authorGuilhem Moulin <guilhem@debian.org>2020-12-26 23:33:12 +0100
committerGuilhem Moulin <guilhem@debian.org>2020-12-26 23:33:12 +0100
commitf4a60089cd7fdff73504a1f1f0afde642e77b735 (patch)
tree4fbbd58649eedea0485901753406caf0beb36836
parent2e485797d8ec91a0a74ec1f1e2e8723cf74a586e (diff)
parent9cbaed6527c3030819976dbe41bfb4392d6a6fa2 (diff)
Merge tag 'v0.5.5' into debian/latest
Release version 0.5.5
-rw-r--r--.gitignore1
-rw-r--r--Changelog67
-rw-r--r--Makefile13
-rw-r--r--README93
-rw-r--r--doc/getting-started.md2
-rw-r--r--doc/interimap.1.md59
-rw-r--r--doc/pullimap.1.md65
-rwxr-xr-xinterimap8
-rw-r--r--interimap.sample4
-rw-r--r--lib/Net/IMAP/InterIMAP.pm172
-rwxr-xr-xpullimap14
-rw-r--r--pullimap.sample4
-rw-r--r--tests/config/dovecot/dhparams.pem (renamed from tests/snippets/dovecot/dhparams.pem)0
-rw-r--r--tests/config/dovecot/imapd.conf (renamed from tests/snippets/dovecot/imapd.conf)0
-rw-r--r--tests/config/dovecot/interimap-required-capabilities.conf (renamed from tests/snippets/dovecot/interimap-required-capabilities.conf)0
-rw-r--r--tests/config/dovecot/lmtpd.conf (renamed from tests/snippets/dovecot/lmtpd.conf)0
-rw-r--r--tests/config/dovecot/ssl.conf (renamed from tests/snippets/dovecot/ssl.conf)1
-rw-r--r--tests/list1
-rwxr-xr-xtests/preauth-plaintext/imapd4
-rw-r--r--tests/preauth-plaintext/t2
-rwxr-xr-xtests/run8
-rwxr-xr-xtests/starttls-injection/imapd20
-rw-r--r--tests/starttls/t3
l---------tests/tls-ciphers/interimap.remote1
l---------tests/tls-ciphers/remote.conf1
-rw-r--r--tests/tls-ciphers/t31
-rw-r--r--tests/tls-pin-fingerprint/t6
-rw-r--r--tests/tls-protocols/openssl.cnf14
-rw-r--r--tests/tls-protocols/t76
-rw-r--r--tests/tls-rsa+ecdsa/t6
-rw-r--r--tests/tls-verify-peer/t32
-rw-r--r--tests/tls/t3
32 files changed, 483 insertions, 228 deletions
diff --git a/.gitignore b/.gitignore
index 9dae7e6..2267ea4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
*~
+*.bak
/doc/*.1
/doc/*.html
!/doc/template.html
diff --git a/Changelog b/Changelog
index 28a1ef4..cba8719 100644
--- a/Changelog
+++ b/Changelog
@@ -1,18 +1,67 @@
+interimap (0.5.5) upstream;
+
+ * libinterimap: remove default SSL_protocols value "!SSLv2 !SSLv3
+ !TLSv1 !TLSv1.1" and use the system default instead. As of Debian
+ Buster (OpenSSL 1.1.1) this does not make a difference, however using
+ the system default provides better compatibility with future libssl
+ versions.
+ * libinterimap: deprecate SSL_protocols, obsoleted by new settings
+ SSL_protocol_{min,max}. Using the libssl interface simplifies our
+ protocol black/whitelist greatly; this only allows simple min/max
+ bounds, but holes are arguably not very useful here.
+ * libinterimap: use default locations for trusted CA certificates when
+ neither CAfile nor CApath are set. In particular, OpenSSL's default
+ locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR
+ environment variables, see SSL_CTX_load_verify_locations(3ssl).
+ * libinterimap: _start_ssl() now fails immediately with OpenSSL <1.1.0.
+ It could in principle still work with earlier versions if the new
+ settings SSL_protocol_{min,max} are not used, however it's cumbersome
+ to do individual checks for specific settings, let alone maintain
+ test coverage with multiple OpenSSL versions.
+ * libinterimap: new option SSL_ciphersuites to set the TLSv1.3
+ ciphersuites; also, clarify that SSL_cipherlist only applies to
+ TLSv1.2 and below, see SSL_CTX_set_cipher_list(3ssl).
+ + `make release`: also bump libinterimap version and pin it in 'use'
+ declarations.
+ + Make error messages more uniform and consistent.
+ - libinterimap: use Net::SSLeay::get_version() to get the protocol
+ version string.
+ - test suite: `mv tests/snippets tests/config`
+ - tests/tls-protocols: use custom OpenSSL configuration file with
+ MinProtocol=None so we can test TLSv1 as well, not just TLSv1.2 and
+ later.
+ - test suite: explicitly set ssl_min_protocol=TLSv1 in the Dovecot
+ configuration file (the default as of 2.3.11.3), hence running TLS
+ tests now require Dovecot 2.3 or later.
+ - documentation: simplify SSL options in the sample configuration files.
+ - README: suggest 'restrict,command="/usr/bin/doveadm exec imap"' as
+ authorized_keys(5) options.
+ - README: suggest ControlPath=$XDG_RUNTIME_DIR/ssh-imap-%C for the SSH
+ transport (note that variable expansion is only available in OpenSSH
+ 8.4 and later).
+ - test suite: ensure we haven't started speaking IMAP when the SSL/TLS
+ handshake is aborted (unless STARTTLS is used to upgrade to
+ connection).
+ - documentation: clarify that known TLS protocol versions depend on the
+ OpenSSL version used.
+
+ -- Guilhem Moulin <guilhem@fripost.org> Sat, 26 Dec 2020 23:11:10 +0100
+
interimap (0.5.4) upstream;
* libinterimap: make SSL_verify also checks that the certificate
Subject Alternative Name (SAN) or Subject CommonName (CN) matches the
hostname or IP literal specified by the 'host' option. Previously it
was only checking the chain of trust. This bumps the minimum
- Net::SSLeay version to 1.83 and OpenSSL version 1.0.2.
+ Net::SSLeay version to 1.83 and OpenSSL version to 1.0.2 (when
+ SSL_verify is used).
* libinterimap: add support for the TLS SNI (Server Name Indication)
extension, controlled by the new 'SSL_hostname' option. The default
value of that option is the value of the 'host' option when it is
hostname, and the empty string (which disables SNI) when it is an IP
literal.
+ libinterimap: show the matching pinned SPKI in --debug mode.
- + test suite: always generate new certificates on `make test`. Hence
- running `make test` now requires OpenSSL 1.1.1 or later.
+ + test suite: always generate new certificates on `make test`.
+ test suite: sign all test certificates with the same root CA.
+ libinterimap: factor out hostname/IP parsing.
+ document that enclosing 'host' value in square brackets forces its
@@ -26,7 +75,7 @@ interimap (0.5.4) upstream;
interimap (0.5.3) upstream;
- * libinterimap: SSL_fingerprint now supports a space-separate list of
+ * libinterimap: SSL_fingerprint now supports a space-separated list of
digests to pin, and succeeds if, and only if, the peer certificate
SPKI matches one of the pinned digest values. Specifying multiple
digest values can key useful in key rollover scenarios and/or when
@@ -75,7 +124,7 @@ interimap (0.5) upstream;
(regardless of the hierarchy delimiter in use).
Other changes:
- * interimap: the space-speparated list of names and/or patterns in
+ * interimap: the space-separated list of names and/or patterns in
'list-mailbox' can now contain C-style escape sequences (backslash
and hexadecimal escape).
* interimap: fail when two non-INBOX LIST replies return different
@@ -83,7 +132,7 @@ interimap (0.5) upstream;
happen if mailboxes from different namespaces are being listed. The
workaround here is to run a new interimap instance for each
namespace.
- * libinterimap: in tunnel mode, use a socketpair rather than two pipes
+ * libinterimap: in tunnel mode, use a socket pair rather than two pipes
for IPC between the interimap and the IMAP server. Also, use
SOCK_CLOEXEC to save an fcntl() call when setting the close-on-exec
flag on the socket.
@@ -146,7 +195,7 @@ interimap (0.5) upstream;
- libinterimap: use directories relative to $HOME for the XDG
environment variables default values. Previously getpwuid() was
called to determine the user's home directory, while the XDG
- specification explicitely mentions $HOME. Conveniently our docs
+ specification explicitly mentions $HOME. Conveniently our docs
always mentioned ~/, which on POSIX-compliant systems expands to the
value of the variable HOME. (Cf. Shell and Utilities volume of
POSIX.1-2017, sec. 2.6.1.)
@@ -160,7 +209,7 @@ interimap (0.5) upstream;
- libinterimap: push_flag_updates(): ignore UIDs for which no untagged
FETCH response was received.
- libinterimap: push_flag_updates(): don't ignores received updates (by
- another client) to a superset of the desigred flag list.
+ another client) to a superset of the desired flag list.
- libinterimap: avoid sending large UID EXPUNGE|FETCH|STORE commands as
they might exceed the server's max acceptable command size; these
commands are now split into multiple (sequential) commands when their
@@ -170,7 +219,7 @@ interimap (0.5) upstream;
This is a also a workaround for a bug in Dovecot 2.3.4:
https://dovecot.org/pipermail/dovecot/2019-November/117522.html
- interimap: for the reason explained above, limit number of messages
- to 128 per APPEND command (only on servers advertizing MULTIAPPEND,
+ to 128 per APPEND command (only on servers advertising MULTIAPPEND,
for other servers the number remains 1).
- interimap: gracefully ignore messages with a NIL RFC822 attribute.
- pullimap: treat messages with a NIL RFC822 attribute as empty.
diff --git a/Makefile b/Makefile
index ff62bf1..9f4702d 100644
--- a/Makefile
+++ b/Makefile
@@ -20,16 +20,21 @@ test:
./tests/run-all
release:
- @if ! git diff HEAD --quiet -- ./interimap ./pullimap ./Changelog; then \
+ @if ! git diff HEAD --quiet -- ./Changelog ./interimap ./pullimap ./lib/Net/IMAP/InterIMAP.pm; then \
echo "Dirty state, refusing to release!" >&2; \
exit 1; \
fi
- sed -ri "0,/^( -- .*) .*/ s//\1 $(shell date -R)/" ./Changelog
VERS=$$(dpkg-parsechangelog -l Changelog -SVersion 2>/dev/null) && \
- sed -ri "0,/^(our \\\$$VERSION\\s*=\s*)'[0-9.]+'\\s*;/ s//\1'$$VERS';/" \
+ if git rev-parse -q --verify "refs/tags/v$$VERS" >/dev/null; then echo "tag exists" 2>/dev/null; exit 1; fi && \
+ sed -ri "0,/^( -- .*) .*/ s//\\1 $(shell date -R)/" ./Changelog && \
+ sed -ri "0,/^(our\\s+\\\$$VERSION\\s*=\\s*)'[0-9.]+'\\s*;/ s//\\1'$$VERS';/" \
+ -- ./interimap ./pullimap && \
+ sed -ri "0,/^(package\\s+Net::IMAP::InterIMAP\\s+)v[0-9.]+\\s*;/ s//\\1v$$VERS;/" \
+ -- ./lib/Net/IMAP/InterIMAP.pm && \
+ sed -ri "0,/^(use\\s+Net::IMAP::InterIMAP\\s+)[0-9.]+(\\s|\\$$)/ s//\\1$$VERS\\2/" \
-- ./interimap ./pullimap && \
git commit -m "Prepare new release v$$VERS." \
- -- ./interimap ./pullimap ./Changelog && \
+ -- ./Changelog ./interimap ./pullimap ./lib/Net/IMAP/InterIMAP.pm && \
git tag -sm "Release version $$VERS" "v$$VERS"
## make html CSS="https://guilhem.org/static/css/bootstrap.min.css" BUILD_DOCDIR="$XDG_RUNTIME_DIR/Downloads"
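Review bot: The new tag-exists guard in the release recipe writes its message to stdout and silences a stream echo never uses: `echo "tag exists" 2>/dev/null` should send the diagnostic to stderr, like the "Dirty state" message a few lines above, and should name the offending tag so the operator knows which version collided, e.g. `if git rev-parse -q --verify "refs/tags/v$$VERS" >/dev/null; then echo "Tag v$$VERS already exists, refusing to release!" >&2; exit 1; fi && \`. Worth noting as well that the dirty-state check only inspects the four files listed on the `git diff HEAD --quiet` line, so uncommitted edits elsewhere in the tree (tests, docs) would still end up under a signed release tag without being committed; if that is intentional a short comment above the check saying so would help the next maintainer. The `release:` target is fully visible in this hunk; the `test:` target it follows starts outside it.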
diff --git a/README b/README
index fbc4ed7..c241486 100644
--- a/README
+++ b/README
@@ -1,54 +1,51 @@
InterIMAP is a fast bidirectional synchronization program for QRESYNC-capable
IMAP4rev1 servers. PullIMAP retrieves messages a remote IMAP mailbox and
-deliver them to an SMTP session. Visit https://guilhem.org/interimap
-for more information.
+deliver them to an SMTP session. Visit https://guilhem.org/interimap for more
+information.
-_______________________________________________________________________
+______________________________________________________________________________
-Compared to IMAP-to-Maildir synchronization solutions like OfflineIMAP,
-adding an IMAP server between the Maildir storage and the MUA saves
-loads of readdir(2) system calls and other File System quirks; moreover
-the abstraction layer offered by the IMAP server makes the MUA and
-synchronization program agnostic to the storage backend (Maildir, mbox,
-dbox,...) in use.
+Compared to IMAP-to-Maildir synchronization solutions like OfflineIMAP, adding
+an IMAP server between the Maildir storage and the MUA saves loads of
+readdir(2) system calls and other File System quirks; moreover the abstraction
+layer offered by the IMAP server makes the MUA and synchronization program
+agnostic to the storage backend (Maildir, mbox, dbox,...) in use.
IMAP synchronization of a mailbox is usually two-folds: 1/ detect and
-propagate changes (flag updates and message deletions) to existing
-messages, then 2/ copy the new messages. The naive way to perform the
-first step is to issue a FETCH command to list all messages in the
-mailbox along with their flags and UIDs, causing heavy network usage.
-Instead, InterIMAP takes advantage of the QRESYNC extension from
-[RFC7162] to perform stateful synchronization: querying changes since
-the last synchronization only gives a phenomenal performance boost and
-drastically reduces the network traffic.
+propagate changes (flag updates and message deletions) to existing messages,
+then 2/ copy the new messages. The naive way to perform the first step is to
+issue a FETCH command to list all messages in the mailbox along with their
+flags and UIDs, causing heavy network usage. Instead, InterIMAP takes
+advantage of the QRESYNC extension from [RFC7162] to perform stateful
+synchronization: querying changes since the last synchronization only gives a
+phenomenal performance boost and drastically reduces the network traffic.
-For convenience reasons servers must also support LIST-EXTENDED
-[RFC5258], LIST-STATUS [RFC5819] and UIDPLUS [RFC4315]. Other supported
-extensions are:
- * LITERAL+ [RFC2088] non-synchronizing literals (recommended),
- * MULTIAPPEND [RFC3502] (recommended),
- * COMPRESS=DEFLATE [RFC4978] (recommended),
- * SASL-IR [RFC4959] SASL Initial Client Response, and
+For convenience reasons servers must also support LIST-EXTENDED [RFC5258],
+LIST-STATUS [RFC5819] and UIDPLUS [RFC4315]. Other supported extensions are:
+
+ * LITERAL+ [RFC2088] non-synchronizing literals (recommended);
+ * MULTIAPPEND [RFC3502] (recommended);
+ * COMPRESS=DEFLATE [RFC4978] (recommended);
+ * SASL-IR [RFC4959] SASL Initial Client Response; and
* UNSELECT [RFC3691].
-_______________________________________________________________________
+______________________________________________________________________________
-IMAP traffic is mostly text (beside message bodies perhaps) hence
-compresses pretty well: enabling compression can save a great amount of
-network resources.
+IMAP traffic is mostly text (beside message bodies perhaps) hence compresses
+pretty well: enabling compression can save a great amount of network
+resources.
However establishing an SSL/TLS connection (type=imaps, or type=imap and
STARTTLS=YES) yields a small overhead due to the SSL/TLS handshake.
On the other hand if SSH access is allowed on the remote server, one can
-tunnel the IMAP traffic through SSH and use OpenSSH's ControlPersist
-feature to save most of the cryptographic overhead (at the expense of a
-local 'ssh' process and a remote 'imap' process). Moreover if the IMAP
-user is a valid UNIX user it is possible to use pre-authentication on
-the remote server as well, which saves the extra round trip caused by
-the AUTHENTICATE command. For instance the following configuration
-snippet saves bandwidth and brings a significant speed gain compared to
-type=imaps.
+tunnel the IMAP traffic through SSH and use OpenSSH's ControlPersist feature
+to save most of the cryptographic overhead (at the expense of a local 'ssh'
+process and a remote 'imap' process). Moreover if the IMAP user is a valid
+UNIX user it is possible to use pre-authentication on the remote server as
+well, which saves the extra round trip caused by the AUTHENTICATE command.
+For instance the following configuration snippet saves bandwidth and brings a
+significant speed gain compared to type=imaps.
local: $XDG_CONFIG_HOME/interimap/config:
[remote]
@@ -59,7 +56,7 @@ type=imaps.
Host imap.example.net
IdentityFile ~/.ssh/id-interimap
IdentitiesOnly yes
- ControlPath /run/shm/%u@%n
+ ControlPath ${XDG_RUNTIME_DIR}/ssh-imap-%C
ControlMaster auto
ControlPersist 10m
StrictHostKeyChecking yes
@@ -69,17 +66,17 @@ type=imaps.
Compression yes
remote: ~user/.ssh/authorized_keys:
- command="/usr/lib/dovecot/imap",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-... id-interimap
+ restrict,command="/usr/bin/doveadm exec imap" ssh-[…] id-interimap
-However for long-lived connections (using the --watch command-line
-option), the TLS overhead becomes negligible hence the advantage offered
-by the OpenSSH ControlPersist feature is not obvious. Furthermore if
-the remote server supports the IMAP COMPRESS extension [RFC4978], adding
-compress=DEFLATE to the configuration can also greatly reduce bandwidth
-usage with regular INET sockets (type=imaps or type=imap).
+However for long-lived connections (using the --watch command-line option),
+the TLS overhead becomes negligible hence the advantage offered by the OpenSSH
+ControlPersist feature is not obvious. Furthermore if the remote server
+supports the IMAP COMPRESS extension [RFC4978], adding compress=DEFLATE to the
+configuration can also greatly reduce bandwidth usage with regular INET
+sockets (type=imaps or type=imap).
-_______________________________________________________________________
+______________________________________________________________________________
-InterIMAP is Copyright© 2015-2018 Guilhem Moulin ⟨guilhem@fripost.org⟩,
-and licensed for use under the GNU General Public License version 3 or
-later. See ‘COPYING’ for specific terms and distribution information.
+InterIMAP is Copyright© 2015-2020 Guilhem Moulin ⟨guilhem@fripost.org⟩, and
+licensed for use under the GNU General Public License version 3 or later. See
+‘COPYING’ for specific terms and distribution information.
diff --git a/doc/getting-started.md b/doc/getting-started.md
index 83d3ba9..74fc8da 100644
--- a/doc/getting-started.md
+++ b/doc/getting-started.md
@@ -20,7 +20,7 @@ format][mbox]). Local mail clients usually access it directly. They
also often maintain their own cache in order to speed up message header
listing and searches.
-While most bidirectional synchronisation software (such as [OfflineIMAP])
+While most bidirectional synchronization software (such as [OfflineIMAP])
are able to handle a mail storage in Maildir format, *InterIMAP is
not*. Instead, InterIMAP needs an [IMAP4rev1] server on *both* peers
to synchronize. This may sound like a severe limitation at first, but by
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index 2d2a637..2d588ae 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -249,7 +249,7 @@ Valid options are:
Two wildcards are available, and passed verbatim to the IMAP server:
a ‘\*’ character matches zero or more characters, while a ‘%’
character matches zero or more characters up to the hierarchy
- delimiter. Hardcoding the hierarchy delimiter in this setting is
+ delimiter. Hard-coding the hierarchy delimiter in this setting is
not advised because the server might silently change it at some
point. A null character should be used instead. For instance, if
*list-mailbox* is set `"foo\x00bar"` then, assuming the hierarchy
@@ -309,7 +309,7 @@ Valid options are:
`type=imap` and `type=imaps` are respectively used for IMAP and IMAP
over SSL/TLS connections over an INET socket.
`type=tunnel` causes `interimap` to create an unnamed pair of
- connected sockets for interprocess communication with a *command*
+ connected sockets for inter-process communication with a *command*
instead of opening a network socket.
Note that specifying `type=tunnel` in the `[remote]` section makes
the default *database* to be `localhost.db`.
@@ -383,19 +383,32 @@ Valid options are:
*SSL_protocols*
-: A space-separated list of SSL protocols to enable or disable (if
- prefixed with an exclamation mark `!`. Known protocols are `SSLv2`,
- `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`. Enabling a
- protocol is a short-hand for disabling all other protocols.
- (Default: `!SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, i.e., only enable TLSv1.2
- and above.)
+: Space-separated list of SSL/TLS protocol versions to explicitly
+ enable (or disable if prefixed with an exclamation mark `!`).
+ Potentially known protocols are `SSLv2`, `SSLv3`, `TLSv1`,
+ `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
+ version used.
+ Enabling a protocol is a short-hand for disabling all other
+ protocols.
-*SSL_cipher_list*
+ *DEPRECATED*: Use *SSL_protocol_min* and/or *SSL_protocol_max*
+ instead.
-: The cipher list to send to the server. Although the server
- determines which cipher suite is used, it should take the first
- supported cipher in the list sent by the client. See
- [`ciphers`(1ssl)] for more information.
+*SSL_protocol_min*, *SSL_protocol_max*
+
+: Set minimum resp. maximum SSL/TLS protocol version to use for the
+ connection. Potentially recognized values are `SSLv3`, `TLSv1`,
+ `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
+ version used.
+
+*SSL_cipherlist*, *SSL_ciphersuites*
+
+: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites.
+ The combination of these lists is sent to the server, which then
+ determines which cipher to use (normally the first supported one
+ from the list sent by the client). The default suites depend on the
+ OpenSSL version and its configuration, see [`ciphers`(1ssl)] for
+ more information.
*SSL_fingerprint*
@@ -415,12 +428,12 @@ Valid options are:
Specifying multiple digest values can be useful in key rollover
scenarios and/or when the server supports certificates of different
- types (for instance RSA+ECDSA). In that case the connection is
- aborted when none of the specified digests matches.
+ types (for instance a dual-cert RSA/ECDSA setup). In that case the
+ connection is aborted when none of the specified digests matches.
*SSL_verify*
-: Whether to verify the server certificate chain, and match its
+: Whether to 1/ verify the server certificate chain; and 2/ match its
Subject Alternative Name (SAN) or Subject CommonName (CN) against
the value of the *host* option.
(Default: `YES`.)
@@ -430,6 +443,14 @@ Valid options are:
measure as it pins directly its key material and ignore its chain of
trust.
+*SSL_CAfile*
+
+: File containing trusted certificates to use during server
+ certificate verification when `SSL_verify=YES`.
+
+ Trusted CA certificates are loaded from the default system locations
+ unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
+
*SSL_CApath*
: Directory to use for server certificate verification when
@@ -437,10 +458,8 @@ Valid options are:
This directory must be in “hash format”, see [`verify`(1ssl)] for
more information.
-*SSL_CAfile*
-
-: File containing trusted certificates to use during server
- certificate verification when `SSL_verify=YES`.
+ Trusted CA certificates are loaded from the default system locations
+ unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
*SSL_hostname*
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index c9500e0..89969b2 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -106,14 +106,14 @@ Valid options are:
*deliver-ehlo*
-: Hostname to use in `EHLO` or `LHLO` commands.
+: Name to use in `EHLO` or `LHLO` commands.
(Default: `localhost.localdomain`.)
*deliver-rcpt*
: Message recipient. Note that the local part needs to quoted if it
contains special characters; see [RFC 5321] for details.
- (Default: the username associated with the effective uid of the
+ (Default: the username associated with the effective user ID of the
`pullimap` process.)
*purge-after*
@@ -123,7 +123,7 @@ Valid options are:
`SEARCH` criterion ignoring time and timezone.)
If *purge-after* is set to `0` then messages are deleted immediately
after delivery. Otherwise `pullimap` issues an IMAP `SEARCH` (or
- extended `SEARCH` on servers advertizing the [`ESEARCH`][RFC 4731]
+ extended `SEARCH` on servers advertising the [`ESEARCH`][RFC 4731]
capability) command to list old messages; if `--idle` is set then
the `SEARCH` command is issued again every 12 hours.
@@ -133,7 +133,7 @@ Valid options are:
`type=imap` and `type=imaps` are respectively used for IMAP and IMAP
over SSL/TLS connections over an INET socket.
`type=tunnel` causes `pullimap` to create an unnamed pair of
- connected sockets for interprocess communication with a *command*
+ connected sockets for inter-process communication with a *command*
instead of opening a network socket.
(Default: `imaps`.)
@@ -202,19 +202,32 @@ Valid options are:
*SSL_protocols*
-: A space-separated list of SSL protocols to enable or disable (if
- prefixed with an exclamation mark `!`. Known protocols are `SSLv2`,
- `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`. Enabling a
- protocol is a short-hand for disabling all other protocols.
- (Default: `!SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, i.e., only enable TLSv1.2
- and above.)
+: Space-separated list of SSL/TLS protocol versions to explicitly
+ enable (or disable if prefixed with an exclamation mark `!`).
+ Potentially known protocols are `SSLv2`, `SSLv3`, `TLSv1`,
+ `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
+ version used.
+ Enabling a protocol is a short-hand for disabling all other
+ protocols.
-*SSL_cipher_list*
+ *DEPRECATED*: Use *SSL_protocol_min* and/or *SSL_protocol_max*
+ instead.
-: The cipher list to send to the server. Although the server
- determines which cipher suite is used, it should take the first
- supported cipher in the list sent by the client. See
- [`ciphers`(1ssl)] for more information.
+*SSL_protocol_min*, *SSL_protocol_max*
+
+: Set minimum resp. maximum SSL/TLS protocol version to use for the
+ connection. Potentially recognized values are `SSLv3`, `TLSv1`,
+ `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
+ version used.
+
+*SSL_cipherlist*, *SSL_ciphersuites*
+
+: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites.
+ The combination of these lists is sent to the server, which then
+ determines which cipher to use (normally the first supported one
+ from the list sent by the client). The default suites depend on the
+ OpenSSL version and its configuration, see [`ciphers`(1ssl)] for
+ more information.
*SSL_fingerprint*
@@ -234,12 +247,12 @@ Valid options are:
Specifying multiple digest values can be useful in key rollover
scenarios and/or when the server supports certificates of different
- types (for instance RSA+ECDSA). In that case the connection is
- aborted when none of the specified digests matches.
+ types (for instance a dual-cert RSA/ECDSA setup). In that case the
+ connection is aborted when none of the specified digests matches.
*SSL_verify*
-: Whether to verify the server certificate chain, and match its
+: Whether to 1/ verify the server certificate chain; and 2/ match its
Subject Alternative Name (SAN) or Subject CommonName (CN) against
the value of the *host* option.
(Default: `YES`.)
@@ -249,6 +262,14 @@ Valid options are:
measure as it pins directly its key material and ignore its chain of
trust.
+*SSL_CAfile*
+
+: File containing trusted certificates to use during server
+ certificate verification when `SSL_verify=YES`.
+
+ Trusted CA certificates are loaded from the default system locations
+ unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
+
*SSL_CApath*
: Directory to use for server certificate verification when
@@ -256,10 +277,8 @@ Valid options are:
This directory must be in “hash format”, see [`verify`(1ssl)] for
more information.
-*SSL_CAfile*
-
-: File containing trusted certificates to use during server
- certificate verification when `SSL_verify=YES`.
+ Trusted CA certificates are loaded from the default system locations
+ unless one (or both) of *SSL_CAfile* or *SSL_CApath* is set.
*SSL_hostname*
@@ -322,7 +341,7 @@ In more details, `pullimap` works as follows:
to terminate it gracefully.
3. Issue a `UID STORE` command to mark all retrieved messages (and
- stalled UIDs found in the *statefile* after the eigth byte) as
+ stalled UIDs found in the *statefile* after the eighth byte) as
`\Seen`.
4. Update the *statefile* with the new UIDNEXT value (bytes 5-8).
diff --git a/interimap b/interimap
index f8aa768..7bb86f6 100755
--- a/interimap
+++ b/interimap
@@ -2,7 +2,7 @@
#----------------------------------------------------------------------
# Fast bidirectional synchronization for QRESYNC-capable IMAP servers
-# Copyright © 2015-2019 Guilhem Moulin <guilhem@fripost.org>
+# Copyright © 2015-2020 Guilhem Moulin <guilhem@fripost.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -22,7 +22,7 @@ use v5.14.2;
use strict;
use warnings;
-our $VERSION = '0.5.4';
+our $VERSION = '0.5.5';
my $NAME = 'interimap';
my $DATABASE_VERSION = 1;
use Getopt::Long qw/:config posix_default no_ignore_case gnu_compat
@@ -32,7 +32,7 @@ use DBD::SQLite::Constants ':file_open';
use Fcntl qw/F_GETFD F_SETFD FD_CLOEXEC/;
use List::Util 'first';
-use Net::IMAP::InterIMAP 0.0.5 qw/xdg_basedir read_config compact_set/;
+use Net::IMAP::InterIMAP 0.5.5 qw/xdg_basedir read_config compact_set/;
# Clean up PATH
$ENV{PATH} = join ':', qw{/usr/bin /bin};
@@ -286,7 +286,7 @@ sub list_mailboxes($) {
my ($m) = sort keys %$delims;
$imap->{delimiter} = delete $delims->{$m};
} else {
- # didn't get a non-INBOX LIST reply so we need to explicitely query
+ # didn't get a non-INBOX LIST reply so we need to explicitly query
# the hierarchy delimiter
get_delimiter($name, $imap, $ref);
}
diff --git a/interimap.sample b/interimap.sample
index b4d131c..36eeb2a 100644
--- a/interimap.sample
+++ b/interimap.sample
@@ -23,10 +23,8 @@ password = xxxxxxxxxxxxxxxx
#compress = YES
# SSL options
-SSL_CApath = /etc/ssl/certs
#SSL_verify = YES
-#SSL_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
-#SSL_cipherlist = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+#SSL_protocol_min = TLSv1.2
#SSL_fingerprint = sha256$29111aea5d5be7e448bdc5c6e8a9d03bc9221c53c09b1cfbe6f953221e24dda0
# vim:ft=dosini
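Review bot: The sample now ships the protocol floor commented out (`#SSL_protocol_min = TLSv1.2`) while removing the old `SSL_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1` line, so a user who copies this file relies entirely on the system OpenSSL default for the minimum TLS version; the Changelog states this makes no difference on Debian Buster's OpenSSL 1.1.1, but on other platforms or with a permissive openssl.cnf TLSv1.0/1.1 presumably become negotiable again. Since the point of a sample is to show a safe baseline, consider leaving the floor active, `SSL_protocol_min = TLSv1.2`, or at least adding a comment such as `# Uncomment to refuse TLSv1.0/1.1 regardless of the system-wide OpenSSL default` above it. The removed `SSL_cipherlist` default is fine to drop given the new documentation defers to OpenSSL's defaults, but the same caveat applies: the effective cipher policy is now whatever the host's libssl configuration allows.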
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index fff1570..0c4fc89 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1,6 +1,6 @@
#----------------------------------------------------------------------
# A minimal IMAP4 client for QRESYNC-capable servers
-# Copyright © 2015-2019 Guilhem Moulin <guilhem@fripost.org>
+# Copyright © 2015-2020 Guilhem Moulin <guilhem@fripost.org>
#
# This pr