Cherry pick/dovecot/documentation release 3.1

data/settings.js

@@ -7372,6 +7372,11 @@ The details of how this setting works depends on the used protocol:
 
 	mail_access_groups: {
 		values: setting_types.BOOLLIST,
+		default: '[[setting,default_internal_group]]',
+		changed: {
+			settings_mail_access_groups_changed: `
+Changed from empty to [[setting,default_internal_group]].`
+		},
 		text: `
 Supplementary groups that are granted access for mail processes.
 

data/updates.js

@@ -82,6 +82,7 @@ export const updates = {
 	variables_login_variables_protocol: '2.4.0',
 	variables_owner_user_added: '2.4.0',
 	var_expand: '2.4.0',
+	variables_oauth2: '2.4.3',
 
 	/* Tags used in doveadm.js */
 
@@ -144,6 +145,7 @@ export const updates = {
 	settings_inet_listener_type_added: '2.4.0',
 	settings_login_socket_path_added: '2.4.0',
 	settings_lmtp_user_concurrency_limit_changed: '2.4.1',
+	settings_mail_access_groups_changed: '2.4.3',
 	settings_mail_attachment_sis_option_changed: '2.4.0',
 	settings_mail_cache_max_headers_count_added: '2.4.0',
 	settings_mail_cache_max_header_name_length_added: '2.4.0',

docs/core/config/auth/databases/ldap.md

@@ -395,14 +395,13 @@ userdb ldap {
 
 ### User Iteration
 
-For using `doveadm -A` or `-u` with wildcards:
+For using `doveadm -A` or `-u` with wildcards you need to configure the userdb
+to support user iteration. This is done by adding
+[[setting,userdb_ldap_iterate_filter]] and
+[[setting,userdb_ldap_iterate_fields]] settings to the userdb:
 ```
-ldap_uris = ldap://ldap.example.org
-ldap_auth_dn = cn=admin,dc=example,dc=org
-ldap_auth_dn_password = secret
-ldap_base = dc=example,dc=org
-
 userdb ldap {
+  # filter = ...
   iterate_filter = (objectClass=posixAccount)
   iterate_fields {
     user = %{ldap:uid}

docs/core/config/auth/databases/oauth2.md

@@ -132,7 +132,7 @@ oauth2 {
   introspection_mode = post
   username_attribute = username
   fields {
-    pass = %{oauth2:access_token}
+    pass = %{token}
   }
 }
 
@@ -145,7 +145,7 @@ passdb oauth2 {
       host = 127.0.0.1
       proxy = y
       proxy_mech = xoauth2
-      pass = %{passdb:token}
+      pass = %{oauth2:access_token}
     }
   }
 }

docs/core/settings/variables.md

@@ -331,6 +331,8 @@ See also:
 | `client_id` | If [[setting,imap_id_retain]] is enabled this variable is populated with the client ID request as IMAP arglist. For directly logging the ID see the [[event,imap_id_received]] event. |
 | `passdb:forward_<name>` | Used by proxies to pass on extra fields to the next hop, see [[link,auth_forward_fields]]. |
 | `id` | Internal ID number of the current passdb/userdb. |
+| `token` | Used OAUTH2 token. This is only present in [[setting,oauth2_fields]]. [[added,variables_oauth2]] |
+| `oauth2:<name>` | Return oauth2 field "name". This is only present in [[setting,oauth2_fields]]. |
 
 ## Conditionals
 

docs/installation/upgrade/2.4-to-2.4.x.md

@@ -39,3 +39,22 @@ changed to `2.4.2`.
 | [[setting,mail_attachment_detection_options]] |  | `add-flags content-type=!application/signature` | |
 | `service/anvil/unix_listener/anvil/mode` | `0600` | `0660` |
 | `service/anvil/unix_listener/anvil/group` | (empty = root) | `$SET:default_internal_group` |
+
+### v2.4.2 to v2.4.3
+
+#### Changed Setting Defaults
+
+These changes don't take effect until [[setting,dovecot_config_version]] is
+changed to `2.4.3`.
+
+| Setting | Old Default Value | New Default Value |
+| ------- | ----------------- | ----------------- |
+| [[setting,mail_access_groups]] |  | [[setting,default_internal_group]] |
+| `service/doveadm/service_extra_groups` | [[setting,default_internal_group]] | |
+| `service/imap/service_extra_groups` | [[setting,default_internal_group]] | |
+| `service/imap-urlauth-worker/service_extra_groups` | [[setting,default_internal_group]] | |
+| `service/indexer-worker/service_extra_groups` | [[setting,default_internal_group]] | |
+| `service/lmtp/service_extra_groups` | [[setting,default_internal_group]] | |
+| `service/pop3/service_extra_groups` | [[setting,default_internal_group]] | |
+| `service/submission/service_extra_groups` | [[setting,default_internal_group]] | |
+| `service/managesieve/service_extra_groups` | [[setting,default_internal_group]] | |

docs/installation/upgrade/include/2.4-default-settings.inc

@@ -1,7 +1,7 @@
 | [[setting,imapc_features]] | Features "delay-login", "search", "fetch-headers", "fetch-bodystructure", "fetch-size" by default. Enable "acl" and "modseq" by default, if the remote server supports it. |
 | [[setting,mail_cache_max_headers_count]] | unlimited | 100 | New feature, explicitly set to `0` for the old behavior. |
 | [[setting,mail_cache_max_header_name_length]] | unlimited | 100 | New feature, explicitly set to `0` for the old behavior. |
-| [[setting,mail_log_prefix]] | `%s(%u)<%{pid}><%{session}>:` | `%{protocol}(%{user})<%{process:pid}><%{session}>:` | New variable expansion syntax. |
+| [[setting,mail_log_prefix]] | `%s(%u)<%{pid}><%{session}>:` | `%{service}(%{user})<%{process:pid}><%{session}>:` | New variable expansion syntax. |
 | [[setting,mailbox_list_drop_noselect]] | `no` | `yes` | `\NoSelect` folders are now dropped by default. |
 | `service/anvil/chroot` | empty | \<no value\> | Anvil is no longer chrooted. |
 | `service/anvil/user` | $default_internal_user | \<no value\> | Anvil runs as root. |

docs/installation/upgrade/include/2.4-var-expand.inc

@@ -23,7 +23,7 @@ the "user" variable and applies the "domain" filter for it.
 | `%n` | `%{user \| username }` |
 | `%p` | `%{client_pid }` |
 | `%r` | `%{remote_ip }` |
-| `%s` | `%{protocol}` |
+| `%s` | `%{protocol}` for login & auth settings, `%{service}` for storage settings |
 | `%u` | `%{user}` |
 | `%w` | `%{password}` |
 
@@ -58,7 +58,7 @@ the "user" variable and applies the "domain" filter for it.
 | `%{real_rport}` | `%{real_remote_port}` |
 | `%{rip}` | `%{remote_ip}` |
 | `%{rport}` | `%{remote_port }` |
-| `%{service}` | `%{protocol}` |
+| `%{service}` for login & auth settings (but not storage settings) | `%{protocol}` |
 
 ##### Shared namespace variables