On Fri, Mar 27, 2026 at 11:26 AM Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
Hi!
We are happy to publish version 2.4.3 of Dovecot and Pigeonhole. These contain several CVEs, discovered by external researches. The majority of these have been discovered with help of automated code analysis tools like claude code security, which is why some of these are rather old, missed bugs.
No new supported distros have been added or old removed, no new dependencies have been added.
Note that there are experimental features in 2.4, one is enabled with
--enable-experimental-mail-utf8, and another with--enable-experimental-imap4rev2, and you also need to set mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them in config.https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz.sig https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz
https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz....
Binary packages in https://repo.dovecot.org/ Docker images in https://hub.docker.com/r/dovecot/dovecot
Using the same configure options I used for dovecot-2.4.2, I end up with a compile failure for 2.4.3:
./configure --enable-maintainer-mode
--with-sql=yes
--with-mysql
--with-pgsql
--with-zlib
--with-bzlib
--with-ssl=openssl
--enable-experimental-mail-utf8
--enable-experimental-imap4rev2
--with-pcre2
make
make[3]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3/src/anvil'
Making all in auth
make[3]: Entering directory '/home/wash/Dovecot/dovecot-2.4.3/src/auth'
CC test_auth_cache-auth-cache.o
CC test_auth_cache-test-auth-cache.o
CC auth-main.o
CC auth-auth.o
CC auth-auth-cache.o
CC auth-auth-client-connection.o
CC auth-auth-master-connection.o
CC auth-auth-policy.o
CC auth-auth-penalty.o
CC auth-auth-request.o
CC auth-auth-request-fields.o
CC auth-auth-request-handler.o
CC auth-auth-request-var-expand.o
CC auth-auth-sasl-mech-apop.o
CC auth-auth-sasl-mech-dovecot-token.o
CC auth-auth-sasl-mech-oauth2.o
CC auth-auth-sasl.o
CC auth-auth-settings.o
CC auth-auth-fields.o
CC auth-auth-token.o
CC auth-auth-worker-connection.o
CC auth-auth-worker-server.o
CC auth-db-oauth2.o
CC auth-db-sql.o
CC auth-db-passwd-file.o
CC auth-passdb.o
CC auth-passdb-blocking.o
CC auth-passdb-bsdauth.o
CC auth-passdb-cache.o
CC auth-passdb-oauth2.o
CC auth-passdb-passwd.o
CC auth-passdb-passwd-file.o
CC auth-passdb-pam.o
CC auth-passdb-sql.o
CC auth-passdb-static.o
CC auth-userdb.o
CC auth-userdb-blocking.o
CC auth-userdb-passwd.o
CC auth-userdb-passwd-file.o
CC auth-userdb-prefetch.o
CC auth-userdb-static.o
CC auth-userdb-sql.o
CC auth-db-ldap.o
CC auth-db-ldap-sasl.o
CC auth-db-ldap-settings.o
CC auth-passdb-ldap.o
CC auth-userdb-ldap.o
CC auth-db-lua.o
CC auth-passdb-lua.o
CC auth-userdb-lua.o
CCLD auth
CCLD test-auth-cache
CC auth.o
CC auth-cache.o
CC auth-client-connection.o
CC auth-master-connection.o
CC auth-policy.o
CC auth-penalty.o
CC auth-request.o
CC auth-request-fields.o
CC auth-request-handler.o
CC auth-request-var-expand.o
CC auth-sasl-mech-apop.o
CC auth-sasl-mech-dovecot-token.o
CC auth-sasl-mech-oauth2.o
CC auth-sasl.o
CC auth-settings.o
CC auth-fields.o
CC auth-token.o
CC auth-worker-connection.o
CC auth-worker-server.o
CC db-oauth2.o
CC db-sql.o
CC db-passwd-file.o
CC passdb.o
CC passdb-blocking.o
CC passdb-bsdauth.o
CC passdb-cache.o
CC passdb-oauth2.o
CC passdb-passwd.o
CC passdb-passwd-file.o
CC passdb-pam.o
CC passdb-sql.o
CC passdb-static.o
CC userdb.o
CC userdb-blocking.o
CC userdb-passwd.o
CC userdb-passwd-file.o
CC userdb-prefetch.o
CC userdb-static.o
CC userdb-sql.o
CC db-ldap.o
CC db-ldap-sasl.o
CC db-ldap-settings.o
CC passdb-ldap.o
CC userdb-ldap.o
CC db-lua.o
CC passdb-lua.o
CC userdb-lua.o
CC test-auth.o
CC test-mock.o
CC test-auth-client.o
CCLD test-auth-client
CC test-auth-master.o
CC test-auth-master-server.o
CCLD test-auth-master
CC test-auth-request-var-expand.o
CC test-auth-request-fields.o
CC test-username-filter.o
CC test-ldap.o
CC test-lua.o
CC test-main.o
CCLD test-auth
libtool: error: cannot find the library '../../src/lib-lua/
libdovecot-lua.la' or unhandled argument '../../src/lib-lua/
libdovecot-lua.la'
make[3]: *** [Makefile:1403: test-auth] Error 1
make[3]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3/src/auth'
make[2]: *** [Makefile:612: all-recursive] Error 1
make[2]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3/src'
make[1]: *** [Makefile:742: all-recursive] Error 1
make[1]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3'
make: *** [Makefile:584: all] Error 2
wash@eu:~/Dovecot$
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On Fri, Mar 27, 2026 at 11:26AM Aki Tuomi via dovecot <[1]dovecot@dovecot.org> wrote:
Hi!
We are happy to publish version 2.4.3 of Dovecot and Pigeonhole. These
contain several CVEs, discovered by external researches. The majority of
these have been discovered with help of automated code analysis tools
like claude code security, which is why some of these are rather old,
missed bugs.
No new supported distros have been added or old removed, no new
dependencies have been added.
Note that there are experimental features in 2.4, one is enabled with
`--enable-experimental-mail-utf8`, and another with
`--enable-experimental-imap4rev2`, and you also need to set
mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them in
config.
[2]https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz
[3]https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz.sig
[4]https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz
[5]https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz.sig
Binary packages in [6]https://repo.dovecot.org/
Docker images in [7]https://hub.docker.com/r/dovecot/dovecotUsing the same configure options I used for dovecot-2.4.2, I end up with a compile failure for 2.4.3:
./configure --enable-maintainer-mode
--with-sql=yes
--with-mysql
--with-pgsql
--with-zlib
--with-bzlib
--with-ssl=openssl
--enable-experimental-mail-utf8
--enable-experimental-imap4rev2
--with-pcre2
make
make[3]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3/src/anvil'
Making all in auth
make[3]: Entering directory '/home/wash/Dovecot/dovecot-2.4.3/src/auth'
CC test_auth_cache-auth-cache.o
CC test_auth_cache-test-auth-cache.o
CC auth-main.o
CC auth-auth.o
CC auth-auth-cache.o
CC auth-auth-client-connection.o
CC auth-auth-master-connection.o
CC auth-auth-policy.o
CC auth-auth-penalty.o
CC auth-auth-request.o
CC auth-auth-request-fields.o
CC auth-auth-request-handler.o
CC auth-auth-request-var-expand.o
CC auth-auth-sasl-mech-apop.o
CC auth-auth-sasl-mech-dovecot-token.o
CC auth-auth-sasl-mech-oauth2.o
CC auth-auth-sasl.o
CC auth-auth-settings.o
CC auth-auth-fields.o
CC auth-auth-token.o
CC auth-auth-worker-connection.o
CC auth-auth-worker-server.o
CC auth-db-oauth2.o
CC auth-db-sql.o
CC auth-db-passwd-file.o
CC auth-passdb.o
CC auth-passdb-blocking.o
CC auth-passdb-bsdauth.o
CC auth-passdb-cache.o
CC auth-passdb-oauth2.o
CC auth-passdb-passwd.o
CC auth-passdb-passwd-file.o
CC auth-passdb-pam.o
CC auth-passdb-sql.o
CC auth-passdb-static.o
CC auth-userdb.o
CC auth-userdb-blocking.o
CC auth-userdb-passwd.o
CC auth-userdb-passwd-file.o
CC auth-userdb-prefetch.o
CC auth-userdb-static.o
CC auth-userdb-sql.o
CC auth-db-ldap.o
CC auth-db-ldap-sasl.o
CC auth-db-ldap-settings.o
CC auth-passdb-ldap.o
CC auth-userdb-ldap.o
CC auth-db-lua.o
CC auth-passdb-lua.o
CC auth-userdb-lua.o
CCLD auth
CCLD test-auth-cache
CC auth.o
CC auth-cache.o
CC auth-client-connection.o
CC auth-master-connection.o
CC auth-policy.o
CC auth-penalty.o
CC auth-request.o
CC auth-request-fields.o
CC auth-request-handler.o
CC auth-request-var-expand.o
CC auth-sasl-mech-apop.o
CC auth-sasl-mech-dovecot-token.o
CC auth-sasl-mech-oauth2.o
CC auth-sasl.o
CC auth-settings.o
CC auth-fields.o
CC auth-token.o
CC auth-worker-connection.o
CC auth-worker-server.o
CC db-oauth2.o
CC db-sql.o
CC db-passwd-file.o
CC passdb.o
CC passdb-blocking.o
CC passdb-bsdauth.o
CC passdb-cache.o
CC passdb-oauth2.o
CC passdb-passwd.o
CC passdb-passwd-file.o
CC passdb-pam.o
CC passdb-sql.o
CC passdb-static.o
CC userdb.o
CC userdb-blocking.o
CC userdb-passwd.o
CC userdb-passwd-file.o
CC userdb-prefetch.o
CC userdb-static.o
CC userdb-sql.o
CC db-ldap.o
CC db-ldap-sasl.o
CC db-ldap-settings.o
CC passdb-ldap.o
CC userdb-ldap.o
CC db-lua.o
CC passdb-lua.o
CC userdb-lua.o
CC test-auth.o
CC test-mock.o
CC test-auth-client.o
CCLD test-auth-client
CC test-auth-master.o
CC test-auth-master-server.o
CCLD test-auth-master
CC test-auth-request-var-expand.o
CC test-auth-request-fields.o
CC test-username-filter.o
CC test-ldap.o
CC test-lua.o
CC test-main.o
CCLD test-auth
libtool: error: cannot find the library
'../../src/lib-lua/[8]libdovecot-lua.la' or unhandled argument
'../../src/lib-lua/[9]libdovecot-lua.la'
make[3]: *** [Makefile:1403: test-auth] Error 1
make[3]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3/src/auth'
make[2]: *** [Makefile:612: all-recursive] Error 1
make[2]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3/src'
make[1]: *** [Makefile:742: all-recursive] Error 1
make[1]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3'
make: *** [Makefile:584: all] Error 2
wash@eu:~/Dovecot$
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' -\_(Tu)_/- :-) [How to ask smart questions: [10]http://www.catb.org/~esr/faqs/smart-questions.html]
References
Visible links
- mailto:dovecot@dovecot.org
- https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz
- https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz.sig
- https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz
- https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz....
- https://repo.dovecot.org/
- https://hub.docker.com/r/dovecot/dovecot
- http://libdovecot-lua.la/
- http://libdovecot-lua.la/
- http://www.catb.org/~esr/faqs/smart-questions.html