public inbox for pmg-devel@lists.proxmox.com
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-api v2 1/2] fix #6798: fetchmail: adapt to changed sslproto semantics
Date: Wed, 24 Sep 2025 20:05:13 +0200	[thread overview]
Message-ID: <20250924180538.9281-2-s.ivanov@proxmox.com> (raw)
In-Reply-To: <20250924180538.9281-1-s.ivanov@proxmox.com>

fetchmail defaults to verifying certificates since version 6.4.0;
see fetchmail(1):
- sslproto defaults to auto instead of ''
- when sslproto is not '', implicit/opportunistic TLS (StartTLS)
  is tried over the plain-text port
- this results in the current config parsing and writing always
  trying a TLS connection if the server offers starttls

additionally sslcertck (only accept trusted certificates) defaults to
true since 6.4.0

The combination of these two things has as a consequence that
unsetting 'use SSL' will fail for servers which have a self-signed
certificate installed (I expect many still do).

This patch simply fixes the 'use SSL' flag to disable all TLS
(explicit and opportunistic) and thus keeps the expectations of users.

I did consider changing this to:
* either add a checkbox to ignore an invalid certificate (which feels
  quite wrong).
* allow users to provide a fingerprint instead (not considered
  further as fetchmail (in trixie) uses MD5 fingerprints, and this
  seems a step back).
* keep things as they currently are and document that users need to
  add the self-signed certificate to the system-trust-store
  (/usr/local/share/ca-certificates)

Since we ship versions with the semantic change since PMG 6.x (buster
shipped 6.4.0~beta43[0]) I don't think many users who use fetchmail
ran into this in the past few years - and most ISPs/mail providers
have valid certificates nowadays. So the potential for regression
should not be too large.

We could consider deprecating plain-text IMAP/POP in a future version,
but I'd announce the deprecation with 9.0 to give it some visibility.

[0] https://manpages.debian.org/buster/fetchmail/fetchmail.1.en.html

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/Fetchmail.pm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/PMG/Fetchmail.pm b/src/PMG/Fetchmail.pm
index 3a647420..c35e03d8 100644
--- a/src/PMG/Fetchmail.pm
+++ b/src/PMG/Fetchmail.pm
@@ -143,6 +143,11 @@ sub read_fetchmail_conf {
 
         my $finalize_item = sub {
             my ($item) = @_;
+
+            if ($item->{ssl} && !$item->{ssl_proto}) {
+                die "conflicting SSL settings for $item->{id}\n" if $item->{enabled};
+            }
+
             $cfg->{ $item->{id} } = $item;
         };
 
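Review bot: the new check reads `$item->{ssl_proto}`, but the parser hunk below stores the token under `$item->{sslproto}`, so `!$item->{ssl_proto}` is always true and the condition reduces to `$item->{ssl} && $item->{enabled}`, i.e. every enabled account with `ssl` set dies with "conflicting SSL settings". Given that write_fetchmail_conf emits `ssl` without any `sslproto` for SSL-enabled accounts, `ssl` plus no `sslproto` is the normal case, not a conflict; the combination worth rejecting is `ssl` together with `sslproto ''`, so the condition should be along the lines of `if ($item->{ssl} && defined($item->{sslproto}) && $item->{sslproto} eq "''")` (adjusted to whatever `$get_token_argument` returns for the quoted empty string). Consider also whether a disabled account with conflicting settings should be warned about rather than silently kept.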
@@ -174,6 +179,8 @@ sub read_fetchmail_conf {
                 $item->{port} = $get_token_argument->();
             } elsif ($token eq 'interval') {
                 $item->{interval} = $get_token_argument->();
+            } elsif ($token eq 'sslproto') {
+                $item->{sslproto} = $get_token_argument->();
             } elsif (
                 $token eq 'ssl'
                 || $token eq 'keep'
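Review bot: `$item->{sslproto}` is stored raw from `$get_token_argument->()`, so for the `sslproto ''` line that write_fetchmail_conf emits the value is either the two quote characters or an empty string depending on how the tokenizer treats quotes; a short comment stating which form is expected, or normalising it here (e.g. stripping surrounding quotes), would make any later comparison against this key unambiguous. The key name also needs to match the one checked in finalize (`ssl_proto` above vs `sslproto` here).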
@@ -210,7 +217,11 @@ sub write_fetchmail_conf {
         }
         $set_fetchmail_defaults->($item);
         my $options = ['dropdelivered'];
-        push @$options, 'ssl' if $item->{ssl};
+        if ($item->{ssl}) {
+            push @$options, 'ssl';
+        } else {
+            push @$options, ('sslproto', '\'\'');
+        }
         push @$options, 'keep' if $item->{keep};
         $item->{options} = join(' ', @$options);
         $data->{$id} = $item;
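Review bot: `'\'\''` is hard to read; `q{''}` or a named variable (e.g. `my $no_tls = q{''};`) with a comment that fetchmail >= 6.4.0 defaults sslproto to auto and that only an empty sslproto disables both explicit and opportunistic TLS would document why the option is emitted for every non-SSL account. Since this changes the generated fetchmailrc for all existing non-SSL accounts on the next write (they move from opportunistic STARTTLS to plain text), it is worth stating that behaviour change explicitly in the commit message, even though it is the intended fix.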
-- 
2.47.3



Thread overview:
2025-09-24 18:05 [pmg-devel] [PATCH pmg-api v2 0/2] improve fetchmail handling in PMG Stoiko Ivanov
2025-09-24 18:05 ` Stoiko Ivanov [this message]
2025-09-24 18:05 ` [pmg-devel] [PATCH pmg-api v2 2/2] templates: fetchmail: add comment where users can add manual accounts Stoiko Ivanov
2025-09-24 18:05 ` [pmg-devel] [PATCH package-rebuilds v2 1/1] fetchmail: improve shipped service file Stoiko Ivanov