Earlier this week I was preparing a staging environment (on our live servers, so yes, that makes me TRWTF I guess) that required PHP 8.4. The servers were still running 8.2, but that upgrade was a bit overdue anyway, so I decided to run a dist-upgrade. After all, I’d been running 8.4 on dev for a while, so what could possibly go wrong?
Well, Dovecot could go wrong. I noticed the update, but it was from 2.3 to 2.4, so minor version, right? Not much could have changed, right? RIGHT?
Wrong.
This update completely (and I mean completely) overhauled the configuration syntax. Meaning that – essentially – our mail server was broken afterwards. Because fuck you backwards compatibility. Ugh. So I plunged into the official documentation. Which turned out to be not up-to-date. Or, ahead-of-date. Or something in-between. In short, not helpful.
After some head-scratching I decided I am one of the cool kids (or, at least, a cool middle aged man) and I would ask ChatGPT for help. Hey, what else could go wrong?
Oh boy.
I explicitly mentioned I was upgrading to Dovecot 2.4, which ChatGPT acknowledged was a breaking change (multiple times!). It then kept advising me <=2.3 legacy syntax. This went on, I kid you not, for about a day (not full-time of course). Eventually, I managed to figure out (by myself) that the old %u, %n, %d etc. placeholders in SQL queries got superseded by %{user} and variants. Thank you Dovecot for not pointing that out to me in big, red letters. (And thank you ChatGPT for not telling me that until I figured it out by myself – “you’re absolutely right, these have been replaced by…” OF COURSE I’M FUCKING ABSOLUTELY RIGHT, I AM A HUMAN!!!1)
Anyway.
So I had that part working, but my mail users still couldn’t log in. Looking at the logs, the issue seemed to be that the MD5 “encryption” I’d been using for years was somehow deemed “insecure”.
Yes, I know MD5 is crappy encryption, but this was a mailserver with auto-generated passwords. Not a flying fuck was given. Except by Dovecot, which was suddenly flat-out refusing to authenticate, even though it fucking advertised supporting MD5 (yes, in doveadm output).
Despite my earlier dubious experiences, I decided to ask ChatGPT again, out of morbid curiosity. And it seems like it actually got it right this time: prohibiting MD5 seems to be a hard-coded limitation of Dovecot 2.4, despite it advertising it supports it. I poured another wine, lit another cigarette and started converting the most important mail accounts to SHA (the rest will complain later, I guessed).
All’s well that ends well? No, not quite. Though I could log in to the server via IMAP now, and I could read my email, and send mail, mails weren’t being received by the server. So something else had changed.
Turns out (after a bit more head-scratching and ChatGPT “help”) that Dovecot now defaults to “stripping the domain name off of the receiving email address, since Linux systems default to usernames”. Yes it had a comment I should probably remove that if I was using something smarter. No, that’s not a helpful default. And it got introduced with no warning.
Tl;dr: upgrading to Dovecot 2.4 is a bumpy ride, at best. ChatGPT is not much help. And alcohol is an invaluable beverage.
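The placeholder change described above can be checked for before an upgrade. The following is an added example, not part of the original post and not Dovecot tooling: a small scanner that flags legacy %u, %n and %d variables in configuration text and rewrites them. Only %{user} is named in the post; the %n and %d replacements are taken from the Dovecot 2.4 variable documentation, and the function names and sample configuration are constructed for illustration.

```python
import re

# Legacy short-form variables named in the post and their 2.4 long forms.
# Only %{user} appears in the post; the other two are assumptions taken
# from the Dovecot 2.4 variable documentation.
REPLACEMENTS = {
    "u": "%{user}",
    "n": "%{user | username}",
    "d": "%{user | domain}",
}

# "%%" (literal percent) and "%{...}" (already long form) are listed first
# so they are consumed by the match and never reported as legacy.
TOKEN = re.compile(r"%%|%\{[^}]*\}|%([A-Za-z])")


def find_legacy_variables(config_text):
    """Return (line_no, token, suggestion) for every short-form variable.

    suggestion is None for letters outside REPLACEMENTS (for example the
    modifier in "%Lu"); those need manual review.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip whole-line comments
            continue
        for m in TOKEN.finditer(line):
            if m.group(1) is not None:
                findings.append((line_no, m.group(0), REPLACEMENTS.get(m.group(1))))
    return findings


def rewrite(config_text):
    """Rewrite the known variables, leaving comments and unknown tokens alone."""
    def swap(m):
        return REPLACEMENTS.get(m.group(1), m.group(0)) if m.group(1) else m.group(0)

    out = []
    for line in config_text.splitlines(keepends=True):
        out.append(line if line.lstrip().startswith("#") else TOKEN.sub(swap, line))
    return "".join(out)


# Constructed sample in 2.3-style SQL query syntax (not from the post).
SAMPLE = """\
# constructed 2.3-style SQL queries
password_query = SELECT password FROM users WHERE email = '%u'
user_query = SELECT home FROM users WHERE local = '%n' AND domain = '%d'
note = 100%% done, already new: %{user}
"""

if __name__ == "__main__":
    for line_no, token, suggestion in find_legacy_variables(SAMPLE):
        print(f"line {line_no}: {token} -> {suggestion or 'review manually'}")
```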