May 2025 - dovecot - dovecot.org

Lots of problems with Dovecot 2.4
by sev+dovecot＠sev.monster 14 Aug '25

14 Aug '25

Hello all, I am trying to get Dovecot 2.4 running on Alpine Edge x86-64. But a myriad of problems have occurred that make it impossible to do so. First of all was the recent off-by-one bug that was recently fixed, which caused an unavoidable segfault on start under musl libc, which Alpine uses: https://gitlab.alpinelinux.org/alpine/aports/-/issues/17050 Then, I saw that the shadow driver was removed, which necessitated the installation of PAM and my learning about it... I haven't needed it before, so I'd never used it. I guess I understand why the decision was made to use PAM, though I still don't like it. After resolving those issue, I've run into new ones: 1. The passwd userdb does not seem to work correctly. It is able to get the first user and its information correctly, but any attempts to look up any user after that will seemingly always use the information from the first matched user. Setting max auths to 1 so that the auth process is discarded afterwards does not seem to help. For example, if the first user to log in to Dovecot is bob, and then user joe logs in, the information returned from the passwd userdb will all be that of user bob, not joe. This continues for all subsequent userdb lookups until Dovecot is restarted, and a new userdb lookup is persisted. Changing to passwd-file instead works and does not experience this problem. 2. Why is the only available username field for the passwd driver %{passwd:system_groups_user}? I understand what the purpose of the field is based on the docs, but shouldn't more than this be exposed? The fields available through passwd are also not documented, and I had to read the source to find them out. This should either be documented or a more standard username field be additionally exposed as with other drivers. Can this field even be relied on to use as the username, if the driver otherwise worked? 3. It seems the Exim auth driver is no longer able to successfully authenticate with Dovecot 2.4 against Exim 4.98.2. It works fine in the last version of 2.3.21.1. Has the authentication framework changed along with the other modifications that 2.4 underwent? Has any effort been made with the Exim team to resolve any incompatibilities? Can I somehow diagnose this issue if it's otherwise supposed to work? 4. The ldap driver can no longer look up missing fields from LDAP users. Some (but not all) of my users have the rfc2307bis schema posixAccount supplemental objectClass, and as such contain the posixHome, uidNumber, and gidNumber attributes—but even if I specify a default value, if one of the attributes is not queryable for the returned user, the lookup errors out and the login fails. This is a regression/undocumented change from 2.3.x, where instead of erroring out, the default_fields value would be used. Based on my interpretation of the design goals for 2.4, I would imagine the default filter would ignore the missing attribute error and set the default value like default_fields used to, no? Or am I missing something? 5. passdb_ldap_filter is always required for the ldap passdb driver, even if passdb_ldap_bind is enabled. Not only does this go against the docs, but the value is unused and it doesn't matter what it's set to. This is a regression from 2.3.x. Overall I am very unimpressed by 2.4. It clearly needed a lot more time in the oven and much more thorough testing. Relevant minimal config from my working 2.3.21.1 install: auth_username_format = %Ln auth_mechanisms = plain login passdb { driver = shadow } userdb { driver = passwd override_fields = gid=mail home=/var/mail/%Ln } passdb { driver = ldap args = /etc/dovecot/ldap-passdb.conf.ext #uris = ldapi://%2frun%2fopenldap%2fslapd.sock #base = ou=accounts,dc=ldap #auth_bind = yes #auth_bind_userdn = uid=%Ln,ou=accounts,dc=ldap } userdb { driver = ldap default_fields = uid=mail gid=mail home=/var/mail/%Ln args = /etc/dovecot/ldap-userdb.conf.ext #uris = ldapi://%2frun%2fopenldap%2fslapd.sock #dn = cn=dovecot,dc=ldap #dnpass = "some pw" #base = ou=accounts,dc=ldap #iterate_filter = (objectClass=inetOrgPerson) #iterate_attrs = uid=username #user_filter = (&(objectClass=inetOrgPerson)(uid=%Ln)) #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid } mail_location = maildir:/var/mail/%Ln mail_plugins = $mail_plugins virtual namespace inbox { inbox = yes mailbox INBOX { auto = subscribe } } namespace virtual { type = private separator = . prefix = "Search Folders." location = virtual:/etc/dovecot/virtual:INDEX=~/dovecot-virtual.cache:CONTROL=~/dovecot-virtual.cache:VOLATILEDIR=~/dovecot-virtual.cache # virtual/All/dovecot-virtual: #!INBOX #* #-Junk #-Junk* #-Spam #-Spam* #-Trash #-Trash* #-Deleted #-Deleted* #-Deleted Items #-Deleted Items* # all hidden = yes list = children subscriptions = no mailbox All { auto = subscribe special_use = \All comment = All messages, excluding Junk and Trash } } namespace virtual-user { type = private separator = . prefix = "User Search Folders." location = virtual:~/.virtual:INDEX=~/dovecot-virtual-user.cache:CONTROL=~/dovecot-virtual-user.cache:VOLATILEDIR=~/dovecot-virtual-user.cache:LAYOUT=maildir++ hidden = yes list = children subscriptions = no } service auth { unix_listener auth-userdb { # restrict userdb to dovecot user/group only instead of world read/write mode = 0660 user = $default_internal_user group = $default_internal_group } unix_listener auth-client { # give Exim access to native authentication mode = 0660 group = exim } } service auth-worker { # no need to run as root user = $default_internal_user # allow pam passdb to read /etc/shadow group = shadow } !include_try /usr/share/dovecot/protocols.d/*.conf protocol imap { mail_max_userip_connections = 25 } protocol pop3 { mail_max_userip_connections = 25 } Converted config for 2.4: dovecot_config_version = 2.4.1 dovecot_storage_version = 2.4.1 mail_home = /var/mail/%{user | username | lower } mail_driver = maildir mail_path = $SET:mail_home mail_plugins = virtual auth_username_format = %{user | username | lower } auth_mechanisms = plain login passdb pam { failure_show_msg = yes max_requests = 1 } userdb passwd-file { passwd_file_path = /etc/passwd fields { gid = mail } } # BUG: doesn't work right #userdb passwd { # fields { # gid = mail # } #} passdb ldap { ldap_uris = ldapi://%2frun%2fopenldap%2fslapd.sock ldap_connection_group = login ldap_base = ou=accounts,dc=ldap ldap_bind = yes ldap_bind_userdn = uid=%{user | username | lower },ou=accounts,dc=ldap # XXX: thought this wasnt needed with bind? ldap_filter = z } userdb ldap { ldap_uris = ldapi://%2frun%2fopenldap%2fslapd.sock ldap_auth_dn = cn=dovecot,dc=ldap ldap_auth_dn_password = "some pw" ldap_base = ou=accounts,dc=ldap ldap_filter = (&(objectClass=inetOrgPerson)(uid=%{user | username | lower })) fields { username = %{ldap:uid} # BUG: causes errors if rfc2307bis posixAccount objectClass is not set home = %{ldap:homeDirectory | default($SET:mail_home)} uid = %{ldap:uidNumber | default(mail)} gid = %{ldap:gidNumber | default(mail)} } ldap_iterate_filter = (objectClass=inetOrgPerson) iterate_fields { username = %{ldap:uid} } } namespace inbox { inbox = yes mailbox INBOX { auto = subscribe } } namespace virtual { type = private separator = . prefix = "Search Folders." mail_driver = virtual mail_path = /etc/dovecot/virtual # virtual/All/dovecot-virtual: #!INBOX #* #-Junk #-Junk* #-Spam #-Spam* #-Trash #-Trash* #-Deleted #-Deleted* #-Deleted Items #-Deleted Items* # all mail_index_path = ~/dovecot-virtual.cache mail_control_path = ~/dovecot-virtual.cache mail_volatile_path = ~/dovecot-virtual.cache hidden = yes list = children subscriptions = no mailbox All { auto = subscribe special_use = \All comment = All messages, excluding Junk and Trash } } namespace virtual-user { type = private separator = . prefix = "User Search Folders." mail_driver = virtual mail_path = ~/dovecot-virtual-user mail_index_path = ~/dovecot-virtual-user.cache mail_control_path = ~/dovecot-virtual-user.cache mail_volatile_path = ~/dovecot-virtual-user.cache mailbox_list_layout = Maildir++ hidden = yes list = children subscriptions = no } service auth { unix_listener auth-userdb { # restrict userdb to dovecot user/group only instead of world read/write mode = 0660 } unix_listener auth-client { # give Exim access to native authentication mode = 0660 group = exim } } service auth-worker { # no need to run as root user = $SET:default_internal_user # allow pam passdb to read /etc/shadow group = shadow } protocols = imap pop3 protocol imap { mail_max_userip_connections = 25 } protocol pop3 { mail_max_userip_connections = 25 } In addition to help with the noted issues, I'd also love if anyone more knowledgeable on Dovecot 2.4 could give any pointers on my config and if I could improve the translation in any way, given I have been fumbling around with it for weeks and am not really sure if my various decisions are correct. Best regards.

7 8

[Patch] Allow sieve redirects to specified domains only
by Kadlecsik József 10 Aug '25

10 Aug '25

Hello, The use case is simple: we have to forbid sieve redirects to outside, but should be able to redirect inside. The patch below adds a new sieve configuration option sieve_allowed_redirects to list the domains to which redirects are permitted and otherwise are not allowed. Please consider it. diff --git a/pigeonhole/doc/example-config/conf.d/90-sieve.conf b/pigeonhole/doc/example-config/conf.d/90-sieve.conf index 238bcf4..3b4ac65 100644 --- a/pigeonhole/doc/example-config/conf.d/90-sieve.conf +++ b/pigeonhole/doc/example-config/conf.d/90-sieve.conf @@ -126,6 +126,10 @@ plugin { # script execution. If set to 0, no redirect actions are allowed. #sieve_max_redirects = 4 + # The comma/space separated list of email domains where redirection is allowed. + # If the list is empty, there is no restriction. + sieve_allowed_redirects = + # The maximum number of personal Sieve scripts a single user can have. If set # to 0, no limit on the number of scripts is enforced. # (Currently only relevant for ManageSieve) diff --git a/pigeonhole/src/lib-sieve/cmd-redirect.c b/pigeonhole/src/lib-sieve/cmd-redirect.c index 6a3b0a4..17e9031 100644 --- a/pigeonhole/src/lib-sieve/cmd-redirect.c +++ b/pigeonhole/src/lib-sieve/cmd-redirect.c @@ -107,6 +107,24 @@ const struct sieve_action_def act_redirect = { .commit = act_redirect_commit, }; +static bool +cmd_redirect_allowed(struct sieve_instance *svinst, + const struct smtp_address *to_address) +{ + const char **domain; + bool result = TRUE; + + if (!svinst->allowed_redirects) + return TRUE; + for (domain = svinst->allowed_redirects; *domain != NULL; ++domain) { + if (strcasecmp(*domain, to_address->domain) == 0) { + return TRUE; + } + result = FALSE; + } + return result; +} + /* * Validation */ @@ -127,6 +145,12 @@ cmd_redirect_validate(struct sieve_validator *validator, if (!sieve_validator_argument_activate(validator, cmd, arg, FALSE)) return FALSE; + if (svinst->max_redirects == 0) { + sieve_command_validate_error(validator, cmd, + "local policy prohibits the use of a redirect action"); + return FALSE; + } + /* We can only assess the validity of the outgoing address when it is * a string literal. For runtime-generated strings this needs to be * done at runtime. @@ -148,14 +172,17 @@ cmd_redirect_validate(struct sieve_validator *validator, } } T_END; + if (!result && + !cmd_redirect_allowed(svinst, + sieve_address_parse_str(raw_address, &error))) { + sieve_command_validate_error(validator, cmd, + "local policy prohibits the use of a redirect action"); + return FALSE; + } + return result; } - if (svinst->max_redirects == 0) { - sieve_command_validate_error(validator, cmd, - "local policy prohibits the use of a redirect action"); - return FALSE; - } return TRUE; } @@ -238,6 +265,11 @@ cmd_redirect_operation_execute(const struct sieve_runtime_env *renv, "local policy prohibits the use of a redirect action"); return SIEVE_EXEC_FAILURE; } + if (!cmd_redirect_allowed(svinst, to_address)) { + sieve_runtime_error(renv, NULL, + "local policy prohibits the use of a redirect action"); + return SIEVE_EXEC_FAILURE; + } if (sieve_runtime_trace_active(renv, SIEVE_TRLVL_ACTIONS)) { sieve_runtime_trace(renv, 0, "redirect action"); diff --git a/pigeonhole/src/lib-sieve/sieve-common.h b/pigeonhole/src/lib-sieve/sieve-common.h index e79fb4d..d980c9d 100644 --- a/pigeonhole/src/lib-sieve/sieve-common.h +++ b/pigeonhole/src/lib-sieve/sieve-common.h @@ -209,6 +209,7 @@ struct sieve_instance { const struct smtp_address *user_email, *user_email_implicit; struct sieve_address_source redirect_from; unsigned int redirect_duplicate_period; + const char **allowed_redirects; }; /* diff --git a/pigeonhole/src/lib-sieve/sieve-settings.c b/pigeonhole/src/lib-sieve/sieve-settings.c index 47f70da..70addc7 100644 --- a/pigeonhole/src/lib-sieve/sieve-settings.c +++ b/pigeonhole/src/lib-sieve/sieve-settings.c @@ -267,4 +267,10 @@ void sieve_settings_load(struct sieve_instance *svinst) svinst->user_email = address; } } + svinst->allowed_redirects = NULL; + str_setting = sieve_setting_get(svinst, "sieve_allowed_redirects"); + if (str_setting != NULL && *str_setting != '\0') { + svinst->allowed_redirects = + (const char **)p_strsplit_spaces(svinst->pool, str_setting, ", "); + } } Best regards, Jozsef -- E-mail : kadlecsik.jozsef(a)wigner.hun-ren.hu PGP key: https://wigner.hu/~kadlec/pgp_public_key.txt Address: Wigner Research Centre for Physics H-1525 Budapest 114, POB. 49, Hungary

2 1

Re: Problem email client iPhone ios18.2
by Michael Slusarz 17 Jun '25

17 Jun '25

Timo confirmed this type of message (see below) breaks iOS mail clients regardless of the IMAP server used. So it is almost certainly a client issue. We are in contact with the Apple Mail developers and have provided this debug information to them. michael > On 02/10/2025 7:19 AM MST Timo Sirainen via dovecot <dovecot(a)dovecot.org> wrote: > > > On 10. Feb 2025, at 15.24, Florian Effenberger via dovecot <dovecot(a)dovecot.org> wrote: > > > > Hello, > > > > frido--- via dovecot wrote on 10.02.25 at 14:07: > >> The problem as described at the start of this thread is not solved in iOS 18.3. A bit more testing shows that it only appears to happen with attachments around 1MB and bigger. > > > > there seem to be two kind of problems, at least on my devices. > > I'm also wondering if there are multiple issues. I have one way of easily reproducing, but it has nothing to do with IMAP IDLE. Here's a test email which causes the hang - snipped it a bit in the middle which you can fill out yourself with: > > dd if=/dev/urandom bs=1024 count=3432 | base64 -w76 > > If you want to test multiple times, change Message-Id for every delivery. This mail can be simply saved to INBOX, e.g. with doveadm save: > > To: <user(a)example.com> > Subject: testing > Content-Type: multipart/mixed; boundary="foo" > Date: Tue, 17 Dec 2024 06:46:17 +0000 > From: <user(a)example.com> > Message-Id: <fooab(a)example.com> > > > > --foo > Content-Type: multipart/alternative; boundary="bar" > > --bar > Content-Transfer-Encoding: quoted-printable > Content-Type: text/html; charset=UTF-8 > > asdf > --bar-- > > --foo > Content-Description: test.pdf > Content-Disposition: attachment; filename="test.pdf" > Content-Transfer-Encoding: base64 > Content-Type: application/octet-stream; name="test.pdf" > > > lBjZO0luFuyUiOqQ8KPTTpMyPoNhlSTPPJauDuCVSwbZgaNyhnObul5qrdyPKo0NGiQKA3Kha34A > <61642 lines of random> > 4cNyk39T2wMsnQavfl8LXwG1vNQylpgmSN4p6fOpmGqQ > > --foo-- > > _______________________________________________ > dovecot mailing list -- dovecot(a)dovecot.org > To unsubscribe send an email to dovecot-leave(a)dovecot.org

3 3

GSSAPI authentication for sieve
by Paul Zirnik 05 Jun '25

05 Jun '25

Hi all, I try to get GSSAPI working for sieve. I already found there was an issue with GSSAPI in dovecot 2.4 and applied the patch from this thread https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/MWCLQ… With the patch GSSAPI now works for imap. I do test this with "imtest" from cyrus tools imat@speedy:~> imtest -v -p 143 -u imat -m GSSAPI manitou.disconnected.homeip.net S: * OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS ID ENABLE IDLE SASL-IR LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready. C: A01 AUTHENTICATE GSSAPI YIIDIgYJKoZIhvcSAQICAQBuggMRMIIDDaADAgEFoQMCAQ6iBwMFACAAAACjggIaYYICFjCCAhKgAwIBBaEZGxdESVNDT05ORUNURUQuSE9NRUlQLk5FVKIyMDCgAwIBA6EpMCcbBGltYXAbH21hbml0b3UuZGlzY29ubmVjdGVkLmhvbWVpcC5uZXSjggG6MIIBtqADAgESoQMCAQKiggGoBIIBpFcei+vGql9tb5TpNjKFgdKAo7p1IiSW8DXPJR2GkCrHVrm0LdtsUaky4zOCskwEQkLURA8CuxM5HGmXT38O56434VTStpRHWZx7Xu43UHHJpOjdf76YYqnIA7WEk76QQyUpnO3hQWCEwyAPf1GhQKGDWCosHEuvn3jNE8t8fWmnRtWSgr35w5GD9OHsYKwca14yUruNU/qfVL9I41bjiFcJ1FFjMyVa/+ogghBm4jDoiFTV7vB8WYpx8Vuuev0d48TZDqv7Kf5/G8TgH3bc59VLjCemLAzTjOQ4mZxTXBEh9OpibKPUozRd266ao7dAD4OHMWNORXKqWl/Ch0iC7q/QEg/qY7E0dm7wqMDROrzmaxWW8p5+y69AbjwylsgivknVcTmbQjVnGGvniDLTke8O6CvqeIum/uUli2FyBmSUt8kVju1GIfoysFP8BEu6gDXdbcsG2XbuoTvfzLyJNT7eomILhF9nZI1vFariqF3TJLo14/L4OCG05RrAH3o8kHTkUMz8rrZj5y0yzfQqlME66yBRezRRSccrrD5AWdHzRMvw26SB2TCB1qADAgESooHOBIHLTo7UMx+G8Q+Ly+Mmj35JBfLm+SWeCV1YGcJQ8O1hI6F3pKh4fMjx5L9v4v4NzbDWpZ8YlQtSBcDgyebiZjHaeqGf4bIcOaGyzfor3DhAn0q0n0Zx/SKJiTJuT9eT0pHwb/yaT9MzOZTP6C5HuXgxUN/2Po2qNwkzaU5gOH+sOYu6Y0AKoKGlkIQHejzns70FehWRn8wBbu8T9+8zKRU0qmBQXnqg/C10pSW7EUVD37VPhY0kLY6SB77KS/8aguWWC3OVAfw6bcAXVVM= S: + YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvzFWfR5FTOl77CqiMZ7qWR4I6JqXdi0JbIG4xTYJNYvQSsvxAxyfEiGINTMW5QytlcMvfiJpTj0U2Fd3Hr/MzLcCeCRwJ9jTg8m2E1ZgpmzmpXzl7xGq+MRIvetu3Wdgxum+ZQ8jPS1obTnI1Vh7I C: S: + BQQF/wAMAAAAAAAAHJz31AH///+2dWHfKNY/6f01FUw= C: BQQE/wAMAAAAAAAABI42iwEAAABpbWF0C53m6npnJwjAfaEu S: A01 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE REPLACE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW SPECIAL-USE STATUS=SIZE SAVEDATE COMPRESS=DEFLATE INPROGRESS NOTIFY LITERAL+] Logged in Authenticated. Security strength factor: 0 C: Q01 LOGOUT * BYE Logging out Q01 OK Logout completed (0.001 + 0.000 secs). Connection closed. When i try to use "sivtest" from cyrus tools, this does hang and it looks like sievtest is still waiting for some data imat@speedy:~> sivtest -v -p 4190 -u imat -m GSSAPI manitou.disconnected.homeip.net S: "IMPLEMENTATION" "Dovecot Pigeonhole" S: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include body variables enotify environment mailbox date index ihave duplicate mime foreverypart extracttext" S: "NOTIFY" "mailto" S: "SASL" "GSSAPI" S: "STARTTLS" S: "VERSION" "1.0" S: OK "Dovecot ready." C: AUTHENTICATE "GSSAPI" {1076+} YIIDIwYJKoZIhvcSAQICAQBuggMSMIIDDqADAgEFoQMCAQ6iBwMFACAAAACjggIbYYICFzCCAhOgAwIBBaEZGxdESVNDT05ORUNURUQuSE9NRUlQLk5FVKIzMDGgAwIBA6EqMCgbBXNpZXZlGx9tYW5pdG91LmRpc2Nvbm5lY3RlZC5ob21laXAubmV0o4IBujCCAbagAwIBEqEDAgECooIBqASCAaTS89GNFHQk6FCilKJkEP8Xl27g/A8b1T0pxGwipjYBug0+bprqG0xJucYaULvqi1PnTI+A6WJesi2434B+L0WAv1sdWhI60SpmmfnsZPD8uqbJmZEFMj9bQnS4VbNgduhEA+pgYp85q0PcP3I5DcMeypIC7rk2hv15qYnVSYhND/P3tOANikXc5JB3cWnnPc79gRW+Ozi75waihMIv7C3UvllUtb2tTUKqdGwz2D9/BT3e1ZfcueaWznhXmzieh4dHZyqvbm4UVVUuc4paI1QMUrImy6zEfXjEH0O8dbZN3FbiKjCdP7E/zFtd6PkWaI0lgk8qGP1JqaFtGgqo+EcDEgyh4DoTRuNGGJp7n1zmQGkgIHzsUNR+SydUhWijdWJSegeIrGsZ4/s8YZupdxpC8g1qComP0+holawe9/iAnCxmRNGrNXDSRnL8wMaVAgm7t0SrBUSOm/YHKZSlHpMIWw438Dp/FdWwuCm2jA5pTksRbzmpS9fguMwp65bX0xh/a0NkI2VWJfwUmgqws3LRv1WHsn2FB/k+w55oOMboOtO3SCCkgdkwgdagAwIBEqKBzgSBy9PZObV0yc813IAR4TwEzPtKepfhzLvT0vFekCieE0sCu7jig2m+bpKt1IbIngs+hiztVx4TXYJu/UjH8UKNYct7xFWAOamuh/Fp4AnTBQXxieMM9TGZsiot7NzH75kRUY6SifNYYbz579wBAMbPzId5n2NVdp2blEpaCDKhMdZf/AQqUj3eFbafs5ociy4cOfmQSNuW7hY4KpQ0JU0cdWQyh0+Xl+fE9tz1ctmRoTA4WIF3U1UcwB0CPxlFxlw6cW+OAP0mlWqJE5Yx S: "YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvEb5fwEVTKq3wm3xJawxEVD9Ngdz3tmzW5a8wJAh9lSRYSE0aJS97LvUtT1mWqZTFx5AZMJGfM7KpcbmJc3cOkVhe5lTUQDir58n1RywkyWYM6RvKd1Vzeonxt/AyJi7rN1CMR9VIh2KZUItIsz1y" here it hangs until timeout. May 24 10:10:36 manitou dovecot[45007]: auth(imat@disconnected.homeip.net,192.168.42.24,sasl:gssapi)<mh73Nt01+OHAqCoY>: Request timed out waiting for client to continue authentication (150 secs) May 24 10:11:06 manitou dovecot[45007]: managesieve-login: Login aborted: Inactivity during authentication (client didn't finish SASL auth, 1 attempts in 180 secs) (auth_waiting_client): user=<>, method=GSSAPI, rip=192.168.42.24, lip=192.168.42.42, session=<mh73Nt01+OHAqCoY> and sievtest does end with this S: BYE "Disconnected for inactivity during authentication." base64 decoding error Authentication failed. generic failure Security strength factor: 0 Connection closed. The "base64 decoding error" probably is unrelated as it does try to decode the "S: BYE .....". I also tested with other sieve clients, none does work (however different issues reported), while all tested imap clients do work. My guess is some small fix like the one from above is also needed for dovecot-pigeonhole. This is my used config manitou:~ # dovecot -n # 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf # Pigeonhole version 2.4.1-4 (0a86619f) # OS: Linux 6.14.6-1-default x86_64 # Hostname: manitou.disconnected.homeip.net # 4 default setting changes since version 2.4.0 dovecot_config_version = 2.4.0 auth_debug = yes auth_debug_passwords = yes auth_gssapi_hostname = manitou.disconnected.homeip.net auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = plain login gssapi dovecot_storage_version = 2.4.0 protocols { imap = yes lmtp = yes sieve = yes } protocol lmtp { auth_username_format = %{user | username} mail_plugins = sieve } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { } } namespace inbox { mail_driver = maildir mail_inbox_path = ~/Maildir/.INBOX mail_path = ~/Maildir inbox = yes separator = / } passdb pam { service_name = dovecot } userdb passwd { use_worker = yes } ssl_server { cert_file = /etc/ssl/servercerts/servercert.pem key_file = /etc/ssl/servercerts/serverkey.pem } service managesieve-login { } service managesieve { } sieve_script personal { active_path = ~/.dovecot.sieve path = ~/.sieve } What logs/infos are needed to dig into it ? thanks and regards, Tami

1 1

Fatal: Couldn't load required plugin /usr/lib/dovecot/lib90_sieve_plugin.so: dlopen() failed: Error relocating /usr/lib/dovecot/lib90_sieve_plugin.so: mail_deliver_get_return_address: symbol not found
by paradoor 04 Jun '25

04 Jun '25

Hi there, I have a Postfix/Dovecot server which today I upgraded from Alpine Linux 3.21 to 3.22. In the process, Dovecot updated from 2.3.21 to 2.4.1, and I updated my Dovecot config accordingly. At least `doveconf -n` runs without any error, and I'm able to start and run Dovecot. For context, I am using a passwd file where I enter usernames and argon2id passwords manually, since it's just a small mail server where I am the only user. The setup was working fine with Dovecot 2.3.x, and I've sent and received lots of mail before the update. However, I noticed that I'm no longer able to authenticate to the server since doing all the updates. I thought, maybe I should make sure the passwd file is correct with my password, so I tried running `doveadm pw -s argon2id`. I then got the error: `Fatal: Couldn't load required plugin /usr/lib/dovecot/lib90_sieve_plugin.so: dlopen() failed: Error relocating /usr/lib/dovecot/lib90_sieve_plugin.so: mail_deliver_get_return_address: symbol not found` I assume this is the cause of the problem, ie Dovecot isn't able to authenticate as this error occurs when a login attempt is made (I think?). I am not sure if this is an Alpine packaging issue or a Dovecot user issue, but just in case it's a user issue that I can fix myself, I thought to post here and ask if people know if there's something I can do to resolve this. I'm also posting to the Alpine mailing list in the case of it being an Alpine packaging issue. I've attached the output of `doveconf -n`; let me know if it's preferable to put this in the body of the email and I can send a reply with it in the body. `dovecot --version` is `2.4.1-4 (7d8c0e5759)`. Example `/var/log/dovecot.conf` authentication attempt: May 31 21:50:41 auth: Debug: conn unix:login (pid=21015,uid=91) [1]: client in: AUTH 4 PLAIN protocol=imap final-resp-ok secured=tls session=ElBsg3U25ou51Zrs lip=93.113.25.226 rip=185.213.154.236 lport=993 rport=35814 ssl_ja3_hash=422b5eb1ed3e9bdf65e87a42ed96ba1f local_name=mail.revsuine.xyz resp=<hidden> May 31 21:50:41 auth(${user | username},185.213.154.236,sasl:plain)<ElBsg3U25ou51Zrs>: Debug: passwd-file: Performing passdb lookup May 31 21:50:41 auth(${user | username},185.213.154.236,sasl:plain)<ElBsg3U25ou51Zrs>: Debug: passwd-file: lookup: user=${user | username} file=/etc/dovecot/passwd May 31 21:50:41 auth(${user | username},185.213.154.236,sasl:plain)<ElBsg3U25ou51Zrs>: Info: passwd-file: unknown user May 31 21:50:41 auth(${user | username},185.213.154.236,sasl:plain)<ElBsg3U25ou51Zrs>: Debug: passwd-file: Finished passdb lookup May 31 21:50:41 auth(${user | username},185.213.154.236,sasl:plain)<ElBsg3U25ou51Zrs>: Debug: Auth request finished May 31 21:50:41 auth(${user | username},185.213.154.236,sasl:plain)<ElBsg3U25ou51Zrs>: Debug: delaying auth failure May 31 21:50:43 auth: Debug: conn unix:login (pid=21015,uid=91) [1]: client passdb out: FAIL 4 user=${user | username} original_user=pid1 (The IP addresses are my public server IP address and a Mullvad VPN IP address, so not sensitive.) I'm using the same credentials and passwd file as before the update. Thanks in advance, appreciate any responses.

3 6

Crash in imapd
by Peter Chubb 02 Jun '25

02 Jun '25

Hi Folks, I'm seeing imapd crash when an evolution user accesses her primary mailbox. She can see the mailbox perfectly well using thunderbird or Apple Mail on an iPad; just not from her evolution instance. Version is 2.4.1-4 (7d8c0e5759) The error is an assertion failure: Panic: file istream-header-filter.c: line 665 (i_stream_header_filter_snapshot_free): assertion failed: (snapshot->mstream->snapshot_pending) I'm running on Debian unstable in an LXC container, using the Debian packaged version of dovecot. Filesystem for INBOX (mbox format) is XFS; home directories are mounted via NFS. The backtrace in gdb is: #0 0x00007f996709e95c in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007f9967049cc2 in raise () from /lib/x86_64-linux-gnu/libc.so.6 #2 0x00007f99670324ac in abort () from /lib/x86_64-linux-gnu/libc.so.6 #3 0x00007f9967265964 in ?? () from /usr/lib/dovecot/libdovecot.so.0 #4 0x00007f9967333cb7 in ?? () from /usr/lib/dovecot/libdovecot.so.0 #5 0x00007f99672656c0 in i_panic () from /usr/lib/dovecot/libdovecot.so.0 #6 0x00007f996725eab1 in ?? () from /usr/lib/dovecot/libdovecot.so.0 #7 0x00007f9967345bdc in i_stream_snapshot_free () from /usr/lib/dovecot/libdovecot.so.0 #8 0x00007f9967345bdc in i_stream_snapshot_free () from /usr/lib/dovecot/libdovecot.so.0 #9 0x00007f9967345c6c in i_stream_unref () from /usr/lib/dovecot/libdovecot.so.0 #10 0x00007f996752bf99 in ?? () from /usr/lib/dovecot/libdovecot-storage.so.0 #11 0x00007f996752c391 in ?? () from /usr/lib/dovecot/libdovecot-storage.so.0 #12 0x00007f996752c64c in index_mail_get_special () from /usr/lib/dovecot/libdovecot-storage.so.0 #13 0x00007f99674a570e in mail_get_special () from /usr/lib/dovecot/libdovecot-storage.so.0 #14 0x000055fb1f1b298a in fetch_snippet (ctx=0x55fb4c044168, mail=0x55fb4c070e88, preview=0x55fb4c070230) at ./src/imap/imap-fetch-body.c:610 #15 0x000055fb1f1b7ce3 in imap_fetch_more_int (ctx=ctx@entry=0x55fb4c044168, cancel=false) at ./src/imap/imap-fetch.c:562 #16 0x000055fb1f1b7fbd in imap_fetch_more (ctx=0x55fb4c044168, cmd=0x55fb4c043e98) at ./src/imap/imap-fetch.c:617 #17 0x000055fb1f1ac1c8 in cmd_fetch (cmd=0x55fb4c043e98) at ./src/imap/cmd-fetch.c:382 #18 0x000055fb1f1b5124 in command_exec (cmd=cmd@entry=0x55fb4c043e98) at ./src/imap/imap-commands.c:208 #19 0x000055fb1f1bb650 in client_command_input (cmd=<optimized out>, cmd@entry=0x55fb4c043e98) at ./src/imap/imap-client.c:1271 #20 0x000055fb1f1bb6e6 in client_command_input (cmd=<optimized out>, cmd@entry=0x55fb4c043e98) at ./src/imap/imap-client.c:1341 #21 0x000055fb1f1bb97d in client_command_input (cmd=<optimized out>) at ./src/imap/imap-client.c:1305 #22 0x000055fb1f1bbb55 in client_handle_next_command (client=0x55fb4c042a68, remove_io_r=<synthetic pointer>) at ./src/imap/imap-client.c:1383 #23 client_handle_input (client=client@entry=0x55fb4c042a68) at ./src/imap/imap-client.c:1397 #24 0x000055fb1f1bbf47 in client_input (client=0x55fb4c042a68) at ./src/imap/imap-client.c:1441 #25 0x00007f996735177b in io_loop_call_io () from /usr/lib/dovecot/libdovecot.so.0 #26 0x00007f99673535ea in io_loop_handler_run_internal () from /usr/lib/dovecot/libdovecot.so.0 #27 0x00007f9967353694 in io_loop_handler_run () from /usr/lib/dovecot/libdovecot.so.0 #28 0x00007f9967353868 in io_loop_run () from /usr/lib/dovecot/libdovecot.so.0 #29 0x00007f99672a6347 in master_service_run () from /usr/lib/dovecot/libdovecot.so.0 #30 0x000055fb1f1a6e27 in main (argc=<optimized out>, argv=<optimized out>) at ./src/imap/main.c:601 dovecot -n === # 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf # Pigeonhole version 2.4.1-4 (0a86619f) # OS: Linux 6.12.16-amd64 x86_64 Debian 13.0 # Hostname: wombat.chubb.wattle.id.au # 4 default setting changes since version 2.4.0 dovecot_config_version = 2.4.0 dovecot_storage_version = 2.4.0 first_valid_uid = 130 fts_autoindex = yes fts_autoindex_max_recent_msgs = 999 fts_search_add_missing = yes mail_access_groups = mail mail_driver = mbox mail_full_filesystem_access = yes mail_home = /home/%{user|username} mail_inbox_path = /var/mail/%{user} mail_index_path = /var/indices/%{user} mail_nfs_storage = yes mail_path = ~/Mail/ mail_privileged_group = mail protocols { imap = yes } ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+ECDHE-RSA-AES256-GCM-SHA384:+AES256:+CAMELLIA128:+AES128:+SSLv3:DES-CBC3-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA ssl_min_protocol = TLSv1 passdb pam { } userdb passwd { } namespace inbox { inbox = yes mailbox Drafts { special_use = "\\Drafts" } mailbox Junk { special_use = "\\Junk" } mailbox Trash { special_use = "\\Trash" } mailbox Sent { special_use = "\\Sent" } mailbox "Sent Messages" { special_use = "\\Sent" } mailbox Spam { special_use = "\\Junk" } } service imap-login { inet_listener imap { } inet_listener imaps { } } service pop3-login { inet_listener pop3 { } inet_listener pop3s { } } service submission-login { inet_listener submission { } inet_listener submissions { } } service lmtp { unix_listener lmtp { } } service imap { } service submission { } service auth { unix_listener auth-userdb { } } service auth-worker { } service dict { unix_listener dict { } } ssl_server { cert_file = /etc/dovecot/private/dovecot.pem key_file = /etc/dovecot/private/dovecot.key } passdb local { driver = pam } userdb local { driver = passwd } ---

2 1

Help Translating Dovecot 2.3 Proxy Configuration to 2.4
by Brent Clark 31 May '25

31 May '25

Hi all, I'm in the process of upgrading from Dovecot 2.3 to 2.4 and would appreciate some help translating an existing configuration that uses a proxy lookup for user and password databases. Here's the relevant 2.3 configuration: |passdb { driver =dict args =/etc/dovecot/dovecot-dict-auth.conf.ext } userdb { driver =dict args =/etc/dovecot/dovecot-dict-auth.conf.ext } uri= proxy:/var/run/mail_directory_service/socket:somewhere password_key= passdb/%u user_key= userdb/%u iterate_disable= yes | This configuration was working fine in 2.3 to proxy user and password lookups to an external service via a Unix socket. However, Dovecot 2.4 has reworked configuration parsing, and this syntax no longer appears valid. I couldn’t find a direct equivalent in the 2.4 documentation. Could someone advise how this should be adapted for 2.4? What’s the correct way to specify the proxy: URI in 2.4? Are password_key and user_key still supported, or should I be using a different mechanism? Is iterate_disable = yes still relevant or required in this context? Any guidance, examples, or pointers to migration resources would be very helpful. Thanks in advance, Brent Clark Hi all, I'm in the process of upgrading from Dovecot 2.3 to 2.4 and would appreciate some help translating an existing configuration that uses a proxy lookup for user and password databases. Here's the relevant 2.3 configuration: passdb { driver =dict args =/etc/dovecot/dovecot-dict-auth.conf.ext } userdb { driver =dict args =/etc/dovecot/dovecot-dict-auth.conf.ext } uri = proxy:/var/run/mail_directory_service/socket:somewhere password_key = passdb/%u user_key = userdb/%u iterate_disable = yes This configuration was working fine in 2.3 to proxy user and password lookups to an external service via a Unix socket. However, Dovecot 2.4 has reworked configuration parsing, and this syntax no longer appears valid. I couldn’t find a direct equivalent in the 2.4 documentation. Could someone advise how this should be adapted for 2.4? What’s the correct way to specify the proxy: URI in 2.4? Are password_key and user_key still supported, or should I be using a different mechanism? Is iterate_disable = yes still relevant or required in this context? Any guidance, examples, or pointers to migration resources would be very helpful. Thanks in advance, Brent Clark

6 11

Panic with FTS_BACKEND_FLAG_TOKENIZED_INPUT and virtual mailboxes: file index-search-result.c: line 132
by markus-dovecot＠doits.de 30 May '25

30 May '25

Originally posted and debugged here: https://github.com/slusarz/dovecot-fts-flatcurve/issues/66 I have to following panic with fts flatcurve enabled: ``` Panic: file index-search-result.c: line 132 (index_search_result_update_flags): assertion failed: (result->search_args->args == &search_arg) Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(backtrace_append+0x46) [0x74e9890a2846] -> /usr/lib/dovecot/libdovecot.so.0(backtrace_get+0x22) [0x74e9890a2962] -> /usr/lib/dovecot/libdovecot.so.0(+0x10d81b) [0x74e9890af81b] -> /usr/lib/dovecot/libdovecot.so.0(+0x10d8b7) [0x74e9890af8b7] -> /usr/lib/dovecot/libdovecot.so.0(+0x5e2e2) [0x74e9890002e2] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x518a4) [0x74e9891d38a4] -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(virtual_storage_sync_init+0x274e) [0x74e988bf8a9e] -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x5c) [0x74e9891eff9c] -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync+0x39) [0x74e9891f0039] -> dovecot/imap(cmd_select_full+0x1df) [0x62354bd8326f] -> dovecot/imap(command_exec+0xa4) [0x62354bd8b444] -> dovecot/imap(+0x22392) [0x62354bd89392] -> dovecot/imap(+0x22444) [0x62354bd89444] -> dovecot/imap(client_handle_input+0x1bd) [0x62354bd8989d] -> dovecot/imap(client_input+0x74) [0x62354bd89e64] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x6d) [0x74e9890c603d] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x13a) [0x74e9890c77aa] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x54) [0x74e9890c60e4] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x40) [0x74e9890c62a0] -> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x17) [0x74e989036ad7] -> dovecot/imap(main+0x570) [0x62354bd7ad20] -> /lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x74e988c29d90] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x74e988c29e40] -> dovecot/imap(_start+0x25) [0x62354bd7ade5] ``` It happens when accessing virtual folder with filters like this: ``` something-*/excep-dev* header x-abc-exception "1" ``` The error happens on subsequent access of the folder: - Removing dovecot.index{,.log} files allows to access the virtual folder again - dovecot.index gets recreated on access and the folder can be accessed multiple times - Marking an e-mail read triggers the error, though! Now each next access raises the error - Removing dovecot.index{,.log} restores access again and the e-mails are still marked as read (so this information is not lost), until the next e-mail is marked as read: then the folder cannot be accessed again Slusarz debugged the backtrace and wrote a detailed description at https://github.com/slusarz/dovecot-fts-flatcurve/issues/66#issuecomment-229… which I'll quote here: > This is not a flatcurve bug - it is a bug within Dovecot's indexing/fts handling. > > (Detailed debug below, so that core team can understand the problem.) > > As discussed above, this bug is triggered with virtual mailboxes on subsequent accesses. The initial access will work fine; the assert crash only happens when the Dovecot lib-storage index code reads the indexes created for the virtual mailboxes. > > `index_search_result_update_appends()` in lib-storage/index/index-search-result.c > > * Inside this function, a "temporary search parameter to limit the search only to the new messages" is added to the mail search args. Later, it is checked that the mail_search args points to this same search parameter after the search is executed. It is this assert check that is failing, because the mail args is changing during the course of the search. > > * `i_assert(result->search_args->args == &search_arg);` > > > The search args are being altered in plugins/fts/fts-search.args.c, `fts_search_args_expand()`. Specifically, in that function, either `fts_search_args_expand_language_top_level()` or `fts_search_args_expand_tree()` is being called, which can replace the current args parameter with a new pointer. > > `fts_search_args_expand()` is being called in plugins//fts/fts-search.c by `fts_search_try_lookup()` when the FTS backend has the FTS_BACKEND_FLAG_TOKENIZED_INPUT flag set. Flatcurve has this flag set. > > This flag is defined in plugins/fts/fts-api-private.h. Comments say: > > ``` > /* Tokenize all the input. update_build_more() will be called a single > directly indexable token at a time. Searching will modify the search > args so that lookup() sees only tokens that can be directly > searched. */ > ``` > > Thus, the comments explicitly say the search args will be modified if this flag is set. This modification is incompatible with the assert check in `index_search_result_update_appends()`, which requires that the search args not be modified. > > The core team will have to determine whether this behavior is correct, or if the assert check is invalid. You can find some more discussion at https://github.com/slusarz/dovecot-fts-flatcurve/issues/66, but I think the most important part (the very detailed analysis from Slusarz, thanks again!) might be enough to understand and maybe fix the problem. Relevant information about the mail system: ``` # 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.21 (f6cd4b8e) # OS: Linux 6.5.0-45-generic x86_64 Ubuntu 22.04.4 LTS [...] namespace { location = virtual:~/virtual:LAYOUT=maildir++ prefix = _/ separator = / } [...] plugin { acl = vfile acl_shared_dict = file:/var/lib/dovecot/db/shared fts = flatcurve fts_autoindex = yes fts_filters = normalizer-icu snowball stopwords fts_filters_en = lowercase snowball stopwords fts_languages = de en fts_tokenizer_email_address = maxlen=100 fts_tokenizer_generic = algorithm=simple maxlen=30 fts_tokenizers = generic email-address sieve = file:~/sieve;active=~/.dovecot.sieve } [...] ``` I can provide more information if you need. Thanks for looking into it!

2 2

RE: dragging files into mail folders
by Marc 30 May '25

30 May '25

If I drag files in imap folders in outlook they will show up in eg roundcube/thunderbird as winmail.dat. So I guess this is just a microsoft thing. Would be nice if there were plugins that would add functionality that unwrapped these winmail.dat files. > > > If i Understood correctly you are looking for a software like > > roundcube or something right ?. > > Not necessarily, but would be a good start. Question is if the imap > allows to store these files directly. > > > > that offers ajax based GUI that allows > > you to drap and drop mails into folders. > > Files not mails. .jpg, .odt, .txt etc > > > > > > > > With exchange and outlook I was always used to sometimes drag files > > into mail folders. Is something like this available for imap? Or maybe > a > > dovecot extension? > > > > > > (obviously I am not looking for a solution to store them as > > attachments to mails) > > > _______________________________________________ > > > dovecot mailing list -- dovecot(a)dovecot.org > > > To unsubscribe send an email to dovecot-leave(a)dovecot.org

2 2

dragging files into mail folders
by Marc 28 May '25

28 May '25

With exchange and outlook I was always used to sometimes drag files into mail folders. Is something like this available for imap? Or maybe a dovecot extension? (obviously I am not looking for a solution to store them as attachments to mails)

1 0