fetchmail README
================

Introduction
------------

Fetchmail is a free, full-featured, robust, well-documented remote mail 
retrieval and forwarding utility intended to be used over on-demand TCP/IP 
links (such as SLIP or PPP connections).  It retrieves mail from remote mail 
servers and forwards it to your local (client) machine's delivery system, so it 
can then be read by normal mail user agents such as mutt(1), elm(1) or 
Mail(1).

Fetchmail supports all standard mail-retrieval protocols in use on the 
Internet: POP3 (including some variants such as RPOP, APOP, KPOP), IMAP4rev1 
(also IMAP4, IMAP2bis), POP2, IMAP4, ETRN, and ODMR. On the output side, 
fetchmail supports ESMTP/SMTP, LMTP, and invocation of a local delivery agent.

Fetchmail also fully supports authentication via GSSAPI, Kerberos 4 and 5, 
RFC1938 one-time passwords, Compuserve's POP3 with RPA, Microsoft's NTLM, Demon 
Internet's SDPS, or CRAM-MD5 authentication a la RFC2195.

Fetchmail supports end-to-end encryption with OpenSSL; do read README.SSL for 
details on fetchmail's configuration and README.SSL-SERVER for server-side 
requirements.  NOTE! To be compatible with earlier releases, fetchmail 6.3's 
default behaviour is more relaxed than dictated by the standard - add options 
such as --sslcertck to tighten certificate checking.
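
Because certificate checking is not on by default, it is worth auditing an existing run control file for entries that never enable it. The script below is an added example, not part of fetchmail or of this README. It assumes the run control keywords `ssl` and `sslcertck` (the file counterparts of the command-line options), uses a simplified tokenizer rather than fetchmail's own parser, treats each poll/skip entry as a whole, and runs on a constructed sample with made-up hosts.

```python
import re

# Comment, double-quoted string, single-quoted string, or bare word.
# Simplification: ',', ';' and ':' are skipped like whitespace.
TOKEN = re.compile(r"""#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[^\s,;:]+""")
DEFAULTS = "<defaults>"  # marker that cannot collide with a host name


def keywords_by_entry(text):
    """Split a run control file into [name, {bare keywords}] per entry."""
    entries, want_name = [], False
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue  # comments never activate an option
        quoted = len(tok) >= 2 and tok[0] in "\"'" and tok[-1] == tok[0]
        if want_name:
            entries[-1][0] = tok[1:-1] if quoted else tok
            want_name = False
        elif quoted:
            continue  # string values (passwords, paths) are never keywords
        elif tok in ("poll", "skip"):
            entries.append([None, set()])
            want_name = True
        elif tok == "defaults":
            entries.append([DEFAULTS, set()])
        elif entries:
            entries[-1][1].add(tok)
    return entries


def audit(text):
    """Return (server, uses_ssl, checks_cert) for each poll/skip entry."""
    inherited, report = set(), []
    for name, kws in keywords_by_entry(text):
        if name == DEFAULTS:
            inherited = kws  # applies to the entries that follow
            continue
        kws = kws | inherited
        report.append((name, "ssl" in kws, "sslcertck" in kws))
    return report


def unchecked(text):
    """Servers whose entry never turns on certificate checking."""
    return [name for name, _, checked in audit(text) if not checked]


# Constructed sample run control file (hosts and accounts are made up).
SAMPLE = '''poll mail.example.org protocol imap
    user "alice" password "sslcertck is only text here"
    ssl   # sslcertck
poll imap.example.net with protocol imap:
    user "bob" password "x" ssl sslcertck sslcertpath "/etc/ssl/certs"
skip pop.example.com protocol pop3 user "carol" password "y"
'''
```

The first sample entry is reported even though the word sslcertck appears twice in it, because both occurrences are inert: one sits inside a quoted password and the other inside a comment.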

Portability
-----------

The fetchmail code was developed under Linux, but has also been extensively 
tested under the BSD variants, AIX, HP-UX versions 9 and 10, SunOS, Solaris, 
NEXTSTEP, OSF 3.2, IRIX, and Rhapsody.

It should be readily portable to other Unix variants and Unix-like operating 
systems (it uses GNU autoconf).  It has been ported to Cygwin, LynxOS and BeOS 
and will build there without special action.  It has also been ported to QNX; 
to build under QNX, see the header comments in the Makefile.  It is reported to 
build and run under AmigaOS.

Further reading
---------------

The INSTALL file describes how to configure and install fetchmail.

See the distribution files FEATURES for a full list of features, NEWS for 
detailed information on recent changes, NOTES for design notes, and TODO for 
a list of things that still need doing.  If you want to hack on this code, 
a list of known bugs and to-do items can be found in the file todo.html.

Status, source code
-------------------

The fetchmail code appears to be stable and free of bugs affecting normal 
operation (that is, retrieving from POP3 or IMAP in single-drop mode and 
forwarding via SMTP to sendmail).

You can get the code from the fetchmail home page:

	http://www.fetchmail.info/

	http://fetchmail.berlios.de/

Enjoy!

							-- esr, ma

Fetchmail Security and Errata Information
-----------------------------------------

Last updated: 2010-05-06

These security issues (listed immediately below) and critical issues have 
become known to the fetchmail maintainer to the date mentioned above.

Note that fetchmail 6.2.X and older are no longer supported and contain some of 
the problems mentioned below, even if they aren't mentioned in the security 
announcements:

* EN-2010-03 (fetchmail-EN-2010-03.txt): Fetchmail fails POP3/IMAP 
  authentication by not performing SASL AUTH properly. This was a 
  long-standing bug fixed in release 6.3.18.

* CVE-2010-1167 (fetchmail-SA-2010-02.txt): Fetchmail could exhaust all 
  available memory and abort on certain computers (for instance Linux) in 
  multibyte locales (for instance UTF-8) when dumping malformed headers in 
  debug (-v -v) mode. This bug was introduced long before 6.0.0 and has been 
  fixed in release 6.3.17.

* CVE-2010-0562 (fetchmail-SA-2010-01.txt): Fetchmail would overrun the heap 
  when displaying X.509 TLS/SSL certificates with characters with high bit set 
  in verbose mode on platforms where char is a signed type. This bug was 
  introduced in release 6.3.11 and has been fixed in release 6.3.14.

* CVE-2009-2666 (fetchmail-SA-2009-01.txt): Fetchmail was found to validate 
  SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to 
  go undetected. This bug has been fixed in release 6.3.11. For previous 
  versions, use the patch contained in the security announcement.

* CVE-2008-2711 (fetchmail-SA-2008-01.txt): Fetchmail can crash in verbose 
  mode when logging long message headers. This bug has been fixed in release 
  6.3.9. For 6.3.8, use the patch contained in the security announcement.

* CVE-2007-4565 (fetchmail-SA-2007-02.txt): Fetchmail can crash when the SMTP 
  server refuses a warning message generated by fetchmail. This bug was 
  introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. For 
  6.3.8, use the patch contained in this security announcement.

* CVE-2007-1558 (fetchmail-SA-2007-01.txt): Fetchmail's APOP client was found 
  to validate APOP challenges insufficiently, making man-in-the-middle attacks 
  on APOP secrets unnecessarily easier than need be. This bug was 
  long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more 
  strictly.

* CVE-2006-5974 (fetchmail-SA-2006-03.txt): Fetchmail was found to crash when 
  refusing a message that was bound to be delivered by an MDA. This bug was 
  introduced into fetchmail 6.3.5 and fixed in 6.3.6.

* CVE-2006-5867 (fetchmail-SA-2006-02.txt): Fetchmail was found to omit TLS or 
  send the password in clear text despite the configuration stating otherwise. 
  This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 
  6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.

* CVE-2006-0321 (fetchmail-SA-2006-01.txt): Fetchmail was found to crash after 
  bouncing a message with bad addresses. This bug was introduced with 
  fetchmail 6.3.0 and fixed in fetchmail 6.3.2.

* CVE-2005-4348 (fetchmail-SA-2005-03.txt): Fetchmail was found to contain a 
  bug (null pointer dereference) that can be exploited to a denial of service 
  attack when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this 
  bug fixed.

* CVE-2005-3088 (fetchmail-SA-2005-02.txt): Fetchmailconf was found to open 
  the configuration files world-readable, writing data to them, and only then 
  tightening up permissions, which may cause password information to be 
  visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 
  6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.

* CVE-2005-2335 (fetchmail-SA-2005-01.txt): Fetchmail was found to contain a 
  remotely exploitable code injection vulnerability (potentially privileged 
  code) in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 
  6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not 
  been checked if they contain this bug.)

Please update to the newest fetchmail version:

	http://developer.berlios.de/project/showfiles.php?group_id=1824