path: root/README.SSL
Diffstat (limited to 'README.SSL')
-rw-r--r--README.SSL81
1 files changed, 52 insertions, 29 deletions
diff --git a/README.SSL b/README.SSL
index ba3de41a..c7c77452 100644
--- a/README.SSL
+++ b/README.SSL
@@ -12,56 +12,79 @@ setup.
In case of troubles, mail the README.SSL-SERVER file to your ISP and
have them check their server configuration against it.
-Note that fetchmail up to version 6.3.26 confused SSL/TLS protocol levels with
-whether a service needs to use in-band negotiation (STLS/STARTTLS for
-POP3/IMAP4) or is totally SSL-wrapped on a separate port.
+Note that fetchmail up to version 6.3.26 used to confuse SSL/TLS protocol
+levels with whether a service needs to use in-band negotiation (STLS/STARTTLS
+for POP3/IMAP4) or is totally SSL-wrapped ("Implicit TLS") on a separate port.
+Fetchmail 6.4 seeks to fix that to some extent without breaking the
+command-line and rcfile interfaces too much (see --ssl and --sslproto options,
+below and in the manual).
-Also, fetchmail 6.4.0 and newer releases changed some of the semantics
-as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only.
-If your server does not support this, you may have to specify --sslproto
-ssl3+. This is in order to prefer the newer TLS protocols, because SSLv2
-and v3 are broken.
+fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only.
-Finally, due to other defaults changing, and several mail services not
-supporting in-band negotiation of SSL or TLS by means of STLS or STARTTLS,
-you may need to add ssl or --ssl to your configuration.
+Fetchmail 6.4.38 supports OpenSSL 3.0.9, 3.1.4, and WolfSSL 5.6.6 or newer,
+and might support OpenSSL 3.2.0 or newer.
+Fetchmail may compile against end-of-life (EOL) OpenSSL 1.x.y versions,
+but these are unsupported by the fetchmail maintainer.
+It is expected that the user only uses a supported SSL library that receives
+security fixes and is kept up to date.
- -- Matthias Andree, 2021-03-29
+Note that WolfSSL 5 is a bit less flexible about its trust store,
+see INSTALL chapter 2.1 for details.
+
+Note that many messages printed by fetchmail will print "OpenSSL"
+even if wolfSSL is being used. Reason is that fetchmail uses
+wolfSSL's OpenSSL compatibility layer and not the native wolfSSL API.
+
+ -- Matthias Andree, 2024-01-31
Quickstart
----------
-Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get
-TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and
-fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1.
+Use an up-to-date release of OpenSSL v3.0/v3.1 or wolfSSL 5.5 or
+newer, so as to get TLSv1.3 support and latest fixes. Older OpenSSL versions
+are unsupported upstream, and fetchmail rejects versions before v1.0.2f and
+warns about versions before 3.0.13.
+
+wolfSSL needs to be configured with --enable-opensslall --enable-harden,
+else some required OpenSSL APIs are missing, especially for SNI (server name
+indication), which is required to fetch mail from Google and some other mail
+server providers.
In all four examples below, the (--)sslcertck has become redundant
-since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation
-for a while, we'll leave it here to be safe.
+since fetchmail v6.4.0, but since fetchmail 6.3 releases will be in circulation
+for too long, (--)sslcertck will remain in the examples below for now.
-For use of SSL or TLS with in-band negotiation on the regular service's port,
-i. e. with STLS or STARTTLS, use these command line options
+For use of SSL or TLS on a separate port (recommended), called Implicit TLS,
+the whole TCP connection is SSL-encrypted from the very beginning (SSL- or
+TLS-wrapped), use these command line options (in the rcfile,
+omit all leading "--"):
- --sslproto auto --sslcertck
+ --ssl --sslproto tls1.2+ --sslcertck
or these options in the rcfile (after the respective "user"... options)
- sslproto auto sslcertck
-
+ ssl sslproto tls1.2+ sslcertck
-Note that some services do not offer STLS or STARTTLS, but most do
-offer SSL or TLS on a separate, dedicated, "secure" port:
-For use of SSL or TLS on a separate port, if the whole TCP connection is
-SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these
-command line options (in the rcfile, omit all leading "--"):
+For use of SSL or TLS with in-band negotiation on the regular service's port,
+i. e. with STLS or STARTTLS, use these command line options (omitting --ssl or
+ssl):
- --ssl --sslproto auto --sslcertck
+ --sslproto tls1.2+ --sslcertck
or these options in the rcfile (after the respective "user"... options)
- ssl sslproto auto sslcertck
+ sslproto tls1.2+ sslcertck
+
+
+With recent software on the server, you can alternatively configure tls1.3+.
+
+For some older services, you may need to use tls1.1+ or tls1+ for compatibility
+instead of the tls1.2+ above. In such situations, you should ask the service
+provider or server operator to upgrade their TLS implementation such that
+TLS v1.3 be supported, and once that happens, update your fetchmail configuration
+to tls1.3+ or tls1.2+.
Background and use (long version :-))
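Review bot: the minimum wolfSSL and OpenSSL versions stated in this hunk contradict each other. The new intro paragraph says "Fetchmail 6.4.38 supports OpenSSL 3.0.9, 3.1.4, and WolfSSL 5.6.6 or newer", while the rewritten Quickstart says "Use an up-to-date release of OpenSSL v3.0/v3.1 or wolfSSL 5.5 or newer" and then "warns about versions before 3.0.13", so a reader cannot tell whether wolfSSL 5.5 or 5.6.6 is the floor, or whether OpenSSL 3.0.9 is supported or produces a warning; pick one set of numbers and use it in both places. The library name is also spelled both "WolfSSL" (intro paragraph) and "wolfSSL" (the paragraph on printed messages and the Quickstart); the project spells it "wolfSSL", so use that throughout. Smaller points: the replacement line "fetchmail 6.4.0 will auto-negotiate TLSv1 or newer only." drops the "and newer releases" qualifier from the removed text and now reads as if the behaviour applied to 6.4.0 alone, so consider "fetchmail 6.4.0 and newer will auto-negotiate TLSv1 or newer only."; "such that TLS v1.3 be supported" would read better as "so that TLS v1.3 is supported"; and the two consecutive blank lines added before "With recent software on the server" should be collapsed to one to match the rest of the file.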