[fetchmail-devel] fetchmail 7.0.0-alpha5 alpha preview release - SSL cipher setting/info

[Matthias A. <mat...@gm...>]

Greetings,

in an effort to get sufficient testing, I have released the next alpha
version of fetchmail 7.0.0. This merges post-6.3.23 changes in, and
should have all relevant fixes from releases up to, and including, 6.3.26.

The notable changes beyond that are

1. cleanup and change of SSL options to make them easier to understand,
and separate concerns (the protocol no longer overloads the connection
mode), and enable sslcertck by default (this should all be in the manual
page already, if bits are missing, let me know)

2. the addition of an option to print the SSL cipher in verbose mode,
and the ability to specify the offered ciphers through the environment
variable FETCHMAIL_SSL_CIPHERS. This is only documented here and in the
NEWS file for now.  There are several SSL/TLS code cleanups I need to
make before adding this feature formally, and on a per-server basis.

   Example:

   env FETCHMAIL_SSL_CIPHERS='ECDH:DH:!MEDIUM:!LOW:!EXP' fetchmail -vv

Note that fetchmail continues to be very chatty in debug mode (with two
-v options, or a -vv option), and note that some popular services
(Microsoft's and O2, for one) fail to set up a connection with the
setting above, whilst some others (notably, Google, Yahoo!,
Domainfactory) are happy with DH.


I am soliciting feedback on the new SSL option design and use, and yes I
know that certificate pinning, multiple certificate fingerprint, SHA1
certificate fingerprint checking are still pending.


The alpha version is available for download from these sites:
<http://home.pages.de/~mandree/fetchmail/>
<https://sourceforge.net/projects/fetchmail/files/branch_7-alpha/>

It is not available for download from BerliOS, its file release system
is too cumbersome to use for non-formal previews.

The fetchmail sources are also available via Git.

The corresponding git tag is SNAPSHOT_7-0-0-alpha5, the branch is
"sslrevolution1". The repository browsers (these show the clone URLs):
<http://gitorious.org/fetchmail>
<http://git.berlios.de/cgi-bin/cgit.cgi/fetchmail/>
<http://git.berlios.de/cgi-bin/gitweb.cgi?p=fetchmail;a=summary>

Please send feedback to fet...@li....

Happy fetches!
Matthias

--------------------------------------------------------------------------------
> # INCOMPATIBLE CHANGES
> * The SSL/TLS options were massively changed and disentangled, to be clearer.
> * --sslcertck is now the default, to aggressively request and validate X.509
>   (SSL/TLS) certificates from the servers.
>   Note: Several distributions offer ca-roots or ca-root-certificates
>   or similarly named packages that contain the CA certificates of major trust
>   agencies such as Verisign, Equifax, Thawte, and Deutsche Telekom. These are
>   convenient to install if you're pulling mail from major freemailer sites.
> * --sslmode starttls=must is now the default as a consequence of the
>   previous sslcertck default.
>   If you need an unencrypted connection, use --sslmode none.
> * See the REMOVED FEATURES section below for further incompatibilities.
> 
> # MAJOR CHANGES
> * The UIDL handler code is now much faster, especially noticable with lots of
>   mail kept on a POP3 server. Where the 6.3.X code was of O(n^2) complexity,
>   we're down to O(n log n).
>   Contributed by Rainer Weikusat, MAD Partners Ltd./MSS GmbH.
> * The POP3 code now always uses UIDL, except if "fetchall" is in effect.
>   Fixes BerliOS Bug #16172. Fixes Debian Bug#345788.
> * Fetchmail now enables SSL support by default. If this is undesired,
>   ./configure --without-ssl should help.
> * The OpenSSL code now excludes the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option.
>   This can cause interoperability problems with certain buggy servers, but is
>   required to defang chosen-plaintext attacks against AES.  While probably hard
>   to mount against fetchmail, let's play it safe rather than be sorry later.
> 
> # FEATURES ADDED
> * Fetchmail can now retrieve credentials from PWMD. This needs to be enabled at
>   compile-time and requires run-time configuration. See README.PWMD for details.
>   Contributed by Ben Kibbey, author of libpwmd and pwmd.
> * Fetchmail now supports a retrieve-error command line or rcfile option that
>   takes exactly one argument, abort (default), continue or markseen.  This
>   specifies the policy used by fetchmail to handle messages whose bodies
>   fail to be retrieved due to server errors.  Both the continue and markseen
>   options will skip the message with errors and allow the session to
>   continue so that subsequent messages can be retrieved.  The markseen
>   option will also mark the message with errors as seen.
>   The default policy is to abort the session whenever a server error occurs.
>   Contributed by Craig Brown.
> * Fetchmailconf offers cram-md5 and apop authentication.
> * The SSL/TLS/STARTTLS operation mode is now selected through a new --sslmode
>   option, which cleans up the incomprehensible --ssl and --sslproto mess of
>   fetchmail versions before v7.0.0.
> * The SSL/TLS/STARTTLS protocol version can now be selected through a new
>   --sslprotocolversion switch.
> * The SSL/TLS cipher in used is now reported in verbose mode.
> * Temporary and experimental feature to specify SSL/TLS ciphers. This is done
>   through the global FETCHMAIL_SSL_CIPHERS environment variable, which is set
>   to a string that is understood by OpenSSL's cipher(1) command. In debug mode
>   (-vv), the ordered list of client-side ciphers is printed.
> 
> # REMOVED FEATURES
> * IMAP2 protocol support was removed.
> * POP2 protocol support was removed.
> * RPOP (not actually a protocol, but a variant of POP3) was removed
> * POP3: the uidl option has been removed. It is always on.
> * POP3: LAST is no longer used. It was removed from POP3 in 1994, and it could
>   cause mail loss when the connection was interrupted or if clients besides
>   fetchmail polled the mailbox.
> * Trio was removed, fetchmail expects reasonable stdio.h quality levels.
> * Support for systems that do not conform to C89 and POSIX 2001 was removed,
>   this means that BeOS, EMX, NeXTSTEP quirks are no longer worked around.
> * The MX and host alias DNS lookups that fetchmail performs in multidrop mode
>   have been removed. They were based on the mistaken assumption that the
>   IMAP/POP3 server was also the MX server, which is rarely the case.  They have
>   never supported IPv6 (including IPv6-mapped IPv4) either.
>   Non-DNS based alias keywords such as "aka" remain.
> * Kerberos IV support was removed.
> * fetchmail no longer supports SSL v2. SSLv2 is insecure and had been deprecated
>   15 years ago. fetchmail will actively forbid SSLv2 negotiation by means of
>   SSL_OP_NO_SSLv2.  To fix Debian Bug#622054.
> * The --ssl option is obsolescent and triggers a warning that users should use
>   --sslmode wrapped instead. It is understood as an alias for --sslmode wrapped.
> * The --sslproto option was removed. Two new options were added in its place,
>   --sslmode and --sslprotocolversion.
> * A lot of outdated and/or unsafe-to-use material got dropped from contrib/.
> 
> # REGRESSION FIXES
> * The mimedecode feature now properly detects multipart/mixed-type matches, so
>   that quoted-printable-encoded multipart messages can get decoded.
>   (Regression in 5.0.0 on 1999-03-27, as a side effect of a PGP-mimedecode fix
>   attributed to Henrik Storner.)
> 
> # BUG FIXES
> * The mimedecode feature failed to ship the last line of the body if it was
>   encoded as quoted-printable and had a MIME soft line break in the very last
>   line.  Reported by Lars Hecking in June 2011.
>   Bug introduced on 1998-03-20 when the mimedecode support was added by ESR
>   before release 4.4.1 through code contributed by Henrik Storner.
>   Workaround for older releases: do not use mimedecode feature.
> * Fetchmail now detects singly-quoted % expansions in the mda option and refuses
>   to deliver for safety reasons. Fixes Debian Bug#347909.
> * The Server certificate: message in verbose mode now appears on stdout like the
>   remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807.
> 
> # CHANGES
> * A foreground fetchmail can now accept a few more options while another copy is
>   running in the background.
> * APOP is no longer a protocol, but an authentication method. In order to use
>   it, use protocol POP3 auth APOP, or on the commandline, -p pop3 --auth apop.
>   If no authentication method is specified, APOP is automatically tried if
>   offered by the server before we resort to sending the password as clear text.

--------------------------------------------------------------------------------