Maintenance for Dovecot / Postfix
The concern over Log4J brought me here to check if either Dovecot or Postfix made use of this library. From what I've seen, this is NOT the case.
But I do have another concern: I'm unclear about the maintenance requirements for these two applications. I was able to install them after considerable difficulties, and have been avoiding them since! I did manage to upgrade to Ubuntu 20.4, but I'm wondering if Dovecot and Postfix are programs that are or aren't automatically upgrading. I first installed them in Dec. 2019, so it's been two years of trouble-free service.
The guide I originally used for installation was Linode's Email with Postfix, Dovecot and MySQL.
I don't see anything in it concerning guidelines for maintenance, only the initial installation.
6 Replies
✓ Best Answer
I checked the Makefiles for BOTH postfix and dovecot and there was no reference to 'log4j' or '4j' in either of them.
-- sw
What I've figured out so far:
One can get the version of dovecot with the following command:
dovecot --version
There is a URL for upgrading Dovecot, but at first glance I'm not seeing much in the way of instructions or guidelines, just notes on what has changed between versions. Also noteworthy, the downloads for Ubuntu only go up to 18.04, not 20.04.
I regularly update the system with apt-get update/upgrade. I do not know if upgrades to Dovecot are performed. My version is 2.3.7.2, but it seems the most current is 2.3.16.
For postfix, the command to find the version is unexpected:
postconf mail_version
I've not found anything obvious at the Postfix Howtos and FAQs. Perhaps I'm overlooking something obvious?
When I go to a download site, the "release notes" links look like they might have some pertinent information.
If you know of more clear-cut documentation pertaining to updating either of these programs, I would very much appreciate getting a link!
Hello,
Updating software to the latest stable versions on operating systems like Ubuntu can be problematic, given that they generally stick with a single version and patch it with security updates, if necessary. If you want to upgrade to the latest version, you have some options.
You can compile the software you want to upgrade from source, and manually install it rather than using a package manager. You could also enable the repositories for Ubuntu 21.10 to attempt to upgrade those specific programs, but you may run into incompatibility with different versions of glibc or other libraries, so I wouldn't recommend this option. The last option is switching from Ubuntu to an operating system that's more bleeding edge, like Arch Linux or one of its derivatives, which would ensure you're always on the latest versions of such software, for the most part.
I did attempt to do some research on upgrading Dovecot and Postfix on Ubuntu, but didn't come up with anything in particular that might be helpful. You could try what I mentioned above, perhaps one of those might help you. Compiling from source might be the best option if you don't want to switch to another operating system.
Good luck.
Blake
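Added example, not part of any post in this thread: a way to see whether the distribution's patched builds of Dovecot and Postfix are actually installed, by summarising `apt-cache policy` output per package. The function names `policy_status` and `sample_policy` are hypothetical, `dovecot-core` and `postfix` are assumed to be the installed package names, and the version strings and mirror hosts in the sample are constructed.

```shell
#!/bin/sh
# Added example: summarise `apt-cache policy` output read from stdin.
# Output columns: package installed candidate status security-pocket
policy_status() {
  awk '
    /^[^ ].*:$/ { pkg = substr($0, 1, length($0) - 1); order[++n] = pkg; next }
    $1 == "Installed:" { inst[pkg] = $2; next }
    $1 == "Candidate:" { cand[pkg] = $2; next }
    $1 == "***" { ver = $2; next }                 # installed entry in the version table
    NF == 2 && $2 ~ /^[0-9]+$/ { ver = $1; next }  # any other version entry
    /-security\// { sec[pkg, ver] = 1 }            # source line from the security pocket
    END {
      for (i = 1; i <= n; i++) {
        p = order[i]
        if (inst[p] == "(none)") s = "not-installed"
        else if (inst[p] == cand[p]) s = "current"
        else s = "update-pending"
        print p, inst[p], cand[p], s, (((p, cand[p]) in sec) ? "security" : "-")
      }
    }'
}

# Constructed sample of `apt-cache policy` output (versions and hosts are made up).
sample_policy() {
  cat <<'EOF'
dovecot-core:
  Installed: 1:2.3.7.2-1ubuntu3
  Candidate: 1:2.3.7.2-1ubuntu3.9
  Version table:
     1:2.3.7.2-1ubuntu3.9 500
        500 http://archive.example/ubuntu focal-updates/main amd64 Packages
        500 http://security.example/ubuntu focal-security/main amd64 Packages
 *** 1:2.3.7.2-1ubuntu3 500
        500 http://archive.example/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
postfix:
  Installed: 3.4.13-0ubuntu1
  Candidate: 3.4.13-0ubuntu1
  Version table:
 *** 3.4.13-0ubuntu1 500
        500 http://archive.example/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

# On a real host: apt-cache policy dovecot-core postfix | policy_status
sample_policy | policy_status
```

A row ending in `update-pending security` means a build from the security pocket is available but not yet installed; the upstream version number staying the same while the packaging suffix changes is how backported fixes appear.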
As far as I can tell, neither postfix (3.6.3) nor dovecot (2.3.17) do not use log4j.
-- sw
Hi @stevewi -
I appreciate your checking on this and answering, but the wording used is a bit confusing to me, as the "neither" in combination with "do not" can be read as a double negative, resulting in a positive, implying both DO use log4j.
I don't think that is your intention--just wanted to confirm.
Hi Blake (@tech10) -
I'm thinking, based on your feedback, that the main consideration, as far as safety goes for my postfix and dovecot programs, is to ensure that both are still receiving safety patches.
As far as I can tell, this is currently the case. I'll bet it's possible to ask on forums or support for the products.
In the future, I'm going to try to remember to pay more attention to upgrade tech before installing a service. It is very easy to be preoccupied with the immediate goal (getting something up and running) and not pay attention to how one might undo or upgrade. Tutorial writers seem vulnerable to the same oversight.