-rw-r--r-- | README | 2
-rw-r--r-- | fetchmail-FAQ.html | 36
-rw-r--r-- | fetchmail.man | 74
3 files changed, 91 insertions, 21 deletions
@@ -12,7 +12,7 @@ Internet: POP2, POP3 (including POP3 with RFC1938 one-time passwords), RPOP, APOP, KPOP, Compuserve's POP3 with RPA, Microsoft's NTLM, Demon Internet's SDPS, all flavors of IMAP (including IMAP4rev1 with RFC1731 Kerberos v4 or GSSAPI authentication or CRAM-MD5 authentication), and -ESMTP ETRN. +ESMTP ETRN. Fetchmail also supports end-to-end encryption with OpenSSL. The fetchmail code was developed under Linux, but has also been extensively tested under the BSD variants, AIX, HP-UX versions 9 and diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 37cc3c42..6f0b1ec8 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@ <table width="100%" cellpadding=0><tr> <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a> <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 1999/11/30 20:01:32 $ +<td width="30%" align=right>$Date: 1999/12/19 18:05:39 $ </table> <HR> <H1>Frequently Asked Questions About Fetchmail</H1> @@ -539,6 +539,17 @@ The specific recipe for using fetchmail with a firewall is at <a href="#K1">K1</a><P> <hr> +<h2><a name="B1">B1. Lex bombs out while building the fetchmail lexer.</a></h2> + +In the immortal words of Alan Cox the last time this came up: ``Take +the Solaris lex and stick it up the backside of a passing Sun +salesman, then install <a +href="ftp://prep.ai.mit.edu/ftp/pub/gnu">flex</a> and use that. All +will be happier.''<P> + +I couldn't have put it better myself, and ain't going to try now.<P> + +<hr> <h2><a name="G11">G11. Is any special configuration needed to <em>send</em> mail?</a></h2> A user asks: but how do we send mail out to the POP3 server? Do I need 
@@ -574,17 +585,6 @@ gateway between POP3/IMAP servers and SMTP. Disconnected operation requires an elaborate interactive client. It's a very different problem.<p> <hr> -<h2><a name="B1">B1. Lex bombs out while building the fetchmail lexer.</a></h2> - -In the immortal words of Alan Cox the last time this came up: ``Take -the Solaris lex and stick it up the backside of a passing Sun -salesman, then install <a -href="ftp://prep.ai.mit.edu/ftp/pub/gnu">flex</a> and use that. All -will be happier.''<P> - -I couldn't have put it better myself, and ain't going to try now.<P> - -<hr> <h2><a name="B2">B2. I get link failures when I try to build fetchmail.</a></h2> If you get errors resembling these<P> @@ -696,7 +696,7 @@ all-numeric token as a number, which confused it when it was expecting a name. String quoting forces the token's class.<p> The lexical analyzer in 5.0.6 and beyond is smarter and assumes -any token following "username" or "password" is a string.<p> +any token following "username" or "password" is a string. <hr> <h2><a name="F3">F3. The .fetchmailrc parser won't accept my host or username beginning with `no'.</a></h2> @@ -1193,7 +1193,7 @@ banished by <a href="http://www.eudora.com/freeware/qpop.html">upgrading to qpopper 3.0b1</a>.<p> -<h3>Bad interaction with fetchmail 4.4.2 to 4.4.7</h3> +<h3>Bad interaction with fetchmail 4.4.2 to 4,4.7</h3> Versions of fetchmail from 4.4.2 through 4.4.7 had a bad interaction with Eudora qpopper versions 2.3 and later. See <a href="#X5">X5</a> 
@@ -1466,10 +1466,6 @@ You can't. At least not if you want to be able to see attachments. MailMax has a bug; it reports the message length with attachments but doesn't download them on TOP or RETR. <p> -We recommend ditching MailMax for a server that actually works. While -you're at it, you should consider ditching the NT it runs over for an operating -system that actually works (see <a href="#G7">G7</a>).<p> - <hr> <h2><a name="S10">S10. How can I use fetchmail with Novell GroupWise?</a></h2> @@ -1894,7 +1890,7 @@ option values that work:<P> </pre> <hr> -<h2><a name="R8">R8. Fetchmail running as root stopped working after an OS upgrade</a></h2> +<a name="R8">R8. Fetchmail running as root stopped working after an OS upgrade</a></h2> In RH 6.0, the HOME value in the boot-time root environment changed from /root to / as the result of a change in init. Move your @@ -2502,7 +2498,7 @@ inactivity timeout.<p> <table width="100%" cellpadding=0><tr> <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a> <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 1999/11/30 20:01:32 $ +<td width="30%" align=right>$Date: 1999/12/19 18:05:39 $ </table> <P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com"><esr@snark.thyrsus.com></A></ADDRESS> diff --git a/fetchmail.man b/fetchmail.man index b0ab6339..77900035 100644 --- a/fetchmail.man +++ b/fetchmail.man 
@@ -256,6 +256,44 @@ Causes a specified non-default mail folder on the mailserver (or comma-separated list of folders) to be retrieved. The syntax of the folder name is server-dependent. This option is not available under POP3 or ETRN. +.TP +.B \--ssl +(Keyword: ssl) +Causes the connection to the mail server to be encrypted via SSL. Connect +to the server using the specified base protocol over a connection secured +by SSL. SSL support must be present at the server. If no port is +specified, the connection is attempted to the well known port of the SSL +version of the base protocol. This is generally a different port than the +port used by the base protocol. For imap, this is port 143 for the clear +protocol and port 993 for the SSL secured protocol. +.TP +.B \--sslcert <name> +(Keyword: sslcert) +Specifies the file name of the client side public SSL certificate. Some +SSL encrypted servers may require client side keys and certificates for +authentication. In most cases, this is optional. This specifies +the location of the public key certificate to be presented to the server +at the time the SSL session is established. It is not required (but may +be provided) if the server does not require it. Some servers may +require it, some servers may request it but not require it, and some +servers may not request it at all. It may be the same file +as the private key (combined key and certificate file) but this is not +recommended. +.TP +.B \--sslkey <name> +(Keyword: sslkey) +Specifies the file name of the client side private SSL key. Some SSL +encrypted servers may require client side keys and certificates for +authentication. In most cases, this is optional. This specifies +the location of the private key used to sign transactions with the server +at the time the SSL session is established. It is not required (but may +be provided) if the server does not require it. 
Some servers may +require it, some servers may request it but not require it, and some +servers may not request it at all. It may be the same file +as the public key (combined key and certificate file) but this is not +recommended. If a password is required to unlock the key, it will be +prompted for at the time just prior to establishing the session to the +server. This can cause some complications in daemon mode. .SS Delivery Control Options .TP .B \-S <hosts>, --smtphost <hosts> 
@@ -669,6 +707,33 @@ initialized. You can also do this using the `netsec' server option in the .fetchmailrc file. In either case, the option value is a string in the format accepted by the net_security_strtorequest() function of the inet6_apps library. +.PP +You can access SSL encrypted services by specifying the --ssl option. +You can also do this using the "ssl" server option in the .fetchmailrc +file. With SSL encryption enabled, queries are initiated over a connection +after negotiating an SSL session. Some services, such as POP3 and IMAP, +have different well known ports defined for the SSL encrypted services. +The encrypted ports will be selected automatically when SSL is enabled and +no explicit port is specified. +.PP +When connecting to an SSL encrypted server, the server presents a certificate +to the client for validation. The certificate is checked to verify that +the common name in the certificate matches the name of the server being +contacted and that the effective and expiration dates in the certificate +indicate that it is currently valid. If any of these checks fail, a warning +message is printed, but the connection continues. The server certificate +does not need to be signed by any specific Certifying Authority and may +be a "self-signed" certificate. +.PP +Some SSL encrypted servers may request a client side certificate. A client +side public SSL certificate and private SSL key may be specified. If +requested by the server, the client certificate is sent to the server for +validation. Some servers may require a valid client certificate and may +refuse connections if a certificate is not provided or if the certificate +is not valid. Some servers may require client side certificates be signed +by a recognized Certifying Authority. The format for the key files and +the certificate files is that required by the underlying SSL libraries +(OpenSSL in the general case). .SH DAEMON MODE The 
@@ -1020,6 +1085,15 @@ T} port -P T{ Specify TCP/IP service port T} +ssl T{ +Connect to server over the specified base protocol using SSL encryption +T} +sslcert T{ +Specify file for client side public SSL certificate +T} +sslkey T{ +Specify file for client side private SSL key +T} auth[enticate] -A T{ Set preauthentication type (default `password') T} |
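Review bot: In README (hunk @@ -12,7), "end-to-end encryption" overstates the feature. The fetchmail.man text added in this same commit describes --ssl as encrypting "the connection to the mail server", which covers only the hop between fetchmail and that server. Suggest something like "Fetchmail also supports SSL-encrypted connections to the mail server using OpenSSL."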
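Review bot: In fetchmail-FAQ.html (hunk @@ -539,6, with the matching removal in @@ -574,17), the B1 entry about lex now lands immediately ahead of G11 instead of ahead of B2, so a build-problem entry sits among the G entries and the B series starts at B2. If the move is deliberate, the commit should say why; otherwise leave B1 where it was, directly before B2.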
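Review bot: In fetchmail-FAQ.html (hunk @@ -1193,7), the changed heading reads "fetchmail 4.4.2 to 4,4.7", with a comma in the version number, while the sentence right below it still says "4.4.2 through 4.4.7". This looks like a stray keystroke unrelated to the SSL change; restore "4.4.7".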
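Review bot: In fetchmail-FAQ.html (hunk @@ -1894,7), the R8 heading loses its opening <h2> but keeps the closing </h2>, which leaves the markup unbalanced and drops the heading style for that entry. Restore the line as <h2><a name="R8">R8. Fetchmail running as root stopped working after an OS upgrade</a></h2>.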
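Review bot: In fetchmail.man (hunk @@ -256,6), the --sslkey entry ends with "This can cause some complications in daemon mode" and never says what they are. Since the passphrase is "prompted for at the time just prior to establishing the session", the entry should state what happens when a detached daemon has no terminal to prompt on and what the user is expected to do instead. The --sslcert and --sslkey entries also repeat the same sentences about servers that require, request, or ignore a client certificate; stating that once under --sslcert and pointing to it from --sslkey would read better.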
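Review bot: In fetchmail.man (hunk @@ -669,6), the second added paragraph documents that a failed name or date check only prints a warning "but the connection continues", and that the certificate "does not need to be signed by any specific Certifying Authority", yet it leaves the reader to work out what that means. The text should say outright that --ssl as described encrypts the session against passive eavesdropping but does not authenticate the server, so credentials are still sent to whichever host answers. It would also help to say where the warning goes when fetchmail runs in daemon mode, since a user who never sees it cannot act on it.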
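Review bot: In fetchmail.man (hunk @@ -1020,6), the new ssl, sslcert and sslkey rows go straight from the keyword to the T{ description, while the neighbouring rows carry an option column ("port -P", "auth[enticate] -A"). Please confirm the option column is filled for these rows, either with the long options (--ssl, --sslcert, --sslkey) or with an explicit empty field, so the description does not render in the wrong column.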