8 changed files with 729 additions and 496 deletions
--- a/dovecot-2.0-defaultconfig.patch
+++ b/dovecot-2.0-defaultconfig.patch
@ -1,9 +1,9 @@
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in
--- dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in	2025-11-30 09:24:17.130246956 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in	2025-10-15 12:05:14.570388273 +0200
@@ -16,24 +16,19 @@ dovecot_storage_version = @DOVECOT_CONFI
 # The configuration below is a minimal configuration file using system user authentication.
- # See https://@DOVECOT_ASSET_URL@/latest/core/config/quick.html
+ # See https://@DOVECOT_ASSET_URL@/configuration_manual/quick_configuration/
 
 -!include_try conf.d/*.conf
 -
@ -48,9 +48,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings
 }
 +
 +!include_try conf.d/*.conf
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf
--- dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings	2025-10-29 08:00:30.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf	2025-11-30 09:18:17.667869864 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings	2025-03-28 12:33:46.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf	2025-10-15 12:00:16.233557725 +0200
@@ -21,7 +21,6 @@
 # file or directory. Refer to Pigeonhole wiki or INSTALL file for more
 # information.
@ -76,9 +76,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config
   # the source line numbers.
   #sieve_trace_addresses = no 
 -}
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf
--- dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings	2025-10-29 08:00:30.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf	2025-11-30 09:18:17.668131795 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings	2025-03-28 12:33:46.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf	2025-10-15 12:00:16.234048364 +0200
@@ -6,7 +6,6 @@
 # sieve_extensions or sieve_global_extensions settings. Restricting these
 # extensions to a global context using sieve_global_extensions is recommended.
--- a/dovecot-2.4.1-cve-2025-30189.patch
+++ b/dovecot-2.4.1-cve-2025-30189.patch
@ -0,0 +1,463 @@
+From a70ce7d3e2f983979e971414c5892c4e30197231 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Fri, 25 Jul 2025 08:16:52 +0300
+Subject: [PATCH 1/7] auth: Use AUTH_CACHE_KEY_USER instead of per-database
+ constants
+
+Fixes cache key issue where users would end up overwriting
+each other in cache due to cache key being essentially static
+string because we no longer support %u.
+
+Forgotten in 2e298e7ee98b6df61cf85117f000290d60a473b8
+---
+ src/auth/auth-settings.h  | 2 ++
+ src/auth/passdb-bsdauth.c | 4 +---
+ src/auth/passdb-oauth2.c  | 2 +-
+ src/auth/passdb-pam.c     | 3 ++-
+ src/auth/passdb-passwd.c  | 3 +--
+ src/auth/userdb-passwd.c  | 3 +--
+ 6 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/src/auth/auth-settings.h b/src/auth/auth-settings.h
+index 1d420eceaaf..90aba17ec38 100644
+--- a/src/auth/auth-settings.h
+++ b/src/auth/auth-settings.h
+@@ -1,6 +1,8 @@
+ #ifndef AUTH_SETTINGS_H
+ #define AUTH_SETTINGS_H
+ 
+#define AUTH_CACHE_KEY_USER "%{user}"
+
+ struct master_service;
+ struct master_service_settings_output;
+ 
+diff --git a/src/auth/passdb-bsdauth.c b/src/auth/passdb-bsdauth.c
+index 68292679b7f..1b86da4053c 100644
+--- a/src/auth/passdb-bsdauth.c
+++ b/src/auth/passdb-bsdauth.c
+@@ -14,8 +14,6 @@
+ #include <login_cap.h>
+ #include <bsd_auth.h>
+ 
+-#define BSDAUTH_CACHE_KEY "%u"
+-
+ struct passdb_bsdauth_settings {
+ 	pool_t pool;
+ };
+@@ -104,7 +102,7 @@ bsdauth_preinit(pool_t pool, struct event *event,
+ 			 &post_set, error_r) < 0)
+ 		return -1;
+ 	module->default_cache_key = auth_cache_parse_key_and_fields(
+-		pool, BSDAUTH_CACHE_KEY, &post_set->fields, "bsdauth");
+		pool, AUTH_CACHE_KEY_USER, &post_set->fields, "bsdauth");
+ 
+ 	settings_free(post_set);
+ 	*module_r = module;
+diff --git a/src/auth/passdb-oauth2.c b/src/auth/passdb-oauth2.c
+index 96d902d323d..91fed060183 100644
+--- a/src/auth/passdb-oauth2.c
+++ b/src/auth/passdb-oauth2.c
+@@ -53,7 +53,7 @@ oauth2_preinit(pool_t pool, struct event *event, struct passdb_module **module_r
+ 	if (db_oauth2_init(event, TRUE, &module->db, error_r) < 0)
+ 		return -1;
+ 	module->module.default_pass_scheme = "PLAIN";
+-	module->module.default_cache_key = "%u";
+	module->module.default_cache_key = AUTH_CACHE_KEY_USER;
+ 	*module_r = &module->module;
+ 	return 0;
+ }
+diff --git a/src/auth/passdb-pam.c b/src/auth/passdb-pam.c
+index 2acbceb80a3..fdf0f573ef4 100644
+--- a/src/auth/passdb-pam.c
+++ b/src/auth/passdb-pam.c
+@@ -415,7 +415,8 @@ static int pam_preinit(pool_t pool, struct event *event,
+ 	module = p_new(pool, struct pam_passdb_module, 1);
+ 	module->module.default_cache_key =
+ 		auth_cache_parse_key_and_fields(pool,
+-						t_strdup_printf("%%u/%s", set->service_name),
+						t_strdup_printf("%"AUTH_CACHE_KEY_USER"\t%s",
+								set->service_name),
+ 						&post_set->fields, "pam");
+ 	module->requests_left = set->max_requests;
+ 	module->pam_setcred = set->setcred;
+diff --git a/src/auth/passdb-passwd.c b/src/auth/passdb-passwd.c
+index 13003151f9c..22e2eae7fa3 100644
+--- a/src/auth/passdb-passwd.c
+++ b/src/auth/passdb-passwd.c
+@@ -10,7 +10,6 @@
+ #include "safe-memset.h"
+ #include "ipwd.h"
+ 
+-#define PASSWD_CACHE_KEY "%u"
+ #define PASSWD_PASS_SCHEME "CRYPT"
+ 
+ #undef DEF
+@@ -142,7 +141,7 @@ static int passwd_preinit(pool_t pool, struct event *event,
+ 			 &post_set, error_r) < 0)
+ 		return -1;
+ 	module->default_cache_key = auth_cache_parse_key_and_fields(pool,
+-								    PASSWD_CACHE_KEY,
+								    AUTH_CACHE_KEY_USER,
+ 								    &post_set->fields,
+ 								    "passwd");
+ 	settings_free(post_set);
+diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c
+index 5241129a0cc..14cf90a6d65 100644
+--- a/src/auth/userdb-passwd.c
+++ b/src/auth/userdb-passwd.c
+@@ -9,7 +9,6 @@
+ #include "ipwd.h"
+ #include "time-util.h"
+ 
+-#define USER_CACHE_KEY "%u"
+ #define PASSWD_SLOW_WARN_MSECS (10*1000)
+ #define PASSWD_SLOW_MASTER_WARN_MSECS 50
+ #define PASSDB_SLOW_MASTER_WARN_COUNT_INTERVAL 100
+@@ -225,7 +224,7 @@ static int passwd_preinit(pool_t pool, struct event *event ATTR_UNUSED,
+ 	struct passwd_userdb_module *module =
+ 		p_new(pool, struct passwd_userdb_module, 1);
+ 
+-	module->module.default_cache_key = USER_CACHE_KEY;
+	module->module.default_cache_key = AUTH_CACHE_KEY_USER;
+ 	*module_r = &module->module;
+ 	return 0;
+ }
+
+From c45ce2c073c9439a9d6366016cb4d41059d737f0 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Wed, 30 Jul 2025 09:42:20 +0300
+Subject: [PATCH 2/7] auth: auth-cache - Refactor
+ auth_cache_parse_key_and_fields()
+
+Call auth_cache_parse_key_exclude() at the function end,
+simplifies next commit.
+---
+ src/auth/auth-cache.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c
+index 360ad8b3f62..3ccd45ff4b9 100644
+--- a/src/auth/auth-cache.c
+++ b/src/auth/auth-cache.c
+@@ -129,20 +129,18 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query,
+ 				      const ARRAY_TYPE(const_string) *fields,
+ 				      const char *exclude_driver)
+ {
+-	if (array_is_empty(fields))
+-		return auth_cache_parse_key_exclude(pool, query, exclude_driver);
+-
+-	string_t *full_query = t_str_new(128);
+-	str_append(full_query, query);
+-
+-	unsigned int i, count;
+-	const char *const *str = array_get(fields, &count);
+-	for (i = 0; i < count; i += 2) {
+-		str_append_c(full_query, '\t');
+-		str_append(full_query, str[i + 1]);
+	if (!array_is_empty(fields)) {
+		unsigned int i, count;
+		const char *const *str = array_get(fields, &count);
+		string_t *full_query = t_str_new(128);
+		str_append(full_query, query);
+		for (i = 0; i < count; i += 2) {
+			str_append_c(full_query, '\t');
+			str_append(full_query, str[i + 1]);
+		}
+		query = str_c(full_query);
+ 	}
+-	return auth_cache_parse_key_exclude(pool, str_c(full_query),
+-					    exclude_driver);
+	return auth_cache_parse_key_exclude(pool, query, exclude_driver);
+ }
+ 
+ static void
+
+From 759ee1af848480987d012de2f7135160156724b6 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Fri, 25 Jul 2025 11:48:43 +0300
+Subject: [PATCH 3/7] auth: auth-cache - Deduplicate auth_cache_parse_key() to
+ use auth_cache_parse_key_and_fields()
+
+Simplifies following commit
+---
+ src/auth/auth-cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c
+index 3ccd45ff4b9..ad8cbe50784 100644
+--- a/src/auth/auth-cache.c
+++ b/src/auth/auth-cache.c
+@@ -122,14 +122,14 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query,
+ 
+ char *auth_cache_parse_key(pool_t pool, const char *query)
+ {
+-	return auth_cache_parse_key_exclude(pool, query, NULL);
+	return auth_cache_parse_key_and_fields(pool, query, NULL, NULL);
+ }
+ 
+ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query,
+ 				      const ARRAY_TYPE(const_string) *fields,
+ 				      const char *exclude_driver)
+ {
+-	if (!array_is_empty(fields)) {
+	if (fields != NULL && !array_is_empty(fields)) {
+ 		unsigned int i, count;
+ 		const char *const *str = array_get(fields, &count);
+ 		string_t *full_query = t_str_new(128);
+
+From d12bb78b5a235f31c9d5a655bd223c28d44bcadb Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Fri, 25 Jul 2025 11:51:16 +0300
+Subject: [PATCH 4/7] auth: auth-cache - Change auth_cache_parse_key_exclude()
+ to return error
+
+Simplifies following commit
+---
+ src/auth/auth-cache.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c
+index ad8cbe50784..407e5d4aa0e 100644
+--- a/src/auth/auth-cache.c
+++ b/src/auth/auth-cache.c
+@@ -64,8 +64,10 @@ static void auth_cache_key_add_tab_idx(string_t *str, unsigned int i)
+ 	str_append_c(str, '}');
+ }
+ 
+-static char *auth_cache_parse_key_exclude(pool_t pool, const char *query,
+-					  const char *exclude_driver)
+static int auth_cache_parse_key_exclude(pool_t pool, const char *query,
+					const char *exclude_driver,
+					char **cache_key_r,
+					const char **error_r)
+ {
+ 	string_t *str;
+ 	bool key_seen[AUTH_REQUEST_VAR_TAB_COUNT];
+@@ -76,9 +78,9 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query,
+ 
+ 	struct var_expand_program *prog;
+ 	if (var_expand_program_create(query, &prog, &error) < 0) {
+-		e_debug(auth_event, "auth-cache: var_expand_program_create('%s') failed: %s",
+-			query, error);
+-		return p_strdup(pool, "");
+		*error_r = t_strdup_printf("var_expand_program_create(%s) failed: %s",
+					   query, error);
+		return -1;
+ 	}
+ 
+ 	const char *const *vars = var_expand_program_variables(prog);
+@@ -117,7 +119,8 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query,
+ 
+ 	var_expand_program_free(&prog);
+ 
+-	return p_strdup(pool, str_c(str));
+	*cache_key_r = p_strdup(pool, str_c(str));
+	return 0;
+ }
+ 
+ char *auth_cache_parse_key(pool_t pool, const char *query)
+@@ -140,7 +143,15 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query,
+ 		}
+ 		query = str_c(full_query);
+ 	}
+-	return auth_cache_parse_key_exclude(pool, query, exclude_driver);
+
+	char *cache_key;
+	const char *error;
+	if (auth_cache_parse_key_exclude(pool, query, exclude_driver,
+					 &cache_key, &error) < 0) {
+		e_debug(auth_event, "auth-cache: %s", error);
+		cache_key = p_strdup(pool, "");
+	}
+	return cache_key;
+ }
+ 
+ static void
+
+From 20d15baa071747f91176eb3115235aa8c78a3d11 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Fri, 25 Jul 2025 11:52:36 +0300
+Subject: [PATCH 5/7] auth: auth-cache - Treat cache key parsing errors as
+ fatals
+
+Avoids accidentically turning off caching
+---
+ src/auth/auth-cache.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c
+index 407e5d4aa0e..be569349182 100644
+--- a/src/auth/auth-cache.c
+++ b/src/auth/auth-cache.c
+@@ -147,10 +147,8 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query,
+ 	char *cache_key;
+ 	const char *error;
+ 	if (auth_cache_parse_key_exclude(pool, query, exclude_driver,
+-					 &cache_key, &error) < 0) {
+-		e_debug(auth_event, "auth-cache: %s", error);
+-		cache_key = p_strdup(pool, "");
+-	}
+					 &cache_key, &error) < 0)
+		i_fatal("auth-cache: %s", error);
+ 	return cache_key;
+ }
+ 
+
+From 0172f8e8c55aff42c688633b2891cf157641366b Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Fri, 25 Jul 2025 11:41:03 +0300
+Subject: [PATCH 6/7] auth: auth-cache - Require cache key to contain at least
+ one variable
+
+---
+ src/auth/auth-cache.c      |  7 +++++++
+ src/auth/test-auth-cache.c | 37 ++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c
+index be569349182..32959f5d0f4 100644
+--- a/src/auth/auth-cache.c
+++ b/src/auth/auth-cache.c
+@@ -86,6 +86,13 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query,
+ 	const char *const *vars = var_expand_program_variables(prog);
+ 	str = t_str_new(32);
+ 
+	if (*vars == NULL && *query != '\0') {
+		var_expand_program_free(&prog);
+		*error_r = t_strdup_printf("%s: Cache key must contain at least one variable",
+					   query);
+		return -1;
+	}
+
+ 	for (; *vars != NULL; vars++) {
+ 		/* ignore any providers */
+ 		if (strchr(*vars, ':') != NULL &&
+diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c
+index 46836defc6d..b36d83ec022 100644
+--- a/src/auth/test-auth-cache.c
+++ b/src/auth/test-auth-cache.c
+@@ -97,7 +97,35 @@ static void test_auth_cache_parse_key(void)
+ 						 tests[i].in);
+ 		test_assert_strcmp_idx(cache_key, tests[i].out, i);
+ 	}
+
+	test_end();
+}
+
+static enum fatal_test_state test_cache_key_missing_variable(unsigned int i)
+{
+	if (i == 0)
+		test_begin("auth cache missing variable");
+
+	/* ensure that we do not accept static string */
+	static const struct {
+		const char *in, *out;
+	} tests_bad[] = {
+		{ "%u", "auth-cache: %u: Cache key must contain at least one variable" },
+		{ "foobar", "auth-cache: foobar: Cache key must contain at least one variable" },
+		{ "%{test", "auth-cache: var_expand_program_create(%{test) " \
+			    "failed: syntax error, unexpected end of file, " \
+			    "expecting CCBRACE or PIPE" },
+	};
+
+	if (i < N_ELEMENTS(tests_bad)) {
+		test_expect_fatal_string(tests_bad[i].out);
+		(void)auth_cache_parse_key(pool_datastack_create(),
+					   tests_bad[i].in);
+		return FATAL_TEST_FAILURE;
+	}
+
+ 	test_end();
+	return FATAL_TEST_FINISHED;
+ }
+ 
+ int main(void)
+@@ -108,7 +136,14 @@ int main(void)
+ 		test_auth_cache_parse_key,
+ 		NULL
+ 	};
+-	int ret = test_run(test_functions);
+
+	static test_fatal_func_t *const fatal_functions[] = {
+		test_cache_key_missing_variable,
+		NULL,
+	};
+
+	int ret = test_run_with_fatals(test_functions, fatal_functions);
+
+ 	event_unref(&auth_event);
+ 	return ret;
+ }
+
+From 34caed79b76a7b82a2a9c94cf35371bec6c2b826 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Fri, 25 Jul 2025 12:00:57 +0300
+Subject: [PATCH 7/7] auth: auth-cache - Drop auth_cache_parse_key()
+
+It's only used by tests and can now just call
+auth_cache_parse_key_and_fields().
+---
+ src/auth/auth-cache.c      | 5 -----
+ src/auth/auth-cache.h      | 6 ++----
+ src/auth/test-auth-cache.c | 8 ++++----
+ 3 files changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c
+index 32959f5d0f4..82cc0d526eb 100644
+--- a/src/auth/auth-cache.c
+++ b/src/auth/auth-cache.c
+@@ -130,11 +130,6 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query,
+ 	return 0;
+ }
+ 
+-char *auth_cache_parse_key(pool_t pool, const char *query)
+-{
+-	return auth_cache_parse_key_and_fields(pool, query, NULL, NULL);
+-}
+-
+ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query,
+ 				      const ARRAY_TYPE(const_string) *fields,
+ 				      const char *exclude_driver)
+diff --git a/src/auth/auth-cache.h b/src/auth/auth-cache.h
+index 9bdb9185170..d63621b1a4c 100644
+--- a/src/auth/auth-cache.h
+++ b/src/auth/auth-cache.h
+@@ -16,10 +16,8 @@ struct auth_cache_node {
+ struct auth_cache;
+ struct auth_request;
+ 
+-/* Parses all %x variables from query and compresses them into tab-separated
+-   list, so it can be used as a cache key. */
+-char *auth_cache_parse_key(pool_t pool, const char *query);
+-/* Same as auth_cache_parse_key(), but add also variables from "fields",
+/* Parses all %variables from query and compresses them into tab-separated
+   list, so it can be used as a cache key. Adds also variables from "fields",
+    except variables prefixed with <exclude_driver>":" */
+ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query,
+ 				      const ARRAY_TYPE(const_string) *fields,
+diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c
+index b36d83ec022..f58c21f7afb 100644
+--- a/src/auth/test-auth-cache.c
+++ b/src/auth/test-auth-cache.c
+@@ -93,8 +93,8 @@ static void test_auth_cache_parse_key(void)
+ 	test_begin("auth cache parse key");
+ 
+ 	for (i = 0; i < N_ELEMENTS(tests); i++) {
+-		cache_key = auth_cache_parse_key(pool_datastack_create(),
+-						 tests[i].in);
+		cache_key = auth_cache_parse_key_and_fields(pool_datastack_create(),
+							    tests[i].in, NULL, NULL);
+ 		test_assert_strcmp_idx(cache_key, tests[i].out, i);
+ 	}
+ 
+@@ -119,8 +119,8 @@ static enum fatal_test_state test_cache_key_missing_variable(unsigned int i)
+ 
+ 	if (i < N_ELEMENTS(tests_bad)) {
+ 		test_expect_fatal_string(tests_bad[i].out);
+-		(void)auth_cache_parse_key(pool_datastack_create(),
+-					   tests_bad[i].in);
+		(void)auth_cache_parse_key_and_fields(pool_datastack_create(),
+						      tests_bad[i].in, NULL, NULL);
+ 		return FATAL_TEST_FAILURE;
+ 	}
+ 
--- a/dovecot-2.4.1-gssapi.patch
+++ b/dovecot-2.4.1-gssapi.patch
@ -0,0 +1,12 @@
+diff -up dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi dovecot-2.4.1-4/src/auth/mech-gssapi.c
+--- dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi	2025-06-24 00:07:54.720275640 +0200
+++ dovecot-2.4.1-4/src/auth/mech-gssapi.c	2025-06-24 00:10:04.541651871 +0200
+@@ -672,7 +672,7 @@ mech_gssapi_auth_initial(struct auth_req
+ 
+ 	if (data_size == 0) {
+ 		/* The client should go first */
+-		auth_request_handler_reply_continue(request, NULL, 0);
+		auth_request_handler_reply_continue(request, uchar_empty_ptr, 0);
+ 	} else {
+ 		mech_gssapi_auth_continue(request, data, data_size);
+ 	}
--- a/dovecot-2.4.1-nolibotp.patch
+++ b/dovecot-2.4.1-nolibotp.patch
@ -1,80 +1,134 @@
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c.nolibotp	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c	2025-11-30 13:38:50.100927373 +0100
-@@ -16,7 +16,7 @@
- static const char *const settings[] = {
- 	"base_dir", ".",
- 	"auth_mechanisms",
-		"ANONYMOUS APOP CRAM-MD5 DIGEST-MD5 EXTERNAL LOGIN PLAIN OTP "
-+		"ANONYMOUS APOP CRAM-MD5 DIGEST-MD5 EXTERNAL LOGIN PLAIN "
- 		"OAUTHBEARER SCRAM-SHA-1 SCRAM-SHA-256 XOAUTH2",
- 	"auth_username_chars", "",
- 	"auth_username_format", "",
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c.nolibotp	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c	2025-11-30 13:38:50.101130654 +0100
-@@ -46,10 +46,7 @@ request_handler_reply_mock_callback(stru
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c	2025-06-05 22:36:50.148155427 +0200
+@@ -20,8 +20,6 @@
+ #include "password-scheme.h"
+ #include "passdb-cache.h"
+ #include "mech.h"
+-#include "otp.h"
+-#include "mech-otp-common.h"
+ #include "auth.h"
+ #include "auth-penalty.h"
+ #include "auth-token.h"
+@@ -272,7 +270,6 @@ static void main_deinit(void)
+ 
+ 	auth_policy_deinit();
+ 	mech_register_deinit(&mech_reg);
+-	mech_otp_deinit();
+ 	db_oauth2_deinit();
+ 	mech_deinit(global_auth_settings);
+ 	settings_free(global_auth_settings);
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c	2025-06-05 22:36:50.148435422 +0200
+@@ -71,7 +71,6 @@ extern const struct mech_module mech_apo
+ extern const struct mech_module mech_cram_md5;
+ extern const struct mech_module mech_digest_md5;
+ extern const struct mech_module mech_external;
+-extern const struct mech_module mech_otp;
+ extern const struct mech_module mech_scram_sha1;
+ extern const struct mech_module mech_scram_sha1_plus;
+ extern const struct mech_module mech_scram_sha256;
+@@ -217,7 +216,6 @@ void mech_init(const struct auth_setting
+ 		mech_register_module(&mech_gssapi_spnego);
+ #endif
+ 	}
+-	mech_register_module(&mech_otp);
+ 	mech_register_module(&mech_scram_sha1);
+ 	mech_register_module(&mech_scram_sha1_plus);
+ 	mech_register_module(&mech_scram_sha256);
+@@ -247,7 +245,6 @@ void mech_deinit(const struct auth_setti
+ 		mech_unregister_module(&mech_gssapi_spnego);
+ #endif
+ 	}
+-	mech_unregister_module(&mech_otp);
+ 	mech_unregister_module(&mech_scram_sha1);
+ 	mech_unregister_module(&mech_scram_sha1_plus);
+ 	mech_unregister_module(&mech_scram_sha256);
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp	2025-06-05 23:11:23.428522162 +0200
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c	2025-06-05 23:11:23.443511259 +0200
+@@ -72,7 +72,6 @@ void test_auth_init(void)
+ void test_auth_deinit(void)
+ {
+ 	auth_penalty_deinit(&auth_penalty);
+-	mech_otp_deinit();
+ 	db_oauth2_deinit();
+ 	auths_deinit();
+ 	auth_token_deinit();
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c	2025-06-05 22:36:50.148639214 +0200
+@@ -24,7 +24,6 @@ extern const struct mech_module mech_dig
+ extern const struct mech_module mech_external;
+ extern const struct mech_module mech_login;
+ extern const struct mech_module mech_oauthbearer;
+-extern const struct mech_module mech_otp;
+ extern const struct mech_module mech_plain;
+ extern const struct mech_module mech_scram_sha1;
+ extern const struct mech_module mech_scram_sha256;
+@@ -60,10 +59,7 @@ request_handler_reply_mock_callback(stru
 
 	if (request->passdb_result == PASSDB_RESULT_OK)
 		request->failed = FALSE;
-	else if (strcmp(request->fields.mech_name, SASL_MECH_NAME_OTP) == 0) {
+-	else if (request->mech == &mech_otp) {
 -		if (null_strcmp(request->fields.user, "otp_phase_2") == 0)
 -			request->failed = FALSE;
-	} else if (strcmp(request->fields.mech_name,
-+	else if (strcmp(request->fields.mech_name,
- 			  SASL_MECH_NAME_OAUTHBEARER) == 0) {
+-	} else if (request->mech == &mech_oauthbearer) {
+	else if (request->mech == &mech_oauthbearer) {
 	}
 };
-@@ -190,10 +187,6 @@ static void test_mechs(void)
- 		{"PLAIN", UCHAR_LEN("\0testuser\0testpass"), "testuser", TRUE, FALSE, FALSE},
- 		{"PLAIN", UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", TRUE, FALSE, FALSE},
- 		{"PLAIN", UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", TRUE, FALSE, FALSE},
-		{"OTP", UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", TRUE, TRUE, FALSE},
-		{"OTP", UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", TRUE, TRUE, FALSE},
-		{"OTP", UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", TRUE, TRUE, FALSE},
-		{"OTP", UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", TRUE, TRUE, FALSE},
- 		{"OAUTHBEARER", UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", FALSE, TRUE, FALSE},
- 		{"SCRAM-SHA-1", UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", TRUE, FALSE, FALSE},
- 		{"SCRAM-SHA-256", UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser",  TRUE, FALSE, FALSE},
-@@ -208,8 +201,6 @@ static void test_mechs(void)
- 		{"EXTERNAL", UCHAR_LEN(""), "testuser", FALSE, TRUE, FALSE},
- 		{"EXTERNAL", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE},
- 		{"LOGIN", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE},
-		{"OTP", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE},
-		{"OTP", UCHAR_LEN(""), "testuser", FALSE, FALSE, FALSE},
- 		{"PLAIN", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE},
- 		{"OAUTHBEARER", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE},
- 		{"XOAUTH2", UCHAR_LEN(""), NULL,  FALSE, FALSE, FALSE},
-@@ -221,7 +212,6 @@ static void test_mechs(void)
- 		{"APOP", UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, FALSE, FALSE, FALSE},
- 		{"APOP", UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, FALSE, FALSE, FALSE},
- 		{"APOP", UCHAR_LEN("1.1.1"), NULL, FALSE, FALSE, FALSE},
-		{"OTP", UCHAR_LEN("somebody\0testuser"), "testuser", FALSE, TRUE, FALSE},
- 		{"CRAM-MD5", UCHAR_LEN("testuser\0response"), "testuser",  FALSE, FALSE, FALSE},
- 		{"PLAIN", UCHAR_LEN("testuser\0"), "testuser", FALSE, FALSE, FALSE},
 
-@@ -264,9 +254,7 @@ static void test_mechs(void)
- 		{"PLAIN", UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, FALSE, FALSE, FALSE},
- 		{"PLAIN", UCHAR_LEN("failingwiththis"), NULL, FALSE, FALSE, FALSE},
- 		{"PLAIN", UCHAR_LEN("failing\0withthis"), NULL, FALSE, FALSE, FALSE},
-		{"OTP", UCHAR_LEN("someb\0ody\0testuser"), NULL, FALSE, FALSE, FALSE},
+@@ -181,10 +177,6 @@ static void test_mechs(void)
+ 		{&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE},
+ 		{&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE},
+ 		{&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE},
+-		{&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE},
+-		{&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE},
+-		{&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE},
+-		{&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE},
+ 		{&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE},
+ 		{&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE},
+ 		{&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser",  NULL, TRUE, FALSE, FALSE},
+@@ -199,8 +191,6 @@ static void test_mechs(void)
+ 		{&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE},
+ 		{&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
+ 		{&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
+-		{&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE},
+-		{&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE},
+ 		{&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
+ 		{&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
+ 		{&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE},
+@@ -212,7 +202,6 @@ static void test_mechs(void)
+ 		{&mech_apop, UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE},
+ 		{&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE},
+ 		{&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE},
+-		{&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE},
+ 		{&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE},
+ 		{&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE},
+ 
+@@ -254,9 +243,7 @@ static void test_mechs(void)
+ 		{&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE},
+ 		{&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE},
+ 		{&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE},
+-		{&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE},
 		/* phase 2 */
-		{"OTP", UCHAR_LEN("someb\0ody\0testuser"), "testuser", FALSE, TRUE, FALSE},
- 		{"SCRAM-SHA-1", UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, FALSE, FALSE, FALSE},
- 		{"SCRAM-SHA-1", UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, FALSE, FALSE, FALSE},
- 		{"SCRAM-SHA-1", UCHAR_LEN("n,a=masteruser,,"), NULL, FALSE, FALSE, FALSE},
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibotp	2025-11-30 13:38:50.093609901 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c	2025-11-30 13:38:50.101359374 +0100
+-		{&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE},
+ 		{&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE},
+ 		{&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE},
+ 		{&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE},
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp	2025-06-05 22:36:50.142606171 +0200
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c	2025-06-05 22:36:50.148822418 +0200
@@ -13,7 +13,6 @@
 #include "randgen.h"
 #include "sha1.h"
 #include "sha2.h"
 -#include "otp.h"
 #include "str.h"
- #include "auth-digest.h"
 #include "password-scheme.h"
-@@ -704,33 +703,6 @@ plain_md5_generate(const char *plaintext
+ #include "password-scheme-private.h"
+@@ -701,33 +700,6 @@ plain_md5_generate(const char *plaintext
 	*size_r = MD5_RESULTLEN;
 }
 
@ -108,7 +162,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibo
 static const struct password_scheme builtin_schemes[] = {
 	{
 		.name = "MD5",
-@@ -894,13 +866,6 @@ static const struct password_scheme buil
+@@ -891,13 +863,6 @@ static const struct password_scheme buil
 		.password_generate = plain_md5_generate,
 	},
 	{
@ -122,9 +176,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibo
 		.name = "PBKDF2",
 		.default_encoding = PW_ENCODING_NONE,
 		.raw_password_len = 0,
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibotp	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h	2025-11-30 13:38:50.101549260 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h	2025-06-05 22:36:50.148942954 +0200
@@ -98,9 +98,6 @@ void password_set_encryption_rounds(unsi
 /* INTERNAL: */
 const char *password_generate_salt(size_t len);
@ -133,11 +187,11 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibo
 -			  unsigned int algo, const char **result_r)
 -	ATTR_NULL(2);
 
- int scram_verify(const struct hash_method *hmethod, const char *scheme_name,
- 		 const char *plaintext, const unsigned char *raw_password,
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.nolibotp	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c	2025-11-30 13:38:50.101711124 +0100
+ int scram_scheme_parse(const struct hash_method *hmethod, const char *name,
+ 		       const unsigned char *credentials, size_t size,
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c	2025-06-05 22:36:50.149077275 +0200
@@ -107,7 +107,6 @@ static void test_password_schemes(void)
 	test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test");
 	test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test");
@ -146,140 +200,3 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.n
 	test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test");
 	test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test");
 	test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test");
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c.nolibotp	2025-11-30 13:39:54.210043386 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c	2025-11-30 13:39:54.217205256 +0100
-@@ -175,7 +175,6 @@ void dsasl_clients_init(void)
- 	dsasl_client_mech_register(&dsasl_client_mech_digest_md5);
- 	dsasl_client_mech_register(&dsasl_client_mech_cram_md5);
- 	dsasl_client_mech_register(&dsasl_client_mech_oauthbearer);
-	dsasl_client_mech_register(&dsasl_client_mech_otp);
- 	dsasl_client_mech_register(&dsasl_client_mech_xoauth2);
- 	dsasl_client_mech_register(&dsasl_client_mech_scram_sha_1);
- 	dsasl_client_mech_register(&dsasl_client_mech_scram_sha_1_plus);
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h.nolibotp	2025-11-30 13:40:22.269119732 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h	2025-11-30 13:40:22.275363043 +0100
-@@ -50,7 +50,6 @@ extern const struct dsasl_client_mech ds
- extern const struct dsasl_client_mech dsasl_client_mech_external;
- extern const struct dsasl_client_mech dsasl_client_mech_login;
- extern const struct dsasl_client_mech dsasl_client_mech_oauthbearer;
-extern const struct dsasl_client_mech dsasl_client_mech_otp;
- extern const struct dsasl_client_mech dsasl_client_mech_xoauth2;
- extern const struct dsasl_client_mech dsasl_client_mech_scram_sha_1;
- extern const struct dsasl_client_mech dsasl_client_mech_scram_sha_1_plus;
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c.nolibotp	2025-11-30 13:40:56.823727053 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c	2025-11-30 13:40:56.837864792 +0100
-@@ -635,7 +635,6 @@ static void fuzz_sasl_run(struct istream
- 	sasl_server_mech_register_cram_md5(server_inst);
- 	sasl_server_mech_register_digest_md5(server_inst);
- 	sasl_server_mech_register_login(server_inst);
-	sasl_server_mech_register_otp(server_inst);
- 	sasl_server_mech_register_plain(server_inst);
- 	sasl_server_mech_register_scram_sha1(server_inst);
- 	sasl_server_mech_register_scram_sha1_plus(server_inst);
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h.nolibotp	2025-11-30 13:41:24.035316421 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h	2025-11-30 13:41:24.050796571 +0100
-@@ -193,8 +193,6 @@ void sasl_server_mech_register_scram_sha
- void sasl_server_mech_register_scram_sha256_plus(
- 	struct sasl_server_instance *sinst);
- 
-void sasl_server_mech_register_otp(struct sasl_server_instance *sinst);
-
- /* Winbind */
- 
- struct sasl_server_winbind_settings {
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c.nolibotp	2025-11-30 13:42:08.741524883 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c	2025-11-30 13:42:08.757334395 +0100
-@@ -507,7 +507,6 @@ test_sasl_run(const struct test_sasl *te
- 	sasl_server_mech_register_digest_md5(server_inst);
- 	sasl_server_mech_register_external(server_inst);
- 	sasl_server_mech_register_login(server_inst);
-	sasl_server_mech_register_otp(server_inst);
- 	sasl_server_mech_register_plain(server_inst);
- 	sasl_server_mech_register_scram_sha1(server_inst);
- 	sasl_server_mech_register_scram_sha1_plus(server_inst);
-@@ -722,16 +721,6 @@ static const struct test_sasl success_te
- 			.password = "tokentokentoken",
- 		},
- 	},
-	/* OTP */
-	{
-		.mech = "OTP",
-		.authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME,
-		.server = {
-			.authid = "user",
-			.password = "pass",
-		},
-		.repeat = 1050,
-	},
- 	/* EXTERNAL */
- 	{
- 		.mech = "EXTERNAL",
-@@ -1457,31 +1446,6 @@ static const struct test_sasl bad_creds_
- 		},
- 		.failure = TRUE,
- 	},
-	/* OTP */
-	{
-		.mech = "OTP",
-		.authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME,
-		.server = {
-			.authid = "user",
-			.password = "pass",
-		},
-		.client = {
-			.authid = "userb",
-		},
-		.failure = TRUE,
-	},
-	{
-		.mech = "OTP",
-		.authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME,
-		.server = {
-			.authid = "user",
-			.password = "pass",
-		},
-		.client = {
-			.password = "florp",
-		},
-		.failure = TRUE,
-	},
- 	/* EXTERNAL */
- 	{
- 		.mech = "EXTERNAL",
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c.nolibotp2 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c.nolibotp2	2025-11-30 13:56:23.124460140 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c	2025-11-30 13:56:39.521935947 +0100
-@@ -472,7 +472,6 @@ MECH_SIMPLE_REGISTER__TEMPLATE(cram_md5)
- MECH_SIMPLE_REGISTER__TEMPLATE(digest_md5)
- MECH_SIMPLE_REGISTER__TEMPLATE(external)
- MECH_SIMPLE_REGISTER__TEMPLATE(login)
-MECH_SIMPLE_REGISTER__TEMPLATE(otp)
- MECH_SIMPLE_REGISTER__TEMPLATE(plain)
- MECH_SIMPLE_REGISTER__TEMPLATE(scram_sha1)
- MECH_SIMPLE_REGISTER__TEMPLATE(scram_sha1_plus)
-@@ -539,12 +538,6 @@ static const struct auth_sasl_mech_modul
- 	.mech_register = mech_login_register,
- };
- 
-static const struct auth_sasl_mech_module mech_otp = {
-	.mech_name = SASL_MECH_NAME_OTP,
-
-	.mech_register = mech_otp_register,
-};
-
- static const struct auth_sasl_mech_module mech_plain = {
- 	.mech_name = SASL_MECH_NAME_PLAIN,
- 
-@@ -612,7 +605,6 @@ static void auth_sasl_mechs_init(const s
- 	if (set->use_winbind)
- 		auth_sasl_mech_register_module(&mech_winbind_ntlm);
- 	auth_sasl_mech_oauth2_register();
-	auth_sasl_mech_register_module(&mech_otp);
- 	auth_sasl_mech_register_module(&mech_plain);
- 	auth_sasl_mech_register_module(&mech_scram_sha1);
- 	auth_sasl_mech_register_module(&mech_scram_sha1_plus);
--- a/dovecot-2.4.1-opensslhmac3.patch
+++ b/dovecot-2.4.1-opensslhmac3.patch
@ -1,6 +1,6 @@
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c	2025-11-30 09:57:55.178213106 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c	2025-07-30 11:45:19.801515296 +0200
@@ -162,17 +162,17 @@ void auth_token_deinit(void)
 const char *auth_token_get(const char *service, const char *session_pid,
 			   const char *username, const char *session_id)
@ -26,10 +26,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3 do
 
 	return binary_to_hex(result, sizeof(result));
 }
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am
--- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am	2025-11-30 09:57:55.178490134 +0100
-@@ -71,6 +71,7 @@ auth_LDFLAGS = -export-dynamic
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am	2025-07-30 11:45:19.803705887 +0200
+@@ -66,6 +66,7 @@ auth_LDFLAGS = -export-dynamic
 auth_libs = \
 	../lib-auth/libauth-crypt.la \
 	$(AUTH_LUA_LIBS) \
@ -37,9 +37,35 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3 dov
 	$(LIBDOVECOT_SQL)
 
 auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS)
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am
--- dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am	2025-11-30 09:57:55.179136544 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c	2025-07-30 11:45:19.801656370 +0200
+@@ -50,7 +50,7 @@ static bool verify_credentials(struct cr
+ 			       const unsigned char *credentials, size_t size)
+ {
+ 	unsigned char digest[MD5_RESULTLEN];
+-        struct hmac_context ctx;
+        struct orig_hmac_context ctx;
+ 	const char *response_hex;
+ 
+ 	if (size != CRAM_MD5_CONTEXTLEN) {
+@@ -59,10 +59,10 @@ static bool verify_credentials(struct cr
+ 		return FALSE;
+ 	}
+ 
+-	hmac_init(&ctx, NULL, 0, &hash_method_md5);
+	orig_hmac_init(&ctx, NULL, 0, &hash_method_md5);
+ 	hmac_md5_set_cram_context(&ctx, credentials);
+-	hmac_update(&ctx, request->challenge, strlen(request->challenge));
+-	hmac_final(&ctx, digest);
+	orig_hmac_update(&ctx, request->challenge, strlen(request->challenge));
+	orig_hmac_final(&ctx, digest);
+ 
+ 	response_hex = binary_to_hex(digest, sizeof(digest));
+ 
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am	2025-07-30 11:45:19.803805844 +0200
@@ -21,11 +21,13 @@ AM_CPPFLAGS = \
 	$(BINARY_CFLAGS)
 
@ -54,10 +80,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3 dov
 	$(LIBDOVECOT_STORAGE) \
 	$(LIBDOVECOT)
 imap_DEPENDENCIES = \
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am
--- dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am	2025-11-30 09:57:55.179268682 +0100
-@@ -23,6 +23,7 @@ imap_urlauth_CPPFLAGS = \
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am	2025-07-30 11:45:19.803904279 +0200
+@@ -22,6 +22,7 @@ imap_urlauth_CPPFLAGS = \
 imap_urlauth_LDFLAGS = -export-dynamic
 
 imap_urlauth_LDADD = $(LIBDOVECOT) \
@ -65,7 +91,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslh
 	$(BINARY_LDFLAGS)
 
 imap_urlauth_DEPENDENCIES = $(LIBDOVECOT_DEPS)
-@@ -53,7 +54,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy
+@@ -52,7 +53,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy
 urlauth_libs = \
 	$(top_builddir)/src/lib-imap-urlauth/libimap-urlauth.la
 
@ -74,10 +100,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslh
 imap_urlauth_worker_DEPENDENCIES = $(urlauth_libs) $(LIBDOVECOT_STORAGE_DEPS) $(LIBDOVECOT_DEPS)
 
 imap_urlauth_worker_SOURCES = \
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c	2025-11-30 09:57:55.179413002 +0100
-@@ -222,7 +222,7 @@ static string_t *auth_scram_get_client_f
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c	2025-07-30 11:45:19.801788468 +0200
+@@ -248,7 +248,7 @@ static string_t *auth_scram_get_client_f
 	unsigned char client_signature[hmethod->digest_size];
 	unsigned char client_proof[hmethod->digest_size];
 	unsigned char server_key[hmethod->digest_size];
@ -86,7 +112,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.open
 	const void *cbind_input;
 	size_t cbind_input_size;
 	string_t *auth_message, *str;
-@@ -281,9 +281,9 @@ static string_t *auth_scram_get_client_f
+@@ -307,9 +307,9 @@ static string_t *auth_scram_get_client_f
 		      client->iter, salted_password);
 
 	/* ClientKey       := HMAC(SaltedPassword, "Client Key") */
@ -99,7 +125,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.open
 
 	/* StoredKey       := H(ClientKey) */
 	hash_method_get_digest(hmethod, client_key, sizeof(client_key),
-@@ -301,9 +301,9 @@ static string_t *auth_scram_get_client_f
+@@ -327,9 +327,9 @@ static string_t *auth_scram_get_client_f
 	str_append_str(auth_message, str);
 
 	/* ClientSignature := HMAC(StoredKey, AuthMessage) */
@ -112,7 +138,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.open
 
 	/* ClientProof     := ClientKey XOR ClientSignature */
 	for (k = 0; k < hmethod->digest_size; k++)
-@@ -314,16 +314,16 @@ static string_t *auth_scram_get_client_f
+@@ -340,16 +340,16 @@ static string_t *auth_scram_get_client_f
 	safe_memset(client_signature, 0, sizeof(client_signature));
 
 	/* ServerKey       := HMAC(SaltedPassword, "Server Key") */
@ -135,9 +161,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.open
 
 	safe_memset(salted_password, 0, sizeof(salted_password));
 
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c	2025-11-30 09:57:55.179729815 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c	2025-07-30 11:45:19.801918022 +0200
@@ -31,7 +31,7 @@ void auth_scram_hi(const struct hash_met
 		   const unsigned char *salt, size_t salt_size, unsigned int i,
 		   unsigned char *result)
@ -207,10 +233,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac
 
 	safe_memset(salted_password, 0, sizeof(salted_password));
 	safe_memset(client_key, 0, sizeof(client_key));
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c	2025-11-30 09:57:55.179862473 +0100
-@@ -288,7 +288,7 @@ auth_scram_server_verify_credentials(str
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c	2025-07-30 11:45:19.802027357 +0200
+@@ -342,7 +342,7 @@ auth_scram_server_verify_credentials(str
 {
 	const struct hash_method *hmethod = server->set.hash_method;
 	struct auth_scram_key_data *kdata = &server->key_data;
@ -219,7 +245,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.open
 	const char *auth_message;
 	unsigned char client_key[hmethod->digest_size];
 	unsigned char client_signature[hmethod->digest_size];
-@@ -309,9 +309,9 @@ auth_scram_server_verify_credentials(str
+@@ -363,9 +363,9 @@ auth_scram_server_verify_credentials(str
 			server->server_first_message, ",",
 			server->client_final_message_without_proof, NULL);
 
@ -232,7 +258,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.open
 
 	/* ClientProof     := ClientKey XOR ClientSignature */
 	const unsigned char *proof_data = server->proof->data;
-@@ -440,7 +440,7 @@ auth_scram_get_server_final(struct auth_
+@@ -494,7 +494,7 @@ auth_scram_get_server_final(struct auth_
 {
 	const struct hash_method *hmethod = server->set.hash_method;
 	struct auth_scram_key_data *kdata = &server->key_data;
@ -241,7 +267,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.open
 	const char *auth_message;
 	unsigned char server_signature[hmethod->digest_size];
 	string_t *str;
-@@ -456,9 +456,9 @@ auth_scram_get_server_final(struct auth_
+@@ -510,9 +510,9 @@ auth_scram_get_server_final(struct auth_
 			server->server_first_message, ",",
 			server->client_final_message_without_proof, NULL);
 
@ -254,10 +280,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.open
 
 	/* RFC 5802, Section 7:
 
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c	2025-11-30 09:57:55.180035106 +0100
-@@ -633,11 +633,11 @@ static void
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c	2025-07-30 11:45:19.802166177 +0200
+@@ -631,11 +631,11 @@ static void
 cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
 		  const unsigned char **raw_password_r, size_t *size_r)
 {
@ -271,10 +297,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.openss
 		  strlen(plaintext), &hash_method_md5);
 	hmac_md5_get_cram_context(&ctx, context_digest);
 
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c	2025-11-30 09:57:55.180182392 +0100
-@@ -23,7 +23,7 @@ int scram_verify(const struct hash_metho
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c	2025-07-30 11:45:19.802285591 +0200
+@@ -69,7 +69,7 @@ int scram_verify(const struct hash_metho
 		 const char *plaintext, const unsigned char *raw_password,
 		 size_t size, const char **error_r)
 {
@ -283,7 +309,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.
 	const char *salt_base64;
 	unsigned int iter_count;
 	const unsigned char *salt;
-@@ -49,9 +49,9 @@ int scram_verify(const struct hash_metho
+@@ -94,9 +94,9 @@ int scram_verify(const struct hash_metho
 		      salt, salt_len, iter_count, salted_password);
 
 	/* Calculate ClientKey */
@ -296,9 +322,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.
 
 	/* Calculate StoredKey */
 	hash_method_get_digest(hmethod, client_key, sizeof(client_key),
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c	2025-11-30 09:57:55.180318937 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c	2025-07-30 11:46:43.346310291 +0200
@@ -7,6 +7,10 @@
  * This software is released under the MIT license.
  */
@ -572,9 +598,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3 dovecot-2
 -	safe_memset(prk, 0, sizeof(prk));
 -	safe_memset(okm, 0, sizeof(okm));
 }
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c	2025-11-30 09:57:55.180461985 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c	2025-07-30 11:45:19.802547733 +0200
@@ -9,10 +9,10 @@
 #include "md5.h"
 #include "hmac-cram-md5.h"
@ -601,9 +627,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3
 	const unsigned char *cdp;
 
 	struct md5_context *ctx = (void*)hmac_ctx->ctx;
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h	2025-11-30 09:57:55.180563796 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h	2025-07-30 11:45:19.802643613 +0200
@@ -5,9 +5,9 @@
 
 #define CRAM_MD5_CONTEXTLEN 32
@ -616,9 +642,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3
 		const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
 
 
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h	2025-11-30 09:57:55.180723505 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h	2025-07-30 11:45:19.802751766 +0200
@@ -4,60 +4,108 @@
 #include "hash-method.h"
 #include "sha1.h"
@ -628,7 +654,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 dovecot-2
 +#include <openssl/kdf.h>
 +#include <openssl/err.h>
 
- #define HMAC_MAX_CONTEXT_SIZE HASH_METHOD_MAX_CONTEXT_SIZE
+ #define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx)
 
 -struct hmac_context_priv {
 +
@ -741,9 +767,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 dovecot-2
 		  okm_buffer, okm_len);
 	return okm_buffer;
 }
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c	2025-11-30 09:57:55.180863807 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c	2025-07-30 11:45:19.802862354 +0200
@@ -87,15 +87,15 @@ imap_urlauth_internal_generate(
 	const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
 	size_t *token_len_r)
@ -764,10 +790,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.o
 
 	*token_len_r = SHA1_RESULTLEN + 1;
 	return token;
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am	2025-11-30 09:57:55.180990124 +0100
-@@ -414,6 +414,9 @@ headers = \
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am	2025-07-30 11:45:19.802976508 +0200
+@@ -359,6 +359,9 @@ headers = \
 	wildcard-match.h \
 	write-full.h
 
@ -777,9 +803,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3 dove
 test_programs = test-lib
 noinst_PROGRAMS = $(test_programs)
 
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c	2025-11-30 09:57:55.181135306 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c	2025-07-30 11:45:19.803097425 +0200
@@ -210,14 +210,14 @@ oauth2_validate_hmac(const struct oauth2
 	if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0)
 		return -1;
@ -801,9 +827,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhm
 
 	buffer_t *their_digest =
 		t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c	2025-11-30 09:57:55.181290025 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c	2025-07-30 11:45:19.803224443 +0200
@@ -250,7 +250,7 @@ static void save_key_azp_to(const char *
 static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key)
 {
@ -831,9 +857,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.open
 				      tokenbuf);
 	buffer_append(tokenbuf, ".", 1);
 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c	2025-11-30 09:57:55.181492013 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c	2025-07-30 11:45:19.803357132 +0200
@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
 	size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
 	unsigned char dk[l * hash->digest_size];
@ -868,35 +894,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3 dovecot-
 			for(i = 0; i < hash->digest_size; i++)
 				block[i] ^= U_c[i];
 		}
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c	2025-11-30 10:00:28.967795725 +0100
-@@ -53,7 +53,7 @@ verify_credentials(struct sasl_server_me
- 		container_of(auth_request, struct cram_auth_request,
- 			     auth_request);
- 	unsigned char digest[MD5_RESULTLEN];
-        struct hmac_context ctx;
-+        struct orig_hmac_context ctx;
- 	const char *response_hex;
- 
- 	if (size != CRAM_MD5_CONTEXTLEN) {
-@@ -62,10 +62,10 @@ verify_credentials(struct sasl_server_me
- 		return;
- 	}
- 
-	hmac_init(&ctx, NULL, 0, &hash_method_md5);
-+	orig_hmac_init(&ctx, NULL, 0, &hash_method_md5);
- 	hmac_md5_set_cram_context(&ctx, credentials);
-	hmac_update(&ctx, request->challenge, strlen(request->challenge));
-	hmac_final(&ctx, digest);
-+	orig_hmac_update(&ctx, request->challenge, strlen(request->challenge));
-+	orig_hmac_final(&ctx, digest);
- 
- 	response_hex = binary_to_hex(digest, sizeof(digest));
- 
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c	2025-11-30 09:57:55.181656401 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c	2025-07-30 11:45:19.803460807 +0200
@@ -206,11 +206,11 @@ static void test_hmac_rfc(void)
 	test_begin("hmac sha256 rfc4231 vectors");
 	for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
@ -972,10 +972,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3 dove
 				    vec->ikm_len, vec->info, vec->info_len,
 				    vec->okm_len);
 	test_assert(tmp->used == vec->okm_len &&
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am	2025-11-30 09:58:11.669117030 +0100
-@@ -34,13 +34,13 @@ test_libs = \
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am	2025-07-30 11:45:19.803606280 +0200
+@@ -30,13 +30,13 @@ test_libs = \
 	$(DLLIB)
 
 test_var_expand_crypt_SOURCES = test-var-expand-crypt.c
@ -986,14 +986,14 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am.
 test_var_expand_crypt_LDFLAGS = -export-dynamic -Wl,$(LD_WHOLE_ARCHIVE),../lib/.libs/liblib.a,../lib-json/.libs/libjson.a,../lib-ssl-iostream/.libs/libssl_iostream.a,$(LD_NO_WHOLE_ARCHIVE)
 endif
 
-test_var_expand_crypt_CFLAGS = $(AM_CFLAGS) \
-+test_var_expand_crypt_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) \
+-test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) \
+test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) $(SSL_CFLAGS) \
 	-DDCRYPT_BUILD_DIR=\"$(top_builddir)/src/lib-dcrypt\"
 
 check-local:
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am
--- dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhmac3	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am	2025-11-30 09:57:55.182137562 +0100
+diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am
+--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3	2025-03-28 12:32:27.000000000 +0100
+++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am	2025-07-30 11:45:19.804003916 +0200
@@ -29,6 +29,7 @@ submission_LDADD = \
 	$(urlauth_libs) \
 	$(LIBDOVECOT_STORAGE) \
@ -1002,24 +1002,3 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhma
 	$(MODULE_LIBS)
 submission_DEPENDENCIES = \
 	$(urlauth_libs) \
-diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c.fixbuild2 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c
--- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c.fixbuild2	2025-11-30 13:11:06.583413762 +0100
-+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c	2025-11-30 13:22:04.883307427 +0100
-@@ -81,13 +81,13 @@ mech_cram_md5_output(struct dsasl_client
- 		return DSASL_CLIENT_RESULT_OK;
- 	}
- 
-	struct hmac_context ctx;
-+	struct openssl_hmac_context ctx;
- 	unsigned char digest[MD5_RESULTLEN];
- 
-	hmac_init(&ctx, (const unsigned char *)client->password,
-+	openssl_hmac_init(&ctx, (const unsigned char *)client->password,
- 		  strlen(client->password), &hash_method_md5);
-	hmac_update(&ctx, cclient->challenge, strlen(cclient->challenge));
-	hmac_final(&ctx, digest);
-+	openssl_hmac_update(&ctx, cclient->challenge, strlen(cclient->challenge));
-+	openssl_hmac_final(&ctx, digest);
- 
- 	str = str_new(client->pool, 256);
- 	str_append(str, client->set.authid);
--- a/dovecot-2.4.2-fixbuild.patch
+++ b/dovecot-2.4.2-fixbuild.patch
@ -1,135 +0,0 @@
-diff -up dovecot-2.4.2/src/lib/istream.c.fixbuild dovecot-2.4.2/src/lib/istream.c
--- dovecot-2.4.2/src/lib/istream.c.fixbuild	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2/src/lib/istream.c	2025-11-30 11:40:37.739536137 +0100
-@@ -85,7 +85,7 @@ void i_stream_add_destroy_callback(struc
- }
- 
- void i_stream_remove_destroy_callback(struct istream *stream,
-				      void (*callback)())
-+				      istream_callback_t *callback)
- {
- 	io_stream_remove_destroy_callback(&stream->real_stream->iostream,
- 					  callback);
-diff -up dovecot-2.4.2/src/lib/istream.h.fixbuild dovecot-2.4.2/src/lib/istream.h
--- dovecot-2.4.2/src/lib/istream.h.fixbuild	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2/src/lib/istream.h	2025-11-30 11:40:37.739798710 +0100
-@@ -100,7 +100,7 @@ void i_stream_add_destroy_callback(struc
- 		(istream_callback_t *)callback, context)
- /* Remove the destroy callback. */
- void i_stream_remove_destroy_callback(struct istream *stream,
-				      void (*callback)());
-+				      istream_callback_t *callback);
- 
- /* Return file descriptor for stream, or -1 if none is available. */
- int i_stream_get_fd(struct istream *stream);
-diff -up dovecot-2.4.2/src/lib/ostream.c.fixbuild dovecot-2.4.2/src/lib/ostream.c
--- dovecot-2.4.2/src/lib/ostream.c.fixbuild	2025-11-30 11:42:21.434063550 +0100
-+++ dovecot-2.4.2/src/lib/ostream.c	2025-11-30 11:42:55.814100259 +0100
-@@ -127,7 +127,7 @@ void o_stream_add_destroy_callback(struc
- }
- 
- void o_stream_remove_destroy_callback(struct ostream *stream,
-				      void (*callback)())
-+				      ostream_callback_t *callback)
- {
- 	io_stream_remove_destroy_callback(&stream->real_stream->iostream,
- 					  callback);
-diff -up dovecot-2.4.2/src/lib/ostream.h.fixbuild dovecot-2.4.2/src/lib/ostream.h
--- dovecot-2.4.2/src/lib/ostream.h.fixbuild	2025-11-30 11:42:29.639009602 +0100
-+++ dovecot-2.4.2/src/lib/ostream.h	2025-11-30 11:43:20.101652841 +0100
-@@ -127,7 +127,7 @@ void o_stream_add_destroy_callback(struc
- 		(ostream_callback_t *)callback, context)
- /* Remove the destroy callback. */
- void o_stream_remove_destroy_callback(struct ostream *stream,
-				      void (*callback)());
-+				      ostream_callback_t *callback);
- 
- /* Mark the stream and all of its parent streams closed. Nothing will be
-    sent after this call. When using ostreams that require writing a trailer,
-diff -up dovecot-2.4.2/src/lib-json/json-istream.c.fixbuild dovecot-2.4.2/src/lib-json/json-istream.c
--- dovecot-2.4.2/src/lib-json/json-istream.c.fixbuild	2025-10-29 07:58:41.000000000 +0100
-+++ dovecot-2.4.2/src/lib-json/json-istream.c	2025-11-30 12:52:15.970430672 +0100
-@@ -706,7 +706,7 @@ static void json_istream_drop_value_stre
- 		if (stream->seekable_stream != NULL) {
- 			i_stream_remove_destroy_callback(
- 				stream->seekable_stream,
-				json_istream_drop_seekable_stream);
-+				(istream_callback_t *)json_istream_drop_seekable_stream);
- 			i_stream_unref(&stream->seekable_stream);
- 		}
- 	}
-@@ -720,12 +720,12 @@ static void json_istream_consumed_value_
- 	if (stream->seekable_stream != NULL) {
- 		i_stream_remove_destroy_callback(
- 			stream->seekable_stream,
-			json_istream_drop_seekable_stream);
-+			(istream_callback_t *)json_istream_drop_seekable_stream);
- 	}
- 	if (stream->value_stream != NULL) {
- 		i_stream_remove_destroy_callback(
- 			stream->value_stream,
-			json_istream_drop_value_stream);
-+			(istream_callback_t *)json_istream_drop_value_stream);
- 	}
- 	stream->value_stream = NULL;
- 	stream->seekable_stream = NULL;
- 		i_stream_remove_destroy_callback(conn->incoming_payload,
-						 http_client_payload_destroyed);
-+						 (istream_callback_t *)http_client_payload_destroyed);
- 		conn->incoming_payload = NULL;
- 	}
- 
-diff -up dovecot-2.4.2/src/lib-http/http-server-connection.c.fixbuild dovecot-2.4.2/src/lib-http/http-server-connection.c
--- dovecot-2.4.2/src/lib-http/http-server-connection.c.fixbuild	2025-11-30 13:02:24.337384848 +0100
-+++ dovecot-2.4.2/src/lib-http/http-server-connection.c	2025-11-30 13:03:14.477064608 +0100
-@@ -1066,7 +1066,7 @@ http_server_connection_disconnect(struct
- 	if (conn->incoming_payload != NULL) {
- 		/* The stream is still accessed by lib-http caller. */
- 		i_stream_remove_destroy_callback(conn->incoming_payload,
-						 http_server_payload_destroyed);
-+						 (istream_callback_t *)http_server_payload_destroyed);
- 		conn->incoming_payload = NULL;
- 	}
- 	if (conn->payload_handler != NULL)
-diff -up dovecot-2.4.2/src/lib-http/http-client-connection.c.fixbuild dovecot-2.4.2/src/lib-http/http-client-connection.c
--- dovecot-2.4.2/src/lib-http/http-client-connection.c.fixbuild	2025-11-30 12:57:42.670247695 +0100
-+++ dovecot-2.4.2/src/lib-http/http-client-connection.c	2025-11-30 13:00:54.862436490 +0100
-@@ -832,7 +832,7 @@ void http_client_connection_request_dest
- 	   is closed and we don't care about it anymore, so act as though it is
- 	   destroyed. */
- 	i_stream_remove_destroy_callback(payload,
-					 http_client_payload_destroyed);
-+					 (istream_callback_t *)http_client_payload_destroyed);
- 	http_client_payload_destroyed(req);
- }
- 
-@@ -888,7 +888,7 @@ http_client_connection_return_response(s
- 		if (response->payload != NULL) {
- 			i_stream_remove_destroy_callback(
- 				conn->incoming_payload,
-				http_client_payload_destroyed);
-+				(istream_callback_t *)http_client_payload_destroyed);
- 			i_stream_unref(&conn->incoming_payload);
- 			connection_input_resume(&conn->conn);
- 		}
-@@ -1731,7 +1731,7 @@ http_client_connection_disconnect(struct
- 	if (conn->incoming_payload != NULL) {
- 		/* The stream is still accessed by lib-http caller. */
- 		i_stream_remove_destroy_callback(conn->incoming_payload,
-						 http_client_payload_destroyed);
-+						 (istream_callback_t *)http_client_payload_destroyed);
- 		conn->incoming_payload = NULL;
- 	}
- 
-diff -up dovecot-2.4.2/src/lib-storage/index/index-mail.c.fixbuild2 dovecot-2.4.2/src/lib-storage/index/index-mail.c
--- dovecot-2.4.2/src/lib-storage/index/index-mail.c.fixbuild2	2025-11-30 13:48:46.658539149 +0100
-+++ dovecot-2.4.2/src/lib-storage/index/index-mail.c	2025-11-30 13:49:47.178158024 +0100
-@@ -1840,7 +1840,7 @@ static void index_mail_close_streams_ful
- 			   allowed to have references until the mail is closed
- 			   (but we can't really check that) */
- 			i_stream_remove_destroy_callback(data->stream,
-				index_mail_stream_destroy_callback);
-+				(istream_callback_t *)index_mail_stream_destroy_callback);
- 		}
- 		i_stream_unref(&data->stream);
- 		/* there must be no references to the mail when the
--- a/dovecot.spec
+++ b/dovecot.spec
@ -4,9 +4,9 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.4.2
-%global prever %{nil}
-Release: 1%{?dist}
+Version: 2.4.1
+%global prever -4
+Release: 8%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT AND LGPL-2.1-only

@ -47,7 +47,10 @@ Patch18: dovecot-2.3.15-valbasherr.patch

 # Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes
 Patch23: dovecot-2.4.1-nolibotp.patch
-Patch24: dovecot-2.4.2-fixbuild.patch
+Patch24: dovecot-2.4.1-gssapi.patch
+#from upstream, for <= 2.4.1, rhbz#2402122
+#https://github.com/dovecot/core/compare/a70ce7d3e2f983979e971414c5892c4e30197231%5E...34caed79b76a7b82a2a9c94cf35371bec6c2b826.patch
+Patch25: dovecot-2.4.1-cve-2025-30189.patch

 BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
 BuildRequires: libtool, autoconf, automake, pkgconfig
@ -153,7 +156,8 @@ mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole
 %patch -P 17 -p2 -b .fixvalcond
 %patch -P 18 -p1 -b .valbasherr
 %patch -P 23 -p2 -b .nolibotp
-%patch -P 24 -p1 -b .fixbuild
+%patch -P 24 -p1 -b .gssapi
+%patch -P 25 -p1 -b .cve-2025-30189
 cp run-test-valgrind.supp dovecot-pigeonhole/
 # valgrind would fail with shell wrapper
 echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude
@ -164,8 +168,6 @@ echo >src/auth/mech-otp-common.c
 echo >src/auth/mech-otp-common.h
 echo >src/auth/mech-otp.c
 echo >src/lib-auth/password-scheme-otp.c
-echo >src/lib-sasl/sasl-server-mech-otp.c
-echo >src/lib-sasl/dsasl-client-mech-otp.c
 pushd src/lib-otp
 for f in *.c *.h
 do
@ -358,8 +360,7 @@ fi
 # some aarch64 tests timeout, skip for now
 make check
 cd dovecot-pigeonhole
-# FIXME: make check will fail as it requires doveconf to be already installed at /usr/bin/doveconf
-make check ||:
+make check
 %endif

 %files
@ -403,7 +404,6 @@ make check ||:
 %{_libdir}/dovecot/auth/libauthdb_lua.so
 %endif
 %{_libdir}/dovecot/auth/libmech_gssapi.so
-%{_libdir}/dovecot/auth/libmech_gss_spnego.so
 %{_libdir}/dovecot/auth/libdriver_sqlite.so
 %{_libdir}/dovecot/dict/libdriver_sqlite.so
 %{_libdir}/dovecot/dict/libdict_ldap.so
@ -479,9 +479,6 @@ make check ||:
 %{_libdir}/%{name}/dict/libdriver_pgsql.so

 %changelog
-* Sun Nov 30 2025 Michal Hlavinka <mhlavink@redhat.com> - 1:2.4.2-1
- updated to 2.4.2 (#2411846)
-
 * Wed Nov 05 2025 Michal Hlavinka <mhlavink@redhat.com> - 1:2.4.1-8
 - update patch for CVE-2025-30189

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (dovecot-2.4.2.tar.gz) = 0524695341abe711d3a811c56156889d6fef7a09becc684c6f1dc1e5add605969ca8794eb7d44bfbc49f70515f22e8640b5828443addecfe4798fb8b174670ae
-SHA512 (dovecot-pigeonhole-2.4.2.tar.gz) = 82c46c7ac2792aa5c211c8b66309f9f21c05ecd2fa8ab3abf98fb4e05831fd37aaa3edffcfbe1b3defbb9ac8ef9df1c33ece83cf7524e8b226c4deab8c250134
+SHA512 (dovecot-2.4.1-4.tar.gz) = 4915e9282898a4bce4dc3c9781f9aa849e8a2d5bb89dffc2222b417560eaa0135d66342ef342098a86dd5e9b4e76d41145381b7264144411cf45a6f88ca36698
+SHA512 (dovecot-pigeonhole-2.4.1-4.tar.gz) = 47b9cc62b13d710123389c47d13c104e70b815d683dc6b957e86b57b2f175101d07f462d0fdb0488d6dcdcfbbc137c926825ba9a0d798551576aa7f3c9082100