From 43dbe528ea249ac2d2fb7534be99282b549d4eeb Mon Sep 17 00:00:00 2001 
From: Matthias Andree Date: Tue, 17 Jun 2008 12:43:54 +0000 Subject: Track website in separate SVN directory (mostly symlinks for now). svn path=/branches/BRANCH_6-3/; revision=5197 --- website/bighand.png | 1 + website/design-notes.html | 1 + website/esrs-design-notes.html | 1 + website/fetchmail-FAQ.html | 1 + website/fetchmail-FAQ.pdf | 1 + website/fetchmail-SA-2005-01.txt | 1 + website/fetchmail-SA-2005-02.txt | 1 + website/fetchmail-SA-2005-03.txt | 1 + website/fetchmail-SA-2006-01.txt | 1 + website/fetchmail-SA-2006-02.txt | 1 + website/fetchmail-SA-2006-03.txt | 1 + website/fetchmail-SA-2007-01.txt | 1 + website/fetchmail-SA-2007-02.txt | 1 + website/fetchmail-SA-2008-01.txt | 1 + website/fetchmail-features.html | 1 + website/fetchmail-man.html | 1 + website/fetchmail.png | Bin 0 -> 1715 bytes website/host-scripts/upload-website.sh | 31 ++++ website/index.html | 285 +++++++++++++++++++++++++++++++++ website/sitestyle.css | 112 +++++++++++++ website/testservers.html | 60 +++++++ website/todo.html | 1 + 22 files changed, 505 insertions(+) create mode 120000 website/bighand.png create mode 120000 website/design-notes.html create mode 120000 website/esrs-design-notes.html create mode 120000 website/fetchmail-FAQ.html create mode 120000 website/fetchmail-FAQ.pdf create mode 120000 website/fetchmail-SA-2005-01.txt create mode 120000 website/fetchmail-SA-2005-02.txt create mode 120000 website/fetchmail-SA-2005-03.txt create mode 120000 website/fetchmail-SA-2006-01.txt create mode 120000 website/fetchmail-SA-2006-02.txt create mode 120000 website/fetchmail-SA-2006-03.txt create mode 120000 website/fetchmail-SA-2007-01.txt create mode 120000 website/fetchmail-SA-2007-02.txt create mode 120000 website/fetchmail-SA-2008-01.txt create mode 120000 website/fetchmail-features.html create mode 120000 website/fetchmail-man.html create mode 100644 website/fetchmail.png create mode 100755 website/host-scripts/upload-website.sh create mode 100644 website/index.html create mode 
100644 website/sitestyle.css create mode 100644 website/testservers.html create mode 120000 website/todo.html diff --git a/website/bighand.png b/website/bighand.png new file mode 120000 index 00000000..6089a451 --- /dev/null +++ b/website/bighand.png @@ -0,0 +1 @@ +../bighand.png \ No newline at end of file diff --git a/website/design-notes.html b/website/design-notes.html new file mode 120000 index 00000000..ab405e04 --- /dev/null +++ b/website/design-notes.html @@ -0,0 +1 @@ +../design-notes.html \ No newline at end of file diff --git a/website/esrs-design-notes.html b/website/esrs-design-notes.html new file mode 120000 index 00000000..9034bdc5 --- /dev/null +++ b/website/esrs-design-notes.html @@ -0,0 +1 @@ +../esrs-design-notes.html \ No newline at end of file diff --git a/website/fetchmail-FAQ.html b/website/fetchmail-FAQ.html new file mode 120000 index 00000000..1237cbbe --- /dev/null +++ b/website/fetchmail-FAQ.html @@ -0,0 +1 @@ +../fetchmail-FAQ.html \ No newline at end of file diff --git a/website/fetchmail-FAQ.pdf b/website/fetchmail-FAQ.pdf new file mode 120000 index 00000000..35f23132 --- /dev/null +++ b/website/fetchmail-FAQ.pdf @@ -0,0 +1 @@ +../build/fetchmail-FAQ.pdf \ No newline at end of file diff --git a/website/fetchmail-SA-2005-01.txt b/website/fetchmail-SA-2005-01.txt new file mode 120000 index 00000000..be32b441 --- /dev/null +++ b/website/fetchmail-SA-2005-01.txt @@ -0,0 +1 @@ +../fetchmail-SA-2005-01.txt \ No newline at end of file diff --git a/website/fetchmail-SA-2005-02.txt b/website/fetchmail-SA-2005-02.txt new file mode 120000 index 00000000..7d4c603f --- /dev/null +++ b/website/fetchmail-SA-2005-02.txt @@ -0,0 +1 @@ +../fetchmail-SA-2005-02.txt \ No newline at end of file diff --git a/website/fetchmail-SA-2005-03.txt b/website/fetchmail-SA-2005-03.txt new file mode 120000 index 00000000..3c9e1122 --- /dev/null +++ b/website/fetchmail-SA-2005-03.txt @@ -0,0 +1 @@ +../fetchmail-SA-2005-03.txt \ No newline at end of file 
diff --git a/website/fetchmail-SA-2006-01.txt b/website/fetchmail-SA-2006-01.txt new file mode 120000 index 00000000..7f27d828 --- /dev/null +++ b/website/fetchmail-SA-2006-01.txt @@ -0,0 +1 @@ +../fetchmail-SA-2006-01.txt \ No newline at end of file diff --git a/website/fetchmail-SA-2006-02.txt b/website/fetchmail-SA-2006-02.txt new file mode 120000 index 00000000..b41ed57d --- /dev/null +++ b/website/fetchmail-SA-2006-02.txt @@ -0,0 +1 @@ +../fetchmail-SA-2006-02.txt \ No newline at end of file diff --git a/website/fetchmail-SA-2006-03.txt b/website/fetchmail-SA-2006-03.txt new file mode 120000 index 00000000..0c33ccf0 --- /dev/null +++ b/website/fetchmail-SA-2006-03.txt @@ -0,0 +1 @@ +../fetchmail-SA-2006-03.txt \ No newline at end of file diff --git a/website/fetchmail-SA-2007-01.txt b/website/fetchmail-SA-2007-01.txt new file mode 120000 index 00000000..41d55067 --- /dev/null +++ b/website/fetchmail-SA-2007-01.txt @@ -0,0 +1 @@ +../fetchmail-SA-2007-01.txt \ No newline at end of file diff --git a/website/fetchmail-SA-2007-02.txt b/website/fetchmail-SA-2007-02.txt new file mode 120000 index 00000000..a53e5f0b --- /dev/null +++ b/website/fetchmail-SA-2007-02.txt @@ -0,0 +1 @@ +../fetchmail-SA-2007-02.txt \ No newline at end of file diff --git a/website/fetchmail-SA-2008-01.txt b/website/fetchmail-SA-2008-01.txt new file mode 120000 index 00000000..432329cb --- /dev/null +++ b/website/fetchmail-SA-2008-01.txt @@ -0,0 +1 @@ +../fetchmail-SA-2008-01.txt \ No newline at end of file diff --git a/website/fetchmail-features.html b/website/fetchmail-features.html new file mode 120000 index 00000000..bae7697b --- /dev/null +++ b/website/fetchmail-features.html @@ -0,0 +1 @@ +../fetchmail-features.html \ No newline at end of file diff --git a/website/fetchmail-man.html b/website/fetchmail-man.html new file mode 120000 index 00000000..3f5da813 --- /dev/null +++ b/website/fetchmail-man.html @@ -0,0 +1 @@ +../build/fetchmail-man.html \ No newline at end of file 
diff --git a/website/fetchmail.png b/website/fetchmail.png new file mode 100644 index 00000000..aeb2a9db Binary files /dev/null and b/website/fetchmail.png differ diff --git a/website/host-scripts/upload-website.sh b/website/host-scripts/upload-website.sh new file mode 100755 index 00000000..de1c4cbf --- /dev/null +++ b/website/host-scripts/upload-website.sh @@ -0,0 +1,31 @@ +#! /bin/sh + +# Script to upload fetchmail website from SVN repository +# (C) 2008 by Matthias Andree. GNU GPL v3. + +: ${BERLIOS_LOGIN=m-a} + +# abort on error +set -e + +# cd to parent of script +cd $(dirname "$0") +cd .. + +echo "==> Running sanity checks" +# make sure we have no dangling symlinks +if file * | egrep broken\|dangling ; then + echo "broken symlinks -> abort" >&2 + exit 1 +fi + +echo "==> Uploading website (rsync)" +# upload +rsync \ + --chmod=ug=rwX,o=rX,Dg=s --copy-links --times --checksum --verbose \ + --exclude host-scripts \ + --exclude .svn --exclude '*~' --exclude '#*#' \ + * \ + "$BERLIOS_LOGIN@shell.berlios.de:/home/groups/fetchmail/htdocs/" + +echo "==> Success." diff --git a/website/index.html b/website/index.html new file mode 100644 index 00000000..344513ed --- /dev/null +++ b/website/index.html @@ -0,0 +1,285 @@ + + + + + + + +Fetchmail + + + + + + + +
+ +logo: a hand presenting an envelope + +

Fetchmail

+ + +
+

ADDITIONAL FIXES FOR FETCHMAIL 6.3.8 RELEASE

+

New 2008-06-17: After the fetchmail-6.3.8 release described below, +two denial-of-service vulnerabilities (CVE-2007-4565) were discovered, but a new +release is not yet available. Patches are parts of the security announcements:

+ +

On 2008-04-24, the FAQ (also available as PDF), manual page and fetchmail-SA-2007-01.txt (CVE-2007-1558) have been revised.

+

On 2007-04-06, fetchmail-6.3.8 +was released (this is the download link), fixing up further fallout from the CVE-2006-5867 fix, fixing long-standing bugs, and strengthening the APOP client in response to CVE-2007-1558. Click here to see the change details.

+ +

FETCHMAIL 6.2.X UNSUPPORTED AND VULNERABLE - USE 6.3.X INSTEAD

+

fetchmail 6.2.X versions are susceptible to CVE-2006-5867 and CVE-2007-1558 and should be replaced by the most current 6.3.X version. Support has been discontinued as of 2006-01-22.

+ + + +
+ +

SECURITY ALERTS

+

NEW CVE-2008-2711: Fetchmail can crash in verbose mode when logging long message headers. This bug will be fixed in release 6.3.9. For the nonce, use the patch contained in the security announcement.

+

CVE-2007-4565: Fetchmail can crash when the SMTP server refuses a warning message generated by fetchmail. This bug was introduced in fetchmail 4.6.8 and will be fixed in release 6.3.9. For the nonce, use the patch contained in this security announcement.

+

CVE-2007-1558: Fetchmail's APOP client was found to validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be. This bug was long-standing, fetchmail 6.3.8 validates the APOP challenge stricter.

+

CVE-2006-5974: Fetchmail was found to crash when refusing a message that was bound to be delivered by an MDA. This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.

+

CVE-2006-5867: Fetchmail was found to omit TLS or send the password in clear text despite the configuration stating otherwise. This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.

+

CVE-2006-0321: Fetchmail was found to crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.

+

CVE-2005-4348: Fetchmail was found to contain a bug (null pointer dereference) that can be exploited to a denial of service attack when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.

+

CVE-2005-3088: Fetchmailconf was found to open the configuration files world-readable, writing data to them, and only then tightening up permissions, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.

+

CVE-2005-2335: Fetchmail was found to contain a remotely exploitable code injection vulnerability (potentially privileged code) in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)

+ +

Please update to fetchmail version 6.3.8 and apply the two patches from the security announcements CVE-2007-4565 and CVE-2008-2711 above.

+ +
+ +

What fetchmail does:

+ +

Fetchmail is a full-featured, robust, well-documented +remote-mail retrieval and forwarding utility intended to be used over +on-demand TCP/IP links (such as SLIP or PPP connections). It supports +every remote-mail protocol now in use on the Internet: POP2, POP3, +RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even +support IPv6 and IPSEC.

+ +

Fetchmail retrieves mail from remote mail servers and forwards it via +SMTP, so it can then be read by normal mail user agents such as mutt, elm(1) or BSD Mail. +It allows all your system MTA's filtering, forwarding, and aliasing +facilities to work just as they would on normal mail.

+ +

Fetchmail offers better protection against password-sniffing than any +other Unix remote-mail client. It supports APOP, KPOP, OTP, Compuserve +RPA, Microsoft NTLM, and IMAP RFC1731 encrypted authentication methods +including CRAM-MD5 to avoid sending passwords en clair. It can be +configured to support end-to-end encryption via tunneling with ssh, the Secure Shell.

+ +

Fetchmail can be used as a POP/IMAP-to-SMTP gateway for an entire DNS +domain, collecting mail from a single drop box on an ISP and +SMTP-forwarding it based on header addresses. (We don't really +recommend this, though, as it may lose important envelope-header +information. ETRN or a UUCP connection is better.)

+ +

Fetchmail can be started automatically and silently as a system daemon +at boot time. When running in this mode with a short poll interval, +it is pretty hard for anyone to tell that the incoming mail link is +not a full-time "push" connection.

+ +

Fetchmail is easy to configure. You can edit its dotfile directly, or +use the interactive GUI configurator (fetchmailconf) supplied with the +fetchmail distribution. It is also directly supported in linuxconf +versions 1.16r8 and later.

+ +

Fetchmail is fast and lightweight. It packs all its standard +features (POP3, IMAP, and ETRN support) in 196K of core on a +Pentium under Linux.

+ +

Fetchmail is open-source +and free +software.

+ +

Where to find out more about fetchmail:

+ +

See the Fetchmail Feature List for more +about what fetchmail does.

+ +

See the on-line manual page for +basics.

+ +

See the HTML Fetchmail FAQ for +troubleshooting help.

+ +

See the Fetchmail Design Notes +for discussion of some of the design choices in fetchmail.

+ +

See the project's To-Do list for indications +of known problems and requested features.

+ +

The developers use Subversion for revision control. +To get the latest development version, point your subversion client at http://mknod.org/svn/fetchmail/trunk/.

+ +

See the project +page for more, including downloads. +(However, note that we no longer use the subversion repository that Berlios provides.)

+ +

Getting help with fetchmail:

+ +

+There is a fetchmail-users list for help and other user discussion +of fetchmail. It's a MailMan list, which you can sign up for at +fetchmail-users@lists.berlios.de. There is also a +fetchmail-devel list for people who want to discuss fixes and +improvements in fetchmail and help co-develop it. That one is at +fetchmail-devel@lists.berlios.de. +Finally, there is an announcements-only list, +fetchmail-announce@lists.berlios.de.

+ +

Note: before submitting a question to the lists, please read +the FAQ (especially item G3 on how to report bugs). We +tend to get the same three newbie questions over and over again. The +FAQ covers them like a blanket.

+ +

Maintainer History

+

Fetchmail originated as a program called popclient, written +by Carl Harris. In 1996, Eric +S. Raymond took over; he soon renamed the program to fetchmail after +adding IMAP support.

+

In 2004 a new team took over, led by Rob Funk, Graham Wilson, and Matthias Andree. Since then, +Graham Wilson has retreated, and Sunil Shetye has +contributed several important pieces of code.

+ +

You can help improve fetchmail:

+ +

We welcome your code contributions. But even if you don't write code, +you can help fetchmail improve.

+ +

If you administer a site that runs a post-office server, you may be +able help improve fetchmail by lending us a test account on your site. +Note that we do not need a shell account for this purpose, just a +mailbox and a mail address. Nor are we interested in collecting maildrops per +se -- what we're collecting is different kinds of servers.

+ +

Before each release, we run a test harness that sends date-stamped +test mail to each site on our regression-test list, then tries to +retrieve it. Please take a look at the +list of test servers. If you can lend us an account on a kind +of server that is not already on this list, please do.

+ +

Where you can use fetchmail:

+ +

The fetchmail code was developed under Linux, but has also been +extensively tested under 4.4BSD, SunOS, Solaris, AIX, and NEXTSTEP. It +should be readily portable to other Unix variants (it requires only +POSIX plus BSD sockets, and uses GNU autoconf).

+ +

Fetchmail is supported only for Unix by its official maintainers. +However, it is reported to build and run correctly under BeOS, +AmigaOS, Rhapsody, and QNX as well. There is a CygWin port.

+ +

Related works

+ +

Similar software

+ +

fdm: A recently appeared software package that integrates basic filtering is Nicholas Marriott's fdm. + +

getmail: When fetchmail's development was +stalled before the latest team took over, Charles Cazabon's getmail came +along as an intended replacement. It still doesn't do everything that +fetchmail does, and often suffers from Python library shortcomings, for +instance when it comes to SSL, but it's close enough to give us a bit of +competition.

+ +

animail: Another contender with integrated filtering is Juanjo Álvarez Martínez's Animail.

+ +

Complementary and extension software

+ +

Jochen Hayek is developing a set of + +IMAP tools in Python that read your .fetchmailrc file and are +designed to work with fetchmail. Jochen's tools can report selected +header lines, or move incoming messages to named mailboxes based on +the contents of headers.

+ + + +

Peter Hawkins has written a script called gotmail that +can retrieve Hotmail. Another script, yosucker, can retrieve +Yahoo webmail.

+ +

There's a program called +mailfilter which can be used +to do spam filtering, that works particularly well called from fetchmail's +preconnect directive.

+ +

A hacker identifying himself simply as 'Steines' has written a +filter which rewrites the to-line with a line which only includes +receipients for a given domain and renames the old to-line. It also +rewrites the domain-part of addresses if the offical domain is +different from the local domain. You can find it here.

+ +
+ + +BerliOS Logo + + + diff --git a/website/sitestyle.css b/website/sitestyle.css new file mode 100644 index 00000000..160b3be8 --- /dev/null +++ b/website/sitestyle.css 
@@ -0,0 +1,112 @@ +/* From ESR's http://www.catb.org/~esr/sitestyle.css + * except: insert arial before helvetica in font lists + */ +/* Originally cribbed from http://bluerobot.com/web/layouts/layout1.html + * However, people who merge the hotlink colors are evil and should be killed, + * so I removed that. Fixing font sizes in pixels is evil, too; is much as + * possible I has move all dimensions to be relative to the associated font + * size. Finally, light grey is a great background color, but lousy for + * foreground text on white. + */ + +body { + margin:0; + padding:0; + font-family: arial, helvetica, sans-serif; + color:#333; + background-color:white; + } +p { + font-family: arial, helvetica, sans-serif; + /* margin:0 0 1em 0; */ + padding:0; + } +/* #Content>p {text-indent:2em; margin:0;} */ +/* #Content>p+p {text-indent:2em; margin-top: 1ex;} */ + +h1 { + font-size: x-large; + margin-bottom: 0.25ex; + } +h2 { + font-size: large; + margin-bottom: 0.25ex; + } + +a { + text-decoration:none; + font-family: arial, helvetica, sans-serif; + } +a:hover {background-color:#ccc;} + +#Header { + font-weight:600; + font-size: x-large; /* should be same as an h1 header */ + margin:20px 0 10px 0; + padding:0.3ex 0 1.3ex 20px; + border-style:solid; + border-color:black; + border-width:1px 0; + background-color:#eee; + +/* Here is the ugly brilliant hack that protects IE5/Win from its own +stupidity. Thanks to Tantek Celik for the hack and to Eric Costello +for publicizing it. IE5/Win incorrectly parses the "\"}"" value, +prematurely closing the style declaration. The incorrect IE5/Win value +is above, while the correct value is below. See +http://glish.com/css/hacks.asp for details. */ + + voice-family: "\"}\""; + voice-family:inherit; + height:4px; + } +/* I've heard this called the "be nice to Opera 5" rule. 
Basically, it +feeds correct length values to user agents that exhibit the parsing +error exploited above yet get the CSS box model right and understand +the CSS2 parent-child selector. ALWAYS include a "be nice to Opera 5" +rule every time you use the Tantek Celik hack (above). */ +body>#Header {height:14px;} + +#Content { + /* Left margin is menu width + 3em + */ + margin:0 50px 50px 11em; + padding:10px; + } + +#Menu { + position:absolute; + top:80px; + left:20px; + width:8em; + padding:0.5em; + background-color:#eee; + border:1px solid #999; +/* Again, the ugly brilliant hack. */ + voice-family: "\"}\""; + voice-family:inherit; + width:8em; + } +/* Again, "be nice to Opera 5". */ +body>#Menu {width:8em;} + +/* For convenience */ +.centered { + text-align: center; + margin-left: auto; + margin-right: auto; + } + +.notebox { + background-color:#eee; + border:1px dashed #999; + margin: 15px; + font-size:small; + text-indent: 0; +} + +/* +Local Variables: +compile-command: "(cd ~/WWW; upload sitestyle.css)" +End: +*/ diff --git a/website/testservers.html b/website/testservers.html new file mode 100644 index 00000000..5c212cca --- /dev/null +++ b/website/testservers.html @@ -0,0 +1,60 @@ + + + + + + +Fetchmail's Test List + + + +
Back to Home Page +Wed Oct 15 18:43:10 EDT 2003 +
+
+

Fetchmail's Test List

+ +

Here are the server types on my regression-test list:

+ + + + + + + + + + + + + + + + + + + + + + +
Protocol & Version:Special Options:
IMAP: CommuniGate IMAP serverIMAPrev1 STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5
POP3: CommuniGate POP3 serverCAPA LAST APOP CRAM-MD5
POP3: IntraStore POP3 mail server!CAPA LAST
APOP: IntraStore POP3 mail server!CAPA LAST APOP
IMAP: IntraStore IMAP mail serverIMAPrev1 IDLE AUTH=CRAM-MD5 AUTH=SKEY AUTH=ANONYMOUS
POP3: Eudora EIMSCAPA LAST APOP SASL CRAM-MD5 NTLM
POP3: gmx.de pop server!CAPA UIDL
IMAP: IMail IMAP serverIMAP4rev1 AUTH=CRAM-MD5
IMAP: Microsoft ExchangeIDLE AUTH=NTLM
POP3: qpopper 3.1.2 (Eudora) patched with mysqlCAPA UIDL
IMAP: Courier IMAPIMAP4rev1
POP3: Courier POP3CAPA UIDL
APOP: Qpopper using APOP!CAPA
IMAP: UW IMAPIMAPrev1
IMAP: Courier IMAPIMAP4rev1
POP3: Qpopper 4.0.5CAPA UIDL
+ +

If you control a post-office server that is not one of the types listed +here, please consider lending me a test account. Note that I do not +need shell access, just the permissions to send mail to a mailbox the server +looks at and to fetch mail off of it.

+ +

I'd like to have weird things like a POP2 server on here. Also more +closed-source servers because they tend to be broken in odd +ways. These are the real robustness tests.

+ +
+ +
Back to Home Page +Wed Oct 15 18:43:10 EDT 2003 +
+ +
+ + diff --git a/website/todo.html b/website/todo.html new file mode 120000 index 00000000..3402e692 --- /dev/null +++ b/website/todo.html @@ -0,0 +1 @@ +../todo.html \ No newline at end of file -- cgit v1.2.3
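Review bot: website/fetchmail-FAQ.pdf and website/fetchmail-man.html are the only two symlinks whose targets sit under ../build/ (`+../build/fetchmail-FAQ.pdf`, `+../build/fetchmail-man.html`); every other link points one level up, and nothing in this patch adds the build/ targets. In a working copy where build/ has not been populated both links dangle and upload-website.sh stops at its sanity check with only "broken symlinks -> abort". Say in the script header that the FAQ PDF and the HTML manual page must exist before uploading, or have the script name the missing target in its error message.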
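Review bot: in website/host-scripts/upload-website.sh the sanity check `file * | egrep broken\|dangling` greps all of file(1)'s output, file names included, so a page whose name contains "broken" aborts the upload, and the check depends on the exact wording file prints for a dead link. Because rsync runs with --copy-links and uploads whatever each link resolves to, test the links themselves, for example `for f in *; do [ -e "$f" ] || { echo "dangling: $f" >&2; exit 1; }; done`. Two smaller points in the same hunk: `cd $(dirname "$0")` leaves the command substitution unquoted and breaks when the checkout path contains whitespace (use `cd "$(dirname "$0")"`), and the bare `*` handed to rsync lets a file name beginning with a dash be read as an option (use `./*`).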
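Review bot: the 2008-06-17 notice at the top of website/index.html announces two denial-of-service vulnerabilities but names only CVE-2007-4565 in parentheses, while the SECURITY ALERTS list and the closing "Please update to fetchmail version 6.3.8" paragraph name CVE-2007-4565 and CVE-2008-2711. Name both identifiers in the notice so that a reader who stops at the first box knows which two patches to apply. Further down, the paragraph on the 'Steines' filter has the typos "receipients" and "offical".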
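Review bot: the Local Variables block at the end of website/sitestyle.css sets compile-command to "(cd ~/WWW; upload sitestyle.css)", which refers to a home-directory layout and an upload command that are not part of this tree, while this same patch adds host-scripts/upload-website.sh as the way to publish the site. Drop the block, or point it at the new script; the header comment already records where the stylesheet came from. The inherited comment ending "are evil and should be killed" is also shipped to every visitor in a public stylesheet and could be trimmed when the file is next touched.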
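Review bot: website/testservers.html is added with its 2003 content untouched, and the table has inconsistencies worth fixing before it is published: the row "IMAP: Courier IMAP / IMAP4rev1" appears twice, and three rows (CommuniGate, IntraStore and UW IMAP) spell the capability "IMAPrev1" where the IMail and Courier rows have "IMAP4rev1". The page also still carries the "Wed Oct 15 18:43:10 EDT 2003" stamp in header and footer and speaks of "my regression-test list" and "lending me a test account", whereas index.html in this patch asks readers to lend "us" an account. Update the wording and date, or mark the list as historical.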