[fetchmail-devel] fetchmail 6.3.20-pre1 release candidate should fix STARTTLS hangs

[Matthias A. <mat...@gm...>]

Greetings,

Sunil has worked on handling large IMAP mailboxes.
I have been working on the STARTTLS hang problem reported by Thomas
Jarosch, which should be fixed now, along with assorted minor
protocol nits that were picked.  I am not sure if I want/need a CVE for
a denial of service that is OS dependent.  Opinions solicited.

Please test fetchmail 6.3.20-pre1 on your operating system.
To do that, please:

1. download and unpack the fetchmail tarball (URLs below)
2. cd to to the unpacked directory
3. ./configure and install as usual
4. run fetchmail with these additional options:
   --auth any -vvvd0 --nodetach --nosyslog
5. report success or failure to the list or me personally.

PLEASE HELP: If you can offer access to test servers that I can send a
short test mail to and then log into to retrieve that test message -
particularly Exchange 2007 or Exchange 2010 is desired, but others
besides Cyrus IMAP and Dovecot are also welcome - please let me know.

PLEASE HELP: fetchmail needs translators for the program strings. Some
languages (such as those shown below) are in quite good shape, but
others are lacking a bit.  Translation information can be found at
<http://translationproject.org/domain/fetchmail.html>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DOWNLOAD this beta software from:
<http://home.pages.de/~mandree/fetchmail/>

The repository can be browsed at and cloned from:
<http://gitorious.org/fetchmail/fetchmail> - the branch is "legacy_63".

Git (the software used to keep the fetchmail source code version
controlled) information is at: <http://git-scm.com/>

CHANGES since the previous formal release of fetchmail listed below.
Unless otherwise noted, the changes were made by Matthias Andree:

# SECURITY FIXES
* Fetchmail's socket timeout handling was incomplete.  Network outages in the
  wrong phase of a communication, combined with unlucky operating systems and
  their defaults, could cause fetchmail to hang for extended amounts of time.
  Freezes for beyond a week were reported by Thomas Jarosch. Fetchmail sets
  UNIX- and Internet-domain socket send and receive timeouts now.
  This fixes a hang during STARTTLS negotiation reported by Thomas Jarosch.

# CHANGES
* fetchmail now always uses its own MD5 implementation.  The library and header
  variants are too diverse, and we've been bitten before -- and configure
  complains noisily on Cyrus-SASL's RFC1321 md5.h.
* fetchmail now supports an environment variable to suppress marking deleted
  messages as seen at the same time, FETCHMAIL_IMAP_DELETED_REMAINS_UNSEEN.
  See the manual page for details. Requested by Jonathan Buschmann.
* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
  there is no portable way to configure actual timeouts for this mode, and some
  systems only support a system-wide timeout setting.

# BUG FIXES
* Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
* Do not search for UNSEEN messages in ranges. Usually, there are very few new
  messages and most of the range searches result in nothing. Instead, split the
  long response to make the IMAP driver think that there are multiple lines of
  response. (Sunil Shetye)
* Do not print "skipping message" for old messages even in verbose mode. If
  there are too many old messages, the logs just get filled without any real
  activity. (Sunil Shetye) (suggested by Yunfan Jiang)

# TRANSLATION UPDATES
  [de]    German (Matthias Andree)
  [ja]    Japanese (Takeshi Hamasaki)

-- 
Matthias Andree