.dovecot.metadata

@@ -0,0 +1,2 @@
+b5c598ae8b9901bfabdf2c93271f57cde0bde73e dovecot-2.3.16.tar.gz
+4673c244c6ea73ee3da0bb61d0206a1fe3d0be0e dovecot-2.3-pigeonhole-0.5.16.tar.gz

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
+/dovecot-*.tar.gz
-SOURCES/dovecot-2.3.16.tar.gz
+/pigeonhole-*.tar.bz2

SOURCES/dovecot-2.2.36-aclfix.patch

@@ -1,13 +0,0 @@
-diff -up dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c
---- dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix	2018-09-18 15:00:08.778823903 +0200
-+++ dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c	2018-09-18 15:00:08.814823737 +0200
-@@ -161,8 +161,7 @@ acl_backend_vfile_object_init(struct acl
- 	T_BEGIN {
- 		if (*name == '\0' ||
- 		    mailbox_list_is_valid_name(_backend->list, name, &error)) {
--			vname = *name == '\0' ? "" :
--				mailbox_list_get_vname(_backend->list, name);
-+			vname = mailbox_list_get_vname(_backend->list, name);
- 
- 			dir = acl_backend_vfile_get_local_dir(_backend, name, vname);
- 			aclobj->local_path = dir == NULL ? NULL :

SOURCES/dovecot-2.3.16-keeplzma.patch

@@ -1,353 +0,0 @@
-diff -up dovecot-2.3.16/configure.ac.keeplzma dovecot-2.3.16/configure.ac
---- dovecot-2.3.16/configure.ac.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/configure.ac	2022-02-28 13:58:02.337149927 +0100
-@@ -173,7 +173,7 @@ AS_HELP_STRING([--with-bzlib], [Build wi
-   want_bzlib=auto)
- 
- AC_ARG_WITH(lzma,
--AS_HELP_STRING([--with-lzma], [Build with LZMA decompression support (auto)]),
-+AS_HELP_STRING([--with-lzma], [Build with LZMA compression support (auto)]),
-   TEST_WITH(lzma, $withval),
-   want_lzma=auto)
- 
-diff -up dovecot-2.3.16/run-test-valgrind.supp.keeplzma dovecot-2.3.16/run-test-valgrind.supp
---- dovecot-2.3.16/run-test-valgrind.supp.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/run-test-valgrind.supp	2022-02-28 13:58:02.337149927 +0100
-@@ -5,6 +5,17 @@
-    obj:*/bash
- }
- {
-+   <liblzma>
-+   Memcheck:Cond
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
-+   fun:lzma_stream_encoder
-+   fun:lzma_easy_encoder
-+}
-+{
-    <openssl_centos6_i386_v1_0_1_compression_methods>
-    Memcheck:Leak
-    fun:malloc
-diff -up dovecot-2.3.16/src/lib-compression/compression.c.keeplzma dovecot-2.3.16/src/lib-compression/compression.c
---- dovecot-2.3.16/src/lib-compression/compression.c.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/compression.c	2022-02-28 14:22:32.467944396 +0100
-@@ -25,6 +25,7 @@
- #endif
- #ifndef HAVE_LZMA
- #  define i_stream_create_lzma NULL
-+#  define o_stream_create_lzma NULL
- #endif
- #ifndef HAVE_LZ4
- #  define i_stream_create_lz4 NULL
-@@ -216,7 +217,7 @@ const struct compression_handler compres
- 		.ext = ".xz",
- 		.is_compressed = is_compressed_xz,
- 		.create_istream = i_stream_create_lzma,
--		.create_ostream = NULL,
-+		.create_ostream = o_stream_create_lzma,
- 		.get_min_level = compression_get_min_level_unsupported,
- 		.get_default_level = compression_get_default_level_unsupported,
- 		.get_max_level = compression_get_max_level_unsupported,
-diff -up dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma dovecot-2.3.16/src/lib-compression/Makefile.am
---- dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/Makefile.am	2022-02-28 13:58:02.337149927 +0100
-@@ -13,6 +13,7 @@ libcompression_la_SOURCES = \
- 	istream-zlib.c \
- 	istream-bzlib.c \
- 	istream-zstd.c \
-+	ostream-lzma.c \
- 	ostream-lz4.c \
- 	ostream-zlib.c \
- 	ostream-bzlib.c \
-diff -up dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma dovecot-2.3.16/src/lib-compression/ostream-lzma.c
---- dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma	2022-02-28 13:58:02.338149934 +0100
-+++ dovecot-2.3.16/src/lib-compression/ostream-lzma.c	2022-02-28 13:58:02.338149934 +0100
-@@ -0,0 +1,263 @@
-+/* Copyright (c) 2010-2018 Dovecot authors, see the included COPYING file */
-+
-+#include "lib.h"
-+
-+#ifdef HAVE_LZMA
-+
-+#include "ostream-private.h"
-+#include "ostream-zlib.h"
-+#include <lzma.h>
-+
-+#define CHUNK_SIZE (1024*64)
-+
-+struct lzma_ostream {
-+	struct ostream_private ostream;
-+	lzma_stream strm;
-+
-+	unsigned char outbuf[CHUNK_SIZE];
-+	unsigned int outbuf_offset, outbuf_used;
-+
-+	bool flushed:1;
-+};
-+
-+static void o_stream_lzma_close(struct iostream_private *stream,
-+				bool close_parent)
-+{
-+	struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
-+	i_assert(zstream->ostream.finished ||
-+		 zstream->ostream.ostream.stream_errno != 0 ||
-+		 zstream->ostream.error_handling_disabled);
-+	lzma_end(&zstream->strm);
-+	if (close_parent)
-+		o_stream_close(zstream->ostream.parent);
-+}
-+
-+static int o_stream_zlib_send_outbuf(struct lzma_ostream *zstream)
-+{
-+	ssize_t ret;
-+	size_t size;
-+
-+	if (zstream->outbuf_used == 0)
-+		return 1;
-+
-+	size = zstream->outbuf_used - zstream->outbuf_offset;
-+	i_assert(size > 0);
-+	ret = o_stream_send(zstream->ostream.parent,
-+			    zstream->outbuf + zstream->outbuf_offset, size);
-+	if (ret < 0) {
-+		o_stream_copy_error_from_parent(&zstream->ostream);
-+		return -1;
-+	}
-+	if ((size_t)ret != size) {
-+		zstream->outbuf_offset += ret;
-+		return 0;
-+	}
-+	zstream->outbuf_offset = 0;
-+	zstream->outbuf_used = 0;
-+	return 1;
-+}
-+
-+static ssize_t
-+o_stream_lzma_send_chunk(struct lzma_ostream *zstream,
-+			  const void *data, size_t size)
-+{
-+	lzma_stream *zs = &zstream->strm;
-+	int ret;
-+
-+	i_assert(zstream->outbuf_used == 0);
-+
-+	zs->next_in = (void *)data;
-+	zs->avail_in = size;
-+	while (zs->avail_in > 0) {
-+		if (zs->avail_out == 0) {
-+			/* previous block was compressed. send it and start
-+			   compression for a new block. */
-+			zs->next_out = zstream->outbuf;
-+			zs->avail_out = sizeof(zstream->outbuf);
-+
-+			zstream->outbuf_used = sizeof(zstream->outbuf);
-+			if ((ret = o_stream_zlib_send_outbuf(zstream)) < 0)
-+				return -1;
-+			if (ret == 0) {
-+				/* parent stream's buffer full */
-+				break;
-+			}
-+		}
-+
-+		ret = lzma_code(zs, LZMA_RUN);
-+		switch (ret) {
-+		case LZMA_OK:
-+			break;
-+		case LZMA_MEM_ERROR:
-+			i_fatal_status(FATAL_OUTOFMEM,
-+				       "lzma.write(%s): Out of memory",
-+				       o_stream_get_name(&zstream->ostream.ostream));
-+		default:
-+			i_panic("lzma.write(%s) failed with unexpected code %d",
-+				o_stream_get_name(&zstream->ostream.ostream), ret);
-+		}
-+	}
-+	size -= zs->avail_in;
-+
-+	return size;
-+}
-+
-+static int o_stream_lzma_send_flush(struct lzma_ostream *zstream, bool final)
-+{
-+	lzma_stream *zs = &zstream->strm;
-+	size_t len;
-+	bool done = FALSE;
-+	int ret;
-+
-+	i_assert(zs->avail_in == 0);
-+
-+	if (zstream->flushed) {
-+		i_assert(zstream->outbuf_used == 0);
-+		return 1;
-+	}
-+
-+	if ((ret = o_stream_flush_parent_if_needed(&zstream->ostream)) <= 0)
-+		return ret;
-+	if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
-+		return ret;
-+
-+	if (!final)
-+		return 1;
-+
-+	i_assert(zstream->outbuf_used == 0);
-+	do {
-+		len = sizeof(zstream->outbuf) - zs->avail_out;
-+		if (len != 0) {
-+			zs->next_out = zstream->outbuf;
-+			zs->avail_out = sizeof(zstream->outbuf);
-+
-+			zstream->outbuf_used = len;
-+			if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
-+				return ret;
-+			if (done)
-+				break;
-+		}
-+		ret = lzma_code(zs, LZMA_FINISH);
-+		switch (ret) {
-+		case LZMA_OK:
-+			/* still unfinished - need to call lzma_code() again */
-+			break;
-+		case LZMA_STREAM_END:
-+			/* output is fully finished */
-+			done = TRUE;
-+			break;
-+		case LZMA_MEM_ERROR:
-+			i_fatal_status(FATAL_OUTOFMEM,
-+				       "lzma.write(%s): Out of memory",
-+				       o_stream_get_name(&zstream->ostream.ostream));
-+		default:
-+			i_panic("lzma.write(%s) flush failed with unexpected code %d",
-+				o_stream_get_name(&zstream->ostream.ostream), ret);
-+		}
-+	} while (zs->avail_out != sizeof(zstream->outbuf));
-+
-+	if (final)
-+		zstream->flushed = TRUE;
-+	i_assert(zstream->outbuf_used == 0);
-+	return 1;
-+}
-+
-+static int o_stream_lzma_flush(struct ostream_private *stream)
-+{
-+	struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
-+	int ret;
-+
-+	if ((ret = o_stream_lzma_send_flush(zstream, stream->finished)) < 0)
-+		return -1;
-+	else if (ret > 0)
-+		return o_stream_flush_parent(stream);
-+	return ret;
-+}
-+
-+static size_t
-+o_stream_lzma_get_buffer_used_size(const struct ostream_private *stream)
-+{
-+	const struct lzma_ostream *zstream =
-+		(const struct lzma_ostream *)stream;
-+
-+	/* outbuf has already compressed data that we're trying to send to the
-+	   parent stream. We're not including lzma's internal compression
-+	   buffer size. */
-+	return (zstream->outbuf_used - zstream->outbuf_offset) +
-+		o_stream_get_buffer_used_size(stream->parent);
-+}
-+
-+static size_t
-+o_stream_lzma_get_buffer_avail_size(const struct ostream_private *stream)
-+{
-+	/* FIXME: not correct - this is counting compressed size, which may be
-+	   too larger than uncompressed size in some situations. Fixing would
-+	   require some kind of additional buffering. */
-+	return o_stream_get_buffer_avail_size(stream->parent);
-+}
-+
-+static ssize_t
-+o_stream_lzma_sendv(struct ostream_private *stream,
-+		    const struct const_iovec *iov, unsigned int iov_count)
-+{
-+	struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
-+	ssize_t ret, bytes = 0;
-+	unsigned int i;
-+
-+	if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0) {
-+		/* error / we still couldn't flush existing data to
-+		   parent stream. */
-+		return ret;
-+	}
-+
-+	for (i = 0; i < iov_count; i++) {
-+		ret = o_stream_lzma_send_chunk(zstream, iov[i].iov_base,
-+						iov[i].iov_len);
-+		if (ret < 0)
-+			return -1;
-+		bytes += ret;
-+		if ((size_t)ret != iov[i].iov_len)
-+			break;
-+	}
-+	stream->ostream.offset += bytes;
-+
-+	/* avail_in!=0 check is used to detect errors. if it's non-zero here
-+	   it simply means we didn't send all the data */
-+	zstream->strm.avail_in = 0;
-+	return bytes;
-+}
-+
-+struct ostream *o_stream_create_lzma(struct ostream *output, int level)
-+{
-+	struct lzma_ostream *zstream;
-+	lzma_ret ret;
-+
-+	i_assert(level >= 1 && level <= 9);
-+
-+	zstream = i_new(struct lzma_ostream, 1);
-+	zstream->ostream.sendv = o_stream_lzma_sendv;
-+	zstream->ostream.flush = o_stream_lzma_flush;
-+	zstream->ostream.get_buffer_used_size =
-+		o_stream_lzma_get_buffer_used_size;
-+	zstream->ostream.get_buffer_avail_size =
-+		o_stream_lzma_get_buffer_avail_size;
-+	zstream->ostream.iostream.close = o_stream_lzma_close;
-+
-+	ret = lzma_easy_encoder(&zstream->strm, level, LZMA_CHECK_CRC64);
-+	switch (ret) {
-+	case LZMA_OK:
-+		break;
-+	case LZMA_MEM_ERROR:
-+		i_fatal_status(FATAL_OUTOFMEM, "lzma: Out of memory");
-+	case LZMA_OPTIONS_ERROR:
-+		i_fatal("lzma: Invalid level");
-+	default:
-+		i_fatal("lzma_easy_encoder() failed with %d", ret);
-+	}
-+
-+	zstream->strm.next_out = zstream->outbuf;
-+	zstream->strm.avail_out = sizeof(zstream->outbuf);
-+	return o_stream_create(&zstream->ostream, output,
-+			       o_stream_get_fd(output));
-+}
-+#endif
-diff -up dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma dovecot-2.3.16/src/lib-compression/ostream-zlib.h
---- dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/ostream-zlib.h	2022-02-28 13:58:02.338149934 +0100
-@@ -4,6 +4,7 @@
- struct ostream *o_stream_create_gz(struct ostream *output, int level);
- struct ostream *o_stream_create_deflate(struct ostream *output, int level);
- struct ostream *o_stream_create_bz2(struct ostream *output, int level);
-+struct ostream *o_stream_create_lzma(struct ostream *output, int level);
- struct ostream *o_stream_create_lz4(struct ostream *output, int level);
- struct ostream *o_stream_create_zstd(struct ostream *output, int level);
- 
-diff -up dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma dovecot-2.3.16/src/lib-compression/test-compression.c
---- dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.16/src/lib-compression/test-compression.c	2022-02-28 13:58:02.338149934 +0100
-@@ -730,7 +730,6 @@ static void test_compression_int(bool au
- 
- 	for (i = 0; compression_handlers[i].name != NULL; i++) {
- 		if (compression_handlers[i].create_istream != NULL &&
--		    compression_handlers[i].create_ostream != NULL &&
- 		    (!autodetect ||
- 		     compression_handlers[i].is_compressed != NULL)) T_BEGIN {
- 			if (compression_handlers[i].is_compressed != NULL &&

dovecot-2.0-defaultconfig.patch

@@ -1,7 +1,7 @@
-diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf
+diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf
---- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings	2018-02-28 15:28:57.000000000 +0100
+--- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf	2018-03-01 10:29:38.208368555 +0100
++++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf	2021-10-27 11:13:45.666956339 +0200
-@@ -165,7 +165,7 @@ namespace inbox {
+@@ -175,7 +175,7 @@ namespace inbox {
  # to make sure that users can't log in as daemons or other system users.
  # Note that denying root logins is hardcoded to dovecot binary and can't
  # be done even if first_valid_uid is set to 0.
@@ -18,9 +18,9 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings
  
  # Maximum time to wait for lock (all of them) before aborting.
  #mbox_lock_timeout = 5 mins
-diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf
+diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf
---- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings	2018-02-28 15:28:57.000000000 +0100
+--- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf	2018-03-01 10:33:54.779499044 +0100
++++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf	2021-10-27 11:13:02.834533975 +0200
 @@ -3,7 +3,9 @@
  ##
  
@@ -32,7 +32,7 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings
  
  # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
  # dropping root privileges, so keep the key file unreadable by anyone but
-@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -64,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
  #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
  # To disable non-EC DH, use:
  #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

dovecot-2.1-privatetmp.patch

@@ -0,0 +1,11 @@
+diff -up dovecot-2.2.19/dovecot.service.in.privatetmp dovecot-2.2.19/dovecot.service.in
+--- dovecot-2.2.19/dovecot.service.in.privatetmp	2015-10-05 12:50:24.273780394 +0200
++++ dovecot-2.2.19/dovecot.service.in	2015-10-05 12:50:56.281621589 +0200
+@@ -26,6 +26,7 @@ After=local-fs.target network.target
+ Type=simple
+ ExecStart=@sbindir@/dovecot -F $OPTIONS
+ ExecReload=@sbindir@/dovecot reload
++PrivateTmp=true
+ NonBlocking=yes
+ 
+ [Install]

dovecot-2.1.4-postreleasefix.patch

@@ -0,0 +1,27 @@
+# HG changeset patch
+# User Timo Sirainen <tss@iki.fi>
+# Date 1334041779 -10800
+# Node ID 20e1aa322b1e3b7d47c7cb1b6ff68a8d07fe6c9d
+# Parent  0b59dbb1a288153d2eb26d47cd9f7a953335c66f
+lib-storage: mail_user_try_home_expand() now looks up home only when needed.
+Before a recent code cleanup the lookup was always done, but if the home
+didn't exist it still just happened to return success. The cleanup changed
+it to return failure, which broke the original behavior.
+
+diff -r 0b59dbb1a288 -r 20e1aa322b1e src/lib-storage/mail-user.c
+--- a/src/lib-storage/mail-user.c	Tue Apr 10 09:52:35 2012 +0300
++++ b/src/lib-storage/mail-user.c	Tue Apr 10 10:09:39 2012 +0300
+@@ -343,6 +343,11 @@
+ {
+ 	const char *home, *path = *pathp;
+ 
++	if (strncmp(path, "~/", 2) != 0) {
++		/* no need to expand home */
++		return 0;
++	}
++
+ 	if (mail_user_get_home(user, &home) <= 0)
+ 		return -1;
+ 
+
+

dovecot-2.2-80ed82a93c1a.patch

@@ -0,0 +1,450 @@
+
+# HG changeset patch
+# User Timo Sirainen <tss@iki.fi>
+# Date 1416386277 -32400
+# Node ID 80ed82a93c1af5f6885e75a34007eb52d0692a8d
+# Parent  31262a892ba7302bfea6e70e17d3acd468736d70
+mbox: Added more (and earlier) detection for errors in mbox istreams.
+
+diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/istream-raw-mbox.c
+--- a/src/lib-storage/index/mbox/istream-raw-mbox.c	Wed Nov 19 17:37:18 2014 +0900
++++ b/src/lib-storage/index/mbox/istream-raw-mbox.c	Wed Nov 19 17:37:57 2014 +0900
+@@ -506,7 +506,8 @@
+ 	return rstream->from_offset;
+ }
+ 
+-uoff_t istream_raw_mbox_get_header_offset(struct istream *stream)
++int istream_raw_mbox_get_header_offset(struct istream *stream,
++				       uoff_t *hdr_offset_r)
+ {
+ 	struct raw_mbox_istream *rstream =
+ 		(struct raw_mbox_istream *)stream->real_stream;
+@@ -520,13 +521,17 @@
+ 		i_error("Unexpectedly lost From-line from mbox file %s at "
+ 			"%"PRIuUOFF_T, i_stream_get_name(stream),
+ 			rstream->from_offset);
+-		return (uoff_t)-1;
++		return -1;
+ 	}
++	if (stream->stream_errno != 0)
++		return -1;
+ 
+-	return rstream->hdr_offset;
++	*hdr_offset_r = rstream->hdr_offset;
++	return 0;
+ }
+ 
+-uoff_t istream_raw_mbox_get_body_offset(struct istream *stream)
++int istream_raw_mbox_get_body_offset(struct istream *stream,
++				     uoff_t *body_offset_r)
+ {
+ 	struct raw_mbox_istream *rstream =
+ 		(struct raw_mbox_istream *)stream->real_stream;
+@@ -534,8 +539,10 @@
+ 
+ 	i_assert(rstream->seeked);
+ 
+-	if (rstream->body_offset != (uoff_t)-1)
+-		return rstream->body_offset;
++	if (rstream->body_offset != (uoff_t)-1) {
++		*body_offset_r = rstream->body_offset;
++		return 0;
++	}
+ 
+ 	offset = stream->v_offset;
+ 	i_stream_seek(stream, rstream->hdr_offset);
+@@ -551,27 +558,30 @@
+ 			} else {
+ 				i_assert(rstream->body_offset != (uoff_t)-1);
+ 			}
+-			break;
++			return -1;
+ 		}
+ 	}
+ 
+ 	i_stream_seek(stream, offset);
+-	return rstream->body_offset;
++	*body_offset_r = rstream->body_offset;
++	return 0;
+ }
+ 
+-uoff_t istream_raw_mbox_get_body_size(struct istream *stream,
+-				      uoff_t expected_body_size)
++int istream_raw_mbox_get_body_size(struct istream *stream,
++				   uoff_t expected_body_size,
++				   uoff_t *body_size_r)
+ {
+ 	struct raw_mbox_istream *rstream =
+ 		(struct raw_mbox_istream *)stream->real_stream;
+ 	const unsigned char *data;
+ 	size_t size;
+-	uoff_t old_offset, body_size, next_body_offset;
++	uoff_t old_offset, body_offset, body_size, next_body_offset;
+ 
+ 	i_assert(rstream->seeked);
+ 	i_assert(rstream->hdr_offset != (uoff_t)-1);
+ 
+-	(void)istream_raw_mbox_get_body_offset(stream);
++	if (istream_raw_mbox_get_body_offset(stream, &body_offset) < 0)
++		return -1;
+ 	body_size = rstream->mail_size == (uoff_t)-1 ? (uoff_t)-1 :
+ 		rstream->mail_size - (rstream->body_offset -
+ 				      rstream->hdr_offset);
+@@ -580,8 +590,10 @@
+ 		/* if we already have the existing body size, use it as long as
+ 		   it's >= expected body_size. otherwise the previous parsing
+ 		   may have stopped at a From_-line that belongs to the body. */
+-		if (body_size != (uoff_t)-1 && body_size >= expected_body_size)
+-			return body_size;
++		if (body_size != (uoff_t)-1 && body_size >= expected_body_size) {
++			*body_size_r = body_size;
++			return 0;
++		}
+ 
+ 		next_body_offset = rstream->body_offset + expected_body_size;
+ 		/* If header_missing_eoh is set, the message body begins with
+@@ -600,21 +612,27 @@
+ 			rstream->mail_size =
+ 				next_body_offset - rstream->hdr_offset;
+ 			i_stream_seek(stream, old_offset);
+-			return expected_body_size;
++			*body_size_r = expected_body_size;
++			return 0;
+ 		}
+ 		/* invalid expected_body_size */
+ 	}
+-	if (body_size != (uoff_t)-1)
+-		return body_size;
++	if (body_size != (uoff_t)-1) {
++		*body_size_r = body_size;
++		return 0;
++	}
+ 
+ 	/* have to read through the message body */
+ 	while (i_stream_read_data(stream, &data, &size, 0) > 0)
+ 		i_stream_skip(stream, size);
+ 	i_stream_seek(stream, old_offset);
++	if (stream->stream_errno != 0)
++		return -1;
+ 
+ 	i_assert(rstream->mail_size != (uoff_t)-1);
+-	return rstream->mail_size -
++	*body_size_r = rstream->mail_size -
+ 		(rstream->body_offset - rstream->hdr_offset);
++	return 0;
+ }
+ 
+ time_t istream_raw_mbox_get_received_time(struct istream *stream)
+@@ -651,13 +669,15 @@
+ 	return rstream->crlf_ending;
+ }
+ 
+-void istream_raw_mbox_next(struct istream *stream, uoff_t expected_body_size)
++int istream_raw_mbox_next(struct istream *stream, uoff_t expected_body_size)
+ {
+ 	struct raw_mbox_istream *rstream =
+ 		(struct raw_mbox_istream *)stream->real_stream;
+ 	uoff_t body_size;
+ 
+-	body_size = istream_raw_mbox_get_body_size(stream, expected_body_size);
++	if (istream_raw_mbox_get_body_size(stream, expected_body_size,
++					   &body_size) < 0)
++		return -1;
+ 	rstream->mail_size = (uoff_t)-1;
+ 
+ 	rstream->received_time = rstream->next_received_time;
+@@ -678,6 +698,7 @@
+ 
+ 	rstream->eof = FALSE;
+ 	rstream->istream.istream.eof = FALSE;
++	return 0;
+ }
+ 
+ int istream_raw_mbox_seek(struct istream *stream, uoff_t offset)
+@@ -698,10 +719,8 @@
+ 	/* if seeked is FALSE, we unlocked in the middle. don't try to use
+ 	   any cached state then. */
+ 	if (rstream->mail_size != (uoff_t)-1 && rstream->seeked &&
+-	    rstream->hdr_offset + rstream->mail_size == offset) {
+-		istream_raw_mbox_next(stream, (uoff_t)-1);
+-		return 0;
+-	}
++	    rstream->hdr_offset + rstream->mail_size == offset)
++		return istream_raw_mbox_next(stream, (uoff_t)-1);
+ 
+ 	if (offset == rstream->from_offset && rstream->seeked) {
+ 		/* back to beginning of current message */
+diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/istream-raw-mbox.h
+--- a/src/lib-storage/index/mbox/istream-raw-mbox.h	Wed Nov 19 17:37:18 2014 +0900
++++ b/src/lib-storage/index/mbox/istream-raw-mbox.h	Wed Nov 19 17:37:57 2014 +0900
+@@ -9,15 +9,18 @@
+ /* Return offset to beginning of the "\nFrom"-line. */
+ uoff_t istream_raw_mbox_get_start_offset(struct istream *stream);
+ /* Return offset to beginning of the headers. */
+-uoff_t istream_raw_mbox_get_header_offset(struct istream *stream);
++int istream_raw_mbox_get_header_offset(struct istream *stream,
++				       uoff_t *hdr_offset_r);
+ /* Return offset to beginning of the body. */
+-uoff_t istream_raw_mbox_get_body_offset(struct istream *stream);
++int istream_raw_mbox_get_body_offset(struct istream *stream,
++				     uoff_t *body_offset_r);
+ 
+ /* Return the number of bytes in the body of this message. If
+    expected_body_size isn't (uoff_t)-1, we'll use it as potentially valid body
+    size to avoid actually reading through the whole message. */
+-uoff_t istream_raw_mbox_get_body_size(struct istream *stream,
+-				      uoff_t expected_body_size);
++int istream_raw_mbox_get_body_size(struct istream *stream,
++				   uoff_t expected_body_size,
++				   uoff_t *body_size_r);
+ 
+ /* Return received time of current message, or (time_t)-1 if the timestamp is
+    broken. */
+@@ -30,7 +33,7 @@
+ 
+ /* Jump to next message. If expected_body_size isn't (uoff_t)-1, we'll use it
+    as potentially valid body size. */
+-void istream_raw_mbox_next(struct istream *stream, uoff_t expected_body_size);
++int istream_raw_mbox_next(struct istream *stream, uoff_t expected_body_size);
+ 
+ /* Seek to message at given offset. offset must point to beginning of
+    "\nFrom ", or 0 for beginning of file. Returns -1 if it offset doesn't
+diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-mail.c
+--- a/src/lib-storage/index/mbox/mbox-mail.c	Wed Nov 19 17:37:18 2014 +0900
++++ b/src/lib-storage/index/mbox/mbox-mail.c	Wed Nov 19 17:37:57 2014 +0900
+@@ -304,10 +304,10 @@
+ 		return -1;
+ 
+ 	/* our header size varies, so don't do any caching */
+-	body_offset = istream_raw_mbox_get_body_offset(mbox->mbox_stream);
+-	if (body_offset == (uoff_t)-1) {
++	if (istream_raw_mbox_get_body_offset(mbox->mbox_stream, &body_offset) < 0) {
+ 		mail_storage_set_critical(_mail->box->storage,
+-					  "Couldn't get mbox size");
++			"mbox %s: Couldn't get body offset for uid=%u",
++			mailbox_get_path(&mbox->box), mail->mail.mail.uid);
+ 		return -1;
+ 	}
+ 
+@@ -319,8 +319,13 @@
+ 		body_size = (uoff_t)-1;
+ 
+ 	/* verify that the calculated body size is correct */
+-	body_size = istream_raw_mbox_get_body_size(mbox->mbox_stream,
+-						   body_size);
++	if (istream_raw_mbox_get_body_size(mbox->mbox_stream,
++					   body_size, &body_size) < 0) {
++		mail_storage_set_critical(_mail->box->storage,
++			"mbox %s: Couldn't get body size for uid=%u",
++			mailbox_get_path(&mbox->box), mail->mail.mail.uid);
++		return -1;
++	}
+ 
+ 	data->physical_size = hdr_size.physical_size + body_size;
+ 	*size_r = data->physical_size;
+@@ -352,7 +357,12 @@
+ 	}
+ 
+ 	raw_stream = mbox->mbox_stream;
+-	hdr_offset = istream_raw_mbox_get_header_offset(raw_stream);
++	if (istream_raw_mbox_get_header_offset(raw_stream, &hdr_offset) < 0) {
++		mail_storage_set_critical(mbox->box.storage,
++			"mbox %s: Couldn't get header offset for uid=%u",
++			mailbox_get_path(&mbox->box), mail->mail.mail.uid);
++		return -1;
++	}
+ 	i_stream_seek(raw_stream, hdr_offset);
+ 
+ 	if (next_offset != (uoff_t)-1)
+diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-sync-parse.c
+--- a/src/lib-storage/index/mbox/mbox-sync-parse.c	Wed Nov 19 17:37:18 2014 +0900
++++ b/src/lib-storage/index/mbox/mbox-sync-parse.c	Wed Nov 19 17:37:57 2014 +0900
+@@ -453,8 +453,8 @@
+ 	return strcasecmp(key, func->header);
+ }
+ 
+-void mbox_sync_parse_next_mail(struct istream *input,
+-			       struct mbox_sync_mail_context *ctx)
++int mbox_sync_parse_next_mail(struct istream *input,
++			      struct mbox_sync_mail_context *ctx)
+ {
+ 	struct mbox_sync_context *sync_ctx = ctx->sync_ctx;
+ 	struct message_header_parser_ctx *hdr_ctx;
+@@ -545,6 +545,12 @@
+ 	}
+ 
+ 	ctx->body_offset = input->v_offset;
++	if (input->stream_errno != 0) {
++		mbox_sync_set_critical(ctx->sync_ctx, "read(%s) failed: %s",
++			i_stream_get_name(input), i_stream_get_error(input));
++		return -1;
++	}
++	return 0;
+ }
+ 
+ bool mbox_sync_parse_match_mail(struct mbox_mailbox *mbox,
+diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-sync-private.h
+--- a/src/lib-storage/index/mbox/mbox-sync-private.h	Wed Nov 19 17:37:18 2014 +0900
++++ b/src/lib-storage/index/mbox/mbox-sync-private.h	Wed Nov 19 17:37:57 2014 +0900
+@@ -158,8 +158,8 @@
+ void mbox_sync_set_critical(struct mbox_sync_context *sync_ctx,
+ 			    const char *fmt, ...) ATTR_FORMAT(2, 3);
+ 
+-void mbox_sync_parse_next_mail(struct istream *input,
+-			       struct mbox_sync_mail_context *ctx);
++int mbox_sync_parse_next_mail(struct istream *input,
++			      struct mbox_sync_mail_context *ctx);
+ bool mbox_sync_parse_match_mail(struct mbox_mailbox *mbox,
+ 				struct mail_index_view *view, uint32_t seq);
+ 
+diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-sync-rewrite.c
+--- a/src/lib-storage/index/mbox/mbox-sync-rewrite.c	Wed Nov 19 17:37:18 2014 +0900
++++ b/src/lib-storage/index/mbox/mbox-sync-rewrite.c	Wed Nov 19 17:37:57 2014 +0900
+@@ -318,11 +318,11 @@
+ 	return 1;
+ }
+ 
+-static void mbox_sync_read_next(struct mbox_sync_context *sync_ctx,
+-				struct mbox_sync_mail_context *mail_ctx,
+-				struct mbox_sync_mail *mails,
+-				uint32_t seq, uint32_t idx,
+-				uoff_t expunged_space)
++static int mbox_sync_read_next(struct mbox_sync_context *sync_ctx,
++			       struct mbox_sync_mail_context *mail_ctx,
++			       struct mbox_sync_mail *mails,
++			       uint32_t seq, uint32_t idx,
++			       uoff_t expunged_space)
+ {
+ 	unsigned int first_mail_expunge_extra;
+ 	uint32_t orig_next_uid;
+@@ -332,8 +332,12 @@
+ 	mail_ctx->seq = seq;
+ 	mail_ctx->header = sync_ctx->header;
+ 
+-	mail_ctx->mail.offset =
+-		istream_raw_mbox_get_header_offset(sync_ctx->input);
++	if (istream_raw_mbox_get_header_offset(sync_ctx->input,
++					       &mail_ctx->mail.offset) < 0) {
++		mbox_sync_set_critical(sync_ctx,
++			"Couldn't get header offset for seq=%u", seq);
++		return -1;
++	}
+ 	mail_ctx->mail.body_size = mails[idx].body_size;
+ 
+ 	orig_next_uid = sync_ctx->next_uid;
+@@ -361,7 +365,8 @@
+ 		mails[idx].from_offset += first_mail_expunge_extra;
+ 	}
+ 
+-	mbox_sync_parse_next_mail(sync_ctx->input, mail_ctx);
++	if (mbox_sync_parse_next_mail(sync_ctx->input, mail_ctx) < 0)
++		return -1;
+ 	i_assert(mail_ctx->mail.pseudo == mails[idx].pseudo);
+ 
+ 	/* set next_uid back before updating the headers. this is important
+@@ -381,6 +386,7 @@
+ 		if (mail_ctx->have_eoh)
+ 			str_append_c(mail_ctx->header, '\n');
+ 	}
++	return 0;
+ }
+ 
+ static int mbox_sync_read_and_move(struct mbox_sync_context *sync_ctx,
+@@ -398,8 +404,9 @@
+ 		if (mbox_sync_seek(sync_ctx, mails[idx].from_offset) < 0)
+ 			return -1;
+ 
+-		mbox_sync_read_next(sync_ctx, &new_mail_ctx, mails, seq, idx,
+-				    expunged_space);
++		if (mbox_sync_read_next(sync_ctx, &new_mail_ctx, mails, seq, idx,
++					expunged_space) < 0)
++			return -1;
+ 		mail_ctx = &new_mail_ctx;
+ 	} else {
+ 		i_assert(seq == mail_ctx->seq);
+diff -r 31262a892ba7 -r 80ed82a93c1a src/lib-storage/index/mbox/mbox-sync.c
+--- a/src/lib-storage/index/mbox/mbox-sync.c	Wed Nov 19 17:37:18 2014 +0900
++++ b/src/lib-storage/index/mbox/mbox-sync.c	Wed Nov 19 17:37:57 2014 +0900
+@@ -131,8 +131,10 @@
+ mbox_sync_read_next_mail(struct mbox_sync_context *sync_ctx,
+ 			 struct mbox_sync_mail_context *mail_ctx)
+ {
++	uoff_t offset;
++
+ 	/* get EOF */
+-	(void)istream_raw_mbox_get_header_offset(sync_ctx->input);
++	(void)istream_raw_mbox_get_header_offset(sync_ctx->input, &offset);
+ 	if (istream_raw_mbox_is_eof(sync_ctx->input))
+ 		return 0;
+ 
+@@ -144,19 +146,27 @@
+ 
+ 	mail_ctx->mail.from_offset =
+ 		istream_raw_mbox_get_start_offset(sync_ctx->input);
+-	mail_ctx->mail.offset =
+-		istream_raw_mbox_get_header_offset(sync_ctx->input);
++	if (istream_raw_mbox_get_header_offset(sync_ctx->input, &mail_ctx->mail.offset) < 0) {
++		mbox_sync_set_critical(sync_ctx,
++			"Couldn't get header offset for seq=%u", mail_ctx->seq);
++		return -1;
++	}
+ 
+-	mbox_sync_parse_next_mail(sync_ctx->input, mail_ctx);
++	if (mbox_sync_parse_next_mail(sync_ctx->input, mail_ctx) < 0)
++		return -1;
++	if (istream_raw_mbox_is_corrupted(sync_ctx->input))
++		return -1;
++
+ 	i_assert(sync_ctx->input->v_offset != mail_ctx->mail.from_offset ||
+ 		 sync_ctx->input->eof);
+ 
+-	if (istream_raw_mbox_is_corrupted(sync_ctx->input))
++	if (istream_raw_mbox_get_body_size(sync_ctx->input,
++					   mail_ctx->content_length,
++					   &mail_ctx->mail.body_size) < 0) {
++		mbox_sync_set_critical(sync_ctx,
++			"Couldn't get body size for seq=%u", mail_ctx->seq);
+ 		return -1;
+-
+-	mail_ctx->mail.body_size =
+-		istream_raw_mbox_get_body_size(sync_ctx->input,
+-					       mail_ctx->content_length);
++	}
+ 	i_assert(mail_ctx->mail.body_size < OFF_T_MAX);
+ 
+ 	if ((mail_ctx->mail.flags & MAIL_RECENT) != 0 &&
+@@ -810,7 +820,7 @@
+ mbox_sync_seek_to_seq(struct mbox_sync_context *sync_ctx, uint32_t seq)
+ {
+ 	struct mbox_mailbox *mbox = sync_ctx->mbox;
+-	uoff_t old_offset;
++	uoff_t old_offset, offset;
+ 	uint32_t uid;
+ 	int ret;
+         bool deleted;
+@@ -864,7 +874,11 @@
+ 
+         sync_ctx->idx_seq = seq;
+ 	sync_ctx->dest_first_mail = sync_ctx->seq == 0;
+-        (void)istream_raw_mbox_get_body_offset(sync_ctx->input);
++	if (istream_raw_mbox_get_body_offset(sync_ctx->input, &offset) < 0) {
++		mbox_sync_set_critical(sync_ctx,
++			"Message body offset lookup failed");
++		return -1;
++	}
+ 	return 1;
+ }
+ 
+@@ -1149,8 +1163,9 @@
+ 			sync_ctx->idx_seq++;
+ 		}
+ 
+-		istream_raw_mbox_next(sync_ctx->input,
+-				      mail_ctx->mail.body_size);
++		if (istream_raw_mbox_next(sync_ctx->input,
++					  mail_ctx->mail.body_size) < 0)
++			return -1;
+ 		offset = istream_raw_mbox_get_start_offset(sync_ctx->input);
+ 
+ 		if (sync_ctx->need_space_seq != 0) {
+

dovecot-2.3.14-opensslv3.patch

@@ -0,0 +1,34 @@
+diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c
+--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3	2021-06-03 18:56:52.573174433 +0200
++++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c	2021-06-03 18:56:52.585174274 +0200
+@@ -73,10 +73,30 @@
+   2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
+ **/
+ 
++#if OPENSSL_VERSION_MAJOR == 3
++static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
++{
++  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
++  EVP_PKEY_set1_EC_KEY(key, eck);
++  EC_KEY_free(eck);
++  return eck;
++}
++
++static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
++{
++  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
++  EVP_PKEY_set1_EC_KEY(key, eck);
++  return eck;
++}
++
++#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3 
++#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
++#else
+ #ifndef HAVE_EVP_PKEY_get0
+ #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
+ #define EVP_PKEY_get0_RSA(x) x->pkey.rsa
+ #endif
++#endif
+ 
+ #ifndef HAVE_OBJ_LENGTH
+ #define OBJ_length(o) ((o)->length)

dovecot-2.3.15-fixvalcond.patch

@@ -0,0 +1,24 @@
+diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c
+--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond	2021-06-21 23:07:55.269814896 +0200
++++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c	2021-06-21 23:07:55.298814544 +0200
+@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream
+ {
+ 	struct sieve_dict_script *dscript =
+ 		(struct sieve_dict_script *)script;
+-	const char *path, *name = script->name, *data, *error;
++	const char *path, *name = script->name, *data, *error = NULL;
+ 	int ret;
+ 
+ 	dscript->data_pool =
+diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c
+--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond	2021-06-14 15:40:37.000000000 +0200
++++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c	2021-06-21 21:52:22.963171229 +0200
+@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m
+ 				struct mail_attribute_value *value_r)
+ {
+ 	struct dict *dict;
+-	const char *mailbox_prefix, *error;
++	const char *mailbox_prefix, *error = NULL;
+ 	int ret;
+ 
+ 	i_zero(value_r);

dovecot-2.3.15-valbasherr.patch

@@ -0,0 +1,20 @@
+diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
+--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr	2021-06-21 22:52:53.272707239 +0200
++++ dovecot-2.3.15/run-test-valgrind.supp	2021-06-21 22:54:19.786668430 +0200
+@@ -1,4 +1,16 @@
+ {
++   <bashagin>
++   Memcheck:Leak
++   match-leak-kinds: definite
++   fun:malloc
++   fun:make_if_command
++   fun:yyparse
++   fun:parse_command
++   fun:read_command
++   fun:reader_loop
++   fun:main
++}
++{
+    <bash>
+    Memcheck:Leak
+    fun:malloc

dovecot-2.3.8-blockcount.patch

@@ -0,0 +1,20 @@
+diff -up dovecot-2.3.8/src/lib-storage/index/index-mail-binary.c.blockcount dovecot-2.3.8/src/lib-storage/index/index-mail-binary.c
+--- dovecot-2.3.8/src/lib-storage/index/index-mail-binary.c.blockcount	2020-12-02 11:34:10.229027593 +0100
++++ dovecot-2.3.8/src/lib-storage/index/index-mail-binary.c	2020-12-02 11:36:47.328933276 +0100
+@@ -339,13 +339,14 @@ blocks_count_lines(struct binary_ctx *ct
+ 		i_stream_skip(full_input, skip);
+ 		cur_block_offset += skip;
+ 
+-		if (cur_block->input->eof) {
++		if (i_stream_read_eof(cur_block->input)) {
+ 			/* go to the next block */
+-			if (++block_idx == block_count) {
++			if (block_idx+1 == block_count) {
+ 				i_assert(i_stream_read_eof(full_input));
+ 				ret = -1;
+ 				break;
+ 			}
++			block_idx++;
+ 			cur_block++;
+ 			cur_block_offset = 0;
+ 		}

dovecot.spec

@@ -1,26 +1,28 @@
 %global __provides_exclude_from %{_docdir}
 %global __requires_exclude_from %{_docdir}
+
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
 Version: 2.3.16
 %global prever %{nil}
-Release: 5%{?dist}
+Release: 11%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
-Group: System Environment/Daemons
 
-URL: http://www.dovecot.org/
+URL: https://www.dovecot.org/
-Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
+Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
 %global pigeonholever 0.5.16
-Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
+Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
 
 #our own
 Source14: dovecot.conf.5
+Source15: prestartscript
+Source16: dovecot.sysusers
 
 # 3x Fedora/RHEL specific
 Patch1: dovecot-2.0-defaultconfig.patch
@@ -32,50 +34,54 @@ Patch6: dovecot-2.1.10-waitonline.patch
 
 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
-
+Patch15: dovecot-2.3.11-bigkey.patch
-# sent upstream, rhbz#1630380
-Patch11: dovecot-2.2.36-aclfix.patch
-
-Patch13: dovecot-2.2.36-bigkey.patch
 
 # do not use own implementation of HMAC, use OpenSSL for certification purposes
 # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
 # hard to break circular dependency between lib and lib-dcrypt
-Patch14: dovecot-2.3.6-opensslhmac.patch
+Patch16: dovecot-2.3.6-opensslhmac.patch
 
-# from upstream, for dovecot < 2.3.17, s390x FTBFS fix
+Patch17: dovecot-2.3.14-opensslv3.patch
-Patch15: dovecot-2.3.16-ftbfsbigend.patch
+
-Patch16: dovecot-2.3.16-keeplzma.patch
+# FTBFS
+Patch18: dovecot-2.3.15-fixvalcond.patch
+Patch19: dovecot-2.3.15-valbasherr.patch
+Patch20: dovecot-2.3.16-ftbfsbigend.patch
 
 # from upstream, for <= 2.3.19.1, rhbz#2106232
-Patch17: dovecot-2.3.19.1-7bad6a24.patch
+Patch21: dovecot-2.3.19.1-7bad6a24.patch
 
 # from upstream, for < 2.3.19.1, rhbz#2128857
-Patch18: dovecot-2.3.18-9f300239..4596d399.patch
+Patch22: dovecot-2.3.18-bdf447e4.patch
-Patch19: dovecot-2.3.18-bdf447e4.patch
+Patch23: dovecot-2.3.18-9f300239..4596d399.patch
 
-# from upstream, for < 2.3.21, RHEL-22854
+# from upstream, for < 2.3.21, RHEL-25434
-Patch20: dovecot-2.3.16-d7705bc6.patch
+Patch24: dovecot-2.3.16-d7705bc6.patch
 
-
+BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
-Source15: prestartscript
-
-BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
 BuildRequires: libtool, autoconf, automake, pkgconfig
 BuildRequires: sqlite-devel
-BuildRequires: postgresql-devel
+BuildRequires: libpq-devel
-#BuildRequires: libpq-devel
 BuildRequires: mariadb-connector-c-devel
-#BuildRequires: libxcrypt-devel
+BuildRequires: libxcrypt-devel
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel
 BuildRequires: quota-devel
+BuildRequires: rpcgen
 BuildRequires: xz-devel
 BuildRequires: lz4-devel
+BuildRequires: libzstd-devel
+%if %{?rhel}0 == 0
+BuildRequires: libsodium-devel
+%endif
+BuildRequires: libicu-devel
+BuildRequires: libexttextcat-devel
+BuildRequires: libstemmer-devel
 BuildRequires: multilib-rpm-config
-#BuildRequires: libsodium-devel
+BuildRequires: flex, bison
-#BuildRequires: libexttextcat-devel
+BuildRequires: systemd-devel
-#BuildRequires: libstemmer-devel
+# for dovecot.sysusers
+BuildRequires: systemd-rpm-macros 
 
 # gettext-devel is needed for running autoconf because of the
 # presence of AM_ICONV
@@ -86,33 +92,19 @@ Requires: openssl >= 0.9.7f-4
 
 # Package includes an initscript service file, needs to require initscripts package
 Requires(pre): shadow-utils
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 Requires: systemd
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-%else
-Requires: initscripts
-Requires(post): chkconfig
-Requires(preun): chkconfig initscripts
-Requires(postun): initscripts
-%endif
 
-%if %{?fedora}0 > 150 || %{?rhel}0 >60
-#clucene in fedora <=15 and rhel<=6 is too old
 BuildRequires: clucene-core-devel
-%endif
 
 %global ssldir %{_sysconfdir}/pki/%{name}
 
-%if %{?fedora}00%{?rhel} < 6
-%global _initddir %{_initrddir}
-BuildRequires: curl-devel expat-devel
-%else
 BuildRequires: libcurl-devel expat-devel
-%endif
+BuildRequires: make
 
-%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install
+%global restart_flag /run/%{name}/%{name}-restart-after-rpm-install
 
 %description
 Dovecot is an IMAP server for Linux/UNIX-like systems, written with security 
@@ -124,7 +116,6 @@ The SQL drivers and authentication plug-ins are in their subpackages.
 %package pigeonhole
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: Sieve and managesieve plug-in for dovecot
-Group: System Environment/Daemons
 License: MIT and LGPLv2
 
 %description pigeonhole
@@ -133,21 +124,18 @@ This package provides sieve and managesieve plug-in for dovecot LDA.
 %package pgsql
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: Postgres SQL back end for dovecot
-Group: System Environment/Daemons
 %description pgsql
 This package provides the Postgres SQL back end for dovecot-auth etc.
 
 %package mysql
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: MySQL back end for dovecot
-Group: System Environment/Daemons
 %description mysql
 This package provides the MySQL back end for dovecot-auth etc.
 
 %package devel
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Summary: Development files for dovecot
-Group: Development/Libraries
 %description devel
 This package provides the development files for dovecot.
 
@@ -159,19 +147,22 @@ This package provides the development files for dovecot.
 %patch -P 6 -p1 -b .waitonline
 %patch -P 8 -p1 -b .initbysystemd
 %patch -P 9 -p1 -b .systemd_w_protectsystem
-%patch -P 11 -p1 -b .aclfix
+%patch -P 15 -p1 -b .bigkey
-%patch -P 13 -p1 -b .bigkey
+%patch -P 16 -p1 -b .opensslhmac
-%patch -P 14 -p1 -b .opensslhmac
+%patch -P 17 -p1 -b .opensslv3
-%patch -P 15 -p1 -b .ftbfsbigend
+%patch -P 18 -p1 -b .fixvalcond
-%patch -P 16 -p1 -b .keeplzma
+%patch -P 19 -p1 -b .valbasherr
-%patch -P 17 -p1 -b .7bad6a24
+%patch -P 20 -p1 -b .ftbfsbigend
-%patch -P 19 -p1 -b .bdf447e4
+%patch -P 21 -p1 -b .7bad6a24
-%patch -P 20 -p1 -b .d7705bc6
+%patch -P 22 -p1 -b .bdf447e4
+%patch -P 24 -p1 -b .d7705bc6
+cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/
+# valgrind would fail with shell wrapper
+echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude
+
 pushd dovecot-2*3-pigeonhole-%{pigeonholever}
-%patch -P 18 -p1 -b .9f300239..4596d399
+%patch -P 23 -p1 -b .9f300239..4596d399
-
 popd
-
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
 
 %build
@@ -179,11 +170,8 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src
 %global _hardened_build 1
 export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none"
 export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
-# el6 autoconf too old to regen; use packaged files (#1082384)
-%if %{?fedora}00%{?rhel} > 6
 mkdir -p m4
 autoreconf -I . -fiv #required for aarch64 support
-%endif
 %configure                       \
     INSTALL_DATA="install -c -p -m644" \
     --with-rundir=%{_rundir}/%{name}   \
@@ -201,17 +189,18 @@ autoreconf -I . -fiv #required for aarch64 support
     --with-mysql                 \
     --with-sqlite                \
     --with-zlib                  \
+    --with-zstd                  \
     --with-libcap                \
+    --with-icu                   \
     --with-lucene                \
     --with-ssl=openssl           \
     --with-ssldir=%{ssldir}      \
     --with-solr                  \
     --with-systemdsystemunitdir=%{_unitdir}  \
     --with-docs
-
 sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf
 
-make %{?_smp_mflags}
+%make_build
 
 #pigeonhole
 pushd dovecot-2*3-pigeonhole-%{pigeonholever}
@@ -226,13 +215,13 @@ pushd dovecot-2*3-pigeonhole-%{pigeonholever}
     --with-dovecot=../                 \
     --without-unfinished-features
 
-make %{?_smp_mflags}
+%make_build
 popd
 
 %install
 rm -rf $RPM_BUILD_ROOT
 
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install
 
 # move doc dir back to build dir so doc macro in files section can use it
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
@@ -241,17 +230,13 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/
 %multilib_fix_c_header --file %{_includedir}/dovecot/config.h
 
 pushd dovecot-2*3-pigeonhole-%{pigeonholever}
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install
 
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
 
 install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
 popd
 
-%if %{?fedora}00%{?rhel} < 6
-sed -i 's|password-auth|system-auth|' %{SOURCE2}
-%endif
-
 install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot
 
 #install man pages
@@ -260,6 +245,8 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5
 #install waitonline script
 install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript
 
+install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.sysusers
+
 # generate ghost .pem files
 mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs
 mkdir -p $RPM_BUILD_ROOT%{ssldir}/private
@@ -268,14 +255,9 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem
 touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
 chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
 
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf
-%else
-install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot
-install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot
-%endif
 
-mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login}
+mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login}
 
 # Install dovecot configuration and dovecot-openssl.cnf
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
@@ -302,78 +284,63 @@ popd
 
 %pre
 #dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid 
-getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot
+%sysusers_create_compat %{SOURCE16}
-getent passwd dovecot >/dev/null || \
-useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot
 
-getent group dovenull >/dev/null || groupadd -r dovenull
+if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
-getent passwd dovenull >/dev/null || \
+then
-useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull
+  # during LEAPP upgrade, services are not running anyway
 
-# do not let dovecot run during upgrade rhbz#134325
+  # do not let dovecot run during upgrade rhbz#134325
-if [ "$1" = "2" ]; then
+  if [ "$1" = "2" ]; then
-  rm -f %restart_flag
+    rm -f %restart_flag
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
+    /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||:
-  /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||:
+    /bin/systemctl stop %{name}.service >/dev/null 2>&1
-  /bin/systemctl stop %{name}.service >/dev/null 2>&1
+  fi
-%else
-  /sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||:
-  /sbin/service %{name} stop >/dev/null 2>&1
-%endif
 fi
 
 %post
 if [ $1 -eq 1 ]
 then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
   %systemd_post dovecot.service
-%else
-  /sbin/chkconfig --add %{name}
-%endif
 fi
 
-install -d -m 0755 -g dovecot -d /var/run/dovecot
+install -d -m 0755 -g dovecot -d /run/dovecot
-install -d -m 0755 -d /var/run/dovecot/empty
+install -d -m 0755 -d /run/dovecot/empty
-install -d -m 0750 -g dovenull -d /var/run/dovecot/login
+install -d -m 0750 -g dovenull -d /run/dovecot/login
-install -d -m 0750 -g dovenull -d /var/run/dovecot/token-login
+install -d -m 0750 -g dovenull -d /run/dovecot/token-login
-[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot ||:
+[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot ||:
 
 %preun
 if [ $1 = 0 ]; then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
         /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || :
         /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || :
-%else
+    rm -rf /run/dovecot
-    /sbin/service %{name} stop > /dev/null 2>&1
-    /sbin/chkconfig --del %{name}
-%endif
-    rm -rf /var/run/dovecot
 fi
 
 %postun
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
+if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+then
-%endif
+  # during LEAPP upgrade, services are not running anyway
+  /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 
-if [ "$1" -ge "1" -a -e %restart_flag ]; then
+  if [ "$1" -ge "1" -a -e %restart_flag ]; then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
+      /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
-    /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
+  rm -f %restart_flag
-%else
+  fi
-    /sbin/service %{name} start >/dev/null 2>&1 || :
-%endif
-rm -f %restart_flag
 fi
 
 %posttrans
-# dovecot should be started again in %%postun, but it's not executed on reinstall
+
-# if it was already started, restart_flag won't be here, so it's ok to test it again
+if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
-if [ -e %restart_flag ]; then
+then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
+  # during LEAPP upgrade, services are not running anyway
+
+  # dovecot should be started again in %%postun, but it's not executed on reinstall
+  # if it was already started, restart_flag won't be here, so it's ok to test it again
+  if [ -e %restart_flag ]; then
     /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
-%else
+    rm -f %restart_flag
-    /sbin/service %{name} start >/dev/null 2>&1 || :
+  fi
-%endif
-rm -f %restart_flag
 fi
 
 %check
@@ -391,15 +358,11 @@ make check
 %{_bindir}/dovecot-sysreport
 
 
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 %_tmpfilesdir/dovecot.conf
+%{_sysusersdir}/dovecot.sysusers
 %{_unitdir}/dovecot.service
 %{_unitdir}/dovecot-init.service
 %{_unitdir}/dovecot.socket
-%else
-%{_initddir}/dovecot
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot
-%endif
 
 %dir %{_sysconfdir}/dovecot
 %dir %{_sysconfdir}/dovecot/conf.d
@@ -470,10 +433,10 @@ make check
 %{_libexecdir}/%{name}
 %exclude %{_libexecdir}/%{name}/managesieve*
 
-%dir %attr(0755,root,dovecot) %ghost /var/run/dovecot
+%dir %attr(0755,root,dovecot) %ghost /run/dovecot
-%attr(0750,root,dovenull) %ghost /var/run/dovecot/login
+%attr(0750,root,dovenull) %ghost /run/dovecot/login
-%attr(0750,root,dovenull) %ghost /var/run/dovecot/token-login
+%attr(0750,root,dovenull) %ghost /run/dovecot/token-login
-%attr(0755,root,root) %ghost /var/run/dovecot/empty
+%attr(0755,root,root) %ghost /run/dovecot/empty
 
 %attr(0750,dovecot,dovecot) /var/lib/dovecot
 
@@ -531,113 +494,253 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
-* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5
+* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-11
-- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-22854)
+- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-25434)
 
-* Fri Aug 04 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
+* Tue Aug 15 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-10
-- fix leaking mailboxes if virtual mailbox can't be opened (#2128857)
+- fix leaking mailboxes if virtual mailbox can't be opened (#2231408)
 
-* Tue Jul 19 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
+* Sat May 27 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-9
-- fix possible privilege escalation when similar master and non-master passdbs are used (#2106231)
+- add buildrequire of rpcgen to enable rquota support(#2157045)
 
-* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2
+* Tue Sep 13 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-8
-- do not disable xz/lzma for now despite being deprecated
+- do not run systemd commands during leapp upgrade (#2119385)
 
-* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
+* Tue Jul 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-7
+- fix possible privilege escalation when similar master and non-master passdbs are used (#2106232)
+
+* Wed Jul 06 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6
+- fix possible nonzero return value of postinst script(#2053368)
+
+* Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5
+- workaround sysuers macro defficiency (#2095399)
+
+* Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
+- use systemd-sysusers for user creation (#2095399)
+
+* Wed Nov 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
+- re-enable LTO build (#1990080)
+
+* Wed Oct 27 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2
+- set first_valid_uid to 1000 to match system default (#2009716)
+
+* Fri Aug 20 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
 - dovecot updated to 2.3.16, pigeonhole to 0.5.16
-- fix CVE-2021-33515 plaintext commands injection (#1980014)
+- fixes several regressions (#1997583)
 
-* Wed Feb 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-9
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.15-2
-- fix CVE-2020-24386 IMAP hibernation function allows mail access (#1913534)
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Jan 12 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-8
+* Wed Jul 21 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.15-1
-- fix CVE-2020-25275 denial of service via mail MIME parsing (#1914019)
+- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15
+- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
+  JWT tokens. This may be used to supply attacker controlled keys to
+  validate tokens, if attacker has local access (#1979833)
+- CVE-2021-33515: On-path attacker could have injected plaintext commands
+  before STARTTLS negotiation that would be executed after STARTTLS
+  finished with the client
+- Add TSLv1.3 support to min_protocols.
 
-* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-7
+* Wed Jul 14 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-5
-- change run directory from /var/run to /run (#1805947)
+- fix mail storage block count parsing (#1974281)
 
-* Wed Dec 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-6
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-4
-- fix mail storage block count parsing (#1894418)
+- Rebuilt for RHEL 9 BETA for openssl 3.0
-- MIME parser crashed when boundaries were wrong (#1888111)
+  Related: rhbz#1971065
 
-* Mon Nov 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-5
+* Fri Jun 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-3
-- multilib compatibility (#1853137)
+- compatibility with openssl 3.0 (#1962035)
 
-* Fri Aug 07 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-4
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-2
-- fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1866756)
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1866761)
-- fix CVE-2020-12674 crash due to assert in RPA implementation (#1866768)
 
-* Mon Jun 01 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-3
+* Mon Mar 22 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-1
-- fix CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS (#1840354)
+- dovecot updated to 2.3.14, pigeonhole to 0.5.14
-- fix CVE-2020-10958 dovecot: command followed by sufficient number of newlines
+- use OpenSSL's implementation of HMAC
-  leads to use-after-free (#1840357)
+- Remove autocreate, expire, snarf and mail-filter plugins.
-- fix CVE-2020-10967 dovecot: sending mail with empty quoted localpart
+- Remove cydir storage driver.
-  leads to DoS (#1840356)
+- Remove XZ/LZMA write support. Read support will be removed in future release.
 
-* Thu Jan 09 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-2
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 1:2.3.13-7
-- fix default attributes for ghost files
+- rebuild for libpq ABI fix rhbz#1908268
 
-* Tue Nov 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
+* Mon Feb 01 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-6
-- dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117)
+- use make macros
 
-* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-10
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.13-5
-- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-4
+- fix multilib issues
+
+* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-3
+- bump release and rebuild
+
+* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-2
+- fix rundir location
+
+* Wed Jan 06 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-1
+- fix release number
+
+* Mon Jan 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-0
+- dovecot updated to 2.3.13, pigeonhole to 0.5.13
+- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
+  allow logged in user to access other people's emails and filesystem
+  information.
+- Metric filter and global event filter variable syntax changed to a
+  SQL-like format. 
+- auth: Added new aliases for %{variables}. Usage of the old ones is
+  possible, but discouraged.
+- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
+  mechanism and related password schemes.
+- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
+- auth: Removed postfix postmap socket
+
+* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-7
+- change run directory from /var/run to /run (#1777922)
+
+* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-6
+- use bigger default key size (#1882939)
+
+* Wed Sep 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-5
+- fix gssapi issue
+
+* Wed Aug 26 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-4
+- fix FTBFS on 32bit systems
+
+* Mon Aug 17 2020 Jeff Law <law@redhat.com> - 1:2.3.11.3-2
+- Disable LTO
+
+* Sat Aug 15 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-1
+- CVE-2020-12100: Parsing mails with a large number of MIME parts could
+  have resulted in excessive CPU usage or a crash due to running out of
+  stack memory.
+- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
+  message buffer size, which leads to reading past allocation which can
+  lead to crash.
+- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
+  address that has the empty quoted string as local-part causes the lmtp
+  service to crash.
+- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
+  zero-length message, which leads to assert-crash later on.
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon May 18 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10.1-1
+- dovecot updated to 2.3.10.1
+- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
+
+* Tue Apr 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10-1
+- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10
+
+* Wed Feb 12 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.3-1
+- dovecot updated to 2.3.9.3
+- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
+      submission-login and lmtp processes.
+- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
+
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Dec 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.2-1
+- CVE-2019-19722: Mails with group addresses in From or To fields
+  caused crash in push notification drivers.
+
+* Wed Dec 04 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9-1
+- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9 
+
+* Thu Oct 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
+- dovecot updated to 2.3.8, pigeonhole 0.5.8
+
+* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.7.2-1
+- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2
+- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
   when scanning data in quoted strings, leading to out of bounds heap
-  memory writes (#1741788)
+  memory writes
 
-* Fri Aug 23 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-9
+* Mon Aug 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:1-2.3.7.1
-- reset errno before iterating through users (#1630410)
+- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1
 
-* Mon Jun 17 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-8
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.6-4
-- fix CVE-2019-3814: improper certificate validation (#1674370)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
-* Fri Jun 14 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-7
+* Fri May 31 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-3
-- do not print error message when restorecon is not present 
+- disable gcc 9 stack reuse temporarily
-  during install (#1626395)
-- change default config to use minimal UID = 1000 (#1630410)
 
-* Mon Jun 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-6
+* Mon May 13 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-2
-- use OpenSSl implementation of HMAC, disable CRAM-MD5 when FIPS is enabled (#1618749)
+- use /run instead of /var/run (#1706372)
 
-* Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-5
+* Thu May 02 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-1
-- make key not that bigger (#1618714)
+- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6
 
-* Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-4
+* Thu Apr 18 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.2-1
-- generated key was too small (#1618714)
+- dovecot updated to 2.3.5.2
+- fixes CVE-2019-10691: Trying to login with 8bit username containing
+  invalid UTF8 input causes auth process to crash if auth policy is enabled.
 
-* Wed Sep 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-3
+* Thu Mar 28 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.1-1
-- fix global ACL directory configuration search path (#1630383)
+- dovecot updated to 2.3.5.1
-- update first/last_valid_gid range patch (#1630410)
+- CVE-2019-7524: Missing input buffer size validation leads into
+  arbitrary buffer overflow when reading fts or pop3 uidl header
+  from Dovecot index.
 
-* Mon Jul 30 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-2
+* Wed Mar 06 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5-1
-- fix defaut permissions of gost run files
+- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5
 
-* Thu Jun 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-1
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.4-3
-- dovecot updated to 2.2.36, pigeonhole to 0.4.24
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
-* Thu May 24 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-3
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:2.3.4-2
-- disable tcp_wrappers as it's not available in rhel8
+- Rebuilt for libcrypt.so.2 (#1666033)
 
-* Thu Apr 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-2
+* Wed Jan 09 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.4-1
-- include crypt.h explicitely
+- dovecot updated to 2.3.4, pigeonhole updated to 0.5.4
 
-* Wed Mar 21 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-1
+* Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.3-1
-- dovecot updated to 2.2.35, pigeonhole updated to 0.4.23
+- dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3
+- doveconf hides more secrets now in the default output
+- NUL bytes in mail headers can cause truncated replies when fetched. 
+- virtual plugin: Some searches used 100% CPU for many seconds 
+- dsync assert-crashed with acl plugin in some situations. 
+- imapc: Fixed various assert-crashes when reconnecting to server. 
 
-* Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.34-1
+
-- dovecot updated to 2.2.34, pigeonhole updated to 0.4.22
+* Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-4
-- fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive
+- fix dovecot-init service syntax error (#1635017)
-  memory usage, causing imap-login/pop3-login VSZ limit to be reached
+
-  and the process restarted. This happens only if Dovecot config has
+* Mon Aug 13 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-3
-  local_name { } or local { } configuration blocks and attacker uses
+- do not try to generate ssl-params as its obsolete (#1614640)
-  randomly generated SNI servernames.
+
-- fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.2.1-2
-  leak memory contents to attacker. For example, these memory contents
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-  might contain parts of an email from another user if the same imap
+
-  process is reused for multiple users.
+* Tue Jul 10 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-1
-- fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login
+- SSL/TLS servers may have crashed during client disconnection
-  process.
+
+* Mon Jul 09 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2-1
+- dovecot updated to 2.3.2, pigeonhole to 0.5.2
+
+* Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-2
+- fix ftbfs - murmurhash3 check fail
+
+* Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-1
+- dovecot updated to 2.3.1, pigeonhole updated to 0.5.1
+
+* Tue Mar 27 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-3
+- use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520)
+
+* Wed Mar 07 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-2
+- add gcc buildrequire
+
+* Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-1
+- dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1
 
 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:2.2.33.2-5
 - Escape macros in %%changelog

dovecot.sysusers

@@ -0,0 +1,9 @@
+#Type Name    ID    GECOS                       Home directory       Shell
+g     dovecot 97
+u     dovecot 97   "Dovecot IMAP server"        /usr/libexec/dovecot /sbin/nologin
+m     dovecot dovecot
+
+g     dovenull -
+u     dovenull -   "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
+m     dovenull dovenull
+

gating.yaml

@@ -0,0 +1,7 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+

rpminspect.yaml

@@ -0,0 +1,14 @@
+---
+runpath:
+  allowed_paths:
+    # dovecot only plugins
+    - /usr/lib/dovecot/old-stats
+    - /usr/lib64/dovecot/old-stats
+badfuncs:
+  ignore:
+    # used: inet_aton in explicitely ipv4 code path
+    # gethostbyname as a debug mesage with fallback
+    # removed from next major version already
+    - /usr/lib/dovecot/libdovecot.so.0.0.0
+    - /usr/lib64/dovecot/libdovecot.so.0.0.0
+

sources

@@ -0,0 +1,2 @@
+SHA512 (dovecot-2.3.16.tar.gz) = 31a9d352c7ead466d65ee0535b1fbd9138e35235f1ebfeedc4eef54cba450663c59708d162eaf0712af1c40f23526ac86aab2eece8cefde3edf690127472fd1e
+SHA512 (dovecot-2.3-pigeonhole-0.5.16.tar.gz) = 880e00654eab85cc41b27ac470cce6011991e3cdb005642f495c2297fd9492bfb2b6b4ef63c88c2ac10bec870ad69b8bee6b11dd1bc5099e16c3cc2857312543