commit 9f1d1d27edbb3cf0b5e70055667cee0ecaddfacf9b93ef333bb27626455dac32
Author: Angel Yankov
Date: Fri Nov 29 14:58:57 2024 +0000
Accepting request 1227336 from home:ayankov:branches:server:mail
- Upgrade to 6.5.1
* Drop two wolfSSL compile-time checks that were for older 6.4 or for future
7.0 releases and broke compilation with wolfSSL 5.7.4.
Fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282413#c4
* Use %p instead of non-portable %#p for one wolfSSL-related diagnostic message
(FreeBSD defines %#p to be %p, on many other platforms it's undefined
behavior).
* Add regex_helper.c to list of files that contain translatable strings,
which contains two strings we missed to translate.
* Simplify EVP_MD_fetch API detection ("like OpenSSL 3" vs. "like OpenSSL 1")
for version switch and base it on the claimed OpenSSL version of the crypto
SSL, which works for LibreSSL (claims OpenSSL 2) and wolfSSL alike.
* Several translations added
- Rebased fetchmail-6.3.8-smtp_errors.patch
- Rebased fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch
- Rebased fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch
- Rebased fetchmail-add-imap-oauthbearer-support.patch
- Rebased fetchmail-add-passwordfile-and-passwordfd-options.patch
- Rebased fetchmail-add-query_to64_outsize-utility-function.patch
- Rebased fetchmail-bump-max-passwordlen-to-1bytes.patch
- Rebased fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
- Rebased fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
- Rebased fetchmail-re-read-passwordfile-on-every-poll.patch
- Rebased fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
- Rebased fetchmailconf-no-more-future.patch
OBS-URL: https://build.opensuse.org/request/show/1227336
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=159
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/fetchmail-6.3.8-smtp_errors.patch b/fetchmail-6.3.8-smtp_errors.patch
new file mode 100644
index 0000000..a37d48b
--- /dev/null
+++ b/fetchmail-6.3.8-smtp_errors.patch
@@ -0,0 +1,41 @@
+# Patches fetchmail's behaviour for SMTP servers which:
+# 1) insist on using TLS - we do not want messages which cannot
+# be sent due to server negotiation problems lost - rather we
+# keep them on the mailserver. As users should realize rather
+# quickly that something went wrong, the overhead shouldn't
+# be considered that important.
+# 2) use the 501 error code to mark spam - in such a case
+# the 'antispam' option should be used
+Index: fetchmail-6.5.1/sink.c
+===================================================================
+--- fetchmail-6.5.1.orig/sink.c
++++ fetchmail-6.5.1/sink.c
+@@ -526,6 +526,19 @@ static int handle_smtp_report(struct que
+ free(responses[0]);
+ return(PS_TRANSIENT);
+
++ case 501: /* Syntax error in parameters or arguments */
++ /*
++ * Some SMTP servers use this error code to refuse spam, however
++ * as we don't want to delete message if e.g. the address is (possibly
++ * by mistake) malformed, user has to use the 'antispam' option to
++ * treat this as spam symptom
++ */
++ free(responses[0]);
++ if (outlevel > O_SILENT)
++ report_complete(stdout,
++ GT_(" SMTP 501 error - if the server uses this code to report spam, include '501' in the 'antispam' option .\n"));
++ return(PS_TRANSIENT);
++
+ default:
+ /* bounce non-transient errors back to the sender */
+ if (smtperr >= 500 && smtperr <= 599)
+@@ -591,7 +604,7 @@ static int handle_smtp_report_without_bo
+ case 553: /* invalid sending domain */
+ return(PS_REFUSED);
+
+- default:
++ default:
+ /* bounce non-transient errors back to the sender */
+ if (smtperr >= 500 && smtperr <= 599)
+ return(PS_SUCCESS);
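Review bot: The new `case 501` is added only to handle_smtp_report(); in the second inner hunk, handle_smtp_report_without_bounce() still lets 501 fall into `default:`, where any 5xx code returns PS_SUCCESS. If that return means the message is treated as handled (not visible here), the no-bounce path contradicts the header comment's stated intent of keeping such mail on the server; a matching `case 501: return(PS_TRANSIENT);` there, adjusted for whatever cleanup that function needs, would make both paths agree. The second inner hunk changes only the whitespace of `default:` and could be dropped from the patch, and the new message has a stray space before the full stop in `'antispam' option .\n`. Both functions start and end outside the hunk.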
diff --git a/fetchmail-6.4.38.tar.xz b/fetchmail-6.4.38.tar.xz
new file mode 100644
index 0000000..f1b1ee7
--- /dev/null
+++ b/fetchmail-6.4.38.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a6cb4ea863ac61d242ffb2db564a39123761578d3e40d71ce7b6f2905be609d9
+size 1220892
diff --git a/fetchmail-6.4.38.tar.xz.asc b/fetchmail-6.4.38.tar.xz.asc
new file mode 100644
index 0000000..ff286a0
--- /dev/null
+++ b/fetchmail-6.4.38.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmW6so4ACgkQ5BKxVu/z
+hVpUtw//YQSqqTTXxtZEY3+sq/19wrEcieYuCOq/4HzlIPywfL30uDMHBOnsx5aM
+c2CDiaOnvneV4HYUlwARshmdXupY3Wt88t5dHT131FUpl/mhHPERO2yARwgPAVPZ
+ouBIGFVG/zvvsMj80znuwkWnedLO4bKfdK5jbKP8MPBE/MDROiC9TgOpRJyiXwV1
+os5o9IgTVcsdm6kfoS9RzYYQOFkpzWOqOckd/gUbX7+MXTRZlm8XuFYlT5RhayMv
+YDVNiCuhsu8k0rFiouONzSEq0hYhP+jiKUKtLG32TvyiuJjhJdTb/QHikB0bJY5z
+SAWQM86Hu6aqR84HxHiHxL6mkoTq390LQ6OasUZll61fp14uS7wFS1MtrS34va9+
+VvZFnvPCRWmUc9jAu7lPjwefDcFi9553F+lBi0+B5Pk0LSekNIvR7Wm2FrY8NNYo
+t+YgiPTXIGkV2GHLntNXPm2z+EM831UaFE7l4ytrJ3MKexr+eDjhCQGqjn3Oc3eZ
+mzYuuekFYDzHiBkEDIZj/NT66zW/6z0mPWoTWHdWHyPedCZR6GKD4mZQC34O/idj
+v14RITz1JqEwRKJKQQ9iYETsIXAHH/I9tEFGsUKfGeLQTqPwIh5rmv81wi3os300
+b1fZrG6BB0CT4t3CRwB55Tdb39+PD52SdqxzibTTNYwfaW3zqHo=
+=M6hf
+-----END PGP SIGNATURE-----
diff --git a/fetchmail-6.5.1.tar.xz b/fetchmail-6.5.1.tar.xz
new file mode 100644
index 0000000..20245cd
--- /dev/null
+++ b/fetchmail-6.5.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ca3fdb95141c277aca109be77f4d45b47e03ee010043058dd90bc182db518d4a
+size 1110924
diff --git a/fetchmail-6.5.1.tar.xz.asc b/fetchmail-6.5.1.tar.xz.asc
new file mode 100644
index 0000000..c2f54d2
--- /dev/null
+++ b/fetchmail-6.5.1.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmcz6JcACgkQ5BKxVu/z
+hVptQA//c7mklRvCJmSIhF91w0XntT5aOoWL19zLLZXBXgU+3YXmhu8sUufaZtVF
+ORJpJPvxEuK3g3Ja9rS4q959pM1rTDZ15GvpnF9oXUi62xLEEGzMweU8PIIMu7Ov
+AV6kJMJ0jmVEBwRhVnYn18+QgiB33hy6CiHbzKXQafElbSbR+7Cg7C4tPpv2hlfh
+BslV/zZIGwDfi6GrlZqfPyd/r8258fhsmUQa/y/HTYm9QCc1DKXfSPzqpb1yZMLe
+omOw0IMduE2xn2QsWz2CgdeNO7QPH6qFoM9SJTh3xtI4f7xVb6tLW4vvVpOQb85E
+LIUg+NWoqBmLBx2wkLttSld9kDJZFTVksZEa7XcvJGY62tIeLAn/0Y1Ytg6Xpm9H
+oihaNZ7vhsB6iwNWOuHxXtJOpvkMfEDmtSQDoT3ier+HA8/+ofiLUrctZ30uh0da
+R/AjFDwFD53lbdWmfMpL+ZUHcctSg+3MDaL2AF2eOkxlDf0+zESffncxLLUXnhgR
+5eSpxg/CclShPY1kkq6D3UTznwLu4UxsjL2YmQS0jefE4VrJOBFxpExMs2z/tMKn
+yRV8JnDWTAHtw1FmynXz0YClXVHSKlf2h4vTUf92hapwvcz2ExhjkLDFiMMi+/jX
++Qlb4iYVUdg5rqvTCTgWoHC4nArbcSSlYrxSQZpjSzUzyJzsSX8=
+=fYQt
+-----END PGP SIGNATURE-----
diff --git a/fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch b/fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch
new file mode 100644
index 0000000..c02dbb6
--- /dev/null
+++ b/fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch
@@ -0,0 +1,48 @@
+From: Matthew Ogilvie
+Date: Sat, 3 Jun 2017 17:57:22 -0600
+Subject: FAQ: list gmail options including oauthbearer and app password
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: dbeee6a0c0fc5392953f38d6f0dcffdeeb8ae141
+
+---
+ fetchmail-FAQ.html | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+Index: fetchmail-6.5.1/fetchmail-FAQ.html
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail-FAQ.html
++++ fetchmail-6.5.1/fetchmail-FAQ.html
+@@ -1956,12 +1956,28 @@ authentication schemes based on OAuth 2.
+ users to jump through quite a few hoops, and use web browsers for
+ signing in, and software vendors to hand in their software for
+ sometimes paid reviews. Such is not going to happen for fetchmail.
++
++If this hinders access to your account through fetchmail, you have some
++options:
++
++ - You can generate and use an
++ App Password.
++ This is probably best unless you are on a "G-Suite" account and the
++ administrator has disabled this option.
++ - You can use separate tools to generate and renew oauth2 access
++ tokens. Then configure fetchmail to use "auth oauthbearer" and use
++ a current access token as the password. See comments and --help in
++ contrib/fetchmail-oauth2.py from the fetchmail source tree
++ for more information. This is derived from Google's
++ OAuth2DotPyRunThrough,
++ associated code, RFC-7628, and RFC-6750.
++ - You may turn on access for "less secure apps" at
++ https://www.google.com/settings/security/lesssecureapps,
++ or see https://support.google.com/accounts/answer/6010255.
++ But G-suite administrators are more likely to have disabled
++ this option than "App Password"s.
++
+
+-If this hinders access to your account through fetchmail, you may
+-need to turn on access for "less secure apps", or create an application or service specific password.
+-
+-For Google, this - at some point in time - used to live at https://myaccount.google.com/lesssecureapps.
+ It is disputable whether an application that does not include web
+ browsing capabilities or heavy-weight libraries is "less secure" as
+ Google claims.
diff --git a/fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch b/fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch
new file mode 100644
index 0000000..d603fba
--- /dev/null
+++ b/fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch
@@ -0,0 +1,616 @@
+From: Matthew Ogilvie
+Date: Thu, 1 Jun 2017 00:09:02 -0600
+Subject: add contrib/fetchnmail-oauth2.py token acquisition utility
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: c82625858682eb2396b6a49da79e403c6f2b018b
+
+---
+ contrib/README | 6
+ contrib/fetchmail-oauth2.py | 567 ++++++++++++++++++++++++++++++++++++++++++++
+ fetchmail.man | 3
+ 3 files changed, 575 insertions(+), 1 deletion(-)
+ create mode 100755 contrib/fetchmail-oauth2.py
+
+Index: fetchmail-6.5.1/contrib/README
+===================================================================
+--- fetchmail-6.5.1.orig/contrib/README
++++ fetchmail-6.5.1/contrib/README
+@@ -181,6 +181,12 @@ sendmail 8.11.0 with multidrop.
+
+ Watchdog script to check whether fetchmail is working in daemon mode.
+
++### fetchmail-oauth2.py
++
++Script to obtain oauth2 access tokens that "fetchmail --auth oauthbearer"
++expects in place of the password. See --help and comments in the
++script, as well as fetchmail --auth documentation.
++
+ ### mold-remover.py
+
+ A short python script to remove old read mail from a pop3 mailserver.
+Index: fetchmail-6.5.1/contrib/fetchmail-oauth2.py
+===================================================================
+--- /dev/null
++++ fetchmail-6.5.1/contrib/fetchmail-oauth2.py
+@@ -0,0 +1,567 @@
++#!/usr/bin/python
++#
++# Updates: Copyright 2017 Matthew Ogilvie (mogilvie+fml at zoho.com)
++# - Started with https://github.com/google/gmail-oauth2-tools.git
++# commit 45c39795044c604ed126205806191a8473c0f671 dated
++# 2015-06-09.
++# - Add file interaction (--refresh, --auto_refresh,
++# --obtain_refresh_token_file and related options).
++# - Support both python 2 and 3.
++# - Keeping the same license (below).
++#
++# Copyright 2012 Google Inc.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++ # http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++###############
++# POSSIBLE IMPROVEMENTS:
++#
++# FUTURE: Explicitly track expiration time of access tokens,
++# and base --auto_refresh on actual expiration time instead of
++# simple age.
++# FUTURE: Add a mode that can print the access token by itself to
++# stdout, presumably piped into fetchmail or similar (either both
++# launched by a wrapper script, this launches fetchmail, or fetchmail
++# launches this).
++# FUTURE: Mix old and new interfaces (or get rid of old interface):
++# Support using a config file to supply some of the details
++# for the original google modes of operation (--generate_oauth2_token,
++# --generate_oauth2_string, --refresh_token, and --test_*).
++# Also support providing sensative data on the command line instead
++# of files for the new modes of operation, despite the lack
++# of security (process listings, .bash_history files, etc).
++# FUTURE: Revise model for how to set permissions on updated files?
++# Preserve existing? Somehow allow setting UID/GID? Warn if files
++# are accessible by anyone but the current user?
++
++"""Performs client tasks for testing IMAP OAuth2 authentication.
++
++This documentation and examples is for gmail. For other providers,
++you will likely need to track down appropriate non-default settings
++for auth_url, token_url, and scope.
++
++To use this script, you'll need to have registered with Google as an OAuth
++application and obtained an OAuth client ID and client secret.
++See https://developers.google.com/identity/protocols/OAuth2 and
++https://developers.google.com/identity/sign-in/web/devconsole-project
++for instructions on registering and for documentation of the APIs
++invoked by this code.
++
++This script has 2 main modes of operation.
++
++1. The first mode is used to generate and authorize an OAuth2 token, the
++first step in logging in via OAuth2.
++
++First, after registering your "application" (above) you should setup a
++configuration file. Use a text editor to do the command-line equivalent of:
++
++ sed 's/^ *//' > /path/to/oauth2Config.properties << EOF
++ client_id=1038[...].apps.googleusercontent.com
++ client_secret=VWFn8LIKAMC-MsjBMhJeOplZ
++ refresh_token_file=/home/path/to/refresh_token_file
++ access_token_file=/home/path/to/access_token_file
++EOF
++
++ chmod 600 /path/to/oauth2Config.properties
++
++Then run the following, and repeat any time the refresh token stops
++working, such as when you change your password. This is interactive
++and requires a web browser to complete:
++
++ oauth2 -c /path/to/oauth2Config.properties --obtain_refresh_token_file
++
++The script will converse with Google and generate an oauth request
++token, then present you with a URL you should visit in your browser to
++authorize the token. Once you get the verification code from the Google
++website, enter it into the script, which will then save access and referesh
++tokens to the corresponding files for later use.
++
++Also, you'll usually need to configure fetchmail by
++including a section like the following in your .fetchmailrc:
++
++ poll imap.gmail.com protocol imap
++ auth oauthbearer username "USER@gmail.com"
++ passwordfile "/home/path/to/access_token_file"
++ is LOCALUSER here sslmode wrapped sslcertck
++
++Alternative for debugging: You can also use the original google
++script interface to obtain these tokens without involving files:
++
++ oauth2 \
++ --client_id=1038[...].apps.googleusercontent.com \
++ --client_secret=VWFn8LIKAMC-MsjBMhJeOplZ \
++ --generate_oauth2_token
++
++
++-----
++2. The script will generate new access tokens using a refresh token.
++
++This uses the same config file setup above.
++
++ oauth2 -c /path/to/oauth2Config.properties --auto_refresh
++ # Or force refresh by using --refresh instead of --auto_refresh.
++
++ fetchmail -s # or other tools configured to use the access_token_file
++ # And/or call something to update outgoing MTA relay configuration,
++ # if necessary.
++
++You may put this sequence in a short shell script,
++and configure cron to call it a few times per hour.
++
++Alternative for debugging: You can also use the original google
++script interface to refresh the token without involving files:
++
++ oauth2 \
++ --client_id=1038[...].apps.googleusercontent.com \
++ --client_secret=VWFn8LIKAMC-MsjBMhJeOplZ \
++ --refresh_token=1/Yzm6MRy4q1xi7Dx2DuWXNgT6s37OrP_DW_IoyTum4YA
++
++-----
++Google's non-file script interface also supports a few other
++testing modes; see --help.
++"""
++
++from __future__ import print_function
++import base64
++import imaplib
++import json
++from optparse import OptionParser
++import smtplib
++import sys
++import os
++import time
++
++try:
++ import urllib.request as urlopen
++ import urllib.parse as urlparse
++except ImportError:
++ import urllib as urlopen
++ import urllib as urlparse
++
++try: input = raw_input
++except NameError: pass
++
++
++def SetupOptionParser():
++ # Usage message is the module's docstring.
++ parser = OptionParser(usage=__doc__)
++ parser.add_option('-c', '--config_file',
++ default=None,
++ help='Configuration file for --refresh '
++ 'and --obtain_refresh_token_file.\n'
++ 'The file should contain 4 (or more) settings, '
++ 'one per line, or they can also be overridden '
++ 'by the equivalent options:\n'
++ ' client_id=...\n'
++ ' client_secret=...\n'
++ ' refresh_token_file=/path/to/...\n'
++ ' access_token_file=/path/to/...\n'
++ ' Also max_age_sec, scope, umask, auth_url, and'
++ ' token_url have reasonable defaults for google.')
++ parser.add_option('--auto_refresh',
++ action='store_const',
++ default=None,
++ const=1,
++ dest='refresh',
++ help='Automatically refresh access_token_file, '
++ 'if older than max_age_sec from '
++ 'required -c /file/ info.');
++ parser.add_option('--refresh',
++ action='store_const',
++ const=2,
++ dest='refresh',
++ help='Refresh access_token_file '
++ 'unconditionally. Requires -c /file/ info.');
++ parser.add_option('--obtain_refresh_token_file',
++ action='store_true',
++ dest='obtain_refresh_token_file',
++ default=None,
++ help='Update refresh token in file. This is '
++ 'interactive, and requires '
++ 'a web browser. Also requires -c /file/ info. '
++ 'This also saves an initial access_token_file.');
++ parser.add_option('--client_id',
++ default=None,
++ help='Client ID of the application that is authenticating. '
++ 'See OAuth2 documentation for details.')
++ parser.add_option('--client_secret',
++ default=None,
++ help='Client secret of the application that is '
++ 'authenticating. See OAuth2 documentation for '
++ 'details.')
++ parser.add_option('--access_token_file',
++ default=None,
++ help='File name containing OAuth2 access token')
++ parser.add_option('--refresh_token_file',
++ default=None,
++ help='File name containing OAuth2 refresh token')
++ parser.add_option('--max_age_sec',
++ default=None, # manual default 3000
++ help='default max file age for --auto_refresh. '
++ 'Defaults to 3000 (10 minutes short of '
++ 'normal 3600 sec token expiration).')
++ parser.add_option('--umask',
++ default=None, # manual default 0077
++ help='default umask for --auto_refresh and '
++ '--obtain_refresh_token_file. Defaults to 0077.')
++ parser.add_option('--scope',
++ default=None, # manual default='https://mail.google.com/'
++ help='scope for the access token. Multiple scopes can be '
++ 'listed separated by spaces with the whole argument '
++ 'quoted. Defaults to https://mail.google.com/')
++ parser.add_option('--auth_url',
++ default=None, # manual default...
++ help='Permission URL for --obtain_refresh_token_file. '
++ 'Defaults to https://accounts.google.com/o/oauth2/auth.')
++ parser.add_option('--token_url',
++ default=None, # manual default...
++ help='Token URL for --obtain_refresh_token_file,'
++ ' and --refresh. '
++ 'Defaults to https://accounts.google.com/o/oauth2/token.')
++ parser.add_option('--generate_oauth2_token',
++ action='store_true',
++ dest='generate_oauth2_token',
++ help='(OLD/testing) generates an OAuth2 token for testing.'
++ ' Ignores all files.')
++ parser.add_option('--refresh_token',
++ default=None,
++ help='(OLD/testing) Generate a new access token using'
++ ' this OAuth2 refresh token. Ignores all files.')
++ parser.add_option('--user',
++ default=None,
++ help='(OLD/testing) email address of user whose account'
++ ' is being accessed')
++ parser.add_option('--access_token',
++ default=None,
++ help='(OLD/testing) OAuth2 access token.')
++ parser.add_option('--generate_oauth2_string',
++ action='store_true',
++ dest='generate_oauth2_string',
++ help='(OLD/testing) generates an initial client response'
++ ' string for OAuth2. Ignores all files.')
++ parser.add_option('--test_imap_authentication',
++ action='store_true',
++ dest='test_imap_authentication',
++ help='(OLD/testing) attempts to authenticate to IMAP. '
++ 'Ignores all files.')
++ parser.add_option('--test_smtp_authentication',
++ action='store_true',
++ dest='test_smtp_authentication',
++ help='(OLD/testing) attempts to authenticate to SMTP. '
++ 'Ignores all files.')
++ return parser
++
++
++# Hardcoded dummy redirect URI for non-web apps.
++REDIRECT_URI = 'urn:ietf:wg:oauth:2.0:oob'
++
++
++def UrlEscape(text):
++ # See OAUTH 5.1 for a definition of which characters need to be escaped.
++ return urlparse.quote(text, safe='~-._')
++
++
++def UrlUnescape(text):
++ # See OAUTH 5.1 for a definition of which characters need to be escaped.
++ return urlparse.unquote(text)
++
++
++def FormatUrlParams(params):
++ """Formats parameters into a URL query string.
++
++ Args:
++ params: A key-value map.
++
++ Returns:
++ A URL query string version of the given parameters.
++ """
++ param_fragments = []
++ for param in sorted(params.items(), key=lambda x: x[0]):
++ param_fragments.append('%s=%s' % (param[0], UrlEscape(param[1])))
++ return '&'.join(param_fragments)
++
++
++def GeneratePermissionUrl(client_id, scope, auth_url):
++ """Generates the URL for authorizing access.
++
++ This uses the "OAuth2 for Installed Applications" flow described at
++ https://developers.google.com/accounts/docs/OAuth2InstalledApp
++
++ Args:
++ client_id: Client ID obtained by registering your app.
++ scope: scope for access token, e.g. 'https://mail.google.com'
++ Returns:
++ A URL that the user should visit in their browser.
++ """
++ if not scope:
++ scope = 'https://mail.google.com/'
++ if not auth_url:
++ auth_url = 'https://accounts.google.com/o/oauth2/auth'
++ params = {}
++ params['client_id'] = client_id
++ params['redirect_uri'] = REDIRECT_URI
++ params['scope'] = scope
++ params['response_type'] = 'code'
++ return '%s?%s' % (auth_url, FormatUrlParams(params))
++
++
++def AuthorizeTokens(client_id, client_secret, authorization_code, token_url):
++ """Obtains OAuth access token and refresh token.
++
++ This uses the application portion of the "OAuth2 for Installed Applications"
++ flow at https://developers.google.com/accounts/docs/OAuth2InstalledApp#handlingtheresponse
++
++ Args:
++ client_id: Client ID obtained by registering your app.
++ client_secret: Client secret obtained by registering your app.
++ authorization_code: code generated by Google Accounts after user grants
++ permission.
++ Returns:
++ The decoded response from the Google Accounts server, as a dict. Expected
++ fields include 'access_token', 'expires_in', and 'refresh_token'.
++ """
++ params = {}
++ params['client_id'] = client_id
++ params['client_secret'] = client_secret
++ params['code'] = authorization_code
++ params['redirect_uri'] = REDIRECT_URI
++ params['grant_type'] = 'authorization_code'
++ if not token_url:
++ token_url = 'https://accounts.google.com/o/oauth2/token'
++
++ response = urlopen.urlopen(token_url,
++ urlparse.urlencode(params).encode('ascii')).read()
++ return json.loads(response.decode("utf-8"))
++
++
++def RefreshToken(client_id, client_secret, refresh_token, token_url):
++ """Obtains a new token given a refresh token.
++
++ See https://developers.google.com/accounts/docs/OAuth2InstalledApp#refresh
++
++ Args:
++ client_id: Client ID obtained by registering your app.
++ client_secret: Client secret obtained by registering your app.
++ refresh_token: A previously-obtained refresh token.
++ Returns:
++ The decoded response from the Google Accounts server, as a dict. Expected
++ fields include 'access_token', 'expires_in', and 'refresh_token'.
++ """
++ params = {}
++ params['client_id'] = client_id
++ params['client_secret'] = client_secret
++ params['refresh_token'] = refresh_token
++ params['grant_type'] = 'refresh_token'
++ if not token_url:
++ token_url = 'https://accounts.google.com/o/oauth2/token'
++
++ response = urlopen.urlopen(token_url,
++ urlparse.urlencode(params).encode('ascii')).read()
++ return json.loads(response.decode("utf-8"))
++
++
++def GenerateOAuth2String(username, access_token, base64_encode=True):
++ """Generates an IMAP OAuth2 authentication string.
++
++ See https://developers.google.com/google-apps/gmail/oauth2_overview
++
++ Args:
++ username: the username (email address) of the account to authenticate
++ access_token: An OAuth2 access token.
++ base64_encode: Whether to base64-encode the output.
++
++ Returns:
++ The SASL argument for the OAuth2 mechanism.
++ """
++ auth_string = 'user=%s\1auth=Bearer %s\1\1' % (username, access_token)
++ if base64_encode:
++ auth_string = base64.b64encode(auth_string)
++ return auth_string
++
++
++def TestImapAuthentication(user, auth_string):
++ """Authenticates to IMAP with the given auth_string.
++
++ Prints a debug trace of the attempted IMAP connection.
++
++ Args:
++ user: The Gmail username (full email address)
++ auth_string: A valid OAuth2 string, as returned by GenerateOAuth2String.
++ Must not be base64-encoded, since imaplib does its own base64-encoding.
++ """
++ print()
++ imap_conn = imaplib.IMAP4_SSL('imap.gmail.com')
++ imap_conn.debug = 4
++ imap_conn.authenticate('XOAUTH2', lambda x: auth_string)
++ imap_conn.select('INBOX')
++
++
++def TestSmtpAuthentication(user, auth_string):
++ """Authenticates to SMTP with the given auth_string.
++
++ Args:
++ user: The Gmail username (full email address)
++ auth_string: A valid OAuth2 string, not base64-encoded, as returned by
++ GenerateOAuth2String.
++ """
++ print()
++ smtp_conn = smtplib.SMTP('smtp.gmail.com', 587)
++ smtp_conn.set_debuglevel(True)
++ smtp_conn.ehlo('test')
++ smtp_conn.starttls()
++ smtp_conn.docmd('AUTH', 'XOAUTH2 ' + base64.b64encode(auth_string))
++
++
++def RequireOptions(options, *args):
++ missing = [arg for arg in args if getattr(options, arg) is None]
++ if missing:
++ print('Missing options: %s' % ' '.join(missing))
++ sys.exit(-1)
++
++def parseConfigFile(options):
++ if options.config_file:
++ cfg = dict(line.strip().split('=',1) for line in open(options.config_file))
++ else:
++ cfg = { }
++ # defaults:
++ if not 'scope' in cfg:
++ cfg['scope'] = 'https://mail.google.com/'
++ if not 'max_age_sec' in cfg:
++ cfg['max_age_sec'] = '3000'
++ if not 'umask' in cfg:
++ cfg['umask'] = '0077'
++ if not 'auth_url' in cfg:
++ cfg['auth_url'] = 'https://accounts.google.com/o/oauth2/auth'
++ if not 'token_url' in cfg:
++ cfg['token_url'] = 'https://accounts.google.com/o/oauth2/token'
++ # overrides (from command line):
++ for arg in [ 'scope', 'client_id', 'client_secret', 'umask',
++ 'max_age_sec', 'access_token_file', 'refresh_token_file',
++ 'auth_url', 'token_url' ]:
++ if getattr(options,arg):
++ cfg[arg] = getattr(options,arg)
++ return cfg
++
++def requireConfig(cfg, *args):
++ missing = [arg for arg in args if not arg in cfg]
++ if missing:
++ print('Missing options: %s' % ' '.join(missing))
++ sys.exit(-1)
++
++
++def main(argv):
++ options_parser = SetupOptionParser()
++ (options, args) = options_parser.parse_args()
++ if options.refresh:
++ cfg = parseConfigFile(options)
++ requireConfig(cfg, 'refresh_token_file', 'access_token_file',
++ 'client_id', 'client_secret', 'umask')
++ st = os.stat(cfg['access_token_file'])
++ if options.refresh < 2:
++ requireConfig(cfg, 'max_age_sec')
++ if time.time()-st.st_mtime < int(cfg['max_age_sec']):
++ return
++ with open(cfg['refresh_token_file'],"r") as f:
++ reftok = f.readline().rstrip()
++ if len(reftok) == 0:
++ print('refresh token is empty')
++ sys.exit(-1)
++ response = RefreshToken(cfg['client_id'],cfg['client_secret'],reftok,
++ cfg['token_url'])
++ newTok = response['access_token']
++ if len(newTok) == 0:
++ print('failed to obtain access token: it is empty')
++ sys.exit(-1)
++ savedUmask = os.umask(int(cfg['umask'],8))
++ try:
++ with open(cfg['access_token_file']+".tmp","w") as f:
++ f.write(newTok)
++ f.write('\n')
++ os.rename(cfg['access_token_file']+".tmp",cfg['access_token_file'])
++ finally:
++ os.umask(savedUmask)
++ elif options.obtain_refresh_token_file:
++ cfg = parseConfigFile(options)
++ requireConfig(cfg, 'refresh_token_file', 'access_token_file',
++ 'client_id', 'client_secret', 'umask')
++ print('To authorize token, visit this url and follow the directions:')
++ print(' %s' % GeneratePermissionUrl(cfg['client_id'], cfg['scope'],
++ cfg['auth_url']))
++ authorization_code = input('Enter verification code: ')
++ response = AuthorizeTokens(cfg['client_id'], cfg['client_secret'],
++ authorization_code, cfg['token_url'])
++ newRefTok = response['refresh_token']
++ if len(newRefTok) == 0:
++ print('failed to obtain refresh token: it is empty')
++ sys.exit(-1)
++ newTok = response['access_token']
++ if len(newTok) == 0:
++ print('failed to obtain corresponding access token: it is empty')
++ sys.exit(-1)
++ savedUmask = os.umask(int(cfg['umask'],8))
++ try:
++ with open(cfg['refresh_token_file']+".tmp","w") as f:
++ f.write(newRefTok)
++ f.write('\n')
++ os.rename(cfg['refresh_token_file']+".tmp",cfg['refresh_token_file'])
++ with open(cfg['access_token_file']+".tmp","w") as f:
++ f.write(newTok)
++ f.write('\n')
++ print("Refresh token saved to '%s'" % cfg['refresh_token_file'])
++ print("Initial access token saved to '%s'" % cfg['access_token_file'])
++ print('Access Token Expiration Seconds: %s' % response['expires_in'])
++ os.rename(cfg['access_token_file']+".tmp",cfg['access_token_file'])
++ finally:
++ os.umask(savedUmask)
++
++ ##### (OLD/testing options)
++
++ elif options.refresh_token:
++ RequireOptions(options, 'client_id', 'client_secret')
++ response = RefreshToken(options.client_id, options.client_secret,
++ options.refresh_token, options.token_url)
++ print('Access Token: %s' % response['access_token'])
++ print('Access Token Expiration Seconds: %s' % response['expires_in'])
++ elif options.generate_oauth2_string:
++ RequireOptions(options, 'user', 'access_token')
++ print ('OAuth2 argument:\n' +
++ GenerateOAuth2String(options.user, options.access_token))
++ elif options.generate_oauth2_token:
++ RequireOptions(options, 'client_id', 'client_secret')
++ print('To authorize token, visit this url and follow the directions:')
++ print(' %s' % GeneratePermissionUrl(options.client_id, options.scope,
++ options.auth_url))
++ authorization_code = input('Enter verification code: ')
++ response = AuthorizeTokens(options.client_id, options.client_secret,
++ authorization_code, options.token_url)
++ print('Refresh Token: %s' % response['refresh_token'])
++ print('Access Token: %s' % response['access_token'])
++ print('Access Token Expiration Seconds: %s' % response['expires_in'])
++ elif options.test_imap_authentication:
++ RequireOptions(options, 'user', 'access_token')
++ TestImapAuthentication(options.user,
++ GenerateOAuth2String(options.user, options.access_token,
++ base64_encode=False))
++ elif options.test_smtp_authentication:
++ RequireOptions(options, 'user', 'access_token')
++ TestSmtpAuthentication(options.user,
++ GenerateOAuth2String(options.user, options.access_token,
++ base64_encode=False))
++ else:
++ options_parser.print_help()
++ print('Nothing to do, exiting.')
++ return
++
++
++if __name__ == '__main__':
++ main(sys.argv)
+Index: fetchmail-6.5.1/fetchmail.man
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.man
++++ fetchmail-6.5.1/fetchmail.man
+@@ -1181,7 +1181,8 @@ External tools are necessary to obtain
+ such tokens. Access tokens often expire fairly quickly (e.g. 1 hour),
+ and new ones need to be generated from renewal tokens, so the
+ "passwordfile", "passwordfd", or "pwmd_*" options may be useful. See the
+-oauth2.py script from
++contrib/fetchmail-oauth2.py script from the fetchmail source code, which
++was derived from code associated with
+ .URL https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough "Google's Oauth2 Run Through" ,
+ and other oauth2 documentation. For services like gmail, an "App Password"
+ is probably preferable if available, because it has roughly the same
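Review bot: The token writes in main() rely on `os.umask()` plus `open(path+".tmp","w")`, which only protects a file that is newly created: if `<token_file>.tmp` already exists with wider permissions, or is a symlink, the access or refresh token is written through it unchanged. Creating the temporary file with `os.open(..., O_CREAT|O_EXCL)` closes that gap while still honouring the configured umask; the three write sites (one in the `--refresh` branch, two in `--obtain_refresh_token_file`) could share one helper as sketched below. Separately, `base64.b64encode(auth_string)` in GenerateOAuth2String and TestSmtpAuthentication is passed a str, which raises TypeError on Python 3 although the file header says both Python 2 and 3 are supported.

```python
def WriteTokenFile(path, token):
  # O_EXCL refuses an existing or symlinked temp file, so the token is only
  # ever written to a file this process created under the active umask.
  # A stale temp file from an interrupted run surfaces as an error instead
  # of being silently reused.
  tmp_path = path + ".tmp"
  fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
  with os.fdopen(fd, "w") as f:
    f.write(token)
    f.write('\n')
  os.rename(tmp_path, path)

# ... unchanged: config parsing, RefreshToken call, empty-token check ...
    savedUmask = os.umask(int(cfg['umask'],8))
    try:
      WriteTokenFile(cfg['access_token_file'], newTok)
    finally:
      os.umask(savedUmask)
```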
diff --git a/fetchmail-add-imap-oauthbearer-support.patch b/fetchmail-add-imap-oauthbearer-support.patch
new file mode 100644
index 0000000..e5567fb
--- /dev/null
+++ b/fetchmail-add-imap-oauthbearer-support.patch
@@ -0,0 +1,300 @@
+From: Matthew Ogilvie
+Date: Sat, 27 May 2017 15:32:28 -0600
+Subject: add imap oauthbearer support
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: 5c44df6df70b90f06d3204c6fbdd1ff19e990ca0
+
+This expects an oauth2 access token in place of password.
+When configured, it will also fall back on trying xoauth2.
+---
+ conf.c | 2 +
+ fetchmail.c | 3 +
+ fetchmail.h | 2 +
+ fetchmail.man | 26 +++++++++++--
+ fetchmailconf.py | 2 -
+ imap.c | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ options.c | 2 +
+ rcfile_l.l | 1
+ 8 files changed, 137 insertions(+), 5 deletions(-)
+
+Index: fetchmail-6.5.1/conf.c
+===================================================================
+--- fetchmail-6.5.1.orig/conf.c
++++ fetchmail-6.5.1/conf.c
+@@ -284,6 +284,8 @@ void dump_config(struct runctl *runp, st
+ stringdump("auth", "otp");
+ else if (ctl->server.authenticate == A_MSN)
+ stringdump("auth", "msn");
++ else if (ctl->server.authenticate == A_OAUTHBEARER)
++ stringdump("auth", "oauthbearer");
+
+ #ifdef HAVE_RES_SEARCH
+ booldump("dns", ctl->server.dns);
+Index: fetchmail-6.5.1/fetchmail.c
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.c
++++ fetchmail-6.5.1/fetchmail.c
+@@ -1804,6 +1804,9 @@ static void dump_params (struct runctl *
+ case A_IMPLICIT:
+ printf(GT_(" End-to-end encryption assumed.\n"));
+ break;
++ case A_OAUTHBEARER:
++ printf(GT_(" OAUTHBEARER will be forced; expecting password to really be OAUTH2 authentication token\n"));
++ break;
+ }
+ if (ctl->server.principal != (char *) NULL)
+ printf(GT_(" Mail service principal is: %s\n"), ctl->server.principal);
+Index: fetchmail-6.5.1/fetchmail.h
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.h
++++ fetchmail-6.5.1/fetchmail.h
+@@ -64,6 +64,7 @@ struct addrinfo;
+ #define A_IMPLICIT 8 /* authentication at session level */
+ #define A_MSN 9 /* same as NTLM with keyword MSN */
+ #define A_EXTERNAL 10 /* external authentication (client cert) */
++#define A_OAUTHBEARER 11 /** oauth2 access token (not password) */
+
+ /* some protocols or authentication types (KERBEROS, GSSAPI, SSH) don't
+ * require a password */
+@@ -99,6 +100,7 @@ struct addrinfo;
+ #define MSGBUFSIZE 8192
+
+ #define NAMELEN 64 /* max username length */
++/* oauth2 access tokens seem to be about 130 characters; make this longer: */
+ #define PASSWORDLEN 256 /* max password length */
+ #define DIGESTLEN 33 /* length of MD5 digest */
+
+Index: fetchmail-6.5.1/fetchmail.man
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.man
++++ fetchmail-6.5.1/fetchmail.man
+@@ -1113,8 +1113,8 @@ AUTHENTICATION below for details). The
+ \&\fBpassword\fP, \fBkerberos_v5\fP, \fBkerberos\fP (or, for
+ excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP,
+ \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3),
+-\fBexternal\fP (only IMAP) and \fBimplicit\fP (\fBssh\fP is understood
+-as alias for \fBimplicit\fP).
++\fBexternal\fP (only IMAP), \fBimplicit\fP (\fBssh\fP is understood
++as alias for \fBimplicit\fP) and \fBoauthbearer\fP (only IMAP).
+ When \fBany\fP (the default) is specified, fetchmail tries
+ first methods that do not require a password (EXTERNAL, GSSAPI, KERBEROS\ IV,
+ KERBEROS\ 5); then it looks for methods that mask your password
+@@ -1139,8 +1139,24 @@ authentication. This option does not wo
+ in line with RFC-2743 and IANA registrations, see
+ .UR https://www.iana.org/assignments/gssapi-service-names/
+ Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple
+-Authentication and Security Layer (SASL) Service Names
+-.UE .
++Authentication and Security Layer (SASL) Service Names .
++.sp
++\fBoauthbearer\fP expects the supplied password to be an oauth2 authentication
++token instead of a password, as used by services like gmail.
++See RFC 7628 and RFC 6750. The \fBoauthbearer\fP
++setting also allows the non-standard "xoauth2" SASL scheme (using
++the same token) if the server only claims to support "xoauth2".
++External tools are necessary to obtain
++such tokens. Access tokens often expire fairly quickly (e.g. 1 hour),
++and new ones need to be generated from renewal tokens. See the
++oauth2.py script from
++.URL https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough "Google's Oauth2 Run Through" ,
++and other oauth2 documentation. For services like gmail, an "App Password"
++is probably preferable if available, because it has roughly the same
++security risks, and is a whole lot simpler to get working. "App Password"
++and oauthbearer both need to protect secrets on the client machine (files) and
++over the network (SSL/TLS). But "App Password" is
++sometimes completely disabled by business "G-suite" administrators.
+ .SS Miscellaneous Options
+ .TP
+ .B \-f | \-\-fetchmailrc
+@@ -2475,7 +2491,9 @@ Legal protocol identifiers for use with
+ .PP
+ Legal authentication types are 'any', 'password', 'kerberos',
+ \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
+-(only for POP3), 'ntlm', 'implicit', 'external' (only IMAP).
++(only for POP3), 'ntlm', 'implicit', 'external' (only IMAP),
++'oauthbearer' (only for IMAP; requires authentication token in
++place of password).
+ The 'password' type specifies
+ authentication by normal transmission of a password (the password may be
+ plain text or subject to protocol-specific encryption as in CRAM-MD5);
+Index: fetchmail-6.5.1/fetchmailconf.py
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmailconf.py
++++ fetchmail-6.5.1/fetchmailconf.py
+@@ -499,7 +499,7 @@ defaultports = {"auto":None,
+ "ODMR":"odmr"}
+
+ authlist = ("any", "password", "gssapi", "kerberos", "implicit", "otp",
+- "msn", "ntlm")
++ "msn", "ntlm", "oauthbearer")
+
+ listboxhelp = {
+ 'title' : 'List Selection Help',
+Index: fetchmail-6.5.1/imap.c
+===================================================================
+--- fetchmail-6.5.1.orig/imap.c
++++ fetchmail-6.5.1/imap.c
+@@ -24,6 +24,10 @@
+ #define IMAP4 0 /* IMAP4 rev 0, RFC1730 */
+ #define IMAP4rev1 1 /* IMAP4 rev 1, RFC2060 */
+
++/* imap_plus_cont_context values */
++#define IPLUS_NONE 0
++#define IPLUS_OAUTHBEARER 1 /* oauthbearer (for more error info) */
++
+ /* global variables: please reinitialize them explicitly for proper
+ * working in daemon mode */
+
+@@ -49,6 +53,8 @@ static void clear_sessiondata(void) {
+ * a const initializer */
+ const char *const capa_begin = " [CAPABILITY "; const unsigned capa_len = 13;
+
++static int plus_cont_context = IPLUS_NONE;
++
+ /* mailbox variables initialized in imap_getrange() */
+ static int count = 0, oldcount = 0, recentcount = 0, unseen = 0, deletions = 0;
+ static unsigned int startcount = 1;
+@@ -262,6 +268,21 @@ static int imap_response(int sock, char
+ if (ok != PS_SUCCESS)
+ return(ok);
+
++ if (buf[0] == '+' && buf[1] == ' ') {
++ if (plus_cont_context == IPLUS_OAUTHBEARER) {
++ /* future: Consider decoding the base64-encoded JSON
++ * error response info and logging it. But for now,
++ * ignore continuation data, send the expected blank
++ * line, and assume that the next response will be
++ * a tagged "NO" as documented.
++ */
++ SockWrite(sock, "\r\n", 2);
++ if (outlevel >= O_MONITOR)
++ report(stdout, "IMAP> \n");
++ continue;
++ }
++ }
++
+ /* all tokens in responses are caseblind */
+ for (cp = buf; *cp; cp++)
+ if (islower((unsigned char)*cp))
+@@ -394,6 +415,69 @@ static int do_imap_ntlm(int sock, struct
+ }
+ #endif /* NTLM */
+
++static int do_imap_oauthbearer(int sock, struct query *ctl,flag xoauth2)
++{
++ /* Implements relevant parts of RFC-7628, RFC-6750, and
++ * https://developers.google.com/gmail/imap/xoauth2-protocol
++ *
++ * This assumes something external manages obtaining an up-to-date
++ * authentication/bearer token and arranging for it to be in
++ * ctl->password. This may involve renewing it ahead of time if
++ * necessary using a renewal token that fetchmail knows nothing about.
++ * See:
++ * https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough
++ */
++ const char *name;
++ char *oauth2str;
++ int oauth2len;
++ int saved_suppress_tags = suppress_tags;
++
++ char *oauth2b64;
++
++ int ok;
++
++ oauth2len = strlen(ctl->remotename) + strlen(ctl->password) + 32;
++ oauth2str = (char *)xmalloc(oauth2len);
++ if (xoauth2)
++ {
++ snprintf(oauth2str, oauth2len,
++ "user=%s\1auth=Bearer %s\1\1",
++ ctl->remotename,
++ ctl->password);
++ name = "XOAUTH2";
++ }
++ else
++ {
++ snprintf(oauth2str, oauth2len,
++ "n,a=%s,\1auth=Bearer %s\1\1",
++ ctl->remotename,
++ ctl->password);
++ name = "OAUTHBEARER";
++ }
++
++ oauth2b64 = (char *)xmalloc(2*strlen(oauth2str)+8);
++ to64frombits(oauth2b64, oauth2str, strlen(oauth2str));
++
++ memset(oauth2str, 0x55, strlen(oauth2str));
++ free(oauth2str);
++
++ /* Protect the access token like a password in logs, despite the
++ * usually-short expiration time and base64 encoding:
++ */
++ strlcpy(shroud, oauth2b64, sizeof(shroud));
++
++ plus_cont_context = IPLUS_OAUTHBEARER;
++ ok = gen_transact(sock, "AUTHENTICATE %s %s", name, oauth2b64);
++ plus_cont_context = IPLUS_NONE;
++
++ memset(shroud, 0x55, sizeof(shroud));
++ shroud[0] = '\0';
++ memset(oauth2b64, 0x55, strlen(oauth2b64));
++ free(oauth2b64);
++
++ return ok;
++}
++
+ static void imap_canonicalize(char *result, char *raw, size_t maxlen)
+ /* encode an IMAP password as per RFC1730's quoting conventions */
+ {
+@@ -584,6 +668,26 @@ static int imap_getauth(int sock, struct
+ for future maintenance */
+ (void)ok;
+
++ if (ctl->server.authenticate == A_OAUTHBEARER)
++ {
++ /* Fetchmail's oauthbearer and xoauth2 support expects the "password"
++ * to actually be an oauth2 authentication token, so only
++ * try these options if specifically enabled.
++ * (Generating a token using the complex https-based oauth2
++ * protocol is left as an exercise for the user.)
++ */
++ if (strstr(capabilities, "AUTH=OAUTHBEARER") ||
++ !strstr(capabilities, "AUTH=XOAUTH2"))
++ {
++ ok = do_imap_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
++ }
++ if (ok && strstr(capabilities, "AUTH=XOAUTH2"))
++ {
++ ok = do_imap_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
++ }
++ return ok;
++ }
++
+ /* Yahoo hack - we'll just try ID if it was offered by the server,
+ * and IGNORE errors. */
+ {
+Index: fetchmail-6.5.1/options.c
+===================================================================
+--- fetchmail-6.5.1.orig/options.c
++++ fetchmail-6.5.1/options.c
+@@ -395,6 +395,8 @@ int parsecmdline (int argc /** argument
+ ctl->server.authenticate = A_ANY;
+ else if (strcmp(optarg, "msn") == 0)
+ ctl->server.authenticate = A_MSN;
++ else if (strcmp(optarg, "oauthbearer") == 0)
++ ctl->server.authenticate = A_OAUTHBEARER;
+ else {
+ fprintf(stderr,GT_("Invalid authentication `%s' specified.\n"), optarg);
+ errflag++;
+Index: fetchmail-6.5.1/rcfile_l.l
+===================================================================
+--- fetchmail-6.5.1.orig/rcfile_l.l
++++ fetchmail-6.5.1/rcfile_l.l
+@@ -103,6 +103,7 @@ cram(-md5)? { SETSTATE(0); yylval.proto
+ msn { SETSTATE(0); yylval.proto = A_MSN; return AUTHTYPE;}
+ ntlm { SETSTATE(0); yylval.proto = A_NTLM; return AUTHTYPE;}
+ password { SETSTATE(0); yylval.proto = A_PASSWORD; return AUTHTYPE;}
++oauthbearer { SETSTATE(0); yylval.proto = A_OAUTHBEARER; return AUTHTYPE;}
+ timeout { return TIMEOUT;}
+ idletimeout { return IDLETIMEOUT;}
+ envelope { return ENVELOPE; }
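Review bot: In the `imap_getauth` hunk of imap.c, the `A_OAUTHBEARER` block tests `ok` without assigning it first. When the server advertises `AUTH=XOAUTH2` but not `AUTH=OAUTHBEARER`, the first `if` is skipped and `if (ok && strstr(capabilities, "AUTH=XOAUTH2"))` acts on whatever value `ok` carried in from earlier in the function. If that value is zero (success), neither mechanism is attempted and the block returns success without having authenticated. Starting the block with `ok = PS_AUTHFAIL;` makes the XOAUTH2 fallback and the return value independent of earlier state. `imap_getauth` starts and continues outside the hunk, so the entry value of `ok` should be confirmed there.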
diff --git a/fetchmail-add-passwordfile-and-passwordfd-options.patch b/fetchmail-add-passwordfile-and-passwordfd-options.patch
new file mode 100644
index 0000000..f8d8ab8
--- /dev/null
+++ b/fetchmail-add-passwordfile-and-passwordfd-options.patch
@@ -0,0 +1,314 @@
+From: Matthew Ogilvie
+Date: Sun, 28 May 2017 00:01:02 -0600
+Subject: add passwordfile and passwordfd options
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: cdd7182f65734c97723ba5f282040e08d830e650
+
+---
+ fetchmail.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
+ fetchmail.h | 2 +
+ fetchmail.man | 40 +++++++++++++++++++++++++++-
+ options.c | 16 +++++++++++
+ rcfile_l.l | 2 +
+ rcfile_y.y | 6 ++++
+ 6 files changed, 145 insertions(+), 3 deletions(-)
+
+Index: fetchmail-6.5.1/fetchmail.c
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.c
++++ fetchmail-6.5.1/fetchmail.c
+@@ -471,7 +471,7 @@ int main(int argc, char **argv)
+ /* Server won't care what the password is, but there
+ must be some non-null string here. */
+ ctl->password = ctl->remotename;
+- else
++ else if (!ctl->passwordfile && ctl->passwordfd==-1)
+ {
+ const netrc_entry *p;
+
+@@ -649,8 +649,81 @@ int main(int argc, char **argv)
+ if (ctl->active && !(implicitmode && ctl->server.skip)
+ && !NO_PASSWORD(ctl) && !ctl->password)
+ {
+- if (!isatty(0))
++ if (ctl->passwordfd != -1)
+ {
++ char msg[PASSWORDLEN+1];
++ char *mi;
++
++ /* Read one character at a time to avoid reading too
++ * much if more than one password sent in through this FD
++ * (although that would be a questionable practice).
++ */
++ for (mi = msg; mipasswordfd, mi, 1);
++ if(res == -1) {
++ int saveErrno = errno;
++ fprintf(stderr,
++ GT_("fetchmail: unable to read password from fd=%d: %s\n"),
++ ctl->passwordfd,
++ strerror(saveErrno));
++ memset(msg, 0x55, mi-msg);
++ return PS_AUTHFAIL;
++ }
++ if (res == 0 || *mi == '\n')
++ break;
++ }
++ *mi = '\0';
++ if (mi == msg) {
++ fprintf(stderr,
++ GT_("fetchmail: empty password read from fd=%d\n"),
++ ctl->passwordfd);
++ return PS_AUTHFAIL;
++ }
++
++ ctl->password = xstrdup(msg);
++ memset(msg, 0x55, mi-msg);
++ } else if (ctl->passwordfile) {
++ int fd = open(ctl->passwordfile, O_RDONLY);
++ char msg[PASSWORDLEN+1];
++ char *newline;
++ int res;
++
++ if (fd == -1) {
++ int saveErrno = errno;
++ fprintf(stderr,
++ GT_("fetchmail: unable to open %s: %s\n"),
++ ctl->passwordfile,
++ strerror(saveErrno));
++ return PS_AUTHFAIL;
++ }
++
++ res = read(fd, msg, sizeof(msg)-1);
++ if (res == -1 || close(fd) == -1) {
++ int saveErrno = errno;
++ fprintf(stderr,
++ GT_("fetchmail: error reading %s: %s\n"),
++ ctl->passwordfile,
++ strerror(saveErrno));
++ return PS_AUTHFAIL;
++ }
++ msg[res] = '\0';
++
++ newline = memchr(msg, '\n', res);
++ if (newline != NULL) {
++ *newline = '\0';
++ }
++
++ if (strlen(msg) == 0) {
++ fprintf(stderr,
++ GT_("fetchmail: empty password read from %s\n"),
++ ctl->passwordfile);
++ memset(msg, 0x55, res);
++ return PS_AUTHFAIL;
++ }
++
++ ctl->password = xstrdup(msg);
++ memset(msg, 0x55, res);
++ } else if (!isatty(0)) {
+ fprintf(stderr,
+ GT_("fetchmail: can't find a password for %s@%s.\n"),
+ ctl->remotename, ctl->server.pollname);
+@@ -1046,6 +1119,10 @@ static void optmerge(struct query *h2, s
+ FLAG_MERGE(wildcard);
+ STRING_MERGE(remotename);
+ STRING_MERGE(password);
++ FLAG_MERGE(passwordfile);
++ if (force ? h1->passwordfd!=-1 : h2->passwordfd==-1) {
++ h2->passwordfd = h1->passwordfd;
++ }
+ STRING_MERGE(mda);
+ STRING_MERGE(bsmtp);
+ FLAG_MERGE(listener);
+@@ -1112,6 +1189,7 @@ static int load_params(int argc, char **
+ def_opts.smtp_socket = -1;
+ def_opts.smtpaddress = (char *)0;
+ def_opts.smtpname = (char *)0;
++ def_opts.passwordfd = -1;
+ def_opts.server.protocol = P_AUTO;
+ def_opts.server.timeout = CLIENT_TIMEOUT;
+ def_opts.server.idle_timeout = CLIENT_IDLE_TIMEOUT;
+Index: fetchmail-6.5.1/fetchmail.h
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.h
++++ fetchmail-6.5.1/fetchmail.h
+@@ -312,6 +312,8 @@ struct query
+ int wildcard; /* should unmatched names be passed through */
+ char *remotename; /* remote login name to use */
+ char *password; /* remote password to use */
++ char *passwordfile; /* filename; first line contains password */
++ int passwordfd; /* fileno that password will be piped into */
+ struct idlist *mailboxes; /* list of mailboxes to check */
+
+ /* per-forwarding-target data */
+Index: fetchmail-6.5.1/fetchmail.man
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.man
++++ fetchmail-6.5.1/fetchmail.man
+@@ -1056,6 +1056,37 @@ The default is your login name on the cl
+ \fBfetchmail\fP.
+ See USER AUTHENTICATION below for a complete description.
+ .TP
++.B \-\-passwordfile
++(Keyword: passwordfile)
++.br
++Specifies a file name from which to read the first line to use as the password.
++Useful if something changes the password/token often without regenerating a
++long fetchmailrc file, such as with typical xoauth2 authentication tokens.
++Protect the file with appropriate permissions to avoid leaking your password.
++Fetchmail might not re-read the file in daemon mode (-d) unless the
++fetchmailrc file also changes, so it might make sense to run it in
++non-daemon mode from some other background process (cron and/or whatever
++updates the password).
++.TP
++.B \-\-passwordfd
++(Keyword: passwordfd)
++.br
++Specifies a file descriptor number inherited from the calling process,
++from which fetchmail should read one line to use as the password.
++The descriptor will usually be the receiving end of a pipe (equivalent
++to "something | fetchmail \-\-passwordfd 5 5<\&0"),
++although it could also be a redirected input file
++(equivalent to "fetchmail \-\-passwordfd 5 5 | \-\-interface
+ (Keyword: interface)
+ .br
+@@ -1148,7 +1179,8 @@ setting also allows the non-standard "xo
+ the same token) if the server only claims to support "xoauth2".
+ External tools are necessary to obtain
+ such tokens. Access tokens often expire fairly quickly (e.g. 1 hour),
+-and new ones need to be generated from renewal tokens. See the
++and new ones need to be generated from renewal tokens, so the
++"passwordfile", "passwordfd", or "pwmd_*" options may be useful. See the
+ oauth2.py script from
+ .URL https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough "Google's Oauth2 Run Through" ,
+ and other oauth2 documentation. For services like gmail, an "App Password"
+@@ -2100,6 +2132,12 @@ T}
+ pass[word] \& \& T{
+ Specify remote account password
+ T}
++passwordfile \-\-... \& T{
++File name with password in first line.
++T}
++passwordfd \-\-... \& T{
++Inherited file descriptor from which to read one line for the password.
++T}
+ ssl \& \& T{
+ Connect to server over the specified base protocol using SSL encryption
+ T}
+Index: fetchmail-6.5.1/options.c
+===================================================================
+--- fetchmail-6.5.1.orig/options.c
++++ fetchmail-6.5.1/options.c
+@@ -29,6 +29,8 @@ enum {
+ LA_POSTMASTER,
+ LA_NOBOUNCE,
+ LA_AUTH,
++ LA_PASSWORDFILE,
++ LA_PASSWORDFD,
+ LA_FETCHDOMAINS,
+ LA_BSMTP,
+ LA_LMTP,
+@@ -98,6 +100,8 @@ static const struct option longoptions[]
+ {"port", required_argument, (int *) 0, 'P' },
+ {"service", required_argument, (int *) 0, 'P' },
+ {"auth", required_argument, (int *) 0, LA_AUTH},
++ {"passwordfile", required_argument, (int *) 0, LA_PASSWORDFILE },
++ {"passwordfd", required_argument, (int *) 0, LA_PASSWORDFD },
+ {"timeout", required_argument, (int *) 0, 't' },
+ {"envelope", required_argument, (int *) 0, 'E' },
+ {"qvirtual", required_argument, (int *) 0, 'Q' },
+@@ -231,6 +235,7 @@ int parsecmdline (int argc /** argument
+
+ memset(ctl, '\0', sizeof(struct query)); /* start clean */
+ ctl->smtp_socket = -1;
++ ctl->passwordfd = -1;
+
+ while (!errflag &&
+ (c = getopt_long(argc,argv,shortoptions,
+@@ -402,6 +407,17 @@ int parsecmdline (int argc /** argument
+ errflag++;
+ }
+ break;
++ case LA_PASSWORDFILE:
++ ctl->passwordfile = optarg;
++ break;
++ case LA_PASSWORDFD:
++ ctl->passwordfd = xatoi(optarg, &errflag);
++ if (ctl->passwordfd < 0) {
++ fprintf(stderr,GT_("Invalid file descriptor %d\n"),
++ ctl->passwordfd);
++ errflag++;
++ }
++ break;
+ case 't':
+ ctl->server.timeout = xatoi(optarg, &errflag);
+ if (ctl->server.timeout == 0)
+Index: fetchmail-6.5.1/rcfile_l.l
+===================================================================
+--- fetchmail-6.5.1.orig/rcfile_l.l
++++ fetchmail-6.5.1/rcfile_l.l
+@@ -116,6 +116,8 @@ accept { return ACCEPT; }
+ reject { return REJECT_; }
+
+ user(name)? {SETSTATE(NAME); return USERNAME; }
++passwordfile { return PASSWORDFILE; }
++passwordfd { return PASSWORDFD; }
+ pass(word)? {SETSTATE(NAME); return PASSWORD; }
+ folder(s)? { return FOLDER; }
+ smtp(host)? { return SMTPHOST; }
+Index: fetchmail-6.5.1/rcfile_y.y
+===================================================================
+--- fetchmail-6.5.1.orig/rcfile_y.y
++++ fetchmail-6.5.1/rcfile_y.y
+@@ -62,6 +62,7 @@ void yyerror (const char *s)
+ %token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL
+ %token AUTHENTICATE TIMEOUT IDLETIMEOUT KPOP SDPS ENVELOPE QVIRTUAL
+ %token USERNAME PASSWORD FOLDER SMTPHOST FETCHDOMAINS MDA BSMTP LMTP
++%token PASSWORDFILE PASSWORDFD
+ %token SMTPADDRESS SMTPNAME SPAMRESPONSE PRECONNECT POSTCONNECT LIMIT WARNINGS
+ %token INTERFACE MONITOR PLUGIN PLUGOUT
+ %token IS HERE THERE TO MAP
+@@ -314,6 +315,8 @@ user_option : TO mapping_list HERE
+
+ | IS STRING THERE {current.remotename = $2;}
+ | PASSWORD STRING {current.password = $2;}
++ | PASSWORDFILE STRING {current.passwordfile = $2;}
++ | PASSWORDFD NUMBER {current.passwordfd = NUM_VALUE_IN($2);}
+ | FOLDER folder_list
+ | SMTPHOST smtp_list
+ | FETCHDOMAINS fetch_list
+@@ -495,6 +498,7 @@ static void reset_server(const char *nam
+ trailer = FALSE;
+ memset(¤t,'\0',sizeof(current));
+ current.smtp_socket = -1;
++ current.passwordfd = -1;
+ current.server.pollname = xstrdup(name);
+ current.server.skip = skip;
+ }
+@@ -515,6 +519,7 @@ static void user_reset(void)
+
+ memset(¤t, '\0', sizeof(current));
+ current.smtp_socket = -1;
++ current.passwordfd = -1;
+
+ current.server = save;
+ }
+@@ -535,6 +540,7 @@ struct query *hostalloc(struct query *in
+ {
+ memset(node, '\0', sizeof(struct query));
+ node->smtp_socket = -1;
++ node->passwordfd = -1;
+ }
+
+ /* append to end of list */
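Review bot: The password scrubbing added to `fetchmail.c` calls plain `memset(msg, 0x55, ...)` on a stack buffer just before `return` or the end of the branch. That is a dead store the compiler may remove, so the password or token can remain on the stack. `do_imap_oauthbearer` in fetchmail-add-imap-oauthbearer-support.patch has the same pattern, filling `oauth2str` and `oauth2b64` with 0x55 right before `free()`. Use a wipe the optimizer cannot elide, for example `explicit_bzero(msg, sizeof(msg));` where the platform provides it, with a volatile-pointer loop as the fallback. Scrubbing `sizeof(msg)` instead of `res` or `mi-msg` also removes the dependence on how many bytes were read. The enclosing `main` starts and ends outside the hunk.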
diff --git a/fetchmail-add-query_to64_outsize-utility-function.patch b/fetchmail-add-query_to64_outsize-utility-function.patch
new file mode 100644
index 0000000..68a6270
--- /dev/null
+++ b/fetchmail-add-query_to64_outsize-utility-function.patch
@@ -0,0 +1,41 @@
+From: Matthew Ogilvie
+Date: Fri, 21 Dec 2018 09:00:46 -0700
+Subject: add query_to64_outsize() utility function
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: cc6e146d516140df800da68976eb7c0aa1cef7c0
+
+---
+ base64.c | 7 +++++++
+ fetchmail.h | 1 +
+ 2 files changed, 8 insertions(+)
+
+Index: fetchmail-6.5.1/base64.c
+===================================================================
+--- fetchmail-6.5.1.orig/base64.c
++++ fetchmail-6.5.1/base64.c
+@@ -66,6 +66,13 @@ fail:
+ return rc;
+ }
+
++size_t query_to64_outsize(size_t inlen)
++/* Returns how much space needs to be allocated to receive the output from
++ * to64frombits(), including the '\0' terminator. */
++{
++ return ((inlen+2)/3)*4+1;
++}
++
+ int from64tobits(void *out_, const char *in, int maxlen)
+ /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
+ /* maxlen limits output buffer size, set to zero to ignore */
+Index: fetchmail-6.5.1/fetchmail.h
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.h
++++ fetchmail-6.5.1/fetchmail.h
+@@ -611,6 +611,7 @@ int prc_filecheck(const char *, const fl
+ /* base64.c */
+ unsigned len64frombits(unsigned inlen); /** calculate length needed to encode inlen octets. warnings: 1. caller needs to add 1 for a trailing \0 byte himself. 2. returns 0 for inlen 0! */
+ int to64frombits(char *, const void *, int inlen, size_t outlen);
++size_t query_to64_outsize(size_t inlen);
+ int from64tobits(void *, const char *, int mxoutlen);
+
+ /* unmime.c */
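Review bot: `query_to64_outsize()` in base64.c computes `((inlen+2)/3)*4+1` in `size_t` with no overflow check, so an `inlen` near `SIZE_MAX` wraps to a small value that a caller would then hand to an allocator. No caller is visible in this hunk, and the inputs are presumably bounded by the username and password limits, so this looks like a contract gap rather than a reachable fault. State the precondition in the function comment, e.g. `/* inlen must be below SIZE_MAX/4*3, otherwise the result wraps. */`, or return 0 for such inputs and have callers treat 0 as failure.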
diff --git a/fetchmail-add-readme-oauth2-issue-27.patch b/fetchmail-add-readme-oauth2-issue-27.patch
new file mode 100644
index 0000000..439b3fa
--- /dev/null
+++ b/fetchmail-add-readme-oauth2-issue-27.patch
@@ -0,0 +1,160 @@
+From: William Bader
+Date: Sun, 31 Jan 2021 06:42:46 +0000
+Subject: Add README.OAUTH2 issue #27
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: d52ba9652c9207358e0b9acc11403688f6f16b9e
+
+---
+ README.OAUTH2 | 147 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 147 insertions(+)
+
+--- /dev/null
++++ b/README.OAUTH2
+@@ -0,0 +1,147 @@
++OAUTH2 support for gmail
++========================
++
++Preface
++-------
++
++fetchmail 7 adds support for OAuth2.
++You create a project in google that requests gmail access to request an OAuth2 client id and client secret.
++Then you use the contributed fetchmail-oauth2.py to request a refresh token for gmail access to your gmail account.
++Then you use the fetchmail-oauth2.py again to request temporary access tokens that fetchmail uses like a password.
++
++Create a Google project and request an OAuth2 client id and client secret
++-------------------------------------------------------------------------
++
++* Open the Google API Dashboard: https://console.developers.google.com/apis/dashboard
++* The first time that you enter the page, you will have to select your country and agree to terms of service.
++* You should see a title bar with "Google APIs" and a menu down the left with "Dashboard, Library,
++ Credentials, OAuth consent screen, Domain verification, Page usage agreements".
++* Click to create a new project, possibly on a pull-down arrow to the right of "Google APIs" on the title bar.
++* Click on "NEW PROJECT".
++ + Enter a project name like "fetchmail".
++ + You can leave "Location" as "No organization" for personal email.
++ + If you are a G Suite administrator, you might be able to enter your G Suite organization.
++ + When you enter the project name, you will get a message like "Project ID: fetchmail-123456. It cannot be changed later."
++ + Make a note of the full project name.
++ + Click on "CREATE".
++ + Google will take a few seconds to create the project.
++* Switch to the new project, either from "SELECT PROJECT" in the notification window or on the title bar pulldown after "Google APIs".
++* Click on "Credentials" on the menu at the left.
++* Click on "+ CREATE CREDENTIALS" at the top of the window.
++* Select "OAuth client ID" from the list of credential types.
++* Click on "CONFIGURE CONSENT SCREEN" at the right.
++ + Select "External" from the list of user types. "Internal" is for organizations with G Suite.
++ + Click "CREATE".
++* Fill out the app registration form.
++ + "App name" can be the full project name, like "fetchmail-123456". It has to be unique.
++ + "User support email" can be your gmail email.
++ + "App logo" can be empty. I used /usr/share/icons/Adwaita/256x256/legacy/emblem-mail.png
++ + "Application home page" can be empty.
++ + "Application privacy policy link" can be empty.
++ + "Application terms of service link" can be empty.
++ + "Authorized domain" can be empty.
++ + "Developer contact email address" can be your gmail email.
++ + Click "SAVE AND CONTINUE".
++ + Click "ADD OR REMOVE SCOPES" on the "Edit app registration" screen.
++ + Click on "Google API Library". This opens a new tab.
++ + Filter for "Email" and click on "Gmail API".
++ + Click on "ENABLE".
++ + Return to the "Edit app registration" tab and refresh.
++ + Click "ADD OR REMOVE SCOPES" on the "Edit app registration" screen.
++ + I think that the scope ".../auth/gmail.modify" to "View and modify but not delete your email" is sufficient.
++ + Click on "SAVE AND CONTINUE". This opens the "Test Users" window.
++ + Click on "+ ADD USERS".
++ + Enter you gmail address and click on "ADD".
++ + Click on "SAVE AND CONTINUE".
++ + This opens a "Summary" page.
++ + If you need to change something, click on "OAuth consent screen" on the menu at the left and then "EDIT APP" to step through the screens again.
++* Click on "Credentials" on the menu at the left to create client credentials.
++ + Click on "+ CREATE CREDENTIALS" at the top of the window.
++ + Select "OAuth client ID" from the list of credential types.
++ + Select "Desktop app" from the list of "Application types".
++ + "Name" can be "DesktopClient1" or whatever the screen suggests.
++ + Click on "CREATE".
++ + It will show a window with "Your Client ID" and "Your Client Secret". Copy them somewhere safe.
++
++Download and build fetchmail 7
++------------------------------
++```
++git clone https://gitlab.com/fetchmail/fetchmail.git
++cd fetchmail
++git checkout -t origin/next
++./autogen.sh
++./configure
++make
++make check
++sudo make install
++```
++
++Configure fetchmail-oauth2.py
++-----------------------------
++* Create a file, for example /home/yourname/.fetchmail-oauth2
++```
++client_id=YOUR-CLIENT-ID
++client_secret=YOUR-CLIENT-SECRET
++refresh_token_file=/home/yourname/.fetchmail-refresh
++access_token_file=/home/yourname/.fetchmail-token
++max_age_sec=3000
++```
++* Replace YOUR-CLIENT-ID and YOUR-CLIENT-SECRET with the keys for "Your Client ID" and "Your Client Secret" from the previous step.
++* The refresh and token files do not need to exist, but they have to be valid paths.
++* Run `contrib/fetchmail-oauth2.py -c /home/yourname/.fetchmail-oauth2 --obtain_refresh_token_file`
++ + The script will give you a URL.
++ + Paste the URL into a web browser.
++ + URL should open a google authentication page.
++ + Select the email account.
++ + Google will warn that the app isn't verified. Click on "Continue".
++ + Google will warn that "fetchmail-123456 wants to access your Google Account `your.name@gmail.com`".
++ + Click on "Allow".
++ + The page will display the sign in key.
++ + Paste the key into the script.
++ + The script will report:
++```
++Refresh token saved to '/home/yourname/.fetchmail-refresh'
++Initial access token saved to '/home/yourname/.fetchmail-token'
++Access Token Expiration Seconds: 3599
++```
++ + Hopefully you will not need to do this again for months or years.
++* Run `chmod 0600` on all of the files .fetchmail-oauth2 .fetchmail-refresh .fetchmail-token
++
++Configure fetchmail
++---------------------
++* Create an entry in your `.fetchmailrc`
++```
++poll imap.gmail.com protocol imap
++ auth oauthbearer username "your.name@gmail.com"
++ passwordfile "/home/yourname/.fetchmail-token"
++ is yourname here
++ fetchlimit 10 folder "Download"
++ keep
++ sslmode wrapped sslcertck
++```
++* Run `chmod 0400` on your `.fetchmailrc`
++* The optional "fetchlimit #" limits the number of emails if you are testing.
++* The optional "folder name" sets the folder to check.
++* I made gmail filters that add a "Download" label to important emails.
++* Fetchmail downloads unread emails. You can go into gmail and mark a few emails unread for testing.
++* Try running fetchmail once at a command line.
++
++Script fetchmail
++----------------
++* Each access token expires after an hour.
++* If you run fetchmail from cron, you should run `fetchmail-oauth2.py -c /home/yourname/.fetchmail-oauth2 --auto_refresh ; fetchmail`
++* For example, `*/2 * * * * (fetchmail-oauth2.py -c /home/yourname/.fetchmail-oauth2 --auto_refresh ; fetchmail) > /home/yourname/fetchmail.log 2>&1`
++* The `--auto_refresh` option checks the age of the key against the `max_age_sec` and renews it if necessary.
++* `max_age_sec=3000` in `.fetchmail-oauth2` renews the key after 50 minutes, which should give a safe margin.
++
++Further reading
++---------------
++* Instructions by the author of OAuth2 support for Fetchmail and Postfix
++ + Setting Up OAUTH2 Support for Fetchmail and Postfix http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
++ + Run `fetchmail-oauth2.py --help | less`
++* Documents from Google
++ + Using OAuth 2.0 to Access Google APIs https://developers.google.com/identity/protocols/oauth2
++ + Integrating Google Sign-In into your web app https://developers.google.com/identity/sign-in/web/devconsole-project
++* Google links
++ + Google API Dashboard: https://console.developers.google.com/apis/dashboard
++ + Google Cloud Resource Manager: https://console.developers.google.com/cloud-resource-manager
diff --git a/fetchmail-bump-max-passwordlen-to-1bytes.patch b/fetchmail-bump-max-passwordlen-to-1bytes.patch
new file mode 100644
index 0000000..0e9e190
--- /dev/null
+++ b/fetchmail-bump-max-passwordlen-to-1bytes.patch
@@ -0,0 +1,23 @@
+From: Matthias Andree
+Date: Sat, 24 Apr 2021 15:12:01 +0200
+Subject: Bump max. passwordlen to 10000 bytes.
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: 919fd787540c4a3fa4694566edce406df1e42001
+
+---
+ fetchmail.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: fetchmail-6.5.1/fetchmail.h
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.h
++++ fetchmail-6.5.1/fetchmail.h
+@@ -101,7 +101,7 @@ struct addrinfo;
+
+ #define NAMELEN 64 /* max username length */
+ /* oauth2 access tokens seem to be about 130 characters; make this longer: */
+-#define PASSWORDLEN 4096 /* max password length; oauth2 tokens have no maximum length */
++#define PASSWORDLEN 10000 /* max password length; oauth2 tokens have no maximum length */
+ #define DIGESTLEN 33 /* length of MD5 digest */
+
+ /* exit code values */
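Review bot: The context comment above the define still says OAuth2 access tokens "seem to be about 130 characters", which no longer explains a 10000-byte limit. The same comment is left in place by fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch. PASSWORDLEN is also a hard cap: the passwordfile reader in this series reads at most `sizeof(msg)-1` bytes into `char msg[PASSWORDLEN+1]` and does not report a longer file. The comment should say so, for example `/* hard cap: a longer password/token read from a passwordfile is silently truncated */`.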
diff --git a/fetchmail-chase-and-integrate-interface-change.patch b/fetchmail-chase-and-integrate-interface-change.patch
new file mode 100644
index 0000000..d53a036
--- /dev/null
+++ b/fetchmail-chase-and-integrate-interface-change.patch
@@ -0,0 +1,29 @@
+From: Matthias Andree
+Date: Sun, 25 Nov 2018 12:09:07 +0100
+Subject: Chase and integrate interface change.
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: d52b7b6859d46134b46e6de9b408739b18745d47
+
+---
+ oauth2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/oauth2.c
++++ b/oauth2.c
+@@ -10,6 +10,7 @@
+ #include "oauth2.h"
+
+ #include
++#include
+ #include
+
+ char *get_oauth2_string(struct query *ctl,flag xoauth2)
+@@ -52,7 +53,7 @@ char *get_oauth2_string(struct query *ct
+ }
+
+ oauth2b64 = (char *)xmalloc(2*strlen(oauth2str)+8);
+- to64frombits(oauth2b64, oauth2str, strlen(oauth2str));
++ to64frombits(oauth2b64, oauth2str, strlen(oauth2str), oauth2len);
+
+ memset(oauth2str, 0x55, strlen(oauth2str));
+ free(oauth2str);
diff --git a/fetchmail-give-each-ctl-it-s-own-copy-of-password.patch b/fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
new file mode 100644
index 0000000..90139cc
--- /dev/null
+++ b/fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
@@ -0,0 +1,45 @@
+From: Matthew Ogilvie
+Date: Fri, 9 Jun 2017 19:31:17 -0600
+Subject: give each ctl it's own copy of password
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: 469b0a212e7f047ab16ef46a9158df5fb373e8c2
+
+pwdb_* and passwordfile options may free and re-allocate password
+for each poll operation. Giving each context it's own copy of
+the password should prevent accessing freed memory in another copy.
+
+I haven't tested pwmd, but these seem like obvious fixes.
+---
+ fetchmail.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+Index: fetchmail-6.5.1/fetchmail.c
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.c
++++ fetchmail-6.5.1/fetchmail.c
+@@ -470,7 +470,7 @@ int main(int argc, char **argv)
+ if (NO_PASSWORD(ctl))
+ /* Server won't care what the password is, but there
+ must be some non-null string here. */
+- ctl->password = ctl->remotename;
++ ctl->password = xstrdup(ctl->remotename);
+ else if (!ctl->passwordfile && ctl->passwordfd==-1)
+ {
+ const netrc_entry *p;
+@@ -1118,7 +1118,15 @@ static void optmerge(struct query *h2, s
+
+ FLAG_MERGE(wildcard);
+ STRING_MERGE(remotename);
+- STRING_MERGE(password);
++ if (force ? !!h1->password : !h2->password) {
++ if (h2->password) {
++ memset(h2->password, 0x55, strlen(h2->password));
++ xfree(h2->password);
++ }
++ if (h1->password) {
++ h2->password = xstrdup(h1->password);
++ }
++ }
+ FLAG_MERGE(passwordfile);
+ if (force ? h1->passwordfd!=-1 : h2->passwordfd==-1) {
+ h2->passwordfd = h1->passwordfd;
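Review bot: The `memset(h2->password, 0x55, strlen(h2->password));` placed directly before `xfree(h2->password);` in optmerge is a dead store as far as the compiler is concerned, so an optimizing build may drop it and leave the old password in freed heap memory. The same scrub-then-release pattern appears in the per-poll passwordfile block (`memset(ctl->password, ...)` and the `msg` stack buffer), in get_oauth2_string, and in do_imap_oauthbearer and the POP3 do_oauthbearer. These would be better routed through one helper that cannot be elided, such as `explicit_bzero(p, n)` where the platform provides it, with a fallback that writes through a volatile pointer. optmerge's body starts and ends outside the hunk.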
diff --git a/fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch b/fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
new file mode 100644
index 0000000..8a483e0
--- /dev/null
+++ b/fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
@@ -0,0 +1,32 @@
+From: =?utf-8?q?Martin_Sj=C3=B6lund_=3Cmartin=40sjoelund=2Ese=3E?=
+Date: Thu, 17 Dec 2020 09:09:44 +0100
+Subject: Increase max password length to handle oauth tokens
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: 6e877b5d92527ad501aaef46e37704b51db316fb
+
+The maximum length of oauth2 access tokens is unbounded.
+* Google uses 2048 byte access tokens and "Google reserves the right
+ to change token size within these limits, and your application
+ must support variable token sizes accordingly."
+* My Office365 access token is 2108 bytes long.
+* Intuit says you must support 4096 byte access tokens.
+
+This simply patches the hard-coded limit to 4096 bytes, but it might
+not be sufficient.
+---
+ fetchmail.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: fetchmail-6.5.1/fetchmail.h
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.h
++++ fetchmail-6.5.1/fetchmail.h
+@@ -101,7 +101,7 @@ struct addrinfo;
+
+ #define NAMELEN 64 /* max username length */
+ /* oauth2 access tokens seem to be about 130 characters; make this longer: */
+-#define PASSWORDLEN 256 /* max password length */
++#define PASSWORDLEN 4096 /* max password length; oauth2 tokens have no maximum length */
+ #define DIGESTLEN 33 /* length of MD5 digest */
+
+ /* exit code values */
diff --git a/fetchmail-oauth2-c-calculate-and-pass-in-correct-buffer-size-to-to64frombits.patch b/fetchmail-oauth2-c-calculate-and-pass-in-correct-buffer-size-to-to64frombits.patch
new file mode 100644
index 0000000..567c2cb
--- /dev/null
+++ b/fetchmail-oauth2-c-calculate-and-pass-in-correct-buffer-size-to-to64frombits.patch
@@ -0,0 +1,35 @@
+From: Matthew Ogilvie
+Date: Fri, 21 Dec 2018 09:01:40 -0700
+Subject: oauth2.c: calculate and pass in correct buffer size to to64frombits()
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: 914ee333c73baa3c58d1e819ff4d66052e663335
+
+Also allocate the actual needed size instead of an excessively large
+approximate size.
+
+---
+ oauth2.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/oauth2.c
++++ b/oauth2.c
+@@ -34,6 +34,7 @@ char *get_oauth2_string(struct query *ct
+ int oauth2len;
+
+ char *oauth2b64;
++ size_t oauth2b64alloc;
+
+ oauth2len = strlen(ctl->remotename) + strlen(ctl->password) + 32;
+ oauth2str = (char *)xmalloc(oauth2len);
+@@ -52,8 +53,9 @@ char *get_oauth2_string(struct query *ct
+ ctl->password);
+ }
+
+- oauth2b64 = (char *)xmalloc(2*strlen(oauth2str)+8);
+- to64frombits(oauth2b64, oauth2str, strlen(oauth2str), oauth2len);
++ oauth2b64alloc = query_to64_outsize(strlen(oauth2str));
++ oauth2b64 = (char *)xmalloc(oauth2b64alloc);
++ to64frombits(oauth2b64, oauth2str, strlen(oauth2str), oauth2b64alloc);
+
+ memset(oauth2str, 0x55, strlen(oauth2str));
+ free(oauth2str);
diff --git a/fetchmail-re-read-passwordfile-on-every-poll.patch b/fetchmail-re-read-passwordfile-on-every-poll.patch
new file mode 100644
index 0000000..41018f1
--- /dev/null
+++ b/fetchmail-re-read-passwordfile-on-every-poll.patch
@@ -0,0 +1,172 @@
+From: Matthew Ogilvie
+Date: Fri, 9 Jun 2017 18:20:40 -0600
+Subject: re-read passwordfile on every poll
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: c2b96715bb39b9cfd1c751eae6b0111bed9c8581
+
+---
+ fetchmail.c | 100 ++++++++++++++++++++++++++++++++++++++--------------------
+ fetchmail.man | 9 +----
+ 2 files changed, 69 insertions(+), 40 deletions(-)
+
+Index: fetchmail-6.5.1/fetchmail.c
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.c
++++ fetchmail-6.5.1/fetchmail.c
+@@ -681,48 +681,19 @@ int main(int argc, char **argv)
+ }
+
+ ctl->password = xstrdup(msg);
++ ctl->passwordfile = NULL;
+ memset(msg, 0x55, mi-msg);
+ } else if (ctl->passwordfile) {
+- int fd = open(ctl->passwordfile, O_RDONLY);
+- char msg[PASSWORDLEN+1];
+- char *newline;
+- int res;
+-
+- if (fd == -1) {
++ if (access(ctl->passwordfile, R_OK) != 0) {
+ int saveErrno = errno;
+ fprintf(stderr,
+- GT_("fetchmail: unable to open %s: %s\n"),
++ GT_("fetchmail: unable to access %s: %s\n"),
+ ctl->passwordfile,
+ strerror(saveErrno));
+ return PS_AUTHFAIL;
+ }
+-
+- res = read(fd, msg, sizeof(msg)-1);
+- if (res == -1 || close(fd) == -1) {
+- int saveErrno = errno;
+- fprintf(stderr,
+- GT_("fetchmail: error reading %s: %s\n"),
+- ctl->passwordfile,
+- strerror(saveErrno));
+- return PS_AUTHFAIL;
+- }
+- msg[res] = '\0';
+-
+- newline = memchr(msg, '\n', res);
+- if (newline != NULL) {
+- *newline = '\0';
+- }
+-
+- if (strlen(msg) == 0) {
+- fprintf(stderr,
+- GT_("fetchmail: empty password read from %s\n"),
+- ctl->passwordfile);
+- memset(msg, 0x55, res);
+- return PS_AUTHFAIL;
+- }
+-
+- ctl->password = xstrdup(msg);
+- memset(msg, 0x55, res);
++ ctl->password = xstrdup("dummy");
++ /* file will be read/re-read on each poll interval below */
+ } else if (!isatty(0)) {
+ fprintf(stderr,
+ GT_("fetchmail: can't find a password for %s@%s.\n"),
+@@ -739,6 +710,8 @@ int main(int argc, char **argv)
+ ctl->password = xstrdup((char *)fm_getpassword(tmpbuf));
+ free(tmpbuf);
+ }
++ } else {
++ ctl->passwordfile = NULL;
+ }
+ }
+
+@@ -938,6 +911,65 @@ int main(int argc, char **argv)
+
+ dofastuidl = 0; /* this is reset in the driver if required */
+
++ if (ctl->passwordfile) {
++ int fd = open(ctl->passwordfile, O_RDONLY);
++ char msg[PASSWORDLEN+1];
++ char *newline;
++ int res;
++
++ if (fd == -1) {
++ int saveErrno = errno;
++ report(stderr,
++ GT_("fetchmail: unable to open %s: %s\n"),
++ ctl->passwordfile,
++ strerror(saveErrno));
++ continue;
++ }
++
++ res = read(fd, msg, sizeof(msg)-1);
++ close(fd);
++ if (res == -1) {
++ int saveErrno = errno;
++ report(stderr,
++ GT_("fetchmail: error reading %s: %s\n"),
++ ctl->passwordfile,
++ strerror(saveErrno));
++ continue;
++ }
++ msg[res] = '\0';
++
++ newline = memchr(msg, '\n', res);
++ if (newline != NULL) {
++ *newline = '\0';
++ }
++
++ if (strlen(msg) == 0) {
++ report(stderr,
++ GT_("fetchmail: empty password read from %s\n"),
++ ctl->passwordfile);
++ memset(msg, 0x55, res);
++ continue;
++ }
++
++ if (ctl->password) {
++ memset(ctl->password, 0x55, strlen(ctl->password));
++ xfree(ctl->password);
++ }
++ ctl->password = xstrdup(msg);
++ memset(msg, 0x55, res);
++ }
++
++ if (!ctl->password) {
++ /* This shouldn't be reachable (all cases caught
++ * earlier), but keep it for safety since there
++ * are many cases.
++ */
++ report(stderr,
++ GT_("password is unexpectedly NULL querying %s\n"),
++ ctl->server.pollname);
++ continue;
++ }
++
+ querystatus = query_host(ctl);
+
+ if (NUM_NONZERO(ctl->fastuidl))
+Index: fetchmail-6.5.1/fetchmail.man
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.man
++++ fetchmail-6.5.1/fetchmail.man
+@@ -1061,12 +1061,9 @@ See USER AUTHENTICATION below for a comp
+ .br
+ Specifies a file name from which to read the first line to use as the password.
+ Useful if something changes the password/token often without regenerating a
+-long fetchmailrc file, such as with typical xoauth2 authentication tokens.
++long fetchmailrc file, such as with typical oauth2 authentication tokens.
+ Protect the file with appropriate permissions to avoid leaking your password.
+-Fetchmail might not re-read the file in daemon mode (-d) unless the
+-fetchmailrc file also changes, so it might make sense to run it in
+-non-daemon mode from some other background process (cron and/or whatever
+-updates the password).
++Fetchmail will re-read the file for each poll when in daemon mode.
+ .TP
+ .B \-\-passwordfd
+ (Keyword: passwordfd)
+@@ -1079,7 +1076,7 @@ although it could also be a redirected i
+ (equivalent to "fetchmail \-\-passwordfd 5 5
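Review bot: In the per-poll passwordfile block, `close(fd)` runs between `read()` and the `res == -1` check, so the `errno` copied into `saveErrno` may be the one left by close() rather than by the failed read. Capture it first, `res = read(fd, msg, sizeof(msg)-1); saveErrno = errno; close(fd);`, with `int saveErrno` declared alongside `res`. The block also accepts a single read and cannot tell a file longer than PASSWORDLEN from one that fits, so an over-long token is cut short and only shows up later as an authentication failure. The enclosing poll loop in main() starts and ends outside the hunk.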
+Date: Fri, 30 Jun 2017 02:35:12 -0600
+Subject: support oauthbearer/xoauth2 with pop3
+Git-repo: https://gitlab.com/fetchmail/fetchmail.git
+Git-commit: 7b5c56f0fa3acb4c5589a4747c1921a311d8a464
+
+(Also factor out some common imap/pop3 oauth2 code.)
+---
+ Makefile.am | 2
+ fetchmail.man | 5 --
+ imap.c | 53 +++--------------------
+ oauth2.c | 61 +++++++++++++++++++++++++++
+ oauth2.h | 6 ++
+ pop3.c | 130 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 6 files changed, 202 insertions(+), 55 deletions(-)
+ create mode 100644 oauth2.c
+ create mode 100644 oauth2.h
+
+Index: fetchmail-6.5.1/Makefile.am
+===================================================================
+--- fetchmail-6.5.1.orig/Makefile.am
++++ fetchmail-6.5.1/Makefile.am
+@@ -63,7 +63,7 @@ fetchmail_SOURCES= fetchmail.h getopt.h
+ fetchmail.c env.c idle.c options.c daemon.c \
+ driver.c transact.c sink.c smtp.c \
+ idlist.c uid.c mxget.c md5ify.c cram.c gssapi.c \
+- opie.c interface.c netrc.c \
++ oauth2.c opie.c interface.c netrc.c \
+ unmime.c conf.c checkalias.c uid_db.h uid_db.c\
+ lock.h lock.c \
+ rcfile_l.l rcfile_y.y \
+Index: fetchmail-6.5.1/fetchmail.man
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmail.man
++++ fetchmail-6.5.1/fetchmail.man
+@@ -1114,7 +1114,7 @@ AUTHENTICATION below for details). The
+ excruciating exactness, \fBkerberos_v4\fP), \fBgssapi\fP,
+ \fBcram\-md5\fP, \fBotp\fP, \fBntlm\fP, \fBmsn\fP (only for POP3),
+ \fBexternal\fP (only IMAP), \fBimplicit\fP (\fBssh\fP is understood
+-as alias for \fBimplicit\fP) and \fBoauthbearer\fP (only IMAP).
++as alias for \fBimplicit\fP) and \fBoauthbearer\fP (requires token).
+ When \fBany\fP (the default) is specified, fetchmail tries
+ first methods that do not require a password (EXTERNAL, GSSAPI, KERBEROS\ IV,
+ KERBEROS\ 5); then it looks for methods that mask your password
+@@ -2492,8 +2492,7 @@ Legal protocol identifiers for use with
+ Legal authentication types are 'any', 'password', 'kerberos',
+ \&'kerberos_v4', 'kerberos_v5' and 'gssapi', 'cram\-md5', 'otp', 'msn'
+ (only for POP3), 'ntlm', 'implicit', 'external' (only IMAP),
+-'oauthbearer' (only for IMAP; requires authentication token in
+-place of password).
++'oauthbearer' (requires authentication token in place of password).
+ The 'password' type specifies
+ authentication by normal transmission of a password (the password may be
+ plain text or subject to protocol-specific encryption as in CRAM-MD5);
+Index: fetchmail-6.5.1/imap.c
+===================================================================
+--- fetchmail-6.5.1.orig/imap.c
++++ fetchmail-6.5.1/imap.c
+@@ -15,6 +15,7 @@
+ #include
+ #include
+ #include
++#include "oauth2.h"
+ #include "socket.h"
+
+ #include "i18n.h"
+@@ -417,63 +418,23 @@ static int do_imap_ntlm(int sock, struct
+
+ static int do_imap_oauthbearer(int sock, struct query *ctl,flag xoauth2)
+ {
+- /* Implements relevant parts of RFC-7628, RFC-6750, and
+- * https://developers.google.com/gmail/imap/xoauth2-protocol
+- *
+- * This assumes something external manages obtaining an up-to-date
+- * authentication/bearer token and arranging for it to be in
+- * ctl->password. This may involve renewing it ahead of time if
+- * necessary using a renewal token that fetchmail knows nothing about.
+- * See:
+- * https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough
+- */
+- const char *name;
+- char *oauth2str;
+- int oauth2len;
+- int saved_suppress_tags = suppress_tags;
+-
+- char *oauth2b64;
+-
++ char *oauth2str = get_oauth2_string(ctl, xoauth2);
++ const char *name = xoauth2 ? "XOAUTH2" : "OAUTHBEARER";
+ int ok;
+
+- oauth2len = strlen(ctl->remotename) + strlen(ctl->password) + 32;
+- oauth2str = (char *)xmalloc(oauth2len);
+- if (xoauth2)
+- {
+- snprintf(oauth2str, oauth2len,
+- "user=%s\1auth=Bearer %s\1\1",
+- ctl->remotename,
+- ctl->password);
+- name = "XOAUTH2";
+- }
+- else
+- {
+- snprintf(oauth2str, oauth2len,
+- "n,a=%s,\1auth=Bearer %s\1\1",
+- ctl->remotename,
+- ctl->password);
+- name = "OAUTHBEARER";
+- }
+-
+- oauth2b64 = (char *)xmalloc(2*strlen(oauth2str)+8);
+- to64frombits(oauth2b64, oauth2str, strlen(oauth2str));
+-
+- memset(oauth2str, 0x55, strlen(oauth2str));
+- free(oauth2str);
+-
+ /* Protect the access token like a password in logs, despite the
+ * usually-short expiration time and base64 encoding:
+ */
+- strlcpy(shroud, oauth2b64, sizeof(shroud));
++ strlcpy(shroud, oauth2str, sizeof(shroud));
+
+ plus_cont_context = IPLUS_OAUTHBEARER;
+- ok = gen_transact(sock, "AUTHENTICATE %s %s", name, oauth2b64);
++ ok = gen_transact(sock, "AUTHENTICATE %s %s", name, oauth2str);
+ plus_cont_context = IPLUS_NONE;
+
+ memset(shroud, 0x55, sizeof(shroud));
+ shroud[0] = '\0';
+- memset(oauth2b64, 0x55, strlen(oauth2b64));
+- free(oauth2b64);
++ memset(oauth2str, 0x55, strlen(oauth2str));
++ free(oauth2str);
+
+ return ok;
+ }
+Index: fetchmail-6.5.1/oauth2.c
+===================================================================
+--- /dev/null
++++ fetchmail-6.5.1/oauth2.c
+@@ -0,0 +1,61 @@
++/*
++ * oauth2.c -- oauthbearer and xoauth2 support
++ *
++ * Copyright 2017 by Matthew Ogilvie
++ * For license terms, see the file COPYING in this directory.
++ */
++
++#include "config.h"
++#include "fetchmail.h"
++#include "oauth2.h"
++
++#include
++#include
++
++char *get_oauth2_string(struct query *ctl,flag xoauth2)
++{
++ /* Implements the bearer token string based for a
++ * combination of RFC-7628 (ouath sasl, with
++ * examples for imap only), RFC-6750 (oauth2), and
++ * RFC-5034 (pop sasl), as implemented by gmail and others.
++ *
++ * Also supports xoauth2, which is just a couple of minor variariations.
++ * https://developers.google.com/gmail/imap/xoauth2-protocol
++ *
++ * This assumes something external manages obtaining an up-to-date
++ * authentication/bearer token and arranging for it to be in
++ * ctl->password. This may involve renewing it ahead of time if
++ * necessary using a renewal token that fetchmail knows nothing about.
++ * See:
++ * https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough
++ */
++ char *oauth2str;
++ int oauth2len;
++
++ char *oauth2b64;
++
++ oauth2len = strlen(ctl->remotename) + strlen(ctl->password) + 32;
++ oauth2str = (char *)xmalloc(oauth2len);
++ if (xoauth2)
++ {
++ snprintf(oauth2str, oauth2len,
++ "user=%s\1auth=Bearer %s\1\1",
++ ctl->remotename,
++ ctl->password);
++ }
++ else
++ {
++ snprintf(oauth2str, oauth2len,
++ "n,a=%s,\1auth=Bearer %s\1\1",
++ ctl->remotename,
++ ctl->password);
++ }
++
++ oauth2b64 = (char *)xmalloc(2*strlen(oauth2str)+8);
++ to64frombits(oauth2b64, oauth2str, strlen(oauth2str));
++
++ memset(oauth2str, 0x55, strlen(oauth2str));
++ free(oauth2str);
++
++ return oauth2b64;
++}
+Index: fetchmail-6.5.1/oauth2.h
+===================================================================
+--- /dev/null
++++ fetchmail-6.5.1/oauth2.h
+@@ -0,0 +1,6 @@
++#ifndef OAUTH2_H
++#define OAUTH2_H
++
++char *get_oauth2_string(struct query *ctl,flag xoauth2);
++
++#endif /*OAUTH2_H*/
+Index: fetchmail-6.5.1/pop3.c
+===================================================================
+--- fetchmail-6.5.1.orig/pop3.c
++++ fetchmail-6.5.1/pop3.c
+@@ -17,6 +17,7 @@
+ #include
+ #include
+
++#include "oauth2.h"
+ #include "socket.h"
+ #include "i18n.h"
+ #include "uid_db.h"
+@@ -49,6 +50,10 @@ static flag has_cram = FALSE;
+ static flag has_otp = FALSE;
+ static flag has_ntlm = FALSE;
+ static flag has_stls = FALSE;
++static flag has_oauthbearer = FALSE;
++static flag has_xoauth2 = FALSE;
++
++static const char *next_sasl_resp = NULL;
+
+ static void clear_sessiondata(void) {
+ /* must match defaults above */
+@@ -132,12 +137,65 @@ static int pop3_ok (int sock, char *argb
+ char buf [POPBUFSIZE+1];
+ char *bufp;
+
+- if ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
++ while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
+ { bufp = buf;
+- if (*bufp == '+' || *bufp == '-')
+- bufp++;
+- else
++ if (*bufp == '+')
++ {
++ bufp++;
++ if (*bufp == ' ' && next_sasl_resp != NULL)
++ {
++ /* Currently only used for OAUTHBEARER/XOAUTH2, and only
++ * rarely even then.
++ *
++ * This is the only case where the top while() actually
++ * loops.
++ *
++ * For OAUTHBEARER, data aftetr '+ ' is probably
++ * base64-encoded JSON with some HTTP-related error details.
++ */
++ if (*next_sasl_resp != '\0')
++ SockWrite(sock, next_sasl_resp, strlen(next_sasl_resp));
++ SockWrite(sock, "\r\n", 2);
++ if (outlevel >= O_MONITOR)
++ {
++ const char *found;
++ if (shroud[0] && (found = strstr(next_sasl_resp, shroud)))
++ {
++ /* enshroud() without copies, and avoid
++ * confusing with a genuine "*" (cancel).
++ */
++ report(stdout, "POP3> %.*s[SHROUDED]%s\n",
++ (int)(found-next_sasl_resp), next_sasl_resp,
++ found+strlen(shroud));
++ }
++ else
++ {
++ report(stdout, "POP3> %s\n", next_sasl_resp);
++ }
++ }
++
++ if (*next_sasl_resp == '\0' || *next_sasl_resp == '*')
++ {
++ /* No more responses expected, cancel AUTH command if
++ * more responses requested.
++ */
++ next_sasl_resp = "*";
++ }
++ else
++ {
++ next_sasl_resp = "";
++ }
++ continue;
++ }
++ }
++ else if (*bufp == '-')
++ {
++ bufp++;
++ }
++ else
++ {
+ return(PS_PROTOCOL);
++ }
+
+ while (isalpha((unsigned char)*bufp))
+ bufp++;
+@@ -206,6 +264,8 @@ static int pop3_ok (int sock, char *argb
+ #endif
+ if (argbuf != NULL)
+ strcpy(argbuf,bufp);
++
++ break;
+ }
+
+ return(ok);
+@@ -234,11 +294,13 @@ static int capa_probe(int sock)
+ #ifdef NTLM_ENABLE
+ has_ntlm = FALSE;
+ #endif /* NTLM_ENABLE */
++ has_oauthbearer = FALSE;
++ has_xoauth2 = FALSE;
+
+ ok = gen_transact(sock, "CAPA");
+ if (ok == PS_SUCCESS)
+ {
+- char buffer[64];
++ char buffer[128];
+ char *cp;
+
+ /* determine what authentication methods we have available */
+@@ -253,6 +315,10 @@ static int capa_probe(int sock)
+ if (strstr(buffer, "STLS"))
+ has_stls = TRUE;
+ #endif /* SSL_ENABLE */
++static flag has_oauthbearer = FALSE;
++static flag has_xoauth2 = FALSE;
++
++static const char *next_sasl_resp = NULL;
+
+ #if defined(GSSAPI)
+ if (strstr(buffer, "GSSAPI"))
+@@ -276,6 +342,12 @@ static int capa_probe(int sock)
+
+ if (strstr(buffer, "CRAM-MD5"))
+ has_cram = TRUE;
++
++ if (strstr(buffer, "OAUTHBEARER"))
++ has_oauthbearer = TRUE;
++
++ if (strstr(buffer, "XOAUTH2"))
++ has_xoauth2 = TRUE;
+ }
+ }
+ done_capa = TRUE;
+@@ -292,6 +364,40 @@ static void set_peek_capable(struct quer
+ peek_capable = !ctl->fetchall && (!ctl->keep || ctl->server.uidl);
+ }
+
++static int do_oauthbearer(int sock, struct query *ctl, flag xoauth2)
++{
++ char *oauth2str = get_oauth2_string(ctl, xoauth2);
++ const char *name = xoauth2 ? "XOAUTH2" : "OAUTHBEARER";
++ int ok;
++
++ /* Protect the access token like a password in logs, despite the
++ * usually-short expiration time and base64 encoding:
++ */
++ strlcpy(shroud, oauth2str, sizeof(shroud));
++
++ if (4+1+1+2+strlen(name)+strlen(oauth2str) <= 255)
++ {
++ next_sasl_resp = "";
++ ok = gen_transact(sock, "AUTH %s %s", name, oauth2str);
++ }
++ else
++ {
++ /* Too long to use "initial client response" (RFC-5034 section 4,
++ * referencing RFC-4422 section 4).
++ */
++ next_sasl_resp = oauth2str;
++ ok = gen_transact(sock, "AUTH %s", name);
++ }
++ next_sasl_resp = NULL;
++
++ memset(shroud, 0x55, sizeof(shroud));
++ shroud[0] = '\0';
++ memset(oauth2str, 0x55, strlen(oauth2str));
++ free(oauth2str);
++
++ return ok;
++}
++
+ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
+ /* apply for connection authorization */
+ {
+@@ -371,6 +477,7 @@ static int pop3_getauth(int sock, struct
+ (ctl->server.authenticate == A_KERBEROS_V5) ||
+ (ctl->server.authenticate == A_OTP) ||
+ (ctl->server.authenticate == A_CRAM_MD5) ||
++ (ctl->server.authenticate == A_OAUTHBEARER) ||
+ maybe_starttls(ctl))
+ {
+ if ((ok = capa_probe(sock)) != PS_SUCCESS)
+@@ -520,6 +627,19 @@ static int pop3_getauth(int sock, struct
+ /*
+ * OK, we have an authentication type now.
+ */
++ if (ctl->server.authenticate == A_OAUTHBEARER)
++ {
++ if (has_oauthbearer || !has_xoauth2)
++ {
++ ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
++ }
++ if (ok != PS_SUCCESS && has_xoauth2)
++ {
++ ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
++ }
++ break;
++ }
++
+ #if defined(KERBEROS_V4)
+ /*
+ * Servers doing KPOP have to go through a dummy login sequence
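Review bot: The three declarations added after `#endif /* SSL_ENABLE */` in the capa_probe hunk (`static flag has_oauthbearer`, `static flag has_xoauth2`, `static const char *next_sasl_resp`) repeat the file-scope ones this patch already adds next to `has_stls`. Inside a function body they become block-scope statics that shadow the file-scope variables. If the `has_oauthbearer = TRUE;` and `has_xoauth2 = TRUE;` assignments a few lines further down are in the same block, which the context suggests but does not show, they set the shadows. pop3_getauth would then keep reading the file-scope flags as FALSE and never try XOAUTH2. This looks like a rebase artifact: drop the three lines from that hunk and build with `-Wshadow` so a recurrence is reported.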
diff --git a/fetchmail.changes b/fetchmail.changes
new file mode 100644
index 0000000..ce90c31
--- /dev/null
+++ b/fetchmail.changes
@@ -0,0 +1,1787 @@
+-------------------------------------------------------------------
+Tue Nov 26 09:22:07 UTC 2024 - Angel Yankov
+
+- Upgrade to 6.5.1
+ * Drop two wolfSSL compile-time checks that were for older 6.4 or for future
+ 7.0 releases and broke compilation with wolfSSL 5.7.4.
+ Fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282413#c4
+ * Use %p instead of non-portable %#p for one wolfSSL-related diagnostic message
+ (FreeBSD defines %#p to be %p, on many other platforms it's undefined
+ behavior).
+ * Add regex_helper.c to list of files that contain translatable strings,
+ which contains two strings we missed to translate.
+ * Simplify EVP_MD_fetch API detection ("like OpenSSL 3" vs. "like OpenSSL 1")
+ for version switch and base it on the claimed OpenSSL version of the crypto
+ SSL, which works for LibreSSL (claims OpenSSL 2) and wolfSSL alike.
+ * Several translations added
+ - Rebased fetchmail-6.3.8-smtp_errors.patch
+ - Rebased fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch
+ - Rebased fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch
+ - Rebased fetchmail-add-imap-oauthbearer-support.patch
+ - Rebased fetchmail-add-passwordfile-and-passwordfd-options.patch
+ - Rebased fetchmail-add-query_to64_outsize-utility-function.patch
+ - Rebased fetchmail-bump-max-passwordlen-to-1bytes.patch
+ - Rebased fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
+ - Rebased fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
+ - Rebased fetchmail-re-read-passwordfile-on-every-poll.patch
+ - Rebased fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
+ - Rebased fetchmailconf-no-more-future.patch
+
+-------------------------------------------------------------------
+Thu Apr 4 09:01:54 UTC 2024 - Dirk Müller
+
+- update to 6.4.38:
+ * Tighten OpenSSL and wolfSSL version requirements again. See
+ README.SSL.
+ * Distributors providing older versions that they backport
+ security fixes for may want to patch socket.c but remember
+ to redirect support to your distribution's support channels.
+ The fetchmail maintainer only supports functionally
+ unmodified builds with publicly available SSL/TLS library
+ versions.
+ * fetchmail will refuse to build against OpenSSL 1.0.2 older
+ than 1.0.2u, or wolfSSL older than 5.6.2. It will warn about
+ OpenSSL older than 3.0.9, or between 3.1.0 and 3.1.4,
+ or wolfSSL older than 5.6.6.
+
+-------------------------------------------------------------------
+Wed Jan 17 00:33:48 UTC 2024 - Steve Kowalik
+
+- Add patch fetchmailconf-no-more-future.patch:
+ * Drop requirement for python-future from fetchmailconf.
+
+-------------------------------------------------------------------
+Wed Mar 1 17:15:06 UTC 2023 - David Anes
+
+- Update to 6.4.37:
+ * TRANSLATIONS: language translations were updated:
+ - sr [Serbian]
+
+-------------------------------------------------------------------
+Tue Feb 7 15:44:28 UTC 2023 - David Anes
+
+- Update to 6.4.36:
+ * TRANSLATIONS: language translations were updated:
+ - cs, es, fr, ja, pl, ro, sq, sv
+
+-------------------------------------------------------------------
+Sat Jan 21 15:14:46 UTC 2023 - Dirk Müller
+
+- disable opie support
+
+-------------------------------------------------------------------
+Thu Jan 5 21:24:47 UTC 2023 - David Anes
+
+- Update to 6.4.35:
+ * BREAKING CHANGES:
+ - Fetchmail now warns about OpenSSL before 1.1.1s or 3.0.7,
+ and rejects wolfSSL older than 5.5.0.
+ * Updated Swedish and Esperanto translations.
+
+-------------------------------------------------------------------
+Fri Oct 21 11:24:40 UTC 2022 - David Anes
+
+- Remove stale requires to python-rpm-macros.
+
+-------------------------------------------------------------------
+Mon Oct 17 09:33:53 UTC 2022 - David Anes
+
+- Update to 6.4.34:
+ * Bugfixes:
+ - When an SMTP receiver refuses delivery, a message would be
+ deleted from the mail store in spite of a softbounce option
+ that is enabled.
+
+ * Translations:
+ - Updated Serbian translation
+
+-------------------------------------------------------------------
+Thu Sep 1 07:14:57 UTC 2022 - Matej Cepl
+
+- Update to 6.4.33:
+ - Turns out the snapd version of HTMLDOC 1.9.16 is broken, so I
+ have added a wrapper script that uses the flatpak version of
+ HTMLDOC, for the benefit of rebuilding on distros that do not
+ ship HTMLDOC natively.
+- Remove upstreamed 44-uncorrupt_runfetchmail.patch
+
+-------------------------------------------------------------------
+Wed Aug 31 15:47:06 UTC 2022 - Stefan Schubert
+
+- Migration to /usr/etc: Saving user changed configuration files
+ in /etc and restoring them while an RPM update.
+
+-------------------------------------------------------------------
+Sat Jul 30 19:10:08 UTC 2022 - Matej Cepl
+
+- Update to 6.4.32:
+ * Use configure to find rst2html, some systems install it only
+ with .py suffix, others only without, and some install both.
+ * Update README.maintainer
+ * Translations updated.
+- Reapplied patches
+- Add 44-uncorrupt_runfetchmail.patch to clean up some contrib/
+ scripts (gl#fetchmail/fetchmail#44).
+
+-------------------------------------------------------------------
+Mon Jul 18 08:26:23 UTC 2022 - David Anes
+
+- update to 6.4.31
+ * Bugfixes:
+ - Try to fix ./configure --with-ssl=... for systems that have
+ multiple OpenSSL versions installed. Issues reported by
+ Dennis Putnam.
+ - The netrc parser now reports its errors to syslog or logfile
+ when appropriate, previously it would always log to stderr.
+ - Add error checking to .netrc parser.
+ * Changes:
+ - manpage: use .UR/.UE macros instead of .URL for URIs.
+ - manpage: fix contractions. Found with FreeBSD's igor tool.
+ - manpage: HTML now built with pandoc -> python-docutils
+ (manServer.pl was dropped)
+
+-------------------------------------------------------------------
+Tue Jun 21 13:43:53 UTC 2022 - Stefan Schubert
+
+- Moved logrotate files from user specific directory /etc/logrotate.d
+ to vendor specific directory /usr/etc/logrotate.d.
+
+-------------------------------------------------------------------
+Thu Apr 28 10:16:07 UTC 2022 - David Anes
+
+- update to 6.4.30:
+ * Breaking changes:
+ - Bump wolfSSL minimum required version to 5.2.0 to pull in
+ security fix.
+ * Changes:
+ - Using OpenSSL 1.* before 1.1.1n elicits a compile-time
+ warning.
+ - Using OpenSSL 3.* before 3.0.2 elicits a compile-time
+ warning.
+ - configure.ac was tweaked in order to hopefully fix
+ cross-compilation issues report, and different patch
+ suggested
+ * Translations.:
+ - ro: Updated Romanian translation.
+
+-------------------------------------------------------------------
+Sat Apr 9 22:38:16 UTC 2022 - Dirk Müller
+
+- update to 6.4.29:
+ * Updated vi [Vietnamese] translation.
+
+-------------------------------------------------------------------
+Thu Mar 10 07:15:19 UTC 2022 - David Anes
+
+- update to 6.4.28:
+ * Updated spanish translation.
+- fix typos in changelog.
+
+-------------------------------------------------------------------
+Fri Feb 25 18:13:26 UTC 2022 - David Anes
+
+- update to 6.4.27:
+ * Bump wolfSSL minimum required version to 5.1.1 to pull in
+ security fix.
+ * Updated romanian translation.
+
+-------------------------------------------------------------------
+Wed Jan 12 10:39:18 UTC 2022 - David Anes
+
+- fix [bsc#1194203]:
+ * Always create fetchmail group, even if the user is already
+ present, as a leftover from Leap 15.2 upgrade. This may happen
+ also if user is messing with groups/users directly or upgrading
+ from even an older fetchmail versions.
+
+-------------------------------------------------------------------
+Mon Dec 27 16:50:06 UTC 2021 - David Anes
+
+- update to 6.4.26:
+ * When using wolfSSL 5.0.0, work around a bug that appears to hit
+ wolfSSL when receiving handshake records while still in
+ SSL_peek(). Workaround is to read 1 byte and cache it, then
+ call SSL_peek() again. This affects only some servers.
+ * New serbian translation.
+
+-------------------------------------------------------------------
+Sat Dec 11 23:23:50 UTC 2021 - Dirk Müller
+
+- update to 6.4.25:
+ * 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag
+ contained a typo and would not kick in properly.
+ * Library and/or rpath setting from configure.ac was fixed.
+ * Added an example systemd unit file and instructions to contrib/systemd/
+ which runs fetchmail as a daemon with 5-minute poll intervals.
+ * fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer,
+ see INSTALL and README.SSL. This is considered experimental.
+ Feedback solicited.
+ * Bison 3.8 dropped yytoknum altogether, breaking compilation due to a
+ warning workaround. Remove the cast of yytoknum to void. This may cause
+ a compiler warning to reappear with older Bison versions.
+ * OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3
+ certificate in its trust store because OpenSSL by default prefers the
+ untrusted certificate and fails.
+ * For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin
+ - no matter its contents - and that set auth ssh), change the STARTTLS
+ error message to suggest sslproto '' instead.
+ This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22.
+- drop fetchmail-bison-3.8.patch (upstream)
+- Rebased patches:
+ * fetchmail-add-imap-oauthbearer-support.patch
+ * fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
+
+-------------------------------------------------------------------
+Tue Nov 9 16:23:42 UTC 2021 - Dominique Leuenberger
+
+- Add fetchmail-bison-3.8.patch: Fix build with bison 3.8.
+
+-------------------------------------------------------------------
+Wed Oct 6 15:00:19 UTC 2021 - Pedro Monreal
+
+- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
+ * OPENSSL AND LICENSING NOTE:
+ - fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
+ OpenSSL's licensing changed between these releases from dual
+ OpenSSL/SSLeay license to Apache License v2.0, which is
+ considered incompatible with GPL v2 by the FSF. For
+ implications and details, see the file COPYING.
+ * SECURITY FIXES:
+ - CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
+ without --ssl and with nonempty --sslproto, meaning that
+ fetchmail is to enforce TLS, and when the server or an attacker
+ sends a PREAUTH greeting, fetchmail used to continue an
+ unencrypted connection. Now, log the error and abort the
+ connection. --Recommendation for servers that support
+ SSL/TLS-wrapped or "implicit" mode on a dedicated port
+ (default 993): use --ssl, or the ssl user option in an rcfile.
+ - On IMAP and POP3 connections, --auth ssh no longer prevents
+ STARTTLS negotiation.
+ - On IMAP connections, fetchmail does not permit overriding
+ a server-side LOGINDISABLED with --auth password any more.
+ - On POP3 connections, the possibility for RPA authentication
+ (by probing with an AUTH command without arguments) no longer
+ prevents STARTTLS negotiation.
+ - For POP3 connections, only attempt RPA if the authentication
+ type is "any".
+ * BUG FIXES:
+ - On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
+ have received the tagged (= final) response, do not send "*".
+ - On IMAP connections, AUTHENTICATE EXTERNAL without username
+ will properly send a "=" for protocol compliance.
+ - On IMAP connections, AUTHENTICATE EXTERNAL will now check if
+ the server advertised SASL-IR (RFC-4959) support and otherwise
+ refuse (fetchmail <= 6.4 has not supported and does not support
+ the separate challenge/response with command continuation)
+ - On IMAP connections, when --auth external is requested but not
+ advertised by the server, log a proper error message.
+ - Fetchmail no longer crashes when attempting a connection with
+ --plugin "" or --plugout "".
+ - Fetchmail no longer leaks memory when processing the arguments
+ of --plugin or --plugout on connections.
+ - On POP3 connections, the CAPAbilities parser is now caseblind.
+ - Fix segfault on configurations with "defaults ... no envelope".
+ This is a regression in fetchmail 6.4.3 and happened when
+ plugging memory leaks, which did not account for that the
+ envelope parameter is special when set as "no envelope". The
+ segfault happens in a constant strlen(-1), triggered by trusted
+ local input => no vulnerability.
+ - Fix program abort (SIGABRT) with "internal error" when invalid
+ sslproto is given with OpenSSL 1.1.0 API compatible SSL
+ implementations.
+ * CHANGES:
+ - IMAP: When fetchmail is in not-authenticated state and the server
+ volunteers CAPABILITY information, use it and do not re-probe.
+ (After STARTTLS, fetchmail must and will re-probe explicitly.)
+ - For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl
+ option do not match, emit a warning and continue.
+ - fetchmail.man and README.SSL were updated in line with
+ RFC-8314/8996/8997 recommendations to prefer Implicit TLS
+ (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+
+ more prominently. The defaults shall not change between 6.4.X
+ releases for compatibility.
+ * Rebase patches:
+ fetchmail-add-imap-oauthbearer-support.patch
+ fetchmail-add-query_to64_outsize-utility-function.patch
+ fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
+
+-------------------------------------------------------------------
+Tue Sep 14 08:55:42 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * fetchmail.service
+
+-------------------------------------------------------------------
+Tue Aug 24 16:50:40 UTC 2021 - Pedro Monreal
+
+- Update to 6.4.21:
+ * REGRESSION FIX: The new security fix in 6.4.20 for
+ CVE-2021-36386 caused truncation of messages logged to
+ buffered outputs, predominantly --logfile.
+
+-------------------------------------------------------------------
+Thu Jul 29 07:57:07 UTC 2021 - Pedro Monreal
+
+- Update to 6.4.20: [bsc#1188875, CVE-2021-36386]
+ * CVE-2021-36386: DoS or information disclosure in some configurations.
+ When a log message exceeds c. 2 kByte in size, for instance,
+ with very long header contents, and depending on verbosity
+ option, fetchmail can crash or misreport each first log message
+ that requires a buffer reallocation. fetchmail then reallocates
+ memory and re-runs vsnprintf() without another call to va_start(),
+ so it reads garbage. The exact impact depends on many factors
+ around the compiler and operating system configurations used and
+ the implementation details of the stdarg.h interfaces of the two
+ functions mentioned before.
+
+-------------------------------------------------------------------
+Thu May 13 16:57:09 UTC 2021 - Jeff Mahoney
+
+- Backported support for OAUTH2 authentication from Fetchmail 7.0.
+ - add imap oauthbearer support
+ - support oauthbearer/xoauth2 with pop3
+ - add passwordfile and passwordfd options
+ - add contrib/fetchnmail-oauth2.py token acquisition utility
+ - FAQ: list gmail options including oauthbearer and app password
+ - give each ctl it's own copy of password
+ - re-read passwordfile on every poll
+ - add query_to64_outsize() utility function
+ - Chase and integrate interface change.
+ - oauth2.c: calculate and pass in correct buffer size to to64frombits()
+ - Increase max password length to handle oauth tokens
+ - Bump max. passwordlen to 10000 bytes.
+ - Add README.OAUTH2
+- Added patches:
+ * fetchmail-add-imap-oauthbearer-support.patch
+ * fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
+ * fetchmail-add-passwordfile-and-passwordfd-options.patch
+ * fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch
+ * fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch
+ * fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
+ * fetchmail-re-read-passwordfile-on-every-poll.patch
+ * fetchmail-add-query_to64_outsize-utility-function.patch
+ * fetchmail-chase-and-integrate-interface-change.patch
+ * fetchmail-oauth2-c-calculate-and-pass-in-correct-buffer-size-to-to64frombits.patch
+ * fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
+ * fetchmail-bump-max-passwordlen-to-1bytes.patch
+ * fetchmail-add-readme-oauth2-issue-27.patch
+
+-------------------------------------------------------------------
+Sat May 8 19:55:09 UTC 2021 - Dirk Müller
+
+- update to 6.4.19:
+ * fetchmailconf: properly catch and report option parsing errors
+ * LMTP: do not try to validate the last component of a UNIX-domain LMTP socket
+ as though it were a TCP port.
+
+-------------------------------------------------------------------
+Tue Apr 6 02:13:46 UTC 2021 - Dirk Müller
+
+- update to 6.4.18:
+ * fetchmailconf: fetchmail 6.4.16 added --sslcertfile to the configuration dump,
+ but fetchmailconf support was incomplete in Git 7349f124 and it could not
+ parse sslcertfile, thus the user settings editor came up empty with console
+ errors printed. Fix configuration parser in fetchmailconf.
+ * fetchmailconf: do not require fetchmail for -V. do not require Tk (Tkinter)
+ for -d option. This is to fail more gracefully on incomplete installs.
+ * TLS code: remove OPENSSL_NO_DEPRECATED macros to avoid portability issues
+ with OpenSSL v3 - these are for development purposes, not production.
+ * TLS futureproofing: use SSL_use_PrivateKey_file instead of
+ SSL_use_RSAPrivateKey_file, the latter will be deprecated with OpenSSL v3,
+ and the user's key file might be something else than RSA.
+ * IMAP client: it used to leak memory for username and password when trying
+ the LOGIN (password-based) authentication and encountered a timeout situation.
+ * dist-tools/getstats.py: also counts lines in *.py files, shown above.
+ * fetchmail.man: now mentions that you may need to add --ssl when specifying
+ a TLS-wrapped port.
+ * fetchmailconf: --version (-V) now prints the Python version in use.
+
+-------------------------------------------------------------------
+Mon Mar 1 07:51:03 UTC 2021 - Pedro Monreal
+
+- update to 6.4.16:
+ * fetchmail's --configdump, and fetchmailconf, lacked support for
+ the sslcertfile option.
+ * fetchmail --version [fetchmail -V] now queries and prints the
+ SSL/TLS library's "SSL default trusted certificate" file or
+ directory (mind the word "default"), where the OpenSSL-compatible
+ TLS implementation will look for trusted root, meaning
+ certification authority (CA), certificates.
+ * fetchmail --version now prints version of the OpenSSL library
+ that it was compiled against, and that it is using at runtime,
+ and also the OPENSSL_DIR and OPENSSL_ENGINES_DIR (if available).
+
+-------------------------------------------------------------------
+Mon Jan 4 10:28:06 UTC 2021 - Dirk Müller
+
+- update to 6.4.15:
+ * Fix a typo in the manual page reported by David McKelvie.
+ * Fix cross-compilation with openssl, by Fabrice Fontaine. Merge request !23.
+ * Fix truncation of SMTP PLAIN AUTH with ^ in credentials, by Earl Chew.
+
+-------------------------------------------------------------------
+Sat Dec 19 09:52:39 UTC 2020 - Dirk Mueller
+
+- update to 6.4.14:
+ * sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
+ * Errors about lock file (= pidfile) creation could be lost in daemon
+ configurations (-d option, or set daemon) when using syslog. Now they are also
+ logged to syslog. Found verifying a pidfile creation issue on 6.4.12 that was
+ previously reported by Alex Hall of Automatic Distributors.
+ * If the lock file cannot be removed (no write permission on directory), try
+ to truncate it, and if that fails, report error.
+ * If the pidfile was non-default, fetchmail -q or --quit would malfunction and
+ claim no other fetchmail were running, because it did not read the
+ configuration files or merge the command line options, thus it would look for
+ the PID in the wrong file.
+
+-------------------------------------------------------------------
+Fri Dec 18 09:39:19 UTC 2020 - Thorsten Kukuk
+
+- Don't require systemd
+- Use tmpfiles for all files
+- Use systemd macro for tmpfiles
+- Don't delete home directory if the user stays
+- Use sysusers config to create system user
+
+-------------------------------------------------------------------
+Fri Sep 4 20:22:16 UTC 2020 - Dirk Mueller
+
+- update to 6.4.12:
+ # REGRESSION FIX:
+ * configure: fetchmail 6.4.9 and 6.4.10 would miss checking for TLS v1.2 and
+ TLS v1.3 support if AC_LIB_LINKFLAGS came up with something such as
+ /path/to/libssl.so, rather than -lssl. (For instance on FreeBSD)
+ * configure: fetchmail 6.4.9's configure was unable to pick up OpenSSL
+ if it wasn't announced by pkg-config, for instance, on FreeBSD
+
+-------------------------------------------------------------------
+Fri Aug 28 10:08:46 UTC 2020 - Callum Farmer
+
+- De-hardcode /usr/lib path for launch executable (bsc#1174075)
+- Spec file cleanups
+
+-------------------------------------------------------------------
+Wed Aug 26 17:48:08 UTC 2020 - Pedro Monreal Gonzalez
+
+- Update fetchmail.keyring file
+- Use %{_prefix}/lib instead of %{_libexecdir}
+
+-------------------------------------------------------------------
+Mon Aug 24 12:59:11 UTC 2020 - Dirk Mueller
+
+- update to 6.4.8:
+ * Add a test program fm_realpath, and a t.realpath script, neither to be
+ installed. These will test resolution of the current working directory.
+ * TRANSLATION UPDATES
+ * Plug memory leaks when parts of the configuration (defaults, rcfile, command
+ line) override one another.
+ * fetchmail terminated the placeholder command string too late and included
+ garbage from the heap at the end of the string. Workaround: don't use place-
+ holders %h or %p in the --plugin string. Bug added in 6.4.0 when merging
+ Gitlab merge request !5 in order to fix an input buffer overrun.
+ Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd.
+ * Fetchmail now checks for errors when trying to read the .idfile
+ * Fetchmail's error messages that reports that the defaults entry isn't the
+ first was made more precise. It could be misleading if there was a poll or
+ skip statement before the defaults.
+ * Fetchmail documentation was updated to require OpenSSL 1.1.1.
+ OpenSSL 1.0.2 reached End Of Life status at the end of the year 2019.
+ Fetchmail will tolerate, but warn about, 1.0.2 for now on the assumption that
+ distributors backport security fixes as the need arises.
+ Fetchmail will also warn if another SSL library that is API-compatible
+ with OpenSSL lacks TLS v1.3 support.
+ * If the trust anchor is missing, fetchmail refers the user to README.SSL.
+ * The AC_DECLS(getenv) check was removed, its only user was broken and not
+ accounting for that AC_DECLS always defines HAVE_DECL_... to 0 or 1, so
+ fetchmail never declared a missing getenv() symbol (it was testing with
+ #ifdef). Remove the backup declaration. getenv is mandated by SUSv2 anyways.
+ * fetchmailconf now supports Python 3 and currently requires the "future"
+ package, see https://pypi.org/project/future/.
+ * fetchmailconf: The minimum supported version is now Python 2.7.13, but it is
+ recommended to use at least 2.7.16 (due to its massive SSL updates).
+ Older Python versions may check SSL certificates not strictly enough,
+ which may cause fetchmail to complain later, if the certificate verify fails.
+ * fetchmailconf now autoprobes SSL-wrapped connections (ports 993 and 995 for
+ IMAP and POP3) as well and by preference.
+ * fetchmailconf now defaults newly created users to "ssl" if either of the
+ existing users sets ssl, or if the server has freshly been probed and
+ found supporting ssl.
+ There is a caveat: adding a user to an existing server without probing it
+ again may skip adding ssl. (This does not prevent STARTTLS.)
+ * Fix three bugs in fetchmail.man (one unterminated string to .IP macro, one
+ line that ran into a .PP macro, .TH date format), and remove one .br request
+ from inside the table, which is unsupported by FreeBSD 12's mandoc(1) formatter.
+ * Further man page fixes and additions by Chris Mayo and Gregor Zattler.
+ * When evaluating the need for STARTTLS in non-default configurations (SSL
+ certificate validation turned off), fetchmail would only consider --sslproto
+ tls1 as requiring STARTTLS, now all non-empty protocol versions do.
+ * fetchmailconf now properly writes "no sslcertck" if sslcertck is disabled.
+ * fetchmailconf now catches and reports OS errors (including DNS errors) when
+ autoprobing.
+ * fetchmailconf received a host of other bugfixes, see the Git commit log.
+
+-------------------------------------------------------------------
+Wed Aug 19 08:10:15 UTC 2020 - Dominique Leuenberger
+
+- Fix invalid usage of libexecdir where %_tmpfilesdir was meant to
+ be used.
+
+-------------------------------------------------------------------
+Sun Feb 2 08:25:32 UTC 2020 - Thorsten Kukuk
+
+- pwdutils is gone long time ago
+
+-------------------------------------------------------------------
+Wed Jan 8 14:39:43 UTC 2020 - Ondřej Súkup
+
+- switch to python3
+- don't require python*-devel
+
+-------------------------------------------------------------------
+Fri Oct 4 12:41:35 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 6.4.1 [bsc#1152964]
+ ## REGRESSION FIXES:
+ * The bug fix Debian Bug#941129 was incomplete and caused
+ - a regression in the default file locations, so that fetchmail was
+ no longer able to find its configuration files in some situations.
+ - a regression under _FORTIFY_SOURCE where PATH_MAX > minimal _POSIX_PATH_MAX.
+
+- Update to 6.4.0
+ ## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY REQUIRE RECONFIGURATION
+ * Fetchmail no longer supports SSLv2.
+ * Fetchmail no longer attempts to negotiate SSLv3 by default,
+ even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1 or a newer
+ TLS version, with STLS/STARTTLS (it would previously force TLSv1.0 with
+ STARTTLS). If the OpenSSL version used at build and run-time supports these
+ versions, --sslproto ssl3 and --sslproto ssl3+ can be used to re-enable SSLv3.
+ Doing so is discouraged because the SSLv3 protocol is broken.
+ While this change is supposed to be compatible with common configurations,
+ users may have to and are advised to change all explicit --sslproto ssl2
+ (change to newer protocols required), --sslproto ssl3, --sslproto tls1 to
+ --sslproto auto, so that they can benefit from TLSv1.1 and TLSv1.2 where
+ supported by the server.
+ The --sslproto option now understands the values auto, ssl3+, tls1+, tls1.1,
+ tls1.1+, tls1.2, tls1.2+, tls1.3, tls1.3+ (case insensitively), see CHANGES
+ below for details.
+ * Fetchmail defaults to --sslcertck behaviour. A new option --nosslcertck to
+ override this has been added, but may be removed in future fetchmail versions
+ in favour of another configuration option that makes the insecurity in using
+ this option clearer.
+ ## SECURITY FIXES
+ * Fetchmail prevents buffer overruns in GSSAPI authentication with user names
+ beyond c. 6000 characters in length. Reported by Greg Hudson.
+ ## CHANGED REQUIREMENTS
+ * fetchmail 6.4.0 is written in C99 and requires a SUSv3 (Single Unix
+ Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with
+ XSI extension) compliant system. For now, a C89 compiler should also work
+ if the system is SUSv3 compliant.
+ In particular, older fetchmail versions had workaround for several functions
+ standardized in the Single Unix Specification v3, these have been removed.
+ The trio/ library has been removed from the distribution.
+ ## CHANGES
+ * fetchmail 6.3.X is unsupported.
+ * fetchmail now configures OpenSSL support by default.
+ * fetchmail now requires OpenSSL v1.0.2 or newer.
+ * Fetchmail now supports --sslproto auto and --sslproto tls1+ (same as ssl23).
+ * --sslproto tls1.1+, tls1.2+, and tls1.3+ are now supported for
+ auto-negotiation with a minimum specified TLS protocol version, and --sslproto
+ tls1.1, --sslproto tls1.2 and --sslproto tls1.3 to force the specified TLS
+ protocol version. Note that tls1.3 requires OpenSSL v1.1.1 or newer.
+ * Fetchmail now detects if the server hangs up prematurely during SSL_connect()
+ and reports this condition as such, and not just as SSL connection failure.
+ (OpenSSL 1.0.2 reported incompatible with pop3.live.com by Jerry Seibert).
+ * A foreground fetchmail can now accept a few more options while another copy is
+ running in the background.
+ * fetchmail now handles POP3 --keep UID lists more efficiently, by using Rainer
+ Weikusat's P-Tree implementation. This reduces the complexity for handling
+ a large UIDL from O(n^2) to O(n log n) and becomes noticably faster with
+ thousands of kept messages. (IMAP does not currently track UIDs and is unaffected.)
+ At the same time, the UIDL emulation code for deficient servers has been
+ removed. It never worked really well. Servers that do not implement the
+ optional UIDL command only work with --fetchall option set, which in itself is
+ incompatible with the --keep option (it would cause message duplication).
+ * fetchmail, when setting up TLS connections, now uses SSL_set_tlsext_host_name()
+ to set up the SNI (Server Name Indication). Some servers (for instance
+ googlemail) require SNI when using newer SSL protocols.
+ * Fetchmail now sets the expected hostname through OpenSSL 1.0.2's new
+ X509_VERIFY_PARAM_set1_host() function to enable OpenSSL's native certificate
+ verification features.
+ * fetchmail will drop the connection when fetching with IMAP and receiving an
+ unexpected untagged "* BYE" response, to work around certain faulty servers.
+ * The FETCHMAIL_POP3_FORCE_RETR environment variable is now documented,
+ it forces fetchmail, when talking POP3, to always use the RETR command,
+ even if it would otherwise use the TOP command.
+ * Fetchmail's configure stage will try to query pkg-config or pkgconf for libssl
+ and libcrypto, in case other system use .pc files to document specific library dependencies.
+ * The gethostbyname() API calls and compatibility functions have been removed.
+ * These translations are shipped but not installed by default because
+ they have less than 500 translated messages out of 714: el fi gl pt_BR sk tr
+ -> Greek, Finnish, Galician, Brazilian Portuguese, Slovak, Turkish.
+ * Fetchmail now refuses delivery if the MDA option contains single-quoted expansions.
+ ## FIXES
+ * Do not translate header tags such as "Subject:".
+ * Convert most links from berlios.de to sourceforge.net.
+ * Report error to stderr, and exit, if --idle is combined with multiple accounts.
+ * Point to --idle from GENERAL OPERATION to clarify --idle and multiple mailboxes do not mix.
+ * Fix SSL-enabled build on systems that do not declare SSLv3_client_method(),
+ or that #define OPENSSL_NO_SSL3 inside #include
+ * Version report lists -SSLv3 on SSL-enabled no-ssl3 builds.
+ * Fetchmail no longer adds a NUL byte to the username in GSSAPI authentication.
+ This was reported to break Kerberos-based authentication with Microsoft Exchange 2013
+ * Set umask properly before writing the .fetchids file, to avoid failing the
+ security check on the next run.
+ * When forwarding by LMTP, also check antispam response code when collecting
+ the responses after the CR LF . CR LF sequence at the end of the DATA phase.
+ * fetchmail will not try other protocols after a socket error. This avoids mismatches
+ of how different prococols see messages as "seen" and re-fetches of known mail.
+ * fetchmail no longer reports "System error during SSL_connect(): Success."
+ * fetchmailconf would ignore Edit or Delete actions on the first (topmost)
+ item in a list (no matter if server list, user list, ...).
+ * The mimedecode feature now properly detects multipart/mixed-type matches, so
+ that quoted-printable-encoded multipart messages can get decoded.
+ (Regression in 5.0.0 on 1999-03-27, as a side effect of a PGP-mimedecode fix
+ attributed to Henrik Storner.)
+ * FETCHMAILHOME can now safely be a relative path, which will be qualified
+ through realpath(). Previously, it had to be absolute in daemon mode.
+ ## KNOWN BUGS AND WORKAROUNDS
+ (This section floats upwards through the NEWS file so it stays with the
+ current release information)
+ * Fetchmail does not handle messages without Message-ID header well
+ (See sourceforge.net bug #780933)
+ * Fetchmail currently uses 31-bit signed integers in several places
+ where unsigned and/or wider types should have been used, for instance,
+ for mailbox sizes, and misreports sizes of 2 GibiB and beyond.
+ Fixing this requires C89 compatibility to be relinquished.
+ * BSMTP is mostly untested and errors can cause corrupt output.
+ * Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+ 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit fetchmail.
+ * Fetchmail does not track pending deletes across crashes.
+ * The command line interface is sometimes a bit stubborn, for instance,
+ fetchmail -s doesn't work with a daemon running.
+ * Linux systems may return duplicates of an IP address in some circumstances if
+ no or no global IPv6 addresses are configured.
+ (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
+ * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
+ messages. This will not be fixed, because the maintainer has no Kerberos 5
+ server to test against. Use GSSAPI.
+
+- Remove patches merged upstream:
+ * fetchmail-openssl11.patch
+ * fetchmail-fetchmailconf-python3-1of3.patch
+ * fetchmail-fetchmailconf-python3-2of3.patch
+ * fetchmail-fetchmailconf-python3-3of3.patch
+- Rebase fetchmail-6.3.8-smtp_errors.patch
+
+-------------------------------------------------------------------
+Fri May 31 08:05:50 UTC 2019 - Pedro Monreal Gonzalez
+
+- Remove comment about not available FETCHMAIL_USER configuration
+ variable in sysconfig.fetchmail (bsc#1136538)
+
+-------------------------------------------------------------------
+Wed May 29 11:58:18 UTC 2019 - Dr. Werner Fink
+
+- Use Debian 02_remove_SSLv3 change set based on beta 6.4.0 to
+ modernize the patch fetchmail-openssl11.patch for modern TLS
+ (auto) support
+
+-------------------------------------------------------------------
+Thu Mar 15 17:12:10 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Fix fetchmailconf to compile with python{2,3} [bsc#1082694]
+ * fetchmail-fetchmailconf-python3-1of3.patch
+ * fetchmail-fetchmailconf-python3-2of3.patch
+ * fetchmail-fetchmailconf-python3-3of3.patch
+
+-------------------------------------------------------------------
+Fri Mar 2 19:32:52 UTC 2018 - pmonrealgonzalez@suse.com
+
+- By default, the status messages are redirected to
+ /var/log/fetchmail. The syslog option or no-logging are also
+ available. (bsc#1033081)
+
+-------------------------------------------------------------------
+Thu Nov 23 13:43:10 UTC 2017 - rbrown@suse.com
+
+- Replace references to /var/adm/fillup-templates with new
+ %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------
+Mon Nov 13 17:18:00 UTC 2017 - vcizek@suse.com
+
+- drop SSLv3 support to build with openssl 1.1 (bsc#1066940)
+ * add fetchmail-openssl11.patch
+
+-------------------------------------------------------------------
+Fri Apr 28 13:55:29 UTC 2017 - pmonrealgonzalez@suse.com
+
+ - Allow --syslog option in daemon mode (bsc#1033081).
+ * By default, the status messages are redirected to the syslog.
+
+-------------------------------------------------------------------
+Fri Mar 31 06:17:12 UTC 2017 - meissner@suse.com
+
+- prerequire group(daemon) to meet new tumbleweed user handling
+
+-------------------------------------------------------------------
+Fri May 13 19:33:41 UTC 2016 - jengelh@inai.de
+
+- Check for user/group existence before attempting to add them,
+ and remove error suppression from these calls.
+- Ensure tmpfile creation is run
+
+-------------------------------------------------------------------
+Fri May 13 12:06:54 UTC 2016 - pjanouch@suse.de
+
+- Made the helper script introduced in last change return exit status
+ 5 on configuration errors instead of 1, which should make it a bit
+ less confusing (bsc#979534)
+
+-------------------------------------------------------------------
+Fri Apr 8 12:20:27 UTC 2016 - pjanouch@suse.de
+
+- Made /etc/sysconfig/fetchmail work again after a botched systemd
+ conversion that ignored the file altogether (bsc#905673)
+- Removed the FETCHMAIL_USER setting in favor of editing the
+ systemd service file (which should be copied to the respective
+ location in /etc, and not edited in-place)
+
+-------------------------------------------------------------------
+Thu Jan 8 16:04:11 UTC 2015 - tchvatal@suse.com
+
+- Cleanup with spec-cleaner
+- Remove support for <12.3 as it does not build anyway.
+- Fix krb5 switches
+- Provide proper rcbla controler for the service
+
+-------------------------------------------------------------------
+Mon Dec 29 13:46:10 UTC 2014 - meissner@suse.com
+
+- build with PIE
+
+-------------------------------------------------------------------
+Fri Dec 5 13:06:55 UTC 2014 - lmuelle@suse.com
+
+- Removed executable permission bits from fetchmail.service file.
+- Update the project url in the spec file after Berlios shutdown.
+- Remove dependency on gpg-offline as signature checking is implemented in the
+ source validator.
+
+-------------------------------------------------------------------
+Sun Nov 09 03:40:00 UTC 2014 - Led
+
+- fix bashism in postun script
+
+-------------------------------------------------------------------
+Wed May 21 09:51:34 UTC 2014 - jsegitz@novell.com
+
+- added necessary macros for systemd files
+
+-------------------------------------------------------------------
+Sun Oct 27 18:18:54 UTC 2013 - p.drouand@gmail.com
+
+- Add systemd support for openSUSE >= 12.3
+
+-------------------------------------------------------------------
+Mon Apr 29 12:45:09 UTC 2013 - vcizek@suse.com
+
+- added offline gpg verification
+- update to 6.3.26
+ # CRITICAL BUG FIX for setups using "mimedecode":
+ * The mimedecode feature failed to ship the last line of the body if it was
+ encoded as quoted-printable and had a MIME soft line break in the very last
+ line. Reported by Lars Hecking in June 2011.
+ * Bug introduced on 1998-03-20 when the mimedecode support was added by ESR
+ before release 4.4.1 through code contributed by Henrik Storner.
+ Workaround for older releases: do not use mimedecode feature.
+ * Earlier versions of this NEWS file claimed this bug fixed in fetchmail-6.3.23,
+ but it was not.
+ * Fixes Launchpad Bug#1171818.
+
+-------------------------------------------------------------------
+Tue Mar 19 10:28:33 UTC 2013 - vcizek@suse.com
+
+- update to 6.3,25
+# CRITICAL AND REGRESSION FIXES
+* Plug a memory leak in OpenSSL's certificate verification callback.
+ This would affect fetchmail configurations running with SSL in daemon mode
+ more than one-shot runs.
+ Reported by Erik Thiele, and pinned by Dominik Heeg,
+ fixes Debian Bug #688015.
+ This bug was introduced into fetchmail 6.3.0 (committed 2005-10-29)
+ when support for subjectAltName was added through a patch by Roland
+ Stigge, submitted as Debian Bug#201113.
+
+* The --logfile option now works again outside daemon mode, reported by Heinz
+ Diehl. The documentation that I had been reading was inconsistent with the
+ code, and only parts of the manual page claimed that --logfile was only
+ effective in daemon mode.
+
+# BUG FIXES
+* Fix a memory leak in out-of-memory error condition while handling plugins.
+ Report and patch by John Beck (found with Parfait static code analyzer).
+* Fix a NULL pointer dereference in out-of-memory error condition while handling
+ plugins.
+ Report and patch by John Beck (found with Parfait static code analyzer).
+
+# CHANGES
+* Improved reporting when SSL/TLS X.509 certificate validation has failed,
+ working around a not-so-recent swapping of two OpenSSL error codes, and
+ a practical impossibility to distinguish broken certification chains from
+ missing trust anchors (root certificates).
+* OpenSSL decoded errors are now reported through report(), rather than dumped
+ to stderr, so that they should show up in logfiles and/or syslog.
+* The fetchmail manual page no longer claims that MD5 were the default OpenSSL
+ hash format (for use with --sslfingerprint). Reported by Jakob Wilk,
+ PARTIAL fix for Debian Bug#700266.
+* The fetchmail manual page now refers the user to --softbounce from the
+ SMTP/ESMTP ERROR HANDLING section. Reported by Anton Shterenlikht.
+
+-------------------------------------------------------------------
+Tue Dec 11 10:21:56 UTC 2012 - vcizek@suse.com
+
+- update to 6.3.23
+# REGRESSION FIXES
+* Fix compilation with OpenSSL implementations before 0.9.8m that lack
+ SSL_CTX_clear_options. Patch by Earl Chew.
+ Note that the use of older OpenSSL versions with fetchmail is unsupported and
+ *not* recommended.
+# BUG FIXES
+* Fix combination of --plugin and -f -. Patch by Alexander Zangerl,
+ to fix Debian Bug#671294.
+* Clean up logfile vs. syslog handling, and in case logfile overrides
+ syslog, send a message to the latter stating where logging goes.
+# CHANGES
+* The build process can now be made a bit more silent and concise through
+ ./configure --enable-silent-rules, or by adding "V=0" to the make command.
+# WORKAROUNDS
+* Make Maillennium POP3 workarounds less specific, to encompass
+ Maillennium POP3/UNIBOX (Maillennium V05.00c++). Reported by Eddie
+ via fetchmail-users mailing list, 2012-10-13.
+# TRANSLATION UPDATES
+
+-------------------------------------------------------------------
+Mon Nov 12 15:41:55 UTC 2012 - coolo@suse.com
+
+- do not use useradd -o without -u
+
+-------------------------------------------------------------------
+Tue Sep 11 09:09:21 UTC 2012 - vcizek@suse.com
+
+- update to 6.3.22
+ # SECURITY FIXES
+ * CVE-2012-3482 (bnc#775988)
+ * CVE-2011-3389
+ # BUG FIX
+ * The Server certificate: message in verbose mode now appears on stdout like the
+ remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807.
+ * The GSSAPI-related autoconf code now matches gssapi.c better, and uses
+ a different check to look for GSS_C_NT_HOSTBASED_SERVICE.
+ This fixes the GSSAPI-enabled build on NetBSD 6 Beta.
+ # CHANGES
+ * The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now
+ under the more relaxed CC BY-ND 3.0 license (the noncommercial clause
+ was dropped). The Creative Commons address was updated.
+ * The Python-related Makefile.am parts were simplified to avoid an automake
+ 1.11.X bug around noinst_PYTHON, Automake Bug #10995.
+ * Configuring fetchmail without SSL now triggers a configure warning,
+ and asks the user to consider running configure --with-ssl.
+ # WORKAROUNDS
+ * Some servers, notably Zimbra, return A1234 987 FETCH () in response to
+ a header request, in the face of message corruption. fetchmail now treats
+ these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat.
+ * Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed."
+ without any header in response to a header request for meeting reminder
+ messages (with a "meeting.ics" attachment). fetchmail now treats these as
+ transient errors. Report by John Connett, Patch by Sunil Shetye.
+
+-------------------------------------------------------------------
+Thu Jun 14 11:58:02 UTC 2012 - seife+obs@b1-systems.com
+
+- dont't require, just suggest smtp_daemon -- fetchmail does run
+ fine (and much safer) with e.g. procmail as mda.
+
+-------------------------------------------------------------------
+Fri Dec 2 12:57:32 UTC 2011 - coolo@suse.com
+
+- add automake as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de
+
+- Apply packaging guidelines (remove redundant/obsolete
+ tags/sections from specfile, etc.)
+
+-------------------------------------------------------------------
+Tue Aug 30 09:09:49 UTC 2011 - puzel@suse.com
+
+- repack upstream tarball without fetchmail-{SA,EN}-*.txt
+ (bnc#713698)
+- add README-security.txt
+
+-------------------------------------------------------------------
+Mon Aug 22 09:12:13 UTC 2011 - puzel@novell.com
+
+- update to fetchmail-6.3.21
+ - critical bug fix
+ - The IMAP client no longer inserts NUL bytes into the last line
+ of a message when it is not closed with a LF or CRLF sequence.
+ Reported by Antoine Levitt. As a side effect of the fix, and
+ in order to avoid a full rewrite, fetchmail will now
+ CRLF-terminate the last line fetched through IMAP, even if it
+ is originally not terminated by LF or CRLF. This bears no
+ relevance if your messages end up in mbox, but adds line
+ termination for storages (like Maildir) that do not require
+ that the last line be LF- or CRLF-terminated.
+
+-------------------------------------------------------------------
+Thu Jun 30 09:32:27 UTC 2011 - cdenicolo@novell.com
+
+- license update: GPLv2+
+ remove licenses " Other uncritical OpenSource License ; Public Domain,
+ Freeware"
+
+-------------------------------------------------------------------
+Mon Jun 6 13:52:08 UTC 2011 - puzel@novell.com
+
+- update to fetchmail-6.3.20
+ # SECURITY BUG FIXES
+ - CVE-2011-1947 (bnc#697368): STARTTLS: Fetchmail runs the IMAP
+ STARTTLS or POP3 STLS negotiation with the set timeout (default
+ five minutes) now. This was reported missing, with observed
+ fetchmail freezes beyond a week, by Thomas Jarosch.
+ See fetchmail-SA-2011-01.txt for further details.
+ # BUG FIXES
+ - IMAP: Do not search for UNSEEN messages in ranges. Usually,
+ there are very few new messages and most of the range searches
+ result in nothing. Instead, split the long response to make the
+ IMAP driver think that there are multiple lines of response.
+ - Do not print "skipping message" for old messages even in
+ verbose mode. If there are too many old messages, the logs just
+ get filled without any real activity.
+ - Build: fetchmail now always uses its own MD5 implementation
+ rather than trying to find a system library with matched
+ header. The library and header variants found on systems are
+ too diverse, and the code size saving is not worth any more
+ wasted user or programmer time.
+ # CHANGES
+ - Call strlen() only once when removing CRLF from a line.
+ - fetchmail sets Internet domain sockets to "keepalive" mode now.
+ Note that there is no portable way to configure actual timeouts
+ for this mode, and some systems only support a system-wide
+ timeout setting. fetchmail does not attempt to tune the time
+ spans of keepalive mode.
+- remove build-time dependency on ed
+- use spec-cleaner
+
+-------------------------------------------------------------------
+Mon Dec 13 11:25:12 UTC 2010 - puzel@novell.com
+
+- update to fetchmail-6.3.19
+ - bugfix release
+ * When specifying multiple local multidrop lists, do not lose
+ wildcard flag. (Affects "user foo is bar baz * is joe here")
+ * In multidrop configurations, an asterisk can now appear
+ anywhere in the list of local users, not just at the end.
+ * In multidrop mode, header parsing is now more verbose in -vv
+ mode, so that it becomes possible to see which header is used.
+ * Make --antispam work from command line (these used to work in
+ rcfiles).
+ * Smoke test XHTML 1.1 validation, and if it fails, skip
+ validating HTML documents. Skip validating
+ Mailbox-Names-UTF7.html. Several systems have broken XHTML 1.1
+ DTD installations that jeopardize the build.
+ * Send a NOOP only after a failed STARTTLS in IMAP.
+ * GSSAPI verbose/debug syslog to INFO severity. Do STARTTLS/STLS
+ negotiation in IMAP/POP3 if it is mandatory even if the server
+ capabilities do not show support for upgradation to TLS. To
+ use this, configure --sslproto tls1.
+ * IMAP: Understand empty strings as FETCH response, seen on
+ Yahoo. Note that fetchmail continues to expect literals as
+ FETCH response for now.
+
+-------------------------------------------------------------------
+Mon Oct 11 08:37:09 UTC 2010 - puzel@novell.com
+
+- update to fetchmail-6.3.18
+ # SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
+ * Fetchmail now only accepts wildcard certificate common names
+ and subject alternative names if they start with "*.". Previous
+ versions would accept wildcards even if no period followed
+ immediately.
+ * Fetchmail now disallows wildcards in certificates to match
+ domain literals (such as 10.9.8.7), or wildcards in domain
+ literals ("*.168.23.23"). The test is overly picky and
+ triggers if the pattern (after skipping the initial wildcard
+ "*") or domain consists solely of digits and dots, and thus
+ matches more than needed.
+ * Fetchmail now disallows wildcarding top-level domains.
+ # CRITICAL BUG FIXES AND REGRESSION FIXES
+ * Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to
+ obtain MD5* functions, as an effect of an undocumented Solaris
+ MD5 fix. This caused all MD5-related functions to malfunction
+ if, for instance, libmd5.so was installed on other operating
+ systems as part of libwww on machines where long isn't
+ 32-bits, i. e. usually on 64-bit computers.
+ * Fetchmail 6.3.17 warned about insecure SSL/TLS connections
+ even if a matching --sslfingerprint was specified. This is an
+ omission from an SSL usability change made in 6.3.17.
+ * Fetchmail will now apply timeouts to the authentication stage.
+ This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3.
+ Reported missing by Thomas Jarosch.
+ * Fetchmail now cancels GSSAPI authentication properly when
+ encountering GSS errors, such as no or unsuitable credentials.
+ It now sends an asterisk on a line by its own, as required in
+ SASL. This fixes protocol synchronization issues that cause
+ Authentication failures, often observed with kerberized MS
+ Exchange servers.
+ * Other fixes.
+
+-------------------------------------------------------------------
+Tue Aug 17 14:20:47 UTC 2010 - puzel@novell.com
+
+- update to fetchmail-6.3.17
+ # SECURITY FIX
+ * CVE-2010-1167: Fetchmail before release 6.3.17 did not properly
+ sanitize external input (mail headers and UID).
+ # FEATURES
+ * Fetchmail now supports a --sslcertfile option to
+ specify a "CA bundle" file (a file that contains trusted CA
+ certificates).
+ * Fetchmail now supports a
+ FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS environment variable
+ to force loading the default SSL CA certificate locations even
+ if --sslcertfile or --sslcertpath is used. If neither option
+ is in effect, fetchmail loads the default locations.
+ # REGRESSION FIX
+ * Fix string handling in rcfile scanner, which caused fetchmail
+ to misparse a run control file in certain circumstances.
+ # BUG FIXES
+ * Plug memory leak when using a "defaults" entry in the run
+ control file.
+ * Do not print SSL certificate mismatches unless verbose or
+ --sslcertck is enabled.
+ * Do not lose "set invisible" in fetchmailconf. (Michael Barnack)
+- drop fetchmail-SA-2010-02.patch (in upstream)
+
+-------------------------------------------------------------------
+Mon Apr 19 12:36:27 UTC 2010 - puzel@novell.com
+
+- add fetchmail-SA-2010-02.patch (bnc#597673)
+
+-------------------------------------------------------------------
+Wed Apr 14 16:00:29 UTC 2010 - puzel@novell.com
+
+- make it possible change default fetchmailrc location using new
+ sysconfig option
+- do not change owner of fetchmailrc in post
+
+-------------------------------------------------------------------
+Wed Apr 7 11:33:04 UTC 2010 - puzel@novell.com
+
+- update to fetchmail-6.3.16
+ # BUG FIX
+ * Fix --interface option, broken in 6.3.15.
+ # CHANGE
+ * Call OpenSSL_add_all_algorithms(). This is needed to support
+ non-mandatory algorithms in certificates.
+
+-------------------------------------------------------------------
+Mon Mar 29 09:46:25 UTC 2010 - puzel@novell.com
+
+- update to fetchmail-6.3.15
+ # FEATURE
+ * Fetchmail now supports a bad-header command line or rcfile
+ option that takes exactly one argument, accept or reject
+ (default).
+ # BUG FIXES
+ * In the rcfile, recognize "local" as abbreviation for
+ "localdomains", as documented.
+ * Do not close stdout when using mda and "bsmtp -" at the same time.
+ * Log operating system errors when BSMTP writes fail.
+ * Fix verbose mode progress formatting regression from 6.3.10;
+ SMTP trace lines were no longer on a line of their own. Reported
+ by Melchior Franz.
+ * Check seteuid() return value and abort running MDA if switch fails.
+ * Set global flags in a consistent manner. Make --nosoftbounce and
+ --nobounce work from command line (these used to work in rcfiles).
+ Reported and fix confirmed working by N.J. Mann. (Sunil Shetye)
+
+-------------------------------------------------------------------
+Fri Feb 5 11:32:55 UTC 2010 - puzel@novell.com
+
+- update to fetchmail-6.3.14
+ # SECURITY FIXES
+ * SSL/TLS certificate information is now also reported properly
+ on computers that consider the "char" type signed. Fixes
+ malloc() buffer overrun. Workaround for older versions: do not
+ use verbose mode.
+ # BUG FIXES
+ * The IMAP client no longer skips messages from several IMAP
+ servers including Dovecot if fetchmail's "idle" is in use.
+ Causes were that fetchmail (a) ignored some untagged responses
+ when it should not (b) relied on EXISTS messages in response to
+ EXPUNGE, which aren't mandated by RFC-3501 (the IMAP standard)
+ and aren't sent by Dovecot either. Fix by Sunil Shetye (the fix
+ also consolidates IMAP response handling, improving overall
+ robustness of the IMAP client), bug report and testing by Matt
+ Doran, with further hints from Timo Sirainen.
+ * The SMTP client now recovers from errors (such as servers
+ dropping the connection after errors) when sending an RSET
+ command. Fix by Sunil Shetye. Report by James Moe.
+ * The IMAP client now uses "SEARCH UNSEEN" rather than "SEARCH
+ UNSEEN NOT DELETED" again on IMAP2, to fix a regression in
+ fetchmail 6.2.5 reported by Will Stringer in June 2004. (Sunil
+ Shetye)
+ * The IMAP client now uses "SEARCH UNSEEN UNDELETED" on IMAP4
+ and IMAP4r1 servers (Sunil Shetye).
+ * Workaround: The IMAP client now falls back to "FETCH n:m
+ FLAGS" if the server does not support "SEARCH". (Sunil Shetye)
+ * The IMAP client now requests message numbers in batches of
+ 1,000 to avoid problems if there are more than 1860 unseen
+ messages. (Sunil Shetye) Note that this wasn't security
+ relevant because fetchmail would only read up to the maximum
+ buffer size and leave the remainder of the string unread, going
+ out of synch afterwards.
+ * Stricter validation of IMAP responses containing byte or
+ message counts.
+- fetchmail 6.3.13 :
+ # REGRESSION FIXES
+ * The multiline SMTP error fix in release 6.3.12 caused
+ fetchmail to lose message codes 400..599 and treat all of these
+ as temporary error. This would cause messages to be left on the
+ server even if softbounce was turned off. Reported by Thomas
+ Jarosch.
+
+-------------------------------------------------------------------
+Fri Nov 13 14:10:16 UTC 2009 - puzel@novell.com
+
+- update to fetchmail-6.3.12
+ # REGRESSION FIXES
+ * The CVS-2009-2666 fix in fetchmail release 6.3.11 caused a free() of
+ unallocated memory on SSL connections, which caused crashes or program aborts
+ on some systems (depending on how initialization and free() of unallocated
+ memory is handled in compiler and libc).
+ Workaround for older versions: run in verbose mode.
+ Patch courtesy of Thomas Heinz, fixes Gentoo Bug #280760.
+ This regression affected only the 6.3.11 release, but not the patch that was
+ part of the security announcement fetchmail-SA-2009-01.
+ # BUG FIXES
+ * Fix error reporting for GSSAPI on Heimdal (h5l) Kerberos.
+ * Look for MD5_Init in libcrypto rather than libssl, fixes Gentoo Kerberos
+ builds; fixes upstream parts of Gentoo Bugs #231400 and #185652, and fixes
+ BerliOS Bug #16134.
+ * Report multiline SMTP errors properly, reported by Earl Chew; fixes Debian Bug
+ #569899, reported by Akihiro Terasaki.
+ Note: This fix introduced a regression, fixed in 6.3.13.
+ * Replace control characters in SMTP replies by '?'.
+ * Fetchmailconf: Fix descriptions for smtpaddress and smtpname options;
+ smtpaddress is for RCPT TO, not MAIL FROM. Found by Gerard Seibert.
+- update to fetchmail-6.3.13
+ # REGRESSION FIXES
+ * The multiline SMTP error fix in release 6.3.12 caused fetchmail to lose
+ message codes 400..599 and treat all of these as temporary error. This would
+ cause messages to be left on the server even if softbounce was turned off.
+ Reported by Thomas Jarosch.
+- drop fetchmail-6.3.11-fix-invalid-free.patch (fixed upstream)
+
+
+-------------------------------------------------------------------
+Mon Aug 10 09:30:16 UTC 2009 - puzel@novell.com
+
+- add fetchmail-6.3.11-fix-invalid-free.patch
+ - fix https://bugs.gentoo.org/280760
+
+-------------------------------------------------------------------
+Sun Aug 9 12:43:26 CEST 2009 - coolo@novell.com
+
+- use new python macros
+
+-------------------------------------------------------------------
+Thu Aug 6 11:35:50 UTC 2009 - puzel@novell.com
+
+- update to 6.3.11
+ # SECURITY BUGFIXES
+ * CVE-2009-2666: SSL NUL prefix impersonation attack through NULs in a
+ part of a X.509 certificate's CommonName and subjectAltName fields. These
+ fields use opaque strings with a separate length field, so that the NUL
+ character isn't a special character inside the certificate. Fetchmail, being
+ written in the C language, used to treat these strings as C strings
+ nonetheless, so that the domain comparison would end at the first embedded NUL
+ character, rather than at the real end of the string.
+ Fetchmail will now abort certificate verification as failed if NULs are
+ encountered inside either of these fields regardless of their position, and
+ drop the connection even if --sslcertck is not used, because NUL is not a
+ valid character in legitimate DNS names.
+ See fetchmail-SA-2009-01.txt for details, including a minimal patch.
+
+ # BUGFIXES
+ * Remove the spurious message "message delimiter found while scanning headers".
+ RFC-5322 syntax states that the delimiter is part of the body, and the body is
+ optional.
+ * Convert all non-printable characters in certificate Subject/Issuer
+ Common Name or Subject Alternative Name fields to ANSI-C hex escapes (\xnn,
+ where nn are hex digits).
+
+-------------------------------------------------------------------
+Fri Jul 3 09:58:22 CEST 2009 - puzel@novell.com
+
+- update to 6.3.10 (final version)
+
+-------------------------------------------------------------------
+Mon Jun 1 15:00:06 CEST 2009 - puzel@suse.cz
+
+- update to 6.3.10-beta1
+ # INCOMPATIBLE BUGFIXES AND CHANGES:
+ * Fetchmail no longer drops permanently undelivered messages by default, to
+ match historic documentation. It does this by adding a new "softbounce"
+ option, see below.
+ * There is a new "softbounce" global option that prevents the deletion of
+ messages that have not been forwarded. It defaults to "true" for fetchmail
+ 6.3.X in order to match historic documentation. This may change its default
+ in the next major release.
+ * For other changes, please see the package changelog
+- update fetchmail-6.3.8-smtp_errors.patch (partially upstreamed)
+
+-------------------------------------------------------------------
+Tue Jan 13 11:56:26 CET 2009 - puzel@suse.cz
+
+- update to 6.3.9 final
+ - deleted fetchmail-fix-permissions-doc.patch (fixed upstream)
+
+-------------------------------------------------------------------
+Mon Jan 12 14:53:53 CET 2009 - puzel@suse.cz
+
+- fix spurious messages from fetchmail.init (bnc#464037)
+
+-------------------------------------------------------------------
+Fri Nov 14 20:59:37 CET 2008 - mrueckert@suse.de
+
+- make the kerberos handling based on suse_version instead
+ of sles_version
+
+-------------------------------------------------------------------
+Thu Oct 9 11:40:00 CEST 2008 - puzel@suse.cz
+
+- fix documentation inconsistency (bnc#174287)
+- mark /etc/logrotate.d/fetchmail as %config(noreplace)
+
+-------------------------------------------------------------------
+Wed Oct 1 13:15:25 CEST 2008 - puzel@suse.cz
+
+- Fix build on SLE9
+ - do not build with kerberos support on SLE9
+
+-------------------------------------------------------------------
+Tue Sep 9 11:36:52 CEST 2008 - kukuk@suse.de
+
+- Remove support for dante (deprecated, homepage not reacheable,...)
+
+-------------------------------------------------------------------
+Thu Sep 4 17:07:26 CEST 2008 - puzel@suse.cz
+
+- update to 6.3.9rc2
+ - bugfix release, see package changelog for details
+- removed fetchmail-6.3.8-CVE-2007-4565.patch (fixed in upstream)
+- removed fetchmail-6.3.8-long_headers_segfault.patch (fixed in upstream)
+
+-------------------------------------------------------------------
+Fri Aug 22 13:58:53 CEST 2008 - puzel@suse.cz
+
+- fix build on SLE10
+ - do not run autoreconf if suse_version < 1010
+
+-------------------------------------------------------------------
+Thu Jul 24 17:12:51 CEST 2008 - puzel@suse.cz
+
+- specfile cleanup and rpmlint warning fixes
+ * removed obsolete 'Provides: pop'
+ * added logrotate dependency
+ * removed unnecessary python dependency
+ * removed unnecessary 'export CFLAGS="$RPM_OPT_FLAGS"'
+ - %configure macro should suffice
+- initscript fixes
+ * obsolete X-UnitedLinux-Should-Start replaced by
+ Should-Start
+ * same with Should-Stop
+ * added $remote-fs dependency
+
+-------------------------------------------------------------------
+Tue Jul 1 11:53:19 CEST 2008 - puzel@suse.cz
+
+- updated fetchmail-6.3.8-long_headers_segfault.patch from upstream
+
+-------------------------------------------------------------------
+Tue Jun 17 13:20:08 CEST 2008 - puzel@suse.cz
+
+- kerberos (krb5) support enabled [bnc#353817]
+
+-------------------------------------------------------------------
+Wed May 28 16:58:33 CEST 2008 - puzel@suse.cz
+
+- fixed broken oneshot option in initscript [bnc#360507]
+
+-------------------------------------------------------------------
+Thu May 22 17:44:06 CEST 2008 - puzel@suse.cz
+
+- fixed bnc#354291
+ * caused segmentation fault when retrieving mail with long To:
+ headers
+
+-------------------------------------------------------------------
+Wed Apr 30 17:49:47 CEST 2008 - pcerny@suse.cz
+
+- added option to specify polling interval to init script
+
+-------------------------------------------------------------------
+Fri Mar 28 18:31:11 CET 2008 - pcerny@suse.cz
+
+- additional fix for bnc#246829
+ [fetchmail-6.3.8-starttls.patch ->
+ fetchmail-6.3.8-smtp_errors.patch]
+
+-------------------------------------------------------------------
+Wed Nov 28 14:53:25 CET 2007 - pv@suse.de
+
+- add PreReq pwdutils #327550 - yast2-mail fetchmail error
+
+-------------------------------------------------------------------
+Thu Sep 27 20:50:39 CEST 2007 - pcerny@suse.de
+
+- Fix for DoS vulnerability (#308271 CVE-2007-4565)
+- Do not remove messages if SMTP insists on TLS (#246829)
+ [fetchmail-6.3.8-starttls.patch]
+
+-------------------------------------------------------------------
+Tue Sep 11 15:15:14 CEST 2007 - ro@suse.de
+
+- remove librsaref2-devel from buildrequires (unused)
+
+-------------------------------------------------------------------
+Fri Aug 31 18:09:04 CEST 2007 - pcerny@suse.cz
+
+- librsaref2 => librsaref2-devel [#302599]
+- removed %suseversion > 800 check (insserv)
+
+-------------------------------------------------------------------
+Mon Jul 2 21:49:01 CEST 2007 - lrupp@suse.de
+
+- rsaref => librsaref2
+
+-------------------------------------------------------------------
+Thu Apr 19 14:15:51 CEST 2007 - sbrabec@suse.cz
+
+- Updated to version 6.3.8:
+ * Make the APOP challenge parser more distrustful and have it
+ reject challenges that do not conform to RFC-822 msg-id format
+ (CVE-2007-1558).
+ * Repoll immediately if a protocol error happens during the
+ authentication attempt after a failed opportunistic TLS upgrade
+ (#262450).
+ * Do not crash with a null pointer dereference when opening the
+ BSMTP file fails.
+ * Make BSMTP output actually work.
+ * Add delete-later and delete-later.README.
+ * Fix KPOP.
+ * Fix repoll when server disconnects after opportunistic TLS
+ failed for POP3.
+ * Documentation and string fixes.
+
+-------------------------------------------------------------------
+Fri Mar 30 02:22:36 CEST 2007 - ro@suse.de
+
+- added pwdutils to buildreq
+
+-------------------------------------------------------------------
+Tue Feb 6 15:01:38 CET 2007 - sbrabec@suse.cz
+
+- Repair repoll after opportunistic TLS failed (#223507#c27,
+ Berlios#10133).
+- Use upstream fix of KPOP regression (#223507#c26).
+
+-------------------------------------------------------------------
+Thu Jan 25 15:57:47 CET 2007 - sbrabec@suse.cz
+
+- Fixed regression in KPOP support (#223507#c8).
+ http://lists.berlios.de/pipermail/fetchmail-devel/2007-January/000857.html
+
+-------------------------------------------------------------------
+Wed Jan 24 16:32:55 CET 2007 - sbrabec@suse.cz
+
+- Updated to version 6.3.6 (#223507):
+ * Password disclosure vulnerability fixed (CVE-2006-5867).
+ * Repairs a regression in 6.3.5 that crashes fetchmail when a
+ message with invalid headers is found while fetchmail's mda
+ option is in use (CVE-2006-5974).
+ * Repair --logfile, broken in 6.3.5.
+ * Repair --user, broken in 6.3.5.
+ * RPOP: used to log the password locally rather than an asterisk
+ as the other protocols do.
+ * POP3: Probes capabilities now when Kerberos V5 is enabled, so
+ that we can actually detect if the server supports it.
+ * DNS: Detect /etc/resolv.conf changes
+ * When HOME and FETCHMAILHOME are unset, be sure to copy user
+ database information.
+- Spec file cleanup.
+
+-------------------------------------------------------------------
+Wed Oct 25 19:36:22 CEST 2006 - sbrabec@suse.cz
+
+- Fixed problems caused by calling daemon as non-root (#207305).
+
+-------------------------------------------------------------------
+Mon Oct 23 17:07:33 CEST 2006 - sbrabec@suse.cz
+
+- Updated to version 6.3.5:
+ * Bug fixes.
+ * Translation updates.
+ * Logging behavior changes.
+ * fetchmail now supports foo@example.org=bar user mappings for
+ multidrop boxes.
+ * Bouncing improvements.
+ * Improved IMAP and SDPS behavior.
+ * See NEWS for deprecated features and major incompatible change
+ advance warnings.
+
+-------------------------------------------------------------------
+Sat Oct 21 15:01:29 CEST 2006 - schwab@suse.de
+
+- Run automake.
+
+-------------------------------------------------------------------
+Thu Jun 1 16:43:40 CEST 2006 - sbrabec@suse.cz
+
+- By default run as non-root user fetchmail (159764#c1).
+- Implemented "oneshot" in the init script (159764#c8).
+
+-------------------------------------------------------------------
+Mon Apr 3 17:09:42 CEST 2006 - sbrabec@suse.cz
+
+- Backported fixes for two crashes (159764#c9, 159764#c10).
+
+-------------------------------------------------------------------
+Wed Jan 25 21:35:51 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Mon Jan 23 12:49:11 CET 2006 - sbrabec@suse.cz
+
+- Updated to version 6.3.2 (fixes CVE-2006-0321).
+
+-------------------------------------------------------------------
+Tue Jan 10 17:01:49 CET 2006 - sbrabec@suse.cz
+
+- Updated to version 6.3.1 (fixes #140475).
+
+-------------------------------------------------------------------
+Mon Dec 5 20:07:59 CET 2005 - sbrabec@suse.cz
+
+- Updated to version 6.3.0 (fixes #131232).
+
+-------------------------------------------------------------------
+Wed Jul 27 19:21:35 CEST 2005 - sbrabec@suse.cz
+
+- Updated to version 6.2.5.2 (#97555).
+
+-------------------------------------------------------------------
+Mon Apr 25 17:13:23 CEST 2005 - sbrabec@suse.cz
+
+- Prevent lost mails with NULL envelope (#80331).
+
+-------------------------------------------------------------------
+Thu Feb 3 01:46:25 CET 2005 - ro@suse.de
+
+- fix build on older distributions
+
+-------------------------------------------------------------------
+Wed Jan 19 17:02:11 CET 2005 - sbrabec@suse.cz
+
+- Turned on GSSAPI, SOCKS and RSAREF support.
+- Fixed implicit declaration and random result warnings.
+
+-------------------------------------------------------------------
+Fri Sep 24 15:25:30 CEST 2004 - sbrabec@suse.cz
+
+- Added more sysconfig options for init script.
+
+-------------------------------------------------------------------
+Thu Sep 16 14:31:43 CEST 2004 - aj@suse.de
+
+- Remove wrong definition.
+
+-------------------------------------------------------------------
+Tue Aug 31 13:41:00 CEST 2004 - sbrabec@suse.cz
+
+- Added sendmail to Required-Start/Stop (#44500).
+
+-------------------------------------------------------------------
+Wed May 05 13:21:08 CEST 2004 - sbrabec@suse.cz
+
+- Added sysconfig variable for polling interval (#39777).
+- Init script adapted to conform latest LSB.
+
+-------------------------------------------------------------------
+Tue Apr 27 01:26:21 CEST 2004 - ro@suse.de
+
+- fix missing return value in pop2.c
+
+-------------------------------------------------------------------
+Tue Mar 30 12:35:25 CEST 2004 - sbrabec@suse.cz
+
+- Added /etc/fetchmailrc to file list.
+
+-------------------------------------------------------------------
+Thu Mar 25 18:43:11 CET 2004 - mmj@suse.de
+
+- Add postfix to # neededforbuild
+
+-------------------------------------------------------------------
+Wed Mar 10 14:20:07 CET 2004 - sbrabec@suse.cz
+
+- Set fetchsizelimit for APOP and RPOP (bug #35555).
+ http://lists.ccil.org/pipermail/fetchmail-friends/2003-October/003958.html
+
+-------------------------------------------------------------------
+Wed Feb 04 17:13:20 CET 2004 - sbrabec@suse.cz
+
+- Updated to version 6.2.5.
+
+-------------------------------------------------------------------
+Sat Jan 10 16:55:44 CET 2004 - adrian@suse.de
+
+- add %defattr
+
+-------------------------------------------------------------------
+Thu Oct 23 14:27:10 CEST 2003 - kukuk@suse.de
+
+- Remove wrong requires
+
+-------------------------------------------------------------------
+Thu Aug 07 15:41:46 CEST 2003 - sbrabec@suse.cz
+
+- Updated to version 6.2.3.
+
+-------------------------------------------------------------------
+Tue May 20 11:52:16 CEST 2003 - mmj@suse.de
+
+- Fix typo
+
+-------------------------------------------------------------------
+Wed Mar 26 15:58:20 CET 2003 - sbrabec@suse.cz
+
+- Updated to version 6.2.2.
+- Created startup script.
+
+-------------------------------------------------------------------
+Thu Jan 16 11:38:02 CET 2003 - sbrabec@suse.cz
+
+- Updated to version 6.2.1.
+
+-------------------------------------------------------------------
+Fri Dec 13 19:50:23 CET 2002 - mmj@suse.de
+
+- Update to 6.2.0 which has security fix for rfc822.c and some
+ translations plus an SMTP timeout patch
+
+-------------------------------------------------------------------
+Tue Dec 10 19:09:32 CET 2002 - sbrabec@suse.cz
+
+- Updated to version 6.1.3.
+
+-------------------------------------------------------------------
+Wed Nov 20 14:32:34 CET 2002 - sbrabec@suse.cz
+
+- Spec file cleanup (bug #21912).
+
+-------------------------------------------------------------------
+Thu Oct 24 18:47:33 CEST 2002 - sbrabec@suse.cz
+
+- Update to version 6.1.1.
+
+-------------------------------------------------------------------
+Tue Oct 01 18:39:16 CEST 2002 - sbrabec@suse.cz
+
+- Removed --with-included-gettext and re-enabled NLS.
+- OPIE/OTP fixes.
+- Spec file cleanup.
+
+-------------------------------------------------------------------
+Fri Sep 27 10:38:05 CEST 2002 - mmj@suse.de
+
+- Update to 6.1.0 including since 5.9.13:
+ o Support for STARTTLS over IMAP
+ o Cleanups and bugfixes
+ o Translation update
+ o Fix for potential remote vulnerability in multidrop mode,
+ which according to the author is an important security fix.
+
+-------------------------------------------------------------------
+Mon Jul 29 19:56:29 CEST 2002 - jreuter@suse.de
+
+- more spec file cleanup
+
+-------------------------------------------------------------------
+Mon Jul 29 17:19:19 CEST 2002 - jreuter@suse.de
+
+- added /etc/logrotate.d/fetchmail (Bugzilla #17279)
+- spec file cleanup
+
+-------------------------------------------------------------------
+Fri Jul 19 19:58:31 CEST 2002 - jreuter@suse.de
+
+- removed /usr/share/locale/*/LC_MESSAGES/fetchmail.mo from file list
+
+-------------------------------------------------------------------
+Wed Jul 17 13:18:49 CEST 2002 - jreuter@suse.de
+
+- updated to version 5.9.13
+- disabled NLS support because it doesn't compile and esr is about
+ to remove it anyway
+- complete changelog: http://tuxedo.org/~esr/fetchmail/NEWS
+
+-------------------------------------------------------------------
+Sat Mar 23 15:51:48 CET 2002 - kukuk@suse.de
+
+- Fix fetchmailconf (wrong python widget destroy calls) [Bug #15391]
+
+-------------------------------------------------------------------
+Mon Sep 17 15:49:17 CEST 2001 - bjacke@suse.de
+
+- minor fixes in README.SUSE
+
+-------------------------------------------------------------------
+Thu Aug 16 23:07:12 CEST 2001 - bjacke@suse.de
+
+- update to 5.9.0
+
+-------------------------------------------------------------------
+Thu Jul 12 16:51:45 CEST 2001 - bjacke@suse.de
+
+- update to 5.8.14
+
+-------------------------------------------------------------------
+Fri Jun 15 01:12:08 CEST 2001 - bjacke@suse.de
+
+- patch to prevent buffer overflow due to long headers
+
+-------------------------------------------------------------------
+Tue Apr 3 13:07:18 CEST 2001 - bjacke@suse.de
+
+- update to 5.8.0
+
+-------------------------------------------------------------------
+Thu Mar 22 18:51:02 CET 2001 - ro@suse.de
+
+- added split-aliases as provides
+
+-------------------------------------------------------------------
+Wed Feb 14 12:36:44 CET 2001 - bjacke@suse.de
+
+- updated to 5.6.5 (fixes #6245)
+- fix fetchmailconf nospambounce problem
+- enable RPA protocol
+
+-------------------------------------------------------------------
+Fri Jan 5 16:30:40 CET 2001 - bjacke@suse.de
+
+- disabled IPv6 support for the time being to fix bug #5111
+
+-------------------------------------------------------------------
+Wed Dec 20 16:37:10 CET 2000 - garloff@suse.de
+
+- pass --enable-NTLM to configure in order to enable M$ Exchange
+ compatible auth proto
+- explicitly specify the directories with --mandir etc ...
+- Use DESTDIR= instead of prefix to pass RPM_BUILD_ROOT
+- add %{?suse_update_config}
+
+-------------------------------------------------------------------
+Mon Dec 18 15:25:28 CET 2000 - bjacke@suse.de
+
+- some spec file fixes
+
+-------------------------------------------------------------------
+Mon Dec 18 14:25:01 CET 2000 - ro@suse.de
+
+- Fix requires for fetchmailconf (again)
+
+-------------------------------------------------------------------
+Mon Dec 18 13:14:36 CET 2000 - bjacke@suse.de
+
+- merged ssl stuff from fetchmailssl to fetchmail package
+
+-------------------------------------------------------------------
+Wed Nov 29 10:53:39 CET 2000 - bjacke@suse.de
+
+- updated to 5.6.0
+- adjust README to new boot concept
+
+-------------------------------------------------------------------
+Fri Nov 10 22:04:35 CET 2000 - bjacke@suse.de
+
+- updated to version 5.5.5
+- switched to long names
+- added README.SuSE
+
+-------------------------------------------------------------------
+Sun Sep 3 14:57:40 CEST 2000 - bjacke@suse.de
+
+- update to fetchmail-5.5.1
+
+-------------------------------------------------------------------
+Tue May 23 14:14:35 CEST 2000 - bk@suse.de
+
+- moved fetchmailconf man page to subpackage fetchmcf
+
+-------------------------------------------------------------------
+Mon May 15 10:40:20 CEST 2000 - bk@suse.de
+
+- update to fetchmail-5.4.0, new major version.
+
+-------------------------------------------------------------------
+Wed Mar 1 18:22:35 CET 2000 - werner@suse.de
+
+- Fix config.guess selection
+
+-------------------------------------------------------------------
+Thu Feb 24 15:24:19 CET 2000 - dipa@suse.de
+
+- update to fetchmail-5.3. update to fetchmail-5.3.00
+
+-------------------------------------------------------------------
+Tue Feb 15 03:36:31 CET 2000 - bk@suse.de
+
+- update to fetchmail-5.2.8, that's the code freeze release for 5.3.0
+
+-------------------------------------------------------------------
+Tue Feb 8 02:53:41 CET 2000 - bk@suse.de
+
+- update to fetchmail-5.2.7, Eric's changelog to 5.2.6 is very small:
+ * Updated FAQ and
+ * Updated es.po.
+ * Disable mail notification on server unreachable. This turned out to
+ be a very bad idea.
+
+-------------------------------------------------------------------
+Tue Feb 1 09:23:01 CET 2000 - ro@suse.de
+
+- specfile typo
+
+-------------------------------------------------------------------
+Tue Feb 1 00:36:53 CET 2000 - ro@suse.de
+
+- create man directory
+
+-------------------------------------------------------------------
+Mon Jan 31 19:39:32 CET 2000 - bk@suse.de
+
+- restarted spec from package-provided spec, subpackages fetchmcf (fetchmailconf)
+
+-------------------------------------------------------------------
+Wed Oct 20 20:31:14 CEST 1999 - bk@suse.de
+
+- split-off from pop, update to 5.1.2
+
diff --git a/fetchmail.exec b/fetchmail.exec
new file mode 100644
index 0000000..b0b0d32
--- /dev/null
+++ b/fetchmail.exec
@@ -0,0 +1,29 @@
+#!/bin/sh
+# fetchmail-systemd-exec: sysconfig helper script for systemd
+
+die() {
+ echo "$@" 1>&2
+ exit 5 # closest thing among fetchmail's exit codes
+}
+
+echo "$FETCHMAIL_POLLING_INTERVAL" | grep -Eq '^[0-9]+$' \
+ || die 'invalid $FETCHMAIL_POLLING_INTERVAL setting'
+[ -r "$FETCHMAIL_RC_PATH" ] \
+ || die '$FETCHMAIL_RC_PATH does not exist or cannot be read'
+
+OPTS="-d $FETCHMAIL_POLLING_INTERVAL"
+[ "$FETCHMAIL_FETCHALL" = "yes" ] && OPTS="$OPTS -a"
+[ "$FETCHMAIL_SILENT" = "yes" ] && OPTS="$OPTS -s"
+[ "`whoami`" = "fetchmail" -a -z "$FETCHMAILHOME" ] && \
+ export FETCHMAILHOME=/var/lib/fetchmail
+
+if [ ! -z "$FETCHMAIL_DEFAULT_LOGFILE" ] ; then
+ if [ "$FETCHMAIL_DEFAULT_LOGFILE" = "syslog" ]; then
+ OPTS="$OPTS --syslog"
+ else
+ OPTS="$OPTS -L $FETCHMAIL_DEFAULT_LOGFILE"
+ fi
+fi
+
+exec /usr/bin/fetchmail $OPTS $FETCHMAIL_EXPERT_OPTIONS \
+ -f $FETCHMAIL_RC_PATH
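Review bot: `$FETCHMAIL_RC_PATH` is quoted in the `[ -r "$FETCHMAIL_RC_PATH" ]` check but unquoted in the final `exec` line, so a value containing whitespace or glob characters passes the check as one path and is then handed to fetchmail as several words. The value comes from the sysconfig file loaded by the unit, so the checked string and the used string should be identical: `-f "$FETCHMAIL_RC_PATH"`. The same splitting affects `-L $FETCHMAIL_DEFAULT_LOGFILE`; fixing it means building the options as positional parameters (`set -- "$@" -L "$FETCHMAIL_DEFAULT_LOGFILE"`) instead of a flat `OPTS` string. `$FETCHMAIL_EXPERT_OPTIONS` is presumably left unquoted on purpose so it splits into separate options, and a one-line comment saying so would keep a later cleanup from quoting it.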
diff --git a/fetchmail.keyring b/fetchmail.keyring
new file mode 100644
index 0000000..258e7cc
--- /dev/null
+++ b/fetchmail.keyring
@@ -0,0 +1,71 @@
+pub rsa4096 2015-09-09 [SC] [expires: 2020-12-23]
+ DC4A655BD993CD4871FA8210E412B156EFF3855A
+uid [ unknown] Matthias Andree
+uid [ unknown] Matthias Andree
+sub rsa4096 2015-09-09 [E] [expires: 2020-12-23]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=0adh
+-----END PGP PUBLIC KEY BLOCK-----
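Review bot: The key listing at the top of this keyring shows the primary key and its subkey expiring on 2020-12-23, well before this 6.5.1 update. If the armored block carries the same expiry, verification of `Source1` (the `.tar.xz.asc`) depends on how the verifying tool treats an expired key. It would be worth re-exporting the upstream key with its current expiry and confirming the fingerprint `DC4A655BD993CD4871FA8210E412B156EFF3855A` against the one upstream publishes, so the listing and the key material agree.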
diff --git a/fetchmail.logrotate b/fetchmail.logrotate
new file mode 100644
index 0000000..4cd3c5d
--- /dev/null
+++ b/fetchmail.logrotate
@@ -0,0 +1,12 @@
+/var/log/fetchmail {
+ compress
+ dateext
+ maxage 365
+ rotate 99
+ size=+1024k
+ notifempty
+ missingok
+ copytruncate
+ create 0600 fetchmail root
+}
+
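Review bot: `create 0600 fetchmail root` has no effect in this stanza, because `copytruncate` leaves the original log file in place and logrotate(8) documents that `create` is ignored in that case. The permissions of `/var/log/fetchmail` therefore come only from whatever created the file in the first place, not from this line. Dropping the `create` line is the smaller change; switching away from `copytruncate` would require fetchmail to reopen its log after rotation, which this hunk does not show. Note also that `copytruncate` can lose lines written between the copy and the truncate, which matters if the log is relied on as a record of mail retrieval.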
diff --git a/fetchmail.service b/fetchmail.service
new file mode 100644
index 0000000..f3bd5a4
--- /dev/null
+++ b/fetchmail.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=A remote-mail retrieval utility
+After=network.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+EnvironmentFile=-/etc/sysconfig/fetchmail
+User=fetchmail
+ExecStart=@LIBEXECDIR@/fetchmail-systemd-exec
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
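Review bot: `RestartSec=1` is set without a `Restart=` directive, and systemd's default is `Restart=no`, so the delay is never used and the daemon stays down after it exits. If automatic restart is intended, add `Restart=on-failure`; otherwise remove `RestartSec`. Separately, the hardening block restricts devices and kernel interfaces but leaves the filesystem and privilege gain untouched. For a daemon that parses data from remote mail servers, `ProtectSystem=full`, `PrivateTmp=true` and `NoNewPrivileges=true` are worth evaluating, the last only after confirming that local delivery does not depend on a setuid or setgid helper.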
diff --git a/fetchmail.spec b/fetchmail.spec
new file mode 100644
index 0000000..8490fd9
--- /dev/null
+++ b/fetchmail.spec
@@ -0,0 +1,210 @@
+#
+# spec file for package fetchmail
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name: fetchmail
+Version: 6.5.1
+Release: 0
+Summary: Full-Featured POP and IMAP Mail Retrieval Daemon
+License: GPL-2.0-or-later
+URL: https://www.fetchmail.info/
+Source0: https://sourceforge.net/projects/%{name}/files/branch_6.5/%{name}-%{version}.tar.xz
+Source1: https://sourceforge.net/projects/%{name}/files/branch_6.5/%{name}-%{version}.tar.xz.asc
+Source2: %{name}.logrotate
+Source3: sysconfig.%{name}
+Source5: %{name}.keyring
+Source6: %{name}.service
+Source7: %{name}.tmpfiles
+Source8: %{name}.exec
+Source9: %{name}.sysusers
+Patch0: fetchmail-6.3.8-smtp_errors.patch
+Patch1: fetchmail-add-imap-oauthbearer-support.patch
+Patch2: fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
+Patch3: fetchmail-add-passwordfile-and-passwordfd-options.patch
+Patch4: fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch
+Patch5: fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch
+Patch6: fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
+Patch7: fetchmail-re-read-passwordfile-on-every-poll.patch
+Patch8: fetchmail-add-query_to64_outsize-utility-function.patch
+Patch9: fetchmail-chase-and-integrate-interface-change.patch
+Patch10: fetchmail-oauth2-c-calculate-and-pass-in-correct-buffer-size-to-to64frombits.patch
+Patch11: fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
+Patch12: fetchmail-bump-max-passwordlen-to-1bytes.patch
+Patch13: fetchmail-add-readme-oauth2-issue-27.patch
+Patch14: fetchmailconf-no-more-future.patch
+BuildRequires: automake
+BuildRequires: bison
+BuildRequires: fdupes
+BuildRequires: flex
+BuildRequires: krb5-devel
+BuildRequires: openssl-devel
+BuildRequires: postfix
+BuildRequires: procmail
+BuildRequires: python3-base
+BuildRequires: shadow
+BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-shadow
+BuildRequires: sysuser-tools
+BuildRequires: xz
+Requires: logrotate
+Requires(pre): %fillup_prereq
+Suggests: smtp_daemon
+%sysusers_requires
+
+%description
+Fetchmail is a robust and well-documented remote mail retrieval and
+forwarding utility intended to be used over on-demand TCP/IP links
+(such as SLIP or PPP connections).
+
+Fetchmail retrieves mail from remote mail servers and forwards it to
+your local machine's delivery system, so it can be read by normal mail
+user agents, such as mutt, elm, pine, (x)emacs/gnus, or mailx.
+
+fetchmailconf, an interactive GUI configurator suitable for end-users,
+is included in the fetchmailconf package.
+
+%package -n fetchmailconf
+Summary: Fetchmail Configuration Utility
+Requires: %{name} = %{version}
+Requires: python3 >= 3.7
+Requires: python3-tk
+
+%description -n fetchmailconf
+A GUI configuration utility for generating fetchmail configuration
+files (.fetchmailrc).
+
+%prep
+%autosetup -p1
+cp -a %{SOURCE2} %{SOURCE3} .
+
+ACLOCAL="aclocal -I m4 -I m4-local" autoreconf -fvi
+
+%build
+export CFLAGS="%{optflags} -fPIE"
+%configure \
+ --enable-POP2 \
+ --enable-RPA \
+ --enable-NTLM \
+ --enable-SDPS \
+ --with-kerberos5 \
+ --with-gssapi \
+ --with-ssl=%{_prefix} \
+ --with-python=%{bindir}/python3
+%make_build LDFLAGS="-pie"
+%sysusers_generate_pre %{SOURCE9} fetchmail
+
+%install
+%make_install
+ln -sf fetchmail.1.gz %{buildroot}%{_mandir}/man1/fetchmailconf.1.gz
+%if 0%{?suse_version} > 1500
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_distconfdir}/logrotate.d
+cp fetchmail.logrotate %{buildroot}%{_distconfdir}/logrotate.d/fetchmail
+%else
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+cp fetchmail.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fetchmail
+%endif
+mkdir -p %{buildroot}/sbin
+mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{_tmpfilesdir}
+mkdir -p %{buildroot}%{_sysusersdir}
+sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE6}
+install -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/%{name}.service
+install -m 0644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/%{name}.conf
+mkdir -p %{buildroot}%{_libexecdir}
+install -m 0755 %{SOURCE8} %{buildroot}%{_libexecdir}/%{name}-systemd-exec
+mkdir -p %{buildroot}%{_sbindir}
+ln -s service %{buildroot}%{_sbindir}/rc%{name}
+touch %{buildroot}%{_sysconfdir}/fetchmailrc
+mkdir -p %{buildroot}%{_fillupdir}
+cp sysconfig.%{name} %{buildroot}%{_fillupdir}
+mkdir -p %{buildroot}%{_localstatedir}/log
+touch %{buildroot}%{_localstatedir}/log/fetchmail
+mkdir -p %{buildroot}%{_localstatedir}/lib/fetchmail
+# Deduplicate Python files
+%fdupes %{buildroot}%{python3_sitelib}
+# we don't need this, it's aimed at fetchmail developers
+# and rpmlint is complaining that we have a binary in /usr/share
+rm -r contrib/gai*
+%find_lang %{name}
+
+%pre -f fetchmail.pre
+%service_add_pre %{name}.service
+%if 0%{?suse_version} > 1500
+# Prepare for migration to /usr/etc; save any old .rpmsave
+for i in logrotate.d/fetchmail ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+%endif
+
+%post
+%fillup_only
+%tmpfiles_create %{name}.conf
+%service_add_post %{name}.service
+
+%if 0%{?suse_version} > 1500
+%posttrans
+# Migration to /usr/etc, restore just created .rpmsave
+for i in logrotate.d/fetchmail ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%check
+%make_build check
+
+%files -f %{name}.lang
+%license COPYING
+%doc FAQ FEATURES NEWS NOTES OLDNEWS README README.NTLM README.OAUTH2 README.SSL README.SSL-SERVER TODO contrib *.html *.txt *.pdf
+%{_bindir}/fetchmail
+%dir %attr(0700, fetchmail, fetchmail) %{_localstatedir}/lib/fetchmail
+%ghost %attr(0600, fetchmail, root) %{_localstatedir}/log/fetchmail
+%{_mandir}/man1/fetchmail.1%{?ext_man}
+%ghost %config(noreplace) %attr(0600, fetchmail, root) %{_sysconfdir}/fetchmailrc
+%if 0%{?suse_version} > 1500
+%{_distconfdir}/logrotate.d/fetchmail
+%else
+%config(noreplace) %{_sysconfdir}/logrotate.d/fetchmail
+%endif
+%{_unitdir}/%{name}.service
+%{_sbindir}/rc%{name}
+%{_libexecdir}/%{name}-systemd-exec
+%{_tmpfilesdir}/%{name}.conf
+%{_sysusersdir}/%{name}.conf
+%{_fillupdir}/sysconfig.%{name}
+
+%files -n fetchmailconf
+%{_bindir}/fetchmailconf
+%{_mandir}/man1/fetchmailconf.1%{?ext_man}
+
+%if 0%{suse_version} > 1500
+%{python3_sitelib}/fetchmailconf.*
+%{python3_sitelib}/__pycache__/fetchmailconf*
+%endif
+
+%changelog
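Review bot: `--with-python=%{bindir}/python3` in `%build` uses `%{bindir}`, which this spec does not define and which is not a standard RPM macro (the file uses `%{_bindir}` everywhere else). Unless the build environment defines it, RPM leaves the macro unexpanded and configure receives the literal text; it should read `--with-python=%{_bindir}/python3`. In the `fetchmailconf` `%files` section, `%if 0%{suse_version} > 1500` lacks the `?` used by the other conditionals and should be `%if 0%{?suse_version} > 1500`. The `sed -i` on `%{SOURCE6}` in `%install` rewrites the file in the source directory; copying it into the build tree first and substituting there keeps the packaged sources unmodified.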
diff --git a/fetchmail.sysusers b/fetchmail.sysusers
new file mode 100644
index 0000000..d495863
--- /dev/null
+++ b/fetchmail.sysusers
@@ -0,0 +1,11 @@
+# Type Name ID GECOS [HOME]
+
+# during upgrade from previous versions, the group may
+# have been deleted but the user still be present. Therefore
+# we have to be sure to recreate the group, as adding only
+# the user (if already present) won't create it
+g fetchmail -
+
+u fetchmail - "mail retrieval daemon" /var/lib/fetchmail
+m fetchmail fetchmail
+
diff --git a/fetchmail.tmpfiles b/fetchmail.tmpfiles
new file mode 100644
index 0000000..6fe8526
--- /dev/null
+++ b/fetchmail.tmpfiles
@@ -0,0 +1,2 @@
+d /run/fetchmail 700 fetchmail fetchmail
+f /var/log/fetchmail 600 fetchmail root
diff --git a/fetchmailconf-no-more-future.patch b/fetchmailconf-no-more-future.patch
new file mode 100644
index 0000000..d48a632
--- /dev/null
+++ b/fetchmailconf-no-more-future.patch
@@ -0,0 +1,13 @@
+Index: fetchmail-6.5.1/fetchmailconf.py
+===================================================================
+--- fetchmail-6.5.1.orig/fetchmailconf.py
++++ fetchmail-6.5.1/fetchmailconf.py
+@@ -3,7 +3,7 @@
+ # A GUI configurator for generating fetchmail configuration files.
+ # by Eric S. Raymond, ,
+ # Matthias Andree
+-# Requires Python with Tkinter, and the following OS-dependent services:
++# Requires Python 3.7+ with Tkinter, and the following OS-dependent services:
+ # posix, posixpath, socket
+
+ # WARNING: this needs to be updated for fetchmail 6.4's SSL options,
diff --git a/sysconfig.fetchmail b/sysconfig.fetchmail
new file mode 100644
index 0000000..c87c320
--- /dev/null
+++ b/sysconfig.fetchmail
@@ -0,0 +1,53 @@
+## Path: Network/Mail/Fetchmail
+## Description: Fetchmail init script options
+## ServiceRestart: fetchmail
+## Type: integer
+## Default: 600
+#
+# Polling interval in seconds for daemon mode. Mails are regularly
+# fetched in this interval.
+#
+FETCHMAIL_POLLING_INTERVAL="600"
+
+## Type: yesno
+## Default: yes
+#
+# The default is to retrieve all messages on server. If you want to
+# retrieve only new messages and keep old (seen) messages, disable
+# this option.
+#
+FETCHMAIL_FETCHALL="yes"
+
+## Type: yesno
+## Default: no
+#
+# Fetchmail logs by default all retrieved or kept messages. If you do
+# not want to log every single message fetchmail downloads or keeps on
+# the server every time it polls, enable this option.
+#
+FETCHMAIL_SILENT="no"
+
+## Type: string
+## Default: "/var/log/fetchmail"
+## Options: "/path/to/file", "syslog", ""
+#
+# This option allows to redirect status messages in daemon mode to the
+# specified log file or syslog(3) system if available. If empty, omits
+# any logging options.
+#
+FETCHMAIL_DEFAULT_LOGFILE="/var/log/fetchmail"
+
+## Type: string
+## Default: ""
+#
+# Any additional fetchmail options. See fetchmail(1) manual page for
+# more information.
+#
+FETCHMAIL_EXPERT_OPTIONS=""
+
+## Type: string
+## Default: "/etc/fetchmailrc"
+#
+# Use to override default location of fetchmailrc.
+#
+FETCHMAIL_RC_PATH="/etc/fetchmailrc"
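Review bot: The comment for `FETCHMAIL_RC_PATH` does not mention that the file holds account credentials and has to be readable by the `fetchmail` service user. The packaged default is installed as mode 0600 owned by `fetchmail`, and an overridden path needs the same treatment. I would extend the comment with `# The file contains passwords; keep it owned by the fetchmail user with mode 0600.` The comment for `FETCHMAIL_EXPERT_OPTIONS` should also say that the helper script splits the value on whitespace, so option arguments containing spaces cannot be passed this way.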