The real 5.2.0.

svn path=/trunk/; revision=2659

1 files changed, 74 insertions, 0 deletions

diff --git a/fetchmail.man b/fetchmail.man
index b0ab6339..77900035 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -256,6 +256,44 @@ Causes a specified non-default mail folder on the mailserver (or
 comma-separated list of folders) to be retrieved.  The syntax of the
 folder name is server-dependent.  This option is not available under
 POP3 or ETRN.
+.TP
+.B \--ssl
+(Keyword: ssl)
+Causes the connection to the mail server to be encrypted via SSL.  Connect
+to the server using the specified base protocol over a connection secured
+by SSL.  SSL support must be present at the server.  If no port is
+specified, the connection is attempted to the well known port of the SSL
+version of the base protocol.  This is generally a different port than the
+port used by the base protocol.  For imap, this is port 143 for the clear
+protocol and port 993 for the SSL secured protocol.
+.TP
+.B \--sslcert <name>
+(Keyword: sslcert)
+Specifies the file name of the client side public SSL certificate.  Some
+SSL encrypted servers may require client side keys and certificates for
+authentication.  In most cases, this is optional.  This specifies
+the location of the public key certificate to be presented to the server
+at the time the SSL session is established.  It is not required (but may
+be provided) if the server does not require it.  Some servers may
+require it, some servers may request it but not require it, and some
+servers may not request it at all.  It may be the same file
+as the private key (combined key and certificate file) but this is not
+recommended.
+.TP
+.B \--sslkey <name>
+(Keyword: sslkey)
+Specifies the file name of the client side private SSL key.  Some SSL
+encrypted servers may require client side keys and certificates for
+authentication.  In most cases, this is optional.  This specifies
+the location of the private key used to sign transactions with the server
+at the time the SSL session is established.  It is not required (but may
+be provided) if the server does not require it.  Some servers may
+require it, some servers may request it but not require it, and some
+servers may not request it at all.  It may be the same file
+as the public key (combined key and certificate file) but this is not
+recommended.  If a password is required to unlock the key, it will be
+prompted for at the time just prior to establishing the session to the
+server.  This can cause some complications in daemon mode.
 .SS Delivery Control Options
 .TP
 .B \-S <hosts>, --smtphost <hosts>
@@ -669,6 +707,33 @@ initialized.  You can also do this using the `netsec' server option
 in the .fetchmailrc file.  In either case, the option value is a
 string in the format accepted by the net_security_strtorequest() 
 function of the inet6_apps library.
+.PP
+You can access SSL encrypted services by specifying the --ssl option.
+You can also do this using the "ssl" server option in the .fetchmailrc
+file.  With SSL encryption enabled, queries are initiated over a connection
+after negotiating an SSL session.  Some services, such as POP3 and IMAP,
+have different well known ports defined for the SSL encrypted services.
+The encrypted ports will be selected automatically when SSL is enabled and
+no explicit port is specified.
+.PP
+When connecting to an SSL encrypted server, the server presents a certificate
+to the client for validation.  The certificate is checked to verify that
+the common name in the certificate matches the name of the server being
+contacted and that the effective and expiration dates in the certificate
+indicate that it is currently valid.  If any of these checks fail, a warning
+message is printed, but the connection continues.  The server certificate
+does not need to be signed by any specific Certifying Authority and may
+be a "self-signed" certificate.
+.PP
+Some SSL encrypted servers may request a client side certificate.  A client
+side public SSL certificate and private SSL key may be specified.  If
+requested by the server, the client certificate is sent to the server for
+validation.  Some servers may require a valid client certificate and may
+refuse connections if a certificate is not provided or if the certificate
+is not valid.  Some servers may require client side certificates be signed
+by a recognized Certifying Authority.  The format for the key files and
+the certificate files is that required by the underlying SSL libraries
+(OpenSSL in the general case).
 
 .SH DAEMON MODE
 The 
@@ -1020,6 +1085,15 @@ T}
 port    	-P	T{
 Specify TCP/IP service port
 T}
+ssl    		T{
+Connect to server over the specified base protocol using SSL encryption
+T}
+sslcert    		T{
+Specify file for client side public SSL certificate
+T}
+sslkey    		T{
+Specify file for client side private SSL key
+T}
 auth[enticate]	-A	T{
 Set preauthentication type (default `password')
 T}