diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index daef8b9e..b9cbe879 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -18,7 +18,11 @@ STATUSES = {
         "sieve": "AuthFailed"
     }),
     "encryption": ("Must issue a STARTTLS command first", {
-        "smtp": "530 5.7.0"
+        "imap": "PRIVACYREQUIRED",
+        "smtp": "530 5.7.0",
+        "submission": "530 5.7.0",
+        "pop3": "-ERR Authentication canceled.",
+        "sieve": "ENCRYPT-NEEDED"
     }),
     "ratelimit": ("Temporary authentication failure (rate-limit)", {
         "imap": "LIMIT",
@@ -68,7 +72,7 @@ def handle_authentication(headers):
     # Incoming mail, no authentication
     if method in ['', 'none'] and protocol in ['smtp', 'lmtp']:
         server, port = get_server(protocol, False)
-        if app.config["INBOUND_TLS_ENFORCE"]:
+        if app.config["INBOUND_TLS_ENFORCE"] and protocol == 'smtp':
             if "Auth-SSL" in headers and headers["Auth-SSL"] == "on":
                 return {
                     "Auth-Status": "OK",
diff --git a/core/admin/mailu/ui/views/users.py b/core/admin/mailu/ui/views/users.py
index 6487c326..85f7c577 100644
--- a/core/admin/mailu/ui/views/users.py
+++ b/core/admin/mailu/ui/views/users.py
@@ -24,7 +24,7 @@ def user_create(domain_name):
             flask.url_for('.user_list', domain_name=domain.name))
     form = forms.UserForm()
     form.pw.validators = [wtforms.validators.DataRequired()]
-    form.quota_bytes.default = app.config['DEFAULT_QUOTA']
+    form.quota_bytes.default = int(app.config['DEFAULT_QUOTA'])
     if domain.max_quota_bytes:
         form.quota_bytes.validators = [
             wtforms.validators.NumberRange(max=domain.max_quota_bytes)]
diff --git a/core/base/libs/socrate/socrate/system.py b/core/base/libs/socrate/socrate/system.py
index 8ea770a3..c5046f4c 100644
--- a/core/base/libs/socrate/socrate/system.py
+++ b/core/base/libs/socrate/socrate/system.py
@@ -158,7 +158,7 @@ def forward_text_lines(src, dst):
 
 # runs a process and passes its standard/error output to the standard/error output of the current python script
 def run_process_and_forward_output(cmd):
-    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
+    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, encoding='utf-8')
 
     stdout_thread = threading.Thread(target=forward_text_lines, args=(process.stdout, sys.stdout))
     stdout_thread.daemon = True
diff --git a/docs/maintain.rst b/docs/maintain.rst
index eff8f5c4..a2041a86 100644
--- a/docs/maintain.rst
+++ b/docs/maintain.rst
@@ -47,6 +47,7 @@ In the case of *certbot* you could write a script to be executed as `deploy hook
   cp /etc/letsencrypt/live/domain.com/privkey.pem /mailu/certs/key.pem || exit 1
   cp /etc/letsencrypt/live/domain.com/fullchain.pem /mailu/certs/cert.pem || exit 1
   docker exec mailu_front_1 nginx -s reload
+  docker exec mailu_front_1 doveadm reload
 
 And the certbot command you will use in crontab would look something like:
 
diff --git a/optional/fetchmail/fetchmail.py b/optional/fetchmail/fetchmail.py
index 410ce4fb..96f387dd 100755
--- a/optional/fetchmail/fetchmail.py
+++ b/optional/fetchmail/fetchmail.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
 
+import binascii
 import time
 import os
 from pathlib import Path
@@ -32,6 +33,19 @@ poll "{host}" proto {protocol}  port {port}
     {lmtp}
 """
 
+def imaputf7encode(s):
+    """Encode a string into RFC2060 aka IMAP UTF7"""
+    out = ''
+    enc = ''
+    for c in s.replace('&','&-') + 'X':
+        if '\x20' <= c <= '\x7f':
+            if enc:
+                out += f'&{binascii.b2a_base64(enc.encode("utf-16-be")).rstrip(b"\n=").replace(b"/", b",").decode("ascii")}-'
+                enc = ''
+            out += c
+        else:
+            enc += c
+    return out[:-1]
 
 def escape_rc_string(arg):
     return "".join("\\x%2x" % ord(char) for char in arg)
@@ -54,7 +68,7 @@ def run(debug):
             options = "options antispam 501, 504, 550, 553, 554"
             options += " ssl" if fetch["tls"] else ""
             options += " keep" if fetch["keep"] else " fetchall"
-            folders = "folders %s" % ((','.join('"' + item + '"' for item in fetch['folders'])) if fetch['folders'] else '"INBOX"')
+            folders = f"folders {",".join(f'"{imaputf7encode(item).replace('"',r"\34")}"' for item in fetch["folders"]) or '"INBOX"'}"
             fetchmailrc += RC_LINE.format(
                 user_email=escape_rc_string(fetch["user_email"]),
                 protocol=fetch["protocol"],
diff --git a/towncrier/newsfragments/2296.bugfix b/towncrier/newsfragments/2296.bugfix
new file mode 100644
index 00000000..493238ff
--- /dev/null
+++ b/towncrier/newsfragments/2296.bugfix
@@ -0,0 +1 @@
+Ensure fetchmail can deal with special characters in folder names
diff --git a/towncrier/newsfragments/3272.bugfix b/towncrier/newsfragments/3272.bugfix
new file mode 100644
index 00000000..726e9e78
--- /dev/null
+++ b/towncrier/newsfragments/3272.bugfix
@@ -0,0 +1 @@
+Increase the size of buffers for webmail
diff --git a/towncrier/newsfragments/3379.bugfix b/towncrier/newsfragments/3379.bugfix
new file mode 100644
index 00000000..c1842c52
--- /dev/null
+++ b/towncrier/newsfragments/3379.bugfix
@@ -0,0 +1 @@
+Fix #3379: DEFAULT_QUOTA
diff --git a/towncrier/newsfragments/3401.bugfix b/towncrier/newsfragments/3401.bugfix
new file mode 100644
index 00000000..5309408d
--- /dev/null
+++ b/towncrier/newsfragments/3401.bugfix
@@ -0,0 +1 @@
+Fix an error that can occur when using snappymail
diff --git a/towncrier/newsfragments/3403.bugfix b/towncrier/newsfragments/3403.bugfix
new file mode 100644
index 00000000..d8169ba1
--- /dev/null
+++ b/towncrier/newsfragments/3403.bugfix
@@ -0,0 +1 @@
+fix INBOUND_TLS_ENFORCE
diff --git a/towncrier/newsfragments/3405.bugfix b/towncrier/newsfragments/3405.bugfix
new file mode 100644
index 00000000..07db93a8
--- /dev/null
+++ b/towncrier/newsfragments/3405.bugfix
@@ -0,0 +1 @@
+Update the documentation: ensure that users reload dovecot too if they manually configure certificates
diff --git a/webmails/nginx-webmail.conf b/webmails/nginx-webmail.conf
index 8772c8c8..d403eea4 100644
--- a/webmails/nginx-webmail.conf
+++ b/webmails/nginx-webmail.conf
@@ -55,6 +55,16 @@ server {
         {% else %}
         fastcgi_param SCRIPT_NAME {{WEB_WEBMAIL}}/$fastcgi_script_name;
         {% endif %}
+
+        # fastcgi buffers for php-fpm #
+        fastcgi_buffers 16 32k;
+        fastcgi_buffer_size 64k;
+        fastcgi_busy_buffers_size 64k;
+
+        # nginx buffers #
+        proxy_buffer_size 128k;
+        proxy_buffers 4 256k;
+        proxy_busy_buffers_size 256k;
     }
 
     location ~ (^|/)\. {
diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules
index 10390d45..3d4713f8 100644
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
@@ -130,6 +130,7 @@ sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").
 
 # Logging lockdown
 sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
+sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename_r("/var/www/snappymail/snappymail/v/[0-9]+\.[0-9]+\.[0-9]+/app/libraries/snappymail/shutdown.php").allow();
 sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
 
 sp.auto_cookie_secure.enable();