X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail.man;h=45f2cb98a25c15cd9e34061f10bd2ed6f5787e32;hb=4b493b7cf285fa8ee2c572987e2e59ec3a743c0b;hp=f56503f012b1fff938dc1380a475608a6bc4853f;hpb=603a1467db5a94b2c80678919fbf1b7c19714983;p=~andy%2Ffetchmail

diff --git a/fetchmail.man b/fetchmail.man
index f56503f0..45f2cb98 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -10,7 +10,7 @@
 .\" Load www macros to process .URL requests, this requires groff:
 .mso www.tmac
 .\"
-.TH fetchmail 1 "fetchmail 6.3.19" "fetchmail" "fetchmail reference manual"
+.TH fetchmail 1 "fetchmail 7.0.0-alpha3" "fetchmail" "fetchmail reference manual"
 
 .SH NAME
 fetchmail \- fetch mail from a POP, IMAP, ETRN, or ODMR-capable server
@@ -267,9 +267,6 @@ Tries IMAP and POP3 (skipping any of these for which support
 has not been compiled in).
 .IP POP3
 Post Office Protocol 3
-.IP APOP
-Use POP3 with old-fashioned MD5-challenge authentication.
-Considered not resistant to man-in-the-middle attacks.
 .IP KPOP
 Use POP3 with Kerberos V5 authentication on port 1109.
 .IP SDPS
@@ -343,7 +340,7 @@ email if this happens.
 .IP
 Beginning with fetchmail 6.3.10, the SMTP client uses the recommended minimum
 timeouts from RFC-5321 while waiting for the SMTP/LMTP server it is talking to.
-You can raise the timeouts even more, but you cannot shorten it. This is to
+You can raise the timeouts even more, but you cannot shorten them. This is to
 avoid a painful situation where fetchmail has been configured with a short
 timeout (a minute or less), ships a long message (many MBytes) to the local
 MTA, which then takes longer than timeout to respond "OK", which it eventually
@@ -452,8 +449,9 @@ Also see \-\-sslcert above.
 (Keyword: sslproto)
 .br
 Forces an SSL/TLS protocol. Possible values are \fB''\fP,
-\&'\fBSSL2\fP', '\fBSSL23\fP', (use of these two values is discouraged
-and should only be used as a last resort) \&'\fBSSL3\fP', and
+\&'\fBSSL23\fP' (note however that fetchmail, since v7.0.0, prohibits
+negotiation of SSLv2 -- it has been deprecated for 15 years and is
+insecure), \&'\fBSSL3\fP', and
 \&'\fBTLS1\fP'.  The default behaviour if this option is unset is: for
 connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
 opportunistically try STARTTLS negotiation with TLS1. You can configure
@@ -721,7 +719,7 @@ messages, but some distributors modified fetchmail to accept them. You can now
 configure fetchmail's behaviour per server.
 .TP
 .B \-\-retrieve\-error {abort|continue|markseen}
-(Keyword: retrieve\-error; since v6.4)
+(Keyword: retrieve\-error; since v7.0)
 .br
 Specify how fetchmail is supposed to treat messages which fail to be
 retrieved due to server errors, i. e. fetching the message body fails with
@@ -1102,7 +1100,8 @@ time to the server, which can verify it by checking its authorization
 database.
 
 \fBNote that APOP is no longer considered resistant against
-man-in-the-middle attacks.\fP
+man-in-the-middle attacks, and should not be used without a verified
+SSL/TLS connection.\fP
 .SS RETR or TOP
 \fBfetchmail\fP makes some efforts to make the server believe messages
 had not been retrieved, by using the TOP command with a large number of
@@ -1190,8 +1189,8 @@ connection after negotiating an SSL session, and the connection fails if
 SSL cannot be negotiated.  Some services, such as POP3 and IMAP, have
 different well known ports defined for the SSL encrypted services.  The
 encrypted ports will be selected automatically when SSL is enabled and
-no explicit port is specified. The \-\-sslproto 'SSL3' option should be
-used to select the SSLv3 protocol (default if unset: v2 or v3).  Also,
+no explicit port is specified. The \-\-sslproto 'SSL3' need no longer be
+used to avoid the SSLv2 protocol. Also,
 the \-\-sslcertck command line or sslcertck run control file option
 should be used to force strict certificate checking - see below.
 .PP
@@ -1696,7 +1695,7 @@ Specify DNS name of mailserver, overriding poll name
 T}
 proto[col]	\-p	\&	T{
 Specify protocol (case insensitive):
-POP3, IMAP, APOP, KPOP
+POP3, IMAP, KPOP
 T}
 local[domains]	\&	m	T{
 Specify domain(s) to be regarded as local
@@ -2164,20 +2163,20 @@ Legal protocol identifiers for use with the 'protocol' keyword are:
 .sp
 .nf
     auto (or AUTO) (legacy, to be removed from future release)
+
     pop3 (or POP3)
-    sdps (or SDPS)
+      sdps (or SDPS) (a POP3 variant specific to Demon)
+      kpop (or KPOP) (a Kerberos-based variant)
+
     imap (or IMAP)
-    apop (or APOP)
-    kpop (or KPOP)
 .fi
 .sp
 .PP
-Legal authentication types are 'any', 'password',
-\&'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
-(only for POP3), 'ntlm', 'ssh', 'external' (only IMAP).
+Legal authentication types are 'any', 'password', 'apop' (only for
+POP3), \&'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
+(only for POP3), 'ntlm', 'ssh', 'external' (only for IMAP).
 The 'password' type specifies
-authentication by normal transmission of a password (the password may be
-plain text or subject to protocol-specific encryption as in CRAM-MD5);
+authentication by normal transmission of a password;
 \&'kerberos_v5' tells \fBfetchmail\fP to try to get a Kerberos ticket at the
 start of each query instead, and send an arbitrary string as the
 password; and 'gssapi' tells fetchmail to use GSSAPI authentication.
@@ -2744,6 +2743,16 @@ then that name is used as the default local name.  Otherwise
 session ID (this elaborate logic is designed to handle the case of
 multiple names per userid gracefully).
 
+.IP \fBFETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE\fP
+(since v6.3.22):
+If this environment variable is set and not empty, fetchmail will disable
+a countermeasure against an SSL CBC IV attack (by setting 
+SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS).  This is a security risk, but may be
+necessary for connecting to certain non-standards-conforming servers.
+See fetchmail's NEWS file and fetchmail-SA-2012-01.txt for details.
+Earlier fetchmail versions (v6.3.21 and older) used to disable this 
+countermeasure, but v6.3.22 no longer does that as a safety precaution.
+
 .IP \fBFETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS\fP
 (since v6.3.17):
 If this environment variable is set and not empty, fetchmail will always load
@@ -2776,7 +2785,7 @@ it).
 Running \fBfetchmail\fP in foreground while a background fetchmail is
 running will do whichever of these is appropriate to wake it up.
 
-.SH BUGS AND KNOWN PROBLEMS
+.SH BUGS, LIMITATIONS, AND KNOWN PROBLEMS
 .PP
 Please check the \fBNEWS\fP file that shipped with fetchmail for more
 known bugs than those listed here.
@@ -2786,6 +2795,10 @@ character, for instance "demonstr@ti on". These are rather uncommon and
 only hurt when using UID-based \-\-keep setups, so the 6.3.X versions of
 fetchmail won't be fixed.
 .PP
+Fetchmail cannot handle configurations where you have multiple accounts
+that use the same server name and the same login. Any user@server
+combination must be unique.
+.PP
 The assumptions that the DNS and in particular the checkalias options
 make are not often sustainable. For instance, it has become uncommon for
 an MX server to be a POP3 or IMAP server at the same time. Therefore the