The real 5.2.0.

svn path=/trunk/; revision=2659

3 files changed, 91 insertions, 21 deletions

diff --git a/README b/README
index ac78d6aa..c74dc57f 100644
--- a/README
+++ b/README
@@ -12,7 +12,7 @@ Internet: POP2, POP3 (including POP3 with RFC1938 one-time passwords),
 RPOP, APOP, KPOP, Compuserve's POP3 with RPA, Microsoft's NTLM, Demon
 Internet's SDPS, all flavors of IMAP (including IMAP4rev1 with RFC1731
 Kerberos v4 or GSSAPI authentication or CRAM-MD5 authentication), and
-ESMTP ETRN.
+ESMTP ETRN.  Fetchmail also supports end-to-end encryption with OpenSSL.
 
 The fetchmail code was developed under Linux, but has also been
 extensively tested under the BSD variants, AIX, HP-UX versions 9 and
diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html
index 37cc3c42..6f0b1ec8 100644
--- a/fetchmail-FAQ.html
+++ b/fetchmail-FAQ.html
@@ -10,7 +10,7 @@
 <table width="100%" cellpadding=0><tr>
 <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
 <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 1999/11/30 20:01:32 $
+<td width="30%" align=right>$Date: 1999/12/19 18:05:39 $
 </table>
 <HR>
 <H1>Frequently Asked Questions About Fetchmail</H1>
@@ -539,6 +539,17 @@ The specific recipe for using fetchmail with a firewall is at <a
 href="#K1">K1</a><P>
 
 <hr>
+<h2><a name="B1">B1. Lex bombs out while building the fetchmail lexer.</a></h2>
+
+In the immortal words of Alan Cox the last time this came up: ``Take
+the Solaris lex and stick it up the backside of a passing Sun
+salesman, then install <a
+href="ftp://prep.ai.mit.edu/ftp/pub/gnu">flex</a> and use that.  All
+will be happier.''<P>
+
+I couldn't have put it better myself, and ain't going to try now.<P>
+
+<hr>
 <h2><a name="G11">G11. Is any special configuration needed to <em>send</em> mail?</a></h2>
 
 A user asks: but how do we send mail out to the POP3 server? Do I need
@@ -574,17 +585,6 @@ gateway between POP3/IMAP servers and SMTP.  Disconnected operation
 requires an elaborate interactive client.  It's a very different problem.<p>
 
 <hr>
-<h2><a name="B1">B1. Lex bombs out while building the fetchmail lexer.</a></h2>
-
-In the immortal words of Alan Cox the last time this came up: ``Take
-the Solaris lex and stick it up the backside of a passing Sun
-salesman, then install <a
-href="ftp://prep.ai.mit.edu/ftp/pub/gnu">flex</a> and use that.  All
-will be happier.''<P>
-
-I couldn't have put it better myself, and ain't going to try now.<P>
-
-<hr>
 <h2><a name="B2">B2. I get link failures when I try to build fetchmail.</a></h2>
 
 If you get errors resembling these<P>
@@ -696,7 +696,7 @@ all-numeric token as a number, which confused it when it was
 expecting a name.  String quoting forces the token's class.<p>
 
 The lexical analyzer in 5.0.6 and beyond is smarter and assumes
-any token following "username" or "password" is a string.<p>
+any token following "username" or "password" is a string.
 
 <hr>
 <h2><a name="F3">F3. The .fetchmailrc parser won't accept my host or username beginning with `no'.</a></h2>
@@ -1193,7 +1193,7 @@ banished by <a
 href="http://www.eudora.com/freeware/qpop.html">upgrading to qpopper
 3.0b1</a>.<p>
 
-<h3>Bad interaction with fetchmail 4.4.2 to 4.4.7</h3>
+<h3>Bad interaction with fetchmail 4.4.2 to 4,4.7</h3>
 
 Versions of fetchmail from 4.4.2 through 4.4.7 had a bad interaction 
 with Eudora qpopper versions 2.3 and later.  See <a href="#X5">X5</a>
@@ -1466,10 +1466,6 @@ You can't.  At least not if you want to be able to see attachments.
 MailMax has a bug; it reports the message length with attachments 
 but doesn't download them on TOP or RETR. <p>
 
-We recommend ditching MailMax for a server that actually works.  While
-you're at it, you should consider ditching the NT it runs over for an operating
-system that actually works (see <a href="#G7">G7</a>).<p>
-
 <hr>
 <h2><a name="S10">S10. How can I use fetchmail with Novell GroupWise?</a></h2>
 
@@ -1894,7 +1890,7 @@ option values that work:<P>
 </pre>
 
 <hr>
-<h2><a name="R8">R8. Fetchmail running as root stopped working after an OS upgrade</a></h2>
+<a name="R8">R8. Fetchmail running as root stopped working after an OS upgrade</a></h2>
 
 In RH 6.0, the HOME value in the boot-time root environment changed
 from /root to / as the result of a change in init.  Move your
@@ -2502,7 +2498,7 @@ inactivity timeout.<p>
 <table width="100%" cellpadding=0><tr>
 <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
 <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 1999/11/30 20:01:32 $
+<td width="30%" align=right>$Date: 1999/12/19 18:05:39 $
 </table>
 
 <P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com">&lt;esr@snark.thyrsus.com&gt;</A></ADDRESS>
diff --git a/fetchmail.man b/fetchmail.man
index b0ab6339..77900035 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -256,6 +256,44 @@ Causes a specified non-default mail folder on the mailserver (or
 comma-separated list of folders) to be retrieved.  The syntax of the
 folder name is server-dependent.  This option is not available under
 POP3 or ETRN.
+.TP
+.B \--ssl
+(Keyword: ssl)
+Causes the connection to the mail server to be encrypted via SSL.  Connect
+to the server using the specified base protocol over a connection secured
+by SSL.  SSL support must be present at the server.  If no port is
+specified, the connection is attempted to the well known port of the SSL
+version of the base protocol.  This is generally a different port than the
+port used by the base protocol.  For imap, this is port 143 for the clear
+protocol and port 993 for the SSL secured protocol.
+.TP
+.B \--sslcert <name>
+(Keyword: sslcert)
+Specifies the file name of the client side public SSL certificate.  Some
+SSL encrypted servers may require client side keys and certificates for
+authentication.  In most cases, this is optional.  This specifies
+the location of the public key certificate to be presented to the server
+at the time the SSL session is established.  It is not required (but may
+be provided) if the server does not require it.  Some servers may
+require it, some servers may request it but not require it, and some
+servers may not request it at all.  It may be the same file
+as the private key (combined key and certificate file) but this is not
+recommended.
+.TP
+.B \--sslkey <name>
+(Keyword: sslkey)
+Specifies the file name of the client side private SSL key.  Some SSL
+encrypted servers may require client side keys and certificates for
+authentication.  In most cases, this is optional.  This specifies
+the location of the private key used to sign transactions with the server
+at the time the SSL session is established.  It is not required (but may
+be provided) if the server does not require it.  Some servers may
+require it, some servers may request it but not require it, and some
+servers may not request it at all.  It may be the same file
+as the public key (combined key and certificate file) but this is not
+recommended.  If a password is required to unlock the key, it will be
+prompted for at the time just prior to establishing the session to the
+server.  This can cause some complications in daemon mode.
 .SS Delivery Control Options
 .TP
 .B \-S <hosts>, --smtphost <hosts>
@@ -669,6 +707,33 @@ initialized.  You can also do this using the `netsec' server option
 in the .fetchmailrc file.  In either case, the option value is a
 string in the format accepted by the net_security_strtorequest() 
 function of the inet6_apps library.
+.PP
+You can access SSL encrypted services by specifying the --ssl option.
+You can also do this using the "ssl" server option in the .fetchmailrc
+file.  With SSL encryption enabled, queries are initiated over a connection
+after negotiating an SSL session.  Some services, such as POP3 and IMAP,
+have different well known ports defined for the SSL encrypted services.
+The encrypted ports will be selected automatically when SSL is enabled and
+no explicit port is specified.
+.PP
+When connecting to an SSL encrypted server, the server presents a certificate
+to the client for validation.  The certificate is checked to verify that
+the common name in the certificate matches the name of the server being
+contacted and that the effective and expiration dates in the certificate
+indicate that it is currently valid.  If any of these checks fail, a warning
+message is printed, but the connection continues.  The server certificate
+does not need to be signed by any specific Certifying Authority and may
+be a "self-signed" certificate.
+.PP
+Some SSL encrypted servers may request a client side certificate.  A client
+side public SSL certificate and private SSL key may be specified.  If
+requested by the server, the client certificate is sent to the server for
+validation.  Some servers may require a valid client certificate and may
+refuse connections if a certificate is not provided or if the certificate
+is not valid.  Some servers may require client side certificates be signed
+by a recognized Certifying Authority.  The format for the key files and
+the certificate files is that required by the underlying SSL libraries
+(OpenSSL in the general case).
 
 .SH DAEMON MODE
 The 
@@ -1020,6 +1085,15 @@ T}
 port    	-P	T{
 Specify TCP/IP service port
 T}
+ssl    		T{
+Connect to server over the specified base protocol using SSL encryption
+T}
+sslcert    		T{
+Specify file for client side public SSL certificate
+T}
+sslkey    		T{
+Specify file for client side private SSL key
+T}
 auth[enticate]	-A	T{
 Set preauthentication type (default `password')
 T}