Cyrus IMAP 3.12.0-beta1 Release Notes
*************************************

Download from GitHub:

* https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-
  imapd-3.12.0-beta1/cyrus-imapd-3.12.0-beta1.tar.gz

* https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-
  imapd-3.12.0-beta1/cyrus-imapd-3.12.0-beta1.tar.gz.sig


Major changes since the 3.10 series
===================================

* Add "allowspecialusesubfolder" imapd.conf(5) option to permit
  special-use subfolders.  Thanks Michael Menge.

* Suppress duplicate calendar alarms in calalarmd.

* Add "caldav_alarm_suppress_file" imapd.conf(5) option to specify a
  file whose existence suppresses calalarmd processing

* Add "caldav_alarm_db_path" imapd.conf(5) option

* Add "caldav_alarm_support_components" imapd.conf(5) option to
  suppress alarms for all but select iCalendar component types.

* Added "--clearmodseq" option to ctl_conversationsdb(8)

* Optional I/O throttling, for testing

* The "DAV:principal-property-search" REPORT honours the previously
  set "DAV:displayname" property on matches.  Thanks Дилян Палаузов.

* Adds "fatals_abort" imapd.conf(5) option for fatal errors to abort
  and produce a core dump.

* The CalDAV and CardDAV HTML administration pages allow editing the
  "DAV:displayname" and "description" properties.  For calendars also
  the "color" and "order" properties.  Thanks Дилян Палаузов.

* Enables the calendar-timezone-id (**RFC 7809**) DAV property even if
  tzdist http module is disabled.

* Adds support for IMAP JMAPACCESS (**RFC 9698**).

* Adds the mboxgroups authorization mechanism for access control
  groups that are managed within Cyrus.

* Adds support for IMAP PARTIAL (**RFC 9394**) and INPROGRESS (**RFC
  9585**) extensions

* The IMAP parser now supports full 32-bit unsigned numbers

* Adds support for IMAP UTF8=ACCEPT (**RFC 6855**).  This extension
  will only be advertised and supported if BOTH "reject8bit" and
  "munge8bit" imapd.conf(5) options are disabled

* User-defined flags are now replicated even when not in use on any
  messages.

* Adds support for the HAProxy protocol.  The imapd(8), pop3d(8),
  lmtpd(8), nntpd(8), httpd(8), and timsieved(8) service daemons now
  accept a "-H" argument to enable this.

* Adds support for "comparator-i;unicode-casemap" (**RFC 5051**) to
  Sieve

* Running processes can now have debug logging toggled on/off by
  sending them SIGUSR1

* Updates the email address parser to preserve non-ASCII characters in
  the domain part.  To apply this to existing messages, reconstruct(8)
  the mailboxes with the "-G" option to force reparsing email headers.

* master(8) now restarts failing DAEMON processes, and SERVICE
  processes with the "babysit" flag, forever, with a short delay in
  case of recurring failures.  Previously, such processes that failed
  too many times in a short space of time were disabled until the
  operator sent a SIGHUP.

* Increased granularity of Prometheus report frequency configuration.

* Adds JMAP Email/query filter conditions "messageId", "references",
  and "inReplyTo".  See New JMAP Email/query filter conditions.

* Add a "skipuser-$userid" touchfile to sync directories.  See
  sync_client(8).

* Adds "replicaonly" imapd.conf(5) config option to mark a server as
  being only a replica, blocking non-silent writes, and deactivating
  calalarmd(8) processing.


Removed features
================

The following features and behaviours have been removed in 3.12.  If
your deployment depends on these, you should not upgrade to 3.12.

* The experimental Cyrus Backups feature has been removed.

* DIGEST-MD5 and NTLM are no longer supported in httpd.  You may need
  to remove DIGEST-MD5 from "sasl_mech_list" in imapd.conf(5).  Thanks
  Дилян Палаузов.

* The "improved_mboxlist_sort" imapd.conf(5) option had no effect
  since v3.6.  It is now deprecated.  Thanks Дилян Палаузов.

* timsieved(8) now always sends a capability response after a
  successful authentication, per **RFC 5804**.  The
  "sieve_sasl_send_unsolicited_capability" imapd.conf(5) option is now
  deprecated.  Thanks Дилян Палаузов.

* Support for the legacy IMAP XMOVE command has been removed.

* Removed Kerberos 4 support.  Thanks Дилян Палаузов.

* Removed MIT Kerberized POP3 support.  Thanks Дилян Палаузов.


Storage changes
===============

* None so far


Updates to default configuration
================================

The cyr_info(8) *conf*, *conf-all* and *conf-default* subcommands
accept an *-s <version>* argument to highlight imapd.conf(5) options
that are new or whose behaviour has changed since the specified
version.  We recommend using this when evaluating a new Cyrus version
to check which configuration options you will need to examine and
maybe set or change during the process.

* The "maxlogins_per_user" and "maxlogins_per_host" imapd.conf(5)
  options now apply per service, not globally.  So for example if you
  have "maxlogins_per_user: 5" and some user has 5 active IMAP
  sessions, the user will still be able to access HTTP services.

  The LMTP service now uses these limits too.  This can prevent
  resource starvation when a lot of mail is being delivered to a
  mailbox that is locked for a long time.  Instead of having many
  lmtpd(8) processes waiting on the lock, excess connections
  attempting delivery to the same mailbox will be deferred with a 4xx
  response.

* The "prometheus_update_freq" imapd.conf(5) option has been
  deprecated and replaced by "prometheus_service_update_freq",
  "prometheus_master_update_freq", and "prometheus_usage_update_freq",
  allowing these sets of statistics to be reported at different
  frequencies.  The relatively-expensive usage statistics are no
  longer reported by default.  To re-enable, configure a suitable
  update frequency for "prometheus_usage_update_freq".


Security fixes
==============

* Fixed Issue #5046: prevent Cyrus IMAP servers being used in
  Application Layer Protocol Confusion (ALPACA) attacks, particularly
  against web browsers


Significant bugfixes
====================

* Fixed Issue #1763: Adds a way to freeze an entire server temporarily
  while taking snapshots or similar, using cyr_withlock_run(8).  This
  relies on a new "global_lock" imapd.conf(5) option being enabled,
  which is enabled by default.  Whether or not this setting is
  enabled, you can also use "cyr_withlock_run --user" to run a command
  with a single user locked.

* Fixed Issue #5146: can't subscribe to shared mailbox when username
  is a prefix of owner's username

  Subscriptions databases will be upgraded the next time they're
  opened, and any bad entries due to the bug will be found and fixed.
  You can force this for a particular user by connecting to IMAP as
  them and issuing a command like ". LSUB "" "*"" or similar, but this
  will happen anyway during normal usage.
