fetchmail-devel — Development related discussion

[fetchmail-devel] fetchmail 6.2.5.4 released (security bugfix) (legacy)

[Matthias A. <mat...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I am announcing the release of fetchmail 6.2.5.4. For the main part, the
updated fetchmailconf that fixed CVE-2005-3088 (the password exposure
problem) is now part of the tarball, many build problems with 6.2.5 and
6.2.5.2 were fixed and the infamous "timeout" bug with IMAP that only
showed with several servers (for instance, older CommuniGate; Debian
Bug#314509) was also fixed. CVE-2005-2335 was already fixed in 6.2.5.2,
the fix is also part of 6.2.5.4. See below for details.

The software is available from:
<https://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=7976>

fetchmail-6.2.5.X is a security fix branch that forked off
fetchmail-6.2.5. It does not change for anything but security and the
most severe bug fixes. Note that no 6.2.5.X security audits are planned
except when a particular bug is reported, and that 6.2.5.X is unsafe to
use on some systems, particularly those that lack a *working and secure*
snprintf implementation.

This 6.2.5.X branch is ONLY intended for packages for systems that
cannot move forward to a newer version for stability policies, such as
Debian stable.  Note that this branch may be discontinued alongside the
official 6.3.0 release without further notice.

End users and all other systems should therefore use a current
fetchmail-6.2.9-rc* release candidate or, if available at that time,
6.3.X or newer release.

These are the relevant changes since (and excluding) 6.2.5.2:

* SECURITY FIX CVE-2005-3088: fetchmailconf: fix password exposure: use
  umask 077 before opening output file and restore umask later.
* Critical fix: fix IMAP timeouts, counting message count down on
  servers that do not send EXISTS counts after EXPUNGE. Debian Bug#314509.
* On FreeBSD, add /usr/local/include to CPPFLAGS so that libintl.h is found.
* Avoid automatically picking up HESIOD implementations that lack
  hesiod_getmailhost, such as the one in FreeBSD's base system.
* Fix makedepend for separated build (where the build is not run from
  the source directory), but prevent packaging from separated build, it
  yields bogus results.
* Fix resolv.h autodetection.
* Add +HESIOD to version printout if appropriate.
* Ship pre-built rcfile_l.c for systems that don't have flex.
* Also ship pre-built rcfile_y.[ch] for systems that don't have flex,
  yacc or bison.
* Build environment: Update included gettext. Fix
  --with-included-gettext. Fix parallel build (make -j). Fix "always
  rebuild fetchmail" syndrome.
* Do not link against -ll or -lfl (not needed).

Regards,

- -- 
Matthias Andree
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFDfTM3vmGDOQUufZURAtu2AKCyPEETBn+q1vTQBMF3eHCR0UlEhQCdE7Os
i1DBvMPM0ry0ufynC+0QjKE=
=fUW6
-----END PGP SIGNATURE-----

[fetchmail-devel] fetchmail 6.2.9-rc8 available (bug fixes)

[Matthias A. <mat...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I have just released fetchmail 6.2.9-rc9, the hopefully last release
candidate before 6.3.0, with minor bug fixes.

For distributors, please upload this to every unstable/testing/current
distribution that you have (do not upload to "stable", it changes
behavior in a few places) to expose this to wider testing.

Changes since -rc8 are:
* The default for --smtphost is now always "localhost" regardless of
  authentication types and protocols, so as to simplify configurations for
  workstations where the SMTP daemon only listens on the loopback interface.
  Sunil Shetye & Matthias Andree
* Man page: update --smtphost documentation. Sunil Shetye, Matthias Andree.
* Man page: update --smtpaddress documentation. Sunil Shetye.
* Fix several memory leaks and bugs in the SMTP/LMTP retry logic where
  fetchmail confused UNIX and Internet domain sockets. Sunil Shetye.
* Man page (BUGS): document that passwords are length limited. Matthias Andree
* Man page: Document that quoted strings that run across line boundaries
  contain the control characters (CR or LF). Document explicitly the backslash
  escape sequences and their differences from the escape sequences used in the
  C programming language.  Matthias Andree
* Fix segfault when run control file ends with a backslash inside an
  unterminated quoted string. Matthias Andree.
* In quoted strings, support backslash as last character on a line to join the
  following line to the current. Matthias Andree.
* Parsing untagged IMAP responses is more robust now. Matthias Andree.
* Man page: Remove some procmail praises in --mda documentation, suggest
  maildrop instead, warn of procmail fallthrough behavior. Matthias Andree.
* Man page: Revise AUTHORS and SEE ALSO sections. Matthias Andree.
* Updated translations: Albanian [sq] (Besnik Bleta), Catalan [ca] (Ernest
  Adrogué Calveras), Czech [cs] (Miloslav Trmac), German [de] (MA),
  Spanish (Castilian) [es] (Javier Kohen), French [fr] (MA),
  Polish [pl] (Jakub Bogusz), Russian [ru] (Pavel Maryanov).
* In oversized warning messages, print the account name, too. Fixes Debian
  Bug#213299. Sunil Shetye (MA).
* Fix '!: command not found' in configure script on nonconformant shells
  such as Solaris' /bin/sh.
* The IMAP trail-eating fix in -rc8 was broken and fixed by Sunil
  Shetye.

I seek everyone to test it out, report remaining bugs, update outdated
translations (send your translated .po files to the translation
project's robot, it'll forward your translation to the -devel list) or
send patches for documentation or report inconsistencies (including
formatting!) in the documentation.

The software is available from:
<https://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=8049>
<http://home.pages.de/~mandree/fetchmail/>

Regards,

- -- 
Matthias Andree
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFDfTEivmGDOQUufZURAhvXAKD6MF7T8MhWvpjlJ/11PsRjaVjmRgCgnry2
oGSAFM4uTU3QdG6IZB1FgcA=
=82bb
-----END PGP SIGNATURE-----

[fetchmail-devel] New Albanian PO file for `fetchmail'

[Translation P. R. <tra...@ir...>]

Hello, gentle maintainer. This is a message from the Translation
Project robot.

A revised PO file, for programs using the textual domain `fetchmail',
has been submitted by the team of translators taking care of the
Albanian language.  This particular file, along with all other PO
files pertaining to the same textual domain, is available as:
>    http://www.iro.umontreal.ca/translation/maint/fetchmail/sq.po

The file should soon be made available in mirror sites as:

>    ftp://ftp.unex.es/pub/gnu-i18n/po/maint/fetchmail/sq.po
>    http://translation.sf.net/maint/fetchmail/sq.po
>    ftp://tiger.informatik.hu-berlin.de/pub/po/maint/fetchmail/sq.po

This file has already been sent to you separately on 2005-11-17,
as a MIME invoice unpacking the file `fetchmail-6.2.9-rc8.sq.po'.

The following HTML page should also be updated by tomorrow.

>    http://www.iro.umontreal.ca/translation/HTML/domain-fetchmail.html

Please consider including all PO files, as they stand, in the `po/'
subdirectory of your next release of programs using that textual domain,
whether it is official or pretest.  Whenever you have a distribution ready
which holds a newer PO Template, please send the URL of this distribution
to the address below.  The distribution could be a pretest or a snapshot,
it does not even have to compile.  This is to be used by translators,
when they need to get some translation context from your sources.

Within the Translation Project, each PO Template file should have different
version numbers, but since it is not OK to have two different distributions
using same version numbers, this is not a problem in practice.

Contact me if any question arises.  Thanks for your collaboration,

                                The Translation Project robot, in the
                                name of your translation coordinator.
                                mailto:tra...@ir...

[fetchmail-devel] Yahoo POP downloading problem - (poplib.error_proto: -ERR Error logging in)

[Narendra <nam...@os...>]

Dear fetchmail,
 
I got a problem when i try to download mail from yahoo pop
server(pop.mail.yahoo.com)
 
I'm able to connect to pop server and after that the server is accepting
user name. But when i sumit password it is responding with -ERR command.
 
i'm giving the code here. Could anyone please let me know the problem and
how to solve that.
 
i'm giving my code here in python
 
import poplib
 
M=poplib.POP3('pop.mail.yahoo.com')
 
M.user('deliveraudit')
M.pass_('XXXXXXXX')
 
" poplib.error_proto: -ERR Error logging in. Please visit
http://mail.yahoo.com"
 
This is the error message i'm getting. 
 
Can any one kindly help me. Your help will always be appreciated.
 
Thanks,
Narendra
R@D Dept.
Zustek Corporation

Re: [fetchmail-devel] Re: imap trail broken

[Matthias A. <mat...@gm...>]

Sunil Shetye <sh...@bo...> writes:

> Quoting from Matthias Andree's mail on Mon, Nov 14, 2005 at 11:42:25PM +0100:
>> > Changes in imap_trail() in r4396 are incorrect and can cause segfault.
>> 
>> How can it cause segfault? It may eat too much garbage but I'd really
>> like to see the backtrace to investigate - if a malicious upstream
>> server can also trigger the segfault, we're in trouble.
>
> ...
>
>> > -	    t = buf + strspn(t, " \t");
>                              ^
>
> In the original code, the variable 't' passed to strspn() is
> uninitialized.

Urgh, right, it should have been buf as the first argument to strspn.
And it indeed forgot skipping over the tag.

> Thomas Wolff has already reported a segfault for rc8 in the
> fetchmail-users list. This could be a reason for that. Are you
> releasing rc9 soon?

Yes, really soon.

-- 
Matthias Andree

[fetchmail-devel] Re: imap trail broken

[Sunil S. <sh...@bo...>]

Quoting from Matthias Andree's mail on Mon, Nov 14, 2005 at 11:42:25PM +0100:
> > Changes in imap_trail() in r4396 are incorrect and can cause segfault.
> 
> How can it cause segfault? It may eat too much garbage but I'd really
> like to see the backtrace to investigate - if a malicious upstream
> server can also trigger the segfault, we're in trouble.

...

> > -	    t = buf + strspn(t, " \t");
                             ^

In the original code, the variable 't' passed to strspn() is
uninitialized.

Thomas Wolff has already reported a segfault for rc8 in the
fetchmail-users list. This could be a reason for that. Are you
releasing rc9 soon?

-- 
Sunil Shetye.

[fetchmail-devel] New Polish PO file for `fetchmail'

[Translation P. R. <tra...@ir...>]

Hello, gentle maintainer. This is a message from the Translation
Project robot.

A revised PO file, for programs using the textual domain `fetchmail',
has been submitted by the team of translators taking care of the
Polish language.  This particular file, along with all other PO files
pertaining to the same textual domain, is available as:
>    http://www.iro.umontreal.ca/translation/maint/fetchmail/pl.po

The file should soon be made available in mirror sites as:

>    ftp://ftp.unex.es/pub/gnu-i18n/po/maint/fetchmail/pl.po
>    http://translation.sf.net/maint/fetchmail/pl.po
>    ftp://tiger.informatik.hu-berlin.de/pub/po/maint/fetchmail/pl.po

This file has already been sent to you separately on 2005-11-16,
as a MIME invoice unpacking the file `fetchmail-6.2.9-rc8.pl.po'.

The following HTML page should also be updated by tomorrow.

>    http://www.iro.umontreal.ca/translation/HTML/domain-fetchmail.html

Please consider including all PO files, as they stand, in the `po/'
subdirectory of your next release of programs using that textual domain,
whether it is official or pretest.  Whenever you have a distribution ready
which holds a newer PO Template, please send the URL of this distribution
to the address below.  The distribution could be a pretest or a snapshot,
it does not even have to compile.  This is to be used by translators,
when they need to get some translation context from your sources.

Within the Translation Project, each PO Template file should have different
version numbers, but since it is not OK to have two different distributions
using same version numbers, this is not a problem in practice.

Contact me if any question arises.  Thanks for your collaboration,

                                The Translation Project robot, in the
                                name of your translation coordinator.
                                mailto:tra...@ir...

[fetchmail-devel] New Russian PO file for `fetchmail'

[Translation P. R. <tra...@ir...>]

Hello, gentle maintainer. This is a message from the Translation
Project robot.

A revised PO file, for programs using the textual domain `fetchmail',
has been submitted by the team of translators taking care of the
Russian language.  This particular file, along with all other PO files
pertaining to the same textual domain, is available as:
>    http://www.iro.umontreal.ca/translation/maint/fetchmail/ru.po

The file should soon be made available in mirror sites as:

>    ftp://ftp.unex.es/pub/gnu-i18n/po/maint/fetchmail/ru.po
>    http://translation.sf.net/maint/fetchmail/ru.po
>    ftp://tiger.informatik.hu-berlin.de/pub/po/maint/fetchmail/ru.po

This file has already been sent to you separately on 2005-11-16,
as a MIME invoice unpacking the file `fetchmail-6.2.9-rc8.ru.po'.

The following HTML page should also be updated by tomorrow.

>    http://www.iro.umontreal.ca/translation/HTML/domain-fetchmail.html

Please consider including all PO files, as they stand, in the `po/'
subdirectory of your next release of programs using that textual domain,
whether it is official or pretest.  Whenever you have a distribution ready
which holds a newer PO Template, please send the URL of this distribution
to the address below.  The distribution could be a pretest or a snapshot,
it does not even have to compile.  This is to be used by translators,
when they need to get some translation context from your sources.

Within the Translation Project, each PO Template file should have different
version numbers, but since it is not OK to have two different distributions
using same version numbers, this is not a problem in practice.

Contact me if any question arises.  Thanks for your collaboration,

                                The Translation Project robot, in the
                                name of your translation coordinator.
                                mailto:tra...@ir...

[fetchmail-devel] New PO Template file for `fetchmail'

[Translation P. R. <tra...@ir...>]

Hello, gentle maintainer. This is a message from the Translation
Project robot.

A new PO Template file, for programs using the textual domain
`fetchmail', has just been made available to language teams for
translation, and a copy is available as:
>    http://www.iro.umontreal.ca/translation/domains/POT/fetchmail-6.2.9-rc8.pot

The file should soon be made available in mirror sites as:

>    ftp://ftp.unex.es/pub/gnu-i18n/po/domains/POT/fetchmail-6.2.9-rc8.pot
>    http://translation.sf.net/domains/POT/fetchmail-6.2.9-rc8.pot
>    ftp://tiger.informatik.hu-berlin.de/pub/po/domains/POT/fetchmail-6.2.9-rc8.pot


In your releases, this file is usually found as `po/fetchmail.pot'.
It is created or updated automatically at `make dist' time, or
whenever you run `make update-po' in the `po/' subdirectory.  Whenever
you have a distribution ready which holds a newer PO Template, please
send the URL of this distribution to the address below.  The
distribution could be a pretest or a snapshot, it does not even have
to compile.  This is to be used by translators, when they need to get
some translation context from your sources.

Within the Translation Project, each PO Template file should have
different version numbers, but since it is not OK to have two
different distributions having same version numbers, this is not a
problem in practice.
Here is the URL information which has just been provided to translators for
your package.  Please inform the translation coordinator, at the address
given below, if the information does not appear to be adequate or current:

>    http://download.berlios.de/fetchmail/fetchmail-6.2.9-rc8.tar.bz2

Translated PO files will later be automatically e-mailed to you.

Thanks for your collaboration,

                                The Translation Project robot, in the
                                name of your translation coordinator.
                                mailto:tra...@ir...

[fetchmail-devel] Re: [fetchmail]multi-hop ssh

[Matthias A. <mat...@gm...>]

Derek Broughton <au...@po...> writes:

> Due to "issues" with the $%^*!@#  firewall at my client's site, I can't get
> out to my mailbox, directly.  So, I'm trying to use fetchmail via ssh in
> two hops. This works from home:
>   poll pointerstop.ca with proto imap 
>     plugin "ssh pointers@%h /usr/sbin/imapd" auth ssh
>     user "pointers" 
>
> and this works (as user fetchmail)  from the client's site:
>   ssh  de...@io... \
>     'ssh poi...@po... /usr/sbin/imapd'
> and seems to meet the criteria for a plugin: I can give it imap commands on
> stdin and get results on stdout.  The ssh keys are configured correctly so
> that no passwords are requested.
>
> But this  doesn't:
>   poll pointerstop.ca with proto imap 
>     plugin "ssh de...@io... \
>       'ssh  poi...@po... /usr/sbin/imapd'"
>       auth ssh
>     user "pointers" 
>
> Syslog shows:
>   socket error while fetching from pointerstop.ca
>
> What am I doing wrong?  Is there some really good reason why I can't
> do it?

Yes. Line breaks within strings are evil, regardless of the backslash.
I'd say you have hit a bug in fetchmail's configuration file parser.

You can see this when running "fetchmail --configdump | grep -w plugin"
and I bet io.acad... doesn't like \n for a command.

For the nonce, write the plugin command on a single line and it should
work (I hope your mailer doesn't wrap this..., it's one line for poll,
one for plugin, one for auth, one for user, totalling four (4)).

  poll pointerstop.ca with proto imap 
    plugin "ssh de...@io... 'ssh poi...@po... /usr/sbin/imapd'"
    auth ssh
    user "pointers" 

And this is the --configdump excerpt as shown above:

Original (the version you posted):
            "plugin":"ssh de...@io... \n      'ssh  poi...@po... /usr/sbin/imapd'",
                                                     ====

Revised (my version):
            "plugin":"ssh de...@io... 'ssh  poi...@po... /usr/sbin/imapd'",

This may come as a surprise, and is inconsistent with parsing outside
strings where the backslash at the very end of a line will be silently
ignored, and line feeds can be embedded with \n anyhow, so I'll change
this for fetchmail 6.3.0.

(Cc:ing fetchmail-devel so that Sunil can comment :-)

-- 
Matthias Andree

Re: [fetchmail-devel] [PATCH] display of max pwd len

[Matthias A. <mat...@gm...>]

Nico Golde <ni...@ng...> writes:

> Hi,
> * Matthias Andree <mat...@gm...> [2005-11-10 11:58]:
>> Nico Golde <ni...@gm...> writes:
>> > Hallo Miloslav,
>> >
>> > * Miloslav Trmac <mi...@re...> [2005-07-07 15:15]:
>> >> Hello,
>> >> On Thu, Jul 07, 2005 at 11:47:18AM +0200, Nico Golde wrote:
>> >> > +    printf("Maximum password length is: %d\n", PASSWORDLEN);
>> >> GT_("..."), please.
>> >
>> > oh thanks! attached.
>> 
>> Hmmm... is this still needed? I think I can drop this as it's only
>> relevant for online passwords but the majority of configurations will
>> have passwords stored in .fetchmailrc or .netrc, right?
>
> Feel free to do it.

I've added a note to the BUGS section of the manual page that tells the
user that interactively entered passwords will be truncated.

-- 
Matthias Andree

Re: [fetchmail-devel] [PATCH 2] Re: mail delivery via smtp broken

[Matthias A. <mat...@gm...>]

On Fri, 11 Nov 2005, Sunil Shetye wrote:

> > Find below the patch I have just committed to SVN.
> > It is against 6.2.9-rc8.
> 
> The man page documentation part is inconsistent. While fixing it, I
> had a look at the smtpaddress code and found potential memory leaks
> and bugs in sink.c.

Excellent that someone tries to fix these. I had a look at these bugs
(i. e. I knew they were there) but chose not to fix them for 6.3.0 as
the allocation was, as you call it, convoluted. Thanks a lot for
cleaning this up.

I have merged your patch in two commits (one for code, one for docs).

-- 
Matthias Andree

Re: [fetchmail-devel] Re: [fetchmail-announce] fetchmail 6.2.9-rc8 available (regression fixes)

[Matthias A. <mat...@gm...>]

Simon Barner schrieb am 2005-11-10:

> The bug in -rc7 that I reported to you in a private mail seems to be
> fixed: Fetchmail now delivers mail via an smtp server on localhost
> without an explicit "--smtphost localhost" again.

Thanks for following up on this.

-- 
Matthias Andree

Re: [fetchmail-devel] [PATCH] imap trail broken

[Matthias A. <mat...@gm...>]

Sunil Shetye schrieb am 2005-11-11:

> Changes in imap_trail() in r4396 are incorrect and can cause segfault.

How can it cause segfault? It may eat too much garbage but I'd really
like to see the backtrace to investigate - if a malicious upstream
server can also trigger the segfault, we're in trouble.

> This patch should fix this.

Applied, thank you.

> 
> ===============================================================================
> Index: fetchmail/imap.c
> ===================================================================
> --- fetchmail/imap.c	(revision 4410)
> +++ fetchmail/imap.c	(working copy)
> @@ -1055,8 +1055,9 @@
>  
>  	/* UW IMAP returns "OK FETCH", Cyrus returns "OK Completed" */
>  	if (strncmp(buf, tag, strlen(tag)) == 0) {
> -	    t = buf + strspn(t, " \t");
> -	    if (strncmp(t, "OK", 2))
> +	    t = buf + strlen(tag);
> +	    t += strspn(t, " \t");
> +	    if (strncmp(t, "OK", 2) == 0)
>  		break;
>  	}
>      }
> ===============================================================================
> 

-- 
Matthias Andree

Re: [fetchmail-devel] [PATCH] display of max pwd len

[Nico G. <ni...@ng...>]

Hi,
* Matthias Andree <mat...@gm...> [2005-11-10 11:58]:
> Nico Golde <ni...@gm...> writes:
> > Hallo Miloslav,
> >
> > * Miloslav Trmac <mi...@re...> [2005-07-07 15:15]:
> >> Hello,
> >> On Thu, Jul 07, 2005 at 11:47:18AM +0200, Nico Golde wrote:
> >> > +    printf("Maximum password length is: %d\n", PASSWORDLEN);
> >> GT_("..."), please.
> >
> > oh thanks! attached.
> 
> Hmmm... is this still needed? I think I can drop this as it's only
> relevant for online passwords but the majority of configurations will
> have passwords stored in .fetchmailrc or .netrc, right?

Feel free to do it.
Regards Nico
-- 
Nico Golde - JAB: ni...@ja... | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!

[fetchmail-devel] [PATCH] imap trail broken

[Sunil S. <sh...@bo...>]

Hi,

Changes in imap_trail() in r4396 are incorrect and can cause segfault.
This patch should fix this.

===============================================================================
Index: fetchmail/imap.c
===================================================================
--- fetchmail/imap.c	(revision 4410)
+++ fetchmail/imap.c	(working copy)
@@ -1055,8 +1055,9 @@
 
 	/* UW IMAP returns "OK FETCH", Cyrus returns "OK Completed" */
 	if (strncmp(buf, tag, strlen(tag)) == 0) {
-	    t = buf + strspn(t, " \t");
-	    if (strncmp(t, "OK", 2))
+	    t = buf + strlen(tag);
+	    t += strspn(t, " \t");
+	    if (strncmp(t, "OK", 2) == 0)
 		break;
 	}
     }
===============================================================================

-- 
Sunil Shetye.

[fetchmail-devel] [PATCH 2] Re: mail delivery via smtp broken

[Sunil S. <sh...@bo...>]

Quoting from Matthias Andree's mail on Thu, Nov 10, 2005 at 11:28:28AM +0100:
> Matthias Andree <mat...@gm...> writes:
> 
> > Right. So we'll have -rc9 without this "fetchmailhost for smtphost"
> > behavior and another documentation update.
> 
> Find below the patch I have just committed to SVN.
> It is against 6.2.9-rc8.

The man page documentation part is inconsistent. While fixing it, I
had a look at the smtpaddress code and found potential memory leaks
and bugs in sink.c.

1. parsed_host is not freed in some cases. This happens when the first
smtp server is down in this setup:

poll mailserver
    ...
    smtphost "smtpserver1" "smtpserver2"
    ...

2. parsed_host is being initialized for UNIX socket also. For UNIX
socket, parsed_host should be NULL.

3. If EHLO fails on a UNIX socket, it tries HELO on a network socket!

4. ctl->destaddr is allocated memory in two cases. This memory is
never freed.

5. ctl->destaddr was being assigned in a very convoluted manner.
Since, parsed_host is already set correctly now, it can be used
directly.

Please find a patch attached to fix the documentation and the above
issues.

-- 
Sunil Shetye.

[fetchmail-devel] Re: [fetchmail-announce] fetchmail 6.2.9-rc8 available (regression fixes)

[Simon B. <ba...@gm...>]

Matthias Andree wrote:
> Greetings,
> 
> I have just released fetchmail 6.2.9-rc8, the hopefully last release
> candidate before 6.3.0. It fixes two regressions introduced into -rc7
> and fixes another minor bug. Some polish was added to manual page and
> error messages.

The bug in -rc7 that I reported to you in a private mail seems to be
fixed: Fetchmail now delivers mail via an smtp server on localhost
without an explicit "--smtphost localhost" again.

-- 
Best regards / Viele Grüße,                             ba...@Fr...
 Simon Barner                                                ba...@gm...

Re: [fetchmail-devel] Re: mail delivery via smtp broken

[Matthias A. <mat...@gm...>]

Matthias Andree <mat...@gm...> writes:

> Right. So we'll have -rc9 without this "fetchmailhost for smtphost"
> behavior and another documentation update.

Find below the patch I have just committed to SVN.
It is against 6.2.9-rc8.

-- 
Matthias Andree

Re: [fetchmail-devel] Re: mail delivery via smtp broken

[Matthias A. <mat...@gm...>]

Sunil Shetye <sh...@bo...> writes:

> Quoting from Matthias Andree's mail on Thu, Nov 10, 2005 at 02:31:57AM +0100:
>> >> This patch should fix this broken behaviour.
>> >
>> > Thanks, applied for upcoming -rc8.
>> 
>> Actually we need to set fetchmailhost when Kerberos is used, to match
>> documentation somewhat, so I'll use this:
>
> The setting of fetchmailhost is correct.
>
>> +		save_str(&ctl->smtphunt, use_kerberos ? fetchmailhost : "localhost", FALSE);
>
> I believe this is still incorrect. Your patch would imply that if
> using Kerberos authentication, the local SMTP server should listen on
> the external interface, exposing the system to SMTP attacks. A secure
> desktop machine will have the local SMTP server listening on the
> loopback interface (i.e. on localhost) only.

> ODMR / ETRN / Kerberos authentication are all mailserver side options.
> They do not imply that the local SMTP server should listen on the
> desktop machine's external interface.

Right. So we'll have -rc9 without this "fetchmailhost for smtphost"
behavior and another documentation update.

-- 
Matthias Andree

[fetchmail-devel] Re: mail delivery via smtp broken

[Sunil S. <sh...@bo...>]

Quoting from Matthias Andree's mail on Thu, Nov 10, 2005 at 02:31:57AM +0100:
> >> This patch should fix this broken behaviour.
> >
> > Thanks, applied for upcoming -rc8.
> 
> Actually we need to set fetchmailhost when Kerberos is used, to match
> documentation somewhat, so I'll use this:

The setting of fetchmailhost is correct.

> +		save_str(&ctl->smtphunt, use_kerberos ? fetchmailhost : "localhost", FALSE);

I believe this is still incorrect. Your patch would imply that if
using Kerberos authentication, the local SMTP server should listen on
the external interface, exposing the system to SMTP attacks. A secure
desktop machine will have the local SMTP server listening on the
loopback interface (i.e. on localhost) only.

ODMR / ETRN / Kerberos authentication are all mailserver side options.
They do not imply that the local SMTP server should listen on the
desktop machine's external interface.

-- 
Sunil Shetye.

[fetchmail-devel] fetchmail 6.2.9-rc8 available (regression fixes)

[Matthias A. <mat...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I have just released fetchmail 6.2.9-rc8, the hopefully last release
candidate before 6.3.0. It fixes two regressions introduced into -rc7
and fixes another minor bug. Some polish was added to manual page and
error messages.

- -----------------------------------------------------------------------
Support call - fetchmail needs funding:
<https://developer.berlios.de/developer/make_donation.php?user_id=2007>
- -----------------------------------------------------------------------

For distributors, please upload this to every unstable/testing/current
distribution that you have (do not upload to "stable", it changes
behavior in a few places) to expose this to wider testing.

Changes since -rc7 are:
* POP2 is obsolete. Support for POP2 may be removed from a future fetchmail
  version without further notice. (MA)
* When eating IMAP message trailer, don't see any line containing "OK" as the
  end of the trailer, but wait for the proper tagged OK line. To work around
  the qmail + Courier-IMAP problem in Debian Bug#338007. Matthias Andree
* Fix Debian Bug#317761: when trying to send a bounce message, don't bail out
  if we cannot qualify our own hostname, so we aren't losing the bounce.
  Instead, pass the buck on to the SMTP server and use our own unqualified
  hostname. Matthias Andree
* Revise some error messages so they are less confusing. Sunil Shetye.
* Man page: update --smtphost documentation. Matthias Andree
* Man page: clarify --loghost works only while detached. Matthias Andree
(not in the NEWS file:)
* Fix -rc7 crash when our own hostname cannot be qualified when we are
  to send a bounce. Matthias Andree

I seek everyone to test it out, report remaining bugs, update outdated
translations (send your translated .po files to the translation
project's robot, it'll forward your translation to the -devel list) or
send patches for documentation or report inconsistencies (including
formatting!) in the documentation.

The software is available from:
<https://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=7951>
<http://home.pages.de/~mandree/fetchmail/>

Regards,

- -- 
Matthias Andree
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFDcrcyvmGDOQUufZURAhNEAKDViQK2aqSjUQ4QzRd1SgwXqol10QCfQ0i1
pS2MOIobL/KsbIULa8bWdws=
=CpXr
-----END PGP SIGNATURE-----

Re: [fetchmail-devel] [PATCH] display of max pwd len

[Matthias A. <mat...@gm...>]

Nico Golde <ni...@gm...> writes:

> Hallo Miloslav,
>
> * Miloslav Trmac <mi...@re...> [2005-07-07 15:15]:
>> Hello,
>> On Thu, Jul 07, 2005 at 11:47:18AM +0200, Nico Golde wrote:
>> > +    printf("Maximum password length is: %d\n", PASSWORDLEN);
>> GT_("..."), please.
>
> oh thanks! attached.

Hmmm... is this still needed? I think I can drop this as it's only
relevant for online passwords but the majority of configurations will
have passwords stored in .fetchmailrc or .netrc, right?

-- 
Matthias Andree

Re: [fetchmail-devel] --logfile option not supported

[Matthias A. <mat...@gm...>]

Nico Golde <ni...@ng...> writes:

> fetchmail -h displays the --logfile argument.
> I had a look at the source code and this option isn't
> supported. It is listed in options.c but has no function.

logfile is supported only for daemon mode and unless "nodetach" is used.
This is documented in the --logfile section which I'll reword so it's
easier to grasp, and I'll add another note to the 'Miscellaneous Run
Control Options' section. The changes are going into 6.2.9-rc8.

Thank you.

-- 
Matthias Andree

Re: [fetchmail-devel] [PATCH] mail delivery via smtp broken

[Matthias A. <mat...@gm...>]

Matthias Andree <mat...@gm...> writes:

> Sunil Shetye <sh...@bo...> writes:
>
>> smtp servers (on all non-server machines) listen on the loopback
>> interface (i.e. 127.0.0.1) only. However, fetchmail release 6.2.9-rc7,
>> by default, attempts to connect to the IP address obtained from
>> gethostname(), which typically points to the external interface. Thus,
>> fetchmail is no longer able to deliver mails by default!
>>
>> The problem is that fetchmailhost is overloaded to contain the
>> domainname to be used for HELO/EHLO and for rcpt address and also to
>> contain the default SMTP host. Previously, it was localhost, but
>> after changes in r4382, it became the actual hostname. For smtp
>> servers listening on localhost only, mail delivery consequently fails.
>>
>> This patch should fix this broken behaviour.
>
> Thanks, applied for upcoming -rc8.

Actually we need to set fetchmailhost when Kerberos is used, to match
documentation somewhat, so I'll use this:

Index: fetchmail.c
===================================================================
--- fetchmail.c	(Revision 4390)
+++ fetchmail.c	(Arbeitskopie)
@@ -922,7 +922,7 @@
  *         - false if servers found on the command line */
 static int load_params(int argc, char **argv, int optind)
 {
-    int	implicitmode, st;
+    int	implicitmode, st, use_kerberos;
     struct passwd *pw;
     struct query def_opts, *ctl;
     struct stat rcstat;
@@ -1070,18 +1070,20 @@
      * If we're using Kerberos for authentication, we need 
      * the FQDN in order to generate capability keys.
      */
+    use_kerberos = 0;
+    /* use_kerberos is saved until later to properly set the invisible
+     * --smtphost (aka. smtphunt) default */
     for (ctl = querylist; ctl; ctl = ctl->next)
 	if (ctl->active && 
 		(ctl->server.protocol==P_ETRN || ctl->server.protocol==P_ODMR
 		 || ctl->server.authenticate == A_KERBEROS_V4
 		 || ctl->server.authenticate == A_KERBEROS_V5))
 	{
-	    fetchmailhost = host_fqdn(1);
+	    use_kerberos = 1;
 	    break;
 	}
 
-    if (!ctl) /* list exhausted */
-	fetchmailhost = host_fqdn(0);
+    fetchmailhost = host_fqdn(use_kerberos);
 
     /* this code enables flags to be turned off */
 #define DEFAULT(flag, dflt)	if (flag == FLAG_TRUE)\
@@ -1156,7 +1158,7 @@
 	     * Make sure we have a nonempty host list to forward to.
 	     */
 	    if (!ctl->smtphunt)
-		save_str(&ctl->smtphunt, fetchmailhost, FALSE);
+		save_str(&ctl->smtphunt, use_kerberos ? fetchmailhost : "localhost", FALSE);
 
 	    /*
 	     * Make sure we have a nonempty list of domains to fetch from.


The manual page is outdated, it maunders something about invisible
defaults, but I haven't seen those in the code, it's a regular
default. And it does not only apply to Kerberos auth but also to
ODMR/ETRN polls... so I'll revise the manual page to match this
ODMR/ETRN code.

-- 
Matthias Andree