Dovecot

Last week I spent quite a lot of time playing with Dovecot 2.0.0 and 2.0.1 and I think I’ve finally nailed it. The whole configuration was turned upside down and I had to find out how everything worked again. Compiling stayed mostly the same; I only needed to change one option. But I’ve done it and I now have two test servers running 2.0.1 in a fully functioning setup as described earlier. Currently the documentation is only available for Snow Leopard, but if anyone needs to run this on Leopard I’m willing to spend some time on it to find out how to do it.

Here is the new documentation:

If you want to upgrade from 1.2.x I would suggest just to compile and install 2.x, redo the configuration from scratch and restart Dovecot.


A new version of the 1.2.x branch has been released; even now that Dovecot 2.x has been released there are still improvements to the 1.2.x branch. I’m working on the upgrade to 2.0, which is proving a challenge as the configuration is completely changed.

I’ve installed 1.2.14 on my production and a test machine still running 1.2.x and didn’t find any issues with it. The improvements are:

  • virtual mailboxes: Added support for IDLE notifications.
  • master: Don’t crash on config reload when using dict processes.
  • IMAP: QRESYNC parameters for SELECT weren’t handled correctly.

As I said, currently working on the upgrade to Dovecot 2.0, hope to have it done before the next weekend.


Again a new version of Dovecot is released. As far as I can tell it’s just a bug fix release (mostly concerning ACLs) and not a security fix. I think that if you are not affected then you are not required to upgrade and can skip this one. But sometimes it’s better to be safe than sorry.

Now I’ve got my production server running Dovecot (finally) and can tell you that it really rocks and I performed the upgrade without any problem. Just configure, compile and install as per instructions and then kill the current running dovecot process. The new version should start automatically.

Just a small remark: I just saw in my WordPress dashboard, before posting this, that I’ve passed 200 blog posts on this blog. That is excluding the 134 pages (the actual documentation) and the 920 comments (which I tend to prune every now and then to keep them relevant).


Had some time to spare today, so a bit quicker than anticipated here is step 2 in the migration from Courier to Dovecot. In this step we move away from Courier-Auth to the Dovecot built-in authentication module for the Postfix SASL SMTP authentication.

Read on for more information on step 2 for the migration.


Finally I’ve started the official migration of my production server from the Courier programs to Dovecot. I’ve done it several times on a test server but that is nothing compared to doing it for real on a server where there are a lot more emails and users working on it.

I already ran into some problems that I haven’t seen in any of my test runs, which shows that it was good to do this upgrade myself for real before posting the full writeup. I’m posting the migration in several independent steps which you can do at your own leisure and speed. After each step you will have a fully functioning mailserver where only a small part of the setup has been changed. In this manner everything should be manageable and hopefully will not pose too many issues.

In the first step we are going to replace the Courier IMAP server with the Dovecot IMAP server. The instructions will work for Leopard and Snow Leopard. The next step will be about replacing Courier Auth with the Dovecot Auth module.

But no time to waste, read the first step in migrating from Courier to Dovecot.


A new version of Dovecot has been released. As far as I can tell it’s just a bug fix release and not a security fix. I think that if you are not affected then you are not required to upgrade and can skip this one. But sometimes it’s better to be safe than sorry.

  • deliver: Don’t crash when a message with Auto-submitted: header gets rejected.
  • lib-storage: Fixed header searches to work correctly when there are multiple headers with same name.
  • dict client: Disconnect from dict server after 1 second of idling.
  • dict: If process crashed, it wasn’t automatically restarted
  • dict file: If dict file’s group permissions equal world permissions, don’t try to change its gid.
  • maildir: Fixed a memory leak when copying with hardlinks.
  • maildir: Expunging last messages may have assert-crashed if their filenames had just changed.

Timo released another bugfix to Dovecot, mbox users really should upgrade, because by sending a message with a huge header you could basically cause a DoS (this problem exists only with v1.2.x, not with v1.0 or v1.1). Our default setting is maildirs instead of mbox, so you should be safe.

  • mbox: Message header reading was unnecessarily slow. Fetching a huge header could have resulted in Dovecot eating a lot of CPU. Also searching messages was much slower than necessary.
  • mbox, dbox, cydir: Mail root directory was created with 0770 permissions, instead of 0700.
  • maildir: Reading uidlist could have ended up in an infinite loop.
  • IMAP IDLE: v1.2.7+ caused extra load by checking changes every 0.5 seconds after a change had occurred in mailbox

Timo released another bugfix to Dovecot, some minor fixes are included. If you don’t have any problem you don’t need to upgrade if you don’t want to. Bugs fixed in this issue are:

  • %variables now support %{host}, %{pid} and %{env:ENVIRONMENT_NAME} everywhere.
  • LIST-STATUS capability is now advertised
  • maildir: Fixed several assert-crashes.
  • imap: LIST "" inbox shouldn’t crash when using namespace with "INBOX." prefix.
  • lazy_expunge now ignores non-private namespaces.

Timo released another bugfix to Dovecot, he hopes it will last for the next few months. I guess he needs more time for the 2.x release which is coming along nicely. Bugs fixed in this issue are:

  • maildir: When saving, filenames now always contain ,S=. Previously this was done only when quota plugin was loaded. It’s required for zlib plugin and may be useful for other things too.
  • lazy-expunge: Support a single-namespace configuration. If a mailbox is deleted, its messages are merged with its old expunged messages (if there were any).
  • expire: Settings now support spaces in mailbox names by using quoted strings.
  • maildir: v1.2.7 and v1.2.8 caused assert-crashes in maildir_uidlist_records_drop_expunges()
  • maildir_copy_preserve_filename=yes could have caused crashes.
  • Maildir++ quota: % limits weren’t updated when limits were read from maildirsize.
  • virtual: v1.2.8 didn’t fully fix the “lots of mailboxes” bug
  • virtual: Fixed updating virtual mailbox based on flag changes.
  • fts-squat: Fixed searching multi-byte characters.

A new version of Dovecot has been released. It’s just a minor bug fix and not a real security fix. I think that if you are not affected (like running on a server with no other local users) then you are not required to upgrade and can skip this one.

This is mainly to fix the 0777 base_dir creation issue, which could be considered a security hole, exploitable by local users. An attacker could for example replace Dovecot’s auth socket and log in as other users. Gaining root privileges isn’t possible though.

This affects only v1.2 users, v1.1 and older versions were creating the directory with 0755 permission.

If your Dovecot’s base_dir isn’t in /var/run/dovecot/, you should also make sure that the $prefix/var/ and $prefix/var/run/ (i.e. /usr/local/var/, /usr/local/var/run/ by default) aren’t 0777.

The fixes include:

  • Dovecot v1.2.x had been creating base_dir (and its parents if necessary) with 0777 permissions. The base_dir’s permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually.
  • acl: If user has rights from more than one group, merge them instead of choosing one group’s rights and ignoring others.
  • virtual: When using a lot of mailboxes, the virtual mailbox’s header could have grown over 32 kB and caused “out of memory” crashes. Also over 64 kB headers couldn’t even be updated with existing transaction log records. Added a new record type that gets used with >=64 kB headers. Older Dovecot versions don’t understand this header and will log errors if they see it.
  • FETCH BODYSTRUCTURE didn’t return RFC 2231 “key*” fields correctly
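
To check the parent directories mentioned above, this added example (not part of the original post or of Dovecot) walks from a base_dir up to the filesystem root and lists every directory that other users can write to. The function name `world_writable_chain` is made up for this sketch, and sticky directories such as /tmp (mode ending in `t`) are reported as well.

```shell
#!/bin/sh
# world_writable_chain BASE_DIR [STOP_DIR]   (hypothetical helper name)
# Walks from BASE_DIR up to STOP_DIR (default /) and prints "PERMS PATH" for
# every directory on the way whose "other" write bit is set (0777, 1777, ...).
world_writable_chain() {
    # Resolve symlinks first so the real directories are inspected.
    if ! wwc_dir=$(cd "$1" 2>/dev/null && pwd -P); then
        echo "not a directory: $1" >&2
        return 2
    fi
    wwc_stop=$(cd "${2:-/}" 2>/dev/null && pwd -P) || wwc_stop=/
    while :; do
        # ls -ld is POSIX; characters 8-10 of the mode string are the "other" bits.
        wwc_perms=$(ls -ld "$wwc_dir" | cut -c1-10)
        case $wwc_perms in
            d???????w?) printf '%s %s\n' "$wwc_perms" "$wwc_dir" ;;
        esac
        if [ "$wwc_dir" = "$wwc_stop" ] || [ "$wwc_dir" = "/" ]; then
            break
        fi
        wwc_dir=$(dirname "$wwc_dir")
    done
    return 0
}

# Example: sh check.sh /usr/local/var/run/dovecot
if [ $# -gt 0 ]; then
    world_writable_chain "$@"
fi
```

Any directory it prints that is not meant to be shared can be tightened with `chmod 0755`, as the fix list describes for the parent directories.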
