diff --git a/dovecot.spec b/dovecot.spec
index 6621c76..e53cb88 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -6,7 +6,7 @@ Name: dovecot
 Epoch: 1
 Version: 2.3.21
 %global prever %{nil}
-Release: 16%{?dist}.1
+Release: 19%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT AND LGPL-2.1-only
 
@@ -69,15 +69,15 @@ Patch28: dovecot-2.3.21.1-CVE-2024-23184.patch
 # https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch
 Patch29: dovecot-2.3.21.1-CVE-2024-23185.patch
 
-# from upstream for < 2.4.3, RHEL-161625
+# from upstream for < 2.4.3, RHEL-161626
 # https://github.com/dovecot/pigeonhole/commit/54f645225a8a7911d7e16e9d50f170d217b0be95
 Patch30: dovecot-2.3-cve-2026-27858.patch
 
-# from upstream for < 2.4.3, RHEL-162273
+# from upstream for < 2.4.3, RHEL-162274
 # https://github.com/dovecot/pigeonhole/commit/efb68fac3a9d2d04d38c4ab14dd570cf0c23923c
 Patch31: dovecot-2.3-cve-2025-59032.patch
 
-# from upstream for < 2.4.3, RHEL-161664
+# from upstream for < 2.4.3, RHEL-161665
 # https://github.com/dovecot/core/commit/825bc297f87b856992aa14beac596ec838248210
 Patch32: dovecot-2.3-cve-2026-27857p1of5.patch
 # https://github.com/dovecot/core/commit/d0f67b52914565a35f3817335ab9633cb291513c
@@ -562,10 +562,17 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
-* Tue Apr 07 2026 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-16.1
-- fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161625)
-- fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162273)
-- fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161664)
+* Mon May 11 2026 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-19
+- update release for rebuild
+
+* Thu Apr 30 2026 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-18
+- fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161626)
+- fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162274)
+- fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161665)
+
+* Mon Jan 12 2026 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-17
+- fix building with latest openssl (RHEL-117460)
+- add /var/lib/dovecot to tmpfiles for image mode (RHEL-130953)
 
 * Wed Feb 05 2025 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-16
 - fix sysusers config file name (RHEL-77323)
diff --git a/dovecot.tmpfilesd b/dovecot.tmpfilesd
index d96639a..e46a5ff 100644
--- a/dovecot.tmpfilesd
+++ b/dovecot.tmpfilesd
@@ -1,2 +1,3 @@
 d /run/dovecot 0755 root dovecot -
+d /var/lib/dovecot 0750 dovecot dovecot - -
 
diff --git a/prestartscript b/prestartscript
old mode 100755
new mode 100644