Thank you!

On 2/5/2019 8:43 AM, Aki Tuomi wrote:

Hi,

as per our EOL statement 2.2.36 receives security and critical updates. That said, we decided to flush few annoying bugs with .1 release.

You do not need to build releases for 2.2.

Aki

...

On 05 February 2019 at 17:36 Eric Broch < ebroch@whitehorsetc.com mailto:ebroch@whitehorsetc.com> wrote:

Aki,

What's the difference between 2.2.x and 2.3.x version of Dovecot? And why do you maintain both?

I stopped building RPM's of the 2.2.x version and now only build 2.3.x. Should I be maintaining both?

Eric

On 2/5/2019 6:01 AM, Aki Tuomi wrote:

...

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service. - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT - director: Kicking a user assert-crashes if login process is very slow - lda/lmtp: Fix assert-crash with some Sieve scripts when mail_attachment_detection_options=add-flags-on-save - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file - Snippet generation crashed with invalid Content-Type:multipart

---

Aki Tuomi Open-Xchange Oy

-- Eric Broch White Horse Technical Consulting (WHTC)

---

Aki Tuomi

-- Eric Broch White Horse Technical Consulting (WHTC)

Hi,

It's probably because gmail. They refuse emails for random reasons occasionally.

Sami

On 5 Feb 2019, at 17.06, Larry Rosenman larryrtx@gmail.com wrote:

for some reason Aki's posts are not making it to my GMail account from this list.

Any idea why?

On Tue, Feb 5, 2019 at 10:04 AM Eric Broch mailto:ebroch@whitehorsetc.com> wrote: Thank you!

On 2/5/2019 8:43 AM, Aki Tuomi wrote:

...

Hi,

as per our EOL statement 2.2.36 receives security and critical updates. That said, we decided to flush few annoying bugs with .1 release.

You do not need to build releases for 2.2.

Aki

...

On 05 February 2019 at 17:36 Eric Broch < ebroch@whitehorsetc.com mailto:ebroch@whitehorsetc.com> wrote:

Aki,

What's the difference between 2.2.x and 2.3.x version of Dovecot? And why do you maintain both?

I stopped building RPM's of the 2.2.x version and now only build 2.3.x. Should I be maintaining both?

Eric

On 2/5/2019 6:01 AM, Aki Tuomi wrote:

...

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service. - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT - director: Kicking a user assert-crashes if login process is very slow - lda/lmtp: Fix assert-crash with some Sieve scripts when mail_attachment_detection_options=add-flags-on-save - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file - Snippet generation crashed with invalid Content-Type:multipart

---

Aki Tuomi Open-Xchange Oy

-- Eric Broch White Horse Technical Consulting (WHTC)

---

Aki Tuomi

Eric Broch White Horse Technical Consulting (WHTC)

-- Larry Rosenman http://www.lerctr.org/~ler http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: larryrtx@gmail.com mailto:larryrtx@gmail.com US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106

On February 5, 2019 at 8:36 AM Eric Broch ebroch@whitehorsetc.com wrote:

What's the difference between 2.2.x and 2.3.x version of Dovecot? And why do you maintain both?

https://dovecot.org/pipermail/dovecot-news/2018-August/000386.html

michael

On 5 Feb 2019, at 7.48, Gerald Galster list+dovecot@gcore.biz wrote:

Hello Aki,

...

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

• pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT

is this in any way related to the problem that has first been reported in march last year:

"Duplicate mails on pop3 expunge with dsync replication on 2.2.35 (2.2.33.2 works)"

Unlikely.

On 2019-02-05 13:07, Stephan Bosch via dovecot wrote:

Hi,

Here is the associated release for Pigeonhole:

https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.... https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.... Binary packages included in https://repo.dovecot.org/

+ imapsieve: Added imapsieve_expunge_discarded setting which causes
  discarded messages to be expunged immediately.
- Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context 

that modify the message, store the message a second time, rather than replacing the originally stored unmodified message. - imapsieve: Fix crash when COPYing mails from a virtual mailbox when the source messages originate from more than a single real mailbox - imap_filter_sieve plugin: Implement the missing UID FILTER command. - imap_filter_sieve plugin: Fix FILTER to work with pipelining

Regards,

Stephan.

Op 5-2-2019 om 14:01 schreef Aki Tuomi:

...

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

    * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service.

    - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT - director: Kicking a user assert-crashes if login process is very slow - lda/lmtp: Fix assert-crash with some Sieve scripts when mail_attachment_detection_options=add-flags-on-save - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file - Snippet generation crashed with invalid Content-Type:multipart

---

Aki Tuomi Open-Xchange Oy

Is there going to be an equivalent 0.5.4.1 release with the same functionality but for Dovecot 2.3.x?

Michael

Hi,

Stephan Bosch via dovecot, 05.02.19:

Here is the associated release for Pigeonhole:

With the line deb http://xi.dovecot.fi/debian/ stable-auto/dovecot-2.2 main in my /etc/apt/sources.list, apt update fails with a Hash sum mismatch:

Err:14 http://xi.dovecot.fi/debian stable-auto/dovecot-2.2/main amd64 Packages Hash Sum mismatch Hashes of expected file: - Filesize:20770 [weak] - SHA512:e2272b4dc431f5fae85f96f80170f20e5e2e955bc288b1ac28d447ad06eaf9336bf5131ea9cdf178e36fc46e5986b5baff4eabdd562c665b97e762c4f44c0b06 - SHA256:936acd204d9b147225f763fb136e3a673d9003960a2104319b414a6602bb28a5 - SHA1:363e915b19b242b4011c01e6d2dc177e06414733 [weak] - MD5Sum:0f56fd080c93b5257e39e979335e5582 [weak] Hashes of received file: - SHA512:76306aaddd2f48a526a9a3b8cb8c4cf1b3b10f3f13cdd8fcf50d1969f95e0c0a6e44df94fc0f36b7efcf8ad1718f4dd78b6db97d962a192a72f700e99e7647a8 - SHA256:5b31992a7ed1a356c666dacf08d3e45fe5de527d177ecfb4c0079fc238d6d3f3 - SHA1:9dfb0af157863b2d916eedb8faf16739151698c1 [weak] - MD5Sum:4f047a8fc01ba5b7645ef63244972068 [weak] - Filesize:17109 [weak] Last modification reported: Tue, 05 Feb 2019 14:48:20 +0000 Release file created at: Tue, 05 Feb 2019 14:35:10 +0000

Could you please check this?

TIA & Regards, Christian

-- No signature available.