summaryrefslogtreecommitdiffstats
path: root/doc/wiki/Upgrading.2.3.txt
blob: 8cda65fc3bf022274ea0336a29c2cda498909b1c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
Upgrading Dovecot v2.2 to v2.3
==============================

Downgrading is possible to v2.2.27 and later. (v2.2.27 accidentally broke
dovecot.index* backwards compatibility a bit.)

Settings Changes
----------------

 * 'director_consistent_hashing' setting removed. It's always assumed to be
   "yes" now.
    * *WARNING*: You can't run a director ring with mixed
      'director_consistent_hashing' settings. If you already didn't have it set
      to "yes", upgrading to v2.3 will require you to shutdown the entire
      director ring. It may be safer to first do this setting change in v2.2
      before the upgrade.
       * If you really don't wish to shutdown the ring, an alternative would be
         to set up a whole new director ring. Then start moving users to the
         new ring in the Dovecot proxy. To avoid the same user having
         connections to both rings at the same time (-> two backends at the
         same time), this would need to be done so that passdb moves the user
         to the new ring and old connections are kicked. See
         <PasswordDatabase/ExtraFields/Proxy#moving>
         [PasswordDatabase.ExtraFields.Proxy.txt]
 * 'director_doveadm_port' setting removed. Name the 'inet_listener doveadm {
   .. }' instead.
 * 'mdbox_purge_preserve_alt' setting removed. It's always assumed to be "yes"
   now.
 * 'recipient_delimiter' setting used to be treated as a separator string. Now
   it's instead treated as a list of alternative delimiter characters.
 * Time interval based settings no longer default to "seconds". All numbers
   must explicitly be followed by the time unit (except 0). This is important,
   because some settings now support milliseconds as well.
 * fs-posix: prefix=path parameter no longer automatically appends '/' to the
   path if it's not there. This allows using it properly as a prefix, instead
   of only a directory prefix. Make sure you have the '/' appended to the
   prefix, or the "dir/filename" will be accessed just as "dirnamename".
 * 'ssl_protocols' setting was replaced by 'ssl_min_protocol'. Now you only
   specify the minimum ssl protocol version Dovecot accepts, defaulting to
   TLSv1.
 * 'ssl_parameters' was replaced with 'ssl_dh'. See <Diffie-Hellman Parameters
   for SSL> [Upgrading.2.3.txt].
 * 'SSLv2' is no longer supported in 'ssl_protocols'.

Statistics Redesign
-------------------

The statistics code was redesigned.

 * Statistics is no longer optional - it is always there.
 * The old "stats" plugin was renamed to "old_stats".
 * The "doveadm stats" command was renamed to "doveadm oldstats".
    * There's a new "doveadm stats" command that isn't compatible with the old
      one.
 * The new stats code doesn't require a plugin, so make sure you remove 'stats'
   from 'mail_plugin' setting. For more details see <Statistics.txt>.

Config changes required to 2.2.x config to keep using the "old" stats:

 * 'mail_plugins = stats' -> 'mail_plugins = old_stats'
 * 'mail_plugins = imap_stats' -> 'mail_plugins = imap_old_stats'
 * 'service stats' -> 'service old-stats'
    * 'executable = stats' -> 'executable = old-stats'
    * 'fifo_listener stats-mail' -> 'fifo_listener old-stats-mail'
    * 'fifo_listener stats-user' -> 'fifo_listener old-stats-user'
    * 'unix_listener stats' -> 'unix_listener old-stats'
 * 'plugin { stats_refresh }' -> 'plugin { old_stats_refresh }'
 * 'plugin { stats_notify_path }' -> 'plugin { old_stats_notify_path }'
 * 'plugin { stats_track_cmds }' -> 'plugin { old_stats_track_cmds }'
 * 'auth_stats' -> keep as 'auth_stats'
 * 'stats_*' settings -> 'old_stats_*'

Submission Service (new)
------------------------

Dovecot can now act as a submission service. See <Submission.txt> for more
information.

Localhost Auth Penalty
----------------------

Dovecot no longer disables auth penalty waits for clients connecting from
localhost (or 'login_trusted_networks' in general). The previous idea was that
it would likely be a webmail that would have its own delays, but there are no
guarantees about this.

If the old behavior is still wanted, it's possible to do nowadays even more
generically with e.g. setting following as the first passdb:

---%<-------------------------------------------------------------------------
passdb {
 driver = passwd-file
 args = username_format=%{rip} /etc/dovecot/passdb
 default_fields = noauthenticate=y
}
---%<-------------------------------------------------------------------------

/etc/dovecot/passdb:

---%<-------------------------------------------------------------------------
127.0.0.1:::::::nodelay=yes
192.168.10.124:::::::nodelay=yes
---%<-------------------------------------------------------------------------

Changed Setting Defaults
------------------------

+--------------------------+-----------------------------+----------------------------------------------------------------------------------------------+
| *Setting*                | *Old Default Value*         | *New Default Value*                                                                          |
+--------------------------+-----------------------------+----------------------------------------------------------------------------------------------+
| 'mdbox_rotate_size'      | 2M                          | 10M                                                                                          |
+--------------------------+-----------------------------+----------------------------------------------------------------------------------------------+
| 'mailbox_list_index'     | no                          | yes                                                                                          |
+--------------------------+-----------------------------+----------------------------------------------------------------------------------------------+
| 'imap_logout_format'     | n=%i out=%o                 | in=%i out=%o deleted=%{deleted} expunged=%{expunged} trashed=%{trashed}                      |
|                          |                             | hdr_count=%{fetch_hdr_count} hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count}     |
|                          |                             | body_bytes=%{fetch_body_bytes}                                                               |
+--------------------------+-----------------------------+----------------------------------------------------------------------------------------------+
| 'ssl_cipher_list'        | ALL:!LOW:!SSLv2:!EXP:!aNULL | ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH |
+--------------------------+-----------------------------+----------------------------------------------------------------------------------------------+
| 'mail_log_prefix'        | "%s(%u): "                  | "%s(%u)<%{pid}><%{session}>: "                                                               |
+--------------------------+-----------------------------+----------------------------------------------------------------------------------------------+
| mysql:                   | no                          | yes                                                                                          |
| 'ssl_verify_server_cert' |                             |                                                                                              |
+--------------------------+-----------------------------+----------------------------------------------------------------------------------------------+
| 'ssl_options'            |                             | no_compression is now the default, and a new compression option is introduced for enabling   |
|                          |                             | compression                                                                                  |
+--------------------------+-----------------------------+----------------------------------------------------------------------------------------------+

Diffie-Hellman Parameters for SSL
---------------------------------

 * ssl-parameters.dat file is now obsolete. You should use ssl_dh setting
   instead:'ssl_dh=</etc/dovecot/dh.pem'
    * You can convert an existing ssl-parameters.dat to dh.pem:

      ---%<-------------------------------------------------------------------
      dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam
      -inform der > /etc/dovecot/dh.pem
      ---%<-------------------------------------------------------------------

 * ssl-params process has also been removed, as it is no longer used to
   generate these parameters.
 * You are encouraged to create at least 2048 bit parameters. 4096 is industry
   recommendation.
 * Note that it will take LONG TIME to generate the parameters, and it should
   be done with a machine that has GOOD SOURCE OF ENTROPY. Running it on a
   virtual machine is not recommended, unless there is some entropy
   helper/driver installed. Running this on your production proxy can starve
   connections due to lack of entropy.
 * Since v2.3.3+ DH parameter usage is *optional* and can be omitted. You are
   invited to amend ciphers to disallow non-ECC based DH algorithms, but if you
   don't and someone does try to use them, error will be emitted.
    * Example:
      'ssl_cipher_list=ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW:!DH@STRENGTH'

Other Changes
-------------

 * Invalid 'postmaster_address' now causes a failure early on with
   sieve/imap_sieve plugin enabled. It still defaults to 'postmaster@%d', which
   expands to invalid 'postmaster@' address if your usernames do not contain a
   domain, or are converted into domainless usernames by passdb/userdb. See
   <DomainLost.txt>.
 * Linux: Dovecot no longer enables core dumping for "setuid processes", which
   most of them are.
    * To enable them with Linux kernel v3.6+: Make sure core dumps get written
      to a globally shared directory and enable them with:'sysctl -w
      fs.suid_dumpable=2'
       * With older Linux kernel versions you can set it to 1, but that's not
         good for security of your system.
    * You can also revert to old behavior with: 'import_environment =
      $import_environment PR_SET_DUMPABLE'
       * However, this also may have some security implications depending on
         the setup. Mainly if you have system users and you've enabled
         chrooting or mail_access_groups, this could allow the system users to
         gain unintentional access.
 * userdb nss was removed. Use userdb passwd instead.
 * doveadm: table formatter prints the header now to stdout, not stderr
 * doveadm: Removed mount commands
 * OpenSSL version is required to be at least 1.0.1 for Dovecot to build
 * subscriptions file is written in a new version 2 format. Dovecot v2.2.17 and
   newer can read this file.
 * mail_log plugin: Headers are logged as UTF-8 (instead of MIME-encoded)
 * auth: When iterating users in userdb passwd, skip users that aren't in the
   first/last_valid_gid range
 * auth protocol has changed some error fields:
    * temp -> code=temp_fail
    * authz -> code=authz_fail
    * user_disabled -> code=user_disabled
    * pass_expired -> code=pass_expired
 * auth now supports bcrypt algorithm by default.
 * Some API changes have been made, if you have your own plugins please be
   aware that they might require change(s) to be compatible again.
 * Due to the new stats environment, for now some environments may get harmless
   errors about not being able to connect to stats-writer socket. To avoid
   these errors, give enough permissions for the processes to connect to the
   stats-writer, for example:

---%<-------------------------------------------------------------------------
service stats {
  client_limit = 10000 # make this large enough so all Dovecot processes
(especially imap, pop3, lmtp) can connect to it
  unix_listener stats-writer {
    user = vmail
    #mode = 0666 # Use only if nothing else works. It's a bit insecure, since
it allows any user in the system to mess up with the statistics.
  }
}
---%<-------------------------------------------------------------------------

(This file was created from the wiki on 2019-06-19 12:42)