diff --git a/bundles/dovecot/files/dovecot-sql.conf b/bundles/dovecot/files/dovecot-sql.conf
deleted file mode 100644
index 8f26825..0000000
--- a/bundles/dovecot/files/dovecot-sql.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-connect = host=${host} dbname=${name} user=${user} password=${password}
-driver = pgsql
-default_pass_scheme = ARGON2ID
-
-user_query = SELECT '/var/vmail/%u' AS home, 'vmail' AS uid, 'vmail' AS gid
-
-iterate_query = SELECT CONCAT(users.name, '@', domains.name) AS user \
-  FROM users \
-  LEFT JOIN domains ON users.domain_id = domains.id \
-  WHERE redirect IS NULL
-
-password_query = SELECT CONCAT(users.name, '@', domains.name) AS user, password \
-  FROM users \
-  LEFT JOIN domains ON users.domain_id = domains.id \
-  WHERE redirect IS NULL \
-  AND users.name = SPLIT_PART('%u', '@', 1) \
-  AND domains.name = SPLIT_PART('%u', '@', 2)
diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf
index 2051535..bfcfb74 100644
--- a/bundles/dovecot/files/dovecot.conf
+++ b/bundles/dovecot/files/dovecot.conf
@@ -1,13 +1,17 @@
+dovecot_config_version = ${config_version}
+dovecot_storage_version = ${storage_version}
+
 protocols = imap lmtp sieve
 auth_mechanisms = plain login
-mail_privileged_group = mail
 ssl = required
-ssl_cert = </var/lib/dehydrated/certs/${node.metadata.get('mailserver/hostname')}/fullchain.pem
-ssl_key = </var/lib/dehydrated/certs/${node.metadata.get('mailserver/hostname')}/privkey.pem
-ssl_dh = </etc/dovecot/dhparam.pem
+ssl_server_cert_file = /var/lib/dehydrated/certs/${hostname}/fullchain.pem
+ssl_server_key_file = /var/lib/dehydrated/certs/${hostname}/privkey.pem
+ssl_server_dh_file = /etc/dovecot/dhparam.pem
 ssl_client_ca_dir = /etc/ssl/certs
-mail_location = maildir:${node.metadata.get('mailserver/maildir')}/%u:INDEX=${node.metadata.get('mailserver/maildir')}/index/%u
-mail_plugins = fts fts_xapian
+mail_driver     = maildir
+mail_path       = ${maildir}/%{user}
+mail_index_path = ${maildir}/index/%{user}
+mail_plugins = fts fts_flatcurve
 
 namespace inbox {
   inbox = yes
@@ -30,14 +34,46 @@ namespace inbox {
   }
 }
 
-passdb {
-  driver = sql
-  args = /etc/dovecot/dovecot-sql.conf
+# postgres passdb userdb
+
+sql_driver = pgsql
+
+pgsql main {
+  parameters {
+    host     = ${db_host}
+    dbname   = ${db_name}
+    user     = ${db_user}
+    password = ${db_password}
+  }
 }
-# use sql for userdb too, to enable iterate_query
-userdb {
-  driver = sql
-  args = /etc/dovecot/dovecot-sql.conf
+
+passdb sql {
+  passdb_default_password_scheme = ARGON2ID
+
+  query = SELECT \
+            CONCAT(users.name, '@', domains.name) AS "user", \
+            password \
+          FROM users \
+          LEFT JOIN domains ON users.domain_id = domains.id \
+          WHERE redirect IS NULL \
+            AND users.name   = SPLIT_PART('%{user}', '@', 1) \
+            AND domains.name = SPLIT_PART('%{user}', '@', 2)
+}
+
+mail_uid = vmail
+mail_gid = vmail
+
+userdb sql {
+  query = SELECT \
+            '/var/vmail/%{user}' AS home, \
+            'vmail'              AS uid, \
+            'vmail'              AS gid
+
+  iterate_query = SELECT \
+                    CONCAT(users.name, '@', domains.name) AS username \
+                  FROM users \
+                  LEFT JOIN domains ON users.domain_id = domains.id \
+                  WHERE redirect IS NULL
 }
 
 service auth {
@@ -67,10 +103,9 @@ service stats {
   }
 }
 service managesieve-login {
-  inet_listener sieve {
-  }
-  process_min_avail = 0
-  service_count = 1
+  #inet_listener sieve {}
+  process_min_avail = 1
+  process_limit = 1
   vsz_limit = 64 M
 }
 service managesieve {
@@ -78,31 +113,53 @@ service managesieve {
 }
 
 protocol imap {
-   mail_plugins = $mail_plugins imap_sieve
-   mail_max_userip_connections = 50
-   imap_idle_notify_interval = 29 mins
+  mail_plugins = fts fts_flatcurve imap_sieve
+  mail_max_userip_connections = 50
+  imap_idle_notify_interval = 29 mins
 }
 protocol lmtp {
-   mail_plugins = $mail_plugins sieve
+  mail_plugins = fts fts_flatcurve sieve
 }
-protocol sieve {
-  plugin {
-    sieve = /var/vmail/sieve/%u.sieve
-    sieve_storage = /var/vmail/sieve/%u/
-  }
+
+# Persönliches Skript (deine alte Datei /var/vmail/sieve/%u.sieve)
+sieve_script personal {
+  driver      = file
+  # Verzeichnis mit (evtl. mehreren) Sieve-Skripten des Users
+  path        = /var/vmail/sieve/%{user}/
+  # Aktives Skript (entspricht früher "sieve = /var/vmail/sieve/%u.sieve")
+  active_path = /var/vmail/sieve/%{user}.sieve
+}
+
+# Globales After-Skript (dein früheres "sieve_after = …")
+sieve_script after {
+  type   = after
+  driver = file
+  path   = /var/vmail/sieve/global/spam-to-folder.sieve
 }
 
 # fulltext search
-plugin {
-    fts = xapian
-    fts_xapian = partial=3 full=20 verbose=0
-    fts_autoindex = yes
-    fts_enforced = yes
-    # Index attachements
-    fts_decoder = decode2text
+language en {
 }
+language de {
+  default = yes
+}
+language_tokenizers =  generic email-address
+
+fts flatcurve {
+  substring_search = yes
+  # rotate_count     = 5000   # DB-Rotation nach X Mails
+  # rotate_time      = 5s     # oder zeitbasiert rotieren
+  # optimize_limit   = 10
+  # min_term_size    = 3
+}
+
+fts_autoindex = yes
+fts_decoder_driver = script
+fts_decoder_script_socket_path = decode2text
+
 service indexer-worker {
-    vsz_limit = ${indexer_ram}
+  process_limit = ${indexer_cores}
+  vsz_limit = ${indexer_ram}M
 }
 service decode2text {
     executable = script /usr/local/libexec/dovecot/decode2text.sh
@@ -112,24 +169,39 @@ service decode2text {
     }
 }
 
-# spam filter
-plugin {
-  sieve_plugins = sieve_imapsieve sieve_extprograms
-  sieve_dir = /var/vmail/sieve/%u/
-  sieve = /var/vmail/sieve/%u.sieve
-  sieve_pipe_bin_dir = /var/vmail/sieve/bin
-  sieve_extensions = +vnd.dovecot.pipe
-
-  sieve_after = /var/vmail/sieve/global/spam-to-folder.sieve
-
-  # From elsewhere to Spam folder
-  imapsieve_mailbox1_name = Junk
-  imapsieve_mailbox1_causes = COPY
-  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
-
-  # From Spam folder to elsewhere
-  imapsieve_mailbox2_name = *
-  imapsieve_mailbox2_from = Junk
-  imapsieve_mailbox2_causes = COPY
-  imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
+mailbox Junk {
+  sieve_script learn_spam {
+    driver = file
+    type   = before
+    cause  = copy
+    path   = /var/vmail/sieve/global/learn-spam.sieve
+  }
 }
+
+imapsieve_from Junk {
+  sieve_script learn_ham {
+    driver = file
+    type   = before
+    cause  = copy
+    path   = /var/vmail/sieve/global/learn-ham.sieve
+  }
+}
+
+# Extprograms-Plugin einschalten
+sieve_plugins {
+  sieve_extprograms = yes
+}
+
+# Welche Sieve-Erweiterungen dürfen genutzt werden?
+# Empfehlung: nur global erlauben (nicht in User-Skripten):
+sieve_global_extensions {
+  vnd.dovecot.pipe = yes
+  # vnd.dovecot.filter = yes      # nur falls gebraucht
+  # vnd.dovecot.execute = yes     # nur falls gebraucht
+}
+
+# Verzeichnis mit deinen Skripten/Binaries für :pipe
+sieve_pipe_bin_dir = /var/vmail/sieve/bin
+# (optional, analog für :filter / :execute)
+# sieve_filter_bin_dir  = /var/vmail/sieve/filter
+# sieve_execute_bin_dir = /var/vmail/sieve/execute
\ No newline at end of file
diff --git a/bundles/dovecot/items.py b/bundles/dovecot/items.py
index de1791f..daf1429 100644
--- a/bundles/dovecot/items.py
+++ b/bundles/dovecot/items.py
@@ -44,6 +44,16 @@ files = {
         'context': {
             'admin_email': node.metadata.get('mailserver/admin_email'),
             'indexer_ram': node.metadata.get('dovecot/indexer_ram'),
+            'config_version': node.metadata.get('dovecot/config_version'),
+            'storage_version': node.metadata.get('dovecot/storage_version'),
+            'maildir': node.metadata.get('mailserver/maildir'),
+            'hostname': node.metadata.get('mailserver/hostname'),
+            'db_host': node.metadata.get('mailserver/database/host'),
+            'db_name': node.metadata.get('mailserver/database/name'),
+            'db_user': node.metadata.get('mailserver/database/user'),
+            'db_password': node.metadata.get('mailserver/database/password'),
+            'indexer_cores': node.metadata.get('vm/cores'),
+            'indexer_ram': node.metadata.get('vm/ram')//2,
         },
         'needs': {
             'pkg_apt:'
@@ -52,29 +62,9 @@ files = {
             'svc_systemd:dovecot:restart',
         },
     },
-    '/etc/dovecot/dovecot-sql.conf': {
-        'content_type': 'mako',
-        'context': node.metadata.get('mailserver/database'),
-        'needs': {
-            'pkg_apt:'
-        },
-        'triggers': {
-            'svc_systemd:dovecot:restart',
-        },
-    },
     '/etc/dovecot/dhparam.pem': {
         'content_type': 'any',
     },
-    '/etc/dovecot/dovecot-sql.conf': {
-        'content_type': 'mako',
-        'context': node.metadata.get('mailserver/database'),
-        'needs': {
-            'pkg_apt:'
-        },
-        'triggers': {
-            'svc_systemd:dovecot:restart',
-        },
-    },
     '/var/vmail/sieve/global/spam-to-folder.sieve': {
         'owner': 'vmail',
         'group': 'vmail',
@@ -131,7 +121,6 @@ svc_systemd = {
             'action:letsencrypt_update_certificates',
             'action:dovecot_generate_dhparam',
             'file:/etc/dovecot/dovecot.conf',
-            'file:/etc/dovecot/dovecot-sql.conf',
         },
     },
 }
diff --git a/bundles/dovecot/metadata.py b/bundles/dovecot/metadata.py
index 65344e4..f0f5e1a 100644
--- a/bundles/dovecot/metadata.py
+++ b/bundles/dovecot/metadata.py
@@ -8,7 +8,7 @@ defaults = {
             'dovecot-sieve':        {},
             'dovecot-managesieved': {},
             # fulltext search
-            'dovecot-fts-xapian':   {}, # buster-backports
+            'dovecot-flatcurve':    {}, # buster-backports
             'poppler-utils':        {}, # pdftotext
             'catdoc':               {}, # catdoc, catppt, xls2csv
         },
diff --git a/bundles/mailserver/metadata.py b/bundles/mailserver/metadata.py
index e32c492..bc82537 100644
--- a/bundles/mailserver/metadata.py
+++ b/bundles/mailserver/metadata.py
@@ -32,10 +32,14 @@ defaults = {
             'tank/vmail': {
                 'mountpoint': '/var/vmail',
                 'compression': 'on',
+                'atime': 'off',
+                'recordsize': '16384',
             },
             'tank/vmail/index': {
                 'mountpoint': '/var/vmail/index',
                 'compression': 'on',
+                'atime': 'off',
+                'recordsize': '4096',
                 'com.sun:auto-snapshot': 'false',
                 'backup': False,
             },
diff --git a/bundles/redis/items.py b/bundles/redis/items.py
index 12b8a6e..3192d5e 100644
--- a/bundles/redis/items.py
+++ b/bundles/redis/items.py
@@ -9,6 +9,7 @@ directories = {
     },
     '/var/lib/redis': {
         'owner': 'redis',
+        'group': 'redis',
         'mode': '0750',
         'needs': [
             'pkg_apt:redis-server',
diff --git a/bundles/roundcube/files/config.inc.php b/bundles/roundcube/files/config.inc.php
index 8ab67d1..c4bba77 100644
--- a/bundles/roundcube/files/config.inc.php
+++ b/bundles/roundcube/files/config.inc.php
@@ -7,18 +7,16 @@ $config['enable_installer'] = true;
 /* Local configuration for Roundcube Webmail */
 
 $config['db_dsnw'] = '${database['provider']}://${database['user']}:${database['password']}@${database['host']}/${database['name']}';
-$config['imap_host'] = 'localhost';
+$config['imap_host'] = 'ssl://${imap_host}';
+$config['imap_port'] = 993;
 $config['smtp_host'] = 'tls://localhost';
+$config['smtp_port'] = 587;
 $config['smtp_user'] = '%u';
 $config['smtp_pass'] = '%p';
+#$config['imap_debug'] = true;
+#$config['smtp_debug'] = true;
 $config['support_url'] = '';
 $config['des_key'] = '${des_key}';
 $config['product_name'] = '${product_name}';
 $config['plugins'] = array(${', '.join(f'"{plugin}"' for plugin in plugins)});
 $config['language'] = 'de_DE';
-$config['smtp_conn_options'] = array(
-   'ssl' => array(
-   'verify_peer' => false,
-   'verify_peer_name' => false,
-  ),
-);
diff --git a/bundles/roundcube/items.py b/bundles/roundcube/items.py
index cbe8487..8a8e1cc 100644
--- a/bundles/roundcube/items.py
+++ b/bundles/roundcube/items.py
@@ -61,6 +61,7 @@ files['/opt/roundcube/config/config.inc.php'] = {
         'des_key': node.metadata.get('roundcube/des_key'),
         'database': node.metadata.get('roundcube/database'),
         'plugins': node.metadata.get('roundcube/plugins'),
+        'imap_host': node.metadata.get('mailserver/hostname'),
     },
     'needs': [
         'action:chown_roundcube',
diff --git a/bundles/systemd-swap/metadata.py b/bundles/systemd-swap/metadata.py
index 0a2b735..286fdde 100644
--- a/bundles/systemd-swap/metadata.py
+++ b/bundles/systemd-swap/metadata.py
@@ -1,5 +1,5 @@
 defaults = {
-    'systemd-swap': 2*10**9,
+    'systemd-swap': 2*(2**30), # 2GiB
     'systemd': {
         'units': {
             'swapfile.swap': {
diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py
index a00a874..cbbda44 100644
--- a/nodes/htz.mails.py
+++ b/nodes/htz.mails.py
@@ -2,7 +2,7 @@
     'hostname': '49.12.184.229',
     'groups': [
         'backup',
-        'debian-12',
+        'debian-13',
         'hetzner-cloud',
         'mailserver',
         'monitored',
@@ -18,6 +18,7 @@
         #'nginx-rtmps',
         'wireguard',
         'zfs',
+        'systemd-swap',
     ],
     'metadata': {
         'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
@@ -34,6 +35,7 @@
                 'gateway6': 'fe80::1',
             }
         },
+        'systemd-swap': 4*2**30, # clamav alleine braucht 1,3G
         'bind': {
             'hostname': 'resolver.name',
             'acme_zone': 'acme.sublimity.de',
@@ -108,6 +110,10 @@
                 'elimu-kwanza.de',
             },
         },
+        'dovecot': {
+            'config_version': '2.4.1',
+            'storage_version': '2.4.1',
+        },
         'rspamd': {
             'hostname': 'rspamd.sublimity.de',
         },
@@ -162,7 +168,7 @@
         },
         'roundcube': {
             'product_name': 'Sublimity Mail',
-            'version': '1.6.7',
+            'version': '1.6.11',
             'installer': False,
         },
         'vm': {