-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | TODO.txt | 2 | ||||
-rw-r--r-- | fetchmail.man | 8 | ||||
-rw-r--r-- | imap.c | 9 | ||||
-rw-r--r-- | pop3.c | 18 |
5 files changed, 25 insertions, 14 deletions
@@ -104,6 +104,8 @@ fetchmail 6.3.5 (not yet released):
 * Keep syslog output at one line per message (this works if no errors occur).
 * Track getaddrinfo() results to properly free them after timeouts, reported by Uli Zappe. This MIGHT fix Debian Bug#294547 and Bug#377135.
+* Fetchmail in verbose mode now logs if it opportunistically upgrades a POP3
+ or IMAP connection to TLS security with STLS/STARTTLS.
 # CHANGES:
 * Rename all fetchmail-internal lock_* functions to fm_lock_*. Obsoletes
@@ -1,5 +1,3 @@
-- log/print warning if fetchmail uses TLS without configuration,
- to avoid users being surprised (see Debian Bug#294547).
 - allow full user@domain mappings in multidrop matching (is this perhaps a 6.4.0 issue?) see Andrew Longland-Meech's multidrop problems on fetchmail-users
diff --git a/fetchmail.man b/fetchmail.man
index 648f7e1b..adab35cc 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -401,12 +401,14 @@ server. This can cause some complications in daemon mode.
 .TP
 .B \-\-sslproto <name>
 (Keyword: sslproto)
-Forces an SSL protocol. Possible values are '\fBssl2\fR',
+Forces an SSL or TLS protocol. Possible values are '\fBssl2\fR',
 \&'\fBssl3\fR', '\fBssl23\fR', and '\fBtls1\fR'. Try this if the default handshake does not work for your server. To defeat automatic TLSv1 negotiation when the server advertises STARTTLS or STLS, use \fB''\fR or
-\&'\fBssl23\fR'. The default is to try appropriate protocols depending
-on context.
+\&'\fBssl23\fR'. This option, even if the argument is the empty string,
+will also suppress the diagnostic 'SERVER: opportunistic upgrade to
+TLS.' message in verbose mode. The default is to try appropriate
+protocols depending on context.
 .TP
 .B \-\-sslcertck
 (Keyword: sslcertck)
@@ -391,7 +391,9 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
 * not other SSL protocols
 */
 if (ok == PS_SUCCESS &&
-SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
+SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck,
+ctl->sslcertpath,ctl->sslfingerprint,
+realhost,ctl->server.pollname) == -1)
 {
 if (!ctl->sslproto && !ctl->wehaveauthed)
 {
@@ -402,7 +404,10 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
 report(stderr, GT_("SSL connection failed.\n"));
 return PS_SOCKET;
-}
+} else {
+if (outlevel >= O_VERBOSE && !ctl->sslproto)
+report(stdout, GT_("%s: opportunistic upgrade to TLS.\n"), realhost);
+}
 did_stls = TRUE;
 /*
@@ -449,21 +449,25 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
 ok = gen_transact(sock, "STLS");
 /* We use "tls1" instead of ctl->sslproto, as we want STLS,
-* not other SSL protocols
-*/
+* not other SSL protocols */
 if (ok == PS_SUCCESS &&
-SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck, ctl->sslcertpath,ctl->sslfingerprint,realhost,ctl->server.pollname) == -1)
+SSLOpen(sock,ctl->sslcert,ctl->sslkey,"tls1",ctl->sslcertck,
+ctl->sslcertpath,ctl->sslfingerprint,
+realhost,ctl->server.pollname) == -1)
 {
 if (!ctl->sslproto && !ctl->wehaveauthed)
 {
 ctl->sslproto = xstrdup("");
-/* repoll immediately */
-return(PS_REPOLL);
+/* repoll immediately without TLS */
+return PS_REPOLL;
 }
 report(stderr, GT_("SSL connection failed.\n"));
-return PS_SOCKET;
-}
+return PS_SOCKET;
+} else {
+if (outlevel >= O_VERBOSE && !ctl->sslproto)
+report(stdout, GT_("%s: opportunistic upgrade to TLS.\n"), realhost);
+}
 did_stls = TRUE;
 /* |
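Review bot: In the pop3_getauth hunk, and likewise in the second imap_getauth hunk, the new `else` branch is taken whenever the preceding `if` is false, which includes `ok != PS_SUCCESS` — the STLS/STARTTLS command was refused and SSLOpen() was never called — so verbose mode then prints "opportunistic upgrade to TLS." for a session that is still in cleartext (pop3.c visibly goes straight from `ok = gen_transact(sock, "STLS");` to that `if`; for imap.c the assignment is outside the hunk, so confirm no earlier return handles a refused STARTTLS there). Make the message conditional on the handshake actually having run: `} else if (ok == PS_SUCCESS) {`. In imap.c the `if` this `else` belongs to begins in the previous hunk, so the two hunks must be read together. Separately, the fallback path `ctl->sslproto = xstrdup(""); return PS_REPOLL;` still repolls without TLS at every outlevel without saying so; a `report(stderr, GT_("%s: opportunistic upgrade to TLS failed, retrying without TLS.\n"), realhost);` before the `return PS_REPOLL;` would give the downgrade the same visibility this commit gives the upgrade.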