Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
4670 lines (4118 sloc) 226 KB
v2.3.9.2 2019-12-13 Aki Tuomi <>
- Mails with empty From/To headers can also cause crash
in push notification drivers.
v2.3.9.1 2019-12-13 Aki Tuomi <>
* CVE-2019-19722: Mails with group addresses in From or To fields
caused crash in push notification drivers.
v2.3.9 2019-12-04 Aki Tuomi <>
* Changed several event field names for consistency and to avoid
conflicts in parent-child event relationships:
* SMTP server command events: Renamed "name" to "cmd_name"
* Events inheriting from a mailbox: Renamed "name" to "mailbox"
* Server connection events have only "remote_ip", "remote_port",
"local_ip" and "local_port".
* Removed duplicate "client_ip", "ip" and "port".
* Mail storage events: Removed "service" field.
Use "service:<name>" category instead.
* HTTP client connection events: Renamed "host" to "dest_host" and
"port" to "dest_port"
* auth: Drop Postfix socketmap support. It hasn't been working
with recent Postfix versions for a while now.
* push-notification-lua: The "subject" field is now decoded to UTF8
instead of kept as MIME-encoded.
+ push-notification-lua: Added new "from_address", "from_display_name",
"to_address" and "to_display_name" fields. The display names are
decoded to UTF8.
+ Added various new fields to existing events.
+ Add lmtp_add_received_header setting. It can be used to prevent LMTP
from adding "Received:" headers.
+ doveadm: Support SSL/STARTTLS for proxied doveadm connections based on
doveadm_ssl setting and proxy ssl/tls settings.
+ Log filters support now "service:<name>", which matches all events for
the given service. It can also be used as a category.
+ lib: Use libunwind to get abort backtraces with function names
where available.
+ lmtp: When the LMTP proxy changes the username (from passdb lookup)
add an appropriate ORCPT parameter.
- lmtp: Add lmtp_client_workarounds setting to implement workarounds for
clients that send MAIL and RCPT commands with additional spaces before
the path and for clients that omit <> brackets around the path.
See example-config/conf.d/20-lmtp.conf.
- lda/lmtp: Invalid MAIL FROM addresses were rejcted too aggressively.
Now mails from addresses with unicode characters are delivered, but
their Return-Path header will be <> instead of the given MAIL FROM
- lmtp: The lmtp_hdr_delivery_address setting is ignored.
- imap: imap_command_finished event's "args" and "human_args" parameters
were always empty.
- mbox: Seeking in zlib and bzip2 compressed input streams didn't work
- imap-hibernate: Process crashed when client got destroyed while it was
attempted to be unhibernated, and the unhibernation fails.
- *-login: Proxying may have crashed if SSL handshake to the backend
failed immediately. This was unlikely to happen in normal operation.
- *-login: If TLS handshake to upstream server failed during proxying,
login process could crash due to invalid memory access.
- *-login: v2.3 regression: Using SASL authentication without initial
response may have caused SSL connections to hang. This happened often
at least with PHP's IMAP library.
- *-login: When login processes are flooded with authentication attempts
it starts logging errors about "Authentication server sent unknown id".
This is still expected. However, it also caused the login process to
disconnect from auth server and potentially log some user's password
in the error message.
- dict-sql: SQL prepared statements were not shared between sessions.
This resulted in creating a lot of prepared statements, which was
especially inefficient when using Cassandra backend with a lot of
Cassandra nodes.
- auth: auth_request_finished event didn't have success=yes parameter
set for successful authentications.
- auth: userdb dict - Trying to list users crashed.
- submission: Service could be configured to allow anonymous
authentication mechanism and anonymous user access.
- LAYOUT=index: Corrupted dovecot.list.index caused folder creation to
- doveadm: HTTP server crashes if request target starts with double "/".
- dsync: Remote dsync started hanging if the initial doveadm
"dsync-server" command was sent in the same TCP packet as the
following dsync handshake. v2.3.8 regression.
- lib: Several "input streams" had a bug that in some rare situations
might cause it to access freed memory. This could lead to crashes or
The only currently known effect of this is that using zlib plugin with
external mail attachments (mail_attachment_dir) could cause fetching
the mail to return a few bytes of garbage data at the beginning of the
header. Note that the mail wasn't saved corrupted, but fetching it
caused corrupted mail to be sent to the client.
- lib-storage: If a mail only has quoted content, use the quoted text
for generating message snippet (IMAP PREVIEW) instead of returning
empty snippet.
- lib-storage: When vsize header was rebuilt, newly calculated message
sizes were added to dovecot.index.cache instead of being directly
saved into vsize records in dovecot.index.
- lib: JSON generator was escaping UTF-8 characters unnecessarily.
v2.3.8 2019-10-08 Aki Tuomi <>
+ Added mail_delivery_started and mail_delivery_finished events, see for details.
+ dsync-replication: Don't replicate users who have "noreplicate" extra
field in userdb.
+ doveadm service status: Show total number of processes created.
+ When logging to syslog, use instance_name setting's value for the
ident. This commonly is added as a log prefix.
+ Base64 encoding/decoding code was rewritten with additional features.
It shouldn't cause any user visible changes.
- v2.3.7 regression: If a folder only receives new mails without any
other mail access, dovecot.index.log keeps growing forever and
dovecot.index keeps being rewritten for every mail delivery.
- dsync-replication may lose keywords after syncing mails restored from
another replica. This only happened if the mail only had keywords and
no system flags.
- event filters: Non-textual event fields could not be filtered using
- auth: Scope parameter was missing from OAuth password grant
- doveadm client-server communication may hang in some situations.
It is also using unnecessarily small TCP/IP packet sizes.
- doveadm who and kick did not flush protocol output correctly.
- imap: SETMETADATA with literal value would delete the metadata value
instead of updating it.
- imap: When client issues FETCH PREVIEW (LAZY=FUZZY) command, the
caching decisions should be updated so that newly saved mails will
have the preview cached.
- With mail_nfs_index=yes and/or mail_nfs_storage=yes setuid/setgid
permission bits in some files may have become dropped with some NFS
servers. Changed NFS flushing to now use chmod() instead of chown().
- quota: warnings did not work if quota root was noenforcing
- acl: Global ACL file ignored the last line if it didn't end with LF.
- doveadm stats dump: With JSON formatter output numbers using the
number type instead of as strings
- lmtp_proxy: Ensure that real_* variables are correctly set when using
- event exporter: http-post driver had hardcoded timeout and did not
support DNS lookups or TLS connections.
- auth: Fix user iteration to work with userdb passwd with glibc v2.28.
- auth: auth service can crash if auth-policy JSON response is invalid
or returned too fast.
- In some rare situations "ps" output could have shown a lot of "?"
characters after Dovecot process titles.
- When dovecot.index.pvt is empty, an unnecessary error is logged:
Error: .../dovecot.index.pvt reset, view is now inconsistent
- SMTP address encoder duplicated initial double quote character when
the localpart of an address ended in '..'. For example
"" became ""user+.." in a
sieve redirect.
v2.3.7.1 2019-07-23 Timo Sirainen <>
- Fix TCP_NODELAY errors being logged on non-Linux OSes
- lmtp proxy: Fix assert-crash when client uses BODY=8BITMIME
- Remove wrongly added checks in namespace prefix checking
v2.3.7 2019-07-12 Aki Tuomi <>
* fts-solr: Removed break-imap-search parameter
+ Added more events for the new statistics, see
+ mail-lua: Add IMAP metadata accessors, see
+ Add event exporters that allow exporting raw events to log files and
external systems, see
+ SNIPPET is now PREVIEW and size has been increased to 200 characters.
+ Add body option to fts_enforced. This triggers building FTS index only
on body search, and an error using FTS index fails the search rather
than reads through all the mails.
- Submission/LMTP: Fixed crash when domain argument is invalid in a
second EHLO/LHLO command.
- Copying/moving mails using Maildir format loses IMAP keywords in the
destination if the mail also has no system flags.
- mail_attachment_detection_options=add-flags-on-save caused email body
to be unnecessarily opened when FETCHing mail headers that were
already cached.
- mail attachment detection keywords not saved with maildir.
- dovecot.index.cache may have grown excessively large in some
situations. This happened especially when using autoexpunging with
lazy_expunge folders. Also with mdbox format in general the cache file
wasn't recreated as often as it should have.
- Autoexpunged mails weren't immediately deleted from the disk. Instead,
the deletion from disk happened the next time the folder was opened.
This could have caused unnecessary delays if the opening was done by
an interactive IMAP session.
- Dovecot's TCP connections sometimes add extra 40ms latency due to not
enabling TCP_NODELAY. HTTP and SMTP/LMTP connections weren't
affected, but everything else was. This delay wasn't always visible -
only in some situations with some message/packet sizes.
- imapc: Fix various crash conditions
- Dovecot builds were not always reproducible.
- login-proxy: With shutdown_clients=no after config reload the
existing connections could no longer be listed or kicked with doveadm.
- "doveadm proxy kick" with -f parameter caused a crash in some
- Auth policy can cause segmentation fault crash during auth process
shutdown if all auth requests have not been finished.
- Fix various minor bugs leading into incorrect behaviour in mailbox
list index handling. These rarely caused noticeable problems.
- LDAP auth: Iteration accesses freed memory, possibly crashing
- local_name { .. } filter in dovecot.conf does not correctly support
multiple names and wildcards were matched incorrectly.
- replicator: dsync assert-crashes if it can't connect to remote TCP
- config: Memory leak in config process when ssl_dh setting wasn't
set and there was no ssl-parameters.dat file.
This caused config process to die once in a while
with "out of memory".
v2.3.6 2019-04-30 Aki Tuomi <>
* CVE-2019-11494: Submission-login crashed with signal 11 due to null
pointer access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was
started over TLS secured channel and invalid authentication message
was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a
hang when XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent
as two replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF
consistently when CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without
setting ssl_client_ca_* settings.
- pop3c: SSL support was broken.
- mysql: Closing connection twice lead to crash on some systems.
- auth: Multiple oauth2 passdbs crashed auth process on deinit.
- HTTP client connection errors infrequently triggered a segmentation
fault when the connection was idle and not used for a particular
client instance.
v2.3.5.2 2019-04-18 Timo Sirainen <>
* CVE-2019-10691: Trying to login with 8bit username containing
invalid UTF8 input causes auth process to crash if auth policy is
enabled. This could be used rather easily to cause a DoS. Similar
crash also happens during mail delivery when using invalid UTF8 in
From or Subject header when OX push notification driver is used.
v2.3.5.1 2019-03-28 Timo Sirainen <>
* CVE-2019-7524: Missing input buffer size validation leads into
arbitrary buffer overflow when reading fts or pop3 uidl header
from Dovecot index. Exploiting this requires direct write access to
the index files.
v2.3.5 2019-03-05 Timo Sirainen <>
+ Lua push notification driver: mail keywords and flags are provided
in MessageNew and MessageAppend events.
+ submission: Implement support for plugins.
+ auth: When auth_policy_log_only=yes, only log what the policy server
response would do without actually doing it.
+ auth: Always log policy server decisions with auth_verbose=yes
- v2.3.[34]: doveadm log errors: Output was missing user/session
- lda: Debug log lines could have shown slightly corrupted
- login proxy: Login processes may have crashed in various ways when
login_proxy_max_disconnect_delay was set.
- imap: Fix crash with Maildir+zlib if client disconnects during APPEND
- lmtp proxy: Fix potential assert-crash
- lmtp/submission: Fix crash when SMTP client transaction times out
- submission: Split large XCLIENT commands to 512 bytes per command,
so Postfix accepts them.
- submission: Fix crash when client sends invalid BURL command
- submission: relay backend: VRFY command: Avoid forwarding 500 and
502 replies back to client.
- lib-http: Fix potential assert-crash when DNS lookup fails
- lib-fts: Fix search query generation when one language ignores a
token (e.g. via stopwords).
v2.3.4 2018-11-23 Timo Sirainen <>
* The default postmaster_address is now "postmaster@<user domain or
server hostname>". If username contains the @domain part, that's
used. If not, then the server's hostname is used.
* "doveadm stats dump" now returns two decimals for the "avg" field.
+ Added push notification driver that uses a Lua script
+ Added new SQL, DNS and connection events.
+ Added "doveadm mailbox cache purge" command.
+ Added events API support for Lua scripts
+ doveadm force-resync -f parameter performs "index fsck" while opening
the index. This may be useful to fix some types of broken index files.
This may become the default behavior in a later version.
- director: Kicking a user crashes if login process is very slow
- pop3_no_flag_updates=no: Don't expunge DELEted and RETRed messages
unless QUIT is sent.
- auth: Fix crypt() segfault with glibc-2.28+
- imap: Running UID FILTER script with errors assert-crashes
- dsync, pop3-migration: POP3 UIDLs weren't added to
dovecot.index.cache while mails were saved.
- dict clients may have been using 100% CPU while waiting for dict
server to finish commands.
- doveadm user: Fixed user listing via HTTP API
- All levels of Cassandra log messages were logged as Dovecot errors.
- http/smtp client may have crashed after SSL handshake
- Lua auth converted strings that looked like numbers into numbers.
v2.3.3 2018-10-01 Timo Sirainen <>
* doveconf hides more secrets now in the default output.
* ssl_dh setting is no longer enforced at startup. If it's not set and
non-ECC DH key exchange happens, error is logged and client is
+ Added log_debug=<filter> setting.
+ Added log_core_filter=<log filter> setting.
+ quota-clone: Write to dict asynchronously
+ --enable-hardening attempts to use retpoline Spectre 2 mitigations
+ lmtp proxy: Support source_ip passdb extra field.
+ doveadm stats dump: Support more fields and output stddev by default.
+ push-notification: Add SSL support for OX backend.
- NUL bytes in mail headers can cause truncated replies when fetched.
- director: Conflicting host up/down state changes may in some rare
situations ended up in a loop of two directors constantly overwriting
each others' changes.
- director: Fix hang/crash when multiple doveadm commands are being
handled concurrently.
- director: Fix assert-crash if doveadm disconnects too early
- virtual plugin: Some searches used 100% CPU for many seconds
- dsync assert-crashed with acl plugin in some situations.
- mail_attachment_detection_options=add-flags-on-save assert-crashed
with some specific Sieve scripts.
- Mail snippet generation crashed with mails containing invalid
Content-Type:multipart header.
- Log prefix ordering was different for some log lines.
- quota: With noenforcing option current quota usage wasn't updated.
- auth: Kerberos authentication against Samba assert-crashed.
- stats clients were unnecessarily chatty with the stats server.
- imapc: Fixed various assert-crashes when reconnecting to server.
- lmtp, submission: Fix potential crash if client disconnects while
handling a command.
- quota: Fixed compiling with glibc-2.26 / support libtirpc.
- fts-solr: Empty search values resulted in 400 Bad Request errors
- fts-solr: default_ns parameter couldn't be used
- submission server crashed if relay server returned over 7 lines in
a reply (e.g. to EHLO)
v2.3.2.1 2018-07-09 Timo Sirainen <>
- SSL/TLS servers may have crashed during client disconnection
- lmtp: With lmtp_rcpt_check_quota=yes mail deliveries may have
sometimes assert-crashed.
- v2.3.2: "make check" may have crashed with 32bit systems
v2.3.2 2018-06-29 Timo Sirainen <>
* old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while
opening /proc/self/io. This may still cause security problems if the
process is ptrace()d at the same time. Instead, open it while still
running as root.
+ doveadm: Added mailbox cache decision&remove commands. See
doveadm-mailbox(1) man page for details.
+ doveadm: Added rebuild attachments command for rebuilding
$HasAttachment or $HasNoAttachment flags for matching mails. See
doveadm-rebuild(1) man page for details.
+ cassandra: Use fallback_consistency on more types of errors
+ lmtp proxy: Support outgoing SSL/TLS connections
+ lmtp: Add lmtp_rawlog_dir and lmtp_proxy_rawlog_dir settings.
+ submission: Add support for rawlog_dir
+ submission: Add submission_client_workarounds setting.
+ lua auth: Add password_verify() function and additional fields in
auth request.
- doveadm-server: TCP connections are hanging when there is a lot of
network output. This especially caused hangs in dsync-replication.
- Using multiple type=shared mdbox namespaces crashed
- mail_fsync setting was ignored. It was always set to "optimized".
- lua auth: Fix potential crash at deinit
- SSL/TLS servers may have crashed if client disconnected during
- SSL/TLS servers: Don't send extraneous certificates to client when
alt certs are used.
- lda, lmtp: Return-Path header without '<' may have assert-crashed.
- lda, lmtp: Unencoded UTF-8 in email address headers may assert-crash
- lda: -f parameter didn't allow empty/null/domainless address
- lmtp, submission: Message size limit was hardcoded to 40 MB.
Exceeding it caused the connection to get dropped during transfer.
- lmtp: Fix potential crash when delivery fails at DATA stage
- lmtp: login_greeting setting was ignored
- Fix to work with OpenSSL v1.0.2f
- systemd unit restrictions were too strict by default
- Fix potential crashes when a lot of log output was produced
- SMTP client may have assert-crashed when sending mail
- IMAP COMPRESS: Send "end of compression" marker when disconnecting.
- cassandra: Fix consistency=quorum to work
- dsync: Lock file generation failed if home directory didn't exist
- Snippet generation for HTML mails didn't ignore &entities inside
blockquotes, producing strange looking snippets.
- imapc: Fix assert-crash if getting disconnected and after
reconnection all mails in the selected mailbox are gone.
- pop3c: Handle unexpected server disconnections without assert-crash
- fts: Fixes to indexing mails via virtual mailboxes.
- fts: If mails contained NUL characters, the text around it wasn't
- Obsolete dovecot.index.cache offsets were sometimes used. Trying to
fetch a field that was just added to cache file may not have always
found it.
v2.3.1 2018-02-29 Aki Tuomi <>
* Submission server support improvements and bug fixes
- Lots of bug fixes to submission server
* API CHANGE: array_idx_modifiable will no longer allocate space
- Particularly affects how you should check MODULE_CONTEXT result, or
+ mail_attachment_detection_options setting controls when
$HasAttachment and $HasNoAttachment keywords are set for mails.
+ imap: Support fetching body snippets using FETCH (SNIPPET) or
+ fs-compress: Automatically detect whether input is compressed or not.
Prefix the compression algorithm with "maybe-" to enable the
detection, for example: "compress:maybe-gz:6:..."
+ Added settings to change dovecot.index* files' optimization behavior.
+ Auth cache can now utilize auth workers to do password hash
verification by setting auth_cache_verify_password_with_worker=yes.
+ Added charset_alias plugin. See
+ imap_logout_format and pop3_logout_format settings now support all of
the generic variables (e.g. %{rip}, %{session}, etc.)
+ Added auth_policy_check_before_auth, auth_policy_check_after_auth
and auth_policy_report_after_auth settings.
+ master: Support HAProxy PP2_TYPE_SSL command and set "secured"
variable appropriately
- Invalid UCS4 escape in HTML can cause crashes
- imap: IMAP COMPRESS -enabled clietn crashes on disconnect
- lmtp: Fix crash when user is over quota
- lib-lda: Parsing Return-Path header address fails when it contains
- auth: SASL with Exim fails for AUTH commands without an initial
- imap: SPECIAL-USE capability isn't automatically added
- auth: LDAP subqueries do not support standard auth variables in
- auth: SHA256-CRYPT and SHA512-CRYPT schemes do not work
- lib-index: mail_always/never_cache_fields are not used for existing
cache files
- imap: Fetching headers leaks memory if search doesn't find any mails
- lmtp: ORCPT support in RCPT TO
- imap-login: Process sometimes ends up in infinite loop
- sdbox: Rolled back save/copy transaction doesn't delete temp files
- mail: lock_method=dotlock causes crashes
v2.3.0.1 2018-02-28 Timo Sirainen <>
* CVE-2017-15130: TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted. This happens only if Dovecot config has
local_name { } or local { } configuration blocks and attacker uses
randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or
leak memory contents to attacker. For example, these memory contents
might contain parts of an email from another user if the same imap
process is reused for multiple users. First discovered by Aleksandar
Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
via HackerOne.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login
* Linux: Core dumping is no longer enabled by default via
PR_SET_DUMPABLE, because this may allow attackers to bypass
chroot/group restrictions. Found by cPanel Security Team. Nowadays
core dumps can be safely enabled by using "sysctl -w
fs.suid_dumpable=2". If the old behaviour is wanted, it can still be
enabled by setting:
import_environment=$import_environment PR_SET_DUMPABLE=1
- imap-login with SSL/TLS connections may end up in infinite loop
v2.3.0 2017-12-22 Timo Sirainen <>
* Various setting changes, see
* Logging rewrite started: Logging is now based on hierarchical events.
This makes it possible to do various things, like: 1) giving
consistent log prefixes, 2) enabling debug logging with finer
granularity, 3) provide logs in more machine readable formats
(e.g. json). Everything isn't finished yet, especially a lot of the
old logging code still needs to be translated to the new way.
* Statistics rewrite started: Stats are now based on (log) events.
It's possible to gather statistics about any event that is logged.
See for details
* ssl_dh setting replaces the old generated ssl-parameters.dat
* IMAP: When BINARY FETCH finds a broken mails, send [PARSE] error
instead of [UNKNOWNCTE]
* Linux: core dumping via PR_SET_DUMPABLE is no longer enabled by
default due to potential security reasons (found by cPanel Security
+ Added support for SMTP submission proxy server, which includes
support for BURL and CHUNKING extension.
+ LMTP rewrite. Supports now CHUNKING extension and mixing of
local/proxy recipients.
+ auth: Support libsodium to add support for ARGON2I and ARGON2ID
password schemes.
+ auth: Support BLF-CRYPT password scheme in all platforms
+ auth: Added LUA scripting support for passdb/userdb.
- Input streams are more reliable now when there are errors or when
the maximum buffer size is reached. Previously in some situations
this could have caused Dovecot to try to read already freed memory.
- Output streams weren't previously handling failures when writing a
trailer at the end of the stream. This mainly affected encrypt and
zlib compress ostreams, which could have silently written truncated
files if the last write happened to fail (which shouldn't normally
have ever happened).
- virtual plugin: Fixed panic when fetching mails from virtual
mailboxes with IMAP BINARY extension.
- doveadm-server: Fix potential hangs with SSL connections
- doveadm proxy: Reading commands' output from v2.2.33+ servers could
have caused the output to be corrupted or caused a crash.
- Many other smaller fixes
v2.2.36.3 2019-03-28 Timo Sirainen <>
* CVE-2019-7524: Missing input buffer size validation leads into
arbitrary buffer overflow when reading fts or pop3 uidl header
from Dovecot index. Exploiting this requires direct write access to
the index files.
v2.2.36.1 2019-02-05 Timo Sirainen <>
* CVE-2019-3814: If imap/pop3/managesieve/submission client has
trusted certificate with missing username field
(ssl_cert_username_field), under some configurations Dovecot
mistakenly trusts the username provided via authentication instead
of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This bug
didn't affect Dovecot's Submission service.
- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
- director: Kicking a user assert-crashes if login process is very slow
- lda/lmtp: Fix assert-crash with some Sieve scripts when
- fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
- Snippet generation crashed with invalid Content-Type:multipart
v2.2.36 2018-05-23 Timo Sirainen <>
* login-proxy: If ssl_require_crl=no, allow revoked certificates.
Also don't do CRL checks for incoming client certificates.
* stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening
/proc/self/io. This may still cause security problems if the process
is ptrace()d at the same time. Instead, open it while still running
as root.
+ doveadm: Added mailbox cache decision&remove commands. See
doveadm-mailbox(1) man page for details.
+ doveadm: Added rebuild attachments command for rebuilding
$HasAttachment or $HasNoAttachment flags for matching mails. See
doveadm-rebuild(1) man page for details.
+ cassandra: Use fallback_consistency on more types of errors
- cassandra: Fix consistency=quorum to work
- dsync: Lock file generation failed if home directory didn't exist
- In some configs if namespace root directory didn't yet exist, Dovecot
failed to create mailboxes.lock when trying to create mailboxes
- Snippet generation for HTML mails didn't ignore &entities inside
blockquotes, producing strange looking snippets.
- imapc: Fix assert-crash if getting disconnected and after
reconnection all mails in the selected mailbox are gone.
- pop3c: Handle unexpected server disconnections without assert-crash
- fts: Fixes to indexing mails via virtual mailboxes.
- fts: If mails contained NUL characters, the text around it wasn't
- Obsolete dovecot.index.cache offsets were sometimes used. Trying to
fetch a field that was just added to cache file may not have always
found it.
- dict-sql: Fix crash when reading NULL value from database
v2.2.35 2018-03-19 Aki Tuomi <>
- charset_alias: compile fails with Solaris Studio, reported by
John Woods.
- Fix local name handling in v2.2.34 SNI code, bug found by cPanel.
- imapc: Don't try to add mails to index if they already exist there.
- imapc: If email is modified in istream_opened hook, mail size isn't
- lib-dcrypt: When reading encrypted data, more data would not be
read if buffer was not consumed causing panic or hang.
- notify: When notify plugin is used and transaction commit fails in
dsync, crash occurs.
- sdbox: When delivering to a mailbox that is over quota, temp files
are not cleaned up when saving or copying fails.
v2.2.34 2018-02-28 Timo Sirainen <>
* CVE-2017-15130: TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted. This happens only if Dovecot config has
local_name { } or local { } configuration blocks and attacker uses
randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or
leak memory contents to attacker. For example, these memory contents
might contain parts of an email from another user if the same imap
process is reused for multiple users. First discovered by Aleksandar
Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
via HackerOne.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login
* Linux: Core dumping is no longer enabled by default via
PR_SET_DUMPABLE, because this may allow attackers to bypass
chroot/group restrictions. Found by cPanel Security Team. Nowadays
core dumps can be safely enabled by using "sysctl -w
fs.suid_dumpable=2". If the old behaviour is wanted, it can still be
enabled by setting:
import_environment=$import_environment PR_SET_DUMPABLE=1
* doveconf output now includes the hostname.
+ mail_attachment_detection_options setting controls when
$HasAttachment and $HasNoAttachment keywords are set for mails.
+ imap: Support fetching body snippets using FETCH (SNIPPET) or
+ fs-compress: Automatically detect whether input is compressed or not.
Prefix the compression algorithm with "maybe-" to enable the
detection, for example: "compress:maybe-gz:6:..."
+ Added settings to change dovecot.index* files' optimization behavior.
+ Auth cache can now utilize auth workers to do password hash
verification by setting auth_cache_verify_password_with_worker=yes.
+ Added charset_alias plugin. See
+ imap_logout_format and pop3_logout_format settings now support all of
the generic variables (e.g. %{rip}, %{session}, etc.)
+ Added auth_policy_check_before_auth, auth_policy_check_after_auth
and auth_policy_report_after_auth settings.
- v2.2.33: doveadm-server: Various fixes related to log handling.
- v2.2.33: doveadm failed when trying to access UNIX socket that didn't
require authentication.
- v2.2.33: doveadm log reopen stopped working
- v2.2.30+: IMAP stopped advertising SPECIAL-USE capability
- v2.2.30+: IMAP stopped sending untagged OK/NO storage notifications
- replication: dsync sends unnecessary replication notification for
changes it does internally. NOTE: Folder creates, renames, deletes
and subscribes still trigger unnecessary replication notifications,
but these should be rather rare.
- mail_always/never_cache_fields setting changes weren't applied for
existing dovecot.index.cache files.
- Fix compiling and other problems with OpenSSL v1.1
- auth policy: With master user logins, lookup using login username.
- FTS reindexed all mails unnecessarily after loss of
dovecot.index.cache file
- mdbox rebuild repeatedly fails with "missing map extension"
- SSL connections may have been hanging with imapc or doveadm client.
- cassandra: Using protocol v3 (Cassandra v2.1) caused memory leaks and
also timestamps weren't set to queries.
- fs-crypt silently ignored public/private keys specified in
configuration (mail_crypt_global_public/private_key) and just
emitted plaintext output.
- lock_method=dotlock caused crashes
- imapc: Reconnection may cause crashes and other errors
v2.2.33.2 2017-10-20 Timo Sirainen <>
- doveadm: Fix crash in proxying (or dsync replication) if remote is
running older than v2.2.33
- auth: Fix memory leak in %{ldap_dn}
- dict-sql: Fix data types to work correctly with Cassandra
v2.2.33.1 2017-10-10 Timo Sirainen <>
- dovecot-lda was logging to stderr instead of to the log file.
v2.2.33 2017-10-10 Timo Sirainen <>
* doveadm director commands wait for the changes to be visible in the
whole ring before they return. This is especially useful in testing.
* Environments listed in import_environment setting are now set or
preserved when executing standalone commands (e.g. doveadm)
+ doveadm proxy: Support proxying logs. Previously the logs were
visible only in the backend's logs.
+ Added %{if}, see
+ Added a new notify_status plugin, which can be used to update dict
with current status of a mailbox when it changes. See
+ Mailbox list index can be disabled for a namespace by appending
":LISTINDEX=" to location setting.
+ dsync/imapc: Added dsync_hashed_headers setting to specify which
headers are used to match emails.
+ pop3-migration: Add pop3_migration_ignore_extra_uidls=yes to ignore
mails that are visible in POP3 but not IMAP. This could happen if
new mails were delivered during the migration run.
+ pop3-migration: Further improvements to help with Zimbra
+ pop3-migration: Cache POP3 UIDLs in imapc's dovecot.index.cache
if indexes are enabled. These are used to optimize incremental syncs.
+ cassandra, dict-sql: Use prepared statements if protocol version>3.
+ auth: Added %{ldap_dn} variable for passdb/userdb ldap
- acl: The "create" (k) permission in global acl-file was sometimes
ignored, allowing users to create mailboxes when they shouldn't have.
- sdbox: Mails were always opened when expunging, unless
mail_attachment_fs was explicitly set to empty.
- lmtp/doveadm proxy: hostip passdb field was ignored, which caused
unnecessary DNS lookups if host field wasn't an IP
- lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO
- quota_clone: Update also when quota is unlimited (broken in v2.2.31)
- mbox, zlib: Fix assert-crash when accessing compressed mbox
- doveadm director kick -f parameter didn't work
- doveadm director flush <host> resulted flushing all hosts, if <host>
wasn't an IP address.
- director: Various fixes to handling backend/director changes at
abnormal times, especially while ring was unsynced. These could have
resulted in crashes, non-optimal behavior or ignoring some of the
- director: Use less CPU in imap-login processes when moving/kicking
many users.
- lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs
when lmtp_rcpt_check_quota=yes
- doveadm sync -1 fails when local mailboxes exist that do not exist
remotely. This commonly happened when lazy_expunge mailbox was
autocreated when incremental sync expunged mails.
- pop3: rawlog_dir setting didn't work
v2.2.32 2017-08-24 Timo Sirainen <>
* imapc: Info-level line is logged every time when successfully
connected to the remote server. This includes local/remote IP/port,
which can be useful for matching against external logs.
* config: Log a warning if plugin { key=no } is used explicitly.
v2.3 will support "no" properly in plugin settings, but for now
any value at all for a boolean plugin setting is treated as "yes",
even if it's written as explicit "no". This change will now warn
that it most likely won't work as intended.
+ Various optimizations to avoid accessing files/directories when it's
not necessary. Especially avoid accessing mail root directories when
INDEX directories point to a different filesystem.
+ mail_location can now include ITERINDEX parameter. This tells Dovecot
to perform mailbox listing from the INDEX path instead of from the
mail root path. It's mainly useful when the INDEX storage is on a
faster storage.
+ mail_location can now include VOLATILEDIR=<path> parameter. This
is used for creating lock files and in future potentially other
files that don't need to exist permanently. The path could point to
tmpfs for example. This is especially useful to avoid creating lock
files to NFS or other remote filesystems. For example:
+ mail_location's LISTINDEX=<path> can now contain a full path.
This allows storing mailbox list index to a different storage
than the rest of the indexes, for example to tmpfs.
+ mail_location can now include NO-NOSELECT parameter. This
automatically deletes any \NoSelect mailboxes that have no children.
These mailboxes are sometimes confusing to users.
+ mail_location can now include BROKENCHAR=<char> parameter. This can
be useful with imapc to access mailbox names that aren't valid mUTF-7
charset from remote servers.
+ If mailbox_list_index_very_dirty_syncs=yes, the list index is no
longer refreshed against filesystem when listing mailboxes. This
allows the mailbox listing to be done entirely by only reading the
mailbox list index.
+ Added mailbox_list_index_include_inbox setting to control whether
INBOX's STATUS information should be cached in the mailbox list
index. The default is "no", but it may be useful to change it to
"yes", especially if LISTINDEX points to tmpfs.
+ userdb can return chdir=<path>, which override mail_home for the
chdir location. This can be useful to avoid accessing home directory
on login.
+ userdb can return postlogin=<socket> to specify per-user imap/pop3
postlogin socket path.
+ cassandra: Add support for result paging by adding page_size=<n>
parameter to the connect setting.
+ dsync/imapc, pop3-migration plugin: Strip also trailing tabs from
headers when matching mails. This helps with migrations from Zimbra.
+ imap_logout_format supports now %{appended} and %{autoexpunged}
+ virtual plugin: Optimize IDLE to use mailbox list index for finding
out when something has changed.
+ Added apparmor plugin. See
- virtual plugin: A lot of fixes. In many cases it was also working
very inefficiently or even incorrectly.
- imap: NOTIFY parameter parsing was incorrectly "fixed" in v2.2.31.
It was actually (mostly) working in previous versions, but broken
in v2.2.31.
- Modseq tracking didn't always work correctly. This could have caused
imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to
not work perfectly.
- mdbox: "Inconsistency in map index" wasn't fixed automatically
- dict-ldap: %variable values used in the LDAP filter weren't escaped.
- quota=count: quota_warning = -storage=.. was never executed (try #2).
v2.2.31 fixed it for -messages, but not for -storage.
- imapc: >= 32 kB mail bodies were supposed to be cached for subsequent
FETCHes, but weren't.
- quota-status service didn't support recipient_delimiter
- acl: Don't access dovecot-acl-list files with acl_globals_only=yes
- mail_location: If INDEX dir is set, mailbox deletion deletes its
childrens' indexes. For example if "box" is deleted, "box/child"
index directory was deleted as well (but mails were preserved).
- director: v2.2.31 caused rapid reconnection loops to directors
that were down.
v2.2.31 2017-06-26 Timo Sirainen <>
* LMTP: Removed "(Dovecot)" from added Received headers. Some
installations want to hide it, and there's not really any good reason
for anyone to have it.
+ Add ssl_alt_cert and ssl_alt_key settings to add support for
having both RSA and ECDSA certificates.
+ dsync/imapc, pop3-migration plugin: Strip trailing whitespace from
headers when matching mails. This helps with migrations from Zimbra.
+ acl: Add acl_globals_only setting to disable looking up
per-mailbox dovecot-acl files.
+ Parse invalid message addresses better. This mainly affects the
generated IMAP ENVELOPE replies.
- v2.2.30 wasn't fixing corrupted dovecot.index.cache files properly.
It could have deleted wrong mail's cache or assert-crashed.
- v2.2.30 mail-crypt-acl plugin was assert-crashing
- v2.2.30 welcome plugin wasn't working
- Various fixes to handling mailbox listing. Especially related to
handling nonexistent autocreated/autosubscribed mailboxes and ACLs.
- Global ACL file was parsed as if it was local ACL file. This caused
some of the ACL rule interactions to not work exactly as intended.
- auth: forward_* fields didn't work properly: Only the first forward
field was working, and only if the first passdb lookup succeeded.
- Using mail_sort_max_read_count sometimes caused "Broken sort-*
indexes, resetting" errors.
- Using mail_sort_max_read_count may have caused very high CPU usage.
- Message address parsing could have crashed on invalid input.
- imapc_features=fetch-headers wasn't always working correctly and
caused the full header to be fetched.
- imapc: Various bugfixes related to connection failure handling.
- quota=imapc sent unnecessary FETCH RFC822.SIZE to server when
expunging mails.
- quota=count: quota_warning = -storage=.. was never executed
- quota=count: Add support for "ns" parameter
- dsync: Fix incremental syncing for mails that don't have Date or
Message-ID headers.
- imap: Fix hang when client sends pipelined SEARCH +
- oauth2: Token validation didn't accept empty server responses.
- imap: NOTIFY command has been almost completely broken since the
beginning. I guess nobody has been trying to use it.
v2.2.30.2 2017-06-06 Timo Sirainen <>
- auth: Multiple failed authentications within short time caused
- push-notification: OX driver crashed at deinit
v2.2.30.1 2017-05-31 Timo Sirainen <>
- quota_warning scripts weren't working in v2.2.30
- vpopmail still wasn't compiling
v2.2.30 2017-05-30 Timo Sirainen <>
* auth: Use timing safe comparisons for everything related to
passwords. It's unlikely that these could have been used for
practical attacks, especially because Dovecot delays and flushes all
failed authentications in 2 second intervals. Also it could have
worked only when passwords were stored in plaintext in the passdb.
* master process sends SIGQUIT to all running children at shutdown,
which instructs them to close all the socket listeners immediately.
This way restarting Dovecot should no longer fail due to some
processes keeping the listeners open for a long time.
+ auth: Add passdb { mechanisms=none } to match separate passdb lookup
+ auth: Add passdb { username_filter } to use passdb only if user
matches the filter. See
+ dsync: Add dsync_commit_msgs_interval setting. It attempts to commit
the transaction after saving this many new messages. Because of the
way dsync works, it may not always be possible if mails are copied
or UIDs need to change.
+ imapc: Support imapc_features=search without ESEARCH extension.
+ imapc: Add imapc_features=fetch-bodystructure to pass through remote
+ imapc: Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on the
remote server.
+ passdb imap: Add allow_invalid_cert and ssl_ca_file parameters.
+ If dovecot.index.cache corruption is detected, reset only the one
corrupted mail instead of the whole file.
+ doveadm mailbox status: Add "firstsaved" field.
+ director_flush_socket: Add old host's up/down and vhost count as parameters
- More fixes to automatically fix corruption in dovecot.list.index
- dsync-server: Fix support for dsync_features=empty-header-workaround
- imapc: Various bugfixes, including infinite loops on some errors
- IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't
enabled modseq tracking via CONDSTORE/QRESYNC.
- fts-lucene: Fix it to work again with mbox format
- Some internal error messages may have contained garbage in v2.2.29
- mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys
are used. Otherwise the copied mails can't be opened.
- vpopmail: Fix compiling
v2.2.29.1 2017-04-12 Timo Sirainen <>
- imapc reconnection fix was forgotten from 2.2.29 release, which also
made "make check" fail in a unit test
- dict-sql: Merging multiple UPDATEs to a single statement wasn't
actually working.
- Fixed building with vpopmail
v2.2.29 2017-04-10 Timo Sirainen <>
* passdb/userdb dict: Don't double-expand %variables in keys. If dict
was used as the authentication passdb, using specially crafted
%variables in the username could be used to cause DoS (CVE-2017-2669)
* When Dovecot encounters an internal error, it logs the real error and
usually logs another line saying what function failed. Previously the
second log line's error message was a rather uninformative "Internal
error occurred. Refer to server log for more information." Now the
real error message is duplicated in this second log line.
* lmtp: If a delivery has multiple recipients, run autoexpunging only
for the last recipient. This avoids a problem where a long
autoexpunge run causes LMTP client to timeout between the DATA
replies, resulting in duplicate mail deliveries.
* config: Don't stop the process due to idling. Otherwise the
configuration is reloaded when the process restarts.
* mail_log plugin: Differentiate autoexpunges from regular expunges
* imapc: Use LOGOUT to cleanly disconnect from server.
* lib-http: Internal status codes (>9000) are no longer visible in logs
* director: Log vhost count changes and HOST-UP/DOWN
+ quota: Add plugin { quota_max_mail_size } setting to limit the
maximum individual mail size that can be saved.
+ imapc: Add imapc_features=delay-login. If set, connecting to the
remote IMAP server isn't done until it's necessary.
+ imapc: Add imapc_connection_retry_count and
imapc_connection_retry_interval settings.
+ imap, pop3, indexer-worker: Add (deinit) to process title before
autoexpunging runs.
+ Added %{encrypt} and %{decrypt} variables
+ imap/pop3 proxy: Log proxy state in errors as human-readable string.
+ imap/pop3-login: All forward_* extra fields returned by passdb are
sent to the next hop when proxying using ID/XCLIENT commands. On the
receiving side these fields are imported and sent to auth process
where they're accessible via %{passdb:forward_*}. This is done only
if the sending IP address matches login_trusted_networks.
+ imap-login: If imap_id_retain=yes, send the IMAP ID string to
auth process. %{client_id} expands to it in auth process. The ID
string is also sent to the next hop when proxying.
+ passdb imap: Use ssl_client_ca_* settings for CA validation.
- fts-tika: Fixed crash when parsing attachment without
Content-Disposition header. Broken by 2.2.28.
- trash plugin was broken in 2.2.28
- auth: When passdb/userdb lookups were done via auth-workers, too much
data was added to auth cache. This could have resulted in wrong
replies when using multiple passdbs/userdbs.
- auth: passdb { skip & mechanisms } were ignored for the first passdb
- oauth2: Various fixes, including fixes to crashes
- dsync: Large Sieve scripts (or other large metadata) weren't always
- Index rebuild (e.g. doveadm force-resync) set all mails as \Recent
- imap-hibernate: %{userdb:*} wasn't expanded in mail_log_prefix
- doveadm: Exit codes weren't preserved when proxying commands via
doveadm-server. Almost all errors used exit code 75 (tempfail).
- ACLs weren't applied to not-yet-existing autocreated mailboxes.
- Fixed a potential crash when parsing a broken message header.
- cassandra: Fallback consistency settings weren't working correctly.
- doveadm director status <user>: "Initial config" was always empty
- imapc: Various reconnection fixes.
v2.2.28 2017-02-24 Timo Sirainen <>
* director: "doveadm director move" to same host now refreshes user's
timeout. This allows keeping user constantly in the same backend by
just periodically moving the user there.
* When new mailbox is created, use initially INBOX's
dovecot.index.cache caching decisions.
* Expunging mails writes GUID to dovecot.index.log now only if the
GUID is quickly available from index/cache.
* pop3c: Increase timeout for PASS command to 5 minutes.
* Mail access errors are no longer ignored when searching or sorting.
With IMAP the untagged SEARCH/SORT reply is still sent the same as
before, but NO reply is returned instead of OK.
+ Make dovecot.list.index's filename configurable. This is needed when
there are multiple namespaces pointing to the same mail root
(e.g. lazy_expunge namespace for mdbox).
+ Add size.virtual to dovecot.index when folder vsizes are accessed
(e.g. quota=count). This is mainly a workaround to avoid slow quota
recalculation performance when message sizes get lost from
dovecot.index.cache due to corruption or some other reason.
+ auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them
in lib-dsasl for client side.
+ auth: Support filtering by SASL mechanism: passdb { mechanisms }
+ Shrink the mail processes' memory usage by not storing settings
duplicated unnecessarily many times.
+ imap: Add imap_fetch_failure setting to control what happens when
FETCH fails for some mails (see example-config).
+ imap: Include info about last command in disconnection log line.
+ imap: Created new SEARCH=X-MIMEPART extension. It's currently not
advertised by default, since it's not fully implemented.
+ fts-solr: Add support for basic authentication.
+ Cassandra: Support automatically retrying failed queries if
execution_retry_interval and execution_retry_times are set.
+ doveadm: Added "mailbox path" command.
+ mail_log plugin: If plugin { mail_log_cached_only=yes }, log the
wanted fields only if it doesn't require opening the email.
+ mail_vsize_bg_after_count setting added (see example-config).
+ mail_sort_max_read_count setting added (see example-config).
+ pop3c: Added pop3c_features=no-pipelining setting to prevent using
PIPELINING extension even though it's advertised.
- Index files: day_first_uid wasn't updated correctly since v2.2.26.
This caused dovecot.index.cache to be non-optimal.
- imap: SEARCH/SORT may have assert-crashed in
- imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes.
- imap: Running time in tagged command reply was often wrongly 0.
- search: Using NOT n:* or NOT UID n:* wasn't handled correctly
- director: doveadm director kick was broken
- director: Fix crash when using director_flush_socket
- director: Fix some bugs when moving users between backends
- imapc: Various error handling fixes and improvements
- master: doveadm process status output had a lot of duplicates.
- autoexpunge: If mailbox's rename timestamp is newer than mail's
save-timestamp, use it instead. This is useful when autoexpunging
e.g. Trash/* and an entire mailbox is deleted by renaming it under
Trash to prevent it from being autoexpunged too early.
- autoexpunge: Multiple processes may have been trying to expunge the
same mails simultaneously. This was problematic especially with
lazy_expunge plugin.
- auth: %{passdb:*} was empty in auth-worker processes
- auth-policy: hashed_password was always sent empty.
- dict-sql: Merge multiple UPDATEs to a single statement if possible.
- fts-solr: Escape {} chars when sending queries
- fts: fts_autoindex_exclude = \Special-use caused crashes
- doveadm-server: Fix leaks and other problems when process is reused
for multiple requests (service_count != 1)
- sdbox: Fix assert-crash on mailbox create race
- lda/lmtp: deliver_log_format values weren't entirely correct if Sieve
was used. especially %{storage_id} was broken.
- lmtp_user_concurrency_limit didn't work if userdb changed username
v2.2.27 2016-12-03 Timo Sirainen <>
* dovecot.list.index.log rotation sizes/times were changed so that
the .log file stays smaller and .log.2 is deleted sooner.
+ Added mail_crypt plugin that allows encryption of stored emails.
+ stats: Global stats can be sent to Carbon server by setting
+ imap/pop3 proxy: If passdb returns proxy_not_trusted, don't send
+ Added generic hash modifier for %variables:
%{<hash algorithm>;rounds=<n>,truncate=<bits>,salt=s>:field}
Hash algorithm is any of the supported ones, e.g. md5, sha1, sha256.
Also "pkcs5" is supported using SHA256. For example: %{sha256:user}
or %{md5;truncate=32:user}.
+ Added support for SHA3-256 and SHA3-512 hashes.
+ config: Support DNS wildcards in local_name, e.g.
local_name * { .. } matches, but
+ config: Support multiple names in local_name, e.g.
local_name "" { .. }
- Fixed crash in auth process when auth-policy was configured and
authentication was aborted/failed without a username set.
- director: If two users had different tags but the same hash,
the users may have been redirected to the wrong tag's hosts.
- Index files may have been thought incorrectly lost, causing
"Missing middle file seq=.." to be logged and index rebuild.
This happened more easily with IMAP hibernation enabled.
- Various fixes to restoring state correctly in un-hibernation.
- dovecot.index files were commonly 4 bytes per email too large. This
is because 3 bytes per email were being wasted that could have been
used for IMAP keywords.
- Various fixes to handle dovecot.list.index corruption better.
- lib-fts: Fixed assert-crash in address tokenizer with specific input.
- Fixed assert-crash in HTML to text parsing with specific input
(e.g. for FTS indexing or snippet generation)
- doveadm sync -1: Fixed handling mailbox GUID conflicts.
- sdbox, mdbox: Perform full index rebuild if corruption is detected
inside lib-index, which runs index fsck.
- quota: Don't skip quota checks when moving mails between different
quota roots.
- search: Multiple sequence sets or UID sets in search parameters
weren't handled correctly. They were incorrectly merged together.
v2.2.26.0 2016-10-28 Timo Sirainen <>
- Fixed some compiling issues.
- auth: Fixed assert-crash when using NTLM or SKEY mechanisms and
multiple passdbs.
- auth: Fixed crash when exporting to auth-worker passdb extra fields
that had empty values.
- dsync: Fixed assert-crash in dsync_brain_sync_mailbox_deinit
v2.2.26 2016-10-27 Timo Sirainen <>
* master: Removed hardcoded 511 backlog limit for listen(). The kernel
should limit this as needed.
* doveadm import: Source user is now initialized the same as target
user. Added -U parameter to override the source user.
* Mailbox names are no longer limited to 16 hierarchy levels. We'll
check another way to make sure mailbox names can't grow larger than
4096 bytes.
+ Added a concept of "alternative usernames" by returning user_* extra
field(s) in passdb. doveadm proxy list shows these alt usernames in
"doveadm proxy list" output. "doveadm director&proxy kick" adds
-f <passdb field> parameter. The alt usernames don't have to be
unique, so this allows creation of user groups and kicking them in
one command.
+ auth: passdb/userdb dict allows now %variables in key settings.
+ auth: If passdb returns noauthenticate=yes extra field, assume that
it only set extra fields and authentication wasn't actually performed.
+ auth: passdb static now supports password={scheme} prefix.
+ auth, login_log_format_elements: Added %{local_name} variable, which
expands to TLS SNI hostname if given.
+ imapc: Added imapc_max_line_length to limit maximum memory usage.
+ imap, pop3: Added rawlog_dir setting to store IMAP/POP3 traffic logs.
This replaces at least partially the rawlog plugin.
+ dsync: Added dsync_features=empty-header-workaround setting. This
makes incremental dsyncs work better for servers that randomly return
empty headers for mails. When an empty header is seen for an existing
mail, dsync assumes that it matches the local mail.
+ doveadm sync/backup: Added -I <max size> parameter to skip too
large mails.
+ doveadm sync/backup: Fixed -t parameter and added -e for "end date".
+ doveadm mailbox metadata: Added -s parameter to allow accessing
server metadata by using empty mailbox name.
+ Added "doveadm service status" and "doveadm process status" commands.
+ director: Added director_flush_socket. See
+ doveadm director flush: Users are now moved only max 100 at a time to
avoid load spikes. --max-parallel parameter overrides this.
+ Added FILE_LOCK_SLOW_WARNING_MSECS environment, which logs a warning
if any lock is waited on or kept for this many milliseconds.
- master process's listener socket was leaked to all child processes.
This might have allowed untrusted processes to capture and prevent
"doveadm service stop" comands from working.
- login proxy: Fixed crash when outgoing SSL connections were hanging.
- auth: userdb fields weren't passed to auth-workers, so %{userdb:*}
from previous userdbs didn't work there.
- auth: Each userdb lookup from cache reset its TTL.
- auth: Fixed auth_bind=yes + sasl_bind=yes to work together
- auth: Blocking userdb lookups reset extra fields set by previous
- auth: Cache keys didn't include %{passdb:*} and %{userdb:*}
- auth-policy: Fixed crash due to using already-freed memory if policy
lookup takes longer than auth request exists.
- lib-auth: Unescape passdb/userdb extra fields. Mainly affected
returning extra fields with LFs or TABs.
- lmtp_user_concurrency_limit>0 setting was logging unnecessary
anvil errors.
- lmtp_user_concurrency_limit is now checked before quota check with
lmtp_rcpt_check_quota=yes to avoid unnecessary quota work.
- lmtp: %{userdb:*} variables didn't work in mail_log_prefix
- autoexpunge settings for mailboxes with wildcards didn't work when
namespace prefix was non-empty.
- Fixed writing >2GB to iostream-temp files (used by fs-compress,
fs-metawrap, doveadm-http)
- director: Ignore duplicates in director_servers setting.
- director: Many fixes related to connection handshaking, user moving
and error handling.
- director: Don't break with shutdown_clients=no
- zlib, IMAP BINARY: Fixed internal caching when accessing multiple
newly created mails. They all had UID=0 and the next mail could have
wrongly used the previously cached mail.
- doveadm stats reset wasn't reseting all the stats.
- auth_stats=yes: Don't update num_logins, since it doubles them when
using with mail stats.
- quota count: Fixed deadlocks when updating vsize header.
- dict-quota: Fixed crashes happening due to memory corruption.
- dict proxy: Fixed various timeout-related bugs.
- doveadm proxying: Fixed -A and -u wildcard handling.
- doveadm proxying: Fixed hangs and bugs related to printing.
- imap: Fixed wrongly triggering assert-crash in
- imap proxy: Don't send ID command pipelined with nopipelining=yes
- imap-hibernate: Don't execute quota_over_script or last_login after
- imap-hibernate: Don't un-hibernate if client sends DONE+IDLE in one
IP packet.
- imap-hibernate: Fixed various failures when un-hibernating.
- fts: fts_autoindex=yes was broken in 2.2.25 unless
fts_autoindex_exclude settings existed.
- fts-solr: Fixed searching multiple mailboxes (patch by x16a0)
- doveadm fetch body.snippet wasn't working in 2.2.25. Also fixed a
crash with certain emails.
- pop3-migration + dbox: Various fixes related to POP3 UIDL
optimization in 2.2.25.
- pop3-migration: Fixed "truncated email header" workaround.
v2.2.25 2016-07-01 Timo Sirainen <>
* lmtp: Start tracking lmtp_user_concurrency_limit and reject already
at RCPT TO stage. This avoids MTA unnecessarily completing DATA only
to get an error.
* doveadm: Previously only mail settings were read from protocol
doveadm { .. } section. Now all settings are.
+ quota: Added quota_over_flag_lazy_check setting. It avoids checking
quota_over_flag always at startup. Instead it's checked only when
quota is being read for some other purpose.
+ auth: Added a new auth policy service:
+ auth: Added PBKDF2 password scheme
+ auth: Added %{auth_user}, %{auth_username} and %{auth_domain}
+ auth: Added ":remove" suffix to extra field names to remove them.
+ auth: Added "delay_until=<timestamp>[+<max random secs>]" passdb
extra field. The auth will wait until <timestamp> and optionally some
randomness and then return success.
+ dict proxy: Added idle_msecs=<n> parameter. Support async operations.
+ Performance improvements for handling large mailboxes.
+ Added lib-dcrypt API for providing cryptographic functions.
+ Added "doveadm mailbox update" command
+ imap commands' output now includes timing spent on the "syncing"
stage if it's larger than 0.
+ cassandra: Added metrics=<path> to connect setting to output internal
statistics in JSON format every second to <path>.
+ doveadm mailbox delete: Added -e parameter to delete only empty
mailboxes. Added --unsafe option to quickly delete a mailbox,
bypassing lazy_expunge and quota plugins.
+ doveadm user & auth cache flush are now available via doveadm-server.
+ doveadm service stop <services> will stop specified services while
leaving the rest of Dovecot running.
+ quota optimization: Avoid reading mail sizes for backends which
don't need them (count, fs, dirsize)
+ Added mailbox { autoexpunge_max_mails=<n> } setting.
+ Added welcome plugin:
+ fts: Added fts_autoindex_exclude setting.
- v2.2.24's MIME parser was assert-crashing on mails having truncated
MIME headers.
- auth: With multiple userdbs the final success/failure result wasn't
always correct. The last userdb's result was always used.
- doveadm backup was sometimes deleting entire mailboxes unnecessarily.
- doveadm: Command -parameters weren't being sent to doveadm-server.
- If dovecot.index read failed e.g. because mmap() reached VSZ limit,
an empty index could have been opened instead, corrupting the
mailbox state.
- imapc: Fixed EXPUNGE handling when imapc_features didn't have modseq.
- lazy-expunge: Fixed a crash when copying failed. Various other fixes.
- fts-lucene: Fixed crash on index rescan.
- auth_stats=yes produced broken output
- dict-ldap: Various fixes
- dict-sql: NULL values crashed. Now they're treated as "not found".
v2.2.24 2016-04-26 Timo Sirainen <>
* doveconf now warns if it sees a global setting being changed when
the same setting was already set inside some filters. (A common
mistake has been adding more plugins to a global mail_plugins
setting after it was already set inside protocol { .. }, which
caused the global setting to be ignored for that protocol.)
* LMTP proxy: Increased default timeout 30s -> 125s. This makes it
less likely to reach the timeout and cause duplicate deliveries.
* LMTP and indexer now append ":suffix" to session IDs to make it
unique for the specific user's delivery. (Fixes duplicate session
ID warnings in stats process.)
+ Added dict-ldap for performing read-only LDAP dict lookups.
+ lazy-expunge: All mails can be saved to a single specified mailbox.
+ mailbox { autoexpunge } supports now wildcards in mailbox names.
+ doveadm HTTP API: Added support for proxy commands
+ imapc: Reconnect when getting disconnected in non-selected state.
+ imapc: Added imapc_features=modseq to access MODSEQs/HIGHESTMODSEQ.
This is especially useful for incremental dsync.
+ doveadm auth/user: Auth lookup performs debug logging if
-o auth_debug=yes is given to doveadm.
+ Added passdb/userdb { auth_verbose=yes|no } setting.
+ Cassandra: Added user, password, num_threads, connect_timeout and
request_timeout settings.
+ doveadm user -e <value>: Print <value> with %variables expanded.
- Huge header lines could have caused Dovecot to use too much memory
(depending on config and used IMAP commands). (Typically this would
result in only the single user's process dying with out of memory
due to reaching service { vsz_limit } - not a global DoS).
- dsync: Detect and handle invalid/stale -s state string better.
- dsync: Fixed crash caused by specific mailbox renames
- auth: Auth cache is now disabled passwd-file. It was unnecessary and
it broke %variables in extra fields.
- fts-tika: Don't crash if it returns 500 error
- dict-redis: Fixed timeout handling
- SEARCH INTHREAD was crashing
- stats: Only a single fifo_listeners was supported, making it
impossible to use both auth_stats=yes and mail stats plugin.
- SSL errors were logged in separate "Stacked error" log lines
instead of as part of the disconnection reason.
- MIME body parser didn't handle properly when a child MIME part's
--boundary had the same prefix as the parent.
v2.2.23 2016-03-30 Timo Sirainen <>
- Various fixes to doveadm. Especially running commands via
doveadm-server was broken.
- director: Fixed user weakness getting stuck in some situations
- director: Fixed a situation where directors keep re-sending
different states to each others and never becoming synced.
- director: Fixed assert-crash related to a slow "user killed" reply
- Fixed assert-crash related to istream-concat, which could have
been triggered at least by a Sieve script.
v2.2.22 2016-03-16 Timo Sirainen <>
+ Added doveadm HTTP API: See
+ virtual plugin: Mailbox filtering can now be done based on the
mailbox metadata. See
+ stats: Added doveadm stats reset to reset global stats.
+ stats: Added authentication statistics if auth_stats=yes.
+ dsync, imapc, pop3c & pop3-migration: Many optimizations,
improvements and error handling fixes.
+ doveadm: Most commands now stop soon after SIGINT/SIGTERM.
- auth: Auth caching was done too aggressively when %variables were
used in default_fields, override_fields or LDAP pass/user_attrs.
userdb result_* were also ignored when user was found from cache.
- imap: Fixed various assert-crashes caused v2.2.20+. Some of them
caught actual hangs or otherwise unwanted behavior towards IMAP
- Expunges were forgotten in some situations, for example when
pipelining multiple IMAP MOVE commands.
- quota: Per-namespaces quota were broken for dict and count backends
in v2.2.20+
- fts-solr: Search queries were using OR instead of AND as the
separator for multi-token search queries in v2.2.20+.
- Single instance storage support wasn't really working in v2.2.16+
- dbox: POP3 message ordering wasn't working correctly.
- virtual plugin: Fixed crashes related to backend mailbox deletions.
v2.2.21 2015-12-11 Timo Sirainen <>
- doveadm mailbox list (and some others) were broken in v2.2.20
- director: Fixed making backend changes when running with only a
single director server.
- virtual plugin: Fixed crash when trying to open nonexistent
autocreated backend mailbox.
v2.2.20 2015-12-07 Timo Sirainen <>
+ Added mailbox { autoexpunge=<time> } setting. See for details.
+ ssl_options: Added support for no_ticket
+ imap/pop3/managesieve-login: Added postlogin_socket=path passdb extra
field. This allows replacing the default service
imap/pop3/managesieve {} settings for specific users (e.g. running
their imap process via valgrind or strace).
+ doveadm fetch: Added date.sent/received/saved.unixtime
+ fs-posix: Added mode=auto parameter to set the created files' and
directories' mode based on the parent dir if it has setgid-bit.
+ director: Support backends having hostnames, which makes it possible
to verify their SSL certificates.
- director: Directors' state became desynchronized if doveadm director
commands were used to modify the same backend in multiple directors
at the same time with conflicting changes. This fix includes some
extra checks, which makes sure that if such a conflict still happens
it's automatically fixed. In some situations such an automatic fix
may now be unnecessarily triggered and an error logged.
- director: Backend tags weren't working correctly.
- ldap: tls_* settings weren't used for ldaps URIs.
- ldap, mysql: Fixed setting connect timeout.
- auth: userdb lookups via auth-worker couldn't change username
- dsync: Fixed handling deleted directories. Make sure we don't go to
infinite mailbox renaming loop.
- imap: Fixed crash in NOTIFY when there were watched namespaces that
didn't support NOTIFY.
- imap: After SETMETADATA was used, various commands (especially FETCH)
could have started hanging when their output was large.
- stats: Idle sessions weren't refreshed often enough, causing stats
process to forget them and log errors about unknown sessions when
they were updated later.
- stats: Fixed "Duplicate session ID" errors when LMTP delivered to
multiple recipients and fts_autoindex=yes.
- zlib plugin: Fixed copying causing cache corruption when zlib_save
wasn't set, but the source message was compressed.
- fts-solr: Fixed escaping Solr query parameters.
- lmtp: quota_full_tempfail=yes was ignored with
v2.2.19 2015-10-02 Timo Sirainen <>
* pop3_deleted_flag has been broken since v2.2.10. Using it would
cause buffer overflows, which could be exploitable. However, this
bug would have become visible quite soon after users had deleted
some POP3 mails, because the pop3 processes would have started
crashing all the time even in normal use.
* "doveadm director flush" command has a changed meaning now:
It safely moves users to their wanted backends, instead of simply
forgetting the mapping entirely and leaving the existing connections
untouched. Use -F parameter to get the original unsafe behavior.
+ Added imap-hibernate processes (see imap_hibernate_timeout setting).
IDLEing IMAP connections can be hibernated, which saves memory.
+ Optimized tracking mailboxes' vsizes (= sum of all messages' sizes).
If mailbox_list_index=yes, it's also stored in there. This makes it
very efficient to look up vsizes for all mailboxes.
+ Added a quota "count" backend, which uses the mailbox vsizes to get
the current quota usage. It requires using the new quota_vsizes=yes
setting, which tracks the messages' "virtual sizes" rather than
"physical sizes". Their distiction is minor and mostly irrelevant
nowadays (if mail sizes should be counted with LF or CRLF newlines).
+ "doveadm director up/down" commands added. The monitoring script
should be using these commands instead of changing the vhost count.
This allows admin to manually disable a server by changing the vhost
count to 0 without the monitoring script changing it back.
+ Added support for HAProxy protocol:
+ Added push-notification plugin framework, which can be used to
easily implement push notifications to various backends. Implemented
"ox" backend for notifying Open-Xchange via HTTP/json.
+ imap_logout_format supports more variables now, e.g. number of
deleted messages.
+ pop3: Added pop3_delete_type setting (related to pop3_deleted_flag).
+ plugin { fts_enforced=yes } setting now fails body searches unless
it can be done via the full text search engine.
+ Added %{passdb:*} and %{userdb:*} variables to various places
+ auth: Added ":protected" suffix for passdb and userdb fields. If
used, the field doesn't overwrite an existing field.
+ IMAP/POP3 proxy: If a backend server dies, avoid client reconnection
spikes by slowly disconnecting clients over time. This is enabled by
setting login_proxy_max_disconnect_delay=secs passdb extra field.
+ imap: Added new read-only METADATA entries: /private/specialuse,
/shared/comment, /shared/admin
+ imap: If client disconnects in the middle of a command, log how long
the command had been running.
- mdbox: Rebuilding could have caused message's reference count to
overflow the 16bit number in some situations, causing problems when
trying to expunge the duplicates.
- Various search fixes (fts, solr, tika, lib-charset, indexer)
- Various virtual plugin fixes
- Various fixes and optimizations to dsync, imapc and pop3-migration
- imap: Various RFC compliancy and crash fixes to NOTIFY
v2.2.18 2015-05-15 Timo Sirainen <>
- director: Login UNIX sockets were normally detected as doveadm or
director ring sockets, causing it to break in existing installations.
- sdbox: When copying a mail in alt storage, place the destination to
alt storage as well.
v2.2.17 2015-05-13 Timo Sirainen <>
* Dovecot no longer checks or warns if a mountpoint is removed. This
was causing more trouble than it was worth. Make sure that all the
mountpoints that Dovecot accesses aren't writable by mail processes
when they're unmounted.
* dict server wasn't properly escaping/unescaping data. Fixing this
broke backwards compatibility with data that contains line feeds.
This hopefully affects only very few installations. If you're using
dict to save multiline data (Sieve scripts to SQL), you may be
* imap: SPECIAL-USE capability is no longer advertised if there are
no special_use flags specified for any mailboxes.
+ lmtp: Added lmtp_hdr_delivery_address setting to specify whether
to include email address in Delivered-To: and Received: headers.
+ Added initial version of full text search library, which includes
language-specific text normalization and filtering. This is still
in development, but it's already possible to use for testing with
fts-lucene and fts-solr.
+ lda, lmtp: deliver_log_format can now include %{delivery_time},
which expands to how many milliseconds it took to deliver the mail.
With LMTP %{session_time} also expands to how many milliseconds the
LMTP session took, not including the delivery time.
+ lmtp proxy: Mail delivery logging includes timing information.
+ imap: Most IMAP commands now include in the tagged reply how many
milliseconds it took to run the command (not counting the time spent
on waiting for the IMAP client to read/write data).
+ director: Implemented director_proxy_maybe passdb extra field to
be able to run director and backend in the same Dovecot instance.
(LMTP doesn't support mixed proxy/non-proxy destinations currently.)
+ doveadm: Added -F <file> parameter to read a list of users from the
given file and run the command for all the users. This is similar to
-A parameter reading the list of users from userdb lookup.
+ Implemented initial Cassandra CQL support as lib-sql backend. It's
only usable as dict backend currently.
+ Added quota-clone plugin to copy current quota usage to a dict.
- auth: If auth_master_user_separator was set, auth process could be
crashed by trying to log in with empty master username.
- imap-login, pop3-login: Fixed crash on handshake failures with new
OpenSSL versions (v1.0.2) when SSLv3 was disabled.
- auth: If one passdb fails allow_nets check, it shouldn't have failed
all the other passdb checks later on.
- imap: Server METADATA couldn't be accessed
- imapc: Fixed \Muted label handling in gmail-migration.
- imapc: Various bugfixes and improvements.
- Trash plugin fixes by Alexei Gradinari
- mbox: Fixed crash/corruption in some situations
v2.2.16 2015-03-12 Timo Sirainen <>
* dbox: Resyncing (e.g. doveadm force-resync) no longer deletes
dovecot.index.cache file. The cache file was rarely the problem
so this just caused unnecessary slowness.
* Mailbox name limits changed during mailbox creation: Each part of
a hierarchical name (e.g. "x" or "y" in "x/y") can now be up to 255
chars long (instead of 200). This also reduces the max number of
hierarchical levels to 16 (instead of 20) to keep the maximum name
length 4096 (a common PATH_MAX limit). The 255 char limit is
hopefully large enough for migrations from all existing systems.
It's also the limit on many filesystems.
+ director: Added director_consistent_hashing setting to enable
consistent hashing (instead of the mostly-random MD5 hashing).
This causes fewer user moves between backends when backend counts
are changed, which may improve performance (mainly due to caching).
+ director: Added support for "tags", which allows one director ring
to serve multiple backend clusters with different sets of users.
+ LMTP server: Added lmtp_user_concurrency_limit setting to limit how
many LMTP deliveries can be done concurrently for a single user.
+ LMTP server: Added support for STARTTLS command.
+ If logging data is generated faster than it can be written, log a
warning about it and show information about it in log process's
process title in ps output. Also don't allow a single service to
flood too long at the cost of delaying other services' logging.
+ stats: Added support for getting global statistics.
+ stats: Use the same session IDs as the rest of Dovecot.
+ stats: Plugins can now create their own statistics fields
+ doveadm server: Non-mail related commands can now also be used
via doveadm server (TCP socket).
+ doveadm proxying: passdb lookup can now override doveadm_port and
change the username.
+ doveadm: Search query supports now "oldestonly" parameter to stop
immediately on the first non-match. This can be used to optimize:
doveadm expunge mailbox Trash savedbefore 30d oldestonly
+ doveadm: Added "save" command to directly save mails to specified
mailbox (bypassing Sieve).
+ doveadm fetch: Added body.snippet field, which returns the first
100 chars of a message without whitespace or HTML tags. The result
is stored into dovecot.index.cache, so it can be fetched efficiently.
+ dsync: Added -t <timestamp> parameter to sync only mails newer than
the given received-timestamp.
+ dsync: Added -F [-]<flag> parameter to sync only mails with[out] the
given flag/keyword.
+ dsync: Added -a <mailbox> parameter to specify the virtual mailbox
containing user's all mails. If this mailbox is already found to
contain the wanted mail (by its GUID), the message is copied from
there instead of being re-saved. (This isn't efficient enough yet
for incremental replication.)
+ dsync: -m parameter can now specify \Special-use names for mailboxes.
+ imapc: Added imapc_features=gmail-migration to help migrations from
GMail. See
+ imapc: Added imapc_features=search to support IMAP SEARCH command.
(Currently requires ESEARCH support from remote server.)
+ expire plugin: Added expire_cache=yes setting to cache most of the
database lookups in dovecot index files.
+ quota: If overquota-flag in userdb doesn't match the current quota
usage, execute a configured script.
+ redis dict: Added support for expiring keys (:expire_secs=n) and
specifying the database number (:db=n)
- auth: Don't crash if master user login is attempted without
any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results
sometimes if buffering was split in the middle of a UTF-8 character.
This affected at least searching messages.
- String sanitization for some logged output wasn't done properly:
UTF-8 text could have been truncated wrongly or the truncation may
not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32
physical mailboxes could have caused crashes.
v2.2.15 2014-10-24 Timo Sirainen <>
* Plugins can now print a banner comment in doveconf output
(typically the plugin version)
* Replication plugin now triggers low (instead of high) priority for
mail copying operations.
* IMAP/POP3/ManageSieve proxy: If destination server can't be
connected to, retry connecting once per second up to the value of
proxy_timeout. This allows quick restarts/upgrades on the backend
server without returning login failures.
* Internal passdb lookups (e.g. done by lmtp/doveadm proxy) wasn't
returning failure in some situations where it should have (e.g.
allow_nets mismatch)
* LMTP uses mail_log_prefix now for logging mail deliveries instead of
a hardcoded prefix. The non-delivery log prefix is still hardcoded
+ passdb allow_nets=local matches lookups that don't contain an IP
address (internally done by Dovecot services)
+ Various debug logging and error logging improvements
- Various race condition fixes to LAYOUT=index
- v2.2.14 virtual plugin crashed in some situations
v2.2.14 2014-10-14 Timo Sirainen <>
* lmtp: Delivered-To: header no longer contains <> around the email
address. Other MDAs don't have it either.
* "Out of disk space" errors are now treated as temporary errors
(not the same as "Out of disk quota").
* replication plugin: Use replication only for users who have a
non-empty mail_replica setting.
+ lmtp proxy: Log a line about each mail delivery.
+ Added login_source_ips setting. This can be used to set the source IP
address round-robin from a pool of IPs (in case you run out of TCP
+ Rawlog settings can use tcp:<host>:<port> as the path.
+ virtual plugin: Don't keep more than virtual_max_open_mailboxes
(default 64) number of backend mailboxes open.
+ SSL/TLS compression can be disabled with ssl_options=no_compression
+ acl: Global ACL file now supports "quotes" around patterns.
+ Added last-login plugin to set user's last-login timestamp on login.
+ LDAP auth: Allow passdb credentials lookup also with auth_bind=yes
- IMAP: MODSEQ was sent in FETCH reply even if CONDSTORE/QRESYNC wasn't
enabled. This broke at least old Outlooks.
- passdb static treated missing password field the same as an empty
password field.
- mdbox: Fixed potential infinite looping when scanning a broken
mdbox file.
- imap-login, pop3-login: Fixed potential crashes when client
disconnected unexpectedly.
- imap proxy: The connection was hanging in some usage patterns. This
mainly affected older Outlooks.
- lmtp proxy: The proxy sometimes delivered empty mails in error
situations or potentially delivered truncated mails.
- fts-lucene: If whitespace_chars was set, we may have ended up
indexing some garbage words, growing the index size unnecessarily.
- -c and -i parameters for dovecot/doveadm commands were ignored if
the config socket was readable.
- quota: Quota recalculation didn't include INBOX in some setups.
- Mail headers were sometimes added to dovecot.index.cache in wrong
order. The main problem this caused was with dsync+imapc incremental
syncing when the second sync thought the local mailbox had changed.
- Fixed several race conditions with dovecot.index.cache handling that
may have caused unnecessary "cache is corrupted" errors.
- doveadm backup didn't notice if emails were missing from the middle
of the destination mailbox. Now it deletes and resyncs the mailbox.
- auth: If auth client listed userdb and disconnected before finishing,
the auth worker process got stuck (and eventually all workers could
get used up and requests would start failing).
v2.2.13 2014-05-11 Timo Sirainen <>
* Fixed a DoS attack against imap/pop3-login processes. If SSL/TLS
handshake was started but wasn't finished, the login process
attempted to eventually forcibly disconnect the client, but failed
to do it correctly. This could have left the connections hanging
arond for a long time. (Affected Dovecot v1.1+)
+ mdbox: Added mdbox_purge_preserve_alt setting to keep the file
within alt storage during purge. (Should become enforced in v2.3.0?)
+ fts: Added support for parsing attachments via Apache Tika. Enable
with: plugin { fts_tika = http://tikahost:9998/tika/ }
+ virtual plugin: Delay opening backend mailboxes until it's necessary.
This requires mailbox_list_index=yes to work. (Currently IMAP IDLE
command still causes all backend mailboxes to be opened.)
+ mail_never_cache_fields=* means now to disable all caching. This may
be a useful optimization as doveadm/dsync parameter for some admin
tasks which shouldn't really update the cache file.
+ IMAP: Return SPECIAL-USE flags always for LSUB command.
- pop3 server was still crashing in v2.2.12 with some settings
- maildir: Various fixes and improvements to handling compressed mails,
especially when they have broken/missing S=sizes in filenames.
- fts-lucene, fts-solr: Fixed crash on search when the index contained
duplicate entries.
- Many fixes and performance improvements to dsync and replication
- director was somewhat broken when there were exactly two directors
in the ring. It caused errors about "weak users" getting stuck.
- mail_attachment_dir: Attachments with the last base64-encoded line
longer than the rest wasn't handled correctly.
- IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+
- acl: Global ACL file handling was broken when multiple entries
matched the mailbox name. (Only the first entry was used.)
v2.2.12 2014-02-14 Timo Sirainen <>
- pop3 server was crashing in v2.2.11
v2.2.11 2014-02-12 Timo Sirainen <>
+ acl plugin: Added an alternative global ACL file that can contain
mailbox patterns. See for details.
+ imap proxy: Added proxy_nopipelining passdb setting to work around
other IMAP servers' bugs (MS Exchange 2013 especially).
+ Added %{auth_user}, %{auth_username} and %{auth_domain} variables.
See for details.
+ Added support for LZ4 compression.
+ stats: Track also wall clock time for commands.
+ pop3_migration plugin improvements to try harder to match the UIDLs
- imap: SEARCH/SORT PARTIAL responses may have been too large.
- doveadm backup: Fixed assert-crash when syncing mailbox deletion.
v2.2.10 2013-11-25 Timo Sirainen <>
+ auth: passdb/userdb dict rewrite to support much more complex
setups. See doc/example-config/dovecot-dict-auth.conf.ext.
The old settings will continue to work.
+ auth: Added userdb result_success/failure/tempfail and skip
settings, similar to passdb's. See
+ imap: Implemented SETQUOTA command for admin user when quota_set is
configured. See
+ quota: Support "*" and "?" wildcards in mailbox names in quota_rules
+ mysql: Added ssl_verify_server_cert=no|yes parameter. This currently
defaults to "no" to make sure nothing breaks, but likely will become
"yes" in Dovecot v2.3.
+ ldap: Added blocking=yes setting to use auth worker processes for
ldap lookups. This is a workaround for now to be able to use multiple
simultaneous LDAP connections.
+ pop3c+dsync performance improvements
- quota-status: quota_grace was ignored
- ldap: Fixed memory leak with auth_bind=yes and without
- imap: Don't send HIGHESTMODSEQ anymore on SELECT/EXAMINE when
CONDSTORE/QRESYNC has never before been enabled for the mailbox.
- imap: Fixes to handling mailboxes without permanent modseqs.
(When [NOMODSEQ] is returned by SELECT, mainly with in-memory
- imap: Various fixes to METADATA support.
- stats plugin: Processes that only temporarily dropped privileges
(e.g. indexer-worker) may have been logging errors about not being
able to open /proc/self/io.
v2.2.9 2013-11-25 Timo Sirainen <>
+ Full text search indexing can now be done automatically after
saving/copying mails by setting plugin { fts_autoindex=yes }
+ replicator: Added replication_dsync_parameters setting to pass
"doveadm sync" parameters (for controlling what to replicate).
+ Added mail-filter plugin
+ Added liblzma/xz support (zlib_save=xz)
- v2.2.8's improved cache file handling exposed several old bugs
related to fetching mail headers.
- v2.2.7's iostream handling changes were causing some connections
to be disconnected before flushing their output (e.g. POP3 logout
message wasn't being sent)
v2.2.8 2013-11-19 Timo Sirainen <>
+ Mail cache lookups work for the mail being saved. This improves
performance by avoiding the need to parse the mail multiple times
when using some plugins (e.g. mail_log).
+ Mail cache works for recently cached data also with in-memory
+ imapc: Many performance improvements, especially when working with
dsync. Also added imapc_feature=fetch-headers which allows using
FETCH BODY.PEEK[HEADER.FIELDS (..)] to avoid reading the entire
+ mail_location = ..:FULLDIRNAME=dbox-Mails is the same as
:DIRNAME=dbox-Mails, but it will also be used for
:INDEX and :CONTROL directories. (It should have worked this way
from the beginning, but can't be changed anymore without breaking
existing installations).
- Fixed infinite loop in message parsing if message ends with
"--boundary" and CR (without LF). Messages saved via SMTP/LMTP can't
trigger this, because messages must end with an "LF.". A user could
trigger this for him/herself though.
- lmtp: Client was sometimes disconnected before all the output was
sent to it.
- imap_zlib plugin caused crashes during client disconnection in
- replicator: Database wasn't being exported to disk every 15 minutes
as it should have. Instead it was being imported, causing "doveadm
replicator remove" commands to not work very well.
v2.2.7 2013-11-03 Timo Sirainen <>
* Some usage of passdb checkpassword could have been exploitable by
local users. You may need to modify your setup to keep it working.
+ auth: Added ability to truncate values logged by
auth_verbose_passwords (see 10-logging.conf comment)
+ mdbox: Added "mdbox_deleted" storage, which can be used to access
messages with refcount=0. For example: doveadm import
mdbox_deleted:~/mdbox "" mailbox inbox subject oops
+ ssl-params: Added ssl_dh_parameters_length setting.
- master process was doing a hostname.domain lookup for each created
process, which may have caused a lot of unnecessary DNS lookups.
- dsync: Syncing over 100 messages at once caused problems in some
situations, causing messages to get new UIDs.
- fts-solr: Different Solr hosts for different users didn't work.
v2.2.6 2013-09-25 Timo Sirainen <>
* acl: If public/shared namespace has a shared subscriptions file for
all users, don't list subscription entries that are not visible to
the user accessing it.
+ doveadm: Added "auth lookup" command for doing passdb lookup.
+ login_log_format_elements: Added %{orig_user}, %{orig_username}
and %{orig_domain} expanding to the username exactly as sent by
the client (before any changes auth process made).
+ Added ssl_prefer_server_ciphers setting.
+ auth_verbose_passwords: Log the password also for unknown users.
+ Linux: Added optional support for SO_REUSEPORT with
inet_listener { reuse_port=yes }
- director: v2.2.5 changes caused "SYNC lost" errors
- dsync: Many fixes and error handling improvements
- doveadm -A: Don't waste CPU by doing a separate config lookup
for each user
- Long-running ssl-params process no longer prevents Dovecot restart
- mbox: Fixed mailbox_list_index=yes to work correctly
v2.2.5 2013-08-05 Timo Sirainen <>
+ SSL: Added support for ECDH/ECDHE cipher suites (by David Hicks)
+ Added some missing man pages (by Pascal Volk)
+ quota-status: Added quota_status_toolarge setting (by Ulrich Zehl)
- director: Users near expiration could have been redirected to
different servers at the same time.
- pop3: Avoid assert-crash if client disconnects during LIST.
- mdbox: Corrupted index header still wasn't automatically fixed.
- dsync: Various fixes to work better with imapc and pop3c storages.
- ldap: sasl_bind=yes caused crashes, because Dovecot's lib-sasl
symbols conflicted with Cyrus SASL library.
- imap: Various error handling fixes to CATENATE. (Found using
Apple's stress test script.)
v2.2.4 2013-06-25 Timo Sirainen <>
+ doveadm: Added "flags" command to modify message flags.
+ doveadm: Added "deduplicate" command to expunge message duplicates.
+ dsync: Show the state in process title with verbose_proctitle=yes.
- imap/pop3 proxy: Master user logins were broken in v2.2.3
- sdbox/mdbox: A corrupted index header with wrong size was never
automatically fixed in v2.2.3.
- mbox: Fixed assert-crashes related to locking.
v2.2.3 2013-06-17 Timo Sirainen <>
* LDA/LMTP: If new mail delivery first fails with "temporary
failure", tempfail the whole delivery instead of falling back to
delivering the mail to INBOX. (Requires new Pigeonhole as well.)
* doc/solr-schema.xml was updated to Solr v4.x format. Also the
default analyzers were changed, hopefully for the better. Note that
the schema can't be changed for existing Solr indexes without
rebuilding everything.
* Solr plugin does only soft commits from now on. You'll need a
cronjob to send a hard commit command to it every few minutes.
+ Added %N modifier for variables as %H-like "new hash"
+ sdbox, mdbox: Support POP3 message order field (for migrations)
+ Added mailbox { driver } to specify a different mail storage
format for the mailbox than generally used within the namespace.
+ Added initial lib-sasl library for client side SASL support.
Currently supports only PLAIN, LOGIN and plugins. Used currently
by IMAP and POP3 proxying when authenticating to the remote server.
- IMAP: If subject contained only whitespace, Dovecot returned an
ENVELOPE reply with a huge literal value, effectively causing the
IMAP client to wait for more data forever.
- IMAP: Various URLAUTH fixes.
- imapc: Various bugfixes and improvements
- pop3c: Various fixes to make it work in dsync (without imapc)
- dsync: Fixes to syncing subscriptions. Fixes to syncing mailbox
v2.2.2 2013-05-20 Timo Sirainen <>
+ zlib: Keep the last mail cached uncompressed in a temp file. This
fixes performance when doing small partial fetches from a large
+ acl: If plugin { acl_defaults_from_inbox = yes } is set, get the
default ACLs for private and shared namespaces from the user's INBOX.
(This probably will become default in v2.3.)
+ pop3: Added pop3_deleted_flag setting to switch POP3 deletions to
only hide the messages from POP3, but still be visible via IMAP.
- ACL plugin: Mailbox creation wasn't actually checking any ACLs
and always succeeded (due to some v2.2 API changes). The created
mailbox couldn't have been accessed though, so this couldn't have
caused any data leak.
- IMAP: Various URLAUTH fixes.
- IMAP: Fixed a hang with invalid APPEND parameters.
- IMAP LIST-EXTENDED: INBOX was never listed with \Subscribed flag.
- mailbox_list_index=yes still caused crashes.
- maildir: Fixed a crash after dovecot-keywords file was re-read.
- maildir: If files had reappeared unexpectedly to a Maildir, they
were ignored until index files were deleted.
- Maildir: Fixed handling over 26 keywords in a mailbox.
- Maildir++: Fixed mail_shared_explicit_inbox=no
- namespace { prefix="" list=no } was listing mailboxes.
- imap/pop3-login proxying: Fixed a crash if TCP connection succeeded,
but the remote login timed out.
- Case-insensitive search/sort didn't work correctly for all unicode
characters, as specified by i;unicode-casemap comparator. If full
text search indexes were used, they need to be rebuilt for old mails
to be handled correctly. (This bug has existed always in Dovecot.)
v2.2.1 2013-04-19 Timo Sirainen <>
- mailbox_list_index=yes was broken.
- LAYOUT=index didn't list subscriptions.
- auth: Multiple master passdbs didn't work.
- Message parsing (e.g. during search) crashed when multipart message
didn't actually contain any parts.
v2.2.0 2013-04-11 Timo Sirainen <>
* When creating home directories, the permissions are copied from the
parent directory if it has setgid-bit set. For full details, see
* "doveadm auth" command was renamed to "doveadm auth test"
* IMAP: ID command now advertises server name as Dovecot by default.
It was already trivial to guess this from command replies.
* dovecot.index.cache files can be safely accessed only by v2.1.11+.
Older versions may think they're corrupted and delete them.
* LDA/LMTP: If saving a mail brings user from under quota to over
quota, allow it based on quota_grace setting (default: 10%
above quota limit).
* pop3_lock_session=yes now uses a POP3-only dovecot-pop3-session.lock
file instead of actually locking the mailbox (and causing
IMAP/LDA/LMTP to wait for the POP3 session to close).
* mail_shared_explicit_inbox setting's default switched to "no".
* ssl_client_ca_dir setting replaced imapc_ssl_ca_dir and
pop3c_ssl_ca_dir settings.
+ Implemented IMAP MOVE and BINARY extensions
+ Implemented IMAP CATENATE, URLAUTH and URLAUTH=BINARY extensions
(by Stephan Bosch).
+ Implemented IMAP NOTIFY extension. Requires mailbox_list_index=yes
to be enabled.
+ Redesigned and rewritten dsync. The new design makes the syncing
faster, more reliable and more featureful. The new dsync protocol
isn't backwards compatible with old dsync versions (but is designed
to be forwards compatible with future versions).
+ All mailbox formats now support per-user message flags for shared
mailboxes by using a private index. It can be enabled by adding
:INDEXPVT=<path> to mail location. This should be used instead of
:INDEX also for Maildir/mbox to improve performance.
+ Improved mailbox list indexes. They should be usable now, although
still disabled by default.
+ Added LAYOUT=index. The mailbox directories are created using their
GUIDs in the filesystem, while the actual GUID <-> name mapping
exists only in the index.
+ LMTP proxy: Implemented XCLIENT extension for passing remote IP
address through proxy.
v2.2.rc7 2013-04-10 Timo Sirainen <>
* checkpasword: AUTH_PASSWORD environment is no longer set.
* Running dsync no longer triggers quota warnings.
+ dsync: Commit large transactions every 100 new messages, so if a
large sync crashes it doesn't have to be restarted from the
- replicator: doveadm commands and user list export may have skipped
some users.
- Various fixes to mailbox_list_index=yes
v2.2.rc6 2013-04-08 Timo Sirainen <>
* replicator: Don't create replicator-doveadm socket by default.
This way doveadm replicator commands don't accidentally start an
unconfigured replicator server.
+ replicator: Have remote dsync notify the remote replicator that
a user was just synced. This way the replicators are kept roughly
in sync.
+ Added ssl_client_ca_file to specify the CA certs as a file. This is
needed (instead of ssl_client_ca_dir) in RedHat-based systems.
+ Added "doveadm fs" commands, mainly to debug lib-fs backends.
- Mailbox list indexes weren't using proper file permissions based
on the root directory.
v2.2.rc5 2013-04-05 Timo Sirainen <>
- A few small random fixes
v2.2.rc4 2013-04-05 Timo Sirainen <>
+ Added "doveadm replicator" commands
- Larger changes to lib-http and lib-ssl-iostream error handling.
The API caller can now get the exact error message as a string.
- Various bugfixes to LDAP changes in rc3
v2.2.rc3 2013-03-20 Timo Sirainen <>
+ dsync: Support syncing ACLs (and Sieve scripts with Pigeonhole)
+ ldap: Support subqueries and value pointers, see
+ postmaster_address setting: Expand %d to recipient's domain
- Fixed a crash when decoding quoted-printable content.
- dsync: Various bugfixes
v2.2.rc2 2013-02-15 Timo Sirainen <>
- rc1 wasn't actually usable in most configurations.
v2.2.rc1 2013-02-15 Timo Sirainen <>
* See v2.2.0 notes
v2.1.13 2013-01-06 Timo Sirainen <>
- Some fixes to cache file changes in v2.1.11.
- fts-solr: Overlong UTF8 sequences in mails were rejected by Solr and
caused the mails to not be indexed.
- virtual storage: Sorting mailbox by from/to/cc/bcc didn't work.
v2.1.12 2012-11-30 Timo Sirainen <>
- dovecot-config in v2.1.11 caused build problems with Pigeonhole
v2.1.11 2012-11-29 Timo Sirainen <>
* lmtp/lda: dovecot.index.cache file is no longer fully mapped to
memory, allowing mail deliveries to work even if the file is huge.
* auth: userdb passwd lookups are now done by auth worker processes
instead of auth master process (as it was documented, but
accidentally didn't work that way).
+ lmtp: lmtp_rcpt_check_quota=yes setting checks quota on RCPT TO.
- lmtp: After successful proxying RCPT TO, the next one to a
nonexistent user gave tempfail error instead of "user not found".
- lmtp proxy: Fixed hanging if remote server was down.
- imap: Fixed crash when SEARCH contained multiple KEYWORD parameters.
- doveadm: Various fixes to handling doveadm-server connections.
- -i <instance name> parameter for Dovecot tools didn't work correctly.
- director was somewhat broken in v2.1.10. This version also includes
various reliability enhancements.
- auth: passdb imap was broken in v2.1.10.
v2.1.10 2012-09-18 Timo Sirainen <>
+ imap: Implemented THREAD=ORDEREDSUBJECT extension.
+ Added "doveadm exec" command to easily execute commands from
libexec_dir, e.g. "doveadm exec imap -u user@domain"
+ Added "doveadm copy" command.
+ doveadm copy/move: Added optional user parameter to specify the
source username. This allows easily copying mails between different
+ Added namespace { disabled } setting to quickly enable/disable
namespaces. This is especially useful when its value is returned by
+ Added mailbox_alias plugin. It allows creating mailbox aliases using
+ imapc storage: Added imapc_max_idle_time setting to force activity
on connection.
+ fts-solr: Expunging multiple messages is now faster.
- director: In some conditions director may have disconnected from
another director (without logging about it), thinking it was sending
invalid data.
- imap: Various fixes to listing mailboxes.
- pop3-migration plugin: Avoid disconnection from POP3 server due
to idling.
- login processes crashed if there were a lot of local {} or remote {}
settings blocks.
v2.1.9 2012-08-01 Timo Sirainen <>
* mail-log plugin: Log mailbox names with UTF-8 everywhere
(instead of mUTF-7 in some places and UTF-8 in other places)
* director: Changed director_username_hash setting's default from %u
to %Lu (= lowercase usernames). This doesn't break any existing
installations, but might fix some of them.
+ doveadm: Added "auth cache flush [<username>]" command.
+ Implemented dict passdb/userdb
+ Implemented Redis and memcached dict backends, which can be used as
auth backends. Redis can also be used as dict-quota backend.
+ Added plugin { quota_ignore_save_errors=yes } setting to allow saving
a mail when quota lookup fails with temporary failure.
- Full text search indexing might have failed for some messages,
always causing indexer-worker process to run out of memory.
- fts-lucene: Fixed handling SEARCH HEADER FROM/TO/SUBJECT/CC/BCC when
the header wasn't lowercased.
- fts-squat: Fixed crash when searching a virtual mailbox.
- pop3: Fixed assert crash when doing UIDL on empty mailbox on some
- auth: GSSAPI RFC compliancy and error handling fixes.
- Various fixes related to handling shared namespaces
v2.1.8 2012-07-03 Timo Sirainen <>
+ pop3c: Added pop3c_master_user setting.
- imap: Mailbox names were accidentally sent as UTF-8 instead of mUTF-7
in previous v2.1.x releases for STATUS, MYRIGHTS and GETQUOTAROOT
- lmtp proxy: Don't timeout connections too early when mail has a lot
of RCPT TOs.
- director: Don't crash if the director is working alone.
- shared mailboxes: Avoid doing "@domain" userdb lookups.
- doveadm: Fixed crash with proxying some commands.
- fts-squat: Fixed handling multiple SEARCH parameters.
- imapc: Fixed a crash when message had more than 8 keywords.
- imapc: Don't crash on APPEND/COPY if server doesn't support UIDPLUS.
v2.1.7 2012-05-29 Timo Sirainen <>
* LDAP: Compatibility fix for v2.0: ldap: If attributes contain
ldapAttr=key=template%$ and ldapAttr doesn't exist, skip the key
instead of using "template" value with empty %$ part for the key.
+ pop3: Added pop3_uidl_duplicates setting for changing the behavior
for duplicate UIDLs.
+ director: Added "doveadm director ring remove" command.
- director: Don't crash with quickly disconnecting incoming director
- mdbox: If mail was originally saved to non-INBOX, and namespace
prefix is non-empty, don't assert-crash when rebuilding indexes.
- sdbox: Don't use more fds than necessary when copying mails.
- auth: Fixed crash with DIGEST-MD5 when attempting to do master user
login without master passdbs.
- Several fixes to mail_shared_explicit_inbox=no
- imapc: Use imapc_list_prefix also for listing subscriptions.
v2.1.6 2012-05-07 Timo Sirainen <>
* Session ID is now included by default in auth and login process
log lines. It can be added to mail processes also by adding
%{session} to mail_log_prefix.
+ Added ssl_require_crl setting, which specifies if CRL check must
be successful when verifying client certificates.
+ Added mail_shared_explicit_inbox setting to specify if a shared INBOX
should be accessible as "shared/$user" or "shared/$user/INBOX".
- v2.1.5: Using "~/" as mail_location or elsewhere failed to actually
expand it to home directory.
- dbox: Fixed potential assert-crash when reading dbox files.
- trash plugin: Fixed behavior when quota is already over limit.
- mail_log plugin: Logging "copy" event didn't work.
- Proxying to backend server with SSL: Verifying server certificate
name always failed, because it was compared to an IP address.
v2.1.5 2012-04-23 Timo Sirainen <>
* IMAP: When neither the session nor the mailbox has modseq tracking
enabled, return the mailbox as having NOMODSEQ in SELECT/EXAMINE
reply. Old versions in this situation always simply returned
HIGHESTMODSEQ as 1, which could have broken some clients.
+ dict file: Added optional fcntl/flock locking (default is dotlock)
+ fts-solr: doveadm fts rescan now resets indexes, which allows
reindexing mails. (This isn't a full rescan implementation like
fts-lucene has.)
+ doveadm expunge: Added -d parameter to delete mailbox if it's
empty after expunging.
- IMAP: Several fixes related to mailbox listing in some configs
- director: A lot of fixes and performance improvements
- v2.1.4 didn't work without a mail home directory set
- mbox: Deleting a mailbox didn't delete its index files.
- pop3c: TOP command was sent incorrectly
- trash plugin didn't work properly
- LMTP: Don't add a duplicate Return-Path: header when proxying.
- listescape: Don't unescape namespace prefixes.
v2.1.4 2012-04-09 Timo Sirainen <>
+ Added mail_temp_scan_interval setting and changed its default value
from 8 hours to 1 week.
+ Added pop3-migration plugin for easily doing a transparent IMAP+POP3
migration to Dovecot:
+ doveadm user: Added -m parameter to show some of the mail settings.
- Proxying SSL connections crashed in v2.1.[23]
- fts-solr: Indexing mail bodies was broken.
- director: Several changes to significantly improve error handling
- doveadm import didn't import messages' flags
- mail_full_filesystem_access=yes was broken
- Make sure IMAP clients can't create directories when accessing
nonexistent users' mailboxes via shared namespace.
- Dovecot auth clients authenticating via TCP socket could have failed
with bogus "PID already in use" errors.
v2.1.3 2012-03-16 Timo Sirainen <>
- mdbox was broken in v2.1.2
v2.1.2 2012-03-15 Timo Sirainen <>
+ Initial implementation of dsync-based replication. For now this
should be used only on non-critical systems.
+ Proxying: POP3 now supports sending remote IP+port from proxy to
backend server via Dovecot-specific XCLIENT extension.
+ Proxying: proxy_maybe=yes with host=<hostname> (instead of IP)
works now properly.
+ Proxying: Added auth_proxy_self setting
+ Proxying: Added proxy_always extra field (see wiki docs)
+ Added director_username_hash setting to specify what part of the
username is hashed. This can be used to implement per-domain
backends (which allows safely accessing shared mailboxes within
+ Added a "session ID" string for imap/pop3 connections, available
in %{session} variable. The session ID passes through Dovecot
IMAP/POP3 proxying to backend server. The same session ID is can be
reused after a long time (currently a bit under 9 years).
+ passdb checkpassword: Support "credentials lookups" (for
non-plaintext auth and for lmtp_proxy lookups)
+ fts: Added fts_index_timeout setting to abort search if indexing
hasn't finished by then (default is to wait forever).
- doveadm sync: If mailbox was expunged empty, messages may have
become back instead of also being expunged in the other side.
- director: If user logged into two directors while near user
expiration, the directors might have redirected the user to two
different backends.
- imap_id_* settings were ignored before login.
- Several fixes to mailbox_list_index=yes
- Previous v2.1.x didn't log all messages at shutdown.
- mbox: Fixed accessing Dovecot v1.x mbox index files without errors.
v2.1.1 2012-02-23 Timo Sirainen <>
+ dsync: If message with same GUID is saved multiple times in session,
copy it instead of re-saving.
- acl plugin + autocreated mailboxes crashed when listing mailboxes
- doveadm force-resync: Don't skip autocreated mailboxes (especially
- If process runs out of fds, stop listening for new connections only
temporarily, not permanently (avoids hangs with process_limit=1
- auth: passdb imap crashed for non-login authentication (e.g. smtp).
v2.1.0 2012-02-16 Timo Sirainen <>
* Plugins now use UTF-8 mailbox names rather than mUTF-7:
acl, autocreate, expire, trash, virtual
* auth_username_format default changed to %Lu. If you really want
case sensitive usernames, set it back to empty.
* Solr full text search backend changed to use mailbox GUIDs instead of
mailbox names, requiring reindexing everything. solr_old backend can
be used with old indexes to avoid reindexing, but it doesn't support
some newer features.
* Expire plugin: Only go through users listed by userdb iteration.
Delete dict rows for nonexistent users, unless
* Temporary authentication failures sent to IMAP/POP3 clients
now includes the server's hostname and timestamp. This makes it
easier to find the error message from logs.
* dsync was merged into doveadm. There is still "dsync" symlink
pointing to "doveadm", which you can use the old way for now.
The preferred ways to run dsync are "doveadm sync" (for old "dsync
mirror") and "doveadm backup".
+ imapc (= IMAP client) storage allows using a remote IMAP server to
be used as storage. This allows using Dovecot as a smart (caching)
proxy or using dsync to do migration from remote IMAP server.
+ Mailbox indexing via queuing indexer service (required for Lucene)
+ Lucene full text search (FTS) backend rewritten with support for
different languages
+ FTS finally supports "OR" search operation
+ FTS supports indexing attachments via external programs
+ IMAP FUZZY extension, supported by Lucene and Solr FTS backends
+ IMAP SPECIAL-USE extension to describe mailboxes
+ Mailbox list indexes
+ Statistics tracking via stats service. Exported via doveadm stats.
+ Autocreate plugin creates/subscribes mailboxes physically only when
the mailbox is opened for the first time. Mailbox listing shows the
autocreated mailboxes even if they don't physically exist.
+ Password and user databases now support default_fields and
override_fields settings to specify template defaults/overrides.
+ SCRAM-SHA-1 authentication mechanism by Florian Zeitz
+ LDAP: Allow building passdb/userdb extra fields from multiple LDAP
attributes by using %{ldap:attributeName} variables in the template.
+ Improved multi-instance support: Track automatically which instances
are started up and manage the list with doveadm instance commands.
All Dovecot commands now support -i <instance_name> parameter to
select the instance (instead of having to use -c <config path>).
See instance_name setting.
+ auth: Implemented support for Postfix's "TCP map" sockets for
user existence lookups.
- listescape plugin works perfectly now
v2.1.rc7 2012-02-15 Timo Sirainen <>
+ Added ignore_on_failure setting for namespaces. If namespace
initialization fails with this enabled (e.g. permission denied),
the namespace is silently skipped for the user.
v2.1.rc6 2012-02-12 Timo Sirainen <>
* Added automatic mountpoint tracking and doveadm mount commands to
manage the list. If a mountpoint is unmounted, error handling is
done by assuming that the files are only temporarily lost. This is
especially helpful if dbox alt storage becomes unmounted.
* Expire plugin: Only go through users listed by userdb iteration.
Delete dict rows for nonexistent users, unless
* LDA's out-of-quota and Sieve's reject mails now include DSN report
instead of MDN report.
+ LDAP: Allow building passdb/userdb extra fields from multiple LDAP
attributes by using %{ldap:attributeName} variables in the template.
+ doveadm log errors shows the last 1000 warnings and errors since
Dovecot was started.
+ Improved multi-instance support: Track automatically which instances
are started up and manage the list with doveadm instance commands.
All Dovecot commands now support -i <instance_name> parameter to
select the instance (instead of having to use -c <config path>).
See instance_name setting.
+ doveadm mailbox delete: Added -r parameter to delete recursively
+ doveadm acl: Added "add" and "remove" commands.
+ Updated to Unicode v6.1
- mdbox: When saving to alt storage, Dovecot didn't append as much
data to m.* files as it could have.
- dbox: Fixed error handling when saving failed or was aborted
- IMAP: Using COMPRESS extension may have caused assert-crashes
- IMAP: THREAD REFS sometimes returned invalid (0) nodes.
- dsync: Fixed handling non-ASCII characters in mailbox names.
v2.1.rc5 2012-01-26 Timo Sirainen <>
* Temporary authentication failures sent to IMAP/POP3 clients
now includes the server's hostname and timestamp. This makes it
easier to find the error message from logs.
+ auth: Implemented support for Postfix's "TCP map" sockets for
user existence lookups.
+ auth: Idling auth worker processes are now stopped. This reduces
error messages about MySQL disconnections.
- director: With >2 directors ring syncing might have stalled during
director connect/disconnect, causing logins to fail.
- LMTP client/proxy: Fixed potential hanging when sending (big) mails
- Compressed mails with external attachments (dbox + SIS + zlib) failed
sometimes with bogus "cached message size wrong" errors.
v2.1.rc4 was never actually released, but was accidentally tagged in hg.
v2.1.rc3 2012-01-06 Timo Sirainen <>
- Added missing file that prevented v2.1.rc2 from compiling..
v2.1.rc2 2012-01-06 Timo Sirainen <>
* dsync was merged into doveadm. There is still "dsync" symlink
pointing to "doveadm", which you can use the old way for now.
The preferred ways to run dsync are "doveadm sync" (for old "dsync
mirror") and "doveadm backup".
+ IMAP SPECIAL-USE extension to describe mailboxes
+ Added mailbox {} sections, which deprecate autocreate plugin
+ lib-fs: Added "mode" parameter to "posix" backend to specify mode
for created files/dirs (for mail_attachment_dir).
+ inet_listener names are now used to figure out what type the socket
is when useful. For example naming service auth { inet_listener } to
auth-client vs. auth-userdb has different behavior.
+ Added pop3c (= POP3 client) storage backend.
- LMTP proxying code was simplified, hopefully fixing its problems.
- dsync: Don't remove user's subscriptions for subscriptions=no
v2.1.rc1 2011-11-24 Timo Sirainen <>
* Plugins now use UTF-8 mailbox names rather than mUTF-7:
acl, autocreate, expire, trash, virtual
* auth_username_format default changed to %Lu. If you really want
case sensitive usernames, set it back to empty.
* Solr full text search backend changed to use mailbox GUIDs instead of
mailbox names, requiring reindexing everything. solr_old backend can
be used with old indexes to avoid reindexing, but it doesn't support
some newer features.
+ imapc (= IMAP client) storage allows using a remote IMAP server to
be used as storage. This allows using Dovecot as a smart (caching)
proxy or using dsync to do migration from remote IMAP server.
+ Mailbox indexing via queuing indexer service (required for Lucene)
+ Lucene full text search (FTS) backend rewritten with support for
different languages
+ FTS finally supports "OR" search operation
+ FTS supports indexing attachments via external programs
+ IMAP FUZZY extension, supported by Lucene and Solr FTS backends
+ IMAP SPECIAL-USE extension to describe mailboxes
+ Mailbox list indexes
+ Statistics tracking via stats service. Exported via doveadm stats.
+ Autocreate plugin creates/subscribes mailboxes physically only when
the mailbox is opened for the first time. Mailbox listing shows the
autocreated mailboxes even if they don't physically exist.
+ Password and user databases now support default_fields and
override_fields settings to specify template defaults/overrides.
+ SCRAM-SHA-1 authentication mechanism by Florian Zeitz
- listescape plugin works perfectly now
v2.0.15 2011-09-16 Timo Sirainen <>
+ doveadm altmove: Added -r parameter to move mails back to primary
- v2.0.14: Index reading could have eaten a lot of memory in some
- doveadm index no longer affects future caching decisions
- mbox: Fixed crash during mail delivery when mailbox didn't yet have
GUID assigned to it.
- zlib+mbox: Fetching last message from compressed mailboxes crashed.
- lib-sql: Fixed load balancing and error handling when multiple hosts
are used.
v2.0.14 2011-08-29 Timo Sirainen <>
+ doveadm: Added support for running mail commands by proxying to
another doveadm server.
+ Added "doveadm proxy list" and "doveadm proxy kick" commands to
list/kick proxy connections (via a new "ipc" service).
+ Added "doveadm director move" to assign user from one server to
another, killing any existing connections.
+ Added "doveadm director ring status" command.
+ userdb extra fields can now return name+=value to append to an
existing name, e.g. "mail_plugins+= quota".
- script-login attempted an unnecessary config lookup, which usually
failed with "Permission denied".
- lmtp: Fixed parsing quoted strings with spaces as local-part for
- imap: FETCH BODY[HEADER.FIELDS (..)] may have crashed or not
returned all data sometimes.
- ldap: Fixed random assert-crashing with with sasl_bind=yes.
- Fixes to handling mail chroots
- Fixed renaming mailboxes under different parent with FS layout when
using separate ALT, INDEX or CONTROL paths.
- zlib: Fixed reading concatenated .gz files.
v2.0.13 2011-05-11 Timo Sirainen <>
+ Added "doveadm index" command to add unindexed messages into
index/cache. If full text search is enabled, it also adds unindexed
messages to the fts database.
+ added "doveadm director dump" command.
+ pop3: Added support for showing messages in "POP3 order", which can
be different from IMAP message order. This can be useful for
migrations from other servers. Implemented it for Maildir as 'O'
field in dovecot-uidlist.
- doveconf: Fixed a wrong "subsection has ssl=yes" warning.
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- sdbox: INBOX GUID changed when INBOX was autocreated, leading to
trouble with dsync.
- script-login binary wasn't actually dropping privileges to the
user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names
that contained NUL characters.
v2.0.12 2011-04-12 Timo Sirainen <>
+ doveadm: Added "move" command for moving mails between mailboxes.
+ virtual: Added support for "+mailbox" entries that clear \Recent
flag from messages (default is to preserve them).
- dbox: Fixes to handling external attachments
- dsync: More fixes to avoid hanging with remote syncs
- dsync: Many other syncing/correctness fixes
- doveconf: v2.0.10 and v2.0.11 didn't output plugin {} section right
v2.0.11 2011-03-07 Timo Sirainen <>
* dotlock_use_excl setting's default was accidentally "no" in all
v2.0.x releases, instead of "yes" as in v1.1 and v1.2. Changed it
back to "yes."
- v2.0.10: LDAP support was broken
- v2.0.10: dsyncing to remote often hanged (timed out in 15 mins)
v2.0.10 2011-03-04 Timo Sirainen <>
* LMTP: For user+detail@domain deliveries, the +detail is again written
to Delivered-To: header.
* Skip auth penalty checks from IPs in login_trusted_networks.
+ Added import_environment setting.
+ Added submission_host setting to send mails via SMTP instead of
via sendmail binary.
+ Added doveadm acl get/set/delete commands for ACL manipulation,
similar to how IMAP ACL extension works.
+ Added doveadm acl debug command to help debug and fix problems
with why shared mailboxes aren't working as expected.
- IMAP: Fixed hangs with COMPRESS extension
- IMAP: Fixed a hang when trying to COPY to a nonexistent mailbox.
- IMAP: Fixed hang/crash with SEARCHRES + pipelining $.
- IMAP: Fixed assert-crash if IDLE+DONE is sent in same TCP packet.
- LMTP: Fixed sending multiple messages in a session.
- doveadm: Fixed giving parameters to mail commands.
- doveadm import: Settings weren't correctly used for the
import storage.
- dsync: Fixed somewhat random failures with saving messages to
remote dsync.
- v2.0.9: Config reload didn't notify running processes with
shutdown_clients=no, so they could have kept serving new clients
with old settings.
v2.0.9 2011-01-13 Timo Sirainen <>
- Linux: Fixed a high system CPU usage / high context switch count
performance problem
- Maildir: Avoid unnecessarily reading dovecot-uidlist while opening
- Maildir: Fixed renaming child mailboxes when namespace had a prefix.
- mdbox: Don't leave partially written messages to mdbox files when
aborting saving.
- Fixed master user logins when using userdb prefetch
- lda: Fixed a crash when trying to send "out of quota" reply
- lmtp: If delivering duplicate messages to same user's INBOX,
create different GUIDs for them. This helps to avoid duplicate
POP3 UIDLs when pop3_uidl_format=%g.
- virtual storage: Fixed saving multiple mails in a transaction
(e.g. copy multiple messages).
- dsync: Saved messages' save-date was set to 1970-01-01.
v2.0.8 2010-12-03 Timo Sirainen <>
* Services' default vsz_limits weren't being enforced correctly in
earlier v2.0 releases. Now that they are enforced, you might notice
that the default limits are too low and you need to increase them.
This problem will show up in logs as "out of memory" errors.
See default_vsz_limit and service { vsz_limit } settings.
* LMTP: In earlier versions if mail was delivered to user+detail@domain
address, LMTP server always attempted to deliver the mail to mailbox
named "detail". This was rather unintentional and shouldn't have been
the default. lmtp_save_to_detail_mailbox=yes setting now preserves
this behavior (default is no).
+ Added systemd support (configure --with-systemdsystemunitdir).
Based on patch by Christophe Fergeau.
+ Replaced broken mbox-snarf plugin with a new more generic snarf
- dbox: Fixes to handling external mail attachments
- verbose_proctitle=yes didn't work for all processes in v2.0.7
- imap, pop3: When service { client_count } was larger than 1, the
log messages didn't use the correct prefix. Last logged in user's
prefix was always used, regardless of what user's session actually
logged it. Now the proper log prefix is always used.
- MySQL: Only the first specified host was ever used
v2.0.7 2010-11-08 Timo Sirainen <>
* master: default_process_limit wasn't actually used anywhere,
rather the default was unlimited. Now that it is enforced, you might
notice that the default limit is too low and you need to increase it.
Dovecot logs a warning when this happens.
* mail-log plugin: Log mailbox name as virtual name rather than
physical name (e.g. namespace prefix is included in the name)
+ doveadm dump: Added imapzlib type to uncompress IMAP's
COMPRESS DEFLATE I/O traffic (e.g. from rawlog).
- IMAP: Fixed LIST-STATUS when listing subscriptions with
subscriptions=no namespaces.
- IMAP: Fixed SELECT QRESYNC not to crash on mailbox close if a lot of
changes were being sent.
- quota: Don't count virtual mailboxes in quota
- doveadm expunge didn't always actually do the physical expunging
- Fixed some index reading optimizations introduced by v2.0.5.
- LMTP proxying fixes
v2.0.6 2010-10-21 Timo Sirainen <>
* Pre-login CAPABILITY includes IDLE again. Mainly to make Blackberry
servers happy.
* auth: auth_cache_negative_ttl default was 0 in earlier v2.0.x, but it
was supposed to be 1 hour as in v1.x. Changed it back to 1h.
If you want it disabled, make sure doveconf shows it as 0.
+ dbox: Added support for saving mail attachments to external files,
with also support for single instance storage. This feature hasn't
had much testing yet, so be careful with it.
+ doveadm: Added import command for importing mails from other storages.
+ Reduced NFS I/O operations for index file accesses
+ dbox, Maildir: When copying messages, copy also already cached fields
from dovecot.index.cache
+ mdbox: Added mdbox_preallocate_space setting (Linux+ext4/XFS only)
- Maildir: LDA/LMTP assert-crashed sometimes when saving a mail.
- Fixed leaking fds when writing to dovecot.mailbox.log.
- Fixed rare dovecot.index.cache corruption
- IMAP: SEARCH YOUNGER/OLDER wasn't working correctly
v2.0.5 2010-10-01 Timo Sirainen <>
* acl: Fixed the logic of merging multiple ACL entries. Now it works as
documented, while previously it could have done slightly different
things depending on the order of the entries.
* virtual: Allow opening virtual mailboxes that refer to non-existing
mailboxes. It seems that the benefits of this outweigh the lack of
error message when typoing a mailbox name.
+ Added some disk I/O optimizations to Maildir and index code. They're
especially helpful with short-lived connections like POP3.
+ pop3: Added pop3_fast_size_lookups setting.
- doveconf sometimes failed with complaining about missing ssl_key
setting, causing e.g. dovecot-lda to fail.
- lda: If there's an error in configuration, doveconf didn't exit with
EX_TEMPFAIL as it should have.
- sdbox: Fixed memory leak when copying messages with hard links.
- zlib + sdbox combination didn't work
- zlib: Fixed several crashes, which mainly showed up with mbox.
- quota: Don't crash if user has quota disabled, but plugin loaded.
- doveadm fetch uid was actually returning sequence, not uid.
- v2.0.4's subscription listing ignored (and logged a warning about)
subscriptions=no namespaces' entries in some configurations.
(So listing shared mailboxes' subscriptions could have been broken.)
- acl: Fixed crashing when sometimes listing shared mailboxes via
dict proxy.
v2.0.4 2010-09-26 Timo Sirainen <>
* multi-dbox: If :INDEX=path is specified, keep
storage/* files also in the index path rather than
in the main storage directory.
WARNING: if you specified :INDEX= with earlier mdbox installation,
you must now manually move the storage indexes to the expected
directory! Otherwise Dovecot won't see them and will rebuild the
indexes, possibly unexpunging some mails.
- Maildir: Copying messages with hard links sometimes caused the
source maildir's entire tmp/ directory to be renamed to destination
maildir as if it were a message.
- Maildir: v2.0.3 broke expunging copied messages sometimes
- Maildir: INBOX whose tmp/ directory was lost couldn't be opened
- single-dbox: Messages weren't copied with hard links
- vpopmail support is hopefully working again.
- dsync: POP3 UIDLs weren't copied with Maildir
- dict file: Fixed fd leak (showed up easily with LMTP + quota)
v2.0.3 2010-09-17 Timo Sirainen <>
* dovecot-lda: Removed use of non-standard Envelope-To: header as a
default for -a. Set lda_original_recipient_header=Envelope-To to
returns the old behavior.
+ Added support for reverse quota warnings (i.e. when quota goes back
under the limit). This is enabled by adding '-' to beginning of
quota_warning value. Based on patch by Jeroen Koekkoek.
+ dovecot-lda: Added lda_original_recipient_header setting, which is
used for getting original recipient if -a isn't used.
+ dovecot-lda: Added -r parameter to specify final recipient address.
(It may differ from original address for e.g. aliases.)
+ Maildir: uidlist file can now override message's GUID, making it
possible for multiple messages in a mailbox to have the same GUID.
This also fixes dsync's message conflict resolution.
- dovecot-lda: If destination user isn't found, exit with EX_NOUSER,
- dsync: Fixed handling \Noselect mailboxes
- Fixed an infinite loop introduced by v2.0.2's message parser changes.
- Fixed a crash introduced by v2.0.2's istream-crlf changes.
v2.0.2 2010-09-08 Timo Sirainen <>
* vpopmail support is disabled for now, since it's broken. You can use
it via checkpassword support or its sql/ldap database directly.
- maildir: Fixed "duplicate uidlist entry" errors that happened at
least with LMTP when mail was delivered to multiple recipients
- Deleting ACLs didn't cause entries to be removed from acl_shared_dict
- mail_max_lock_timeout setting wasn't working with all locks
- auth_cache_size setting's old-style value wasn't autoconverted
and it usually also caused a crash
v2.0.1 2010-08-24 Timo Sirainen <>
* When dsync is started as root, remote dsync command is now also
executed as root instead of with dropped privileges.
- IMAP: QRESYNC parameters for SELECT weren't handled correctly.
- UTF-8 string validity checking wasn't done correctly (e.g.
mailbox names in Sieve fileinto)
- dsync: Fixed a random assert-crash with remote dsyncing
v2.0.0 2010-08-16 Timo Sirainen <>
* Dovecot uses two system users for internal purposes now by default:
dovenull and dovecot. You need to create the dovenull user or change
default_login_user setting.
* Global ACLs are now looked up using namespace prefixes. For example
if you previously had INBOX. namespace prefix and a global ACL for
"INBOX.Sent", it's now looked up from "INBOX.Sent" file instead of
"Sent" as before.
* Maildir: File permissions are no longer based on dovecot-shared file,
but the mailbox directory.
+ Redesigned master process. It's now more modular and there is less
code running as root.
+ Configuration supports now per-local/remote ip/network settings.
+ dsync utility does a two-way mailbox synchronization.
+ LMTP server and proxying.
+ Added mdbox (multi-dbox) mail storage backend.
+ doveadm utility can be used to do all kinds of administration
functions. Old dovecotpw and *view utilities now exist in its
+ imap and pop3 processes can now handle multiple connections.
+ IMAP: COMPRESS=DEFLATE is supported by imap_zlib plugin
+ director service helps NFS installations to redirect users always
to same server to avoid corruption
v2.0.rc6 2010-08-13 Timo Sirainen <>
- dict quota didn't always decrease quota when messages were expunged
- Shared INBOX wasn't always listed with FS layout
v2.0.rc5 2010-08-09 Timo Sirainen <>
- Using more than 2 plugins could have caused broken behavior
(more fixes for this)
- Listescape plugin fixes
- mbox: Fixed a couple of assert-crashes
- mdbox: Fixed potential assert-crash when saving multiple messages
in one transaction.
v2.0.rc4 2010-08-04 Timo Sirainen <>
+ director: Added director_doveadm_port for accepting doveadm
TCP connections.
+ doveadm: Added client/server architecture support for running mail
commands. Enable this by setting doveadm_worker_count to non-zero.
+ mail-log: Added support for mailbox_create event.
+ imap_capability = +XFOO BAR can be used to add capabilities instead
of replacing the whole capability string.
+ virtual storage: Added support for IDLE notifications.
- doveadm mailbox status: Fixed listing non-ASCII mailbox names.
- doveadm fetch: Fixed output when fetching message header or body
- doveadm director map/add/remove: Fixed handling IP address as
- dsync: A few more fixes
v2.0.rc3 2010-07-20 Timo Sirainen <>
* Single-dbox is now called "sdbox" instead of "dbox".
"dbox" will stay as an alias for it for now.
+ Added mail_temp_dir setting, used by deliver and lmtp for creating
temporary mail files. Default is /tmp.
+ doveadm: Added "director map" command to list user -> host mappings.
- imap: Fixed checking if list=children namespace has children.
- director: If all login processes died, director stopped reading
proxy-notify input and caused future login processes to hang
- mail_log plugin configuration was broken
- Using more than 2 plugins could have caused broken behavior
- mdbox: Race condition fixes related to copying and purging
- dsync: Lots of fixes
v2.0.rc2 2010-07-09 Timo Sirainen <>
- Fixed a crash with empty mail_plugins
- Fixed sharing INBOX to other users
- mdbox: Rebuilding storage was broken in rc1
- dsync was broken for remote syncs in rc1
- director+LMTP proxy wasn't working correctly
- v1.x config parser failed with some settings if pigeonhole wasn't
- virtual: If non-matching messages weren't expunged within same
session, they never got expunged.
v2.0.rc1 2010-07-02 Timo Sirainen <>
* See v2.0.0 notes
v1.2.6 2009-10-05 Timo Sirainen <>
* Upgraded to Unicode 5.2.0
+ Added authtest utility for doing passdb and userdb lookups.
+ login: ssl_security string now also shows the used compression.
- quota: Don't crash with non-Maildir++ quota backend.
- imap proxy: Fixed crashing with some specific password characters.
- dovecot --exec-mail was broken.
- Avoid assert-crashing when two processes try to create index at the
same time.
v1.2.5 2009-09-13 Timo Sirainen <>
* Authentication: DIGEST-MD5 and RPA mechanisms no longer require
user's login realm to be listed in auth_realms. It only made
configuration more difficult without really providing extra security.
* zlib plugin: Don't allow clients to save compressed data directly.
This prevents users from exploiting (most of the) potential security
holes in zlib/bzlib.
+ Added pop3_save_uidl setting.
+ dict quota: When updating quota and user isn't already in dict,
recalculate and save the quota.
- file_set_size() was broken with OSes that didn't support
posix_fallocate() (almost everyone except Linux), causing all kinds
of index file errors.
- v1.2.4 index file handling could have caused an assert-crash
- IMAP: Fixes to QRESYNC extension.
- virtual plugin: Crashfix
- deliver: Don't send rejects to any messages that have Auto-Submitted
header. This avoids emails loops.
- Maildir: Performance fixes, especially with maildir_very_dirty_syncs.
- Maildir++ quota: Limits weren't read early enough from maildirsize
file (when quota limits not enforced by Dovecot)
- Message decoding fixes (mainly for IMAP SEARCH, Sieve).
v1.2.4 2009-08-17 Timo Sirainen <>
* acl: When looking up ACL defaults, use global/local default files
if they exist. So it's now possible to set default ACLs by creating
dovecot-acl file to the mail root directory.
+ imap/pop3 proxy: If proxy destination is known to be down,
fail connections to it immediately.
+ imap/pop3 proxy: Added proxy_timeout passdb extra field to specify
proxy's connect timeout.
- Fixed a crash in index file handling.
- Fixed a crash in saving messages where message contained a CR
character that wasn't followed by LF (and the CR happened to be the
last character in an internal buffer).
- v1.2.3 crashed when listing shared namespace prefix.
- listescape plugin: Several fixes.
- autocreate plugin: Fixed autosubscribing to mailboxes in
subscriptions=no namespaces.
v1.2.3 2009-08-07 Timo Sirainen <>
* Mailbox names with control characters can't be created anymore.
Existing mailboxes can still be accessed though.
+ Allow namespace prefix to be opened as mailbox, if a mailbox
already exists in the root dir.
- Maildir: dovecot-uidlist was being recreated every time a mailbox
was accessed, even if nothing changed.
- listescape plugin was somewhat broken
- Compiling fixes for non-Linux/BSDs
- imap: tb-extra-mailbox-sep workaround was broken.
- ldap: Fixed hang when >128 requests were sent at once.
- fts_squat: Fixed crashing when searching virtual mailbox.
- imap: Fixed THREAD .. INTHREAD crashing.
v1.2.2 2009-07-27 Timo Sirainen <>
* GSSAPI: More changes to authentication. Hopefully good now.
* lazy_expunge plugin: Drop \Deleted flag when moving message.
+ dovecot -n/-a now outputs also lda settings.
+ dovecot.conf !include now supports globs (e.g.
!include /etc/dovecot/*.conf). Based on patch by Thomas Guthmann.
+ acl: Support spaces in user/group identifiers.
+ shared mailboxes: If only %%n is specified in prefix, default to
current user's domain.
- Dovecot master process could hang if it received signals too rapidly.
- Fixed "corrupted index cache file" errors (and perhaps others) caused
by e.g. IMAP's FETCH BODY[] command.
- IMAP: When QRESYNC is enabled, don't crash when a new mail is
received while IDLEing.
- IMAP: FETCH X-* parameters weren't working.
- Maildir++ quota: Quota was sometimes updated wrong when it was
being recalculated.
- Searching quoted-printable message body internally converted "_"
characters to spaces and didn't match search keys with "_".
- Messages in year's first/last day may have had broken timezones
with OSes not having struct tm->tm_gmtoff (e.g. Solaris).
- virtual plugin: If another session adds a new mailbox to index,
don't crash.
v1.2.1 2009-07-09 Timo Sirainen <>
* GSSAPI: Changed logging levels and improved the messages.
Changed the way cross-realm authentication handling is done,
hopefully it's working now for everyone.
* imap/pop3 logins now fail if home directory path is relative.
v1.2.0 deliver was already failing with these and they could have
caused problems even with v1.1.
* IMAP: Custom authentication failure messages are now prefixed with
[ALERT] to get more clients to actually show them.
+ Improved some error messages.
- pop3: AUTH PLAIN was broken when SASL initial response wasn't given.
- mbox: New mailboxes were created with UIDVALIDITY 1.
- quota-fs was defaulting to group quota instead of user quota.
- Fixed ACLs to work with mbox.
- Fixed fchmod(-1, -1) errors with BSDs
- convert plugin / convert-tool: Fixed changing hierarchy separators
in mailbox names when alt_hierarchy_char isn't set.
v1.2.0 2009-07-01 Timo Sirainen <>
* When creating files or directories to mailboxes, Dovecot now uses
the mailbox directory's permissions and GID for them. Previous
versions simply used 0600 mode always. For backwards compatibility
dovecot-shared file's permissions still override these with Maildir.
* SQL dictionary (quota) configuration file is different than in v1.1.
See doc/dovecot-dict-sql-example.conf for the new format.
* deliver -m: Mailbox name is now assumed to be in UTF-8 format,
not modified-UTF7. Stephan Bosch's new Sieve implementation also
assumes UTF-8 format in fileinto parameters.
+ Full support for shared mailboxes and IMAP ACL extension.
The code is mainly from Sascha Wilde and Bernhard Herzog.
+ IMAP: Added support for extensions: CONDSTORE, QRESYNC, ESEARCH,
+ SEARCH supports INTHREAD search key, but the rest of the INTHREAD
draft isn't implemented yet so it's not advertised in capability.
+ THREAD REFS algorithm where threads are sorted by their latest
message instead of the thread root message. There is also no base
subject merging.
+ IMAP: Implemented imap-response-codes draft.
+ Thread indexes for optimizing IMAP THREAD command and INTHREAD
search key.
+ Added userdb checkpassword (by Sascha Wilde)
+ Virtual mailboxes:
+ Autocreate plugin:
+ Listescape plugin:
v1.2.rc8 2009-06-30 Timo Sirainen <>
- Fixed building LDAP as plugin
- Fixed starting up in OS X
v1.2.rc7 2009-06-27 Timo Sirainen <>
* Removed configure --with-deliver, --with-pop3d and --disable-ipv6
+ Improved permission related error messages.
- mbox: Don't write garbage to mbox if message doesn't have a body.
- virtual: Fixed saving messages with keywords.
- virtual: Fixed infinite looping bug.
- zlib: Fixed error handling.
v1.2.rc6 2009-06-22 Timo Sirainen <>
* imap proxy: Pass through to client unexpected untagged replies
from remote server (e.g. alerts).
* Solr: Don't use "any" copyfield, it doubles the index size.
* mail_location: Allow using ":" characters in dir names by escaping
it as "::".
- mbox: Don't crash with invalid From_-lines.
- IMAP: Don't crash if IDLE command is pipelined after a long-running
- ACL / shared mailbox fixes
- Some metadata files were incorrectly getting 0666 permissions.
v1.2.rc5 2009-06-04 Timo Sirainen <>
* auth_cache_negative_ttl is now used also for password mismatches
(currently only with plaintext authentication mechanisms).
+ Added support for EXTERNAL SASL mechanism.
+ FETCH X-SAVEDATE can now be used to get messages' save timestamps
+ deliver_log_format: %s is now in UTF8
- If message body started with a space, some operations could have
- Fixed using LDAP support as a plugin
- Fixes to virtual mailboxes.
v1.2.rc4 2009-05-17 Timo Sirainen <>
* If /dev/arandom exists, use it instead of /dev/urandom (OpenBSD).
* When logging to a file, the lines now start with a timestamp instead
of "dovecot: " prefix.
+ IMAP: When multiple commands are pipelined, try harder to combine
their mailbox syncing together. For example with Maildir pipelining
STORE 1:* +FLAGS \Deleted and EXPUNGE commands the files won't
be unnecessarily rename()d before being unlink()ed.
+ imap-proxy: Send backend's CAPABILITY if it's different from what
was sent to client before.
+ IMAP: struct mail now keeps track of all kinds of statistics, such
as number of open()s, stat()s, bytes read, etc. These fields could
be exported by some kind of a statistics plugin (not included yet).
+ IMAP: SEARCH command now dynamically figures out how to run about
0.20 .. 0.25 seconds before seeing if there's other work to do.
This makes the SEARCH performance much better.
- Fixes to shared mailbox handling.
- Fixes to virtual mailboxes.
- THREAD command could have crashed.
- Fixes to expire-tool.
- mbox: Don't break if From_-line is preceded by CRLF (instead of LF).
- dict process wasn't restarted after SIGHUP was sent to master.
v1.2.rc3 2009-04-16 Timo Sirainen <>
* IMAP proxy no longer simply forwards tagged reply from
remote authentication command. It's now done only if the remote
server sent a [resp-code], otherwise all failure strings are
converted to Dovecot's "Authentication failed." to make sure that
if remote isn't using Dovecot it won't reveal user's existence.
+ Quota roots can now specify which namespace's quota they're
tracking. This is probably the most useful for giving public
namespaces a quota.
+ Added imap_idle_notify_interval setting.
- Fixes to shared mailbox handling
- Fixes to virtual mailboxes
- Fixed compiling with some FreeBSD and NetBSD versions
- THREAD REFS still might have returned one (0) at the beginning.
- deliver wasn't using mail_access_groups setting.
- Fixed some error handling in maildir and index code.
v1.2.rc2 2009-04-03 Timo Sirainen <>
- rquota.x file was missing from rc1 distribution, causing compiling
to fail.
v1.2.rc1 2009-04-03 Timo Sirainen <>
* See v1.2.0 notes
v1.1.5 2008-10-22 Timo Sirainen <>
* Dovecot prints an informational message about authentication problems
at startup. The message goes away after the first successful
authentication. This hopefully reduces the number of "Why doesn't
my authentication work?" questions.
+ Maildir/dbox: Try harder to assign unique UIDVALIDITY values to
mailboxes to avoid potential problems when recreating or renaming
mailboxes. The UIDVALIDITY is tracked using dovecot-uidvalidity*
files in the mail root directory.
+ Many logging improvements
- In some conditions Dovecot could have stopped using existing cache
file and never used it again until it was deleted.
- pop3 + Maildir: Make sure virtual sizes are always written to
dovecot-uidlist. This way if the indexes are lost Dovecot will never
do a huge amount of work to recalculate them.
- mbox: Fixed listing mailboxes in namespaces with prefix beginning
with '~' or '/' (i.e. UW-IMAP compatibility namespaces didn't work).
- dict quota: Don't crash when recalculating quota (when quota warnings
- Fixes to handling "out of disk space/quota" failures.
- Blocking passdbs/userdbs (e.g. PAM, MySQL) could have failed lookups
sometimes when auth_worker_max_request_count was non-zero.
- Fixed compiling with OpenBSD
v1.1.4 2008-10-05 Timo Sirainen <>
- SORT: Yet another assert-crashfix when renumbering index sort IDs.
- ACL plugin fixes: Negative rights were actually treated as positive
rights. 'k' right didn't prevent creating parent/child/child mailbox.
ACL groups weren't working.
- Maildir++ quota: Fixes to rebuilding when quota limit wasn't
specified in Dovecot (0 limit or limit read from maildirsize).
- mbox: Several bugfixes causing errors and crashes.
- Several fixes to expire plugin / expire-tool.
- lock_method=dotlock could have deadlocked with itself.
- Many error handling fixes and log message improvements.
v1.1.3 2008-09-02 Timo Sirainen <>
* mail_max_userip_connections limit no longer applies to master user
+ login_log_format_elements: Added %k to show SSL protocol/cipher
information. Not included by default.
+ imap/pop3-proxy: If auth_verbose=yes, log proxy login failures.
+ deliver: Added -s parameter to autosubscribe to autocreated mailboxes.
- message parser fixes - hopefully fixes an infinite looping problem
- SORT: One more assert-crashfix when renumbering index sort IDs.
- mbox: Saving may have truncated the mail being saved
- mbox: Several other bugfixes
- mail_full_filesystem_access=yes was broken when listing mailboxes
(it still is with maildir++ layout).
- maildirlock utility was somewhat broken
- zlib plugin: bzip2 support was somewhat broken
- NFS: Make sure writing to files via output streams don't
assert-crash when write() returns only partial success.
v1.1.2 2008-07-24 Timo Sirainen <>
+ Added full text search indexing support for Apache Lucene Solr
+ IMAP SORT: Added X-SCORE sort key for use with Solr searches.
+ zlib plugin supports now bzip2 also.
+ quota: All backends now take noenforcing parameter.
+ Maildir: Add ,S=<size> to maildir filename whenever quota plugin
is loaded, even when not using Maildir++ quota.
+ deliver: Allow lda section to override plugin settings.
+ deliver: Giving a -m <namespace prefix> parameter now silently saves
the mail to INBOX. This is useful for e.g. -m INBOX/${extension}
+ Added a new maildirlock utility for write-locking Dovecot Maildir.
+ dict-sql: Support non-MySQL databases by assuming they implement the
"INSERT .. ON DUPLICATE KEY" using an INSERT trigger.
- SORT: Fixed several crashes/errors with sort indexing.
- IMAP: BODYSTRUCTURE is finally RFC 3501 compliant. Earlier versions
didn't include Content-Location support.
- IMAP: Fixed bugs with listing INBOX.
- Maildir: maildirfolder file wasn't created when dovecot-shared
file existed on the root directory
- deliver didn't expand %variables in namespace location settings.
- zlib: Copying non-compressed messages resulted in empty mails
(except when hardlink-copying between maildirs).
- mbox-snarf plugin was somewhat broken
- deliver + Maildir: If uidlist couldn't be locked while saving,
we might have assert-crashed
- mbox: Fixed an assert-crash with \Recent flag handling
v1.1.1 2008-06-22 Timo Sirainen <>
- Maildir: When migrating from v1.0 with old format dovecot-uidlist
files, Dovecot may have appended lines to it using the new format and
later broken with "UID larger than next_uid" error.
v1.1.0 2008-06-21 Timo Sirainen <>
No changes since v1.1.rc13. Below are the largest changes since v1.0:
* After Dovecot v1.1 has modified index or dovecot-uidlist files,
they can't be opened anymore with Dovecot versions earlier than
* See doc/wiki/Upgrading.1.1.txt (or for latest changes, for list of changes since
v1.0 that you should be aware of when upgrading.
+ IMAP: Added support for UIDPLUS and LIST-EXTENDED extensions.
+ IMAP SORT: Sort keys are indexed, which makes SORT commands faster.
+ When saving messages, update cache file immediately with the data
that we expect client to fetch later.
+ NFS caches are are flushed whenever needed. See mail_nfs_storage and
mail_nfs_index settings.
+ Out of order command execution (SEARCH, FETCH, LIST), nonstandard
command cancellation (X-CANCEL <tag>)
+ IMAP: STATUS-IN-LIST draft implementation
+ Expire plugin can be used to keep track of oldest messages in
specific mailboxes. A nightly run can then quickly expunge old
messages from the mailboxes that have them. The tracking is done
using lib-dict, so you can use either Berkeley DB or SQL database.
+ Namespaces are supported everywhere now.
+ Namespaces have new list and subscriptions settings.
+ Full text search indexing support with Lucene and Squat backends.
+ OTP and S/KEY authentication mechanisms (by Andrey Panin).
+ mbox and Maildir works with both Maildir++ and FS layouts. You can
change these by appending :LAYOUT=maildir++ or :LAYOUT=fs to
+ LDAP: Support templates in pass_attrs and user_attrs
+ Support for listening in multiple IPs/ports.
+ Quota plugin rewrite: Support for multiple quota roots, warnings,
allow giving storage size in bytes or kilo/mega/giga/terabytes,
per-mailbox quota rules.
+ Filesystem quota backend supports inode limits, group quota and
RPC quota for NFS.
+ SEARCH and SORT finally compare non-ASCII characters
case-insensitively. We use i;unicode-casemap algorithm.
+ Config files support splitting values to multiple lines with \
v1.1.rc13 2008-06-20 Timo Sirainen <>
- mbox: Fixed a crash when adding a new X-IMAPbase: header with
- Message parser: Fixed assert-crash if cached MIME structure was
- Squat: Potential crashfix with mmap_disable=yes.
v1.1.rc12 2008-06-19 Timo Sirainen <>
- mbox: Don't give "Can't find next message offset" warnings when
plugin (e.g. quota) accesses the message being saved.
- deliver: Settings inside protocol imap {} weren't ignored.
v1.1.rc11 2008-06-19 Timo Sirainen <>
- dovecot-uidlist is now recreated if it results in file shrinking
over 25%.
- Some other minor fixes
v1.1.rc10 2008-06-13 Timo Sirainen <>
* LIST X-STATUS renamed to LIST STATUS and fixed its behavior with
LIST-EXTENDED options. It's now compatible with STATUS-IN-LIST
draft 00.
- Message parsing could have sometimes produced incorrect results,
corrupting BODY/BODYSTRUCTURE replies and perhaps others.
- SORT: Fixed several bugs
- FreeBSD 7.0: Environment clearing wasn't working correctly.
This caused "environment corrupted" problems at least with deliver
trying to call sendmail and running Dovecot from inetd.
- HP-UX: Several fixes to get it to work (by Christian Corti)
- Fixes to using expire plugin with SQL dictionary.
- dbox fixes
v1.1.rc9 2008-06-09 Timo Sirainen <>
+ Maildir: When hardlink-copying a file, copy the W=<vsize> in the
filename if it exists in the original filename.
- mbox: With rc8 empty lines were inserted in the middle of saved
mails' headers.
- maildir: Fixed problems with opening newly saved messages which we
saw in index file but couldn't see in dovecot-uidlist. Happened only
when messages weren't saved via Dovecot (deliver or IMAP).
- Several bugfixes to handling sort indexes
- deliver: Boolean settings that were supposed to default to "yes" were
set to "no" unless explicitly defined in dovecot.conf:
dotlock_use_excl, maildir_copy_with_hardlinks, mbox_dirty_syncs,
v1.1.rc8 2008-06-03 Timo Sirainen <>
+ deliver: Added -p parameter to provide path to delivered mail.
This allows maildir to save identical mails to multiple recipients
using hard links.
- rc6/rc7 broke POP3 with non-Maildir formats
- mbox: Saving a message without a body or the end-of-headers line
could have caused an assert-crash later.
- Several dbox fixes
v1.1.rc7 2008-05-30 Timo Sirainen <>
- Fixed compiling problems with non-Linux OSes
v1.1.rc6 2008-05-30 Timo Sirainen <>
* Index file format changed a bit. If an older Dovecot v1.1 reads
index files updated by rc6+, they may give "Invalid header record
size" or "ext reset: invalid record size" warnings. v1.0 won't give
these errors.
* IMAP: LIST .. RETURN (X-STATUS) command return now LIST entries
before STATUS entries.
* zlib plugin: Uncompress if the message begins with zlib header
instead of looking at the 'Z' flag. This fixes copying with hard
links. Based on a patch by Richard Platel.
+ IMAP: SORT index handling code was half-rewritten to fix several bugs
when multiple sessions were sorting at the same time. The new code is
hopefully also faster.
+ Maildir: If POP3 UIDL extra field is found from dovecot-uidlist,
it's used instead of the default UIDL format (or X-UIDL: header).
This allows easily preserving UIDLs when migrating from other POP3
servers. Patch by Nicholas Von Hollen @ Mailtrust.
+ Maildir: ,W=<vsize> is now always added to maildir filenames
+ deliver: Avoid reading dovecot-uidlist's contents if possible.
+ Added %T modifier = Trim whitespace from end of string
- IMAP: Fixed some bugs in LIST-EXTENDED implementation.
- IMAP: If client tries to change the selected mailbox state while
another command is still running, wait until the command is finished.
This fixes some crashes and other unwanted behavior.
- allow_nets userdb setting was broken with big endian CPUs
v1.1.rc5 2008-05-05 Timo Sirainen <>
+ Support cross-realm Kerberos 5 authentication. Based on patch by
Zachary Kotlarek.
+ Added dict_db_config setting to point to a Berkeley DB config file.
+ If mail_chroot ends with "/.", remove chroot prefix from home
- Fixed several bugs and memory leaks in ACL plugin. LIST and LSUB
may have listed mailboxes where user had no 'l' access. STORE could
have been used to update any flags without appropriate access.
- mbox: Valid-looking From_-lines in message bodies caused the message
to be split to two messages (broken since v1.0).
- Plugin initialization hooks were called in wrong order, possibly
causing problems when multiple plugins were used at the same time.
- Expire plugin was broken
- LIST-EXTENDED options were ignored.
- LDAP: Static attribute names weren't working correctly
- deliver: mail_uid and mail_gid settings weren't used.
- pop3 + maildir++ quota: maildirsize file wasn't created if it
didn't exist already.
- dnotify: Waiting for dotlock to be deleted used 100% CPU
v1.1.rc4 2008-04-01 Timo Sirainen <>
* Fixed two buffer overflows in str_find_init(). It was used by
SEARCH code when searching for headers or message body. Added code
to catch these kind of overflows when compiling with --enable-debug.
Found by Diego Liziero.
+ LDAP: Added debug_level and ldaprc_path settings (OpenLDAP-only)
+ Squat: Added fts_squat = partial=n full=m settings. See the wiki.
- dbox metadata updating fixes.
- quota: backend=n didn't work
- SEARCH RECENT may have returned non-recent messages if index files
were created by v1.0.
- If mailbox was opened as read-only with EXAMINE, STOREs were
permanently saved.
- LDAP: Templates were somewhat broken (by richs at
v1.1.rc3 2008-03-09 Timo Sirainen <>
* Fixed a security hole in blocking passdbs (MySQL always. PAM, passwd
and shadow if blocking=yes) where user could specify extra fields
in the password. The main problem here is when specifying
"skip_password_check" introduced in v1.0.11 for fixing master user
logins, allowing the user to log in as anyone without a valid
- mail_privileged_group was broken in some systems (OS X, Solaris?)
v1.1.rc2 2008-03-08 Timo Sirainen <>
* mail_extra_groups setting was commonly used insecurely. This setting
is now deprecated. Most users should switch to using
mail_privileged_group setting, but if you really need the old
functionality use mail_access_groups instead.
+ Expire plugin now supports wildcards in mailbox names.
+ dbox: Expire plugin supports moving old mails to alternative
dbox directory
+ Maildir++ quota: quota_rule=?:<rule> specifies a default rule
which is used only if the maildirsize file doesn't exist.
+ If SSL/TLS connection isn't closed cleanly, log the last error
in the disconnection line.
+ EXPUNGE: If new \Deleted messages were found while expunging,
do it again and expunge them as well (Outlook workaround)
- IMAP: SEARCH, LIST and THREAD command correctness fixes
- Maildir++ quota: Quota rules and warnings with % rules didn't work
if the default limits were taken from maildirsize file.
- Maildir++ quota: If both byte and message limits weren't specified,
maildirsize file was recalculated all the time
- mbox: Flag and keyword updates may have gotten lost in some
situations (happens with v1.0 too)
- ldap: Don't crash if userdb lookup fails
- Squat fixes and performance improvements
v1.1.rc1 2008-02-21 Timo Sirainen <>
* See v1.1.0 notes
v1.0.10 2007-12-29 Timo Sirainen <>
* Security hole with LDAP+auth cache: If base setting contained
%variables they weren't included in auth cache key, which broke
caching. This could have caused different users with same passwords
to log in as each other.
- LDAP: Fixed potential infinite looping when connection to LDAP
server was lost and there were queued requests.
- mbox: More changes to fix problems caused by v1.0.8 and v1.0.9.
- Maildir: Fixed a UIDLIST_IS_LOCKED() assert-crash in some conditions
(caused by changes in v1.0.9)
- If protocols=none, don't require imap executables to exist
v1.0.9 2007-12-11 Timo Sirainen <>
+ Maildir: Don't wait on dovecot-uidlist.lock when we just want to
find out a new filename for the message.
- mbox: v1.0.8 changes sometimes caused FETCH to fail with
"got too little data", disconnecting the client.
- Fixed a memory leak when FETCHing message header/body multiple
times within a command (e.g. BODY[1] BODY[2])
- IMAP: Partial body fetching was still slow with mboxes
v1.0.8 2007-11-28 Timo Sirainen <>
+ Authentication: Added "password_noscheme" field that can be used
instead of "password". "password" treats "{prefix}" as a password
scheme while "password_noscheme" treats it as part of the password
itself. So "password_noscheme" should be used if you're storing
passwords as plaintext. Non-plaintext passwords never begin
with "{", so this isn't a problem with them.
- IMAP: Partial body fetching was sometimes non-optimal, causing
the entire message to be read for every FETCH command.
- deliver failed to save the message when envelope sender address
contained spaces.
- Maildir++ quota: We could have randomly recalculated quota when
it wasn't necessary.
- Login process could have crashed after logging in if client sent
data before "OK Logged in" reply was sent (i.e. before master had
replied that login succeeded).
- Don't assert-crash when reading dovecot.index.logs generated by
Dovecot v1.1.
- Authentication: Don't assert-crash if password beings with "{" but
doesn't contain "}".
- Authentication cache didn't work when using settings that changed
the username (e.g. auth_username_format).
v1.0.7 2007-10-29 Timo Sirainen <>
- deliver: v1.0.6's "From " line ignoring could have written to a
bad location in stack, possibly causing problems.
v1.0.6 2007-10-28 Timo Sirainen <>
* IDLE: Interval between mailbox change notifies is now 1 second,
because some clients keep a long-running IDLE connection and use
other connections to actually read the mails.
* SORT: If Date: header is missing or broken, fallback to using
INTERNALDATE (as the SORT draft nowadays specifies).
+ deliver: If message begins with a "From " line, ignore it.
+ zlib plugin: If maildir file has a "Z" flag, open it with zlib.
- CREATE: Don't assert-crash if trying to create namespace prefix.
- SEARCH: Fixes to handling NOT operator with sequence ranges.
- LDAP reconnection fixes
- Maildir: Don't break when renaming mailboxes with '*' or '%'
characters and children.
- mbox: Fixed "file size unexpectedly shrinked" error in some
- quota+mbox: Don't fail if trying to delete a directory.
- Fixes to running from inetd
v1.0.5 2007-09-09 Timo Sirainen <>
- deliver: v1.0.4 broke home directory handling
- maildir: Creating mailboxes didn't use dovecot-shared's group for
cur/new/tmp directories.
v1.0.4 2007-09-08 Timo Sirainen <>
* Assume a MIME message if Content-Type: header exists, even if
Mime-Version: header doesn't.
- IMAP: CREATE ns_prefix/box/ didn't work right when namespace prefix
- deliver: plugin {} settings were overriding settings from userdb.
- mbox: Expunging the first message might not have worked always
- PostgreSQL: If we can't connect to server, timeout queries after
a while instead of trying forever.
- Solaris: sendfile() support was broken and could have caused
100% CPU usage and the connection hanging.
v1.0.3 2007-08-01 Timo Sirainen <>
- deliver: v1.0.2's bounce fix caused message to be always saved to
INBOX even if Sieve script had discard, reject or redirect commands.
- LDAP: auth_bind=yes and empty auth_bind_userdn leaked memory
- ACL plugin: If user was given i (insert) right for a mailbox, but
not all s/t/w (seen, deleted, other flags) rights, COPY and APPEND
commands weren't supposed to allow saving those flags. This is
technically a security fix, but it's unlikely this caused problems
for anyone.
- ACL plugin: i (insert) right didn't work unless user was also given
l (lookup) right.
- Solaris: Fixed filesystem quota for autofs mounts.
v1.0.2 2007-07-15 Timo Sirainen <>
* dbox isn't built anymore by default. It will be redesigned so it
shouldn't be used.
+ Maildir: Support reading dovecot-uidlist (v3) files created by
Dovecot v1.1.
- Maildir: "UIDVALIDITY changed" errors could happen with newly
created mailboxes
- If "INBOX." namespace was used, LIST returned it with \HasNoChildren
which caused some clients not to show any other mailboxes.
- Maildir++ quota: If multiple processes were updating maildirsize
at the same time, we failed with "Unknown error".
- IMAP: IDLE didn't actually disconnect client after 30 minutes of
- LDAP passdb/userdb was leaking memory
- deliver: %variables in plugin {} weren't expanded
- deliver: Don't bounce the mail if Sieve plugin returns failure
v1.0.1 2007-06-15 Timo Sirainen <>
* deliver: If Return-Path doesn't contain user and domain, don't try
to bounce the mail (this is how it was supposed to work earlier too)
* deliver: %variables in mail setting coming from userdb aren't
expanded anymore (again how it should have worked). The expansion
could have caused problems if paths contained any '%' characters.
+ Print Dovecot version number with dovecot -n and -a
+ deliver: Added -e parameter to write rejection error to stderr and
exit with EX_NOPERM instead of sending the rejection by executing
+ dovecot --log-error logs now a warning, an error and a fatal
- Trying to start Dovecot while it's already running doesn't anymore
wipe out login_dir and break the running Dovecot.
- maildir: Fixed "UID larger than next_uid" errors which happened
sometimes when dovecot-uidlist file didn't exist but index files did
(usually because mailbox didn't have any messages when it was
selected for the first time)
- maildir: We violated maildir spec a bit by not having keyword
characters sorted in the filename.
- maildir: If we don't have write access to cur/ directory, treat the
mailbox as read-only. This fixes some internal error problems with
trying to use read-only maildirs.
- maildir: Deleting a symlinked maildir failed with internal error.
- mbox: pop3_uidl_format=%m wasn't working right
- mbox: If non-filesystem quota was enabled, we could have failed
with "Unexpectedly lost From-line" errors while saving new messages
- mysql auth: %c didn't work. Patch by Andrey Panin
- APPEND / SEARCH: If internaldate was outside valid value for time_t,
we returned BAD error for APPEND and SEARCH never matched. With 64bit
systems this shouldn't have happened. With 32bit systems the valid
range is usually for years 1902..2037.
- COPY: We sent "Hang in there.." too early sometimes and checked it
too often (didn't break anything, but was slower than needed).
- deliver: Postfix's sendmail binary wasn't working with mail_debug=yes
- Don't corrupt ssl-parameters.dat files when running multiple Dovecot
- Cache compression caused dovecot.index.cache to be completely deleted
with big endian CPUs if 64bit file offsets were used (default)
- Fixed "(index_mail_parse_header): assertion failed" crash
v1.0.0 2007-04-13 Timo Sirainen <>
+ Documentation updated.
v1.0.rc32 2007-04-12 Timo Sirainen <>
- LDAP, auth_bind=no: Don't crash if doing non-plaintext ldap passdb
lookup for unknown user. This also broke deliver when userdb static
was used.
- LDAP, auth_bind=yes and userdb ldap: We didn't wait until bind was
finished before sending the userdb request, which could have caused
- LDAP: Don't break when compiling with OpenLDAP v2.3 library
- Convert plugin: Don't create "maildirfolder" file to Maildir root.
v1.0.rc31 2007-04-08 Timo Sirainen <>
- mbox: Give "mbox file was modified while we were syncing" error only
if we detect some problems in the mbox file. The check can't be
trusted with NFS.
- Convert plugin: If directory for destination storage doesn't exist,
create it.
- Convert plugin: Mailbox names weren't converted in subscription list.
v1.0.rc30 2007-04-06 Timo Sirainen <>
* PAM: Lowercase the PAM service name when calling with "args = *".
Linux PAM did this internally already, but at least BSD didn't.
If your PAM file used to be in /etc/pam.d/IMAP or POP3 file you'll
need to lowercase it now.
+ Send list of CA names to client when using
- IMAP: If message body started with line feed, it wasn't counted
in BODY and BODYSTRUCTURE replies' line count field.
- deliver didn't load plugins before chrooting
v1.0.rc29 2007-03-28 Timo Sirainen <>
* Security fix: If zlib plugin was loaded, it was possible to open
gzipped mbox files outside the user's mail directory.
+ Added auth_gssapi_hostname setting.
- IMAP: LIST "" "" didn't return anything if there didn't exist a
namespace with empty prefix. This broke some clients.
- If Dovecot is tried to be started when it's already running, don't
delete existing auth sockets and break the running Dovecot
- If deliver failed too early it still returned exit code 89 instead
- deliver: INBOX fallbacking with -n parameter wasn't working.
- passdb passwd and shadow couldn't be used as master or deny databases
- IDLE: inotify didn't notice changes in mbox file
- If index file directory couldn't be created, disable indexes instead
of failing to open the mailbox.
- rawlog wasn't working with chrooting
- Several other minor fixes
v1.0.rc28 2007-03-23 Timo Sirainen <>
* deliver + userdb static: Verify the user's existence from passdb,
unless allow_all_users=yes
* dovecot --exec-mail: Log to configured log files instead of stderr
* Added "-example" part to doc/dovecot-sql-example.conf and
doc/dovecot-ldap-example.conf. They are now also installed to
$sysconfdir with "make install".
+ When copying/syncing a lot of mails, send "* OK Hang in there"
replies to client every 15 seconds so it doesn't just timeout the
+ Added idxview and logview utilities to examine Dovecot's index files
+ passdb passwd and shadow support blocking=yes setting now also
+ mbox: If mbox file changes unexpectedly while we're writing to it,
log an error.
+ deliver: Ignore -m "" parameter to make calling it easier.
+ deliver: Added new -n parameter to disable autocreating mailboxes.
It affects both -m parameter and Sieve plugin's fileinto action
- mbox: Using ~/ in the mail root directory caused a ~ directory to be
created (instead of expanding it to home directory)
- auth cache: If unknown user was found from cache, we didn't properly
return "unknown user" status, which could have caused problems in
- mbox: Fixed "UID inserted in the middle of mailbox" in some
conditions with broken X-UID headers
- Index view syncing fixes
- rc27 didn't compile with some non-GCC compilers
- vpopmail support didn't compile in rc27
- NFS check with chrooting broke home direcotry for the first login
- deliver: If user lookup returned "unknown user", it logged
"BUG: Unexpected input"
- convert plugin didn't convert INBOX
v1.0.rc27 2007-03-13 Timo Sirainen <>
+ mbox and index file code handles silently out of quota/disk
space errors (maildir still has problems). They will give the user
a "Not enough disk space" error instead of flooding the log file.
+ Added fsync_disable setting.
+ mail-log plugin: Log the mailbox name, except if it's INBOX
+ dovecot-auth: Added a lot more debug logging to passdbs and userdbs
+ dovecot-auth: Added %c variable which expands to "secured" with
+ dovecot-auth: Added %m variable which expands to auth mechanism name
- maildir++ quota: With ignore=box setting the quota was still updated
for the mailbox even though it was allowed to go over quota (but
quota recalculation ignored the box).
- Index file handling fixes
- mbox syncing fixes
- Wrong endianness index files still weren't silently rebuilt
- IMAP quota plugin: GETQUOTAROOT returned the mailbox name wrong the
namespace had a prefix or if its separator was non-default
- IMAP: If client was appending multiple messages with MULTIAPPEND
and LITERAL+ extensions and one of the appends failed, Dovecot
treated the rest of the mail data as IMAP commands.
- If mail was sent to client with sendfile() call, we could have
hanged the connection. This could happen only if mails were saved
with CR+LF linefeeds.
v1.0.rc26 2007-03-07 Timo Sirainen <>
* Changed --with-headers to --enable-header-install
* If time moves backwards only max. 5 seconds, sleep until we're back
in the original present instead of killing ourself. An error is
still logged.
- IMAP: With namespace prefixes LSUB prefix.* listed INBOX.INBOX.
- deliver: Ignore mbox metadata headers from the message input.
X-IMAP header crashed deliver.
- deliver: If mail_debug=yes, drop out DEBUG environment before
calling sendmail binary. Postfix's sendmail didn't really like it.
- mbox: X-UID brokenness fixes broke rc25 even with valid X-UID headers.
Now the code should finally work right.
- Maildir: When syncing a huge maildir, touch dovecot-uidlist.lock file
once in a while to make sure it doesn't get overwritten by another
- Maildir++ quota: We didn't handle NUL bytes in maildirsize files very
well. Now the file is rebuilt when they're seen (NFS problem).
- Index/view handling fix should fix some crashes/errors
- If index files were moved to a different endianness machine, Dovecot
logged all sorts of errors instead of silently rebuilding them.
- Convert plugin didn't change hierarchy separators in mailbox names.
- PostgreSQL authentication could have lost requests once in a while
with a heavily loaded server.
- Login processes could have crashed in some situations
- auth cache crashed with non-plaintext mechanisms
v1.0.rc25 2007-03-01 Timo Sirainen <>
* If time moves backwards, Dovecot kills itself instead of giving
random problems.
+ Added --with-headers configure option to install .h files.
Binary package builders could use this to create some dovecot-dev
package to make compiling plugins easier.
- PLAIN authentication: Don't crash dovecot-auth with invalid input.
- IMAP APPEND: Don't crash if saving fails
- IMAP LIST: If prefix.INBOX has children and we're listing under
prefix.%, don't drop the prefix.
- mbox: Broken X-UID headers still weren't handled correctly.
- mail-log plugin: Fixed deleted/undeleted logging.
v1.0.rc24 2007-02-22 Timo Sirainen <>
* Dovecot now fails to load plugins that were compiled for different
Dovecot version, unless version_ignore=yes is set. This needs to be
explicitly set in plugins, so out-of-tree plugins won't have this
check by default.
- pop3_lock_session=yes could cause deadlocks, and with maildir the
uidlist lock could have been overridden after 2 minutes causing
- PAM wasted CPU by calling a timeout function 1000x too often
- Trash plugin was more or less broken with multiple namespaces and
with multiple trash mailboxes
v1.0.rc23 2007-02-20 Timo Sirainen <>
* deliver doesn't ever exit with Dovecot's internal exit codes anymore.
All its internal exit codes are changed to EX_TEMPFAIL.
* mbox: X-Delivery-ID header is now dropped when saving mails.
* mbox: If pop3_uidl_format=%m, we generate a unique X-Delivery-ID
header when saving mails to make sure the UIDL is unique.
+ PAM: blocking=yes in args uses an alternative way to do PAM checks.
Try it if you're having problems with PAM.
+ userdb passwd: blocking=yes in args makes the userdb lookups be done
in auth worker processes. Set it if you're doing remote NSS lookups
(eg. nss_ldap problems are fixed by this).
+ If PAM child process hasn't responded in two minutes, send KILL
signal to it (only with blocking=no)
- IMAP: APPEND ate all CPU while waiting for more data from the client
(broken in rc22)
- mbox: Broken X-UID headers assert-crashed sometimes
- mbox: When saving a message to an empty mbox file it got an UID
which immediately got incremented.
- mbox: Fixed some wrong "uid-last unexpectedly lost" errors.
- auth cache: In some situations we crashed if passdb had extra_fields.
- auth cache: Special extra_fields weren't saved to auth cache.
For example allow_nets restrictions were ignored for cached entries.
- A lot of initial login processes could cause auth socket errors
in log file at startup, if dovecot-auth started slowly. Now the
login processes are started only after dovecot-auth has finished
initializing itself.
- imap/pop3 proxy: Don't crash if the remote server disconnects before
we're logged in.
- deliver: Don't bother trying to save the mail twice into the default
mailbox (eg. if it's over quota).
- mmap_disable=yes + non-Linux was really slow with large
dovecot.index.cache files
- MySQL couldn't be used as a masterdb
- Trash plugin was more or less broken
- imap/pop3 couldn't load plugins if they chrooted
- imap/pop3-login process could crash in some conditions
- checkpassword-reply crashed if USER/HOME wasn't set
v1.0.rc22 2007-02-06 Timo Sirainen <>
+ pop3: Commit the transaction even if client didn't QUIT so cached
data gets saved.
- Fixed another indexing bug in rc19 and later which caused
transactions to be skipped in some situations, causing all kinds of
- mail_log_max_lines_per_sec was a bit broken and caused crashes with
dovecot -a
- BSD filesystem quota was counted wrong. Patch by Manuel Bouyer
- LIST: If namespace has a prefix and inbox=no, don't list
prefix.inbox if it happens to exist when listing for %.
v1.0.rc21 2007-02-02 Timo Sirainen <>
- Cache file handling could have crashed rc20
v1.0.rc20 2007-02-02 Timo Sirainen <>
+ dovecot: Added --log-error command line option to log an error, so
the error log is easily found.
+ Added mail_log_max_lines_per_sec setting. Change it to avoid log
throttling with mail_log plugin.
- Changing message flags was more or less broken in rc19
- ACL plugin still didn't work without separate control directory
- Some mbox handling fixes, including fixing an infinite loop
- Some index file handling fixes
- maildir quota: Fixed a file descriptor leak
- If auth_cache was enabled and userdb returned "user unknown"
(typically only deliver can do that), dovecot-auth crashed.
- mail_log plugin didn't work with pop3
v1.0.rc19 2007-01-23 Timo Sirainen <>
- ACL plugin didn't work unless control dir was separate from maildir
- More index file handling fixes
v1.0.rc18 2007-01-22 Timo Sirainen <>
* ACL plugin + Maildir: Moved dovecot-acl file from control directory
to maildir. To prevent accidents caused by this change, Dovecot
kills itself if it finds dovecot-acl file from the control directory.
* When opening a maildir, check if tmp/'s atime is over 8h old. If it
is, delete files in it with ctime older than 36h. However if
atime - ctime > 36h, it means that there's nothing to be deleted and
the scanning isn't done. We update atime ourself if filesystem is
mounted with noatime.
* base_dir doesn't need to be group-readable, don't force it.
* mail_read_mmaped setting is deprecated and possibly broken. It's now
removed from dovecot-example.conf, but it still works for now.
* Removed also umask setting from dovecot-example.conf since currently
it doesn't do what it's supposed to.
+ Authentication cache caches now also userdb data.
+ Added mail_log plugin to log various mail operations. Currently it
logs mail copies, deletions, expunges and mailbox deletions.
- dict quota: messages=n parameter actually changed storage limit.
- A lot of fixes to handling index files. This should fix almost all
of the problems ever reported.
- LDAP: auth_bind=yes was more or less broken.
- Saved mails and dovecot-keywords file didn't set the group from
dovecot-shared file.
- Fixed potential assert-crash while searching messages
- Fixed some crashes with invalid X-UID headers in mboxes
- If you didn't have a namespace with empty prefix, giving STATUS
command for a non-existing namespace caused the connection to give
"NO Unknown namespace" errors for all the future commands.
v1.0.rc17 2007-01-07 Timo Sirainen <>
- MySQL authentication caused username to show up as "OK" in rc16.
v1.0.rc16 2007-01-05 Timo Sirainen <>
* IMAP: When trying to fetch an already expunged message, Dovecot used
to just disconnect client. Now it instead replies with dummy NIL
* Priority numbers in plugin names have changed. If you're installing
from source, you should delete the existing plugin files before
installing the new ones, otherwise you'll get errors.
* Maildir: We're using rename() to move files from tmp/ to new/ now.
See -> "Issues with
the specification" for reasoning why this is safe. This makes saving
mails faster, and also makes Dovecot usable with Mac OS X's HFS+
(after you also set dotlock_use_excl=yes, see below).
+ Added dotlock_use_excl setting. If enabled, dotlocks are created
directly using O_EXCL flag, instead of by creating a temporary file
which is hardlinked. O_EXCL is faster, but may not work with NFS.
+ If Dovecot crashes with Linux or Solaris, it'll log a
"Raw backtrace". It's worse than gdb's backtrace, but better than
+ Added maildir_copy_preserve_filename=yes setting.
+ Added a lazy-expunge plugin to allow users to unexpunge their mails.
+ maildir quota: Added ignore setting to maildir quota, which allows
ignoring quota in Trash mailbox.
+ dict quota: If dictionary doesn't yet contain the quota, calculate
it by going through all the mails in all the mailboxes.
+ login_log_format_elements: Added %a=local port and %b=remote port
+ Added -i and -o options to rawlog to restrict logging only to
input or output.
- Doing a STATUS command for a selected mailbox (not a recommended
IMAP client behavior) caused Dovecot to sync the mailbox silently.
This could have lost eg. EXPUNGE events from clients, causing them
to use wrong sequence numbers.
- deliver was treating boolean settings set to "no" as if they were
"yes" (they were supposed to be commented out for "no")
- Running "dovecot" with -a or -n option while Dovecot was running
deleted all authentication sockets, which caused all the future
logins to fail.
- maildir: RENAME and DELETE didn't touch control directory if it was
different from maildir or index dir.
- We treated internal userdb lookup errors as "user unknown" errors.
In such situations this caused deliver to think the user didn't
exist and the mail get bounced.
- pam: Setting cache_key crashed
- shared maildir: dovecot-keywords file's mode wasn't taken from
dovecot-shared file.
- dovecotpw wasn't working with PowerPC
v1.0.rc15 2006-11-19 Timo Sirainen <>
* Fixed an off-by-one buffer overflow in cache file handling. The
code is executed only with mmap_disable=yes and only if index files
are used (ie. INDEX=MEMORY is safe).
* passdb checkpassword: Handle vpopmail's non-standard exit codes.
- rc14 sometimes assert-crashed if .log.2 file existed in a mailbox
(earlier versions leaked memory and file descriptors)
- io_add() assert-crashfixes
- Potential SSL hang fix at the beginning of the connection
v1.0.rc14 2006-11-12 Timo Sirainen <>
* LDAP: Don't try to use ldap_bind() with empty passwords, since
Windows 2003 AD skips password checking with them and just returns
* verbose_ssl=yes: Don't bother logging "syscall failed: EOF"
messages. No-one cares about them.
+ Dovecot sources should now compile without any warnings with gcc 3.2+
- rc13 crashed if client disconnected while IDLEing
- LDAP: auth_bind=yes fixes
- %variables: Fixed zero padding handling and documented it. %0.1n
shouldn't enable it, and it really shouldn't stay for the next
%variable. -sign also shouldn't stay for the next variable.
- Don't leak opened .log.2 transaction logs.
- Fixed a potential hang in IDLE command (probably really rare).
- Fixed potential problems with client disconnecting while master was
handling the login.
- quota plugin didn't work in Mac OS X
v1.0.rc13 2006-11-08 Timo Sirainen <>
+ deliver: If we're executing as a normal system user, get the HOME
environment from passwd if it's not set. This makes it possible to
run deliver from .forward.
- Older compilers caused LDAP authentication to crash
- Dying LDAP connections weren't handled exactly correctly in rc11,
although it seemed to work usually
- Fixed crashes and memory leaks with AUTHENTICATE command
- Fixed crashes and leaks with IMAP/POP3 proxying
- maildir: Changing a mailbox while another process was saving a
message there at the same may have caused the changes to not be made
into the maildir, which could have caused other problems later..
v1.0.rc12 2006-11-05 Timo Sirainen <>
- rc11 didn't compile with some compilers
- default_mail_env fallbacking was broken with --exec-mail
v1.0.rc11 2006-11-05 Timo Sirainen <>
* Renamed default_mail_env to mail_location. default_mail_env still
works for backwards compatibility.
* deliver: When sending rejects, don't include Content-Type in the
rejected mail's headers.
* LDAP changes:
* If auth binds are used, bind back to the default dn before doing
a search. Otherwise it could fail if a user gave an invalid
* Initial binding at connect is now done asynchronously.
* Use pass_attrs even with auth_bind=yes since it may contain
useful non-password fields.
+ passdb checkpassword: Give TCPLOCALIP and TCPREMOTEIP and PROTO=TCP
environments to the checkpassword binary so we're UCSPI (and vchkpw)
- mbox handling was a bit broken in rc10
- Using Dovecot via inetd kept crashing dovecot master
- deliver: Don't crash with -f "". Changed the default from envelope
- INBOX wasn't shown with LSUB command if only prefixed namespaces
were used.
- passdb ldap: Reconnecting to LDAP server wasn't working with
auth binds.
- passdb sql: Non-plaintext authentication didn't work
- MySQL passdb ignored all non-password checks, such as allow_nets
- trash plugin was broken
v1.0.rc10 2006-10-16 Timo Sirainen <>
* When matching allowed_nets IPs, convert IPv6-mapped-IPv4 addresses
to actual IPv4 addresses first.
+ IMAP: Try to avoid sending duplicate/useless message flag updates
+ Added support for non-plaintext authentication for vpopmail if it
returns plaintext passwords. Based on patch by Remi Gacogne.
+ Added %D modified to return "" as
"sub,dc=domain,dc=org" (for LDAP queries). Patch by Andrey Panin.
- rc9 broke cache files in 64bit systems
- deliver works now with mail_chroot
- auth cache didn't work properly with multiple passdbs
- Fixes to handling CRLF linefeeds in mboxes.
v1.0.rc9 2006-10-14 Timo Sirainen <>
* 64bit systems: dovecot.index.cache file will be rebuilt because
some time fields have been changed from 64bit fields to 32bit
fields. Now the same cache file can be used in both 32bit and
64bit systems without it being rebuilt.
* Added libmysqlclient workaround to conflicting sha1_result symbol,
which caused Dovecot to fail logging into MySQL.
+ dovecot.index.cache file opening is delayed until it's actually
needed. This reduces disk accesses a bit with eg. STATUS commands.
+ auth_cache: Try to handle changing passwords automatically: If
password verification fails, but the last one had succeeded, don't
use the cache. This works only with plaintext auth.
- dovecot.index.cache: We didn't properly detect if some fields were
different length than we expected, which caused assert crashes
- Lots of fixes to login/master process handling
- mbox: Fixed a bug causing "X-IMAPbase uid-last unexpectedly lost
in mbox file" errors, and possibly others.
v1.0.rc8 2006-10-09 Timo Sirainen <>
* GSSAPI: Changed POP3 service name to "pop", which is what the
standard says
* "mbox:/var/mail/%u" no longer works as the mail location. You'll
have to specify the mail root explicitly, just like the examples
always have: "mbox:~/mail:INBOX=/var/mail/%u"
+ SHA1, LDAP-MD5, PLAIN-MD5, PLAIN-MD4: The password can be now either
hex or base64 encoded. The encoding is detected automatically based
on the password string length.
+ Allow running only Dovecot master and dovecot-auth processes with
protocols=none setting
+ deliver: -f <envelope sender> parameter can be used to set mbox
From_-line's sender address
+ deliver: Log all mail saves and failures
+ Tru64 SIA passdb support. Patch by Simon L Jackson.
- INBOX was listed twice in mailbox list if namespace prefix was used
- INBOX-prefixed namespaces were a bit broken
- kqueue: Fix 100% CPU usage
- deliver: Duplicate storage was a bit broken
- dictionary code was broken (ie. dict quota)
- SIGHUP caused crashes sometimes
v1.0.rc7 2006-08-18 Timo Sirainen <>
* Require that Dovecot master process's version number matches the
child process's, unless version_ignore=yes. Usually it's an
accidental installation problem if the version numbers don't match.
* Maildir: Create maildirfolder file when creating new maildirs.
+ ldap+prefetch: Use global uid/gid settings if LDAP query doesn't
return them
+ %variables: Negative offsets count from the end of the string.
Patch by Johannes Berg.
- kqueue ioloop code rewrite
- notify=kqueue might have caused connection hangs sometimes
- deliver: If message body contained a valid mbox From_ line, it
and the rest of the message was skipped.
- mbox: We got into infinite loops if trying to open a 2 byte sized
file as mbox.
- Don't crash with ssl_disable=yes
- quota plugin caused compiling problems with some OSes
- mbox: After saving a mail to a synced mbox, we lost the sync which
caused worse performance
v1.0.rc6 2006-08-07 Timo Sirainen <>
* Removed login_max_logging_users setting since it was somewhat weird
in how it worked. Added login_max_connections to replace it with
login_process_per_connection=no, and with =yes its functionality
is now within login_max_processes_count.
+ Added --with-linux-quota configure option to specify which Linux
quota version to use, in case it's not correct in sys/quota.h.
Usually used as --with-linux-quota=2
+ acl plugins: If .DEFAULT file exists in global ACL root directory,
use it as the default ACLs for all mailboxes.
- Fixes to login process handling, especially with
- Back to the original SSL proxy code but with one small fix, which
hopefully fixes the occational hangs with it
- Several fixes to handling LIST command more correctly.
v1.0.rc5 2006-08-02 Timo Sirainen <>
- Saving to mboxes still caused assert-crashes
v1.0.rc4 2006-08-02 Timo Sirainen <>
- Saving to mboxes caused assert-crashes
v1.0.rc3 2006-08-02 Timo Sirainen <>
- SSL connections hanged sometimes, especially when saving messages.
- mbox: Mail bodies were saved with CR+LF linefeeds
- Mail forwarding was broken with deliver/Sieve
- dbox fixes. Might actually be usable now.
- Index file handling fixes with keywords
- Cache file was incorrectly used in some situations, which probably
caused problems sometimes.
- Maildir++ quota: Don't count "." and ".." directory sizes to quota.
After rewriting maildirsize file keep its fd open so that we can
later update it. Patch by Alexander Zagrebin
v1.0.rc2 2006-07-04 Timo Sirainen <>
* disable_plaintext_auth=yes: Removed hardcoded 127.* and ::1 IP
checks. Now we just assume that the connection is secure if the
local IP matches the remote IP address.
* SSL code rewrite which hopefully makes it work better than before.
Seems to work correctly, but if you suddently have trouble with SSL
connections this is likely the reason.
+ verbose_ssl=yes: Log also SSL alerts and BIO errors
- If namespace's location field wasn't set, the default location
was supposed to be used but it wasn't.
- When copying ssl-parameters.dat file from /var/lib to /var/run its
permissions went wrong if it couldn't be copied with hard linking.
- Fixed filesystem quota plugin to work with BSDs.
- Maildir: Saving mails didn't work if quota plugin was enabled (again)
- Maildir: Messages' received time wasn't saved properly when
saving/copying multiple messages at a time. Also if using quota
plugin the S= size was only set for the first saved file, and even
that was wrong.
- passdb passwd-file: Don't require valid uid/gid fields if file
isn't also being used as a userdb.
- PostgreSQL: Handle failures better so that there won't be
"invalid fd" errors in logs.
- Don't try to expunge messages if the mailbox is read-only. It'll
just cause our index files to go out of sync with the real
mailbox and cause errors.
- ANONYMOUS authentication mechanism couldn't work because
anonymous_username setting wasn't passed from master process.
v1.0.rc1 2006-06-28 Timo Sirainen <>
* PAM: If user's password is expired, give "Password expired" error
message to the user. Now actually working thanks to Vaidas Pilkauskas
* Relicensed dovecot-auth, lib-sql and lib-ntlm to MIT license. See
COPYING file for more information.
* Abuse prevention: When creating a mailbox, limit the number of
hierarchies (up to 20) and the length of the mailbox name within
a hierarchy (up to 200 characters).
* mbox: If saved mail doesn't end with LF, add it ourself so that the
mails always have one empty line before the next From-line.
+ Added --with-statedir configure option which defaults to
$localstatedir/lib/dovecot. ssl-parameters.dat is permanently
stored in that directory and is copied to login_dirs from there.
+ IMAP: Support SASL-IR extension (SASL initial response)
+ Support initial SASL response with LOGIN mechanism. Patch by Anders
+ Added PLAIN-MD4 password scheme. Patch by Andrey Panin.
+ Added support for XFS disk quotas. Patch by Pawel Jarosz
+ If another process deletes the opened mailbox, try to handle it
without writing errors to log file. Handles the most common cases.
+ Added TLS support for LDAP if the library supports it.
- SEARCH command was more or less broken with OR and NOT conditions
- Dovecot corrupted mbox files which had CR+LF linefeeds in headers
- MySQL code could have crashed while escaping strings
- MD4 code with NTLM authentication was broken with 64bit systems.
Patch by Andrey Panin
- Plugin loading was broken in some OSes (eg. FreeBSD)
- Several fixes to handling empty values in configuration file
- Several fixes to dictionary quota backend and dict server.
Also changed how they're configured.
- deliver: Fixed plugin handling settings
- mbox_min_index_size handling was somewhat broken
- passdb passwd-file: extra_args field wasn't read unless the file
was also used as userdb.
v1.0.beta9 2006-06-13 Timo Sirainen <>
* PAM: Don't call pam_setcred() unless setcred=yes PAM passdb
argument was given.
* Moved around settings in dovecot-example.conf to be in more logical
+ Local delivery agent (deliver binary) works again.
+ LDAP: Added support for SASL binding. Patch by Geert Jansen
+ ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
invalid sent certificates. If verbose_ssl=yes, log even the valid
certificates. When using the username from the certificate, use
CommonName. Based on patch by HenkJan Wolthuis
+ PAM: Set PAM_TTY which is needed by some PAM plugins
+ dovecot --exec-mail ext <binary path> can now be used to start
binaries which want dovecot.conf to be read, for example the
- Expunging needed to be done twice if client used STORE +FLAGS.SILENT
command to set the \Deleted flags
- Added sql_escape_string() to lib-sql API and use it instead of
normal \-escaping.
- ACL plugin fixes
- DIGEST-MD5: Trying to use subsequent authentication crashed
- Fetching BODY when BODYSTRUCTURE was already cached caused the
reply to be broken in some cases
- Lots of fixes for index file handling
- dbox fixes and changes
- mbox syncing broke if some extraneous/broken headers were removed
(eg. extra X-IMAPbase headers in mails)
- Running Dovecot from inetd work now properly with POP3
- Quota plugin fixes for calculating the quota correctly
v1.0.beta8 2006-05-12 Timo Sirainen <>
* Fixed a security hole with mbox: "1 LIST .. *" command could
list all directories and files under the mbox root directory, so
if your mails were stored in eg. /var/mail/%u/ directory, the
command would list everything under /var/mail.
+ Unless nfs_check=no or mmap_disable=yes, check for the first login
if the user's index directory exists in NFS mount. If so, refuse to
run. This is done only on first login to avoid constant extra
+ If we have plugins set and imap_capability unset, figure out the
IMAP capabilities automatically by running imap binary at startup.
The generated capability list isn't updated until Dovecot is
restarted completely, so if you add or remove IMAP plugins you
should restart. If you have problems related to this, set
imap_capabilities setting manually to work around it.
+ Added auth_username_format setting
- pop3_lock_session setting wasn't really working
- Lots of fixes related to quota handling. It's still not working
perfectly though.
- Lots of index handling fixes, especially with mmap_disable=yes
- Maildir: saving mails could have sometimes caused "Append with UID
n, but next_uid = m" errors
- flock() locking never timeouted because ignoring SIGALRM caused the
system call just to be restarted when SIGALRM occurred (probably not
with all OSes though?)
- kqueue: Fixed "Unrecognized event". Patch by Vaclav Haisman
v1.0.beta7 2006-04-12 Timo Sirainen <>
+ Added shutdown_clients setting to control if existing imap/pop3
processes should be killed when master is.
- Master login fixes, PLAIN authentication was still broken..
v1.0.beta6 2006-04-12 Timo Sirainen <>
* The login and master usernames were reversed when using
master_user_separator (now the order is UW-IMAP compatible).
* Killing dovecot master process now kills all IMAP and POP3
processes also.
+ -a parameter to dovecot prints now all settings that Dovecot uses.
-n prints all settings that are different from defaults.
+ Added pop3_lock_session setting
+ %M modifier returns string's MD5 sum. Patch by Ben Winslow
- PLAIN SASL authentication wasn't working properly, causing failed
logins with some clients (broken in beta4)
- Fixes to Maildir++ quota, should actually work now
- Don't crash if passwd-file has entries without passwords
(eg. deny=yes databases)
- Fixed prefetch userdb to work nicely with other userdbs
- If master process runs out of file descriptors, don't go to
infinite loop (unlikely to have happened unless the OS's default
fd limit was too low)
- Fixed non-plaintext password lookups from LDAP. Patch by Lior Okman
- %U modifier was actually lowercasing the string. Patch by Ben Winslow
v1.0.beta5 2006-04-04 Timo Sirainen <>
- Beta4's SSL proxying rewrite worked worse than I thought.
Reverted it back to original code.
v1.0.beta4 2006-04-02 Timo Sirainen <>
* Changed the default lock_method back to fcntl. Apparently flock
gives problems with some systems.
* mbox: mailboxes beginning with '.' are now also listed
* Replaced mail_use_modules and mail_modules settings with mail_plugins
and mail_plugin_dir. Now instead of loading all plugins from the
directory, you'll have to give a list of plugins to load. If the
plugin couldn't be loaded, the process exits instead of just
ignoring the problem (this is important with ACL plugin).
+ Added support for "master users" who can log in as other people.
The master username can be given either in authorization ID
string with SASL PLAIN mechanism or by setting
auth_master_user_separator and giving it within the normal username
+ Added ACL plugin with ACL file backend. This however doesn't mean
that there yet exists a proper shared folder support. If master user
logged in as someone else, the ACLs are checked as the master user.
+ Added some Dovecot extensions to checkpassword passdb, see ChangeLog
+ Updated passwd-file format to allow specifying any key=value fields
+ Maildir++ quota support and several quota fixes
+ passdb supporting extra fields: Added "allow_nets" option which takes
a comma separated list of IPs/networks where to allow user to log in.
+ NFS: Handle ESTALE errors the best way we can
+ IMAP now writes to log when client disconnects
+ In shared mailboxes (if dovecot-shared file exists) \Seen flags are
now kept only in index files, so as long as each user has a separate
index file they have separate \Seen flags.
- Fixes to DIGEST-MD5 realm handling so it works with more clients
- BODYSTRUCTURE -> BODY conversion from cache file was broken with
mails containing message/rfc822 parts.
- Fixed several memory leaks
- We could have sent client FETCH notifications about messages before
telling about them with EXISTS
- Compiling fixes for Solaris and some other OSes
- Fixed problem with internal timeout handling code, which caused eg.
outlook-idle workaround to break.
- If /dev/urandom didn't exist, we didn't seed OpenSSL's random number
generator properly. Patch by Vilmos Nebehaj.
- Maildir: Recent flags weren't always immediately removed from mails
when mailbox was opened.
- Several changes to SSL proxying code, hopefully making it work
v1.0.beta3 2006-02-08 Timo Sirainen <>
* Dotlock code changed to timeout faster in some situations when
the lock file is old.
+ Added support for loading SQL drivers dynamically (see INSTALL file
for how to build them)
+ Keywords are stored to dboxes, and other dbox improvements.
+ dict-sql could actually work now, making quota-in-sql-database
possibly working now (not fully tested)
+ Added mail storage conversion plugin to convert automatically from
one mailbox format to another while user logs in. Doesn't preserve
+ Added plugin { .. } section to dovecot.conf for passing parameters
to plugins (see dovecot-example.conf).
+ Added ssl-build-param binary which is used to generate
ssl-parameters.dat. Main dovecot binary doesn't anymore link to
SSL libraries, and this also makes the process title be clearer
about why the process is eating all the CPU.
- Fix building without OpenSSL
- Fixed memory leak in MySQL driver
- Fixes to checkpassword
- Broken Content-Length header could have broken mbox opening
- Fixed potential hangs after APPEND command
- Fixed potential crashes in dovecot-auth and imap/pop3-login
- zlib plugin now links with -lz so it could actually work
- kqueue fixes by Vaclav Haisman
v1.0.beta2 2006-01-22 Timo Sirainen <>
+ Added SQLite support. Patch by Jakob Hirsch.
+ Added auth_debug_passwords setting. If it's not enabled, hide all
password strings from logs.
+ Added mail_cache_min_mail_count and mbox_min_index_size settings
which can be used to make Dovecot do less disk writes in small
mailboxes where they don't benefit that much.
+ Added --build-ssl-parameters parameter to dovecot binary
- SSL parameters were being regenerated every 10 minutes, although
not with all systems.
- Fixed dovecot-auth crashing at startup. Happened only with some
specific compilers.
- base_dir was supposed to be set world-readable, not world-writable
v1.0.beta1 2006-01-16 Timo Sirainen <>
* Almost a complete rewrite since 0.99.x, but some of the major
changes are:
+ Index file code rewritten to do less disk I/O, wait locks less and
in generate be smarter. They also support being in clustered
filesystems and NFS support is mostly working also.
+ Mail caching is smarter. Only the data that client requests is
cached. Before Dovecot opened and cached all mails when mailbox was
opened the first time, which was slow.
+ Mbox handling code rewritten to be much faster, safer and correct
+ New authentication mechanisms: APOP, GSSAPI, LOGIN, NTLM and RPA.
+ LDAP supports authentication binds
+ Authentication server can cache password database lookups
+ Support for multiple authentication databases
+ Namespace configuration
+ Dovecot works with shared