From 916abfe741d97532ceacd834c2a5229f0a67c3c5 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Mon, 19 Aug 2019 21:30:39 +0200 Subject: Update documentation. --- INSTALL | 31 ++++++++++++++++--------------- NEWS | 1 + README | 15 ++++++++------- README.packaging | 14 +++++--------- RELEASE-INSTRUCTIONS | 2 -- RELEASEVERSIONS | 2 ++ TODO.txt | 9 +++------ design-notes.html | 12 +++++------- 8 files changed, 40 insertions(+), 46 deletions(-) diff --git a/INSTALL b/INSTALL index a0b75204..9ac5208e 100644 --- a/INSTALL +++ b/INSTALL @@ -66,11 +66,6 @@ configure option '--with-included-gettext'. Installing fetchmail is easy. From within this directory, type: - ./configure --with-ssl - -if you have OpenSSL (and its developer packages, if separate) installed -on your system, or if you don't or do not need SSL/TLS support: - ./configure The autoconfiguration script will spend a bit of time figuring out the @@ -80,7 +75,7 @@ variable CC before you run configure. The configure script accepts certain standard configuration options. These include --prefix, --exec-prefix, --bindir, --infodir, --mandir, -and --srcdir. Do 'configure --help' for more. +and --srcdir. Run 'configure --help' for more. POP2 support is no longer compiled in by default, as POP2 is way obsolete and there don't seem to be any live servers for it anymore. You can 
@@ -102,15 +97,14 @@ locations (/usr, /usr/local). If you set --with-GSSAPI=DIR you can direct the build to look for GSSAPI support under DIR. Hooks for the OpenSSL library (see http://www.openssl.org/) are -included in the distribution. To enable these, configure with ---with-ssl; they are not included in the standard build. Fetchmail's -configure script will probe some default locations for the -include/openssl/ssl.h file. If this doesn't work (i. e. configure prints -"SSL support enabled, but OpenSSL not found" and aborts), you need to -give the explicit prefix of your OpenSSL installation (specify the -directory that contains OpenSSL's "include" subdirectory), for instance: -"--with-ssl=/example/path" would assume that you have an -/example/path/include/openssl/ssl.h header file. +included in the distribution. Fetchmail 6.4 enables these by default. +Fetchmail's configure script will query pkg-config (pkgconf) or failing that, +probe some default locations for the include/openssl/ssl.h file. If this +doesn't work (i. e. configure prints "SSL support enabled, but OpenSSL not +found" and aborts), you need to give the explicit prefix of your OpenSSL +installation (specify the directory that contains OpenSSL's "include" +subdirectory), for instance: "--with-ssl=/example/path" would assume that you +have an /example/path/include/openssl/ssl.h header file. 2.2 Advanced options @@ -142,6 +136,13 @@ Run This should compile fetchmail for your system. If fetchmail fails to build properly, see the FAQ section B on build-time problems. +On multi-core computers, run + + make -j8 + +on a computer that supports 8 CPU threads at the same time (for instance, +Octocore computers or Quad-core computers supporting two threads per core). + 4. INSTALL diff --git a/NEWS b/NEWS index a36bc39e..577cc5a0 100644 --- a/NEWS +++ b/NEWS 
@@ -59,6 +59,7 @@ removed from a 6.4.0 or newer release.) fetchmail may switch to a different SSL library. * SSLv3 support may be removed from a future fetchmail release. It has been obsolete for many years and found insecure. Use TLS. +* Fetchmailconf is deprecated and will be removed from a future release. -------------------------------------------------------------------------------- diff --git a/README b/README index dadc0538..a33a791c 100644 --- a/README +++ b/README @@ -22,9 +22,10 @@ Internet's SDPS, or CRAM-MD5 authentication a la RFC2195. Fetchmail supports end-to-end encryption with OpenSSL, do read README.SSL for details on fetchmail's configuration and README.SSL-SERVER for server-side -requirements. NOTE! To be compatible with earlier releases, fetchmail 6.3's -default behaviour is more relaxed than dictated by the standard - add options -such as --sslcertck to tighten certificate checking. +requirements. NOTE! To be compatible with earlier releases, fetchmail 6.4 +default behaviour is more relaxed than dictated by recommendations - while it +does away with SSLv2, only negotiates SSLv3 if forced to, it will by default +still negotiate TLS v1.0. Portability ----------- 
@@ -33,10 +34,10 @@ The fetchmail code was developed under Linux, but has also been extensively tested under the BSD variants, AIX, HP-UX versions 9 and 10, SunOS, Solaris, NEXTSTEP, OSF 3.2, IRIX, and Rhapsody once upon a time. -The maintainer no longer has acess to these systems, and assumes that -the system is at least Single-Unix-Specification V2 compatible, yet will -permit a C89 compiler. It currently ships with a copy of the trio library -for systems that lack snprintf(). +The current maintainer does not have access to these systems, and assumes that +the system is at least Single-Unix-Specification V2 compatible, yet fetchmaiil +should be compilable by a C89 compiler. It currently ships with a copy of the +trio library for systems that lack snprintf(). Fetchmail should be able to be compiled with C89, C99, C11, C++98, C++03, C++11, C++14 compilers, but not C++17 because the "register" keyword is diff --git a/README.packaging b/README.packaging index 08d115d0..d4f8bf47 100644 --- a/README.packaging +++ b/README.packaging 
@@ -1,25 +1,21 @@ README.packaging ================ -fetchmail 6.3 changes relevant for packagers +fetchmail 6.4 changes relevant for packagers -------------------------------------------- Greetings, dear packager! The bullet points below mention a few useful hints for package(r)s: -- Please use OpenSSL and add --with-ssl to the ./configure command line. - SSL/TLS support hasn't been enabled in the default build in order to maintain - fetchmail 6.2 compatibility as far as possible. SSL/TLS however is a highly - recommended compilation option. +- Fetchmail requires a somewhat recent OpenSSL v1.0.2. - Fetchmail now uses automake and supports all common automake targets and overrides such as "make install-strip" or "DESTDIR=..." for staging areas. -- The fetchmailconf script has been renamed to fetchmailconf.py, automake will - install it into Python's top-level site-packages directory and byte-compile - it (so you need to package or remove fetchmailconf.pyc and fetchmailconf.pyo - as well). +- The fetchmailconf script is named fetchmailconf.py, automake will install it + into Python's top-level site-packages directory and byte-compile it (so you + need to package or remove fetchmailconf.pyc and fetchmailconf.pyo as well). - If you want to defeat Python byte-code compilation and would rather like to install fetchmailconf.py yourself, you can add diff --git a/RELEASE-INSTRUCTIONS b/RELEASE-INSTRUCTIONS index 8fbb23ea..5523418b 100644 --- a/RELEASE-INSTRUCTIONS +++ b/RELEASE-INSTRUCTIONS @@ -18,5 +18,3 @@ To do a release: - Update the fetchmail website for version, link to release nodes (update release_id) and last update, commit, and upload. - -- Announce on freshmeat. diff --git a/RELEASEVERSIONS b/RELEASEVERSIONS index 99814c80..aa8113f4 100644 --- a/RELEASEVERSIONS +++ b/RELEASEVERSIONS 
@@ -1,5 +1,7 @@ Note that this file is kept for historic reference. It will no longer be updated or maintained. +The recent release history can be obtained by looking +at the Git tags. -- Matthias Andree, 2010-02-06 diff --git a/TODO.txt b/TODO.txt index fcbc9005..8839b017 100644 --- a/TODO.txt +++ b/TODO.txt @@ -1,6 +1,6 @@ Note that there is a separate todo.html with different content than this. -6.4 MUST: +soon - MUST: + multiple certs + check alternative passed checks, fingerprints... for interactions + do we support CRLs? @@ -8,8 +8,6 @@ Note that there is a separate todo.html with different content than this. can check their finger prints or certificates in arbitrary ways (grarpamp) + modified UTF-7 (RFC-3501 5.1.3) for mailbox names - -soon - MUST: - blacklist DigiNotar/Comodo/Türktrust hacks/certs, possibly with Chrome's serial# list? - check if wildcards from X.509 are handled as strictly as required by @@ -47,7 +45,6 @@ soon - SHOULD: - CRYPTO: log configured server name on certificate mismatch (perhaps pay attention to via entries and stuff like that) - CRYPTO: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432618 - * write a table of combinations of TLS/SSL options - add To: header to warning mails (authfail for instance) - Fix TOCTOU race around prc_filecheck* - Read CAPABILITY from greeting if present, saves one round trip. @@ -75,8 +72,8 @@ questionable: - fetch IMAP message in one go (fetchmail-devel by Adam Simpkins around Nov 2nd)? -6.4: -- Properly free host/user entries (through C++ class instantiation and destructors...) +- Properly free host/user entries (through C++ class instantiation and + destructors...) - Remove stupid options, such as spambounce, or deferred bounces for anything but wrong addresses - Do not ever guess envelope from content headers such as To:/Cc:/Resent-To: or diff --git a/design-notes.html b/design-notes.html index 4aaba5cb..fc4a2c3b 100644 --- a/design-notes.html +++ b/design-notes.html @@ -26,7 +26,8 @@

Introduction

-

This document is supposed to complement This document's contents were last updated in 2006, around fetchmail 6.3.4/6.3.5 time. +It is supposed to complement Eric S. Raymond's (ESR's) design notes. The new maintainers don't agree with some of the decisions ESR made previously, and the differences and new directions will be laid @@ -35,12 +36,9 @@ the necessary code revisions have been made.

Security

-

Fetchmail was handed over in a pretty poor shape, security-wise. It will -happily talk to the network with root privileges, use sscanf() to read -remotely received data into fixed-length stack-based buffers without -length limitation and so on. A full audit is required and security -concepts will have to be applied. Random bits are:

- +

+ Fetchmail 6.2.x was handed over in a pretty poor shape, security-wise. It would happily talk to the network with root privileges, used sscanf() to read remotely received data into fixed-length stack-based buffers without length limitation and so on. A full audit is required and security concepts will have to be applied. Random bits are: +
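
Review bot: In INSTALL (hunk @@ -102,15 +97,14 @@), nothing tells a builder how to compile without OpenSSL any more, or whether that is still supported. The new text says "Fetchmail 6.4 enables these by default" and that configure aborts with "SSL support enabled, but OpenSSL not found", while the first INSTALL hunk removed the "if you don't or do not need SSL/TLS support" wording. Suggest one sentence that either names the configure switch for opting out or states that OpenSSL is now mandatory. Also, "query pkg-config (pkgconf) or failing that, probe" needs a comma after "or".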
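
Review bot: In INSTALL (hunk @@ -142,6 +136,13 @@), the added paragraph reads "On multi-core computers, run make -j8 on a computer that supports 8 CPU threads", which repeats itself and hard-codes one job count. Suggest describing the general form, telling the reader to pass -j with the number of CPU threads their machine supports, and keeping -j8 only as the example for an eight-thread machine.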
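
Review bot: In README (hunk @@ -22,9 +22,10 @@), the rewritten NOTE drops the pointer to "options such as --sslcertck to tighten certificate checking" without replacing it. A reader now learns that the defaults are "more relaxed than dictated by recommendations" and that TLS v1.0 is still negotiated, but not how to tighten either, and cannot tell whether the certificate-checking default changed in 6.4. Suggest keeping a pointer to the hardening options or to README.SSL. The added sentence "while it does away with SSLv2, only negotiates SSLv3 if forced to, it will by default still negotiate TLS v1.0" is a run-on that would read better as two sentences, and "fetchmail 6.4 default behaviour" lost the possessive that "fetchmail 6.3's" had.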
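
Review bot: In README (hunk @@ -33,10 +34,10 @@), the added line "compatible, yet fetchmaiil" misspells fetchmail. The same hunk fixes "acess", so this introduces a new typo while removing an old one. The sentence "assumes that the system is at least Single-Unix-Specification V2 compatible, yet fetchmail should be compilable by a C89 compiler" would also be clearer split in two, since the "yet" joins two unrelated requirements.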
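
Review bot: In README.packaging (hunk @@ -1,25 +1,21 @@), "Fetchmail requires a somewhat recent OpenSSL v1.0.2." does not say whether 1.0.2 is the minimum version or the only supported one, and "somewhat recent" gives a packager nothing to check against. Suggest stating the minimum version explicitly, with a patch level if one matters. The fetchmailconf bullet is kept and reworded, but the NEWS hunk in this same patch adds "Fetchmailconf is deprecated and will be removed from a future release."; packagers should see that deprecation here too. "is named fetchmailconf.py, automake will install it" is a comma splice.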
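
Review bot: In TODO.txt (last hunk, @@ -75,8 +72,8 @@), deleting the "6.4:" header leaves "Properly free host/user entries", "Remove stupid options" and "Do not ever guess envelope from content headers" directly after the "questionable:" list, so they now appear to be questionable items rather than planned work. Suggest replacing the header with a new one instead of removing it. In the @@ -47,7 +45,6 @@ hunk the line "* write a table of combinations of TLS/SSL options" is removed with no indication of whether it was done; if the table exists, the commit message or the CRYPTO entry above it should say where.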
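
Review bot: In design-notes.html (Security hunk), the rewritten paragraph moves the description into the past tense ("Fetchmail 6.2.x was handed over", "It would happily talk to the network with root privileges, used sscanf()") but leaves "A full audit is required and security concepts will have to be applied." in the present tense. Together with the new Introduction note that the contents "were last updated in 2006", a reader cannot tell whether the root-privilege and unbounded sscanf() issues were addressed or are still open in 6.4. Suggest stating the current status of each, or marking the whole paragraph explicitly as a 2006 snapshot.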