From ee0b0c2f75ce9d434032898ab13ebd1d71557b18 Mon Sep 17 00:00:00 2001
From: Rich Braun
Date: Thu, 29 Jan 2026 10:54:04 -0800
Subject: [PATCH 1/5] SYS-656 dovecot 2.4.1 image update

---
 images/dovecot/Dockerfile | 15 ++---
 images/dovecot/README.md | 30 ++++++++-
 images/dovecot/entrypoint-dovecot.sh | 4 +-
 images/dovecot/helm/Chart.yaml | 6 +-
 images/dovecot/helm/templates/configmap.yaml | 50 ++++++++-------
 images/dovecot/helm/values.yaml | 12 +++-
 k8s/Makefile.helm | 14 ++---
 k8s/Makefile.vars | 2 -
 k8s/global.yaml | 8 ---
 k8s/install/gitlab-rbac.yaml | 64 --------------------
 k8s/scripts/node_labels.sh.example | 2 -
 11 files changed, 78 insertions(+), 129 deletions(-)
 delete mode 100644 k8s/global.yaml
 delete mode 100644 k8s/install/gitlab-rbac.yaml

diff --git a/images/dovecot/Dockerfile b/images/dovecot/Dockerfile
index 17c72a4d..2b9cdd14 100644
--- a/images/dovecot/Dockerfile
+++ b/images/dovecot/Dockerfile
@@ -1,4 +1,4 @@
-FROM instantlinux/postfix:3.10.2-r0
+FROM instantlinux/postfix:3.10.5-r0
 ARG BUILD_DATE
 ARG VCS_REF
@@ -9,20 +9,21 @@ LABEL org.opencontainers.image.authors="Rich Braun docker@instantlinux.net" \ org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools ARG DOVECOT_VERSION=2.4.1-r2 +ARG PROCMAIL_VERSION=3.22-r4 ARG MKCERT_SHA=d1efad065f9ef34da372847ff4a4d5ffd86b97410b303d8a43ea25aa2119c86d - +ARG PROCMAIL_SHA=4ac9f21c3d7dbed5b32e7547da39f4d429de480679b4c856026caea39ca842f9 ENV LDAP_SECRETNAME=ldap-ro-password \ SSL_DH= -# TODO - procmail is missing from 3.12 repo, unsure if support ended -RUN echo '@old http://dl-cdn.alpinelinux.org/alpine/v3.11/main' \ - >>/etc/apk/repositories && \ +RUN cd /tmp && \ + wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/procmail-$PROCMAIL_VERSION.apk && \ + echo "$PROCMAIL_SHA procmail-$PROCMAIL_VERSION.apk" | sha256sum -c && \ apk add --no-cache dovecot=$DOVECOT_VERSION dovecot-ldap=$DOVECOT_VERSION \ - procmail@old && \ + procmail-$PROCMAIL_VERSION.apk openldap-clients && \ cd /usr/local/bin && \ wget -q https://raw.githubusercontent.com/dovecot/core/release-2.4.1/doc/mkcert.sh && \ echo "$MKCERT_SHA mkcert.sh" | sha256sum -c && \ - chmod 755 /usr/local/bin/mkcert.sh + rm /tmp/* && chmod 755 /usr/local/bin/mkcert.sh EXPOSE 143 993 VOLUME /etc/dovecot/conf.local /home /var/spool/mail diff --git a/images/dovecot/README.md b/images/dovecot/README.md index 9b64cd06..d914b0cf 100644 --- a/images/dovecot/README.md +++ b/images/dovecot/README.md @@ -11,7 +11,7 @@ Configuration is defined as files in a volume mounted as * Define your local settings as dovecot.conf. -* If you have an LDAP server, put its settings in dovecot-ldap.conf. The helm chart provided here can support either Active Directory or openldap. +* If you have an LDAP server, put its settings in passdb section of dovecot.conf. The helm chart provided here can support either Active Directory or openldap. * (Optional, to save startup time) generate a dh.pem file for TLS: ``` 
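Review bot: The removed `# TODO - procmail is missing from 3.12 repo` line was the only record of why procmail is fetched from the Alpine v3.11 tree, and nothing replaces it; since v3.11 is an end-of-life release that no longer receives security fixes, the pin deserves a comment such as `# procmail was dropped from Alpine after v3.11 (EOL, no further security fixes); the pinned .apk is checksummed below`. The `sha256sum -c` on the fetched file is the right shape, but `$PROCMAIL_SHA` is only ever compared against the x86_64 build, so any other architecture variant needs its own digest. `cd /tmp` and `cd /usr/local/bin` inside the RUN are what hadolint DL3003 flags; `WORKDIR` or `wget -O /tmp/…` would keep the working directory explicit. `openldap-clients` is also added to the runtime image here; if it is only there for interactive troubleshooting it widens the installed surface in production and could be noted as deliberate.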
@@ -39,6 +39,14 @@ make dovecot See the Makefile and Makefile.vars files under k8s directory for default values referenced within kubernetes.yaml. +To provide high availability across the cluster, the helm chart here includes an optional data-sync service to keep the inbox, mail and spool directories synchronized across 2 or more worker nodes. Minor data loss can occur when the service shifts from one worker to another, so this feature isn't recommended for large production deployments (when running on a cloud provider, simply use their block storage capabilities). That said, unison-based data-sync service has been rock-solid on a bare-metal cluster for years. + +Auth is the most challenging aspect of implementing dovecot. Use the following command from with the container to verify user authentication: +``` +doveadm auth login +``` +If using openldap, turn on log setting `BER` to view raw packet contents as you troubleshoot login from dovecot. + ### Variables | Variable | Default | Description | @@ -47,7 +55,7 @@ See the Makefile and Makefile.vars files under k8s directory for default values | SSL_DH | | Filename (in conf.local) of DH parameters | | TZ | UTC | time zone | -Need more configurability? Edit the ConfigMap defined in kubernetes.yaml. +Need more configurability? Edit the ConfigMap defined in the helm chart. ### Secrets 
@@ -65,3 +73,21 @@ If you want to make improvements to this image, see [CONTRIBUTING](https://githu ### Upgrade Notes * When upgrading to 2.3.14+, replace any references to `hash:` with `lmdb:` in your config files. + +* When upgrading to 2.4+, there are a lot of gratuitous [config-directive changes](https://doc.dovecot.org/main/installation/upgrade/2.3-to-2.4.html). The Docker image doesn't contain configs but the helm chart provided here has a configmap template that contains the following changes: + +|Helm var|2.3|2.4|Notes| +|uris|hosts | ldap_uris | becomes ldap://:389 | +| |ldap_version| (unchanged)| | +|base|base| ldap_base| | +|bind|auth_bind| ldap_bind | | +|bind_userdn|auth_bind_userdn|ldap_bind_userdn | | +|tls|tls|ldap_starttls | | +| | |dovecot_config_version|new| +| | |dovecot_storage_version|new| +|filter| |ldap_filter|now required| +| |args|(removed)|directives moved to passdb config| +| |address|listen| | +| |ssl_cert|ssl_server_cert_file|angle bracket removed| +| |ssl_dh|ssl_server_dh_file|angle bracket removed| +| |ssl_key|ssl_server_key_file|angle bracket removed| diff --git a/images/dovecot/entrypoint-dovecot.sh b/images/dovecot/entrypoint-dovecot.sh index efc009c3..c2e675ef 100755 --- a/images/dovecot/entrypoint-dovecot.sh +++ b/images/dovecot/entrypoint-dovecot.sh @@ -27,9 +27,9 @@ if [ -s $ETC/conf.local/dovecot.conf ]; then fi if [ -z "$SSH_DH" ]; then openssl dhparam -dsaparam -out $ETC/dh.pem 4096 - echo "ssl_dh = <$ETC/dh.pem" >> $ETC/dovecot.conf + echo "ssl_server_dh_file = $ETC/dh.pem" >> $ETC/dovecot.conf else - echo "ssl_dh = <$ETC/conf.local/$SSH_DH" >> $ETC/dovecot.conf + echo "ssl_server_dh_file = $ETC/conf.local/$SSH_DH" >> $ETC/dovecot.conf fi if [ -s $ETC/conf.local/dovecot-ldap.conf ]; then cp $ETC/conf.local/dovecot-ldap.conf $ETC diff --git a/images/dovecot/helm/Chart.yaml b/images/dovecot/helm/Chart.yaml index 32209515..f2d74e1a 100644 --- a/images/dovecot/helm/Chart.yaml +++ b/images/dovecot/helm/Chart.yaml 
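Review bot: The guard `if [ -z "$SSH_DH" ]` and the `$SSH_DH` path in the rewritten else-branch echo test a variable named SSH_DH, while the Dockerfile in this same series exports `SSL_DH` and the README documents `SSL_DH` as the DH-parameter filename, so unless SSH_DH is assigned earlier in the script (outside this hunk) the user's file is never picked up and a 4096-bit dhparam is regenerated on every container start. Renaming to `if [ -z "$SSL_DH" ]; then` and `echo "ssl_server_dh_file = $ETC/conf.local/$SSL_DH" >> $ETC/dovecot.conf` would make the documented variable effective. The `if … fi` chain this hunk sits in begins before the hunk. The trailing `cp $ETC/conf.local/dovecot-ldap.conf $ETC` context line is presumably left over from the 2.3 `args =` indirection that the configmap change in this series drops; worth confirming it is still needed.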
@@ -6,9 +6,8 @@ sources: - https://github.com/instantlinux/docker-tools - https://github.com/vdukhovni/dovecot type: application -version: 0.1.12 - # appVersion: "2.4.1-r2" -appVersion: "2.3.21.1-r0" +version: 0.1.13 +appVersion: "2.4.2-r1" dependencies: - name: chartlib version: 0.1.8 @@ -16,3 +15,4 @@ dependencies: - name: data-sync version: 0.1.3 repository: https://instantlinux.github.io/docker-tools + condition: data-sync.enabled diff --git a/images/dovecot/helm/templates/configmap.yaml b/images/dovecot/helm/templates/configmap.yaml index 3f1634f8..9a2991a1 100644 --- a/images/dovecot/helm/templates/configmap.yaml +++ b/images/dovecot/helm/templates/configmap.yaml @@ -7,7 +7,8 @@ metadata: {{- include "local.labels" . | nindent 4 }} data: dovecot.conf: | - dovecot_config_version = 2.4 + dovecot_config_version = {{ .Values.version.config }} + dovecot_storage_version = {{ .Values.version.storage }} auth_mechanisms = plain login auth_allow_cleartext = no mail_access_groups = mail @@ -19,12 +20,29 @@ data: mail_debug = no first_valid_uid = 300 - passdb dovecot { + passdb ldap { driver = ldap - args = /etc/dovecot/dovecot-ldap.conf + ldap_uris = {{ .Values.ldap.uris }} + {{- if .Values.ldap.dn }} + ldap_dn = {{ .Values.ldap.dn }} + ldap_dnpass = PASSWORD + {{- end }} + ldap_version = {{ .Values.ldap.version }} + ldap_base = {{ .Values.ldap.base }} + ldap_bind = {{ .Values.ldap.bind }} + ldap_filter = {{ .Values.ldap.filter }} + {{- if .Values.ldap.bind_userdn }} + ldap_bind_userdn = {{ .Values.ldap.bind_userdn }} + {{- end }} + {{- if .Values.ldap.active_directory }} + ldap_user_attrs = sAMAccountName=home=/home/%$ + ldap_user_filter = (&(ObjectClass=user)(sAMAccountName=%{user})) + ldap_pass_filter = (&(ObjectClass=user)(sAMAccountName=%{user})) + {{- end }} + ldap_starttls = {{ .Values.ldap.tls }} } - userdb dovecot { - driver = passwd + userdb passwd { + use_worker = yes } service auth { user = root 
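Review bot: `ldap_dnpass = PASSWORD` now lands directly in dovecot.conf inside the ConfigMap, whereas before the bind password lived in the separate dovecot-ldap.conf referenced via `args =`; whatever step substitutes PASSWORD from the `LDAP_SECRETNAME` secret at startup (not visible here, and the entrypoint hunk in this series still copies dovecot-ldap.conf) must now rewrite dovecot.conf instead, otherwise the literal string is what dovecot binds with. The `active_directory` branch keeps 2.3-style names (`ldap_user_attrs`, `ldap_user_filter`, `ldap_pass_filter`) and the `%$` expansion alongside the new `ldap_filter` that the README table says is now required; confirm those against the 2.3-to-2.4 upgrade page the README links, since dovecot normally rejects an unknown setting at startup. With `ldap_uris` defaulting to plain `ldap://` per the README table and `ldap_starttls` driven by `.Values.ldap.tls`, a deployment that leaves tls off sends the bind DN password in cleartext on every authentication; a `# tls: true is strongly recommended, bind credentials travel in cleartext otherwise` comment next to that value in values.yaml would make the trade-off visible.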
@@ -36,33 +54,13 @@ data: } service imap-login { inet_listener imaps { - address = 0.0.0.0 + listen = 0.0.0.0 port = 993 ssl = yes } } - # ssl_cert = Date: Thu, 29 Jan 2026 11:07:51 -0800 Subject: [PATCH 2/5] SYS-656 wip --- images/dovecot/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/images/dovecot/Dockerfile b/images/dovecot/Dockerfile index 2b9cdd14..043e6ed4 100644 --- a/images/dovecot/Dockerfile +++ b/images/dovecot/Dockerfile @@ -18,8 +18,8 @@ ENV LDAP_SECRETNAME=ldap-ro-password \ RUN cd /tmp && \ wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/procmail-$PROCMAIL_VERSION.apk && \ echo "$PROCMAIL_SHA procmail-$PROCMAIL_VERSION.apk" | sha256sum -c && \ - apk add --no-cache dovecot=$DOVECOT_VERSION dovecot-ldap=$DOVECOT_VERSION \ - procmail-$PROCMAIL_VERSION.apk openldap-clients && \ + apk add --no-cache dovecot=$DOVECOT_VERSION dovecot-ldap=$DOVECOT_VERSION && \ + apk add --allow-untrusted procmail-$PROCMAIL_VERSION.apk && \ cd /usr/local/bin && \ wget -q https://raw.githubusercontent.com/dovecot/core/release-2.4.1/doc/mkcert.sh && \ echo "$MKCERT_SHA mkcert.sh" | sha256sum -c && \ From 8484061c4ee45d6a5ed82a17abfda8ab87fb495b Mon Sep 17 00:00:00 2001 From: Rich Braun Date: Thu, 29 Jan 2026 12:33:29 -0800 Subject: [PATCH 3/5] SYS-656 wip --- images/dovecot/Dockerfile | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/images/dovecot/Dockerfile b/images/dovecot/Dockerfile index 043e6ed4..7f5a4313 100644 --- a/images/dovecot/Dockerfile +++ b/images/dovecot/Dockerfile 
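Review bot: `apk add --allow-untrusted procmail-$PROCMAIL_VERSION.apk` turns off apk's signature verification for that package, so the `sha256sum -c` two lines above is the only integrity check the sideloaded file gets; a comment on that line should say so, e.g. `# sideloaded from the EOL v3.11 repo: apk cannot verify its signature, the sha256 check above is the only integrity check`. Splitting the install so that `--allow-untrusted` no longer applies to the dovecot packages is the right shape, but the second `apk add` also drops `--no-cache`; keeping the flag there too costs nothing and keeps the two lines consistent. The RUN instruction continues past the end of this hunk.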
@@ -12,12 +12,22 @@ ARG DOVECOT_VERSION=2.4.1-r2
 ARG PROCMAIL_VERSION=3.22-r4
 ARG MKCERT_SHA=d1efad065f9ef34da372847ff4a4d5ffd86b97410b303d8a43ea25aa2119c86d
 ARG PROCMAIL_SHA=4ac9f21c3d7dbed5b32e7547da39f4d429de480679b4c856026caea39ca842f9
+ARG TARGETARCH
 ENV LDAP_SECRETNAME=ldap-ro-password \
     SSL_DH=
 
 RUN cd /tmp && \
-    wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/procmail-$PROCMAIL_VERSION.apk && \
-    echo "$PROCMAIL_SHA procmail-$PROCMAIL_VERSION.apk" | sha256sum -c && \
+    case ${TARGETARCH} in \
+      amd64) \
+        wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/procmail-$PROCMAIL_VERSION.apk && \
+        echo "$PROCMAIL_SHA procmail-$PROCMAIL_VERSION.apk" | sha256sum -c ;; \
+      arm64) \
+        wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/aarch64/procmail-$PROCMAIL_VERSION.apk ;; \
+      arm/v6) \
+        wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/armhf/procmail-$PROCMAIL_VERSION.apk ;; \
+      arm/v7) \
+        wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/armv7/procmail-$PROCMAIL_VERSION.apk ;; \
+    esac && \
     apk add --no-cache dovecot=$DOVECOT_VERSION dovecot-ldap=$DOVECOT_VERSION && \
     apk add --allow-untrusted procmail-$PROCMAIL_VERSION.apk && \
     cd /usr/local/bin && \

From 666a5571f5aa311010cb5bcc380d23d0b6a94610 Mon Sep 17 00:00:00 2001
From: Rich Braun
Date: Thu, 29 Jan 2026 12:48:16 -0800
Subject: [PATCH 4/5] SYS-656 wip

---
 images/dovecot/Dockerfile | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/images/dovecot/Dockerfile b/images/dovecot/Dockerfile
index 7f5a4313..5420325d 100644
--- a/images/dovecot/Dockerfile
+++ b/images/dovecot/Dockerfile
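Review bot: The new `arm64`, `arm/v6` and `arm/v7` branches download the procmail .apk without any `sha256sum -c`, and the file is then installed with `--allow-untrusted` (introduced in the previous commit), so on those platforms a build-time network fetch goes into the image with no integrity verification beyond the CDN's TLS. Each branch should verify a per-architecture digest the way the amd64 branch does, e.g. declare `ARG PROCMAIL_SHA_ARM64=<sha256 of the aarch64 .apk>` next to PROCMAIL_SHA and end the branch with `echo "$PROCMAIL_SHA_ARM64 procmail-$PROCMAIL_VERSION.apk" | sha256sum -c ;; \`. Without a `*)` arm the case fetches nothing for any other TARGETARCH value and the later `apk add` fails on a missing file; the next commit in the series adds a default arm, so only the digest gap remains. The RUN instruction continues past the end of this hunk.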
@@ -12,21 +12,22 @@ ARG DOVECOT_VERSION=2.4.1-r2
 ARG PROCMAIL_VERSION=3.22-r4
 ARG MKCERT_SHA=d1efad065f9ef34da372847ff4a4d5ffd86b97410b303d8a43ea25aa2119c86d
 ARG PROCMAIL_SHA=4ac9f21c3d7dbed5b32e7547da39f4d429de480679b4c856026caea39ca842f9
-ARG TARGETARCH
+ARG TARGETPLATFORM
 ENV LDAP_SECRETNAME=ldap-ro-password \
     SSL_DH=
 
 RUN cd /tmp && \
-    case ${TARGETARCH} in \
-      amd64) \
+    case ${TARGETPLATFORM} in \
+      linux/amd64) \
         wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/procmail-$PROCMAIL_VERSION.apk && \
         echo "$PROCMAIL_SHA procmail-$PROCMAIL_VERSION.apk" | sha256sum -c ;; \
-      arm64) \
+      linux/arm64) \
         wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/aarch64/procmail-$PROCMAIL_VERSION.apk ;; \
-      arm/v6) \
+      linux/arm/v6) \
         wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/armhf/procmail-$PROCMAIL_VERSION.apk ;; \
-      arm/v7) \
+      linux/arm/v7) \
         wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/armv7/procmail-$PROCMAIL_VERSION.apk ;; \
+      *) echo Unrecognized ${TARGETPLATFORM} ;; \
     esac && \
     apk add --no-cache dovecot=$DOVECOT_VERSION dovecot-ldap=$DOVECOT_VERSION && \
     apk add --allow-untrusted procmail-$PROCMAIL_VERSION.apk && \

From aa49bdd9f3a7465c8dd67b98f83799875066719e Mon Sep 17 00:00:00 2001
From: Rich Braun
Date: Thu, 29 Jan 2026 13:00:29 -0800
Subject: [PATCH 5/5] SYS-656 wip

---
 images/dovecot/helm/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/dovecot/helm/Chart.yaml b/images/dovecot/helm/Chart.yaml
index f2d74e1a..36e75de6 100644
--- a/images/dovecot/helm/Chart.yaml
+++ b/images/dovecot/helm/Chart.yaml
@@ -7,7 +7,7 @@ sources:
 - https://github.com/vdukhovni/dovecot
 type: application
 version: 0.1.13
-appVersion: "2.4.2-r1"
+appVersion: "2.4.1-r2"
 dependencies:
 - name: chartlib
   version: 0.1.8
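Review bot: The new default arm `*) echo Unrecognized ${TARGETPLATFORM} ;;` exits 0, so the `&&` chain continues and the build only fails later at `apk add --allow-untrusted procmail-$PROCMAIL_VERSION.apk` with a missing-file error rather than at the point the platform was rejected; make the mismatch fatal and send it to stderr: `*) echo "Unrecognized TARGETPLATFORM=${TARGETPLATFORM}" >&2; exit 1 ;; \`. TARGETPLATFORM is populated automatically only under BuildKit; with the legacy builder it is empty and also takes this arm, which is another reason for an explicit failure. The arm64 and arm branches still carry no checksum, as raised on the previous commit. The RUN instruction continues past the end of this hunk.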