summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 17:36:49 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 17:36:49 +0000
commit35283b11095f157c99b0e5dcd115de15fe61d3a4 (patch)
treef9673e8aa4515bd1d93fd3ae7ed6f6f795e4db27 /debian/patches
parentAdding upstream version 1:2.3.21+dfsg1. (diff)
downloaddovecot-35283b11095f157c99b0e5dcd115de15fe61d3a4.tar.xz
dovecot-35283b11095f157c99b0e5dcd115de15fe61d3a4.zip
Adding debian version 1:2.3.21+dfsg1-2.debian/1%2.3.21+dfsg1-2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/Avoid-usage-of-PATH_MAX-not-available-on-hurd.patch22
-rw-r--r--debian/patches/Cleanup-temporary-build-files.patch28
-rw-r--r--debian/patches/Correct-misspellings.patch138
-rw-r--r--debian/patches/Debug-flaky-unit-test.patch65
-rw-r--r--debian/patches/Fix-32bit-sign-comparisons.patch25
-rw-r--r--debian/patches/Fix-uninitialized-read-in-doveadm-oldstats.patch33
-rw-r--r--debian/patches/Improve-cross-compile-support.patch116
-rw-r--r--debian/patches/Silence-LTO-related-compiler-warning.patch28
-rw-r--r--debian/patches/Silence-prototype-conflicts.patch67
-rw-r--r--debian/patches/Support-openssl-3.0.patch45
-rw-r--r--debian/patches/Use-_FORTIFY_SOURCE-level-3.patch57
-rw-r--r--debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch22
-rw-r--r--debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch130
-rw-r--r--debian/patches/default-mail_location.patch35
-rw-r--r--debian/patches/doveadm-director.1-drop-acute-accent.patch46
-rw-r--r--debian/patches/dovecot_name.patch121
-rw-r--r--debian/patches/fix-mail_plugin_dir-default.patch24
-rw-r--r--debian/patches/mboxlocking.patch60
-rw-r--r--debian/patches/md4-md5-disable-optimization-causing-unaligned-access.patch51
-rw-r--r--debian/patches/series25
-rw-r--r--debian/patches/skip-rfc-subdir.patch47
-rw-r--r--debian/patches/split-protocols.patch56
-rw-r--r--debian/patches/ssl-cert-location.patch73
-rw-r--r--debian/patches/ssl-dh-params-location.patch24
-rw-r--r--debian/patches/tcpwrapper.patch45
-rw-r--r--debian/patches/test-backtrace.patch53
26 files changed, 1436 insertions, 0 deletions
diff --git a/debian/patches/Avoid-usage-of-PATH_MAX-not-available-on-hurd.patch b/debian/patches/Avoid-usage-of-PATH_MAX-not-available-on-hurd.patch
new file mode 100644
index 0000000..8d7f9a1
--- /dev/null
+++ b/debian/patches/Avoid-usage-of-PATH_MAX-not-available-on-hurd.patch
@@ -0,0 +1,22 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 6 Jun 2022 15:29:38 +0200
+Subject: Avoid usage of PATH_MAX not available on hurd
+
+Forwarded: https://github.com/dovecot/core/pull/208
+---
+ src/lib/test-net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/test-net.c b/src/lib/test-net.c
+index fb19d5b..28398fe 100644
+--- a/src/lib/test-net.c
++++ b/src/lib/test-net.c
+@@ -145,7 +145,7 @@ static void test_net_unix_long_paths(void)
+
+ test_begin("net_*_unix() - long paths");
+
+- char path[PATH_MAX];
++ char path[4096];
+ memset(path, 'x', sizeof(path)-1);
+ path[sizeof(path)-1] = '\0';
+
diff --git a/debian/patches/Cleanup-temporary-build-files.patch b/debian/patches/Cleanup-temporary-build-files.patch
new file mode 100644
index 0000000..288eb92
--- /dev/null
+++ b/debian/patches/Cleanup-temporary-build-files.patch
@@ -0,0 +1,28 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 14 Aug 2023 16:25:09 +0200
+Subject: Cleanup temporary build files
+
+Forwarded: https://github.com/dovecot/core/pull/207
+
+Support building twice:
+
+ dpkg-source: info: local changes detected, the modified files are:
+ source/src/plugins/quota/rquota.h.tmp
+ source/src/plugins/quota/rquota_xdr.c.tmp
+---
+ src/plugins/quota/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/quota/Makefile.am b/src/plugins/quota/Makefile.am
+index ad08d50..d8bd86d 100644
+--- a/src/plugins/quota/Makefile.am
++++ b/src/plugins/quota/Makefile.am
+@@ -127,7 +127,7 @@ clean-generic:
+ if [ "$(top_srcdir)" != "$(top_builddir)" ]; then \
+ rm -f $(top_builddir)/src/plugins/quota/rquota.x; \
+ fi; \
+- rm -f rquota_xdr.c rquota.h
++ rm -f rquota_xdr.c rquota_xdr.c.tmp rquota.h rquota.h.tmp
+
+ test_programs = \
+ test-quota-util
diff --git a/debian/patches/Correct-misspellings.patch b/debian/patches/Correct-misspellings.patch
new file mode 100644
index 0000000..5a01652
--- /dev/null
+++ b/debian/patches/Correct-misspellings.patch
@@ -0,0 +1,138 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sun, 31 May 2020 00:55:07 +0200
+Subject: Correct misspellings
+
+Found by Lintian
+---
+ ChangeLog | 6 +++---
+ NEWS | 2 +-
+ pigeonhole/src/lib-sieve/sieve-address.c | 2 +-
+ src/director/director-connection.c | 2 +-
+ src/lib-index/mail-index-transaction-finish.c | 2 +-
+ src/lib-index/mail-index.h | 2 +-
+ src/lib-index/mail-transaction-log-file.c | 2 +-
+ src/lib-storage/index/index-sync-pvt.c | 2 +-
+ 8 files changed, 10 insertions(+), 10 deletions(-)
+
+Index: dovecot/ChangeLog
+===================================================================
+--- dovecot.orig/ChangeLog
++++ dovecot/ChangeLog
+@@ -70625,7 +70625,7 @@ M src/lib-storage/index/index-mail.c
+ lib-index: Add mail_cache_close_mail() to smartly drop cached data with
+ INDEX=MEMORY
+
+- Instead of reseting the entire transaction buffer when 256 kB is reached,
++ Instead of resetting the entire transaction buffer when 256 kB is reached,
+ just drop mails have have been marked closed with mail_cache_close_mail().
+ If that's not enough, continue deleting forcibly until the buffer is below
+ 256 kB.
+@@ -90525,7 +90525,7 @@ M src/lib-storage/index/dbox-single/sdbo
+
+ 2016-09-21 20:50:24 +0300 Timo Sirainen <timo.sirainen@dovecot.fi> (2e5e2047af)
+
+- login-proxy: Fixed "Host is down" never reseting itself.
++ login-proxy: Fixed "Host is down" never resetting itself.
+
+ Broken by c8eb8314a, which moved adding num_waiting_connections earlier.
+ After that it was never 0 at the check time.
+@@ -107467,7 +107467,7 @@ M src/login-common/ssl-proxy-openssl.c
+
+ 2015-12-07 11:29:29 +0200 Timo Sirainen <tss@iki.fi> (975c2cdc1b)
+
+- doveadm: Fixed reseting getopt() with glibc when processing multiple
++ doveadm: Fixed resetting getopt() with glibc when processing multiple
+ commands in a single process. This means commands run with doveadm batch or
+ multiple commands in a single doveadm-server connection.
+
+Index: dovecot/NEWS
+===================================================================
+--- dovecot.orig/NEWS
++++ dovecot/NEWS
+@@ -2010,7 +2010,7 @@ v2.2.26 2016-10-27 Timo Sirainen <tss@i
+ - zlib, IMAP BINARY: Fixed internal caching when accessing multiple
+ newly created mails. They all had UID=0 and the next mail could have
+ wrongly used the previously cached mail.
+- - doveadm stats reset wasn't reseting all the stats.
++ - doveadm stats reset wasn't resetting all the stats.
+ - auth_stats=yes: Don't update num_logins, since it doubles them when
+ using with mail stats.
+ - quota count: Fixed deadlocks when updating vsize header.
+Index: dovecot/pigeonhole/src/lib-sieve/sieve-address.c
+===================================================================
+--- dovecot.orig/pigeonhole/src/lib-sieve/sieve-address.c
++++ dovecot/pigeonhole/src/lib-sieve/sieve-address.c
+@@ -449,7 +449,7 @@ parse_mailbox_address(struct sieve_messa
+ if (ctx->parser.data != ctx->parser.end) {
+ if (*ctx->parser.data == ',') {
+ sieve_address_error(
+- ctx, "not a single addres (found ',')");
++ ctx, "not a single address (found ',')");
+ } else {
+ sieve_address_error(
+ ctx, "address ends in invalid characters");
+Index: dovecot/src/director/director-connection.c
+===================================================================
+--- dovecot.orig/src/director/director-connection.c
++++ dovecot/src/director/director-connection.c
+@@ -896,7 +896,7 @@ static bool director_cmd_director(struct
+
+ /* already have this. just reset its last_network_failure
+ timestamp, since it might be up now, but only if this
+- isn't part of the handshake. (if it was, reseting the
++ isn't part of the handshake. (if it was, resetting the
+ timestamp could cause us to rapidly keep trying to connect
+ to it) */
+ if (conn->handshake_received)
+Index: dovecot/src/lib-index/mail-index-transaction-finish.c
+===================================================================
+--- dovecot.orig/src/lib-index/mail-index-transaction-finish.c
++++ dovecot/src/lib-index/mail-index-transaction-finish.c
+@@ -53,7 +53,7 @@ ext_reset_update_atomic(struct mail_inde
+
+ array_idx_set(&t->ext_reset_ids, ext_id, &reset_id);
+
+- /* reseting existing data is optional */
++ /* resetting existing data is optional */
+ if (array_is_created(&t->ext_resets)) {
+ reset = array_idx_modifiable(&t->ext_resets, ext_id);
+ if (reset->new_reset_id == (uint32_t)-1)
+Index: dovecot/src/lib-index/mail-index.h
+===================================================================
+--- dovecot.orig/src/lib-index/mail-index.h
++++ dovecot/src/lib-index/mail-index.h
+@@ -384,7 +384,7 @@ void mail_index_set_lock_method(struct m
+ use the default. */
+ void mail_index_set_optimization_settings(struct mail_index *index,
+ const struct mail_index_optimization_settings *set);
+-/* When creating a new index file or reseting an existing one, add the given
++/* When creating a new index file or resetting an existing one, add the given
+ extension header data immediately to it. */
+ void mail_index_set_ext_init_data(struct mail_index *index, uint32_t ext_id,
+ const void *data, size_t size);
+Index: dovecot/src/lib-index/mail-transaction-log-file.c
+===================================================================
+--- dovecot.orig/src/lib-index/mail-transaction-log-file.c
++++ dovecot/src/lib-index/mail-transaction-log-file.c
+@@ -760,7 +760,7 @@ mail_transaction_log_file_create2(struct
+ return -1;
+
+ if (reset) {
+- /* don't reset modseqs. if we're reseting due to rebuilding
++ /* don't reset modseqs. if we're resetting due to rebuilding
+ indexes we'll probably want to keep uidvalidity and in such
+ cases we really don't want to shrink modseqs. */
+ file->hdr.prev_file_seq = 0;
+Index: dovecot/src/lib-storage/index/index-sync-pvt.c
+===================================================================
+--- dovecot.orig/src/lib-storage/index/index-sync-pvt.c
++++ dovecot/src/lib-storage/index/index-sync-pvt.c
+@@ -185,7 +185,7 @@ index_mailbox_sync_pvt_index(struct inde
+ } else {
+ /* mailbox created/recreated */
+ reset = TRUE;
+- i_info("Mailbox %s UIDVALIDITY changed (%u -> %u), reseting private index",
++ i_info("Mailbox %s UIDVALIDITY changed (%u -> %u), resetting private index",
+ ctx->box->vname, hdr_pvt->uid_validity,
+ hdr_shared->uid_validity);
+ }
diff --git a/debian/patches/Debug-flaky-unit-test.patch b/debian/patches/Debug-flaky-unit-test.patch
new file mode 100644
index 0000000..a30e596
--- /dev/null
+++ b/debian/patches/Debug-flaky-unit-test.patch
@@ -0,0 +1,65 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 6 Jun 2022 17:24:19 +0200
+Subject: Debug flaky unit test
+
+See #1007744
+---
+ src/lib-smtp/test-smtp-server-errors.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib-smtp/test-smtp-server-errors.c b/src/lib-smtp/test-smtp-server-errors.c
+index d3e528c..5240d30 100644
+--- a/src/lib-smtp/test-smtp-server-errors.c
++++ b/src/lib-smtp/test-smtp-server-errors.c
+@@ -3712,13 +3712,14 @@ static void server_connection_accept(void *context ATTR_UNUSED)
+
+ static void test_server_timeout(void *context ATTR_UNUSED)
+ {
+- i_fatal("Server timed out");
++ i_fatal("Server timed out [current_ioloop=%p ioloop=%p]", current_ioloop, ioloop);
+ }
+
+ static void test_server_run(const struct smtp_server_settings *smtp_set)
+ {
+ struct timeout *to;
+
++ i_debug("Adding timeout to server [current_ioloop=%p ioloop=%p]", current_ioloop, ioloop);
+ to = timeout_add(SERVER_MAX_TIMEOUT_MSECS,
+ test_server_timeout, NULL);
+
+@@ -3729,8 +3730,7 @@ static void test_server_run(const struct smtp_server_settings *smtp_set)
+
+ io_loop_run(ioloop);
+
+- if (debug)
+- i_debug("Server finished");
++ i_debug("Server finished [current_ioloop=%p ioloop=%p]", current_ioloop, ioloop);
+
+ /* close server socket */
+ io_remove(&io_listen);
+@@ -3770,9 +3770,12 @@ static int test_run_client(struct test_client_data *data)
+ /* wait a little for server setup */
+ i_sleep_msecs(100);
+
++ i_debug("test_run_client: pre create [current_ioloop=%p ioloop=%p]", current_ioloop, ioloop);
+ ioloop = io_loop_create();
++ i_debug("test_run_client: post create [current_ioloop=%p ioloop=%p]", current_ioloop, ioloop);
+ data->client_test(data->index);
+ io_loop_destroy(&ioloop);
++ i_debug("test_run_client: post destroy [current_ioloop=%p ioloop=%p]", current_ioloop, ioloop);
+
+ if (debug)
+ i_debug("Terminated");
+@@ -3794,9 +3797,12 @@ test_run_server(const struct smtp_server_settings *server_set,
+ i_zero(&server_callbacks);
+
+ server_pending = client_tests_count;
++ i_debug("test_run_server: pre create [current_ioloop=%p ioloop=%p]", current_ioloop, ioloop);
+ ioloop = io_loop_create();
++ i_debug("test_run_server: post create [current_ioloop=%p ioloop=%p]", current_ioloop, ioloop);
+ server_test(server_set);
+ io_loop_destroy(&ioloop);
++ i_debug("test_run_server: post destroy create [current_ioloop=%p ioloop=%p]", current_ioloop, ioloop);
+
+ if (debug)
+ i_debug("Terminated");
diff --git a/debian/patches/Fix-32bit-sign-comparisons.patch b/debian/patches/Fix-32bit-sign-comparisons.patch
new file mode 100644
index 0000000..4cf271e
--- /dev/null
+++ b/debian/patches/Fix-32bit-sign-comparisons.patch
@@ -0,0 +1,25 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 4 Jan 2021 16:06:43 +0100
+Subject: Fix 32bit sign comparisons
+
+sieve-binary.c: In function 'sieve_binary_get_resource_usage':
+sieve-binary.c:199:54: warning: comparison of integer expressions of different signedness: 'time_t' {aka 'long int'} and 'unsigned int' [-Wsign-compare]
+ 199 | if (update_time != 0 && (ioloop_time - update_time) > timeout)
+ | ^
+---
+ pigeonhole/src/lib-sieve/sieve-binary.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pigeonhole/src/lib-sieve/sieve-binary.c b/pigeonhole/src/lib-sieve/sieve-binary.c
+index 06cf598..c971921 100644
+--- a/pigeonhole/src/lib-sieve/sieve-binary.c
++++ b/pigeonhole/src/lib-sieve/sieve-binary.c
+@@ -196,7 +196,7 @@ void sieve_binary_get_resource_usage(struct sieve_binary *sbin,
+ time_t update_time = header->resource_usage.update_time;
+ unsigned int timeout = sbin->svinst->resource_usage_timeout_secs;
+
+- if (update_time != 0 && (ioloop_time - update_time) > timeout)
++ if (update_time != 0 && (ioloop_time - update_time) > (time_t)timeout)
+ i_zero(&header->resource_usage);
+
+ sieve_resource_usage_init(rusage_r);
diff --git a/debian/patches/Fix-uninitialized-read-in-doveadm-oldstats.patch b/debian/patches/Fix-uninitialized-read-in-doveadm-oldstats.patch
new file mode 100644
index 0000000..ff85b51
--- /dev/null
+++ b/debian/patches/Fix-uninitialized-read-in-doveadm-oldstats.patch
@@ -0,0 +1,33 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 23 Jul 2022 16:38:23 +0200
+Subject: Fix uninitialized read in doveadm-oldstats
+
+The third argument to doveadm_cmd_param_bool() is only set on a return
+value of TRUE.
+Since disk_input_field and disk_output_field should be set if the value
+of show-disk-io is specified and specified to true, fix the condition.
+
+ doveadm-oldstats.c: In function 'cmd_stats_top':
+ doveadm-oldstats.c:551:63: warning: 'b' may be used uninitialized [-Wmaybe-uninitialized]
+ 551 | if (!doveadm_cmd_param_bool(cctx, "show-disk-io", &b) && b) {
+ | ^
+ doveadm-oldstats.c:545:14: note: 'b' was declared here
+ 545 | bool b;
+ | ^
+---
+ src/doveadm/doveadm-oldstats.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/doveadm/doveadm-oldstats.c b/src/doveadm/doveadm-oldstats.c
+index 4be575e..ff6dcf5 100644
+--- a/src/doveadm/doveadm-oldstats.c
++++ b/src/doveadm/doveadm-oldstats.c
+@@ -548,7 +548,7 @@ static void cmd_stats_top(struct doveadm_cmd_context *cctx)
+ path = t_strconcat(doveadm_settings->base_dir,
+ "/old-stats", NULL);
+ }
+- if (!doveadm_cmd_param_bool(cctx, "show-disk-io", &b) && b) {
++ if (doveadm_cmd_param_bool(cctx, "show-disk-io", &b) && b) {
+ disk_input_field = "read_bytes";
+ disk_output_field = "write_bytes";
+ }
diff --git a/debian/patches/Improve-cross-compile-support.patch b/debian/patches/Improve-cross-compile-support.patch
new file mode 100644
index 0000000..708336f
--- /dev/null
+++ b/debian/patches/Improve-cross-compile-support.patch
@@ -0,0 +1,116 @@
+From: Helmut Grohne <helmut@subdivi.de>
+Date: Tue, 5 Jan 2021 22:25:00 +0100
+Subject: Improve cross-compile support
+
+The check for the signedness of size_t really doesn't have to be run as
+that is a compile time property.
+
+Beyond that, dovecot uses mysql_config. I've looked into that and
+mysql_config is unfixably broken during cross builds. It will not be
+fixed. Instead, please use pkg-config. My patch implements that with a
+fallback to mysql_config to avoid breaking other users.
+
+Last but not least, src/lib-lua/Makefile.am adds $(LUA_LIBS) to
+libdovecot_lua_la_DEPENDENCIES. As it happens, LUA_LIBS contains a -L
+flag and when that flag shows up in a dependency, make gives up. I have
+no clue why one would add LUA_LIBS to DEPENDENCIES as it already is
+being correctly added to LIBADD. My patch suggests to quite simply drop
+that.
+---
+ m4/want_mysql.m4 | 54 ++++++++++++++++++++++++-------------------------
+ src/lib-lua/Makefile.am | 4 +---
+ 2 files changed, 27 insertions(+), 31 deletions(-)
+
+diff --git a/m4/want_mysql.m4 b/m4/want_mysql.m4
+index 98e6f93..425bcdd 100644
+--- a/m4/want_mysql.m4
++++ b/m4/want_mysql.m4
+@@ -1,26 +1,28 @@
+ AC_DEFUN([DOVECOT_WANT_MYSQL], [
+ have_mysql=no
+- if test $want_mysql != no; then
+- AC_CHECK_PROG(MYSQL_CONFIG, mysql_config, mysql_config, NO)
+- if test $MYSQL_CONFIG = NO; then
+- # based on code from PHP
+- MYSQL_LIBS="-lmysqlclient -lz -lm"
+- for i in /usr /usr/local /usr/local/mysql; do
+- for j in include include/mysql ""; do
+- if test -r "$i/$j/mysql.h"; then
+- MYSQL_INCLUDE="-I$i/$j"
+- fi
+- done
+- for j in lib lib/mysql lib64 lib64/mysql ""; do
+- if test -f "$i/$j/libmysqlclient.so" || test -f "$i/$j/libmysqlclient.a"; then
+- MYSQL_LIBS="-L$i/$j -lmysqlclient -lz -lm"
+- fi
+- done
+- done
+- else
+- MYSQL_INCLUDE="`$MYSQL_CONFIG --include`"
+- MYSQL_LIBS="`$MYSQL_CONFIG --libs`"
+- fi
++ AS_IF([test $want_mysql != no],[
++ PKG_CHECK_MODULES([MYSQL],[mysqlclient],,[
++ AC_CHECK_PROG(MYSQL_CONFIG, mysql_config, mysql_config, NO)
++ if test $MYSQL_CONFIG = NO; then
++ # based on code from PHP
++ MYSQL_LIBS="-lmysqlclient -lz -lm"
++ for i in /usr /usr/local /usr/local/mysql; do
++ for j in include include/mysql ""; do
++ if test -r "$i/$j/mysql.h"; then
++ MYSQL_CFLAGS="-I$i/$j"
++ fi
++ done
++ for j in lib lib/mysql lib64 lib64/mysql ""; do
++ if test -f "$i/$j/libmysqlclient.so" || test -f "$i/$j/libmysqlclient.a"; then
++ MYSQL_LIBS="-L$i/$j -lmysqlclient -lz -lm"
++ fi
++ done
++ done
++ else
++ MYSQL_CFLAGS="`$MYSQL_CONFIG --include`"
++ MYSQL_LIBS="`$MYSQL_CONFIG --libs`"
++ fi
++ ])
+
+ old_LIBS=$LIBS
+ if test "$MYSQL_LIBS" != ""; then
+@@ -31,14 +33,10 @@ AC_DEFUN([DOVECOT_WANT_MYSQL], [
+ LIBS="$LIBS -lz -lm"
+ AC_CHECK_LIB(mysqlclient, mysql_init, [
+ old_CPPFLAGS=$CPPFLAGS
+- if test "$MYSQL_INCLUDE" != ""; then
+- CPPFLAGS="$CPPFLAGS $MYSQL_INCLUDE"
++ if test "$MYSQL_CFLAGS" != ""; then
++ CPPFLAGS="$CPPFLAGS $MYSQL_CFLAGS"
+ fi
+ AC_CHECK_HEADER(mysql.h, [
+- if test "$MYSQL_INCLUDE" != ""; then
+- MYSQL_CFLAGS="$MYSQL_CFLAGS $MYSQL_INCLUDE"
+- fi
+-
+ AC_CHECK_LIB(mysqlclient, mysql_ssl_set, [
+ AC_DEFINE(HAVE_MYSQL_SSL,, [Define if your MySQL library has SSL functions])
+ if test "x$have_openssl" = "yes"; then
+@@ -85,5 +83,5 @@ AC_DEFUN([DOVECOT_WANT_MYSQL], [
+ MYSQL_CFLAGS=
+ fi
+ LIBS=$old_LIBS
+- fi
++ ])
+ ])
+diff --git a/src/lib-lua/Makefile.am b/src/lib-lua/Makefile.am
+index 20ce311..7d44e89 100644
+--- a/src/lib-lua/Makefile.am
++++ b/src/lib-lua/Makefile.am
+@@ -24,9 +24,7 @@ test_programs += test-dict-lua
+ endif
+
+ # Note: the only things this lib should depend on are libdovecot and lua.
+-libdovecot_lua_la_DEPENDENCIES = \
+- ../lib-dovecot/libdovecot.la \
+- $(LIBDICT_LUA)
++libdovecot_lua_la_DEPENDENCIES = ../lib-dovecot/libdovecot.la
+ libdovecot_lua_la_LIBADD = \
+ ../lib-dovecot/libdovecot.la \
+ $(LIBDICT_LUA) \
diff --git a/debian/patches/Silence-LTO-related-compiler-warning.patch b/debian/patches/Silence-LTO-related-compiler-warning.patch
new file mode 100644
index 0000000..c674492
--- /dev/null
+++ b/debian/patches/Silence-LTO-related-compiler-warning.patch
@@ -0,0 +1,28 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 21 Jun 2021 15:59:02 +0200
+Subject: Silence LTO related compiler warning
+
+master-service-settings-cache.c: In function 'master_service_settings_cache_init_filter':
+master-service-settings-cache.c:94:3: warning: 'error' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 94 | i_error("master-service: cannot get filters: %s", error);
+ | ^
+master-service-settings-cache.c:89:14: note: 'error' was declared here
+ 89 | const char *error;
+ | ^
+---
+ src/lib-master/master-service-settings-cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib-master/master-service-settings-cache.c b/src/lib-master/master-service-settings-cache.c
+index 11dd66b..d60f392 100644
+--- a/src/lib-master/master-service-settings-cache.c
++++ b/src/lib-master/master-service-settings-cache.c
+@@ -86,7 +86,7 @@ master_service_settings_cache_init(struct master_service *service,
+ int master_service_settings_cache_init_filter(struct master_service_settings_cache *cache)
+ {
+ const char *const *filters;
+- const char *error;
++ const char *error = NULL;
+
+ if (cache->filters != NULL)
+ return 0;
diff --git a/debian/patches/Silence-prototype-conflicts.patch b/debian/patches/Silence-prototype-conflicts.patch
new file mode 100644
index 0000000..2b5d77e
--- /dev/null
+++ b/debian/patches/Silence-prototype-conflicts.patch
@@ -0,0 +1,67 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 15 Sep 2023 14:08:56 +0200
+Subject: Silence prototype conflicts
+
+Forwarded: https://github.com/dovecot/core/pull/206
+
+ program-client.c:705:5: warning: conflicting types for 'program_client_run' due to enum/integer mismatch; have 'int(struct program_client *)' [-Wenum-int-mismatch]
+ 705 | int program_client_run(struct program_client *pclient)
+ | ^~~~~~~~~~~~~~~~~~
+ In file included from program-client-private.h:4,
+ from program-client.c:17:
+ program-client.h:93:1: note: previous declaration of 'program_client_run' with type 'enum program_client_exit_status(struct program_client *)'
+ 93 | program_client_run(struct program_client *pclient);
+ | ^~~~~~~~~~~~~~~~~~
+
+ db-lua.c:599:1: warning: conflicting types for 'auth_lua_call_password_verify' due to enum/integer mismatch; have 'enum passdb_result(struct dlua_script *, struct auth_request *, const char *, const char **)' [-Wenum-int-mismatch]
+ 599 | auth_lua_call_password_verify(struct dlua_script *script,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from db-lua.c:28:
+ db-lua.h:14:5: note: previous declaration of 'auth_lua_call_password_verify' with type 'int(struct dlua_script *, struct auth_request *, const char *, const char **)'
+ 14 | int auth_lua_call_password_verify(struct dlua_script *script,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+---
+ src/auth/db-lua.h | 7 ++++---
+ src/lib-program-client/program-client.c | 4 ++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/auth/db-lua.h b/src/auth/db-lua.h
+index ebb697a..cf859fb 100644
+--- a/src/auth/db-lua.h
++++ b/src/auth/db-lua.h
+@@ -11,9 +11,10 @@ struct dlua_script;
+
+ int auth_lua_script_init(struct dlua_script *script, const char **error_r);
+
+-int auth_lua_call_password_verify(struct dlua_script *script,
+- struct auth_request *req, const char *password,
+- const char **error_r);
++enum passdb_result
++auth_lua_call_password_verify(struct dlua_script *script,
++ struct auth_request *req, const char *password,
++ const char **error_r);
+
+ enum passdb_result
+ auth_lua_call_passdb_lookup(struct dlua_script *script,
+diff --git a/src/lib-program-client/program-client.c b/src/lib-program-client/program-client.c
+index c6c6ff6..cf55a6f 100644
+--- a/src/lib-program-client/program-client.c
++++ b/src/lib-program-client/program-client.c
+@@ -702,7 +702,7 @@ program_client_run_callback(int result, int *context)
+ io_loop_stop(current_ioloop);
+ }
+
+-int program_client_run(struct program_client *pclient)
++enum program_client_exit_status program_client_run(struct program_client *pclient)
+ {
+ int ret = -2;
+ struct ioloop *prev_ioloop = current_ioloop;
+@@ -722,7 +722,7 @@ int program_client_run(struct program_client *pclient)
+ io_loop_destroy(&ioloop);
+
+ if (pclient->error != PROGRAM_CLIENT_ERROR_NONE)
+- return -1;
++ return PROGRAM_CLIENT_EXIT_STATUS_INTERNAL_FAILURE;
+
+ return pclient->exit_status;
+ }
diff --git a/debian/patches/Support-openssl-3.0.patch b/debian/patches/Support-openssl-3.0.patch
new file mode 100644
index 0000000..8f39a7d
--- /dev/null
+++ b/debian/patches/Support-openssl-3.0.patch
@@ -0,0 +1,45 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 11 May 2022 20:27:53 +0200
+Author: Michal Hlavinka
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1962035
+Subject: Support openssl 3.0
+
+---
+ src/lib-dcrypt/dcrypt-openssl.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/lib-dcrypt/dcrypt-openssl.c b/src/lib-dcrypt/dcrypt-openssl.c
+index 1cbe352..5570d62 100644
+--- a/src/lib-dcrypt/dcrypt-openssl.c
++++ b/src/lib-dcrypt/dcrypt-openssl.c
+@@ -73,10 +73,30 @@
+ 2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
+ **/
+
++#if OPENSSL_VERSION_MAJOR == 3
++static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
++{
++ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
++ EVP_PKEY_set1_EC_KEY(key, eck);
++ EC_KEY_free(eck);
++ return eck;
++}
++
++static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
++{
++ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
++ EVP_PKEY_set1_EC_KEY(key, eck);
++ return eck;
++}
++
++#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3
++#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
++#else
+ #ifndef HAVE_EVP_PKEY_get0
+ #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
+ #define EVP_PKEY_get0_RSA(x) x->pkey.rsa
+ #endif
++#endif
+
+ #ifndef HAVE_OBJ_LENGTH
+ #define OBJ_length(o) ((o)->length)
diff --git a/debian/patches/Use-_FORTIFY_SOURCE-level-3.patch b/debian/patches/Use-_FORTIFY_SOURCE-level-3.patch
new file mode 100644
index 0000000..262de9a
--- /dev/null
+++ b/debian/patches/Use-_FORTIFY_SOURCE-level-3.patch
@@ -0,0 +1,57 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 22 Dec 2022 17:00:53 +0100
+Subject: Use _FORTIFY_SOURCE level 3
+
+---
+ m4/dovecot.m4 | 6 +++---
+ pigeonhole/m4/dovecot.m4 | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/m4/dovecot.m4 b/m4/dovecot.m4
+index 8092bf5..558aee4 100644
+--- a/m4/dovecot.m4
++++ b/m4/dovecot.m4
+@@ -9,7 +9,7 @@ dnl modifications, as long as this notice is preserved.
+ # serial 34
+
+ dnl
+-dnl Check for support for D_FORTIFY_SOURCE=2
++dnl Check for support for D_FORTIFY_SOURCE=3
+ dnl
+
+ AC_DEFUN([AC_CC_D_FORTIFY_SOURCE],[
+@@ -17,8 +17,8 @@ AC_DEFUN([AC_CC_D_FORTIFY_SOURCE],[
+ AS_IF([test "$enable_hardening" = yes], [
+ case "$host" in
+ *)
+- gl_COMPILER_OPTION_IF([-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2], [
+- CFLAGS="$CFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
++ gl_COMPILER_OPTION_IF([-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3], [
++ CFLAGS="$CFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"
+ ],
+ [],
+ [AC_LANG_PROGRAM()]
+diff --git a/pigeonhole/m4/dovecot.m4 b/pigeonhole/m4/dovecot.m4
+index 037d5e4..a3e0883 100644
+--- a/pigeonhole/m4/dovecot.m4
++++ b/pigeonhole/m4/dovecot.m4
+@@ -9,7 +9,7 @@ dnl modifications, as long as this notice is preserved.
+ # serial 34
+
+ dnl
+-dnl Check for support for D_FORTIFY_SOURCE=2
++dnl Check for support for D_FORTIFY_SOURCE=3
+ dnl
+
+ AC_DEFUN([AC_CC_D_FORTIFY_SOURCE],[
+@@ -17,8 +17,8 @@ AC_DEFUN([AC_CC_D_FORTIFY_SOURCE],[
+ AS_IF([test "$enable_hardening" = yes], [
+ case "$host" in
+ *)
+- gl_COMPILER_OPTION_IF([-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2], [
+- CFLAGS="$CFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
++ gl_COMPILER_OPTION_IF([-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3], [
++ CFLAGS="$CFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"
+ ],
+ [],
+ [AC_LANG_PROGRAM()]
diff --git a/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch b/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch
new file mode 100644
index 0000000..70a405f
--- /dev/null
+++ b/debian/patches/auth-Add-a-comment-about-updating-userdb_find.patch
@@ -0,0 +1,22 @@
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 16 May 2022 14:58:45 +0200
+Subject: auth: Add a comment about updating userdb_find()
+
+---
+ src/auth/userdb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/auth/userdb.c b/src/auth/userdb.c
+index 21751f9..c71a479 100644
+--- a/src/auth/userdb.c
++++ b/src/auth/userdb.c
+@@ -158,7 +158,8 @@ userdb_preinit(pool_t pool, const struct auth_userdb_settings *set)
+ userdb->id = ++auth_userdb_id;
+ userdb->iface = iface;
+ userdb->args = p_strdup(pool, set->args);
+-
++ /* NOTE: if anything else than driver & args are added here,
++ userdb_find() also needs to be updated. */
+ array_push_back(&userdb_modules, &userdb);
+ return userdb;
+ }
diff --git a/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch b/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
new file mode 100644
index 0000000..7f0dd36
--- /dev/null
+++ b/debian/patches/auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
@@ -0,0 +1,130 @@
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 9 May 2022 15:23:33 +0300
+Subject: auth: Fix handling passdbs with identical driver/args but different
+ mechanisms/username_filter
+
+The passdb was wrongly deduplicated in this situation, causing wrong
+mechanisms or username_filter setting to be used. This would be a rather
+unlikely configuration though.
+
+Fixed by moving mechanisms and username_filter from struct passdb_module
+to struct auth_passdb, which is where they should have been in the first
+place.
+---
+ src/auth/auth-request.c | 6 +++---
+ src/auth/auth.c | 18 ++++++++++++++++++
+ src/auth/auth.h | 5 +++++
+ src/auth/passdb.c | 15 ++-------------
+ src/auth/passdb.h | 4 ----
+ 5 files changed, 28 insertions(+), 20 deletions(-)
+
+diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
+index ee89e75..cd44cd4 100644
+--- a/src/auth/auth-request.c
++++ b/src/auth/auth-request.c
+@@ -553,8 +553,8 @@ auth_request_want_skip_passdb(struct auth_request *request,
+ struct auth_passdb *passdb)
+ {
+ /* if mechanism is not supported, skip */
+- const char *const *mechs = passdb->passdb->mechanisms;
+- const char *const *username_filter = passdb->passdb->username_filter;
++ const char *const *mechs = passdb->mechanisms;
++ const char *const *username_filter = passdb->username_filter;
+ const char *username;
+
+ username = request->fields.user;
+@@ -567,7 +567,7 @@ auth_request_want_skip_passdb(struct auth_request *request,
+ return TRUE;
+ }
+
+- if (passdb->passdb->username_filter != NULL &&
++ if (passdb->username_filter != NULL &&
+ !auth_request_username_accepted(username_filter, username)) {
+ auth_request_log_debug(request,
+ request->mech != NULL ? AUTH_SUBSYS_MECH
+diff --git a/src/auth/auth.c b/src/auth/auth.c
+index 845c43c..a5a4c81 100644
+--- a/src/auth/auth.c
++++ b/src/auth/auth.c
+@@ -93,6 +93,24 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *set,
+ auth_passdb->override_fields_tmpl =
+ passdb_template_build(auth->pool, set->override_fields);
+
++ if (*set->mechanisms == '\0') {
++ auth_passdb->mechanisms = NULL;
++ } else if (strcasecmp(set->mechanisms, "none") == 0) {
++ auth_passdb->mechanisms = (const char *const[]){ NULL };
++ } else {
++ auth_passdb->mechanisms =
++ (const char *const *)p_strsplit_spaces(auth->pool,
++ set->mechanisms, " ,");
++ }
++
++ if (*set->username_filter == '\0') {
++ auth_passdb->username_filter = NULL;
++ } else {
++ auth_passdb->username_filter =
++ (const char *const *)p_strsplit_spaces(auth->pool,
++ set->username_filter, " ,");
++ }
++
+ /* for backwards compatibility: */
+ if (set->pass)
+ auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
+diff --git a/src/auth/auth.h b/src/auth/auth.h
+index 3ca5a9b..6208e4d 100644
+--- a/src/auth/auth.h
++++ b/src/auth/auth.h
+@@ -41,6 +41,11 @@ struct auth_passdb {
+ struct passdb_template *default_fields_tmpl;
+ struct passdb_template *override_fields_tmpl;
+
++ /* Supported authentication mechanisms, NULL is all, {NULL} is none */
++ const char *const *mechanisms;
++ /* Username filter, NULL is no filter */
++ const char *const *username_filter;
++
+ enum auth_passdb_skip skip;
+ enum auth_db_rule result_success;
+ enum auth_db_rule result_failure;
+diff --git a/src/auth/passdb.c b/src/auth/passdb.c
+index 9bc2b87..d3c61cc 100644
+--- a/src/auth/passdb.c
++++ b/src/auth/passdb.c
+@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set)
+ passdb->id = ++auth_passdb_id;
+ passdb->iface = *iface;
+ passdb->args = p_strdup(pool, set->args);
+- if (*set->mechanisms == '\0') {
+- passdb->mechanisms = NULL;
+- } else if (strcasecmp(set->mechanisms, "none") == 0) {
+- passdb->mechanisms = (const char *const[]){NULL};
+- } else {
+- passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+- }
+-
+- if (*set->username_filter == '\0') {
+- passdb->username_filter = NULL;
+- } else {
+- passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,");
+- }
++ /* NOTE: if anything else than driver & args are added here,
++ passdb_find() also needs to be updated. */
+ array_push_back(&passdb_modules, &passdb);
+ return passdb;
+ }
+diff --git a/src/auth/passdb.h b/src/auth/passdb.h
+index b405aa7..8f50050 100644
+--- a/src/auth/passdb.h
++++ b/src/auth/passdb.h
+@@ -63,10 +63,6 @@ struct passdb_module {
+ /* Default password scheme for this module.
+ If default_cache_key is set, must not be NULL. */
+ const char *default_pass_scheme;
+- /* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+- const char *const *mechanisms;
+- /* Username filter, NULL is no filter */
+- const char *const *username_filter;
+
+ /* If blocking is set to TRUE, use child processes to access
+ this passdb. */
diff --git a/debian/patches/default-mail_location.patch b/debian/patches/default-mail_location.patch
new file mode 100644
index 0000000..eb10c53
--- /dev/null
+++ b/debian/patches/default-mail_location.patch
@@ -0,0 +1,35 @@
+From: "Jaldhar H. Vyas" <jaldhar@debian.org>
+Date: Fri, 16 Sep 2011 00:55:02 +0200
+Subject: default location for user mailboxes
+
+Bug: #623440
+Last-Update: 2017-09-20
+
+Set a default for the case where a user has no mail so auto-
+detection of mailboxes doesn't work.
+---
+ doc/example-config/conf.d/10-mail.conf | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/example-config/conf.d/10-mail.conf b/doc/example-config/conf.d/10-mail.conf
+index 24daa04..a69224f 100644
+--- a/doc/example-config/conf.d/10-mail.conf
++++ b/doc/example-config/conf.d/10-mail.conf
+@@ -27,7 +27,7 @@
+ #
+ # <doc/wiki/MailLocation.txt>
+ #
+-#mail_location =
++mail_location = mbox:~/mail:INBOX=/var/mail/%u
+
+ # If you need to set multiple mailbox locations or want to change default
+ # namespace settings, you can do it by defining namespace sections.
+@@ -111,7 +111,7 @@ namespace inbox {
+ # Group to enable temporarily for privileged operations. Currently this is
+ # used only with INBOX when either its initial creation or dotlocking fails.
+ # Typically this is set to "mail" to give access to /var/mail.
+-#mail_privileged_group =
++mail_privileged_group = mail
+
+ # Grant access to these supplementary groups for mail processes. Typically
+ # these are used to set up access to shared mailboxes. Note that it may be
diff --git a/debian/patches/doveadm-director.1-drop-acute-accent.patch b/debian/patches/doveadm-director.1-drop-acute-accent.patch
new file mode 100644
index 0000000..36ff84f
--- /dev/null
+++ b/debian/patches/doveadm-director.1-drop-acute-accent.patch
@@ -0,0 +1,46 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 14 Aug 2020 12:50:51 +0200
+Subject: doveadm-director.1: drop acute accent
+
+Found by Lintian:
+
+ This manual page uses the \' groff sequence. Usually, the intent to
+ generate an apostrophe, but that sequence actually renders as a an acute
+ accent.
+
+ For an apostrophe or a single closing quote, use plain '. For single
+ opening quote, i.e. a straight downward line ' like the one used in
+ shell commands, use &#92;(aq.
+---
+ doc/man/doveadm-director.1.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/doc/man/doveadm-director.1.in b/doc/man/doveadm-director.1.in
+index 2a2c688..4b1855f 100644
+--- a/doc/man/doveadm-director.1.in
++++ b/doc/man/doveadm-director.1.in
+@@ -108,7 +108,7 @@ hosts. All the existing connections will be kicked. If
+ is specified, a flush script is also automatically executed.
+ .PP
+ Because the kicking and moving of users to new backends creates a temporary
+-load spike, all the users aren\'t moved at once. The
++load spike, all the users aren't moved at once. The
+ .B \-\-max\-parallel
+ parameter specifies how many users can be moved concurrently.
+ The default is 100.
+@@ -116,7 +116,7 @@ The default is 100.
+ If the
+ .B \-F
+ parameter is used, the user associations are simply dropped. Existing
+-connections won\'t be kicked and flush scripts aren\'t run.
++connections won't be kicked and flush scripts aren't run.
+ .\"-------------------------------------
+ .SS director kick
+ .B doveadm director kick
+@@ -280,4 +280,4 @@ user would be redirected to 192.168.10.3.
+ @INCLUDE:reporting-bugs@
+ .\"------------------------------------------------------------------------
+ .SH SEE ALSO
+-.BR doveadm (1)
+\ No newline at end of file
++.BR doveadm (1)
diff --git a/debian/patches/dovecot_name.patch b/debian/patches/dovecot_name.patch
new file mode 100644
index 0000000..d9d6ebf
--- /dev/null
+++ b/debian/patches/dovecot_name.patch
@@ -0,0 +1,121 @@
+From: "Jaldhar H. Vyas" <jaldhar@debian.org>
+Date: Sat, 7 Sep 2013 01:16:14 -0400
+Subject: Update Dovecot name to include Distribution in login greeting
+ message
+
+This patch was found at: https://blueprints.launchpad.net/ubuntu/+spec/servercloud-s-server-app-banner-updates
+and originally provided by Ubuntu for their 2.1.7 package. The original
+author is Yolanda Robla <yolanda.robla@canonical.com>. I updated it
+for Debian's 2.2.5 package.
+
+Last-Update: 2020-05-23
+---
+ configure.ac | 7 ++++++-
+ src/config/all-settings.c | 6 +++---
+ src/lib-smtp/smtp-server.c | 2 +-
+ src/lmtp/lmtp-settings.c | 2 +-
+ src/login-common/login-settings.c | 2 +-
+ src/submission/submission-settings.c | 2 +-
+ 6 files changed, 13 insertions(+), 8 deletions(-)
+
+Index: dovecot/configure.ac
+===================================================================
+--- dovecot.orig/configure.ac
++++ dovecot/configure.ac
+@@ -287,7 +287,12 @@ AM_ICONV
+ # SIZE_MAX is missing without this
+ CXXFLAGS="$CXXFLAGS -D__STDC_LIMIT_MACROS"
+
+-AC_DEFINE_UNQUOTED(DOVECOT_NAME, "$PACKAGE_NAME", [Dovecot name])
++if test -x /usr/bin/lsb_release && lsb_release -si; then
++ DOVECOT_DISTRIBUTION=" ($(lsb_release -si))"
++else
++ DOVECOT_DISTRIBUTION=""
++fi
++AC_DEFINE_UNQUOTED(DOVECOT_NAME, "$PACKAGE_NAME$DOVECOT_DISTRIBUTION", [Dovecot name])
+ AC_DEFINE_UNQUOTED(DOVECOT_STRING, "$PACKAGE_STRING", [Dovecot string])
+ AC_DEFINE_UNQUOTED(DOVECOT_VERSION, "$PACKAGE_VERSION", [Dovecot version])
+
+Index: dovecot/src/config/all-settings.c
+===================================================================
+--- dovecot.orig/src/config/all-settings.c
++++ dovecot/src/config/all-settings.c
+@@ -2320,7 +2320,7 @@ static const struct submission_settings
+
+ .hostname = "",
+
+- .login_greeting = PACKAGE_NAME" ready.",
++ .login_greeting = DOVECOT_NAME" ready.",
+ .login_trusted_networks = "",
+
+ .recipient_delimiter = "+",
+@@ -4182,7 +4182,7 @@ static const struct setting_define login
+ static const struct login_settings login_default_settings = {
+ .login_trusted_networks = "",
+ .login_source_ips = "",
+- .login_greeting = PACKAGE_NAME" ready.",
++ .login_greeting = DOVECOT_NAME" ready.",
+ .login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c session=<%{session}>",
+ .login_log_format = "%$: %s",
+ .login_access_sockets = "",
+@@ -4396,7 +4396,7 @@ static const struct lmtp_settings lmtp_d
+
+ .lmtp_client_workarounds = "",
+
+- .login_greeting = PACKAGE_NAME" ready.",
++ .login_greeting = DOVECOT_NAME" ready.",
+ .login_trusted_networks = "",
+
+ .mail_plugins = "",
+Index: dovecot/src/lib-smtp/smtp-server.c
+===================================================================
+--- dovecot.orig/src/lib-smtp/smtp-server.c
++++ dovecot/src/lib-smtp/smtp-server.c
+@@ -49,7 +49,7 @@ struct smtp_server *smtp_server_init(con
+ if (set->login_greeting != NULL && *set->login_greeting != '\0')
+ server->set.login_greeting = p_strdup(pool, set->login_greeting);
+ else
+- server->set.login_greeting = PACKAGE_NAME" ready.";
++ server->set.login_greeting = DOVECOT_NAME" ready.";
+ if (set->capabilities == 0) {
+ server->set.capabilities = SMTP_SERVER_DEFAULT_CAPABILITIES;
+ } else {
+Index: dovecot/src/lmtp/lmtp-settings.c
+===================================================================
+--- dovecot.orig/src/lmtp/lmtp-settings.c
++++ dovecot/src/lmtp/lmtp-settings.c
+@@ -93,7 +93,7 @@ static const struct lmtp_settings lmtp_d
+
+ .lmtp_client_workarounds = "",
+
+- .login_greeting = PACKAGE_NAME" ready.",
++ .login_greeting = DOVECOT_NAME" ready.",
+ .login_trusted_networks = "",
+
+ .mail_plugins = "",
+Index: dovecot/src/login-common/login-settings.c
+===================================================================
+--- dovecot.orig/src/login-common/login-settings.c
++++ dovecot/src/login-common/login-settings.c
+@@ -51,7 +51,7 @@ static const struct setting_define login
+ static const struct login_settings login_default_settings = {
+ .login_trusted_networks = "",
+ .login_source_ips = "",
+- .login_greeting = PACKAGE_NAME" ready.",
++ .login_greeting = DOVECOT_NAME" ready.",
+ .login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c session=<%{session}>",
+ .login_log_format = "%$: %s",
+ .login_access_sockets = "",
+Index: dovecot/src/submission/submission-settings.c
+===================================================================
+--- dovecot.orig/src/submission/submission-settings.c
++++ dovecot/src/submission/submission-settings.c
+@@ -103,7 +103,7 @@ static const struct submission_settings
+
+ .hostname = "",
+
+- .login_greeting = PACKAGE_NAME" ready.",
++ .login_greeting = DOVECOT_NAME" ready.",
+ .login_trusted_networks = "",
+
+ .recipient_delimiter = "+",
diff --git a/debian/patches/fix-mail_plugin_dir-default.patch b/debian/patches/fix-mail_plugin_dir-default.patch
new file mode 100644
index 0000000..19c3d8d
--- /dev/null
+++ b/debian/patches/fix-mail_plugin_dir-default.patch
@@ -0,0 +1,24 @@
+From: Marco Nenciarini <mnencia@debian.org>
+Date: Fri, 16 Sep 2011 00:55:02 +0200
+Subject: fix mail_plugin_dir default
+
+Bug: #624294
+
+Fix mail_plugin_dir default value in conf.d/10-mail.conf
+---
+ doc/example-config/conf.d/10-mail.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/example-config/conf.d/10-mail.conf b/doc/example-config/conf.d/10-mail.conf
+index de48f92..24daa04 100644
+--- a/doc/example-config/conf.d/10-mail.conf
++++ b/doc/example-config/conf.d/10-mail.conf
+@@ -211,7 +211,7 @@ namespace inbox {
+ #auth_socket_path = /var/run/dovecot/auth-userdb
+
+ # Directory where to look up mail plugins.
+-#mail_plugin_dir = /usr/lib/dovecot
++#mail_plugin_dir = /usr/lib/dovecot/modules
+
+ # Space separated list of plugins to load for all services. Plugins specific to
+ # IMAP, LDA, etc. are added to this list in their own .conf files.
diff --git a/debian/patches/mboxlocking.patch b/debian/patches/mboxlocking.patch
new file mode 100644
index 0000000..8920a3a
--- /dev/null
+++ b/debian/patches/mboxlocking.patch
@@ -0,0 +1,60 @@
+From: "Jaldhar H. Vyas" <jaldhar@debian.org>
+Date: Thu, 22 Aug 2013 22:44:48 -0400
+Subject: policy 22.6 compliant mbox write locking
+
+For NFS safety, prefer fcntl to dotlocks.
+Dovecots default is the other way around.
+
+Bug: #720502
+---
+ doc/example-config/conf.d/10-mail.conf | 8 +++++++-
+ src/config/all-settings.c | 2 +-
+ src/lib-storage/index/mbox/mbox-settings.c | 2 +-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/doc/example-config/conf.d/10-mail.conf b/doc/example-config/conf.d/10-mail.conf
+index a69224f..b47235f 100644
+--- a/doc/example-config/conf.d/10-mail.conf
++++ b/doc/example-config/conf.d/10-mail.conf
+@@ -320,8 +320,14 @@ protocol !indexer-worker {
+ # in is important to avoid deadlocks if other MTAs/MUAs are using multiple
+ # locking methods as well. Some operating systems don't allow using some of
+ # them simultaneously.
++#
++# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
++# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
++# Dovecot: mbox_write_locks = dotlock fcntl
++# Debian: mbox_write_locks = fcntl dotlock
++#
+ #mbox_read_locks = fcntl
+-#mbox_write_locks = dotlock fcntl
++#mbox_write_locks = fcntl dotlock
+
+ # Maximum time to wait for lock (all of them) before aborting.
+ #mbox_lock_timeout = 5 mins
+diff --git a/src/config/all-settings.c b/src/config/all-settings.c
+index 391da6d..231100f 100644
+--- a/src/config/all-settings.c
++++ b/src/config/all-settings.c
+@@ -1239,7 +1239,7 @@ static const struct setting_define mbox_setting_defines[] = {
+ };
+ static const struct mbox_settings mbox_default_settings = {
+ .mbox_read_locks = "fcntl",
+- .mbox_write_locks = "dotlock fcntl",
++ .mbox_write_locks = "fcntl dotlock",
+ .mbox_lock_timeout = 5*60,
+ .mbox_dotlock_change_timeout = 2*60,
+ .mbox_min_index_size = 0,
+diff --git a/src/lib-storage/index/mbox/mbox-settings.c b/src/lib-storage/index/mbox/mbox-settings.c
+index 1df2452..b4eb520 100644
+--- a/src/lib-storage/index/mbox/mbox-settings.c
++++ b/src/lib-storage/index/mbox/mbox-settings.c
+@@ -27,7 +27,7 @@ static const struct setting_define mbox_setting_defines[] = {
+
+ static const struct mbox_settings mbox_default_settings = {
+ .mbox_read_locks = "fcntl",
+- .mbox_write_locks = "dotlock fcntl",
++ .mbox_write_locks = "fcntl dotlock",
+ .mbox_lock_timeout = 5*60,
+ .mbox_dotlock_change_timeout = 2*60,
+ .mbox_min_index_size = 0,
diff --git a/debian/patches/md4-md5-disable-optimization-causing-unaligned-access.patch b/debian/patches/md4-md5-disable-optimization-causing-unaligned-access.patch
new file mode 100644
index 0000000..1582b9e
--- /dev/null
+++ b/debian/patches/md4-md5-disable-optimization-causing-unaligned-access.patch
@@ -0,0 +1,51 @@
+From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 7 Dec 2021 13:01:10 +0100
+Subject: md4/md5: disable optimization causing unaligned access
+
+This restores unit tests with GCC 11 and LTO.
+
+ md5.c:92:23: warning: cast from 'const unsigned char *' to 'const uint32_t *' (aka 'const unsigned int *') increases required alignment from 1 to 4 [-Wcast-align]
+ STEP(F, a, b, c, d, SET(0), 0xd76aa478, 7)
+ ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
+ md5.c:51:4: note: expanded from macro 'SET'
+ (*(const uint32_t *)&ptr[(n) * 4])
+ ^
+ md5.c:37:29: note: expanded from macro 'STEP'
+ (a) += f((b), (c), (d)) + (x) + (t); \
+ ^
+
+ md5.c:92:3: runtime error: load of misaligned address 0x61900000008b for type 'const uint32_t' (aka 'const unsigned int'), which requires 4 byte alignment
+ 0x61900000008b: note: pointer points here
+ 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+ ^
+---
+ src/lib/md4.c | 2 +-
+ src/lib/md5.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/md4.c b/src/lib/md4.c
+index 06e3231..798292a 100644
+--- a/src/lib/md4.c
++++ b/src/lib/md4.c
+@@ -42,7 +42,7 @@
+ * memory accesses is just an optimization. Nothing will break if it
+ * doesn't work.
+ */
+-#if defined(__i386__) || defined(__x86_64__) || defined(__vax__)
++#if 0 //defined(__i386__) || defined(__x86_64__) || defined(__vax__)
+ /* uint_fast32_t might be 64 bit, and thus may read 4 more bytes
+ * beyond the end of the buffer. So only read precisely 32 bits
+ */
+diff --git a/src/lib/md5.c b/src/lib/md5.c
+index 6b5da6c..c605639 100644
+--- a/src/lib/md5.c
++++ b/src/lib/md5.c
+@@ -46,7 +46,7 @@
+ * memory accesses is just an optimization. Nothing will break if it
+ * doesn't work.
+ */
+-#if defined(__i386__) || defined(__x86_64__) || defined(__vax__)
++#if 0 //defined(__i386__) || defined(__x86_64__) || defined(__vax__)
+ #define SET(n) \
+ (*(const uint32_t *)&ptr[(n) * 4])
+ #define GET(n) \
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..3318c1a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,25 @@
+split-protocols.patch
+fix-mail_plugin_dir-default.patch
+ssl-cert-location.patch
+tcpwrapper.patch
+default-mail_location.patch
+mboxlocking.patch
+dovecot_name.patch
+ssl-dh-params-location.patch
+skip-rfc-subdir.patch
+Correct-misspellings.patch
+test-backtrace.patch
+doveadm-director.1-drop-acute-accent.patch
+Fix-32bit-sign-comparisons.patch
+Improve-cross-compile-support.patch
+Silence-LTO-related-compiler-warning.patch
+md4-md5-disable-optimization-causing-unaligned-access.patch
+Support-openssl-3.0.patch
+Debug-flaky-unit-test.patch
+Avoid-usage-of-PATH_MAX-not-available-on-hurd.patch
+auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch
+auth-Add-a-comment-about-updating-userdb_find.patch
+Fix-uninitialized-read-in-doveadm-oldstats.patch
+Use-_FORTIFY_SOURCE-level-3.patch
+Cleanup-temporary-build-files.patch
+Silence-prototype-conflicts.patch
diff --git a/debian/patches/skip-rfc-subdir.patch b/debian/patches/skip-rfc-subdir.patch
new file mode 100644
index 0000000..34dfc68
--- /dev/null
+++ b/debian/patches/skip-rfc-subdir.patch
@@ -0,0 +1,47 @@
+From: Noah Meyerhans <noahm@debian.org>
+Date: Thu, 21 May 2020 21:48:59 -0700
+Subject: Don't try to build doc/rfc subdir components
+
+Forwarded: no (Debian-specific)
+---
+ pigeonhole/configure.ac | 1 -
+ pigeonhole/doc/Makefile.am | 1 -
+ pigeonhole/doc/Makefile.in | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/pigeonhole/configure.ac b/pigeonhole/configure.ac
+index 227746a..38671ed 100644
+--- a/pigeonhole/configure.ac
++++ b/pigeonhole/configure.ac
+@@ -176,7 +176,6 @@ doc/Makefile
+ doc/man/Makefile
+ doc/example-config/Makefile
+ doc/example-config/conf.d/Makefile
+-doc/rfc/Makefile
+ doc/extensions/Makefile
+ doc/locations/Makefile
+ doc/plugins/Makefile
+diff --git a/pigeonhole/doc/Makefile.am b/pigeonhole/doc/Makefile.am
+index 5131ece..258c135 100644
+--- a/pigeonhole/doc/Makefile.am
++++ b/pigeonhole/doc/Makefile.am
+@@ -1,7 +1,6 @@
+ SUBDIRS = \
+ man \
+ example-config \
+- rfc \
+ extensions \
+ locations \
+ plugins
+diff --git a/pigeonhole/doc/Makefile.in b/pigeonhole/doc/Makefile.in
+index bf2b89c..a849848 100644
+--- a/pigeonhole/doc/Makefile.in
++++ b/pigeonhole/doc/Makefile.in
+@@ -404,7 +404,6 @@ top_srcdir = @top_srcdir@
+ SUBDIRS = \
+ man \
+ example-config \
+- rfc \
+ extensions \
+ locations \
+ plugins
diff --git a/debian/patches/split-protocols.patch b/debian/patches/split-protocols.patch
new file mode 100644
index 0000000..4d48d5c
--- /dev/null
+++ b/debian/patches/split-protocols.patch
@@ -0,0 +1,56 @@
+From: Marco Nenciarini <mnencia@debian.org>
+Date: Sat, 5 Mar 2011 11:19:07 +0100
+Subject: split-protocols
+
+Updated: Mon, 25 Nov 2013 20:11:59 -0500
+Forwarded: no (Debian-specific)
+
+Set default protocols value as empty and enable each
+protocol in its own configuration file
+---
+ doc/example-config/dovecot.conf | 4 ++--
+ src/config/all-settings.c | 2 +-
+ src/master/master-settings.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/doc/example-config/dovecot.conf b/doc/example-config/dovecot.conf
+index b67e9eb..7e9953f 100644
+--- a/doc/example-config/dovecot.conf
++++ b/doc/example-config/dovecot.conf
+@@ -20,8 +20,8 @@
+ # options. The paths listed here are for configure --prefix=/usr
+ # --sysconfdir=/etc --localstatedir=/var
+
+-# Protocols we want to be serving.
+-#protocols = imap pop3 lmtp submission
++# Enable installed protocols
++!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+ # A comma separated list of IPs or hosts where to listen in for connections.
+ # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+diff --git a/src/config/all-settings.c b/src/config/all-settings.c
+index a76242c..fbac595 100644
+--- a/src/config/all-settings.c
++++ b/src/config/all-settings.c
+@@ -4100,7 +4100,7 @@ struct master_settings master_default_settings = {
+ .state_dir = PKG_STATEDIR,
+ .libexec_dir = PKG_LIBEXECDIR,
+ .instance_name = PACKAGE,
+- .protocols = "imap pop3 lmtp",
++ .protocols = "",
+ .listen = "*, ::",
+ .ssl = "yes:no:required",
+ .default_internal_user = "dovecot",
+diff --git a/src/master/master-settings.c b/src/master/master-settings.c
+index 7cfaa35..48a9121 100644
+--- a/src/master/master-settings.c
++++ b/src/master/master-settings.c
+@@ -207,7 +207,7 @@ static const struct master_settings master_default_settings = {
+ .state_dir = PKG_STATEDIR,
+ .libexec_dir = PKG_LIBEXECDIR,
+ .instance_name = PACKAGE,
+- .protocols = "imap pop3 lmtp",
++ .protocols = "",
+ .listen = "*, ::",
+ .ssl = "yes:no:required",
+ .default_internal_user = "dovecot",
diff --git a/debian/patches/ssl-cert-location.patch b/debian/patches/ssl-cert-location.patch
new file mode 100644
index 0000000..446dd87
--- /dev/null
+++ b/debian/patches/ssl-cert-location.patch
@@ -0,0 +1,73 @@
+From: "Jaldhar H. Vyas" <jaldhar@debian.org>
+Date: Tue, 25 Sep 2012 01:12:07 -0400
+Subject: SSL cert location
+
+Last-Update: Sun, 30 Nov 2014 23:59:07 -0500
+Bug: #608719
+
+Move dovecots generated X.509 certificate out of /etc/ssl where
+it doesn't belong.
+---
+ doc/example-config/conf.d/10-ssl.conf | 7 ++++---
+ doc/mkcert.sh | 10 +++++-----
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/doc/example-config/conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf
+index ad84766..4867a07 100644
+--- a/doc/example-config/conf.d/10-ssl.conf
++++ b/doc/example-config/conf.d/10-ssl.conf
+@@ -3,14 +3,14 @@
+ ##
+
+ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+-#ssl = yes
++ssl = yes
+
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+ # root. Included doc/mkcert.sh can be used to easily generate self-signed
+ # certificate, just make sure to update the domains in dovecot-openssl.cnf
+-ssl_cert = </etc/ssl/certs/dovecot.pem
+-ssl_key = </etc/ssl/private/dovecot.pem
++ssl_cert = </etc/dovecot/private/dovecot.pem
++ssl_key = </etc/dovecot/private/dovecot.key
+
+ # If key file is password protected, give the password here. Alternatively
+ # give it when starting dovecot with -p parameter. Since this file is often
+@@ -33,6 +33,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+ # RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
+ # large CA bundles, because it leads to excessive memory usage.
+ #ssl_client_ca_dir =
++ssl_client_ca_dir = /etc/ssl/certs
+ #ssl_client_ca_file =
+
+ # Require valid cert when connecting to a remote server
+diff --git a/doc/mkcert.sh b/doc/mkcert.sh
+index f7e484c..efcf85e 100644
+--- a/doc/mkcert.sh
++++ b/doc/mkcert.sh
+@@ -8,19 +8,19 @@ OPENSSL=${OPENSSL-openssl}
+ SSLDIR=${SSLDIR-/etc/ssl}
+ OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
+
+-CERTDIR=$SSLDIR/certs
+-KEYDIR=$SSLDIR/private
++CERTDIR=/etc/dovecot/ssl
++KEYDIR=/etc/dovecot/ssl
+
+ CERTFILE=$CERTDIR/dovecot.pem
+-KEYFILE=$KEYDIR/dovecot.pem
++KEYFILE=$KEYDIR/dovecot.key
+
+ if [ ! -d $CERTDIR ]; then
+- echo "$SSLDIR/certs directory doesn't exist"
++ echo "$CERTDIR directory doesn't exist"
+ exit 1
+ fi
+
+ if [ ! -d $KEYDIR ]; then
+- echo "$SSLDIR/private directory doesn't exist"
++ echo "$KEYDIR directory doesn't exist"
+ exit 1
+ fi
+
diff --git a/debian/patches/ssl-dh-params-location.patch b/debian/patches/ssl-dh-params-location.patch
new file mode 100644
index 0000000..10589ea
--- /dev/null
+++ b/debian/patches/ssl-dh-params-location.patch
@@ -0,0 +1,24 @@
+From: Apollon Oikonomopoulos <apoikos@debian.org>
+Date: Sat, 24 Mar 2018 00:24:55 +0200
+Subject: Set DH params location
+
+Forwarded: not-needed
+
+This is mandatory for SSL support in 2.3
+---
+ doc/example-config/conf.d/10-ssl.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/example-config/conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf
+index 4867a07..c4502fc 100644
+--- a/doc/example-config/conf.d/10-ssl.conf
++++ b/doc/example-config/conf.d/10-ssl.conf
+@@ -52,7 +52,7 @@ ssl_client_ca_dir = /etc/ssl/certs
+ # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+ # Or migrate from old ssl-parameters.dat file with the command dovecot
+ # gives on startup when ssl_dh is unset.
+-#ssl_dh = </etc/dovecot/dh.pem
++ssl_dh = </usr/share/dovecot/dh.pem
+
+ # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+ # TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
diff --git a/debian/patches/tcpwrapper.patch b/debian/patches/tcpwrapper.patch
new file mode 100644
index 0000000..f58a282
--- /dev/null
+++ b/debian/patches/tcpwrapper.patch
@@ -0,0 +1,45 @@
+From: Joerg Dorchain <joerg@dorchain.net>
+Date: Sun, 26 Aug 2012 10:10:28 +0200
+Subject: Add TCP wrapper support
+
+Bug: #685850
+
+Configuration file for TCP wrapper support.
+---
+ doc/example-config/conf.d/10-tcpwrapper.conf | 14 ++++++++++++++
+ doc/example-config/conf.d/Makefile.am | 1 +
+ 2 files changed, 15 insertions(+)
+ create mode 100644 doc/example-config/conf.d/10-tcpwrapper.conf
+
+diff --git a/doc/example-config/conf.d/10-tcpwrapper.conf b/doc/example-config/conf.d/10-tcpwrapper.conf
+new file mode 100644
+index 0000000..b237d96
+--- /dev/null
++++ b/doc/example-config/conf.d/10-tcpwrapper.conf
+@@ -0,0 +1,14 @@
++# 10-tcpwrapper.conf
++#
++# service name for hosts.{allow|deny} are those defined as
++# inet_listener in master.conf
++#
++#login_access_sockets = tcpwrap
++#
++#service tcpwrap {
++# unix_listener login/tcpwrap {
++# group = $default_login_user
++# mode = 0600
++# user = $default_login_user
++# }
++#}
+diff --git a/doc/example-config/conf.d/Makefile.am b/doc/example-config/conf.d/Makefile.am
+index 1950fd5..b78c21a 100644
+--- a/doc/example-config/conf.d/Makefile.am
++++ b/doc/example-config/conf.d/Makefile.am
+@@ -18,6 +18,7 @@ example_DATA = \
+ 10-master.conf \
+ 10-metrics.conf \
+ 10-ssl.conf \
++ 10-tcpwrapper.conf \
+ 15-lda.conf \
+ 15-mailboxes.conf \
+ 20-imap.conf \
diff --git a/debian/patches/test-backtrace.patch b/debian/patches/test-backtrace.patch
new file mode 100644
index 0000000..e0a921b
--- /dev/null
+++ b/debian/patches/test-backtrace.patch
@@ -0,0 +1,53 @@
+From: Noah Meyerhans <noahm@debian.org>
+Date: Fri, 12 Jun 2020 16:51:06 -0700
+Subject: Updates the symbol to check for in the backtrace unit tests
+
+Updates the symbol to check for in the backtrace unit tests to
+something that appears in all the traces on the platforms we support.
+
+Also dump the actual backtrace for debugging buildd failures.
+---
+ src/lib/test-backtrace.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/test-backtrace.c b/src/lib/test-backtrace.c
+index fdebe0f..78492c7 100644
+--- a/src/lib/test-backtrace.c
++++ b/src/lib/test-backtrace.c
+@@ -11,14 +11,15 @@ static void test_backtrace_append(void)
+ /* Check that there's a usable function in the backtrace.
+ Note that this function may be inlined, so don't check for
+ test_backtrace_get() */
++ i_debug("backtrace: '%s'", str_c(bt));
+ test_assert(strstr(str_c(bt), "test_backtrace") != NULL);
+ /* make sure the backtrace_append is not */
+ test_assert(strstr(str_c(bt), " backtrace_append") == NULL);
+ #elif (defined(HAVE_BACKTRACE_SYMBOLS) && defined(HAVE_EXECINFO_H)) || \
+ (defined(HAVE_WALKCONTEXT) && defined(HAVE_UCONTEXT_H))
+ test_assert(backtrace_append(bt) == 0);
+- /* it should have some kind of main in it */
+- test_assert(strstr(str_c(bt), "main") != NULL);
++ i_debug("backtrace: '%s'", str_c(bt));
++ test_assert(strstr(str_c(bt), "test_backtrace_append") != NULL || strstr(str_c(bt), "main") != NULL);
+ #else
+ /* should not work in this context */
+ test_assert(backtrace_append(bt) == -1);
+@@ -35,14 +36,15 @@ static void test_backtrace_get(void)
+ /* Check that there's a usable function in the backtrace.
+ Note that this function may be inlined, so don't check for
+ test_backtrace_get() */
+- test_assert(strstr(bt, "test_backtrace") != NULL);
++ i_debug("backtrace: '%s'", bt);
++ test_assert(strstr(bt, "test_backtrace") != NULL);
+ /* make sure the backtrace_get is not */
+ test_assert(strstr(bt, " backtrace_get") == NULL);
+ #elif (defined(HAVE_BACKTRACE_SYMBOLS) && defined(HAVE_EXECINFO_H)) || \
+ (defined(HAVE_WALKCONTEXT) && defined(HAVE_UCONTEXT_H))
+ test_assert(backtrace_get(&bt) == 0);
+- /* it should have some kind of main in it */
+- test_assert(strstr(bt, "main") != NULL);
++ i_debug("backtrace: '%s'", bt);
++ test_assert(strstr(bt, "test_backtrace_get") != NULL || strstr(bt, "main") != NULL);
+ #else
+ /* should not work in this context */
+ test_assert(backtrace_get(&bt) == -1);