* CRAM-MD5 authentication of IMAP and POP3 is working. Tested against
IMAP4rev1 2000.287 and v2000.70 POP3 gateway at neo.netnea.com.
* Full support for POP3 AUTH (RFC1734) with KERBEROS_IV, GSSAPI, OTP.
+ This code has been completely refactored. In the process, it is
+ possible I have broken GSSAPI and OPIE; this needs to be tested.
+ The old IMAP-LOGIN, IMAP-GSS, and IMAP-K4 protocols are gone; fetchmail
+ now uses these automatically when it detects the right capabilities.
+ To prevent having fetchmail look for a password, specify a "preauth"
+ option other than "password".
* Noted that Debian bugs #78963, #63064, #81312, #78796, #78363, #78149,
#68627, #67559, #63308, #63088, #71428 are fixed.
* Resolved Debian bug #65505: fetchmail now returns a nonzero exit status
#endif /* POP2_ENABLE */
case P_POP3: return("POP3");
case P_IMAP: return("IMAP");
- case P_IMAP_K4: return("IMAP-K4");
#ifdef GSSAPI
case P_IMAP_GSS: return("IMAP-GSS");
#endif /* GSSAPI */
- case P_IMAP_CRAM_MD5: return("IMAP-LOGIN");
- case P_IMAP_LOGIN: return("IMAP-LOGIN");
case P_APOP: return("APOP");
case P_RPOP: return("RPOP");
case P_ETRN: return("ETRN");
<table width="100%" cellpadding=0><tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
<td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 2001/02/10 21:24:24 $
+<td width="30%" align=right>$Date: 2001/02/11 23:26:07 $
</table>
<HR>
<H1>Frequently Asked Questions About Fetchmail</H1>
<hr>
<h2><a name="G7">G7. What is the best server to use with fetchmail?</a></h2>
-The short answer: IMAP
4rev1 running over Unix.<P>
+The short answer: IMAP
2000 running over Unix.<P>
Here's a longer answer: <P>
If you have the option, we recommend using or installing an IMAP4rev1
server; it has the best facilities for tracking message `seen' states.
It also recovers from interrupted connections more gracefully than
-POP3, and enables some significant performance optimizations.<P>
+POP3, and enables some significant performance optimizations. The new
+<a href="ftp://ftp.cac.washington.edu/imap/imap.tar.Z">IMAP 2000</a>
+is particularly nice, as it supports CRAM-MD5 so you don't have to
+ship your mail password over the net en clair (fetchmail autodetects
+this capability). Older versions had support for GSSAPI giving a
+similar effect, .<P>
Don't be fooled by NT/Exchange propaganda. M$ Exchange is just plain
broken (see item <a href="#S2">S2</a>) and NT cannot handle the
href="http://unix-vs-nt.org/kirch/">white paper</a> on Unix
vs. NT performance.<P>
-You can find sources for IMAP software at <a
-href="http://www.imap.org">The IMAP Connection</a>; we like the
-open-source <a href="ftp://ftp.cac.washington.edu/imap/">UW IMAP</a>
-server, which is the reference implementation of IMAP. UW IMAP's
-support for GSSAPI gives you a good way to authenticate without
-sending a password en clair.<P>
-
Source for a high-quality supported implementation of POP is available
from the <a href="ftp://ftp.qualcomm.com/eudora/servers/unix/popper/">Eudora
FTP site</a>. Don't use 2.5, which has a rather restrictive license.
to see these, or telnet direct to the server port (110 for POP3, 143 for
IMAP).<P>
-The facility you are most likely to have available is APOP. This is a
+If your mailserver is using IMAP 2000, you'll have CRAM-MD5 support
+built in. Fetchmail autodetects this; you can skip the rest of this
+section.<P>
+
+The POP3 facility you are most likely to have available is APOP. This is a
POP3 feature supported by many servers (fetchmailconf's autoprobe
facility will detect it and tell you if you have it). If you see
something in the greeting line that looks like an
to set up some magic files in your home directory on your client
machine, but means you can omit specifying any password at all.<P>
-Fetchmail supports two different Kerberos schemes. One is a
-POP3 variant called KPOP; consult the documentation of your mail
-server to see if you have it (one clue is the string "krb-IV" in the
-greeting line on port 110). The other is an IMAP facility described
-by RFC1731. You can tell if this one is present by looking for
-AUTH=KERBEROS_V4 in the CAPABILITY response.<P>
+Fetchmail supports two different Kerberos schemes. One is a POP3
+variant called KPOP; consult the documentation of your mail server to
+see if you have it (one clue is the string "krb-IV" in the greeting
+line on port 110). The other is an IMAP and POP3 facility described
+by RFC1731 and RFC1734. You can tell if this one is present by looking
+
for AUTH=KERBEROS_V4 in the CAPABILITY response.<P>
If you are fetching mail from a CompuServe POP3 account, you can use
their RPA authentication (which works much like APOP). See <a
distribution INSTALL file), fetchmail will detect it also. When using
OTP, you will specify a password but it will not be sent en clair.<P>
-Sadly, there is at present (September 1999) no OTP or APOP-like
-facility generally available on IMAP servers. However, there do exist
-patches which will OTP-enable the University of Washington IMAP
-daemon, version 4.2-FINAL. We have a report that the GSSAPI support
-in fetchmail works with the GSSAPI support in the most recent version
-of UW IMAP. Or you can use <a href="#K5">SSL</a> for complete
-end-to-end encryption if you have an SSL-enabled mailserver.<P>
-
You can get both POP3 and IMAP OTP patches from <a name="cmetz">Craig
Metz</A> at <a
href="http://www.inner.net/pub/">http://www.inner.net/pub/</a>.<P>
this method, so the two will interoperate happily. They better,
because this is how Craig gets his mail ;-)<P>
+Finally, you can use <a href="#K5">SSL</a> for complete
+end-to-end encryption if you have an SSL-enabled mailserver.<P>
<hr>
<h2><a name="G10">G10. Is any special configuration needed to use a dynamic IP address?</a></h2>
<table width="100%" cellpadding=0><tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
<td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 2001/02/10 21:24:24 $
+<td width="30%" align=right>$Date: 2001/02/11 23:26:07 $
</table>
<P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com"><esr@snark.thyrsus.com></A></ADDRESS>
{
if (ctl->active && !(implicitmode && ctl->server.skip)&&!ctl->password)
{
- if (ctl->server.preauthenticate == A_KERBEROS_V4 ||
- ctl->server.preauthenticate == A_KERBEROS_V5 ||
- ctl->server.preauthenticate == A_SSH ||
-#ifdef GSSAPI
- ctl->server.protocol == P_IMAP_GSS ||
-#endif /* GSSAPI */
- ctl->server.protocol == P_IMAP_K4)
+ if (ctl->server.preauthenticate != A_PASSWORD)
/* Server won't care what the password is, but there
must be some non-null string here. */
ctl->password = ctl->remotename;
for (ctl = querylist; ctl; ctl = ctl->next)
{
if (ctl->active && !(implicitmode && ctl->server.skip)
- && ctl->server.protocol != P_ETRN
- && ctl->server.protocol != P_IMAP_K4
-#ifdef GSSAPI
- && ctl->server.protocol != P_IMAP_GSS
-#endif /* GSSAPI */
+ && ctl->server.preauthenticate == A_PASSWORD
&& !ctl->password)
{
if (!isatty(0))
#endif /* POP3_ENABLE */
break;
case P_IMAP:
- case P_IMAP_K4:
- case P_IMAP_CRAM_MD5:
- case P_IMAP_LOGIN:
#ifdef GSSAPI
case P_IMAP_GSS:
#endif /* GSSAPI */
ctl->server.skip ? _("will not") : _("will"));
/*
* Don't poll for password when there is one or when using the ETRN
- * or IMAP-GSS protocol
+ * or GSSAPI or KERBEROS protocol
*/
/* ETRN, IMAP_GSS, and IMAP_K4 do not need a password, so skip this */
if ( (ctl->server.protocol != P_ETRN)
#ifdef GSSAPI
- && (ctl->server.protocol != P_IMAP_GSS)
+ && (ctl->server.preauthenticate != A_GSSAPI)
#endif /* GSSAPI */
- && (ctl->server.protocol != P_IMAP_K4) ) {
+ && (ctl->server.preauthenticate != A_KERBEROS_V4)
+ && (ctl->server.preauthenticate != A_KERBEROS_V5))
+ {
if (!ctl->password)
printf(_(" Password will be prompted for.\n"));
else if (outlevel >= O_VERBOSE)
#define P_APOP 4
#define P_RPOP 5
#define P_IMAP 6
-#define P_IMAP_K4 7
-#define P_IMAP_GSS 8
-#define P_IMAP_CRAM_MD5 9
-#define P_IMAP_LOGIN 10
-#define P_ETRN 11
-#define P_ODMR 12
+#define P_ETRN 7
+#define P_ODMR 8
#if INET6_ENABLE
#define SMTP_PORT "smtp"
#define A_PASSWORD 0 /* password or inline authentication */
#define A_KERBEROS_V4 1 /* preauthenticate w/ Kerberos V4 */
#define A_KERBEROS_V5 2 /* preauthenticate w/ Kerberos V5 */
-#define A_SSH 3 /* preauthentication at session level */
+#define A_GSSAPI 3 /* preauthenticate with GSSAPI */
+#define A_SSH 4 /* preauthentication at session level */
/*
* Definitions for buffer sizes. We get little help on setting maxima
.IP POP3
Post Office Protocol 3
.IP APOP
-Use POP3 with MD5 authentication.
+Use POP3 with old-fashioned MD5-challenge authentication.
.IP RPOP
Use POP3 with RPOP authentication.
.IP KPOP
Use POP3 with Demon Internet's SDPS extensions.
.IP IMAP
IMAP2bis, IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities).
-.IP IMAP-K4
-IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities)
-with RFC 1731 Kerberos v4 preauthentication.
-.IP IMAP-GSS
-IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities)
-with RFC 1731 GSSAPI preauthentication.
-.IP IMAP-CRAMMD5
-IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities)
-with RFC 2195 CRAM-MD5 authentication.
-.IP IMAP-LOGIN
-IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities)
-with plain LOGIN authentication only, even if the server supports
-better methods.
.IP ETRN
Use the ESMTP ETRN option.
.IP ODMR
when interface data is being collected.
.TP
.B --preauth <type>
-(Keyword: preauth[enticate])
+(Keyword: preauth[enticate])
This option permits you to specify a preauthentication type (see USER
AUTHENTICATION below for details). The possible values are
\&`\fBpassword\fR', `\fBkerberos_v5\fR' and `\fBkerberos\fR' (or, for
-excruciating exactness, `\fBkerberos_v4\fR'), and \fBssh\fR. Use
-\fBssh\fR to suppress fetchmail's normal inquiry for a password when
-you are using an end-to-end secure connection such as an ssh tunnel.
-Other values of this option are provided primarily for developers;
-choosing KPOP protocol automatically selects Kerberos
-preauthentication, and all other alternatives use password
+excruciating exactness, `\fBkerberos_v4\fR'), \fRgssapi\fR, and
+\fBssh\fR. Any value other than "password" suppresses fetchmail's
+normal inquiry for a password. Specify \fBssh\fR when you are using
+an end-to-end secure connection such as an ssh tunnel; specify
+\fRgssapi\fR or \fBkerberos_v4\fR if you are using a protocol variant
+that employs GSSAPI or K4. Other values of this option are provided
+primarily for developers; choosing KPOP protocol automatically selects
+Kerberos preauthentication, and all other alternatives use password
authentication (though APOP uses a generated one-time key as the
password and IMAP-K4 uses RFC1731 Kerberos v4 authentication). This
option does not work with ETRN or ODMR.
checking its authorization database.
.PP
If your \fIfetchmail\fR was built with Kerberos support and you specify
-Kerberos preauthentication (either with --auth or the \fI.fetchmailrc\fR
+Kerberos preauthentication (either with --preauth or the \fI.fetchmailrc\fR
option \fBauthenticate kerberos_v4\fR) it will try to get a Kerberos
ticket from the mailserver at the start of each query. Note: if
either the pollnane or via name is `hesiod', fetchmail will try to use
Hesiod to look up the mailserver.
.PP
-If you use IMAP-K4, \fIfetchmail\fR will expect the IMAP server to have
-RFC1731-conformant AUTHENTICATE KERBEROS_V4 capability, and will use it.
-.PP
-If you use IMAP-GSS, \fIfetchmail\fR will expect the IMAP server to have
-RFC1731-conformant AUTHENTICATE GSSAPI capability, and will use it.
-Currently this has only been tested over Kerberos V, so you're expected
-to already have a ticket-granting ticket. You may pass a username different
-from your principal name using the standard \fB--user\fR command or by
-the \fI.fetchmailrc\fR option \fBuser\fR.
+If you use POP3 or IMAP with GSSAPI preauthentication, \fIfetchmail\fR will
+expect the server to have RFC1731- or RFC1734-conformant GSSAPI
+capability, and will use it. Currently this has only been tested over
+Kerberos V, so you're expected to already have a ticket-granting
+ticket. You may pass a username different from your principal name
+using the standard \fB--user\fR command or by the \fI.fetchmailrc\fR
+option \fBuser\fR.
.PP
If your IMAP daemon returns the PREAUTH response in its greeting line,
fetchmail will notice this and skip the normal authentication step.
T}
proto[col] -p T{
Specify protocol (case insensitive):
-POP2, POP3, IMAP, IMAP-K4, IMAP-GSS, APOP, KPOP
+POP2, POP3, IMAP, APOP, KPOP
T}
local[domains] \& T{
Specify domain(s) to be regarded as local
Pass in IPsec security option request.
T}
principal \& T{
-Set Kerberos principal (only useful with imap-k4)
+Set Kerberos principal (only useful with imap and kerberos)
T}
.TE
pop3 (or POP3)
sdps (or SDPS)
imap (or IMAP)
- imap-k4 (or IMAP-K4)
- imap-gss (or IMAP-GSS)
- imap-crammd5 (or IMAP-CRAMMD5)
- imap-login (or IMAP-LOGIN)
apop (or APOP)
kpop (or KPOP)
.PP
-Legal authentication types are `password' or `kerberos'. The former
-specifies authentication by normal transmission of a password (the
-password may be plaintext or subject to protocol-specific encryption
-as in APOP); the second tells \fIfetchmail\fR to try to get a Kerberos
-ticket at the start of each query instead, and send an arbitrary
-string as the password.
+Legal authentication types are `password', `kerberos', and `gssapi'.
+The `password' type specifies authentication by normal transmission of a
+password (the password may be plaintext or subject to
+protocol-specific encryption as in APOP); `kerberos' tells
+\fIfetchmail\fR to try to get a Kerberos ticket at the start of each
+query instead, and send an arbitrary string as the password; and
+`gssapi' tells fetchmail to use GSSAPI authentication.
.PP
Specifying `kpop' sets POP3 protocol over port 1109 with Kerberos V4
preauthentication. These defaults may be overridden by later options.
headers into a single one (procmail, mailagent, or maildrop can be
programmed to do this fairly easily).
.PP
-Use of any of the supported protocols other than POP3 with OTP or RPA,
-APOP, KPOP, IMAP-K4, IMAP-GSS, IMAP-CRAMMD5, or ETRN requires that the
-program send unencrypted passwords over the TCP/IP connection to the
-mailserver. This creates a risk that name/password pairs might be
-snaffled with a packet sniffer or more sophisticated monitoring
-software. Under Linux and FreeBSD, the --interface option can be used
-to restrict polling to availability of a specific interface device
-with a specific local or remote IP address, but snooping is still
-possible if (a) either host has a network device that can be opened
-in promiscuous mode, or (b) the intervening network link can be tapped.
+Use of some of these protocols (POP2, POP3, or POP4 with the password
+authentication type, if the server doesn't have CRAM-MD5 capability)
+requires that the program send unencrypted passwords over the TCP/IP
+connection to the mailserver. This creates a risk that name/password
+pairs might be snaffled with a packet sniffer or more sophisticated
+monitoring software. Under Linux and FreeBSD, the --interface option
+can be used to restrict polling to availability of a specific
+interface device with a specific local or remote IP address, but
+snooping is still possible if (a) either host has a network device
+that can be opened in promiscuous mode, or (b) the intervening network
+link can be tapped.
.PP
Use of the %F or %T escapes in an mda option could open a security
hole, because they pass text manipulable by an attacker to a shell
return(PS_SUCCESS);
}
-#if OPIE_ENABLE
- if ((ctl->server.protocol == P_IMAP) && strstr(capabilities, "AUTH=X-OTP"))
- {
- if (outlevel >= O_DEBUG)
- report(stdout, _("OTP authentication is supported\n"));
- if (do_otp(sock, ctl) == PS_SUCCESS)
- return(PS_SUCCESS);
- };
-#endif /* OPIE_ENABLE */
-
+ /*
+ * OK, now try the protocol variants that don't require passwords first.
+ */
#ifdef GSSAPI
if (strstr(capabilities, "AUTH=GSSAPI"))
{
- if (ctl->server.protocol == P_IMAP_GSS)
+ if (ctl->server.preauthenticate == A_GSSAPI)
{
if (outlevel >= O_DEBUG)
report(stdout, _("GSS authentication is supported\n"));
return do_gssauth(sock, ctl->server.truename, ctl->remotename);
}
}
- else if (ctl->server.protocol == P_IMAP_GSS)
+ else if (ctl->server.preauthenticate == P_IMAP_GSS)
{
report(stderr,
_("Required GSS capability not supported by server\n"));
if (outlevel >= O_DEBUG)
report(stdout, _("KERBEROS_V4 authentication is supported\n"));
- if (ctl->server.protocol == P_IMAP_K4)
+ if (ctl->server.preauthenticate == A_KERBEROS_V4)
{
if ((ok = do_rfc1731(sock, "AUTHENTICATE", ctl->server.truename)))
/* SASL cancellation of authentication */
gen_send(sock, "*");
-
return(ok);
}
/* else fall through to ordinary AUTH=LOGIN case */
}
- else if (ctl->server.protocol == P_IMAP_K4)
+ else if (ctl->server.preauthenticate == A_KERBEROS_V4)
{
- report(stderr,
+ report(stderr,
_("Required KERBEROS_V4 capability not supported by server\n"));
- return(PS_AUTHFAIL);
+ return(PS_AUTHFAIL);
}
#endif /* KERBEROS_V4 */
+ /*
+ * No such luck. OK, now try the variants that mask your password
+ * in a challenge-response.
+ */
+
if (strstr(capabilities, "AUTH=CRAM-MD5"))
{
if (outlevel >= O_DEBUG)
- report (stdout, _("CRAM-MD5 authentication is supported\n"));
- if (ctl->server.protocol != P_IMAP_LOGIN)
- {
- if ((ok = do_cram_md5 (sock, "AUTHENTICATE", ctl)))
- /* SASL cancellation of authentication */
- gen_send(sock, "*");
-
- return(ok);
- }
+ report(stdout, _("CRAM-MD5 authentication is supported\n"));
+ if ((ok = do_cram_md5 (sock, "AUTHENTICATE", ctl)))
+ /* SASL cancellation of authentication */
+ gen_send(sock, "*");
+ return(ok);
}
- else if (ctl->server.protocol == P_IMAP_CRAM_MD5)
+
+#if OPIE_ENABLE
+ if (strstr(capabilities, "AUTH=X-OTP"))
{
- report(stderr,
- _("Required CRAM-MD5 capability not supported by server\n"));
- return(PS_AUTHFAIL);
- }
+ if (outlevel >= O_DEBUG)
+ report(stdout, _("OTP authentication is supported\n"));
+ if (do_otp(sock, ctl) == PS_SUCCESS)
+ return(PS_SUCCESS);
+ };
+#endif /* OPIE_ENABLE */
#ifdef NTLM_ENABLE
if (strstr (capabilities, "AUTH=NTLM"))
};
#endif /* __UNUSED__ */
+ /* we're stuck with sending the password en clair */
{
/* these sizes guarantee no buffer overflow */
char remotename[NAMELEN*2+1], password[PASSWORDLEN*2+1];
}
else if (strcasecmp(optarg,"imap") == 0)
ctl->server.protocol = P_IMAP;
-#ifdef KERBEROS_V4
- else if (strcasecmp(optarg,"imap-k4") == 0)
- ctl->server.protocol = P_IMAP_K4;
-#endif /* KERBEROS_V4 */
-#ifdef GSSAPI
- else if (strcasecmp(optarg, "imap-gss") == 0)
- ctl->server.protocol = P_IMAP_GSS;
-#endif /* GSSAPI */
- else if (strcasecmp(optarg, "imap-crammd5") == 0)
- ctl->server.protocol = P_IMAP_CRAM_MD5;
- else if (strcasecmp(optarg, "imap-login") == 0)
- ctl->server.protocol = P_IMAP_LOGIN;
else if (strcasecmp(optarg,"etrn") == 0)
ctl->server.protocol = P_ETRN;
else {
port { return PORT; }
interval { return INTERVAL; }
preauth(enticate)? { SETSTATE(PREAUTH); return PREAUTHENTICATE; }
+gssapi { SETSTATE(0); return GSSAPI; }
kerberos(_v)?4 { SETSTATE(0); return KERBEROS4; }
kerberos(_v)?5 { SETSTATE(0); return KERBEROS5; }
kerberos { SETSTATE(0); return KERBEROS; }
(pop2)|(POP2) { yylval.proto = P_POP2; return PROTO; }
(sdps)|(SDPS) { return SDPS; }
(pop3)|(POP3) { yylval.proto = P_POP3; return PROTO; }
-(imap-k4)|(IMAP-K4) { yylval.proto = P_IMAP_K4; return PROTO; }
-(imap-gss)|(IMAP-GSS) { yylval.proto = P_IMAP_GSS; return PROTO; }
-(imap-crammd5)|(IMAP-CRAMMD5) { yylval.proto = P_IMAP_CRAM_MD5; return PROTO; }
-(imap-login)|(IMAP-LOGIN) { yylval.proto = P_IMAP_LOGIN; return PROTO; }
(imap)|(IMAP) { yylval.proto = P_IMAP; return PROTO; }
(apop)|(APOP) { yylval.proto = P_APOP; return PROTO; }
(etrn)|(ETRN) { yylval.proto = P_ETRN; return PROTO; }
}
%token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL
-%token PREAUTHENTICATE TIMEOUT KPOP SDPS KERBEROS4 KERBEROS5 KERBEROS SSH
-%token ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA BSMTP LMTP
+%token PREAUTHENTICATE TIMEOUT KPOP SDPS KERBEROS4 KERBEROS5 KERBEROS GSSAPI
+%token SSH ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA BSMTP LMTP
%token SMTPADDRESS SMTPNAME SPAMRESPONSE PRECONNECT POSTCONNECT LIMIT WARNINGS
%token NETSEC INTERFACE MONITOR PLUGIN PLUGOUT
%token IS HERE THERE TO MAP WILDCARD
current.server.preauthenticate = A_KERBEROS_V4;
#endif /* KERBEROS_V5 */
}
+ | PREAUTHENTICATE GSSAPI {
+ current.server.preauthenticate = A_GSSAPI;
+ }
| PREAUTHENTICATE SSH {current.server.preauthenticate = A_SSH;}
| TIMEOUT NUMBER {current.server.timeout = $2;}
projects / ~andy / fetchmail / commitdiff