From 4d9ebfc1ae8788f66be711273d73bf4831a7cd4e Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Sat, 11 Nov 2000 19:24:00 +0000 Subject: [PATCH] Ready to ship. svn path=/trunk/; revision=2983 --- Makefile.in | 2 +- NEWS | 13 ++++++++++++- conf.c | 1 + configure.in | 6 +++--- driver.c | 41 ++++++++++++++++++++++++++++++++++++----- fetchmail-FAQ.html | 29 +++++++++++++++++++++++++++-- fetchmail.c | 4 ++++ fetchmail.h | 1 + fetchmail.man | 11 ++++++++++- fetchmailconf | 9 +++++++++ imap.c | 6 ++++-- options.c | 8 ++++++++ rcfile_l.l | 1 + rcfile_y.y | 3 +++ sample.rcfile | 1 + sink.c | 4 ++++ 16 files changed, 125 insertions(+), 15 deletions(-) diff --git a/Makefile.in b/Makefile.in index 269976f8..70e887d7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -4,7 +4,7 @@ # So just uncomment all the lines marked QNX. PACKAGE = fetchmail -VERSION = 5.5.5 +VERSION = 5.5.6 SUBDIRS = @INTLSUB@ @POSUB@ diff --git a/NEWS b/NEWS index 81f7cad2..80005759 100644 --- a/NEWS +++ b/NEWS @@ -2,9 +2,20 @@ (The `lines' figures total .c, .h, .l, and .y files under version control.) -* Chip Salzenberg's patch to prevent wilcards in Common Names from causing +fetchmail-5.5.5 (Sat Nov 11 14:22:24 EST 2000), 19563 lines: + +* Chip Salzenberg's patch to prevent wildcards in Common Names from causing spurious error messages (resolved Debian bug #75011). * Added --showdots option by Thomas Jarosch . +* Added --principal option from R. Lindsay Todd" . +* Spanish-language update from Javier Kohen. +* Nalin Dahyabai's fix to handle untagged responses during imap-gss + authentication. +* Koyama Mituru's patch for improved spam handling under qmail; checks + for a 553 reponse to RCPT TO. +* Added FAQ item F5 of %h and %p interpolation from Matthias Andree. + +There are 279 people on fetchmail-friends and 568 on fetchmail-announce. fetchmail-5.5.5 (Tue Oct 17 17:50:46 EDT 2000), 19523 lines: diff --git a/conf.c b/conf.c index 19f8346a..9b7571c7 100644 --- a/conf.c +++ b/conf.c @@ -291,6 +291,7 @@ void dump_config(struct runctl *runp, struct query *querylist) stringdump("plugin", ctl->server.plugin); stringdump("plugout", ctl->server.plugout); + stringdump("principal", ctl->server.principal); indent(0); fputs("'users': ", stdout); diff --git a/configure.in b/configure.in index 7f9c9ca9..73edf920 100644 --- a/configure.in +++ b/configure.in @@ -343,7 +343,7 @@ then else LIBS="$LIBS -lkrb5 -lcrypto -lcom_err" fi -elif test "$with_kerberos" != "no"; then +elif test "$with_kerberos" != "no" -a "$with_kerberos5" != "no" ; then for dir in /usr/kerberos /usr/local/krb5 /usr/athena do if test -f "$dir/include/krb5.h" @@ -437,7 +437,7 @@ then echo "Configuring kerberosIV for `uname`" CEFLAGS="$CEFLAGS -DKERBEROS_V4 -I/usr/include/kerberosIV" LIBS="$LIBS -lkrb -ldes" -elif test -n "$with_kerberos" -a -n "$with_kerberos5" -a "$with_kerberos" != "no" +elif test -n "$with_kerberos" -a -n "$with_kerberos5" -a "$with_kerberos" != "no" -a "$with_kerberos5" != "no" then CEFLAGS="$CEFLAGS -DKERBEROS_V4 -I$with_kerberos/include" LDEFLAGS="$LDEFLAGS -L$with_kerberos/lib" @@ -448,7 +448,7 @@ then else LIBS="-lkrb4 -ldes425 $LIBS" fi -elif test -n "$with_kerberos5" -a "$with_kerberos" != "no" +elif test -n "$with_kerberos5" -a "$with_kerberos" != "no" -a "$with_kerberos5" != "no" then for dir in /usr/kerberos /usr/kerberosIV /usr/athena do diff --git a/driver.c b/driver.c index 0c52f9b5..39a20ab3 100644 --- a/driver.c +++ b/driver.c @@ -1288,7 +1288,7 @@ static int readbody(int sock, struct query *ctl, flag forward, int len) #ifdef KERBEROS_V4 int -kerberos_auth (socket, canonical) +kerberos_auth (socket, canonical, principal) /* authenticate to the server host using Kerberos V4 */ int socket; /* socket to server host */ #if defined(__FreeBSD__) || defined(__OpenBSD__) @@ -1296,6 +1296,7 @@ char *canonical; /* server name */ #else const char *canonical; /* server name */ #endif +char *principal; { char * host_primary; KTEXT ticket; @@ -1303,11 +1304,36 @@ const char *canonical; /* server name */ CREDENTIALS cred; Key_schedule schedule; int rem; + char * prin_copy = (char *) NULL; + char * prin = (char *) NULL; + char * inst = (char *) NULL; + char * realm = (char *) NULL; + + if (principal != (char *)NULL && *principal) + { + char *cp; + prin = prin_copy = xstrdup(principal); + for (cp = prin_copy; *cp && *cp != '.'; ++cp) + ; + if (*cp) + { + *cp++ = '\0'; + inst = cp; + while (*cp && *cp != '@') + ++cp; + if (*cp) + { + *cp++ = '\0'; + realm = cp; + } + } + } xalloca(ticket, KTEXT, sizeof (KTEXT_ST)); - rem = (krb_sendauth (0L, socket, ticket, "pop", - canonical, - ((char *) (krb_realmofhost (canonical))), + rem = (krb_sendauth (0L, socket, ticket, + prin ? prin : "pop", + inst ? inst : canonical, + realm ? realm : ((char *) (krb_realmofhost (canonical))), ((unsigned long) 0), (&msg_data), (&cred), @@ -1315,6 +1341,10 @@ const char *canonical; /* server name */ ((struct sockaddr_in *) 0), ((struct sockaddr_in *) 0), "KPOPV0.1")); + if (prin_copy) + { + free(prin_copy); + } if (rem != KSUCCESS) { report(stderr, _("kerberos error %s\n"), (krb_get_err_text (rem))); @@ -1735,7 +1765,8 @@ const int maxfetch; /* maximum number of messages to fetch */ if (ctl->server.preauthenticate == A_KERBEROS_V4) { set_timeout(mytimeout); - ok = kerberos_auth(mailserver_socket, ctl->server.truename); + ok = kerberos_auth(mailserver_socket, ctl->server.truename, + ctl->server.principal); set_timeout(0); if (ok != 0) goto cleanUp; diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index befc865f..5b52eb67 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@
Back to Fetchmail Home Page To Site Map -$Date: 2000/11/11 18:20:46 $ +$Date: 2000/11/11 19:23:49 $

Frequently Asked Questions About Fetchmail

@@ -53,6 +53,7 @@ IP address?
F2. The .fetchmailrc parser won't accept my all-numeric user name.
F3. The .fetchmailrc parser won't accept my host or username beginning with `no'.
F4. I'm getting a `parse error' message I don't understand.
+F5. The %h and %p escapes aren't being interporated correctly.

Configuration questions:

@@ -796,6 +797,30 @@ Yes, I know these ordering restrictions are hard to understand. Unfortunately, they're necessary in order to allow the `defaults' feature to work.

+

+

F5. The %h and %p escapes aren't being interporated correctly.

+ +Note that %h and %p are only recognized as placeholders if they are a +single word each; you cannot use %h:%p or other interpolations that +aren't space-delimited. If you happen to need such a thing, write a +wrapper. For example, in .fetchmailrc you can add this line:

+ +

+plugin 'mywrap.sh %h %p'
+
+ +With mywrap.sh containing:

+ +

+#! /bin/sh
+if test $# -ne 2 ; then
+  echo "usage: `basename $0`  "
+  exit 1
+fi
+exec openssl 2>/dev/null s_client -connect $1:$2 -quiet
+exit 2 # never reached unless openssl fails
+
+

C1. Why do I need a .fetchmailrc when running as root on my own machine?

@@ -2941,7 +2966,7 @@ install Linux on your server...

Back to Fetchmail Home Page To Site Map -$Date: 2000/11/11 18:20:46 $ +$Date: 2000/11/11 19:23:49 $

Eric S. Raymond <esr@snark.thyrsus.com>
diff --git a/fetchmail.c b/fetchmail.c index 617d4e80..e4035813 100644 --- a/fetchmail.c +++ b/fetchmail.c @@ -842,6 +842,7 @@ static void optmerge(struct query *h2, struct query *h1, int force) FLAG_MERGE(server.dns); FLAG_MERGE(server.checkalias); FLAG_MERGE(server.uidl); + FLAG_MERGE(server.principal); #if defined(linux) || defined(__FreeBSD__) FLAG_MERGE(server.interface); @@ -1571,6 +1572,9 @@ static void dump_params (struct runctl *runp, printf(_(" Kerberos V5 preauthentication enabled.\n")); else if (ctl->server.preauthenticate == A_SSH) printf(_(" End-to-end encryption assumed.\n")); + if (ctl->server.principal != (char *) NULL) { + printf(_(" Mail service principal is: %s\n"), ctl->server.principal); + } #ifdef SSL_ENABLE if (ctl->use_ssl) printf(" SSL encrypted sessions enabled.\n"); diff --git a/fetchmail.h b/fetchmail.h index 8907696a..819ff6c7 100644 --- a/fetchmail.h +++ b/fetchmail.h @@ -207,6 +207,7 @@ struct hostdata /* shared among all user connections to given server */ flag sdps; /* use Demon Internet SDPS *ENV */ #endif /* SDPS_ENABLE */ flag checkalias; /* resolve aliases by comparing IPs? */ + char *principal; /* Kerberos principal for mail service */ #if defined(linux) || defined(__FreeBSD__) diff --git a/fetchmail.man b/fetchmail.man index 6f803d43..a9b8a21e 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -221,6 +221,12 @@ news drop for a group of users. The port option permits you to specify a TCP/IP port to connect on. This option will seldom be necessary as all the supported protocols have well-established default port numbers. +.TP +.B \--principal +(Keyword: principal) +The principal option permits you to specify a service principal for +mutual authentication. This is applicable to POP3 or IMAP with Kerberos +authentication. .TP .B \-t, --timeout (Keyword: timeout) @@ -1884,7 +1890,8 @@ on the server but not selected for retrieval.) .IP 2 An error was encountered when attempting to open a socket to retrieve mail. If you don't know what a socket is, don't worry about it -- -just treat this as an 'unrecoverable error'. +just treat this as an 'unrecoverable error'. This error can also be +because a protocol fetchmail wants to use is not listed in /etc/services. .IP 3 The user authentication step failed. This usually means that a bad user-id, password, or APOP id was specified. Or it may mean that you @@ -2054,6 +2061,8 @@ The UIDL code is generally flaky and tends to lose its state on errors and line drops (so that old messages are re-seen). If this happens to you, switch to IMAP4. .PP +The `principal' option only handles Kerberos IV, not V. +.PP Send comments, bug reports, gripes, and the like to the fetchmail-friends list . An HTML FAQ is available at the fetchmail home page; surf to diff --git a/fetchmailconf b/fetchmailconf index 05a599ed..a17adbc0 100755 --- a/fetchmailconf +++ b/fetchmailconf @@ -226,6 +226,7 @@ class User: self.ssl = 0 # Enable Seccure Socket Layer self.sslkey = None # SSL key filename self.sslcert = None # SSL certificate filename + self.principal = None # Kerberos principal self.properties = None # Extension properties User.typemap = ( ('remote', 'String'), @@ -258,6 +259,7 @@ class User: ('ssl', 'Boolean'), ('sslkey', 'String'), ('sslcert', 'String'), + ('principal', 'String'), ('properties', 'String')) def __repr__(self): @@ -318,6 +320,8 @@ class User: res = res + " sslkey " + `self.sslkey` if self.sslcert and self.sslcert != UserDefaults.sslcert: res = res + " sslcert " + `self.sslcert` + if self.principal and self.principal != UserDefaults.principal: + res = res + " principal " + `self.principal` if self.expunge != UserDefaults.expunge: res = res + " expunge " + `self.expunge` res = res + "\n" @@ -1475,6 +1479,11 @@ class UserEdit(Frame, MyWidget): self.sslcert, '14').pack(side=TOP, fill=X) sslwin.pack(fill=X, anchor=N) + # Someday this should handle Kerberos 5 too + if 'imap-k4': + LabeledEntry(secwin, 'Principal:', + self.principal, '12').pack(side=TOP, fill=X) + names = Frame(leftwin, relief=RAISED, bd=5) Label(names, text="Local names").pack(side=TOP) ListEdit("New name: ", diff --git a/imap.c b/imap.c index ea44e5a0..39868ad5 100644 --- a/imap.c +++ b/imap.c @@ -608,8 +608,10 @@ static int do_gssauth(int sock, char *hostname, char *username) SockWrite(sock, buf1, strlen(buf1)); /* we should be done. Get status and finish up */ - if (result = gen_recv(sock, buf1, sizeof buf1)) - return result; + do { + if (result = gen_recv(sock, buf1, sizeof buf1)) + return result; + } while(strncmp(buf1, tag, strlen(tag)) != 0); if (strstr(buf1, "OK")) { /* flush security context */ if (outlevel >= O_DEBUG) diff --git a/options.c b/options.c index 6f9aaceb..86e10ebc 100644 --- a/options.c +++ b/options.c @@ -79,6 +79,7 @@ #endif #define LA_SHOWDOTS 53 +#define LA_PRINCIPAL 54 /* options still left: CDgGhHjJoORwWxXYz */ static const char *shortoptions = @@ -147,6 +148,8 @@ static const struct option longoptions[] = { {"sslcert", required_argument, (int *) 0, LA_SSLCERT }, #endif + {"principal", required_argument, (int *) 0, LA_PRINCIPAL }, + #if (defined(linux) && !INET6_ENABLE) || defined(__FreeBSD__) {"interface", required_argument, (int *) 0, LA_INTERFACE }, {"monitor", required_argument, (int *) 0, LA_MONITOR }, @@ -559,6 +562,10 @@ struct query *ctl; /* option record to be initialized */ break; #endif + case LA_PRINCIPAL: + ctl->server.principal = xstrdup(optarg); + break; + case 'y': case LA_YYDEBUG: yydebug = TRUE; @@ -629,6 +636,7 @@ struct query *ctl; /* option record to be initialized */ P(_(" -t, --timeout server nonresponse timeout\n")); P(_(" -E, --envelope envelope address header\n")); P(_(" -Q, --qvirtual prefix to remove from local user id\n")); + P(_(" --principal mail service principal\n")); P(_(" -u, --username specify users's login on server\n")); P(_(" -a, --all retrieve old and new messages\n")); diff --git a/rcfile_l.l b/rcfile_l.l index 8ce776bf..d729e3ed 100644 --- a/rcfile_l.l +++ b/rcfile_l.l @@ -90,6 +90,7 @@ ssh { SETSTATE(0); return SSH; } timeout { return TIMEOUT;} envelope { return ENVELOPE; } qvirtual { return QVIRTUAL; } +principal { return PRINCIPAL; } user(name)? {SETSTATE(NAME); return USERNAME; } pass(word)? {SETSTATE(NAME); return PASSWORD; } diff --git a/rcfile_y.y b/rcfile_y.y index f24f71a4..7308e3ff 100644 --- a/rcfile_y.y +++ b/rcfile_y.y @@ -73,6 +73,7 @@ extern char * yytext; %token DROPSTATUS DROPDELIVERED %token DNS SERVICE PORT UIDL INTERVAL MIMEDECODE IDLE CHECKALIAS %token SSL SSLKEY SSLCERT +%token PRINCIPAL %% @@ -148,6 +149,7 @@ serv_option : AKA alias_list current.server.port = KPOP_PORT; #endif /* INET6_ENABLE */ } + | PRINCIPAL STRING {current.server.principal = xstrdup($2);} | PROTOCOL SDPS { #ifdef SDPS_ENABLE current.server.protocol = P_POP3; @@ -483,6 +485,7 @@ static void reset_server(const char *name, int skip) current.smtp_socket = -1; current.server.pollname = xstrdup(name); current.server.skip = skip; + current.server.principal = (char *)NULL; } diff --git a/sample.rcfile b/sample.rcfile index 299ec8cd..865b3a18 100644 --- a/sample.rcfile +++ b/sample.rcfile @@ -27,6 +27,7 @@ # uidl # no uidl # port -- must be followed by a TCP/IP port number +# principal -- must be followed by a principal name # ssl # sslkeyfile -- must be followed by path to private key file # sslcertfile -- must be followed by path to certificate file diff --git a/sink.c b/sink.c index 45db08b6..b519e0d7 100644 --- a/sink.c +++ b/sink.c @@ -803,6 +803,10 @@ int open_sink(struct query *ctl, struct msgblk *msg, else { char errbuf[POPBUFSIZE]; + int res; + + if ((res = handle_smtp_report(ctl, msg))==PS_REFUSED) + return PS_REFUSED; strcpy(errbuf, idp->id); strcat(errbuf, ": "); -- 2.43.2