The Dovecot team has released Dovecot 2.4.3, a stable update for this widely used open-source IMAP and POP3 server. This release notably improves UTF-8 support for mail storage, enabling better handling of internationalized email content and ensuring full Unicode compatibility.
At the same time, the update continues development of experimental features in the 2.4 series, including optional support for mail UTF-8 and IMAP4rev2, which require explicit enablement during build and configuration.
On the security side, this release resolves several high-impact security vulnerabilities, including SQL and LDAP injection risks stemming from misconfigured authentication username restrictions, as well as a denial-of-service issue caused by invalid base64-encoded authentication input.
Additional fixes address excessive CPU and memory usage from crafted MIME parameters and IMAP input, as well as weaknesses in OTP authentication and credential verification.
Dovecot 2.4.3 introduces several functional improvements, including a new default UNIX socket for token-based authentication, expanded IMAP capabilities such as APPENDLIMIT and STATUS (DELETED) for IMAP4rev2, and enhanced IMAP client support for MIMEPART search, SORT, and ESORT extensions.
On top of that, the LMTP and submission proxy components now support extended XCLIENT parameters, and SQL handling is improved with parameterized queries.
This release also includes several configuration and behavior changes. The default service extra groups setting is replaced with mail access groups, and zero is no longer accepted as a synonym for unlimited values in multiple parameters. Expunge behavior during shutdown and timeout defaults in internal services has also been adjusted.
Finally, the update provides extensive bug fixes, including resolutions for build issues on BSD, Solaris, and macOS, authentication crashes and leaks, IMAP state handling problems, and parsing and boundary-checking errors in core libraries. Additional fixes address TLS handling in LDAP, compression-related crashes, and edge cases in HTTP and JSON processing.
For more details, see the release announcement or check out the project’s GitHub changelog.
Dovecot 2.4.3 is available as pre-built packages from the project repository and as official Docker images. Users upgrading from earlier 2.x versions should review the 2.3 to 2.4 upgrade documentation, especially regarding configuration changes and experimental features in the 2.4 branch.
