* [pmg-devel] [PATCH pmg-api/package-rebuilds] improve fetchmail handling in PMG
@ 2025-09-24 11:32 Stoiko Ivanov
2025-09-24 11:32 ` [pmg-devel] [PATCH 1/1 package-rebuilds] fetchmail: improve shipped service file Stoiko Ivanov
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2025-09-24 11:32 UTC (permalink / raw)
To: pmg-devel
the following patch series is the result of looking a bit into our
fetchmail handling - and seeing that non-TLS imap/pop3 accounts were
probably not really working since buster; see #6798 for a report pointing
to this.
the patch for the fetchmail.service file (package-rebuilds) is the result
of actually running fetchmail with some accounts configured while
debugging.
all has been minimally tested on a fresh VM, with an old dovecot vm I had
lying around as IMAP server (seems the default config of dovecot for a
rather long while is to disable login over plain-text channels, which
surprised me while debugging).
pmg-api:
Stoiko Ivanov (2):
fix #6798: fetchmail: adapt to changed sslproto semantics
templates: fetchmail: add comment where users can manual accounts
src/PMG/Fetchmail.pm | 13 ++++++++++++-
src/templates/fetchmailrc.tt | 3 +++
2 files changed, 15 insertions(+), 1 deletion(-)
package-rebuilds:
Stoiko Ivanov (1):
fetchmail: improve shipped service file
pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--
2.47.3
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
* [pmg-devel] [PATCH 1/1 package-rebuilds] fetchmail: improve shipped service file
From: Stoiko Ivanov @ 2025-09-24 11:32 UTC (permalink / raw)
To: pmg-devel
fetchmail exits with 3 if:
'The user authentication step failed...' (see fetchmail(1)).
This also includes if there are no accounts configured for fetching,
e.g. if all accounts are configured with 'skip' instead of 'poll'.
The use case in PMG is to set all disabled accounts to 'skip'.
So simply do not consider an exit of 3 as failure.
Additionally adapt the Restart value to 'on-failure' (else systemd
tries restarting 5 times and gives up)
see systemd.service(5) for the settings.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service b/pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service
index a6e3168..b7260ac 100644
--- a/pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service
+++ b/pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service
@@ -21,7 +21,8 @@ User=fetchmail
Type=exec
# sort $OPTIONS after "-daemon 300" to allow overwriting the interval using $OPTIONS
ExecStart=/usr/bin/fetchmail --daemon 300 $OPTIONS --nodetach -f /etc/fetchmailrc --pidfile /run/fetchmail/fetchmail.pid
-Restart=always
+SuccessExitStatus=3
+Restart=on-failure
[Install]
WantedBy=multi-user.target
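Review bot: SuccessExitStatus=3 makes systemd treat every exit with status 3 as a clean stop, and the commit message says that status also covers a real 'user authentication step failed' case, so with Restart=on-failure a fetchmail that exits 3 because of rejected credentials ends up inactive instead of failed and is not restarted. Please add a comment above the new line (like the one above ExecStart) explaining why 3 is accepted, and consider whether the case where every account is 'skip' can be told apart from a real authentication failure, so that the latter stays visible to monitoring.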
--
2.47.3
* [pmg-devel] [PATCH pmg-api 1/2] fix #6798: fetchmail: adapt to changed sslproto semantics
From: Stoiko Ivanov @ 2025-09-24 11:32 UTC (permalink / raw)
To: pmg-devel
fetchmail defaults to verifying certificates since version 6.4.0
see fetchmail(1)
- sslproto defaults to auto instead of ''
- when sslproto is not '' then implicit/opportunistic TLS (StartTLS)
is tried over the plain-text port
- this results in the current config parsing and writing to always
try a TLS-connection if the server offers starttls
additionally sslcertck (only accept trusted certificates) defaults to
true since 6.4.0
The combination of these two things has as a consequence, that
unsetting 'use SSL' will fail for servers which have a self-signed
certificate installed (I expect many to still do so).
This patch simply fixes the 'use SSL' flag to disable all TLS
(explicit and opportunistic) and thus keep the expectations of users.
I did consider changing this to:
* either add a checkbox to ignore an invalid certificate.
* allow users to provide a fingerprint instead (not considered
further as fetchmail (in trixie) uses MD5 fingerprints, and this
seems a step back).
Since we ship versions with the semantic change since PMG 6.x (buster
shipped 6.4.0~beta43[0]) I don't think many users who use fetchmail
ran into this (also most ISPs/Mail providers have valid certificates
nowadays), the potential for regression should not be large.
We could consider deprecating plain-text IMAP/POP in a future version,
but I'd announce the deprecation with 9.0 to give it some visibility.
[0] https://manpages.debian.org/buster/fetchmail/fetchmail.1.en.html
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/Fetchmail.pm | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/PMG/Fetchmail.pm b/src/PMG/Fetchmail.pm
index 3a647420..c35e03d8 100644
--- a/src/PMG/Fetchmail.pm
+++ b/src/PMG/Fetchmail.pm
@@ -143,6 +143,11 @@ sub read_fetchmail_conf {
my $finalize_item = sub {
my ($item) = @_;
+
+ if ($item->{ssl} && !$item->{ssl_proto}) {
+ die "conflicting SSL settings for $item->{id}\n" if $item->{enabled};
+ }
+
$cfg->{ $item->{id} } = $item;
};
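Review bot: the new check in $finalize_item reads $item->{ssl_proto}, but the parser hunk below stores the value under $item->{sslproto}, so !$item->{ssl_proto} is always true and every enabled entry with 'ssl' set dies with "conflicting SSL settings". Even with the key corrected, an entry written with plain 'ssl' carries no sslproto token at all, so the test has to distinguish unset from empty, e.g. defined($item->{sslproto}) && $item->{sslproto} eq ''. The guard also tests $item->{enabled}; please confirm that is the key the parser sets, since the template uses item.enable.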
@@ -174,6 +179,8 @@ sub read_fetchmail_conf {
$item->{port} = $get_token_argument->();
} elsif ($token eq 'interval') {
$item->{interval} = $get_token_argument->();
+ } elsif ($token eq 'sslproto') {
+ $item->{sslproto} = $get_token_argument->();
} elsif (
$token eq 'ssl'
|| $token eq 'keep'
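Review bot: the sslproto value parsed in the new elsif branch is stored but never written back; write_fetchmail_conf in this patch only emits 'ssl' or sslproto '', so a non-empty sslproto set by hand in an API-managed entry is silently replaced on the next write. Either reject values other than '' when reading, or carry the parsed value through to the writer, and add a short comment saying which of the two is intended.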
@@ -210,7 +217,11 @@ sub write_fetchmail_conf {
}
$set_fetchmail_defaults->($item);
my $options = ['dropdelivered'];
- push @$options, 'ssl' if $item->{ssl};
+ if ($item->{ssl}) {
+ push @$options, 'ssl';
+ } else {
+ push @$options, ('sslproto', '\'\'');
+ }
push @$options, 'keep' if $item->{keep};
$item->{options} = join(' ', @$options);
$data->{$id} = $item;
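Review bot: the else branch emits sslproto '' for every account without 'use SSL', which per the commit message turns off opportunistic STARTTLS as well, so after the next config write those accounts send their credentials in clear text even when the server offers STARTTLS with a valid certificate. That is a behaviour change for existing accounts and deserves a code comment at this branch plus a note in the 'use SSL' help text. Minor: the literal '\'\'' would be easier to read as a double-quoted string containing the two single quotes.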
--
2.47.3
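
A config audit for the behaviour described in the commit message above, as an added example that is not part of the patch series or of PMG: it classifies each poll/skip entry of a fetchmailrc by TLS mode and lists the active accounts that have TLS fully disabled. The sample file, the function names and the handled keyword subset are assumptions made for this illustration.

```python
import shlex

# Constructed sample in fetchmailrc syntax; hosts, users and passwords are made up.
SAMPLE_RC = """
# proxmox settings (Do not delete this marker!!)
poll imap.example.org protocol imap port 993
  user "alice" pass "s3cret" is alice@example.com here dropdelivered ssl keep
poll mail.example.net protocol pop3 port 110
  user "bob" pass "poll" is bob@example.com here dropdelivered sslproto ''
skip old.example.net protocol imap port 143
  user "carol" pass "x#y" is carol@example.com here dropdelivered sslproto ''
"""

# Keywords whose next token is a value, so a password such as "poll" is not
# taken for the start of a new entry (assumed subset, enough for this sample).
TAKES_ARG = {"protocol", "proto", "port", "user", "username",
             "pass", "password", "is", "interval", "sslproto"}

def _mode(opts):
    if opts.get("ssl") and opts.get("sslproto") == "":
        return "conflict"        # the combination the patch rejects on read
    if opts.get("ssl"):
        return "tls"             # 'use SSL' set
    if opts.get("sslproto") == "":
        return "plaintext"       # TLS and STARTTLS both disabled
    return "starttls-auto"       # sslproto defaults to auto since 6.4.0

def tls_modes(rc_text):
    """Return [(server, active, mode)] for every poll/skip entry."""
    tokens = shlex.split(rc_text, comments=True)  # '' becomes an empty token
    entries, cur, i = [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("poll", "skip") and i + 1 < len(tokens):
            cur = {"server": tokens[i + 1], "active": tok == "poll", "opts": {}}
            entries.append(cur)
            i += 2
        elif cur is not None and tok in TAKES_ARG and i + 1 < len(tokens):
            cur["opts"][tok] = tokens[i + 1]
            i += 2
        else:
            if cur is not None:
                cur["opts"][tok] = True   # bare flag such as ssl or keep
            i += 1
    return [(e["server"], e["active"], _mode(e["opts"])) for e in entries]

def plaintext_accounts(rc_text):
    # Only 'poll' entries matter: 'skip' entries are never contacted.
    return [s for s, active, mode in tls_modes(rc_text)
            if active and mode == "plaintext"]
```

Running plaintext_accounts() over /etc/pmg/fetchmailrc after an upgrade shows which enabled accounts now authenticate without any TLS.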
* [pmg-devel] [PATCH pmg-api 2/2] templates: fetchmail: add comment where users can manual accounts
From: Stoiko Ivanov @ 2025-09-24 11:32 UTC (permalink / raw)
To: pmg-devel
our fetchmail module uses /etc/fetchmailrc (symlinked to
/etc/pmg/fetchmailrc) as authoritative source for fetchmail accounts.
This means that if users need to make adaptations to fetchmail options
it breaks the handling of fetchmail in the API and GUI.
based on feedback from #6798 I think providing a hint where users
can add accounts with manual overrides, while keeping the API/GUI
working for all other accounts should help.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/templates/fetchmailrc.tt | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/templates/fetchmailrc.tt b/src/templates/fetchmailrc.tt
index 76e591ca..f7f341de 100644
--- a/src/templates/fetchmailrc.tt
+++ b/src/templates/fetchmailrc.tt
@@ -9,6 +9,9 @@ defaults:
smtphost [% ipconfig.int_ip %]/[% pmg.mail.ext_port %]
+# add manually configured accounts below and before 'proxmox settings'(to keep the UI working)
+
+
# proxmox settings (Do not delete this marker!!)
[% FOREACH item IN fetchmail_users.list('values') %]
[% IF item.enable %]poll[% ELSE %]skip[% END -%]
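Review bot: the added template comment is hard to parse: "below and before" gives two directions for one location, and a space is missing before "(to keep". Suggest wording it as: add manually configured accounts between this comment and the 'proxmox settings' marker (keeps the UI working). Please also state in the commit message that read_fetchmail_conf ignores entries above the marker, since the hint relies on that and it is not visible in this hunk.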
--
2.47.3