Dovecot won’t start after upgrading to Plesk 18.0.73 with Warden installed: root cause and temporary fix (until Warden 5.03)

Published 10/07/2025

X (Twitter) Facebook Pinterest LinkedIn Email WhatsApp

Critical summary

What happened: upgrading to Plesk 18.0.73 (Sept 30, 2025) bumps Dovecot to 2.4.1-4. Dovecot 2.4 introduces breaking config syntax changes, so Dovecot fails to start when the Warden Anti-spam and Virus Protection extension is installed.
Who’s affected: Plesk servers with Warden (default or customized policies).
Temporary fix: replace /etc/dovecot/conf.d/99-warden.conf with a Dovecot-2.4-compatible version matching your Spam Action in Warden, then restart Dovecot.
Important: Do not change Policy Settings / Blacklist / Whitelist in Warden after applying the fix, or Warden will rewrite the file and Dovecot will fail again. A permanent fix is coming in Warden 5.03 (covers this and other Dovecot 2.4 changes), expected next week.

Symptoms & verification

systemctl status dovecot shows failed (often with status 89 or parse errors).
journalctl -u dovecot reports syntax/brace errors under /etc/dovecot/conf.d/.
doveconf -n fails with a parsing error referencing 99-warden.conf.

Temporary workaround (step by step)

Before you start: back up the current file.
cp -a /etc/dovecot/conf.d/99-warden.conf /etc/dovecot/conf.d/99-warden.conf.bak.$(date +%F%H%M)

1) Pick the correct block for your Warden spam action

If Warden → Content Filter Settings → Policy Settings → Spam action = “move to spam folder” (default)
Replace /etc/dovecot/conf.d/99-warden.conf with:

service imap {
  vsz_limit = 512MB
}
protocol imap {
  mail_plugins {
    imap_sieve = yes
  }
}
sieve_plugins {
  sieve_imapsieve   = yes
  sieve_extprograms = yes
}
sieve_global_extensions {
  vnd.dovecot.pipe = yes
}
sieve_pipe_bin_dir = /var/qmail/popuser
sieve_script mailbox-after {
  type = after
  path = /var/qmail/mailnames/%{user | domain}/%{user | username}/.warden.sieve
}
sieve_script domain-after {
  type = after
  path = /var/qmail/mailnames/%{user | domain}/.warden.sieve
}
sieve_script global-after {
  type = after
  path = /var/qmail/popuser/warden-server.sieve
}
Code language: PHP (php)

If your “Spam action” is “quarantine”, “block”, or “tag”
Replace /etc/dovecot/conf.d/99-warden.conf with:

service imap {
  vsz_limit = 512MB
}
protocol imap {
  mail_plugins {
    imap_sieve = yes
  }
}
sieve_plugins {
  sieve_imapsieve   = yes
  sieve_extprograms = yes
}
sieve_global_extensions {
  vnd.dovecot.pipe = yes
}
sieve_pipe_bin_dir = /var/qmail/popuser
sieve_script mailbox-after {
  type = after
  path = /var/qmail/mailnames/%{user | domain}/%{user | username}/.warden.sieve
}
sieve_script domain-after {
  type = after
  path = /var/qmail/mailnames/%{user | domain}/.warden.sieve
}
Code language: JavaScript (javascript)

These directives use Dovecot 2.4 syntax for mail_plugins, sieve_plugins, and sieve_script blocks, replacing older constructs that prevent Dovecot from starting.

2) Ensure Sieve (Pigeonhole) packages are installed

Debian/Ubuntu: apt-get install dovecot-sieve dovecot-managesieved
RHEL/Alma/Rocky: dnf install dovecot-pigeonhole

3) Validate and restart

doveconf -n   # should print the config without errors
systemctl restart dovecot
systemctl status dovecot --no-pager
Code language: PHP (php)

If OK: ACTIVE (running).

Prevent regression until Warden 5.03

While waiting for the official fix:

Do not change Policy Settings, Blacklist, or Whitelist in Warden; these actions regenerate 99-warden.conf with the old syntax.
If you must lock the file temporarily, you can make it immutable (use with care): chattr +i /etc/dovecot/conf.d/99-warden.conf Warning: remember to remove immutability (chattr -i) before upgrading to Warden 5.03 or editing the file again.

Extra checks

Logs: journalctl -u dovecot -b should be clean of parse errors post-restart.
Ports: ss -ltnp | grep dovecot (or netstat -tlnp) to verify IMAP/IMAPS.
Functional test: connect via IMAP/IMAPS, move a message to Spam, and verify Sieve rules run.

(Optional) Automate across multiple servers

Adapt to your environment. Pass move or quarantine as the first arg, matching your Warden spam action.

#!/usr/bin/env bash
set -euo pipefail
CONF=/etc/dovecot/conf.d/99-warden.conf
BACKUP=${CONF}.bak.$(date +%F%H%M)
POLICY="${1:-move}" # move | quarantine
cp -a "$CONF" "$BACKUP"
if [[ "$POLICY" == "move" ]]; then
  cat > "$CONF" <<'EOF'
service imap { vsz_limit = 512MB }
protocol imap { mail_plugins { imap_sieve = yes } }
sieve_plugins { sieve_imapsieve = yes sieve_extprograms = yes }
sieve_global_extensions { vnd.dovecot.pipe = yes }
sieve_pipe_bin_dir = /var/qmail/popuser
sieve_script mailbox-after { type = after path = /var/qmail/mailnames/%{user | domain}/%{user | username}/.warden.sieve }
sieve_script domain-after  { type = after path = /var/qmail/mailnames/%{user | domain}/.warden.sieve }
sieve_script global-after  { type = after path = /var/qmail/popuser/warden-server.sieve }
EOF
else
  cat > "$CONF" <<'EOF'
service imap { vsz_limit = 512MB }
protocol imap { mail_plugins { imap_sieve = yes } }
sieve_plugins { sieve_imapsieve = yes sieve_extprograms = yes }
sieve_global_extensions { vnd.dovecot.pipe = yes }
sieve_pipe_bin_dir = /var/qmail/popuser
sieve_script mailbox-after { type = after path = /var/qmail/mailnames/%{user | domain}/%{user | username}/.warden.sieve }
sieve_script domain-after  { type = after path = /var/qmail/mailnames/%{user | domain}/.warden.sieve }
EOF
fi
doveconf -n >/dev/null
systemctl restart dovecot
systemctl --no-pager --full status dovecot
echo "Temporary fix applied. Backup saved at $BACKUP"
Code language: PHP (php)

Usage: bash fix-warden-dovecot.sh move or bash fix-warden-dovecot.sh quarantine

FAQ

Can I roll back Dovecot to a previous version?
Not recommended on Plesk: downgrading Dovecot can leave the stack inconsistent. The config fix is the safe path until Warden 5.03 lands.

Which exact version introduces the breakage?
Dovecot 2.4.1-4 (bundled with Plesk 18.0.73) changes the config syntax, invalidating Warden-generated files from prior versions.

Do I need to edit other files under /etc/dovecot/?**
Typically no. The breakage is in 99-warden.conf. Still, run doveconf -n to catch any other includes with legacy syntax.

When is Warden 5.03 expected?
Per the vendor report, within the next week from the latest notice. 5.03 addresses this and “any other” issues stemming from the Dovecot 2.4 upgrade.

What if I change Policy/Blacklist/Whitelist after applying the fix?
Warden will rewrite 99-warden.conf with old syntax and Dovecot will fail again. Avoid changes until Warden 5.03, or (temporarily) protect the file with chattr +i—and remember to undo it before upgrading.

X (Twitter) Facebook Pinterest LinkedIn Email WhatsApp

Dovecot won’t start after upgrading to Plesk 18.0.73 with Warden installed: root cause and temporary fix (until Warden 5.03)

Symptoms & verification

Temporary workaround (step by step)

1) Pick the correct block for your Warden spam action

2) Ensure Sieve (Pigeonhole) packages are installed

3) Validate and restart

Prevent regression until Warden 5.03

Extra checks

(Optional) Automate across multiple servers

FAQ

Related articles

Linux Kernel 6.13 Officially Released: What’s New and Why It Matters

Types of Computer Memory: RAM, ROM, PROM, EPROM, and EEPROM – What They Are and How They Differ

Kalker: The scientific calculator redefining advanced calculations

DeepSeek V3.1: A Step-by-Step Practical Guide to the Fastest Hybrid AI Today

DE-CIX Hits 25 Tbps Traffic Milestone: A Clear Signal That Global Digital Infrastructure Must Keep Evolving

RunSQL Launches Free SQL Validator: A Practical Tool to Improve Query Writing and Performance

VirtualBox 7.2 Released: Early Linux 6.17 Support, ARM Virtualization Boost, and Major Graphics Improvements

SQL NOT: Precise Searches with Exclusion Criteria

CentOS Kicks Off RISC-V Era with Developer Preview of CentOS Stream 10 and RHEL 10

Security Alert: OpenVPN Vulnerability (CVE-2025-2704) Enables DoS Attacks on Servers Using tls-crypt-v2