author | Eric S. Raymond <esr@thyrsus.com> | 1996-12-25 12:22:13 +0000 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 1996-12-25 12:22:13 +0000 |
commit | 643203c9bf21aad67bb287b06424674d4f93017d (patch) | |
tree | f427c7938d910ebbd771906eb3526e3de23ef424 | |
parent | 682a083355c678aa74d238b3d2fc3986b4edcacb (diff) | |
Mods to George Sipe's interface option.
svn path=/trunk/; revision=694
-rw-r--r-- | NEWS | 4 |
-rw-r--r-- | README | 13 |
-rw-r--r-- | fetchmail.man | 40 |

3 files changed, 33 insertions, 24 deletions
@@ -15,6 +15,10 @@ ------------------------------------------------------------------------------ fetchmail-2.6 (Wed Dec 25 05:56:24 EST 1996) +features -- + +* --interface option format is now simpler. + bugs -- * Fixed length-computation bug (apparently introduced in 2.3) that messed @@ -34,6 +34,9 @@ pop-perl5-1.2, popc, popmail-1.6 and upop) are marked with **. ** Support for retrieving and forwarding from multi-drop mailboxes that is guaranteed not to cause mail loops. + ** (Linux only) Security option to permit fetchmail to run only + when an interface to a particular IP address is up. + * Easy control via command line or free-format run control file. * Daemon mode -- fetchmail can be run in background to poll @@ -60,11 +63,11 @@ pop-perl5-1.2, popc, popmail-1.6 and upop) are marked with **. feedback is rapid, bugs get found and fixed rapidly. The fetchmail code appears to be stable and free of bugs affecting -normal operation (that is, retrieving from POP3 or IMAP and forwarding -99via SMTP to sendmail). It will probably undergo substantial change -only if and when support for a new retrieval protocol or authentication -is added. See the distribution files NEWS for detailed information on -recent changes and NOTES for design notes. +normal operation (that is, retrieving from POP3 or IMAP in single-drop +mode and forwarding via SMTP to sendmail). It will probably undergo +substantial change only if and when support for a new retrieval +protocol or authentication is added. See the distribution files NEWS +for detailed information on recent changes and NOTES for design notes. You can easily fetch the latest version of fetchmail via FTP from the following FTP directory: diff --git a/fetchmail.man b/fetchmail.man index ce1b76b5..d24234ff 100644 --- a/fetchmail.man +++ b/fetchmail.man 
@@ -107,26 +107,24 @@ Specify an alternate name for the .fetchids file used to save POP3 UIDs. .TP .B \-I specification, --interface specification -.I fetchmail -relies on the underlying TCP/IP protocol to reach the server host. -Transient links are commonly established directly to a mail host and are -relatively secure channels to communicate. When other routes exist, or -when a transient link is established to a different remote host, your -username and password may be vulnerable to snooping when daemon mode -automatically polls for mail. -.sp -This option may be used to specify a connection IP address (or range) -for a system TCP/IP interface. When the link is not up or is connected -to a different host, polling will be skipped. The format is: -.sp - interface/iii.iii.iii.iii/mmm.mmm.mmm.mmm +Require that a point-to-point connection to a given IP address be up +before polling. Normally fetchmail is used via a transient +point-to-point TCP/IP link established directly to a mailserver via +SLIP or PPP; this is a relatively secure channel. But when other +TCP/IP routes to the mailserver exist, your username and password may +be vulnerable to snooping (especially when daemon mode automatically +polls for mail, shipping a clear password over the net at predictable +intervals). The --interface option may be used to prevent this by +specifying a connection IP address (or range) for the mailserver +TCP/IP link. When the specified link is not up or is not connected to +a matching IP address, polling will be skipped. The format is: .sp -The field after the first slash is the acceptable IP address and the -field after the second slash is a mask which specifies a range of IP -addresses to accept. If no mask is present 255.255.255.255 is assumed -(i.e. an exact match). + iii.iii.iii.iii/mmm.mmm.mmm.mmm .sp -This option is currently only supported under Linux. 
+The field before the slash is the acceptable IP address and the field +after the slash is a mask which specifies a range of IP addresses to +accept. If no mask is present 255.255.255.255 is assumed (i.e. an +exact match). This option is currently only supported under Linux. .TP .B \-M interface, --monitor interface Daemon mode can cause transient links which are automatically taken down @@ -827,7 +825,11 @@ Use of any of the supported protocols other than APOP or KPOP requires that the program send unencrypted passwords over the TCP/IP connection to the mailserver. This creates a risk that name/password pairs might be snaffled with a packet sniffer or more sophisticated -monitoring software. +monitoring software. Under Linux, the --interface option can be used +to restrict polling to a specified point-to-point link, but snooping +is still possible if (a) either host has a network device that can be +opened in promiscuous mode, or (b) the intervening network link can +be tapped. .PP Send comments, bug reports, gripes, and the like to Eric S. Raymond <esr@thyrsus.com>. |
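Review bot: In the NEWS hunk (@@ -15,6 +15,10), the entry "--interface option format is now simpler" does not say that the accepted syntax changed. The fetchmail.man hunk in this same commit replaces "interface/iii.iii.iii.iii/mmm.mmm.mmm.mmm" with "iii.iii.iii.iii/mmm.mmm.mmm.mmm", so a value written in the old form now has a different first field. Suggest the entry show the old and new forms side by side and say whether an old-form value is still accepted or is rejected, since this option gates when a cleartext password is sent.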
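Review bot: In the README hunk at @@ -34,6 +34,9, the new bullet calls this a "Security option" without naming it or qualifying the claim, while the fetchmail.man hunk at -827 in this commit states that snooping is still possible with the option set. Suggest naming --interface in the bullet and wording it as a restriction on when polling happens (for example "Option to poll only when ... is up") with a pointer to the man page, so the feature list does not promise more than the manual does.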
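Review bot: In the fetchmail.man hunk at @@ -107,26 +107,24, the rewritten --interface text still says polling is skipped "When the specified link is not up", but the new format line "iii.iii.iii.iii/mmm.mmm.mmm.mmm" no longer carries an interface name, so the text never says which link is examined. It also does not say whether the address compared is the local or the remote end of the point-to-point link ("a connection IP address (or range) for the mailserver TCP/IP link" can be read either way). Suggest stating how the link is selected, which end's address is matched against the address/mask pair, and that the check only confirms the link is up; the same paragraph notes that "other TCP/IP routes to the mailserver" can exist, and the text should say whether the option does anything about those.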
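Review bot: In the fetchmail.man hunk at @@ -827,7 +825,11, the added sentence places --interface directly after the cleartext-password warning, which can be read as offering it as the remedy, although the option only decides whether polling runs and the password is still sent unencrypted. The paragraph already names APOP and KPOP as the protocols that avoid this; suggest the new sentence say explicitly that --interface does not protect the password on the wire and refer readers back to APOP or KPOP where the server supports them, keeping the (a)/(b) caveats as they are.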