15 Sep 2009
A new version of Dovecot was released a few days ago, but I’ve only been able to test it today; sorry, busy week.
The bugfixes include:
- Authentication: DIGEST-MD5 and RPA mechanisms no longer require user’s login realm to be listed in auth_realms. It only made configuration more difficult without really providing extra security.
- zlib plugin: Don’t allow clients to save compressed data directly. This prevents users from exploiting (most of the) potential security holes in zlib/bzlib.
- Added pop3_save_uidl setting.
- dict quota: When updating quota and user isn’t already in dict, recalculate and save the quota.
- file_set_size() was broken with OSes that didn’t support posix_fallocate() (almost everyone except Linux), causing all kinds of index file errors.
- v1.2.4 index file handling could have caused an assert-crash
- IMAP: Fixes to QRESYNC extension.
- virtual plugin: Crashfix
- deliver: Don’t send rejects to any messages that have an Auto-Submitted header. This avoids email loops.
- Maildir: Performance fixes, especially with maildir_very_dirty_syncs.
- Maildir++ quota: Limits weren’t read early enough from maildirsize file (when quota limits not enforced by Dovecot)
- Message decoding fixes (mainly for IMAP SEARCH, Sieve).