Hi List, Hi Aki,
On 2026-04-21 13:46:49, Aki Tuomi via dovecot wrote:
For one, it's documented:
https://doc.dovecot.org/2.4.3/core/config/auth/databases/ldap.html#ldap_base
this is to avoid LDAP injection attack on authentication, CVE-2026-27860
But you're right, it should've been in the 2.4.x page.
The matches change we have to check, matching was changed due to certain patterns causing assert crashes.
Aki
On 21/04/2026 14:37 EEST Patrick Cernko via dovecot <dovecot@dovecot.org> wrote:
- The behavior of sieve matches using ":matches" has changed:
Example email (only the relevant header): List-Id: Dovecot Mailing List <dovecot.dovecot.org>
Example Sieve script: if header :matches "List-Id" "*<dovecot*.dovecot.org>" { fileinto "dovecot"; }
In 2.4.2 (and earlier) the example email matched the condition and got stored in the dovecot folder, while in 2.4.3 the condition does NOT match. As a workaround I added a '*' at the end of the match ("*<dovecot*.dovecot.org>*") to get my mails stored correctly again.
Is this changed behavior for Sieve intentional or a bug? In case of a bug, could you please provide a fix?
In case of intentional behavior:
- Could you please explain the intention? Why was it necessary?
- What would be the correct fix for the sieve example to match a List-Id header that ENDS WITH ".dovecot.org>"?
- I assume, that other users on my servers will run into similar problems once I upgrade their servers. Is it possible to detect such problematic matches in Sieve scripts? E.g. "all matches without a trailing '*' are affected", ... This would give me a chance, to inform my users or even fix their scripts in advance.
for the record: The mentioned changed behavior of sieve matches has been reverted in 2.4.4, as mentioned in the changelogs:
- lib-sieve: matches - Fix trailing literal match when it fills value exactly. v2.4.3 regression.
At least my specific case now works as before 2.4.3 again.
Thank you for the fix!
Patrick Cernko <pcernko@mpi-klsb.mpg.de> +49 681 9325 5815 Joint Scientific IT and Technical Service Max-Planck-Institute für Informatik & Softwaresysteme