diff --git a/include/mua.sh b/include/mua.sh
index a42c0710..65323de5 100755
--- a/include/mua.sh
+++ b/include/mua.sh
@@ -40,22 +40,26 @@ test_imap_openssl()
 EOF
 }
 
-test_imap_curl()
+get_curl_cmd()
 {
-	local _test_uri
-	_test_uri="imaps://$(uriencode $MUA_TEST_USER):$(uriencode $MUA_TEST_PASS)@${MUA_TEST_HOST}/"
-
 	if [ -x /usr/local/bin/curl ]; then
-		curl -k -v --login-options 'AUTH=PLAIN' "$_test_uri"
+		echo "curl"
 	elif [ -x "$STAGE_MNT/usr/local/bin/curl" ]; then
-		_test_uri="imaps://$(uriencode $MUA_TEST_USER):$(uriencode $MUA_TEST_PASS)@localhost/"
-		stage_exec curl -k -v --login-options 'AUTH=PLAIN' "$_test_uri"
+		echo "stage_exec curl"
 	else
-		pkg install -y curl
-		curl -k -v --login-options 'AUTH=PLAIN' "$_test_uri"
+		pkg install -qy curl
+		echo "curl"
 	fi
 }
 
+test_imap_curl()
+{
+	local _test_uri
+	_test_uri="imaps://$(uriencode $MUA_TEST_USER):$(uriencode $MUA_TEST_PASS)@${MUA_TEST_HOST}/"
+	_curl_cmd="$(get_curl_cmd)"
+	$_curl_cmd -k -v --login-options 'AUTH=PLAIN' "$_test_uri"
+}
+
 test_imap()
 {
 	echo "testing IMAP AUTH as $MUA_TEST_USER"
@@ -90,9 +94,11 @@ test_pop3_empty()
 
 test_pop3()
 {
+	local _test_uri
+	_test_uri="pop3s://$(uriencode $MUA_TEST_USER):$(uriencode $MUA_TEST_PASS)@${MUA_TEST_HOST}/"
+	_curl_cmd="$(get_curl_cmd)"
 	# shellcheck disable=2001
-	curl -k -v --login-options 'AUTH=PLAIN' \
-		"pop3s://$(uriencode $MUA_TEST_USER):$(uriencode $MUA_TEST_PASS)@${MUA_TEST_HOST}/"
+	$_curl_cmd -k -v --login-options 'AUTH=PLAIN' "$_test_uri"
 }
 
 uriencode() {
diff --git a/include/nginx.sh b/include/nginx.sh
index f30bb879..c94c088c 100755
--- a/include/nginx.sh
+++ b/include/nginx.sh
@@ -37,8 +37,10 @@ install_nginx()
 
 install_nginx_newsyslog()
 {
+	stage_enable_newsyslog
+
 	tell_status "enabling nginx log file rotation"
-	tee "$STAGE_MNT/etc/newsyslog.conf.d/nginx" <<EO_NG_NSL
+	tee "$STAGE_MNT/etc/newsyslog.conf.d/nginx.conf" <<EO_NG_NSL
 # rotate nightly (default)
 /var/log/nginx/*.log		root:wheel	644	 7     *   @T00   BCGX  /var/run/nginx.pid 30
 
@@ -69,10 +71,20 @@ configure_nginx_server_d()
 	fi
 
 	# most calls get enclosing server block
-	local _prefix='server {
-		listen       80 proxy_protocol;
-		listen  [::]:80 proxy_protocol;
+	local _prefix
+	if [ "$TOASTER_WEBMAIL_PROXY" = "haproxy" ]; then
+		_prefix='server {
+			listen       80;
+			listen  [::]:80;
+'
+	else
+		# nginx can't send proxy protocol AND route URIs at the same time
+		_prefix='server {
+			listen       80;
+			listen  [::]:80;
 '
+	fi
+
 	local _suffix='location ~ /\.ht {
 			deny  all;
 		}
@@ -136,8 +148,10 @@ http {
 	keepalive_timeout  65;
 
 	set_real_ip_from $(get_jail_ip haproxy);
+	set_real_ip_from $(get_jail_ip webmail);
 	set_real_ip_from $(get_jail_ip6 haproxy);
-	real_ip_header   proxy_protocol;
+	set_real_ip_from $(get_jail_ip6 webmail);
+	real_ip_header   X-Forwarded-For;
 	real_ip_recursive on;
 	client_max_body_size 25m;
 
diff --git a/include/php.sh b/include/php.sh
index 5f5de7a7..9cb382dd 100755
--- a/include/php.sh
+++ b/include/php.sh
@@ -29,8 +29,10 @@ install_php()
 }
 
 install_php_newsyslog() {
+	stage_enable_newsyslog
+
 	tell_status "enabling PHP-FPM log file rotation"
-	tee "$STAGE_MNT/etc/newsyslog.conf.d/php-fpm" <<EO_FPM_NSL
+	tee "$STAGE_MNT/etc/newsyslog.conf.d/php-fpm.conf" <<EO_FPM_NSL
 # rotate the file after it reaches 1M
 /var/log/php-fpm.log 600 7	1024	*	BCX	/var/run/php-fpm.pid 30
 EO_FPM_NSL
diff --git a/include/shell.sh b/include/shell.sh
index 85f2a756..a2938fc6 100755
--- a/include/shell.sh
+++ b/include/shell.sh
@@ -51,7 +51,7 @@ export HISTIGNORE="&:[bf]g:exit"
 
 shopt -s histappend
 shopt -s cdspell
-set -o vi
+#set -o vi
 
 if [[ $- == *i* ]]
 then
diff --git a/mail-toaster.sh b/mail-toaster.sh
index f2bf092d..900b7312 100755
--- a/mail-toaster.sh
+++ b/mail-toaster.sh
@@ -88,7 +88,10 @@ export TOASTER_PKG_BRANCH="latest"
 export TOASTER_USE_TMPFS="0"
 export TOASTER_VPOPMAIL_CLEAR="1"
 export TOASTER_VPOPMAIL_EXT="0"
+export TOASTER_WEBMAIL_PROXY="haproxy"
 export CLAMAV_FANGFRISCH="0"
+export GEOIP_UPDATER="geoipupdate"
+export MAXMIND_ACCOUNT_ID=""
 export MAXMIND_LICENSE_KEY=""
 export ROUNDCUBE_SQL="0"
 export ROUNDCUBE_DEFAULT_HOST=""
@@ -188,6 +191,7 @@ export TOASTER_USE_TMPFS=${TOASTER_USE_TMPFS:="0"}
 export TOASTER_VPOPMAIL_CLEAR=${TOASTER_VPOPMAIL_CLEAR:="1"}
 export TOASTER_VPOPMAIL_EXT=${TOASTER_VPOPMAIL_EXT:="0"}
 export TOASTER_VQADMIN=${TOASTER_VQADMIN:="0"}
+export TOASTER_WEBMAIL_PROXY=${TOASTER_WEBMAIL_PROXY:="haproxy"}
 export CLAMAV_FANGFRISCH=${CLAMAV_FANGFRISCH:="0"}
 export CLAMAV_UNOFFICIAL=${CLAMAV_UNOFFICIAL:="0"}
 export ROUNDCUBE_SQL=${ROUNDCUBE_SQL:="$TOASTER_MYSQL"}
@@ -1012,6 +1016,38 @@ stage_fbsd_package()
 	echo "done"
 }
 
+stage_setup_tls()
+{
+	# static TLS certificates (installed at deploy)
+	if [ ! -f "$STAGE_MNT/etc/ssl/certs/${TOASTER_MAIL_DOMAIN}.pem" ]; then
+		tell_status "installing TLS certificate"
+		cp /etc/ssl/certs/server.crt "$STAGE_MNT/etc/ssl/certs/${TOASTER_MAIL_DOMAIN}.pem"
+		cp /etc/ssl/private/server.key "$STAGE_MNT/etc/ssl/private/${TOASTER_MAIL_DOMAIN}.pem"
+	fi
+
+	# dynamic TLS certs, kept up-to-date by acme.sh or certbot
+	if [ ! -f "$STAGE_MNT/data/etc/tls/certs" ]; then
+		# shellcheck disable=SC2174
+		mkdir -m 0644 -p "$STAGE_MNT/data/etc/tls/certs"
+		cp /etc/ssl/certs/server.crt "$STAGE_MNT/data/etc/tls/certs/${TOASTER_MAIL_DOMAIN}.pem"
+	fi
+
+	if [ ! -f "$STAGE_MNT/data/etc/tls/private" ]; then
+		# shellcheck disable=SC2174
+		mkdir -m 0640 -p "$STAGE_MNT/data/etc/tls/private"
+		cp /etc/ssl/private/server.key "$STAGE_MNT/data/etc/tls/private/${TOASTER_MAIL_DOMAIN}.pem"
+	fi
+}
+
+stage_enable_newsyslog()
+{
+	tell_status "enabling newsyslog"
+	sysrc -f "$STAGE_MNT/etc/rc.conf" newsyslog_enable=YES
+	sed -i.bak \
+		-e '/^#0.*newsyslog/ s/^#0/0/' \
+		"$STAGE_MNT/etc/crontab"
+}
+
 unmount_data()
 {
 	# $1 is ZFS fs (eg: /data/mysql)
@@ -1348,7 +1384,8 @@ assure_jail()
 	fi
 }
 
-preserve_file() {
+preserve_file()
+{
 	local _jail_name=$1
 	local _file_path=$2
 
diff --git a/provision/base.sh b/provision/base.sh
index ace88585..f937e5a4 100755
--- a/provision/base.sh
+++ b/provision/base.sh
@@ -125,7 +125,7 @@ do
 done
 
 # packages to be updated automatically
-auto_upgrade="curl expat libxml2 pkg sudo vim-tiny"
+auto_upgrade="curl expat libxml2 pkg sudo unbound vim-tiny"
 
 # add packages with:
 #   sysrc -f /usr/local/etc/periodic/daily/auto_security_upgrades auto_upgrade+=" $NEW"
@@ -137,17 +137,15 @@ done
 EO_PKG_SECURITY
 }
 
-configure_ssl_dirs()
+configure_tls_dirs()
 {
 	if [ ! -d "$BASE_MNT/etc/ssl/certs" ]; then
-		mkdir "$BASE_MNT/etc/ssl/certs"
+		mkdir -m 0644 "$BASE_MNT/etc/ssl/certs"
 	fi
 
 	if [ ! -d "$BASE_MNT/etc/ssl/private" ]; then
-		mkdir "$BASE_MNT/etc/ssl/private"
+		mkdir -m 0640 "$BASE_MNT/etc/ssl/private"
 	fi
-
-	chmod o-r "$BASE_MNT/etc/ssl/private"
 }
 
 configure_tls_dhparams()
@@ -215,7 +213,7 @@ configure_base()
 		update_motd=NO
 
 	configure_pkg_latest "$BASE_MNT"
-	configure_ssl_dirs
+	configure_tls_dirs
 	configure_tls_dhparams
 	disable_cron_jobs
 	enable_security_periodic
diff --git a/provision/dovecot.sh b/provision/dovecot.sh
index 26032e1e..a219876a 100755
--- a/provision/dovecot.sh
+++ b/provision/dovecot.sh
@@ -112,13 +112,13 @@ protocol lmtp {
 }
 
 # default TLS certificate (no SNI)
-ssl_cert = </data/etc/ssl/certs/dovecot.pem
-ssl_key = </data/etc/ssl/private/dovecot.pem
+ssl_cert = </data/etc/tls/certs/dovecot.pem
+ssl_key = </data/etc/tls/private/dovecot.pem
 
 # example TLS SNI (see https://wiki.dovecot.org/SSL/DovecotConfiguration)
 #local_name mail.example.com {
-#  ssl_cert = </data/etc/ssl/certs/mail.example.com.pem
-#  ssl_key = </data/etc/ssl/private/mail.example.com.pem
+#  ssl_cert = </data/etc/tls/certs/mail.example.com.pem
+#  ssl_key = </data/etc/tls/private/mail.example.com.pem
 #}
 
 # dovecot 2.3+ supports a ssl_dh file
@@ -322,7 +322,7 @@ configure_tls_certs()
 			"$_localconf"
 	fi
 
-	local _ssldir="$ZFS_DATA_MNT/dovecot/etc/ssl"
+	local _ssldir="$ZFS_DATA_MNT/dovecot/etc/tls"
 	if [ ! -d "$_ssldir/certs" ]; then
 		# shellcheck disable=SC2174
 		mkdir -m 644 -p "$_ssldir/certs"
@@ -351,8 +351,8 @@ configure_postfix_with_sasl()
 	stage_exec postconf -e 'smtpd_sasl_path = private/auth'
 	stage_exec postconf -e 'smtpd_sasl_auth_enable = yes'
 	stage_exec postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
-	stage_exec postconf -e "smtpd_tls_cert_file = /data/etc/ssl/certs/$TOASTER_HOSTNAME.pem"
-	stage_exec postconf -e "smtpd_tls_key_file = /data/etc/ssl/private/$TOASTER_HOSTNAME.pem"
+	stage_exec postconf -e "smtpd_tls_cert_file = /data/etc/tls/certs/$TOASTER_HOSTNAME.pem"
+	stage_exec postconf -e "smtpd_tls_key_file = /data/etc/tls/private/$TOASTER_HOSTNAME.pem"
 	stage_exec postconf -e 'smtp_tls_security_level = may'
 
 	for _s in 512 1024 2048; do
diff --git a/provision/haproxy.sh b/provision/haproxy.sh
index 156583fd..b6fad8e9 100755
--- a/provision/haproxy.sh
+++ b/provision/haproxy.sh
@@ -82,7 +82,7 @@ defaults
 frontend http-in
 	#mode tcp
 	bind :::80 v4v6 alpn http/1.1
-	bind :::443 v4v6 alpn http/1.1 ssl crt /etc/ssl/private crt /data/ssl.d
+	bind :::443 v4v6 alpn http/1.1 ssl crt /data/etc/tls.d
 	# ciphers AES128+EECDH:AES128+EDH
 
 	http-request  set-header X-Forwarded-Proto https if { ssl_fc }
@@ -173,21 +173,21 @@ frontend http-in
 	server haraka $(get_jail_ip haraka):80
 
 	backend www_webmail
-	server webmail $(get_jail_ip webmail):80 send-proxy-v2
+	server webmail $(get_jail_ip webmail):80
 
 	backend www_roundcube
-	server roundcube $(get_jail_ip roundcube):80 send-proxy-v2
+	server roundcube $(get_jail_ip roundcube):80
 	http-request replace-path /roundcube/(.*) /\1
 
 	backend www_squirrelmail
-	server squirrelmail $(get_jail_ip squirrelmail):80 send-proxy-v2
+	server squirrelmail $(get_jail_ip squirrelmail):80
 
 	backend www_rainloop
-	server rainloop $(get_jail_ip rainloop):80 send-proxy-v2
+	server rainloop $(get_jail_ip rainloop):80
 	http-request replace-path /rainloop/(.*) /\1
 
 	backend www_snappymail
-	server snappymail $(get_jail_ip snappymail):80 send-proxy-v2
+	server snappymail $(get_jail_ip snappymail):80
 	http-response del-header X-Frame-Options
 
 	backend www_munin
@@ -202,19 +202,19 @@ frontend http-in
 	http-request replace-path /nictool/(.*) /\1
 
 	backend www_mediawiki
-	server mediawiki $(get_jail_ip mediawiki):80 send-proxy-v2
+	server mediawiki $(get_jail_ip mediawiki):80
 
 	backend www_smf
-	server smf $(get_jail_ip smf):80 send-proxy-v2
+	server smf $(get_jail_ip smf):80
 
 	backend www_wordpress
-	server wordpress $(get_jail_ip wordpress):80 send-proxy-v2
+	server wordpress $(get_jail_ip wordpress):80
 
 	backend www_stage
-	server stage $(get_jail_ip stage):80 send-proxy-v2
+	server stage $(get_jail_ip stage):80
 
 	backend www_horde
-	server horde $(get_jail_ip horde):80 send-proxy-v2
+	server horde $(get_jail_ip horde):80
 
 	backend www_prometheus
 	server prometheus $(get_jail_ip prometheus):9090
@@ -228,7 +228,7 @@ frontend http-in
 	server dmarc $(get_jail_ip mail_dmarc):8080
 
 	backend www_nagios
-	server nagios $(get_jail_ip nagios):80 send-proxy-v2
+	server nagios $(get_jail_ip nagios):80
 
 	backend www_kibana
 	server kibana $(get_jail_ip elasticsearch):5601
@@ -253,17 +253,21 @@ global
 defaults
     mode        http
     log         global
+    option      forwardfor
+    timeout     connect 5s
+    timeout     server 30s
+    timeout     client 30s
 
 frontend default-http
     bind $(get_jail_ip stage):80
-    bind $(get_jail_ip stage):443 alpn http/1.1 ssl crt /data/ssl.d
+    bind $(get_jail_ip stage):443 alpn http/1.1 ssl crt /data/etc/tls.d
     bind [$(get_jail_ip6 stage)]:80
-    bind [$(get_jail_ip6 stage)]:443 alpn http/1.1 ssl crt /data/ssl.d
+    bind [$(get_jail_ip6 stage)]:443 alpn http/1.1 ssl crt /data/etc/tls.d
 
     default_backend www_webmail
 
 backend www_webmail
-    server webmail80 172.16.15.10:80 send-proxy
+    server webmail80 172.16.15.10:80
 
 EO_HAPROXY_STAGE_CONF
 }
@@ -283,18 +287,18 @@ install_ocsp_stapler()
 OPENSSL=/usr/bin/openssl
 
 # Path to certificates
-PEMSDIR=/data/ssl.d
+PEMSDIR=/data/etc/tls.d
 
 # Path to log output to
 LOGDIR=/var/log/haproxy
 
 # Create the log path if it doesn't already exist
-[ -d ${LOGDIR} ] || mkdir ${LOGDIR}
+[ -d $LOGDIR ] || mkdir $LOGDIR
 UPDATED=0
 
-cd ${PEMSDIR}
+cd $PEMSDIR
 for pem in *.pem; do
-    echo "= $(date)" >> ${LOGDIR}/${pem}.log
+    echo "= $(date)" >> "$LOGDIR/${pem}.log"
 
     # Get the OCSP URL from the certificate
     ocsp_url=$($OPENSSL x509 -noout -ocsp_uri -in $pem)
@@ -318,10 +322,10 @@ for pem in *.pem; do
 done
 
 if [ $UPDATED -gt 0 ]; then
-    echo "= $(date) - Updated $UPDATED OCSP responses" >> ${LOGDIR}/${pem}.log
-    service haproxy reload > ${LOGDIR}/service-reload.log 2>&1
+    echo "= $(date) - Updated $UPDATED OCSP responses" >> "$LOGDIR/${pem}.log"
+    service haproxy reload > $LOGDIR/service-reload.log 2>&1
 else
-    echo "= $(date) - No updates" >> ${LOGDIR}/${pem}.log
+    echo "= $(date) - No updates" >> $LOGDIR/${pem}.log
 fi
 
 EO_OCSP
@@ -329,20 +333,16 @@ EO_OCSP
 
 configure_haproxy_tls()
 {
-	if [ ! -f "$STAGE_MNT/etc/ssl/private/server.pem" ]; then
-		tell_status "concatenating TLS key and crt to PEM"
-		cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt \
-			> "$STAGE_MNT/etc/ssl/private/server.pem"
-	fi
-
-	if [ ! -d "$ZFS_DATA_MNT/haproxy/ssl" ]; then
-		tell_status "creating /data/ssl"
-		mkdir -p "$ZFS_DATA_MNT/haproxy/ssl"
+	local _tls_dir="$ZFS_DATA_MNT/haproxy/etc/tls.d"
+	if [ ! -d "$_tls_dir" ]; then
+		tell_status "creating $_tls_dir"
+		mkdir -p "$_tls_dir"
 	fi
 
-	if [ ! -d "$ZFS_DATA_MNT/haproxy/ssl.d" ]; then
-		tell_status "creating /data/ssl.d"
-		mkdir -p "$ZFS_DATA_MNT/haproxy/ssl.d"
+	if [ ! -f "$_tls_dir/$TOASTER_HOSTNAME.pem" ]; then
+		tell_status "concatenating TLS key and crt to PEM"
+		cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt \
+			> "$_tls_dir/$TOASTER_HOSTNAME.pem"
 	fi
 
 	install_ocsp_stapler "$STAGE_MNT/usr/local/etc/periodic/daily/501.ocsp-staple.sh"
diff --git a/provision/haraka.sh b/provision/haraka.sh
index 2b403c3d..3b3b7abd 100755
--- a/provision/haraka.sh
+++ b/provision/haraka.sh
@@ -377,7 +377,8 @@ configure_haraka_watch()
 	fi
 
 	if [ ! -f "$HARAKA_CONF/watch.ini" ]; then
-		echo '[wss]' > "$HARAKA_CONF/watch.ini"
+		echo "[wss]
+url=wss://$TOASTER_DOMAIN_NAME/watch" > "$HARAKA_CONF/watch.ini"
 	fi
 }
 
@@ -601,13 +602,6 @@ order=fail,pass,msg
 EO_RESULTS
 }
 
-enable_newsyslog() {
-	tell_status "enabling newsyslog"
-	stage_sysrc newsyslog_enable=YES
-	sed -i.bak \
-		-e '/^#0.*newsyslog/ s/^#0/0/' \
-		"$STAGE_MNT/etc/crontab"
-}
 
 configure_haraka_log_reader()
 {
@@ -621,11 +615,11 @@ configure_haraka_log_reader()
 
 configure_haraka_log_rotation()
 {
-	enable_newsyslog
+	stage_enable_newsyslog
 
 	tell_status "configuring haraka.log rotation"
 	mkdir -p "$STAGE_MNT/etc/newsyslog.conf.d"
-	tee -a "$STAGE_MNT/etc/newsyslog.conf.d/haraka.log" <<EO_HARAKA
+	tee -a "$STAGE_MNT/etc/newsyslog.conf.d/haraka.conf" <<EO_HARAKA
 /var/log/haraka.log			644  7	   *	@T00  JC
 EO_HARAKA
 }
diff --git a/provision/letsencrypt.sh b/provision/letsencrypt.sh
index e0e6dfc7..151a785a 100755
--- a/provision/letsencrypt.sh
+++ b/provision/letsencrypt.sh
@@ -11,8 +11,7 @@ export JAIL_FSTAB=""
 install_letsencrypt()
 {
 	tell_status "installing ACME.sh & Let's Encrypt"
-	pkg install -y curl socat
-	fetch -o - https://get.acme.sh | sh
+	pkg install -y curl socat acme.sh
 }
 
 install_deploy_haproxy()
@@ -64,8 +63,14 @@ haproxy_deploy() {
 		return 2
 	fi
 
-	if [ ! -d /data/haproxy/ssl.d ]; then
-		_debug "no /data/haproxy/ssl.d dir"
+	local _tls_dir="/data/haproxy/etc/tls.d"
+	if [ -d "/data/haproxy/ssl.d" ]; then
+		_debug "using legacy /data/ssl.d (new: /data/etc/tls.d)"
+		_tls_dir="/data/haproxy/ssl.d"
+	fi
+
+	if [ ! -d "$_tls_dir" ]; then
+		_debug "no /data/haproxy/etc/tls.d dir"
 		return 0
 	fi
 
@@ -77,7 +82,7 @@ haproxy_deploy() {
 	fi
 
 	_debug "$_tmp created"
-	local _installed="/data/haproxy/ssl.d/$_cdomain.pem"
+	local _installed="$_tls_dir/$_cdomain.pem"
 	has_differences "$_tmp" "$_installed" || return 0
 	install_file "$_tmp" "$_installed" || return 1
 	install_file "$_cca" "${_installed}.issuer"
@@ -144,9 +149,14 @@ dovecot_deploy() {
 
 	assure_file "$_ccert" || return 2
 
-	_ssl_dir="/data/dovecot/etc/ssl"
+	_ssl_dir="/data/dovecot/etc/tls"
+	if [ -d "/data/dovecot/etc/ssl" ]; then
+		_debug "using legacy /data/etc/ssl (new: /data/etc/tls)"
+		_ssl_dir="/data/dovecot/etc/ssl"
+	fi
+
 	if [ ! -d "$_ssl_dir" ]; then
-		_debug "no TLS/SSL dir: $_ssl_dir"
+		_debug "no TLS/SSL dir: /data/dovecot/etc/tls"
 		return 0
 	fi
 
@@ -355,7 +365,7 @@ mailtoaster_deploy() {
 	_cca="$4"
 	_cfullchain="$5"
 
-	for _target in haraka haproxy dovecot
+	for _target in haraka haproxy dovecot webmail
 	do
 		echo "deploying $_target"
 		. "/root/.acme.sh/deploy/$_target"
@@ -367,6 +377,82 @@ mailtoaster_deploy() {
 EO_LE_MT
 }
 
+install_deploy_webmail()
+{
+	store_config "$_deploy/webmail" <<'EO_LE_WEBMAIL'
+#!/bin/sh
+
+assure_file() {
+
+	if [ ! -s "$1" ]; then
+		_err "File doesn't exist: $1"
+		return 1
+	fi
+
+	_debug "file exists: $1"
+	return 0
+}
+
+has_differences() {
+
+	if [ ! -f "$2" ]; then
+		_debug "non-existent, deploying: $2"
+		return 0
+	fi
+
+	if diff -q "$1" "$2"; then
+		_debug "file contents identical, skip deploy of $2"
+		return 1
+	fi
+
+	_debug "file has changes, deploying"
+	return 0
+}
+
+install_file() {
+	cp "$1" "$2" || return 1
+
+	if [ ! -s "$2" ]; then
+		_err "install to $2 failed"
+		return 1
+	fi
+
+	_debug "installed as $2"
+	return 0
+}
+
+#domain keyfile certfile cafile fullchain
+webmail_deploy() {
+	_cdomain="$1"
+	_ckey="$2"
+	_ccert="$3"
+	_cca="$4"
+	_cfullchain="$5"
+
+	assure_file "$_ccert" || return 2
+
+	_ssl_dir="/data/webmail/etc/tls"
+	if [ ! -d "$_ssl_dir" ]; then
+		_debug "no TLS/SSL dir: /data/webmail/etc/tls"
+		return 0
+	fi
+
+	assure_file "$_cfullchain" || return 1;
+
+	local _crt_installed="$_ssl_dir/certs/${_cdomain}.pem"
+	local _key_installed="$_ssl_dir/private/${_cdomain}.pem"
+
+	has_differences "$_cfullchain" "$_crt_installed" || return 0
+	install_file    "$_cfullchain" "$_crt_installed" || return 1
+	install_file    "$_ckey"       "$_key_installed" || return 1
+
+	_debug "restarting webmail"
+	jexec webmail service nginx restart
+	return 0
+}
+EO_LE_WEBMAIL
+}
+
 install_deploy_scripts()
 {
 	tell_status "installing deployment scripts"
@@ -377,6 +463,7 @@ install_deploy_scripts()
 	install_deploy_haraka
 	install_deploy_mailtoaster
 	install_deploy_mysql
+	install_deploy_webmail
 }
 
 update_haproxy_ssld()
@@ -389,7 +476,7 @@ update_haproxy_ssld()
 
 	tell_status "switching haproxy TLS cert dir to /data/ssl.d"
 	sed -i.bak \
-		-e 's!ssl crt /etc.*!ssl crt /data/ssl.d!' \
+		-e 's!ssl crt /etc.*!ssl crt /data/etc/tls.d!' \
 		"$_haconf"
 }
 
@@ -399,7 +486,7 @@ configure_letsencrypt()
 
 	tell_status "configuring acme.sh"
 
-	local _HTTPDIR="$ZFS_DATA_MNT/webmail"
+	local _HTTPDIR="$ZFS_DATA_MNT/webmail/htdocs"
 	local _acme="/root/.acme.sh/acme.sh"
 
 	$_acme --set-default-ca --server letsencrypt
@@ -415,7 +502,7 @@ configure_letsencrypt()
 
 test_letsencrypt()
 {
-	if [ ! -f "/root/.acme.sh/acme.sh" ]; then
+	if [ ! -f "~root/.acme.sh/acme.sh" ]; then
 		echo "not installed!"
 		exit
 	fi
diff --git a/provision/mail_dmarc.sh b/provision/mail_dmarc.sh
index b94ee735..f969c808 100755
--- a/provision/mail_dmarc.sh
+++ b/provision/mail_dmarc.sh
@@ -34,7 +34,7 @@ EO_DMARC
 
 install_dmarc_config()
 {
-	local _data_cf="$ZFS_DATA_MNT/mail-dmarc.ini"
+	local _data_cf="$ZFS_DATA_MNT/mail_dmarc/mail-dmarc.ini"
 	if [ -f "$_data_cf" ]; then
 		tell_status "preserving $_data_cf"
 	else
diff --git a/provision/mongodb.sh b/provision/mongodb.sh
index 0f641d56..2680ce7f 100755
--- a/provision/mongodb.sh
+++ b/provision/mongodb.sh
@@ -63,8 +63,10 @@ configure_mongodb()
 
 	check_max_wired
 
+	stage_enable_newsyslog
+
 	echo '/data/log/mongod.log   mongodb:mongodb 644  7  *  @T00   JC   /var/run/mongod/mongod.pid' \
-		> "$STAGE_MNT/usr/local/etc/newsyslog.conf.d/mongod"
+		> "$STAGE_MNT/usr/local/etc/newsyslog.conf.d/mongod.conf"
 }
 
 start_mongodb()
diff --git a/provision/mysql.sh b/provision/mysql.sh
index 2117d0dc..422fa78d 100755
--- a/provision/mysql.sh
+++ b/provision/mysql.sh
@@ -170,7 +170,7 @@ migrate_mysql_dbs()
 		exit 1
 	fi
 
-	if jls -j mysql | grep -qs mysql; then
+	if jail_is_running mysql; then
 		echo "mysql jail is running"
 
 		_my_ver=$(pkg -j mysql info | grep mysql | grep server | cut -f1 -d' ' | cut -d- -f3)
diff --git a/provision/redis.sh b/provision/redis.sh
index 9fb4b33b..c78b6112 100755
--- a/provision/redis.sh
+++ b/provision/redis.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA=""
 export JAIL_CONF_EXTRA=""
@@ -17,11 +19,13 @@ configure_redis()
 	tell_status "configuring redis"
 
 	for _dir in db log etc; do
-		mkdir -p "$STAGE_MNT/data/$_dir" || exit
+		mkdir -p "$STAGE_MNT/data/$_dir"
 	done
 
-	mkdir -p "$STAGE_MNT/usr/local/etc/newsyslog.conf.d" || exit
-	stage_exec chown redis:redis /data/db /data/log /data/etc || exit
+	stage_enable_newsyslog
+
+	mkdir -p "$STAGE_MNT/usr/local/etc/newsyslog.conf.d"
+	stage_exec chown redis:redis /data/db /data/log /data/etc
 
 	sed -i.bak \
 		-e '/^stop-writes-on-bgsave-error/ s/yes/no/' \
@@ -33,7 +37,7 @@ configure_redis()
 		"$STAGE_MNT/usr/local/etc/redis.conf"
 
 	echo '/data/log/redis.log   redis:redis 644  7  *  @T00   JC   /var/run/redis/redis.pid' \
-   		> "$STAGE_MNT/usr/local/etc/newsyslog.conf.d/redis"
+		> "$STAGE_MNT/usr/local/etc/newsyslog.conf.d/redis.conf"
 }
 
 start_redis()
@@ -49,7 +53,7 @@ test_redis()
 	stage_listening 6379 3 2
 }
 
-base_snapshot_exists || exit
+base_snapshot_exists
 create_staged_fs redis
 start_staged_jail redis
 install_redis
diff --git a/provision/roundcube.sh b/provision/roundcube.sh
index 87bcc9f7..5ac1d71b 100755
--- a/provision/roundcube.sh
+++ b/provision/roundcube.sh
@@ -196,6 +196,19 @@ configure_roundcube_plugins()
 		-e "/'password_driver'/s/sql/vpopmaild/" \
 		-e "/'password_vpopmaild_host'/s/localhost/vpopmail/" \
 		"$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php"
+
+	tell_status "configure the SA UserPrefs plugin"
+	if [ ! -f "$STAGE_MNT/usr/local/www/roundcube/plugins/sauserprefs/config.inc.php" ]; then
+		cp "$STAGE_MNT/usr/local/www/roundcube/plugins/sauserprefs/config.inc.php.dist" \
+			"$STAGE_MNT/usr/local/www/roundcube/plugins/sauserprefs/config.inc.php"
+	fi
+	local _sapass
+	_sapass=$(grep user_scores_sql_password /data/spamassassin/etc/sql.cf | awk '{ print $2 }')
+	if [ -n "$_sapass" ]; then
+		sed -i.bak \
+			-e "/'sauserprefs_db_dsnw'/s|mysql://username:password@localhost/database|mysql://spamassassin:${_sapass}@mysql/spamassassin|" \
+			"$STAGE_MNT/usr/local/www/roundcube/plugins/sauserprefs/config.inc.php"
+	fi
 }
 
 configure_roundcube()
@@ -233,7 +246,7 @@ configure_roundcube()
 		-e "/'smtp_host'/    s/localhost:587/ssl:\/\/$TOASTER_MSA:465/" \
 		-e "/'smtp_user'/    s/'';/'%u';/" \
 		-e "/'smtp_pass'/    s/'';/'%p';/" \
-		-e "/'archive',/     s/,$/, 'managesieve',/" \
+		-e "/'archive',/     s|,$|, 'managesieve', 'sauserprefs',|" \
 		-e "/'product_name'/ s|'Roundcube Webmail'|'$ROUNDCUBE_PRODUCT_NAME'|" \
 		"$_stage_cfg"
 
diff --git a/provision/rspamd.sh b/provision/rspamd.sh
index f2b1ed92..68b7249e 100755
--- a/provision/rspamd.sh
+++ b/provision/rspamd.sh
@@ -144,7 +144,7 @@ level = "notice";
 EO_SYSLOG
 	else
 		tell_status "configuring log rotation"
-		stage_sysrc newsyslog_enable="YES"
+		stage_enable_newsyslog
 	fi
 }
 
diff --git a/provision/snappymail.sh b/provision/snappymail.sh
index d3477b51..4328edd0 100755
--- a/provision/snappymail.sh
+++ b/provision/snappymail.sh
@@ -76,10 +76,6 @@ configure_nginx_server()
 			fastcgi_pass   php;
 		}
 
-		location ~ /\.ht {
-			deny  all;
-		}
-
 		location ^~ /data {
 			deny all;
 		}
diff --git a/provision/spamassassin.sh b/provision/spamassassin.sh
index bd31b4a8..073fedc1 100755
--- a/provision/spamassassin.sh
+++ b/provision/spamassassin.sh
@@ -89,12 +89,14 @@ install_spamassassin_razor()
 		'/^logfile/ s/= /= \/var\/log\//' \
 		"$STAGE_MNT/etc/razor/razor-agent.conf"
 
+	stage_enable_newsyslog
+
 	tell_status "setting up razor-agent log rotation"
-	if [ ! -d "$STAGE_MNT/etc/newsyslog.conf.d" ]; then
-		mkdir "$STAGE_MNT/etc/newsyslog.conf.d"
+	if [ ! -d "$STAGE_MNT/usr/local/etc/newsyslog.conf.d" ]; then
+		mkdir -p "$STAGE_MNT/usr/local/etc/newsyslog.conf.d"
 	fi
 
-	tee "$STAGE_MNT/etc/newsyslog.conf.d/razor-agent" <<EO_RAZOR
+	tee "$STAGE_MNT/usr/local/etc/newsyslog.conf.d/razor-agent.conf" <<EO_RAZOR
 /var/log/razor-agent.log    600 5   1000 *  Z
 EO_RAZOR
 }
@@ -241,7 +243,7 @@ configure_spamassassin_mysql()
 	local _my_pass; _my_pass=$(get_random_pass 18 safe)
 
 	tee -a "$_sa_etc/sql.cf" <<EO_MYSQL_CONF
-	# Users scores is useful with the Squirrelmail SASQL plugin
+    # Users scores is useful with the Squirrelmail SASQL plugin
     # user_scores_dsn                 DBI:mysql:spamassassin:$(get_jail_ip mysql)
     # user_scores_sql_username        spamassassin
     # user_scores_sql_password        $_my_pass
diff --git a/provision/vpopmail.sh b/provision/vpopmail.sh
index 964616e0..5c81aa2c 100755
--- a/provision/vpopmail.sh
+++ b/provision/vpopmail.sh
@@ -253,9 +253,9 @@ install_vpopmail()
 	fi
 
 	tell_status "installing vpopmail package"
-	stage_pkg_install vpopmail
+	stage_pkg_install vpopmail gmake autoconf
 
-	stage_port_install devel/gmake
+	#stage_port_install devel/gmake
 
 	install_vpopmail_port
 	#install_vpopmail_source
diff --git a/provision/webmail.sh b/provision/webmail.sh
index c0d91fc7..ef28c71a 100755
--- a/provision/webmail.sh
+++ b/provision/webmail.sh
@@ -13,16 +13,15 @@ mt6-include nginx
 configure_nginx_server()
 {
 	_NGINX_SERVER='
-		server_name  webmail;
+		server_name webmail default_server;
+		root /data/htdocs;
 
 		# serve ACME requests from /data
 		location /.well-known/acme-challenge {
-		  root /data;
 			try_files $uri =404;
 		}
 
 		location /.well-known/pki-validation {
-			root /data;
 			try_files $uri =404;
 		}
 
@@ -32,12 +31,103 @@ configure_nginx_server()
 		}
 
 		location / {
-			root   /data/htdocs;
+			# redirect to HTTPS, use with TOASTER_WEBMAIL_PROXY=nginx
+			#return 301 https://$server_name$request_uri;
 			index  index.html index.htm;
 		}
 '
 	export _NGINX_SERVER
 	configure_nginx_server_d webmail
+
+	if [ "$TOASTER_WEBMAIL_PROXY" = "nginx" ]; then
+		# shellcheck disable=SC2089
+		_NGINX_SERVER="
+	server {
+		listen	    443 ssl;
+		listen [::]:443 ssl;
+
+		server_name  $TOASTER_HOSTNAME;
+
+		ssl_certificate	/data/etc/tls/certs/$TOASTER_MAIL_DOMAIN.pem;
+		ssl_certificate_key /data/etc/tls/private/$TOASTER_MAIL_DOMAIN.pem;
+
+		proxy_set_header X-Forwarded-For \$remote_addr;
+		proxy_set_header X-Forwarded-Proto \$scheme;
+		proxy_set_header Host \$host;
+
+		# Forbid access to other dotfiles
+		location ~ /\.(?!well-known).* {
+			return 403;
+		}
+
+		location ~ /\.ht {
+			deny  all;
+		}
+
+		location /roundcube {
+			rewrite /roundcube/(.*) /\$1  break;
+			proxy_redirect     off;
+			proxy_pass         http://$(get_jail_ip roundcube):80;
+		}
+
+		location /snappymail {
+			proxy_pass	http://$(get_jail_ip snappymail):80;
+		}
+
+		location /haraka/ {
+			rewrite /haraka/(.*) /\$1  break;
+			proxy_redirect     off;
+			proxy_pass	http://$(get_jail_ip haraka):80;
+		}
+
+		location /watch/ {
+			proxy_pass	http://$(get_jail_ip haraka):80;
+			proxy_http_version 1.1;
+			proxy_set_header Upgrade \$http_upgrade;
+			proxy_set_header Connection \"upgrade\";
+			proxy_read_timeout 86400;
+		}
+
+		location /logs/ {
+			proxy_pass	http://$(get_jail_ip haraka):80;
+		}
+
+		location ~ /(qmailadmin|vqadmin) {
+			proxy_pass	http://$(get_jail_ip vpopmail):80;
+		}
+
+		location /images/mt {
+			proxy_pass	http://$(get_jail_ip vpopmail):80;
+		}
+
+		location ~ /sqwebmail {
+			proxy_pass	http://$(get_jail_ip sqwebmail):80;
+		}
+
+		location /rspamd/ {
+			proxy_pass	http://$(get_jail_ip rspamd):11334/;
+		}
+
+		location /dmarc {
+			proxy_pass	http://$(get_jail_ip mail_dmarc):8080/;
+		}
+
+		location / {
+			root   /data/htdocs;
+			index  index.html index.htm;
+		}
+
+		error_page   500 502 503 504  /50x.html;
+		location = /50x.html {
+			root   /usr/local/www/nginx-dist;
+		}
+	}
+"
+		# shellcheck disable=SC2090
+		export _NGINX_SERVER
+
+		configure_nginx_server_d webmail webmail-tls
+	fi
 }
 
 install_lighttpd()
@@ -57,7 +147,7 @@ configure_lighttpd()
 	# shellcheck disable=2016
 	sed -i.bak \
 		-e 's/^#include_shell "cat/include_shell "cat/' \
-		-e '/^var.server_root/ s/\/usr\/local\/www\/data/\/data\/htdocs/' \
+		-e '/^var.server_root/ s|/usr/local/www/data|/data/htdocs|' \
 		"$_lighttpd_conf"
 
 	store_config "$_lighttpd_dir/vhosts.d/mail-toaster.conf" <<EO_LIGHTTPD_MT6
@@ -88,6 +178,8 @@ EO_LIGHTTPD_MT6
 
 install_webmail()
 {
+	stage_setup_tls
+
 	if [ "$WEBMAIL_HTTPD" = "lighttpd" ]; then
 		install_lighttpd
 	else
@@ -204,11 +296,7 @@ install_index()
     checkStats();
   }
   </script>
-  <style>
-body {
-  font-size: 9pt;
-}
-  </style>
+  <style>body { font-size: 9pt; }</style>
 </head>
 <body onLoad="checkAll()">
 <div id="tabs">
@@ -273,6 +361,31 @@ body {
 EO_INDEX
 }
 
+configure_webmail_pf()
+{
+	_pf_etc="$ZFS_DATA_MNT/webmail/etc/pf.conf.d"
+
+	if [ "$TOASTER_WEBMAIL_PROXY" = "nginx" ]; then
+		store_config "$_pf_etc/rdr.conf" <<EO_HTTP_RDR
+int_ip4 = "$(get_jail_ip webmail)"
+int_ip6 = "$(get_jail_ip6 webmail)"
+
+rdr inet  proto tcp from any to <ext_ip4> port { 80 443 } -> \$int_ip4
+rdr inet6 proto tcp from any to <ext_ip6> port { 80 443 } -> \$int_ip6
+EO_HTTP_RDR
+	fi
+
+	store_config "$_pf_etc/allow.conf" <<EO_HTTP_ALLOW
+int_ip4 = "$(get_jail_ip webmail)"
+int_ip6 = "$(get_jail_ip6 webmail)"
+
+table <webmail_int> persist { \$int_ip4, \$int_ip6 }
+
+pass in quick proto tcp from any to <ext_ip> port { 80 443 }
+pass in quick proto tcp from any to <webmail_int> port { 80 443 }
+EO_HTTP_ALLOW
+}
+
 configure_webmail()
 {
 	if [ "$WEBMAIL_HTTPD" = "lighttpd" ]; then
@@ -282,10 +395,11 @@ configure_webmail()
 		configure_nginx_server
 	fi
 
-	_htdocs="$ZFS_DATA_MNT/webmail/htdocs"
-	if [ ! -d "$_htdocs" ]; then
-	   mkdir -p "$_htdocs"
-	fi
+	configure_webmail_pf
+
+	_data="$ZFS_DATA_MNT/webmail"
+	_htdocs="$_data/htdocs"
+	if [ ! -d "$_htdocs" ]; then mkdir -p "$_htdocs"; fi
 
 	if [ -f "$_htdocs/index.html" ]; then
 		tell_status "backing up index.html"