X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail.man;h=2356d95eb1179629eb6480de3ad76ace670771f8;hb=e4dd196b137223195739b9e0f50ec2a8a02b3534;hp=63672cbe4fd044b53af03bfbfcf9f529985428f5;hpb=abea527a5a95b8c54dd5fb9958afcca5a52e5dc3;p=~andy%2Ffetchmail diff --git a/fetchmail.man b/fetchmail.man index 63672cbe..2356d95e 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -10,7 +10,7 @@ .\" Load www macros to process .URL requests, this requires groff: .mso www.tmac .\" -.TH fetchmail 1 "fetchmail 6.3.18" "fetchmail" "fetchmail reference manual" +.TH fetchmail 1 "fetchmail 6.3.25" "fetchmail" "fetchmail reference manual" .SH NAME fetchmail \- fetch mail from a POP, IMAP, ETRN, or ODMR-capable server @@ -48,7 +48,7 @@ adding all of the options you'd normally use.\fP .IP .nf -env LC_ALL=C fetchmail -V -v --nodetach --nosyslog +env LC_ALL=C fetchmail \-V \-v \-\-nodetach \-\-nosyslog .fi .IP (This command line prints in English how fetchmail understands your @@ -56,7 +56,7 @@ configuration.) .IP .nf -env LC_ALL=C fetchmail -vvv --nodetach --nosyslog +env LC_ALL=C fetchmail \-vvv \-\-nodetach \-\-nosyslog .fi .IP (This command line actually runs fetchmail with verbose English output.) @@ -365,7 +365,7 @@ email if this happens. .IP Beginning with fetchmail 6.3.10, the SMTP client uses the recommended minimum timeouts from RFC-5321 while waiting for the SMTP/LMTP server it is talking to. -You can raise the timeouts even more, but you cannot shorten it. This is to +You can raise the timeouts even more, but you cannot shorten them. This is to avoid a painful situation where fetchmail has been configured with a short timeout (a minute or less), ships a long message (many MBytes) to the local MTA, which then takes longer than timeout to respond "OK", which it eventually 
@@ -474,23 +474,26 @@ Also see \-\-sslcert above. (Keyword: sslproto) .br Forces an SSL/TLS protocol. Possible values are \fB''\fP, -\&'\fBSSL2\fP', '\fBSSL23\fP', (use of these two values is discouraged +\&'\fBSSL2\fP' (not supported on all systems), +\&'\fBSSL23\fP', (use of these two values is discouraged and should only be used as a last resort) \&'\fBSSL3\fP', and \&'\fBTLS1\fP'. The default behaviour if this option is unset is: for -connections without \-\-ssl, use \&'\fBTLS1\fP' that fetchmail will +connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will opportunistically try STARTTLS negotiation with TLS1. You can configure this option explicitly if the default handshake (TLS1 if \-\-ssl is not -used, does not work for your server. +used) does not work for your server. .IP Use this option with '\fBTLS1\fP' value to enforce a STARTTLS connection. In this mode, it is highly recommended to also use -\-\-sslcertck (see below). +\-\-sslcertck (see below). Note that this will then cause fetchmail +v6.3.19 to force STARTTLS negotiation even if it is not advertised by +the server. .IP To defeat opportunistic TLSv1 negotiation when the server advertises -STARTTLS or STLS, use \fB''\fP. This option, even if the argument is -the empty string, will also suppress the diagnostic 'SERVER: -opportunistic upgrade to TLS.' message in verbose mode. The default is -to try appropriate protocols depending on context. +STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This +option, even if the argument is the empty string, will also suppress the +diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose +mode. The default is to try appropriate protocols depending on context. .TP .B \-\-sslcertck (Keyword: sslcertck) 
@@ -699,7 +702,7 @@ maildrop easier to understand. Finally, we strongly advise that you do \fBnot\fP use qmail-inject. The command line interface is non-standard without providing benefits for -typical use, and fetchmail makes no attempts to accomodate +typical use, and fetchmail makes no attempts to accommodate qmail-inject's deviations from the standard. Some of qmail-inject's command-line and environment options are actually dangerous and can cause broken threads, non-detected duplicate messages and forwarding @@ -931,7 +934,9 @@ connection such as an ssh tunnel; specify \fBexternal\fP when you use TLS with client authentication and specify \fBgssapi\fP or \&\fBkerberos_v4\fP if you are using a protocol variant that employs GSSAPI or K4. Choosing KPOP protocol automatically selects Kerberos -authentication. This option does not work with ETRN. +authentication. This option does not work with ETRN. GSSAPI service names are +in line with RFC-2743 and IANA registrations, see +.URL http://www.iana.org/assignments/gssapi-service-names/ "Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names" . .SS Miscellaneous Options .TP .B \-f | \-\-fetchmailrc @@ -1361,6 +1366,8 @@ The option turns off use of .BR syslog (3), assuming it's turned on in the \fI~/.fetchmailrc\fP file. +This option is overridden, in certain situations, by \fB\-\-logfile\fP (which +see). .PP The .B \-N @@ -1372,8 +1379,7 @@ fetchmail runs as the child of a supervisor process such as .BR init (8) or Gerrit Pape's .BR runit (8). -Note that this also causes the logfile option to be ignored (though -perhaps it shouldn't). +Note that this also causes the logfile option to be ignored. .PP Note that while running in daemon mode polling a POP2 or IMAP2bis server, transient errors (such as DNS failures or sendmail delivery refusals) 
@@ -1697,13 +1703,16 @@ Keep permanently undeliverable mail as though a temporary error had occurred (default). T} set logfile \-L \& T{ -Name of a file to append error and status messages to. +Name of a file to append error and status messages to. Only effective +in daemon mode and if fetchmail detaches. If effective, overrides \fBset +syslog\fP. T} set idfile \-i \& T{ Name of the file to store UID lists in. T} set syslog \& \& T{ -Do error logging through syslog(3). +Do error logging through syslog(3). May be overriden by \fBset +logfile\fP. T} set no syslog \& \& T{ Turn off error logging through syslog(3). (default) @@ -2672,7 +2681,7 @@ mail" to be an error condition (for instance, for cron jobs), use a POSIX-compliant shell and add .nf -|| [ $? -eq 1 ] +|| [ $? \-eq 1 ] .fi to the end of the fetchmail command line, note that this leaves 0 @@ -2776,6 +2785,16 @@ then that name is used as the default local name. Otherwise session ID (this elaborate logic is designed to handle the case of multiple names per userid gracefully). +.IP \fBFETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE\fP +(since v6.3.22): +If this environment variable is set and not empty, fetchmail will disable +a countermeasure against an SSL CBC IV attack (by setting +SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS). This is a security risk, but may be +necessary for connecting to certain non-standards-conforming servers. +See fetchmail's NEWS file and fetchmail-SA-2012-01.txt for details. +Earlier fetchmail versions (v6.3.21 and older) used to disable this +countermeasure, but v6.3.22 no longer does that as a safety precaution. + .IP \fBFETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS\fP (since v6.3.17): If this environment variable is set and not empty, fetchmail will always load 
@@ -2808,7 +2827,7 @@ it). Running \fBfetchmail\fP in foreground while a background fetchmail is running will do whichever of these is appropriate to wake it up. -.SH BUGS AND KNOWN PROBLEMS +.SH BUGS, LIMITATIONS, AND KNOWN PROBLEMS .PP Please check the \fBNEWS\fP file that shipped with fetchmail for more known bugs than those listed here. @@ -2818,6 +2837,10 @@ character, for instance "demonstr@ti on". These are rather uncommon and only hurt when using UID-based \-\-keep setups, so the 6.3.X versions of fetchmail won't be fixed. .PP +Fetchmail cannot handle configurations where you have multiple accounts +that use the same server name and the same login. Any user@server +combination must be unique. +.PP The assumptions that the DNS and in particular the checkalias options make are not often sustainable. For instance, it has become uncommon for an MX server to be a POP3 or IMAP server at the same time. Therefore the @@ -2982,7 +3005,8 @@ LMTP: RFC 2033. .TP 5 GSSAPI: -RFC 1508. +RFC 1508, RFC 1734, +.URL http://www.iana.org/assignments/gssapi-service-names/ "Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names" . .TP 5 TLS: RFC 2595.
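Review bot: The sentence added to the sslproto text (hunk @@ -474,23 +474,26 @@) says TLS1 "will then cause fetchmail v6.3.19 to force STARTTLS negotiation even if it is not advertised by the server", which names one release in a page whose .TH line this patch bumps to 6.3.25. If the behaviour still applies, word it as "since v6.3.19"; otherwise say where it ends. In the same hunk the comma after '\fBSSL23\fP' is still there in front of the parenthesis, and "and use a cleartext connection use \fB''\fP" needs a comma after "connection". Since \fB''\fP selects cleartext even when the server advertises STARTTLS or STLS, consider saying next to it that this gives up transport encryption for the session.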
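Review bot: "This option is overridden, in certain situations, by \fB\-\-logfile\fP" in the \-\-nosyslog text (hunk @@ -1361,6 +1366,8 @@) leaves the reader to guess the situations. The set logfile table row changed in this same patch states them ("Only effective in daemon mode and if fetchmail detaches"), so repeat that condition here or point at the row, so that someone auditing where log output goes does not have to reconcile the two places.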
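Review bot: "overriden" in the set syslog row (hunk @@ -1697,13 +1703,16 @@) should be "overridden"; the \-\-nosyslog hunk in this patch already spells it that way. In the set logfile row, "If effective, overrides \fBset syslog\fP" would read more clearly as "When in effect, it overrides".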
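Review bot: In the new FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE entry (hunk @@ -2776,6 +2785,16 @@), "set and not empty" means that any value, including one such as 0 or no, switches the countermeasure off; say so explicitly, since the entry itself calls this a security risk. The parenthetical "(by setting SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)" follows "attack" and can be read as how the countermeasure is applied rather than how it is disabled; move it directly after "disable". The last sentence is ambiguous as well: "no longer does that as a safety precaution" would be clearer as a statement that v6.3.22 and newer leave the countermeasure enabled unless this variable is set.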
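Review bot: The GSSAPI reference entry (hunk @@ -2982,7 +3005,8 @@) gains RFC 1734 and the IANA URL but not RFC 2743, which the authentication text added in hunk @@ -931,7 +934,9 @@ cites as the basis for the service names; add it so the reference list matches the body. In that earlier hunk, "IANA registrations, see" joins two sentences with a comma; end the sentence before the .URL line.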