+<h2><a name="K3">K3. How can I get fetchmail to work with ssh?</a></h2>
+
+We have three recipes for this. The first is easy to set up,
+but only supports one user at a time.<P>
+
+First, a lightly edited version of a recipe from Masafumi NAKANE:<p>
+
+1. You must have ssh (the ssh client) on the local host and sshd (ssh
+server) on the remote mail server. And you have to configure ssh so
+you can login to the sshd server host without a password. (Refer to ssh
+man page for several authentication methods.)<p>
+
+2. Add something like following to your .fetchmailrc file: <p>
+
+<pre>
+poll mailhost port 1234 via localhost with proto pop3:
+ preconnect "ssh -f -L 1234:mailhost:110 mailhost sleep 20 </dev/null >/dev/null";
+</pre>
+
+(Note that 1234 can be an arbitrary port number. Privileged ports can
+be specified only by root.) The effect of this ssh command is to
+forward connections made to localhost port 1234 (in above example) to
+mailhost's 110.<p>
+
+This configuration will enable secure mail transfer. All the
+conversation between fetchmail and remote pop server will be
+encrypted.<p>
+
+If sshd is not running on the remote mail server, you can specify
+intermediate host running it. If you do this, however, communication
+between the machine running sshd and the POP server will not be encrypted.
+And the preconnect line would be like this:<p>
+
+<pre>
+preconnect "ssh -f -L 1234:mailhost:110 sshdhost sleep 20 </dev/null >/dev/null"
+</pre>
+
+You can work this trick with IMAP too, but the port number 110 in the
+above would need to become 143.<p>
+
+Second, a recipe from Charlie Brady <cbrady@ind.tansu.com.au>:<p>
+
+Charlie says: "The [previous] recipe certainly works, but
+the solution I post here is better in a few respects":
+
+<UL>
+<LI>this method will not fail if two or more users attempt to use fetchmail
+ simultaneously.
+<LI>you are able to use the full facilities of tcpd to control access
+<LI>this method does not depend on the preconnect feature of fetchmail, so
+ can be used for tunneling of other services as well.
+</UL>
+
+Here are the steps:
+
+<OL>
+<LI>
+Make sure that the "socket" program is installed on the server
+machine. Presently it lives at <a
+href="ftp://sunsite.unc.edu/pub/linux/system/network/misc/socket-1.1.tar.gz">
+ftp://sunsite.unc.edu/pub/linux/system/network/misc/socket-1.1.tar.gz</a>,
+but watch out for a change in version number.<P>
+<LI>
+Set up an unprivileged account on your system with a .ssh directory
+containing an SSH identity file "identity" with no pass phrase,
+"identity.pub" and "known_hosts" containing the host key of your
+mailhost. Let's call this account "noddy".
+<LI>
+On mailhost, set up no-password access for noddy@yourhost. Add to your
+SSH authorized_keys file:
+
+<PRE>
+command="socket localhost 110",no-port-forwarding 1024 ......
+</PRE>
+
+where "<code>1024</code> ......" is the content of noddy's identity.pub file.
+<LI>
+Create a script /usr/local/bin/ssh.fm and make it executable:
+
+<PRE>
+#! /bin/sh
+exec ssh -q -C -l your.login.id -e none mailhost socket localhost 110
+</PRE>
+<LI>
+Add an entry in inetd.conf for whatever port you choose to use - say:
+
+<PRE>
+1234 stream tcp nowait noddy /usr/sbin/tcpd /usr/local/bin/ssh.fm
+</PRE>
+<LI>
+Send a HUP signal to your inetd.
+</OL>
+
+Now just use localhost:1234 to access your POP server.<P>
+
+For yet a third recipe, see <a href="http://sunsite.unc.edu/LDP/HOWTO/mini/Secure-POP+SSH.html">Secure POP via SSH mini-HOWTO</a>.<P>
+
+<hr>
+<h2><a name="K4">K4. What do I have to do to use the IMAP-GSS protocol?</a></h2>
+
+Fetchmail can use RFC1731 GSSAPI authorization to safely identify you
+to your IMAP server, as long as you can share Kerberos V credentials
+with your mail host and you have a GSSAPI-capable IMAP server.
+UW-IMAP (available via FTP at <a
+href="ftp://ftp.cac.washington.edu/mail/">ftp.cac.washington.edu</a>)
+is the only one I'm aware of and the one I recommend anyway for other
+reasons. You'll need version 4.1-FINAL or greater though, and it has
+to have GSS support compiled in.<p>
+
+Neither UW-IMAP nor fetchmail compile in support for GSS by default, since
+it requires libraries from the Kerberos V distribution (available via FTP at
+<a href="ftp://athena-dist.mit.edu/pub/ATHENA/kerberos">athena-dist.mit.edu</a>
+but mind the export restrictions). If you have these, compiling in GSS support
+is simple: add a <pre>--with-gssapi=[/path/to/krb5/root]</pre> option to
+configure. For instance, I have all of my Kerberos V libraries installed under
+/usr/krb5 so I run <pre>configure --with-gssapi=/usr/krb5</pre><p>
+
+Setting up Kerberos V authentication is beyond the scope of this FAQ
+(you may find Jim Rome's paper <a
+href="http://www.ornl.gov/~jar/HowToKerb.html"> How to Kerberize your
+site</a> helpful), but you'll at least need to add a credential for
+imap/[mailhost] to the keytab of the mail server (IMAP doesn't just
+use the host key). Then you'll need to have your credentials ready on
+your machine (cf. kinit).<p>
+
+After that things are very simple. Set your protocol to imap-gss in your
+.fetchmailrc, and omit the password, since imap-gss doesn't need one. You
+can specify a username if you want, but this is only useful if your mailbox
+belongs to a username different from your Kerberos principal. <p>
+
+Now you don't have to worry about your password appearing in cleartext in
+your .fetchmailrc, or across the network.<p>
+
+<hr>
+<h2><a name="K5">K5. How can I use fetchmail with SSL?</a></h2>
+
+The U.S. government's never-to-be-sufficiently-damned EAR regulations
+prevent me from including SSL library hooks in the distribution.
+However, the First Amendment of the U.S. Constitution hasn't been
+eviscerated (not yet, anyway -- our would-be totalitarians are
+working on trashing the Second Amendment first).<P>
+
+<h3>Option 1:</h3>
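Review bot: The shell redirections in the two K3 preconnect examples (`</dev/null >/dev/null` inside the `<pre>` blocks) and the address `<cbrady@ind.tansu.com.au>` use raw `<` and `>`, so an HTML parser will read them as markup and the rendered recipe will not match the command the reader is meant to type; escape them as `&lt;` and `&gt;`. The `<pre>` elements used mid-sentence in K4 around `--with-gssapi=...` are block-level and will split the paragraph, so `<code>` fits better there. In the second K3 recipe, the inetd entry for port 1234 is backed by an identity with no pass phrase, and the text names tcpd as the access control but gives no rule for it; a sentence telling the reader to restrict that service to local connections would close the gap. Step 4 also logs in with `-l your.login.id` while step 3 sets up access for noddy with a forced command, so the text should say which remote account's authorized_keys file is meant.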