From d1a40cf7cefbffe5ae41612f60b176ad0fc59847 Mon Sep 17 00:00:00 2001 From: Sunil Shetye Date: Thu, 11 Nov 2010 11:49:21 +0530 Subject: Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory ignoring server capabilities --- NEWS | 2 ++ imap.c | 7 ++----- pop3.c | 7 ++----- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/NEWS b/NEWS index 01cd2c0f..c9d08481 100644 --- a/NEWS +++ b/NEWS @@ -78,6 +78,8 @@ fetchmail-6.3.19 (not yet released): * Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye) * Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R. and Derek Simkowiak via the fetchmail-users@ mailing list. +* Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the + server capabilities do not show support for upgradation to TLS. (Sunil Shetye) # DOCUMENTATION: * The manual page now links to IANA for GSSAPI service names. diff --git a/imap.c b/imap.c index cbaa913b..11b206c0 100644 --- a/imap.c +++ b/imap.c @@ -430,7 +430,8 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting) if (ctl->sslcommonname) commonname = ctl->sslcommonname; - if (strstr(capabilities, "STARTTLS")) + if (strstr(capabilities, "STARTTLS") + || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ { /* Use "tls1" rather than ctl->sslproto because tls1 is the only * protocol that will work with STARTTLS. Don't need to worry @@ -478,10 +479,6 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting) } /* Usable. Proceed with authenticating insecurely. */ } - } else if (must_tls(ctl)) { - /* Config required TLS but STARTTLS is not advertised. */ - report(stderr, GT_("%s: cannot upgrade to TLS: no STARTTLS in CAPABILITY response.\n"), commonname); - return PS_SOCKET; } } #endif /* SSL_ENABLE */ diff --git a/pop3.c b/pop3.c index 21251e59..3e62d864 100644 --- a/pop3.c +++ b/pop3.c 
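Review bot: The fail-closed guarantee for mandatory TLS now rests entirely on code outside this hunk: the `else if (must_tls(ctl))` branch removed in the second imap.c hunk was the only explicit rejection of a server without STARTTLS, and the visible tail of the `if` block ends in `/* Usable. Proceed with authenticating insecurely. */`, so it is worth confirming that the STARTTLS failure handling inside the block returns an error for the must_tls case rather than falling through to plaintext authentication when the server answers the unadvertised STARTTLS with NO/BAD. The one-word comment on the new condition should also state the policy, since the removed branch was what documented it; suggest `|| must_tls(ctl)) /* TLS is mandatory: send STARTTLS even when CAPABILITY omits it, so an incomplete or stripped capability list cannot steer us away from the upgrade; a failed STARTTLS must still abort below */`. The dropped `cannot upgrade to TLS: no STARTTLS in CAPABILITY response` message was the only user-visible hint that the server never advertised STARTTLS; a verbose-level `report(stdout, GT_("%s: STARTTLS not advertised, attempting it anyway because TLS is mandatory.\n"), commonname);` at the top of the block when `strstr(capabilities, "STARTTLS")` is NULL would keep that diagnostic. imap_getauth continues outside both hunks.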
@@ -440,7 +440,8 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) if (ctl->sslcommonname) commonname = ctl->sslcommonname; - if (has_stls) + if (has_stls + || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ { /* Use "tls1" rather than ctl->sslproto because tls1 is the only * protocol that will work with STARTTLS. Don't need to worry @@ -490,10 +491,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) report(stdout, GT_("%s: opportunistic upgrade to TLS failed, trying to continue.\n"), commonname); } } - } else if (must_tls(ctl)) { - /* Config required TLS but STLS is not advertised. */ - report(stderr, GT_("%s: cannot upgrade to TLS: no STLS in CAPA response.\n"), commonname); - return PS_SOCKET; } } /* maybe_tls() */ #endif /* SSL_ENABLE */ -- cgit v1.2.3
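Review bot: With the `else if (must_tls(ctl))` branch removed, the last visible failure path in this hunk is the `opportunistic upgrade to TLS failed, trying to continue` report, so the mandatory-TLS case must be rejected earlier inside the block, and that code is outside the hunk; please confirm a failed STLS under must_tls returns an error there instead of reaching the opportunistic continue and authenticating in plaintext. Sending STLS regardless of CAPA is the right direction for mandatory TLS, because `has_stls` is derived from CAPA and a server may not implement CAPA at all, but the dropped `no STLS in CAPA response` message was the only indication to the user that the server never advertised the upgrade; suggest preserving it at verbose level with `if (!has_stls) report(stdout, GT_("%s: STLS not advertised in CAPA, attempting it anyway because TLS is mandatory.\n"), commonname);` at the top of the block. The new condition's comment would also read better with the reason spelled out, e.g. `/* TLS is mandatory: try STLS even if CAPA did not list it; a failed STLS must still abort below */`. pop3_getauth's body extends outside both hunks.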