March 2007 - Dovecot-news

1.0.rc29 released
by Timo Sirainen 30 Mar '07

30 Mar '07

http://dovecot.org/releases/dovecot-1.0.rc29.tar.gz http://dovecot.org/releases/dovecot-1.0.rc29.tar.gz.sig Probably one more RC after this. * Security fix: If zlib plugin was loaded, it was possible to open gzipped mbox files outside the user's mail directory. + Added auth_gssapi_hostname setting. - IMAP: LIST "" "" didn't return anything if there didn't exist a namespace with empty prefix. This broke some clients. - If Dovecot is tried to be started when it's already running, don't delete existing auth sockets and break the running Dovecot - If deliver failed too early it still returned exit code 89 instead of EX_TEMPFAIL. - deliver: INBOX fallbacking with -n parameter wasn't working. - passdb passwd and shadow couldn't be used as master or deny databases - IDLE: inotify didn't notice changes in mbox file - If index file directory couldn't be created, disable indexes instead of failing to open the mailbox. - Several other minor fixes

1 0

Security hole #3: zlib plugin allows opening any gziped mboxes
by Timo Sirainen 30 Mar '07

30 Mar '07

zlib plugin allows opening gzipped mboxes as read-only mailboxes. However when using it, the mailbox name checks are bypassed so it's possible to open for example "../otheruser/somefile.gz". Only valid gzipped mbox files can be opened, and only if their name ends with ".gz". You can fix this by upgrading to v1.0.rc29 (available soon) or with this patch: http://dovecot.org/list/dovecot-cvs/2007-March/008488.html I don't think this matters much though. zlib plugin is rarely used, and those who do use it are probably using Dovecot with systems users (per-user UIDs), so the imap process wouldn't have access to other users' mbox files anyway. I found this problem when I was cleaning up the code in CVS HEAD.

1 0

1.0.rc28 released
by Timo Sirainen 23 Mar '07

23 Mar '07

http://dovecot.org/releases/dovecot-1.0.rc28.tar.gz http://dovecot.org/releases/dovecot-1.0.rc28.tar.gz.sig Still a bit more fixes. My coding TODO list is again empty. Unless something special happens in the next few weeks, I'll still make rc29 with the documentation included and v1.0 will be released April 13. * deliver + userdb static: Verify the user's existence from passdb, unless allow_all_users=yes * dovecot --exec-mail: Log to configured log files instead of stderr * Added "-example" part to doc/dovecot-sql-example.conf and doc/dovecot-ldap-example.conf. They are now also installed to $sysconfdir with "make install". + When copying/syncing a lot of mails, send "* OK Hang in there" replies to client every 15 seconds so it doesn't just timeout the connection. + Added idxview and logview utilities to examine Dovecot's index files + passdb passwd and shadow support blocking=yes setting now also + mbox: If mbox file changes unexpectedly while we're writing to it, log an error. + deliver: Ignore -m "" parameter to make calling it easier. + deliver: Added new -n parameter to disable autocreating mailboxes. It affects both -m parameter and Sieve plugin's fileinto action - mbox: Using ~/ in the mail root directory caused a ~ directory to be created (instead of expanding it to home directory) - auth cache: If unknown user was found from cache, we didn't properly return "unknown user" status, which could have caused problems in deliver. - mbox: Fixed "UID inserted in the middle of mailbox" in some conditions with broken X-UID headers - Index view syncing fixes - rc27 didn't compile with some non-GCC compilers - vpopmail support didn't compile in rc27 - NFS check with chrooting broke home direcotry for the first login - deliver: If user lookup returned "unknown user", it logged "BUG: Unexpected input" - convert plugin didn't convert INBOX

1 0

1.0.rc27 released
by Timo Sirainen 13 Mar '07

13 Mar '07

http://dovecot.org/releases/dovecot-1.0.rc27.tar.gz http://dovecot.org/releases/dovecot-1.0.rc27.tar.gz.sig A few new small features and lots of index/mbox fixes. I've been heavily stress testing this release, so I think it should be about perfect. :) I think the only thing still missing from v1.0 is documentation. There are some unwritten pages in the wiki, and I still haven't bothered to write the wiki -> doc/*.txt conversion script. The script will probably be pretty easy, but writing the docs can take a while. + mbox and index file code handles silently out of quota/disk space errors (maildir still has problems). They will give the user a "Not enough disk space" error instead of flooding the log file. + Added fsync_disable setting. + mail-log plugin: Log the mailbox name, except if it's INBOX + dovecot-auth: Added a lot more debug logging to passdbs and userdbs + dovecot-auth: Added %c variable which expands to "secured" with SSL/TLS/localhost. + dovecot-auth: Added %m variable which expands to auth mechanism name - maildir++ quota: With ignore=box setting the quota was still updated for the mailbox even though it was allowed to go over quota (but quota recalculation ignored the box). - Index file handling fixes - mbox syncing fixes - Wrong endianess index files still weren't silently rebuilt - IMAP quota plugin: GETQUOTAROOT returned the mailbox name wrong the namespace had a prefix or if its separator was non-default - IMAP: If client was appending multiple messages with MULTIAPPEND and LITERAL+ extensions and one of the appends failed, Dovecot treated the rest of the mail data as IMAP commands. - If mail was sent to client with sendfile() call, we could have hanged the connection. This could happen only if mails were saved with CR+LF linefeeds.

1 0

1.0.rc26 released
by Timo Sirainen 07 Mar '07

07 Mar '07

http://dovecot.org/releases/dovecot-1.0.rc26.tar.gz http://dovecot.org/releases/dovecot-1.0.rc26.tar.gz.sig Most importantly this should fix mbox problems in recent RCs. * Changed --with-headers to --enable-header-install * If time moves backwards only max. 5 seconds, sleep until we're back in the original present instead of killing ourself. An error is still logged. - IMAP: With namespace prefixes LSUB prefix.* listed INBOX.INBOX. - deliver: Ignore mbox metadata headers from the message input. X-IMAP header crashed deliver. - deliver: If mail_debug=yes, drop out DEBUG environment before calling sendmail binary. Postfix's sendmail didn't really like it. - mbox: X-UID brokeness fixes broke rc25 even with valid X-UID headers. Now the code should finally work right. - Maildir: When syncing a huge maildir, touch dovecot-uidlist.lock file once in a while to make sure it doesn't get overwritten by another process. - Maildir++ quota: We didn't handle NUL bytes in maildirsize files very well. Now the file is rebuilt when they're seen (NFS problem). - Index/view handling fix should fix some crashes/errors - If index files were moved to a different endianess machine, Dovecot logged all sorts of errors instead of silently rebuilding them. - Convert plugin didn't change hierarchy separators in mailbox names. - PostgreSQL authentication could have lost requests once in a while with a heavily loaded server. - Login processes could have crashed in some situations - auth cache crashed with non-plaintext mechanisms

1 0

1.0.rc25 released
by Timo Sirainen 01 Mar '07

01 Mar '07

http://dovecot.org/releases/dovecot-1.0.rc25.tar.gz http://dovecot.org/releases/dovecot-1.0.rc25.tar.gz.sig Instead of having "Should v1.0 be released already" discussion, how about having "What's still missing from wiki.dovecot.org and how could it be improved" discussion? And what should the wiki exported to doc/ directory in the tarball look like? * If time moves backwards, Dovecot kills itself instead of giving random problems. + Added --with-headers configure option to install .h files. Binary package builders could use this to create some dovecot-dev package to make compiling plugins easier. - PLAIN authentication: Don't crash dovecot-auth with invalid input. - IMAP APPEND: Don't crash if saving fails - IMAP LIST: If prefix.INBOX has children and we're listing under prefix.%, don't drop the prefix. - mbox: Broken X-UID headers still weren't handled correctly. - mail-log plugin: Fixed deleted/undeleted logging.

1 0