Commit Graph

207 Commits

Author SHA1 Message Date
Michal Hlavinka
a17c8bb9c3 updated to 2.3.21(2239134) 2023-09-18 17:18:06 +02:00
Michal Hlavinka
b0924ff71d update pigeonhole to 0.5.21 2023-09-18 16:44:20 +02:00
Michal Hlavinka
f701f57c30 update pigeonhole to 0.5.20 2023-01-02 21:16:51 +01:00
Michal Hlavinka
bf9aef0f21 rebased to 2.3.20 2023-01-02 16:38:53 +01:00
Michal Hlavinka
061b8c4d54 updated to 2.3.19.1 2022-06-20 23:10:22 +02:00
Michal Hlavinka
e62c64f4af updated to 2.3.19, pigeonhole to 0.5.19 2022-05-30 21:01:34 +02:00
Michal Hlavinka
f9a454dd49 updated to 2.3.18, pigeonhole to 0.5.18 2022-02-09 10:15:45 +01:00
Michal Hlavinka
0874a3628a dovecot updated to 2.3.17.1, pigeonhole to 0.5.17.1
dsync: Add back accidentally removed parameters.
lib-ssl-iostream: Fix assert-crash when OpenSSL returned syscall error
  without errno.
dovecot, managesieve and sieve-tool failed to run if ssl_ca was too large.
2021-12-07 22:22:53 +01:00
Michal Hlavinka
00e2d87780 dovecot updated to 2.3.17, pigeonhole to 0.5.17 2021-11-02 21:53:11 +01:00
Michal Hlavinka
5a2167681c dovecot updated to 2.3.16, pigeonhole to 0.5.16
fixes several regressions
2021-08-20 21:40:35 +02:00
Michal Hlavinka
f838a05fb9 dovecot updated to 2.3.15, pigeonhole updated to 0.5.15
CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
  JWT tokens. This may be used to supply attacker controlled keys to
  validate tokens, if attacker has local access.
CVE-2021-33515: On-path attacker could have injected plaintext commands
  before STARTTLS negotiation that would be executed after STARTTLS
  finished with the client.
Add TLSv1.3 support to min_protocols.
Allow configuring ssl_cipher_suites. (for TLSv1.3+)
2021-06-21 23:25:54 +02:00
Michal Hlavinka
25d565523c dovecot updated to 2.3.14, pigeonhole to 0.5.14
use OpenSSL's implementation of HMAC
Remove autocreate, expire, snarf and mail-filter plugins.
Remove cydir storage driver.
Remove XZ/LZMA write support. Read support will be removed in future release.
2021-03-22 21:06:01 +01:00
Michal Hlavinka
f8f94ccbdf dovecot updated to 2.3.13, pigeonhole to 0.5.13
CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
  allow logged in user to access other people's emails and filesystem
  information.
Metric filter and global event filter variable syntax changed to a
  SQL-like format.
auth: Added new aliases for %{variables}. Usage of the old ones is
  possible, but discouraged.
auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
  mechanism and related password schemes.
auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
auth: Removed postfix postmap socket
2021-01-04 19:46:26 +01:00
Michal Hlavinka
8f461376e7 CVE-2020-12100: Parsing mails with a large number of MIME parts could
have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  message buffer size, which leads to reading past allocation which can
  lead to crash.
CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
  zero-length message, which leads to assert-crash later on.
2020-08-15 18:22:04 +02:00
Michal Hlavinka
4e11662dbe dovecot updated to 2.3.10.1
fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
2020-05-18 18:12:36 +02:00
Michal Hlavinka
64b3f1c790 dovecot updated to 2.3.10, pigeonhole updated to 0.5.10 2020-04-21 19:12:22 +02:00
Michal Hlavinka
1040ee253b dovecot updated to 2.3.9.3
fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
      submission-login and lmtp processes.
fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
2020-02-12 15:16:26 +01:00
Michal Hlavinka
deb9d38bed CVE-2019-19722: Mails with group addresses in From or To fields
caused crash in push notification drivers.
2019-12-19 15:17:08 +01:00
Michal Hlavinka
29bbb4096a dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 2019-12-05 18:10:32 +01:00
Michal Hlavinka
71a430ba9d dovecot updated to 2.3.8, pigeonhole 0.5.8 2019-10-10 13:59:30 +02:00
Michal Hlavinka
c4e66bf297 dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2
fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
  memory writes
2019-08-29 09:44:35 +02:00
Michal Hlavinka
581436bcf3 dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 2019-08-19 15:25:24 +02:00
Michal Hlavinka
82caf4b446 dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 2019-05-02 13:49:42 +02:00
Michal Hlavinka
e9463061ff dovecot updated to 2.3.5.2
fixes CVE-2019-10691: Trying to login with 8bit username containing
  invalid UTF8 input causes auth process to crash if auth policy is enabled.
2019-04-18 14:45:08 +02:00
Michal Hlavinka
b9ba0bbcd9 dovecot updated to 2.3.5.1
CVE-2019-7524: Missing input buffer size validation leads into
  arbitrary buffer overflow when reading fts or pop3 uidl header
  from Dovecot index.
2019-03-28 14:56:50 +01:00
Michal Hlavinka
04058156dc dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 2019-03-06 15:41:52 +01:00
Michal Hlavinka
aa4c0451e3 dovecot updated to 2.3.4, pigeonhole updated to 0.5.4 2019-01-09 17:09:09 +01:00
Michal Hlavinka
6d73939b5f dovecot updated to 2.3.3, pigeonhole updated to 0.5.3
doveconf hides more secrets now in the default output
NUL bytes in mail headers can cause truncated replies when fetched.
virtual plugin: Some searches used 100% CPU for many seconds
dsync assert-crashed with acl plugin in some situations.
imapc: Fixed various assert-crashes when reconnecting to server.
2018-10-02 10:41:13 +02:00
Michal Hlavinka
5cdfe068e4 SSL/TLS servers may have crashed during client disconnection 2018-07-10 09:19:54 +02:00
Michal Hlavinka
b6cdfb140c dovecot updated to 2.3.2, pigeonhole to 0.5.2 2018-07-09 12:09:49 +02:00
Michal Hlavinka
4e81ae6930 dovecot updated to 2.3.1, pigeonhole updated to 0.5.1 2018-03-28 10:43:59 +02:00
Michal Hlavinka
88a20bf4a4 dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1 2018-03-01 14:04:22 +01:00
Michal Hlavinka
a061dc525c dovecot updated to 2.2.33.2
doveadm: Fix crash in proxying (or dsync replication) if remote is
  running older than v2.2.33
auth: Fix memory leak in %{ldap_dn}
dict-sql: Fix data types to work correctly with Cassandra
2017-10-24 10:51:09 +02:00
Michal Hlavinka
184d8e3feb dovecot updated to 2.2.33.1, pigeonhole updated to
Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals
sdbox: Mails were always opened when expunging, unless
  mail_attachment_fs was explicitly set to empty.
lmtp/doveadm proxy: hostip passdb field was ignored, which caused
  unnecessary DNS lookups if host field wasn't an IP
lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO
quota_clone: Update also when quota is unlimited (broken in v2.2.31)
mbox, zlib: Fix assert-crash when accessing compressed mbox
doveadm director kick -f parameter didn't work
doveadm director flush <host> resulted in flushing all hosts, if <host>
  wasn't an IP address.
director: Various fixes to handling backend/director changes at
   abnormal times, especially while ring was unsynced.
director: Use less CPU in imap-login processes when moving/kicking
  many users.
lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs
  when lmtp_rcpt_check_quota=yes
LDA Sieve plugin: Fixed sequential execution of LDAP-based scripts. A
  missing LDAP-based script could cause the script sequence to exit earlier.
sieve-filter: Removed the (now) duplicate utf8 to mutf7 mailbox name
  conversion. This caused problems with mailbox names containing UTF-8
  characters.
2017-10-18 14:41:24 +02:00
Michal Hlavinka
e0034abe1a pigeonhole updated to 0.4.20
Made the retention period for redirect duplicate identifiers
  configurable. Changed the default retention period from 24 to 12 hours.
sieve-filter: Fixed memory leak: forgot to clean up script binary at
  end of execution
managesieve-login: Fixed handling of AUTHENTICATE command. A second
  authenticate command would be parsed wrong.
2017-08-28 14:26:57 +02:00
Michal Hlavinka
2d992c6f39 dovecot updated to 2.2.32
Modseq tracking didn't always work correctly. This could have caused
  imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to
  not work perfectly.
mdbox: "Inconsistency in map index" wasn't fixed automatically
dict-ldap: %variable values used in the LDAP filter weren't escaped.
quota=count: quota_warning = -storage=.. was never executed (try #2).
imapc: >= 32 kB mail bodies were supposed to be cached for subsequent
  FETCHes, but weren't.
quota-status service didn't support recipient_delimiter
acl: Don't access dovecot-acl-list files with acl_globals_only=yes
mail_location: If INDEX dir is set, mailbox deletion deletes its
  children's indexes.
director: v2.2.31 caused rapid reconnection loops to directors
  that were down.
2017-08-25 09:50:33 +02:00
Michal Hlavinka
7d2c75b7dc dovecot updated to 2.2.31
Various fixes to handling mailbox listing. Especially related to
  handling nonexistent autocreated/autosubscribed mailboxes and ACLs.
Global ACL file was parsed as if it was local ACL file. This caused
  some of the ACL rule interactions to not work exactly as intended.
Using mail_sort_max_read_count may have caused very high CPU usage.
Message address parsing could have crashed on invalid input.
imapc_features=fetch-headers wasn't always working correctly and
  caused the full header to be fetched.
imapc: Various bugfixes related to connection failure handling.
quota=count: quota_warning = -storage=.. was never executed
quota=count: Add support for "ns" parameter
dsync: Fix incremental syncing for mails that don't have Date or
  Message-ID headers.
imap: Fix hang when client sends pipelined SEARCH +
  EXPUNGE/CLOSE/LOGOUT.
oauth2: Token validation didn't accept empty server responses.
imap: NOTIFY command has been almost completely broken since the
  beginning.
pigeonhole updated to 0.4.19
Fixed bug in handling of implicit keep in some cases.
include extension: Fixed segfault that (sometimes) occurred when the
  global script location was left unconfigured.
2017-06-27 10:38:30 +02:00
Michal Hlavinka
e20207d373 dovecot updated to 2.2.30.2
auth: Multiple failed authentications within short time caused crashes
push-notification: OX driver crashed at deinit
2017-06-08 15:25:06 +02:00
Michal Hlavinka
b6c95e87ed dovecot updated to 2.2.30.1
More fixes to automatically fix corruption in dovecot.list.index
dsync-server: Fix support for dsync_features=empty-header-workaround
imapc: Various bugfixes, including infinite loops on some errors
IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't
  enabled modseq tracking via CONDSTORE/QRESYNC.
fts-lucene: Fix it to work again with mbox format
Some internal error messages may have contained garbage in v2.2.29
mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys
  are used. Otherwise the copied mails can't be opened.
2017-06-01 16:25:11 +02:00
Michal Hlavinka
47787255f7 dovecot updated to 2.2.29.1
dict-sql: Merging multiple UPDATEs to a single statement wasn't
  actually working.
pigeonhole updated to 0.4.18
imapsieve plugin: Implemented the copy_source_after rule action. When this
  is enabled for a mailbox rule, the specified Sieve script is executed for
  the message in the source mailbox during a "COPY" event. This happens only
  after the Sieve script that is executed for the corresponding message in the
  destination mailbox finishes running successfully.
imapsieve plugin: Added non-standard Sieve environment items for the source
  and destination mailbox.
multiscript: The execution of the discard script had an implicit "keep",
  rather than an implicit "discard".
2017-04-12 15:15:59 +02:00
Michal Hlavinka
627140a00c dovecot updated to 2.2.29
fts-tika: Fixed crash when parsing attachment without
  Content-Disposition header. Broken by 2.2.28.
trash plugin was broken in 2.2.28
auth: When passdb/userdb lookups were done via auth-workers, too much
  data was added to auth cache. This could have resulted in wrong
  replies when using multiple passdbs/userdbs.
auth: passdb { skip & mechanisms } were ignored for the first passdb
oauth2: Various fixes, including fixes to crashes
dsync: Large Sieve scripts (or other large metadata) weren't always
  synced.
Index rebuild (e.g. doveadm force-resync) set all mails as \Recent
imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix
doveadm: Exit codes weren't preserved when proxying commands via
  doveadm-server. Almost all errors used exit code 75 (tempfail).
ACLs weren't applied to not-yet-existing autocreated mailboxes.
Fixed a potential crash when parsing a broken message header.
cassandra: Fallback consistency settings weren't working correctly.
doveadm director status <user>: "Initial config" was always empty
imapc: Various reconnection fixes.
2017-04-11 10:32:58 +02:00
Michal Hlavinka
6cde4f186a dovecot updated to 2.2.28, pigeonhole to 0.4.17
auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them
  in lib-dsasl for client side.
imap: SEARCH/SORT may have assert-crashed in
  client_check_command_hangs
imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes.
search: Using NOT n:* or NOT UID n:* wasn't handled correctly
fts: fts_autoindex_exclude = \Special-use caused crashes
doveadm-server: Fix leaks and other problems when process is reused
  for multiple requests (service_count != 1)
sdbox: Fix assert-crash on mailbox create race
lda/lmtp: deliver_log_format values weren't entirely correct if Sieve
  was used. Especially %{storage_id} was broken.
imapsieve plugin: Fixed assert failure occurring when used with virtual
  mailboxes.
doveadm sieve plugin: Fixed crash when setting Sieve script via attribute's
  string value.
2017-02-27 10:23:36 +01:00
Michal Hlavinka
3203a05c7d Fixed crash in auth process when auth-policy was configured and
authentication was aborted/failed without a username set.
- director: If two users had different tags but the same hash,
  the users may have been redirected to the wrong tag's hosts.
- Index files may have been thought incorrectly lost, causing
  "Missing middle file seq=.." to be logged and index rebuild.
  This happened more easily with IMAP hibernation enabled.
- Various fixes to restoring state correctly in un-hibernation.
- dovecot.index files were commonly 4 bytes per email too large. This
  is because 3 bytes per email were being wasted that could have been
  used for IMAP keywords.
- Various fixes to handle dovecot.list.index corruption better.
- lib-fts: Fixed assert-crash in address tokenizer with specific input.
- Fixed assert-crash in HTML to text parsing with specific input
  (e.g. for FTS indexing or snippet generation)
- doveadm sync -1: Fixed handling mailbox GUID conflicts.
- sdbox, mdbox: Perform full index rebuild if corruption is detected
  inside lib-index, which runs index fsck.
- quota: Don't skip quota checks when moving mails between different
  quota roots.
- search: Multiple sequence sets or UID sets in search parameters
  weren't handled correctly. They were incorrectly merged together.
2016-12-05 10:41:59 +01:00
Michal Hlavinka
621a521183 dovecot updated to 2.2.26.0, pigeonhole updated to 0.4.16
- master process's listener socket was leaked to all child processes.
  This might have allowed untrusted processes to capture and prevent
  "doveadm service stop" commands from working.
- login proxy: Fixed crash when outgoing SSL connections were hanging.
- auth: userdb fields weren't passed to auth-workers, so %{userdb:*}
  from previous userdbs didn't work there.
- auth: Fixed auth_bind=yes + sasl_bind=yes to work together
- lmtp: %{userdb:*} variables didn't work in mail_log_prefix
- Fixed writing >2GB to iostream-temp files (used by fs-compress,
  fs-metawrap, doveadm-http)
- fts-solr: Fixed searching multiple mailboxes
- and more...
2016-10-31 16:13:54 +01:00
Michal Hlavinka
4e13d130a0 dovecot updated to 2.2.25
- doveadm backup was sometimes deleting entire mailboxes unnecessarily.
- doveadm: Command -parameters weren't being sent to doveadm-server.
- if dovecot.index read failed e.g. because mmap() reached VSZ limit,
  an empty index could have been opened instead, corrupting the
  mailbox state.
- lazy-expunge: Fixed a crash when copying failed. Various other fixes.
- fts-lucene: Fixed crash on index rescan.
- dict-ldap: Various fixes
- dict-sql: NULL values crashed. Now they're treated as "not found".
2016-07-04 16:16:17 +02:00
Michal Hlavinka
f4c61be70c dovecot updated to 2.2.24
- Huge header lines could have caused Dovecot to use too much memory
- dsync: Detect and handle invalid/stale -s state string better.
- dsync: Fixed crash caused by specific mailbox renames
- auth: Auth cache is now disabled for passwd-file.
- fts-tika: Don't crash if it returns 500 error
- dict-redis: Fixed timeout handling
- SEARCH INTHREAD was crashing
- stats: Only a single fifo_listeners was supported, making it impossible to
  use both auth_stats=yes and mail stats plugin.
- SSL errors were logged in separate "Stacked error" log lines instead of as
  part of the disconnection reason.
- MIME body parser didn't handle properly when a child MIME part's --boundary
  had the same prefix as the parent.
- pigeonhole updated to 0.4.14
- extprograms plugin: Fixed epoll() panic caused by closing the output
  FD before the output stream.
- Made sure that the local part of a mail address is encoded properly
  using quoted string syntax when it is not a dot-atom.
2016-04-27 11:27:42 +02:00
Michal Hlavinka
cc37c37fa9 dovecot updated to 2.2.23, pigeonhole updated to 0.4.13
- Various fixes to doveadm. Especially running commands via
  doveadm-server was broken.
- director: Fixed user weakness getting stuck in some situations
- director: Fixed a situation where directors keep re-sending
  different states to each other and never becoming synced.
- director: Fixed assert-crash related to a slow "user killed" reply
- Fixed assert-crash related to istream-concat, which could have
  been triggered at least by a Sieve script.
2016-03-31 17:23:11 +02:00
Michal Hlavinka
8c9abbf261 dovecot updated to 2.2.22
- auth: Auth caching was done too aggressively when %variables were
  used in default_fields, override_fields or LDAP pass/user_attrs.
  userdb result_* were also ignored when user was found from cache.
- imap: Fixed various assert-crashes caused v2.2.20+. Some of them
  caught actual hangs or otherwise unwanted behavior towards IMAP
  clients.
- Expunges were forgotten in some situations, for example when
  pipelining multiple IMAP MOVE commands.
- quota: Per-namespaces quota were broken for dict and count backends
  in v2.2.20+
- fts-solr: Search queries were using OR instead of AND as the
  separator for multi-token search queries in v2.2.20+.
- Single instance storage support wasn't really working in v2.2.16+
- dbox: POP3 message ordering wasn't working correctly.
- virtual plugin: Fixed crashes related to backend mailbox deletions.
2016-03-16 13:58:24 +01:00
Michal Hlavinka
6c7ce94860 pigeonhole updated to 0.4.12
- multiscript: Fixed bug in handling of (implicit) keep; final keep action was
  always executed as though there was a failure.
- managesieve-login: Fixed proxy to allow SASL mechanisms other than PLAIN.
- ldap storage: Prevent segfault occurring when assigning certain (global)
  configuration options.
2016-02-08 16:46:41 +01:00
Michal Hlavinka
27efdc43f0 pigeonhole updated to 0.4.11
- Sieve mime extension: Fixed the header :mime :anychild test to work properly
  outside a foreverypart loop.
- Fixed assert failure occurring when text extraction is attempted on an
  empty or broken text part.
- Fixed assert failure in handling of body parts that are converted to text.
- Fixed header unfolding for (mime) headers parsed from any mime part.
- Fixed trimming for (mime) headers parsed from any mime part.
- Fixed erroneous changes to the message part tree structure performed when
  re-parsing the message.
- LDA Sieve plugin: Fixed bug in error handling of script storage initialization
- Fixed duplication of discard actions in the script result.
- Made sure that quota errors never get logged as errors in syslog.
2016-01-28 11:50:38 +01:00