From: Matthias A. <mat...@gm...> - 2013-04-25 09:16:12
On 24.04.2013 10:37, grarpamp wrote:
> Noted some things
>
> - blacklist DigiNotar/Comodo/Türktrust hacks/certs, possibly
> with Chrome's serial# list?
>
> I would not hardcode this but instead place fingerprints in multiple
> global/per_host 'fpdeny' config options. In part because testing
> infrastructure with these certs is valuable. And at least that way,
> even if they're lazy and only use sslcertck, if some emergency
> arises they can add a negative print there affecting global/per_host.
> Additionally, point the user to where they can find and then build
> their own updated cert store free from all such junk. As well as
> point them to some doc about the importance of fingerprint checking.

Up front, thanks a bunch for the feedback. We should move to
fetchmail-devel though...

I am wondering - especially about switching SSL library, too, because
OpenSSL requires you to jump through quite a few hoops for even standard
stuff, like CRLs and OCSP.

> https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
> ftp://ftp.mozilla.org/pub/security/nss/releases/
> https://github.com/agl/extract-nss-root-certs.git
> I'll try to remember to add this to the 'cert' ticket when I find
> it again.

<http://svnweb.freebsd.org/ports/head/security/ca_root_nss/files/MAca-bundle.pl.in?revision=312617&view=markup>

> - CRYPTO: remove sslfingerprint? too easily abused (see NEWS)
>
> I trust this is by now just an old entry. If not, please don't :)

This line is to be dropped from TODO.txt -- I've seen too many
certification "authorities" that did not deserve this name, and I seem
to have someone willing to tell users in the fetchmail lobby how to make
_good_ use of this feature. The missing link is that you hardly ever get
the certificate fingerprints on the "how to configure Outlook, blahmail,
whatever for fetching mail from us" on the ISP help pages, or even
better, by snail mail when they send you account data.
> #### config flexibility
> Consider making 'poll [thing]'s thing just a label string. And
> breaking apart the config into types: 'polls' with 'poll [label]',
> 'hosts' with 'host [label]', and 'accounts' with 'account [label]'.
> Put whatever you want in a label ... 'blah' 'jo...@sc...',
> 'foo.com', '1.2.3.4' ... but treat it as a label.

Basically we're already quite close, we'd only have to make sure that
adding a poll argument on the command line permits specifying an
account. See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705291>,
for instance.

Your notion of "poll thing host foo.example.org account blah" is spelt
"poll thing via foo.example.org user blah" today :-)

We lack group selection capability, though, as detailed in the Debian
BTS report linked above.

> Collect all poll types
> into a set for daemon or oneshot runs. Account types are
> always singly available for commandline oneshot's. 'netaddr'
> may be fqdn, or ip (dns down/insecure scenario). Error out
> if a label dependency does not exist. Order of types in file
> does not matter, indented bits are type content. Includes
> work.

That would be missing.

>
> ./fetch -p # polls
> ./fetch -a play2
> ./fetch -a mywork -h work1_pop # temporary swap :)
> ./fetch -a play1 # bombs on foo1
>
> It's really really hard to get fetchmail to do anything like this
> today. Unless you forget it and frontend it with your own config
> and call engine.

These sorts of configs are powerful. And require particular attention in
tracing output (and possibly imply "verbose" mode) so that we can give
users a hint what they are doing and what fetchmail is making of it, so
that we can later properly dissect bug reports.

Well, the other frequently asked feature is "poll multiple hosts at the
same time" (especially on high-speed-but-high-latency links, such as
DSL, satellite), which needs to go hand in hand here.
The actual multithreading-the-input is not too hard to come by; the
question is how to limit the output side, and to assess if that is
necessary. If you think ISP-grade "POP collector option" (disregarding
that it violates most sites' security policy to share credentials with
another entity), you may want to configure "poll 50 accounts at the same
time but only use 20 outbound SMTP threads". This requires caching mail,
either in RAM, or on disk.

I have updated the master's TODO.txt a tiny bit (near the end).
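As an added illustration of the global/per-host 'fpdeny' negative-print idea quoted above (example code written for this page, not fetchmail's own; the fpdeny/fpallow syntax, the host names and the certificate bytes are constructed assumptions, and a real deployment would feed it the DER bytes of the server certificate):

```python
import hashlib

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of DER certificate bytes (the
    format fetchmail's sslfingerprint uses, with MD5; fpdeny here uses SHA-256)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_policy(text: str) -> dict:
    """Parse the hypothetical syntax:  fpdeny <FP>  (global negative print),
    host <name> fpdeny <FP>,  host <name> fpallow <FP>  (per-host pin)."""
    policy = {"deny": set(), "hosts": {}}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()      # '#' starts a comment
        if not words:
            continue
        if words[0] == "fpdeny" and len(words) == 2:
            policy["deny"].add(words[1].upper())
        elif words[0] == "host" and len(words) == 4 and words[2] in ("fpdeny", "fpallow"):
            entry = policy["hosts"].setdefault(words[1], {"deny": set(), "allow": set()})
            entry["allow" if words[2] == "fpallow" else "deny"].add(words[3].upper())
        else:
            raise ValueError(f"unparseable policy line: {raw!r}")
    return policy

def decide(policy: dict, host: str, fp: str, sslcertck_ok: bool) -> str:
    """Return 'deny', 'allow' (matched a per-host pin) or 'chain' (no pin for
    this host, so the CA chain check decides). Negative prints win over
    everything, so an emergency fpdeny also covers hosts that only use sslcertck."""
    fp = fp.upper()
    per_host = policy["hosts"].get(host, {"deny": set(), "allow": set()})
    if fp in policy["deny"] or fp in per_host["deny"]:
        return "deny"
    if per_host["allow"]:                          # pinned host: only the pin counts
        return "allow" if fp in per_host["allow"] else "deny"
    return "chain" if sslcertck_ok else "deny"

# Constructed stand-ins for DER bytes (not real certificates).
ROGUE_DER = b"constructed: cert issued by a compromised CA"
PINNED_DER = b"constructed: the ISP's real POP3 server cert"

SAMPLE_POLICY = f"""\
fpdeny {fingerprint(ROGUE_DER)}                         # global emergency entry
host pop.example.org fpallow {fingerprint(PINNED_DER)}  # pin from the ISP's help page
"""

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(decide(policy, "pop.example.org", fingerprint(PINNED_DER), True))  # allow
    print(decide(policy, "imap.example.org", fingerprint(ROGUE_DER), True))  # deny
```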