Distinguish between server not advertising TLS capability and server failing during...
authorSunil Shetye <shetye@bombay.retortsoft.com>
Wed, 10 Nov 2010 07:06:50 +0000 (12:36 +0530)
committerMatthias Andree <matthias.andree@gmx.de>
Wed, 10 Nov 2010 15:20:27 +0000 (16:20 +0100)
Send a NOOP only after a failed STARTTLS in IMAP.

NEWS
imap.c
pop3.c

diff --git a/NEWS b/NEWS
index 8c11951c268b8ac1bf2d5711a9d9cb5bfb3fc210..8c93aa9b35613a7af815a4dd2302a1edb51820ad 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -75,6 +75,7 @@ fetchmail-6.3.19 (not yet released):
   Reported by Mihail Nechkin against FreeBSD port.
   Workaround for 6.3.18: build in a separate directory, i. e:
   mkdir build && cd build && ../configure --options-go-here
+* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye)
 
 # DOCUMENTATION:
 * The manual page now links to IANA for GSSAPI service names.
diff --git a/imap.c b/imap.c
index b1c510433cfd2b9023aaaaf6ffa444274be0b855..cbaa913b1f4c84542aff9ee61b5ee2df5087d479 100644 (file)
--- a/imap.c
+++ b/imap.c
@@ -397,9 +397,6 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
 /* apply for connection authorization */
 {
     int ok = 0;
-#ifdef SSL_ENABLE
-    int got_tls = 0;
-#endif
     (void)greeting;
 
     /*
@@ -457,17 +454,12 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
                 * Now that we're confident in our TLS connection we can
                 * guarantee a secure capability re-probe.
                 */
-               got_tls = 1;
                capa_probe(sock, ctl);
                if (outlevel >= O_VERBOSE)
                {
                    report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
                }
-           }
-       }
-
-       if (!got_tls) {
-           if (must_tls(ctl)) {
+           } else if (must_tls(ctl)) {
                /* Config required TLS but we couldn't guarantee it, so we must
                 * stop. */
                report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
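Review bot: The comment kept on the `else if (must_tls(ctl))` branch, `Config required TLS but we couldn't guarantee it, so we must stop.`, no longer says which failure it covers, now that the not-advertised case has its own branch further down. Rewording it to `/* Config required TLS but the STARTTLS negotiation failed, so we must stop. */` would mirror the new comment on the not-advertised branch. The pop3.c hunk at `@@ -475,11 +473,7 @@` carries the same comment and would read `STLS` instead. The `if` this `else` belongs to opens above the hunk and the branch body continues past its last line, so this assumes the branch is reached only after an attempted upgrade.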
@@ -486,6 +478,10 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
                }
                /* Usable.  Proceed with authenticating insecurely. */
            }
+       } else if (must_tls(ctl)) {
+           /* Config required TLS but STARTTLS is not advertised. */
+           report(stderr, GT_("%s: cannot upgrade to TLS: no STARTTLS in CAPABILITY response.\n"), commonname);
+           return PS_SOCKET;
        }
     }
 #endif /* SSL_ENABLE */
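Review bot: When TLS is only opportunistic, a missing STARTTLS capability still falls through to cleartext authentication with no message, because the new `else if (must_tls(ctl))` branch reports only the mandatory case. The CAPABILITY response is read before any TLS is in place, so an on-path party can remove STARTTLS from it, and a silent fallback leaves nothing in the log to show that happened. Consider a trailing `else if (outlevel >= O_VERBOSE)` branch with `report(stdout, GT_("%s: STARTTLS not advertised, continuing without TLS.\n"), commonname);`. The same applies to the STLS branch added in the last pop3.c hunk. The `if` that this `else` pairs with starts outside the hunk, so this assumes it is the capability test named in the new comment.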
diff --git a/pop3.c b/pop3.c
index fd3e5b5d9d63513c3953bfbbca5fc353e4ca1b27..21251e59a2e7700475e34b8fae3303d461fd5d22 100644 (file)
--- a/pop3.c
+++ b/pop3.c
@@ -281,7 +281,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
 #endif /* OPIE_ENABLE */
 #ifdef SSL_ENABLE
     flag connection_may_have_tls_errors = FALSE;
-    flag got_tls = FALSE;
 #endif /* SSL_ENABLE */
 
     done_capa = FALSE;
@@ -465,7 +464,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
                    * Now that we're confident in our TLS connection we can
                    * guarantee a secure capability re-probe.
                    */
-                  got_tls = TRUE;
                   done_capa = FALSE;
                   ok = capa_probe(sock);
                   if (ok != PS_SUCCESS) {
@@ -475,11 +473,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
                   {
                       report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
                   }
-              }
-          }
-
-          if (!got_tls) {
-              if (must_tls(ctl)) {
+              } else if (must_tls(ctl)) {
                   /* Config required TLS but we couldn't guarantee it, so we must
                    * stop. */
                   report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
@@ -496,6 +490,10 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
                       report(stdout, GT_("%s: opportunistic upgrade to TLS failed, trying to continue.\n"), commonname);
                   }
               }
+          } else if (must_tls(ctl)) {
+              /* Config required TLS but STLS is not advertised. */
+              report(stderr, GT_("%s: cannot upgrade to TLS: no STLS in CAPA response.\n"), commonname);
+              return PS_SOCKET;
           }
        } /* maybe_tls() */
 #endif /* SSL_ENABLE */