diff --git a/.htaccess b/.htaccess
index 4421654aa..46cac62c4 100644
--- a/.htaccess
+++ b/.htaccess
@@ -28,7 +28,7 @@ FileETag MTime Size
 
 <IfModule mod_autoindex.c>
 Options -Indexes
-</ifModule>
+</IfModule>
 
 <IfModule mod_headers.c>
 # Disable page indexing
diff --git a/CHANGELOG b/CHANGELOG
index 68fa8b349..80543659b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,27 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Removed referer_check option (#6440)
+- Update to TinyMCE 4.8.2
+- Plugin API: Added 'raise_error' hook (#6199)
+- Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
+- Password: Added 'modoboa' driver (#6361)
+- Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436)
+- Password: Fix bug where new users could skip forced password change (#6434)
+- Elastic: Improved UX of search dialogs (#6416)
+- Elastic: Fix unwanted thread expanding when selecting a collapsed thread in non-mobile mode (#6445)
+- Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433)
+- Fix style/navigation on error page depending on authentication state (#6362)
+- Fix so invalid smtp_helo_host is never used, fallback to localhost (#6408)
+- Fix custom logo size in Elastic (#6424)
+- Fix listing the same attachment multiple times on forwarded messages
+- Fix compatibility with MySQL 8 - error on 'system' table use
+- Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
+- New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
+- Fix support for "allow-from <uri>" in "x_frame_options" config option (#6449)
+
+RELEASE 1.4-beta
+----------------
 - Added new skin with mobile support - the Elastic
 - Support Redis cache
 - Email Resent (Bounce) feature (#4985)
@@ -90,6 +111,15 @@ CHANGELOG Roundcube Webmail
 - Fix touch event issue on messages list in IE/Edge (#5781)
 - Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
 - Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
+- Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
+- Fix so fallback from BINARY to BODY FETCH is used also on [PARSE] errors in dovecot 2.3 (#6383)
+- Enigma: Fix deleting keys with authentication subkeys (#6381)
+- Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
+- Fix so Classic skin splitter does not escape out of window (#6397)
+- Fix XSS issue in handling invalid style tag content (#6410)
+
+RELEASE 1.3.7
+-------------
 - Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
 - Fix bug where some parts of quota information could have been ignored (#6280)
 - Fix bug where some escape sequences in html styles could bypass security checks
diff --git a/INSTALL b/INSTALL
index aab83e65f..9c62bbb14 100644
--- a/INSTALL
+++ b/INSTALL
@@ -33,6 +33,7 @@ REQUIREMENTS
    - session.auto_start disabled
    - suhosin.session.encrypt disabled
    - mbstring.func_overload disabled
+   - pcre.backtrack_limit >= 100000
 * A MySQL, PostgreSQL, MS SQL Server (2005 or newer), Oracle database
   or SQLite support in PHP - with permission to create tables
 * Composer installed either locally or globally (https://getcomposer.org)
diff --git a/README.md b/README.md
index 1638b895e..3cb9246c7 100644
--- a/README.md
+++ b/README.md
@@ -25,8 +25,8 @@ which are pure XHTML and CSS 2.
 The code is mainly written in PHP and is designed to run on a webserver.
 It includes other open-source classes/libraries from [PEAR][pear],
 an IMAP library derived from [IlohaMail][iloha] the [TinyMCE][tinymce] rich
-text editor, [Googiespell][googiespell] library for spell checking or
-the [WASHTML][washtml] sanitizer by Frederic Motte.
+text editor, [Googiespell][googiespell] (archive) library for spell checking or
+the [HTML5-PHP][html5-php] sanitizer by Masterminds.
 
 The current default skin 'Larry' was kindly created by FLINT / Büro für
 Gestaltung, Berne, Switzerland.
@@ -41,6 +41,19 @@ If you're updating an older version of Roundcube please follow the steps
 described in the UPGRADING file.
 
 
+BROWSER SUPPORT
+---------------
+Roundcube uses jQuery 3.x for its client and therefore inherits the browser
+support from there. This currently includes:
+
+- Chrome: (Current - 1) and Current
+- Edge: (Current - 1) and Current
+- Firefox: (Current - 1) and Current, ESR
+- Internet Explorer: 9+
+- Safari: (Current - 1) and Current
+- Opera: Current
+
+
 LICENSE
 -------
 This program is free software: you can redistribute it and/or modify
@@ -89,13 +102,12 @@ You're always welcome to send a message to the project admin:
 hello(at)roundcube(dot)net
 
 
-[pear]:         http://pear.php.net
-[iloha]:        http://sourceforge.net/projects/ilohamail/
-[tinymce]:      http://www.tinymce.com/
-[googiespell]:  http://orangoo.com/labs/GoogieSpell/
-[washtml]:      http://www.ubixis.com/washtml/
-[kmgerich]:     http://kmgerich.com/
-[gpl]:          http://www.gnu.org/licenses/
+[pear]:         https://pear.php.net/
+[iloha]:        https://sourceforge.net/projects/ilohamail/
+[tinymce]:      https://www.tiny.cloud/
+[googiespell]:  https://web.archive.org/web/20170314162746/orangoo.com/labs/GoogieSpell/
+[html5-php]:    https://github.com/Masterminds/html5-php
+[gpl]:          https://www.gnu.org/licenses/
 [license]:      https://roundcube.net/license
 [contrib]:      https://roundcube.net/contribute
 [support]:      https://roundcube.net/support
diff --git a/SQL/mysql.initial.sql b/SQL/mysql.initial.sql
index f3b81029c..d3a9f731d 100644
--- a/SQL/mysql.initial.sql
+++ b/SQL/mysql.initial.sql
@@ -222,4 +222,4 @@ CREATE TABLE `system` (
 
 /*!40014 SET FOREIGN_KEY_CHECKS=1 */;
 
-INSERT INTO system (name, value) VALUES ('roundcube-version', '2018021600');
+INSERT INTO `system` (`name`, `value`) VALUES ('roundcube-version', '2018021600');
diff --git a/SQL/postgres.initial.sql b/SQL/postgres.initial.sql
index 5fda9e7ff..3ced2e78a 100644
--- a/SQL/postgres.initial.sql
+++ b/SQL/postgres.initial.sql
@@ -313,4 +313,4 @@ CREATE TABLE "system" (
     value text
 );
 
-INSERT INTO system (name, value) VALUES ('roundcube-version', '2018021600');
+INSERT INTO "system" (name, value) VALUES ('roundcube-version', '2018021600');
diff --git a/composer.json-dist b/composer.json-dist
index 5874c0c41..97d0f4abd 100644
--- a/composer.json-dist
+++ b/composer.json-dist
@@ -15,7 +15,7 @@
         "pear/auth_sasl": "~1.1.0",
         "pear/net_idna2": "~0.2.0",
         "pear/mail_mime": "~1.10.0",
-        "pear/net_smtp": "~1.7.1",
+        "pear/net_smtp": "~1.8.0",
         "pear/crypt_gpg": "~1.6.3",
         "pear/net_sieve": "~1.4.3",
         "roundcube/plugin-installer": "~0.1.6",
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index aa337615c..312a7ec35 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -1,11 +1,15 @@
 <?php
 
+// ---------------------------------------------------------------------
+// WARNING: Do not edit this file! Copy configuration to config.inc.php.
+// ---------------------------------------------------------------------
+
 /*
  +-----------------------------------------------------------------------+
- | Main configuration file with default settings                         |
+ | Default settings for all configuration options                        |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
- | Copyright (C) 2005-2013, The Roundcube Dev Team                       |
+ | Copyright (C) 2005-2018, The Roundcube Dev Team                       |
  |                                                                       |
  | Licensed under the GNU General Public License version 3 or            |
  | any later version with exceptions for skins & plugins.                |
@@ -493,9 +497,6 @@ $config['trusted_host_patterns'] = array();
 // check client IP in session authorization
 $config['ip_check'] = false;
 
-// check referer of incoming requests
-$config['referer_check'] = false;
-
 // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
 // Possible values: sameorigin|deny|allow-from <uri>.
 // Set to false in order to disable sending the header.
diff --git a/jsdeps.json b/jsdeps.json
index 6b62c4a66..c7e11cd2b 100644
--- a/jsdeps.json
+++ b/jsdeps.json
@@ -36,10 +36,10 @@
     },
     {
       "lib": "tinymce",
-      "version": "4.7.13",
+      "version": "4.8.2",
       "url": "http://download.ephox.com/tinymce/community/tinymce_$v.zip",
       "dest": "program/js",
-      "sha1": "7f988f3899aebee6d49bd55e981331da07eee6c5",
+      "sha1": "d7fced05acdeeb78299585ea9909b0de2b3d759d",
       "license": "LGPL",
       "copyright": "Copyright (c) 1999-2015 Ephox Corp. All rights reserved",
       "rm": "program/js/tinymce",
@@ -56,7 +56,7 @@
     },
     {
       "lib": "tinymce-langs",
-      "version": "4.7.13",
+      "version": "4.8.2",
       "url": "https://tinymce-services.azurewebsites.net/1/i18n/download?langs=ar,hy,az,eu,be,bs,bg_BG,ca,zh_CN,zh_TW,hr,cs,cs_CZ,da,nl,en_CA,en_GB,eo,et,fo,fi,fr_FR,fr_CH,gd,gl,ka_GE,de,de_AT,el,he_IL,hi_IN,hu_HU,is_IS,id,ga,it,ja,kab,km_KH,ko_KR,ku,ku_IQ,lv,lt,lb,mk_MK,ml_IN,nb_NO,oc,fa,fa_IR,pl,pt_BR,pt_PT,ro,ru,sk,sl_SI,es,es_MX,sv_SE,tg,ta,ta_IN,tt,th_TH,tr,tr_TR,ug,uk,uk_UA,vi,vi_VN,cy&extension=.zip",
       "dest": "program/js/tinymce"
     },
@@ -88,10 +88,10 @@
     {
       "lib": "bootstrap",
       "name": "Bootstrap",
-      "version": "4.1.0",
+      "version": "4.1.2",
       "url": "https://github.com/twbs/bootstrap/releases/download/v$v/bootstrap-$v-dist.zip",
       "dest": "skins/elastic/deps",
-      "sha1": "90abd51cf27a3dc4823eed6c1de620725f068b6c",
+      "sha1": "d43982739f8f2bb05ef2a2fa55c358ce7e30a72b",
       "license": "MIT",
       "flat": true,
       "map": {
diff --git a/plugins/enigma/enigma.php b/plugins/enigma/enigma.php
index cab792676..5a5bbc03d 100644
--- a/plugins/enigma/enigma.php
+++ b/plugins/enigma/enigma.php
@@ -442,15 +442,14 @@ class enigma extends rcube_plugin
             // find private keys for this identity
             if ($p['record']['email']) {
                 $listing = array();
-                $engine = $this->load_engine();
-                $keys = (array)$engine->list_keys($p['record']['email']);
+                $engine  = $this->load_engine();
+                $keys    = (array)$engine->list_keys($p['record']['email']);
 
                 foreach ($keys as $key) {
                     if ($key->get_type() === enigma_key::TYPE_KEYPAIR) {
                         $listing[] = html::tag('li', null,
-                            html::tag('span', 'identity', html::quote($key->name)) .
-                            ' ' .
                             html::tag('strong', 'uid', html::quote($key->id))
+                            . ' ' . html::tag('span', 'identity', html::quote($key->name))
                         );
                     }
                 }
@@ -464,16 +463,12 @@ class enigma extends rcube_plugin
             }
 
             // add button linking to enigma key management
-            $content .= html::p(
-                null,
-                html::a(
-                    array(
-                        'class' => 'button',
-                        'href' => $this->rc->url(array('action' => 'plugin.enigmakeys')),
-                        'target' => '_parent',
-                    ),
-                    $this->gettext('managekeys'))
+            $button_attr = array(
+                'class'  => 'button',
+                'href'   => $this->rc->url(array('action' => 'plugin.enigmakeys')),
+                'target' => '_parent',
             );
+            $content .= html::p(null, html::a($button_attr, $this->gettext('managekeys')));
 
             // rename class to avoid Mailvelope key management to kick in
             $p['form']['encryption']['attrs'] = array('class' => 'enigma-identity-encryption');
diff --git a/plugins/enigma/lib/enigma_driver_gnupg.php b/plugins/enigma/lib/enigma_driver_gnupg.php
index 74e206c53..5e02297fb 100644
--- a/plugins/enigma/lib/enigma_driver_gnupg.php
+++ b/plugins/enigma/lib/enigma_driver_gnupg.php
@@ -388,13 +388,10 @@ class enigma_driver_gnupg extends enigma_driver
             }
             // need to delete private key first
             else if ($code == enigma_error::DELKEY) {
-                $key = $this->get_key($keyid);
-                for ($i = count($key->subkeys) - 1; $i >= 0; $i--) {
-                    $type = ($key->subkeys[$i]->usage & enigma_key::CAN_ENCRYPT) ? 'priv' : 'pub';
-                    $result = $this->{'delete_' . $type . 'key'}($key->subkeys[$i]->id);
-                    if ($result !== true) {
-                        break;
-                    }
+                $result = $this->delete_privkey($keyid);
+
+                if ($result === true) {
+                    $result = $this->delete_pubkey($keyid);
                 }
             }
         }
diff --git a/plugins/enigma/lib/enigma_ui.php b/plugins/enigma/lib/enigma_ui.php
index 7c0867cf0..447804a9f 100644
--- a/plugins/enigma/lib/enigma_ui.php
+++ b/plugins/enigma/lib/enigma_ui.php
@@ -1119,6 +1119,11 @@ class enigma_ui
      */
     function message_ready($p)
     {
+        // The message might have been already encrypted by Mailvelope
+        if (strpos($p['message']->getParam('ctype'), 'multipart/encrypted') === 0) {
+            return $p;
+        }
+
         $savedraft      = !empty($_POST['_draft']) && empty($_GET['_saveonly']);
         $sign_enable    = (bool) rcube_utils::get_input_value('_enigma_sign', rcube_utils::INPUT_POST);
         $encrypt_enable = (bool) rcube_utils::get_input_value('_enigma_encrypt', rcube_utils::INPUT_POST);
diff --git a/plugins/enigma/skins/elastic/templates/keys.html b/plugins/enigma/skins/elastic/templates/keys.html
index 6f2667add..4dd498581 100644
--- a/plugins/enigma/skins/elastic/templates/keys.html
+++ b/plugins/enigma/skins/elastic/templates/keys.html
@@ -14,7 +14,8 @@
 	<roundcube:object name="searchform" id="keysearch" wrapper="searchbar toolbar"
 		label="keysearchform" buttontitle="findkeys" ariatag="h2" />
 	<div class="scroller">
-		<roundcube:object name="keyslist" id="keys-table" class="listing" role="listbox" noheader="true" data-list="keys_list" />
+		<roundcube:object name="keyslist" id="keys-table" class="listing" role="listbox" noheader="true"
+		data-list="keys_list"data-label-msg="listempty" />
 	</div>
 	<div class="pagenav footer toolbar small" role="toolbar">
 		<roundcube:button command="firstpage" type="link"
diff --git a/plugins/krb_authentication/krb_authentication.php b/plugins/krb_authentication/krb_authentication.php
index 57e10136a..66a3581ad 100644
--- a/plugins/krb_authentication/krb_authentication.php
+++ b/plugins/krb_authentication/krb_authentication.php
@@ -114,6 +114,9 @@ class krb_authentication extends rcube_plugin
     function managesieve_connect($args)
     {
         if ((!isset($args['auth_type']) || $args['auth_type'] == 'GSSAPI') && !empty($_SERVER['REMOTE_USER']) && !empty($_SERVER['KRB5CCNAME'])) {
+            // Load plugin's config file
+            $this->load_config();
+
             $rcmail  = rcmail::get_instance();
             $context = $rcmail->config->get('krb_authentication_context');
 
diff --git a/plugins/managesieve/Changelog b/plugins/managesieve/Changelog
index 7f5f37ea8..ee94ca07c 100644
--- a/plugins/managesieve/Changelog
+++ b/plugins/managesieve/Changelog
@@ -1,3 +1,6 @@
+- Added support for 'editheader' extension - RFC5293 (#5954)
+- Fix bug where show_real_foldernames setting wasn't respected (#6422)
+
 * version 9.1 [2018-05-19]
 -----------------------------------------------------------
 - Added GSSAPI support (#5779)
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve.php b/plugins/managesieve/lib/Roundcube/rcube_sieve.php
index 6c751696a..fb610e8da 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve.php
@@ -313,14 +313,10 @@ class rcube_sieve
 
         if ($this->script) {
             $supported = $this->script->get_extensions();
-            foreach ($ext as $idx => $ext_name) {
-                if (!in_array($ext_name, $supported)) {
-                    unset($ext[$idx]);
-                }
-            }
+            $ext       = array_values(array_intersect($ext, $supported));
         }
 
-        return array_values($ext);
+        return $ext;
     }
 
     /**
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
index 599e6e77c..067dbc017 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
@@ -688,6 +688,15 @@ class rcube_sieve_engine
             $notifymessages = rcube_utils::get_input_value('_action_notifymessage', rcube_utils::INPUT_POST, true);
             $notifyfrom     = rcube_utils::get_input_value('_action_notifyfrom', rcube_utils::INPUT_POST);
             $notifyimp      = rcube_utils::get_input_value('_action_notifyimportance', rcube_utils::INPUT_POST);
+            $addheader_name  = rcube_utils::get_input_value('_action_addheader_name', rcube_utils::INPUT_POST);
+            $addheader_value = rcube_utils::get_input_value('_action_addheader_value', rcube_utils::INPUT_POST, true);
+            $addheader_pos   = rcube_utils::get_input_value('_action_addheader_pos', rcube_utils::INPUT_POST);
+            $delheader_name  = rcube_utils::get_input_value('_action_delheader_name', rcube_utils::INPUT_POST);
+            $delheader_value = rcube_utils::get_input_value('_action_delheader_value', rcube_utils::INPUT_POST, true);
+            $delheader_pos   = rcube_utils::get_input_value('_action_delheader_pos', rcube_utils::INPUT_POST);
+            $delheader_index = rcube_utils::get_input_value('_action_delheader_index', rcube_utils::INPUT_POST);
+            $delheader_op    = rcube_utils::get_input_value('_action_delheader_op', rcube_utils::INPUT_POST);
+            $delheader_comp  = rcube_utils::get_input_value('_action_delheader_comp', rcube_utils::INPUT_POST);
 
             // we need a "hack" for radiobuttons
             foreach ($sizeitems as $item)
@@ -1091,6 +1100,47 @@ class rcube_sieve_engine
                     $this->form['actions'][$i]['target'] = $_target;
                     break;
 
+                case 'addheader':
+                case 'deleteheader':
+                    $this->form['actions'][$i]['name']  = trim($type == 'addheader' ? $addheader_name[$idx] : $delheader_name[$idx]);
+                    $this->form['actions'][$i]['value'] = $type == 'addheader' ? $addheader_value[$idx] : $delheader_value[$idx];
+                    $this->form['actions'][$i]['last']  = ($type == 'addheader' ? $addheader_pos[$idx] : $delheader_pos[$idx]) == 'last';
+
+                    if (empty($this->form['actions'][$i]['name'])) {
+                        $this->errors['actions'][$i]['name'] = $this->plugin->gettext('cannotbeempty');
+                    }
+                    else if (!preg_match('/^[0-9a-z_-]+$/i', $this->form['actions'][$i]['name'])) {
+                        $this->errors['actions'][$i]['name'] = $this->plugin->gettext('forbiddenchars');
+                    }
+
+                    if ($type == 'deleteheader') {
+                        foreach ((array) $this->form['actions'][$i]['value'] as $pidx => $pattern) {
+                            if (empty($pattern)) {
+                                unset($this->form['actions'][$i]['value'][$pidx]);
+                            }
+                        }
+
+                        $this->form['actions'][$i]['match-type'] = $delheader_op[$idx];
+                        $this->form['actions'][$i]['comparator'] = $delheader_comp[$idx];
+                        $this->form['actions'][$i]['index']      = $delheader_index[$idx];
+
+                        if (empty($this->form['actions'][$i]['index'])) {
+                            if (!empty($this->form['actions'][$i]['last'])) {
+                                $this->errors['actions'][$i]['index'] = $this->plugin->gettext('lastindexempty');
+                            }
+                        }
+                        else if (!preg_match('/^[0-9]+$/i', $this->form['actions'][$i]['index'])) {
+                            $this->errors['actions'][$i]['index'] = $this->plugin->gettext('forbiddenchars');
+                        }
+                    }
+                    else {
+                        if (empty($this->form['actions'][$i]['value'])) {
+                            $this->errors['actions'][$i]['value'] = $this->plugin->gettext('cannotbeempty');
+                        }
+                    }
+
+                    break;
+
                 case 'vacation':
                     $reason        = $this->strip_value($reasons[$idx]);
                     $interval_type = $interval_types[$idx] == 'seconds' ? 'seconds' : 'days';
@@ -1714,38 +1764,6 @@ class rcube_sieve_engine
         $aout .= $this->list_input($id, 'custom_var', $customv, isset($customv),
             $this->error_class($id, 'test', 'header', 'custom_var'), 15) . "\n";
 
-        // matching type select (operator)
-        $select_op = new html_select(array('name' => "_rule_op[]", 'id' => 'rule_op'.$id,
-            'style' => 'display:' .(!in_array($rule['test'], array('size', 'duplicate')) ? 'inline' : 'none'),
-            'class' => 'operator_selector',
-            'onchange' => 'rule_op_select(this, '.$id.')'));
-        $select_op->add(rcube::Q($this->plugin->gettext('filtercontains')), 'contains');
-        $select_op->add(rcube::Q($this->plugin->gettext('filternotcontains')), 'notcontains');
-        $select_op->add(rcube::Q($this->plugin->gettext('filteris')), 'is');
-        $select_op->add(rcube::Q($this->plugin->gettext('filterisnot')), 'notis');
-        $select_op->add(rcube::Q($this->plugin->gettext('filterexists')), 'exists');
-        $select_op->add(rcube::Q($this->plugin->gettext('filternotexists')), 'notexists');
-        $select_op->add(rcube::Q($this->plugin->gettext('filtermatches')), 'matches');
-        $select_op->add(rcube::Q($this->plugin->gettext('filternotmatches')), 'notmatches');
-        if (in_array('regex', $this->exts)) {
-            $select_op->add(rcube::Q($this->plugin->gettext('filterregex')), 'regex');
-            $select_op->add(rcube::Q($this->plugin->gettext('filternotregex')), 'notregex');
-        }
-        if (in_array('relational', $this->exts)) {
-            $select_op->add(rcube::Q($this->plugin->gettext('countisgreaterthan')), 'count-gt');
-            $select_op->add(rcube::Q($this->plugin->gettext('countisgreaterthanequal')), 'count-ge');
-            $select_op->add(rcube::Q($this->plugin->gettext('countislessthan')), 'count-lt');
-            $select_op->add(rcube::Q($this->plugin->gettext('countislessthanequal')), 'count-le');
-            $select_op->add(rcube::Q($this->plugin->gettext('countequals')), 'count-eq');
-            $select_op->add(rcube::Q($this->plugin->gettext('countnotequals')), 'count-ne');
-            $select_op->add(rcube::Q($this->plugin->gettext('valueisgreaterthan')), 'value-gt');
-            $select_op->add(rcube::Q($this->plugin->gettext('valueisgreaterthanequal')), 'value-ge');
-            $select_op->add(rcube::Q($this->plugin->gettext('valueislessthan')), 'value-lt');
-            $select_op->add(rcube::Q($this->plugin->gettext('valueislessthanequal')), 'value-le');
-            $select_op->add(rcube::Q($this->plugin->gettext('valueequals')), 'value-eq');
-            $select_op->add(rcube::Q($this->plugin->gettext('valuenotequals')), 'value-ne');
-        }
-
         $test   = self::rule_test($rule);
         $target = '';
 
@@ -1796,7 +1814,7 @@ class rcube_sieve_engine
             $tout .= $select_msg->show($test);
         }
 
-        $tout .= $select_op->show($test);
+        $tout .= $this->match_type_selector('rule_op', $id, $test, $rule['test']);
         $tout .= $this->list_input($id, 'rule_target', $target,
             $rule['test'] != 'size' && $rule['test'] != 'exists' && $rule['test'] != 'duplicate',
             $this->error_class($id, 'test', 'target', 'rule_target')) . "\n";
@@ -1854,18 +1872,10 @@ class rcube_sieve_engine
         $mout .= '</div>';
 
         // Advanced modifiers (comparators)
-        $select_comp = new html_select(array('name' => "_rule_comp[]", 'id' => 'rule_comp_op'.$id));
-        $select_comp->add(rcube::Q($this->plugin->gettext('default')), '');
-        $select_comp->add(rcube::Q($this->plugin->gettext('octet')), 'i;octet');
-        $select_comp->add(rcube::Q($this->plugin->gettext('asciicasemap')), 'i;ascii-casemap');
-        if (in_array('comparator-i;ascii-numeric', $this->exts)) {
-            $select_comp->add(rcube::Q($this->plugin->gettext('asciinumeric')), 'i;ascii-numeric');
-        }
-
         $need_comp = $rule['test'] != 'size' && $rule['test'] != 'duplicate';
         $mout .= '<div id="rule_comp' .$id. '" class="adv input-group"' . (!$need_comp ? ' style="display:none"' : '') . '>';
         $mout .= html::span('label input-group-prepend', html::span('input-group-text', rcube::Q($this->plugin->gettext('comparator'))));
-        $mout .= $select_comp->show($rule['comparator']);
+        $mout .= $this->comparator_selector($rule['comparator'], 'rule_comp', $id);
         $mout .= '</div>';
 
         // Advanced modifiers (mime)
@@ -2096,32 +2106,36 @@ class rcube_sieve_engine
         $select_action = new html_select(array('name' => "_action_type[$id]", 'id' => 'action_type'.$id,
             'onchange' => 'action_type_select(' .$id .')'));
         if (in_array('fileinto', $this->exts))
-            $select_action->add(rcube::Q($this->plugin->gettext('messagemoveto')), 'fileinto');
+            $select_action->add($this->plugin->gettext('messagemoveto'), 'fileinto');
         if (in_array('fileinto', $this->exts) && in_array('copy', $this->exts))
-            $select_action->add(rcube::Q($this->plugin->gettext('messagecopyto')), 'fileinto_copy');
-        $select_action->add(rcube::Q($this->plugin->gettext('messageredirect')), 'redirect');
+            $select_action->add($this->plugin->gettext('messagecopyto'), 'fileinto_copy');
+        $select_action->add($this->plugin->gettext('messageredirect'), 'redirect');
         if (in_array('copy', $this->exts))
-            $select_action->add(rcube::Q($this->plugin->gettext('messagesendcopy')), 'redirect_copy');
+            $select_action->add($this->plugin->gettext('messagesendcopy'), 'redirect_copy');
         if (in_array('reject', $this->exts))
-            $select_action->add(rcube::Q($this->plugin->gettext('messagediscard')), 'reject');
+            $select_action->add($this->plugin->gettext('messagediscard'), 'reject');
         else if (in_array('ereject', $this->exts))
-            $select_action->add(rcube::Q($this->plugin->gettext('messagediscard')), 'ereject');
+            $select_action->add($this->plugin->gettext('messagediscard'), 'ereject');
         if (in_array('vacation', $this->exts))
-            $select_action->add(rcube::Q($this->plugin->gettext('messagereply')), 'vacation');
-        $select_action->add(rcube::Q($this->plugin->gettext('messagedelete')), 'discard');
+            $select_action->add($this->plugin->gettext('messagereply'), 'vacation');
+        $select_action->add($this->plugin->gettext('messagedelete'), 'discard');
         if (in_array('imapflags', $this->exts) || in_array('imap4flags', $this->exts)) {
-            $select_action->add(rcube::Q($this->plugin->gettext('setflags')), 'setflag');
-            $select_action->add(rcube::Q($this->plugin->gettext('addflags')), 'addflag');
-            $select_action->add(rcube::Q($this->plugin->gettext('removeflags')), 'removeflag');
+            $select_action->add($this->plugin->gettext('setflags'), 'setflag');
+            $select_action->add($this->plugin->gettext('addflags'), 'addflag');
+            $select_action->add($this->plugin->gettext('removeflags'), 'removeflag');
+        }
+        if (in_array('editheader', $this->exts)) {
+            $select_action->add($this->plugin->gettext('addheader'), 'addheader');
+            $select_action->add($this->plugin->gettext('deleteheader'), 'deleteheader');
         }
         if (in_array('variables', $this->exts)) {
-            $select_action->add(rcube::Q($this->plugin->gettext('setvariable')), 'set');
+            $select_action->add($this->plugin->gettext('setvariable'), 'set');
         }
         if (in_array('enotify', $this->exts) || in_array('notify', $this->exts)) {
-            $select_action->add(rcube::Q($this->plugin->gettext('notify')), 'notify');
+            $select_action->add($this->plugin->gettext('notify'), 'notify');
         }
-        $select_action->add(rcube::Q($this->plugin->gettext('messagekeep')), 'keep');
-        $select_action->add(rcube::Q($this->plugin->gettext('rulestop')), 'stop');
+        $select_action->add($this->plugin->gettext('messagekeep'), 'keep');
+        $select_action->add($this->plugin->gettext('rulestop'), 'stop');
 
         $select_type = $action['type'];
         if (in_array($action['type'], array('fileinto', 'redirect')) && $action['copy']) {
@@ -2190,7 +2204,7 @@ class rcube_sieve_engine
             }
         }
 
-        $out .= '<div id="action_vacation' .$id.'" style="display:' .($action['type']=='vacation' ? 'inline' : 'none') .'">';
+        $out .= '<div id="action_vacation' .$id.'" style="display:' .($action['type']=='vacation' ? 'inline' : 'none') .'" class="composite">';
         $out .= '<span class="label">'. rcube::Q($this->plugin->gettext('vacationreason')) .'</span><br>';
         $out .= html::tag('textarea', array(
                 'name'  => '_action_reason[' . $id . ']',
@@ -2353,7 +2367,7 @@ class rcube_sieve_engine
         }
 
         // @TODO: nice UI for mailto: (other methods too) URI parameters
-        $out .= '<div id="action_notify' .$id.'" style="display:' .($action['type'] == 'notify' ? 'inline' : 'none') .'">';
+        $out .= '<div id="action_notify' .$id.'" style="display:' .($action['type'] == 'notify' ? 'inline' : 'none') .'" class="composite">';
         $out .= '<span class="label">' .rcube::Q($this->plugin->gettext('notifytarget')) . '</span><br>';
         $out .= '<div class="input-group">';
         $out .= $select_method->show($method);
@@ -2393,6 +2407,85 @@ class rcube_sieve_engine
                 $this->error_class($id, 'action', 'options', 'action_notifyoption'), 30) . '</div>';
         $out .= '</div>';
 
+        if (in_array('editheader', $this->exts)) {
+            $action['pos'] = $action['last'] ? 'last' : '';
+            $pos1_selector = new html_select(array(
+                    'name'  => "_action_addheader_pos[$id]",
+                    'id'    => "action_addheader_pos$id",
+                    'class' => $this->error_class($id, 'action', 'pos', 'action_addheader_pos')
+            ));
+            $pos1_selector->add($this->plugin->gettext('headeratstart'), '');
+            $pos1_selector->add($this->plugin->gettext('headeratend'), 'last');
+            $pos2_selector = new html_select(array(
+                    'name'  => "_action_delheader_pos[$id]",
+                    'id'    => "action_delheader_pos$id",
+                    'class' => $this->error_class($id, 'action', 'pos', 'action_delheader_pos')
+            ));
+            $pos2_selector->add($this->plugin->gettext('headerfromstart'), '');
+            $pos2_selector->add($this->plugin->gettext('headerfromend'), 'last');
+
+            // addheader
+            $out .= '<div id="action_addheader' .$id.'" style="display:' .($action['type'] == 'addheader' ? 'inline' : 'none') .'" class="composite">';
+            $out .= '<label class="label" for="action_addheader_name' . $id .'">' .rcube::Q($this->plugin->gettext('headername')) . '</label><br>';
+            $out .= html::tag('input', array(
+                    'type'  => 'text',
+                    'name'  => '_action_addheader_name[' . $id . ']',
+                    'id'    => 'action_addheader_name' . $id,
+                    'value' => $action['name'],
+                    'size'  => 35,
+                    'class' => $this->error_class($id, 'action', 'name', 'action_addheader_name'),
+                ));
+            $out .= '<br><label class="label" for="action_addheader_value' . $id .'">'. rcube::Q($this->plugin->gettext('headervalue')) .'</label><br>';
+            $out .= html::tag('input', array(
+                    'type'  => 'text',
+                    'name'  => '_action_addheader_value[' . $id . ']',
+                    'id'    => 'action_addheader_value' . $id,
+                    'value' => $action['value'],
+                    'size'  => 35,
+                    'class' => $this->error_class($id, 'action', 'value', 'action_addheader_value'),
+                ));
+            $out .= '<br><label class="label" for="action_addheader_pos' . $id .'">'. rcube::Q($this->plugin->gettext('headerpos')) .'</label><br>';
+            $out .= $pos1_selector->show($action['pos']);
+            $out .= '</div>';
+
+            // deleteheader
+            $out .= '<div id="action_deleteheader' .$id.'" style="display:' .($action['type'] == 'deleteheader' ? 'inline' : 'none') .'" class="composite">';
+            $out .= '<label class="label" for="action_delheader_name' . $id .'">' .rcube::Q($this->plugin->gettext('headername')) . '</label><br>';
+            $out .= html::tag('input', array(
+                    'type'  => 'text',
+                    'name'  => '_action_delheader_name[' . $id . ']',
+                    'id'    => 'action_delheader_name' . $id,
+                    'value' => $action['name'],
+                    'size'  => 35,
+                    'class' => $this->error_class($id, 'action', 'name', 'action_delheader_name'),
+                ));
+            $out .= '<br><label class="label" for="action_delheader_value' . $id .'">'. rcube::Q($this->plugin->gettext('headerpatterns')) .'</label><br>';
+            $out .= $this->list_input($id, 'action_delheader_value', $action['value'], true,
+                $this->error_class($id, 'action', 'value', 'action_delheader_value')) . "\n";
+            $out .= '<br><div class="adv input-group">';
+            $out .= html::span('label input-group-prepend', html::label(array(
+                    'class' => 'input-group-text', 'for' => 'action_delheader_op'.$id), rcube::Q($this->plugin->gettext('headermatchtype'))));
+            $out .= $this->match_type_selector('action_delheader_op', $id, $action['match-type'], null, 'basic');
+            $out .= '</div>';
+            $out .= '<div class="adv input-group">';
+            $out .= html::span('label input-group-prepend', html::label(array(
+                    'class' => 'input-group-text', 'for' => 'action_delheader_comp_op'.$id), rcube::Q($this->plugin->gettext('comparator'))));
+            $out .= $this->comparator_selector($action['comparator'], 'action_delheader_comp', $id);
+            $out .= '</div>';
+            $out .= '<br><label class="label" for="action_delheader_index' . $id .'">'. rcube::Q($this->plugin->gettext('headeroccurrence')) .'</label><br>';
+            $out .= '<div class="input-group">';
+            $out .= html::tag('input', array(
+                    'type'  => 'text',
+                    'name'  => '_action_delheader_index[' . $id . ']',
+                    'id'    => 'action_delheader_index' . $id,
+                    'value' => $action['index'] ? intval($action['index']) : '',
+                    'size'  => 5,
+                    'class' => $this->error_class($id, 'action', 'index', 'action_delheader_index'),
+                ));
+            $out .= ' ' . $pos2_selector->show($action['pos']);
+            $out .= '</div></div>';
+        }
+
         // mailbox select
         if ($action['type'] == 'fileinto') {
             // make sure non-existing (or unsubscribed) mailbox is listed (#1489956)
@@ -2405,7 +2498,6 @@ class rcube_sieve_engine
         }
 
         $select = $this->rc->folder_selector(array(
-            'realnames'  => false,
             'maxlength'  => 100,
             'id'         => 'action_mailbox' . $id,
             'name'       => "_action_mailbox[$id]",
@@ -2935,4 +3027,63 @@ class rcube_sieve_engine
 
         return $headers;
     }
+
+    /**
+     * Match type selector
+     */
+    protected function match_type_selector($name, $id, $test, $rule = null, $mode = 'all')
+    {
+        // matching type select (operator)
+        $select_op = new html_select(array(
+                'name'     => "_{$name}[]",
+                'id'       => "{$name}{$id}",
+                'style'    => 'display:' .(!in_array($rule, array('size', 'duplicate')) ? 'inline' : 'none'),
+                'class'    => 'operator_selector',
+                'onchange' => "{$name}_select(this, '{$id}')",
+        ));
+
+        $select_op->add(rcube::Q($this->plugin->gettext('filtercontains')), 'contains');
+        $select_op->add(rcube::Q($this->plugin->gettext('filternotcontains')), 'notcontains');
+        $select_op->add(rcube::Q($this->plugin->gettext('filteris')), 'is');
+        $select_op->add(rcube::Q($this->plugin->gettext('filterisnot')), 'notis');
+        if ($mode == 'all') {
+            $select_op->add(rcube::Q($this->plugin->gettext('filterexists')), 'exists');
+            $select_op->add(rcube::Q($this->plugin->gettext('filternotexists')), 'notexists');
+        }
+        $select_op->add(rcube::Q($this->plugin->gettext('filtermatches')), 'matches');
+        $select_op->add(rcube::Q($this->plugin->gettext('filternotmatches')), 'notmatches');
+        if (in_array('regex', $this->exts)) {
+            $select_op->add(rcube::Q($this->plugin->gettext('filterregex')), 'regex');
+            $select_op->add(rcube::Q($this->plugin->gettext('filternotregex')), 'notregex');
+        }
+        if ($mode == 'all' && in_array('relational', $this->exts)) {
+            $select_op->add(rcube::Q($this->plugin->gettext('countisgreaterthan')), 'count-gt');
+            $select_op->add(rcube::Q($this->plugin->gettext('countisgreaterthanequal')), 'count-ge');
+            $select_op->add(rcube::Q($this->plugin->gettext('countislessthan')), 'count-lt');
+            $select_op->add(rcube::Q($this->plugin->gettext('countislessthanequal')), 'count-le');
+            $select_op->add(rcube::Q($this->plugin->gettext('countequals')), 'count-eq');
+            $select_op->add(rcube::Q($this->plugin->gettext('countnotequals')), 'count-ne');
+            $select_op->add(rcube::Q($this->plugin->gettext('valueisgreaterthan')), 'value-gt');
+            $select_op->add(rcube::Q($this->plugin->gettext('valueisgreaterthanequal')), 'value-ge');
+            $select_op->add(rcube::Q($this->plugin->gettext('valueislessthan')), 'value-lt');
+            $select_op->add(rcube::Q($this->plugin->gettext('valueislessthanequal')), 'value-le');
+            $select_op->add(rcube::Q($this->plugin->gettext('valueequals')), 'value-eq');
+            $select_op->add(rcube::Q($this->plugin->gettext('valuenotequals')), 'value-ne');
+        }
+
+        return $select_op->show($test);
+    }
+
+    protected function comparator_selector($comparator, $name, $id)
+    {
+        $select_comp = new html_select(array('name' => "_{$name}[]", 'id' => "{$name}_op{$id}"));
+        $select_comp->add(rcube::Q($this->plugin->gettext('default')), '');
+        $select_comp->add(rcube::Q($this->plugin->gettext('octet')), 'i;octet');
+        $select_comp->add(rcube::Q($this->plugin->gettext('asciicasemap')), 'i;ascii-casemap');
+        if (in_array('comparator-i;ascii-numeric', $this->exts)) {
+            $select_comp->add(rcube::Q($this->plugin->gettext('asciinumeric')), 'i;ascii-numeric');
+        }
+
+        return $select_comp->show($comparator);
+    }
 }
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_forward.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_forward.php
index 9ca3a011a..967cb1622 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_forward.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_forward.php
@@ -312,7 +312,7 @@ class rcube_sieve_forward extends rcube_sieve_engine
         $table = new html_table(array('cols' => 2));
 
         $table->add('title', html::label('forward_action', $this->plugin->gettext('forward.action')));
-        $table->add('forward', $action->show($this->forward['action']) . ' ' . $action_target);
+        $table->add('forward input-group input-group-combo', $action->show($this->forward['action']) . ' ' . $action_target);
 
         $table->add('title', html::label('forward_status', $this->plugin->gettext('forward.status')));
         $table->add(null, $status->show(!isset($this->forward['disabled']) || $this->forward['disabled'] ? 'off' : 'on'));
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php
index 369f1da9d..fdfbf6e25 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php
@@ -31,6 +31,7 @@ class rcube_sieve_script
         'copy',                     // RFC3894
         'date',                     // RFC5260
         'duplicate',                // RFC7352
+        'editheader',               // RFC5293
         'enotify',                  // RFC5435
         'envelope',                 // RFC5228
         'ereject',                  // RFC5429
@@ -422,6 +423,26 @@ class rcube_sieve_script
                             . self::escape_string($action['target']);
                         break;
 
+                    case 'addheader':
+                    case 'deleteheader':
+                        array_push($exts, 'editheader');
+                        $action_script .= $action['type'];
+                        if (!empty($action['index'])) {
+                            $action_script .= " :index " . intval($action['index']);
+                        }
+                        if (!empty($action['last']) && (!empty($action['index']) || $action['type'] == 'addheader')) {
+                            $action_script .= " :last";
+                        }
+                        if ($action['type'] == 'deleteheader') {
+                            $action['type'] = $action['match-type'];
+                            $this->add_operator($action, $action_script, $exts);
+                        }
+                        $action_script .= " " . self::escape_string($action['name']);
+                        if ((is_string($action['value']) && strlen($action['value']) > 0) || (is_array($action['value']) && !empty($action['value']))) {
+                            $action_script .= " " . self::escape_string($action['value']);
+                        }
+                        break;
+
                     case 'keep':
                     case 'discard':
                     case 'stop':
@@ -908,6 +929,21 @@ class rcube_sieve_script
                 $result[] = $action;
                 break;
 
+            case 'addheader':
+            case 'deleteheader':
+                $args = $this->test_tokens($tokens);
+                if ($token == 'deleteheader') {
+                    $args['match-type'] = $args['type'];
+                }
+                if (($index = array_search(':last', $tokens)) !== false) {
+                    $args['last'] = true;
+                    unset($tokens[$index]);
+                }
+                $action = array('type' => $token, 'name' => array_shift($tokens), 'value' => array_shift($tokens));
+
+                $result[] = $action + $args;
+                break;
+
             case 'reject':
             case 'ereject':
             case 'setflag':
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php
index 1cca437c2..5fcbfb3f0 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php
@@ -381,7 +381,7 @@ class rcube_sieve_vacation extends rcube_sieve_engine
         if ($this->rc->config->get('managesieve_vacation') != 2 && !empty($this->vacation['list'])) {
             $after = new html_select(array('name' => 'vacation_after', 'id' => 'vacation_after'));
 
-            $after->add('', '');
+            $after->add('---', '');
             foreach ($this->vacation['list'] as $idx => $rule) {
                 $after->add($rule, $idx);
             }
@@ -461,7 +461,7 @@ class rcube_sieve_vacation extends rcube_sieve_engine
         }
 
         // redirect target
-        $action_target = ' <span id="action_target_span" class="input-group" style="display:' . ($redirect ? 'inline' : 'none') . '">'
+        $action_target = ' <span id="action_target_span" class="input-group"' . (!$redirect ? ' style="display:none"' : '') . '>'
             . '<input type="text" name="action_target" id="action_target"'
             . ' value="' .($redirect ? rcube::Q($this->vacation['target'], 'strict', false) : '') . '"'
             . (!empty($domains) ? ' size="20"' : ' size="35"') . '/>'
@@ -505,7 +505,7 @@ class rcube_sieve_vacation extends rcube_sieve_engine
         }
 
         $table->add('title', html::label('vacation_action', $this->plugin->gettext('vacation.action')));
-        $table->add('vacation', $action->show($this->vacation['action']) . $action_target);
+        $table->add('vacation input-group input-group-combo', $action->show($this->vacation['action']) . $action_target);
 
         $out .= html::tag('fieldset', $class, html::tag('legend', null, $this->plugin->gettext('vacation.advanced')) . $table->show($attrib));
 
diff --git a/plugins/managesieve/localization/en_US.inc b/plugins/managesieve/localization/en_US.inc
index 3fa9d89c8..3814d237a 100644
--- a/plugins/managesieve/localization/en_US.inc
+++ b/plugins/managesieve/localization/en_US.inc
@@ -113,6 +113,18 @@ $labels['flagdeleted'] = 'Deleted';
 $labels['flaganswered'] = 'Answered';
 $labels['flagflagged'] = 'Flagged';
 $labels['flagdraft'] = 'Draft';
+$labels['addheader'] = 'Add header to the message';
+$labels['deleteheader'] = 'Remove header from the message';
+$labels['headername'] = 'Header name';
+$labels['headervalue'] = 'Header value';
+$labels['headerpos'] = 'Header position';
+$labels['headeratstart'] = 'at the beginning';
+$labels['headeratend'] = 'at the end';
+$labels['headeroccurrence'] = 'Header occurrence/position';
+$labels['headerfromstart'] = 'from start';
+$labels['headerfromend'] = 'from end';
+$labels['headerpatterns'] = 'Header value patterns';
+$labels['headermatchtype'] = 'match type:';
 $labels['setvariable'] = 'Set variable';
 $labels['setvarname'] = 'Variable name:';
 $labels['setvarvalue'] = 'Variable value:';
@@ -264,5 +276,6 @@ $messages['forwardsaved'] = 'Forward data saved successfully.';
 $messages['emptyvacationbody'] = 'Body of vacation message is required!';
 $messages['duplicate.conflict.err'] = 'Both header and unique identifier are not allowed.';
 $messages['disabledaction'] = 'Action not permitted.';
+$messages['lastindexempty'] = 'Index is required when counting from end';
 
 ?>
diff --git a/plugins/managesieve/managesieve.js b/plugins/managesieve/managesieve.js
index 6aad573e9..6775bb6c8 100644
--- a/plugins/managesieve/managesieve.js
+++ b/plugins/managesieve/managesieve.js
@@ -766,7 +766,9 @@ function action_type_select(id)
       vacation: document.getElementById('action_vacation' + id),
       forward: document.getElementById('action_forward' + id),
       set: document.getElementById('action_set' + id),
-      notify: document.getElementById('action_notify' + id)
+      notify: document.getElementById('action_notify' + id),
+      addheader: document.getElementById('action_addheader' + id),
+      deleteheader: document.getElementById('action_deleteheader' + id)
     };
 
   if (v == 'fileinto' || v == 'fileinto_copy') {
@@ -781,17 +783,8 @@ function action_type_select(id)
   else if (v.match(/^(add|set|remove)flag$/)) {
     enabled.flags = 1;
   }
-  else if (v == 'vacation') {
-    enabled.vacation = 1;
-  }
-  else if (v == 'forward') {
-    enabled.forward = 1;
-  }
-  else if (v == 'set') {
-    enabled.set = 1;
-  }
-  else if (v == 'notify') {
-    enabled.notify = 1;
+  else if (v.match(/^(vacation|forward|set|notify|addheader|deleteheader)$/)) {
+    enabled[v] = 1;
   }
 
   for (var x in elems) {
diff --git a/plugins/managesieve/skins/classic/managesieve.css b/plugins/managesieve/skins/classic/managesieve.css
index cc4b6c07b..fdf80f683 100644
--- a/plugins/managesieve/skins/classic/managesieve.css
+++ b/plugins/managesieve/skins/classic/managesieve.css
@@ -244,12 +244,6 @@ td.rowtargets div.adv input
   margin-bottom: 1px;
 }
 
-html.mozilla #filter-form select
-{
-  padding-top: 3px;
-  padding-bottom: 3px;
-}
-
 input.disabled, input.disabled:hover
 {
   color: #999999;
diff --git a/plugins/managesieve/tests/src/parser_editheader b/plugins/managesieve/tests/src/parser_editheader
new file mode 100644
index 000000000..ed713a53e
--- /dev/null
+++ b/plugins/managesieve/tests/src/parser_editheader
@@ -0,0 +1,36 @@
+require ["editheader"];
+# rule:[test-addheader1]
+if true
+{
+	addheader "X-Sieve-Filtered" "<test@test.com>";
+}
+# rule:[test-addheader2]
+if not header :contains "X-Sieve-Filtered" "<test@test.com>"
+{
+	addheader :last "X-Sieve-Filtered" "<test@test.com>";
+}
+# rule:[test-deleteheader1]
+if true
+{
+	deleteheader :index 1 :contains "Delivered-To" ["bob@example.com","test@test.com"];
+}
+# rule:[test-deleteheader2]
+if true
+{
+	deleteheader :index 2 :last :contains :comparator "i;octet" "Delivered-To" "test@test.com";
+}
+# rule:[test-deleteheader3]
+if true
+{
+	deleteheader "Delivered-To";
+}
+# rule:[test-deleteheader4]
+if true
+{
+	deleteheader :index 3 :last :contains "Delivered-To";
+}
+# rule:[test-deleteheader5]
+if true
+{
+	deleteheader "Delivered-To" "test";
+}
diff --git a/plugins/new_user_identity/new_user_identity.php b/plugins/new_user_identity/new_user_identity.php
index 8c686ede0..1c56466ea 100644
--- a/plugins/new_user_identity/new_user_identity.php
+++ b/plugins/new_user_identity/new_user_identity.php
@@ -26,7 +26,7 @@ class new_user_identity extends rcube_plugin
 
     function lookup_user_name($args)
     {
-        if ($this->init_ldap($args['host'])) {
+        if ($this->init_ldap($args['host'], $args['user'])) {
             $results = $this->ldap->search('*', $args['user'], true);
 
             if (count($results->records) == 1) {
@@ -96,7 +96,7 @@ class new_user_identity extends rcube_plugin
         return $args;
     }
 
-    private function init_ldap($host)
+    private function init_ldap($host, $user)
     {
         if ($this->ldap) {
             return $this->ldap->ready;
@@ -112,11 +112,17 @@ class new_user_identity extends rcube_plugin
             return false;
         }
 
-        $this->ldap = new new_user_identity_ldap_backend(
-            $ldap_config[$addressbook],
-            $this->rc->config->get('ldap_debug'),
-            $this->rc->config->mail_domain($host),
-            $match);
+        $debug  = $this->rc->config->get('ldap_debug');
+        $domain = $this->rc->config->mail_domain($host);
+        $props  = $ldap_config[$addressbook];
+
+        // Set 'username' prop for correct variables substitution (#6419)
+        $props['username'] = $user;
+        if (!strpos($user, '@')) {
+            $props['username'] .= '@' . $domain;
+        }
+
+        $this->ldap = new new_user_identity_ldap_backend($props, $debug, $domain, $match);
 
         return $this->ldap->ready;
     }
diff --git a/plugins/password/README b/plugins/password/README
index 675e69baf..769f42959 100644
--- a/plugins/password/README
+++ b/plugins/password/README
@@ -46,6 +46,7 @@
  2.19. Vpopmail daemon (vpopmaild)
  2.20. Plesk (Plesk RPC-API)
  2.21. Kpasswd
+ 2.22. Modoboa
  3. Driver API
  4. Sudo setup
 
@@ -355,13 +356,20 @@
  Set the RPC-Path in $config['password_plesk_rpc_path']. Normally this is: enterprise/control/agent.php.
 
 
- 2.21.  Kpasswd
+ 2.21. Kpasswd
  -----------------------------------
 
  Driver to change the password in Kerberos environments via the 'kpasswd' command.
  See config.inc.php.dist file for configuration description.
 
 
+ 2.22. Modoboa
+ -----------------------------------
+
+ Driver to change the password in Modoboa servers.
+ See config.inc.php.dist file for configuration description.
+
+
  3. Driver API
  -------------
 
diff --git a/plugins/password/composer.json b/plugins/password/composer.json
index 465f17c27..bed2c5574 100644
--- a/plugins/password/composer.json
+++ b/plugins/password/composer.json
@@ -3,7 +3,7 @@
     "type": "roundcube-plugin",
     "description": "Password Change for Roundcube. Plugin adds a possibility to change user password using many methods (drivers) via Settings/Password tab.",
     "license": "GPLv3+",
-    "version": "4.4",
+    "version": "4.5",
     "authors": [
         {
             "name": "Aleksander Machniak",
diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 5a23b4874..e6e1f736e 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -482,3 +482,8 @@ $config['password_plesk_rpc_path'] = 'enterprise/control/agent.php';
 // ---------------------
 // Command to use
 $config['password_kpasswd_cmd'] = '/usr/bin/kpasswd';
+
+// Modoboa Driver options
+// ---------------------
+// put token number from Modoboa server
+$config['password_modoboa_api_token'] = '';
diff --git a/plugins/password/drivers/modoboa.php b/plugins/password/drivers/modoboa.php
new file mode 100644
index 000000000..18ed0576a
--- /dev/null
+++ b/plugins/password/drivers/modoboa.php
@@ -0,0 +1,119 @@
+<?php
+
+/**
+ * Modoboa Password Driver
+ *
+ * Payload is json string containing username, oldPassword and newPassword
+ * Return value is a json string saying result: true if success.
+ *
+ * @version 1.0.1
+ * @author stephane @actionweb.fr
+ *
+ * Copyright (C) 2018, The Roundcube Dev Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ *
+ * The driver need modoboa core 1.10.6 or later 
+ *
+ * You need to define theses variables in plugin/password/config.inc.php
+ *
+ * $config['password_driver'] = 'modoboa'; // use modoboa as driver
+ * $config['password_modoboa_api_token'] = ''; // put token number from Modoboa server
+ * $config['password_minimum_length'] = 8; // select same number as in Modoboa server
+ */
+
+class rcube_modoboa_password
+{
+    function save($curpass, $passwd)
+    {
+        // Init config access
+        $rcmail           = rcmail::get_instance();
+        $ModoboaToken     = $rcmail->config->get('password_modoboa_api_token');
+        $RoudCubeUsername = $_SESSION['username'];
+        $IMAPhost         = $_SESSION['imap_host'];
+
+        // Call GET to fetch values from modoboa server
+        $curl = curl_init();
+
+        curl_setopt_array($curl, array(
+            CURLOPT_URL            => "https://" . $IMAPhost . "/api/v1/accounts/?search=" . urlencode($RoudCubeUsername),
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_ENCODING       => "",
+            CURLOPT_MAXREDIRS      => 10,
+            CURLOPT_TIMEOUT        => 30,
+            CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
+            CURLOPT_CUSTOMREQUEST  => "GET",
+            CURLOPT_HTTPHEADER     => array(
+                "Authorization: Token " . $ModoboaToken,
+                "Cache-Control: no-cache",
+                "Content-Type: application/json"
+            ),
+        ));
+
+        $response = curl_exec($curl);
+        $err      = curl_error($curl);
+
+        curl_close($curl);
+
+        if ($err) {
+            return PASSWORD_CONNECT_ERROR;
+        }
+
+        // Decode json string
+        $decoded = json_decode($response);
+
+        if (!is_array($decoded)) {
+            return PASSWORD_CONNECT_ERROR;
+        }
+
+        // Get user ID (pk)
+        $userid = $decoded[0]->pk;
+
+        // Encode json with new password
+        $ret['username'] = $decoded[0]->username;
+        $ret['role']     = $decoded[0]->role;
+        $ret['password'] = $passwd; // new password
+        $encoded         = json_encode($ret);
+
+        // Call HTTP API Modoboa
+        $curl = curl_init();
+
+        curl_setopt_array($curl, array(
+            CURLOPT_URL            => "https://" . $IMAPhost . "/api/v1/accounts/" . $userid . "/",
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_ENCODING       => "",
+            CURLOPT_MAXREDIRS      => 10,
+            CURLOPT_TIMEOUT        => 30,
+            CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
+            CURLOPT_CUSTOMREQUEST  => "PUT",
+            CURLOPT_POSTFIELDS     => "" . $encoded . "",
+            CURLOPT_HTTPHEADER     => array(
+                "Authorization: Token " . $ModoboaToken,
+                "Cache-Control: no-cache",
+                "Content-Type: application/json"
+            ),
+        ));
+
+        $response = curl_exec($curl);
+        $err      = curl_error($curl);
+
+        curl_close($curl);
+
+        if ($err) {
+            return PASSWORD_CONNECT_ERROR;
+        }
+
+        return PASSWORD_SUCCESS;
+    }
+}
diff --git a/plugins/password/password.php b/plugins/password/password.php
index c43e3aa64..5b9b384b8 100644
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@@ -41,7 +41,7 @@ define('PASSWORD_SUCCESS', 0);
  */
 class password extends rcube_plugin
 {
-    public $task    = 'settings|login';
+    public $task    = '?(?!logout).*';
     public $noframe = true;
     public $noajax  = true;
 
@@ -65,7 +65,14 @@ class password extends rcube_plugin
             $this->register_action('plugin.password', array($this, 'password_init'));
             $this->register_action('plugin.password-save', array($this, 'password_save'));
         }
-        else if ($rcmail->config->get('password_force_new_user')) {
+
+        if ($rcmail->config->get('password_force_new_user')) {
+            if ($rcmail->config->get('newuserpassword') && $this->check_host_login_exceptions()) {
+                if (!($rcmail->task == 'settings' && strpos($rcmail->action, 'plugin.password') === 0)) {
+                    $rcmail->output->command('redirect', '?_task=settings&_action=plugin.password&_first=1', false);
+                }
+            }
+
             $this->add_hook('user_create', array($this, 'user_create'));
             $this->add_hook('login_after', array($this, 'login_after'));
         }
@@ -179,6 +186,10 @@ class password extends rcube_plugin
                 // Reset session password
                 $_SESSION['password'] = $rcmail->encrypt($plugin['new_pass']);
 
+                if ($rcmail->config->get('newuserpassword')) {
+                    $rcmail->user->save_prefs(array('newuserpassword' => false));
+                }
+
                 // Log password change
                 if ($rcmail->config->get('password_log')) {
                     rcube::write_log('password', sprintf('Password changed for user %s (ID: %d) from %s',
@@ -375,6 +386,9 @@ class password extends rcube_plugin
     function login_after($args)
     {
         if ($this->newuser && $this->check_host_login_exceptions()) {
+            $rcmail = rcmail::get_instance();
+            $rcmail->user->save_prefs(array('newuserpassword' => true));
+
             $args['_task']   = 'settings';
             $args['_action'] = 'plugin.password';
             $args['_first']  = 'true';
@@ -428,12 +442,10 @@ class password extends rcube_plugin
         $rcmail = rcmail::get_instance();
         $prefix = '';
         $crypted = '';
-        $default = false;
 
         if (empty($method) || $method == 'default') {
             $method   = $rcmail->config->get('password_algorithm');
             $prefixed = $rcmail->config->get('password_algorithm_prefix');
-            $default  = true;
         }
         else if ($method == 'crypt') { // deprecated
             if (!($method = $rcmail->config->get('password_crypt_hash'))) {
@@ -622,7 +634,7 @@ class password extends rcube_plugin
                 return false;
             }
 
-            if (!$default) {
+            if (!$prefixed) {
                 $prefixed = (bool) $rcmail->config->get('password_dovecotpw_with_method');
             }
 
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index be44cf4cc..f823fab51 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -458,7 +458,7 @@ class rcmail extends rcube
 
         // add some basic labels to client
         $this->output->add_label('loading', 'servererror', 'connerror', 'requesttimedout',
-            'refreshing', 'windowopenerror', 'uploadingmany', 'close', 'save', 'cancel',
+            'refreshing', 'windowopenerror', 'uploadingmany', 'uploading', 'close', 'save', 'cancel',
             'alerttitle', 'confirmationtitle', 'delete', 'continue', 'ok');
 
         return $this->output;
@@ -926,12 +926,6 @@ class rcmail extends rcube
             $error = array('code' => 403, 'message' => "Request security check failed");
             self::raise_error($error, false, true);
         }
-
-        // check referer if configured
-        if ($this->config->get('referer_check') && !rcube_utils::check_referer()) {
-            $error = array('code' => 403, 'message' => "Referer check failed");
-            self::raise_error($error, true, true);
-        }
     }
 
     /**
diff --git a/program/include/rcmail_install.php b/program/include/rcmail_install.php
index df08db944..d8795dbb5 100644
--- a/program/include/rcmail_install.php
+++ b/program/include/rcmail_install.php
@@ -5,7 +5,7 @@
  | rcmail_install.php                                                    |
  |                                                                       |
  | This file is part of the Roundcube Webmail package                    |
- | Copyright (C) 2008-2016, The Roundcube Dev Team                       |
+ | Copyright (C) 2008-2018, The Roundcube Dev Team                       |
  |                                                                       |
  | Licensed under the GNU General Public License version 3 or            |
  | any later version with exceptions for skins & plugins.                |
@@ -33,7 +33,7 @@ class rcmail_install
     public $bool_config_props = array();
 
     public $local_config    = array('db_dsnw', 'default_host', 'support_url', 'des_key', 'plugins');
-    public $obsolete_config = array('db_backend', 'db_max_length', 'double_auth', 'preview_pane');
+    public $obsolete_config = array('db_backend', 'db_max_length', 'double_auth', 'preview_pane', 'debug_level', 'referer_check');
     public $replaced_config = array(
         'skin_path'            => 'skin',
         'locale_string'        => 'language',
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index ffec00c2e..41f2c808e 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -483,8 +483,26 @@ EOF;
     public function reset($all = false)
     {
         $framed = $this->framed;
+        $task   = $this->env['task'];
         $env    = $all ? null : array_intersect_key($this->env, array('extwin'=>1, 'framed'=>1));
 
+        // keep jQuery-UI files
+        $css_files = $script_files = array();
+
+        foreach ($this->css_files as $file) {
+            if (strpos($file, 'plugins/jqueryui') === 0) {
+                $css_files[] = $file;
+            }
+        }
+
+        foreach ($this->script_files as $position => $files) {
+            foreach ($files as $file) {
+                if (strpos($file, 'plugins/jqueryui') === 0) {
+                    $script_files[$position][] = $file;
+                }
+            }
+        }
+
         parent::reset();
 
         // let some env variables survive
@@ -492,16 +510,23 @@ EOF;
         $this->framed       = $framed || $this->env['framed'];
         $this->js_labels    = array();
         $this->js_commands  = array();
-        $this->script_files = array();
         $this->scripts      = array();
         $this->header       = '';
         $this->footer       = '';
         $this->body         = '';
+        $this->css_files    = array();
+        $this->script_files = array();
 
         // load defaults
         if (!$all) {
             $this->__construct();
         }
+
+        // Note: we merge jQuery-UI scripts after jQuery...
+        $this->css_files    = array_merge($this->css_files, $css_files);
+        $this->script_files = array_merge_recursive($this->script_files, $script_files);
+
+        $this->set_env('orig_task', $task);
     }
 
     /**
@@ -573,7 +598,8 @@ EOF;
 
         // if all js commands go to parent window we can ignore all
         // script files and skip rcube_webmail initialization (#1489792)
-        if ($framed) {
+        // but not on error pages where skins may need jQuery, etc.
+        if ($framed && empty($this->js_env['server_error'])) {
             $this->scripts      = array();
             $this->script_files = array();
             $this->header       = '';
@@ -588,7 +614,7 @@ EOF;
         // allow (legal) iframe content to be loaded
         $iframe = $this->framed || $this->env['framed'];
         if (!headers_sent() && $iframe && ($xopt = $this->app->config->get('x_frame_options', 'sameorigin'))) {
-            if (strtolower($xopt) != 'sameorigin') {
+            if (strtolower($xopt) === 'deny') {
                 header('X-Frame-Options: sameorigin', true);
             }
         }
@@ -1263,7 +1289,7 @@ EOF;
                     }
                 }
                 // execute object handler function
-                else if (function_exists($handler)) {
+                else if (is_callable($handler)) {
                     $this->prepare_object_attribs($attrib);
                     $content = call_user_func($handler, $attrib);
                 }
@@ -1649,11 +1675,11 @@ EOF;
      * Link an external script file
      *
      * @param string $file     File URL
-     * @param string $position Target position [head|foot]
+     * @param string $position Target position [head|head_bottom|foot]
      */
-    public function include_script($file, $position='head')
+    public function include_script($file, $position = 'head', $add_path = true)
     {
-        if (!preg_match('|^https?://|i', $file) && $file[0] != '/') {
+        if ($add_path && !preg_match('|^https?://|i', $file) && $file[0] != '/') {
             $file = $this->file_mod($this->scripts_path . $file);
         }
 
@@ -1742,6 +1768,19 @@ EOF;
             }
         }
 
+        $merge_script_files = function($output, $script) {
+            return $output . html::script($script);
+        };
+
+        $merge_scripts = function($output, $script) {
+            return $output . html::script(array(), $script);
+        };
+
+        // put docready commands into page footer
+        if (!empty($this->scripts['docready'])) {
+            $this->add_script('$(document).ready(function(){ ' . $this->scripts['docready'] . "\n});", 'foot');
+        }
+
         // replace specialchars in content
         $page_title  = html::quote($this->pagetitle);
         $page_header = '';
@@ -1757,40 +1796,15 @@ EOF;
             $page_header.= $this->charset . '" />'."\n";
         }
 
-        // definition of the code to be placed in the document header and footer
-        if (is_array($this->script_files['head'])) {
-            foreach ($this->script_files['head'] as $file) {
-                $page_header .= html::script($file);
-            }
-        }
-
-        $head_script = $this->scripts['head_top'] . $this->scripts['head'];
-        if (!empty($head_script)) {
-            $page_header .= html::script(array(), $head_script);
-        }
-
-        if (!empty($this->header)) {
-            $page_header .= $this->header;
-        }
-
-        // put docready commands into page footer
-        if (!empty($this->scripts['docready'])) {
-            $this->add_script('$(document).ready(function(){ ' . $this->scripts['docready'] . "\n});", 'foot');
-        }
-
-        if (is_array($this->script_files['foot'])) {
-            foreach ($this->script_files['foot'] as $file) {
-                $page_footer .= html::script($file);
-            }
-        }
-
-        if (!empty($this->footer)) {
-            $page_footer .= $this->footer . "\n";
-        }
+        // include scripts into header/footer
+        $page_header .= array_reduce((array) $this->script_files['head'], $merge_script_files);
+        $page_header .= array_reduce(array($this->scripts['head_top'] . $this->scripts['head']), $merge_scripts);
+        $page_header .= $this->header . "\n";
+        $page_header .= array_reduce((array) $this->script_files['head_bottom'], $merge_script_files);
 
-        if (!empty($this->scripts['foot'])) {
-            $page_footer .= html::script(array(), $this->scripts['foot']);
-        }
+        $page_footer .= array_reduce((array) $this->script_files['foot'], $merge_script_files);
+        $page_footer .= $this->footer . "\n";
+        $page_footer .= array_reduce((array) $this->scripts['foot'], $merge_scripts);
 
         // find page header
         if ($hpos = stripos($output, '</head>')) {
diff --git a/program/js/app.js b/program/js/app.js
index be071e7c7..2f0c3625f 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -1526,7 +1526,7 @@ function rcube_webmail()
 
     if (task == 'mail')
       url += '&_mbox=INBOX';
-    else if (task == 'logout' && !this.env.server_error) {
+    else if (task == 'logout') {
       url = this.secure_url(url);
       this.clear_compose_data();
     }
@@ -4109,8 +4109,8 @@ function rcube_webmail()
           var ul = $('<ul>').addClass('keylist').appendTo(content);
           $.each(private_keys, function(i, key) {
             $('<li>').appendTo(ul)
-              .append($('<span>').addClass('identity').text('<' + identity_email + '> '))
-              .append($('<strong>').addClass('fingerprint').text(String(key.fingerprint).toUpperCase()));
+              .append($('<strong>').addClass('fingerprint').text(String(key.fingerprint).toUpperCase()))
+              .append($('<span>').addClass('identity').text('<' + identity_email + '> '));
           });
         } else {
           $('<p>').text(ref.get_label('encryptionnoprivkeysinmailvelope')).appendTo(content);
@@ -9680,7 +9680,7 @@ function rcube_webmail()
 
     // catch Error: Permission denied to access property rcmail
     try {
-      if (win && !win.closed) {
+      if (win && !win.closed && win !== window) {
         // try parent of the opener window, e.g. preview frame
         if (deep && (!win.rcmail || win.rcmail.env.framed) && win.parent && win.parent.rcmail)
           win = win.parent;
@@ -10016,12 +10016,12 @@ function rcube_webmail()
 
 
 // some static methods
-rcube_webmail.long_subject_title = function(elem, indent)
+rcube_webmail.long_subject_title = function(elem, indent, text_elem)
 {
   if (!elem.title) {
-    var $elem = $(elem);
+    var $elem = $(text_elem || elem);
     if ($elem.width() + (indent || 0) * 15 > $elem.parent().width())
-      elem.title = rcube_webmail.subject_text(elem);
+      elem.title = rcube_webmail.subject_text($elem[0]);
   }
 };
 
diff --git a/program/js/editor.js b/program/js/editor.js
index 09b3de1d5..9ee78d628 100644
--- a/program/js/editor.js
+++ b/program/js/editor.js
@@ -39,7 +39,7 @@ function rcube_text_editor(config, id)
     abs_url = location.href.replace(/[?#].*$/, '').replace(/\/$/, ''),
     conf = {
       selector: '#' + ($('#' + id).is('.mce_editor') ? id : 'fake-editor-id'),
-      cache_suffix: 's=4071300',
+      cache_suffix: 's=4080200',
       theme: 'modern',
       language: config.lang,
       content_css: rcmail.assets_path('program/resources/tinymce/content.css'),
diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
index 011e4cbe3..736a7df5b 100644
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@@ -1303,6 +1303,7 @@ class rcube
      */
     public static function raise_error($arg = array(), $log = false, $terminate = false)
     {
+        // handle PHP exceptions
         if ($arg instanceof Exception) {
             $arg = array(
                 'code' => $arg->getCode(),
@@ -1328,6 +1329,13 @@ class rcube
 
         $cli = php_sapi_name() == 'cli';
 
+        $arg['cli'] = $cli;
+        $arg['log'] = $log;
+        $arg['terminate'] = $terminate;
+
+        // send error to external error tracking tool
+        $arg = self::$instance->plugins->exec_hook('raise_error', $arg);
+
         // installer
         if (!$cli && class_exists('rcmail_install', false)) {
             $rci = rcmail_install::get_instance();
@@ -1590,14 +1598,15 @@ class rcube
     /**
      * Send the given message using the configured method.
      *
-     * @param object $message   Reference to Mail_MIME object
-     * @param string $from      Sender address string
-     * @param array  $mailto    Array of recipient address strings
-     * @param array  $error     SMTP error array (reference)
-     * @param string $body_file Location of file with saved message body (reference),
-     *                          used when delay_file_io is enabled
-     * @param array  $options   SMTP options (e.g. DSN request)
-     * @param bool   $disconnect Close SMTP connection ASAP
+     * @param object       $message    Reference to Mail_MIME object
+     * @param string       $from       Sender address string
+     * @param array|string $mailto     Either a comma-separated list of recipients (RFC822 compliant),
+     *                                 or an array of recipients, each RFC822 valid
+     * @param array        $error      SMTP error array (reference)
+     * @param string       $body_file  Location of file with saved message body (reference),
+     *                                 used when delay_file_io is enabled
+     * @param array        $options    SMTP options (e.g. DSN request)
+     * @param bool         $disconnect Close SMTP connection ASAP
      *
      * @return boolean Send status.
      */
diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php
index 48f62e884..6c637b90f 100644
--- a/program/lib/Roundcube/rcube_imap_generic.php
+++ b/program/lib/Roundcube/rcube_imap_generic.php
@@ -2822,7 +2822,7 @@ class rcube_imap_generic
             }
 
             // handle UNKNOWN-CTE response - RFC 3516, try again with standard BODY request
-            if ($binary && !$found && preg_match('/^' . $key . ' NO \[UNKNOWN-CTE\]/i', $line)) {
+            if ($binary && !$found && preg_match('/^' . $key . ' NO \[(UNKNOWN-CTE|PARSE)\]/i', $line)) {
                 $binary = $initiated = false;
                 continue;
             }
@@ -3131,6 +3131,11 @@ class rcube_imap_generic
                     list(, , $quota_root) = $this->tokenizeResponse($line, 3);
 
                     $quotas = $this->tokenizeResponse($line, 1);
+
+                    if (empty($quotas)) {
+                        continue;
+                    }
+
                     foreach (array_chunk($quotas, 3) as $quota) {
                         list($type, $used, $total) = $quota;
                         $type = strtolower($type);
diff --git a/program/lib/Roundcube/rcube_ldap.php b/program/lib/Roundcube/rcube_ldap.php
index 5bdc8d611..045659fdd 100644
--- a/program/lib/Roundcube/rcube_ldap.php
+++ b/program/lib/Roundcube/rcube_ldap.php
@@ -300,7 +300,7 @@ class rcube_ldap extends rcube_addressbook
                 }
 
                 // Get the pieces needed for variable replacement.
-                if ($fu = $rcube->get_user_email()) {
+                if ($fu = ($rcube->get_user_email() ?: $this->prop['username'])) {
                     list($u, $d) = explode('@', $fu);
                 }
                 else {
diff --git a/program/lib/Roundcube/rcube_message.php b/program/lib/Roundcube/rcube_message.php
index e6679649d..069942d6c 100644
--- a/program/lib/Roundcube/rcube_message.php
+++ b/program/lib/Roundcube/rcube_message.php
@@ -948,9 +948,11 @@ class rcube_message
     private function add_part($part, $type = null)
     {
         if ($this->check_context($part)) {
+            // It may happen that we add the same part to the array many times
+            // use part ID index to prevent from duplicates
             switch ($type) {
-                case 'inline': $this->inline_parts[] = $part; break;
-                case 'attachment': $this->attachments[] = $part; break;
+                case 'inline': $this->inline_parts[(string) $part->mime_id] = $part; break;
+                case 'attachment': $this->attachments[(string) $part->mime_id] = $part; break;
                 default: $this->parts[] = $part; break;
             }
         }
diff --git a/program/lib/Roundcube/rcube_plugin_api.php b/program/lib/Roundcube/rcube_plugin_api.php
index eb79f3e0d..5575935dc 100644
--- a/program/lib/Roundcube/rcube_plugin_api.php
+++ b/program/lib/Roundcube/rcube_plugin_api.php
@@ -596,8 +596,7 @@ class rcube_plugin_api
     {
         if (is_object($this->output) && $this->output->type == 'html') {
             $src = $this->resource_url($fn);
-            $this->output->add_header(html::tag('script',
-                array('type' => "text/javascript", 'src' => $src)));
+            $this->output->include_script($src, 'head_bottom', false);
         }
     }
 
diff --git a/program/lib/Roundcube/rcube_smtp.php b/program/lib/Roundcube/rcube_smtp.php
index a57dca155..6be2510ea 100644
--- a/program/lib/Roundcube/rcube_smtp.php
+++ b/program/lib/Roundcube/rcube_smtp.php
@@ -98,13 +98,10 @@ class rcube_smtp
         // Handle per-host socket options
         rcube_utils::parse_socket_options($CONFIG['smtp_conn_options'], $smtp_host);
 
-        if (!empty($CONFIG['smtp_helo_host'])) {
-            $helo_host = $CONFIG['smtp_helo_host'];
-        }
-        else if (!empty($_SERVER['SERVER_NAME'])) {
-            $helo_host = rcube_utils::server_name();
-        }
-        else {
+        // Use valid EHLO/HELO host (#6408)
+        $helo_host = $CONFIG['smtp_helo_host'] ?: rcube_utils::server_name();
+        $helo_host = rcube_utils::idn_to_ascii($helo_host);
+        if (!preg_match('/^[a-zA-Z0-9.:-]+$/', $helo_host)) {
             $helo_host = 'localhost';
         }
 
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index c8272eb67..6113f4393 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -153,19 +153,6 @@ class rcube_utils
         return filter_var($ip, FILTER_VALIDATE_IP) !== false;
     }
 
-    /**
-     * Check whether the HTTP referer matches the current request
-     *
-     * @return boolean True if referer is the same host+path, false if not
-     */
-    public static function check_referer()
-    {
-        $uri     = parse_url($_SERVER['REQUEST_URI']);
-        $referer = parse_url(self::request_header('Referer'));
-
-        return $referer['host'] == self::request_header('Host') && $referer['path'] == $uri['path'];
-    }
-
     /**
      * Replacing specials characters to a specific encoding type
      *
@@ -1364,4 +1351,41 @@ class rcube_utils
 
         return $max_filesize;
     }
+
+    /**
+     * Detect and log last PREG operation error
+     *
+     * @param array $error     Error data (line, file, code, message)
+     * @param bool  $terminate Stop script execution
+     *
+     * @return bool True on error, False otherwise
+     */
+    public static function preg_error($error = array(), $terminate = false)
+    {
+        if (($preg_error = preg_last_error()) != PREG_NO_ERROR) {
+            $errstr = "PCRE Error: $preg_error.";
+
+            if ($preg_error == PREG_BACKTRACK_LIMIT_ERROR) {
+                $errstr .= " Consider raising pcre.backtrack_limit!";
+            }
+            if ($preg_error == PREG_RECURSION_LIMIT_ERROR) {
+                $errstr .= " Consider raising pcre.recursion_limit!";
+            }
+
+            $error = array_merge(array('code' => 620, 'line' => __LINE__, 'file' => __FILE__), $error);
+
+            if (!empty($error['message'])) {
+                $error['message'] .= ' ' . $errstr;
+            }
+            else {
+                $error['message'] = $errstr;
+            }
+
+            rcube::raise_error($error, true, $terminate);
+
+            return true;
+        }
+
+        return false;
+    }
 }
diff --git a/program/lib/Roundcube/rcube_vcard.php b/program/lib/Roundcube/rcube_vcard.php
index 75a24127b..9138ba5fa 100644
--- a/program/lib/Roundcube/rcube_vcard.php
+++ b/program/lib/Roundcube/rcube_vcard.php
@@ -525,14 +525,14 @@ class rcube_vcard
     {
         // convert Apple X-ABRELATEDNAMES into X-* fields for better compatibility
         $vcard = preg_replace_callback(
-            '/item(\d+)\.(X-ABRELATEDNAMES)([^:]*?):(.*?)item\1.X-ABLabel:(?:_\$!<)?([\w-() ]*)(?:>!\$_)?./s',
+            '/item(\d+)\.(X-ABRELATEDNAMES)([^:]*?):(.*?)item\1.X-ABLabel:(?:_\$!<)?([\w() -]*)(?:>!\$_)?./s',
             array('self', 'x_abrelatednames_callback'),
             $vcard);
 
         // Cleanup
         $vcard = preg_replace(array(
                 // convert special types (like Skype) to normal type='skype' classes with this simple regex ;)
-                '/item(\d+)\.(TEL|EMAIL|URL)([^:]*?):(.*?)item\1.X-ABLabel:(?:_\$!<)?([\w-() ]*)(?:>!\$_)?./si',
+                '/item(\d+)\.(TEL|EMAIL|URL)([^:]*?):(.*?)item\1.X-ABLabel:(?:_\$!<)?([\w() -]*)(?:>!\$_)?./si',
                 '/^item\d*\.X-AB.*$/mi',  // remove cruft like item1.X-AB*
                 '/^item\d*\./mi',         // remove item1.ADR instead of ADR
                 '/\n+/',                 // remove empty lines
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 856027265..8837a917f 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -615,7 +615,12 @@ class rcube_washtml
             '<html>',
         );
 
-        $html = preg_replace($html_search, $html_replace, trim($html));
+        $html = preg_replace($html_search, $html_replace, $html);
+
+        $err = array('line' => __LINE__, 'file' => __FILE__, 'message' => "Could not clean up HTML!");
+        if ($html === null && rcube_utils::preg_error($err)) {
+            return '';
+        }
 
         // Replace all of those weird MS Word quotes and other high characters
         $badwordchars = array(
@@ -638,24 +643,6 @@ class rcube_washtml
 
         $html = str_replace($badwordchars, $fixedwordchars, $html);
 
-        // PCRE errors handling (#1486856), should we use something like for every preg_* use?
-        if ($html === null && ($preg_error = preg_last_error()) != PREG_NO_ERROR) {
-            $errstr = "Could not clean up HTML message! PCRE Error: $preg_error.";
-
-            if ($preg_error == PREG_BACKTRACK_LIMIT_ERROR) {
-                $errstr .= " Consider raising pcre.backtrack_limit!";
-            }
-            if ($preg_error == PREG_RECURSION_LIMIT_ERROR) {
-                $errstr .= " Consider raising pcre.recursion_limit!";
-            }
-
-            rcube::raise_error(array('code' => 620, 'type' => 'php',
-                'line' => __LINE__, 'file' => __FILE__,
-                'message' => $errstr), true, false);
-
-            return '';
-        }
-
         // fix (unknown/malformed) HTML tags before "wash"
         $html = preg_replace_callback('/(<(?!\!)[\/]*)([^\s>]+)([^>]*)/', array($this, 'html_tag_callback'), $html);
 
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 775f6160c..6488ebeb0 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -75,13 +75,13 @@ if (!is_array($COMPOSE)) {
 
 // add some labels to client
 $OUTPUT->add_label('notuploadedwarning', 'savingmessage', 'siginserted', 'responseinserted',
-    'messagesaved', 'converting', 'editorwarning', 'uploading', 'uploadingmany',
+    'messagesaved', 'converting', 'editorwarning', 'discard',
     'fileuploaderror', 'sendmessage', 'newresponse', 'responsename', 'responsetext', 'save',
     'savingresponse', 'restoresavedcomposedata', 'restoremessage', 'delete', 'restore', 'ignore',
     'selectimportfile', 'messageissent', 'loadingdata', 'nopubkeyfor', 'nopubkeyforsender',
     'encryptnoattachments','encryptedsendialog','searchpubkeyservers', 'importpubkeys',
     'encryptpubkeysfound',  'search', 'close', 'import', 'keyid', 'keylength', 'keyexpired',
-    'keyrevoked', 'keyimportsuccess', 'keyservererror', 'attaching', 'namex', 'attachmentrename', 'discard'
+    'keyrevoked', 'keyimportsuccess', 'keyservererror', 'attaching', 'namex', 'attachmentrename'
 );
 
 $OUTPUT->set_pagetitle($RCMAIL->gettext('compose'));
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index e9971d67e..a2fa8242a 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1003,7 +1003,8 @@ function rcmail_washtml_callback($tagname, $attrib, $content, $washtml)
         }
 
         // decode all escaped entities and reduce to ascii strings
-        $stripped = preg_replace('/[^a-zA-Z\(:;]/', '', rcube_utils::xss_entity_decode($content));
+        $decoded  = rcube_utils::xss_entity_decode($content);
+        $stripped = preg_replace('/[^a-zA-Z\(:;]/', '', $decoded);
 
         // now check for evil strings like expression, behavior or url()
         if (!preg_match('/expression|behavior|javascript:|import[^a]/i', $stripped)) {
@@ -1011,7 +1012,7 @@ function rcmail_washtml_callback($tagname, $attrib, $content, $washtml)
                 $washtml->extlinks = true;
             }
             else {
-                $out = html::tag('style', array('type' => 'text/css'), $content);
+                $out = html::tag('style', array('type' => 'text/css'), $decoded);
             }
             break;
         }
@@ -1606,7 +1607,9 @@ function rcmail_search_filter($attrib)
         $attrib['id'] = 'rcmlistfilter';
     }
 
-    $attrib['onchange'] = rcmail_output::JS_OBJECT_NAME.'.filter_mailbox(this.value)';
+    if (!rcube_utils::get_boolean($attrib['noevent'])) {
+        $attrib['onchange'] = rcmail_output::JS_OBJECT_NAME.'.filter_mailbox(this.value)';
+    }
 
     // Content-Type values of messages with attachments
     // the same as in app.js:add_message_row()
@@ -1669,18 +1672,22 @@ function rcmail_message_error()
 {
     global $RCMAIL;
 
-    // Set env variables for messageerror.html template
-    if ($RCMAIL->action == 'show') {
-        $mbox_name = $RCMAIL->storage->get_folder();
+    // ... display message error page
+    if ($RCMAIL->output->template_exists('messageerror')) {
+        // Set env variables for messageerror.html template
+        if ($RCMAIL->action == 'show') {
+            $mbox_name = $RCMAIL->storage->get_folder();
 
-        $RCMAIL->output->set_env('mailbox', $mbox_name);
-        $RCMAIL->output->set_env('uid', null);
-    }
+            $RCMAIL->output->set_env('mailbox', $mbox_name);
+            $RCMAIL->output->set_env('uid', null);
+        }
 
-    // display error message
-    $RCMAIL->output->show_message('messageopenerror', 'error');
-    // ... display message error page
-    $RCMAIL->output->send('messageerror');
+        $RCMAIL->output->show_message('messageopenerror', 'error');
+        $RCMAIL->output->send('messageerror');
+    }
+    else {
+        $RCMAIL->raise_error(array('code' => 410), false, true);
+    }
 }
 
 function rcmail_message_import_form($attrib = array())
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index 69dcca43c..f85b8fcb6 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -115,6 +115,12 @@ if (!$savedraft) {
                 '<p><br /></p>',
             ),
             $message_body);
+
+        rcube_utils::preg_error(array(
+                'line'    => __LINE__,
+                'file'    => __FILE__,
+                'message' => "Could not format HTML!"
+            ), true);
     }
 
     // Check spelling before send
@@ -199,6 +205,12 @@ if (is_array($COMPOSE['attachments'])) {
 
             $message_body = preg_replace($dispurl, '"cid:' . $cid . '"', $message_body);
 
+            rcube_utils::preg_error(array(
+                    'line'    => __LINE__,
+                    'file'    => __FILE__,
+                    'message' => "Could not replace an image reference!"
+                ), true);
+
             $MAIL_MIME->setHTMLBody($message_body);
 
             if ($attachment['data'])
diff --git a/program/steps/settings/about.inc b/program/steps/settings/about.inc
index d7a3745cd..226a8c50f 100644
--- a/program/steps/settings/about.inc
+++ b/program/steps/settings/about.inc
@@ -20,11 +20,20 @@
  +-----------------------------------------------------------------------+
 */
 
+define('RC_COPYRIGHT', 'Copyright &copy; 2005-2018, The Roundcube Dev Team');
+define('RC_LICENSE', 'This program is free software; you can redistribute it and/or modify it under the terms of the '
+            . '<a href="http://www.gnu.org/licenses/gpl.html" target="_blank">GNU General Public License</a> '
+            . 'as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.'
+            . '<br/>Some <a href="https://roundcube.net/license" target="_blank">exceptions</a> for skins &amp; plugins apply.');
 
 $OUTPUT->set_pagetitle($RCMAIL->gettext('about'));
 
-$OUTPUT->add_handler('supportlink', 'rcmail_supportlink');
-$OUTPUT->add_handler('pluginlist', 'rcmail_plugins_list');
+$OUTPUT->add_handlers(array(
+        'supportlink' => 'rcmail_supportlink',
+        'pluginlist'  => 'rcmail_plugins_list',
+        'copyright'   => function() { return RC_COPYRIGHT; },
+        'license'     => function() { return RC_LICENSE; },
+));
 
 $OUTPUT->send('about');
 
diff --git a/program/steps/settings/edit_folder.inc b/program/steps/settings/edit_folder.inc
index e9fb7873d..ba55772ca 100644
--- a/program/steps/settings/edit_folder.inc
+++ b/program/steps/settings/edit_folder.inc
@@ -98,11 +98,13 @@ function rcmail_folder_form($attrib)
         }
 
         $foldername = new html_inputfield(array('name' => '_name', 'id' => '_name', 'size' => 30));
-        $foldername = $foldername->show($folder);
+        $foldername = '<span class="input-group">' . $foldername->show($folder);
 
         if ($options['special'] && ($sname = $RCMAIL->localize_foldername($mbox, false, true)) != $folder) {
-            $foldername .= '&nbsp;(' . rcube::Q($sname) .')';
+            $foldername .= ' <span class="input-group-append"><span class="input-group-text">(' . rcube::Q($sname) .')</span></span>';
         }
+
+        $foldername .= '</span>';
     }
 
     $form['props']['fieldsets']['location'] = array(
diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc
index ee22b75f2..71b7c491b 100644
--- a/program/steps/settings/edit_identity.inc
+++ b/program/steps/settings/edit_identity.inc
@@ -52,7 +52,7 @@ else {
 $OUTPUT->include_script('list.js');
 $OUTPUT->add_handler('identityform', 'rcube_identity_form');
 $OUTPUT->set_env('identities_level', IDENTITIES_LEVEL);
-$OUTPUT->add_label('deleteidentityconfirm', 'uploading', 'generate',
+$OUTPUT->add_label('deleteidentityconfirm', 'generate',
     'encryptioncreatekey', 'openmailvelopesettings', 'encryptionprivkeysinmailvelope',
     'encryptionnoprivkeysinmailvelope', 'keypaircreatesuccess');
 
diff --git a/program/steps/settings/folders.inc b/program/steps/settings/folders.inc
index 5b0d1fe7e..8902fa28c 100644
--- a/program/steps/settings/folders.inc
+++ b/program/steps/settings/folders.inc
@@ -433,7 +433,9 @@ function rcmail_folder_filter($attrib)
         $attrib['id'] = 'rcmfolderfilter';
     }
 
-    $attrib['onchange'] = rcmail_output::JS_OBJECT_NAME . '.folder_filter(this.value)';
+    if (!rcube_utils::get_boolean($attrib['noevent'])) {
+        $attrib['onchange'] = rcmail_output::JS_OBJECT_NAME . '.folder_filter(this.value)';
+    }
 
     $roots  = array();
     $select = new html_select($attrib);
diff --git a/program/steps/settings/save_prefs.inc b/program/steps/settings/save_prefs.inc
index 09d4dc247..a6e1691d5 100644
--- a/program/steps/settings/save_prefs.inc
+++ b/program/steps/settings/save_prefs.inc
@@ -242,7 +242,6 @@ function rcmail_prefs_input($name, $regex)
     }
 
     if ($value !== null && strlen($value) && !preg_match($regex, $value)) {
-rcube::console($name);
         $value = $RCMAIL->config->get($name);
     }
 
diff --git a/program/steps/utils/error.inc b/program/steps/utils/error.inc
index 773fe71fe..af075173b 100644
--- a/program/steps/utils/error.inc
+++ b/program/steps/utils/error.inc
@@ -21,28 +21,8 @@
 
 $rcmail = rcmail::get_instance();
 
-// browser is not compatible with this application
-if ($ERROR_CODE == 409) {
-    $user_agent    = htmlentities($_SERVER['HTTP_USER_AGENT']);
-    $__error_title = 'Your browser does not suit the requirements for this application';
-    $__error_text  = <<<EOF
-<i>Supported browsers:</i><br />
-&raquo; &nbsp;Microsoft Internet Explorer 7+<br />
-&raquo; &nbsp;Mozilla Firefox 3+<br />
-&raquo; &nbsp;Chrome 10+<br />
-&raquo; &nbsp;Safari 4+<br />
-&raquo; &nbsp;Opera 8+<br />
-<br />
-&raquo; &nbsp;JavaScript enabled<br />
-&raquo; &nbsp;Support for XMLHTTPRequest<br />
-
-<p><i>Your configuration:</i><br />
-$user_agent</p>
-EOF;
-}
-
 // authorization error
-else if ($ERROR_CODE == 401) {
+if ($ERROR_CODE == 401) {
     $__error_title = mb_strtoupper($rcmail->gettext('errauthorizationfailed'));
     $__error_text  = nl2br($rcmail->gettext('errunauthorizedexplain') . "\n" .
                         $rcmail->gettext('errcontactserveradmin'));
@@ -72,6 +52,20 @@ else if ($ERROR_CODE == 404) {
     $__error_text .= '<p><i>' . $rcmail->gettext('errfailedrequest') . ": $request_url</i></p>";
 }
 
+// browser is not compatible with this application
+else if ($ERROR_CODE == 409) {
+    $user_agent    = htmlentities($_SERVER['HTTP_USER_AGENT']);
+    $__error_title = 'Your browser does not suit the requirements for this application';
+    $__error_text  = "Required features: <i>JavaScript enabled</i> and <i>XMLHTTPRequest support</i>."
+        . "<p><i>Your configuration:</i><br>$user_agent</p>";
+}
+
+// Gone, e.g. message cached but not in the storage
+else if ($ERROR_CODE == 410) {
+    $__error_title = 'INTERNAL ERROR';
+    $__error_text  = $rcmail->gettext('messageopenerror');
+}
+
 // invalid compose ID
 else if ($ERROR_CODE == 450 && $_SERVER['REQUEST_METHOD'] == 'GET' && $rcmail->action == 'compose') {
     $url = $rcmail->url('compose');
@@ -102,15 +96,17 @@ else {
 // inform plugins
 if ($rcmail && $rcmail->plugins) {
     $plugin = $rcmail->plugins->exec_hook('error_page', array(
-        'code' => $ERROR_CODE,
+        'code'  => $ERROR_CODE,
         'title' => $__error_title,
-        'text' => $__error_text,
+        'text'  => $__error_text,
     ));
 
-    if (!empty($plugin['title']))
+    if (!empty($plugin['title'])) {
         $__error_title = $plugin['title'];
-    if (!empty($plugin['text']))
+    }
+    if (!empty($plugin['text'])) {
         $__error_text = $plugin['text'];
+    }
 }
 
 $HTTP_ERR_CODE = $ERROR_CODE && $ERROR_CODE < 600 ? $ERROR_CODE : 500;
@@ -131,6 +127,7 @@ EOF;
 
 if ($rcmail->output && $rcmail->output->template_exists('error')) {
     $rcmail->output->reset();
+    $rcmail->output->set_env('error_task', 'error' . (empty($rcmail->user) || empty($rcmail->user->ID) ? '-login' : ''));
     $rcmail->output->set_env('server_error', $ERROR_CODE);
     $rcmail->output->set_env('comm_path', $rcmail->comm_path);
     $rcmail->output->send('error');
diff --git a/skins/classic/splitter.js b/skins/classic/splitter.js
index 4117b2c29..460c35a21 100644
--- a/skins/classic/splitter.js
+++ b/skins/classic/splitter.js
@@ -56,6 +56,9 @@ function rcube_splitter(attrib)
 
     // add the mouse event listeners
     $(this.elm).mousedown(onDragStart);
+
+    // Update splitter position and elements with on window resize
+    $(window).resize(function(e) { if (e.target === window) me.resize(); });
     if (bw.ie)
       $(window).resize(onResize);
 
@@ -88,9 +91,12 @@ function rcube_splitter(attrib)
       }
     }
     else {
-      this.p1.style.width = Math.floor(this.pos - this.p1pos.left - this.layer.width / 2) + 'px';
-      this.p2.style.left = Math.ceil(this.pos + this.layer.width / 2) + 'px';
-      this.layer.move(Math.round(this.pos - this.layer.width / 2 + 1), this.layer.y);
+      var max_width = $(window).width() - $(this.p1).offset().left - 150,
+        pos = Math.min(this.pos, max_width);
+
+      this.p1.style.width = Math.floor(pos - this.p1pos.left - this.layer.width / 2) + 'px';
+      this.p2.style.left = Math.ceil(pos + this.layer.width / 2) + 'px';
+      this.layer.move(Math.round(pos - this.layer.width / 2 + 1), this.layer.y);
       if (bw.ie) {
         var new_width = parseInt(this.p2.parentNode.offsetWidth, 10) - parseInt(this.p2.style.left, 10) ;
         this.p2.style.width = (new_width > 0 ? new_width : 0) + 'px';
diff --git a/skins/classic/templates/about.html b/skins/classic/templates/about.html
index 849309596..f3584589f 100644
--- a/skins/classic/templates/about.html
+++ b/skins/classic/templates/about.html
@@ -20,12 +20,8 @@
 <div id="license">
 <roundcube:object name="aboutcontent" />
 <h2 class="sysname">Roundcube Webmail <roundcube:object name="version" /></h2>
-<p class="copyright">Copyright &copy; 2005-2018, The Roundcube Dev Team</p>
-<p class="license">This program is free software; you can redistribute it and/or modify
-it under the terms of the <a href="http://www.gnu.org/licenses/gpl.html" target="_blank">GNU General Public License</a>
-as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br/>
-Some <a href="http://roundcube.net/license">exceptions</a> for skins &amp; plugins apply.
-</p>
+<p class="copyright"><roundcube:object name="copyright" /></p>
+<p class="license"><roundcube:object name="license" /></p>
 <p class="links"><roundcube:object name="supportlink" label="support" target="_blank" /></p>
 </div>
 
diff --git a/skins/elastic/images/favicon.ico b/skins/elastic/images/favicon.ico
index 9ef2f3b9e..405df39e4 100644
Binary files a/skins/elastic/images/favicon.ico and b/skins/elastic/images/favicon.ico differ
diff --git a/skins/elastic/images/logo.png b/skins/elastic/images/logo.png
deleted file mode 100644
index 627c2f614..000000000
Binary files a/skins/elastic/images/logo.png and /dev/null differ
diff --git a/skins/elastic/images/logo.svg b/skins/elastic/images/logo.svg
new file mode 100644
index 000000000..1f50dd8a3
--- /dev/null
+++ b/skins/elastic/images/logo.svg
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="9.14 141.8 573.65 573.65">
+<style type="text/css">
+.st0{fill-rule:evenodd;clip-rule:evenodd;fill:#404F54;}
+.st1{fill-rule:evenodd;clip-rule:evenodd;fill:#E5E5E5;}
+.st2{fill-rule:evenodd;clip-rule:evenodd;fill:#CCCCCC;}
+.st3{fill-rule:evenodd;clip-rule:evenodd;fill:#37BEFF;}
+</style>
+<polygon class="st3" points="582.79,549.77 295.96,384.1 295.96,207.27 582.79,372.95 "/>
+<polygon class="st0" points="9.14,549.77 295.96,384.1 295.96,207.27 9.14,372.95 "/>
+<path class="st2" d="M295.96,141.8c109.56,0,198.41,88.85,198.41,198.41c0,109.56-88.85,198.41-198.41,198.41 c-109.56,0-198.41-88.85-198.41-198.41C97.55,230.65,186.4,141.8,295.96,141.8"/>
+<path class="st1" d="M295.96,141.8c109.6,0,198.48,88.85,198.48,198.41c0,109.56-88.88,198.41-198.48,198.41	c-62.91-42.34-88.94-127.64-88.94-198.3S233.05,184.22,295.96,141.8"/>
+<polygon class="st3" points="582.79,372.95 295.96,538.62 295.96,715.45 582.79,549.77 "/>
+<polygon class="st0" points="9.14,372.95 295.96,538.62 295.96,715.45 9.14,549.77 "/>
+</svg>
diff --git a/skins/elastic/images/watermark.jpg b/skins/elastic/images/watermark.jpg
deleted file mode 100644
index d4ea39278..000000000
Binary files a/skins/elastic/images/watermark.jpg and /dev/null differ
diff --git a/skins/elastic/styles/colors.less b/skins/elastic/styles/colors.less
index 9acf5706a..2aeb30eb3 100644
--- a/skins/elastic/styles/colors.less
+++ b/skins/elastic/styles/colors.less
@@ -39,7 +39,7 @@
 @color-layout-mobile-footer-background: @color-layout-header-background;
 
 // Task menu
-@color-taskmenu-background:                     #414e54;
+@color-taskmenu-background:                     #2f3a3f;
 @color-taskmenu-button:                         #fff;
 @color-taskmenu-button-selected:                @color-taskmenu-button;
 @color-taskmenu-button-action:                  @color-main;
diff --git a/skins/elastic/styles/layout.less b/skins/elastic/styles/layout.less
index 996a4ca26..ad843d6b6 100644
--- a/skins/elastic/styles/layout.less
+++ b/skins/elastic/styles/layout.less
@@ -248,6 +248,7 @@ html.iframe {
         // FIXME: we set background color here not in taskmenu.less, because
         // otherwise background is partially white on Android/iOS
         background-color: @color-taskmenu-background;
+        width: @layout-menu-width/2;
     }
 }
 
@@ -258,10 +259,6 @@ html.iframe {
     a.toolbar-menu-button {
         display: none;
     }
-
-    body > #layout > .menu {
-        width: @layout-menu-width/2;
-    }
 }
 
 @media screen and (min-width: (@screen-width-medium + 1px)) {
diff --git a/skins/elastic/styles/styles.less b/skins/elastic/styles/styles.less
index 75cd2ccac..2316db40a 100644
--- a/skins/elastic/styles/styles.less
+++ b/skins/elastic/styles/styles.less
@@ -135,13 +135,19 @@ a {
 .task-login #layout > .content {
     text-align: center;
     width: 100%;
-    background: url(../images/watermark.jpg) center -20px no-repeat;
-    background-size: auto 40%;
+    display: block;
+}
+
+.task-login #layout .content #logo {
+    display: inline-block;
+    position: relative;
+    top: 18vh;
+    max-height: 90px;
 }
 
 #login-form {
     margin: 0 auto;
-    top: 35vh;
+    top: 22vh;
     width: 95%;
     max-width: 280px;
     position: relative;
@@ -176,6 +182,12 @@ a {
     }
 }
 
+body.task-error-login #layout {
+    & > .menu,
+    & > .content > .header {
+        display: none;
+    }
+}
 
 /*** Addressbook UI ***/
 
diff --git a/skins/elastic/styles/widgets/buttons.less b/skins/elastic/styles/widgets/buttons.less
index bb5d7e990..683bab444 100644
--- a/skins/elastic/styles/widgets/buttons.less
+++ b/skins/elastic/styles/widgets/buttons.less
@@ -210,8 +210,8 @@ html.touch {
     }
 
     &:hover {
-        background: darken(@color-btn-secondary-background, 8%);
-        border-color: darken(@color-btn-secondary-background, 10%);
+        background: darken(@color-btn-secondary-background, 5%);
+        border-color: darken(@color-btn-secondary-background, 7%);
     }
 
     &.disabled,
@@ -221,15 +221,16 @@ html.touch {
         opacity: 1;
     }
 
-    &:not(:disabled):not(.disabled):active {
-        background: darken(@color-btn-secondary-background, 11%);
-        border-color: darken(@color-btn-secondary-background, 13%);
-        box-shadow: 0 0 0 .2rem fade(@color-btn-secondary-background, 53%);
-    }
+    &:not(:disabled):not(.disabled) {
+        &:active,
+        &.active {
+            background: darken(@color-btn-secondary-background, 10%);
+            border-color: darken(@color-btn-secondary-background, 12%);
 
-    &:not(:disabled):not(.disabled).active {
-        background: darken(@color-btn-secondary-background, 20%);
-        border-color: darken(@color-btn-secondary-background, 22%);
+            &:focus {
+                box-shadow: 0 0 0 .2rem fade(@color-btn-secondary-background, 53%);
+            }
+        }
     }
 }
 
@@ -243,8 +244,8 @@ html.touch {
     }
 
     &:hover {
-        background: darken(@color-btn-primary-background, 8%);
-        border-color: darken(@color-btn-primary-background, 10%);
+        background: darken(@color-btn-primary-background, 5%);
+        border-color: darken(@color-btn-primary-background, 7%);
     }
 
     &.disabled,
@@ -254,15 +255,16 @@ html.touch {
         opacity: 1;
     }
 
-    &:not(:disabled):not(.disabled):active {
-        background: darken(@color-btn-primary-background, 11%);
-        border-color: darken(@color-btn-primary-background, 13%);
-        box-shadow: 0 0 0 .2rem fade(@color-btn-primary-background, 53%);
-    }
+    &:not(:disabled):not(.disabled) {
+        &:active,
+        &.active {
+            background: darken(@color-btn-primary-background, 10%);
+            border-color: darken(@color-btn-primary-background, 12%);
 
-    &:not(:disabled):not(.disabled).active {
-        background: darken(@color-btn-primary-background, 20%);
-        border-color: darken(@color-btn-primary-background, 22%);
+            &:focus {
+                box-shadow: 0 0 0 .2rem fade(@color-btn-primary-background, 53%);
+            }
+        }
     }
 }
 
@@ -276,8 +278,8 @@ html.touch {
     }
 
     &:hover {
-        background: darken(@color-btn-danger-background, 8%);
-        border-color: darken(@color-btn-danger-background, 10%);
+        background: darken(@color-btn-danger-background, 5%);
+        border-color: darken(@color-btn-danger-background, 7%);
     }
 
     &.disabled,
@@ -287,14 +289,15 @@ html.touch {
         opacity: 1;
     }
 
-    &:not(:disabled):not(.disabled):active {
-        background: darken(@color-btn-danger-background, 11%);
-        border-color: darken(@color-btn-danger-background, 13%);
-        box-shadow: 0 0 0 .2rem fade(@color-btn-danger-background, 53%);
-    }
+    &:not(:disabled):not(.disabled) {
+        &:active,
+        &.active {
+            background: darken(@color-btn-danger-background, 10%);
+            border-color: darken(@color-btn-danger-background, 12%);
 
-    &:not(:disabled):not(.disabled).active {
-        background: darken(@color-btn-danger-background, 20%);
-        border-color: darken(@color-btn-danger-background, 22%);
+            &:focus {
+                box-shadow: 0 0 0 .2rem fade(@color-btn-danger-background, 53%);
+            }
+        }
     }
 }
diff --git a/skins/elastic/styles/widgets/common.less b/skins/elastic/styles/widgets/common.less
index 6642d6712..7e7500054 100644
--- a/skins/elastic/styles/widgets/common.less
+++ b/skins/elastic/styles/widgets/common.less
@@ -189,12 +189,6 @@ fieldset.image-attachment {
     overflow-y: auto;
 }
 
-#layout > .content .watermark {
-    background: url(../images/watermark.jpg) center no-repeat;
-    width: 100%;
-    height: 100%;
-}
-
 .noselect {
     user-select: none;
     -moz-user-select: none;
diff --git a/skins/elastic/styles/widgets/editor.less b/skins/elastic/styles/widgets/editor.less
index af7cbd74b..d4ad6b96c 100644
--- a/skins/elastic/styles/widgets/editor.less
+++ b/skins/elastic/styles/widgets/editor.less
@@ -463,6 +463,14 @@
         color: @color-toolbarmenu-hover;
         background-color: @color-toolbarmenu-hover-background;
     }
+
+    .popover-header {
+        display: none !important;
+    }
+}
+
+div.mce-menubtn.mce-opened {
+    z-index: 65530 !important; // BUG: https://github.com/tinymce/tinymce/issues/4542
 }
 
 #mce-modal-block.mce-in {
@@ -615,18 +623,88 @@
     }
 
     .mce-menu {
-        width: auto !important;
+        width: @layout-mobile-menu-width !important;
         right: 0;
-        left: 0 !important;
-        margin: 0 1rem !important;
+        top: 0 !important;
+        left: auto !important;
+        height: 100% !important;
+        max-height: unset !important;
+        padding: 0 !important;
+        margin: 0 !important;
+        border-radius: 0;
+        border: 0 !important;
+
+        .popover-header {
+            display: block !important;
+
+            a {
+                font-size: 1.2rem;
+                line-height: @layout-touch-header-height;
+
+                &:before {
+                    content: @fa-var-times;
+                }
+            }
+        }
 
         .mce-container-body {
             width: 100% !important;
         }
-    }
 
-    div.mce-menubtn.mce-opened {
-        z-index: 65530 !important;
+        .mce-menu-item {
+            height: @layout-touch-menu-record-height;
+            line-height: @layout-touch-menu-record-height;
+            padding: 0 .5rem;
+            border-left: 0;
+            border-bottom: 1px solid @color-list-border;
+            margin: 0;
+
+            .mce-ico {
+                font-size: 150%;
+                padding: 0 .7rem 0 .25rem;
+                margin-top: -.2rem;
+            }
+
+            .mce-text {
+                font-size: 1.2rem;
+                .font-family;
+                line-height: @layout-touch-menu-record-height;
+                color: @color-font;
+            }
+
+            .mce-caret {
+                display: none;
+            }
+
+            &.mce-menu-item-preview {
+                &.mce-active {
+                    border-left: none;
+                    position: relative;
+
+                    &:after {
+                        .font-icon-class; // :extend() does not work here
+                        content: @fa-var-check;
+                        position: absolute;
+                        right: .5rem;
+                        top: 0;
+                        color: @color-font;
+                    }
+                }
+            }
+
+            &.mce-menu-item-expand {
+                position: relative;
+
+                &:after {
+                    .font-icon-class; // :extend() does not work here
+                    content: @fa-var-angle-right;
+                    position: absolute;
+                    right: .5rem;
+                    top: 0;
+                    color: @color-font;
+                }
+            }
+        }
     }
 
     .mce-menu-item-sep,
diff --git a/skins/elastic/styles/widgets/forms.less b/skins/elastic/styles/widgets/forms.less
index 7a1af4569..7054b919d 100644
--- a/skins/elastic/styles/widgets/forms.less
+++ b/skins/elastic/styles/widgets/forms.less
@@ -98,6 +98,22 @@ input.smart-upload {
     }
 
     td.rowtargets {
+        .composite {
+            input, textarea, select, .multi-input, .input-group {
+                margin-bottom: .5rem;
+            }
+
+            .input-group {
+                input, textarea, select, .multi-input {
+                    margin-bottom: 0;
+                }
+            }
+
+            br {
+                display: block;
+            }
+        }
+
         .input-group {
             margin-bottom: .25rem;
 
@@ -384,11 +400,6 @@ html.ms .propform {
             display: flex;
         }
     }
-    @media screen and (max-width: (@screen-width-bs-phone - 1px)) {
-        .row {
-            display: block;
-        }
-    }
 }
 
 
@@ -575,6 +586,10 @@ html.ms .propform {
     text-decoration: none;
     padding: .375rem .5rem;
 
+    &.input-group-text {
+        min-width: 2.4rem;
+    }
+
     &:before {
         &:extend(.font-icon-class);
         margin: 0 !important;
@@ -617,16 +632,11 @@ html.ms .propform {
     }
 }
 
-td.editfield { width: 99%;  /* TODO */ }
 
 @proplist-record-height: 2rem;
 .proplist {
     margin-bottom: 0;
-
-    .formcontent > &,
-    fieldset > & {
-        padding-left: 0;
-    }
+    padding: 0;
 
     li {
         list-style-type: none;
@@ -647,7 +657,7 @@ td.editfield { width: 99%;  /* TODO */ }
             }
         }
 
-        label {
+        label:not(.input-group-text) {
             margin: 0;
             line-height: @proplist-record-height;
         }
@@ -1166,6 +1176,10 @@ input.icon-checkbox {
         cursor: pointer;
         width: 1.5em;
 
+        html.touch & {
+            font-size: 1.5rem;
+        }
+
         &:before {
             &:extend(.font-icon-class);
             content: @fa-var-toggle-off;
@@ -1216,8 +1230,28 @@ input.icon-checkbox {
     }
 }
 
-html.touch input.icon-checkbox + label {
-    font-size: 1.5rem;
+.input-group-combo {
+    select:first-of-type {
+        &.alone {
+            border-radius: .25rem !important;
+        }
+
+        &:not(.alone) {
+            flex: unset;
+            width: auto;
+        }
+    }
+
+    .input-group {
+        padding: 0 !important;
+        flex: 2;
+    }
+
+    select + select,
+    .input-group :first-child {
+        border-top-left-radius: 0;
+        border-bottom-left-radius: 0;
+    }
 }
 
 
diff --git a/skins/elastic/styles/widgets/jqueryui.less b/skins/elastic/styles/widgets/jqueryui.less
index f18e96c0e..022c629d8 100644
--- a/skins/elastic/styles/widgets/jqueryui.less
+++ b/skins/elastic/styles/widgets/jqueryui.less
@@ -27,6 +27,8 @@
     overflow-x: hidden;
     max-height: 400px;
     border-radius: .3rem;
+    z-index: 240;
+    position: absolute;
 
    .ui-state-active {
         border: 0 !important;
@@ -35,6 +37,7 @@
 
     .ui-menu-item {
         white-space: nowrap;
+        cursor: default;
     }
 
     .ui-menu-item-wrapper {
@@ -117,14 +120,16 @@
                 padding-right: 0;
                 padding-left: 0;
                 text-decoration: none;
+                color: @color-font;
 
                 &:focus {
-                    background-color: @color-input-border-focus-shadow;
+                    background-color: fade(@color-btn-primary-background, 50%);
                 }
 
                 &.options {
                     order: -1;
                     padding: .375rem .25rem;
+                    margin-right: .3rem;
 
                     &:before {
                         // this icon is for mobile version
diff --git a/skins/elastic/styles/widgets/lists.less b/skins/elastic/styles/widgets/lists.less
index f06489828..85a0a1edf 100644
--- a/skins/elastic/styles/widgets/lists.less
+++ b/skins/elastic/styles/widgets/lists.less
@@ -453,9 +453,9 @@ ul.treelist {
     li {
         &.mailbox {
             &.unread {
-                // TODO
                 & > a {
                     padding-right: 2.8em;
+                    font-weight: bold;
                 }
             }
 
@@ -483,10 +483,6 @@ ul.treelist {
                 }
             }
 
-            &.selected .unreadcount {
-                // todo
-            }
-
             &.recent > .unreadcount {
                 background: @color-list-recent-badge-background;
                 color: @color-list-recent-badge;
diff --git a/skins/elastic/styles/widgets/messages.less b/skins/elastic/styles/widgets/messages.less
index 3e0b12618..97452a557 100644
--- a/skins/elastic/styles/widgets/messages.less
+++ b/skins/elastic/styles/widgets/messages.less
@@ -210,6 +210,10 @@
         & > i.icon:before {
             color: #fff;
         }
+
+        &.chat > i.icon:before {
+            content: @fa-var-comment;
+        }
     }
 
     .alert-success {
diff --git a/skins/elastic/styles/widgets/taskmenu.less b/skins/elastic/styles/widgets/taskmenu.less
index 29c4f45a4..1cce2e3a9 100644
--- a/skins/elastic/styles/widgets/taskmenu.less
+++ b/skins/elastic/styles/widgets/taskmenu.less
@@ -116,7 +116,7 @@
             position: absolute;
             bottom: 0;
             left: 0;
-            width: @layout-menu-width;
+            background-color: @color-taskmenu-background;
         }
 
         .action-buttons {
@@ -154,6 +154,7 @@
                 width: @layout-menu-width;
                 height: 1.75rem;
                 line-height: 1.5;
+                float: none; // fixed overflowing text in Edge
             }
         }
 
@@ -168,14 +169,19 @@
 .menu {
     .popover-header {
         height: @layout-header-height;
-        display: flex !important;
-        align-items: center;
-        justify-content: center;
+        line-height: @layout-header-height;
         border: 0;
         border-radius: 0;
+        text-align: center;
 
         img {
             max-height: @layout-header-height;
+            max-width: @layout-menu-width;
+            padding: .25rem;
+
+            @media screen and (min-width: (@screen-width-xs + 1px)) and (max-width: @screen-width-medium) {
+                max-width: @layout-menu-width/2;
+            }
         }
 
         @media screen and (min-width: (@screen-width-xs + 1px)) {
@@ -185,23 +191,15 @@
             a {
                 display: none !important;
             }
-
-            img {
-                max-width: @layout-menu-width/2;
-            }
-        }
-
-        @media screen and (min-width: (@screen-width-medium + 1px)) {
-            img {
-                max-width: @layout-menu-width;
-            }
         }
 
         html.layout-phone & {
+            display: flex !important;
+            align-items: center;
+            justify-content: center;
             padding: 0 .5rem;
 
             img {
-                max-height: @layout-touch-header-height;
                 max-width: @layout-mobile-menu-width - 50px;
             }
 
diff --git a/skins/elastic/styles/widgets/toolbar.less b/skins/elastic/styles/widgets/toolbar.less
index 21160d8d8..325683cc1 100644
--- a/skins/elastic/styles/widgets/toolbar.less
+++ b/skins/elastic/styles/widgets/toolbar.less
@@ -553,7 +553,7 @@
         content: @fa-var-flag;
     }
     a.select.unread:before {
-        content: @fa-var-star;
+        content: @fa-var-circle;
     }
     a.select.invert:before {
         .font-icon-regular(@fa-var-square);
diff --git a/skins/elastic/templates/about.html b/skins/elastic/templates/about.html
index 21d26402f..94c795525 100644
--- a/skins/elastic/templates/about.html
+++ b/skins/elastic/templates/about.html
@@ -6,13 +6,8 @@
 
 <div class="content frame-content">
 	<h2 class="sysname">Roundcube Webmail <roundcube:object name="version" /></h2>
-	<p class="copyright">Copyright &copy; 2005-2018, The Roundcube Dev Team</p>
-	<p class="license">This program is free software;
-		you can redistribute it and/or modify it under the terms of the 
-		<a href="http://www.gnu.org/licenses/gpl.html" target="_blank">GNU General Public License</a>
-		as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br/>
-		Some <a href="https://roundcube.net/license" target="_blank">exceptions</a> for skins &amp; plugins apply.
-	</p>
+	<p class="copyright"><roundcube:object name="copyright" /></p>
+	<p class="license"><roundcube:object name="license" /></p>
 	<div class="readtext">
 		<h3><roundcube:label name="installedplugins" /></h3>
 		<roundcube:object name="pluginlist" id="pluginlist" class="records-table" />
diff --git a/skins/elastic/templates/error.html b/skins/elastic/templates/error.html
index 3f8663496..0ae156091 100644
--- a/skins/elastic/templates/error.html
+++ b/skins/elastic/templates/error.html
@@ -3,8 +3,9 @@
 <roundcube:if condition="!env:framed && !env:extwin" />
 	<roundcube:include file="includes/menu.html" />
 	<div class="content selected" role="main">
-		<div class="header">
+		<div class="header" role="toolbar">
 			<a class="button icon menu-button" href="#menu"><span class="inner"><roundcube:label name="menu" /></span></a>
+			<span class="header-title"></span>
 		</div>
 		<div class="frame-content scroller">
 <roundcube:else />
diff --git a/skins/elastic/templates/folders.html b/skins/elastic/templates/folders.html
index 8b61e5919..94f1ebccc 100644
--- a/skins/elastic/templates/folders.html
+++ b/skins/elastic/templates/folders.html
@@ -16,10 +16,10 @@
 	<div id="foldersearchmenu" class="hidden searchoptions scroller propform formcontainer" aria-labelledby="aria-label-search-menu" aria-controls="subscription-table">
 		<h3 id="aria-label-search-menu" class="voice"><roundcube:label name="searchmod" /></h3>
 		<div class="formcontent">
-			<roundcube:object name="folderfilter" id="folderlist-filter" noheader="true" />
+			<roundcube:object name="folderfilter" id="folderlist-filter" noheader="true" noevent="true" />
 		</div>
 		<div class="formbuttons">
-			<button class="btn btn-primary icon search" href="#" onclick="return rcmail.command('search')"><roundcube:label name="search" /></button>
+			<button class="btn btn-primary icon search" href="#" onclick="rcmail.folder_filter($('#folderlist-filter').val())"><roundcube:label name="search" /></button>
 		</div>
 	</div>
 	<div class="scroller" tabindex="-1">
diff --git a/skins/elastic/templates/includes/layout.html b/skins/elastic/templates/includes/layout.html
index 3627b19b6..63bcb9ab1 100644
--- a/skins/elastic/templates/includes/layout.html
+++ b/skins/elastic/templates/includes/layout.html
@@ -6,6 +6,7 @@
 <roundcube:add_label name="previous" />
 <roundcube:add_label name="next" />
 <roundcube:add_label name="select" />
+<roundcube:add_label name="close" />
 <roundcube:object name="doctype" value="html5" />
 <roundcube:if condition="!env:framed || env:extwin" />
 <html>
@@ -25,11 +26,8 @@
 		<link rel="stylesheet" href="/styles/styles.css">
 		<roundcube:link rel="stylesheet" href="/styles/print.css" condition="env:action == 'print'" />
 	<roundcube:endif />
-	<roundcube:if condition="template:name == 'error'" />
-		<script src="program/js/jquery.min.js"></script>
-	<roundcube:endif />
 </head>
-<body class="task-<roundcube:exp expression="env:task ?: 'error'">">
+<body class="task-<roundcube:exp expression="env:error_task ?: env:task ?: 'error'">">
 	<roundcube:if condition="!env:framed || env:extwin" />
 		<div id="<roundcube:exp expression="env:action == 'print' ? 'print-' : ''">layout">
 	<roundcube:endif />
diff --git a/skins/elastic/templates/includes/menu.html b/skins/elastic/templates/includes/menu.html
index 3d2e6fb54..561e94e71 100644
--- a/skins/elastic/templates/includes/menu.html
+++ b/skins/elastic/templates/includes/menu.html
@@ -1,7 +1,7 @@
 <div class="menu">
 	<h2 id="aria-label-tasknav" class="voice"><roundcube:label name="arialabeltasknav" /></h2>
 	<div class="popover-header">
-		<roundcube:object name="logo" src="/images/logo.png" data-src-small="0" id="logo" alt="Logo" />
+		<roundcube:object name="logo" src="/images/logo.svg" data-src-small="0" id="logo" alt="Logo" />
 		<a class="button icon cancel"><span class="inner"><roundcube:label name="close" /></span></a>
 	</div>
 	<div id="taskmenu" role="navigation" aria-labelledby="aria-label-tasknav">
diff --git a/skins/elastic/templates/login.html b/skins/elastic/templates/login.html
index d600e29cc..5a04be8d8 100644
--- a/skins/elastic/templates/login.html
+++ b/skins/elastic/templates/login.html
@@ -3,6 +3,7 @@
 <h1 class="voice"><roundcube:object name="productname" /> <roundcube:label name="login" /></h1>
 
 <div class="content selected no-navbar" role="main">
+	<roundcube:object name="logo" src="/images/logo.svg" data-src-small="0" id="logo" alt="Logo" />
 	<roundcube:form id="login-form" name="login-form" method="post" class="propform">
 	<roundcube:object name="loginform" form="login-form" size="40" submit=true />
 		<div id="login-footer" role="contentinfo">
diff --git a/skins/elastic/templates/mail.html b/skins/elastic/templates/mail.html
index 40dc4aec7..42962e98d 100644
--- a/skins/elastic/templates/mail.html
+++ b/skins/elastic/templates/mail.html
@@ -61,13 +61,13 @@
 				<div class="input-group-prepend">
 					<label for="searchfilter" class="input-group-text"><roundcube:label name="type" /></label>
 				</div>
-				<roundcube:object name="searchfilter" id="searchfilter" />
+				<roundcube:object name="searchfilter" id="searchfilter" noevent="true" />
 			</div>
 			<div class="input-group">
 				<div class="input-group-prepend">
 					<label for="s_interval" class="input-group-text"><roundcube:label name="date" /></label>
 				</div>
-				<roundcube:object name="searchinterval" id="s_interval" onchange="rcmail.set_searchinterval($(this).val())" />
+				<roundcube:object name="searchinterval" id="s_interval" />
 			</div>
 			<div class="input-group">
 				<div class="input-group-prepend">
diff --git a/skins/elastic/templates/messageerror.html b/skins/elastic/templates/messageerror.html
deleted file mode 100644
index 848290e8e..000000000
--- a/skins/elastic/templates/messageerror.html
+++ /dev/null
@@ -1,16 +0,0 @@
-<roundcube:include file="includes/layout.html" />
-<roundcube:include file="includes/menu.html" condition="!env:framed && !env:extwin" />
-
-<h1 class="voice"><roundcube:label name="messageopenerror" /></h1>
-
-<div class="content selected">
-	<roundcube:if condition="env:action == 'show'" />
-		<h2 id="aria-label-toolbar" class="voice"><roundcube:label name="arialabeltoolbar" /></h2>
-		<div class="header" role="toolbar" aria-labelledby="aria-label-toolbar">
-			<a class="button icon back-list-button" href="#back"><span class="inner"><roundcube:label name="back" /></span></a>
-		</div>
-	<roundcube:endif />
-	<div class="watermark"></div>
-</div>
-
-<roundcube:include file="includes/footer.html" />
diff --git a/skins/elastic/thumbnail.png b/skins/elastic/thumbnail.png
index 5b6f54a6e..0c16cbeb9 100644
Binary files a/skins/elastic/thumbnail.png and b/skins/elastic/thumbnail.png differ
diff --git a/skins/elastic/ui.js b/skins/elastic/ui.js
index bbf70a0d6..84abaf966 100644
--- a/skins/elastic/ui.js
+++ b/skins/elastic/ui.js
@@ -260,6 +260,8 @@ function rcube_elastic_ui()
                 $(this).addClass('button ' + name);
                 $('.button-inner', this).addClass('inner');
             }
+
+            $(this).on('mouseover', function() { rcube_webmail.long_subject_title(this, 0, $('span.inner', this)); });
         });
 
         // Some plugins use 'listbubtton' class, we'll replace it with 'button'
@@ -512,8 +514,15 @@ function rcube_elastic_ui()
                         .on('click', function() { if ($(this).is('.active')) table.toggleClass('withselection'); })
                         .append($('<span class="inner">').text(rcmail.gettext('select')));
 
-                    if (toolbar.is('.toolbar')) {
+                    if (toolbar.is('.toolbar') || toolbar.is('.toolbarmenu')) {
                         button.prependTo(toolbar).wrap('<li role="menuitem">');
+
+                        // Add a button to the content toolbar menu too
+                        if (layout.content) {
+                            var button2 = create_cloned_button(button, true, 'hidden-big hidden-large');
+                            $('<li role="menuitem">').append(button2).appendTo('#toolbar-menu');
+                            button = button.add(button2);
+                        }
                     }
                     else {
                         button.appendTo(toolbar).addClass('icon');
@@ -657,7 +666,7 @@ function rcube_elastic_ui()
                     $('a.button.attach, a.button.responses')[e.active ? 'addClass' : 'removeClass']('disabled');
                 });
 
-                $('.sidebar > .footer > a.button').click(function() {
+                $('.sidebar > .footer:not(.pagenav) > a.button').click(function() {
                     if ($(this).is('.disabled')) {
                         rcmail.display_message(rcmail.gettext('nocontactselected'), 'warning');
                     }
@@ -932,6 +941,19 @@ function rcube_elastic_ui()
             $('input[type=checkbox]', context).each(function() { pretty_checkbox(this); });
         }
 
+        // Input-group combo is an element with a select field on the left
+        // and input(s) on right, and where the whole right side can be hidden
+        // depending on the select position. This code fixes border radius on select
+        $('.input-group-combo > select:first', context).on('change', function() {
+            var select = $(this),
+                fn = function() {
+                    select[select.next().is(':visible') ? 'removeClass' : 'addClass']('alone');
+                };
+
+            setTimeout(fn, 50);
+            setTimeout(fn, 2000); // for devel mode
+        }).trigger('change');
+
         // Make message-objects alerts pretty (the same as UI alerts)
         $('#message-objects', context).children(':not(.ui.alert)').each(function() {
             // message objects with notice class are really warnings
@@ -974,11 +996,12 @@ function rcube_elastic_ui()
     };
 
     /**
-     * Detects if the element is TinyMCE dialog window
+     * Detects if the element is TinyMCE dialog/menu
      * and adds Elastic styling to it
      */
     function tinymce_style(elem)
     {
+        // TinyMCE dialog widnows
         if ($(elem).is('.mce-window')) {
             var body = $(elem).find('.mce-window-body'),
                 foot = $(elem).find('.mce-foot > .mce-container-body');
@@ -1024,6 +1047,32 @@ function rcube_elastic_ui()
                 }
             }
         }
+        // TinyMCE menus on mobile
+        else if ($(elem).is('.mce-menu')) {
+            $(elem).prepend(
+                $('<h3 class="popover-header">').append(
+                    $('<a class="button icon "' + 'cancel' + '">')
+                        .text(rcmail.gettext('close'))
+                        .on('click', function() { $(document.body).click(); })));
+
+            if (window.MutationObserver) {
+                var callback = function() {
+                        if (mode != 'phone') {
+                            return;
+                        }
+                        if (!$('.mce-menu:visible').length) {
+                            $('div.mce-overlay').click();
+                        }
+                        else if (!$('div.mce-overlay').length) {
+                            $('<div>').attr('class', 'popover-overlay mce-overlay')
+                                .appendTo('body')
+                                .click(function() { $(this).remove(); });
+                        }
+                    };
+
+                (new MutationObserver(callback)).observe(elem, {attributes: true});
+            }
+        }
     };
 
     /**
@@ -1054,7 +1103,9 @@ function rcube_elastic_ui()
         // display or reset the content frame
         var common_content_handler = function(e, href, show, title)
         {
-            content_frame_navigation(href, e);
+            if (is_mobile()) {
+                content_frame_navigation(href, e);
+            }
 
             if (show && !layout.content.is(':visible')) {
                 env.last_selected = layout.content[0];
@@ -1675,9 +1726,13 @@ function rcube_elastic_ui()
                 warning: 'alert-warning',
                 error: 'alert-danger',
                 loading: 'alert-info loading',
+                uploading: 'alert-info loading',
                 vcardattachment: 'alert-info' /* vcard_attachments plugin */
             };
 
+        // Type can be e.g. 'notice chat'
+        type = type.split(' ')[0];
+
         if (wrap && addicon && !$(object).is('.aligned-buttons')) {
             // we need the content to be non-text node for best alignment
             tmp = $(object).html();
@@ -1741,6 +1796,10 @@ function rcube_elastic_ui()
                     return true;
                 }
 
+                if (rcmail.task == 'mail' && $('#s_interval').val()) {
+                    return true;
+                }
+
                 if (rcmail.gui_objects.search_filter && $(rcmail.gui_objects.search_filter).val() != 'ALL') {
                     return true;
                 }
@@ -1775,19 +1834,22 @@ function rcube_elastic_ui()
 
                 $('button.search', options).off('click.search').on('click.search', function() {
                     options_button.trigger('click');
+                    update_func();
                 });
             }
         });
 
         input.on('input change', update_func)
-            .on('focus', function() { input.attr('placeholder', ''); })
-            .on('blur', function() { input.attr('placeholder', placeholder); });
+            .on('focus blur', function(e) { input.attr('placeholder', e.type == 'blur' ? placeholder : ''); });
 
         // Search reset action
         $('a.reset', bar).on('click', function(e) {
             // for treelist widget's search setting val and keyup.treelist is needed
             // in normal search form reset-search command will do the trick
             input.val('').change().trigger('keyup.treelist', {keyCode: 27});
+            if ($(bar).is('.open')) {
+                options_button.click();
+            }
 
             // Reset filter
             if (rcmail.gui_objects.search_filter) {
@@ -1796,22 +1858,21 @@ function rcube_elastic_ui()
 
             if (rcmail.gui_objects.foldersfilter) {
                 $(rcmail.gui_objects.foldersfilter).val('---').change();
+                rcmail.folder_filter('---');
             }
 
             update_func();
         });
 
-        rcmail.addEventListener('init', function() {
-            update_func();
-
-            if (rcmail.gui_objects.search_filter) {
-                $(rcmail.gui_objects.search_filter).on('change', update_func);
-            }
-
-            if (rcmail.gui_objects.foldersfilter) {
-                $(rcmail.gui_objects.foldersfilter).on('change', update_func);
-            }
-        });
+        rcmail.addEventListener('init', function() { update_func(); })
+            .addEventListener('beforelist', function() {
+                if ($(bar).is('.open')) {
+                    options_button.click(); // close options form on 'list' request
+                }
+            })
+            .addEventListener('responsebeforesearch', function() {
+                update_func();
+            });
     };
 
     /**
@@ -2335,7 +2396,7 @@ function rcube_elastic_ui()
     {
         var content = $('#listoptions-menu'),
             width = content.width() + 25,
-            dialog = content.clone();
+            dialog = content.clone(true);
 
         // set form values
         $('select[name="sort_col"]', dialog).val(rcmail.env.sort_col || '');
@@ -2436,15 +2497,17 @@ function rcube_elastic_ui()
     {
         var n, all,
             list = $('input[name="s_mods[]"]', obj),
-            scope_select = $('select[name=s_scope]', obj),
+            scope_select = $('#s_scope', obj),
             mbox = rcmail.env.mailbox,
             mods = rcmail.env.search_mods,
             scope = rcmail.env.search_scope || 'base';
 
         if (!$(obj).data('initialized')) {
-            list.on('click', function() { set_searchmod(this, obj); });
-            scope_select.on('click', function() { rcmail.set_searchscope($(this).val()); });
             $(obj).data('initialized', true);
+            if (list.length) {
+                list.on('change', function() { set_searchmod(obj, this); });
+                rcmail.addEventListener('beforesearch', function() { set_searchmod(obj); });
+            }
         }
 
         if (rcmail.env.search_mods) {
@@ -2476,12 +2539,13 @@ function rcube_elastic_ui()
         }
     };
 
-    function set_searchmod(elem, menu)
+    function set_searchmod(menu, elem)
     {
         var all, m, task = rcmail.env.task,
             mods = rcmail.env.search_mods,
             mbox = rcmail.env.mailbox,
-            scope = $('select[name=s_scope]', menu).val();
+            scope = $('#s_scope', menu).val(),
+            interval = $('#s_interval', menu).val();
 
         if (scope == 'all') {
             mbox = '*';
@@ -2497,12 +2561,19 @@ function rcube_elastic_ui()
             }
             m = mods[mbox];
             all = 'text';
+
+            rcmail.env.search_scope = scope;
+            rcmail.env.search_interval = interval;
         }
         else { //addressbook
             m = mods;
             all = '*';
         }
 
+        if (!elem) {
+            return;
+        }
+
         if (!elem.checked) {
             delete(m[elem.value]);
         }
diff --git a/skins/elastic/watermark.html b/skins/elastic/watermark.html
index 015e05c06..3a5c8e0b3 100644
--- a/skins/elastic/watermark.html
+++ b/skins/elastic/watermark.html
@@ -1,11 +1,12 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta charset="utf-8">
+<meta charset="UTF-8">
 <title></title>
 <style type="text/css">
 html, body { height: 100%; overflow: hidden; }
-body { background: url(images/watermark.jpg) center no-repeat #fff; }
+body { background: url(images/logo.svg) center no-repeat #fff; background-size: 30%; }
+body:before { content: ""; position: absolute; top: 0; bottom: 0; left: 0; right: 0; background: rgba(255, 255, 255, .85); }
 </style>
 </head>
 <body></body>
diff --git a/skins/larry/templates/about.html b/skins/larry/templates/about.html
index a63d57b6a..6b2d7a598 100644
--- a/skins/larry/templates/about.html
+++ b/skins/larry/templates/about.html
@@ -8,15 +8,9 @@
 
 <div class="readtext">
 <roundcube:object name="aboutcontent" />
-
 <h2 class="sysname">Roundcube Webmail <roundcube:object name="version" /></h2>
-<p class="copyright">Copyright &copy; 2005-2018, The Roundcube Dev Team</p>
-<p class="license">This program is free software; you can redistribute it and/or modify
-it under the terms of the <a href="http://www.gnu.org/licenses/gpl.html" target="_blank">GNU General Public License</a>
-as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br/>
-Some <a href="https://roundcube.net/license" target="_blank">exceptions</a> for skins &amp; plugins apply.
-</p>
-
+<p class="copyright"><roundcube:object name="copyright" /></p>
+<p class="license"><roundcube:object name="license" /></p>
 </div>
 
 <div class="readtext">
diff --git a/skins/larry/templates/error.html b/skins/larry/templates/error.html
index 85fb4e7a9..70b69b2df 100644
--- a/skins/larry/templates/error.html
+++ b/skins/larry/templates/error.html
@@ -4,8 +4,8 @@
 <title><roundcube:object name="pagetitle" /></title>
 <roundcube:include file="/includes/links.html" />
 </head>
-<roundcube:if condition="!env:framed" />
-<roundcube:if condition="env:extwin" /><body class="error extwin"><roundcube:else /><body class="error"><roundcube:endif />
+<roundcube:if condition="!env:framed && env:error_task != 'error-login'" />
+<body class="error<roundcube:exp expression="env:extwin ? ' extwin' : ''" />">
 <roundcube:include file="/includes/header.html" />
 <roundcube:else />
 <body class="error iframe">
diff --git a/tests/MailFunc.php b/tests/MailFunc.php
index 2689001e2..fb4749196 100644
--- a/tests/MailFunc.php
+++ b/tests/MailFunc.php
@@ -75,6 +75,7 @@ class MailFunc extends PHPUnit_Framework_TestCase
 
         $this->assertNotRegExp('/src="skins/', $washed, "Remove local references");
         $this->assertNotRegExp('/\son[a-z]+/', $washed, "Remove on* attributes");
+        $this->assertNotContains('onload', $washed, "Handle invalid style");
 
         $html = rcmail_html4inline($washed, array('container_id' => 'foo'));
         $this->assertNotRegExp('/onclick="return rcmail.command(\'compose\',\'xss@somehost.net\',this)"/', $html, "Clean mailto links");
diff --git a/tests/src/htmlxss.txt b/tests/src/htmlxss.txt
index f6c43e353..a81c5776e 100644
--- a/tests/src/htmlxss.txt
+++ b/tests/src/htmlxss.txt
@@ -18,5 +18,7 @@ Have a nice Christmas time.<br />
 Thomas
 </p>
 
+<html><svg><style><//><body onload=alert(1)>
+
 </body>
 </html>