set empty auth mechanism explicitly

.gitlab/issue_templates/Default.md

@@ -1,59 +0,0 @@
-## 🐛 Issue Report Template
-
-Thank you for reporting an issue!
-Please provide the details below to help us investigate and resolve it efficiently.
-If you have a feature request, please select the "Feature Request" template.
-
-### 📦 Deployment Details
-- **Release version deployed**:
-  _(e.g. v1.4.2, commit hash, or branch name)_
-
-- **Deployment type**:
-  - [ ] Fresh installation
-  - [ ] Upgrade (from version: ___ )
-
-### ☸️ Kubernetes Environment
-- **Kubernetes distribution** (select one):
-  - [ ] Rancher RKE / RKE2
-  - [ ] OpenShift
-  - [ ] k3s
-  - [ ] kind / minikube
-  - [ ] Other: ___________
-
-- **Kubernetes version**:
-  _(e.g. v1.27.3)_
-
-### 🌐 Ingress & Certificates
-- **Ingress controller in use**:
-  - [ ] Ingress NGINX Controller version: ___
-  - [ ] Other: Currently only Ingress NGINX is supported
-
-- **Certificate status**:
-  - [ ] Let’s Encrypt
-  - [ ] Other publicly verifiable certificate (issuer: ___ )
-  - [ ] Self-signed certificate (see [`self-signed-certificated.md`](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/docs/enhanced-configuration/self-signed-certificates.md))
-    - [ ] Option 1
-    - [ ] Option 2a
-    - [ ] Option 2b
-
-### 🔧 Tooling Versions
-- **Helm version (`helm version`)**: ___________
-- **Helmfile version (`helmfile --version`)**: ___________
-
-### 🔍 Problem Description
-- **Expected behavior**:
-
-- **Observed behavior / error message**:
-
-- **Steps to reproduce**:
-  1.
-  2.
-  3.
-
-### 📄 Additional context
-
-- Relevant logs (please redact sensitive info):
-- Screenshots (if applicable):
-- Other notes that might help:
-
-## 🙌 Thank you for contributing to the project!

.gitlab/issue_templates/Feature_Request.md

@@ -1,37 +0,0 @@
-## 💡 Feature Request Template
-
-Thank you for suggesting an improvement!
-To help us understand and evaluate your idea, please provide the details below.
-
-### 📝 Summary
-
-- **Short description of the feature**:
-  _(One or two sentences that capture the core idea)_
-
-### 🎯 Use Case / Motivation
-
-- **Who would benefit from this feature?**
-  - [ ] Operators / Administrators
-  - [ ] Developers
-  - [ ] End users
-  - [ ] Other: ___________
-
-- **Why is this feature needed?**
-  _(Describe the problem, pain point, or gap this would address)_
-
-### 🔧 Proposed Solution
-
-- **How should it work?**
-  _(Describe the desired functionality. If relevant, provide examples, CLI flags, configuration snippets, or workflows.)_
-
-### 📊 Alternatives Considered
-
-- **Other approaches you’ve tried or thought of**:
-  _(What’s possible now, and why is it not sufficient?)_
-
-### 📄 Additional Context
-
-- Links to related issues, merge requests, or external references:
-- Screenshots, diagrams, or mockups (if available):
-
-## 🙌 Thank you for helping improve the project!

README.md

@@ -43,7 +43,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.4.1](https://www.openproject.org/docs/release-notes/16-4-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.5](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.4](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 
 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

REUSE.toml

@@ -37,8 +37,3 @@ SPDX-License-Identifier = "CC-BY-SA-4.0"
 path = ".gitlab/merge_request_templates/*.md"
 SPDX-FileCopyrightText = "2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
 SPDX-License-Identifier = "Apache-2.0"
-
-[[annotations]]
-path = ".gitlab/issue_templates/*.md"
-SPDX-FileCopyrightText = "2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
-SPDX-License-Identifier = "Apache-2.0"

docs/debugging.md

@@ -168,7 +168,7 @@ While you will find all the details for the CLI tool in the [MariaDB documentati
 
 ## Nextcloud
 
-`occ` is the CLI for Nextcloud; all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/stable/admin_manual/occ_command.html).
+`occ` is the CLI for Nextcloud; all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
 
 You can run occ commands in the `opendesk-nextcloud-aio` pod like this: `php /var/www/html/occ config:list`
 

docs/developer/development.md

@@ -108,9 +108,9 @@ If you follow the "push early, push often" paradigm to save your work to the cen
 existing documentation, you can avoid the CI and its linting being executed, as it might not offer additional value.
 
 GitLab offers two options to skip the CI on a commit/push:
-1. Add `[ci skip]` to your commit message ([details](https://docs.gitlab.com/ee/ci/pipelines/#skip-a-pipeline)).
+- Add `[ci skip]` to your commit message ([details](https://docs.gitlab.com/ee/ci/pipelines/#skip-a-pipeline)).
 **Note:** The string has to be removed before merging your feature branch into `develop`.
-2. Use the related git push option `git push -o ci.skip` ([details](https://docs.gitlab.com/topics/git/commit/#push-options)).
+- Use the related git push option `git push -o ci.skip` ([details](https://docs.gitlab.com/ee/user/project/push_options.html#push-options-for-gitlab-cicd)).
 
 ## Renovate
 

docs/requirements.md

@@ -139,6 +139,6 @@ Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare
 
 [^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm 3.18.0 is not supported.
 
-[^2]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
+[^2]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail.
 
 [^3]: Required for Dovecot Pro as part of openDesk Enterprise Edition.

helmfile/apps/notes/values.yaml.gotmpl

@@ -149,7 +149,7 @@ backend:
       subPath: "theme.json"
     {{- if .Values.certificate.selfSigned }}
     - name: "trusted-cert-secret-volume"
-      mountPath: "/usr/local/lib/python3.13/site-packages/certifi/cacert.pem"
+      mountPath: "/usr/local/lib/python3.12/site-packages/certifi/cacert.pem"
       subPath: "ca-certificates.crt"
     {{- end }}
 

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -256,6 +256,10 @@ appsuite:
               open-xchange-authentication-masterpassword: "enabled"
           properties:
             com.openexchange.calendar.allowOrganizerPartStatChanges: "true"
+            # Mailfilter
+            com.openexchange.mail.filter.passwordSource: global
+            com.openexchange.mail.filter.masterPassword:  {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+            com.openexchange.mail.filter.preferredSaslMech: ""
           propertiesFiles:
             /opt/open-xchange/etc/masterpassword-authentication.properties:
               com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}

helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl

@@ -49,11 +49,11 @@ oxConnector:
   oxMasterAdmin: "admin"
   oxMasterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
   oxSmtpServer: "smtp://127.0.0.1:587"
-  oxSoapServer: {{ printf "http://%s.%s.svc.%s" "open-xchange-core-mw-admin" (.Values.apps.oxAppSuite.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  oxSoapServer: "http://open-xchange-core-mw-admin"
 
 provisioningApi:
   connection:
-    baseUrl: {{ printf "http://%s.%s.svc.%s" "ums-provisioning-api" (.Values.apps.nubus.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    baseUrl: "http://ums-provisioning-api"
   auth:
     username: "ox-connector"
     password: {{ .Values.secrets.oxConnector.provisioningApiPassword | quote }}

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -63,9 +63,10 @@ postfix:
         value: {{ .Values.smtp.username }}
       password:
         value: {{ .Values.smtp.password }}
-  smtpSASLAuthEnable: "yes"
   {{- end }}
   allowRelayNets: false
+  smtpSASLAuthEnable: "yes"
+  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
   smtpTLSSecurityLevel: "encrypt"
   smtpdSASLAuthEnable: "yes"
   smtpdSASLSecurityOptions: "noanonymous"

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -68,13 +68,14 @@ postfix:
         value: {{ .Values.smtp.username }}
       password:
         value: {{ .Values.smtp.password }}
-  smtpSASLAuthEnable: "yes"
   {{- end }}
   # Warning: This setting allows unauthenticated mail relay from relayNets!
   allowRelayNets: true
   relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
   minTLSVersion: "TLSv1.2"
   smtpdTLSMandatoryCiphers: "medium"
+  smtpSASLAuthEnable: "yes"
+  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
   smtpTLSSecurityLevel: "encrypt"
   smtpdSASLAuthEnable: "yes"
   smtpdSASLSecurityOptions: "noanonymous"

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -5,7 +5,7 @@ images:
   collabora:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.5.3.1@sha256:d22407cd3bd83dd832f986a697d81c1a4642f55129c76a5a20e637274ce7bf62"
+    tag: "25.04.4.3.1@sha256:b0b5fa9b061df1e8473dff9bb2cf295ab41bd7b35a78b785de518883b07e97c2"
   dovecot:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"

helmfile/environments/default/charts.yaml.gotmpl

@@ -437,7 +437,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "5.0.1"
+    version: "5.0.0"
     verify: true
   postgresql:
     # providerCategory: "Platform"

helmfile/environments/default/images.yaml.gotmpl

@@ -50,7 +50,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.5.3.1@sha256:0e1ccf43308121c657936510de27244057c3826777a491495a0f7e55a196bc59"
+    tag: "25.04.4.3.1@sha256:2ba934fb0dc18965bfaf19151017205b0a85af8b069bc34c994a8eae0b4bee34"
   collaboraController:
     # Enterprise Component
     # providerCategory: "Supplier"
@@ -330,7 +330,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.10.13-boekhorst-images@sha256:4845421d10effe2e152021c7b8002dcf9a852c501be576eb38633e10f5a763d8"
+    tag: "2.10.12@sha256:8a4cd73fdceb1da2c58a22a85d605eba575a2b1487e3927ab1971c9f1120549a"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"

helmfile/files/theme/files/favicon.svg

@@ -1,5 +1,5 @@
-<svg width="16" height="16" version="1.1" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
- <rect width="16" height="16" rx="2.9091" fill="#fff" stroke-width="32"/>
- <path d="m3.4286 6.3013h7.9334c0.62528 0 1.1338 0.50853 1.1338 1.1338v3.3997c0 0.62528-0.50853 1.1338-1.1338 1.1338h-6.7997c-0.62525 0-1.1338-0.50853-1.1338-1.1338z" fill="#571efa"/>
- <path d="m7.281 5.1675h-3.8525v-0.67966c0-0.62687 0.50694-1.1338 1.1338-1.1338h1.8135l0.90675 1.8135z" fill="#341291"/>
+<svg width="111" height="111" viewBox="0 0 111 111" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="0.5" y="0.5" width="110" height="110" rx="20" fill="white"/>
+<path d="M24.0718 43.8214H78.6146C82.9134 43.8214 86.4096 47.3176 86.4096 51.6164V74.9903C86.4096 79.2891 82.9134 82.7852 78.6146 82.7852H31.8667C27.568 82.7852 24.0718 79.2891 24.0718 74.9903V43.8214Z" fill="#571EFA"/>
+<path d="M50.5571 36.0266H24.0718V31.354C24.0718 27.0442 27.557 23.559 31.8667 23.559H44.3343L50.5681 36.0266H50.5571Z" fill="#341291"/>
 </svg>