diff --git a/scripts/50-dovecot.sh b/scripts/50-dovecot.sh index ba3eed2..c3d9a03 100644 --- a/scripts/50-dovecot.sh +++ b/scripts/50-dovecot.sh @@ -76,12 +76,22 @@ service auth { } } service imap-login { - inet_listener imap { port = 143 } - inet_listener imaps { port = 993; ssl = yes } + inet_listener imap { + port = 143 + } + inet_listener imaps { + port = 993 + ssl = yes + } } service pop3-login { - inet_listener pop3 { port = 110 } - inet_listener pop3s { port = 995; ssl = yes } + inet_listener pop3 { + port = 110 + } + inet_listener pop3s { + port = 995 + ssl = yes + } } CONF @@ -101,8 +111,10 @@ fi # Postfix-Socket-Verzeichnis sicherstellen mkdir -p /var/spool/postfix/private -chown postfix:postfix /var/spool/postfix /var/spool/postfix/private -chmod 0755 /var/spool/postfix /var/spool/postfix/private +chown root:root /var/spool/postfix +chmod 0755 /var/spool/postfix +chown postfix:postfix /var/spool/postfix/private +chmod 0755 /var/spool/postfix/private # Nur aktivieren – Start/Reload erst nach App/DB in 90-services.sh systemctl enable dovecot >/dev/null 2>&1 || true \ No newline at end of file diff --git a/scripts/80-app.sh b/scripts/80-app.sh index 971d581..5ead5f7 100644 --- a/scripts/80-app.sh +++ b/scripts/80-app.sh 
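Review bot: `chmod 0755 /var/spool/postfix/private` in the second hunk of scripts/50-dovecot.sh leaves the private socket directory traversable by every local account, and the ownership split added here does not change that. On a stock Postfix layout `private` is mode 0700 and the sockets inside it are created world-writable, so the directory mode is what keeps unprivileged users away from them. I would use `chmod 0700 /var/spool/postfix/private` and let the Dovecot listeners placed there carry their own `user`/`group`/`mode` settings. Those `unix_listener` blocks are outside this hunk, so please confirm Dovecot can still create its socket with the tighter mode.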
@@ -32,25 +32,25 @@ sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan key:generate --for # resolve_ok "$host" -> 0/1 # APP_HOST und APP_URL bestimmen -APP_HOST_VAL="$SERVER_PUBLIC_IPV4" -if [[ -n "${UI_HOST:-}" ]] && resolve_ok "$UI_HOST"; then - APP_HOST_VAL="$UI_HOST" +SERVER_PUBLIC_IPV4="${SERVER_PUBLIC_IPV4:-}" +if [[ -z "$SERVER_PUBLIC_IPV4" ]] && command -v curl >/dev/null 2>&1; then + SERVER_PUBLIC_IPV4="$(curl -fsS --max-time 2 https://ifconfig.me 2>/dev/null || true)" + [[ "$SERVER_PUBLIC_IPV4" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || SERVER_PUBLIC_IPV4="" fi +[[ -n "$SERVER_PUBLIC_IPV4" ]] || SERVER_PUBLIC_IPV4="$(detect_ip)" +# 2) Domain bevorzugen, wenn UI_HOST gesetzt (z.B. hinter Nginx Proxy Manager) UI_CERT="/etc/ssl/ui/fullchain.pem" UI_KEY="/etc/ssl/ui/privkey.pem" -if [[ "$APP_HOST_VAL" = "$UI_HOST" ]]; then - if [[ -f "$UI_CERT" && -f "$UI_KEY" ]]; then - APP_URL_VAL="https://${UI_HOST}" - else - APP_URL_VAL="http://${UI_HOST}" - fi + +if [[ -n "${UI_HOST:-}" ]]; then + APP_HOST_VAL="$UI_HOST" + APP_URL_VAL="https://${UI_HOST}" # TLS terminiert am Proxy else - if [[ -f "$UI_CERT" && -f "$UI_KEY" ]]; then - APP_URL_VAL="https://${SERVER_PUBLIC_IPV4}" - else - APP_URL_VAL="http://${SERVER_PUBLIC_IPV4}" - fi + APP_HOST_VAL="$SERVER_PUBLIC_IPV4" + SCHEME="http" + [[ -s "$UI_CERT" && -s "$UI_KEY" ]] && SCHEME="https" + APP_URL_VAL="${SCHEME}://${SERVER_PUBLIC_IPV4}" fi [ -z "${REDIS_PASS:-}" ] && REDIS_PASS="$(awk '/^[[:space:]]*requirepass[[:space:]]+/ {print $2}' /etc/redis/redis.conf | tail -n1 || true)" diff --git a/scripts/90-services.sh b/scripts/90-services.sh index 6a69a4a..0521d39 100644 --- a/scripts/90-services.sh +++ b/scripts/90-services.sh @@ -96,6 +96,7 @@ systemctl reload nginx || true systemctl restart php*-fpm || true # Mail-Dienste JETZT starten (damit 25/465/587 offen sind) +systemctl enable --now rspamd opendkim || true systemctl enable --now postfix systemctl enable --now dovecot 
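Review bot: The public-address lookup added at the top of the scripts/80-app.sh hunk validates the reply too loosely and is a copy of `detect_ipv4`, which this same commit adds to scripts/lib.sh. The pattern `^([0-9]{1,3}\.){3}[0-9]{1,3}$` accepts octets above 255, and without `-4` a dual-stack host can receive an IPv6 reply that is discarded, silently falling back to `detect_ip`; both apply to the helper as well. I would add `-4` to the curl call in the helper and replace the inline block with `[[ -n "$SERVER_PUBLIC_IPV4" ]] || SERVER_PUBLIC_IPV4="$(detect_ipv4)"`, assuming lib.sh is sourced here as the `detect_ip` call suggests. Separately, `UI_HOST` now reaches `APP_URL_VAL` without the earlier `resolve_ok` check, so a mistyped value becomes the https URL unnoticed; a hostname-syntax check before the assignment would catch that.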
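Review bot: The `|| true` on the added `systemctl enable --now rspamd opendkim` line in scripts/90-services.sh hides a failed filter start, and Postfix is brought up right after it regardless. If these two are wired in as milters (the Postfix configuration is not part of this diff), mail is then either tempfailed or accepted unscanned and unsigned, depending on `milter_default_action`. Continuing the install is reasonable, but the failure should be visible: `systemctl enable --now rspamd opendkim || echo "WARN: rspamd/opendkim not started" >&2`.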
diff --git a/scripts/99-summary.sh b/scripts/99-summary.sh index 6ed4053..ac19a8b 100644 --- a/scripts/99-summary.sh +++ b/scripts/99-summary.sh @@ -67,6 +67,8 @@ check_port(){ if timeout 8s bash -lc "$cmd" >/dev/null 2>&1; then ok; else fail; fi } +sleep 6 || true + # SMTP family check_port "25" 'printf "QUIT\r\n" | nc -w 3 127.0.0.1 25' "SMTP (EHLO)" check_port "465" 'printf "QUIT\r\n" | openssl s_client -connect 127.0.0.1:465 -quiet -ign_eof' "SMTPS (TLS + EHLO)" diff --git a/scripts/lib.sh b/scripts/lib.sh index 30f395a..e36d184 100644 --- a/scripts/lib.sh +++ b/scripts/lib.sh @@ -73,6 +73,14 @@ detect_ip(){ [[ -n "${ip:-}" ]] || die "Konnte Server-IP nicht ermitteln." echo "$ip" } +detect_ipv4() { + local ext="" + if command -v curl >/dev/null 2>&1; then + ext="$(curl -fsS --max-time 2 https://ifconfig.me 2>/dev/null || true)" + [[ "$ext" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || ext="" + fi + echo "$ext" +} detect_ipv6(){ local ip6 ip6="$(ip -6 addr show scope global 2>/dev/null | awk '/inet6/{print $2}' | cut -d/ -f1 | head -n1)" || true @@ -111,4 +119,4 @@ upsert_env(){ # upsert in $ENV_FILE else printf '%s=%s\n' "$k" "$v" >> "$ENV_FILE" fi -} \ No newline at end of file +}
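Review bot: The fixed `sleep 6 || true` added before the port checks in scripts/99-summary.sh is a guess at service start-up time. On a slow host it is too short and produces false FAIL rows; on a fast host it only delays the summary. A bounded poll on the first listener gives the same settling time without the guess, and the `|| true` can go because `sleep 6` does not fail in normal operation. check_port's body begins above the hunk, so retrying inside it would be the alternative.

```shell
# Wait (bounded) until the SMTP listener accepts connections
for _ in {1..15}; do
  nc -z -w 1 127.0.0.1 25 >/dev/null 2>&1 && break
  sleep 1
done

# … unchanged: check_port calls for the SMTP family …
```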
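Review bot: `detect_ipv4` in the first scripts/lib.sh hunk has no header comment, and its contract differs from `detect_ip` directly above it. It prints an empty line and returns 0 when curl is missing, the request fails or the reply is not a dotted quad, whereas `detect_ip` calls `die`. Callers therefore have to test for an empty result, so I would state that above the function, e.g. `# detect_ipv4: public IPv4 as reported by ifconfig.me; prints an empty line on any failure (never exits)`. The value comes from a third-party service, which is worth saying in the same comment so it is not treated as authoritative.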