Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 18 |
1 files changed, 10 insertions, 8 deletions
@@ -93,21 +93,19 @@ fetchmail-6.4.22 (not yet released): fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection. - - Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on - a dedicated port (default 993): use --ssl. - - Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why + Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on + a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile. + Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail. * On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation. -* On IMAP connections, do not permit to override a server-side LOGINDISABLED - with --auth password any more. +* On IMAP connections, fetchmail does not permit overriding a server-side + LOGINDISABLED with --auth password any more. * On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation. -* For POP3 connections, RPA is only attempted if the authentication type is any. +* For POP3 connections, only attempt RPA if the authentication type is "any". # BUG FIXES: * On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the 
@@ -138,6 +136,10 @@ fetchmail-6.4.22 (not yet released): * For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x") +* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 + recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, + placing --sslproto tls1.2+ more prominently. + The defaults shall not change between 6.4.X releases for compatibility. -------------------------------------------------------------------------------- fetchmail-6.4.21 (released 2021-08-09, 30042 LoC): |
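Review bot: In the first hunk (@@ -93,21 +93,19 @@), the two reworded bullets end up in different voices. The LOGINDISABLED bullet gains a subject ("fetchmail does not permit overriding ...") while the RPA bullet goes from declarative to imperative ("only attempt RPA if ..."). The neighbouring bullets use "no longer prevents", so "fetchmail no longer permits overriding a server-side LOGINDISABLED with --auth password" and "RPA is only attempted if the authentication type is "any"" would read consistently. Separately, the two blank lines removed around the Recommendation paragraph have no added counterpart, so the description of the fix, the --ssl recommendation and the "Reported by:" credit now run together. Keeping a blank line before "Recommendation" and before "Reported by:" would keep the three distinguishable.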
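Review bot: In the second hunk (@@ -138,6 +136,10 @@), the added line "The defaults shall not change between 6.4.X releases for compatibility." does not say what a user has to do as a result. Someone reading only NEWS could conclude that the documentation update means Implicit TLS and TLS v1.2 or newer are now in effect. Suggest stating explicitly that the recommended behaviour applies only when --ssl/ssl and --sslproto tls1.2+ are configured, and that only the documentation changed, not the defaults. "shall not" can also be read as either a promise or a requirement; "will not" is unambiguous. Minor: "RFC-8314/8996/8997" would be easier to search for as "RFC 8314, RFC 8996 and RFC 8997".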