aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Changelog24
-rwxr-xr-xinterimap14
-rw-r--r--interimap.md17
-rw-r--r--interimap.sample4
-rw-r--r--interimap.service2
-rw-r--r--lib/Net/IMAP/InterIMAP.pm4
-rw-r--r--pullimap.md17
-rw-r--r--pullimap.sample8
8 files changed, 65 insertions, 25 deletions
diff --git a/Changelog b/Changelog
index a1ae59f..f9ca699 100644
--- a/Changelog
+++ b/Changelog
@@ -1,13 +1,25 @@
interimap (0.3) upstream;
- * Fix byte count for compression streams.
- * Add an option 'SSL_protocols' to list SSL protocols to enable or
+ + New script 'pullimap', to pull mails from an IMAP mailbox and
+ deliver them to a SMTP session.
+ + Convert manpage format from groff to pandoc.
+ + interimap: Add support for IMAP NOTIFY [RFC 5465].
+ + 'fingerprint' now only pins the cert's SPKI, not the cert itself
+ (require Net::SSLeay >=1.73).
+ - Fix byte count for compression streams.
+ - Add an option 'SSL_protocols' to list SSL protocols to enable or
disable. The default value, "!SSLv2 !SSLv3", enables only TLSv1
and above.
- * New script 'pullimap', to pull mails from an IMAP mailbox and
- deliver them to a SMTP session.
-
- -- Guilhem Moulin <guilhem@guilhem.org> Mon, 28 Sep 2015 01:16:47 +0200
+ - Ensure "inbox" is always used in upper-case internally.
+ - Ensure the FD_CLOEXEC bit is 1 on sockets, logger and state files.
+ - Try again if connect(2) was interrupted.
+ - interimap: fix memory leak.
+ - interimap: use SQLite's own locking mechanism (instead of rolling
+ our own).
+ - interimap: when resuming a sync, only consider UIDs greater than a
+ known UIDNEXT.
+
+ -- Guilhem Moulin <guilhem@guilhem.org> Thu, 01 Dec 2016 14:37:50 +0100
interimap (0.2) upstream;
diff --git a/interimap b/interimap
index 150c754..7a36c4e 100755
--- a/interimap
+++ b/interimap
@@ -1088,6 +1088,18 @@ while (defined (my $row = $STH_LIST_INTERRUPTED->fetchrow_arrayref())) {
# the _MODIFIED internal cache has been initialized with all our
# UIDs. (Since there is no reliable HIGHESTMODSEQ, any flag
# difference is treated as a conflict.)
+ $STH_GET_CACHE_BY_IDX->execute($IDX);
+ if (defined (my $cache = $STH_GET_CACHE_BY_IDX->fetchrow_hashref())) {
+ $lIMAP->set_cache($cache->{mailbox},
+ UIDVALIDITY => $cache->{lUIDVALIDITY},
+ UIDNEXT => $cache->{lUIDNEXT}
+ );
+ $rIMAP->set_cache($cache->{mailbox},
+ UIDVALIDITY => $cache->{rUIDVALIDITY},
+ UIDNEXT => $cache->{rUIDNEXT}
+ );
+ die if defined $STH_GET_CACHE_BY_IDX->fetch(); # sanity check
+ }
sync_messages($IDX, $MAILBOX, [keys %lList], [keys %rList]);
}
@@ -1208,6 +1220,8 @@ while (1) {
# we need to issue a NOOP command or go back to AUTH state since the
# LIST command may not report the correct HIGHESTMODSEQ value for
# the mailbox currently selected
+ # RFC3501: "The STATUS command MUST NOT be used as a "check for
+ # new messages in the selected mailbox" operation"
if (defined $MAILBOX) {
# Prefer UNSELECT over NOOP commands as it requires a single command per cycle
if ($lIMAP->incapable('UNSELECT') or $rIMAP->incapable('UNSELECT')) {
diff --git a/interimap.md b/interimap.md
index 7d119ab..b923933 100644
--- a/interimap.md
+++ b/interimap.md
@@ -345,12 +345,19 @@ Valid options are:
*SSL_fingerprint*
-: Fingerprint of the server certificate (or its public key) in the
- form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm
- (by default `sha256`).
+: Fingerprint of the server certificate's Subject Public Key Info, in
+ the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by
+ default `sha256`).
Attempting to connect to a server with a non-matching certificate
- fingerprint causes `interimap` to abort the connection during the
- SSL/TLS handshake.
+ SPKI fingerprint causes `interimap` to abort the connection during
+ the SSL/TLS handshake.
+
+ You can use the following command to compute the SHA-256 digest of
+ certificate's Subject Public Key Info.
+
+ openssl x509 -in /path/to/server/certificate.pem -pubkey \
+ | openssl pkey -pubin -outform DER \
+ | openssl dgst -sha256
*SSL_verify*
diff --git a/interimap.sample b/interimap.sample
index c3919ce..8cd0a29 100644
--- a/interimap.sample
+++ b/interimap.sample
@@ -10,7 +10,7 @@ null-stderr = YES
[remote]
#type = imaps
-host = imap.guilhem.org
+host = imap.example.org
#port = 993
#proxy = socks5h://localhost:9050
username = guilhem
@@ -22,6 +22,6 @@ SSL_CApath = /etc/ssl/certs
#SSL_verify = YES
#SSL_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
#SSL_cipherlist = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-#SSL_fingerprint = sha256$62E436BB329C46A628314C49BDA7C2A2E86C57B2021B9A964B8FABB6540D3605
+#SSL_fingerprint = sha256$29111aea5d5be7e448bdc5c6e8a9d03bc9221c53c09b1cfbe6f953221e24dda0
# vim:ft=dosini
diff --git a/interimap.service b/interimap.service
index 8c685d9..6e487d4 100644
--- a/interimap.service
+++ b/interimap.service
@@ -4,7 +4,7 @@ Wants=network-online.target
After=network-online.target
[Service]
-ExecStart=/usr/bin/interimap --watch
+ExecStart=/usr/bin/interimap --notify
RestartSec=10min
Restart=on-failure
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index a899831..7a1ba34 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1539,8 +1539,8 @@ sub _ssl_verify($$$) {
my $type = Net::SSLeay::EVP_get_digestbyname($algo)
or $self->_ssl_error("Can't find MD value for name '$algo'");
- if (Net::SSLeay::X509_digest($cert, $type) ne $digest and
- Net::SSLeay::X509_pubkey_digest($cert, $type) ne $digest) {
+ my $pkey = Net::SSLeay::X509_get_X509_PUBKEY($cert);
+ unless (defined $pkey and Net::SSLeay::EVP_Digest($pkey, $type) eq $digest) {
$self->warn("Fingerprint doesn't match! MiTM in action?");
$ok = 0;
}
diff --git a/pullimap.md b/pullimap.md
index 06e5988..cb2a07a 100644
--- a/pullimap.md
+++ b/pullimap.md
@@ -210,12 +210,19 @@ Valid options are:
*SSL_fingerprint*
-: Fingerprint of the server certificate (or its public key) in the
- form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm
- (by default `sha256`).
+: Fingerprint of the server certificate's Subject Public Key Info, in
+ the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by
+ default `sha256`).
Attempting to connect to a server with a non-matching certificate
- fingerprint causes `pullimap` to abort the connection during the
- SSL/TLS handshake.
+ SPKI fingerprint causes `pullimap` to abort the connection during
+ the SSL/TLS handshake.
+
+ You can use the following command to compute the SHA-256 digest of
+ certificate's Subject Public Key Info.
+
+ openssl x509 -in /path/to/server/certificate.pem -pubkey \
+ | openssl pkey -pubin -outform DER \
+ | openssl dgst -sha256
*SSL_verify*
diff --git a/pullimap.sample b/pullimap.sample
index 63ff9de..136d3d4 100644
--- a/pullimap.sample
+++ b/pullimap.sample
@@ -11,22 +11,22 @@ SSL_CApath = /etc/ssl/certs
[private]
#type = imaps
-host = imap.guilhem.org
+host = imap.private.org
#port = 993
#proxy = socks5h://localhost:9050
username = guilhem
password = xxxxxxxxxxxxxxxx
#compress = YES
-#SSL_fingerprint = sha256$62E436BB329C46A628314C49BDA7C2A2E86C57B2021B9A964B8FABB6540D3605
+#SSL_fingerprint = sha256$d9915f4ad35b76d9eb40f34abd5e8f61edfaad3bf20d5336dc28efa8cc3921ad
[work]
#type = imaps
-host = imap.example.com
+host = imap.work.com
#port = 993
#proxy = socks5h://localhost:9050
username = guilhem
password = xxxxxxxxxxxxxxxx
#compress = YES
-#SSL_fingerprint = sha256$c93677ac6a4ac7d0a2b412c1bfdd83b9191c853aa8685bf5440f154e647caacf
+#SSL_fingerprint = sha256$3956fd56921c02aeaffe4f8f576e802ee99ab5a096064f4fe7e6a0ad7b4b8a6e
# vim:ft=dosini