Dovecot and Pigeonhole v2.4.3 released
Hi!
We are happy to publish version 2.4.3 of Dovecot and Pigeonhole. These contain several CVEs, discovered by external researchers. The majority of these have been discovered with help of automated code analysis tools like claude code security, which is why some of these are rather old, missed bugs.
No new supported distros have been added or old removed, no new dependencies have been added.
Note that there are experimental features in 2.4, one is enabled with --enable-experimental-mail-utf8, and another with --enable-experimental-imap4rev2, and you also need to set mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them in config.
https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz
https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz.sig
https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz
https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz....
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot
- CVE-2025-59028: Invalid base64 authentication can cause DoS for other logins.
- CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks and read unintended files during indexing. Fixed by dropping the script.
- CVE-2026-24031: SQL injection possible if auth_username_chars is configured empty. Fixed escaping to always happen. v2.4 regression.
- CVE-2026-27859: Excessive RFC 2231 MIME parameters in email would cause excessive CPU usage. Fixed by limiting number of parameters to process.
- CVE-2026-27860: LDAP query injection possible if auth_username_chars is configured empty. Fixed escaping to always happen. v2.4 regression.
- CVE-2026-27857: Sending excessive parenthesis causes imap-login to use excessive memory.
- CVE-2026-27856: Doveadm credentials were not checked using timing-safe checking function.
- CVE-2026-27855: OTP driver vulnerable to replay attack.
- Remove default service/*/service_extra_groups=$SET:default_internal_group. They are now replaced by default mail_access_groups=$SET:default_internal_group.
- The version file has been renamed as version.txt to avoid clash with C++ headers.
- auth: oauth2 - Do not export token automatically, must be exported using fields.
- config: Don't accept 0 as meaning unlimited anymore for last_valid_uid, last_valid_gid, mail_cache_max_headers_count, mail_cache_max_header_name_length, mail_vsize_bg_after_count, mail_sort_max_read_count, message_max_size, submission_max_recipients and quota_mail_size.
- imap, pop3: Don't autoexpunge if Dovecot is shutting down or process is killed.
- imap: LIST - Handle invalid mUTF-7 mailbox names as never matching anything
- lazy-expunge: Change lazy_expunge_only_last_instance default to yes.
- lda: Use EX_TEMPFAIL (75) if configuration is invalid instead of 89. v2.4 regression.
- lib-master: Increase ANVIL_DEFAULT_LOOKUP_TIMEOUT_MSECS from 5s to 30s
- lib: crc32 - Use zlib's built-in CRC32 function
- Improve UTF-8 support for mail storage.
- auth: Add default auth-token UNIX socket for token-based authentication.
- doc: solr-config-9.xml - Make it compatible with Solr 9.8.0
- doveadm: dsync - Search mails when exporting to reduce number of mails exported by dsync-server.
- dovecot-sysreport: Add -D|--destdir support.
- imap, imap-hibernate: Use DOVECOT-TOKEN authentication for unhibernation. Default imap-master socket permissions have been changed due to this.
- imap: Add APPENDLIMIT capability when configured with quota_mail_size.
- imap: Support STATUS (DELETED) for IMAP4rev2.
- imapc: Add support for SEARCH MIMEPART
- imapc: Improve error forwarding.
- imapc: Support SORT and ESORT extensions.
- imapc: Support STATUS (DELETED) for IMAP4rev2.
- lib-sql: Support parameterized queries.
- lib-test: Add new test-dir API for better temporary test directory handling.
- lmtp: Advertize SIZE capability when configured with quota_mail_size.
- lmtp: Support XCLIENT DESTADDR and DESTPORT
- pop3-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
- submission-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
- Various optimizations have been made to the code.
- Fix building dovecot with BSD, Solaris and macOS.
- auth: Crash would occur if users were iterated but userdb_ldap_iterate_fields was not set.
- auth: Fix request leak when client authenticates with unsupported mechanism.
- auth: Some passdbs would default to PLAIN instead of CRYPT scheme.
- config: Section and setting names could have been intermixed, resulting in the setting being silently ignored.
- configure: Fix checking if BUILD_IMAP_HIBERNATE is set
- doveadm: dsync - -e parameter was handled wrong with dsync-server.
- fts-flatcurve: Mailbox leak would occur if mailbox failed to open.
- imap: Fix potential issues with unhibernation and process state handling.
- imapc: SEARCH failure handling was done wrong.
- imapc: UID STORE commands included extra comma in uidset.
- lib-auth-client: auth-master - Fix panic when reconnecting after handshake timeout.
- lib-compression: Lz4 algorithm would assert-crash with malicious data.
- lib-dcrypt: Fix digest algorithm handling.
- lib-dict: Escape username paths to prevent traversal issues with dict-fs.
- lib-http: Fix HTTP parsing edge cases and state handling.
- lib-iostream: Disallow empty ssl_min_protocol.
- lib-json: Fix incorrect character handling logic.
- lib-ldap: Fix various TLS related bugs.
- lib-mail: Fix charset translation and MIME parsing edge cases.
- lib-mail: Fix multiple bounds checks and parsing issues in message handling.
- lib-var-expand: Multiple fixes and improvements for expansion handling.
- lib: Fix punycode decoding out-of-bounds reads.
- lib: Fix unicode normalization edge cases causing crashes.
- lib-http: Chunked transfer trailer size was not limited.
- login-common: Improve logging and internal error handling.
- login-common: login_log_format_elements was split by spaces naively, which could break variable expansion. Use template aware splitting now.
- master: Dovecot would fail to start if listen directive was used and dovenull or dovecot user was missing.
- pop3c: Connection might've hung with SSL.
- util: Fix handling of environment variables containing control characters.
- Many other bugs have been fixed.
- CVE-2026-27858: managesieve-login can allocate large amount of memory during authentication.
- CVE-2025-59032: ManageSieve panic occurs with sieve-connect as a client.
- lib-sieve: Don't accept 0 as meaning unlimited anymore for sieve_quota_script_count and sieve_quota_storage_size.
- managesieve-login: If mail_max_userip_connections is reached, return LIMIT/CONNECTIONS resp-code.
- managesieve-login: proxy - Return unexpected backend failures as TRYLATER/NORETRY resp-code.
- managesieve: Remove default service_extra_groups=$SET:default_internal_group.
- managesieve-login: proxy - Add support for XCLIENT DESTIP and DESTPORT.
- imapsieve: Fix panic occurring upon implicit flag changes.
- lib-sieve: include-extension - Fix crash occurring when previous global command has no arguments.
- lib-sieve: Fix erroneous attempt to read active script for non-personal storage.
- lib-sieve: ldap: Fix linking non-shared LIBDOVECOT.
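Added example, not part of the original announcement and not Dovecot's own code: a pre-upgrade check that reads `doveconf -n`-style text and flags the two configuration conditions the notes above name, an empty auth_username_chars (the precondition of CVE-2026-24031 and CVE-2026-27860) and listed settings still using 0 as "unlimited". The line-based parser, the finding labels and the sample configuration are assumptions constructed for illustration.

```python
import re

# Settings for which the 2.4.3 notes say 0 is no longer accepted as
# "unlimited" (core list plus the two Pigeonhole sieve quota settings).
ZERO_NOT_UNLIMITED = {
    "last_valid_uid", "last_valid_gid", "mail_cache_max_headers_count",
    "mail_cache_max_header_name_length", "mail_vsize_bg_after_count",
    "mail_sort_max_read_count", "message_max_size",
    "submission_max_recipients", "quota_mail_size",
    "sieve_quota_script_count", "sieve_quota_storage_size",
}

SETTING_RE = re.compile(r"^([A-Za-z0-9_/]+)\s*=\s*(.*)$")


def iter_settings(text):
    """Yield (section_path, key, value) from doveconf-style text.

    Assumption: one `key = value` per line, `name {` opens a section,
    a lone `}` closes it, and `#` starts a comment line.
    """
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
            continue
        if line == "}":
            if path:
                path.pop()
            continue
        m = SETTING_RE.match(line)
        if m:
            value = m.group(2).strip()
            # Treat "" and '' the same as an empty value.
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            yield "/".join(path), m.group(1), value


def audit(text):
    """Return a list of (finding_label, setting_location) tuples."""
    findings = []
    for section, key, value in iter_settings(text):
        where = f"{section}/{key}" if section else key
        if key == "auth_username_chars" and value == "":
            # Condition named by CVE-2026-24031 (SQL) and CVE-2026-27860 (LDAP).
            findings.append(("injection-precondition", where))
        elif key in ZERO_NOT_UNLIMITED and value == "0":
            # 0 no longer means unlimited from 2.4.3 on.
            findings.append(("zero-not-unlimited", where))
    return findings


# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
# constructed sample
auth_username_chars =
message_max_size = 0
last_valid_uid = 60000
protocol submission {
  submission_max_recipients = 0
}
sieve_quota_script_count = 10
"""

if __name__ == "__main__":
    for label, where in audit(SAMPLE):
        print(f"{label}: {where}")
```

Feed it the saved output of `doveconf -n` from the host being upgraded; an empty result means neither condition was found in that text.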
On Fri, 2026-03-27 at 10:06 +0200, Aki Tuomi via dovecot wrote:
Hi!
We are happy to publish version 2.4.3 of Dovecot and Pigeonhole. These contain several CVEs, discovered by external researchers. The majority of these have been discovered with help of automated code analysis tools like claude code security, which is why some of these are rather old, missed bugs.
No new supported distros have been added or old removed, no new dependencies have been added.
Note that there are experimental features in 2.4, one is enabled with --enable-experimental-mail-utf8, and another with --enable-experimental-imap4rev2, and you also need to set mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them in config.
Thank you Aki - I think there may be a typo in the announce:
imap4rev2_enabled=yes
should probably be:
imap4rev2_enable=yes
gene
On 27/03/2026 13:34 EET Genes Lists via dovecot <dovecot@dovecot.org> wrote:
Thank you Aki - I think there may be a typo in the announce:
imap4rev2_enabled=yes
should probably be:
imap4rev2_enable=yes
gene
Woops. Thanks for letting me know.
Aki
On Fri, Mar 27, 2026 at 11:26 AM Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
Hi!
We are happy to publish version 2.4.3 of Dovecot and Pigeonhole. These contain several CVEs, discovered by external researchers. The majority of these have been discovered with help of automated code analysis tools like claude code security, which is why some of these are rather old, missed bugs.
No new supported distros have been added or old removed, no new dependencies have been added.
Note that there are experimental features in 2.4, one is enabled with --enable-experimental-mail-utf8, and another with --enable-experimental-imap4rev2, and you also need to set mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them in config.
https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz
https://dovecot.org/releases/2.4/dovecot-2.4.3.tar.gz.sig
https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz
https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.3.tar.gz....
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot
Using the same configure options I used for dovecot-2.4.2, I end up with a compile failure for 2.4.3:
./configure --enable-maintainer-mode \
    --with-sql=yes \
    --with-mysql \
    --with-pgsql \
    --with-zlib \
    --with-bzlib \
    --with-ssl=openssl \
    --enable-experimental-mail-utf8 \
    --enable-experimental-imap4rev2 \
    --with-pcre2
make
make[3]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3/src/anvil'
Making all in auth
make[3]: Entering directory '/home/wash/Dovecot/dovecot-2.4.3/src/auth'
CCLD test-auth
libtool: error: cannot find the library '../../src/lib-lua/libdovecot-lua.la' or unhandled argument '../../src/lib-lua/libdovecot-lua.la'
make[3]: *** [Makefile:1403: test-auth] Error 1
make[3]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3/src/auth'
make[2]: *** [Makefile:612: all-recursive] Error 1
make[2]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3/src'
make[1]: *** [Makefile:742: all-recursive] Error 1
make[1]: Leaving directory '/home/wash/Dovecot/dovecot-2.4.3'
make: *** [Makefile:584: all] Error 2
wash@eu:~/Dovecot$
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On 28/03/2026 11:03 EET Washington Odhiambo via dovecot <dovecot@dovecot.org> wrote:
Using the same configure options I used for dovecot-2.4.2, I end up with a compile failure for 2.4.3:
./configure --enable-maintainer-mode \
    --with-sql=yes \
    --with-mysql \
    --with-pgsql \
    --with-zlib \
    --with-bzlib \
    --with-ssl=openssl \
    --enable-experimental-mail-utf8 \
    --enable-experimental-imap4rev2 \
    --with-pcre2
make
Hi,
unfortunately lua dependency crept in. Fix is already in review. I'll post the link once it's merged.
Aki
"Aki" == Aki Tuomi via dovecot <dovecot@dovecot.org> writes:
Using the same configure options I used for dovecot-2.4.2, I end up with a compile failure for 2.4.3:
./configure --enable-maintainer-mode \
    --with-sql=yes \
    --with-mysql \
    --with-pgsql \
    --with-zlib \
    --with-bzlib \
    --with-ssl=openssl \
    --enable-experimental-mail-utf8 \
    --enable-experimental-imap4rev2 \
    --with-pcre2
make
unfortunately lua dependency crept in. Fix is already in review. I'll post the link once it's merged.
Aki
Does this mean you'll be releasing a v2.4.4 in the near future then since this breaks 2.4.3 builds completely?
John
On 29/03/2026 20:52 EEST John Stoffel via dovecot <dovecot@dovecot.org> wrote:
Does this mean you'll be releasing a v2.4.4 in the near future then since this breaks 2.4.3 builds completely?
John
Possibly. Anyways, if you are in a hurry, you can apply a patch that was just posted to the list.
Aki
Fixed in main with https://github.com/dovecot/core/compare/dfe1a7293879dbce25b3b471bdb8ef17ec2a...
Aki
On 28/03/2026 11:45 EET Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
Hi,
unfortunately lua dependency crept in. Fix is already in review. I'll post the link once it's merged.
Aki
Hello,
Aki Tuomi wrote:
We are happy to publish version 2.4.3 of Dovecot and Pigeonhole. These contain several CVEs, discovered by external researchers.
I noticed that three manpages are missing from the 2.4.3 source tarball (compared to 2.4.2):
- doveadm-backup.1
- doveadm-copy.1
- doveadm-search-query.7
I'm guessing that this is not intentional?
Cheers, Daniel Neri
Hi again,
On 30 Mar 2026, at 18:32, dne+dovecot--- via dovecot <dovecot@dovecot.org> wrote:
Aki Tuomi wrote:
We are happy to publish version 2.4.3 of Dovecot and Pigeonhole. These contain several CVEs, discovered by external researchers.
I noticed that three manpages are missing from the 2.4.3 source tarball (compared to 2.4.2):
- doveadm-backup.1
- doveadm-copy.1
- doveadm-search-query.7
I'm guessing that this is not intentional?
Any feedback on this issue?
Thanks.
Best Regards, Daniel
On 07/04/2026 10:14 EEST Daniel Néri via dovecot <dovecot@dovecot.org> wrote:
Hi again,
On 30 Mar 2026, at 18:32, dne+dovecot--- via dovecot <dovecot@dovecot.org> wrote:
Aki Tuomi wrote:
We are happy to publish version 2.4.3 of Dovecot and Pigeonhole. These contain several CVEs, discovered by external researchers.
I noticed that three manpages are missing from the 2.4.3 source tarball (compared to 2.4.2):
- doveadm-backup.1
- doveadm-copy.1
- doveadm-search-query.7
I'm guessing that this is not intentional?
Any feedback on this issue?
Thanks.
Best Regards, Daniel
We are looking into it, might take a while as there are other things too. Not forgotten, though.
Aki
Hello !
27/03/2026 at 09:06, Aki Tuomi via dovecot wrote:
We are happy to publish version 2.4.3 of Dovecot and Pigeonhole.
Note that there are experimental features in 2.4, one is enabled with --enable-experimental-mail-utf8, and another with --enable-experimental-imap4rev2, and you also need to set mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them in config.
Dovecot-provided binary packages for Debian 13 include the experimental-imap4rev2 feature. I can't see experimental-mail-utf8.
$ /usr/sbin/dovecot --version --build-options
2.4.3-1+debian13 (c1b22ef978)
root@vps-0761a05e:/home/apydo# /usr/sbin/dovecot --build-options
Build options: ioloop=epoll notify=inotify *experimental-imap4rev2* openssl io_block_size=8192
SQL driver plugins: mysql postgresql sqlite
Passdb: ldap pam passwd passwd-file sql
Userdb: ldap(plugin) passwd prefetch passwd-file sql
I'd like to give a try on imap4rev2 feature in a (small) production dovecot setup. This is an IMAPS server with LMTP for postfix delivery. I can provide config if useful. Is there any problem with enabling and disabling this feature in real life?
-- Best regards, Artur