notbugAs an Amazon Associate I earn from qualifying purchases.
Want a good read? Try FreeBSD Mastery: Jails (IT Mastery Book 15)

Current status

The server has been repaired, with a new power supply, for $23. I am waiting for lower COVID rates before visiting the datacenter to return it.
User login/updates are disabled as part of transition to git. Read details in our recent bog post - this is the old server.
non port: mail/dovecot-pigeonhole/distinfo

Number of commits found XX: 18

Wed, 6 Jan 2021
[ 14:58 pi ] Original commit   Revision:560527
560527 mail/dovecot-fts-xapian/Makefile
560527 mail/dovecot-pigeonhole/Makefile
560527 mail/dovecot-pigeonhole/distinfo
560527 mail/dovecot/Makefile
560527 mail/dovecot/distinfo
560527 mail/dovecot/pkg-plist
mail/dovecot: update -> 2.3.13, fix CVE in non-default config
mail/dovecot-pigeonhole: update 0.5.11 -> 0.5.13

- please note: option VPOPMAIl was removed from upstream

PR:		252415
Submitted by:	Evilham <>
Reviewed by:	fluffy
Approved by:	ler (maintainer)
MFH:		2021Q1
Security:	CVE-2020-24386, CVE-2020-25275
Fri, 14 Aug 2020
[ 00:27 ler ] Original commit   Revision:544857
544857 mail/dovecot-pigeonhole/Makefile
544857 mail/dovecot-pigeonhole/distinfo
544857 mail/dovecot/Makefile
544857 mail/dovecot/distinfo
544857 mail/dovecot/files/patch-configure
544857 mail/dovecot/files/patch-src_lib-fts_fts-filter-stemmer-snowball.c
544857 mail/dovecot/files/patch-src_lib-master_master-service.c
544857 mail/dovecot/files/patch-src_plugins_fts-lucene_SnowballFilter.h
544857 mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c
544857 mail/dovecot/pkg-plist
mail/dovecot, mail/dovecot-pigeonhole: upgrade to and 0.5.11,

dovecot changelog:
* CVE-2020-12100: Parsing mails with a large number of MIME parts could
  have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  message buffer size, which leads to reading past allocation which can
  lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
  zero-length message, which leads to assert-crash later on.
* Events: Fix inconsistency in events. See event documentation in
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Mon, 9 Mar 2020
[ 18:16 ler ] Original commit   Revision:528112
528112 mail/dovecot-pigeonhole/Makefile
528112 mail/dovecot-pigeonhole/distinfo
528112 mail/dovecot-pigeonhole/pkg-plist
mail/dovecot-pigeonhole: upgrade to 0.5.10.

- just to keep version numbers consistent
- fix some issues caused by a recent commit.
Wed, 4 Dec 2019
[ 17:59 ler ] Original commit   Revision:519037
519037 mail/dovecot-fts-xapian/Makefile
519037 mail/dovecot-pigeonhole/Makefile
519037 mail/dovecot-pigeonhole/distinfo
519037 mail/dovecot-pigeonhole/pkg-plist
519037 mail/dovecot/Makefile
519037 mail/dovecot/distinfo
519037 mail/dovecot/files/patch-src_lib-master_master-service.c
519037 mail/dovecot/files/patch-src_lib_net.c
519037 mail/dovecot/files/patch-src_master_main.c
519037 mail/dovecot/pkg-plist
mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.9, 0.5.9 respectively.

Bump PORTREVISION of mail/dovecot-fts-xapian for version change of dovecot.

* Changed several event field names for consistency and to avoid
  conflicts in parent-child event relationships:
   * SMTP server command events: Renamed "name" to "cmd_name"
   * Events inheriting from a mailbox: Renamed "name" to "mailbox"
   * Server connection events have only "remote_ip", "remote_port",
     "local_ip" and "local_port".
   * Removed duplicate "client_ip", "ip" and "port".
   * Mail storage events: Removed "service" field.
     Use "service:<name>" category instead.
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Tue, 8 Oct 2019
[ 21:56 ler ] Original commit   Revision:514106
514106 mail/dovecot-pigeonhole/Makefile
514106 mail/dovecot-pigeonhole/distinfo
514106 mail/dovecot/Makefile
514106 mail/dovecot/distinfo
514106 mail/dovecot/pkg-plist
mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.8 and 0.5.8 respectively.

release notes:

+ Added mail_delivery_started and mail_delivery_finished events, see for details.
+ dsync-replication: Don't replicate users who have "noreplicate" extra
field in userdb.
+ doveadm service status: Show total number of processes created.
+ When logging to syslog, use instance_name setting's value for the
ident. This commonly is added as a log prefix.
+ Base64 encoding/decoding code was rewritten with additional features.
It shouldn't cause any user visible changes.
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Wed, 28 Aug 2019
[ 15:59 ler ] Original commit   Revision:510075
510075 mail/dovecot-pigeonhole/Makefile
510075 mail/dovecot-pigeonhole/distinfo
510075 mail/dovecot/Makefile
510075 mail/dovecot/distinfo
mail/dovecot,mail/dovecot-pigeonhole: fix CVE-2019-11500

* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
  when scanning data in quoted strings, leading to out of bounds heap
  memory writes. Found by Nick Roessler and Rafi Rubin.

MFH:		2019Q3
Security:	CVE-2019-11500
Tue, 23 Jul 2019
[ 14:26 ler ] Original commit   Revision:507215
507215 mail/dovecot-pigeonhole/Makefile
507215 mail/dovecot-pigeonhole/distinfo
507215 mail/dovecot/Makefile
507215 mail/dovecot/distinfo
507215 mail/dovecot/files/patch-src_lib-storage_mail-storage.c
507215 mail/dovecot/files/patch-src_lib_ostream-file.c
mail/dovecot, mail/dovecot-pigeonhole: upgrade to and

These releases fix the reported regressions in v2.3.7 & v0.5.7.

Dovecot core:
        - Fix TCP_NODELAY errors being logged on non-Linux OSes
        - lmtp proxy: Fix assert-crash when client uses BODY=8BITMIME
        - Remove wrongly added checks in namespace prefix checking

        - dsync: Sieve script syncing failed if mailbox attributes weren't
Fri, 12 Jul 2019
[ 13:20 ler ] Original commit   Revision:506460
506460 mail/dovecot-pigeonhole/Makefile
506460 mail/dovecot-pigeonhole/distinfo
506460 mail/dovecot/Makefile
506460 mail/dovecot/distinfo
506460 mail/dovecot/pkg-plist
mail/dovecot, mail/dovecot-pigeonhole: Update to 2.3.7 and 0.5.7 respectively.

dovecot changelog:
* fts-solr: Removed break-imap-search parameter
+ Added more events for the new statistics, see
+ mail-lua: Add IMAP metadata accessors, see
+ Add event exporters that allow exporting raw events to log files and
  external systems, see
+ SNIPPET is now PREVIEW and size has been increased to 200 characters.
+ Add body option to fts_enforced. This triggers building FTS index only
  on body search, and an error using FTS index fails the search rather
  than reads through all the mails.
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Tue, 30 Apr 2019
[ 21:33 ler ] Original commit   Revision:500569
500569 mail/dovecot-pigeonhole/Makefile
500569 mail/dovecot-pigeonhole/distinfo
500569 mail/dovecot/Makefile
500569 mail/dovecot/distinfo
500569 mail/dovecot/files/patch-src_lib-master_test-event-stats.c
500569 mail/dovecot/files/patch-src_lib-sql_driver-mysql.c
500569 mail/dovecot/files/patch-src_plugins_fts-solr_solr-connection.c
mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.6, 0.5.6 respectively.

Dovecot changelog:
* CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer
access when authentication was aborted by disconnecting.
* CVE-2019-11499: Submission-login crashed when authentication was started over
TLS secured channel and invalid authentication message was sent.
* auth: Support password grant with passdb oauth2.
+ Use system default CAs for outbound TLS connections.
+ Simplify array handling with new helper macros.
+ fts_solr: Enable configuring batch_size and soft_commit features.
- lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when
XCLIENT commands were sent infinitely to the remote server.
- lmtp/submission: Forwarded multi-line replies were erroneously sent as two
replies to the client.
- lib-smtp: client: Message was not guaranteed to contain CRLF consistently when
CHUNKING was used.
- fts_solr: Plugin was no longer compatible with Solr 7.
- Make it possible to disable certificate checking without setting
ssl_client_ca_* settings.
- pop3c: SSL support was broken.
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Tue, 5 Mar 2019
[ 23:34 ler ] Original commit   Revision:494752
494752 mail/dovecot-pigeonhole/Makefile
494752 mail/dovecot-pigeonhole/distinfo
494752 mail/dovecot/Makefile
494752 mail/dovecot/distinfo
494752 mail/dovecot/files/patch-src_lib-master_test-event-stats.c
494752 mail/dovecot/pkg-plist
mail/dovecot and mail/dovecot-pigeonhole upgrade to 2.3.5 and 0.5.5 respectively

dovecot changelog:
+ Lua push notification driver: mail keywords and flags are provided in
MessageNew and MessageAppend events.
+ submission: Implement support for plugins.
+ auth: When auth_policy_log_only=yes, only log what the policy server response
would do without actually doing it.
+ auth: Always log policy server decisions with auth_verbose=yes
- v2.3.[34]: doveadm log errors: Output was missing user/session
- lda: Debug log lines could have shown slightly corrupted
- login proxy: Login processes may have crashed in various ways when
login_proxy_max_disconnect_delay was set.
- imap: Fix crash with Maildir+zlib if client disconnects during APPEND
- lmtp proxy: Fix potential assert-crash
- lmtp/submission: Fix crash when SMTP client transaction times out
- submission: Split large XCLIENT commands to 512 bytes per command, so Postfix
accepts them.
- submission: Fix crash when client sends invalid BURL command
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Fri, 23 Nov 2018
[ 15:12 ler ] Original commit   Revision:485675
485675 mail/dovecot-pigeonhole/Makefile
485675 mail/dovecot-pigeonhole/distinfo
485675 mail/dovecot/Makefile
485675 mail/dovecot/distinfo
485675 mail/dovecot/files/patch-src_lib-master_test-event-stats.c
485675 mail/dovecot/files/patch-src_master_main.c
mail/dovecot update to 2.3.4, mail/dovecot-pigeonhole to 0.5.4

dovecot change log:
* The default postmaster_address is now "postmaster@<user domain or
   server hostname>". If username contains the @domain part, that's
   used. If not, then the server's hostname is used.
* "doveadm stats dump" now returns two decimals for the "avg" field.

+ Added push notification driver that uses a Lua script
+ Added new SQL, DNS and connection events.
+ Added "doveadm mailbox cache purge" command.
+ Added events API support for Lua scripts
+ doveadm force-resync -f parameter performs "index fsck" while opening
   the index. This may be useful to fix some types of broken index files.
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Mon, 1 Oct 2018
[ 23:18 ler ] Original commit   Revision:481076
481076 mail/dovecot-pigeonhole/Makefile
481076 mail/dovecot-pigeonhole/distinfo
481076 mail/dovecot/Makefile
481076 mail/dovecot/distinfo
481076 mail/dovecot/files/patch-src_master_main.c
481076 mail/dovecot/pkg-plist
mail/dovecot upgrade to 2.3.3, mail/dovecot-pigeonhole upgrade to 0.5.3.

dovecot changelog:
* doveconf hides more secrets now in the default output.
* ssl_dh setting is no longer enforced at startup. If it's not set and
   non-ECC DH key exchange happens, error is logged and client is

+ Added log_debug=<filter> setting.
+ Added log_core_filter=<log filter> setting.
+ quota-clone: Write to dict asynchronously
+ --enable-hardening attempts to use retpoline Spectre 2 mitigations
+ lmtp proxy: Support source_ip passdb extra field.
+ doveadm stats dump: Support more fields and output stddev by default.
+ push-notification: Add SSL support for OX backend.
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Fri, 29 Jun 2018
[ 16:36 ler ] Original commit   Revision:473557
473557 mail/dovecot-pigeonhole/Makefile
473557 mail/dovecot-pigeonhole/distinfo
473557 mail/dovecot-pigeonhole/pkg-plist
473557 mail/dovecot/Makefile
473557 mail/dovecot/distinfo
473557 mail/dovecot/files/patch-UPSTREAM-opensmtpd
473557 mail/dovecot/files/patch-src_doveadm_client-connection-tcp.c
473557 mail/dovecot/pkg-plist
mail/dovecot, mail/dovecot-pigeonhole: upgrade to 2.3.2 and 0.5.2 respectively

dovecot changelog:
v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as
well as a bunch of other fixes (mainly for v2.3-only bugs). Binary packages are
already in

* old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while
   opening /proc/self/io. This may still cause security problems if the
   process is ptrace()d at the same time. Instead, open it while still
   running as root.
+ doveadm: Added mailbox cache decision&remove commands. See
   doveadm-mailbox(1) man page for details.
+ doveadm: Added rebuild attachments command for rebuilding
   $HasAttachment or $HasNoAttachment flags for matching mails. See
   doveadm-rebuild(1) man page for details.
+ cassandra: Use fallback_consistency on more types of errors
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Sun, 1 Apr 2018
[ 17:10 adamw ] Original commit   Revision:466172
466172 mail/dovecot-pigeonhole/Makefile
466172 mail/dovecot-pigeonhole/distinfo
466172 mail/dovecot-pigeonhole/pkg-plist
466172 mail/dovecot/Makefile
466172 mail/dovecot/distinfo
466172 mail/dovecot/files/
466172 mail/dovecot/files/
466172 mail/dovecot/pkg-plist
Update dovecot to 2.3.1, and dovecot-pigeonhole to 0.5.1

This is a very large update, and it WILL require manually
updating existing conf files, though the changes to do so
are not extensive. Updating instructions are here:

Additionally there are various cleanups to the dovecot rc(8)
script, and support for a LUA scripting interface for dovecot.

The decision was made not to import the 2.3.0 or releases
here, due to the number of existing bugs. ler and I have been
dogfooding it for months now, and all of the bugs I've encountered
are fixed in this 2.3.1 release.

This update is the result of many, many hours of collborative work
between ler and me, and the input of many people on the freebsd-ports
Tue, 20 Mar 2018
[ 00:25 ler ] Original commit   Revision:465041
465041 mail/dovecot-pigeonhole/Makefile
465041 mail/dovecot-pigeonhole/distinfo
mail/dovecot-pigeonhole: upgrade to 0.4.23:
- editheader extension: Corrected the stream position calculations
  performed while making the modified message available as a stream.
  Pigeonhole Sieve crashed in LMTP with an assertion panic when the
  Sieve editheader extension was used before the message was redirected.
  Experiments indicate that the problem occurred only with LMTP and that
  LDA is not affected.
- fileinto extension: Fix assert panic occurring when fileinto is used
  without being listed in the require line, while the copy extension is
  listed there. This is a very old bug.
- imapsieve plugin: Do not log an error for messages that disappear
  concurrently while applying Sieve scripts. This is a further
  improvement on the imapsieve fix in the previous release (which fixed
  a panic). This event is now logged as a debug message.
Fri, 2 Mar 2018
[ 18:05 ler ] Original commit   Revision:463423
463423 mail/dovecot-pigeonhole/Makefile
463423 mail/dovecot-pigeonhole/distinfo
mail/dovecot-pigeonhole: upgrade to v0.4.22.

- Fixed filesystem path handling problem: sieve plugin could have
  assert-crashed with specific path lengths with: "Panic: file
  realpath.c: line 86 (path_normalize): assertion failed: (npath_pos +
  1 < npath + asize)".
- Sieve extprograms plugin: Large output from "execute" command crashed
  delivery. Fixed buffering issue in code that handles output from the
  external program.
- editheader extension: Extensively reworked the low-level
  implementation of adding and removing headers. This solves a few
  integer arithmetic problems reported by Clang runtime checks, but also
  improves code structure and reliability in general.
- imapsieve: Fix assert crash occurring when selected messages are
  expunged concurrently by the time Sieve filter is to be applied.
- imap4flags extension: Fix binary byte-code corruption occurring when
  the setflag, addflag, or removeflag command's flag-list is a variable.
- enotify extension: mailto method: Fixed parsing of mailto URI with
  only a header part.
- enotify extension: mailto method: Make sure "From:" header is set to a
  usable address and not "(null)".
- Fixed writing address headers to outgoing messages. It sometimes
  erroneously applied another layer of MIME header encoding.
Thu, 12 Oct 2017
[ 21:16 ler ] Original commit   Revision:451929
451929 mail/dovecot-pigeonhole/Makefile
451929 mail/dovecot-pigeonhole/distinfo
mail/dovecot-pigeonhole: update to 0.4.21.

Changelog v0.4.21:

* redirect action: Always set the X-Sieve-Redirected-From header to
  sieve_user_email if configured. Before, it would use the envelope
  recipient instead if available, which makes no sense if the primary
  e-mail address is available.
+ vacation extension: Allow ignoring the envelope sender while composing
  the "To:" header for the reply. Normally, the "To:" header is composed
  from the address found in the "Sender", "Resent-From" or "From"
  headers that is equal to the envelope sender. If none is then found,
  the bare envelope sender is used. This change adds a new setting
  "sieve_vacation_to_header_ignore_envelope". With this setting enabled,
  the "To:" header is always composed from those headers in the source
(Only the first 15 lines of the commit message are shown above View all of this commit message)
Sun, 27 Aug 2017
[ 14:34 ler ] Original commit   Revision:448822
448822 mail/dovecot-pigeonhole/Makefile
448822 mail/dovecot-pigeonhole/distinfo
mail/dovecot-pigeonhole: upgrade to 0.4.20.
Changelog v0.4.20:

+ Made the retention period for redirect duplicate identifiers
  configurable. For accounts that perform many redirects, the lda-dupes
  database could grow to impractical sizes. Changed the default
  retention period from 24 to 12 hours.
- sieve-filter: Fixed memory leak: forgot to clean up script binary at
  end of execution. Normally, this would merely be an inconsequential
  memory leak. However, when the script comes from an LDAP storage, this
  would cause io leak warnings.
- managesieve-login: Fixed handling of AUTHENTICATE command. A second
  authenticate command would be parsed wrong. This problem was caused by
  changes in the previous release.
- LDA Sieve plugin: Fixed minor memory leak caused by not cleaning up
  the sieve_discard script.

Number of commits found XX: 18

User Login
Create account

Servers and bandwidth provided by
New York Internet, iXsystems, and RootBSD

This site
What is FreshPorts?
About the authors
How big is it?
Security Policy

Enter Keywords:

Latest Vulnerabilities
samba411Mar 28
samba412Mar 28
samba413Mar 28
linux-c7-nettleMar 27
nettleMar 27
opensslMar 26
spamassassinMar 24
giteaMar 23
giteaMar 21
dnsmasqMar 18
dnsmasq-develMar 18
gitlab-ceMar 18
minioMar 17
chromiumMar 16
libresslMar 16

12 vulnerabilities affecting 72 ports have been reported in the past 14 days

* - modified, not new

All vulnerabilities

Last updated:
2021-03-28 22:40:29

Deleted ports
Sanity Test Failures

NEW Graphs (Javascript)

Calculated hourly:
Port count 42809
Broken 73
Deprecated 286
Ignore 313
Forbidden 4
Restricted 137
Vulnerable 22
Expired 118
Set to expire 262
Interactive 0
new 24 hours 0
new 48 hours0
new 7 days0
new fortnight0
new month48

Servers and bandwidth provided by
New York Internet, iXsystems, and RootBSD
Valid HTML, CSS, and RSS.
Copyright © 2000-2021 Dan Langille. All rights reserved.