Any planned 2.4.2 release date
Hi,
I am currently planning the migration from Dovecot 2.3 to 2.4 and was wondering if version 2.4.2 is just around the corner (and it therefore might make sense to wait a few more days).
Is there any planned schedule or does it still make sense to migrate to 2.4.1 within the next ~14 days?
-- Regards, Andreas Haerter
foundata GmbH Steinhäuserstr. 20 76135 Karlsruhe
Registered office: Karlsruhe Register court: Amtsgericht Mannheim, HRB 714807 Managing director: Andreas Haerter VAT ID: DE284122682
Andreas Haerter via dovecot said on Sat, 12 Jul 2025 15:08:53 +0200
> Hi,
> I am currently planning the migration from Dovecot 2.3 to 2.4 and was wondering if version 2.4.2 is just around the corner (and it therefore might make sense to wait a few more days).
> Is there any planned schedule or does it still make sense to migrate to 2.4.1 within the next ~14 days?
Hi Andreas,
My advice would be to hold off on the 2.3.x to 2.4.x upgrade for the foreseeable future. This upgrade involves a great many changes to dovecot.conf and the files in conf.d: The very grammar of these files. I didn't find the current state of Dovecot documentation on 2.4.x dovecot.conf helpful. Sooner or later good documentation will appear, on Dovecot's website or somewhere else. Once you have a solid path forward, that's the time to upgrade.
After fighting with 2.4.1 for a couple days, I downgraded back to 2.3.21 and held it there to prevent upgrade. When I get the time, I'll create a virtual machine guest on which to put 2.4.1 working on a very small and simple Maildir, in order to learn the ins and outs of the new dovecot.conf via reverse engineering, trial and error, and collecting info from many sources. Only after I understand it will I once again upgrade my main machine to 2.4.1.
When it comes to this upgrade, only the most Dovecot knowledgeable should be early adopters. The rest of us should wait and follow the path they forge.
So to answer your question, my advice is not to upgrade in the next 14 days, or even the next month or two, regardless of any 2.4.2 progress.
SteveT
Steve Litt
On Sun, Jul 13, 2025 at 7:56 AM Steve Litt via dovecot <dovecot@dovecot.org> wrote:
> Andreas Haerter via dovecot said on Sat, 12 Jul 2025 15:08:53 +0200
>> Hi,
>> I am currently planning the migration from Dovecot 2.3 to 2.4 and was wondering if version 2.4.2 is just around the corner (and it therefore might make sense to wait a few more days).
>> Is there any planned schedule or does it still make sense to migrate to 2.4.1 within the next ~14 days?
> Hi Andreas,
> My advice would be to hold off on the 2.3.x to 2.4.x upgrade for the foreseeable future. This upgrade involves a great many changes to dovecot.conf and the files in conf.d: The very grammar of these files. I didn't find the current state of Dovecot documentation on 2.4.x dovecot.conf helpful. Sooner or later good documentation will appear, on Dovecot's website or somewhere else. Once you have a solid path forward, that's the time to upgrade.
> After fighting with 2.4.1 for a couple days, I downgraded back to 2.3.21 and held it there to prevent upgrade. When I get the time, I'll create a virtual machine guest on which to put 2.4.1 working on a very small and simple Maildir, in order to learn the ins and outs of the new dovecot.conf via reverse engineering, trial and error, and collecting info from many sources. Only after I understand it will I once again upgrade my main machine to 2.4.1.
> When it comes to this upgrade, only the most Dovecot knowledgeable should be early adopters. The rest of us should wait and follow the path they forge.
> So to answer your question, my advice is not to upgrade in the next 14 days, or even the next month or two, regardless of any 2.4.2 progress.
> SteveT
> Steve Litt
This advice sounds quite unfortunate. Does it mean you were never assisted by anyone when you got stuck? How complicated is your setup? I believe it is not, since you mention that, and I quote: <quote> When it comes to this upgrade, only the most Dovecot knowledgeable should be early adopters. The rest of us should wait and follow the path they forge. </quote>
I don't know the reason why Andreas is hesitant about migration to 2.4.x, but IMHO, you do not have any good reason for not upgrading. Where exactly did you get stuck? Bring it up and let the community decide where it was a real show-stopper that made you take this position.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
Odhiambo Washington via dovecot said on Sun, 13 Jul 2025 11:44:59 +0300
> On Sun, Jul 13, 2025 at 7:56 AM Steve Litt via dovecot <dovecot@dovecot.org> wrote:
>> Andreas Haerter via dovecot said on Sat, 12 Jul 2025 15:08:53 +0200
>>> Hi,
>>> I am currently planning the migration from Dovecot 2.3 to 2.4 and was wondering if version 2.4.2 is just around the corner (and it therefore might make sense to wait a few more days).
>>> Is there any planned schedule or does it still make sense to migrate to 2.4.1 within the next ~14 days?
>> Hi Andreas,
>> My advice would be to hold off on the 2.3.x to 2.4.x upgrade for the foreseeable future. This upgrade involves a great many changes to dovecot.conf and the files in conf.d: The very grammar of these files. I didn't find the current state of Dovecot documentation on 2.4.x dovecot.conf helpful. Sooner or later good documentation will appear, on Dovecot's website or somewhere else. Once you have a solid path forward, that's the time to upgrade.
>> After fighting with 2.4.1 for a couple days, I downgraded back to 2.3.21 and held it there to prevent upgrade. When I get the time, I'll create a virtual machine guest on which to put 2.4.1 working on a very small and simple Maildir, in order to learn the ins and outs of the new dovecot.conf via reverse engineering, trial and error, and collecting info from many sources. Only after I understand it will I once again upgrade my main machine to 2.4.1.
>> When it comes to this upgrade, only the most Dovecot knowledgeable should be early adopters. The rest of us should wait and follow the path they forge.
>> So to answer your question, my advice is not to upgrade in the next 14 days, or even the next month or two, regardless of any 2.4.2 progress.
>> SteveT
>> Steve Litt
> This advice sounds quite unfortunate. Does it mean you were never assisted by anyone when you got stuck?
This is *exactly* what I mean. Keep in mind that once my Dovecot stopped working, getting help via mailing lists was not possible. So I asked a couple basic questions on #dovecot on Libera chat IRC, and got no answers after an hour, after a day, I don't think anybody answered me at all. Almost the same thing at #dovecot on OFTC, although localhorst and cmouse responded.
> How complicated is your setup?
In my opinion my setup is trivially simple. Dovecot is running on my desktop computer for the sole purpose of storing emails in a Maildir. I look at these stored emails with any email client running on that same desktop computer. As far as how the emails get to the Maildir, fetchmail feeds procmail, whose recipes put my emails in the right maildir folders.
ISP_IMAP=>fetchmail=>procmail=>Dovecot_maildir=>Dovecot=>Claws-Mail
Notice that with this setup, no Dovecot, no email
> I believe it is not, since you mention that, and I quote: <quote> When it comes to this upgrade, only the most Dovecot knowledgeable should be early adopters. The rest of us should wait and follow the path they forge. </quote>
> I don't know the reason why Andreas is hesitant about migration to 2.4.x, but IMHO, you do not have any good reason for not upgrading. Where exactly did you get stuck? Bring it up and let the community decide where it was a real show-stopper that made you take this position.
There was no one place I got stuck. On July 7 my email stopped working, griping about P12 certs in the .pem (don't remember the exact message). It quickly became obvious the problem was in Dovecot, and dovecot -F gave a "bad config file" error with a config that had worked for years.
More research showed that the Void distribution had upgraded from Dovecot 2.3.21 to 2.4.1 around July 3, and I had subsequently done a distro upgrade on July 7.
Perhaps if I had been paying more attention to the Dovecot mailing list I would have seen this coming and would have been more ready for it. But my bad, I just lightly skimmed the Dovecot mailing list because up until now, Dovecot *never* had problems or drama.
So I came upon the following:
https://doc.dovecot.org/2.4.1/installation/upgrade/2.3-to-2.4.html
https://willem.com/blog/2025-06-04_breaking-changes/
Neither told the complete story, and my email was down so I couldn't email this list.
As far as being a show-stopper, yeah, I'll let the community decide. But for me it was an absolute show-stopper. Time will tell whether I'm just some dummy who can't admin, or whether I'm the canary in the coal mine with most distros still on 2.3.x.
SteveT
Steve Litt
On Mon Jul 14, 2025 at 1:38 AM CEST, Steve Litt via dovecot wrote:
[.. snip ..]
> There was no one place I got stuck. On July 7 my email stopped working, griping about P12 certs in the .pem (don't remember the exact message). It quickly became obvious the problem was in Dovecot, and dovecot -F gave a "bad config file" error with a config that had worked for years.
> More research showed that the Void distribution had upgraded from Dovecot 2.3.21 to 2.4.1 around July 3, and I had subsequently done a distro upgrade on July 7.
> Perhaps if I had been paying more attention to the Dovecot mailing list I would have seen this coming and would have been more ready for it. But my bad, I just lightly skimmed the Dovecot mailing list because up until now, Dovecot *never* had problems or drama.
> So I came upon the following:
> https://doc.dovecot.org/2.4.1/installation/upgrade/2.3-to-2.4.html
> https://willem.com/blog/2025-06-04_breaking-changes/
> Neither told the complete story, and my email was down so I couldn't email this list.
> As far as being a show-stopper, yeah, I'll let the community decide. But for me it was an absolute show-stopper. Time will tell whether I'm just some dummy who can't admin, or whether I'm the canary in the coal mine with most distros still on 2.3.x.
> SteveT
[.. snip ..]
Steve
I'm also on Void, which is great, but that's what you get with a rolling release distro. All the upgrade trouble you have with other distros when switching from one major release to the next, with Void it just happens bit by bit over time. Things break, like out of the blue, and that's to be expected.
That's why I run all the sensitive stuff in LXC containers, with Alpine. Like my LDAP/Postfix/Dovecot (still, maybe Cyrus soon) server. Having the stuff you really depend on isolated means that you can deal with upgrades when you yourself choose to do so, not when somebody else says you should, potentially hitting you totally unprepared.
Greets, B
Steve Litt via dovecot wrote on 2025-07-13 06:50:
> So to answer your question, my advice is not to upgrade in the next 14 days, or even the next month or two, regardless of any 2.4.2 progress.
postfix never did incompatible upgrade configs, never as ever, so why did dovecot try this now ?
positive here it could add doveconf 2.3 config reader in dovecot 2.4, so 2.4 understands both 2.3 and 2.4, this will hold back any questions how to upgrade just like it have never being a problem with postfix, if postfix did something like this i would propperly be still running postfix version 1.0 :=)
aka dovecot 1.x is still stable btw, i just hope dovecot will not make mistakes one more time
Hi Steve,
On 13.07.25 06:50, Steve Litt via dovecot wrote:
> My advice would be to hold off on the 2.3.x to 2.4.x upgrade for the foreseeable future. This upgrade involves a great many changes to dovecot.conf and the files in conf.d: The very grammar of these files.
Thank you for your advice. I'm aware of the significant changes between the 2.3.x and 2.4.x versions. I've been preparing accordingly and am not concerned by the challenges these changes may bring. For example, we work on smaller mail servers for non-profits and NGOs, where we know all the users personally. This allows us to clone the entire setup and thoroughly test everything in advance including with them.
> So to answer your question, my advice is not to upgrade in the next 14 days, or even the next month or two, regardless of any 2.4.2 progress.
I just don't want to lifecycle stuff (a few servers are EOL now) and stay on 2.3.x for no reason beside getting into the new config. My primary concern is potentially encountering subtle bugs that may have already been patched in the development branch but aren't yet included in version 2.4.1 (or similar). If these bugs could easily be avoided by waiting just a few more days for a more stable release... therefore my question.
@aki and the other developers: Thank you. Dovecot remains an OUTSTANDING piece of software, and I am incredibly grateful that it exists as open-source, even if I have to migrate my configs :-D.
Without it, these mentioned environments serving the public good would struggle to maintain their own high-quality communication infrastructure without relying on third-party providers like Microsoft Exchange Online, which could pose political challenges for certain NGOs. The same applies to smaller businesses out there.
On a related note, I appreciate how Proxmox VE offers its community subscription[1] for € 115/year & CPU socket without adding any extra support services. This model allows organizations, even those with limited budgets, to contribute a little bit directly to the project in a straightforward way.
There is nothing comparable I can simply buy from OX for a few EUR per month per organization, isn't it? (sorry for the direct CC at Aki, but I want to make sure this question is not read over)
[1] https://www.proxmox.com/en/products/proxmox-virtual-environment/pricing
-- Regards, Andreas
On 13.07.2025 at 06:50, Steve Litt via dovecot <dovecot@dovecot.org> wrote:
> My advice would be to hold off on the 2.3.x to 2.4.x upgrade for the foreseeable future. This upgrade involves a great many changes to dovecot.conf and the files in conf.d: The very grammar of these files.
I second that, particularly because I’m one of the many people who were very unhappy with Dovecot's decision to remove director and sync from 2.4. Luckily Red Hat made the wise decision to keep 2.3 in its current RHEL 10, so I will go with AlmaLinux 10 until it’s EOL somewhere in 2035. :D Then I will upgrade to dovecot 2.5 or 2.6, whatever will be current in the next decade. And until then distributed file systems may become matured enough, so director and imapsync will not be needed anymore. :)
Steven
-- https://steven.varco.ch/ https://www.tech-island.com/
On 13/07/2025 21:28 EEST Steven Varco via dovecot <dovecot@dovecot.org> wrote:
> On 13.07.2025 at 06:50, Steve Litt via dovecot <dovecot@dovecot.org> wrote:
>> My advice would be to hold off on the 2.3.x to 2.4.x upgrade for the foreseeable future. This upgrade involves a great many changes to dovecot.conf and the files in conf.d: The very grammar of these files.
> I second that, particularly because I’m one of the many people who were very unhappy with Dovecot's decision to remove director and sync from 2.4. Luckily Red Hat made the wise decision to keep 2.3 in its current RHEL 10, so I will go with AlmaLinux 10 until it’s EOL somewhere in 2035. :D Then I will upgrade to dovecot 2.5 or 2.6, whatever will be current in the next decade. And until then distributed file systems may become matured enough, so director and imapsync will not be needed anymore. :)
> Steven
Small correction, doveadm sync (dsync) is still in 2.4, replicator has been removed.
Aki
On 13.07.2025 at 21:02, Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
> Small correction, doveadm sync (dsync) is still in 2.4, replicator has been removed.
Ah yes, sorry replicator is what I meant. Thanks Aki for correction.
On 12/07/2025 16:08 EEST Andreas Haerter via dovecot <dovecot@dovecot.org> wrote:
> Hi,
> I am currently planning the migration from Dovecot 2.3 to 2.4 and was wondering if version 2.4.2 is just around the corner (and it therefore might make sense to wait a few more days).
> Is there any planned schedule or does it still make sense to migrate to 2.4.1 within the next ~14 days?
> -- Regards, Andreas Haerter
No concrete decision has been made yet, but we are planning on making one later this year.
Aki
On Sun, 2025-07-13 at 10:35 +0300, Aki Tuomi via dovecot wrote:
> On 12/07/2025 16:08 EEST Andreas Haerter via dovecot <dovecot@dovecot.org> wrote:
> No concrete decision has been made yet, but we are planning on making one later this year.
> Aki
My experience with upgrade from 2.3 to 2.4.
My advice:
1) upgrade to 2.4.1
2) avoid 'doveadm reload' and stick with restart until the core dump gets sorted out [1]
3) Avoid naming any (non-default) sieve script 'default'.
Some details
The configs do change - the docs have a decent opening section on what needs to be changed and a lot of detail on the new configurations and why things changed.
I followed the section on upgrading from 2.3 to 2.4, then went over specific items in the full documentation as well.
IMHO, the new configs are much better than the older ones and worth the small amount of time / effort to migrate over.
(i) I tested first on a small standalone setup - it went fairly smoothly (other than an odd typo I made!).
(ii) Next I migrated the production configs (under separate directory), and went over them a few times.
(iii) Next, I shut down production mail (postfix and dovecot) - and flipped the configs over to 2.4, updated and started everything back up again.
(iv) All worked smoothly aside from pigeonhole sieve. I encountered 2 issues there.
(a) non-root users need access to the certificate chain in order to be able to run "sievec". Quirky but easy enough to work around.
(b) I had named my "after" sieve script "default" which somehow caused problems. Renaming it and everything ran properly.
(v) It's been running fine ever since aside from 1 core dump that happened later.
Core dump was triggered by "doveadm reload". The reload for me was in the toolkit that handles renewals for letsencrypt certs - I changed the tool to "restart" to avoid further core dumps.
I have not been able to reproduce the core dump in non-production. So the core dump seems to require having more clients perhaps and remains an outstanding issue.
Aki - any thoughts on the 'doveadm reload' crash? [1]
[1] https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/CFH55D...
-- Gene
Hi Genes,
On 13.07.25 12:14, Genes Lists wrote:
> My advice:
> [...]
> avoid 'doveadm reload' and stick with restart until the core dump gets sorted out [1]
> Avoid naming any (non-default) sieve script 'default'.
Thank you!
Point 2) would definitely have affected me for the exact same reason. Glad you mentioned it.
And point 3) might actually apply to a few of our environments as well. That one would have been much harder to track down, so thanks a lot for the heads-up!
-- Regards, Andreas Haerter
On Sun, 2025-07-13 at 16:00 +0200, Andreas Haerter via dovecot wrote:
> Hi Genes,
> And point 3) might actually apply to a few of our environments as well. That one would have been much harder to track down, so thanks a lot for the heads-up!
Glad it might be helpful 🙂
Since it may be ambiguous what I meant by sieve script "name": I am not referring to any filename but rather to the config, as in the 'XXX' part of
'sieve_script XXX { ...'
e.g. this one is named "after":
    sieve_script after {
        driver = file
        path = /etc/dovecot/sieve
        active_path = after.sieve
    }
-- Gene
On 13. Jul 2025, at 13.14, Genes Lists via dovecot <dovecot@dovecot.org> wrote:
> (iv) All worked smoothly aside from pigeonhole sieve. I encountered 2 issues there. (a) non-root users need access to the certificate chain in order to be able to run "sievec". Quirky but easy enough to work around.
Which setting was it complaining about? ssl_client_* settings? or ssl_server_cert?
> I have not been able to reproduce the core dump in non-production.
> So the core dump seems to require having more clients perhaps and remains an outstanding issue.
> Aki - any thoughts on the 'doveadm reload' crash? [1]
> [1] https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/CFH55D...
Hmm. Very strange. Seems to happen only when logging to syslog. Then it happens after running "doveadm reload" twice. I don't understand why it happens though. Seems to be some kind of memory corruption but of course it doesn't happen when running with valgrind. Need to try to debug further tomorrow.
Answering some more comments in the thread also:
Benny:
> postfix never did incompatible upgrade configs, never as ever, so why did dovecot try this now ?
v1.x config lasted for 8 years. v2.x config lasted for 15 years. It was getting kludgy enough that it was finally time to change it.
> positive here it could add doveconf 2.3 config reader in dovecot 2.4, so 2.4 understands both 2.3 and 2.4, this will hold back any questions how to upgrade just like it have never being a problem with postfix, if postfix did something like this i would propperly be still running postfix version 1.0 :=)
There are unfortunately some differences between v2.3 and v2.4 that simple automatic config conversion wouldn't be possible in all situations. Especially settings coming from userdb lookups work a bit differently now.
Andreas:
> There is nothing comparable I can simply buy from OX for a few EUR per month per organization, isn't it? (sorry for the direct CC at Aki, but I want to make sure this question is not read over)
Currently nothing I'm aware of. The main trouble is people paying for Dovecot would expect some kind of support, especially for difficult questions, which would then go all the way to development team to figure out, and take time out of development. In theory we could of course grow the development team, but that's a lot of trouble as well.
On Sun, 2025-07-13 at 23:31 +0300, Timo Sirainen via dovecot wrote:
>> (a) non-root users need access to the certificate chain in order to be able to run "sievec". Quirky but easy enough to work around.
> Which setting was it complaining about? ssl_client_* settings? or ssl_server_cert?
Permission denied on the server cert :
    ssl_server {
        cert_file = <this-one>
        key_file = ..
        prefer_ciphers = ..
    }
>> Aki - any thoughts on the 'doveadm reload' crash? [1]
>> [1] https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/CFH55DNKPQAUBM2N7FKB6X7CK4M46KKH/
> Hmm. Very strange. Seems to happen only when logging to syslog. Then it happens after running "doveadm reload" twice. I don't understand why it happens though. Seems to be some kind of memory corruption but of course it doesn't happen when running with valgrind. Need to try to debug further tomorrow.
Thanks for looking into it - I've not been able to make a reproducer unfortunately.
-- Gene
On 14. Jul 2025, at 0.39, Genes Lists via dovecot <dovecot@dovecot.org> wrote:
> On Sun, 2025-07-13 at 23:31 +0300, Timo Sirainen via dovecot wrote:
>>> (a) non-root users need access to the certificate chain in order to be able to run "sievec". Quirky but easy enough to work around.
>> Which setting was it complaining about? ssl_client_* settings? or ssl_server_cert?
> Permission denied on the server cert :
>     ssl_server {
>         cert_file = <this-one>
>         key_file = ..
>         prefer_ciphers = ..
>     }
I can't reproduce this (tested 2.4.1 and git main). I have ssl_server_cert_file pointing to a file only root can read, but "sievec test.sieve" still works as non-root.
On Mon, 2025-07-14 at 01:09 +0300, Timo Sirainen via dovecot wrote:
> On 14. Jul 2025, at 0.39, Genes Lists via dovecot <dovecot@dovecot.org> wrote:
> I can't reproduce this (tested 2.4.1 and git main). I have ssl_server_cert_file pointing to a file only root can read, but "sievec test.sieve" still works as non-root.
What happens if you make the path to the cert file not readable not just the file?
I think in my case where certfile is : /a/b/c/d/certfile.
non-root user did not have rx permission on /a/b/c or /a/b/c/d
-- Gene
On Sun, 2025-07-13 at 19:40 -0400, Genes Lists via dovecot wrote:
> On Mon, 2025-07-14 at 01:09 +0300, Timo Sirainen via dovecot wrote:
>> On 14. Jul 2025, at 0.39, Genes Lists via dovecot
This is what I see at terminal:
    % sievec Active.sieve
    doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 10: cert_file: open(/a/b/c/d/e/f/g/fullchain.pem) failed: Permission denied
where each directory / down to "g" is read-execute by other, g is root only and file is read by other i.e.
    4 drwxr-xr-x 3 root root /a/b/c/d/e/f
    4 drwxr-x--- 2 root root /a/b/c/d/e/f/g/
    4 -rw-r--r-- 1 root root /a/b/c/d/e/f/g/fullchain.pem
-- Gene
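The error in the message above comes from a directory on the way to the certificate lacking search (x) permission for the calling user, even though the file itself is world-readable. The following shell script is an added example, not code from the thread or from Dovecot: it walks an absolute path component by component and reports the first entry that "other" cannot pass, using classic mode bits only (no ACLs, group membership or symlink resolution). The function names and the temporary sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: find the first path component that blocks an unprivileged
# ("other") user from opening a file, based on classic mode bits only.
# Assumptions: absolute path, no ACLs, symlinks are not resolved.

# perm_string PATH -> first ten characters of `ls -ld`, e.g. "drwxr-x---"
perm_string() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# first_blocked_for_other FILE [BASE]
# Walks from BASE (default "/") down to FILE. Prints the first component that
# "other" cannot search (directory) or read (final file) and returns 1.
# Returns 0 with no output if every component is passable, 2 if one is missing.
first_blocked_for_other() {
    file=$1
    base=${2:-/}
    base=${base%/}                 # "/" becomes "", "/srv/x/" becomes "/srv/x"
    rel=${file#"$base"/}           # the part of the path below BASE
    cur=$base

    old_ifs=$IFS
    IFS=/
    set -f                         # no globbing while splitting on "/"
    set -- $rel
    set +f
    IFS=$old_ifs

    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur=$cur/$comp
        perms=$(perm_string "$cur")
        case $perms in
            "")            echo "$cur"; return 2 ;;  # missing or not stat-able
            d????????[xt]) ;;                        # directory, other may search
            d*)            echo "$cur"; return 1 ;;  # directory, no search bit
            ???????r??)    ;;                        # file, other may read
            *)             echo "$cur"; return 1 ;;  # file, no read bit
        esac
    done
    return 0
}

# Constructed sample tree with the modes from the listing in the message:
# f/ is 755, f/g/ is 750, f/g/fullchain.pem is 644.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/f/g"
    : > "$root/f/g/fullchain.pem"
    chmod 755 "$root/f"
    chmod 750 "$root/f/g"
    chmod 644 "$root/f/g/fullchain.pem"
    echo "$root"
}

tree=$(make_sample_tree)
if blocker=$(first_blocked_for_other "$tree/f/g/fullchain.pem" "$tree"); then
    echo "other can reach the certificate"
else
    echo "blocked at: $blocker"
fi
rm -rf "$tree"
```

On a host with util-linux installed, `namei -l` on the certificate path prints the same per-component modes for a manual check.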
On 13/07/2025 17:31, Timo Sirainen via dovecot wrote:
> v1.x config lasted for 8 years. v2.x config lasted for 15 years. It was getting kludgy enough that it was finally time to change it.
It's too late for that now, but maybe v2.4 should have been v3.0. Would suggest that it's a bigger (and incompatible) change, even before users looked at the release notes.
-- She used to diet on any kind of food she could lay her hands on. -- Arthur Baer, American comic and columnist
Eduardo M KALINOWSKI eduardo@kalinowski.com.br
Hi,
On 13.07.25 09:35, Aki Tuomi wrote:
> No concrete decision has been made yet, but we are planning on making one later this year.
Thanks for the straightforward answer! My main concern was potential bugs I might not be aware of, which could easily be avoided by waiting a few more days for a 2.4.2 release. 😄
Since that’s not the case, I'll go ahead and proceed with migrating to 2.4.1, as a general environment lifecycle is due in some environments.
-- Kind regards, Andreas Haerter
participants (10)
- Aki Tuomi
- Andreas Haerter
- Benny Pedersen
- Bruno Hertz
- Eduardo M KALINOWSKI
- Genes Lists
- Odhiambo Washington
- Steve Litt
- Steven Varco
- Timo Sirainen