diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3a7579e7..0ad064d2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,3 +14,39 @@ jobs:
       uses: ludeeus/action-shellcheck@master
       env:
         SHELLCHECK_OPTS: -s bash -e SC1004,SC1091,SC2009,SC2016,SC2039,SC2086,SC2119,SC2153
+
+  bats:
+    name: Bats
+    runs-on: ubuntu-latest
+    steps:
+    - name: checkout
+      uses: actions/checkout@v4
+    - name: Setup Bats
+      run: git submodule update --init --recursive
+    - name: bats test
+      run: ./test/bats/bin/bats test
+
+  freebsd:
+    if: false
+    runs-on: ubuntu-latest
+    name: FreeBSD
+    env:
+      MYTOKEN : ${{ secrets.MYTOKEN }}
+      MYTOKEN2: "value2"
+    steps:
+    - uses: actions/checkout@v4
+    - name: Test in FreeBSD
+      id: test
+      uses: vmactions/freebsd-vm@v1
+      with:
+        envs: 'MYTOKEN MYTOKEN2'
+        usesh: true
+        prepare: |
+          pkg install -y curl
+
+        run: |
+          pwd
+          ls -lah
+          whoami
+          env
+          freebsd-version
\ No newline at end of file
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 00000000..b7efcb44
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,9 @@
+[submodule "test/bats"]
+	path = test/bats
+	url = https://github.com/bats-core/bats-core.git
+[submodule "test/test_helper/bats-support"]
+	path = test/test_helper/bats-support
+	url = https://github.com/bats-core/bats-support.git
+[submodule "test/test_helper/bats-assert"]
+	path = test/test_helper/bats-assert
+	url = https://github.com/bats-core/bats-assert.git
diff --git a/include/djb.sh b/include/djb.sh
index 53a50448..3374553e 100644
--- a/include/djb.sh
+++ b/include/djb.sh
@@ -54,7 +54,6 @@ cd djbdns-1.05
 xzcat ../djbdns-1.05-test32.diff.xz | patch
 echo "cc" > conf-cc
 echo 'cc -s' > conf-ld
-#sed -i .bak -e 's/uint16.h/uint16.h uint32.h/g' Makefile
 sed -i .bak -e 's/"\/"/auto_home/; s/02755/0755/g' hier.c
 fetch -q -o - https://www.internic.net/domain/named.root \
     | grep ' A ' \
diff --git a/include/editor.sh b/include/editor.sh
new file mode 100755
index 00000000..0ce907f5
--- /dev/null
+++ b/include/editor.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+
+configure_vim_tiny()
+{
+	if jail_is_running stage; then
+		stage_pkg_install vim-tiny
+	else
+		pkg install vim-tiny
+	fi
+
+	install_vimrc
+
+	# vim-tiny has no syntax or color files, so disable some stuff
+	sed -i '' \
+		-e 's/^syntax on/" syntax on/' \
+		-e 's/^colorscheme/" colorscheme/' \
+		-e 's/^set number/" set number/' \
+		-e 's/^set cursorline/" set cursorline/' \
+		-e 's/^set relativenumber/" set relativenumber/' \
+		"$_base/vimrc"
+}
+
+configure_vim()
+{
+	if jail_is_running stage; then
+		stage_pkg_install vim
+	else
+		pkg install vim
+	fi
+
+	install_vimrc
+
+	sed -i '' \
+		-e 's/set termguicolors/" set termguicolors/' \
+		-e 's/^set number/" set number/' \
+		-e 's/^set cursorline/" set cursorline/' \
+		-e 's/^set relativenumber/" set relativenumber/' \
+		"$_base/vimrc"
+
+	if fetch -m -o /usr/local/share/vim/vim91/colors/gruvbox.vim https://raw.githubusercontent.com/morhetz/gruvbox/master/colors/gruvbox.vim;
+	then
+		sed -i '' \
+			-e 's/^colorscheme.*/colorscheme gruvbox/' \
+			"$_base/vimrc"
+	fi
+}
+
+install_vimrc()
+{
+	tell_status "installing vimrc"
+
+	local _vimdir="$_base/usr/local/etc/vim"
+	if [ ! -d "$_vimdir" ]; then
+		mkdir -p "$_vimdir" || exit
+	fi
+
+	fetch -m -o "$_vimdir/vimrc" https://raw.githubusercontent.com/nandalopes/vim-for-server/main/vimrc
+}
+
+configure_neovim()
+{
+	if jail_is_running stage; then
+		stage_pkg_install neovim
+	else
+		pkg install neovim
+	fi
+
+	# todo
+}
+
+configure_editor()
+{
+	local _base=${1:-""}
+
+	case "$TOASTER_EDITOR" in
+		neovim)
+			configure_neovim
+			;;
+		vim-tiny)
+			configure_vim_tiny
+			;;
+		vim)
+			configure_vim
+			;;
+		vi) ;;
+		*)  ;;
+	esac
+}
diff --git a/include/mta.sh b/include/mta.sh
new file mode 100755
index 00000000..f702b8b0
--- /dev/null
+++ b/include/mta.sh
@@ -0,0 +1,123 @@
+#!/bin/sh
+
+configure_mta()
+{
+	local _base=${1:-""}
+	local _mta=${2:-"$TOASTER_BASE_MTA"}
+
+	if [ "$_mta" = "dma" ] && [ -x "$_base/usr/libexec/dma" ]; then
+		disable_sendmail
+		enable_dma
+	elif [ "$_mta" = "sendmail" ]; then
+		enable_sendmail
+	elif [ -x "$_base/usr/libexec/dma" ]; then
+		disable_sendmail
+		enable_dma
+	else
+		disable_sendmail
+		install_ssmtp
+	fi
+}
+
+enable_sendmail()
+{
+	local _sysrc="sysrc -f $_base/etc/rc.conf"
+
+	if [ "$($_sysrc -n sendmail_enable)" != "YES" ]; then
+		$_sysrc sendmail_enable=YES
+	fi
+
+	if [ "$($_sysrc -n sendmail_outbound_enable)" != "YES" ]; then
+		$_sysrc sendmail_outbound_enable=YES
+	fi
+
+	if jail_is_running stage; then
+		stage_exec service sendmail start
+	else
+		service sendmail start
+	fi
+
+	set_root_alias
+
+	cp "$_base/usr/share/examples/sendmail/mailer.conf" "$_base/etc/mail/mailer.conf"
+}
+
+disable_sendmail()
+{
+	if jail_is_running stage; then
+		if pgrep -j stage sendmail; then stage_exec service sendmail onestop; fi
+	else
+		if pgrep -j none sendmail; then service sendmail onestop; fi
+	fi
+
+	local _sysrc="sysrc -f $_base/etc/rc.conf"
+
+	if [ "$($_sysrc -n sendmail_enable)" != "NONE" ]; then
+		$_sysrc sendmail_enable=NONE
+	fi
+
+	if [ "$($_sysrc -n sendmail_outbound_enable)" != "NO" ]; then
+		$_sysrc sendmail_outbound_enable=NO
+	fi
+}
+
+set_root_alias()
+{
+	local _aliases="$_base/etc/mail/aliases"
+
+	if grep -q my.domain "$_aliases"; then
+		tell_status "setting root email in $_aliases to $TOASTER_ADMIN_EMAIL"
+
+		sed -i '' \
+			-e "/^# root:/ s/^# //" \
+			-e "/^root/ s/me@my.domain/$TOASTER_ADMIN_EMAIL/" \
+			"$_aliases"
+	fi
+}
+
+enable_dma()
+{
+	tell_status "setting up dma"
+	cp "$_base/usr/share/examples/dma/mailer.conf" "$_base/etc/mail/mailer.conf"
+
+	echo "dma.conf: $_base/etc/dma/dma.conf"
+	sed -i '' \
+		-e "s/^#SMARTHOST/SMARTHOST $TOASTER_MSA/" \
+		"$_base/etc/dma/dma.conf"
+
+	set_root_alias
+}
+
+install_ssmtp()
+{
+	tell_status "installing ssmtp"
+
+	if jail_is_running stage; then
+		stage_pkg_install ssmtp
+	else
+		pkg install ssmtp
+	fi
+
+	tell_status "configuring ssmtp"
+	if [ ! -f "$_base/usr/local/etc/ssmtp/revaliases" ]; then
+		cp "$_base/usr/local/etc/ssmtp/revaliases.sample" \
+		   "$_base/usr/local/etc/ssmtp/revaliases"
+	fi
+
+	sed -e "/^root=/ s/postmaster/$TOASTER_ADMIN_EMAIL/" \
+		-e "/^mailhub=/ s/=mail/=$TOASTER_MSA/" \
+		-e "/^rewriteDomain=/ s/=\$/=$TOASTER_MAIL_DOMAIN/" \
+		-e '/^#FromLineOverride=YES/ s/#//' \
+		"$_base/usr/local/etc/ssmtp/ssmtp.conf.sample" \
+		> "$_base/usr/local/etc/ssmtp/ssmtp.conf" || exit
+
+	tee "$_base/etc/mail/mailer.conf" <<EO_MAILER_CONF
+sendmail	/usr/local/sbin/ssmtp
+send-mail	/usr/local/sbin/ssmtp
+mailq		/usr/local/sbin/ssmtp
+newaliases	/usr/local/sbin/ssmtp
+hoststat	/usr/bin/true
+purgestat	/usr/bin/true
+EO_MAILER_CONF
+
+}
diff --git a/include/mysql.sh b/include/mysql.sh
old mode 100644
new mode 100755
diff --git a/include/nginx.sh b/include/nginx.sh
old mode 100644
new mode 100755
diff --git a/include/php.sh b/include/php.sh
old mode 100644
new mode 100755
diff --git a/include/shell.sh b/include/shell.sh
old mode 100644
new mode 100755
index 33629081..b070096b
--- a/include/shell.sh
+++ b/include/shell.sh
@@ -41,6 +41,7 @@ export HISTIGNORE="&:[bf]g:exit"
 shopt -s histappend
 shopt -s cdspell
 alias h="history 200"
+alias ll="ls -alFG"
 EO_BASH_PROFILE
 
 	if ! grep -qs profile "$1"; then
@@ -66,6 +67,13 @@ case $(id -u) in
     0) PS1="${PS1}# ";;
     *) PS1="${PS1}$ ";;
 esac
+
+jexecl() {
+  if   [ -z "$1" ]; then /usr/sbin/jexec;
+  elif [ -n "$2" ]; then /usr/sbin/jexec ${@:1};
+  else /usr/sbin/jexec $1 login -f -h $(hostname) root;
+  fi
+}
 EO_BOURNE_SHELL
 	fi
 
diff --git a/include/user.sh b/include/user.sh
old mode 100644
new mode 100755
diff --git a/include/vpopmail.sh b/include/vpopmail.sh
old mode 100644
new mode 100755
diff --git a/mail-toaster.sh b/mail-toaster.sh
index 784041b3..046fa5d3 100755
--- a/mail-toaster.sh
+++ b/mail-toaster.sh
@@ -77,6 +77,7 @@ export JAIL_NET6="$(get_random_ip6net)"
 export ZFS_VOL="zroot"
 export ZFS_JAIL_MNT="/jails"
 export ZFS_DATA_MNT="/data"
+export TOASTER_EDITOR="vim-tiny"
 export TOASTER_MSA="haraka"
 export TOASTER_MYSQL="1"
 export TOASTER_MYSQL_PASS=""
@@ -168,6 +169,9 @@ export ZFS_JAIL_MNT=${ZFS_JAIL_MNT:="/jails"}
 export ZFS_DATA_MNT=${ZFS_DATA_MNT:="/data"}
 export FBSD_MIRROR=${FBSD_MIRROR:="ftp://ftp.freebsd.org"}
 
+export TOASTER_BASE_MTA=${TOASTER_BASE_MTA:=""}
+export TOASTER_BASE_PKGS=${TOASTER_BASE_PKGS:="pkg ca_root_nss"}
+export TOASTER_EDITOR=${TOASTER_EDITOR:="vi"}
 # See https://github.com/msimerson/Mail-Toaster-6/wiki/MySQL
 export TOASTER_MYSQL=${TOASTER_MYSQL:="1"}
 export TOASTER_MARIADB=${TOASTER_MARIADB:="0"}
@@ -243,7 +247,7 @@ export BASE_MNT="$ZFS_JAIL_MNT/$BASE_NAME"
 
 export STAGE_MNT="$ZFS_JAIL_MNT/stage"
 
-fatal_err() { echo; echo "FATAL: $1"; echo; exit; }
+fatal_err() { echo; echo "FATAL: $1"; echo; exit 1; }
 
 safe_jailname()
 {
@@ -265,9 +269,11 @@ zfs_filesystem_exists()
 
 zfs_snapshot_exists()
 {
-	zfs list -t snapshot "$1" 2>/dev/null | grep -q "$1" || return 1
-	echo "$1 snapshot exists"
-	return 0
+	if zfs list -t snapshot "$1" 2>/dev/null | grep -q "$1"; then
+		echo "$1 snapshot exists"
+		return
+	fi
+	false
 }
 
 zfs_mountpoint_exists()
@@ -483,15 +489,17 @@ add_jail_conf_d()
 	fi
 
 	tell_status "creating $_safe_path"
-	echo "$(jail_conf_header)
+	tee "$_safe_path" <<EO_JAIL_RC
+$(jail_conf_header)
 
 $(safe_jailname $1)	{$(get_safe_jail_path $1)
-		mount.fstab = \"$ZFS_DATA_MNT/$1/etc/fstab\";
+		mount.fstab = "$ZFS_DATA_MNT/$1/etc/fstab";
 		ip4.addr = $JAIL_NET_INTERFACE|${_jail_ip};
 		ip6.addr = $JAIL_NET_INTERFACE|$(get_jail_ip6 $1);${JAIL_CONF_EXTRA}
-		exec.created = \"$ZFS_DATA_MNT/$1/etc/pf.conf.d/pfrule.sh load\";
-		exec.poststop = \"$ZFS_DATA_MNT/$1/etc/pf.conf.d/pfrule.sh unload\";
-	}" | tee -a $_safe_path
+		exec.created = "$ZFS_DATA_MNT/$1/etc/pf.conf.d/pfrule.sh load";
+		exec.poststop = "$ZFS_DATA_MNT/$1/etc/pf.conf.d/pfrule.sh unload";
+	}
+EO_JAIL_RC
 }
 
 add_automount()
@@ -523,14 +531,17 @@ stop_jail()
 {
 	tell_status "stopping jail $1"
 	local _safe; _safe=$(safe_jailname "$1")
-	if jls -j $_safe -d 2>/dev/null | grep -q $_safe; then
+	if jail_is_running "$_safe"; then
 		echo "service jail stop $_safe"
-		service jail stop "$_safe"
+		if ! service jail stop "$_safe"; then
+			echo "jail -r $_safe"
+			if jail -r "$_safe" 2>/dev/null; then echo "removed"; fi
+		fi
 	fi
 
-	if jls -j $_safe -d 2>/dev/null | grep -q $_safe; then
+	if jail_is_running "$_safe"; then
 		echo "jail -r $_safe"
-		if jail -r "$_safe"; then echo "removed"; fi
+		if jail -r "$_safe" 2>/dev/null; then echo "removed"; fi
 	fi
 }
 
@@ -569,7 +580,44 @@ install_pfrule()
 	if [ ! -d "$_dir" ]; then
 		mkdir -p "$_dir" || exit 1
 	fi
-	fetch -m -o "$_dir/pfrule.sh" "$TOASTER_SRC_URL/contrib/pfrule.sh"
+
+	cat <<'EO_PF_RULE' > "$_dir/pfrule.sh"
+#!/bin/sh
+
+# pfrule.sh
+#
+# Matt Simerson, matt@tnpi.net, 2023-06
+#
+# Use pfctl to load and unload PF rules into named anchors from config
+# files. See https://github.com/msimerson/Mail-Toaster-6/wiki/PF
+
+_etcpath="$(dirname -- "$( readlink -f -- "$0"; )";)"
+
+usage() {
+    echo "   usage: $0 [ load | unload ]"
+    echo " "
+    exit 1
+}
+
+for _f in "$_etcpath"/*.conf; do
+    [ -f "$_f" ] || continue
+
+    _anchor=$(basename $_f .conf)  # nat, rdr, allow
+    _jailname=$(basename "$(dirname "$(dirname $_etcpath)")")
+    _pfctl="pfctl -a $_anchor/$_jailname"
+
+    case "$1" in
+        "load"   ) _cmd="$_pfctl -f $_f" ;;
+        "unload" ) _cmd="$_pfctl -F all" ;;
+        *        ) usage                 ;;
+    esac
+
+    echo "$_cmd"
+    $_cmd || exit 1
+done
+
+exit
+EO_PF_RULE
 	chmod 755 "$_dir/pfrule.sh"
 }
 
@@ -633,8 +681,10 @@ create_staged_fs()
 	fi
 
 	stage_sysrc hostname="$1"
-	sed -i '' -e "/^hostname=/ s/_HOSTNAME_/$1/" \
-		"$STAGE_MNT/usr/local/etc/ssmtp/ssmtp.conf" || exit 1
+	if [ -f "$STAGE_MNT/usr/local/etc/ssmtp/ssmtp.conf" ]; then
+		sed -i '' -e "/^hostname=/ s/_HOSTNAME_/$1/" \
+			"$STAGE_MNT/usr/local/etc/ssmtp/ssmtp.conf"
+	fi
 
 	assure_ip6_addr_is_declared "$1"
 	stage_resolv_conf
@@ -647,9 +697,8 @@ create_staged_fs()
 
 enable_bsd_cache()
 {
-	# see if jails are running
-	if ! jls | grep -q bsd_cache; then return; fi
-	if ! jls | grep -q dns; then return; fi
+	if ! jail_is_running bsd_cache; then return; fi
+	if ! jail_is_running dns; then return; fi
 
 	# assure services are available
 	sockstat -4 -6 -p 80 -q -j bsd_cache | grep -q . || return
@@ -730,7 +779,7 @@ rename_staged_to_ready()
 	local _zfs_rename="zfs rename $ZFS_JAIL_VOL/stage $_new_vol"
 	echo "$_zfs_rename"
 	until $_zfs_rename; do
-		if [ "$_tries" -gt 10 ]; then
+		if [ "$_tries" -gt 5 ]; then
 			echo "trying to force rename"
 			_zfs_rename="zfs rename -f $ZFS_JAIL_VOL/stage $_new_vol"
 		fi
@@ -793,7 +842,8 @@ stage_clear_caches()
 
 stage_resolv_conf()
 {
-	jls | grep -q dns || return;
+	if ! jail_is_running dns; then return; fi
+
 	tell_status "configuring DNS for local recursor"
 	echo "nameserver $(get_jail_ip  dns)" >  "$STAGE_MNT/etc/resolv.conf"
 	echo "nameserver $(get_jail_ip6 dns)" >> "$STAGE_MNT/etc/resolv.conf"
@@ -889,11 +939,8 @@ stage_exec()
 stage_listening()
 {
 	echo "checking for port $1 listener in staged jail"
-	if [ -z "$2" ]; then
-		sockstat -l -4 -6 -p "$1" -j "$(jls -j stage jid)" | grep -v PROTO || exit
-		return
-	fi
 
+	local _max_tries=${2:-"1"}
 	local _tries=0
 	local _listening=""
 	local _sleep="$3"
@@ -902,7 +949,7 @@ stage_listening()
 	until [ -n "$_listening" ]; do
 		_tries=$((_tries + 1))
 
-		if [ "$_tries" -gt "$2" ]; then
+		if [ "$_tries" -gt "$_max_tries" ]; then
 			echo "port $1 is NOT listening"
 			exit
 		fi
@@ -912,7 +959,7 @@ stage_listening()
 	done
 
 	echo
-	echo "Success! Port $1 is listening in staging jail"
+	echo "Success! Port $1 is listening"
 }
 
 stage_test_running()
@@ -1066,7 +1113,7 @@ reverse_list()
 {
 	# shellcheck disable=2068
 	for _j in $@; do
-		_rev_list="${_j} ${_rev_list}"
+		local _rev_list="${_j} ${_rev_list}"
 	done
 	echo "$_rev_list"
 }
@@ -1203,6 +1250,11 @@ mt6-include()
 	. "include/$1.sh"
 }
 
+jail_is_running()
+{
+	jls -d -j $1 name 2>/dev/null | grep -q $1
+}
+
 jail_rename()
 {
 	if [ -z "$1" ] || [ -z "$2" ]; then
@@ -1267,7 +1319,7 @@ assure_ip6_addr_is_declared()
 	sed -i.bak \
 		-e "/^$1/,/ip4/ s/ip4.*;/&\\
 		ip6.addr = $JAIL_NET_INTERFACE|$(get_jail_ip6 "$1");/" \
-		/etc/jail.conf || exit
+		/etc/jail.conf
 }
 
 assure_jail()
@@ -1280,18 +1332,20 @@ assure_jail()
 }
 
 preserve_file() {
-	# $1 is the jail name
-	# $2 is a path to a file within a jail
-	local _active_cfg="$ZFS_JAIL_MNT/$1/$2"
-	local _stage_cfg="${STAGE_MNT}/$2"
+	local _jail_name=$1
+	local _file_path=$2
+
+	local _active_cfg="$ZFS_JAIL_MNT/$_jail_name/$_file_path"
+	local _stage_cfg="${STAGE_MNT}/$_file_path"
+
 	if [ -f "$_active_cfg" ]; then
 		tell_status "preserving $_active_cfg"
 		cp "$_active_cfg" "$_stage_cfg" || return 1
 		return
 	fi
 
-	if [ -d "$ZFS_JAIL_MNT/$1.last" ]; then
-		_active_cfg="$ZFS_JAIL_MNT/$1.last/$2"
+	if [ -d "$ZFS_JAIL_MNT/$_jail_name.last" ]; then
+		_active_cfg="$ZFS_JAIL_MNT/$_jail_name.last/$_file_path"
 		if [ -f "$_active_cfg" ]; then
 			tell_status "preserving $_active_cfg"
 			cp "$_active_cfg" "$_stage_cfg" || return 1
@@ -1299,3 +1353,9 @@ preserve_file() {
 		fi
 	fi
 }
+
+onexit() { while caller $((n++)); do :; done; }
+
+if [ "$TOASTER_BUILD_DEBUG" = "1" ]; then
+	trap onexit EXIT
+fi
diff --git a/provision/base.sh b/provision/base.sh
index 56727b72..8a4fb4f1 100755
--- a/provision/base.sh
+++ b/provision/base.sh
@@ -1,19 +1,18 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
 
-ifconfig ${JAIL_NET_INTERFACE} 2>&1 | grep -q 'does not exist' && {
-	echo; echo "ERROR: did you run 'provision host' yet?"; echo;
-	exit 1
-}
+. mail-toaster.sh
 
 mt6-include shell
+mt6-include mta
+mt6-include editor
 
 create_base_filesystem()
 {
 	if [ -e "$BASE_MNT/dev/null" ]; then
 		echo "unmounting $BASE_MNT/dev"
-		umount "$BASE_MNT/dev" || exit
+		umount "$BASE_MNT/dev"
 	fi
 
 	if zfs_filesystem_exists "$BASE_VOL"; then
@@ -51,33 +50,7 @@ install_freebsd()
 		stage_fbsd_package base "$BASE_MNT"
 	fi
 
-	touch "$BASE_MNT/etc/fstab"
-}
-
-install_ssmtp()
-{
-	tell_status "installing ssmtp"
-	stage_pkg_install ssmtp || exit
-
-	tell_status "configuring ssmtp"
-	cp "$BASE_MNT/usr/local/etc/ssmtp/revaliases.sample" \
-	   "$BASE_MNT/usr/local/etc/ssmtp/revaliases" || exit
-
-	sed -e "/^root=/ s/postmaster/$TOASTER_ADMIN_EMAIL/" \
-		-e "/^mailhub=/ s/=mail/=$TOASTER_MSA/" \
-		-e "/^rewriteDomain=/ s/=\$/=$TOASTER_MAIL_DOMAIN/" \
-		-e '/^#FromLineOverride=YES/ s/#//' \
-		"$BASE_MNT/usr/local/etc/ssmtp/ssmtp.conf.sample" \
-		> "$BASE_MNT/usr/local/etc/ssmtp/ssmtp.conf" || exit
-
-	tee "$BASE_MNT/etc/mail/mailer.conf" <<EO_MAILER_CONF
-sendmail	/usr/local/sbin/ssmtp
-send-mail	/usr/local/sbin/ssmtp
-mailq		/usr/local/sbin/ssmtp
-newaliases	/usr/local/sbin/ssmtp
-hoststat	/usr/bin/true
-purgestat	/usr/bin/true
-EO_MAILER_CONF
+	configure_fstab
 }
 
 configure_syslog()
@@ -115,7 +88,7 @@ disable_root_password()
 	# prevent a nightly email notice about the empty root password
 	tell_status "disabling passwordless root account"
 	sed -i.bak -e 's/^root::/root:*:/' "$BASE_MNT/etc/master.passwd"
-	stage_exec pwd_mkdb /etc/master.passwd || exit
+	stage_exec pwd_mkdb /etc/master.passwd
 }
 
 disable_cron_jobs()
@@ -132,7 +105,7 @@ disable_cron_jobs()
 		-e '/^1.*adjkerntz/ s/^1/#1/'  \
 		-e '/^\*.*entropy/  s/^\*/#*/' \
 		-e '/^\*.*atrun/    s/^\*/#*/' \
-		"$BASE_MNT/etc/crontab" || exit
+		"$BASE_MNT/etc/crontab"
 
 	echo "done"
 }
@@ -145,7 +118,7 @@ enable_security_periodic()
 	fi
 
 	tell_status "setting up auto package security"
-	tee "$_daily/auto_security_upgrades" <<'EO_PKG_SECURITY'
+	cat <<'EO_PKG_SECURITY' > "$_daily/auto_security_upgrades"
 #!/bin/sh
 
 auto_remove="vim-console vim-lite"
@@ -191,10 +164,10 @@ configure_tls_dhparams()
 	if [ ! -f "$DHP" ]; then
 		# for upgrade compatibilty
 		tell_status "Generating a 2048 bit $DHP"
-		openssl dhparam -out "$DHP" 2048 || exit
+		openssl dhparam -out "$DHP" 2048
 	fi
 
-	cp "$DHP" "$BASE_MNT/etc/ssl/dhparam.pem" || exit
+	cp "$DHP" "$BASE_MNT/etc/ssl/dhparam.pem"
 }
 
 configure_make_conf() {
@@ -211,23 +184,29 @@ EO_MAKE_CONF
 }
 
 configure_fstab() {
-	if [ ! -d "$BASE_MNT/data/etc" ]; then
-		mkdir -p "$BASE_MNT/data/etc" || exit 1
+	local _sub_dir=${1:-""}
+	local _etc_path="$BASE_MNT/${_sub_dir}etc"
+	if [ ! -d "$_etc_path" ]; then
+		mkdir -p "$_etc_path"
 	fi
-	touch "$BASE_MNT/data/etc/fstab"
+
+	tee "$_etc_path/fstab" <<EO_FSTAB
+# Device                Mountpoint      FStype  Options         Dump    Pass#
+devfs                   $BASE_MNT/dev  devfs   rw              0       0
+EO_FSTAB
 }
 
 configure_base()
 {
 	if [ ! -d "$BASE_MNT/usr/ports" ]; then
-		mkdir "$BASE_MNT/usr/ports" || exit
+		mkdir "$BASE_MNT/usr/ports"
 	fi
 
 	tell_status "adding base jail resolv.conf"
-	cp /etc/resolv.conf "$BASE_MNT/etc" || exit
+	cp /etc/resolv.conf "$BASE_MNT/etc"
 
 	tell_status "setting base jail timezone (to hosts)"
-	cp /etc/localtime "$BASE_MNT/etc" || exit
+	cp /etc/localtime "$BASE_MNT/etc"
 
 	configure_make_conf
 
@@ -237,7 +216,6 @@ configure_base()
 		hostname=base \
 		cron_flags='$cron_flags -J 15' \
 		syslogd_flags="-s -cc" \
-		sendmail_enable=NONE \
 		update_motd=NO
 
 	configure_pkg_latest "$BASE_MNT"
@@ -248,7 +226,7 @@ configure_base()
 	configure_syslog
 	configure_bourne_shell "$BASE_MNT"
 	configure_csh_shell "$BASE_MNT"
-	configure_fstab
+	configure_fstab "data/"
 }
 
 install_periodic_conf()
@@ -325,27 +303,10 @@ monthly_show_badconfig="YES"
 EO_PERIODIC
 }
 
-install_vimrc()
-{
-	tell_status "installing a jail-wide vimrc"
-	local _vimdir="$BASE_MNT/usr/local/etc/vim"
-	if [ ! -d "$_vimdir" ]; then
-		mkdir -p "$_vimdir" || exit
-	fi
-
-	fetch -m -o "$_vimdir/vimrc" https://raw.githubusercontent.com/nandalopes/vim-for-server/main/vimrc
-	sed -i '' \
-		-e 's/^syntax on/" syntax on/' \
-		-e 's/^colorscheme/" colorscheme/' \
-		-e 's/^set number/" set number/' \
-		-e 's/^set relativenumber/" set relativenumber/' \
-		"$_vimdir/vimrc"
-}
-
 install_base()
 {
 	tell_status "installing packages desired in every jail"
-	stage_pkg_install pkg vim-tiny ca_root_nss || exit
+	stage_pkg_install $TOASTER_BASE_PKGS
 
 	stage_exec newaliases
 
@@ -356,29 +317,42 @@ install_base()
 		configure_zsh_shell "$BASE_MNT"
 	fi
 
-	install_ssmtp
+	configure_mta "$BASE_MNT"
 	disable_root_password
 	install_periodic_conf
-	install_vimrc
+	configure_editor "$BASE_MNT"
 
 	tell_status "updating packages in base jail"
 	stage_exec pkg upgrade -y
 }
 
+assure_jail_nic()
+{
+	tell_status "assure_jail_nic: $JAIL_NET_INTERFACE exists"
+
+	if ifconfig ${JAIL_NET_INTERFACE} 2>&1 | grep -q 'does not exist'; then
+		echo; echo "ERROR: did you run 'provision host' yet?"; echo;
+		exit 1
+	else
+		echo "ok"
+	fi
+}
+
+assure_jail_nic
 zfs_snapshot_exists "$BASE_SNAP" && exit 0
-jail -r stage 2>/dev/null
+stop_jail stage
 create_base_filesystem
 install_freebsd
 freebsd_update
 configure_base
-start_staged_jail base "$BASE_MNT" || exit
+start_staged_jail base "$BASE_MNT"
 install_base
 stop_jail stage
 if [ -e "$BASE_MNT/dev/null" ]; then umount "$BASE_MNT/dev"; fi
 rm -rf "$BASE_MNT/var/cache/pkg/*"
 rm -rf "$BASE_MNT/var/db/freebsd-update/*"
 echo "zfs snapshot ${BASE_SNAP}"
-zfs snapshot "${BASE_SNAP}" || exit
+zfs snapshot "${BASE_SNAP}"
 add_jail_conf base
 
 proclaim_success base
diff --git a/provision/clamav.sh b/provision/clamav.sh
index 18d5e387..b2c8d809 100755
--- a/provision/clamav.sh
+++ b/provision/clamav.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 install_clamav_fangfrisch()
 {
@@ -9,7 +11,7 @@ install_clamav_fangfrisch()
 	stage_pkg_install python sqlite3 py39-sqlite3 sudo
 	_fdir="/usr/local/fangfrisch"
 	stage_exec mkdir "$_fdir"
-	stage_exec bash -c 'cd /usr/local/fangfrisch && python3 -m venv venv && source venv/bin/activate && pip install fangfrisch' || exit 1
+	stage_exec bash -c 'cd /usr/local/fangfrisch && python3 -m venv venv && source venv/bin/activate && pip install fangfrisch'
 	stage_exec chown -R clamav:clamav $_fdir
 	store_config "${STAGE_MNT}${_fdir}/fangfrisch.conf" <<EO_FANG_CONF
 [DEFAULT]
@@ -40,8 +42,8 @@ customer_id = abcdef123456
 enabled = yes
 max_size = 2MB
 EO_FANG_CONF
-	stage_exec sudo -u clamav -- $_fdir/venv/bin/fangfrisch --conf $_fdir/fangfrisch.conf initdb || exit 1
-	stage_exec sudo -u clamav -- $_fdir/venv/bin/fangfrisch --conf $_fdir/fangfrisch.conf refresh || exit 1
+	stage_exec sudo -u clamav -- $_fdir/venv/bin/fangfrisch --conf $_fdir/fangfrisch.conf initdb
+	stage_exec sudo -u clamav -- $_fdir/venv/bin/fangfrisch --conf $_fdir/fangfrisch.conf refresh
 }
 
 install_clamav_unofficial()
@@ -72,19 +74,19 @@ install_clamav_unofficial()
 	stage_pkg_install gnupg1 rsync bind-tools gtar
 	fetch -m -o "$STAGE_MNT/tmp/" \
 	  "https://github.com/extremeshok/clamav-unofficial-sigs/archive/$CLAMAV_UV.tar.gz"
-	tar -xz -C "$STAGE_MNT/tmp/" -f "$STAGE_MNT/tmp/$CLAMAV_UV.tar.gz" || exit
+	tar -xz -C "$STAGE_MNT/tmp/" -f "$STAGE_MNT/tmp/$CLAMAV_UV.tar.gz"
 
 	local _dist="$STAGE_MNT/tmp/clamav-unofficial-sigs-$CLAMAV_UV"
 	local _conf="$STAGE_MNT/etc/clamav-unofficial-sigs"
 
 	tell_status "installing config files"
-	mkdir -p "$_conf" || exit
-	cp -r "$_dist/config/" "$_conf/" || exit
-	cp "$_conf/os/os.freebsd.conf" "$_conf/os.conf" || exit
+	mkdir -p "$_conf"
+	cp -r "$_dist/config/" "$_conf/"
+	cp "$_conf/os/os.freebsd.conf" "$_conf/os.conf"
 
 	if [ -f "$ZFS_JAIL_MNT/clamav/etc/clamav-unofficial-sigs/user.conf" ]; then
 		tell_status "preserving user.conf"
-		cp "$ZFS_JAIL_MNT/clamav/etc/clamav-unofficial-sigs/user.conf" "$_conf/" || exit
+		cp "$ZFS_JAIL_MNT/clamav/etc/clamav-unofficial-sigs/user.conf" "$_conf/"
 		echo "done"
 	else
 		tell_status "completing user configuration"
@@ -106,10 +108,10 @@ install_clamav_unofficial()
 	tell_status "installing clamav-unofficial-sigs.sh"
 	local _sigs_sh="$_dist/clamav-unofficial-sigs.sh"
 	sed -i.bak -e 's/^#!\/bin\/bash/#!\/usr\/local\/bin\/bash/' "$_sigs_sh"
-	chmod 755 "$_sigs_sh" || exit
-	cp "$_sigs_sh" "$STAGE_MNT/usr/local/bin" || exit
+	chmod 755 "$_sigs_sh"
+	cp "$_sigs_sh" "$STAGE_MNT/usr/local/bin"
 
-	mkdir -p "$STAGE_MNT/var/log/clamav-unofficial-sigs" || exit
+	mkdir -p "$STAGE_MNT/var/log/clamav-unofficial-sigs"
 	stage_exec /usr/local/bin/clamav-unofficial-sigs.sh --install-cron
 	stage_exec /usr/local/bin/clamav-unofficial-sigs.sh --install-logrotate
 	stage_exec /usr/local/bin/clamav-unofficial-sigs.sh --install-man
@@ -166,7 +168,7 @@ PATH="$PATH:/usr/local/bin"|' \
 
 install_clamav()
 {
-	stage_pkg_install clamav || exit
+	stage_pkg_install clamav
 	echo "done"
 
 	for _d in etc db log; do
@@ -209,7 +211,7 @@ configure_clamd()
 		-e 's/^#StructuredMinSSNCount 5/StructuredMinSSNCount 10/' \
 		-e 's/^#StructuredSSNFormatStripped yes/StructuredSSNFormatStripped no/' \
 		-e '/^#ScanArchive/ s/^#ScanArchive/ScanArchive/' \
-		"$_conf" || exit
+		"$_conf"
 
 	echo "done"
 
@@ -235,7 +237,7 @@ configure_freshclam()
 			-e 's/^#LogFacility/LogFacility/' \
 			-e 's/^#SafeBrowsing/SafeBrowsing/' \
 			-e 's/^#DatabaseMirror/DatabaseMirror/; s/XY/us/' \
-			"$_conf" || exit
+			"$_conf"
 	fi
 
 	echo "done"
@@ -282,10 +284,10 @@ migrate_clamav_dbs()
 
 	Proceed?
 	"
-	dialog --yesno "$_confirm_msg" 13 70 || exit
+	dialog --yesno "$_confirm_msg" 13 70
 
 	if [ ! -d "$ZFS_DATA_MNT/clamav/db" ]; then
-		mkdir "$ZFS_DATA_MNT/clamav/db" || exit 1
+		mkdir "$ZFS_DATA_MNT/clamav/db"
 	fi
 
 	service jail stop clamav
@@ -305,7 +307,7 @@ test_clamav()
 	echo "It works! (clamd is listening)"
 }
 
-base_snapshot_exists || exit
+base_snapshot_exists || exit 1
 migrate_clamav_dbs
 create_staged_fs clamav
 start_staged_jail clamav
diff --git a/provision/dcc.sh b/provision/dcc.sh
index b53ed594..af7c1415 100755
--- a/provision/dcc.sh
+++ b/provision/dcc.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA=""
 export JAIL_CONF_EXTRA=""
@@ -40,7 +42,7 @@ install_dcc()
 	install_dcc_port_options
 
 	tell_status "install dcc"
-	stage_port_install mail/dcc-dccd || exit
+	stage_port_install mail/dcc-dccd
 
 	install_dcc_cleanup
 }
@@ -80,7 +82,7 @@ test_dcc()
 	stage_listening 1025 3
 }
 
-base_snapshot_exists || exit
+base_snapshot_exists || exit 1
 create_staged_fs dcc
 start_staged_jail dcc
 install_dcc
diff --git a/provision/dns.sh b/provision/dns.sh
index c6e34ce2..79de352c 100755
--- a/provision/dns.sh
+++ b/provision/dns.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA=""
 export JAIL_CONF_EXTRA="
@@ -9,7 +11,7 @@ export JAIL_CONF_EXTRA="
 install_unbound()
 {
 	tell_status "installing unbound"
-	stage_pkg_install unbound || exit
+	stage_pkg_install unbound
 }
 
 get_mt6_data()
@@ -97,7 +99,7 @@ include: "/data/mt6-local.conf" \
 		-e '/^remote-control:/ a\ 
 	include: "/data/control.conf" \
 ' \
-		"$UNBOUND_DIR/unbound.conf" || exit
+		"$UNBOUND_DIR/unbound.conf"
 }
 
 enable_control()
@@ -108,7 +110,7 @@ enable_control()
 	fi
 
 	tell_status "creating $ZFS_DATA_MNT/dns/control"
-	mkdir "$ZFS_DATA_MNT/dns/control" || exit
+	mkdir "$ZFS_DATA_MNT/dns/control"
 
 	tell_status "configuring unbound-control"
 	tee "$ZFS_DATA_MNT/dns/control.conf" <<EO_CONTROL_CONF
@@ -135,10 +137,10 @@ configure_unbound()
 	UNBOUND_DIR="$STAGE_MNT/usr/local/etc/unbound"
 	UNBOUND_LOCAL=""
 
-	cp "$UNBOUND_DIR/unbound.conf.sample" "$UNBOUND_DIR/unbound.conf" || exit
+	cp "$UNBOUND_DIR/unbound.conf.sample" "$UNBOUND_DIR/unbound.conf"
 	if [ -f 'unbound.conf.local' ]; then
 		tell_status "moving unbound.conf.local to data volume"
-		mv unbound.conf.local "$ZFS_DATA_MNT/dns/" || exit
+		mv unbound.conf.local "$ZFS_DATA_MNT/dns/"
 	fi
 
 	if [ -f "$ZFS_DATA_MNT/dns/unbound.conf.local" ]; then
@@ -158,7 +160,7 @@ start_unbound()
 {
 	tell_status "starting unbound"
 	stage_sysrc unbound_enable=YES
-	stage_exec service unbound start || exit
+	stage_exec service unbound start
 }
 
 test_unbound()
@@ -170,7 +172,7 @@ test_unbound()
 	echo "nameserver $(get_jail_ip stage)" | tee "$STAGE_MNT/etc/resolv.conf"
 
 	# test if we get an answer
-	stage_exec host dns || exit
+	stage_exec host dns
 
 	# set it back to production value
 	echo "nameserver $(get_jail_ip dns)" | tee "$STAGE_MNT/etc/resolv.conf"
@@ -188,7 +190,7 @@ nameserver $(get_jail_ip6 dns)" | resolvconf -a "$PUBLIC_NIC"
 	sysrc -f /etc/resolvconf.conf resolvconf=NO
 }
 
-base_snapshot_exists || exit
+base_snapshot_exists || exit 1
 create_staged_fs dns
 start_staged_jail dns
 install_unbound
diff --git a/provision/dovecot.sh b/provision/dovecot.sh
index 925f45c0..e8dd6c6e 100755
--- a/provision/dovecot.sh
+++ b/provision/dovecot.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA="allow.sysvipc=1"
 export JAIL_FSTAB="$ZFS_DATA_MNT/vpopmail/home $ZFS_JAIL_MNT/dovecot/usr/local/vpopmail nullfs rw 0 0"
@@ -10,13 +12,13 @@ mt6-include vpopmail
 allow_sysvipc_stage()
 {
     tell_status "allow sysvipc for the staged jail"
-    jail -m name=stage allow.sysvipc=1 || exit 1
+    jail -m name=stage allow.sysvipc=1
 }
 
 install_dovecot()
 {
 	tell_status "installing dovecot package"
-	stage_pkg_install dovecot dovecot-pigeonhole curl perl5 gmake mysql80-client || exit
+	stage_pkg_install dovecot dovecot-pigeonhole curl perl5 gmake mysql80-client
 
 	tell_status "configure dovecot port options"
 	stage_make_conf dovecot2_SET 'mail_dovecot2_SET=MYSQL LIBWRAP EXAMPLES'
@@ -33,8 +35,8 @@ install_dovecot()
 	tell_status "building dovecot"
 
 	export BATCH=${BATCH:="1"}
-	stage_port_install mail/dovecot || exit 1
-	stage_port_install mail/dovecot-pigeonhole || exit 1
+	stage_port_install mail/dovecot
+	stage_port_install mail/dovecot-pigeonhole
 }
 
 configure_dovecot_local_conf() {
@@ -265,10 +267,10 @@ configure_example_config()
 	fi
 
 	tell_status "installing example config files"
-	cp -R "$STAGE_MNT/usr/local/etc/dovecot/example-config/" "$_dcdir/" || exit
+	cp -R "$STAGE_MNT/usr/local/etc/dovecot/example-config/" "$_dcdir/"
 	sed -i.bak \
 		-e 's/^#listen = \*, ::/listen = \*/' \
-		"$_dcdir/dovecot.conf" || exit
+		"$_dcdir/dovecot.conf"
 }
 
 configure_system_auth()
@@ -282,7 +284,7 @@ configure_system_auth()
 	tell_status "disabling auth-system"
 	sed -i.bak \
 		-e '/^\!include auth-system/ s/\!/#!/' \
-		"$_authconf" || exit
+		"$_authconf"
 }
 
 configure_vsz_limit()
@@ -320,13 +322,13 @@ configure_tls_certs()
 
 	local _ssldir="$ZFS_DATA_MNT/dovecot/etc/ssl"
 	if [ ! -d "$_ssldir/certs" ]; then
-		mkdir -p "$_ssldir/certs" || exit
-		chmod 644 "$_ssldir/certs" || exit
+		mkdir -p "$_ssldir/certs"
+		chmod 644 "$_ssldir/certs"
 	fi
 
 	if [ ! -d "$_ssldir/private" ]; then
-		mkdir "$_ssldir/private" || exit
-		chmod 644 "$_ssldir/private" || exit
+		mkdir "$_ssldir/private"
+		chmod 644 "$_ssldir/private"
 	fi
 
 	local _installed_crt="$_ssldir/certs/${TOASTER_MAIL_DOMAIN}.pem"
@@ -336,18 +338,18 @@ configure_tls_certs()
 	fi
 
 	tell_status "installing dovecot TLS certificates"
-	cp /etc/ssl/certs/server.crt "$_ssldir/certs/${TOASTER_MAIL_DOMAIN}.pem" || exit
+	cp /etc/ssl/certs/server.crt "$_ssldir/certs/${TOASTER_MAIL_DOMAIN}.pem"
 	# sunset after Dovecot 2.3 released
-	cat /etc/ssl/dhparam.pem >> "$_ssldir/certs/${TOASTER_MAIL_DOMAIN}.pem" || exit
+	cat /etc/ssl/dhparam.pem >> "$_ssldir/certs/${TOASTER_MAIL_DOMAIN}.pem"
 	# /sunset
-	cp /etc/ssl/private/server.key "$_ssldir/private/${TOASTER_MAIL_DOMAIN}.pem" || exit
+	cp /etc/ssl/private/server.key "$_ssldir/private/${TOASTER_MAIL_DOMAIN}.pem"
 }
 
 configure_postfix_with_sasl()
 {
 	# ignore this, it doesn't exist. Yet. Maybe not ever. It's one way to
 	# configure a MSA with dovecot auth.
-	stage_pkg_install postfix || exit
+	stage_pkg_install postfix
 
 	stage_exec postconf -e "relayhost = $TOASTER_MSA"
 	stage_exec postconf -e 'smtpd_sasl_type = dovecot'
@@ -359,10 +361,10 @@ configure_postfix_with_sasl()
 	stage_exec postconf -e 'smtp_tls_security_level = may'
 
 	for _s in 512 1024 2048; do
-		openssl dhparam -out /tmp/dh$_s.tmp $_s || exit
-		chmod 644 /tmp/dh${_s}.tmp || exit
-		mv /tmp/dh${_s}.tmp "$STAGE_MNT/usr/local/etc/postfix/dh${_s}.pem" || exit
-		stage_exec postconf -e "smtpd_tls_dh${_s}_param_file = \${config_directory}/dh${_s}.pem" || exit
+		openssl dhparam -out /tmp/dh$_s.tmp $_s
+		chmod 644 /tmp/dh${_s}.tmp
+		mv /tmp/dh${_s}.tmp "$STAGE_MNT/usr/local/etc/postfix/dh${_s}.pem"
+		stage_exec postconf -e "smtpd_tls_dh${_s}_param_file = \${config_directory}/dh${_s}.pem"
 	done
 
 	stage_sysrc postfix_enable="YES"
@@ -371,7 +373,7 @@ configure_postfix_with_sasl()
 
 compile_sieve()
 {
-	stage_exec /usr/local/bin/sievec -c /data/etc/dovecot.conf "/usr/local/lib/dovecot/sieve/$1" || exit
+	stage_exec /usr/local/bin/sievec -c /data/etc/dovecot.conf "/usr/local/lib/dovecot/sieve/$1"
 }
 
 configure_sieve_report_ham()
@@ -426,7 +428,7 @@ configure_sieve_learn_rspamd()
 	tee "$SIEVE_DIR/learn-ham-rspamd.sh" <<EO_RSPAM_LEARN_HAM
 exec /usr/local/bin/curl -s -S -XPOST --data-binary @- http://$(get_jail_ip rspamd):11334/learnham
 EO_RSPAM_LEARN_HAM
-	chmod +x "$SIEVE_DIR/learn-ham-rspamd.sh" || exit
+	chmod +x "$SIEVE_DIR/learn-ham-rspamd.sh"
 
 	if ! grep rspamd "$SIEVE_DIR/report-ham.sieve"; then
 		tell_status "enabling rspamd learning in report-ham.sieve"
@@ -440,7 +442,7 @@ EO_REPORT_HAM_RSPAMD
 	tee "$SIEVE_DIR/learn-spam-rspamd.sh" <<EO_RSPAM_LEARN_SPAM
 exec /usr/local/bin/curl -s -S -XPOST --data-binary @- http://$(get_jail_ip rspamd):11334/learnspam
 EO_RSPAM_LEARN_SPAM
-	chmod +x "$SIEVE_DIR/learn-spam-rspamd.sh" || exit
+	chmod +x "$SIEVE_DIR/learn-spam-rspamd.sh"
 
 	if ! grep rspamd "$SIEVE_DIR/report-spam.sieve"; then
 		tell_status "enabling rspamd learning in report-spam.sieve"
@@ -461,14 +463,14 @@ configure_sieve_learn_spamassassin()
 	if [ ! -x "$ZFS_DATA_MNT/dovecot/bin/spamc" ]; then
 		tell_status "copying spamc into /data/bin"
 		cp "$ZFS_JAIL_MNT/spamassassin/usr/local/bin/spamc" \
-			"$ZFS_DATA_MNT/dovecot/bin/spamc" || exit
+			"$ZFS_DATA_MNT/dovecot/bin/spamc"
 	fi
 
 	tell_status "creating learn-ham-sa.sh"
 	tee "$SIEVE_DIR/learn-ham-sa.sh" <<EO_RSPAM_LEARN_HAM
 exec /data/bin/spamc -d $(get_jail_ip spamassassin) --learntype=ham -u \${1}
 EO_RSPAM_LEARN_HAM
-	chmod +x "$SIEVE_DIR/learn-ham-sa.sh" || exit
+	chmod +x "$SIEVE_DIR/learn-ham-sa.sh"
 
 	if ! grep learn-ham-sa "$SIEVE_DIR/report-ham.sieve"; then
 		tell_status "enabling spamassassin learning in report-ham.sieve"
@@ -482,7 +484,7 @@ EO_REPORT_HAM_SA
 	tee "$SIEVE_DIR/learn-spam-sa.sh" <<EO_RSPAM_LEARN_SPAM
 exec /data/bin/spamc -d $(get_jail_ip spamassassin) --learntype=spam -u \${1}
 EO_RSPAM_LEARN_SPAM
-	chmod +x "$SIEVE_DIR/learn-spam-sa.sh" || exit
+	chmod +x "$SIEVE_DIR/learn-spam-sa.sh"
 
 	if ! grep learn-spam-sa "$SIEVE_DIR/report-spam.sieve"; then
 		tell_status "enabling spamassassin learning in report-spam.sieve"
@@ -497,7 +499,7 @@ configure_sieve()
 {
 	SIEVE_DIR="$STAGE_MNT/usr/local/lib/dovecot/sieve"
 	if [ ! -d "$SIEVE_DIR" ]; then
-		mkdir "$SIEVE_DIR" || exit
+		mkdir "$SIEVE_DIR"
 	fi
 
 	local _lc="$ZFS_DATA_MNT/dovecot/etc/local.conf"
@@ -548,7 +550,7 @@ configure_dovecot()
 		if [ ! -d "$_dcdir" ]; then
 			tell_status "creating $_dcdir"
 			echo "mkdir $_dcdir"
-			mkdir "$_dcdir" || exit
+			mkdir "$_dcdir"
 		fi
 	done
 
@@ -569,21 +571,18 @@ start_dovecot()
 	tell_status "starting dovecot"
 	stage_sysrc dovecot_enable=YES
 	stage_sysrc dovecot_config="/data/etc/dovecot.conf"
-	stage_exec service dovecot start || exit
+	stage_exec service dovecot start
 }
 
-test_imap()
+test_imap_empty()
 {
-	pkg install -y empty
+	pkg info | grep -q ^empty || pkg install -y empty
 
-	POST_USER="postmaster@${TOASTER_MAIL_DOMAIN}"
-	POST_PASS=$(jexec vpopmail /usr/local/vpopmail/bin/vuserinfo -C "${POST_USER}")
-	rm -f in out
-
-	echo "testing IMAP AUTH as $POST_USER"
+	if [ -f in ]; then rm -f in; fi
+	if [ -f out ]; then rm -f out; fi
 
 	# empty -v -f -i in -o out telnet "$(get_jail_ip stage)" 143
-	empty -v -f -i in -o out openssl s_client -quiet -crlf -connect "$(get_jail_ip stage):993"
+	empty -v -f -i in -o out openssl s_client -quiet -verify_quiet -crlf -connect "$(get_jail_ip stage):993"
 	if [ ! -e out ]; then exit; fi
 	empty -v -w -i out -o in "ready"             ". LOGIN $POST_USER $POST_PASS"$'\n'
 	empty -v -w -i out -o in "Logged in"         $'. LIST \"\" \"*\"\n'
@@ -602,13 +601,36 @@ test_imap()
 	fi
 }
 
-test_pop3()
+test_imap_openssl()
 {
-	pkg install -y empty
+	openssl s_client -quiet -verify_quiet -crlf -connect "$(get_jail_ip stage):993" <<EOF
+. login $POST_USER $POST_PASS
+. LIST "" "*"
+. SELECT INBOX
+. LOGOUT
+EOF
+}
 
-	POST_USER="postmaster@${TOASTER_MAIL_DOMAIN}"
-	POST_PASS=$(jexec vpopmail /usr/local/vpopmail/bin/vuserinfo -C "${POST_USER}")
-	rm -f in out
+test_imap_curl()
+{
+	# shellcheck disable=SC2001
+	curl -k -v --login-options 'AUTH=PLAIN' "imaps://$(echo $POST_USER | sed -e 's/@/%40/'):${POST_PASS}@stage/"
+}
+
+test_imap()
+{
+	echo "testing IMAP AUTH as $POST_USER"
+	test_imap_curl
+	# test_imap_openssl
+	# test_imap_empty
+}
+
+test_pop3_empty()
+{
+	pkg info | grep -q ^empty || pkg install -y empty
+
+	if [ -f in ]; then rm -f in; fi
+	if [ -f out ]; then rm -f out; fi
 
 	echo "testing POP3 AUTH as $POST_USER"
 
@@ -626,11 +648,21 @@ test_pop3()
 	fi
 }
 
+test_pop3()
+{
+	# shellcheck disable=SC2001
+	curl -k -v --login-options 'AUTH=PLAIN' "pop3s://$(echo $POST_USER | sed -e 's/@/%40/'):${POST_PASS}@stage/"
+}
+
 test_dovecot()
 {
 	tell_status "testing dovecot"
 	stage_listening 993 3
 	stage_listening 995 3
+
+	POST_USER="postmaster@${TOASTER_MAIL_DOMAIN}"
+	POST_PASS=$(jexec vpopmail /usr/local/vpopmail/bin/vuserinfo -C "${POST_USER}")
+
 	test_imap
 	test_pop3
 	echo "it worked"
diff --git a/provision/elasticsearch.sh b/provision/elasticsearch.sh
index e8b193e2..d8e25eed 100755
--- a/provision/elasticsearch.sh
+++ b/provision/elasticsearch.sh
@@ -1,22 +1,24 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA="enforce_statfs=1"
 # shellcheck disable=2016
-export JAIL_CONF_EXTRA="
-		mount.fdescfs;
-		mount.procfs;
-		enforce_statfs = 1;"
+export JAIL_CONF_EXTRA="\n\t\tenforce_statfs = 1;"
+export JAIL_FSTAB="fdescfs $ZFS_JAIL_MNT/elasticsearch/dev/fd fdescfs rw 0 0
+proc     $ZFS_JAIL_MNT/elasticsearch/proc   procfs  rw 0 0"
 
 create_data_dirs()
 {
-	for dir in etc db log plugins run; do
-		if [ ! -d "$STAGE_MNT/data/${dir}" ]; then
-			tell_status "creating $STAGE_MNT/data/${dir}"
-			mkdir "$STAGE_MNT/data/${dir}"
-			chown 965:965 "$STAGE_MNT/data/${dir}"
+	for _dir in etc db log plugins run; do
+		local _sub_dir=$STAGE_MNT/data/${_dir}
+		if [ ! -d "$_sub_dir" ]; then
+			tell_status "creating $_sub_dir"
+			mkdir "$_sub_dir"
 		fi
+		chown 965:965 "$_sub_dir"
 	done
 }
 
@@ -41,7 +43,9 @@ install_elasticsearch6()
 	tell_status "installing kibana"
 	stage_pkg_install kibana6
 
-	mkdir "$STAGE_MNT/usr/local/www/kibana6/config"
+	if [ ! -d "$STAGE_MNT/usr/local/www/kibana6/config" ]; then
+		mkdir "$STAGE_MNT/usr/local/www/kibana6/config"
+	fi
 	touch "$STAGE_MNT/usr/local/www/kibana6/config/kibana.yml"
 	chown -R 80:80 "$STAGE_MNT/usr/local/www/kibana6"
 }
@@ -57,11 +61,11 @@ install_elasticsearch7()
 	tell_status "installing kibana"
 	stage_pkg_install kibana7
 
-	mkdir "$STAGE_MNT/usr/local/www/kibana7/config"
+	if [ ! -d "$STAGE_MNT/usr/local/www/kibana7/config" ]; then
+		mkdir "$STAGE_MNT/usr/local/www/kibana7/config"
+	fi
 	touch "$STAGE_MNT/usr/local/www/kibana7/config/kibana.yml"
 	chown -R 80:80 "$STAGE_MNT/usr/local/www/kibana7"
-
-	install_beats
 }
 
 install_elasticsearch8()
@@ -75,11 +79,11 @@ install_elasticsearch8()
 	tell_status "installing kibana"
 	stage_pkg_install kibana8
 
-	mkdir "$STAGE_MNT/usr/local/www/kibana8/config"
+	if [ ! -d "$STAGE_MNT/usr/local/www/kibana8/config" ]; then
+		mkdir "$STAGE_MNT/usr/local/www/kibana8/config"
+	fi
 	touch "$STAGE_MNT/usr/local/www/kibana8/config/kibana.yml"
 	chown -R 80:80 "$STAGE_MNT/usr/local/www/kibana8"
-
-	install_beats
 }
 
 install_elasticsearch()
@@ -93,14 +97,17 @@ install_elasticsearch()
 install_beats()
 {
 	stage_pkg_install beats8
-	local _xcfg="$STAGE_MNT/usr/local/etc/beats/metricbeat.modules.d/elasticsearch-xpack.yml"
 
+	local _xcfg="$STAGE_MNT/usr/local/etc/beats/metricbeat.modules.d/elasticsearch-xpack.yml"
 	cp "$STAGE_MNT/usr/local/share/examples/beats/metricbeat.modules.d/elasticsearch-xpack.yml.disabled" "$_xcfg"
 	sed -i '' \
-		-e '/hosts:/ s/localhost/172.16.15.27/' \
+		-e "/hosts:/ s/localhost/$(get_jail_ip elasticsearch)/" \
 		"$_xcfg"
 
-	stage_exec -c 'cd "$STAGE_MNT/usr/local/etc/beats" && metricbeat modules enable elasticsearch-xpack'
+	if ! stage_exec -c 'cd /usr/local/etc/beats && metricbeat modules enable elasticsearch-xpack'; then
+		echo "KNOWN ERROR: see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272701"
+		return
+	fi
 	stage_sysrc metricbeat_enable=YES
 }
 
@@ -116,7 +123,7 @@ configure_elasticsearch()
 	local _conf="$STAGE_MNT/usr/local/etc/elasticsearch/elasticsearch.yml"
 	mkdir -p "$STAGE_MNT/data/etc"
 	echo "cp $_conf $_data_conf"
-	cp "$_conf" "$_data_conf" || exit
+	cp "$_conf" "$_data_conf"
 	chown 965 "$_data_conf"
 
 	if [ ! -f "$STAGE_MNT/data/etc/jvm.options" ]; then
@@ -133,6 +140,12 @@ configure_elasticsearch()
 		chown 965 "$STAGE_MNT/data/etc/log4j2.properties"
 	fi
 
+	sed -i.bak \
+		-e "/^#network.host:/ s/#//; s/192.168.0.1/$(get_jail_ip stage)/" \
+		-e '/^#node.name/ s/^#//; s/node-1/stage/' \
+		-e '/^#cluster.initial/ s/^#//; s/node-1/stage/; s/, "node-2"//' \
+			"$_conf"
+
 	sed -i.bak \
 		-e "/^#network.host:/ s/#//; s/192.168.0.1/$(get_jail_ip elasticsearch)/" \
 		-e '/^path.data: / s/var/data/' \
@@ -152,53 +165,63 @@ configure_kibana()
 {
 	tell_status "configuring kibana"
 
-	stage_sysrc kibana_syslog_output_flags=YES
+	stage_sysrc kibana_syslog_output_enable=YES
 
 	if [ -f "$STAGE_MNT/data/etc/kibana.yml" ]; then
 		tell_status "preserving kibana.yml"
 		return
 	fi
 
+	chown 80:80 "$STAGE_MNT/usr/local/etc/kibana/kibana.yml"
+
 	tell_status "installing default kibana.yml"
+	sed -i '' \
+		-e 's/^#server.basePath: ""/server.basePath: "\/kibana"/' \
+		"$STAGE_MNT/usr/local/etc/kibana/kibana.yml"
+
 	cp "$STAGE_MNT/usr/local/etc/kibana/kibana.yml" "$STAGE_MNT/data/etc/"
 
-	sed -i '' \
-		-e '/^#server.basePath/ s/^#//; s/""/"\/kibana"/' \
-		"$STAGE_MNT/data/etc/kibana.yml" || exit
+	stage_sysrc kibana_enable=YES
 }
 
 start_elasticsearch()
 {
 	tell_status "configuring Elasticsearch"
 	stage_sysrc elasticsearch_enable=YES
-	stage_sysrc elasticsearch_config=/data/etc
 
-	if jls | grep -qs elasticsearch; then
-		# bad things happen if two ES instances access the data dir
-		# so don't actually start it
-		tell_status "NOT starting Elasticsearch"
-	else
-		tell_status "starting Elasticsearch"
-		stage_exec service elasticsearch start
-	fi
+	tell_status "starting Elasticsearch"
+	stage_exec service elasticsearch start
+
+	tell_status "generating a Kibana setup token"
+	echo
+	export ES_JAVA_HOME=/usr/local/openjdk17
+	stage_exec /usr/local/lib/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana
+	echo
 
 	tell_status "starting Kibana"
-	stage_sysrc kibana_enable=YES
-	stage_sysrc kibana_config=/data/etc/kibana.yml
+	stage_exec service kibana start
+	stage_exec bash -c "cd /usr/local/www/kibana8 && su -m www -c /usr/local/www/kibana8/bin/kibana"
 	stage_exec service kibana start
 }
 
 test_elasticsearch()
 {
 	tell_status "testing Elasticsearch (listening 9200)"
-	#stage_listening 9200 10 3
+	stage_listening 9200 10 3
 
 	tell_status "testing Kibana (listening 5601)"
-	echo "kibana has initial setup to do, it make take a while..."
+	echo "kibana has initial setup to do, it takes a few..."
 	stage_listening 5601 30 5
 }
 
-base_snapshot_exists || exit
+post_configure()
+{
+	tell_status "switching configuration to /data"
+	stage_sysrc elasticsearch_config=/data/etc
+	stage_sysrc kibana_config=/data/etc/kibana.yml
+}
+
+base_snapshot_exists
 create_staged_fs elasticsearch
 start_staged_jail elasticsearch
 install_elasticsearch
@@ -206,4 +229,6 @@ configure_elasticsearch
 configure_kibana
 start_elasticsearch
 test_elasticsearch
+install_beats
+post_configure
 promote_staged_jail elasticsearch
diff --git a/provision/geoip.sh b/provision/geoip.sh
index 488edf26..fc5b1cd4 100755
--- a/provision/geoip.sh
+++ b/provision/geoip.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 preflight_check() {
 	if [ -z "$MAXMIND_LICENSE_KEY" ]; then
@@ -12,16 +14,14 @@ preflight_check() {
 install_geoip_geoipupdate()
 {
 	tell_status "install geoipupdate"
-	stage_pkg_install geoipupdate || exit
+	stage_pkg_install geoipupdate
 }
 
 install_geoip_mm_mirror()
 {
 	tell_status "install maxmind-geolite-mirror"
-	stage_pkg_install npm-node20 || exit
-	stage_exec npm set user 0
-	stage_exec npm set -g unsafe-perm true
-	stage_exec npm install -g maxmind-geolite-mirror || exit
+	stage_pkg_install npm-node20
+	stage_exec npm install -g maxmind-geolite-mirror
 }
 
 install_geoip()
@@ -94,7 +94,7 @@ test_geoip()
 	echo "testing geoip..."
 	stage_exec ls /data/db/
 
-	test -f "$STAGE_MNT/data/db/GeoLite2-Country.mmdb" || exit
+	test -f "$STAGE_MNT/data/db/GeoLite2-Country.mmdb"
 	echo "it worked"
 }
 
@@ -119,7 +119,7 @@ migrate_geoip_dbs()
 
 	Proceed?
 	"
-	dialog --yesno "$_confirm_msg" 19 70 || exit
+	dialog --yesno "$_confirm_msg" 19 70 || return
 
 	service jail stop geoip spamassassin haraka
 
@@ -136,7 +136,7 @@ migrate_geoip_dbs()
 }
 
 preflight_check
-base_snapshot_exists || exit
+base_snapshot_exists || exit 1
 migrate_geoip_dbs
 create_staged_fs geoip
 start_staged_jail geoip
diff --git a/provision/haproxy.sh b/provision/haproxy.sh
index d4dff0f5..8e1fe904 100755
--- a/provision/haproxy.sh
+++ b/provision/haproxy.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 install_haproxy()
 {
@@ -17,23 +19,23 @@ install_haproxy()
 install_haproxy_pkg()
 {
 	tell_status "installing haproxy"
-	stage_pkg_install haproxy || exit 1
+	stage_pkg_install haproxy
 }
 
 install_haproxy_openssl()
 {
 	tell_status "compiling haproxy against openssl $TLS_LIBRARY"
 	echo "DEFAULT_VERSIONS+=ssl=$TLS_LIBRARY" >> "$STAGE_MNT/etc/make.conf"
-	stage_pkg_install pcre gmake "$TLS_LIBRARY" || exit 1
-	stage_port_install net/haproxy || exit 1
+	stage_pkg_install pcre gmake "$TLS_LIBRARY"
+	stage_port_install net/haproxy
 }
 
 install_haproxy_libressl()
 {
 	tell_status "compiling haproxy against libressl"
 	echo 'DEFAULT_VERSIONS+=ssl=libressl' >> "$STAGE_MNT/etc/make.conf"
-	stage_pkg_install pcre gmake libressl || exit 1
-	stage_port_install net/haproxy || exit 1
+	stage_pkg_install pcre gmake libressl
+	stage_port_install net/haproxy
 }
 
 configure_haproxy_dot_conf()
@@ -293,17 +295,17 @@ configure_haproxy_tls()
 	if [ ! -f "$STAGE_MNT/etc/ssl/private/server.pem" ]; then
 		tell_status "concatenating TLS key and crt to PEM"
 		cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt \
-			> "$STAGE_MNT/etc/ssl/private/server.pem" || exit 1
+			> "$STAGE_MNT/etc/ssl/private/server.pem"
 	fi
 
 	if [ ! -d "$ZFS_DATA_MNT/haproxy/ssl" ]; then
 		tell_status "creating /data/ssl"
-		mkdir -p "$ZFS_DATA_MNT/haproxy/ssl" || exit 1
+		mkdir -p "$ZFS_DATA_MNT/haproxy/ssl"
 	fi
 
 	if [ ! -d "$ZFS_DATA_MNT/haproxy/ssl.d" ]; then
 		tell_status "creating /data/ssl.d"
-		mkdir -p "$ZFS_DATA_MNT/haproxy/ssl.d" || exit 1
+		mkdir -p "$ZFS_DATA_MNT/haproxy/ssl.d"
 	fi
 
 	if [ ! -d "$STAGE_MNT/usr/local/etc/periodic/daily" ]; then
@@ -316,7 +318,7 @@ configure_haproxy()
 {
 	if [ ! -d "$ZFS_DATA_MNT/haproxy/etc" ]; then
 		tell_status "creating /data/etc"
-		mkdir -p "$ZFS_DATA_MNT/haproxy/etc" || exit
+		mkdir -p "$ZFS_DATA_MNT/haproxy/etc"
 	fi
 
 	configure_haproxy_dot_conf
@@ -336,6 +338,11 @@ configure_haproxy()
 	store_config "$_pf_etc/rdr.conf" <<EO_PF
 rdr inet  proto tcp from any to <ext_ip4> port { 80 443 } -> $(get_jail_ip  haproxy)
 rdr inet6 proto tcp from any to <ext_ip6> port { 80 443 } -> $(get_jail_ip6 haproxy)
+EO_PF
+
+	store_config "$_pf_etc/allow.conf" <<EO_PF
+pass in quick inet  proto tcp from any to <ext_ip4> port { 80 443 }
+pass in quick inet6 proto tcp from any to <ext_ip6> port { 80 443 }
 EO_PF
 
 	configure_haproxy_tls
diff --git a/provision/haraka.sh b/provision/haraka.sh
index 3c873e04..7ad9af8e 100755
--- a/provision/haraka.sh
+++ b/provision/haraka.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA="devfs_ruleset=7"
 export JAIL_CONF_EXTRA="
@@ -12,27 +14,27 @@ HARAKA_CONF="$ZFS_DATA_MNT/haraka/config"
 install_haraka()
 {
 	tell_status "installing node & npm"
-	stage_pkg_install npm-node18 gmake pkgconf git-lite || exit
+	stage_pkg_install npm-node18 gmake pkgconf git-tiny
 	if [ "$BOURNE_SHELL" != "bash" ]; then
 		tell_status "Install bash since not in base"
-		stage_pkg_install bash || exit
+		stage_pkg_install bash
 	fi
 	# export PYTHON=/usr/local/bin/python3
 	# stage_exec ln -s /usr/local/bin/python3 /usr/local/bin/python
-	# stage_exec npm install -g --omit=dev node-gyp || exit
+	# stage_exec npm install -g --omit=dev node-gyp
 
 	# Workaround for NPM bug https://github.com/npm/cli/issues/2610
 	stage_exec bash -c 'git config --global url."https://github.com/".insteadOf git@github.com:'
 	stage_exec bash -c 'git config --global url."https://".insteadOf git://'
 
 	tell_status "installing Haraka"
-	stage_exec bash -c "npm install -g --omit=dev https://github.com/haraka/Haraka.git" || exit
+	stage_exec bash -c "npm install -g --omit=dev https://github.com/haraka/Haraka.git"
 
 	local _plugins="ws express"
 	for _p in log-reader dmarc-perl; do
 		_plugins="$_plugins haraka-plugin-$_p"
 	done
-	stage_exec rm /data/package.json
+	stage_exec bash -c "if [ -f /data/package.json ]; then rm /data/package.json; fi"
 	stage_exec bash -c "cd /data && npm install --omit=dev $_plugins"
 }
 
@@ -76,12 +78,12 @@ install_p0f()
 	tell_status "installing p0f startup file"
 	mkdir -p "$STAGE_MNT/usr/local/etc/rc.d"
 	local _start="$STAGE_MNT/usr/local/etc/rc.d/p0f"
-	cp "$STAGE_MNT/usr/local/lib/node_modules/Haraka/node_modules/haraka-plugin-p0f/contrib/bsd-rc.d/p0f" "$_start" || exit
-	chmod 755 "$_start" || exit
+	cp "$STAGE_MNT/usr/local/lib/node_modules/Haraka/node_modules/haraka-plugin-p0f/contrib/bsd-rc.d/p0f" "$_start"
+	chmod 755 "$_start"
 
 	get_public_facing_nic
 	if [ "$PUBLIC_NIC" != "bce1" ]; then
-		sed -i '' -e "s/ bce1 / $PUBLIC_NIC /" "$_start" || exit
+		sed -i '' -e "s/ bce1 / $PUBLIC_NIC /" "$_start"
 	fi
 
 	stage_sysrc p0f_enable=YES
@@ -219,7 +221,7 @@ relay_reject_threshold=7
 
 configure_haraka_avg()
 {
-	mkdir -p "$STAGE_MNT/data/avg/spool" || exit
+	mkdir -p "$STAGE_MNT/data/avg/spool"
 
 	tell_status "configuring Haraka avg plugin"
 	if ! grep -qs ^host "$HARAKA_CONF/avg.ini"; then
@@ -345,7 +347,7 @@ configure_haraka_rspamd()
 		tell_status "configure Haraka rspamd plugin"
 		echo "host = $(get_jail_ip rspamd)
 add_headers = always
-" | tee -a "$HARAKA_CONF/rspamd.ini" || exit
+" | tee -a "$HARAKA_CONF/rspamd.ini"
 	fi
 
 	if ! grep -qs ^rspamd "$HARAKA_CONF/plugins"; then
@@ -353,7 +355,7 @@ add_headers = always
 		# shellcheck disable=1004
 		sed -i '' -e '/spamassassin$/a\
 rspamd
-' "$HARAKA_CONF/plugins" || exit
+' "$HARAKA_CONF/plugins"
 	fi
 }
 
@@ -361,7 +363,7 @@ configure_haraka_watch()
 {
 	if ! grep -qs ^watch "$HARAKA_CONF/plugins"; then
 		tell_status "enabling watch plugin"
-		echo 'watch' >> "$HARAKA_CONF/plugins" || exit
+		echo 'watch' >> "$HARAKA_CONF/plugins"
 	fi
 
 	if [ ! -f "$HARAKA_CONF/watch.ini" ]; then
@@ -381,7 +383,7 @@ configure_haraka_smtp_ini()
 		-e 's/^;daemonize=true/daemonize=true/' \
 		-e 's/^;daemon_pid_file/daemon_pid_file/' \
 		-e 's/^;daemon_log_file/daemon_log_file/' \
-		"$HARAKA_CONF/smtp.ini" || exit
+		"$HARAKA_CONF/smtp.ini"
 }
 
 configure_haraka_plugins()
@@ -459,7 +461,7 @@ configure_haraka_dkim()
 
 	if [ ! -d "$HARAKA_CONF/dkim/$TOASTER_MAIL_DOMAIN" ]; then
 		tell_status "generating DKIM keys"
-		cd "$HARAKA_CONF/dkim" || exit
+		cd "$HARAKA_CONF/dkim"
 		sh dkim_key_gen.sh "$TOASTER_MAIL_DOMAIN"
 		cat "$HARAKA_CONF/dkim/$TOASTER_MAIL_DOMAIN/dns"
 
@@ -597,7 +599,7 @@ configure_haraka_log_rotation()
 	enable_newsyslog
 
 	tell_status "configuring haraka.log rotation"
-	mkdir -p "$STAGE_MNT/etc/newsyslog.conf.d" || exit
+	mkdir -p "$STAGE_MNT/etc/newsyslog.conf.d"
 	tee -a "$STAGE_MNT/etc/newsyslog.conf.d/haraka.log" <<EO_HARAKA
 /var/log/haraka.log			644  7	   *	@T00  JC
 EO_HARAKA
@@ -647,7 +649,7 @@ EO_SPF_RELAY
 configure_haraka()
 {
 	tell_status "installing Haraka, stage 2"
-	stage_exec haraka -i /data || exit
+	stage_exec haraka -i /data
 
 	tell_status "configuring Haraka"
 	echo 'LOGINFO' > "$HARAKA_CONF/loglevel"
@@ -724,10 +726,10 @@ start_haraka()
 	sysrc -f "$STAGE_MNT/etc/rc.conf" haraka_flags='-c /data'
 
 	if [ ! -d "$HARAKA_CONF/queue" ]; then
-		mkdir -p "$HARAKA_CONF/queue" || exit
+		mkdir -p "$HARAKA_CONF/queue"
 	fi
 
-	stage_exec service haraka start || exit
+	stage_exec service haraka start
 }
 
 test_haraka()
@@ -737,7 +739,7 @@ test_haraka()
 }
 
 preinstall_checks() {
-	base_snapshot_exists || exit
+	base_snapshot_exists || exit 1
 
 	if ! zfs_filesystem_exists "$ZFS_DATA_VOL/redis"; then
 		tell_status "FATAL: redis jail required but not provisioned."
diff --git a/provision/host.sh b/provision/host.sh
index d96fd151..a2f0bd33 100755
--- a/provision/host.sh
+++ b/provision/host.sh
@@ -1,11 +1,14 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA=""
 export JAIL_CONF_EXTRA=""
 
 mt6-include shell
+mt6-include mta
 
 configure_ntp()
 {
@@ -34,7 +37,7 @@ configure_ntpd()
 	fi
 
 	tell_status "enabling NTPd"
-	sysrc ntpd_enable=YES || exit
+	sysrc ntpd_enable=YES
 	sysrc ntpd_sync_on_start=YES
 	/etc/rc.d/ntpd restart
 }
@@ -58,18 +61,6 @@ update_syslogd()
 	service syslogd restart
 }
 
-update_sendmail()
-{
-	if grep -q ^sendmail_enable /etc/rc.conf; then
-		tell_status "preserving sendmail config"
-		return
-	fi
-
-	tell_status "disable sendmail network listening"
-	sysrc sendmail_enable=NO
-	service sendmail onestop
-}
-
 install_periodic_conf()
 {
 	store_config /etc/periodic.conf <<EO_PERIODIC
@@ -165,14 +156,17 @@ constrain_sshd_to_host()
 		sysrc sshd_flags+=" \-o ListenAddress=$PUBLIC_IP6"
 	fi
 
-	service sshd configtest || exit 1
+	service sshd configtest
 	service sshd restart
 }
 
 sshd_reorder()
 {
 	_file="/usr/local/etc/rc.d/sshd_reorder"
-	if [ -x "$_file" ]; then return; fi
+	if [ -x "$_file" ]; then
+		tell_status "preserving sshd_reorder"
+		return
+	fi
 
 	tell_status "starting sshd earlier"
 	tee "$_file" <<EO_SSHD_REORDER
@@ -266,7 +260,7 @@ configure_dhparams()
 	fi
 
 	tell_status "Generating a 2048 bit dhparams file"
-	openssl dhparam -out "$DHP" 2048 || exit
+	openssl dhparam -out "$DHP" 2048
 }
 
 install_sshguard()
@@ -293,7 +287,7 @@ install_sshguard()
 check_timezone()
 {
 	if [ ! -e "/etc/localtime" ]; then
-		tzsetup || exit
+		tzsetup
 	fi
 }
 
@@ -302,8 +296,7 @@ check_global_listeners()
 	tell_status "checking for host listeners on all IPs"
 
 	if sockstat -L -4 | grep -E '\*:[0-9]' | grep -v 123; then
-		echo "oops!, you should not having anything listening
-on all your IP addresses!"
+		echo "oops!, you should not having anything listening on all your IP addresses!"
 		if [ -t 0 ]; then exit 2; fi
 
 		echo "Not interactive, continuing anyway."
@@ -355,14 +348,14 @@ block in quick inet6 proto tcp from <sshguard> to any port { 22 }
 anchor "allow/*"
 EO_PF_RULES
 
-	kldstat -q -m pf || kldload pf || exit 1
+	kldstat -q -m pf || kldload pf
 
 	grep -q ^pf_enable /etc/rc.conf || sysrc pf_enable=YES
 	if ! /etc/rc.d/pf status | grep -q Enabled; then
-		/etc/rc.d/pf start || exit 1
+		/etc/rc.d/pf start
 	fi
 
-	pfctl -f /etc/pf.conf || exit 1
+	pfctl -f /etc/pf.conf
 }
 
 install_jailmanage()
@@ -458,12 +451,12 @@ update_ports_tree()
 		cd - || return
 	else
 		tell_status "updating FreeBSD ports tree (portsnap)"
-		portsnap fetch || exit
+		portsnap fetch
 
 		if [ -d /usr/ports/mail/vpopmail ]; then
-			portsnap update || portsnap extract || exit
+			portsnap update || portsnap extract
 		else
-			portsnap extract || exit
+			portsnap extract
 		fi
 	fi
 }
@@ -484,7 +477,7 @@ update_freebsd()
 	freebsd-update fetch install
 
 	tell_status "updating FreeBSD pkg collection"
-	pkg update || exit
+	pkg update
 
 	if ! pkg info -e ca_root_nss; then
 		tell_status "install CA root certs, so https URLs work"
@@ -506,14 +499,12 @@ plumb_jail_nic()
 
 	if ! grep -q cloned_interfaces /etc/rc.conf; then
 		tell_status "plumb lo1 interface at startup"
-		sysrc cloned_interfaces+=lo1 || exit
+		sysrc cloned_interfaces+=lo1
 	fi
 
-	local _missing;
-	_missing=$(ifconfig lo1 2>&1 | grep 'does not exist')
-	if [ -n "$_missing" ]; then
+	if ifconfig lo1 2>&1 | grep -q 'does not exist'; then
 		tell_status "plumb lo1 interface"
-		ifconfig lo1 create || exit
+		ifconfig lo1 create
 	fi
 }
 
@@ -521,14 +512,12 @@ assign_syslog_ip()
 {
 	if ! grep -q ifconfig_lo1 /etc/rc.conf; then
 		tell_status "adding syslog IP to lo1"
-		sysrc ifconfig_lo1="$JAIL_NET_PREFIX.1 netmask 255.255.255.0" || exit
+		sysrc ifconfig_lo1="$JAIL_NET_PREFIX.1 netmask 255.255.255.0"
 	fi
 
-	local _present
-	_present=$(ifconfig lo1 2>&1 | grep "$JAIL_NET_PREFIX.1 ")
-	if [ -z "$_present" ]; then
+	if ! ifconfig lo1 2>&1 | grep -q "$JAIL_NET_PREFIX.1 "; then
 		echo "assigning $JAIL_NET_PREFIX.1 to lo1"
-		ifconfig lo1 "$JAIL_NET_PREFIX.1" netmask 255.255.255.0 || exit
+		ifconfig lo1 "$JAIL_NET_PREFIX.1" netmask 255.255.255.0
 	fi
 }
 
@@ -549,7 +538,7 @@ configure_etc_hosts()
 $(get_jail_ip "$_j")		$_j"
 	done
 
-	echo "$_hosts" | tee -a "/etc/hosts"
+	echo "$_hosts" >> "/etc/hosts"
 }
 
 update_host() {
@@ -557,7 +546,7 @@ update_host() {
 	update_freebsd
 	configure_pkg_latest ""
 	configure_ntp
-	update_sendmail
+	configure_mta
 	install_periodic_conf
 	constrain_sshd_to_host
 	sshd_reorder
diff --git a/provision/letsencrypt.sh b/provision/letsencrypt.sh
index 3c412ae5..c3142bbf 100755
--- a/provision/letsencrypt.sh
+++ b/provision/letsencrypt.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 install_letsencrypt()
 {
diff --git a/provision/mailtest.sh b/provision/mailtest.sh
index e7f9230d..acf290ee 100755
--- a/provision/mailtest.sh
+++ b/provision/mailtest.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA=""
 export JAIL_CONF_EXTRA="
@@ -10,7 +12,7 @@ export JAIL_CONF_EXTRA="
 install_mailtest()
 {
 	tell_status "installing swaks"
-	stage_pkg_install swaks p5-Net-SSLeay || exit 1
+	stage_pkg_install swaks p5-Net-SSLeay
 }
 
 configure_mailtest()
@@ -34,11 +36,11 @@ test_mailtest()
 	_pass=$(jexec vpopmail /usr/local/vpopmail/bin/vuserinfo -C "$_email")
 
 	tell_status "sending an email to $_email"
-	stage_exec swaks -from "$_email" -to "$_email" -server "$_server" -timeout 50 || exit 1
+	stage_exec swaks -from "$_email" -to "$_email" -server "$_server" -timeout 50
 
 	tell_status "sending a TLS encrypted and authenticated email"
 	stage_exec swaks -from "$_email" -to "$_email" -server "$_server" -timeout 50 \
-		-tls -au "$_email" -ap "$_pass" || exit 1
+		-tls -au "$_email" -ap "$_pass"
 
 	echo "it worked"
 }
diff --git a/provision/mongodb.sh b/provision/mongodb.sh
index bd5259e1..1f227300 100755
--- a/provision/mongodb.sh
+++ b/provision/mongodb.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -e
+
 . mail-toaster.sh || exit
 
 export JAIL_START_EXTRA="allow.sysvipc=1 allow.mlock=1"
@@ -10,25 +12,32 @@ export JAIL_CONF_EXTRA="
 
 install_mongodb()
 {
+	if [ "$(uname -p)" = "amd64" ]; then
+		if ! grep Features /var/run/dmesg.boot | grep AVX; then
+			tell_status "WARNING: your CPU isn't supported by MongoDB 5+, installing 4.4"
+			stage_pkg_install mongodb44 mongodb-tools
+			return
+		fi
+	fi
+
 	tell_status "installing mongodb"
-	stage_pkg_install mongodb50 || exit
+	stage_pkg_install mongodb50 mongodb-tools
+}
 
-	#stage_pkg_install python scons-py37 boost-libs snappy pcre cyrus-sasl binutils gmp mongodb44 || exit 1
-	#stage_port_install databases/mongodb50 || exit 1
+install_mongodb_port()
+{
+	stage_pkg_install python scons-py37 boost-libs snappy pcre cyrus-sasl binutils gmp
+	stage_port_install databases/mongodb50
 }
 
 check_max_wired() {
 	local _fbsd_major; _fbsd_major=$(freebsd-version | cut -f1 -d'.')
-	if [ "$_fbsd_major" -gt "12" ]; then
-		return
-	fi
+	if [ "$_fbsd_major" -gt "12" ]; then return; fi
 
 	_count=$(sysctl -n vm.stats.vm.v_wire_count)
 	_wired=$(sysctl -n vm.max_wired)
 
-	if [ "$_count" -lt "$_wired" ]; then
-		return
-	fi
+	if [ "$_count" -lt "$_wired" ]; then return; fi
 
 	echo "increase vm.max_wired > $_count"
 	echo "sysctl vm.max_wired $((_count * 2))"
@@ -61,10 +70,6 @@ start_mongodb()
 {
 	tell_status "starting mongodb"
 	stage_sysrc mongod_enable=YES
-	stage_sysrc mongod_config=/data/etc/mongodb.conf
-	stage_sysrc mongod_dbpath=/data/db
-	stage_sysrc mongod_flags="--logpath /data/log/mongod.log --logappend"
-
 	stage_exec service mongod start
 }
 
@@ -72,10 +77,17 @@ test_mongodb()
 {
 	echo "testing mongodb"
 	sleep 1
-	stage_listening 27017
+	stage_listening 27017 3
 	echo "it worked"
 }
 
+post_install_config()
+{
+	stage_sysrc mongod_config=/data/etc/mongodb.conf
+	stage_sysrc mongod_dbpath=/data/db
+	stage_sysrc mongod_flags="--logpath /data/log/mongod.log --logappend"
+}
+
 base_snapshot_exists || exit
 create_staged_fs mongodb
 start_staged_jail mongodb
@@ -83,4 +95,5 @@ install_mongodb
 configure_mongodb
 start_mongodb
 test_mongodb
+post_install_config
 promote_staged_jail mongodb
diff --git a/provision/mysql.sh b/provision/mysql.sh
index e2628ac4..07524e88 100755
--- a/provision/mysql.sh
+++ b/provision/mysql.sh
@@ -1,13 +1,15 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 install_db_server()
 {
 	for _d in etc db; do
 		_path="$STAGE_MNT/data/$_d"
 		if [ ! -d "$_path" ]; then
-			mkdir "$_path" || exit 1
+			mkdir "$_path"
 			chown 88:88 "$_path"
 		fi
 	done
@@ -23,13 +25,13 @@ install_db_server()
 install_mysql()
 {
 	tell_status "installing mysql"
-	stage_pkg_install mysql80-server || exit 1
+	stage_pkg_install mysql80-server
 }
 
 install_mariadb()
 {
 	tell_status "installing mariadb"
-	stage_pkg_install mariadb1011-server || exit 1
+	stage_pkg_install mariadb1011-server
 }
 
 write_pass_to_conf()
@@ -37,7 +39,7 @@ write_pass_to_conf()
 	if grep -sq TOASTER_MYSQL_PASS mail-toaster.conf; then
 		sed -i '' \
 			-e "/^export TOASTER_MYSQL_PASS=/ s|=\"\"|=\"$TOASTER_MYSQL_PASS\"|" \
-			mail-toaster.conf || exit
+			mail-toaster.conf
 	else
 		echo "export TOASTER_MYSQL_PASS=\"$TOASTER_MYSQL_PASS\"" >> mail-toaster.conf
 	fi
@@ -80,7 +82,7 @@ configure_mysql_root_password()
 
 	echo 'SHOW DATABASES' | stage_exec mysql --password="$TOASTER_MYSQL_PASS" \
 		|| echo "ALTER USER 'root'@'localhost' IDENTIFIED BY '$TOASTER_MYSQL_PASS';" \
-			| stage_exec mysql -u root || exit 1
+			| stage_exec mysql -u root
 
 	write_pass_to_conf
 }
@@ -127,7 +129,7 @@ start_mysql()
 		unmount_data mysql
 	fi
 
-	stage_exec service mysql-server start || exit
+	stage_exec service mysql-server start
 	configure_mysql_root_password
 	configure_mysql_keys
 }
@@ -136,7 +138,7 @@ test_mysql()
 {
 	tell_status "testing mysql"
 	stage_listening 3306 2
-	echo 'SHOW DATABASES' | stage_exec mysql --password="$TOASTER_MYSQL_PASS" || exit 1
+	echo 'SHOW DATABASES' | stage_exec mysql --password="$TOASTER_MYSQL_PASS"
 	echo "it worked"
 }
 
@@ -177,7 +179,7 @@ else
 	exit
 fi
 
-base_snapshot_exists || exit
+base_snapshot_exists || exit 1
 migrate_mysql_dbs
 create_staged_fs mysql
 start_staged_jail mysql
diff --git a/provision/nagios.sh b/provision/nagios.sh
index 2b5c44d5..85ad66ec 100755
--- a/provision/nagios.sh
+++ b/provision/nagios.sh
@@ -3,7 +3,8 @@
 . mail-toaster.sh || exit
 
 export JAIL_START_EXTRA=""
-export JAIL_CONF_EXTRA=""
+export JAIL_CONF_EXTRA="
+		allow.raw_sockets;"
 
 mt6-include php
 mt6-include nginx
diff --git a/provision/nictool.sh b/provision/nictool.sh
index d43d1aff..7e91f524 100755
--- a/provision/nictool.sh
+++ b/provision/nictool.sh
@@ -29,7 +29,7 @@ install_nt_prereqs()
 
 install_nt_from_git()
 {
-	stage_pkg_install git-lite || exit
+	stage_pkg_install git-tiny || exit
 	cd "$STAGE_MNT/usr/local" || exit
 	stage_exec git clone --depth=1 https://github.com/msimerson/NicTool.git /usr/local/nictool || exit
 	stage_pkg_install p5-App-Cpanminus
diff --git a/provision/roundcube.sh b/provision/roundcube.sh
index 85f85c90..33cf8667 100755
--- a/provision/roundcube.sh
+++ b/provision/roundcube.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA=""
 export JAIL_CONF_EXTRA=""
@@ -49,7 +51,7 @@ install_roundcube_mysql()
 	sed -i.bak \
 		-e "s/roundcube:pass@/roundcube:${_rcpass}@/" \
 		-e "s/@localhost\//@$(get_jail_ip mysql)\//" \
-		"$_rcc_dir/config.inc.php" || exit
+		"$_rcc_dir/config.inc.php"
 
 	if [ "$_init_db" = "1" ]; then
 		tell_status "configuring roundcube mysql permissions"
@@ -57,8 +59,8 @@ install_roundcube_mysql()
 		for _jail in roundcube stage; do
 			for _ip in $(get_jail_ip "$_jail") $(get_jail_ip6 "$_jail");
 			do
-				echo "CREATE USER IF NOT EXISTS 'roundcube'@'${_ip}' IDENTIFIED BY '${_rcpass}';" | mysql_query || exit 1
-				echo "GRANT ALL PRIVILEGES ON roundcubemail.* to 'roundcube'@'${_ip}';" | mysql_query || exit 1
+				echo "CREATE USER IF NOT EXISTS 'roundcube'@'${_ip}' IDENTIFIED BY '${_rcpass}';" | mysql_query
+				echo "GRANT ALL PRIVILEGES ON roundcubemail.* to 'roundcube'@'${_ip}';" | mysql_query
 			done
 		done
 
@@ -69,10 +71,10 @@ install_roundcube_mysql()
 roundcube_init_db()
 {
 	tell_status "initializing roundcube db"
-	pkg install -y curl || exit
+	pkg install -y curl
 	start_roundcube
 	curl -i --haproxy-protocol -F initdb='Initialize database' -XPOST \
-		"http://$(get_jail_ip stage)/installer/index.php?_step=3" || exit
+		"http://$(get_jail_ip stage)/installer/index.php?_step=3"
 }
 
 install_roundcube_plugins()
@@ -96,11 +98,11 @@ install_roundcube()
 		_php_modules="$_php_modules pdo_mysql"
 	fi
 
-	install_php $PHP_VER "$_php_modules" || exit
-	install_nginx || exit
+	install_php $PHP_VER "$_php_modules"
+	install_nginx
 
 	tell_status "installing roundcube"
-	stage_pkg_install roundcube-php${PHP_VER} || exit 1
+	stage_pkg_install roundcube-php${PHP_VER}
 
 	install_roundcube_plugins
 }
@@ -174,25 +176,25 @@ configure_roundcube_php()
 		-e "/^session.gc_maxlifetime/ s/= *[1-9][0-9]*/= 21600/" \
 		-e "/^post_max_size/ s/= *[1-9][0-9]*M/= ${ROUNDCUBE_ATTACHMENT_SIZE_MB}M/" \
 		-e "/^upload_max_filesize/ s/= *[1-9][0-9]*M/= ${ROUNDCUBE_ATTACHMENT_SIZE_MB}M/" \
-		"$STAGE_MNT/usr/local/etc/php.ini" || exit
+		"$STAGE_MNT/usr/local/etc/php.ini"
 }
 
 configure_roundcube_plugins()
 {
 	tell_status "configure the managesieve plugin"
 	cp "$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php.dist" \
-		"$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php" || exit 1
+		"$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php"
 	sed -i.bak \
 		-e "/'managesieve_host'/s/localhost/dovecot/" \
-		"$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php"  || exit 1
+		"$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php"
 
 	tell_status "configure the password plugin"
 	cp "$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php.dist" \
-		"$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php" || exit 1
+		"$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php"
 	sed -i.bak \
 		-e "/'password_driver'/s/sql/vpopmaild/" \
 		-e "/'password_vpopmaild_host'/s/localhost/vpopmail/" \
-		"$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php" || exit 1
+		"$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php"
 }
 
 configure_roundcube()
@@ -211,7 +213,7 @@ configure_roundcube()
 	if [ -f "$_stage_cfg" ]; then return; fi
 
 	tell_status "installing default $_stage_cfg"
-	cp "$_stage_cfg.sample" "$_stage_cfg" || exit
+	cp "$_stage_cfg.sample" "$_stage_cfg"
 
 	tell_status "customizing $_stage_cfg"
 	local _dovecot_ip
@@ -232,7 +234,7 @@ configure_roundcube()
 		-e "/'smtp_pass'/    s/'';/'%p';/" \
 		-e "/'archive',/     s/,$/, 'managesieve',/" \
 		-e "/'product_name'/ s|'Roundcube Webmail'|'$ROUNDCUBE_PRODUCT_NAME'|" \
-		"$_stage_cfg" || exit
+		"$_stage_cfg"
 
 	tee -a "$_stage_cfg" <<'EO_RC_ADD'
 
@@ -257,7 +259,7 @@ EO_RC_ADD
 	else
 		sed -i.bak \
 			-e "/^\$config\['db_dsnw'/ s/= .*/= 'sqlite:\/\/\/\/data\/sqlite.db?mode=0646';/" \
-			"$_stage_cfg" || exit
+			"$_stage_cfg"
 
 		if [ ! -f "$ZFS_DATA_MNT/roundcube/sqlite.db" ]; then
 			mkdir -p "$STAGE_MNT/data"
diff --git a/provision/rspamd.sh b/provision/rspamd.sh
index 7ca8bcd6..4d88cce9 100755
--- a/provision/rspamd.sh
+++ b/provision/rspamd.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA=""
 export JAIL_CONF_EXTRA=""
@@ -10,7 +12,7 @@ RSPAMD_ETC="$STAGE_MNT/usr/local/etc/rspamd"
 install_rspamd()
 {
 	tell_status "installing rspamd"
-	stage_pkg_install rspamd || exit
+	stage_pkg_install rspamd
 
 	if [ "$TOASTER_USE_TMPFS" = 1 ]; then
 		tee -a $STAGE_MNT/etc/rc.local <<'EO_RC_LOCAL'
@@ -212,7 +214,7 @@ test_rspamd()
 	echo "it worked"
 }
 
-base_snapshot_exists || exit
+base_snapshot_exists || exit 1
 create_staged_fs rspamd
 start_staged_jail rspamd
 install_rspamd
diff --git a/provision/snappymail.sh b/provision/snappymail.sh
index e08c9f9d..1d27ec98 100755
--- a/provision/snappymail.sh
+++ b/provision/snappymail.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA=""
 export JAIL_CONF_EXTRA=""
@@ -27,13 +29,13 @@ install_snappymail()
 		stage_make_conf snappymail_UNSET 'mail_snappymail_UNSET=SQLITE3 PGSQL REDIS LDAP'
 	fi
 
-	install_php "$PHP_VER" "$_php_modules" || exit
-	install_nginx || exit
+	install_php "$PHP_VER" "$_php_modules"
+	install_nginx
 
 	tell_status "installing snappymail"
 	# stage_pkg_install snappymail-php$PHP_VER
 	stage_pkg_install gnupg
-	stage_port_install mail/snappymail || exit
+	stage_port_install mail/snappymail
 }
 
 configure_nginx_server()
@@ -87,7 +89,7 @@ install_default_json()
 	local _rlconfdir="$ZFS_DATA_MNT/snappymail/_data_/_default_"
 	if [ ! -d "$_rlconfdir/domains" ]; then
 		tell_status "creating default/domains dir"
-		mkdir -p "$_rlconfdir/domains" || exit
+		mkdir -p "$_rlconfdir/domains"
 	fi
 
 	local _djson="$_rlconfdir/domains/default.json"
diff --git a/provision/spamassassin.sh b/provision/spamassassin.sh
index 5ebe9db9..7e51fabd 100755
--- a/provision/spamassassin.sh
+++ b/provision/spamassassin.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_FSTAB="$ZFS_DATA_MNT/geoip/db $ZFS_JAIL_MNT/spamassassin/usr/local/share/GeoIP nullfs rw 0 0"
 
@@ -29,21 +31,21 @@ install_sought_rules() {
 	fi
 
 	tell_status "installing sought rules"
-	fetch -o - http://yerp.org/rules/GPG.KEY | stage_exec sa-update --import - || exit
-	stage_exec sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org || exit
+	fetch -o - http://yerp.org/rules/GPG.KEY | stage_exec sa-update --import -
+	stage_exec sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
 }
 
 install_spamassassin_port()
 {
 	tell_status "install SpamAssassin from ports (w/opts)"
-	stage_pkg_install p5-Encode-Detect p5-Test-NoWarnings || exit
+	stage_pkg_install p5-Encode-Detect p5-Test-NoWarnings
 
-	local _SA_OPTS="DCC DKIM DOCS RAZOR SPF_QUERY GNUPG_NONE"
+	local _SA_OPTS="AS_ROOT DCC DKIM RAZOR SPF_QUERY GNUPG_NONE"
 	if [    "$TOASTER_MYSQL" = "1" ]; then _SA_OPTS="MYSQL $_SA_OPTS"; fi
 	if [ -n "$MAXMIND_LICENSE_KEY" ]; then _SA_OPTS="RELAY_COUNTRY $_SA_OPTS"; fi
 
 	stage_make_conf mail_spamassassin_SET "mail_spamassassin_SET=$_SA_OPTS"
-	stage_make_conf mail_spamassassin_UNSET 'mail_spamassassin_UNSET=SSL GNUPG GNUPG2 PYZOR PGSQL RLIMIT'
+	stage_make_conf mail_spamassassin_UNSET 'mail_spamassassin_UNSET=DOCS SSL GNUPG GNUPG2 PYZOR DMARC PGSQL RLIMIT'
 	stage_make_conf dcc-dccd_SET 'mail_dcc-dccd_SET=DCCIFD IPV6'
 	stage_make_conf dcc-dccd_UNSET 'mail_dcc-dccd_UNSET=DCCGREY DCCD DCCM PORTS_MILTER'
 	stage_make_conf LICENSES_ACCEPTED 'LICENSES_ACCEPTED=DCC'
@@ -56,7 +58,7 @@ install_spamassassin_port()
 	if [ -x "$STAGE_MNT/usr/local/bin/perl5.26.2" ]; then
 		stage_exec ln /usr/local/bin/perl5.26.2 /usr/local/bin/perl5.26.1
 	fi
-	stage_port_install mail/spamassassin || exit 1
+	stage_port_install mail/spamassassin
 }
 
 install_spamassassin_nrpe()
@@ -75,7 +77,7 @@ install_spamassassin_data_fs()
 	for _d in $ZFS_DATA_MNT/spamassassin/etc $ZFS_DATA_MNT/spamassassin/var $STAGE_MNT/usr/local/etc/mail; do
 		if [ ! -d "$_d" ]; then
 			tell_status "creating $_d"
-			mkdir "$_d" || exit
+			mkdir "$_d"
 		fi
 	done
 
@@ -85,7 +87,7 @@ install_spamassassin_data_fs()
 
 install_spamassassin_razor()
 {
-	stage_pkg_install razor-agents || exit
+	stage_pkg_install razor-agents
 
 	stage_exec razor-admin -home=/etc/razor -create -d
 	stage_exec razor-admin -home=/etc/razor -register -d
@@ -101,7 +103,7 @@ install_spamassassin_razor()
 
 	tell_status "setting up razor-agent log rotation"
 	if [ ! -d "$STAGE_MNT/etc/newsyslog.conf.d" ]; then
-		mkdir "$STAGE_MNT/etc/newsyslog.conf.d" || exit
+		mkdir "$STAGE_MNT/etc/newsyslog.conf.d"
 	fi
 
 	tee "$STAGE_MNT/etc/newsyslog.conf.d/razor-agent" <<EO_RAZOR
@@ -112,8 +114,8 @@ EO_RAZOR
 install_spamassassin()
 {
 	tell_status "install SpamAssassin optional dependencies"
-	stage_pkg_install p5-Mail-SPF p5-Mail-DKIM p5-Net-Patricia p5-libwww p5-GeoIP2 p5-Net-CIDR-Lite p5-IO-Socket-INET6 || exit
-	stage_pkg_install gnupg1 re2c libidn || exit
+	stage_pkg_install p5-Mail-SPF p5-Mail-DKIM p5-Net-Patricia p5-libwww p5-GeoIP2 p5-Net-CIDR-Lite p5-IO-Socket-INET6
+	stage_pkg_install gnupg1 re2c libidn
 	install_spamassassin_razor
 
 	if [ "$TOASTER_MYSQL" = "1" ]; then
@@ -271,22 +273,22 @@ configure_spamassassin_mysql()
     # user_awl_sql_table           awl
 EO_MYSQL_CONF
 
-	mysql_create_db spamassassin || exit
+	mysql_create_db spamassassin
 
 	# bayes_mysql
 	for _import_file in awl_mysql userpref_mysql;
 	do
 		local _f="$STAGE_MNT/usr/local/share/doc/spamassassin/sql/${_import_file}.sql"
 		# shellcheck disable=SC2002
-		cat "$_f" | sed -e 's/TYPE=MyISAM//' | mysql_query spamassassin || exit
+		cat "$_f" | sed -e 's/TYPE=MyISAM//' | mysql_query spamassassin
 	done
 
 	for _jail in spamassassin stage squirrelmail;
 	do
 		for _ip in $(get_jail_ip "$_jail") $(get_jail_ip6 "$_jail");
 		do
-			echo "CREATE USER IF NOT EXISTS 'spamassassin'@'$_ip' IDENTIFIED BY '$_my_pass'; FLUSH PRIVILEGES;" | mysql_query || exit 1
-			echo "GRANT ALL PRIVILEGES ON spamassassin.* to 'spamassassin'@'$_ip'" | mysql_query || exit 1
+			echo "CREATE USER IF NOT EXISTS 'spamassassin'@'$_ip' IDENTIFIED BY '$_my_pass'; FLUSH PRIVILEGES;" | mysql_query
+			echo "GRANT ALL PRIVILEGES ON spamassassin.* to 'spamassassin'@'$_ip'" | mysql_query
 		done
 	done
 }
@@ -314,7 +316,7 @@ test_spamassassin()
 	echo "it worked"
 }
 
-base_snapshot_exists || exit
+base_snapshot_exists || exit 1
 create_staged_fs spamassassin
 mkdir -p "$STAGE_MNT/usr/local/share/GeoIP"
 start_staged_jail spamassassin
diff --git a/provision/unifi.sh b/provision/unifi.sh
index aa15e9b8..e15f607a 100755
--- a/provision/unifi.sh
+++ b/provision/unifi.sh
@@ -2,11 +2,9 @@
 
 . mail-toaster.sh || exit
 
-export JAIL_CONF_EXTRA="
-                mount.fdescfs;
-                mount.procfs;"
-export JAIL_FSTAB="fdescfs /jails/unifi/dev/fd fdescfs rw 0 0
-proc     /jails/unifi/proc   procfs  rw 0 0"
+export JAIL_CONF_EXTRA=""
+export JAIL_FSTAB="fdescfs $ZFS_JAIL_MNT/unifi/dev/fd fdescfs rw 0 0
+proc     $ZFS_JAIL_MNT/unifi/proc   procfs  rw 0 0"
 
 install_unifi()
 {
diff --git a/provision/vpopmail.sh b/provision/vpopmail.sh
index f6bb5fa5..990c5a5d 100755
--- a/provision/vpopmail.sh
+++ b/provision/vpopmail.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export VPOPMAIL_OPTIONS_SET=""
 export VPOPMAIL_OPTIONS_UNSET="ROAMING"
@@ -29,7 +31,7 @@ EO_MAILDROP_310
 	fi
 
 	export BATCH=${BATCH:="1"}
-	stage_port_install mail/maildrop || exit 1
+	stage_port_install mail/maildrop
 }
 
 install_maildrop()
@@ -39,15 +41,15 @@ install_maildrop()
 	install_maildrop_port
 
 	tell_status "installing maildrop filter file"
-	fetch -o "$STAGE_MNT/etc/mailfilter" "$TOASTER_SRC_URL/qmail/filter.txt" || exit 1
+	fetch -o "$STAGE_MNT/etc/mailfilter" "$TOASTER_SRC_URL/qmail/filter.txt"
 
 	tell_status "adding legacy mailfilter for MT5 compatibility"
-	mkdir -p "$STAGE_MNT/usr/local/etc/mail" || exit 1
-	cp "$STAGE_MNT/etc/mailfilter" "$STAGE_MNT/usr/local/etc/mail/" || exit 1
+	mkdir -p "$STAGE_MNT/usr/local/etc/mail"
+	cp "$STAGE_MNT/etc/mailfilter" "$STAGE_MNT/usr/local/etc/mail/"
 
 	tell_status "setting permissions on mailfilter files"
-	chown 89:89 "$STAGE_MNT/etc/mailfilter" "$STAGE_MNT/usr/local/etc/mail/mailfilter" || exit 1
-	chmod 600 "$STAGE_MNT/etc/mailfilter" "$STAGE_MNT/usr/local/etc/mail/mailfilter" || exit 1
+	chown 89:89 "$STAGE_MNT/etc/mailfilter" "$STAGE_MNT/usr/local/etc/mail/mailfilter"
+	chmod 600 "$STAGE_MNT/etc/mailfilter" "$STAGE_MNT/usr/local/etc/mail/mailfilter"
 }
 
 install_lighttpd()
@@ -120,7 +122,8 @@ mail_qmailadmin_UNSET=CATCHALL CRACKLIB IDX_SQL SPAM_DETECTION SPAM_NEEDS_EMAIL
 
 	export WEBDATADIR=www/data CGIBINDIR=www/cgi-bin CGIBINSUBDIR=qmailadmin SPAM_COMMAND="| /usr/local/bin/maildrop /usr/local/etc/mail/mailfilter"
 
-	stage_port_install mail/qmailadmin || exit
+	stage_port_install devel/autoconf
+	stage_port_install mail/qmailadmin
 
 	install_lighttpd
 }
@@ -131,7 +134,7 @@ install_vqadmin()
 
 	tell_status "installing vqadmin"
 	export WEBDATADIR=www/data CGIBINDIR=www/cgi-bin
-	stage_port_install mail/vqadmin || exit 1
+	stage_port_install mail/vqadmin
 	stage_exec ln /usr/local/www/cgi-bin/vqadmin/html/en-us /usr/local/www/cgi-bin/vqadmin/html/en-US
 }
 
@@ -176,17 +179,17 @@ install_vpopmail_mysql_grants()
 		-e "s/^localhost/$(get_jail_ip mysql)/" \
 		-e 's/root/vpopmail/' \
 		-e "s/secret/$_vpass/" \
-		"$_vpe" || exit
+		"$_vpe"
 
 	tell_status "setting up mysql user vpopmail"
 	for _jail in stage vpopmail dovecot sqwebmail; do
 		for _ip in $(get_jail_ip "$_jail") $(get_jail_ip6 "$_jail");
 		do
 			mysql_user_exists vpopmail $_ip \
-				|| echo "CREATE USER 'vpopmail'@'$_ip' IDENTIFIED BY '$_vpass'; FLUSH PRIVILEGES;" | mysql_query \
-				|| exit 1
+				|| echo "CREATE USER 'vpopmail'@'$_ip' IDENTIFIED BY '$_vpass'; FLUSH PRIVILEGES;" | mysql_query
+
 
-			echo "GRANT ALL PRIVILEGES ON vpopmail.* to 'vpopmail'@'$_ip'" | mysql_query || exit
+			echo "GRANT ALL PRIVILEGES ON vpopmail.* to 'vpopmail'@'$_ip'" | mysql_query
 		done
 	done
 }
@@ -219,9 +222,9 @@ install_quota_report()
 	_qr="$STAGE_MNT/usr/local/etc/periodic/daily/toaster-quota-report"
 
 	tell_status "installing quota_report"
-	mkdir -p "$STAGE_MNT/usr/local/etc/periodic/daily" || exit
-	fetch -o "$_qr" "$TOASTER_SRC_URL/qmail/toaster-quota-report" || exit
-	chmod 755 "$_qr" || exit
+	mkdir -p "$STAGE_MNT/usr/local/etc/periodic/daily"
+	fetch -o "$_qr" "$TOASTER_SRC_URL/qmail/toaster-quota-report"
+	chmod 755 "$_qr"
 
 	sed -i '' \
 		-e "/\$admin/ s/postmaster@example.com/$TOASTER_ADMIN_EMAIL/" \
@@ -244,9 +247,9 @@ install_vpopmail()
 	fi
 
 	tell_status "installing vpopmail package"
-	stage_pkg_install vpopmail || exit
+	stage_pkg_install vpopmail
 
-	stage_port_install devel/gmake || exit
+	stage_port_install devel/gmake
 
 	install_vpopmail_port
 	#install_vpopmail_source
@@ -278,8 +281,9 @@ configure_vpopmail()
 	fetch -o - "$TOASTER_SRC_URL/qmail/run.sh" | stage_exec sh
 
 	if [ ! -d "$STAGE_MNT/usr/local/vpopmail/domains/$TOASTER_MAIL_DOMAIN" ]; then
-		tell_status "ATTN: Your postmaster password is..."
-		stage_exec /usr/local/vpopmail/bin/vadddomain -r14 "$TOASTER_MAIL_DOMAIN"
+		local _ppass; _ppass=$(openssl rand -base64 12)
+		tell_status "ATTN: Your postmaster password is: $_ppass"
+		stage_exec /usr/local/vpopmail/bin/vadddomain "$TOASTER_MAIL_DOMAIN" "$_ppass"
 	fi
 }
 
@@ -372,7 +376,7 @@ migrate_vpopmail_home()
 }
 
 migrate_vpopmail_home
-base_snapshot_exists || exit
+base_snapshot_exists || exit 1
 create_staged_fs vpopmail
 
 mkdir -p "$STAGE_MNT/usr/local/vpopmail" \
diff --git a/provision/webmail.sh b/provision/webmail.sh
index 43f62e85..d2623bd4 100755
--- a/provision/webmail.sh
+++ b/provision/webmail.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. mail-toaster.sh || exit
+set -e
+
+. mail-toaster.sh
 
 export JAIL_START_EXTRA=""
 export JAIL_CONF_EXTRA=""
@@ -86,9 +88,9 @@ EO_LIGHTTPD_MT6
 install_webmail()
 {
 	if [ "$WEBMAIL_HTTPD" = "lighttpd" ]; then
-		install_lighttpd || exit
+		install_lighttpd
 	else
-		install_nginx || exit
+		install_nginx
 		configure_nginx_server
 	fi
 }
@@ -273,9 +275,9 @@ EO_INDEX
 configure_webmail()
 {
 	if [ "$WEBMAIL_HTTPD" = "lighttpd" ]; then
-		configure_lighttpd || exit
+		configure_lighttpd
 	else
-		configure_nginx webmail || exit
+		configure_nginx webmail
 		configure_nginx_server
 	fi
 
diff --git a/provision/wildduck.sh b/provision/wildduck.sh
index dc27ed69..e3e73e82 100755
--- a/provision/wildduck.sh
+++ b/provision/wildduck.sh
@@ -16,7 +16,7 @@ install_webmail()
 install_wildduck()
 {
 	tell_status "installing node.js"
-	stage_pkg_install npm-node16 git-lite || exit
+	stage_pkg_install npm-node16 git-tiny || exit
 
 	tell_status "installing wildduck"
 	stage_exec bash -c "cd /data && git clone https://github.com/nodemailer/wildduck.git" || exit 1
diff --git a/provision/zonemta.sh b/provision/zonemta.sh
index 86580e27..ec2346c2 100755
--- a/provision/zonemta.sh
+++ b/provision/zonemta.sh
@@ -22,7 +22,7 @@ install_zonemta_webadmin()
 install_zonemta()
 {
 	tell_status "installing node.js"
-	stage_pkg_install npm-node16 git-lite || exit
+	stage_pkg_install npm-node16 git-tiny || exit
 
 	tell_status "installing ZoneMTA"
 	stage_exec bash -c "cd /data && git clone https://github.com/zone-eu/zone-mta-template.git zone-mta"
diff --git a/qmail/toaster-quota-report b/qmail/toaster-quota-report
index 421ba25e..6f83eeba 100755
--- a/qmail/toaster-quota-report
+++ b/qmail/toaster-quota-report
@@ -37,7 +37,7 @@ foreach my $domain ( `$vpopdir/bin/vdominfo -n` ) {
     foreach my $user ( `$vpopdir/bin/vuserinfo -n -D $domain` ) {
         chomp $user;
 
-# Get quota/info for user
+        # Get quota/info for user
         my $info    = `$vpopdir/bin/vuserinfo $user\@$domain`;
         my ($dir)   = $info =~ m/dir:\s+(.*)/;
         my ($name)  = $info =~ m/comment\/gecos:\s+(.*)/;
diff --git a/test/bats b/test/bats
new file mode 160000
index 00000000..af6eb009
--- /dev/null
+++ b/test/bats
@@ -0,0 +1 @@
+Subproject commit af6eb009bdd3005f22224a73fb0e10f592f0bc88
diff --git a/test/include.bats b/test/include.bats
new file mode 100644
index 00000000..a2c13927
--- /dev/null
+++ b/test/include.bats
@@ -0,0 +1,50 @@
+
+setup() {
+  load 'test_helper/bats-support/load'
+  load 'test_helper/bats-assert/load'
+}
+
+@test "./include/djb.sh" {
+  run ./include/djb.sh
+  assert_success
+}
+
+@test "./include/editor.sh" {
+  run ./include/editor.sh
+  assert_success
+}
+
+@test "./include/mta.sh" {
+  run ./include/mta.sh
+  assert_success
+}
+
+@test "./include/mysql.sh" {
+  run ./include/mysql.sh
+  assert_success
+}
+
+@test "./include/nginx.sh" {
+  run ./include/nginx.sh
+  assert_success
+}
+
+@test "./include/php.sh" {
+  run ./include/php.sh
+  assert_success
+}
+
+@test "./include/shell.sh" {
+  run ./include/shell.sh
+  assert_success
+}
+
+@test "./include/user.sh" {
+  run ./include/user.sh
+  assert_success
+}
+
+@test "./include/vpopmail.sh" {
+  run ./include/vpopmail.sh
+  assert_success
+}
diff --git a/test/mail-toaster.bats b/test/mail-toaster.bats
new file mode 100644
index 00000000..16b5c311
--- /dev/null
+++ b/test/mail-toaster.bats
@@ -0,0 +1,31 @@
+# https://bats-core.readthedocs.io/en/stable/writing-tests.html
+
+setup() {
+  load 'test_helper/bats-support/load'
+  load 'test_helper/bats-assert/load'
+  load ../mail-toaster.sh
+}
+
+@test "mt6_version_check" {
+  run mt6_version_check
+  #[ "$status" -eq 0 ]
+  assert_success
+}
+
+@test "safe_jailname replaces . with _" {
+  run safe_jailname bad.chars
+  assert_success
+  assert_output "bad_chars"
+}
+
+@test "reverse_list" {
+  run reverse_list tic tac toe
+  #echo "# $output" >&3
+  assert_success
+  assert_output --partial "toe tac tic"
+}
+
+@test "tell_status" {
+  run tell_status "BATS testing"
+  assert_success
+}
diff --git a/test/test_helper/bats-assert b/test/test_helper/bats-assert
new file mode 160000
index 00000000..e2d855bc
--- /dev/null
+++ b/test/test_helper/bats-assert
@@ -0,0 +1 @@
+Subproject commit e2d855bc78619ee15b0c702b5c30fb074101159f
diff --git a/test/test_helper/bats-support b/test/test_helper/bats-support
new file mode 160000
index 00000000..9bf10e87
--- /dev/null
+++ b/test/test_helper/bats-support
@@ -0,0 +1 @@
+Subproject commit 9bf10e876dd6b624fe44423f0b35e064225f7556
diff --git a/test/vmware.sh b/test/vmware.sh
index 09af3363..a63a957a 100755
--- a/test/vmware.sh
+++ b/test/vmware.sh
@@ -67,7 +67,7 @@ cleanstart() {
 
 vm_setup() {
 	# install, no options, Auto ZFS, 8gb swap, sshd & powerd
-	pkg install -y vim-tiny sudo open-vm-tools-nox11 git-lite
+	pkg install -y vim-tiny sudo open-vm-tools-nox11 git-tiny
 	chpass -s sh root
 	echo 'autoboot_delay="1"' >> /boot/loader.conf