            
      'ssl2',              
      'notls1',             
      'notls2',            
      'tls2',              
      'debugssl', 
      'sslargs1',
      'sslargs2', 
      'authmech1',
      'authmech2',
      'authuser1', 
      'authuser2',  
    'debugcontent', 
    'disarmreadreceipts', 
    'logdir',
    'debugcrossduplicates', 
    'maxsize',
    'minsize',
    'minage',
    'search', 
    'noabletosearch', 
    'pidfile', 
    'pidfilelocking', 
    'search1',
    'search2', 
    'sslargs1',
    'sslargs2', 
    'syncduplicates',
    'usecache', 
    'synclabels', 
    'truncmess',  
    'domino2',  
    'expunge1',  
    'filterbuggyflags',  
    'justconnect',  
    'justfolders',  
    'maxlinelength',
    'useheader',  
    'noabletosearch1',  
    'nolog',  
    'prefix1',
    'prefix2',
    'sep1',
    'sep2',
    'nofoldersizesatend',
    'justfoldersizes',  
      'proxyauth1',        
    'skipemptyfolders',
    'include',
    'subfolder1',
    'subscribed',
    'subscribe',   
    'debug',   
    'debugimap2',   
    'domino1',   
    'exchange1',   
    'exchange2',   
    'justlogin',   
    'keepalive1',   
    'keepalive2',   
    'noabletosearch2',   
    'noexpunge2',   
    'noresyncflags',   
    'nossl1',   
    'nouidexpunge2',   
    'syncinternaldates',
    'idatefromheader',   
    'useuid',    
    'debugflags',    
    'debugimap',    
    'delete1emptyfolders',
    'delete2folders',    
    'gmail2',    
    'office1',    
    'testslive6',     
    'debugimap1',     
    'errorsmax',
    'tests',     
    'gmail1',     
    'maxmessagespersecond',
    'maxbytesafter',
    'maxsleep',
    'abort',     
    'resyncflags',     
    'resynclabels',     
    'syncacls',
    'nosyncacls',      
    'nousecache',      
    'office2',      
    'testslive',       
    'debugmemory',       
    'exitwhenover',
    'noid',       
    'noexpunge1',        
    'authmd51',        
    'logfile',        
      'proxyauth2',        
      'authmd51',          
      'authmd52',         
      'domain1',
      'domain2',
      'oauthaccesstoken1',
@@ -328,22 +258,96 @@ $IMAPSYNC_OPTIONS = array(
      'oauthdirect1',
      'oauthdirect2',
      'folder',
      'folder', 
      'folderrec',
      'folderrec', 
      'folderfirst',
      'folderfirst', 
      'folderlast',
      'folderlast',
      'nomixfolders',  
-    'authmd52',           
+      'skipemptyfolders',
      'include',
      'include',
      'subfolder1',
      'subscribed',
      'subscribe',  
      'prefix1',
      'prefix2',
      'sep1',
      'sep2',
      'nofoldersizesatend',
      'justfoldersizes', 
      'pidfile', 
      'pidfilelocking',  
      'nolog',        
      'logfile', 
      'logdir',
      'debugcrossduplicates', 
      'disarmreadreceipts', 
      'truncmess', 
      'synclabels',     
      'resynclabels',     
      'resyncflags',   
      'noresyncflags',  
      'filterbuggyflags',  
      'expunge1',       
      'noexpunge1',    
      'delete1emptyfolders',
      'delete2folders',   
      'noexpunge2',   
      'nouidexpunge2',   
      'syncinternaldates',
      'idatefromheader', 
      'maxsize',
      'minsize',
      'minage',
      'search', 
      'search1',
      'search2', 
      'noabletosearch',  
      'noabletosearch1',   
      'noabletosearch2',  
      'maxlinelength',
      'useheader',
      'useheader',   
      'syncduplicates',
      'usecache',      
      'nousecache',   
      'useuid',     
      'syncacls',
      'nosyncacls',   
      'debug',           
      'debugfolders', 
-    'nossl2',            
+      'debugcontent',    
-    'ssl2',            
+      'debugflags',     
-    'tls2',             
+      'debugimap1',   
-    'notls2',              
+      'debugimap2',    
-    'debugssl',              
+      'debugimap',       
-    'notls1', 
+      'debugmemory',     
-    'inet4',
+      'errorsmax',
-    'inet6',
+      'tests',      
-    'log',
+      'testslive',    
-    'showpasswords'
+      'testslive6',     
      'gmail1',    
      'gmail2',    
      'office1',      
      'office2',   
      'exchange1',   
      'exchange2',   
      'domino1',  
      'domino2',   
      'keepalive1',   
      'keepalive2',     
      'maxmessagespersecond',
      'maxbytesafter',
      'maxsleep',
      'abort',       
      'exitwhenover',
      'noid',  
      'justconnect',   
      'justlogin',  
      'justfolders'
  ),
  'blacklist' => array(
      'skipmess',
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -179,21 +179,14 @@ if (isset($_GET['query'])) {
              $post = trim(file_get_contents('php://input'));
              if ($post) $post = json_decode($post);
              // process registration data from authenticator
              try {
              // decode base64 strings
              $clientDataJSON = base64_decode($post->clientDataJSON);
              $attestationObject = base64_decode($post->attestationObject);             
              // process registration data from authenticator
              try {
                // processCreate($clientDataJSON, $attestationObject, $challenge, $requireUserVerification=false, $requireUserPresent=true, $failIfRootMismatch=true)
                $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $_SESSION['challenge'], false, true);
                // safe authenticator in mysql `tfa` table
                $_data['tfa_method'] = $post->tfa_method;
                $_data['key_id'] = $post->key_id;
                $_data['confirm_password'] = $post->confirm_password;
                $_data['registration'] = $data;
                set_tfa($_data);
              }
              catch (Throwable $ex) {
                // err
@@ -204,6 +197,11 @@ if (isset($_GET['query'])) {
                exit;
              }
              // safe authenticator in mysql `tfa` table
              $_data['tfa_method'] = $post->tfa_method;
              $_data['key_id'] = $post->key_id;
              $_data['registration'] = $data;
              set_tfa($_data);
              // send response
              $return = new stdClass();
@@ -421,7 +419,7 @@ if (isset($_GET['query'])) {
          // }
          $ids = NULL;
-          $getArgs = $WebAuthn->getGetArgs($ids, 30, false, false, false, false, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
+          $getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
          print(json_encode($getArgs));
          $_SESSION['challenge'] = $WebAuthn->getChallenge();
          return;
@@ -430,11 +428,8 @@ if (isset($_GET['query'])) {
        case "webauthn-tfa-registration":
          if (isset($_SESSION["mailcow_cc_role"])) {
              // Exclude existing CredentialIds, if any
-              $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech");
+              $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username");
-              $stmt->execute(array(
+              $stmt->execute(array(':username' => $_SESSION['mailcow_cc_username']));
                ':username' => $_SESSION['mailcow_cc_username'],
                ':authmech' => 'webauthn'
              ));
              $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
              while($row = array_shift($rows)) {
                $excludeCredentialIds[] = base64_decode($row['keyHandle']);
@@ -455,24 +450,20 @@ if (isset($_GET['query'])) {
          }
        break;
        case "webauthn-tfa-get-args":
-          $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech");
+          $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username");
-          $stmt->execute(array(
+          $stmt->execute(array(':username' => $_SESSION['pending_mailcow_cc_username']));
            ':username' => $_SESSION['pending_mailcow_cc_username'],
            ':authmech' => 'webauthn'
          ));
          $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-          if (count($rows) == 0) {
+          while($row = array_shift($rows)) {
            $cids[] = base64_decode($row['keyHandle']);
          }
          if (count($cids) == 0) {
            print(json_encode(array(
                'type' => 'error',
                'msg' => 'Cannot find matching credentialIds'
            )));
            exit;
          }
          while($row = array_shift($rows)) {
            $cids[] = base64_decode($row['keyHandle']);
          }
-          $getArgs = $WebAuthn->getGetArgs($cids, 30, false, false, false, false, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']);
+          $getArgs = $WebAuthn->getGetArgs($cids, 30, true, true, true, true, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']);
          $getArgs->publicKey->extensions = array('appid' => "https://".$getArgs->publicKey->rpId);
          print(json_encode($getArgs));
          $_SESSION['challenge'] = $WebAuthn->getChallenge();
--- a/data/web/lang/lang.es.json
+++ b/data/web/lang/lang.es.json
@@ -19,8 +19,7 @@
        "syncjobs": "Trabajos de sincronización",
        "tls_policy": "Póliza de TLS",
        "unlimited_quota": "Cuota ilimitada para buzones",
-        "app_passwds": "Gestionar las contraseñas de aplicaciones",
+        "app_passwds": "Gestionar las contraseñas de aplicaciones"
        "domain_desc": "Cambiar descripción del dominio"
    },
    "add": {
        "activate_filter_warn": "Todos los demás filtros se desactivarán cuando este filtro se active.",
--- a/data/web/lang/lang.ru.json
+++ b/data/web/lang/lang.ru.json
@@ -988,7 +988,7 @@
        "enter_qr_code": "Ваш код TOTP, если устройство не может отсканировать QR-код",
        "error_code": "Код ошибки",
        "init_webauthn": "Инициализация, пожалуйста, подождите...",
-        "key_id": "Идентификатор вашего устройства",
+        "key_id": "Идентификатор YubiKey ключа",
        "key_id_totp": "Идентификатор TOTP ключа",
        "none": "Отключить",
        "reload_retry": "- (перезагрузить страницу браузера или почистите кеш/cookies, если ошибка повторяется)",
@@ -1002,8 +1002,7 @@
        "webauthn": "WebAuthn аутентификация",
        "waiting_usb_auth": "<i>Ожидание устройства USB...</i><br><br>Пожалуйста, нажмите кнопку на USB устройстве сейчас.",
        "waiting_usb_register": "<i>Ожидание устройства USB...</i><br><br>Пожалуйста, введите пароль выше и подтвердите регистрацию, нажав кнопку на USB устройстве.",
-        "yubi_otp": "Yubico OTP аутентификация",
+        "yubi_otp": "Yubico OTP аутентификация"
        "u2f_deprecated": "Похоже, что ваш ключ был зарегистрирован с использованием устаревшего метода U2F. Мы деактивируем для вас двухфакторную аутентификацию и удалим ваш ключ."
    },
    "user": {
        "action": "Действия",
--- a/data/web/lang/lang.uk.json
+++ b/data/web/lang/lang.uk.json
@@ -980,8 +980,7 @@
        "resource_modified": "Зміни поштового акаунту %s збережено",
        "settings_map_added": "Правило додано",
        "tls_policy_map_entry_deleted": "Політику TLS ID %s видалено",
-        "verified_totp_login": "Авторизацію TOTP пройдено",
+        "verified_totp_login": "Авторизацію TOTP пройдено"
        "domain_add_dkim_available": "Ключ DKIM вже існує"
    },
    "tfa": {
        "confirm": "Підтвердьте",
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -176,62 +176,15 @@ function recursiveBase64StrToArrayBuffer(obj) {
    {% endfor %}
    // Confirm TFA modal
-  {% if pending_tfa_methods %}
+  {% if pending_tfa_method %}
    $('#ConfirmTFAModal').modal({
      backdrop: 'static',
      keyboard: false
    });
    // validate Yubi OTP tfa
    $("#pending_tfa_tab_yubi_otp").click(function(){
      $(".totp-authenticator-selection").removeClass("active");
      $(".webauthn-authenticator-selection").removeClass("active");
      $("#collapseTotpTFA").collapse('hide');
      $("#collapseWebAuthnTFA").collapse('hide');
    });
    $(".yubi-authenticator-selection").click(function(){
      $(".yubi-authenticator-selection").removeClass("active");
      $(this).addClass("active");
      var id = $(this).children('input').first().val();
      $("#yubi_selected_id").val(id);
      $("#collapseYubiTFA").collapse('show');
    });
    // validate Time based OTP tfa
    $("#pending_tfa_tab_totp").click(function(){
      $(".yubi-authenticator-selection").removeClass("active");
      $(".webauthn-authenticator-selection").removeClass("active");
      $("#collapseYubiTFA").collapse('hide');
      $("#collapseWebAuthnTFA").collapse('hide');
    });
    $(".totp-authenticator-selection").click(function(){
      $(".totp-authenticator-selection").removeClass("active");
      $(this).addClass("active");
      var id = $(this).children('input').first().val();
      $("#totp_selected_id").val(id);
      $("#collapseTotpTFA").collapse('show');
    });
    // validate WebAuthn tfa
-    $("#pending_tfa_tab_webauthn").click(function(){
+    $('#start_webauthn_confirmation').click(function(){
-      $(".totp-authenticator-selection").removeClass("active");
+      $('#webauthn_status_auth').html('<p><i class="bi bi-arrow-repeat icon-spin"></i> ' + lang_tfa.init_webauthn + '</p>');
      $(".yubi-authenticator-selection").removeClass("active");
      $("#collapseTotpTFA").collapse('hide');
      $("#collapseYubiTFA").collapse('hide');
    });
    $(".webauthn-authenticator-selection").click(function(){
      $(".webauthn-authenticator-selection").removeClass("active");
      $(this).addClass("active");
      var id = $(this).children('input').first().val();
      $("#webauthn_selected_id").val(id);
      $("#collapseWebAuthnTFA").collapse('show');
      $(this).find('input[name=token]').focus();
      if(document.getElementById("webauthn_auth_data") !== null) {
@@ -245,9 +198,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
        window.fetch("/api/v1/get/webauthn-tfa-get-args", {method:'GET',cache:'no-cache'}).then(response => {
            return response.json();
        }).then(json => {
          console.log(json);
            if (json.success === false) throw new Error();
          if (json.type === "error") throw new Error(json.msg);
            recursiveBase64StrToArrayBuffer(json);
            return json;
@@ -287,8 +238,6 @@ function recursiveBase64StrToArrayBuffer(obj) {
      });
    });
    {% endif %}
    // Validate FIDO2
  $("#fido2-login").click(function(){
    $('#fido2-alerts').html();
@@ -409,13 +358,11 @@ function recursiveBase64StrToArrayBuffer(obj) {
        $("#start_webauthn_register").click(() => {
            var key_id = document.getElementsByName('key_id')[1].value;
            var confirm_password = document.getElementsByName('confirm_password')[1].value;
            // fetch WebAuthn create args
            window.fetch("/api/v1/get/webauthn-tfa-registration/{{ mailcow_cc_username|url_encode(true)|default('null') }}", {method:'GET',cache:'no-cache'}).then(response => {
                return response.json();
            }).then(json => {
                console.log(json);
                if (json.success === false) throw new Error(json.msg);
                recursiveBase64StrToArrayBuffer(json);
@@ -428,8 +375,7 @@ function recursiveBase64StrToArrayBuffer(obj) {
                    clientDataJSON: cred.response.clientDataJSON  ? arrayBufferToBase64(cred.response.clientDataJSON) : null,
                    attestationObject: cred.response.attestationObject ? arrayBufferToBase64(cred.response.attestationObject) : null,
                    key_id: key_id,
-                    tfa_method: "webauthn",
+                    tfa_method: "webauthn"
                    confirm_password: confirm_password
                };
            }).then(JSON.stringify).then(AuthenticatorAttestationResponse => {
                // send request
--- a/data/web/templates/domainadmin.twig
+++ b/data/web/templates/domainadmin.twig
@@ -28,7 +28,7 @@
      <div class="col-sm-9 col-xs-7">
        <select id="selectTFA" class="selectpicker" title="{{ lang.tfa.select }}">
          <option value="yubi_otp">{{ lang.tfa.yubi_otp }}</option>
-          <option value="webauthn">{{ lang.tfa.webauthn }}</option>
+          <option value="u2f">{{ lang.tfa.u2f }}</option>
          <option value="totp">{{ lang.tfa.totp }}</option>
          <option value="none">{{ lang.tfa.none }}</option>
        </select>
--- a/data/web/templates/modals/footer.twig
+++ b/data/web/templates/modals/footer.twig
@@ -133,174 +133,73 @@
  </div>
 </div>
 {% endif %}
-{% if pending_tfa_methods %}
+{% if pending_tfa_method %}
 <div class="modal fade" id="ConfirmTFAModal" tabindex="-1" role="dialog" aria-labelledby="ConfirmTFAModalLabel">
  <div class="modal-dialog" role="document">
    <div class="modal-content">
      <div class="modal-header">
        <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">×</span></button>
-        <h3 class="modal-title">{{ lang.tfa.tfa }}</h3>
+        <h3 class="modal-title">{{ lang.tfa[pending_tfa_method] }}</h3>
      </div>
-      
+      <div class="modal-body">
-        <ul class="nav nav-tabs" id="tabContent">
+        {% if pending_tfa_method == 'yubi_otp' %}
            {% if pending_tfa_authmechs["webauthn"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
              <li class="active"><a href="#tfa_tab_webauthn" data-toggle="tab" id="pending_tfa_tab_webauthn"><i class="bi bi-fingerprint"></i> WebAuthn</a></li>
            {% endif %}
            {% if pending_tfa_authmechs["yubi_otp"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
              <li class="tab-pane {% if pending_tfa_authmechs["yubi_otp"] %}active{% endif %}">
                <a href="#tfa_tab_yubi_otp" data-toggle="tab" id="pending_tfa_tab_yubi_otp"><i class="bi bi-usb-drive"></i> Yubi OTP</a>
              </li>
            {% endif %}
            {% if pending_tfa_authmechs["totp"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
              <li class="tab-pane {% if pending_tfa_authmechs["totp"] %}active{% endif %}">
                <a href="#tfa_tab_totp" data-toggle="tab" id="pending_tfa_tab_totp"><i class="bi bi-clock-history"></i> Time based OTP</a>
              </li>
            {% endif %}
            <!-- <li><a href="#tfa_tab_hotp" data-toggle="tab">HOTP</a></li> -->
            {% if pending_tfa_authmechs["u2f"] is defined %}
              <li class="active"><a href="#tfa_tab_u2f" data-toggle="tab"><i class="bi bi-x-octagon"></i> U2F</a></li>
            {% endif %}
        </ul>
        <div class="tab-content">
          {% if pending_tfa_authmechs["webauthn"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
            <div role="tabpanel" class="tab-pane active" id="tfa_tab_webauthn">
              <div class="panel panel-default" style="margin-bottom: 0px;">
                  <div class="panel-body">
                    <form role="form" method="post" id="webauthn_auth_form">
                      <legend>
                          <i class="bi bi-shield-fill-check"></i>
                          Authenticators
                      </legend>
                      <div class="list-group">
                        {% for authenticator in pending_tfa_methods %}
                          {% if authenticator["authmech"] == "webauthn" %}
                            <a href="#" class="list-group-item webauthn-authenticator-selection">
                              <i class="bi bi-key-fill" style="margin-right: 5px"></i>
                              <span>{{ authenticator["key_id"] }}</span>
                              <input type="hidden" value="{{ authenticator["id"] }}" /><br/>
                            </a>
                          {% endif %}
                        {% endfor %}
                      </div>
                      <div class="collapse pending-tfa-collapse" id="collapseWebAuthnTFA">
                        <p id="webauthn_status_auth"><p><i class="bi bi-arrow-repeat icon-spin"></i> {{ lang.tfa.init_webauthn }}</p></p>
                        <div class="alert alert-danger" style="display:none" id="webauthn_return_code"></div>
                      </div>
                      <input type="hidden" name="token" id="webauthn_auth_data"/>
                      <input type="hidden" name="tfa_method" value="webauthn">
                      <input type="hidden" name="verify_tfa_login"/><br/>
                      <input type="hidden" name="id" id="webauthn_selected_id" /><br/>
                    </form>
                  </div>
              </div>
            </div>
          {% endif %}
          {% if pending_tfa_authmechs["yubi_otp"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
            <div role="tabpanel" class="tab-pane {% if pending_tfa_authmechs["yubi_otp"] %}active{% endif %}" id="tfa_tab_yubi_otp">
              <div class="panel panel-default" style="margin-bottom: 0px;">
                  <div class="panel-body">
        <form role="form" method="post">
                      <legend>
                          <i class="bi bi-shield-fill-check"></i>
                          Authenticators
                      </legend>
                      <div class="list-group">
                        {% for authenticator in pending_tfa_methods %}
                          {% if authenticator["authmech"] == "yubi_otp" %}
                            <a href="#" class="list-group-item yubi-authenticator-selection">
                              <i class="bi bi-key-fill" style="margin-right: 5px"></i>
                              <span>{{ authenticator["key_id"] }}</span>
                              <input type="hidden" value="{{ authenticator["id"] }}" />
                            </a>
                          {% endif %}
                        {% endfor %}
                      </div>
                      <div class="collapse pending-tfa-collapse" id="collapseYubiTFA">
          <div class="form-group">
            <div class="input-group">
              <span class="input-group-addon" id="yubi-addon"><img alt="Yubicon Icon" src="/img/yubi.ico"></span>
              <input type="text" name="token" class="form-control" autocomplete="off" placeholder="Touch Yubikey" aria-describedby="yubi-addon">
              <input type="hidden" name="tfa_method" value="yubi_otp">
                            <input type="hidden" name="id" id="yubi_selected_id" />
            </div>
          </div>
          <button class="btn btn-sm visible-xs-block visible-sm-inline visible-md-inline visible-lg-inline btn-sm btn-default" type="submit" name="verify_tfa_login">{{ lang.login.login }}</button>
                      </div>
        </form>
                  </div>
              </div>
            </div>
        {% endif %}
-          {% if pending_tfa_authmechs["totp"] is defined and pending_tfa_authmechs["u2f"] is not defined %}
+        {% if pending_tfa_method == 'totp' %}
            <div role="tabpanel" class="tab-pane {% if pending_tfa_authmechs["totp"] %}active{% endif %}" id="tfa_tab_totp">
              <div class="panel panel-default" style="margin-bottom: 0px;">
                  <div class="panel-body">
        <form role="form" method="post">
                      <legend>
                          <i class="bi bi-shield-fill-check"></i>
                          Authenticators
                      </legend>
                      <div class="list-group">
                        {% for authenticator in pending_tfa_methods %}
                          {% if authenticator["authmech"] == "totp" %}
                            <a href="#" class="list-group-item totp-authenticator-selection">
                              <i class="bi bi-key-fill" style="margin-right: 5px"></i>
                              <span>{{ authenticator["key_id"] }}</span>
                              <input type="hidden" value="{{ authenticator["id"] }}" />
                            </a>
                          {% endif %}
                        {% endfor %}
                      </div>
                      <div class="collapse pending-tfa-collapse" id="collapseTotpTFA">
          <div class="form-group">
            <div class="input-group">
              <span class="input-group-addon" id="tfa-addon"><i class="bi bi-shield-lock-fill"></i></span>
              <input type="number" min="000000" max="999999" name="token" class="form-control" placeholder="123456" autocomplete="one-time-code" aria-describedby="tfa-addon">
              <input type="hidden" name="tfa_method" value="totp">
                            <input type="hidden" name="id" id="totp_selected_id" /><br/>
            </div>
          </div>
          <button class="btn btn-sm visible-xs-block visible-sm-inline visible-md-inline visible-lg-inline btn-default" type="submit" name="verify_tfa_login">{{ lang.login.login }}</button>
                      </div>
        </form>
                  </div>
              </div>
            </div>
        {% endif %}
-            <!--
+        {% if pending_tfa_method == 'hotp' %}
            <div role="tabpanel" class="tab-pane" id="tfa_tab_hotp">
              <div class="panel panel-default" style="margin-bottom: 0px;">
                  <div class="panel-body">
        <div class="empty"></div>
        {% endif %}
        {% if pending_tfa_method == 'webauthn' %}
        <form role="form" method="post" id="webauthn_auth_form">
          <center>
            <div style="cursor:pointer" id="start_webauthn_confirmation">
              <svg xmlns="http://www.w3.org/2000/svg" width="64" height="64" viewBox="0 0 24 24">
                <path d="M17.81 4.47c-.08 0-.16-.02-.23-.06C15.66 3.42 14 3 12.01 3c-1.98 0-3.86.47-5.57 1.41-.24.13-.54.04-.68-.2-.13-.24-.04-.55.2-.68C7.82 2.52 9.86 2 12.01 2c2.13 0 3.99.47 6.03 1.52.25.13.34.43.21.67-.09.18-.26.28-.44.28zM3.5 9.72c-.1 0-.2-.03-.29-.09-.23-.16-.28-.47-.12-.7.99-1.4 2.25-2.5 3.75-3.27C9.98 4.04 14 4.03 17.15 5.65c1.5.77 2.76 1.86 3.75 3.25.16.22.11.54-.12.7-.23.16-.54.11-.7-.12-.9-1.26-2.04-2.25-3.39-2.94-2.87-1.47-6.54-1.47-9.4.01-1.36.7-2.5 1.7-3.4 2.96-.08.14-.23.21-.39.21zm6.25 12.07c-.13 0-.26-.05-.35-.15-.87-.87-1.34-1.43-2.01-2.64-.69-1.23-1.05-2.73-1.05-4.34 0-2.97 2.54-5.39 5.66-5.39s5.66 2.42 5.66 5.39c0 .28-.22.5-.5.5s-.5-.22-.5-.5c0-2.42-2.09-4.39-4.66-4.39-2.57 0-4.66 1.97-4.66 4.39 0 1.44.32 2.77.93 3.85.64 1.15 1.08 1.64 1.85 2.42.19.2.19.51 0 .71-.11.1-.24.15-.37.15zm7.17-1.85c-1.19 0-2.24-.3-3.1-.89-1.49-1.01-2.38-2.65-2.38-4.39 0-.28.22-.5.5-.5s.5.22.5.5c0 1.41.72 2.74 1.94 3.56.71.48 1.54.71 2.54.71.24 0 .64-.03 1.04-.1.27-.05.53.13.58.41.05.27-.13.53-.41.58-.57.11-1.07.12-1.21.12zM14.91 22c-.04 0-.09-.01-.13-.02-1.59-.44-2.63-1.03-3.72-2.1-1.4-1.39-2.17-3.24-2.17-5.22 0-1.62 1.38-2.94 3.08-2.94 1.7 0 3.08 1.32 3.08 2.94 0 1.07.93 1.94 2.08 1.94s2.08-.87 2.08-1.94c0-3.77-3.25-6.83-7.25-6.83-2.84 0-5.44 1.58-6.61 4.03-.39.81-.59 1.76-.59 2.8 0 .78.07 2.01.67 3.61.1.26-.03.55-.29.64-.26.1-.55-.04-.64-.29-.49-1.31-.73-2.61-.73-3.96 0-1.2.23-2.29.68-3.24 1.33-2.79 4.28-4.6 7.51-4.6 4.55 0 8.25 3.51 8.25 7.83 0 1.62-1.38 2.94-3.08 2.94s-3.08-1.32-3.08-2.94c0-1.07-.93-1.94-2.08-1.94s-2.08.87-2.08 1.94c0 1.71.66 3.31 1.87 4.51.95.94 1.86 1.46 3.27 1.85.27.07.42.35.35.61-.05.23-.26.38-.47.38z"></path>
              </svg>
              <p>{{ lang.tfa.start_webauthn_validation }}</p>
              <hr>
            </div>
-              </div>
+          </center>
-            </div>
+          <p id="webauthn_status_auth"></p>
-            -->
+          <div class="alert alert-danger" style="display:none" id="webauthn_return_code"></div>
-          {% if pending_tfa_authmechs["u2f"] is defined %}
+          <input type="hidden" name="token" id="webauthn_auth_data"/>
-            <div role="tabpanel" class="tab-pane active" id="tfa_tab_u2f">
+          <input type="hidden" name="tfa_method" value="webauthn">
-              <div class="panel panel-default" style="margin-bottom: 0px;">
+          <input type="hidden" name="verify_tfa_login"/><br/>
-                  <div class="panel-body">
+        </form>
        {% endif %}
        {# leave this here to inform users that u2f is deprecated #}
        {% if pending_tfa_method == 'u2f' %}
        <form role="form" method="post" id="u2f_auth_form">
                      <div>
          <p>{{ lang.tfa.u2f_deprecated }}</p>
          <p><b>{{ lang.tfa.u2f_deprecated_important }}</b></p>
          <input type="hidden" name="token" value="destroy" />
          <input type="hidden" name="tfa_method" value="u2f">
          <input type="hidden" name="verify_tfa_login"/><br/>
          <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>
                      </div>
        </form>
                  </div>
              </div>
            </div>
        {% endif %}
      </div>
    </div>
  </div>
 </div>
--- a/data/web/templates/modals/mailbox.twig
+++ b/data/web/templates/modals/mailbox.twig
@@ -435,11 +435,11 @@
      </div>
      <div class="modal-body">
        <p class="help-block">{{ lang.add.syncjob_hint }}</p>
-        <form class="form-horizontal" data-cached-form="false" role="form" data-id="add_syncjob">
+        <form class="form-horizontal" data-cached-form="true" role="form" data-id="add_syncjob">
          <div class="form-group">
            <label class="control-label col-sm-2" for="username">{{ lang.add.username }}</label>
            <div class="col-sm-10">
-              <select data-live-search="true" name="username" title="{{ lang.add.select }}" required>
+              <select data-live-search="true" name="username" required>
                {% for mailbox in mailboxes %}
                  <option>{{ mailbox }}</option>
                {% endfor %}
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -18,10 +18,6 @@
              <i class="bi bi-inbox-fill"></i> {{ lang.user.open_webmail_sso }}
            </a>
          {% endif %}
          <div>
            <hr>
            <p><a href="#pwChangeModal" data-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.change_password }}</a></p>
          </div>
        </div>
      </div>
      <hr>
@@ -47,27 +43,8 @@
            </div>
          </div>
          <p>{{ mailboxdata.quota_used|formatBytes(2) }} / {% if mailboxdata.quota == 0 %}∞{% else %}{{ mailboxdata.quota|formatBytes(2) }}{% endif %}<br>{{ mailboxdata.messages }} {{ lang.user.messages }}</p>
        </div>
      </div>
          <hr>
-      {# TFA #}
+          <p><a href="#pwChangeModal" data-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.change_password }}</a></p>
      <div class="row">
        <div class="col-sm-3 col-xs-5 text-right">{{ lang.tfa.tfa }}:</div>
        <div class="col-sm-9 col-xs-7">
          <p id="tfa_pretty">{{ tfa_data.pretty }}</p>
          {% include 'tfa_keys.twig' %}
          <br>
        </div>
      </div>
      <div class="row">
        <div class="col-sm-3 col-xs-5 text-right">{{ lang.tfa.set_tfa }}:</div>
        <div class="col-sm-9 col-xs-7">
          <select data-style="btn btn-sm dropdown-toggle bs-placeholder btn-default" data-width="fit" id="selectTFA" class="selectpicker" title="{{ lang.tfa.select }}">
            <option value="yubi_otp">{{ lang.tfa.yubi_otp }}</option>
            <option value="webauthn">{{ lang.tfa.webauthn }}</option>
            <option value="totp">{{ lang.tfa.totp }}</option>
            <option value="none">{{ lang.tfa.none }}</option>
          </select>
        </div>
      </div>
      <hr>
--- a/data/web/user.php
+++ b/data/web/user.php
@@ -76,7 +76,6 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
    'acl_json' => json_encode($_SESSION['acl']),
    'user_spam_score' => mailbox('get', 'spam_score', $username),
    'tfa_data' => $tfa_data,
    'tfa_id' => @$_SESSION['tfa_id'],
    'fido2_data' => $fido2_data,
    'mailboxdata' => $mailboxdata,
    'clientconfigstr' => $clientconfigstr,
@@ -91,7 +90,8 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
    'number_of_app_passwords' => $number_of_app_passwords,
  ];
 }
-else {
+
 if (!isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'admin') {
  header('Location: /');
  exit();
 }
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -58,7 +58,7 @@ services:
            - redis
    clamd-mailcow:
-      image: mailcow/clamd:1.54
+      image: mailcow/clamd:1.52
      restart: always
      depends_on:
        - unbound-mailcow
@@ -168,7 +168,7 @@ services:
            - phpfpm
    sogo-mailcow:
-      image: mailcow/sogo:1.109
+      image: mailcow/sogo:1.108
      environment:
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
@@ -215,7 +215,7 @@ services:
            - sogo
    dovecot-mailcow:
-      image: mailcow/dovecot:1.17
+      image: mailcow/dovecot:1.162
      depends_on:
        - mysql-mailcow
      dns:
--- a/helper-scripts/_cold-standby.sh
+++ b/helper-scripts/_cold-standby.sh
@@ -271,13 +271,4 @@ if ! ssh -o StrictHostKeyChecking=no \
    >&2 echo -e "\e[31m[ERR]\e[0m - Could not cleanup old images on remote"
 fi
 echo -e "\033[1mExecuting update script and checking for new docker-compose Version on remote...\033[0m"
 if ! ssh -o StrictHostKeyChecking=no \
  -i "${REMOTE_SSH_KEY}" \
  ${REMOTE_SSH_HOST} \
  -p ${REMOTE_SSH_PORT} \
  ${SCRIPT_DIR}/../update.sh -f --update-compose ; then
    >&2 echo -e "\e[31m[ERR]\e[0m - Could not fetch docker-compose on remote"
 fi
 echo -e "\e[32mDone\e[0m"
--- a/helper-scripts/backup_and_restore.sh
+++ b/helper-scripts/backup_and_restore.sh
@@ -76,6 +76,13 @@ else
  CMPS_PRJ=$(echo ${COMPOSE_PROJECT_NAME} | tr -cd "[0-9A-Za-z-_]")
 fi
 for bin in docker docker-compose; do
  if [[ -z $(which ${bin}) ]]; then
    >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m"
    exit 1
  fi
 done
 if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then
  >&2 echo -e "\e[31mBusyBox grep detected on local system, please install GNU grep\e[0m"
  exit 1
@@ -87,12 +94,6 @@ function backup() {
  mkdir -p "${BACKUP_LOCATION}/mailcow-${DATE}"
  chmod 755 "${BACKUP_LOCATION}/mailcow-${DATE}"
  cp "${SCRIPT_DIR}/../mailcow.conf" "${BACKUP_LOCATION}/mailcow-${DATE}"
  for bin in docker; do
  if [[ -z $(which ${bin}) ]]; then
    >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m"
    exit 1
  fi
  done
  while (( "$#" )); do
    case "$1" in
    vmail|all)
@@ -160,12 +161,6 @@ function backup() {
 }
 function restore() {
  for bin in docker docker-compose; do
  if [[ -z $(which ${bin}) ]]; then
    >&2 echo -e "\e[31mCannot find ${bin} in local PATH, exiting...\e[0m"
    exit 1
  fi
  done  
  echo
  echo "Stopping watchdog-mailcow..."
  docker stop $(docker ps -qf name=watchdog-mailcow)
--- a/update.sh
+++ b/update.sh
@@ -1,6 +1,64 @@
 #!/usr/bin/env bash
-############## Begin Function Section ##############
+# Check permissions
 if [ "$(id -u)" -ne "0" ]; then
  echo "You need to be root"
  exit 1
 fi
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # Run pre-update-hook
 if [ -f "${SCRIPT_DIR}/pre_update_hook.sh" ]; then
  bash "${SCRIPT_DIR}/pre_update_hook.sh"
 fi
 if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then
  echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
  echo "Please update to 5.x or use another distribution."
  exit 1
 fi
 if [[ "$(uname -r)" =~ ^4\.4\. ]]; then
  if grep -q Ubuntu <<< $(uname -a); then
    echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"
    echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\""
    exit 1
  fi
  echo "mailcow on a 4.4.x kernel is not supported. It may or may not work, please upgrade your kernel or continue at your own risk."
  read -p "Press any key to continue..." < /dev/tty
 fi
 # Exit on error and pipefail
 set -o pipefail
 # Setting high dc timeout
 export COMPOSE_HTTP_TIMEOUT=600
 # Add /opt/bin to PATH
 PATH=$PATH:/opt/bin
 umask 0022
 for bin in curl docker git awk sha1sum; do
  if [[ -z $(which ${bin}) ]]; then 
  echo "Cannot find ${bin}, exiting..." 
  exit 1;
  elif [[ -z $(which docker-compose) ]]; then
  echo "Cannot find docker-compose Standalone. Installing..."
  sleep 3
   if [[ -e /etc/alpine-release ]]; then
    echo -e "\e[33mNot installing latest docker-compose, because you are using Alpine Linux without glibc support. Install docker-compose via apk!\e[0m"
    exit 1
   fi 
  curl -#L https://github.com/docker/compose/releases/download/v$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose
  chmod +x /usr/local/bin/docker-compose  
  fi
 done
 export LC_ALL=C
 DATE=$(date +%Y-%m-%d_%H_%M_%S)
 BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD)
 check_online_status() {
  CHECK_ONLINE_IPS=(1.1.1.1 9.9.9.9 8.8.8.8)
@@ -156,16 +214,12 @@ remove_obsolete_nginx_ports() {
    for override in docker-compose.override.yml docker-compose.override.yaml; do
    if [ -s $override ] ; then
        if cat $override | grep nginx-mailcow > /dev/null 2>&1; then
-          if cat $override | grep -E '(\[::])' > /dev/null 2>&1; then
+          if cat $override | grep -w [::] > /dev/null 2>&1; then
            if cat $override | grep -w 80:80 > /dev/null 2>&1 && cat $override | grep -w 443:443 > /dev/null 2>&1 ; then
              echo -e "\e[33mBacking up ${override} to preserve custom changes...\e[0m"
              echo -e "\e[33m!!! Manual Merge needed (if other overrides are set) !!!\e[0m"
              sleep 3
              cp $override ${override}_backup
              sed -i '/nginx-mailcow:$/,/^$/d' $override
-              echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from original override File.\e[0m"
+              echo -e "\e[33mRemoved obsolete NGINX IPv6 Bind from override File.\e[0m"
                if [[ "$(cat $override | sed '/^\s*$/d' | wc -l)" == "2" ]]; then
-                  mv $override ${override}_empty
+                  mv $override ${override}_backup
                  echo -e "\e[31m${override} is empty. Renamed it to ensure mailcow is startable.\e[0m"
                fi
            fi
@@ -183,13 +237,6 @@ elif [[ -e /etc/alpine-release ]]; then
  echo -e "\e[33mNot fetching latest docker-compose, because you are using Alpine Linux without glibc support. Please update docker-compose via apk!\e[0m"
  return 0
 else
  if [ ! $FORCE ]; then
    read -r -p "Do you want to update your docker-compose Version? It will automatic upgrade your docker-compose installation (recommended)? [y/N] " updatecomposeresponse 
    if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
      echo "OK, not updating docker-compose."
      return 0
    fi
  fi 
  echo -e "\e[32mFetching new docker-compose version...\e[0m"
  echo -e "\e[32mTrying to determine GLIBC version...\e[0m"
  if ldd --version > /dev/null; then
@@ -203,18 +250,14 @@ else
    DC_DL_SUFFIX=legacy
  fi
  sleep 1
-  if [[ $(command -v pip 2>&1) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 || $(command -v pip3 2>&1) && $(pip3 list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then
+  if [[ ! -z $(which pip) && $(pip list --local 2>&1 | grep -v DEPRECATION | grep -c docker-compose) == 1 ]]; then
-    echo -e "\e[33mFound a docker-compose Version installed with pip!\e[0m"
+    true
    echo -e "\e[31mPlease uninstall the pip Version of docker-compose since it doesn´t support Versions higher than 1.29.2.\e[0m"
    sleep 2
    echo -e "\e[33mExiting...\e[0m"
    exit 1
    #prevent breaking a working docker-compose installed with pip
  elif [[ $(curl -sL -w "%{http_code}" https://www.servercow.de/docker-compose/latest.php?vers=${DC_DL_SUFFIX} -o /dev/null) == "200" ]]; then
    LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php)
    COMPOSE_VERSION=$(docker-compose version --short)
    if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then
-      COMPOSE_PATH=$(command -v docker-compose)
+      COMPOSE_PATH=$(which docker-compose)
      if [[ -w ${COMPOSE_PATH} ]]; then
        curl -#L https://github.com/docker/compose/releases/download/v${LATEST_COMPOSE}/docker-compose-$(uname -s)-$(uname -m) > $COMPOSE_PATH
        chmod +x $COMPOSE_PATH
@@ -230,66 +273,6 @@ else
 fi
 }
 ############## End Function Section ##############
 # Check permissions
 if [ "$(id -u)" -ne "0" ]; then
  echo "You need to be root"
  exit 1
 fi
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # Run pre-update-hook
 if [ -f "${SCRIPT_DIR}/pre_update_hook.sh" ]; then
  bash "${SCRIPT_DIR}/pre_update_hook.sh"
 fi
 if [[ "$(uname -r)" =~ ^4\.15\.0-60 ]]; then
  echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!";
  echo "Please update to 5.x or use another distribution."
  exit 1
 fi
 if [[ "$(uname -r)" =~ ^4\.4\. ]]; then
  if grep -q Ubuntu <<< $(uname -a); then
    echo "DO NOT RUN mailcow ON THIS UBUNTU KERNEL!"
    echo "Please update to linux-generic-hwe-16.04 by running \"apt-get install --install-recommends linux-generic-hwe-16.04\""
    exit 1
  fi
  echo "mailcow on a 4.4.x kernel is not supported. It may or may not work, please upgrade your kernel or continue at your own risk."
  read -p "Press any key to continue..." < /dev/tty
 fi
 # Exit on error and pipefail
 set -o pipefail
 # Setting high dc timeout
 export COMPOSE_HTTP_TIMEOUT=600
 # Add /opt/bin to PATH
 PATH=$PATH:/opt/bin
 umask 0022
 for bin in curl docker git awk sha1sum; do
  if [[ -z $(command -v ${bin}) ]]; then 
  echo "Cannot find ${bin}, exiting..." 
  exit 1;
  fi  
 done
 if [[ -z $(command -v docker-compose) ]]; then
  echo -e "\e[31mCannot find docker-compose Standalone.\e[0m" 
  echo -e "\e[31mPlease install it manually regarding to this doc site: https://mailcow.github.io/mailcow-dockerized-docs/i_u_m/i_u_m_install/\e[0m"
  sleep 3
  exit 1;
 fi
 export LC_ALL=C
 DATE=$(date +%Y-%m-%d_%H_%M_%S)
 BRANCH=$(cd ${SCRIPT_DIR}; git rev-parse --abbrev-ref HEAD)
 while (($#)); do
  case "${1}" in
    --check|-c)
@@ -331,33 +314,19 @@ while (($#)); do
    --no-update-compose)
      NO_UPDATE_COMPOSE=y
    ;;
    --update-compose)
      LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php)
      COMPOSE_VERSION=$(docker-compose version --short) 
      if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then
        echo -e "\e[33mA new docker-compose Version is available: $LATEST_COMPOSE\e[0m"
        echo -e "\e[33mYour Version is: $COMPOSE_VERSION\e[0m"
        update_compose
        echo -e "\e[32mYour docker-compose Version is now up to date!\e[0m" 
      else
      echo -e "\e[32mYour docker-compose Version is up to date! Not updating it...\e[0m" 
      fi
      exit 0
    ;;
    --skip-ping-check)
      SKIP_PING_CHECK=y
    ;;
    --help|-h)
-    echo './update.sh [-c|--check, --ours, --gc, --no-update-compose, --update-compose, --prefetch, --skip-start, --skip-ping-check, -f|--force, -h|--help]
+    echo './update.sh [-c|--check, --ours, --gc, --no-update-compose, --prefetch, --skip-start, --skip-ping-check, -f|--force, -h|--help]
  -c|--check           -   Check for updates and exit (exit codes => 0: update available, 3: no updates)
  --ours               -   Use merge strategy option "ours" to solve conflicts in favor of non-mailcow code (local changes over remote changes), not recommended!
  --gc                 -   Run garbage collector to delete old image tags
-  --no-update-compose  -   Skip the docker-compose Updates during the mailcow Update process
+  --no-update-compose  -   Do not update docker-compose  
  --update-compose     -   Only run the docker-compose Update process (don´t updates your mailcow itself)
  --prefetch           -   Only prefetch new images and exit (useful to prepare updates)
  --skip-start         -   Do not start mailcow after update
-  --skip-ping-check    -   Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine)
+  --skip-ping-check    -   Skip ICMP Check to public DNS resolvers (Use it only if you´ve blocked any ICMP Connections to your mailcow machine).
  -f|--force           -   Force update, do not ask questions
 '
    exit 1
@@ -365,21 +334,6 @@ while (($#)); do
  shift
 done
 # Check if Docker-Compose is older then v2 before continuing
 if ! docker-compose version --short | grep "^2." > /dev/null 2>&1; then
  echo -e "\e[33mYour docker-compose Version is not up to date!\e[0m"
  echo -e "\e[33mmailcow needs docker-compose > 2.X.X!\e[0m"
  echo -e "\e[33mYour current installed Version: $(docker-compose version --short)\e[0m"
  sleep 3
  update_compose
  if [[ ! "${updatecomposeresponse}" =~ ^([yY][eE][sS]|[yY])+$ ]] && [[ ! ${FORCE} ]]; then
     echo -e "\e[31mmailcow does not work with docker-compose < 2.X.X anymore!\e[0m"
     echo -e "\e[31mPlease update your docker-compose manually, to run mailcow.\e[0m"
     echo -e "\e[31mExiting...\e[0m"
     exit 1
  fi
 fi
 [[ ! -f mailcow.conf ]] && { echo "mailcow.conf is missing"; exit 1;}
 chmod 600 mailcow.conf
 source mailcow.conf
@@ -675,7 +629,7 @@ fi
 echo -e "\e[32mChecking for newer update script...\e[0m"
 SHA1_1=$(sha1sum update.sh)
 git fetch origin #${BRANCH}
-git checkout origin/${BRANCH} update.sh
+git checkout origin/${BRANCH} update.sh docker-compose.yml
 SHA1_2=$(sha1sum update.sh)
 if [[ ${SHA1_1} != ${SHA1_2} ]]; then
  echo "update.sh changed, please run this script again, exiting."
@@ -699,21 +653,11 @@ if [ ! $FORCE ]; then
  migrate_docker_nat
 fi
 LATEST_COMPOSE=$(curl -#L https://www.servercow.de/docker-compose/latest.php)
 COMPOSE_VERSION=$(docker-compose version --short)
 if [[ "$LATEST_COMPOSE" != "$COMPOSE_VERSION" ]]; then
  echo -e "\e[33mA new docker-compose Version is available: $LATEST_COMPOSE\e[0m"
  echo -e "\e[33mYour Version is: $COMPOSE_VERSION\e[0m"
 update_compose
 else
  echo -e "\e[32mYour docker-compose Version is up to date! Not updating it...\e[0m" 
 fi
 remove_obsolete_nginx_ports
 echo -e "\e[32mValidating docker-compose stack configuration...\e[0m"
 sed -i 's/HTTPS_BIND:-:/HTTPS_BIND:-/g' docker-compose.yml
 sed -i 's/HTTP_BIND:-:/HTTP_BIND:-/g' docker-compose.yml
 if ! docker-compose config -q; then
  echo -e "\e[31m\nOh no, something went wrong. Please check the error message above.\e[0m"
  exit 1