From tss at iki.fi Sun Nov 3 22:08:03 2013
From: tss at iki.fi (Timo Sirainen)
Date: Sun, 03 Nov 2013 22:08:03 +0200
Subject: [Dovecot-news] v2.2.7 released
Message-ID: <1383509283.14365.2.camel@hurina>

http://dovecot.org/releases/2.2/dovecot-2.2.7.tar.gz
http://dovecot.org/releases/2.2/dovecot-2.2.7.tar.gz.sig

 * Some usage of passdb checkpassword could have been exploitable by
   local users. You may need to modify your setup to keep it working.
   See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security

 + auth: Added ability to truncate values logged by
   auth_verbose_passwords (see 10-logging.conf comment)
 + mdbox: Added "mdbox_deleted" storage, which can be used to access
   messages with refcount=0. For example:
   doveadm import mdbox_deleted:~/mdbox "" mailbox inbox subject oops
 + ssl-params: Added ssl_dh_parameters_length setting.
 - master process was doing a hostname.domain lookup for each created
   process, which may have caused a lot of unnecessary DNS lookups.
 - dsync: Syncing over 100 messages at once caused problems in some
   situations, causing messages to get new UIDs.
 - fts-solr: Different Solr hosts for different users didn't work.

From tss at iki.fi Sun Nov 3 22:52:06 2013
From: tss at iki.fi (Timo Sirainen)
Date: Sun, 3 Nov 2013 22:52:06 +0200
Subject: [Dovecot-news] [Dovecot] v2.2.7 released
In-Reply-To: <1383509283.14365.2.camel@hurina>
References: <1383509283.14365.2.camel@hurina>
Message-ID: <36D8C5FE-2717-404B-96DE-56D84E0AB2C5@iki.fi>

On 3.11.2013, at 22.08, Timo Sirainen wrote:

> * Some usage of passdb checkpassword could have been exploitable by
> local users. You may need to modify your setup to keep it working.
> See http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security

Oh, forgot to mention here: This problem was found by the cPanel people
(cPanel uses checkpassword). They also reserved CVE-2013-6171 for this.

From tss at iki.fi Tue Nov 19 23:23:16 2013
From: tss at iki.fi (Timo Sirainen)
Date: Tue, 19 Nov 2013 23:23:16 +0200
Subject: [Dovecot-news] v2.2.8 released
Message-ID: <66D0C060-387D-4460-B00C-3E939694B2A6@iki.fi>

http://dovecot.org/releases/2.2/dovecot-2.2.8.tar.gz
http://dovecot.org/releases/2.2/dovecot-2.2.8.tar.gz.sig

 + Mail cache lookups work for the mail being saved. This improves
   performance by avoiding the need to parse the mail multiple times
   when using some plugins (e.g. mail_log).
 + Mail cache works for recently cached data also with in-memory
   indexes.
 + imapc: Many performance improvements, especially when working with
   dsync. Also added imapc_feature=fetch-headers which allows using
   FETCH BODY.PEEK[HEADER.FIELDS (..)] to avoid reading the entire
   header.
 + mail_location = ..:FULLDIRNAME=dbox-Mails is the same as
   :DIRNAME=dbox-Mails, but it will also be used for :INDEX and
   :CONTROL directories. (It should have worked this way from the
   beginning, but can't be changed anymore without breaking existing
   installations).
 - Fixed infinite loop in message parsing if message ends with
   "--boundary" and CR (without LF). Messages saved via SMTP/LMTP
   can't trigger this, because messages must end with an "LF.". A user
   could trigger this for him/herself though.
 - lmtp: Client was sometimes disconnected before all the output was
   sent to it.
 - imap_zlib plugin caused crashes during client disconnection in
   v2.2.7
 - replicator: Database wasn't being exported to disk every 15 minutes
   as it should have. Instead it was being imported, causing "doveadm
   replicator remove" commands to not work very well.

From tss at iki.fi Mon Nov 25 02:27:57 2013
From: tss at iki.fi (Timo Sirainen)
Date: Mon, 25 Nov 2013 02:27:57 +0200
Subject: [Dovecot-news] v2.2.9 released
Message-ID: <0B57B8E1-1802-47B9-B2BE-D6DABE2546E0@iki.fi>

http://dovecot.org/releases/2.2/dovecot-2.2.9.tar.gz
http://dovecot.org/releases/2.2/dovecot-2.2.9.tar.gz.sig

 + Full text search indexing can now be done automatically after
   saving/copying mails by setting plugin { fts_autoindex=yes }
 + replicator: Added replication_dsync_parameters setting to pass
   "doveadm sync" parameters (for controlling what to replicate).
 + Added mail-filter plugin
 + Added liblzma/xz support (zlib_save=xz)
 - v2.2.8's improved cache file handling exposed several old bugs
   related to fetching mail headers.
 - v2.2.7's iostream handling changes were causing some connections to
   be disconnected before flushing their output (e.g. POP3 logout
   message wasn't being sent)