diff --git a/client_software/0020_nextcloud_mozilla_pre/test_ipaapi.sh b/client_software/0020_nextcloud_mozilla_pre/test_ipaapi.sh new file mode 100755 index 0000000..bf94cd5 --- /dev/null +++ b/client_software/0020_nextcloud_mozilla_pre/test_ipaapi.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env python3 +from ipalib import api +from os import environ + +api.bootstrap(context="cli", in_server=False) +api.finalize() +api.Backend.rpcclient.connect() + +result = api.Command.user_show(environ['USER']) +user_email = result['result']['mail'][0] +user_full_name = result['result']['givenname'][0] + " " + result['result']['sn'][0] +print(result) +print(f"user_email: {user_email}") +print(f"user_full_name: {user_full_name}") diff --git a/client_software/0020_nextcloud_mozilla_pre/user_run.sh b/client_software/0020_nextcloud_mozilla_pre/user_run.sh index b266be2..5fee70d 100755 --- a/client_software/0020_nextcloud_mozilla_pre/user_run.sh +++ b/client_software/0020_nextcloud_mozilla_pre/user_run.sh @@ -4,6 +4,7 @@ # # Will prepare local mozilla and thunderbird folders with given tar.files # +import re import sys import subprocess import certifi @@ -11,6 +12,8 @@ import tarfile import shutil import os from os import environ +#see FreeIPA APIs: https://freeipa.readthedocs.io/en/latest/api/basic_usage.html +from ipalib import api # See https://pypi.org/project/webdavclient3/ # needs pip install webdavclient3 from webdav3.client import Client @@ -78,6 +81,7 @@ if 'PROFILE_FIREFOX_SRC' in environ: # Check and setup mozilla #Next sync will be executed by logon script #Thunderbird first profile setup +tb_profile_dir = environ['PROFILE_TB_DST'] + "/default" if 'PROFILE_TB_SRC' in environ: # Check and setup mozilla pathstr = environ['PROFILE_TB_SRC'] + "/default" if not client.check(pathstr): 
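Review bot: `print(result)` writes the complete FreeIPA user record to stdout, which is more than the two values this helper derives, and the entry ends up in whatever captures that output. Printing only `user_email` and `user_full_name` is enough to confirm that the API call works. The lookups `result['result']['mail'][0]` and `result['result']['givenname'][0]` raise KeyError for an entry without those attributes, so `result['result'].get('mail', [None])[0]` plus an explicit message would give a clearer failure. The file has a python3 shebang but a `.sh` name; a one-line comment at the top saying so would avoid confusion.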
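Review bot: The unconditional `from ipalib import api` at the top of user_run.sh makes the whole script fail with ImportError when python3-ipaclient is missing, including the Firefox and Thunderbird profile setup that does not need IPA. The matching check added in the system_setup/logon_script.sh hunk only echoes an error and carries on, so that state is reachable. Importing inside the mail-provisioning block, wrapped in `try: from ipalib import api` / `except ImportError:` with a printed skip message, keeps the optional feature optional. The error message in logon_script.sh would also be better sent to stderr with `>&2`.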
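Review bot: `tb_profile_dir = environ['PROFILE_TB_DST'] + "/default"` now runs unconditionally at module level, so a configuration without PROFILE_TB_DST raises KeyError here, before the `'PROFILE_TB_DST' in environ` guard that the new mail-provisioning block relies on. In the lines shown, the variable was previously read only inside `if 'PROFILE_TB_SRC' in environ:`. Use `environ.get('PROFILE_TB_DST')` and test for `None`, or move the assignment inside the guarded blocks. The later block rebuilds the same path by hand for `prefs_path` and could reuse `tb_profile_dir`.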
@@ -93,8 +97,8 @@ if 'PROFILE_TB_SRC' in environ: # Check and setup mozilla client.execute_request("mkdir", "/" + pathstr) print("Done.") #Check and create local Folder - if not os.path.exists(environ['PROFILE_TB_DST'] + "/default"): - os.makedirs(environ['PROFILE_TB_DST'] + "/default") + if not os.path.exists(tb_profile_dir): + os.makedirs(tb_profile_dir) #First sync to initialise sync-db print("Call " + environ['SYSCONFIGPATH'] + "/system_setup/mozilla_starter.sh thunderbird sync") retstr = subprocess.call(['sh', environ['SYSCONFIGPATH'] + '/system_setup/mozilla_starter.sh', 'thunderbird', 'sync']) 
@@ -106,4 +110,90 @@ if 'PROFILE_TB_SRC' in environ: # Check and setup mozilla print("Done.") #Next sync will be executed by logon script +# Check and auto-provision IMAP account for DAVTOKEN_USER@TLDOMAIN in Thunderbird +if ('PROFILE_TB_DST' in environ and 'TLDOMAIN' in environ and + 'SERVERFQDN_IMAP' in environ and 'DAVTOKEN_USER' in environ): + prefs_path = environ['PROFILE_TB_DST'] + "/default/prefs.js" + imap_host = environ['SERVERFQDN_IMAP'] + account_name = environ['DAVTOKEN_USER'] + "@" + environ['TLDOMAIN'] + + #Call IPA api to get the Values + api.bootstrap(context="cli", in_server=False) + api.finalize() + api.Backend.rpcclient.connect() + api_userinfo = api.Command.user_show(environ['DAVTOKEN_USER']) + user_full_name = api_userinfo['result']['givenname'][0] + " " + api_userinfo['result']['sn'][0] + user_email = api_userinfo['result']['mail'][0] + + if not os.path.exists(prefs_path): + print("Thunderbird prefs.js not found, skipping mail account setup.") + else: + with open(prefs_path, 'r') as f: + prefs = f.read() + + account_exists = bool(re.search( + r'mail\.server\.server\d+\.userName",\s*"' + re.escape(account_name) + '"', + prefs + )) + if account_exists: + print(f"Thunderbird IMAP account {account_name} already configured.") + else: + print(f"Adding Thunderbird IMAP account {account_name} ...") + + server_nums = [int(x) for x in re.findall(r'mail\.server\.server(\d+)\.type', prefs)] + account_nums = [int(x) for x in re.findall(r'mail\.account\.account(\d+)\.server', prefs)] + id_nums = [int(x) for x in re.findall(r'mail\.identity\.id(\d+)\.useremail', prefs)] + + ns = (max(server_nums) + 1) if server_nums else 1 + na = (max(account_nums) + 1) if account_nums else 1 + ni = (max(id_nums) + 1) if id_nums else 1 + sn, an, idn = f"server{ns}", f"account{na}", f"id{ni}" + + new_lines = [ + f'user_pref("mail.server.{sn}.check_new_mail", true);', + f'user_pref("mail.server.{sn}.cleanup_inbox_on_exit", true);', + f'user_pref("mail.server.{sn}.directory", 
"{tb_profile_dir}/ImapMail/{imap_host}");', + f'user_pref("mail.server.{sn}.directory-rel", "[ProfD]ImapMail/{imap_host}");', + f'user_pref("mail.server.{sn}.hostname", "{imap_host}");', + f'user_pref("mail.server.{sn}.login_at_startup", true);', + f'user_pref("mail.server.{sn}.max_cached_connections", 5);', + f'user_pref("mail.server.{sn}.name", "{account_name}");', + f'user_pref("mail.server.{sn}.port", 993);', + f'user_pref("mail.server.{sn}.socketType", 3);', + f'user_pref("mail.server.{sn}.storeContractID", "@mozilla.org/msgstore/maildirstore;1");', + f'user_pref("mail.server.{sn}.timeout", 29);', + f'user_pref("mail.server.{sn}.trash_folder_name", "Trash");', + f'user_pref("mail.server.{sn}.type", "imap");', + f'user_pref("mail.server.{sn}.userName", "{environ["DAVTOKEN_USER"]}");', + f'user_pref("mail.identity.{idn}.draft_folder", "imap://{environ["DAVTOKEN_USER"]}@{imap_host}/Drafts");', + f'user_pref("mail.identity.{idn}.drafts_folder_picker_mode", "0");', + f'user_pref("mail.identity.{idn}.fcc_folder", "imap://{environ["DAVTOKEN_USER"]}@{imap_host}/Sent");', + f'user_pref("mail.identity.{idn}.fcc_folder_picker_mode", "0");', + f'user_pref("mail.identity.{idn}.fullName", "{user_full_name}");', + f'user_pref("mail.identity.{idn}.reply_on_top", 1);', + f'user_pref("mail.identity.{idn}.stationery_folder", "imap://{environ["DAVTOKEN_USER"]}@{imap_host}/Templates");', + f'user_pref("mail.identity.{idn}.tmpl_folder_picker_mode", "0");', + f'user_pref("mail.identity.{idn}.useremail", "{user_email}");', + f'user_pref("mail.identity.{idn}.valid", true);', + f'user_pref("mail.account.{an}.identities", "{idn}");', + f'user_pref("mail.account.{an}.server", "{sn}");', + ] + + # Append account to mail.accountmanager.accounts + m = re.search(r'(mail\.accountmanager\.accounts",\s*")([^"]+)(")', prefs) + if m: + prefs = prefs[:m.start(2)] + m.group(2) + ',' + an + prefs[m.end(2):] + else: + new_lines.append(f'user_pref("mail.accountmanager.accounts", "{an}");') + + # 
Update mail.account.lastKey + m = re.search(r'(mail\.account\.lastKey",\s*)(\d+)', prefs) + if m: + prefs = prefs[:m.start(2)] + str(max(int(m.group(2)), na)) + prefs[m.end(2):] + + prefs = prefs.rstrip('\n') + '\n' + '\n'.join(new_lines) + '\n' + with open(prefs_path, 'w') as f: + f.write(prefs) + print(f"Thunderbird IMAP account {account_name} added successfully.") + sys.exit(0) diff --git a/client_software/0110_nextcloud_talk_app/user_run.sh b/client_software/0110_nextcloud_talk_app/user_run.sh index 5314e80..12f7f57 100755 --- a/client_software/0110_nextcloud_talk_app/user_run.sh +++ b/client_software/0110_nextcloud_talk_app/user_run.sh @@ -5,6 +5,11 @@ if [[ $? -eq 0 ]]; then /usr/bin/flatpak uninstall -y --user com.nextcloud.talk fi +# Ensure session bus and KWallet D-Bus access (may be blocked by Flatseal or missing from manifest) +/usr/bin/flatpak override --user --socket=session-bus \ + --talk-name=org.kde.kwalletd5 --talk-name=org.kde.kwalletd6 \ + com.nextcloud.talk + # Start Nextcloud Talk in Background #Current Version of Talk is dumping Core echo "Starting Nextcloud Talk in Background." diff --git a/config/setup_system.conf.dist b/config/setup_system.conf.dist index 8c04d4a..6cb1fcd 100644 --- a/config/setup_system.conf.dist +++ b/config/setup_system.conf.dist @@ -77,6 +77,9 @@ if [ "$EUID" -ne 0 ]; then #Thunderbird Profiles export PROFILE_TB_SRC="mozilla_profiles/thunderbird" export PROFILE_TB_DST="${DECRYPTEDDATADIR}/thunderbird" + + # Mail account auto-provisioning for DAVTOKEN_USER@TLDOMAIN in Thunderbird + export SERVERFQDN_IMAP="imap.${TLDOMAIN}" # IMAP server hostname (e.g. imap.strato.de) fi #Basic commons not needing change diff --git a/system_setup/logon_script.sh b/system_setup/logon_script.sh index 3dad6b2..a2431cb 100755 --- a/system_setup/logon_script.sh +++ b/system_setup/logon_script.sh 
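Review bot: Every string value in `new_lines` is pasted into a `user_pref("…", "…")` literal unescaped, including `user_full_name` and `user_email` from the FreeIPA record and `imap_host` and `DAVTOKEN_USER` from the environment, so a double quote, backslash or line break in any of them corrupts prefs.js or adds preference lines the script never intended. Route those values through one quoting helper that backslash-escapes `"` and `\` and rejects control characters, as sketched below. Separately, the `account_exists` search looks for a userName equal to `account_name` (DAVTOKEN_USER@TLDOMAIN), while the line written to `mail.server.{sn}.userName` is DAVTOKEN_USER alone, so the check appears never to match an account this code created and each run would append another one. The IPA lookup also runs before the prefs.js existence check, so a missing ticket or a missing `mail` attribute aborts the script even when nothing would be written.

```python
def _pref_str(value):
    """Return value as a quoted prefs.js string literal."""
    text = str(value)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7f for ch in text):
        raise ValueError("control character in Thunderbird pref value")
    return '"' + text.replace('\\', '\\\\').replace('"', '\\"') + '"'

# … unchanged: environment checks, IPA lookup, prefs.js read …
        account_exists = bool(re.search(
            r'mail\.server\.server\d+\.userName",\s*"' + re.escape(environ['DAVTOKEN_USER']) + '"',
            prefs
        ))
# … unchanged: numbering of server/account/identity keys …
            new_lines = [
                # … unchanged: boolean and integer prefs …
                f'user_pref("mail.server.{sn}.hostname", {_pref_str(imap_host)});',
                f'user_pref("mail.server.{sn}.name", {_pref_str(account_name)});',
                f'user_pref("mail.identity.{idn}.fullName", {_pref_str(user_full_name)});',
                f'user_pref("mail.identity.{idn}.useremail", {_pref_str(user_email)});',
                # … the remaining string-valued prefs take _pref_str() the same way …
            ]
```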
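Review bot: `--socket=session-bus` gives the Talk sandbox unfiltered access to the entire user session bus, which makes the two `--talk-name` grants redundant and removes the D-Bus filtering Flatpak applies by default. If KWallet access is the goal, the narrower `/usr/bin/flatpak override --user --talk-name=org.kde.kwalletd5 --talk-name=org.kde.kwalletd6 com.nextcloud.talk` should be enough and is worth testing first. The override is persistent per user and is re-applied on every run, so the comment should record which failure made the wider permission necessary if it has to stay.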
@@ -18,11 +18,18 @@ if [ "$EUID" -eq 0 ]; then fi #Check for needed python-modules +#For WEBDAV python -c "import webdav3">/dev/null 2>&1 if [[ $? -ne 0 ]]; then echo "Installing pip module webdav3" pip install webdavclient3>/dev/null fi +#For IPA (system package python3-ipaclient, cannot be pip-installed) +python -c "import ipalib">/dev/null 2>&1 +if [[ $? -ne 0 ]]; then + echo "Error: python3-ipaclient is not installed. Please install it via: sudo dnf install python3-ipaclient" +fi + #TODO C: Check if Desktop is KDE/Plasma and support other Displays # Make kdesu use sudo