* [pmg-devel] [PATCH pmg-api v2 0/2] improve fetchmail handling in PMG
From: Stoiko Ivanov @ 2025-09-24 18:05 UTC
To: pmg-devel

supersedes:
https://lore.proxmox.com/pmg-devel/20250924113247.50931-1-s.ivanov@proxmox.com/T/#t

v1->v2:
* rework the commit messages after reading them through.

pmg-api:

Stoiko Ivanov (2):
  fix #6798: fetchmail: adapt to changed sslproto semantics
  templates: fetchmail: add comment where users can add manual accounts

 src/PMG/Fetchmail.pm         | 13 ++++++++++++-
 src/templates/fetchmailrc.tt |  3 +++
 2 files changed, 15 insertions(+), 1 deletion(-)

package-rebuilds:

Stoiko Ivanov (1):
  fetchmail: improve shipped service file

 pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--
2.47.3

_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
* [pmg-devel] [PATCH pmg-api v2 1/2] fix #6798: fetchmail: adapt to changed sslproto semantics
From: Stoiko Ivanov @ 2025-09-24 18:05 UTC
To: pmg-devel

fetchmail defaults to verifying certificates since version 6.4.0
see fetchmail(1)
- sslproto defaults to auto instead of ''
- when sslproto is not '' then implicit/opportunistic TLS (StartTLS) is
  tried over the plain-text port
- this results in the current config parsing and writing to always
  try a TLS-connection if the server offers starttls

additionally sslcertck (only accept trusted certificates) defaults to
true since 6.4.0

The combination of these two things has as a consequence, that
unsetting 'use SSL' will fail for servers which have a self-signed
certificate installed (I expect many to still do so).

This patch simply fixes the 'use SSL' flag to disable all TLS
(explicit and opportunistic) and thus keep the expectations of users.

I did consider changing this to:
* either add a checkbox to ignore an invalid certificate (which feels
  quite wrong).
* allow users to provide a fingerprint instead (not considered further
  as fetchmail (in trixie) uses MD5 fingerprints, and this seems a
  step back).
* keep things as they currently are and document that users need to
  add the self-signed certificate to the system-trust-store
  (/usr/local/share/ca-certificates)

Since we ship versions with the semantic change since PMG 6.x
(buster shipped 6.4.0~beta43[0]) I don't think many users who use
fetchmail ran into this in the past few years - and most ISPs/mail
providers have valid certificates nowadays. So the potential for
regression should not be too large.

We could consider deprecating plain-text IMAP/POP in a future version,
but I'd announce the deprecation with 9.0 to give it some visibility.

[0] https://manpages.debian.org/buster/fetchmail/fetchmail.1.en.html

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/Fetchmail.pm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/PMG/Fetchmail.pm b/src/PMG/Fetchmail.pm index 3a647420..c35e03d8 100644
--- a/src/PMG/Fetchmail.pm +++ b/src/PMG/Fetchmail.pm @@ -143,6 +143,11 @@ sub read_fetchmail_conf { my $finalize_item = sub { my ($item) = @_; + + if ($item->{ssl} && !$item->{ssl_proto}) { + die "conflicting SSL settings for $item->{id}\n" if $item->{enabled}; + } + $cfg->{ $item->{id} } = $item; }; @@ -174,6 +179,8 @@ sub read_fetchmail_conf { $item->{port} = $get_token_argument->(); } elsif ($token eq 'interval') { $item->{interval} = $get_token_argument->(); + } elsif ($token eq 'sslproto') { + $item->{sslproto} = $get_token_argument->(); } elsif ( $token eq 'ssl' || $token eq 'keep' @@ -210,7 +217,11 @@ sub write_fetchmail_conf { } $set_fetchmail_defaults->($item); my $options = ['dropdelivered']; - push @$options, 'ssl' if $item->{ssl}; + if ($item->{ssl}) { + push @$options, 'ssl'; + } else { + push @$options, ('sslproto', '\'\''); + } push @$options, 'keep' if $item->{keep}; $item->{options} = join(' ', @$options); $data->{$id} = $item; -- 2.47.3 _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel ^ permalink raw reply [flat|nested] 4+ messages in thread
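Review bot: the new check in $finalize_item reads `$item->{ssl_proto}`, but the parser hunk below stores the value under `$item->{sslproto}`, so `!$item->{ssl_proto}` is always true and every entry that has `ssl` set and a true `$item->{enabled}` dies with "conflicting SSL settings". Even with the key corrected the test looks inverted: `ssl` without any `sslproto` is exactly what write_fetchmail_conf emits for an SSL account, while the conflicting case is `ssl` together with an explicit empty `sslproto`. Consider testing `defined($item->{sslproto}) && $item->{sslproto} eq ''` (assuming $get_token_argument returns the empty string for `''`), since an empty value is false in Perl and cannot be told apart from "not set" with a plain `!`. The check also uses `$item->{enabled}`, while the template in patch 2/2 uses `item.enable`; please confirm which key the parsed item carries at this point.

Review bot: in the `sslproto` branch of the token parser, any value is accepted and stored, but write_fetchmail_conf only ever emits `sslproto ''` for non-SSL accounts and nothing for SSL ones, so a hand-written non-empty `sslproto` would be dropped on the next write from the API. Either reject values other than `''` here with a clear error or carry the value through to the writer.

Review bot: the `else` branch in write_fetchmail_conf that pushes `sslproto ''` turns off STARTTLS as well as implicit TLS, so accounts with 'use SSL' unset that currently upgrade to TLS against a server with a valid certificate will send credentials in clear text after the next config write. The commit message accepts this trade-off; a short comment above the branch stating that the empty `sslproto` disables opportunistic TLS on purpose, plus a matching hint in the GUI or docs, would keep it from being read as a bug later. As a style point, `"''"` is easier to read than `'\'\''`.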
* [pmg-devel] [PATCH pmg-api v2 2/2] templates: fetchmail: add comment where users can add manual accounts 2025-09-24 18:05 [pmg-devel] [PATCH pmg-api v2 0/2] improve fetchmail handling in PMG Stoiko Ivanov 2025-09-24 18:05 ` [pmg-devel] [PATCH pmg-api v2 1/2] fix #6798: fetchmail: adapt to changed sslproto semantics Stoiko Ivanov @ 2025-09-24 18:05 ` Stoiko Ivanov 2025-09-24 18:05 ` [pmg-devel] [PATCH package-rebuilds v2 1/1] fetchmail: improve shipped service file Stoiko Ivanov 2 siblings, 0 replies; 4+ messages in thread From: Stoiko Ivanov @ 2025-09-24 18:05 UTC (permalink / raw) To: pmg-devel our fetchmail module uses /etc/fetchmailrc (symlinked to /etc/pmg/fetchmailrc) as authoritative source for fetchmail accounts. This means that if users need to make adaptations to fetchmail options it breaks the handling of fetchmail in the API and GUI. based on feedback from #6798 I think providing a hint where users can add accounts with manual overrides, while keeping the API/GUI working for all other accounts should help. Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> --- src/templates/fetchmailrc.tt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/templates/fetchmailrc.tt b/src/templates/fetchmailrc.tt index 76e591ca..f7f341de 100644 --- a/src/templates/fetchmailrc.tt +++ b/src/templates/fetchmailrc.tt @@ -9,6 +9,9 @@ defaults: smtphost [% ipconfig.int_ip %]/[% pmg.mail.ext_port %] +# add manually configured accounts below and before 'proxmox settings'(to keep the UI working) + + # proxmox settings (Do not delete this marker!!) [% FOREACH item IN fetchmail_users.list('values') %] [% IF item.enable %]poll[% ELSE %]skip[% END -%] -- 2.47.3 _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel ^ permalink raw reply [flat|nested] 4+ messages in thread
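Review bot: the added template comment says accounts go "below and before 'proxmox settings'", which is ambiguous about what "below" refers to, and it is missing a space before "(to keep". Something like "# add manually configured accounts between this line and the 'proxmox settings' marker (to keep the UI working)" states the position unambiguously. The hunk also adds two blank lines after the comment where one would do, and since manual entries placed here follow the `defaults:` block they will inherit its `smtphost` setting, which is worth mentioning in the comment. The patch does not show how read_fetchmail_conf treats entries above the marker, so please confirm they are skipped by the parser and survive a rewrite.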
* [pmg-devel] [PATCH package-rebuilds v2 1/1] fetchmail: improve shipped service file
From: Stoiko Ivanov @ 2025-09-24 18:05 UTC
To: pmg-devel

fetchmail exits with exit-code 3 if:
'The user authentication step failed...' (see fetchmail(1)).
This also includes the case if there are no accounts configured for
fetching, e.g. if all accounts are configured with 'skip' instead of
'poll'. In PMG you get this when temporarily disabling all configured
accounts in the GUI.

So we simply should not consider an exit of 3 as failure.
Additionally adapt the Restart value to 'on-failure' (else systemd
tries restarting 5 times and gives up) see systemd.service(5).

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service b/pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service index a6e3168..b7260ac 100644 --- a/pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service +++ b/pkgs/fetchmail/fetchmail-6.4.39/debian/fetchmail.service
@@ -21,7 +21,8 @@ User=fetchmail Type=exec # sort $OPTIONS after "-daemon 300" to allow overwriting the interval using $OPTIONS ExecStart=/usr/bin/fetchmail --daemon 300 $OPTIONS --nodetach -f /etc/fetchmailrc --pidfile /run/fetchmail/fetchmail.pid -Restart=always +SuccessExitStatus=3 +Restart=on-failure [Install] WantedBy=multi-user.target -- 2.47.3 _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel ^ permalink raw reply [flat|nested] 4+ messages in thread
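Review bot: `SuccessExitStatus=3` in the [Service] section also marks a real authentication failure as a clean exit, because, as the commit message notes, fetchmail uses exit code 3 for both "no accounts to poll" and rejected credentials. Combined with `Restart=on-failure`, the unit then stops without a restart and without entering the failed state, so anything that watches unit status will not notice rejected credentials. Please add a comment in the unit file explaining why 3 is treated as success, and confirm that something restarts the service once accounts are enabled again in the GUI, since systemd will no longer do so after an exit with 3.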