-Fetchmail has no configuration facility to enforce TLS connections.
-Configuring --sslproto 'tls1' does not cause connection aborts if TLS is
-not offered or the TLS handshake fails for POP3 or IMAP.
-Even if fetchmail is forced to validate an TLS certificate by means of
---sslfingerprint or --sslcertck, it may expose cleartext credentials
-over an unencrypted connection.
+Fetchmail has had several nasty password disclosure vulnerabilities for
+a long time. It was only recently that these have been found.
+
+V1. sslcertck/sslfingerprint options should have implied "sslproto tls1"
+ in order to enforce TLS negotiation, but did not.
+
+V2. Even with "sslproto tls1" in the config, fetches would go ahead
+ in plain text if STLS/STARTTLS wasn't available (not advertised,
+ or advertised but rejected).
+
+V3. POP3 fetches could completely ignore all TLS options whether
+ available or not because it didn't reliably issue CAPA before
+ checking for STLS support - but CAPA is a requisite for STLS.
+ Whether or not CAPAbilities were probed, depended on the "auth"
+ option. (Fetchmail only tried CAPA if the auth option was not set at
+ all, was set to gssapi, kerberos, kerberos_v4, otp, or cram-md5.)
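Review bot: The new V1-V3 text enumerates the defects but never states whether each is now fixed or in which version; the removed lines were written as a present-tense limitation, and the replacement reads the same way, so a user cannot tell from this entry whether "sslcertck"/"sslfingerprint" now imply "sslproto tls1" (V1), whether "sslproto tls1" now aborts the session when STLS/STARTTLS is missing or rejected (V2), or whether POP3 now issues CAPA regardless of the "auth" setting (V3). Suggest adding one sentence per item saying what the fixed behaviour is, for example "Fixed: fetchmail now aborts the connection instead of falling back to plain text", and noting the affected versions if known, since operators need that to decide whether to upgrade. Minor: "It was only recently that these have been found." is vague; a date or release reference would make the entry more useful. Also "an TLS certificate" in the removed text would be "a TLS certificate" if any of that wording is retained.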