A new version of Dovecot was released a few days ago, but I’ve only been able to test it today; sorry, busy week.

The bugfixes include:

  • Authentication: DIGEST-MD5 and RPA mechanisms no longer require user’s login realm to be listed in auth_realms. It only made configuration more difficult without really providing extra security.
  • zlib plugin: Don’t allow clients to save compressed data directly. This prevents users from exploiting (most of the) potential security holes in zlib/bzlib.
  • Added pop3_save_uidl setting.
  • dict quota: When updating quota and user isn’t already in dict, recalculate and save the quota.
  • file_set_size() was broken with OSes that didn’t support posix_fallocate() (almost everyone except Linux), causing all kinds of index file errors.
  • v1.2.4 index file handling could have caused an assert-crash.
  • IMAP: Fixes to QRESYNC extension.
  • virtual plugin: Crash fix.
  • deliver: Don’t send rejects to any messages that have an Auto-Submitted header. This avoids email loops.
  • Maildir: Performance fixes, especially with maildir_very_dirty_syncs.
  • Maildir++ quota: Limits weren’t read early enough from maildirsize file (when quota limits not enforced by Dovecot).
  • Message decoding fixes (mainly for IMAP SEARCH, Sieve).