| -rw-r--r-- | NEWS | 6 | ||||
| -rw-r--r-- | env.c | 3 | ||||
| -rw-r--r-- | fetchmail-FAQ.html | 48 | ||||
| -rw-r--r-- | fetchmail.c | 25 | ||||
| -rw-r--r-- | fetchmail.h | 11 | ||||
| -rw-r--r-- | fetchmail.man | 91 | ||||
| -rw-r--r-- | imap.c | 60 | ||||
| -rw-r--r-- | options.c | 12 | ||||
| -rw-r--r-- | rcfile_l.l | 5 | ||||
| -rw-r--r-- | rcfile_y.y | 7 | 
10 files changed, 112 insertions, 156 deletions
| @@ -5,6 +5,12 @@  * CRAM-MD5 authentication of IMAP and POP3 is working.  Tested against     IMAP4rev1 2000.287 and v2000.70 POP3 gateway at neo.netnea.com.  * Full support for POP3 AUTH (RFC1734) with KERBEROS_IV, GSSAPI, OTP. +  This code has been completely refactored.  In the process, it is +  possible I have broken GSSAPI and OPIE; this needs to be tested. +  The old IMAP-LOGIN, IMAP-GSS, and IMAP-K4 protocols are gone; fetchmail +  now uses these automatically when it detects the right capabilities. +  To prevent having fetchmail  look for a password, specify a "preauth" +  option other than "password".  * Noted that Debian bugs #78963, #63064, #81312, #78796, #78363, #78149,    #68627, #67559, #63308, #63088, #71428 are fixed.  * Resolved Debian bug #65505: fetchmail now returns a nonzero exit status @@ -206,12 +206,9 @@ const char *showproto(int proto)  #endif /* POP2_ENABLE */      case P_POP3: return("POP3");      case P_IMAP: return("IMAP"); -    case P_IMAP_K4: return("IMAP-K4");  #ifdef GSSAPI      case P_IMAP_GSS: return("IMAP-GSS");  #endif /* GSSAPI */ -    case P_IMAP_CRAM_MD5: return("IMAP-LOGIN"); -    case P_IMAP_LOGIN: return("IMAP-LOGIN");      case P_APOP: return("APOP");      case P_RPOP: return("RPOP");      case P_ETRN: return("ETRN"); diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index d4d0123e..84d06ae9 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@  <table width="100%" cellpadding=0><tr>  <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>  <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 2001/02/10 21:24:24 $ +<td width="30%" align=right>$Date: 2001/02/11 23:26:07 $  </table>  <HR>  <H1>Frequently Asked Questions About Fetchmail</H1> 
@@ -352,7 +352,7 @@ on the Web with a search for that title.<p>  <hr>  <h2><a name="G7">G7. What is the best server to use with fetchmail?</a></h2> -The short answer: IMAP4rev1 running over Unix.<P> +The short answer: IMAP 2000 running over Unix.<P>  Here's a longer answer: <P> @@ -374,7 +374,12 @@ the fetchmailconf utility).<P>  If you have the option, we recommend using or installing an IMAP4rev1  server; it has the best facilities for tracking message `seen' states.  It also recovers from interrupted connections more gracefully than -POP3, and enables some significant performance optimizations.<P> +POP3, and enables some significant performance optimizations.  The new +<a href="ftp://ftp.cac.washington.edu/imap/imap.tar.Z">IMAP 2000</a> +is particularly nice, as it supports CRAM-MD5 so you don't have to +ship your mail password over the net en clair (fetchmail autodetects +this capability).  Older versions had support for GSSAPI giving a +similar effect, .<P>  Don't be fooled by NT/Exchange propaganda.  M$ Exchange is just plain  broken (see item <a href="#S2">S2</a>) and NT cannot handle the @@ -384,13 +389,6 @@ over Solaris!  For extended discussion, see John Kirch's excellent <a  href="http://unix-vs-nt.org/kirch/">white paper</a> on Unix  vs. NT performance.<P> -You can find sources for IMAP software at <a -href="http://www.imap.org">The IMAP Connection</a>; we like the -open-source <a href="ftp://ftp.cac.washington.edu/imap/">UW IMAP</a> -server, which is the reference implementation of IMAP.  UW IMAP's -support for GSSAPI gives you a good way to authenticate without -sending a password en clair.<P> -  Source for a high-quality supported implementation of POP is available  from the <a href="ftp://ftp.qualcomm.com/eudora/servers/unix/popper/">Eudora  FTP site</a>.  Don't use 2.5, which has a rather restrictive license. 
@@ -462,7 +460,11 @@ response to a CAPABILITY query).  Do a <code>fetchmail -v</code>  to see these, or telnet direct to the server port (110 for POP3, 143 for  IMAP).<P> -The facility you are most likely to have available is APOP.  This is a +If your mailserver is using IMAP 2000, you'll have CRAM-MD5 support +built in.  Fetchmail autodetects this; you can skip the rest of this +section.<P> + +The POP3 facility you are most likely to have available is APOP.  This is a  POP3 feature supported by many servers (fetchmailconf's autoprobe  facility will detect it and tell you if you have it).  If you see  something in the greeting line that looks like an @@ -478,12 +480,12 @@ Alternatively, you may have Kerberos available. This may require you  to set up some magic files in your home directory on your client  machine, but means you can omit specifying any password at all.<P> -Fetchmail supports two different Kerberos schemes.  One is a -POP3 variant called KPOP; consult the documentation of your mail -server to see if you have it (one clue is the string "krb-IV" in the -greeting line on port 110).  The other is an IMAP facility described -by RFC1731. You can tell if this one is present by looking for -AUTH=KERBEROS_V4 in the CAPABILITY response.<P> +Fetchmail supports two different Kerberos schemes.  One is a POP3 +variant called KPOP; consult the documentation of your mail server to +see if you have it (one clue is the string "krb-IV" in the greeting +line on port 110).  The other is an IMAP and POP3 facility described +by RFC1731 and RFC1734. You can tell if this one is present by looking +for AUTH=KERBEROS_V4 in the CAPABILITY response.<P>  If you are fetching mail from a CompuServe POP3 account, you can use  their RPA authentication (which works much like APOP).  See <a 
@@ -498,14 +500,6 @@ and your fetchmail was built with OPIE support compiled in (see the  distribution INSTALL file), fetchmail will detect it also.  When using  OTP, you will specify a password but it will not be sent en clair.<P> -Sadly, there is at present (September 1999) no OTP or APOP-like -facility generally available on IMAP servers.  However, there do exist -patches which will OTP-enable the University of Washington IMAP -daemon, version 4.2-FINAL.  We have a report that the GSSAPI support -in fetchmail works with the GSSAPI support in the most recent version -of UW IMAP.  Or you can use <a href="#K5">SSL</a> for complete -end-to-end encryption if you have an SSL-enabled mailserver.<P> -  You can get both POP3 and IMAP OTP patches from <a name="cmetz">Craig  Metz</A> at <a  href="http://www.inner.net/pub/">http://www.inner.net/pub/</a>.<P> @@ -514,6 +508,8 @@ there is not currently a standard way to do this; fetchmail also uses  this method, so the two will interoperate happily.  They better,  because this is how Craig gets his mail ;-)<P> +Finally, you can use <a href="#K5">SSL</a> for complete +end-to-end encryption if you have an SSL-enabled mailserver.<P>  <hr>  <h2><a name="G10">G10. Is any special configuration needed to use a dynamic IP address?</a></h2> @@ -2967,7 +2963,7 @@ switching to IMAP and using a short expunge interval.<p>  <table width="100%" cellpadding=0><tr>  <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>  <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 2001/02/10 21:24:24 $ +<td width="30%" align=right>$Date: 2001/02/11 23:26:07 $  </table>  <P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com"><esr@snark.thyrsus.com></A></ADDRESS> diff --git a/fetchmail.c b/fetchmail.c index 3b06594d..9e42335a 100644 --- a/fetchmail.c +++ b/fetchmail.c 
@@ -323,13 +323,7 @@ int main(int argc, char **argv)      {  	if (ctl->active && !(implicitmode && ctl->server.skip)&&!ctl->password)  	{ -	    if (ctl->server.preauthenticate == A_KERBEROS_V4 || -			ctl->server.preauthenticate == A_KERBEROS_V5 || -			ctl->server.preauthenticate == A_SSH || -#ifdef GSSAPI -			ctl->server.protocol == P_IMAP_GSS || -#endif /* GSSAPI */ -			ctl->server.protocol == P_IMAP_K4) +	    if (ctl->server.preauthenticate != A_PASSWORD)  		/* Server won't care what the password is, but there  		   must be some non-null string here.  */  		ctl->password = ctl->remotename; @@ -499,11 +493,7 @@ int main(int argc, char **argv)      for (ctl = querylist; ctl; ctl = ctl->next)      {  	if (ctl->active && !(implicitmode && ctl->server.skip) -		&& ctl->server.protocol != P_ETRN -		&& ctl->server.protocol != P_IMAP_K4 -#ifdef GSSAPI -		&& ctl->server.protocol != P_IMAP_GSS -#endif /* GSSAPI */ +		&& ctl->server.preauthenticate == A_PASSWORD  		&& !ctl->password)  	{  	    if (!isatty(0)) @@ -1486,9 +1476,6 @@ static int query_host(struct query *ctl)  #endif /* POP3_ENABLE */  	break;      case P_IMAP: -    case P_IMAP_K4: -    case P_IMAP_CRAM_MD5: -    case P_IMAP_LOGIN:  #ifdef GSSAPI      case P_IMAP_GSS:  #endif /* GSSAPI */ 
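Review bot: ETRN hosts appear to lose their exemption from the password prompt in the second main() hunk (`@@ -499`), where `ctl->server.protocol != P_ETRN` is dropped in favour of `ctl->server.preauthenticate == A_PASSWORD`. `A_PASSWORD` is 0 in fetchmail.h, so unless ETRN entries are given a non-password preauthenticate value somewhere outside this diff, an ETRN entry with no password now reaches the `!isatty(0)` check and the prompt. Keeping both tests avoids that: `&& ctl->server.protocol != P_ETRN && ctl->server.preauthenticate == A_PASSWORD`. The loop body continues outside the hunk.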
@@ -1578,14 +1565,16 @@ static void dump_params (struct runctl *runp,  		   ctl->server.skip ? _("will not") : _("will"));  	/*  	 * Don't poll for password when there is one or when using the ETRN -	 * or IMAP-GSS protocol +	 * or GSSAPI or KERBEROS protocol  	 */  	/* ETRN, IMAP_GSS, and IMAP_K4 do not need a password, so skip this */  	if ( (ctl->server.protocol != P_ETRN)  #ifdef GSSAPI -				&& (ctl->server.protocol != P_IMAP_GSS) +			&& (ctl->server.preauthenticate != A_GSSAPI)  #endif /* GSSAPI */ -       				&& (ctl->server.protocol != P_IMAP_K4) ) { +       			&& (ctl->server.preauthenticate != A_KERBEROS_V4)  +       			&& (ctl->server.preauthenticate != A_KERBEROS_V5))  +	{  		if (!ctl->password)  			printf(_("  Password will be prompted for.\n"));  		else if (outlevel >= O_VERBOSE) diff --git a/fetchmail.h b/fetchmail.h index 3f931bf2..dbc386d4 100644 --- a/fetchmail.h +++ b/fetchmail.h @@ -12,12 +12,8 @@  #define		P_APOP		4  #define		P_RPOP		5  #define		P_IMAP		6 -#define		P_IMAP_K4	7 -#define		P_IMAP_GSS	8 -#define		P_IMAP_CRAM_MD5	9 -#define		P_IMAP_LOGIN	10 -#define		P_ETRN		11 -#define		P_ODMR		12 +#define		P_ETRN		7 +#define		P_ODMR		8  #if INET6_ENABLE  #define		SMTP_PORT	"smtp" @@ -36,7 +32,8 @@  #define		A_PASSWORD	0	/* password or inline authentication */  #define		A_KERBEROS_V4	1	/* preauthenticate w/ Kerberos V4 */  #define		A_KERBEROS_V5	2	/* preauthenticate w/ Kerberos V5 */ -#define		A_SSH		3	/* preauthentication at session level */ +#define 	A_GSSAPI	3	/* preauthenticate with GSSAPI */ +#define		A_SSH		4	/* preauthentication at session level */  /*   * Definitions for buffer sizes.  We get little help on setting maxima diff --git a/fetchmail.man b/fetchmail.man index 75713762..db1444aa 100644 --- a/fetchmail.man +++ b/fetchmail.man 
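Review bot: The password-display test in dump_params now disagrees with main(): main() treats every `preauthenticate != A_PASSWORD` as passwordless, while this condition lists only GSSAPI and the two Kerberos values and omits `A_SSH`, so an ssh-preauthenticated entry (whose password main() fills with the remote name) still takes the password branch. The `A_GSSAPI` test also stays wrapped in `#ifdef GSSAPI` although fetchmail.h defines the constant unconditionally. One test would match main(): `if (ctl->server.protocol != P_ETRN && ctl->server.preauthenticate == A_PASSWORD)`. The retained comment naming `IMAP_GSS` and `IMAP_K4` refers to protocols this commit removes and could become `/* ETRN and any non-password preauthentication need no password */`. dump_params continues outside the hunk.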
@@ -177,7 +177,7 @@ Post Office Protocol 2  .IP POP3  Post Office Protocol 3  .IP APOP -Use POP3 with MD5 authentication. +Use POP3 with old-fashioned MD5-challenge authentication.  .IP RPOP  Use POP3 with RPOP authentication.  .IP KPOP @@ -186,19 +186,6 @@ Use POP3 with Kerberos V4 preauthentication on port 1109.  Use POP3 with Demon Internet's SDPS extensions.  .IP IMAP  IMAP2bis, IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities). -.IP IMAP-K4 -IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities) -with RFC 1731 Kerberos v4 preauthentication. -.IP IMAP-GSS -IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities) -with RFC 1731 GSSAPI preauthentication. -.IP IMAP-CRAMMD5 -IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities) -with RFC 2195 CRAM-MD5 authentication. -.IP IMAP-LOGIN -IMAP4, or IMAP4rev1 (\fIfetchmail\fR autodetects their capabilities) -with plain LOGIN authentication only, even if the server supports -better methods.  .IP ETRN  Use the ESMTP ETRN option.  .IP ODMR 
@@ -511,16 +498,18 @@ fetchmail runs with the effective GID set to that of the kmem group  when interface data is being collected.  .TP  .B --preauth <type> -(Keyword: preauth[enticate])  +(Keyword: preauth[enticate])  This option permits you to specify a preauthentication type (see USER  AUTHENTICATION below for details).  The possible values are  \&`\fBpassword\fR', `\fBkerberos_v5\fR' and `\fBkerberos\fR' (or, for -excruciating exactness, `\fBkerberos_v4\fR'), and \fBssh\fR.  Use -\fBssh\fR to suppress fetchmail's normal inquiry for a password when -you are using an end-to-end secure connection such as an ssh tunnel. -Other values of this option are provided primarily for developers; -choosing KPOP protocol automatically selects Kerberos -preauthentication, and all other alternatives use password +excruciating exactness, `\fBkerberos_v4\fR'), \fRgssapi\fR, and +\fBssh\fR.  Any value other than "password" suppresses fetchmail's +normal inquiry for a password.  Specify \fBssh\fR when you are using +an end-to-end secure connection such as an ssh tunnel; specify +\fRgssapi\fR or \fBkerberos_v4\fR if you are using a protocol variant +that employs GSSAPI or K4.  Other values of this option are provided +primarily for developers; choosing KPOP protocol automatically selects +Kerberos preauthentication, and all other alternatives use password  authentication (though APOP uses a generated one-time key as the  password and IMAP-K4 uses RFC1731 Kerberos v4 authentication).  This  option does not work with ETRN or ODMR. 
@@ -696,21 +685,19 @@ the server greeting time to the server, which can verify it by  checking its authorization database.   .PP  If your \fIfetchmail\fR was built with Kerberos support and you specify  -Kerberos preauthentication (either with --auth or the \fI.fetchmailrc\fR +Kerberos preauthentication (either with --preauth or the \fI.fetchmailrc\fR  option \fBauthenticate kerberos_v4\fR) it will try to get a Kerberos  ticket from the mailserver at the start of each query.  Note: if  either the pollnane or via name is `hesiod', fetchmail will try to use  Hesiod to look up the mailserver.  .PP -If you use IMAP-K4, \fIfetchmail\fR will expect the IMAP server to have -RFC1731-conformant AUTHENTICATE KERBEROS_V4 capability, and will use it. -.PP -If you use IMAP-GSS, \fIfetchmail\fR will expect the IMAP server to have -RFC1731-conformant AUTHENTICATE GSSAPI capability, and will use it.  -Currently this has only been tested over Kerberos V, so you're expected -to already have a ticket-granting ticket. You may pass a username different -from your principal name using the standard \fB--user\fR command or by -the \fI.fetchmailrc\fR option \fBuser\fR. +If you use POP3 or IMAP with GSSAPI preauthentication, \fIfetchmail\fR will +expect the server to have RFC1731- or RFC1734-conformant GSSAPI +capability, and will use it.  Currently this has only been tested over +Kerberos V, so you're expected to already have a ticket-granting +ticket. You may pass a username different from your principal name +using the standard \fB--user\fR command or by the \fI.fetchmailrc\fR +option \fBuser\fR.  .PP  If your IMAP daemon returns the PREAUTH response in its greeting line,   fetchmail will notice this and skip the normal authentication step. 
@@ -1158,7 +1145,7 @@ Specify DNS name of mailserver, overriding poll name  T}  proto[col]	-p	T{  Specify protocol (case insensitive): -POP2, POP3, IMAP, IMAP-K4, IMAP-GSS, APOP, KPOP +POP2, POP3, IMAP, APOP, KPOP  T}  local[domains]	\&	T{  Specify domain(s) to be regarded as local @@ -1221,7 +1208,7 @@ netsec   	\&	T{  Pass in IPsec security option request.  T}  principal   	\&	T{ -Set Kerberos principal (only useful with imap-k4) +Set Kerberos principal (only useful with imap and kerberos)  T}  .TE @@ -1584,20 +1571,17 @@ Legal protocol identifiers for use with the `protocol' keyword are:      pop3 (or POP3)      sdps (or SDPS)      imap (or IMAP) -    imap-k4 (or IMAP-K4) -    imap-gss (or IMAP-GSS) -    imap-crammd5 (or IMAP-CRAMMD5) -    imap-login (or IMAP-LOGIN)      apop (or APOP)      kpop (or KPOP)  .PP -Legal authentication types are `password' or `kerberos'.  The former -specifies authentication by normal transmission of a password (the -password may be plaintext or subject to protocol-specific encryption -as in APOP); the second tells \fIfetchmail\fR to try to get a Kerberos -ticket at the start of each query instead, and send an arbitrary -string as the password. +Legal authentication types are `password', `kerberos', and `gssapi'. +The `password' type specifies authentication by normal transmission of a +password (the password may be plaintext or subject to +protocol-specific encryption as in APOP); `kerberos' tells +\fIfetchmail\fR to try to get a Kerberos ticket at the start of each +query instead, and send an arbitrary string as the password; and +`gssapi' tells fetchmail to use GSSAPI authentication.  .PP  Specifying `kpop' sets POP3 protocol over port 1109 with Kerberos V4  preauthentication.  These defaults may be overridden by later options. 
@@ -2049,16 +2033,17 @@ mailserver-side filter that consolidates the contents of all envelope  headers into a single one (procmail, mailagent, or maildrop can be  programmed to do this fairly easily).  .PP -Use of any of the supported protocols other than POP3 with OTP or RPA, -APOP, KPOP, IMAP-K4, IMAP-GSS, IMAP-CRAMMD5, or ETRN requires that the -program send unencrypted passwords over the TCP/IP connection to the -mailserver.  This creates a risk that name/password pairs might be -snaffled with a packet sniffer or more sophisticated monitoring -software.  Under Linux and FreeBSD, the --interface option can be used -to restrict polling to availability of a specific interface device -with a specific local or remote IP address, but snooping is still -possible if (a) either host has a network device that can be opened -in promiscuous mode, or (b) the intervening network link can be tapped. +Use of some of these protocols (POP2, POP3, or POP4 with the password +authentication type, if the server doesn't have CRAM-MD5 capability) +requires that the program send unencrypted passwords over the TCP/IP +connection to the mailserver.  This creates a risk that name/password +pairs might be snaffled with a packet sniffer or more sophisticated +monitoring software.  Under Linux and FreeBSD, the --interface option +can be used to restrict polling to availability of a specific +interface device with a specific local or remote IP address, but +snooping is still possible if (a) either host has a network device +that can be opened in promiscuous mode, or (b) the intervening network +link can be tapped.  .PP  Use of the %F or %T escapes in an mda option could open a security  hole, because they pass text manipulable by an attacker to a shell 
@@ -276,27 +276,20 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)          return(PS_SUCCESS);      } -#if OPIE_ENABLE -    if ((ctl->server.protocol == P_IMAP) && strstr(capabilities, "AUTH=X-OTP")) -    { -	if (outlevel >= O_DEBUG) -	    report(stdout, _("OTP authentication is supported\n")); -	if (do_otp(sock, ctl) == PS_SUCCESS) -	    return(PS_SUCCESS); -    }; -#endif /* OPIE_ENABLE */ - +    /* +     * OK, now try the protocol variants that don't require passwords first. +     */  #ifdef GSSAPI      if (strstr(capabilities, "AUTH=GSSAPI"))      { -        if (ctl->server.protocol == P_IMAP_GSS) +        if (ctl->server.preauthenticate == A_GSSAPI)          {              if (outlevel >= O_DEBUG)                  report(stdout, _("GSS authentication is supported\n"));              return do_gssauth(sock, ctl->server.truename, ctl->remotename);          }      } -    else if (ctl->server.protocol == P_IMAP_GSS) +    else if (ctl->server.preauthenticate == P_IMAP_GSS)      {          report(stderr,   	       _("Required GSS capability not supported by server\n")); 
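Review bot: The fallback test `else if (ctl->server.preauthenticate == P_IMAP_GSS)` compares the preauthentication field with a protocol constant that this commit deletes from fetchmail.h, so a GSSAPI build should no longer compile unless the name is defined elsewhere, and the test would not mean "GSSAPI was required" even if it did. This branch is the fail-closed path: without it, a user who asked for GSSAPI against a server that does not advertise `AUTH=GSSAPI` continues to the later mechanisms instead of getting the "Required GSS capability not supported by server" failure. It should read `else if (ctl->server.preauthenticate == A_GSSAPI)`. The same removed constant survives as a `case P_IMAP_GSS:` label under `#ifdef GSSAPI` in showproto (env.c) and query_host (fetchmail.c), and those labels need deleting too. imap_getauth starts and ends outside this hunk.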
@@ -310,43 +303,47 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)  	if (outlevel >= O_DEBUG)  	    report(stdout, _("KERBEROS_V4 authentication is supported\n")); -	if (ctl->server.protocol == P_IMAP_K4) +	if (ctl->server.preauthenticate == A_KERBEROS_V4)  	{  	    if ((ok = do_rfc1731(sock, "AUTHENTICATE", ctl->server.truename)))  		/* SASL cancellation of authentication */  		gen_send(sock, "*"); -	      	    return(ok);  	}  	/* else fall through to ordinary AUTH=LOGIN case */      } -    else if (ctl->server.protocol == P_IMAP_K4) +    else if (ctl->server.preauthenticate == A_KERBEROS_V4)      { -	report(stderr,  +        report(stderr,   	       _("Required KERBEROS_V4 capability not supported by server\n")); -	return(PS_AUTHFAIL); +        return(PS_AUTHFAIL);      }  #endif /* KERBEROS_V4 */ +    /* +     * No such luck.  OK, now try the variants that mask your password +     * in a challenge-response. +     */ +      if (strstr(capabilities, "AUTH=CRAM-MD5"))      {          if (outlevel >= O_DEBUG) -            report (stdout, _("CRAM-MD5 authentication is supported\n")); -        if (ctl->server.protocol != P_IMAP_LOGIN) -        { -            if ((ok = do_cram_md5 (sock, "AUTHENTICATE", ctl))) -		/* SASL cancellation of authentication */ -		gen_send(sock, "*"); - -            return(ok); -        } +            report(stdout, _("CRAM-MD5 authentication is supported\n")); +	if ((ok = do_cram_md5 (sock, "AUTHENTICATE", ctl))) +	    /* SASL cancellation of authentication */ +	    gen_send(sock, "*"); +	return(ok);      } -    else if (ctl->server.protocol == P_IMAP_CRAM_MD5) + +#if OPIE_ENABLE +    if (strstr(capabilities, "AUTH=X-OTP"))      { -        report(stderr, -               _("Required CRAM-MD5 capability not supported by server\n")); -        return(PS_AUTHFAIL); -    } +	if (outlevel >= O_DEBUG) +	    report(stdout, _("OTP authentication is supported\n")); +	if (do_otp(sock, ctl) == PS_SUCCESS) +	    return(PS_SUCCESS); +    
}; +#endif /* OPIE_ENABLE */  #ifdef NTLM_ENABLE      if (strstr (capabilities, "AUTH=NTLM")) @@ -366,6 +363,7 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)      };  #endif /* __UNUSED__ */ +    /* we're stuck with sending the password en clair */      {  	/* these sizes guarantee no buffer overflow */  	char	remotename[NAMELEN*2+1], password[PASSWORDLEN*2+1]; @@ -358,18 +358,6 @@ struct query *ctl;	/* option record to be initialized */  	    }  	    else if (strcasecmp(optarg,"imap") == 0)  		ctl->server.protocol = P_IMAP; -#ifdef KERBEROS_V4 -	    else if (strcasecmp(optarg,"imap-k4") == 0) -		ctl->server.protocol = P_IMAP_K4; -#endif /* KERBEROS_V4 */ -#ifdef GSSAPI -	    else if (strcasecmp(optarg, "imap-gss") == 0) -                ctl->server.protocol = P_IMAP_GSS; -#endif /* GSSAPI */ -	    else if (strcasecmp(optarg, "imap-crammd5") == 0) -                ctl->server.protocol = P_IMAP_CRAM_MD5; -	    else if (strcasecmp(optarg, "imap-login") == 0) -                ctl->server.protocol = P_IMAP_LOGIN;  	    else if (strcasecmp(optarg,"etrn") == 0)  		ctl->server.protocol = P_ETRN;  	    else { @@ -83,6 +83,7 @@ service		{ return SERVICE; }  port		{ return PORT; }  interval	{ return INTERVAL; }  preauth(enticate)?	{ SETSTATE(PREAUTH); return PREAUTHENTICATE; } +gssapi		{ SETSTATE(0); return GSSAPI; }  kerberos(_v)?4	{ SETSTATE(0); return KERBEROS4; }  kerberos(_v)?5	{ SETSTATE(0); return KERBEROS5; }  kerberos	{ SETSTATE(0); return KERBEROS; } 
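Review bot: After the `@@ -310` hunk nothing lets a user require a challenge-response mechanism: the `Required CRAM-MD5 capability not supported by server` failure is removed, so when the CAPABILITY response lacks `AUTH=CRAM-MD5`, whether by server configuration or because the unencrypted response was altered in transit, imap_getauth carries on toward the LOGIN path that the next hunk labels "en clair". Kerberos V4 keeps its required-capability failure, so the mechanisms are now inconsistent. At minimum document it where the fallback happens, e.g. `/* no AUTH=CRAM-MD5 advertised: falls back to cleartext LOGIN; challenge-response cannot be required */`, and consider a configuration value that turns the fallback into PS_AUTHFAIL. Separately, the CRAM-MD5 branch returns `ok` on failure as well, so OTP and NTLM are never tried once CRAM-MD5 is advertised. imap_getauth starts and ends outside the hunk.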
@@ -174,10 +175,6 @@ options		{/* EMPTY */}  (pop2)|(POP2)	{ yylval.proto = P_POP2;  return PROTO; }  (sdps)|(SDPS)   { return SDPS; }  (pop3)|(POP3)	{ yylval.proto = P_POP3;  return PROTO; } -(imap-k4)|(IMAP-K4)   { yylval.proto = P_IMAP_K4;  return PROTO; } -(imap-gss)|(IMAP-GSS) { yylval.proto = P_IMAP_GSS;  return PROTO; } -(imap-crammd5)|(IMAP-CRAMMD5) { yylval.proto = P_IMAP_CRAM_MD5;  return PROTO; } -(imap-login)|(IMAP-LOGIN) { yylval.proto = P_IMAP_LOGIN;  return PROTO; }  (imap)|(IMAP)	{ yylval.proto = P_IMAP;  return PROTO; }  (apop)|(APOP)   { yylval.proto = P_APOP;  return PROTO; }  (etrn)|(ETRN)   { yylval.proto = P_ETRN;  return PROTO; } @@ -59,8 +59,8 @@ extern char * yytext;  }  %token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL -%token PREAUTHENTICATE TIMEOUT KPOP SDPS KERBEROS4 KERBEROS5 KERBEROS SSH -%token ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA BSMTP LMTP +%token PREAUTHENTICATE TIMEOUT KPOP SDPS KERBEROS4 KERBEROS5 KERBEROS GSSAPI +%token SSH ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA BSMTP LMTP  %token SMTPADDRESS SMTPNAME SPAMRESPONSE PRECONNECT POSTCONNECT LIMIT WARNINGS  %token NETSEC INTERFACE MONITOR PLUGIN PLUGOUT  %token IS HERE THERE TO MAP WILDCARD @@ -191,6 +191,9 @@ serv_option	: AKA alias_list  		    current.server.preauthenticate = A_KERBEROS_V4;  #endif /* KERBEROS_V5 */  		} +                | PREAUTHENTICATE GSSAPI         { +		    current.server.preauthenticate = A_GSSAPI; +		}                  | PREAUTHENTICATE SSH 	{current.server.preauthenticate = A_SSH;}  		| TIMEOUT NUMBER	{current.server.timeout = $2;} | 
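Review bot: The new `PREAUTHENTICATE GSSAPI` rule assigns `A_GSSAPI` unconditionally, while the imap.c hunks in this commit only act on that value inside `#ifdef GSSAPI`. As far as this diff shows, a build without GSSAPI would accept `preauth gssapi`, main() would substitute the remote name for the password, and authentication would continue with the password-based mechanisms instead of stopping with a clear configuration error. Consider rejecting the keyword when support is not compiled in, for example by wrapping the assignment in `#ifdef GSSAPI` with an `#else` branch that reports an error, as the neighbouring Kerberos rules appear to be conditionally compiled. The serv_option rule list continues outside the hunk.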
