Hi all,
after a very long wait we are finally happy to release Dovecot v2.4.0!
Some IMPORTANT things to notice:
- We have changed the signing key for 2.4 going forward, releases are signed with EF0882079FD4ED32BF8B23B2A1B09EF84EDC5219, which can be found at https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 and is signed with the previous key.
The old key has been renamed to https://repo.dovecot.org/DOVECOT-REPO-GPG-2.3.
New 2.4 packages **are not** compatible with old 2.3 configuration, please carefully review https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html before installing the new packages.
We are happy to provide experimental arm64 support in the form of a Docker image.
Docker images are now run rootless, with UID 1000 as vmail using built sources. Please take this into consideration when upgrading. Latest 2.3 image can be used with tag 2.3-latest, if you are not ready for this change.
We won't be sending separate mail about Pigeonhole anymore as we will release one anyways when we release Dovecot, and Pigeonhole versioning has been changed to match Dovecot versioning.
Source codes available at
- https://www.dovecot.org/releases/2.4/dovecot-2.4.0.tar.gz
- https://www.dovecot.org/releases/2.4/dovecot-2.4.0.tar.gz.sig
- https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.0.tar.gz
- https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.0.tar.gz....
Binary packages in https://repo.dovecot.org/
Docker images in https://hub.docker.com/r/dovecot/dovecot
Kind regards, Aki Tuomi Open-Xchange oy
Dovecot Core NEWS
- config: dovecot_config_version must be the first non-comment line in configuration file.
- config: dovecot_storage_version must be in the configuration file.
- config: Many configuration options have changed so old configuration files do not work without rewrite. See https://doc.dovecot.org/main/installation/upgrade/2.3-to-2.4.html
- config: New variable expansion syntax has been introduced, see https://doc.dovecot.org/main/core/settings/variables.html
- config: Some default settings have changed.
- config: plugin {} section has been removed.
- *-login: With ssl=required, connections from login_trusted_networks are now also required to be SSL/TLS encrypted.
- acl: Use ACL settings instead of Global ACL Directories.
- auth-worker: auth_worker_max_count is replaced with service auth-worker { process_limit }.
- auth: Weak password schemes are disabled by default, use auth_allow_weak_schemes to enable them.
- auth_debug, mail_debug: Use log_debug filter instead.
- config: All sections require a name, for example passdb/userdb: passdb static { password=secret }
- db2: Remove Berkeley DB support.
- dict-memcached: This is removed, use Redis instead.
- director: Feature has been removed. See potential replacement at https://github.com/dovecot/tools/blob/main/director.lua
- doveadm: USER environment variable is only supported with --no-userdb-lookup. One of -u, -F or -A must be used otherwise.
- doveconf: Option -n is now default when running doveconf.
- dsync: Use doveadm sync instead, legacy symlink has been removed.
- fs-sis: Feature is now deprecated and has been made read-only. It will be removed in future release.
- fts-lucene, fts-squat: These have been removed, use fts-flatcurve or fts-solr instead.
- imap-login: IMAP compression is now handled in proxies.
- imap_quota: SETQUOTA / quota_set has been removed.
- imap_zlib: This plugin is no longer needed, it's always enabled.
- imapc: All features are enabled by default, imapc_features can be used to explicitly disable features that are not wanted.
- lib-storage: mbox driver is now frozen.
- mail_compress: XZ and LZMA algorithm support has been removed.
- mailbox-alias: Plugin has been removed.
- old_stats, auth_stats: These have been removed.
- openssl: Minimum supported version of OpenSSL is now 1.1.1.
- openssl: Add support for OpenSSL 3.x
- quota-dict, quota-dirsize: These have been removed, use quota-count instead. You can use quota_clone to copy quota usage to some database.
- replicator: Feature has been removed. Use NFS or some other shared filesystem instead, or run doveadm sync in crontab.
- stats: The bytes_in and bytes_out field in several events have been renamed as net_in_bytes and net_out_bytes.
- zlib: Renamed to mail_compress plugin.
- Experimental SMTPUTF8 and IMAP UTF8=ACCEPT support has been added. Needs --enable-experimental-mail-utf8 configure option and mail_utf8_extensions=yes setting.
- Long running mail commands can be aborted with Ctrl-C / doveadm kick.
- auth: LDAP driver now supports multi-value attributes.
- auth: Add support for SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS.
- auth: Add support for TLS channel binding.
- auth: Support sending JA3 hash to policy server.
- configure: Detect latest Lua version.
- *-login: Support for TLS Server Name has been improved to allow pre-login settings. For example capabilities to be changed based on TLS Server Name.
- *-login: Support for TLS ALPN has been added, connections with mismatching application are now refused. Missing ALPN is accepted.
- fts-flatcurve: New Xapian based FTS plugin has been added.
- imap: Support for INPROGRESS untagged messages as per RFC 9585.
- lib-lua: Expose Dovecot DNS client.
- lib-lua: Expose Dovecot HTTP client.
- lib-sasl: Support SCRAM-SHA mechanisms.
- lmtp: SNI support has been added which allows settings to be applied based on TLS Server Name.
- sqlite: Support WAL mode.
- stats: Submetric name size has been increased.
- submission: Add submission_add_received_header setting to protect sender identity by suppressing the Received: header.
- Many bugs have been fixed.
Pigeonhole NEWS
- Change configuration syntax to match new Dovecot configuration syntax.
- vacation: Reduce default days to 60 from infinity
- vacation: vacation_max_period=0 is now an error.
- Version has been changed to match Dovecot version.
- Added i;unicode-casecmp comparator.
- Lots of bugs have been fixed.
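The signing-key change in the announcement matters only if the new key is pinned by fingerprint, since the key file and the tarball are served from the same project hosts. The shell functions below are an added example, not part of the original announcement or of Dovecot's tooling: the function names and the sample records are constructed, and the only value taken from the page is the fingerprint.

```shell
#!/bin/sh
# Added example: accept a Dovecot 2.4 release only if its signature chains to
# the fingerprint quoted in the announcement. Function names are hypothetical.
DOVECOT_24_FPR="EF0882079FD4ED32BF8B23B2A1B09EF84EDC5219"

# Constructed `gpg --show-keys --with-colons` records; every value except the
# pinned fingerprint is made up.
SAMPLE_KEY_LISTING='pub:-:4096:1:A1B09EF84EDC5219:1700000000:::-:::scESC:
fpr:::::::::EF0882079FD4ED32BF8B23B2A1B09EF84EDC5219:
uid:-::::1700000000::::Constructed Signing Key:
sub:-:4096:1:0123456789ABCDEF:1700000000::::::s:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:'

# Constructed `gpg --status-fd` lines for a signature made by the subkey above.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signing Key
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF 2025-01-24 1737712800 0 4 0 1 10 00 EF0882079FD4ED32BF8B23B2A1B09EF84EDC5219'

# Print the fingerprint of each primary key found in a colon listing on stdin.
# The "fpr" record right after "pub" is the primary key; the one after "sub"
# belongs to a subkey and is skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { print $10; primary = 0 }
    '
}

# Succeed only if the listing holds exactly one primary key and it is the
# pinned one (two keys give two output lines, which never equal the pin).
key_is_pinned() {
    [ "$(primary_fprs)" = "$DOVECOT_24_FPR" ]
}

# Succeed only if the status lines on stdin contain a VALIDSIG whose last
# field (the primary key fingerprint) is the pinned key and nothing marks the
# signature or key as bad, expired or revoked.
sig_is_from_pinned_key() {
    awk -v want="$DOVECOT_24_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # Appending "" forces a string comparison of the fingerprints.
        $2 == "VALIDSIG" && ($NF "") == want { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }
    '
}

# verify_release KEYFILE TARBALL SIGFILE
# Imports the key into a throwaway keyring so that no other key already on
# the machine can satisfy the check.
verify_release() {
    keyfile=$1 tarball=$2 sigfile=$3
    gpg --batch --show-keys --with-colons --with-fingerprint "$keyfile" | key_is_pinned || {
        echo "key file does not match the pinned fingerprint" >&2
        return 1
    }
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$keyfile" &&
        gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null |
        sig_is_from_pinned_key
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run as: sh verify.sh DOVECOT-REPO-GPG-2.4 dovecot-2.4.0.tar.gz dovecot-2.4.0.tar.gz.sig
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

The announcement also says the new key is signed with the previous one, which users who already hold the 2.3 key can confirm with `gpg --check-sigs`.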
Hi all,
we will republish the docker container images based on received feedback and some lingering issues discovered:
- fts and fts flatcurve were wrongly configured
- SMTPUTF8 wasn't enabled
- containers used wrong directories for some runtime data
- it's possible to remove even more privileges by not listening on <1024 ports.
This will happen soon; this is just a heads-up so that people know to expect changes soon.
Here is a handy table for the protocol <-> port mapping to expect:
| Protocol | Port |
| ----------- | ----- |
| imap | 31143 |
| imaps | 31993 |
| pop3 | 31110 |
| pop3s | 31990 |
| submissions | 31465 |
| submission | 31587 |
| lmtps | 31024 |
| managesieve | 34190 |
| HTTP API | 8080 |
| Metrics | 9090 |
We wanted to do these changes still now to avoid harder upgrade path for 2.4.1.
Kind regards, Aki Tuomi Open-Xchange oy
Where are the sample configuration files now? I don't see them in the tarball.
-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: ler@lerctr.org US Mail: 13425 Ranch Road 620 N, Apt 718, Austin, TX 78717-1010
Hi!
There is a sample configuration file installed to /etc/dovecot during the installation process, based on doc/dovecot.conf.in.
The .ext.conf files are no longer needed as they are inlined into the configuration itself, and we decided to drop the conf.d example files. We still use some in debian/rhel packaging to enable certain protocols upon installation.
Aki
Can an old config be used with changes?
-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: ler@lerctr.org US Mail: 13425 Ranch Road 620 N, Apt 718, Austin, TX 78717-1010
Old config files can be used if they are suitably modified, but they will not work as-is.
Aki
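To make "suitably modified" concrete, here is a pre-upgrade lint that flags only the configuration changes named in the 2.4.0 NEWS earlier in this thread. It is an added example, not Dovecot's own tooling and not part of any message here: the function names and both sample files are constructed, and the version values in the 2.4-style sample are assumptions.

```shell
#!/bin/sh
# Added example: pre-upgrade lint for a Dovecot 2.3 config, covering only
# changes named in the 2.4.0 NEWS. Function names are hypothetical.

# Constructed 2.3-style sample (not a real deployment).
SAMPLE_23='# constructed 2.3-style dovecot.conf
auth_debug = yes
auth_worker_max_count = 30
ssl = required
login_trusted_networks = 10.0.0.0/8
passdb {
  driver = static
  args = password=secret
}
plugin {
  sieve = file:~/sieve
}'

# Constructed 2.4-style sample; the version values are assumptions.
SAMPLE_24='# constructed 2.4-style dovecot.conf
dovecot_config_version = 2.4.0
dovecot_storage_version = 2.4.0
passdb static {
  password = secret
}'

# lint_dovecot_conf: config text on stdin, one finding per line on stdout as
# "LINE: message" ("-" when the finding concerns the file as a whole).
lint_dovecot_conf() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ { next }
        !first_seen {
            first_seen = 1
            if (line !~ /^dovecot_config_version[ \t]*=/)
                print NR ": dovecot_config_version must be the first non-comment line"
        }
        line ~ /^dovecot_storage_version[ \t]*=/ { storage = 1 }
        line ~ /^plugin[ \t]*[{]/ { print NR ": plugin {} section has been removed" }
        line ~ /^(passdb|userdb)[ \t]*[{]/ {
            print NR ": all sections require a name, e.g. passdb static { ... }"
        }
        line ~ /^auth_worker_max_count[ \t]*=/ {
            print NR ": replaced by service auth-worker { process_limit }"
        }
        line ~ /^(auth_debug|mail_debug)[ \t]*=/ {
            print NR ": use the log_debug filter instead"
        }
        line ~ /^ssl[ \t]*=[ \t]*required$/ { ssl_required = 1 }
        line ~ /^login_trusted_networks[ \t]*=/ { trusted = 1 }
        END {
            if (!storage)
                print "-: dovecot_storage_version must be in the configuration file"
            if (ssl_required && trusted)
                print "-: ssl=required now also applies to login_trusted_networks"
        }
    '
}

# Number of findings for the config text on stdin.
count_findings() {
    lint_dovecot_conf | awk 'END { print NR }'
}

# Run as: sh lint.sh /etc/dovecot/dovecot.conf
if [ "$#" -eq 1 ]; then
    lint_dovecot_conf < "$1"
fi
```

The lint reads a single file and does not follow includes, so running `doveconf` from a 2.4 installation against the migrated file remains the authoritative check.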
On 24/01/2025 20:12 EET Larry Rosenman via dovecot <dovecot@dovecot.org> wrote:
can an old config be used with changes?
On Fri, Jan 24, 2025 at 12:04 PM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Hi!
There is a sample configuration file installed to /etc/dovecot during installation process, based on doc/dovecot.conf.in.
The .ext.conf files are no more needed as they are inlined into the configuration itself, and we decided to drop the conf.d example files. We still use some in debian/rhel packaging to enable certain protocols upon installation.
Aki
On 24/01/2025 19:58 EET Larry Rosenman via dovecot <dovecot@dovecot.org> wrote:
Where is the sample configuration files now? I don't see them in the tarball.
On Fri, Jan 24, 2025 at 4:44 AM Aki Tuomi via Dovecot-news < dovecot-news@dovecot.org> wrote:
Hi all,
after a very long wait we are finally happy to release Dovecot v2.4.0!
Some IMPORTANT things to notice:
- We have changed the signing key for 2.4 going forward, releases are signed with EF0882079FD4ED32BF8B23B2A1B09EF84EDC5219, which can be found at https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 and is signed with the previous key.
The old key has been renamed to https://repo.dovecot.org/DOVECOT-REPO-GPG-2.3.
New 2.4 packages **are not** compatible with old 2.3 configuration, please carefully review https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html before installing the new packages.
We are happy to provide experimental arm64 support in the form of a Docker image.
Docker images are now ran rootless, with UID 1000 as vmail using built sources. Please take this into consideration when upgrading. Latest 2.3 image can be used with tag 2.3-latest, if you are not ready for this change.
We won't be sending separate mail about Pigeonhole anymore as we will release one anyways when we release Dovecot, and Pigeonhole versioning has been changed to match Dovecot versioning.
Source codes available at
https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.0.tar.gz
https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.0.tar.gz....
Binary packages in https://repo.dovecot.org/ Docker images in https://hub.docker.com/r/dovecot/dovecot
Kind regards, Aki Tuomi Open-Xchange oy
Dovecot Core NEWS
- config: dovecot_config_version must be the first non-comment line in configuration file.
- config: dovecot_storage_version must be in the configuration file.
- config: Many configuration options have changed so old configuration files do not work without rewrite. See https://doc.dovecot.org/main/installation/upgrade/2.3-to-2.4.html
- config: New variable expansion syntax has been introduced, see https://doc.dovecot.org/main/core/settings/variables.html
- config: Some default settings have changed.
- config: plugin {} section has been removed.
- *-login: With ssl=required, connections from login_trusted_networks are now also required to be SSL/TLS encrypted.
- acl: Use ACL settings instead of Global ACL Directories.
- auth-worker: auth_worker_max_count is replaced with service auth-worker { process_limit }.
- auth: Weak password schemes are disabled by default, use auth_allow_weak_schemes to enable them.
- auth_debug, mail_debug: Use log_debug filter instead.
- config: All sections require a name, for example passdb/userdb: passdb static { password=secret }
- db2: Remove Berkeley DB support.
- dict-memcached: This is removed, use Redis instead.
- director: Feature has been removed. See potential replacement at https://github.com/dovecot/tools/blob/main/director.lua
- doveadm: USER environment variable is only supported with --no-userdb-lookup. One of -u, -F or -A must be used otherwise.
- doveconf: Option -n is now default when running doveconf.
- dsync: Use doveadm sync instead, legacy symlink has been removed.
- fs-sis: Feature is now deprecated and has been made read-only. It will be removed in future release.
- fts-lucene, fts-squat: These have been removed, use fts-flatcurve or fts-solr instead.
- imap-login: IMAP compression is now handled in proxies.
- imap_quota: SETQUOTA / quota_set has been removed.
- imap_zlib: This plugin is no longer needed, it's always enabled.
- imapc: All features are enabled by default, imapc_features can be used to explicitly disable features that are not wanted.
- lib-storage: mbox driver is now frozen.
- mail_compress: XZ and LZMA algorithm support has been removed.
- mailbox-alias: Plugin has been removed.
- old_stats, auth_stats: These have been removed.
- openssl: Minimum supported version of OpenSSL is now 1.1.1.
- openssl: Add support for OpenSSL 3.x
- quota-dict, quota-dirsize: These have been removed, use quota-count instead. You can use quota_clone to copy quota usage to some database.
- replicator: Feature has been removed. Use NFS or some other shared filesystem instead, or run doveadm sync in crontab.
- stats: The bytes_in and bytes_out field in several events have been renamed as net_in_bytes and net_out_bytes.
- zlib: Renamed to mail_compress plugin.
- Experimental SMTPUTF8 and IMAP UTF8=ACCEPT support has been added. Needs --enable-experimental-mail-utf8 configure option and mail_utf8_extensions=yes setting.
- Long running mail commands can be aborted with Ctrl-C / doveadm kick.
- auth: LDAP driver now supports multi-value attributes.
- auth: Add support for SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS.
- auth: Add support for TLS channel binding.
- auth: Support sending JA3 hash to policy server.
- configure: Detect latest Lua version.
- *-login: Support for TLS Server Name has been improved to allow pre-login settings. For example capabilities to be changed based on TLS Server Name.
- *-login: Support for TLS ALPN has been added, connections with mismatching application are now refused. Missing ALPN is accepted.
- fts-flatcurve: New Xapian based FTS plugin has been added.
- imap: Support for INPROGRESS untagged messages as per RFC 9585.
- lib-lua: Expose Dovecot DNS client.
- lib-lua: Expose Dovecot HTTP client.
- lib-sasl: Support SCRAM-SHA mechanisms.
- lmtp: SNI support has been added which allows settings to be applied based on TLS Server Name.
- sqlite: Support WAL mode.
- stats: Submetric name size has been increased.
- submission: Add submission_add_received_header setting to protect sender identity by suppressing the Received: header.
- Many bugs have been fixed.
Pigeonhole NEWS
- Change configuration syntax to match new Dovecot configuration syntax.
- vacation: Reduce default days to 60 from infinity
- vacation: vacation_max_period=0 is now an error.
- Version has been changed to match Dovecot version.
- Added i;unicode-casecmp comparator.
- Lots of bugs have been fixed.
-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: ler@lerctr.org US Mail: 13425 Ranch Road 620 N, Apt 718, Austin, TX 78717-1010
Then I have a bunch of work for the FreeBSD port :(
On Fri, Jan 24, 2025 at 12:23 PM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Old config files can be used if they are suitably modified, but they will not work as-is.
Aki
On 24/01/2025 20:12 EET Larry Rosenman via dovecot <dovecot@dovecot.org> wrote:
Can an old config be used with changes?
On Fri, Jan 24, 2025 at 12:04 PM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Hi!
There is a sample configuration file installed to /etc/dovecot during the installation process, based on doc/dovecot.conf.in.
The .ext.conf files are no longer needed as they are inlined into the configuration itself, and we decided to drop the conf.d example files. We still use some in debian/rhel packaging to enable certain protocols upon installation.
Aki
On 24/01/2025 19:58 EET Larry Rosenman via dovecot <dovecot@dovecot.org> wrote:
Where are the sample configuration files now? I don't see them in the tarball.
-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: ler@lerctr.org US Mail: 13425 Ranch Road 620 N, Apt 718, Austin, TX 78717-1010
On 01/24/2025 11:12 AM MST Larry Rosenman via dovecot <dovecot@dovecot.org> wrote:
Can an old config be used with changes?
https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html#configura...
michael
Any chance to get the old example configuration back with suitable 2.4 changes?
On Fri, Jan 24, 2025 at 12:25 PM Michael Slusarz <michael.slusarz@dovecotpro.com> wrote:
On 01/24/2025 11:12 AM MST Larry Rosenman via dovecot <dovecot@dovecot.org> wrote:
Can an old config be used with changes?
https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html#configura...
michael
-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: ler@lerctr.org US Mail: 13425 Ranch Road 620 N, Apt 718, Austin, TX 78717-1010
Hello,
I decided to go ahead and upgrade, and had to rollback (to 2.3.31), as, even though I took care of adapting my dovecot.conf and read the instructions for upgrading from 2.3 to 2.4, I got:
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 18: mail_location: Unknown setting: mail_location
which was wholly unexpected. The line has: mail_location = mdbox:/var/vmail/%d/%n
Even removing that line (and adding the default location to the userdb), I then got:
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 31: ssl_dh: Unknown setting: ssl_dh
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 31: ssl_dh: Unknown setting: ssl_dh
That line has: ssl_dh = </etc/dovecot/dh.pem
I'll double check, but I didn't see anything about mail_location or ssl_dh being unknown settings in 2.4.
Cheers, Bernardo
Hi!
Indeed the ssl settings were changed a bit last minute, and we forgot them from the upgrading page: see
https://doc.dovecot.org/2.4.0/core/summaries/settings.html#ssl_server
However:
mail_location setting & mail userdb field: Split into multiple mail_* settings.
is in the upgrading page.
See https://doc.dovecot.org/2.4.0/core/config/mailbox/mail_location.html#mail-lo...
Aki
On Fri, 24 Jan 2025, Aki Tuomi via dovecot wrote:
> Hi!
> Indeed the ssl settings were changed a bit last minute, and we forgot them from the upgrading page: see
> https://doc.dovecot.org/2.4.0/core/summaries/settings.html#ssl_server
OK, so I changed
    ssl = required
    ssl_dh = </etc/dovecot/dh.pem
    ssl_cert = </path/to/fullchain.pem
    ssl_key = </path/to/privkey.pem
    ssl_prefer_server_ciphers = yes
into
    ssl = required
    ssl_server_dh_file = /etc/dovecot/dh.pem
    ssl_server_cert_file = /path/to/fullchain.pem
    ssl_server_key_file = /path/to/privkey.pem
    ssl_server_prefer_ciphers = server
> However:
> mail_location setting & mail userdb field: Split into multiple mail_* settings.
> is in the upgrading page.
> See https://doc.dovecot.org/2.4.0/core/config/mailbox/mail_location.html#mail-lo...
It is in the documentation, but not in the "upgrading from 2.3 to 2.4" (https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html)
which alas is where/what I looked at, assuming that anything else would continue to work as in 2.3 (my mistake for not looking at the actual full documentation for 2.4.0).
So in my case I've replaced
    mail_location = mdbox:/var/vmail/%d/%n
with:
    mail_driver = mdbox
    mail_path = /var/vmail/%{domain}/%{username}
I hope that that's OK but will double and triple check when I have more time, and then do the removal-of-2.3-followed-by-install-of-2.4 again :)
Thanks! Bernardo
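The 2.3-to-2.4 breakages named in this thread and in the NEWS list can be checked before the packages are swapped. The following is an added example, not part of the thread and not Dovecot's own tooling: `lint_23_config` and both sample configs are constructed here, the `2.4.0` version values are an assumption, and the rule table covers only settings mentioned on this page.

```python
import re

# 2.3 settings that the NEWS list and the replies in this thread report as
# gone in 2.4, mapped to the replacement named on the page.
REPLACED = {
    "mail_location": "mail_driver + mail_path (split into mail_* settings)",
    "ssl_dh": "ssl_server_dh_file",
    "ssl_cert": "ssl_server_cert_file",
    "ssl_key": "ssl_server_key_file",
    "ssl_prefer_server_ciphers": "ssl_server_prefer_ciphers",
    "auth_debug": "log_debug filter",
    "mail_debug": "log_debug filter",
    "auth_worker_max_count": "service auth-worker { process_limit }",
}
NEEDS_NAME = {"passdb", "userdb"}  # NEWS example: passdb static { ... }

SETTING_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")
SECTION_RE = re.compile(r"^([A-Za-z_][\w-]*)\s*([^{=]*?)\s*\{")


def lint_23_config(text):
    """Return (line, subject, message) findings; line 0 means the whole file."""
    findings = []
    seen_first = False
    has_storage_version = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        setting = SETTING_RE.match(line)
        key = setting.group(1) if setting else None
        if not seen_first:
            # NEWS: dovecot_config_version must be the first non-comment line.
            seen_first = True
            if key != "dovecot_config_version":
                findings.append((lineno, "dovecot_config_version",
                                 "must be the first non-comment line"))
        if setting:
            value = setting.group(2)
            if key == "dovecot_storage_version":
                has_storage_version = True
            if key in REPLACED:
                hint = "unknown setting in 2.4, see " + REPLACED[key]
                if value.startswith("<"):
                    hint += " (the rewritten value in the thread has no '<')"
                findings.append((lineno, key, hint))
            # Any '%' that is neither '%%' nor the start of '%{...}' is an
            # old short variable such as %d or %n.
            if "%" in value.replace("%%", "").replace("%{", ""):
                findings.append((lineno, "variables",
                                 "short %-variable, review against the new "
                                 "variable expansion syntax"))
            continue
        section = SECTION_RE.match(line)
        if section:
            name, label = section.group(1), section.group(2)
            if name == "plugin":
                findings.append((lineno, "plugin",
                                 "plugin {} section has been removed"))
            elif name in NEEDS_NAME and not label:
                findings.append((lineno, name,
                                 "section requires a name, "
                                 "e.g. passdb static { ... }"))
    if not has_storage_version:
        findings.append((0, "dovecot_storage_version", "missing from the file"))
    return findings


# Constructed 2.3-style input, built from the lines quoted in the thread.
OLD_SAMPLE = """\
# constructed sample, 2.3 style
mail_location = mdbox:/var/vmail/%d/%n
ssl = required
ssl_dh = </etc/dovecot/dh.pem
ssl_cert = </path/to/fullchain.pem
ssl_key = </path/to/privkey.pem
ssl_prefer_server_ciphers = yes
passdb {
  driver = static
}
plugin {
}
"""

# Constructed 2.4-style input using the rewritten settings from the thread.
MIGRATED_SAMPLE = """\
# constructed sample, 2.4 style (version values are an assumption)
dovecot_config_version = 2.4.0
dovecot_storage_version = 2.4.0
ssl = required
ssl_server_dh_file = /etc/dovecot/dh.pem
ssl_server_cert_file = /path/to/fullchain.pem
ssl_server_key_file = /path/to/privkey.pem
ssl_server_prefer_ciphers = server
mail_driver = mdbox
mail_path = /var/vmail/%{domain}/%{username}
passdb static {
  password = secret
}
"""

if __name__ == "__main__":
    for lineno, subject, message in lint_23_config(OLD_SAMPLE):
        print(f"line {lineno}: {subject}: {message}")
```

An empty result only means none of the rules above fired; `doveconf` from the 2.4 packages remains the authoritative check.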
Aki
On 24/01/2025 21:04 EET Bernardo Reino via dovecot <dovecot@dovecot.org> wrote:
Hello,
I decided to go ahead and upgrade, and had to rollback (to 2.3.31), as, even though I took care of adapting my dovecot.conf and read the instructions for upgrading from 2.3 to 2.4, I got:
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 18: mail_location: Unknown setting: mail_location
which was wholly unexpected. The line has: mail_location = mdbox:/var/vmail/%d/%n
Even removing that line (and adding the default location to the userdb), I then got:
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 31: ssl_dh: Unknown setting: ssl_dh
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 31: ssl_dh: Unknown setting: ssl_dh
That line has: ssl_dh = </etc/dovecot/dh.pem
I'll double check, but I didn't see anything about mail_location or ssl_dh being unknown settings in 2.4.
Cheers, Bernardo
On Fri, 24 Jan 2025, Aki Tuomi via dovecot wrote:
Hi all,
after a very long wait we are finally happy to release Dovecot v2.4.0!
Some IMPORTANT things to notice:
- We have changed the signing key for 2.4 going forward, releases are signed with EF0882079FD4ED32BF8B23B2A1B09EF84EDC5219, which can be found at https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 and is signed with the previous key.
The old key has been renamed to https://repo.dovecot.org/DOVECOT-REPO-GPG-2.3.
New 2.4 packages **are not** compatible with old 2.3 configuration, please carefully review https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html before installing the new packages.
We are happy to provide experimental arm64 support in the form of a Docker image.
Docker images are now ran rootless, with UID 1000 as vmail using built sources. Please take this into consideration when upgrading. Latest 2.3 image can be used with tag 2.3-latest, if you are not ready for this change.
We won't be sending separate mail about Pigeonhole anymore as we will release one anyways when we release Dovecot, and Pigeonhole versioning has been changed to match Dovecot versioning.
Source codes available at
- https://www.dovecot.org/releases/2.4/dovecot-2.4.0.tar.gz
- https://www.dovecot.org/releases/2.4/dovecot-2.4.0.tar.gz.sig
- https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.0.tar.gz
- https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-2.4.0.tar.gz....
Binary packages in https://repo.dovecot.org/ Docker images in https://hub.docker.com/r/dovecot/dovecot
Kind regards, Aki Tuomi Open-Xchange oy
Dovecot Core NEWS
- config: dovecot_config_version must be the first non-comment line in configuration file.
- config: dovecot_storage_version must be in the configuration file.
- config: Many configuration options have changed so old configuration files do not work without rewrite. See https://doc.dovecot.org/main/installation/upgrade/2.3-to-2.4.html
- config: New variable expansion syntax has been introduced, see https://doc.dovecot.org/main/core/settings/variables.html
- config: Some default settings have changed.
- config: plugin {} section has been removed.
- *-login: With ssl=required, connections from login_trusted_networks are now also required to be SSL/TLS encrypted.
- acl: Use ACL settings instead of Global ACL Directories.
- auth-worker: auth_worker_max_count is replaced with service auth-worker { process_limit }.
- auth: Weak password schemes are disabled by default, use auth_allow_weak_schemes to enable them.
- auth_debug, mail_debug: Use log_debug filter instead.
- config: All sections require a name, for example passdb/userdb: passdb static { password=secret }
- db2: Remove Berkeley DB support.
- dict-memcached: This is removed, use Redis instead.
- director: Feature has been removed. See potential replacement at https://github.com/dovecot/tools/blob/main/director.lua
- doveadm: USER environment variable is only supported with --no-userdb-lookup. One of -u, -F or -A must be used otherwise.
- doveconf: Option -n is now default when running doveconf.
- dsync: Use doveadm sync instead, legacy symlink has been removed.
- fs-sis: Feature is now deprecated and has been made read-only. It will be removed in future release.
- fts-lucene, fts-squat: These have been removed, use fts-flatcurve or fts-solr instead.
- imap-login: IMAP compression is now handled in proxies.
- imap_quota: SETQUOTA / quota_set has been removed.
- imap_zlib: This plugin is no longer needed, it's always enabled.
- imapc: All features are enabled by default, imapc_features can be used to explicitly disable features that are not wanted.
- lib-storage: mbox driver is now frozen.
- mail_compress: XZ and LZMA algorithm support has been removed.
- mailbox-alias: Plugin has been removed.
- old_stats, auth_stats: These have been removed.
- openssl: Minimum supported version of OpenSSL is now 1.1.1.
- openssl: Add support for OpenSSL 3.x
- quota-dict, quota-dirsize: These have been removed, use quota-count instead. You can use quota_clone to copy quota usage to some database.
- replicator: Feature has been removed. Use NFS or some other shared filesystem instead, or run doveadm sync in crontab.
- stats: The bytes_in and bytes_out field in several events have been renamed as net_in_bytes and net_out_bytes.
- zlib: Renamed to mail_compress plugin.
- Experimental SMTPUTF8 and IMAP UTF8=ACCEPT support has been added. Needs --enable-experimental-mail-utf8 configure option and mail_utf8_extensions=yes setting.
- Long running mail commands can be aborted with Ctrl-C / doveadm kick.
- auth: LDAP driver now supports multi-value attributes.
- auth: Add support for SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS.
- auth: Add support for TLS channel binding.
- auth: Support sending JA3 hash to policy server.
- configure: Detect latest Lua version.
- *-login: Support for TLS Server Name has been improved to allow pre-login settings. For example capabilities to be changed based on TLS Server Name.
- *-login: Support for TLS ALPN has been added, connections with mismatching application are now refused. Missing ALPN is accepted.
- fts-flatcurve: New Xapian based FTS plugin has been added.
- imap: Support for INPROGRESS untagged messages as per RFC 9585.
- lib-lua: Expose Dovecot DNS client.
- lib-lua: Expose Dovecot HTTP client.
- lib-sasl: Support SCRAM-SHA mechanisms.
- lmtp: SNI support has been added which allows settings to be applied based on TLS Server Name.
- sqlite: Support WAL mode.
- stats: Submetric name size has been increased.
- submission: Add submission_add_received_header setting to protect sender identity by suppressing the Received: header.
- Many bugs have been fixed.
Pigeonhole NEWS
- Change configuration syntax to match new Dovecot configuration syntax.
- vacation: Reduce default days to 60 from infinity
- vacation: vacation_max_period=0 is now an error.
- Version has been changed to match Dovecot version.
- Added i;unicode-casecmp comparator.
- Lots of bugs have been fixed.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
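An added example, not part of the announcement or of Dovecot's tooling: one way to check a release tarball against the signing-key fingerprint given above, by parsing the machine-readable status lines gpg emits rather than trusting a "Good signature" message from whatever key happens to be in the keyring. The function names and the sample status lines are constructed for illustration, and the key from https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4 is assumed to be imported already.

```python
import subprocess

# Fingerprint of the 2.4 release key as published in the announcement above.
PINNED_FPR = "EF0882079FD4ED32BF8B23B2A1B09EF84EDC5219"

# gpg status keywords after which the signature must not be accepted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed status output (not captured from a real verification run).
OTHER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG A1B09EF84EDC5219 constructed-uid\n"
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2025-01-24 1737711720 0 4 0 1 10 00 {PINNED_FPR}\n"
)
STATUS_SUBKEY = (
    f"[GNUPG:] VALIDSIG {OTHER_FPR} 2025-01-24 1737711720 0 4 0 1 10 00 {PINNED_FPR}\n"
)
STATUS_OTHER_KEY = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 constructed-uid\n"
    f"[GNUPG:] VALIDSIG {OTHER_FPR} 2025-01-24 1737711720 0 4 0 1 10 00 {OTHER_FPR}\n"
)
STATUS_EXPIRED = (
    "[GNUPG:] EXPKEYSIG A1B09EF84EDC5219 constructed-uid\n"
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2025-01-24 1737711720 0 4 0 1 10 00 {PINNED_FPR}\n"
)


def check_status(status_text, pinned=PINNED_FPR):
    """Decide from gpg --status-fd output whether the pinned key signed.

    Returns (ok, reason). Every VALIDSIG line must name the pinned
    fingerprint, either as the signing key or as its primary key.
    """
    pinned = pinned.replace(" ", "").upper()
    valid = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in FATAL:
            return False, f"gpg reported {keyword}"
        if keyword == "VALIDSIG" and args:
            fprs = {args[0].upper()}          # key that made the signature
            if len(args) >= 10:
                fprs.add(args[9].upper())     # primary key fingerprint
            valid.append(fprs)
    if not valid:
        return False, "no valid signature found"
    if not all(pinned in fprs for fprs in valid):
        return False, "signed by a key other than the pinned one"
    return True, "valid signature from pinned key"


def verify_release(tarball, signature, keyring=None):
    """Run gpg on a detached signature and apply check_status to its output."""
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", signature, tarball]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return check_status(proc.stdout)


if __name__ == "__main__":
    for name, sample in [("good", STATUS_GOOD), ("subkey", STATUS_SUBKEY),
                         ("other key", STATUS_OTHER_KEY),
                         ("expired key", STATUS_EXPIRED)]:
        print(name, check_status(sample))
    # With the files downloaded:
    # print(verify_release("dovecot-2.4.0.tar.gz", "dovecot-2.4.0.tar.gz.sig"))
```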
Hi,
after a very long wait we are finally happy to release Dovecot v2.4.0!
while trying to upgrade to 2.4.0, I stumbled upon some issues:
The old config looked like this:
mail_location = mdbox:/data/mail/%u
passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
  default_fields = uid=vmail gid=vmail home=/data/mail/%u
}
So I thought the "mapped" version should fit:
mail_driver = mdbox
mail_path = /data/mail/%{user}
passdb passwd-file {
  auth_username_format = %{user}
  passwd_file_path = /etc/dovecot/users
}
userdb passwd-file {
  auth_username_format = %{user}
  passwd_file_path = /etc/dovecot/users
  fields {
    gid:default = vmail
    home:default = /data/mail/%{user}
    uid:default = vmail
  }
}
But lmtp doesn't find the user until I set auth_username_format = %{user | username}
But then it tries to store the new mail in /data/mail/user@fqdn though "home:default = /data/mail/%{user}" is set.
Besides that,
sieve_script personal {
  active_path = /data/mail/%{user}/dovecot.sieve
  driver = file
  path = = /data/mail/%{user}/sieve
}
throws "sieve_file_storage settings: Failed to parse configuration: Failed to expand sieve_script_path setting variables: Unknown variable 'user'"
Regards Bjoern
On 24. Jan 2025, at 23.21, Bjoern Franke via dovecot <dovecot@dovecot.org> wrote:
Hi,
after a very long wait we are finally happy to release Dovecot v2.4.0!
while trying to upgrade to 2.4.0, I stumbled upon some issues:
The old config looked like this:
mail_location = mdbox:/data/mail/%u
passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
  default_fields = uid=vmail gid=vmail home=/data/mail/%u
}
So I thought the "mapped" version should fit:
mail_driver = mdbox
mail_path = /data/mail/%{user}
passdb passwd-file {
  auth_username_format = %{user}
  passwd_file_path = /etc/dovecot/users
}
userdb passwd-file {
  auth_username_format = %{user}
  passwd_file_path = /etc/dovecot/users
  fields {
    gid:default = vmail
    home:default = /data/mail/%{user}
    uid:default = vmail
  }
}
Looks ok..
But lmtp doesn't find the user until I set auth_username_format = %{user | username}
Did you have auth_username_format set already in old config? The default also has | lower to make it lowercase, which you probably want to keep.
But then it tries to store the new mail in /data/mail/user@fqdn though "home:default = /data/mail/%{user}" is set.
I can't reproduce this. If I have auth_username_format = %{user | username} then home:default = /data/mail/%{user}" expands to username without the @domain. Does it also contain the @domain if you run "doveadm user user@fqdn"?
Besides that,
sieve_script personal {
  active_path = /data/mail/%{user}/dovecot.sieve
  driver = file
  path = = /data/mail/%{user}/sieve
Is there an extra = here or just copy&paste mistake?
} throws "sieve_file_storage settings: Failed to parse configuration: Failed to expand sieve_script_path setting variables: Unknown variable 'user'"
What's the full error / which process is logging this? We have CI tests successfully using %{user} in sieve_script_path, so it can't be entirely broken.
On 24. Jan 2025, at 23.49, Timo Sirainen <timo@sirainen.com> wrote:
But lmtp doesn't find the user until I set auth_username_format = %{user | username}
Did you have auth_username_format set already in old config? The default also has | lower to make it lowercase, which you probably want to keep.
But then it tries to store the new mail in /data/mail/user@fqdn though "home:default = /data/mail/%{user}" is set.
I can't reproduce this. If I have auth_username_format = %{user | username} then home:default = /data/mail/%{user}" expands to username without the @domain. Does it also contain the @domain if you run "doveadm user user@fqdn"?
Oh, should clarify these. I was talking about global auth_username_format setting. With that it behaves as expected. But if you set it only inside passdb {} or userdb {} then it affects only the lookup user (i.e. lookup "user", not "user@domain" in passwd-file), but not the %{user} variable (it will contain "user@domain"). This behavior is intentional, but I wonder if it could be documented better somewhere.
Hi Timo,
Timo Sirainen wrote:
Oh, should clarify these. I was talking about global auth_username_format setting. With that it behaves as expected. But if you set it only inside passdb {} or userdb {} then it affects only the lookup user (i.e. lookup "user", not "user@domain" in passwd-file), but not the %{user} variable (it will contain "user@domain"). This behavior is intentional, but I wonder if it could be documented better somewhere.
Indeed I can confirm that the documentation on this subject is... optimizable.
Actually, back when I was going through the Dovecot docs for the first time, I found it utterly confusing and chaotic. It's very detailed, which is great, but for first time readers it kind of lacks an "entry point" - a place that says "This is how Dovecot is structured, this is what you have to know first, then probably this is the second thing you'll need...". Once you get used to it, you're able to navigate around and find what you need, but back then it took me like 2 full days to be able to even read (and understand) the sample config. Having it scattered over a dozen files doesn't help, either. </rant>
Back to the topic of the username format: Due to the above reasons, I didn't even know there was a global "auth_username_format" setting. I always used the per-passdb/userdb, because this is what the (pre-2.4) documentation on "passwd-file" says. And yes, I found out the hard way that setting this to "%n" changes the username just for the purpose of the lookup, but afterwards it remains user@domain. My workaround currently is to use a "default_fields = user=%n" in the userdb definition, which then persists for the remainder of the session.
So my question is: Is this the "right way" to do things, or is it better to use the global "auth_username_format" ? On a broader level, the problem I'm facing (and I can't imagine I'm the only one) is that I'd like to achieve the following behavior:
Authenticate users with plain "username", and NOT accept "user@domain" style usernames. This is the reason I'm currently not using "username_format" in the passdb definition, since this would basically allow logging in with arbitrary user@anydomain, as long as the username part exists. I'm guessing this is not what most people using plain usernames want.
When receiving incoming mail via LMTP, validate the recipient addresses, ideally using the SAME userdb that is used for authentication/login, but accept the mail only if the address is on the "correct" domain. The docs suggest using a second userdb definition (referring to the same source user data like SQL, or passwd-file or whatever) and setting "username_format = %n" there. The problem here is that, again, this would accept any arbitrary recipient address having a valid username part. So user@correctdomain and user@anyrandomdomain would be happily delivered to the same inbox. Currently, the only thing that prevents this from happening (at least in my setup) is that Postfix is configured to only accept @correctdomain mails, and reject all others. However, it would be much better - and safer - to be able to configure this within Dovecot, and not rely on external software.
2.1. There is an almost-workaround for this, using the "username_filter" parameter which allows wildcards like "*@domain" and would fail if the user doesn't match the correct domain. Regrettably, this is only supported for passdb definitions, but not for userdb's. However, LMTP and LDA validate incoming mail addresses against the userdb only, and don't perform a passdb lookup.
2.2 The only real solution I can think of is having a separate userdb for incoming mail validation (i.e. not same as the one used for login purposes) where you explicitly list all valid email addresses as user@domain, and use the (default) username_format of "%Lu". This looks like a support nightmare - you have to redundantly manage your users in two separate places, not to mention having the same "@domain" string repeated hundreds of times (and prone to typos, etc.).
Is there a more "elegant" way to achieve the above behavior (which to me seems like the most basic setup), without using dirty hacks and workarounds? Am I missing something?
Thanks! Mike
P.S. Maybe this is better placed in a separate thread, since it's kind of off-topic to the 2.4 release, but I thought I'd take the opportunity since your remark on the difference between global vs. per-userdb username_format was new to me.
On 26. Jan 2025, at 18.39, subscriptions--- via dovecot <dovecot@dovecot.org> wrote:
Hi Timo,
Timo Sirainen wrote:
Oh, should clarify these. I was talking about global auth_username_format setting. With that it behaves as expected. But if you set it only inside passdb {} or userdb {} then it affects only the lookup user (i.e. lookup "user", not "user@domain" in passwd-file), but not the %{user} variable (it will contain "user@domain"). This behavior is intentional, but I wonder if it could be documented better somewhere.
Indeed I can confirm that the documentation on this subject is... optimizable.
Actually, back when I was going through the Dovecot docs for the first time, I found it utterly confusing and chaotic. It's very detailed, which is great, but for first time readers it kind of lacks an "entry point" - a place that says "This is how Dovecot is structured, this is what you have to know first, then probably this is the second thing you'll need...".
We have a new documentation structure, but I don't know if it's any better regarding that. For some reason people aren't super interested in spending much time on writing documentation. :)
Once you get used to it, you're able to navigate around and find what you need, but back then it took me like 2 full days to be able to even read (and understand) the sample config. Having it scattered over a dozen files doesn't help, either.
Well, the multiple files are gone now. And all settings are available in a single page in web documentation.
Back to the topic of the username format: Due to the above reasons, I didn't even know there was a global "auth_username_format" setting.
One big idea behind v2.4 config rewrite is that now all settings are global settings. You can add any setting inside any filter { .. } section, although it might get just ignored there.
I always used the per-passdb/userdb, because this is what the (pre-2.4) documentation on "passwd-file" says. And yes, I found out the hard way that setting this to "%n" changes the username just for the purpose of the lookup, but afterwards it remains user@domain. My workaround currently is to use a "default_fields = user=%n" in the userdb definition, which then persists for the remainder of the session.
I updated the documentation now for auth_username_format in https://github.com/dovecot/documentation/pull/1148
So my question is: Is this the "right way" to do things, or is it better to use the global "auth_username_format" ? On a broader level, the problem I'm facing (and I can't imagine I'm the only one) is that I'd like to achieve the following behavior:
Authenticate users with plain "username", and NOT accept "user@domain" style usernames. This is the reason I'm currently not using "username_format" in the passdb definition, since this would basically allow logging in with arbitrary user@anydomain, as long as the username part exists. I'm guessing this is not what most people using plain usernames want.
When receiving incoming mail via LMTP, validate the recipient addresses, ideally using the SAME userdb that is used for authentication/login, but accept the mail only if the address is on the "correct" domain. The docs suggest using a second userdb definition (referring to the same source user data like SQL, or passwd-file or whatever) and setting "username_format = %n" there. The problem here is that, again, this would accept any arbitrary recipient address having a valid username part. So user@correctdomain and user@anyrandomdomain would be happily delivered to the same inbox. Currently, the only thing that prevents this from happening (at least in my setup) is that Postfix is configured to only accept @correctdomain mails, and reject all others. However, it would be much better - and safer - to be able to configure this within Dovecot, and not rely on external software.
2.1. There is an almost-workaround for this, using the "username_filter" parameter which allows wildcards like "*@domain" and would fail if the user doesn't match the correct domain. Regrettably, this is only supported for passdb definitions, but not for userdb's. However, LMTP and LDA validate incoming mail addresses against the userdb only, and don't perform a passdb lookup.
2.2 The only real solution I can think of is having a separate userdb for incoming mail validation (i.e. not same as the one used for login purposes) where you explicitly list all valid email addresses as user@domain, and use the (default) username_format of "%Lu". This looks like a support nightmare - you have to redundantly manage your users in two separate places, not to mention having the same "@domain" string repeated hundreds of times (and prone to typos, etc.).
Is there a more "elegant" way to achieve the above behavior (which to me seems like the most basic setup), without using dirty hacks and workarounds? Am I missing something?
How about your passdb/userdb contains only user@example.com, and then you set auth_default_domain=example.com?
Another possibility could be to add a new userdb before the real one, which drops the domain for valid domains:
userdb drop-domain {
  driver = passwd-file
  passwd_file_path = /etc/dovecot/valid-domains
  result_success = continue
  fields {
    user = %{user | username}
  }
}
valid-domains file would just list all valid domains, one per line
Yet another possibility could be to use %{if} to drop the domain in the existing userdb passwd-file { auth_username_format }
Timo Sirainen wrote:
We have a new documentation structure, but I don't know if it's any better regarding that. For some reason people aren't super interested in spending much time on writing documentation. :)
Well, I'd be willing to do that - unfortunately not regularly, as Dovecot is not my day job, but at least when I stumble upon something that takes me hours debugging/analyzing/understanding, then it's not much of a deal to document what you just found out. Actually in such situations I sometimes make my own notes, in case I need it in future. Writing it down usually makes you understand it even better (or realize that you still don't quite get it...). So then I'd just have to commit/post somewhere what I wrote anyway.
One big idea behind v2.4 config rewrite is that now all settings are global settings. You can add any setting inside any filter { .. } section, although it might get just ignored there.
That's a good idea, although in the short term it's a bit confusing when you're used to the old way of doing things. At least now it's more systematic, and makes userdb/passdb and other section-style settings behave like filters, similar to protocol/local/remote, etc. That's another thing I found confusing at the beginning, that the section syntax is used for like 5 different things, depending on context.
How about your passdb/userdb contains only user@example.com, and then you set auth_default_domain=example.com?
Somehow I always thought the "auth_default_realm" (as it was called before) was only for NTLM/GSSAPI authentications, probably due to the word "realm". Didn't realize it leads to appending @domain for passwd-file authentication. Another example where the new name of the config parameter in 2.4 makes it more intuitive - thumbs up.
Yes, that would be one possible solution in my case. It does mean that the "@domain" has to be repeated in every single line in the passwd-file, but at least you can reuse the same file for authentication and LMTP recipient validation, which eliminates maintaining two separate user lists.
Another possibility could be to add a new userdb before the real one, which drops the domain for valid domains:
userdb drop-domain {
  driver = passwd-file
  passwd_file_path = /etc/dovecot/valid-domains
  result_success = continue
  fields {
    user = %{user | username}
  }
}
valid-domains file would just list all valid domains, one per line
If I'm understanding your idea correctly, you'd also need "auth_username_format = %{user | domain}" (or "username_format = %d" in the old syntax), right? Also, I'd change "result_success" to "continue-fail", because otherwise the overall userdb result will be successful even if the next userdb (containing the actual users) does NOT find the user. This means that anyrandomuser@correctdomain would validate. Probably we also need "result_failure = return-fail" in order to abort searching if the domain is not found.
I'm still not quite sure about the new "fields" section - does this replace the old "default_fields" or "override_fields" or both? In the above example, does user rename (dropping the domain part) get executed only if the userdb is successful or always? If it's always executed, then we definitely need "result_failure = return-fail".
But thanks a lot for the pointers! I'll play around with these and see which one works best for me.
Yet another possibility could be to use %{if} to drop the domain in the existing userdb passwd-file { auth_username_format }
Another very good idea, actually the simplest one to implement, although probably not the most efficient runtime-wise. (Does that if-expression get re-parsed for every lookup or only once at config load time?)
Again, very valuable input, thank you Timo!
Regards, Mike
On 27. Jan 2025, at 19.30, Mike Panev via dovecot <dovecot@dovecot.org> wrote:
Timo Sirainen wrote:
We have a new documentation structure, but I don't know if it's any better regarding that. For some reason people aren't super interested in spending much time on writing documentation. :)
Well, I'd be willing to do that - unfortunately not regularly, as Dovecot is not my day job, but at least when I stumble upon something that takes me hours debugging/analyzing/understanding, then it's not much of a deal to document what you just found out. Actually in such situations I sometimes make my own notes, in case I need it in future. Writing it down usually makes you understand it even better (or realize that you still don't quite get it...). So then I'd just have to commit/post somewhere what I wrote anyway.
Our documentation is written using github pull requests, so anybody can easily do changes as little or as much as wanted. https://github.com/dovecot/documentation/
Another possibility could be to add a new userdb before the real one, which drops the domain for valid domains:
userdb drop-domain {
  driver = passwd-file
  passwd_file_path = /etc/dovecot/valid-domains
  result_success = continue
  fields {
    user = %{user | username}
  }
}
valid-domains file would just list all valid domains, one per line
If I'm understanding your idea correctly, you'd also need "auth_username_format = %{user | domain}" (or "username_format = %d" in the old syntax), right?
Right.
Also, I'd change "result_success" to "continue-fail", because otherwise the overall userdb result will be successful even if the next userdb (containing the actual users) does NOT find the user. This means that anyrandomuser@correctdomain would validate.
Yes, either that or I think fields { noauthenticate = yes } would also work.
Probably we also need "result_failure = return-fail" in order to abort searching if the domain is not found.
Then it would need to be inside protocol lmtp {} or otherwise IMAP auths without domains would fail.
I'm still not quite sure about the new "fields" section - does this replace the old "default_fields" or "override_fields" or both? In the above example, does user rename (dropping the domain part) get executed only if the userdb is successful or always? If it's always executed, then we definitely need "result_failure = return-fail".
fields replaces them all. In passwd-file case its behavior is closer to override_fields. As with v2.3, unsuccessful passdb/userdb lookups don't preserve any extra fields (except I think there are some special case exceptions). So user is only changed on successful lookup.
Yet another possibility could be to use %{if} to drop the domain in the existing userdb passwd-file { auth_username_format }
Another very good idea, actually the simplest one to implement, although probably not the most efficient runtime-wise. (Does that if-expression get re-parsed for every lookup or only once at config load time?)
Variable parsing is now done once by config process and exported in a bit more optimized way to the binary config file. The importing is done then multiple times. Anyway, even if it was parsed multiple times, it would be fast enough not to make any noticeable difference here.
Timo Sirainen wrote:
Our documentation is written using github pull requests, so anybody can easily do changes as little or as much as wanted. https://github.com/dovecot/documentation/
I know, but I assumed only a limited (pre-approved) list of contributors can commit patches, that's why to be honest, I never cared to do a research on your "contributing policy"... which is *presumably* also documented somewhere :-)
Yes, either that or I think fields { noauthenticate = yes } would also work.
I thought noauthenticate refers only to passdb's? To my understanding the effect of this is to just apply any passdb extra fields - notably, even if the password doesn't match - and then do the actual authentication in the following passdbs.
What would be the effect of noauthenticate on a userdb?
Then it would need to be inside protocol lmtp {} or otherwise IMAP auths without domains would fail.
Great, yet another new thing for me - never thought that user/passdb's can be inside filter sections! Does the filtering preserve the cascading order? That is, does this work (pseudo code):
passdb passwd-file-without-domains
protocol lmtp {
  userdb drop-domain-for-valid-domains
}
userdb same-passwd-file-as-passdb
Or do we need this:
protocol imap {
  passdb passwd-file-without-domains
  userdb prefetch-reuse-the-above
}
protocol lmtp {
  userdb drop-domain-for-valid-domains
  userdb passwd-file-without-domains
}
I'd argue that parts of this discussion are actually valuable enough (for a non-trivial amount of people) to make it into the documentation...
On 28. Jan 2025, at 0.35, Mike Panev via dovecot <dovecot@dovecot.org> wrote:
Timo Sirainen wrote:
Our documentation is written using github pull requests, so anybody can easily do changes as little or as much as wanted. https://github.com/dovecot/documentation/
I know, but I assumed only a limited (pre-approved) list of contributors can commit patches,
Anyone can create pull requests, but only a few people can actually merge them.
that's why to be honest, I never cared to do a research on your "contributing policy"... which is *presumably* also documented somewhere :-)
Well, we have a https://doc.dovecot.org/2.4.0/license.html page, but I guess we don't more clearly document contributions. Maybe because there haven't really been many lately. But since there is nothing, I think it means simply you keep the copyright but accept that it's licensed with this license.
Yes, either that or I think fields { noauthenticate = yes } would also work.
I thought noauthenticate refers only to passdb's? To my understanding the effect of this is to just apply any passdb extra fields - notably, even if the password doesn't match - and then do the actual authentication in the following passdbs.
Right, I somehow kept thinking about passdbs only.
Then it would need to be inside protocol lmtp {} or otherwise IMAP auths without domains would fail.
Great, yet another new thing for me - never thought that user/passdb's can be inside filter sections! Does the filtering preserve the cascading order?
Updated documentation for that: https://github.com/dovecot/documentation/pull/1151
That is, does this work (pseudo code):
passdb passwd-file-without-domains
protocol lmtp {
  userdb drop-domain-for-valid-domains
}
userdb same-passwd-file-as-passdb
This should work, because protocol lmtp-specific userdb is run before the global one. Regardless of in which order they are in config file.
On 24. Jan 2025, at 23.53, Timo Sirainen via dovecot <dovecot@dovecot.org> wrote:
On 24. Jan 2025, at 23.49, Timo Sirainen <timo@sirainen.com> wrote:
But lmtp doesn't find the user until I set auth_username_format = %{user | username}
Did you have auth_username_format set already in old config? The default also has | lower to make it lowercase, which you probably want to keep.
But then it tries to store the new mail in /data/mail/user@fqdn though "home:default = /data/mail/%{user}" is set.
I can't reproduce this. If I have auth_username_format = %{user | username} then home:default = /data/mail/%{user}" expands to username without the @domain. Does it also contain the @domain if you run "doveadm user user@fqdn"?
Oh, should clarify these. I was talking about global auth_username_format setting. With that it behaves as expected. But if you set it only inside passdb {} or userdb {} then it affects only the lookup user (i.e. lookup "user", not "user@domain" in passwd-file), but not the %{user} variable (it will contain "user@domain"). This behavior is intentional, but I wonder if it could be documented better somewhere.
Actually, it's not working at all how I thought it would. The global auth_username_format works as expected. However, using it inside passdb or userdb works only with passwd-file driver, where the username lookup is changed but it won't affect %{user}. For anything else the setting is just ignored. Perhaps this will change in the future, but for now I'll just update documentation. It's not really a problem for other passdbs/userdbs anyway.
Hi Timo,
thanks for your hints!
Did you have auth_username_format set already in old config? The default also has | lower to make it lowercase, which you probably want to keep.
The global one was %n in the old config, seems like I accidentally deleted it instead of putting "%{user | username}" there.
I can't reproduce this. If I have auth_username_format = %{user | username} then home:default = /data/mail/%{user}" expands to username without the @domain. Does it also contain the @domain if you run "doveadm user user@fqdn"?
After setting the global one it works now as expected, /data/mail/%{user} gets correctly expanded.
Is there an extra = here or just copy&paste mistake?
The mistake was also within the config, after fixing it it works now. Maybe an error should be thrown when a mistake like "= =" appears?
And I stumbled upon another thing: What would be the correct version of
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
for 2.4?
https://doc.dovecot.org/2.4.0/core/summaries/settings.html#sieve_script_caus... mentions a script cause, but I didn't find any setting for the mailbox_name.
Regards Bjoern
Hi,
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
for 2.4?
Putting
sieve_script junk {
  type = before
  cause = copy
  driver = file
  path = /data/mail/sieve/report-spam.sieve
}
into the mailbox configuration solved it.
Regards Bjoern
On 25. Jan 2025, at 0.20, Bjoern Franke via dovecot <dovecot@dovecot.org> wrote:
Is there an extra = here or just copy&paste mistake?
The mistake was also within the config, after fixing it it works now. Maybe an error should be thrown when a mistake like "= =" appears?
Maybe the value intentionally begins with "= ", in which case that would need to have some way of being written. Doesn't seem like a common enough of a problem to add extra complexity.
And I stumbled upon another thing: What would be the correct version of
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
for 2.4?
https://doc.dovecot.org/2.4.0/core/summaries/settings.html#sieve_script_caus... mentions a script cause, but I didn't find any setting for the mailbox_name.
mailbox Junk {
  sieve_script before {
    type = before
    cause = COPY
    path = /usr/lib/dovecot/sieve/report-spam.sieve
  }
}
Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
after a very long wait we are finally happy to release Dovecot v2.4.0!
Will there be security fixes/patches for dovecot-2.3.21.1 in the future?
Background: As replication has been removed, I would love to remain with v2.3.21.1 ...
Regards, Michael
Dear Aki Tuomi, and other Dovecot team members,
Thanks for this new Dovecot version, the 2.4.0 release build! :)
But there is a big problem, this version has announced with:
- SCRAM-SHA-X-PLUS support with X = 1 / 256.
- TLS Channel Binding
But when I look the source code, it is not supported:
- https://github.com/search?q=org%3Adovecot+scram-sha-1-plus&type=code
- https://github.com/search?q=org%3Adovecot+scram-sha-256-plus&type=code
- https://github.com/search?q=org%3Adovecot+scram-sha-256&type=code
- https://github.com/search?q=org%3Adovecot+scram-sha-1&type=code
- https://github.com/search?q=org%3Adovecot+TLS+channel+binding&type=code
TLS Channel Binding (RFC5929 + RFC9266):
- tls-unique for TLS =< 1.2
- tls-server-end-point =< 1.2 + 1.3
- tls-exporter for TLS = 1.3
It is for this, I have sent a message about SCRAM-SHA-X-PLUS support this 2025-01-04 with my wishes here:
It has been started by Stephan Bosch (thanks) but no news since more one year:
It is possible to create a 2.4.1 with the support fix?
Thanks in advance.
Regards,
Neustradamus
On 25. Jan 2025, at 13.27, * Neustradamus * via dovecot <dovecot@dovecot.org> wrote:
But there is a big problem, this version has announced with:
- SCRAM-SHA-X-PLUS support with X = 1 / 256.
- TLS Channel Binding
But when I look the source code, it is not supported:
- https://github.com/search?q=org%3Adovecot+scram-sha-1-plus&type=code
- https://github.com/search?q=org%3Adovecot+scram-sha-256-plus&type=code
- https://github.com/search?q=org%3Adovecot+scram-sha-256&type=code
- https://github.com/search?q=org%3Adovecot+scram-sha-1&type=code
- https://github.com/search?q=org%3Adovecot+TLS+channel+binding&type=code
The code is here: https://github.com/dovecot/core/blob/release-2.4.0/src/auth/mech-scram.c
It has been started by Stephan Bosch (thanks) but no news since more one year:
It's not in the main branch yet, only in release-2.4.0 branch. It'll eventually be merged into main, but not quite yet.
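The channel-binding types listed earlier in this exchange all end up in the same place in SCRAM-SHA-256-PLUS: the `c=` attribute that the client signs. The following is an added example (not code from Dovecot or from this thread) that follows the RFC 5802 message layout and shows that a proof computed over one TLS connection does not verify on another. The user name, password, nonces and the 32-byte channel-binding values are constructed; real binding data would come from the TLS stack.

```python
"""SCRAM-SHA-256-PLUS client proof with TLS channel binding (RFC 5802 layout)."""
import base64
import hashlib
import hmac
import os

GS2_HEADER = "p=tls-exporter,,"  # client requires binding of type tls-exporter


def _h(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _attrs(message):
    # "r=abc,s=def,i=4096" -> {"r": "abc", "s": "def", "i": "4096"}
    return dict(part.split("=", 1) for part in message.split(","))


def make_stored_key(password, salt, iterations):
    """StoredKey = H(HMAC(SaltedPassword, "Client Key")); what the server keeps."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hashlib.sha256(_h(salted, b"Client Key")).digest()


def client_final(password, cbind_data, first_bare, server_first):
    """Build client-final-message; cbind_data comes from the client's TLS session."""
    s = _attrs(server_first)
    salted = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(s["s"]), int(s["i"]))
    cbind_input = base64.b64encode(GS2_HEADER.encode() + cbind_data).decode()
    without_proof = f"c={cbind_input},r={s['r']}"
    auth_message = f"{first_bare},{server_first},{without_proof}".encode()
    client_key = _h(salted, b"Client Key")
    signature = _h(hashlib.sha256(client_key).digest(), auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    return f"{without_proof},p={base64.b64encode(proof).decode()}"


def server_verify(stored_key, cbind_data, first_bare, server_first, final):
    """Verify the proof; cbind_data comes from the server's own TLS session."""
    without_proof, _, proof_b64 = final.rpartition(",p=")
    got = _attrs(without_proof)
    expected_c = base64.b64encode(GS2_HEADER.encode() + cbind_data).decode()
    if not hmac.compare_digest(got["c"], expected_c):
        return False  # client authenticated over a different TLS channel
    if got["r"] != _attrs(server_first)["r"]:
        return False  # nonce does not belong to this exchange
    auth_message = f"{first_bare},{server_first},{without_proof}".encode()
    signature = _h(stored_key, auth_message)
    client_key = bytes(
        a ^ b for a, b in zip(base64.b64decode(proof_b64), signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


def demo():
    # All values below are constructed for the example.
    password, salt, iterations = "correct horse", os.urandom(16), 4096
    stored_key = make_stored_key(password, salt, iterations)
    cnonce = base64.b64encode(os.urandom(18)).decode()
    snonce = base64.b64encode(os.urandom(18)).decode()
    first_bare = f"n=user,r={cnonce}"
    server_first = (
        f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},i={iterations}")
    server_channel = os.urandom(32)  # stand-in for the server's tls-exporter value
    other_channel = os.urandom(32)   # a different TLS connection

    same = client_final(password, server_channel, first_bare, server_first)
    other = client_final(password, other_channel, first_bare, server_first)
    # c= replaced with the value the server expects, proof left unchanged:
    # the proof covers c=, so the signature check fails instead.
    expected_c = base64.b64encode(GS2_HEADER.encode() + server_channel).decode()
    rewritten = f"c={expected_c},r={cnonce}{snonce},p={other.rpartition(',p=')[2]}"

    def check(final):
        return server_verify(
            stored_key, server_channel, first_bare, server_first, final)

    return {
        "same_channel": check(same),
        "other_channel": check(other),
        "rewritten_c": check(rewritten),
    }


if __name__ == "__main__":
    print(demo())
```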
Thanks Timo Sirainen for your e-mail!
With your answer, I have discovered a BIG problem. It is really strange to have a new branch and main (formerly master) -> it is not good! Why the main branch is not used correctly?
The main branch must be up-to-date with current 2.4.x. An old 2.3.x branch for old stable code. An old 2.2.x branch too. Etc.
One branch -> several tags, help for tagging:
Can you solve all and remove all bad branches?
Thanks in advance.
Regards,
Neustradamus
Hi!
This will be fixed a bit later due to technical reasons. It's not a big problem, in the end.
Aki
On 26/01/2025 21:16 EET * Neustradamus * via dovecot <dovecot@dovecot.org> wrote:
Thanks Timo Sirainen for your e-mail!
With your answer, I have discovered a BIG problem. It is really strange to have a new branch and main (formerly master) -> it is not good! Why the main branch is not used correctly?
The main branch must be up-to-date with current 2.4.x. An old 2.3.x branch for old stable code. An old 2.2.x branch too. Etc.
One branch -> several tags, help for tagging:
- https://git-scm.com/book/en/v2/Git-Basics-Tagging
Can you solve all and remove all bad branches?
- https://github.com/dovecot/core/branches/all
Thanks in advance.
Regards,
Neustradamus
Test building 2.4 I see the last commit to the SSL code before the release went out broke building with LibreSSL..
https://github.com/dovecot/core/commit/77d50a6b5e75796896e8e5b437783a9949790...
CC iostream-openssl.lo
iostream-openssl.c:756:55: warning: unused parameter 'ssl_io' [-Wunused-parameter]
openssl_iostream_get_compression(struct ssl_iostream *ssl_io)
^
iostream-openssl.c:893:4: error: use of undeclared identifier 'SSL_OP_NO_RENEGOTIATION'
SSL_OP_NO_RENEGOTIATION)) {
^
1 warning and 1 error generated.
On 25. Jan 2025, at 22.29, Brad Smith via dovecot <dovecot@dovecot.org> wrote:
Test building 2.4 I see the last commit to the SSL code before the release went out broke building with LibreSSL..
https://github.com/dovecot/core/commit/77d50a6b5e75796896e8e5b437783a9949790...
CC iostream-openssl.lo
iostream-openssl.c:756:55: warning: unused parameter 'ssl_io' [-Wunused-parameter]
openssl_iostream_get_compression(struct ssl_iostream *ssl_io)
^
iostream-openssl.c:893:4: error: use of undeclared identifier 'SSL_OP_NO_RENEGOTIATION'
SSL_OP_NO_RENEGOTIATION)) {
Well, the question is then whether LibreSSL does renegotiation always or never with <TLSv1.3? That determines whether we disable channel binding entirely with LibreSSL + <TLSv1.3 or always allow it.
Hi,
Mine is a very simple, personal installation of dovecot-2.3.21.1_1 running on FreeBSD 14.2. However, while my current config works as intended, I'm far from being an expert.
I've been through my current dovecot.conf looking for things that need to be changed for a future upgrade to 2.4. Some things appear to be relatively painless.
For example: Change all occurrences of %u to %{user}
Replace "disable_plaintext_auth = no" with "auth_allow_cleartext = yes"
userdb and passdb being given names - e.g.,
from:
userdb {
args = username_format=%u /usr/local/etc/dovecot/users
driver = passwd-file
}
to:
userdb users {
args = auth_username_format=%{user} /usr/local/etc/dovecot/users
driver = passwd-file
}
Where I'm confused is the replacement of mail_location. Currently this is:
mail_location = maildir:/var/mail/users/%u
Should this be changed to:
mail_driver = maildir
mail_path = /var/mail/users/%{user}
Hope I have given enough information. Thanks for any help provided.
BTW, while researching, I think I found a small typo here: https://doc.dovecot.org/2.4.0/core/config/users/virtual.html#usernames-and-d... Second para: "domain%{user}ser"
-- Best regards, PhilB
On 26. Jan 2025, at 3.40, PhilB via dovecot <dovecot@dovecot.org> wrote:
Where I'm confused is the replacement of mail_location. Currently this is:
mail_location = maildir:/var/mail/users/%u
Should this be changed to:
mail_driver = maildir
mail_path = /var/mail/users/%{user}
Yes.
Hope I have given enough information. Thanks for any help provided.
BTW, while researching, I think I found a small typo here: https://doc.dovecot.org/2.4.0/core/config/users/virtual.html#usernames-and-d... Second para: "domain%{user}ser"
Thanks, it was supposed to be "domain%user" still in there - will fix it.
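A pre-upgrade check built only from the 2.3-to-2.4 changes named in this thread and in the release notes, as an added example (not a Dovecot tool; the function name `lint_23_config` and both sample configurations are constructed). It is not a complete converter: it flags the rewrites discussed here and leaves everything else to the upgrade guide.

```python
import re

# Rewrites named in this thread: old short variable -> 2.4 expansion.
VAR_REWRITES = {"u": "%{user}", "n": "%{user | username}"}
SHORT_VAR = re.compile(r"%(?!\{)([A-Za-z])")
SETTING = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
UNNAMED_DB = re.compile(r"^\s*(passdb|userdb)\s*\{")


def lint_23_config(text):
    """Return (line_number, message) findings; line 0 means the whole file."""
    findings = []
    lines = text.splitlines()
    active = [l.strip() for l in lines
              if l.strip() and not l.strip().startswith("#")]
    if not active or not active[0].startswith("dovecot_config_version"):
        findings.append(
            (0, "dovecot_config_version must be the first non-comment line"))
    if not any(l.startswith("dovecot_storage_version") for l in active):
        findings.append((0, "dovecot_storage_version is missing"))

    for number, line in enumerate(lines, 1):
        if line.strip().startswith("#"):
            continue
        db = UNNAMED_DB.match(line)
        if db:
            name = db.group(1)
            findings.append(
                (number, f"{name} section needs a name, e.g. '{name} users {{'"))
        setting = SETTING.match(line)
        if setting:
            key, value = setting.groups()
            if value.startswith("="):
                # Dovecot treats the second '=' as part of the value, no error.
                findings.append(
                    (number, f"value of {key} begins with '=' (doubled '='?)"))
            if key == "mail_location":
                driver, _, path = value.partition(":")
                findings.append(
                    (number, f"replace with 'mail_driver = {driver}' "
                             f"and 'mail_path = {path}'"))
            elif key == "disable_plaintext_auth":
                # Thread gives 'no' -> 'yes'; the inverse is assumed for 'yes'.
                new = "yes" if value == "no" else "no"
                findings.append(
                    (number, f"replace with 'auth_allow_cleartext = {new}'"))
            elif key.startswith("imapsieve_mailbox"):
                findings.append(
                    (number, "move into 'mailbox NAME { sieve_script NAME { ... } }'"))
        for var in SHORT_VAR.findall(line):
            hint = VAR_REWRITES.get(var, "see the 2.4 variables documentation")
            findings.append((number, f"old-style %{var}: use {hint}"))
    return findings


# Constructed 2.3-style input.
OLD_CONF = """\
# constructed 2.3-style sample
disable_plaintext_auth = no
mail_location = maildir:/var/mail/users/%u
auth_username_format = = %n
userdb {
  driver = passwd-file
  args = username_format=%u /usr/local/etc/dovecot/users
}
imapsieve_mailbox1_name = Junk
"""

# Constructed 2.4-style input that should produce no findings.
NEW_CONF = """\
dovecot_config_version = 2.4.0
dovecot_storage_version = 2.4.0
mail_driver = maildir
mail_path = /var/mail/users/%{user}
auth_username_format = %{user | username}
userdb users {
  driver = passwd-file
}
"""

if __name__ == "__main__":
    for number, message in lint_23_config(OLD_CONF):
        print(f"line {number}: {message}")
```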
Hi,
I have ported my Lua backend to fit with Dovecot version 2.4.0. I encountered minor issues:
Could you please add the configuration docs for the dovecot-http-client or point me to the location, where I can find it? It seems, "debug", "timeout" and "max_attempts" have been dropped or renamed.
Secondly:
request.service is always nil and is no longer set to the current service name like imap, pop3, ...
Thanks in advance
Christian Rößner
On 27. Jan 2025, at 12.30, Christian Rößner via dovecot <dovecot@dovecot.org> wrote:
Hi,
I have ported my Lua backend to fit with Dovecot version 2.4.0. I encountered minor issues:
Could you please add the configuration docs for the dovecot-http-client or point me to the location, where I can find it? It seems, "debug", "timeout" and "max_attempts" have been dropped or renamed.
Looks like the documentation update wasn't exactly right. Updating it in https://github.com/dovecot/documentation/pull/1148
In general, Lua supports all http_client_* settings without the http_client_ prefix and ssl_client_* settings with the prefix. So:
- request_max_attempts
- request_timeout
There is no more debug setting. You can enable debug for the parent event instead.
request.service is always nil and is no longer set to the current service name like imap, pop3, ...
It was named wrongly. It's request.protocol now.
On 27. Jan 2025, at 14.00, Timo Sirainen <timo@sirainen.com> wrote:
I have ported my Lua backend to fit with Dovecot version 2.4.0. I encountered minor issues:
Could you please add the configuration docs for the dovecot-http-client or point me to the location, where I can find it? It seems, "debug", "timeout" and "max_attempts" have been dropped or renamed.
Looks like the documentation update wasn't exactly right. Updating it in https://github.com/dovecot/documentation/pull/1148
In general, Lua supports all http_client_* settings without the http_client_ prefix and ssl_client_* settings with the prefix. So:
- request_max_attempts
- request_timeout
There is no more debug setting. You can enable debug for the parent event instead.
Looks like we're missing set_forced_debug() for Lua, so you can't do that in Lua code. But you can use in dovecot.conf for example:
log_debug = category=auth and category=http-client
On Fri, 2025-01-24 at 12:42 +0200, Aki Tuomi via dovecot wrote:
Hi all,
Hello,
I've been upgrading to 2.4.0; one thing is annoying me. Using "doveadm -A xxxx" on LDAP doesn't work - the parser (doveconf) throws an error 'Unknown section name: iterate_fields'.
userdb ldap {
  iterate_filter = (objectClass=posixAccount)
  iterate_fields {
    user = %{ldap:uid}
  }
}
Regards, Armin.
On 27. Jan 2025, at 14.34, Armin Tüting via dovecot <dovecot@dovecot.org> wrote:
On Fri, 2025-01-24 at 12:42 +0200, Aki Tuomi via dovecot wrote:
Hi all,
Hello,
I've been upgrading to 2.4.0; one thing is annoying me. Using "doveadm -A xxxx" on LDAP doesn't work - the parser (doveconf) throws an error 'Unknown section name: iterate_fields'.
userdb ldap {
  iterate_filter = (objectClass=posixAccount)
  iterate_fields {
    user = %{ldap:uid}
  }
}
This is a bit unfortunate behavior, which we didn't catch in our tests. I'll see if I can fix it.
For now you can use the longer version ldap_iterate_fields or userdb_ldap_iterate_fields instead. It shows up in a bit weird way in the doveconf output, which I'll also try to figure out how to fix:
userdb ldap {
  userdb_ldap {
    iterate_fields {
      user = %{ldap:uid}
    }
  }
}
Dear Aki Tuomi, and other Dovecot team members,
Thanks for this new release
Additionally, kindly note that the FTS (Full Text Search) dovecot-fts-xapian has also been released and is fully compatible with dovecot 2.4
Exciting news are:
- Drastically reduced storage space (above 60% of saved space)
- Super fast, multi-threaded indexing process with much less I/O
- Reduction even further of needed parameters (none mandatory) to keep the "plug and play" approach
The USP here is
- No headache
- Exact search (no "fuzzy" or "elastic" search, you get just what you search for)
- Better use of Xapian backend and limited resources on small servers
v1.8.6 is being deployed on most distros
git is https://github.com/grosjo/fts-xapian
Thanks
Hi all,
I just wanted to say thanks for all your efforts and for bringing this promising-looking release together.
I spent the last two days tinkering with old and new configurations. Sadly I had to revert back to 2.3.21😭.
Everything worked just fine, including compression, sieve and secure connections, except Exim with Dovecot LMTP and authenticator. There seems to be a bug that only occurs when I attempt to send remote email: I connect to SMTP via Exim, which uses the dovecot auth-client socket to authenticate the user; dovecot accepts the connection from Exim, makes an sql driver query from mysql to check passdb, and stalls there forever. I noticed it keeps opening more and more connections, each with a unique fd, until it reaches the anvil limit and disallows logins, and if I disable the anvil service as was recommended in the documentation, it reaches the limit of max users connected using the same IP address and disallows logins again.
I tinkered so much with permissions and both exim and dovecot logs trying to find any lead to fix yet to no avail I found way, as everything works fine when I return to 2.3.21 using old yet identical configuration.
One thing I remember happened before, and it's similar in terms of the exim authentication stalling experience: it's when I set ssl = yes inside the lmtp service in 2.3.21, and when I remove it, it works fine.
Along with this, I noticed the only different configuration is the address member in the lmtp service referenced here https://doc.dovecot.org/2.4.0/core/config/delivery/lmtp.html#lmtp-server When I set it, dovecot 2.4 fails to start the service and returns " address " unrecognised option. It's quite strange and I'm not sure why it's still in the documentation page, which was updated a few days ago, on the 27th.
I had to remove it while in 2.3.21 I can set it to the smtp server address which exim makes lmtp call to byname and works fine.
Dovecot 2.4 works fine with receiving remote emails since no authentication is required from the MTA agent, exim, since it just transports the email to the lmtp transport and forwards it to dovecot.
I hope the team will review this bug when they have the chance and address it in the upcoming release. I am really excited to give dovecot 2.4 another try, hopefully with a much better release.
In case I missed anything with which I can fix this problem, I would also appreciate it if anyone let me know.
With thanks.
Zakaria.
participants (17)
- * Neustradamus *
- A. Schulze
- Aki Tuomi
- Armin Tüting
- Bernardo Reino
- Bjoern Franke
- Brad Smith
- Christian Rößner
- hi@zakaria.website
- Joan Moreau
- Larry Rosenman
- Michael Grimm
- Michael Slusarz
- Mike Panev
- PhilB
- subscriptions@panev.eu
- Timo Sirainen