Re: [Fetchmail-users] SECURITY ANNOUNCE (INTERIM): fetchmail users should configure --ssl wherever available, and also require at least TLS1.2

[Peter S. <dr...@uc...>]

Dear Matthias,

Fedora 34 just upgraded fetchmail for us.

Now fetchmail --version shows

This is fetchmail release 6.4.20+GSS+RPA+NTLM+SDPS+SSL-SSLv2-SSLv3+NLS+KRB5.
Compiled with SSL library 0x101010bf "OpenSSL 1.1.1k  FIPS 25 Mar 2021"
Run-time uses SSL library 0x101010bf "OpenSSL 1.1.1k  FIPS 25 Mar 2021"
OpenSSL: OPENSSLDIR: "/etc/pki/tls"
Engines: ENGINESDIR: "/usr/lib64/engines-1.1"

Since this upgrade my fetchmail logfile is showing the
"run-together-lines" behavior, lacking the usual newline chars.

This is not a big deal of course, but if there's a way to fix it,
let me know.

It looks as if you're struggling a bit, so I wish you the best of
luck.  I really appreciate your depth of knowledge and years and
years of dealing with this stuff.  fetchmail is so useful.

     -- Peter

=================================================================
On Aug 15, 2021 at  4:40 pm, Matthias Andree <mat...@gm...> wrote:
| Greetings,
| 
| all released fetchmail versions to date (up to and including 6.4.21) 
| were found susceptible to some sorts of attacks against STARTTLS (IMAP) 
| or STLS (POP3), which can lead to a session that remains unencrypted 
| even though --sslproto tls1.2+ or similar configurations require 
| encryption, and worst case exposing the user's login credentials and 
| also e-mail when the configuration tells otherwise.
| 
| The solution in fetchmail code requires thorough reviews and
| changes that will take more time.  Remember that fetchmail is 
| a volunteer spare-time project.
| 
| The details of the implementation and concept flaws shall be disclosed 
| later in the formal fetchmail security announcement 2021-02 (not yet 
| published).
| 
| MITIGATING THE IMPACT: 
| 
| Proper configuration for Implicit TLS can mitigate the impact for many 
| users.  I am already announcing such configuration changes below:
| 
| ------------------------------------------------------------------------
| Everyone whose server supports "Implicit TLS", meaning TLS on 
| a dedicated imaps port (TCP port 993) or pop3s port (TCP port 995), 
| should reconfigure fetchmail to enable this option (ssl or --ssl) 
| permanently.
| This can be achieved in two ways, either of which alone is sufficient:
| 
| - on the command line, add --ssl), which will affect all servers 
|   included in the poll (= all poll statements from the rcfile, or all 
|   servers mentioned on the same command line).
| 
| - in the rcfile, by adding the word "ssl" without quotes after each
|   configuration stanza for a user description.
| 
| After making the change, test your new configuration before enabling 
| unattended operation.
| 
| 
| Future directions: 1. The Internet Engineering Task Force (IETF) has 
| proposed standards that consider both STARTTLS obsolete (RFC-8314) and 
| deprecate TLS 1.1 and earlier (including all SSL versions) (RFC-8997).
| 
| 2. I may make Implicit TLS the default in future fetchmail releases,
| and promise to at least bump the minor version to >= 6.5.0 in that case.
| ------------------------------------------------------------------------
| 
| I will also add an *unrelated* recommendation while we are at it and 
| users are suggested to edit their configurations anyways:
| 
| I suggest that everyone configures fetchmail to negotiate at least TLS 
| v1.2 if supported by the server, or at least TLS v1.2, which can happen 
| on the command line through --sslproto TLS1.2+ or in the rcfile by 
| adding sslproto TLS1.2+ in each stanza after each user statement.
| 
| Where possible, meaning server-side support and support by the local 
| OpenSSL library version (for instance, 1.1.1 is good enough), fetchmail 
| can also be configured to require TLS v1.3 or newer instead, in that 
| case, use --sslproto TLS1.3+ on the command line or sslproto TLS1.3+ in 
| the rcfile.
| 
| 
| future direction: fetchmail 6.5 and newer (not yet released and several 
| weeks to months out) will make TLS 1.2 the minimum required version, and 
| will also require an OpenSSL library that supports TLS 1.3.
| ------------------------------------------------------------------------
| 
| 
| Note that the changes proposed above, when successfully deployed, can 
| remain in place when fetchmail 6.4.22 will be released, so there is no 
| need to wait.




| _______________________________________________
| Fetchmail-users mailing list
| Fet...@li...
| https://lists.sourceforge.net/lists/listinfo/fetchmail-users