| author | Matthias Andree <matthias.andree@gmx.de> | 2021-08-26 23:53:14 +0200 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2021-08-27 00:16:12 +0200 |
| commit | 8363b7b7b9f7b4fdeb0e804c4708f114e09c85d2 (patch) | |
| tree | 2948ebfe41f64e79d4613aa14aace54de08bdd6b /README.SSL | |
| parent | 5cca5d1e300a41bda91b983c8ccf7fbb60ccb957 (diff) | |
Add CVE ID; revise TLS docs & fetchmail-SA-2021-02
Diffstat (limited to 'README.SSL')
-rw-r--r-- | README.SSL | 36 |
1 files changed, 21 insertions, 15 deletions
@@ -18,9 +18,6 @@ POP3/IMAP4) or is totally SSL-wrapped on a separate port. Also, fetchmail 6.4.0 and newer releases changed some of the semantics as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. -If your server does not support this, you may have to specify --sslproto -ssl3+. This is in order to prefer the newer TLS protocols, because SSLv2 -and v3 are broken. Finally, due to other defaults changing, and several mail services not supporting in-band negotiation of SSL or TLS by means of STLS or STARTTLS, 
@@ -40,28 +37,37 @@ In all four examples below, the (--)sslcertck has become redundant since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation for a while, we'll leave it here to be safe. -For use of SSL or TLS with in-band negotiation on the regular service's port, -i. e. with STLS or STARTTLS, use these command line options +For use of SSL or TLS on a separate port (recommended), called Implicit TLS, +the whole TCP connection is SSL-encrypted from the very beginning (SSL- or +TLS-wrapped), use these command line options (in the rcfile, +omit all leading "--"): - --sslproto auto --sslcertck + --ssl --sslproto tls1.2+ --sslcertck or these options in the rcfile (after the respective "user"... options) - sslproto auto sslcertck - + ssl sslproto tls1.2+ sslcertck -Note that some services do not offer STLS or STARTTLS, but most do -offer SSL or TLS on a separate, dedicated, "secure" port: -For use of SSL or TLS on a separate port, if the whole TCP connection is -SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these -command line options (in the rcfile, omit all leading "--"): +For use of SSL or TLS with in-band negotiation on the regular service's port, +i. e. with STLS or STARTTLS, use these command line options (omitting --ssl or +ssl): - --ssl --sslproto auto --sslcertck + --sslproto tls1.2+ --sslcertck or these options in the rcfile (after the respective "user"... options) - ssl sslproto auto sslcertck + sslproto tls1.2+ sslcertck + + +With up to date OpenSSL libraries (1.1.1 or newer), and with recent +software on the server, you can alternatively configure tls1.3+. + +For some older services, you may need to use tls1.1+ or tls1+ for compatibility +instead of the tls1.2+ above. In such situations, you should ask the service +provider or server operator to upgrade their TLS implementation such that +TLS v1.3 be supported, and once that happens, update your fetchmail configuration +to tls1.3+ or tls1.2+. 
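Review bot: in the first hunk (@@ -18,9 +18,6 @@), removing the `--sslproto ssl3+` fallback paragraph leaves "will auto-negotiate TLSv1 or newer only" with no hint of what a user whose server fails that negotiation should do; the replacement guidance (tls1.1+ or tls1+ for older services, then tls1.2+ or tls1.3+ once the server is upgraded) lives only in the later section of this patch, so a one-line pointer to it here, or a short statement that SSLv2 and SSLv3 are no longer negotiated at all, would keep this paragraph self-contained.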
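Review bot: in the second hunk (@@ -40,28 +37,37 @@), the new Implicit TLS paragraph is a run-on: "For use of SSL or TLS on a separate port (recommended), called Implicit TLS, the whole TCP connection is SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these command line options". Suggest splitting it into "For use of SSL or TLS on a separate, dedicated port (recommended), called Implicit TLS, the whole TCP connection is encrypted from the very beginning (SSL- or TLS-wrapped). Use these command line options (in the rcfile, omit all leading "--"):". Two smaller wording points in the same hunk: "up to date OpenSSL libraries" should be "up-to-date OpenSSL libraries", and "upgrade their TLS implementation such that TLS v1.3 be supported" reads better as "so that TLS v1.3 is supported". The compatibility paragraph also tells the user to ask the provider to upgrade but gives no reason; a short clause noting that tls1.1+ and tls1+ re-enable protocol versions the tls1.2+ examples above deliberately exclude would make clear why the fallback should be temporary.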
Background and use (long version :-)) |