From: Matthias A. <mat...@gm...> - 2025-10-08 14:40:47
The 6.5.7.rc1 release of fetchmail is now available at the usual locations, including <https://downloads.sourceforge.net/project/fetchmail/branch_6.5/>.

Please test this especially if
+ you use SMTP AUTH (esmtppassword)
+ and/or want to store your SMTP passwords in .netrc

and share feedback mentioning the 6.5.7.rc1 version via list, by e-mail or, if you find a bug, Gitlab issue (account required) at https://gitlab.com/fetchmail/fetchmail/-/issues - note for bug reports that AUTH PLAIN and AUTH LOGIN data must be redacted from your reports, these can be reversed to reveal your password!

Reminder: only subscribers to the fetchmail mailing lists can send mail there.

Plan: I intend this to further clean up the SMTP AUTH code, which I saw necessary when fixing the security bug in 6.5.6, and collect the translations, which I could not wait for when making the security bugfix release. If we don't see regressions, I intend to release 6.5.7 in c. 10 days.

Afterwards, I intend to quickly follow up with an unplanned but necessary fetchmail 6.6.0 feature release that will add TLS and STARTTLS support for SMTP because we don't have strong protection for SMTP passwords yet.

The source archive is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.7.rc1.tar.xz/download>

The detached GnuPG signature is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.7.rc1.tar.xz.asc/download>

The SHA256 hashes for the tarballs are:

SHA2-256(fetchmail-6.5.7.rc1.tar.xz)= 2aa57f8cfe117dcfaf0a481a8c607dc401c15603bcb641bc610ec794c398cb9a

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.5.7 (not yet released):

## BUGFIX:
* When authenticating to an SMTP server, the AUTH LOGIN method (which didn't become a proposed standard, and is only the third method fetchmail would try, if CRAM-MD5 and PLAIN weren't offered) required that the server returned a 334 code followed by a blank and by a decodable base64 challenge we ignored anyways. This is in line with RFC 4952. However, to improve compatibility, fetchmail now accepts anything that starts with "334 " and disregards the remainder of the line. At the same time, AUTH LOGIN was deprecated. AUTH PLAIN should be available everywhere AUTH LOGIN is, and is specified in IETF RFC 4616.
* When authenticating to an SMTP server, i. e. esmtpname/esmtppassword are defined, check for errors, and skip servers that do not understand EHLO, because we cannot negotiate supported authentication schemes with them. This should avoid attempting to send a lot of messages and see them rejected.
* When authenticating to an SMTP server, do not send client abort "*" when we receive any other server reply but 334.
* Extend 6.5.6's RFC-5321 address-literal fix to MAIL FROM:<>. This might apply when we only have a server's IP address and need to qualify addresses without domain. Fixes Debian Bug#1080025.
* SMTP AUTH can now look up passwords from the .netrc file - for that, fetchmail's esmtpname setting must match the login for the given host in .netrc. Fixes Debian Bug#1056651 by Ticker Berkin.

## TRANSLATION UPDATES were contributed by these fine people - thank you!
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* es: Cristian Othón Martínez Vera [Spanish]
* fr: Frédéric Marchal [French]
* ja: Takeshi Hamasaki [Japanese]
* pl: Jakub Bogusz [Polish]
* ro: Remus-Gabriel Chelu [Romanian]
* sv: Göran Uddeborg [Swedish]
-------------------------------------------------------------------------------
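
Added example, not part of the original announcement and not fetchmail code: a small Python filter that redacts SMTP AUTH credential data from a transcript before it goes into a bug report, following the note above that AUTH PLAIN and AUTH LOGIN data can be reversed. The "SMTP>" / "SMTP<" line prefixes, the sample transcript and the names `redact` and `decode_plain` are assumptions made for this example.

```python
import base64
import re

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed transcript, not real fetchmail output. The "SMTP>" (client)
# and "SMTP<" (server) prefixes are an assumed log layout.
SAMPLE = "\n".join([
    "SMTP> EHLO client.example",
    "SMTP< 250 AUTH PLAIN LOGIN",
    "SMTP> AUTH PLAIN " + b64("\0joe\0hunter2"),
    "SMTP< 235 ok",
    "SMTP> AUTH LOGIN",
    "SMTP< 334 " + b64("Username:"),
    "SMTP> " + b64("joe"),
    "SMTP< 334 " + b64("Password:"),
    "SMTP> " + b64("hunter2"),
    "SMTP< 235 ok",
    "SMTP> MAIL FROM:<joe@client.example>",
])

# AUTH command, optionally carrying an initial response on the same line
AUTH_CMD = re.compile(r"^(SMTP> AUTH \S+)(?: (\S+))?\s*$", re.I)

def decode_plain(token: str) -> list[str]:
    """Why redaction matters: base64 is an encoding, not encryption."""
    return base64.b64decode(token).decode().split("\0")

def redact(transcript: str) -> str:
    out, in_auth, expect_secret = [], False, False
    for line in transcript.splitlines():
        m = AUTH_CMD.match(line)
        if m:
            in_auth = True
            line = m.group(1) + (" [REDACTED]" if m.group(2) else "")
        elif line.startswith("SMTP< "):
            # 334 asks the client for more data; any other reply ends the exchange
            expect_secret = in_auth and line[6:].startswith("334")
            in_auth = expect_secret
        elif line.startswith("SMTP> ") and expect_secret:
            line, expect_secret = "SMTP> [REDACTED]", False
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The server's 334 prompts are left in place because they carry no credentials; only client data sent in response to them, and any AUTH initial response, is replaced.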