Commit 916abfe7 authored by Matthias Andree

Update documentation.

parent 86b77d1b
......@@ -66,11 +66,6 @@ configure option '--with-included-gettext'.
Installing fetchmail is easy. From within this directory, type:
./configure --with-ssl
if you have OpenSSL (and its developer packages, if separate) installed
on your system, or if you don't or do not need SSL/TLS support:
./configure
The autoconfiguration script will spend a bit of time figuring out the
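Review bot: With the './configure --with-ssl' paragraph gone, the quick start no longer mentions that OpenSSL and its developer packages are needed, yet the OpenSSL section further down now says SSL is enabled by default and that configure aborts when OpenSSL is not found. Keep one sentence here saying that a plain './configure' expects the OpenSSL headers to be installed, so a first-time builder is not surprised by the abort.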
......@@ -80,7 +75,7 @@ variable CC before you run configure.
The configure script accepts certain standard configuration options.
These include --prefix, --exec-prefix, --bindir, --infodir, --mandir,
and --srcdir. Do 'configure --help' for more.
and --srcdir. Run 'configure --help' for more.
POP2 support is no longer compiled in by default, as POP2 is way obsolete
and there don't seem to be any live servers for it anymore. You can
......@@ -102,15 +97,14 @@ locations (/usr, /usr/local). If you set --with-GSSAPI=DIR
you can direct the build to look for GSSAPI support under DIR.
Hooks for the OpenSSL library (see http://www.openssl.org/) are
included in the distribution. To enable these, configure with
--with-ssl; they are not included in the standard build. Fetchmail's
configure script will probe some default locations for the
include/openssl/ssl.h file. If this doesn't work (i. e. configure prints
"SSL support enabled, but OpenSSL not found" and aborts), you need to
give the explicit prefix of your OpenSSL installation (specify the
directory that contains OpenSSL's "include" subdirectory), for instance:
"--with-ssl=/example/path" would assume that you have an
/example/path/include/openssl/ssl.h header file.
included in the distribution. Fetchmail 6.4 enables these by default.
Fetchmail's configure script will query pkg-config (pkgconf) or failing that,
probe some default locations for the include/openssl/ssl.h file. If this
doesn't work (i. e. configure prints "SSL support enabled, but OpenSSL not
found" and aborts), you need to give the explicit prefix of your OpenSSL
installation (specify the directory that contains OpenSSL's "include"
subdirectory), for instance: "--with-ssl=/example/path" would assume that you
have an /example/path/include/openssl/ssl.h header file.
2.2 Advanced options
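Review bot: The rewritten paragraph says SSL is now enabled by default but does not say how to get a build without it, whereas the old wording made clear how to obtain either build. Add the configure invocation that disables SSL, and state the minimum OpenSSL version here as well, since README.packaging in this same commit names v1.0.2.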
......@@ -142,6 +136,13 @@ Run
This should compile fetchmail for your system. If fetchmail fails to build
properly, see the FAQ section B on build-time problems.
On multi-core computers, run
make -j8
on a computer that supports 8 CPU threads at the same time (for instance,
Octocore computers or Quad-core computers supporting two threads per core).
4. INSTALL
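Review bot: The added 'make -j8' text hard-codes a job count and reads circularly ("On multi-core computers, run ... on a computer that supports 8 CPU threads"). Describe it as 'make -jN' with N set to the number of hardware threads, and give 8 only as an example.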
......
......@@ -59,6 +59,7 @@ removed from a 6.4.0 or newer release.)
fetchmail may switch to a different SSL library.
* SSLv3 support may be removed from a future fetchmail release. It has been
obsolete for many years and found insecure. Use TLS.
* Fetchmailconf is deprecated and will be removed from a future release.
--------------------------------------------------------------------------------
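Review bot: The new entry "Fetchmailconf is deprecated and will be removed from a future release." gives no reason and no replacement, and README.packaging in this commit still tells packagers to install and byte-compile fetchmailconf.py without mentioning the deprecation. Say what users are expected to do instead and cross-reference the deprecation from the packaging notes.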
......
......@@ -22,9 +22,10 @@ Internet's SDPS, or CRAM-MD5 authentication a la RFC2195.
Fetchmail supports end-to-end encryption with OpenSSL, do read README.SSL for
details on fetchmail's configuration and README.SSL-SERVER for server-side
requirements. NOTE! To be compatible with earlier releases, fetchmail 6.3's
default behaviour is more relaxed than dictated by the standard - add options
such as --sslcertck to tighten certificate checking.
requirements. NOTE! To be compatible with earlier releases, fetchmail 6.4
default behaviour is more relaxed than dictated by recommendations - while it
does away with SSLv2, only negotiates SSLv3 if forced to, it will by default
still negotiate TLS v1.0.
Portability
-----------
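Review bot: The replacement NOTE drops the pointer to '--sslcertck' and offers nothing in its place, so a reader learns that TLS v1.0 is still negotiated by default but not how to forbid it. Name the option that raises the minimum protocol version or refer to the relevant part of README.SSL, and say explicitly whether certificate checking is now on by default or '--sslcertck' is still needed. The sentence also needs an "and" before "only negotiates SSLv3 if forced to".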
......@@ -33,10 +34,10 @@ The fetchmail code was developed under Linux, but has also been extensively
tested under the BSD variants, AIX, HP-UX versions 9 and 10, SunOS, Solaris,
NEXTSTEP, OSF 3.2, IRIX, and Rhapsody once upon a time.
The maintainer no longer has acess to these systems, and assumes that
the system is at least Single-Unix-Specification V2 compatible, yet will
permit a C89 compiler. It currently ships with a copy of the trio library
for systems that lack snprintf().
The current maintainer does not have access to these systems, and assumes that
the system is at least Single-Unix-Specification V2 compatible, yet fetchmaiil
should be compilable by a C89 compiler. It currently ships with a copy of the
trio library for systems that lack snprintf().
Fetchmail should be able to be compiled with C89, C99, C11, C++98, C++03,
C++11, C++14 compilers, but not C++17 because the "register" keyword is
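Review bot: Typo in the added paragraph: "fetchmaiil" should be "fetchmail". The sentence joining the Single-Unix-Specification V2 assumption and the C89 compiler statement with "yet" would also read better split in two, one for the system requirement and one for the compiler requirement.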
......
README.packaging
================
fetchmail 6.3 changes relevant for packagers
fetchmail 6.4 changes relevant for packagers
--------------------------------------------
Greetings, dear packager!
The bullet points below mention a few useful hints for package(r)s:
- Please use OpenSSL and add --with-ssl to the ./configure command line.
SSL/TLS support hasn't been enabled in the default build in order to maintain
fetchmail 6.2 compatibility as far as possible. SSL/TLS however is a highly
recommended compilation option.
- Fetchmail requires a somewhat recent OpenSSL v1.0.2.
- Fetchmail now uses automake and supports all common automake targets and
overrides such as "make install-strip" or "DESTDIR=..." for staging areas.
- The fetchmailconf script has been renamed to fetchmailconf.py, automake will
install it into Python's top-level site-packages directory and byte-compile
it (so you need to package or remove fetchmailconf.pyc and fetchmailconf.pyo
as well).
- The fetchmailconf script is named fetchmailconf.py, automake will install it
into Python's top-level site-packages directory and byte-compile it (so you
need to package or remove fetchmailconf.pyc and fetchmailconf.pyo as well).
- If you want to defeat Python byte-code compilation and would rather like to
install fetchmailconf.py yourself, you can add
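Review bot: "Fetchmail requires a somewhat recent OpenSSL v1.0.2." is ambiguous for a packager setting a build dependency: it does not say whether 1.0.2 is the minimum or whether a particular 1.0.2 patch level is meant. State it as a lower bound, e.g. "OpenSSL 1.0.2 or newer", and give the exact patch level if one is required.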
......
......@@ -18,5 +18,3 @@ To do a release:
- Update the fetchmail website for version, link to release nodes
(update release_id) and last update, commit, and upload.
- Announce on freshmeat.
Note that this file is kept for historic reference.
It will no longer be updated or maintained.
The recent release history can be obtained by looking
at the Git tags.
-- Matthias Andree, 2010-02-06
......
Note that there is a separate todo.html with different content than this.
6.4 MUST:
soon - MUST:
+ multiple certs
+ check alternative passed checks, fingerprints... for interactions
+ do we support CRLs?
......@@ -8,8 +8,6 @@ Note that there is a separate todo.html with different content than this.
can check their finger prints or certificates in arbitrary ways
(grarpamp)
+ modified UTF-7 (RFC-3501 5.1.3) for mailbox names
soon - MUST:
- blacklist DigiNotar/Comodo/Türktrust hacks/certs, possibly with Chrome's serial#
list?
- check if wildcards from X.509 are handled as strictly as required by
......@@ -47,7 +45,6 @@ soon - SHOULD:
- CRYPTO: log configured server name on certificate mismatch (perhaps pay
attention to via entries and stuff like that)
- CRYPTO: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432618
* write a table of combinations of TLS/SSL options
- add To: header to warning mails (authfail for instance)
- Fix TOCTOU race around prc_filecheck*
- Read CAPABILITY from greeting if present, saves one round trip.
......@@ -75,8 +72,8 @@ questionable:
- fetch IMAP message in one go (fetchmail-devel by Adam Simpkins
<[email protected]> around Nov 2nd)?
6.4:
- Properly free host/user entries (through C++ class instantiation and destructors...)
- Properly free host/user entries (through C++ class instantiation and
destructors...)
- Remove stupid options, such as spambounce, or deferred bounces for anything
but wrong addresses
- Do not ever guess envelope from content headers such as To:/Cc:/Resent-To: or
......
......@@ -26,7 +26,8 @@
<h2>Introduction</h2>
<p>This document is supposed to complement <a
<p>This document's contents were last updated in 2006, around fetchmail 6.3.4/6.3.5 time.
It is supposed to complement <a
href="esrs-design-notes.html">Eric S. Raymond's (ESR's)
design notes.</a> The new maintainers don't agree with some of the decisions
ESR made previously, and the differences and new directions will be laid
......@@ -35,12 +36,9 @@ the necessary code revisions have been made.</p>
<h2>Security</h2>
<p>Fetchmail was handed over in a pretty poor shape, security-wise. It will
happily talk to the network with root privileges, use sscanf() to read
remotely received data into fixed-length stack-based buffers without
length limitation and so on. A full audit is required and security
concepts will have to be applied. Random bits are:</p>
<p>
Fetchmail 6.2.x was handed over in a pretty poor shape, security-wise. It would happily talk to the network with root privileges, used sscanf() to read remotely received data into fixed-length stack-based buffers without length limitation and so on. A full audit is required and security concepts will have to be applied. Random bits are:
</p>
<ul>
<li>code talking to the network does not require root privileges and
needs to run without root permissions</li>
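Review bot: The rewritten paragraph puts the root-privilege and sscanf() findings in the past tense for 6.2.x but leaves "A full audit is required and security concepts will have to be applied" in the present, while the introduction now says the document was last updated in 2006. A reader cannot tell which of these issues are fixed in current releases; either state their status or mark the whole paragraph as historical. The new text is also a single unwrapped line, unlike the wrapped lines around it.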
......