.dovecot.metadata

@@ -1,2 +0,0 @@
-b9c7290dad1ac3bc1ead11359812a137a3d173f7 SOURCES/dovecot-2.3-pigeonhole-0.5.8.tar.gz
-65b93f7fd53705b3c97f9eee141a76c5f4f3a624 SOURCES/dovecot-2.3.8.tar.gz

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/dovecot-2.3-pigeonhole-0.5.8.tar.gz
-SOURCES/dovecot-2.3.8.tar.gz
+SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
+SOURCES/dovecot-2.3.16.tar.gz

SOURCES/dovecot-2.1.10-waitonline.patch

@@ -1,11 +1,11 @@
-diff -up dovecot-2.3.0.1/dovecot.service.in.waitonline dovecot-2.3.0.1/dovecot.service.in
---- dovecot-2.3.0.1/dovecot.service.in.waitonline	2018-03-01 10:35:39.888371078 +0100
-+++ dovecot-2.3.0.1/dovecot.service.in	2018-03-01 10:36:29.738784661 +0100
-@@ -12,6 +12,7 @@ After=local-fs.target network-online.tar
+diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in
+--- dovecot-2.3.15/dovecot.service.in.waitonline	2021-06-21 20:19:19.560494654 +0200
++++ dovecot-2.3.15/dovecot.service.in	2021-06-21 20:21:17.443066248 +0200
+@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar
  
  [Service]
- Type=simple
+ Type=@systemdservicetype@
 +ExecStartPre=/usr/libexec/dovecot/prestartscript
  ExecStart=@sbindir@/dovecot -F
- PIDFile=@rundir@/master.pid
  ExecReload=@bindir@/doveadm reload
+ ExecStop=@bindir@/doveadm stop

SOURCES/dovecot-2.2.20-initbysystemd.patch

@@ -1,6 +1,6 @@
-diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service
---- dovecot-2.3.0.1/dovecot-init.service.initbysystemd	2018-03-01 10:38:22.059716008 +0100
-+++ dovecot-2.3.0.1/dovecot-init.service	2018-03-01 10:38:22.059716008 +0100
+diff -up dovecot-2.3.15/dovecot-init.service.initbysystemd dovecot-2.3.15/dovecot-init.service
+--- dovecot-2.3.15/dovecot-init.service.initbysystemd	2021-06-21 20:21:49.250680889 +0200
++++ dovecot-2.3.15/dovecot-init.service	2021-06-21 20:21:49.250680889 +0200
 @@ -0,0 +1,13 @@
 +[Unit]
 +Description=One-time Dovecot init service
@@ -15,32 +15,37 @@ diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dove
 +  SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
 +fi'
 +
-diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in
---- dovecot-2.3.0.1/dovecot.service.in.initbysystemd	2018-03-01 10:38:22.060716016 +0100
-+++ dovecot-2.3.0.1/dovecot.service.in	2018-03-01 10:40:45.524901319 +0100
-@@ -8,7 +8,8 @@
+diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.service.in
+--- dovecot-2.3.15/dovecot.service.in.initbysystemd	2021-06-21 20:21:49.250680889 +0200
++++ dovecot-2.3.15/dovecot.service.in	2021-06-21 20:22:46.935981920 +0200
+@@ -11,7 +11,8 @@
  Description=Dovecot IMAP/POP3 email server
  Documentation=man:dovecot(1)
- Documentation=http://wiki2.dovecot.org/
+ Documentation=https://doc.dovecot.org/
 -After=local-fs.target network-online.target
 +After=local-fs.target network-online.target dovecot-init.service
 +Requires=dovecot-init.service
  
  [Service]
- Type=simple
-diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am
---- dovecot-2.3.0.1/Makefile.am.initbysystemd	2018-02-28 15:28:57.000000000 +0100
-+++ dovecot-2.3.0.1/Makefile.am	2018-03-01 10:38:22.060716016 +0100
-@@ -63,9 +63,10 @@ if HAVE_SYSTEMD
+ Type=@systemdservicetype@
+diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am
+--- dovecot-2.3.15/Makefile.am.initbysystemd	2021-06-21 20:21:49.250680889 +0200
++++ dovecot-2.3.15/Makefile.am	2021-06-21 20:24:26.676765849 +0200
+@@ -21,6 +21,7 @@ EXTRA_DIST = \
+ 	run-test-valgrind.supp \
+ 	dovecot.service.in \
+ 	dovecot.socket \
++	dovecot-init.service \
+ 	$(conf_DATA)
  
+ noinst_DATA = dovecot-config
+@@ -69,7 +70,8 @@ dovecot-config: dovecot-config.in Makefi
+ if WANT_SYSTEMD
  systemdsystemunit_DATA = \
          dovecot.socket \
 -        dovecot.service
 +        dovecot.service \
 +        dovecot-init.service
- else
--EXTRA_DIST += dovecot.socket dovecot.service.in
-+EXTRA_DIST += dovecot.socket dovecot.service.in dovecot-init.service
  endif
  
  install-exec-hook:

SOURCES/dovecot-2.2.36-bigkey.patch

@@ -1,9 +1,9 @@
-diff -up dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey dovecot-2.2.36/doc/dovecot-openssl.cnf
---- dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey	2017-06-23 13:18:28.000000000 +0200
-+++ dovecot-2.2.36/doc/dovecot-openssl.cnf	2018-10-16 17:15:35.836205498 +0200
+diff -up dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey dovecot-2.3.15/doc/dovecot-openssl.cnf
+--- dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey	2021-06-21 20:24:51.913456628 +0200
++++ dovecot-2.3.15/doc/dovecot-openssl.cnf	2021-06-21 20:25:36.352912123 +0200
 @@ -1,5 +1,5 @@
  [ req ]
--default_bits = 1024
+-default_bits = 2048
 +default_bits = 3072
  encrypt_key = yes
  distinguished_name = req_dn

SOURCES/dovecot-2.3.0.1-libxcrypt.patch

@@ -1,11 +0,0 @@
-diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c
---- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt       2018-02-28 15:28:58.000000000 +0100
-+++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200
-@@ -14,6 +14,7 @@
- #  define _XPG6 /* Some Solaris versions require this, some break with this */
- #endif
- #include <unistd.h>
-+#include <crypt.h>
- 
- #include "mycrypt.h"
- 

SOURCES/dovecot-2.3.16-d7705bc6.patch

@@ -0,0 +1,17 @@
+diff --git a/src/lib-index/mail-index-sync.c b/src/lib-index/mail-index-sync.c
+index 6322ee1869..c847f1cc01 100644
+--- a/src/lib-index/mail-index-sync.c
++++ b/src/lib-index/mail-index-sync.c
+@@ -544,6 +544,12 @@ static bool mail_index_sync_view_have_any(struct mail_index_view *view,
+ 		return TRUE;
+ 
+ 	mail_transaction_log_get_head(view->index->log, &log_seq, &log_offset);
++	if (log_seq < view->map->hdr.log_file_seq ||
++	    ((log_seq == view->map->hdr.log_file_seq &&
++	      log_offset < view->map->hdr.log_file_tail_offset))) {
++		/* invalid offsets - let the syncing handle the error */
++		return TRUE;
++	}
+ 	if (mail_transaction_log_view_set(view->log_view,
+ 					  view->map->hdr.log_file_seq,
+ 					  view->map->hdr.log_file_tail_offset,

SOURCES/dovecot-2.3.16-ftbfsbigend.patch

@@ -0,0 +1,53 @@
+commit ec4595097067a736717ef202fe8542b1b4bc2dd5
+Author: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date:   Tue Aug 10 12:22:08 2021 +0300
+
+    lib-index: Fix storing cache fields' last_used with 64bit big endian CPUs
+
+diff --git a/src/lib-index/mail-cache-fields.c b/src/lib-index/mail-cache-fields.c
+index e929fb559d..429e0d234c 100644
+--- a/src/lib-index/mail-cache-fields.c
++++ b/src/lib-index/mail-cache-fields.c
+@@ -524,6 +524,19 @@ static void copy_to_buf_byte(struct mail_cache *cache, buffer_t *dest,
+ 	}
+ }
+ 
++static void
++copy_to_buf_last_used(struct mail_cache *cache, buffer_t *dest, bool add_new)
++{
++	size_t offset = offsetof(struct mail_cache_field, last_used);
++#if defined(WORDS_BIGENDIAN) && SIZEOF_VOID_P == 8
++	/* 64bit time_t with big endian CPUs: copy the last 32 bits instead of
++	   the first 32 bits (that are always 0). The 32 bits are enough until
++	   year 2106, so we're not in a hurry to use 64 bits on disk. */
++	offset += sizeof(uint32_t);
++#endif
++	copy_to_buf(cache, dest, add_new, offset, sizeof(uint32_t));
++}
++
+ static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
+ {
+ 	buffer_t *buffer;
+@@ -536,9 +549,7 @@ static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
+ 
+ 	buffer = t_buffer_create(256);
+ 
+-	copy_to_buf(cache, buffer, FALSE,
+-		    offsetof(struct mail_cache_field, last_used),
+-		    sizeof(uint32_t));
++	copy_to_buf_last_used(cache, buffer, FALSE);
+ 	ret = mail_cache_write(cache, buffer->data, buffer->used,
+ 			       offset + MAIL_CACHE_FIELD_LAST_USED());
+ 	if (ret == 0) {
+@@ -599,9 +610,7 @@ void mail_cache_header_fields_get(struct mail_cache *cache, buffer_t *dest)
+ 	buffer_append(dest, &hdr, sizeof(hdr));
+ 
+ 	/* we have to keep the field order for the existing fields. */
+-	copy_to_buf(cache, dest, TRUE,
+-		    offsetof(struct mail_cache_field, last_used),
+-		    sizeof(uint32_t));
++	copy_to_buf_last_used(cache, dest, TRUE);
+ 	copy_to_buf(cache, dest, TRUE,
+ 		    offsetof(struct mail_cache_field, field_size),
+ 		    sizeof(uint32_t));
+

SOURCES/dovecot-2.3.16-keeplzma.patch

@@ -0,0 +1,353 @@
+diff -up dovecot-2.3.16/configure.ac.keeplzma dovecot-2.3.16/configure.ac
+--- dovecot-2.3.16/configure.ac.keeplzma	2021-08-06 11:25:51.000000000 +0200
++++ dovecot-2.3.16/configure.ac	2022-02-28 13:58:02.337149927 +0100
+@@ -173,7 +173,7 @@ AS_HELP_STRING([--with-bzlib], [Build wi
+   want_bzlib=auto)
+ 
+ AC_ARG_WITH(lzma,
+-AS_HELP_STRING([--with-lzma], [Build with LZMA decompression support (auto)]),
++AS_HELP_STRING([--with-lzma], [Build with LZMA compression support (auto)]),
+   TEST_WITH(lzma, $withval),
+   want_lzma=auto)
+ 
+diff -up dovecot-2.3.16/run-test-valgrind.supp.keeplzma dovecot-2.3.16/run-test-valgrind.supp
+--- dovecot-2.3.16/run-test-valgrind.supp.keeplzma	2021-08-06 11:25:51.000000000 +0200
++++ dovecot-2.3.16/run-test-valgrind.supp	2022-02-28 13:58:02.337149927 +0100
+@@ -5,6 +5,17 @@
+    obj:*/bash
+ }
+ {
++   <liblzma>
++   Memcheck:Cond
++   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
++   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
++   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
++   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
++   obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
++   fun:lzma_stream_encoder
++   fun:lzma_easy_encoder
++}
++{
+    <openssl_centos6_i386_v1_0_1_compression_methods>
+    Memcheck:Leak
+    fun:malloc
+diff -up dovecot-2.3.16/src/lib-compression/compression.c.keeplzma dovecot-2.3.16/src/lib-compression/compression.c
+--- dovecot-2.3.16/src/lib-compression/compression.c.keeplzma	2021-08-06 11:25:51.000000000 +0200
++++ dovecot-2.3.16/src/lib-compression/compression.c	2022-02-28 14:22:32.467944396 +0100
+@@ -25,6 +25,7 @@
+ #endif
+ #ifndef HAVE_LZMA
+ #  define i_stream_create_lzma NULL
++#  define o_stream_create_lzma NULL
+ #endif
+ #ifndef HAVE_LZ4
+ #  define i_stream_create_lz4 NULL
+@@ -216,7 +217,7 @@ const struct compression_handler compres
+ 		.ext = ".xz",
+ 		.is_compressed = is_compressed_xz,
+ 		.create_istream = i_stream_create_lzma,
+-		.create_ostream = NULL,
++		.create_ostream = o_stream_create_lzma,
+ 		.get_min_level = compression_get_min_level_unsupported,
+ 		.get_default_level = compression_get_default_level_unsupported,
+ 		.get_max_level = compression_get_max_level_unsupported,
+diff -up dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma dovecot-2.3.16/src/lib-compression/Makefile.am
+--- dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma	2021-08-06 11:25:51.000000000 +0200
++++ dovecot-2.3.16/src/lib-compression/Makefile.am	2022-02-28 13:58:02.337149927 +0100
+@@ -13,6 +13,7 @@ libcompression_la_SOURCES = \
+ 	istream-zlib.c \
+ 	istream-bzlib.c \
+ 	istream-zstd.c \
++	ostream-lzma.c \
+ 	ostream-lz4.c \
+ 	ostream-zlib.c \
+ 	ostream-bzlib.c \
+diff -up dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma dovecot-2.3.16/src/lib-compression/ostream-lzma.c
+--- dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma	2022-02-28 13:58:02.338149934 +0100
++++ dovecot-2.3.16/src/lib-compression/ostream-lzma.c	2022-02-28 13:58:02.338149934 +0100
+@@ -0,0 +1,263 @@
++/* Copyright (c) 2010-2018 Dovecot authors, see the included COPYING file */
++
++#include "lib.h"
++
++#ifdef HAVE_LZMA
++
++#include "ostream-private.h"
++#include "ostream-zlib.h"
++#include <lzma.h>
++
++#define CHUNK_SIZE (1024*64)
++
++struct lzma_ostream {
++	struct ostream_private ostream;
++	lzma_stream strm;
++
++	unsigned char outbuf[CHUNK_SIZE];
++	unsigned int outbuf_offset, outbuf_used;
++
++	bool flushed:1;
++};
++
++static void o_stream_lzma_close(struct iostream_private *stream,
++				bool close_parent)
++{
++	struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
++	i_assert(zstream->ostream.finished ||
++		 zstream->ostream.ostream.stream_errno != 0 ||
++		 zstream->ostream.error_handling_disabled);
++	lzma_end(&zstream->strm);
++	if (close_parent)
++		o_stream_close(zstream->ostream.parent);
++}
++
++static int o_stream_zlib_send_outbuf(struct lzma_ostream *zstream)
++{
++	ssize_t ret;
++	size_t size;
++
++	if (zstream->outbuf_used == 0)
++		return 1;
++
++	size = zstream->outbuf_used - zstream->outbuf_offset;
++	i_assert(size > 0);
++	ret = o_stream_send(zstream->ostream.parent,
++			    zstream->outbuf + zstream->outbuf_offset, size);
++	if (ret < 0) {
++		o_stream_copy_error_from_parent(&zstream->ostream);
++		return -1;
++	}
++	if ((size_t)ret != size) {
++		zstream->outbuf_offset += ret;
++		return 0;
++	}
++	zstream->outbuf_offset = 0;
++	zstream->outbuf_used = 0;
++	return 1;
++}
++
++static ssize_t
++o_stream_lzma_send_chunk(struct lzma_ostream *zstream,
++			  const void *data, size_t size)
++{
++	lzma_stream *zs = &zstream->strm;
++	int ret;
++
++	i_assert(zstream->outbuf_used == 0);
++
++	zs->next_in = (void *)data;
++	zs->avail_in = size;
++	while (zs->avail_in > 0) {
++		if (zs->avail_out == 0) {
++			/* previous block was compressed. send it and start
++			   compression for a new block. */
++			zs->next_out = zstream->outbuf;
++			zs->avail_out = sizeof(zstream->outbuf);
++
++			zstream->outbuf_used = sizeof(zstream->outbuf);
++			if ((ret = o_stream_zlib_send_outbuf(zstream)) < 0)
++				return -1;
++			if (ret == 0) {
++				/* parent stream's buffer full */
++				break;
++			}
++		}
++
++		ret = lzma_code(zs, LZMA_RUN);
++		switch (ret) {
++		case LZMA_OK:
++			break;
++		case LZMA_MEM_ERROR:
++			i_fatal_status(FATAL_OUTOFMEM,
++				       "lzma.write(%s): Out of memory",
++				       o_stream_get_name(&zstream->ostream.ostream));
++		default:
++			i_panic("lzma.write(%s) failed with unexpected code %d",
++				o_stream_get_name(&zstream->ostream.ostream), ret);
++		}
++	}
++	size -= zs->avail_in;
++
++	return size;
++}
++
++static int o_stream_lzma_send_flush(struct lzma_ostream *zstream, bool final)
++{
++	lzma_stream *zs = &zstream->strm;
++	size_t len;
++	bool done = FALSE;
++	int ret;
++
++	i_assert(zs->avail_in == 0);
++
++	if (zstream->flushed) {
++		i_assert(zstream->outbuf_used == 0);
++		return 1;
++	}
++
++	if ((ret = o_stream_flush_parent_if_needed(&zstream->ostream)) <= 0)
++		return ret;
++	if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
++		return ret;
++
++	if (!final)
++		return 1;
++
++	i_assert(zstream->outbuf_used == 0);
++	do {
++		len = sizeof(zstream->outbuf) - zs->avail_out;
++		if (len != 0) {
++			zs->next_out = zstream->outbuf;
++			zs->avail_out = sizeof(zstream->outbuf);
++
++			zstream->outbuf_used = len;
++			if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
++				return ret;
++			if (done)
++				break;
++		}
++		ret = lzma_code(zs, LZMA_FINISH);
++		switch (ret) {
++		case LZMA_OK:
++			/* still unfinished - need to call lzma_code() again */
++			break;
++		case LZMA_STREAM_END:
++			/* output is fully finished */
++			done = TRUE;
++			break;
++		case LZMA_MEM_ERROR:
++			i_fatal_status(FATAL_OUTOFMEM,
++				       "lzma.write(%s): Out of memory",
++				       o_stream_get_name(&zstream->ostream.ostream));
++		default:
++			i_panic("lzma.write(%s) flush failed with unexpected code %d",
++				o_stream_get_name(&zstream->ostream.ostream), ret);
++		}
++	} while (zs->avail_out != sizeof(zstream->outbuf));
++
++	if (final)
++		zstream->flushed = TRUE;
++	i_assert(zstream->outbuf_used == 0);
++	return 1;
++}
++
++static int o_stream_lzma_flush(struct ostream_private *stream)
++{
++	struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
++	int ret;
++
++	if ((ret = o_stream_lzma_send_flush(zstream, stream->finished)) < 0)
++		return -1;
++	else if (ret > 0)
++		return o_stream_flush_parent(stream);
++	return ret;
++}
++
++static size_t
++o_stream_lzma_get_buffer_used_size(const struct ostream_private *stream)
++{
++	const struct lzma_ostream *zstream =
++		(const struct lzma_ostream *)stream;
++
++	/* outbuf has already compressed data that we're trying to send to the
++	   parent stream. We're not including lzma's internal compression
++	   buffer size. */
++	return (zstream->outbuf_used - zstream->outbuf_offset) +
++		o_stream_get_buffer_used_size(stream->parent);
++}
++
++static size_t
++o_stream_lzma_get_buffer_avail_size(const struct ostream_private *stream)
++{
++	/* FIXME: not correct - this is counting compressed size, which may be
++	   too larger than uncompressed size in some situations. Fixing would
++	   require some kind of additional buffering. */
++	return o_stream_get_buffer_avail_size(stream->parent);
++}
++
++static ssize_t
++o_stream_lzma_sendv(struct ostream_private *stream,
++		    const struct const_iovec *iov, unsigned int iov_count)
++{
++	struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
++	ssize_t ret, bytes = 0;
++	unsigned int i;
++
++	if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0) {
++		/* error / we still couldn't flush existing data to
++		   parent stream. */
++		return ret;
++	}
++
++	for (i = 0; i < iov_count; i++) {
++		ret = o_stream_lzma_send_chunk(zstream, iov[i].iov_base,
++						iov[i].iov_len);
++		if (ret < 0)
++			return -1;
++		bytes += ret;
++		if ((size_t)ret != iov[i].iov_len)
++			break;
++	}
++	stream->ostream.offset += bytes;
++
++	/* avail_in!=0 check is used to detect errors. if it's non-zero here
++	   it simply means we didn't send all the data */
++	zstream->strm.avail_in = 0;
++	return bytes;
++}
++
++struct ostream *o_stream_create_lzma(struct ostream *output, int level)
++{
++	struct lzma_ostream *zstream;
++	lzma_ret ret;
++
++	i_assert(level >= 1 && level <= 9);
++
++	zstream = i_new(struct lzma_ostream, 1);
++	zstream->ostream.sendv = o_stream_lzma_sendv;
++	zstream->ostream.flush = o_stream_lzma_flush;
++	zstream->ostream.get_buffer_used_size =
++		o_stream_lzma_get_buffer_used_size;
++	zstream->ostream.get_buffer_avail_size =
++		o_stream_lzma_get_buffer_avail_size;
++	zstream->ostream.iostream.close = o_stream_lzma_close;
++
++	ret = lzma_easy_encoder(&zstream->strm, level, LZMA_CHECK_CRC64);
++	switch (ret) {
++	case LZMA_OK:
++		break;
++	case LZMA_MEM_ERROR:
++		i_fatal_status(FATAL_OUTOFMEM, "lzma: Out of memory");
++	case LZMA_OPTIONS_ERROR:
++		i_fatal("lzma: Invalid level");
++	default:
++		i_fatal("lzma_easy_encoder() failed with %d", ret);
++	}
++
++	zstream->strm.next_out = zstream->outbuf;
++	zstream->strm.avail_out = sizeof(zstream->outbuf);
++	return o_stream_create(&zstream->ostream, output,
++			       o_stream_get_fd(output));
++}
++#endif
+diff -up dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma dovecot-2.3.16/src/lib-compression/ostream-zlib.h
+--- dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma	2021-08-06 11:25:51.000000000 +0200
++++ dovecot-2.3.16/src/lib-compression/ostream-zlib.h	2022-02-28 13:58:02.338149934 +0100
+@@ -4,6 +4,7 @@
+ struct ostream *o_stream_create_gz(struct ostream *output, int level);
+ struct ostream *o_stream_create_deflate(struct ostream *output, int level);
+ struct ostream *o_stream_create_bz2(struct ostream *output, int level);
++struct ostream *o_stream_create_lzma(struct ostream *output, int level);
+ struct ostream *o_stream_create_lz4(struct ostream *output, int level);
+ struct ostream *o_stream_create_zstd(struct ostream *output, int level);
+ 
+diff -up dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma dovecot-2.3.16/src/lib-compression/test-compression.c
+--- dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma	2021-08-06 11:25:51.000000000 +0200
++++ dovecot-2.3.16/src/lib-compression/test-compression.c	2022-02-28 13:58:02.338149934 +0100
+@@ -730,7 +730,6 @@ static void test_compression_int(bool au
+ 
+ 	for (i = 0; compression_handlers[i].name != NULL; i++) {
+ 		if (compression_handlers[i].create_istream != NULL &&
+-		    compression_handlers[i].create_ostream != NULL &&
+ 		    (!autodetect ||
+ 		     compression_handlers[i].is_compressed != NULL)) T_BEGIN {
+ 			if (compression_handlers[i].is_compressed != NULL &&

SOURCES/dovecot-2.3.18-9f300239..4596d399.patch

@@ -0,0 +1,578 @@
+From 9f3002393fe1c1fe317121d03591569dac120739 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Tue, 17 Aug 2021 19:09:13 +0200
+Subject: [PATCH 01/12] lib-sieve: sieve-interpreter - Fix field mixup in debug
+ message.
+
+---
+ src/lib-sieve/sieve-interpreter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib-sieve/sieve-interpreter.c b/src/lib-sieve/sieve-interpreter.c
+index 9ee6c659..274e142d 100644
+--- a/src/lib-sieve/sieve-interpreter.c
++++ b/src/lib-sieve/sieve-interpreter.c
+@@ -1003,8 +1003,8 @@ int sieve_interpreter_continue(struct sieve_interpreter *interp,
+ 		}
+ 		e_debug(e->event(), "Finished running script `%s' "
+ 			"(status=%s, resource usage: %s)",
+-			sieve_execution_exitcode_to_str(ret),
+ 			sieve_binary_source(interp->runenv.sbin),
++			sieve_execution_exitcode_to_str(ret),
+ 			sieve_resource_usage_get_summary(&interp->rusage));
+ 		interp->running = FALSE;
+ 	}
+
+From 54e020c1212f626049bffc6c6fea8e606a893af2 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 01:44:23 +0200
+Subject: [PATCH 02/12] lib-sieve: sieve-result - Remove success parameter from
+ sieve_result_implicit_keep_execute().
+
+---
+ src/lib-sieve/sieve-result.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index 55eb9f54..d3f2f925 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1475,8 +1475,7 @@ void sieve_result_execution_destroy(struct sieve_result_execution **_rexec)
+ }
+ 
+ static void
+-sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
+-				   bool success)
++sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
+ {
+ 	const struct sieve_action_exec_env *aenv = &rexec->action_env;
+ 	struct sieve_result *result = aenv->result;
+@@ -1486,6 +1485,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
+ 	struct sieve_action_execution *aexec_keep = &rexec->keep;
+ 	struct sieve_result_action *ract_keep = &rexec->keep_action;
+ 	struct sieve_action *act_keep = &ract_keep->action;
++	bool success = (rexec->status == SIEVE_EXEC_OK);
+ 
+ 	if (rexec->keep_equiv_action != NULL) {
+ 		e_debug(rexec->event, "No implicit keep needed "
+@@ -1579,8 +1579,8 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec,
+ 		}
+ 	}
+ 
+-	e_debug(rexec->event, "Execute implicit keep (failure=%s)",
+-		(!success ? "yes" : "no"));
++	e_debug(rexec->event, "Execute implicit keep (status=%s)",
++		sieve_execution_exitcode_to_str(rexec->status));
+ 
+ 	/* Initialize side effects */
+ 	sieve_action_execution_add_side_effects(rexec, aexec_keep, ract_keep);
+@@ -1633,7 +1633,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
+ 	/* Start keep if necessary */
+ 	if (act_keep->def == NULL ||
+ 	    aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
+-		sieve_result_implicit_keep_execute(rexec, success);
++		sieve_result_implicit_keep_execute(rexec);
+ 	/* Switch to failure keep if necessary. */
+ 	} else if (rexec->keep_success && !success){
+ 		e_debug(rexec->event, "Switch to failure implicit keep");
+@@ -1645,7 +1645,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
+ 		i_zero(aexec_keep);
+ 
+ 		/* Start failure keep action. */
+-		sieve_result_implicit_keep_execute(rexec, success);
++		sieve_result_implicit_keep_execute(rexec);
+ 	}
+ 	if (act_keep->def == NULL)
+ 		return rexec->keep_status;
+@@ -1931,10 +1931,8 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
+ 		/* Execute implicit keep if the transaction failed or when the
+ 		   implicit keep was not canceled during transaction.
+ 		 */
+-		if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
+-			sieve_result_implicit_keep_execute(
+-				rexec, (rexec->status == SIEVE_EXEC_OK));
+-		}
++		if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
++			sieve_result_implicit_keep_execute(rexec);
+ 	}
+ 
+ 	/* Transaction commit/rollback */
+
+From 291f2fdb77b86db566dca7c028dd93fc741f6b31 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 01:40:57 +0200
+Subject: [PATCH 03/12] lib-sieve: sieve-result - Remove success parameter from
+ sieve_result_implicit_keep_finalize().
+
+---
+ src/lib-sieve/sieve-result.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index d3f2f925..3cf2c02a 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1603,8 +1603,7 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
+ }
+ 
+ static int
+-sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
+-				    bool success)
++sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
+ {
+ 	const struct sieve_action_exec_env *aenv = &rexec->action_env;
+ 	const struct sieve_execute_env *eenv = aenv->exec_env;
+@@ -1612,6 +1611,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
+ 	struct sieve_result_action *ract_keep = &rexec->keep_action;
+ 	struct sieve_action *act_keep = &ract_keep->action;
+ 	int commit_status = SIEVE_EXEC_OK;
++	bool success = (rexec->status == SIEVE_EXEC_OK);
+ 
+ 	if (rexec->keep_equiv_action != NULL) {
+ 		struct sieve_action_execution *ke_aexec =
+@@ -1627,8 +1627,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec,
+ 		return rexec->keep_status;
+ 	}
+ 
+-	e_debug(rexec->event, "Finalize implicit keep (failure=%s)",
+-		(!success ? "yes" : "no"));
++	e_debug(rexec->event, "Finalize implicit keep (status=%s)",
++		sieve_execution_exitcode_to_str(rexec->status));
+ 
+ 	/* Start keep if necessary */
+ 	if (act_keep->def == NULL ||
+@@ -1950,8 +1950,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
+ 		   implicit keep was not canceled during transaction.
+ 		 */
+ 		if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
+-			ret = sieve_result_implicit_keep_finalize(
+-				rexec, (rexec->status == SIEVE_EXEC_OK));
++			ret = sieve_result_implicit_keep_finalize(rexec);
+ 			switch (ret) {
+ 			case SIEVE_EXEC_OK:
+ 				if (result_status == SIEVE_EXEC_TEMP_FAILURE)
+
+From 10e347e3c9eb5e7bf5bc6f178389005357f527fe Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 02:07:01 +0200
+Subject: [PATCH 04/12] lib-sieve: sieve-result - Move temp failure status
+ checks into sieve_result_implicit_keep_execute().
+
+---
+ src/lib-sieve/sieve-result.c | 38 ++++++++++++++++++++++++------------
+ 1 file changed, 26 insertions(+), 12 deletions(-)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index 3cf2c02a..44afeef7 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -934,6 +934,7 @@ struct sieve_result_execution {
+ 	bool keep_success:1;
+ 	bool keep_explicit:1;
+ 	bool keep_implicit:1;
++	bool keep_finalizing:1;
+ 	bool seen_delivery:1;
+ 	bool executed:1;
+ 	bool executed_delivery:1;
+@@ -1485,7 +1486,24 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
+ 	struct sieve_action_execution *aexec_keep = &rexec->keep;
+ 	struct sieve_result_action *ract_keep = &rexec->keep_action;
+ 	struct sieve_action *act_keep = &ract_keep->action;
+-	bool success = (rexec->status == SIEVE_EXEC_OK);
++	bool success = FALSE;
++
++	switch (rexec->status) {
++	case SIEVE_EXEC_OK:
++		success = TRUE;
++		break;
++	case SIEVE_EXEC_TEMP_FAILURE:
++	case SIEVE_EXEC_RESOURCE_LIMIT:
++		if (rexec->executed)
++			break;
++		if (rexec->committed)
++			break;
++		if (rexec->keep_finalizing)
++			break;
++		return;
++	default:
++		break;
++	}
+ 
+ 	if (rexec->keep_equiv_action != NULL) {
+ 		e_debug(rexec->event, "No implicit keep needed "
+@@ -1630,6 +1648,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
+ 	e_debug(rexec->event, "Finalize implicit keep (status=%s)",
+ 		sieve_execution_exitcode_to_str(rexec->status));
+ 
++	rexec->keep_finalizing = TRUE;
++
+ 	/* Start keep if necessary */
+ 	if (act_keep->def == NULL ||
+ 	    aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
+@@ -1923,17 +1943,11 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
+ 		return rexec->status;
+ 	}
+ 
+-	/* Execute implicit keep if necessary */
+-
+-	if (rexec->executed ||
+-	    (rexec->status != SIEVE_EXEC_TEMP_FAILURE &&
+-	     rexec->status != SIEVE_EXEC_RESOURCE_LIMIT)) {
+-		/* Execute implicit keep if the transaction failed or when the
+-		   implicit keep was not canceled during transaction.
+-		 */
+-		if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
+-			sieve_result_implicit_keep_execute(rexec);
+-	}
++	/* Execute implicit keep if the transaction failed or when the
++	   implicit keep was not canceled during transaction.
++	 */
++	if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit)
++		sieve_result_implicit_keep_execute(rexec);
+ 
+ 	/* Transaction commit/rollback */
+ 
+
+From c84e6e5d8d1d8b03a0ba5958804d200c6e1916d8 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 02:26:32 +0200
+Subject: [PATCH 05/12] lib-sieve: sieve-result - Move temp failure status
+ checks into sieve_result_implicit_keep_finalize().
+
+---
+ src/lib-sieve/sieve-result.c | 56 +++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 23 deletions(-)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index 44afeef7..10cc3b95 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1629,7 +1629,20 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
+ 	struct sieve_result_action *ract_keep = &rexec->keep_action;
+ 	struct sieve_action *act_keep = &ract_keep->action;
+ 	int commit_status = SIEVE_EXEC_OK;
+-	bool success = (rexec->status == SIEVE_EXEC_OK);
++	bool success = FALSE;
++
++	switch (rexec->status) {
++	case SIEVE_EXEC_OK:
++		success = TRUE;
++		break;
++	case SIEVE_EXEC_TEMP_FAILURE:
++	case SIEVE_EXEC_RESOURCE_LIMIT:
++		if (rexec->committed)
++			break;
++		return rexec->status;
++	default:
++		break;
++	}
+ 
+ 	if (rexec->keep_equiv_action != NULL) {
+ 		struct sieve_action_execution *ke_aexec =
+@@ -1957,32 +1970,29 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
+ 	/* Commit implicit keep if necessary */
+ 
+ 	result_status = rexec->status;
+-	if (rexec->committed ||
+-	    (rexec->status != SIEVE_EXEC_TEMP_FAILURE &&
+-	     rexec->status != SIEVE_EXEC_RESOURCE_LIMIT)) {
+-		/* Commit implicit keep if the transaction failed or when the
+-		   implicit keep was not canceled during transaction.
+-		 */
+-		if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
+-			ret = sieve_result_implicit_keep_finalize(rexec);
+-			switch (ret) {
+-			case SIEVE_EXEC_OK:
+-				if (result_status == SIEVE_EXEC_TEMP_FAILURE)
+-					result_status = SIEVE_EXEC_FAILURE;
++
++	/* Commit implicit keep if the transaction failed or when the
++	   implicit keep was not canceled during transaction.
++	 */
++	if (rexec->status != SIEVE_EXEC_OK || rexec->keep_implicit) {
++		ret = sieve_result_implicit_keep_finalize(rexec);
++		switch (ret) {
++		case SIEVE_EXEC_OK:
++			if (result_status == SIEVE_EXEC_TEMP_FAILURE)
++				result_status = SIEVE_EXEC_FAILURE;
++			break;
++		case SIEVE_EXEC_TEMP_FAILURE:
++			if (!rexec->committed) {
++				result_status = ret;
+ 				break;
+-			case SIEVE_EXEC_TEMP_FAILURE:
+-				if (!rexec->committed) {
+-					result_status = ret;
+-					break;
+-				}
+-				/* fall through */
+-			default:
+-				result_status = SIEVE_EXEC_KEEP_FAILED;
+ 			}
++			/* fall through */
++		default:
++			result_status = SIEVE_EXEC_KEEP_FAILED;
+ 		}
+-		if (rexec->status == SIEVE_EXEC_OK)
+-			rexec->status = result_status;
+ 	}
++	if (rexec->status == SIEVE_EXEC_OK)
++		rexec->status = result_status;
+ 
+ 	/* Finish execution */
+ 
+
+From 92b4b06d5d8deeefdd17d5fb18d7f0d23e8e414b Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 02:46:18 +0200
+Subject: [PATCH 06/12] lib-sieve: sieve-result - Skip implicit keep in
+ execution stage upon temp failure.
+
+It will be executed in the commit phase if necessary; don't do it early; it will
+only be rolled back.
+---
+ src/lib-sieve/sieve-result.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index 10cc3b95..82354831 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1494,8 +1494,6 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
+ 		break;
+ 	case SIEVE_EXEC_TEMP_FAILURE:
+ 	case SIEVE_EXEC_RESOURCE_LIMIT:
+-		if (rexec->executed)
+-			break;
+ 		if (rexec->committed)
+ 			break;
+ 		if (rexec->keep_finalizing)
+
+From f2b81cc6ebaa3001bde693f7abdb990f467f7831 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 02:56:32 +0200
+Subject: [PATCH 07/12] lib-sieve: sieve-result - Fix handling of resource
+ limit status after implicit keep commit.
+
+---
+ src/lib-sieve/sieve-result.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index 82354831..96582075 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1980,6 +1980,7 @@ int sieve_result_execute(struct sieve_result_execution *rexec, int status,
+ 				result_status = SIEVE_EXEC_FAILURE;
+ 			break;
+ 		case SIEVE_EXEC_TEMP_FAILURE:
++		case SIEVE_EXEC_RESOURCE_LIMIT:
+ 			if (!rexec->committed) {
+ 				result_status = ret;
+ 				break;
+
+From 293f0027106a725e4cbcf56b673f1eedda00c317 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 02:54:25 +0200
+Subject: [PATCH 08/12] lib-sieve: sieve-result - Fix resource leak occurring
+ when implicit keep is executed before temporary failure at commit.
+
+In the commit phase the implicit keep was never finalized, meaning that it was
+not rolled back and thus not cleaned up properly. This leads to a memory leak
+and a mailbox reference leak. This in turn causes an assert crash at the end
+of delivery when the mail user is destroyed.
+---
+ src/lib-sieve/sieve-result.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index 96582075..10ea349c 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1627,7 +1627,7 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
+ 	struct sieve_result_action *ract_keep = &rexec->keep_action;
+ 	struct sieve_action *act_keep = &ract_keep->action;
+ 	int commit_status = SIEVE_EXEC_OK;
+-	bool success = FALSE;
++	bool success = FALSE, temp_failure = FALSE;
+ 
+ 	switch (rexec->status) {
+ 	case SIEVE_EXEC_OK:
+@@ -1637,7 +1637,15 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
+ 	case SIEVE_EXEC_RESOURCE_LIMIT:
+ 		if (rexec->committed)
+ 			break;
+-		return rexec->status;
++
++		if (aexec_keep->state !=
++		    SIEVE_ACTION_EXECUTION_STATE_EXECUTED)
++			return rexec->status;
++		/* Roll back for temporary failure when no other action
++		   is committed. */
++		commit_status = rexec->status;
++		temp_failure = TRUE;
++		break;
+ 	default:
+ 		break;
+ 	}
+@@ -1662,8 +1670,10 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
+ 	rexec->keep_finalizing = TRUE;
+ 
+ 	/* Start keep if necessary */
+-	if (act_keep->def == NULL ||
+-	    aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
++	if (temp_failure) {
++		rexec->keep_status = rexec->status;
++	} else if (act_keep->def == NULL ||
++		   aexec_keep->state != SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
+ 		sieve_result_implicit_keep_execute(rexec);
+ 	/* Switch to failure keep if necessary. */
+ 	} else if (rexec->keep_success && !success){
+
+From 81bd53d6c9fa14fc6b32304e49dddb8fd022de91 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 13:29:41 +0200
+Subject: [PATCH 09/12] lib-sieve: sieve-result - Assert that implicit keep is
+ executed in sieve_result_implicit_keep_finalize().
+
+---
+ src/lib-sieve/sieve-result.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index 10ea349c..de97d6ae 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1691,6 +1691,8 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
+ 	if (act_keep->def == NULL)
+ 		return rexec->keep_status;
+ 
++	i_assert(aexec_keep->state == SIEVE_ACTION_EXECUTION_STATE_EXECUTED);
++
+ 	/* Finalize keep action */
+ 	rexec->keep_status = sieve_result_action_commit_or_rollback(
+ 		rexec, aexec_keep, rexec->keep_status, &commit_status);
+
+From dbf5b62ba82766a7d824e81005b2517d96984ef0 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 02:43:05 +0200
+Subject: [PATCH 10/12] lib-sieve: sieve-result - Add debug messages for temp
+ failure handling.
+
+---
+ src/lib-sieve/sieve-result.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index de97d6ae..c21c8017 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1494,10 +1494,21 @@ sieve_result_implicit_keep_execute(struct sieve_result_execution *rexec)
+ 		break;
+ 	case SIEVE_EXEC_TEMP_FAILURE:
+ 	case SIEVE_EXEC_RESOURCE_LIMIT:
+-		if (rexec->committed)
++		if (rexec->committed) {
++			e_debug(rexec->event,
++				"Temporary failure occurred (status=%s), "
++				"but other actions were already committed: "
++				"execute failure implicit keep",
++				sieve_execution_exitcode_to_str(rexec->status));
+ 			break;
++		}
+ 		if (rexec->keep_finalizing)
+ 			break;
++
++		e_debug(rexec->event,
++			"Skip implicit keep for temporary failure "
++			"(state=execute, status=%s)",
++			sieve_execution_exitcode_to_str(rexec->status));
+ 		return;
+ 	default:
+ 		break;
+@@ -1635,12 +1646,23 @@ sieve_result_implicit_keep_finalize(struct sieve_result_execution *rexec)
+ 		break;
+ 	case SIEVE_EXEC_TEMP_FAILURE:
+ 	case SIEVE_EXEC_RESOURCE_LIMIT:
+-		if (rexec->committed)
++		if (rexec->committed) {
++			e_debug(rexec->event,
++				"Temporary failure occurred (status=%s), "
++				"but other actions were already committed: "
++				"commit failure implicit keep",
++				sieve_execution_exitcode_to_str(rexec->status));
+ 			break;
++		}
+ 
+ 		if (aexec_keep->state !=
+-		    SIEVE_ACTION_EXECUTION_STATE_EXECUTED)
++		    SIEVE_ACTION_EXECUTION_STATE_EXECUTED) {
++			e_debug(rexec->event,
++				"Skip implicit keep for temporary failure "
++				"(state=commit, status=%s)",
++				sieve_execution_exitcode_to_str(rexec->status));
+ 			return rexec->status;
++		}
+ 		/* Roll back for temporary failure when no other action
+ 		   is committed. */
+ 		commit_status = rexec->status;
+
+From 65d771c15bf443690580dbb0643556794106522b Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 13:26:26 +0200
+Subject: [PATCH 11/12] lib-sieve: sieve-result - Indicate in
+ sieve_result_transaction_execute() debug message whether actions were
+ executed.
+
+---
+ src/lib-sieve/sieve-result.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index c21c8017..6f3cb954 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1796,10 +1796,11 @@ sieve_result_transaction_execute(struct sieve_result_execution *rexec,
+ 	}
+ 
+ 	e_debug(rexec->event, "Finished executing actions "
+-		"(status=%s, keep=%s)",
++		"(status=%s, keep=%s, executed=%s)",
+ 		sieve_execution_exitcode_to_str(status),
+ 		(rexec->keep_explicit ? "explicit" :
+-		 (rexec->keep_implicit ? "implicit" : "none")));
++		 (rexec->keep_implicit ? "implicit" : "none")),
++		(rexec->executed ? "yes" : "no"));
+ 	return status;
+ }
+ 
+
+From 4596d39908a868783fae9a0c2fd264409c0aaa96 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch <stephan.bosch@open-xchange.com>
+Date: Wed, 18 Aug 2021 13:27:50 +0200
+Subject: [PATCH 12/12] lib-sieve: sieve-result - Indicate in
+ sieve_result_transaction_finalize() debug message whether actions were
+ committed.
+
+---
+ src/lib-sieve/sieve-result.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib-sieve/sieve-result.c b/src/lib-sieve/sieve-result.c
+index 6f3cb954..effd6f28 100644
+--- a/src/lib-sieve/sieve-result.c
++++ b/src/lib-sieve/sieve-result.c
+@@ -1859,10 +1859,11 @@ sieve_result_transaction_commit_or_rollback(
+ 	}
+ 
+ 	e_debug(rexec->event, "Finished finalizing actions "
+-		"(status=%s, keep=%s)",
++		"(status=%s, keep=%s, committed=%s)",
+ 		sieve_execution_exitcode_to_str(status),
+ 		(rexec->keep_explicit ? "explicit" :
+-		 (rexec->keep_implicit ? "implicit" : "none")));
++		 (rexec->keep_implicit ? "implicit" : "none")),
++		(rexec->committed ? "yes" : "no"));
+ 
+ 	return commit_status;
+ }

SOURCES/dovecot-2.3.18-bdf447e4.patch

@@ -0,0 +1,31 @@
+From bdf4474ed82aaf964e7d94e72ca56b496e3815f9 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Fri, 1 Oct 2021 15:08:45 +0300
+Subject: [PATCH] virtual: Fix leaking mailboxes if virtual mailbox can't be
+ opened
+
+Fixes also a crash at deinit:
+Panic: file mail-user.c: line 232 (mail_user_deinit): assertion failed: ((*user)->refcount == 1)
+---
+ src/plugins/virtual/virtual-storage.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/plugins/virtual/virtual-storage.c b/src/plugins/virtual/virtual-storage.c
+index 2f31503d53..a0779cc186 100644
+--- a/src/plugins/virtual/virtual-storage.c
++++ b/src/plugins/virtual/virtual-storage.c
+@@ -495,12 +495,12 @@ static int virtual_mailbox_open(struct mailbox *box)
+ 		ret = virtual_mailboxes_open(mbox, box->flags);
+ 		array_pop_back(&mbox->storage->open_stack);
+ 	}
++	if (ret == 0)
++		ret = index_storage_mailbox_open(box, FALSE);
+ 	if (ret < 0) {
+ 		virtual_mailbox_close_internal(mbox);
+ 		return -1;
+ 	}
+-	if (index_storage_mailbox_open(box, FALSE) < 0)
+-		return -1;
+ 
+ 	mbox->virtual_ext_id =
+ 		mail_index_ext_register(mbox->box.index, "virtual", 0,

SOURCES/dovecot-2.3.19.1-7bad6a24.patch

@@ -0,0 +1,131 @@
+From 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 9 May 2022 15:23:33 +0300
+Subject: [PATCH] auth: Fix handling passdbs with identical driver/args but
+ different mechanisms/username_filter
+
+The passdb was wrongly deduplicated in this situation, causing wrong
+mechanisms or username_filter setting to be used. This would be a rather
+unlikely configuration though.
+
+Fixed by moving mechanisms and username_filter from struct passdb_module
+to struct auth_passdb, which is where they should have been in the first
+place.
+---
+ src/auth/auth-request.c |  6 +++---
+ src/auth/auth.c         | 18 ++++++++++++++++++
+ src/auth/auth.h         |  5 +++++
+ src/auth/passdb.c       | 15 ++-------------
+ src/auth/passdb.h       |  4 ----
+ 5 files changed, 28 insertions(+), 20 deletions(-)
+
+diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
+index cd08b1fa02..0ca29f3674 100644
+--- a/src/auth/auth-request.c
++++ b/src/auth/auth-request.c
+@@ -534,8 +534,8 @@ auth_request_want_skip_passdb(struct auth_request *request,
+ 			      struct auth_passdb *passdb)
+ {
+ 	/* if mechanism is not supported, skip */
+-	const char *const *mechs = passdb->passdb->mechanisms;
+-	const char *const *username_filter = passdb->passdb->username_filter;
++	const char *const *mechs = passdb->mechanisms;
++	const char *const *username_filter = passdb->username_filter;
+ 	const char *username;
+ 
+ 	username = request->fields.user;
+@@ -548,7 +548,7 @@ auth_request_want_skip_passdb(struct auth_request *request,
+ 		return TRUE;
+ 	}
+ 
+-	if (passdb->passdb->username_filter != NULL &&
++	if (passdb->username_filter != NULL &&
+ 	    !auth_request_username_accepted(username_filter, username)) {
+ 		auth_request_log_debug(request,
+ 				       request->mech != NULL ? AUTH_SUBSYS_MECH
+diff --git a/src/auth/auth.c b/src/auth/auth.c
+index f2f3fda20c..9f6c4ba60c 100644
+--- a/src/auth/auth.c
++++ b/src/auth/auth.c
+@@ -99,6 +99,24 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *set,
+ 	auth_passdb->override_fields_tmpl =
+ 		passdb_template_build(auth->pool, set->override_fields);
+ 
++	if (*set->mechanisms == '\0') {
++		auth_passdb->mechanisms = NULL;
++	} else if (strcasecmp(set->mechanisms, "none") == 0) {
++		auth_passdb->mechanisms = (const char *const[]){ NULL };
++	} else {
++		auth_passdb->mechanisms =
++			(const char *const *)p_strsplit_spaces(auth->pool,
++				set->mechanisms, " ,");
++	}
++
++	if (*set->username_filter == '\0') {
++		auth_passdb->username_filter = NULL;
++	} else {
++		auth_passdb->username_filter =
++			(const char *const *)p_strsplit_spaces(auth->pool,
++				set->username_filter, " ,");
++	}
++
+ 	/* for backwards compatibility: */
+ 	if (set->pass)
+ 		auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
+diff --git a/src/auth/auth.h b/src/auth/auth.h
+index f700e29d5c..460a179765 100644
+--- a/src/auth/auth.h
++++ b/src/auth/auth.h
+@@ -41,6 +41,11 @@ struct auth_passdb {
+ 	struct passdb_template *default_fields_tmpl;
+ 	struct passdb_template *override_fields_tmpl;
+ 
++	/* Supported authentication mechanisms, NULL is all, {NULL} is none */
++	const char *const *mechanisms;
++	/* Username filter, NULL is no filter */
++	const char *const *username_filter;
++
+ 	enum auth_passdb_skip skip;
+ 	enum auth_db_rule result_success;
+ 	enum auth_db_rule result_failure;
+diff --git a/src/auth/passdb.c b/src/auth/passdb.c
+index eb4ac8ae82..f5eed1af4f 100644
+--- a/src/auth/passdb.c
++++ b/src/auth/passdb.c
+@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set)
+ 	passdb->id = ++auth_passdb_id;
+ 	passdb->iface = *iface;
+ 	passdb->args = p_strdup(pool, set->args);
+-	if (*set->mechanisms == '\0') {
+-		passdb->mechanisms = NULL;
+-	} else if (strcasecmp(set->mechanisms, "none") == 0) {
+-		passdb->mechanisms = (const char *const[]){NULL};
+-	} else {
+-		passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+-	}
+-
+-	if (*set->username_filter == '\0') {
+-		passdb->username_filter = NULL;
+-	} else {
+-		passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,");
+-	}
++	/* NOTE: if anything else than driver & args are added here,
++	   passdb_find() also needs to be updated. */
+ 	array_push_back(&passdb_modules, &passdb);
+ 	return passdb;
+ }
+diff --git a/src/auth/passdb.h b/src/auth/passdb.h
+index 2e95328e5c..e466a9fdb6 100644
+--- a/src/auth/passdb.h
++++ b/src/auth/passdb.h
+@@ -63,10 +63,6 @@ struct passdb_module {
+ 	/* Default password scheme for this module.
+ 	   If default_cache_key is set, must not be NULL. */
+ 	const char *default_pass_scheme;
+-	/* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+-	const char *const *mechanisms;
+-	/* Username filter, NULL is no filter */
+-	const char *const *username_filter;
+ 
+ 	/* If blocking is set to TRUE, use child processes to access
+ 	   this passdb. */

SOURCES/dovecot-2.3.6-opensslhmac.patch

@@ -1,6 +1,6 @@
-diff -up dovecot-2.3.8/src/auth/auth-token.c.opensslhmac dovecot-2.3.8/src/auth/auth-token.c
---- dovecot-2.3.8/src/auth/auth-token.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/auth/auth-token.c	2019-11-19 16:34:11.338037002 +0100
+diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c
+--- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/auth-token.c	2021-03-22 20:44:13.022912242 +0100
 @@ -161,17 +161,17 @@ void auth_token_deinit(void)
  const char *auth_token_get(const char *service, const char *session_pid,
  			   const char *username, const char *session_id)
@@ -26,9 +26,9 @@ diff -up dovecot-2.3.8/src/auth/auth-token.c.opensslhmac dovecot-2.3.8/src/auth/
  
  	return binary_to_hex(result, sizeof(result));
  }
-diff -up dovecot-2.3.8/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.8/src/auth/mech-cram-md5.c
---- dovecot-2.3.8/src/auth/mech-cram-md5.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/auth/mech-cram-md5.c	2019-11-19 16:34:11.338037002 +0100
+diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c
+--- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/mech-cram-md5.c	2021-03-22 20:44:13.022912242 +0100
 @@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
  {
  	
@@ -52,59 +52,57 @@ diff -up dovecot-2.3.8/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.8/src/au
  
  	response_hex = binary_to_hex(digest, sizeof(digest));
  
-diff -up dovecot-2.3.8/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.3.8/src/auth/mech-scram-sha1.c
---- dovecot-2.3.8/src/auth/mech-scram-sha1.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/auth/mech-scram-sha1.c	2019-11-19 16:34:11.338037002 +0100
-@@ -71,7 +71,7 @@ static const char *get_scram_server_firs
- 
+diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c
+--- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/mech-scram.c	2021-03-22 20:44:13.022912242 +0100
+@@ -78,7 +78,7 @@ static const char *get_scram_server_firs
  static const char *get_scram_server_final(struct scram_auth_request *request)
  {
+ 	const struct hash_method *hmethod = request->hash_method;
 -	struct hmac_context ctx;
 +	struct openssl_hmac_context ctx;
  	const char *auth_message;
- 	unsigned char server_signature[SHA1_RESULTLEN];
+ 	unsigned char server_signature[hmethod->digest_size];
  	string_t *str;
-@@ -80,10 +80,10 @@ static const char *get_scram_server_fina
+@@ -87,9 +87,9 @@ static const char *get_scram_server_fina
  			request->server_first_message, ",",
  			request->client_final_message_without_proof, NULL);
  
--	hmac_init(&ctx, request->server_key, sizeof(request->server_key),
-+	openssl_hmac_init(&ctx, request->server_key, sizeof(request->server_key),
- 		  &hash_method_sha1);
+-	hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
 -	hmac_update(&ctx, auth_message, strlen(auth_message));
 -	hmac_final(&ctx, server_signature);
++	openssl_hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
 +	openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
 +	openssl_hmac_final(&ctx, server_signature);
  
  	str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
  	str_append(str, "v=");
-@@ -221,7 +221,7 @@ static bool parse_scram_client_first(str
- 
+@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str
  static bool verify_credentials(struct scram_auth_request *request)
  {
+ 	const struct hash_method *hmethod = request->hash_method;
 -	struct hmac_context ctx;
 +	struct openssl_hmac_context ctx;
  	const char *auth_message;
- 	unsigned char client_key[SHA1_RESULTLEN];
- 	unsigned char client_signature[SHA1_RESULTLEN];
-@@ -232,10 +232,10 @@ static bool verify_credentials(struct sc
+ 	unsigned char client_key[hmethod->digest_size];
+ 	unsigned char client_signature[hmethod->digest_size];
+@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc
  			request->server_first_message, ",",
  			request->client_final_message_without_proof, NULL);
  
--	hmac_init(&ctx, request->stored_key, sizeof(request->stored_key),
-+	openssl_hmac_init(&ctx, request->stored_key, sizeof(request->stored_key),
- 		  &hash_method_sha1);
+-	hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
 -	hmac_update(&ctx, auth_message, strlen(auth_message));
 -	hmac_final(&ctx, client_signature);
++	openssl_hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
 +	openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
 +	openssl_hmac_final(&ctx, client_signature);
  
+ 	const unsigned char *proof_data = request->proof->data;
  	for (i = 0; i < sizeof(client_signature); i++)
- 		client_key[i] =
-diff -up dovecot-2.3.8/src/auth/password-scheme.c.opensslhmac dovecot-2.3.8/src/auth/password-scheme.c
---- dovecot-2.3.8/src/auth/password-scheme.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/auth/password-scheme.c	2019-11-19 16:34:11.339036998 +0100
-@@ -647,11 +647,11 @@ static void
+diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c
+--- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/password-scheme.c	2021-03-22 20:44:13.022912242 +0100
+@@ -639,11 +639,11 @@ static void
  cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
  		  const unsigned char **raw_password_r, size_t *size_r)
  {
@@ -118,104 +116,101 @@ diff -up dovecot-2.3.8/src/auth/password-scheme.c.opensslhmac dovecot-2.3.8/src/
  		  strlen(plaintext), &hash_method_md5);
  	hmac_md5_get_cram_context(&ctx, context_digest);
  
-diff -up dovecot-2.3.8/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.8/src/auth/password-scheme-scram.c
---- dovecot-2.3.8/src/auth/password-scheme-scram.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/auth/password-scheme-scram.c	2019-11-19 16:34:11.339036998 +0100
-@@ -27,23 +27,23 @@ static void Hi(const unsigned char *str,
- 	       const unsigned char *salt, size_t salt_size, unsigned int i,
- 	       unsigned char result[SHA1_RESULTLEN])
+diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c
+--- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/password-scheme-scram.c	2021-03-22 20:44:13.023912229 +0100
+@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co
+    const unsigned char *salt, size_t salt_size, unsigned int i,
+    unsigned char *result)
  {
 -	struct hmac_context ctx;
 +	struct openssl_hmac_context ctx;
- 	unsigned char U[SHA1_RESULTLEN];
+ 	unsigned char U[hmethod->digest_size];
  	unsigned int j, k;
  
  	/* Calculate U1 */
--	hmac_init(&ctx, str, str_size, &hash_method_sha1);
+-	hmac_init(&ctx, str, str_size, hmethod);
 -	hmac_update(&ctx, salt, salt_size);
 -	hmac_update(&ctx, "\0\0\0\1", 4);
 -	hmac_final(&ctx, U);
-+	openssl_hmac_init(&ctx, str, str_size, &hash_method_sha1);
++	openssl_hmac_init(&ctx, str, str_size, hmethod);
 +	openssl_hmac_update(&ctx, salt, salt_size);
 +	openssl_hmac_update(&ctx, "\0\0\0\1", 4);
 +	openssl_hmac_final(&ctx, U);
  
- 	memcpy(result, U, SHA1_RESULTLEN);
+ 	memcpy(result, U, hmethod->digest_size);
  
  	/* Calculate U2 to Ui and Hi */
  	for (j = 2; j <= i; j++) {
--		hmac_init(&ctx, str, str_size, &hash_method_sha1);
+-		hmac_init(&ctx, str, str_size, hmethod);
 -		hmac_update(&ctx, U, sizeof(U));
 -		hmac_final(&ctx, U);
-+		openssl_hmac_init(&ctx, str, str_size, &hash_method_sha1);
++		openssl_hmac_init(&ctx, str, str_size, hmethod);
 +		openssl_hmac_update(&ctx, U, sizeof(U));
 +		openssl_hmac_final(&ctx, U);
- 		for (k = 0; k < SHA1_RESULTLEN; k++)
+ 		for (k = 0; k < hmethod->digest_size; k++)
  			result[k] ^= U[k];
  	}
-@@ -94,7 +94,7 @@ int scram_sha1_verify(const char *plaint
- 		      const unsigned char *raw_password, size_t size,
- 		      const char **error_r)
+@@ -102,7 +102,7 @@ int scram_verify(const struct hash_metho
+ 		 const char *plaintext, const unsigned char *raw_password,
+ 		 size_t size, const char **error_r)
  {
 -	struct hmac_context ctx;
 +	struct openssl_hmac_context ctx;
  	const char *salt_base64;
  	unsigned int iter_count;
  	const unsigned char *salt;
-@@ -118,10 +118,10 @@ int scram_sha1_verify(const char *plaint
- 	   iter_count, salted_password);
+@@ -126,9 +126,9 @@ int scram_verify(const struct hash_metho
+ 	   salt, salt_len, iter_count, salted_password);
  
  	/* Calculate ClientKey */
--	hmac_init(&ctx, salted_password, sizeof(salted_password),
-+	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password),
- 		  &hash_method_sha1);
+-	hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
 -	hmac_update(&ctx, "Client Key", 10);
 -	hmac_final(&ctx, client_key);
++	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
 +	openssl_hmac_update(&ctx, "Client Key", 10);
 +	openssl_hmac_final(&ctx, client_key);
  
  	/* Calculate StoredKey */
- 	sha1_get_digest(client_key, sizeof(client_key), calculated_stored_key);
-@@ -139,7 +139,7 @@ void scram_sha1_generate(const char *pla
- 			 const unsigned char **raw_password_r, size_t *size_r)
+ 	hash_method_get_digest(hmethod, client_key, sizeof(client_key),
+@@ -147,7 +147,7 @@ void scram_generate(const struct hash_me
+ 		    const unsigned char **raw_password_r, size_t *size_r)
  {
  	string_t *str;
 -	struct hmac_context ctx;
 +	struct openssl_hmac_context ctx;
  	unsigned char salt[16];
- 	unsigned char salted_password[SHA1_RESULTLEN];
- 	unsigned char client_key[SHA1_RESULTLEN];
-@@ -157,10 +157,10 @@ void scram_sha1_generate(const char *pla
+ 	unsigned char salted_password[hmethod->digest_size];
+ 	unsigned char client_key[hmethod->digest_size];
+@@ -165,9 +165,9 @@ void scram_generate(const struct hash_me
  	   sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password);
  
  	/* Calculate ClientKey */
--	hmac_init(&ctx, salted_password, sizeof(salted_password),
-+	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password),
- 		  &hash_method_sha1);
+-	hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
 -	hmac_update(&ctx, "Client Key", 10);
 -	hmac_final(&ctx, client_key);
++	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
 +	openssl_hmac_update(&ctx, "Client Key", 10);
 +	openssl_hmac_final(&ctx, client_key);
  
  	/* Calculate StoredKey */
- 	sha1_get_digest(client_key, sizeof(client_key), stored_key);
-@@ -168,10 +168,10 @@ void scram_sha1_generate(const char *pla
+ 	hash_method_get_digest(hmethod, client_key, sizeof(client_key),
+@@ -176,9 +176,9 @@ void scram_generate(const struct hash_me
  	base64_encode(stored_key, sizeof(stored_key), str);
  
  	/* Calculate ServerKey */
--	hmac_init(&ctx, salted_password, sizeof(salted_password),
-+	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password),
- 		  &hash_method_sha1);
+-	hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
 -	hmac_update(&ctx, "Server Key", 10);
 -	hmac_final(&ctx, server_key);
++	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
 +	openssl_hmac_update(&ctx, "Server Key", 10);
 +	openssl_hmac_final(&ctx, server_key);
  	str_append_c(str, ',');
  	base64_encode(server_key, sizeof(server_key), str);
  
-diff -up dovecot-2.3.8/src/lib/hmac.c.opensslhmac dovecot-2.3.8/src/lib/hmac.c
---- dovecot-2.3.8/src/lib/hmac.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/lib/hmac.c	2019-11-19 17:25:28.045716181 +0100
+diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c
+--- dovecot-2.3.14/src/lib/hmac.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac.c	2021-03-22 20:44:13.023912229 +0100
 @@ -7,6 +7,10 @@
   * This software is released under the MIT license.
   */
@@ -292,11 +287,11 @@ diff -up dovecot-2.3.8/src/lib/hmac.c.opensslhmac dovecot-2.3.8/src/lib/hmac.c
 +    }
 +    i_assert(no_fips);
 +	struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
- 	int i;
- 	unsigned char k_ipad[64];
- 	unsigned char k_opad[64];
+ 	unsigned int i;
+ 	unsigned char k_ipad[meth->block_size];
+ 	unsigned char k_opad[meth->block_size];
 @@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx
- 	safe_memset(k_opad, 0, 64);
+ 	safe_memset(k_opad, 0, meth->block_size);
  }
  
 -void hmac_final(struct hmac_context *_ctx, unsigned char *digest)
@@ -453,9 +448,9 @@ diff -up dovecot-2.3.8/src/lib/hmac.c.opensslhmac dovecot-2.3.8/src/lib/hmac.c
 -	safe_memset(prk, 0, sizeof(prk));
 -	safe_memset(okm, 0, sizeof(okm));
  }
-diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.8/src/lib/hmac-cram-md5.c
---- dovecot-2.3.8/src/lib/hmac-cram-md5.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/lib/hmac-cram-md5.c	2019-11-19 16:34:11.339036998 +0100
+diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c
+--- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac-cram-md5.c	2021-03-22 20:44:13.023912229 +0100
 @@ -9,10 +9,10 @@
  #include "md5.h"
  #include "hmac-cram-md5.h"
@@ -482,9 +477,9 @@ diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.8/src/lib
  	const unsigned char *cdp;
  
  	struct md5_context *ctx = (void*)hmac_ctx->ctx;
-diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.8/src/lib/hmac-cram-md5.h
---- dovecot-2.3.8/src/lib/hmac-cram-md5.h.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/lib/hmac-cram-md5.h	2019-11-19 16:34:11.339036998 +0100
+diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h
+--- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac-cram-md5.h	2021-03-22 20:44:13.023912229 +0100
 @@ -5,9 +5,9 @@
  
  #define CRAM_MD5_CONTEXTLEN 32
@@ -497,19 +492,19 @@ diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.8/src/lib
  		const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
  
  
-diff -up dovecot-2.3.8/src/lib/hmac.h.opensslhmac dovecot-2.3.8/src/lib/hmac.h
---- dovecot-2.3.8/src/lib/hmac.h.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/lib/hmac.h	2019-11-19 16:34:11.339036998 +0100
-@@ -3,60 +3,97 @@
- 
+diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h
+--- dovecot-2.3.14/src/lib/hmac.h.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac.h	2021-03-22 20:44:13.023912229 +0100
+@@ -4,60 +4,97 @@
  #include "hash-method.h"
  #include "sha1.h"
+ #include "sha2.h"
 +#include <openssl/objects.h>
 +#include <openssl/hmac.h>
 +#include <openssl/kdf.h>
 +#include <openssl/err.h>
  
- #define HMAC_MAX_CONTEXT_SIZE 256
+ #define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx)
  
 -struct hmac_context_priv {
 +struct openssl_hmac_context_priv {
@@ -611,9 +606,9 @@ diff -up dovecot-2.3.8/src/lib/hmac.h.opensslhmac dovecot-2.3.8/src/lib/hmac.h
  		  okm_buffer, okm_len);
  	return okm_buffer;
  }
-diff -up dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c
---- dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c	2019-11-19 16:34:11.339036998 +0100
+diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c
+--- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c	2021-03-22 20:44:13.023912229 +0100
 @@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha
  			       const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
  			       size_t *token_len_r)
@@ -634,10 +629,10 @@ diff -up dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2
  
  	*token_len_r = SHA1_RESULTLEN + 1;
  	return token;
-diff -up dovecot-2.3.8/src/lib/Makefile.am.opensslhmac dovecot-2.3.8/src/lib/Makefile.am
---- dovecot-2.3.8/src/lib/Makefile.am.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/lib/Makefile.am	2019-11-19 16:34:11.340036994 +0100
-@@ -323,6 +323,9 @@ headers = \
+diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am
+--- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/Makefile.am	2021-03-22 20:44:13.023912229 +0100
+@@ -352,6 +352,9 @@ headers = \
  	wildcard-match.h \
  	write-full.h
  
@@ -647,69 +642,63 @@ diff -up dovecot-2.3.8/src/lib/Makefile.am.opensslhmac dovecot-2.3.8/src/lib/Mak
  test_programs = test-lib
  noinst_PROGRAMS = $(test_programs)
  
-diff -up dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c
---- dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c	2019-11-19 16:34:11.340036994 +0100
-@@ -61,12 +61,12 @@ void ntlm_v1_hash(const char *passwd, un
- }
+diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c
+--- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c	2021-03-22 20:44:13.024912217 +0100
+@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2
+ 	if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0)
+ 		return -1;
  
- static void
--hmac_md5_ucs2le_string_ucase(struct hmac_context *ctx, const char *str)
--{
--	size_t len;
--	unsigned char *wstr = t_unicode_str(str, TRUE, &len);
--
--	hmac_update(ctx, wstr, len);
-+hmac_md5_ucs2le_string_ucase(struct openssl_hmac_context *ctx, const char *str)
-+ {
-+ 	size_t len;
-+ 	unsigned char *wstr = t_unicode_str(str, TRUE, &len);
-+ 
-+	openssl_hmac_update(ctx, wstr, len);
- }
- 
- static void ATTR_NULL(2)
-@@ -74,13 +74,13 @@ ntlm_v2_hash(const char *user, const cha
- 	     const unsigned char *hash_v1,
- 	     unsigned char hash[NTLMSSP_V2_HASH_SIZE])
- {
 -	struct hmac_context ctx;
+-	hmac_init(&ctx, key->data, key->used, method);
+-	hmac_update(&ctx, blobs[0], strlen(blobs[0]));
+-	hmac_update(&ctx, ".", 1);
+-	hmac_update(&ctx, blobs[1], strlen(blobs[1]));
 +	struct openssl_hmac_context ctx;
++	openssl_hmac_init(&ctx, key->data, key->used, method);
++	openssl_hmac_update(&ctx, blobs[0], strlen(blobs[0]));
++	openssl_hmac_update(&ctx, ".", 1);
++	openssl_hmac_update(&ctx, blobs[1], strlen(blobs[1]));
+ 	unsigned char digest[method->digest_size];
  
--	hmac_init(&ctx, hash_v1, NTLMSSP_HASH_SIZE, &hash_method_md5);
-+	openssl_hmac_init(&ctx, hash_v1, NTLMSSP_HASH_SIZE, &hash_method_md5);
- 	hmac_md5_ucs2le_string_ucase(&ctx, user);
- 	if (target != NULL)
- 		hmac_md5_ucs2le_string_ucase(&ctx, target);
--	hmac_final(&ctx, hash);
-+	openssl_hmac_final(&ctx, hash);
- }
+-	hmac_final(&ctx, digest);
++	openssl_hmac_final(&ctx, digest);
  
- void
-@@ -125,15 +125,15 @@ ntlmssp_v2_response(const char *user, co
- 		    const unsigned char *blob, size_t blob_size,
- 		    unsigned char response[NTLMSSP_V2_RESPONSE_SIZE])
+ 	buffer_t *their_digest =
+ 		t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
+diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c
+--- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c	2021-03-22 20:46:09.524440794 +0100
+@@ -236,7 +236,7 @@ static void save_key_to(const char *algo
+ static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key)
  {
--	struct hmac_context ctx;
-+	struct openssl_hmac_context ctx;
- 	unsigned char hash[NTLMSSP_V2_HASH_SIZE];
- 
- 	ntlm_v2_hash(user, target, hash_v1, hash);
- 
--	hmac_init(&ctx, hash, NTLMSSP_V2_HASH_SIZE, &hash_method_md5);
--	hmac_update(&ctx, challenge, NTLMSSP_CHALLENGE_SIZE);
--	hmac_update(&ctx, blob, blob_size);
--	hmac_final(&ctx, response);
-+	openssl_hmac_init(&ctx, hash, NTLMSSP_V2_HASH_SIZE, &hash_method_md5);
-+	openssl_hmac_update(&ctx, challenge, NTLMSSP_CHALLENGE_SIZE);
-+	openssl_hmac_update(&ctx, blob, blob_size);
-+	openssl_hmac_final(&ctx, response);
- 
- 	safe_memset(hash, 0, sizeof(hash));
- }
-diff -up dovecot-2.3.8/src/lib/pkcs5.c.opensslhmac dovecot-2.3.8/src/lib/pkcs5.c
---- dovecot-2.3.8/src/lib/pkcs5.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/lib/pkcs5.c	2019-11-19 16:34:11.340036994 +0100
+ 	i_assert(key != NULL);
+-	buffer_t *sig = t_hmac_buffer(&hash_method_sha256, key->data, key->used,
++	buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha256, key->data, key->used,
+ 				      tokenbuf);
+ 	buffer_append(tokenbuf, ".", 1);
+ 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_
+ static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key)
+ {
+ 	i_assert(key != NULL);
+-	buffer_t *sig = t_hmac_buffer(&hash_method_sha384, key->data, key->used,
++	buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha384, key->data, key->used,
+ 				      tokenbuf);
+ 	buffer_append(tokenbuf, ".", 1);
+ 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_
+ static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key)
+ {
+ 	i_assert(key != NULL);
+-	buffer_t *sig = t_hmac_buffer(&hash_method_sha512, key->data, key->used,
++	buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha512, key->data, key->used,
+ 				      tokenbuf);
+ 	buffer_append(tokenbuf, ".", 1);
+ 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c
+--- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/pkcs5.c	2021-03-22 20:44:13.024912217 +0100
 @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
  	size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
  	unsigned char dk[l * hash->digest_size];
@@ -744,10 +733,10 @@ diff -up dovecot-2.3.8/src/lib/pkcs5.c.opensslhmac dovecot-2.3.8/src/lib/pkcs5.c
  			for(i = 0; i < hash->digest_size; i++)
  				block[i] ^= U_c[i];
  		}
-diff -up dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac dovecot-2.3.8/src/lib/test-hmac.c
---- dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac	2019-10-08 10:46:18.000000000 +0200
-+++ dovecot-2.3.8/src/lib/test-hmac.c	2019-11-19 16:34:11.340036994 +0100
-@@ -112,11 +112,11 @@ static void test_hmac_rfc(void)
+diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c
+--- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/test-hmac.c	2021-03-22 20:44:13.024912217 +0100
+@@ -206,11 +206,11 @@ static void test_hmac_rfc(void)
  	test_begin("hmac sha256 rfc4231 vectors");
  	for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
  		const struct test_vector *vec = &(test_vectors[i]);
@@ -763,7 +752,39 @@ diff -up dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac dovecot-2.3.8/src/lib/tes
  		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
  	}
  	test_end();
-@@ -129,7 +129,7 @@ static void test_hmac_buffer(void)
+@@ -221,11 +221,11 @@ static void test_hmac384_rfc(void)
+ 	test_begin("hmac sha384 rfc4231 vectors");
+ 	for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac384); i++) {
+ 		const struct test_vector *vec = &(test_vectors_hmac384[i]);
+-		struct hmac_context ctx;
+-		hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+-		hmac_update(&ctx, vec->data, vec->data_len);
++		struct openssl_hmac_context ctx;
++		openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++		openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ 		unsigned char res[SHA384_RESULTLEN];
+-		hmac_final(&ctx, res);
++		openssl_hmac_final(&ctx, res);
+ 		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ 	}
+ 	test_end();
+@@ -236,11 +236,11 @@ static void test_hmac512_rfc(void)
+ 	test_begin("hmac sha512 rfc4231 vectors");
+ 	for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac512); i++) {
+ 		const struct test_vector *vec = &(test_vectors_hmac512[i]);
+-		struct hmac_context ctx;
+-		hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+-		hmac_update(&ctx, vec->data, vec->data_len);
++		struct openssl_hmac_context ctx;
++		openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++		openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ 		unsigned char res[SHA512_RESULTLEN];
+-		hmac_final(&ctx, res);
++		openssl_hmac_final(&ctx, res);
+ 		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ 	}
+ 	test_end();
+@@ -253,7 +253,7 @@ static void test_hmac_buffer(void)
  
  	buffer_t *tmp;
  
@@ -772,7 +793,7 @@ diff -up dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac dovecot-2.3.8/src/lib/tes
  			  vec->data, vec->data_len);
  
  	test_assert(tmp->used == vec->res_len &&
-@@ -146,7 +146,7 @@ static void test_hkdf_rfc(void)
+@@ -270,7 +270,7 @@ static void test_hkdf_rfc(void)
  		buffer_set_used_size(res, 0);
  		const struct test_vector_5869 *vec = &(test_vectors_5869[i]);
  		const struct hash_method *m = hash_method_lookup(vec->prf);
@@ -781,7 +802,7 @@ diff -up dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac dovecot-2.3.8/src/lib/tes
  			  vec->info, vec->info_len, res, vec->okm_len);
  		test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i);
  	}
-@@ -159,7 +159,7 @@ static void test_hkdf_buffer(void)
+@@ -283,7 +283,7 @@ static void test_hkdf_buffer(void)
  	test_begin("hkdf temporary buffer");
  	const struct test_vector_5869 *vec = &(test_vectors_5869[0]);
  	const struct hash_method *m = hash_method_lookup(vec->prf);

SOURCES/dovecot.tmpfilesd

@@ -1,2 +1,2 @@
-d /var/run/dovecot 0755 root dovecot -
+d /run/dovecot 0755 root dovecot -
 

SPECS/dovecot.spec

@@ -3,9 +3,9 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.8
+Version: 2.3.16
 %global prever %{nil}
-Release: 1%{?dist}
+Release: 5%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 Group: System Environment/Daemons
@@ -14,7 +14,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.8
+%global pigeonholever 0.5.16
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -32,7 +32,6 @@ Patch6: dovecot-2.1.10-waitonline.patch
 
 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
-Patch10: dovecot-2.3.0.1-libxcrypt.patch
 
 # sent upstream, rhbz#1630380
 Patch11: dovecot-2.2.36-aclfix.patch
@@ -44,6 +43,21 @@ Patch13: dovecot-2.2.36-bigkey.patch
 # hard to break circular dependency between lib and lib-dcrypt
 Patch14: dovecot-2.3.6-opensslhmac.patch
 
+# from upstream, for dovecot < 2.3.17, s390x FTBFS fix
+Patch15: dovecot-2.3.16-ftbfsbigend.patch
+Patch16: dovecot-2.3.16-keeplzma.patch
+
+# from upstream, for <= 2.3.19.1, rhbz#2106232
+Patch17: dovecot-2.3.19.1-7bad6a24.patch
+
+# from upstream, for < 2.3.19.1, rhbz#2128857
+Patch18: dovecot-2.3.18-9f300239..4596d399.patch
+Patch19: dovecot-2.3.18-bdf447e4.patch
+
+# from upstream, for < 2.3.21, RHEL-22854
+Patch20: dovecot-2.3.16-d7705bc6.patch
+
+
 Source15: prestartscript
 
 BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
@@ -58,6 +72,7 @@ BuildRequires: krb5-devel
 BuildRequires: quota-devel
 BuildRequires: xz-devel
 BuildRequires: lz4-devel
+BuildRequires: multilib-rpm-config
 #BuildRequires: libsodium-devel
 #BuildRequires: libexttextcat-devel
 #BuildRequires: libstemmer-devel
@@ -138,17 +153,22 @@ This package provides the development files for dovecot.
 
 %prep
 %setup -q -n %{name}-%{version}%{?prever} -a 8
-%patch1 -p1 -b .default-settings
-%patch2 -p1 -b .mkcert-permissions
-%patch3 -p1 -b .mkcert-paths
-%patch6 -p1 -b .waitonline
-%patch8 -p1 -b .initbysystemd
-%patch9 -p1 -b .systemd_w_protectsystem
-#%patch10 -p1 -b .libxcrypt
-%patch11 -p1 -b .aclfix
-%patch13 -p1 -b .bigkey
-%patch14 -p1 -b .opensslhmac
+%patch -P 1 -p1 -b .default-settings
+%patch -P 2 -p1 -b .mkcert-permissions
+%patch -P 3 -p1 -b .mkcert-paths
+%patch -P 6 -p1 -b .waitonline
+%patch -P 8 -p1 -b .initbysystemd
+%patch -P 9 -p1 -b .systemd_w_protectsystem
+%patch -P 11 -p1 -b .aclfix
+%patch -P 13 -p1 -b .bigkey
+%patch -P 14 -p1 -b .opensslhmac
+%patch -P 15 -p1 -b .ftbfsbigend
+%patch -P 16 -p1 -b .keeplzma
+%patch -P 17 -p1 -b .7bad6a24
+%patch -P 19 -p1 -b .bdf447e4
+%patch -P 20 -p1 -b .d7705bc6
 pushd dovecot-2*3-pigeonhole-%{pigeonholever}
+%patch -P 18 -p1 -b .9f300239..4596d399
 
 popd
 
@@ -166,6 +186,8 @@ autoreconf -I . -fiv #required for aarch64 support
 %endif
 %configure                       \
     INSTALL_DATA="install -c -p -m644" \
+    --with-rundir=%{_rundir}/%{name}   \
+    --with-systemd               \
     --docdir=%{_docdir}/%{name}  \
     --disable-static             \
     --disable-rpath              \
@@ -212,9 +234,11 @@ rm -rf $RPM_BUILD_ROOT
 
 make install DESTDIR=$RPM_BUILD_ROOT
 
-#move doc dir back to build dir so doc macro in files section can use it
+# move doc dir back to build dir so doc macro in files section can use it
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
 
+# fix multilib issues
+%multilib_fix_c_header --file %{_includedir}/dovecot/config.h
 
 pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 make install DESTDIR=$RPM_BUILD_ROOT
@@ -224,7 +248,6 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonh
 install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
 popd
 
-
 %if %{?fedora}00%{?rhel} < 6
 sed -i 's|password-auth|system-auth|' %{SOURCE2}
 %endif
@@ -312,7 +335,7 @@ fi
 install -d -m 0755 -g dovecot -d /var/run/dovecot
 install -d -m 0755 -d /var/run/dovecot/empty
 install -d -m 0750 -g dovenull -d /var/run/dovecot/login
-install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login
+install -d -m 0750 -g dovenull -d /var/run/dovecot/token-login
 [ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot ||:
 
 %preun
@@ -365,6 +388,7 @@ make check
 %{_bindir}/doveadm
 %{_bindir}/doveconf
 %{_bindir}/dsync
+%{_bindir}/dovecot-sysreport
 
 
 %if %{?fedora}0 > 140 || %{?rhel}0 > 60
@@ -386,6 +410,7 @@ make check
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-logging.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-mail.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-master.conf
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-metrics.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-ssl.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-lda.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-mailboxes.conf
@@ -405,8 +430,6 @@ make check
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-sql.conf.ext
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-static.conf.ext
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext
-%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-vpopmail.conf.ext
-
 %config(noreplace) %{_sysconfdir}/pam.d/dovecot
 %config(noreplace) %{ssldir}/dovecot-openssl.cnf
 
@@ -447,9 +470,11 @@ make check
 %{_libexecdir}/%{name}
 %exclude %{_libexecdir}/%{name}/managesieve*
 
-%attr(0755,root,dovecot) %ghost /var/run/dovecot
+%dir %attr(0755,root,dovecot) %ghost /var/run/dovecot
 %attr(0750,root,dovenull) %ghost /var/run/dovecot/login
+%attr(0750,root,dovenull) %ghost /var/run/dovecot/token-login
 %attr(0755,root,root) %ghost /var/run/dovecot/empty
+
 %attr(0750,dovecot,dovecot) /var/lib/dovecot
 
 %{_datadir}/%{name}
@@ -506,6 +531,53 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5
+- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-22854)
+
+* Fri Aug 04 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
+- fix leaking mailboxes if virtual mailbox can't be opened (#2128857)
+
+* Tue Jul 19 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
+- fix possible privilege escalation when similar master and non-master passdbs are used (#2106231)
+
+* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2
+- do not disable xz/lzma for now despite being deprecated
+
+* Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
+- dovecot updated to 2.3.16, pigeonhole to 0.5.16
+- fix CVE-2021-33515 plaintext commands injection (#1980014)
+
+* Wed Feb 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-9
+- fix CVE-2020-24386 IMAP hibernation function allows mail access (#1913534)
+
+* Tue Jan 12 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-8
+- fix CVE-2020-25275 denial of service via mail MIME parsing (#1914019)
+
+* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-7
+- change run directory from /var/run to /run (#1805947)
+
+* Wed Dec 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-6
+- fix mail storage block count parsing (#1894418)
+- MIME parser crashed when boundaries were wrong (#1888111)
+
+* Mon Nov 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-5
+- multilib compatibility (#1853137)
+
+* Fri Aug 07 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-4
+- fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1866756)
+- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1866761)
+- fix CVE-2020-12674 crash due to assert in RPA implementation (#1866768)
+
+* Mon Jun 01 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-3
+- fix CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS (#1840354)
+- fix CVE-2020-10958 dovecot: command followed by sufficient number of newlines
+  leads to use-after-free (#1840357)
+- fix CVE-2020-10967 dovecot: sending mail with empty quoted localpart
+  leads to DoS (#1840356)
+
+* Thu Jan 09 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-2
+- fix default attributes for ghost files
+
 * Tue Nov 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
 - dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117)