Note that there is a separate todo.html with different content than this.
soon - MUST:
+- blacklist DigiNotar/Comodo/Türktrust hacks/certs, possibly with Chrome's serial#
+ list?
+- check if wildcards from X.509 are handled as strictly as required by
+ the RFCs.
+- audit if there are further untrusted data report_*() calls.
- Debian Bug #475239, MIME decoder may break up words (need to quote results)
- put bare IP addresses in brackets for SMTP (check if there are RFC
1123/5321/5322 differences)
-- Debian Bug #531589: fetchmail ignores SIGUSR1 in idle mode.
- Fix further occurrences of SMTP reply code handling:
- for proper smtp_reponse caching of multiline codes (there are some)
- for stomping over control characters.
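Review bot: the new MUST entry "audit if there are further untrusted data report_*() calls" does not say what the audit is looking for or which call was already found, so there is no way to tell when it is done. State the defect class and the instance that prompted it. The blacklist entry also ends in an open question ("possibly with Chrome's serial# list?"); decide how the certificates are matched before it stays under MUST. Debian Bug #531589 is removed here only because it reappears under SHOULD further down, which is worth saying in the commit message.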
Postfix virtual users" around 2009-09-23 on fetchmail-users@).
soon - SHOULD:
-- replace " \n" by "\n" (and similar) - but make sure translators have
- time to catch up.
+- support NIL and strings where they are alternatives to literals
+- Debian Bug #531589: fetchmail ignores SIGUSR1 in idle mode.
+ seems non-trivial to fix: in imap_idle(), we wait for untagged
+ responses, and may be deep in SSL_peek -- and that restarts the
+ underlying blocking read() from the socket, so we never break out of
+ the SSL_peek() with SIGUSR1.
+- add repoll for all kinds of auth failures
+ (requires framework to track which auth failed in auto mode)
+- SockOpen sometimes exits with errno == 0, confusing users (found with
+ Google RealTime on Twitter)
- make sure the man page completely lists all options (f. i. sslcertpath) in
the tables.
- allow \Deleted without \Seen, rf.
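Review bot: the relocated Debian Bug #531589 entry records the cause (SSL_peek() restarting the blocking read() inside imap_idle()) but no direction for a fix, and it drops from MUST to SHOULD on "seems non-trivial" alone. Add the approach under consideration, or say plainly that the demotion is about effort. The "support NIL and strings where they are alternatives to literals" line should name the protocol and the parser it refers to, and the SockOpen entry needs a reproducible reference rather than "found with Google RealTime on Twitter".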
- document IMAP4 ACL requirements
- CRYPTO: log configured server name on certificate mismatch (perhaps pay
attention to via entries and stuff like that)
-- CRYPTO: BerliOS Bug #11576, thread on fetchmail users "Invalid SSL certificate" by
- Philip Susi, SSL negotiation does not use ERR_error_string(3ssl) to report
- errors in a readable way, we just report socket errors with no good reason.
- CRYPTO: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432618
* write a table of combinations of TLS/SSL options
- add To: header to warning mails (authfail for instance)
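Review bot: the CRYPTO entry for BerliOS Bug #11576 (SSL negotiation not using ERR_error_string(3ssl) to report errors) is removed with nothing in the visible change saying it was fixed. If it was, reference the fixing commit or NEWS entry; if it was not, keep the entry.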
- Fix TOCTOU race around prc_filecheck*
- Read CAPABILITY from greeting if present, saves one round trip.
- Check if LAST argument is properly validated against message count.
-- find a solution for the "invalid header" discards message problem
- (escape headers and stuff reminder into body)
- add Message-ID: header and other SHOULD headers to warning mails?
+- report actual SMTP error with "SMTP listener refused delivery", sugg.
+ Richard Brooksby, fetchmail-users 2010-04-06.
soon - MAY:
+- find a better replacement for sscanf parsing - we don't usually
+ detect errors in format strings such as "* %d FETCH " because we don't
+ check if the FETCH is (a) present, (b) consumed.
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471176
=> fetchmail: support utf-8 encoding in log file
Revisit http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400719
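Review bot: the new sscanf entry under "soon - MAY" describes unvalidated parsing of server responses ("* %d FETCH " accepted without checking that FETCH is present or consumed), which sits oddly two levels below the MUST entry that audits report_*() calls on untrusted data. Consider filing it under SHOULD and listing the affected call sites. The "invalid header" entry removed above it also goes without a note on whether the problem was resolved.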
- fetch IMAP message in one go (fetchmail-devel by Adam Simpkins
<simpkins@cisco.com> around Nov 2nd)?
-6.4:
+7.0:
+- Properly free host/user entries (through C++ class instantiation and destructors...)
- Remove stupid options, such as spambounce, or deferred bounces for anything
but wrong addresses
- Do not ever guess envelope from content headers such as To:/Cc:/Resent-To: or
(silently allowing g+x).
- make UID code more efficient, parsing is O(n^2), should be no worse
than O(n log n), lookup is O(n), should be O(log n).
+ * Idea for C: use <search.h> tfind/tsearch. Need to split idlist up
+ so it only keeps the ids, and use an array to track status.
- help systematic debugging
- by making logging more strict (Postfix's msg_* as example??)
- by adding a --loggingtest or something that emits
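Review bot: the added sub-item "Idea for C: use <search.h> tfind/tsearch" conflicts with the new line in the same section, "Properly free host/user entries (through C++ class instantiation and destructors...)"; say which language 7.0 targets so the two entries do not pull in different directions. The sub-item should also say how the status array is keyed once idlist keeps only the ids.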
- CRYPTO: perhaps port to NSS? Check license and features and required procedure
changes. - Redhat Bugs #333741 (crypto consolidation), #346891 (port fetchmail to NSS)
- CRYPTO: make the SSL default v3 (rather than v23).
-- CRYPTO: remove sslfingerprint? too easily abused (see NEWS)
- CRYPTO: force sslcertck
- CRYPTO: by default forbid cleartext or other compromising password
schemes over insecure connections?
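Review bot: "CRYPTO: remove sslfingerprint? too easily abused (see NEWS)" is deleted while the same change adds entries for multiple and non-MD5 fingerprints per host, so the question appears to be answered with "keep", but the abuse concern is then no longer tracked anywhere in this file. Replace the entry with one that records the decision and the intended mitigation, for example how fingerprint checking should behave once "force sslcertck" is done, instead of dropping it.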
- allow forcing RETR (RETR vs. TOP, fetchmail-users, drbob 2008-01-11)
- CRYPTO: use SASL?
- make logfile more useful (redirect not only in daemon mode)
+- close/reopen logfile on certain signals (for newsyslog/logrotate
+ support)
- for virtual mapping, we don't currently support local user aliases or
regexp matching with replacement. This would be useful for hosting
several virtual domains in one multidrop mailbox, as in
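Review bot: "close/reopen logfile on certain signals" leaves the signal unnamed. The Debian Bug #531589 entry in this same change shows that SIGUSR1 is already in use and is not acted on while imap_idle() sits in SSL_peek(), so name the signal here and note that a reopen request may run into the same restart problem in idle mode.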
does it expect, what does it get instead, what does that mean, how can the
user fix it; references to the manual)
+- grarpamp suggested, on the fetchmail list in later April 2013, more
+ config file flexibility and explicitness, by marking polls, hosts,
+ accounts. See thread.
+
+- more selection options, Debian Bug#705291.
+
+- add a way to specify multiple fingerprints per host
+
+- add a way to specify non-MD5 fingerprints per host. SHA1 can be told
+ from its mere length; other digest algorithms would require some sort
+ of prefix. We may require the prefix for SHA1, too, for clarity.
+
DOCUMENTATION:
- Add info whether Keywords are global, server or user keywords
- consolidate multidrop documentation
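Review bot: in the non-MD5 fingerprint entry, "SHA1 can be told from its mere length" makes the digest algorithm depend on input length, which stops working as soon as two supported digests share an output size. Change "We may require the prefix for SHA1, too" to a firm requirement for every non-MD5 digest. The grarpamp entry ends with "See thread." but gives no subject line or archive link by which to find it.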