diff --git a/fetchmail-6.3.8-smtp_errors.patch b/fetchmail-6.3.8-smtp_errors.patch index ce7ecc9..3985dcb 100644 --- a/fetchmail-6.3.8-smtp_errors.patch +++ b/fetchmail-6.3.8-smtp_errors.patch @@ -10,7 +10,7 @@ Index: fetchmail-6.3.10-beta1/sink.c =================================================================== --- fetchmail-6.3.10-beta1.orig/sink.c 2009-05-25 17:55:07.000000000 +0200 +++ fetchmail-6.3.10-beta1/sink.c 2009-06-01 14:37:12.000000000 +0200 -@@ -551,6 +551,19 @@ static int handle_smtp_report(struct que +@@ -553,6 +553,19 @@ static int handle_smtp_report(struct que free(responses[0]); return(PS_TRANSIENT); @@ -30,7 +30,7 @@ Index: fetchmail-6.3.10-beta1/sink.c default: /* bounce non-transient errors back to the sender */ if (smtperr >= 500 && smtperr <= 599) -@@ -620,7 +633,7 @@ static int handle_smtp_report_without_bo +@@ -622,7 +635,7 @@ static int handle_smtp_report_without_bo #endif /* __DONT_FEED_THE_SPAMMERS__ */ return(PS_REFUSED); diff --git a/fetchmail-openssl11.patch b/fetchmail-openssl11.patch index 3077b2f..9e01412 100644 --- a/fetchmail-openssl11.patch +++ b/fetchmail-openssl11.patch @@ -1,14 +1,1576 @@ -Index: fetchmail-6.3.26/socket.c -=================================================================== ---- fetchmail-6.3.26.orig/socket.c 2013-04-23 22:00:45.000000000 +0200 -+++ fetchmail-6.3.26/socket.c 2017-11-13 18:16:35.450860469 +0100 -@@ -914,7 +914,8 @@ int SSLOpen(int sock, char *mycert, char +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + fetchmail (6.3.26-2) unstable; urgency=low + . + * New maintainer (closes: #800750). + * Backport upstream fix for SSLv3 removal (closes: #804604) and do not + recommend SSLv3 (closes: #801178). + * Remove quilt and its usage. + * Add dh-python to build depends. + * Update upstream URLs. + * Update watch file. + * Update Standards-Version to 3.9.6 . +Author: Laszlo Boszormenyi (GCS) +Bug-Debian: https://bugs.debian.org/800750 +Bug-Debian: https://bugs.debian.org/801178 +Bug-Debian: https://bugs.debian.org/804604 + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- fetchmail-6.3.26.orig/Makefile.am ++++ fetchmail-6.3.26/Makefile.am +@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8 + servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c \ +- smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \ ++ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \ + xmalloc.h sdump.h sdump.c x509_name_match.c \ + fm_strl.h md5c.c + if NTLM_ENABLE +--- fetchmail-6.3.26.orig/Makefile.in ++++ fetchmail-6.3.26/Makefile.in +@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas + rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ +- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ ++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ + x509_name_match.c fm_strl.h md5c.c ntlmsubr.c + @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT) + am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \ + rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \ + servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \ + smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \ +- fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \ ++ fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \ + sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \ + $(am__objects_1) + libfm_a_OBJECTS = $(am_libfm_a_OBJECTS) +@@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc + servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ +- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ ++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ + x509_name_match.c fm_strl.h md5c.c $(am__append_1) + libfm_a_LIBADD = $(EXTRAOBJ) + libfm_a_DEPENDENCIES = $(EXTRAOBJ) +--- fetchmail-6.3.26.orig/NEWS ++++ fetchmail-6.3.26/NEWS +@@ -51,8 +51,6 @@ removed from a 6.4.0 or newer release.) + * The --bsmtp - mode of operation may be removed in a future release. + * Given that OpenSSL is severely underdocumented, and needs license exceptions, + fetchmail may switch to a different SSL library. +-* SSLv2 support will be removed from a future fetchmail release. It has been +- obsolete for more than a decade. + + -------------------------------------------------------------------------------- + +--- fetchmail-6.3.26.orig/README.SSL ++++ fetchmail-6.3.26/README.SSL +@@ -11,36 +11,45 @@ specific to fetchmail. + In case of troubles, mail the README.SSL-SERVER file to your ISP and + have them check their server configuration against it. + +-Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether +-a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is +-totally SSL-wrapped on a separate port. For compatibility reasons, this cannot +-be fixed in a bugfix release. ++Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a ++service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) ++or is totally SSL-wrapped on a separate port. For compatibility ++reasons, this cannot be fixed in a bugfix or minor release. ++ ++Also, fetchmail 6.4.0 and newer releases changed some of the semantics ++as the result of a bug-fix, and will auto-negotiate TLSv1 or newer only. ++If your server does not support this, you may have to specify --sslproto ++ssl3. This is in order to prefer the newer TLS protocols, because SSLv2 ++and v3 are broken. + +- -- Matthias Andree, 2009-05-09 ++ -- Matthias Andree, 2015-01-16 + + + Quickstart + ---------- + ++Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get ++TLSv1.2 support. ++ + For use of SSL or TLS with in-band negotiation on the regular service's port, + i. e. with STLS or STARTTLS, use these command line options + +- --sslproto tls1 --sslcertck ++ --sslproto auto --sslcertck + + or these options in the rcfile (after the respective "user"... options) + +- sslproto tls1 sslcertck ++ sslproto auto sslcertck + + + For use of SSL or TLS on a separate port, if the whole TCP connection is +-SSL-encrypted from the very beginning, use these command line options (in the +-rcfile, omit all leading "--"): ++SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these ++command line options (in the rcfile, omit all leading "--"): + +- --ssl --sslproto ssl3 --sslcertck ++ --ssl --sslproto auto --sslcertck + + or these options in the rcfile (after the respective "user"... options) + +- ssl sslproto ssl3 sslcertck ++ ssl sslproto auto sslcertck + + + Background and use (long version :-)) +--- fetchmail-6.3.26.orig/config.h.in ++++ fetchmail-6.3.26/config.h.in +@@ -49,9 +49,9 @@ + don't. */ + #undef HAVE_DECL_H_ERRNO + +-/* Define to 1 if you have the declaration of `SSLv2_client_method', and to 0 ++/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0 + if you don't. */ +-#undef HAVE_DECL_SSLV2_CLIENT_METHOD ++#undef HAVE_DECL_SSLV3_CLIENT_METHOD + + /* Define to 1 if you have the declaration of `strerror', and to 0 if you + don't. */ +--- fetchmail-6.3.26.orig/configure ++++ fetchmail-6.3.26/configure +@@ -1,13 +1,11 @@ + #! /bin/sh + # Guess values for system-dependent variables and create Makefiles. +-# Generated by GNU Autoconf 2.68 for fetchmail 6.3.26. ++# Generated by GNU Autoconf 2.69 for fetchmail 6.3.26. + # + # Report bugs to . + # + # +-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software +-# Foundation, Inc. ++# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. + # + # + # This configure script is free software; the Free Software Foundation +@@ -136,6 +134,31 @@ export LANGUAGE + # CDPATH. + (unset CDPATH) >/dev/null 2>&1 && unset CDPATH + ++# Use a proper internal environment variable to ensure we don't fall ++ # into an infinite loop, continuously re-executing ourselves. ++ if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then ++ _as_can_reexec=no; export _as_can_reexec; ++ # We cannot yet assume a decent shell, so we have to provide a ++# neutralization value for shells without unset; and this also ++# works around shells that cannot unset nonexistent variables. ++# Preserve -v and -x to the replacement shell. ++BASH_ENV=/dev/null ++ENV=/dev/null ++(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV ++case $- in # (((( ++ *v*x* | *x*v* ) as_opts=-vx ;; ++ *v* ) as_opts=-v ;; ++ *x* ) as_opts=-x ;; ++ * ) as_opts= ;; ++esac ++exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} ++# Admittedly, this is quite paranoid, since all the known shells bail ++# out after a failed `exec'. ++$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 ++as_fn_exit 255 ++ fi ++ # We don't want this to propagate to other subprocesses. ++ { _as_can_reexec=; unset _as_can_reexec;} + if test "x$CONFIG_SHELL" = x; then + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : + emulate sh +@@ -169,7 +192,8 @@ if ( set x; as_fn_ret_success y && test + else + exitcode=1; echo positional parameters were not saved. + fi +-test x\$exitcode = x0 || exit 1" ++test x\$exitcode = x0 || exit 1 ++test -x / || exit 1" + as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO + as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO + eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && +@@ -214,21 +238,25 @@ IFS=$as_save_IFS + + + if test "x$CONFIG_SHELL" != x; then : +- # We cannot yet assume a decent shell, so we have to provide a +- # neutralization value for shells without unset; and this also +- # works around shells that cannot unset nonexistent variables. +- # Preserve -v and -x to the replacement shell. +- BASH_ENV=/dev/null +- ENV=/dev/null +- (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +- export CONFIG_SHELL +- case $- in # (((( +- *v*x* | *x*v* ) as_opts=-vx ;; +- *v* ) as_opts=-v ;; +- *x* ) as_opts=-x ;; +- * ) as_opts= ;; +- esac +- exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} ++ export CONFIG_SHELL ++ # We cannot yet assume a decent shell, so we have to provide a ++# neutralization value for shells without unset; and this also ++# works around shells that cannot unset nonexistent variables. ++# Preserve -v and -x to the replacement shell. ++BASH_ENV=/dev/null ++ENV=/dev/null ++(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV ++case $- in # (((( ++ *v*x* | *x*v* ) as_opts=-vx ;; ++ *v* ) as_opts=-v ;; ++ *x* ) as_opts=-x ;; ++ * ) as_opts= ;; ++esac ++exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} ++# Admittedly, this is quite paranoid, since all the known shells bail ++# out after a failed `exec'. ++$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 ++exit 255 + fi + + if test x$as_have_required = xno; then : +@@ -331,6 +359,14 @@ $as_echo X"$as_dir" | + + + } # as_fn_mkdir_p ++ ++# as_fn_executable_p FILE ++# ----------------------- ++# Test if FILE is an executable regular file. ++as_fn_executable_p () ++{ ++ test -f "$1" && test -x "$1" ++} # as_fn_executable_p + # as_fn_append VAR VALUE + # ---------------------- + # Append the text in VALUE to the end of the definition contained in VAR. Take +@@ -452,6 +488,10 @@ as_cr_alnum=$as_cr_Letters$as_cr_digits + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } + ++ # If we had to re-execute with $CONFIG_SHELL, we're ensured to have ++ # already done that, so ensure we don't try to do so again and fall ++ # in an infinite loop. This has already happened in practice. ++ _as_can_reexec=no; export _as_can_reexec + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). +@@ -486,16 +526,16 @@ if (echo >conf$$.file) 2>/dev/null; then + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. +- # In both cases, we have to default to `cp -p'. ++ # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file + rmdir conf$$.dir 2>/dev/null +@@ -507,28 +547,8 @@ else + as_mkdir_p=false + fi + +-if test -x / >/dev/null 2>&1; then +- as_test_x='test -x' +-else +- if ls -dL / >/dev/null 2>&1; then +- as_ls_L_option=L +- else +- as_ls_L_option= +- fi +- as_test_x=' +- eval sh -c '\'' +- if test -d "$1"; then +- test -d "$1/."; +- else +- case $1 in #( +- -*)set "./$1";; +- esac; +- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( +- ???[sx]*):;;*)false;;esac;fi +- '\'' sh +- ' +-fi +-as_executable_p=$as_test_x ++as_test_x='test -x' ++as_executable_p=as_fn_executable_p + + # Sed expression to map a string onto a valid CPP name. + as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +@@ -742,6 +762,7 @@ infodir + docdir + oldincludedir + includedir ++runstatedir + localstatedir + sharedstatedir + sysconfdir +@@ -841,6 +862,7 @@ datadir='${datarootdir}' + sysconfdir='${prefix}/etc' + sharedstatedir='${prefix}/com' + localstatedir='${prefix}/var' ++runstatedir='${localstatedir}/run' + includedir='${prefix}/include' + oldincludedir='/usr/include' + docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' +@@ -1093,6 +1115,15 @@ do + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + ++ -runstatedir | --runstatedir | --runstatedi | --runstated \ ++ | --runstate | --runstat | --runsta | --runst | --runs \ ++ | --run | --ru | --r) ++ ac_prev=runstatedir ;; ++ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ ++ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ ++ | --run=* | --ru=* | --r=*) ++ runstatedir=$ac_optarg ;; ++ + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ +@@ -1230,7 +1261,7 @@ fi + for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ +- libdir localedir mandir ++ libdir localedir mandir runstatedir + do + eval ac_val=\$$ac_var + # Remove trailing slashes. +@@ -1258,8 +1289,6 @@ target=$target_alias + if test "x$host_alias" != x; then + if test "x$build_alias" = x; then + cross_compiling=maybe +- $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. +- If a cross compiler is detected then cross compile mode will be used" >&2 + elif test "x$build_alias" != "x$host_alias"; then + cross_compiling=yes + fi +@@ -1385,6 +1414,7 @@ Fine tuning of the installation director + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] ++ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] +@@ -1548,9 +1578,9 @@ test -n "$ac_init_help" && exit $ac_stat + if $ac_init_version; then + cat <<\_ACEOF + fetchmail configure 6.3.26 +-generated by GNU Autoconf 2.68 ++generated by GNU Autoconf 2.69 + +-Copyright (C) 2010 Free Software Foundation, Inc. ++Copyright (C) 2012 Free Software Foundation, Inc. + This configure script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it. + _ACEOF +@@ -1827,7 +1857,7 @@ $as_echo "$ac_try_echo"; } >&5 + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || +- $as_test_x conftest$ac_exeext ++ test -x conftest$ac_exeext + }; then : + ac_retval=0 + else +@@ -2030,7 +2060,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) >= 0)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2046,7 +2077,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2072,7 +2104,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) < 0)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2088,7 +2121,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) >= $ac_mid)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2122,7 +2156,8 @@ int + main () + { + static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +-test_array [0] = 0 ++test_array [0] = 0; ++return test_array [0]; + + ; + return 0; +@@ -2195,7 +2230,7 @@ This file contains any messages produced + running configure, to aid debugging if configure makes a mistake. + + It was created by fetchmail $as_me 6.3.26, which was +-generated by GNU Autoconf 2.68. Invocation command line was ++generated by GNU Autoconf 2.69. Invocation command line was + + $ $0 $@ + +@@ -2689,7 +2724,7 @@ case $as_dir/ in #(( + # by default. + for ac_prog in ginstall scoinst install; do + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then + if test $ac_prog = install && + grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. +@@ -2858,7 +2893,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_STRIP="${ac_tool_prefix}strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -2898,7 +2933,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_STRIP="strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -2949,7 +2984,7 @@ do + test -z "$as_dir" && as_dir=. + for ac_prog in mkdir gmkdir; do + for ac_exec_ext in '' $ac_executable_extensions; do +- { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue ++ as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue + case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( + 'mkdir (GNU coreutils) '* | \ + 'mkdir (coreutils) '* | \ +@@ -3002,7 +3037,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3295,7 +3330,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3466,7 +3501,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3512,7 +3547,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3552,7 +3587,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3605,7 +3640,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3646,7 +3681,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue +@@ -3704,7 +3739,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -3748,7 +3783,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -4194,8 +4229,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ + /* end confdefs.h. */ + #include + #include +-#include +-#include ++struct stat; + /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ + struct buf { int x; }; + FILE * (*rcsopen) (struct buf *, struct stat *, int); +@@ -4751,7 +4785,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -4791,7 +4825,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_RANLIB="ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -4859,7 +4893,7 @@ do + for ac_prog in grep ggrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" +- { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue ++ as_fn_executable_p "$ac_path_GREP" || continue + # Check for GNU ac_path_GREP and select it if it is found. + # Check for GNU $ac_path_GREP + case `"$ac_path_GREP" --version 2>&1` in +@@ -4925,7 +4959,7 @@ do + for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" +- { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue ++ as_fn_executable_p "$ac_path_EGREP" || continue + # Check for GNU ac_path_EGREP and select it if it is found. + # Check for GNU $ac_path_EGREP + case `"$ac_path_EGREP" --version 2>&1` in +@@ -5132,8 +5166,8 @@ else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + +-# define __EXTENSIONS__ 1 +- $ac_includes_default ++# define __EXTENSIONS__ 1 ++ $ac_includes_default + int + main () + { +@@ -5513,11 +5547,11 @@ else + int + main () + { +-/* FIXME: Include the comments suggested by Paul. */ ++ + #ifndef __cplusplus +- /* Ultrix mips cc rejects this. */ ++ /* Ultrix mips cc rejects this sort of thing. */ + typedef int charset[2]; +- const charset cs; ++ const charset cs = { 0, 0 }; + /* SunOS 4.1.1 cc rejects this. */ + char const *const *pcpcc; + char **ppc; +@@ -5534,8 +5568,9 @@ main () + ++pcpcc; + ppc = (char**) pcpcc; + pcpcc = (char const *const *) ppc; +- { /* SCO 3.2v4 cc rejects this. */ +- char *t; ++ { /* SCO 3.2v4 cc rejects this sort of thing. */ ++ char tx; ++ char *t = &tx; + char const *s = 0 ? (char *) 0 : (char const *) 0; + + *t++ = 0; +@@ -5551,10 +5586,10 @@ main () + iptr p = 0; + ++p; + } +- { /* AIX XL C 1.02.0.0 rejects this saying ++ { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying + "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ +- struct s { int j; const int *ap[3]; }; +- struct s *b; b->j = 5; ++ struct s { int j; const int *ap[3]; } bx; ++ struct s *b = &bx; b->j = 5; + } + { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ + const int foo = 10; +@@ -5600,7 +5635,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_LEX="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -5632,7 +5667,8 @@ a { ECHO; } + b { REJECT; } + c { yymore (); } + d { yyless (1); } +-e { yyless (input () != 0); } ++e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */ ++ yyless ((input () != 0)); } + f { unput (yytext[0]); } + . { BEGIN INITIAL; } + %% +@@ -5792,7 +5828,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_YACC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -6044,7 +6080,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -8548,7 +8584,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_procmail="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -8590,7 +8626,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_sendmail="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -8632,7 +8668,7 @@ do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do +- if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_maildrop="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 +@@ -10121,16 +10157,16 @@ $as_echo "$as_me: WARNING: Consider re-r + fi + + case "$LIBS" in *-lssl*) +- ac_fn_c_check_decl "$LINENO" "SSLv2_client_method" "ac_cv_have_decl_SSLv2_client_method" "#include ++ ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include + " +-if test "x$ac_cv_have_decl_SSLv2_client_method" = xyes; then : ++if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then : + ac_have_decl=1 + else + ac_have_decl=0 + fi + + cat >>confdefs.h <<_ACEOF +-#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl ++#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl + _ACEOF + + ;; +@@ -11334,16 +11370,16 @@ if (echo >conf$$.file) 2>/dev/null; then + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. +- # In both cases, we have to default to `cp -p'. ++ # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + else +- as_ln_s='cp -p' ++ as_ln_s='cp -pR' + fi + rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file + rmdir conf$$.dir 2>/dev/null +@@ -11403,28 +11439,16 @@ else + as_mkdir_p=false + fi + +-if test -x / >/dev/null 2>&1; then +- as_test_x='test -x' +-else +- if ls -dL / >/dev/null 2>&1; then +- as_ls_L_option=L +- else +- as_ls_L_option= +- fi +- as_test_x=' +- eval sh -c '\'' +- if test -d "$1"; then +- test -d "$1/."; +- else +- case $1 in #( +- -*)set "./$1";; +- esac; +- case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( +- ???[sx]*):;;*)false;;esac;fi +- '\'' sh +- ' +-fi +-as_executable_p=$as_test_x ++ ++# as_fn_executable_p FILE ++# ----------------------- ++# Test if FILE is an executable regular file. ++as_fn_executable_p () ++{ ++ test -f "$1" && test -x "$1" ++} # as_fn_executable_p ++as_test_x='test -x' ++as_executable_p=as_fn_executable_p + + # Sed expression to map a string onto a valid CPP name. + as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +@@ -11446,7 +11470,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri + # values after options handling. + ac_log=" + This file was extended by fetchmail $as_me 6.3.26, which was +-generated by GNU Autoconf 2.68. Invocation command line was ++generated by GNU Autoconf 2.69. Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS +@@ -11512,10 +11536,10 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_writ + ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" + ac_cs_version="\\ + fetchmail config.status 6.3.26 +-configured by $0, generated by GNU Autoconf 2.68, ++configured by $0, generated by GNU Autoconf 2.69, + with options \\"\$ac_cs_config\\" + +-Copyright (C) 2010 Free Software Foundation, Inc. ++Copyright (C) 2012 Free Software Foundation, Inc. + This config.status script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it." + +@@ -11606,7 +11630,7 @@ fi + _ACEOF + cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + if \$ac_cs_recheck; then +- set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion ++ set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + shift + \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 + CONFIG_SHELL='$SHELL' +--- fetchmail-6.3.26.orig/configure.ac ++++ fetchmail-6.3.26/configure.ac +@@ -802,7 +802,7 @@ else + fi + + case "$LIBS" in *-lssl*) +- AC_CHECK_DECLS([SSLv2_client_method],,,[#include ]) ++ AC_CHECK_DECLS([SSLv3_client_method],,,[#include ]) + ;; + esac + +--- fetchmail-6.3.26.orig/fetchmail-FAQ.html ++++ fetchmail-6.3.26/fetchmail-FAQ.html +@@ -667,8 +667,8 @@ because there is not currently a standar + also uses this method, so the two will interoperate happily. They + better, because this is how Craig gets his mail ;-)

+ +-

Finally, you can use SSL for complete +-end-to-end encryption if you have an SSL-enabled mailserver.

++

Finally, you can use SSL or TLS for complete ++end-to-end encryption if you have a TLS-enabled mailserver.

+ +

G11. Is any special configuration needed + to use a dynamic IP address?

+@@ -2120,7 +2120,7 @@ SSL? + +

You'll need to have the OpenSSL libraries installed, and they +-should at least be version 0.9.7. ++should at least be version 0.9.8, with 1.0.1 preferred. + Configure with --with-ssl. If you have the OpenSSL libraries + installed in commonly-used default locations, this will + suffice. If you have them installed in a non-default location, +@@ -2130,7 +2130,7 @@ to --with-ssl after an equal sign.

+

Fetchmail binaries built this way support ssl, + sslkey, and sslcert options that control + SSL encryption, and will automatically use tls if the +-server offers it. You will need to have an SSL-enabled mailserver to ++server offers it. You will need to have an SSL/TLS-enabled mailserver to + use these options. See the manual page for details and some words + of care on the limited security provided.

+ +@@ -2155,13 +2155,14 @@ poll MYSERVER port 993 plugin "openssl s + protocol imap username MYUSERNAME password MYPASSWORD + + +-

You should note that SSL is only secure against a "man-in-the-middle" +-attack if the client is able to verify that the peer's public key is the +-correct one, and has not been substituted by an attacker. fetchmail can do +-this in one of two ways: by verifying the SSL certificate, or by checking +-the fingerprint of the peer's public key.

++

You should note that SSL or TLS are only secure against a ++"man-in-the-middle" attack if the client is able to verify that the ++peer's public key is the correct one, and has not been substituted by an ++attacker. fetchmail can do this in one of two ways: by verifying the SSL ++certificate, or by checking the fingerprint of the peer's public ++key.

+ +-

There are three parts to SSL certificate verification: checking that the ++

There are three parts to TLS certificate verification: checking that the + domain name in the certificate matches the hostname you asked to connect to; + checking that the certificate expiry date has not passed; and checking that + the certificate has been signed by a known Certificate Authority (CA). This +@@ -2227,8 +2228,12 @@ will automatically attempt TLS negotiati + time. This can however cause problems if the upstream didn't configure + his certificates properly.

+ +-

In order to prevent fetchmail from trying TLS (STLS, STARTTLS) +-negotiation, add this option:

++

In order to prevent fetchmail 6.4.0 and newer versions from trying ++STLS or STARTTLS negotiation, add this option:

++
sslproto ''
++ ++

In order to prevent older fetchmail versions from trying TLS (STLS, STARTTLS) ++negotiation where the above does not work, try this option:

+ + 
sslproto ssl23
+ +@@ -2876,15 +2881,22 @@ need to say something like 'envelo + + 
+ Received: from send103.yahoomail.com (send103.yahoomail.com [205.180.60.92])
+-    by iserv.ttns.net (8.8.5/8.8.5) with SMTP id RAA10088
+-    for <ksturgeon@fbceg.org>; Wed, 9 Sep 1998 17:01:59 -0700
++    by iserv.example.net (8.8.5/8.8.5) with SMTP id RAA10088
++    for <ksturgeon@fbceg.example.org>; Wed, 9 Sep 1998 17:01:59 -0700
+
+ +-

it checks to see if 'iserv.ttns.net' is a DNS alias of your +-mailserver before accepting 'ksturgeon@fbceg.org' as an envelope ++

it checks to see if 'iserv.example.net' is a DNS alias of your ++mailserver before accepting 'ksturgeon@fbceg.example.org' as an envelope + address. This check might fail if your DNS were misconfigured, or +-if you were using 'no dns' and had failed to declare iserv.ttns.net +-as an alias of your server.

++if you were using 'no dns' and had failed to declare iserv.example.net ++as an alias of your server. The typical hint is logging similar to: ++line rejected, iserv.example.net is not an alias of the mailserver, ++if you use fetchmail in verbose mode.

++ ++

Workaround: You can specify the alias explicitly, with aka ++ iserv.example.net statements in the rcfile. Replace ++iserv.example.net by the name you find in your ++'by' part of the 'Received:' line.

+ +

M8. Users are getting multiple copies of + messages.

+@@ -3237,6 +3249,8 @@ Hayes mode escape "+++".

+

X8. A spurious ) is being appended to my + messages.

+ ++

Fetchmail 6.3.5 and newer releases are supposed to fix this.

++ +

Due to the problem described in S2, the + IMAP support in fetchmail cannot follow the IMAP protocol 100 %. + Most of the time it doesn't matter, but if you combine it with an +@@ -3279,8 +3293,6 @@ it at the end of the message it forwards + on, you'll get a message about actual != expected. + + +-

There is no fix for this.

+- +

X9. Missing "Content-Transfer-Encoding" header + with Domino IMAP

+ +--- fetchmail-6.3.26.orig/fetchmail.c ++++ fetchmail-6.3.26/fetchmail.c +@@ -54,6 +54,10 @@ + #define ENETUNREACH 128 /* Interactive doesn't know this */ + #endif /* ENETUNREACH */ + ++#ifdef SSL_ENABLE ++#include /* for OPENSSL_NO_SSL2 and ..._SSL3 checks */ ++#endif ++ + /* prototypes for internal functions */ + static int load_params(int, char **, int); + static void dump_params (struct runctl *runp, struct query *, flag implicit); +@@ -138,7 +142,7 @@ static void printcopyright(FILE *fp) { + "Copyright (C) 2004 Matthias Andree, Eric S. Raymond,\n" + " Robert M. Funk, Graham Wilson\n" + "Copyright (C) 2005 - 2012 Sunil Shetye\n" +- "Copyright (C) 2005 - 2013 Matthias Andree\n" ++ "Copyright (C) 2005 - 2015 Matthias Andree\n" + )); + fprintf(fp, GT_("Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you\n" + "are welcome to redistribute it under certain conditions. For details,\n" +@@ -262,6 +266,9 @@ int main(int argc, char **argv) + #endif /* ODMR_ENABLE */ + #ifdef SSL_ENABLE + "+SSL" ++#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0) || defined(OPENSSL_NO_SSL3) ++ "-SSLv3" ++#endif + #endif + #ifdef OPIE_ENABLE + "+OPIE" +--- fetchmail-6.3.26.orig/fetchmail.h ++++ fetchmail-6.3.26/fetchmail.h +@@ -771,9 +771,9 @@ int servport(const char *service); + int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res); + void fm_freeaddrinfo(struct addrinfo *ai); + +-/* prototypes from tls.c */ +-int maybe_tls(struct query *ctl); +-int must_tls(struct query *ctl); ++/* prototypes from starttls.c */ ++int maybe_starttls(struct query *ctl); ++int must_starttls(struct query *ctl); + + /* prototype from rfc822valid.c */ + int rfc822_valid_msgid(const unsigned char *); +--- fetchmail-6.3.26.orig/fetchmail.man ++++ fetchmail-6.3.26/fetchmail.man +@@ -412,23 +412,22 @@ from. The folder information is written + .B \-\-ssl + (Keyword: ssl) + .br +-Causes the connection to the mail server to be encrypted +-via SSL. Connect to the server using the specified base protocol over a +-connection secured by SSL. This option defeats opportunistic starttls +-negotiation. It is highly recommended to use \-\-sslproto 'SSL3' +-\-\-sslcertck to validate the certificates presented by the server and +-defeat the obsolete SSLv2 negotiation. More information is available in +-the \fIREADME.SSL\fP file that ships with fetchmail. +-.IP +-Note that fetchmail may still try to negotiate SSL through starttls even +-if this option is omitted. You can use the \-\-sslproto option to defeat +-this behavior or tell fetchmail to negotiate a particular SSL protocol. ++Causes the connection to the mail server to be encrypted via SSL, by ++negotiating SSL directly after connecting (SSL-wrapped mode). It is ++highly recommended to use \-\-sslcertck to validate the certificates ++presented by the server. Please see the description of \-\-sslproto ++below! More information is available in the \fIREADME.SSL\fP file that ++ships with fetchmail. ++.IP ++Note that even if this option is omitted, fetchmail may still negotiate ++SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You ++can use the \-\-sslproto option to modify that behavior. + .IP + If no port is specified, the connection is attempted to the well known + port of the SSL version of the base protocol. This is generally a + different port than the port used by the base protocol. For IMAP, this + is port 143 for the clear protocol and port 993 for the SSL secured +-protocol, for POP3, it is port 110 for the clear text and port 995 for ++protocol; for POP3, it is port 110 for the clear text and port 995 for + the encrypted variant. + .IP + If your system lacks the corresponding entries from /etc/services, see +@@ -470,39 +469,73 @@ cause some complications in daemon mode. + .IP + Also see \-\-sslcert above. + .TP +-.B \-\-sslproto +-(Keyword: sslproto) ++.B \-\-sslproto ++(Keyword: sslproto, NOTE: semantic changes since v6.4.0) + .br +-Forces an SSL/TLS protocol. Possible values are \fB''\fP, +-\&'\fBSSL2\fP' (not supported on all systems), +-\&'\fBSSL23\fP', (use of these two values is discouraged +-and should only be used as a last resort) \&'\fBSSL3\fP', and +-\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for +-connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will +-opportunistically try STARTTLS negotiation with TLS1. You can configure +-this option explicitly if the default handshake (TLS1 if \-\-ssl is not +-used) does not work for your server. +-.IP +-Use this option with '\fBTLS1\fP' value to enforce a STARTTLS +-connection. In this mode, it is highly recommended to also use +-\-\-sslcertck (see below). Note that this will then cause fetchmail +-v6.3.19 to force STARTTLS negotiation even if it is not advertised by +-the server. +-.IP +-To defeat opportunistic TLSv1 negotiation when the server advertises +-STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This +-option, even if the argument is the empty string, will also suppress the +-diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose +-mode. The default is to try appropriate protocols depending on context. ++This option has a dual use, out of historic fetchmail behaviour. It ++controls both the SSL/TLS protocol version and, if \-\-ssl is not ++specified, the STARTTLS behaviour (upgrading the protocol to an SSL or ++TLS connection in-band). Some other options may however make TLS ++mandatory. ++.PP ++Only if this option and \-\-ssl are both missing for a poll, there will ++be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to ++upgrade to TLSv1 or newer. ++.PP ++Recognized values for \-\-sslproto are given below. You should normally ++chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of ++the options ending in a plus (\fB+\fP) character. Note that depending ++on OpenSSL library version and configuration, some options cause ++run-time errors because the requested SSL or TLS versions are not ++supported by the particular installed OpenSSL library. ++.RS ++.IP "\fB''\fP, the empty string" ++Disable STARTTLS. If \-\-ssl is given for the same server, log an error ++and pretend that '\fBauto\fP' had been used instead. ++.IP '\fBauto\fP' ++(default). Since v6.4.0. Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade. ++(fetchmail 6.3.26 and older have auto-negotiated all protocols that ++their OpenSSL library supported, including the broken SSLv3). ++.IP "\&'\fBSSL23\fP' ++see '\fBauto\fP'. ++.IP \&'\fBSSL3\fP' ++Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it ++if possible. This will make fetchmail negotiate SSLv3 only, and is the ++only way besides '\fBSSL3+\fP' to have fetchmail 6.4.0 or newer permit SSLv3. ++.IP \&'\fBSSL3+\fP' ++same as '\fBauto\fP', but permit SSLv3 as well. This is the only way ++besides '\fBSSL3\fP' to have fetchmail 6.4.0 or newer permit SSLv3. ++.IP \&'\fBTLS1\fP' ++Require TLSv1. This does not negotiate TLSv1.1 or newer, and is ++discouraged. Replace by TLS1+ unless the latter chokes your server. ++.IP \&'\fBTLS1+\fP' ++Since v6.4.0. See 'fBauto\fP'. ++.IP \&'\fBTLS1.1\fP' ++Since v6.4.0. Require TLS v1.1 exactly. ++.IP \&'\fBTLS1.1+\fP' ++Since v6.4.0. Require TLS. Auto-negotiate TLSv1.1 or newer. ++.IP \&'\fBTLS1.2\fP' ++Since v6.4.0. Require TLS v1.2 exactly. ++.IP '\fBTLS1.2+\fP' ++Since v6.4.0. Require TLS. Auto-negotiate TLSv1.2 or newer. ++.IP "Unrecognized parameters" ++are treated the same as '\fBauto\fP'. ++.RE ++.IP ++NOTE: you should hardly ever need to use anything other than '' (to ++force an unencrypted connection) or 'auto' (to enforce TLS). + .TP + .B \-\-sslcertck + (Keyword: sslcertck) + .br +-Causes fetchmail to strictly check the server certificate against a set of +-local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP +-options). If the server certificate cannot be obtained or is not signed by one +-of the trusted ones (directly or indirectly), the SSL connection will fail, +-regardless of the \fBsslfingerprint\fP option. ++Causes fetchmail to require that SSL/TLS be used and disconnect if it ++can not successfully negotiate SSL or TLS, or if it cannot successfully ++verify and validate the certificate and follow it to a trust anchor (or ++trusted root certificate). The trust anchors are given as a set of local ++trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP ++options). If the server certificate cannot be obtained or is not signed ++by one of the trusted ones (directly or indirectly), fetchmail will ++disconnect, regardless of the \fBsslfingerprint\fP option. + .IP + Note that CRL (certificate revocation lists) are only supported in + OpenSSL 0.9.7 and newer! Your system clock should also be reasonably +@@ -1202,31 +1235,33 @@ capability response. Specify a user opti + username and the part to the right as the NTLM domain. + + .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS) ++.PP All retrieval protocols can use SSL or TLS wrapping for the ++transport. Additionally, POP3 and IMAP retrival can also negotiate ++SSL/TLS by means of STARTTLS (or STLS). + .PP + Note that fetchmail currently uses the OpenSSL library, which is + severely underdocumented, so failures may occur just because the + programmers are not aware of OpenSSL's requirement of the day. + For instance, since v6.3.16, fetchmail calls + OpenSSL_add_all_algorithms(), which is necessary to support certificates +-using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the +-documentation and not at all obvious. Please do not hesitate to report +-subtle SSL failures. +-.PP +-You can access SSL encrypted services by specifying the \-\-ssl option. +-You can also do this using the "ssl" user option in the .fetchmailrc +-file. With SSL encryption enabled, queries are initiated over a +-connection after negotiating an SSL session, and the connection fails if +-SSL cannot be negotiated. Some services, such as POP3 and IMAP, have ++using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in ++the documentation and not at all obvious. Please do not hesitate to ++report subtle SSL failures. ++.PP ++You can access SSL encrypted services by specifying the options starting ++with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others. ++You can also do this using the corresponding user options in the .fetchmailrc ++file. Some services, such as POP3 and IMAP, have + different well known ports defined for the SSL encrypted services. The + encrypted ports will be selected automatically when SSL is enabled and +-no explicit port is specified. The \-\-sslproto 'SSL3' option should be +-used to select the SSLv3 protocol (default if unset: v2 or v3). Also, +-the \-\-sslcertck command line or sslcertck run control file option +-should be used to force strict certificate checking - see below. ++no explicit port is specified. Also, the \-\-sslcertck command line or ++sslcertck run control file option should be used to force strict ++certificate checking - see below. + .PP + If SSL is not configured, fetchmail will usually opportunistically try to use +-STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS +-connections use the same port as the unencrypted version of the ++STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and ++defeated by using \-\-sslproto\~''. ++TLS connections use the same port as the unencrypted version of the + protocol and negotiate TLS via special command. The \-\-sslcertck + command line or sslcertck run control file option should be used to + force strict certificate checking - see below. +--- fetchmail-6.3.26.orig/imap.c ++++ fetchmail-6.3.26/imap.c +@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct + /* apply for connection authorization */ + { + int ok = 0; ++ char *commonname; ++ + (void)greeting; + + /* +@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct + return(PS_SUCCESS); + } + +-#ifdef SSL_ENABLE +- if (maybe_tls(ctl)) { +- char *commonname; +- +- commonname = ctl->server.pollname; +- if (ctl->server.via) +- commonname = ctl->server.via; +- if (ctl->sslcommonname) +- commonname = ctl->sslcommonname; ++ commonname = ctl->server.pollname; ++ if (ctl->server.via) ++ commonname = ctl->server.via; ++ if (ctl->sslcommonname) ++ commonname = ctl->sslcommonname; + +- if (strstr(capabilities, "STARTTLS") +- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ ++#ifdef SSL_ENABLE ++ if (maybe_starttls(ctl)) { ++ if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) ++ || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ + { +- /* Use "tls1" rather than ctl->sslproto because tls1 is the only +- * protocol that will work with STARTTLS. Don't need to worry +- * whether TLS is mandatory or opportunistic unless SSLOpen() fails +- * (see below). */ ++ /* Don't need to worry whether TLS is mandatory or ++ * opportunistic unless SSLOpen() fails (see below). */ + if (gen_transact(sock, "STARTTLS") == PS_SUCCESS +- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, ++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, + ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, + ctl->server.pollname, &ctl->remotename)) != -1) + { +@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct + { + report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); + } +- } else if (must_tls(ctl)) { ++ } else if (must_starttls(ctl)) { + /* Config required TLS but we couldn't guarantee it, so we must + * stop. */ + set_timeout(0); +@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct + /* Usable. Proceed with authenticating insecurely. */ + } + } ++ } else { ++ if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) { ++ report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname); ++ } + } + #endif /* SSL_ENABLE */ + +--- fetchmail-6.3.26.orig/po/Makevars ++++ fetchmail-6.3.26/po/Makevars +@@ -46,3 +46,15 @@ MSGID_BUGS_ADDRESS = fetchmail-devel@lis + # This is the list of locale categories, beyond LC_MESSAGES, for which the + # message catalogs shall be used. It is usually empty. + EXTRA_LOCALE_CATEGORIES = ++ ++# This tells whether the $(DOMAIN).pot file contains messages with an 'msgctxt' ++# context. Possible values are "yes" and "no". Set this to yes if the ++# package uses functions taking also a message context, like pgettext(), or ++# if in $(XGETTEXT_OPTIONS) you define keywords with a context argument. ++USE_MSGCTXT = no ++ ++# These options get passed to msgmerge. ++# Useful options are in particular: ++# --previous to keep previous msgids of translated messages, ++# --quiet to reduce the verbosity. ++MSGMERGE_OPTIONS = +--- fetchmail-6.3.26.orig/pop3.c ++++ fetchmail-6.3.26/pop3.c +@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct + #endif /* OPIE_ENABLE */ + #ifdef SSL_ENABLE + flag connection_may_have_tls_errors = FALSE; ++ char *commonname; + #endif /* SSL_ENABLE */ + + done_capa = FALSE; +@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct + (ctl->server.authenticate == A_KERBEROS_V5) || + (ctl->server.authenticate == A_OTP) || + (ctl->server.authenticate == A_CRAM_MD5) || +- maybe_tls(ctl)) ++ maybe_starttls(ctl)) + { + if ((ok = capa_probe(sock)) != PS_SUCCESS) + /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */ +@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct + (ok == PS_SOCKET && !ctl->wehaveauthed)) + { + #ifdef SSL_ENABLE +- if (must_tls(ctl)) { ++ if (must_starttls(ctl)) { + /* fail with mandatory STLS without repoll */ + report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n")); + report(stderr, GT_("The CAPA command is however necessary for TLS.\n")); + return ok; +- } else if (maybe_tls(ctl)) { ++ } else if (maybe_starttls(ctl)) { + /* defeat opportunistic STLS */ + xfree(ctl->sslproto); + ctl->sslproto = xstrdup(""); +@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct + } + + #ifdef SSL_ENABLE +- if (maybe_tls(ctl)) { +- char *commonname; ++ commonname = ctl->server.pollname; ++ if (ctl->server.via) ++ commonname = ctl->server.via; ++ if (ctl->sslcommonname) ++ commonname = ctl->sslcommonname; + +- commonname = ctl->server.pollname; +- if (ctl->server.via) +- commonname = ctl->server.via; +- if (ctl->sslcommonname) +- commonname = ctl->sslcommonname; +- +- if (has_stls +- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ ++ if (maybe_starttls(ctl)) { ++ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ + { +- /* Use "tls1" rather than ctl->sslproto because tls1 is the only +- * protocol that will work with STARTTLS. Don't need to worry +- * whether TLS is mandatory or opportunistic unless SSLOpen() fails +- * (see below). */ ++ /* Don't need to worry whether TLS is mandatory or ++ * opportunistic unless SSLOpen() fails (see below). */ + if (gen_transact(sock, "STLS") == PS_SUCCESS +- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, ++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, + ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, + ctl->server.pollname, &ctl->remotename)) != -1) + { +@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct + { + report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); + } +- } else if (must_tls(ctl)) { ++ } else if (must_starttls(ctl)) { + /* Config required TLS but we couldn't guarantee it, so we must + * stop. */ + set_timeout(0); +@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct + } + } + } +- } /* maybe_tls() */ ++ } else { /* maybe_starttls() */ ++ if (has_stls && outlevel >= O_VERBOSE) { ++ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname); ++ } ++ } /* maybe_starttls() */ + #endif /* SSL_ENABLE */ + + /* +--- fetchmail-6.3.26.orig/socket.c ++++ fetchmail-6.3.26/socket.c +@@ -876,7 +876,9 @@ int SSLOpen(int sock, char *mycert, char + { + struct stat randstat; + int i; ++ int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + long sslopts = SSL_OP_ALL; ++ int ssle_connect = 0; + + SSL_load_error_strings(); + SSL_library_init(); +@@ -906,25 +908,57 @@ int SSLOpen(int sock, char *mycert, char + /* Make sure a connection referring to an older context is not left */ + _ssl_context[sock] = NULL; + if(myproto) { +- if(!strcasecmp("ssl2",myproto)) { +-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 +- _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); ++ if(!strcasecmp("ssl3",myproto)) { ++#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0) ++ _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); ++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; + #else +- report(stderr, GT_("Your operating system does not support SSLv2.\n")); ++ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n")); return -1; #endif - } else if(!strcasecmp("ssl3",myproto)) { +- } else if(!strcasecmp("ssl3",myproto)) { - _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); -+ report(stderr, GT_("Your operating system does not support SSLv3.\n")); -+ return -1; ++ } else if(!strcasecmp("ssl3+",myproto)) { ++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; ++ myproto = NULL; } else if(!strcasecmp("tls1",myproto)) { _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); - } else if (!strcasecmp("ssl23",myproto)) { +- } else if (!strcasecmp("ssl23",myproto)) { ++ } else if(!strcasecmp("tls1+",myproto)) { ++ myproto = NULL; ++#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION ++ } else if(!strcasecmp("tls1.1",myproto)) { ++ _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method()); ++ } else if(!strcasecmp("tls1.1+",myproto)) { ++ myproto = NULL; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1; ++#else ++ } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) { ++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n")); ++ return -1; ++#endif ++#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION ++ } else if(!strcasecmp("tls1.2",myproto)) { ++ _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method()); ++ } else if(!strcasecmp("tls1.2+",myproto)) { ++ myproto = NULL; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1_1; ++#else ++ } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) { ++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n")); ++ return -1; ++#endif ++ } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) { + myproto = NULL; + } else { +- report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); ++ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto); + myproto = NULL; + } + } +- if(!myproto) { ++ // do not combine into an else { } as myproto may be nulled ++ // above! ++ if (!myproto) { ++ // SSLv23 is a misnomer and will in fact use the best ++ // available protocol, subject to SSL_OP_NO* ++ // constraints. + _ctx[sock] = SSL_CTX_new(SSLv23_client_method()); + } + if(_ctx[sock] == NULL) { +@@ -938,7 +972,7 @@ int SSLOpen(int sock, char *mycert, char + sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + } + +- SSL_CTX_set_options(_ctx[sock], sslopts); ++ SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions); + + if (certck) { + SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); +@@ -1008,8 +1042,18 @@ int SSLOpen(int sock, char *mycert, char + } + + if (SSL_set_fd(_ssl_context[sock], sock) == 0 +- || SSL_connect(_ssl_context[sock]) < 1) { ++ || (ssle_connect = SSL_connect(_ssl_context[sock])) < 1) { ++ int e = errno; ++ unsigned long ssle_err_from_queue = ERR_peek_error(); ++ unsigned long ssle_err_from_get_error = SSL_get_error(_ssl_context[sock], ssle_connect); + ERR_print_errors_fp(stderr); ++ if (SSL_ERROR_SYSCALL == ssle_err_from_get_error && 0 == ssle_err_from_queue) { ++ if (0 == ssle_connect) { ++ report(stderr, GT_("Server shut down connection prematurely during SSL_connect().\n")); ++ } else if (ssle_connect < 0) { ++ report(stderr, GT_("System error during SSL_connect(): %s\n"), strerror(e)); ++ } ++ } + SSL_free( _ssl_context[sock] ); + _ssl_context[sock] = NULL; + SSL_CTX_free(_ctx[sock]); +@@ -1017,6 +1061,24 @@ int SSLOpen(int sock, char *mycert, char + return(-1); + } + ++ if (outlevel >= O_VERBOSE) { ++ SSL_CIPHER const *sc; ++ int bitsmax, bitsused; ++ ++ const char *ver; ++ ++ ver = SSL_get_version(_ssl_context[sock]); ++ ++ sc = SSL_get_current_cipher(_ssl_context[sock]); ++ if (!sc) { ++ report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n")); ++ } else { ++ bitsused = SSL_CIPHER_get_bits(sc, &bitsmax); ++ report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"), ++ ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax); ++ } ++ } ++ + /* Paranoia: was the callback not called as we expected? */ + if (!_depth0ck) { + report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n")); +--- /dev/null ++++ fetchmail-6.3.26/starttls.c +@@ -0,0 +1,37 @@ ++/** \file tls.c - collect common TLS functionality ++ * \author Matthias Andree ++ * \date 2006 ++ */ ++ ++#include "fetchmail.h" ++ ++#include ++ ++#ifdef HAVE_STRINGS_H ++#include ++#endif ++ ++/** return true if user allowed opportunistic STARTTLS/STLS */ ++int maybe_starttls(struct query *ctl) { ++#ifdef SSL_ENABLE ++ /* opportunistic or forced TLS */ ++ return (!ctl->sslproto || strlen(ctl->sslproto)) ++ && !ctl->use_ssl; ++#else ++ (void)ctl; ++ return 0; ++#endif ++} ++ ++/** return true if user requires STARTTLS/STLS, note though that this ++ * code must always use a logical AND with maybe_tls(). */ ++int must_starttls(struct query *ctl) { ++#ifdef SSL_ENABLE ++ return maybe_starttls(ctl) ++ && (ctl->sslfingerprint || ctl->sslcertck ++ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1"))); ++#else ++ (void)ctl; ++ return 0; ++#endif ++} diff --git a/fetchmail.changes b/fetchmail.changes index 680ed5a..8e70278 100644 --- a/fetchmail.changes +++ b/fetchmail.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed May 29 11:58:18 UTC 2019 - Dr. Werner Fink + +- Use Debian 02_remove_SSLv3 change set based on beta 6.4.0 to + modernize the patch fetchmail-openssl11.patch for modern TLS + (auto) support + ------------------------------------------------------------------- Thu Mar 15 17:12:10 UTC 2018 - pmonrealgonzalez@suse.com diff --git a/fetchmail.spec b/fetchmail.spec index 5184306..bc758aa 100644 --- a/fetchmail.spec +++ b/fetchmail.spec @@ -1,7 +1,7 @@ # # spec file for package fetchmail # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ #