CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access.
CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
Add TSLv1.3 support to min_protocols.
Allow configuring ssl_cipher_suites. (for TLSv1.3+)
use OpenSSL's implementation of HMAC
Remove autocreate, expire, snarf and mail-filter plugins.
Remove cydir storage driver.
Remove XZ/LZMA write support. Read support will be removed in future release.
- auth: Auth caching was done too aggressively when %variables were
used in default_fields, override_fields or LDAP pass/user_attrs.
userdb result_* were also ignored when user was found from cache.
- imap: Fixed various assert-crashes caused v2.2.20+. Some of them
caught actual hangs or otherwise unwanted behavior towards IMAP
clients.
- Expunges were forgotten in some situations, for example when
pipelining multiple IMAP MOVE commands.
- quota: Per-namespaces quota were broken for dict and count backends
in v2.2.20+
- fts-solr: Search queries were using OR instead of AND as the
separator for multi-token search queries in v2.2.20+.
- Single instance storage support wasn't really working in v2.2.16+
- dbox: POP3 message ordering wasn't working correctly.
- virtual plugin: Fixed crashes related to backend mailbox deletions.
