From e69917e02f0ec379fc87f163421c5404c702fa6b Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Sat, 12 May 2001 06:13:46 +0000 Subject: via localhost is gone. svn path=/trunk/; revision=3302 --- fetchmail-FAQ.html | 139 +++++++---------------------------------------------- 1 file changed, 17 insertions(+), 122 deletions(-) (limited to 'fetchmail-FAQ.html') diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index b086e59f..aab8a0f4 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@
Back to Fetchmail Home Page To Site Map -$Date: 2001/04/26 03:24:46 $ +$Date: 2001/05/12 06:13:45 $

Frequently Asked Questions About Fetchmail

@@ -707,9 +707,14 @@ once you have installed the `bind' package.

F1. Why does my old .fetchmailrc file no longer work?

+

If your file predates 5.8.3

+ +

The `via localhost' special case for use with ssh tunnelling is gone. +Use the %h feature of plugin instead. +

If your file predates 5.6.8

-In 5.6.8, the preauth keyword and option were changed back to +

In 5.6.8, the preauth keyword and option were changed back to auth. The preauth synonym will still be supported through a few more point releases. @@ -1747,135 +1752,25 @@ http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO.html


K3. How can I get fetchmail to work with ssh?

-We have three recipes for this. - -

Using plugin

- -There's a very simple IMAP recipe using the plugin option. -Use the following: +

Use the plugin option. This is dead simple with IMAP: plugin "ssh %h /usr/sbin/imapd" -You may have to use a different absolute pathname, whatever the +

You may have to use a different absolute pathname, whatever the location of imapd on your mailserver is. This option tells fetchmail that instead of opening a connection on the server's port 143 and doing standard IMAP authentication, fetchmail should ssh to the server and run imapd, using the more secure ssh authentication (as well as -getting ssh's end-to-end encryption). - -

Single-User POP3

- -First, a lightly edited version of a recipe from Masafumi NAKANE. -This one is easy to set up, but only supports one user at a time. - -

1. You must have ssh (the ssh client) on the local host and sshd (ssh -server) on the remote mail server. And you have to configure ssh so -you can login to the sshd server host without a password. (Refer to ssh -man page for several authentication methods.) - -

2. Add something like following to your .fetchmailrc file: - -

-poll mailhost port 1234 via localhost with proto pop3:
-        preconnect "ssh -l username -f mailhost -L 1234:mailhost:110 sleep 5"
-
- -This is an SSH 1.x recipe. According to Mick Papadonis, the -equivalent SSH 2.x recipe is this: - -

-poll localhost port 1234 with proto pop3:
-        preconnect "ssh -n -S -x -l username -fo mailhost -L 1234:mailhost:110; sleep 5"
-
- -The sleep is needed on slower machines to prevent fetchmail from -trying to open the socket before ssh actually makes it ready. Faster -machines may not need it. - -

(Note that 1234 can be an arbitrary port number. Privileged ports can -be specified only by root.) The effect of this ssh command is to -forward connections made to localhost port 1234 (in above example) to -mailhost's 110. - -

This configuration will enable secure mail transfer. All the -conversation between fetchmail and remote pop server will be -encrypted. - -

If sshd is not running on the remote mail server, you can specify an -intermediate host running it. If you do this, however, communication -between the machine running sshd and the POP server will not be encrypted. -And the preconnect line would be like this: - -

-preconnect "ssh -f -L 1234:mailhost:110 sshdhost sleep 20 </dev/null >/dev/null"
-
- -You can work this trick with IMAP too, but the port number 110 in the -above would need to become 143. In either case you'll have to specify -a password but the password will not be sent in clear. - -

There is an explanation of a similar recipe at Secure -POP via SSH mini-HOWTO. - -

Multi-User POP3

- -Second, a recipe from Charlie Brady <cbrady@ind.tansu.com.au>: - -

Charlie says: "The recipe [from Masafume NAKANE] certainly works, but -the solution I post here is better in a few respects": - -

- -Here are the steps: - -
    -
  1. -Make sure that the "socket" program is installed on the server -machine. Presently it lives at -ftp://sunsite.unc.edu/pub/linux/system/network/misc/socket-1.1.tar.gz, -but watch out for a change in version number.

    -

  2. -Set up an unprivileged account on your system with a .ssh directory -containing an SSH identity file "identity" with no pass phrase, -"identity.pub" and "known_hosts" containing the host key of your -mailhost. Let's call this account "noddy". -
  3. -On mailhost, set up no-password access for noddy@yourhost. Add to your -SSH authorized_keys file: - -
    -command="socket localhost 110",no-port-forwarding 1024 ......
    -
    - -where "1024 ......" is the content of noddy's identity.pub file. -
  4. -Create a script /usr/local/bin/ssh.fm and make it executable: - -
    -#! /bin/sh
    -exec ssh -q -C -l your.login.id -e none mailhost socket localhost 110
    -
    -
  5. -Add an entry in inetd.conf for whatever port you choose to use - say: - -
    -1234 stream tcp nowait noddy /usr/sbin/tcpd /usr/local/bin/ssh.fm
    -
    -
  6. -Send a HUP signal to your inetd. -
+getting ssh's end-to-end encryption). Most IMAP daemons will detect +that they've been called from the command line and assume the +connection is peauthenticated. -Now just use localhost:1234 to access your POP server. +

POP3 daemons aren't quite as smart. They won't know they are +preauthenticated in this mode, so you'll actually have to ship your +password. It will be under ssh encryption, though, so that shouldn't +be a problem.


K4. What do I have to do to use the IMAP-GSS protocol?

@@ -2950,7 +2845,7 @@ switching to IMAP and using a short expunge interval.
Back to Fetchmail Home Page To Site Map -$Date: 2001/04/26 03:24:46 $ +$Date: 2001/05/12 06:13:45 $
Eric S. Raymond <esr@snark.thyrsus.com>
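Review bot: In the F1 hunk, the new "If your file predates 5.8.3" entry says "Use the %h feature of plugin instead" but gives no replacement line and no pointer to where %h is explained. A reader whose .fetchmailrc still has `via localhost` with a `preconnect "ssh ... -L 1234:mailhost:110 ..."` tunnel, the form the K3 hunk deletes, gets no migration path from this entry. Suggest linking to K3 here or repeating its `plugin "ssh %h /usr/sbin/imapd"` line. It would also help to state what fetchmail now does with an old file that still contains `via localhost`, so users can tell whether they are still going through the tunnel.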
-- cgit v1.2.3
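Review bot: In the K3 hunk, the added POP3 paragraph says the password still has to be shipped but gives no plugin line for POP3, and the same hunk deletes both POP3 recipes, so only the IMAP form `plugin "ssh %h /usr/sbin/imapd"` is left as a worked example. Suggest adding the POP3 equivalent. The hunk also drops the intermediate-host case (sshd not running on the mail server) along with its warning that the leg between the sshd host and the POP server is unencrypted; the new text should say whether the plugin form covers that setup. The removed multi-user recipe restricted the login with `command="socket localhost 110",no-port-forwarding`; since the plugin form depends on an ssh login that can run imapd, a sentence on restricting that login in authorized_keys would carry the hardening over. Typo in the added text: "peauthenticated" should be "preauthenticated".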