diff --git a/dovecot-2.3.20-nolibotp.patch b/dovecot-2.3.20-nolibotp.patch
new file mode 100644
index 0000000..4ec0b78
--- /dev/null
+++ b/dovecot-2.3.20-nolibotp.patch
@@ -0,0 +1,295 @@ +diff -up dovecot-2.3.20/configure.ac.nolibotp dovecot-2.3.20/configure.ac +--- dovecot-2.3.20/configure.ac.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/configure.ac 2023-02-14 16:54:02.118531016 +0100 +@@ -854,7 +854,6 @@ src/lib-lua/Makefile + src/lib-mail/Makefile + src/lib-master/Makefile + src/lib-program-client/Makefile +-src/lib-otp/Makefile + src/lib-dovecot/Makefile + src/lib-sasl/Makefile + src/lib-settings/Makefile +diff -up dovecot-2.3.20/src/auth/main.c.nolibotp dovecot-2.3.20/src/auth/main.c +--- dovecot-2.3.20/src/auth/main.c.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/auth/main.c 2023-02-14 16:54:02.118531016 +0100 +@@ -19,8 +19,6 @@ + #include "password-scheme.h" + #include "passdb-cache.h" + #include "mech.h" +-#include "otp.h" +-#include "mech-otp-common.h" + #include "auth.h" + #include "auth-penalty.h" + #include "auth-token.h" +@@ -283,7 +281,6 @@ static void main_deinit(void) + + auth_policy_deinit(); + mech_register_deinit(&mech_reg); +- mech_otp_deinit(); + mech_deinit(global_auth_settings); + + /* allow modules to unregister their dbs/drivers/etc. 
before freeing +diff -up dovecot-2.3.20/src/auth/Makefile.am.nolibotp dovecot-2.3.20/src/auth/Makefile.am +--- dovecot-2.3.20/src/auth/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/auth/Makefile.am 2023-02-14 16:54:02.118531016 +0100 +@@ -45,7 +45,6 @@ AM_CPPFLAGS = \ + -I$(top_srcdir)/src/lib-sql \ + -I$(top_srcdir)/src/lib-settings \ + -I$(top_srcdir)/src/lib-old-stats \ +- -I$(top_srcdir)/src/lib-otp \ + -I$(top_srcdir)/src/lib-master \ + -I$(top_srcdir)/src/lib-oauth2 \ + -I$(top_srcdir)/src/lib-ssl-iostream \ +@@ -67,7 +66,6 @@ libpassword_la_SOURCES = \ + password-scheme-crypt.c \ + password-scheme-md5crypt.c \ + password-scheme-scram.c \ +- password-scheme-otp.c \ + password-scheme-pbkdf2.c \ + password-scheme-sodium.c + libpassword_la_CFLAGS = $(AM_CPPFLAGS) $(LIBSODIUM_CFLAGS) +@@ -76,7 +74,6 @@ auth_libs = \ + libauth.la \ + libstats_auth.la \ + libpassword.la \ +- ../lib-otp/libotp.la \ + $(AUTH_LUA_LIBS) \ + $(LIBDOVECOT_SQL) + +@@ -95,7 +92,6 @@ libauth_la_SOURCES = \ + auth-client-connection.c \ + auth-master-connection.c \ + auth-policy.c \ +- mech-otp-common.c \ + mech-plain-common.c \ + auth-penalty.c \ + auth-request.c \ +@@ -122,7 +118,6 @@ libauth_la_SOURCES = \ + mech-digest-md5.c \ + mech-external.c \ + mech-gssapi.c \ +- mech-otp.c \ + mech-scram.c \ + mech-apop.c \ + mech-winbind.c \ +@@ -161,7 +156,6 @@ headers = \ + auth-client-connection.h \ + auth-common.h \ + auth-master-connection.h \ +- mech-otp-common.h \ + mech-plain-common.h \ + mech-digest-md5-private.h \ + mech-scram.h \ +@@ -260,7 +254,6 @@ test_libs = \ + test_libpassword_SOURCES = test-libpassword.c + test_libpassword_LDADD = \ + libpassword.la \ +- ../lib-otp/libotp.la \ + $(CRYPT_LIBS) \ + $(LIBDOVECOT_SQL) \ + $(LIBSODIUM_LIBS) \ +diff -up dovecot-2.3.20/src/auth/mech.c.nolibotp dovecot-2.3.20/src/auth/mech.c +--- dovecot-2.3.20/src/auth/mech.c.nolibotp 2023-02-14 16:55:38.421231797 +0100 ++++ dovecot-2.3.20/src/auth/mech.c 2023-02-14 
16:55:38.434231892 +0100 +@@ -71,7 +71,6 @@ extern const struct mech_module mech_apo + extern const struct mech_module mech_cram_md5; + extern const struct mech_module mech_digest_md5; + extern const struct mech_module mech_external; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha256; + extern const struct mech_module mech_anonymous; +@@ -206,7 +205,6 @@ void mech_init(const struct auth_setting + mech_register_module(&mech_gssapi_spnego); + #endif + } +- mech_register_module(&mech_otp); + mech_register_module(&mech_scram_sha1); + mech_register_module(&mech_scram_sha256); + mech_register_module(&mech_anonymous); +@@ -233,7 +231,6 @@ void mech_deinit(const struct auth_setti + mech_unregister_module(&mech_gssapi_spnego); + #endif + } +- mech_unregister_module(&mech_otp); + mech_unregister_module(&mech_scram_sha1); + mech_unregister_module(&mech_scram_sha256); + mech_unregister_module(&mech_anonymous); +diff -up dovecot-2.3.20/src/auth/password-scheme.c.nolibotp dovecot-2.3.20/src/auth/password-scheme.c +--- dovecot-2.3.20/src/auth/password-scheme.c.nolibotp 2023-02-14 16:54:02.109530950 +0100 ++++ dovecot-2.3.20/src/auth/password-scheme.c 2023-02-14 16:54:02.119531023 +0100 +@@ -13,7 +13,6 @@ + #include "randgen.h" + #include "sha1.h" + #include "sha2.h" +-#include "otp.h" + #include "str.h" + #include "password-scheme.h" + +@@ -709,32 +708,6 @@ plain_md5_generate(const char *plaintext + *size_r = MD5_RESULTLEN; + } + +-static int otp_verify(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char *raw_password, size_t size, +- const char **error_r) +-{ +- const char *password, *generated; +- +- password = t_strndup(raw_password, size); +- if (password_generate_otp(plaintext, password, UINT_MAX, &generated) < 0) { +- *error_r = "Invalid OTP data in passdb"; +- return -1; +- } +- +- return strcasecmp(password, generated) == 0 ? 
1 : 0; +-} +- +-static void +-otp_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char **raw_password_r, size_t *size_r) +-{ +- const char *password; +- +- if (password_generate_otp(plaintext, NULL, OTP_HASH_SHA1, &password) < 0) +- i_unreached(); +- *raw_password_r = (const unsigned char *)password; +- *size_r = strlen(password); +-} + + static const struct password_scheme builtin_schemes[] = { + { "MD5", PW_ENCODING_NONE, 0, md5_verify, md5_crypt_generate }, +@@ -770,7 +743,6 @@ static const struct password_scheme buil + NULL, plain_md5_generate }, + { "LDAP-MD5", PW_ENCODING_BASE64, MD5_RESULTLEN, + NULL, plain_md5_generate }, +- { "OTP", PW_ENCODING_NONE, 0, otp_verify, otp_generate }, + { "PBKDF2", PW_ENCODING_NONE, 0, pbkdf2_verify, pbkdf2_generate }, + }; + +diff -up dovecot-2.3.20/src/auth/password-scheme.h.nolibotp dovecot-2.3.20/src/auth/password-scheme.h +--- dovecot-2.3.20/src/auth/password-scheme.h.nolibotp 2023-02-14 16:56:50.929759540 +0100 ++++ dovecot-2.3.20/src/auth/password-scheme.h 2023-02-14 16:56:50.947759671 +0100 +@@ -92,9 +92,6 @@ void password_set_encryption_rounds(unsi + /* INTERNAL: */ + const char *password_generate_salt(size_t len); + const char *password_generate_md5_crypt(const char *pw, const char *salt); +-int password_generate_otp(const char *pw, const char *state_data, +- unsigned int algo, const char **result_r) +- ATTR_NULL(2); + + int crypt_verify(const char *plaintext, + const struct password_generate_params *params, +diff -up dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp dovecot-2.3.20/src/auth/test-libpassword.c +--- dovecot-2.3.20/src/auth/test-libpassword.c.nolibotp 2023-02-14 16:54:55.880922175 +0100 ++++ dovecot-2.3.20/src/auth/test-libpassword.c 2023-02-14 16:54:55.896922291 +0100 +@@ -106,7 +106,6 @@ static void test_password_schemes(void) + test_password_scheme("SHA512", 
"{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test"); + test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test"); + test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test"); +- test_password_scheme("OTP", "{OTP}sha1 1024 ae6b49aa481f7233 f69fc7f98b8fbf54", "test"); + test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test"); + test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test"); + test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test"); +diff -up dovecot-2.3.20/src/auth/test-mech.c.nolibotp dovecot-2.3.20/src/auth/test-mech.c +--- dovecot-2.3.20/src/auth/test-mech.c.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/auth/test-mech.c 2023-02-14 16:54:02.119531023 +0100 +@@ -8,8 +8,6 @@ + #include "auth-request-handler-private.h" + #include "auth-settings.h" + #include "mech-digest-md5-private.h" +-#include "otp.h" +-#include "mech-otp-common.h" + #include "settings-parser.h" + #include "password-scheme.h" + #include "auth-token.h" +@@ -27,7 +25,6 @@ extern const struct mech_module mech_dov + extern const struct mech_module mech_external; + extern const struct mech_module mech_login; + extern const struct mech_module mech_oauthbearer; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_plain; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha256; +@@ -65,10 +62,7 @@ request_handler_reply_mock_callback(stru + + if (request->passdb_result == PASSDB_RESULT_OK) + request->failed = FALSE; +- else if (request->mech == &mech_otp) { +- if (null_strcmp(request->fields.user, "otp_phase_2") == 0) +- request->failed = FALSE; +- } else if (request->mech == &mech_oauthbearer) { ++ else if (request->mech == 
&mech_oauthbearer) { + } + }; + +@@ -224,10 +218,6 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, +@@ -242,8 +232,6 @@ static void test_mechs(void) + {&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +@@ -255,7 +243,6 @@ static void test_mechs(void) + {&mech_apop, 
UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE}, + {&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE}, + +@@ -297,9 +284,7 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE}, + /* phase 2 */ +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE}, +@@ -387,7 +372,6 @@ static void test_mechs(void) + + test_end(); + } T_END; +- mech_otp_deinit(); + auths_deinit(); + auth_token_deinit(); + password_schemes_deinit(); +diff -up dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp dovecot-2.3.20/src/doveadm/Makefile.am +--- dovecot-2.3.20/src/doveadm/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/doveadm/Makefile.am 2023-02-14 16:54:02.119531023 +0100 +@@ -36,8 +36,7 @@ AM_CPPFLAGS = \ + $(BINARY_CFLAGS) + + cmd_pw_libs = \ +- ../auth/libpassword.la \ +- ../lib-otp/libotp.la ++ 
../auth/libpassword.la + + libs = \ + dsync/libdsync.la \ +diff -up dovecot-2.3.20/src/Makefile.am.nolibotp dovecot-2.3.20/src/Makefile.am +--- dovecot-2.3.20/src/Makefile.am.nolibotp 2022-12-21 09:49:12.000000000 +0100 ++++ dovecot-2.3.20/src/Makefile.am 2023-02-14 16:54:02.119531023 +0100 +@@ -40,7 +40,6 @@ SUBDIRS = \ + lib-index \ + lib-storage \ + lib-sql \ +- lib-otp \ + lib-lda \ + lib-dict-backend \ + anvil \ diff --git a/dovecot.spec b/dovecot.spec index 4ef6d27..bcb7526 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -6,7 +6,7 @@ Name: dovecot Epoch: 1 Version: 2.3.20 %global prever %{nil} -Release: 2%{?dist} +Release: 3%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT and LGPLv2 @@ -44,9 +44,12 @@ Patch16: dovecot-2.3.6-opensslhmac.patch Patch17: dovecot-2.3.15-fixvalcond.patch Patch18: dovecot-2.3.15-valbasherr.patch Patch20: dovecot-2.3.14-opensslv3.patch -Patch21: dovecot-2.3.19.1-7bad6a24.patch +Patch21: dovecot-2.3.19.1-7bad6a24.patch Patch22: dovecot-configure-c99.patch +# Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes +Patch23: dovecot-2.3.20-nolibotp.patch + Source15: prestartscript BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel @@ -147,6 +150,7 @@ This package provides the development files for dovecot. %patch20 -p1 -b .opensslv3 %patch21 -p1 -b .7bad6a24 %patch22 -p1 -b .c99 +%patch23 -p1 -b .nolibotp cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude 
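Review bot: Dropping the `{ "OTP", PW_ENCODING_NONE, 0, otp_verify, otp_generate }` entry from `builtin_schemes` in password-scheme.c and `mech_register_module(&mech_otp)` in mech.c turns two previously valid deployments into runtime failures — a passdb that still stores `{OTP}` credentials and an `auth_mechanisms` setting that lists `otp` — and nothing in the patch records that operator-visible effect. Since this is a downstream patch with no matching documentation change, I would add a free-text header above the first `diff -up` line of the patch file, e.g. `Removes the OTP SASL mechanism and the {OTP} password scheme; existing {OTP} passdb entries and 'otp' in auth_mechanisms will be rejected after this change.` In test-mech.c the rewrite leaves `else if (request->mech == &mech_oauthbearer) {` with an empty body; now that it no longer separates the OTP branch it is dead and can be removed along with its closing brace. Note also that the context lines kept by the same patch (`test_password_scheme("SSHA", ...)`, `mech_register_module(&mech_scram_sha1)`) show SHA-1 is still used for stored credentials and SCRAM-SHA-1, so the patch's effect on SHA-1 usage is narrower than its name suggests.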
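Review bot: The comment added above `Patch23` states the change means "we dont use SHA1 for crypto purposes", but the patch only removes the OTP mechanism and the `{OTP}` password scheme; its own context lines keep `test_password_scheme("SSHA", ...)` in test-libpassword.c and `mech_scram_sha1` in mech.c, so SHA-1 remains in use for stored password hashes and for SCRAM-SHA-1. I would narrow the comment so a later audit is not misled: `# Fedora/RHEL specific: drop the SHA1-based OTP mechanism and {OTP} password scheme (other SHA1 uses such as SSHA and SCRAM-SHA-1 remain)`. The same overstatement is repeated in the `# drop OTP which uses SHA1 ...` comment of the `rm -rf src/lib-otp` hunk and in the changelog line `- drop SHA1 OTP`. The `-Patch21`/`+Patch21` pair shows no visible difference in this view, presumably whitespace only; that churn is better kept out of a functional change.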
@@ -155,6 +159,10 @@ echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.excl #popd sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in + +# drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes +rm -rf src/lib-otp + %build #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules %global _hardened_build 1 @@ -482,6 +490,9 @@ make check %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog +* Tue Feb 14 2023 Michal Hlavinka - 1:2.3.20-3 +- drop SHA1 OTP + * Thu Jan 19 2023 Fedora Release Engineering - 1:2.3.20-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
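Review bot: `rm -rf src/lib-otp` in %prep is only safe if the build regenerates `configure` and the `Makefile.in` files from the patched `configure.ac`/`Makefile.am`; the `sed` on `src/plugins/fts-lucene/Makefile.in` two lines above suggests the pre-generated files from the tarball are used as-is, in which case the shipped `configure` would still expect `src/lib-otp/Makefile` and `src/Makefile.in` would still recurse into the deleted directory. %build is outside this hunk, so please confirm whether autoreconf runs after `%patch23`; if it does not, either add it or also patch the generated files. A comment stating the dependency would help the next maintainer: `# src/lib-otp is deleted so no OTP code is compiled or shipped; relies on autoreconf picking up the configure.ac/Makefile.am changes from Patch23`.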