* More fixes for SMTP bugs and others
## BUGFIXES:
* When authenticating to an SMTP server, the AUTH LOGIN method (which didn't
become a proposed standard, and is only the third method fetchmail would try,
if CRAM-MD5 and PLAIN weren't offered) required that the server returned
a 334 code followed by a blank and by a decodable base64 challenge we ignored
anyways. This is in line with RFC 4952.
However, to improve compatibility, fetchmail now accepts anything that
starts with "334 " and disregards the remainder of the line.
At the same time, AUTH LOGIN was deprecated. AUTH PLAIN should be available
everywhere AUTH LOGIN is, and is specified in IETF RFC 4616.
* When authenticating to an SMTP server, i. e. esmtpname/esmtppassword are
defined, check for errors, and skip servers that do not understand EHLO,
because we cannot negotiate supported authentication schemes with them.
This should avoid attempting to send a lot of messages and see them rejected.
* When authenticating to an SMTP server, do not send client abort "*" when
we receive any other server reply but 334.
* Extend 6.5.6's RFC-5321 address-literal fix to MAIL FROM. This might
apply when we only have a server's IP address and need to quality
addresses without domain. Fixes Debian Bug#1080025.
* SMTP AUTH can now look up passwords from the .netrc file - for that,
fetchmail's esmtpname setting must match the login for the given host in
.netrc. Fixes Debian Bug#1056651 by Ticker Berkin.
* Improve the GSSAPI (Kerberos V) build, which was pretty hard to get working.
This was improved. Recommendation:
- For autoconf builds (./configure), be sure to have the desired krb5-config
executable early on $PATH before running ./configure.
- For meson builds, be sure to list the path to your krb5-gssapi.pc file on
PKG_CONFIG_PATH. (meson will fall back to krb5-config, so if that's on PATH,
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=167
* Rebased fetchmail-add-passwordfile-and-passwordfd-options.patch
* Rebased fetchmail-add-query_to64_outsize-utility-function.patch
* Rebased fetchmail-bump-max-passwordlen-to-1bytes.patch
* Rebased fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
* Rebased fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
* Rebased fetchmail-re-read-passwordfile-on-every-poll.patch
* Rebased fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
* SECURITY BUGFIX:
* fetchmail-SA-2025-01.txt: CVE pending assignment by MITRE
An SMTP server advertising EHLO and AUTH, and if fetchmail is configured to
authenticate (esmtpname and esmtppassword given and non-empty), the server
might crash fetchmail by sending a "334" response without further blank to
fetchmail's AUTH request. This is in violation of applicable RFC-4952 though.
Fetchmail now detects this situation and reports it separately as
malformed server reply.
Fetchmail 6.5.6 has been released without waiting for translation updates
or CVE identifier, these will be provided in followup releases.
* BUGFIXES:
* RFC-5321: When the --smtpaddress, --smtphost, --smtpname, -D or -S argument
is an numeric address literal such as 192.0.2.2 or 2001:0DB8::4321, properly
format that as such in the SMTP RCPT command as user@[192.0.2.2] or
user@[IPv6:2001:0DB8::4321].
* When printing output on the console while fetching mail, do not intersperse
another copy of our program name and date in the middle of a log line.
Workaround for older versions: --logfile /dev/tty (might also use
--logfile /dev/stderr) - but note this changes buffering behavior and may
output to appear later and without ticker marks.
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=165
