Also show errors above input fields for password reset

Remove superflous quote in html
Show form errors on the top during user activation
2017-03-20 16:50:31 +01:00 · 2017-03-20 16:43:36 +01:00 · 2017-03-20 15:57:02 +01:00 · 2017-03-20 15:26:31 +01:00 · 2017-03-20 14:27:47 +01:00 · 2017-03-20 14:27:39 +01:00
126 changed files with 9576 additions and 2307 deletions
@@ -744,3 +744,64 @@
 * Improve DNS notifications for email
 * Do not enable HSTS for subdomains

+[0.100.1]
+* Fix crash when fetching mail records
+* Fix crash in LDAP server when username and displayName are empty
+
+[0.101.0]
+* New base image 0.10.0
+* Better error handling of unpurchase errors
+* Validate that cloudron domain name is a subdomain of public suffic list
+* Add canada and london to S3 backup regions
+* Bundle Font Awesome as part of webadmin
+* Fix crash in custom certiicate validation
+* Get A+ rating in SSL Check
+* More robust detection and injection of SPF record
+* Add azure, lightsail, linode, ovh, vultr to provider list
+
+[0.102.0]
+* Fix issue where SPF record check was only done 5 times (updated 'async')
+* Make auto-generated self-signed cert load quickly on Firefox
+* Ensure we download docker images and have an app data volume on app re-configure
+* Improve certificate renewal erorr message
+* Fix disk usage graph
+* Show Repair UI for errored apps
+
+[0.102.1]
+* Add terms link when signing up for Cloudron.io account
+* Fix issue where Cloudrons with many apps (> 35) were unable to backup
+* Improve wording of DNS Setup
+
+[0.103.0]
+* Do not send crash logs and other notifications to support@cloudron.io for self-hosted instances
+* Make auto-generated self-signed cert load quickly on Firefox (take 2)
+
+[0.104.0]
+* (mail) Fix crash when sending mails to groups with just 1 user
+* (ldap) Add isadmin attribute to better map users in apps
+* (ldap) Hide users which have not yet set a username in ldap searches
+* (core) Add SSH authorized_keys management
+* (core) Add additional security related headers to the nginx reverse proxy
+* (ui) Add remote SSH support option
+* (ui) Fix eventlog display
+* (ui) Fix CNAME setup information
+
+[0.105.0]
+* Always show email related checks
+* Show outbound SMTP port 25 status
+* Hide remote feature for normal users
+* Only list users via ldap searches who have access to the app
+* Fix installation issue on servers with a differente locale set
+
+[0.105.1]
+* Fix crash when setupToken is not provided in activate API
+* Add inline Docker GPG key
+* Re-download icon when repairing app
+* Fix issue where pre-installed apps were not installed correctly
+* Fix issue where new cloudrons could not be activated
+
+[0.106.0]
+* (mail) Fix email forwarding to external domains
+* (mail) Set maximum email size to 25MB
+* Remove SimpleAuth addon
+
@@ -69,7 +69,7 @@ if [[ ! -f "${ssh_keys}" ]]; then
 fi

 if [[ -z "${image_id}" ]]; then
-    echo "--region is required"
+    echo "--region is required (us-east-1 or eu-central-1)"
    exit 1
 fi

@@ -141,7 +141,7 @@ while true; do
 done

 echo "=> Running cloudron-setup"
-$SSH ubuntu@${server_ip} sudo /bin/bash "cloudron-setup" --env "${deploy_env}" --provider "ec2" --skip-reboot
+$SSH ubuntu@${server_ip} sudo /bin/bash "cloudron-setup" --env "${deploy_env}" --provider "ami" --skip-reboot

 wait_for_ssh

@@ -31,7 +31,7 @@ function create_droplet() {

    local image_region="sfo1"
    local ubuntu_image_slug="ubuntu-16-04-x64"
-    local box_size="512mb"
+    local box_size="1gb"

    local data="{\"name\":\"${box_name}\",\"size\":\"${box_size}\",\"region\":\"${image_region}\",\"image\":\"${ubuntu_image_slug}\",\"ssh_keys\":[ \"${ssh_key_id}\" ],\"backups\":false}"

@@ -52,7 +52,38 @@ apt-get install -y python   # Install python which is required for npm rebuild

 # https://docs.docker.com/engine/installation/linux/ubuntulinux/
 echo "==> Installing Docker"
-apt-key adv --keyserver hkp://ha.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
+docker_key="-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o
+ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R
+mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn
+TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK
+dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT
+X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG
+HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c
+NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ
+hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U
+65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM
+zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB
+tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv
+Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n
+Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I
+1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl
+uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv
+0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8
+L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD
+YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR
+7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc
+jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP
+HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL
+MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ
+TvBR8Q==
+=Fm3p
+-----END PGP PUBLIC KEY BLOCK-----
+"
+echo "$docker_key" | apt-key add -
 echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" > /etc/apt/sources.list.d/docker.list
 apt-get -y update

@@ -13,8 +13,7 @@ var appHealthMonitor = require('./src/apphealthmonitor.js'),
    async = require('async'),
    config = require('./src/config.js'),
    ldap = require('./src/ldap.js'),
-    server = require('./src/server.js'),
-    simpleauth = require('./src/simpleauth.js');
+    server = require('./src/server.js');

 console.log();
 console.log('==========================================');
@@ -33,7 +32,6 @@ console.log();
 async.series([
    server.start,
    ldap.start,
-    simpleauth.start,
    appHealthMonitor.start,
 ], function (error) {
    if (error) {
@@ -48,13 +46,11 @@ var NOOP_CALLBACK = function () { };
 process.on('SIGINT', function () {
    server.stop(NOOP_CALLBACK);
    ldap.stop(NOOP_CALLBACK);
-    simpleauth.stop(NOOP_CALLBACK);
    setTimeout(process.exit.bind(process), 3000);
 });

 process.on('SIGTERM', function () {
    server.stop(NOOP_CALLBACK);
    ldap.stop(NOOP_CALLBACK);
-    simpleauth.stop(NOOP_CALLBACK);
    setTimeout(process.exit.bind(process), 3000);
 });
@@ -318,67 +318,3 @@ cloudron exec
 > swaks --server "${MAIL_SMTP_SERVER}" -p "${MAIL_SMTP_PORT}" --from "${MAIL_SMTP_USERNAME}@${MAIL_DOMAIN}" --body "Test mail from cloudron app at $(hostname -f)" --auth-user "${MAIL_SMTP_USERNAME}" --auth-password "${MAIL_SMTP_PASSWORD}"
 ```

-## simpleauth
-
-Simple Auth can be used for authenticating users with a HTTP request. This method of authentication is targeted
-at applications, which for whatever reason can't use the ldap addon.
-The response contains an `accessToken` which can then be used to access the [Cloudron API](/references/api.html).
-
-Exported environment variables:
-```
-SIMPLE_AUTH_SERVER=    # the simple auth HTTP server
-SIMPLE_AUTH_PORT=      # the simple auth server port
-SIMPLE_AUTH_URL=       # the simple auth server URL. same as "http://SIMPLE_AUTH_SERVER:SIMPLE_AUTH_PORT
-SIMPLE_AUTH_CLIENT_ID  # a client id for identifying the request originator with the auth server
-```
-
-This addons provides two REST APIs:
-
-**POST /api/v1/login**
-
-Request JSON body:
-```
-{
-  "username": "<username> or <email>",
-  "password": "<password>"
-}
-```
-
-Response 200 with JSON body:
-```
-{
-  "accessToken": "<accessToken>",
-  "user": {
-    "id": "<userId>",
-    "username": "<username>",
-    "email": "<email>",
-    "admin": <admin boolean>,
-    "displayName": "<display name>"
-  }
-}
-```
-
-**GET /api/v1/logout**
-
-Request params:
-```
-?access_token=<accessToken>
-```
-
-Response 200 with JSON body:
-```
-{}
-```
-
-For debugging, [cloudron exec](https://www.npmjs.com/package/cloudron) can be used to run the `curl` tool within the context of the app:
-```
-cloudron exec
-
-> USERNAME=<enter username>
-
-> PASSWORD=<enter password>
-
-> PAYLOAD="{\"clientId\":\"${SIMPLE_AUTH_CLIENT_ID}\", \"username\":\"${USERNAME}\", \"password\":\"${PASSWORD}\"}"
-
-> curl -H "Content-Type: application/json" -X POST -d "${PAYLOAD}" "${SIMPLE_AUTH_ORIGIN}/api/v1/login"
-```
@@ -62,7 +62,7 @@ curl -H "Content-Type: application/json" -H "Authorization: Bearer <token>" http
 ## OAuth

 OAuth authentication is meant to be used by apps. An app can get an OAuth token using the
-[oauth](addons.html#oauth) or [simpleauth](addons.html#simpleauth) addon.
+[oauth](addons.html#oauth) addon.

 Tokens obtained via OAuth have a restricted scope wherein they can only access the user's profile.
 This restriction is so that apps cannot make undesired changes to the user's Cloudron.
@@ -199,7 +199,8 @@ Response (200):
    health: <enum>,                  // health of the application
    location: <string>,              // subdomain on which app is installed
    fqdn: <string>,                  // the FQDN of this app
-    altDomain: <string>              // alternate domain from which this app can be reached
+    altDomain: <string>,             // alternate domain from which this app can be reached
+    cnameTarget: <string> || null,   // If altDomain is set, this contains the CNAME location for the app
    accessRestriction: null || {     // list of users and groups who can access this application
        users: [ ],
        groups: [ ]
@@ -209,7 +210,8 @@ Response (200):
    portBindings: {                  // mapping from application ports to public ports
    },
    iconUrl: <url>,                  // a relative url providing the icon
-    memoryLimit: <number>            // memory constraint in bytes
+    memoryLimit: <number>,           // memory constraint in bytes
+    sso: <boolean>                   // Enable single sign-on
 }
 ```

@@ -257,6 +259,8 @@ is integrated with Cloudron Authentication.

 `manifest` is the [application manifest](/references/manifest.html).

+For apps that support optional single sign-on, the `sso` field can be used to disable Cloudron authentication. By default, single sign-on is enabled.
+
 ### List apps

 GET `/api/v1/apps/:appId` <scope>admin</scope>
@@ -278,7 +282,8 @@ Response (200):
            health: <enum>,                  // health of the application
            location: <string>,              // subdomain on which app is installed
            fqdn: <string>,                  // the FQDN of this app
-            altDomain: <string>              // alternate domain from which this app can be reached
+            altDomain: <string>,             // alternate domain from which this app can be reached
+            cnameTarget: <string> || null,   // If altDomain is set, this contains the CNAME location for the app
            accessRestriction: null || {     // list of users and groups who can access this application
                users: [ ],
                groups: [ ]
@@ -449,7 +454,7 @@ POST `/api/v1/apps/:appId/configure` <scope>admin</scope>

 Re-configures an existing app with id `appId`.

-Configuring an app won't preserve existing data. Cloudron apps are written in a way to support reconfiguring
+Configuring an app preserves existing data. Cloudron apps are written in a way to support reconfiguring
 any of the parameters listed below without loss of data.

 Request:
@@ -654,6 +659,38 @@ curl -L <url> | openssl aes-256-cbc -d -pass "pass:$<backupKey>" | tar -zxf -

 ## Cloudron

+### Activate the Cloudron
+
+POST `/api/v1/cloudron/activate`
+
+Activates the Cloudron with an admin username and password.
+
+Request:
+```
+{
+    username: <string>,     // the admin username
+    password: <string>,     // the admin password
+    email: <email>          // the admin email
+}
+```
+
+Response (201):
+```
+{
+  "token": "771ee724a66aa557f95af06b4e6c27992f9230f6b1d65d5fbaa34cae9318d453",
+  "expires": 1490224113353
+}
+
+```
+
+The `token` parameter can be used to make further API calls.
+
+Curl example to activate the cloudron:
+
+```
+curl -X POST -H "Content-Type: application/json" -d '{"username": "girish", "password":"MySecret123#", "email": "girish@cloudron.io" }' https://my.cloudron.info/api/v1/cloudron/activate
+```
+
 ### Update the Cloudron

 POST `/api/v1/cloudron/update` <scope>admin</scope>
@@ -682,8 +719,9 @@ Gets information about an in-progress Cloudron update or backup.

 `update` or `backup` is `null` when there is no such activity in progress.

-```
 Response (200):
+
+```
 {
    update: null || { percent: <number>, message: <string> },
    backup: null || { percent: <number>, message: <string> }
@@ -806,7 +844,7 @@ Response (200):
 * user.remove
 * user.update

-`source` contains information on the originator of the action. For example, for user.login, this contains the IP address, the appId and the authType (ldap or simpleauth or oauth).
+`source` contains information on the originator of the action. For example, for user.login, this contains the IP address, the appId and the authType (ldap or oauth).

 `data` contains information on the event itself. For example, for user.login, this contains the userId that logged in. For app.install, it contains the manifest and location of the app that was installed.

@@ -1116,7 +1154,7 @@ POST `/api/v1/settings/mail_config` <scope>admin</scope> <scope>internal</scope>

 Sets the email configuration. The Cloudron has a built-in email server for users.
 This configuration can be used to enable or disable the email server. Note that
-the Cloudron will always be able to send email on behalf of apps, regardless of 
+the Cloudron will always be able to send email on behalf of apps, regardless of
 this setting.

 Request:
@@ -29,7 +29,6 @@ Cloudron provides multiple authentication strategies.

 * OAuth 2.0 provided by the [OAuth addon](/references/addons.html#oauth)
 * LDAP provided by the [LDAP addon](/references/addons.html#ldap)
-* Simple Auth provided by [Simple Auth addon](/references/addons.html#simpleauth)

 # Choosing a strategy

@@ -1,6 +1,6 @@
 # Overview

-The application's Dockerfile must specify the FROM base image to be `cloudron/base:0.9.0`.
+The application's Dockerfile must specify the FROM base image to be `cloudron/base:0.10.0`.

 The base image already contains most popular software packages including node, nginx, apache,
 ruby, PHP. Using the base image greatly reduces the size of app images.
@@ -17,16 +17,16 @@ install it yourself.

 * Apache 2.4.18
 * Composer 1.2.0
-* Go 1.5.4, 1.6.3
+* Go 1.6.4, 1.7.5 (install under `/usr/local/go-<version>`)
 * Gunicorn 19.4.5
 * Java 1.8
 * Maven 3.3.9
 * Mongo 2.6.10
-* MySQL Client 5.7.13
+* MySQL Client 5.7.17
 * nginx 1.10.0
-* Node 0.10.40, 0.12.7, 4.2.6, 4.4.7 (installed under `/usr/local/node-<version>`) [more information](#node-js)
+* Node 0.10.48, 0.12.18, 4.7.3, 6.9.5 (installed under `/usr/local/node-<version>`) [more information](#node-js)
 * Perl 5.22.1
-* PHP 7.0.8
+* PHP 7.0.13
 * Postgresql client 9.5.4
 * Python 2.7.12
 * Redis 3.0.6
@@ -41,16 +41,16 @@ The base image can be inspected by installing [Docker](https://docs.docker.com/i

 Once installed, pull down the base image locally using the following command:
 ```
-    docker pull cloudron/base:0.9.0
+    docker pull cloudron/base:0.10.0
 ```

 To inspect the base image:
 ```
-    docker run -ti cloudron/base:0.9.0 /bin/bash
+    docker run -ti cloudron/base:0.10.0 /bin/bash
 ```

 *Note:* Please use `docker 1.9.0` or above to pull the base image. Doing otherwise results in a base
-image with an incorrect image id. The image id of `cloudron/base:0.9.0` is `d038af182821`.
+image with an incorrect image id. The image id of `cloudron/base:0.10.0` is `5ec8ca8525be`.

 # The `cloudron` user

@@ -47,12 +47,14 @@ Type: object
 Required: no

 Allowed keys
+* [email](addons.html#email)
 * [ldap](addons.html#ldap)
 * [localstorage](addons.html#localstorage)
 * [mongodb](addons.html#mongodb)
 * [mysql](addons.html#mysql)
 * [oauth](addons.html#oauth)
 * [postgresql](addons.html#postgresql)
+* [recvmail](addons.html#recvmail)
 * [redis](addons.html#redis)
 * [sendmail](addons.html#sendmail)

@@ -93,26 +95,6 @@ Example:
  "changelog": "* Add support for IE8 \n* New logo"
 ```

-## configurePath
-
-Type: path string
-
-Required: no
-
-The `configurePath` can be used to specify the absolute path to the configuration / settings
-page of the app. When this path is present, an absoluted URL is constructed from the app's
-install location this path and presented to the user in the configuration dialog of the app.
-
-This is useful for apps that have a main page which does not display a configuration / settings
-url (i.e) it's hidden for aesthetic reasons. For example, a blogging app like wordpress might
-keep the admin page url hidden in the main page. Setting the configurationPath makes the
-configuration url discoverable by the user.
-
-Example:
-```
-  "configurePath": "/wp-admin"
-```
-
 ## contactEmail

 Type: email
@@ -298,6 +280,10 @@ The intended use of this field is to display some post installation steps that t
 complete the installation. For example, displaying the default admin credentials and informing the user to
 to change it.

+The message can have the following special tags:
+* `<sso> ... </sso>` - Content in `sso` blocks are shown if SSO enabled.
+* `<nosso> ... </nosso>`- Content in `nosso` blocks are shows when SSO is disabled.
+
 ## optionalSso

 Type: boolean
@@ -19,7 +19,7 @@ The Cloudron requires a domain name when it is installed. Apps are installed int
 The `my` subdomain is special and is the location of the Cloudron web interface. For this to
 work, the Cloudron requires a way to programmatically configure the DNS entries of the domain.
 Note that the Cloudron will never overwrite _existing_ DNS entries and refuse to install
-apps on existing subdomains.
+apps on existing subdomains (so, it is safe to reuse an existing domain that runs other services).

 # Cloud Server

@@ -34,9 +34,10 @@ In addition to those, the Cloudron community has successfully installed the plat
 * [hosttech](https://www.hosttech.ch/?promocode=53619290)
 * [Linode](https://www.linode.com/?r=f68d816692c49141e91dd4cef3305da457ac0f75)
 * [OVH](https://www.ovh.com/)
+* [Rosehosting](https://secure.rosehosting.com/clientarea/?affid=661)
 * [Scaleway](https://www.scaleway.com/)
 * [So you Start](https://www.soyoustart.com/)
-* [Vultr](http://www.vultr.com/?ref=7063201)
+* [Vultr](http://www.vultr.com/?ref=7110116-3B)

 Please let us know if any of them requires tweaks or adjustments.

@@ -44,8 +45,13 @@ Please let us know if any of them requires tweaks or adjustments.

 ## Create server

-Create an `Ubuntu 16.04 (Xenial)` server with at-least `1gb` RAM. Do not make any changes
-to vanilla ubuntu. Be sure to allocate a static IPv4 address for your server.
+Create an `Ubuntu 16.04 (Xenial)` server with at-least `1gb` RAM and 20GB disk space.
+Do not make any changes to vanilla ubuntu. Be sure to allocate a static IPv4 address
+for your server.
+
+Cloudron has a built-in firewall and ports are opened and closed dynamically, as and when
+apps are installed, re-configured or removed. For this reason, be sure to open all TCP and
+UDP traffic to the server and leave the traffic management to the Cloudron.

 ### Linode

@@ -64,7 +70,7 @@ SSH into your server and run the following commands:
 ```
 wget https://cloudron.io/cloudron-setup
 chmod +x cloudron-setup
-./cloudron-setup --provider <digitalocean|ec2|generic|scaleway>
+./cloudron-setup --provider <azure|digitalocean|ec2|lightsail|linode|ovh|rosehosting|scaleway|vultr|generic>
 ```

 The setup will take around 10-15 minutes.
@@ -99,9 +105,9 @@ IP address (`https://ip`) to complete the installation.
 The setup website will show a certificate warning. Accept the self-signed certificate
 and proceed to the domain setup.

-Currently, only Second Level Domains are supported. For example, `example.com`, 
-`example.co.uk` will work fine. Choosing a domain name at any other level like
-`cloudron.example.com` will not work.
+Currently, only subdomains of the [Public Suffix List](https://publicsuffix.org/) are supported.
+For example, `example.com`,  `example.co.uk` will work fine. Choosing other non-registrable
+domain names like `cloudron.example.com` will not work.

 ### Route 53

@@ -194,6 +200,9 @@ for most use-cases.
 }
 ```

+The `Encryption key` is an arbitrary passphrase used to encrypt the backups. Keep the passphrase safe; it is
+required to decrypt the backups when restoring the Cloudron.
+
 ## Minio S3

 [Minio](https://minio.io/) is a distributed object storage server, providing the same API as Amazon S3.
@@ -219,6 +228,8 @@ The information to be copied to the Cloudron's backup settings form may look sim

 <img src="/docs/img/minio_backup_config.png" class="shadow"><br/>

+The `Encryption key` is an arbitrary passphrase used to encrypt the backups. Keep the passphrase safe; it is
+required to decrypt the backups when restoring the Cloudron.

 # Email

@@ -235,15 +246,27 @@ reputation should be easy to get back.

 ## Checklist

-* Once your Cloudron is ready, setup a Reverse DNS PTR record to be setup for the `my` subdomain.
+* If you are unable to receive mail, first thing to check is if your VPS provider lets you
+  receive mail on port 25.

-    * AWS/EC2 - Fill the PTR [request form](https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request.
+    * Digital Ocean - New accounts frequently have port 25 blocked. Write to their support to
+      unblock your server.
+
+    * EC2, Lightsail & Scaleway - Edit your security group to allow email.
+
+* Setup a Reverse DNS PTR record to be setup for the `my` subdomain.
+  **Note:** PTR records are a feature of your VPS provider and not your domain provider.
+
+    * You can verify the PTR record [https://mxtoolbox.com/ReverseLookup.aspx](here).
+
+    * AWS EC2 & Lightsail - Fill the [PTR request form](https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request).

    * Digital Ocean - Digital Ocean sets up a PTR record based on the droplet's name. So, simply rename
    your droplet to `my.<domain>`. Note that some new Digital Ocean accounts have [port 25 blocked](https://www.digitalocean.com/community/questions/port-25-smtp-external-access).

-    * Scaleway - Edit your security group to allow email. You can also set a PTR record on the interface with your
-    `my.<domain>`.
+    * Linode - Follow this [guide](https://www.linode.com/docs/networking/dns/setting-reverse-dns).
+
+    * Scaleway - Edit your security group to allow email and [reboot the server](https://community.online.net/t/security-group-not-working/2096) for the change to take effect. You can also set a PTR record on the interface with your `my.<domain>`.

 * Check if your IP is listed in any DNSBL list [here](http://multirbl.valli.org/). In most cases,
 you can apply for removal of your IP by filling out a form at the DNSBL manager site.
@@ -324,9 +347,12 @@ Similar to the initial installation, a Cloudron upgrade looks like:
 $ ssh root@newserverip
 > wget https://cloudron.io/cloudron-setup
 > chmod +x cloudron-setup
-> ./cloudron-setup --provider <digitalocean|ec2|generic|scaleway> --encryption-key <key> --restore-url <publicS3Url>
+> ./cloudron-setup --provider <digitalocean|ec2|generic|scaleway> --domain <example.com> --encryption-key <key> --restore-url <publicS3Url>
 ```

+Note: When upgrading an old version of Cloudron (<= 0.94.0), pass the `--version 0.94.1` flag and then continue updating
+from that.
+
 * Finally, once you see the newest version being displayed in your Cloudron webinterface, you can safely delete the old server instance.

 # Restore
@@ -342,7 +368,7 @@ To restore a Cloudron from a specific backup:
  * `File system` - When storing backups in `/var/backups`, you have to make the box and the app backups available to the new Cloudron instance's `/var/backups`. This can be achieved in a variety of ways depending on the situation: like scp'ing the backup files to the new machine before Cloudron installation OR mounting an external backup hard drive into the new Cloudron's `/var/backup` OR downloading a copy of the backup using `cloudron machine backup download` and uploading them to the new machine. After doing so, pass `file:///var/backups/<path to box backup>` as the `--restore-url` below.

 * Create a new Cloudron by following the [installing](/references/selfhosting.html#installing) section.
-  When running the setup script, pass in the `version`, `encryption-key` and `restore-url` flags.
+  When running the setup script, pass in the `version`, `encryption-key`, `domain` and `restore-url` flags.
  The `version` field is the version of the Cloudron that the backup corresponds to (it is embedded
  in the backup file name).

@@ -75,7 +75,7 @@ A Dockerfile contains commands to assemble an image.
 Create a file named `tutorial/Dockerfile` with the following content:

 ```dockerfile
-FROM cloudron/base:0.9.0
+FROM cloudron/base:0.10.0

 ADD server.js /app/code/server.js

@@ -171,7 +171,7 @@ Login successful.
 Build scheduled with id 76cebfdd-7822-4f3d-af17-b3eb393ae604
 Downloading source
 Building
-Step 0 : FROM cloudron/base:0.9.0
+Step 0 : FROM cloudron/base:0.10.0
 ---> 97583855cc0c
 Step 1 : ADD server.js /app/code
 ---> b09b97ecdfbc
@@ -333,7 +333,7 @@ and modify our Dockerfile to look like this:
 File `tutorial/Dockerfile`

 ```dockerfile
-FROM cloudron/base:0.9.0
+FROM cloudron/base:0.10.0

 ADD server.js /app/code/server.js
 ADD package.json /app/code/package.json
@@ -5,8 +5,8 @@ This tutorial outlines how to package an existing web application for the Cloudr
 If you are aware of Docker and Heroku, you should feel at home packaging for the
 Cloudron. Roughly, the steps involved are:

-* Create a Dockerfile for your application. If your application already has
-  a Dockerfile, you should able to reuse most of it. By virtue of Docker, the Cloudron
+* Create a Dockerfile for your application. If your application already has a Dockerfile, it 
+  is a good starting point for packaging for the Cloudron. By virtue of Docker, the Cloudron
  is able to run apps written in any language/framework.

 * Create a CloudronManifest.json that provides information like title, author, description
@@ -79,7 +79,7 @@ console.log("Server running at port 8000");
 The Dockerfile contains instructions on how to create an image for your application.

 ```Dockerfile
-FROM cloudron/base:0.9.0
+FROM cloudron/base:0.10.0

 ADD server.js /app/code/server.js

@@ -88,7 +88,7 @@ CMD [ "/usr/local/node-4.4.7/bin/node", "/app/code/server.js" ]

 The `FROM` command specifies that we want to start off with Cloudron's [base image](/references/baseimage.html).
 All Cloudron apps **must** start from this base image. This approach conserves space on the Cloudron since
-Docker images tend to be quiet large.
+Docker images tend to be quite large and also helps us to do a security audit on apps more easily.

 The `ADD` command copies the source code of the app into the directory `/app/code`. There is nothing special
 about the `/app/code` directory and it is merely a convention we use to store the application code.
@@ -188,7 +188,7 @@ Build scheduled with id e7706847-f2e3-4ba2-9638-3f334a9453a5
 Waiting for build to begin, this may take a bit...
 Downloading source
 Building
-Step 1 : FROM cloudron/base:0.9.0
+Step 1 : FROM cloudron/base:0.10.0
 ---> be9fc6312b2d
 Step 2 : ADD server.js /app/code/server.js
 ---> 10513e428d7a
@@ -389,6 +389,8 @@ field in the manifest.
 Design your application runtime for concurrent use by 50 users. The Cloudron is not designed for
 concurrent access by 100s or 1000s of users.

+An app can determine it's memory limit by reading `/sys/fs/cgroup/memory/memory.limit_in_bytes`.
+
 ## Authentication

 Apps should integrate with one of the [authentication strategies](/references/authentication.html).
@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE backups MODIFY dependsOn TEXT', [], function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE backups MODIFY dependsOn VARCHAR(4096)', [], function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -105,7 +105,7 @@ CREATE TABLE IF NOT EXISTS backups(
    creationTime TIMESTAMP,
    version VARCHAR(128) NOT NULL, /* app version or box version */
    type VARCHAR(16) NOT NULL, /* 'box' or 'app' */
-    dependsOn VARCHAR(4096), /* comma separate list of objects this backup depends on */
+    dependsOn TEXT, /* comma separate list of objects this backup depends on */
    state VARCHAR(16) NOT NULL,

    PRIMARY KEY (filename));
@@ -13,11 +13,11 @@
    "node >=4.0.0 <=4.1.1"
  ],
  "dependencies": {
-    "async": "^1.2.1",
+    "async": "^2.1.4",
    "aws-sdk": "^2.1.46",
    "body-parser": "^1.13.1",
    "checksum": "^0.1.1",
-    "cloudron-manifestformat": "^2.6.0",
+    "cloudron-manifestformat": "^2.8.0",
    "connect-ensure-login": "^0.1.1",
    "connect-lastmile": "^0.1.0",
    "connect-timeout": "^1.5.0",
@@ -67,8 +67,7 @@
    "tldjs": "^1.6.2",
    "underscore": "^1.7.0",
    "valid-url": "^1.0.9",
-    "validator": "^4.9.0",
-    "x509": "^0.2.4"
+    "validator": "^4.9.0"
  },
  "devDependencies": {
    "bootstrap-sass": "^3.3.3",
@@ -14,13 +14,16 @@ fi

 # change this to a hash when we make a upgrade release
 readonly LOG_FILE="/var/log/cloudron-setup.log"
+readonly DATA_FILE="/root/cloudron-install-data.json"
 readonly MINIMUM_DISK_SIZE_GB="19" # this is the size of "/" and required to fit in docker images 19 is a safe bet for different reporting on 20GB min
-readonly MINIMUM_MEMORY="990"      # this is mostly reported for 1GB main memory (DO 992, EC2 990)
+readonly MINIMUM_MEMORY="974"      # this is mostly reported for 1GB main memory (DO 992, EC2 990, Linode 989, Serverdiscounter.com 974)
+
+readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400"

 # copied from cloudron-resize-fs.sh
-readonly physical_memory=$(free -m | awk '/Mem:/ { print $2 }')
+readonly physical_memory=$(LC_ALL=C free -m | awk '/Mem:/ { print $2 }')
 readonly disk_device="$(for d in $(find /dev -type b); do [ "$(mountpoint -d /)" = "$(mountpoint -x $d)" ] && echo $d && break; done)"
-readonly disk_size_bytes=$(fdisk -l ${disk_device} | grep "Disk ${disk_device}" | awk '{ printf $5 }')
+readonly disk_size_bytes=$(LC_ALL=C fdisk -l ${disk_device} | grep "Disk ${disk_device}" | awk '{ printf $5 }')
 readonly disk_size_gb=$((${disk_size_bytes}/1024/1024/1024))

 # verify the system has minimum requirements met
@@ -91,15 +94,22 @@ done
 # validate arguments in the absence of data
 if [[ -z "${dataJson}" ]]; then
    if [[ -z "${provider}" ]]; then
-        echo "--provider is required (generic, scaleway, ec2, digitalocean)"
+        echo "--provider is required (azure, digitalocean, ec2, lightsail, linode, ovh, scaleway, vultr or generic)"
        exit 1
    elif [[  \
-                "${provider}" != "generic" && \
-                "${provider}" != "scaleway" && \
+                "${provider}" != "ami" && \
+                "${provider}" != "azure" && \
+                "${provider}" != "digitalocean" && \
                "${provider}" != "ec2" && \
-                "${provider}" != "digitalocean" \
+                "${provider}" != "lightsail" && \
+                "${provider}" != "linode" && \
+                "${provider}" != "ovh" && \
+                "${provider}" != "rosehosting" && \
+                "${provider}" != "scaleway" && \
+                "${provider}" != "vultr" && \
+                "${provider}" != "generic" \
            ]]; then
-        echo "--provider must be one of: generic, scaleway, ec2, digitalocean"
+        echo "--provider must be one of: azure, digitalocean, ec2, lightsail, linode, ovh, rosehosting, scaleway, vultr or generic"
        exit 1
    fi

@@ -129,7 +139,7 @@ echo " Join us at https://chat.cloudron.io for any questions."
 echo ""

 if [[ "${initBaseImage}" == "true" ]]; then
-    echo "=> Updating apt and installing script dependancies"
+    echo "=> Updating apt and installing script dependencies"
    if ! apt-get update &>> "${LOG_FILE}"; then
        echo "Could not update package repositories"
        exit 1
@@ -143,7 +153,7 @@ fi

 echo "=> Checking version"
 if [[ "${sourceTarballUrl}" == "" ]]; then
-    releaseJson=$(curl -s "${versionsUrl}")
+    releaseJson=$($curl -s "${versionsUrl}")
    if [[ "$requestedVersion" == "latest" ]]; then
        pre=$([[ "${prerelease}" == "true" ]] && echo "null" || echo "-pre")
        version=$(echo "${releaseJson}" | python3 -c "import json,sys,collections;obj=json.load(sys.stdin, object_pairs_hook=collections.OrderedDict);latest=list(v for v in obj if '${pre}' not in v)[-1];print(latest)")
@@ -206,7 +216,7 @@ fi
 echo "=> Downloading version ${version} ..."
 box_src_tmp_dir=$(mktemp -dt box-src-XXXXXX)

-if ! curl -sL "${sourceTarballUrl}" | tar -zxf - -C "${box_src_tmp_dir}"; then
+if ! $curl -sL "${sourceTarballUrl}" | tar -zxf - -C "${box_src_tmp_dir}"; then
    echo "Could not download source tarball. See ${LOG_FILE} for details"
    exit 1
 fi
@@ -221,15 +231,17 @@ if [[ "${initBaseImage}" == "true" ]]; then
 fi

 echo "=> Installing version ${version} (this takes some time) ..."
-if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" --data "${data}" &>> "${LOG_FILE}"; then
+echo "${data}" > "${DATA_FILE}"
+if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" --data-file "${DATA_FILE}" &>> "${LOG_FILE}"; then
    echo "Failed to install cloudron. See ${LOG_FILE} for details"
    exit 1
 fi
+rm "${DATA_FILE}"

 echo -n "=> Waiting for cloudron to be ready (this takes some time) ..."
 while true; do
    echo -n "."
-    if status=$(curl -q -f "http://localhost:3000/api/v1/cloudron/status" 2>/dev/null); then
+    if status=$($curl -q -f "http://localhost:3000/api/v1/cloudron/status" 2>/dev/null); then
        [[ -z "$domain" ]] && break # with no domain, we are up and running
        [[ "$status" == *"\"tls\": true"* ]] && break # with a domain, wait for the cert
    fi
@@ -237,9 +249,9 @@ while true; do
 done

 if [[ -n "${domain}" ]]; then
-    echo -e "Visit https://my.${domain} to finish setup once the server has rebooted.\n"
+    echo -e "\n\nVisit https://my.${domain} to finish setup once the server has rebooted.\n"
 else
-    echo -e "Visit https://<IP> to finish setup once the server has rebooted.\n"
+    echo -e "\n\nVisit https://<IP> to finish setup once the server has rebooted.\n"
 fi

 if [[ "${rebootServer}" == "true" ]]; then
@@ -52,7 +52,7 @@ fi

 if [[ "${is_update}" == "yes" ]]; then
    echo "Setting up update splash screen"
-    "${box_src_tmp_dir}/setup/splashpage.sh" --data "${arg_data}" # show splash from new code
+    "${box_src_tmp_dir}/setup/splashpage.sh" --data "${arg_data}" || true # show splash from new code
    ${BOX_SRC_DIR}/setup/stop.sh # stop the old code
 fi

@@ -11,6 +11,11 @@ readonly ADMIN_LOCATION="my" # keep this in sync with constants.js

 echo "Setting up nginx update page"

+if [[ ! -f "${DATA_DIR}/nginx/applications/admin.conf" ]]; then
+    echo "No admin.conf found. This Cloudron has no domain yet. Skip splash setup"
+    exit
+fi
+
 source "${script_dir}/argparser.sh" "$@" # this injects the arg_* variables used below

 # keep this is sync with config.js appFqdn()
@@ -97,12 +97,6 @@ if [[ "${arg_provider}" == "caas" ]]; then
 fi

 echo "==> Setup btrfs data"
-if ! grep -q loop.ko /lib/modules/`uname -r`/modules.builtin; then
-    # on scaleway loop is not built-in
-    echo "loop" >> /etc/modules
-    modprobe loop
-fi
-
 if [[ ! -d "${DATA_DIR}" ]]; then
    echo "==> Mounting loopback btrfs"
    truncate -s "8192m" "${DATA_FILE}" # 8gb start (this will get resized dynamically by cloudron-resize-fs.service)
@@ -167,7 +161,7 @@ echo "==> Setting up unbound"
 # DO uses Google nameservers by default. This causes RBL queries to fail (host 2.0.0.127.zen.spamhaus.org)
 # We do not use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!)
 # We listen on 0.0.0.0 because there is no way control ordering of docker (which creates the 172.18.0.0/16) and unbound
-echo -e "server:\n\tinterface: 0.0.0.0\n\taccess-control: 127.0.0.1 allow\n\taccess-control: 172.18.0.1/16 allow" > /etc/unbound/unbound.conf.d/cloudron-network.conf
+echo -e "server:\n\tinterface: 0.0.0.0\n\taccess-control: 127.0.0.1 allow\n\taccess-control: 172.18.0.1/16 allow\n\tcache-max-negative-ttl: 30" > /etc/unbound/unbound.conf.d/cloudron-network.conf

 echo "==> Adding systemd services"
 cp -r "${script_dir}/start/systemd/." /etc/systemd/system/
@@ -200,7 +194,7 @@ mkdir -p "${DATA_DIR}/nginx/applications"
 mkdir -p "${DATA_DIR}/nginx/cert"
 cp "${script_dir}/start/nginx/nginx.conf" "${DATA_DIR}/nginx/nginx.conf"
 cp "${script_dir}/start/nginx/mime.types" "${DATA_DIR}/nginx/mime.types"
-if ! grep "^Restart=" /etc/systemd/system/multi-user.target.wants/nginx.service; then
+if ! grep -q "^Restart=" /etc/systemd/system/multi-user.target.wants/nginx.service; then
    # default nginx service file does not restart on crash
    echo -e "\n[Service]\nRestart=always\n" >> /etc/systemd/system/multi-user.target.wants/nginx.service
    systemctl daemon-reload
@@ -216,14 +210,18 @@ echo "==> Cleaning up snapshots"
 find "${DATA_DIR}/snapshots" -mindepth 1 -maxdepth 1 | xargs --no-run-if-empty btrfs subvolume delete

 # restart mysql to make sure it has latest config
-# wait for all running mysql jobs
-cp "${script_dir}/start/mysql.cnf" /etc/mysql/mysql.cnf
-while true; do
-    if ! systemctl list-jobs | grep mysql; then break; fi
-    echo "Waiting for mysql jobs..."
-    sleep 1
-done
-systemctl restart mysql
+if [[ ! -f /etc/mysql/mysql.cnf ]] || ! diff -q "${script_dir}/start/mysql.cnf" /etc/mysql/mysql.cnf >/dev/null; then
+    # wait for all running mysql jobs
+    cp "${script_dir}/start/mysql.cnf" /etc/mysql/mysql.cnf
+    while true; do
+        if ! systemctl list-jobs | grep mysql; then break; fi
+        echo "Waiting for mysql jobs..."
+        sleep 1
+    done
+    systemctl restart mysql
+else
+    systemctl start mysql
+fi

 readonly mysql_root_password="password"
 mysqladmin -u root -ppassword password password # reset default root password
@@ -318,9 +316,14 @@ if [[ ! -z "${arg_tls_config}" ]]; then
        -e "REPLACE INTO settings (name, value) VALUES (\"tls_config\", '$arg_tls_config')" box
 fi

+echo "==> Generating dhparams (takes forever)"
+if [[ ! -f "${BOX_DATA_DIR}/dhparams.pem" ]]; then
+    openssl dhparam -out "${BOX_DATA_DIR}/dhparams.pem" 2048
+fi
+
 set_progress "60" "Starting Cloudron"
 systemctl start cloudron.target

 sleep 2 # give systemd sometime to start the processes

-set_progress "90" "Done"
+set_progress "90" "Almost done"
@@ -13,10 +13,10 @@ disk_device="$(for d in $(find /dev -type b); do [ "$(mountpoint -d /)" = "$(mou
 existing_swap=$(cat /proc/meminfo | grep SwapTotal | awk '{ printf "%.0f", $2/1024 }')

 # all sizes are in mb
-readonly physical_memory=$(free -m | awk '/Mem:/ { print $2 }')
+readonly physical_memory=$(LC_ALL=C free -m | awk '/Mem:/ { print $2 }')
 readonly swap_size=$((${physical_memory} - ${existing_swap})) # if you change this, fix enoughResourcesAvailable() in client.js
 readonly app_count=$((${physical_memory} / 200)) # estimated app count
-readonly disk_size_bytes=$(fdisk -l ${disk_device} | grep "Disk ${disk_device}" | awk '{ printf $5 }') # can't rely on fdisk human readable units, using bytes instead
+readonly disk_size_bytes=$(LC_ALL=C fdisk -l ${disk_device} | grep "Disk ${disk_device}" | awk '{ printf $5 }') # can't rely on fdisk human readable units, using bytes instead
 readonly disk_size=$((${disk_size_bytes}/1024/1024))
 readonly system_size=10240 # 10 gigs for system libs, apps images, installer, box code, data and tmp
 readonly ext4_reserved=$((disk_size * 5 / 100)) # this can be changes using tune2fs -m percent /dev/vda1
@@ -25,12 +25,22 @@ server {
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
-    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    # ciphers according to https://weakdh.org/sysadmin.html
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+    ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
    add_header Strict-Transport-Security "max-age=15768000";

    # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
    add_header X-Frame-Options "<%= xFrameOptions %>";

+    # https://github.com/twitter/secureheaders
+    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
+    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Download-Options "noopen";
+    add_header X-Content-Type-Options "nosniff";
+    add_header X-Permitted-Cross-Domain-Policies "none";
+
    proxy_http_version 1.1;
    proxy_intercept_errors on;
    proxy_read_timeout       3500;
@@ -36,3 +36,6 @@ yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/rmbackup.sh

 Defaults!/home/yellowtent/box/src/scripts/update.sh env_keep="HOME BOX_ENV"
 yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/update.sh
+
+Defaults!/home/yellowtent/box/src/scripts/authorized_keys.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/authorized_keys.sh
@@ -106,18 +106,6 @@ var KNOWN_ADDONS = {
        teardown: NOOP,
        backup: NOOP,
        restore: NOOP
-    },
-    simpleauth: {
-        setup: setupSimpleAuth,
-        teardown: teardownSimpleAuth,
-        backup: NOOP,
-        restore: setupSimpleAuth
-    },
-    _docker: {
-        setup: NOOP,
-        teardown: NOOP,
-        backup: NOOP,
-        restore: NOOP
    }
 };

@@ -219,7 +207,6 @@ function getBindsSync(app, addons) {

    for (var addon in addons) {
        switch (addon) {
-        case '_docker': binds.push('/var/run/docker.sock:/var/run/docker.sock:rw'); break;
        case 'localstorage': binds.push(path.join(paths.DATA_DIR, app.id, 'data') + ':/app/data:rw'); break;
        default: break;
        }
@@ -293,51 +280,6 @@ function teardownOauth(app, options, callback) {
    });
 }

-function setupSimpleAuth(app, options, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof options, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    if (!app.sso) return callback(null);
-
-    var appId = app.id;
-    var scope = 'profile';
-
-    clients.delByAppIdAndType(app.id, clients.TYPE_SIMPLE_AUTH, function (error) { // remove existing creds
-        if (error && error.reason !== ClientsError.NOT_FOUND) return callback(error);
-
-        clients.add(appId, clients.TYPE_SIMPLE_AUTH, '', scope, function (error, result) {
-            if (error) return callback(error);
-
-            var env = [
-                'SIMPLE_AUTH_SERVER=172.18.0.1',
-                'SIMPLE_AUTH_PORT=' + config.get('simpleAuthPort'),
-                'SIMPLE_AUTH_URL=http://172.18.0.1:' + config.get('simpleAuthPort'), // obsolete, remove
-                'SIMPLE_AUTH_ORIGIN=http://172.18.0.1:' + config.get('simpleAuthPort'),
-                'SIMPLE_AUTH_CLIENT_ID=' + result.id
-            ];
-
-            debugApp(app, 'Setting simple auth addon config to %j', env);
-
-            appdb.setAddonConfig(appId, 'simpleauth', env, callback);
-        });
-    });
-}
-
-function teardownSimpleAuth(app, options, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof options, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debugApp(app, 'teardownSimpleAuth');
-
-    clients.delByAppIdAndType(app.id, clients.TYPE_SIMPLE_AUTH, function (error) {
-        if (error && error.reason !== ClientsError.NOT_FOUND) debug(error);
-
-        appdb.unsetAddonConfig(app.id, 'simpleauth', callback);
-    });
-}
-
 function setupEmail(app, options, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof options, 'object');
@@ -52,6 +52,7 @@ var assert = require('assert'),
    async = require('async'),
    database = require('./database.js'),
    DatabaseError = require('./databaseerror'),
+    mailboxdb = require('./mailboxdb.js'),
    safe = require('safetydance'),
    util = require('util');

@@ -189,7 +190,7 @@ function add(id, appStoreId, manifest, location, portBindings, data, callback) {
    var sso = 'sso' in data ? data.sso : null;
    var debugModeJson = data.debugMode ? JSON.stringify(data.debugMode) : null;

-    var queries = [ ];
+    var queries = [];
    queries.push({
        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, location, accessRestrictionJson, memoryLimit, altDomain, xFrameOptions, lastBackupId, sso, debugModeJson) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
        args: [ id, appStoreId, manifestJson, installationState, location, accessRestrictionJson, memoryLimit, altDomain, xFrameOptions, lastBackupId, sso, debugModeJson ]
@@ -202,6 +203,14 @@ function add(id, appStoreId, manifest, location, portBindings, data, callback) {
        });
    });

+    // only allocate a mailbox if mailboxName is set
+    if (data.mailboxName) {
+        queries.push({
+            query: 'INSERT INTO mailboxes (name, ownerId, ownerType) VALUES (?, ?, ?)',
+            args: [ data.mailboxName, id, mailboxdb.TYPE_APP ]
+        });
+    }
+
    database.transaction(queries, function (error) {
        if (error && error.code === 'ER_DUP_ENTRY') return callback(new DatabaseError(DatabaseError.ALREADY_EXISTS, error.message));
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
@@ -242,13 +251,14 @@ function del(id, callback) {
    assert.strictEqual(typeof callback, 'function');

    var queries = [
+        { query: 'DELETE FROM mailboxes WHERE ownerId=?', args: [ id ] },
        { query: 'DELETE FROM appPortBindings WHERE appId = ?', args: [ id ] },
        { query: 'DELETE FROM apps WHERE id = ?', args: [ id ] }
    ];

    database.transaction(queries, function (error, results) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
-        if (results[1].affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
+        if (results[2].affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));

        callback(null);
    });
@@ -50,7 +50,7 @@ function setHealth(app, health, callback) {

        debugApp(app, 'marking as unhealthy since not seen for more than %s minutes', UNHEALTHY_THRESHOLD/(60 * 1000));

-        if (app.debugMode) mailer.appDied(app); // do not send mails for dev apps
+        if (!app.debugMode) mailer.appDied(app); // do not send mails for dev apps
        gHealthInfo[app.id].emailSent = true;
    } else {
        debugApp(app, 'waiting for sometime to update the app health');
@@ -138,7 +138,7 @@ function run() {

 /*
    OOM can be tested using stress tool like so:
-        docker run -ti -m 100M cloudron/base:0.9.0 /bin/bash
+        docker run -ti -m 100M cloudron/base:0.10.0 /bin/bash
        apt-get update && apt-get install stress
        stress --vm 1 --vm-bytes 200M --vm-hang 0
 */
@@ -152,7 +152,6 @@ function validatePortBindings(portBindings, tcpPorts) {
        config.get('sysadminPort'), /* sysadmin app server (lo) */
        config.get('smtpPort'), /* internal smtp port (lo) */
        config.get('ldapPort'), /* ldap server (lo) */
-        config.get('simpleAuthPort'), /* simple auth server (lo) */
        3306, /* mysql (lo) */
        4190, /* managesieve */
        8000 /* graphite (lo) */
@@ -296,11 +295,9 @@ function hasAccessTo(app, user, callback) {
    if (!app.accessRestriction.groups) return callback(null, false);

    async.some(app.accessRestriction.groups, function (groupId, iteratorDone) {
-        groups.isMember(groupId, user.id, function (error, member) {
-            iteratorDone(!error && member); // async.some does not take error argument in callback
-        });
-    }, function (result) {
-        callback(null, result);
+        groups.isMember(groupId, user.id, iteratorDone);
+    }, function (error, result) {
+        callback(null, !error && result);
    });
 }

@@ -314,6 +311,7 @@ function get(appId, callback) {

        app.iconUrl = getIconUrlSync(app);
        app.fqdn = app.altDomain || config.appFqdn(app.location);
+        app.cnameTarget = app.altDomain ? config.appFqdn(app.location) : null;

        callback(null, app);
    });
@@ -332,6 +330,7 @@ function getByIpAddress(ip, callback) {

            app.iconUrl = getIconUrlSync(app);
            app.fqdn = app.altDomain || config.appFqdn(app.location);
+            app.cnameTarget = app.altDomain ? config.appFqdn(app.location) : null;

            callback(null, app);
        });
@@ -347,6 +346,7 @@ function getAll(callback) {
        apps.forEach(function (app) {
            app.iconUrl = getIconUrlSync(app);
            app.fqdn = app.altDomain || config.appFqdn(app.location);
+            app.cnameTarget = app.altDomain ? config.appFqdn(app.location) : null;
        });

        callback(null, apps);
@@ -360,11 +360,9 @@ function getAllByUser(user, callback) {
    getAll(function (error, result) {
        if (error) return callback(error);

-        async.filter(result, function (app, callback) {
-            hasAccessTo(app, user, function (error, hasAccess) {
-                callback(hasAccess);
-            });
-        }, callback.bind(null, null));  // never error
+        async.filter(result, function (app, iteratorDone) {
+            hasAccessTo(app, user, iteratorDone);
+        }, callback);
    });
 }

@@ -428,10 +426,13 @@ function unpurchase(appId, appstoreId, callback) {

        superagent.get(url).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
            if (error && !error.response) return callback(new AppsError(AppsError.EXTERNAL_ERROR, error));
+            if (result.statusCode === 403 || result.statusCode === 401) return callback(new AppsError(AppsError.BILLING_REQUIRED));
            if (result.statusCode === 404) return callback(null);   // was never purchased
+            if (result.statusCode !== 201 && result.statusCode !== 200) return callback(new AppsError(AppsError.EXTERNAL_ERROR, util.format('App purchase failed. %s %j', result.status, result.body)));

            superagent.del(url).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
                if (error && !error.response) return callback(new AppsError(AppsError.EXTERNAL_ERROR, error));
+                if (result.statusCode === 403 || result.statusCode === 401) return callback(new AppsError(AppsError.BILLING_REQUIRED));
                if (result.statusCode !== 204) return callback(new AppsError(AppsError.EXTERNAL_ERROR, util.format('App unpurchase failed. %s %j', result.status, result.body)));

                callback(null);
@@ -526,7 +527,7 @@ function install(data, auditSource, callback) {

        if ('sso' in data && !('optionalSso' in manifest)) return callback(new AppsError(AppsError.BAD_FIELD, 'sso can only be specified for apps with optionalSso'));
        // if sso was unspecified, enable it by default if possible
-        if (sso === null) sso = !!manifest.addons['simpleauth'] || !!manifest.addons['ldap'] || !!manifest.addons['oauth'];
+        if (sso === null) sso = !!manifest.addons['ldap'] || !!manifest.addons['oauth'];

        if (altDomain !== null && !validator.isFQDN(altDomain)) return callback(new AppsError(AppsError.BAD_FIELD, 'Invalid alt domain'));

@@ -554,30 +555,25 @@ function install(data, auditSource, callback) {
                altDomain: altDomain,
                xFrameOptions: xFrameOptions,
                sso: sso,
-                debugMode: debugMode
+                debugMode: debugMode,
+                mailboxName: (location ? location : manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app'
            };

-            var from = (location ? location : manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app';
-            mailboxdb.add(from, appId, mailboxdb.TYPE_APP, function (error) {
-                if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new AppsError(AppsError.ALREADY_EXISTS, 'Mailbox already exists'));
+            appdb.add(appId, appStoreId, manifest, location, portBindings, data, function (error) {
+                if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
                if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-                appdb.add(appId, appStoreId, manifest, location, portBindings, data, function (error) {
-                    if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
-                    if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+                // save cert to boxdata/certs
+                if (cert && key) {
+                    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, config.appFqdn(location) + '.user.cert'), cert)) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving cert: ' + safe.error.message));
+                    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, config.appFqdn(location) + '.user.key'), key)) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving key: ' + safe.error.message));
+                }

-                    // save cert to boxdata/certs
-                    if (cert && key) {
-                        if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, config.appFqdn(location) + '.user.cert'), cert)) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving cert: ' + safe.error.message));
-                        if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, config.appFqdn(location) + '.user.key'), key)) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving key: ' + safe.error.message));
-                    }
+                taskmanager.restartAppTask(appId);

-                    taskmanager.restartAppTask(appId);
+                eventlog.add(eventlog.ACTION_APP_INSTALL, auditSource, { appId: appId, location: location, manifest: manifest });

-                    eventlog.add(eventlog.ACTION_APP_INSTALL, auditSource, { appId: appId, location: location, manifest: manifest });
-
-                    callback(null, { id : appId });
-                });
+                callback(null, { id : appId });
            });
        });
    });
@@ -898,24 +894,19 @@ function clone(appId, data, auditSource, callback) {
                    accessRestriction: app.accessRestriction,
                    xFrameOptions: app.xFrameOptions,
                    lastBackupId: backupId,
-                    sso: !!app.sso
+                    sso: !!app.sso,
+                    mailboxName: (location ? location : manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app'
                };

-                var from = (location ? location : manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app';
-                mailboxdb.add(from, newAppId, mailboxdb.TYPE_APP, function (error) {
-                    if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new AppsError(AppsError.ALREADY_EXISTS, 'Mailbox already exists'));
+                appdb.add(newAppId, appStoreId, manifest, location, portBindings, data, function (error) {
+                    if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
                    if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-                    appdb.add(newAppId, appStoreId, manifest, location, portBindings, data, function (error) {
-                        if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
-                        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+                    taskmanager.restartAppTask(newAppId);

-                        taskmanager.restartAppTask(newAppId);
+                    eventlog.add(eventlog.ACTION_APP_CLONE, auditSource, { appId: newAppId, oldAppId: appId, backupId: backupId, location: location, manifest: manifest });

-                        eventlog.add(eventlog.ACTION_APP_CLONE, auditSource, { appId: newAppId, oldAppId: appId, backupId: backupId, location: location, manifest: manifest });
-
-                        callback(null, { id : newAppId });
-                    });
+                    callback(null, { id : newAppId });
                });
            });
        });
@@ -935,18 +926,14 @@ function uninstall(appId, auditSource, callback) {
        unpurchase(appId, result.appStoreId, function (error) {
            if (error) return callback(error);

-            mailboxdb.delByOwnerId(appId, function (error) {
-                if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+            taskmanager.stopAppTask(appId, function () {
+                appdb.setInstallationCommand(appId, appdb.ISTATE_PENDING_UNINSTALL, function (error) {
+                    if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
+                    if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-                taskmanager.stopAppTask(appId, function () {
-                    appdb.setInstallationCommand(appId, appdb.ISTATE_PENDING_UNINSTALL, function (error) {
-                        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
-                        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+                    eventlog.add(eventlog.ACTION_APP_UNINSTALL, auditSource, { appId: appId });

-                        eventlog.add(eventlog.ACTION_APP_UNINSTALL, auditSource, { appId: appId });
-
-                        taskmanager.startAppTask(appId, callback);
-                    });
+                    taskmanager.startAppTask(appId, callback);
                });
            });
        });
@@ -218,7 +218,7 @@ function registerSubdomain(app, overwrite, callback) {
    assert.strictEqual(typeof overwrite, 'boolean');
    assert.strictEqual(typeof callback, 'function');

-    sysinfo.getIp(function (error, ip) {
+    sysinfo.getPublicIp(function (error, ip) {
        if (error) return callback(error);

        async.retry({ times: 200, interval: 5000 }, function (retryCallback) {
@@ -257,7 +257,7 @@ function unregisterSubdomain(app, location, callback) {
        return callback(null);
    }

-    sysinfo.getIp(function (error, ip) {
+    sysinfo.getPublicIp(function (error, ip) {
        if (error) return callback(error);

        async.retry({ times: 30, interval: 5000 }, function (retryCallback) {
@@ -295,7 +295,7 @@ function waitForDnsPropagation(app, callback) {
        return callback(null);
    }

-    sysinfo.getIp(function (error, ip) {
+    sysinfo.getPublicIp(function (error, ip) {
        if (error) return callback(error);

        subdomains.waitForDns(config.appFqdn(app.location), ip, 'A', { interval: 5000, times: 120 }, callback);
@@ -523,9 +523,18 @@ function configure(app, callback) {

        reserveHttpPort.bind(null, app),

+        updateApp.bind(null, app, { installationProgress: '20, Downloading icon' }),
+        downloadIcon.bind(null, app),
+
        updateApp.bind(null, app, { installationProgress: '35, Registering subdomain' }),
        registerSubdomain.bind(null, app, true /* overwrite */),

+        updateApp.bind(null, app, { installationProgress: '40, Downloading image' }),
+        docker.downloadImage.bind(null, app.manifest),
+
+        updateApp.bind(null, app, { installationProgress: '45, Ensuring volume' }),
+        createVolume.bind(null, app),
+
        // re-setup addons since they rely on the app's fqdn (e.g oauth)
        updateApp.bind(null, app, { installationProgress: '50, Setting up addons' }),
        addons.setupAddons.bind(null, app, app.manifest.addons),
@@ -352,12 +352,16 @@ Acme.prototype.createKeyAndCsr = function (domain, callback) {
 Acme.prototype.downloadChain = function (linkHeader, callback) {
    if (!linkHeader) return new AcmeError(AcmeError.EXTERNAL_ERROR, 'Empty link header when downloading certificate chain');

+    debug('downloadChain: linkHeader %s', linkHeader);
+
    var linkInfo = parseLinks(linkHeader);
    if (!linkInfo || !linkInfo.up) return new AcmeError(AcmeError.EXTERNAL_ERROR, 'Failed to parse link header when downloading certificate chain');

-    debug('downloadChain: downloading from %s', this.caOrigin + linkInfo.up);
+    var intermediateCertUrl = linkInfo.up.startsWith('https://') ? linkInfo.up : (this.caOrigin + linkInfo.up);

-    superagent.get(this.caOrigin + linkInfo.up).buffer().parse(function (res, done) {
+    debug('downloadChain: downloading from %s', intermediateCertUrl);
+
+    superagent.get(intermediateCertUrl).buffer().parse(function (res, done) {
        var data = [ ];
        res.on('data', function(chunk) { data.push(chunk); });
        res.on('end', function () { res.text = Buffer.concat(data); done(); });
@@ -43,8 +43,7 @@ var acme = require('./cert/acme.js'),
    safe = require('safetydance'),
    settings = require('./settings.js'),
    user = require('./user.js'),
-    util = require('util'),
-    x509 = require('x509');
+    util = require('util');

 function CertificatesError(reason, errorOrMessage) {
    assert.strictEqual(typeof reason, 'string');
@@ -268,25 +267,30 @@ function validateCertificate(cert, key, fqdn) {
    if (!cert && key) return new Error('missing cert');
    if (cert && !key) return new Error('missing key');

-    var content;
-    try {
-        content = x509.parseCert(cert);
-    } catch (e) {
-        return new Error('invalid cert: ' + e.message);
-    }
-
-    // check expiration
-    if (content.notAfter < new Date()) return new Error('cert expired');
-
    function matchesDomain(domain) {
+        if (typeof domain !== 'string') return false;
        if (domain === fqdn) return true;
        if (domain.indexOf('*') === 0 && domain.slice(2) === fqdn.slice(fqdn.indexOf('.') + 1)) return true;

        return false;
    }

-    // check domain
-    var domains = content.altNames.concat(content.subject.commonName);
+    // get commonName (http://stackoverflow.com/questions/17353122/parsing-strings-crt-files)
+    var result = safe.child_process.execSync('openssl x509 -noout -subject | sed -r "s|.*CN=(.*)|\\1|; s|/[^/]*=.*$||"', { encoding: 'utf8', input: cert });
+    if (!result) return new Error(util.format('could not get CN'));
+    var commonName = result.trim();
+    debug('validateCertificate: detected commonName as %s', commonName);
+
+    // https://github.com/drwetter/testssl.sh/pull/383
+    var cmd = `openssl x509 -noout -text | grep -A3 "Subject Alternative Name" | \
+               grep "DNS:" | \
+               sed -e "s/DNS://g" -e "s/ //g" -e "s/,/ /g" -e "s/othername:<unsupported>//g"`;
+    result = safe.child_process.execSync(cmd, { encoding: 'utf8', input: cert });
+    var altNames = result ? [ ] : result.trim().split(' '); // might fail if cert has no SAN
+    debug('validateCertificate: detected altNames as %j', altNames);
+
+    // check altNames
+    var domains = altNames.concat(commonName);
    if (!domains.some(matchesDomain)) return new Error(util.format('cert is not valid for this domain. Expecting %s in %j', fqdn, domains));

    // http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
@@ -294,6 +298,10 @@ function validateCertificate(cert, key, fqdn) {
    var keyModulus = safe.child_process.execSync('openssl rsa -noout -modulus', { encoding: 'utf8', input: key });
    if (certModulus !== keyModulus) return new Error('key does not match the cert');

+   // check expiration
+    result = safe.child_process.execSync('openssl x509 -checkend 0', { encoding: 'utf8', input: cert });
+    if (!result) return new Error('cert expired');
+
    return null;
 }

@@ -32,7 +32,6 @@ exports = module.exports = {
    TYPE_EXTERNAL: 'external',
    TYPE_BUILT_IN: 'built-in',
    TYPE_OAUTH: 'addon-oauth',
-    TYPE_SIMPLE_AUTH: 'addon-simpleauth',
    TYPE_PROXY: 'addon-proxy'
 };

@@ -192,7 +191,6 @@ function getAll(callback) {

                if (record.type === exports.TYPE_PROXY) record.name = result.manifest.title + ' Website Proxy';
                if (record.type === exports.TYPE_OAUTH) record.name = result.manifest.title + ' OAuth';
-                if (record.type === exports.TYPE_SIMPLE_AUTH) record.name = result.manifest.title + ' Simple Auth';

                record.location = result.location;

@@ -242,7 +242,8 @@ function configureDefaultServer(callback) {
    if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) {
        debug('configureDefaultServer: create new cert');

-        var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=%s -nodes', keyFilePath, certFilePath, 'localhost');
+        var cn = 'cloudron-' + (new Date()).toISOString(); // randomize date a bit to keep firefox happy
+        var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=%s -nodes', keyFilePath, certFilePath, cn);
        safe.child_process.execSync(certCommand);
    }

@@ -264,7 +265,7 @@ function configureAdmin(callback) {

    debug('configureAdmin');

-    sysinfo.getIp(function (error, ip) {
+    sysinfo.getPublicIp(function (error, ip) {
        if (error) return callback(error);

        subdomains.waitForDns(config.adminFqdn(), ip, 'A', { interval: 30000, times: 50000 }, function (error) {
@@ -467,7 +468,11 @@ function sendAliveStatus(callback) {
            domain: config.fqdn(),
            version: config.version(),
            provider: config.provider(),
-            backendSettings: backendSettings
+            backendSettings: backendSettings,
+            machine: {
+                cpus: os.cpus(),
+                totalmem: os.totalmem()
+            }
        };

        superagent.post(url).send(data).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
@@ -496,7 +501,8 @@ function sendAliveStatus(callback) {
            mailConfig: {
                enabled: result[settings.MAIL_CONFIG_KEY].enabled
            },
-            autoupdatePattern: result[settings.AUTOUPDATE_PATTERN_KEY]
+            autoupdatePattern: result[settings.AUTOUPDATE_PATTERN_KEY],
+            timeZone: result[settings.TIME_ZONE_KEY]
        };

        // Caas Cloudrons do not store appstore credentials in their local database
@@ -568,6 +574,7 @@ function readDkimPublicKeySync() {
 }

 // NOTE: if you change the SPF record here, be sure the wait check in mailer.js
+// https://agari.zendesk.com/hc/en-us/articles/202952749-How-long-can-my-SPF-record-be-
 function txtRecordsWithSpf(callback) {
    assert.strictEqual(typeof callback, 'function');

@@ -576,21 +583,25 @@ function txtRecordsWithSpf(callback) {

        debug('txtRecordsWithSpf: current txt records - %j', txtRecords);

-        var i, validSpf;
+        var i, matches, validSpf;

        for (i = 0; i < txtRecords.length; i++) {
-            if (txtRecords[i].indexOf('"v=spf1 ') !== 0) continue; // not SPF
+            matches = txtRecords[i].match(/^("?v=spf1) /); // DO backend may return without quotes
+            if (matches === null) continue;

-            validSpf = txtRecords[i].indexOf(' a:' + config.adminFqdn() + ' ') !== -1;
-            break;
+            // this won't work if the entry is arbitrarily "split" across quoted strings
+            validSpf = txtRecords[i].indexOf('a:' + config.adminFqdn()) !== -1;
+            break; // there can only be one SPF record
        }

        if (validSpf) return callback(null, null);

-        if (i == txtRecords.length) {
-            txtRecords[i] = '"v=spf1 a:' + config.adminFqdn() + ' ~all"';
-        } else {
-            txtRecords[i] = '"v=spf1 a:' + config.adminFqdn() + ' ' + txtRecords[i].slice('"v=spf1 '.length);
+        if (!matches) { // no spf record was found, create one
+            txtRecords.push('"v=spf1 a:' + config.adminFqdn() + ' ~all"');
+            debug('txtRecordsWithSpf: adding txt record');
+        } else { // just add ourself
+            txtRecords[i] = matches[1] + ' a:' + config.adminFqdn() + txtRecords[i].slice(matches[1].length);
+            debug('txtRecordsWithSpf: inserting txt record');
        }

        return callback(null, txtRecords);
@@ -611,7 +622,7 @@ function addDnsRecords(callback) {
    var dkimKey = readDkimPublicKeySync();
    if (!dkimKey) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, new Error('Failed to read dkim public key')));

-    sysinfo.getIp(function (error, ip) {
+    sysinfo.getPublicIp(function (error, ip) {
        if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));

        var webadminRecord = { subdomain: constants.ADMIN_LOCATION, type: 'A', values: [ ip ] };
@@ -947,7 +958,7 @@ function migrate(options, callback) {
 function refreshDNS(callback) {
    callback = callback || NOOP_CALLBACK;

-    sysinfo.getIp(function (error, ip) {
+    sysinfo.getPublicIp(function (error, ip) {
        if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));

        debug('refreshDNS: current ip %s', ip);
@@ -84,7 +84,6 @@ function initConfig() {
    data.smtpPort = 2525; // // this value comes from mail container
    data.sysadminPort = 3001;
    data.ldapPort = 3002;
-    data.simpleAuthPort = 3004;
    data.provider = 'caas';
    data.appBundle = [ ];

@@ -85,6 +85,7 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
                  .end(function (error, result) {
                    if (error && !error.response) return callback(error);
                    if (result.statusCode === 403 || result.statusCode === 401) return callback(new SubdomainError(SubdomainError.ACCESS_DENIED, util.format('%s %j', result.statusCode, result.body)));
+                    if (result.statusCode === 422) return callback(new SubdomainError(SubdomainError.BAD_FIELD, result.body.message));
                    if (result.statusCode !== 201) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));

                    return callback(null);
@@ -100,6 +101,7 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {

                    if (error && !error.response) return callback(error);
                    if (result.statusCode === 403 || result.statusCode === 401) return callback(new SubdomainError(SubdomainError.ACCESS_DENIED, util.format('%s %j', result.statusCode, result.body)));
+                    if (result.statusCode === 422) return callback(new SubdomainError(SubdomainError.BAD_FIELD, result.body.message));
                    if (result.statusCode !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));

                    return callback(null);
@@ -190,6 +192,11 @@ function verifyDnsConfig(dnsConfig, domain, ip, callback) {
        if (error && error.code === 'ENOTFOUND') return callback(new SubdomainError(SubdomainError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
        if (error || !nameservers) return callback(new SubdomainError(SubdomainError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));

+        if (nameservers.map(function (n) { return n.toLowerCase(); }).indexOf('ns1.digitalocean.com') === -1) {
+            debug('verifyDnsConfig: %j does not contains DO NS', nameservers);
+            return callback(new SubdomainError(SubdomainError.BAD_FIELD, 'Domain nameservers are not set to Digital Ocean'));
+        }
+
        upsert(credentials, domain, 'my', 'A', [ ip ], function (error, changeId) {
            if (error) return callback(error);

@@ -10,7 +10,7 @@ exports = module.exports = {

 var assert = require('assert'),
    async = require('async'),
-    debug = require('debug')('box:dns/noop'),
+    debug = require('debug')('box:dns/manual'),
    dns = require('native-dns'),
    SubdomainError = require('../subdomains.js').SubdomainError,
    util = require('util');
@@ -60,18 +60,14 @@ function verifyDnsConfig(dnsConfig, domain, ip, callback) {
    dns.resolveNs(domain, function (error, nameservers) {
        if (error || !nameservers) return callback(new SubdomainError(SubdomainError.BAD_FIELD, 'Unable to get nameservers'));

-        // async.every only reports bools
-        var stashedError = null;
-
-        async.every(nameservers, function (nameserver, callback) {
+        async.every(nameservers, function (nameserver, everyNsCallback) {
            // ns records cannot have cname
            dns.resolve4(nameserver, function (error, nsIps) {
                if (error || !nsIps || nsIps.length === 0) {
-                    stashedError = new SubdomainError(SubdomainError.BAD_FIELD, 'Unable to resolve nameservers for this domain');
-                    return callback(false);
+                    return everyNsCallback(new SubdomainError(SubdomainError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
                }

-                async.every(nsIps, function (nsIp, callback) {
+                async.every(nsIps, function (nsIp, everyIpCallback) {
                    var req = dns.Request({
                        question: dns.Question({ name: adminDomain, type: 'A' }),
                        server: { address: nsIp },
@@ -80,20 +76,20 @@ function verifyDnsConfig(dnsConfig, domain, ip, callback) {

                    req.on('timeout', function () {
                        debug('nameserver %s (%s) timed out when trying to resolve %s', nameserver, nsIp, adminDomain);
-                        return callback(true); // should be ok if dns server is down
+                        return everyIpCallback(null, true); // should be ok if dns server is down
                    });

                    req.on('message', function (error, message) {
                        if (error) {
                            debug('nameserver %s (%s) returned error trying to resolve %s: %s', nameserver, nsIp, adminDomain, error);
-                            return callback(false);
+                            return everyIpCallback(null, false);
                        }

                        var answer = message.answer;

                        if (!answer || answer.length === 0) {
                            debug('bad answer from nameserver %s (%s) resolving %s (%s): %j', nameserver, nsIp, adminDomain, 'A', message);
-                            return callback(false);
+                            return everyIpCallback(null, false);
                        }

                        debug('verifyDnsConfig: ns: %s (%s), name:%s Actual:%j Expecting:%s', nameserver, nsIp, adminDomain, answer, ip);
@@ -102,16 +98,16 @@ function verifyDnsConfig(dnsConfig, domain, ip, callback) {
                            return a.address === ip;
                        });

-                        if (match) return callback(true); // done!
+                        if (match) return everyIpCallback(null, true); // done!

-                        callback(false);
+                        everyIpCallback(null, false);
                    });

                    req.send();
-                }, callback);
+                }, everyNsCallback);
            });
-        }, function (success) {
-            if (stashedError) return callback(stashedError);
+        }, function (error, success) {
+            if (error) return callback(error);
            if (!success) return callback(new SubdomainError(SubdomainError.BAD_FIELD, 'The domain ' + adminDomain + ' does not resolve to the server\'s IP ' + ip));

            callback(null, { provider: dnsConfig.provider, wildcard: !!dnsConfig.wildcard });
@@ -48,8 +48,8 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {

 function waitForDns(domain, value, type, options, callback) {
    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof value, 'string');
-    assert(type === 'A' || type === 'CNAME');
+    assert(typeof value === 'string' || util.isRegExp(value));
+    assert(type === 'A' || type === 'CNAME' || type === 'TXT');
    assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
    assert.strictEqual(typeof callback, 'function');

@@ -241,7 +241,7 @@ function verifyDnsConfig(dnsConfig, domain, ip, callback) {
            }

            upsert(credentials, domain, 'my', 'A', [ ip ], function (error, changeId) {
-                if (error) return callback(new SubdomainError(SubdomainError.INTERNAL_ERROR, error));
+                if (error) return callback(error);

                debug('verifyDnsConfig: A record added with change id %s', changeId);

@@ -7,12 +7,12 @@ var assert = require('assert'),
    debug = require('debug')('box:dns/waitfordns'),
    dns = require('native-dns'),
    SubdomainError = require('../subdomains.js').SubdomainError,
-    tld = require('tldjs');
+    tld = require('tldjs'),
+    util = require('util');

-// the first arg to callback is not an error argument; this is required for async.every
 function isChangeSynced(domain, value, type, nameserver, callback) {
    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof value, 'string');
+    assert(util.isRegExp(value));
    assert.strictEqual(typeof type, 'string');
    assert.strictEqual(typeof nameserver, 'string');
    assert.strictEqual(typeof callback, 'function');
@@ -33,31 +33,33 @@ function isChangeSynced(domain, value, type, nameserver, callback) {

            req.on('timeout', function () {
                debug('nameserver %s (%s) timed out when trying to resolve %s', nameserver, nsIp, domain);
-                return iteratorCallback(true); // should be ok if dns server is down
+                return iteratorCallback(null, true); // should be ok if dns server is down
            });

            req.on('message', function (error, message) {
                if (error) {
                    debug('nameserver %s (%s) returned error trying to resolve %s: %s', nameserver, nsIp, domain, error);
-                    return iteratorCallback(false);
+                    return iteratorCallback(null, false);
                }

                var answer = message.answer;

                if (!answer || answer.length === 0) {
                    debug('bad answer from nameserver %s (%s) resolving %s (%s): %j', nameserver, nsIp, domain, type, message);
-                    return iteratorCallback(false);
+                    return iteratorCallback(null, false);
                }

                debug('isChangeSynced: ns: %s (%s), name:%s Actual:%j Expecting:%s', nameserver, nsIp, domain, answer, value);

                var match = answer.some(function (a) {
-                    return ((type === 'A' && a.address === value) || (type === 'CNAME' && a.data === value));
+                    return ((type === 'A' && value.test(a.address)) ||
+                            (type === 'CNAME' && value.test(a.data)) ||
+                            (type === 'TXT' && value.test(a.data.join(''))));
                });

-                if (match) return iteratorCallback(true); // done!
+                if (match) return iteratorCallback(null, true); // done!

-                iteratorCallback(false);
+                iteratorCallback(null, false);
            });

            req.send();
@@ -68,12 +70,16 @@ function isChangeSynced(domain, value, type, nameserver, callback) {
 // check if IP change has propagated to every nameserver
 function waitForDns(domain, value, type, options, callback) {
    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof value, 'string');
-    assert(type === 'A' || type === 'CNAME');
+    assert(typeof value === 'string' || util.isRegExp(value));
+    assert(type === 'A' || type === 'CNAME' || type === 'TXT');
    assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
    assert.strictEqual(typeof callback, 'function');

    var zoneName = tld.getDomain(domain);
+    if (typeof value === 'string') {
+        // http://stackoverflow.com/questions/3561493/is-there-a-regexp-escape-function-in-javascript
+        value = new RegExp('^' + value.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&') + '$');
+    }
    debug('waitForIp: domain %s to be %s in zone %s.', domain, value, zoneName);

    var attempt = 1;
@@ -83,7 +89,7 @@ function waitForDns(domain, value, type, options, callback) {
        dns.resolveNs(zoneName, function (error, nameservers) {
            if (error || !nameservers) return retryCallback(error || new SubdomainError(SubdomainError.EXTERNAL_ERROR, 'Unable to get nameservers'));

-            async.every(nameservers, isChangeSynced.bind(null, domain, value, type), function (synced) {
+            async.every(nameservers, isChangeSynced.bind(null, domain, value, type), function (error, synced) {
                debug('waitForIp: %s %s ns: %j', domain, synced ? 'done' : 'not done', nameservers);

                retryCallback(synced ? null : new SubdomainError(SubdomainError.EXTERNAL_ERROR, 'ETRYAGAIN'));
@@ -8,7 +8,7 @@ exports = module.exports = {
    getAllPaged: getAllPaged,
    cleanup: cleanup,

-    // keep in sync with webadmin index.js filter
+    // keep in sync with webadmin index.js filter and CLI tool
    ACTION_ACTIVATE: 'cloudron.activate',
    ACTION_APP_CLONE: 'app.clone',
    ACTION_APP_CONFIGURE: 'app.configure',
@@ -16,6 +16,7 @@ exports = module.exports = {
    ACTION_APP_RESTORE: 'app.restore',
    ACTION_APP_UNINSTALL: 'app.uninstall',
    ACTION_APP_UPDATE: 'app.update',
+    ACTION_APP_LOGIN: 'app.login',
    ACTION_BACKUP_FINISH: 'backup.finish',
    ACTION_BACKUP_START: 'backup.start',
    ACTION_CERTIFICATE_RENEWAL: 'certificate.renew',
@@ -25,7 +25,8 @@ exports = module.exports = {
 var assert = require('assert'),
    constants = require('./constants.js'),
    database = require('./database.js'),
-    DatabaseError = require('./databaseerror');
+    DatabaseError = require('./databaseerror'),
+    mailboxdb = require('./mailboxdb.js');

 var GROUPS_FIELDS = [ 'id', 'name' ].join(',');

@@ -88,10 +89,14 @@ function add(id, name, callback) {
    assert.strictEqual(typeof callback, 'function');

    var data = [ id, name ];
-    database.query('INSERT INTO groups (id, name) VALUES (?, ?)',
-           data, function (error, result) {
+
+    var queries = [];
+    queries.push({ query: 'INSERT INTO mailboxes (name, ownerId, ownerType) VALUES (?, ?, ?)', args: [ name, id, mailboxdb.TYPE_GROUP ] });
+    queries.push({ query: 'INSERT INTO groups (id, name) VALUES (?, ?)', args: [ id, name ] });
+
+    database.transaction(queries, function (error, result) {
        if (error && error.code === 'ER_DUP_ENTRY') return callback(new DatabaseError(DatabaseError.ALREADY_EXISTS, error));
-        if (error || result.affectedRows !== 1) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+        if (error || result[1].affectedRows !== 1) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));

        callback(null);
    });
@@ -105,6 +110,7 @@ function del(id, callback) {
    var queries = [];
    queries.push({ query: 'DELETE FROM groupMembers WHERE groupId = ?', args: [ id ] });
    queries.push({ query: 'DELETE FROM groups WHERE id = ?', args: [ id ] });
+    queries.push({ query: 'DELETE FROM mailboxes WHERE ownerId=?', args: [ id ] });

    database.transaction(queries, function (error, result) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
@@ -24,7 +24,6 @@ var assert = require('assert'),
    constants = require('./constants.js'),
    DatabaseError = require('./databaseerror.js'),
    groupdb = require('./groupdb.js'),
-    mailboxdb = require('./mailboxdb.js'),
    util = require('util'),
    uuid = require('node-uuid');

@@ -85,16 +84,11 @@ function create(name, callback) {
    if (error) return callback(error);

    var id = 'gid-' + uuid.v4();
-    mailboxdb.add(name, id /* owner */, mailboxdb.TYPE_GROUP, function (error) {
+    groupdb.add(id, name, function (error) {
        if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new GroupError(GroupError.ALREADY_EXISTS));
        if (error) return callback(new GroupError(GroupError.INTERNAL_ERROR, error));

-        groupdb.add(id, name, function (error) {
-            if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new GroupError(GroupError.ALREADY_EXISTS));
-            if (error) return callback(new GroupError(GroupError.INTERNAL_ERROR, error));
-
-            callback(null, { id: id, name: name });
-        });
+        callback(null, { id: id, name: name });
    });
 }

@@ -105,16 +99,11 @@ function remove(id, callback) {
    // never allow admin group to be deleted
    if (id === constants.ADMIN_GROUP_ID) return callback(new GroupError(GroupError.NOT_ALLOWED));

-    mailboxdb.delByOwnerId(id, function (error) {
+    groupdb.del(id, function (error) {
        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new GroupError(GroupError.NOT_FOUND));
        if (error) return callback(new GroupError(GroupError.INTERNAL_ERROR, error));

-        groupdb.del(id, function (error) {
-            if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new GroupError(GroupError.NOT_FOUND));
-            if (error) return callback(new GroupError(GroupError.INTERNAL_ERROR, error));
-
-            callback(null);
-        });
+        callback(null);
    });
 }

@@ -5,20 +5,20 @@
 // Do not require anything here!

 exports = module.exports = {
-    // a version bump means that all containers (apps and addons) are recreated
-    'version': 45,
+    // a version bump means that all app containers are recreated
+    'version': 46,

-    'baseImages': [ 'cloudron/base:0.9.0' ],
+    'baseImages': [ 'cloudron/base:0.10.0' ],

    // Note that if any of the databases include an upgrade, bump the infra version above
    // This is because we upgrade using dumps instead of mysql_upgrade, pg_upgrade etc
    'images': {
-        'mysql': { repo: 'cloudron/mysql', tag: 'cloudron/mysql:0.13.0' },
-        'postgresql': { repo: 'cloudron/postgresql', tag: 'cloudron/postgresql:0.15.0' },
-        'mongodb': { repo: 'cloudron/mongodb', tag: 'cloudron/mongodb:0.11.0' },
-        'redis': { repo: 'cloudron/redis', tag: 'cloudron/redis:0.10.0' },
-        'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:0.29.0' },
-        'graphite': { repo: 'cloudron/graphite', tag: 'cloudron/graphite:0.10.0' }
+        'mysql': { repo: 'cloudron/mysql', tag: 'cloudron/mysql:0.14.0' },
+        'postgresql': { repo: 'cloudron/postgresql', tag: 'cloudron/postgresql:0.16.0' },
+        'mongodb': { repo: 'cloudron/mongodb', tag: 'cloudron/mongodb:0.12.0' },
+        'redis': { repo: 'cloudron/redis', tag: 'cloudron/redis:0.11.0' },
+        'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:0.30.3' },
+        'graphite': { repo: 'cloudron/graphite', tag: 'cloudron/graphite:0.11.0' }
    }
 };

@@ -7,6 +7,7 @@ exports = module.exports = {

 var assert = require('assert'),
    apps = require('./apps.js'),
+    async = require('async'),
    config = require('./config.js'),
    DatabaseError = require('./databaseerror.js'),
    debug = require('debug')('box:ldap'),
@@ -15,8 +16,7 @@ var assert = require('assert'),
    UserError = user.UserError,
    ldap = require('ldapjs'),
    mailboxdb = require('./mailboxdb.js'),
-    safe = require('safetydance'),
-    util = require('util');
+    safe = require('safetydance');

 var gServer = null;

@@ -26,6 +26,9 @@ var GROUP_USERS_DN = 'cn=users,ou=groups,dc=cloudron';
 var GROUP_ADMINS_DN = 'cn=admins,ou=groups,dc=cloudron';

 function getAppByRequest(req, callback) {
+    assert.strictEqual(typeof req, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
    var sourceIp = req.connection.ldap.id.split(':')[0];
    if (sourceIp.split('.').length !== 4) return callback(new ldap.InsufficientAccessRightsError('Missing source identifier'));

@@ -38,20 +41,42 @@ function getAppByRequest(req, callback) {
    });
 }

+function getUsersWithAccessToApp(req, callback) {
+    assert.strictEqual(typeof req, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    getAppByRequest(req, function (error, app) {
+        if (error) return callback(error);
+
+        user.list(function (error, result){
+            if (error) return callback(new ldap.OperationsError(error.toString()));
+
+            async.filter(result, apps.hasAccessTo.bind(null, app), function (error, result) {
+                if (error) return callback(new ldap.OperationsError(error.toString()));
+
+                callback(null, result);
+            });
+        });
+    });
+}
+
 function userSearch(req, res, next) {
    debug('user search: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);

-    user.list(function (error, result) {
-        if (error) return next(new ldap.OperationsError(error.toString()));
+    getUsersWithAccessToApp(req, function (error, result) {
+        if (error) return next(error);

        // send user objects
        result.forEach(function (entry) {
+            // skip entries with empty username. Some apps like owncloud can't deal with this
+            if (!entry.username) return;
+
            var dn = ldap.parseDN('cn=' + entry.id + ',ou=users,dc=cloudron');

            var groups = [ GROUP_USERS_DN ];
            if (entry.admin) groups.push(GROUP_ADMINS_DN);

-            var displayName = entry.displayName || entry.username;
+            var displayName = entry.displayName || entry.username || ''; // displayName can be empty and username can be null
            var nameParts = displayName.split(' ');
            var firstName = nameParts[0];
            var lastName = nameParts.length > 1  ? nameParts[nameParts.length - 1] : ''; // choose last part, if it exists
@@ -69,6 +94,7 @@ function userSearch(req, res, next) {
                    givenName: firstName,
                    username: entry.username,
                    samaccountname: entry.username,      // to support ActiveDirectory clients
+                    isadmin: entry.admin ? 1 : 0,
                    memberof: groups
                }
            };
@@ -93,8 +119,8 @@ function userSearch(req, res, next) {
 function groupSearch(req, res, next) {
    debug('group search: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);

-    user.list(function (error, result){
-        if (error) return next(new ldap.OperationsError(error.toString()));
+    getUsersWithAccessToApp(req, function (error, result) {
+        if (error) return next(error);

        var groups = [{
            name: 'users',
@@ -293,7 +319,7 @@ function authenticateMailbox(req, res, next) {

        if (mailbox.ownerType === mailboxdb.TYPE_APP) {
            if (req.credentials !== mailbox.ownerId) return next(new ldap.NoSuchObjectError(req.dn.toString()));
-            eventlog.add(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', mailboxId: name }, { appId: mailbox.ownerId });
+            eventlog.add(eventlog.ACTION_APP_LOGIN, { authType: 'ldap', mailboxId: name }, { appId: mailbox.ownerId });
            return res.end();
        }

@@ -4,6 +4,12 @@ Dear Cloudron Admin,

 The certificate for <%= domain %> could not be renewed.

+The Cloudron will attempt to renew the certificate every 12 hours
+until the certificate expires (at which point it will switch to
+using the fallback certificate).
+
+The error was:
+
 -------------------------------------

 <%- message %>
@@ -2,10 +2,12 @@

 Dear Cloudron Admin,

-The <%= program %> on <%= fqdn %> exited unexpectedly!
+<%= program %> on <%= fqdn %> exited unexpectedly using too much memory!

-The program has been restarted but should this message appear repeatedly,
-you should give the program more memory.
+The app has been restarted now. Should this message appear repeatedly or
+undefined behavior is observed, give the app more memory.
+This can be done in the advanced settings in the app configuration dialog
+in your Cloudron's web interface.

 Please see some excerpt of the logs below.

@@ -208,7 +208,7 @@ function getAlias(name, callback) {
    assert.strictEqual(typeof name, 'string');
    assert.strictEqual(typeof callback, 'function');

-    database.query('SELECT ' + MAILBOX_FIELDS + ' FROM mailboxes WHERE name = ? AND aliasTarget IS NOT null', [ name ], function (error, results) {
+    database.query('SELECT ' + MAILBOX_FIELDS + ' FROM mailboxes WHERE name = ? AND aliasTarget IS NOT NULL', [ name ], function (error, results) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
        if (results.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));

@@ -37,7 +37,6 @@ var assert = require('assert'),
    async = require('async'),
    config = require('./config.js'),
    debug = require('debug')('box:mailer'),
-    dns = require('native-dns'),
    docker = require('./docker.js').connection,
    ejs = require('ejs'),
    nodemailer = require('nodemailer'),
@@ -46,6 +45,7 @@ var assert = require('assert'),
    settings = require('./settings.js'),
    showdown = require('showdown'),
    smtpTransport = require('nodemailer-smtp-transport'),
+    subdomains = require('./subdomains.js'),
    users = require('./user.js'),
    util = require('util'),
    _ = require('underscore');
@@ -55,8 +55,7 @@ var NOOP_CALLBACK = function (error) { if (error) debug(error); };
 var MAIL_TEMPLATES_DIR = path.join(__dirname, 'mail_templates');

 var gMailQueue = [ ],
-    gDnsReady = false,
-    gCheckDnsTimerId = null;
+    gDnsReady = false;

 function splatchError(error) {
    var result = { };
@@ -81,8 +80,6 @@ function stop(callback) {
    assert.strictEqual(typeof callback, 'function');

    // TODO: interrupt processQueue as well
-    clearTimeout(gCheckDnsTimerId);
-    gCheckDnsTimerId = null;

    debug(gMailQueue.length + ' mail items dropped');
    gMailQueue = [ ];
@@ -96,60 +93,13 @@ function mailConfig() {
    };
 }

-function getTxtRecords(callback) {
-    dns.resolveNs(config.zoneName(), function (error, nameservers) {
-        if (error || !nameservers) return callback(error || new Error('Unable to get nameservers'));
-
-        var nameserver = nameservers[0];
-
-        dns.resolve4(nameserver, function (error, nsIps) {
-            if (error || !nsIps || nsIps.length === 0) return callback(error);
-
-            var req = dns.Request({
-                question: dns.Question({ name: config.fqdn(), type: 'TXT' }),
-                server: { address: nsIps[0] },
-                timeout: 5000
-            });
-
-            req.on('timeout', function () { return callback(new Error('ETIMEOUT')); });
-
-            req.on('message', function (error, message) {
-                if (error || !message.answer || message.answer.length === 0) return callback(null, null);
-
-                var records = message.answer.map(function (a) { return a.data[0]; });
-                callback(null, records);
-            });
-
-            req.send();
-        });
-    });
-}
-
 // keep this in sync with the cloudron.js dns changes
 function checkDns() {
-    getTxtRecords(function (error, records) {
-        if (error || !records) {
-            debug('checkDns: DNS error or no records looking up TXT records for %s %s', config.fqdn(), error, records);
-            gCheckDnsTimerId = setTimeout(checkDns, 60000);
-            return;
-        }
-
-        var allowedToSendMail = false;
-
-        for (var i = 0; i < records.length; i++) {
-            if (records[i].indexOf('v=spf1 ') !== 0) continue; // not SPF
-
-            allowedToSendMail = records[i].indexOf('a:' + config.adminFqdn()) !== -1;
-            break; // only one SPF record can exist (https://support.google.com/a/answer/4568483?hl=en)
-        }
-
-        if (!allowedToSendMail) {
-            debug('checkDns: SPF records disallow sending email from cloudron. %j', records);
-            gCheckDnsTimerId = setTimeout(checkDns, 60000);
-            return;
-        }
+    subdomains.waitForDns(config.fqdn(), new RegExp('^v=spf1 .*a:' + config.adminFqdn().replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&') + '.*'), 'TXT', { interval: 60000, times: Infinity }, function (error) {
+        if (error) return debug(error); // can never happen

        debug('checkDns: SPF check passed. commencing mail processing');
+
        gDnsReady = true;
        processQueue();
    });
@@ -232,7 +182,7 @@ function mailUserEventToAdmins(user, event) {
    assert.strictEqual(typeof event, 'string');

    getAdminEmails(function (error, adminEmails) {
-        if (error) return console.log('Error getting admins', error);
+        if (error) return debug('Error getting admins', error);

        adminEmails = _.difference(adminEmails, [ user.email ]);

@@ -395,7 +345,7 @@ function appDied(app) {

        var mailOptions = {
            from: mailConfig().from,
-            to: config.provider() === 'caas' ? 'support@cloudron.io' : adminEmails.concat('support@cloudron.io').join(', '),
+            to: config.provider() === 'caas' ? 'support@cloudron.io' : adminEmails.join(', '),
            subject: util.format('[%s] App %s is down', config.fqdn(), app.fqdn),
            text: render('app_down.ejs', { fqdn: config.fqdn(), title: app.manifest.title, appFqdn: app.fqdn, format: 'text' })
        };
@@ -491,7 +441,7 @@ function backupFailed(error) {

        var mailOptions = {
            from: mailConfig().from,
-            to: config.provider() === 'caas' ? 'support@cloudron.io' : adminEmails.concat('support@cloudron.io').join(', '),
+            to: config.provider() === 'caas' ? 'support@cloudron.io' : adminEmails.join(', '),
            subject: util.format('[%s] Failed to backup', config.fqdn()),
            text: render('backup_failed.ejs', { fqdn: config.fqdn(), message: message, format: 'text' })
        };
@@ -509,7 +459,7 @@ function certificateRenewalError(domain, message) {

        var mailOptions = {
            from: mailConfig().from,
-            to: config.provider() === 'caas' ? 'support@cloudron.io' : adminEmails.concat('support@cloudron.io').join(', '),
+            to: config.provider() === 'caas' ? 'support@cloudron.io' : adminEmails.join(', '),
            subject: util.format('[%s] Certificate renewal error', domain),
            text: render('certificate_renewal_error.ejs', { domain: domain, message: message, format: 'text' })
        };
@@ -527,7 +477,7 @@ function oomEvent(program, context) {

        var mailOptions = {
            from: mailConfig().from,
-            to: config.provider() === 'caas' ? 'support@cloudron.io' : adminEmails.concat('support@cloudron.io').join(', '),
+            to: config.provider() === 'caas' ? 'support@cloudron.io' : adminEmails.join(', '),
            subject: util.format('[%s] %s exited unexpectedly', config.fqdn(), program),
            text: render('oom_event.ejs', { fqdn: config.fqdn(), program: program, context: context, format: 'text' })
        };
@@ -543,6 +493,8 @@ function unexpectedExit(program, context, callback) {
    assert.strictEqual(typeof context, 'string');
    assert.strictEqual(typeof callback, 'function');

+    if (config.provider() !== 'caas') return callback(); // no way to get admins without db access
+
    var mailOptions = {
        from: mailConfig().from,
        to: 'support@cloudron.io',
@@ -0,0 +1,48 @@
+<% include header %>
+
+<!-- tester -->
+
+<script>
+
+'use strict';
+
+// very basic angular app
+var app = angular.module('Application', []);
+app.controller('Controller', ['$scope', function ($scope) {
+    $scope.success = <%= success %>;
+    $scope.error = '<%= error %>';
+}]);
+
+</script>
+
+<div class="container" ng-app="Application" ng-controller="Controller" ng-cloak>
+    <div class="row">
+        <div class="col-md-12 text-center">
+            <br/>
+            <h4 ng-hide="success">Hello there, welcome to <%= cloudronName %>.</h4>
+            <h2 ng-hide="success">Sign up with your email address.</h2>
+            <h3 ng-show="success">You have received an email invitation to this Cloudron to finish the signup.</h3>
+            <br/><br/>
+        </div>
+    </div>
+    <div class="row">
+        <div class="col-md-6 col-md-offset-3" ng-show="!success">
+            <form action="/api/v1/session/account/create" method="post" name="createForm" autocomplete="off" role="form" novalidate>
+                <input type="password" style="display: none;">
+                <input type="hidden" name="_csrf" value="<%= csrf %>"/>
+
+                <div class="form-group" ng-class="{ 'has-error': (createForm.email.$dirty && createForm.email.$invalid) || (!createForm.email.$dirty && error) }">
+                    <label class="control-label" for="inputEmail">Email</label>
+                    <input type="email" class="form-control" id="inputEmail" ng-model="email" name="email" autofocus required>
+                    <div class="control-label" ng-show="(createForm.email.$dirty && createForm.email.$invalid) || (!createForm.email.$dirty && error)">
+                        <small ng-show="createForm.email.$dirty && createForm.email.$invalid">Must be a valid email address</small>
+                        <small ng-show="!createForm.email.$dirty && error">{{ error }}</small>
+                    </div>
+                </div>
+                <input class="btn btn-primary btn-outline pull-right" type="submit" value="Create" ng-disabled="createForm.$invalid"/>
+            </form>
+        </div>
+    </div>
+</div>
+
+<% include footer %>
@@ -32,19 +32,19 @@ app.controller('Controller', ['$scope', function ($scope) {
                <center><p class="has-error"><%= error %></p></center>

 <% if (user && user.username) { %>
-                <div class="form-group"">
+                <div class="form-group">
                    <label class="control-label">Username</label>
                    <input type="text" class="form-control" ng-model="username" name="username" readonly required>
                </div>
 <% } else { %>
                <div class="form-group" ng-class="{ 'has-error': (setupForm.username.$dirty && setupForm.username.$invalid) }">
                    <label class="control-label">Username</label>
+                    <input type="text" class="form-control" ng-model="username" name="username" required autofocus>
                    <div class="control-label" ng-show="setupForm.username.$dirty && setupForm.username.$invalid">
                        <small ng-show="setupForm.username.$error.minlength">The username is too short</small>
                        <small ng-show="setupForm.username.$error.maxlength">The username is too long</small>
                        <small ng-show="setupForm.username.$dirty && setupForm.username.$invalid">Not a valid username</small>
                    </div>
-                    <input type="text" class="form-control" ng-model="username" name="username" required autofocus>
                </div>
 <% } %>

@@ -55,18 +55,18 @@ app.controller('Controller', ['$scope', function ($scope) {

                <div class="form-group" ng-class="{ 'has-error': (setupForm.password.$dirty && setupForm.password.$invalid) }">
                    <label class="control-label">New Password</label>
+                    <input type="password" class="form-control" ng-model="password" name="password" ng-pattern="/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^a-zA-Z0-9])(?!.*\s).{8,30}$/" required>
                    <div class="control-label" ng-show="setupForm.password.$dirty && setupForm.password.$invalid">
                        <small ng-show="setupForm.password.$dirty && setupForm.password.$invalid">Password must be 8-30 character with at least one uppercase, one numeric and one special character</small>
                    </div>
-                    <input type="password" class="form-control" ng-model="password" name="password" ng-pattern="/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^a-zA-Z0-9])(?!.*\s).{8,30}$/" required>
                </div>

                <div class="form-group" ng-class="{ 'has-error': (setupForm.passwordRepeat.$dirty && (password !== passwordRepeat)) }">
                    <label class="control-label">Repeat Password</label>
+                    <input type="password" class="form-control" ng-model="passwordRepeat" name="passwordRepeat" required>
                    <div class="control-label" ng-show="setupForm.passwordRepeat.$dirty && (password !== passwordRepeat)">
                        <small ng-show="setupForm.passwordRepeat.$dirty && (password !== passwordRepeat)">Passwords don't match</small>
                    </div>
-                    <input type="password" class="form-control" ng-model="passwordRepeat" name="passwordRepeat" required>
                </div>

                <input class="btn btn-primary btn-outline pull-right" type="submit" value="Create" ng-disabled="setupForm.$invalid || password !== passwordRepeat"/>
@@ -12,7 +12,7 @@
    <link href="<%= adminOrigin %>/theme.css" rel="stylesheet">

    <!-- Custom Fonts -->
-    <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" type="text/css">
+    <link href="<%= adminOrigin %>/3rdparty/css/font-awesome.min.css" rel="stylesheet" rel="stylesheet" type="text/css">

    <!-- jQuery-->
    <script src="<%= adminOrigin %>/3rdparty/js/jquery.min.js"></script>
@@ -26,17 +26,17 @@ app.controller('Controller', [function () {}]);

                <div class="form-group" ng-class="{ 'has-error': resetForm.password.$dirty && resetForm.password.$invalid }">
                    <label class="control-label" for="inputPassword">New Password</label>
+                    <input type="password" class="form-control" id="inputPassword" ng-model="password" name="password" ng-pattern="/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^a-zA-Z0-9])(?!.*\s).{8,30}$/" autofocus required>
                    <div class="control-label" ng-show="resetForm.password.$dirty && resetForm.password.$invalid">
                        <small ng-show="resetForm.password.$dirty && resetForm.password.$invalid">Password must be 8-30 character with at least one uppercase, one numeric and one special character</small>
                    </div>
-                    <input type="password" class="form-control" id="inputPassword" ng-model="password" name="password" ng-pattern="/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^a-zA-Z0-9])(?!.*\s).{8,30}$/" autofocus required>
                </div>
                <div class="form-group" ng-class="{ 'has-error': resetForm.passwordRepeat.$dirty && (password !== passwordRepeat) }">
                    <label class="control-label" for="inputPasswordRepeat">Repeat Password</label>
+                    <input type="password" class="form-control" id="inputPasswordRepeat" ng-model="passwordRepeat" name="passwordRepeat" required>
                    <div class="control-label" ng-show="resetForm.passwordRepeat.$dirty && (password !== passwordRepeat)">
                        <small ng-show="resetForm.passwordRepeat.$dirty && (password !== passwordRepeat)">Passwords don't match</small>
                    </div>
-                    <input type="password" class="form-control" id="inputPasswordRepeat" ng-model="passwordRepeat" name="passwordRepeat" required>
                </div>
                <input class="btn btn-primary btn-outline pull-right" type="submit" value="Create" ng-disabled="resetForm.$invalid || password !== passwordRepeat"/>
            </form>
@@ -67,7 +67,7 @@ function start(callback) {
    // short-circuit for the restart case
    if (_.isEqual(infra, existingInfra)) {
        debug('platform is uptodate at version %s', infra.version);
-        process.nextTick(function () { exports.events.emit(exports.EVENT_READY); });
+        emitPlatformReady();
        return callback();
    }

@@ -82,14 +82,7 @@ function start(callback) {
    ], function (error) {
        if (error) return callback(error);

-        // give 30 seconds for the platform to "settle". For example, mysql might still be initing the
-        // database dir and we cannot call service scripts until that's done.
-        // TODO: make this smarter to not wait for 30secs for the crash-restart case
-        gPlatformReadyTimer = setTimeout(function () {
-            debug('emitting platform ready');
-            gPlatformReadyTimer = null;
-            exports.events.emit(exports.EVENT_READY);
-        }, 30000);
+        emitPlatformReady();

        callback();
    });
@@ -104,10 +97,22 @@ function uninitialize(callback) {
    callback();
 }

+function emitPlatformReady() {
+    // give 30 seconds for the platform to "settle". For example, mysql might still be initing the
+    // database dir and we cannot call service scripts until that's done.
+    // TODO: make this smarter to not wait for 30secs for the crash-restart case
+    gPlatformReadyTimer = setTimeout(function () {
+        debug('emitting platform ready');
+        gPlatformReadyTimer = null;
+        exports.events.emit(exports.EVENT_READY);
+    }, 30000);
+}
+
 function removeOldImages(callback) {
    debug('removing old addon images');

    for (var imageName in infra.images) {
+        if (imageName === 'redis') continue; // see #223
        var image = infra.images[imageName];
        debug('cleaning up images of %j', image);
        var cmd = 'docker images "%s" | tail -n +2 | awk \'{ print $1 ":" $2 }\' | grep -v "%s" | xargs --no-run-if-empty docker rmi';
@@ -127,6 +132,7 @@ function stopContainers(existingInfra, callback) {
        assert(typeof infra.images, 'object');
        var changedAddons = [ ];
        for (var imageName in infra.images) {
+            if (imageName === 'redis') continue; // see #223
            if (infra.images[imageName].tag !== existingInfra.images[imageName].tag) changedAddons.push(imageName);
        }

@@ -239,7 +245,8 @@ function createMailConfig(callback) {
    const alertsFrom = 'no-reply@' + config.fqdn();

    user.getOwner(function (error, owner) {
-        var alertsTo = [ 'webmaster@cloudron.io' ].concat(error ? [] : owner.email).join(',');
+        var alertsTo = config.provider() === 'caas' ? [ 'support@cloudron.io' ] : [ ];
+        alertsTo.concat(error ? [] : owner.email).join(',');

        if (!safe.fs.writeFileSync(paths.DATA_DIR + '/addons/mail/mail.ini',
            `mail_domain=${fqdn}\nmail_server_name=${mailFqdn}\nalerts_from=${alertsFrom}\nalerts_to=${alertsTo}`, 'utf8')) {
@@ -340,4 +347,3 @@ function startApps(existingInfra, callback) {
        apps.configureInstalledApps(callback);
    }
 }
-
@@ -54,6 +54,7 @@ function removeInternalAppFields(app) {
        fqdn: app.fqdn,
        memoryLimit: app.memoryLimit,
        altDomain: app.altDomain,
+        cnameTarget: app.cnameTarget,
        xFrameOptions: app.xFrameOptions,
        sso: app.sso,
        debugMode: app.debugMode
@@ -249,6 +250,7 @@ function uninstallApp(req, res, next) {
    debug('Uninstalling app id:%s', req.params.id);

    apps.uninstall(req.params.id, auditSource(req), function (error) {
+        if (error && error.reason === AppsError.BILLING_REQUIRED) return next(new HttpError(402, 'Billing required'));
        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
        if (error) return next(new HttpError(500, error));

@@ -24,8 +24,6 @@ var assert = require('assert'),
    HttpSuccess = require('connect-lastmile').HttpSuccess,
    progress = require('../progress.js'),
    mailer = require('../mailer.js'),
-    settings = require('../settings.js'),
-    SettingsError = settings.SettingsError,
    superagent = require('superagent'),
    updateChecker = require('../updatechecker.js'),
    _ = require('underscore');
@@ -35,18 +33,8 @@ function auditSource(req) {
    return { ip: ip, username: req.user ? req.user.username : null, userId: req.user ? req.user.id : null };
 }

-/**
- * Creating an admin user and activate the cloudron.
- *
- * @apiParam {string} username The administrator's user name
- * @apiParam {string} password The administrator's password
- * @apiParam {string} email The administrator's email address
- *
- * @apiSuccess (Created 201) {string} token A valid access token
- */
 function activate(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
-    assert.strictEqual(typeof req.query.setupToken, 'string');

    if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be string'));
    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be string'));
@@ -101,21 +89,33 @@ function dnsSetup(req, res, next) {
 function setupTokenAuth(req, res, next) {
    assert.strictEqual(typeof req.query, 'object');

-    // skip setupToken auth for non caas case
-    if (config.provider() !== 'caas') return next();
+    if (config.provider() === 'caas') {
+        if (typeof req.query.setupToken !== 'string' || !req.query.setupToken) return next(new HttpError(400, 'setupToken must be a non empty string'));

-    if (typeof req.query.setupToken !== 'string') return next(new HttpError(400, 'no setupToken provided'));
-
-    superagent.get(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/setup/verify').query({ setupToken:req.query.setupToken })
+        superagent.get(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/setup/verify').query({ setupToken:req.query.setupToken })
        .timeout(30 * 1000)
        .end(function (error, result) {
-        if (error && !error.response) return next(new HttpError(500, error));
-        if (result.statusCode === 403) return next(new HttpError(403, 'Invalid token'));
-        if (result.statusCode === 409) return next(new HttpError(409, 'Already setup'));
-        if (result.statusCode !== 200) return next(new HttpError(500, result.text || 'Internal error'));
+            if (error && !error.response) return next(new HttpError(500, error));
+            if (result.statusCode === 403) return next(new HttpError(403, 'Invalid token'));
+            if (result.statusCode === 409) return next(new HttpError(409, 'Already setup'));
+            if (result.statusCode !== 200) return next(new HttpError(500, result.text || 'Internal error'));

+            next();
+        });
+    } else if (config.provider() === 'ami') {
+        if (typeof req.query.setupToken !== 'string' || !req.query.setupToken) return next(new HttpError(400, 'setupToken must be a non empty string'));
+
+        superagent.get('http://169.254.169.254/latest/meta-data/instance-id').timeout(30 * 1000).end(function (error, result) {
+            if (error && !error.response) return next(new HttpError(500, error));
+            if (result.statusCode !== 200) return next(new HttpError(500, 'Unable to get meta data'));
+
+            if (result.text !== req.query.setupToken) return next(new HttpError(403, 'Invalid token'));
+
+            next();
+        });
+    } else {
        next();
-    });
+    }
 }

 function getStatus(req, res, next) {
@@ -13,5 +13,6 @@ exports = module.exports = {
    profile: require('./profile.js'),
    sysadmin: require('./sysadmin.js'),
    settings: require('./settings.js'),
+    ssh: require('./ssh.js'),
    user: require('./user.js')
 };
@@ -11,6 +11,7 @@ var appdb = require('../appdb'),
    DatabaseError = require('../databaseerror'),
    debug = require('debug')('box:routes/oauth2'),
    eventlog = require('../eventlog.js'),
+    generatePassword = require('../password.js').generate,
    hat = require('hat'),
    HttpError = require('connect-lastmile').HttpError,
    middleware = require('../middleware/index.js'),
@@ -233,7 +234,6 @@ function loginForm(req, res) {
        switch (result.type) {
            case clients.TYPE_BUILT_IN: return renderBuiltIn();
            case clients.TYPE_EXTERNAL: return render(result.appId, '/api/v1/cloudron/avatar');
-            case clients.TYPE_SIMPLE_AUTH: return sendError(req, res, 'Unknown OAuth client');
            default: break;
        }

@@ -358,6 +358,87 @@ function accountSetup(req, res, next) {
    });
 }

+// -> POST /api/v1/session/account/setup
+function accountSetup(req, res, next) {
+    assert.strictEqual(typeof req.body, 'object');
+
+    if (typeof req.body.resetToken !== 'string') return next(new HttpError(400, 'Missing resetToken'));
+    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'Missing password'));
+    if (typeof req.body.username !== 'string') return next(new HttpError(400, 'Missing username'));
+    if (typeof req.body.displayName !== 'string') return next(new HttpError(400, 'Missing displayName'));
+
+    debug('accountSetup: with token %s.', req.body.resetToken);
+
+    user.getByResetToken(req.body.resetToken, function (error, userObject) {
+        if (error) return sendError(req, res, 'Invalid Reset Token');
+
+        var data = _.pick(req.body, 'username', 'displayName');
+        user.update(userObject.id, data, auditSource(req), function (error) {
+            if (error && error.reason === UserError.ALREADY_EXISTS) return renderAccountSetupSite(res, req, userObject, 'Username already exists');
+            if (error && error.reason === UserError.BAD_FIELD) return renderAccountSetupSite(res, req, userObject, error.message);
+            if (error && error.reason === UserError.NOT_FOUND) return renderAccountSetupSite(res, req, userObject, 'No such user');
+            if (error) return next(new HttpError(500, error));
+
+            userObject.username = req.body.username;
+            userObject.displayName = req.body.displayName;
+
+            // setPassword clears the resetToken
+            user.setPassword(userObject.id, req.body.password, function (error, result) {
+                if (error && error.reason === UserError.BAD_FIELD) return renderAccountSetupSite(res, req, userObject, error.message);
+
+                if (error) return next(new HttpError(500, error));
+
+                res.redirect(util.format('%s?accessToken=%s&expiresAt=%s', config.adminOrigin(), result.token, result.expiresAt));
+            });
+        });
+    });
+}
+
+function renderAccountCreateSite(res, req, error, success) {
+    renderTemplate(res, 'account_create', {
+        error: error,
+        success: !!success,
+        csrf: req.csrfToken(),
+        title: 'Account Create'
+    });
+}
+
+// -> GET /api/v1/session/account/create.html
+function accountCreateSite(req, res, next) {
+    settings.getOpenRegistration(function (error, enabled) {
+        if (error) return next(new HttpError(500, error));
+        if (!enabled) return sendError(req, res, 'User creation is not allowed on this Cloudron');
+
+        renderAccountCreateSite(res, req, '', '');
+    });
+}
+
+// -> POST /api/v1/session/account/create
+function accountCreate(req, res, next) {
+    assert.strictEqual(typeof req.body, 'object');
+
+    if (typeof req.body.email !== 'string') return next(new HttpError(400, 'Missing email'));
+
+    debug('accountCreate: with email %s.', req.body.email);
+
+    settings.getOpenRegistration(function (error, enabled) {
+        if (error) return next(new HttpError(500, error));
+        if (!enabled) return sendError(req, res, 'User signup is not allowed on this Cloudron');
+
+        var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress || null;
+        var auditSource = { ip: ip, username: req.body.email, userId: null };
+
+        user.create(null, generatePassword(), req.body.email, '', auditSource, { sendInvite: true }, function (error, result) {
+            if (error && error.reason === UserError.ALREADY_EXISTS) return renderAccountCreateSite(res, req, 'User with this email address already exists');
+            if (error) return sendError(req, res, 'Internal Error');
+
+            debug('accountCreate: success for email %s now with id %s', req.body.remail, result.id);
+
+            renderAccountCreateSite(res, req, '', true);
+        });
+    });
+}
+
 // -> GET /api/v1/session/password/reset.html
 function passwordResetSite(req, res, next) {
    if (!req.query.reset_token) return next(new HttpError(400, 'Missing reset_token'));
@@ -450,8 +531,6 @@ var authorization = [
        if (type === clients.TYPE_EXTERNAL || type === clients.TYPE_BUILT_IN) {
            eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource(req, req.oauth2.client.appId), { userId: req.oauth2.user.id });
            return next();
-        } else if (type === clients.TYPE_SIMPLE_AUTH) {
-            return sendError(req, res, 'Unknown OAuth client.');
        }

        appdb.get(req.oauth2.client.appId, function (error, appObject) {
@@ -558,6 +637,8 @@ exports = module.exports = {
    passwordReset: passwordReset,
    accountSetupSite: accountSetupSite,
    accountSetup: accountSetup,
+    accountCreateSite: accountCreateSite,
+    accountCreate: accountCreate,
    authorization: authorization,
    token: token,
    validateRequestedScopes: validateRequestedScopes,
@@ -10,7 +10,7 @@ exports = module.exports = {
    getCloudronAvatar: getCloudronAvatar,
    setCloudronAvatar: setCloudronAvatar,

-    getEmailDnsRecords: getEmailDnsRecords,
+    getEmailStatus: getEmailStatus,

    getDnsConfig: getDnsConfig,
    setDnsConfig: setDnsConfig,
@@ -27,6 +27,9 @@ exports = module.exports = {
    getAppstoreConfig: getAppstoreConfig,
    setAppstoreConfig: setAppstoreConfig,

+    getOpenRegistration: getOpenRegistration,
+    setOpenRegistration: setOpenRegistration,
+
    setFallbackCertificate: setFallbackCertificate,
    setAdminCertificate: setAdminCertificate
 };
@@ -150,8 +153,8 @@ function getCloudronAvatar(req, res, next) {
    });
 }

-function getEmailDnsRecords(req, res, next) {
-    settings.getEmailDnsRecords(function (error, records) {
+function getEmailStatus(req, res, next) {
+    settings.getEmailStatus(function (error, records) {
        if (error) return next(new HttpError(500, error));

        next(new HttpSuccess(200, records));
@@ -234,6 +237,27 @@ function setAppstoreConfig(req, res, next) {
    });
 }

+function getOpenRegistration(req, res, next) {
+    settings.getOpenRegistration(function (error, enabled) {
+        if (error) return next(new HttpError(500, error));
+
+        next(new HttpSuccess(200, { enabled: enabled }));
+    });
+}
+
+function setOpenRegistration(req, res, next) {
+    assert.strictEqual(typeof req.body, 'object');
+
+    if (typeof req.body.enabled !== 'boolean') return next(new HttpError(400, 'enabled is required'));
+
+    settings.setOpenRegistration(req.body.enabled, function (error) {
+        if (error && error.reason === SettingsError.BAD_FIELD) return next(new HttpError(400, error.message));
+        if (error) return next(new HttpError(500, error));
+
+        next(new HttpSuccess(200));
+    });
+}
+
 // default fallback cert
 function setFallbackCertificate(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
@@ -0,0 +1,54 @@
+'use strict';
+
+exports = module.exports = {
+    getAuthorizedKeys: getAuthorizedKeys,
+    getAuthorizedKey: getAuthorizedKey,
+    addAuthorizedKey: addAuthorizedKey,
+    delAuthorizedKey: delAuthorizedKey
+};
+
+var assert = require('assert'),
+    HttpError = require('connect-lastmile').HttpError,
+    HttpSuccess = require('connect-lastmile').HttpSuccess,
+    ssh = require('../ssh.js'),
+    SshError = ssh.SshError;
+
+function getAuthorizedKeys(req, res, next) {
+    ssh.getAuthorizedKeys(function (error, result) {
+        if (error) return next(new HttpError(500, error));
+        next(new HttpSuccess(200, { keys: result }));
+    });
+}
+
+function getAuthorizedKey(req, res, next) {
+    assert.strictEqual(typeof req.params.identifier, 'string');
+
+    ssh.getAuthorizedKey(req.params.identifier, function (error, result) {
+        if (error && error.reason === SshError.NOT_FOUND) return next(new HttpError(404, error.message));
+        if (error) return next(new HttpError(500, error));
+        next(new HttpSuccess(200, { identifier: result.identifier, key: result.key }));
+    });
+}
+
+function addAuthorizedKey(req, res, next) {
+    assert.strictEqual(typeof req.body, 'object');
+
+    if (typeof req.body.key !== 'string' || !req.body.key) return next(new HttpError(400, 'key must be a non empty'));
+
+    ssh.addAuthorizedKey(req.body.key, function (error) {
+        if (error && error.reason === SshError.INVALID_KEY) return next(new HttpError(400, error.message));
+        if (error) return next(new HttpError(500, error));
+
+        next(new HttpSuccess(201, {}));
+    });
+}
+
+function delAuthorizedKey(req, res, next) {
+    assert.strictEqual(typeof req.params.identifier, 'string');
+
+    ssh.delAuthorizedKey(req.params.identifier, function (error) {
+        if (error && error.reason === SshError.NOT_FOUND) return next(new HttpError(404, error.message));
+        if (error) return next(new HttpError(500, error));
+        next(new HttpSuccess(202, {}));
+    });
+}
@@ -30,7 +30,6 @@ var appdb = require('../../appdb.js'),
    safe = require('safetydance'),
    server = require('../../server.js'),
    settings = require('../../settings.js'),
-    simpleauth = require('../../simpleauth.js'),
    superagent = require('superagent'),
    taskmanager = require('../../taskmanager.js'),
    tokendb = require('../../tokendb.js'),
@@ -42,7 +41,7 @@ var SERVER_URL = 'http://localhost:' + config.get('port');

 // Test image information
 var TEST_IMAGE_REPO = 'cloudron/test';
-var TEST_IMAGE_TAG = '18.0.0';
+var TEST_IMAGE_TAG = '20.0.0';
 var TEST_IMAGE = TEST_IMAGE_REPO + ':' + TEST_IMAGE_TAG;
 // var TEST_IMAGE_ID = child_process.execSync('docker inspect --format={{.Id}} ' + TEST_IMAGE).toString('utf8').trim();

@@ -174,7 +173,6 @@ function startBox(done) {

        server.start.bind(server),
        ldap.start,
-        simpleauth.start,

        function (callback) {
            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
@@ -257,7 +255,6 @@ function stopBox(done) {
        appdb._clear,
        server.stop,
        ldap.stop,
-        simpleauth.stop,
        config._reset
    ], done);
 }
@@ -273,16 +273,6 @@ describe('OAuth2', function () {
            scope: 'profile'
        };

-        // simple auth client
-        var CLIENT_8 = {
-            id: 'cid-client8',
-            appId: APP_2.id,
-            type: clients.TYPE_SIMPLE_AUTH,
-            clientSecret: 'secret8',
-            redirectURI: 'http://redirect8',
-            scope: 'profile'
-        };
-
        // app with accessRestriction allowing group
        var CLIENT_9 = {
            id: 'cid-client9',
@@ -311,7 +301,6 @@ describe('OAuth2', function () {
                clientdb.add.bind(null, CLIENT_5.id, CLIENT_5.appId, CLIENT_5.type, CLIENT_5.clientSecret, CLIENT_5.redirectURI, CLIENT_5.scope),
                clientdb.add.bind(null, CLIENT_6.id, CLIENT_6.appId, CLIENT_6.type, CLIENT_6.clientSecret, CLIENT_6.redirectURI, CLIENT_6.scope),
                clientdb.add.bind(null, CLIENT_7.id, CLIENT_7.appId, CLIENT_7.type, CLIENT_7.clientSecret, CLIENT_7.redirectURI, CLIENT_7.scope),
-                clientdb.add.bind(null, CLIENT_8.id, CLIENT_8.appId, CLIENT_8.type, CLIENT_8.clientSecret, CLIENT_8.redirectURI, CLIENT_8.scope),
                clientdb.add.bind(null, CLIENT_9.id, CLIENT_9.appId, CLIENT_9.type, CLIENT_9.clientSecret, CLIENT_9.redirectURI, CLIENT_9.scope),
                appdb.add.bind(null, APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0),
                appdb.add.bind(null, APP_1.id, APP_1.appStoreId, APP_1.manifest, APP_1.location, APP_1.portBindings, APP_1),
@@ -557,24 +546,6 @@ describe('OAuth2', function () {
                    });
                });
            });
-
-            it('fails when using simple auth credentials', function (done) {
-                var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_8.redirectURI + '&client_id=' + CLIENT_8.id + '&response_type=code';
-                request.get(url, { jar: true }, function (error, response, body) {
-                    expect(error).to.not.be.ok();
-                    expect(response.statusCode).to.eql(200);
-                    expect(body).to.eql('<script>window.location.href = "/api/v1/session/login?returnTo=' + CLIENT_8.redirectURI + '";</script>');
-
-                    request.get(SERVER_URL + '/api/v1/session/login?returnTo=' + CLIENT_8.redirectURI, { jar: true, followRedirect: false }, function (error, response, body) {
-                        expect(error).to.not.be.ok();
-                        expect(response.statusCode).to.eql(200);
-                        expect(body.indexOf('<!-- error tester -->')).to.not.equal(-1);
-                        expect(body.indexOf('Unknown OAuth client')).to.not.equal(-1);
-
-                        done();
-                    });
-                });
-            });
        });

        describe('loginForm submit', function () {
@@ -796,21 +767,6 @@ describe('OAuth2', function () {
                });
            });

-            it('fails for grant type code due to simple auth credentials', function (done) {
-                startAuthorizationFlow(CLIENT_7, 'code', function (jar) {
-                    var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_8.redirectURI + '&client_id=' + CLIENT_8.id + '&response_type=code';
-
-                    request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) {
-                        expect(error).to.not.be.ok();
-                        expect(response.statusCode).to.eql(200);
-                        expect(body.indexOf('<!-- error tester -->')).to.not.equal(-1);
-                        expect(body.indexOf('Unknown OAuth client.')).to.not.equal(-1);
-
-                        done();
-                    });
-                });
-            });
-
            it('succeeds for grant type code with accessRestriction', function (done) {
                startAuthorizationFlow(CLIENT_7, 'code', function (jar) {
                    var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_7.redirectURI + '&client_id=' + CLIENT_7.id + '&response_type=code';
@@ -858,21 +814,6 @@ describe('OAuth2', function () {
                });
            });

-            it('fails for grant type token due to simple auth credentials', function (done) {
-                startAuthorizationFlow(CLIENT_7, 'token', function (jar) {
-                    var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_8.redirectURI + '&client_id=' + CLIENT_8.id + '&response_type=token';
-
-                    request.get(url, { jar: jar, followRedirect: false }, function (error, response, body) {
-                        expect(error).to.not.be.ok();
-                        expect(response.statusCode).to.eql(200);
-                        expect(body.indexOf('<!-- error tester -->')).to.not.equal(-1);
-                        expect(body.indexOf('Unknown OAuth client.')).to.not.equal(-1);
-
-                        done();
-                    });
-                });
-            });
-
            it('succeeds for grant type token', function (done) {
                startAuthorizationFlow(CLIENT_7, 'token', function (jar) {
                    var url = SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=' + CLIENT_7.redirectURI + '&client_id=' + CLIENT_7.id + '&response_type=token';
@@ -531,7 +531,7 @@ describe('Settings API', function () {
    describe('email DNS records', function () {
        var resolve = null;
        var dnsAnswerQueue = [];
-        var dkimDomain, spfDomain;
+        var dkimDomain, spfDomain, mxDomain, dmarcDomain;

        before(function (done) {
            var dns = require('native-dns');
@@ -542,13 +542,15 @@ describe('Settings API', function () {
                expect(hostname).to.be.a('string');
                expect(callback).to.be.a('function');

-                if (!dnsAnswerQueue[hostname] || !dnsAnswerQueue[hostname][type]) return callback(new Error('no mock answer'));
+                if (!dnsAnswerQueue[hostname] || !(type in dnsAnswerQueue[hostname])) return callback(new Error('no mock answer'));

                callback(null, dnsAnswerQueue[hostname][type]);
            };

            dkimDomain = 'cloudron._domainkey.' + config.fqdn();
            spfDomain = config.fqdn();
+            mxDomain = config.fqdn();
+            dmarcDomain = '_dmarc.' + config.fqdn();

            done();
        });
@@ -571,174 +573,240 @@ describe('Settings API', function () {
        });

        function clearDnsAnswerQueue() {
-          dnsAnswerQueue = { };
-          dnsAnswerQueue[dkimDomain] =  { };
-          dnsAnswerQueue[spfDomain] =  { };
+            dnsAnswerQueue = { };
+            dnsAnswerQueue[dkimDomain] =  { };
+            dnsAnswerQueue[spfDomain] =  { };
+            dnsAnswerQueue[mxDomain] =  { };
+            dnsAnswerQueue[dmarcDomain] =  { };
        }

-        it('succeeds without existing answers', function (done) {
+        it('succeeds with dns errors', function (done) {
            clearDnsAnswerQueue();

            superagent.get(SERVER_URL + '/api/v1/settings/email_dns_records')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
-                expect(res.body.dkim).to.be.an('object');
-                expect(res.body.spf).to.be.an('object');

+                expect(res.body.dkim).to.be.an('object');
                expect(res.body.dkim.domain).to.eql(dkimDomain);
                expect(res.body.dkim.type).to.eql('TXT');
                expect(res.body.dkim.value).to.eql(null);
                expect(res.body.dkim.expected).to.eql('v=DKIM1; t=s; p=' + cloudron.readDkimPublicKeySync());
                expect(res.body.dkim.status).to.eql(false);

+                expect(res.body.spf).to.be.an('object');
                expect(res.body.spf.domain).to.eql(spfDomain);
                expect(res.body.spf.type).to.eql('TXT');
                expect(res.body.spf.value).to.eql(null);
                expect(res.body.spf.expected).to.eql('v=spf1 a:' + config.adminFqdn() + ' ~all');
                expect(res.body.spf.status).to.eql(false);

+                expect(res.body.dmarc).to.be.an('object');
+                expect(res.body.dmarc.type).to.eql('TXT');
+                expect(res.body.dmarc.value).to.eql(null);
+                expect(res.body.dmarc.expected).to.eql('v=DMARC1; p=reject; pct=100');
+                expect(res.body.dmarc.status).to.eql(false);
+
+                expect(res.body.mx).to.be.an('object');
+                expect(res.body.mx.type).to.eql('MX');
+                expect(res.body.mx.value).to.eql(null);
+                expect(res.body.mx.expected).to.eql('10 ' + config.mailFqdn());
+                expect(res.body.mx.status).to.eql(false);
+
+                expect(res.body.ptr).to.be.an('object');
+                expect(res.body.ptr.type).to.eql('PTR');
+                // expect(res.body.ptr.value).to.eql(null); this will be anything random
+                expect(res.body.ptr.expected).to.eql(config.mailFqdn());
+                expect(res.body.ptr.status).to.eql(false);
+
                done();
            });
        });

-        it('succeeds with existing dkim and no spf', function (done) {
+        it('succeeds with "undefined" spf, dkim, dmarc, mx, ptr records', function (done) {
            clearDnsAnswerQueue();

-            dnsAnswerQueue[dkimDomain].TXT = [['v=DKIM1;', 't=s;', 'p=' + cloudron.readDkimPublicKeySync()]];
+            dnsAnswerQueue[dkimDomain].TXT = null;
+            dnsAnswerQueue[spfDomain].TXT = null;
+            dnsAnswerQueue[mxDomain].MX = null;
+            dnsAnswerQueue[dmarcDomain].TXT = null;

            superagent.get(SERVER_URL + '/api/v1/settings/email_dns_records')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
-                expect(res.body.dkim).to.be.an('object');
+
                expect(res.body.spf).to.be.an('object');
-
-                expect(res.body.dkim.domain).to.eql('cloudron._domainkey.' + config.fqdn());
-                expect(res.body.dkim.type).to.eql('TXT');
-                expect(res.body.dkim.value).to.eql('v=DKIM1; t=s; p=' + cloudron.readDkimPublicKeySync());
-                expect(res.body.dkim.expected).to.eql('v=DKIM1; t=s; p=' + cloudron.readDkimPublicKeySync());
-                expect(res.body.dkim.status).to.eql(true);
-
-                expect(res.body.spf.domain).to.eql(config.fqdn());
-                expect(res.body.spf.type).to.eql('TXT');
-                expect(res.body.spf.value).to.eql(null);
                expect(res.body.spf.expected).to.eql('v=spf1 a:' + config.adminFqdn() + ' ~all');
                expect(res.body.spf.status).to.eql(false);
+                expect(res.body.spf.value).to.eql(null);
+
+                expect(res.body.dkim).to.be.an('object');
+                expect(res.body.dkim.expected).to.eql('v=DKIM1; t=s; p=' + cloudron.readDkimPublicKeySync());
+                expect(res.body.dkim.status).to.eql(false);
+                expect(res.body.dkim.value).to.eql(null);
+
+                expect(res.body.dmarc).to.be.an('object');
+                expect(res.body.dmarc.expected).to.eql('v=DMARC1; p=reject; pct=100');
+                expect(res.body.dmarc.status).to.eql(false);
+                expect(res.body.dmarc.value).to.eql(null);
+
+                expect(res.body.mx).to.be.an('object');
+                expect(res.body.mx.status).to.eql(false);
+                expect(res.body.mx.expected).to.eql('10 ' + config.mailFqdn());
+                expect(res.body.mx.value).to.eql(null);
+
+                expect(res.body.ptr).to.be.an('object');
+                expect(res.body.ptr.expected).to.eql(config.mailFqdn());
+                expect(res.body.ptr.status).to.eql(false);
+                // expect(res.body.ptr.value).to.eql(null); this will be anything random

                done();
            });
        });

-        it('succeeds with no dkim and existing spf', function (done) {
+        it('succeeds with all different spf, dkim, dmarc, mx, ptr records', function (done) {
            clearDnsAnswerQueue();

-            dnsAnswerQueue[spfDomain].TXT = [['v=spf1', 'a:' + config.adminFqdn(), '~all']];
+            dnsAnswerQueue[mxDomain].MX = [ { priority: '20', exchange: config.mailFqdn() }, { priority: '30', exchange: config.mailFqdn() } ];
+            dnsAnswerQueue[dmarcDomain].TXT = [['v=DMARC2; p=reject; pct=100']];
+            dnsAnswerQueue[dkimDomain].TXT = [['v=DKIM2; t=s; p=' + cloudron.readDkimPublicKeySync()]];
+            dnsAnswerQueue[spfDomain].TXT = [['v=spf1 a:random.com ~all']];

            superagent.get(SERVER_URL + '/api/v1/settings/email_dns_records')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
-                expect(res.body.dkim).to.be.an('object');
-                expect(res.body.spf).to.be.an('object');

-                expect(res.body.dkim.domain).to.eql('cloudron._domainkey.' + config.fqdn());
-                expect(res.body.dkim.type).to.eql('TXT');
-                expect(res.body.dkim.value).to.eql(null);
+                expect(res.body.spf).to.be.an('object');
+                expect(res.body.spf.expected).to.eql('v=spf1 a:' + config.adminFqdn() + ' a:random.com ~all');
+                expect(res.body.spf.status).to.eql(false);
+                expect(res.body.spf.value).to.eql('v=spf1 a:random.com ~all');
+
+                expect(res.body.dkim).to.be.an('object');
                expect(res.body.dkim.expected).to.eql('v=DKIM1; t=s; p=' + cloudron.readDkimPublicKeySync());
                expect(res.body.dkim.status).to.eql(false);
+                expect(res.body.dkim.value).to.eql('v=DKIM2; t=s; p=' + cloudron.readDkimPublicKeySync());

-                expect(res.body.spf.domain).to.eql(config.fqdn());
+                expect(res.body.dmarc).to.be.an('object');
+                expect(res.body.dmarc.expected).to.eql('v=DMARC1; p=reject; pct=100');
+                expect(res.body.dmarc.status).to.eql(false);
+                expect(res.body.dmarc.value).to.eql('v=DMARC2; p=reject; pct=100');
+
+                expect(res.body.mx).to.be.an('object');
+                expect(res.body.mx.status).to.eql(false);
+                expect(res.body.mx.expected).to.eql('10 ' + config.mailFqdn());
+                expect(res.body.mx.value).to.eql('20 ' + config.mailFqdn() + ' 30 ' + config.mailFqdn());
+
+                expect(res.body.ptr).to.be.an('object');
+                expect(res.body.ptr.expected).to.eql(config.mailFqdn());
+                expect(res.body.ptr.status).to.eql(false);
+                // expect(res.body.ptr.value).to.eql(null); this will be anything random
+
+                done();
+            });
+        });
+
+        it('succeeds with existing embedded spf', function (done) {
+            clearDnsAnswerQueue();
+
+            dnsAnswerQueue[spfDomain].TXT = [['v=spf1 a:example.com a:' + config.mailFqdn() + ' ~all']];
+
+            superagent.get(SERVER_URL + '/api/v1/settings/email_dns_records')
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(200);
+
+                expect(res.body.spf).to.be.an('object');
+                expect(res.body.spf.domain).to.eql(spfDomain);
                expect(res.body.spf.type).to.eql('TXT');
-                expect(res.body.spf.value).to.eql('v=spf1 a:' + config.adminFqdn() + ' ~all');
-                expect(res.body.spf.expected).to.eql('v=spf1 a:' + config.adminFqdn() + ' ~all');
+                expect(res.body.spf.value).to.eql('v=spf1 a:example.com a:' + config.mailFqdn() + ' ~all');
+                expect(res.body.spf.expected).to.eql('v=spf1 a:example.com a:' + config.mailFqdn() + ' ~all');
                expect(res.body.spf.status).to.eql(true);

                done();
            });
        });

-        it('succeeds with existing extra spf', function (done) {
-            clearDnsAnswerQueue();
-
-            dnsAnswerQueue[spfDomain].TXT = [['v=spf1', 'a:my-example.com', '~all']];
-
-            superagent.get(SERVER_URL + '/api/v1/settings/email_dns_records')
-                   .query({ access_token: token })
-                   .end(function (err, res) {
-                expect(res.statusCode).to.equal(200);
-                expect(res.body.dkim).to.be.an('object');
-                expect(res.body.spf).to.be.an('object');
-
-                expect(res.body.dkim.domain).to.eql('cloudron._domainkey.' + config.fqdn());
-                expect(res.body.dkim.type).to.eql('TXT');
-                expect(res.body.dkim.value).to.eql(null);
-                expect(res.body.dkim.expected).to.eql('v=DKIM1; t=s; p=' + cloudron.readDkimPublicKeySync());
-                expect(res.body.dkim.status).to.eql(false);
-
-                expect(res.body.spf.domain).to.eql(config.fqdn());
-                expect(res.body.spf.type).to.eql('TXT');
-                expect(res.body.spf.value).to.eql('v=spf1 a:my-example.com ~all');
-                expect(res.body.spf.expected).to.eql('v=spf1 a:' + config.adminFqdn() + ' a:my-example.com ~all');
-                expect(res.body.spf.status).to.eql(false);
-
-                done();
-            });
-        });
-
-        it('succeeds with wrong dkim', function (done) {
-            clearDnsAnswerQueue();
-
-            dnsAnswerQueue[dkimDomain].TXT = [['v=DKIM1;', 't=s;', 'p=foobar']];
-
-            superagent.get(SERVER_URL + '/api/v1/settings/email_dns_records')
-                   .query({ access_token: token })
-                   .end(function (err, res) {
-                expect(res.statusCode).to.equal(200);
-                expect(res.body.dkim).to.be.an('object');
-                expect(res.body.spf).to.be.an('object');
-
-                expect(res.body.dkim.domain).to.eql('cloudron._domainkey.' + config.fqdn());
-                expect(res.body.dkim.type).to.eql('TXT');
-                expect(res.body.dkim.value).to.eql('v=DKIM1; t=s; p=foobar');
-                expect(res.body.dkim.expected).to.eql('v=DKIM1; t=s; p=' + cloudron.readDkimPublicKeySync());
-                expect(res.body.dkim.status).to.eql(false);
-
-                expect(res.body.spf.domain).to.eql(config.fqdn());
-                expect(res.body.spf.type).to.eql('TXT');
-                expect(res.body.spf.value).to.eql(null);
-                expect(res.body.spf.expected).to.eql('v=spf1 a:' + config.adminFqdn() + ' ~all');
-                expect(res.body.spf.status).to.eql(false);
-
-                done();
-            });
-        });
-
-        it('succeeds with existing spf and dkim', function (done) {
+        it('succeeds with all correct records', function (done) {
            clearDnsAnswerQueue();

+            dnsAnswerQueue[mxDomain].MX = [ { priority: '10', exchange: config.mailFqdn() } ];
+            dnsAnswerQueue[dmarcDomain].TXT = [['v=DMARC1; p=reject; pct=100']];
            dnsAnswerQueue[dkimDomain].TXT = [['v=DKIM1;', 't=s;', 'p=' + cloudron.readDkimPublicKeySync()]];
-            dnsAnswerQueue[spfDomain].TXT = [['v=spf1', 'a:' + config.adminFqdn(), '~all']];
+            dnsAnswerQueue[spfDomain].TXT = [['v=spf1', ' a:' + config.adminFqdn(), ' ~all']];

            superagent.get(SERVER_URL + '/api/v1/settings/email_dns_records')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
-                expect(res.body.dkim).to.be.an('object');
-                expect(res.body.spf).to.be.an('object');

-                expect(res.body.dkim.domain).to.eql('cloudron._domainkey.' + config.fqdn());
+                expect(res.body.dkim).to.be.an('object');
+                expect(res.body.dkim.domain).to.eql(dkimDomain);
                expect(res.body.dkim.type).to.eql('TXT');
                expect(res.body.dkim.value).to.eql('v=DKIM1; t=s; p=' + cloudron.readDkimPublicKeySync());
                expect(res.body.dkim.expected).to.eql('v=DKIM1; t=s; p=' + cloudron.readDkimPublicKeySync());
                expect(res.body.dkim.status).to.eql(true);

-                expect(res.body.spf.domain).to.eql(config.fqdn());
+                expect(res.body.spf).to.be.an('object');
+                expect(res.body.spf.domain).to.eql(spfDomain);
                expect(res.body.spf.type).to.eql('TXT');
                expect(res.body.spf.value).to.eql('v=spf1 a:' + config.adminFqdn() + ' ~all');
                expect(res.body.spf.expected).to.eql('v=spf1 a:' + config.adminFqdn() + ' ~all');
                expect(res.body.spf.status).to.eql(true);

+                expect(res.body.dmarc).to.be.an('object');
+                expect(res.body.dmarc.expected).to.eql('v=DMARC1; p=reject; pct=100');
+                expect(res.body.dmarc.status).to.eql(true);
+                expect(res.body.dmarc.value).to.eql('v=DMARC1; p=reject; pct=100');
+
+                expect(res.body.mx).to.be.an('object');
+                expect(res.body.mx.status).to.eql(true);
+                expect(res.body.mx.expected).to.eql('10 ' + config.mailFqdn());
+                expect(res.body.mx.value).to.eql('10 ' + config.mailFqdn());
+
+                done();
+            });
+        });
+    });
+
+    describe('open_registration', function () {
+        it('get open_registration succeeds without being set', function (done) {
+            superagent.get(SERVER_URL + '/api/v1/settings/open_registration')
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(200);
+                expect(res.body.enabled).to.equal(false);
+                done();
+            });
+        });
+
+        it('cannot set without data', function (done) {
+            superagent.post(SERVER_URL + '/api/v1/settings/open_registration')
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('set succeeds', function (done) {
+            superagent.post(SERVER_URL + '/api/v1/settings/open_registration')
+                   .query({ access_token: token })
+                   .send({ enabled: true })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(200);
+                done();
+            });
+        });
+
+        it('get succeeds', function (done) {
+            superagent.get(SERVER_URL + '/api/v1/settings/open_registration')
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(200);
+                expect(res.body.enabled).to.equal(true);
                done();
            });
        });
@@ -1,512 +0,0 @@
-/* global it:false */
-/* global describe:false */
-/* global before:false */
-/* global after:false */
-
-'use strict';
-
-var appdb = require('../../appdb.js'),
-    async = require('async'),
-    clientdb = require('../../clientdb.js'),
-    clients = require('../../clients.js'),
-    config = require('../../config.js'),
-    database = require('../../database.js'),
-    expect = require('expect.js'),
-    superagent = require('superagent'),
-    server = require('../../server.js'),
-    simpleauth = require('../../simpleauth.js'),
-    nock = require('nock'),
-    settings = require('../../settings.js');
-
-describe('SimpleAuth API', function () {
-    var SERVER_URL = 'http://localhost:' + config.get('port');
-    var SIMPLE_AUTH_ORIGIN = 'http://localhost:' + config.get('simpleAuthPort');
-
-    var USERNAME = 'superaDMin', PASSWORD = 'Foobar?1337', EMAIL ='silly@ME.com';
-
-    var APP_0 = {
-        id: 'app0',
-        appStoreId: '',
-        manifest: { version: '0.1.0', addons: { } },
-        location: 'test0',
-        portBindings: {},
-        accessRestriction: { users: [ 'foobar', 'someone'] },
-        memoryLimit: 0,
-        altDomain: null
-    };
-
-    var APP_1 = {
-        id: 'app1',
-        appStoreId: '',
-        manifest: { version: '0.1.0', addons: { } },
-        location: 'test1',
-        portBindings: {},
-        accessRestriction: { users: [ 'foobar', 'someone' ] },
-        memoryLimit: 0,
-        altDomain: null
-    };
-
-    var APP_2 = {
-        id: 'app2',
-        appStoreId: '',
-        manifest: { version: '0.1.0', addons: { } },
-        location: 'test2',
-        portBindings: {},
-        accessRestriction: null,
-        memoryLimit: 0,
-        altDomain: null
-    };
-
-    var APP_3 = {
-        id: 'app3',
-        appStoreId: '',
-        manifest: { version: '0.1.0', addons: { } },
-        location: 'test3',
-        portBindings: {},
-        accessRestriction: { groups: [ 'someothergroup', 'admin', 'anothergroup' ] },
-        memoryLimit: 0,
-        altDomain: null
-    };
-
-    var CLIENT_0 = {
-        id: 'someclientid',
-        appId: 'someappid',
-        type: clients.TYPE_SIMPLE_AUTH,
-        clientSecret: 'someclientsecret',
-        redirectURI: '',
-        scope: 'user,profile'
-    };
-
-    var CLIENT_1 = {
-        id: 'someclientid1',
-        appId: APP_0.id,
-        type: clients.TYPE_SIMPLE_AUTH,
-        clientSecret: 'someclientsecret1',
-        redirectURI: '',
-        scope: 'user,profile'
-    };
-
-    var CLIENT_2 = {
-        id: 'someclientid2',
-        appId: APP_1.id,
-        type: clients.TYPE_SIMPLE_AUTH,
-        clientSecret: 'someclientsecret2',
-        redirectURI: '',
-        scope: 'user,profile'
-    };
-
-    var CLIENT_3 = {
-        id: 'someclientid3',
-        appId: APP_2.id,
-        type: clients.TYPE_SIMPLE_AUTH,
-        clientSecret: 'someclientsecret3',
-        redirectURI: '',
-        scope: 'user,profile'
-    };
-
-    var CLIENT_4 = {
-        id: 'someclientid4',
-        appId: APP_2.id,
-        type: clients.TYPE_OAUTH,
-        clientSecret: 'someclientsecret4',
-        redirectURI: '',
-        scope: 'user,profile'
-    };
-
-    var CLIENT_5 = {
-        id: 'someclientid5',
-        appId: APP_3.id,
-        type: clients.TYPE_SIMPLE_AUTH,
-        clientSecret: 'someclientsecret5',
-        redirectURI: '',
-        scope: 'user,profile'
-    };
-
-    before(function (done) {
-        async.series([
-            server.start.bind(server),
-            simpleauth.start.bind(simpleauth),
-
-            database._clear,
-
-            function createAdmin(callback) {
-                var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
-                var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
-
-                superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
-                       .query({ setupToken: 'somesetuptoken' })
-                       .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
-                       .end(function (error, result) {
-                    expect(error).to.not.be.ok();
-                    expect(result).to.be.ok();
-                    expect(result.statusCode).to.eql(201);
-                    expect(scope1.isDone()).to.be.ok();
-                    expect(scope2.isDone()).to.be.ok();
-
-                    superagent.get(SERVER_URL + '/api/v1/profile').query({ access_token: result.body.token}).end(function (error, result) {
-                        expect(error).to.not.be.ok();
-                        expect(result.statusCode).to.eql(200);
-
-                        APP_1.accessRestriction.users.push(result.body.id);
-
-                        callback();
-                    });
-                });
-            },
-
-            clientdb.add.bind(null, CLIENT_0.id, CLIENT_0.appId, CLIENT_0.type, CLIENT_0.clientSecret, CLIENT_0.redirectURI, CLIENT_0.scope),
-            clientdb.add.bind(null, CLIENT_1.id, CLIENT_1.appId, CLIENT_1.type, CLIENT_1.clientSecret, CLIENT_1.redirectURI, CLIENT_1.scope),
-            clientdb.add.bind(null, CLIENT_2.id, CLIENT_2.appId, CLIENT_2.type, CLIENT_2.clientSecret, CLIENT_2.redirectURI, CLIENT_2.scope),
-            clientdb.add.bind(null, CLIENT_3.id, CLIENT_3.appId, CLIENT_3.type, CLIENT_3.clientSecret, CLIENT_3.redirectURI, CLIENT_3.scope),
-            clientdb.add.bind(null, CLIENT_4.id, CLIENT_4.appId, CLIENT_4.type, CLIENT_4.clientSecret, CLIENT_4.redirectURI, CLIENT_4.scope),
-            clientdb.add.bind(null, CLIENT_5.id, CLIENT_5.appId, CLIENT_5.type, CLIENT_5.clientSecret, CLIENT_5.redirectURI, CLIENT_5.scope),
-            appdb.add.bind(null, APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0),
-            appdb.add.bind(null, APP_1.id, APP_1.appStoreId, APP_1.manifest, APP_1.location, APP_1.portBindings, APP_1),
-            appdb.add.bind(null, APP_2.id, APP_2.appStoreId, APP_2.manifest, APP_2.location, APP_2.portBindings, APP_2),
-            appdb.add.bind(null, APP_3.id, APP_3.appStoreId, APP_3.manifest, APP_3.location, APP_3.portBindings, APP_3),
-            settings.setBackupConfig.bind(null, { provider: 'caas', token: 'BACKUP_TOKEN', bucket: 'Bucket', prefix: 'Prefix' })
-        ], done);
-    });
-
-    after(function (done) {
-        async.series([
-            database._clear,
-            simpleauth.stop.bind(simpleauth),
-            server.stop.bind(server)
-        ], done);
-    });
-
-    describe('login', function () {
-        it('cannot login without clientId', function (done) {
-            var body = {};
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(400);
-                done();
-            });
-        });
-
-        it('cannot login without username', function (done) {
-            var body = {
-                clientId: 'someclientid'
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(400);
-                done();
-            });
-        });
-
-        it('cannot login without password', function (done) {
-            var body = {
-                clientId: 'someclientid',
-                username: USERNAME
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(400);
-                done();
-            });
-        });
-
-        it('cannot login with unkown clientId', function (done) {
-            var body = {
-                clientId: CLIENT_0.id+CLIENT_0.id,
-                username: USERNAME,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(401);
-                done();
-            });
-        });
-
-        it('cannot login with unkown user', function (done) {
-            var body = {
-                clientId: CLIENT_0.id,
-                username: USERNAME+USERNAME,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(401);
-                done();
-            });
-        });
-
-        it('cannot login with empty password', function (done) {
-            var body = {
-                clientId: CLIENT_0.id,
-                username: USERNAME,
-                password: ''
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(401);
-                done();
-            });
-        });
-
-        it('cannot login with wrong password', function (done) {
-            var body = {
-                clientId: CLIENT_0.id,
-                username: USERNAME,
-                password: PASSWORD+PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(401);
-                done();
-            });
-        });
-
-        it('fails for unkown app', function (done) {
-            var body = {
-                clientId: CLIENT_0.id,
-                username: USERNAME,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(401);
-                done();
-            });
-        });
-
-        it('fails for disallowed app', function (done) {
-            var body = {
-                clientId: CLIENT_1.id,
-                username: USERNAME,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(401);
-                done();
-            });
-        });
-
-        it('succeeds for allowed app', function (done) {
-            var body = {
-                clientId: CLIENT_2.id,
-                username: USERNAME,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(error).to.be(null);
-                expect(result.statusCode).to.equal(200);
-                expect(result.body.accessToken).to.be.a('string');
-                expect(result.body.user).to.be.an('object');
-                expect(result.body.user.id).to.be.a('string');
-                expect(result.body.user.username).to.be.a('string');
-                expect(result.body.user.email).to.be.a('string');
-                expect(result.body.user.displayName).to.be.a('string');
-                expect(result.body.user.admin).to.be.a('boolean');
-
-                superagent.get(SERVER_URL + '/api/v1/profile')
-                .query({ access_token: result.body.accessToken })
-                .end(function (error, result) {
-                    expect(error).to.be(null);
-                    expect(result.body).to.be.an('object');
-                    expect(result.body.username).to.eql(USERNAME.toLowerCase());
-                    expect(result.body.email).to.eql(EMAIL.toLowerCase());
-
-                    done();
-                });
-            });
-        });
-
-        it('succeeds for allowed app with email', function (done) {
-            var body = {
-                clientId: CLIENT_2.id,
-                username: EMAIL,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(error).to.be(null);
-                expect(result.statusCode).to.equal(200);
-                expect(result.body.accessToken).to.be.a('string');
-                expect(result.body.user).to.be.an('object');
-                expect(result.body.user.id).to.be.a('string');
-                expect(result.body.user.username).to.be.a('string');
-                expect(result.body.user.email).to.be.a('string');
-                expect(result.body.user.displayName).to.be.a('string');
-                expect(result.body.user.admin).to.be.a('boolean');
-
-                superagent.get(SERVER_URL + '/api/v1/profile')
-                .query({ access_token: result.body.accessToken })
-                .end(function (error, result) {
-                    expect(error).to.be(null);
-                    expect(result.body).to.be.an('object');
-                    expect(result.body.username).to.eql(USERNAME.toLowerCase());
-                    expect(result.body.email).to.eql(EMAIL.toLowerCase());
-
-                    done();
-                });
-            });
-        });
-
-        it('succeeds for app without accessRestriction', function (done) {
-            var body = {
-                clientId: CLIENT_3.id,
-                username: USERNAME,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(error).to.be(null);
-                expect(result.statusCode).to.equal(200);
-                expect(result.body.accessToken).to.be.a('string');
-                expect(result.body.user).to.be.an('object');
-                expect(result.body.user.id).to.be.a('string');
-                expect(result.body.user.username).to.be.a('string');
-                expect(result.body.user.email).to.be.a('string');
-                expect(result.body.user.displayName).to.be.a('string');
-                expect(result.body.user.admin).to.be.a('boolean');
-
-                superagent.get(SERVER_URL + '/api/v1/profile')
-                .query({ access_token: result.body.accessToken })
-                .end(function (error, result) {
-                    expect(error).to.be(null);
-                    expect(result.body).to.be.an('object');
-                    expect(result.body.username).to.eql(USERNAME.toLowerCase());
-                    expect(result.body.email).to.eql(EMAIL.toLowerCase());
-
-                    done();
-                });
-            });
-        });
-
-        it('succeeds for app with group accessRestriction', function (done) {
-            var body = {
-                clientId: CLIENT_5.id,
-                username: USERNAME,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(error).to.be(null);
-                expect(result.statusCode).to.equal(200);
-                expect(result.body.accessToken).to.be.a('string');
-                expect(result.body.user).to.be.an('object');
-                expect(result.body.user.id).to.be.a('string');
-                expect(result.body.user.username).to.be.a('string');
-                expect(result.body.user.email).to.be.a('string');
-                expect(result.body.user.displayName).to.be.a('string');
-                expect(result.body.user.admin).to.be.a('boolean');
-
-                superagent.get(SERVER_URL + '/api/v1/profile')
-                .query({ access_token: result.body.accessToken })
-                .end(function (error, result) {
-                    expect(error).to.be(null);
-                    expect(result.body).to.be.an('object');
-                    expect(result.body.username).to.eql(USERNAME.toLowerCase());
-                    expect(result.body.email).to.eql(EMAIL.toLowerCase());
-
-                    done();
-                });
-            });
-        });
-
-        it('fails for wrong client credentials', function (done) {
-            var body = {
-                clientId: CLIENT_4.id,
-                username: USERNAME,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(401);
-                done();
-            });
-        });
-    });
-
-    describe('logout', function () {
-        var accessToken;
-
-        before(function (done) {
-            var body = {
-                clientId: CLIENT_3.id,
-                username: USERNAME,
-                password: PASSWORD
-            };
-
-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
-            .send(body)
-            .end(function (error, result) {
-                expect(error).to.be(null);
-                expect(result.statusCode).to.equal(200);
-
-                accessToken = result.body.accessToken;
-
-                done();
-            });
-        });
-
-        it('fails without access_token', function (done) {
-            superagent.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(400);
-                done();
-            });
-        });
-
-        it('fails with unkonwn access_token', function (done) {
-            superagent.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
-            .query({ access_token: accessToken+accessToken })
-            .end(function (error, result) {
-                expect(result.statusCode).to.equal(401);
-                done();
-            });
-        });
-
-        it('succeeds', function (done) {
-            superagent.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
-            .query({ access_token: accessToken })
-            .end(function (error, result) {
-                expect(error).to.be(null);
-                expect(result.statusCode).to.equal(200);
-
-                superagent.get(SERVER_URL + '/api/v1/profile')
-                .query({ access_token: accessToken })
-                .end(function (error, result) {
-                    expect(result.statusCode).to.equal(401);
-
-                    done();
-                });
-            });
-        });
-    });
-});
@@ -0,0 +1,240 @@
+/* global it:false */
+/* global describe:false */
+/* global before:false */
+/* global after:false */
+
+'use strict';
+
+var ssh = require('../../ssh.js'),
+    async = require('async'),
+    config = require('../../config.js'),
+    database = require('../../database.js'),
+    expect = require('expect.js'),
+    superagent = require('superagent'),
+    server = require('../../server.js'),
+    nock = require('nock');
+
+var SERVER_URL = 'http://localhost:' + config.get('port');
+
+var USERNAME = 'superadmin', PASSWORD = 'Foobar?1337', EMAIL ='silly@me.com';
+
+var INVALID_KEY_TYPE = 'ssh-foobar AAAAB3NzaC1yc2EAAAADAQABAAABAQCibC8G04mZy3o3AVMxjUMQoEQj0HSsl6AMVZDQK9A0e8qVRWft4HaRZdw0dW3iFDsEdny7s1zSAc5Kp5y38kJdSyEHGKxvcR8TaghUa8jpmu0sEVOTn+X4UtoonkNuJ0Jnl2tjPYsq5BtJmAeYUa1bKH5CjomCYi5OSfXRtnuZV6SiYX0A1OnZPXFWa/iFwwOUJQvDLGbFkgtJxqhxpc7yvzwFK5B9MNs7LJxA8+kRibJ9LTN1OKWNxb0oSk/PE6PFo9M2Q/SL9uj2IRXRipGj2XcOtZlqcAK5i+aq3UjjAGekztK2srQPcBkWbnI3Oim2N8l2purCfe0AoCCQHK7N nebulon@nebulon';
+var INVALID_KEY_VALUE = 'ssh-rsa foobar nebulon@nebulon';
+var INVALID_KEY_IDENTIFIER = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCibC8G04mZy3o3AVMxjUMQoEQj0HSsl6AMVZDQK9A0e8qVRWft4HaRZdw0dW3iFDsEdny7s1zSAc5Kp5y38kJdSyEHGKxvcR8TaghUa8jpmu0sEVOTn+X4UtoonkNuJ0Jnl2tjPYsq5BtJmAeYUa1bKH5CjomCYi5OSfXRtnuZV6SiYX0A1OnZPXFWa/iFwwOUJQvDLGbFkgtJxqhxpc7yvzwFK5B9MNs7LJxA8+kRibJ9LTN1OKWNxb0oSk/PE6PFo9M2Q/SL9uj2IRXRipGj2XcOtZlqcAK5i+aq3UjjAGekztK2srQPcBkWbnI3Oim2N8l2purCfe0AoCCQHK7N';
+var VALID_KEY = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCibC8G04mZy3o3AVMxjUMQoEQj0HSsl6AMVZDQK9A0e8qVRWft4HaRZdw0dW3iFDsEdny7s1zSAc5Kp5y38kJdSyEHGKxvcR8TaghUa8jpmu0sEVOTn+X4UtoonkNuJ0Jnl2tjPYsq5BtJmAeYUa1bKH5CjomCYi5OSfXRtnuZV6SiYX0A1OnZPXFWa/iFwwOUJQvDLGbFkgtJxqhxpc7yvzwFK5B9MNs7LJxA8+kRibJ9LTN1OKWNxb0oSk/PE6PFo9M2Q/SL9uj2IRXRipGj2XcOtZlqcAK5i+aq3UjjAGekztK2srQPcBkWbnI3Oim2N8l2purCfe0AoCCQHK7N nebulon@nebulon';
+var VALID_KEY_1 = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCibC8G04mZy3o3AVMxjUMQoEQj0HSsl6AMVZDQK9A0e8qVRWft4HaRZdw0dW3iFDsEdny7s1zSAc5Kp5y38kJdSyEHGKxvcR8TaghUa8jpmu0sEVOTn+X4UtoonkNuJ0Jnl2tjPYsq5BtJmAeYUa1bKH5CjomCYi5OSfXRtnuZV6SiYX0A1OnZPXFWa/iFwwOUJQvDLGbFkgtJxqhxpc7yvzwFK5B9MNs7LJxA8+kRibJ9LTN1OKWNxb0oSk/PE6PFo9M2Q/SL9uj2IRXRipGj2XcOtZlqcAK5i+aq3UjjAGekztK2srQPcBkWbnI3Oim2N8l2purCfe0AoCCQHK7N muchmore';
+
+var token = null;
+
+var server;
+function setup(done) {
+    config.set('fqdn', 'foobar.com');
+
+    async.series([
+        server.start.bind(server),
+
+        ssh._clear,
+        database._clear,
+
+        function createAdmin(callback) {
+            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
+            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
+
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+                   .query({ setupToken: 'somesetuptoken' })
+                   .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
+                   .end(function (error, result) {
+                expect(result).to.be.ok();
+                expect(result.statusCode).to.eql(201);
+                expect(scope1.isDone()).to.be.ok();
+                expect(scope2.isDone()).to.be.ok();
+
+                // stash token for further use
+                token = result.body.token;
+
+                callback();
+            });
+        }
+    ], done);
+}
+
+function cleanup(done) {
+    database._clear(function (error) {
+        expect(!error).to.be.ok();
+
+        server.stop(done);
+    });
+}
+
+describe('SSH API', function () {
+    this.timeout(10000);
+
+    before(setup);
+    after(cleanup);
+
+    describe('add authorized_keys', function () {
+        it('fails due to missing key', function (done) {
+            superagent.put(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('fails due to empty key', function (done) {
+            superagent.put(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                   .query({ access_token: token })
+                   .send({ key: '' })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('fails due to invalid key', function (done) {
+            superagent.put(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                   .query({ access_token: token })
+                   .send({ key: 'foobar' })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('fails due to invalid key type', function (done) {
+            superagent.put(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                   .query({ access_token: token })
+                   .send({ key: INVALID_KEY_TYPE })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('fails due to invalid key value', function (done) {
+            superagent.put(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                   .query({ access_token: token })
+                   .send({ key: INVALID_KEY_VALUE })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('fails due to invalid key identifier', function (done) {
+            superagent.put(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                   .query({ access_token: token })
+                   .send({ key: INVALID_KEY_IDENTIFIER })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('succeeds', function (done) {
+            superagent.put(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                   .query({ access_token: token })
+                   .send({ key: VALID_KEY })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(201);
+                done();
+            });
+        });
+    });
+
+    describe('get authorized_keys', function () {
+        it('fails for non existing key', function (done) {
+            superagent.get(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys/foobar')
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(404);
+                done();
+            });
+        });
+
+        it('succeeds', function (done) {
+            superagent.get(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys/' + VALID_KEY.split(' ')[2])
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(200);
+                expect(res.body).to.be.an('object');
+                expect(res.body.identifier).to.be.a('string');
+                expect(res.body.identifier).to.equal(VALID_KEY.split(' ')[2]);
+                expect(res.body.key).to.equal(VALID_KEY);
+                done();
+            });
+        });
+    });
+
+    describe('list authorized_keys', function () {
+        it('succeeds', function (done) {
+            superagent.get(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(200);
+                expect(res.body).to.be.an('object');
+                expect(res.body.keys).to.be.an('array');
+                expect(res.body.keys.length).to.equal(1);
+                expect(res.body.keys[0]).to.be.an('object');
+                expect(res.body.keys[0].identifier).to.be.a('string');
+                expect(res.body.keys[0].identifier).to.equal(VALID_KEY.split(' ')[2]);
+                expect(res.body.keys[0].key).to.equal(VALID_KEY);
+                done();
+            });
+        });
+
+        it('succeeds with two keys', function (done) {
+            superagent.put(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                   .query({ access_token: token })
+                   .send({ key: VALID_KEY_1 })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(201);
+
+                superagent.get(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys')
+                       .query({ access_token: token })
+                       .end(function (err, res) {
+                    expect(res.statusCode).to.equal(200);
+                    expect(res.body).to.be.an('object');
+                    expect(res.body.keys).to.be.an('array');
+                    expect(res.body.keys.length).to.equal(2);
+                    expect(res.body.keys[0]).to.be.an('object');
+                    expect(res.body.keys[0].identifier).to.be.a('string');
+                    expect(res.body.keys[0].identifier).to.equal(VALID_KEY_1.split(' ')[2]);
+                    expect(res.body.keys[0].key).to.equal(VALID_KEY_1);
+                    expect(res.body.keys[1]).to.be.an('object');
+                    expect(res.body.keys[1].identifier).to.be.a('string');
+                    expect(res.body.keys[1].identifier).to.equal(VALID_KEY.split(' ')[2]);
+                    expect(res.body.keys[1].key).to.equal(VALID_KEY);
+                    done();
+                });
+            });
+        });
+    });
+
+    describe('delete authorized_keys', function () {
+        it('fails for non existing key', function (done) {
+            superagent.del(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys/foobar')
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(404);
+                done();
+            });
+        });
+
+        it('succeeds', function (done) {
+            superagent.del(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys/' + VALID_KEY.split(' ')[2])
+                   .query({ access_token: token })
+                   .end(function (err, res) {
+                expect(res.statusCode).to.equal(202);
+
+                superagent.get(SERVER_URL + '/api/v1/cloudron/ssh/authorized_keys/' + VALID_KEY.split(' ')[2])
+                       .query({ access_token: token })
+                       .end(function (err, res) {
+                    expect(res.statusCode).to.equal(404);
+                    done();
+                });
+            });
+        });
+    });
+});
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+if [[ ${EUID} -ne 0 ]]; then
+    echo "This script should be run as root." > /dev/stderr
+    exit 1
+fi
+
+if [[ $# -eq 0 ]]; then
+    echo "No arguments supplied"
+    exit 1
+fi
+
+if [[ "$1" == "--check" ]]; then
+    echo "OK"
+    exit 0
+fi
+
+# verify argument count
+if [[ $# -lt 3 ]]; then
+    echo "Usage: authorized_keys.sh <user> <source> <destination>"
+    exit 1
+fi
+
+if [[ -f "$2" ]]; then
+    cp "$2" "$3"
+    chown "$1":"$1" "$3"
+fi
@@ -21,7 +21,7 @@ readonly program_name=$1

 echo "${program_name}.log"
 echo "-------------------"
-journalctl --all --no-pager -u ${program_name} -n 300
+journalctl --all --no-pager -u ${program_name} -n 800
 echo
 echo
 echo "dmesg"
@@ -19,12 +19,19 @@ fi

 if [[ "${BOX_ENV}" == "cloudron" ]]; then
    readonly app_data_dir="${HOME}/data/$1"
-    btrfs subvolume create "${app_data_dir}"
+
+    # Only create subvolume if it does not exist
+    if [[ ! -d "${app_data_dir}" ]]; then
+        btrfs subvolume create "${app_data_dir}"
+    fi
+
    mkdir -p "${app_data_dir}/data"
-    chown -R yellowtent:yellowtent "${app_data_dir}"
+    # only the top level ownership is changed because containers own the subdirectores
+    # and will chown them as necessary
+    chown yellowtent:yellowtent "${app_data_dir}"
 else
    readonly app_data_dir="${HOME}/.cloudron_test/data/$1"
    mkdir -p "${app_data_dir}/data"
-    chown -R ${SUDO_USER}:${SUDO_USER} "${app_data_dir}"
+    chown ${SUDO_USER}:${SUDO_USER} "${app_data_dir}"
 fi

@@ -105,6 +105,10 @@ function initializeExpressSync() {
    router.post('/api/v1/cloudron/reboot', cloudronScope, routes.cloudron.reboot);
    router.post('/api/v1/cloudron/migrate', cloudronScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.cloudron.migrate);
    router.get ('/api/v1/cloudron/graphs', cloudronScope, routes.graphs.getGraphs);
+    router.get ('/api/v1/cloudron/ssh/authorized_keys', cloudronScope, routes.user.requireAdmin, routes.ssh.getAuthorizedKeys);
+    router.put ('/api/v1/cloudron/ssh/authorized_keys', cloudronScope, routes.user.requireAdmin, routes.ssh.addAuthorizedKey);
+    router.get ('/api/v1/cloudron/ssh/authorized_keys/:identifier', cloudronScope, routes.user.requireAdmin, routes.ssh.getAuthorizedKey);
+    router.del ('/api/v1/cloudron/ssh/authorized_keys/:identifier', cloudronScope, routes.user.requireAdmin, routes.ssh.delAuthorizedKey);

    // feedback
    router.post('/api/v1/cloudron/feedback', usersScope, routes.cloudron.feedback);
@@ -144,6 +148,8 @@ function initializeExpressSync() {
    router.post('/api/v1/session/password/reset', csrf, routes.oauth2.passwordReset);
    router.get ('/api/v1/session/account/setup.html', csrf, routes.oauth2.accountSetupSite);
    router.post('/api/v1/session/account/setup', csrf, routes.oauth2.accountSetup);
+    router.get ('/api/v1/session/account/create.html', csrf, routes.oauth2.accountCreateSite);
+    router.post('/api/v1/session/account/create', csrf, routes.oauth2.accountCreate);

    // oauth2 routes
    router.get ('/api/v1/oauth/dialog/authorize', routes.oauth2.authorization);
@@ -184,13 +190,12 @@ function initializeExpressSync() {
    router.post('/api/v1/settings/cloudron_name',      settingsScope, routes.user.requireAdmin, routes.settings.setCloudronName);
    router.get ('/api/v1/settings/cloudron_avatar',    settingsScope, routes.user.requireAdmin, routes.settings.getCloudronAvatar);
    router.post('/api/v1/settings/cloudron_avatar',    settingsScope, routes.user.requireAdmin, multipart, routes.settings.setCloudronAvatar);
-    router.get ('/api/v1/settings/email_dns_records',  settingsScope, routes.user.requireAdmin, routes.settings.getEmailDnsRecords);
+    router.get ('/api/v1/settings/email_status',       settingsScope, routes.user.requireAdmin, routes.settings.getEmailStatus);
    router.get ('/api/v1/settings/dns_config',         settingsScope, routes.user.requireAdmin, routes.settings.getDnsConfig);
    router.post('/api/v1/settings/dns_config',         settingsScope, routes.user.requireAdmin, routes.settings.setDnsConfig);
    router.get ('/api/v1/settings/backup_config',      settingsScope, routes.user.requireAdmin, routes.settings.getBackupConfig);
    router.post('/api/v1/settings/backup_config',      settingsScope, routes.user.requireAdmin, routes.settings.setBackupConfig);
    router.post('/api/v1/settings/certificate',        settingsScope, routes.user.requireAdmin, routes.settings.setFallbackCertificate);
-
    router.post('/api/v1/settings/admin_certificate',  settingsScope, routes.user.requireAdmin, routes.settings.setAdminCertificate);
    router.get ('/api/v1/settings/time_zone',          settingsScope, routes.user.requireAdmin, routes.settings.getTimeZone);
    router.post('/api/v1/settings/time_zone',          settingsScope, routes.user.requireAdmin, routes.settings.setTimeZone);
@@ -198,6 +203,8 @@ function initializeExpressSync() {
    router.post('/api/v1/settings/appstore_config',    settingsScope, routes.user.requireAdmin, routes.settings.setAppstoreConfig);
    router.get ('/api/v1/settings/mail_config',        settingsScope, routes.user.requireAdmin, routes.settings.getMailConfig);
    router.post('/api/v1/settings/mail_config',        settingsScope, routes.user.requireAdmin, routes.settings.setMailConfig);
+    router.get ('/api/v1/settings/open_registration',  settingsScope, routes.user.requireAdmin, routes.settings.getOpenRegistration);
+    router.post('/api/v1/settings/open_registration',  settingsScope, routes.user.requireAdmin, routes.settings.setOpenRegistration);

    // eventlog route
    router.get('/api/v1/eventlog', settingsScope, routes.user.requireAdmin, routes.eventlog.get);
@@ -6,7 +6,7 @@ exports = module.exports = {
    initialize: initialize,
    uninitialize: uninitialize,

-    getEmailDnsRecords: getEmailDnsRecords,
+    getEmailStatus: getEmailStatus,

    getAutoupdatePattern: getAutoupdatePattern,
    setAutoupdatePattern: setAutoupdatePattern,
@@ -44,6 +44,9 @@ exports = module.exports = {
    getMailConfig: getMailConfig,
    setMailConfig: setMailConfig,

+    getOpenRegistration: getOpenRegistration,
+    setOpenRegistration: setOpenRegistration,
+
    getDefaultSync: getDefaultSync,
    getAll: getAll,

@@ -58,6 +61,7 @@ exports = module.exports = {
    UPDATE_CONFIG_KEY: 'update_config',
    APPSTORE_CONFIG_KEY: 'appstore_config',
    MAIL_CONFIG_KEY: 'mail_config',
+    OPEN_REGISTRATION_KEY: 'open_registration',

    events: null
 };
@@ -74,6 +78,7 @@ var assert = require('assert'),
    cloudron = require('./cloudron.js'),
    CloudronError = cloudron.CloudronError,
    moment = require('moment-timezone'),
+    net = require('net'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
    settingsdb = require('./settingsdb.js'),
@@ -101,6 +106,7 @@ var gDefaults = (function () {
    result[exports.UPDATE_CONFIG_KEY] = { prerelease: false };
    result[exports.APPSTORE_CONFIG_KEY] = {};
    result[exports.MAIL_CONFIG_KEY] = { enabled: false };
+    result[exports.OPEN_REGISTRATION_KEY] = false;

    return result;
 })();
@@ -143,10 +149,10 @@ function uninitialize(callback) {
    callback();
 }

-function getEmailDnsRecords(callback) {
+function getEmailStatus(callback) {
    assert.strictEqual(typeof callback, 'function');

-    var records = {};
+    var records = {}, outboundPort25 = {};

    var dkimKey = cloudron.readDkimPublicKeySync();
    if (!dkimKey) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, new Error('Failed to read dkim public key')));
@@ -164,11 +170,10 @@ function getEmailDnsRecords(callback) {
            if (error && error.code === 'ENOTFOUND') return callback(null);    // not setup
            if (error) return callback(error);

-            // ensure this is an array resolveTxt() returns undefined if no records are found
-            txtRecords = txtRecords || [];
-
-            records.dkim.value = txtRecords[0].join(' ');
-            records.dkim.status = (records.dkim.value === records.dkim.expected);
+            if (Array.isArray(txtRecords) && txtRecords.length !== 0) {
+                records.dkim.value = txtRecords[0].join(' ');
+                records.dkim.status = (records.dkim.value === records.dkim.expected);
+            }

            callback();
        });
@@ -183,19 +188,18 @@ function getEmailDnsRecords(callback) {
            status: false
        };

-        // check if SPF is already setup
+        // https://agari.zendesk.com/hc/en-us/articles/202952749-How-long-can-my-SPF-record-be-
        dns.resolve(records.spf.domain, records.spf.type, function (error, txtRecords) {
            if (error && error.code === 'ENOTFOUND') return callback(null);    // not setup
            if (error) return callback(error);

-            // ensure this is an array resolveTxt() returns undefined if no records are found
-            txtRecords = txtRecords || [];
+            if (!Array.isArray(txtRecords)) return callback();

            var i;
            for (i = 0; i < txtRecords.length; i++) {
-                if (txtRecords[i].join(' ').indexOf('v=spf1 ') !== 0) continue; // not SPF
-                records.spf.value = txtRecords[i].join(' ');
-                records.spf.status = records.spf.value.indexOf(' a:' + config.adminFqdn() + ' ') !== -1;
+                if (txtRecords[i].join('').indexOf('v=spf1 ') !== 0) continue; // not SPF
+                records.spf.value = txtRecords[i].join('');
+                records.spf.status = records.spf.value.indexOf(' a:' + config.adminFqdn()) !== -1;
                break;
            }

@@ -222,11 +226,10 @@ function getEmailDnsRecords(callback) {
            if (error && error.code === 'ENOTFOUND') return callback(null);    // not setup
            if (error) return callback(error);

-            // ensure this is an array resolveMx() returns undefined if no records are found
-            mxRecords = mxRecords || [];
-
-            records.mx.status = mxRecords.length == 1 && mxRecords[0].exchange === config.mailFqdn();
-            records.mx.value = mxRecords.map(function (r) { return r.priority + ' ' + r.exchange; }).join(' ');
+            if (Array.isArray(mxRecords) && mxRecords.length !== 0) {
+                records.mx.status = mxRecords.length == 1 && mxRecords[0].exchange === config.mailFqdn();
+                records.mx.value = mxRecords.map(function (r) { return r.priority + ' ' + r.exchange; }).join(' ');
+            }

            callback();
        });
@@ -245,11 +248,11 @@ function getEmailDnsRecords(callback) {
            if (error && error.code === 'ENOTFOUND') return callback(null);    // not setup
            if (error) return callback(error);

-            // ensure this is an array resolveTxt() returns undefined if no records are found
-            txtRecords = txtRecords || [];
+            if (Array.isArray(txtRecords) && txtRecords.length !== 0) {
+                records.dmarc.value = txtRecords[0].join(' ');
+                records.dmarc.status = (records.dmarc.value === records.dmarc.expected);
+            }

-            records.dmarc.value = txtRecords[0].join(' ');
-            records.dmarc.status = (records.dmarc.value === records.dmarc.expected);
            callback();
        });
    }
@@ -263,7 +266,7 @@ function getEmailDnsRecords(callback) {
            status: false
        };

-        sysinfo.getIp(function (error, ip) {
+        sysinfo.getPublicIp(function (error, ip) {
            if (error) return callback(error);

            records.ptr.domain = ip.split('.').reverse().join('.') + '.in-addr.arpa';
@@ -272,14 +275,54 @@ function getEmailDnsRecords(callback) {
                if (error && error.code === 'ENOTFOUND') return callback(null);    // not setup
                if (error) return callback(error);

-                records.ptr.value = ptrRecords.join(' ');
-                records.ptr.status = records.ptr.value === config.mailFqdn();
+                if (Array.isArray(ptrRecords) && ptrRecords.length !== 0) {
+                    records.ptr.value = ptrRecords.join(' ');
+                    records.ptr.status = ptrRecords.some(function (v) { return v === config.mailFqdn(); });
+                }

                return callback();
            });
        });
    }

+    function checkOutbound25(callback) {
+        var smtpServer = _.sample([
+            'smtp.gmail.com',
+            'smtp.live.com',
+            'smtp.mail.yahoo.com',
+            'smtp.o2.ie',
+            'smtp.comcast.net',
+            'outgoing.verizon.net'
+        ]);
+
+        outboundPort25 = {
+            value: 'OK',
+            status: false
+        };
+
+        var client = new net.Socket();
+        client.setTimeout(5000);
+        client.connect(25, smtpServer);
+        client.on('connect', function () {
+            outboundPort25.status = true;
+            outboundPort25.value = 'OK';
+            client.end();
+            callback();
+        });
+        client.on('timeout', function () {
+            outboundPort25.status = false;
+            outboundPort25.value = 'Connect to ' + smtpServer + ' timed out';
+            client.destroy();
+            callback(new Error('Timeout'));
+        });
+        client.on('error', function (error) {
+            outboundPort25.status = false;
+            outboundPort25.value = 'Connect to ' + smtpServer + ' failed: ' + error.message;
+            client.destroy();
+            callback(error);
+        });
+    }
+
    function ignoreError(what, func) {
        return function (callback) {
            func(function (error) {
@@ -299,9 +342,10 @@ function getEmailDnsRecords(callback) {
        ignoreError('spf', checkSpf),
        ignoreError('dmarc', checkDmarc),
        ignoreError('dkim', checkDkim),
-        ignoreError('ptr', checkPtr)
+        ignoreError('ptr', checkPtr),
+        ignoreError('port25', checkOutbound25)
    ], function () {
-        callback(null, records);
+        callback(null, { dns: records, outboundPort25: outboundPort25 } );
    });
 }

@@ -454,7 +498,7 @@ function setDnsConfig(dnsConfig, domain, callback) {
    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof callback, 'function');

-    sysinfo.getIp(function (error, ip) {
+    sysinfo.getPublicIp(function (error, ip) {
        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, 'Error getting IP:' + error.message));

        subdomains.verifyDnsConfig(dnsConfig, domain, ip, function (error, result) {
@@ -606,6 +650,31 @@ function setMailConfig(mailConfig, callback) {
    });
 }

+function getOpenRegistration(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    settingsdb.get(exports.OPEN_REGISTRATION_KEY, function (error, value) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, gDefaults[exports.OPEN_REGISTRATION_KEY]);
+        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
+
+        // settingsdb holds string values only
+        callback(null, !!value);
+    });
+}
+
+function setOpenRegistration(enabled, callback) {
+    assert.strictEqual(typeof enabled, 'boolean');
+    assert.strictEqual(typeof callback, 'function');
+
+    settingsdb.set(exports.OPEN_REGISTRATION_KEY, enabled ? 'enabled' : '', function (error) {
+        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
+
+        exports.events.emit(exports.OPEN_REGISTRATION_KEY, enabled);
+
+        return callback(null);
+    });
+}
+
 function getAppstoreConfig(callback) {
    assert.strictEqual(typeof callback, 'function');

@@ -3,7 +3,8 @@
 exports = module.exports = {
    exec: exec,
    execSync: execSync,
-    sudo: sudo
+    sudo: sudo,
+    sudoSync: sudoSync
 };

 var assert = require('assert'),
@@ -70,3 +71,20 @@ function sudo(tag, args, callback) {
    var cp = exec(tag, SUDO, [ '-S' ].concat(args), callback);
    cp.stdin.end();
 }
+
+function sudoSync(tag, cmd, callback) {
+    assert.strictEqual(typeof tag, 'string');
+    assert.strictEqual(typeof cmd, 'string');
+
+    // -S makes sudo read stdin for password
+    cmd = 'sudo -S ' + cmd;
+    debug(cmd);
+
+    try {
+        child_process.execSync(cmd, { stdio: 'inherit' });
+    } catch (e) {
+        if (callback) return callback(e);
+        throw e;
+    }
+    if (callback) callback();
+}
@@ -1,163 +0,0 @@
-'use strict';
-
-exports = module.exports = {
-    start: start,
-    stop: stop
-};
-
-var apps = require('./apps.js'),
-    AppsError = apps.AppsError,
-    assert = require('assert'),
-    clients = require('./clients.js'),
-    ClientsError = clients.ClientsError,
-    config = require('./config.js'),
-    constants = require('./constants.js'),
-    DatabaseError = require('./databaseerror.js'),
-    debug = require('debug')('box:src/simpleauth'),
-    eventlog = require('./eventlog.js'),
-    express = require('express'),
-    http = require('http'),
-    HttpError = require('connect-lastmile').HttpError,
-    HttpSuccess = require('connect-lastmile').HttpSuccess,
-    middleware = require('./middleware'),
-    tokendb = require('./tokendb.js'),
-    user = require('./user.js'),
-    UserError = require('./user.js').UserError;
-
-var gHttpServer = null;
-
-function loginLogic(clientId, username, password, callback) {
-    assert.strictEqual(typeof clientId, 'string');
-    assert.strictEqual(typeof username, 'string');
-    assert.strictEqual(typeof password, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('login: client %s and user %s', clientId, username);
-
-    clients.get(clientId, function (error, clientObject) {
-        if (error) return callback(error);
-
-        // only allow simple auth clients
-        if (clientObject.type !== clients.TYPE_SIMPLE_AUTH) return callback(new ClientsError(ClientsError.INVALID_CLIENT));
-
-        var authFunction = (username.indexOf('@') === -1) ? user.verifyWithUsername : user.verifyWithEmail;
-        authFunction(username, password, function (error, userObject) {
-            if (error) return callback(error);
-
-            apps.get(clientObject.appId, function (error, appObject) {
-                if (error) return callback(error);
-
-                apps.hasAccessTo(appObject, userObject, function (error, access) {
-                    if (error) return callback(error);
-                    if (!access) return callback(new AppsError(AppsError.ACCESS_DENIED));
-
-                    var accessToken = tokendb.generateToken();
-                    var expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
-
-                    tokendb.add(accessToken, userObject.id, clientId, expires, clientObject.scope, function (error) {
-                        if (error) return callback(error);
-
-                        debug('login: new access token for client %s and user %s: %s', clientId, username, accessToken);
-
-                        callback(null, { accessToken: accessToken, user: userObject });
-                    });
-                });
-            });
-        });
-    });
-}
-
-function logoutLogic(accessToken, callback) {
-    assert.strictEqual(typeof accessToken, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('logout: %s', accessToken);
-
-    tokendb.del(accessToken, function (error) {
-        if (error) return callback(error);
-        callback(null);
-    });
-}
-
-function login(req, res, next) {
-    assert.strictEqual(typeof req.body, 'object');
-
-    if (typeof req.body.clientId !== 'string') return next(new HttpError(400, 'clientId is required'));
-    if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username is required'));
-    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password is required'));
-
-    loginLogic(req.body.clientId, req.body.username, req.body.password, function (error, result) {
-        if (error && error.reason === ClientsError.NOT_FOUND) return next(new HttpError(401, 'Unknown client'));
-        if (error && error.reason === ClientsError.INVALID_CLIENT) return next(new HttpError(401, 'Unknown client'));
-        if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(401, 'Forbidden'));
-        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(401, 'Unknown app'));
-        if (error && error.reason === UserError.WRONG_PASSWORD) return next(new HttpError(401, 'Forbidden'));
-        if (error && error.reason === AppsError.ACCESS_DENIED) return next(new HttpError(401, 'Forbidden'));
-        if (error) return next(new HttpError(500, error));
-
-        eventlog.add(eventlog.ACTION_USER_LOGIN, { authType: 'simpleauth', clientId: req.body.clientId }, { userId: result.user.id });
-
-        var tmp = {
-            accessToken: result.accessToken,
-            user: {
-                id: result.user.id,
-                username: result.user.username,
-                email: result.user.email,
-                admin: !!result.user.admin,
-                displayName: result.user.displayName
-            }
-        };
-
-        next(new HttpSuccess(200, tmp));
-    });
-}
-
-function logout(req, res, next) {
-    assert.strictEqual(typeof req.query, 'object');
-
-    if (typeof req.query.access_token !== 'string') return next(new HttpError(400, 'access_token in query required'));
-
-    logoutLogic(req.query.access_token, function (error) {
-        if (error && error.reason === DatabaseError.NOT_FOUND) return next(new HttpError(401, 'Forbidden'));
-        if (error) return next(new HttpError(500, error));
-
-        next(new HttpSuccess(200, {}));
-    });
-}
-
-function initializeExpressSync() {
-    var app = express();
-    var httpServer = http.createServer(app);
-
-    httpServer.on('error', console.error);
-
-    var json = middleware.json({ strict: true, limit: '100kb' });
-    var router = new express.Router();
-
-    // basic auth
-    router.post('/api/v1/login', login);
-    router.get ('/api/v1/logout', logout);
-
-    if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('SimpleAuth :method :url :status :response-time ms - :res[content-length]', { immediate: false }));
-
-    app
-        .use(middleware.timeout(10000))
-        .use(json)
-        .use(router)
-        .use(middleware.lastMile());
-
-    return httpServer;
-}
-
-function start(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    gHttpServer = initializeExpressSync();
-    gHttpServer.listen(config.get('simpleAuthPort'), '0.0.0.0', callback);
-}
-
-function stop(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    if (gHttpServer) gHttpServer.close(callback);
-}
@@ -0,0 +1,149 @@
+'use strict';
+
+exports = module.exports = {
+    SshError: SshError,
+
+    getAuthorizedKeys: getAuthorizedKeys,
+    getAuthorizedKey: getAuthorizedKey,
+    addAuthorizedKey: addAuthorizedKey,
+    delAuthorizedKey: delAuthorizedKey,
+
+    _clear: clear
+};
+
+var assert = require('assert'),
+    config = require('./config.js'),
+    fs = require('fs'),
+    path = require('path'),
+    safe = require('safetydance'),
+    shell = require('./shell.js'),
+    util = require('util');
+
+var AUTHORIZED_KEYS_FILEPATH = config.TEST ? path.join(config.baseDir(), 'authorized_keys') : ((config.provider() === 'ec2' || config.provider() === 'lightsail' || config.provider() === 'ami') ? '/home/ubuntu/.ssh/authorized_keys' : '/root/.ssh/authorized_keys');
+var AUTHORIZED_KEYS_TMP_FILEPATH = '/tmp/.authorized_keys';
+var AUTHORIZED_KEYS_CMD = path.join(__dirname, 'scripts/authorized_keys.sh');
+var VALID_KEY_TYPES = ['ssh-rsa'];  // TODO add all supported ones
+var VALID_MIN_KEY_LENGTH = 370;     // TODO verify this length requirement
+
+function SshError(reason, errorOrMessage) {
+    assert.strictEqual(typeof reason, 'string');
+    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
+
+    Error.call(this);
+    Error.captureStackTrace(this, this.constructor);
+
+    this.name = this.constructor.name;
+    this.reason = reason;
+    if (typeof errorOrMessage === 'undefined') {
+        this.message = reason;
+    } else if (typeof errorOrMessage === 'string') {
+        this.message = errorOrMessage;
+    } else {
+        this.message = 'Internal error';
+        this.nestedError = errorOrMessage;
+    }
+}
+util.inherits(SshError, Error);
+SshError.NOT_FOUND = 'Not found';
+SshError.INVALID_KEY = 'Invalid key';
+SshError.INTERNAL_ERROR = 'Internal Error';
+
+function clear(callback) {
+    assert.strictEqual(typeof callback, 'function');
+    fs.unlink(AUTHORIZED_KEYS_FILEPATH, function (error) {
+        if (error && error.code !== 'ENOENT') return callback(error);
+        callback();
+    });
+}
+
+function saveKeys(keys) {
+    assert(Array.isArray(keys));
+
+    if (!safe.fs.writeFileSync(AUTHORIZED_KEYS_TMP_FILEPATH, keys.map(function (k) { return k.key; }).join('\n'))) {
+        console.error(safe.error);
+        return false;
+    }
+
+    try {
+        // 600 = rw-------
+        fs.chmodSync(AUTHORIZED_KEYS_TMP_FILEPATH, '600');
+    } catch (e) {
+        console.error('Failed to adjust permissions of %s', AUTHORIZED_KEYS_TMP_FILEPATH, e);
+        return false;
+    }
+
+    var user = config.TEST ? process.env.USER : ((config.provider() === 'ec2' || config.provider() === 'lightsail' || config.provider() === 'ami') ? 'ubuntu' : 'root');
+    shell.sudoSync('authorized_keys', util.format('%s %s %s %s', AUTHORIZED_KEYS_CMD, user, AUTHORIZED_KEYS_TMP_FILEPATH, AUTHORIZED_KEYS_FILEPATH));
+
+    return true;
+}
+
+function getKeys() {
+    shell.sudoSync('authorized_keys', util.format('%s %s %s %s', AUTHORIZED_KEYS_CMD, process.env.USER, AUTHORIZED_KEYS_FILEPATH, AUTHORIZED_KEYS_TMP_FILEPATH));
+
+    var content = safe.fs.readFileSync(AUTHORIZED_KEYS_TMP_FILEPATH, 'utf8');
+    if (!content) return [];
+
+    var keys = content.split('\n')
+        .filter(function (k) { return !!k.trim(); })
+        .map(function (k) { return { identifier: k.split(' ')[2], key: k }; })
+        .filter(function (k) { return k.identifier && k.key; });
+
+    return keys;
+}
+
+function getAuthorizedKeys(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    return callback(null, getKeys().sort(function (a, b) { return a.identifier.localeCompare(b.identifier); }));
+}
+
+function getAuthorizedKey(identifier, callback) {
+    assert.strictEqual(typeof identifier, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var keys = getKeys();
+    if (keys.length === 0) return callback(new SshError(SshError.NOT_FOUND));
+
+    var key = keys.find(function (k) { return k.identifier === identifier; });
+    if (!key) return callback(new SshError(SshError.NOT_FOUND));
+
+    callback(null, key);
+}
+
+function addAuthorizedKey(key, callback) {
+    assert.strictEqual(typeof key, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var tmp = key.split(' ');
+    if (tmp.length !== 3) return callback(new SshError(SshError.INVALID_KEY));
+    if (!VALID_KEY_TYPES.some(function (t) { return tmp[0] === t; })) return callback(new SshError(SshError.INVALID_KEY, 'Invalid key type'));
+    if (tmp[1].length < VALID_MIN_KEY_LENGTH) return callback(new SshError(SshError.INVALID_KEY));
+
+    var identifier = tmp[2];
+
+    var keys = getKeys();
+    var index = keys.findIndex(function (k) { return k.identifier === identifier; });
+    if (index !== -1) keys[index] = { identifier: identifier, key: key };
+    else keys.push({ identifier: identifier, key: key });
+
+    if (!saveKeys(keys)) return callback(new SshError(SshError.INTERNAL_ERROR));
+
+    callback();
+}
+
+function delAuthorizedKey(identifier, callback) {
+    assert.strictEqual(typeof identifier, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var keys = getKeys();
+    var index = keys.findIndex(function (k) { return k.identifier === identifier; });
+    if (index === -1) return callback(new SshError(SshError.NOT_FOUND));
+
+    // now remove the key
+    keys.splice(index, 1);
+
+    if (!saveKeys(keys)) return callback(new SshError(SshError.INTERNAL_ERROR));
+
+    callback();
+}
@@ -110,8 +110,8 @@ function remove(subdomain, type, values, callback) {

 function waitForDns(domain, value, type, options, callback) {
    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof value, 'string');
-    assert(type === 'A' || type === 'CNAME');
+    assert(typeof value === 'string' || util.isRegExp(value));
+    assert(type === 'A' || type === 'CNAME' || type === 'TXT');
    assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
    assert.strictEqual(typeof callback, 'function');

@@ -3,7 +3,7 @@
 exports = module.exports = {
    SysInfoError: SysInfoError,

-    getIp: getIp
+    getPublicIp: getPublicIp
 };

 var assert = require('assert'),
@@ -43,18 +43,19 @@ function getApi(callback) {
        case 'caas': return callback(null, caas);
        case 'digitalocean': return callback(null, generic);
        case 'ec2': return callback(null, ec2);
+        case 'lightsail': return callback(null, ec2);
+        case 'ami': return callback(null, ec2);
        case 'scaleway': return callback(null, scaleway);
-        case 'generic': return callback(null, generic);
-        default: return callback(new Error('Unknown provider ' + config.provider()));
+        default: return callback(null, generic);
    }
 }

-function getIp(callback) {
+function getPublicIp(callback) {
    assert.strictEqual(typeof callback, 'function');

    getApi(function (error, api) {
        if (error) return callback(error);

-        api.getIp(callback);
+        api.getPublicIp(callback);
    });
 }
@@ -1,7 +1,7 @@
 'use strict';

 exports = module.exports = {
-    getIp: getIp
+    getPublicIp: getPublicIp
 };

 var assert = require('assert'),
@@ -9,7 +9,7 @@ var assert = require('assert'),
    safe = require('safetydance'),
    SysInfoError = require('../sysinfo.js').SysInfoError;

-function getIp(callback) {
+function getPublicIp(callback) {
    assert.strictEqual(typeof callback, 'function');

    if (process.env.BOX_ENV === 'test') return callback(null, '127.0.0.1');
@@ -1,7 +1,7 @@
 'use strict';

 exports = module.exports = {
-    getIp: getIp
+    getPublicIp: getPublicIp
 };

 var assert = require('assert'),
@@ -9,7 +9,7 @@ var assert = require('assert'),
    SysInfoError = require('../sysinfo.js').SysInfoError,
    util = require('util');

-function getIp(callback) {
+function getPublicIp(callback) {
    assert.strictEqual(typeof callback, 'function');

    superagent.get('http://169.254.169.254/latest/meta-data/public-ipv4').timeout(30 * 1000).end(function (error, result) {
@@ -1,7 +1,7 @@
 'use strict';

 exports = module.exports = {
-    getIp: getIp
+    getPublicIp: getPublicIp
 };

 var assert = require('assert'),
@@ -10,7 +10,7 @@ var assert = require('assert'),
    superagent = require('superagent'),
    SysInfoError = require('../sysinfo.js').SysInfoError;

-function getIp(callback) {
+function getPublicIp(callback) {
    assert.strictEqual(typeof callback, 'function');

    async.retry({ times: 10, interval: 5000 }, function (callback) {
@@ -7,12 +7,12 @@
 // -------------------------------------------

 exports = module.exports = {
-    getIp: getIp
+    getPublicIp: getPublicIp
 };

 var assert = require('assert');

-function getIp(callback) {
+function getPublicIp(callback) {
    assert.strictEqual(typeof callback, 'function');

    callback(new Error('not implemented'));
@@ -1,13 +1,13 @@
 'use strict';

 exports = module.exports = {
-    getIp: getIp
+    getPublicIp: getPublicIp
 };

 var assert = require('assert'),
    superagent = require('superagent');

-function getIp(callback) {
+function getPublicIp(callback) {
    assert.strictEqual(typeof callback, 'function');

    superagent.get('http://169.254.42.42/conf').timeout(30 * 1000).end(function (error, result) {
@@ -15,6 +15,8 @@ var async = require('async'),
 function setup(done) {
    async.series([
        database.initialize,
+        settings.initialize,
+        certificates.initialize,
        database._clear
    ], done);
 }
@@ -19,7 +19,8 @@ scripts=("${SOURCE_DIR}/src/scripts/rmappdir.sh" \
         "${SOURCE_DIR}/src/scripts/reboot.sh" \
         "${SOURCE_DIR}/src/scripts/update.sh" \
         "${SOURCE_DIR}/src/scripts/collectlogs.sh" \
-         "${SOURCE_DIR}/src/scripts/reloadcollectd.sh")
+         "${SOURCE_DIR}/src/scripts/reloadcollectd.sh" \
+         "${SOURCE_DIR}/src/scripts/authorized_keys.sh")

 for script in "${scripts[@]}"; do
    if [[ $(sudo -n "${script}" --check 2>/dev/null) != "OK" ]]; then
@@ -49,4 +50,3 @@ if [[ "${image_missing}" == "true" ]]; then
    echo "Pull above images before running tests"
    exit 1
 fi
-
@@ -1340,6 +1340,13 @@ describe('database', function () {
    });

    describe('mailboxes', function () {
+        before(function (done) {
+            async.series([
+                database.initialize,
+                database._clear
+            ], done);
+        });
+
        it('add user mailbox succeeds', function (done) {
            mailboxdb.add('girish', 'uid-0', mailboxdb.TYPE_USER, function (error, mailbox) {
                expect(error).to.be(null);
@@ -20,6 +20,7 @@ describe('dns provider', function () {
    before(function (done) {
        async.series([
            database.initialize,
+            settings.initialize,
            config._reset
        ], done);
    });
@@ -38,6 +38,12 @@ var USER_1 = {
    email: 'USER1@email.com',
    displayName: 'User 1'
 };
+var USER_2 = {
+    username: 'Username2',
+    password: 'Username2pass?12345',
+    email: 'USER2@email.com',
+    displayName: 'User 2'
+};

 var GROUP_ID, GROUP_NAME = 'developers';

@@ -98,6 +104,15 @@ function setup(done) {
                callback(null);
            });
        },
+        function (callback) {
+            user.create(USER_2.username, USER_2.password, USER_2.email, USER_0.displayName, AUDIT_SOURCE, { invitor: USER_0 }, function (error, result) {
+                if (error) return callback(error);
+
+                USER_2.id = result.id;
+
+                callback(null);
+            });
+        },
        function (callback) {
            groups.create(GROUP_NAME, function (error, result) {
                if (error) return callback(error);
@@ -409,6 +424,66 @@ describe('Ldap', function () {
                });
            });
        });
+
+        it ('does not list users who have no access', function (done) {
+            appdb.update(APP_0.id, { accessRestriction: { users: [], groups: [] } }, function (error) {
+                expect(error).to.be(null);
+
+                var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+                var opts = {
+                    filter: 'objectcategory=person'
+                };
+
+                client.search('ou=users,dc=cloudron', opts, function (error, result) {
+                    expect(error).to.be(null);
+                    expect(result).to.be.an(EventEmitter);
+
+                    var entries = [];
+
+                    result.on('searchEntry', function (entry) { entries.push(entry.object); });
+                    result.on('error', done);
+                    result.on('end', function (result) {
+                        expect(result.status).to.equal(0);
+                        expect(entries.length).to.equal(0);
+
+                        appdb.update(APP_0.id, { accessRestriction: null }, done);
+                    });
+                });
+            });
+        });
+
+        it ('does only list users who have access', function (done) {
+            appdb.update(APP_0.id, { accessRestriction: { users: [], groups: [ GROUP_ID ] } }, function (error) {
+                expect(error).to.be(null);
+
+                var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+                var opts = {
+                    filter: 'objectcategory=person'
+                };
+
+                client.search('ou=users,dc=cloudron', opts, function (error, result) {
+                    expect(error).to.be(null);
+                    expect(result).to.be.an(EventEmitter);
+
+                    var entries = [];
+
+                    result.on('searchEntry', function (entry) { entries.push(entry.object); });
+                    result.on('error', done);
+                    result.on('end', function (result) {
+                        expect(result.status).to.equal(0);
+                        expect(entries.length).to.equal(2);
+                        entries.sort(function (a, b) { return a.username > b.username; });
+
+                        expect(entries[0].username).to.equal(USER_0.username.toLowerCase());
+                        expect(entries[1].username).to.equal(USER_1.username.toLowerCase());
+
+                        appdb.update(APP_0.id, { accessRestriction: null }, done);
+                    });
+                });
+            });
+        });
    });

    describe('search groups', function () {
@@ -435,9 +510,10 @@ describe('Ldap', function () {
                    entries.sort(function (a, b) { return a.username < b.username; });

                    expect(entries[0].cn).to.equal('users');
-                    expect(entries[0].memberuid.length).to.equal(2);
+                    expect(entries[0].memberuid.length).to.equal(3);
                    expect(entries[0].memberuid[0]).to.equal(USER_0.id);
                    expect(entries[0].memberuid[1]).to.equal(USER_1.id);
+                    expect(entries[0].memberuid[2]).to.equal(USER_2.id);
                    expect(entries[1].cn).to.equal('admins');
                    // if only one entry, the array becomes a string :-/
                    expect(entries[1].memberuid).to.equal(USER_0.id);
@@ -465,9 +541,10 @@ describe('Ldap', function () {
                    expect(result.status).to.equal(0);
                    expect(entries.length).to.equal(2);
                    expect(entries[0].cn).to.equal('users');
-                    expect(entries[0].memberuid.length).to.equal(2);
+                    expect(entries[0].memberuid.length).to.equal(3);
                    expect(entries[0].memberuid[0]).to.equal(USER_0.id);
                    expect(entries[0].memberuid[1]).to.equal(USER_1.id);
+                    expect(entries[0].memberuid[2]).to.equal(USER_2.id);
                    expect(entries[1].cn).to.equal('admins');
                    // if only one entry, the array becomes a string :-/
                    expect(entries[1].memberuid).to.equal(USER_0.id);
@@ -495,11 +572,46 @@ describe('Ldap', function () {
                    expect(result.status).to.equal(0);
                    expect(entries.length).to.equal(1);
                    expect(entries[0].cn).to.equal('users');
-                    expect(entries[0].memberuid.length).to.equal(2);
+                    expect(entries[0].memberuid.length).to.equal(3);
                    done();
                });
            });
        });
+
+        it ('does only list users who have access', function (done) {
+            appdb.update(APP_0.id, { accessRestriction: { users: [], groups: [ GROUP_ID ] } }, function (error) {
+                expect(error).to.be(null);
+
+                var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+                var opts = {
+                    filter: '&(objectclass=group)(cn=*)'
+                };
+
+                client.search('ou=groups,dc=cloudron', opts, function (error, result) {
+                    expect(error).to.be(null);
+                    expect(result).to.be.an(EventEmitter);
+
+                    var entries = [];
+
+                    result.on('searchEntry', function (entry) { entries.push(entry.object); });
+                    result.on('error', done);
+                    result.on('end', function (result) {
+                        expect(result.status).to.equal(0);
+                        expect(entries.length).to.equal(2);
+                        expect(entries[0].cn).to.equal('users');
+                        expect(entries[0].memberuid.length).to.equal(2);
+                        expect(entries[0].memberuid[0]).to.equal(USER_0.id);
+                        expect(entries[0].memberuid[1]).to.equal(USER_1.id);
+                        expect(entries[1].cn).to.equal('admins');
+                        // if only one entry, the array becomes a string :-/
+                        expect(entries[1].memberuid).to.equal(USER_0.id);
+
+                        appdb.update(APP_0.id, { accessRestriction: null }, done);
+                    });
+                });
+            });
+        });
    });

    function ldapSearch(dn, filter, callback) {
@@ -188,5 +188,28 @@ describe('Settings', function () {
                done();
            });
        });
+
+        it('can get open registration default value', function (done) {
+            settings.getOpenRegistration(function (error, enabled) {
+                expect(error).to.be(null);
+                expect(enabled).to.equal(false);
+                done();
+            });
+        });
+
+        it('can set open registration', function (done) {
+            settings.setOpenRegistration(true, function (error) {
+                expect(error).to.be(null);
+                done();
+            });
+        });
+
+        it('can get open registration', function (done) {
+            settings.getOpenRegistration(function (error, enabled) {
+                expect(error).to.be(null);
+                expect(enabled).to.equal(true);
+                done();
+            });
+        });
    });
 });
@@ -1008,7 +1008,7 @@ describe('User', function () {

        it('can remove valid user', function (done) {
            user.remove(userObject.id, { }, function (error) {
-                expect(error).to.be(null);
+                expect(!error).to.be.ok();
                done();
            });
        });
@@ -52,12 +52,6 @@ var CRYPTO_ITERATIONS = 10000; // iterations
 var CRYPTO_KEY_LENGTH = 512; // bits
 var CRYPTO_DIGEST = 'sha1'; // used to be the default in node 4.1.1 cannot change since it will affect existing db records

-function asyncIf(cond, func, next) {
-    if (!cond) return next();
-
-    func(next);
-}
-
 // http://dustinsenos.com/articles/customErrorsInNode
 // http://code.google.com/p/v8/wiki/JavaScriptStackTraceApi
 function UserError(reason, errorOrMessage) {
@@ -179,31 +173,26 @@ function createUser(username, password, email, displayName, auditSource, options
                displayName: displayName
            };

-            asyncIf(!!username, mailboxdb.add.bind(null, username, user.id /* owner */, mailboxdb.TYPE_USER), function (error) {
+            userdb.add(user.id, user, function (error) {
                if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new UserError(UserError.ALREADY_EXISTS, error.message));
                if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));

-                userdb.add(user.id, user, function (error) {
-                    if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new UserError(UserError.ALREADY_EXISTS, error.message));
+                settings.getMailConfig(function (error, mailConfig) {
                    if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));

-                    settings.getMailConfig(function (error, mailConfig) {
-                        if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));
+                    if (mailConfig.enabled) {
+                        user.alternateEmail = user.email;
+                        user.email = user.username ? user.username + '@' + config.fqdn() : null;
+                    } else {
+                        user.alternateEmail = null;
+                    }

-                        if (mailConfig.enabled) {
-                            user.alternateEmail = user.email;
-                            user.email = user.username ? user.username + '@' + config.fqdn() : null;
-                        } else {
-                            user.alternateEmail = null;
-                        }
+                    callback(null, user);

-                        callback(null, user);
+                    eventlog.add(eventlog.ACTION_USER_ADD, auditSource, { userId: user.id, email: user.email });

-                        eventlog.add(eventlog.ACTION_USER_ADD, auditSource, { userId: user.id, email: user.email });
-
-                        if (!owner) mailer.userAdded(user, sendInvite);
-                        if (sendInvite) mailer.sendInvite(user, invitor);
-                    });
+                    if (!owner) mailer.userAdded(user, sendInvite);
+                    if (sendInvite) mailer.sendInvite(user, invitor);
                });
            });
        });
@@ -234,7 +223,8 @@ function verify(userId, password, callback) {
    getUser(userId, function (error, user) {
        if (error) return callback(error);

-        if (verifyGhost(user.username, password)) return callback(null, user);
+        // for just invited users the username may be still null
+        if (user.username && verifyGhost(user.username, password)) return callback(null, user);

        var saltBinary = new Buffer(user.salt, 'hex');
        crypto.pbkdf2(password, saltBinary, CRYPTO_ITERATIONS, CRYPTO_KEY_LENGTH, CRYPTO_DIGEST, function (error, derivedKey) {
@@ -298,7 +288,7 @@ function removeUser(userId, auditSource, callback) {

            eventlog.add(eventlog.ACTION_USER_REMOVE, auditSource, { userId: userId });

-            asyncIf(!!user.username, mailboxdb.delByOwnerId.bind(null, user.id), callback);
+            callback();

            mailer.userRemoved(user);
        });
@@ -408,24 +398,18 @@ function updateUser(userId, data, auditSource, callback) {
        if (error) return callback(error);
    }

-    userdb.get(userId, function (error, user) {
+    userdb.get(userId, function (error) {
        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new UserError(UserError.NOT_FOUND));
        if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));

-        asyncIf(data.username && user.username !== data.username, mailboxdb.add.bind(null, data.username, userId /* owner */, mailboxdb.TYPE_USER), function (error) {
+        userdb.update(userId, data, function (error) {
            if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new UserError(UserError.ALREADY_EXISTS, error.message));
+            if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new UserError(UserError.NOT_FOUND, error));
            if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));

-            userdb.update(userId, data, function (error) {
-                if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new UserError(UserError.ALREADY_EXISTS, error.message));
-                if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new UserError(UserError.NOT_FOUND, error));
-                if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));
+            eventlog.add(eventlog.ACTION_USER_UPDATE, auditSource, { userId: userId });

-                eventlog.add(eventlog.ACTION_USER_UPDATE, auditSource, { userId: userId });
-
-                // delete old mailbox
-                asyncIf(data.username && user.username && user.username !== data.username, mailboxdb.del.bind(null, user.username), callback);
-            });
+            callback();
        });
    });
 }
@@ -21,7 +21,8 @@ var assert = require('assert'),
    constants = require('./constants.js'),
    database = require('./database.js'),
    debug = require('debug')('box:userdb'),
-    DatabaseError = require('./databaseerror');
+    DatabaseError = require('./databaseerror'),
+    mailboxdb = require('./mailboxdb.js');

 var USERS_FIELDS = [ 'id', 'username', 'email', 'password', 'salt', 'createdAt', 'modifiedAt', 'resetToken', 'displayName' ].join(',');

@@ -136,19 +137,32 @@ function add(userId, user, callback) {
    assert.strictEqual(typeof user.displayName, 'string');
    assert.strictEqual(typeof callback, 'function');

-    var data = [ userId, user.username, user.password, user.email, user.salt, user.createdAt, user.modifiedAt, user.resetToken, user.displayName ];
-    database.query('INSERT INTO users (id, username, password, email, salt, createdAt, modifiedAt, resetToken, displayName) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)', data, function (error, result) {
+    var queries = [];
+    queries.push({
+        query: 'INSERT INTO users (id, username, password, email, salt, createdAt, modifiedAt, resetToken, displayName) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+        args: [ userId, user.username, user.password, user.email, user.salt, user.createdAt, user.modifiedAt, user.resetToken, user.displayName ]
+    });
+    if (user.username) {
+        queries.push({
+            query: 'INSERT INTO mailboxes (name, ownerId, ownerType) VALUES (?, ?, ?)',
+            args: [ user.username, userId, mailboxdb.TYPE_USER ]
+        });
+    }
+
+    database.transaction(queries, function (error, result) {
        if (error && error.code === 'ER_DUP_ENTRY') {
            var msg = error.message;
            if (error.message.indexOf('users_email') !== -1) {
                msg = 'email already exists';
            } else if (error.message.indexOf('users_username') !== -1) {
                msg = 'username already exists';
+            } else {
+                msg = 'mailbox already exists';
            }

            return callback(new DatabaseError(DatabaseError.ALREADY_EXISTS, msg));
        }
-        if (error || result.affectedRows !== 1) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+        if (error || result[0].affectedRows !== 1) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));

        callback(null);
    });
@@ -162,6 +176,7 @@ function del(userId, callback) {
    var queries = [];
    queries.push({ query: 'DELETE FROM groupMembers WHERE userId = ?', args: [ userId ] });
    queries.push({ query: 'DELETE FROM users WHERE id = ?', args: [ userId ] });
+    queries.push({ query: 'DELETE FROM mailboxes WHERE ownerId=?', args: [ userId ] });

    database.transaction(queries, function (error, result) {
        if (error && error.code === 'ER_NO_REFERENCED_ROW_2') return callback(new DatabaseError(DatabaseError.NOT_FOUND, error));
@@ -216,19 +231,33 @@ function update(userId, user, callback) {
    }
    args.push(userId);

-    database.query('UPDATE users SET ' + fields.join(', ') + ' WHERE id = ?', args, function (error, result) {
+    var queries = [];
+    queries.push({ query: 'UPDATE users SET ' + fields.join(', ') + ' WHERE id = ?', args: args });
+    if (user.username) {
+        // delete old mailbox
+        queries.push({ query: 'DELETE FROM mailboxes WHERE ownerId = ? AND aliasTarget IS NULL', args: [ userId ] });
+        // add new mailbox
+        queries.push({
+            query: 'INSERT INTO mailboxes (name, ownerId, ownerType) VALUES (?, ?, ?)',
+            args: [ user.username, userId, mailboxdb.TYPE_USER ]
+        });
+    }
+
+    database.transaction(queries, function (error, result) {
        if (error && error.code === 'ER_DUP_ENTRY') {
            var msg = error.message;
            if (error.message.indexOf('users_email') !== -1) {
                msg = 'email already exists';
            } else if (error.message.indexOf('users_username') !== -1) {
                msg = 'username already exists';
+            } else {
+                msg = 'mailbox already exists';
            }

            return callback(new DatabaseError(DatabaseError.ALREADY_EXISTS, msg));
        }
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
-        if (result.affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
+        if (result[0].affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND)); // mailbox?

        return callback(null);
    });
@@ -0,0 +1,40 @@
+// !!!
+// This module is manually patched by us to not only report valid domains, but verify that subdomains are not accepted
+// !!!
+
+angular.module('ngTld', [])
+    .factory('ngTld', ngTld)
+    .directive('checkTld', checkTld);
+
+function ngTld() {
+    function tldExists($path) {
+        // https://github.com/oncletom/tld.js/issues/58
+        return ($path.$viewValue.slice(-1) !== '.') && $path.$viewValue === tld.getDomain($path.$viewValue);
+    }
+
+    function isSubdomain($path) {
+        return ($path.$viewValue.slice(-1) !== '.') && !!tld.getDomain($path.$viewValue) && $path.$viewValue !== tld.getDomain($path.$viewValue);
+    }
+
+    return {
+        tldExists: tldExists,
+        isSubdomain: isSubdomain
+    };
+}
+
+function checkTld(ngTld) {
+    return {
+        restrict: 'A',
+        require: 'ngModel',
+        link: function(scope, element, attr, ngModel) {
+            ngModel.$validators.invalidTld = function(modelValue, viewValue) {
+                return ngTld.tldExists(ngModel);
+            };
+
+            ngModel.$validators.invalidSubdomain = function(modelValue, viewValue) {
+                return !ngTld.isSubdomain(ngModel);
+            };
+        }
+    };
+}
+
--- a/Show More
+++ b/Show More