21 changed files with 553 additions and 1247 deletions
--- a/SOURCES/dovecot-2.0-defaultconfig.patch
+++ b/SOURCES/dovecot-2.0-defaultconfig.patch
@ -1,7 +1,7 @@
-diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings	2018-02-28 15:28:57.000000000 +0100
-+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf	2018-03-01 10:29:38.208368555 +0100
-@@ -165,7 +165,7 @@ namespace inbox {
+diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf
+--- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings	2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf	2021-10-27 11:13:45.666956339 +0200
+@@ -175,7 +175,7 @@ namespace inbox {
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
@ -18,9 +18,9 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings
 
 # Maximum time to wait for lock (all of them) before aborting.
 #mbox_lock_timeout = 5 mins
-diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings	2018-02-28 15:28:57.000000000 +0100
-+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf	2018-03-01 10:33:54.779499044 +0100
+diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf
+--- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings	2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf	2021-10-27 11:13:02.834533975 +0200
@@ -3,7 +3,9 @@
 ##
 
@ -32,7 +32,7 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
-@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -64,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
 #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 # To disable non-EC DH, use:
 #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
--- a/SOURCES/dovecot-2.2.36-aclfix.patch
+++ b/SOURCES/dovecot-2.2.36-aclfix.patch
@ -1,13 +0,0 @@
-diff -up dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c
--- dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix	2018-09-18 15:00:08.778823903 +0200
-+++ dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c	2018-09-18 15:00:08.814823737 +0200
-@@ -161,8 +161,7 @@ acl_backend_vfile_object_init(struct acl
- 	T_BEGIN {
- 		if (*name == '\0' ||
- 		    mailbox_list_is_valid_name(_backend->list, name, &error)) {
-			vname = *name == '\0' ? "" :
-				mailbox_list_get_vname(_backend->list, name);
-+			vname = mailbox_list_get_vname(_backend->list, name);
- 
- 			dir = acl_backend_vfile_get_local_dir(_backend, name, vname);
- 			aclobj->local_path = dir == NULL ? NULL :
--- a/SOURCES/dovecot-2.3-cve-2025-59032.patch
+++ b/SOURCES/dovecot-2.3-cve-2025-59032.patch
@ -1,20 +0,0 @@
-diff --git a/dovecot-pigeonhole/src/managesieve-login/client.c b/dovecot-pigeonhole/src/managesieve-login/client.c
-index 3b2492ca..2ad47b4c 100644
--- a/dovecot-pigeonhole/src/managesieve-login/client.c
-+++ b/dovecot-pigeonhole/src/managesieve-login/client.c
-@@ -345,10 +345,12 @@ static bool managesieve_client_input_next_cmd(struct client *client)
- 			if ( args[0].type != MANAGESIEVE_ARG_EOL )
- 				ret = -1;
- 		}
-	}
-	if (ret > 0) {
-+		if (ret > 0)
-+			ret = client->cmd->func(client, args);
-+	} else {
-+		/* Continue unfinished command */
- 		i_assert(client->cmd != NULL);
-		ret = client->cmd->func(client, args);
-+		ret = client->cmd->func(client, NULL);
- 	}
- 
- 	if (ret != 0)
--- a/SOURCES/dovecot-2.3-cve-2026-27857p1of5.patch
+++ b/SOURCES/dovecot-2.3-cve-2026-27857p1of5.patch
@ -1,257 +0,0 @@
-diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
-index c761f91d6e..84e6a90db4 100644
--- a/src/imap-login/imap-login-client.c
-+++ b/src/imap-login/imap-login-client.c
-@@ -379,7 +379,7 @@ static void imap_client_create(struct cl
- 	imap_client->parser =
- 		imap_parser_create(imap_client->common.input,
- 				   imap_client->common.output,
-				   IMAP_LOGIN_MAX_LINE_LENGTH);
-+				   IMAP_LOGIN_MAX_LINE_LENGTH, NULL);
- 	if (imap_client->set->imap_literal_minus)
- 		imap_parser_enable_literal_minus(imap_client->parser);
- 	client->io = io_add_istream(client->input, client_input, client);
-@@ -473,7 +473,7 @@ static void imap_client_starttls(struct client *client)
- 	imap_client->parser =
- 		imap_parser_create(imap_client->common.input,
- 				   imap_client->common.output,
-				   IMAP_LOGIN_MAX_LINE_LENGTH);
-+				   IMAP_LOGIN_MAX_LINE_LENGTH, NULL);
- 
- 	/* CRLF is lost from buffer when streams are reopened. */
- 	imap_client->skip_line = FALSE;
-diff --git a/src/imap-login/imap-login-cmd-id.c b/src/imap-login/imap-login-cmd-id.c
-index 24b365dc0c..be2097f70b 100644
--- a/src/imap-login/imap-login-cmd-id.c
-+++ b/src/imap-login/imap-login-cmd-id.c
-@@ -391,7 +391,8 @@ int cmd_id(struct imap_client *client)
- 		client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
- 		id->parser = imap_parser_create(client->common.input,
- 						client->common.output,
-						IMAP_LOGIN_MAX_LINE_LENGTH);
-+						IMAP_LOGIN_MAX_LINE_LENGTH,
-+						NULL);
- 		if (client->set->imap_literal_minus)
- 			imap_parser_enable_literal_minus(id->parser);
- 		parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST;
-diff --git a/src/imap/cmd-append.c b/src/imap/cmd-append.c
-index 8e1dec27e6..18f16fc119 100644
--- a/src/imap/cmd-append.c
-+++ b/src/imap/cmd-append.c
-@@ -1202,7 +1202,8 @@ static bool cmd_append_full(struct client_command_context *cmd, bool replace)
- 	o_stream_unset_flush_callback(client->output);
- 
- 	ctx->save_parser = imap_parser_create(client->input, client->output,
-					      client->set->imap_max_line_length);
-+					      client->set->imap_max_line_length,
-+					      NULL);
- 	if (client->set->imap_literal_minus)
- 		imap_parser_enable_literal_minus(ctx->save_parser);
- 
-diff --git a/src/imap/cmd-setmetadata.c b/src/imap/cmd-setmetadata.c
-index 4278c8720e..686c72c984 100644
--- a/src/imap/cmd-setmetadata.c
-+++ b/src/imap/cmd-setmetadata.c
-@@ -289,7 +289,8 @@ cmd_setmetadata_start(struct imap_setmetadata_context *ctx)
- 	   asynchronously the same way as APPEND does. */
- 	client->input_lock = cmd;
- 	ctx->parser = imap_parser_create(client->input, client->output,
-					 client->set->imap_max_line_length);
-+					 client->set->imap_max_line_length,
-+					 NULL);
- 	if (client->set->imap_literal_minus)
- 		imap_parser_enable_literal_minus(ctx->parser);
- 	o_stream_unset_flush_callback(client->output);
-diff --git a/src/imap/imap-client.c b/src/imap/imap-client.c
-index 47709aa400..10a8968988 100644
--- a/src/imap/imap-client.c
-+++ b/src/imap/imap-client.c
-@@ -994,7 +994,8 @@ client_command_new(struct client *client)
- 	} else {
- 		cmd->parser =
- 			imap_parser_create(client->input, client->output,
-					   client->set->imap_max_line_length);
-+					   client->set->imap_max_line_length,
-+					   NULL);
- 		if (client->set->imap_literal_minus)
- 			imap_parser_enable_literal_minus(cmd->parser);
- 	}
-diff --git a/src/lib-imap-client/imapc-connection.c b/src/lib-imap-client/imapc-connection.c
-index 17aa54c3b0..25dfd32499 100644
--- a/src/lib-imap-client/imapc-connection.c
-+++ b/src/lib-imap-client/imapc-connection.c
-@@ -1914,7 +1914,8 @@ static void imapc_connection_connect_next_ip(struct imapc_connection *conn)
- 	o_stream_set_flush_callback(conn->output, imapc_connection_connected,
- 				    conn);
- 	conn->parser = imap_parser_create(conn->input, NULL,
-					  conn->client->set.max_line_length);
-+					  conn->client->set.max_line_length,
-+					  NULL);
- 	conn->to = timeout_add(conn->client->set.connect_timeout_msecs,
- 			       imapc_connection_timeout, conn);
- 	conn->to_output = timeout_add(conn->client->set.max_idle_time*1000,
-diff --git a/src/lib-imap-storage/imap-msgpart.c b/src/lib-imap-storage/imap-msgpart.c
-index 0442a345b4..3c0bbf5a81 100644
--- a/src/lib-imap-storage/imap-msgpart.c
-+++ b/src/lib-imap-storage/imap-msgpart.c
-@@ -149,7 +149,7 @@ imap_msgpart_get_header_fields(pool_t pool, const char *header_list,
- 	int result = 0;
- 
- 	input = i_stream_create_from_data(header_list, strlen(header_list));
-	parser = imap_parser_create(input, NULL, SIZE_MAX);
-+	parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
- 
- 	if (imap_parser_finish_line(parser, 0, 0, &args) > 0 &&
- 	    imap_arg_get_list_full(args, &hdr_list, &list_count) &&
-diff --git a/src/lib-imap/imap-bodystructure.c b/src/lib-imap/imap-bodystructure.c
-index e3d4b3b564..7910bbcee1 100644
--- a/src/lib-imap/imap-bodystructure.c
-+++ b/src/lib-imap/imap-bodystructure.c
-@@ -732,7 +732,7 @@ int imap_bodystructure_parse_full(const char *bodystructure,
- 	input = i_stream_create_from_data(bodystructure, strlen(bodystructure));
- 	(void)i_stream_read(input);
- 
-	parser = imap_parser_create(input, NULL, SIZE_MAX);
-+	parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
- 	ret = imap_parser_finish_line(parser, 0,
- 				      IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
- 	if (ret < 0) {
-@@ -982,7 +982,7 @@ int imap_body_parse_from_bodystructure(const char *bodystructure,
- 	input = i_stream_create_from_data(bodystructure, strlen(bodystructure));
- 	(void)i_stream_read(input);
- 
-	parser = imap_parser_create(input, NULL, SIZE_MAX);
-+	parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
- 	ret = imap_parser_finish_line(parser, 0, IMAP_PARSE_FLAG_NO_UNESCAPE |
- 				      IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
- 	if (ret < 0) {
-diff --git a/src/lib-imap/imap-envelope.c b/src/lib-imap/imap-envelope.c
-index 395e189c70..2e305d7c42 100644
--- a/src/lib-imap/imap-envelope.c
-+++ b/src/lib-imap/imap-envelope.c
-@@ -225,7 +225,7 @@ bool imap_envelope_parse(const char *envelope,
- 	input = i_stream_create_from_data(envelope, strlen(envelope));
- 	(void)i_stream_read(input);
- 
-	parser = imap_parser_create(input, NULL, SIZE_MAX);
-+	parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
- 	ret = imap_parser_finish_line(parser, 0,
- 				      IMAP_PARSE_FLAG_LITERAL_TYPE, &args);
- 	if (ret < 0) {
-diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
-index 643f80ceeb..532cb97dfb 100644
--- a/src/lib-imap/imap-parser.c
-+++ b/src/lib-imap/imap-parser.c
-@@ -69,7 +69,8 @@ struct imap_parser {
- 
- struct imap_parser *
- imap_parser_create(struct istream *input, struct ostream *output,
-		   size_t max_line_size)
-+		   size_t max_line_size,
-+		   const struct imap_parser_params *params ATTR_UNUSED)
- {
- 	struct imap_parser *parser;
- 
-diff --git a/src/lib-imap/imap-parser.h b/src/lib-imap/imap-parser.h
-index cd3748c00f..16ef2c7a34 100644
--- a/src/lib-imap/imap-parser.h
-+++ b/src/lib-imap/imap-parser.h
-@@ -38,6 +38,9 @@ enum imap_parser_error {
- 	IMAP_PARSE_ERROR_LITERAL_TOO_BIG
- };
- 
-+struct imap_parser_params {
-+};
-+
- struct imap_parser;
- 
- /* Create new IMAP argument parser. output is used for sending command
-@@ -53,7 +56,8 @@ struct imap_parser;
-    2 * max_line_size. */
- struct imap_parser *
- imap_parser_create(struct istream *input, struct ostream *output,
-		   size_t max_line_size) ATTR_NULL(2);
-+		   size_t max_line_size,
-+		   const struct imap_parser_params *params);
- void imap_parser_ref(struct imap_parser *parser);
- void imap_parser_unref(struct imap_parser **parser);
- 
-diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c
-index 32f8d89dea..58c5863d67 100644
--- a/src/lib-imap/test-imap-parser.c
-+++ b/src/lib-imap/test-imap-parser.c
-@@ -16,7 +16,7 @@ static void test_imap_parser_crlf(void)
- 
- 	test_begin("imap parser crlf handling");
- 	input = test_istream_create(test_input);
-	parser = imap_parser_create(input, NULL, 1024);
-+	parser = imap_parser_create(input, NULL, 1024, NULL);
- 
- 	/* must return -2 until LF is read */
- 	for (i = 0; test_input[i] != '\n'; i++) {
-@@ -60,7 +60,7 @@ static void test_imap_parser_partial_list(void)
- 
- 	test_begin("imap parser partial list");
- 	input = test_istream_create(test_input);
-	parser = imap_parser_create(input, NULL, 1024);
-+	parser = imap_parser_create(input, NULL, 1024, NULL);
- 
- 	(void)i_stream_read(input);
- 	test_assert(imap_parser_read_args(parser, 0,
-@@ -128,7 +128,7 @@ static void test_imap_parser_read_tag_cmd(void)
- 		if (tests[i].type != COMMAND) {
- 			input = test_istream_create(tests[i].input);
- 			test_assert(i_stream_read(input) > 0);
-			parser = imap_parser_create(input, NULL, 1024);
-+			parser = imap_parser_create(input, NULL, 1024, NULL);
- 			ret = imap_parser_read_tag(parser, &atom);
- 			test_assert_idx(ret == tests[i].ret, i);
- 			test_assert_idx(ret <= 0 || strcmp(tests[i].tag, atom) == 0, i);
-@@ -139,7 +139,7 @@ static void test_imap_parser_read_tag_cmd(void)
- 		if (tests[i].type != TAG) {
- 			input = test_istream_create(tests[i].input);
- 			test_assert(i_stream_read(input) > 0);
-			parser = imap_parser_create(input, NULL, 1024);
-+			parser = imap_parser_create(input, NULL, 1024, NULL);
- 			ret = imap_parser_read_command_name(parser, &atom);
- 			test_assert_idx(ret == tests[i].ret, i);
- 			test_assert_idx(ret <= 0 || strcmp(tests[i].tag, atom) == 0, i);
-diff --git a/src/plugins/virtual/virtual-config.c b/src/plugins/virtual/virtual-config.c
-index f448c81d7d..6ec5aa260e 100644
--- a/src/plugins/virtual/virtual-config.c
-+++ b/src/plugins/virtual/virtual-config.c
-@@ -54,7 +54,7 @@ virtual_search_args_parse(const string_t *rule, const char **error_r)
- 	input = i_stream_create_from_data(str_data(rule), str_len(rule));
- 	(void)i_stream_read(input);
- 
-	imap_parser = imap_parser_create(input, NULL, SIZE_MAX);
-+	imap_parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
- 	ret = imap_parser_finish_line(imap_parser, 0,  0, &args);
- 	if (ret < 0) {
- 		sargs = NULL;
-diff --git a/src/lib-imap/imap-id.c b/src/lib-imap/imap-id.c
-index f448c81d7d..6ec5aa260e 100644
--- a/src/lib-imap/imap-id.c
-+++ b/src/lib-imap/imap-id.c
-@@ -111,7 +111,7 @@ const char *imap_id_reply_generate(const
- 	input = i_stream_create_from_data(settings, strlen(settings));
- 	(void)i_stream_read(input);
- 
-	parser = imap_parser_create(input, NULL, SIZE_MAX);
-+	parser = imap_parser_create(input, NULL, SIZE_MAX, NULL);
- 	if (imap_parser_finish_line(parser, 0, 0, &args) <= 0)
- 		ret = "NIL";
- 	else
-diff --git a/src/director/director-test.c b/src/director/director-test.c
-index f448c81d7d..6ec5aa260e 100644
--- a/src/director/director-test.c
-+++ b/src/director/director-test.c
-@@ -250,7 +250,7 @@ static void imap_client_create(int fd)
- 	o_stream_set_no_error_handling(client->output, TRUE);
- 	client->io = io_add(fd, IO_READ, imap_client_input, client);
- 	client->parser =
-		imap_parser_create(client->input, client->output, 4096);
-+		imap_parser_create(client->input, client->output, 4096, NULL);
- 	o_stream_nsend_str(client->output,
- 		"* OK [CAPABILITY IMAP4rev1] director-test ready.\r\n");
- 	DLLIST_PREPEND(&imap_clients, client);
--- a/SOURCES/dovecot-2.3-cve-2026-27857p2of5.patch
+++ b/SOURCES/dovecot-2.3-cve-2026-27857p2of5.patch
@ -1,149 +0,0 @@
-diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
-index 532cb97dfb..6212aed33d 100644
--- a/src/lib-imap/imap-parser.c
-+++ b/src/lib-imap/imap-parser.c
-@@ -39,6 +39,7 @@ struct imap_parser {
- 	struct istream *input;
- 	struct ostream *output;
- 	size_t max_line_size;
-+	unsigned int list_count_limit;
-         enum imap_parser_flags flags;
- 
- 	/* reset by imap_parser_reset(): */
-@@ -46,6 +47,7 @@ struct imap_parser {
- 	ARRAY_TYPE(imap_arg_list) root_list;
-         ARRAY_TYPE(imap_arg_list) *cur_list;
- 	struct imap_arg *list_arg;
-+	unsigned int list_count;
- 
- 	enum arg_parse_type cur_type;
- 	size_t cur_pos; /* parser position in input buffer */
-@@ -70,7 +72,7 @@ struct imap_parser {
- struct imap_parser *
- imap_parser_create(struct istream *input, struct ostream *output,
- 		   size_t max_line_size,
-		   const struct imap_parser_params *params ATTR_UNUSED)
-+		   const struct imap_parser_params *params)
- {
- 	struct imap_parser *parser;
- 
-@@ -81,6 +83,10 @@ imap_parser_create(struct istream *input, struct ostream *output,
- 	parser->input = input;
- 	parser->output = output;
- 	parser->max_line_size = max_line_size;
-+	if (params != NULL && params->list_count_limit > 0)
-+		parser->list_count_limit = params->list_count_limit;
-+	else
-+		parser->list_count_limit = UINT_MAX;
- 
- 	p_array_init(&parser->root_list, parser->pool, LIST_INIT_COUNT);
- 	parser->cur_list = &parser->root_list;
-@@ -122,6 +128,7 @@ void imap_parser_reset(struct imap_parser *parser)
- 	p_array_init(&parser->root_list, parser->pool, LIST_INIT_COUNT);
- 	parser->cur_list = &parser->root_list;
- 	parser->list_arg = NULL;
-+	parser->list_count = 0;
- 
- 	parser->cur_type = ARG_PARSE_NONE;
- 	parser->cur_pos = 0;
-@@ -210,6 +217,12 @@ static bool imap_parser_close_list(struct imap_parser *parser)
- 		parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX;
- 		return FALSE;
- 	}
-+	if (parser->list_count >= parser->list_count_limit) {
-+		parser->error_msg = "Too many '('";
-+		parser->error = IMAP_PARSE_ERROR_BAD_SYNTAX;
-+		return FALSE;
-+	}
-+	parser->list_count++;
- 
- 	arg = imap_arg_create(parser);
- 	arg->type = IMAP_ARG_EOL;
-diff --git a/src/lib-imap/imap-parser.h b/src/lib-imap/imap-parser.h
-index 16ef2c7a34..3832cc9b92 100644
--- a/src/lib-imap/imap-parser.h
-+++ b/src/lib-imap/imap-parser.h
-@@ -39,6 +39,12 @@ enum imap_parser_error {
- };
- 
- struct imap_parser_params {
-+	/* How many open lists ('(' chars) to allow before faililng the parsing.
-+	   0 means unlimited. This is mainly used to prevent excessive memory
-+	   usage in imap-login process. In imap process there are many other
-+	   ways to increase memory usage, so we let the max_line_size be the
-+	   only limit. */
-+	unsigned int list_count_limit;
- };
- 
- struct imap_parser;
-diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c
-index 58c5863d67..0350ea7352 100644
--- a/src/lib-imap/test-imap-parser.c
-+++ b/src/lib-imap/test-imap-parser.c
-@@ -2,6 +2,7 @@
- 
- #include "lib.h"
- #include "istream.h"
-+#include "istream-chain.h"
- #include "imap-parser.h"
- #include "test-common.h"
- 
-@@ -79,6 +80,50 @@ static void test_imap_parser_partial_list(void)
- 	test_end();
- }
- 
-+static void test_imap_parser_list_limit(void)
-+{
-+	struct {
-+		const char *input;
-+		int ret;
-+	} tests[] = {
-+		{ "(())\r\n", 1 },
-+		{ "((()))\r\n", -1 },
-+	};
-+	struct istream_chain *chain;
-+	struct istream *chain_input;
-+	struct imap_parser *parser;
-+	const struct imap_arg *args;
-+
-+	test_begin("imap parser list limit");
-+	struct imap_parser_params params = {
-+		.list_count_limit = 2,
-+	};
-+
-+	for (unsigned int i = 0; i < N_ELEMENTS(tests); i++) {
-+		chain_input = i_stream_create_chain(&chain);
-+		parser = imap_parser_create(chain_input, NULL, 1024, &params);
-+
-+		for (unsigned int j = 0; j < 2; j++) {
-+			struct istream *input =
-+				test_istream_create(tests[i].input);
-+			i_stream_chain_append(chain, input);
-+			i_stream_unref(&input);
-+
-+			(void)i_stream_read(chain_input);
-+
-+			test_assert_cmp(imap_parser_read_args(parser, 0, 0, &args), ==, tests[i].ret);
-+			/* skip over CRLF */
-+			i_stream_skip(chain_input, i_stream_get_data_size(chain_input));
-+
-+			/* make sure parser reset works */
-+			imap_parser_reset(parser);
-+		}
-+		imap_parser_unref(&parser);
-+		i_stream_destroy(&chain_input);
-+	}
-+	test_end();
-+}
-+
- static void test_imap_parser_read_tag_cmd(void)
- {
- 	enum read_type {
-@@ -205,6 +250,7 @@ int main(void)
- 	static void (*const test_functions[])(void) = {
- 		test_imap_parser_crlf,
- 		test_imap_parser_partial_list,
-+		test_imap_parser_list_limit,
- 		test_imap_parser_read_tag_cmd,
- 		NULL
- 	};
--- a/SOURCES/dovecot-2.3-cve-2026-27857p3of5.patch
+++ b/SOURCES/dovecot-2.3-cve-2026-27857p3of5.patch
@ -1,71 +0,0 @@
-diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
-index 84e6a90db4..93966b2d15 100644
--- a/src/imap-login/imap-login-client.c
-+++ b/src/imap-login/imap-login-client.c
-@@ -380,11 +380,14 @@ static int imap_client_create(struct client *client)
- {
- 	struct imap_client *imap_client = (struct imap_client *)client;
- 
-+	struct imap_parser_params params = {
-+		.list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
-+	};
- 	imap_client->set = other_sets[0];
- 	imap_client->parser =
- 		imap_parser_create(imap_client->common.input,
- 				   imap_client->common.output,
-				   IMAP_LOGIN_MAX_LINE_LENGTH, NULL);
-+				   IMAP_LOGIN_MAX_LINE_LENGTH, &params);
- 	if (imap_client->set->imap_literal_minus)
- 		imap_parser_enable_literal_minus(imap_client->parser);
- 	client->io = io_add_istream(client->input, client_input, client);
-@@ -469,11 +472,14 @@ static void imap_client_starttls(struct client *client)
- {
- 	struct imap_client *imap_client = (struct imap_client *)client;
- 
-+	struct imap_parser_params params = {
-+		.list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
-+	};
- 	imap_parser_unref(&imap_client->parser);
- 	imap_client->parser =
- 		imap_parser_create(imap_client->common.input,
- 				   imap_client->common.output,
-				   IMAP_LOGIN_MAX_LINE_LENGTH, NULL);
-+				   IMAP_LOGIN_MAX_LINE_LENGTH, &params);
- 
- 	/* CRLF is lost from buffer when streams are reopened. */
- 	imap_client->skip_line = FALSE;
-diff --git a/src/imap-login/imap-login-client.h b/src/imap-login/imap-login-client.h
-index ffac6ec855..1ff88015b2 100644
--- a/src/imap-login/imap-login-client.h
-+++ b/src/imap-login/imap-login-client.h
-@@ -11,6 +11,10 @@
- /* maximum length for IMAP command line. */
- #define IMAP_LOGIN_MAX_LINE_LENGTH 8192
- 
-+/* Maximum number of '(' allowed in an IMAP command. Pre-login only uses
-+   lists in the ID command. */
-+#define IMAP_LOGIN_LIST_COUNT_LIMIT 1
-+
- enum imap_client_id_state {
- 	IMAP_CLIENT_ID_STATE_LIST = 0,
- 	IMAP_CLIENT_ID_STATE_KEY,
-diff --git a/src/imap-login/imap-login-cmd-id.c b/src/imap-login/imap-login-cmd-id.c
-index be2097f70b..a07b1f8f56 100644
--- a/src/imap-login/imap-login-cmd-id.c
-+++ b/src/imap-login/imap-login-cmd-id.c
-@@ -389,10 +389,14 @@ int cmd_id(struct imap_client *client)
- 
- 	if (client->cmd_id == NULL) {
- 		client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
-+
-+		struct imap_parser_params params = {
-+			.list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
-+		};
- 		id->parser = imap_parser_create(client->common.input,
- 						client->common.output,
- 						IMAP_LOGIN_MAX_LINE_LENGTH,
-						NULL);
-+						&params);
- 		if (client->set->imap_literal_minus)
- 			imap_parser_enable_literal_minus(id->parser);
- 		parser_flags = IMAP_PARSE_FLAG_STOP_AT_LIST;
--- a/SOURCES/dovecot-2.3-cve-2026-27857p4of5.patch
+++ b/SOURCES/dovecot-2.3-cve-2026-27857p4of5.patch
@ -1,48 +0,0 @@
-diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
-index 93966b2d15..7e7578d4d4 100644
--- a/src/imap-login/imap-login-client.c
-+++ b/src/imap-login/imap-login-client.c
-@@ -380,7 +380,7 @@ static int imap_client_create(struct client *client)
- {
- 	struct imap_client *imap_client = (struct imap_client *)client;
- 
-	struct imap_parser_params params = {
-+	const struct imap_parser_params params = {
- 		.list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
- 	};
- 	imap_client->set = other_sets[0];
-@@ -415,7 +415,7 @@ static void imap_client_starttls(struct
- {
- 	struct imap_client *imap_client = (struct imap_client *)client;
- 
-	struct imap_parser_params params = {
-+	const struct imap_parser_params params = {
- 		.list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
- 	};
- 	imap_parser_unref(&imap_client->parser);
-diff --git a/src/imap-login/imap-login-cmd-id.c b/src/imap-login/imap-login-cmd-id.c
-index a07b1f8f56..da254a2923 100644
--- a/src/imap-login/imap-login-cmd-id.c
-+++ b/src/imap-login/imap-login-cmd-id.c
-@@ -390,7 +390,7 @@ int cmd_id(struct imap_client *client)
- 	if (client->cmd_id == NULL) {
- 		client->cmd_id = id = i_new(struct imap_client_cmd_id, 1);
- 
-		struct imap_parser_params params = {
-+		const struct imap_parser_params params = {
- 			.list_count_limit = IMAP_LOGIN_LIST_COUNT_LIMIT,
- 		};
- 		id->parser = imap_parser_create(client->common.input,
-diff --git a/src/lib-imap/test-imap-parser.c b/src/lib-imap/test-imap-parser.c
-index 0350ea7352..fb7c308a23 100644
--- a/src/lib-imap/test-imap-parser.c
-+++ b/src/lib-imap/test-imap-parser.c
-@@ -95,7 +95,7 @@ static void test_imap_parser_list_limit(void)
- 	const struct imap_arg *args;
- 
- 	test_begin("imap parser list limit");
-	struct imap_parser_params params = {
-+	const struct imap_parser_params params = {
- 		.list_count_limit = 2,
- 	};
- 
--- a/SOURCES/dovecot-2.3-cve-2026-27857p5of5.patch
+++ b/SOURCES/dovecot-2.3-cve-2026-27857p5of5.patch
@ -1,14 +0,0 @@
-diff --git a/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c b/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c
-index 6965b511..33d6804c 100644
--- a/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c
-+++ b/dovecot-pigeonhole/src/plugins/imap-filter-sieve/cmd-filter-sieve.c
-@@ -379,7 +379,8 @@ bool cmd_filter_sieve(struct client_command_context *cmd)
- 	   asynchronously the same way as APPEND does. */
- 	client->input_lock = cmd;
- 	ctx->parser = imap_parser_create(client->input, client->output,
-					 client->set->imap_max_line_length);
-+					 client->set->imap_max_line_length,
-+					 NULL);
- 	if (client->set->imap_literal_minus)
- 		imap_parser_enable_literal_minus(ctx->parser);
- 	o_stream_unset_flush_callback(client->output);
--- a/SOURCES/dovecot-2.3-cve-2026-27858.patch
+++ b/SOURCES/dovecot-2.3-cve-2026-27858.patch
@ -1,17 +0,0 @@
-diff --git a/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c b/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c
-index cd7739d0..354e6746 100644
--- a/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c
-+++ b/dovecot-pigeonhole/src/managesieve-login/client-authenticate.c
-@@ -189,6 +189,11 @@ static int managesieve_client_auth_read_
- 		if ( i_stream_get_size
- 			(msieve_client->auth_response_input, FALSE, &resp_size) <= 0 )
- 			resp_size = 0;
-+		else if (resp_size > LOGIN_MAX_AUTH_BUF_SIZE) {
-+			client_destroy(client,
-+				       "Authentication response too large");
-+			return -1;
-+		}
- 
- 		if (client->auth_response == NULL)
- 			client->auth_response = str_new(default_pool, I_MAX(resp_size+1, 256));
-
--- a/SOURCES/dovecot-2.3-ph_optglob.patch
+++ b/SOURCES/dovecot-2.3-ph_optglob.patch
@ -0,0 +1,48 @@
+diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c
+--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c.ph_optglob	2024-06-04 09:11:28.514189662 +0200
+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/cmd-include.c	2024-06-04 09:18:23.219809778 +0200
+@@ -368,11 +368,13 @@ static bool opc_include_dump
+ 		return FALSE;
+ 
+ 	sieve_code_descend(denv);
+-	sieve_code_dumpf(denv, "script: `%s' from %s %s%s[ID: %d, BLOCK: %d]",
+	sieve_code_dumpf(denv, "script: `%s' from %s %s%s%s[ID: %d, BLOCK: %d]",
+ 		sieve_script_name(included->script), sieve_script_location(included->script),
+ 		((flags & EXT_INCLUDE_FLAG_ONCE) != 0 ? "(once) " : ""), 
+ 		((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0 ? "(optional) " : ""),
+-		include_id, sieve_binary_block_get_id(included->block));
+		(included->block == NULL ? "(missing) " : ""), 
+		include_id, 
+		(included->block == NULL ? -1 : sieve_binary_block_get_id(included->block)));
+ 
+ 	return TRUE;
+ }
+diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c
+--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c.ph_optglob	2023-09-14 15:18:26.000000000 +0200
+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/plugins/include/ext-include-common.c	2024-06-04 09:10:45.187823805 +0200
+@@ -693,6 +693,25 @@ int ext_include_execute_include(const st
+ 	}
+ 
+ 	ctx = ext_include_get_interpreter_context(this_ext, renv->interp);
+	if (included->block == NULL) {
+		if ((flags & EXT_INCLUDE_FLAG_OPTIONAL) != 0) {
+			sieve_runtime_trace(
+				renv, SIEVE_TRLVL_NONE,
+				"include: skipped include for script '%s' "
+				"[inc id: %d, block: NULL]; optional and unavailable",
+				sieve_script_name(included->script),
+				include_id);
+			return result;
+		} else {
+			sieve_runtime_trace(
+				renv, SIEVE_TRLVL_NONE,
+				"include: unavailable script '%s' "
+				"[inc id: %d, block: NULL]",
+				sieve_script_name(included->script),
+				include_id);
+			return SIEVE_EXEC_BIN_CORRUPT;
+		}
+	}
+ 	block_id = sieve_binary_block_get_id(included->block);
+ 
+ 	/* If :once modifier is specified, check for duplicate include */
--- a/SOURCES/dovecot-2.3-ph_scriptcmp.patch
+++ b/SOURCES/dovecot-2.3-ph_scriptcmp.patch
@ -0,0 +1,12 @@
+diff -up dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4 dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c
+--- dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c.testfix4	2024-06-03 13:35:24.408858593 +0200
+++ dovecot-2.3.21/dovecot-pigeonhole/src/lib-sieve/storage/file/sieve-file-script.c	2024-06-03 13:35:24.434858849 +0200
+@@ -800,7 +800,7 @@ static bool sieve_file_script_equals
+ 		(struct sieve_file_script *)other;
+ 
+ 	return ( CMP_DEV_T(fscript->st.st_dev, fother->st.st_dev) &&
+-		fscript->st.st_ino == fother->st.st_ino );
+		fscript->st.st_ino == fother->st.st_ino && (fscript->st.st_ino != 0 || script->location != NULL && other->location != NULL && strcmp(script->location, other->location) == 0));
+ }
+ 
+ /*
--- a/SOURCES/dovecot-2.3.11-bigkey.patch
+++ b/SOURCES/dovecot-2.3.11-bigkey.patch
--- a/SOURCES/dovecot-2.3.14-opensslv3.patch
+++ b/SOURCES/dovecot-2.3.14-opensslv3.patch
@ -0,0 +1,34 @@
+diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c
+--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3	2021-06-03 18:56:52.573174433 +0200
+++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c	2021-06-03 18:56:52.585174274 +0200
+@@ -73,10 +73,30 @@
+   2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
+ **/
+ 
+#if OPENSSL_VERSION_MAJOR == 3
+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
+{
+  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+  EVP_PKEY_set1_EC_KEY(key, eck);
+  EC_KEY_free(eck);
+  return eck;
+}
+
+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
+{
+  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+  EVP_PKEY_set1_EC_KEY(key, eck);
+  return eck;
+}
+
+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3 
+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
+#else
+ #ifndef HAVE_EVP_PKEY_get0
+ #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
+ #define EVP_PKEY_get0_RSA(x) x->pkey.rsa
+ #endif
+#endif
+ 
+ #ifndef HAVE_OBJ_LENGTH
+ #define OBJ_length(o) ((o)->length)
--- a/SOURCES/dovecot-2.3.15-fixvalcond.patch
+++ b/SOURCES/dovecot-2.3.15-fixvalcond.patch
@ -0,0 +1,24 @@
+diff -up dovecot-2.3.15/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c
+--- dovecot-2.3.15/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond	2021-06-21 23:07:55.269814896 +0200
+++ dovecot-2.3.15/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c	2021-06-21 23:07:55.298814544 +0200
+@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream
+ {
+ 	struct sieve_dict_script *dscript =
+ 		(struct sieve_dict_script *)script;
+-	const char *path, *name = script->name, *data, *error;
+	const char *path, *name = script->name, *data, *error = NULL;
+ 	int ret;
+ 
+ 	dscript->data_pool =
+diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c
+--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond	2021-06-14 15:40:37.000000000 +0200
+++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c	2021-06-21 21:52:22.963171229 +0200
+@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m
+ 				struct mail_attribute_value *value_r)
+ {
+ 	struct dict *dict;
+-	const char *mailbox_prefix, *error;
+	const char *mailbox_prefix, *error = NULL;
+ 	int ret;
+ 
+ 	i_zero(value_r);
--- a/SOURCES/dovecot-2.3.15-valbasherr.patch
+++ b/SOURCES/dovecot-2.3.15-valbasherr.patch
@ -0,0 +1,20 @@
+diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
+--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr	2021-06-21 22:52:53.272707239 +0200
+++ dovecot-2.3.15/run-test-valgrind.supp	2021-06-21 22:54:19.786668430 +0200
+@@ -1,4 +1,16 @@
+ {
+   <bashagin>
+   Memcheck:Leak
+   match-leak-kinds: definite
+   fun:malloc
+   fun:make_if_command
+   fun:yyparse
+   fun:parse_command
+   fun:read_command
+   fun:reader_loop
+   fun:main
+}
+{
+    <bash>
+    Memcheck:Leak
+    fun:malloc
--- a/SOURCES/dovecot-2.3.16-keeplzma.patch
+++ b/SOURCES/dovecot-2.3.16-keeplzma.patch
@ -1,353 +0,0 @@
-diff -up dovecot-2.3.16/configure.ac.keeplzma dovecot-2.3.16/configure.ac
--- dovecot-2.3.16/configure.ac.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/configure.ac	2022-02-28 13:58:02.337149927 +0100
-@@ -173,7 +173,7 @@ AS_HELP_STRING([--with-bzlib], [Build wi
-   want_bzlib=auto)
- 
- AC_ARG_WITH(lzma,
-AS_HELP_STRING([--with-lzma], [Build with LZMA decompression support (auto)]),
-+AS_HELP_STRING([--with-lzma], [Build with LZMA compression support (auto)]),
-   TEST_WITH(lzma, $withval),
-   want_lzma=auto)
- 
-diff -up dovecot-2.3.16/run-test-valgrind.supp.keeplzma dovecot-2.3.16/run-test-valgrind.supp
--- dovecot-2.3.16/run-test-valgrind.supp.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/run-test-valgrind.supp	2022-02-28 13:58:02.337149927 +0100
-@@ -5,6 +5,17 @@
-    obj:*/bash
- }
- {
-+   <liblzma>
-+   Memcheck:Cond
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   fun:lzma_stream_encoder
-+   fun:lzma_easy_encoder
-+}
-+{
-    <openssl_centos6_i386_v1_0_1_compression_methods>
-    Memcheck:Leak
-    fun:malloc
-diff -up dovecot-2.3.16/src/lib-compression/compression.c.keeplzma dovecot-2.3.16/src/lib-compression/compression.c
--- dovecot-2.3.16/src/lib-compression/compression.c.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/compression.c	2022-02-28 14:22:32.467944396 +0100
-@@ -25,6 +25,7 @@
- #endif
- #ifndef HAVE_LZMA
- #  define i_stream_create_lzma NULL
-+#  define o_stream_create_lzma NULL
- #endif
- #ifndef HAVE_LZ4
- #  define i_stream_create_lz4 NULL
-@@ -216,7 +217,7 @@ const struct compression_handler compres
- 		.ext = ".xz",
- 		.is_compressed = is_compressed_xz,
- 		.create_istream = i_stream_create_lzma,
-		.create_ostream = NULL,
-+		.create_ostream = o_stream_create_lzma,
- 		.get_min_level = compression_get_min_level_unsupported,
- 		.get_default_level = compression_get_default_level_unsupported,
- 		.get_max_level = compression_get_max_level_unsupported,
-diff -up dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma dovecot-2.3.16/src/lib-compression/Makefile.am
--- dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/Makefile.am	2022-02-28 13:58:02.337149927 +0100
-@@ -13,6 +13,7 @@ libcompression_la_SOURCES = \
- 	istream-zlib.c \
- 	istream-bzlib.c \
- 	istream-zstd.c \
-+	ostream-lzma.c \
- 	ostream-lz4.c \
- 	ostream-zlib.c \
- 	ostream-bzlib.c \
-diff -up dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma dovecot-2.3.16/src/lib-compression/ostream-lzma.c
--- dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma	2022-02-28 13:58:02.338149934 +0100
-+++ dovecot-2.3.16/src/lib-compression/ostream-lzma.c	2022-02-28 13:58:02.338149934 +0100
-@@ -0,0 +1,263 @@
-+/* Copyright (c) 2010-2018 Dovecot authors, see the included COPYING file */
-+
-+#include "lib.h"
-+
-+#ifdef HAVE_LZMA
-+
-+#include "ostream-private.h"
-+#include "ostream-zlib.h"
-+#include <lzma.h>
-+
-+#define CHUNK_SIZE (1024*64)
-+
-+struct lzma_ostream {
-+	struct ostream_private ostream;
-+	lzma_stream strm;
-+
-+	unsigned char outbuf[CHUNK_SIZE];
-+	unsigned int outbuf_offset, outbuf_used;
-+
-+	bool flushed:1;
-+};
-+
-+static void o_stream_lzma_close(struct iostream_private *stream,
-+				bool close_parent)
-+{
-+	struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
-+	i_assert(zstream->ostream.finished ||
-+		 zstream->ostream.ostream.stream_errno != 0 ||
-+		 zstream->ostream.error_handling_disabled);
-+	lzma_end(&zstream->strm);
-+	if (close_parent)
-+		o_stream_close(zstream->ostream.parent);
-+}
-+
-+static int o_stream_zlib_send_outbuf(struct lzma_ostream *zstream)
-+{
-+	ssize_t ret;
-+	size_t size;
-+
-+	if (zstream->outbuf_used == 0)
-+		return 1;
-+
-+	size = zstream->outbuf_used - zstream->outbuf_offset;
-+	i_assert(size > 0);
-+	ret = o_stream_send(zstream->ostream.parent,
-+			    zstream->outbuf + zstream->outbuf_offset, size);
-+	if (ret < 0) {
-+		o_stream_copy_error_from_parent(&zstream->ostream);
-+		return -1;
-+	}
-+	if ((size_t)ret != size) {
-+		zstream->outbuf_offset += ret;
-+		return 0;
-+	}
-+	zstream->outbuf_offset = 0;
-+	zstream->outbuf_used = 0;
-+	return 1;
-+}
-+
-+static ssize_t
-+o_stream_lzma_send_chunk(struct lzma_ostream *zstream,
-+			  const void *data, size_t size)
-+{
-+	lzma_stream *zs = &zstream->strm;
-+	int ret;
-+
-+	i_assert(zstream->outbuf_used == 0);
-+
-+	zs->next_in = (void *)data;
-+	zs->avail_in = size;
-+	while (zs->avail_in > 0) {
-+		if (zs->avail_out == 0) {
-+			/* previous block was compressed. send it and start
-+			   compression for a new block. */
-+			zs->next_out = zstream->outbuf;
-+			zs->avail_out = sizeof(zstream->outbuf);
-+
-+			zstream->outbuf_used = sizeof(zstream->outbuf);
-+			if ((ret = o_stream_zlib_send_outbuf(zstream)) < 0)
-+				return -1;
-+			if (ret == 0) {
-+				/* parent stream's buffer full */
-+				break;
-+			}
-+		}
-+
-+		ret = lzma_code(zs, LZMA_RUN);
-+		switch (ret) {
-+		case LZMA_OK:
-+			break;
-+		case LZMA_MEM_ERROR:
-+			i_fatal_status(FATAL_OUTOFMEM,
-+				       "lzma.write(%s): Out of memory",
-+				       o_stream_get_name(&zstream->ostream.ostream));
-+		default:
-+			i_panic("lzma.write(%s) failed with unexpected code %d",
-+				o_stream_get_name(&zstream->ostream.ostream), ret);
-+		}
-+	}
-+	size -= zs->avail_in;
-+
-+	return size;
-+}
-+
-+static int o_stream_lzma_send_flush(struct lzma_ostream *zstream, bool final)
-+{
-+	lzma_stream *zs = &zstream->strm;
-+	size_t len;
-+	bool done = FALSE;
-+	int ret;
-+
-+	i_assert(zs->avail_in == 0);
-+
-+	if (zstream->flushed) {
-+		i_assert(zstream->outbuf_used == 0);
-+		return 1;
-+	}
-+
-+	if ((ret = o_stream_flush_parent_if_needed(&zstream->ostream)) <= 0)
-+		return ret;
-+	if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
-+		return ret;
-+
-+	if (!final)
-+		return 1;
-+
-+	i_assert(zstream->outbuf_used == 0);
-+	do {
-+		len = sizeof(zstream->outbuf) - zs->avail_out;
-+		if (len != 0) {
-+			zs->next_out = zstream->outbuf;
-+			zs->avail_out = sizeof(zstream->outbuf);
-+
-+			zstream->outbuf_used = len;
-+			if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
-+				return ret;
-+			if (done)
-+				break;
-+		}
-+		ret = lzma_code(zs, LZMA_FINISH);
-+		switch (ret) {
-+		case LZMA_OK:
-+			/* still unfinished - need to call lzma_code() again */
-+			break;
-+		case LZMA_STREAM_END:
-+			/* output is fully finished */
-+			done = TRUE;
-+			break;
-+		case LZMA_MEM_ERROR:
-+			i_fatal_status(FATAL_OUTOFMEM,
-+				       "lzma.write(%s): Out of memory",
-+				       o_stream_get_name(&zstream->ostream.ostream));
-+		default:
-+			i_panic("lzma.write(%s) flush failed with unexpected code %d",
-+				o_stream_get_name(&zstream->ostream.ostream), ret);
-+		}
-+	} while (zs->avail_out != sizeof(zstream->outbuf));
-+
-+	if (final)
-+		zstream->flushed = TRUE;
-+	i_assert(zstream->outbuf_used == 0);
-+	return 1;
-+}
-+
-+static int o_stream_lzma_flush(struct ostream_private *stream)
-+{
-+	struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
-+	int ret;
-+
-+	if ((ret = o_stream_lzma_send_flush(zstream, stream->finished)) < 0)
-+		return -1;
-+	else if (ret > 0)
-+		return o_stream_flush_parent(stream);
-+	return ret;
-+}
-+
-+static size_t
-+o_stream_lzma_get_buffer_used_size(const struct ostream_private *stream)
-+{
-+	const struct lzma_ostream *zstream =
-+		(const struct lzma_ostream *)stream;
-+
-+	/* outbuf has already compressed data that we're trying to send to the
-+	   parent stream. We're not including lzma's internal compression
-+	   buffer size. */
-+	return (zstream->outbuf_used - zstream->outbuf_offset) +
-+		o_stream_get_buffer_used_size(stream->parent);
-+}
-+
-+static size_t
-+o_stream_lzma_get_buffer_avail_size(const struct ostream_private *stream)
-+{
-+	/* FIXME: not correct - this is counting compressed size, which may be
-+	   too larger than uncompressed size in some situations. Fixing would
-+	   require some kind of additional buffering. */
-+	return o_stream_get_buffer_avail_size(stream->parent);
-+}
-+
-+static ssize_t
-+o_stream_lzma_sendv(struct ostream_private *stream,
-+		    const struct const_iovec *iov, unsigned int iov_count)
-+{
-+	struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
-+	ssize_t ret, bytes = 0;
-+	unsigned int i;
-+
-+	if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0) {
-+		/* error / we still couldn't flush existing data to
-+		   parent stream. */
-+		return ret;
-+	}
-+
-+	for (i = 0; i < iov_count; i++) {
-+		ret = o_stream_lzma_send_chunk(zstream, iov[i].iov_base,
-+						iov[i].iov_len);
-+		if (ret < 0)
-+			return -1;
-+		bytes += ret;
-+		if ((size_t)ret != iov[i].iov_len)
-+			break;
-+	}
-+	stream->ostream.offset += bytes;
-+
-+	/* avail_in!=0 check is used to detect errors. if it's non-zero here
-+	   it simply means we didn't send all the data */
-+	zstream->strm.avail_in = 0;
-+	return bytes;
-+}
-+
-+struct ostream *o_stream_create_lzma(struct ostream *output, int level)
-+{
-+	struct lzma_ostream *zstream;
-+	lzma_ret ret;
-+
-+	i_assert(level >= 1 && level <= 9);
-+
-+	zstream = i_new(struct lzma_ostream, 1);
-+	zstream->ostream.sendv = o_stream_lzma_sendv;
-+	zstream->ostream.flush = o_stream_lzma_flush;
-+	zstream->ostream.get_buffer_used_size =
-+		o_stream_lzma_get_buffer_used_size;
-+	zstream->ostream.get_buffer_avail_size =
-+		o_stream_lzma_get_buffer_avail_size;
-+	zstream->ostream.iostream.close = o_stream_lzma_close;
-+
-+	ret = lzma_easy_encoder(&zstream->strm, level, LZMA_CHECK_CRC64);
-+	switch (ret) {
-+	case LZMA_OK:
-+		break;
-+	case LZMA_MEM_ERROR:
-+		i_fatal_status(FATAL_OUTOFMEM, "lzma: Out of memory");
-+	case LZMA_OPTIONS_ERROR:
-+		i_fatal("lzma: Invalid level");
-+	default:
-+		i_fatal("lzma_easy_encoder() failed with %d", ret);
-+	}
-+
-+	zstream->strm.next_out = zstream->outbuf;
-+	zstream->strm.avail_out = sizeof(zstream->outbuf);
-+	return o_stream_create(&zstream->ostream, output,
-+			       o_stream_get_fd(output));
-+}
-+#endif
-diff -up dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma dovecot-2.3.16/src/lib-compression/ostream-zlib.h
--- dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/ostream-zlib.h	2022-02-28 13:58:02.338149934 +0100
-@@ -4,6 +4,7 @@
- struct ostream *o_stream_create_gz(struct ostream *output, int level);
- struct ostream *o_stream_create_deflate(struct ostream *output, int level);
- struct ostream *o_stream_create_bz2(struct ostream *output, int level);
-+struct ostream *o_stream_create_lzma(struct ostream *output, int level);
- struct ostream *o_stream_create_lz4(struct ostream *output, int level);
- struct ostream *o_stream_create_zstd(struct ostream *output, int level);
- 
-diff -up dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma dovecot-2.3.16/src/lib-compression/test-compression.c
--- dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/test-compression.c	2022-02-28 13:58:02.338149934 +0100
-@@ -730,7 +730,6 @@ static void test_compression_int(bool au
- 
- 	for (i = 0; compression_handlers[i].name != NULL; i++) {
- 		if (compression_handlers[i].create_istream != NULL &&
-		    compression_handlers[i].create_ostream != NULL &&
- 		    (!autodetect ||
- 		     compression_handlers[i].is_compressed != NULL)) T_BEGIN {
- 			if (compression_handlers[i].is_compressed != NULL &&
--- a/SOURCES/dovecot-2.3.18-9f300239..4596d399.patch
+++ b/SOURCES/dovecot-2.3.18-9f300239..4596d399.patch
@ -8,10 +8,10 @@ Subject: [PATCH 01/12] lib-sieve: sieve-interpreter - Fix field mixup in debug
 src/lib-sieve/sieve-interpreter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c b/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c
+diff --git a/src/lib-sieve/sieve-interpreter.c b/src/lib-sieve/sieve-interpreter.c
 index 9ee6c659..274e142d 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-interpreter.c
+--- a/src/lib-sieve/sieve-interpreter.c
+++ b/src/lib-sieve/sieve-interpreter.c
@@ -1003,8 +1003,8 @@ int sieve_interpreter_continue(struct sieve_interpreter *interp,
 		}
 		e_debug(e->event(), "Finished running script `%s' "
@ -33,10 +33,10 @@ Subject: [PATCH 02/12] lib-sieve: sieve-result - Remove success parameter from
 src/lib-sieve/sieve-result.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index 55eb9f54..d3f2f925 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1475,8 +1475,7 @@ void sieve_result_execution_destroy(struct sieve_result_execution **_rexec)
 }
 
@ -108,10 +108,10 @@ Subject: [PATCH 03/12] lib-sieve: sieve-result - Remove success parameter from
 src/lib-sieve/sieve-result.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index d3f2f925..3cf2c02a 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1603,8 +1603,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
 }
 
@ -162,10 +162,10 @@ Subject: [PATCH 04/12] lib-sieve: sieve-result - Move temp failure status
 src/lib-sieve/sieve-result.c | 38 ++++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 12 deletions(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index 3cf2c02a..44afeef7 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -934,6 +934,7 @@ struct sieve_result_execution {
 	bool keep_success:1;
 	bool keep_explicit:1;
@ -243,10 +243,10 @@ Subject: [PATCH 05/12] lib-sieve: sieve-result - Move temp failure status
 src/lib-sieve/sieve-result.c | 56 +++++++++++++++++++++---------------
 1 file changed, 33 insertions(+), 23 deletions(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index 44afeef7..10cc3b95 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1629,7 +1629,20 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
 	struct sieve_result_action *ract_keep = &rexec->keep_action;
 	struct sieve_action *act_keep = &ract_keep->action;
@ -334,10 +334,10 @@ only be rolled back.
 src/lib-sieve/sieve-result.c | 2 --
 1 file changed, 2 deletions(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index 10cc3b95..82354831 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1494,8 +1494,6 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
 		break;
 	case SIEVE_EXEC_TEMP_FAILURE:
@ -358,10 +358,10 @@ Subject: [PATCH 07/12] lib-sieve: sieve-result - Fix handling of resource
 src/lib-sieve/sieve-result.c | 1 +
 1 file changed, 1 insertion(+)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index 82354831..96582075 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1980,6 +1980,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
 				result_status = SIEVE_EXEC_FAILURE;
 			break;
@ -385,10 +385,10 @@ of delivery when the mail user is destroyed.
 src/lib-sieve/sieve-result.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index 96582075..10ea349c 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1627,7 +1627,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
 	struct sieve_result_action *ract_keep = &rexec->keep_action;
 	struct sieve_action *act_keep = &ract_keep->action;
@ -439,10 +439,10 @@ Subject: [PATCH 09/12] lib-sieve: sieve-result - Assert that implicit keep is
 src/lib-sieve/sieve-result.c | 2 ++
 1 file changed, 2 insertions(+)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index 10ea349c..de97d6ae 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1691,6 +1691,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
 	if (act_keep->def == NULL)
 		return rexec->keep_status;
@ -463,10 +463,10 @@ Subject: [PATCH 10/12] lib-sieve: sieve-result - Add debug messages for temp
 src/lib-sieve/sieve-result.c | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index de97d6ae..c21c8017 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1494,10 +1494,21 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
 		break;
 	case SIEVE_EXEC_TEMP_FAILURE:
@ -528,10 +528,10 @@ Subject: [PATCH 11/12] lib-sieve: sieve-result - Indicate in
 src/lib-sieve/sieve-result.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index c21c8017..6f3cb954 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1796,10 +1796,11 @@ sieve_result_transaction_execute(struct sieve_result_execution *rexec,
 	}
 
@ -558,10 +558,10 @@ Subject: [PATCH 12/12] lib-sieve: sieve-result - Indicate in
 src/lib-sieve/sieve-result.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-diff --git a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
 index 6f3cb954..effd6f28 100644
--- a/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
-+++ b/dovecot-pigeonhole/src/lib-sieve/sieve-result.c
+--- a/src/lib-sieve/sieve-result.c
+++ b/src/lib-sieve/sieve-result.c
@@ -1859,10 +1859,11 @@ sieve_result_transaction_commit_or_rollback(
 	}
 
--- a/SOURCES/dovecot-2.3.6-opensslhmac.patch
+++ b/SOURCES/dovecot-2.3.6-opensslhmac.patch
@ -388,16 +388,16 @@ diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c
 
 	/* salt and info can be NULL */
 	i_assert(salt != NULL || salt_len == 0);
-@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method
+@@ -118,35 +192,36 @@ void hmac_hkdf(const struct hash_method
 	i_assert(ikm != NULL && ikm_len > 0);
 	i_assert(okm_r != NULL && okm_len > 0);
 
-	/* but they still need valid pointer, reduces
-	   complains from static analysers */
-	if (salt == NULL)
-		salt = &uchar_nul;
-	if (info == NULL)
-		info = &uchar_nul;
+ 	/* but they still need valid pointer, reduces
+ 	   complains from static analysers */
+ 	if (salt == NULL)
+ 		salt = &uchar_nul;
+ 	if (info == NULL)
+ 		info = &uchar_nul;
 -
 -	/* extract */
 -	hmac_init(&key_mac, salt, salt_len, method);
--- a/SOURCES/dovecot.sysusers
+++ b/SOURCES/dovecot.sysusers
@ -0,0 +1,9 @@
+#Type Name    ID    GECOS                       Home directory       Shell
+g     dovecot 97
+u     dovecot 97   "Dovecot IMAP server"        /usr/libexec/dovecot /sbin/nologin
+m     dovecot dovecot
+
+g     dovenull -
+u     dovenull -   "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
+m     dovenull dovenull
+
--- a/SOURCES/dovecot.tmpfilesd
+++ b/SOURCES/dovecot.tmpfilesd
@ -1,2 +1,3 @@
 d /run/dovecot 0755 root dovecot -
+d /var/lib/dovecot 0750 dovecot dovecot - -

--- a/SPECS/dovecot.spec
+++ b/SPECS/dovecot.spec
@ -1,26 +1,28 @@
 %global __provides_exclude_from %{_docdir}
 %global __requires_exclude_from %{_docdir}
+
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
 Version: 2.3.16
 %global prever %{nil}
-Release: 7%{?dist}
+Release: 16%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
-Group: System Environment/Daemons

-URL: http://www.dovecot.org/
-Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
+URL: https://www.dovecot.org/
+Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
 %global pigeonholever 0.5.16
-Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
+Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd

 #our own
 Source14: dovecot.conf.5
+Source15: prestartscript
+Source16: dovecot.sysusers

 # 3x Fedora/RHEL specific
 Patch1: dovecot-2.0-defaultconfig.patch
@ -32,80 +34,69 @@ Patch6: dovecot-2.1.10-waitonline.patch

 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
-
-# sent upstream, rhbz#1630380
-Patch11: dovecot-2.2.36-aclfix.patch
-
-Patch13: dovecot-2.2.36-bigkey.patch
+Patch15: dovecot-2.3.11-bigkey.patch

 # do not use own implementation of HMAC, use OpenSSL for certification purposes
 # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
 # hard to break circular dependency between lib and lib-dcrypt
-Patch14: dovecot-2.3.6-opensslhmac.patch
+Patch16: dovecot-2.3.6-opensslhmac.patch

-# from upstream, for dovecot < 2.3.17, s390x FTBFS fix
-Patch15: dovecot-2.3.16-ftbfsbigend.patch
-Patch16: dovecot-2.3.16-keeplzma.patch
+Patch17: dovecot-2.3.14-opensslv3.patch
+
+# FTBFS
+Patch18: dovecot-2.3.15-fixvalcond.patch
+Patch19: dovecot-2.3.15-valbasherr.patch
+Patch20: dovecot-2.3.16-ftbfsbigend.patch

 # from upstream, for <= 2.3.19.1, rhbz#2106232
-Patch17: dovecot-2.3.19.1-7bad6a24.patch
+Patch21: dovecot-2.3.19.1-7bad6a24.patch

 # from upstream, for < 2.3.19.1, rhbz#2128857
-Patch18: dovecot-2.3.18-9f300239..4596d399.patch
-Patch19: dovecot-2.3.18-bdf447e4.patch
+Patch22: dovecot-2.3.18-bdf447e4.patch
+Patch23: dovecot-2.3.18-9f300239..4596d399.patch

-# from upstream, for < 2.3.21, RHEL-22854
-Patch20: dovecot-2.3.16-d7705bc6.patch
+# from upstream, for < 2.3.21, RHEL-25434
+Patch24: dovecot-2.3.16-d7705bc6.patch

-# from upstream for < 2.3.21.1, RHEL-55206
-# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
-Patch21: dovecot-2.3.21.1-CVE-2024-23184.patch
-
-# from upstream for < 2.3.21.1, RHEL-55219
-# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch
-Patch22: dovecot-2.3.21.1-CVE-2024-23185.patch
+# sent upstream, issue #RHEL-52541
+Patch25: dovecot-2.3-ph_optglob.patch
+Patch26: dovecot-2.3-ph_scriptcmp.patch

 # fix test failing due to too long path with all the mock path prefixes
-Patch23: dovecot-2.3.21-test-socket-path.patch
+Patch27: dovecot-2.3.21-test-socket-path.patch

-# from upstream for < 2.4.3, RHEL-161630
-# https://github.com/dovecot/pigeonhole/commit/54f645225a8a7911d7e16e9d50f170d217b0be95
-Patch24: dovecot-2.3-cve-2026-27858.patch
+# from upstream for < 2.3.21.1, RHEL-55212
+# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
+Patch28: dovecot-2.3.21.1-CVE-2024-23184.patch

-# from upstream for < 2.4.3, RHEL-162282
-# https://github.com/dovecot/pigeonhole/commit/efb68fac3a9d2d04d38c4ab14dd570cf0c23923c
-Patch25: dovecot-2.3-cve-2025-59032.patch
+# from upstream for < 2.3.21.1, RHEL-55224
+# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch
+Patch29: dovecot-2.3.21.1-CVE-2024-23185.patch

-# from upstream for < 2.4.3, RHEL-161669
-# https://github.com/dovecot/core/commit/825bc297f87b856992aa14beac596ec838248210
-Patch26: dovecot-2.3-cve-2026-27857p1of5.patch
-# https://github.com/dovecot/core/commit/d0f67b52914565a35f3817335ab9633cb291513c
-Patch27: dovecot-2.3-cve-2026-27857p2of5.patch
-# https://github.com/dovecot/core/commit/af1fb4da5c1c5c458dc1d54dee3aefde6d3aa835
-Patch28: dovecot-2.3-cve-2026-27857p3of5.patch
-# https://github.com/dovecot/core/commit/3435e0d44c131eb1046a84fd83798f1e101b725e
-Patch29: dovecot-2.3-cve-2026-27857p4of5.patch
-# https://github.com/dovecot/pigeonhole/commit/5701db04455ee4d8e927d0b225634780a9b656b4
-Patch30: dovecot-2.3-cve-2026-27857p5of5.patch
-
-Source15: prestartscript
-
-BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
+BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
 BuildRequires: libtool, autoconf, automake, pkgconfig
 BuildRequires: sqlite-devel
-BuildRequires: postgresql-devel
-#BuildRequires: libpq-devel
+BuildRequires: libpq-devel
 BuildRequires: mariadb-connector-c-devel
-#BuildRequires: libxcrypt-devel
+BuildRequires: libxcrypt-devel
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel
 BuildRequires: quota-devel
+BuildRequires: rpcgen
 BuildRequires: xz-devel
 BuildRequires: lz4-devel
+BuildRequires: libzstd-devel
+%if %{?rhel}0 == 0
+BuildRequires: libsodium-devel
+%endif
+BuildRequires: libicu-devel
+BuildRequires: libexttextcat-devel
+BuildRequires: libstemmer-devel
 BuildRequires: multilib-rpm-config
-#BuildRequires: libsodium-devel
-#BuildRequires: libexttextcat-devel
-#BuildRequires: libstemmer-devel
+BuildRequires: flex, bison
+BuildRequires: systemd-devel
+# for dovecot.sysusers
+BuildRequires: systemd-rpm-macros 

 # gettext-devel is needed for running autoconf because of the
 # presence of AM_ICONV
@ -116,33 +107,19 @@ Requires: openssl >= 0.9.7f-4

 # Package includes an initscript service file, needs to require initscripts package
 Requires(pre): shadow-utils
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 Requires: systemd
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-%else
-Requires: initscripts
-Requires(post): chkconfig
-Requires(preun): chkconfig initscripts
-Requires(postun): initscripts
-%endif

-%if %{?fedora}0 > 150 || %{?rhel}0 >60
-#clucene in fedora <=15 and rhel<=6 is too old
 BuildRequires: clucene-core-devel
-%endif

 %global ssldir %{_sysconfdir}/pki/%{name}

-%if %{?fedora}00%{?rhel} < 6
-%global _initddir %{_initrddir}
-BuildRequires: curl-devel expat-devel
-%else
 BuildRequires: libcurl-devel expat-devel
-%endif
+BuildRequires: make

-%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install
+%global restart_flag /run/%{name}/%{name}-restart-after-rpm-install

 %description
 Dovecot is an IMAP server for Linux/UNIX-like systems, written with security 
@ -154,7 +131,6 @@ The SQL drivers and authentication plug-ins are in their subpackages.
 %package pigeonhole
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: Sieve and managesieve plug-in for dovecot
-Group: System Environment/Daemons
 License: MIT and LGPLv2

 %description pigeonhole
@ -163,21 +139,18 @@ This package provides sieve and managesieve plug-in for dovecot LDA.
 %package pgsql
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: Postgres SQL back end for dovecot
-Group: System Environment/Daemons
 %description pgsql
 This package provides the Postgres SQL back end for dovecot-auth etc.

 %package mysql
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: MySQL back end for dovecot
-Group: System Environment/Daemons
 %description mysql
 This package provides the MySQL back end for dovecot-auth etc.

 %package devel
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: Development files for dovecot
-Group: Development/Libraries
 %description devel
 This package provides the development files for dovecot.

@ -193,26 +166,27 @@ mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole
 %patch -P 6 -p1 -b .waitonline
 %patch -P 8 -p1 -b .initbysystemd
 %patch -P 9 -p1 -b .systemd_w_protectsystem
-%patch -P 11 -p1 -b .aclfix
-%patch -P 13 -p1 -b .bigkey
-%patch -P 14 -p1 -b .opensslhmac
-%patch -P 15 -p1 -b .ftbfsbigend
-%patch -P 16 -p1 -b .keeplzma
-%patch -P 17 -p1 -b .7bad6a24
-%patch -P 18 -p1 -b .9f300239..4596d399
-%patch -P 19 -p1 -b .bdf447e4
-%patch -P 20 -p1 -b .d7705bc6
-%patch -P 21 -p1 -b .CVE-2024-23184
-%patch -P 22 -p1 -b .CVE-2024-23185
-%patch -P 23 -p1 -b .test-socket-path
-%patch -P 24 -p1 -b .cve-2026-27858
-%patch -P 25 -p1 -b .cve-2025-59032
-%patch -P 26 -p1 -b .cve-2026-27857p1of5
-%patch -P 27 -p1 -b .cve-2026-27857p2of5
-%patch -P 28 -p1 -b .cve-2026-27857p3of5
-%patch -P 29 -p1 -b .cve-2026-27857p4of5
-%patch -P 30 -p1 -b .cve-2026-27857p5of5
+%patch -P 15 -p1 -b .bigkey
+%patch -P 16 -p1 -b .opensslhmac
+%patch -P 17 -p1 -b .opensslv3
+%patch -P 18 -p1 -b .fixvalcond
+%patch -P 19 -p1 -b .valbasherr
+%patch -P 20 -p1 -b .ftbfsbigend
+%patch -P 21 -p1 -b .7bad6a24
+%patch -P 22 -p1 -b .bdf447e4
+%patch -P 24 -p1 -b .d7705bc6
+%patch -P 25 -p1 -b .ph_optglob
+%patch -P 26 -p1 -b .ph_scriptcmp
+%patch -P 27 -p1 -b .test-socket-path
+%patch -P 28 -p1 -b .CVE-2024-23184
+%patch -P 29 -p1 -b .CVE-2024-23185
+cp run-test-valgrind.supp dovecot-pigeonhole/
+# valgrind would fail with shell wrapper
+echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude

+pushd dovecot-pigeonhole
+%patch -P 23 -p1 -b .9f300239..4596d399
+popd
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in

 %build
@ -220,11 +194,8 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src
 %global _hardened_build 1
 export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none"
 export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
-# el6 autoconf too old to regen; use packaged files (#1082384)
-%if %{?fedora}00%{?rhel} > 6
 mkdir -p m4
 autoreconf -I . -fiv #required for aarch64 support
-%endif
 %configure                       \
    INSTALL_DATA="install -c -p -m644" \
    --with-rundir=%{_rundir}/%{name}   \
@ -242,17 +213,18 @@ autoreconf -I . -fiv #required for aarch64 support
    --with-mysql                 \
    --with-sqlite                \
    --with-zlib                  \
+    --with-zstd                  \
    --with-libcap                \
+    --with-icu                   \
    --with-lucene                \
    --with-ssl=openssl           \
    --with-ssldir=%{ssldir}      \
    --with-solr                  \
    --with-systemdsystemunitdir=%{_unitdir}  \
    --with-docs
-
 sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf

-make %{?_smp_mflags}
+%make_build

 #pigeonhole
 pushd dovecot-pigeonhole
@ -267,13 +239,13 @@ pushd dovecot-pigeonhole
    --with-dovecot=../                 \
    --without-unfinished-features

-make %{?_smp_mflags}
+%make_build
 popd

 %install
 rm -rf $RPM_BUILD_ROOT

-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install

 # move doc dir back to build dir so doc macro in files section can use it
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
@ -282,17 +254,13 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/
 %multilib_fix_c_header --file %{_includedir}/dovecot/config.h

 pushd dovecot-pigeonhole
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install

 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole

 install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
 popd

-%if %{?fedora}00%{?rhel} < 6
-sed -i 's|password-auth|system-auth|' %{SOURCE2}
-%endif
-
 install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot

 #install man pages
@ -301,6 +269,8 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5
 #install waitonline script
 install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript

+install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.conf
+
 # generate ghost .pem files
 mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs
 mkdir -p $RPM_BUILD_ROOT%{ssldir}/private
@ -309,14 +279,9 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem
 touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
 chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem

-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf
-%else
-install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot
-install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot
-%endif

-mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login}
+mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login}

 # Install dovecot configuration and dovecot-openssl.cnf
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
@ -343,82 +308,73 @@ popd

 %pre
 #dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid 
-getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot
-getent passwd dovecot >/dev/null || \
-useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot
+%sysusers_create_compat %{SOURCE16}

-getent group dovenull >/dev/null || groupadd -r dovenull
-getent passwd dovenull >/dev/null || \
-useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull
+if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
+then
+  # during LEAPP upgrade, services are not running anyway

-# do not let dovecot run during upgrade rhbz#134325
-if [ "$1" = "2" ]; then
-  rm -f %restart_flag
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
-  /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||:
-  /bin/systemctl stop %{name}.service >/dev/null 2>&1
-%else
-  /sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||:
-  /sbin/service %{name} stop >/dev/null 2>&1
-%endif
+  # do not let dovecot run during upgrade rhbz#134325
+  if [ "$1" = "2" ]; then
+    rm -f %restart_flag
+    /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||:
+    /bin/systemctl stop %{name}.service >/dev/null 2>&1
+  fi
 fi

 %post
 if [ $1 -eq 1 ]
 then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
  %systemd_post dovecot.service
-%else
-  /sbin/chkconfig --add %{name}
-%endif
 fi

-install -d -m 0755 -g dovecot -d /var/run/dovecot
-install -d -m 0755 -d /var/run/dovecot/empty
-install -d -m 0750 -g dovenull -d /var/run/dovecot/login
-install -d -m 0750 -g dovenull -d /var/run/dovecot/token-login
-[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot ||:
+install -d -m 0755 -g dovecot -d /run/dovecot
+install -d -m 0755 -d /run/dovecot/empty
+install -d -m 0750 -g dovenull -d /run/dovecot/login
+install -d -m 0750 -g dovenull -d /run/dovecot/token-login
+[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot ||:

 %preun
 if [ $1 = 0 ]; then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
        /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || :
        /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || :
-%else
-    /sbin/service %{name} stop > /dev/null 2>&1
-    /sbin/chkconfig --del %{name}
-%endif
-    rm -rf /var/run/dovecot
+    rm -rf /run/dovecot
 fi

 %postun
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-%endif
+if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
+then
+  # during LEAPP upgrade, services are not running anyway
+  /bin/systemctl daemon-reload >/dev/null 2>&1 || :

-if [ "$1" -ge "1" -a -e %restart_flag ]; then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
-    /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
-%else
-    /sbin/service %{name} start >/dev/null 2>&1 || :
-%endif
-rm -f %restart_flag
+  if [ "$1" -ge "1" -a -e %restart_flag ]; then
+      /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
+  rm -f %restart_flag
+  fi
 fi

 %posttrans
-# dovecot should be started again in %%postun, but it's not executed on reinstall
-# if it was already started, restart_flag won't be here, so it's ok to test it again
-if [ -e %restart_flag ]; then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
+
+if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
+then
+  # during LEAPP upgrade, services are not running anyway
+
+  # dovecot should be started again in %%postun, but it's not executed on reinstall
+  # if it was already started, restart_flag won't be here, so it's ok to test it again
+  if [ -e %restart_flag ]; then
    /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
-%else
-    /sbin/service %{name} start >/dev/null 2>&1 || :
-%endif
-rm -f %restart_flag
+    rm -f %restart_flag
+  fi
 fi

 %check
+# some time sensitive tests fail on aarch64, just log the result
+%ifarch aarch64
+make check ||:
+%else
 make check
+%endif
+
 cd dovecot-pigeonhole
 make check

@ -432,15 +388,11 @@ make check
 %{_bindir}/dovecot-sysreport


-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 %_tmpfilesdir/dovecot.conf
+%{_sysusersdir}/dovecot.conf
 %{_unitdir}/dovecot.service
 %{_unitdir}/dovecot-init.service
 %{_unitdir}/dovecot.socket
-%else
-%{_initddir}/dovecot
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot
-%endif

 %dir %{_sysconfdir}/dovecot
 %dir %{_sysconfdir}/dovecot/conf.d
@ -511,10 +463,10 @@ make check
 %{_libexecdir}/%{name}
 %exclude %{_libexecdir}/%{name}/managesieve*

-%dir %attr(0755,root,dovecot) %ghost /var/run/dovecot
-%attr(0750,root,dovenull) %ghost /var/run/dovecot/login
-%attr(0750,root,dovenull) %ghost /var/run/dovecot/token-login
-%attr(0755,root,root) %ghost /var/run/dovecot/empty
+%dir %attr(0755,root,dovecot) %ghost /run/dovecot
+%attr(0750,root,dovenull) %ghost /run/dovecot/login
+%attr(0750,root,dovenull) %ghost /run/dovecot/token-login
+%attr(0755,root,root) %ghost /run/dovecot/empty

 %attr(0750,dovecot,dovecot) /var/lib/dovecot

@ -572,122 +524,270 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so

 %changelog
-* Mon Apr 13 2026 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-7
- fix CVE-2026-27858: denial of service via crafted message before authentication (RHEL-161630)
- fix CVE-2025-59032: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command (RHEL-162282)
- fix CVE-2026-27857: denial of service via specially crafted NOOP command (RHEL-161669)
+* Mon Jan 12 2026 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-16
+- add /var/lib/dovecot to tmpfiles for image mode (RHEL-139098)
+- fix building with latest openssl (RHEL-140619)

-* Tue Aug 20 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6
- fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55219)
- fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55206)
+* Wed Feb 05 2025 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-15
+- fix sysusers config file name (RHEL-77322)

-* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5
- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-22854)
+* Tue Aug 20 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-14
+- fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55212)
+- fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55224)

-* Fri Aug 04 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
- fix leaking mailboxes if virtual mailbox can't be opened (#2128857)
+* Mon Aug 05 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-13
+- rebuild with updated tests

-* Tue Jul 19 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
- fix possible privilege escalation when similar master and non-master passdbs are used (#2106231)
+* Mon Aug 05 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-12
+- fix crash when user has sieve script that includes two missing scripts (RHEL-37160)

-* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2
- do not disable xz/lzma for now despite being deprecated
+* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-11
+- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-25434)

-* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
+* Tue Aug 15 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-10
+- fix leaking mailboxes if virtual mailbox can't be opened (#2231408)
+
+* Sat May 27 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-9
+- add buildrequire of rpcgen to enable rquota support(#2157045)
+
+* Tue Sep 13 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-8
+- do not run systemd commands during leapp upgrade (#2119385)
+
+* Tue Jul 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-7
+- fix possible privilege escalation when similar master and non-master passdbs are used (#2106232)
+
+* Wed Jul 06 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6
+- fix possible nonzero return value of postinst script(#2053368)
+
+* Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5
+- workaround sysuers macro defficiency (#2095399)
+
+* Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
+- use systemd-sysusers for user creation (#2095399)
+
+* Wed Nov 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
+- re-enable LTO build (#1990080)
+
+* Wed Oct 27 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2
+- set first_valid_uid to 1000 to match system default (#2009716)
+
+* Fri Aug 20 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
 - dovecot updated to 2.3.16, pigeonhole to 0.5.16
- fix CVE-2021-33515 plaintext commands injection (#1980014)
+- fixes several regressions (#1997583)

-* Wed Feb 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-9
- fix CVE-2020-24386 IMAP hibernation function allows mail access (#1913534)
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.15-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688

-* Tue Jan 12 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-8
- fix CVE-2020-25275 denial of service via mail MIME parsing (#1914019)
+* Wed Jul 21 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.15-1
+- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15
+- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
+  JWT tokens. This may be used to supply attacker controlled keys to
+  validate tokens, if attacker has local access (#1979833)
+- CVE-2021-33515: On-path attacker could have injected plaintext commands
+  before STARTTLS negotiation that would be executed after STARTTLS
+  finished with the client
+- Add TSLv1.3 support to min_protocols.

-* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-7
- change run directory from /var/run to /run (#1805947)
+* Wed Jul 14 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-5
+- fix mail storage block count parsing (#1974281)

-* Wed Dec 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-6
- fix mail storage block count parsing (#1894418)
- MIME parser crashed when boundaries were wrong (#1888111)
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-4
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065

-* Mon Nov 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-5
- multilib compatibility (#1853137)
+* Fri Jun 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-3
+- compatibility with openssl 3.0 (#1962035)

-* Fri Aug 07 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-4
- fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1866756)
- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1866761)
- fix CVE-2020-12674 crash due to assert in RPA implementation (#1866768)
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

-* Mon Jun 01 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-3
- fix CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS (#1840354)
- fix CVE-2020-10958 dovecot: command followed by sufficient number of newlines
-  leads to use-after-free (#1840357)
- fix CVE-2020-10967 dovecot: sending mail with empty quoted localpart
-  leads to DoS (#1840356)
+* Mon Mar 22 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-1
+- dovecot updated to 2.3.14, pigeonhole to 0.5.14
+- use OpenSSL's implementation of HMAC
+- Remove autocreate, expire, snarf and mail-filter plugins.
+- Remove cydir storage driver.
+- Remove XZ/LZMA write support. Read support will be removed in future release.

-* Thu Jan 09 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-2
- fix default attributes for ghost files
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 1:2.3.13-7
+- rebuild for libpq ABI fix rhbz#1908268

-* Tue Nov 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
- dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117)
+* Mon Feb 01 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-6
+- use make macros

-* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-10
- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.13-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-4
+- fix multilib issues
+
+* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-3
+- bump release and rebuild
+
+* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-2
+- fix rundir location
+
+* Wed Jan 06 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-1
+- fix release number
+
+* Mon Jan 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-0
+- dovecot updated to 2.3.13, pigeonhole to 0.5.13
+- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
+  allow logged in user to access other people's emails and filesystem
+  information.
+- Metric filter and global event filter variable syntax changed to a
+  SQL-like format. 
+- auth: Added new aliases for %{variables}. Usage of the old ones is
+  possible, but discouraged.
+- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
+  mechanism and related password schemes.
+- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
+- auth: Removed postfix postmap socket
+
+* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-7
+- change run directory from /var/run to /run (#1777922)
+
+* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-6
+- use bigger default key size (#1882939)
+
+* Wed Sep 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-5
+- fix gssapi issue
+
+* Wed Aug 26 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-4
+- fix FTBFS on 32bit systems
+
+* Mon Aug 17 2020 Jeff Law <law@redhat.com> - 1:2.3.11.3-2
+- Disable LTO
+
+* Sat Aug 15 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-1
+- CVE-2020-12100: Parsing mails with a large number of MIME parts could
+  have resulted in excessive CPU usage or a crash due to running out of
+  stack memory.
+- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
+  message buffer size, which leads to reading past allocation which can
+  lead to crash.
+- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
+  address that has the empty quoted string as local-part causes the lmtp
+  service to crash.
+- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
+  zero-length message, which leads to assert-crash later on.
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon May 18 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10.1-1
+- dovecot updated to 2.3.10.1
+- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
+
+* Tue Apr 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10-1
+- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10
+
+* Wed Feb 12 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.3-1
+- dovecot updated to 2.3.9.3
+- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
+      submission-login and lmtp processes.
+- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
+
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Dec 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.2-1
+- CVE-2019-19722: Mails with group addresses in From or To fields
+  caused crash in push notification drivers.
+
+* Wed Dec 04 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9-1
+- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 
+
+* Thu Oct 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
+- dovecot updated to 2.3.8, pigeonhole 0.5.8
+
+* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.7.2-1
+- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2
+- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
-  memory writes (#1741788)
+  memory writes

-* Fri Aug 23 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-9
- reset errno before iterating through users (#1630410)
+* Mon Aug 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:1-2.3.7.1
+- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1

-* Mon Jun 17 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-8
- fix CVE-2019-3814: improper certificate validation (#1674370)
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

-* Fri Jun 14 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-7
- do not print error message when restorecon is not present 
-  during install (#1626395)
- change default config to use minimal UID = 1000 (#1630410)
+* Fri May 31 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-3
+- disable gcc 9 stack reuse temporarily

-* Mon Jun 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-6
- use OpenSSl implementation of HMAC, disable CRAM-MD5 when FIPS is enabled (#1618749)
+* Mon May 13 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-2
+- use /run instead of /var/run (#1706372)

-* Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-5
- make key not that bigger (#1618714)
+* Thu May 02 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-1
+- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6

-* Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-4
- generated key was too small (#1618714)
+* Thu Apr 18 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.2-1
+- dovecot updated to 2.3.5.2
+- fixes CVE-2019-10691: Trying to login with 8bit username containing
+  invalid UTF8 input causes auth process to crash if auth policy is enabled.

-* Wed Sep 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-3
- fix global ACL directory configuration search path (#1630383)
- update first/last_valid_gid range patch (#1630410)
+* Thu Mar 28 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.1-1
+- dovecot updated to 2.3.5.1
+- CVE-2019-7524: Missing input buffer size validation leads into
+  arbitrary buffer overflow when reading fts or pop3 uidl header
+  from Dovecot index.

-* Mon Jul 30 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-2
- fix defaut permissions of gost run files
+* Wed Mar 06 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5-1
+- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5

-* Thu Jun 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-1
- dovecot updated to 2.2.36, pigeonhole to 0.4.24
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

-* Thu May 24 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-3
- disable tcp_wrappers as it's not available in rhel8
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:2.3.4-2
+- Rebuilt for libcrypt.so.2 (#1666033)

-* Thu Apr 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-2
- include crypt.h explicitely
+* Wed Jan 09 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.4-1
+- dovecot updated to 2.3.4, pigeonhole updated to 0.5.4

-* Wed Mar 21 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-1
- dovecot updated to 2.2.35, pigeonhole updated to 0.4.23
+* Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.3-1
+- dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3
+- doveconf hides more secrets now in the default output
+- NUL bytes in mail headers can cause truncated replies when fetched. 
+- virtual plugin: Some searches used 100% CPU for many seconds 
+- dsync assert-crashed with acl plugin in some situations. 
+- imapc: Fixed various assert-crashes when reconnecting to server. 

-* Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.34-1
- dovecot updated to 2.2.34, pigeonhole updated to 0.4.22
- fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive
-  memory usage, causing imap-login/pop3-login VSZ limit to be reached
-  and the process restarted. This happens only if Dovecot config has
-  local_name { } or local { } configuration blocks and attacker uses
-  randomly generated SNI servernames.
- fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or
-  leak memory contents to attacker. For example, these memory contents
-  might contain parts of an email from another user if the same imap
-  process is reused for multiple users.
- fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login
-  process.
+
+* Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-4
+- fix dovecot-init service syntax error (#1635017)
+
+* Mon Aug 13 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-3
+- do not try to generate ssl-params as its obsolete (#1614640)
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul 10 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-1
+- SSL/TLS servers may have crashed during client disconnection
+
+* Mon Jul 09 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2-1
+- dovecot updated to 2.3.2, pigeonhole to 0.5.2
+
+* Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-2
+- fix ftbfs - murmurhash3 check fail
+
+* Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-1
+- dovecot updated to 2.3.1, pigeonhole updated to 0.5.1
+
+* Tue Mar 27 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-3
+- use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520)
+
+* Wed Mar 07 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-2
+- add gcc buildrequire
+
+* Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-1
+- dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1

 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:2.2.33.2-5
 - Escape macros in %%changelog