1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
5 <link rel="stylesheet" href="sitestyle.css" type="text/css">
6 <meta name="description" content="The Fetchmail Project">
7 <meta name="keywords" content="fetchmail, pop3, imap, email, mail">
8 <meta name="MSSmartTagsPreventParsing" content="TRUE">
9 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
10 <title>Fetchmail</title>
15 <table width="100%" cellpadding="0" summary="Canned page header">
18 <td align="right"><!-- update date -->2008-11-16</td>
25 <a href="index.html" title="Main">Main</a><br>
26 <a href="fetchmail-features.html">Features</a><br>
27 <a href="fetchmail-man.html">Manual</a><br>
28 <a href="fetchmail-FAQ.html" title="Fetchmail FAQ">FAQ</a><br>
29 <a href="fetchmail-FAQ.pdf" title="Fetchmail FAQ as PDF">FAQ (PDF)</a><br>
30 <a href="design-notes.html">Design Notes</a><br>
31 <a href="http://developer.berlios.de/project/showfiles.php?group_id=1824">Download</a><br>
32 <a href="http://mknod.org/svn/fetchmail/">Development Code</a><br>
33 <a href="http://developer.berlios.de/projects/fetchmail/">Project Page</a><br>
39 <img src="bighand.png" width="100" height="71" alt="logo: a hand presenting an envelope" align="right">
43 <div style="background-color:#ffffff;color:#008000;"> <h1>fetchmail 6.3.6 release candidate #5</h1>
45 href="http://mandree.home.pages.de/fetchmail/">fetchmail-6.3.6-rc5 was released</a>, fixing several annoying bugs. <a href="http://mandree.home.pages.de/fetchmail/NEWS-6.3.6-rc5.txt">Click here for details.</a></p> </div>
48 <div style="background-color:#c0ffc0;color:#000000;">
49 <h1>NEWS: FETCHMAIL 6.3.9 RELEASE</h1>
50 <p>On 2008-11-16, <a href="http://developer.berlios.de/project/showfiles.php?group_id=1824">fetchmail-6.3.9
51 has been released (this is the download link),</a> fixing
52 various bugs, among them the security issues CVE-2008-2711 and
53 CVE-2007-4565, and two critical bugs. <a
54 href="http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=15418">Click
55 here to see the change details.</a>
60 <div style="background-color:#ffff80;color:#000000;font-size:80%;">
61 <h1>FETCHMAIL 6.2.X UNSUPPORTED AND VULNERABLE - USE 6.3.X INSTEAD</h1>
62 <p>fetchmail 6.2.X versions are susceptible to CVE-2006-5867 and CVE-2007-1558 and should be replaced by the most current 6.3.X version. Support has been discontinued as of 2006-01-22.</p>
67 <div style="background-color:#ffe0c0;color:#000000;font-size:85%"> <h1>SECURITY ALERTS</h1>
68 <p style="font-size:100%">These security issues (listed immediately below) have become
69 known to the fetchmail maintainer to the date mentioned above. Note
70 that fetchmail 6.2.X and older are no longer supported and contain
71 some of the problems mentioned below, even if they aren't mentioned
72 in the security announcements:</p>
74 <li><a name="cve-2008-2711" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711">CVE-2008-2711:</a> Fetchmail can <a href="fetchmail-SA-2008-01.txt">crash in verbose mode when logging long message headers.</a> This bug will be fixed in release 6.3.9. For the nonce, use the <a href="fetchmail-SA-2008-01.txt">patch contained in the security announcement.</a></li>
75 <li><a name="cve-2007-4565" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565">CVE-2007-4565:</a> Fetchmail can <a href="fetchmail-SA-2007-02.txt">crash when the SMTP server refuses a warning message generated by fetchmail.</a> This bug was introduced in fetchmail 4.6.8 and will be fixed in release 6.3.9. For the nonce, use the <a href="fetchmail-SA-2007-02.txt">patch contained in this security announcement.</a></li>
76 <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558">CVE-2007-1558:</a> Fetchmail's APOP client was found to <a href="fetchmail-SA-2007-01.txt">validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be.</a> This bug was long-standing, fetchmail 6.3.8 validates the APOP challenge stricter.</li>
77 <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974">CVE-2006-5974:</a> Fetchmail was found to <a href="fetchmail-SA-2006-03.txt">crash when refusing a message that was bound to be delivered by an MDA.</a> This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.</li>
78 <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867">CVE-2006-5867:</a> Fetchmail was found to <a href="fetchmail-SA-2006-02.txt">omit TLS or send the password in clear text despite the configuration stating otherwise.</a> This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.</li>
79 <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321">CVE-2006-0321:</a> Fetchmail was found to <a href="fetchmail-SA-2006-01.txt">crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.</a></li>
80 <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348">CVE-2005-4348:</a> Fetchmail was found to contain <a href="fetchmail-SA-2005-03.txt">a bug (null pointer dereference) that can be exploited to a denial of service attack</a> when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.</li>
81 <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088">CVE-2005-3088:</a> Fetchmailconf was found to <a href="fetchmail-SA-2005-02.txt">open the configuration files world-readable, writing data to them, and only then tightening up permissions</a>, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.</li>
82 <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335">CVE-2005-2335:</a> Fetchmail was found to contain a <a href="fetchmail-SA-2005-01.txt">remotely exploitable code injection vulnerability (potentially privileged code)</a> in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)</li>
85 <p style="font-size:100%"><strong>Please <a href="http://developer.berlios.de/project/showfiles.php?group_id=1824">update to fetchmail version 6.3.9</a>.</strong></p>
89 <h1>What fetchmail does:</h1>
91 <p>Fetchmail is a full-featured, robust, well-documented
92 remote-mail retrieval and forwarding utility intended to be used over
93 on-demand TCP/IP links (such as SLIP or PPP connections). It supports
94 every remote-mail protocol now in use on the Internet: POP2, POP3,
95 RPOP, APOP, KPOP, all flavors of <a
96 href="http://www.imap.org">IMAP</a>, ETRN, and ODMR. It can even
97 support IPv6 and IPSEC.</p>
99 <p>Fetchmail retrieves mail from remote mail servers and forwards it via
100 SMTP, so it can then be read by normal mail user agents such as <a
101 href="http://www.mutt.org/">mutt</a>, elm(1) or BSD Mail.
102 It allows all your system MTA's filtering, forwarding, and aliasing
103 facilities to work just as they would on normal mail.</p>
105 <p>Fetchmail offers better protection against password-sniffing than any
106 other Unix remote-mail client. It supports APOP, KPOP, OTP, Compuserve
107 RPA, Microsoft NTLM, and IMAP RFC1731 encrypted authentication methods
108 including CRAM-MD5 to avoid sending passwords en clair. It can be
109 configured to support end-to-end encryption via tunneling with <a
110 href="http://www.openssh.com/">ssh, the Secure Shell</a>.</p>
112 <p>Fetchmail can be used as a POP/IMAP-to-SMTP gateway for an entire DNS
113 domain, collecting mail from a single drop box on an ISP and
114 SMTP-forwarding it based on header addresses. (We don't really
115 recommend this, though, as it may lose important envelope-header
116 information. ETRN or a UUCP connection is better.)</p>
118 <p>Fetchmail can be started automatically and silently as a system daemon
119 at boot time. When running in this mode with a short poll interval,
120 it is pretty hard for anyone to tell that the incoming mail link is
121 not a full-time "push" connection.</p>
123 <p>Fetchmail is easy to configure. You can edit its dotfile directly, or
124 use the interactive GUI configurator (fetchmailconf) supplied with the
125 fetchmail distribution. It is also directly supported in linuxconf
126 versions 1.16r8 and later.</p>
128 <p>Fetchmail is fast and lightweight. It packs all its standard
129 features (POP3, IMAP, and ETRN support) in 196K of core on a
130 Pentium under Linux.</p>
132 <p>Fetchmail is <a href="http://www.opensource.org">open-source</a>
133 and <a href="http://www.gnu.org/philosophy/free-sw.html">free
136 <h1>Where to find out more about fetchmail:</h1>
138 <p>See the <a href="fetchmail-features.html">Fetchmail Feature List</a> for more
139 about what fetchmail does.</p>
141 <p>See the on-line <a href="fetchmail-man.html">manual page</a> for
144 <p>See the <a href="fetchmail-FAQ.html">HTML Fetchmail FAQ</a> for
145 troubleshooting help.</p>
147 <p>See the <a href="design-notes.html">Fetchmail Design Notes</a>
148 for discussion of some of the design choices in fetchmail.</p>
150 <p>See the project's <a href="todo.html">To-Do list</a> for indications
151 of known problems and requested features.</p>
153 <p>The developers use <a
154 href="http://subversion.tigris.org/">Subversion</a> for revision control.
155 To get the latest development version, point your subversion client at <a
156 href="http://mknod.org/svn/fetchmail/trunk/">http://mknod.org/svn/fetchmail/trunk/</a>.</p>
159 href="http://developer.berlios.de/projects/fetchmail/">project
160 page</a> for more, including <a
161 href="http://developer.berlios.de/project/showfiles.php?group_id=1824">downloads</a>.
162 (However, note that we no longer use the subversion repository that Berlios provides.)</p>
164 <h1>Getting help with fetchmail:</h1>
167 There is a fetchmail-users list for help and other user discussion
168 of fetchmail. It's a MailMan list, which you can sign up for at <a
169 href="http://lists.berlios.de/mailman/listinfo/fetchmail-users">
170 fetchmail-users@lists.berlios.de</a>. There is also a
171 fetchmail-devel list for people who want to discuss fixes and
172 improvements in fetchmail and help co-develop it. That one is at <a
173 href="http://lists.berlios.de/mailman/listinfo/fetchmail-devel">
174 fetchmail-devel@lists.berlios.de</a>.
175 Finally, there is an announcements-only list, <a
176 href="http://lists.berlios.de/mailman/listinfo/fetchmail-announce">
177 fetchmail-announce@lists.berlios.de</a>.</p>
179 <p>Note: before submitting a question to the lists, <strong>please read
180 the <a href="fetchmail-FAQ.html">FAQ</a></strong> (especially item <a
181 href="fetchmail-FAQ.html#G3">G3</a> on how to report bugs). We
182 tend to get the same three newbie questions over and over again. The
183 FAQ covers them like a blanket.</p>
185 <h1>Maintainer History</h1>
186 <p>Fetchmail originated as a program called <i>popclient</i>, written
187 by Carl Harris. In 1996, <a href="http://www.catb.org/~esr/">Eric
188 S. Raymond</a> took over; he soon renamed the program to fetchmail after
189 adding IMAP support.</p>
190 <p>In 2004 a new team took over, led by <a
191 href="http://developer.berlios.de/users/rfunk/">Rob Funk</a>, <a
192 href="http://developer.berlios.de/users/bob/">Graham Wilson</a>, and <a
193 href="http://developer.berlios.de/users/m-a/">Matthias Andree</a>. Since then,
194 Graham Wilson has retreated, and <a
195 href="http://developer.berlios.de/users/shetye/">Sunil Shetye</a> has
196 contributed several important pieces of code.</p>
198 <h1>You can help improve fetchmail:</h1>
200 <p>We welcome your code contributions. But even if you don't write code,
201 you can help fetchmail improve.</p>
203 <p><strong>If you administer a site that runs a post-office server, you may be
204 able help improve fetchmail by lending us a test account on your site.
205 Note that we do not need a shell account for this purpose, just a
206 mailbox and a mail address. Nor are we interested in collecting maildrops per
207 se -- what we're collecting is different <em>kinds of servers</em>.</strong></p>
209 <p>Before each release, we run a test harness that sends date-stamped
210 test mail to each site on our regression-test list, then tries to
211 retrieve it. Please take a look at the <a href="testservers.html">
212 list of test servers</a>. If you can lend us an account on a kind
213 of server that is <em>not</em> already on this list, please do.</p>
215 <h1>Where you can use fetchmail:</h1>
217 <p>The fetchmail code was developed under Linux, but has also been
218 extensively tested under 4.4BSD, SunOS, Solaris, AIX, and NEXTSTEP. It
219 should be readily portable to other Unix variants (it requires only
220 POSIX plus BSD sockets, and uses GNU autoconf).</p>
222 <p>Fetchmail is supported only for Unix by its official maintainers.
223 However, it is reported to build and run correctly under BeOS,
224 AmigaOS, Rhapsody, and QNX as well. There is a CygWin port.</p>
226 <h1>Related works</h1>
228 <h2>Similar software</h2>
230 <p><strong>fdm:</strong> A recently appeared software package that integrates basic filtering is <a href="http://fdm.sourceforge.net/">Nicholas Marriott's fdm</a>.
232 <p><strong>getmail:</strong> When fetchmail's development was
233 stalled before the latest team took over, <a
234 href="http://pyropus.ca/software/getmail/">Charles Cazabon's getmail</a> came
235 along as an intended replacement. It still doesn't do everything that
236 fetchmail does, and often suffers from Python library shortcomings, for
237 instance when it comes to SSL, but it's close enough to give us a bit of
240 <p><strong>animail:</strong> Another contender with integrated filtering is <a href="http://juanjoalvarez.net/animaileng">Juanjo Álvarez Martínez's Animail</a>.</p>
242 <h2>Complementary and extension software</h2>
244 <p>Jochen Hayek is developing a set of
245 <a href="http://www.b.shuttle.de/hayek/JHimap_utils/">
246 IMAP tools in Python</a> that read your .fetchmailrc file and are
247 designed to work with fetchmail. Jochen's tools can report selected
248 header lines, or move incoming messages to named mailboxes based on
249 the contents of headers.</p>
252 <p>Donncha O Caoihm has written a Perl script called
253 <a href="http://blogs.linux.ie/xeer/install-sendmail/">install-sendmail</a>
254 that assists you in installing sendmail and fetchmail together.</p>
257 <p>Peter Hawkins has written a script called <a
258 href="http://linux.cudeso.be/linuxdoc/gotmail.php">gotmail</a> that
259 can retrieve Hotmail. Another script, <a
260 href="http://yosucker.sourceforge.net">yosucker</a>, can retrieve
263 <p>There's a program called
264 <a href="http://mailfilter.sourceforge.net/">mailfilter</a> which can be used
265 to do spam filtering, that works particularly well called from fetchmail's
266 <code>preconnect</code> directive.</p>
268 <p>A hacker identifying himself simply as 'Steines' has written a
269 filter which rewrites the to-line with a line which only includes
270 receipients for a given domain and renames the old to-line. It also
271 rewrites the domain-part of addresses if the offical domain is
272 different from the local domain. You can find it <a
273 href="http://www.steines.com/mailf/">here</a>.</p>
278 <a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-html401-blue" alt="Valid HTML 4.01 Transitional" height="31" width="88"></a>
279 <a href="http://jigsaw.w3.org/css-validator/"> <img style="border:0;width:88px;height:31px" src="http://jigsaw.w3.org/css-validator/images/vcss-blue" alt="Valid CSS"> </a>
280 <a href="http://developer.berlios.de"> <img src="http://developer.berlios.de/bslogo.php?group_id=1824&type=1" width="124" height="32" border="0" alt="BerliOS Logo"></a>