* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
   when scanning data in quoted strings, leading to out of bounds heap
   memory writes. Found by Nick Roessler and Rafi Rubin.
 * CVE-2019-7524: Missing input buffer size validation leads into
   arbitrary buffer overflow when reading fts or pop3 uidl header
   from Dovecot index. Exploiting this requires direct write access to
   the index files.

* login-proxy: If ssl_require_crl=no, allow revoked certificates.
   Also don't do CRL checks for incoming client certificates.
 * stats plugin: Don't temporarily enable PR_SET_DUMPABLE while opening
   /proc/self/io. This may still cause security problems if the process
   is ptrace()d at the same time. Instead, open it while still running
   as root.
 + doveadm: Added mailbox cache decision&remove commands. See
   doveadm-mailbox(1) man page for details.
 + doveadm: Added rebuild attachments command for rebuilding
   $HasAttachment or $HasNoAttachment flags for matching mails. See
   doveadm-rebuild(1) man page for details.
 + cassandra: Use fallback_consistency on more types of errors
 - cassandra: Fix consistency=quorum to work
 - dsync: Lock file generation failed if home directory didn't exist
 - In some configs if namespace root directory didn't yet exist, Dovecot
   failed to create mailboxes.lock when trying to create mailboxes
 - Snippet generation for HTML mails didn't ignore &entities inside
   blockquotes, producing strange looking snippets.
 - imapc: Fix assert-crash if getting disconnected and after
   reconnection all mails in the selected mailbox are gone.
 - pop3c: Handle unexpected server disconnections without assert-crash
 - fts: Fixes to indexing mails via virtual mailboxes.
 - fts: If mails contained NUL characters, the text around it wasn't
   indexed.
 - Obsolete dovecot.index.cache offsets were sometimes used. Trying to
   fetch a field that was just added to cache file may not have always
   found it.
 - dict-sql: Fix crash when reading NULL value from database
 - charset_alias: compile fails with Solaris Studio, reported by
   John Woods.
 - Fix local name handling in v2.2.34 SNI code, bug found by cPanel.
 - imapc: Don't try to add mails to index if they already exist there.
 - imapc: If email is modified in istream_opened hook, mail size isn't
   updated.
 - lib-dcrypt: When reading encrypted data, more data would not be
   read if buffer was not consumed causing panic or hang.
 - notify: When notify plugin is used and transaction commit fails in
   dsync, crash occurs.
 - sdbox: When delivering to a mailbox that is over quota, temp files
   are not cleaned up when saving or copying fails.
 * CVE-2017-15130: TLS SNI config lookups may lead to excessive
   memory usage, causing imap-login/pop3-login VSZ limit to be reached
   and the process restarted. This happens only if Dovecot config has
   local_name { } or local { } configuration blocks and attacker uses
   randomly generated SNI servernames.
 * CVE-2017-14461: Parsing invalid email addresses may cause a crash or
   leak memory contents to attacker. For example, these memory contents
   might contain parts of an email from another user if the same imap
   process is reused for multiple users. First discovered by Aleksandar
   Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
   via HackerOne.
 * CVE-2017-15132: Aborted SASL authentication leaks memory in login
   process.
 * Linux: Core dumping is no longer enabled by default via
   PR_SET_DUMPABLE, because this may allow attackers to bypass
   chroot/group restrictions. Found by cPanel Security Team. Nowadays
   core dumps can be safely enabled by using "sysctl -w
   fs.suid_dumpable=2". If the old behaviour is wanted, it can still be
   enabled by setting:
   import_environment=$import_environment PR_SET_DUMPABLE=1
 * doveconf output now includes the hostname.
 + mail_attachment_detection_options setting controls when
   $HasAttachment and $HasNoAttachment keywords are set for mails.
 + imap: Support fetching body snippets using FETCH (SNIPPET) or
   (SNIPPET (LAZY=FUZZY))
 + fs-compress: Automatically detect whether input is compressed or not.
   Prefix the compression algorithm with "maybe-" to enable the
   detection, for example: "compress:maybe-gz:6:..."
 + Added settings to change dovecot.index* files' optimization behavior.
   See https://wiki2.dovecot.org/IndexFiles#Settings
 + Auth cache can now utilize auth workers to do password hash
   verification by setting auth_cache_verify_password_with_worker=yes.
 + Added charset_alias plugin. See
   https://wiki2.dovecot.org/Plugins/CharsetAlias
 + imap_logout_format and pop3_logout_format settings now support all of
   the generic variables (e.g. %{rip}, %{session}, etc.)
 + Added auth_policy_check_before_auth, auth_policy_check_after_auth
   and auth_policy_report_after_auth settings.
 - v2.2.33: doveadm-server: Various fixes related to log handling.
 - v2.2.33: doveadm failed when trying to access UNIX socket that didn't
   require authentication.
 - v2.2.33: doveadm log reopen stopped working
 - v2.2.30+: IMAP stopped advertising SPECIAL-USE capability
 - v2.2.30+: IMAP stopped sending untagged OK/NO storage notifications
 - replication: dsync sends unnecessary replication notification for
   changes it does internally. NOTE: Folder creates, renames, deletes
   and subscribes still trigger unnecessary replication notifications,
   but these should be rather rare.
 - mail_always/never_cache_fields setting changes weren't applied for
   existing dovecot.index.cache files.
 - Fix compiling and other problems with OpenSSL v1.1
 - auth policy: With master user logins, lookup using login username.
 - FTS reindexed all mails unnecessarily after loss of
   dovecot.index.cache file
 - mdbox rebuild repeatedly fails with "missing map extension"
 - SSL connections may have been hanging with imapc or doveadm client.
 - cassandra: Using protocol v3 (Cassandra v2.1) caused memory leaks and
   also timestamps weren't set to queries.
 - fs-crypt silently ignored public/private keys specified in
   configuration (mail_crypt_global_public/private_key) and just
   emitted plaintext output.
 - lock_method=dotlock caused crashes
 - imapc: Reconnection may cause crashes and other errors

doveadm director commands wait for the changes to be visible in the
  whole ring before they return. This is especially useful in testing.
  Environments listed in import_environment setting are now set or
  preserved when executing standalone commands (e.g. doveadm)
+ doveadm proxy: Support proxying logs. Previously the logs were
  visible only in the backend's logs.
+ Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals
+ Added a new notify_status plugin, which can be used to update dict
  with current status of a mailbox when it changes. See
  https://wiki2.dovecot.org/Plugins/NotifyStatus
+ Mailbox list index can be disabled for a namespace by appending
  ":LISTINDEX=" to location setting.
+ dsync/imapc: Added dsync_hashed_headers setting to specify which
  headers are used to match emails.
+ pop3-migration: Add pop3_migration_ignore_extra_uidls=yes to ignore
  mails that are visible in POP3 but not IMAP. This could happen if
  new mails were delivered during the migration run.
+ pop3-migration: Further improvements to help with Zimbra
+ pop3-migration: Cache POP3 UIDLs in imapc's dovecot.index.cache
  if indexes are enabled. These are used to optimize incremental syncs.
+ cassandra, dict-sql: Use prepared statements if protocol version>3.
+ auth: Added %{ldap_dn} variable for passdb/userdb ldap
- acl: The "create" (k) permission in global acl-file was sometimes
  ignored, allowing users to create mailboxes when they shouldn't have.
- sdbox: Mails were always opened when expunging, unless
  mail_attachment_fs was explicitly set to empty.
- lmtp/doveadm proxy: hostip passdb field was ignored, which caused
  unnecessary DNS lookups if host field wasn't an IP
- lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO
- quota_clone: Update also when quota is unlimited (broken in v2.2.31)
- mbox, zlib: Fix assert-crash when accessing compressed mbox
- doveadm director kick -f parameter didn't work
- doveadm director flush <host> resulted flushing all hosts, if <host>
  wasn't an IP address.
- director: Various fixes to handling backend/director changes at
  abnormal times, especially while ring was unsynced. These could have
  resulted in crashes, non-optimal behavior or ignoring some of the
  changes.
- director: Use less CPU in imap-login processes when moving/kicking
  many users.
- lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs
  when lmtp_rcpt_check_quota=yes
- doveadm sync -1 fails when local mailboxes exist that do not exist
  remotely. This commonly happened when lazy_expunge mailbox was
  autocreated when incremental sync expunged mails.
- pop3: rawlog_dir setting didn't work

director: "doveadm director move" to same host now refreshes user's
  timeout. This allows keeping user constantly in the same backend by
  just periodically moving the user there.
  When new mailbox is created, use initially INBOX's
  dovecot.index.cache caching decisions.
  Expunging mails writes GUID to dovecot.index.log now only if the
  GUID is quickly available from index/cache.
  pop3c: Increase timeout for PASS command to 5 minutes.
  Mail access errors are no longer ignored when searching or sorting.
  With IMAP the untagged SEARCH/SORT reply is still sent the same as
  before, but NO reply is returned instead of OK.
+ Make dovecot.list.index's filename configurable. This is needed when
  there are multiple namespaces pointing to the same mail root
  (e.g. lazy_expunge namespace for mdbox).
+ Add size.virtual to dovecot.index when folder vsizes are accessed
  (e.g. quota=count). This is mainly a workaround to avoid slow quota
  recalculation performance when message sizes get lost from
  dovecot.index.cache due to corruption or some other reason.
+ auth: Support OAUTHBEARER and XOAUTH2 mechanisms. Also support them
  in lib-dsasl for client side.
+ auth: Support filtering by SASL mechanism: passdb { mechanisms }
+ Shrink the mail processes' memory usage by not storing settings
  duplicated unnecessarily many times.
+ imap: Add imap_fetch_failure setting to control what happens when
  FETCH fails for some mails (see example-config).
+ imap: Include info about last command in disconnection log line.
+ imap: Created new SEARCH=X-MIMEPART extension. It's currently not
  advertised by default, since it's not fully implemented.
+ fts-solr: Add support for basic authentication.
+ Cassandra: Support automatically retrying failed queries if
  execution_retry_interval and execution_retry_times are set.
+ doveadm: Added "mailbox path" command.
+ mail_log plugin: If plugin { mail_log_cached_only=yes }, log the
  wanted fields only if it doesn't require opening the email.
+ mail_vsize_bg_after_count setting added (see example-config).
+ mail_sort_max_read_count setting added (see example-config).
+ pop3c: Added pop3c_features=no-pipelining setting to prevent using
  PIPELINING extension even though it's advertised.
- Index files: day_first_uid wasn't updated correctly since v2.2.26.
  This caused dovecot.index.cache to be non-optimal.
- imap: SEARCH/SORT may have assert-crashed in
  client_check_command_hangs
- imap: FETCH X-MAILBOX may have assert-crashed in virtual mailboxes.
- imap: Running time in tagged command reply was often wrongly 0.
- search: Using NOT n:* or NOT UID n:* wasn't handled correctly
- director: doveadm director kick was broken
- director: Fix crash when using director_flush_socket
- director: Fix some bugs when moving users between backends
- imapc: Various error handling fixes and improvements
- master: doveadm process status output had a lot of duplicates.
- autoexpunge: If mailbox's rename timestamp is newer than mail's
  save-timestamp, use it instead. This is useful when autoexpunging
  e.g. Trash/* and an entire mailbox is deleted by renaming it under
  Trash to prevent it from being autoexpunged too early.
- autoexpunge: Multiple processes may have been trying to expunge the
  same mails simultaneously. This was problematic especially with
  lazy_expunge plugin.
- auth: %{passdb:*} was empty in auth-worker processes
- auth-policy: hashed_password was always sent empty.
- dict-sql: Merge multiple UPDATEs to a single statement if possible.
- fts-solr: Escape {} chars when sending queries
- fts: fts_autoindex_exclude = \Special-use caused crashes
- doveadm-server: Fix leaks and other problems when process is reused
  for multiple requests (service_count != 1)
- sdbox: Fix assert-crash on mailbox create race
- lda/lmtp: deliver_log_format values weren't entirely correct if Sieve
  was used. especially %{storage_id} was broken.
- lmtp_user_concurrency_limit didn't work if userdb changed username

dovecot.list.index.log rotation sizes/times were changed so that
  the .log file stays smaller and .log.2 is deleted sooner.
+ Added mail_crypt plugin that allows encryption of stored emails.
  See http://wiki2.dovecot.org/Plugins/MailCrypt
+ stats: Global stats can be sent to Carbon server by setting
  stats_carbon_server=ip:port
+ imap/pop3 proxy: If passdb returns proxy_not_trusted, don't send
  ID/XCLIENT
+ Added generic hash modifier for %variables:
  %{<hash algorithm>;rounds=<n>,truncate=<bits>,salt=s>:field}
  Hash algorithm is any of the supported ones, e.g. md5, sha1, sha256.
  Also "pkcs5" is supported using SHA256. For example: %{sha256:user}
  or %{md5;truncate=32:user}.
+ Added support for SHA3-256 and SHA3-512 hashes.
+ config: Support DNS wildcards in local_name, e.g.
  local_name *.example.com { .. } matches anything.example.com, but
  not multiple.anything.example.com.
+ config: Support multiple names in local_name, e.g.
  local_name "1.example.com 2.example.com" { .. }
- Fixed crash in auth process when auth-policy was configured and
  authentication was aborted/failed without a username set.
- director: If two users had different tags but the same hash,
  the users may have been redirected to the wrong tag's hosts.
- Index files may have been thought incorrectly lost, causing
  "Missing middle file seq=.." to be logged and index rebuild.
  This happened more easily with IMAP hibernation enabled.
- Various fixes to restoring state correctly in un-hibernation.
- dovecot.index files were commonly 4 bytes per email too large. This
  is because 3 bytes per email were being wasted that could have been
  used for IMAP keywords.
- Various fixes to handle dovecot.list.index corruption better.
- lib-fts: Fixed assert-crash in address tokenizer with specific input.
- Fixed assert-crash in HTML to text parsing with specific input
  (e.g. for FTS indexing or snippet generation)
- doveadm sync -1: Fixed handling mailbox GUID conflicts.
- sdbox, mdbox: Perform full index rebuild if corruption is detected
  inside lib-index, which runs index fsck.
- quota: Don't skip quota checks when moving mails between different
  quota roots.
- search: Multiple sequence sets or UID sets in search parameters
  weren't handled correctly. They were incorrectly merged together.

- Fixed some compiling issues.
- auth: Fixed assert-crash when using NTLM or SKEY mechanisms and
  multiple passdbs.
- auth: Fixed crash when exporting to auth-worker passdb extra fields
  that had empty values.
- dsync: Fixed assert-crash in dsync_brain_sync_mailbox_deinit

lmtp: Start tracking lmtp_user_concurrency_limit and reject already
  at RCPT TO stage. This avoids MTA unnecessarily completing DATA only
  to get an error.
  doveadm: Previously only mail settings were read from protocol
  doveadm { .. } section. Now all settings are.
+ quota: Added quota_over_flag_lazy_check setting. It avoids checking
  quota_over_flag always at startup. Instead it's checked only when
  quota is being read for some other purpose.
+ auth: Added a new auth policy service:
  http://wiki2.dovecot.org/Authentication/Policy
+ auth: Added PBKDF2 password scheme
+ auth: Added %{auth_user}, %{auth_username} and %{auth_domain}
+ auth: Added ":remove" suffix to extra field names to remove them.
+ auth: Added "delay_until=<timestamp>[+<max random secs>]" passdb
  extra field. The auth will wait until <timestamp> and optionally some
  randomness and then return success.
+ dict proxy: Added idle_msecs=<n> parameter. Support async operations.
+ Performance improvements for handling large mailboxes.
+ Added lib-dcrypt API for providing cryptographic functions.
+ Added "doveadm mailbox update" command
+ imap commands' output now includes timing spent on the "syncing"
  stage if it's larger than 0.
+ cassandra: Added metrics=<path> to connect setting to output internal
  statistics in JSON format every second to <path>.
+ doveadm mailbox delete: Added -e parameter to delete only empty
  mailboxes. Added --unsafe option to quickly delete a mailbox,
  bypassing lazy_expunge and quota plugins.
+ doveadm user & auth cache flush are now available via doveadm-server.
+ doveadm service stop <services> will stop specified services while
  leaving the rest of Dovecot running.
+ quota optimization: Avoid reading mail sizes for backends which
  don't need them (count, fs, dirsize)
+ Added mailbox { autoexpunge_max_mails=<n> } setting.
+ Added welcome plugin: http://wiki2.dovecot.org/Plugins/Welcome
+ fts: Added fts_autoindex_exclude setting.
- v2.2.24's MIME parser was assert-crashing on mails having truncated
  MIME headers.
- auth: With multiple userdbs the final success/failure result wasn't
  always correct. The last userdb's result was always used.
- doveadm backup was sometimes deleting entire mailboxes unnecessarily.
- doveadm: Command -parameters weren't being sent to doveadm-server.
- If dovecot.index read failed e.g. because mmap() reached VSZ limit,
  an empty index could have been opened instead, corrupting the
  mailbox state.
- imapc: Fixed EXPUNGE handling when imapc_features didn't have modseq.
- lazy-expunge: Fixed a crash when copying failed. Various other fixes.
- fts-lucene: Fixed crash on index rescan.
- auth_stats=yes produced broken output
- dict-ldap: Various fixes
- dict-sql: NULL values crashed. Now they're treated as "not found".

doveconf now warns if it sees a global setting being changed when
  the same setting was already set inside some filters. (A common
  mistake has been adding more plugins to a global mail_plugins
  setting after it was already set inside protocol { .. }, which
  caused the global setting to be ignored for that protocol.)
  LMTP proxy: Increased default timeout 30s -> 125s. This makes it
  less likely to reach the timeout and cause duplicate deliveries.
  LMTP and indexer now append ":suffix" to session IDs to make it
  unique for the specific user's delivery. (Fixes duplicate session
  ID warnings in stats process.)
+ Added dict-ldap for performing read-only LDAP dict lookups.
+ lazy-expunge: All mails can be saved to a single specified mailbox.
+ mailbox { autoexpunge } supports now wildcards in mailbox names.
+ doveadm HTTP API: Added support for proxy commands
+ imapc: Reconnect when getting disconnected in non-selected state.
+ imapc: Added imapc_features=modseq to access MODSEQs/HIGHESTMODSEQ.
  This is especially useful for incremental dsync.
+ doveadm auth/user: Auth lookup performs debug logging if
  -o auth_debug=yes is given to doveadm.
+ Added passdb/userdb { auth_verbose=yes|no } setting.
+ Cassandra: Added user, password, num_threads, connect_timeout and
  request_timeout settings.
+ doveadm user -e <value>: Print <value> with %variables expanded.
- Huge header lines could have caused Dovecot to use too much memory
  (depending on config and used IMAP commands). (Typically this would
  result in only the single user's process dying with out of memory
  due to reaching service { vsz_limit } - not a global DoS).
- dsync: Detect and handle invalid/stale -s state string better.
- dsync: Fixed crash caused by specific mailbox renames
- auth: Auth cache is now disabled passwd-file. It was unnecessary and
  it broke %variables in extra fields.
- fts-tika: Don't crash if it returns 500 error
- dict-redis: Fixed timeout handling
- SEARCH INTHREAD was crashing
- stats: Only a single fifo_listeners was supported, making it
  impossible to use both auth_stats=yes and mail stats plugin.
- SSL errors were logged in separate "Stacked error" log lines
  instead of as part of the disconnection reason.
- MIME body parser didn't handle properly when a child MIME part's
  --boundary had the same prefix as the parent.

- doveadm mailbox list (and some others) were broken in v2.2.20
- director: Fixed making backend changes when running with only a
  single director server.
- virtual plugin: Fixed crash when trying to open nonexistent
  autocreated backend mailbox.

- director: Login UNIX sockets were normally detected as doveadm or
   director ring sockets, causing it to break in existing installations.
 - sdbox: When copying a mail in alt storage, place the destination to
   alt storage as well.

* dbox: Resyncing (e.g. doveadm force-resync) no longer deletes
   dovecot.index.cache file. The cache file was rarely the problem
   so this just caused unnecessary slowness.
 * Mailbox name limits changed during mailbox creation: Each part of
   a hierarchical name (e.g. "x" or "y" in "x/y") can now be up to 255
   chars long (instead of 200). This also reduces the max number of
   hierarchical levels to 16 (instead of 20) to keep the maximum name
   length 4096 (a common PATH_MAX limit). The 255 char limit is
   hopefully large enough for migrations from all existing systems.
   It's also the limit on many filesystems.

 + director: Added director_consistent_hashing setting to enable
   consistent hashing (instead of the mostly-random MD5 hashing).
   This causes fewer user moves between backends when backend counts
   are changed, which may improve performance (mainly due to caching).
 + director: Added support for "tags", which allows one director ring
   to serve multiple backend clusters with different sets of users.
 + LMTP server: Added lmtp_user_concurrency_limit setting to limit how
   many LMTP deliveries can be done concurrently for a single user.
 + LMTP server: Added support for STARTTLS command.
 + If logging data is generated faster than it can be written, log a
   warning about it and show information about it in log process's
   process title in ps output. Also don't allow a single service to
   flood too long at the cost of delaying other services' logging.
 + stats: Added support for getting global statistics.
 + stats: Use the same session IDs as the rest of Dovecot.
 + stats: Plugins can now create their own statistics fields
 + doveadm server: Non-mail related commands can now also be used
   via doveadm server (TCP socket).
 + doveadm proxying: passdb lookup can now override doveadm_port and
   change the username.
 + doveadm: Search query supports now "oldestonly" parameter to stop
   immediately on the first non-match. This can be used to optimize:
   doveadm expunge mailbox Trash savedbefore 30d oldestonly
 + doveadm: Added "save" command to directly save mails to specified
   mailbox (bypassing Sieve).
 + doveadm fetch: Added body.snippet field, which returns the first
   100 chars of a message without whitespace or HTML tags. The result
   is stored into dovecot.index.cache, so it can be fetched efficiently.
 + dsync: Added -t <timestamp> parameter to sync only mails newer than
   the given received-timestamp.
 + dsync: Added -F [-]<flag> parameter to sync only mails with[out] the
   given flag/keyword.
 + dsync: Added -a <mailbox> parameter to specify the virtual mailbox
   containing user's all mails. If this mailbox is already found to
   contain the wanted mail (by its GUID), the message is copied from
   there instead of being re-saved. (This isn't efficient enough yet
   for incremental replication.)
 + dsync: -m parameter can now specify \Special-use names for mailboxes.
 + imapc: Added imapc_features=gmail-migration to help migrations from
   GMail. See http://wiki2.dovecot.org/Migration/Gmail
 + imapc: Added imapc_features=search to support IMAP SEARCH command.
   (Currently requires ESEARCH support from remote server.)
 + expire plugin: Added expire_cache=yes setting to cache most of the
   database lookups in dovecot index files.
 + quota: If overquota-flag in userdb doesn't match the current quota
   usage, execute a configured script.
 + redis dict: Added support for expiring keys (:expire_secs=n) and
   specifying the database number (:db=n)
 - auth: Don't crash if master user login is attempted without
   any configured master=yes passdbs
 - Parsing UTF-8 text for mails could have caused broken results
   sometimes if buffering was split in the middle of a UTF-8 character.
   This affected at least searching messages.
 - String sanitization for some logged output wasn't done properly:
   UTF-8 text could have been truncated wrongly or the truncation may
   not have happened at all.
 - fts-lucene: Lookups from virtual mailbox consisting of over 32
   physical mailboxes could have caused crashes.

- defined virtual user "vmail" for mailbox-access 
    and virtual mailstorage /srv/vmail defined.