# HG changeset patch # User Aki Tuomi # Date 1521451814 -7200 # Node ID 6bd0377538562b7d43cc480ec9c26bb52d09df3e # Parent cfadc7f529533899c6826ce99263fe237cc31441 NEWS: Update up to 2.2.34 diff -r cfadc7f52953 -r 6bd037753856 NEWS --- a/NEWS Wed Mar 07 11:24:30 2018 +0200 +++ b/NEWS Mon Mar 19 11:30:14 2018 +0200 
@@ -1,3 +1,732 @@ +v2.2.34 2018-02-28 Timo Sirainen + + * CVE-2017-15130: TLS SNI config lookups may lead to excessive + memory usage, causing imap-login/pop3-login VSZ limit to be reached + and the process restarted. This happens only if Dovecot config has + local_name { } or local { } configuration blocks and attacker uses + randomly generated SNI servernames. + * CVE-2017-14461: Parsing invalid email addresses may cause a crash or + leak memory contents to attacker. For example, these memory contents + might contain parts of an email from another user if the same imap + process is reused for multiple users. First discovered by Aleksandar + Nikolic of Cisco Talos. Independently also discovered by "flxflndy" + via HackerOne. + * CVE-2017-15132: Aborted SASL authentication leaks memory in login + process. + * Linux: Core dumping is no longer enabled by default via + PR_SET_DUMPABLE, because this may allow attackers to bypass + chroot/group restrictions. Found by cPanel Security Team. Nowadays + core dumps can be safely enabled by using "sysctl -w + fs.suid_dumpable=2". If the old behaviour is wanted, it can still be + enabled by setting: + import_environment=$import_environment PR_SET_DUMPABLE=1 + * doveconf output now includes the hostname. + + + mail_attachment_detection_options setting controls when + $HasAttachment and $HasNoAttachment keywords are set for mails. + + imap: Support fetching body snippets using FETCH (SNIPPET) or + (SNIPPET (LAZY=FUZZY)) + + fs-compress: Automatically detect whether input is compressed or not. + Prefix the compression algorithm with "maybe-" to enable the + detection, for example: "compress:maybe-gz:6:..." + + Added settings to change dovecot.index* files' optimization behavior. + See https://wiki2.dovecot.org/IndexFiles#Settings + + Auth cache can now utilize auth workers to do password hash + verification by setting auth_cache_verify_password_with_worker=yes. + + Added charset_alias plugin. 
See + https://wiki2.dovecot.org/Plugins/CharsetAlias + + imap_logout_format and pop3_logout_format settings now support all of + the generic variables (e.g. %{rip}, %{session}, etc.) + + Added auth_policy_check_before_auth, auth_policy_check_after_auth + and auth_policy_report_after_auth settings. + - v2.2.33: doveadm-server: Various fixes related to log handling. + - v2.2.33: doveadm failed when trying to access UNIX socket that didn't + require authentication. + - v2.2.33: doveadm log reopen stopped working + - v2.2.30+: IMAP stopped advertising SPECIAL-USE capability + - v2.2.30+: IMAP stopped sending untagged OK/NO storage notifications + - replication: dsync sends unnecessary replication notification for + changes it does internally. NOTE: Folder creates, renames, deletes + and subscribes still trigger unnecessary replication notifications, + but these should be rather rare. + - mail_always/never_cache_fields setting changes weren't applied for + existing dovecot.index.cache files. + - Fix compiling and other problems with OpenSSL v1.1 + - auth policy: With master user logins, lookup using login username. + - FTS reindexed all mails unnecessarily after loss of + dovecot.index.cache file + - mdbox rebuild repeatedly fails with "missing map extension" + - SSL connections may have been hanging with imapc or doveadm client. + - cassandra: Using protocol v3 (Cassandra v2.1) caused memory leaks and + also timestamps weren't set to queries. + - fs-crypt silently ignored public/private keys specified in + configuration (mail_crypt_global_public/private_key) and just + emitted plaintext output. 
+ - lock_method=dotlock caused crashes + - imapc: Reconnection may cause crashes and other errors + +v2.2.33.2 2017-10-20 Timo Sirainen + + - doveadm: Fix crash in proxying (or dsync replication) if remote is + running older than v2.2.33 + - auth: Fix memory leak in %{ldap_dn} + - dict-sql: Fix data types to work correctly with Cassandra + +v2.2.33.1 2017-10-10 Timo Sirainen + + - dovecot-lda was logging to stderr instead of to the log file. + +v2.2.33 2017-10-10 Timo Sirainen + + * doveadm director commands wait for the changes to be visible in the + whole ring before they return. This is especially useful in testing. + * Environments listed in import_environment setting are now set or + preserved when executing standalone commands (e.g. doveadm) + + + doveadm proxy: Support proxying logs. Previously the logs were + visible only in the backend's logs. + + Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals + + Added a new notify_status plugin, which can be used to update dict + with current status of a mailbox when it changes. See + https://wiki2.dovecot.org/Plugins/NotifyStatus + + Mailbox list index can be disabled for a namespace by appending + ":LISTINDEX=" to location setting. + + dsync/imapc: Added dsync_hashed_headers setting to specify which + headers are used to match emails. + + pop3-migration: Add pop3_migration_ignore_extra_uidls=yes to ignore + mails that are visible in POP3 but not IMAP. This could happen if + new mails were delivered during the migration run. + + pop3-migration: Further improvements to help with Zimbra + + pop3-migration: Cache POP3 UIDLs in imapc's dovecot.index.cache + if indexes are enabled. These are used to optimize incremental syncs. + + cassandra, dict-sql: Use prepared statements if protocol version>3. + + auth: Added %{ldap_dn} variable for passdb/userdb ldap + - acl: The "create" (k) permission in global acl-file was sometimes + ignored, allowing users to create mailboxes when they shouldn't have. 
+ - sdbox: Mails were always opened when expunging, unless + mail_attachment_fs was explicitly set to empty. + - lmtp/doveadm proxy: hostip passdb field was ignored, which caused + unnecessary DNS lookups if host field wasn't an IP + - lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO + - quota_clone: Update also when quota is unlimited (broken in v2.2.31) + - mbox, zlib: Fix assert-crash when accessing compressed mbox + - doveadm director kick -f parameter didn't work + - doveadm director flush resulted flushing all hosts, if + wasn't an IP address. + - director: Various fixes to handling backend/director changes at + abnormal times, especially while ring was unsynced. These could have + resulted in crashes, non-optimal behavior or ignoring some of the + changes. + - director: Use less CPU in imap-login processes when moving/kicking + many users. + - lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs + when lmtp_rcpt_check_quota=yes + - doveadm sync -1 fails when local mailboxes exist that do not exist + remotely. This commonly happened when lazy_expunge mailbox was + autocreated when incremental sync expunged mails. + - pop3: rawlog_dir setting didn't work + + +v2.2.32 2017-08-24 Timo Sirainen + + * imapc: Info-level line is logged every time when successfully + connected to the remote server. This includes local/remote IP/port, + which can be useful for matching against external logs. + * config: Log a warning if plugin { key=no } is used explicitly. + v2.3 will support "no" properly in plugin settings, but for now + any value at all for a boolean plugin setting is treated as "yes", + even if it's written as explicit "no". This change will now warn + that it most likely won't work as intended. + + + Various optimizations to avoid accessing files/directories when it's + not necessary. Especially avoid accessing mail root directories when + INDEX directories point to a different filesystem. 
+ + mail_location can now include ITERINDEX parameter. This tells Dovecot + to perform mailbox listing from the INDEX path instead of from the + mail root path. It's mainly useful when the INDEX storage is on a + faster storage. + + mail_location can now include VOLATILEDIR= parameter. This + is used for creating lock files and in future potentially other + files that don't need to exist permanently. The path could point to + tmpfs for example. This is especially useful to avoid creating lock + files to NFS or other remote filesystems. For example: + mail_location=sdbox:~/sdbox:VOLATILEDIR=/tmp/volatile/%2.256Nu/%u + + mail_location's LISTINDEX= can now contain a full path. + This allows storing mailbox list index to a different storage + than the rest of the indexes, for example to tmpfs. + + mail_location can now include NO-NOSELECT parameter. This + automatically deletes any \NoSelect mailboxes that have no children. + These mailboxes are sometimes confusing to users. + + mail_location can now include BROKENCHAR= parameter. This can + be useful with imapc to access mailbox names that aren't valid mUTF-7 + charset from remote servers. + + If mailbox_list_index_very_dirty_syncs=yes, the list index is no + longer refreshed against filesystem when listing mailboxes. This + allows the mailbox listing to be done entirely by only reading the + mailbox list index. + + Added mailbox_list_index_include_inbox setting to control whether + INBOX's STATUS information should be cached in the mailbox list + index. The default is "no", but it may be useful to change it to + "yes", especially if LISTINDEX points to tmpfs. + + userdb can return chdir=, which override mail_home for the + chdir location. This can be useful to avoid accessing home directory + on login. + + userdb can return postlogin= to specify per-user imap/pop3 + postlogin socket path. + + cassandra: Add support for result paging by adding page_size= + parameter to the connect setting. 
+ + dsync/imapc, pop3-migration plugin: Strip also trailing tabs from + headers when matching mails. This helps with migrations from Zimbra. + + imap_logout_format supports now %{appended} and %{autoexpunged} + + virtual plugin: Optimize IDLE to use mailbox list index for finding + out when something has changed. + + Added apparmor plugin. See https://wiki2.dovecot.org/Plugins/Apparmor + - virtual plugin: A lot of fixes. In many cases it was also working + very inefficiently or even incorrectly. + - imap: NOTIFY parameter parsing was incorrectly "fixed" in v2.2.31. + It was actually (mostly) working in previous versions, but broken + in v2.2.31. + - Modseq tracking didn't always work correctly. This could have caused + imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to + not work perfectly. + - mdbox: "Inconsistency in map index" wasn't fixed automatically + - dict-ldap: %variable values used in the LDAP filter weren't escaped. + - quota=count: quota_warning = -storage=.. was never executed (try #2). + v2.2.31 fixed it for -messages, but not for -storage. + - imapc: >= 32 kB mail bodies were supposed to be cached for subsequent + FETCHes, but weren't. + - quota-status service didn't support recipient_delimiter + - acl: Don't access dovecot-acl-list files with acl_globals_only=yes + - mail_location: If INDEX dir is set, mailbox deletion deletes its + childrens' indexes. For example if "box" is deleted, "box/child" + index directory was deleted as well (but mails were preserved). + - director: v2.2.31 caused rapid reconnection loops to directors + that were down. + +v2.2.31 2017-06-26 Timo Sirainen + + * LMTP: Removed "(Dovecot)" from added Received headers. Some + installations want to hide it, and there's not really any good reason + for anyone to have it. + + + Add ssl_alt_cert and ssl_alt_key settings to add support for + having both RSA and ECDSA certificates. 
+ + dsync/imapc, pop3-migration plugin: Strip trailing whitespace from + headers when matching mails. This helps with migrations from Zimbra. + + acl: Add acl_globals_only setting to disable looking up + per-mailbox dovecot-acl files. + + Parse invalid message addresses better. This mainly affects the + generated IMAP ENVELOPE replies. + - v2.2.30 wasn't fixing corrupted dovecot.index.cache files properly. + It could have deleted wrong mail's cache or assert-crashed. + - v2.2.30 mail-crypt-acl plugin was assert-crashing + - v2.2.30 welcome plugin wasn't working + - Various fixes to handling mailbox listing. Especially related to + handling nonexistent autocreated/autosubscribed mailboxes and ACLs. + - Global ACL file was parsed as if it was local ACL file. This caused + some of the ACL rule interactions to not work exactly as intended. + - auth: forward_* fields didn't work properly: Only the first forward + field was working, and only if the first passdb lookup succeeded. + - Using mail_sort_max_read_count sometimes caused "Broken sort-* + indexes, resetting" errors. + - Using mail_sort_max_read_count may have caused very high CPU usage. + - Message address parsing could have crashed on invalid input. + - imapc_features=fetch-headers wasn't always working correctly and + caused the full header to be fetched. + - imapc: Various bugfixes related to connection failure handling. + - quota=imapc sent unnecessary FETCH RFC822.SIZE to server when + expunging mails. + - quota=count: quota_warning = -storage=.. was never executed + - quota=count: Add support for "ns" parameter + - dsync: Fix incremental syncing for mails that don't have Date or + Message-ID headers. + - imap: Fix hang when client sends pipelined SEARCH + + EXPUNGE/CLOSE/LOGOUT. + - oauth2: Token validation didn't accept empty server responses. + - imap: NOTIFY command has been almost completely broken since the + beginning. I guess nobody has been trying to use it. 
+ + +v2.2.30.2 2017-06-06 Timo Sirainen + + - auth: Multiple failed authentications within short time caused + crashes + - push-notification: OX driver crashed at deinit + +v2.2.30.1 2017-05-31 Timo Sirainen + + - quota_warning scripts weren't working in v2.2.30 + - vpopmail still wasn't compiling + +v2.2.30 2017-05-30 Timo Sirainen + + * auth: Use timing safe comparisons for everything related to + passwords. It's unlikely that these could have been used for + practical attacks, especially because Dovecot delays and flushes all + failed authentications in 2 second intervals. Also it could have + worked only when passwords were stored in plaintext in the passdb. + * master process sends SIGQUIT to all running children at shutdown, + which instructs them to close all the socket listeners immediately. + This way restarting Dovecot should no longer fail due to some + processes keeping the listeners open for a long time. + + + auth: Add passdb { mechanisms=none } to match separate passdb lookup + + auth: Add passdb { username_filter } to use passdb only if user + matches the filter. See https://wiki2.dovecot.org/PasswordDatabase + + dsync: Add dsync_commit_msgs_interval setting. It attempts to commit + the transaction after saving this many new messages. Because of the + way dsync works, it may not always be possible if mails are copied + or UIDs need to change. + + imapc: Support imapc_features=search without ESEARCH extension. + + imapc: Add imapc_features=fetch-bodystructure to pass through remote + server's FETCH BODY and BODYSTRUCTURE. + + imapc: Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on the + remote server. + + passdb imap: Add allow_invalid_cert and ssl_ca_file parameters. + + If dovecot.index.cache corruption is detected, reset only the one + corrupted mail instead of the whole file. + + doveadm mailbox status: Add "firstsaved" field. 
+ + director_flush_socket: Add old host's up/down and vhost count as parameters + - More fixes to automatically fix corruption in dovecot.list.index + - dsync-server: Fix support for dsync_features=empty-header-workaround + - imapc: Various bugfixes, including infinite loops on some errors + - IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't + enabled modseq tracking via CONDSTORE/QRESYNC. + - fts-lucene: Fix it to work again with mbox format + - Some internal error messages may have contained garbage in v2.2.29 + - mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys + are used. Otherwise the copied mails can't be opened. + - vpopmail: Fix compiling + +v2.2.29.1 2017-04-12 Timo Sirainen + + - imapc reconnection fix was forgotten from 2.2.29 release, which also + made "make check" fail in a unit test + - dict-sql: Merging multiple UPDATEs to a single statement wasn't + actually working. + - Fixed building with vpopmail + +v2.2.29 2017-04-10 Timo Sirainen + + * passdb/userdb dict: Don't double-expand %variables in keys. If dict + was used as the authentication passdb, using specially crafted + %variables in the username could be used to cause DoS (CVE-2017-2669) + * When Dovecot encounters an internal error, it logs the real error and + usually logs another line saying what function failed. Previously the + second log line's error message was a rather uninformative "Internal + error occurred. Refer to server log for more information." Now the + real error message is duplicated in this second log line. + * lmtp: If a delivery has multiple recipients, run autoexpunging only + for the last recipient. This avoids a problem where a long + autoexpunge run causes LMTP client to timeout between the DATA + replies, resulting in duplicate mail deliveries. + * config: Don't stop the process due to idling. Otherwise the + configuration is reloaded when the process restarts. 
+ * mail_log plugin: Differentiate autoexpunges from regular expunges + * imapc: Use LOGOUT to cleanly disconnect from server. + * lib-http: Internal status codes (>9000) are no longer visible in logs + * director: Log vhost count changes and HOST-UP/DOWN + + + quota: Add plugin { quota_max_mail_size } setting to limit the + maximum individual mail size that can be saved. + + imapc: Add imapc_features=delay-login. If set, connecting to the + remote IMAP server isn't done until it's necessary. + + imapc: Add imapc_connection_retry_count and + imapc_connection_retry_interval settings. + + imap, pop3, indexer-worker: Add (deinit) to process title before + autoexpunging runs. + + Added %{encrypt} and %{decrypt} variables + + imap/pop3 proxy: Log proxy state in errors as human-readable string. + + imap/pop3-login: All forward_* extra fields returned by passdb are + sent to the next hop when proxying using ID/XCLIENT commands. On the + receiving side these fields are imported and sent to auth process + where they're accessible via %{passdb:forward_*}. This is done only + if the sending IP address matches login_trusted_networks. + + imap-login: If imap_id_retain=yes, send the IMAP ID string to + auth process. %{client_id} expands to it in auth process. The ID + string is also sent to the next hop when proxying. + + passdb imap: Use ssl_client_ca_* settings for CA validation. + - fts-tika: Fixed crash when parsing attachment without + Content-Disposition header. Broken by 2.2.28. + - trash plugin was broken in 2.2.28 + - auth: When passdb/userdb lookups were done via auth-workers, too much + data was added to auth cache. This could have resulted in wrong + replies when using multiple passdbs/userdbs. + - auth: passdb { skip & mechanisms } were ignored for the first passdb + - oauth2: Various fixes, including fixes to crashes + - dsync: Large Sieve scripts (or other large metadata) weren't always + synced. + - Index rebuild (e.g. 
doveadm force-resync) set all mails as \Recent + - imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix + - doveadm: Exit codes weren't preserved when proxying commands via + doveadm-server. Almost all errors used exit code 75 (tempfail). + - ACLs weren't applied to not-yet-existing autocreated mailboxes. + - Fixed a potential crash when parsing a broken message header. + - cassandra: Fallback consistency settings weren't working correctly. + - doveadm director status : "Initial config" was always empty + - imapc: Various reconnection fixes. + +v2.2.28 2017-02-24 Timo Sirainen + + * director: "doveadm director move" to same host now refreshes user's + timeout. This allows keeping user constantly in the same backend by + just periodically moving the user there. + * When new mailbox is created, use initially INBOX's + dovecot.index.cache caching decisions. + * Expunging mails writes GUID to dovecot.index.log now only if the + GUID is quickly available from index/cache. + * pop3c: Increase timeout for PASS command to 5 minutes. + * Mail access errors are no longer ignored when searching or sorting. + With IMAP the untagged SEARCH/SORT reply is still sent the same as + before, but NO reply is returned instead of OK. + + + Make dovecot.list.index's filename configurable. This is needed when + there are multiple namespaces pointing to the same mail root + (e.g. lazy_expunge namespace for mdbox). + + Add size.virtual to dovecot.index when folder vsizes are accessed + (e.g. quota=count). This is mainly a workaround to avoid slow quota + recalculation performance when message sizes get lost from + dovecot.index.cache due to corruption or some other reason. + + auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them + in lib-dsasl for client side. + + auth: Support filtering by SASL mechanism: passdb { mechanisms } + + Shrink the mail processes' memory usage by not storing settings + duplicated unnecessarily many times. 
+ + imap: Add imap_fetch_failure setting to control what happens when + FETCH fails for some mails (see example-config). + + imap: Include info about last command in disconnection log line. + + imap: Created new SEARCH=X-MIMEPART extension. It's currently not + advertised by default, since it's not fully implemented. + + fts-solr: Add support for basic authentication. + + Cassandra: Support automatically retrying failed queries if + execution_retry_interval and execution_retry_times are set. + + doveadm: Added "mailbox path" command. + + mail_log plugin: If plugin { mail_log_cached_only=yes }, log the + wanted fields only if it doesn't require opening the email. + + mail_vsize_bg_after_count setting added (see example-config). + + mail_sort_max_read_count setting added (see example-config). + + pop3c: Added pop3c_features=no-pipelining setting to prevent using + PIPELINING extension even though it's advertised. + + - Index files: day_first_uid wasn't updated correctly since v2.2.26. + This caused dovecot.index.cache to be non-optimal. + - imap: SEARCH/SORT may have assert-crashed in + client_check_command_hangs + - imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes. + - imap: Running time in tagged command reply was often wrongly 0. + - search: Using NOT n:* or NOT UID n:* wasn't handled correctly + - director: doveadm director kick was broken + - director: Fix crash when using director_flush_socket + - director: Fix some bugs when moving users between backends + - imapc: Various error handling fixes and improvements + - master: doveadm process status output had a lot of duplicates. + - autoexpunge: If mailbox's rename timestamp is newer than mail's + save-timestamp, use it instead. This is useful when autoexpunging + e.g. Trash/* and an entire mailbox is deleted by renaming it under + Trash to prevent it from being autoexpunged too early. + - autoexpunge: Multiple processes may have been trying to expunge the + same mails simultaneously. 
This was problematic especially with + lazy_expunge plugin. + - auth: %{passdb:*} was empty in auth-worker processes + - auth-policy: hashed_password was always sent empty. + - dict-sql: Merge multiple UPDATEs to a single statement if possible. + - fts-solr: Escape {} chars when sending queries + - fts: fts_autoindex_exclude = \Special-use caused crashes + - doveadm-server: Fix leaks and other problems when process is reused + for multiple requests (service_count != 1) + - sdbox: Fix assert-crash on mailbox create race + - lda/lmtp: deliver_log_format values weren't entirely correct if Sieve + was used. especially %{storage_id} was broken. + - lmtp_user_concurrency_limit didn't work if userdb changed username + +v2.2.27 2016-12-03 Timo Sirainen + + * dovecot.list.index.log rotation sizes/times were changed so that + the .log file stays smaller and .log.2 is deleted sooner. + + + Added mail_crypt plugin that allows encryption of stored emails. + See http://wiki2.dovecot.org/Plugins/MailCrypt + + stats: Global stats can be sent to Carbon server by setting + stats_carbon_server=ip:port + + imap/pop3 proxy: If passdb returns proxy_not_trusted, don't send + ID/XCLIENT + + Added generic hash modifier for %variables: + %{;rounds=,truncate=,salt=s>:field} + Hash algorithm is any of the supported ones, e.g. md5, sha1, sha256. + Also "pkcs5" is supported using SHA256. For example: %{sha256:user} + or %{md5;truncate=32:user}. + + Added support for SHA3-256 and SHA3-512 hashes. + + config: Support DNS wildcards in local_name, e.g. + local_name *.example.com { .. } matches anything.example.com, but + not multiple.anything.example.com. + + config: Support multiple names in local_name, e.g. + local_name "1.example.com 2.example.com" { .. } + - Fixed crash in auth process when auth-policy was configured and + authentication was aborted/failed without a username set. 
+ - director: If two users had different tags but the same hash, + the users may have been redirected to the wrong tag's hosts. + - Index files may have been thought incorrectly lost, causing + "Missing middle file seq=.." to be logged and index rebuild. + This happened more easily with IMAP hibernation enabled. + - Various fixes to restoring state correctly in un-hibernation. + - dovecot.index files were commonly 4 bytes per email too large. This + is because 3 bytes per email were being wasted that could have been + used for IMAP keywords. + - Various fixes to handle dovecot.list.index corruption better. + - lib-fts: Fixed assert-crash in address tokenizer with specific input. + - Fixed assert-crash in HTML to text parsing with specific input + (e.g. for FTS indexing or snippet generation) + - doveadm sync -1: Fixed handling mailbox GUID conflicts. + - sdbox, mdbox: Perform full index rebuild if corruption is detected + inside lib-index, which runs index fsck. + - quota: Don't skip quota checks when moving mails between different + quota roots. + - search: Multiple sequence sets or UID sets in search parameters + weren't handled correctly. They were incorrectly merged together. + +v2.2.26.0 2016-10-28 Timo Sirainen + + - Fixed some compiling issues. + - auth: Fixed assert-crash when using NTLM or SKEY mechanisms and + multiple passdbs. + - auth: Fixed crash when exporting to auth-worker passdb extra fields + that had empty values. + - dsync: Fixed assert-crash in dsync_brain_sync_mailbox_deinit + +v2.2.26 2016-10-27 Timo Sirainen + + * master: Removed hardcoded 511 backlog limit for listen(). The kernel + should limit this as needed. + * doveadm import: Source user is now initialized the same as target + user. Added -U parameter to override the source user. + * Mailbox names are no longer limited to 16 hierarchy levels. We'll + check another way to make sure mailbox names can't grow larger than + 4096 bytes. 
+ + + Added a concept of "alternative usernames" by returning user_* extra + field(s) in passdb. doveadm proxy list shows these alt usernames in + "doveadm proxy list" output. "doveadm director&proxy kick" adds + -f parameter. The alt usernames don't have to be + unique, so this allows creation of user groups and kicking them in + one command. + + auth: passdb/userdb dict allows now %variables in key settings. + + auth: If passdb returns noauthenticate=yes extra field, assume that + it only set extra fields and authentication wasn't actually performed. + + auth: passdb static now supports password={scheme} prefix. + + auth, login_log_format_elements: Added %{local_name} variable, which + expands to TLS SNI hostname if given. + + imapc: Added imapc_max_line_length to limit maximum memory usage. + + imap, pop3: Added rawlog_dir setting to store IMAP/POP3 traffic logs. + This replaces at least partially the rawlog plugin. + + dsync: Added dsync_features=empty-header-workaround setting. This + makes incremental dsyncs work better for servers that randomly return + empty headers for mails. When an empty header is seen for an existing + mail, dsync assumes that it matches the local mail. + + doveadm sync/backup: Added -I parameter to skip too + large mails. + + doveadm sync/backup: Fixed -t parameter and added -e for "end date". + + doveadm mailbox metadata: Added -s parameter to allow accessing + server metadata by using empty mailbox name. + + Added "doveadm service status" and "doveadm process status" commands. + + director: Added director_flush_socket. See + http://wiki2.dovecot.org/Director#Flush_socket + + doveadm director flush: Users are now moved only max 100 at a time to + avoid load spikes. --max-parallel parameter overrides this. + + Added FILE_LOCK_SLOW_WARNING_MSECS environment, which logs a warning + if any lock is waited on or kept for this many milliseconds. + + - master process's listener socket was leaked to all child processes. 
+ This might have allowed untrusted processes to capture and prevent + "doveadm service stop" comands from working. + - login proxy: Fixed crash when outgoing SSL connections were hanging. + - auth: userdb fields weren't passed to auth-workers, so %{userdb:*} + from previous userdbs didn't work there. + - auth: Each userdb lookup from cache reset its TTL. + - auth: Fixed auth_bind=yes + sasl_bind=yes to work together + - auth: Blocking userdb lookups reset extra fields set by previous + userdbs. + - auth: Cache keys didn't include %{passdb:*} and %{userdb:*} + - auth-policy: Fixed crash due to using already-freed memory if policy + lookup takes longer than auth request exists. + - lib-auth: Unescape passdb/userdb extra fields. Mainly affected + returning extra fields with LFs or TABs. + - lmtp_user_concurrency_limit>0 setting was logging unnecessary + anvil errors. + - lmtp_user_concurrency_limit is now checked before quota check with + lmtp_rcpt_check_quota=yes to avoid unnecessary quota work. + - lmtp: %{userdb:*} variables didn't work in mail_log_prefix + - autoexpunge settings for mailboxes with wildcards didn't work when + namespace prefix was non-empty. + - Fixed writing >2GB to iostream-temp files (used by fs-compress, + fs-metawrap, doveadm-http) + - director: Ignore duplicates in director_servers setting. + - director: Many fixes related to connection handshaking, user moving + and error handling. + - director: Don't break with shutdown_clients=no + - zlib, IMAP BINARY: Fixed internal caching when accessing multiple + newly created mails. They all had UID=0 and the next mail could have + wrongly used the previously cached mail. + - doveadm stats reset wasn't reseting all the stats. + - auth_stats=yes: Don't update num_logins, since it doubles them when + using with mail stats. + - quota count: Fixed deadlocks when updating vsize header. + - dict-quota: Fixed crashes happening due to memory corruption. + - dict proxy: Fixed various timeout-related bugs. 
+ - doveadm proxying: Fixed -A and -u wildcard handling. + - doveadm proxying: Fixed hangs and bugs related to printing. + - imap: Fixed wrongly triggering assert-crash in + client_check_command_hangs. + - imap proxy: Don't send ID command pipelined with nopipelining=yes + - imap-hibernate: Don't execute quota_over_script or last_login after + un-hibernation. + - imap-hibernate: Don't un-hibernate if client sends DONE+IDLE in one + IP packet. + - imap-hibernate: Fixed various failures when un-hibernating. + - fts: fts_autoindex=yes was broken in 2.2.25 unless + fts_autoindex_exclude settings existed. + - fts-solr: Fixed searching multiple mailboxes (patch by x16a0) + - doveadm fetch body.snippet wasn't working in 2.2.25. Also fixed a + crash with certain emails. + - pop3-migration + dbox: Various fixes related to POP3 UIDL + optimization in 2.2.25. + - pop3-migration: Fixed "truncated email header" workaround. + +v2.2.25 2016-07-01 Timo Sirainen + + * lmtp: Start tracking lmtp_user_concurrency_limit and reject already + at RCPT TO stage. This avoids MTA unnecessarily completing DATA only + to get an error. + * doveadm: Previously only mail settings were read from protocol + doveadm { .. } section. Now all settings are. + + + quota: Added quota_over_flag_lazy_check setting. It avoids checking + quota_over_flag always at startup. Instead it's checked only when + quota is being read for some other purpose. + + auth: Added a new auth policy service: + http://wiki2.dovecot.org/Authentication/Policy + + auth: Added PBKDF2 password scheme + + auth: Added %{auth_user}, %{auth_username} and %{auth_domain} + + auth: Added ":remove" suffix to extra field names to remove them. + + auth: Added "delay_until=[+]" passdb + extra field. The auth will wait until and optionally some + randomness and then return success. + + dict proxy: Added idle_msecs= parameter. Support async operations. + + Performance improvements for handling large mailboxes. 
+ + Added lib-dcrypt API for providing cryptographic functions. + + Added "doveadm mailbox update" command + + imap commands' output now includes timing spent on the "syncing" + stage if it's larger than 0. + + cassandra: Added metrics= to connect setting to output internal + statistics in JSON format every second to . + + doveadm mailbox delete: Added -e parameter to delete only empty + mailboxes. Added --unsafe option to quickly delete a mailbox, + bypassing lazy_expunge and quota plugins. + + doveadm user & auth cache flush are now available via doveadm-server. + + doveadm service stop will stop specified services while + leaving the rest of Dovecot running. + + quota optimization: Avoid reading mail sizes for backends which + don't need them (count, fs, dirsize) + + Added mailbox { autoexpunge_max_mails= } setting. + + Added welcome plugin: http://wiki2.dovecot.org/Plugins/Welcome + + fts: Added fts_autoindex_exclude setting. + - v2.2.24's MIME parser was assert-crashing on mails having truncated + MIME headers. + - auth: With multiple userdbs the final success/failure result wasn't + always correct. The last userdb's result was always used. + - doveadm backup was sometimes deleting entire mailboxes unnecessarily. + - doveadm: Command -parameters weren't being sent to doveadm-server. + - If dovecot.index read failed e.g. because mmap() reached VSZ limit, + an empty index could have been opened instead, corrupting the + mailbox state. + - imapc: Fixed EXPUNGE handling when imapc_features didn't have modseq. + - lazy-expunge: Fixed a crash when copying failed. Various other fixes. + - fts-lucene: Fixed crash on index rescan. + - auth_stats=yes produced broken output + - dict-ldap: Various fixes + - dict-sql: NULL values crashed. Now they're treated as "not found". + +v2.2.24 2016-04-26 Timo Sirainen + + * doveconf now warns if it sees a global setting being changed when + the same setting was already set inside some filters. 
(A common + mistake has been adding more plugins to a global mail_plugins + setting after it was already set inside protocol { .. }, which + caused the global setting to be ignored for that protocol.) + * LMTP proxy: Increased default timeout 30s -> 125s. This makes it + less likely to reach the timeout and cause duplicate deliveries. + * LMTP and indexer now append ":suffix" to session IDs to make it + unique for the specific user's delivery. (Fixes duplicate session + ID warnings in stats process.) + + + Added dict-ldap for performing read-only LDAP dict lookups. + + lazy-expunge: All mails can be saved to a single specified mailbox. + + mailbox { autoexpunge } supports now wildcards in mailbox names. + + doveadm HTTP API: Added support for proxy commands + + imapc: Reconnect when getting disconnected in non-selected state. + + imapc: Added imapc_features=modseq to access MODSEQs/HIGHESTMODSEQ. + This is especially useful for incremental dsync. + + doveadm auth/user: Auth lookup performs debug logging if + -o auth_debug=yes is given to doveadm. + + Added passdb/userdb { auth_verbose=yes|no } setting. + + Cassandra: Added user, password, num_threads, connect_timeout and + request_timeout settings. + + doveadm user -e : Print with %variables expanded. + - Huge header lines could have caused Dovecot to use too much memory + (depending on config and used IMAP commands). (Typically this would + result in only the single user's process dying with out of memory + due to reaching service { vsz_limit } - not a global DoS). + - dsync: Detect and handle invalid/stale -s state string better. + - dsync: Fixed crash caused by specific mailbox renames + - auth: Auth cache is now disabled passwd-file. It was unnecessary and + it broke %variables in extra fields. 
+ - fts-tika: Don't crash if it returns 500 error + - dict-redis: Fixed timeout handling + - SEARCH INTHREAD was crashing + - stats: Only a single fifo_listeners was supported, making it + impossible to use both auth_stats=yes and mail stats plugin. + - SSL errors were logged in separate "Stacked error" log lines + instead of as part of the disconnection reason. + - MIME body parser didn't handle properly when a child MIME part's + --boundary had the same prefix as the parent. + +v2.2.23 2016-03-30 Timo Sirainen + + - Various fixes to doveadm. Especially running commands via + doveadm-server was broken. + - director: Fixed user weakness getting stuck in some situations + - director: Fixed a situation where directors keep re-sending + different states to each others and never becoming synced. + - director: Fixed assert-crash related to a slow "user killed" reply + - Fixed assert-crash related to istream-concat, which could have + been triggered at least by a Sieve script. + +v2.2.22 2016-03-16 Timo Sirainen + + + Added doveadm HTTP API: See + http://wiki2.dovecot.org/Design/DoveadmProtocol/HTTP + + virtual plugin: Mailbox filtering can now be done based on the + mailbox metadata. See http://wiki2.dovecot.org/Plugins/Virtual + + stats: Added doveadm stats reset to reset global stats. + + stats: Added authentication statistics if auth_stats=yes. + + dsync, imapc, pop3c & pop3-migration: Many optimizations, + improvements and error handling fixes. + + doveadm: Most commands now stop soon after SIGINT/SIGTERM. + - auth: Auth caching was done too aggressively when %variables were + used in default_fields, override_fields or LDAP pass/user_attrs. + userdb result_* were also ignored when user was found from cache. + - imap: Fixed various assert-crashes caused v2.2.20+. Some of them + caught actual hangs or otherwise unwanted behavior towards IMAP + clients. + - Expunges were forgotten in some situations, for example when + pipelining multiple IMAP MOVE commands. 
+ - quota: Per-namespaces quota were broken for dict and count backends + in v2.2.20+ + - fts-solr: Search queries were using OR instead of AND as the + separator for multi-token search queries in v2.2.20+. + - Single instance storage support wasn't really working in v2.2.16+ + - dbox: POP3 message ordering wasn't working correctly. + - virtual plugin: Fixed crashes related to backend mailbox deletions. + v2.2.21 2015-12-11 Timo Sirainen - doveadm mailbox list (and some others) were broken in v2.2.20
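Review bot: Two spelling errors in the new entries should be fixed before this lands: `"doveadm service stop" comands` (v2.2.26 fixes, near the top of the hunk) should read `commands`, and `doveadm stats reset wasn't reseting all the stats` should read `resetting`. Several added lines also end in a dangling value, e.g. `cassandra: Added metrics= to connect setting to output internal statistics in JSON format every second to .`, `delay_until=[+]`, `doveadm user -e :` and `autoexpunge_max_mails= }`; these look like placeholders such as a path or timestamp that were dropped, so please restore them or spell them out in words so the NEWS text stands on its own. Finally, the v2.2.24 entry about huge header lines is the one operationally relevant note for admins (per-process memory exhaustion bounded by `service { vsz_limit }` rather than a global DoS); consider stating which versions were affected, as the neighbouring entries do with `in v2.2.20+`, so readers can tell whether they need to upgrade.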