fix(open-xchange): Optimize Dovecot EE caches

Signed-off-by: Milton Moura (Nordeck) <milton.moura@nordeck.net>

.gitlab-ci.yml

@@ -762,7 +762,7 @@ import-default-accounts:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" && $NAMESPACE =~ /.+/ && $CREATE_DEFAULT_ACCOUNTS == "yes"
       when: "on_success"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/user-import:3.3.2"
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/user-import:3.4.1"
   script:
     - "echo \"Starting default account import for ${DOMAIN}\""
     - "cd /app"

README.md

@@ -41,7 +41,7 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/)                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/)                | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.4.1](https://www.openproject.org/docs/release-notes/16-4-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.5.1](https://www.openproject.org/docs/release-notes/16-5-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.5](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 

docs/architecture.md

@@ -449,4 +449,4 @@ While the IAM manages users centrally, some applications come with local account
 
 # Footnotes
 
-[^1]: We are working on a new approach to provision the OpenProject filestore, therefore the accounts are planned to be deactivated/removed with openDesk 1.2.
+[^1]: We are working on a new approach to provision the OpenProject filestore, therefore the accounts are planned to be deactivated/removed in the future.

docs/data-storage.md

@@ -67,9 +67,10 @@ XWiki,PersistentVolume,1
 # Details
 
 | Application          | Data Storage | Backup   | Content                                                                           | (Default) Identifier                           | Details                                                                                                   |
-|----------------------|--------------|----------|-----------------------------------------------------------------------------------|------------------------------------------------|-----------------------------------------------------------------------------------------------------------|
+| -------------------- | ------------ | -------- | --------------------------------------------------------------------------------- | ---------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
 | **ClamAV**           | PVC          | No       | ClamAV Database                                                                   | `clamav-database-clamav-simple-0`              | `/var/lib/clamav`                                                                                         |
 | **Dovecot**          | PVC          | Yes      | openDesk CE only: User mail directories                                           | `dovecot`                                      | `/srv/mail`                                                                                               |
+|                      | PVC          | No       | openDesk EE only: Metacache directory                                             | `var-lib-dovecot-dovecot-0`                    | `/var/lib/dovecot`                                                                                        |
 |                      | S3           | Yes      | openDesk EE only: User mail                                                       | `dovecot`                                      | `dovecot`                                                                                                 |
 |                      | Cassandra    | Yes      | openDesk EE only: Metadata and ACLs                                               | `dovecot_dictmap`, `dovecot_acl`               |                                                                                                           |
 | **Element/Synapse**  | PostgreSQL   | Yes      | Application's main database                                                       | `matrix`                                       |                                                                                                           |
@@ -105,8 +106,8 @@ XWiki,PersistentVolume,1
 |                      |              | Yes      | OX Guard related settings                                                         | `oxguard*`                                     |                                                                                                           |
 |                      | S3           | Yes      | Attachments of meetings, contacts and tasks                                       | `openxchange`                                  |                                                                                                           |
 |                      | Redis        | Optional | Cache, session related data, distributed maps                                     |                                                |                                                                                                           |
-|                      | PVC          | Yes      | OX Connector: OXAPI access details                                                | `ox-connector-appcenter-ox-connector-0`        | `/var/lib/univention-appcenter/apps/ox-connector`                                                         |
+|                      | PVC          | Optional | OX Connector: Caching of OX object data                                           | for backup        | `/var/lib/univention-appcenter/apps/ox-connector`                                                         |
-|                      |              | Yes      | OX Connector: Application's meta data                                             | `ox-connector-ox-contexts-ox-connector-0`      | `/etc/ox-secrets`                                                                                         |
+|                      |              | Yes      | OX Connector: OX SOAP API credentials                                             | `ox-connector-ox-contexts-ox-connector-0`      | `/etc/ox-secrets`                                                                                         |
 | **Postfix**          | PVC          | Yes      | Mail spool                                                                        | `postfix`                                      | `/var/spool/postfix`                                                                                      |
 | **XWiki**            | PostgreSQL   | Yes      | Application's main database                                                       | `xwiki`                                        |                                                                                                           |
 |                      | PVC          | Yes      | Attachments                                                                       | `xwiki-data-xwiki-0`                           | `/usr/local/xwiki/data`                                                                                   |

docs/migrations.md

@@ -10,6 +10,10 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [v1.8.0+](#v180)
+    * [Pre-upgrade to v1.8.0+](#pre-upgrade-to-v180)
+      * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases)
+      * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients)
   * [v1.7.1+](#v171)
     * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171)
       * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
@@ -137,6 +141,46 @@ If you would like more details about the automated migrations, please read secti
 
 # Manual checks/actions
 
+## v1.8.0+
+
+### Pre-upgrade to v1.8.0+
+
+#### Helmfile fix: Cassandra passwords read from `databases.*`
+
+**Target group:** All of the below must apply to your deployment:
+1. Enterprise Edition
+2. Using external Cassandra DB
+3. Defined the Cassandra passwords in `databases.*` (`database.yaml.gotmpl`) which got ignored until now
+4. Defined the Cassandra passwords then in `secrets.*` (`secrets.yaml.gotmpl`)
+
+The Cassandra passwords
+- `databases.dovecotDictmap.password`
+- `databases.dovecotACL.password`
+
+are no longer ignored. So please move the passwords from
+- `secrets.cassandra.dovecotDictmapUser`
+- `secrets.cassandra.dovecotACLUser`
+
+to the `databases.*` structure.
+
+#### Helmfile new feature: `functional.groupware.externalClients.*`
+
+**Target group:**
+Deployments that allow access to groupware emails via external mail clients (e.g. Thunderbird) using IMAP and SMTP.
+
+OX App Suite can display a dialog with configuration details for connecting external mail clients. In previous versions,
+this dialog was automatically enabled when Dovecot was deployed with a service type of `NodePort` or `LoadBalancer`.
+
+From now on, the dialog can be explicitly controlled via the setting
+`functional.groupware.externalClients.enabledOnboardingInfo`, which is set to `false` by default.
+If you want your users to see this dialog, set the attribute to `true`.
+
+Additionally, it is now possible to explicitly define the hostnames shown in the client onboarding dialog using the following values:
+- `functional.groupware.externalClients.fqdnImap`
+- `functional.groupware.externalClients.fqdnSmtp`
+
+If these values are not explicitly set, openDesk will use `.Values.global.domain` as in previous releases.
+
 ## v1.7.1+
 
 ### Pre-upgrade to v1.7.1+

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -25,6 +25,14 @@ configuration:
       address:
         per_second: 2
         burst_count: 12
+    # Set higher limits for messages and media due to non-chat Matrix apps and widgets (such as NeoBoard)
+    # https://github.com/nordeck/matrix-neoboard/blob/main/docs/configuration.md#rate-limiting-settings
+    rc_message:
+      per_second: 5
+      burst_count: 25
+    rc_media_create:
+      per_second: 20
+      burst_count: 100
 
   database:
     host: {{ .Values.databases.synapse.host | quote }}

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -1325,6 +1325,7 @@ nubusStackDataUms:
     portalLinkSupport: {{ .Values.functional.portal.linkSupport | quote }}
     portalLinkFeedback: {{ .Values.functional.portal.linkFeedback | quote }}
     oxDefaultContext: "1"
+    oxDefaultLanguage: {{ .Values.functional.internationalization.defaultLanguage | quote }}
     oxContextHidden: true
     oxSystemUserPassword: {{ .Values.secrets.nubus.ldapSearch.ox }}
     portalOxLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -23,7 +23,7 @@ dovecot:
     port: {{ .Values.databases.dovecotDictmap.port }}
     username: {{ .Values.databases.dovecotDictmap.username | quote }}
     password:
-      value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+      value: {{ .Values.databases.dovecotDictmap.password | default .Values.secrets.cassandra.dovecotDictmapUser | quote }}
     keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
   sharedMailboxes:
     enabled: true
@@ -31,15 +31,18 @@ dovecot:
     port: {{ .Values.databases.dovecotACL.port }}
     username: {{ .Values.databases.dovecotACL.username | quote }}
     password:
-      value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+      value: {{ .Values.databases.dovecotACL.password | default .Values.secrets.cassandra.dovecotACLUser | quote }}
     keyspace: {{ .Values.databases.dovecotACL.name | quote }}
   objectStorage:
     bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
+    cacheTmpfs: {{ if .Values.technical.dovecot.objectStorage.cacheTmpfs }}true{{ else }}false{{ end }}
     encryption:
       privateKey:
         value: {{ requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
       publicKey:
         value: {{ requiredEnv "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+    fsCacheSize: {{ .Values.technical.dovecot.objectStorage.fsCacheSize | quote }}
+    ftsCacheSize: {{ .Values.technical.dovecot.objectStorage.ftsCacheSize | quote }}
     fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     username: {{ .Values.objectstores.dovecot.username | quote }}
     password:

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -256,6 +256,10 @@ appsuite:
               open-xchange-authentication-masterpassword: "enabled"
           properties:
             com.openexchange.calendar.allowOrganizerPartStatChanges: "true"
+            # Mailfilter
+            com.openexchange.mail.filter.passwordSource: global
+            com.openexchange.mail.filter.masterPassword:  {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+            com.openexchange.mail.filter.preferredSaslMech: ""
           propertiesFiles:
             /opt/open-xchange/etc/masterpassword-authentication.properties:
               com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
@@ -393,6 +397,9 @@ appsuite:
       com.openexchange.share.guestHostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
       com.openexchange.UIWebPath: "/appsuite/"
       com.openexchange.showAdmin: "false"
+      # Various Mail settings
+      com.openexchange.mail.deleteDraftOnTransport: "true"
+      com.openexchange.capability.document_preview_xrechnung: "true"
       # PDF Export
       com.openexchange.capability.mail_export_pdf: "true"
       com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
@@ -449,6 +456,11 @@ appsuite:
       com.openexchange.mail.login.resolver.ldap.contextNameAttribute: "oxContextIDNum"
       com.openexchange.mail.login.resolver.ldap.entitySearchFilter: "(&(oxContextIDNum=[cid])(uid=[uname]))"
       com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: "entryUUID"
+      # Contacts collector
+      # Ref.: https://documentation.open-xchange.com/components/middleware/config/8/#mode=search&term=contactCollect
+      com.openexchange.contactcollector.enabled: "true"
+      com.openexchange.user.contactCollectOnMailTransport: "true"
+      com.openexchange.user.contactCollectOnMailAccess: "false"
       # Requirements for OX Connector
       com.openexchange.user.enforceUniqueDisplayName: "false"
       com.openexchange.folderstorage.database.preferDisplayName: "false"
@@ -549,19 +561,16 @@ appsuite:
       # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
       com.openexchange.smime.test: {{ .Values.debug.enabled | quote }}
       {{- end }}
-      {{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
       # Client Onboarding
-      com.openexchange.client.onboarding.mail.imap.host: {{ .Values.global.domain | quote }}
+      com.openexchange.client.onboarding.enabled: {{ .Values.functional.groupware.externalClients.enabledOnboardingInfo | quote }}
+      com.openexchange.client.onboarding.mail.imap.host: {{ default .Values.global.domain .Values.functional.groupware.externalClients.fqdnImap | quote }}
       com.openexchange.client.onboarding.mail.imap.port: "993"
       com.openexchange.client.onboarding.mail.imap.secure: "true"
       com.openexchange.client.onboarding.mail.imap.requireTls: "false"
-      com.openexchange.client.onboarding.mail.smtp.host: {{ .Values.global.domain | quote }}
+      com.openexchange.client.onboarding.mail.smtp.host: {{ default .Values.global.domain .Values.functional.groupware.externalClients.fqdnSmtp | quote }}
       com.openexchange.client.onboarding.mail.smtp.port: "587"
       com.openexchange.client.onboarding.mail.smtp.secure: "false"
       com.openexchange.client.onboarding.mail.smtp.requireTls: "true"
-      {{- else }}
-      com.openexchange.client.onboarding.enabled: "false"
-      {{- end }}
       # DAV
       {{- if .Values.functional.groupware.davSupport.enabled }}
       com.openexchange.caldav.enabled: "true"
@@ -678,9 +687,6 @@ appsuite:
       io.ox/core//coloredIcons: "false"
       # Mail templates
       io.ox/core//features/templates: "true"
-      # Contact Collector
-      io.ox/mail//contactCollectOnMailTransport: "true"
-      # io.ox/mail//contactCollectOnMailAccess: "true"
       # Dynamic theme
       io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
       io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"

helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl

@@ -45,7 +45,7 @@ oxConnector:
   oxDefaultContext: "1"
   oxImapServer: "imap://127.0.0.1:143"
   oxLocalTimezone: "Europe/Berlin"
-  oxLanguage: "de_DE"
+  oxLanguage: {{ .Values.functional.internationalization.defaultLanguage | quote }}
   oxMasterAdmin: "admin"
   oxMasterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
   oxSmtpServer: "smtp://127.0.0.1:587"

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -184,9 +184,9 @@ properties:
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": {{ .Values.functional.internationalization.defaultLanguage | quote }}
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": {{ .Values.functional.internationalization.defaultLanguage | quote }}
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -6,7 +6,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
     name: "dovecot"
-    version: "3.2.0-authcache"
+    version: "3.2.3"
     verify: true
   oxAppSuite:
     registry: "registry.opencode.de"

helmfile/environments/default/charts.yaml.gotmpl

@@ -169,7 +169,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neoboard-widget"
-    version: "3.5.1"
+    version: "3.5.2"
     verify: true
   matrixNeochoiceWidget:
     # providerCategory: "Platform"
@@ -179,7 +179,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neochoice-widget"
-    version: "3.5.1"
+    version: "3.5.2"
     verify: true
   matrixNeodatefixBot:
     # providerCategory: "Platform"
@@ -189,7 +189,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-bot"
-    version: "3.5.1"
+    version: "3.5.2"
     verify: true
   matrixNeodatefixWidget:
     # providerCategory: "Platform"
@@ -199,7 +199,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-widget"
-    version: "3.5.1"
+    version: "3.5.2"
     verify: true
   matrixUserVerificationService:
     # providerCategory: "Platform"

helmfile/environments/default/functional.yaml.gotmpl

@@ -105,6 +105,16 @@ functional:
         # If the LDAP entryUUID should be used for the localpart of user's Matrix IDs following setting must be `true`.
         useImmutableIdentifierForLocalpart: false
 
+  dataProtection:
+    matrixPresence:
+      # Enable to allow information about the user presence status to be shared.
+      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
+      enabled: false
+    jitsiRoomHistory:
+      # Disable to avoid the room history to be stored in the user's browser local storage.
+      # Ref.: https://github.com/jitsi/docker-jitsi-meet/issues/898
+      enabled: true
+
   externalServices:
     nubus:
       udmRestApi:
@@ -117,16 +127,6 @@ functional:
         # List of matrix homeserver domains you want to allow federation with
         domainAllowList: []
 
-  dataProtection:
-    matrixPresence:
-      # Enable to allow information about the user presence status to be shared.
-      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
-      enabled: false
-    jitsiRoomHistory:
-      # Disable to avoid the room history to be stored in the user's browser local storage.
-      # Ref.: https://github.com/jitsi/docker-jitsi-meet/issues/898
-      enabled: true
-
   filestore:
     # Settings related to directory and filenames
     naming:
@@ -200,10 +200,24 @@ functional:
     # Related settings for the CalDAV and CardCAV support of the groupware module.
     davSupport:
       # Enabled by default CalDAV and CardDAV support is available at:
-      # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/caldav/[folderId]"
+      # - `https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/caldav/[folderId]`
-      # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/carddav/[folderId]"
+      # - `https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/carddav/[folderId]`
       # Can be switched off using the below feature toggle.
       enabled: true
+    # Setting related to external clients using SMTP/IMAP protocols (like Thunderbird)
+    externalClients:
+      # To fully support external mail clients in your openDesk deployment you need to ensure they can
+      # access the IMAP and SMTP services. Either on <.Values.global.domain> or on the FQDNs defined
+      # below.
+      # How to achive this depends on what service types you are using in your deployment. These service
+      # types can be set explicitly for IMAP (Dovecot) and SMTP (Postfix) using `service.yaml.gotmpl` and
+      # how these services, especially when using type `LoadBalancer`, behave in your setup.
+      # Toggle the client onboarding info dialog in the groupware module.
+      enabledOnboardingInfo: false
+      # Set the FQDN of the IMAP endpoint if none is provided `<.Values.global.domain>` is used.
+      fqdnImap: ~
+      # Set the FQDN of the SMTP endpoint if none is provided `<.Values.global.domain>` is used.
+      fqdnSmtp: ~
     # Control access for external users to groupware data
     # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html
     externalSharing:
@@ -251,6 +265,18 @@ functional:
       # Ref.: https://documentation.open-xchange.com/8/ui/configuration/settings-list-of.html#mail-misc
       editRealName: false
 
+  internationalization:
+    # Most openDesk applications render their user interface in the language the user's browser is set to. But there
+    # are exceptions that can be controlled by the following setting.
+    # Beside the `de_DE` default `en_GB` has been tested.
+    # - OX App Suite: Users can set their preferred language in the App Suite's UI by navigating to
+    #   "All settings" > "General" > "Language & Time zone" > "Language", though the default language for the first
+    #   login will be set globally based on the setting below.
+    # - XWiki: The UI language of XWiki is set automatically by the language the wiki content is provided in. As XWiki
+    #   does not autodetect that content language, it has to be predefined by the setting below.
+    #   Note: For multi-language XWiki setups a customization is required for now.
+    defaultLanguage: "de_DE"
+
   migration:
     oxAppSuite:
       # Note: Only available in openDesk Enterprise.

helmfile/environments/default/images.yaml.gotmpl

@@ -354,7 +354,7 @@ images:
     # upstreamRepository: "lasuite/impress-backend"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.11.0-docs-v3.4.0-backend@sha256:a07acb86ee260fd9242c4173a01c67c36552d149a2af91220348bdb588c19bf5"
+    tag: "1.12.1-docs-v3.4.0-backend@sha256:9d611d924056bd945499ef038ee7ac4c7a1196adfe0fc464d600d163dc42291a"
   notesFrontend:
     # providerCategory: "Supplier"
     # providerResponsible: "DINUM"
@@ -362,7 +362,7 @@ images:
     # upstreamRepository: "lasuite/impress-frontend"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.11.0-docs-v3.4.0-frontend@sha256:e7316700442455419ebb2e37fe2ae246bb90a7d09ad30477df608b5eb6089095"
+    tag: "1.12.1-docs-v3.4.0-frontend@sha256:51cb96a97dd5668366d9f664977cbb869e4a59499bf30bc1766528dd41843ac7"
   notesYProvider:
     # providerCategory: "Supplier"
     # providerResponsible: "DINUM"
@@ -370,7 +370,7 @@ images:
     # upstreamRepository: "lasuite/impress-y-provider"
     registry: "registry-1.docker.io"
     repository: "lasuite/impress-y-provider"
-    tag: "v3.2.1@sha256:9dd7068336c02fe71806bc3576e7dc8636d7ccb139667c6303f0753e18d3ab7e"
+    tag: "v3.4.0@sha256:fce38ca22cdc80c06803ded6f7147b6d1df22dd21f58ef834adef1d3aa83d667"
   nubusBlocklistCleanup:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -560,7 +560,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.15.0@sha256:5ffb3106bf896a215fd7ae5d6646f19b50f0e46c11561d763938479d95aaa807"
+    tag: "1.15.1@sha256:e9c46d93abe6d7a8abcd2dc5cd38f178cd3b78f971f81b34fa5bd27270604db8"
   nubusOpendeskExtensionA2gMapper:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -762,7 +762,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "16.4.1@sha256:b80443fc9fe1bf9ed475897316208b394cca4e730ae8ca34944373245cc0a4f5"
+    tag: "16.5.1@sha256:0e29ae9fcee825b76d62e10e374c10ad40da20ba9c0e584839645bb68e6167bf"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"

helmfile/environments/default/persistence.yaml.gotmpl

@@ -16,6 +16,8 @@ persistence:
       size: "1Gi"
       storageClassName: ~
     dovecot:
+      # With Dovecot CE this is used for the mail storage.
+      # Dovecot Pro (EE) uses this storage for the metacache,
       size: "1Gi"
       storageClassName: ~
     mariadb:

helmfile/environments/default/technical.yaml.gotmpl

@@ -6,6 +6,17 @@ technical:
   collabora:
     # Defines the value for the start parameter `-o:num_prespawn_children`
     numPrespawnChildren: 4
+  # Dovecot EE related settings
+  dovecot:
+    objectStorage:
+      # Size of objectstore fs cache
+      fsCacheSize: "2G"
+      # Size of fts cache
+      ftsCacheSize: "2G"
+      # Wether fs and fts cache should reside in RAM (tmpfs) or not
+      # If this value is true, the cache sizes of the fs cache + fts cache
+      # must be considered additionally to Dovecot's memory footprint.
+      cacheTmpfs: false
   # Groupware related technical settings
   oxAppSuite:
     provisioning: