Headsup on feature removal

older
Bug maybe already resolved? Sieve...

Aki Tuomi

17 Mar 2020 17 Mar '20

8:50 a.m.

Hi!

Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.

We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.

To start, the following features are likely to be removed in next few releases of Dovecot.

Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia
Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5
Authentication mechanisms: ntlm, rpa, skey
Dict drivers: memcached, memcached-ascii (use redis instead)
postfix postmap support
autocreate & autosubscribe plugins (use built-in auto=create/subscribe setting instead)
expire plugin (use built-in autoexpunge setting)
fts-squat plugin
mailbox alias plugin
mail-filter plugin
snarf plugin
xz compression algorithm

For the authentication drivers that are being removed, we suggest using Lua as a replacement. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...

For information about converting between password schemes, see https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.

Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.

Please contact us via the mailing list if you have any questions.

Regards, Dovecot Team

Attachments:

signature.asc (application/pgp-signature — 475 bytes)

Show replies by date

With these planned changes, you mention they will be removed from 'core', so is the intention to allow more of these legacy plugins to more to their own repo's for those that might still want to use them?

Eg, more in the the path of plug-in architecture? Just curious for clarity.

Oh, and have to add.. still waiting on the variable capability patch, to allow plugins to modify advertised capabilities. (#pull request 86)

This will allow us to provide our dove cot plugins more widely to the community.

On 2020-03-16 11:50 p.m., Aki Tuomi wrote:

...

Hi!

Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.

We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.

To start, the following features are likely to be removed in next few releases of Dovecot.

Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia

Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5

Authentication mechanisms: ntlm, rpa, skey

Dict drivers: memcached, memcached-ascii (use redis instead)

postfix postmap support

autocreate & autosubscribe plugins (use built-in auto=create/subscribe setting instead)

expire plugin (use built-in autoexpunge setting)

fts-squat plugin

mailbox alias plugin

mail-filter plugin

snarf plugin

xz compression algorithm

For the authentication drivers that are being removed, we suggest using Lua as a replacement. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...

For information about converting between password schemes, see https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.

Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.

Please contact us via the mailing list if you have any questions.

Regards, Dovecot Team

-- "Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

Aki Tuomi

7:15 a.m.

Michael Peddemors

3:49 p.m.

Amongst other plug-ins, yes..

On 2020-03-17 10:15 p.m., Aki Tuomi wrote:

...

Those plugins can be resurrected with simple git revert.

Are you planning on open sourcing your client id authetication plugin?

Aki

...
On 18/03/2020 01:44 Michael Peddemors < michael@linuxmagic.com mailto:michael@linuxmagic.com> wrote:

With these planned changes, you mention they will be removed from 'core', so is the intention to allow more of these legacy plugins to more to their own repo's for those that might still want to use them?

Eg, more in the the path of plug-in architecture? Just curious for clarity.

Oh, and have to add.. still waiting on the variable capability patch, to allow plugins to modify advertised capabilities. (#pull request 86)

This will allow us to provide our dove cot plugins more widely to the community.

On 2020-03-16 11:50 p.m., Aki Tuomi wrote:

...
Hi!

Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.

We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.

To start, the following features are likely to be removed in next few releases of Dovecot.

Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia

Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5

Authentication mechanisms: ntlm, rpa, skey

Dict drivers: memcached, memcached-ascii (use redis instead)

postfix postmap support

autocreate & autosubscribe plugins (use built-in auto=create/subscribe setting instead)

expire plugin (use built-in autoexpunge setting)

fts-squat plugin

mailbox alias plugin

mail-filter plugin

snarf plugin

xz compression algorithm

For the authentication drivers that are being removed, we suggest using Lua as a replacement. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...

For information about converting between password schemes, see https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.

Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.

Please contact us via the mailing list if you have any questions.

Regards, Dovecot Team

-- "Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

Aki Tuomi

-- "Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

Remo Mattei

5:52 p.m.

So I am on of the many users with qmail, and using vpopmail auth, I guess chatting with some other guys in the other mailing list we will convert to mysql driver but this is a lot of work for many people.

I do understand dropping things out but a valid solutions needs to be proposed.

Remo

...

On Mar 18, 2020, at 06:49, Michael Peddemors michael@linuxmagic.com wrote:

Amongst other plug-ins, yes..

On 2020-03-17 10:15 p.m., Aki Tuomi wrote:

...
Those plugins can be resurrected with simple git revert. Are you planning on open sourcing your client id authetication plugin? Aki

...
On 18/03/2020 01:44 Michael Peddemors < michael@linuxmagic.com mailto:michael@linuxmagic.com mailto:michael@linuxmagic.com>> wrote:

With these planned changes, you mention they will be removed from 'core', so is the intention to allow more of these legacy plugins to more to their own repo's for those that might still want to use them?

Eg, more in the the path of plug-in architecture? Just curious for clarity.

Oh, and have to add.. still waiting on the variable capability patch, to allow plugins to modify advertised capabilities. (#pull request 86)

This will allow us to provide our dove cot plugins more widely to the community.

On 2020-03-16 11:50 p.m., Aki Tuomi wrote:

...
Hi!

Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.

We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.

To start, the following features are likely to be removed in next few releases of Dovecot.

Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia

Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5

Authentication mechanisms: ntlm, rpa, skey

Dict drivers: memcached, memcached-ascii (use redis instead)

postfix postmap support

autocreate & autosubscribe plugins (use built-in auto=create/subscribe setting instead)

expire plugin (use built-in autoexpunge setting)

fts-squat plugin

mailbox alias plugin

mail-filter plugin

snarf plugin

xz compression algorithm

For the authentication drivers that are being removed, we suggest using Lua as a replacement. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...

For information about converting between password schemes, see https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.

Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.

Please contact us via the mailing list if you have any questions.

Regards, Dovecot Team

-- "Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

Aki Tuomi

-- "Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com http://www.linuxmagic.com/ @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca http://www.wizard.ca/ "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

Aki Tuomi

7:26 p.m.

Hi!

I understand that it is not trivial to move away from vpopmail and does require changing a working system. But then again, one should be able to configure MySQL passdb/userdb with vpopmail schema.

I am not familiar with vpopmail but if someone comes with instructions we can polish them a bit (if necessary) and publish them as howto on doc.dovecot.org.

Aki

...

On 18/03/2020 17:52 Remo Mattei remo@rm.ht wrote:

So I am on of the many users with qmail, and using vpopmail auth, I guess chatting with some other guys in the other mailing list we will convert to mysql driver but this is a lot of work for many people.

I do understand dropping things out but a valid solutions needs to be proposed.

Remo

...
On Mar 18, 2020, at 06:49, Michael Peddemors michael@linuxmagic.com wrote:

Amongst other plug-ins, yes..

On 2020-03-17 10:15 p.m., Aki Tuomi wrote:

...
Those plugins can be resurrected with simple git revert. Are you planning on open sourcing your client id authetication plugin? Aki

...
On 18/03/2020 01:44 Michael Peddemors mailto:michael@linuxmagic.com> wrote:

With these planned changes, you mention they will be removed from 'core', so is the intention to allow more of these legacy plugins to more to their own repo's for those that might still want to use them?

Eg, more in the the path of plug-in architecture? Just curious for clarity.

Oh, and have to add.. still waiting on the variable capability patch, to allow plugins to modify advertised capabilities. (#pull request 86)

This will allow us to provide our dove cot plugins more widely to the community.

On 2020-03-16 11:50 p.m., Aki Tuomi wrote:

...
Hi!

Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.

We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.

To start, the following features are likely to be removed in next few releases of Dovecot.

Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia

Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5

Authentication mechanisms: ntlm, rpa, skey

Dict drivers: memcached, memcached-ascii (use redis instead)

postfix postmap support

autocreate & autosubscribe plugins (use built-in auto=create/subscribe setting instead)

expire plugin (use built-in autoexpunge setting)

fts-squat plugin

mailbox alias plugin

mail-filter plugin

snarf plugin

xz compression algorithm

For the authentication drivers that are being removed, we suggest using Lua as a replacement. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...

For information about converting between password schemes, see https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.

Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.

Please contact us via the mailing list if you have any questions.

Regards, Dovecot Team

-- "Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

Aki Tuomi

-- "Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc. Visit us athttp://www.linuxmagic.com (http://www.linuxmagic.com/)@linuxmagic A Wizard IT Company - For More Infohttp://www.wizard.ca (http://www.wizard.ca/) "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.

Michael Peddemors

7:35 p.m.

One way it can be done as well, using the 'vchkpw' part of vpopmail, which is 'checkpassword' compliant, however if that goes away ;)

On 2020-03-18 10:26 a.m., Aki Tuomi wrote:

...

Hi!

I understand that it is not trivial to move away from vpopmail and does require changing a working system. But then again, one should be able to configure MySQL passdb/userdb with vpopmail schema.

I am not familiar with vpopmail but if someone comes with instructions we can polish them a bit (if necessary) and publish them as howto on doc.dovecot.org.

Aki

...
On 18/03/2020 17:52 Remo Mattei remo@rm.ht wrote:

So I am on of the many users with qmail, and using vpopmail auth, I guess chatting with some other guys in the other mailing list we will convert to mysql driver but this is a lot of work for many people.

I do understand dropping things out but a valid solutions needs to be proposed.

Remo

-- "Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

Alessio Cecchi

11:55 p.m.

Hi Aki and Remo,

switch from vpopmail driver to SQL driver (if you are using vpopmail with mysql as backend) is very simple.

First you need to setup the right query for vpopmail database:

# cat /etc/dovecot/dovecot-sql.conf.ext

### Vpopmail driver = mysql connect = host=192.168.1.2 dbname=vpopmail user=vpopmail password=Vp0pM4iL default_pass_scheme = MD5-CRYPT

### Query to get a list of all usernames. iterate_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user FROM vpopmail

### user_query for vpopmail user_query = SELECT pw_dir AS home, 89 AS uid, 89 AS gid, concat('*:backend=', pw_shell) AS quota_rule FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d'

### password_query for vpopmail (not used) #password_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d'

### password_query for vpopmail with prefetch password_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, concat('*:backend=', pw_shell) as userdb_quota_rule, 89 AS userdb_uid, 89 AS userdb_gid, pw_dir AS userdb_home FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d'

after to setup auth-sql like this:

# cat /etc/dovecot/conf.d/auth-sql.conf.ext

passdb { driver = sql args = /etc/dovecot/dovecot-sql.conf.ext }

userdb { driver = prefetch }

userdb { driver = sql args = /etc/dovecot/dovecot-sql.conf.ext }

and after to swith from auth-vpopmail to auth-sql from /etc/dovecot/conf.d/10-auth.conf

You can also setup Dovecot in order to apply vpopmail POP/IMAP/SMTP/Webmail gids/domains limits for example with a password query more complicated like this:

password_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, concat('*:backend=', pw_shell) as userdb_quota_rule, 89 AS userdb_uid, 89 AS userdb_gid, pw_dir AS userdb_home FROM vpopmail LEFT JOIN limits ON vpopmail.pw_domain = limits.domain WHERE pw_name = '%n' AND pw_domain='%d' AND (( '%s' = 'smtp' AND (pw_gid & 2048)<>2048 AND COALESCE(disable_smtp,0)!=1) OR ('%s' = 'pop3' AND (pw_gid & 2)<>2 AND COALESCE(disable_pop,0) != 1 ) OR ('%s' = 'imap' AND ('%r'='192.168.100.1' OR '%r'='192.168.100.2') AND (pw_gid & 4)<>4 AND COALESCE(disable_webmail,0)!=1) OR ('%s' = 'imap' AND ('%r'!='192.168.100.1' AND '%r'!='192.168.100.2') AND (pw_gid & 8)<>8 AND COALESCE(disable_imap,0)!=1));

where 192.168.100.1 and 192.168.100.2 are the IPs of your webmail servers.

For a more beautifull setup and to show in dovecot logs "user disabled" instead of "password error" you can put this password_query under the dovecot auth-deny.conf.ext configurations.

If you need more help or info I can help you.

Ciao

Il 18/03/20 18:26, Aki Tuomi ha scritto:

...

Hi!

I understand that it is not trivial to move away from vpopmail and does require changing a working system. But then again, one should be able to configure MySQL passdb/userdb with vpopmail schema.

I am not familiar with vpopmail but if someone comes with instructions we can polish them a bit (if necessary) and publish them as howto on doc.dovecot.org.

Aki

...
On 18/03/2020 17:52 Remo Mattei remo@rm.ht wrote:

So I am on of the many users with qmail, and using vpopmail auth, I guess chatting with some other guys in the other mailing list we will convert to mysql driver but this is a lot of work for many people.

I do understand dropping things out but a valid solutions needs to be proposed.

Remo

-- Alessio Cecchi Postmaster @ http://www.qboxmail.it https://www.linkedin.com/in/alessice

John Stoffel

19 Mar 19 Mar

3:01 a.m.

...

...
...
...
...
"Alessio" == Alessio Cecchi alessio@skye.it writes:

Alessio> Hi Aki and Remo, Alessio> switch from vpopmail driver to SQL driver (if you are using vpopmail with mysql as backend) is Alessio> very simple.

Alessio> First you need to setup the right query for vpopmail database:

Alessio> # cat /etc/dovecot/dovecot-sql.conf.ext

Alessio> ### Vpopmail Alessio> driver = mysql Alessio> connect = host=192.168.1.2 dbname=vpopmail user=vpopmail password=Vp0pM4iL Alessio> default_pass_scheme = MD5-CRYPT

Alessio> ### Query to get a list of all usernames. Alessio> iterate_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user FROM vpopmail

Alessio> ### user_query for vpopmail

Alessio> user_query = SELECT pw_dir AS home, 89 AS uid, 89 AS gid, Alessio> concat('*:backend=', pw_shell) AS quota_rule FROM vpopmail Alessio> WHERE pw_name = '%n' AND pw_domain = '%d'

Careful! You need to explain that 89 is the UID and GID of the vpopmail user account? Or some other account? I don't use either of these auth methods, but this just struck me a a little magical.

Alessio Cecchi

1:24 p.m.

Il 19/03/20 02:01, John Stoffel ha scritto:

...

Alessio> ### user_query for vpopmail Alessio> user_query = SELECT pw_dir AS home, 89 AS uid, 89 AS gid, Alessio> concat('*:backend=', pw_shell) AS quota_rule FROM vpopmail Alessio> WHERE pw_name = '%n' AND pw_domain = '%d'

Careful! You need to explain that 89 is the UID and GID of the vpopmail user account? Or some other account? I don't use either of these auth methods, but this just struck me a a little magical.

Hi John,

what you said is true but historically in vpopmail environments uid and gid are usually hardcoded at 89

Anyone can check their uid and gid with "id vpopmail" command from shell and update as necessary.

-- Alessio Cecchi Postmaster @ http://www.qboxmail.it https://www.linkedin.com/in/alessice

Aki Tuomi

1:39 p.m.

...

On 19/03/2020 13:24 Alessio Cecchi alessio@skye.it wrote:

Il 19/03/20 02:01, John Stoffel ha scritto:

...
Alessio> ### user_query for vpopmail Alessio> user_query = SELECT pw_dir AS home, 89 AS uid, 89 AS gid, Alessio> concat('*:backend=', pw_shell) AS quota_rule FROM vpopmail Alessio> WHERE pw_name = '%n' AND pw_domain = '%d'

Careful! You need to explain that 89 is the UID and GID of the vpopmail user account? Or some other account? I don't use either of these auth methods, but this just struck me a a little magical.

Hi John,

what you said is true but historically in vpopmail environments uid and gid are usually hardcoded at 89

Anyone can check their uid and gid with "id vpopmail" command from shell and update as necessary.

-- Alessio Cecchi

You can also replace 89 with 'vpopmail' and let dovecot resolve the number.

Aki

John Stoffel

8:49 p.m.

...

...
...
...
...
"Alessio" == Alessio Cecchi alessio@skye.it writes:

Alessio> Il 19/03/20 02:01, John Stoffel ha scritto: Alessio> ### user_query for vpopmail

Alessio> user_query = SELECT pw_dir AS home, 89 AS uid, 89 AS gid, Alessio> concat('*:backend=', pw_shell) AS quota_rule FROM vpopmail Alessio> WHERE pw_name = '%n' AND pw_domain = '%d'

Alessio> Careful! You need to explain that 89 is the UID and GID of the Alessio> vpopmail user account? Or some other account? I don't use either of Alessio> these auth methods, but this just struck me a a little magical.

Alessio> what you said is true but historically in vpopmail Alessio> environments uid and gid are usually hardcoded at 89

Alessio> Anyone can check their uid and gid with "id vpopmail" command Alessio> from shell and update as necessary.

Thanks for the clarification, hopefully this helps other people having to move.

John

Peter

18 Mar 18 Mar

5:32 a.m.

New subject: [Dovecot-news] Headsup on feature removal

On 17/03/20 7:50 pm, Aki Tuomi wrote:

...

Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.

We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.

To start, the following features are likely to be removed in next few releases of Dovecot.

...

If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.

Allow me to formally express my objections here. You provide repositories that automatically upgrade dovecot through point releases on various different package management systems, so here's what is going to happen:

Anyone that uses features you remove in 2.3.11 will have dovecot break on them simply by running "yum update" (or equivalent) at that time. This could be production systems that have been running for years on platforms such as CentOS 7.

Then things will break again in 2.3.12 (assuming you remove features then), and in 2.3.13, etc.

So you want to have a product that has a reputation for purposefully breaking installations just for running security updates?

Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.

Peter

Markus Schönhaber

10:03 a.m.

New subject: [Dovecot-news] Headsup on feature removal

18.03.20, 04:32 CET, Peter:

...

Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.

Seconded! That you are going to drop features from the code base that are old and rarely used is understandable. Doing so in a minor release is not.

-- Regards mks

JAVIER MIGUEL RODRIGUEZ

7:56 p.m.

New subject: [Dovecot-news] Headsup on feature removal

I fully agree with this:

...

Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.

Noel Butler

11:55 p.m.

New subject: [Dovecot-news] Headsup on feature removal

On 19/03/2020 03:56, JAVIER MIGUEL RODRIGUEZ wrote:

...

I fully agree with this:

...
Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.

I'm astonished that features are being removed in a dot release as well, no other major project does this, hell, most don't like adding new features in dot releases let alone stripping them out.

None of the listed changes affect me that I can see, but I've been around a long time and I'm flabbergasted that someone actually approved this on dot release.

Now although there is no real need for them to further upgrade to ensure business continuity, if a serious exploit is released in the wild they highly likely will get bitten. Stripping everything else at once in a new major is perfectly acceptable, and, is the norm.

-- Kind Regards,

Noel Butler

	This Email, including attachments, may contain legally privileged

information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate any part of this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.

Rob Sterenborg (Lists)

19 Mar 19 Mar

12:03 p.m.

New subject: [Dovecot-news] Headsup on feature removal

On 18-03-2020 22:55, Noel Butler wrote:

...

On 19/03/2020 03:56, JAVIER MIGUEL RODRIGUEZ wrote:

...
I fully agree with this:

...
Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.

I'm astonished that features are being removed in a dot release as well, no other major project does this, hell, most don't like adding new features in dot releases let alone stripping them out.

None of the listed changes affect me that I can see, but I've been around a long time and I'm flabbergasted that someone actually approved this on dot release.

Now although there is no real need for them to further upgrade to ensure business continuity, if a serious exploit is released in the wild they highly likely will get bitten. Stripping everything else at once in a new major is perfectly acceptable, and, is the norm.

I have to say that I also cannot understand why you're going to remove features from a dot release. You can give the heads-up here, but it is not common-practice and will very likely break a lot of setups.

It's understandable that you want to remove features that are hardly used or maintained, but not in a dot release.

Please reconsider this removal, and remove those features as of the next major release.

-- Kind regards, Rob

Aki Tuomi

9:07 p.m.

New subject: [Dovecot-news] Headsup on feature removal

Hi!

We appreciate the feedback we have received from everyone, and we have discussed it internally.

The features we are removing are deprecated and should not have been used anymore. They all have alternatives that work equally well if not better.

For the authentication drivers, you can use passwd, pam and Lua as replacements for most of them. Lua in particular allows good integration with just about any external system. VPopmail can be replaced with SQL authentication.

For password schemes, we have guide: https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

Memcached should be replaced with redis.

The expire, autocreate and autosubscribe plugins can be replaced with namespace settings:

namespace { mailbox Name { auto = create or subscribe autoexpunge = value } }

See the mailbox configuration documentation at https://doc.dovecot.org/configuration_manual/namespace/#mailbox-settings.

fts-squat can be replaced with Solr. squat has been considered obsolete (and that has been also indicated in documentation) since at least 2014.

After discussing it internally, we decided to postpone the xz removal for the time being. We understand the complexity of migrating away from it, so we want to give more time to do that. However beware that there are memory management issues in liblzma and we consider it unsafe to use. Feel free to use any of the other supported compresion algorithms instead. (We are also adding zstandard support in 2.3.11.)

You can switch your repository configuration to not use the ce-2.3-latest symlink, but rather to use a specific version (e.g., ce-2.3.10) giving you the control about when the system upgrades to a new version without missing out on CVE fixes in updated packages.

Finally, I want to point out that we will be happy if someone wants to start maintaining a feature we are planning to remove.

Aki

Michael Peddemors

11:19 p.m.

New subject: [Dovecot-news] Headsup on feature removal

For the record, the SQL method will not always work in every environment, and might entail a lot more overhead in some environments than the simpler 'checkpassword' methods.

Q. How many people use the checkpassword method still on this list?

Might recommend that be left in longer, however wave a hand if you need someone to take over support on that end..

On 2020-03-19 12:07 p.m., Aki Tuomi wrote:

...

Hi!

We appreciate the feedback we have received from everyone, and we have discussed it internally.

The features we are removing are deprecated and should not have been used anymore. They all have alternatives that work equally well if not better.

For the authentication drivers, you can use passwd, pam and Lua as replacements for most of them. Lua in particular allows good integration with just about any external system. VPopmail can be replaced with SQL authentication.

For password schemes, we have guide: https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

Memcached should be replaced with redis.

The expire, autocreate and autosubscribe plugins can be replaced with namespace settings:

namespace { mailbox Name { auto = create or subscribe autoexpunge = value } }

See the mailbox configuration documentation at https://doc.dovecot.org/configuration_manual/namespace/#mailbox-settings.

fts-squat can be replaced with Solr. squat has been considered obsolete (and that has been also indicated in documentation) since at least 2014.

After discussing it internally, we decided to postpone the xz removal for the time being. We understand the complexity of migrating away from it, so we want to give more time to do that. However beware that there are memory management issues in liblzma and we consider it unsafe to use. Feel free to use any of the other supported compresion algorithms instead. (We are also adding zstandard support in 2.3.11.)

You can switch your repository configuration to not use the ce-2.3-latest symlink, but rather to use a specific version (e.g., ce-2.3.10) giving you the control about when the system upgrades to a new version without missing out on CVE fixes in updated packages.

Finally, I want to point out that we will be happy if someone wants to start maintaining a feature we are planning to remove.

Aki

-- "Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

Javier Miguel Rodríguez

17 Apr 17 Apr

11:27 a.m.

New subject: [Dovecot-news] Headsup on feature removal

Hello Aki

Can you elaborate about memory management issues in liblzma & dovecot?

Regards

El 19/03/2020 a las 20:07, Aki Tuomi escribió:

...

After discussing it internally, we decided to postpone the xz removal for the time being. We understand the complexity of migrating away from it, so we want to give more time to do that. However beware that there are memory management issues in liblzma and we consider it unsafe to use. Feel free to use any of the other supported compresion algorithms instead. (We are also adding zstandard support in 2.3.11.)

Philip Colmer

18 Mar 18 Mar

10:34 a.m.

...

Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.

As someone who digs into instructions to find just the bits and pieces needed to get things going, is there any guidance on how to configure dovecot to use something other than mbox? At the moment, we have postfix delivering mail as normal and then dovecot providing the IMAP layer on top of that mbox file.

Thank you.

Philip

On Tue, 17 Mar 2020 at 06:51, Aki Tuomi aki.tuomi@dovecot.fi wrote:

...

Hi!

Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.

We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.

To start, the following features are likely to be removed in next few releases of Dovecot.

Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia

Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5

Authentication mechanisms: ntlm, rpa, skey

Dict drivers: memcached, memcached-ascii (use redis instead)

postfix postmap support

autocreate & autosubscribe plugins (use built-in auto=create/subscribe setting instead)

expire plugin (use built-in autoexpunge setting)

fts-squat plugin

mailbox alias plugin

mail-filter plugin

snarf plugin

xz compression algorithm

For the authentication drivers that are being removed, we suggest using Lua as a replacement. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...

For information about converting between password schemes, see https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.

Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.

Please contact us via the mailing list if you have any questions.

Regards, Dovecot Team

Javier Miguel Rodríguez

2:35 p.m.

New subject: [Dovecot-news] Headsup on feature removal

xz compression support for mdbox is used extensively here. Why are you planning to remove it?

El 17/03/2020 a las 7:50, Aki Tuomi escribió:

...

Hi!

Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.

We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.

To start, the following features are likely to be removed in next few releases of Dovecot.

Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia

Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5

Authentication mechanisms: ntlm, rpa, skey

Dict drivers: memcached, memcached-ascii (use redis instead)

postfix postmap support

autocreate & autosubscribe plugins (use built-in auto=create/subscribe setting instead)

expire plugin (use built-in autoexpunge setting)

fts-squat plugin

mailbox alias plugin

mail-filter plugin

snarf plugin

xz compression algorithm

For the authentication drivers that are being removed, we suggest using Lua as a replacement. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...

For information about converting between password schemes, see https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.

Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.

Please contact us via the mailing list if you have any questions.

Regards, Dovecot Team

Dovecot-news mailing list Dovecot-news@dovecot.org https://dovecot.org/mailman/listinfo/dovecot-news

Dewayne Geraghty

19 Mar 19 Mar

10:20 a.m.

New subject: [Dovecot-news] Headsup on feature removal

Thank-you for the heads-up notification. It is very helpful for planning. Unfortunately we do not allow any languages to be installed on production systems (per the security people).

As we do use autocreate/subscribe plugins, could you please direct us to any workaround for our current use of plugin { autocreate = Sent autocreate2 = Drafts autocreate3 = SPAM autocreate4 = Junk E-mail autosubscribe = Sent autosubscribe2 = Drafts autosubscribe3 = SPAM autosubscribe4 = Junk E-mail quota = maildir:User quota ...

I'm sure that many would appreciate any pointers or advise to any other plugin replacement methods or is the user-base expected to learn lua?

We have used dovecot and greatly appreciate the work that the dovecot team have provided for us. Kind regards, Dewayne.

Daniel Miller

30 Mar 30 Mar

5:40 a.m.

------ Original Message ------

...

[...] To start, the following features are likely to be removed in next few releases of Dovecot. [...]

mailbox alias plugin

Like autocreate, autosubscribe, and expire - Is there a built-in feature that makes this plugin obsolete?

Daniel

1624

Age (days ago)

1655

Last active (days ago)

List overview

23 comments

15 participants

participants (15)

Aki Tuomi
Aki Tuomi
Alessio Cecchi
Daniel Miller
Dewayne Geraghty
JAVIER MIGUEL RODRIGUEZ
Javier Miguel Rodríguez
John Stoffel
Markus Schönhaber
Michael Peddemors
Noel Butler
Peter
Philip Colmer
Remo Mattei
Rob Sterenborg (Lists)