From 2555af94201c387eba4c1b110667afc03c64c015 Mon Sep 17 00:00:00 2001 From: eleith Date: Wed, 19 Jan 2022 02:05:21 -0800 Subject: [PATCH 01/19] Support rspamd (#96) * install rspamd and control turning it on through RSPAMD_ENABLE * add rspamd to TOC * ensure RSPAMD_ENABLE is mutually exclusive to DKIM_ENABLE or DMARC_ENABLE --- Dockerfile | 5 +- README.md | 9 +- examples/rspamd/.env | 3 + examples/rspamd/anonaddy.env | 37 +++++++ examples/rspamd/docker-compose.yml | 51 +++++++++ rootfs/etc/cont-init.d/03-config.sh | 136 ++++++++++++++++++++++-- rootfs/etc/cont-init.d/05-svc-rspamd.sh | 25 +++++ 7 files changed, 255 insertions(+), 11 deletions(-) create mode 100644 examples/rspamd/.env create mode 100644 examples/rspamd/anonaddy.env create mode 100644 examples/rspamd/docker-compose.yml create mode 100644 rootfs/etc/cont-init.d/05-svc-rspamd.sh diff --git a/Dockerfile b/Dockerfile index 854f5dc..c85f08e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,6 +51,9 @@ RUN apk --update --no-cache add \ php8-zlib \ postfix \ postfix-mysql \ + rspamd \ + rspamd-controller \ + rspamd-proxy \ shadow \ tar \ tzdata \ @@ -111,7 +114,7 @@ RUN apk --update --no-cache add -t build-dependencies \ COPY rootfs / -EXPOSE 25 8000 +EXPOSE 25 8000 11334 VOLUME [ "/data" ] ENTRYPOINT [ "/init" ] diff --git a/README.md b/README.md index 7efa343..4e55ab0 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,7 @@ ___ * [Postfix](#postfix) * [DKIM](#dkim) * [DMARC](#dmarc) + * [RSPAMD](#rspamd) * [Volumes](#volumes) * [Ports](#ports) * [Usage](#usage) @@ -176,6 +177,11 @@ Image: anonaddy/anonaddy:latest * `DMARC_FAILURE_REPORTS`: Enables generation of failure reports when the DMARC test fails (default `false`) * `DMARC_MILTER_DEBUG`: Sets the debug level to be requested from the milter library (default `0`) +### RSPAMD + +* `RSPAMD_ENABLE`: Enable Rspamd service. (default `false`) +* `RSPAMD_WEB_PASSWORD`: Rspamd web password (default `null`) + ## Volumes * `/data`: Contains storage 
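Review bot: `EXPOSE 25 8000 11334` advertises the Rspamd controller port on the image, and that worker speaks plain HTTP with — per the README hunk in this same commit — only `RSPAMD_WEB_PASSWORD` (default `null`) in front of it. EXPOSE is metadata rather than a listener, but it tells operators and `docker run -P` users that the port is meant to be published, and the example compose file added by this commit does publish it on every host interface. I would leave 11334 out of EXPOSE, or at least annotate it: `# 11334: rspamd controller (plain HTTP, password-only auth) - front it with a TLS reverse proxy, do not publish directly`. The same caveat belongs next to the `11334` entry in the README Ports section.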
@@ -185,7 +191,8 @@ Image: anonaddy/anonaddy:latest ## Ports -* `8000`: HTTP port +* `8000`: HTTP port (anonaddy web) +* `11334`: HTTP port (rspamd web dashboard) * `25`: SMTP port (postfix) ## Usage diff --git a/examples/rspamd/.env b/examples/rspamd/.env new file mode 100644 index 0000000..8637e7d --- /dev/null +++ b/examples/rspamd/.env @@ -0,0 +1,3 @@ +MYSQL_DATABASE=anonaddy +MYSQL_USER=anonaddy +MYSQL_PASSWORD=anonaddy diff --git a/examples/rspamd/anonaddy.env b/examples/rspamd/anonaddy.env new file mode 100644 index 0000000..cfeb044 --- /dev/null +++ b/examples/rspamd/anonaddy.env @@ -0,0 +1,37 @@ +TZ=Europe/Paris +PUID=1000 +PGID=1000 + +MEMORY_LIMIT=256M +UPLOAD_MAX_SIZE=16M +OPCACHE_MEM_SIZE=128 +REAL_IP_FROM=0.0.0.0/32 +REAL_IP_HEADER=X-Forwarded-For +LOG_IP_VAR=remote_addr + +APP_KEY=base64:KJ1LX0w15ItOoMWdC+DNW2Bt0Z4sT98zu0XQ8Zfaf9o= +APP_DEBUG=false +APP_URL=http://127.0.0.1:8000 + +ANONADDY_RETURN_PATH=bounces@example.com +ANONADDY_ADMIN_USERNAME=anonaddy +ANONADDY_ENABLE_REGISTRATION=true +ANONADDY_DOMAIN=example.com +ANONADDY_ALL_DOMAINS=example.com +ANONADDY_HOSTNAME=mail.example.com +ANONADDY_DNS_RESOLVER=127.0.0.1 +ANONADDY_SECRET=lksjflk2u3j4oij2elkru23oi4uj2lkjflsakfjoi23u4 +ANONADDY_LIMIT=200 +ANONADDY_BANDWIDTH_LIMIT=104857600 +ANONADDY_NEW_ALIAS_LIMIT=10 +ANONADDY_ADDITIONAL_USERNAME_LIMIT=3 + +MAIL_FROM_NAME=AnonAddy +MAIL_FROM_ADDRESS=anonaddy@example.com + +POSTFIX_DEBUG=false +POSTFIX_SMTPD_TLS=false +POSTFIX_SMTP_TLS=false + +RSPAMD_ENABLE=true +RSPAMD_WEB_PASSWORD=abc diff --git a/examples/rspamd/docker-compose.yml b/examples/rspamd/docker-compose.yml new file mode 100644 index 0000000..a8c3e13 --- /dev/null +++ b/examples/rspamd/docker-compose.yml 
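Review bot: `RSPAMD_WEB_PASSWORD=abc`, together with the literal `APP_KEY` and `ANONADDY_SECRET` values above it, ships a working set of secrets in a file users are expected to copy as-is, and the companion docker-compose.yml in this commit publishes the dashboard that this password protects. Replace them with placeholders that cannot be deployed by accident, e.g. `RSPAMD_WEB_PASSWORD=change-me`, and add a comment line pointing at how `APP_KEY` is generated (the README's key-generation note) so the file documents itself. The identical file (same blob `cfeb044`) is added again as `examples/nginx/anonaddy.env` in PATCH 03/19 and needs the same treatment.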
@@ -0,0 +1,51 @@ +version: "3.5" + +services: + db: + image: mariadb:10.5 + container_name: anonaddy_db + command: + - "mysqld" + - "--character-set-server=utf8mb4" + - "--collation-server=utf8mb4_unicode_ci" + volumes: + - "./db:/var/lib/mysql" + environment: + - "MYSQL_ALLOW_EMPTY_PASSWORD=yes" + - "MYSQL_DATABASE" + - "MYSQL_USER" + - "MYSQL_PASSWORD" + restart: always + + redis: + image: redis:4.0-alpine + container_name: anonaddy_redis + restart: always + + anonaddy: + image: anonaddy/anonaddy:latest + container_name: anonaddy + depends_on: + - db + - redis + ports: + - target: 25 + published: 25 + protocol: tcp + - target: 8000 + published: 8000 + protocol: tcp + - target: 11334 + published: 11334 + protocol: tcp + volumes: + - "./data:/data" + env_file: + - "./anonaddy.env" + environment: + - "DB_HOST=db" + - "DB_DATABASE=${MYSQL_DATABASE}" + - "DB_USERNAME=${MYSQL_USER}" + - "DB_PASSWORD=${MYSQL_PASSWORD}" + - "REDIS_HOST=redis" + restart: always diff --git a/rootfs/etc/cont-init.d/03-config.sh b/rootfs/etc/cont-init.d/03-config.sh index d8edb3d..5bddb72 100644 --- a/rootfs/etc/cont-init.d/03-config.sh +++ b/rootfs/etc/cont-init.d/03-config.sh @@ -90,6 +90,9 @@ DMARC_ENABLE=${DMARC_ENABLE:-false} DMARC_FAILURE_REPORTS=${DMARC_FAILURE_REPORTS:-false} DMARC_MILTER_DEBUG=${DMARC_MILTER_DEBUG:-0} +RSPAMD_ENABLE=${RSPAMD_ENABLE:-false} +RSPAMD_WEB_PASSWORD=${RSPAMD_WEB_PASSWORD:-null} + echo "Setting timezone to ${TZ}..." ln -snf /usr/share/zoneinfo/${TZ} /etc/localtime echo ${TZ} >/etc/timezone 
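Review bot: The `target: 11334` / `published: 11334` entry publishes the Rspamd controller on every host interface over plain HTTP, authenticated only by the `RSPAMD_WEB_PASSWORD` the example env file sets to `abc`. For an example meant to be copied, bind it to loopback with the short syntax, `- "127.0.0.1:11334:11334"`, and say in a comment that the dashboard should be reached through a TLS reverse proxy (PATCH 03/19 in this series adds exactly that and drops the published port). Separately, `MYSQL_ALLOW_EMPTY_PASSWORD=yes` gives the `db` service a passwordless root account; it is not published, but every container on the compose network — including the one that accepts mail from the internet — can reach it, so `MYSQL_ROOT_PASSWORD` is the safer choice; the nginx example compose file in PATCH 03/19 carries the same line.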
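Review bot: `RSPAMD_WEB_PASSWORD=${RSPAMD_WEB_PASSWORD:-null}` turns an unset password into the literal string `null`; unlike the Laravel-style `null` defaults used for the other variables in this file, this value is presumably interpolated into the controller's `worker-controller.inc` (that heredoc is not visible in this extraction), where it becomes a real, trivially guessable password on the dashboard. Prefer an empty default, `RSPAMD_WEB_PASSWORD=${RSPAMD_WEB_PASSWORD:-}`, and have the Rspamd configuration step either refuse to enable the controller or bind it to loopback only when the password is empty. PATCH 02/19 moves this line unchanged into `00-env`, so the fix applies there too.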
@@ -260,11 +263,118 @@ echo "Trust all proxies" anonaddy vendor:publish --no-interaction --provider="Fideloper\Proxy\TrustedProxyServiceProvider" sed -i "s|^ 'proxies'.*| 'proxies' => '\*',|g" /var/www/anonaddy/config/trustedproxy.php +## +## RSPAMD +## + +if [[ "$RSPAMD_ENABLE" = "true" && ("$DKIM_ENABLE" = "true" || "$DMARC_ENABLE" = "true") ]]; then + echo "action needed: RSPAMD_ENABLE must be mutually exclusive with DKIM_ENABLE or DMARC_ENABLE" +fi + +if [ "$RSPAMD_ENABLE" = "true" ]; then + if [ -f "$DKIM_PRIVATE_KEY" ]; then + echo "Copying DKIM private key for Rspamd" + mkdir /var/lib/rspamd/dkim + cp -f "${DKIM_PRIVATE_KEY}" "/var/lib/rspamd/dkim/${ANONADDY_DOMAIN}.default.key" + + echo "Setting Rspamd dkim_signing.conf" + cat >/etc/rspamd/local.d/dkim_signing.conf </etc/rspamd/local.d/classifier-bayes.conf </etc/rspamd/local.d/logging.inc </etc/rspamd/local.d/redis.conf </etc/rspamd/local.d/greylist.conf </etc/rspamd/local.d/history_redis.conf </etc/rspamd/local.d/groups.conf </etc/rspamd/local.d/worker-controller.inc </etc/opendmarc/opendmarc.conf <>/etc/postfix/main.cf </etc/services.d/rspamd/run < Date: Wed, 19 Jan 2022 18:09:34 +0100 Subject: [PATCH 02/19] Split configuration (#98) Co-authored-by: CrazyMax --- README.md | 11 + rootfs/etc/cont-init.d/00-env | 113 +++ rootfs/etc/cont-init.d/00-fix-logs.sh | 0 rootfs/etc/cont-init.d/01-fix-uidgid.sh | 0 rootfs/etc/cont-init.d/02-fix-perms.sh | 0 rootfs/etc/cont-init.d/03-config.sh | 802 ------------------ rootfs/etc/cont-init.d/10-config.sh | 48 ++ rootfs/etc/cont-init.d/11-config-php.sh | 21 + rootfs/etc/cont-init.d/12-config-nginx.sh | 15 + rootfs/etc/cont-init.d/13-config-anonaddy.sh | 83 ++ rootfs/etc/cont-init.d/14-config-rspamd.sh | 108 +++ rootfs/etc/cont-init.d/15-config-opendkim.sh | 63 ++ rootfs/etc/cont-init.d/16-config-opendmarc.sh | 43 + rootfs/etc/cont-init.d/17-config-postfix.sh | 322 +++++++ .../{04-svc-main.sh => 50-svc-main.sh} | 0 ...{05-svc-opendkim.sh => 60-svc-opendkim.sh} | 3 +- 
...6-svc-opendmarc.sh => 61-svc-opendmarc.sh} | 2 +- .../{05-svc-rspamd.sh => 62-svc-rspamd.sh} | 6 +- .../{07-svc-postfix.sh => 63-svc-postfix.sh} | 0 .../{08-svc-cron.sh => 80-svc-cron.sh} | 0 rootfs/etc/cont-init.d/99-clean.sh | 14 +- 21 files changed, 841 insertions(+), 813 deletions(-) create mode 100755 rootfs/etc/cont-init.d/00-env mode change 100644 => 100755 rootfs/etc/cont-init.d/00-fix-logs.sh mode change 100644 => 100755 rootfs/etc/cont-init.d/01-fix-uidgid.sh mode change 100644 => 100755 rootfs/etc/cont-init.d/02-fix-perms.sh delete mode 100644 rootfs/etc/cont-init.d/03-config.sh create mode 100755 rootfs/etc/cont-init.d/10-config.sh create mode 100755 rootfs/etc/cont-init.d/11-config-php.sh create mode 100755 rootfs/etc/cont-init.d/12-config-nginx.sh create mode 100755 rootfs/etc/cont-init.d/13-config-anonaddy.sh create mode 100755 rootfs/etc/cont-init.d/14-config-rspamd.sh create mode 100755 rootfs/etc/cont-init.d/15-config-opendkim.sh create mode 100755 rootfs/etc/cont-init.d/16-config-opendmarc.sh create mode 100755 rootfs/etc/cont-init.d/17-config-postfix.sh rename rootfs/etc/cont-init.d/{04-svc-main.sh => 50-svc-main.sh} (100%) mode change 100644 => 100755 rename rootfs/etc/cont-init.d/{05-svc-opendkim.sh => 60-svc-opendkim.sh} (88%) mode change 100644 => 100755 rename rootfs/etc/cont-init.d/{06-svc-opendmarc.sh => 61-svc-opendmarc.sh} (93%) mode change 100644 => 100755 rename rootfs/etc/cont-init.d/{05-svc-rspamd.sh => 62-svc-rspamd.sh} (77%) mode change 100644 => 100755 rename rootfs/etc/cont-init.d/{07-svc-postfix.sh => 63-svc-postfix.sh} (100%) mode change 100644 => 100755 rename rootfs/etc/cont-init.d/{08-svc-cron.sh => 80-svc-cron.sh} (100%) mode change 100644 => 100755 mode change 100644 => 100755 rootfs/etc/cont-init.d/99-clean.sh diff --git a/README.md b/README.md index 4e55ab0..4cf8f57 100644 --- a/README.md +++ b/README.md 
@@ -166,6 +166,8 @@ Image: anonaddy/anonaddy:latest * `DKIM_ENABLE`: Enable OpenDKIM service. (default `false`) * `DKIM_REPORT_ADDRESS`: Specifies the string to use in the `From:` header field for outgoing reports (default `postmaster@${ANONADDY_DOMAIN}`) +> :warning: Rspamd and OpenDKIM/OpenDMARC services are mutually exclusive. + > :warning: DKIM private key must be located in `/data/dkim/${ANONADDY_DOMAIN}.private`. You can generate a DKIM > private/public keypair by following [this note](#generate-dkim-privatepublic-keypair). @@ -177,11 +179,20 @@ Image: anonaddy/anonaddy:latest * `DMARC_FAILURE_REPORTS`: Enables generation of failure reports when the DMARC test fails (default `false`) * `DMARC_MILTER_DEBUG`: Sets the debug level to be requested from the milter library (default `0`) +> :warning: Rspamd and OpenDKIM/OpenDMARC services are mutually exclusive. + ### RSPAMD * `RSPAMD_ENABLE`: Enable Rspamd service. (default `false`) * `RSPAMD_WEB_PASSWORD`: Rspamd web password (default `null`) +> :warning: Rspamd and OpenDKIM/OpenDMARC services are mutually exclusive. + +> :warning: DKIM private key must be located in `/data/dkim/${ANONADDY_DOMAIN}.private`. You can generate a DKIM +> private/public keypair by following [this note](#generate-dkim-privatepublic-keypair). + +> :warning: Rspamd service is disabled if DKIM private key is not found + ## Volumes * `/data`: Contains storage diff --git a/rootfs/etc/cont-init.d/00-env b/rootfs/etc/cont-init.d/00-env new file mode 100755 index 0000000..580545e --- /dev/null +++ b/rootfs/etc/cont-init.d/00-env 
@@ -0,0 +1,113 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# From https://github.com/docker-library/mariadb/blob/master/docker-entrypoint.sh#L21-L41
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(<"${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+TZ=${TZ:-UTC}
+MEMORY_LIMIT=${MEMORY_LIMIT:-256M}
+UPLOAD_MAX_SIZE=${UPLOAD_MAX_SIZE:-16M}
+CLEAR_ENV=${CLEAR_ENV:-yes}
+OPCACHE_MEM_SIZE=${OPCACHE_MEM_SIZE:-128}
+LISTEN_IPV6=${LISTEN_IPV6:-true}
+REAL_IP_FROM=${REAL_IP_FROM:-0.0.0.0/32}
+REAL_IP_HEADER=${REAL_IP_HEADER:-X-Forwarded-For}
+LOG_IP_VAR=${LOG_IP_VAR:-remote_addr}
+
+APP_NAME=${APP_NAME:-AnonAddy}
+#APP_KEY=${APP_KEY:-base64:Gh8/RWtNfXTmB09pj6iEflt/L6oqDf9ZxXIh4I9MS7A=}
+APP_DEBUG=${APP_DEBUG:-false}
+APP_URL=${APP_URL:-http://localhost}
+
+#DB_HOST=${DB_HOST:-localhost}
+DB_PORT=${DB_PORT:-3306}
+DB_DATABASE=${DB_DATABASE:-anonaddy}
+DB_USERNAME=${DB_USERNAME:-anonaddy}
+#DB_PASSWORD=${DB_PASSWORD:-asupersecretpassword}
+DB_TIMEOUT=${DB_TIMEOUT:-60}
+
+REDIS_HOST=${REDIS_HOST:-null}
+REDIS_PASSWORD=${REDIS_PASSWORD:-null}
+REDIS_PORT=${REDIS_PORT:-6379}
+
+#PUSHER_APP_ID=${PUSHER_APP_ID}
+#PUSHER_APP_KEY=${PUSHER_APP_KEY}
+#PUSHER_APP_SECRET=${PUSHER_APP_SECRET}
+PUSHER_APP_CLUSTER=${PUSHER_APP_CLUSTER:-mt1}
+
+ANONADDY_RETURN_PATH=${ANONADDY_RETURN_PATH:-null}
+ANONADDY_ADMIN_USERNAME=${ANONADDY_ADMIN_USERNAME:-null}
+ANONADDY_ENABLE_REGISTRATION=${ANONADDY_ENABLE_REGISTRATION:-true}
+#ANONADDY_DOMAIN=${ANONADDY_DOMAIN:-null}
+ANONADDY_HOSTNAME=${ANONADDY_HOSTNAME:-null}
+ANONADDY_DNS_RESOLVER=${ANONADDY_DNS_RESOLVER:-127.0.0.1}
+ANONADDY_ALL_DOMAINS=${ANONADDY_ALL_DOMAINS:-$ANONADDY_DOMAIN}
+#ANONADDY_SECRET=${ANONADDY_SECRET:-long-random-string}
+ANONADDY_LIMIT=${ANONADDY_LIMIT:-200}
+ANONADDY_BANDWIDTH_LIMIT=${ANONADDY_BANDWIDTH_LIMIT:-104857600}
+ANONADDY_NEW_ALIAS_LIMIT=${ANONADDY_NEW_ALIAS_LIMIT:-10}
+ANONADDY_ADDITIONAL_USERNAME_LIMIT=${ANONADDY_ADDITIONAL_USERNAME_LIMIT:-10}
+#ANONADDY_SIGNING_KEY_FINGERPRINT=${ANONADDY_SIGNING_KEY_FINGERPRINT:-your-signing-key-fingerprint}
+#ANONADDY_DKIM_SIGNING_KEY=${ANONADDY_DKIM_SIGNING_KEY:-dkim-signing-key}
+#ANONADDY_DKIM_SELECTOR=${ANONADDY_DKIM_SELECTOR:-default}
+
+MAIL_FROM_NAME=${MAIL_FROM_NAME:-AnonAddy}
+MAIL_FROM_ADDRESS=${MAIL_FROM_ADDRESS:-anonaddy@${ANONADDY_DOMAIN}}
+MAIL_ENCRYPTION=${MAIL_ENCRYPTION:-null}
+
+POSTFIX_DEBUG=${POSTFIX_DEBUG:-false}
+POSTFIX_SMTPD_TLS=${POSTFIX_SMTPD_TLS:-false}
+POSTFIX_SMTP_TLS=${POSTFIX_SMTP_TLS:-false}
+POSTFIX_RELAYHOST_AUTH_ENABLE=${POSTFIX_RELAYHOST_AUTH_ENABLE:-false}
+POSTFIX_RELAYHOST_USERNAME=${POSTFIX_RELAYHOST_USERNAME:-null}
+POSTFIX_RELAYHOST_PASSWORD=${POSTFIX_RELAYHOST_PASSWORD:-null}
+
+DKIM_ENABLE=${DKIM_ENABLE:-false}
+DKIM_PRIVATE_KEY=/data/dkim/${ANONADDY_DOMAIN}.private
+DKIM_REPORT_ADDRESS=${DKIM_REPORT_ADDRESS:-postmaster@${ANONADDY_DOMAIN}}
+
+DMARC_ENABLE=${DMARC_ENABLE:-false}
+DMARC_FAILURE_REPORTS=${DMARC_FAILURE_REPORTS:-false}
+DMARC_MILTER_DEBUG=${DMARC_MILTER_DEBUG:-0}
+
+RSPAMD_ENABLE=${RSPAMD_ENABLE:-false}
+RSPAMD_WEB_PASSWORD=${RSPAMD_WEB_PASSWORD:-null}
+
+SMTPD_MILTERS=""
+if [ "$RSPAMD_ENABLE" = "true" ] && [ -f "$DKIM_PRIVATE_KEY" ]; then
+ SMTPD_MILTERS="inet:127.0.0.1:11332"
+fi
+if [ "$DKIM_ENABLE" = "true" ] && [ -f "$DKIM_PRIVATE_KEY" ]; then
+ if [ -n "$SMTPD_MILTERS" ]; then SMTPD_MILTERS="${SMTPD_MILTERS},"; fi
+ SMTPD_MILTERS="${SMTPD_MILTERS}unix:opendkim/opendkim.sock"
+fi
+if [ "$DMARC_ENABLE" = "true" ]; then
+ if [ -n "$SMTPD_MILTERS" ]; then SMTPD_MILTERS="${SMTPD_MILTERS},"; fi
+ SMTPD_MILTERS="${SMTPD_MILTERS}unix:opendmarc/opendmarc.sock"
+fi
+
+file_env 'APP_KEY'
+file_env 'DB_USERNAME'
+file_env 'DB_PASSWORD'
+file_env 'ANONADDY_SECRET'
+file_env 'PUSHER_APP_SECRET'
diff --git a/rootfs/etc/cont-init.d/00-fix-logs.sh b/rootfs/etc/cont-init.d/00-fix-logs.sh
old mode 100644
new mode 100755
diff --git a/rootfs/etc/cont-init.d/01-fix-uidgid.sh b/rootfs/etc/cont-init.d/01-fix-uidgid.sh
old mode 100644
new mode 100755
diff --git a/rootfs/etc/cont-init.d/02-fix-perms.sh b/rootfs/etc/cont-init.d/02-fix-perms.sh
old mode 100644
new mode 100755
diff --git a/rootfs/etc/cont-init.d/03-config.sh b/rootfs/etc/cont-init.d/03-config.sh
deleted file mode 100644
index 5bddb72..0000000
--- a/rootfs/etc/cont-init.d/03-config.sh
+++ /dev/null
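Review bot: `file_env 'DB_USERNAME'` at the bottom of the file runs after `DB_USERNAME=${DB_USERNAME:-anonaddy}` has already filled in a default, so a deployment that supplies `DB_USERNAME_FILE` (the Docker-secrets path this helper exists for) always takes the `both $var and $fileVar are set` branch and exits 1 — the `_FILE` variant can never be used for this one variable, while `APP_KEY`, `DB_PASSWORD`, `ANONADDY_SECRET` and `PUSHER_APP_SECRET` are unaffected because their defaults are commented out. Let the helper own the default instead: delete the `DB_USERNAME=${DB_USERNAME:-anonaddy}` line and call `file_env 'DB_USERNAME' 'anonaddy'`. The ordering is inherited from 03-config.sh rather than introduced here, but this split is the natural moment to fix it.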
@@ -1,802 +0,0 @@ -#!/usr/bin/with-contenv bash -# shellcheck shell=bash - -# From https://github.com/docker-library/mariadb/blob/master/docker-entrypoint.sh#L21-L41 -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - echo >&2 "error: both $var and $fileVar are set (but are exclusive)" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(<"${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -TZ=${TZ:-UTC} -MEMORY_LIMIT=${MEMORY_LIMIT:-256M} -UPLOAD_MAX_SIZE=${UPLOAD_MAX_SIZE:-16M} -CLEAR_ENV=${CLEAR_ENV:-yes} -OPCACHE_MEM_SIZE=${OPCACHE_MEM_SIZE:-128} -LISTEN_IPV6=${LISTEN_IPV6:-true} -REAL_IP_FROM=${REAL_IP_FROM:-0.0.0.0/32} -REAL_IP_HEADER=${REAL_IP_HEADER:-X-Forwarded-For} -LOG_IP_VAR=${LOG_IP_VAR:-remote_addr} - -APP_NAME=${APP_NAME:-AnonAddy} -#APP_KEY=${APP_KEY:-base64:Gh8/RWtNfXTmB09pj6iEflt/L6oqDf9ZxXIh4I9MS7A=} -APP_DEBUG=${APP_DEBUG:-false} -APP_URL=${APP_URL:-http://localhost} - -#DB_HOST=${DB_HOST:-localhost} -DB_PORT=${DB_PORT:-3306} -DB_DATABASE=${DB_DATABASE:-anonaddy} -DB_USERNAME=${DB_USERNAME:-anonaddy} -#DB_PASSWORD=${DB_PASSWORD:-asupersecretpassword} -DB_TIMEOUT=${DB_TIMEOUT:-60} - -REDIS_HOST=${REDIS_HOST:-null} -REDIS_PASSWORD=${REDIS_PASSWORD:-null} -REDIS_PORT=${REDIS_PORT:-6379} - -#PUSHER_APP_ID=${PUSHER_APP_ID} -#PUSHER_APP_KEY=${PUSHER_APP_KEY} -#PUSHER_APP_SECRET=${PUSHER_APP_SECRET} -PUSHER_APP_CLUSTER=${PUSHER_APP_CLUSTER:-mt1} - -ANONADDY_RETURN_PATH=${ANONADDY_RETURN_PATH:-null} -ANONADDY_ADMIN_USERNAME=${ANONADDY_ADMIN_USERNAME:-null} -ANONADDY_ENABLE_REGISTRATION=${ANONADDY_ENABLE_REGISTRATION:-true} -#ANONADDY_DOMAIN=${ANONADDY_DOMAIN:-null} 
-ANONADDY_HOSTNAME=${ANONADDY_HOSTNAME:-null} -ANONADDY_DNS_RESOLVER=${ANONADDY_DNS_RESOLVER:-127.0.0.1} -ANONADDY_ALL_DOMAINS=${ANONADDY_ALL_DOMAINS:-$ANONADDY_DOMAIN} -#ANONADDY_SECRET=${ANONADDY_SECRET:-long-random-string} -ANONADDY_LIMIT=${ANONADDY_LIMIT:-200} -ANONADDY_BANDWIDTH_LIMIT=${ANONADDY_BANDWIDTH_LIMIT:-104857600} -ANONADDY_NEW_ALIAS_LIMIT=${ANONADDY_NEW_ALIAS_LIMIT:-10} -ANONADDY_ADDITIONAL_USERNAME_LIMIT=${ANONADDY_ADDITIONAL_USERNAME_LIMIT:-10} -#ANONADDY_SIGNING_KEY_FINGERPRINT=${ANONADDY_SIGNING_KEY_FINGERPRINT:-your-signing-key-fingerprint} -#ANONADDY_DKIM_SIGNING_KEY=${ANONADDY_DKIM_SIGNING_KEY:-dkim-signing-key} -#ANONADDY_DKIM_SELECTOR=${ANONADDY_DKIM_SELECTOR:-default} - -MAIL_FROM_NAME=${MAIL_FROM_NAME:-AnonAddy} -MAIL_FROM_ADDRESS=${MAIL_FROM_ADDRESS:-anonaddy@${ANONADDY_DOMAIN}} -MAIL_ENCRYPTION=${MAIL_ENCRYPTION:-null} - -POSTFIX_DEBUG=${POSTFIX_DEBUG:-false} -POSTFIX_SMTPD_TLS=${POSTFIX_SMTPD_TLS:-false} -POSTFIX_SMTP_TLS=${POSTFIX_SMTP_TLS:-false} -POSTFIX_RELAYHOST_AUTH_ENABLE=${POSTFIX_RELAYHOST_AUTH_ENABLE:-false} -POSTFIX_RELAYHOST_USERNAME=${POSTFIX_RELAYHOST_USERNAME:-null} -POSTFIX_RELAYHOST_PASSWORD=${POSTFIX_RELAYHOST_PASSWORD:-null} - -DKIM_ENABLE=${DKIM_ENABLE:-false} -DKIM_PRIVATE_KEY=/data/dkim/${ANONADDY_DOMAIN}.private -DKIM_REPORT_ADDRESS=${DKIM_REPORT_ADDRESS:-postmaster@${ANONADDY_DOMAIN}} - -DMARC_ENABLE=${DMARC_ENABLE:-false} -DMARC_FAILURE_REPORTS=${DMARC_FAILURE_REPORTS:-false} -DMARC_MILTER_DEBUG=${DMARC_MILTER_DEBUG:-0} - -RSPAMD_ENABLE=${RSPAMD_ENABLE:-false} -RSPAMD_WEB_PASSWORD=${RSPAMD_WEB_PASSWORD:-null} - -echo "Setting timezone to ${TZ}..." 
-ln -snf /usr/share/zoneinfo/${TZ} /etc/localtime -echo ${TZ} >/etc/timezone - -## -## PHP -## - -echo "Init PHP extensions" -cp -Rf /tpls/etc/php8/conf.d /etc/php8 - -echo "Setting PHP-FPM configuration" -sed -e "s/@MEMORY_LIMIT@/$MEMORY_LIMIT/g" \ - -e "s/@UPLOAD_MAX_SIZE@/$UPLOAD_MAX_SIZE/g" \ - -e "s/@CLEAR_ENV@/$CLEAR_ENV/g" \ - /tpls/etc/php8/php-fpm.d/www.conf >/etc/php8/php-fpm.d/www.conf - -echo "Setting PHP INI configuration" -sed -i "s|memory_limit.*|memory_limit = ${MEMORY_LIMIT}|g" /etc/php8/php.ini -sed -i "s|;date\.timezone.*|date\.timezone = ${TZ}|g" /etc/php8/php.ini - -echo "Setting OpCache configuration" -sed -e "s/@OPCACHE_MEM_SIZE@/$OPCACHE_MEM_SIZE/g" \ - /tpls/etc/php8/conf.d/opcache.ini >/etc/php8/conf.d/opcache.ini - -## -## Nginx -## - -echo "Setting Nginx configuration" -sed -e "s#@UPLOAD_MAX_SIZE@#$UPLOAD_MAX_SIZE#g" \ - -e "s#@REAL_IP_FROM@#$REAL_IP_FROM#g" \ - -e "s#@REAL_IP_HEADER@#$REAL_IP_HEADER#g" \ - -e "s#@LOG_IP_VAR@#$LOG_IP_VAR#g" \ - /tpls/etc/nginx/nginx.conf >/etc/nginx/nginx.conf - -if [ "$LISTEN_IPV6" != "true" ]; then - sed -e '/listen \[::\]:/d' -i /etc/nginx/nginx.conf -fi - -## -## Init -## - -echo "Initializing files and folders" -cp -Rf /var/www/anonaddy/storage /data -rm -rf /var/www/anonaddy/storage -ln -sf /data/storage /var/www/anonaddy/storage -chown -h anonaddy. /var/www/anonaddy/storage -chown -R anonaddy. /data/storage -mkdir -p /data/.gnupg -ln -sf /data/.gnupg /var/www/anonaddy/.gnupg -chown -h anonaddy. /var/www/anonaddy/.gnupg -chown -R anonaddy. /data/.gnupg -chmod 700 /data/.gnupg - -## -## Database -## - -echo "Checking database connection..." 
-if [ -z "$DB_HOST" ]; then - echo >&2 "ERROR: DB_HOST must be defined" - exit 1 -fi -file_env 'DB_USERNAME' -file_env 'DB_PASSWORD' -if [ -z "$DB_PASSWORD" ]; then - echo >&2 "ERROR: Either DB_PASSWORD or DB_PASSWORD_FILE must be defined" - exit 1 -fi -dbcmd="mysql -h ${DB_HOST} -P ${DB_PORT} -u "${DB_USERNAME}" "-p${DB_PASSWORD}"" - -echo "Waiting ${DB_TIMEOUT}s for database to be ready..." -counter=1 -while ! ${dbcmd} -e "show databases;" >/dev/null 2>&1; do - sleep 1 - counter=$((counter + 1)) - if [ ${counter} -gt ${DB_TIMEOUT} ]; then - echo >&2 "ERROR: Failed to connect to database on $DB_HOST" - exit 1 - fi -done -echo "Database ready!" - -## -## AnonAddy -## - -file_env 'APP_KEY' -if [ -z "$APP_KEY" ]; then - echo >&2 "ERROR: Either APP_KEY or APP_KEY_FILE must be defined" - exit 1 -fi -if [ -z "$ANONADDY_DOMAIN" ]; then - echo >&2 "ERROR: ANONADDY_DOMAIN must be defined" - exit 1 -fi -file_env 'ANONADDY_SECRET' -if [ -z "$ANONADDY_SECRET" ]; then - echo >&2 "ERROR: Either ANONADDY_SECRET or ANONADDY_SECRET_FILE must be defined" - exit 1 -fi -file_env 'PUSHER_APP_SECRET' - -echo "Creating AnonAddy env file" -cat >/var/www/anonaddy/.env < '\*',|g" /var/www/anonaddy/config/trustedproxy.php - -## -## RSPAMD -## - -if [[ "$RSPAMD_ENABLE" = "true" && ("$DKIM_ENABLE" = "true" || "$DMARC_ENABLE" = "true") ]]; then - echo "action needed: RSPAMD_ENABLE must be mutually exclusive with DKIM_ENABLE or DMARC_ENABLE" -fi - -if [ "$RSPAMD_ENABLE" = "true" ]; then - if [ -f "$DKIM_PRIVATE_KEY" ]; then - echo "Copying DKIM private key for Rspamd" - mkdir /var/lib/rspamd/dkim - cp -f "${DKIM_PRIVATE_KEY}" "/var/lib/rspamd/dkim/${ANONADDY_DOMAIN}.default.key" - - echo "Setting Rspamd dkim_signing.conf" - cat >/etc/rspamd/local.d/dkim_signing.conf </etc/rspamd/local.d/classifier-bayes.conf </etc/rspamd/local.d/logging.inc </etc/rspamd/local.d/redis.conf </etc/rspamd/local.d/greylist.conf </etc/rspamd/local.d/history_redis.conf </etc/rspamd/local.d/groups.conf 
</etc/rspamd/local.d/worker-controller.inc </etc/opendkim/opendkim.conf </etc/opendkim/trusted.hosts </etc/opendkim/signing.table </etc/opendkim/key.table </etc/opendmarc/opendmarc.conf <>/etc/postfix/master.cf <>/etc/postfix/main.cf <>/etc/postfix/main.cf <>/etc/postfix/main.cf <>/etc/postfix/main.cf - fi - if [ -n "$POSTFIX_SMTPD_TLS_KEY_FILE" ]; then - echo "smtpd_tls_key_file=${POSTFIX_SMTPD_TLS_KEY_FILE}" >>/etc/postfix/main.cf - fi -fi - -if [ "$POSTFIX_SMTP_TLS" = "true" ]; then - echo "Setting Postfix smtp TLS configuration" - cat >>/etc/postfix/main.cf <>/etc/postfix/main.cf </etc/postfix/sasl_passwd </etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf </etc/postfix/mysql-recipient-access.cf <&2 "ERROR: Rspamd and OpenDKIM/OpenDMARC are mutually exclusive" + exit 1 +fi + +echo "Setting timezone to ${TZ}..." +ln -snf /usr/share/zoneinfo/${TZ} /etc/localtime +echo ${TZ} >/etc/timezone + +echo "Initializing files and folders" +cp -Rf /var/www/anonaddy/storage /data +rm -rf /var/www/anonaddy/storage +ln -sf /data/storage /var/www/anonaddy/storage +chown -h anonaddy. /var/www/anonaddy/storage +chown -R anonaddy. /data/storage +mkdir -p /data/.gnupg +ln -sf /data/.gnupg /var/www/anonaddy/.gnupg +chown -h anonaddy. /var/www/anonaddy/.gnupg +chown -R anonaddy. /data/.gnupg +chmod 700 /data/.gnupg + +echo "Checking database connection..." +if [ -z "$DB_HOST" ]; then + echo >&2 "ERROR: DB_HOST must be defined" + exit 1 +fi +if [ -z "$DB_PASSWORD" ]; then + echo >&2 "ERROR: Either DB_PASSWORD or DB_PASSWORD_FILE must be defined" + exit 1 +fi +dbcmd="mysql -h ${DB_HOST} -P ${DB_PORT} -u "${DB_USERNAME}" "-p${DB_PASSWORD}"" + +echo "Waiting ${DB_TIMEOUT}s for database to be ready..." +counter=1 +while ! ${dbcmd} -e "show databases;" >/dev/null 2>&1; do + sleep 1 + counter=$((counter + 1)) + if [ ${counter} -gt ${DB_TIMEOUT} ]; then + echo >&2 "ERROR: Failed to connect to database on $DB_HOST" + exit 1 + fi +done +echo "Database ready!" 
diff --git a/rootfs/etc/cont-init.d/11-config-php.sh b/rootfs/etc/cont-init.d/11-config-php.sh
new file mode 100755
index 0000000..a7e54cc
--- /dev/null
+++ b/rootfs/etc/cont-init.d/11-config-php.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+. $(dirname $0)/00-env
+
+echo "Init PHP extensions"
+cp -Rf /tpls/etc/php8/conf.d /etc/php8
+
+echo "Setting PHP-FPM configuration"
+sed -e "s/@MEMORY_LIMIT@/$MEMORY_LIMIT/g" \
+ -e "s/@UPLOAD_MAX_SIZE@/$UPLOAD_MAX_SIZE/g" \
+ -e "s/@CLEAR_ENV@/$CLEAR_ENV/g" \
+ /tpls/etc/php8/php-fpm.d/www.conf >/etc/php8/php-fpm.d/www.conf
+
+echo "Setting PHP INI configuration"
+sed -i "s|memory_limit.*|memory_limit = ${MEMORY_LIMIT}|g" /etc/php8/php.ini
+sed -i "s|;date\.timezone.*|date\.timezone = ${TZ}|g" /etc/php8/php.ini
+
+echo "Setting OpCache configuration"
+sed -e "s/@OPCACHE_MEM_SIZE@/$OPCACHE_MEM_SIZE/g" \
+ /tpls/etc/php8/conf.d/opcache.ini >/etc/php8/conf.d/opcache.ini
diff --git a/rootfs/etc/cont-init.d/12-config-nginx.sh b/rootfs/etc/cont-init.d/12-config-nginx.sh
new file mode 100755
index 0000000..4ecdc17
--- /dev/null
+++ b/rootfs/etc/cont-init.d/12-config-nginx.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+. $(dirname $0)/00-env
+
+echo "Setting Nginx configuration"
+sed -e "s#@UPLOAD_MAX_SIZE@#$UPLOAD_MAX_SIZE#g" \
+ -e "s#@REAL_IP_FROM@#$REAL_IP_FROM#g" \
+ -e "s#@REAL_IP_HEADER@#$REAL_IP_HEADER#g" \
+ -e "s#@LOG_IP_VAR@#$LOG_IP_VAR#g" \
+ /tpls/etc/nginx/nginx.conf >/etc/nginx/nginx.conf
+
+if [ "$LISTEN_IPV6" != "true" ]; then
+ sed -e '/listen \[::\]:/d' -i /etc/nginx/nginx.conf
+fi
diff --git a/rootfs/etc/cont-init.d/13-config-anonaddy.sh b/rootfs/etc/cont-init.d/13-config-anonaddy.sh
new file mode 100755
index 0000000..8b107b0
--- /dev/null
+++ b/rootfs/etc/cont-init.d/13-config-anonaddy.sh
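Review bot: `. $(dirname $0)/00-env` on the fourth line leaves both the command substitution and `$0` unquoted, which the `# shellcheck shell=bash` directive two lines above will have shellcheck report (SC2046/SC2086); the identical line opens 12-config-nginx.sh, 13-config-anonaddy.sh, 14-config-rspamd.sh and 15-config-opendkim.sh in this commit. It is harmless for the fixed `/etc/cont-init.d` path, but since every stage script now depends on it, `. "$(dirname "$0")/00-env"` costs nothing and keeps the lint clean. A one-line header comment on each script, `# 00-env supplies the defaults and the *_FILE secret handling; it must be sourced before anything below`, would tell the next reader why the split scripts no longer validate their own inputs.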
@@ -0,0 +1,83 @@ +#!/usr/bin/with-contenv bash +# shellcheck shell=bash + +. $(dirname $0)/00-env + +if [ -z "$APP_KEY" ]; then + echo >&2 "ERROR: Either APP_KEY or APP_KEY_FILE must be defined" + exit 1 +fi +if [ -z "$ANONADDY_DOMAIN" ]; then + echo >&2 "ERROR: ANONADDY_DOMAIN must be defined" + exit 1 +fi + +if [ -z "$ANONADDY_SECRET" ]; then + echo >&2 "ERROR: Either ANONADDY_SECRET or ANONADDY_SECRET_FILE must be defined" + exit 1 +fi + +echo "Creating AnonAddy env file" +cat >/var/www/anonaddy/.env < '\*',|g" /var/www/anonaddy/config/trustedproxy.php diff --git a/rootfs/etc/cont-init.d/14-config-rspamd.sh b/rootfs/etc/cont-init.d/14-config-rspamd.sh new file mode 100755 index 0000000..5e033d6 --- /dev/null +++ b/rootfs/etc/cont-init.d/14-config-rspamd.sh 
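Review bot: The closing `sed -i "s|^ 'proxies'.*| 'proxies' => '\*',|g" /var/www/anonaddy/config/trustedproxy.php` tells the application to trust `X-Forwarded-*` headers from every upstream, so a client that reaches port 8000 directly can present an arbitrary `X-Forwarded-For` and have it logged and rate-limited as its own address, unless the in-container nginx overwrites that header (its template is not part of this diff). This is carried over from 03-config.sh rather than introduced here, but the split is a good moment either to narrow the trusted list to the proxy address or to document the assumption in place: `# TrustedProxy '*' accepts X-Forwarded-* from any upstream; only safe when nothing but the REAL_IP_FROM proxy can reach port 8000`. The `.env` heredoc this script writes is not visible in this extraction, so its contents are unchecked.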
@@ -0,0 +1,108 @@ +#!/usr/bin/with-contenv bash +# shellcheck shell=bash + +. $(dirname $0)/00-env + +if [ "$RSPAMD_ENABLE" != "true" ]; then + echo "INFO: Rspamd service disabled." + exit 0 +fi +if [ ! -f "$DKIM_PRIVATE_KEY" ]; then + echo "WRN: $DKIM_PRIVATE_KEY not found. Rspamd service disabled." + exit 0 +fi + +echo "Copying DKIM private key for Rspamd" +mkdir /var/lib/rspamd/dkim +cp -f "${DKIM_PRIVATE_KEY}" "/var/lib/rspamd/dkim/${ANONADDY_DOMAIN}.default.key" + +echo "Setting Rspamd dkim_signing.conf" +cat >/etc/rspamd/local.d/dkim_signing.conf </etc/rspamd/local.d/classifier-bayes.conf </etc/rspamd/local.d/logging.inc </etc/rspamd/local.d/redis.conf </etc/rspamd/local.d/greylist.conf </etc/rspamd/local.d/history_redis.conf </etc/rspamd/local.d/groups.conf </etc/rspamd/local.d/worker-controller.inc < /etc/rspamd/override.d/fuzzy_check.conf +echo "enabled = false;" > /etc/rspamd/override.d/asn.conf +echo "enabled = false;" > /etc/rspamd/override.d/metadata_exporter.conf +echo "enabled = false;" > /etc/rspamd/override.d/trie.conf +echo "enabled = false;" > /etc/rspamd/override.d/neural.conf +echo "enabled = false;" > /etc/rspamd/override.d/chartable.conf +echo "enabled = false;" > /etc/rspamd/override.d/ratelimit.conf +echo "enabled = false;" > /etc/rspamd/override.d/replies.conf diff --git a/rootfs/etc/cont-init.d/15-config-opendkim.sh b/rootfs/etc/cont-init.d/15-config-opendkim.sh new file mode 100755 index 0000000..e25b6c4 --- /dev/null +++ b/rootfs/etc/cont-init.d/15-config-opendkim.sh 
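Review bot: `mkdir /var/lib/rspamd/dkim` has no `-p` while the sibling 15-config-opendkim.sh uses `mkdir -p /var/db/dkim`, so the step errors whenever the directory already exists (cont-init.d scripts run again on every container start, and the package may ship the directory). More importantly, the `cp -f` of the DKIM private key on the next line is followed by no `chown`/`chmod`: the copy is owned by root and keeps the source key's mode bits, so it ends up either unreadable by the account the Rspamd workers run as or readable by every account in the container, inside the same process that serves a network-reachable dashboard. Use `mkdir -p`, then `chmod 0600` the copy and chown it to the Rspamd worker account (not visible here). Most of the generated `local.d` heredocs are missing from this extraction, so the key path written to dkim_signing.conf and the controller's bind address could not be checked.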
@@ -0,0 +1,63 @@ +#!/usr/bin/with-contenv bash +# shellcheck shell=bash + +. $(dirname $0)/00-env + +if [ "$DKIM_ENABLE" != "true" ]; then + echo "INFO: OpenDKIM service disabled." + exit 0 +fi +if [ ! -f "$DKIM_PRIVATE_KEY" ]; then + echo "WRN: $DKIM_PRIVATE_KEY not found. OpenDKIM service disabled." + exit 0 +fi + +echo "Copying OpenDKIM private key" +mkdir -p /var/db/dkim +cp -f "${DKIM_PRIVATE_KEY}" "/var/db/dkim/${ANONADDY_DOMAIN}.private" + +echo "Setting OpenDKIM configuration" +cat >/etc/opendkim/opendkim.conf </etc/opendkim/trusted.hosts </etc/opendkim/signing.table </etc/opendkim/key.table </etc/opendmarc/opendmarc.conf <>/etc/postfix/master.cf <>/etc/postfix/main.cf <>/etc/postfix/main.cf <>/etc/postfix/main.cf <>/etc/postfix/main.cf + fi + if [ -n "$POSTFIX_SMTPD_TLS_KEY_FILE" ]; then + echo "smtpd_tls_key_file=${POSTFIX_SMTPD_TLS_KEY_FILE}" >>/etc/postfix/main.cf + fi +fi + +if [ "$POSTFIX_SMTP_TLS" = "true" ]; then + echo "Setting Postfix smtp TLS configuration" + cat >>/etc/postfix/main.cf <>/etc/postfix/main.cf </etc/postfix/sasl_passwd </etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf </etc/postfix/mysql-recipient-access.cf < Date: Wed, 19 Jan 2022 09:28:22 -0800 Subject: [PATCH 03/19] nginx example for ssl proxying (#99) * add an example of how to wire up nginx as an ssl proxy for both anonaddy and rspamd * don't unnecessarily expose ports --- examples/nginx/README.md | 21 ++++++ examples/nginx/anonaddy.env | 37 +++++++++++ examples/nginx/docker-compose.yml | 58 +++++++++++++++++ .../nginx/templates/default.conf.template | 64 +++++++++++++++++++ .../nginx/templates/mta-sts.conf.template | 34 ++++++++++ 5 files changed, 214 insertions(+) create mode 100644 examples/nginx/README.md create mode 100644 examples/nginx/anonaddy.env create mode 100644 examples/nginx/docker-compose.yml create mode 100644 examples/nginx/nginx/templates/default.conf.template create mode 100644 examples/nginx/nginx/templates/mta-sts.conf.template 
diff --git a/examples/nginx/README.md b/examples/nginx/README.md new file mode 100644 index 0000000..d92e0d5 --- /dev/null +++ b/examples/nginx/README.md @@ -0,0 +1,21 @@ +# Prequisites + +read [self-hosting docs](https://anonaddy.com/self-hosting/) + +## Let's Encrypt + +generate your certificates and make note of where they are stored. if you use certbot, they are generally in `/etc/letsencrypt/live` + +## Generate strong dhparam + +```sh +sudo openssl dhparam -out dhparam.pem 4096 +``` + +## Configure mounts for nginx + +the `docker-compose.yml` may need some adjusting to properly mount your specific let's encrypt and dhparam certs + +## Rspamd web ui + +this nginx configuration supports rspamd web ui out of the box. if you choose to not run rspamd, make sure to remove the `RSPAMD_ENABLE` variable in `anonaddy.env` and remove the proxy block in `nginx/templates/default.conf.template` diff --git a/examples/nginx/anonaddy.env b/examples/nginx/anonaddy.env new file mode 100644 index 0000000..cfeb044 --- /dev/null +++ b/examples/nginx/anonaddy.env @@ -0,0 +1,37 @@ +TZ=Europe/Paris +PUID=1000 +PGID=1000 + +MEMORY_LIMIT=256M +UPLOAD_MAX_SIZE=16M +OPCACHE_MEM_SIZE=128 +REAL_IP_FROM=0.0.0.0/32 +REAL_IP_HEADER=X-Forwarded-For +LOG_IP_VAR=remote_addr + +APP_KEY=base64:KJ1LX0w15ItOoMWdC+DNW2Bt0Z4sT98zu0XQ8Zfaf9o= +APP_DEBUG=false +APP_URL=http://127.0.0.1:8000 + +ANONADDY_RETURN_PATH=bounces@example.com +ANONADDY_ADMIN_USERNAME=anonaddy +ANONADDY_ENABLE_REGISTRATION=true +ANONADDY_DOMAIN=example.com +ANONADDY_ALL_DOMAINS=example.com +ANONADDY_HOSTNAME=mail.example.com +ANONADDY_DNS_RESOLVER=127.0.0.1 +ANONADDY_SECRET=lksjflk2u3j4oij2elkru23oi4uj2lkjflsakfjoi23u4 +ANONADDY_LIMIT=200 +ANONADDY_BANDWIDTH_LIMIT=104857600 +ANONADDY_NEW_ALIAS_LIMIT=10 +ANONADDY_ADDITIONAL_USERNAME_LIMIT=3 + +MAIL_FROM_NAME=AnonAddy +MAIL_FROM_ADDRESS=anonaddy@example.com + +POSTFIX_DEBUG=false +POSTFIX_SMTPD_TLS=false +POSTFIX_SMTP_TLS=false + +RSPAMD_ENABLE=true +RSPAMD_WEB_PASSWORD=abc 
diff --git a/examples/nginx/docker-compose.yml b/examples/nginx/docker-compose.yml new file mode 100644 index 0000000..e616edc --- /dev/null +++ b/examples/nginx/docker-compose.yml @@ -0,0 +1,58 @@ +version: "3.5" + +services: + db: + image: mariadb:10.5 + container_name: anonaddy_db + command: + - "mysqld" + - "--character-set-server=utf8mb4" + - "--collation-server=utf8mb4_unicode_ci" + volumes: + - "./db:/var/lib/mysql" + environment: + - "MYSQL_ALLOW_EMPTY_PASSWORD=yes" + - "MYSQL_DATABASE" + - "MYSQL_USER" + - "MYSQL_PASSWORD" + restart: always + + redis: + image: redis:4.0-alpine + container_name: anonaddy_redis + restart: always + + anonaddy: + image: anonaddy/anonaddy:latest + container_name: anonaddy + depends_on: + - db + - redis + ports: + - target: 25 + published: 25 + protocol: tcp + volumes: + - "./data:/data" + env_file: + - "./anonaddy.env" + environment: + - "DB_HOST=db" + - "DB_DATABASE=${MYSQL_DATABASE}" + - "DB_USERNAME=${MYSQL_USER}" + - "DB_PASSWORD=${MYSQL_PASSWORD}" + - "REDIS_HOST=redis" + restart: always + + nginx: + image: nginx:1.20.1-alpine + container_name: anonaddy_nginx + restart: unless-stopped + ports: + - '443:443' + volumes: + - /etc/ssl/dhparam.pem:/etc/ssl/dhparam.pem + - ./nginx/templates:/etc/nginx/templates + - /etc/letsencrypt:/etc/letsencrypt + depends_on: + - anonaddy diff --git a/examples/nginx/nginx/templates/default.conf.template b/examples/nginx/nginx/templates/default.conf.template new file mode 100644 index 0000000..ce59f68 --- /dev/null +++ b/examples/nginx/nginx/templates/default.conf.template 
@@ -0,0 +1,64 @@ +server { + listen 80; + listen [::]:80; + + server_name example.com; + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name example.com; + server_tokens off; + + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'"; + add_header Referrer-Policy "origin-when-cross-origin"; + add_header Expect-CT "enforce, max-age=604800"; + + charset utf-8; + + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem; + + ssl_prefer_server_ciphers on; + ssl_session_timeout 5m; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_stapling on; + ssl_stapling_verify on; + ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; + ssl_ecdh_curve secp384r1; + ssl_session_cache shared:SSL:20m; + ssl_session_tickets off; + ssl_dhparam /etc/ssl/dhparam.pem; + + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + + location /rspamd { + proxy_pass http://anonaddy:11334; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location / { + proxy_pass http://anonaddy:8000; + + proxy_redirect off; + proxy_set_header Host $host; + 
proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 90s; + } +} diff --git a/examples/nginx/nginx/templates/mta-sts.conf.template b/examples/nginx/nginx/templates/mta-sts.conf.template new file mode 100644 index 0000000..e7649a5 --- /dev/null +++ b/examples/nginx/nginx/templates/mta-sts.conf.template @@ -0,0 +1,34 @@ +server { + listen 443 ssl; + server_name mta-sts.example.com; + error_log /var/log/nginx/error.log; + access_log /var/log/nginx/access.log; + + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem; + + ssl_prefer_server_ciphers On; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; + ssl_session_cache shared:SSL:20m; + ssl_session_timeout 10m; + add_header Strict-Transport-Security "max-age=31536000"; + + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + + location ^~ /.well-known/mta-sts.txt { + try_files $uri @mta-sts; + } + + location @mta-sts { + return 200 "version: STSv1 +mode: enforce +max_age: 86400 +mx: example.com +mx: example.com\n"; + } +} From a6d37813843fd64f8aa1f21a0472850825d4c351 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Wed, 19 Jan 2022 18:32:57 +0100 Subject: [PATCH 04/19] Update CODEOWNERS --- .github/CODEOWNERS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index f7b8e1d..50fb7b4 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1,2 @@ -* @crazy-max +* @crazy-max +examples/nginx/ @eleith From 5611b9ca0fe75189d3d785774b184fb96b164ea1 Mon Sep 17 00:00:00 2001 
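Review bot: `location /rspamd` exposes the Rspamd controller — an administrative interface — on the public HTTPS vhost with nothing in front of it but the controller password from `anonaddy.env` (`abc` in this example). Restrict that block to administrator addresses, e.g. `allow <ADMIN_CIDR>; deny all;` ahead of the `proxy_pass`, or put HTTP basic auth on it. Because `proxy_pass http://anonaddy:11334;` carries no URI part, nginx forwards the `/rspamd/...` path unchanged; if the controller expects to be served from `/`, use `location /rspamd/ { proxy_pass http://anonaddy:11334/; }` so the prefix is stripped. Also, nginx does not inherit `add_header` into a block that declares its own, so `location = /robots.txt` (which adds `Content-Type`) silently drops every security header set at `server` level; use `default_type text/plain;` there instead, or move the header set into an `include`d snippet repeated in each location.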
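Review bot: The MTA-STS vhost weakens the TLS policy of its sibling template: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` re-enables TLS 1.0/1.1 and the cipher string admits 3DES, while `default.conf.template` allows only `TLSv1.2 TLSv1.3` with an AEAD-only list; use `ssl_protocols TLSv1.2 TLSv1.3;` and the same `ssl_ciphers` here. The policy body lists `mx: example.com` twice, and one of them is presumably meant to be the real MX host (`mail.example.com` in `anonaddy.env`); `max_age: 86400` is also a very short cache for a `mode: enforce` policy. RFC 8461 requires the policy to be served as `text/plain`, but the `@mta-sts` location relies on the base `default_type`, which the stock nginx image sets to `application/octet-stream`; add `default_type text/plain;` inside `location @mta-sts`.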
From: CrazyMax Date: Wed, 19 Jan 2022 18:31:13 +0100 Subject: [PATCH 05/19] Small typo and lint --- examples/nginx/README.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/examples/nginx/README.md b/examples/nginx/README.md index d92e0d5..373e36f 100644 --- a/examples/nginx/README.md +++ b/examples/nginx/README.md @@ -1,10 +1,11 @@ -# Prequisites +# Prerequisites -read [self-hosting docs](https://anonaddy.com/self-hosting/) +Read [self-hosting docs](https://anonaddy.com/self-hosting/) ## Let's Encrypt -generate your certificates and make note of where they are stored. if you use certbot, they are generally in `/etc/letsencrypt/live` +Generate your certificates and make note of where they are stored. if you use +certbot, they are generally in `/etc/letsencrypt/live`. ## Generate strong dhparam @@ -14,8 +15,11 @@ sudo openssl dhparam -out dhparam.pem 4096 ## Configure mounts for nginx -the `docker-compose.yml` may need some adjusting to properly mount your specific let's encrypt and dhparam certs +The `docker-compose.yml` may need some adjusting to properly mount your +specific let's encrypt and dhparam certs. ## Rspamd web ui -this nginx configuration supports rspamd web ui out of the box. if you choose to not run rspamd, make sure to remove the `RSPAMD_ENABLE` variable in `anonaddy.env` and remove the proxy block in `nginx/templates/default.conf.template` +This nginx configuration supports rspamd web ui out of the box. if you choose +to not run rspamd, make sure to remove the `RSPAMD_ENABLE` variable in +`anonaddy.env` and remove the proxy block in `nginx/templates/default.conf.template`. From 6f5d003884be059018d841151e5d2a862229dd67 Mon Sep 17 00:00:00 2001 From: eleith Date: Wed, 19 Jan 2022 14:50:54 -0800 Subject: [PATCH 06/19] align with anonaddy self hosting docs and generate dkim using rspamd (#100) --- README.md | 12 ++++++++---- rootfs/usr/local/bin/gen-dkim | 9 ++++++--- 2 files changed, 14 insertions(+), 7 deletions(-) 
diff --git a/README.md b/README.md index 4cf8f57..920a59f 100644 --- a/README.md +++ b/README.md @@ -255,11 +255,15 @@ docker-compose exec anonaddy anonaddy anonaddy:create-user "username" "webmaster ```shell docker-compose run --entrypoint '' anonaddy gen-dkim ``` + ```text -opendkim-genkey: generating private key -opendkim-genkey: private key written to example.com.private -opendkim-genkey: extracting public key -opendkim-genkey: DNS TXT record written to example.com.txt +generating private and storing in data/dkim/example.com.private +generating DNS TXT record with public key and storing it in data/dkim/example.com.txt + +default._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=***" + "***" +) ; ``` The keypair will be available in `/data/dkim`. diff --git a/rootfs/usr/local/bin/gen-dkim b/rootfs/usr/local/bin/gen-dkim index 982a86c..9fc0c38 100755 --- a/rootfs/usr/local/bin/gen-dkim +++ b/rootfs/usr/local/bin/gen-dkim @@ -4,14 +4,17 @@ DKIM_PRIVATE_KEY=/data/dkim/${ANONADDY_DOMAIN}.private if [ -z "$ANONADDY_DOMAIN" ]; then - >&2 echo "ERROR: ANONADDY_DOMAIN must be defined" + echo >&2 "ERROR: ANONADDY_DOMAIN must be defined" exit 1 fi if [ -f "$DKIM_PRIVATE_KEY" ]; then - >&2 echo "ERROR: $DKIM_PRIVATE_KEY already exists" + echo >&2 "ERROR: $DKIM_PRIVATE_KEY already exists" exit 1 fi mkdir -p /data/dkim -opendkim-genkey -b 2048 -d "${ANONADDY_DOMAIN}" -D /data/dkim -s "${ANONADDY_DOMAIN}" -v +echo "generating private and storing in ${DKIM_PRIVATE_KEY}" +echo "generating DNS TXT record with public key and storing it in /data/dkim/${ANONADDY_DOMAIN}.txt" +echo "" +rspamadm dkim_keygen -s 'default' -b 2048 -d "${ANONADDY_DOMAIN}" -k "${DKIM_PRIVATE_KEY}" | tee -a "/data/dkim/${ANONADDY_DOMAIN}.txt" chown -R anonaddy. /data/dkim From 004bcd9000f7ad3c0868c0eb23a7e12f1136cfd2 Mon Sep 17 00:00:00 2001 
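Review bot: `tee -a` appends, so when a user removes `${ANONADDY_DOMAIN}.private` to rotate the key and re-runs the script, the new record is appended under the stale one in `/data/dkim/${ANONADDY_DOMAIN}.txt`; use `tee` without `-a`, since the existing private-key check already prevents accidental overwrite. The pipeline also masks a failing `rspamadm dkim_keygen` — the script's status is `tee`'s — so add `set -o pipefail` near the top of the script (outside this hunk) or test the command's status before `chown`. The first echo reads "generating private and storing in"; make it `echo "generating private key and storing it in ${DKIM_PRIVATE_KEY}"` (the README snippet in the same patch quotes the same wording). If the key file is not meant to be group/world-readable, add `chmod 600 "${DKIM_PRIVATE_KEY}"` before the `chown -R`, since the hunk does not set a mode.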
From: CrazyMax Date: Thu, 20 Jan 2022 00:13:20 +0100 Subject: [PATCH 07/19] AnonAddy 0.8.10 (#101) Co-authored-by: CrazyMax --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c85f08e..e0eda24 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG ANONADDY_VERSION=0.8.9 +ARG ANONADDY_VERSION=0.8.10 FROM crazymax/yasu:latest AS yasu FROM crazymax/alpine-s6:3.15-2.2.0.3 From 7a60736d35dbd00d63fba407a65e7c56a167f6eb Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Thu, 20 Jan 2022 00:22:32 +0100 Subject: [PATCH 08/19] Update CHANGELOG --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e71130a..b077756 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## 0.8.10-r0 (2022/01/20) + +* AnonAddy 0.8.10 (#101) +* Nginx example for SSL proxying (#99) +* Split configuration (#98) +* Support Rspamd (#96 #100) + ## 0.8.9-r1 (2022/01/11) * Alpine Linux 3.15 (#95) From 9ac89c4156993cffac167558f115ba15570d1fd9 Mon Sep 17 00:00:00 2001 From: eleith Date: Fri, 4 Feb 2022 16:06:44 -0800 Subject: [PATCH 09/19] AnonAddy 0.9.0 (#106) Also update rspamd configuration according to new requirements --- Dockerfile | 2 +- rootfs/etc/cont-init.d/14-config-rspamd.sh | 34 ++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index e0eda24..6592b31 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG ANONADDY_VERSION=0.8.10 +ARG ANONADDY_VERSION=0.9.0 FROM crazymax/yasu:latest AS yasu FROM crazymax/alpine-s6:3.15-2.2.0.3 diff --git a/rootfs/etc/cont-init.d/14-config-rspamd.sh b/rootfs/etc/cont-init.d/14-config-rspamd.sh index 5e033d6..2781ae1 100755 --- a/rootfs/etc/cont-init.d/14-config-rspamd.sh +++ b/rootfs/etc/cont-init.d/14-config-rspamd.sh 
@@ -97,6 +97,40 @@ enable_password = "${RSPAMD_WEB_PASSWORD}"; EOL fi +echo "Setting Rspamd dmarc.conf" +cat >/etc/rspamd/local.d/dmarc.conf </etc/rspamd/local.d/milter_headers.conf < /etc/rspamd/override.d/fuzzy_check.conf echo "enabled = false;" > /etc/rspamd/override.d/asn.conf From 0d508d7ce728209cbc290a31674f20b2fd0fccbb Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 5 Feb 2022 01:07:44 +0100 Subject: [PATCH 10/19] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b077756..44039f5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 0.9.0-r0 (2022/02/05) + +* AnonAddy 0.9.0 (#106) + ## 0.8.10-r0 (2022/01/20) * AnonAddy 0.8.10 (#101) From 6fd7ade0417f90285f3eb895f9d6dcd8011e30b3 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Thu, 10 Feb 2022 17:48:35 +0100 Subject: [PATCH 11/19] AnonAddy 0.9.1 (#109) Co-authored-by: CrazyMax --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 6592b31..9df87ad 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG ANONADDY_VERSION=0.9.0 +ARG ANONADDY_VERSION=0.9.1 FROM crazymax/yasu:latest AS yasu FROM crazymax/alpine-s6:3.15-2.2.0.3 From 427058c4b792ce79ac3fef606e7fb9b87a5c6c1e Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Thu, 10 Feb 2022 17:49:55 +0100 Subject: [PATCH 12/19] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 44039f5..f7bb073 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 0.9.1-r0 (2022/02/10) + +* AnonAddy 0.9.1 (#109) + ## 0.9.0-r0 (2022/02/05) * AnonAddy 0.9.0 (#106) From 76f8ee40dd239881d8383d611f2921b94a5ce97e Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sun, 20 Feb 2022 01:40:40 +0100 Subject: [PATCH 13/19] AnonAddy 0.10.0 (#112) Co-authored-by: CrazyMax --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Dockerfile b/Dockerfile index 9df87ad..903e149 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG ANONADDY_VERSION=0.9.1 +ARG ANONADDY_VERSION=0.10.0 FROM crazymax/yasu:latest AS yasu FROM crazymax/alpine-s6:3.15-2.2.0.3 From c26c63a6b70a33814ec6e96d57f52642ba1d1c6c Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sun, 20 Feb 2022 01:41:23 +0100 Subject: [PATCH 14/19] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f7bb073..d774919 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 0.10.0-r0 (2022/02/20) + +* AnonAddy 0.10.0 (#112) + ## 0.9.1-r0 (2022/02/10) * AnonAddy 0.9.1 (#109) From 9bd0db01e4e64d9639525f0928fd40de42ad11ca Mon Sep 17 00:00:00 2001 From: Will Browning <20662079+willbrowningme@users.noreply.github.com> Date: Thu, 24 Feb 2022 10:20:59 +0000 Subject: [PATCH 15/19] Closes #113 Added required Rspamd `milter_headers.conf` changes for [v0.10.0](https://github.com/anonaddy/anonaddy/releases/tag/v0.10.0) --- rootfs/etc/cont-init.d/14-config-rspamd.sh | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/rootfs/etc/cont-init.d/14-config-rspamd.sh b/rootfs/etc/cont-init.d/14-config-rspamd.sh index 2781ae1..1b4d9ae 100755 --- a/rootfs/etc/cont-init.d/14-config-rspamd.sh +++ b/rootfs/etc/cont-init.d/14-config-rspamd.sh @@ -107,7 +107,7 @@ EOL echo "Setting Rspamd milter_headers.conf" cat >/etc/rspamd/local.d/milter_headers.conf < Date: Thu, 24 Feb 2022 11:37:49 +0100 Subject: [PATCH 16/19] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d774919..8027f03 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 0.10.0-r1 (2022/02/24) + +* Fix Rspamd config (#113) + ## 0.10.0-r0 (2022/02/20) * AnonAddy 0.10.0 (#112) From 14b584f46a3698056a645f6c55ccc9cc4add6e7c Mon Sep 17 00:00:00 2001 
From: CrazyMax Date: Sun, 27 Feb 2022 02:40:12 +0100 Subject: [PATCH 17/19] AnonAddy 0.10.1 (#115) Co-authored-by: CrazyMax --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 903e149..1c4b133 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG ANONADDY_VERSION=0.10.0 +ARG ANONADDY_VERSION=0.10.1 FROM crazymax/yasu:latest AS yasu FROM crazymax/alpine-s6:3.15-2.2.0.3 From 7aa003ad1d61b634288695285dedfce4bc773294 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sun, 27 Feb 2022 03:32:01 +0100 Subject: [PATCH 18/19] Drop support for OpenDKIM/OpenDMARC (#116) * Drop support for OpenDKIM/OpenDMARC * Test Rspamd service Co-authored-by: CrazyMax --- .github/workflows/test.yml | 9 +++ Dockerfile | 9 --- README.md | 24 ------- rootfs/etc/cont-init.d/00-env | 22 ++----- rootfs/etc/cont-init.d/02-fix-perms.sh | 1 - rootfs/etc/cont-init.d/10-config.sh | 4 +- rootfs/etc/cont-init.d/15-config-opendkim.sh | 63 ------------------- ...config-postfix.sh => 15-config-postfix.sh} | 0 rootfs/etc/cont-init.d/16-config-opendmarc.sh | 43 ------------- rootfs/etc/cont-init.d/60-svc-opendkim.sh | 29 --------- .../{62-svc-rspamd.sh => 60-svc-rspamd.sh} | 0 rootfs/etc/cont-init.d/61-svc-opendmarc.sh | 25 -------- .../{63-svc-postfix.sh => 61-svc-postfix.sh} | 0 13 files changed, 17 insertions(+), 212 deletions(-) delete mode 100755 rootfs/etc/cont-init.d/15-config-opendkim.sh rename rootfs/etc/cont-init.d/{17-config-postfix.sh => 15-config-postfix.sh} (100%) delete mode 100755 rootfs/etc/cont-init.d/16-config-opendmarc.sh delete mode 100755 rootfs/etc/cont-init.d/60-svc-opendkim.sh rename rootfs/etc/cont-init.d/{62-svc-rspamd.sh => 60-svc-rspamd.sh} (100%) delete mode 100755 rootfs/etc/cont-init.d/61-svc-opendmarc.sh rename rootfs/etc/cont-init.d/{63-svc-postfix.sh => 61-svc-postfix.sh} (100%) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 134013e..21ca064 100644 --- a/.github/workflows/test.yml 
+++ b/.github/workflows/test.yml @@ -54,6 +54,13 @@ jobs: -e "MYSQL_USER=anonaddy" \ -e "MYSQL_PASSWORD=anonaddy" \ mariadb:10.5 + - + name: Generate DKIM private key + run: | + docker run --rm -t --entrypoint "" \ + -e "ANONADDY_DOMAIN=example.com" \ + -v "/tmp/data:/data" \ + ${{ steps.prep.outputs.build_tag }} gen-dkim - name: Start container run: | @@ -67,6 +74,8 @@ jobs: -e "APP_KEY=base64:Gh8/RWtNfXTmB09pj6iEflt/L6oqDf9ZxXIh4I9MS7A=" \ -e "ANONADDY_DOMAIN=example.com" \ -e "ANONADDY_SECRET=0123456789abcdefghijklmnopqrstuvwxyz" \ + -e "RSPAMD_ENABLE=true" \ + -v "/tmp/data:/data" \ ${{ steps.prep.outputs.build_tag }} - name: Test run diff --git a/Dockerfile b/Dockerfile index 1c4b133..a20dac7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,11 +14,6 @@ RUN apk --update --no-cache add \ libgd \ mysql-client \ nginx \ - opendkim \ - opendkim-libs \ - opendkim-utils \ - opendmarc \ - opendmarc-libs \ openssl \ php8 \ php8-cli \ @@ -70,9 +65,6 @@ RUN apk --update --no-cache add \ php8-pear \ && ln -s /usr/bin/php8 /usr/bin/php \ && pecl8 install gnupg \ - && addgroup opendkim postfix \ - && addgroup postfix opendkim \ - && addgroup opendmarc postfix \ && apk del build-dependencies \ && rm -rf /tmp/* /var/www/* @@ -92,7 +84,6 @@ RUN apk --update --no-cache add -t build-dependencies \ && npm --version \ && addgroup -g ${PGID} anonaddy \ && adduser -D -h /var/www/anonaddy -u ${PUID} -G anonaddy -s /bin/sh -D anonaddy \ - && addgroup anonaddy opendkim \ && addgroup anonaddy mail \ && curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/bin --filename=composer \ && git clone --branch v${ANONADDY_VERSION} https://github.com/anonaddy/anonaddy . \ diff --git a/README.md b/README.md index 920a59f..dad4be7 100644 --- a/README.md +++ b/README.md @@ -29,8 +29,6 @@ ___ * [Redis](#redis) * [Mail](#mail) * [Postfix](#postfix) - * [DKIM](#dkim) - * [DMARC](#dmarc) * [RSPAMD](#rspamd) * [Volumes](#volumes) * [Ports](#ports) 
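Review bot: The two new steps turn Rspamd on (`RSPAMD_ENABLE=true`) and supply the DKIM key via `/tmp/data:/data`, but nothing in these hunks verifies that the rspamd service actually came up or that Postfix was handed the milter; the later "Test run" step is outside this hunk, so if it only probes the web endpoint the Rspamd path stays untested. A cheap assertion after the container is up is `docker exec <CONTAINER> rspamadm configtest` to validate the generated configuration, plus `docker exec <CONTAINER> postconf smtpd_milters | grep -q 11332` to confirm the wiring that 00-env derives from the key's presence.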
@@ -161,33 +159,11 @@ Image: anonaddy/anonaddy:latest * `POSTFIX_RELAYHOST_USERNAME`: Postfix SMTP Client username for relayhost authentication * `POSTFIX_RELAYHOST_PASSWORD`: Postfix SMTP Client password for relayhost authentication -### DKIM - -* `DKIM_ENABLE`: Enable OpenDKIM service. (default `false`) -* `DKIM_REPORT_ADDRESS`: Specifies the string to use in the `From:` header field for outgoing reports (default `postmaster@${ANONADDY_DOMAIN}`) - -> :warning: Rspamd and OpenDKIM/OpenDMARC services are mutually exclusive. - -> :warning: DKIM private key must be located in `/data/dkim/${ANONADDY_DOMAIN}.private`. You can generate a DKIM -> private/public keypair by following [this note](#generate-dkim-privatepublic-keypair). - -> :warning: OpenDKIM service is disabled if DKIM private key is not found - -### DMARC - -* `DMARC_ENABLE`: Enable OpenDMARC service. (default `false`) -* `DMARC_FAILURE_REPORTS`: Enables generation of failure reports when the DMARC test fails (default `false`) -* `DMARC_MILTER_DEBUG`: Sets the debug level to be requested from the milter library (default `0`) - -> :warning: Rspamd and OpenDKIM/OpenDMARC services are mutually exclusive. - ### RSPAMD * `RSPAMD_ENABLE`: Enable Rspamd service. (default `false`) * `RSPAMD_WEB_PASSWORD`: Rspamd web password (default `null`) -> :warning: Rspamd and OpenDKIM/OpenDMARC services are mutually exclusive. - > :warning: DKIM private key must be located in `/data/dkim/${ANONADDY_DOMAIN}.private`. You can generate a DKIM > private/public keypair by following [this note](#generate-dkim-privatepublic-keypair). diff --git a/rootfs/etc/cont-init.d/00-env b/rootfs/etc/cont-init.d/00-env index 580545e..435cd8e 100755 --- a/rootfs/etc/cont-init.d/00-env +++ b/rootfs/etc/cont-init.d/00-env 
@@ -82,29 +82,19 @@ POSTFIX_RELAYHOST_AUTH_ENABLE=${POSTFIX_RELAYHOST_AUTH_ENABLE:-false} POSTFIX_RELAYHOST_USERNAME=${POSTFIX_RELAYHOST_USERNAME:-null} POSTFIX_RELAYHOST_PASSWORD=${POSTFIX_RELAYHOST_PASSWORD:-null} -DKIM_ENABLE=${DKIM_ENABLE:-false} -DKIM_PRIVATE_KEY=/data/dkim/${ANONADDY_DOMAIN}.private -DKIM_REPORT_ADDRESS=${DKIM_REPORT_ADDRESS:-postmaster@${ANONADDY_DOMAIN}} - -DMARC_ENABLE=${DMARC_ENABLE:-false} -DMARC_FAILURE_REPORTS=${DMARC_FAILURE_REPORTS:-false} -DMARC_MILTER_DEBUG=${DMARC_MILTER_DEBUG:-0} - RSPAMD_ENABLE=${RSPAMD_ENABLE:-false} RSPAMD_WEB_PASSWORD=${RSPAMD_WEB_PASSWORD:-null} +DKIM_PRIVATE_KEY=/data/dkim/${ANONADDY_DOMAIN}.private + SMTPD_MILTERS="" if [ "$RSPAMD_ENABLE" = "true" ] && [ -f "$DKIM_PRIVATE_KEY" ]; then SMTPD_MILTERS="inet:127.0.0.1:11332" fi -if [ "$DKIM_ENABLE" = "true" ] && [ -f "$DKIM_PRIVATE_KEY" ]; then - if [ -n "$SMTPD_MILTERS" ]; then SMTPD_MILTERS="${SMTPD_MILTERS},"; fi - SMTPD_MILTERS="${SMTPD_MILTERS}unix:opendkim/opendkim.sock" -fi -if [ "$DMARC_ENABLE" = "true" ]; then - if [ -n "$SMTPD_MILTERS" ]; then SMTPD_MILTERS="${SMTPD_MILTERS},"; fi - SMTPD_MILTERS="${SMTPD_MILTERS}unix:opendmarc/opendmarc.sock" -fi + +# Keep them to check if users are still using an old configuration +DKIM_ENABLE=${DKIM_ENABLE:-false} +DMARC_ENABLE=${DMARC_ENABLE:-false} file_env 'APP_KEY' file_env 'DB_USERNAME' diff --git a/rootfs/etc/cont-init.d/02-fix-perms.sh b/rootfs/etc/cont-init.d/02-fix-perms.sh index ccd5c02..ec40e6d 100755 --- a/rootfs/etc/cont-init.d/02-fix-perms.sh +++ b/rootfs/etc/cont-init.d/02-fix-perms.sh @@ -4,7 +4,6 @@ echo "Fixing perms..." mkdir -p /data \ /data/dkim \ - /data/dmarc \ /var/run/nginx \ /var/run/php-fpm chown anonaddy. /data diff --git a/rootfs/etc/cont-init.d/10-config.sh b/rootfs/etc/cont-init.d/10-config.sh index a276015..fdc9fb2 100755 --- a/rootfs/etc/cont-init.d/10-config.sh +++ b/rootfs/etc/cont-init.d/10-config.sh 
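Review bot: With the OpenDKIM/OpenDMARC branches removed, the remaining condition `[ "$RSPAMD_ENABLE" = "true" ] && [ -f "$DKIM_PRIVATE_KEY" ]` is the only thing that populates `SMTPD_MILTERS`, so when the key file is missing Rspamd starts but Postfix is never told about it and signing, DKIM/DMARC verification and spam filtering are all silently off. Consider setting `SMTPD_MILTERS="inet:127.0.0.1:11332"` whenever `RSPAMD_ENABLE` is true and gating only the signing configuration on the key, or at least emit a warning from here when the key is absent. Separately, `RSPAMD_WEB_PASSWORD=${RSPAMD_WEB_PASSWORD:-null}` turns the literal string `null` into the controller password unless `14-config-rspamd.sh` special-cases it, and the hunk header of patch 09 suggests that script writes `enable_password = "${RSPAMD_WEB_PASSWORD}"` verbatim. Defaulting to an empty value and omitting `enable_password` when unset — or refusing to start the controller without one — would be safer.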
@@ -3,8 +3,8 @@ . $(dirname $0)/00-env -if [[ "$RSPAMD_ENABLE" = "true" && ("$DKIM_ENABLE" = "true" || "$DMARC_ENABLE" = "true") ]]; then - echo >&2 "ERROR: Rspamd and OpenDKIM/OpenDMARC are mutually exclusive" +if [[ "$DKIM_ENABLE" = "true" || "$DMARC_ENABLE" = "true" ]]; then + echo >&2 "ERROR: OpenDKIM/OpenDMARC are not supported anymore. Please use Rspamd instead." exit 1 fi diff --git a/rootfs/etc/cont-init.d/15-config-opendkim.sh b/rootfs/etc/cont-init.d/15-config-opendkim.sh deleted file mode 100755 index e25b6c4..0000000 --- a/rootfs/etc/cont-init.d/15-config-opendkim.sh +++ /dev/null @@ -1,63 +0,0 @@ -#!/usr/bin/with-contenv bash -# shellcheck shell=bash - -. $(dirname $0)/00-env - -if [ "$DKIM_ENABLE" != "true" ]; then - echo "INFO: OpenDKIM service disabled." - exit 0 -fi -if [ ! -f "$DKIM_PRIVATE_KEY" ]; then - echo "WRN: $DKIM_PRIVATE_KEY not found. OpenDKIM service disabled." - exit 0 -fi - -echo "Copying OpenDKIM private key" -mkdir -p /var/db/dkim -cp -f "${DKIM_PRIVATE_KEY}" "/var/db/dkim/${ANONADDY_DOMAIN}.private" - -echo "Setting OpenDKIM configuration" -cat >/etc/opendkim/opendkim.conf </etc/opendkim/trusted.hosts </etc/opendkim/signing.table </etc/opendkim/key.table </etc/opendmarc/opendmarc.conf < /etc/services.d/opendkim/run < /etc/services.d/opendmarc/run < Date: Sun, 27 Feb 2022 05:32:39 +0100 Subject: [PATCH 19/19] Update CHANGELOG --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8027f03..3410ec8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## 0.10.1-r0 (2022/02/27) + +* AnonAddy 0.10.1 (#115) +* Drop support for OpenDKIM/OpenDMARC (#116) + ## 0.10.0-r1 (2022/02/24) * Fix Rspamd config (#113)