author | Matthias Andree <matthias.andree@gmx.de> | 2021-10-31 12:53:45 +0100 |
committer | Matthias Andree <matthias.andree@gmx.de> | 2021-10-31 12:55:32 +0100 |
commit | 56e8f9b656fdc8bbec569b6ac5deb6fe66c62aed (patch) | |
tree | 597e762f3c25b01c3183329ebda3733b75b04305 | |
parent | b93af8e832b1b13b82ef6485dd8ddca08fc1340c (diff) | |
IMAP: improve STARTTLS error message for ssh-plugin case
For common ssh-based IMAP PREAUTH setups (i.e. those that use a plugin
- whatever its contents - and that set auth ssh), change the STARTTLS
error message to suggest sslproto '' instead.
-rw-r--r-- | NEWS | 7 | ||||
-rw-r--r-- | fetchmail.man | 5 | ||||
-rw-r--r-- | imap.c | 9 |
3 files changed, 17 insertions, 4 deletions
@@ -92,6 +92,13 @@ removed from a 6.5.0 or newer release.) -------------------------------------------------------------------------------- fetchmail-6.4.23 (not yet released): +# USABILITY: +* For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin + - no matter its contents - and that set auth ssh), change the STARTTLS + error message to suggest sslproto '' instead. + This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22. + Fixes Redhat Bugzilla 2008160. Fixes GitLab #39. + # TRANSLATIONS: language translations were updated by these fine people: * ja: Takeshi Hamasaki [Japanese] * sr: Мирослав Николић (Miroslav Nikolić) [Serbian] diff --git a/fetchmail.man b/fetchmail.man index 4e2895c5..0cece97b 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -10,7 +10,7 @@ .\" Load www macros to process .URL requests, this requires groff: .mso www.tmac .\" -.TH fetchmail 1 2021-08-10 "fetchmail 6.4.22" "fetchmail reference manual" +.TH fetchmail 1 2021-10-31 "fetchmail 6.4.23" "fetchmail reference manual" .SH NAME fetchmail \- fetch mail from a POP, IMAP, ETRN, or ODMR-capable server @@ -1020,7 +1020,8 @@ may be used to force various authentication methods Any value other than \fBpassword\fP, \fBcram\-md5\fP, \fBntlm\fP, \&\fBmsn\fP or \fBotp\fP suppresses fetchmail's normal inquiry for a password. Specify \fBssh\fP when you are using an end-to-end secure -connection such as an ssh tunnel; specify \fBexternal\fP when you use +connection such as an ssh tunnel (in this case you may also want to specify +\&\fB\-\-sslproto\ ''\fP, which see); specify \fBexternal\fP when you use TLS with client authentication and specify \fBgssapi\fP or \&\fBkerberos_v4\fP if you are using a protocol variant that employs GSSAPI or K4. Choosing KPOP protocol automatically selects Kerberos 
@@ -489,8 +489,13 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
 #ifdef SSL_ENABLE
 /* Defend against a PREAUTH-prevents-STARTTLS attack */
 if (preauth && must_starttls(ctl)) {
- report(stderr, GT_("%s: configuration requires TLS, but STARTTLS is not permitted "
- "because of authenticated state (PREAUTH). Aborting connection. Server permitting, try --ssl instead (see manual).\n"), commonname);
+ if (ctl->server.plugin && A_SSH == ctl->server.authenticate) {
+ report(stderr, GT_("%s: configuration requires TLS, but STARTTLS is not permitted "
+ "because of authenticated state (PREAUTH). Aborting connection. If your plugin is secure, you can defeat STARTTLS with --sslproto '' (see manual).\n"), commonname);
+ } else {
+ report(stderr, GT_("%s: configuration requires TLS, but STARTTLS is not permitted "
+ "because of authenticated state (PREAUTH). Aborting connection. Server permitting, try --ssl instead (see manual).\n"), commonname);
+ }
 preauth = FALSE; /* reset for the next session */
 return PS_SOCKET;
 } |
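Review bot: The new branch at `if (ctl->server.plugin && A_SSH == ctl->server.authenticate)` selects the softer advice purely on a plugin being configured and auth being ssh, with no knowledge of what the plugin actually runs, so the hint to pass `--sslproto ''` is printed for any plugin command; the message hedges this with "If your plugin is secure", which is appropriate, but the reason for the branch is not recorded in the code. I would add a comment above it: `/* PREAUTH via an ssh-style plugin: the plugin, not TLS, provides transport security, so point the user at sslproto ''; the STARTTLS refusal itself (CVE-2021-39272) is unchanged in both branches */`. Keeping two complete GT_() strings instead of sharing the common prefix is the right call for translators, since sentence fragments do not translate well. imap_getauth begins and ends outside this hunk.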