A new verison of Dovecot has been released a few days ago but I’ve only been able to test it today, sorry busy week.

The bugfixes include:

• Authentication: DIGEST-MD5 and RPA mechanisms no longer require user’s login realm to be listed in auth_realms. It only made configuration more difficult without really providing extra security.
• zlib plugin: Don’t allow clients to save compressed data directly. This prevents users from exploiting (most of the) potential security holes in zlib/bzlib.
• Added pop3_save_uidl setting.
• dict quota: When updating quota and user isn’t already in dict, recalculate and save the quota.
• file_set_size() was broken with OSes that didn’t support posix_fallocate() (almost everyone except Linux), causing all kinds of index file errors.
• v1.2.4 index file handling could have caused an assert-crash
• IMAP: Fixes to QRESYNC extension.
• virtual plugin: Crashfix
• deliver: Don’t send rejects to any messages that have Auto-Submitted
  header. This avoids emails loops.
• Maildir: Performance fixes, especially with maildir_very_dirty_syncs.
• Maildir++ quota: Limits weren’t read early enough from maildirsize file (when quota limits not enforced by Dovecot)
• Message decoding fixes (mainly for IMAP SEARCH, Sieve).