From: Stoiko Ivanov
To: pmg-devel@lists.proxmox.com
Date: Wed, 24 Sep 2025 13:32:30 +0200
Message-ID: <20250924113247.50931-3-s.ivanov@proxmox.com>
In-Reply-To: <20250924113247.50931-1-s.ivanov@proxmox.com>
Subject: [pmg-devel] [PATCH pmg-api 1/2] fix #6798: fetchmail: adapt to changed sslproto semantics

fetchmail defaults to verifying certificates since version 6.4.0, see fetchmail(1):
- sslproto defaults to auto instead of ''
- when sslproto is not '', then implicit/opportunistic TLS (StartTLS) is tried over the plain-text port
- this results in the current config parsing and writing always trying a TLS connection if the server offers starttls

Additionally sslcertck (only accept trusted certificates) defaults to true since 6.4.0.

The combination of these two things has as a consequence that unsetting 'use SSL' will fail for servers which have a self-signed certificate installed (I expect many to still do so).

This patch simply fixes the 'use SSL' flag to disable all TLS (explicit and opportunistic) and thus keeps the expectations of users.

I did consider changing this to:
* either add a checkbox to ignore an invalid certificate.
* allow users to provide a fingerprint instead (not considered further as fetchmail (in trixie) uses MD5 fingerprints, and this seems a step back).

Since we ship versions with the semantic change since PMG 6.x (buster shipped 6.4.0~beta43 [0]), I don't think many users who use fetchmail ran into this (also most ISPs/mail providers have valid certificates nowadays); the potential for regression should not be large.

We could consider deprecating plain-text IMAP/POP in a future version, but I'd announce the deprecation with 9.0 to give it some visibility.

[0] https://manpages.debian.org/buster/fetchmail/fetchmail.1.en.html
Signed-off-by: Stoiko Ivanov --- src/PMG/Fetchmail.pm | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/PMG/Fetchmail.pm b/src/PMG/Fetchmail.pm index 3a647420..c35e03d8 100644 --- a/src/PMG/Fetchmail.pm +++ b/src/PMG/Fetchmail.pm @@ -143,6 +143,11 @@ sub read_fetchmail_conf { my $finalize_item = sub { my ($item) = @_; + + if ($item->{ssl} && !$item->{ssl_proto}) { + die "conflicting SSL settings for $item->{id}\n" if $item->{enabled}; + } + $cfg->{ $item->{id} } = $item; }; @@ -174,6 +179,8 @@ sub read_fetchmail_conf { $item->{port} = $get_token_argument->(); } elsif ($token eq 'interval') { $item->{interval} = $get_token_argument->(); + } elsif ($token eq 'sslproto') { + $item->{sslproto} = $get_token_argument->(); } elsif ( $token eq 'ssl' || $token eq 'keep' @@ -210,7 +217,11 @@ sub write_fetchmail_conf { } $set_fetchmail_defaults->($item); my $options = ['dropdelivered']; - push @$options, 'ssl' if $item->{ssl}; + if ($item->{ssl}) { + push @$options, 'ssl'; + } else { + push @$options, ('sslproto', '\'\''); + } push @$options, 'keep' if $item->{keep}; $item->{options} = join(' ', @$options); $data->{$id} = $item; -- 2.47.3 _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
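Review bot: the new check in `$finalize_item` (hunk @@ -143) tests `$item->{ssl_proto}`, but the parser added in the following hunk stores the token under `$item->{sslproto}`, so `ssl_proto` is never set and every enabled entry that has `ssl` would die with "conflicting SSL settings" as soon as the config is read. Independent of the key name, `!$item->{sslproto}` cannot tell a missing `sslproto` (undef, the normal case for an `ssl` entry written by this module) from `sslproto ''` (empty string, the only combination that actually conflicts with `ssl`); the test should be along the lines of `$item->{ssl} && defined($item->{sslproto}) && $item->{sslproto} eq ''`.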
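Review bot: in the `sslproto` branch (hunk @@ -174) the value is stored as returned by `$get_token_argument->()`; the hunk does not show whether that helper strips the surrounding quotes, and if it does not, `sslproto ''` arrives as the two-character string `''`, which is true in a boolean test and would defeat any conflict check on the read side. Please confirm the quote handling (and normalise the value here if needed) and align the key name with the one tested in `$finalize_item`.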
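Review bot: `'\'\''` in the else branch (hunk @@ -210) is correct but hard to read; `q('')` or `"''"` emits the same `sslproto ''`. A one-line comment at this spot would also help, since the reason for writing `sslproto ''` rather than nothing (fetchmail >= 6.4.0 defaults sslproto to auto and otherwise attempts opportunistic STARTTLS on the plain-text port) currently lives only in the commit message. As written, the module never emits `ssl` and `sslproto ''` together, so that combination can only come from a hand-edited fetchmailrc, which is presumably what the read-side check is meant to catch.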
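As an added example (hypothetical helpers, not PMG or fetchmail code), the mapping the commit message describes from the 'use SSL' flag to fetchmailrc options, together with a read-back check that separates a missing sslproto from sslproto '':

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers (added example, not PMG code): the PMG 'use SSL' flag
# mapped to fetchmailrc options under fetchmail >= 6.4.0 semantics.
# ssl on  -> explicit TLS; ssl off -> sslproto '' so that opportunistic
# STARTTLS on the plain-text port is not attempted either.
sub ssl_options {
    my ($use_ssl) = @_;
    return $use_ssl ? ('ssl') : ('sslproto', "''");
}

# Minimal parser for the two keywords relevant here. A missing sslproto stays
# undef; sslproto '' becomes an empty string (quotes stripped).
sub parse_entry {
    my ($line) = @_;
    my %item;
    my @tokens = split ' ', $line;
    while (@tokens) {
        my $tok = shift @tokens;
        if ($tok eq 'ssl') {
            $item{ssl} = 1;
        } elsif ($tok eq 'sslproto') {
            my $val = shift(@tokens) // '';
            $val =~ s/^(['"])(.*)\1$/$2/;    # strip surrounding quotes
            $item{sslproto} = $val;
        }
    }
    return \%item;
}

# 'ssl' together with sslproto '' asks for explicit TLS while disabling all
# TLS. A plain boolean test cannot separate undef from '', so use defined().
sub has_conflicting_ssl {
    my ($item) = @_;
    return $item->{ssl} && defined($item->{sslproto}) && $item->{sslproto} eq '';
}

# Constructed sample entries (hostnames and users are placeholders).
my @entries = (
    "poll mail.example.test proto imap user 'alice' pass 'x' " . join(' ', ssl_options(1)),
    "poll mail.example.test proto pop3 user 'bob' pass 'x' " . join(' ', ssl_options(0)),
    "poll mail.example.test proto imap user 'eve' pass 'x' ssl sslproto ''",
);
for my $line (@entries) {
    printf "conflict=%d  %s\n", has_conflicting_ssl(parse_entry($line)) ? 1 : 0, $line;
}
```

Only the third, hand-edited style entry is reported as conflicting; the two entries produced by the mapping are accepted.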