diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.gitignore b/.gitignore
index e659068..0628189 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,117 +1,2 @@
-dovecot-2.0.rc3.tar.gz
-pigeonhole-snap01ee63b788c9.tar.bz2
-dovecot-2.0.rc4.tar.gz
-pigeonhole-snapcac6acdc4d0e.tar.bz2
-dovecot-2.0.rc5.tar.gz
-pigeonhole-snap0592366457df.tar.bz2
-/dovecot-2.0.0.tar.gz
-/pigeonhole-snap1ae9569b0383.tar.bz2
-/dovecot-2.0.1.tar.gz
-/pigeonhole-snapd51650c8af85.tar.bz2
-/dovecot-2.0.2.tar.gz
-/pigeonhole-snapfbcb05e7eda1.tar.bz2
-/dovecot-2.0.3.tar.gz
-/pigeonhole-snapcb4c1ebecff3.tar.bz2
-/dovecot-2.0.4.tar.gz
-/pigeonhole-snap824454514f08.tar.bz2
-/dovecot-2.0.5.tar.gz
-/pigeonhole-snapa50464354f5a.tar.bz2
-/dovecot-2.0.6.tar.gz
-/pigeonhole-snap2023f8c74250.tar.bz2
-/dovecot-2.0.7.tar.gz
-/pigeonhole-snapa8cc6294071e.tar.bz2
-/dovecot-2.0.8.tar.gz
-/pigeonhole-snap67d2240966ec.tar.bz2
-/dovecot-2.0-pigeonhole-0.2.2.tar.gz
-/dovecot-2.0.9.tar.gz
-/dovecot-2.0.11.tar.gz
-/dovecot-2.0.12.tar.gz
-/dovecot-2.0-pigeonhole-0.2.3.tar.gz
-/dovecot-2.0.13.tar.gz
-/dovecot-2.0.14.tar.gz
-/dovecot-2.0.15.tar.gz
-/dovecot-2.0.16.tar.gz
-/dovecot-2.1.rc1.tar.gz
-/dovecot-2.1-pigeonhole-b3bff60a18da.tar.bz2
-/dovecot-2.1.rc3.tar.gz
-/dovecot-2.1.rc5.tar.gz
-/dovecot-2.1-pigeonhole-a130a50f82e1.tar.bz2
-/dovecot-2.1.rc6.tar.gz
-/dovecot-2.1-pigeonhole-b2a456e15ed5.tar.bz2
-/dovecot-2.1.0.tar.gz
-/dovecot-2.1-pigeonhole-0.3.0.tar.gz
-/dovecot-2.1.1.tar.gz
-/pigeonhole-snap67950c9d3675.tar.bz2
-/dovecot-2.1.2.tar.gz
-/pigeonhole-snap08a2d2718a65.tar.bz2
-/dovecot-2.1.3.tar.gz
-/dovecot-2.1.4.tar.gz
-/dovecot-2.1.5.tar.gz
-/dovecot-2.1.6.tar.gz
-/dovecot-2.1.7.tar.gz
-/dovecot-2.1-pigeonhole-0.3.1.tar.gz
-/dovecot-2.1.8.tar.gz
-/dovecot-2.1.9.tar.gz
-/dovecot-2.1.10.tar.gz
-/dovecot-2.1-pigeonhole-0.3.3.tar.gz
-/dovecot-2.1.12.tar.gz
-/dovecot-2.1.13.tar.gz
-/dovecot-2.1.14.tar.gz
-/dovecot-2.1.15.tar.gz
-/dovecot-2.2.rc2.tar.gz
-/pigeonhole-99eec511aa2c.tar.bz2
-/dovecot-2.2.rc3.tar.gz
-/dovecot-2.2.rc4.tar.gz
-/dovecot-2.2.0.tar.gz
-/dovecot-2.2.1.tar.gz
-/pigeonhole-snape42a38f02d28.tar.bz2
-/dovecot-2.2-pigeonhole-0.4.0.tar.gz
-/dovecot-2.2.2.tar.gz
-/dovecot-2.2.3.tar.gz
-/dovecot-2.2.4.tar.gz
-/dovecot-2.2-pigeonhole-0.4.1.tar.gz
-/dovecot-2.2.5.tar.gz
-/dovecot-2.2.6.tar.gz
-/dovecot-2.2-pigeonhole-0.4.2.tar.gz
-/dovecot-2.2.7.tar.gz
-/dovecot-2.2.8.tar.gz
-/dovecot-2.2.9.tar.gz
-/dovecot-2.2.10.tar.gz
-/dovecot-2.2.11.tar.gz
-/dovecot-2.2.12.tar.gz
-/dovecot-2.2.13.tar.gz
-/dovecot-2.2.14.tar.gz
-/dovecot-2.2-pigeonhole-0.4.3.tar.gz
-/dovecot-2.2.15.tar.gz
-/pigeonhole-snapded0c5a467aa.tar.bz2
-/dovecot-2.2-pigeonhole-0.4.6.tar.gz
-/dovecot-2.2.16.tar.gz
-/dovecot-2.2.17.tar.gz
-/dovecot-2.2.18.tar.gz
-/dovecot-2.2-pigeonhole-0.4.7.tar.gz
-/dovecot-2.2-pigeonhole-0.4.8.tar.gz
-/dovecot-2.2.19.tar.gz
-/dovecot-2.2-pigeonhole-0.4.9.tar.gz
-/dovecot-2.2.20.tar.gz
-/dovecot-2.2.21.tar.gz
-/dovecot-2.2-pigeonhole-0.4.10.tar.gz
-/dovecot-2.2-pigeonhole-0.4.11.tar.gz
-/dovecot-2.2-pigeonhole-0.4.12.tar.gz
-/dovecot-2.2.22.tar.gz
-/dovecot-2.2.23.tar.gz
-/dovecot-2.2-pigeonhole-0.4.13.tar.gz
-/dovecot-2.2.24.tar.gz
-/dovecot-2.2-pigeonhole-0.4.14.tar.gz
-/dovecot-2.2.25.tar.gz
-/dovecot-2.2.26.0.tar.gz
-/dovecot-2.2-pigeonhole-0.4.16.tar.gz
-/dovecot-2.2.27.tar.gz
-/dovecot-2.2.28.tar.gz
-/dovecot-2.2-pigeonhole-0.4.17.tar.gz
-/dovecot-2.2.29.tar.gz
-/dovecot-2.2.29.1.tar.gz
-/dovecot-2.2-pigeonhole-0.4.18.tar.gz
-/dovecot-2.2.30.1.tar.gz
-/dovecot-2.2.30.2.tar.gz
-/dovecot-2.2.31.tar.gz
-/dovecot-2.2-pigeonhole-0.4.19.tar.gz
+/dovecot-*.tar.gz
+/pigeonhole-*.tar.bz2
diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch
index 1f537f7..c7e145e 100644
--- a/dovecot-2.0-defaultconfig.patch
+++ b/dovecot-2.0-defaultconfig.patch
@@ -1,33 +1,97 @@ -diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf ---- dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings 2014-06-02 13:50:10.000000000 +0200 -+++ dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf 2015-08-24 17:09:03.866648631 +0200 -@@ -283,6 +283,7 @@ namespace inbox { - # them simultaneously. - #mbox_read_locks = fcntl - #mbox_write_locks = dotlock fcntl -+mbox_write_locks = fcntl +diff -up dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in +--- dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in 2025-11-30 09:24:17.130246956 +0100 +@@ -16,24 +16,19 @@ dovecot_storage_version = @DOVECOT_CONFI + # The configuration below is a minimal configuration file using system user authentication. + # See https://@DOVECOT_ASSET_URL@/latest/core/config/quick.html - # Maximum time to wait for lock (all of them) before aborting. - #mbox_lock_timeout = 5 mins -diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf ---- dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings 2014-10-03 16:36:00.000000000 +0200 -+++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf 2015-08-24 17:10:49.536071649 +0200 -@@ -3,7 +3,9 @@ - ## +-!include_try conf.d/*.conf +- + # Enable wanted protocols: + protocols { + imap = yes + lmtp = yes + } - # SSL/TLS support: yes, no, required. 
--#ssl = yes -+# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps -+# plain imap and pop3 are still allowed for local connections +-mail_home = /srv/mail/%{user} +-mail_driver = sdbox ++mail_home = /home/%{user} ++mail_driver = maildir + mail_path = ~/mail + +-mail_uid = vmail +-mail_gid = vmail +- +-# By default first_valid_uid is 500. If your vmail user's UID is smaller, ++# By default first_valid_uid is 1000. If your vmail user's UID is smaller, + # you need to modify this: +-#first_valid_uid = uid-number-of-vmail-user ++first_valid_uid = 1000 + + namespace inbox { + inbox = yes +@@ -44,7 +39,15 @@ namespace inbox { + passdb pam { + } + ++userdb passwd { ++} ++ +ssl = required - - # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before - # dropping root privileges, so keep the key file unreadable by anyone but -@@ -50,6 +52,7 @@ ssl_key = &1;\ -+fi;\ -+if [ ! -f /var/lib/dovecot/ssl-parameters.dat ]; \ -+then\ -+ /usr/libexec/dovecot/ssl-params >/dev/null 2>&1; \ +fi' + -diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot.service.in ---- dovecot-2.2.22/dovecot.service.in.initbysystemd 2016-03-16 13:48:25.996297203 +0100 -+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:49:17.619039641 +0100 -@@ -20,7 +20,8 @@ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in.initbysystemd dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in.initbysystemd 2025-06-02 23:32:10.685195261 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in 2025-06-02 23:34:03.123174934 +0200 +@@ -11,7 +11,8 @@ Description=Dovecot IMAP/POP3 email server Documentation=man:dovecot(1) - Documentation=http://wiki2.dovecot.org/ --After=local-fs.target network-online.target -+After=local-fs.target network-online.target dovecot-init.service + Documentation=https://doc.dovecot.org/ +-After=local-fs.target network-online.target 
remote-fs.target time-sync.target ++After=local-fs.target network-online.target remote-fs.target time-sync.target dovecot-init.service +Requires=dovecot-init.service + Wants=network-online.target [Service] - Type=forking -diff -up dovecot-2.2.22/Makefile.am.initbysystemd dovecot-2.2.22/Makefile.am ---- dovecot-2.2.22/Makefile.am.initbysystemd 2016-03-04 12:04:33.000000000 +0100 -+++ dovecot-2.2.22/Makefile.am 2016-03-16 13:48:25.996297203 +0100 -@@ -51,9 +51,10 @@ if HAVE_SYSTEMD - +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am.initbysystemd dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am.initbysystemd 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am 2025-06-02 23:33:22.221675050 +0200 +@@ -19,6 +19,7 @@ EXTRA_DIST = \ + update-version.sh \ + run-test-valgrind.supp \ + dovecot.service.in \ ++ dovecot-init.service \ + dovecot.socket \ + version \ + build-aux/git-abi-version-gen \ +@@ -67,7 +68,8 @@ dovecot-config: dovecot-config.in Makefi + if WANT_SYSTEMD systemdsystemunit_DATA = \ dovecot.socket \ - dovecot.service + dovecot.service \ + dovecot-init.service - else --EXTRA_DIST += dovecot.socket dovecot.service.in -+EXTRA_DIST += dovecot.socket dovecot.service.in dovecot-init.service endif install-exec-hook: diff --git a/dovecot-2.2.22-systemd_w_protectsystem.patch b/dovecot-2.2.22-systemd_w_protectsystem.patch index 6fcddac..d00a9b9 100644 --- a/dovecot-2.2.22-systemd_w_protectsystem.patch +++ b/dovecot-2.2.22-systemd_w_protectsystem.patch 
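Review bot: In the dovecot.conf.in hunk of dovecot-2.0-defaultconfig.patch, the comment kept above `first_valid_uid = 1000` still refers to "your vmail user's UID", although the same hunk removes `mail_uid = vmail` / `mail_gid = vmail` and adds `userdb passwd`, so this configuration no longer has a vmail user. With system-user authentication the setting is what keeps low-UID system accounts from logging in, and the comment should say that, for example `# Only UIDs >= first_valid_uid may log in; this keeps system accounts out.` The previous version of the patch also carried a comment explaining `ssl = required`, which the new side drops; a short explanatory line above it would help administrators reading the shipped default. The page text of this patch is damaged after `ssl = required`, so the rest of the new side could not be reviewed.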
@@ -1,14 +1,11 @@ -diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in ---- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem 2017-02-27 10:00:14.647423500 +0100 -+++ dovecot-2.2.28/dovecot.service.in 2017-02-27 10:02:18.051377067 +0100 -@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload +diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in +--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem 2018-07-09 12:00:13.359193526 +0200 ++++ dovecot-2.3.2/dovecot.service.in 2018-07-09 12:00:46.387716884 +0200 +@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload ExecStop=@bindir@/doveadm stop PrivateTmp=true NonBlocking=yes --# Enable this if your systemd is new enough to support it: --#ProtectSystem=full -+# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot) -+ProtectSystem=full - - # You can add environment variables with e.g.: - #Environment='CORE_OUTOFMEM=1' ++# this will make /usr /boot /etc read only for dovecot + ProtectSystem=full + ProtectHome=no + PrivateDevices=true diff --git a/dovecot-2.2.31-notifyrevert.patch b/dovecot-2.2.31-notifyrevert.patch deleted file mode 100644 index a0fa251..0000000 --- a/dovecot-2.2.31-notifyrevert.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 64d2efdc4b0bdf92249840e9db89b91c8dc0f3a3 Mon Sep 17 00:00:00 2001 -From: Timo Sirainen -Date: Sat, 17 Jun 2017 14:38:22 +0300 -Subject: [PATCH] imap: Fix NOTIFY to parse more than just the first - event-group - ---- - src/imap/cmd-notify.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/imap/cmd-notify.c b/src/imap/cmd-notify.c -index 4c6aad975..94cf103b8 100644 ---- a/src/imap/cmd-notify.c -+++ b/src/imap/cmd-notify.c -@@ -292,10 +292,10 @@ cmd_notify_set(struct imap_notify_context *ctx, const struct imap_arg *args) - ctx->send_immediate_status = TRUE; - args++; - } -+ for (; args->type != IMAP_ARG_EOL; args++) { -+ if (!imap_arg_get_list(args, &event_group)) -+ return -1; - -- if (!imap_arg_get_list(args, &event_group)) -- return -1; -- for (; event_group->type != IMAP_ARG_EOL; event_group++) { - /* filter-mailboxes */ - if (!imap_arg_get_atom(event_group, &filter_mailboxes)) - return -1; diff --git a/dovecot-2.3.11-bigkey.patch b/dovecot-2.3.11-bigkey.patch new file mode 100644 index 0000000..dc81a33 --- /dev/null +++ b/dovecot-2.3.11-bigkey.patch @@ -0,0 +1,10 @@ +diff -up dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey dovecot-2.3.15/doc/dovecot-openssl.cnf +--- dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey 2021-06-21 20:24:51.913456628 +0200 ++++ dovecot-2.3.15/doc/dovecot-openssl.cnf 2021-06-21 20:25:36.352912123 +0200 +@@ -1,5 +1,5 @@ + [ req ] +-default_bits = 2048 ++default_bits = 3072 + encrypt_key = yes + distinguished_name = req_dn + x509_extensions = cert_type diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch new file mode 100644 index 0000000..4ef5447 --- /dev/null +++ b/dovecot-2.3.15-fixvalcond.patch 
@@ -0,0 +1,24 @@ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2025-06-02 23:36:21.897399891 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c 2025-06-02 23:38:13.748569461 +0200 +@@ -102,7 +102,7 @@ sieve_dict_script_get_stream(struct siev + container_of(script, struct sieve_dict_script, script); + struct sieve_dict_storage *dstorage = + container_of(storage, struct sieve_dict_storage, storage); +- const char *path, *name = script->name, *data, *error; ++ const char *path, *name = script->name, *data, *error = NULL; + int ret; + + dscript->data_pool = +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c.fixvalcond 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c 2025-06-02 23:36:21.897571934 +0200 +@@ -250,7 +250,7 @@ int index_storage_attribute_get(struct m + struct mail_attribute_value *value_r) + { + struct dict *dict; +- const char *mailbox_prefix, *error; ++ const char *mailbox_prefix, *error = NULL; + int ret; + + i_zero(value_r); diff --git a/dovecot-2.3.15-valbasherr.patch b/dovecot-2.3.15-valbasherr.patch new file mode 100644 index 0000000..bbcb86f --- /dev/null +++ b/dovecot-2.3.15-valbasherr.patch 
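Review bot: Initialising `error` to NULL in sieve_dict_script_get_stream() silences the uninitialised-value report without showing which path reads `error` before a callee has set it, and the same applies to index_storage_attribute_get() in the second hunk. If that path passes `error` to a formatted log or error message, it now receives NULL instead of an indeterminate pointer, which is safer but still hides the missing assignment. Both function bodies continue outside the hunks, so the read site cannot be confirmed here. The patch has no header; a line such as `# Downstream workaround: valgrind reports a conditional jump on an unset 'error'; drop once the dict lookup always sets it on failure` would let the next rebase decide whether it is still needed.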
@@ -0,0 +1,20 @@ +diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp +--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr 2021-06-21 22:52:53.272707239 +0200 ++++ dovecot-2.3.15/run-test-valgrind.supp 2021-06-21 22:54:19.786668430 +0200 +@@ -1,4 +1,16 @@ + { ++ ++ Memcheck:Leak ++ match-leak-kinds: definite ++ fun:malloc ++ fun:make_if_command ++ fun:yyparse ++ fun:parse_command ++ fun:read_command ++ fun:reader_loop ++ fun:main ++} ++{ + + Memcheck:Leak + fun:malloc diff --git a/dovecot-2.3.21.1-fixicu.patch b/dovecot-2.3.21.1-fixicu.patch new file mode 100644 index 0000000..19f0658 --- /dev/null +++ b/dovecot-2.3.21.1-fixicu.patch @@ -0,0 +1,13 @@ +diff -up dovecot-2.3.20/m4/want_icu.m4.fixicu dovecot-2.3.20/m4/want_icu.m4 +--- dovecot-2.3.20/m4/want_icu.m4.fixicu 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/m4/want_icu.m4 2025-01-29 10:47:25.765768562 +0100 +@@ -1,7 +1,7 @@ + AC_DEFUN([DOVECOT_WANT_ICU], [ + if test "$want_icu" != "no"; then +- if test "$PKG_CONFIG" != "" && $PKG_CONFIG --exists icu-i18n 2>/dev/null; then +- PKG_CHECK_MODULES(LIBICU, icu-i18n) ++ if test "$PKG_CONFIG" != "" && $PKG_CONFIG --exists icu-i18n icu-uc 2>/dev/null; then ++ PKG_CHECK_MODULES(LIBICU, icu-i18n icu-uc) + have_icu=yes + AC_DEFINE(HAVE_LIBICU,, [Define if you want ICU normalization support for FTS]) + elif test "$want_icu" = "yes"; then diff --git a/dovecot-2.4.1-nolibotp.patch b/dovecot-2.4.1-nolibotp.patch new file mode 100644 index 0000000..aea6ada --- /dev/null +++ b/dovecot-2.4.1-nolibotp.patch 
@@ -0,0 +1,285 @@ +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c.nolibotp 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c 2025-11-30 13:38:50.100927373 +0100 +@@ -16,7 +16,7 @@ + static const char *const settings[] = { + "base_dir", ".", + "auth_mechanisms", +- "ANONYMOUS APOP CRAM-MD5 DIGEST-MD5 EXTERNAL LOGIN PLAIN OTP " ++ "ANONYMOUS APOP CRAM-MD5 DIGEST-MD5 EXTERNAL LOGIN PLAIN " + "OAUTHBEARER SCRAM-SHA-1 SCRAM-SHA-256 XOAUTH2", + "auth_username_chars", "", + "auth_username_format", "", +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c.nolibotp 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c 2025-11-30 13:38:50.101130654 +0100 +@@ -46,10 +46,7 @@ request_handler_reply_mock_callback(stru + + if (request->passdb_result == PASSDB_RESULT_OK) + request->failed = FALSE; +- else if (strcmp(request->fields.mech_name, SASL_MECH_NAME_OTP) == 0) { +- if (null_strcmp(request->fields.user, "otp_phase_2") == 0) +- request->failed = FALSE; +- } else if (strcmp(request->fields.mech_name, ++ else if (strcmp(request->fields.mech_name, + SASL_MECH_NAME_OAUTHBEARER) == 0) { + } + }; +@@ -190,10 +187,6 @@ static void test_mechs(void) + {"PLAIN", UCHAR_LEN("\0testuser\0testpass"), "testuser", TRUE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", TRUE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", TRUE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", TRUE, TRUE, FALSE}, +- {"OTP", UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", TRUE, TRUE, FALSE}, +- {"OTP", UCHAR_LEN("init-hex:f6bd 
6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", TRUE, TRUE, FALSE}, +- {"OTP", UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", TRUE, TRUE, FALSE}, + {"OAUTHBEARER", UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", FALSE, TRUE, FALSE}, + {"SCRAM-SHA-1", UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", TRUE, FALSE, FALSE}, + {"SCRAM-SHA-256", UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", TRUE, FALSE, FALSE}, +@@ -208,8 +201,6 @@ static void test_mechs(void) + {"EXTERNAL", UCHAR_LEN(""), "testuser", FALSE, TRUE, FALSE}, + {"EXTERNAL", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, + {"LOGIN", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN(""), "testuser", FALSE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, + {"OAUTHBEARER", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, + {"XOAUTH2", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, +@@ -221,7 +212,6 @@ static void test_mechs(void) + {"APOP", UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, FALSE, FALSE, FALSE}, + {"APOP", UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, FALSE, FALSE, FALSE}, + {"APOP", UCHAR_LEN("1.1.1"), NULL, FALSE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN("somebody\0testuser"), "testuser", FALSE, TRUE, FALSE}, + {"CRAM-MD5", UCHAR_LEN("testuser\0response"), "testuser", FALSE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("testuser\0"), "testuser", FALSE, FALSE, FALSE}, + +@@ -264,9 +254,7 @@ static void test_mechs(void) + {"PLAIN", UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, FALSE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("failingwiththis"), NULL, FALSE, FALSE, FALSE}, + {"PLAIN", UCHAR_LEN("failing\0withthis"), NULL, FALSE, FALSE, FALSE}, +- {"OTP", UCHAR_LEN("someb\0ody\0testuser"), NULL, FALSE, FALSE, FALSE}, 
+ /* phase 2 */ +- {"OTP", UCHAR_LEN("someb\0ody\0testuser"), "testuser", FALSE, TRUE, FALSE}, + {"SCRAM-SHA-1", UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, FALSE, FALSE, FALSE}, + {"SCRAM-SHA-1", UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, FALSE, FALSE, FALSE}, + {"SCRAM-SHA-1", UCHAR_LEN("n,a=masteruser,,"), NULL, FALSE, FALSE, FALSE}, +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibotp 2025-11-30 13:38:50.093609901 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c 2025-11-30 13:38:50.101359374 +0100 +@@ -13,7 +13,6 @@ + #include "randgen.h" + #include "sha1.h" + #include "sha2.h" +-#include "otp.h" + #include "str.h" + #include "auth-digest.h" + #include "password-scheme.h" +@@ -704,33 +703,6 @@ plain_md5_generate(const char *plaintext + *size_r = MD5_RESULTLEN; + } + +-static int otp_verify(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char *raw_password, size_t size, +- const char **error_r) +-{ +- const char *password, *generated; +- +- password = t_strndup(raw_password, size); +- if (password_generate_otp(plaintext, password, UINT_MAX, &generated) < 0) { +- *error_r = "Invalid OTP data in passdb"; +- return -1; +- } +- +- return strcasecmp(password, generated) == 0 ? 
1 : 0; +-} +- +-static void +-otp_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char **raw_password_r, size_t *size_r) +-{ +- const char *password; +- +- if (password_generate_otp(plaintext, NULL, OTP_HASH_SHA1, &password) < 0) +- i_unreached(); +- *raw_password_r = (const unsigned char *)password; +- *size_r = strlen(password); +-} +- + static const struct password_scheme builtin_schemes[] = { + { + .name = "MD5", +@@ -894,13 +866,6 @@ static const struct password_scheme buil + .password_generate = plain_md5_generate, + }, + { +- .name = "OTP", +- .default_encoding = PW_ENCODING_NONE, +- .raw_password_len = 0, +- .password_verify = otp_verify, +- .password_generate = otp_generate, +- }, +- { + .name = "PBKDF2", + .default_encoding = PW_ENCODING_NONE, + .raw_password_len = 0, +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibotp 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h 2025-11-30 13:38:50.101549260 +0100 +@@ -98,9 +98,6 @@ void password_set_encryption_rounds(unsi + /* INTERNAL: */ + const char *password_generate_salt(size_t len); + const char *password_generate_md5_crypt(const char *pw, const char *salt); +-int password_generate_otp(const char *pw, const char *state_data, +- unsigned int algo, const char **result_r) +- ATTR_NULL(2); + + int scram_verify(const struct hash_method *hmethod, const char *scheme_name, + const char *plaintext, const unsigned char *raw_password, +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.nolibotp 2025-10-29 07:58:41.000000000 +0100 ++++ 
dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c 2025-11-30 13:38:50.101711124 +0100 +@@ -107,7 +107,6 @@ static void test_password_schemes(void) + test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test"); + test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test"); + test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test"); +- test_password_scheme("OTP", "{OTP}sha1 1024 ae6b49aa481f7233 f69fc7f98b8fbf54", "test"); + test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test"); + test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test"); + test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test"); +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c.nolibotp 2025-11-30 13:39:54.210043386 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c 2025-11-30 13:39:54.217205256 +0100 +@@ -175,7 +175,6 @@ void dsasl_clients_init(void) + dsasl_client_mech_register(&dsasl_client_mech_digest_md5); + dsasl_client_mech_register(&dsasl_client_mech_cram_md5); + dsasl_client_mech_register(&dsasl_client_mech_oauthbearer); +- dsasl_client_mech_register(&dsasl_client_mech_otp); + dsasl_client_mech_register(&dsasl_client_mech_xoauth2); + dsasl_client_mech_register(&dsasl_client_mech_scram_sha_1); + dsasl_client_mech_register(&dsasl_client_mech_scram_sha_1_plus); +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h.nolibotp 2025-11-30 
13:40:22.269119732 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h 2025-11-30 13:40:22.275363043 +0100 +@@ -50,7 +50,6 @@ extern const struct dsasl_client_mech ds + extern const struct dsasl_client_mech dsasl_client_mech_external; + extern const struct dsasl_client_mech dsasl_client_mech_login; + extern const struct dsasl_client_mech dsasl_client_mech_oauthbearer; +-extern const struct dsasl_client_mech dsasl_client_mech_otp; + extern const struct dsasl_client_mech dsasl_client_mech_xoauth2; + extern const struct dsasl_client_mech dsasl_client_mech_scram_sha_1; + extern const struct dsasl_client_mech dsasl_client_mech_scram_sha_1_plus; +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c.nolibotp 2025-11-30 13:40:56.823727053 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c 2025-11-30 13:40:56.837864792 +0100 +@@ -635,7 +635,6 @@ static void fuzz_sasl_run(struct istream + sasl_server_mech_register_cram_md5(server_inst); + sasl_server_mech_register_digest_md5(server_inst); + sasl_server_mech_register_login(server_inst); +- sasl_server_mech_register_otp(server_inst); + sasl_server_mech_register_plain(server_inst); + sasl_server_mech_register_scram_sha1(server_inst); + sasl_server_mech_register_scram_sha1_plus(server_inst); +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h.nolibotp 2025-11-30 13:41:24.035316421 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h 2025-11-30 13:41:24.050796571 +0100 +@@ -193,8 +193,6 @@ void sasl_server_mech_register_scram_sha + void sasl_server_mech_register_scram_sha256_plus( + struct 
sasl_server_instance *sinst); + +-void sasl_server_mech_register_otp(struct sasl_server_instance *sinst); +- + /* Winbind */ + + struct sasl_server_winbind_settings { +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c.nolibotp 2025-11-30 13:42:08.741524883 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c 2025-11-30 13:42:08.757334395 +0100 +@@ -507,7 +507,6 @@ test_sasl_run(const struct test_sasl *te + sasl_server_mech_register_digest_md5(server_inst); + sasl_server_mech_register_external(server_inst); + sasl_server_mech_register_login(server_inst); +- sasl_server_mech_register_otp(server_inst); + sasl_server_mech_register_plain(server_inst); + sasl_server_mech_register_scram_sha1(server_inst); + sasl_server_mech_register_scram_sha1_plus(server_inst); +@@ -722,16 +721,6 @@ static const struct test_sasl success_te + .password = "tokentokentoken", + }, + }, +- /* OTP */ +- { +- .mech = "OTP", +- .authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME, +- .server = { +- .authid = "user", +- .password = "pass", +- }, +- .repeat = 1050, +- }, + /* EXTERNAL */ + { + .mech = "EXTERNAL", +@@ -1457,31 +1446,6 @@ static const struct test_sasl bad_creds_ + }, + .failure = TRUE, + }, +- /* OTP */ +- { +- .mech = "OTP", +- .authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME, +- .server = { +- .authid = "user", +- .password = "pass", +- }, +- .client = { +- .authid = "userb", +- }, +- .failure = TRUE, +- }, +- { +- .mech = "OTP", +- .authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME, +- .server = { +- .authid = "user", +- .password = "pass", +- }, +- .client = { +- .password = "florp", +- }, +- .failure = TRUE, +- }, + /* EXTERNAL */ + { + .mech = "EXTERNAL", +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c.nolibotp2 
dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c.nolibotp2 2025-11-30 13:56:23.124460140 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c 2025-11-30 13:56:39.521935947 +0100 +@@ -472,7 +472,6 @@ MECH_SIMPLE_REGISTER__TEMPLATE(cram_md5) + MECH_SIMPLE_REGISTER__TEMPLATE(digest_md5) + MECH_SIMPLE_REGISTER__TEMPLATE(external) + MECH_SIMPLE_REGISTER__TEMPLATE(login) +-MECH_SIMPLE_REGISTER__TEMPLATE(otp) + MECH_SIMPLE_REGISTER__TEMPLATE(plain) + MECH_SIMPLE_REGISTER__TEMPLATE(scram_sha1) + MECH_SIMPLE_REGISTER__TEMPLATE(scram_sha1_plus) +@@ -539,12 +538,6 @@ static const struct auth_sasl_mech_modul + .mech_register = mech_login_register, + }; + +-static const struct auth_sasl_mech_module mech_otp = { +- .mech_name = SASL_MECH_NAME_OTP, +- +- .mech_register = mech_otp_register, +-}; +- + static const struct auth_sasl_mech_module mech_plain = { + .mech_name = SASL_MECH_NAME_PLAIN, + +@@ -612,7 +605,6 @@ static void auth_sasl_mechs_init(const s + if (set->use_winbind) + auth_sasl_mech_register_module(&mech_winbind_ntlm); + auth_sasl_mech_oauth2_register(); +- auth_sasl_mech_register_module(&mech_otp); + auth_sasl_mech_register_module(&mech_plain); + auth_sasl_mech_register_module(&mech_scram_sha1); + auth_sasl_mech_register_module(&mech_scram_sha1_plus); diff --git a/dovecot-2.4.1-opensslhmac3.patch b/dovecot-2.4.1-opensslhmac3.patch new file mode 100644 index 0000000..1947856 --- /dev/null +++ b/dovecot-2.4.1-opensslhmac3.patch 
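Review bot: The password-scheme.c hunk in dovecot-2.4.1-nolibotp.patch removes the `OTP` entry from `builtin_schemes` along with `otp_verify`/`otp_generate`, and the auth-sasl.c hunks unregister `mech_otp`, so after this update any passdb entry stored as `{OTP}...` and any `auth_mechanisms` list naming OTP presumably stop working, yet the patch has no header describing that. A preamble line such as `# Downstream: remove the OTP SASL mechanism and {OTP} password scheme; existing {OTP} credentials will no longer verify` plus a release-note entry would make the authentication change visible to administrators. None of the file sections in this patch touches a Makefile.am, so whether the OTP sources are still compiled cannot be judged from here. As a smaller point, in the test-mech.c table the `/* phase 2 */` comment is kept although both adjacent OTP rows are removed, so it now sits directly above the SCRAM-SHA-1 rows and should be dropped or reworded.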
@@ -0,0 +1,1025 @@ +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c 2025-11-30 09:57:55.178213106 +0100 +@@ -162,17 +162,17 @@ void auth_token_deinit(void) + const char *auth_token_get(const char *service, const char *session_pid, + const char *username, const char *session_id) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char result[SHA1_RESULTLEN]; + +- hmac_init(&ctx, (const unsigned char*)username, strlen(username), ++ openssl_hmac_init(&ctx, (const unsigned char*)username, strlen(username), + &hash_method_sha1); +- hmac_update(&ctx, session_pid, strlen(session_pid)); ++ openssl_hmac_update(&ctx, session_pid, strlen(session_pid)); + if (session_id != NULL && *session_id != '\0') +- hmac_update(&ctx, session_id, strlen(session_id)); +- hmac_update(&ctx, service, strlen(service)); +- hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret)); +- hmac_final(&ctx, result); ++ openssl_hmac_update(&ctx, session_id, strlen(session_id)); ++ openssl_hmac_update(&ctx, service, strlen(service)); ++ openssl_hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret)); ++ openssl_hmac_final(&ctx, result); + + return binary_to_hex(result, sizeof(result)); + } +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am 2025-11-30 09:57:55.178490134 +0100 +@@ -71,6 +71,7 @@ auth_LDFLAGS = -export-dynamic + auth_libs = \ + ../lib-auth/libauth-crypt.la \ + $(AUTH_LUA_LIBS) \ ++ $(SSL_LIBS) \ + $(LIBDOVECOT_SQL) + + auth_CPPFLAGS = $(AM_CPPFLAGS) 
$(BINARY_CFLAGS) +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am 2025-11-30 09:57:55.179136544 +0100 +@@ -21,11 +21,13 @@ AM_CPPFLAGS = \ + $(BINARY_CFLAGS) + + imap_LDFLAGS = -export-dynamic \ ++ $(SSL_LIBS) \ + $(BINARY_LDFLAGS) + + imap_LDADD = \ + ../lib-imap-urlauth/libimap-urlauth.la \ + ../lib-compression/libcompression.la \ ++ $(SSL_LIBS) \ + $(LIBDOVECOT_STORAGE) \ + $(LIBDOVECOT) + imap_DEPENDENCIES = \ +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am 2025-11-30 09:57:55.179268682 +0100 +@@ -23,6 +23,7 @@ imap_urlauth_CPPFLAGS = \ + imap_urlauth_LDFLAGS = -export-dynamic + + imap_urlauth_LDADD = $(LIBDOVECOT) \ ++ $(SSL_LIBS) + $(BINARY_LDFLAGS) + + imap_urlauth_DEPENDENCIES = $(LIBDOVECOT_DEPS) +@@ -53,7 +54,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy + urlauth_libs = \ + $(top_builddir)/src/lib-imap-urlauth/libimap-urlauth.la + +-imap_urlauth_worker_LDADD = $(urlauth_libs) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) ++imap_urlauth_worker_LDADD = $(urlauth_libs) $(SSL_LIBS) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) + imap_urlauth_worker_DEPENDENCIES = $(urlauth_libs) $(LIBDOVECOT_STORAGE_DEPS) $(LIBDOVECOT_DEPS) + + imap_urlauth_worker_SOURCES = \ +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ 
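Review bot: The added `$(SSL_LIBS)` line in `imap_urlauth_LDADD` (imap-urlauth/Makefile.am, first hunk) has no trailing backslash, so the continuation stops there and the following `$(BINARY_LDFLAGS)` line is no longer part of the assignment. Depending on how make treats the orphaned line, this either breaks the build or links imap-urlauth without those flags; if, as the name suggests, they carry the link-time hardening options (not shown on this page), that loss would go unnoticed. The added line should read `$(SSL_LIBS) \`. Whitespace is collapsed in this view, so confirm against the raw patch.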
dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c 2025-11-30 09:57:55.179413002 +0100 +@@ -222,7 +222,7 @@ static string_t *auth_scram_get_client_f + unsigned char client_signature[hmethod->digest_size]; + unsigned char client_proof[hmethod->digest_size]; + unsigned char server_key[hmethod->digest_size]; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const void *cbind_input; + size_t cbind_input_size; + string_t *auth_message, *str; +@@ -281,9 +281,9 @@ static string_t *auth_scram_get_client_f + client->iter, salted_password); + + /* ClientKey := HMAC(SaltedPassword, "Client Key") */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Client Key", 10); +- hmac_final(&ctx, client_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Client Key", 10); ++ openssl_hmac_final(&ctx, client_key); + + /* StoredKey := H(ClientKey) */ + hash_method_get_digest(hmethod, client_key, sizeof(client_key), +@@ -301,9 +301,9 @@ static string_t *auth_scram_get_client_f + str_append_str(auth_message, str); + + /* ClientSignature := HMAC(StoredKey, AuthMessage) */ +- hmac_init(&ctx, stored_key, sizeof(stored_key), hmethod); +- hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); +- hmac_final(&ctx, client_signature); ++ openssl_hmac_init(&ctx, stored_key, sizeof(stored_key), hmethod); ++ openssl_hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); ++ openssl_hmac_final(&ctx, client_signature); + + /* ClientProof := ClientKey XOR ClientSignature */ + for (k = 0; k < hmethod->digest_size; k++) +@@ -314,16 +314,16 @@ static string_t *auth_scram_get_client_f + safe_memset(client_signature, 0, sizeof(client_signature)); + + /* ServerKey := HMAC(SaltedPassword, "Server Key") */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Server Key", 10); +- hmac_final(&ctx, server_key); ++ 
openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Server Key", 10); ++ openssl_hmac_final(&ctx, server_key); + + /* ServerSignature := HMAC(ServerKey, AuthMessage) */ + client->server_signature = + p_malloc(client->pool, hmethod->digest_size); +- hmac_init(&ctx, server_key, sizeof(server_key), hmethod); +- hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); +- hmac_final(&ctx, client->server_signature); ++ openssl_hmac_init(&ctx, server_key, sizeof(server_key), hmethod); ++ openssl_hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); ++ openssl_hmac_final(&ctx, client->server_signature); + + safe_memset(salted_password, 0, sizeof(salted_password)); + +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c 2025-11-30 09:57:55.179729815 +0100 +@@ -31,7 +31,7 @@ void auth_scram_hi(const struct hash_met + const unsigned char *salt, size_t salt_size, unsigned int i, + unsigned char *result) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char U[hmethod->digest_size]; + unsigned int j, k; + +@@ -51,18 +51,18 @@ void auth_scram_hi(const struct hash_met + */ + + /* Calculate U1 */ +- hmac_init(&ctx, str, str_size, hmethod); +- hmac_update(&ctx, salt, salt_size); +- hmac_update(&ctx, "\0\0\0\1", 4); +- hmac_final(&ctx, U); ++ openssl_hmac_init(&ctx, str, str_size, hmethod); ++ openssl_hmac_update(&ctx, salt, salt_size); ++ openssl_hmac_update(&ctx, "\0\0\0\1", 4); ++ openssl_hmac_final(&ctx, U); + + memcpy(result, U, hmethod->digest_size); + + /* Calculate U2 to Ui and Hi */ + for (j = 2; j <= i; j++) { +- hmac_init(&ctx, str, str_size, hmethod); +- hmac_update(&ctx, U, sizeof(U)); +- hmac_final(&ctx, 
U); ++ openssl_hmac_init(&ctx, str, str_size, hmethod); ++ openssl_hmac_update(&ctx, U, sizeof(U)); ++ openssl_hmac_final(&ctx, U); + for (k = 0; k < hmethod->digest_size; k++) + result[k] ^= U[k]; + } +@@ -75,7 +75,7 @@ void auth_scram_generate_key_data(const + unsigned char stored_key_r[], + unsigned char server_key_r[]) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char salt[16]; + unsigned char salted_password[hmethod->digest_size]; + unsigned char client_key[hmethod->digest_size]; +@@ -97,18 +97,18 @@ void auth_scram_generate_key_data(const + salt, sizeof(salt), rounds, salted_password); + + /* Calculate ClientKey */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Client Key", 10); +- hmac_final(&ctx, client_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Client Key", 10); ++ openssl_hmac_final(&ctx, client_key); + + /* Calculate StoredKey */ + hash_method_get_digest(hmethod, client_key, sizeof(client_key), + stored_key_r); + + /* Calculate ServerKey */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Server Key", 10); +- hmac_final(&ctx, server_key_r); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Server Key", 10); ++ openssl_hmac_final(&ctx, server_key_r); + + safe_memset(salted_password, 0, sizeof(salted_password)); + safe_memset(client_key, 0, sizeof(client_key)); +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c 2025-11-30 09:57:55.179862473 +0100 +@@ -288,7 +288,7 @@ auth_scram_server_verify_credentials(str + { + 
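Review bot: Inside the `for (j = 2; j <= i; j++)` loop of auth_scram_hi, every round now goes through openssl_hmac_init and openssl_hmac_final, which in this patch's hmac.c means an `EVP_MAC_fetch`, an `EVP_MAC_CTX_new` and both frees per iteration. With iteration counts in the thousands this is likely to add noticeable cost to each SCRAM login, though the real impact needs measuring. The inner loop of pkcs5_pbkdf2 in the pkcs5.c hunk has the same pattern. Consider fetching the EVP_MAC once per derivation and duplicating a keyed context per round with `EVP_MAC_CTX_dup`, or at minimum add `/* NOTE: each round re-fetches the HMAC implementation, see openssl_hmac_init() */` above the loop. The function body starts outside the hunk.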
const struct hash_method *hmethod = server->set.hash_method; + struct auth_scram_key_data *kdata = &server->key_data; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *auth_message; + unsigned char client_key[hmethod->digest_size]; + unsigned char client_signature[hmethod->digest_size]; +@@ -309,9 +309,9 @@ auth_scram_server_verify_credentials(str + server->server_first_message, ",", + server->client_final_message_without_proof, NULL); + +- hmac_init(&ctx, kdata->stored_key, hmethod->digest_size, hmethod); +- hmac_update(&ctx, auth_message, strlen(auth_message)); +- hmac_final(&ctx, client_signature); ++ openssl_hmac_init(&ctx, kdata->stored_key, hmethod->digest_size, hmethod); ++ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_final(&ctx, client_signature); + + /* ClientProof := ClientKey XOR ClientSignature */ + const unsigned char *proof_data = server->proof->data; +@@ -440,7 +440,7 @@ auth_scram_get_server_final(struct auth_ + { + const struct hash_method *hmethod = server->set.hash_method; + struct auth_scram_key_data *kdata = &server->key_data; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *auth_message; + unsigned char server_signature[hmethod->digest_size]; + string_t *str; +@@ -456,9 +456,9 @@ auth_scram_get_server_final(struct auth_ + server->server_first_message, ",", + server->client_final_message_without_proof, NULL); + +- hmac_init(&ctx, kdata->server_key, hmethod->digest_size, hmethod); +- hmac_update(&ctx, auth_message, strlen(auth_message)); +- hmac_final(&ctx, server_signature); ++ openssl_hmac_init(&ctx, kdata->server_key, hmethod->digest_size, hmethod); ++ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_final(&ctx, server_signature); + + /* RFC 5802, Section 7: + +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c +--- 
dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c 2025-11-30 09:57:55.180035106 +0100 +@@ -633,11 +633,11 @@ static void + cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, + const unsigned char **raw_password_r, size_t *size_r) + { +- struct hmac_context ctx; ++ struct orig_hmac_context ctx; + unsigned char *context_digest; + + context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN); +- hmac_init(&ctx, (const unsigned char *)plaintext, ++ orig_hmac_init(&ctx, (const unsigned char *)plaintext, + strlen(plaintext), &hash_method_md5); + hmac_md5_get_cram_context(&ctx, context_digest); + +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c 2025-11-30 09:57:55.180182392 +0100 +@@ -23,7 +23,7 @@ int scram_verify(const struct hash_metho + const char *plaintext, const unsigned char *raw_password, + size_t size, const char **error_r) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *salt_base64; + unsigned int iter_count; + const unsigned char *salt; +@@ -49,9 +49,9 @@ int scram_verify(const struct hash_metho + salt, salt_len, iter_count, salted_password); + + /* Calculate ClientKey */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Client Key", 10); +- hmac_final(&ctx, client_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Client Key", 10); ++ openssl_hmac_final(&ctx, client_key); + + /* Calculate StoredKey */ + hash_method_get_digest(hmethod, 
client_key, sizeof(client_key), +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c 2025-11-30 09:57:55.180318937 +0100 +@@ -7,6 +7,10 @@ + * This software is released under the MIT license. + */ + ++#include ++#include ++#include ++#include + #include "lib.h" + #include "hmac.h" + #include "safe-memset.h" +@@ -14,10 +18,103 @@ + + #include "hex-binary.h" + +-void hmac_init(struct hmac_context *_ctx, const unsigned char *key, ++#ifndef HAVE_HMAC_CTX_NEW ++# define HMAC_Init_ex(ctx, key, key_len, md, impl) \ ++ HMAC_Init_ex(&(ctx), key, key_len, md, impl) ++# define HMAC_Update(ctx, data, len) HMAC_Update(&(ctx), data, len) ++# define HMAC_Final(ctx, md, len) HMAC_Final(&(ctx), md, len) ++# define HMAC_CTX_free(ctx) HMAC_cleanup(&(ctx)) ++#else ++# define HMAC_CTX_free(ctx) \ ++ STMT_START { HMAC_CTX_free(ctx); (ctx) = NULL; } STMT_END ++#endif ++ ++ ++void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key, //DONE ++ size_t key_len, const struct hash_method *meth) ++{ ++#ifdef USE_OPENSSL3_METHODS ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++ ++ ++ const EVP_MD *md; ++ const char *ebuf = NULL; ++ const char **error_r = &ebuf; ++ OSSL_PARAM params[2]; ++ ++ md = EVP_get_digestbyname(meth->name); ++ if(md == NULL) { ++ if (error_r != NULL) { ++ *error_r = t_strdup_printf("Invalid digest %s", ++ meth->name); ++ } ++ //return FALSE; ++ } ++ ++ ctx->mac = EVP_MAC_fetch(NULL, "HMAC", NULL); ++ ++ ctx->ctx = EVP_MAC_CTX_new(ctx->mac); ++ if (ctx->ctx == NULL) { ++ EVP_MAC_free(ctx->mac); ++ } ++ ++ params[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)meth->name, 0); ++ params[1] = OSSL_PARAM_construct_end(); ++ ++ if (EVP_MAC_init(ctx->ctx, key, key_len, ++ params) == 0) { ++ if (error_r != NULL) { 
++ *error_r = t_strdup_printf("Invalid digest %s", ++ meth->name); ++ } ++ } ++ ++#else ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++ ++ const EVP_MD *md; ++ const char *ebuf = NULL; ++ const char **error_r = &ebuf; ++ ++ md = EVP_get_digestbyname(meth->name); ++ if(md == NULL) { ++ if (error_r != NULL) { ++ *error_r = t_strdup_printf("Invalid digest %s", ++ meth->name); ++ } ++ //return FALSE; ++ } ++ ++// int ec; ++ ++ i_assert(md != NULL); ++#ifdef HAVE_HMAC_CTX_NEW ++ ctx->ctx = HMAC_CTX_new(); ++/* if (ctx->ctx == NULL) ++ dcrypt_openssl_error(error_r);*/ ++#endif ++ /*ec = */HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL); ++#endif ++} ++ ++void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key, //DONE + size_t key_len, const struct hash_method *meth) + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; ++ static int no_fips = -1; ++ if (no_fips == -1) { ++ int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY); ++ if (fd != -1) ++ { ++ char buf[4]; ++ if (read(fd, buf, 4) > 0) ++ { ++ no_fips = buf[0] == '0'; ++ } ++ close(fd); ++ } ++ } ++ i_assert(no_fips); ++ struct orig_hmac_context_priv *ctx = &_ctx->u.priv; + unsigned int i; + unsigned char k_ipad[meth->block_size]; + unsigned char k_opad[meth->block_size]; +@@ -54,9 +151,33 @@ void hmac_init(struct hmac_context *_ctx + safe_memset(k_opad, 0, meth->block_size); + } + +-void hmac_final(struct hmac_context *_ctx, unsigned char *digest) ++void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest) //FIXME + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; ++ int ec; ++ unsigned char buf[EVP_MAX_MD_SIZE]; ++ size_t outl; ++// const char *ebuf = NULL; ++// const char **error_r = &ebuf; ++ ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++#ifdef USE_OPENSSL3_METHODS ++ ec = EVP_MAC_final(ctx->ctx, buf, &outl, sizeof buf); ++ EVP_MAC_CTX_free(ctx->ctx); ++ EVP_MAC_free(ctx->mac); ++#else ++ ec = HMAC_Final(ctx->ctx, buf, &outl); ++ 
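Review bot: openssl_hmac_init cannot report failure, and in the `USE_OPENSSL3_METHODS` branch every failure path falls through: an unknown digest only writes a message into the local `ebuf`, the result of `EVP_MAC_fetch` is never checked, and when `EVP_MAC_CTX_new` returns NULL the code frees `ctx->mac` and then still calls `EVP_MAC_init(ctx->ctx, ...)`. Callers in this patch (SCRAM, JWT HS* validation, auth tokens) then continue with a context that was never keyed. Because the signature returns void, the way to fail closed without touching callers is to abort, as the legacy branch already does with `i_assert(md != NULL)`. The `md` lookup in the OpenSSL 3 branch is otherwise unused, and the `error_r != NULL` tests are always true.

```c
	/* … unchanged: md = EVP_get_digestbyname(meth->name) … */
	if (md == NULL)
		i_fatal("hmac: unknown digest %s", meth->name);

	ctx->mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
	if (ctx->mac == NULL)
		i_fatal("hmac: EVP_MAC_fetch(HMAC) failed");
	ctx->ctx = EVP_MAC_CTX_new(ctx->mac);
	if (ctx->ctx == NULL)
		i_fatal("hmac: EVP_MAC_CTX_new() failed");
	/* … unchanged: params[] construction … */
	if (EVP_MAC_init(ctx->ctx, key, key_len, params) == 0)
		i_fatal("hmac: EVP_MAC_init() failed for digest %s", meth->name);
```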
HMAC_CTX_free(ctx->ctx); ++#endif ++ if (ec == 1) ++ memcpy(digest, buf, outl); ++// else ++// dcrypt_openssl_error(error_r); ++ ++} ++ ++void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest) //DONE ++{ ++ struct orig_hmac_context_priv *ctx = &_ctx->u.priv; + + ctx->hash->result(ctx->ctx, digest); + +@@ -64,53 +185,50 @@ void hmac_final(struct hmac_context *_ct + ctx->hash->result(ctx->ctxo, digest); + } + +-buffer_t *t_hmac_data(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_data(const struct hash_method *meth, //FIXME + const unsigned char *key, size_t key_len, + const void *data, size_t data_len) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + i_assert(meth != NULL); + i_assert(key != NULL && key_len > 0); + i_assert(data != NULL || data_len == 0); + + buffer_t *res = t_buffer_create(meth->digest_size); +- hmac_init(&ctx, key, key_len, meth); ++ openssl_hmac_init(&ctx, key, key_len, meth); + if (data_len > 0) +- hmac_update(&ctx, data, data_len); ++ openssl_hmac_update(&ctx, data, data_len); + unsigned char *buf = buffer_get_space_unsafe(res, 0, meth->digest_size); +- hmac_final(&ctx, buf); ++ openssl_hmac_final(&ctx, buf); + return res; + } + +-buffer_t *t_hmac_buffer(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth, //DONE + const unsigned char *key, size_t key_len, + const buffer_t *data) + { +- return t_hmac_data(meth, key, key_len, data->data, data->used); ++ return openssl_t_hmac_data(meth, key, key_len, data->data, data->used); + } + +-buffer_t *t_hmac_str(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_str(const struct hash_method *meth, //DONE + const unsigned char *key, size_t key_len, + const char *data) + { +- return t_hmac_data(meth, key, key_len, data, strlen(data)); ++ return openssl_t_hmac_data(meth, key, key_len, data, strlen(data)); + } + +-void hmac_hkdf(const struct hash_method *method, ++void openssl_hmac_hkdf(const struct 
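Review bot: In openssl_hmac_final, when `ec != 1` the function returns without writing `digest`, and since it returns void the caller cannot tell; callers in this patch pass an uninitialised stack array (for example `result[SHA1_RESULTLEN]` in auth_token_get) and go on to compare or hex-encode it. A MAC that could not be computed should stop the operation: add `if (ec != 1) i_fatal("hmac: final failed");` before the `memcpy`. In the `#else` branch `HMAC_Final` takes an `unsigned int *` length, so passing `&outl` with `size_t outl` is a type mismatch and needs a separate `unsigned int` there. The `//FIXME` on the signature and the commented-out `dcrypt_openssl_error` call suggest this was known to be unfinished.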
hash_method *method, //FIXME + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + buffer_t *okm_r, size_t okm_len) + { ++ const EVP_MD *md; ++ EVP_PKEY_CTX *pctx; ++ int r = 1; ++ + i_assert(method != NULL); + i_assert(okm_len < 255*method->digest_size); +- struct hmac_context key_mac; +- struct hmac_context info_mac; +- size_t remain = okm_len; +- unsigned char prk[method->digest_size]; +- unsigned char okm[method->digest_size]; +- /* N = ceil(L/HashLen) */ +- unsigned int rounds = (okm_len + method->digest_size - 1)/method->digest_size; + + /* salt and info can be NULL */ + i_assert(salt != NULL || salt_len == 0); +@@ -126,28 +244,29 @@ void hmac_hkdf(const struct hash_method + if (info == NULL) + info = &uchar_nul; + +- /* extract */ +- hmac_init(&key_mac, salt, salt_len, method); +- hmac_update(&key_mac, ikm, ikm_len); +- hmac_final(&key_mac, prk); +- +- /* expand */ +- for (unsigned int i = 0; remain > 0 && i < rounds; i++) { +- unsigned char round = (i+1); +- size_t amt = remain; +- if (amt > method->digest_size) +- amt = method->digest_size; +- hmac_init(&info_mac, prk, method->digest_size, method); +- if (i > 0) +- hmac_update(&info_mac, okm, method->digest_size); +- hmac_update(&info_mac, info, info_len); +- hmac_update(&info_mac, &round, 1); +- memset(okm, 0, method->digest_size); +- hmac_final(&info_mac, okm); +- buffer_append(okm_r, okm, amt); +- remain -= amt; ++ md = EVP_get_digestbyname(method->name); ++ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); ++ unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len); ++ ++ if ((r=EVP_PKEY_derive_init(pctx)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_set_hkdf_md(pctx, md)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, ikm_len)) <= 0) ++ goto out; ++ if ((r=EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len)) <= 0) 
++ goto out; ++ if ((r=EVP_PKEY_derive(pctx, okm_buf, &okm_len)) <= 0) ++ goto out; ++ ++ out: ++ EVP_PKEY_CTX_free(pctx); ++ if (r <= 0) { ++ unsigned long ec = ERR_get_error(); ++ unsigned char *error = t_strdup_printf("%s", ERR_error_string(ec, NULL)); ++ i_error("%s", error); + } + +- safe_memset(prk, 0, sizeof(prk)); +- safe_memset(okm, 0, sizeof(okm)); + } +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c 2025-11-30 09:57:55.180461985 +0100 +@@ -9,10 +9,10 @@ + #include "md5.h" + #include "hmac-cram-md5.h" + +-void hmac_md5_get_cram_context(struct hmac_context *_hmac_ctx, ++void hmac_md5_get_cram_context(struct orig_hmac_context *_hmac_ctx, + unsigned char context_digest[CRAM_MD5_CONTEXTLEN]) + { +- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv; ++ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv; + unsigned char *cdp; + + struct md5_context *ctx = (void*)hmac_ctx->ctx; +@@ -35,10 +35,10 @@ void hmac_md5_get_cram_context(struct hm + CDPUT(cdp, ctx->d); + } + +-void hmac_md5_set_cram_context(struct hmac_context *_hmac_ctx, ++void hmac_md5_set_cram_context(struct orig_hmac_context *_hmac_ctx, + const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]) + { +- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv; ++ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv; + const unsigned char *cdp; + + struct md5_context *ctx = (void*)hmac_ctx->ctx; +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h 2025-11-30 
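Review bot: openssl_hmac_hkdf only logs when derivation fails: at `out:` an `r <= 0` ends in `i_error` and the function returns normally, after `buffer_get_space_unsafe(okm_r, 0, okm_len)` has already grown `okm_r` to the requested length. The caller therefore receives a buffer of the right size that does not hold derived key material and has no way to notice. Neither `md` from `EVP_get_digestbyname` nor `pctx` from `EVP_PKEY_CTX_new_id` is checked before use. As the function returns void, fail closed with `i_fatal("HKDF failed: %s", ERR_error_string(ec, NULL));` in place of the `i_error`, add `i_assert(md != NULL && pctx != NULL);` before `EVP_PKEY_derive_init`, and declare `error` as `const char *` if it is kept. The function starts in the previous hunk.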
09:57:55.180563796 +0100 +@@ -5,9 +5,9 @@ + + #define CRAM_MD5_CONTEXTLEN 32 + +-void hmac_md5_get_cram_context(struct hmac_context *ctx, ++void hmac_md5_get_cram_context(struct orig_hmac_context *ctx, + unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); +-void hmac_md5_set_cram_context(struct hmac_context *ctx, ++void hmac_md5_set_cram_context(struct orig_hmac_context *ctx, + const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); + + +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h 2025-11-30 09:57:55.180723505 +0100 +@@ -4,60 +4,108 @@ + #include "hash-method.h" + #include "sha1.h" + #include "sha2.h" ++#include ++#include ++#include ++#include + + #define HMAC_MAX_CONTEXT_SIZE HASH_METHOD_MAX_CONTEXT_SIZE + +-struct hmac_context_priv { ++ ++#define USE_OPENSSL3_METHODS 1 ++ ++struct openssl_hmac_context_priv { ++#ifdef USE_OPENSSL3_METHODS ++ EVP_MAC *mac; ++ EVP_MAC_CTX *ctx; ++#else ++#ifdef HAVE_HMAC_CTX_NEW ++ HMAC_CTX *ctx; ++#else ++ HMAC_CTX ctx; ++#endif ++#endif ++ const struct hash_method *hash; ++}; ++struct orig_hmac_context_priv { + char ctx[HMAC_MAX_CONTEXT_SIZE]; + char ctxo[HMAC_MAX_CONTEXT_SIZE]; + const struct hash_method *hash; + }; + +-struct hmac_context { ++struct openssl_hmac_context { + union { +- struct hmac_context_priv priv; ++ struct openssl_hmac_context_priv priv; + uint64_t padding_requirement; + } u; + }; + +-void hmac_init(struct hmac_context *ctx, const unsigned char *key, ++struct orig_hmac_context { ++ union { ++ struct orig_hmac_context_priv priv; ++ uint64_t padding_requirement; ++ } u; ++}; ++ ++void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key, ++ size_t key_len, const struct hash_method *meth); ++void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned 
char *digest); ++ ++static inline void ++openssl_hmac_update(struct openssl_hmac_context *_ctx, const void *data, size_t size) ++{ ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++#ifdef USE_OPENSSL3_METHODS ++ EVP_MAC_update(ctx->ctx, data, size); ++#else ++ HMAC_Update(ctx->ctx, data, size); ++#endif ++/* if (ec != 1) ++ { ++ const char *ebuf = NULL; ++ const char **error_r = &ebuf; ++ dcrypt_openssl_error(error_r); ++ }*/ ++} ++ ++void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key, + size_t key_len, const struct hash_method *meth); +-void hmac_final(struct hmac_context *ctx, unsigned char *digest); ++void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest); + + + static inline void +-hmac_update(struct hmac_context *_ctx, const void *data, size_t size) ++orig_hmac_update(struct orig_hmac_context *_ctx, const void *data, size_t size) + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; ++ struct orig_hmac_context_priv *ctx = &_ctx->u.priv; + + ctx->hash->loop(ctx->ctx, data, size); + } + +-buffer_t *t_hmac_data(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_data(const struct hash_method *meth, + const unsigned char *key, size_t key_len, + const void *data, size_t data_len); +-buffer_t *t_hmac_buffer(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth, + const unsigned char *key, size_t key_len, + const buffer_t *data); +-buffer_t *t_hmac_str(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_str(const struct hash_method *meth, + const unsigned char *key, size_t key_len, + const char *data); + +-void hmac_hkdf(const struct hash_method *method, ++void openssl_hmac_hkdf(const struct hash_method *method, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + buffer_t *okm_r, size_t okm_len); + + static inline buffer_t * +-t_hmac_hkdf(const struct hash_method *method, 
++openssl_t_hmac_hkdf(const struct hash_method *method, + const unsigned char *salt, size_t salt_len, + const unsigned char *ikm, size_t ikm_len, + const unsigned char *info, size_t info_len, + size_t okm_len) + { + buffer_t *okm_buffer = t_buffer_create(okm_len); +- hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len, ++ openssl_hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len, + okm_buffer, okm_len); + return okm_buffer; + } +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c 2025-11-30 09:57:55.180863807 +0100 +@@ -87,15 +87,15 @@ imap_urlauth_internal_generate( + const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], + size_t *token_len_r) + { +- struct hmac_context hmac; ++ struct openssl_hmac_context hmac; + unsigned char *token; + + token = t_new(unsigned char, SHA1_RESULTLEN + 1); + token[0] = IMAP_URLAUTH_MECH_INTERNAL_VERSION; + +- hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1); +- hmac_update(&hmac, rumpurl, strlen(rumpurl)); +- hmac_final(&hmac, token+1); ++ openssl_hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1); ++ openssl_hmac_update(&hmac, rumpurl, strlen(rumpurl)); ++ openssl_hmac_final(&hmac, token+1); + + *token_len_r = SHA1_RESULTLEN + 1; + return token; +diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am +--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 ++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am 2025-11-30 09:57:55.180990124 +0100 +@@ -414,6 +414,9 @@ headers = \ + wildcard-match.h \ + write-full.h + ++liblib_la_LIBADD 
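Review bot: openssl_hmac_update in hmac.h discards the return value of `EVP_MAC_update` (the check is commented out), so a failed update is indistinguishable from a good one and the MAC is finalised over partial input. Capture it and fail closed, e.g. `if (EVP_MAC_update(ctx->ctx, data, size) != 1) i_fatal("hmac: update failed");`. A comment on `struct openssl_hmac_context` should also state that it now owns heap objects released only by openssl_hmac_final, so it must not be copied by value or abandoned after init, unlike the old plain-memory `struct hmac_context`. `#define USE_OPENSSL3_METHODS 1` is unconditional here, which leaves every `#else` branch in this patch uncompiled.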
= $(SSL_LIBS)
++liblib_la_CFLAGS = $(SSL_CFLAGS)
++
+ test_programs = test-lib
+ noinst_PROGRAMS = $(test_programs)
+
+diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c
+--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c 2025-11-30 09:57:55.181135306 +0100
+@@ -210,14 +210,14 @@ oauth2_validate_hmac(const struct oauth2
+ if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0)
+ return -1;
+
+- struct hmac_context ctx;
++ struct openssl_hmac_context ctx;
+ unsigned char digest[method->digest_size];
+
+- hmac_init(&ctx, key->data, key->used, method);
+- hmac_update(&ctx, blobs[0], strlen(blobs[0]));
+- hmac_update(&ctx, ".", 1);
+- hmac_update(&ctx, blobs[1], strlen(blobs[1]));
+- hmac_final(&ctx, digest);
++ openssl_hmac_init(&ctx, key->data, key->used, method);
++ openssl_hmac_update(&ctx, blobs[0], strlen(blobs[0]));
++ openssl_hmac_update(&ctx, ".", 1);
++ openssl_hmac_update(&ctx, blobs[1], strlen(blobs[1]));
++ openssl_hmac_final(&ctx, digest);
+
+ buffer_t *their_digest =
+ t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
+diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c
+--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c 2025-11-30 09:57:55.181290025 +0100
+@@ -250,7 +250,7 @@ static void save_key_azp_to(const char *
+ static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key)
+ {
+ i_assert(key != NULL);
+- buffer_t *sig = t_hmac_buffer(&hash_method_sha256, key->data, key->used,
++ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha256, key->data, key->used,
+ tokenbuf);
+ buffer_append(tokenbuf, ".", 1);
+ base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+@@ -260,7 +260,7 @@ static void sign_jwt_token_hs256(buffer_
+ static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key)
+ {
+ i_assert(key != NULL);
+- buffer_t *sig = t_hmac_buffer(&hash_method_sha384, key->data, key->used,
++ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha384, key->data, key->used,
+ tokenbuf);
+ buffer_append(tokenbuf, ".", 1);
+ base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+@@ -270,7 +270,7 @@ static void sign_jwt_token_hs384(buffer_
+ static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key)
+ {
+ i_assert(key != NULL);
+- buffer_t *sig = t_hmac_buffer(&hash_method_sha512, key->data, key->used,
++ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha512, key->data, key->used,
+ tokenbuf);
+ buffer_append(tokenbuf, ".", 1);
+ base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c
+--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c 2025-11-30 09:57:55.181492013 +0100
+@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
+ size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
+ unsigned char dk[l * hash->digest_size];
+ unsigned char *block;
+- struct hmac_context hctx;
++ struct openssl_hmac_context hctx;
+ unsigned int c,i,t;
+ unsigned char U_c[hash->digest_size];
+
+@@ -60,17 +60,17 @@ int pkcs5_pbkdf2(const struct hash_metho
+ block = &(dk[t*hash->digest_size]);
+ /* U_1 = PRF(Password, Salt|| INT_BE32(Block_Number)) */
+ c = htonl(t+1);
+- hmac_init(&hctx, password, password_len, hash);
+- hmac_update(&hctx, salt, salt_len);
+- hmac_update(&hctx, &c, sizeof(c));
+- hmac_final(&hctx, U_c);
++ openssl_hmac_init(&hctx, password, password_len, hash);
++ openssl_hmac_update(&hctx, salt, salt_len);
++ openssl_hmac_update(&hctx, &c, sizeof(c));
++ openssl_hmac_final(&hctx, U_c);
+ /* block = U_1 ^ .. ^ U_iter */
+ memcpy(block, U_c, hash->digest_size);
+ /* U_c = PRF(Password, U_c-1) */
+ for(c = 1; c < iter; c++) {
+- hmac_init(&hctx, password, password_len, hash);
+- hmac_update(&hctx, U_c, hash->digest_size);
+- hmac_final(&hctx, U_c);
++ openssl_hmac_init(&hctx, password, password_len, hash);
++ openssl_hmac_update(&hctx, U_c, hash->digest_size);
++ openssl_hmac_final(&hctx, U_c);
+ for(i = 0; i < hash->digest_size; i++)
+ block[i] ^= U_c[i];
+ }
+diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c
+--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c 2025-11-30 10:00:28.967795725 +0100
+@@ -53,7 +53,7 @@ verify_credentials(struct sasl_server_me
+ container_of(auth_request, struct cram_auth_request,
+ auth_request);
+ unsigned char digest[MD5_RESULTLEN];
+- struct hmac_context ctx;
++ struct orig_hmac_context ctx;
+ const char *response_hex;
+
+ if (size != CRAM_MD5_CONTEXTLEN) {
+@@ -62,10 +62,10 @@ verify_credentials(struct sasl_server_me
+ return;
+ }
+
+- hmac_init(&ctx, NULL, 0, &hash_method_md5);
++ orig_hmac_init(&ctx, NULL, 0, &hash_method_md5);
+ hmac_md5_set_cram_context(&ctx, credentials);
+- hmac_update(&ctx, request->challenge, strlen(request->challenge));
+- hmac_final(&ctx, digest);
++ orig_hmac_update(&ctx, request->challenge, strlen(request->challenge));
++ orig_hmac_final(&ctx, digest);
+
+ response_hex = binary_to_hex(digest, sizeof(digest));
+
+diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c
+--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c 2025-11-30 09:57:55.181656401 +0100
+@@ -206,11 +206,11 @@ static void test_hmac_rfc(void)
+ test_begin("hmac sha256 rfc4231 vectors");
+ for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
+ const struct test_vector *vec = &(test_vectors[i]);
+- struct hmac_context ctx;
+- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+- hmac_update(&ctx, vec->data, vec->data_len);
++ struct openssl_hmac_context ctx;
++ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++ openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ unsigned char res[SHA256_RESULTLEN];
+- hmac_final(&ctx, res);
++ openssl_hmac_final(&ctx, res);
+ test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ }
+ test_end();
+@@ -221,11 +221,11 @@ static void test_hmac384_rfc(void)
+ test_begin("hmac sha384 rfc4231 vectors");
+ for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac384); i++) {
+ const struct test_vector *vec = &(test_vectors_hmac384[i]);
+- struct hmac_context ctx;
+- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+- hmac_update(&ctx, vec->data, vec->data_len);
++ struct openssl_hmac_context ctx;
++ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++ openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ unsigned char res[SHA384_RESULTLEN];
+- hmac_final(&ctx, res);
++ openssl_hmac_final(&ctx, res);
+ test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ }
+ test_end();
+@@ -236,11 +236,11 @@ static void test_hmac512_rfc(void)
+ test_begin("hmac sha512 rfc4231 vectors");
+ for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac512); i++) {
+ const struct test_vector *vec = &(test_vectors_hmac512[i]);
+- struct hmac_context ctx;
+- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+- hmac_update(&ctx, vec->data, vec->data_len);
++ struct openssl_hmac_context ctx;
++ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++ openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ unsigned char res[SHA512_RESULTLEN];
+- hmac_final(&ctx, res);
++ openssl_hmac_final(&ctx, res);
+ test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ }
+ test_end();
+@@ -253,7 +253,7 @@ static void test_hmac_buffer(void)
+
+ buffer_t *tmp;
+
+- tmp = t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
++ tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
+ vec->data, vec->data_len);
+
+ test_assert(tmp->used == vec->res_len &&
+@@ -270,7 +270,7 @@ static void test_hkdf_rfc(void)
+ buffer_set_used_size(res, 0);
+ const struct test_vector_5869 *vec = &(test_vectors_5869[i]);
+ const struct hash_method *m = hash_method_lookup(vec->prf);
+- hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
++ openssl_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
+ vec->info, vec->info_len, res, vec->okm_len);
+ test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i);
+ }
+@@ -283,7 +283,7 @@ static void test_hkdf_buffer(void)
+ test_begin("hkdf temporary buffer");
+ const struct test_vector_5869 *vec = &(test_vectors_5869[0]);
+ const struct hash_method *m = hash_method_lookup(vec->prf);
+- buffer_t *tmp = t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
++ buffer_t *tmp = openssl_t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
+ vec->ikm_len, vec->info, vec->info_len,
+ vec->okm_len);
+ test_assert(tmp->used == vec->okm_len &&
+diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am
+--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am 2025-11-30 09:58:11.669117030 +0100
+@@ -34,13 +34,13 @@ test_libs = \
+ $(DLLIB)
+
+ test_var_expand_crypt_SOURCES = test-var-expand-crypt.c
+-test_var_expand_crypt_LDADD = $(test_libs)
++test_var_expand_crypt_LDADD = $(test_libs) $(SSL_LIBS)
+ test_var_expand_crypt_DEPENDENCIES = $(module_LTLIBRARIES)
+ if HAVE_WHOLE_ARCHIVE
+ test_var_expand_crypt_LDFLAGS = -export-dynamic -Wl,$(LD_WHOLE_ARCHIVE),../lib/.libs/liblib.a,../lib-json/.libs/libjson.a,../lib-ssl-iostream/.libs/libssl_iostream.a,$(LD_NO_WHOLE_ARCHIVE)
+ endif
+
+-test_var_expand_crypt_CFLAGS = $(AM_CFLAGS) \
++test_var_expand_crypt_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) \
+ -DDCRYPT_BUILD_DIR=\"$(top_builddir)/src/lib-dcrypt\"
+
+ check-local:
+diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am
+--- dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am 2025-11-30 09:57:55.182137562 +0100
+@@ -29,6 +29,7 @@ submission_LDADD = \
+ $(urlauth_libs) \
+ $(LIBDOVECOT_STORAGE) \
+ $(LIBDOVECOT) \
++ $(SSL_LIBS) \
+ $(MODULE_LIBS)
+ submission_DEPENDENCIES = \
+ $(urlauth_libs) \
+diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c.fixbuild2 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c
+--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c.fixbuild2 2025-11-30 13:11:06.583413762 +0100
++++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c 2025-11-30 13:22:04.883307427 +0100
+@@ -81,13 +81,13 @@ mech_cram_md5_output(struct dsasl_client
+ return DSASL_CLIENT_RESULT_OK;
+ }
+
+- struct hmac_context ctx;
++ struct openssl_hmac_context ctx;
+ unsigned char digest[MD5_RESULTLEN];
+
+- hmac_init(&ctx, (const unsigned char *)client->password,
++ openssl_hmac_init(&ctx, (const unsigned char *)client->password,
+ strlen(client->password), &hash_method_md5);
+- hmac_update(&ctx, cclient->challenge, strlen(cclient->challenge));
+- hmac_final(&ctx, digest);
++ openssl_hmac_update(&ctx, cclient->challenge, strlen(cclient->challenge));
++ openssl_hmac_final(&ctx, digest);
+
+ str = str_new(client->pool, 256);
+ str_append(str, client->set.authid);
diff --git a/dovecot-2.4.2-fixbuild.patch b/dovecot-2.4.2-fixbuild.patch
new file mode 100644
index 0000000..ad5530b
--- /dev/null
+++ b/dovecot-2.4.2-fixbuild.patch
@@ -0,0 +1,135 @@
+diff -up dovecot-2.4.2/src/lib/istream.c.fixbuild dovecot-2.4.2/src/lib/istream.c
+--- dovecot-2.4.2/src/lib/istream.c.fixbuild 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2/src/lib/istream.c 2025-11-30 11:40:37.739536137 +0100
+@@ -85,7 +85,7 @@ void i_stream_add_destroy_callback(struc
+ }
+
+ void i_stream_remove_destroy_callback(struct istream *stream,
+- void (*callback)())
++ istream_callback_t *callback)
+ {
+ io_stream_remove_destroy_callback(&stream->real_stream->iostream,
+ callback);
+diff -up dovecot-2.4.2/src/lib/istream.h.fixbuild dovecot-2.4.2/src/lib/istream.h
+--- dovecot-2.4.2/src/lib/istream.h.fixbuild 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2/src/lib/istream.h 2025-11-30 11:40:37.739798710 +0100
+@@ -100,7 +100,7 @@ void i_stream_add_destroy_callback(struc
+ (istream_callback_t *)callback, context)
+ /* Remove the destroy callback. */
+ void i_stream_remove_destroy_callback(struct istream *stream,
+- void (*callback)());
++ istream_callback_t *callback);
+
+ /* Return file descriptor for stream, or -1 if none is available. */
+ int i_stream_get_fd(struct istream *stream);
+diff -up dovecot-2.4.2/src/lib/ostream.c.fixbuild dovecot-2.4.2/src/lib/ostream.c
+--- dovecot-2.4.2/src/lib/ostream.c.fixbuild 2025-11-30 11:42:21.434063550 +0100
++++ dovecot-2.4.2/src/lib/ostream.c 2025-11-30 11:42:55.814100259 +0100
+@@ -127,7 +127,7 @@ void o_stream_add_destroy_callback(struc
+ }
+
+ void o_stream_remove_destroy_callback(struct ostream *stream,
+- void (*callback)())
++ ostream_callback_t *callback)
+ {
+ io_stream_remove_destroy_callback(&stream->real_stream->iostream,
+ callback);
+diff -up dovecot-2.4.2/src/lib/ostream.h.fixbuild dovecot-2.4.2/src/lib/ostream.h
+--- dovecot-2.4.2/src/lib/ostream.h.fixbuild 2025-11-30 11:42:29.639009602 +0100
++++ dovecot-2.4.2/src/lib/ostream.h 2025-11-30 11:43:20.101652841 +0100
+@@ -127,7 +127,7 @@ void o_stream_add_destroy_callback(struc
+ (ostream_callback_t *)callback, context)
+ /* Remove the destroy callback. */
+ void o_stream_remove_destroy_callback(struct ostream *stream,
+- void (*callback)());
++ ostream_callback_t *callback);
+
+ /* Mark the stream and all of its parent streams closed. Nothing will be
+ sent after this call. When using ostreams that require writing a trailer,
+diff -up dovecot-2.4.2/src/lib-json/json-istream.c.fixbuild dovecot-2.4.2/src/lib-json/json-istream.c
+--- dovecot-2.4.2/src/lib-json/json-istream.c.fixbuild 2025-10-29 07:58:41.000000000 +0100
++++ dovecot-2.4.2/src/lib-json/json-istream.c 2025-11-30 12:52:15.970430672 +0100
+@@ -706,7 +706,7 @@ static void json_istream_drop_value_stre
+ if (stream->seekable_stream != NULL) {
+ i_stream_remove_destroy_callback(
+ stream->seekable_stream,
+- json_istream_drop_seekable_stream);
++ (istream_callback_t *)json_istream_drop_seekable_stream);
+ i_stream_unref(&stream->seekable_stream);
+ }
+ }
+@@ -720,12 +720,12 @@ static void json_istream_consumed_value_
+ if (stream->seekable_stream != NULL) {
+ i_stream_remove_destroy_callback(
+ stream->seekable_stream,
+- json_istream_drop_seekable_stream);
++ (istream_callback_t *)json_istream_drop_seekable_stream);
+ }
+ if (stream->value_stream != NULL) {
+ i_stream_remove_destroy_callback(
+ stream->value_stream,
+- json_istream_drop_value_stream);
++ (istream_callback_t *)json_istream_drop_value_stream);
+ }
+ stream->value_stream = NULL;
+ stream->seekable_stream = NULL;
+ i_stream_remove_destroy_callback(conn->incoming_payload,
+- http_client_payload_destroyed);
++ (istream_callback_t *)http_client_payload_destroyed);
+ conn->incoming_payload = NULL;
+ }
+
+diff -up dovecot-2.4.2/src/lib-http/http-server-connection.c.fixbuild dovecot-2.4.2/src/lib-http/http-server-connection.c
+--- dovecot-2.4.2/src/lib-http/http-server-connection.c.fixbuild 2025-11-30 13:02:24.337384848 +0100
++++ dovecot-2.4.2/src/lib-http/http-server-connection.c 2025-11-30 13:03:14.477064608 +0100
+@@ -1066,7 +1066,7 @@ http_server_connection_disconnect(struct
+ if (conn->incoming_payload != NULL) {
+ /* The stream is still accessed by lib-http caller. */
+ i_stream_remove_destroy_callback(conn->incoming_payload,
+- http_server_payload_destroyed);
++ (istream_callback_t *)http_server_payload_destroyed);
+ conn->incoming_payload = NULL;
+ }
+ if (conn->payload_handler != NULL)
+diff -up dovecot-2.4.2/src/lib-http/http-client-connection.c.fixbuild dovecot-2.4.2/src/lib-http/http-client-connection.c
+--- dovecot-2.4.2/src/lib-http/http-client-connection.c.fixbuild 2025-11-30 12:57:42.670247695 +0100
++++ dovecot-2.4.2/src/lib-http/http-client-connection.c 2025-11-30 13:00:54.862436490 +0100
+@@ -832,7 +832,7 @@ void http_client_connection_request_dest
+ is closed and we don't care about it anymore, so act as though it is
+ destroyed. */
+ i_stream_remove_destroy_callback(payload,
+- http_client_payload_destroyed);
++ (istream_callback_t *)http_client_payload_destroyed);
+ http_client_payload_destroyed(req);
+ }
+
+@@ -888,7 +888,7 @@ http_client_connection_return_response(s
+ if (response->payload != NULL) {
+ i_stream_remove_destroy_callback(
+ conn->incoming_payload,
+- http_client_payload_destroyed);
++ (istream_callback_t *)http_client_payload_destroyed);
+ i_stream_unref(&conn->incoming_payload);
+ connection_input_resume(&conn->conn);
+ }
+@@ -1731,7 +1731,7 @@ http_client_connection_disconnect(struct
+ if (conn->incoming_payload != NULL) {
+ /* The stream is still accessed by lib-http caller. */
+ i_stream_remove_destroy_callback(conn->incoming_payload,
+- http_client_payload_destroyed);
++ (istream_callback_t *)http_client_payload_destroyed);
+ conn->incoming_payload = NULL;
+ }
+
+diff -up dovecot-2.4.2/src/lib-storage/index/index-mail.c.fixbuild2 dovecot-2.4.2/src/lib-storage/index/index-mail.c
+--- dovecot-2.4.2/src/lib-storage/index/index-mail.c.fixbuild2 2025-11-30 13:48:46.658539149 +0100
++++ dovecot-2.4.2/src/lib-storage/index/index-mail.c 2025-11-30 13:49:47.178158024 +0100
+@@ -1840,7 +1840,7 @@ static void index_mail_close_streams_ful
+ allowed to have references until the mail is closed
+ (but we can't really check that) */
+ i_stream_remove_destroy_callback(data->stream,
+- index_mail_stream_destroy_callback);
++ (istream_callback_t *)index_mail_stream_destroy_callback);
+ }
+ i_stream_unref(&data->stream);
+ /* there must be no references to the mail when the
diff --git a/dovecot.spec b/dovecot.spec
index 51cc853..11efa4b 100644
--- a/dovecot.spec
+++ b/dovecot.spec
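Review bot: The `json-istream.c` section of this new patch file carries stray lines after its last hunk: `@@ -720,12 +720,12 @@` is already complete at `stream->seekable_stream = NULL;`, yet a fragment touching `conn->incoming_payload` and `http_client_payload_destroyed` follows it with no `diff` or `@@` header of its own. `patch` will most likely skip those lines as garbage between patches, and the same change appears in the `http-client-connection.c` section at `@@ -1731,7 +1731,7 @@`, so nothing seems to be lost, but the leftover should be deleted so the patch applies exactly what it shows. Separately, the `(istream_callback_t *)` cast is now repeated at every call site; a wrapper macro for `i_stream_remove_destroy_callback()` that mirrors the `(istream_callback_t *)callback` cast already visible in the add macro in `istream.h` would keep the function-pointer cast in one place.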
@@ -1,26 +1,28 @@ %global __provides_exclude_from %{_docdir} %global __requires_exclude_from %{_docdir} + Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.2.31 +Version: 2.4.2 %global prever %{nil} -Release: 5%{?dist} +Release: 1%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 -License: MIT and LGPLv2 -Group: System Environment/Daemons +License: MIT AND LGPL-2.1-only -URL: http://www.dovecot.org/ -Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz +URL: https://www.dovecot.org/ +Source: https://www.dovecot.org/releases/2.4/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever 0.4.19 -Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz +%global pigeonholever %{version}%{?prever} +Source8: https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd #our own Source14: dovecot.conf.5 +Source15: prestartscript +Source16: dovecot.sysusers # 3x Fedora/RHEL specific Patch1: dovecot-2.0-defaultconfig.patch 
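Review bot: `Source` and `Source8` now fetch the dovecot and pigeonhole tarballs over https, but the spec still has no step that checks either tarball against an upstream signature, so their authenticity presumably rests on whoever uploaded them to the lookaside cache. If upstream publishes detached signatures for the 2.4 releases, add the signature and the keyring as extra sources, add `BuildRequires: gnupg2`, and call `%{gpgverify} --keyring='%{SOURCE<keyring>}' --signature='%{SOURCE<sig>}' --data='%{SOURCE0}'` at the top of `%prep`, with a second call for the pigeonhole tarball. `%prep` itself is in a later hunk of this file.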
@@ -29,24 +31,51 @@ Patch3: dovecot-1.0.rc7-mkcert-paths.patch #wait for network Patch6: dovecot-2.1.10-waitonline.patch -Patch7: dovecot-2.2.13-online.patch Patch8: dovecot-2.2.20-initbysystemd.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch -Patch10: dovecot-2.2.31-notifyrevert.patch +Patch15: dovecot-2.3.11-bigkey.patch -Source15: prestartscript +# do not use own implementation of HMAC, use OpenSSL for certification purposes +# not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces +# hard to break circular dependency between lib and lib-dcrypt +Patch16: dovecot-2.4.1-opensslhmac3.patch -BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel +# FTBFS +Patch17: dovecot-2.3.15-fixvalcond.patch +Patch18: dovecot-2.3.15-valbasherr.patch + +# Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes +Patch23: dovecot-2.4.1-nolibotp.patch +Patch24: dovecot-2.4.2-fixbuild.patch + +BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: sqlite-devel -BuildRequires: postgresql-devel -BuildRequires: mysql-devel +BuildRequires: libpq-devel +BuildRequires: mariadb-connector-c-devel +BuildRequires: libxcrypt-devel BuildRequires: openldap-devel BuildRequires: krb5-devel BuildRequires: quota-devel BuildRequires: xz-devel -BuildRequires: tcp_wrappers-devel +BuildRequires: lz4-devel +BuildRequires: libzstd-devel +%if %{?rhel}0 == 0 +BuildRequires: libsodium-devel +BuildRequires: lua-devel +BuildRequires: lua-json +%endif +BuildRequires: libicu-devel +%if %{?rhel}0 == 0 +BuildRequires: libstemmer-devel +BuildRequires: xapian-core-devel +%endif +BuildRequires: multilib-rpm-config +BuildRequires: flex, bison +BuildRequires: perl-version +BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros # gettext-devel is needed for running autoconf because of the # presence of AM_ICONV 
@@ -57,33 +86,22 @@ Requires: openssl >= 0.9.7f-4 # Package includes an initscript service file, needs to require initscripts package Requires(pre): shadow-utils -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 Requires: systemd Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -%else -Requires: initscripts -Requires(post): chkconfig -Requires(preun): chkconfig initscripts -Requires(postun): initscripts -%endif - -%if %{?fedora}0 > 150 || %{?rhel}0 >60 -#clucene in fedora <=15 and rhel<=6 is too old -BuildRequires: clucene-core-devel -%endif %global ssldir %{_sysconfdir}/pki/%{name} -%if %{?fedora}00%{?rhel} < 6 -%global _initddir %{_initrddir} -BuildRequires: curl-devel expat-devel -%else BuildRequires: libcurl-devel expat-devel +BuildRequires: make + +%if 0%{?fedora} > 39 +# as per https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval +ExcludeArch: %{ix86} %endif -%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install +%global restart_flag /run/%{name}/%{name}-restart-after-rpm-install %description Dovecot is an IMAP server for Linux/UNIX-like systems, written with security @@ -95,8 +113,7 @@ The SQL drivers and authentication plug-ins are in their subpackages. %package pigeonhole Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Sieve and managesieve plug-in for dovecot -Group: System Environment/Daemons -License: MIT and LGPLv2 +License: MIT AND LGPL-2.1-only %description pigeonhole This package provides sieve and managesieve plug-in for dovecot LDA. 
@@ -104,51 +121,77 @@ This package provides sieve and managesieve plug-in for dovecot LDA. %package pgsql Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Postgres SQL back end for dovecot -Group: System Environment/Daemons %description pgsql This package provides the Postgres SQL back end for dovecot-auth etc. %package mysql Requires: %{name} = %{epoch}:%{version}-%{release} Summary: MySQL back end for dovecot -Group: System Environment/Daemons %description mysql This package provides the MySQL back end for dovecot-auth etc. %package devel Requires: %{name} = %{epoch}:%{version}-%{release} Summary: Development files for dovecot -Group: Development/Libraries %description devel This package provides the development files for dovecot. %prep %setup -q -n %{name}-%{version}%{?prever} -a 8 -%patch1 -p1 -b .default-settings -%patch2 -p1 -b .mkcert-permissions -%patch3 -p1 -b .mkcert-paths -%patch6 -p1 -b .waitonline -%patch7 -p1 -b .online -%patch8 -p1 -b .initbysystemd -%patch9 -p1 -b .systemd_w_protectsystem -%patch10 -p1 -b .notifyrevert -#pushd dovecot-2*2-pigeonhole-%{pigeonholever} -#popd -sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in +# standardize name, so we don't have to update patches and scripts +mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole + +%patch -P 1 -p2 -b .default-settings +%patch -P 2 -p1 -b .mkcert-permissions +%patch -P 3 -p1 -b .mkcert-paths +%patch -P 6 -p2 -b .waitonline +%patch -P 8 -p2 -b .initbysystemd +%patch -P 9 -p1 -b .systemd_w_protectsystem +%patch -P 15 -p1 -b .bigkey +%patch -P 16 -p2 -b .opensslhmac3 +%patch -P 17 -p2 -b .fixvalcond +%patch -P 18 -p1 -b .valbasherr +%patch -P 23 -p2 -b .nolibotp +%patch -P 24 -p1 -b .fixbuild +cp run-test-valgrind.supp dovecot-pigeonhole/ +# valgrind would fail with shell wrapper +echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude + +# drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes 
+#rm -rf src/lib-otp +echo >src/auth/mech-otp-common.c +echo >src/auth/mech-otp-common.h +echo >src/auth/mech-otp.c +echo >src/lib-auth/password-scheme-otp.c +echo >src/lib-sasl/sasl-server-mech-otp.c +echo >src/lib-sasl/dsasl-client-mech-otp.c +pushd src/lib-otp +for f in *.c *.h +do + echo >$f +done +popd %build #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 -export CFLAGS="%{__global_cflags} -fno-strict-aliasing" +export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" -# el6 autoconf too old to regen; use packaged files (#1082384) -%if %{?fedora}00%{?rhel} > 6 mkdir -p m4 -autoreconf -I . -fiv #required for aarch64 support -%endif +if [ -d /usr/share/gettext/m4 ] +then + #required for aarch64 support + # point to gettext explicitely, autoreconf cant find iconv.m4 otherwise + autoreconf -I . -I /usr/share/gettext/m4 +else + autoreconf -I . -fiv #required for aarch64 support +fi + %configure \ INSTALL_DATA="install -c -p -m644" \ + --with-rundir=%{_rundir}/%{name} \ + --with-systemd \ --docdir=%{_docdir}/%{name} \ --disable-static \ --disable-rpath \ 
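Review bot: In `%build`, the new gettext branch runs `autoreconf -I . -I /usr/share/gettext/m4` without the `-fiv` that the else branch still passes, so the two paths regenerate the build system differently. Patch16 edits several `Makefile.am` files (visible in the opensslhmac3 patch on this page), so the build depends on `Makefile.in` and `configure` really being regenerated; without `-f` that relies on file timestamps alone. Unless the omission is deliberate, make the first branch `autoreconf -fiv -I . -I /usr/share/gettext/m4`.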
@@ -162,25 +205,31 @@ autoreconf -I . -fiv #required for aarch64 support --with-mysql \ --with-sqlite \ --with-zlib \ + --with-zstd \ --with-libcap \ - --with-libwrap \ -%if %{?fedora}0 > 150 || %{?rhel}0 >60 - --with-lucene \ + --with-icu \ +%if %{?rhel}0 == 0 + --with-libstemmer \ + --with-flatcurve \ + --with-lua=plugin \ +%else + --without-libstemmer \ + --without-lua \ %endif + --without-lucene \ + --without-exttextcat \ --with-ssl=openssl \ --with-ssldir=%{ssldir} \ --with-solr \ -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 - --with-systemdsystemunitdir=%{_unitdir} \ -%endif - --with-docs + --with-docs \ + systemdsystemunitdir=%{_unitdir} -sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf +sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh # doc/example-config/conf.d/10-ssl.conf -make %{?_smp_mflags} +%make_build #pigeonhole -pushd dovecot-2*2-pigeonhole-%{pigeonholever} +pushd dovecot-pigeonhole # required for snapshot [ -f configure ] || autoreconf -fiv 
@@ -192,31 +241,28 @@ pushd dovecot-2*2-pigeonhole-%{pigeonholever} --with-dovecot=../ \ --without-unfinished-features -make %{?_smp_mflags} +%make_build popd %install rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT +%make_install -#move doc dir back to build dir so doc macro in files section can use it +# move doc dir back to build dir so doc macro in files section can use it mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall +# fix multilib issues +%multilib_fix_c_header --file %{_includedir}/dovecot/config.h -pushd dovecot-2*2-pigeonhole-%{pigeonholever} -make install DESTDIR=$RPM_BUILD_ROOT +pushd dovecot-pigeonhole +%make_install mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole popd - -%if %{?fedora}00%{?rhel} < 6 -sed -i 's|password-auth|system-auth|' %{SOURCE2} -%endif - install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot #install man pages @@ -225,6 +271,8 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5 #install waitonline script install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript +install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.conf + # generate ghost .pem files mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs mkdir -p $RPM_BUILD_ROOT%{ssldir}/private 
@@ -233,21 +281,13 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf -%else -install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot -install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot -%endif -mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login} +mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login} # Install dovecot configuration and dovecot-openssl.cnf mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d -install -p -m 644 docinstall/example-config/dovecot.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot -install -p -m 644 docinstall/example-config/conf.d/*.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d install -p -m 644 $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole/example-config/conf.d/*.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d -install -p -m 644 docinstall/example-config/conf.d/*.conf.ext $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d install -p -m 644 $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole/example-config/conf.d/*.conf.ext $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d ||: install -p -m 644 doc/dovecot-openssl.cnf $RPM_BUILD_ROOT%{ssldir}/dovecot-openssl.cnf 
@@ -266,66 +306,42 @@ popd %pre +%if 0%{?fedora} < 42 #dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid -getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot -getent passwd dovecot >/dev/null || \ -useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot - -getent group dovenull >/dev/null || groupadd -r dovenull -getent passwd dovenull >/dev/null || \ -useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull +%sysusers_create_compat %{SOURCE16} +%endif # do not let dovecot run during upgrade rhbz#134325 if [ "$1" = "2" ]; then rm -f %restart_flag -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||: /bin/systemctl stop %{name}.service >/dev/null 2>&1 -%else - /sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||: - /sbin/service %{name} stop >/dev/null 2>&1 -%endif fi %post if [ $1 -eq 1 ] then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 %systemd_post dovecot.service -%else - /sbin/chkconfig --add %{name} -%endif fi -install -d -m 0755 -g dovecot -d /var/run/dovecot -install -d -m 0755 -d /var/run/dovecot/empty -install -d -m 0750 -g dovenull -d /var/run/dovecot/login -install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login -[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot +install -d -m 0755 -g dovecot -d /run/dovecot +install -d -m 0755 -d /run/dovecot/empty +install -d -m 0750 -g dovenull -d /run/dovecot/login +install -d -m 0750 -g dovenull -d /run/dovecot/token-login +[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot ||: %preun if [ $1 = 0 ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || : -%else - /sbin/service %{name} stop > /dev/null 2>&1 - /sbin/chkconfig --del %{name} 
-%endif - rm -rf /var/run/dovecot + rm -rf /run/dovecot fi %postun -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl daemon-reload >/dev/null 2>&1 || : -%endif if [ "$1" -ge "1" -a -e %restart_flag ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl start dovecot.service >/dev/null 2>&1 || : -%else - /sbin/service %{name} start >/dev/null 2>&1 || : -%endif rm -f %restart_flag fi 
@@ -333,67 +349,36 @@ fi # dovecot should be started again in %%postun, but it's not executed on reinstall # if it was already started, restart_flag won't be here, so it's ok to test it again if [ -e %restart_flag ]; then -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 /bin/systemctl start dovecot.service >/dev/null 2>&1 || : -%else - /sbin/service %{name} start >/dev/null 2>&1 || : -%endif rm -f %restart_flag fi %check +%ifnarch aarch64 +# some aarch64 tests timeout, skip for now make check -cd dovecot-2*2-pigeonhole-%{pigeonholever} -make check +cd dovecot-pigeonhole +# FIXME: make check will fail as it requires doveconf to be already installed at /usr/bin/doveconf +make check ||: +%endif %files -%doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README +%doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT INSTALL.md NEWS README.md SECURITY.md %{_sbindir}/dovecot %{_bindir}/doveadm %{_bindir}/doveconf -%{_bindir}/dsync +%{_bindir}/dovecot-sysreport - -%if %{?fedora}0 > 140 || %{?rhel}0 > 60 %_tmpfilesdir/dovecot.conf +%{_sysusersdir}/dovecot.conf %{_unitdir}/dovecot.service %{_unitdir}/dovecot-init.service %{_unitdir}/dovecot.socket -%else -%{_initddir}/dovecot -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot -%endif %dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot/conf.d %config(noreplace) %{_sysconfdir}/dovecot/dovecot.conf -#list all so we'll be noticed if upstream changes anything -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-auth.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-director.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-logging.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-mail.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-master.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-ssl.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-lda.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-mailboxes.conf 
-%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-imap.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-lmtp.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-pop3.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-acl.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-quota.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-plugin.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-checkpassword.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-deny.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-dict.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-ldap.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-master.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-passwdfile.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-sql.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-static.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-vpopmail.conf.ext - %config(noreplace) %{_sysconfdir}/pam.d/dovecot %config(noreplace) %{ssldir}/dovecot-openssl.cnf 
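Review bot: The `%ifnarch aarch64` guard added to `%check` skips the whole test suite on aarch64, and `make check ||:` discards any pigeonhole test failure on the other architectures. This package swaps dovecot's HMAC code for OpenSSL (Patch16), and the rfc4231 and HKDF vector tests in `src/lib/test-hmac.c` are what verify that swap, so it would be better to skip only the tests that time out than to drop all of them on one architecture. If the blanket skip has to stay for now, tie it to a tracking bug in the comment, e.g. `# some aarch64 tests timeout, skip for now (rhbz#<bug id>)`.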
@@ -406,36 +391,39 @@ make check %dir %{_libdir}/dovecot %dir %{_libdir}/dovecot/auth %dir %{_libdir}/dovecot/dict -%dir %{_libdir}/dovecot/stats %{_libdir}/dovecot/doveadm %exclude %{_libdir}/dovecot/doveadm/*sieve* %{_libdir}/dovecot/*.so.* #these (*.so files) are plugins, not devel files %{_libdir}/dovecot/*_plugin.so %exclude %{_libdir}/dovecot/*_sieve_plugin.so -%{_libdir}/dovecot/auth/lib20_auth_var_expand_crypt.so %{_libdir}/dovecot/auth/libauthdb_imap.so %{_libdir}/dovecot/auth/libauthdb_ldap.so +%if %{?rhel}0 == 0 +%{_libdir}/dovecot/auth/libauthdb_lua.so +%endif %{_libdir}/dovecot/auth/libmech_gssapi.so +%{_libdir}/dovecot/auth/libmech_gss_spnego.so %{_libdir}/dovecot/auth/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdict_ldap.so -%{_libdir}/dovecot/stats/libstats_auth.so -%{_libdir}/dovecot/stats/libstats_mail.so %{_libdir}/dovecot/libdriver_sqlite.so %{_libdir}/dovecot/libssl_iostream_openssl.so %{_libdir}/dovecot/libfs_compress.so %{_libdir}/dovecot/libfs_crypt.so -%{_libdir}/dovecot/libfs_mail_crypt.so %{_libdir}/dovecot/libdcrypt_openssl.so -%{_libdir}/dovecot/lib20_var_expand_crypt.so +%{_libdir}/dovecot//var_expand_crypt.so %dir %{_libdir}/dovecot/settings %{_libexecdir}/%{name} %exclude %{_libexecdir}/%{name}/managesieve* -%ghost /var/run/dovecot +%dir %attr(0755,root,dovecot) %ghost /run/dovecot +%attr(0750,root,dovenull) %ghost /run/dovecot/login +%attr(0750,root,dovenull) %ghost /run/dovecot/token-login +%attr(0755,root,root) %ghost /run/dovecot/empty + %attr(0750,dovecot,dovecot) /var/lib/dovecot %{_datadir}/%{name} @@ -444,7 +432,6 @@ make check %{_mandir}/man1/doveadm*.1* %{_mandir}/man1/doveconf.1* %{_mandir}/man1/dovecot*.1* -%{_mandir}/man1/dsync.1* %{_mandir}/man5/dovecot.conf.5* %{_mandir}/man7/doveadm-search-query.7* 
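Review bot: The three new `%ghost` entries under `/run/dovecot` (`login`, `token-login`, `empty`) are declared without `%dir`, unlike the parent `%dir %attr(0755,root,dovecot) %ghost /run/dovecot`. If they are directories, as the names suggest, write them the same way, e.g. `%dir %attr(0750,root,dovenull) %ghost /run/dovecot/login`. Because `/run` is recreated at boot, the owner and mode recorded here are only package metadata. The effective permissions on the login directories come from the tmpfiles.d configuration and from dovecot itself, neither of which is visible in this hunk, so confirm that `root:dovenull 0750` matches what they create. Separately, `%{_libdir}/dovecot//var_expand_crypt.so` has a doubled slash, which looks like a leftover from dropping the `lib20_` prefix and would read better as `%{_libdir}/dovecot/var_expand_crypt.so`.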
@@ -492,1833 +479,218 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog -* Wed Aug 02 2017 Fedora Release Engineering - 1:2.2.31-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild +* Sun Nov 30 2025 Michal Hlavinka - 1:2.4.2-1 +- updated to 2.4.2 (#2411846) -* Wed Jul 26 2017 Fedora Release Engineering - 1:2.2.31-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild +* Wed Nov 05 2025 Michal Hlavinka - 1:2.4.1-8 +- update patch for CVE-2025-30189 -* Tue Jul 11 2017 Michal Hlavinka - 1:2.2.31-3 -- enable tcpwrap support (#1450587) +* Wed Oct 15 2025 Michal Hlavinka - 1:2.4.1-7 +- enable fts flatcurve -* Tue Jul 04 2017 Michal Hlavinka - 1:2.2.31-2 -- revert commit breaking NOTIFY support +* Thu Oct 09 2025 Michal Hlavinka - 1:2.4.1-6 +- fix CVE-2025-30189: users would end up overwriting each other in cache (rhbz#2402122) -* Tue Jun 27 2017 Michal Hlavinka - 1:2.2.31-1 -- dovecot updated to 2.2.31 -- Various fixes to handling mailbox listing. Especially related to - handling nonexistent autocreated/autosubscribed mailboxes and ACLs. -- Global ACL file was parsed as if it was local ACL file. This caused - some of the ACL rule interactions to not work exactly as intended. -- Using mail_sort_max_read_count may have caused very high CPU usage. -- Message address parsing could have crashed on invalid input. -- imapc_features=fetch-headers wasn't always working correctly and - caused the full header to be fetched. -- imapc: Various bugfixes related to connection failure handling. -- quota=count: quota_warning = -storage=.. was never executed -- quota=count: Add support for "ns" parameter -- dsync: Fix incremental syncing for mails that don't have Date or - Message-ID headers. -- imap: Fix hang when client sends pipelined SEARCH + - EXPUNGE/CLOSE/LOGOUT. -- oauth2: Token validation didn't accept empty server responses. -- imap: NOTIFY command has been almost completely broken since the - beginning. 
-- pigeonhole updated to 0.4.19 -- Fixed bug in handling of implicit keep in some cases. -- include extension: Fixed segfault that (sometimes) occurred when the - global script location was left unconfigured. +* Wed Aug 06 2025 FrantiÅ¡ek Zatloukal - 1:2.4.1-5 +- Rebuilt for icu 77.1 -* Wed Jun 07 2017 Michal Hlavinka - 1:2.2.30.2-1 -- dovecot updated to 2.2.30.2 -- auth: Multiple failed authentications within short time caused crashes -- push-notification: OX driver crashed at deinit +* Wed Jul 30 2025 Michal Hlavinka - 1:2.4.1-4 +- fix compatibility with latest openssl (#2383209) -* Thu Jun 01 2017 Michal Hlavinka - 1:2.2.30.1-1 -- dovecot updated to 2.2.30.1 -- More fixes to automatically fix corruption in dovecot.list.index -- dsync-server: Fix support for dsync_features=empty-header-workaround -- imapc: Various bugfixes, including infinite loops on some errors -- IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't - enabled modseq tracking via CONDSTORE/QRESYNC. -- fts-lucene: Fix it to work again with mbox format -- Some internal error messages may have contained garbage in v2.2.29 -- mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys - are used. Otherwise the copied mails can't be opened. +* Wed Jul 23 2025 Fedora Release Engineering - 1:2.4.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild -* Wed Apr 12 2017 Michal Hlavinka - 1:2.2.29.1-1 -- dovecot updated to 2.2.29.1 -- dict-sql: Merging multiple UPDATEs to a single statement wasn't - actually working. -- pigeonhole updated to 0.4.18 -- imapsieve plugin: Implemented the copy_source_after rule action. When this - is enabled for a mailbox rule, the specified Sieve script is executed for - the message in the source mailbox during a "COPY" event. This happens only - after the Sieve script that is executed for the corresponding message in the - destination mailbox finishes running successfully. 
-- imapsieve plugin: Added non-standard Sieve environment items for the source - and destination mailbox. -- multiscript: The execution of the discard script had an implicit "keep", - rather than an implicit "discard". +* Tue Jun 24 2025 Michal Hlavinka - 1:2.4.1-2 +- fix dovecot 2.4 gssapi regression (rhbz#2374419) -* Tue Apr 11 2017 Michal Hlavinka - 1:2.2.29-1 -- dovecot updated to 2.2.29 -- fts-tika: Fixed crash when parsing attachment without - Content-Disposition header. Broken by 2.2.28. -- trash plugin was broken in 2.2.28 -- auth: When passdb/userdb lookups were done via auth-workers, too much - data was added to auth cache. This could have resulted in wrong - replies when using multiple passdbs/userdbs. -- auth: passdb { skip & mechanisms } were ignored for the first passdb -- oauth2: Various fixes, including fixes to crashes -- dsync: Large Sieve scripts (or other large metadata) weren't always - synced. -- Index rebuild (e.g. doveadm force-resync) set all mails as \Recent -- imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix -- doveadm: Exit codes weren't preserved when proxying commands via - doveadm-server. Almost all errors used exit code 75 (tempfail). -- ACLs weren't applied to not-yet-existing autocreated mailboxes. -- Fixed a potential crash when parsing a broken message header. -- cassandra: Fallback consistency settings weren't working correctly. -- doveadm director status : "Initial config" was always empty -- imapc: Various reconnection fixes. +* Tue Jun 03 2025 Michal Hlavinka - 1:2.4.1-1 +- updated to 2.4.1 release +- note: configuration is incompatible with 2.3.x version +- trim changelog +- revert previous change, only if-guard it -* Mon Feb 27 2017 Michal Hlavinka - 1:2.2.28-1 -- dovecot updated to 2.2.28, pigeonhole to 0.4.17 -- auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them - in lib-dsasl for client side. 
-- imap: SEARCH/SORT may have assert-crashed in - client_check_command_hangs -- imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes. -- search: Using NOT n:* or NOT UID n:* wasn't handled correctly -- fts: fts_autoindex_exclude = \Special-use caused crashes -- doveadm-server: Fix leaks and other problems when process is reused - for multiple requests (service_count != 1) -- sdbox: Fix assert-crash on mailbox create race -- lda/lmtp: deliver_log_format values weren't entirely correct if Sieve - was used. especially %{storage_id} was broken. -- imapsieve plugin: Fixed assert failure occurring when used with virtual - mailboxes. -- doveadm sieve plugin: Fixed crash when setting Sieve script via attribute's - string value. +* Tue Feb 11 2025 Zbigniew JÄ™drzejewski-Szmek - 1:2.3.21.1-6 +- Drop call to %%sysusers_create_compat -* Fri Feb 10 2017 Fedora Release Engineering - 1:2.2.27-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild +* Wed Feb 05 2025 Michal Hlavinka - 1:2.3.21.1-5 +- fix sysusers config file name -* Wed Dec 14 2016 Than Ngo - 1:2.2.27-2 -- fixed bz#1403760, big endian issue +* Wed Jan 29 2025 Michal Hlavinka - 1:2.3.21.1-4 +- fix ftbfs -* Mon Dec 05 2016 Michal Hlavinka - 1:2.2.27-1 -- Fixed crash in auth process when auth-policy was configured and - authentication was aborted/failed without a username set. -- director: If two users had different tags but the same hash, - the users may have been redirected to the wrong tag's hosts. -- Index files may have been thought incorrectly lost, causing - "Missing middle file seq=.." to be logged and index rebuild. - This happened more easily with IMAP hibernation enabled. -- Various fixes to restoring state correctly in un-hibernation. -- dovecot.index files were commonly 4 bytes per email too large. This - is because 3 bytes per email were being wasted that could have been - used for IMAP keywords. -- Various fixes to handle dovecot.list.index corruption better. 
-- lib-fts: Fixed assert-crash in address tokenizer with specific input. -- Fixed assert-crash in HTML to text parsing with specific input - (e.g. for FTS indexing or snippet generation) -- doveadm sync -1: Fixed handling mailbox GUID conflicts. -- sdbox, mdbox: Perform full index rebuild if corruption is detected - inside lib-index, which runs index fsck. -- quota: Don't skip quota checks when moving mails between different - quota roots. -- search: Multiple sequence sets or UID sets in search parameters - weren't handled correctly. They were incorrectly merged together. +* Thu Jan 16 2025 Fedora Release Engineering - 1:2.3.21.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild -* Fri Dec 02 2016 Michal Hlavinka - 1:2.2.26.0-2 -- fix remote crash when auth-policy component is activated (CVE-2016-8652,#1401025) +* Wed Oct 02 2024 Michal Hlavinka - 1:2.3.21.1-2 +- pigeonhole updated to 0.5.21.1 -* Mon Oct 31 2016 Michal Hlavinka - 1:2.2.26.0-1 -- dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16 -- master process's listener socket was leaked to all child processes. - This might have allowed untrusted processes to capture and prevent - "doveadm service stop" comands from working. -- login proxy: Fixed crash when outgoing SSL connections were hanging. -- auth: userdb fields weren't passed to auth-workers, so %{userdb:*} - from previous userdbs didn't work there. -- auth: Fixed auth_bind=yes + sasl_bind=yes to work together -- lmtp: %{userdb:*} variables didn't work in mail_log_prefix -- Fixed writing >2GB to iostream-temp files (used by fs-compress, - fs-metawrap, doveadm-http) -- fts-solr: Fixed searching multiple mailboxes -- and more... +* Mon Aug 19 2024 Michal Hlavinka - 1:2.3.21.1-1 +- updated to 2.3.21.1(2304907) -* Mon Jul 04 2016 Michal Hlavinka - 1:2.2.25-1 -- dovecot updated to 2.2.25 -- doveadm backup was sometimes deleting entire mailboxes unnecessarily. -- doveadm: Command -parameters weren't being sent to doveadm-server. 
-- if dovecot.index read failed e.g. because mmap() reached VSZ limit, - an empty index could have been opened instead, corrupting the - mailbox state. -- lazy-expunge: Fixed a crash when copying failed. Various other fixes. -- fts-lucene: Fixed crash on index rescan. -- dict-ldap: Various fixes -- dict-sql: NULL values crashed. Now they're treated as "not found". +* Wed Jul 17 2024 Fedora Release Engineering - 1:2.3.21-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild +* Tue Jun 18 2024 Michal Hlavinka - 1:2.3.21-8 +- fix sieve crash when there are two missing optional scripts +- Do not use deprecated OpenSSL v3 ENGINE API +- Drop dependency on libstemmer on RHEL -* Wed Apr 27 2016 Michal Hlavinka - 1:2.2.24-1 -- dovecot updated to 2.2.24 -- Huge header lines could have caused Dovecot to use too much memory -- dsync: Detect and handle invalid/stale -s state string better. -- dsync: Fixed crash caused by specific mailbox renames -- auth: Auth cache is now disabled passwd-file. -- fts-tika: Don't crash if it returns 500 error -- dict-redis: Fixed timeout handling -- SEARCH INTHREAD was crashing -- stats: Only a single fifo_listeners was supported, making it impossible to - use both auth_stats=yes and mail stats plugin. -- SSL errors were logged in separate "Stacked error" log lines instead of as - part of the disconnection reason. -- MIME body parser didn't handle properly when a child MIME part's --boundary - had the same prefix as the parent. -- pigeonhole updated to 0.4.14 -- extprograms plugin: Fixed epoll() panic caused by closing the output - FD before the output stream. -- Made sure that the local part of a mail address is encoded properly - using quoted string syntax when it is not a dot-atom. 
+* Tue Mar 26 2024 Michal Hlavinka - 1:2.3.21-7 +- drop i686 build as per https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval -* Thu Mar 31 2016 Michal Hlavinka - 1:2.2.23-1 -- dovecot updated to 2.2.23, pigeonhole updated to 0.4.13 -- Various fixes to doveadm. Especially running commands via - doveadm-server was broken. -- director: Fixed user weakness getting stuck in some situations -- director: Fixed a situation where directors keep re-sending - different states to each others and never becoming synced. -- director: Fixed assert-crash related to a slow "user killed" reply -- Fixed assert-crash related to istream-concat, which could have - been triggered at least by a Sieve script. +* Wed Jan 31 2024 Pete Walter - 1:2.3.21-6 +- Rebuild for ICU 74 -* Wed Mar 16 2016 Michal Hlavinka - 1:2.2.22-1 -- dovecot updated to 2.2.22 -- auth: Auth caching was done too aggressively when %variables were - used in default_fields, override_fields or LDAP pass/user_attrs. - userdb result_* were also ignored when user was found from cache. -- imap: Fixed various assert-crashes caused v2.2.20+. Some of them - caught actual hangs or otherwise unwanted behavior towards IMAP - clients. -- Expunges were forgotten in some situations, for example when - pipelining multiple IMAP MOVE commands. -- quota: Per-namespaces quota were broken for dict and count backends - in v2.2.20+ -- fts-solr: Search queries were using OR instead of AND as the - separator for multi-token search queries in v2.2.20+. -- Single instance storage support wasn't really working in v2.2.16+ -- dbox: POP3 message ordering wasn't working correctly. -- virtual plugin: Fixed crashes related to backend mailbox deletions. 
+* Wed Jan 24 2024 Fedora Release Engineering - 1:2.3.21-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Mon Feb 08 2016 Michal Hlavinka - 1:2.2.21-4 -- pigeonhole updated to 0.4.12 -- multiscript: Fixed bug in handling of (implicit) keep; final keep action was - always executed as though there was a failure. -- managesieve-login: Fixed proxy to allow SASL mechanisms other than PLAIN. -- ldap storage: Prevent segfault occurring when assigning certain (global) - configuration options. +* Fri Jan 19 2024 Fedora Release Engineering - 1:2.3.21-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Wed Feb 03 2016 Fedora Release Engineering - 1:2.2.21-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild +* Tue Oct 24 2023 Michal Hlavinka - 1:2.3.21-3 +- drop lucene to reduce dependency, use solr for fts instead -* Thu Jan 28 2016 Michal Hlavinka - 1:2.2.21-2 -- pigeonhole updated to 0.4.11 -- Sieve mime extension: Fixed the header :mime :anychild test to work properly - outside a foreverypart loop. -- Fixed assert failure occurring when text extraction is attempted on a - empty or broken text part. -- Fixed assert failure in handling of body parts that are converted to text. -- Fixed header unfolding for (mime) headers parsed from any mime part. -- Fixed trimming for (mime) headers parsed from any mime part. -- Fixed erroneous changes to the message part tree structure performed when - re-parsing the message. -- LDA Sieve plugin: Fixed bug in error handling of script storage initialization -- Fixed duplication of discard actions in the script result. -- Made sure that quota errors never get logged as errors in syslog. 
+* Thu Oct 05 2023 Remi Collet - 1:2.3.21-2 +- rebuild for new libsodium -* Wed Dec 16 2015 Michal Hlavinka - 1:2.2.21-1 -- dovecot updated to 2.2.21 -- doveadm mailbox list (and some others) were broken in v2.2.20 -- director: Fixed making backend changes when running with only a - single director server. -- virtual plugin: Fixed crash when trying to open nonexistent - autocreated backend mailbox. -- pigeonhole updated to 0.4.10 -- implemented the Sieve mime and foreverypart extensions (RFC 5703). -+ sieve body extension: Properly implemented the `:text' body - transform. It now extracts text for HTML message parts. -- variables extension: Fixed handling of empty string by the `:length' - set modifier. An empty string yielded an empty string rather than "0". -- Fixed memory leak in the Sieve script byte code dumping facility. - Extension contexts were never actually freed. -- doveadm sieve plugin: Fixed crashes caused by incorrect context - allocation in the sieve command implementations. +* Mon Sep 18 2023 Michal Hlavinka - 1:2.3.21-1 +- updated to 2.3.21(2239134) -* Tue Dec 08 2015 Michal Hlavinka - 1:2.2.20-2 -- move ssl initialization from %post to dovecot-init.service +* Wed Jul 19 2023 Fedora Release Engineering - 1:2.3.20-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -* Tue Dec 08 2015 Michal Hlavinka - 1:2.2.20-1 -- dovecot updated to 2.2.20 -- director: Backend tags weren't working correctly. -- ldap: tls_* settings weren't used for ldaps URIs. -- ldap, mysql: Fixed setting connect timeout. -- auth: userdb lookups via auth-worker couldn't change username -- dsync: Fixed handling deleted directories. Make sure we don't go to - infinite mailbox renaming loop. -- imap: Fixed crash in NOTIFY when there were watched namespaces that - didn't support NOTIFY. -- imap: After SETMETADATA was used, various commands (especially FETCH) - could have started hanging when their output was large. 
-- stats: Idle sessions weren't refreshed often enough, causing stats - process to forget them and log errors about unknown sessions when - they were updated later. -- stats: Fixed "Duplicate session ID" errors when LMTP delivered to - multiple recipients and fts_autoindex=yes. -- zlib plugin: Fixed copying causing cache corruption when zlib_save - wasn't set, but the source message was compressed. -- fts-solr: Fixed escaping Solr query parameters. -- lmtp: quota_full_tempfail=yes was ignored with - lmtp_rcpt_check_quota=yes +* Tue Jul 11 2023 FrantiÅ¡ek Zatloukal - 1:2.3.20-5 +- Rebuilt for ICU 73.2 -* Mon Oct 05 2015 Michal Hlavinka - 1:2.2.19-1 -- dovecot updated to 2.2.19 -- mdbox: Rebuilding could have caused message's reference count to - overflow the 16bit number in some situations, causing problems when - trying to expunge the duplicates. -- Various search fixes (fts, solr, tika, lib-charset, indexer) -- Various virtual plugin fixes -- Various fixes and optimizations to dsync, imapc and pop3-migration -- imap: Various RFC compliancy and crash fixes to NOTIFY -- pigeonhole updated to 0.4.9 -- ManageSieve: Fixed an assert failure occurring when a client - disconnects during the GETSCRIPT command. -- doveadm sieve plugin: Fixed incorrect initialization (mem leaks) of mail user. -- sieve-filter command line tool: Fixed handling of failure-related - implicit keep when there is an explicit default destination folder. -- lib-sieve: Fixed bug in RFC5322 header folding. 
+* Wed Apr 26 2023 Michal Hlavinka - 1:2.3.20-4 +- update license tag format (SPDX migration) for https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1 -* Mon Aug 24 2015 Michal Hlavinka - 1:2.2.18-5 -- use the system crypto policy (#1109114) +* Tue Feb 14 2023 Michal Hlavinka - 1:2.3.20-3 +- drop SHA1 OTP -* Fri Jun 19 2015 Michal Hlavinka - 1:2.2.18-4 -- fix build for s390x and ppc64 (#1232650) +* Thu Jan 19 2023 Fedora Release Engineering - 1:2.3.20-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -* Wed Jun 17 2015 Fedora Release Engineering - 1:2.2.18-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild +* Mon Jan 02 2023 Michal Hlavinka - 1:2.3.20-1 +- updated to 2.3.20, pigeonhole to 0.5.20 -* Mon May 18 2015 Michal Hlavinka - 1:2.2.18-2 -- update pigeonhole to 0.4.8 -- Fixed problem in address test: erroneously decoded mime-encoded words in - address headers. -- extprograms plugin: Fixed failure occurring when connecting to script - service without the need to read back the output from the external program. -- Fixed bug in script storage path normalization occurring with relative - symbolic links below root. +* Mon Jan 02 2023 Florian Weimer - 1:2.3.19.1-8 +- Port configure script to C99 -* Fri May 15 2015 Michal Hlavinka - 1:2.2.18-1 -- director: Login UNIX sockets were normally detected as doveadm or - director ring sockets, causing it to break in existing installations. -- sdbox: When copying a mail in alt storage, place the destination to - alt storage as well. +* Sat Dec 31 2022 Pete Walter - 1:2.3.19.1-7 +- Rebuild for ICU 72 -* Thu May 14 2015 Michal Hlavinka - 1:2.2.17-1 -- dovecot updated to 2.2.17 -- pigeonhole updated to 0.4.7 -- auth: If auth_master_user_separator was set, auth process could be - crashed by trying to log in with empty master username. -- imap-login, pop3-login: Fixed crash on handshake failures with new - OpenSSL versions (v1.0.2) when SSLv3 was disabled. 
-- auth: If one passdb fails allow_nets check, it shouldn't have failed - all the other passdb checks later on. -- imap: Server METADATA couldn't be accessed -- imapc: Fixed \Muted label handling in gmail-migration. -- imapc: Various bugfixes and improvements. -- Trash plugin fixes by Alexei Gradinari -- mbox: Fixed crash/corruption in some situations +* Tue Nov 08 2022 Michal Hlavinka - 1:2.3.19.1-6 +- use Wants=network-online.target instead of preexec nm-online (#2095949) -* Tue Apr 28 2015 Michal Hlavinka - 1:2.2.16-2 -- fix CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process +* Tue Oct 11 2022 Michal Hlavinka - 1:2.3.19.1-5 +- build with lua support (#2132420) -* Mon Mar 16 2015 Michal Hlavinka - 1:2.2.16-1 -- dovecot updated to 2.2.16 -- auth: Don't crash if master user login is attempted without - any configured master=yes passdbs -- Parsing UTF-8 text for mails could have caused broken results - sometimes if buffering was split in the middle of a UTF-8 character. - This affected at least searching messages. -- String sanitization for some logged output wasn't done properly: - UTF-8 text could have been truncated wrongly or the truncation may - not have happened at all. -- fts-lucene: Lookups from virtual mailbox consisting of over 32 - physical mailboxes could have caused crashes. 
+* Mon Aug 01 2022 Frantisek Zatloukal - 1:2.3.19.1-4 +- Rebuilt for ICU 71.1 -* Thu Feb 05 2015 Michal Hlavinka - 1:2.2.15-3 -- fix mbox istream crashes (#1189198, #1186504) +* Thu Jul 21 2022 Fedora Release Engineering - 1:2.3.19.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild -* Mon Jan 05 2015 Michal Hlavinka - 1:2.2.15-2 -- fix crash related to logging BYE notifications (#1176282) -- update pigeonhole to 0.4.6 +* Tue Jul 12 2022 Michal Hlavinka - 1:2.3.19.1-2 +- fix possible privilege escalation when similar master and non-master passdbs are used -* Thu Oct 30 2014 Michal Hlavinka - 1:2.2.15-1 -- dovecot updated to 2.2.15 -- various race condition fixes to LAYOUT=index -- v2.2.14 virtual plugin crashed in some situations +* Mon Jun 20 2022 Michal Hlavinka - 1:2.3.19.1-1 +- updated to 2.3.19.1 -* Fri Oct 17 2014 Michal Hlavinka - 1:2.2.14-1 -- dovecot updated to 2.2.14, pigeonhole updated to 0.4.3 -- fixed several race conditions with dovecot.index.cache handling that - may have caused unnecessary "cache is corrupted" errors. -- auth: If auth client listed userdb and disconnected before finishing, - the auth worker process got stuck -- imap-login, pop3-login: Fixed potential crashes when client - disconnected unexpectedly. -- imap proxy: The connection was hanging in some usage patterns. 
+* Mon May 30 2022 Michal Hlavinka - 1:2.3.19-1 +- updated to 2.3.19, pigeonhole to 0.5.19 -* Thu Aug 21 2014 Michal Hlavinka - 1:2.2.13-4 -- use network-online target instead of just network (#1119814) +* Wed Feb 09 2022 Michal Hlavinka - 1:2.3.18-1 +- updated to 2.3.18, pigeonhole to 0.5.18 -* Sat Aug 16 2014 Fedora Release Engineering - 1:2.2.13-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild +* Thu Jan 20 2022 Fedora Release Engineering - 1:2.3.17.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild -* Sat Jun 07 2014 Fedora Release Engineering - 1:2.2.13-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild +* Tue Dec 07 2021 Michal Hlavinka - 1:2.3.17.1-1 +- dovecot updated to 2.3.17.1, pigeonhole to 0.5.17.1 +- dsync: Add back accidentically removed parameters. +- lib-ssl-iostream: Fix assert-crash when OpenSSL returned syscall error + without errno. +- dovecot, managesieve and sieve-tool failed to run if ssl_ca was too large. -* Mon May 12 2014 Michal Hlavinka - 1:2.2.13-1 -- dovecot updated to 2.2.13 -- fixes CVE-2014-3430: denial of service through maxxing out SSL connections -- pop3 server was still crashing in v2.2.12 -- maildir: Various fixes and improvements to handling compressed mails -- fts-lucene, fts-solr: Fixed crash on search when the index contained - duplicate entries. -- mail_attachment_dir: Attachments with the last base64-encoded line - longer than the rest wasn't handled correctly. 
-- IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+ -- acl: Global ACL file handling was broken when multiple entries - matched the mailbox name +* Tue Nov 02 2021 Michal Hlavinka - 1:2.3.17-1 +- dovecot updated to 2.3.17, pigeonhole to 0.5.17 -* Sun Mar 30 2014 John Morris - 1:2.2.12-2 -- el6 build fixes (#1082384): -- el6 autoconf too old to regen; use packaged files -- fix compile error when __global_ldflags macro undefined +* Tue Sep 28 2021 Michal Hlavinka - 1:2.3.16-4 +- reenable LTO -* Fri Feb 14 2014 Michal Hlavinka - 1:2.2.12-1 -- dovecot updated to 2.2.12 -- fixes pop3 crash +* Mon Sep 27 2021 Michal Hlavinka - 1:2.3.16-3 +- fix OpenSSLv3 issues 2005884 -* Thu Feb 13 2014 Michal Hlavinka - 1:2.2.11-1 -- dovecot updated to 2.2.11 -- imap: SEARCH/SORT PARTIAL reponses may have been too large. -- doveadm backup: Fixed assert-crash when syncing mailbox deletion. +* Tue Sep 14 2021 Sahana Prasad - 1:2.3.16-2 +- Rebuilt with OpenSSL 3.0.0 -* Thu Jan 02 2014 Michal Hlavinka - 1:2.2.10-1 -- dovecot updated to 2.2.10 -- quota-status: quota_grace was ignored -- ldap: Fixed memory leak with auth_bind=yes and without - auth_bind_userdn. -- imap: Don't send HIGHESTMODSEQ anymore on SELECT/EXAMINE when - CONDSTORE/QRESYNC has never before been enabled for the mailbox. -- imap: Fixes to handling mailboxes without permanent modseqs. - (When [NOMODSEQ] is returned by SELECT, mainly with in-memory - indexes.) -- imap: Various fixes to METADATA support. -- stats plugin: Processes that only temporarily dropped privileges - (e.g. indexer-worker) may have been logging errors about not being - able to open /proc/self/io. +* Fri Aug 20 2021 Michal Hlavinka - 1:2.3.16-1 +- dovecot updated to 2.3.16, pigeonhole to 0.5.16 +- fixes several regressions -* Mon Nov 25 2013 Michal Hlavinka - 1:2.2.9-1 -- improved cache file handling exposed several old bugs related to fetching - mail headers. 
-- iostream handling changes were causing some connections to be disconnected - before flushing their output +* Wed Jul 21 2021 Fedora Release Engineering - 1:2.3.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild -* Wed Nov 20 2013 Michal Hlavinka - 1:2.2.8-1 -- Fixed infinite loop in message parsing if message ends with - "--boundary" and CR (without LF). Messages saved via SMTP/LMTP can't - trigger this, because messages must end with an "LF.". A user could - trigger this for him/herself though. -- lmtp: Client was sometimes disconnected before all the output was - sent to it. -- replicator: Database wasn't being exported to disk every 15 minutes - as it should have. Instead it was being imported, causing "doveadm - replicator remove" commands to not work very well. +* Mon Jun 21 2021 Michal Hlavinka - 1:2.3.15-1 +- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15 +- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in + JWT tokens. This may be used to supply attacker controlled keys to + validate tokens, if attacker has local access. +- CVE-2021-33515: On-path attacker could have injected plaintext commands + before STARTTLS negotiation that would be executed after STARTTLS + finished with the client. +- Add TSLv1.3 support to min_protocols. +- Allow configuring ssl_cipher_suites. (for TLSv1.3+) -* Thu Nov 14 2013 Michal Hlavinka - 1:2.2.7-2 -- fix ostream infinite loop (#1029906) +* Wed May 19 2021 Pete Walter - 1:2.3.14-4 +- Rebuild for ICU 69 -* Mon Nov 04 2013 Michal Hlavinka - 1:2.2.7-1 -- dovecot updated to 2.2.7 -- master process was doing a hostname.domain lookup for each created - process, which may have caused a lot of unnecessary DNS lookups. -- dsync: Syncing over 100 messages at once caused problems in some - situations, causing messages to get new UIDs. -- fts-solr: Different Solr hosts for different users didn't work. 
+* Wed May 19 2021 Pete Walter - 1:2.3.14-3 +- Rebuild for ICU 69 -* Tue Oct 01 2013 Michal Hlavinka - 1:2.2.6-1 -- dovecot updated to 2.2.6, pigeonhole updated to 0.4.2 -- director: v2.2.5 changes caused "SYNC lost" errors -- dsync: Many fixes and error handling improvements -- doveadm -A: Don't waste CPU by doing a separate config lookup - for each user -- Long-running ssl-params process no longer prevents Dovecot restart -- mbox: Fixed mailbox_list_index=yes to work correctly +* Mon May 10 2021 Jeff Law - 1:2.3.14-2 +- Re-enable LTO -* Thu Aug 08 2013 Michal Hlavinka - 1:2.2.5-2 -- use unversioned doc dir (#993731) +* Mon Mar 22 2021 Michal Hlavinka - 1:2.3.14-1 +- dovecot updated to 2.3.14, pigeonhole to 0.5.14 +- use OpenSSL's implementation of HMAC +- Remove autocreate, expire, snarf and mail-filter plugins. +- Remove cydir storage driver. +- Remove XZ/LZMA write support. Read support will be removed in future release. -* Wed Aug 07 2013 Michal Hlavinka - 1:2.2.5-1 -- dovecot updated to 2.2.5 -- added some missing man pages (by Pascal Volk) -- director: Users near expiration could have been redirected to - different servers at the same time. -- pop3: Avoid assert-crash if client disconnects during LIST. -- mdbox: Corrupted index header still wasn't automatically fixed. -- dsync: Various fixes to work better with imapc and pop3c storages. -- ldap: sasl_bind=yes caused crashes, because Dovecot's lib-sasl - symbols conflicted with Cyrus SASL library. 
+* Mon Feb 08 2021 Pavel Raiskup - 1:2.3.13-7 +- rebuild for libpq ABI fix rhbz#1908268 -* Tue Jul 30 2013 Michal Hlavinka - 1:2.2.4-3 -- dovecot pigeonhole updated to 0.4.1 +* Mon Feb 01 2021 Michal Hlavinka - 1:2.3.13-6 +- use make macros -* Wed Jul 10 2013 Michal Hlavinka - 1:2.2.4-2 -- fix name conflict with cyrus-sasl (#975869) +* Tue Jan 26 2021 Fedora Release Engineering - 1:2.3.13-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -* Tue Jun 25 2013 Michal Hlavinka - 1:2.2.4-1 -- dovecot updated to 2.2.4 -- imap/pop3 proxy: Master user logins were broken in v2.2.3 -- sdbox/mdbox: A corrupted index header with wrong size was never - automatically fixed in v2.2.3. -- mbox: Fixed assert-crashes related to locking. +* Mon Jan 18 2021 Michal Hlavinka - 1:2.3.13-4 +- fix multilib issues -* Mon Jun 17 2013 Michal Hlavinka - 1:2.2.3-1 -- dovecot updated to 2.2.3 -- IMAP: If subject contained only whitespace, Dovecot returned an - ENVELOPE reply with a huge literal value, effectively causing the - IMAP client to wait for more data forever. -- IMAP: Various URLAUTH fixes. -- imapc: Various bugfixes and improvements -- pop3c: Various fixes to make it work in dsync (without imapc) -- dsync: Fixes to syncing subscriptions. Fixes to syncing mailbox - renames. +* Mon Jan 18 2021 Michal Hlavinka - 1:2.3.13-3 +- bump release and rebuild -* Tue May 21 2013 Michal Hlavinka - 1:2.2.2-2 -- fix location of tmpfiles configuration (#964448) +* Thu Jan 07 2021 Michal Hlavinka - 1:2.3.13-2 +- fix rundir location -* Mon May 20 2013 Michal Hlavinka - 1:2.2.2-1 -- dovecot updated to 2.2.2 -- IMAP: Various URLAUTH fixes. -- IMAP: Fixed a hang with invalid APPEND parameters. -- IMAP LIST-EXTENDED: INBOX was never listed with \Subscribed flag. -- mailbox_list_index=yes still caused crashes. -- maildir: Fixed a crash after dovecot-keywords file was re-read. -- maildir: If files had reappeared unexpectedly to a Maildir, they - were ignored until index files were deleted. 
-- Maildir: Fixed handling over 26 keywords in a mailbox. -- imap/pop3-login proxying: Fixed a crash if TCP connection succeeded, - but the remote login timed out. +* Wed Jan 06 2021 Michal Hlavinka - 1:2.3.13-1 +- fix release number -* Thu May 16 2013 Michal Hlavinka - 1:2.2.1-4 -- update pigeonhole to 0.4.0 - -* Mon Apr 29 2013 Michal Hlavinka - 1:2.2.1-3 -- revert last change and use different fix - -* Wed Apr 24 2013 Kalev Lember - 1:2.2.1-2 -- Filter out autogenerated perl deps (#956194) - -* Fri Apr 19 2013 Michal Hlavinka - 1:2.2.1-1 -- dovecot updated to 2.2.1 -- mailbox_list_index=yes was broken. -- LAYOUT=index didn't list subscriptions. -- auth: Multiple master passdbs didn't work. -- Message parsing (e.g. during search) crashed when multipart message - didn't actually contain any parts. -- dovecot updated to 2.2.1 - -* Mon Apr 15 2013 Michal Hlavinka - 1:2.2.0-1 -- dovecot updated to 2.2.0 -- Mailbox list indexes weren't using proper file permissions based - on the root directory. -- replicator: doveadm commands and user list export may have skipped - some users. -- Various fixes to mailbox_list_index=yes - -* Fri Apr 05 2013 Michal Hlavinka - 1:2.2-0.4 -- dovecot updated to 2.2 RC4 -- various bugfixes to LDAP changes in rc3 - -* Wed Mar 27 2013 Michal Hlavinka - 1:2.2-0.3 -- dovecot updated to 2.2 RC3 -- Fixed a crash when decoding quoted-printable content. -- dsync: Various bugfixes - -* Thu Feb 28 2013 Michal Hlavinka - 1:2.2-0.2 -- do not print error when NetworkManager is not installed (#916456) - -* Wed Feb 27 2013 Michal Hlavinka - 1:2.2-0.1 -- major update to dovecot 2.2 RC2 - -* Mon Feb 11 2013 Michal Hlavinka - 1:2.1.15-1 -- dovecot updated to 2.1.15 -- v2.1.14's dovecot.index.cache fixes caused Dovecot to use more disk I/O - and memory than was necessary. 
- -* Tue Feb 05 2013 Michal Hlavinka - 1:2.1.14-2 -- spec clean up - -* Thu Jan 31 2013 Michal Hlavinka - 1:2.1.14-1 -- dovecot updated to 2.1.14 -- v2.1.11+ had a race condition where it sometimes overwrote data in - dovecot.index.cache file. This could have caused Dovecot to return - the same cached data to two different messages. -- mdbox: Fixes to handling duplicate GUIDs during index rebuild - -* Tue Jan 15 2013 Michal Hlavinka - 1:2.1.13-1 -- dovecot updated to 2.1.13 -- Some fixes to cache file changes in v2.1.11. -- virtual storage: Sorting mailbox by from/to/cc/bcc didn't work. - -* Mon Dec 03 2012 Michal Hlavinka - 1:2.1.12-1 -- dovecot updated to 2.1.12 -- lmtp proxy: Fixed hanging if remote server was down. -- doveadm: Various fixes to handling doveadm-server connections. -- auth: passdb imap was broken in v2.1.10. - -* Thu Nov 08 2012 Michal Hlavinka - 1:2.1.10-3 -- fix network still not ready race condition (#871623) - -* Fri Nov 02 2012 Michal Hlavinka - 1:2.1.10-2 -- add reload command to service file - -* Wed Sep 19 2012 Michal Hlavinka - 1:2.1.10-1 -- dovecot updated to 2.1.10, pigeonhole updated to 0.3.3 -- director: In some conditions director may have disconnected from - another director (without logging about it), thinking it was sending - invalid data. -- imap: Various fixes to listing mailboxes. -- login processes crashed if there were a lot of local {} or remote {} - settings blocks. - -* Fri Aug 24 2012 Michal Hlavinka - 1:2.1.9-2 -- use new systemd rpm macros (#851238) - -* Thu Aug 02 2012 Michal Hlavinka - 1:2.1.9-1 -- dovecot updated to 2.1.9 -- Full text search indexing might have failed for some messages, - always causing indexer-worker process to run out of memory. -- fts-lucene: Fixed handling SEARCH HEADER FROM/TO/SUBJECT/CC/BCC when - the header wasn't lowercased. -- fts-squat: Fixed crash when searching a virtual mailbox. -- pop3: Fixed assert crash when doing UIDL on empty mailbox on some - setups. 
-- auth: GSSAPI RFC compliancy and error handling fixes. -- Various fixes related to handling shared namespaces - -* Wed Jul 18 2012 Fedora Release Engineering - 1:2.1.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Tue Jul 03 2012 Michal Hlavinka - 1:2.1.8-2 -- pigeonhole updated to 0.3.1 -- Fixed several small issues, including a few potential segfault bugs, based - on static source code analysis. - -* Tue Jul 03 2012 Michal Hlavinka - 1:2.1.8-1 -- dovecot updated to 2.1.8 -- imap: Mailbox names were accidentally sent as UTF-8 instead of mUTF-7 - in previous v2.1.x releases for STATUS, MYRIGHTS and GETQUOTAROOT commands. -- lmtp proxy: Don't timeout connections too early when mail has a lot of RCPT TOs. -- director: Don't crash if the director is working alone. -- shared mailboxes: Avoid doing "@domain" userdb lookups. -- doveadm: Fixed crash with proxying some commands. -- fts-squat: Fixed handling multiple SEARCH parameters. -- imapc: Fixed a crash when message had more than 8 keywords. -- imapc: Don't crash on APPEND/COPY if server doesn't support UIDPLUS. - - -* Mon Jul 02 2012 Michal Hlavinka - 1:2.1.7-5 -- make quota work with NFS mounted mailboxes - -* Fri Jun 22 2012 Michal Hlavinka - 1:2.1.7-4 -- posttrans argument is always zero - -* Fri Jun 15 2012 Michal Hlavinka - 1:2.1.7-3 -- do not let dovecot run during upgrade (#134325) - -* Wed May 30 2012 Michal Hlavinka - 1:2.1.7-2 -- fix changelog, 2.1.7-1 had copy-pasted upstream changelog, which was wrong -- director: Don't crash with quickly disconnecting incoming director - connections. -- mdbox: If mail was originally saved to non-INBOX, and namespace - prefix is non-empty, don't assert-crash when rebuilding indexes. -- sdbox: Don't use more fds than necessary when copying mails. -- auth: Fixed crash with DIGEST-MD5 when attempting to do master user - login without master passdbs. 
-- Several fixes to mail_shared_explicit_inbox=no -- imapc: Use imapc_list_prefix also for listing subscriptions. - -* Wed May 30 2012 Michal Hlavinka - 1:2.1.7-1 -- updated to 2.1.7 -- v2.1.5: Using "~/" as mail_location or elsewhere failed to actually - expand it to home directory. -- dbox: Fixed potential assert-crash when reading dbox files. -- trash plugin: Fixed behavior when quota is already over limit. -- mail_log plugin: Logging "copy" event didn't work. -- Proxying to backend server with SSL: Verifying server certificate - name always failed, because it was compared to an IP address. - -* Wed May 09 2012 Michal Hlavinka - 1:2.1.6-2 -- fix socket activation again, fix in 2.1.6 is incomplete - -* Wed May 09 2012 Michal Hlavinka - 1:2.1.6-1 -- v2.1.5: Using "~/" as mail_location or elsewhere failed to actually - expand it to home directory. -- dbox: Fixed potential assert-crash when reading dbox files. -- trash plugin: Fixed behavior when quota is already over limit. -- Proxying to backend server with SSL: Verifying server certificate - name always failed, because it was compared to an IP address. - -* Tue Apr 24 2012 Michal Hlavinka - 1:2.1.5-1 -- IMAP: Several fixes related to mailbox listing in some configs -- director: A lot of fixes and performance improvements -- mbox: Deleting a mailbox didn't delete its index files. -- pop3c: TOP command was sent incorrectly -- trash plugin didn't work properly -- LMTP: Don't add a duplicate Return-Path: header when proxying. -- listescape: Don't unescape namespace prefixes. - -* Tue Apr 24 2012 Michal Hlavinka - 1:2.1.4-2 -- close systemd extra sockets that are not configured - -* Tue Apr 10 2012 Michal Hlavinka - 1:2.1.4-1 -- dovecot updated to 2.1.4 -- Proxying SSL connections crashed in v2.1.[23] -- fts-solr: Indexing mail bodies was broken. 
-- director: Several changes to significantly improve error handling -- doveadm import didn't import messages' flags -- mail_full_filesystem_access=yes was broken -- Make sure IMAP clients can't create directories when accessing - nonexistent users' mailboxes via shared namespace. -- Dovecot auth clients authenticating via TCP socket could have failed - with bogus "PID already in use" errors. - -* Mon Mar 19 2012 Michal Hlavinka - 1:2.1.3-1 -- dovecot updated to 2.1.3 -- multi-dbox format in dovecot 2.1.2 was broken -- temporarily disable check phase until bug #798968 is fixed - -* Fri Mar 16 2012 Michal Hlavinka - 1:2.1.2-1 -- dovecot updated to 2.1.2 -- doveadm sync: If mailbox was expunged empty, messages may have - become back instead of also being expunged in the other side. -- imap_id_* settings were ignored before login. -- Several fixes to mailbox_list_index=yes -- Previous v2.1.x didn't log all messages at shutdown. - -* Thu Mar 01 2012 Michal Hlavinka - 1:2.1.1-2 -- enable fts_lucene plugin (#798661) - -* Fri Feb 24 2012 Michal Hlavinka - 1:2.1.1-1 -- dovecot updated to 2.1.1 -- acl plugin + autocreated mailboxes crashed when listing mailboxes -- doveadm force-resync: Don't skip autocreated mailboxes (especially - INBOX). -- If process runs out of fds, stop listening for new connections only - temporarily, not permanently (avoids hangs with process_limit=1 - services) -- auth: passdb imap crashed for non-login authentication (e.g. smtp). - - -* Mon Feb 20 2012 Michal Hlavinka - 1:2.1.0-1 -- updated to 2.1.0 (no major changes since .rc6) -- include pigeonhole doc files (NEWS, README, ...) - -* Tue Feb 14 2012 Michal Hlavinka - 1:2.1-0.7.rc6 -- updated to 2.1.rc6 -- dbox: Fixed error handling when saving failed or was aborted -- IMAP: Using COMPRESS extension may have caused assert-crashes -- IMAP: THREAD REFS sometimes returned invalid (0) nodes. -- dsync: Fixed handling non-ASCII characters in mailbox names. 
- -* Tue Feb 07 2012 Michal Hlavinka - 1:2.1-0.6.rc5 -- use PrivateTmp in systemd unit file - -* Tue Feb 07 2012 Michal Hlavinka - 1:2.1-0.5.rc5 -- updated to 2.1.rc5 -- director: With >2 directors ring syncing might have stalled during - director connect/disconnect, causing logins to fail. -- LMTP client/proxy: Fixed potential hanging when sending (big) mails -- Compressed mails with external attachments (dbox + SIS + zlib) failed - sometimes with bogus "cached message size wrong" errors. - -* Mon Jan 09 2012 Michal Hlavinka - 1:2.1-0.4.rc3 -- updated to 2.1.rc3 -- dsync was merged into doveadm -- added pop3c (= POP3 client) storage backend - -* Wed Dec 14 2011 Michal Hlavinka - 1:2.1-0.3.rc1 -- allow imap+TLS and pop3+TLS by default - -* Fri Dec 02 2011 Michal Hlavinka - 1:2.1-0.2.rc1 -- call systemd reload in postun - -* Wed Nov 30 2011 Michal Hlavinka - 1:2.1-0.1.rc1 -- updated to 2.1.rc1 -- major changes since 2.0.x: -- plugins now use UTF-8 mailbox names rather than mUTF-7 -- auth_username_format default changed to %Lu -- solr full text search backend changed to use mailbox GUIDs instead of - mailbox names, requiring reindexing everything - -* Mon Nov 21 2011 Michal Hlavinka - 1:2.0.16-1 -- dovecot updated to 2.0.16 - -* Mon Oct 24 2011 Michal Hlavinka - 1:2.0.15-2 -- do not use obsolete settings in default configuration (#743444) - -* Mon Sep 19 2011 Michal Hlavinka - 1:2.0.15-1 -- dovecot updated to 2.0.15 -- v2.0.14: Index reading could have eaten a lot of memory in some - situations -- mbox: Fixed crash during mail delivery when mailbox didn't yet have - GUID assigned to it. -- zlib+mbox: Fetching last message from compressed mailboxes crashed. 
- -* Tue Sep 13 2011 Michal Hlavinka - 1:2.0.14-2 -- do not enable insecure connections by default - -* Mon Aug 29 2011 Michal Hlavinka - 1:2.0.14-1 -- dovecot updated to 2.0.14 -- userdb extra fields can now return name+=value to append to an - existing name -- script-login attempted an unnecessary config lookup, which usually - failed with "Permission denied". -- lmtp: Fixed parsing quoted strings with spaces as local-part for - MAIL FROM and RCPT TO. -- imap: FETCH BODY[HEADER.FIELDS (..)] may have crashed or not - returned all data sometimes. -- ldap: Fixed random assert-crashing with with sasl_bind=yes. -- Fixes to handling mail chroots -- Fixed renaming mailboxes under different parent with FS layout when - using separate ALT, INDEX or CONTROL paths. -- zlib: Fixed reading concatenated .gz files. - -* Fri Jul 15 2011 Michal Hlavinka - 1:2.0.13-2 -- do not include sysv init script - -* Thu May 12 2011 Michal Hlavinka - 1:2.0.13-1 -- dovecot updated to 2.0.13 -- mdbox purge: Fixed wrong warning about corrupted extrefs. -- script-login binary wasn't actually dropping privileges to the - user/group/chroot specified by its service settings. -- Fixed potential crashes and other problems when parsing header names - that contained NUL characters. - -* Fri Apr 15 2011 Michal Hlavinka - 1:2.0.12-2 -- pigeonhole updated to 0.2.3, which includes: -- managesieve: fixed bug in UTF-8 checking of string values -- sieve command line tools now avoid initializing the mail store unless necessary -- removed header MIME-decoding to fix erroneous address parsing -- fixed segfault bug in extension configuration, triggered when unknown - extension is mentioned in sieve_extensions setting. 
- -* Wed Apr 13 2011 Michal Hlavinka - 1:2.0.12-1 -- dbox: Fixes to handling external attachments -- dsync: More fixes to avoid hanging with remote syncs -- dsync: Many other syncing/correctness fixes -- doveconf: v2.0.10 and v2.0.11 didn't output plugin {} section right - -* Mon Mar 28 2011 Michal Hlavinka - 1:2.0.11-5 -- rebuild with new patch - -* Mon Mar 28 2011 Michal Hlavinka - 1:2.0.11-4 -- fix regression in config file parsing (#690401) - -* Wed Mar 23 2011 Dan HorĂ¡k - 1:2.0.11-3 -- rebuilt for mysql 5.5.10 (soname bump in libmysqlclient) - -* Wed Mar 23 2011 Michal Hlavinka - 1:2.0.11-2 -- rebuild because of updated dependencies - -* Mon Mar 07 2011 Michal Hlavinka - 1:2.0.11-1 -- IMAP: Fixed hangs with COMPRESS extension -- IMAP: Fixed a hang when trying to COPY to a nonexistent mailbox. -- IMAP: Fixed hang/crash with SEARCHRES + pipelining $. -- IMAP: Fixed assert-crash if IDLE+DONE is sent in same TCP packet. - -* Thu Feb 17 2011 Michal Hlavinka - 1:2.0.9-3 -- add missing section to dovecot's systemd service file - -* Tue Feb 08 2011 Fedora Release Engineering - 1:2.0.9-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Thu Jan 13 2011 Michal Hlavinka - 1:2.0.9-1 -- dovecot updated to 2.0.9 -- fixed a high system CPU usage / high context switch count performance problem -- lda: Fixed a crash when trying to send "out of quota" reply - -* Mon Dec 20 2010 Michal Hlavinka - 1:2.0.8-3 -- add full path and check to restorecon in post - -* Tue Dec 07 2010 Michal Hlavinka - 1:2.0.8-2 -- fix s/foobar/dovecot/ typo in post script - -* Tue Dec 07 2010 Michal Hlavinka - 1:2.0.8-1 -- dovecot updated to 2.0.8, pigeonhole updated to 0.2.2 -- services' default vsz_limits weren't being enforced correctly -- added systemd support -- dbox: Fixes to handling external mail attachments -- imap, pop3: When service { client_count } was larger than 1, the - log messages didn't use the correct prefix -- MySQL: Only the first specified host was ever used 
- -* Mon Nov 29 2010 Michal Hlavinka - 1:2.0.7-3 -- make it work with /var/run on tmpfs (#656577) - -* Tue Nov 23 2010 Michal Hlavinka - 1:2.0.7-2 -- fix regression with valid_chroot_dirs being ignored (#654083) - -* Tue Nov 09 2010 Michal Hlavinka - 1:2.0.7-1 -- dovecot updated to 2.0.7 -- IMAP: Fixed LIST-STATUS when listing subscriptions with subscriptions=no namespaces. -- IMAP: Fixed SELECT QRESYNC not to crash on mailbox close if a lot of changes were being sent. -- quota: Don't count virtual mailboxes in quota -- doveadm expunge didn't always actually do the physical expunging -- Fixed some index reading optimizations introduced by v2.0.5. -- LMTP proxying fixes - -* Fri Oct 22 2010 Michal Hlavinka - 1:2.0.6-1 -- dovecot updated to 2.0.6 -- Pre-login CAPABILITY includes IDLE again. Mainly to make Blackberry - servers happy. -- auth: auth_cache_negative_ttl default was 0 in earlier v2.0.x, but it - was supposed to be 1 hour as in v1.x. Changed it back to 1h. -- doveadm: Added import command for importing mails from other storages. -- Reduced NFS I/O operations for index file accesses -- dbox, Maildir: When copying messages, copy also already cached fields - from dovecot.index.cache -- Maildir: LDA/LMTP assert-crashed sometimes when saving a mail. -- Fixed leaking fds when writing to dovecot.mailbox.log. -- Fixed rare dovecot.index.cache corruption -- IMAP: SEARCH YOUNGER/OLDER wasn't working correctly - -* Mon Oct 04 2010 Michal Hlavinka - 1:2.0.5-1 -- dovecot updated to 2.0.5 -- acl: Fixed the logic of merging multiple ACL entries -- sdbox: Fixed memory leak when copying messages with hard links. -- zlib: Fixed several crashes, which mainly showed up with mbox. -- quota: Don't crash if user has quota disabled, but plugin loaded. -- acl: Fixed crashing when sometimes listing shared mailboxes via dict proxy. 
- -* Tue Sep 28 2010 Michal Hlavinka - 1:2.0.4-1 -- dovecot updated to 2.0.4 -- multi-dbox: If :INDEX=path is specified, keep storage/dovecot.map.index* - files also in the index path rather than in the main storage directory. -- dsync: POP3 UIDLs weren't copied with Maildir -- dict file: Fixed fd leak (showed up easily with LMTP + quota) - -* Mon Sep 20 2010 Michal Hlavinka - 1:2.0.3-1 -- dovecot updated to 2.0.3 -- dovecot-lda: Removed use of non-standard Envelope-To: header as - a default for -a -- dsync: Fixed handling \Noselect mailboxes -- Fixed an infinite loop introduced by v2.0.2's message parser changes. -- Fixed a crash introduced by v2.0.2's istream-crlf changes. - -* Thu Sep 16 2010 Michal Hlavinka - 1:2.0.2-1 -- dovecot updated -- vpopmail support is disabled for now, since it's broken. You can use - it via checkpassword support or its sql/ldap database directly. -- maildir: Fixed "duplicate uidlist entry" errors that happened at - least with LMTP when mail was delivered to multiple recipients -- Deleting ACLs didn't cause entries to be removed from acl_shared_dict -- mail_max_lock_timeout setting wasn't working with all locks - -* Wed Aug 25 2010 Michal Hlavinka - 1:2.0.1-1 -- dovecot and pigeonhole updated -- sieve: sieved renamed to sieve-dump -- when dsync is started as root, remote dsync command is now also executed - as root instead of with dropped privileges. -- IMAP: QRESYNC parameters for SELECT weren't handled correctly. 
-- UTF-8 string validity checking wasn't done correctly -- dsync: Fixed a random assert-crash with remote dsyncing - -* Tue Aug 17 2010 Michal Hlavinka - 1:2.0-1 -- dovecot and pigeonhole updated -- dict quota didn't always decrease quota when messages were expunged -- Shared INBOX wasn't always listed with FS layout - -* Wed Aug 11 2010 Michal Hlavinka - 1:2.0-0.21.rc5 -- dovecot and pigeonhole updated -- Using more than 2 plugins could have caused broken behavior -- Listescape plugin fixes -- mbox: Fixed a couple of assert-crashes -- mdbox: Fixed potential assert-crash when saving multiple messages - in one transaction - -* Thu Aug 05 2010 Michal Hlavinka - 1:2.0-0.20.rc4 -- dovecot and pigeonhole updated -- doveadm mailbox status: Fixed listing non-ASCII mailbox names. -- doveadm fetch: Fixed output when fetching message header or body -- doveadm director map/add/remove: Fixed handling IP address as parameter. -- dsync: A few more fixes - -* Wed Jul 21 2010 Michal Hlavinka - 1:2.0-0.19.rc3 -- dovecot and pigeonhole updated -- fixed lda + sieve crash -- added mail_temp_dir setting, used by deliver and lmtp for creating - temporary mail files. Default is /tmp. -- imap: Fixed checking if list=children namespace has children. -- mdbox: Race condition fixes related to copying and purging - -* Fri Jul 16 2010 Michal Hlavinka - 1:2.0-0.18.rc2.20100716 -- dovecot and pigeonhole updated -- enabled pigeonhole's build time test suite -- acl: Fixed crashon FS layout with non-default hierarchy separator -- dbox renamed to sdbox -- dsync fixes and improvements - -* Mon Jul 12 2010 Michal Hlavinka - 1:2.0-0.17.rc2.20100712 -- dovecot and pigeonhole updated -- fixed a crash with empty mail_plugins -- fixed sharing INBOX to other users -- director+LMTP proxy wasn't working correctly -- v1.x config parser failed with some settings if pigeonhole wasn't installed. -- virtual: If non-matching messages weren't expunged within same session, - they never got expunged. 
- -* Wed Jul 07 2010 Michal Hlavinka - 1:2.0-0.16.rc1.20100707 -- updated dovecot and pigeonhole -- a lot of dsync fixes -- improved (m)dbox recovery - -* Mon Jun 28 2010 Michal Hlavinka - 1:2.0-0.15.beta6.20100626 -- updated dovecot, pigeonhole and man pages -- moved disable_plaintext_auth to 10-auth.conf -- mdbox: Fixed assert-crash on storage rebuild if file got lost -- lib-charset: Don't assert-crash when iconv() skips lots of invalid input -- master: Fixed crash on deinit (maybe also on reload) - -* Thu Jun 10 2010 Michal Hlavinka - 1:2.0-0.14.beta5.20100610 -- dovecot updated -- lib-storage: Fixed accessing uncommitted saved mails with dsync -- example-config: Moved ACL and quota settings to a separate .conf files -- dbox, mdbox: Fixed race conditions when creating mailboxes - -* Mon May 31 2010 Michal Hlavinka - 1:2.0-0.13.beta5.20100529 -- dovecot and pigeonhole updated -- enable solr fulltext search -- master: Fixed crash on config reload -- lib-storage: Don't assert-crash when copying a mail fails - -* Tue May 18 2010 Michal Hlavinka - 1:2.0-0.12.beta5.20100515 -- dovenull is unauthorized user, needs own dovenull group - -* Tue May 18 2010 Michal Hlavinka - 1:2.0-0.11.beta5.20100515 -- fix typo in dovenull username - -* Mon May 17 2010 Michal Hlavinka - 1:2.0-0.9.beta5.20100515 -- pigeonhole and dovecot updated to snapshot 20100515 -- fix crash for THREAD command - -* Wed May 05 2010 Michal Hlavinka - 1:2.0-0.8.beta4.20100505 -- pigeonhole and dovecot updated to snapshot 20100505 -- mdbox: Avoid rebuilding storage if another process already did it -- lib-storage: Fixed () sublists in IMAP SEARCH parser -- example-config: auth-checkpassword include wasn't listed in 10-auth.conf -- doveadm: Added search command -- lib-master: Don't crash after timeouting an auth-master request -- master: If inet listener uses DNS name, which returns multiple IPs, - listen in all of them - -* Wed Apr 28 2010 Michal Hlavinka - 1:2.0-0.7.beta4.20100427 -- updated to snapshot 
20100427 -- doveconf now prints only the one setting's value -- mdbox: Automatically delete old temp.* files from storage/ directory -- mdbox: use flock locking by default - -* Wed Apr 21 2010 Michal Hlavinka - 1:2.0-0.6.beta4.20100421 -- updated to snapshot 20100421 -- mdbox: Purge crashed if it purged all messages from a file -- lib-storage: Shared namespace's prefix_len wasn't updated after prefix was truncated -- imap-quota: Iterate quota roots only once when replying to GETQUOTAROOT -- idle: Do cork/uncork when sending "OK Still here" notification -- login: If proxy returns ssl=yes and no port, switch port to imaps/pop3s - -* Wed Apr 14 2010 Michal Hlavinka - 1:2.0-0.5.beta4.20100414 -- add make check -- updated to snapshot 20100414 -- config: Added nn- prefix to *.conf files so the sort ordering makes more sense -- lib-master: Log an error if login client disconnects too early -- mdbox: If purging found corrupted files, it didn't auto-rebuild storage -- lib-storage: Added support for searching save date -- and more... -- pigeonhole updated: -- Mailbox extension: fixed memory leak in the mailboxexists test -- added login failure handler - -* Tue Apr 06 2010 Michal Hlavinka - 1:2.0-0.4.beta4.20100406 -- updated to snapshot 20100406 -- auth: If userdb lookup fails internally, don't cache the result. -- Added support for userdb lookup to fail with a reason -- sdbox: mailbox_update() could have changed UIDVALIDITY incorrectly -- layout=maildir++: Fixed deleting mailboxes with mailbox=file storages -- Fixed potential problems with parsing invalid address groups. -- dsync: Don't repeatedly try to keep opening the same failing mailbox -- lib-storage: Don't crash if root mail directory isn't given. 
- -* Tue Mar 30 2010 Michal Hlavinka - 1:2.0-0.3.beta4.20100330 -- fix certs location in ssl.conf - -* Mon Mar 29 2010 Michal Hlavinka - 1:2.0-0.2.beta4.aefa279e2c70 -- update to snapshot aefa279e2c70 from 2010-03-27 -- fixes complains about missing tcpwrap (#577426) - -* Thu Mar 25 2010 Michal Hlavinka - 1:2.0-0.1.beta4 -- dovecot updated to 2.0 beta 4 - -* Fri Mar 12 2010 Michal Hlavinka - 1:1.2.11-2 -- fix missing bzip2 support in zlib plugin (#572797) - -* Tue Mar 09 2010 Michal Hlavinka - 1:1.2.11-1 -- updated to 1.2.11 -- mbox: Message header reading was unnecessarily slow. Fetching a - huge header could have resulted in Dovecot eating a lot of CPU. - Also searching messages was much slower than necessary. -- maildir: Reading uidlist could have ended up in an infinite loop. -- IMAP IDLE: v1.2.7+ caused extra load by checking changes every - 0.5 seconds after a change had occurred in mailbox - -* Tue Feb 23 2010 Michal Hlavinka - 1:1.2.10-4 -- move libs to correct package - -* Fri Feb 19 2010 Michal Hlavinka - 1:1.2.10-3 -- merged dovecot-sieve and dovecot-managesieve into dovecot-pigeonhole -- merged dovecot-sqlite, dovecot-gssapi and dovecot-ldap into dovecot - -* Mon Jan 25 2010 Michal Hlavinka - 1:1.2.10-2 -- updated sive and managesieve -- Added preliminary support for Sieve plugins and added support for - installing Sieve development headers -- Variables extension: added support for variable namespaces. -- Added configurable script size limit. Compiler will refuse to - compile files larger than sieve_max_script_size. -- Fixed a bug in the i;ascii-numeric comparator. If one of the - strings started with a non-digit character, the comparator would - always yield less-than. -- Imap4flags extension: fixed bug in removeflag: removing a single - flag failed due to off-by-one error (bug report by Julian Cowley). -- Fixed parser recovery. 
In particular cases it would trigger spurious - errors after an initial valid error and sometimes additional errors - were inappropriately ignored. -- Implemented ManageSieve QUOTA enforcement. -- Added MAXREDIRECTS capability after login. -- Implemented new script name rules specified in most recent - ManageSieve draft. -- Fixed assertion failure occuring with challenge-response SASL - mechanisms. - -* Mon Jan 25 2010 Michal Hlavinka - 1:1.2.10-1 -- updated to 1.2.10 -- %%variables now support %%{host}, %%{pid} and %%{env:ENVIRONMENT_NAME} - everywhere. -- LIST-STATUS capability is now advertised -- maildir: Fixed several assert-crashes. -- imap: LIST "" inbox shouldn't crash when using namespace with - "INBOX." prefix. -- lazy_expunge now ignores non-private namespaces. - -* Tue Dec 22 2009 Michal Hlavinka - 1:1.2.9-2 -- sieve updated to 0.1.14 -- managesieve updated to 0.11.10 - -* Fri Dec 18 2009 Michal Hlavinka - 1:1.2.9-1 -- updated to 1.2.9 -- maildir: When saving, filenames now always contain ,S=. - Previously this was done only when quota plugin was loaded. It's - required for zlib plugin and may be useful for other things too. -- maildir: v1.2.7 and v1.2.8 caused assert-crashes in - maildir_uidlist_records_drop_expunges() -- maildir_copy_preserve_filename=yes could have caused crashes. -- Maildir++ quota: % limits weren't updated when limits were read - from maildirsize. -- virtual: v1.2.8 didn't fully fix the "lots of mailboxes" bug -- virtual: Fixed updating virtual mailbox based on flag changes. -- fts-squat: Fixed searching multi-byte characters. 
- -* Wed Nov 25 2009 Michal Hlavinka - 1:1.2.8-4 -- spec cleanup - -* Tue Nov 24 2009 Michal Hlavinka - 1:1.2.8-3 -- fix dovecot's restart after update (#518753) - -* Tue Nov 24 2009 Michal Hlavinka - 1:1.2.8-2 -- fix initdddir typo (for rhel rebuilds) - -* Fri Nov 20 2009 Michal Hlavinka - 1:1.2.8-1 -- update to dovecot 1.2.8 - -* Mon Nov 16 2009 Michal Hlavinka - 1:1.2.7-2 -- use originall managesieve to dovecot diff -- EPEL-ize spec for rhel5 rebuilds (#537666) - -* Fri Nov 13 2009 Michal Hlavinka - 1:1.2.7-1 -- updated to dovecot 1.2.7 -- add man pages -- IMAP: IDLE now sends "Still here" notifications to same user's - connections at the same time. This hopefully reduces power usage - of some mobile clients that use multiple IDLEing connections. -- IMAP: If imap_capability is set, show it in the login banner. -- IMAP: Implemented SORT=DISPLAY extension. -- Login process creation could have sometimes failed with epoll_ctl() - errors or without epoll probably some other strange things could - have happened. -- Maildir: Fixed some performance issues -- Maildir: Fixed crash when using a lot of keywords. -- Several fixes to QRESYNC extension and modseq handling -- mbox: Make sure failed saves get rolled back with NFS. -- dbox: Several fixes. - -* Mon Nov 02 2009 Michal Hlavinka - 1:1.2.6-5 -- spec cleanup - -* Wed Oct 21 2009 Michal Hlavinka - 1:1.2.6-4 -- imap-login: If imap_capability is set, show it in the banner - instead of the default (#524485) - -* Mon Oct 19 2009 Michal Hlavinka - 1:1.2.6-3 -- sieve updated to 0.1.13 which brings these changes: -- Body extension: implemented proper handling of the :raw transform - and added various new tests to the test suite. However, :content - "multipart" and :content "message/rfc822" are still not working. -- Fixed race condition occuring when multiple instances are saving the - same binary (patch by Timo Sirainen). -- Body extension: don't give SKIP_BODY_BLOCK flag to message parser, - we want the body! 
-- Fixed bugs in multiscript support; subsequent keep actions were not - always merged correctly and implicit side effects were not always - handled correctly. -- Fixed a segfault bug in the sieve-test tool occuring when compile - fails. -- Fixed segfault bug in action procesing. It was triggered while - merging side effects in duplicate actions. -- Fixed bug in the Sieve plugin that caused it to try to stat() a NULL - path, yielding a 'Bad address' error. - -* Fri Oct 09 2009 Michal Hlavinka - 1:1.2.6-2 -- fix init script for case when no action was specified - -* Tue Oct 06 2009 Michal Hlavinka - 1:1.2.6-1 -- dovecot updated to 1.2.6 -- Added authtest utility for doing passdb and userdb lookups. -- login: ssl_security string now also shows the used compression. -- quota: Don't crash with non-Maildir++ quota backend. -- imap proxy: Fixed crashing with some specific password characters. -- fixed broken dovecot --exec-mail. -- Avoid assert-crashing when two processes try to create index at the - same time. - -* Tue Sep 29 2009 Michal Hlavinka - 1:1.2.5-2 -- build with libcap enabled - -* Thu Sep 17 2009 Michal Hlavinka - 1:1.2.5-1 -- updated to dovecot 1.2.5 -- Authentication: DIGEST-MD5 and RPA mechanisms no longer require - user's login realm to be listed in auth_realms. It only made - configuration more difficult without really providing extra security. -- zlib plugin: Don't allow clients to save compressed data directly. - This prevents users from exploiting (most of the) potential security - holes in zlib/bzlib. -- fix index file handling that could have caused an assert-crash -- IMAP: Fixes to QRESYNC extension. -- deliver: Don't send rejects to any messages that have Auto-Submitted - header. This avoids emails loops. 
- -* Wed Sep 16 2009 Tomas Mraz - 1:1.2.4-3 -- use password-auth common PAM configuration instead of system-auth - -* Fri Aug 21 2009 Tomas Mraz - 1:1.2.4-2 -- rebuilt with new openssl - -* Fri Aug 21 2009 Michal Hlavinka - 1:1.2.4-1 -- updated: dovecot 1.2.4, managesieve 0.11.9, sieve 0.1.12 -- fixed a crash in index file handling -- fixed a crash in saving messages where message contained a CR - character that wasn't followed by LF -- fixed a crash when listing shared namespace prefix -- sieve: implemented the new date extension. This allows matching - against date values in header fields and the current date at - the time of script evaluation -- managesieve: reintroduced ability to abort SASL with "*" response - -* Mon Aug 10 2009 Michal Hlavinka - 1:1.2.3-1 -- updated: dovecot 1.2.3, managesieve 0.11.8, sieve 0.1.11 -- Mailbox names with control characters can't be created anymore. - Existing mailboxes can still be accessed though. -- Allow namespace prefix to be opened as mailbox, if a mailbox - already exists in the root dir. -- Maildir: dovecot-uidlist was being recreated every time a mailbox - was accessed, even if nothing changed. -- listescape plugin was somewhat broken -- ldap: Fixed hang when >128 requests were sent at once. -- fts_squat: Fixed crashing when searching virtual mailbox. -- imap: Fixed THREAD .. INTHREAD crashing. - -* Tue Jul 28 2009 Michal Hlavinka - 1:1.2.2-1.20090728snap -- updated to post 1.2.2 snapshot (including post release GSSAPI fix) -- Fixed "corrupted index cache file" errors -- IMAP: FETCH X-* parameters weren't working. 
-- Maildir++ quota: Quota was sometimes updated wrong -- Dovecot master process could hang if it received signals too rapidly - -* Fri Jul 24 2009 Fedora Release Engineering - 1:1.2.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Thu Jul 23 2009 Michal Hlavinka - 1:1.2.1-2 -- updated sieve plugin to 0.1.9 - -* Mon Jul 13 2009 Michal Hlavinka - 1:1.2.1-1 -- updated to 1.2.1 -- GSSAPI authentication is fixed (#506782) -- logins now fail if home directory path is relative, because it was - not working correctly and never was expected to work -- sieve and managesieve update - -* Mon Apr 20 2009 Michal Hlavinka - 1:1.2-0.rc3.1 -- updated to 1.2.rc3 - -* Mon Apr 06 2009 Michal Hlavinka - 1:1.2-0.rc2.1 -- updated to 1.2.rc2 - -* Mon Mar 30 2009 Michal Hlavinka - 1:1.2-0.beta4.2 -- fix typo and rebuild - -* Mon Mar 30 2009 Michal Hlavinka - 1:1.2-0.beta4.1 -- spec clean-up -- updated to 1.2.beta4 - -* Tue Feb 24 2009 Fedora Release Engineering - 1:1.1.11-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Wed Feb 11 2009 Michal Hlavinka - 1:1.1.11-1 -- updated to 1.1.11 -- IMAP: PERMANENTFLAGS list didn't contain \*, causing some clients - not to save keywords. -- auth: Using "username" or "domain" passdb fields caused problems - with cache and blocking passdbs in v1.1.8 .. v1.1.10. -- userdb prefetch + blocking passdbs was broken with non-plaintext - auth in v1.1.8 .. v1.1.10. - -* Tue Jan 27 2009 Michal Hlavinka - 1:1.1.10-1 -- updated to 1.1.10 - -* Sat Jan 24 2009 Dan Horak - 1:1.1.8-3 -- rebuild with new mysql - -* Tue Jan 13 2009 Michal Hlavinka - 1:1.1.8-2 -- added managesieve support (thanks Helmut K. C. 
Tessarek) - -* Thu Jan 8 2009 Michal Hlavinka - 1:1.1.8-1 -- dovecot updated to 1.1.8 -- sieve-plugin updated to 1.1.6 - -* Tue Dec 2 2008 Michal Hlavinka - 1:1.1.7-2 -- revert changes from 1:1.1.6-2 and 1:1.1.6-1 -- password can be stored in different file readable only for root - via !include_try directive - -* Tue Dec 2 2008 Michal Hlavinka - 1:1.1.7-1 -- update to upstream version 1.1.7 - -* Mon Nov 3 2008 Michal Hlavinka - 1:1.1.6-2 -- changed comment in sysconfig to match actual state - -* Mon Nov 3 2008 Michal Hlavinka - 1:1.1.6-1 -- update to upstream version 1.1.6 -- change permissions of deliver and dovecot.conf to prevent possible password exposure - -* Wed Oct 29 2008 Michal Hlavinka - 1:1.1.5-1 -- update to upstream version 1.1.5 (Resolves: CVE-2008-4577, CVE-2008-4578) - -* Tue Sep 2 2008 Dan Horak - 1:1.1.3-1 -- update to upstream version 1.1.3 - -* Tue Jul 29 2008 Dan Horak - 1:1.1.2-2 -- really ask for the password during start-up - -* Tue Jul 29 2008 Dan Horak - 1:1.1.2-1 -- update to upstream version 1.1.2 -- final solution for #445200 (add /etc/sysconfig/dovecot for start-up options) - -* Fri Jun 27 2008 Dan Horak - 1:1.1.1-2 -- update default settings to listen on both IPv4 and IPv6 instead of IPv6 only - -* Sun Jun 22 2008 Dan Horak - 1:1.1.1-1 -- update to upstream version 1.1.1 - -* Sat Jun 21 2008 Dan Horak - 1:1.1.0-1 -- update to upstream version 1.1.0 -- update sieve plugin to 1.1.5 -- remove unnecessary patches -- enable ldap and gssapi plugins -- change ownership of dovecot.conf (Resolves: #452088) - -* Wed Jun 18 2008 Dan Horak - 1:1.0.14-4 -- update init script (Resolves: #451838) - -* Fri Jun 6 2008 Dan Horak - 1:1.0.14-3 -- build devel subpackage (Resolves: #306881) - -* Thu Jun 5 2008 Dan Horak - 1:1.0.14-2 -- install convert-tool (Resolves: #450010) - -* Tue Jun 3 2008 Dan Horak - 1:1.0.14-1 -- update to upstream version 1.0.14 -- remove setcred patch (use of setcred must be explictly enabled in config) - -* Thu May 29 2008 Dan 
Horak - 1:1.0.13-8 -- update scriptlets to follow UsersAndGroups guideline -- remove support for upgrading from version < 1.0 from scriptlets -- Resolves: #448095 - -* Tue May 20 2008 Dan Horak - 1:1.0.13-7 -- spec file cleanup -- update sieve plugin to 1.0.3 -- Resolves: #445200, #238018 - -* Sun Mar 09 2008 Tomas Janousek - 1:1.0.13-6 -- update to latest upstream stable (1.0.13) - -* Wed Feb 20 2008 Fedora Release Engineering - 1:1.0.10-5 -- Autorebuild for GCC 4.3 - -* Mon Jan 07 2008 Tomas Janousek - 1:1.0.10-4 -- update to latest upstream stable (1.0.10) - -* Wed Dec 05 2007 Jesse Keating - 1:1.0.7-3 -- Bump for deps - -* Mon Nov 05 2007 Tomas Janousek - 1:1.0.7-2 -- update to latest upstream stable (1.0.7) -- added the winbind patch (#286351) - -* Tue Sep 25 2007 Tomas Janousek - 1:1.0.5-1 -- downgraded to lastest upstream stable (1.0.5) - -* Wed Aug 22 2007 Tomas Janousek - 1.1-16.1.alpha3 -- updated license tags - -* Mon Aug 13 2007 Tomas Janousek - 1.1-16.alpha3 -- updated to latest upstream alpha -- update dovecot-sieve to 0367450c9382 from hg - -* Fri Aug 10 2007 Tomas Janousek - 1.1-15.alpha2 -- updated to latest upstream alpha -- split ldap and gssapi plugins to subpackages - -* Wed Jul 25 2007 Tomas Janousek - 1.1-14.6.hg.a744ae38a9e1 -- update to a744ae38a9e1 from hg -- update dovecot-sieve to 131e25f6862b from hg and enable it again - -* Thu Jul 19 2007 Tomas Janousek - 1.1-14.5.alpha1 -- update to latest upstream alpha -- don't build dovecot-sieve, it's only for 1.0 - -* Sun Jul 15 2007 Tomas Janousek - 1.0.2-13.5 -- update to latest upstream - -* Mon Jun 18 2007 Tomas Janousek - 1.0.1-12.5 -- update to latest upstream - -* Fri Jun 08 2007 Tomas Janousek - 1.0.0-11.7 -- specfile merge from 145241 branch - - new sql split patch - - support for not building all sql modules - - split sql libraries to separate packages - -* Sat Apr 14 2007 Tomas Janousek - 1.0.0-11.1 -- dovecot-1.0.beta2-pam-tty.patch is no longer needed - -* Fri Apr 13 2007 Tomas 
Janousek - 1.0.0-11 -- update to latest upstream - -* Tue Apr 10 2007 Tomas Janousek - 1.0-10.rc31 -- update to latest upstream - -* Fri Apr 06 2007 Tomas Janousek - 1.0-9.rc30 -- update to latest upstream - -* Fri Mar 30 2007 Tomas Janousek - 1.0-8.1.rc28 -- spec file cleanup (fixes docs path) - -* Fri Mar 23 2007 Tomas Janousek - 1.0-8.rc28 -- update to latest upstream - -* Mon Mar 19 2007 Tomas Janousek - 1.0-7.rc27 -- use dovecot-sieve's version for the package - -* Mon Mar 19 2007 Tomas Janousek - 1.0-6.rc27 -- update to latest upstream -- added dovecot-sieve - -* Fri Mar 02 2007 Tomas Janousek - 1.0-5.rc25 -- update to latest upstream - -* Sun Feb 25 2007 Jef Spaleta - 1.0-4.rc22 -- Merge review changes - -* Thu Feb 08 2007 Tomas Janousek - 1.0-3.rc22 -- update to latest upstream, fixes a few bugs - -* Mon Jan 08 2007 Tomas Janousek - 1.0-2.rc17 -- update to latest upstream, fixes a few bugs - -* Thu Dec 21 2006 Tomas Janousek - 1.0-1.1.rc15 -- reenabled GSSAPI (#220377) - -* Tue Dec 05 2006 Tomas Janousek - 1.0-1.rc15 -- update to latest upstream, fixes a few bugs, plus a security - vulnerability (#216508, CVE-2006-5973) - -* Tue Oct 10 2006 Petr Rockai - 1.0-0.3.rc7 -- fix few inconsistencies in specfile, fixes #198940 - -* Wed Oct 04 2006 Petr Rockai - 1.0-0.2.rc7 -- fix default paths in the example mkcert.sh to match configuration - defaults (fixes #183151) - -* Sun Oct 01 2006 Jesse Keating - 1.0-0.1.rc7 -- rebuilt for unwind info generation, broken in gcc-4.1.1-21 - -* Fri Sep 22 2006 Petr Rockai - 1.0-0.rc7 -- update to latest upstream release candidate, should fix occasional - hangs and mbox issues... INBOX. 
namespace is still broken though -- do not run over symlinked certificates in new locations on upgrade - -* Tue Aug 15 2006 Petr Rockai - 1.0-0.rc2.2 -- include /var/lib/dovecot in the package, prevents startup failure - on new installs - -* Mon Jul 17 2006 Petr Rockai - 1.0-0.rc2.1 -- reenable inotify and see what happens - -* Thu Jul 13 2006 Petr Rockai - 1.0-0.rc2 -- update to latest upstream release candidate -- disable inotify for now, doesn't build -- this needs fixing though - -* Wed Jul 12 2006 Jesse Keating - 1.0-0.beta8.2.1 -- rebuild - -* Thu Jun 08 2006 Petr Rockai - 1.0-0.beta8.2 -- put back pop3_uidl_format default that got lost - in the beta2->beta7 upgrade (would cause pop3 to not work - at all in many situations) - -* Thu May 04 2006 Petr Rockai - 1.0-0.beta8.1 -- upgrade to latest upstream beta release (beta8) -- contains a security fix in mbox handling - -* Thu May 04 2006 Petr Rockai - 1.0-0.beta7.1 -- upgrade to latest upstream beta release -- fixed BR 173048 - -* Fri Mar 17 2006 Petr Rockai - 1.0-0.beta2.8 -- fix sqlite detection in upstream configure checks, second part - of #182240 - -* Wed Mar 8 2006 Bill Nottingham - 1.0-0.beta2.7 -- fix scriplet noise some more - -* Mon Mar 6 2006 Jeremy Katz - 1.0-0.beta2.6 -- fix scriptlet error (mitr, #184151) - -* Mon Feb 27 2006 Petr Rockai - 1.0-0.beta2.5 -- fix #182240 by looking in lib64 for libs first and then lib -- fix comment #1 in #182240 by copying over the example config files - to documentation directory - -* Fri Feb 10 2006 Jesse Keating - 1.0-0.beta2.4.1 -- bump again for double-long bug on ppc(64) - -* Thu Feb 09 2006 Petr Rockai - 1.0-0.beta2.4 -- enable inotify as it should work now (#179431) - -* Tue Feb 07 2006 Jesse Keating - 1.0-0.beta2.3.1 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Thu Feb 02 2006 Petr Rockai - 1.0-0.beta2.3 -- change the compiled-in defaults and adjust the default's configfile - commented-out example settings to match compiled-in defaults, - 
instead of changing the defaults only in the configfile, as per #179432 -- fix #179574 by providing a default uidl_format for pop3 -- half-fix #179620 by having plaintext auth enabled by default... this - needs more thinking (which one we really want) and documentation - either way - -* Tue Jan 31 2006 Petr Rockai - 1.0-0.beta2.2 -- update URL in description -- call dovecot --build-ssl-parameters in postinst as per #179430 - -* Mon Jan 30 2006 Petr Rockai - 1.0-0.beta2.1 -- fix spec to work with BUILD_DIR != SOURCE_DIR -- forward-port and split pam-nocred patch - -* Mon Jan 23 2006 Petr Rockai - 1.0-0.beta2 -- new upstream version, hopefully fixes #173928, #163550 -- fix #168866, use install -p to install documentation - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Sat Nov 12 2005 Tom Lane - 0.99.14-10.fc5 -- Rebuild due to mysql update. - -* Wed Nov 9 2005 Tomas Mraz - 0.99.14-9.fc5 -- rebuilt with new openssl - -* Fri Sep 30 2005 Tomas Mraz - 0.99.14-8.fc5 -- use include instead of pam_stack in pam config - -* Wed Jul 27 2005 John Dennis - 0.99.14-7.fc5 -- fix bug #150888, log authenication failures with ip address - -* Fri Jul 22 2005 John Dennis - 0.99.14-6.fc5 -- fix bug #149673, add dummy PAM_TTY - -* Thu Apr 28 2005 John Dennis - 0.99.14-5.fc4 -- fix bug #156159 insecure location of restart flag file - -* Fri Apr 22 2005 John Dennis - 0.99.14-4.fc4 -- openssl moved its certs, CA, etc. from /usr/share/ssl to /etc/pki - -* Tue Apr 12 2005 Tom Lane 0.99.14-3.fc4 -- Rebuild for Postgres 8.0.2 (new libpq major version). - -* Mon Mar 7 2005 John Dennis 0.99.14-2.fc4 -- bump rev for gcc4 build - -* Mon Feb 14 2005 John Dennis - 0.99.14-1.fc4 -- fix bug #147874, update to 0.99.14 release - v0.99.14 2005-02-11 Timo Sirainen - - Message address fields are now parsed differently, fixing some - issues with spaces. Affects only clients which use FETCH ENVELOPE - command. 
- - Message MIME parser was somewhat broken with missing MIME boundaries - - mbox: Don't allow X-UID headers in mails to override the UIDs we - would otherwise set. Too large values can break some clients and - cause other trouble. - - passwd-file userdb wasn't working - - PAM crashed with 64bit systems - - non-SSL inetd startup wasn't working - - If UID FETCH notices and skips an expunged message, don't return - a NO reply. It's not needed and only makes clients give error - messages. - -* Wed Feb 2 2005 John Dennis - 0.99.13-4.devel -- fix bug #146198, clean up temp kerberos tickets - -* Mon Jan 17 2005 John Dennis 0.99.13-3.devel -- fix bug #145214, force mbox_locks to fcntl only -- fix bug #145241, remove prereq on postgres and mysql, allow rpm auto - dependency generator to pick up client lib dependency if needed. - -* Thu Jan 13 2005 John Dennis 0.99.13-2.devel -- make postgres & mysql conditional build -- remove execute bit on migration example scripts so rpm does not pull - in additional dependences on perl and perl modules that are not present - in dovecot proper. 
-- add REDHAT-FAQ.txt to doc directory - -* Thu Jan 6 2005 John Dennis 0.99.13-1.devel -- bring up to date with latest upstream, 0.99.13, bug #143707 - also fix bug #14462, bad dovecot-uid macro name - -* Thu Jan 6 2005 John Dennis 0.99.11-10.devel -- fix bug #133618, removed LITERAL+ capability from capability string - -* Wed Jan 5 2005 John Dennis 0.99.11-9.devel -- fix bug #134325, stop dovecot during installation - -* Wed Jan 5 2005 John Dennis 0.99.11-8.devel -- fix bug #129539, dovecot starts too early, - set chkconfig to 65 35 to match cyrus-imapd -- also delete some old commented out code from SSL certificate creation - -* Thu Dec 23 2004 John Dennis 0.99.11-7.devel -- add UW to Dovecot migration documentation and scripts, bug #139954 - fix SSL documentation and scripts, add missing documentation, bug #139276 - -* Mon Nov 15 2004 Warren Togami 0.99.11-2.FC4.1 -- rebuild against MySQL4 - -* Thu Oct 21 2004 John Dennis -- fix bug #136623 - Change License field from GPL to LGPL to reflect actual license - -* Thu Sep 30 2004 John Dennis 0.99.11-1.FC3.3 -- fix bug #124786, listen to ipv6 as well as ipv4 - -* Wed Sep 8 2004 John Dennis 0.99.11-1.FC3.1 -- bring up to latest upstream, - comments from Timo Sirainen on release v0.99.11 2004-09-04 - + 127.* and ::1 IP addresses are treated as secured with - disable_plaintext_auth = yes - + auth_debug setting for extra authentication debugging - + Some documentation and error message updates - + Create PID file in /var/run/dovecot/master.pid - + home setting is now optional in static userdb - + Added mail setting to static userdb - - After APPENDing to selected mailbox Dovecot didn't always notice the - new mail immediately which broke some clients - - THREAD and SORT commands crashed with some mails - - If APPENDed mail ended with CR character, Dovecot aborted the saving - - Output streams sometimes sent data duplicated and lost part of it. 
- This could have caused various strange problems, but looks like in - practise it rarely caused real problems. - -* Wed Aug 4 2004 John Dennis -- change release field separator from comma to dot, bump build number - -* Mon Aug 2 2004 John Dennis 0.99.10.9-1,FC3,1 -- bring up to date with latest upstream, fixes include: -- LDAP support compiles now with Solaris LDAP library -- IMAP BODY and BODYSTRUCTURE replies were wrong for MIME parts which - didn't contain Content-Type header. -- MySQL and PostgreSQL auth didn't reconnect if connection was lost - to SQL server -- Linking fixes for dovecot-auth with some systems -- Last fix for disconnecting client when downloading mail longer than - 30 seconds actually made it never disconnect client. Now it works - properly: disconnect when client hasn't read _any_ data for 30 - seconds. -- MySQL compiling got broken in last release -- More PostgreSQL reconnection fixing - - -* Mon Jul 26 2004 John Dennis 0.99.10.7-1,FC3,1 -- enable postgres and mySQL in build -- fix configure to look for mysql in alternate locations -- nuke configure script in tar file, recreate from configure.in using autoconf - -- bring up to latest upstream, which included: -- Added outlook-pop3-no-nuls workaround to fix Outlook hang in mails with NULs. -- Config file lines can now contain quoted strings ("value ") -- If client didn't finish downloading a single mail in 30 seconds, - Dovecot closed the connection. This was supposed to work so that - if client hasn't read data at all in 30 seconds, it's disconnected. 
-- Maildir: LIST now doesn't skip symlinks - - -* Wed Jun 30 2004 John Dennis -- bump rev for build -- change rev for FC3 build - -* Fri Jun 25 2004 John Dennis - 0.99.10.6-1 -- bring up to date with upstream, - recent change log comments from Timo Sirainen were: - SHA1 password support using OpenSSL crypto library - mail_extra_groups setting - maildir_stat_dirs setting - Added NAMESPACE capability and command - Autocreate missing maildirs (instead of crashing) - Fixed occational crash in maildir synchronization - Fixed occational assertion crash in ioloop.c - Fixed FreeBSD compiling issue - Fixed issues with 64bit Solaris binary - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Thu May 27 2004 David Woodhouse 0.99.10.5-1 -- Update to 0.99.10.5 to fix maildir segfaults (#123022) - -* Fri May 07 2004 Warren Togami 0.99.10.4-4 -- default auth config that is actually usable -- Timo Sirainen (author) suggested functionality fixes - maildir, imap-fetch-body-section, customflags-fix - -* Mon Feb 23 2004 Tim Waugh -- Use ':' instead of '.' as separator for chown. 
- -* Tue Feb 17 2004 Jeremy Katz - 0.99.10.4-3 -- restart properly if it dies (#115594) - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Mon Nov 24 2003 Jeremy Katz 0.99.10.4-1 -- update to 0.99.10.4 - -* Mon Oct 6 2003 Jeremy Katz 0.99.10-7 -- another patch from upstream to fix returning invalid data on partial - BODY[part] fetches -- patch to avoid confusion of draft/deleted in indexes - -* Tue Sep 23 2003 Jeremy Katz 0.99.10-6 -- add some patches from upstream (#104288) - -* Thu Sep 4 2003 Jeremy Katz 0.99.10-5 -- fix startup with 2.6 with patch from upstream (#103801) - -* Tue Sep 2 2003 Jeremy Katz 0.99.10-4 -- fix assert in search code (#103383) - -* Tue Jul 22 2003 Nalin Dahyabhai 0.99.10-3 -- rebuild - -* Thu Jul 17 2003 Bill Nottingham 0.99.10-2 -- don't run by default - -* Thu Jun 26 2003 Jeremy Katz 0.99.10-1 -- 0.99.10 - -* Mon Jun 23 2003 Jeremy Katz 0.99.10-0.2 -- 0.99.10-rc2 (includes ssl detection fix) -- a few tweaks from fedora - - noreplace the config file - - configure --with-ldap to get LDAP enabled - -* Mon Jun 23 2003 Jeremy Katz 0.99.10-0.1 -- 0.99.10-rc1 -- add fix for ssl detection -- add zlib-devel to BuildRequires -- change pam service name to dovecot -- include pam config - -* Thu May 8 2003 Jeremy Katz 0.99.9.1-1 -- update to 0.99.9.1 -- add patch from upstream to fix potential bug when fetching with - CR+LF linefeeds -- tweak some things in the initscript and config file noticed by the - fedora folks - -* Sun Mar 16 2003 Jeremy Katz 0.99.8.1-2 -- fix ssl dir -- own /var/run/dovecot/login with the correct perms -- fix chmod/chown in post - -* Fri Mar 14 2003 Jeremy Katz 0.99.8.1-1 -- update to 0.99.8.1 - -* Tue Mar 11 2003 Jeremy Katz 0.99.8-2 -- add a patch to fix quoting problem from CVS - -* Mon Mar 10 2003 Jeremy Katz 0.99.8-1 -- 0.99.8 -- add some buildrequires -- fixup to build with openssl 0.9.7 -- now includes a pop3 daemon (off by default) -- clean up description and %%preun -- add dovecot user (uid/gid of 97) -- add some 
buildrequires
-- move the ssl cert to %%{_datadir}/ssl/certs
-- create a dummy ssl cert in %%post
-- own /var/run/dovecot
-- make the config file a source so we get default mbox locks of fcntl
-
-* Sun Dec 1 2002 Seth Vidal
-- 0.99.4 and fix startup so it starts imap-master not vsftpd :)
-
-* Tue Nov 26 2002 Seth Vidal
-- first build
+* Mon Jan 04 2021 Michal Hlavinka - 1:2.3.13-0
+- dovecot updated to 2.3.13, pigeonhole to 0.5.13
+- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
+ allow logged in user to access other people's emails and filesystem
+ information.
+- Metric filter and global event filter variable syntax changed to a
+ SQL-like format.
+- auth: Added new aliases for %%{variables}. Usage of the old ones is
+ possible, but discouraged.
+- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
+ mechanism and related password schemes.
+- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
+- auth: Removed postfix postmap socket
diff --git a/dovecot.sysusers b/dovecot.sysusers
new file mode 100644
index 0000000..c286ee4
--- /dev/null
+++ b/dovecot.sysusers
@@ -0,0 +1,9 @@
+#Type Name ID GECOS Home directory Shell
+g dovecot 97
+u dovecot 97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
+m dovecot dovecot
+
+g dovenull -
+u dovenull - "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
+m dovenull dovenull
+
diff --git a/dovecot.tmpfilesd b/dovecot.tmpfilesd
index 7178498..d96639a 100644
--- a/dovecot.tmpfilesd
+++ b/dovecot.tmpfilesd
@@ -1,2 +1,2 @@
-d /var/run/dovecot 0755 root dovecot -
+d /run/dovecot 0755 root dovecot -
diff --git a/plans/main.fmf b/plans/main.fmf
new file mode 100644
index 0000000..ae0c305
--- /dev/null
+++ b/plans/main.fmf
@@ -0,0 +1,6 @@
+summary: Run all tests
+execute:
+ how: tmt
+discover:
+ how: fmf
+
diff --git a/rpminspect.yaml b/rpminspect.yaml
new file mode 100644
index 0000000..15a5d00
--- /dev/null
+++ b/rpminspect.yaml
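Review bot: In dovecot.sysusers the `m dovecot dovecot` and `m dovenull dovenull` lines look redundant, because each `u` line already creates the account with the same-named group as its primary group, and the file says nothing about why two accounts exist. Going by its GECOS text, dovenull is the account for not-yet-authenticated sessions, so the property worth recording is that it stays in a private group of its own. I would drop the two `m` lines and add above the second block a comment such as `# dovenull: pre-login processes only; must not be a member of any other group`. The fixed ID 97 on the dovecot lines could likewise carry a short comment saying it is the historically assigned uid/gid.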
@@ -0,0 +1,7 @@
+---
+runpath:
+ allowed_paths:
+ # dovecot only plugins
+ - /usr/lib/dovecot/old-stats
+ - /usr/lib64/dovecot/old-stats
+
diff --git a/sources b/sources
index ebcda8b..54fc50d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.2.31.tar.gz) = 071797e260a75de9117b03c0fa9d903de82b1f1c039c2aece2d7313587e6673c49174bfce17b80fe3f3725fcbc42ed3a1bd1f1c22efef5bc016752277eff3266
-SHA512 (dovecot-2.2-pigeonhole-0.4.19.tar.gz) = c1211a3c65b25995770309c427ec5cd888ddb962f2f64884640163b492a11ffa8937aac1eb66d25e48f0e00131da1cc98c1cb307781576780de47b8816333ff1
+SHA512 (dovecot-2.4.2.tar.gz) = 0524695341abe711d3a811c56156889d6fef7a09becc684c6f1dc1e5add605969ca8794eb7d44bfbc49f70515f22e8640b5828443addecfe4798fb8b174670ae
+SHA512 (dovecot-pigeonhole-2.4.2.tar.gz) = 82c46c7ac2792aa5c211c8b66309f9f21c05ecd2fa8ab3abf98fb4e05831fd37aaa3edffcfbe1b3defbb9ac8ef9df1c33ece83cf7524e8b226c4deab8c250134
diff --git a/tests/got-audit/got-audit.gdb b/tests/got-audit/got-audit.gdb
new file mode 100644
index 0000000..6661297
--- /dev/null
+++ b/tests/got-audit/got-audit.gdb
@@ -0,0 +1,2 @@
+gef config gef.disable_color True
+got-audit --all
diff --git a/tests/got-audit/main.fmf b/tests/got-audit/main.fmf
new file mode 100644
index 0000000..a90b249
--- /dev/null
+++ b/tests/got-audit/main.fmf
@@ -0,0 +1,10 @@
+summary: Audit the GOT for signs of tampering
+description: |
+ Pointers in the server process GOT will be checked to ensure that
+ each function pointer's value is within a shared object file
+ that exports a symbol of that name, and that no shared object
+ files export conflicting symbols.
+contact: Gordon Messmer
+require+:
+ - gdb-gef # needed to test got-audit
+
diff --git a/tests/got-audit/runtest.sh b/tests/got-audit/runtest.sh
new file mode 100755
index 0000000..0c98471
--- /dev/null
+++ b/tests/got-audit/runtest.sh
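Review bot: The comment above the two `allowed_paths` entries in rpminspect.yaml, `# dovecot only plugins`, does not record why a RUNPATH pointing at these directories is acceptable, which is what the next reviewer of this exception will need. Something like `# RUNPATH exception: directory is installed by this package and holds only dovecot's own plugins` would state it, assuming that is the reason. It is also worth confirming that the 2.4.2 build named in `sources` still installs an `old-stats` directory, since an exception for a path the package no longer ships only widens what the inspection lets through.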
@@ -0,0 +1,41 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/dovecot/Sanity/got-audit
+# Description: Check pointers in the server process GOT for signs of tampering
+# Author: Gordon Messmer
+#
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlServiceStart dovecot
+ rlRun "TestDir=\$(pwd)"
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "auditfile=\$(mktemp --tmpdir=${TmpDir})"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Run GEF got-audit"
+ rlRun "SERVICE_PID=\$( systemctl show --property=MainPID dovecot.service | cut -f2 -d= )"
+ rlRun "echo SERVICE_PID is '$SERVICE_PID'"
+ [ -n "$SERVICE_PID" ] || rlFail "No service pid was found"
+ rlRun "gdb-gef --pid '$SERVICE_PID' --command='$TestDir'/got-audit.gdb --batch > '$auditfile'"
+ # Basic test: ensure that at least one symbol is found in libc.so,
+ # to verify that the report looks plausible.
+ rlAssertGrep " : /.*/libc.so" "$auditfile"
+ # Ensure the got-audit did not report any errors
+ rlAssertNotGrep " :: ERROR" "$auditfile"
+ rlRun "cp '$auditfile' '$TMT_TEST_DATA'/got-audit.txt"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlServiceRestore dovecot
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/main.fmf b/tests/main.fmf
new file mode 100644
index 0000000..f225a72
--- /dev/null
+++ b/tests/main.fmf
@@ -0,0 +1,2 @@
+test: ./runtest.sh
+framework: beakerlib
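Review bot: The PID check in the `Run GEF got-audit` phase of tests/got-audit/runtest.sh, `[ -n "$SERVICE_PID" ] || rlFail ...`, accepts the value `0`, which is what `systemctl show --property=MainPID` prints when the unit has no running main process, so a service that failed to start surfaces as a gdb attach error instead of a clear "no pid" failure. Testing the number instead, `[ "${SERVICE_PID:-0}" -gt 0 ] || rlFail "No service pid was found"`, makes that case explicit. `rlFail` only records the failure, so the `gdb-gef` line still runs afterwards with the bad PID; skipping the audit in that branch would keep the journal readable. The final `cp` also uses `'$TMT_TEST_DATA'` without checking that tmt set it, so outside tmt the report would be written to `/got-audit.txt`.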