Re: mbox 2 Maildir

2019-02-05 Thread Tamas Hegedus

Hi,

I am experimenting with the migration.
I unset mail_location, thus it is empty and dovecot performs automatic 
mailbox detection. Therefore I do not need per-user set of mail 
location. I login as a testuser and do:

doveadm sync maildir:~/Maildir

It seems for me that in this situation the new Maildir becomes the 
active mail delivery location at the time of the creation(?) or 
completing the sync(?).


So if I want to rerun to avoid losing new messages:
doveadm sync maildir:~/Maildir
I got an error that I can not sync to itself.

I guess this would not be a problem and would be rather simple. However, 
if I issue a reverse sync to be sure not losing new messages:

doveadm sync -R mail/
doveadm(hegedus): Fatal: execvp(mail/) failed: Permission denied
dsync-local(hegedus): Error: read(remote) failed: EOF (version not received)

(I tried to set a+x on my old mbox 'mail' directory and its contents)

I would appreciate any suggestion.
Thanks,
Tamas

On 01/30/2019 03:32 PM, Christian Schmidt wrote:

Hi,

Tamas Hegedus, 29.01.19:

* Configuration uses mail_location = mbox:~/mails
* setup per-user mail location and do for each user individually in a 
serial manner:
-- doveadm sync maildir:~/Maildir; mbox is synced to Maildir, long 
running time

-- doveadm sync maildir:~/Maildir; rerun to do it for new messages (fast)
-- add USER to userdb and set extra field to maildir:~/Maildir
users not present in the userdb should default to dovecot default; 
conditionally optional: doveadm auth cache flush


IMHO there is no need to create or change special userdb entries. See 
https://wiki.dovecot.org/MailLocation:
"By default the mail_location setting is empty, which means that Dovecot 
attempts to locate automatically where your mails are."


Regards,
Christian




--
Tamas Hegedus, PhD
Senior Research Fellow
Department of Biophysics and Radiation Biology
Semmelweis University | phone: (36) 1-459 1500/60233
Tuzolto utca 37-47| mailto:ta...@hegelab.org
Budapest, 1094, Hungary   | http://www.hegelab.org


Dovecot v2.2.36.1 released

2019-02-05 Thread Aki Tuomi
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

    * CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.

    - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
    - director: Kicking a user assert-crashes if login process is very slow
    - lda/lmtp: Fix assert-crash with some Sieve scripts when
      mail_attachment_detection_options=add-flags-on-save
    - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
    - Snippet generation crashed with invalid Content-Type:multipart


---

Aki Tuomi
Open-Xchange Oy






Dovecot 2.3.4.1 released

2019-02-05 Thread Aki Tuomi
https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig

Binary packages in https://repo.dovecot.org/

    * CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.


---

Aki Tuomi
Open-Xchange oy





CVE-2019-3814: Suitable client certificate can be used to login as other user

2019-02-05 Thread Aki Tuomi
Dear subscribers,

we're sharing our latest advisory with you and would like to thank
everyone who contributed in finding and solving those vulnerabilities.
Feel free to join our bug bounty programs (open-xchange, dovecot,
powerdns) at HackerOne. Please find patches for v2.2.36 and v2.3.4 attached,
or download new version from https://dovecot.org

Yours sincerely,
Aki Tuomi
Open-Xchange Oy


Product: Dovecot
Vendor: Open-Xchange Oy
Internal reference: DOV-2890 (Bug ID)
Vulnerability type: Improper Authentication - Generic (CWE287)
Vulnerable versions: 1.1.0 - 2.2.36 and 2.3.0 - 2.3.4
Vulnerable component: authentication
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed versions: 2.2.36.1, 2.3.4.1
Vendor notification: 2019-01-16
Solution date: 2019-01-20
Public disclosure: 2019-02-05
Researcher Credits: https://hackerone.com/halfdog
CVE reference: CVE-2019-3814
CVSS: 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:
Normally Dovecot is configured to authenticate
imap/pop3/managesieve/submission clients using regular username/password
combination. Some installations have also required clients to present a
trusted SSL certificate on top of that. It's also possible to configure
Dovecot to take the username from the certificate instead of from the
user provided authentication. It's also possible to avoid having a
password at all, only trusting the SSL certificate.

If the provided trusted SSL certificate is missing the username field,
Dovecot should be failing the authentication. However, the earlier
versions will take the username from the user provided authentication
fields (e.g. LOGIN command). If there is no additional password
verification, this allows the attacker to login as anyone else in the
system.

This affects only installations using:

auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes

Attacker must also have access to a valid trusted certificate without
the ssl_cert_username_field in it. The default is commonName, which
almost certainly exists in all certificates. This could happen for
example if ssl_cert_username_field is a field that normally doesn't
exist, and attacker has access to a web server's certificate (and key),
which is signed with the same CA.

Attack can be mitigated by having the certificates with proper Extended
Key Usage, such as 'TLS Web Server' and 'TLS Web Server Client'.

Also, ssl_cert_username_field setting was ignored with external SMTP
AUTH, because none of the MTAs (Postfix, Exim) currently send the
cert_username field. This may have allowed users with trusted
certificate to specify any username in the authentication. This does not
apply to Dovecot Submission service.

Proof of concept

Create a CA certificate for signing, and sign a certificate with missing
commonName attribute.

With following configuration

passdb {
    driver = static
    arguments = nopassword
}

ssl_ca =

cve-2019-3814-dovecot-2.2.tgz
Description: application/compressed-tar


cve-2019-3814-dovecot-2.3.tgz
Description: application/compressed-tar
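
The exposure conditions listed in the CVE-2019-3814 advisory above, written as a configuration audit. This is an added example, not part of the original posts or of Dovecot's code; the sample `doveconf -n` text, its version banner format, the `x500UniqueIdentifier` value and all function names are assumptions made for illustration.

```python
import re

# Affected ranges as stated in the advisory; 2.2.36.1 and 2.3.4.1 are the fixes.
VULNERABLE_RANGES = [((1, 1, 0), (2, 2, 36)), ((2, 3, 0), (2, 3, 4))]

# Constructed sample in the style of `doveconf -n` output. Assumption: the first
# comment line carries the running version. Not taken from the advisory.
SAMPLE_CONF = """\
# 2.2.36 (0000000): /etc/dovecot/dovecot.conf
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
ssl_cert_username_field = x500UniqueIdentifier
passdb {
  args = nopassword
  driver = static
}
service imap-login {
  inet_listener imaps {
    port = 993
  }
}
"""


def parse_version(text):
    """Turn '2.2.36.1' into (2, 2, 36, 1) so releases compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_version(version):
    # (2, 2, 36, 1) sorts after (2, 2, 36), so the fixed point releases
    # fall outside both ranges.
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)


def parse_doveconf(text):
    """Return (version, top-level settings, list of passdb blocks)."""
    version, settings, passdbs, stack = None, {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        banner = re.match(r"#\s*(\d+(?:\.\d+)+)", line)
        if banner and version is None:
            version = parse_version(banner.group(1))
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if stack == ["passdb"]:
                passdbs.append({})
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if not stack:
                settings[key] = value
            elif stack == ["passdb"]:
                passdbs[-1][key] = value
    return version, settings, passdbs


def assess(conf_text):
    """Check the advisory's conditions against one configuration dump."""
    version, settings, passdbs = parse_doveconf(conf_text)
    # `doveconf -n` lists only non-default settings, so absent means "no".
    require = settings.get("auth_ssl_require_client_cert", "no") == "yes"
    from_cert = settings.get("auth_ssl_username_from_cert", "no") == "yes"
    # The advisory states that commonName is the default username field.
    field = settings.get("ssl_cert_username_field", "commonName")
    # Accept both `args` and the `arguments` spelling used in the advisory.
    no_password = any(
        token.split("=")[0] == "nopassword"
        for block in passdbs
        for token in block.get("args", block.get("arguments", "")).split()
    )
    # An unreadable version is treated as vulnerable (conservative choice).
    vulnerable = version is None or is_vulnerable_version(version)
    affected = vulnerable and require and from_cert
    return {
        "version": version,
        "affected": affected,
        # No password check behind the certificate: the advisory's worst case.
        "impersonation_without_password": affected and no_password,
        "username_field": field,
        "nonstandard_username_field": field != "commonName",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run `assess()` on the `doveconf -n` output of each host; a host that reports `affected` needs 2.2.36.1 or 2.3.4.1, and `nonstandard_username_field` marks setups where issued certificates may lack the configured field.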




Re: Dovecot v2.2.36.1 released

2019-02-05 Thread Eric Broch

Aki,

What's the difference between 2.2.x and 2.3.x version of Dovecot? And 
why do you maintain both?


I stopped building RPM's of the 2.2.x version and now only build 2.3.x. 
Should I be maintaining both?


Eric

On 2/5/2019 6:01 AM, Aki Tuomi wrote:

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

     * CVE-2019-3814: If imap/pop3/managesieve/submission client has
       trusted certificate with missing username field
       (ssl_cert_username_field), under some configurations Dovecot
       mistakenly trusts the username provided via authentication instead
       of failing.
     * ssl_cert_username_field setting was ignored with external SMTP AUTH,
       because none of the MTAs (Postfix, Exim) currently send the
       cert_username field. This may have allowed users with trusted
       certificate to specify any username in the authentication. This bug
       didn't affect Dovecot's Submission service.

     - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
     - director: Kicking a user assert-crashes if login process is very slow
     - lda/lmtp: Fix assert-crash with some Sieve scripts when
       mail_attachment_detection_options=add-flags-on-save
     - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
     - Snippet generation crashed with invalid Content-Type:multipart


---

Aki Tuomi
Open-Xchange Oy



--
Eric Broch
White Horse Technical Consulting (WHTC)



problem using different dovecot versions

2019-02-05 Thread Gonzalo Palacios Goicolea


Hi All,

I'm new to the list and maybe it's a known issue. I have a set of 
servers with RHEL6 and dovecot-2.2.10-1_14.el6.x86_64 and another set of 
servers with RHEL7 and, now, with dovecot-2.2.36-3.el7.x86_64. Both sets 
write to the same NFS.
Since I updated RHEL7 servers (from 2.2.10-8.el7.x86_64) I have problems 
with index files when a RHEL7 dovecot service writes to the filesystem of 
a user (the first log line corresponds to RHEL7 and the others to RHEL6):


Feb  5 09:33:05 listas3 dovecot: lda(user@domain): sieve: 
msgid=<007b...@uam.es>: stored mail into mailbox 'INBOX'
Feb  5 09:33:25 buzon1 dovecot: imap(user@domain): Error: Corrupted 
transaction log file /.../Maildir/dovecot.index.log seq 1610: Invalid 
transaction log size (28408 vs 28528): /.../Maildir/dovecot.index.log 
(sync_offset=28408)
Feb  5 09:33:25 buzon1 dovecot: imap(user@domain): Panic: file 
mail-index-sync-keywords.c: line 227 (keywords_update_records): 
assertion failed: (data_offset >= sizeof(struct mail_index_record))
Feb  5 09:33:25 buzon1 dovecot: imap(user@domain): Error: Raw backtrace: 
/usr/lib64/dovecot/libdovecot.so.0() [0x3713268b8a] -> 
/usr/lib64/dovecot/libdovecot.so.0() [0x3713268bf6] -> 
/usr/lib64/dovecot/libdovecot.so.0() [0x37132224aa] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_sync_keywords+0x7fd) 
[0x3713aca43d] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_sync_record+0xec) 
[0x3713acacac] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_sync_map+0x234) 
[0x3713acbae4] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_map+0x83) 
[0x3713abcce3] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_refresh+0xe) 
[0x3713ab793e] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(maildir_sync_header_refresh+0x10) 
[0x3713a4e1e0] -> /usr/lib64/dovecot/libdovecot-storage.so.0() 
[0x3713a4e330] -> /usr/lib64/dovecot/libdovecot-storage.so.0() 
[0x3713a4f3d4] -> /usr/lib64/dovecot/libdovecot-storage.so.0() 
[0x3713a4f7b3] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(maildir_storage_sync_init+0xd9) 
[0x3713a4fa59] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x31) 
[0x3713a7d731] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync+0x27) 
[0x3713a7e7b7] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(index_storage_get_status+0x62) 
[0x3713aa8fc2] -> /usr/lib64/dovecot/lib10_quota_plugin.so(+0xc3ec) 
[0x7fd272dfe3ec] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_get_status+0x5c) 
[0x3713a7f4fc] -> dovecot/imap(imap_status_get+0x7a) [0x41dbea] -> 
dovecot/imap(cmd_status+0x179) [0x413059] -> 
dovecot/imap(command_exec+0x3d) [0x4170bd] -> dovecot/imap() [0x416180] 
-> dovecot/imap() [0x41627a] -> dovecot/imap(client_handle_input+0x11d) 
[0x4164ed] -> dovecot/imap(client_input+0x6f) [0x41685f] -> 
/usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x36) [0x3713278a56] 
-> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0xa7) 
[0x3713279b27] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) 
[0x37132789c8]
Feb  5 09:33:25 buzon1 dovecot: imap(user@domain): Fatal: master: 
service(imap): child 2057 killed with signal 6 (core dumped)
Feb  5 09:33:25 buzon4 dovecot: imap-login: Login: user=, 
method=PLAIN, rip=192.168.x.x, lip=150.x.x.x, mpid=3459, 
session=
Feb  5 09:33:30 buzon4 dovecot: imap(user@domain): Panic: file 
mail-index-sync-keywords.c: line 227 (keywords_update_records): 
assertion failed: (data_offset >= sizeof(struct mail_index_record))
Feb  5 09:33:30 buzon4 dovecot: imap(user@domain): Error: Raw backtrace: 
/usr/lib64/dovecot/libdovecot.so.0() [0x3a88668b8a] -> 
/usr/lib64/dovecot/libdovecot.so.0() [0x3a88668bf6] -> 
/usr/lib64/dovecot/libdovecot.so.0() [0x3a886224aa] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_sync_keywords+0x7fd) 
[0x3a88eca43d] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_sync_record+0xec) 
[0x3a88ecacac] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_sync_map+0x234) 
[0x3a88ecbae4] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_map+0x83) 
[0x3a88ebcce3] -> /usr/lib64/dovecot/libdovecot-storage.so.0() 
[0x3a88eb797c] -> /usr/lib64/dovecot/libdovecot-storage.so.0() 
[0x3a88eb7d58] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_index_open+0xf0) 
[0x3a88eb7ec0] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(index_storage_mailbox_open+0xad) 
[0x3a88eab2bd] -> /usr/lib64/dovecot/libdovecot-storage.so.0() 
[0x3a88e4d71a] -> /usr/lib64/dovecot/libdovecot-storage.so.0() 
[0x3a88e4d7ef] -> /usr/lib64/dovecot/libdovecot-storage.so.0() 
[0x3a88e7f694] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_open+0xf) 
[0x3a88e7f84f] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(index_storage_get_status+0x4a) 
[0x3a88ea8faa] -> /usr/lib64/dovecot/lib10_quota_plugin.so(+0xc3ec) 
[0x7fbd599263ec] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_get_status+0x5c) 
[0x3a88e7f4fc] -> dovecot/imap(imap_status_get+0x7a) [0x41dbea] -> 
dovecot/imap(cmd_s

Re: Dovecot v2.2.36.1 released

2019-02-05 Thread Aki Tuomi


 
 
  
Hi,

as per our EOL statement 2.2.36 receives security and critical updates. That said, we decided to flush few annoying bugs with .1 release.

You do not need to build releases for 2.2.

Aki

On 05 February 2019 at 17:36 Eric Broch <ebr...@whitehorsetc.com> wrote:

Aki,

What's the difference between 2.2.x and 2.3.x version of Dovecot? And
why do you maintain both?

I stopped building RPM's of the 2.2.x version and now only build 2.3.x.
Should I be maintaining both?

Eric

On 2/5/2019 6:01 AM, Aki Tuomi wrote:

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

     * CVE-2019-3814: If imap/pop3/managesieve/submission client has
       trusted certificate with missing username field
       (ssl_cert_username_field), under some configurations Dovecot
       mistakenly trusts the username provided via authentication instead
       of failing.
     * ssl_cert_username_field setting was ignored with external SMTP AUTH,
       because none of the MTAs (Postfix, Exim) currently send the
       cert_username field. This may have allowed users with trusted
       certificate to specify any username in the authentication. This bug
       didn't affect Dovecot's Submission service.

     - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
     - director: Kicking a user assert-crashes if login process is very slow
     - lda/lmtp: Fix assert-crash with some Sieve scripts when
       mail_attachment_detection_options=add-flags-on-save
     - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
     - Snippet generation crashed with invalid Content-Type:multipart

---
Aki Tuomi
Open-Xchange Oy

--
Eric Broch
White Horse Technical Consulting (WHTC)

---
Aki Tuomi
   
 



Re: Dovecot v2.2.36.1 released

2019-02-05 Thread Michael Slusarz
> On February 5, 2019 at 8:36 AM Eric Broch  wrote:
> 
> What's the difference between 2.2.x and 2.3.x version of Dovecot? And 
> why do you maintain both?

https://dovecot.org/pipermail/dovecot-news/2018-August/000386.html

michael


Re: Dovecot v2.2.36.1 released

2019-02-05 Thread Gerald Galster
Hello Aki,

> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
> 
> - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT

is this in any way related to the problem that has first been reported in march 
last year:

"Duplicate mails on pop3 expunge with dsync replication on 2.2.35 (2.2.33.2 
works)"

Thanks
Gerald

Re: Dovecot v2.2.36.1 released

2019-02-05 Thread Eric Broch

Thank you!

On 2/5/2019 8:43 AM, Aki Tuomi wrote:

Hi,

as per our EOL statement 2.2.36 receives security and critical 
updates. That said, we decided to flush few annoying bugs with .1 
release.


You do not need to build releases for 2.2.

Aki
On 05 February 2019 at 17:36 Eric Broch < ebr...@whitehorsetc.com 
> wrote:



Aki,

What's the difference between 2.2.x and 2.3.x version of Dovecot? And
why do you maintain both?

I stopped building RPM's of the 2.2.x version and now only build 2.3.x.
Should I be maintaining both?

Eric

On 2/5/2019 6:01 AM, Aki Tuomi wrote:

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
    * CVE-2019-3814: If imap/pop3/managesieve/submission client has
      trusted certificate with missing username field
      (ssl_cert_username_field), under some configurations Dovecot
      mistakenly trusts the username provided via authentication instead
      of failing.
    * ssl_cert_username_field setting was ignored with external SMTP AUTH,
      because none of the MTAs (Postfix, Exim) currently send the
      cert_username field. This may have allowed users with trusted
      certificate to specify any username in the authentication. This bug
      didn't affect Dovecot's Submission service.

    - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
    - director: Kicking a user assert-crashes if login process is very slow
    - lda/lmtp: Fix assert-crash with some Sieve scripts when
      mail_attachment_detection_options=add-flags-on-save
    - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
    - Snippet generation crashed with invalid Content-Type:multipart

---
Aki Tuomi
Open-Xchange Oy

--
Eric Broch
White Horse Technical Consulting (WHTC)


---
Aki Tuomi


--
Eric Broch
White Horse Technical Consulting (WHTC)



Re: Dovecot v2.2.36.1 released

2019-02-05 Thread Larry Rosenman
for some reason Aki's posts are not making it to my GMail account from this
list.

Any idea why?

On Tue, Feb 5, 2019 at 10:04 AM Eric Broch  wrote:

> Thank you!
> On 2/5/2019 8:43 AM, Aki Tuomi wrote:
>
> Hi,
>
> as per our EOL statement 2.2.36 receives security and critical updates.
> That said, we decided to flush few annoying bugs with .1 release.
>
> You do not need to build releases for 2.2.
>
> Aki
>
> On 05 February 2019 at 17:36 Eric Broch < ebr...@whitehorsetc.com> wrote:
>
>
> Aki,
>
> What's the difference between 2.2.x and 2.3.x version of Dovecot? And
> why do you maintain both?
>
> I stopped building RPM's of the 2.2.x version and now only build 2.3.x.
> Should I be maintaining both?
>
> Eric
>
> On 2/5/2019 6:01 AM, Aki Tuomi wrote:
>
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>
> * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>   trusted certificate with missing username field
>   (ssl_cert_username_field), under some configurations Dovecot
>   mistakenly trusts the username provided via authentication instead
>   of failing.
> * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>   because none of the MTAs (Postfix, Exim) currently send the
>   cert_username field. This may have allowed users with trusted
>   certificate to specify any username in the authentication. This bug
>   didn't affect Dovecot's Submission service.
>
> - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
> - director: Kicking a user assert-crashes if login process is very
> slow
> - lda/lmtp: Fix assert-crash with some Sieve scripts when
>   mail_attachment_detection_options=add-flags-on-save
> - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
> - Snippet generation crashed with invalid Content-Type:multipart
>
> >
>
> ---
>
> Aki Tuomi
> Open-Xchange Oy
>
> >
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)
>
>
> ---
> Aki Tuomi
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)
>
>

-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: Dovecot v2.2.36.1 released

2019-02-05 Thread bOnK

On 5-2-2019 17:06, Larry Rosenman wrote:
for some reason Aki's posts are not making it to my GMail account from 
this list.


Any idea why?


Authentication-Results: cloud.webmeneer.net; dmarc=fail (p=reject dis=none) 
header.from=open-xchange.com



Re: Dovecot v2.2.36.1 released

2019-02-05 Thread Timo Sirainen
On 5 Feb 2019, at 7.48, Gerald Galster  wrote:
> 
> Hello Aki,
> 
>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>> 
>>- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
> 
> is this in any way related to the problem that has first been reported in 
> march last year:
> 
> "Duplicate mails on pop3 expunge with dsync replication on 2.2.35 (2.2.33.2 
> works)"

Unlikely.



Re: mbox 2 Maildir

2019-02-05 Thread Tamas Hegedus

Sorry. I had wrong syntax. Missing "mbox:"
It is OK with this:
doveadm sync -RD mbox:~/mail/

On 02/05/2019 10:48 AM, Tamas Hegedus wrote:

Hi,

I am experimenting with the migration.
I unset mail_location, thus it is empty and dovecot performs automatic 
mailbox detection. Therefore I do not need per-user set of mail 
location. I login as a testuser and do:

doveadm sync maildir:~/Maildir

It seems for me that in this situation the new Maildir becomes the 
active mail delivery location at the time of the creation(?) or 
completing the sync(?).


So if I want to rerun to avoid losing new messages:
doveadm sync maildir:~/Maildir
I got an error that I can not sync to itself.

I guess this would not be a problem and would be rather simple. However, 
if I issue a reverse sync to be sure not losing new messages:

doveadm sync -R mail/
doveadm(hegedus): Fatal: execvp(mail/) failed: Permission denied
dsync-local(hegedus): Error: read(remote) failed: EOF (version not 
received)


(I tried to set a+x on my old mbox 'mail' directory and its contents)

I would appreciate any suggestion.
Thanks,
Tamas

On 01/30/2019 03:32 PM, Christian Schmidt wrote:

Hi,

Tamas Hegedus, 29.01.19:

* Configuration uses mail_location = mbox:~/mails
* setup per-user mail location and do for each user individually in a 
serial manner:
-- doveadm sync maildir:~/Maildir; mbox is synced to Maildir, long 
running time
-- doveadm sync maildir:~/Maildir; rerun to do it for new messages 
(fast)

-- add USER to userdb and set extra field to maildir:~/Maildir
users not present in the userdb should default to dovecot default; 
conditionally optional: doveadm auth cache flush


IMHO there is no need to create or change special userdb entries. See 
https://wiki.dovecot.org/MailLocation:
"By default the mail_location setting is empty, which means that 
Dovecot attempts to locate automatically where your mails are."


Regards,
Christian







--
Tamas Hegedus, PhD
Senior Research Fellow
Department of Biophysics and Radiation Biology
Semmelweis University | phone: (36) 1-459 1500/60233
Tuzolto utca 37-47| mailto:ta...@hegelab.org
Budapest, 1094, Hungary   | http://www.hegelab.org


Re: Dovecot v2.2.36.1 released

2019-02-05 Thread Sami Ketola via dovecot
Hi,

It's probably because gmail. They refuse emails for random reasons occasionally.

Sami

> On 5 Feb 2019, at 17.06, Larry Rosenman  wrote:
> 
> for some reason Aki's posts are not making it to my GMail account from this 
> list.
> 
> Any idea why?
> 
> On Tue, Feb 5, 2019 at 10:04 AM Eric Broch  > wrote:
> Thank you!
> 
> On 2/5/2019 8:43 AM, Aki Tuomi wrote:
>> Hi,
>> 
>> as per our EOL statement 2.2.36 receives security and critical updates. That 
>> said, we decided to flush few annoying bugs with .1 release.
>> 
>> You do not need to build releases for 2.2.
>> 
>> Aki
>>> On 05 February 2019 at 17:36 Eric Broch < ebr...@whitehorsetc.com 
>>> > wrote:
>>> 
>>> 
>>> Aki,
>>> 
>>> What's the difference between 2.2.x and 2.3.x version of Dovecot? And
>>> why do you maintain both?
>>> 
>>> I stopped building RPM's of the 2.2.x version and now only build 2.3.x.
>>> Should I be maintaining both?
>>> 
>>> Eric
>>> 
>>> On 2/5/2019 6:01 AM, Aki Tuomi wrote:
>>>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
>>>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig
>>>>
>>>> * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>>>>   trusted certificate with missing username field
>>>>   (ssl_cert_username_field), under some configurations Dovecot
>>>>   mistakenly trusts the username provided via authentication instead
>>>>   of failing.
>>>> * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>>>>   because none of the MTAs (Postfix, Exim) currently send the
>>>>   cert_username field. This may have allowed users with trusted
>>>>   certificate to specify any username in the authentication. This bug
>>>>   didn't affect Dovecot's Submission service.
>>>>
>>>> - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
>>>> - director: Kicking a user assert-crashes if login process is very slow
>>>> - lda/lmtp: Fix assert-crash with some Sieve scripts when
>>>>   mail_attachment_detection_options=add-flags-on-save
>>>> - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
>>>> - Snippet generation crashed with invalid Content-Type:multipart
>>>>
>>>> ---
>>>> Aki Tuomi
>>>> Open-Xchange Oy
>>>
>>> --
>>> Eric Broch
>>> White Horse Technical Consulting (WHTC)
>> 
>> --- 
>> Aki Tuomi
> -- 
> Eric Broch
> White Horse Technical Consulting (WHTC)
> 
> 
> -- 
> Larry Rosenman http://www.lerctr.org/~ler 
> 
> Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com 
> 
> US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106



Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Aki Tuomi via dovecot
Due to DMARC issues some people have failed to receive the latest security 
information, so here it is repeated for both releases:

2.3.4.1

https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig

Binary packages in https://repo.dovecot.org/

* CVE-2019-3814: If imap/pop3/managesieve/submission client has
  trusted certificate with missing username field
  (ssl_cert_username_field), under some configurations Dovecot
  mistakenly trusts the username provided via authentication instead
  of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
  because none of the MTAs (Postfix, Exim) currently send the
  cert_username field. This may have allowed users with trusted
  certificate to specify any username in the authentication. This bug
  didn't affect Dovecot's Submission service.




2.2.36.1

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

* CVE-2019-3814: If imap/pop3/managesieve/submission client has
  trusted certificate with missing username field
  (ssl_cert_username_field), under some configurations Dovecot
  mistakenly trusts the username provided via authentication instead
  of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH,
  because none of the MTAs (Postfix, Exim) currently send the
  cert_username field. This may have allowed users with trusted
  certificate to specify any username in the authentication. This bug
  didn't affect Dovecot's Submission service.

- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
- director: Kicking a user assert-crashes if login process is very slow
- lda/lmtp: Fix assert-crash with some Sieve scripts when
  mail_attachment_detection_options=add-flags-on-save
- fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
- Snippet generation crashed with invalid Content-Type:multipart


Re: Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)

2019-02-05 Thread Stephan Bosch via dovecot

Hi,

Here is the associated release for Pigeonhole:

https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz
https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig
Binary packages included in https://repo.dovecot.org/

+ imapsieve: Added imapsieve_expunge_discarded setting which causes
  discarded messages to be expunged immediately.
- Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that
  modify the message, store the message a second time, rather than
  replacing the originally stored unmodified message.
- imapsieve: Fix crash when COPYing mails from a virtual mailbox when
  the source messages originate from more than a single real mailbox
- imap_filter_sieve plugin: Implement the missing UID FILTER command.
- imap_filter_sieve plugin: Fix FILTER to work with pipelining


Regards,

Stephan.

Op 5-2-2019 om 14:01 schreef Aki Tuomi:

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

     * CVE-2019-3814: If imap/pop3/managesieve/submission client has
       trusted certificate with missing username field
       (ssl_cert_username_field), under some configurations Dovecot
       mistakenly trusts the username provided via authentication instead
       of failing.
     * ssl_cert_username_field setting was ignored with external SMTP AUTH,
       because none of the MTAs (Postfix, Exim) currently send the
       cert_username field. This may have allowed users with trusted
       certificate to specify any username in the authentication. This bug
       didn't affect Dovecot's Submission service.

     - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
     - director: Kicking a user assert-crashes if login process is very slow
     - lda/lmtp: Fix assert-crash with some Sieve scripts when
       mail_attachment_detection_options=add-flags-on-save
     - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
     - Snippet generation crashed with invalid Content-Type:multipart


---

Aki Tuomi
Open-Xchange Oy






Re: Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)

2019-02-05 Thread Michael Marley via dovecot

On 2019-02-05 13:07, Stephan Bosch via dovecot wrote:

Hi,

Here is the associated release for Pigeonhole:

https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz
https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig
Binary packages included in https://repo.dovecot.org/

+ imapsieve: Added imapsieve_expunge_discarded setting which causes
  discarded messages to be expunged immediately.
- Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that
  modify the message, store the message a second time, rather than
  replacing the originally stored unmodified message.
- imapsieve: Fix crash when COPYing mails from a virtual mailbox when
  the source messages originate from more than a single real mailbox
- imap_filter_sieve plugin: Implement the missing UID FILTER command.
- imap_filter_sieve plugin: Fix FILTER to work with pipelining


Regards,

Stephan.

Op 5-2-2019 om 14:01 schreef Aki Tuomi:

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

     * CVE-2019-3814: If imap/pop3/managesieve/submission client has
       trusted certificate with missing username field
       (ssl_cert_username_field), under some configurations Dovecot
       mistakenly trusts the username provided via authentication instead
       of failing.
     * ssl_cert_username_field setting was ignored with external SMTP AUTH,
       because none of the MTAs (Postfix, Exim) currently send the
       cert_username field. This may have allowed users with trusted
       certificate to specify any username in the authentication. This bug
       didn't affect Dovecot's Submission service.

     - pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
     - director: Kicking a user assert-crashes if login process is very slow
     - lda/lmtp: Fix assert-crash with some Sieve scripts when
       mail_attachment_detection_options=add-flags-on-save
     - fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
     - Snippet generation crashed with invalid Content-Type:multipart


---

Aki Tuomi
Open-Xchange Oy


Is there going to be an equivalent 0.5.4.1 release with the same 
functionality but for Dovecot 2.3.x?


Michael


Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Odhiambo Washington via dovecot
On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot 
wrote:

> Due to DMARC issues some people have failed to receive the latest security
> information, so here it is repeated for both releases:
>
> 2.3.4.1
>
> https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
> https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
> 
> Binary packages in https://repo.dovecot.org/
>
> * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>   trusted certificate with missing username field
>   (ssl_cert_username_field), under some configurations Dovecot
>   mistakenly trusts the username provided via authentication instead
>   of failing.
> * ssl_cert_username_field setting was ignored with external SMTP AUTH,
>   because none of the MTAs (Postfix, Exim) currently send the
>   cert_username field. This may have allowed users with trusted
>   certificate to specify any username in the authentication. This bug
>   didn't affect Dovecot's Submission service.
>

FreeBSD-11.2 (amd64):

gmake[2]: Entering directory
'/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
-I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
-DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
-DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
-DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
-DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2
-fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
-Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
-Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
-Wstrict-aliasing=2 -I/usr/local/include   -MT test-event-stats.o -MD -MP
-MF .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
test-event-stats.c: In function 'kill_stats_child':
test-event-stats.c:101:2: warning: implicit declaration of function 'kill'
[-Wimplicit-function-declaration]
  (void)kill(stats_pid, SIGKILL);
  ^
test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in this
function)
  (void)kill(stats_pid, SIGKILL);
^
test-event-stats.c:101:24: note: each undeclared identifier is reported
only once for each function it appears in
gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
gmake[2]: Leaving directory
'/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
gmake[1]: *** [Makefile:565: install-recursive] Error 1
gmake[1]: Leaving directory
'/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
gmake: *** [Makefile:683: install-recursive] Error 1




FreeBSD-9.3:

gmake[3]: Entering directory
'/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
-I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
-DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
-DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
-DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
-DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2 -fstack-protector
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes
-Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
-Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
-I/usr/local/include   -MT test-event-stats.o -MD -MP -MF
.deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
test-event-stats.c: In function 'kill_stats_child':
test-event-stats.c:101: warning: implicit declaration of function 'kill'
test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this
function)
test-event-stats.c:101: error: (Each undeclared identifier is reported only
once
test-event-stats.c:101: error: for each function it appears in.)
test-event-stats.c: In function 'test_no_merging2':
test-event-stats.c:361: warning: format '%lu' expects type 'long unsigned
int', but argument 2 has type 'uint64_t'
test-event-stats.c: In function 'test_no_merging3':
test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
int', but argument 2 has type 'uint64_t'
test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
int', but argument 4 has type 'uint64_t'
test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
int', but argument 6 has type 'uint64_t'
test-event-stats.c: In function 'test_merge_events2':
test-event-stats.c:452: warning: format '%lu' expects type 'long unsigned
int', but argument 2 has type 'uint64_t'
test-event-stats.c: In function 'test_skip_parents':
test-event-stats.c:484: warning: format '%lu' expects type 'long unsigned
int', but argument 2 has type 'uint64_t'
test-event-stats.c:484: warning: format '%lu' expects type 'long unsigned
int', but argument 4 has type 'uint64_t'
test-event-stats.c:484: warning: format '%lu' expects type 'long unsigned
int', but argument 6 has type 'uint64_t'
test-event-st

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Aki Tuomi via dovecot


 
 
  
   
  
  
   
On 05 February 2019 at 22:18 Odhiambo Washington via dovecot <dovecot@dovecot.org> wrote:

> On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot <dovecot@dovecot.org>
> wrote:
>
> > Due to DMARC issues some people have failed to receive the latest security
> > information, so here it is repeated for both releases:
> >
> > 2.3.4.1
> >
> > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
> > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
> > <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig>
> > Binary packages in https://repo.dovecot.org/
> >
> > * CVE-2019-3814: If imap/pop3/managesieve/submission client has
> >   trusted certificate with missing username field
> >   (ssl_cert_username_field), under some configurations Dovecot
> >   mistakenly trusts the username provided via authentication instead
> >   of failing.
> > * ssl_cert_username_field setting was ignored with external SMTP AUTH,
> >   because none of the MTAs (Postfix, Exim) currently send the
> >   cert_username field. This may have allowed users with trusted
> >   certificate to specify any username in the authentication. This bug
> >   didn't affect Dovecot's Submission service.
> >
>
> FreeBSD-11.2 (amd64):
>
> gmake[2]: Entering directory
> '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns
> -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
> -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> -DBINDIR=\""/opt/dovecot2.3/bin"\" -std=gnu99 -g -O2
> -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
> -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
> -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
> -Wstrict-aliasing=2 -I/usr/local/include -MT test-event-stats.o -MD -MP
> -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
> test-event-stats.c: In function 'kill_stats_child':
> test-event-stats.c:101:2: warning: implicit declaration of function 'kill'
> [-Wimplicit-function-declaration]
> (void)kill(stats_pid, SIGKILL);
> ^
> test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in this
> function)
> (void)kill(stats_pid, SIGKILL);
> ^
> test-event-stats.c:101:24: note: each undeclared identifier is reported
> only once for each function it appears in
> gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
> gmake[2]: Leaving directory
> '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> gmake[1]: *** [Makefile:565: install-recursive] Error 1
> gmake[1]: Leaving directory
> '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
> gmake: *** [Makefile:683: install-recursive] Error 1

Yes. 2.3 4.1 has only single fix.

Aki

> FreeBSD-9.3:
>
> gmake[3]: Entering directory
> '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns
> -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
> -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> -DBINDIR=\""/opt/dovecot2.3/bin"\" -std=gnu99 -g -O2 -fstack-protector
> -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes
> -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
> -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
> -I/usr/local/include -MT test-event-stats.o -MD -MP -MF
> .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
> test-event-stats.c: In function 'kill_stats_child':
> test-event-stats.c:101: warning: implicit declaration of function 'kill'
> test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this
> function)
> test-event-stats.c:101: error: (Each undeclared identifier is reported only
> once
> test-event-stats.c:101: error: for each function it appears in.)
  

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread The Doctor via dovecot
On Tue, Feb 05, 2019 at 11:18:45PM +0300, Odhiambo Washington via dovecot wrote:
> On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot 
> wrote:
> 
> > Due to DMARC issues some people have failed to receive the latest security
> > information, so here it is repeated for both releases:
> >
> > 2.3.4.1
> >
> > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
> > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
> > 
> > Binary packages in https://repo.dovecot.org/
> >
> > * CVE-2019-3814: If imap/pop3/managesieve/submission client has
> >   trusted certificate with missing username field
> >   (ssl_cert_username_field), under some configurations Dovecot
> >   mistakenly trusts the username provided via authentication instead
> >   of failing.
> > * ssl_cert_username_field setting was ignored with external SMTP AUTH,
> >   because none of the MTAs (Postfix, Exim) currently send the
> >   cert_username field. This may have allowed users with trusted
> >   certificate to specify any username in the authentication. This bug
> >   didn't affect Dovecot's Submission service.
> >
> 
> FreeBSD-11.2 (amd64):
> 
> gmake[2]: Entering directory
> '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
> -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
> -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2
> -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
> -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
> -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
> -Wstrict-aliasing=2 -I/usr/local/include   -MT test-event-stats.o -MD -MP
> -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
> test-event-stats.c: In function 'kill_stats_child':
> test-event-stats.c:101:2: warning: implicit declaration of function 'kill'
> [-Wimplicit-function-declaration]
>   (void)kill(stats_pid, SIGKILL);
>   ^
> test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in this
> function)
>   (void)kill(stats_pid, SIGKILL);
> ^
> test-event-stats.c:101:24: note: each undeclared identifier is reported
> only once for each function it appears in
> gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
> gmake[2]: Leaving directory
> '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> gmake[1]: *** [Makefile:565: install-recursive] Error 1
> gmake[1]: Leaving directory
> '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
> gmake: *** [Makefile:683: install-recursive] Error 1
> 
>


Ports worked for me.

> 
> 
> FreeBSD-9.3:
> 
> gmake[3]: Entering directory
> '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
> -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
> -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2 -fstack-protector
> -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes
> -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
> -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
> -I/usr/local/include   -MT test-event-stats.o -MD -MP -MF
> .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
> test-event-stats.c: In function 'kill_stats_child':
> test-event-stats.c:101: warning: implicit declaration of function 'kill'
> test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this
> function)
> test-event-stats.c:101: error: (Each undeclared identifier is reported only
> once
> test-event-stats.c:101: error: for each function it appears in.)
> test-event-stats.c: In function 'test_no_merging2':
> test-event-stats.c:361: warning: format '%lu' expects type 'long unsigned
> int', but argument 2 has type 'uint64_t'
> test-event-stats.c: In function 'test_no_merging3':
> test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
> int', but argument 2 has type 'uint64_t'
> test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
> int', but argument 4 has type 'uint64_t'
> test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
> int', but argument 6 has type 'uint64_t'
> test-event-stats.c: In function 'test_merge_events2':
> test-event-stats.c:452: warning: format '%lu' expects type 'long unsigned
> int', but argument 2 has type 'uint64_t'
> test-event-stats.c: In function 'test_skip_parents':
> test-event-stats.c:484: warning: format '%lu' expects ty

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Larry Rosenman via dovecot
You're welcome.  (From your friendly FreeBSD Dovecot maintainer).

On Tue, Feb 5, 2019 at 2:26 PM The Doctor via dovecot 
wrote:

> On Tue, Feb 05, 2019 at 11:18:45PM +0300, Odhiambo Washington via dovecot
> wrote:
> > On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot 
> > wrote:
> >
> > > Due to DMARC issues some people have failed to receive the latest
> security
> > > information, so here it is repeated for both releases:
> > >
> > > 2.3.4.1
> > >
> > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
> > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
> > > 
> > > Binary packages in https://repo.dovecot.org/
> > >
> > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has
> > >   trusted certificate with missing username field
> > >   (ssl_cert_username_field), under some configurations Dovecot
> > >   mistakenly trusts the username provided via authentication
> instead
> > >   of failing.
> > > * ssl_cert_username_field setting was ignored with external SMTP
> AUTH,
> > >   because none of the MTAs (Postfix, Exim) currently send the
> > >   cert_username field. This may have allowed users with trusted
> > >   certificate to specify any username in the authentication. This
> bug
> > >   didn't affect Dovecot's Submission service.
> > >
> >
> > FreeBSD-11.2 (amd64):
> >
> > gmake[2]: Entering directory
> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> > gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
> > -I../../src/lib-test -I../../src/lib-settings
> -I../../src/lib-ssl-iostream
> > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> > -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> > -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> > -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2
> > -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
> > -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
> > -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
> > -Wstrict-aliasing=2 -I/usr/local/include   -MT test-event-stats.o -MD -MP
> > -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o
> test-event-stats.c
> > test-event-stats.c: In function 'kill_stats_child':
> > test-event-stats.c:101:2: warning: implicit declaration of function
> 'kill'
> > [-Wimplicit-function-declaration]
> >   (void)kill(stats_pid, SIGKILL);
> >   ^
> > test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in this
> > function)
> >   (void)kill(stats_pid, SIGKILL);
> > ^
> > test-event-stats.c:101:24: note: each undeclared identifier is reported
> > only once for each function it appears in
> > gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
> > gmake[2]: Leaving directory
> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> > gmake[1]: *** [Makefile:565: install-recursive] Error 1
> > gmake[1]: Leaving directory
> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
> > gmake: *** [Makefile:683: install-recursive] Error 1
> >
> >
>
>
> Ports worked for me.
>
> >
> >
> > FreeBSD-9.3:
> >
> > gmake[3]: Entering directory
> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> > gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
> > -I../../src/lib-test -I../../src/lib-settings
> -I../../src/lib-ssl-iostream
> > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> > -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> > -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> > -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2 -fstack-protector
> > -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes
> > -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
> > -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
> > -I/usr/local/include   -MT test-event-stats.o -MD -MP -MF
> > .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
> > test-event-stats.c: In function 'kill_stats_child':
> > test-event-stats.c:101: warning: implicit declaration of function 'kill'
> > test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this
> > function)
> > test-event-stats.c:101: error: (Each undeclared identifier is reported
> only
> > once
> > test-event-stats.c:101: error: for each function it appears in.)
> > test-event-stats.c: In function 'test_no_merging2':
> > test-event-stats.c:361: warning: format '%lu' expects type 'long unsigned
> > int', but argument 2 has type 'uint64_t'
> > test-event-stats.c: In function 'test_no_merging3':
> > test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
> > int', but argument 2 has type 'uint64_t'
> > test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
> > int', but argument 4 has type 'uint64_t'
> > test-event-stats.c:387: warning: format '%lu' expects type 'long unsi

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Odhiambo Washington via dovecot
Oh, so manual compile should NOT work and it's okay or am I missing
something?

On Tue, 5 Feb 2019 at 23:26, The Doctor  wrote:

> On Tue, Feb 05, 2019 at 11:18:45PM +0300, Odhiambo Washington via dovecot
> wrote:
> > On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot 
> > wrote:
> >
> > > Due to DMARC issues some people have failed to receive the latest
> security
> > > information, so here it is repeated for both releases:
> > >
> > > 2.3.4.1
> > >
> > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
> > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
> > > 
> > > Binary packages in https://repo.dovecot.org/
> > >
> > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has
> > >   trusted certificate with missing username field
> > >   (ssl_cert_username_field), under some configurations Dovecot
> > >   mistakenly trusts the username provided via authentication
> instead
> > >   of failing.
> > > * ssl_cert_username_field setting was ignored with external SMTP
> AUTH,
> > >   because none of the MTAs (Postfix, Exim) currently send the
> > >   cert_username field. This may have allowed users with trusted
> > >   certificate to specify any username in the authentication. This
> bug
> > >   didn't affect Dovecot's Submission service.
> > >
> >
> > FreeBSD-11.2 (amd64):
> >
> > gmake[2]: Entering directory
> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> > gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
> > -I../../src/lib-test -I../../src/lib-settings
> -I../../src/lib-ssl-iostream
> > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> > -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> > -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> > -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2
> > -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
> > -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
> > -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
> > -Wstrict-aliasing=2 -I/usr/local/include   -MT test-event-stats.o -MD -MP
> > -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o
> test-event-stats.c
> > test-event-stats.c: In function 'kill_stats_child':
> > test-event-stats.c:101:2: warning: implicit declaration of function
> 'kill'
> > [-Wimplicit-function-declaration]
> >   (void)kill(stats_pid, SIGKILL);
> >   ^
> > test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in this
> > function)
> >   (void)kill(stats_pid, SIGKILL);
> > ^
> > test-event-stats.c:101:24: note: each undeclared identifier is reported
> > only once for each function it appears in
> > gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
> > gmake[2]: Leaving directory
> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> > gmake[1]: *** [Makefile:565: install-recursive] Error 1
> > gmake[1]: Leaving directory
> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
> > gmake: *** [Makefile:683: install-recursive] Error 1
> >
> >
>
>
> Ports worked for me.
>
> >
> >
> > FreeBSD-9.3:
> >
> > gmake[3]: Entering directory
> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> > gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
> > -I../../src/lib-test -I../../src/lib-settings
> -I../../src/lib-ssl-iostream
> > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> > -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> > -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> > -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2 -fstack-protector
> > -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes
> > -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
> > -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
> > -I/usr/local/include   -MT test-event-stats.o -MD -MP -MF
> > .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
> > test-event-stats.c: In function 'kill_stats_child':
> > test-event-stats.c:101: warning: implicit declaration of function 'kill'
> > test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this
> > function)
> > test-event-stats.c:101: error: (Each undeclared identifier is reported
> only
> > once
> > test-event-stats.c:101: error: for each function it appears in.)
> > test-event-stats.c: In function 'test_no_merging2':
> > test-event-stats.c:361: warning: format '%lu' expects type 'long unsigned
> > int', but argument 2 has type 'uint64_t'
> > test-event-stats.c: In function 'test_no_merging3':
> > test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
> > int', but argument 2 has type 'uint64_t'
> > test-event-stats.c:387: warning: format '%lu' expects type 'long unsigned
> > int', but argument 4 has type 'uint64_t'
> > test-event-stats.c:387: warning: format '%lu' expects type 'long unsig

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Larry Rosenman via dovecot
pull the patches from the port.


On Tue, Feb 5, 2019 at 2:28 PM Odhiambo Washington via dovecot <
dovecot@dovecot.org> wrote:

> Oh, so manual compile should NOT work and it's okay or am I missing
> something?
>
> On Tue, 5 Feb 2019 at 23:26, The Doctor  wrote:
>
>> On Tue, Feb 05, 2019 at 11:18:45PM +0300, Odhiambo Washington via dovecot
>> wrote:
>> > On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot > >
>> > wrote:
>> >
>> > > Due to DMARC issues some people have failed to receive the latest
>> security
>> > > information, so here it is repeated for both releases:
>> > >
>> > > 2.3.4.1
>> > >
>> > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
>> > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
>> > > 
>> > > Binary packages in https://repo.dovecot.org/
>> > >
>> > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>> > >   trusted certificate with missing username field
>> > >   (ssl_cert_username_field), under some configurations Dovecot
>> > >   mistakenly trusts the username provided via authentication
>> instead
>> > >   of failing.
>> > > * ssl_cert_username_field setting was ignored with external SMTP
>> AUTH,
>> > >   because none of the MTAs (Postfix, Exim) currently send the
>> > >   cert_username field. This may have allowed users with trusted
>> > >   certificate to specify any username in the authentication. This
>> bug
>> > >   didn't affect Dovecot's Submission service.
>> > >
>> >
>> > FreeBSD-11.2 (amd64):
>> >
>> > gmake[2]: Entering directory
>> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
>> > gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
>> > -I../../src/lib-test -I../../src/lib-settings
>> -I../../src/lib-ssl-iostream
>> > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
>> > -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
>> > -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
>> > -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2
>> > -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
>> > -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
>> > -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
>> > -Wstrict-aliasing=2 -I/usr/local/include   -MT test-event-stats.o -MD
>> -MP
>> > -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o
>> test-event-stats.c
>> > test-event-stats.c: In function 'kill_stats_child':
>> > test-event-stats.c:101:2: warning: implicit declaration of function
>> 'kill'
>> > [-Wimplicit-function-declaration]
>> >   (void)kill(stats_pid, SIGKILL);
>> >   ^
>> > test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in
>> this
>> > function)
>> >   (void)kill(stats_pid, SIGKILL);
>> > ^
>> > test-event-stats.c:101:24: note: each undeclared identifier is reported
>> > only once for each function it appears in
>> > gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
>> > gmake[2]: Leaving directory
>> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
>> > gmake[1]: *** [Makefile:565: install-recursive] Error 1
>> > gmake[1]: Leaving directory
>> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
>> > gmake: *** [Makefile:683: install-recursive] Error 1
>> >
>> >
>>
>>
>> Ports worked for me.
>>
>> >
>> >
>> > FreeBSD-9.3:
>> >
>> > gmake[3]: Entering directory
>> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
>> > gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
>> > -I../../src/lib-test -I../../src/lib-settings
>> -I../../src/lib-ssl-iostream
>> > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
>> > -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
>> > -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
>> > -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2 -fstack-protector
>> > -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes
>> > -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
>> > -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
>> > -I/usr/local/include   -MT test-event-stats.o -MD -MP -MF
>> > .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
>> > test-event-stats.c: In function 'kill_stats_child':
>> > test-event-stats.c:101: warning: implicit declaration of function 'kill'
>> > test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this
>> > function)
>> > test-event-stats.c:101: error: (Each undeclared identifier is reported
>> only
>> > once
>> > test-event-stats.c:101: error: for each function it appears in.)
>> > test-event-stats.c: In function 'test_no_merging2':
>> > test-event-stats.c:361: warning: format '%lu' expects type 'long
>> unsigned
>> > int', but argument 2 has type 'uint64_t'
>> > test-event-stats.c: In function 'test_no_merging3':
>> > test-event-stats.c:387: warning: format '%lu' expects type '

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Aki Tuomi via dovecot


 
 
  
Did I say so? It's a known issue and will be fixed in a future release.

Aki

On 05 February 2019 at 22:27 Odhiambo Washington via dovecot <dovecot@dovecot.org> wrote:

> Oh, so manual compile should NOT work and it's okay or am I missing
> something?
>
> On Tue, 5 Feb 2019 at 23:26, The Doctor <doc...@doctor.nl2k.ab.ca> wrote:
>
> > On Tue, Feb 05, 2019 at 11:18:45PM +0300, Odhiambo Washington via dovecot wrote:
> > > On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
> > >
> > > > Due to DMARC issues some people have failed to receive the latest security
> > > > information, so here it is repeated for both releases:
> > > >
> > > > 2.3.4.1
> > > >
> > > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
> > > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
> > > > <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig>
> > > > Binary packages in https://repo.dovecot.org/
> > > >
> > > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has
> > > >   trusted certificate with missing username field
> > > >   (ssl_cert_username_field), under some configurations Dovecot
> > > >   mistakenly trusts the username provided via authentication instead
> > > >   of failing.
> > > > * ssl_cert_username_field setting was ignored with external SMTP AUTH,
> > > >   because none of the MTAs (Postfix, Exim) currently send the
> > > >   cert_username field. This may have allowed users with trusted
> > > >   certificate to specify any username in the authentication. This bug
> > > >   didn't affect Dovecot's Submission service.
> > > >
> > >
> > > FreeBSD-11.2 (amd64):
> > >
> > > gmake[2]: Entering directory
> > > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> > > gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns
> > > -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
> > > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
> > > -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
> > > -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
> > > -DBINDIR=\""/opt/dovecot2.3/bin"\" -std=gnu99 -g -O2
> > > -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
> > > -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
> > > -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
> > > -Wstrict-aliasing=2 -I/usr/local/include -MT test-event-stats.o -MD -MP
> > > -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
> > > test-event-stats.c: In function 'kill_stats_child':
> > > test-event-stats.c:101:2: warning: implicit declaration of function 'kill'
> > > [-Wimplicit-function-declaration]
> > > (void)kill(stats_pid, SIGKILL);
> > > ^
> > > test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in this
> > > function)
> > > (void)kill(stats_pid, SIGKILL);
> > > ^
> > > test-event-stats.c:101:24: note: each undeclared identifier is reported
> > > only once for each function it appears in
> > > gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
> > > gmake[2]: Leaving directory
> > > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> > > gmake[1]: *** [Makefile:565: install-recursive] Error 1
> > > gmake[1]: Leaving directory
> > > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
> > > gmake: *** [Makefile:683: install-recursive] Error 1
> > >
> >
> > Ports worked for me.
> >
> > > FreeBSD-9.3:
> > >
> > > gmake[3]: Entering directory
> > > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
> > > gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-dns
> > > -I../../src/lib-test -I../../src/lib-settings -I../../src/lib-ssl-iostream
> > > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/d

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Odhiambo Washington via dovecot
I have always been able to compile manually, even from RCs so I believe I
should be able to compile from the tarball as well.
Something is broken.

On Tue, 5 Feb 2019 at 23:29, Larry Rosenman  wrote:

> pull the patches from the port.
>
>
> On Tue, Feb 5, 2019 at 2:28 PM Odhiambo Washington via dovecot <
> dovecot@dovecot.org> wrote:
>
>> Oh, so manual compile should NOT work and it's okay or am I missing
>> something?
>>
>> On Tue, 5 Feb 2019 at 23:26, The Doctor  wrote:
>>
>>> On Tue, Feb 05, 2019 at 11:18:45PM +0300, Odhiambo Washington via
>>> dovecot wrote:
>>> > On Tue, 5 Feb 2019 at 20:32, Aki Tuomi via dovecot <
>>> dovecot@dovecot.org>
>>> > wrote:
>>> >
>>> > > Due to DMARC issues some people have failed to receive the latest
>>> security
>>> > > information, so here it is repeated for both releases:
>>> > >
>>> > > 2.3.4.1
>>> > >
>>> > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz
>>> > > https://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig
>>> > > 
>>> > > Binary packages in https://repo.dovecot.org/
>>> > >
>>> > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has
>>> > >   trusted certificate with missing username field
>>> > >   (ssl_cert_username_field), under some configurations Dovecot
>>> > >   mistakenly trusts the username provided via authentication
>>> instead
>>> > >   of failing.
>>> > > * ssl_cert_username_field setting was ignored with external SMTP
>>> AUTH,
>>> > >   because none of the MTAs (Postfix, Exim) currently send the
>>> > >   cert_username field. This may have allowed users with trusted
>>> > >   certificate to specify any username in the authentication.
>>> This bug
>>> > >   didn't affect Dovecot's Submission service.
>>> > >
>>> >
>>> > FreeBSD-11.2 (amd64):
>>> >
>>> > gmake[2]: Entering directory
>>> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
>>> > gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
>>> > -I../../src/lib-test -I../../src/lib-settings
>>> -I../../src/lib-ssl-iostream
>>> > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
>>> > -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
>>> > -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
>>> > -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2
>>> > -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W
>>> > -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
>>> > -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
>>> > -Wstrict-aliasing=2 -I/usr/local/include   -MT test-event-stats.o -MD
>>> -MP
>>> > -MF .deps/test-event-stats.Tpo -c -o test-event-stats.o
>>> test-event-stats.c
>>> > test-event-stats.c: In function 'kill_stats_child':
>>> > test-event-stats.c:101:2: warning: implicit declaration of function
>>> 'kill'
>>> > [-Wimplicit-function-declaration]
>>> >   (void)kill(stats_pid, SIGKILL);
>>> >   ^
>>> > test-event-stats.c:101:24: error: 'SIGKILL' undeclared (first use in
>>> this
>>> > function)
>>> >   (void)kill(stats_pid, SIGKILL);
>>> > ^
>>> > test-event-stats.c:101:24: note: each undeclared identifier is reported
>>> > only once for each function it appears in
>>> > gmake[2]: *** [Makefile:638: test-event-stats.o] Error 1
>>> > gmake[2]: Leaving directory
>>> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
>>> > gmake[1]: *** [Makefile:565: install-recursive] Error 1
>>> > gmake[1]: Leaving directory
>>> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src'
>>> > gmake: *** [Makefile:683: install-recursive] Error 1
>>> >
>>> >
>>>
>>>
>>> Ports worked for me.
>>>
>>> >
>>> >
>>> > FreeBSD-9.3:
>>> >
>>> > gmake[3]: Entering directory
>>> > '/usr/home/wash/Tools/Dovecot/2.3/dovecot-2.3.4.1/src/lib-master'
>>> > gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src/lib -I../../src/lib-dns
>>> > -I../../src/lib-test -I../../src/lib-settings
>>> -I../../src/lib-ssl-iostream
>>> > -DPKG_RUNDIR=\""/opt/dovecot2.3/var/run/dovecot"\"
>>> > -DPKG_STATEDIR=\""/opt/dovecot2.3/var/lib/dovecot"\"
>>> > -DSYSCONFDIR=\""/opt/dovecot2.3/etc/dovecot"\"
>>> > -DBINDIR=\""/opt/dovecot2.3/bin"\"   -std=gnu99 -g -O2
>>> -fstack-protector
>>> > -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes
>>> > -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
>>> > -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2
>>> > -I/usr/local/include   -MT test-event-stats.o -MD -MP -MF
>>> > .deps/test-event-stats.Tpo -c -o test-event-stats.o test-event-stats.c
>>> > test-event-stats.c: In function 'kill_stats_child':
>>> > test-event-stats.c:101: warning: implicit declaration of function
>>> 'kill'
>>> > test-event-stats.c:101: error: 'SIGKILL' undeclared (first use in this
>>> > function)
>>> > test-event-stats.c:101: error: (Each undeclared identifier is reported
>>> only
>>> > once
>>> > test-event-stats.c:101: e

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Larry Rosenman via dovecot
the patches are already in git master.  I've pulled them into the
mail/dovecot port.

The dovecot guys/gals will release it eventually, but the port works TODAY.


On Tue, Feb 5, 2019 at 2:33 PM Odhiambo Washington 
wrote:

> I have always been able to compile manually, even from RCs so I believe I
> should be able to compile from the tarball as well.
> Something is broken,
>
> On Tue, 5 Feb 2019 at 23:29, Larry Rosenman  wrote:
>
>> pull the patches from the port.
>>
>>
>> On Tue, Feb 5, 2019 at 2:28 PM Odhiambo Washington via dovecot <
>> dovecot@dovecot.org> wrote:
>>
>>> Oh, so manual compile should NOT work and it's okay or am I missing
>>> something?
>>>

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Odhiambo Washington via dovecot
Noted.

I will wait for dovecot-2.3.4.2 tarball then.

In all the servers I listed (+2 more), I never use the mail/dovecot port.

I rely on mail/dovecot port on my own prototype (FreeBSD 12) which I have
built in preparation for the upgrade of all the servers I currently have
(except the 11.2).
So for now, they have to run with 2.3.4, because of that reason - I am not
using the port. And yes, I know about DESTDIR :-)


On Tue, 5 Feb 2019 at 23:35, Larry Rosenman  wrote:

> the patches are already in git master.  I've pulled them into the
> mail/dovecot port.
>
> The dovecot guys/gals will release it eventually, but the port works TODAY.
>
>
> On Tue, Feb 5, 2019 at 2:33 PM Odhiambo Washington 
> wrote:
>
>> I have always been able to compile manually, even from RCs so I believe I
>> should be able to compile from the tarball as well.
>> Something is broken,
>>
>> On Tue, 5 Feb 2019 at 23:29, Larry Rosenman  wrote:
>>
>>> pull the patches from the port.
>>>
>>>

Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Larry Rosenman via dovecot
2.3.4 had the same compile issues


On Tue, Feb 5, 2019 at 2:44 PM Odhiambo Washington 
wrote:

> Noted.
>
> I will wait for dovecot-2.3.4.2 tarball then.
>
> In all the servers I listed (+2 more), I never use the mail/dovecot port.
>
> I rely on mail/dovecot port on my own prototype (FreeBSD 12) which I have
> built in preparation for the upgrade of all the servers I currently have
> (except the 11.2).
> So for now, they have to run with 2.3.4, because of that reason - I am not
> using the port. And yes, I know about DESTDIR :-)
>
>
> On Tue, 5 Feb 2019 at 23:35, Larry Rosenman  wrote:
>
>> the patches are already in git master.  I've pulled them into the
>> mail/dovecot port.
>>
>> The dovecot guys/gals will release it eventually, but the port works
>> TODAY.
>>
>>
>> On Tue, Feb 5, 2019 at 2:33 PM Odhiambo Washington 
>> wrote:
>>
>>> I have always been able to compile manually, even from RCs so I believe
>>> I should be able to compile from the tarball as well.
>>> Something is broken,
>>>

Really solved - Re: Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2019-02-05 Thread Robert Moskowitz via dovecot
This is an old issue, but I am building a new system and hit this 
problem all over again.


This time, I asked for help from the SELinux list, as googling did not 
find anything new.  What resulted was a policy to allow dovecot to 
connect to mysql.sock:


yum install policycoreutils

cat > dovecot_mysql.te <<  \EOF
policy_module(dovecot_mysql,1.0.0)
gen_require(`
   type dovecot_t;
')
mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF

make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp
semodule -i dovecot_mysql.pp

If you are using a TCP connection over 127.0.0.1, then it is simpler:


echo '(allow dovecot_t mysqld_port_t (tcp_socket (name_connect)))' > dovecot-mysql.cil

semodule -i dovecot-mysql.cil
sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t mysqld_port_t:tcp_socket name_connect;
allow dovecot_t postgresql_port_t:tcp_socket name_connect;

Enjoy!

On 4/7/17 11:12 AM, Robert Moskowitz wrote:
I reread my sql.conf.ext files and realized they were actually 
connecting to localhost.  So I did some googling, and found how to 
connect to the socket:


connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password


And all fixed.  No more failures.  Plus probably securer.

On 04/07/2017 10:57 AM, Robert Moskowitz wrote:
The strange thing is that dovecot auth has no problem connecting to 
mysql, but the quota query is what is failing.


On 04/07/2017 10:43 AM, Robert Moskowitz wrote:
As I have noted in previous messages, I have been getting the following 
on my new mailserver:


Apr  7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): 
Connect failed to database (postfix): Can't connect to local MySQL 
server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 
25 seconds before retry


They go away when I setenforce 0.  It is not a timing issue as I 
earlier thought.


So I googled dovecot mysql selinux and the only worthwhile hit was:

http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html 



that provides a /etc/selinux/dovecot2mysql.te and other selinux stuff.

Is there a simpler way like a setsebool option?

With all the howtos on dovecot with mysql, it is interesting that 
none of them seem to have this problem.  Maybe because they connect 
to mysql through TCP port 3306 which has ITS set of problems (like 
MariaDB defaults to not listening on TCP).


thanks!
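
An added triage example, not part of the original post: it reads SELinux AVC denials for dovecot_t and reports whether the socket module (dovecot_mysql.te) or the TCP rule (dovecot-mysql.cil) from the message above is the matching fix, and flags anything else for review. The audit lines are constructed, and the mapping of object classes and target types to each fix is this example's assumption about what mysql_read_config and mysql_stream_connect cover.

```shell
#!/bin/sh
# Added example (not from the original post): triage SELinux AVC denials for
# dovecot_t and map each one to the fix in the post that would address it.

# Constructed audit.log lines for illustration; not captured from a real host.
SAMPLE_AVC='type=AVC msg=audit(1491574647.101:801): avc:  denied  { write } for  pid=2101 comm="dict" name="mysql.sock" dev="dm-0" ino=393301 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=sock_file
type=AVC msg=audit(1491574647.101:802): avc:  denied  { connectto } for  pid=2101 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1491574701.220:810): avc:  denied  { name_connect } for  pid=2140 comm="dict" dest=3306 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1491574702.330:811): avc:  denied  { read } for  pid=2200 comm="httpd" name="my.cnf" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1491574703.440:812): avc:  denied  { read } for  pid=2101 comm="dict" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# classify_avc: read audit lines on stdin and print one tab-separated record
# per dovecot_t denial: <fix> <permissions> <target type> <object class>
#   socket-module  addressed by the dovecot_mysql.te module (UNIX socket path)
#   tcp-rule       addressed by the one-line CIL rule (TCP to the MySQL port)
#   other          addressed by neither; investigate instead of allowing it
classify_avc() {
    awk '
    # Third colon-separated field of an SELinux context is the type.
    function ctx_type(ctx,   parts) { split(ctx, parts, ":"); return parts[3] }

    /avc:/ && /denied/ {
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = ctx_type(substr($i, 10))
            else if ($i ~ /^tcontext=/) tgt = ctx_type(substr($i, 10))
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src != "dovecot_t") next      # only the Dovecot domain matters here

        # Permissions are the words between the braces, e.g. "{ read write }".
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 1, b - a - 1)
        gsub(/^ +| +$/, "", perms)
        padded = " " perms " "

        fix = "other"
        if (cls == "tcp_socket" && tgt == "mysqld_port_t" && padded ~ / name_connect /)
            fix = "tcp-rule"
        else if (cls == "unix_stream_socket" && tgt == "mysqld_t")
            fix = "socket-module"
        else if ((cls == "sock_file" || cls == "dir") && tgt ~ /^mysqld_(db|var_run)_t$/)
            fix = "socket-module"
        else if ((cls == "file" || cls == "dir") && tgt == "mysqld_etc_t")
            fix = "socket-module"

        printf "%s\t%s\t%s\t%s\n", fix, perms, tgt, cls
    }'
}

# needed_fixes: distinct fix labels seen in the input, sorted, space-separated.
needed_fixes() {
    classify_avc | cut -f1 | sort -u | paste -sd ' ' -
}

# Demo on the constructed sample; on a real host feed it the audit log instead.
printf '%s\n' "$SAMPLE_AVC" | classify_avc
```

A denial reported as `other` (the constructed shadow_t read here) is outside what either policy in the post grants and should be investigated rather than added to the module.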









Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Odhiambo Washington via dovecot
Bueno.

I don't even remember well.

Wasn't that issue about mysql-8.0.12 to 8.0.13??



On Tue, 5 Feb 2019 at 23:46, Larry Rosenman  wrote:

> 2.3.4 had the same compile issues
>
>
> On Tue, Feb 5, 2019 at 2:44 PM Odhiambo Washington 
> wrote:
>
>> Noted.
>>
>> I will wait for dovecot-2.3.4.2 tarball then.
>>
>> In all the servers I listed (+2 more), I never use the mail/dovecot port.
>>
>> I rely on mail/dovecot port on my own prototype (FreeBSD 12) which I have
>> built in preparation for the upgrade of all the servers I currently have
>> (except the 11.2).
>> So for now, they have to run with 2.3.4, because of that reason - I am
>> not using the port. And yes, I know about DESTDIR :-)
>>
>>
>> On Tue, 5 Feb 2019 at 23:35, Larry Rosenman  wrote:
>>
>>> the patches are already in git master.  I've pulled them into the
>>> mail/dovecot port.
>>>
>>> The dovecot guys/gals will release it eventually, but the port works
>>> TODAY.
>>>
>>>

Re: Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)

2019-02-05 Thread Stephan Bosch via dovecot




On 05/02/2019 at 20:27, Michael Marley via dovecot wrote:

On 2019-02-05 13:07, Stephan Bosch via dovecot wrote:

Hi,

Here is the associated release for Pigeonhole:

https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz 

https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig 


Binary packages included in https://repo.dovecot.org/

Is there going to be an equivalent 0.5.4.1 release with the same 
functionality but for Dovecot 2.3.x?




No. The current plan is to release a 2.3.5/0.5.5 later this month.

Regards,

Stephan.


Re: Release notify (2.2.36.1 and 2.3.4.1)

2019-02-05 Thread Larry Rosenman via dovecot
that was a MySQL issue and mmokhi fixed it in Ports.

I really do try to be conscientious about making sure it works (I use it
for my mailserver).

I really don't understand your hangup about using ports/pkg/poudriere/etc
to build the ports and install them.


On Tue, Feb 5, 2019 at 2:53 PM Odhiambo Washington 
wrote:

> Bueno.
>
> I don't even remember well.
>
> Wasn't that issue about mysql-8.0.12 to 8.0.13??
>
>
>
> On Tue, 5 Feb 2019 at 23:46, Larry Rosenman  wrote:
>
>> 2.3.4 had the same compile issues
>>
>>
>> On Tue, Feb 5, 2019 at 2:44 PM Odhiambo Washington 
>> wrote:
>>
>>> Noted.
>>>
>>> I will wait for dovecot-2.3.4.2 tarball then.
>>>
>>> In all the servers I listed (+2 more), I never use the mail/dovecot port.
>>>
>>> I rely on mail/dovecot port on my own prototype (FreeBSD 12) which I
>>> have built in preparation for the upgrade of all the servers I currently
>>> have (except the 11.2).
>>> So for now, they have to run with 2.3.4, because of that reason - I am
>>> not using the port. And yes, I know about DESTDIR :-)
>>>
>>>

Re: acl_groups in LDAP

2019-02-05 Thread Jakobus Schürz via dovecot
On 05.02.19 at 08:23, Christian Rößner via dovecot wrote:
> Hi,
>
> I found a 9-year-old thread 
> (https://www.dovecot.org/list/dovecot/2010-October/054407.html) concerning 
> acl_groups in OpenLDAP. In this thread someone asked if it is possible to 
> provide ACLs as multi-value in OpenLDAP. I know that Dovecot expects 
> acl_groups as a comma-separated list, so currently I do this with a single 
> value. Did the code change a little bit and accept multi values now?
>
> Would be nice to have attributes like:
>
> ACLAttribute: group1
> ACLAttribute: group2
> ...
>
> Instead of:
>
> ACLAttribute: group1,group2
>
> Thanks in advance

This sounds good!

Or do you know how to build an overlay for OpenLDAP which produces the
list for acl_groups?


jakob
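
The conversion discussed in this thread, as an added example that is not part of either post and is not Dovecot or OpenLDAP code: it collapses a multi-valued attribute from one LDIF entry into the comma-separated acl_groups string and rejects any value containing a comma, which a comma-separated list would read as two groups. The LDIF entry is constructed, `ACLAttribute` is the placeholder attribute name from the post, and the function names are hypothetical.

```python
import base64

# Constructed sample entry; ACLAttribute is the placeholder name used in the post.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
ACLAttribute: group1
ACLAttribute: group2
ACLAttribute:: Z3JvdXAz
ACLAttribute: project-
 archive
"""

def ldif_values(ldif, attr):
    """Return every value of attr in a single LDIF entry (name match is case-insensitive)."""
    # Unfold continuation lines: a line starting with one space continues the previous line.
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):  # "attr:: <base64>" form
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def to_acl_groups(values):
    """Join group names into the comma-separated form, refusing ambiguous names."""
    groups = []
    for v in values:
        # A comma, stray whitespace or a control character would change how the list splits.
        if not v or "," in v or v != v.strip() or any(ord(c) < 32 for c in v):
            raise ValueError(f"unsafe group name: {v!r}")
        if v not in groups:  # drop duplicates, keep directory order
            groups.append(v)
    return ",".join(groups)

if __name__ == "__main__":
    print(to_acl_groups(ldif_values(SAMPLE_LDIF, "ACLAttribute")))
```

The check runs after base64 decoding, so a comma hidden in an `attr::` value is rejected as well.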