Upgrading to trixie but still show some errors:

#log_debug=category=auth

#auth_debug_passwords = yes

##

## Authentication processes

##

# Enable LOGIN command and all other plaintext authentications even if

# SSL/TLS is not used (LOGINDISABLED capability). Note that if the remote IP

# matches the local IP (ie. you're connecting from the same computer), the

# connection is considered secure and plaintext authentication is allowed,

# unless ssl = required.

#auth_allow_cleartext = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that

# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.

#auth_cache_size = 0

# Time to live for cached data. After TTL expires the cached record is no

# longer used, *except* if the main database lookup returns internal failure.

# We also try to handle password changes automatically: If user's previous

# authentication was successful, but this one wasn't, the cache isn't used.

# For now this works only with plaintext authentication.

#auth_cache_ttl = 1 hour

# TTL for negative hits (user not found, password mismatch).

# 0 disables caching them completely.

#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need

# them. You can leave it empty if you don't want to support multiple realms.

# Many clients simply use the first one listed here, so keep the default realm

# first.

#auth_realms =

#

# Default realm/domain to use if none was specified. This is used for both

# SASL realms and appending @domain to username in plaintext logins.

#auth_default_domain =

# List of allowed characters in username. If the user-given username contains

# a character not listed in here, the login automatically fails. This is just

# an extra check to make sure user can't exploit any potential quote escaping

# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,

# set this value to empty.

#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The

# value contains series of from -> to characters. For example "#@/@" means

# that '#' and '/' characters are translated to '@'.

#auth_username_translation =

# Username formatting before it's looked up from databases.

#auth_username_format = %{user|lower}

#auth_username_format = %{user|username|lower}

# If you want to allow master users to log in by specifying the master

# username within the normal username string (ie. not using SASL mechanism's

# support for it), you can specify the separator character here. The format

# is then <username><separator><master username>. UW-IMAP uses "*" as the

# separator, so that could be a good choice.

#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism

#auth_anonymous_username = anonymous

# Host name to use in GSSAPI principal names. The default is to use the

# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab

# entries.

#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system

# default (usually /etc/krb5.keytab) if not specified. You may need to change

# the auth service to run as root to be able to read this file.

#auth_krb5_keytab = 

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and

# ntlm_auth helper. <https://doc.dovecot.org/latest/core/config/auth/mechanisms/winbind.html>

#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.

#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.

#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.

#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using 

# X509_NAME_get_text_by_NID() which returns the subject's DN's

# CommonName. 

#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:

#   plain login digest-md5 cram-md5 ntlm anonymous gssapi

#   gss-spnego xoauth2 oauthbearer

# NOTE: See also auth_allow_cleartext setting.

#auth_mechanisms = plain login 

##

## Password and user databases

##

#

# Password database is used to verify user's password (and nothing more).

# You can have multiple passdbs and userdbs. This is useful if you want to

# allow both system users (/etc/passwd) and virtual users to login without

# duplicating the system users into virtual database.

#

# <https://doc.dovecot.org/latest/core/config/auth/passdb.html>

#

# User database specifies where mails are located and what user/group IDs

# own them. For single-UID configuration use "static" userdb.

#

# <https://doc.dovecot.org/latest/core/config/auth/userdb.html>

#!include auth-deny.conf.ext

#!include auth-master.conf.ext

#!include auth-oauth2.conf.ext

!include auth-system.conf.ext

#!include auth-sql.conf.ext

#!include auth-ldap.conf.ext

#!include auth-passwdfile.conf.ext

#!include auth-static.conf.ext

## Logging verbosity and debugging.

##

# Log filter is a space-separated list conditions. If any of the conditions

# match, the log filter matches (i.e. they're ORed together). Parenthesis

# are supported if multiple conditions need to be matched together.

#

# See https://doc.dovecot.org/configuration_manual/event_filter/ for details.

#

# For example: event=http_request_* AND category=error AND category=storage

#

# Filter to specify what debug logging to enable. This will eventually replace

# mail_debug and auth_debug settings.

#log_debug = 

# Crash after logging a matching event. For example category=error will crash

# any time an error is logged, which can be useful for debugging.

#log_core_filter = 

# Log unsuccessful authentication attempts and the reasons why they failed.

#auth_verbose = no

#auth_verbose = yes

# In case of password mismatches, log the attempted password. Valid values are

# no, plain and sha1. sha1 can be useful for detecting brute force password

# attempts vs. user simply trying the same password over and over again.

# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).

#auth_verbose_passwords = no

# To chain multiple logging conditions you can use,

# log_debug=$SET:log_debug or category=xxx

# Even more verbose logging for debugging purposes. Shows for example SQL

# queries.

#auth_debug = no

#log_debug=category=auth

#

# In case of password mismatches, log the passwords and used scheme so the

# problem can be debugged. Enabling this also enables auth_debug.

#auth_debug_passwords = no

#auth_debug_passwords = yes

# Enable mail process debugging. This can help you figure out why Dovecot

# isn't finding your mails.

#mail_debug = no

#log_debug=category=mail

# Show protocol level SSL errors.

#verbose_ssl = no

#log_debug=category=ssl

# mail_log plugin provides more event logging for mail processes.

plugin {

#mail_plugins {

#   notify = yes

#   mail_log = yes

#}

# Events to log. Also available: flag_change append

  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename

#mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append

# Available fields: uid, box, msgid, from, subject, size, vsize, flags

# size and vsize are available only for expunge and copy events.

  #mail_log_fields = uid box msgid size

}

#mail_log_fields = uid box msgid size from subject vsize flags

# only log cached fields

#mail_log_cached_only = yes

##

## Log formatting.

# Space-separated list of elements we want to log. The elements which have

# a non-empty variable value are joined together to form a comma-separated

# string.

#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c

#login_log_format_elements = user=<%{user}> method=%{mechanism} rip=%{remote_ip} lip=%{local_ip} mpid=%{mail_pid} %{secured} session=<%{session}>

# Login log format. %s contains login_log_format_elements string, %$ contains

# Login log format. %{elements} contains login_log_format_elements string, %{message} contains

# the data we want to log.

#login_log_format = %$: %s

# Log prefix for mail processes. See doc/wiki/Variables.txt for list of

# possible variables you can use.

#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "

# Format to use for logging mail deliveries:

#  %$ - Delivery status message (e.g. "saved to INBOX")

#  %m / %{msgid} - Message-ID

#  %s / %{subject} - Subject

#  %f / %{from} - From address

#  %p / %{size} - Physical size

#  %w / %{vsize} - Virtual size

#  %e / %{from_envelope} - MAIL FROM envelope

#  %{to_envelope} - RCPT TO envelope

#  %{delivery_time} - How many milliseconds it took to deliver the mail

#  %{session_time} - How long LMTP session took, not including delivery_time

#  %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename

#deliver_log_format = msgid=%m: %$

#login_log_format = %{message}: %{elements}

# Log prefix for mail processes. See

# https://doc.dovecot.org/latest/core/settings/variables.html#mail-service-user-variables

# for list of possible variables.

#mail_log_prefix = "%{service}(%{user})<%{process:pid}><%{session}>: "

# Format to use for logging mail deliveries. See https://doc.dovecot.org/latest/core/summaries/settings.html#deliver_log_format

# for list of possible variables.

#deliver_log_format = msgid=%{msgid}: %{message} (subject=%{subject} from=%{from} size=%{size})

#

# <doc/wiki/MailLocation.txt>

#

mail_location = mbox:~/mail/:INBOX=/var/mail/%u

# mail_location = mbox:~/mail/:INBOX=/var/mail/%u

# Debian defaults

# Note that upstream considers mbox deprecated and strongly recommends

# against its use in production environments. See further information

# at

# https://doc.dovecot.org/2.4.0/core/config/mailbox/formats/mbox.html

mail_driver = mbox

mail_home = /home/%u

mail_path = /home/%u/mail

mail_inbox_path = /var/mail/%u

# If you need to set multiple mailbox locations or want to change default

# namespace settings, you can do it by defining namespace sections.

  namespace spam {

      prefix = spam

#     separator = .

    location = virtual:/etc/dovecot/virtual/spam:INDEX=~/mail/virtual/%u/spam

    list = no

    hidden = yes

  }

  namespace sent {

      prefix = sent

#     separator = .

    location = virtual:/etc/dovecot/virtual/sent:INDEX=~/mail/virtual/%u/sent

    list = no

    hidden = yes

  }

#default_process_limit = 100

#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly

# intended to catch and kill processes that leak memory before they eat up

# everything.

#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted

# user in Dovecot system. It shouldn't have access to anything at all.

#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from

# login user, so that login processes can't disturb other processes.

#default_internal_user = dovecot

service imap-login {

  inet_listener imap {

    #port = 143

  }

  inet_listener imaps {

    #port = 993

    #ssl = yes

  }

  # Number of connections to handle before starting a new process. Typically

  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0

  # is faster. <d>

  #service_restart_request_count = 1

  # Number of processes to always keep waiting for more connections.

  #process_min_avail = 0

  # If you set service_restart_request_count=0, you probably need to grow this.

  #vsz_limit = 256M # default

}

service pop3-login {

  inet_listener pop3 {

    #port = 110

  }

  inet_listener pop3s {

    #port = 995

    #ssl = yes

  }

}

service submission-login {

  inet_listener submission {

    #port = 587

  }

  inet_listener submissions {

    #port = 465

  }

}

service lmtp {

  unix_listener lmtp {

    #mode = 0666

  }

  # Create inet listener only if you can't use the above UNIX socket

  #inet_listener lmtp {

    # Avoid making LMTP visible for the entire internet

    #listen = 127.0.0.1

    #port = 24

  #}

}

service imap {

  # Most of the memory goes to mmap()ing files. You may need to increase this

  # limit if you have huge mailboxes.

  #vsz_limit = 256M # default

  # Max. number of IMAP processes (connections)

  #process_limit = 1024

}

service pop3 {

  # Max. number of POP3 processes (connections)

  #process_limit = 1024

}

service submission {

  # Max. number of SMTP Submission processes (connections)

  #process_limit = 1024

}

service auth {

  # auth_socket_path points to this userdb socket by default. It's typically

  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have

  # full permissions to this socket are able to get a list of all usernames and

  # get the results of everyone's userdb lookups.

  #

  # The default 0666 mode allows anyone to connect to the socket, but the

  # userdb lookups will succeed only if the userdb returns an "uid" field that

  # matches the caller process's UID. Also if caller's uid or gid matches the

  # socket's uid or gid the lookup succeeds. Anything else causes a failure.

  #

  # To give the caller full permissions to lookup all users, set the mode to

  # something else than 0666 and Dovecot lets the kernel enforce the

  # permissions (e.g. 0777 allows everyone full permissions).

  unix_listener auth-userdb {

    #mode = 0666

    #user = 

    #group = 

  }

  # Postfix smtp-auth

  #unix_listener /var/spool/postfix/private/auth {

  #  mode = 0666

  #}

  # Auth process is run as this user.

  #user = $SET:default_internal_user

}

service auth-worker {

  # Auth worker process is run as root by default, so that it can access

  # /etc/shadow. If this isn't necessary, the user should be changed to

  # $SET:default_internal_user.

  #user = root

}

service dict {

  # If dict proxy is used, mail processes should have access to its socket.

  # For example: mode=0660, group=vmail and global mail_access_groups=vmail

  unix_listener dict {

    #mode = 0600

    #user = 

    #group = 

  }

}