diff --git a/dovecot.spec b/dovecot.spec
index 05c6aa2..48998ae 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,7 +3,7 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.5.2
+Version: 2.3.6
 %global prever %{nil}
 Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
@@ -13,7 +13,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.5
+%global pigeonholever 0.5.6
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -493,6 +493,9 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Thu May 02 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-1
+- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6
+
 * Thu Apr 18 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.2-1
 - dovecot updated to 2.3.5.2
 - fixes CVE-2019-10691: Trying to login with 8bit username containing
diff --git a/sources b/sources
index 2af39ad..f5c7b43 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.5.2.tar.gz) = 041ec1c33c6accb5c89d96d7ab2f7dd59795f496c17faea1906e7977983e4a387aa855a238376515c09532731634d9d42e6d6be22659062855241847ea0213d5
-SHA512 (dovecot-2.3-pigeonhole-0.5.5.tar.gz) = 21519fc9b1152a947b64ce4251e1a4bdbe003b48233b1856a32696f9c1e29f730268c56eb38f9431bbfac345e6cd42e8c78c87d0702f39ebf20c6d326dcdbb94
+SHA512 (dovecot-2.3.6.tar.gz) = ec28af2efcbd4ab534298c3342709251074dcdb0f0f4bcad0d24b996b273387e2ce557d7ab54abafb69be3ed7dd61f25c82b9710d78156932e2eff7f941c9eb2
+SHA512 (dovecot-2.3-pigeonhole-0.5.6.tar.gz) = 998a046d2eb5ff7bba615fd1a3efdfb1e7e1dabf191257f7fa2882074acc1735a0a4c11c5f31bab1e964b0118f1a8e9e51b3d5529b8fff6d1312c9a8257d9c20