On 31/05/2025 20:31 EEST via dovecot <dovecot@dovecot.org> wrote:
Hello all,
I am trying to get Dovecot 2.4 running on Alpine Edge x86-64. But a myriad of problems have occurred that make it impossible to do so.
First of all was the recent off-by-one bug that was recently fixed, which caused an unavoidable segfault on start under musl libc, which Alpine uses: https://gitlab.alpinelinux.org/alpine/aports/-/issues/17050
Then, I saw that the shadow driver was removed, which necessitated the installation of PAM and my learning about it... I haven't needed it before, so I'd never used it. I guess I understand why the decision was made to use PAM, though I still don't like it.
After resolving those issue, I've run into new ones:
The passwd userdb does not seem to work correctly. It is able to get the first user and its information correctly, but any attempts to look up any user after that will seemingly always use the information from the first matched user. Setting max auths to 1 so that the auth process is discarded afterwards does not seem to help. For example, if the first user to log in to Dovecot is bob, and then user joe logs in, the information returned from the passwd userdb will all be that of user bob, not joe. This continues for all subsequent userdb lookups until Dovecot is restarted, and a new userdb lookup is persisted. Changing to passwd-file instead works and does not experience this problem.
Why is the only available username field for the passwd driver %{passwd:system_groups_user}? I understand what the purpose of the field is based on the docs, but shouldn't more than this be exposed? The fields available through passwd are also not documented, and I had to read the source to find them out. This should either be documented or a more standard username field be additionally exposed as with other drivers. Can this field even be relied on to use as the username, if the driver otherwise worked?
It seems the Exim auth driver is no longer able to successfully authenticate with Dovecot 2.4 against Exim 4.98.2. It works fine in the last version of 2.3.21.1. Has the authentication framework changed along with the other modifications that 2.4 underwent? Has any effort been made with the Exim team to resolve any incompatibilities? Can I somehow diagnose this issue if it's otherwise supposed to work?
The ldap driver can no longer look up missing fields from LDAP users. Some (but not all) of my users have the rfc2307bis schema posixAccount supplemental objectClass, and as such contain the posixHome, uidNumber, and gidNumber attributes—but even if I specify a default value, if one of the attributes is not queryable for the returned user, the lookup errors out and the login fails. This is a regression/undocumented change from 2.3.x, where instead of erroring out, the default_fields value would be used. Based on my interpretation of the design goals for 2.4, I would imagine the default filter would ignore the missing attribute error and set the default value like default_fields used to, no? Or am I missing something?
passdb_ldap_filter is always required for the ldap passdb driver, even if passdb_ldap_bind is enabled. Not only does this go against the docs, but the value is unused and it doesn't matter what it's set to. This is a regression from 2.3.x.
Overall I am very unimpressed by 2.4. It clearly needed a lot more time in the oven and much more thorough testing.
We unfortunately aren't able to test all possible combinations that our community users, and these problems that you described are are mostly problems with musl-libc, so with Alpine I would probably wait until next release. Testing under every possible combination under the sun is not really possible for us at this moment, so we focus on the things we support with Pro.
- You can't combine things like that unfortunately. You could try instead %{ldap:homeDirectory | default} (this will default to empty string).
Also default needs '' if you want to return exactly mail, so default('mail') would probably work. default(mail) does something totally different.
- We'll look at fixing that.
Aki