path: root/website/index.html
blob: 60032d63642f0d48327b18ba3c7febfe445a2c62 (plain)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="stylesheet" href="sitestyle.css" type="text/css">
<meta name="description" content="The Fetchmail Project">
<meta name="keywords" content="fetchmail, pop3, imap, email, mail">
<meta name="MSSmartTagsPreventParsing" content="TRUE">
<title>Fetchmail</title>
</head>
<body>

<div id="Header">
<table width="100%" cellpadding="0" summary="Canned page header">
<tr>
<td>Fetchmail</td>
<td align="right"><!-- update date -->2008-06-24</td>
</tr>
</table>
</div>

<div id="Menu">
	<hr/>
	<a href="index.html" title="Main">Main</a><br />
	<a href="fetchmail-features.html">Features</a><br />
	<a href="fetchmail-man.html">Manual</a><br />
	<a href="fetchmail-FAQ.html" title="Fetchmail FAQ">FAQ</a><br />
	<a href="fetchmail-FAQ.pdf" title="Fetchmail FAQ as PDF">FAQ (PDF)</a><br />
	<a href="design-notes.html">Design Notes</a><br />
	<a href="http://developer.berlios.de/project/showfiles.php?group_id=1824">Download</a><br />
	<a href="http://mknod.org/svn/fetchmail/">Development Code</a><br />
	<a href="http://developer.berlios.de/projects/fetchmail/">Project Page</a><br />
	<hr/>
</div>

<div id="Content">

<img src="bighand.png" width="100" height="71" alt="logo: a hand presenting an envelope" align="right" />

<h1>Fetchmail</h1>
<!--
<div style="background-color:#ffffff;color:#008000;"> <h1>fetchmail 6.3.6 release candidate #5</h1>
<p>On 2006-12-19, <a
href="http://mandree.home.pages.de/fetchmail/">fetchmail-6.3.6-rc5 was released</a>, fixing several annoying bugs. <a href="http://mandree.home.pages.de/fetchmail/NEWS-6.3.6-rc5.txt">Click here for details.</a></p> </div>
-->

<div style="background-color:#80ff80;color:#000000;">
<h1>ADDITIONAL FIXES FOR FETCHMAIL 6.3.8 RELEASE</h1>
<p>New 2008-06-24: After the fetchmail-6.3.8 release described below,
two denial-of-service vulnerabilities were discovered, but a new release
is not yet available. Release candidates may be found at <a
    href="http://home.pages.de/~mandree/fetchmail/">http://home.pages.de/~mandree/fetchmail/</a>.
Official patches for 6.3.8 are part of the security
announcements (you may need to use <code>patch -l</code> to apply them; this should
tell patch to ignore whitespace differences):</p>
<ul>
    <li><strong>(REVISED)</strong> <a href="#cve-2008-2711">CVE-2008-2711:</a> <a
	href="fetchmail-SA-2008-01.txt">fetchmail-SA-2008-01.txt</a></li>
    <li><a href="#cve-2007-4565">CVE-2007-4565:</a> <a
	href="fetchmail-SA-2007-02.txt">fetchmail-SA-2007-02.txt</a></li>
</ul>
<p>On 2008-04-24, the <a href="fetchmail-FAQ.html">FAQ</a> <a
    href="fetchmail-FAQ.pdf">(also available as PDF)</a>, <a
    href="fetchmail-man.html">manual page</a> and <a href="fetchmail-SA-2007-01.txt">fetchmail-SA-2007-01.txt (CVE-2007-1558)</a> have been revised.</p>
<p>On 2007-04-06, <a href="http://developer.berlios.de/project/showfiles.php?group_id=1824">fetchmail-6.3.8
was released (this is the download link),</a> fixing up further fallout from the CVE-2006-5867 fix, fixing long-standing bugs, and strengthening the APOP client in response to CVE-2007-1558. <a href="https://developer.berlios.de/project/shownotes.php?group_id=1824&amp;release_id=12610">Click here to see the change details.</a></p> </div>

<div style="background-color:#ffff80;color:#000000;font-size:80%;"> <h1>FETCHMAIL 6.2.X UNSUPPORTED AND VULNERABLE - USE 6.3.X INSTEAD</h1>
<p>fetchmail 6.2.X versions are susceptible to CVE-2006-5867 and CVE-2007-1558 and should be replaced by the most current 6.3.X version. Support has been discontinued as of 2006-01-22.</p>

<!--
<p>On 2006-01-22, fetchmail 6.2.X has reached end of its support life. No
further releases of 6.2.X versions will be made and no bug reports for 6.2.X
will be accepted unless the bug persists in the 6.3.X releases. Users are asked
to upgrade to the most current 6.3.X release; care was taken to keep 6.3.X as
compatible as possible with 6.2.X to ensure a smooth upgrade experience. See
above for 6.3.X release news.</p>
-->

</div>

<div style="background-color:#ff8080;color:#000000;font-size:85%"> <h1>SECURITY ALERTS</h1>
<p><strong>NEW</strong> <a name="cve-2008-2711" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711">CVE-2008-2711:</a> Fetchmail can <a href="fetchmail-SA-2008-01.txt">crash in verbose mode when logging long message headers.</a> This bug will be fixed in release 6.3.9. For the nonce, use the <a href="fetchmail-SA-2008-01.txt">patch contained in the security announcement.</a></p>
<p><a name="cve-2007-4565" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565">CVE-2007-4565:</a> Fetchmail can <a href="fetchmail-SA-2007-02.txt">crash when the SMTP server refuses a warning message generated by fetchmail.</a> This bug was introduced in fetchmail 4.6.8 and will be fixed in release 6.3.9. For the nonce, use the <a href="fetchmail-SA-2007-02.txt">patch contained in this security announcement.</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558">CVE-2007-1558:</a> Fetchmail's APOP client was found to <a href="fetchmail-SA-2007-01.txt">validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets easier than necessary.</a> This bug was long-standing; fetchmail 6.3.8 validates the APOP challenge more strictly.</p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974">CVE-2006-5974:</a> Fetchmail was found to <a href="fetchmail-SA-2006-03.txt">crash when refusing a message that was bound to be delivered by an MDA.</a> This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.</p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867">CVE-2006-5867:</a> Fetchmail was found to <a href="fetchmail-SA-2006-02.txt">omit TLS or send the password in clear text despite the configuration stating otherwise.</a> This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.</p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321">CVE-2006-0321:</a> Fetchmail was found to <a href="fetchmail-SA-2006-01.txt">crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.</a></p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348">CVE-2005-4348:</a> Fetchmail was found to contain <a href="fetchmail-SA-2005-03.txt">a bug (null pointer dereference) that can be exploited for a denial-of-service attack</a> when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.</p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088">CVE-2005-3088:</a> Fetchmailconf was found to <a href="fetchmail-SA-2005-02.txt">open the configuration files world-readable, writing data to them, and only then tightening up permissions</a>, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2.  The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.</p>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335">CVE-2005-2335:</a> Fetchmail was found to contain a <a href="fetchmail-SA-2005-01.txt">remotely exploitable code injection vulnerability (potentially privileged code)</a> in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have this bug fixed. (Other versions have not been checked for this bug.)</p>

<p><strong>Please <a href="http://developer.berlios.de/project/showfiles.php?group_id=1824">update to fetchmail version 6.3.8</a> and apply the two patches from the security announcements CVE-2007-4565 and CVE-2008-2711 above.</strong></p>

</div>

<h1>What fetchmail does:</h1>

<p>Fetchmail is a full-featured, robust, well-documented
remote-mail retrieval and forwarding utility intended to be used over
on-demand TCP/IP links (such as SLIP or PPP connections). It supports
every remote-mail protocol now in use on the Internet: POP2, POP3,
RPOP, APOP, KPOP, all flavors of <a
href="http://www.imap.org">IMAP</a>, ETRN, and ODMR. It can even
support IPv6 and IPSEC.</p>

<p>Fetchmail retrieves mail from remote mail servers and forwards it via
SMTP, so it can then be read by normal mail user agents such as <a
href="http://www.mutt.org/">mutt</a>, elm(1) or BSD Mail.
It allows all your system MTA's filtering, forwarding, and aliasing
facilities to work just as they would on normal mail.</p>

<p>Fetchmail offers better protection against password-sniffing than any
other Unix remote-mail client.  It supports APOP, KPOP, OTP, Compuserve
RPA, Microsoft NTLM, and IMAP RFC1731 encrypted authentication methods
including CRAM-MD5 to avoid sending passwords en clair. It can be
configured to support end-to-end encryption via tunneling with <a
href="http://www.openssh.com/">ssh, the Secure Shell</a>.</p>

<p>Fetchmail can be used as a POP/IMAP-to-SMTP gateway for an entire DNS
domain, collecting mail from a single drop box on an ISP and
SMTP-forwarding it based on header addresses. (We don't really
recommend this, though, as it may lose important envelope-header
information.  ETRN or a UUCP connection is better.)</p>

<p>Fetchmail can be started automatically and silently as a system daemon
at boot time.  When running in this mode with a short poll interval,
it is pretty hard for anyone to tell that the incoming mail link is
not a full-time "push" connection.</p>

<p>Fetchmail is easy to configure.  You can edit its dotfile directly, or
use the interactive GUI configurator (fetchmailconf) supplied with the
fetchmail distribution.  It is also directly supported in linuxconf
versions 1.16r8 and later.</p>

<p>Fetchmail is fast and lightweight.  It packs all its standard
features (POP3, IMAP, and ETRN support) in 196K of core on a
Pentium under Linux.</p>

<p>Fetchmail is <a href="http://www.opensource.org">open-source</a>
and <a href="http://www.gnu.org/philosophy/free-sw.html">free
software</a>.</p>

<h1>Where to find out more about fetchmail:</h1>

<p>See the <a href="fetchmail-features.html">Fetchmail Feature List</a> for more
about what fetchmail does.</p>

<p>See the on-line <a href="fetchmail-man.html">manual page</a> for
basics.</p>

<p>See the <a href="fetchmail-FAQ.html">HTML Fetchmail FAQ</a> for
troubleshooting help.</p>

<p>See the <a href="design-notes.html">Fetchmail Design Notes</a>
for discussion of some of the design choices in fetchmail.</p>

<p>See the project's <a href="todo.html">To-Do list</a> for indications
of known problems and requested features.</p>

<p>The developers use <a
href="http://subversion.tigris.org/">Subversion</a> for revision control.
To get the latest development version, point your subversion client at <a
href="http://mknod.org/svn/fetchmail/trunk/">http://mknod.org/svn/fetchmail/trunk/</a>.</p>

<p>See the <a
href="http://developer.berlios.de/projects/fetchmail/">project
page</a> for more, including <a
href="http://developer.berlios.de/project/showfiles.php?group_id=1824">downloads</a>.
(However, note that we no longer use the subversion repository that Berlios provides.)</p>

<h1>Getting help with fetchmail:</h1>

<p>
There is a fetchmail-users list for help and other user discussion
of fetchmail.  It's a MailMan list, which you can sign up for at <a
href="http://lists.berlios.de/mailman/listinfo/fetchmail-users">
fetchmail-users@lists.berlios.de</a>.  There is also a
fetchmail-devel list for people who want to discuss fixes and
improvements in fetchmail and help co-develop it.  That one is at <a
href="http://lists.berlios.de/mailman/listinfo/fetchmail-devel">
fetchmail-devel@lists.berlios.de</a>.
Finally, there is an announcements-only list, <a
href="http://lists.berlios.de/mailman/listinfo/fetchmail-announce">
fetchmail-announce@lists.berlios.de</a>.</p>

<p>Note: before submitting a question to the lists, <strong>please read
the <a href="fetchmail-FAQ.html">FAQ</a></strong> (especially item <a
href="fetchmail-FAQ.html#G3">G3</a> on how to report bugs).  We
tend to get the same three newbie questions over and over again.  The
FAQ covers them like a blanket.</p>

<h1>Maintainer History</h1>
<p>Fetchmail originated as a program called <i>popclient</i>, written
by Carl Harris.  In 1996, <a href="http://www.catb.org/~esr/">Eric
S. Raymond</a> took over; he soon renamed the program to fetchmail after
adding IMAP support.</p>
<p>In 2004 a new team took over, led by <a
href="http://developer.berlios.de/users/rfunk/">Rob Funk</a>, <a
href="http://developer.berlios.de/users/bob/">Graham Wilson</a>, and <a
href="http://developer.berlios.de/users/m-a/">Matthias Andree</a>. Since then,
Graham Wilson has retreated, and <a
href="http://developer.berlios.de/users/shetye/">Sunil Shetye</a> has
contributed several important pieces of code.</p>

<h1>You can help improve fetchmail:</h1>

<p>We welcome your code contributions.  But even if you don't write code,
you can help fetchmail improve.</p>

<p><strong>If you administer a site that runs a post-office server, you may be
able to help improve fetchmail by lending us a test account on your site.
Note that we do not need a shell account for this purpose, just a 
mailbox and a mail address.  Nor are we interested in collecting maildrops per
se -- what we're collecting is different <em>kinds of servers</em>.</strong></p>

<p>Before each release, we run a test harness that sends date-stamped 
test mail to each site on our regression-test list, then tries to
retrieve it.  Please take a look at the <a href="testservers.html">
list of test servers</a>.  If you can lend us an account on a kind
of server that is <em>not</em> already on this list, please do.</p>

<h1>Where you can use fetchmail:</h1>

<p>The fetchmail code was developed under Linux, but has also been
extensively tested under 4.4BSD, SunOS, Solaris, AIX, and NEXTSTEP.  It
should be readily portable to other Unix variants (it requires only
POSIX plus BSD sockets, and uses GNU autoconf).</p>

<p>Fetchmail is supported only for Unix by its official maintainers.
However, it is reported to build and run correctly under BeOS,
AmigaOS, Rhapsody, and QNX as well.  There is a CygWin port.</p>

<h1>Related works</h1>

<h2>Similar software</h2>

<p><strong>fdm:</strong> A recent software package that integrates basic filtering is <a href="http://fdm.sourceforge.net/">Nicholas Marriott's fdm</a>.</p>

<p><strong>getmail:</strong> When fetchmail's development was
stalled before the latest team took over, <a
href="http://pyropus.ca/software/getmail/">Charles Cazabon's getmail</a> came
along as an intended replacement.  It still doesn't do everything that
fetchmail does, and often suffers from Python library shortcomings, for
instance when it comes to SSL, but it's close enough to give us a bit of
competition.</p>

<p><strong>animail:</strong> Another contender with integrated filtering is <a href="http://juanjoalvarez.net/animaileng">Juanjo &Aacute;lvarez Mart&iacute;nez's Animail</a>.</p>

<h2>Complementary and extension software</h2>

<p>Jochen Hayek is developing a set of
<a href="http://www.b.shuttle.de/hayek/JHimap_utils/">
IMAP tools in Python</a> that read your .fetchmailrc file and are
designed to work with fetchmail.   Jochen's tools can report selected
header lines, or move incoming messages to named mailboxes based on
the contents of headers.</p>

<!-- no longer true
<p>Donncha O Caoihm has written a Perl script called 
<a href="http://blogs.linux.ie/xeer/install-sendmail/">install-sendmail</a>
that assists you in installing sendmail and fetchmail together.</p>
-->

<p>Peter Hawkins has written a script called <a
href="http://linux.cudeso.be/linuxdoc/gotmail.php">gotmail</a> that
can retrieve Hotmail. Another script, <a
href="http://yosucker.sourceforge.net">yosucker</a>, can retrieve
Yahoo webmail.</p>

<p>There's a program called
<a href="http://mailfilter.sourceforge.net/">mailfilter</a> which can be used
to do spam filtering and works particularly well when called from fetchmail's
<code>preconnect</code> directive.</p>

<p>A hacker identifying himself simply as 'Steines' has written a
filter which rewrites the to-line with a line which only includes
recipients for a given domain and renames the old to-line. It also
rewrites the domain-part of addresses if the official domain is
different from the local domain. You can find it <a 
href="http://www.steines.com/mailf/">here</a>.</p>

</div>

<a href="http://developer.berlios.de"> 
<img src="http://developer.berlios.de/bslogo.php?group_id=1824&amp;type=1" width="124" height="32" border="0" alt="BerliOS Logo" align="right" /></a>

</body>
</html>