fix(open-xchange): Optimize Dovecot EE caches

Signed-off-by: Milton Moura (Nordeck) <milton.moura@nordeck.net>

.gitlab-ci.yml

@@ -762,7 +762,7 @@ import-default-accounts:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" && $NAMESPACE =~ /.+/ && $CREATE_DEFAULT_ACCOUNTS == "yes"
       when: "on_success"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/user-import:3.3.2"
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/user-import:3.4.1"
   script:
     - "echo \"Starting default account import for ${DOMAIN}\""
     - "cd /app"

.gitlab/issue_templates/Default.md

@@ -0,0 +1,59 @@
+## 🐛 Issue Report Template
+
+Thank you for reporting an issue!
+Please provide the details below to help us investigate and resolve it efficiently.
+If you have a feature request, please select the "Feature Request" template.
+
+### 📦 Deployment Details
+- **Release version deployed**:
+  _(e.g. v1.4.2, commit hash, or branch name)_
+
+- **Deployment type**:
+  - [ ] Fresh installation
+  - [ ] Upgrade (from version: ___ )
+
+### ☸️ Kubernetes Environment
+- **Kubernetes distribution** (select one):
+  - [ ] Rancher RKE / RKE2
+  - [ ] OpenShift
+  - [ ] k3s
+  - [ ] kind / minikube
+  - [ ] Other: ___________
+
+- **Kubernetes version**:
+  _(e.g. v1.27.3)_
+
+### 🌐 Ingress & Certificates
+- **Ingress controller in use**:
+  - [ ] Ingress NGINX Controller version: ___
+  - [ ] Other: Currently only Ingress NGINX is supported
+
+- **Certificate status**:
+  - [ ] Let’s Encrypt
+  - [ ] Other publicly verifiable certificate (issuer: ___ )
+  - [ ] Self-signed certificate (see [`self-signed-certificated.md`](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/docs/enhanced-configuration/self-signed-certificates.md))
+    - [ ] Option 1
+    - [ ] Option 2a
+    - [ ] Option 2b
+
+### 🔧 Tooling Versions
+- **Helm version (`helm version`)**: ___________
+- **Helmfile version (`helmfile --version`)**: ___________
+
+### 🔍 Problem Description
+- **Expected behavior**:
+
+- **Observed behavior / error message**:
+
+- **Steps to reproduce**:
+  1.
+  2.
+  3.
+
+### 📄 Additional context
+
+- Relevant logs (please redact sensitive info):
+- Screenshots (if applicable):
+- Other notes that might help:
+
+## 🙌 Thank you for contributing to the project!

.gitlab/issue_templates/Feature_Request.md

@@ -0,0 +1,37 @@
+## 💡 Feature Request Template
+
+Thank you for suggesting an improvement!
+To help us understand and evaluate your idea, please provide the details below.
+
+### 📝 Summary
+
+- **Short description of the feature**:
+  _(One or two sentences that capture the core idea)_
+
+### 🎯 Use Case / Motivation
+
+- **Who would benefit from this feature?**
+  - [ ] Operators / Administrators
+  - [ ] Developers
+  - [ ] End users
+  - [ ] Other: ___________
+
+- **Why is this feature needed?**
+  _(Describe the problem, pain point, or gap this would address)_
+
+### 🔧 Proposed Solution
+
+- **How should it work?**
+  _(Describe the desired functionality. If relevant, provide examples, CLI flags, configuration snippets, or workflows.)_
+
+### 📊 Alternatives Considered
+
+- **Other approaches you’ve tried or thought of**:
+  _(What’s possible now, and why is it not sufficient?)_
+
+### 📄 Additional Context
+
+- Links to related issues, merge requests, or external references:
+- Screenshots, diagrams, or mockups (if available):
+
+## 🙌 Thank you for helping improve the project!

README.md

@@ -41,9 +41,9 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/)                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/)                | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.4.1](https://www.openproject.org/docs/release-notes/16-4-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.5.1](https://www.openproject.org/docs/release-notes/16-5-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.4](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.5](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 
 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

REUSE.toml

@@ -37,3 +37,8 @@ SPDX-License-Identifier = "CC-BY-SA-4.0"
 path = ".gitlab/merge_request_templates/*.md"
 SPDX-FileCopyrightText = "2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
 SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = ".gitlab/issue_templates/*.md"
+SPDX-FileCopyrightText = "2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
+SPDX-License-Identifier = "Apache-2.0"

docs/architecture.md

@@ -449,4 +449,4 @@ While the IAM manages users centrally, some applications come with local account
 
 # Footnotes
 
-[^1]: We are working on a new approach to provision the OpenProject filestore, therefore the accounts are planned to be deactivated/removed with openDesk 1.2.
+[^1]: We are working on a new approach to provision the OpenProject filestore, therefore the accounts are planned to be deactivated/removed in the future.

docs/data-storage.md

@@ -67,9 +67,10 @@ XWiki,PersistentVolume,1
 # Details
 
 | Application          | Data Storage | Backup   | Content                                                                           | (Default) Identifier                           | Details                                                                                                   |
-|----------------------|--------------|----------|-----------------------------------------------------------------------------------|------------------------------------------------|-----------------------------------------------------------------------------------------------------------|
+| -------------------- | ------------ | -------- | --------------------------------------------------------------------------------- | ---------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
 | **ClamAV**           | PVC          | No       | ClamAV Database                                                                   | `clamav-database-clamav-simple-0`              | `/var/lib/clamav`                                                                                         |
 | **Dovecot**          | PVC          | Yes      | openDesk CE only: User mail directories                                           | `dovecot`                                      | `/srv/mail`                                                                                               |
+|                      | PVC          | No       | openDesk EE only: Metacache directory                                             | `var-lib-dovecot-dovecot-0`                    | `/var/lib/dovecot`                                                                                        |
 |                      | S3           | Yes      | openDesk EE only: User mail                                                       | `dovecot`                                      | `dovecot`                                                                                                 |
 |                      | Cassandra    | Yes      | openDesk EE only: Metadata and ACLs                                               | `dovecot_dictmap`, `dovecot_acl`               |                                                                                                           |
 | **Element/Synapse**  | PostgreSQL   | Yes      | Application's main database                                                       | `matrix`                                       |                                                                                                           |
@@ -105,8 +106,8 @@ XWiki,PersistentVolume,1
 |                      |              | Yes      | OX Guard related settings                                                         | `oxguard*`                                     |                                                                                                           |
 |                      | S3           | Yes      | Attachments of meetings, contacts and tasks                                       | `openxchange`                                  |                                                                                                           |
 |                      | Redis        | Optional | Cache, session related data, distributed maps                                     |                                                |                                                                                                           |
-|                      | PVC          | Yes      | OX Connector: OXAPI access details                                                | `ox-connector-appcenter-ox-connector-0`        | `/var/lib/univention-appcenter/apps/ox-connector`                                                         |
-|                      |              | Yes      | OX Connector: Application's meta data                                             | `ox-connector-ox-contexts-ox-connector-0`      | `/etc/ox-secrets`                                                                                         |
+|                      | PVC          | Optional | OX Connector: Caching of OX object data                                           | for backup        | `/var/lib/univention-appcenter/apps/ox-connector`                                                         |
+|                      |              | Yes      | OX Connector: OX SOAP API credentials                                             | `ox-connector-ox-contexts-ox-connector-0`      | `/etc/ox-secrets`                                                                                         |
 | **Postfix**          | PVC          | Yes      | Mail spool                                                                        | `postfix`                                      | `/var/spool/postfix`                                                                                      |
 | **XWiki**            | PostgreSQL   | Yes      | Application's main database                                                       | `xwiki`                                        |                                                                                                           |
 |                      | PVC          | Yes      | Attachments                                                                       | `xwiki-data-xwiki-0`                           | `/usr/local/xwiki/data`                                                                                   |

docs/debugging.md

@@ -168,7 +168,7 @@ While you will find all the details for the CLI tool in the [MariaDB documentati
 
 ## Nextcloud
 
-`occ` is the CLI for Nextcloud; all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
+`occ` is the CLI for Nextcloud; all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/stable/admin_manual/occ_command.html).
 
 You can run occ commands in the `opendesk-nextcloud-aio` pod like this: `php /var/www/html/occ config:list`
 

docs/developer/development.md

@@ -108,9 +108,9 @@ If you follow the "push early, push often" paradigm to save your work to the cen
 existing documentation, you can avoid the CI and its linting being executed, as it might not offer additional value.
 
 GitLab offers two options to skip the CI on a commit/push:
-- Add `[ci skip]` to your commit message ([details](https://docs.gitlab.com/ee/ci/pipelines/#skip-a-pipeline)).
+1. Add `[ci skip]` to your commit message ([details](https://docs.gitlab.com/ee/ci/pipelines/#skip-a-pipeline)).
 **Note:** The string has to be removed before merging your feature branch into `develop`.
-- Use the related git push option `git push -o ci.skip` ([details](https://docs.gitlab.com/ee/user/project/push_options.html#push-options-for-gitlab-cicd)).
+2. Use the related git push option `git push -o ci.skip` ([details](https://docs.gitlab.com/topics/git/commit/#push-options)).
 
 ## Renovate
 

docs/migrations.md

@@ -10,6 +10,10 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [v1.8.0+](#v180)
+    * [Pre-upgrade to v1.8.0+](#pre-upgrade-to-v180)
+      * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases)
+      * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients)
   * [v1.7.1+](#v171)
     * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171)
       * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
@@ -137,6 +141,46 @@ If you would like more details about the automated migrations, please read secti
 
 # Manual checks/actions
 
+## v1.8.0+
+
+### Pre-upgrade to v1.8.0+
+
+#### Helmfile fix: Cassandra passwords read from `databases.*`
+
+**Target group:** All of the below must apply to your deployment:
+1. Enterprise Edition
+2. Using external Cassandra DB
+3. Defined the Cassandra passwords in `databases.*` (`database.yaml.gotmpl`) which got ignored until now
+4. Defined the Cassandra passwords then in `secrets.*` (`secrets.yaml.gotmpl`)
+
+The Cassandra passwords
+- `databases.dovecotDictmap.password`
+- `databases.dovecotACL.password`
+
+are no longer ignored. So please move the passwords from
+- `secrets.cassandra.dovecotDictmapUser`
+- `secrets.cassandra.dovecotACLUser`
+
+to the `databases.*` structure.
+
+#### Helmfile new feature: `functional.groupware.externalClients.*`
+
+**Target group:**
+Deployments that allow access to groupware emails via external mail clients (e.g. Thunderbird) using IMAP and SMTP.
+
+OX App Suite can display a dialog with configuration details for connecting external mail clients. In previous versions,
+this dialog was automatically enabled when Dovecot was deployed with a service type of `NodePort` or `LoadBalancer`.
+
+From now on, the dialog can be explicitly controlled via the setting
+`functional.groupware.externalClients.enabledOnboardingInfo`, which is set to `false` by default.
+If you want your users to see this dialog, set the attribute to `true`.
+
+Additionally, it is now possible to explicitly define the hostnames shown in the client onboarding dialog using the following values:
+- `functional.groupware.externalClients.fqdnImap`
+- `functional.groupware.externalClients.fqdnSmtp`
+
+If these values are not explicitly set, openDesk will use `.Values.global.domain` as in previous releases.
+
 ## v1.7.1+
 
 ### Pre-upgrade to v1.7.1+

docs/requirements.md

@@ -139,6 +139,6 @@ Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare
 
 [^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm 3.18.0 is not supported.
 
-[^2]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail.
+[^2]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
 
 [^3]: Required for Dovecot Pro as part of openDesk Enterprise Edition.

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -25,6 +25,14 @@ configuration:
       address:
         per_second: 2
         burst_count: 12
+    # Set higher limits for messages and media due to non-chat Matrix apps and widgets (such as NeoBoard)
+    # https://github.com/nordeck/matrix-neoboard/blob/main/docs/configuration.md#rate-limiting-settings
+    rc_message:
+      per_second: 5
+      burst_count: 25
+    rc_media_create:
+      per_second: 20
+      burst_count: 100
 
   database:
     host: {{ .Values.databases.synapse.host | quote }}

helmfile/apps/notes/values.yaml.gotmpl

@@ -149,7 +149,7 @@ backend:
       subPath: "theme.json"
     {{- if .Values.certificate.selfSigned }}
     - name: "trusted-cert-secret-volume"
-      mountPath: "/usr/local/lib/python3.12/site-packages/certifi/cacert.pem"
+      mountPath: "/usr/local/lib/python3.13/site-packages/certifi/cacert.pem"
       subPath: "ca-certificates.crt"
     {{- end }}
 

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -1325,6 +1325,7 @@ nubusStackDataUms:
     portalLinkSupport: {{ .Values.functional.portal.linkSupport | quote }}
     portalLinkFeedback: {{ .Values.functional.portal.linkFeedback | quote }}
     oxDefaultContext: "1"
+    oxDefaultLanguage: {{ .Values.functional.internationalization.defaultLanguage | quote }}
     oxContextHidden: true
     oxSystemUserPassword: {{ .Values.secrets.nubus.ldapSearch.ox }}
     portalOxLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -23,7 +23,7 @@ dovecot:
     port: {{ .Values.databases.dovecotDictmap.port }}
     username: {{ .Values.databases.dovecotDictmap.username | quote }}
     password:
-      value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+      value: {{ .Values.databases.dovecotDictmap.password | default .Values.secrets.cassandra.dovecotDictmapUser | quote }}
     keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
   sharedMailboxes:
     enabled: true
@@ -31,15 +31,18 @@ dovecot:
     port: {{ .Values.databases.dovecotACL.port }}
     username: {{ .Values.databases.dovecotACL.username | quote }}
     password:
-      value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+      value: {{ .Values.databases.dovecotACL.password | default .Values.secrets.cassandra.dovecotACLUser | quote }}
     keyspace: {{ .Values.databases.dovecotACL.name | quote }}
   objectStorage:
     bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
+    cacheTmpfs: {{ if .Values.technical.dovecot.objectStorage.cacheTmpfs }}true{{ else }}false{{ end }}
     encryption:
       privateKey:
         value: {{ requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
       publicKey:
         value: {{ requiredEnv "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+    fsCacheSize: {{ .Values.technical.dovecot.objectStorage.fsCacheSize | quote }}
+    ftsCacheSize: {{ .Values.technical.dovecot.objectStorage.ftsCacheSize | quote }}
     fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     username: {{ .Values.objectstores.dovecot.username | quote }}
     password:

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -256,6 +256,10 @@ appsuite:
               open-xchange-authentication-masterpassword: "enabled"
           properties:
             com.openexchange.calendar.allowOrganizerPartStatChanges: "true"
+            # Mailfilter
+            com.openexchange.mail.filter.passwordSource: global
+            com.openexchange.mail.filter.masterPassword:  {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+            com.openexchange.mail.filter.preferredSaslMech: ""
           propertiesFiles:
             /opt/open-xchange/etc/masterpassword-authentication.properties:
               com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
@@ -393,6 +397,9 @@ appsuite:
       com.openexchange.share.guestHostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
       com.openexchange.UIWebPath: "/appsuite/"
       com.openexchange.showAdmin: "false"
+      # Various Mail settings
+      com.openexchange.mail.deleteDraftOnTransport: "true"
+      com.openexchange.capability.document_preview_xrechnung: "true"
       # PDF Export
       com.openexchange.capability.mail_export_pdf: "true"
       com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
@@ -449,6 +456,11 @@ appsuite:
       com.openexchange.mail.login.resolver.ldap.contextNameAttribute: "oxContextIDNum"
       com.openexchange.mail.login.resolver.ldap.entitySearchFilter: "(&(oxContextIDNum=[cid])(uid=[uname]))"
       com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: "entryUUID"
+      # Contacts collector
+      # Ref.: https://documentation.open-xchange.com/components/middleware/config/8/#mode=search&term=contactCollect
+      com.openexchange.contactcollector.enabled: "true"
+      com.openexchange.user.contactCollectOnMailTransport: "true"
+      com.openexchange.user.contactCollectOnMailAccess: "false"
       # Requirements for OX Connector
       com.openexchange.user.enforceUniqueDisplayName: "false"
       com.openexchange.folderstorage.database.preferDisplayName: "false"
@@ -549,19 +561,16 @@ appsuite:
       # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
       com.openexchange.smime.test: {{ .Values.debug.enabled | quote }}
       {{- end }}
-      {{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
       # Client Onboarding
-      com.openexchange.client.onboarding.mail.imap.host: {{ .Values.global.domain | quote }}
+      com.openexchange.client.onboarding.enabled: {{ .Values.functional.groupware.externalClients.enabledOnboardingInfo | quote }}
+      com.openexchange.client.onboarding.mail.imap.host: {{ default .Values.global.domain .Values.functional.groupware.externalClients.fqdnImap | quote }}
       com.openexchange.client.onboarding.mail.imap.port: "993"
       com.openexchange.client.onboarding.mail.imap.secure: "true"
       com.openexchange.client.onboarding.mail.imap.requireTls: "false"
-      com.openexchange.client.onboarding.mail.smtp.host: {{ .Values.global.domain | quote }}
+      com.openexchange.client.onboarding.mail.smtp.host: {{ default .Values.global.domain .Values.functional.groupware.externalClients.fqdnSmtp | quote }}
       com.openexchange.client.onboarding.mail.smtp.port: "587"
       com.openexchange.client.onboarding.mail.smtp.secure: "false"
       com.openexchange.client.onboarding.mail.smtp.requireTls: "true"
-      {{- else }}
-      com.openexchange.client.onboarding.enabled: "false"
-      {{- end }}
       # DAV
       {{- if .Values.functional.groupware.davSupport.enabled }}
       com.openexchange.caldav.enabled: "true"
@@ -678,9 +687,6 @@ appsuite:
       io.ox/core//coloredIcons: "false"
       # Mail templates
       io.ox/core//features/templates: "true"
-      # Contact Collector
-      io.ox/mail//contactCollectOnMailTransport: "true"
-      # io.ox/mail//contactCollectOnMailAccess: "true"
       # Dynamic theme
       io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
       io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"

helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl

@@ -45,15 +45,15 @@ oxConnector:
   oxDefaultContext: "1"
   oxImapServer: "imap://127.0.0.1:143"
   oxLocalTimezone: "Europe/Berlin"
-  oxLanguage: "de_DE"
+  oxLanguage: {{ .Values.functional.internationalization.defaultLanguage | quote }}
   oxMasterAdmin: "admin"
   oxMasterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
   oxSmtpServer: "smtp://127.0.0.1:587"
-  oxSoapServer: "http://open-xchange-core-mw-admin"
+  oxSoapServer: {{ printf "http://%s.%s.svc.%s" "open-xchange-core-mw-admin" (.Values.apps.oxAppSuite.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
 
 provisioningApi:
   connection:
-    baseUrl: "http://ums-provisioning-api"
+    baseUrl: {{ printf "http://%s.%s.svc.%s" "ums-provisioning-api" (.Values.apps.nubus.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
   auth:
     username: "ox-connector"
     password: {{ .Values.secrets.oxConnector.provisioningApiPassword | quote }}

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -63,10 +63,9 @@ postfix:
         value: {{ .Values.smtp.username }}
       password:
         value: {{ .Values.smtp.password }}
+  smtpSASLAuthEnable: "yes"
   {{- end }}
   allowRelayNets: false
-  smtpSASLAuthEnable: "yes"
-  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
   smtpTLSSecurityLevel: "encrypt"
   smtpdSASLAuthEnable: "yes"
   smtpdSASLSecurityOptions: "noanonymous"

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -68,14 +68,13 @@ postfix:
         value: {{ .Values.smtp.username }}
       password:
         value: {{ .Values.smtp.password }}
+  smtpSASLAuthEnable: "yes"
   {{- end }}
   # Warning: This setting allows unauthenticated mail relay from relayNets!
   allowRelayNets: true
   relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
   minTLSVersion: "TLSv1.2"
   smtpdTLSMandatoryCiphers: "medium"
-  smtpSASLAuthEnable: "yes"
-  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
   smtpTLSSecurityLevel: "encrypt"
   smtpdSASLAuthEnable: "yes"
   smtpdSASLSecurityOptions: "noanonymous"

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -184,9 +184,9 @@ properties:
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": {{ .Values.functional.internationalization.defaultLanguage | quote }}
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": {{ .Values.functional.internationalization.defaultLanguage | quote }}
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -6,7 +6,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
     name: "dovecot"
-    version: "3.2.0-authcache"
+    version: "3.2.3"
     verify: true
   oxAppSuite:
     registry: "registry.opencode.de"

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -5,7 +5,7 @@ images:
   collabora:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.4.3.1@sha256:b0b5fa9b061df1e8473dff9bb2cf295ab41bd7b35a78b785de518883b07e97c2"
+    tag: "25.04.5.3.1@sha256:d22407cd3bd83dd832f986a697d81c1a4642f55129c76a5a20e637274ce7bf62"
   dovecot:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"

helmfile/environments/default/charts.yaml.gotmpl

@@ -169,7 +169,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neoboard-widget"
-    version: "3.5.1"
+    version: "3.5.2"
     verify: true
   matrixNeochoiceWidget:
     # providerCategory: "Platform"
@@ -179,7 +179,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neochoice-widget"
-    version: "3.5.1"
+    version: "3.5.2"
     verify: true
   matrixNeodatefixBot:
     # providerCategory: "Platform"
@@ -189,7 +189,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-bot"
-    version: "3.5.1"
+    version: "3.5.2"
     verify: true
   matrixNeodatefixWidget:
     # providerCategory: "Platform"
@@ -199,7 +199,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-widget"
-    version: "3.5.1"
+    version: "3.5.2"
     verify: true
   matrixUserVerificationService:
     # providerCategory: "Platform"
@@ -437,7 +437,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "5.0.0"
+    version: "5.0.1"
     verify: true
   postgresql:
     # providerCategory: "Platform"

helmfile/environments/default/functional.yaml.gotmpl

@@ -105,6 +105,16 @@ functional:
         # If the LDAP entryUUID should be used for the localpart of user's Matrix IDs following setting must be `true`.
         useImmutableIdentifierForLocalpart: false
 
+  dataProtection:
+    matrixPresence:
+      # Enable to allow information about the user presence status to be shared.
+      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
+      enabled: false
+    jitsiRoomHistory:
+      # Disable to avoid the room history to be stored in the user's browser local storage.
+      # Ref.: https://github.com/jitsi/docker-jitsi-meet/issues/898
+      enabled: true
+
   externalServices:
     nubus:
       udmRestApi:
@@ -117,16 +127,6 @@ functional:
         # List of matrix homeserver domains you want to allow federation with
         domainAllowList: []
 
-  dataProtection:
-    matrixPresence:
-      # Enable to allow information about the user presence status to be shared.
-      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
-      enabled: false
-    jitsiRoomHistory:
-      # Disable to avoid the room history to be stored in the user's browser local storage.
-      # Ref.: https://github.com/jitsi/docker-jitsi-meet/issues/898
-      enabled: true
-
   filestore:
     # Settings related to directory and filenames
     naming:
@@ -200,10 +200,24 @@ functional:
     # Related settings for the CalDAV and CardCAV support of the groupware module.
     davSupport:
       # Enabled by default CalDAV and CardDAV support is available at:
-      # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/caldav/[folderId]"
-      # - https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/carddav/[folderId]"
+      # - `https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/caldav/[folderId]`
+      # - `https://<.Values.global.hosts.openxchangeDav>.<.Values.global.domain>/carddav/[folderId]`
       # Can be switched off using the below feature toggle.
       enabled: true
+    # Setting related to external clients using SMTP/IMAP protocols (like Thunderbird)
+    externalClients:
+      # To fully support external mail clients in your openDesk deployment you need to ensure they can
+      # access the IMAP and SMTP services. Either on <.Values.global.domain> or on the FQDNs defined
+      # below.
+      # How to achive this depends on what service types you are using in your deployment. These service
+      # types can be set explicitly for IMAP (Dovecot) and SMTP (Postfix) using `service.yaml.gotmpl` and
+      # how these services, especially when using type `LoadBalancer`, behave in your setup.
+      # Toggle the client onboarding info dialog in the groupware module.
+      enabledOnboardingInfo: false
+      # Set the FQDN of the IMAP endpoint if none is provided `<.Values.global.domain>` is used.
+      fqdnImap: ~
+      # Set the FQDN of the SMTP endpoint if none is provided `<.Values.global.domain>` is used.
+      fqdnSmtp: ~
     # Control access for external users to groupware data
     # Ref.: https://documentation.open-xchange.com/8/middleware/miscellaneous/sharing_and_guest_mode.html
     externalSharing:
@@ -251,6 +265,18 @@ functional:
       # Ref.: https://documentation.open-xchange.com/8/ui/configuration/settings-list-of.html#mail-misc
       editRealName: false
 
+  internationalization:
+    # Most openDesk applications render their user interface in the language the user's browser is set to. But there
+    # are exceptions that can be controlled by the following setting.
+    # Beside the `de_DE` default `en_GB` has been tested.
+    # - OX App Suite: Users can set their preferred language in the App Suite's UI by navigating to
+    #   "All settings" > "General" > "Language & Time zone" > "Language", though the default language for the first
+    #   login will be set globally based on the setting below.
+    # - XWiki: The UI language of XWiki is set automatically by the language the wiki content is provided in. As XWiki
+    #   does not autodetect that content language, it has to be predefined by the setting below.
+    #   Note: For multi-language XWiki setups a customization is required for now.
+    defaultLanguage: "de_DE"
+
   migration:
     oxAppSuite:
       # Note: Only available in openDesk Enterprise.

helmfile/environments/default/images.yaml.gotmpl

@@ -50,7 +50,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.4.3.1@sha256:2ba934fb0dc18965bfaf19151017205b0a85af8b069bc34c994a8eae0b4bee34"
+    tag: "25.04.5.3.1@sha256:0e1ccf43308121c657936510de27244057c3826777a491495a0f7e55a196bc59"
   collaboraController:
     # Enterprise Component
     # providerCategory: "Supplier"
@@ -354,7 +354,7 @@ images:
     # upstreamRepository: "lasuite/impress-backend"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.11.0-docs-v3.4.0-backend@sha256:a07acb86ee260fd9242c4173a01c67c36552d149a2af91220348bdb588c19bf5"
+    tag: "1.12.1-docs-v3.4.0-backend@sha256:9d611d924056bd945499ef038ee7ac4c7a1196adfe0fc464d600d163dc42291a"
   notesFrontend:
     # providerCategory: "Supplier"
     # providerResponsible: "DINUM"
@@ -362,7 +362,7 @@ images:
     # upstreamRepository: "lasuite/impress-frontend"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.11.0-docs-v3.4.0-frontend@sha256:e7316700442455419ebb2e37fe2ae246bb90a7d09ad30477df608b5eb6089095"
+    tag: "1.12.1-docs-v3.4.0-frontend@sha256:51cb96a97dd5668366d9f664977cbb869e4a59499bf30bc1766528dd41843ac7"
   notesYProvider:
     # providerCategory: "Supplier"
     # providerResponsible: "DINUM"
@@ -370,7 +370,7 @@ images:
     # upstreamRepository: "lasuite/impress-y-provider"
     registry: "registry-1.docker.io"
     repository: "lasuite/impress-y-provider"
-    tag: "v3.2.1@sha256:9dd7068336c02fe71806bc3576e7dc8636d7ccb139667c6303f0753e18d3ab7e"
+    tag: "v3.4.0@sha256:fce38ca22cdc80c06803ded6f7147b6d1df22dd21f58ef834adef1d3aa83d667"
   nubusBlocklistCleanup:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -560,7 +560,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.15.0@sha256:5ffb3106bf896a215fd7ae5d6646f19b50f0e46c11561d763938479d95aaa807"
+    tag: "1.15.1@sha256:e9c46d93abe6d7a8abcd2dc5cd38f178cd3b78f971f81b34fa5bd27270604db8"
   nubusOpendeskExtensionA2gMapper:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -762,7 +762,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "16.4.1@sha256:b80443fc9fe1bf9ed475897316208b394cca4e730ae8ca34944373245cc0a4f5"
+    tag: "16.5.1@sha256:0e29ae9fcee825b76d62e10e374c10ad40da20ba9c0e584839645bb68e6167bf"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"

helmfile/environments/default/persistence.yaml.gotmpl

@@ -16,6 +16,8 @@ persistence:
       size: "1Gi"
       storageClassName: ~
     dovecot:
+      # With Dovecot CE this is used for the mail storage.
+      # Dovecot Pro (EE) uses this storage for the metacache,
       size: "1Gi"
       storageClassName: ~
     mariadb:

helmfile/environments/default/technical.yaml.gotmpl

@@ -6,6 +6,17 @@ technical:
   collabora:
     # Defines the value for the start parameter `-o:num_prespawn_children`
     numPrespawnChildren: 4
+  # Dovecot EE related settings
+  dovecot:
+    objectStorage:
+      # Size of objectstore fs cache
+      fsCacheSize: "2G"
+      # Size of fts cache
+      ftsCacheSize: "2G"
+      # Wether fs and fts cache should reside in RAM (tmpfs) or not
+      # If this value is true, the cache sizes of the fs cache + fts cache
+      # must be considered additionally to Dovecot's memory footprint.
+      cacheTmpfs: false
   # Groupware related technical settings
   oxAppSuite:
     provisioning:

publiccode.yml

@@ -22,8 +22,8 @@ name: "openDesk"
 platforms:
   - "web"
 developmentStatus: "stable"
-softwareVersion: "1.7.1"
-releaseDate: "2025-08-26"
+softwareVersion: "1.8.0"
+releaseDate: "2025-09-25"
 softwareType: "standalone/web"
 url: "https://gitlab.opencode.de/bmi/opendesk/"
 logo: ".opencode/openDesk-logo-rgb-color.svg"