- dovecot - dovecot.org

Dovecot lifecycle announcement
by Aki Tuomi 12 May '25

12 May '25

We are announcing these Dovecot end-of-life (EOL) decisions: 1. All Dovecot versions before 2.3 are now fully EOL. We will not provide any additional patches, including security issues, for these releases. 2. For Dovecot CE 2.3 we will provide critical security bug fixes. Thus, if you are experiencing a non-security issue with Dovecot, we need you to upgrade into latest 2.4 CE release and reproduce the problem there in order for the team to debug. The Dovecot team will no longer debug non-security related issues for 2.3 releases. If the issue can occur with the latest 2.4 release, please file a bug report and we will take a look! If you are using a 2.3.x version packaged from an Operating System Vendor, please open a bug against them for fixing it. We do not provide patches or bug fixes against these OS Vendor specific releases. Dovecot CE 2.4.x is the current main release, which will continue to receive feature, bug and security patches. We accept bug reports against latest 2.4 version or "main" branch of Dovecot. Packages for Dovecot CE 2.4 can be found at https://repo.dovecot.org. Thank you for using Dovecot! Note: Users with a commercial agreement with Open-Xchange (Dovecot Pro) have a separate extended EOL policy, so this announcement does not apply to them. Regards, Aki Tuomi Open-Xchange oy

1 0

MySQL Auth Troubles during Migration to 2.4.1
by Odhiambo Washington 07 May '25

07 May '25

I am between a rock and a hard place while doing my migration from 2.3.19.1 to 2.4.1 I have setup a clean system to test the running before I import my database of virtual users. I haven't changed much from the config examples provided at My auth-sql.conf.ext: sql_driver = mysql mysql /var/run/mysqld/mysqld.sock { user = db_user password = XXXXX dbname = dbname } passdb sql { default_password_scheme = SHA512 query = SELECT crypt AS password FROM users,domains WHERE users.username = '%{user}' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id } userdb sql { query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}' iterate_query = SELECT username AS user FROM users } dovecot -n: ``` root@mail:/etc/dovecot/conf.d# doveconf -n # 2.4.1-4+debian12 (7d8c0e5759): /etc/dovecot/dovecot.conf # Pigeonhole version 2.4.1-4+debian12 (0a86619f) # OS: Linux 6.1.0-34-amd64 x86_64 Debian 12.10 # Hostname: mail.domain.name dovecot_config_version = 2.4.1 auth_debug_passwords = yes auth_verbose = yes auth_verbose_passwords = yes dovecot_storage_version = 2.4.1 fts_autoindex = yes fts_autoindex_max_recent_msgs = 999 fts_search_add_missing = yes info_log_path = /var/log/dovecot.log log_debug = category=auth mail_plugins { notify = yes mail_log = yes } protocols = imap pop3 lmtp sieve sql_driver = mysql mysql /var/run/mysqld/mysqld.sock { dbname = exim4u password = # hidden, use -P to show it user = exim4u } passdb sql { default_password_scheme = SHA512 query = SELECT crypt AS password FROM users,domains WHERE users.username = '%{user}' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id } userdb sql { iterate_query = SELECT username AS user FROM users query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}' } namespace inbox { inbox = yes mailbox Drafts { special_use = "\\Drafts" } mailbox Junk { special_use = "\\Junk" } mailbox Trash { special_use = "\\Trash" } mailbox Sent { special_use = "\\Sent" } mailbox "Sent Messages" { special_use = "\\Sent" } } service imap-login { inet_listener imap { } inet_listener imaps { } } service pop3-login { inet_listener pop3 { } inet_listener pop3s { } } service submission-login { inet_listener submission { } inet_listener submissions { } } service lmtp { unix_listener lmtp { } } service imap { } service pop3 { } service submission { } service auth { unix_listener auth-userdb { } } service auth-worker { } service dict { unix_listener dict { } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } service managesieve { } ``` I ran a test against the POP3 daemon: ``` telnet 0 110 Trying 0.0.0.0... Connected to 0. Escape character is '^]'. +OK Dovecot ready. user 'joh(a)doe.com +OK pass XXXXXXX -ERR [SYS/TEMP] Temporary authentication failure. ``` And the debugging ends up in "pop3-login: Info: Login aborted: Logged out (auth service reported temporary failure". I am not sure where to look for this. May 04 13:08:46 auth: Debug: sqlpool(mysql): Creating new connection May 04 13:08:46 auth: Debug: Read auth token secret from /run/auth-token-secret.dat May 04 13:08:46 auth: Debug: mysql(/var/run/mysqld/mysqld.sock): Connecting May 04 13:08:46 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: Server accepted connection (fd=19) May 04 13:08:46 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: auth client connected (pid=9061) May 04 13:09:12 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: client in: AUTH 1 PLAIN protocol=pop3 final-resp-ok secured session=0sexkUw07I1/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=110 rport=36332 resp=AHdhc2hAbWFyYS5jbG91ZAB3YXNoQG1hcmEuY2xvdWQ= (previous base64 data may contain sensitive data) May 04 13:09:12 auth(joh@doe.com,127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>: Debug: sql: Performing passdb lookup May 04 13:09:12 auth: Debug: conn unix:auth-worker: Connecting May 04 13:09:12 auth: Debug: conn unix:auth-worker (pid=9055,uid=0): Client connected (fd=20) May 04 13:09:12 auth: Debug: conn unix:auth-worker (pid=9055,uid=0): Sending version handshake May 04 13:09:12 auth-worker(9138): Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth May 04 13:09:12 auth-worker(9138): Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so May 04 13:09:12 auth-worker(9138): Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so May 04 13:09:12 auth-worker(9138): Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_sqlite.so May 04 13:09:12 auth-worker(9138): Debug: sqlpool(mysql): Creating new connection May 04 13:09:12 auth-worker(9138): Debug: mysql(/var/run/mysqld/mysqld.sock): Connecting May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker (pid=9063,uid=116): Server accepted connection (fd=13) May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker (pid=9063,uid=116): Sending version handshake May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker (pid=9063,uid=116): auth-worker<1>: Handling PASSV request May 04 13:09:12 auth-worker(joh(a)doe.com,127.0.0.1)<9138><0sexkUw07I1/AAAB>: request [1]: Debug: sql: Performing passdb lookup May 04 13:09:12 auth: Debug: auth-worker: Worker sent process limit '30' May 04 13:09:12 auth-worker(joh(a)doe.com,127.0.0.1)<9138><0sexkUw07I1/AAAB>: request [1]: Debug: sql: query: SELECT crypt AS password FROM users,domains WHERE users.username = 'joh(a)doe.com' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id May 04 13:09:12 auth-worker(9138): Debug: mysql(/var/run/mysqld/mysqld.sock): Finished query 'SELECT crypt AS password FROM users,domains WHERE users.username = 'joh(a)doe.com' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id' in 0 msecs May 04 13:09:12 auth-worker(joh(a)doe.com,127.0.0.1)<9138><0sexkUw07I1/AAAB>: request [1]: Debug: sql: Finished passdb lookup May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker (pid=9063,uid=116): auth-worker<1>: Finished: internal_failure May 04 13:09:12 auth(joh@doe.com,127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>: Debug: sql: Finished passdb lookup May 04 13:09:14 auth(joh@doe.com,127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>: Debug: Auth request finished May 04 13:09:14 auth(joh@doe.com,127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>: Debug: immediate auth failure due to internal failure May 04 13:09:14 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: client passdb out: FAIL 1 user=joh(a)doe.com code=temp_fail May 04 13:09:18 pop3-login: Info: Login aborted: Logged out (auth service reported temporary failure, 1 attempts in 6 secs) (temp_fail): user=< joh(a)doe.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<0sexkUw07I1/AAAB> -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html] I am between a rock and a hard place while doing my migration from 2.3.19.1 to 2.4.1 I have setup a clean system to test the running before I import my database of virtual users. I haven't changed much from the config examples provided at My auth-sql.conf.ext: sql_driver = mysql mysql /var/run/mysqld/mysqld.sock { user = db_user password = XXXXX dbname = dbname } passdb sql { default_password_scheme = SHA512 query = SELECT crypt AS password FROM users,domains WHERE users.username = '% {user}' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id } userdb sql { query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}' iterate_query = SELECT username AS user FROM users } dovecot -n: ``` root@mail:/etc/dovecot/conf.d# doveconf -n # 2.4.1-4+debian12 (7d8c0e5759): /etc/dovecot/dovecot.conf # Pigeonhole version 2.4.1-4+debian12 (0a86619f) # OS: Linux 6.1.0-34-amd64 x86_64 Debian 12.10 # Hostname: mail.domain.name dovecot_config_version = 2.4.1 auth_debug_passwords = yes auth_verbose = yes auth_verbose_passwords = yes dovecot_storage_version = 2.4.1 fts_autoindex = yes fts_autoindex_max_recent_msgs = 999 fts_search_add_missing = yes info_log_path = /var/log/dovecot.log log_debug = category=auth mail_plugins { notify = yes mail_log = yes } protocols = imap pop3 lmtp sieve sql_driver = mysql mysql /var/run/mysqld/mysqld.sock { dbname = exim4u password = # hidden, use -P to show it user = exim4u } passdb sql { default_password_scheme = SHA512 query = SELECT crypt AS password FROM users,domains WHERE users.username = '% {user}' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id } userdb sql { iterate_query = SELECT username AS user FROM users query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}' } namespace inbox { inbox = yes mailbox Drafts { special_use = "\\Drafts" } mailbox Junk { special_use = "\\Junk" } mailbox Trash { special_use = "\\Trash" } mailbox Sent { special_use = "\\Sent" } mailbox "Sent Messages" { special_use = "\\Sent" } } service imap-login { inet_listener imap { } inet_listener imaps { } } service pop3-login { inet_listener pop3 { } inet_listener pop3s { } } service submission-login { inet_listener submission { } inet_listener submissions { } } service lmtp { unix_listener lmtp { } } service imap { } service pop3 { } service submission { } service auth { unix_listener auth-userdb { } } service auth-worker { } service dict { unix_listener dict { } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } service managesieve { } ``` I ran a test against the POP3 daemon: ``` telnet 0 110 Trying 0.0.0.0... Connected to 0. Escape character is '^]'. +OK Dovecot ready. user 'joh(a)doe.com +OK pass XXXXXXX -ERR [SYS/TEMP] Temporary authentication failure. ``` And the debugging ends up in "pop3-login: Info: Login aborted: Logged out (auth service reported temporary failure". I am not sure where to look for this. May 04 13:08:46 auth: Debug: sqlpool(mysql): Creating new connection May 04 13:08:46 auth: Debug: Read auth token secret from /run/auth-token- secret.dat May 04 13:08:46 auth: Debug: mysql(/var/run/mysqld/mysqld.sock): Connecting May 04 13:08:46 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: Server accepted connection (fd=19) May 04 13:08:46 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: auth client connected (pid=9061) May 04 13:09:12 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: client in: AUTH 1 PLAIN protocol=pop3 final-resp-ok secured session=0sexkUw07I1/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=110 rport=36332 resp=AHdhc2hAbWFyYS5jbG91ZAB3YXNoQG1hcmEuY2xvdWQ= (previous base64 data may contain sensitive data) May 04 13:09:12 auth(joh@doe.com,127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>: Debug: sql: Performing passdb lookup May 04 13:09:12 auth: Debug: conn unix:auth-worker: Connecting May 04 13:09:12 auth: Debug: conn unix:auth-worker (pid=9055,uid=0): Client connected (fd=20) May 04 13:09:12 auth: Debug: conn unix:auth-worker (pid=9055,uid=0): Sending version handshake May 04 13:09:12 auth-worker(9138): Debug: Loading modules from directory: /usr/ lib/dovecot/modules/auth May 04 13:09:12 auth-worker(9138): Debug: Module loaded: /usr/lib/dovecot/ modules/auth/libdriver_mysql.so May 04 13:09:12 auth-worker(9138): Debug: Module loaded: /usr/lib/dovecot/ modules/auth/libdriver_pgsql.so May 04 13:09:12 auth-worker(9138): Debug: Module loaded: /usr/lib/dovecot/ modules/auth/libdriver_sqlite.so May 04 13:09:12 auth-worker(9138): Debug: sqlpool(mysql): Creating new connection May 04 13:09:12 auth-worker(9138): Debug: mysql(/var/run/mysqld/mysqld.sock): Connecting May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker (pid=9063,uid=116): Server accepted connection (fd=13) May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker (pid=9063,uid=116): Sending version handshake May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker (pid=9063,uid=116): auth-worker<1>: Handling PASSV request May 04 13:09:12 auth-worker(joh(a)doe.com,127.0.0.1)<9138><0sexkUw07I1/AAAB>: request [1]: Debug: sql: Performing passdb lookup May 04 13:09:12 auth: Debug: auth-worker: Worker sent process limit '30' May 04 13:09:12 auth-worker(joh(a)doe.com,127.0.0.1)<9138><0sexkUw07I1/AAAB>: request [1]: Debug: sql: query: SELECT crypt AS password FROM users,domains WHERE users.username = 'joh(a)doe.com' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id May 04 13:09:12 auth-worker(9138): Debug: mysql(/var/run/mysqld/mysqld.sock): Finished query 'SELECT crypt AS password FROM users,domains WHERE users.username = 'joh(a)doe.com' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id' in 0 msecs May 04 13:09:12 auth-worker(joh(a)doe.com,127.0.0.1)<9138><0sexkUw07I1/AAAB>: request [1]: Debug: sql: Finished passdb lookup May 04 13:09:12 auth-worker(9138): Debug: conn unix:auth-worker (pid=9063,uid=116): auth-worker<1>: Finished: internal_failure May 04 13:09:12 auth(joh@doe.com,127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>: Debug: sql: Finished passdb lookup May 04 13:09:14 auth(joh@doe.com,127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>: Debug: Auth request finished May 04 13:09:14 auth(joh@doe.com,127.0.0.1,sasl:plain)<0sexkUw07I1/AAAB>: Debug: immediate auth failure due to internal failure May 04 13:09:14 auth: Debug: conn unix:login (pid=9061,uid=117) [1]: client passdb out: FAIL 1 user=joh(a)doe.com code=temp_fail May 04 13:09:18 pop3-login: Info: Login aborted: Logged out (auth service reported temporary failure, 1 attempts in 6 secs) (temp_fail): user=<joh(a)doe.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<0sexkUw07I1/AAAB> -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart- questions.html]

2 4

Quota wrongfully reported as exceeded on shared mailbox
by adminkram＠tripelspark.de 07 May '25

07 May '25

Hi, I've been scratching my head without luck with the following problem: I've shared a mailbox from one user "COMPANY" to another user "JOE". Both users have quotas and both quotas are less than 50% used. When the user JOE tries to post a message into the shared folder, dovecot complains that the user would be over quota: bash# /usr/lib/dovecot/imap -u JOE 1 append shared/COMPANY/Sent/JOE {10} a NO [OVERQUOTA] Quota exceeded (mailbox for user is full) (0.057 + 0.000 + 0.057 secs). However, nobody is over quota: bash# doveadm quota get -u COMPANY Quota name Type Value Limit % User quota STORAGE 4754996 10485760 45 User quota MESSAGE 33695 - 0 bash# doveadm quota get -u JOE Quota name Type Value Limit % User quota STORAGE 14 1048576 0 User quota MESSAGE 3 - 0 Some more infos: 1. Dovecot-2.3.21 (+Debian updates) 2.3.21 (47349e2482) (NOTE: dovecot.org/mailing-lists says: Use dovecot –version to get it. The command is dovecot --version, though!) 2. I've performed "doveadm quota recalc" on both users, no change. 3. I've checked sharing ACL permissions, if I give just "l" permission, the response will be "NO [NOPERM] Permission denied". It does not seem to be an ACL permission reported wrongly. 4. I've tried increasing the quota size beyond reason (100 Gbytes for JOE), no change. 5. I've restarted dovecot after each change. 6. When trying to move a message into the shared Sent/joe folder in Thunderbird, same problem happens, Thunderbird displays the over quota message. Thunderbird cannot display the quota info for the shared folder, though. 7. I tried to enable rawlog (rawlog_dir in protocol imap). It does nothing helpful. It logs the manual commands from my pre-auth sessions (imap -u JOE) but it will stubbornly not log any commands issued by Thunderbird. ?! Any idea how to further debug this or what could be wrong? Thank you, Wolfgang

2 1

Dovecot 3.21.1 -> 2.4.0 SegFault
by Cata S 06 May '25

06 May '25

Hi guys, There seems to be some issue with Dovecot deployed on alpine. More specifically, the dovecot.config file is not properly read. I have run some debugging and the SegFault is returned in the function below: #0 0x000055555556779b in config_parsed_get_setting () No symbol table info available. #1 0x0000555555563708 in config_dump_full () No symbol table info available. #2 0x000055555555c814 in main () No symbol table info available. This was also addressed by alpine here: https://gitlab.alpinelinux.org/alpine/aports/-/issues/17050 Any idea what could be causing this? Thanks for looking into it, Cata

2 1

(2.4) weird doveadm behavior
by Kamil Jońca 06 May '25

06 May '25

debian package 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf I have namespace: namespace expunged { mail_driver = maildir mail_path = ~/Mail/expunged/ mailbox_list_layout = fs hidden = yes inbox = no list = no prefix = .EXPUNGED/ separator = / } %doveadm search -u kjonca mailbox .EXPUNGED|head -n 1 08ac303413c11168864d2a00a6f72b09 30802 %doveadm fetch -u kjonca text mailbox-guid 08ac303413c11168864d2a00a6f72b09 uid 30802 ...empty output... How can I fetch messages? KJ -- http://wolnelektury.pl/wesprzyj/teraz/ Now KEN and BARBIE are PERMANENTLY ADDICTED to MIND-ALTERING DRUGS ...

3 6

2.3 -> 2.4 migration problem(s)
by Kamil Jońca 06 May '25

06 May '25

Recently in debian sid version 2.4 appeared and I tried to migrate. it (mostly working) but Neither dovecot-lda nor doveadm does not see current system user context i.e. --8<---------------cut here---------------start------------->8--- %doveadm mailbox list Fatal: One of -u, -F, -A or --no-userdb-lookup must be provided --8<---------------cut here---------------end--------------->8--- from lda logs --8<---------------cut here---------------start------------->8--- Fatal: Namespace root: mail_storage settings: Failed to parse configuration: Invalid setting mail_path=~/Mail/0/: mail_path setting used home directory (~/) but there is no mail_home and userdb didn't return it --8<---------------cut here---------------end--------------->8--- for dovecot-lda setting "mail_home = /home/%{user|username}" helped but still ... doveadm mailbox list -u kjonca and "-d" option helped in both cases Moreover I found that doveadm does not work when dovecot is stoped (but used to work in 2.3.x) Another thing is: --8<---------------cut here---------------start------------->8--- deliver_log_format = msgid=%m: %$ --8<---------------cut here---------------end--------------->8--- in 2.3.x configuration it created line like this: --8<---------------cut here---------------start------------->8--- 2025-04-27T02:08:31.925845+02:00 alfa dovecot: LDA(kjonca): sieve: msgid=<fd248603-b186-4ee2-9e76-b9b9c0fe7a87@alfa>: fileinto action: stored mail into mailbox 'RSS' --8<---------------cut here---------------end--------------->8--- but now it does not work (what is strange I cannot find %$ description and %m is described as "mechanism" not message id ...) So how can I have old loggin and authentication mechanisms? KJ # 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf # Pigeonhole version 2.4.1-4 (0a86619f) # OS: Linux 6.12.22-amd64 x86_64 Debian trixie/sid # ... # 4 default setting change dovecot_config_version = 2.4.0 acl_driver = vfile auth_allow_cleartext = yes auth_debug = yes auth_mechanisms = plain digest-md5 cram-md5 login auth_username_format = %{user | username } auth_verbose = yes default_vsz_limit = 1024M dovecot_storage_version = 2.4.0 lazy_expunge_mailbox = .EXPUNGED/ lazy_expunge_only_last_instance = yes listen = alfa mail_driver = maildir mail_inbox_path = ~/Mail/0/INBOX mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change save mail_log_fields = uid box msgid size from subject flags mail_log_prefix = "%{protocol}(%{user}): " mail_path = ~/Mail/0/ mail_plugins { acl = yes lazy_expunge = yes } postmaster_address = root@localhost protocols { imap = yes } sieve_execute_bin_dir = %{home}/sieve/bin sieve_execute_exec_timeout = 86400s sieve_extensions { fileinto = yes reject = yes envelope = yes encoded-character = yes vacation = yes subaddress = yes comparator-i;ascii-numeric = yes relational = yes regex = yes imap4flags = yes copy = yes include = yes body = yes variables = yes enotify = yes environment = yes mailbox = yes date = yes index = yes ihave = yes duplicate = yes mime = yes foreverypart = yes extracttext = yes vnd.dovecot.pipe = yes vnd.dovecot.execute = yes vnd.dovecot.filter = yes vnd.dovecot.debug = yes editheader = yes } sieve_filter_bin_dir = %{home}/sieve/bin sieve_filter_exec_timeout = 86400s sieve_pipe_bin_dir = %{home}/sieve/bin sieve_pipe_exec_timeout = 86400s sieve_plugins { sieve_extprograms = yes } ssl = no service auth { user = root unix_listener auth-userdb { } } passdb alfa { default_password_scheme = PLAIN driver = passwd-file passwd_file_path = /etc/security/dovecot.pwd } userdb alfa { passwd_file_path = /etc/security/dovecot.pwd driver = passwd-file } namespace root { inbox = yes separator = / } namespace expunged { mail_driver = maildir mail_path = ~/Mail/expunged/ hidden = yes inbox = no list = no prefix = .EXPUNGED/ separator = / } service imap-login { inet_listener imap { } } service imap { } service auth-worker { user = dovecot } service dict { unix_listener dict { } } protocol lda { deliver_log_format = msgid=%m: %$ info_log_path = syslog log_path = syslog mail_plugins { sieve = yes } syslog_facility = mail } protocol imap { mail_max_userip_connections = 20 mail_plugins { mail_log = yes notify = yes acl = yes imap_acl = yes lazy_expunge = yes } } sieve_script personal { path = ~/.dovecot.sieve } sieve_script before { path = /etc/dovecot/sieve } -- http://wolnelektury.pl/wesprzyj/teraz/ The way I understand it, the Russians are sort of a combination of evil and incompetence... sort of like the Post Office with tanks. -- Emo Philips

3 2

Re: Authentication caching and password changes
by Michael Slusarz 04 May '25

04 May '25

> On 05/03/2025 5:31 AM MDT Diego Alvarez via dovecot <dovecot(a)dovecot.org> wrote: > > In Dovecot docs (https://doc.dovecot.org/2.3/configuration_manual/ > authentication/caching/) we see: > > 1. User logs in with password Y. The cached password X doesn’t match Y and the > previous authentication was unsuccessful, so Dovecot doesn’t bother doing > another backend passdb lookup (until cache TTL expires). The login fails. > > Anyone knows why they chose this design ? Why not simply do a passdb lookup > instead of waiting for cache TTL to expire ? You didn't copy and paste the whole context of this documentation comment: https://doc.dovecot.org/2.4.1/core/config/auth/caching.html#early-change When looking at the full context, this is a situation where a user is either using a password that isn't yet valid (= a bad password, so it's a valid denial), or the user did change their password but the Dovecot system doesn't see the change for some reason (= server/admin issue). In the above situation, doing a passdb lookup without waiting for cache TTL expiration is simply the same situation as not having a negative cache at all. So either don't use the negative cache or fix the password sync (and if you can't fix the authentication sync delay, you can't use a negative cache). An unlikely situation is that the user is using the wrong password originally, and then changes their password to this wrong password. You can always reduce the negative cache TTL if you want to catch this rare situation, at the cost of a lower cache hit rate more generally. michael

2 1

Re: (2.3->2.4) How to expunge with hierarhy saving?
by Michael Slusarz 04 May '25

04 May '25

> On 05/02/2025 10:17 PM MDT Kamil Jońca via dovecot <dovecot(a)dovecot.org> wrote: > > I have used lazy_expunge plugin with namespace (configuration convert): > > namespace expunged { > mail_driver = maildir > mail_path = ~/Mail/expunged/ > hidden = yes > inbox = no > list = no > prefix = .EXPUNGED/ > separator = / > } > > with > lazy_expunge_mailbox = .EXPUNGED > > this allowed me to keep hierarchy (i.e.mails from "admin" mailbox were > expunged to "~/Mail/expunged/admin" ) > this is no longer true - the best I can achieve is to have single > mailbox with all mails :( > Is it possible to get older behavior? > (lazy_expunge_mailbox = .EXPUNGED/ - ends with error) Namespace storage for lazy-expunge plugin was deprecated all the way back in 2.3.0, and was removed for 2.4. I've cleaned up the documentation page to remove all references to namespaces (https://github.com/dovecot/documentation/pull/1234) michael

1 0

Running dovecot 2.4
by Odhiambo Washington 04 May '25

04 May '25

Looking at https://doc.dovecot.org/2.4.1/core/admin/running.html, and comparing with a system where I have installed Dovecot 2.4.1: root@mail:/etc/dovecot/conf.d# ps auxw|grep "dovecot" root 9739 0.0 0.0 8872 4816 ? Ss 14:47 0:00 /usr/sbin/dovecot -F root 9741 0.0 0.0 5324 3280 ? S 14:47 0:00 dovecot/anvil root 9742 0.0 0.0 5428 3256 ? S 14:47 0:00 dovecot/log root 9743 0.0 0.1 51976 10248 ? S 14:47 0:00 dovecot/config Why are my other services not running? For example, the dovecot/auth service is not running. On an system running 2.3.21, I get: wash@eu:~$ ps auxw|grep "dovecot" root 181404 0.0 0.0 8240 4408 ? Ss 14:33 0:00 /usr/sbin/dovecot -F dovecot 181408 0.0 0.0 10668 6936 ? S 14:33 0:00 dovecot/managesieve-login Debian-+ 181409 0.0 0.0 12192 8880 ? S 14:33 0:00 dovecot/lmtp -L dovecot 181410 0.0 0.0 4760 1436 ? S 14:33 0:00 dovecot/anvil root 181411 0.0 0.0 5028 2960 ? S 14:33 0:00 dovecot/log Debian-+ 181412 0.0 0.0 12192 8848 ? S 14:33 0:00 dovecot/lmtp -L Debian-+ 181413 0.0 0.0 12192 9040 ? S 14:33 0:00 dovecot/lmtp -L Debian-+ 181414 0.0 0.0 12192 8908 ? S 14:33 0:00 dovecot/lmtp -L Debian-+ 181415 0.0 0.0 12192 8876 ? S 14:33 0:00 dovecot/lmtp -L root 181416 0.0 0.0 8096 5444 ? S 14:33 0:00 dovecot/config dovecot 181418 0.0 0.0 5964 3496 ? S 14:33 0:00 dovecot/stats dovecot 181419 0.0 0.0 12216 8456 ? S 14:33 0:00 dovecot/auth root@mail:/etc/dovecot/conf.d# doveconf -n # 2.4.1-4+debian12 (7d8c0e5759): /etc/dovecot/dovecot.conf # Pigeonhole version 2.4.1-4+debian12 (0a86619f) # OS: Linux 6.1.0-34-amd64 x86_64 Debian 12.10 # Hostname: mail.test,domain dovecot_config_version = 2.4.1 auth_debug_passwords = yes auth_mechanisms = plain login dovecot_storage_version = 2.4.1 fts_autoindex = yes fts_autoindex_max_recent_msgs = 999 fts_search_add_missing = yes info_log_path = /var/log/dovecot.log log_debug = category=auth mail_driver = Maildir mail_path = ~/Maildir protocols = imap pop3 lmtp sieve sql_driver = mysql mysql /var/run/mysqld/mysqld.sock { dbname = exim4u password = # hidden, use -P to show it user = exim4u } passdb sql { default_password_scheme = SHA512 query = SELECT crypt AS password FROM users,domains WHERE users.username = '%{user}' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id } userdb sql { iterate_query = SELECT username AS user FROM users query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}' } namespace inbox { inbox = yes mailbox Drafts { special_use = "\\Drafts" } mailbox Junk { special_use = "\\Junk" } mailbox Trash { special_use = "\\Trash" } mailbox Sent { special_use = "\\Sent" } mailbox "Sent Messages" { special_use = "\\Sent" } } service imap-login { inet_listener imap { } inet_listener imaps { } } service pop3-login { inet_listener pop3 { } inet_listener pop3s { } } service submission-login { inet_listener submission { } inet_listener submissions { } } service lmtp { unix_listener lmtp { } } service imap { } service pop3 { } service submission { } service auth { unix_listener auth-userdb { } } service auth-worker { } service dict { unix_listener dict { } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } service managesieve { } -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html] Looking at https://doc.dovecot.org/2.4.1/core/admin/running.html, and comparing with a system where I have installed Dovecot 2.4.1: root@mail:/etc/dovecot/conf.d# ps auxw|grep "dovecot" root 9739 0.0 0.0 8872 4816 ? Ss 14:47 0:00 /usr/sbin/ dovecot -F root 9741 0.0 0.0 5324 3280 ? S 14:47 0:00 dovecot/ anvil root 9742 0.0 0.0 5428 3256 ? S 14:47 0:00 dovecot/log root 9743 0.0 0.1 51976 10248 ? S 14:47 0:00 dovecot/ config Why are my other services not running? For example, the dovecot/auth service is not running. On an system running 2.3.21, I get: wash@eu:~$ ps auxw|grep "dovecot" root 181404 0.0 0.0 8240 4408 ? Ss 14:33 0:00 /usr/sbin/ dovecot -F dovecot 181408 0.0 0.0 10668 6936 ? S 14:33 0:00 dovecot/ managesieve-login Debian-+ 181409 0.0 0.0 12192 8880 ? S 14:33 0:00 dovecot/lmtp -L dovecot 181410 0.0 0.0 4760 1436 ? S 14:33 0:00 dovecot/ anvil root 181411 0.0 0.0 5028 2960 ? S 14:33 0:00 dovecot/log Debian-+ 181412 0.0 0.0 12192 8848 ? S 14:33 0:00 dovecot/lmtp -L Debian-+ 181413 0.0 0.0 12192 9040 ? S 14:33 0:00 dovecot/lmtp -L Debian-+ 181414 0.0 0.0 12192 8908 ? S 14:33 0:00 dovecot/lmtp -L Debian-+ 181415 0.0 0.0 12192 8876 ? S 14:33 0:00 dovecot/lmtp -L root 181416 0.0 0.0 8096 5444 ? S 14:33 0:00 dovecot/ config dovecot 181418 0.0 0.0 5964 3496 ? S 14:33 0:00 dovecot/ stats dovecot 181419 0.0 0.0 12216 8456 ? S 14:33 0:00 dovecot/auth root@mail:/etc/dovecot/conf.d# doveconf -n # 2.4.1-4+debian12 (7d8c0e5759): /etc/dovecot/dovecot.conf # Pigeonhole version 2.4.1-4+debian12 (0a86619f) # OS: Linux 6.1.0-34-amd64 x86_64 Debian 12.10 # Hostname: mail.test,domain dovecot_config_version = 2.4.1 auth_debug_passwords = yes auth_mechanisms = plain login dovecot_storage_version = 2.4.1 fts_autoindex = yes fts_autoindex_max_recent_msgs = 999 fts_search_add_missing = yes info_log_path = /var/log/dovecot.log log_debug = category=auth mail_driver = Maildir mail_path = ~/Maildir protocols = imap pop3 lmtp sieve sql_driver = mysql mysql /var/run/mysqld/mysqld.sock { dbname = exim4u password = # hidden, use -P to show it user = exim4u } passdb sql { default_password_scheme = SHA512 query = SELECT crypt AS password FROM users,domains WHERE users.username = '% {user}' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id } userdb sql { iterate_query = SELECT username AS user FROM users query = SELECT pop as home, uid, gid FROM users WHERE username = '%{user}' } namespace inbox { inbox = yes mailbox Drafts { special_use = "\\Drafts" } mailbox Junk { special_use = "\\Junk" } mailbox Trash { special_use = "\\Trash" } mailbox Sent { special_use = "\\Sent" } mailbox "Sent Messages" { special_use = "\\Sent" } } service imap-login { inet_listener imap { } inet_listener imaps { } } service pop3-login { inet_listener pop3 { } inet_listener pop3s { } } service submission-login { inet_listener submission { } inet_listener submissions { } } service lmtp { unix_listener lmtp { } } service imap { } service pop3 { } service submission { } service auth { unix_listener auth-userdb { } } service auth-worker { } service dict { unix_listener dict { } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } service managesieve { } -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart- questions.html]

1 0

MySQL AUTH failing
by Odhiambo Washington 03 May '25

03 May '25

I am arriving late to begin the migration to 2.4. The following is my auth-sql.conf.ext: # MySQL Authentication sql_driver = mysql mysql /var/run/mysqld/mysqld.sock { user = user password = SECRET dbname = pass } passdb sql { default_password_scheme = MD5-CRYPT query = SELECT crypt AS password FROM users,domains WHERE users.username = '%u' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id } userdb sql { query = SELECT pop as home, uid, gid FROM users WHERE username = '%u' iterate_query = SELECT username AS user FROM users } The queries work for Dovecot 2.3, but fail for 2.4: May 03 20:46:44 auth-worker(john(a)doe.com,127.0.0.1)<4758><AAi/1z40rt9/AAAB>: request [1]: Debug: sql: query: SELECT crypt AS password FROM users,domains WHERE users.username = '%u' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id May 03 20:46:44 auth-worker(4758): Debug: mysql(/var/run/mysqld/mysqld.sock): Finished query 'SELECT crypt AS password FROM users,domains WHERE users.username = '%u' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id' in 1 msecs May 03 20:46:44 auth-worker(john(a)doe.com,127.0.0.1)<4758><AAi/1z40rt9/AAAB>: request [1]: Info: sql: unknown user May 03 20:46:44 auth-worker(john(a)doe.com,127.0.0.1)<4758><AAi/1z40rt9/AAAB>: request [1]: Debug: sql: Finished passdb lookup May 03 20:46:44 auth-worker(4758): Debug: conn unix:auth-worker (pid=4757,uid=116): auth-worker<1>: Finished: user_unknown May 03 20:46:44 auth(john@doe.com,127.0.0.1,sasl:plain)<AAi/1z40rt9/AAAB>: Debug: sql: Finished passdb lookup May 03 20:46:44 auth(john@doe.com,127.0.0.1,sasl:plain)<AAi/1z40rt9/AAAB>: Debug: Auth request finished May 03 20:46:44 auth(john@doe.com,127.0.0.1,sasl:plain)<AAi/1z40rt9/AAAB>: Debug: delaying auth failure May 03 20:46:46 auth: Debug: conn unix:login (pid=4755,uid=117) [1]: client passdb out: FAIL 1 user=john(a)doe.com -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html] I am arriving late to begin the migration to 2.4. The following is my auth-sql.conf.ext: # MySQL Authentication sql_driver = mysql mysql /var/run/mysqld/mysqld.sock { user = user password = SECRET dbname = pass } passdb sql { default_password_scheme = MD5-CRYPT query = SELECT crypt AS password FROM users,domains WHERE users.username = '%u' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id } userdb sql { query = SELECT pop as home, uid, gid FROM users WHERE username = '%u' iterate_query = SELECT username AS user FROM users } The queries work for Dovecot 2.3, but fail for 2.4: May 03 20:46:44 auth-worker(john(a)doe.com,127.0.0.1)<4758><AAi/1z40rt9/AAAB>: request [1]: Debug: sql: query: SELECT crypt AS password FROM users,domains WHERE users.username = '%u' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id May 03 20:46:44 auth-worker(4758): Debug: mysql(/var/run/mysqld/mysqld.sock): Finished query 'SELECT crypt AS password FROM users,domains WHERE users.username = '%u' AND users.enabled = '1' AND users.type='local' and domains.enabled='1' and domains.domain_id = users.domain_id' in 1 msecs May 03 20:46:44 auth-worker(john(a)doe.com,127.0.0.1)<4758><AAi/1z40rt9/AAAB>: request [1]: Info: sql: unknown user May 03 20:46:44 auth-worker(john(a)doe.com,127.0.0.1)<4758><AAi/1z40rt9/AAAB>: request [1]: Debug: sql: Finished passdb lookup May 03 20:46:44 auth-worker(4758): Debug: conn unix:auth-worker (pid=4757,uid=116): auth-worker<1>: Finished: user_unknown May 03 20:46:44 auth(john@doe.com,127.0.0.1,sasl:plain)<AAi/1z40rt9/AAAB>: Debug: sql: Finished passdb lookup May 03 20:46:44 auth(john@doe.com,127.0.0.1,sasl:plain)<AAi/1z40rt9/AAAB>: Debug: Auth request finished May 03 20:46:44 auth(john@doe.com,127.0.0.1,sasl:plain)<AAi/1z40rt9/AAAB>: Debug: delaying auth failure May 03 20:46:46 auth: Debug: conn unix:login (pid=4755,uid=117) [1]: client passdb out: FAIL 1 user=john(a)doe.com -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart- questions.html]

1 0