Dovecot

Timo released another bugfix to Dovecot. mbox users really should upgrade, because by sending a message with a huge header you could basically cause a DoS (this problem exists only with v1.2.x, not with v1.0 or v1.1). Our default setting is maildirs instead of mbox, so you should be safe.

  • mbox: Message header reading was unnecessarily slow. Fetching a huge header could have resulted in Dovecot eating a lot of CPU. Also searching messages was much slower than necessary.
  • mbox, dbox, cydir: Mail root directory was created with 0770 permissions, instead of 0700.
  • maildir: Reading uidlist could have ended up in an infinite loop.
  • IMAP IDLE: v1.2.7+ caused extra load by checking changes every 0.5 seconds after a change had occurred in mailbox

Timo released another bugfix to Dovecot, some minor fixes are included. If you don’t have any problem you don’t need to upgrade if you don’t want to. Bugs fixed in this issue are:

  • %variables now support %{host}, %{pid} and %{env:ENVIRONMENT_NAME} everywhere.
  • LIST-STATUS capability is now advertised
  • maildir: Fixed several assert-crashes.
  • imap: LIST "" inbox shouldn’t crash when using namespace with "INBOX." prefix.
  • lazy_expunge now ignores non-private namespaces.

Timo released another bugfix to Dovecot, he hopes it will last for the next few months. I guess he needs more time for the 2.x release which is coming along nicely. Bugs fixed in this issue are:

  • maildir: When saving, filenames now always contain ,S=. Previously this was done only when quota plugin was loaded. It’s required for zlib plugin and may be useful for other things too.
  • lazy-expunge: Support a single-namespace configuration. If a mailbox is deleted, its messages are merged with its old expunged messages (if there were any).
  • expire: Settings now support spaces in mailbox names by using quoted strings.
  • maildir: v1.2.7 and v1.2.8 caused assert-crashes in maildir_uidlist_records_drop_expunges()
  • maildir_copy_preserve_filename=yes could have caused crashes.
  • Maildir++ quota: % limits weren’t updated when limits were read from maildirsize.
  • virtual: v1.2.8 didn’t fully fix the “lots of mailboxes” bug
  • virtual: Fixed updating virtual mailbox based on flag changes.
  • fts-squat: Fixed searching multi-byte characters.

A new version of Dovecot has been released. It’s just a minor bug fix and not a real security fix. I think that if you are not affected (like running on a server with no other local users) then you are not required to upgrade and can skip this one.

This is mainly to fix the 0777 base_dir creation issue, which could be considered a security hole, exploitable by local users. An attacker could for example replace Dovecot’s auth socket and log in as other users. Gaining root privileges isn’t possible though.

This affects only v1.2 users; v1.1 and older versions were creating the directory with 0755 permission.

If your Dovecot’s base_dir isn’t in /var/run/dovecot/, you should also make sure that the $prefix/var/ and $prefix/var/run/ (i.e. /usr/local/var/, /usr/local/var/run/ by default) aren’t 0777.
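
The parent-directory check described above, as an added example (not from the original post or the Dovecot project): a POSIX shell function that walks from base_dir up to / and reports every directory that is world-writable without the sticky bit, which covers the 0777 case and generalizes slightly beyond it. The function names are hypothetical, and the suggested 0755 is the mode the post says older versions used.

```shell
#!/bin/sh
# Added example: audit Dovecot's base_dir and each parent directory for
# world-writable permissions (such as the 0777 created by the v1.2.x bug).

# Print the directory if "other" has write access and the sticky bit is not
# set; that combination lets any local user rename or replace entries in it
# (for instance a socket). -perm works the same in GNU and BSD find.
world_writable() {
    find "$1" -prune -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Walk from base_dir up to / and list every unsafe directory on the way.
# Returns 0 if the chain is clean, 1 if something was flagged, 2 on error.
audit_base_dir() {
    # Resolve symlinks first (e.g. /var/run -> /run) so real directories
    # are tested rather than the links pointing at them.
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "cannot access $1" >&2
        return 2
    }
    status=0
    while :; do
        if [ -n "$(world_writable "$dir")" ]; then
            echo "UNSAFE: $dir is world-writable; consider: chmod 0755 $dir"
            status=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $status
}

# Run as: sh audit_base_dir.sh /var/run/dovecot
# (or the base_dir under your own $prefix, e.g. /usr/local/var/run/dovecot)
if [ "$#" -gt 0 ]; then
    audit_base_dir "$1"
fi
```

Run it as root or as any user who can traverse the path; a directory such as /tmp with mode 1777 is not reported because the sticky bit prevents users from replacing each other's entries.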

The fixes include:

  • Dovecot v1.2.x had been creating base_dir (and its parents if necessary) with 0777 permissions. The base_dir’s permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually.
  • acl: If user has rights from more than one group, merge them instead of choosing one group’s rights and ignoring others.
  • virtual: When using a lot of mailboxes, the virtual mailbox’s header could have grown over 32 kB and caused “out of memory” crashes. Also over 64 kB headers couldn’t even be updated with existing transaction log records. Added a new record type that gets used with >=64 kB headers. Older Dovecot versions don’t understand this header and will log errors if they see it.
  • FETCH BODYSTRUCTURE didn’t return RFC 2231 “key*” fields correctly

A new version of Dovecot was released a few days ago but I’ve only been able to test it in the last few days. Sorry, my day job is getting a bit hectic at the moment and is eating into my personal time.

There is mention of moving to a 2.0 version in a few weeks. I hope to have that ready and tested as soon as possible.

Here is a list of the changes:

  • Upgraded to Unicode 5.2.0
  • Added authtest utility for doing passdb and userdb lookups.
  • login: ssl_security string now also shows the used compression.
  • quota: Don’t crash with non-Maildir++ quota backend.
  • imap proxy: Fixed crashing with some specific password characters.
  • dovecot --exec-mail was broken.
  • Avoid assert-crashing when two processes try to create index at the same time.

Update: There is a small issue when compiling this version on Leopard. It has to do with the fact that Leopard is using an older version (0.7.8) of OpenSSL than Snow Leopard (using 0.9.8).

The error will show itself during the make phase of the build. You would see errors like:

Undefined symbols:
"_SSL_get_current_compression", referenced from:
_ssl_proxy_get_security_string in liblogin-common.a(ssl-proxy-openssl.o)
"_SSL_COMP_get_name", referenced from:
_ssl_proxy_get_security_string in liblogin-common.a(ssl-proxy-openssl.o)
ld: symbol(s) not found

You can solve it by downloading and applying this fix. Execute the following commands from the 1.2.6 source directory:

curl "http://hg.dovecot.org/dovecot-1.2/raw-file/4add5c3f13ea/configure.in" \
-o ./configure.in
 
curl "http://hg.dovecot.org/dovecot-1.2/raw-file/4add5c3f13ea/src/login-common/ssl-proxy-openssl.c" \
-o ./src/login-common/ssl-proxy-openssl.c

Then run the normal ./configure and make statements from the regular install instructions.


A new version of Dovecot was released a few days ago but I’ve only been able to test it today, sorry, busy week.

The bugfixes include:

  • Authentication: DIGEST-MD5 and RPA mechanisms no longer require user’s login realm to be listed in auth_realms. It only made configuration more difficult without really providing extra security.
  • zlib plugin: Don’t allow clients to save compressed data directly. This prevents users from exploiting (most of the) potential security holes in zlib/bzlib.
  • Added pop3_save_uidl setting.
  • dict quota: When updating quota and user isn’t already in dict, recalculate and save the quota.
  • file_set_size() was broken with OSes that didn’t support posix_fallocate() (almost everyone except Linux), causing all kinds of index file errors.
  • v1.2.4 index file handling could have caused an assert-crash
  • IMAP: Fixes to QRESYNC extension.
  • virtual plugin: Crashfix
  • deliver: Don’t send rejects to any messages that have Auto-Submitted header. This avoids email loops.
  • Maildir: Performance fixes, especially with maildir_very_dirty_syncs.
  • Maildir++ quota: Limits weren’t read early enough from maildirsize file (when quota limits not enforced by Dovecot)
  • Message decoding fixes (mainly for IMAP SEARCH, Sieve).

All right, a bit later than I had anticipated and planned. But that’s what you get if Apple starts releasing stuff earlier than expected. It screws with your planning. But the instructions for installing the basic mailserver in 64 bits are finished and tested on my MacBook Pro. This new machine is a godsend and worth every penny up to now.

Please note that these are my initial instructions using an upgraded machine. Next up I need to test the instructions on a clean install of Snow Leopard. When that’s done I will upgrade my Core Duo mini to Snow Leopard and see how the 32 bits version will work out.

Happy reading: The mailserver on Snow Leopard

Good luck and can you please let me know if it worked for you?


There is already a new version of the Dovecot IMAP and POP3 server released. It’s a bug fix release for issues that were discovered since the last release a short time ago. I’ve updated all my test servers without any issue. Here is a list of issues fixed:

  • acl: When looking up ACL defaults, use global/local default files if they exist. So it’s now possible to set default ACLs by creating dovecot-acl file to the mail root directory.
  • imap/pop3 proxy: If proxy destination is known to be down, fail connections to it immediately.
  • imap/pop3 proxy: Added proxy_timeout passdb extra field to specify proxy’s connect timeout.
  • Fixed a crash in index file handling.
  • Fixed a crash in saving messages where message contained a CR character that wasn’t followed by LF (and the CR happened to be the last character in an internal buffer).
  • v1.2.3 crashed when listing shared namespace prefix.
  • listescape plugin: Several fixes.
  • autocreate plugin: Fixed autosubscribing to mailboxes in subscriptions=no namespaces.

There is a new version of the Dovecot IMAP and POP3 server released. It’s a bug fix release for issues that were discovered since the last release. I’ve updated all my test servers without any issue. Here is a list of issues fixed:

  • Mailbox names with control characters can’t be created anymore. Existing mailboxes can still be accessed though.
  • Allow namespace prefix to be opened as mailbox, if a mailbox already exists in the root dir.
  • Maildir: dovecot-uidlist was being recreated every time a mailbox was accessed, even if nothing changed.
  • listescape plugin was somewhat broken
  • Compiling fixes for non-Linux/BSDs
  • imap: tb-extra-mailbox-sep workaround was broken.
  • ldap: Fixed hang when >128 requests were sent at once.
  • fts_squat: Fixed crashing when searching virtual mailbox.
  • imap: Fixed THREAD .. INTHREAD crashing.

There is a new version of the Dovecot IMAP and POP3 server released. It’s mainly meant as a bug fix release for issues that were discovered by a multitude of users who upgraded to 1.2.1. I’ve updated all my test servers without any significant issues. Here is a list of issues fixed:

  • GSSAPI: More changes to authentication. Hopefully good now.
  • lazy_expunge plugin: Drop \Deleted flag when moving message.
  • dovecot -n/-a now outputs also lda settings.
  • dovecot.conf !include now supports globs (e.g. !include /etc/dovecot/*.conf). Based on patch by Thomas Guthmann.
  • acl: Support spaces in user/group identifiers.
  • shared mailboxes: If only %%n is specified in prefix, default to current user’s domain.
  • Dovecot master process could hang if it received signals too rapidly.
  • Fixed “corrupted index cache file” errors (and perhaps others) caused by e.g. IMAP’s FETCH BODY[] command.
  • IMAP: When QRESYNC is enabled, don’t crash when a new mail is received while IDLEing.
  • IMAP: FETCH X-* parameters weren’t working.
  • Maildir++ quota: Quota was sometimes updated wrong when it was being recalculated.
  • Searching quoted-printable message body internally converted “_” characters to spaces and didn’t match search keys with “_”.
  • Messages in year’s first/last day may have had broken timezones with OSes not having struct tm->tm_gmtoff (e.g. Solaris).
  • virtual plugin: If another session adds a new mailbox to index, don’t crash.
