+*.o
*~
-\#*#
+.autotools
+.cproject
+.deps/
+.project
+.rsyncs
+/nbproject/
ABOUT-NLS
aclocal.m4
autobuild/
autom4te.cache
-.autotools
build*
build*/
compile
config.sub
configure
configure.lineno
-.cproject
cscope.out
depcomp
-.deps/
dox/
FAQ
FEATURES
fetchmail
-fetchmailconf
+fetchmail-*.tar.*
+fetchmail-*.tar.xz
fetchmail-FAQ.pdf
fetchmail-man.html
fetchmail.spec
-fetchmail-*.tar.*
-fetchmail-*.tar.xz
+fetchmailconf
genlsm.sh
IMAPCapa
install-sh
mxget
netrc
NOTES
-*.o
po/Makefile
po/POTFILES
po/remove-potcdate.sed
po/stamp-po
-.project
py-compile
rcfile_l.c
rcfile_y.c
rfc2047e
rfc822
rfc822valid
-.rsyncs
stamp-h1
tags
TODO
unmime
x509_name_match
ylwrap
+\#*#
Copyright (C) 2002, 2003 Eric S. Raymond
Copyright (C) 2004 Matthias Andree, Eric S. Raymond,
Robert M. Funk, Graham Wilson
-Copyright (C) 2005 - 2006, 2010 Sunil Shetye
-Copyright (C) 2005 - 2010 Matthias Andree
+Copyright (C) 2005 - 2012 Sunil Shetye
+Copyright (C) 2005 - 2013 Matthias Andree
If enabled at configure/compile time, the following clause applies:
| This product includes software developed by the OpenSSL Project
.txt.html:
asciidoc --unsafe -a toc -a data-uri -o $@ $< || { rm -f $@ ; exit 1 ; }
+# default to some non-default options when using "make distcheck"
+AM_DISTCHECK_CONFIGURE_FLAGS=--with-ssl
+
# The following sets edit modes for GNU EMACS.
# Local Variables:
# compile-command:"configure"
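Review bot: the new `AM_DISTCHECK_CONFIGURE_FLAGS=--with-ssl` makes OpenSSL development headers a prerequisite for `make distcheck`; that is the right choice for a release branch whose SSL code paths are the ones changed most in this patch, but the comment above it should say so explicitly ("distcheck requires OpenSSL headers") so that a contributor whose distcheck fails for lack of OpenSSL does not simply drop the flag.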
--------------------------------------------------------------------------------
-fetchmail-6.3.24 (released 2012-12-23, 26108 LoC):
-
-# NOTE THAT THE RELEASE OF FUTURE FETCHMAIL 6.3.X VERSIONS IS UNCLEAR.
-Should a 7.0 release be made earlier, chances are that the 6.3.X branch
-is abandoned and its changes be folded into the 7.0 release, with changes
-after 6.3.24 not available on their own in a newer 6.3.X release.
+fetchmail-6.3.25 (released 2013-03-18, 26149 LoC):
# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
- They have stopped accepting submissions and consider themselves an archive.
+* They have stopped accepting submissions and consider themselves an archive.
-# CRITICAL AND REGRESSION FIXES
-* Plug a memory leak in OpenSSL's certificate verification callback.
- This would affect fetchmail configurations running with SSL in daemon mode
- more than one-shot runs.
- Reported by Erik Thiele, and pinned by Dominik Heeg,
- fixes Debian Bug #688015.
- This bug was introduced into fetchmail 6.3.0 (committed 2005-10-29)
- when support for subjectAltName was added through a patch by Roland
- Stigge, submitted as Debian Bug#201113.
+# BUG FIXES
+* Fix a memory leak in out-of-memory error condition while handling plugins.
+ Report and patch by John Beck (found with Parfait static code analyzer).
+* Fix a NULL pointer dereference in out-of-memory error condition while handling
+ plugins.
+ Report and patch by John Beck (found with Parfait static code analyzer).
-* The --logfile option now works again outside daemon mode, reported by Heinz
- Diehl. The documentation that I had been reading was inconsistent with the
- code, and only parts of the manual page claimed that --logfile was only
- effective in daemon mode.
+# CHANGES
+* Improved reporting when SSL/TLS X.509 certificate validation has failed,
+ working around a not-so-recent swapping of two OpenSSL error codes, and
+ a practical impossibility to distinguish broken certification chains from
+ missing trust anchors (root certificates).
+* OpenSSL decoded errors are now reported through report(), rather than dumped
+ to stderr, so that they should show up in logfiles and/or syslog.
+* The fetchmail manual page no longer claims that MD5 were the default OpenSSL
+ hash format (for use with --sslfingerprint). Reported by Jakob Wilk,
+ PARTIAL fix for Debian Bug#700266.
+* The fetchmail manual page now refers the user to --softbounce from the
+ SMTP/ESMTP ERROR HANDLING section. Reported by Anton Shterenlikht.
+
+# WORKAROUNDS
+* Older systems that provide the older RFC-2553 implementation of getaddrinfo,
+ rather than the current RFC-3493, and systems that do not provide this
+ getaddrinfo() interface at all and thus use the replacement functions from
+ libesmtp/getaddrinfo.?, might return EAI_NODATA when a host is registered in
+ DNS as MX or similar, but without A or AAAA records. Handle this situation
+ when checking for multidrop aliases and treat EAI_NODATA the same as
+ EAI_NONAME, i. e. name cannot be resolved.
+
+ The proper fix, however, is to upgrade the operating system.
+
+# TRANSLATION UPDATES
+[cs] Czech, by Petr Pisar
+[da] Danish, by Joe Hansen
+[de] German
+[eo] Esperanto, by Sian Mountbatten and Felipe Castro
+[fr] French, by Frédéric Marchal
+[ja] Japanese, by Takeshi Hamasaki
+[pl] Polish, by Jakub Bogusz
+[sv] Swedish, by Göran Uddeborg
+[vi] Vietnamese, by Trần Ngọc Quân
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
server to test against. Use GSSAPI.
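Review bot: the WORKAROUNDS entry describes a code change (treat EAI_NODATA like EAI_NONAME when checking multidrop aliases), but none of the hunks visible in this patch touch the alias-checking code; please confirm that change is part of this commit or reference the commit that carries it, so the release notes and the code stay in step. The other entries do match the hunks below: the two "out-of-memory error condition while handling plugins" fixes correspond to the parse_plugin()/run_plugin() changes in socket.c, and the "Improved reporting when SSL/TLS X.509 certificate validation has failed" entry to the verification-callback rewrite. Downgrading the heading from "CRITICAL AND REGRESSION FIXES" to "BUG FIXES" is appropriate, since both plugin fixes only matter once malloc() has already failed.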
+fetchmail-6.3.24 (released 2012-12-23, 26108 LoC):
+
+# CRITICAL AND REGRESSION FIXES
+* Plug a memory leak in OpenSSL's certificate verification callback.
+ This would affect fetchmail configurations running with SSL in daemon mode
+ more than one-shot runs.
+ Reported by Erik Thiele, and pinned by Dominik Heeg,
+ fixes Debian Bug #688015.
+ This bug was introduced into fetchmail 6.3.0 (committed 2005-10-29)
+ when support for subjectAltName was added through a patch by Roland
+ Stigge, submitted as Debian Bug#201113.
+
+* The --logfile option now works again outside daemon mode, reported by Heinz
+ Diehl. The documentation that I had been reading was inconsistent with the
+ code, and only parts of the manual page claimed that --logfile was only
+ effective in daemon mode.
+
+
fetchmail-6.3.23 (released 2012-12-10, 26106 LoC):
# REGRESSION FIXES
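Review bot: the re-inserted 6.3.24 entry drops the former "NOTE THAT THE RELEASE OF FUTURE FETCHMAIL 6.3.X VERSIONS IS UNCLEAR" paragraph, which is consistent now that 6.3.25 exists, but the entry ends with two blank lines where every other release block in this file uses one; trim one for consistency.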
Note that there is a separate todo.html with different content than this.
soon - MUST:
-- blacklist DigiNotar/Comodo hacks/certs, possibly with Chrome's serial#
+- blacklist DigiNotar/Comodo/Türktrust hacks/certs, possibly with Chrome's serial#
list?
- check if wildcards from X.509 are handled as strictly as required by
the RFCs.
dnl
dnl XXX - if bumping version here, check fetchmail.man, too!
-AC_INIT([fetchmail],[7.0.0-alpha4],[fetchmail-devel@lists.berlios.de])
+AC_INIT([fetchmail],[7.0.0-alpha5],[fetchmail-devel@lists.berlios.de])
AC_CONFIG_SRCDIR([fetchmail.h])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_LIBOBJ_DIR([.])
A patch against fetchmail 6.3.20 to allow creating a raw socket log if
configured through an environment variable, to assist debugging and
troubleshooting. Documentation at the beginning of the file.
+
+### gai (added 2013-02-03, --ma)
+
+A trivial getaddrinfo() program to check the getaddrinfo() call from the
+system, as a research tool for the fetchmail developers.
--- /dev/null
+/*
+ * File: gai.c
+ * Author: Matthias Andree
+ *
+ * Created on 3. Februar 2013, 15:03
+ * A short file to call getaddrinfo with the same arguments as checkalias.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+/*
+ *
+ */
+int main(int argc, char** argv) {
+ struct addrinfo hints;
+ struct addrinfo *res;
+
+ if (argc != 2 || 0 == strcmp("-h", argv[1])) {
+ fprintf(stderr, "Usage: %s hostname\n", argv[0]);
+ exit(EXIT_FAILURE);
+ }
+
+ memset(&hints, 0, sizeof hints);
+ hints.ai_family=AF_UNSPEC;
+ hints.ai_protocol=PF_UNSPEC;
+ hints.ai_socktype=SOCK_STREAM;
+ hints.ai_flags=AI_CANONNAME;
+
+ int result = getaddrinfo(argv[1], NULL, &hints, &res);
+ if (result) {
+ fprintf(stderr, "getaddrinfo(\"%s\", ...AI_CANONNAME...) failed: %d (%s)\n", argv[1], result, gai_strerror(result));
+ exit(EXIT_FAILURE);
+ }
+
+ freeaddrinfo(res);
+ return (EXIT_SUCCESS);
+}
+
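Review bot: `hints.ai_protocol=PF_UNSPEC` stores an address-family constant in the protocol field; it only works because PF_UNSPEC happens to be 0, which for `ai_protocol` means "any protocol". Write `hints.ai_protocol = 0;` to say what is meant. More importantly for its stated purpose (a research tool for the EAI_NODATA question in NEWS), the program frees `res` and exits silently on success, so it reports nothing about what the system's getaddrinfo() actually returned; walking the `res` list and printing `ai_canonname` together with each entry's `ai_family` would show whether an MX-only name yields an empty list, an error, or something else on the platform under test. The `int result` declaration after statements needs C99; fine if that is the project's baseline, otherwise move it up with the other declarations.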
fprintf(fp, GT_("Copyright (C) 2002, 2003 Eric S. Raymond\n"
"Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n"
" Robert M. Funk, Graham Wilson\n"
- "Copyright (C) 2005 - 2012 Matthias Andree, Sunil Shetye\n"
+ "Copyright (C) 2005 - 2012 Sunil Shetye\n"
+ "Copyright (C) 2005 - 2013 Matthias Andree\n"
));
fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n"
"are welcome to redistribute it under certain conditions. For details,\n"
.\" Load www macros to process .URL requests, this requires groff:
.mso www.tmac
.\"
-.TH fetchmail 1 "fetchmail 7.0.0-alpha4" "fetchmail" "fetchmail reference manual"
+.TH fetchmail 1 "fetchmail 7.0.0-alpha5" "fetchmail" "fetchmail reference manual"
.SH NAME
fetchmail \- fetch mail from a POP, IMAP, ETRN, or ODMR-capable server
(since v6.3.10, Keyword: set softbounce, since v6.3.10)
.br
Soft bounce mode. All permanent delivery errors cause messages to be
-left on the upstream server if the protocol supports that. Default to
-match historic fetchmail documentation, to be changed to hard bounce
-mode in the next fetchmail release.
+left on the upstream server if the protocol supports that.
+.B This option is on by default to match historic fetchmail documentation,
+and will be changed to hard bounce mode in the next fetchmail release.
.SS Disposal Options
.TP
.B \-a | \-\-all | (since v6.3.3) \-\-fetchall
.br
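Review bot: `.B` bolds only the arguments on its own line, so in the rendered page "This option is on by default to match historic fetchmail documentation," is bold and "and will be changed to hard bounce mode in the next fetchmail release." falls back to roman, which reads as a formatting accident. If the whole warning is meant to stand out, use the inline form this page already uses elsewhere (`\fB...\fP`, as in `\fBsslcertck\fP` below) spanning both lines.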
Specify the fingerprint of the server key (an MD5 hash of the key) in
hexadecimal notation with colons separating groups of two digits. The letter
-hex digits must be in upper case. This is the default format OpenSSL uses,
-and the one fetchmail uses to report the fingerprint when an SSL connection
+hex digits must be in upper case. This is the format
+that fetchmail uses to report the fingerprint when an SSL connection
is established. When this is specified, fetchmail will compare the server key
fingerprint with the given one, and the connection will fail if they do not
-match regardless of the \fBsslcertck\fP setting. The connection will
+match, regardless of the \fBsslcertck\fP setting. The connection will
also fail if fetchmail cannot obtain an SSL certificate from the server.
This can be used to prevent man-in-the-middle attacks, but the finger
print from the server needs to be obtained or verified over a secure
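Review bot: the paragraph still opens with "(an MD5 hash of the key)" while the hunk removes the claim that this is OpenSSL's default format, which matches NEWS calling this a PARTIAL fix for Debian Bug#700266. To finish it, state explicitly which digest fetchmail computes and compares, so a user who pastes a fingerprint produced by another tool with a different default digest gets a predictable mismatch rather than a surprise, and mention that the fingerprint printed by fetchmail itself at connection time is the value to use.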
programmers are not aware of OpenSSL's requirement of the day.
For instance, since v6.3.16, fetchmail calls
OpenSSL_add_all_algorithms(), which is necessary to support certificates
-with SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the
+using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the
documentation and not at all obvious. Please do not hesitate to report
subtle SSL failures.
.PP
.SH SMTP/ESMTP ERROR HANDLING
Besides the spam-blocking described above, fetchmail takes special
-actions on the following SMTP/ESMTP error responses
+actions \(em that may be modified by the \-\-softbounce option \(em on
+the following SMTP/ESMTP error response codes
.TP 5
452 (insufficient system storage)
Leave the message in the server mailbox for later retrieval.
Delete the message from the server. Don't even try to send
bounce-mail to the originator.
.PP
-Other errors trigger bounce mail back to the originator. See also BUGS.
+Other errors greater or equal to 500 trigger bounce mail back to the
+originator, unless suppressed by \-\-softbounce. See also BUGS.
.SH THE RUN CONTROL FILE
The preferred way to set up fetchmail is to write a
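Review bot: "Other errors greater or equal to 500" should read "greater than or equal to 500" (or simply "5yz responses"). The new cross-reference to `\-\-softbounce` is useful; since the softbounce hunk earlier in this patch says the option is on by default, this section should say so too, because that default decides whether the "trigger bounce mail" sentence applies at all for a stock configuration.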
argvec = (char **)malloc(s);
if (!argvec)
{
- report(stderr, GT_("fetchmail: malloc failed\n"));
free(plugin_copy);
+ report(stderr, GT_("fetchmail: malloc failed\n"));
return NULL;
}
memset(argvec, 0, s);
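Review bot: swapping `free(plugin_copy)` ahead of `report()` is behaviour-neutral given the context shown (both ran on this error path before). If the intent is to release memory before `report()` is called while the process is already out of memory, a one-line comment saying so would spare the next reader the same question.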
if (outlevel >= O_VERBOSE)
report(stderr, GT_("running %s (host %s service %s)\n"), plugin, host, service);
argvec = parse_plugin(plugin,host,service);
+ if (argvec == NULL)
+ _exit(EXIT_FAILURE);
execvp(*argvec, argvec);
report(stderr, GT_("execvp(%s) failed\n"), *argvec);
_exit(EXIT_FAILURE);
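Review bot: the `argvec == NULL` check closes the NULL dereference in `execvp(*argvec, argvec)` when `parse_plugin()` fails under memory pressure, and the silent `_exit(EXIT_FAILURE)` is appropriate in the forked child because `parse_plugin()` has already reported the malloc failure. Note that the verbose "running %s (host %s service %s)" line is emitted before `parse_plugin()` runs, so a log will show "running ..." immediately followed by "malloc failed"; harmless, but worth knowing when reading logs.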
#include <openssl/x509v3.h>
#include <openssl/rand.h>
+static void report_SSL_errors(FILE *stream)
+{
+ unsigned long err;
+
+ while (0ul != (err = ERR_get_error())) {
+ char *errstr = ERR_error_string(err, NULL);
+ report(stream, GT_("OpenSSL reported: %s\n"), errstr);
+ }
+}
+
+/* override ERR_print_errors_fp to our own implementation */
+#undef ERR_print_errors_fp
+#define ERR_print_errors_fp(stream) report_SSL_errors((stream))
+
static SSL_CTX *_ctx[FD_SETSIZE];
static SSL *_ssl_context[FD_SETSIZE];
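Review bot: `ERR_error_string(err, NULL)` writes into a static buffer shared by every caller, so `report_SSL_errors()` is unsafe if fetchmail ever reports SSL errors from more than one thread; `ERR_error_string_n(err, buf, sizeof buf)` with a local `char buf[256]` costs nothing and removes the hazard. The `#undef`/`#define` of `ERR_print_errors_fp` redirects an OpenSSL API name to a fetchmail function only within this translation unit and will break silently if a future OpenSSL header defines that name differently; calling `report_SSL_errors()` directly at the call sites is more robust and easier to grep.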
} /* if (depth == 0 && !_depth0ck) */
if (err != X509_V_OK && err != _prev_err && !(_check_fp != 0 && _check_digest && !strict)) {
+ char *tmp;
+ int did_rep_err = 0;
_prev_err = err;
-
+
report(stderr, GT_("Server certificate verification error: %s\n"), X509_verify_cert_error_string(err));
/* We gave the error code, but maybe we can add some more details for debugging */
switch (err) {
+ /* actually we do not want to lump these together, but
+ * since OpenSSL flipped the meaning of these error
+ * codes in the past, and they do hardly make a
+ * practical difference because servers need not provide
+ * the root signing certificate, we don't bother telling
+ * users the difference:
+ */
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
X509_NAME_oneline(issuer, buf, sizeof(buf));
buf[sizeof(buf) - 1] = '\0';
- report(stderr, GT_("unknown issuer (first %d characters): %s\n"), (int)(sizeof(buf)-1), buf);
- report(stderr, GT_("This error usually happens when the server provides an incomplete certificate "
- "chain, which is nothing fetchmail could do anything about. For details, "
- "please see the README.SSL-SERVER document that comes with fetchmail.\n"));
- break;
+ report(stderr, GT_("Broken certification chain at: %s\n"), (tmp = sdump(buf, strlen(buf))));
+ xfree(tmp);
+ report(stderr, GT_( "This could mean that the server did not provide the intermediate CA's certificate(s), "
+ "which is nothing fetchmail could do anything about. For details, "
+ "please see the README.SSL-SERVER document that ships with fetchmail.\n"));
+ did_rep_err = 1;
+ /* FALLTHROUGH */
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- X509_NAME_oneline(subj, buf, sizeof(buf));
- buf[sizeof(buf) - 1] = '\0';
- report(stderr, GT_("This means that the root signing certificate (issued for %s) is not in the "
- "trusted CA certificate locations, or that c_rehash needs to be run "
+ if (!did_rep_err) {
+ X509_NAME_oneline(issuer, buf, sizeof(buf));
+ buf[sizeof(buf) - 1] = '\0';
+ report(stderr, GT_("Missing trust anchor certificate: %s\n"), (tmp = sdump(buf, strlen(buf))));
+ xfree(tmp);
+ }
+ report(stderr, GT_( "This could mean that the root CA's signing certificate is not in the "
+ "trusted CA certificate location, or that c_rehash needs to be run "
"on the certificate directory. For details, please "
- "see the documentation of --sslcertpath and --sslcertfile in the manual page.\n"), buf);
+ "see the documentation of --sslcertpath and --sslcertfile in the manual page.\n"));
break;
default:
break;
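Review bot: with the `/* FALLTHROUGH */` after `did_rep_err = 1`, a broken chain now prints both the "Broken certification chain at:" paragraph and the "This could mean that the root CA's signing certificate is not in the trusted CA certificate location" paragraph; `did_rep_err` only suppresses the "Missing trust anchor certificate:" line. If reporting both causes is intended (the comment about OpenSSL having swapped `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT` and `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` suggests it is), say so in the comment; otherwise a `break;` after `did_rep_err = 1;` keeps the two diagnoses separate. Minor: assigning `tmp = sdump(...)` inside the `report()` argument list and freeing it on the next line is correct, but a separate statement is easier to audit.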
} else if (!strcasecmp("ssl23",myproto)) {
myproto = NULL;
} else {
- fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto);
+ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
myproto = NULL;
}
}
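Review bot: switching from `fprintf` to `report()` is right, the message now reaches the logfile or syslog like the other SSL diagnostics, but the behaviour it describes deserves a second look: an unrecognised `--sslproto` value silently falls back to SSLv23 autonegotiation, so a typo in a hardening setting yields a weaker connection than the user configured, with only a log line to show for it. Treating an invalid protocol name as a configuration error (fail the poll rather than fall back) is the safer default; at minimum the message should list the accepted values.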
<table width="100%" cellpadding="0" summary="Canned page header">
<tr>
<td>Fetchmail</td>
-<td align="right"><!-- update date -->2012-12-23</td>
+<td align="right"><!-- update date -->2013-03-18</td>
</tr>
</table>
</div>
<h1>Fetchmail</h1>
<div style="background-color:#c0ffc0;color:#000000;">
- <h1>NEWS: FETCHMAIL 6.3.24 RELEASE</h1>
- <p>On 2012-12-23, <a
- href="http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=19227">fetchmail-6.3.24
- has been released (this is the download link),</a> fixing a
- minor regression and a memory leak.
+ <h1>NEWS: FETCHMAIL 6.3.25 RELEASE</h1>
+ <p>On 2013-03-18, <a
+ href="http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=19327">fetchmail-6.3.25
+ has been released (this is the download link),</a> fixing a few
+ minor bugs, improving OpenSSL error reporting, and adding an
+ Esperanto-language translation. <a
+ href="https://sourceforge.net/projects/fetchmail/files/branch_6.3/">You
+ can also download from sourceforge.net by clicking here.</a>
<br>It is a recommended update for all users and distributors. <a
- href="http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19227">Click
- here to see the change details.</a> Note that 6.3.22 fixed
- security bugs, and is the oldest version that should be used.
- </p>
+ href="http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19327">Click
+ here to see the change details.</a></p>
<h1>SSL issues after upgrade to OpenSSL 1.0.0?</h1>
<p>If your fetchmail upgrade entails an upgrade of the OpenSSL
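Review bot: the rewritten news paragraph drops the sentence "Note that 6.3.22 fixed security bugs, and is the oldest version that should be used." That statement is still true after 6.3.25 and is the one line on this page that tells distributors where the security floor is; keep it (or update it if a newer floor applies) rather than removing it.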