X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail.man;h=babc57ab7c4a5899865c27b5dc2c464ccee94e99;hb=0aa3f030cdb0ab4a8e45360e6c1ec599d97e8acd;hp=5b7dc6c283d1b2296a1f127e671c3ccf84c13182;hpb=aa404982fe7cb8339247fc104e99b05dbca47204;p=~andy%2Ffetchmail diff --git a/fetchmail.man b/fetchmail.man index 5b7dc6c2..babc57ab 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -10,7 +10,7 @@ .\" Load www macros to process .URL requests, this requires groff: .mso www.tmac .\" -.TH fetchmail 1 "fetchmail 7.0.0-alpha1" "fetchmail" "fetchmail reference manual" +.TH fetchmail 1 "fetchmail 7.0.0-alpha3" "fetchmail" "fetchmail reference manual" .SH NAME fetchmail \- fetch mail from a POP, IMAP, ETRN, or ODMR-capable server @@ -267,9 +267,6 @@ Tries IMAP and POP3 (skipping any of these for which support has not been compiled in). .IP POP3 Post Office Protocol 3 -.IP APOP -Use POP3 with old-fashioned MD5-challenge authentication. -Considered not resistant to man-in-the-middle attacks. .IP KPOP Use POP3 with Kerberos V5 authentication on port 1109. .IP SDPS @@ -452,9 +449,9 @@ Also see \-\-sslcert above. (Keyword: sslproto) .br Forces an SSL/TLS protocol. Possible values are \fB''\fP, -\&'\fBSSL23\fP' (note however that fetchmail, since v6.3.20, prohibits -negotiation of SSLv2 -- it has been deprecated for 15 years and is -insecure), \&'\fBSSL3\fP', and +\&'\fBSSL2\fP' (not supported on all systems), +\&'\fBSSL23\fP', (use of these two values is discouraged +and should only be used as a last resort) \&'\fBSSL3\fP', and \&'\fBTLS1\fP'. The default behaviour if this option is unset is: for connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will opportunistically try STARTTLS negotiation with TLS1. You can configure 
@@ -1103,7 +1100,8 @@ time to the server, which can verify it by checking its authorization database. \fBNote that APOP is no longer considered resistant against -man-in-the-middle attacks.\fP +man-in-the-middle attacks, and should not be used without a verified +SSL/TLS connection.\fP .SS RETR or TOP \fBfetchmail\fP makes some efforts to make the server believe messages had not been retrieved, by using the TOP command with a large number of @@ -1697,7 +1695,7 @@ Specify DNS name of mailserver, overriding poll name T} proto[col] \-p \& T{ Specify protocol (case insensitive): -POP3, IMAP, APOP, KPOP +POP3, IMAP, KPOP T} local[domains] \& m T{ Specify domain(s) to be regarded as local @@ -2165,20 +2163,20 @@ Legal protocol identifiers for use with the 'protocol' keyword are: .sp .nf auto (or AUTO) (legacy, to be removed from future release) + pop3 (or POP3) - sdps (or SDPS) + sdps (or SDPS) (a POP3 variant specific to Demon) + kpop (or KPOP) (a Kerberos-based variant) + imap (or IMAP) - apop (or APOP) - kpop (or KPOP) .fi .sp .PP -Legal authentication types are 'any', 'password', -\&'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn' -(only for POP3), 'ntlm', 'ssh', 'external' (only IMAP). +Legal authentication types are 'any', 'password', 'apop' (only for +POP3), \&'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn' +(only for POP3), 'ntlm', 'ssh', 'external' (only for IMAP). The 'password' type specifies -authentication by normal transmission of a password (the password may be -plain text or subject to protocol-specific encryption as in CRAM-MD5); +authentication by normal transmission of a password; \&'kerberos_v5' tells \fBfetchmail\fP to try to get a Kerberos ticket at the start of each query instead, and send an arbitrary string as the password; and 'gssapi' tells fetchmail to use GSSAPI authentication. 
@@ -2745,14 +2743,15 @@ then that name is used as the default local name. Otherwise session ID (this elaborate logic is designed to handle the case of multiple names per userid gracefully). -.IP \fBFETCHMAIL_IMAP_DELETED_REMAINS_UNSEEN\fP -(since v6.3.20): -If this environment variable is set and not empty, fetchmail will NOT mark -messages retrieved through IMAP as \\Seen when they are deleted. This may suppress -delivery notifications on some systems (some versions of HP OpenMail) and change them -to mention "deleted without being read" on others (some versions of Microsoft Exchange). -The default (if this variable is unset or empty) is to mark messages as \\Seen -and \\Deleted at the same time. +.IP \fBFETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE\fP +(since v6.3.22): +If this environment variable is set and not empty, fetchmail will disable +a countermeasure against an SSL CBC IV attack (by setting +SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS). This is a security risk, but may be +necessary for connecting to certain non-standards-conforming servers. +See fetchmail's NEWS file and fetchmail-SA-2012-01.txt for details. +Earlier fetchmail versions (v6.3.21 and older) used to disable this +countermeasure, but v6.3.22 no longer does that as a safety precaution. .IP \fBFETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS\fP (since v6.3.17): @@ -2786,7 +2785,7 @@ it). Running \fBfetchmail\fP in foreground while a background fetchmail is running will do whichever of these is appropriate to wake it up. -.SH BUGS AND KNOWN PROBLEMS +.SH BUGS, LIMITATIONS, AND KNOWN PROBLEMS .PP Please check the \fBNEWS\fP file that shipped with fetchmail for more known bugs than those listed here. 
@@ -2796,6 +2795,10 @@ character, for instance "demonstr@ti on". These are rather uncommon and only hurt when using UID-based \-\-keep setups, so the 6.3.X versions of fetchmail won't be fixed. .PP +Fetchmail cannot handle configurations where you have multiple accounts +that use the same server name and the same login. Any user@server +combination must be unique. +.PP The assumptions that the DNS and in particular the checkalias options make are not often sustainable. For instance, it has become uncommon for an MX server to be a POP3 or IMAP server at the same time. Therefore the
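Review bot: In the @@ -267,9 +267,6 @@ hunk, removing the .IP APOP entry from the protocol list leaves a reader with an existing APOP setup no pointer to its replacement. The @@ -2165,20 +2163,20 @@ hunk adds 'apop' as an authentication type for POP3, so a short line here saying APOP is now selected through the authentication type would help. It should carry over the "not resistant to man-in-the-middle attacks" caveat that the removed lines had.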
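Review bot: In the @@ -452,9 +449,9 @@ hunk, the sslproto text now lists 'SSL2' as a possible value and drops the statement that fetchmail has prohibited SSLv2 negotiation since v6.3.20, which reads as a security regression for a 7.0.0-alpha3 manual. Please confirm this is not an accidental revert from an older branch. If SSLv2 is still refused, keep the removed wording instead of "discouraged ... last resort". The new sentence is also mispunctuated: there is a stray comma before the parenthesis and none after it, so the remark runs straight into 'SSL3'.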
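Review bot: In the @@ -1103,7 +1100,8 @@ hunk, "a verified SSL/TLS connection" is not defined, so a reader cannot tell which settings satisfy the new requirement. Name the options that make the connection verified, or cross-reference the section that documents them. An SSL/TLS session without certificate verification does not stop a man-in-the-middle, so the wording needs to be precise.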
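Review bot: In the @@ -2165,20 +2163,20 @@ hunk, 'apop' is added to the list of legal authentication types, but the paragraph that follows still describes only 'password', 'kerberos_v5' and 'gssapi'. Add a sentence for 'apop' that points to the APOP warning. The shortened 'password' description should also say whether the password crosses the wire in plain text, now that the remark about plain text versus CRAM-MD5 has been dropped.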
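Review bot: In the @@ -2745,14 +2743,15 @@ hunk, the parenthetical "(by setting SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)" sits directly after "a countermeasure against an SSL CBC IV attack", so it can be read as the countermeasure itself and not as the switch that turns it off. Move it next to "disable", for example "will set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which disables a countermeasure against ...". The hunk also deletes the FETCHMAIL_IMAP_DELETED_REMAINS_UNSEEN entry. If that variable is still honoured the entry should stay, and if it is gone the removal should be mentioned explicitly.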
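Review bot: In the @@ -2796,6 +2795,10 @@ hunk, the new limitation says any user@server combination must be unique but not what happens when it is not. State whether fetchmail rejects such a configuration or misbehaves silently, and in the latter case what the symptom is, so users can recognise it.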