Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 5768 |
1 files changed, 5768 insertions, 0 deletions
@@ -0,0 +1,5768 @@ +v2.3.21 2023-09-15 Aki Tuomi <aki.tuomi@open-xchange.com> + + * lib-oauth2: Allow JWT tokens to be validated with missing typ field. + The typ field is left out by some key issuers to conserve space, + notably kubernetes. Now missing typ is tolerated, but if present, it + still must be "jwt". + + auth: Auth passdb and userdb reply can contain "event_<name>=value" + which will be added to login event and mail user event respectively. + + lib-master: Set process title during various initialization stages to + clearly describe what the process is waiting on. + + lib-storage: The mail_temp_scan_interval is now fuzzed incrementing it + by 0..30% based on username's hash to reduce the chance of load spikes. + + lib-storage: The temp file scan has been moved from the open of the + mailbox to the close, to reduce the latency perceived by users. + + stats: If metric has fields specified, all these fields are + exported as counters to prometheus exposition. + See https://doc.dovecot.org/configuration_manual/stats/openmetrics/. + - *-login: Processes might have crashed when a SSL connection disconnects + uncleanly. + - acl: When plugin was loaded \HasChildren and \HasNoChildren flags + were calculated incorrectly for mailboxes containing '*' and '%' + in their names. + - auth: Crash occured if a connection to PostgreSQL database server + failed during startup. + - auth: Logins with invalid passwords (e.g. unknown scheme) in passdb + were failing with "password mismatch" instead of "internal error". + - auth: XOAUTH2 and OAUTHBEARER mechanisms were not giving out protocol + specific error message on all errors. This especially broke OIDC + discovery. + - dbox: When last_temp_file_scan header wasn't set (especially after + dsync migration), the next mailbox open always triggers the temp file + scan. This could have caused a load spike after migrations. 
Fixed by + using the mailbox directory's atime when the header isn't set, which + usually moves the scan time into the future. + - dict-redis: A crash would occur on transaction rollback. + - dsync: Infinite loop causing out of memory would occur when handling + mailbox deletion from remote end and hierarchy separators would differ. + - dsync: Incremental dsync failed for folder names ending with '%', + unless BROKENCHAR was set. Also folder names with '%' elsewhere in + them caused each incremental dsync to unnecessarily rename the folder + to a temporary name and back. v2.3.19 regression. + - imap-hibernate: If an IMAP client unhibernation timed out with + "(version received)", the unhibernation could still have successfully + finished later on and continued working normally. This was rather + confusing, because imap-hibernate already logged that the client got + disconnected. Avoid this by forcing the connection to shutdown on + unhibernation timeout. + - imapc: Crashed when a folder mapped through the virtual plugin + disappears from the storage. + - imapc: EXPUNGE, EXISTS or FETCH replies from a server for a previously + selected mailbox could have been processed as if they belonged to the + new mailbox currently being selected. This could have caused warnings. + - lib-http: Dovecot HTTP server (doveadm, stats/openmetrics) may have + disconnected HTTP clients before the response is fully sent. This + happened only on busy servers where kernel's socket buffers were + rather full. + - lib-http: Fixed a potential crash on http-server if a client + disconnected early. v2.3.18 regression. + - lib-index: Index file corruption could have caused a crash. Fixes: + Panic: file mail-transaction-log-view.c: line 165 (mail_transaction_log_view_set): + assertion failed: (min_file_seq <= max_file_seq). + - lib-index: Purging an existing >1GB cache file can crash. Now cache + files still above 1GB after purging are removed. 
Fixes: + Panic: file mail-index-util.c: line 10 (mail_index_uint32_to_offset): + assertion failed: (offset < 0x40000000) + - lib-lua: A HTTP client could not resolve DNS names in mail processes, + because it expected "the dns-client" socket to exist in the current + directory. + - lib-oauth2: Dovecot would send client_id and client_secret as POST + parameters to the introspection server. These need to be optionally in + Basic auth instead. + - lib-oauth2: JWT aud validation was not performed if aud was missing + from a token, but was configured on Dovecot. + - lib-oauth2: JWT key type check was too strict. + - lib-oauth2: JWT token audience was not validated against client_id as + required by the specification. + - lib-ssl-iostream: Using the ssl_require_crl=yes setting may have caused + CRL check failures for outgoing SSL/TLS connections, although it was + supposed to affect checking CRLs only for client-side SSL + certificates. v2.3.17 regression. + - lib-sql: MySQL driver leaked memory when connection failed. + - lib-storage: Various fixes when running into out of disk space. + - master: Service idle_kill setting didn't work properly on busy + servers. It was very unlikely that any process was idling long enough + to become killed. Also the idle_kill handling code was using quite a + lot of CPU on the master process when there were a lot of processes + (e.g. imap). The new behavior is to track the lowest number of idling + processes every idle_kill time interval and then kill that many idling + processes. + - mdbox: Temp file scan was done for always empty directories. + - mdbox: The fdatasync() call was done in wrong parent directory when + writing mails. Also on a failure it crashed instead of logging an error. + - notify_status: The plugin crashes if any user initialization fails. + - pop3: Sending command with the ':' character caused an assert-crash. + v2.3.18 regression. 
Fixes: Panic: event_reason_code_prefix(): name has ':' + - stats: Fix panic when a nonexistent event exporter was referenced while + adding a new metric dynamically via doveadm stats add. This produces + a proper error now. + - stats: If process exported a lot of events and then exited, some of + the last events may have become lost. + - stats: Invalid Prometheus label names were created with specific + histogram group_by configurations. Prometheus rejected these labels. + - welcome: The plugin didn't execute in some situations that created + INBOX but didn't open it, e.g. if GETMETADATA was used before the + INBOX was opened. + +v2.3.20 2022-12-22 Aki Tuomi <aki.tuomi@open-xchange.com> + + + Add dsync_features=no-header-hashes. When this setting is enabled and + one dsync side doesn't support mail GUIDs (i.e. imapc), there is no + fallback to using header hashes. Instead, dsync assumes that all mails + with identical IMAP UIDs contains the same mail contents. This can + significantly improve dsync performance with some IMAP servers that + don't support caching Date/Message-ID headers. + + lua: HTTP client has more settings now, see + https://doc.dovecot.org/admin_manual/lua/#dovecot.http.client + + replicator: "doveadm replicator status" command now outputs when the + next sync is expected for the user. + - LAYOUT=index: duplicate GUIDs were not cleaned out. Also the list + recovery was not optimal. + - auth: Assert crash would occur when iterating multiple userdb + backends. + - director: Logging into director using master user with + auth_master_user_separator character redirected user to a wrong + backend, unless master_user_separator setting was also set to the same + value. Merged these into auth_master_user_separator. + - dsync: Couldn't always fix folder GUID conflicts automatically with + Maildir format. This resulted in replication repeatedly failing + with "Remote lost mailbox GUID". 
+ - dsync: Failed to migrate INBOX when using namespace prefix=INBOX/, + resulting in "Remote lost mailbox GUID" errors. + - dsync: INBOX was created too early with namespace prefix=INBOX/, + resulting a GUID conflict. This may have been resolved automatically, + but not always. + - dsync: v2.3.18 regression: Wrong imapc password with dsync caused + Panic: file lib-event.c: line 506 (event_pop_global): + assertion failed: (event == current_global_event) + - imapc: Requesting STATUS for a mailbox with imapc and INDEXPVT + configured did not return correct (private) unseen counts. + - lib-dict: Process would crash when committing data to redis without + dict proxy. + - lib-mail: Corrupted cached BODYSTRUCTURE caused panic during FETCH. + Fixes: Panic: file message-part-data.c: line 579 (message_part_is_attachment): + assertion failed: (data != NULL). v2.3.13 regression. + - lib-storage: mail_attribute_dict with dict-sql failed when it tried to + lookup empty dict keys. + - lib: ioloop-kqueue was missing include breaking some BSD builds. + - lua-http: Dovecot Lua HTTP client could not resolve DNS names in mail + processes, because it expected "dns-client" socket to exist in the + current directory. + - oauth2: Using %{oauth2:name} variables could cause useless + introspections. + - pop3: Sending POP3 command with ':' character caused an assert-crash. + v2.3.18 regression. + - replicator: Replication queue had various issues, potentially causing + replication requests to become stuck. + - stats: Invalid Prometheus label names were created with specific + histogram group_by configurations. Prometheus rejected these labels. + +v2.3.19.1 2022-06-14 Aki Tuomi <aki.tuomi@open-xchange.com> + + - doveadm deduplicate: Non-duplicate mails were deleted. + v2.3.19 regression. + - auth: Crash would occur when iterating multiple backends. 
+ Fixes: Panic: file userdb-blocking.c: + line 125 (userdb_blocking_iter_next): assertion failed: (ctx->conn != NULL) + +v2.3.19 2022-05-10 Aki Tuomi <aki.tuomi@open-xchange.com> + + + Added mail_user_session_finished event, which is emitted when the mail + user session is finished (e.g. imap, pop3, lmtp). It also includes + fields with some process statistics information. + See https://doc.dovecot.org/admin_manual/list_of_events/ for more + information. + + Added process_shutdown_filter setting. When an event matches the filter, + the process will be shutdown after the current connection(s) have + finished. This is intended to reduce memory usage of long-running imap + processes that keep a lot of memory allocated instead of freeing it to + the OS. + + auth: Add cache hit indicator to auth passdb/userdb finished events. + See https://doc.dovecot.org/admin_manual/list_of_events/ for more + information. + + doveadm deduplicate: Performance is improved significantly. + + imapc: COPY commands were sent one mail at a time to the remote IMAP + server. Now the copying is buffered, so multiple mails can be copied + with a single COPY command. + + lib-lua: Add a Lua interface to Dovecot's HTTP client library. See + https://doc.dovecot.org/admin_manual/lua/ for more information. + - auth: Cache lookup would use incorrect cache key after username change. + - auth: Improve handling unexpected LDAP connection errors/hangs. + Try to fix up these cases by reconnecting to the LDAP server and + aborting LDAP requests earlier. + - auth: Process crashed if userdb iteration was attempted while auth-workers + were already full handling auth requests. + - auth: db-oauth2: Using %{oauth2:name} variables caused unnecessary + introspection requests. + - dict: Timeouts may have been leaked at deinit. + - director: Ring may have become unstable if a backend's tag was changed. + It could also have caused director process to crash. 
+ - doveadm kick: Numeric parameter was treated as IP address. + - doveadm: Proxying can panic when flushing print output. Fixes + Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed: + (ioloop == current_ioloop). + - doveadm sync: BROKENCHAR was wrongly changed to '_' character when + migrating mailboxes. This was set by default to %, so any mailbox + names containing % characters were modified to "_25". + - imapc: Copying or moving mails with doveadm to an imapc mailbox could + have produced "Error: Syncing mailbox '[...]' failed" Errors. The + operation itself succeeded but attempting to sync the destination + mailbox failed. + - imapc: Prevent index log synchronization errors when two or more imapc + sessions are adding messages to the same mailbox index files, i.e. + INDEX=MEMORY is not used. + - indexer: Process was slowly leaking memory for each indexing request. + - lib-fts: fts header filters caused binary content to be sent to the + indexer with non-default configuration. + - doveadm-server: Process could hang in some situations when printing + output to TCP client, e.g. when printing doveadm sync state. + - lib-index: dovecot.index.log files were often read and parsed entirely, + rather than only the parts that were actually necessary. This mainly + increased CPU usage. + - lmtp-proxy: Session ID forwarding would cause same session IDs being + used when delivering same mail to multiple backends. + - log: Log prefix update may have been lost if log process was busy. + This could have caused log prefixes to be empty or in some cases + reused between sessions, i.e. log lines could have been logged for the + wrong user/session. + - mail_crypt: Plugin crashes if it's loaded only for some users. Fixes + Panic: Module context mail_crypt_user_module missing. + - mail_crypt: When LMTP was delivering mails to both recipients with mail + encryption enabled and not enabled, the non-encrypted recipients may + have gotten mails encrypted anyway. 
This happened when the first + recipient was encrypted (mail_crypt_save_version=2) and the 2nd + recipient was not encrypted (mail_crypt_save_version=0). + - pop3: Session would crash if empty line was sent. + - stats: HTTP server leaked memory. + - submission-login: Long credentials, such as OAUTH2 tokens, were refused + during SASL interactive due to submission server applying line length + limits. + - submission-login: When proxying to remote host, authentication was not + using interactive SASL when logging in using long credentials such as + OAUTH2 tokens. This caused authentication to fail due to line length + constraints in SMTP protocol. + - submission: Terminating the client connection with QUIT command after + mail transaction is started with MAIL command and before it is + finished with DATA/BDAT can cause a segfault crash. + - virtual: doveadm search queries with mailbox-guid as the only parameter + crashes: Panic: file virtual-search.c: line 77 (virtual_search_get_records): + assertion failed: (result != 0) + +v2.3.18 2022-02-03 Aki Tuomi <aki.tuomi@open-xchange.com> + + * Removed mail_cache_lookup_finished event. This event wasn't especially + useful, but it increased CPU usage significantly. + * fts: Don't index inline base64 encoded content in FTS indexes using + the generic tokenizer. This reduces the FTS index sizes by removing + input that is very unlikely to be searched for. See + https://doc.dovecot.org/configuration_manual/fts/tokenization for + details on how base64 is detected. Only applies when using libfts. + * lmtp: Session IDs are now preserved through proxied connections, so + LMTP sessions can be tracked. This slightly changes the LMTP session + ID format by appending ":Tn" (transaction), ":Pn" (proxy connection) + and ":Rn" (recipient) counters after the session ID prefix. + + Events now have "reason_code" field, which can provide a list of + reasons why the event is happening. 
See + https://doc.dovecot.org/admin_manual/event_reasons/ + + New events are added. See https://doc.dovecot.org/admin_manual/list_of_events/ + + fts: Added fts_header_excludes and fts_header_includes settings to + specify which headers to index. See + https://doc.dovecot.org/settings/plugin/fts-plugin#plugin-fts-setting-fts-header-excludes + for configuration details. + + fts: Initialize the textcat language detection library only once per + process. This can reduce CPU usage if fts_languages setting has multiple + languages listed and service indexer-worker { service_count } isn't 1. + Only applies when using libfts. + + lib-storage: Reduced CPU usage significantly for some operations that + accessed lots of emails (e.g. fetching all flags in a folder, SORT, ...) + + lib: DOVECOT_PREREQ() - Add micro version which enables compiling + external plugins against different versions of Dovecot. + + lmtp: Added new lmtp_verbose_replies setting that makes errors sent to + the LMTP client much more verbose with details about why exactly + backend proxy connections or commands are failing. + + submission: Support implicit SASL EXTERNAL with + submission_client_workarounds=implicit-auth-external. This allows + automatically logging in when SSL client certificate is present. + - *-login: Statistics were disabled if stats process connection was lost. + - auth: Authentication master user login fails with SCRAM-* SASL mechanisms. + - auth: With auth_cache_verify_password_with_worker=yes, passdb extra + fields in the auth cache got lost. + - doveadm: Fixed crash if zlib_save_level setting was specified, + but zlib_save was unset. v2.3.15 regression. + - doveadm: Proxying can panic when flushing print output. v2.3.17 + regression. Fixes: + Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed: + (ioloop == current_ioloop) + - doveadm: stats add --group-by parameter didn't work. 
+ - fts: Using email-address fts tokenizer could result in excessive memory + usage with garbage email input. This could cause the indexer-worker + processes to fail due to reaching the VSZ memory size limit. + Only applies when using libfts. + - imap: A SEARCH command timing out while fts returns indexes may timeout + returning "NO [SERVERBUG]", while it should return "NO [INUSE]" instead. + - imap: LIST-EXTENDED doesn't return STATUS for all folders. Sending + LIST .. RETURN (SUBSCRIBED STATUS (...)) did not return STATUS for + folders that are not subscribed when they have a child folder that is + subscribed as mandated by IMAP RFCs. + - imapc: Mailbox vsize calculation crashed with + Panic: file index-mailbox-size.c: line 344 (index_mailbox_vsize_hdr_add_missing): + assertion failed: (mails_left > 0) + - indexer: If indexer-worker crashes, the request it was processing gets + stuck in the indexer process. This stops indexing for the folder until + indexer process is restarted. v2.3.14 regression. + - indexer: Process was slowly leaking memory for each indexing request. + - lib-event: Unnamed events were wrongly filtered out for event/metric + filters like "event=abc OR something_independent_of_event_name". + - lib-index: 64-bit big endian CPUs handle last_used field in + dovecot.index.cache wrong. + - lib-ssl-iostream: Fix buggy OpenSSL error handling without assert-crashing. + If there is no error available, log it as an error instead of crashing. + The previous fix for this in v2.3.11 was incomplete. Fixes + Panic: file istream-openssl.c: line 51 (i_stream_ssl_read_real): + assertion failed: (errno != 0) + - lmtp: Out-of-memory issues can happen when proxying large messages to + LMTP backend servers that accept the message data too slow. + - master: HAProxy header parsing has read buffer overflow if provided + header size is invalid. 
This happens only if inet_listener + { haproxy=yes } is configured and only if the remote IP address is in + haproxy_trusted_networks. + - old_stats: Plugin kept increasing memory usage, which became + noticeable with long-running imap sessions. + - stats: Dynamically adding same metric multiple times causes multiple stats. + - submission-login: Authentication does not accept OAUTH2 token (or + other very long credentials) because it considers the line to be too long. + - submission-login: Process can crash if HELO is pipelined with an + invalid domain. + - submission-proxy: Don't use SASL-IR if it would make the AUTH command + line longer than 512 bytes. + - submission: Service would crash if relay server authentication failed. + - virtual: FTS search in a virtual folder could crash if there are + duplicate mailbox GUIDs. This mainly happened when user had both INBOX + and INBOX/INBOX folders and the namespace prefix was INBOX/. Fixes + Panic: file hash.c: line 252 (hash_table_insert_node): + assertion failed: (opcode == HASH_TABLE_OP_UPDATE) + - virtual: If mailbox opening fails, the backend mailbox is leaked and + process crashes when client disconnects. Fixes + Panic: file mail-user.c: line 232 (mail_user_deinit): + assertion failed: ((*user)->refcount == 1) + - virtual: Searching headers in virtual folders didn't always use + full-text search indexes, if fts_enforced=no or body. + +v2.3.17.1 2021-12-07 Aki Tuomi <aki.tuomi@open-xchange.com> + + - dsync: Add back accidentically removed parameters. + - lib-ssl-iostream: Fix assert-crash when OpenSSL returned syscall error + without errno. + - master: Dovecot failed to start if ssl_ca was too large. + +v2.3.17 2021-10-28 Aki Tuomi <aki.tuomi@open-xchange.com> + + * Dovecot now logs a warning if time seems to jump forward at least + 100 milliseconds. + * dict: Lines logged by the dict process now contain the dict name as + the prefix. 
+ * lib-index: mail_cache_fields, mail_always_cache_fields and + mail_never_cache_fields now verifies that the listed header names are + valid. Especially the UTF8 "–" character has sometimes been wrongly + used instead of the ASCII "-". + + *-login: Added login_proxy_rawlog_dir setting to capture + rawlogs between proxy and backend. + + dict: The server process now keeps the last 10 idle dict backends + cached for maximum of 30 seconds. Practically this acts as a + connection pool for dict-redis and dict-ldap. Note that this doesn't + affect dict-sql, because it already had its own internal cache. + + doveadm: New stats add/remove commands added to support changing the + metrics configuration on runtime. + + lazy_expunge: Added lazy_expunge_exclude settings to disable + lazy_expunge for specific folders. \Special-use flags can be used as + folder names. + + lib-lua: Added a new helper function dovecot.restrict_global_variables() + to disable or enable defining new global variables. + - LAYOUT=index List index rebuild was missing. + - LAYOUT=index: Duplicate GUIDs were not detected. + - acl: When using acl_ignore_namespace Dovecot attempted to access or + create dovecot-acl-list even when the namespace should have been + ignored. For virtual namespaces this could have yielded errors about + "Read-only file system" or "Permission denied". + - auth: Setting the "master" passdb field to empty value would + cause proxying to fail with an authentication error. + Now an empty "master" field is ignored. + - doveadm-server: Duplicate error lines were sent for failed commands. + This didn't normally cause visible problems, except when using + wildcards in usernames or -A parameter to go through multiple users. + - doveadm-server: Logs written by doveadm-server were often missing log + prefixes, especially mail_log_prefix for mail commands. Logs sent to + doveadm TCP client were also missing log prefixes. + - doveadm: v2.3 regression: batch command always crashes. 
+ - doveadm: v2.3.11 regression: Commands failed if ssl_cert or + ssl_key files weren't readable by the user running doveadm, even + though doveadm didn't actually use these settings + - imap-hibernate: Process may crash at deinit: + Panic: file ioloop.c: line 928 (io_loop_destroy): assertion failed: + (ioloop->cur_ctx == NULL). + - imap: Using imap_fetch_failure=no-after can cause assert-crash + with some IMAP commands if reading the mail fails (e.g. wrong cached + mail size). Fixes: + Panic: file index-mail-headers.c: line 198 (index_mail_parse_header_init): + assertion failed: (!mail->data.header_parser_initialized) + - imap: v2.3.10 regression: When using INDEXPVT to enable private + \Seen flags (for shared or public namespaces) the STORE command did + not send untagged replies for the \Seen flag changes. + - imap: v2.3.15 regression: If PREVIEW/SNIPPET is not the final FETCH + option in the command, the IMAP FETCH response is broken. + - imap: v2.3.15 regression: MOVE command leaks mailbox if it can't be + opened and crashes at deinit: + Panic: file mail-user.c: line 229 (mail_user_deinit): assertion failed: + ((*user)->refcount == 1). + - imapc: Copying nonexistent mail via imapc could have crashed. Fixes: + Panic: file mail-storage.c: line 2385 (mailbox_transaction_commit_get_changes): + assertion failed: (ret < 0 || seq_range_count(&changes_r->saved_uids) == save_count || + array_count(&changes_r->saved_uids) == 0). + - indexer: v2.3.15 regression: Process crashes if indexer-client + disconnects while it's waiting for command reply. This happened for + example if IMAP SEARCH triggered long fts indexing and the IMAP + client disconnected while waiting for the reply. + - indexer: v2.3.15 regression: Process may have crashed in some situations. 
+ - indexer: v2.3.15 regression: indexer-worker processes may not have + reached the process_limit in some situations, possibly even using just + one indexer-worker process even though there were many indexing + requests queued. + - lib-compression: Reading lz4 compressed mdbox mails may crash. Fixes: + Panic: file istream.c: line 345 (i_stream_read_memarea): + assertion failed: (!stream->blocking). + - lib-compression: bench-compress crashes due to xz being read-only. + - lib-lua: Fix linking libdict_lua for non-GNU linkers when Lua support + is disabled. + - lib-mail: There was no limit on how large an email header name could be. + Processable header names are now limited to 1000 bytes. + - lib-oauth2: Dovecot disallowed JWT tokens if their validity time was + older than token creation time (nbf < iat). + - lib-storage: Reduce memory footprint of certain storage operations. + - lib-storage: When listing mailboxes with storage name escape + characters (^ or .) as part of the mailbox name, the listing could + show corrupted mailbox names. Due to an issue in handling escaped + parent folders, the listing of other mailbox names would become + corrupted by prepending parts of the previously listed mailboxes + parent folder as prefix to the actual mailbox names. The corruption + can occur when using LAYOUT=INDEX and maildir or obox, or when using + the listescape plugin. + - mail-crypt: Fix "-O" argument for "doveadm mailbox cryptokey password" + command to be a boolean, and not expect a string. + - submission-login: Add support for not authenticating to next hop in + submission proxying. + - submission-login: EHLO was not sent again after XCLIENT when doing + submission proxying. + - virtual: Mailboxes do not correctly detect underlying mailboxes + getting re-created even though they have a different UIDVALIDITY or + GUID. + +v2.3.16 2021-08-06 Timo Sirainen <timo.sirainen@open-xchange.com> + + * Any unexpected exit() will now result in a core dump. 
This can + especially help notice problems when a Lua script causes exit(0). + * auth-worker process is now restarted when the number of auth + requests reaches service auth-worker { service_count }. The default + is still unlimited. + + + Event improvements: Added data_stack_grow event and http-client + category. See https://doc.dovecot.org/admin_manual/list_of_events/ + + oauth2: Support RFC 7628 openid-configuration element. This allows + clients to support OAUTH2 for any server, not just a few hardcoded + servers like they do now. See openid_configuration_url setting in + dovecot-oauth2.conf.ext. + + mysql: Single statements are no longer enclosed with BEGIN/COMMIT. + + dovecot-sysreport --core supports multiple core files now and does + not require specifying the binary path. + + imapc: When imap_acl plugin is loaded and imapc_features=acl is used, + IMAP ACL commands are proxied to the remote server. See + https://doc.dovecot.org/configuration_manual/mail_location/imapc/ + + dict-sql now supports the "UPSERT" syntax for SQLite and PostgreSQL. + + imap: If IMAP client disconnects during a COPY command, the copying + is aborted, and changes are reverted. This may help to avoid many + email duplicates if client disconnects during COPY and retries it + after reconnecting. + - master process was using 100% CPU if service attempted to create more + processes due to process_min_avail, but process_limit was already + reached. v2.3.15 regression. + - Using attachment detection flags wrongly logged unnecessary "Failed + to add attachment keywords" errors. v2.3.13 regression. + - IMAP QRESYNC: Expunging UID 1 mail resulted in broken VANISHED + response, which could have confused IMAP clients. v2.3.13 regression. + - imap: STORE didn't send untagged replies for \Seen changes for + (shared) mailboxes using INDEXPVT. v2.3.10 regression. + - rawlog_dir setting would not log input that was pipelined after + authentication command. 
+ - Fixed potential infinite looping with autoexpunging. + - Log event exporter: Truncate long fields to 1000 bytes + - LAYOUT=index: ACL inheritance didn't work when creating mailboxes + - Event filters: Unquoted '?' wildcard caused a crash at startup + - fs-metawrap: Fix to handling zero sized files + - imap-hibernate: Fixed potential crash at deinit. + - acl: dovecot-acl-list files were written for acl_ignore_namespaces + - program-client (used by Sieve extprograms, director_flush_socket) + may have missed status response from UNIX and network sockets, + resulting in unexpected failures. + +v2.3.15 2021-06-21 Aki Tuomi <aki.tuomi@open-xchange.com> + + * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in + JWT tokens. This may be used to supply attacker controlled keys to + validate tokens, if attacker has local access. + * CVE-2021-33515: On-path attacker could have injected plaintext commands + before STARTTLS negotiation that would be executed after STARTTLS + finished with the client. + * Disconnection log messages are now more standardized across services. + They also always now start with "Disconnected" prefix. + * Dovecot now depends on libsystemd for systemd integration. + * Removed support for Lua 5.2. Use version 5.1 or 5.3 instead. + * config: Some settings are now marked as "hidden". It's discouraged to + change these settings. They will no longer be visible in doveconf + output, except if they have been changed or if doveconf -s parameter + is used. See https://doc.dovecot.org/settings/advanced/ for details. + * imap-compress: Compression level is now algorithm specific. + See https://doc.dovecot.org/settings/plugin/compress-plugin/ + * indexer-worker: Convert "Indexed" info logs to an event named + "indexer_worker_indexing_finished". See + https://doc.dovecot.org/admin_manual/list_of_events/#indexer-worker-indexing-finished + + Add TSLv1.3 support to min_protocols. + + Allow configuring ssl_cipher_suites. 
(for TLSv1.3+) + + acl: Add acl_ignore_namespace setting which allows to entirely ignore + ACLs for the listed namespaces. + + imap: Support official RFC8970 preview/snippet syntax. Old methods of + retrieving preview information via IMAP commands ("SNIPPET and PREVIEW + with explicit algorithm selection") have been deprecated. + + imapc: Support INDEXPVT for imapc storage to enable private + message flags for cluster wide shared mailboxes. + + lib-storage: Add new events: mail_opened, mail_expunge_requested, + mail_expunged, mail_cache_lookup_finished. See + https://doc.dovecot.org/admin_manual/list_of_events/#mail + + zlib, imap-compression, fs-compress: Support compression levels that + the algorithm supports. Before, we would allow hardcoded value between + 1 to 9 and would default to 6. Now we allow using per-algorithm value + range and default to whatever default the algorithm specifies. + - *-login: Commands pipelined together with and just after the authenticate + command cause these commands to be executed twice. This applies to all + protocols that involve user login, which currently comprises of imap, + pop3, submisision and managesieve. + - *-login: Processes are supposed to disconnect the oldest non-logged in + connection when process_limit was reached. This didn't actually happen + with the default "high-security mode" (with service_count=1) where each + connection is handled by a separate process. + - *-login: When login process reaches client/process limits, oldest + client connections are disconnected. If one of these was still doing + anvil lookup, this caused a crash. This could happen only if the login + process limits were very low or if the server was overloaded. + - Fixed building with link time optimizations (-flto). + - auth: Userdb iteration with passwd driver does not always return all + users with some nss drivers. + - dsync: Shared INBOX not synced when "mail_shared_explicit_inbox" was + disabled. 
If a user has a shared mailbox which is another user's INBOX, + dsync didn't include the mailbox in syncing unless explicit naming is + enabled with "mail_shared_explicit_inbox" set to "yes". + - dsync: Shared namespaces were not synced with "-n" flag. + - dsync: Syncing shared INBOX failed if mail_attribute_dict was not set. + If a user has a shared mailbox that is another user's INBOX, dsync + failed to export the mailbox if mail attributes are disabled. + - fts-solr, fts-tika: Using both Solr FTS and Tika may have caused HTTP + requests to assert-crash: Panic: file http-client-request.c: line 1232 + (http_client_request_send_more): assertion failed: (req->payload_input != NULL) + - fts-tika: 5xx errors returned by Tika server as indexing failures. + However, Tika can return 5xx for some attachments every time. + So the 5xx error should be retried once, but treated as success if it + happens on the retry as well. v2.3 regression. + - fts-tika: v2.3.11 regression: Indexing messages with fts-tika may have + resulted in Panic: file message-parser.c: line 802 (message_parser_deinit_from_parts): + assertion failed: (ctx->nested_parts_count == 0 || i_stream_have_bytes_left(ctx->input)) + - imap: SETMETADATA could not be used to unset metadata values. + Instead NIL was handled as a "NIL" string. v2.3.14 regression. + - imap: IMAP BINARY FETCH crashes at least on empty base64 body: + Panic: file index-mail-binary.c: line 358 (blocks_count_lines): + assertion failed: (block_count == 0 || block_idx+1 == block_count) + - imap: If IMAP client using the NOTIFY command was disconnected while + sending FETCH notifications to the client, imap could crash with + Panic: Trying to close mailbox INBOX with open transactions. + - imap: Using IMAP COMPRESS extension can cause IMAP connection to hang + when IMAP commands are >8 kB long. + - imapc: If remote server sent BYE but didn't immediately disconnect, it + could cause infinite busy-loop. 
+ - lib-index: Corrupted cache record size in dovecot.index.cache file + could have caused a crash (segfault) when accessing it. + - lib-oauth2: JWT token time validation now works correctly with + 32-bit systems. + - lib-ssl-iostream: Checking hostnames against an SSL certificate was + case-sensitive. + - lib-storage: Corrupted mime.parts in dovecot.index.cache may have + resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body): + assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0)) + - lib-storage: Index rebuilding (e.g. via doveadm force-resync) didn't + preserve the "hdr-pop3-uidl" header. Because of this, the next pop3 + session could have accessed all of the emails' metadata to read their + POP3 UIDL (opening dbox files). + - listescape: When using the listescape plugin and a shared namespace + the plugin didn't work properly anymore resulting in errors like: + "Invalid mailbox name: Name must not have '/' character." + - lmtp: Connection crashes if connection gets disconnected due to + multiple bad commands and the last bad command is BDAT. + - lmtp: The Dovecot-specific LMTP parameter XRCPTFORWARD was blindly + forwarded by LMTP proxy without checking that the backend has support. + This caused a command parameter error from the backend if it was + running an older Dovecot release. This could only occur in more complex + setups where the message was proxied twice; when the proxy generated + the XRCPTFORWARD parameter itself the problem did not occur, so this + only happened when it was forwarded. + - lmtp: The LMTP proxy crashes with a panic when the remote server + replies with an error while the mail is still being forwarded through + a DATA/BDAT command. + - lmtp: Username may have been missing from lmtp log line prefixes when + it was performing autoexpunging. + - master: Dovecot would incorrectly fail with haproxy 2.0.14 service + checks. 
+ - master: Systemd service: Dovecot announces readiness for accepting + connections earlier than it should. The following environment variables + are now imported automatically and can be omitted from + import_environment setting: NOTIFY_SOCKET LISTEN_FDS LISTEN_PID. + - master: service { process_min_avail } was launching processes too + slowly when master was forking a lot of processes. + - util: Make the health-check.sh example script POSIX shell compatible. + +v2.3.14.1 2021-06-21 Aki Tuomi <aki.tuomi@open-xchange.com> + + * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in + JWT tokens. This may be used to supply attacker controlled keys to + validate tokens, if attacker has local access. + * CVE-2021-33515: On-path attacker could have injected plaintext commands + before STARTTLS negotiation that would be executed after STARTTLS + finished with the client. + - lib-index: Corrupted mime.parts in dovecot.index.cache may have + resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body): + assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0)) + - imap: SETMETADATA could not be used to unset metadata values. + Instead NIL was handled as a "NIL" string. v2.3.14 regression. + +V2.3.14 2021-03-04 Aki Tuomi <aki.tuomi@open-xchange.com> + + * Added new aliases for some variables. Usage of the old ones is possible, + but discouraged. (These were partially added already to v2.3.13.) + See https://doc.dovecot.org/configuration_manual/config_file/config_variables/ + for more information. + * Optimize imap/pop3/submission/managesieve proxies to use less CPU at + the cost of extra memory usage. + * Remove autocreate, expire, snarf and mail-filter plugins. + * Remove cydir storage driver. + * Remove XZ/LZMA write support. Read support will be removed in future release. + * doveadm -D: Add timestamps to debug output even when LOG_STDERR_TIMESTAMP + environment variable is not set. 
Timestamp format is taken from + log_timestamp setting. + * If BROKENCHAR or listescape plugin is used, the escaped folder names + may be slightly different from before in some situations. This is + unlikely to cause issues, although caching clients may redownload the + folders. + * imapc: It now enables BROKENCHAR=~ by default to escape remote folder + names if necessary. This also means that if there are any '~' + characters in the remote folder names, they will be visible as "~7e". + * imapc: When using local index files folder names were escaped on + filesystem a bit differently. This affects only if there are folder + names that actually require escaping, which isn't so common. The old + style folders will be automatically deleted from filesystem. + * stats: Update exported metrics to be compliant with OpenMetrics standard. + + doveadm: Add an optional '-p' parameter to metadata list command. If + enabled, "/private", and "/shared" metadata prefixes will be prepended + to the keys in the list output. + + doveconf: Support environment variables in config files. See + https://doc.dovecot.org/configuration_manual/config_file/config_file_syntax/#environment-variables + for more details. + + indexer-worker: Change indexer to disconnect from indexer-worker + after each request. This allows service indexer-worker's service_count & + idle_kill settings to work. These can be used to restart indexer-worker + processes once in a while to reduce their memory usage. + - auth: "nodelay" with various authentication mechanisms such as apop + and digest-md5 crashed AUTH process if authentication failed. + - auth: Auth lua script generating an error triggered an assertion + failure: Panic: file db-lua.c: line 630 (auth_lua_call_password_verify): + assertion failed: (lua_gettop(script->L) == 0). + - configure: Fix libunwind detection to work on other than x86_64 systems. + - doveadm-server: Process could crash if logging was done outside command + handling. 
For example http-client could have done debug logging + afterwards, resulting in either segfault or Panic: + file http-client.c: line 642 (http_client_context_close): + assertion failed: (cctx->clients_list == NULL). + - dsync: Folder name escaping with BROKENCHAR didn't work completely + correctly. This especially caused problems with dsync-migrations using + imapc where some of the remote folder names may not have been accessible. + - dsync: doveadm sync + imapc doesn't always sync all mails when doing + an incremental sync (-1), which could lead to mail loss when it's used + for migration. This happens only when GUIDs aren't used (i.e. + imapc without imapc_features=guid-forced). + - fts-tika: When tika server returns error, some mails cause Panic: + file message-parser.c: line 802 (message_parser_deinit_from_parts): + assertion failed: (ctx->nested_parts_count == 0 || i_stream_have_bytes_left(ctx->input)) + - lib-imap: imapc parsing illegal BODYSTRUCTUREs with NILs could have + resulted in crashes. This exposed that Dovecot was wrongly accepting + atoms in "nstring" handling. Changed the IMAP parsing to be more + strict about this now. + - lib-index: If dovecot.index.cache has corrupted message size, fetching + BODY/BODYSTRUCTURE may cause assert-crash: + Panic: file index-mail.c: line 1140 (index_mail_parse_body_finish): + assertion failed: (mail->data.parts != NULL). + - lib-index: Minor error handling and race condition fixes related to + rotating dovecot.index.log. These didn't usually cause problems, + unless the log files were rotated rapidly. + - lib-lua: Lua scripts using coroutines or lua libraries using coroutines + (e.g., cqueues) panicked. + - Message PREVIEW handled whitespace wrong so first space would get + eaten from between words. + - FTS and message PREVIEW (snippet) parsed HTML &entities case-sensitively. 
+ - lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE + was written in a way that may have caused confusion for IMAP clients + and also Dovecot itself when parsing it. The truncated part is now + written out using application/octet-stream MIME type. + - lib-oauth2: HS512 and HS384 JWT token algorithms crash when you try to + use them: Panic: file hmac.c: line 26 (hmac_init): assertion failed: + (meth->context_size <= MAC_MAX_CONTEXT_SIZE). + - event filters: NOT keyword did not have the correct associativity. + NOT a AND b were getting parsed as NOT (a AND b) instead of + (NOT a) AND b. + - Ignore ECONNRESET when closing socket. This avoids logging useless + errors on systems like FreeBSD. + - event filters: event filter syntax error may lead to Panic: + file event-filter.c: line 137 (event_filter_parse): assertion failed: + (state.output == NULL) + - lib: timeval_cmp_margin() was broken on 32-bit systems. This could + potentially have caused HTTP timeouts to be handled incorrectly. + - log: instance_name wasn't used as syslog ident by the log process. + - master: After a service reached process_limit and client_limit, it + could have taken up to 1 second to realize that more client connections + became available. During this time client connections could have been + unnecessarily rejected and a warning logged: + Warning: service(...): process_limit (...) reached, client connections are being dropped + - stats: Crash would occur when generating openmetrics data for metrics + using aggregating functions. + - stats: Event filters comparing against empty strings crash the stats + process. + +v2.3.13 2021-01-04 Aki Tuomi <aki.tuomi@open-xchange.com> + + * CVE-2020-24386: Specially crafted command can cause IMAP hibernate to + allow logged in user to access other people's emails and filesystem + information. + * Metric filter and global event filter variable syntax changed to a + SQL-like format. 
See https://doc.dovecot.org/configuration_manual/event_filter/ + * auth: Added new aliases for %{variables}. Usage of the old ones is + possible, but discouraged. + * auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth + mechanism and related password schemes. + * auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail. + * auth: Removed postfix postmap socket + + auth: Added new fields for auth server events. These fields are now + also available for all auth events. See + https://doc.dovecot.org/admin_manual/list_of_events/#authentication-server + for details. + + imap-hibernate: Added imap_client_hibernated, imap_client_unhibernated + and imap_client_unhibernate_retried events. See + https://doc.dovecot.org/admin_manual/list_of_events/ for details. + + lib-index: Added new mail_index_recreated event. See + https://doc.dovecot.org/admin_manual/list_of_events/#mail-index-recreated + + lib-sql: Support TLS options for cassandra driver. This requires + cpp-driver v2.15 (or later) to work reliably. + + lib-storage: Missing $HasAttachment / $HasNoAttachment flags are now + added to existing mails if mail_attachment_detection_option=add-flags + and it can be done inexpensively. + + login proxy: Added login_proxy_max_reconnects setting (default 3) to + control how many reconnections are attempted. + + login proxy: imap/pop3/submission/managesieve proxying now supports + reconnection retrying on more than just connect() failure. Any error + except a non-temporary authentication failure will result in reconnect + attempts. + - auth: Lua passdb/userdb leaks stack elements per call, eventually + causing the stack to become too deep and crashing the auth or + auth-worker process. + - auth: SASL authentication PLAIN mechanism could be used to trigger + read buffer overflow. However, this doesn't seem to be exploitable in + any way. + - auth: v2.3.11 regression: GSSAPI authentication fails because dovecot + disallows NUL bytes for it. 
+ - dict: Process used too much CPU when iterating keys, because each key + used a separate write() syscall. + - doveadm-server: Crash could occur if logging was done outside command + handling. For example http-client could have done debug logging + afterwards, resulting in either segfault or + Panic: file http-client.c: line 642 (http_client_context_close): + assertion failed: (cctx->clients_list == NULL). + - doveadm-server: v2.3.11 regression: Trying to connect to doveadm server + process via starttls assert-crashed if there were no ssl=yes listeners: + Panic: file master-service-ssl.c: line 22 (master_service_ssl_init): + assertion failed: (service->ssl_ctx_initialized). + - fts-solr: HTTP requests may have assert-crashed: + Panic: file http-client-request.c: line 1232 (http_client_request_send_more): + assertion failed: (req->payload_input != NULL) + - imap: IMAP NOTIFY could crash with a segmentation fault due to a bad + configuration that causes errors. Sending the error responses to the + client can cause the segmentation fault. This can for example happen + when several namespaces use the same mail storage location. + - imap: IMAP NOTIFY used on a shared namespace that doesn't actually + exist (e.g. public namespace for a nonexistent user) can crash with a panic: + Panic: Leaked view for index /tmp/home/asdf/mdbox/dovecot.list.index: Opened in (null):0 + - imap: IMAP session can crash with QRESYNC extension if many changes + are done before asking for expunged mails since last sync. + - imap: Process might hang indefinitely if client disconnects after + sending some long-running commands pipelined, for example FETCH+LOGOUT. + - lib-compress: Mitigate crashes when configuring a not compiled in + compression. Errors with compression configuration now distinguish + between not supported and unknown. + - lib-compression: Using xz/lzma compression in v2.3.11 could have + written truncated output in some situations. 
This would result in + "Broken pipe" read errors when trying to read it back. + - lib-compression: zstd compression could have crashed in some situations: + Panic: file ostream.c: line 287 (o_stream_sendv_int): assertion failed: (!stream->blocking) + - lib-dict: dict client could have crashed in some rare situations when + iterating keys. + - lib-http: Fix several assert-crashes in HTTP client. + - lib-index: v2.3.11 regression: When mails were expunged at the same + time as lots of new content was being saved to the cache (e.g. cache + file was lost and is being re-filled) a deadlock could occur with + dovecot.index.cache / dovecot.index.log. + - lib-index: v2.3.11 regression: dovecot.index.cache file was being + purged (rewritten) too often when it had a field that hadn't been + accessed for over 1 month, but less than 2 months. Every cache file + change caused a purging in this situation. + - lib-mail: MIME parts were not returned correctly by Dovecot MIME parser. + Regression caused by fixing CVE-2020-12100. + - lib-mail: When max nested MIME parts were reached, IMAP BODYSTRUCTURE + was written in a way that may have caused confusion for both IMAP + clients and Dovecot itself when parsing it. The truncated part is now + written out using application/octet-stream MIME type. + - lib-mail: v2.3.11 regression: Mail delivery / parsing crashed when the + 10000th MIME part was message/rfc822 (or if parent was multipart/digest): + Panic: file message-parser.c: line 167 (message_part_append): + assertion failed: (ctx->total_parts_count <= ctx->max_total_mime_parts). + - lib-oauth2: Dovecot incorrectly required oauth2 server introspection + reply to contain username with invalid token. + - lib-ssl-iostream, lib-dcrypt: Fix building with OpenSSL that has + deprecated APIs disabled. 
+ - lib-storage: When mail's size is different from the cached one (in + dovecot.index.cache or Maildir S=size in the filename), this is + handled by logging "Cached message size smaller/larger than expected" + error. However, in some situations this also ended up crashing with: + Panic: file istream.c: line 315 (i_stream_read_memarea): + assertion failed: (old_size <= _stream->pos - _stream->skip). + - lib-storage: v2.3 regression: Copying/moving mails was taking much more + memory than before. This was mainly visible when copying/moving + thousands of mails in a single transaction. + - lib-storage: v2.3.11 regression: Searching messages assert-crashed + (without FTS): Panic: file message-parser.c: line 174 (message_part_finish): + assertion failed: (ctx->nested_parts_count > 0). + - lib: Dovecot v2.3 moved signal handlers around in ioloops, + causing more CPU usage than in v2.2. + - lib: Fixed JSON parsing: '\' escape sequence may have wrongly resulted + in error if it happened to be at read boundary. Any NUL characters and + '\u0000' will now result in parsing error instead of silently + truncating the data. + - lmtp, submission: Server may hang if SSL client connection disconnects + during the delivery. If this happened repeated, it could have ended + up reaching process_limit and preventing any further lmtp/submission + deliveries. + - lmtp: Proxy does not always properly log TLS connection problems as + errors; in some cases, only a debug message is logged if enabled. + - lmtp: The LMTP service can hang when commands are pipelined. This can + particularly occur when one command in the middle of the pipeline fails. + One example of this occurs for proxied LMTP transactions in which the + final DATA or BDAT command is pipelined after a failing RCPT command. + - login-proxy: The login_source_ips setting has no effect, and therefore + the proxy source IPs are not cycled through as they should be. 
+ - master: Process was using 100% CPU in some situations when a broken + service was being throttled. + - pop3-login: POP3 login would fail with "Input buffer full" if the + initial response for SASL was too long. + - stats: Crash would occur when generating openmetrics data for metrics + using aggregating functions. + +v2.3.11.3 2020-07-29 Aki Tuomi <aki.tuomi@open-xchange.com> + + - pop3-login: Login didn't handle commands in multiple IP packets properly. + This mainly affected large XCLIENT commands or a large SASL initial + response parameter in the AUTH command. + - pop3: pop3_deleted_flag setting was broken, causing: + Panic: file seq-range-array.c: line 472 (seq_range_array_invert): + assertion failed: (range[count-1].seq2 <= max_seq) + +v2.3.11.2 2020-07-13 Aki Tuomi <aki.tuomi@open-xchange.com> + + - auth: Lua passdb/userdb leaks stack elements per call, eventually + causing the stack to become too deep and crashing the auth or + auth-worker process. + - lib-mail: v2.3.11 regression: MIME parts not returned correctly by + Dovecot MIME parser. + - pop3-login: Login would fail with "Input buffer full" if the initial + response for SASL was too long. + +v2.3.11 2020-06-17 Aki Tuomi <aki.tuomi@open-xchange.com> + + * CVE-2020-12100: Parsing mails with a large number of MIME parts could + have resulted in excessive CPU usage or a crash due to running out of + stack memory. + * CVE-2020-12673: Dovecot's NTLM implementation does not correctly check + message buffer size, which leads to reading past allocation which can + lead to crash. + * CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an + address that has the empty quoted string as local-part causes the lmtp + service to crash. + * CVE-2020-12674: Dovecot's RPA mechanism implementation accepts + zero-length message, which leads to assert-crash later on. + * Events: Fix inconsistency in events. See event documentation in + https://doc.dovecot.org. 
+ * imap_command_finished event's cmd_name field now contains "unknown" + for unknown commands. A new "cmd_input_name" field contains the + command name exactly as it was sent. + * lib-index: Renamed mail_cache_compress_* settings to mail_cache_purge_*. + Note that these settings are mainly intended for testing and usually + shouldn't be changed. + * events: Renamed "index" event category to "mail-index". + * events: service:<name> category is now using the name from + configuration file. + * dns-client: service dns_client was renamed to dns-client. + * log: Prefixes generally use the service name from configuration file. + For example dict-async service will now use + "dict-async(pid): " log prefix instead of "dict(pid): " + * *-login: Changed logging done by proxying to use a consistent prefix + containing the IP address and port. + * *-login: Changed disconnection log messages to be slightly clearer. + + dict: Add events for dictionaries. + + lib-index: Finish logging with events. + + oauth2: Support local validation of JWT tokens. + + stats: Add support for dynamic histograms and grouping. See + https://doc.dovecot.org/configuration_manual/stats/. + + imap: Implement RFC 8514: IMAP SAVEDATE + + lib-index: If a long-running transaction (e.g. SORT/FETCH on a huge + folder) adds a lot of data to dovecot.index.cache file, commit those + changes periodically to make them visible to other concurrent sessions + as well. + + stats: Add OpenMetrics exporter for statistics. See + https://doc.dovecot.org/configuration_manual/stats/openmetrics/. + + stats: Support disabling stats-writer socket by setting + stats_writer_socket_path="". + - auth-worker: Process keeps slowly increasing its memory usage and + eventually dies with "out of memory" due to reaching vsz_limit. + - auth: Prevent potential timing attacks in authentication secret + comparisons: OAUTH2 JWT-token HMAC, imap-urlauth token, crypt() result. 
+ - auth: Several auth-mechanisms allowed input to be truncated by NUL + which can potentially lead to unintentional issues or even successful + logins which should have failed. + - auth: When auth policy returned a delay, auth_request_finished event + had policy_result=ok field instead of policy_result=delayed. + - auth: auth process crash when auth_policy_server_url is set to an + invalid URL. + - dict-ldap: Crash occurs if var_expand template expansion fails. + - dict: If dict client disconnected while iteration was still running, + dict process could have started using 100% CPU, although it was still + handling clients. + - doveadm: Running doveadm commands via proxying may hang, especially + when doveadm is printing a lot of output. + - imap: "MOVE * destfolder" goes to a loop copying the last mail to the + destination until the imap process dies due to running out of memory. + - imap: Running "UID MOVE 1:* Trash" on an empty folder goes to infinite + loop. + - imap: SEARCH doesn't support $. + - lib-compress: Buffer over-read in zlib stream read. + - lib-dns: If DNS lookup times out, lib-dns can cause crash in calling + process. + - lib-index: Fixed several bugs in dovecot.index.cache handling that + could have caused cached data to be lost. + - lib-index: Writing to >=1 GB dovecot.index.cache files may cause + assert-crashes: + Panic: file mail-index-util.c: line 37 (mail_index_uint32_to_offset): + assertion failed: (offset < 0x40000000) + - lib-ssl-iostream: Fix buggy OpenSSL error handling without + assert-crashing. If there is no error available, log it as an error + instead of crashing: + Panic: file iostream-openssl.c: line 599 (openssl_iostream_handle_error): + assertion failed: (errno != 0) + - lib-ssl-iostream: ssl_key_password setting did not work. + - submission: A segfault crash may occur when the client or server + disconnects while a non-transaction command like NOOP or VRFY is still + being processed. 
+ - virtual: Copying/moving mails with IMAP into a virtual folder assert-crashes: + Panic: file cmd-copy.c: line 152 (fetch_and_copy): assertion failed: + (copy_ctx->copy_count == seq_range_count(©_ctx->saved_uids)) + +v2.3.10 2020-03-06 Aki Tuomi <aki.tuomi@open-xchange.com> + + * Disable retpoline migitations by default. These can cause severe + performance regressions, so they should be only enabled when + applicable. + * IMAP MOVE now commits transactions in batches of 1000 mails. This + helps especially with lazy_expunge when moving a lot of mails. It + mainly avoids situations where multiple IMAP sessions are running the + same MOVE command and duplicating the mails in the lazy_expunge folder. + With this change there can still be some duplication, but the MOVE + always progresses forward. Also if the MOVE fails at some point, the + changes up to the last 1000 mails are still committed instead of + rolled back. Note that the COPY command behavior hasn't changed, + because it is required by IMAP standard to be an atomic operation. + * IMAP EXPUNGE and CLOSE now expunges mails in batches of 1000 mails. + This helps especially with lazy_expunge when expunging a lot of mails + (e.g. millions) to make sure that the progress always moves forward + even if the process is killed. + * Autoexpunging now expunges mails in batches of 1000 mails. This helps + especially with lazy_expunge when expunging a lot of mails + (e.g. millions) to make sure that the progress always moves forward + even if the process is killed. + + Add tool for generating sysreport called dovecot-sysreport. + This generates a bundle of information usually needed for support + requests. + + Add support for the new IMAP \Important SPECIAL-USE flag (RFC 8457). + + Add metric { group_by } setting. This allows automatically creating + new metrics based on the fields you want to group statistics by. + NOTE: This feature is considered experimental and syntax is subject + to change in future release. 
+ + auth: Support SCRAM-SHA-256 authentication mechanism. + + imap: Support the new IMAP STATUS=SIZE extension. + + Use TCP_QUICKACK to reduce latency for some TCP connections. + + quota-status: Made the service more robust against erroneous use with + Postfix ACL policies other than smtpd_recipient_restrictions. + + Add "revision" field support to imap_id_send setting. Using + "revision *" will send in IMAP ID command response the short commit + hash of the Dovecot git source tree HEAD (same as in dovecot --version). + + IMAP ENVELOPE includes now all addresses when there are multiple + headers (From, To, Cc, etc.) The standard way of having multiple + addresses is to just list them all in a single header. It's + non-standard to have multiple headers. However, since MTAs allow these + mails to pass through and different software may handle them in + different ways, it's better from security point of view to show all + the addresses. + + Event filters now support using "field_name=" to match a field that + doesn't exist or has an empty value. For example use "error=" to match + only events that didn't fail. + - acl: INBOX ACLs shouldn't apply for IMAP GETMETADATA/SETMETADATA + commands. + - cassandra: CASS_ERROR_SERVER_WRITE_FAILURE error should also be + treated as "uncertain write failure". + - dict-redis: Using quota_clone configured with dict-redis could have + crashed when Redis responded slowly. + - imap-hibernate: Communication trouble with imap-master leads to + segfault. + - imap-hibernate: Unhibernation retrying wasn't working. + - imap: Fixed auth lookup privilege problem when imap process was reused + and user was being un-hibernated. + - Fix potential crash when copying/moving mails within the same folder. + This happened only when there were a lot of fields in dovecot.index.cache. + - lib-index: Recreating dovecot.index.cache file could have crashed when + merging bitmask fields. 
+ - lib-index: Using public/shared folders with INDEXPVT configured to use + private \Seen flags, trying to search seen/unseen in an empty folder + crashes with segfault. + - lib-mail: Large base64-encoded mails weren't decoded properly. + This could have affected searching/indexing mails and message snippet + generation. + - lib-mail: Message with only quoted text could have caused message + snippet to ignore its 200 character limit and return the entire + message. This was added also to dovecot.index.cache file, which + increased disk space and memory usage unnecessarily. + v2.3.9.2 regression (previous versions cached the quoted snippet as + empty). In a large mail quoted text could have become wrongly added + to the snippet, possibly mixed together with non-quoted text. + - lib-smtp: client could have assert-crashed if STARTTLS handshake + finished earlier than usually. + - lib-ssl-iostream: remove -static flag for lib-ssl-iostream linking to + prevent a compile issue. + - lib-storage: Mailbox synchronization may have assert-crashed in some + rare situations. + - lib-storage: mdbox didn't preserve date.saved with dsync. + - lib: Don't require EAI_{ADDRFAMILY,NODATA}, breaks FreeBSD + - master: Some services could respawn unthrottled if they crash during + startup. + - push-notification: Do not send push_notification_finished event if + nothing was done. This happens when mail transaction is started and + ended with no changes. + - quota-status: Addresses with special characters in the local part caused + problems in the interaction between Postfix and Dovecot. Postfix sent + its own internal representation in the recipient field, while Dovecot + expected a valid RFC5321 mailbox address. + - submission-login: SESSION was not correctly encoded field for the + XCLIENT command. Particularly, a '+' character introduced by the + session ID's Base64 encoding causes problems. + - submission: Fix submission_max_mail_size to work correctly on 32-bit + systems. 
+ - submission: Trusted connections crashed in second connection's EHLO + if submission-login { service_count } is something else than 1 (which + is the default). + - submission: XCLIENT command was never used in the protocol exchange + with the relay MTA when submission_backend_capabilities is configured, + even when the relay MTA was properly configured to accept the XCLIENT + command. + +v2.3.9.3 2020-02-12 Aki Tuomi <aki.tuomi@open-xchange.com> + + * CVE-2020-7046: Truncated UTF-8 can be used to DoS + submission-login and lmtp processes. + * CVE-2020-7957: Specially crafted mail can crash snippet generation. + +v2.3.9.2 2019-12-13 Aki Tuomi <aki.tuomi@open-xchange.com> + + - Mails with empty From/To headers can also cause crash + in push notification drivers. + +v2.3.9.1 2019-12-13 Aki Tuomi <aki.tuomi@open-xchange.com> + + * CVE-2019-19722: Mails with group addresses in From or To fields + caused crash in push notification drivers. + +v2.3.9 2019-12-04 Aki Tuomi <aki.tuomi@open-xchange.com> + + * Changed several event field names for consistency and to avoid + conflicts in parent-child event relationships: + * SMTP server command events: Renamed "name" to "cmd_name" + * Events inheriting from a mailbox: Renamed "name" to "mailbox" + * Server connection events have only "remote_ip", "remote_port", + "local_ip" and "local_port". + * Removed duplicate "client_ip", "ip" and "port". + * Mail storage events: Removed "service" field. + Use "service:<name>" category instead. + * HTTP client connection events: Renamed "host" to "dest_host" and + "port" to "dest_port" + * auth: Drop Postfix socketmap support. It hasn't been working + with recent Postfix versions for a while now. + * push-notification-lua: The "subject" field is now decoded to UTF8 + instead of kept as MIME-encoded. + + push-notification-lua: Added new "from_address", "from_display_name", + "to_address" and "to_display_name" fields. The display names are + decoded to UTF8. 
+ + Added various new fields to existing events. + See http://doc.dovecot.net/admin_manual/list_of_events.html + + Add lmtp_add_received_header setting. It can be used to prevent LMTP + from adding "Received:" headers. + + doveadm: Support SSL/STARTTLS for proxied doveadm connections based on + doveadm_ssl setting and proxy ssl/tls settings. + + Log filters support now "service:<name>", which matches all events for + the given service. It can also be used as a category. + + lib: Use libunwind to get abort backtraces with function names + where available. + + lmtp: When the LMTP proxy changes the username (from passdb lookup) + add an appropriate ORCPT parameter. + - lmtp: Add lmtp_client_workarounds setting to implement workarounds for + clients that send MAIL and RCPT commands with additional spaces before + the path and for clients that omit <> brackets around the path. + See example-config/conf.d/20-lmtp.conf. + - lda/lmtp: Invalid MAIL FROM addresses were rejcted too aggressively. + Now mails from addresses with unicode characters are delivered, but + their Return-Path header will be <> instead of the given MAIL FROM + address. + - lmtp: The lmtp_hdr_delivery_address setting is ignored. + - imap: imap_command_finished event's "args" and "human_args" parameters + were always empty. + - mbox: Seeking in zlib and bzip2 compressed input streams didn't work + correctly. + - imap-hibernate: Process crashed when client got destroyed while it was + attempted to be unhibernated, and the unhibernation fails. + - *-login: Proxying may have crashed if SSL handshake to the backend + failed immediately. This was unlikely to happen in normal operation. + - *-login: If TLS handshake to upstream server failed during proxying, + login process could crash due to invalid memory access. + - *-login: v2.3 regression: Using SASL authentication without initial + response may have caused SSL connections to hang. This happened often + at least with PHP's IMAP library. 
+ - *-login: When login processes are flooded with authentication attempts + it starts logging errors about "Authentication server sent unknown id". + This is still expected. However, it also caused the login process to + disconnect from auth server and potentially log some user's password + in the error message. + - dict-sql: SQL prepared statements were not shared between sessions. + This resulted in creating a lot of prepared statements, which was + especially inefficient when using Cassandra backend with a lot of + Cassandra nodes. + - auth: auth_request_finished event didn't have success=yes parameter + set for successful authentications. + - auth: userdb dict - Trying to list users crashed. + - submission: Service could be configured to allow anonymous + authentication mechanism and anonymous user access. + - LAYOUT=index: Corrupted dovecot.list.index caused folder creation to + panic. + - doveadm: HTTP server crashes if request target starts with double "/". + - dsync: Remote dsync started hanging if the initial doveadm + "dsync-server" command was sent in the same TCP packet as the + following dsync handshake. v2.3.8 regression. + - lib: Several "input streams" had a bug that in some rare situations + might cause it to access freed memory. This could lead to crashes or + corruption. + The only currently known effect of this is that using zlib plugin with + external mail attachments (mail_attachment_dir) could cause fetching + the mail to return a few bytes of garbage data at the beginning of the + header. Note that the mail wasn't saved corrupted, but fetching it + caused corrupted mail to be sent to the client. + - lib-storage: If a mail only has quoted content, use the quoted text + for generating message snippet (IMAP PREVIEW) instead of returning + empty snippet. + - lib-storage: When vsize header was rebuilt, newly calculated message + sizes were added to dovecot.index.cache instead of being directly + saved into vsize records in dovecot.index. 
+ - lib: JSON generator was escaping UTF-8 characters unnecessarily. + +v2.3.8 2019-10-08 Aki Tuomi <aki.tuomi@open-xchange.com> + + + Added mail_delivery_started and mail_delivery_finished events, see + https://doc.dovecot.org/admin_manual/list_of_events/ for details. + + dsync-replication: Don't replicate users who have "noreplicate" extra + field in userdb. + + doveadm service status: Show total number of processes created. + + When logging to syslog, use instance_name setting's value for the + ident. This commonly is added as a log prefix. + + Base64 encoding/decoding code was rewritten with additional features. + It shouldn't cause any user visible changes. + - v2.3.7 regression: If a folder only receives new mails without any + other mail access, dovecot.index.log keeps growing forever and + dovecot.index keeps being rewritten for every mail delivery. + - dsync-replication may lose keywords after syncing mails restored from + another replica. This only happened if the mail only had keywords and + no system flags. + - event filters: Non-textual event fields could not be filtered using + wildcards. + - auth: Scope parameter was missing from OAuth password grant + request. + - doveadm client-server communication may hang in some situations. + It is also using unnecessarily small TCP/IP packet sizes. + - doveadm who and kick did not flush protocol output correctly. + - imap: SETMETADATA with literal value would delete the metadata value + instead of updating it. + - imap: When client issues FETCH PREVIEW (LAZY=FUZZY) command, the + caching decisions should be updated so that newly saved mails will + have the preview cached. + - With mail_nfs_index=yes and/or mail_nfs_storage=yes setuid/setgid + permission bits in some files may have become dropped with some NFS + servers. Changed NFS flushing to now use chmod() instead of chown(). 
+ - quota: warnings did not work if quota root was noenforcing + - acl: Global ACL file ignored the last line if it didn't end with LF. + - doveadm stats dump: With JSON formatter output numbers using the + number type instead of as strings + - lmtp_proxy: Ensure that real_* variables are correctly set when using + lmtp_proxy. + - event exporter: http-post driver had hardcoded timeout and did not + support DNS lookups or TLS connections. + - auth: Fix user iteration to work with userdb passwd with glibc v2.28. + - auth: auth service can crash if auth-policy JSON response is invalid + or returned too fast. + - In some rare situations "ps" output could have shown a lot of "?" + characters after Dovecot process titles. + - When dovecot.index.pvt is empty, an unnecessary error is logged: + Error: .../dovecot.index.pvt reset, view is now inconsistent + - SMTP address encoder duplicated initial double quote character when + the localpart of an address ended in '..'. For example + "user+..@example.com" became ""user+.."@example.com in a + sieve redirect. + +v2.3.7.1 2019-07-23 Timo Sirainen <timo.sirainen@open-xchange.com> + + - Fix TCP_NODELAY errors being logged on non-Linux OSes + - lmtp proxy: Fix assert-crash when client uses BODY=8BITMIME + - Remove wrongly added checks in namespace prefix checking + +v2.3.7 2019-07-12 Aki Tuomi <aki.tuomi@open-xchange.com> + + * fts-solr: Removed break-imap-search parameter + + Added more events for the new statistics, see + https://doc.dovecot.org/admin_manual/list_of_events/ + + mail-lua: Add IMAP metadata accessors, see + https://doc.dovecot.org/admin_manual/lua/ + + Add event exporters that allow exporting raw events to log files and + external systems, see + https://doc.dovecot.org/configuration_manual/event_export/ + + SNIPPET is now PREVIEW and size has been increased to 200 characters. + + Add body option to fts_enforced. 
This triggers building FTS index only + on body search, and an error using FTS index fails the search rather + than reads through all the mails. + - Submission/LMTP: Fixed crash when domain argument is invalid in a + second EHLO/LHLO command. + - Copying/moving mails using Maildir format loses IMAP keywords in the + destination if the mail also has no system flags. + - mail_attachment_detection_options=add-flags-on-save caused email body + to be unnecessarily opened when FETCHing mail headers that were + already cached. + - mail attachment detection keywords not saved with maildir. + - dovecot.index.cache may have grown excessively large in some + situations. This happened especially when using autoexpunging with + lazy_expunge folders. Also with mdbox format in general the cache file + wasn't recreated as often as it should have. + - Autoexpunged mails weren't immediately deleted from the disk. Instead, + the deletion from disk happened the next time the folder was opened. + This could have caused unnecessary delays if the opening was done by + an interactive IMAP session. + - Dovecot's TCP connections sometimes add extra 40ms latency due to not + enabling TCP_NODELAY. HTTP and SMTP/LMTP connections weren't + affected, but everything else was. This delay wasn't always visible - + only in some situations with some message/packet sizes. + - imapc: Fix various crash conditions + - Dovecot builds were not always reproducible. + - login-proxy: With shutdown_clients=no after config reload the + existing connections could no longer be listed or kicked with doveadm. + - "doveadm proxy kick" with -f parameter caused a crash in some + situations. + - Auth policy can cause segmentation fault crash during auth process + shutdown if all auth requests have not been finished. + - Fix various minor bugs leading into incorrect behaviour in mailbox + list index handling. These rarely caused noticeable problems. 
+ - LDAP auth: Iteration accesses freed memory, possibly crashing + auth-worker + - local_name { .. } filter in dovecot.conf does not correctly support + multiple names and wildcards were matched incorrectly. + - replicator: dsync assert-crashes if it can't connect to remote TCP + server. + - config: Memory leak in config process when ssl_dh setting wasn't + set and there was no ssl-parameters.dat file. + This caused config process to die once in a while + with "out of memory". + +v2.3.6 2019-04-30 Aki Tuomi <aki.tuomi@open-xchange.com> + + * CVE-2019-11494: Submission-login crashed with signal 11 due to null + pointer access when authentication was aborted by disconnecting. + * CVE-2019-11499: Submission-login crashed when authentication was + started over TLS secured channel and invalid authentication message + was sent. + * auth: Support password grant with passdb oauth2. + + Use system default CAs for outbound TLS connections. + + Simplify array handling with new helper macros. + + fts_solr: Enable configuring batch_size and soft_commit features. + - lmtp/submission: Fixed various bugs in XCLIENT handling, including a + hang when XCLIENT commands were sent infinitely to the remote server. + - lmtp/submission: Forwarded multi-line replies were erroneously sent + as two replies to the client. + - lib-smtp: client: Message was not guaranteed to contain CRLF + consistently when CHUNKING was used. + - fts_solr: Plugin was no longer compatible with Solr 7. + - Make it possible to disable certificate checking without + setting ssl_client_ca_* settings. + - pop3c: SSL support was broken. + - mysql: Closing connection twice lead to crash on some systems. + - auth: Multiple oauth2 passdbs crashed auth process on deinit. + - HTTP client connection errors infrequently triggered a segmentation + fault when the connection was idle and not used for a particular + client instance. 
+ +v2.3.5.2 2019-04-18 Timo Sirainen <tss@iki.fi> + + * CVE-2019-10691: Trying to login with 8bit username containing + invalid UTF8 input causes auth process to crash if auth policy is + enabled. This could be used rather easily to cause a DoS. Similar + crash also happens during mail delivery when using invalid UTF8 in + From or Subject header when OX push notification driver is used. + +v2.3.5.1 2019-03-28 Timo Sirainen <tss@iki.fi> + + * CVE-2019-7524: Missing input buffer size validation leads into + arbitrary buffer overflow when reading fts or pop3 uidl header + from Dovecot index. Exploiting this requires direct write access to + the index files. + +v2.3.5 2019-03-05 Timo Sirainen <tss@iki.fi> + + + Lua push notification driver: mail keywords and flags are provided + in MessageNew and MessageAppend events. + + submission: Implement support for plugins. + + auth: When auth_policy_log_only=yes, only log what the policy server + response would do without actually doing it. + + auth: Always log policy server decisions with auth_verbose=yes + - v2.3.[34]: doveadm log errors: Output was missing user/session + - lda: Debug log lines could have shown slightly corrupted + - login proxy: Login processes may have crashed in various ways when + login_proxy_max_disconnect_delay was set. + - imap: Fix crash with Maildir+zlib if client disconnects during APPEND + - lmtp proxy: Fix potential assert-crash + - lmtp/submission: Fix crash when SMTP client transaction times out + - submission: Split large XCLIENT commands to 512 bytes per command, + so Postfix accepts them. + - submission: Fix crash when client sends invalid BURL command + - submission: relay backend: VRFY command: Avoid forwarding 500 and + 502 replies back to client. + - lib-http: Fix potential assert-crash when DNS lookup fails + - lib-fts: Fix search query generation when one language ignores a + token (e.g. via stopwords). 
+ +v2.3.4 2018-11-23 Timo Sirainen <tss@iki.fi> + + * The default postmaster_address is now "postmaster@<user domain or + server hostname>". If username contains the @domain part, that's + used. If not, then the server's hostname is used. + * "doveadm stats dump" now returns two decimals for the "avg" field. + + + Added push notification driver that uses a Lua script + + Added new SQL, DNS and connection events. + See https://wiki2.dovecot.org/Events + + Added "doveadm mailbox cache purge" command. + + Added events API support for Lua scripts + + doveadm force-resync -f parameter performs "index fsck" while opening + the index. This may be useful to fix some types of broken index files. + This may become the default behavior in a later version. + - director: Kicking a user crashes if login process is very slow + - pop3_no_flag_updates=no: Don't expunge DELEted and RETRed messages + unless QUIT is sent. + - auth: Fix crypt() segfault with glibc-2.28+ + - imap: Running UID FILTER script with errors assert-crashes + - dsync, pop3-migration: POP3 UIDLs weren't added to + dovecot.index.cache while mails were saved. + - dict clients may have been using 100% CPU while waiting for dict + server to finish commands. + - doveadm user: Fixed user listing via HTTP API + - All levels of Cassandra log messages were logged as Dovecot errors. + - http/smtp client may have crashed after SSL handshake + - Lua auth converted strings that looked like numbers into numbers. + + +v2.3.3 2018-10-01 Timo Sirainen <tss@iki.fi> + + * doveconf hides more secrets now in the default output. + * ssl_dh setting is no longer enforced at startup. If it's not set and + non-ECC DH key exchange happens, error is logged and client is + disconnected. + + + Added log_debug=<filter> setting. + + Added log_core_filter=<log filter> setting. + + quota-clone: Write to dict asynchronously + + --enable-hardening attempts to use retpoline Spectre 2 mitigations + + lmtp proxy: Support source_ip passdb extra field. 
+ + doveadm stats dump: Support more fields and output stddev by default. + + push-notification: Add SSL support for OX backend. + - NUL bytes in mail headers can cause truncated replies when fetched. + - director: Conflicting host up/down state changes may in some rare + situations ended up in a loop of two directors constantly overwriting + each others' changes. + - director: Fix hang/crash when multiple doveadm commands are being + handled concurrently. + - director: Fix assert-crash if doveadm disconnects too early + - virtual plugin: Some searches used 100% CPU for many seconds + - dsync assert-crashed with acl plugin in some situations. + - mail_attachment_detection_options=add-flags-on-save assert-crashed + with some specific Sieve scripts. + - Mail snippet generation crashed with mails containing invalid + Content-Type:multipart header. + - Log prefix ordering was different for some log lines. + - quota: With noenforcing option current quota usage wasn't updated. + - auth: Kerberos authentication against Samba assert-crashed. + - stats clients were unnecessarily chatty with the stats server. + - imapc: Fixed various assert-crashes when reconnecting to server. + - lmtp, submission: Fix potential crash if client disconnects while + handling a command. + - quota: Fixed compiling with glibc-2.26 / support libtirpc. + - fts-solr: Empty search values resulted in 400 Bad Request errors + - fts-solr: default_ns parameter couldn't be used + - submission server crashed if relay server returned over 7 lines in + a reply (e.g. to EHLO) + +v2.3.2.1 2018-07-09 Timo Sirainen <tss@iki.fi> + + - SSL/TLS servers may have crashed during client disconnection + - lmtp: With lmtp_rcpt_check_quota=yes mail deliveries may have + sometimes assert-crashed. + - v2.3.2: "make check" may have crashed with 32bit systems + +v2.3.2 2018-06-29 Timo Sirainen <tss@iki.fi> + + * old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while + opening /proc/self/io. 
This may still cause security problems if the + process is ptrace()d at the same time. Instead, open it while still + running as root. + + doveadm: Added mailbox cache decision&remove commands. See + doveadm-mailbox(1) man page for details. + + doveadm: Added rebuild attachments command for rebuilding + $HasAttachment or $HasNoAttachment flags for matching mails. See + doveadm-rebuild(1) man page for details. + + cassandra: Use fallback_consistency on more types of errors + + lmtp proxy: Support outgoing SSL/TLS connections + + lmtp: Add lmtp_rawlog_dir and lmtp_proxy_rawlog_dir settings. + + submission: Add support for rawlog_dir + + submission: Add submission_client_workarounds setting. + + lua auth: Add password_verify() function and additional fields in + auth request. + - doveadm-server: TCP connections are hanging when there is a lot of + network output. This especially caused hangs in dsync-replication. + - Using multiple type=shared mdbox namespaces crashed + - mail_fsync setting was ignored. It was always set to "optimized". + - lua auth: Fix potential crash at deinit + - SSL/TLS servers may have crashed if client disconnected during + handshake. + - SSL/TLS servers: Don't send extraneous certificates to client when + alt certs are used. + - lda, lmtp: Return-Path header without '<' may have assert-crashed. + - lda, lmtp: Unencoded UTF-8 in email address headers may assert-crash + - lda: -f parameter didn't allow empty/null/domainless address + - lmtp, submission: Message size limit was hardcoded to 40 MB. + Exceeding it caused the connection to get dropped during transfer. 
+ - lmtp: Fix potential crash when delivery fails at DATA stage + - lmtp: login_greeting setting was ignored + - Fix to work with OpenSSL v1.0.2f + - systemd unit restrictions were too strict by default + - Fix potential crashes when a lot of log output was produced + - SMTP client may have assert-crashed when sending mail + - IMAP COMPRESS: Send "end of compression" marker when disconnecting. + - cassandra: Fix consistency=quorum to work + - dsync: Lock file generation failed if home directory didn't exist + - Snippet generation for HTML mails didn't ignore &entities inside + blockquotes, producing strange looking snippets. + - imapc: Fix assert-crash if getting disconnected and after + reconnection all mails in the selected mailbox are gone. + - pop3c: Handle unexpected server disconnections without assert-crash + - fts: Fixes to indexing mails via virtual mailboxes. + - fts: If mails contained NUL characters, the text around it wasn't + indexed. + - Obsolete dovecot.index.cache offsets were sometimes used. Trying to + fetch a field that was just added to cache file may not have always + found it. + +v2.3.1 2018-02-29 Aki Tuomi <aki.tuomi@dovecot.fi> + + * Submission server support improvements and bug fixes + - Lots of bug fixes to submission server + * API CHANGE: array_idx_modifiable will no longer allocate space + - Particularly affects how you should check MODULE_CONTEXT result, or + use REQUIRE_MODULE_CONTEXT. + + + mail_attachment_detection_options setting controls when + $HasAttachment and $HasNoAttachment keywords are set for mails. + + imap: Support fetching body snippets using FETCH (SNIPPET) or + (SNIPPET (LAZY=FUZZY)) + + fs-compress: Automatically detect whether input is compressed or not. + Prefix the compression algorithm with "maybe-" to enable the + detection, for example: "compress:maybe-gz:6:..." + + Added settings to change dovecot.index* files' optimization behavior. 
+ See https://wiki2.dovecot.org/IndexFiles#Settings + + Auth cache can now utilize auth workers to do password hash + verification by setting auth_cache_verify_password_with_worker=yes. + + Added charset_alias plugin. See + https://wiki2.dovecot.org/Plugins/CharsetAlias + + imap_logout_format and pop3_logout_format settings now support all of + the generic variables (e.g. %{rip}, %{session}, etc.) + + Added auth_policy_check_before_auth, auth_policy_check_after_auth + and auth_policy_report_after_auth settings. + + master: Support HAProxy PP2_TYPE_SSL command and set "secured" + variable appropriately + - Invalid UCS4 escape in HTML can cause crashes + - imap: IMAP COMPRESS -enabled clietn crashes on disconnect + - lmtp: Fix crash when user is over quota + - lib-lda: Parsing Return-Path header address fails when it contains + CFWS + - auth: SASL with Exim fails for AUTH commands without an initial + response + - imap: SPECIAL-USE capability isn't automatically added + - auth: LDAP subqueries do not support standard auth variables in + var-expand + - auth: SHA256-CRYPT and SHA512-CRYPT schemes do not work + - lib-index: mail_always/never_cache_fields are not used for existing + cache files + - imap: Fetching headers leaks memory if search doesn't find any mails + - lmtp: ORCPT support in RCPT TO + - imap-login: Process sometimes ends up in infinite loop + - sdbox: Rolled back save/copy transaction doesn't delete temp files + - mail: lock_method=dotlock causes crashes + +v2.3.0.1 2018-02-28 Timo Sirainen <tss@iki.fi> + + * CVE-2017-15130: TLS SNI config lookups may lead to excessive + memory usage, causing imap-login/pop3-login VSZ limit to be reached + and the process restarted. This happens only if Dovecot config has + local_name { } or local { } configuration blocks and attacker uses + randomly generated SNI servernames. + * CVE-2017-14461: Parsing invalid email addresses may cause a crash or + leak memory contents to attacker. 
For example, these memory contents + might contain parts of an email from another user if the same imap + process is reused for multiple users. First discovered by Aleksandar + Nikolic of Cisco Talos. Independently also discovered by "flxflndy" + via HackerOne. + * CVE-2017-15132: Aborted SASL authentication leaks memory in login + process. + * Linux: Core dumping is no longer enabled by default via + PR_SET_DUMPABLE, because this may allow attackers to bypass + chroot/group restrictions. Found by cPanel Security Team. Nowadays + core dumps can be safely enabled by using "sysctl -w + fs.suid_dumpable=2". If the old behaviour is wanted, it can still be + enabled by setting: + import_environment=$import_environment PR_SET_DUMPABLE=1 + - imap-login with SSL/TLS connections may end up in infinite loop + +v2.3.0 2017-12-22 Timo Sirainen <tss@iki.fi> + + * Various setting changes, see https://wiki2.dovecot.org/Upgrading/2.3 + * Logging rewrite started: Logging is now based on hierarchical events. + This makes it possible to do various things, like: 1) giving + consistent log prefixes, 2) enabling debug logging with finer + granularity, 3) provide logs in more machine readable formats + (e.g. json). Everything isn't finished yet, especially a lot of the + old logging code still needs to be translated to the new way. + * Statistics rewrite started: Stats are now based on (log) events. + It's possible to gather statistics about any event that is logged. + See http://wiki2.dovecot.org/Statistics for details + * ssl_dh setting replaces the old generated ssl-parameters.dat + * IMAP: When BINARY FETCH finds a broken mails, send [PARSE] error + instead of [UNKNOWNCTE] + * Linux: core dumping via PR_SET_DUMPABLE is no longer enabled by + default due to potential security reasons (found by cPanel Security + Team). + + + Added support for SMTP submission proxy server, which includes + support for BURL and CHUNKING extension. + + LMTP rewrite. 
Supports now CHUNKING extension and mixing of + local/proxy recipients. + + auth: Support libsodium to add support for ARGON2I and ARGON2ID + password schemes. + + auth: Support BLF-CRYPT password scheme in all platforms + + auth: Added LUA scripting support for passdb/userdb. + See https://wiki2.dovecot.org/AuthDatabase/Lua + - Input streams are more reliable now when there are errors or when + the maximum buffer size is reached. Previously in some situations + this could have caused Dovecot to try to read already freed memory. + - Output streams weren't previously handling failures when writing a + trailer at the end of the stream. This mainly affected encrypt and + zlib compress ostreams, which could have silently written truncated + files if the last write happened to fail (which shouldn't normally + have ever happened). + - virtual plugin: Fixed panic when fetching mails from virtual + mailboxes with IMAP BINARY extension. + - doveadm-server: Fix potential hangs with SSL connections + - doveadm proxy: Reading commands' output from v2.2.33+ servers could + have caused the output to be corrupted or caused a crash. + - Many other smaller fixes + +v2.2.36.3 2019-03-28 Timo Sirainen <tss@iki.fi> + + * CVE-2019-7524: Missing input buffer size validation leads into + arbitrary buffer overflow when reading fts or pop3 uidl header + from Dovecot index. Exploiting this requires direct write access to + the index files. + +v2.2.36.1 2019-02-05 Timo Sirainen <tss@iki.fi> + + * CVE-2019-3814: If imap/pop3/managesieve/submission client has + trusted certificate with missing username field + (ssl_cert_username_field), under some configurations Dovecot + mistakenly trusts the username provided via authentication instead + of failing. + * ssl_cert_username_field setting was ignored with external SMTP AUTH, + because none of the MTAs (Postfix, Exim) currently send the + cert_username field. 
This may have allowed users with trusted + certificate to specify any username in the authentication. This bug + didn't affect Dovecot's Submission service. + + - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT + - director: Kicking a user assert-crashes if login process is very slow + - lda/lmtp: Fix assert-crash with some Sieve scripts when + mail_attachment_detection_options=add-flags-on-save + - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file + - Snippet generation crashed with invalid Content-Type:multipart + +v2.2.36 2018-05-23 Timo Sirainen <tss@iki.fi> + + * login-proxy: If ssl_require_crl=no, allow revoked certificates. + Also don't do CRL checks for incoming client certificates. + * stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening + /proc/self/io. This may still cause security problems if the process + is ptrace()d at the same time. Instead, open it while still running + as root. + + + doveadm: Added mailbox cache decision&remove commands. See + doveadm-mailbox(1) man page for details. + + doveadm: Added rebuild attachments command for rebuilding + $HasAttachment or $HasNoAttachment flags for matching mails. See + doveadm-rebuild(1) man page for details. + + cassandra: Use fallback_consistency on more types of errors + - cassandra: Fix consistency=quorum to work + - dsync: Lock file generation failed if home directory didn't exist + - In some configs if namespace root directory didn't yet exist, Dovecot + failed to create mailboxes.lock when trying to create mailboxes + - Snippet generation for HTML mails didn't ignore &entities inside + blockquotes, producing strange looking snippets. + - imapc: Fix assert-crash if getting disconnected and after + reconnection all mails in the selected mailbox are gone. + - pop3c: Handle unexpected server disconnections without assert-crash + - fts: Fixes to indexing mails via virtual mailboxes. 
+ - fts: If mails contained NUL characters, the text around it wasn't + indexed. + - Obsolete dovecot.index.cache offsets were sometimes used. Trying to + fetch a field that was just added to cache file may not have always + found it. + - dict-sql: Fix crash when reading NULL value from database + +v2.2.35 2018-03-19 Aki Tuomi <aki.tuomi@dovecot.fi> + + - charset_alias: compile fails with Solaris Studio, reported by + John Woods. + - Fix local name handling in v2.2.34 SNI code, bug found by cPanel. + - imapc: Don't try to add mails to index if they already exist there. + - imapc: If email is modified in istream_opened hook, mail size isn't + updated. + - lib-dcrypt: When reading encrypted data, more data would not be + read if buffer was not consumed causing panic or hang. + - notify: When notify plugin is used and transaction commit fails in + dsync, crash occurs. + - sdbox: When delivering to a mailbox that is over quota, temp files + are not cleaned up when saving or copying fails. + +v2.2.34 2018-02-28 Timo Sirainen <tss@iki.fi> + + * CVE-2017-15130: TLS SNI config lookups may lead to excessive + memory usage, causing imap-login/pop3-login VSZ limit to be reached + and the process restarted. This happens only if Dovecot config has + local_name { } or local { } configuration blocks and attacker uses + randomly generated SNI servernames. + * CVE-2017-14461: Parsing invalid email addresses may cause a crash or + leak memory contents to attacker. For example, these memory contents + might contain parts of an email from another user if the same imap + process is reused for multiple users. First discovered by Aleksandar + Nikolic of Cisco Talos. Independently also discovered by "flxflndy" + via HackerOne. + * CVE-2017-15132: Aborted SASL authentication leaks memory in login + process. + * Linux: Core dumping is no longer enabled by default via + PR_SET_DUMPABLE, because this may allow attackers to bypass + chroot/group restrictions. Found by cPanel Security Team. 
Nowadays + core dumps can be safely enabled by using "sysctl -w + fs.suid_dumpable=2". If the old behaviour is wanted, it can still be + enabled by setting: + import_environment=$import_environment PR_SET_DUMPABLE=1 + * doveconf output now includes the hostname. + + + mail_attachment_detection_options setting controls when + $HasAttachment and $HasNoAttachment keywords are set for mails. + + imap: Support fetching body snippets using FETCH (SNIPPET) or + (SNIPPET (LAZY=FUZZY)) + + fs-compress: Automatically detect whether input is compressed or not. + Prefix the compression algorithm with "maybe-" to enable the + detection, for example: "compress:maybe-gz:6:..." + + Added settings to change dovecot.index* files' optimization behavior. + See https://wiki2.dovecot.org/IndexFiles#Settings + + Auth cache can now utilize auth workers to do password hash + verification by setting auth_cache_verify_password_with_worker=yes. + + Added charset_alias plugin. See + https://wiki2.dovecot.org/Plugins/CharsetAlias + + imap_logout_format and pop3_logout_format settings now support all of + the generic variables (e.g. %{rip}, %{session}, etc.) + + Added auth_policy_check_before_auth, auth_policy_check_after_auth + and auth_policy_report_after_auth settings. + - v2.2.33: doveadm-server: Various fixes related to log handling. + - v2.2.33: doveadm failed when trying to access UNIX socket that didn't + require authentication. + - v2.2.33: doveadm log reopen stopped working + - v2.2.30+: IMAP stopped advertising SPECIAL-USE capability + - v2.2.30+: IMAP stopped sending untagged OK/NO storage notifications + - replication: dsync sends unnecessary replication notification for + changes it does internally. NOTE: Folder creates, renames, deletes + and subscribes still trigger unnecessary replication notifications, + but these should be rather rare. + - mail_always/never_cache_fields setting changes weren't applied for + existing dovecot.index.cache files. 
+ - Fix compiling and other problems with OpenSSL v1.1 + - auth policy: With master user logins, lookup using login username. + - FTS reindexed all mails unnecessarily after loss of + dovecot.index.cache file + - mdbox rebuild repeatedly fails with "missing map extension" + - SSL connections may have been hanging with imapc or doveadm client. + - cassandra: Using protocol v3 (Cassandra v2.1) caused memory leaks and + also timestamps weren't set to queries. + - fs-crypt silently ignored public/private keys specified in + configuration (mail_crypt_global_public/private_key) and just + emitted plaintext output. + - lock_method=dotlock caused crashes + - imapc: Reconnection may cause crashes and other errors + +v2.2.33.2 2017-10-20 Timo Sirainen <tss@iki.fi> + + - doveadm: Fix crash in proxying (or dsync replication) if remote is + running older than v2.2.33 + - auth: Fix memory leak in %{ldap_dn} + - dict-sql: Fix data types to work correctly with Cassandra + +v2.2.33.1 2017-10-10 Timo Sirainen <tss@iki.fi> + + - dovecot-lda was logging to stderr instead of to the log file. + +v2.2.33 2017-10-10 Timo Sirainen <tss@iki.fi> + + * doveadm director commands wait for the changes to be visible in the + whole ring before they return. This is especially useful in testing. + * Environments listed in import_environment setting are now set or + preserved when executing standalone commands (e.g. doveadm) + + + doveadm proxy: Support proxying logs. Previously the logs were + visible only in the backend's logs. + + Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals + + Added a new notify_status plugin, which can be used to update dict + with current status of a mailbox when it changes. See + https://wiki2.dovecot.org/Plugins/NotifyStatus + + Mailbox list index can be disabled for a namespace by appending + ":LISTINDEX=" to location setting. + + dsync/imapc: Added dsync_hashed_headers setting to specify which + headers are used to match emails. 
+ + pop3-migration: Add pop3_migration_ignore_extra_uidls=yes to ignore + mails that are visible in POP3 but not IMAP. This could happen if + new mails were delivered during the migration run. + + pop3-migration: Further improvements to help with Zimbra + + pop3-migration: Cache POP3 UIDLs in imapc's dovecot.index.cache + if indexes are enabled. These are used to optimize incremental syncs. + + cassandra, dict-sql: Use prepared statements if protocol version>3. + + auth: Added %{ldap_dn} variable for passdb/userdb ldap + - acl: The "create" (k) permission in global acl-file was sometimes + ignored, allowing users to create mailboxes when they shouldn't have. + - sdbox: Mails were always opened when expunging, unless + mail_attachment_fs was explicitly set to empty. + - lmtp/doveadm proxy: hostip passdb field was ignored, which caused + unnecessary DNS lookups if host field wasn't an IP + - lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO + - quota_clone: Update also when quota is unlimited (broken in v2.2.31) + - mbox, zlib: Fix assert-crash when accessing compressed mbox + - doveadm director kick -f parameter didn't work + - doveadm director flush <host> resulted flushing all hosts, if <host> + wasn't an IP address. + - director: Various fixes to handling backend/director changes at + abnormal times, especially while ring was unsynced. These could have + resulted in crashes, non-optimal behavior or ignoring some of the + changes. + - director: Use less CPU in imap-login processes when moving/kicking + many users. + - lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs + when lmtp_rcpt_check_quota=yes + - doveadm sync -1 fails when local mailboxes exist that do not exist + remotely. This commonly happened when lazy_expunge mailbox was + autocreated when incremental sync expunged mails. 
+ - pop3: rawlog_dir setting didn't work + + +v2.2.32 2017-08-24 Timo Sirainen <tss@iki.fi> + + * imapc: Info-level line is logged every time when successfully + connected to the remote server. This includes local/remote IP/port, + which can be useful for matching against external logs. + * config: Log a warning if plugin { key=no } is used explicitly. + v2.3 will support "no" properly in plugin settings, but for now + any value at all for a boolean plugin setting is treated as "yes", + even if it's written as explicit "no". This change will now warn + that it most likely won't work as intended. + + + Various optimizations to avoid accessing files/directories when it's + not necessary. Especially avoid accessing mail root directories when + INDEX directories point to a different filesystem. + + mail_location can now include ITERINDEX parameter. This tells Dovecot + to perform mailbox listing from the INDEX path instead of from the + mail root path. It's mainly useful when the INDEX storage is on a + faster storage. + + mail_location can now include VOLATILEDIR=<path> parameter. This + is used for creating lock files and in future potentially other + files that don't need to exist permanently. The path could point to + tmpfs for example. This is especially useful to avoid creating lock + files to NFS or other remote filesystems. For example: + mail_location=sdbox:~/sdbox:VOLATILEDIR=/tmp/volatile/%2.256Nu/%u + + mail_location's LISTINDEX=<path> can now contain a full path. + This allows storing mailbox list index to a different storage + than the rest of the indexes, for example to tmpfs. + + mail_location can now include NO-NOSELECT parameter. This + automatically deletes any \NoSelect mailboxes that have no children. + These mailboxes are sometimes confusing to users. + + mail_location can now include BROKENCHAR=<char> parameter. This can + be useful with imapc to access mailbox names that aren't valid mUTF-7 + charset from remote servers. 
+ + If mailbox_list_index_very_dirty_syncs=yes, the list index is no + longer refreshed against filesystem when listing mailboxes. This + allows the mailbox listing to be done entirely by only reading the + mailbox list index. + + Added mailbox_list_index_include_inbox setting to control whether + INBOX's STATUS information should be cached in the mailbox list + index. The default is "no", but it may be useful to change it to + "yes", especially if LISTINDEX points to tmpfs. + + userdb can return chdir=<path>, which override mail_home for the + chdir location. This can be useful to avoid accessing home directory + on login. + + userdb can return postlogin=<socket> to specify per-user imap/pop3 + postlogin socket path. + + cassandra: Add support for result paging by adding page_size=<n> + parameter to the connect setting. + + dsync/imapc, pop3-migration plugin: Strip also trailing tabs from + headers when matching mails. This helps with migrations from Zimbra. + + imap_logout_format supports now %{appended} and %{autoexpunged} + + virtual plugin: Optimize IDLE to use mailbox list index for finding + out when something has changed. + + Added apparmor plugin. See https://wiki2.dovecot.org/Plugins/Apparmor + - virtual plugin: A lot of fixes. In many cases it was also working + very inefficiently or even incorrectly. + - imap: NOTIFY parameter parsing was incorrectly "fixed" in v2.2.31. + It was actually (mostly) working in previous versions, but broken + in v2.2.31. + - Modseq tracking didn't always work correctly. This could have caused + imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to + not work perfectly. + - mdbox: "Inconsistency in map index" wasn't fixed automatically + - dict-ldap: %variable values used in the LDAP filter weren't escaped. + - quota=count: quota_warning = -storage=.. was never executed (try #2). + v2.2.31 fixed it for -messages, but not for -storage. 
+ - imapc: >= 32 kB mail bodies were supposed to be cached for subsequent + FETCHes, but weren't. + - quota-status service didn't support recipient_delimiter + - acl: Don't access dovecot-acl-list files with acl_globals_only=yes + - mail_location: If INDEX dir is set, mailbox deletion deletes its + childrens' indexes. For example if "box" is deleted, "box/child" + index directory was deleted as well (but mails were preserved). + - director: v2.2.31 caused rapid reconnection loops to directors + that were down. + +v2.2.31 2017-06-26 Timo Sirainen <tss@iki.fi> + + * LMTP: Removed "(Dovecot)" from added Received headers. Some + installations want to hide it, and there's not really any good reason + for anyone to have it. + + + Add ssl_alt_cert and ssl_alt_key settings to add support for + having both RSA and ECDSA certificates. + + dsync/imapc, pop3-migration plugin: Strip trailing whitespace from + headers when matching mails. This helps with migrations from Zimbra. + + acl: Add acl_globals_only setting to disable looking up + per-mailbox dovecot-acl files. + + Parse invalid message addresses better. This mainly affects the + generated IMAP ENVELOPE replies. + - v2.2.30 wasn't fixing corrupted dovecot.index.cache files properly. + It could have deleted wrong mail's cache or assert-crashed. + - v2.2.30 mail-crypt-acl plugin was assert-crashing + - v2.2.30 welcome plugin wasn't working + - Various fixes to handling mailbox listing. Especially related to + handling nonexistent autocreated/autosubscribed mailboxes and ACLs. + - Global ACL file was parsed as if it was local ACL file. This caused + some of the ACL rule interactions to not work exactly as intended. + - auth: forward_* fields didn't work properly: Only the first forward + field was working, and only if the first passdb lookup succeeded. + - Using mail_sort_max_read_count sometimes caused "Broken sort-* + indexes, resetting" errors. + - Using mail_sort_max_read_count may have caused very high CPU usage. 
+ - Message address parsing could have crashed on invalid input. + - imapc_features=fetch-headers wasn't always working correctly and + caused the full header to be fetched. + - imapc: Various bugfixes related to connection failure handling. + - quota=imapc sent unnecessary FETCH RFC822.SIZE to server when + expunging mails. + - quota=count: quota_warning = -storage=.. was never executed + - quota=count: Add support for "ns" parameter + - dsync: Fix incremental syncing for mails that don't have Date or + Message-ID headers. + - imap: Fix hang when client sends pipelined SEARCH + + EXPUNGE/CLOSE/LOGOUT. + - oauth2: Token validation didn't accept empty server responses. + - imap: NOTIFY command has been almost completely broken since the + beginning. I guess nobody has been trying to use it. + + +v2.2.30.2 2017-06-06 Timo Sirainen <tss@iki.fi> + + - auth: Multiple failed authentications within short time caused + crashes + - push-notification: OX driver crashed at deinit + +v2.2.30.1 2017-05-31 Timo Sirainen <tss@iki.fi> + + - quota_warning scripts weren't working in v2.2.30 + - vpopmail still wasn't compiling + +v2.2.30 2017-05-30 Timo Sirainen <tss@iki.fi> + + * auth: Use timing safe comparisons for everything related to + passwords. It's unlikely that these could have been used for + practical attacks, especially because Dovecot delays and flushes all + failed authentications in 2 second intervals. Also it could have + worked only when passwords were stored in plaintext in the passdb. + * master process sends SIGQUIT to all running children at shutdown, + which instructs them to close all the socket listeners immediately. + This way restarting Dovecot should no longer fail due to some + processes keeping the listeners open for a long time. + + + auth: Add passdb { mechanisms=none } to match separate passdb lookup + + auth: Add passdb { username_filter } to use passdb only if user + matches the filter. 
See https://wiki2.dovecot.org/PasswordDatabase + + dsync: Add dsync_commit_msgs_interval setting. It attempts to commit + the transaction after saving this many new messages. Because of the + way dsync works, it may not always be possible if mails are copied + or UIDs need to change. + + imapc: Support imapc_features=search without ESEARCH extension. + + imapc: Add imapc_features=fetch-bodystructure to pass through remote + server's FETCH BODY and BODYSTRUCTURE. + + imapc: Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on the + remote server. + + passdb imap: Add allow_invalid_cert and ssl_ca_file parameters. + + If dovecot.index.cache corruption is detected, reset only the one + corrupted mail instead of the whole file. + + doveadm mailbox status: Add "firstsaved" field. + + director_flush_socket: Add old host's up/down and vhost count as parameters + - More fixes to automatically fix corruption in dovecot.list.index + - dsync-server: Fix support for dsync_features=empty-header-workaround + - imapc: Various bugfixes, including infinite loops on some errors + - IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't + enabled modseq tracking via CONDSTORE/QRESYNC. + - fts-lucene: Fix it to work again with mbox format + - Some internal error messages may have contained garbage in v2.2.29 + - mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys + are used. Otherwise the copied mails can't be opened. + - vpopmail: Fix compiling + +v2.2.29.1 2017-04-12 Timo Sirainen <tss@iki.fi> + + - imapc reconnection fix was forgotten from 2.2.29 release, which also + made "make check" fail in a unit test + - dict-sql: Merging multiple UPDATEs to a single statement wasn't + actually working. + - Fixed building with vpopmail + +v2.2.29 2017-04-10 Timo Sirainen <tss@iki.fi> + + * passdb/userdb dict: Don't double-expand %variables in keys. 
If dict + was used as the authentication passdb, using specially crafted + %variables in the username could be used to cause DoS (CVE-2017-2669) + * When Dovecot encounters an internal error, it logs the real error and + usually logs another line saying what function failed. Previously the + second log line's error message was a rather uninformative "Internal + error occurred. Refer to server log for more information." Now the + real error message is duplicated in this second log line. + * lmtp: If a delivery has multiple recipients, run autoexpunging only + for the last recipient. This avoids a problem where a long + autoexpunge run causes LMTP client to timeout between the DATA + replies, resulting in duplicate mail deliveries. + * config: Don't stop the process due to idling. Otherwise the + configuration is reloaded when the process restarts. + * mail_log plugin: Differentiate autoexpunges from regular expunges + * imapc: Use LOGOUT to cleanly disconnect from server. + * lib-http: Internal status codes (>9000) are no longer visible in logs + * director: Log vhost count changes and HOST-UP/DOWN + + + quota: Add plugin { quota_max_mail_size } setting to limit the + maximum individual mail size that can be saved. + + imapc: Add imapc_features=delay-login. If set, connecting to the + remote IMAP server isn't done until it's necessary. + + imapc: Add imapc_connection_retry_count and + imapc_connection_retry_interval settings. + + imap, pop3, indexer-worker: Add (deinit) to process title before + autoexpunging runs. + + Added %{encrypt} and %{decrypt} variables + + imap/pop3 proxy: Log proxy state in errors as human-readable string. + + imap/pop3-login: All forward_* extra fields returned by passdb are + sent to the next hop when proxying using ID/XCLIENT commands. On the + receiving side these fields are imported and sent to auth process + where they're accessible via %{passdb:forward_*}. This is done only + if the sending IP address matches login_trusted_networks. 
+ + imap-login: If imap_id_retain=yes, send the IMAP ID string to + auth process. %{client_id} expands to it in auth process. The ID + string is also sent to the next hop when proxying. + + passdb imap: Use ssl_client_ca_* settings for CA validation. + - fts-tika: Fixed crash when parsing attachment without + Content-Disposition header. Broken by 2.2.28. + - trash plugin was broken in 2.2.28 + - auth: When passdb/userdb lookups were done via auth-workers, too much + data was added to auth cache. This could have resulted in wrong + replies when using multiple passdbs/userdbs. + - auth: passdb { skip & mechanisms } were ignored for the first passdb + - oauth2: Various fixes, including fixes to crashes + - dsync: Large Sieve scripts (or other large metadata) weren't always + synced. + - Index rebuild (e.g. doveadm force-resync) set all mails as \Recent + - imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix + - doveadm: Exit codes weren't preserved when proxying commands via + doveadm-server. Almost all errors used exit code 75 (tempfail). + - ACLs weren't applied to not-yet-existing autocreated mailboxes. + - Fixed a potential crash when parsing a broken message header. + - cassandra: Fallback consistency settings weren't working correctly. + - doveadm director status <user>: "Initial config" was always empty + - imapc: Various reconnection fixes. + +v2.2.28 2017-02-24 Timo Sirainen <tss@iki.fi> + + * director: "doveadm director move" to same host now refreshes user's + timeout. This allows keeping user constantly in the same backend by + just periodically moving the user there. + * When new mailbox is created, use initially INBOX's + dovecot.index.cache caching decisions. + * Expunging mails writes GUID to dovecot.index.log now only if the + GUID is quickly available from index/cache. + * pop3c: Increase timeout for PASS command to 5 minutes. + * Mail access errors are no longer ignored when searching or sorting. 
+ With IMAP the untagged SEARCH/SORT reply is still sent the same as + before, but NO reply is returned instead of OK. + + + Make dovecot.list.index's filename configurable. This is needed when + there are multiple namespaces pointing to the same mail root + (e.g. lazy_expunge namespace for mdbox). + + Add size.virtual to dovecot.index when folder vsizes are accessed + (e.g. quota=count). This is mainly a workaround to avoid slow quota + recalculation performance when message sizes get lost from + dovecot.index.cache due to corruption or some other reason. + + auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them + in lib-dsasl for client side. + + auth: Support filtering by SASL mechanism: passdb { mechanisms } + + Shrink the mail processes' memory usage by not storing settings + duplicated unnecessarily many times. + + imap: Add imap_fetch_failure setting to control what happens when + FETCH fails for some mails (see example-config). + + imap: Include info about last command in disconnection log line. + + imap: Created new SEARCH=X-MIMEPART extension. It's currently not + advertised by default, since it's not fully implemented. + + fts-solr: Add support for basic authentication. + + Cassandra: Support automatically retrying failed queries if + execution_retry_interval and execution_retry_times are set. + + doveadm: Added "mailbox path" command. + + mail_log plugin: If plugin { mail_log_cached_only=yes }, log the + wanted fields only if it doesn't require opening the email. + + mail_vsize_bg_after_count setting added (see example-config). + + mail_sort_max_read_count setting added (see example-config). + + pop3c: Added pop3c_features=no-pipelining setting to prevent using + PIPELINING extension even though it's advertised. + + - Index files: day_first_uid wasn't updated correctly since v2.2.26. + This caused dovecot.index.cache to be non-optimal. 
+ - imap: SEARCH/SORT may have assert-crashed in + client_check_command_hangs + - imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes. + - imap: Running time in tagged command reply was often wrongly 0. + - search: Using NOT n:* or NOT UID n:* wasn't handled correctly + - director: doveadm director kick was broken + - director: Fix crash when using director_flush_socket + - director: Fix some bugs when moving users between backends + - imapc: Various error handling fixes and improvements + - master: doveadm process status output had a lot of duplicates. + - autoexpunge: If mailbox's rename timestamp is newer than mail's + save-timestamp, use it instead. This is useful when autoexpunging + e.g. Trash/* and an entire mailbox is deleted by renaming it under + Trash to prevent it from being autoexpunged too early. + - autoexpunge: Multiple processes may have been trying to expunge the + same mails simultaneously. This was problematic especially with + lazy_expunge plugin. + - auth: %{passdb:*} was empty in auth-worker processes + - auth-policy: hashed_password was always sent empty. + - dict-sql: Merge multiple UPDATEs to a single statement if possible. + - fts-solr: Escape {} chars when sending queries + - fts: fts_autoindex_exclude = \Special-use caused crashes + - doveadm-server: Fix leaks and other problems when process is reused + for multiple requests (service_count != 1) + - sdbox: Fix assert-crash on mailbox create race + - lda/lmtp: deliver_log_format values weren't entirely correct if Sieve + was used. especially %{storage_id} was broken. + - lmtp_user_concurrency_limit didn't work if userdb changed username + +v2.2.27 2016-12-03 Timo Sirainen <tss@iki.fi> + + * dovecot.list.index.log rotation sizes/times were changed so that + the .log file stays smaller and .log.2 is deleted sooner. + + + Added mail_crypt plugin that allows encryption of stored emails. 
+ See http://wiki2.dovecot.org/Plugins/MailCrypt + + stats: Global stats can be sent to Carbon server by setting + stats_carbon_server=ip:port + + imap/pop3 proxy: If passdb returns proxy_not_trusted, don't send + ID/XCLIENT + + Added generic hash modifier for %variables: + %{<hash algorithm>;rounds=<n>,truncate=<bits>,salt=s>:field} + Hash algorithm is any of the supported ones, e.g. md5, sha1, sha256. + Also "pkcs5" is supported using SHA256. For example: %{sha256:user} + or %{md5;truncate=32:user}. + + Added support for SHA3-256 and SHA3-512 hashes. + + config: Support DNS wildcards in local_name, e.g. + local_name *.example.com { .. } matches anything.example.com, but + not multiple.anything.example.com. + + config: Support multiple names in local_name, e.g. + local_name "1.example.com 2.example.com" { .. } + - Fixed crash in auth process when auth-policy was configured and + authentication was aborted/failed without a username set. + - director: If two users had different tags but the same hash, + the users may have been redirected to the wrong tag's hosts. + - Index files may have been thought incorrectly lost, causing + "Missing middle file seq=.." to be logged and index rebuild. + This happened more easily with IMAP hibernation enabled. + - Various fixes to restoring state correctly in un-hibernation. + - dovecot.index files were commonly 4 bytes per email too large. This + is because 3 bytes per email were being wasted that could have been + used for IMAP keywords. + - Various fixes to handle dovecot.list.index corruption better. + - lib-fts: Fixed assert-crash in address tokenizer with specific input. + - Fixed assert-crash in HTML to text parsing with specific input + (e.g. for FTS indexing or snippet generation) + - doveadm sync -1: Fixed handling mailbox GUID conflicts. + - sdbox, mdbox: Perform full index rebuild if corruption is detected + inside lib-index, which runs index fsck. 
+ - quota: Don't skip quota checks when moving mails between different + quota roots. + - search: Multiple sequence sets or UID sets in search parameters + weren't handled correctly. They were incorrectly merged together. + +v2.2.26.0 2016-10-28 Timo Sirainen <tss@iki.fi> + + - Fixed some compiling issues. + - auth: Fixed assert-crash when using NTLM or SKEY mechanisms and + multiple passdbs. + - auth: Fixed crash when exporting to auth-worker passdb extra fields + that had empty values. + - dsync: Fixed assert-crash in dsync_brain_sync_mailbox_deinit + +v2.2.26 2016-10-27 Timo Sirainen <tss@iki.fi> + + * master: Removed hardcoded 511 backlog limit for listen(). The kernel + should limit this as needed. + * doveadm import: Source user is now initialized the same as target + user. Added -U parameter to override the source user. + * Mailbox names are no longer limited to 16 hierarchy levels. We'll + check another way to make sure mailbox names can't grow larger than + 4096 bytes. + + + Added a concept of "alternative usernames" by returning user_* extra + field(s) in passdb. doveadm proxy list shows these alt usernames in + "doveadm proxy list" output. "doveadm director&proxy kick" adds + -f <passdb field> parameter. The alt usernames don't have to be + unique, so this allows creation of user groups and kicking them in + one command. + + auth: passdb/userdb dict allows now %variables in key settings. + + auth: If passdb returns noauthenticate=yes extra field, assume that + it only set extra fields and authentication wasn't actually performed. + + auth: passdb static now supports password={scheme} prefix. + + auth, login_log_format_elements: Added %{local_name} variable, which + expands to TLS SNI hostname if given. + + imapc: Added imapc_max_line_length to limit maximum memory usage. + + imap, pop3: Added rawlog_dir setting to store IMAP/POP3 traffic logs. + This replaces at least partially the rawlog plugin. 
+ + dsync: Added dsync_features=empty-header-workaround setting. This + makes incremental dsyncs work better for servers that randomly return + empty headers for mails. When an empty header is seen for an existing + mail, dsync assumes that it matches the local mail. + + doveadm sync/backup: Added -I <max size> parameter to skip too + large mails. + + doveadm sync/backup: Fixed -t parameter and added -e for "end date". + + doveadm mailbox metadata: Added -s parameter to allow accessing + server metadata by using empty mailbox name. + + Added "doveadm service status" and "doveadm process status" commands. + + director: Added director_flush_socket. See + http://wiki2.dovecot.org/Director#Flush_socket + + doveadm director flush: Users are now moved only max 100 at a time to + avoid load spikes. --max-parallel parameter overrides this. + + Added FILE_LOCK_SLOW_WARNING_MSECS environment, which logs a warning + if any lock is waited on or kept for this many milliseconds. + + - master process's listener socket was leaked to all child processes. + This might have allowed untrusted processes to capture and prevent + "doveadm service stop" comands from working. + - login proxy: Fixed crash when outgoing SSL connections were hanging. + - auth: userdb fields weren't passed to auth-workers, so %{userdb:*} + from previous userdbs didn't work there. + - auth: Each userdb lookup from cache reset its TTL. + - auth: Fixed auth_bind=yes + sasl_bind=yes to work together + - auth: Blocking userdb lookups reset extra fields set by previous + userdbs. + - auth: Cache keys didn't include %{passdb:*} and %{userdb:*} + - auth-policy: Fixed crash due to using already-freed memory if policy + lookup takes longer than auth request exists. + - lib-auth: Unescape passdb/userdb extra fields. Mainly affected + returning extra fields with LFs or TABs. + - lmtp_user_concurrency_limit>0 setting was logging unnecessary + anvil errors. 
+ - lmtp_user_concurrency_limit is now checked before quota check with + lmtp_rcpt_check_quota=yes to avoid unnecessary quota work. + - lmtp: %{userdb:*} variables didn't work in mail_log_prefix + - autoexpunge settings for mailboxes with wildcards didn't work when + namespace prefix was non-empty. + - Fixed writing >2GB to iostream-temp files (used by fs-compress, + fs-metawrap, doveadm-http) + - director: Ignore duplicates in director_servers setting. + - director: Many fixes related to connection handshaking, user moving + and error handling. + - director: Don't break with shutdown_clients=no + - zlib, IMAP BINARY: Fixed internal caching when accessing multiple + newly created mails. They all had UID=0 and the next mail could have + wrongly used the previously cached mail. + - doveadm stats reset wasn't reseting all the stats. + - auth_stats=yes: Don't update num_logins, since it doubles them when + using with mail stats. + - quota count: Fixed deadlocks when updating vsize header. + - dict-quota: Fixed crashes happening due to memory corruption. + - dict proxy: Fixed various timeout-related bugs. + - doveadm proxying: Fixed -A and -u wildcard handling. + - doveadm proxying: Fixed hangs and bugs related to printing. + - imap: Fixed wrongly triggering assert-crash in + client_check_command_hangs. + - imap proxy: Don't send ID command pipelined with nopipelining=yes + - imap-hibernate: Don't execute quota_over_script or last_login after + un-hibernation. + - imap-hibernate: Don't un-hibernate if client sends DONE+IDLE in one + IP packet. + - imap-hibernate: Fixed various failures when un-hibernating. + - fts: fts_autoindex=yes was broken in 2.2.25 unless + fts_autoindex_exclude settings existed. + - fts-solr: Fixed searching multiple mailboxes (patch by x16a0) + - doveadm fetch body.snippet wasn't working in 2.2.25. Also fixed a + crash with certain emails. + - pop3-migration + dbox: Various fixes related to POP3 UIDL + optimization in 2.2.25. 
+ - pop3-migration: Fixed "truncated email header" workaround. + +v2.2.25 2016-07-01 Timo Sirainen <tss@iki.fi> + + * lmtp: Start tracking lmtp_user_concurrency_limit and reject already + at RCPT TO stage. This avoids MTA unnecessarily completing DATA only + to get an error. + * doveadm: Previously only mail settings were read from protocol + doveadm { .. } section. Now all settings are. + + + quota: Added quota_over_flag_lazy_check setting. It avoids checking + quota_over_flag always at startup. Instead it's checked only when + quota is being read for some other purpose. + + auth: Added a new auth policy service: + http://wiki2.dovecot.org/Authentication/Policy + + auth: Added PBKDF2 password scheme + + auth: Added %{auth_user}, %{auth_username} and %{auth_domain} + + auth: Added ":remove" suffix to extra field names to remove them. + + auth: Added "delay_until=<timestamp>[+<max random secs>]" passdb + extra field. The auth will wait until <timestamp> and optionally some + randomness and then return success. + + dict proxy: Added idle_msecs=<n> parameter. Support async operations. + + Performance improvements for handling large mailboxes. + + Added lib-dcrypt API for providing cryptographic functions. + + Added "doveadm mailbox update" command + + imap commands' output now includes timing spent on the "syncing" + stage if it's larger than 0. + + cassandra: Added metrics=<path> to connect setting to output internal + statistics in JSON format every second to <path>. + + doveadm mailbox delete: Added -e parameter to delete only empty + mailboxes. Added --unsafe option to quickly delete a mailbox, + bypassing lazy_expunge and quota plugins. + + doveadm user & auth cache flush are now available via doveadm-server. + + doveadm service stop <services> will stop specified services while + leaving the rest of Dovecot running. 
+ + quota optimization: Avoid reading mail sizes for backends which + don't need them (count, fs, dirsize) + + Added mailbox { autoexpunge_max_mails=<n> } setting. + + Added welcome plugin: http://wiki2.dovecot.org/Plugins/Welcome + + fts: Added fts_autoindex_exclude setting. + - v2.2.24's MIME parser was assert-crashing on mails having truncated + MIME headers. + - auth: With multiple userdbs the final success/failure result wasn't + always correct. The last userdb's result was always used. + - doveadm backup was sometimes deleting entire mailboxes unnecessarily. + - doveadm: Command -parameters weren't being sent to doveadm-server. + - If dovecot.index read failed e.g. because mmap() reached VSZ limit, + an empty index could have been opened instead, corrupting the + mailbox state. + - imapc: Fixed EXPUNGE handling when imapc_features didn't have modseq. + - lazy-expunge: Fixed a crash when copying failed. Various other fixes. + - fts-lucene: Fixed crash on index rescan. + - auth_stats=yes produced broken output + - dict-ldap: Various fixes + - dict-sql: NULL values crashed. Now they're treated as "not found". + +v2.2.24 2016-04-26 Timo Sirainen <tss@iki.fi> + + * doveconf now warns if it sees a global setting being changed when + the same setting was already set inside some filters. (A common + mistake has been adding more plugins to a global mail_plugins + setting after it was already set inside protocol { .. }, which + caused the global setting to be ignored for that protocol.) + * LMTP proxy: Increased default timeout 30s -> 125s. This makes it + less likely to reach the timeout and cause duplicate deliveries. + * LMTP and indexer now append ":suffix" to session IDs to make it + unique for the specific user's delivery. (Fixes duplicate session + ID warnings in stats process.) + + + Added dict-ldap for performing read-only LDAP dict lookups. + + lazy-expunge: All mails can be saved to a single specified mailbox. 
+ + mailbox { autoexpunge } supports now wildcards in mailbox names. + + doveadm HTTP API: Added support for proxy commands + + imapc: Reconnect when getting disconnected in non-selected state. + + imapc: Added imapc_features=modseq to access MODSEQs/HIGHESTMODSEQ. + This is especially useful for incremental dsync. + + doveadm auth/user: Auth lookup performs debug logging if + -o auth_debug=yes is given to doveadm. + + Added passdb/userdb { auth_verbose=yes|no } setting. + + Cassandra: Added user, password, num_threads, connect_timeout and + request_timeout settings. + + doveadm user -e <value>: Print <value> with %variables expanded. + - Huge header lines could have caused Dovecot to use too much memory + (depending on config and used IMAP commands). (Typically this would + result in only the single user's process dying with out of memory + due to reaching service { vsz_limit } - not a global DoS). + - dsync: Detect and handle invalid/stale -s state string better. + - dsync: Fixed crash caused by specific mailbox renames + - auth: Auth cache is now disabled passwd-file. It was unnecessary and + it broke %variables in extra fields. + - fts-tika: Don't crash if it returns 500 error + - dict-redis: Fixed timeout handling + - SEARCH INTHREAD was crashing + - stats: Only a single fifo_listeners was supported, making it + impossible to use both auth_stats=yes and mail stats plugin. + - SSL errors were logged in separate "Stacked error" log lines + instead of as part of the disconnection reason. + - MIME body parser didn't handle properly when a child MIME part's + --boundary had the same prefix as the parent. + +v2.2.23 2016-03-30 Timo Sirainen <tss@iki.fi> + + - Various fixes to doveadm. Especially running commands via + doveadm-server was broken. + - director: Fixed user weakness getting stuck in some situations + - director: Fixed a situation where directors keep re-sending + different states to each others and never becoming synced. 
+ - director: Fixed assert-crash related to a slow "user killed" reply + - Fixed assert-crash related to istream-concat, which could have + been triggered at least by a Sieve script. + +v2.2.22 2016-03-16 Timo Sirainen <tss@iki.fi> + + + Added doveadm HTTP API: See + http://wiki2.dovecot.org/Design/DoveadmProtocol/HTTP + + virtual plugin: Mailbox filtering can now be done based on the + mailbox metadata. See http://wiki2.dovecot.org/Plugins/Virtual + + stats: Added doveadm stats reset to reset global stats. + + stats: Added authentication statistics if auth_stats=yes. + + dsync, imapc, pop3c & pop3-migration: Many optimizations, + improvements and error handling fixes. + + doveadm: Most commands now stop soon after SIGINT/SIGTERM. + - auth: Auth caching was done too aggressively when %variables were + used in default_fields, override_fields or LDAP pass/user_attrs. + userdb result_* were also ignored when user was found from cache. + - imap: Fixed various assert-crashes caused v2.2.20+. Some of them + caught actual hangs or otherwise unwanted behavior towards IMAP + clients. + - Expunges were forgotten in some situations, for example when + pipelining multiple IMAP MOVE commands. + - quota: Per-namespaces quota were broken for dict and count backends + in v2.2.20+ + - fts-solr: Search queries were using OR instead of AND as the + separator for multi-token search queries in v2.2.20+. + - Single instance storage support wasn't really working in v2.2.16+ + - dbox: POP3 message ordering wasn't working correctly. + - virtual plugin: Fixed crashes related to backend mailbox deletions. + +v2.2.21 2015-12-11 Timo Sirainen <tss@iki.fi> + + - doveadm mailbox list (and some others) were broken in v2.2.20 + - director: Fixed making backend changes when running with only a + single director server. + - virtual plugin: Fixed crash when trying to open nonexistent + autocreated backend mailbox. 
+ +v2.2.20 2015-12-07 Timo Sirainen <tss@iki.fi> + + + Added mailbox { autoexpunge=<time> } setting. See + http://wiki2.dovecot.org/MailboxSettings for details. + + ssl_options: Added support for no_ticket + + imap/pop3/managesieve-login: Added postlogin_socket=path passdb extra + field. This allows replacing the default service + imap/pop3/managesieve {} settings for specific users (e.g. running + their imap process via valgrind or strace). + + doveadm fetch: Added date.sent/received/saved.unixtime + + fs-posix: Added mode=auto parameter to set the created files' and + directories' mode based on the parent dir if it has setgid-bit. + + director: Support backends having hostnames, which makes it possible + to verify their SSL certificates. + - director: Directors' state became desynchronized if doveadm director + commands were used to modify the same backend in multiple directors + at the same time with conflicting changes. This fix includes some + extra checks, which makes sure that if such a conflict still happens + it's automatically fixed. In some situations such an automatic fix + may now be unnecessarily triggered and an error logged. + - director: Backend tags weren't working correctly. + - ldap: tls_* settings weren't used for ldaps URIs. + - ldap, mysql: Fixed setting connect timeout. + - auth: userdb lookups via auth-worker couldn't change username + - dsync: Fixed handling deleted directories. Make sure we don't go to + infinite mailbox renaming loop. + - imap: Fixed crash in NOTIFY when there were watched namespaces that + didn't support NOTIFY. + - imap: After SETMETADATA was used, various commands (especially FETCH) + could have started hanging when their output was large. + - stats: Idle sessions weren't refreshed often enough, causing stats + process to forget them and log errors about unknown sessions when + they were updated later. + - stats: Fixed "Duplicate session ID" errors when LMTP delivered to + multiple recipients and fts_autoindex=yes. 
+ - zlib plugin: Fixed copying causing cache corruption when zlib_save + wasn't set, but the source message was compressed. + - fts-solr: Fixed escaping Solr query parameters. + - lmtp: quota_full_tempfail=yes was ignored with + lmtp_rcpt_check_quota=yes + +v2.2.19 2015-10-02 Timo Sirainen <tss@iki.fi> + + * pop3_deleted_flag has been broken since v2.2.10. Using it would + cause buffer overflows, which could be exploitable. However, this + bug would have become visible quite soon after users had deleted + some POP3 mails, because the pop3 processes would have started + crashing all the time even in normal use. + * "doveadm director flush" command has a changed meaning now: + It safely moves users to their wanted backends, instead of simply + forgetting the mapping entirely and leaving the existing connections + untouched. Use -F parameter to get the original unsafe behavior. + + + Added imap-hibernate processes (see imap_hibernate_timeout setting). + IDLEing IMAP connections can be hibernated, which saves memory. + + Optimized tracking mailboxes' vsizes (= sum of all messages' sizes). + If mailbox_list_index=yes, it's also stored in there. This makes it + very efficient to look up vsizes for all mailboxes. + + Added a quota "count" backend, which uses the mailbox vsizes to get + the current quota usage. It requires using the new quota_vsizes=yes + setting, which tracks the messages' "virtual sizes" rather than + "physical sizes". Their distiction is minor and mostly irrelevant + nowadays (if mail sizes should be counted with LF or CRLF newlines). + + "doveadm director up/down" commands added. The monitoring script + should be using these commands instead of changing the vhost count. + This allows admin to manually disable a server by changing the vhost + count to 0 without the monitoring script changing it back. 
+ + Added support for HAProxy protocol: http://wiki2.dovecot.org/HAProxy + + Added push-notification plugin framework, which can be used to + easily implement push notifications to various backends. Implemented + "ox" backend for notifying Open-Xchange via HTTP/json. + + imap_logout_format supports more variables now, e.g. number of + deleted messages. + + pop3: Added pop3_delete_type setting (related to pop3_deleted_flag). + + plugin { fts_enforced=yes } setting now fails body searches unless + it can be done via the full text search engine. + + Added %{passdb:*} and %{userdb:*} variables to various places + + auth: Added ":protected" suffix for passdb and userdb fields. If + used, the field doesn't overwrite an existing field. + + IMAP/POP3 proxy: If a backend server dies, avoid client reconnection + spikes by slowly disconnecting clients over time. This is enabled by + setting login_proxy_max_disconnect_delay=secs passdb extra field. + + imap: Added new read-only METADATA entries: /private/specialuse, + /shared/comment, /shared/admin + + imap: If client disconnects in the middle of a command, log how long + the command had been running. + - mdbox: Rebuilding could have caused message's reference count to + overflow the 16bit number in some situations, causing problems when + trying to expunge the duplicates. + - Various search fixes (fts, solr, tika, lib-charset, indexer) + - Various virtual plugin fixes + - Various fixes and optimizations to dsync, imapc and pop3-migration + - imap: Various RFC compliancy and crash fixes to NOTIFY + +v2.2.18 2015-05-15 Timo Sirainen <tss@iki.fi> + + - director: Login UNIX sockets were normally detected as doveadm or + director ring sockets, causing it to break in existing installations. + - sdbox: When copying a mail in alt storage, place the destination to + alt storage as well. + +v2.2.17 2015-05-13 Timo Sirainen <tss@iki.fi> + + * Dovecot no longer checks or warns if a mountpoint is removed. 
This + was causing more trouble than it was worth. Make sure that all the + mountpoints that Dovecot accesses aren't writable by mail processes + when they're unmounted. + * dict server wasn't properly escaping/unescaping data. Fixing this + broke backwards compatibility with data that contains line feeds. + This hopefully affects only very few installations. If you're using + dict to save multiline data (Sieve scripts to SQL), you may be + affected. + * imap: SPECIAL-USE capability is no longer advertised if there are + no special_use flags specified for any mailboxes. + + + lmtp: Added lmtp_hdr_delivery_address setting to specify whether + to include email address in Delivered-To: and Received: headers. + + Added initial version of full text search library, which includes + language-specific text normalization and filtering. This is still + in development, but it's already possible to use for testing with + fts-lucene and fts-solr. + + lda, lmtp: deliver_log_format can now include %{delivery_time}, + which expands to how many milliseconds it took to deliver the mail. + With LMTP %{session_time} also expands to how many milliseconds the + LMTP session took, not including the delivery time. + + lmtp proxy: Mail delivery logging includes timing information. + + imap: Most IMAP commands now include in the tagged reply how many + milliseconds it took to run the command (not counting the time spent + on waiting for the IMAP client to read/write data). + + director: Implemented director_proxy_maybe passdb extra field to + be able to run director and backend in the same Dovecot instance. + (LMTP doesn't support mixed proxy/non-proxy destinations currently.) + + doveadm: Added -F <file> parameter to read a list of users from the + given file and run the command for all the users. This is similar to + -A parameter reading the list of users from userdb lookup. + + Implemented initial Cassandra CQL support as lib-sql backend. It's + only usable as dict backend currently. 
+ + Added quota-clone plugin to copy current quota usage to a dict. + - auth: If auth_master_user_separator was set, auth process could be + crashed by trying to log in with empty master username. + - imap-login, pop3-login: Fixed crash on handshake failures with new + OpenSSL versions (v1.0.2) when SSLv3 was disabled. + - auth: If one passdb fails allow_nets check, it shouldn't have failed + all the other passdb checks later on. + - imap: Server METADATA couldn't be accessed + - imapc: Fixed \Muted label handling in gmail-migration. + - imapc: Various bugfixes and improvements. + - Trash plugin fixes by Alexei Gradinari + - mbox: Fixed crash/corruption in some situations + +v2.2.16 2015-03-12 Timo Sirainen <tss@iki.fi> + + * dbox: Resyncing (e.g. doveadm force-resync) no longer deletes + dovecot.index.cache file. The cache file was rarely the problem + so this just caused unnecessary slowness. + * Mailbox name limits changed during mailbox creation: Each part of + a hierarchical name (e.g. "x" or "y" in "x/y") can now be up to 255 + chars long (instead of 200). This also reduces the max number of + hierarchical levels to 16 (instead of 20) to keep the maximum name + length 4096 (a common PATH_MAX limit). The 255 char limit is + hopefully large enough for migrations from all existing systems. + It's also the limit on many filesystems. + + + director: Added director_consistent_hashing setting to enable + consistent hashing (instead of the mostly-random MD5 hashing). + This causes fewer user moves between backends when backend counts + are changed, which may improve performance (mainly due to caching). + + director: Added support for "tags", which allows one director ring + to serve multiple backend clusters with different sets of users. + + LMTP server: Added lmtp_user_concurrency_limit setting to limit how + many LMTP deliveries can be done concurrently for a single user. + + LMTP server: Added support for STARTTLS command. 
+ + If logging data is generated faster than it can be written, log a + warning about it and show information about it in log process's + process title in ps output. Also don't allow a single service to + flood too long at the cost of delaying other services' logging. + + stats: Added support for getting global statistics. + + stats: Use the same session IDs as the rest of Dovecot. + + stats: Plugins can now create their own statistics fields + + doveadm server: Non-mail related commands can now also be used + via doveadm server (TCP socket). + + doveadm proxying: passdb lookup can now override doveadm_port and + change the username. + + doveadm: Search query supports now "oldestonly" parameter to stop + immediately on the first non-match. This can be used to optimize: + doveadm expunge mailbox Trash savedbefore 30d oldestonly + + doveadm: Added "save" command to directly save mails to specified + mailbox (bypassing Sieve). + + doveadm fetch: Added body.snippet field, which returns the first + 100 chars of a message without whitespace or HTML tags. The result + is stored into dovecot.index.cache, so it can be fetched efficiently. + + dsync: Added -t <timestamp> parameter to sync only mails newer than + the given received-timestamp. + + dsync: Added -F [-]<flag> parameter to sync only mails with[out] the + given flag/keyword. + + dsync: Added -a <mailbox> parameter to specify the virtual mailbox + containing user's all mails. If this mailbox is already found to + contain the wanted mail (by its GUID), the message is copied from + there instead of being re-saved. (This isn't efficient enough yet + for incremental replication.) + + dsync: -m parameter can now specify \Special-use names for mailboxes. + + imapc: Added imapc_features=gmail-migration to help migrations from + GMail. See http://wiki2.dovecot.org/Migration/Gmail + + imapc: Added imapc_features=search to support IMAP SEARCH command. + (Currently requires ESEARCH support from remote server.) 
+ + expire plugin: Added expire_cache=yes setting to cache most of the + database lookups in dovecot index files. + + quota: If overquota-flag in userdb doesn't match the current quota + usage, execute a configured script. + + redis dict: Added support for expiring keys (:expire_secs=n) and + specifying the database number (:db=n) + - auth: Don't crash if master user login is attempted without + any configured master=yes passdbs + - Parsing UTF-8 text for mails could have caused broken results + sometimes if buffering was split in the middle of a UTF-8 character. + This affected at least searching messages. + - String sanitization for some logged output wasn't done properly: + UTF-8 text could have been truncated wrongly or the truncation may + not have happened at all. + - fts-lucene: Lookups from virtual mailbox consisting of over 32 + physical mailboxes could have caused crashes. + +v2.2.15 2014-10-24 Timo Sirainen <tss@iki.fi> + + * Plugins can now print a banner comment in doveconf output + (typically the plugin version) + * Replication plugin now triggers low (instead of high) priority for + mail copying operations. + * IMAP/POP3/ManageSieve proxy: If destination server can't be + connected to, retry connecting once per second up to the value of + proxy_timeout. This allows quick restarts/upgrades on the backend + server without returning login failures. + * Internal passdb lookups (e.g. done by lmtp/doveadm proxy) wasn't + returning failure in some situations where it should have (e.g. + allow_nets mismatch) + * LMTP uses mail_log_prefix now for logging mail deliveries instead of + a hardcoded prefix. The non-delivery log prefix is still hardcoded + though. 
+ + + passdb allow_nets=local matches lookups that don't contain an IP + address (internally done by Dovecot services) + + Various debug logging and error logging improvements + - Various race condition fixes to LAYOUT=index + - v2.2.14 virtual plugin crashed in some situations + +v2.2.14 2014-10-14 Timo Sirainen <tss@iki.fi> + + * lmtp: Delivered-To: header no longer contains <> around the email + address. Other MDAs don't have it either. + * "Out of disk space" errors are now treated as temporary errors + (not the same as "Out of disk quota"). + * replication plugin: Use replication only for users who have a + non-empty mail_replica setting. + + + lmtp proxy: Log a line about each mail delivery. + + Added login_source_ips setting. This can be used to set the source IP + address round-robin from a pool of IPs (in case you run out of TCP + ports). + + Rawlog settings can use tcp:<host>:<port> as the path. + + virtual plugin: Don't keep more than virtual_max_open_mailboxes + (default 64) number of backend mailboxes open. + + SSL/TLS compression can be disabled with ssl_options=no_compression + + acl: Global ACL file now supports "quotes" around patterns. + + Added last-login plugin to set user's last-login timestamp on login. + + LDAP auth: Allow passdb credentials lookup also with auth_bind=yes + - IMAP: MODSEQ was sent in FETCH reply even if CONDSTORE/QRESYNC wasn't + enabled. This broke at least old Outlooks. + - passdb static treated missing password field the same as an empty + password field. + - mdbox: Fixed potential infinite looping when scanning a broken + mdbox file. + - imap-login, pop3-login: Fixed potential crashes when client + disconnected unexpectedly. + - imap proxy: The connection was hanging in some usage patterns. This + mainly affected older Outlooks. + - lmtp proxy: The proxy sometimes delivered empty mails in error + situations or potentially delivered truncated mails. 
+ - fts-lucene: If whitespace_chars was set, we may have ended up + indexing some garbage words, growing the index size unnecessarily. + - -c and -i parameters for dovecot/doveadm commands were ignored if + the config socket was readable. + - quota: Quota recalculation didn't include INBOX in some setups. + - Mail headers were sometimes added to dovecot.index.cache in wrong + order. The main problem this caused was with dsync+imapc incremental + syncing when the second sync thought the local mailbox had changed. + - Fixed several race conditions with dovecot.index.cache handling that + may have caused unnecessary "cache is corrupted" errors. + - doveadm backup didn't notice if emails were missing from the middle + of the destination mailbox. Now it deletes and resyncs the mailbox. + - auth: If auth client listed userdb and disconnected before finishing, + the auth worker process got stuck (and eventually all workers could + get used up and requests would start failing). + +v2.2.13 2014-05-11 Timo Sirainen <tss@iki.fi> + + * Fixed a DoS attack against imap/pop3-login processes. If SSL/TLS + handshake was started but wasn't finished, the login process + attempted to eventually forcibly disconnect the client, but failed + to do it correctly. This could have left the connections hanging + arond for a long time. (Affected Dovecot v1.1+) + + + mdbox: Added mdbox_purge_preserve_alt setting to keep the file + within alt storage during purge. (Should become enforced in v2.3.0?) + + fts: Added support for parsing attachments via Apache Tika. Enable + with: plugin { fts_tika = http://tikahost:9998/tika/ } + + virtual plugin: Delay opening backend mailboxes until it's necessary. + This requires mailbox_list_index=yes to work. (Currently IMAP IDLE + command still causes all backend mailboxes to be opened.) + + mail_never_cache_fields=* means now to disable all caching. 
This may + be a useful optimization as doveadm/dsync parameter for some admin + tasks which shouldn't really update the cache file. + + IMAP: Return SPECIAL-USE flags always for LSUB command. + - pop3 server was still crashing in v2.2.12 with some settings + - maildir: Various fixes and improvements to handling compressed mails, + especially when they have broken/missing S=sizes in filenames. + - fts-lucene, fts-solr: Fixed crash on search when the index contained + duplicate entries. + - Many fixes and performance improvements to dsync and replication + - director was somewhat broken when there were exactly two directors + in the ring. It caused errors about "weak users" getting stuck. + - mail_attachment_dir: Attachments with the last base64-encoded line + longer than the rest wasn't handled correctly. + - IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+ + - acl: Global ACL file handling was broken when multiple entries + matched the mailbox name. (Only the first entry was used.) + +v2.2.12 2014-02-14 Timo Sirainen <tss@iki.fi> + + - pop3 server was crashing in v2.2.11 + +v2.2.11 2014-02-12 Timo Sirainen <tss@iki.fi> + + + acl plugin: Added an alternative global ACL file that can contain + mailbox patterns. See http://wiki2.dovecot.org/ACL for details. + + imap proxy: Added proxy_nopipelining passdb setting to work around + other IMAP servers' bugs (MS Exchange 2013 especially). + + Added %{auth_user}, %{auth_username} and %{auth_domain} variables. + See http://wiki2.dovecot.org/Variables for details. + + Added support for LZ4 compression. + + stats: Track also wall clock time for commands. + + pop3_migration plugin improvements to try harder to match the UIDLs + correctly. + - imap: SEARCH/SORT PARTIAL responses may have been too large. + - doveadm backup: Fixed assert-crash when syncing mailbox deletion. + +v2.2.10 2013-11-25 Timo Sirainen <tss@iki.fi> + + + auth: passdb/userdb dict rewrite to support much more complex + setups. 
See doc/example-config/dovecot-dict-auth.conf.ext. + The old settings will continue to work. + + auth: Added userdb result_success/failure/tempfail and skip + settings, similar to passdb's. See + http://wiki2.dovecot.org/UserDatabase + + imap: Implemented SETQUOTA command for admin user when quota_set is + configured. See http://master.wiki2.dovecot.org/Quota/Configuration + + quota: Support "*" and "?" wildcards in mailbox names in quota_rules + + mysql: Added ssl_verify_server_cert=no|yes parameter. This currently + defaults to "no" to make sure nothing breaks, but likely will become + "yes" in Dovecot v2.3. + + ldap: Added blocking=yes setting to use auth worker processes for + ldap lookups. This is a workaround for now to be able to use multiple + simultaneous LDAP connections. + + pop3c+dsync performance improvements + - quota-status: quota_grace was ignored + - ldap: Fixed memory leak with auth_bind=yes and without + auth_bind_userdn. + - imap: Don't send HIGHESTMODSEQ anymore on SELECT/EXAMINE when + CONDSTORE/QRESYNC has never before been enabled for the mailbox. + - imap: Fixes to handling mailboxes without permanent modseqs. + (When [NOMODSEQ] is returned by SELECT, mainly with in-memory + indexes.) + - imap: Various fixes to METADATA support. + - stats plugin: Processes that only temporarily dropped privileges + (e.g. indexer-worker) may have been logging errors about not being + able to open /proc/self/io. + +v2.2.9 2013-11-25 Timo Sirainen <tss@iki.fi> + + + Full text search indexing can now be done automatically after + saving/copying mails by setting plugin { fts_autoindex=yes } + + replicator: Added replication_dsync_parameters setting to pass + "doveadm sync" parameters (for controlling what to replicate). + + Added mail-filter plugin + + Added liblzma/xz support (zlib_save=xz) + - v2.2.8's improved cache file handling exposed several old bugs + related to fetching mail headers. 
+ - v2.2.7's iostream handling changes were causing some connections + to be disconnected before flushing their output (e.g. POP3 logout + message wasn't being sent) + +v2.2.8 2013-11-19 Timo Sirainen <tss@iki.fi> + + + Mail cache lookups work for the mail being saved. This improves + performance by avoiding the need to parse the mail multiple times + when using some plugins (e.g. mail_log). + + Mail cache works for recently cached data also with in-memory + indexes. + + imapc: Many performance improvements, especially when working with + dsync. Also added imapc_feature=fetch-headers which allows using + FETCH BODY.PEEK[HEADER.FIELDS (..)] to avoid reading the entire + header. + + mail_location = ..:FULLDIRNAME=dbox-Mails is the same as + :DIRNAME=dbox-Mails, but it will also be used for + :INDEX and :CONTROL directories. (It should have worked this way + from the beginning, but can't be changed anymore without breaking + existing installations). + - Fixed infinite loop in message parsing if message ends with + "--boundary" and CR (without LF). Messages saved via SMTP/LMTP can't + trigger this, because messages must end with an "LF.". A user could + trigger this for him/herself though. + - lmtp: Client was sometimes disconnected before all the output was + sent to it. + - imap_zlib plugin caused crashes during client disconnection in + v2.2.7 + - replicator: Database wasn't being exported to disk every 15 minutes + as it should have. Instead it was being imported, causing "doveadm + replicator remove" commands to not work very well. + +v2.2.7 2013-11-03 Timo Sirainen <tss@iki.fi> + + * Some usage of passdb checkpassword could have been exploitable by + local users. You may need to modify your setup to keep it working. 
+ See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security + + + auth: Added ability to truncate values logged by + auth_verbose_passwords (see 10-logging.conf comment) + + mdbox: Added "mdbox_deleted" storage, which can be used to access + messages with refcount=0. For example: doveadm import + mdbox_deleted:~/mdbox "" mailbox inbox subject oops + + ssl-params: Added ssl_dh_parameters_length setting. + - master process was doing a hostname.domain lookup for each created + process, which may have caused a lot of unnecessary DNS lookups. + - dsync: Syncing over 100 messages at once caused problems in some + situations, causing messages to get new UIDs. + - fts-solr: Different Solr hosts for different users didn't work. + +v2.2.6 2013-09-25 Timo Sirainen <tss@iki.fi> + + * acl: If public/shared namespace has a shared subscriptions file for + all users, don't list subscription entries that are not visible to + the user accessing it. + + + doveadm: Added "auth lookup" command for doing passdb lookup. + + login_log_format_elements: Added %{orig_user}, %{orig_username} + and %{orig_domain} expanding to the username exactly as sent by + the client (before any changes auth process made). + + Added ssl_prefer_server_ciphers setting. + + auth_verbose_passwords: Log the password also for unknown users. 
+ + Linux: Added optional support for SO_REUSEPORT with + inet_listener { reuse_port=yes } + - director: v2.2.5 changes caused "SYNC lost" errors + - dsync: Many fixes and error handling improvements + - doveadm -A: Don't waste CPU by doing a separate config lookup + for each user + - Long-running ssl-params process no longer prevents Dovecot restart + - mbox: Fixed mailbox_list_index=yes to work correctly + +v2.2.5 2013-08-05 Timo Sirainen <tss@iki.fi> + + + SSL: Added support for ECDH/ECDHE cipher suites (by David Hicks) + + Added some missing man pages (by Pascal Volk) + + quota-status: Added quota_status_toolarge setting (by Ulrich Zehl) + - director: Users near expiration could have been redirected to + different servers at the same time. + - pop3: Avoid assert-crash if client disconnects during LIST. + - mdbox: Corrupted index header still wasn't automatically fixed. + - dsync: Various fixes to work better with imapc and pop3c storages. + - ldap: sasl_bind=yes caused crashes, because Dovecot's lib-sasl + symbols conflicted with Cyrus SASL library. + - imap: Various error handling fixes to CATENATE. (Found using + Apple's stress test script.) + +v2.2.4 2013-06-25 Timo Sirainen <tss@iki.fi> + + + doveadm: Added "flags" command to modify message flags. + + doveadm: Added "deduplicate" command to expunge message duplicates. + + dsync: Show the state in process title with verbose_proctitle=yes. + - imap/pop3 proxy: Master user logins were broken in v2.2.3 + - sdbox/mdbox: A corrupted index header with wrong size was never + automatically fixed in v2.2.3. + - mbox: Fixed assert-crashes related to locking. + +v2.2.3 2013-06-17 Timo Sirainen <tss@iki.fi> + + * LDA/LMTP: If new mail delivery first fails with "temporary + failure", tempfail the whole delivery instead of falling back to + delivering the mail to INBOX. (Requires new Pigeonhole as well.) + * doc/solr-schema.xml was updated to Solr v4.x format. 
Also the + default analyzers were changed, hopefully for the better. Note that + the schema can't be changed for existing Solr indexes without + rebuilding everything. + * Solr plugin does only soft commits from now on. You'll need a + cronjob to send a hard commit command to it every few minutes. + + + Added %N modifier for variables as %H-like "new hash" + + sdbox, mdbox: Support POP3 message order field (for migrations) + + Added mailbox { driver } to specify a different mail storage + format for the mailbox than generally used within the namespace. + + Added initial lib-sasl library for client side SASL support. + Currently supports only PLAIN, LOGIN and plugins. Used currently + by IMAP and POP3 proxying when authenticating to the remote server. + - IMAP: If subject contained only whitespace, Dovecot returned an + ENVELOPE reply with a huge literal value, effectively causing the + IMAP client to wait for more data forever. + - IMAP: Various URLAUTH fixes. + - imapc: Various bugfixes and improvements + - pop3c: Various fixes to make it work in dsync (without imapc) + - dsync: Fixes to syncing subscriptions. Fixes to syncing mailbox + renames. + +v2.2.2 2013-05-20 Timo Sirainen <tss@iki.fi> + + + zlib: Keep the last mail cached uncompressed in a temp file. This + fixes performance when doing small partial fetches from a large + mail. + + acl: If plugin { acl_defaults_from_inbox = yes } is set, get the + default ACLs for private and shared namespaces from the user's INBOX. + (This probably will become default in v2.3.) + + pop3: Added pop3_deleted_flag setting to switch POP3 deletions to + only hide the messages from POP3, but still be visible via IMAP. + - ACL plugin: Mailbox creation wasn't actually checking any ACLs + and always succeeded (due to some v2.2 API changes). The created + mailbox couldn't have been accessed though, so this couldn't have + caused any data leak. + - IMAP: Various URLAUTH fixes. + - IMAP: Fixed a hang with invalid APPEND parameters. 
+ - IMAP LIST-EXTENDED: INBOX was never listed with \Subscribed flag. + - mailbox_list_index=yes still caused crashes. + - maildir: Fixed a crash after dovecot-keywords file was re-read. + - maildir: If files had reappeared unexpectedly to a Maildir, they + were ignored until index files were deleted. + - Maildir: Fixed handling over 26 keywords in a mailbox. + - Maildir++: Fixed mail_shared_explicit_inbox=no + - namespace { prefix="" list=no } was listing mailboxes. + - imap/pop3-login proxying: Fixed a crash if TCP connection succeeded, + but the remote login timed out. + - Case-insensitive search/sort didn't work correctly for all unicode + characters, as specified by i;unicode-casemap comparator. If full + text search indexes were used, they need to be rebuilt for old mails + to be handled correctly. (This bug has existed always in Dovecot.) + +v2.2.1 2013-04-19 Timo Sirainen <tss@iki.fi> + + - mailbox_list_index=yes was broken. + - LAYOUT=index didn't list subscriptions. + - auth: Multiple master passdbs didn't work. + - Message parsing (e.g. during search) crashed when multipart message + didn't actually contain any parts. + +v2.2.0 2013-04-11 Timo Sirainen <tss@iki.fi> + + * When creating home directories, the permissions are copied from the + parent directory if it has setgid-bit set. For full details, see + http://wiki2.dovecot.org/SharedMailboxes/Permissions + * "doveadm auth" command was renamed to "doveadm auth test" + * IMAP: ID command now advertises server name as Dovecot by default. + It was already trivial to guess this from command replies. + * dovecot.index.cache files can be safely accessed only by v2.1.11+. + Older versions may think they're corrupted and delete them. + * LDA/LMTP: If saving a mail brings user from under quota to over + quota, allow it based on quota_grace setting (default: 10% + above quota limit). 
+ * pop3_lock_session=yes now uses a POP3-only dovecot-pop3-session.lock + file instead of actually locking the mailbox (and causing + IMAP/LDA/LMTP to wait for the POP3 session to close). + * mail_shared_explicit_inbox setting's default switched to "no". + * ssl_client_ca_dir setting replaced imapc_ssl_ca_dir and + pop3c_ssl_ca_dir settings. + + + Implemented IMAP MOVE and BINARY extensions + + Implemented IMAP CATENATE, URLAUTH and URLAUTH=BINARY extensions + (by Stephan Bosch). + + Implemented IMAP NOTIFY extension. Requires mailbox_list_index=yes + to be enabled. + + Redesigned and rewritten dsync. The new design makes the syncing + faster, more reliable and more featureful. The new dsync protocol + isn't backwards compatible with old dsync versions (but is designed + to be forwards compatible with future versions). + + All mailbox formats now support per-user message flags for shared + mailboxes by using a private index. It can be enabled by adding + :INDEXPVT=<path> to mail location. This should be used instead of + :INDEX also for Maildir/mbox to improve performance. + + Improved mailbox list indexes. They should be usable now, although + still disabled by default. + + Added LAYOUT=index. The mailbox directories are created using their + GUIDs in the filesystem, while the actual GUID <-> name mapping + exists only in the index. + + LMTP proxy: Implemented XCLIENT extension for passing remote IP + address through proxy. + +v2.2.rc7 2013-04-10 Timo Sirainen <tss@iki.fi> + + * checkpasword: AUTH_PASSWORD environment is no longer set. + * Running dsync no longer triggers quota warnings. + + + dsync: Commit large transactions every 100 new messages, so if a + large sync crashes it doesn't have to be restarted from the + beginning. + - replicator: doveadm commands and user list export may have skipped + some users. 
+ - Various fixes to mailbox_list_index=yes + +v2.2.rc6 2013-04-08 Timo Sirainen <tss@iki.fi> + + * replicator: Don't create replicator-doveadm socket by default. + This way doveadm replicator commands don't accidentally start an + unconfigured replicator server. + + replicator: Have remote dsync notify the remote replicator that + a user was just synced. This way the replicators are kept roughly + in sync. + + Added ssl_client_ca_file to specify the CA certs as a file. This is + needed (instead of ssl_client_ca_dir) in RedHat-based systems. + + Added "doveadm fs" commands, mainly to debug lib-fs backends. + - Mailbox list indexes weren't using proper file permissions based + on the root directory. + +v2.2.rc5 2013-04-05 Timo Sirainen <tss@iki.fi> + + - A few small random fixes + +v2.2.rc4 2013-04-05 Timo Sirainen <tss@iki.fi> + + + Added "doveadm replicator" commands + - Larger changes to lib-http and lib-ssl-iostream error handling. + The API caller can now get the exact error message as a string. + - Various bugfixes to LDAP changes in rc3 + +v2.2.rc3 2013-03-20 Timo Sirainen <tss@iki.fi> + + + dsync: Support syncing ACLs (and Sieve scripts with Pigeonhole) + + ldap: Support subqueries and value pointers, see + http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb + + postmaster_address setting: Expand %d to recipient's domain + - Fixed a crash when decoding quoted-printable content. + - dsync: Various bugfixes + +v2.2.rc2 2013-02-15 Timo Sirainen <tss@iki.fi> + + - rc1 wasn't actually usable in most configurations. + +v2.2.rc1 2013-02-15 Timo Sirainen <tss@iki.fi> + + * See v2.2.0 notes + +v2.1.13 2013-01-06 Timo Sirainen <tss@iki.fi> + + - Some fixes to cache file changes in v2.1.11. + - fts-solr: Overlong UTF8 sequences in mails were rejected by Solr and + caused the mails to not be indexed. + - virtual storage: Sorting mailbox by from/to/cc/bcc didn't work. 
+ +v2.1.12 2012-11-30 Timo Sirainen <tss@iki.fi> + + - dovecot-config in v2.1.11 caused build problems with Pigeonhole + +v2.1.11 2012-11-29 Timo Sirainen <tss@iki.fi> + + * lmtp/lda: dovecot.index.cache file is no longer fully mapped to + memory, allowing mail deliveries to work even if the file is huge. + * auth: userdb passwd lookups are now done by auth worker processes + instead of auth master process (as it was documented, but + accidentally didn't work that way). + + + lmtp: lmtp_rcpt_check_quota=yes setting checks quota on RCPT TO. + - lmtp: After successful proxying RCPT TO, the next one to a + nonexistent user gave tempfail error instead of "user not found". + - lmtp proxy: Fixed hanging if remote server was down. + - imap: Fixed crash when SEARCH contained multiple KEYWORD parameters. + - doveadm: Various fixes to handling doveadm-server connections. + - -i <instance name> parameter for Dovecot tools didn't work correctly. + - director was somewhat broken in v2.1.10. This version also includes + various reliability enhancements. + - auth: passdb imap was broken in v2.1.10. + +v2.1.10 2012-09-18 Timo Sirainen <tss@iki.fi> + + + imap: Implemented THREAD=ORDEREDSUBJECT extension. + + Added "doveadm exec" command to easily execute commands from + libexec_dir, e.g. "doveadm exec imap -u user@domain" + + Added "doveadm copy" command. + + doveadm copy/move: Added optional user parameter to specify the + source username. This allows easily copying mails between different + users. + + Added namespace { disabled } setting to quickly enable/disable + namespaces. This is especially useful when its value is returned by + userdb. + + Added mailbox_alias plugin. It allows creating mailbox aliases using + symlinks. + + imapc storage: Added imapc_max_idle_time setting to force activity + on connection. + + fts-solr: Expunging multiple messages is now faster. 
+ - director: In some conditions director may have disconnected from + another director (without logging about it), thinking it was sending + invalid data. + - imap: Various fixes to listing mailboxes. + - pop3-migration plugin: Avoid disconnection from POP3 server due + to idling. + - login processes crashed if there were a lot of local {} or remote {} + settings blocks. + +v2.1.9 2012-08-01 Timo Sirainen <tss@iki.fi> + + * mail-log plugin: Log mailbox names with UTF-8 everywhere + (instead of mUTF-7 in some places and UTF-8 in other places) + * director: Changed director_username_hash setting's default from %u + to %Lu (= lowercase usernames). This doesn't break any existing + installations, but might fix some of them. + + + doveadm: Added "auth cache flush [<username>]" command. + + Implemented dict passdb/userdb + + Implemented Redis and memcached dict backends, which can be used as + auth backends. Redis can also be used as dict-quota backend. + + Added plugin { quota_ignore_save_errors=yes } setting to allow saving + a mail when quota lookup fails with temporary failure. + - Full text search indexing might have failed for some messages, + always causing indexer-worker process to run out of memory. + - fts-lucene: Fixed handling SEARCH HEADER FROM/TO/SUBJECT/CC/BCC when + the header wasn't lowercased. + - fts-squat: Fixed crash when searching a virtual mailbox. + - pop3: Fixed assert crash when doing UIDL on empty mailbox on some + setups. + - auth: GSSAPI RFC compliancy and error handling fixes. + - Various fixes related to handling shared namespaces + +v2.1.8 2012-07-03 Timo Sirainen <tss@iki.fi> + + + pop3c: Added pop3c_master_user setting. + - imap: Mailbox names were accidentally sent as UTF-8 instead of mUTF-7 + in previous v2.1.x releases for STATUS, MYRIGHTS and GETQUOTAROOT + commands. + - lmtp proxy: Don't timeout connections too early when mail has a lot + of RCPT TOs. + - director: Don't crash if the director is working alone. 
+ - shared mailboxes: Avoid doing "@domain" userdb lookups. + - doveadm: Fixed crash with proxying some commands. + - fts-squat: Fixed handling multiple SEARCH parameters. + - imapc: Fixed a crash when message had more than 8 keywords. + - imapc: Don't crash on APPEND/COPY if server doesn't support UIDPLUS. + +v2.1.7 2012-05-29 Timo Sirainen <tss@iki.fi> + + * LDAP: Compatibility fix for v2.0: ldap: If attributes contain + ldapAttr=key=template%$ and ldapAttr doesn't exist, skip the key + instead of using "template" value with empty %$ part for the key. + + + pop3: Added pop3_uidl_duplicates setting for changing the behavior + for duplicate UIDLs. + + director: Added "doveadm director ring remove" command. + - director: Don't crash with quickly disconnecting incoming director + connections. + - mdbox: If mail was originally saved to non-INBOX, and namespace + prefix is non-empty, don't assert-crash when rebuilding indexes. + - sdbox: Don't use more fds than necessary when copying mails. + - auth: Fixed crash with DIGEST-MD5 when attempting to do master user + login without master passdbs. + - Several fixes to mail_shared_explicit_inbox=no + - imapc: Use imapc_list_prefix also for listing subscriptions. + +v2.1.6 2012-05-07 Timo Sirainen <tss@iki.fi> + + * Session ID is now included by default in auth and login process + log lines. It can be added to mail processes also by adding + %{session} to mail_log_prefix. + + + Added ssl_require_crl setting, which specifies if CRL check must + be successful when verifying client certificates. + + Added mail_shared_explicit_inbox setting to specify if a shared INBOX + should be accessible as "shared/$user" or "shared/$user/INBOX". + - v2.1.5: Using "~/" as mail_location or elsewhere failed to actually + expand it to home directory. + - dbox: Fixed potential assert-crash when reading dbox files. + - trash plugin: Fixed behavior when quota is already over limit. + - mail_log plugin: Logging "copy" event didn't work. 
+ - Proxying to backend server with SSL: Verifying server certificate + name always failed, because it was compared to an IP address. + +v2.1.5 2012-04-23 Timo Sirainen <tss@iki.fi> + + * IMAP: When neither the session nor the mailbox has modseq tracking + enabled, return the mailbox as having NOMODSEQ in SELECT/EXAMINE + reply. Old versions in this situation always simply returned + HIGHESTMODSEQ as 1, which could have broken some clients. + + + dict file: Added optional fcntl/flock locking (default is dotlock) + + fts-solr: doveadm fts rescan now resets indexes, which allows + reindexing mails. (This isn't a full rescan implementation like + fts-lucene has.) + + doveadm expunge: Added -d parameter to delete mailbox if it's + empty after expunging. + - IMAP: Several fixes related to mailbox listing in some configs + - director: A lot of fixes and performance improvements + - v2.1.4 didn't work without a mail home directory set + - mbox: Deleting a mailbox didn't delete its index files. + - pop3c: TOP command was sent incorrectly + - trash plugin didn't work properly + - LMTP: Don't add a duplicate Return-Path: header when proxying. + - listescape: Don't unescape namespace prefixes. + +v2.1.4 2012-04-09 Timo Sirainen <tss@iki.fi> + + + Added mail_temp_scan_interval setting and changed its default value + from 8 hours to 1 week. + + Added pop3-migration plugin for easily doing a transparent IMAP+POP3 + migration to Dovecot: http://wiki2.dovecot.org/Migration/Dsync + + doveadm user: Added -m parameter to show some of the mail settings. + - Proxying SSL connections crashed in v2.1.[23] + - fts-solr: Indexing mail bodies was broken. + - director: Several changes to significantly improve error handling + - doveadm import didn't import messages' flags + - mail_full_filesystem_access=yes was broken + - Make sure IMAP clients can't create directories when accessing + nonexistent users' mailboxes via shared namespace. 
+ - Dovecot auth clients authenticating via TCP socket could have failed + with bogus "PID already in use" errors. + +v2.1.3 2012-03-16 Timo Sirainen <tss@iki.fi> + + - mdbox was broken in v2.1.2 + +v2.1.2 2012-03-15 Timo Sirainen <tss@iki.fi> + + + Initial implementation of dsync-based replication. For now this + should be used only on non-critical systems. + + Proxying: POP3 now supports sending remote IP+port from proxy to + backend server via Dovecot-specific XCLIENT extension. + + Proxying: proxy_maybe=yes with host=<hostname> (instead of IP) + works now properly. + + Proxying: Added auth_proxy_self setting + + Proxying: Added proxy_always extra field (see wiki docs) + + Added director_username_hash setting to specify what part of the + username is hashed. This can be used to implement per-domain + backends (which allows safely accessing shared mailboxes within + domain). + + Added a "session ID" string for imap/pop3 connections, available + in %{session} variable. The session ID passes through Dovecot + IMAP/POP3 proxying to backend server. The same session ID is can be + reused after a long time (currently a bit under 9 years). + + passdb checkpassword: Support "credentials lookups" (for + non-plaintext auth and for lmtp_proxy lookups) + + fts: Added fts_index_timeout setting to abort search if indexing + hasn't finished by then (default is to wait forever). + - doveadm sync: If mailbox was expunged empty, messages may have + become back instead of also being expunged in the other side. + - director: If user logged into two directors while near user + expiration, the directors might have redirected the user to two + different backends. + - imap_id_* settings were ignored before login. + - Several fixes to mailbox_list_index=yes + - Previous v2.1.x didn't log all messages at shutdown. + - mbox: Fixed accessing Dovecot v1.x mbox index files without errors. 
+ +v2.1.1 2012-02-23 Timo Sirainen <tss@iki.fi> + + + dsync: If message with same GUID is saved multiple times in session, + copy it instead of re-saving. + - acl plugin + autocreated mailboxes crashed when listing mailboxes + - doveadm force-resync: Don't skip autocreated mailboxes (especially + INBOX). + - If process runs out of fds, stop listening for new connections only + temporarily, not permanently (avoids hangs with process_limit=1 + services) + - auth: passdb imap crashed for non-login authentication (e.g. smtp). + +v2.1.0 2012-02-16 Timo Sirainen <tss@iki.fi> + + * Plugins now use UTF-8 mailbox names rather than mUTF-7: + acl, autocreate, expire, trash, virtual + * auth_username_format default changed to %Lu. If you really want + case sensitive usernames, set it back to empty. + * Solr full text search backend changed to use mailbox GUIDs instead of + mailbox names, requiring reindexing everything. solr_old backend can + be used with old indexes to avoid reindexing, but it doesn't support + some newer features. + * Expire plugin: Only go through users listed by userdb iteration. + Delete dict rows for nonexistent users, unless + expire_keep_nonexistent_users=yes. + * Temporary authentication failures sent to IMAP/POP3 clients + now includes the server's hostname and timestamp. This makes it + easier to find the error message from logs. + * dsync was merged into doveadm. There is still "dsync" symlink + pointing to "doveadm", which you can use the old way for now. + The preferred ways to run dsync are "doveadm sync" (for old "dsync + mirror") and "doveadm backup". + + + imapc (= IMAP client) storage allows using a remote IMAP server to + be used as storage. This allows using Dovecot as a smart (caching) + proxy or using dsync to do migration from remote IMAP server. 
+ + Mailbox indexing via queuing indexer service (required for Lucene) + + Lucene full text search (FTS) backend rewritten with support for + different languages + + FTS finally supports "OR" search operation + + FTS supports indexing attachments via external programs + + IMAP FUZZY extension, supported by Lucene and Solr FTS backends + + IMAP SPECIAL-USE extension to describe mailboxes + + Mailbox list indexes + + Statistics tracking via stats service. Exported via doveadm stats. + + Autocreate plugin creates/subscribes mailboxes physically only when + the mailbox is opened for the first time. Mailbox listing shows the + autocreated mailboxes even if they don't physically exist. + + Password and user databases now support default_fields and + override_fields settings to specify template defaults/overrides. + + SCRAM-SHA-1 authentication mechanism by Florian Zeitz + + LDAP: Allow building passdb/userdb extra fields from multiple LDAP + attributes by using %{ldap:attributeName} variables in the template. + + Improved multi-instance support: Track automatically which instances + are started up and manage the list with doveadm instance commands. + All Dovecot commands now support -i <instance_name> parameter to + select the instance (instead of having to use -c <config path>). + See instance_name setting. + + auth: Implemented support for Postfix's "TCP map" sockets for + user existence lookups. + - listescape plugin works perfectly now + +v2.1.rc7 2012-02-15 Timo Sirainen <tss@iki.fi> + + + Added ignore_on_failure setting for namespaces. If namespace + initialization fails with this enabled (e.g. permission denied), + the namespace is silently skipped for the user. + +v2.1.rc6 2012-02-12 Timo Sirainen <tss@iki.fi> + + * Added automatic mountpoint tracking and doveadm mount commands to + manage the list. If a mountpoint is unmounted, error handling is + done by assuming that the files are only temporarily lost. 
This is + especially helpful if dbox alt storage becomes unmounted. + * Expire plugin: Only go through users listed by userdb iteration. + Delete dict rows for nonexistent users, unless + expire_keep_nonexistent_users=yes. + * LDA's out-of-quota and Sieve's reject mails now include DSN report + instead of MDN report. + + + LDAP: Allow building passdb/userdb extra fields from multiple LDAP + attributes by using %{ldap:attributeName} variables in the template. + + doveadm log errors shows the last 1000 warnings and errors since + Dovecot was started. + + Improved multi-instance support: Track automatically which instances + are started up and manage the list with doveadm instance commands. + All Dovecot commands now support -i <instance_name> parameter to + select the instance (instead of having to use -c <config path>). + See instance_name setting. + + doveadm mailbox delete: Added -r parameter to delete recursively + + doveadm acl: Added "add" and "remove" commands. + + Updated to Unicode v6.1 + - mdbox: When saving to alt storage, Dovecot didn't append as much + data to m.* files as it could have. + - dbox: Fixed error handling when saving failed or was aborted + - IMAP: Using COMPRESS extension may have caused assert-crashes + - IMAP: THREAD REFS sometimes returned invalid (0) nodes. + - dsync: Fixed handling non-ASCII characters in mailbox names. + +v2.1.rc5 2012-01-26 Timo Sirainen <tss@iki.fi> + + * Temporary authentication failures sent to IMAP/POP3 clients + now includes the server's hostname and timestamp. This makes it + easier to find the error message from logs. + + + auth: Implemented support for Postfix's "TCP map" sockets for + user existence lookups. + + auth: Idling auth worker processes are now stopped. This reduces + error messages about MySQL disconnections. + - director: With >2 directors ring syncing might have stalled during + director connect/disconnect, causing logins to fail. 
+ - LMTP client/proxy: Fixed potential hanging when sending (big) mails + - Compressed mails with external attachments (dbox + SIS + zlib) failed + sometimes with bogus "cached message size wrong" errors. + +v2.1.rc4 was never actually released, but was accidentally tagged in hg. + +v2.1.rc3 2012-01-06 Timo Sirainen <tss@iki.fi> + + - Added missing file that prevented v2.1.rc2 from compiling.. + +v2.1.rc2 2012-01-06 Timo Sirainen <tss@iki.fi> + + * dsync was merged into doveadm. There is still "dsync" symlink + pointing to "doveadm", which you can use the old way for now. + The preferred ways to run dsync are "doveadm sync" (for old "dsync + mirror") and "doveadm backup". + + + IMAP SPECIAL-USE extension to describe mailboxes + + Added mailbox {} sections, which deprecate autocreate plugin + + lib-fs: Added "mode" parameter to "posix" backend to specify mode + for created files/dirs (for mail_attachment_dir). + + inet_listener names are now used to figure out what type the socket + is when useful. For example naming service auth { inet_listener } to + auth-client vs. auth-userdb has different behavior. + + Added pop3c (= POP3 client) storage backend. + - LMTP proxying code was simplified, hopefully fixing its problems. + - dsync: Don't remove user's subscriptions for subscriptions=no + namespaces. + +v2.1.rc1 2011-11-24 Timo Sirainen <tss@iki.fi> + + * Plugins now use UTF-8 mailbox names rather than mUTF-7: + acl, autocreate, expire, trash, virtual + * auth_username_format default changed to %Lu. If you really want + case sensitive usernames, set it back to empty. + * Solr full text search backend changed to use mailbox GUIDs instead of + mailbox names, requiring reindexing everything. solr_old backend can + be used with old indexes to avoid reindexing, but it doesn't support + some newer features. + + + imapc (= IMAP client) storage allows using a remote IMAP server to + be used as storage. 
This allows using Dovecot as a smart (caching) + proxy or using dsync to do migration from remote IMAP server. + + Mailbox indexing via queuing indexer service (required for Lucene) + + Lucene full text search (FTS) backend rewritten with support for + different languages + + FTS finally supports "OR" search operation + + FTS supports indexing attachments via external programs + + IMAP FUZZY extension, supported by Lucene and Solr FTS backends + + IMAP SPECIAL-USE extension to describe mailboxes + + Mailbox list indexes + + Statistics tracking via stats service. Exported via doveadm stats. + + Autocreate plugin creates/subscribes mailboxes physically only when + the mailbox is opened for the first time. Mailbox listing shows the + autocreated mailboxes even if they don't physically exist. + + Password and user databases now support default_fields and + override_fields settings to specify template defaults/overrides. + + SCRAM-SHA-1 authentication mechanism by Florian Zeitz + - listescape plugin works perfectly now + +v2.0.15 2011-09-16 Timo Sirainen <tss@iki.fi> + + + doveadm altmove: Added -r parameter to move mails back to primary + storage. + - v2.0.14: Index reading could have eaten a lot of memory in some + situations + - doveadm index no longer affects future caching decisions + - mbox: Fixed crash during mail delivery when mailbox didn't yet have + GUID assigned to it. + - zlib+mbox: Fetching last message from compressed mailboxes crashed. + - lib-sql: Fixed load balancing and error handling when multiple hosts + are used. + +v2.0.14 2011-08-29 Timo Sirainen <tss@iki.fi> + + + doveadm: Added support for running mail commands by proxying to + another doveadm server. + + Added "doveadm proxy list" and "doveadm proxy kick" commands to + list/kick proxy connections (via a new "ipc" service). + + Added "doveadm director move" to assign user from one server to + another, killing any existing connections. + + Added "doveadm director ring status" command. 
+ + userdb extra fields can now return name+=value to append to an + existing name, e.g. "mail_plugins+= quota". + - script-login attempted an unnecessary config lookup, which usually + failed with "Permission denied". + - lmtp: Fixed parsing quoted strings with spaces as local-part for + MAIL FROM and RCPT TO. + - imap: FETCH BODY[HEADER.FIELDS (..)] may have crashed or not + returned all data sometimes. + - ldap: Fixed random assert-crashing with with sasl_bind=yes. + - Fixes to handling mail chroots + - Fixed renaming mailboxes under different parent with FS layout when + using separate ALT, INDEX or CONTROL paths. + - zlib: Fixed reading concatenated .gz files. + +v2.0.13 2011-05-11 Timo Sirainen <tss@iki.fi> + + + Added "doveadm index" command to add unindexed messages into + index/cache. If full text search is enabled, it also adds unindexed + messages to the fts database. + + added "doveadm director dump" command. + + pop3: Added support for showing messages in "POP3 order", which can + be different from IMAP message order. This can be useful for + migrations from other servers. Implemented it for Maildir as 'O' + field in dovecot-uidlist. + - doveconf: Fixed a wrong "subsection has ssl=yes" warning. + - mdbox purge: Fixed wrong warning about corrupted extrefs. + - sdbox: INBOX GUID changed when INBOX was autocreated, leading to + trouble with dsync. + - script-login binary wasn't actually dropping privileges to the + user/group/chroot specified by its service settings. + - Fixed potential crashes and other problems when parsing header names + that contained NUL characters. + +v2.0.12 2011-04-12 Timo Sirainen <tss@iki.fi> + + + doveadm: Added "move" command for moving mails between mailboxes. + + virtual: Added support for "+mailbox" entries that clear \Recent + flag from messages (default is to preserve them). 
+ - dbox: Fixes to handling external attachments + - dsync: More fixes to avoid hanging with remote syncs + - dsync: Many other syncing/correctness fixes + - doveconf: v2.0.10 and v2.0.11 didn't output plugin {} section right + +v2.0.11 2011-03-07 Timo Sirainen <tss@iki.fi> + + * dotlock_use_excl setting's default was accidentally "no" in all + v2.0.x releases, instead of "yes" as in v1.1 and v1.2. Changed it + back to "yes." + + - v2.0.10: LDAP support was broken + - v2.0.10: dsyncing to remote often hanged (timed out in 15 mins) + +v2.0.10 2011-03-04 Timo Sirainen <tss@iki.fi> + + * LMTP: For user+detail@domain deliveries, the +detail is again written + to Delivered-To: header. + * Skip auth penalty checks from IPs in login_trusted_networks. + + + Added import_environment setting. + + Added submission_host setting to send mails via SMTP instead of + via sendmail binary. + + Added doveadm acl get/set/delete commands for ACL manipulation, + similar to how IMAP ACL extension works. + + Added doveadm acl debug command to help debug and fix problems + with why shared mailboxes aren't working as expected. + - IMAP: Fixed hangs with COMPRESS extension + - IMAP: Fixed a hang when trying to COPY to a nonexistent mailbox. + - IMAP: Fixed hang/crash with SEARCHRES + pipelining $. + - IMAP: Fixed assert-crash if IDLE+DONE is sent in same TCP packet. + - LMTP: Fixed sending multiple messages in a session. + - doveadm: Fixed giving parameters to mail commands. + - doveadm import: Settings weren't correctly used for the + import storage. + - dsync: Fixed somewhat random failures with saving messages to + remote dsync. + - v2.0.9: Config reload didn't notify running processes with + shutdown_clients=no, so they could have kept serving new clients + with old settings. 
+ +v2.0.9 2011-01-13 Timo Sirainen <tss@iki.fi> + + - Linux: Fixed a high system CPU usage / high context switch count + performance problem + - Maildir: Avoid unnecessarily reading dovecot-uidlist while opening + mailbox. + - Maildir: Fixed renaming child mailboxes when namespace had a prefix. + - mdbox: Don't leave partially written messages to mdbox files when + aborting saving. + - Fixed master user logins when using userdb prefetch + - lda: Fixed a crash when trying to send "out of quota" reply + - lmtp: If delivering duplicate messages to same user's INBOX, + create different GUIDs for them. This helps to avoid duplicate + POP3 UIDLs when pop3_uidl_format=%g. + - virtual storage: Fixed saving multiple mails in a transaction + (e.g. copy multiple messages). + - dsync: Saved messages' save-date was set to 1970-01-01. + +v2.0.8 2010-12-03 Timo Sirainen <tss@iki.fi> + + * Services' default vsz_limits weren't being enforced correctly in + earlier v2.0 releases. Now that they are enforced, you might notice + that the default limits are too low and you need to increase them. + This problem will show up in logs as "out of memory" errors. + See default_vsz_limit and service { vsz_limit } settings. + * LMTP: In earlier versions if mail was delivered to user+detail@domain + address, LMTP server always attempted to deliver the mail to mailbox + named "detail". This was rather unintentional and shouldn't have been + the default. lmtp_save_to_detail_mailbox=yes setting now preserves + this behavior (default is no). + + + Added systemd support (configure --with-systemdsystemunitdir). + Based on patch by Christophe Fergeau. + + Replaced broken mbox-snarf plugin with a new more generic snarf + plugin. + - dbox: Fixes to handling external mail attachments + - verbose_proctitle=yes didn't work for all processes in v2.0.7 + - imap, pop3: When service { client_count } was larger than 1, the + log messages didn't use the correct prefix. 
Last logged in user's + prefix was always used, regardless of what user's session actually + logged it. Now the proper log prefix is always used. + - MySQL: Only the first specified host was ever used + +v2.0.7 2010-11-08 Timo Sirainen <tss@iki.fi> + + * master: default_process_limit wasn't actually used anywhere, + rather the default was unlimited. Now that it is enforced, you might + notice that the default limit is too low and you need to increase it. + Dovecot logs a warning when this happens. + * mail-log plugin: Log mailbox name as virtual name rather than + physical name (e.g. namespace prefix is included in the name) + + + doveadm dump: Added imapzlib type to uncompress IMAP's + COMPRESS DEFLATE I/O traffic (e.g. from rawlog). + - IMAP: Fixed LIST-STATUS when listing subscriptions with + subscriptions=no namespaces. + - IMAP: Fixed SELECT QRESYNC not to crash on mailbox close if a lot of + changes were being sent. + - quota: Don't count virtual mailboxes in quota + - doveadm expunge didn't always actually do the physical expunging + - Fixed some index reading optimizations introduced by v2.0.5. + - LMTP proxying fixes + +v2.0.6 2010-10-21 Timo Sirainen <tss@iki.fi> + + * Pre-login CAPABILITY includes IDLE again. Mainly to make Blackberry + servers happy. + * auth: auth_cache_negative_ttl default was 0 in earlier v2.0.x, but it + was supposed to be 1 hour as in v1.x. Changed it back to 1h. + If you want it disabled, make sure doveconf shows it as 0. + + + dbox: Added support for saving mail attachments to external files, + with also support for single instance storage. This feature hasn't + had much testing yet, so be careful with it. + + doveadm: Added import command for importing mails from other storages. 
+ + Reduced NFS I/O operations for index file accesses + + dbox, Maildir: When copying messages, copy also already cached fields + from dovecot.index.cache + + mdbox: Added mdbox_preallocate_space setting (Linux+ext4/XFS only) + - Maildir: LDA/LMTP assert-crashed sometimes when saving a mail. + - Fixed leaking fds when writing to dovecot.mailbox.log. + - Fixed rare dovecot.index.cache corruption + - IMAP: SEARCH YOUNGER/OLDER wasn't working correctly + +v2.0.5 2010-10-01 Timo Sirainen <tss@iki.fi> + + * acl: Fixed the logic of merging multiple ACL entries. Now it works as + documented, while previously it could have done slightly different + things depending on the order of the entries. + * virtual: Allow opening virtual mailboxes that refer to non-existing + mailboxes. It seems that the benefits of this outweigh the lack of + error message when typoing a mailbox name. + + + Added some disk I/O optimizations to Maildir and index code. They're + especially helpful with short-lived connections like POP3. + + pop3: Added pop3_fast_size_lookups setting. + - doveconf sometimes failed with complaining about missing ssl_key + setting, causing e.g. dovecot-lda to fail. + - lda: If there's an error in configuration, doveconf didn't exit with + EX_TEMPFAIL as it should have. + - sdbox: Fixed memory leak when copying messages with hard links. + - zlib + sdbox combination didn't work + - zlib: Fixed several crashes, which mainly showed up with mbox. + - quota: Don't crash if user has quota disabled, but plugin loaded. + - doveadm fetch uid was actually returning sequence, not uid. + - v2.0.4's subscription listing ignored (and logged a warning about) + subscriptions=no namespaces' entries in some configurations. + (So listing shared mailboxes' subscriptions could have been broken.) + - acl: Fixed crashing when sometimes listing shared mailboxes via + dict proxy. 
+ +v2.0.4 2010-09-26 Timo Sirainen <tss@iki.fi> + + * multi-dbox: If :INDEX=path is specified, keep + storage/dovecot.map.index* files also in the index path rather than + in the main storage directory. + + WARNING: if you specified :INDEX= with earlier mdbox installation, + you must now manually move the storage indexes to the expected + directory! Otherwise Dovecot won't see them and will rebuild the + indexes, possibly unexpunging some mails. + + - Maildir: Copying messages with hard links sometimes caused the + source maildir's entire tmp/ directory to be renamed to destination + maildir as if it were a message. + - Maildir: v2.0.3 broke expunging copied messages sometimes + - Maildir: INBOX whose tmp/ directory was lost couldn't be opened + - single-dbox: Messages weren't copied with hard links + - vpopmail support is hopefully working again. + - dsync: POP3 UIDLs weren't copied with Maildir + - dict file: Fixed fd leak (showed up easily with LMTP + quota) + +v2.0.3 2010-09-17 Timo Sirainen <tss@iki.fi> + + * dovecot-lda: Removed use of non-standard Envelope-To: header as a + default for -a. Set lda_original_recipient_header=Envelope-To to + returns the old behavior. + + + Added support for reverse quota warnings (i.e. when quota goes back + under the limit). This is enabled by adding '-' to beginning of + quota_warning value. Based on patch by Jeroen Koekkoek. + + dovecot-lda: Added lda_original_recipient_header setting, which is + used for getting original recipient if -a isn't used. + + dovecot-lda: Added -r parameter to specify final recipient address. + (It may differ from original address for e.g. aliases.) + + Maildir: uidlist file can now override message's GUID, making it + possible for multiple messages in a mailbox to have the same GUID. + This also fixes dsync's message conflict resolution. + - dovecot-lda: If destination user isn't found, exit with EX_NOUSER, + not EX_TEMPFAIL. 
+ - dsync: Fixed handling \Noselect mailboxes + - Fixed an infinite loop introduced by v2.0.2's message parser changes. + - Fixed a crash introduced by v2.0.2's istream-crlf changes. + +v2.0.2 2010-09-08 Timo Sirainen <tss@iki.fi> + + * vpopmail support is disabled for now, since it's broken. You can use + it via checkpassword support or its sql/ldap database directly. + + - maildir: Fixed "duplicate uidlist entry" errors that happened at + least with LMTP when mail was delivered to multiple recipients + - Deleting ACLs didn't cause entries to be removed from acl_shared_dict + - mail_max_lock_timeout setting wasn't working with all locks + - auth_cache_size setting's old-style value wasn't autoconverted + and it usually also caused a crash + +v2.0.1 2010-08-24 Timo Sirainen <tss@iki.fi> + + * When dsync is started as root, remote dsync command is now also + executed as root instead of with dropped privileges. + + - IMAP: QRESYNC parameters for SELECT weren't handled correctly. + - UTF-8 string validity checking wasn't done correctly (e.g. + mailbox names in Sieve fileinto) + - dsync: Fixed a random assert-crash with remote dsyncing + +v2.0.0 2010-08-16 Timo Sirainen <tss@iki.fi> + + * Dovecot uses two system users for internal purposes now by default: + dovenull and dovecot. You need to create the dovenull user or change + default_login_user setting. + * Global ACLs are now looked up using namespace prefixes. For example + if you previously had INBOX. namespace prefix and a global ACL for + "INBOX.Sent", it's now looked up from "INBOX.Sent" file instead of + "Sent" as before. + * Maildir: File permissions are no longer based on dovecot-shared file, + but the mailbox directory. + + + Redesigned master process. It's now more modular and there is less + code running as root. + + Configuration supports now per-local/remote ip/network settings. + + dsync utility does a two-way mailbox synchronization. + + LMTP server and proxying. 
+ + Added mdbox (multi-dbox) mail storage backend. + + doveadm utility can be used to do all kinds of administration + functions. Old dovecotpw and *view utilities now exist in its + subcommands. + + imap and pop3 processes can now handle multiple connections. + + IMAP: COMPRESS=DEFLATE is supported by imap_zlib plugin + + director service helps NFS installations to redirect users always + to same server to avoid corruption + +v2.0.rc6 2010-08-13 Timo Sirainen <tss@iki.fi> + + - dict quota didn't always decrease quota when messages were expunged + - Shared INBOX wasn't always listed with FS layout + +v2.0.rc5 2010-08-09 Timo Sirainen <tss@iki.fi> + + - Using more than 2 plugins could have caused broken behavior + (more fixes for this) + - Listescape plugin fixes + - mbox: Fixed a couple of assert-crashes + - mdbox: Fixed potential assert-crash when saving multiple messages + in one transaction. + +v2.0.rc4 2010-08-04 Timo Sirainen <tss@iki.fi> + + + director: Added director_doveadm_port for accepting doveadm + TCP connections. + + doveadm: Added client/server architecture support for running mail + commands. Enable this by setting doveadm_worker_count to non-zero. + + mail-log: Added support for mailbox_create event. + + imap_capability = +XFOO BAR can be used to add capabilities instead + of replacing the whole capability string. + + virtual storage: Added support for IDLE notifications. + - doveadm mailbox status: Fixed listing non-ASCII mailbox names. + - doveadm fetch: Fixed output when fetching message header or body + - doveadm director map/add/remove: Fixed handling IP address as + parameter. + - dsync: A few more fixes + +v2.0.rc3 2010-07-20 Timo Sirainen <tss@iki.fi> + + * Single-dbox is now called "sdbox" instead of "dbox". + "dbox" will stay as an alias for it for now. + + + Added mail_temp_dir setting, used by deliver and lmtp for creating + temporary mail files. Default is /tmp. + + doveadm: Added "director map" command to list user -> host mappings. 
+ - imap: Fixed checking if list=children namespace has children. + - director: If all login processes died, director stopped reading + proxy-notify input and caused future login processes to hang + - mail_log plugin configuration was broken + - Using more than 2 plugins could have caused broken behavior + - mdbox: Race condition fixes related to copying and purging + - dsync: Lots of fixes + +v2.0.rc2 2010-07-09 Timo Sirainen <tss@iki.fi> + + - Fixed a crash with empty mail_plugins + - Fixed sharing INBOX to other users + - mdbox: Rebuilding storage was broken in rc1 + - dsync was broken for remote syncs in rc1 + - director+LMTP proxy wasn't working correctly + - v1.x config parser failed with some settings if pigeonhole wasn't + installed. + - virtual: If non-matching messages weren't expunged within same + session, they never got expunged. + +v2.0.rc1 2010-07-02 Timo Sirainen <tss@iki.fi> + + * See v2.0.0 notes + +v1.2.6 2009-10-05 Timo Sirainen <tss@iki.fi> + + * Upgraded to Unicode 5.2.0 + + + Added authtest utility for doing passdb and userdb lookups. + + login: ssl_security string now also shows the used compression. + - quota: Don't crash with non-Maildir++ quota backend. + - imap proxy: Fixed crashing with some specific password characters. + - dovecot --exec-mail was broken. + - Avoid assert-crashing when two processes try to create index at the + same time. + +v1.2.5 2009-09-13 Timo Sirainen <tss@iki.fi> + + * Authentication: DIGEST-MD5 and RPA mechanisms no longer require + user's login realm to be listed in auth_realms. It only made + configuration more difficult without really providing extra security. + * zlib plugin: Don't allow clients to save compressed data directly. + This prevents users from exploiting (most of the) potential security + holes in zlib/bzlib. + + + Added pop3_save_uidl setting. + + dict quota: When updating quota and user isn't already in dict, + recalculate and save the quota. 
+ - file_set_size() was broken with OSes that didn't support + posix_fallocate() (almost everyone except Linux), causing all kinds + of index file errors. + - v1.2.4 index file handling could have caused an assert-crash + - IMAP: Fixes to QRESYNC extension. + - virtual plugin: Crashfix + - deliver: Don't send rejects to any messages that have Auto-Submitted + header. This avoids emails loops. + - Maildir: Performance fixes, especially with maildir_very_dirty_syncs. + - Maildir++ quota: Limits weren't read early enough from maildirsize + file (when quota limits not enforced by Dovecot) + - Message decoding fixes (mainly for IMAP SEARCH, Sieve). + +v1.2.4 2009-08-17 Timo Sirainen <tss@iki.fi> + + * acl: When looking up ACL defaults, use global/local default files + if they exist. So it's now possible to set default ACLs by creating + dovecot-acl file to the mail root directory. + + + imap/pop3 proxy: If proxy destination is known to be down, + fail connections to it immediately. + + imap/pop3 proxy: Added proxy_timeout passdb extra field to specify + proxy's connect timeout. + - Fixed a crash in index file handling. + - Fixed a crash in saving messages where message contained a CR + character that wasn't followed by LF (and the CR happened to be the + last character in an internal buffer). + - v1.2.3 crashed when listing shared namespace prefix. + - listescape plugin: Several fixes. + - autocreate plugin: Fixed autosubscribing to mailboxes in + subscriptions=no namespaces. + +v1.2.3 2009-08-07 Timo Sirainen <tss@iki.fi> + + * Mailbox names with control characters can't be created anymore. + Existing mailboxes can still be accessed though. + + + Allow namespace prefix to be opened as mailbox, if a mailbox + already exists in the root dir. + - Maildir: dovecot-uidlist was being recreated every time a mailbox + was accessed, even if nothing changed. 
+ - listescape plugin was somewhat broken + - Compiling fixes for non-Linux/BSDs + - imap: tb-extra-mailbox-sep workaround was broken. + - ldap: Fixed hang when >128 requests were sent at once. + - fts_squat: Fixed crashing when searching virtual mailbox. + - imap: Fixed THREAD .. INTHREAD crashing. + +v1.2.2 2009-07-27 Timo Sirainen <tss@iki.fi> + + * GSSAPI: More changes to authentication. Hopefully good now. + * lazy_expunge plugin: Drop \Deleted flag when moving message. + + + dovecot -n/-a now outputs also lda settings. + + dovecot.conf !include now supports globs (e.g. + !include /etc/dovecot/*.conf). Based on patch by Thomas Guthmann. + + acl: Support spaces in user/group identifiers. + + shared mailboxes: If only %%n is specified in prefix, default to + current user's domain. + - Dovecot master process could hang if it received signals too rapidly. + - Fixed "corrupted index cache file" errors (and perhaps others) caused + by e.g. IMAP's FETCH BODY[] command. + - IMAP: When QRESYNC is enabled, don't crash when a new mail is + received while IDLEing. + - IMAP: FETCH X-* parameters weren't working. + - Maildir++ quota: Quota was sometimes updated wrong when it was + being recalculated. + - Searching quoted-printable message body internally converted "_" + characters to spaces and didn't match search keys with "_". + - Messages in year's first/last day may have had broken timezones + with OSes not having struct tm->tm_gmtoff (e.g. Solaris). + - virtual plugin: If another session adds a new mailbox to index, + don't crash. + +v1.2.1 2009-07-09 Timo Sirainen <tss@iki.fi> + + * GSSAPI: Changed logging levels and improved the messages. + Changed the way cross-realm authentication handling is done, + hopefully it's working now for everyone. + * imap/pop3 logins now fail if home directory path is relative. + v1.2.0 deliver was already failing with these and they could have + caused problems even with v1.1. 
+ * IMAP: Custom authentication failure messages are now prefixed with + [ALERT] to get more clients to actually show them. + + + Improved some error messages. + - pop3: AUTH PLAIN was broken when SASL initial response wasn't given. + - mbox: New mailboxes were created with UIDVALIDITY 1. + - quota-fs was defaulting to group quota instead of user quota. + - Fixed ACLs to work with mbox. + - Fixed fchmod(-1, -1) errors with BSDs + - convert plugin / convert-tool: Fixed changing hierarchy separators + in mailbox names when alt_hierarchy_char isn't set. + +v1.2.0 2009-07-01 Timo Sirainen <tss@iki.fi> + + * When creating files or directories to mailboxes, Dovecot now uses + the mailbox directory's permissions and GID for them. Previous + versions simply used 0600 mode always. For backwards compatibility + dovecot-shared file's permissions still override these with Maildir. + * SQL dictionary (quota) configuration file is different than in v1.1. + See doc/dovecot-dict-sql-example.conf for the new format. + * deliver -m: Mailbox name is now assumed to be in UTF-8 format, + not modified-UTF7. Stephan Bosch's new Sieve implementation also + assumes UTF-8 format in fileinto parameters. + + + Full support for shared mailboxes and IMAP ACL extension. + The code is mainly from Sascha Wilde and Bernhard Herzog. + + IMAP: Added support for extensions: CONDSTORE, QRESYNC, ESEARCH, + ESORT, SEARCHRES, WITHIN, ID and CONTEXT=SEARCH. + + SEARCH supports INTHREAD search key, but the rest of the INTHREAD + draft isn't implemented yet so it's not advertised in capability. + + THREAD REFS algorithm where threads are sorted by their latest + message instead of the thread root message. There is also no base + subject merging. + + IMAP: Implemented imap-response-codes draft. + + Thread indexes for optimizing IMAP THREAD command and INTHREAD + search key. 
+ + Added userdb checkpassword (by Sascha Wilde) + + Virtual mailboxes: http://wiki.dovecot.org/Plugins/Virtual + + Autocreate plugin: http://wiki.dovecot.org/Plugins/Autocreate + + Listescape plugin: http://wiki.dovecot.org/Plugins/Listescape + +v1.2.rc8 2009-06-30 Timo Sirainen <tss@iki.fi> + + - Fixed building LDAP as plugin + - Fixed starting up in OS X + +v1.2.rc7 2009-06-27 Timo Sirainen <tss@iki.fi> + + * Removed configure --with-deliver, --with-pop3d and --disable-ipv6 + parameters. + + + Improved permission related error messages. + - mbox: Don't write garbage to mbox if message doesn't have a body. + - virtual: Fixed saving messages with keywords. + - virtual: Fixed infinite looping bug. + - zlib: Fixed error handling. + +v1.2.rc6 2009-06-22 Timo Sirainen <tss@iki.fi> + + * imap proxy: Pass through to client unexpected untagged replies + from remote server (e.g. alerts). + * Solr: Don't use "any" copyfield, it doubles the index size. + * mail_location: Allow using ":" characters in dir names by escaping + it as "::". + + - mbox: Don't crash with invalid From_-lines. + - IMAP: Don't crash if IDLE command is pipelined after a long-running + UID FETCH or UID SEARCH. + - ACL / shared mailbox fixes + - Some metadata files were incorrectly getting 0666 permissions. + +v1.2.rc5 2009-06-04 Timo Sirainen <tss@iki.fi> + + * auth_cache_negative_ttl is now used also for password mismatches + (currently only with plaintext authentication mechanisms). + + + Added support for EXTERNAL SASL mechanism. + + FETCH X-SAVEDATE can now be used to get messages' save timestamps + + deliver_log_format: %s is now in UTF8 + - If message body started with a space, some operations could have + assert-crashed. + - Fixed using LDAP support as a plugin + - Fixes to virtual mailboxes. + +v1.2.rc4 2009-05-17 Timo Sirainen <tss@iki.fi> + + * If /dev/arandom exists, use it instead of /dev/urandom (OpenBSD). 
+ * When logging to a file, the lines now start with a timestamp instead + of "dovecot: " prefix. + + + IMAP: When multiple commands are pipelined, try harder to combine + their mailbox syncing together. For example with Maildir pipelining + STORE 1:* +FLAGS \Deleted and EXPUNGE commands the files won't + be unnecessarily rename()d before being unlink()ed. + + imap-proxy: Send backend's CAPABILITY if it's different from what + was sent to client before. + + IMAP: struct mail now keeps track of all kinds of statistics, such + as number of open()s, stat()s, bytes read, etc. These fields could + be exported by some kind of a statistics plugin (not included yet). + + IMAP: SEARCH command now dynamically figures out how to run about + 0.20 .. 0.25 seconds before seeing if there's other work to do. + This makes the SEARCH performance much better. + - Fixes to shared mailbox handling. + - Fixes to virtual mailboxes. + - THREAD command could have crashed. + - Fixes to expire-tool. + - mbox: Don't break if From_-line is preceded by CRLF (instead of LF). + - dict process wasn't restarted after SIGHUP was sent to master. + +v1.2.rc3 2009-04-16 Timo Sirainen <tss@iki.fi> + + * IMAP proxy no longer simply forwards tagged reply from + remote authentication command. It's now done only if the remote + server sent a [resp-code], otherwise all failure strings are + converted to Dovecot's "Authentication failed." to make sure that + if remote isn't using Dovecot it won't reveal user's existence. + + + Quota roots can now specify which namespace's quota they're + tracking. This is probably the most useful for giving public + namespaces a quota. + + Added imap_idle_notify_interval setting. + - Fixes to shared mailbox handling + - Fixes to virtual mailboxes + - Fixed compiling with some FreeBSD and NetBSD versions + - THREAD REFS still might have returned one (0) at the beginning. + - deliver wasn't using mail_access_groups setting. 
+ - Fixed some error handling in maildir and index code. + +v1.2.rc2 2009-04-03 Timo Sirainen <tss@iki.fi> + + - rquota.x file was missing from rc1 distribution, causing compiling + to fail. + +v1.2.rc1 2009-04-03 Timo Sirainen <tss@iki.fi> + + * See v1.2.0 notes + +v1.1.5 2008-10-22 Timo Sirainen <tss@iki.fi> + + * Dovecot prints an informational message about authentication problems + at startup. The message goes away after the first successful + authentication. This hopefully reduces the number of "Why doesn't + my authentication work?" questions. + + + Maildir/dbox: Try harder to assign unique UIDVALIDITY values to + mailboxes to avoid potential problems when recreating or renaming + mailboxes. The UIDVALIDITY is tracked using dovecot-uidvalidity* + files in the mail root directory. + + Many logging improvements + - In some conditions Dovecot could have stopped using existing cache + file and never used it again until it was deleted. + - pop3 + Maildir: Make sure virtual sizes are always written to + dovecot-uidlist. This way if the indexes are lost Dovecot will never + do a huge amount of work to recalculate them. + - mbox: Fixed listing mailboxes in namespaces with prefix beginning + with '~' or '/' (i.e. UW-IMAP compatibility namespaces didn't work). + - dict quota: Don't crash when recalculating quota (when quota warnings + enabled). + - Fixes to handling "out of disk space/quota" failures. + - Blocking passdbs/userdbs (e.g. PAM, MySQL) could have failed lookups + sometimes when auth_worker_max_request_count was non-zero. + - Fixed compiling with OpenBSD + +v1.1.4 2008-10-05 Timo Sirainen <tss@iki.fi> + + - SORT: Yet another assert-crashfix when renumbering index sort IDs. + - ACL plugin fixes: Negative rights were actually treated as positive + rights. 'k' right didn't prevent creating parent/child/child mailbox. + ACL groups weren't working. 
+ - Maildir++ quota: Fixes to rebuilding when quota limit wasn't + specified in Dovecot (0 limit or limit read from maildirsize). + - mbox: Several bugfixes causing errors and crashes. + - Several fixes to expire plugin / expire-tool. + - lock_method=dotlock could have deadlocked with itself. + - Many error handling fixes and log message improvements. + +v1.1.3 2008-09-02 Timo Sirainen <tss@iki.fi> + + * mail_max_userip_connections limit no longer applies to master user + logins. + + + login_log_format_elements: Added %k to show SSL protocol/cipher + information. Not included by default. + + imap/pop3-proxy: If auth_verbose=yes, log proxy login failures. + + deliver: Added -s parameter to autosubscribe to autocreated mailboxes. + - message parser fixes - hopefully fixes an infinite looping problem + - SORT: One more assert-crashfix when renumbering index sort IDs. + - mbox: Saving may have truncated the mail being saved + - mbox: Several other bugfixes + - mail_full_filesystem_access=yes was broken when listing mailboxes + (it still is with maildir++ layout). + - maildirlock utility was somewhat broken + - zlib plugin: bzip2 support was somewhat broken + - NFS: Make sure writing to files via output streams don't + assert-crash when write() returns only partial success. + +v1.1.2 2008-07-24 Timo Sirainen <tss@iki.fi> + + + Added full text search indexing support for Apache Lucene Solr + server: http://wiki.dovecot.org/Plugins/FTS/Solr + + IMAP SORT: Added X-SCORE sort key for use with Solr searches. + + zlib plugin supports now bzip2 also. + + quota: All backends now take noenforcing parameter. + + Maildir: Add ,S=<size> to maildir filename whenever quota plugin + is loaded, even when not using Maildir++ quota. + + deliver: Allow lda section to override plugin settings. + + deliver: Giving a -m <namespace prefix> parameter now silently saves + the mail to INBOX. This is useful for e.g. 
-m INBOX/${extension} + + Added a new maildirlock utility for write-locking Dovecot Maildir. + + dict-sql: Support non-MySQL databases by assuming they implement the + "INSERT .. ON DUPLICATE KEY" using an INSERT trigger. + - SORT: Fixed several crashes/errors with sort indexing. + - IMAP: BODYSTRUCTURE is finally RFC 3501 compliant. Earlier versions + didn't include Content-Location support. + - IMAP: Fixed bugs with listing INBOX. + - Maildir: maildirfolder file wasn't created when dovecot-shared + file existed on the root directory + - deliver didn't expand %variables in namespace location settings. + - zlib: Copying non-compressed messages resulted in empty mails + (except when hardlink-copying between maildirs). + - mbox-snarf plugin was somewhat broken + - deliver + Maildir: If uidlist couldn't be locked while saving, + we might have assert-crashed + - mbox: Fixed an assert-crash with \Recent flag handling + +v1.1.1 2008-06-22 Timo Sirainen <tss@iki.fi> + + - Maildir: When migrating from v1.0 with old format dovecot-uidlist + files, Dovecot may have appended lines to it using the new format and + later broken with "UID larger than next_uid" error. + +v1.1.0 2008-06-21 Timo Sirainen <tss@iki.fi> + +No changes since v1.1.rc13. Below are the largest changes since v1.0: + + * After Dovecot v1.1 has modified index or dovecot-uidlist files, + they can't be opened anymore with Dovecot versions earlier than + v1.0.2. + * See doc/wiki/Upgrading.1.1.txt (or for latest changes, + http://wiki.dovecot.org/Upgrading/1.1) for list of changes since + v1.0 that you should be aware of when upgrading. + + + IMAP: Added support for UIDPLUS and LIST-EXTENDED extensions. + + IMAP SORT: Sort keys are indexed, which makes SORT commands faster. + + When saving messages, update cache file immediately with the data + that we expect client to fetch later. + + NFS caches are are flushed whenever needed. See mail_nfs_storage and + mail_nfs_index settings. 
+ + Out of order command execution (SEARCH, FETCH, LIST), nonstandard + command cancellation (X-CANCEL <tag>) + + IMAP: STATUS-IN-LIST draft implementation + + Expire plugin can be used to keep track of oldest messages in + specific mailboxes. A nightly run can then quickly expunge old + messages from the mailboxes that have them. The tracking is done + using lib-dict, so you can use either Berkeley DB or SQL database. + + Namespaces are supported everywhere now. + + Namespaces have new list and subscriptions settings. + + Full text search indexing support with Lucene and Squat backends. + + OTP and S/KEY authentication mechanisms (by Andrey Panin). + + mbox and Maildir works with both Maildir++ and FS layouts. You can + change these by appending :LAYOUT=maildir++ or :LAYOUT=fs to + mail_location. + + LDAP: Support templates in pass_attrs and user_attrs + + Support for listening in multiple IPs/ports. + + Quota plugin rewrite: Support for multiple quota roots, warnings, + allow giving storage size in bytes or kilo/mega/giga/terabytes, + per-mailbox quota rules. + + Filesystem quota backend supports inode limits, group quota and + RPC quota for NFS. + + SEARCH and SORT finally compare non-ASCII characters + case-insensitively. We use i;unicode-casemap algorithm. + + Config files support splitting values to multiple lines with \ + +v1.1.rc13 2008-06-20 Timo Sirainen <tss@iki.fi> + + - mbox: Fixed a crash when adding a new X-IMAPbase: header with + keywords. + - Message parser: Fixed assert-crash if cached MIME structure was + broken. + - Squat: Potential crashfix with mmap_disable=yes. + +v1.1.rc12 2008-06-19 Timo Sirainen <tss@iki.fi> + + - mbox: Don't give "Can't find next message offset" warnings when + plugin (e.g. quota) accesses the message being saved. + - deliver: Settings inside protocol imap {} weren't ignored. + +v1.1.rc11 2008-06-19 Timo Sirainen <tss@iki.fi> + + - dovecot-uidlist is now recreated if it results in file shrinking + over 25%. 
+ - Some other minor fixes + +v1.1.rc10 2008-06-13 Timo Sirainen <tss@iki.fi> + + * LIST X-STATUS renamed to LIST STATUS and fixed its behavior with + LIST-EXTENDED options. It's now compatible with STATUS-IN-LIST + draft 00. + + - Message parsing could have sometimes produced incorrect results, + corrupting BODY/BODYSTRUCTURE replies and perhaps others. + - SORT: Fixed several bugs + - FreeBSD 7.0: Environment clearing wasn't working correctly. + This caused "environment corrupted" problems at least with deliver + trying to call sendmail and running Dovecot from inetd. + - HP-UX: Several fixes to get it to work (by Christian Corti) + - Fixes to using expire plugin with SQL dictionary. + - dbox fixes + +v1.1.rc9 2008-06-09 Timo Sirainen <tss@iki.fi> + + + Maildir: When hardlink-copying a file, copy the W=<vsize> in the + filename if it exists in the original filename. + - mbox: With rc8 empty lines were inserted in the middle of saved + mails' headers. + - maildir: Fixed problems with opening newly saved messages which we + saw in index file but couldn't see in dovecot-uidlist. Happened only + when messages weren't saved via Dovecot (deliver or IMAP). + - Several bugfixes to handling sort indexes + - deliver: Boolean settings that were supposed to default to "yes" were + set to "no" unless explicitly defined in dovecot.conf: + dotlock_use_excl, maildir_copy_with_hardlinks, mbox_dirty_syncs, + mbox_lazy_writes. + +v1.1.rc8 2008-06-03 Timo Sirainen <tss@iki.fi> + + + deliver: Added -p parameter to provide path to delivered mail. + This allows maildir to save identical mails to multiple recipients + using hard links. + - rc6/rc7 broke POP3 with non-Maildir formats + - mbox: Saving a message without a body or the end-of-headers line + could have caused an assert-crash later. 
+ - Several dbox fixes + +v1.1.rc7 2008-05-30 Timo Sirainen <tss@iki.fi> + + - Fixed compiling problems with non-Linux OSes + +v1.1.rc6 2008-05-30 Timo Sirainen <tss@iki.fi> + + * Index file format changed a bit. If an older Dovecot v1.1 reads + index files updated by rc6+, they may give "Invalid header record + size" or "ext reset: invalid record size" warnings. v1.0 won't give + these errors. + * IMAP: LIST .. RETURN (X-STATUS) command return now LIST entries + before STATUS entries. + * zlib plugin: Uncompress if the message begins with zlib header + instead of looking at the 'Z' flag. This fixes copying with hard + links. Based on a patch by Richard Platel. + + + IMAP: SORT index handling code was half-rewritten to fix several bugs + when multiple sessions were sorting at the same time. The new code is + hopefully also faster. + + Maildir: If POP3 UIDL extra field is found from dovecot-uidlist, + it's used instead of the default UIDL format (or X-UIDL: header). + This allows easily preserving UIDLs when migrating from other POP3 + servers. Patch by Nicholas Von Hollen @ Mailtrust. + + Maildir: ,W=<vsize> is now always added to maildir filenames + + deliver: Avoid reading dovecot-uidlist's contents if possible. + + Added %T modifier = Trim whitespace from end of string + - IMAP: Fixed some bugs in LIST-EXTENDED implementation. + - IMAP: If client tries to change the selected mailbox state while + another command is still running, wait until the command is finished. + This fixes some crashes and other unwanted behavior. + - allow_nets userdb setting was broken with big endian CPUs + +v1.1.rc5 2008-05-05 Timo Sirainen <tss@iki.fi> + + + Support cross-realm Kerberos 5 authentication. Based on patch by + Zachary Kotlarek. + + Added dict_db_config setting to point to a Berkeley DB config file. + + If mail_chroot ends with "/.", remove chroot prefix from home + directory. + - Fixed several bugs and memory leaks in ACL plugin. 
LIST and LSUB + may have listed mailboxes where user had no 'l' access. STORE could + have been used to update any flags without appropriate access. + - mbox: Valid-looking From_-lines in message bodies caused the message + to be split to two messages (broken since v1.0). + - Plugin initialization hooks were called in wrong order, possibly + causing problems when multiple plugins were used at the same time. + - Expire plugin was broken + - LIST-EXTENDED options were ignored. + - LDAP: Static attribute names weren't working correctly + - deliver: mail_uid and mail_gid settings weren't used. + - pop3 + maildir++ quota: maildirsize file wasn't created if it + didn't exist already. + - dnotify: Waiting for dotlock to be deleted used 100% CPU + +v1.1.rc4 2008-04-01 Timo Sirainen <tss@iki.fi> + + * Fixed two buffer overflows in str_find_init(). It was used by + SEARCH code when searching for headers or message body. Added code + to catch these kind of overflows when compiling with --enable-debug. + Found by Diego Liziero. + + + LDAP: Added debug_level and ldaprc_path settings (OpenLDAP-only) + + Squat: Added fts_squat = partial=n full=m settings. See the wiki. + - dbox metadata updating fixes. + - quota: backend=n didn't work + - SEARCH RECENT may have returned non-recent messages if index files + were created by v1.0. + - If mailbox was opened as read-only with EXAMINE, STOREs were + permanently saved. + - LDAP: Templates were somewhat broken (by richs at whidbey.net) + +v1.1.rc3 2008-03-09 Timo Sirainen <tss@iki.fi> + + * Fixed a security hole in blocking passdbs (MySQL always. PAM, passwd + and shadow if blocking=yes) where user could specify extra fields + in the password. The main problem here is when specifying + "skip_password_check" introduced in v1.0.11 for fixing master user + logins, allowing the user to log in as anyone without a valid + password. + + - mail_privileged_group was broken in some systems (OS X, Solaris?) 
+ +v1.1.rc2 2008-03-08 Timo Sirainen <tss@iki.fi> + + * mail_extra_groups setting was commonly used insecurely. This setting + is now deprecated. Most users should switch to using + mail_privileged_group setting, but if you really need the old + functionality use mail_access_groups instead. + + + Expire plugin now supports wildcards in mailbox names. + + dbox: Expire plugin supports moving old mails to alternative + dbox directory + + Maildir++ quota: quota_rule=?:<rule> specifies a default rule + which is used only if the maildirsize file doesn't exist. + + If SSL/TLS connection isn't closed cleanly, log the last error + in the disconnection line. + + EXPUNGE: If new \Deleted messages were found while expunging, + do it again and expunge them as well (Outlook workaround) + - IMAP: SEARCH, LIST and THREAD command correctness fixes + - Maildir++ quota: Quota rules and warnings with % rules didn't work + if the default limits were taken from maildirsize file. + - Maildir++ quota: If both byte and message limits weren't specified, + maildirsize file was recalculated all the time + - mbox: Flag and keyword updates may have gotten lost in some + situations (happens with v1.0 too) + - ldap: Don't crash if userdb lookup fails + - Squat fixes and performance improvements + +v1.1.rc1 2008-02-21 Timo Sirainen <tss@iki.fi> + + * See v1.1.0 notes + +v1.0.10 2007-12-29 Timo Sirainen <tss@iki.fi> + + * Security hole with LDAP+auth cache: If base setting contained + %variables they weren't included in auth cache key, which broke + caching. This could have caused different users with same passwords + to log in as each other. + + - LDAP: Fixed potential infinite looping when connection to LDAP + server was lost and there were queued requests. + - mbox: More changes to fix problems caused by v1.0.8 and v1.0.9. 
+ - Maildir: Fixed a UIDLIST_IS_LOCKED() assert-crash in some conditions + (caused by changes in v1.0.9) + - If protocols=none, don't require imap executables to exist + +v1.0.9 2007-12-11 Timo Sirainen <tss@iki.fi> + + + Maildir: Don't wait on dovecot-uidlist.lock when we just want to + find out a new filename for the message. + - mbox: v1.0.8 changes sometimes caused FETCH to fail with + "got too little data", disconnecting the client. + - Fixed a memory leak when FETCHing message header/body multiple + times within a command (e.g. BODY[1] BODY[2]) + - IMAP: Partial body fetching was still slow with mboxes + +v1.0.8 2007-11-28 Timo Sirainen <tss@iki.fi> + + + Authentication: Added "password_noscheme" field that can be used + instead of "password". "password" treats "{prefix}" as a password + scheme while "password_noscheme" treats it as part of the password + itself. So "password_noscheme" should be used if you're storing + passwords as plaintext. Non-plaintext passwords never begin + with "{", so this isn't a problem with them. + - IMAP: Partial body fetching was sometimes non-optimal, causing + the entire message to be read for every FETCH command. + - deliver failed to save the message when envelope sender address + contained spaces. + - Maildir++ quota: We could have randomly recalculated quota when + it wasn't necessary. + - Login process could have crashed after logging in if client sent + data before "OK Logged in" reply was sent (i.e. before master had + replied that login succeeded). + - Don't assert-crash when reading dovecot.index.logs generated by + Dovecot v1.1. + - Authentication: Don't assert-crash if password beings with "{" but + doesn't contain "}". + - Authentication cache didn't work when using settings that changed + the username (e.g. auth_username_format). + +v1.0.7 2007-10-29 Timo Sirainen <tss@iki.fi> + + - deliver: v1.0.6's "From " line ignoring could have written to a + bad location in stack, possibly causing problems. 
+ +v1.0.6 2007-10-28 Timo Sirainen <tss@iki.fi> + + * IDLE: Interval between mailbox change notifies is now 1 second, + because some clients keep a long-running IDLE connection and use + other connections to actually read the mails. + * SORT: If Date: header is missing or broken, fallback to using + INTERNALDATE (as the SORT draft nowadays specifies). + + + deliver: If message begins with a "From " line, ignore it. + + zlib plugin: If maildir file has a "Z" flag, open it with zlib. + - CREATE: Don't assert-crash if trying to create namespace prefix. + - SEARCH: Fixes to handling NOT operator with sequence ranges. + - LDAP reconnection fixes + - Maildir: Don't break when renaming mailboxes with '*' or '%' + characters and children. + - mbox: Fixed "file size unexpectedly shrinked" error in some + conditions. + - quota+mbox: Don't fail if trying to delete a directory. + - Fixes to running from inetd + +v1.0.5 2007-09-09 Timo Sirainen <tss@iki.fi> + + - deliver: v1.0.4 broke home directory handling + - maildir: Creating mailboxes didn't use dovecot-shared's group for + cur/new/tmp directories. + +v1.0.4 2007-09-08 Timo Sirainen <tss@iki.fi> + + * Assume a MIME message if Content-Type: header exists, even if + Mime-Version: header doesn't. + + - IMAP: CREATE ns_prefix/box/ didn't work right when namespace prefix + existed. + - deliver: plugin {} settings were overriding settings from userdb. + - mbox: Expunging the first message might not have worked always + - PostgreSQL: If we can't connect to server, timeout queries after + a while instead of trying forever. + - Solaris: sendfile() support was broken and could have caused + 100% CPU usage and the connection hanging. + +v1.0.3 2007-08-01 Timo Sirainen <tss@iki.fi> + + - deliver: v1.0.2's bounce fix caused message to be always saved to + INBOX even if Sieve script had discard, reject or redirect commands. 
+ - LDAP: auth_bind=yes and empty auth_bind_userdn leaked memory + - ACL plugin: If user was given i (insert) right for a mailbox, but + not all s/t/w (seen, deleted, other flags) rights, COPY and APPEND + commands weren't supposed to allow saving those flags. This is + technically a security fix, but it's unlikely this caused problems + for anyone. + - ACL plugin: i (insert) right didn't work unless user was also given + l (lookup) right. + - Solaris: Fixed filesystem quota for autofs mounts. + +v1.0.2 2007-07-15 Timo Sirainen <tss@iki.fi> + + * dbox isn't built anymore by default. It will be redesigned so it + shouldn't be used. + + + Maildir: Support reading dovecot-uidlist (v3) files created by + Dovecot v1.1. + - Maildir: "UIDVALIDITY changed" errors could happen with newly + created mailboxes + - If "INBOX." namespace was used, LIST returned it with \HasNoChildren + which caused some clients not to show any other mailboxes. + - Maildir++ quota: If multiple processes were updating maildirsize + at the same time, we failed with "Unknown error". + - IMAP: IDLE didn't actually disconnect client after 30 minutes of + inactivity. + - LDAP passdb/userdb was leaking memory + - deliver: %variables in plugin {} weren't expanded + - deliver: Don't bounce the mail if Sieve plugin returns failure + +v1.0.1 2007-06-15 Timo Sirainen <tss@iki.fi> + + * deliver: If Return-Path doesn't contain user and domain, don't try + to bounce the mail (this is how it was supposed to work earlier too) + * deliver: %variables in mail setting coming from userdb aren't + expanded anymore (again how it should have worked). The expansion + could have caused problems if paths contained any '%' characters. + + + Print Dovecot version number with dovecot -n and -a + + deliver: Added -e parameter to write rejection error to stderr and + exit with EX_NOPERM instead of sending the rejection by executing + sendmail. 
+ + dovecot --log-error logs now a warning, an error and a fatal + - Trying to start Dovecot while it's already running doesn't anymore + wipe out login_dir and break the running Dovecot. + - maildir: Fixed "UID larger than next_uid" errors which happened + sometimes when dovecot-uidlist file didn't exist but index files did + (usually because mailbox didn't have any messages when it was + selected for the first time) + - maildir: We violated maildir spec a bit by not having keyword + characters sorted in the filename. + - maildir: If we don't have write access to cur/ directory, treat the + mailbox as read-only. This fixes some internal error problems with + trying to use read-only maildirs. + - maildir: Deleting a symlinked maildir failed with internal error. + - mbox: pop3_uidl_format=%m wasn't working right + - mbox: If non-filesystem quota was enabled, we could have failed + with "Unexpectedly lost From-line" errors while saving new messages + - mysql auth: %c didn't work. Patch by Andrey Panin + - APPEND / SEARCH: If internaldate was outside valid value for time_t, + we returned BAD error for APPEND and SEARCH never matched. With 64bit + systems this shouldn't have happened. With 32bit systems the valid + range is usually for years 1902..2037. + - COPY: We sent "Hang in there.." too early sometimes and checked it + too often (didn't break anything, but was slower than needed). + - deliver: Postfix's sendmail binary wasn't working with mail_debug=yes + - Don't corrupt ssl-parameters.dat files when running multiple Dovecot + instances. + - Cache compression caused dovecot.index.cache to be completely deleted + with big endian CPUs if 64bit file offsets were used (default) + - Fixed "(index_mail_parse_header): assertion failed" crash + +v1.0.0 2007-04-13 Timo Sirainen <tss@iki.fi> + + + Documentation updated. + +v1.0.rc32 2007-04-12 Timo Sirainen <tss@iki.fi> + + - LDAP, auth_bind=no: Don't crash if doing non-plaintext ldap passdb + lookup for unknown user. 
This also broke deliver when userdb static + was used. + - LDAP, auth_bind=yes and userdb ldap: We didn't wait until bind was + finished before sending the userdb request, which could have caused + problems. + - LDAP: Don't break when compiling with OpenLDAP v2.3 library + - Convert plugin: Don't create "maildirfolder" file to Maildir root. + +v1.0.rc31 2007-04-08 Timo Sirainen <tss@iki.fi> + + - mbox: Give "mbox file was modified while we were syncing" error only + if we detect some problems in the mbox file. The check can't be + trusted with NFS. + - Convert plugin: If directory for destination storage doesn't exist, + create it. + - Convert plugin: Mailbox names weren't converted in subscription list. + +v1.0.rc30 2007-04-06 Timo Sirainen <tss@iki.fi> + + * PAM: Lowercase the PAM service name when calling with "args = *". + Linux PAM did this internally already, but at least BSD didn't. + If your PAM file used to be in /etc/pam.d/IMAP or POP3 file you'll + need to lowercase it now. + + + Send list of CA names to client when using + ssl_verify_client_cert=yes. + - IMAP: If message body started with line feed, it wasn't counted + in BODY and BODYSTRUCTURE replies' line count field. + - deliver didn't load plugins before chrooting + +v1.0.rc29 2007-03-28 Timo Sirainen <tss@iki.fi> + + * Security fix: If zlib plugin was loaded, it was possible to open + gzipped mbox files outside the user's mail directory. + + + Added auth_gssapi_hostname setting. + - IMAP: LIST "" "" didn't return anything if there didn't exist a + namespace with empty prefix. This broke some clients. + - If Dovecot is tried to be started when it's already running, don't + delete existing auth sockets and break the running Dovecot + - If deliver failed too early it still returned exit code 89 instead + of EX_TEMPFAIL. + - deliver: INBOX fallbacking with -n parameter wasn't working. 
+ - passdb passwd and shadow couldn't be used as master or deny databases + - IDLE: inotify didn't notice changes in mbox file + - If index file directory couldn't be created, disable indexes instead + of failing to open the mailbox. + - rawlog wasn't working with chrooting + - Several other minor fixes + +v1.0.rc28 2007-03-23 Timo Sirainen <tss@iki.fi> + + * deliver + userdb static: Verify the user's existence from passdb, + unless allow_all_users=yes + * dovecot --exec-mail: Log to configured log files instead of stderr + * Added "-example" part to doc/dovecot-sql-example.conf and + doc/dovecot-ldap-example.conf. They are now also installed to + $sysconfdir with "make install". + + + When copying/syncing a lot of mails, send "* OK Hang in there" + replies to client every 15 seconds so it doesn't just timeout the + connection. + + Added idxview and logview utilities to examine Dovecot's index files + + passdb passwd and shadow support blocking=yes setting now also + + mbox: If mbox file changes unexpectedly while we're writing to it, + log an error. + + deliver: Ignore -m "" parameter to make calling it easier. + + deliver: Added new -n parameter to disable autocreating mailboxes. + It affects both -m parameter and Sieve plugin's fileinto action + - mbox: Using ~/ in the mail root directory caused a ~ directory to be + created (instead of expanding it to home directory) + - auth cache: If unknown user was found from cache, we didn't properly + return "unknown user" status, which could have caused problems in + deliver. 
+ - mbox: Fixed "UID inserted in the middle of mailbox" in some + conditions with broken X-UID headers + - Index view syncing fixes + - rc27 didn't compile with some non-GCC compilers + - vpopmail support didn't compile in rc27 + - NFS check with chrooting broke home direcotry for the first login + - deliver: If user lookup returned "unknown user", it logged + "BUG: Unexpected input" + - convert plugin didn't convert INBOX + +v1.0.rc27 2007-03-13 Timo Sirainen <tss@iki.fi> + + + mbox and index file code handles silently out of quota/disk + space errors (maildir still has problems). They will give the user + a "Not enough disk space" error instead of flooding the log file. + + Added fsync_disable setting. + + mail-log plugin: Log the mailbox name, except if it's INBOX + + dovecot-auth: Added a lot more debug logging to passdbs and userdbs + + dovecot-auth: Added %c variable which expands to "secured" with + SSL/TLS/localhost. + + dovecot-auth: Added %m variable which expands to auth mechanism name + - maildir++ quota: With ignore=box setting the quota was still updated + for the mailbox even though it was allowed to go over quota (but + quota recalculation ignored the box). + - Index file handling fixes + - mbox syncing fixes + - Wrong endianness index files still weren't silently rebuilt + - IMAP quota plugin: GETQUOTAROOT returned the mailbox name wrong the + namespace had a prefix or if its separator was non-default + - IMAP: If client was appending multiple messages with MULTIAPPEND + and LITERAL+ extensions and one of the appends failed, Dovecot + treated the rest of the mail data as IMAP commands. + - If mail was sent to client with sendfile() call, we could have + hanged the connection. This could happen only if mails were saved + with CR+LF linefeeds. + +v1.0.rc26 2007-03-07 Timo Sirainen <tss@iki.fi> + + * Changed --with-headers to --enable-header-install + * If time moves backwards only max. 
5 seconds, sleep until we're back + in the original present instead of killing ourself. An error is + still logged. + + - IMAP: With namespace prefixes LSUB prefix.* listed INBOX.INBOX. + - deliver: Ignore mbox metadata headers from the message input. + X-IMAP header crashed deliver. + - deliver: If mail_debug=yes, drop out DEBUG environment before + calling sendmail binary. Postfix's sendmail didn't really like it. + - mbox: X-UID brokenness fixes broke rc25 even with valid X-UID headers. + Now the code should finally work right. + - Maildir: When syncing a huge maildir, touch dovecot-uidlist.lock file + once in a while to make sure it doesn't get overwritten by another + process. + - Maildir++ quota: We didn't handle NUL bytes in maildirsize files very + well. Now the file is rebuilt when they're seen (NFS problem). + - Index/view handling fix should fix some crashes/errors + - If index files were moved to a different endianness machine, Dovecot + logged all sorts of errors instead of silently rebuilding them. + - Convert plugin didn't change hierarchy separators in mailbox names. + - PostgreSQL authentication could have lost requests once in a while + with a heavily loaded server. + - Login processes could have crashed in some situations + - auth cache crashed with non-plaintext mechanisms + +v1.0.rc25 2007-03-01 Timo Sirainen <tss@iki.fi> + + * If time moves backwards, Dovecot kills itself instead of giving + random problems. + + + Added --with-headers configure option to install .h files. + Binary package builders could use this to create some dovecot-dev + package to make compiling plugins easier. + - PLAIN authentication: Don't crash dovecot-auth with invalid input. + - IMAP APPEND: Don't crash if saving fails + - IMAP LIST: If prefix.INBOX has children and we're listing under + prefix.%, don't drop the prefix. + - mbox: Broken X-UID headers still weren't handled correctly. + - mail-log plugin: Fixed deleted/undeleted logging. 
+ +v1.0.rc24 2007-02-22 Timo Sirainen <tss@iki.fi> + + * Dovecot now fails to load plugins that were compiled for different + Dovecot version, unless version_ignore=yes is set. This needs to be + explicitly set in plugins, so out-of-tree plugins won't have this + check by default. + + - pop3_lock_session=yes could cause deadlocks, and with maildir the + uidlist lock could have been overridden after 2 minutes causing + problems + - PAM wasted CPU by calling a timeout function 1000x too often + - Trash plugin was more or less broken with multiple namespaces and + with multiple trash mailboxes + +v1.0.rc23 2007-02-20 Timo Sirainen <tss@iki.fi> + + * deliver doesn't ever exit with Dovecot's internal exit codes anymore. + All its internal exit codes are changed to EX_TEMPFAIL. + * mbox: X-Delivery-ID header is now dropped when saving mails. + * mbox: If pop3_uidl_format=%m, we generate a unique X-Delivery-ID + header when saving mails to make sure the UIDL is unique. + + + PAM: blocking=yes in args uses an alternative way to do PAM checks. + Try it if you're having problems with PAM. + + userdb passwd: blocking=yes in args makes the userdb lookups be done + in auth worker processes. Set it if you're doing remote NSS lookups + (eg. nss_ldap problems are fixed by this). + + If PAM child process hasn't responded in two minutes, send KILL + signal to it (only with blocking=no) + - IMAP: APPEND ate all CPU while waiting for more data from the client + (broken in rc22) + - mbox: Broken X-UID headers assert-crashed sometimes + - mbox: When saving a message to an empty mbox file it got an UID + which immediately got incremented. + - mbox: Fixed some wrong "uid-last unexpectedly lost" errors. + - auth cache: In some situations we crashed if passdb had extra_fields. + - auth cache: Special extra_fields weren't saved to auth cache. + For example allow_nets restrictions were ignored for cached entries. 
+ - A lot of initial login processes could cause auth socket errors + in log file at startup, if dovecot-auth started slowly. Now the + login processes are started only after dovecot-auth has finished + initializing itself. + - imap/pop3 proxy: Don't crash if the remote server disconnects before + we're logged in. + - deliver: Don't bother trying to save the mail twice into the default + mailbox (eg. if it's over quota). + - mmap_disable=yes + non-Linux was really slow with large + dovecot.index.cache files + - MySQL couldn't be used as a masterdb + - Trash plugin was more or less broken + - imap/pop3 couldn't load plugins if they chrooted + - imap/pop3-login process could crash in some conditions + - checkpassword-reply crashed if USER/HOME wasn't set + +v1.0.rc22 2007-02-06 Timo Sirainen <tss@iki.fi> + + + pop3: Commit the transaction even if client didn't QUIT so cached + data gets saved. + - Fixed another indexing bug in rc19 and later which caused + transactions to be skipped in some situations, causing all kinds of + problems. + - mail_log_max_lines_per_sec was a bit broken and caused crashes with + dovecot -a + - BSD filesystem quota was counted wrong. Patch by Manuel Bouyer + - LIST: If namespace has a prefix and inbox=no, don't list + prefix.inbox if it happens to exist when listing for %. + +v1.0.rc21 2007-02-02 Timo Sirainen <tss@iki.fi> + + - Cache file handling could have crashed rc20 + +v1.0.rc20 2007-02-02 Timo Sirainen <tss@iki.fi> + + + dovecot: Added --log-error command line option to log an error, so + the error log is easily found. + + Added mail_log_max_lines_per_sec setting. Change it to avoid log + throttling with mail_log plugin. 
+ - Changing message flags was more or less broken in rc19 + - ACL plugin still didn't work without separate control directory + - Some mbox handling fixes, including fixing an infinite loop + - Some index file handling fixes + - maildir quota: Fixed a file descriptor leak + - If auth_cache was enabled and userdb returned "user unknown" + (typically only deliver can do that), dovecot-auth crashed. + - mail_log plugin didn't work with pop3 + +v1.0.rc19 2007-01-23 Timo Sirainen <tss@iki.fi> + + - ACL plugin didn't work unless control dir was separate from maildir + - More index file handling fixes + +v1.0.rc18 2007-01-22 Timo Sirainen <tss@iki.fi> + + * ACL plugin + Maildir: Moved dovecot-acl file from control directory + to maildir. To prevent accidents caused by this change, Dovecot + kills itself if it finds dovecot-acl file from the control directory. + * When opening a maildir, check if tmp/'s atime is over 8h old. If it + is, delete files in it with ctime older than 36h. However if + atime - ctime > 36h, it means that there's nothing to be deleted and + the scanning isn't done. We update atime ourself if filesystem is + mounted with noatime. + * base_dir doesn't need to be group-readable, don't force it. + * mail_read_mmaped setting is deprecated and possibly broken. It's now + removed from dovecot-example.conf, but it still works for now. + * Removed also umask setting from dovecot-example.conf since currently + it doesn't do what it's supposed to. + + + Authentication cache caches now also userdb data. + + Added mail_log plugin to log various mail operations. Currently it + logs mail copies, deletions, expunges and mailbox deletions. + - dict quota: messages=n parameter actually changed storage limit. + - A lot of fixes to handling index files. This should fix almost all + of the problems ever reported. + - LDAP: auth_bind=yes was more or less broken. + - Saved mails and dovecot-keywords file didn't set the group from + dovecot-shared file. 
+ - Fixed potential assert-crash while searching messages + - Fixed some crashes with invalid X-UID headers in mboxes + - If you didn't have a namespace with empty prefix, giving STATUS + command for a non-existing namespace caused the connection to give + "NO Unknown namespace" errors for all the future commands. + +v1.0.rc17 2007-01-07 Timo Sirainen <tss@iki.fi> + + - MySQL authentication caused username to show up as "OK" in rc16. + +v1.0.rc16 2007-01-05 Timo Sirainen <tss@iki.fi> + + * IMAP: When trying to fetch an already expunged message, Dovecot used + to just disconnect client. Now it instead replies with dummy NIL + data. + * Priority numbers in plugin names have changed. If you're installing + from source, you should delete the existing plugin files before + installing the new ones, otherwise you'll get errors. + * Maildir: We're using rename() to move files from tmp/ to new/ now. + See http://wiki.dovecot.org/MailboxFormat/Maildir -> "Issues with + the specification" for reasoning why this is safe. This makes saving + mails faster, and also makes Dovecot usable with Mac OS X's HFS+ + (after you also set dotlock_use_excl=yes, see below). + + + Added dotlock_use_excl setting. If enabled, dotlocks are created + directly using O_EXCL flag, instead of by creating a temporary file + which is hardlinked. O_EXCL is faster, but may not work with NFS. + + If Dovecot crashes with Linux or Solaris, it'll log a + "Raw backtrace". It's worse than gdb's backtrace, but better than + nothing. + + Added maildir_copy_preserve_filename=yes setting. + + Added a lazy-expunge plugin to allow users to unexpunge their mails. + + maildir quota: Added ignore setting to maildir quota, which allows + ignoring quota in Trash mailbox. + + dict quota: If dictionary doesn't yet contain the quota, calculate + it by going through all the mails in all the mailboxes. 
+ + login_log_format_elements: Added %a=local port and %b=remote port + + Added -i and -o options to rawlog to restrict logging only to + input or output. + - Doing a STATUS command for a selected mailbox (not a recommended + IMAP client behavior) caused Dovecot to sync the mailbox silently. + This could have lost eg. EXPUNGE events from clients, causing them + to use wrong sequence numbers. + - deliver was treating boolean settings set to "no" as if they were + "yes" (they were supposed to be commented out for "no") + - Running "dovecot" with -a or -n option while Dovecot was running + deleted all authentication sockets, which caused all the future + logins to fail. + - maildir: RENAME and DELETE didn't touch control directory if it was + different from maildir or index dir. + - We treated internal userdb lookup errors as "user unknown" errors. + In such situations this caused deliver to think the user didn't + exist and the mail get bounced. + - pam: Setting cache_key crashed + - shared maildir: dovecot-keywords file's mode wasn't taken from + dovecot-shared file. + - dovecotpw wasn't working with PowerPC + +v1.0.rc15 2006-11-19 Timo Sirainen <tss@iki.fi> + + * Fixed an off-by-one buffer overflow in cache file handling. The + code is executed only with mmap_disable=yes and only if index files + are used (ie. INDEX=MEMORY is safe). + * passdb checkpassword: Handle vpopmail's non-standard exit codes. + + - rc14 sometimes assert-crashed if .log.2 file existed in a mailbox + (earlier versions leaked memory and file descriptors) + - io_add() assert-crashfixes + - Potential SSL hang fix at the beginning of the connection + +v1.0.rc14 2006-11-12 Timo Sirainen <tss@iki.fi> + + * LDAP: Don't try to use ldap_bind() with empty passwords, since + Windows 2003 AD skips password checking with them and just returns + success. + * verbose_ssl=yes: Don't bother logging "syscall failed: EOF" + messages. No-one cares about them. 
+ + + Dovecot sources should now compile without any warnings with gcc 3.2+ + - rc13 crashed if client disconnected while IDLEing + - LDAP: auth_bind=yes fixes + - %variables: Fixed zero padding handling and documented it. %0.1n + shouldn't enable it, and it really shouldn't stay for the next + %variable. -sign also shouldn't stay for the next variable. + - Don't leak opened .log.2 transaction logs. + - Fixed a potential hang in IDLE command (probably really rare). + - Fixed potential problems with client disconnecting while master was + handling the login. + - quota plugin didn't work in Mac OS X + +v1.0.rc13 2006-11-08 Timo Sirainen <tss@iki.fi> + + + deliver: If we're executing as a normal system user, get the HOME + environment from passwd if it's not set. This makes it possible to + run deliver from .forward. + - Older compilers caused LDAP authentication to crash + - Dying LDAP connections weren't handled exactly correctly in rc11, + although it seemed to work usually + - Fixed crashes and memory leaks with AUTHENTICATE command + - Fixed crashes and leaks with IMAP/POP3 proxying + - maildir: Changing a mailbox while another process was saving a + message there at the same may have caused the changes to not be made + into the maildir, which could have caused other problems later.. + +v1.0.rc12 2006-11-05 Timo Sirainen <tss@iki.fi> + + - rc11 didn't compile with some compilers + - default_mail_env fallbacking was broken with --exec-mail + +v1.0.rc11 2006-11-05 Timo Sirainen <tss@iki.fi> + + * Renamed default_mail_env to mail_location. default_mail_env still + works for backwards compatibility. + * deliver: When sending rejects, don't include Content-Type in the + rejected mail's headers. + * LDAP changes: + * If auth binds are used, bind back to the default dn before doing + a search. Otherwise it could fail if a user gave an invalid + password. + * Initial binding at connect is now done asynchronously. 
+ * Use pass_attrs even with auth_bind=yes since it may contain + useful non-password fields. + + + passdb checkpassword: Give TCPLOCALIP and TCPREMOTEIP and PROTO=TCP + environments to the checkpassword binary so we're UCSPI (and vchkpw) + compatible. + - mbox handling was a bit broken in rc10 + - Using Dovecot via inetd kept crashing dovecot master + - deliver: Don't crash with -f "". Changed the default from envelope + to be "MAILER-DAEMON". + - INBOX wasn't shown with LSUB command if only prefixed namespaces + were used. + - passdb ldap: Reconnecting to LDAP server wasn't working with + auth binds. + - passdb sql: Non-plaintext authentication didn't work + - MySQL passdb ignored all non-password checks, such as allow_nets + - trash plugin was broken + +v1.0.rc10 2006-10-16 Timo Sirainen <tss@iki.fi> + + * When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses + to actual IPv4 addresses first. + + + IMAP: Try to avoid sending duplicate/useless message flag updates + + Added support for non-plaintext authentication for vpopmail if it + returns plaintext passwords. Based on patch by Remi Gacogne. + + Added %D modified to return "sub.domain.org" as + "sub,dc=domain,dc=org" (for LDAP queries). Patch by Andrey Panin. + - rc9 broke cache files in 64bit systems + - deliver works now with mail_chroot + - auth cache didn't work properly with multiple passdbs + - Fixes to handling CRLF linefeeds in mboxes. + +v1.0.rc9 2006-10-14 Timo Sirainen <tss@iki.fi> + + * 64bit systems: dovecot.index.cache file will be rebuilt because + some time fields have been changed from 64bit fields to 32bit + fields. Now the same cache file can be used in both 32bit and + 64bit systems without it being rebuilt. + * Added libmysqlclient workaround to conflicting sha1_result symbol, + which caused Dovecot to fail logging into MySQL. + + + dovecot.index.cache file opening is delayed until it's actually + needed. This reduces disk accesses a bit with eg. STATUS commands. 
+ + auth_cache: Try to handle changing passwords automatically: If + password verification fails, but the last one had succeeded, don't + use the cache. This works only with plaintext auth. + - dovecot.index.cache: We didn't properly detect if some fields were + different length than we expected, which caused assert crashes + - Lots of fixes to login/master process handling + - mbox: Fixed a bug causing "X-IMAPbase uid-last unexpectedly lost + in mbox file" errors, and possibly others. + +v1.0.rc8 2006-10-09 Timo Sirainen <tss@iki.fi> + + * GSSAPI: Changed POP3 service name to "pop", which is what the + standard says + * "mbox:/var/mail/%u" no longer works as the mail location. You'll + have to specify the mail root explicitly, just like the examples + always have: "mbox:~/mail:INBOX=/var/mail/%u" + + + SHA1, LDAP-MD5, PLAIN-MD5, PLAIN-MD4: The password can be now either + hex or base64 encoded. The encoding is detected automatically based + on the password string length. + + Allow running only Dovecot master and dovecot-auth processes with + protocols=none setting + + deliver: -f <envelope sender> parameter can be used to set mbox + From_-line's sender address + + deliver: Log all mail saves and failures + + Tru64 SIA passdb support. Patch by Simon L Jackson. + - INBOX was listed twice in mailbox list if namespace prefix was used + - INBOX-prefixed namespaces were a bit broken + - kqueue: Fix 100% CPU usage + - deliver: Duplicate storage was a bit broken + - dictionary code was broken (ie. dict quota) + - SIGHUP caused crashes sometimes + +v1.0.rc7 2006-08-18 Timo Sirainen <tss@iki.fi> + + * Require that Dovecot master process's version number matches the + child process's, unless version_ignore=yes. Usually it's an + accidental installation problem if the version numbers don't match. + * Maildir: Create maildirfolder file when creating new maildirs. 
+ + + ldap+prefetch: Use global uid/gid settings if LDAP query doesn't + return them + + %variables: Negative offsets count from the end of the string. + Patch by Johannes Berg. + - kqueue ioloop code rewrite + - notify=kqueue might have caused connection hangs sometimes + - deliver: If message body contained a valid mbox From_ line, it + and the rest of the message was skipped. + - mbox: We got into infinite loops if trying to open a 2 byte sized + file as mbox. + - Don't crash with ssl_disable=yes + - quota plugin caused compiling problems with some OSes + - mbox: After saving a mail to a synced mbox, we lost the sync which + caused worse performance + +v1.0.rc6 2006-08-07 Timo Sirainen <tss@iki.fi> + + * Removed login_max_logging_users setting since it was somewhat weird + in how it worked. Added login_max_connections to replace it with + login_process_per_connection=no, and with =yes its functionality + is now within login_max_processes_count. + + + Added --with-linux-quota configure option to specify which Linux + quota version to use, in case it's not correct in sys/quota.h. + Usually used as --with-linux-quota=2 + + acl plugins: If .DEFAULT file exists in global ACL root directory, + use it as the default ACLs for all mailboxes. + - Fixes to login process handling, especially with + login_process_per_connection=no. + - Back to the original SSL proxy code but with one small fix, which + hopefully fixes the occational hangs with it + - Several fixes to handling LIST command more correctly. + +v1.0.rc5 2006-08-02 Timo Sirainen <tss@iki.fi> + + - Saving to mboxes still caused assert-crashes + +v1.0.rc4 2006-08-02 Timo Sirainen <tss@iki.fi> + + - Saving to mboxes caused assert-crashes + +v1.0.rc3 2006-08-02 Timo Sirainen <tss@iki.fi> + + - SSL connections hanged sometimes, especially when saving messages. + - mbox: Mail bodies were saved with CR+LF linefeeds + - Mail forwarding was broken with deliver/Sieve + - dbox fixes. Might actually be usable now. 
+ - Index file handling fixes with keywords + - Cache file was incorrectly used in some situations, which probably + caused problems sometimes. + - Maildir++ quota: Don't count "." and ".." directory sizes to quota. + After rewriting maildirsize file keep its fd open so that we can + later update it. Patch by Alexander Zagrebin + +v1.0.rc2 2006-07-04 Timo Sirainen <tss@iki.fi> + + * disable_plaintext_auth=yes: Removed hardcoded 127.* and ::1 IP + checks. Now we just assume that the connection is secure if the + local IP matches the remote IP address. + * SSL code rewrite which hopefully makes it work better than before. + Seems to work correctly, but if you suddently have trouble with SSL + connections this is likely the reason. + + + verbose_ssl=yes: Log also SSL alerts and BIO errors + - If namespace's location field wasn't set, the default location + was supposed to be used but it wasn't. + - When copying ssl-parameters.dat file from /var/lib to /var/run its + permissions went wrong if it couldn't be copied with hard linking. + - Fixed filesystem quota plugin to work with BSDs. + - Maildir: Saving mails didn't work if quota plugin was enabled (again) + - Maildir: Messages' received time wasn't saved properly when + saving/copying multiple messages at a time. Also if using quota + plugin the S= size was only set for the first saved file, and even + that was wrong. + - passdb passwd-file: Don't require valid uid/gid fields if file + isn't also being used as a userdb. + - PostgreSQL: Handle failures better so that there won't be + "invalid fd" errors in logs. + - Don't try to expunge messages if the mailbox is read-only. It'll + just cause our index files to go out of sync with the real + mailbox and cause errors. + - ANONYMOUS authentication mechanism couldn't work because + anonymous_username setting wasn't passed from master process. 
+ +v1.0.rc1 2006-06-28 Timo Sirainen <tss@iki.fi> + + * PAM: If user's password is expired, give "Password expired" error + message to the user. Now actually working thanks to Vaidas Pilkauskas + * Relicensed dovecot-auth, lib-sql and lib-ntlm to MIT license. See + COPYING file for more information. + * Abuse prevention: When creating a mailbox, limit the number of + hierarchies (up to 20) and the length of the mailbox name within + a hierarchy (up to 200 characters). + * mbox: If saved mail doesn't end with LF, add it ourself so that the + mails always have one empty line before the next From-line. + + + Added --with-statedir configure option which defaults to + $localstatedir/lib/dovecot. ssl-parameters.dat is permanently + stored in that directory and is copied to login_dirs from there. + + IMAP: Support SASL-IR extension (SASL initial response) + + Support initial SASL response with LOGIN mechanism. Patch by Anders + Karlsson + + Added PLAIN-MD4 password scheme. Patch by Andrey Panin. + + Added support for XFS disk quotas. Patch by Pawel Jarosz + + If another process deletes the opened mailbox, try to handle it + without writing errors to log file. Handles the most common cases. + + Added TLS support for LDAP if the library supports it. + - SEARCH command was more or less broken with OR and NOT conditions + - Dovecot corrupted mbox files which had CR+LF linefeeds in headers + - MySQL code could have crashed while escaping strings + - MD4 code with NTLM authentication was broken with 64bit systems. + Patch by Andrey Panin + - Plugin loading was broken in some OSes (eg. FreeBSD) + - Several fixes to handling empty values in configuration file + - Several fixes to dictionary quota backend and dict server. + Also changed how they're configured. + - deliver: Fixed plugin handling settings + - mbox_min_index_size handling was somewhat broken + - passdb passwd-file: extra_args field wasn't read unless the file + was also used as userdb. 
+ +v1.0.beta9 2006-06-13 Timo Sirainen <tss@iki.fi> + + * PAM: Don't call pam_setcred() unless setcred=yes PAM passdb + argument was given. + * Moved around settings in dovecot-example.conf to be in more logical + groups. + + + Local delivery agent (deliver binary) works again. + + LDAP: Added support for SASL binding. Patch by Geert Jansen + + ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log + invalid sent certificates. If verbose_ssl=yes, log even the valid + certificates. When using the username from the certificate, use + CommonName. Based on patch by HenkJan Wolthuis + + PAM: Set PAM_TTY which is needed by some PAM plugins + + dovecot --exec-mail ext <binary path> can now be used to start + binaries which want dovecot.conf to be read, for example the + convert-tool. + - Expunging needed to be done twice if client used STORE +FLAGS.SILENT + command to set the \Deleted flags + - Added sql_escape_string() to lib-sql API and use it instead of + normal \-escaping. + - ACL plugin fixes + - DIGEST-MD5: Trying to use subsequent authentication crashed + dovecot-auth. + - Fetching BODY when BODYSTRUCTURE was already cached caused the + reply to be broken in some cases + - Lots of fixes for index file handling + - dbox fixes and changes + - mbox syncing broke if some extraneous/broken headers were removed + (eg. extra X-IMAPbase headers in mails) + - Running Dovecot from inetd work now properly with POP3 + - Quota plugin fixes for calculating the quota correctly + +v1.0.beta8 2006-05-12 Timo Sirainen <tss@iki.fi> + + * Fixed a security hole with mbox: "1 LIST .. *" command could + list all directories and files under the mbox root directory, so + if your mails were stored in eg. /var/mail/%u/ directory, the + command would list everything under /var/mail. + + + Unless nfs_check=no or mmap_disable=yes, check for the first login + if the user's index directory exists in NFS mount. If so, refuse to + run. 
This is done only on first login to avoid constant extra + overhead. + + If we have plugins set and imap_capability unset, figure out the + IMAP capabilities automatically by running imap binary at startup. + The generated capability list isn't updated until Dovecot is + restarted completely, so if you add or remove IMAP plugins you + should restart. If you have problems related to this, set + imap_capabilities setting manually to work around it. + + Added auth_username_format setting + - pop3_lock_session setting wasn't really working + - Lots of fixes related to quota handling. It's still not working + perfectly though. + - Lots of index handling fixes, especially with mmap_disable=yes + - Maildir: saving mails could have sometimes caused "Append with UID + n, but next_uid = m" errors + - flock() locking never timeouted because ignoring SIGALRM caused the + system call just to be restarted when SIGALRM occurred (probably not + with all OSes though?) + - kqueue: Fixed "Unrecognized event". Patch by Vaclav Haisman + +v1.0.beta7 2006-04-12 Timo Sirainen <tss@iki.fi> + + + Added shutdown_clients setting to control if existing imap/pop3 + processes should be killed when master is. + - Master login fixes, PLAIN authentication was still broken.. + +v1.0.beta6 2006-04-12 Timo Sirainen <tss@iki.fi> + + * The login and master usernames were reversed when using + master_user_separator (now the order is UW-IMAP compatible). + * Killing dovecot master process now kills all IMAP and POP3 + processes also. + + + -a parameter to dovecot prints now all settings that Dovecot uses. + -n prints all settings that are different from defaults. + + Added pop3_lock_session setting + + %M modifier returns string's MD5 sum. Patch by Ben Winslow + - PLAIN SASL authentication wasn't working properly, causing failed + logins with some clients (broken in beta4) + - Fixes to Maildir++ quota, should actually work now + - Don't crash if passwd-file has entries without passwords + (eg. 
deny=yes databases) + - Fixed prefetch userdb to work nicely with other userdbs + - If master process runs out of file descriptors, don't go to + infinite loop (unlikely to have happened unless the OS's default + fd limit was too low) + - Fixed non-plaintext password lookups from LDAP. Patch by Lior Okman + - %U modifier was actually lowercasing the string. Patch by Ben Winslow + +v1.0.beta5 2006-04-04 Timo Sirainen <tss@iki.fi> + + - Beta4's SSL proxying rewrite worked worse than I thought. + Reverted it back to original code. + +v1.0.beta4 2006-04-02 Timo Sirainen <tss@iki.fi> + + * Changed the default lock_method back to fcntl. Apparently flock + gives problems with some systems. + * mbox: mailboxes beginning with '.' are now also listed + * Replaced mail_use_modules and mail_modules settings with mail_plugins + and mail_plugin_dir. Now instead of loading all plugins from the + directory, you'll have to give a list of plugins to load. If the + plugin couldn't be loaded, the process exits instead of just + ignoring the problem (this is important with ACL plugin). + + + Added support for "master users" who can log in as other people. + The master username can be given either in authorization ID + string with SASL PLAIN mechanism or by setting + auth_master_user_separator and giving it within the normal username + string. + + Added ACL plugin with ACL file backend. This however doesn't mean + that there yet exists a proper shared folder support. If master user + logged in as someone else, the ACLs are checked as the master user. + + Added some Dovecot extensions to checkpassword passdb, see ChangeLog + + Updated passwd-file format to allow specifying any key=value fields + + Maildir++ quota support and several quota fixes + + passdb supporting extra fields: Added "allow_nets" option which takes + a comma separated list of IPs/networks where to allow user to log in. 
+ + NFS: Handle ESTALE errors the best way we can + + IMAP now writes to log when client disconnects + + In shared mailboxes (if dovecot-shared file exists) \Seen flags are + now kept only in index files, so as long as each user has a separate + index file they have separate \Seen flags. + - Fixes to DIGEST-MD5 realm handling so it works with more clients + - BODYSTRUCTURE -> BODY conversion from cache file was broken with + mails containing message/rfc822 parts. + - Fixed several memory leaks + - We could have sent client FETCH notifications about messages before + telling about them with EXISTS + - Compiling fixes for Solaris and some other OSes + - Fixed problem with internal timeout handling code, which caused eg. + outlook-idle workaround to break. + - If /dev/urandom didn't exist, we didn't seed OpenSSL's random number + generator properly. Patch by Vilmos Nebehaj. + - Maildir: Recent flags weren't always immediately removed from mails + when mailbox was opened. + - Several changes to SSL proxying code, hopefully making it work + better. + +v1.0.beta3 2006-02-08 Timo Sirainen <tss@iki.fi> + + * Dotlock code changed to timeout faster in some situations when + the lock file is old. + + Added support for loading SQL drivers dynamically (see INSTALL file + for how to build them) + + Keywords are stored to dboxes, and other dbox improvements. + + dict-sql could actually work now, making quota-in-sql-database + possibly working now (not fully tested) + + Added mail storage conversion plugin to convert automatically from + one mailbox format to another while user logs in. Doesn't preserve + UIDVALIDITY/UIDs though. + + Added plugin { .. } section to dovecot.conf for passing parameters + to plugins (see dovecot-example.conf). + + Added ssl-build-param binary which is used to generate + ssl-parameters.dat. Main dovecot binary doesn't anymore link to + SSL libraries, and this also makes the process title be clearer + about why the process is eating all the CPU. 
+ - Fix building without OpenSSL + - Fixed memory leak in MySQL driver + - Fixes to checkpassword + - Broken Content-Length header could have broken mbox opening + - Fixed potential hangs after APPEND command + - Fixed potential crashes in dovecot-auth and imap/pop3-login + - zlib plugin now links with -lz so it could actually work + - kqueue fixes by Vaclav Haisman + +v1.0.beta2 2006-01-22 Timo Sirainen <tss@iki.fi> + + + Added SQLite support. Patch by Jakob Hirsch. + + Added auth_debug_passwords setting. If it's not enabled, hide all + password strings from logs. + + Added mail_cache_min_mail_count and mbox_min_index_size settings + which can be used to make Dovecot do less disk writes in small + mailboxes where they don't benefit that much. + + Added --build-ssl-parameters parameter to dovecot binary + - SSL parameters were being regenerated every 10 minutes, although + not with all systems. + - Fixed dovecot-auth crashing at startup. Happened only with some + specific compilers. + - base_dir was supposed to be set world-readable, not world-writable + +v1.0.beta1 2006-01-16 Timo Sirainen <tss@iki.fi> + + * Almost a complete rewrite since 0.99.x, but some of the major + changes are: + + + Index file code rewritten to do less disk I/O, wait locks less and + in generate be smarter. They also support being in clustered + filesystems and NFS support is mostly working also. + + Mail caching is smarter. Only the data that client requests is + cached. Before Dovecot opened and cached all mails when mailbox was + opened the first time, which was slow. + + Mbox handling code rewritten to be much faster, safer and correct + + New authentication mechanisms: APOP, GSSAPI, LOGIN, NTLM and RPA. 
+ + LDAP supports authentication binds + + Authentication server can cache password database lookups + + Support for multiple authentication databases + + Namespace configuration + + Dovecot works with shared + +v0.99.10 2003-06-26 Timo Sirainen <tss@iki.fi> + + * Default PAM service name changed to "dovecot". This means that + if you're using PAM, you most likely have to do + mv /etc/pam.d/imap /etc/pam.d/dovecot + If you wish to keep using imap, see doc/auth.txt. + + * ~/rawlog directory changed to ~/dovecot.rawlog + + + Faster and better maildir synchronization. We support read-only + maildirs and out-of-quota conditions are handled a lot better. + dovecot-uidlist file still isn't out-of-quota-safe though, but you + can keep it in another location where quota isn't checked. For + example: + default_mail_env = Maildir:~/Maildir: + INDEX=/noquota/%u:CONTROL=/noquota/%u + + Read-only mboxes are supported now. + + Only NOOP and CHECK now always do a mailbox sync checking. Other + commands sync max. once in 5 seconds, plus always from indexes. + This should reduce I/O a bit. + + All NUL characters are translated to ascii #128 before sending to + client. RFC prohibits sending NULs and this is how UW-IMAP handles + it as well. + + Make ENVELOPE, BODY and BODYSTRUCTURE replies more compact by + removing multiple LWSPs and translating TABs to spaces. RFC doesn't + specifically require this, but this seems to be the wanted + behaviour.. + + Added ANONYMOUS SASL mechanism. + + More flexible user chrooting configuration in home directories: + "<chroot>/./<homedir>" + + Added support for dynamically loadable IMAP/POP3 modules. See + INSTALL file for more information. + - Partial fetches were broken if mails had CR+LF linefeeds + - SEARCH DELETED didn't return anything if all messages were deleted + - OpenSSL support was broken in many installations because we were + chrooted and it couldn't open /dev/urandom. 
+ - PAM: Giving wrong password blocked the whole process for two + seconds. Now we create a new process for each check. + - Lots of other smaller bugfixes and better error handling + +v0.99.9.1 2003-05-03 Timo Sirainen <tss@iki.fi> + + - Messages having lines longer than 8192 bytes caused problems. + - There was some problems when opening a mbox first time that had been + empty for a while. + - Didn't compile with OpenBSD. + - POP3 server crashed sometimes instead of printing error message. + - If cached IMAP envelope contained literals, SEARCHing in it wrote + errors to log file. For example if subject contained highascii, '"' + or '\' characters this happened. + +v0.99.9 2003-04-28 Timo Sirainen <tss@iki.fi> + + * WARNING: mbox rewriting works now faster, but it's less likely to + notice external message flag changes (it wasn't perfect before + either). This also means that if you're not using index files, + Dovecot may not notice changes made by another Dovecot process. + This will be fixed later. + + + Message UIDs are now permanently stored outside index files. + Deleting indexes is now possible without any kind of data loss and + in-memory indexes are now usable. + + mbox rewriting leaves extra space into X-Keywords header. It's + shrinked or grown when updating message flag headers to avoid + rewriting the rest of the file. + + imap-login and pop3-login can now be started from inetd. Privilege + separation is still used, so it executes dovecot and dovecot-auth + processes which are left on the background. + + PostgreSQL authentication support, patch by Alex Howansky + - Large multiline headers (over 8kB) broke Dovecot before. Now they're + parsed one line at a time and we try to avoid reading them fully into + memory. + - SEARCH OR was broken + - Partial BODY[] fetches were broken + - Timezones were still set wrong when parsing dates + - Using non-synchronized literals (LITERAL+) broke APPEND + - Renaming maildir subfolders inserted extra "." in the middle. 
+ - Subfolders were a bit broken with maildir + - Invalid PLAIN auth request crashed auth process. + +v0.99.8 2003-02-25 Timo Sirainen <tss@iki.fi> + + * NOTE: Configuration file has changed a bit: auth_userinfo was + replaced by userdb and passdb. *_port were merged into *_listen. + Disabling listening in imaps port is now done by changing protocols + setting. + + * Maildir: .customflags location has changed for INBOX. If you have + set any custom flags, move Maildir/.INBOX/.customflags into + Maildir/.customflags or they will be lost. + + * mbox: Autodetect /var/mail/%u and /var/spool/mail/%u as INBOXes + if they're found and mail_default_env isn't set. + + * passwd-file: File format changed a bit. If you used realm or mail + fields, you'll have to fix the file. See doc/auth.txt for description + of the format. + + + Fully featured POP3 server included. Disabled by default. + + Support for LITERAL+, MULTIAPPEND, UNSELECT, IDLE, CHILDREN and + LISTEXT extensions. + + LDAP authentication support. + + Internal API cleanups made Dovecot faster and take less memory + + auth_verbose logs now all authentication failures + + Support for Solaris 9 sendfilev() + + New setting: mail_full_filesystem_access allows clients to access the + whole filesystem by simply giving the path before the mailbox name + (eg. SELECT ~user/mail/box, LIST "" /tmp/%). While this allows users + to share mailboxes, it's not recommended since Dovecot's index files + can't be safely shared. + + New setting: client_workarounds. + + Dynamically loadable authentication modules. Binary package builders + should consider using it for at least LDAP. + + mbox: Content-Length is saved now to each saved message, so it's + now safe to have lines beginning with "From ". + + mbox: mail_read_mmaped = no works with it now + + Indexes can be kept in memory by adding :INDEX=MEMORY to MAIL + environment. There's not much point to do this now though, since the + UIDs won't be saved. 
+ - COPY now behaves as RFC2060 says: "If the COPY command is + unsuccessful for any reason, server implementations MUST restore the + destination mailbox to its state before the COPY attempt." + - LIST and LSUB rewrite, should fix several bugs in them + - maildir_copy_with_hardlinks = yes was broken. + - mboxes in subfolders weren't selectable. + - STORE didn't accept multiple flags without () around them + - PLAIN SASL-authentication was a bit broken. + - IMAP dates were parsed a few hours wrong + - STATUS command removed \Recent flags from messages + - Several bugfixes to SEARCH command, especially related to multiple + search conditions + - If auth/login process died unexpectedly at startup, the exit status + or killing signal wasn't logged. + - mbox parsing might have crashed sometimes + - mbox: when saving mails, internal headers were allowed in input, + sometimes causing problems (eg. duplicate headers) when appending + and copying messages + - mbox: X-Keywords headers were duplicated + - Some small fixes to how messages are saved to Maildir + - Next command after STARTTLS was ignored which left the connection + stuck sometimes + - Dovecot was pretty much broken with FreeBSD + +v0.99.7 2003-01-14 Timo Sirainen <tss@iki.fi> + + + Rewrote doc/index.txt, small updates to doc/design.txt and + doc/multiaccess.txt + - New hash table code was broken with removing, which broke several + things. Fixed, but it's still a bit ugly code though.. + +v0.99.6 2003-01-13 Timo Sirainen <tss@iki.fi> + + + THREAD=REFERENCES extension support. ORDEREDSUBJECT would be easy to + add, but I think it's pretty useless. + + SORT is much faster now. + + mbox: If ~/mail directory isn't found, create it. + + Log login usernames + * Some coding style changes (less typedefs) + - Mails with nested MIME parts might have caused incorrect BODY and + BODYSTRUCTURE fetches and sometimes might have crashed dovecot + (assert at imap-bodystructure.c). 
If client had already successfully + done the BODY fetching a couple of times, the bug couldn't happen + anymore since Dovecot then began caching the BODY data. So, this + mostly happened with new users. + - non-UID SEARCH might gave wrong replies in certain conditions. + - SORT replied always with UIDs instead of sequences. + - If authentication was aborted by client ("*" reply to AUTHENTICATE), + the login process crashed later. + - STATUS command gave invalid reply for mailboxes with spaces in name + - Timezones were parsed wrong with message dates + - Digest-MD5: We used "qop-options" instead of "qop", which was + incompatible with at least Cyrus SASL. + - Realms in passwd-file were buggy + - Literals didn't work when logging in + - Crashed if it had to wait for mbox lock + - With invalid configuration auth and login processes were just dying + and master filling log files infinitely. + - We didn't work with some 64bit systems + +v0.99.5 2003-01-02 Timo Sirainen <tss@iki.fi> + + * This release includes a lot of code cleanups, especially related to + security. Direct buffer modifying was replaced in several places + with a new buffer API, which provides a safe way to do it. Code that + looks unsafe contains @UNSAFE tag to make auditing easier. + + + Support for SORT extension. Originally I thought about not + implementing any extensions before 1.0, but too many people want + webmails which want SORT. THREAD is another extension which they + want, but we don't support it yet. + + imap_listen and imaps_listen settings now accept "*" and "::" to + specify if we want to listen in IPv4 or IPv6 addresses. "::" may + also listen in all IPv4 addresses depending on the OS (Linux does, + BSD doesn't) + + New setting: default_mail_env can be used to specify where to find + users mailbox. Default is still to use autodetection. + + New setting: imap_log_path to log logins etc. informational messages + to different file. 
+ + We support now separate mbox file for INBOX folder, no need for + symlink kludging anymore. + + Support for keeping index files in different location than actual + mailboxes. + ? Disabled mailbox_check_interval setting by default, it breaks + Evolution. + - SEARCH was still somewhat buggy, especially with laggy networks. + Also body/header searches might have crashed or at least used + memory too much + - Deleting messages in the middle of mbox caused dovecot to reindex + the following messages as new messages (ie. change UIDs and set + \Recent flag). + - Digest-MD5 auth: Initial server challenge packet was missing a comma, + which might have made it incompatible with some implementations. + - Some more fixes to unnecessarily high memory usage + - SELECT and EXAMINE often printed UNSEEN reply or maybe complained + about corrupted indexes. Happened usually only with mbox. + - FETCH BODYSTRUCTURE gave incorrect reply, breaking pine + - LIST was pretty buggy with mbox subfolders + - CHECK command returned just "missing parameters" error + - DELETE didn't work with mbox folders + - CREATE mailbox<hierarchy separator> failed always. + - CREATE and RENAME didn't create required hierarchies with mbox + - RFC822 date parser didn't handle single digit days correctly. + - login_process_per_connection = yes didn't work with imaps port + connections which is exactly where it was mostly wanted. + - ssl_disabled = yes didn't disable listening in imaps port + - process limiting code didn't compile everywhere (eg. FreeBSD). + - Linux sendfile() was never detected + - We didn't work at all with gcc/PowerPC + +v0.99.4 2002-12-01 Timo Sirainen <tss@iki.fi> + + - Command parser had several bugs when it didn't have enough data to + parse the full command in one call, ie. network lags etc. triggered + those bugs sometimes. This was the last "weird bug" I know of. 
+ - Mbox indexes got broken when updating cached fields + - Fixed a few memory leaks and unneededly high memory usage while + caching envelopes + - Fixes to searching from message body and header + - --with-ssldir didn't do anything and the default was empty + +v0.99.3 2002-11-26 Timo Sirainen <tss@iki.fi> + + - mail_read_mmaped = no (default) caused mbox corruption with EXPUNGE. + mmap()ing is forced for now. + +v0.99.2 2002-11-26 Timo Sirainen <tss@iki.fi> + + + If we have to wait for a lock longer, the client is now notified + about it every 30 seconds. + - Default settings still pointed to lib directory instead of the + libexec directory where the binaries were actually installed + - vpopmail support had to be kludged to fix a bug in vpopmail library + which sometimes left extra character after the user name. + - Login process crashed if master process didn't let some user login. + Normally this couldn't happen without error in configuration. + - select() based I/O loop wasn't working so Dovecot didn't work in + eg. OSX. Also PAM authentication wasn't detected with OSX. + - Didn't compile with NetBSD-current + +v0.99.1 2002-11-25 Timo Sirainen <tss@iki.fi> + + + Added doc/mkcert.sh script to easily generate yourself a self-signed + certificate. Modify doc/dovecot-openssl.cnf before running it. + + --with-ssldir configure option to specify default path for /etc/ssl + + Added ssl_disable setting to config file + - OpenSSL wasn't checked properly by configure + - vpopmail authentication module didn't compile + - We should install the binaries into libexec dir, not lib + - doc/configuration.txt and doc/mail-storages.txt were missing + +v0.99.0 2002-11-24 Timo Sirainen <tss@iki.fi> + + + Replaced hash file with binary tree file which makes Dovecot stay + fast with large mailboxes after expunging multiple mails. 
+ + Several speed improvements with SEARCH + + SEARCH CHARSET support using iconv(), although case-insensitive + searching is currently supported only for ASCII characters. + + OpenSSL support. + + Support for regenerating Diffie Hellman and RSA parameters with + specified intervals. NOTE: currently doesn't work with OpenSSL. + + Support for each login connection being handled in it's own process. + This is the default as it's more safe especially with SSL. + + mbox locking is now safe, other processes can't modify the mbox file + while we're reading it. + + Notify clients with "EXISTS" almost immediately after new mail is + received. + + Rawlog: Support for saving user connections into files - useful for + debugging. + + Content-Language is finally parsed correctly + + Lots of smaller speed optimizations + - Partial BODY[] fetches weren't working properly + - BODY[section] was buggy with message/rfc822 MIME parts + - STARTTLS wasn't working + - \* flag was missing from PERMANENTFLAGS. + - Comments inside <> mail addresses crashed. + - imap-login printed UTC timestamps to logfiles + - passwd-file wasn't reread the the file changed + - PAM authentication was implemented wrong, which caused it to break + with some PAM plugins. + - Lots of smaller fixes, mostly to do with reliability + +v0.98.4 2002-10-06 Timo Sirainen <tss@iki.fi> + + * Just a final release before replacing hash file with a binary tree. + + - When fetching messages larger than 256k, sometimes Dovecot missed + to send CR causing corrupted data at end of message and possibly + complete failure depending on IMAP client. + - Fetching BODY or BODYSTRUCTURE for message having content-type of + message/rfc822 didn't correctly add () around the envelope data. + - Several fixes to make it compile with HP/UX ANSI C compiler. + Also fixed several warnings it showed up. + +v0.98.3 2002-10-01 Timo Sirainen <tss@iki.fi> + + * Sorry, just noticed a very stupid bug which caused evolution 1.2 + beta to crash. 
I always thought it was just evolution's fault :) + - Several fields in BODY / BODYSTRUCTURE replies weren't quoted + +v0.98.2 2002-09-30 Timo Sirainen <tss@iki.fi> + + + --with-file-offset-size=32 can now be used to select 32bit file + offsets. Using them should be a bit faster and take a bit less + disk and memory (also needed to compile Dovecot successfully with + TinyCC). + + maildir_copy_with_hardlinks option works now + + Check new mail and notify about it to client also after + commands which don't allow full syncing (FETCH, STORE, SEARCH). + Also always send RECENT after EXISTS notify. + + If we're out of disk space while opening mailbox, notify about it + with ALERT. + - STORE and SEARCH didn't handle properly message sequence numbers + when some in the middle were externally deleted + - SEARCH: Only first search condition was checked. + - mbox: Message flags given to APPEND were ignored. + - mbox: index was corrupted when changing flags for multipart MIME + messages + - Out of disk space-handling wasn't working properly with .customflags + file + - if auth processes were killed, login processes weren't reconnecting + to them + +v0.98.1 2002-09-24 Timo Sirainen <tss@iki.fi> + + + Faster and safer mbox rewriting when flags are updated + - Didn't save messages larger then 8192 bytes + - Several mbox breakages + +v0.98 2002-09-23 Timo Sirainen <tss@iki.fi> + + + mbox support is finally working. There's still some reliability + fixes left but overall it should be quite usable. + + vpopmail authentication support + + We should be able to deal with "out of diskspace/quota" conditions + properly, by keeping the indexes in memory and allowing user to + delete mails to get more space. 
+ + Several speed enhancements + + New configuration file option: overwrite_incompatible_index to force + using ".imap.index" file, overwriting it if it isn't compatible + - Handle invalid message headers reliably + - Tons of bugfixes and code cleanups everywhere + +v0.97 2002-08-29 Timo Sirainen <tss@iki.fi> + + + Large mails are handled in 256kB blocks, so mail size no longer + has hardly any effect on memory usage + + 64bit file offsets are used if supported by system. This means + Dovecot is fully capable of handling >2G mails in those systems. + With 32bit offsets >2G mails may not behave too well, but should + not crash either. + + I fixed lots of potential integer overflows. This should make us + fully crash-free no matter what happens (index file corruption + mostly). I didn't verify everything too carefully yet, so more + auditing is still needed before we fully reach that goal. + + Implemented several missing tasks / optimizations to index handling. + It should now stay fast after longer usage periods. + + New configuration file options: log_path, log_timestamp, imaps_listen + + "Critical errors" are now hidden from users, ie. any error message + that is not a direct reply to user error is written into log file + and user gets only "Internal error [timestamp]". + + Nonblocking SSL handshaking + + Lots of code cleanups + - Lots of mbox fixes, it seems to be somewhat reliable now + - Year in Date-field was parsed wrong + - Appending mail to mbox didn't work right + - Always verify that mailbox names are valid (especially they shouldn't + contain "../") + +v0.96 2002-08-08 Timo Sirainen <tss@iki.fi> + + * Changed to LGPL v2.1 license + + + STARTTLS support and optional disabling of plaintext authentication + (LOGINDISABLED capability) + + Support for custom message flags, each folder can have 26 different. 
+ + New configuration file options: imap_listen, max_logging_users, + max_imap_processes + + You can specify config file location to imap-master with -c <path> + + All IMAP processes can now write to specified log file instead of + syslog. Either do this by setting IMAP_LOGFILE environment, or + give -l <path> parameter to imap-master. + + Some cleanups to remove warnings with BSDs + + Changed all %s .. strerror(errno) -> %m + + Rewritten memory pool code + - imap-master didn't close all the fds for executed processes + - iobuffer code was buggy and caused the connection to terminate + sometimes + - make install overwrote the existing dovecot.conf file, so it's now + named as dovecot-example.conf + +v0.95 2002-07-31 Timo Sirainen <tss@iki.fi> + + + Initial SSL support using GNU TLS, tested with v0.5.1. + TLS support is still missing. + + Digest-MD5 authentication method + + passwd-file authentication backend + + Code cleanups + - Found several bugs from mempool and ioloop code, now we should + be stable? :) + - A few corrections for long header field handling + +v0.94 2002-07-29 Timo Sirainen <tss@iki.fi> + + * Supports running completely non-root now. imap-auth however is a + bit problematic as we don't support passwd-file yet. + - Memory alignment fixes mostly + - Other misc. bugfixes |
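Review bot: In the v0.97 entry, "Always verify that mailbox names are valid (especially they shouldn't contain "../")" is a path traversal fix, but it is listed as an ordinary "-" bug fix with nothing to set it apart. The same applies to "I fixed lots of potential integer overflows" in v0.97 and to "imap-master didn't close all the fds for executed processes" in v0.96. Consider marking security-relevant fixes, for example with a "*" note at the top of the release entry, so that administrators can tell which upgrades affect exposure. The v0.97 overflow item also claims "This should make us fully crash-free" while stating that auditing is incomplete; wording it as a partial fix would be more accurate. Wording nits: "it's own process" should be "its own process", "larger then 8192 bytes" should be "larger than", and "passwd-file wasn't reread the the file changed" has a doubled "the" and appears to have lost a word. In v0.95, "Initial SSL support using GNU TLS ... TLS support is still missing" reads as contradictory; please say which part was missing.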