From d33c699343282fae32e0b966c17377595ee52db0 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 22 Nov 2016 19:38:36 +0100 Subject: wibble --- interimap | 2 ++ 1 file changed, 2 insertions(+) diff --git a/interimap b/interimap index 150c754..eccd3ab 100755 --- a/interimap +++ b/interimap @@ -1208,6 +1208,8 @@ while (1) { # we need to issue a NOOP command or go back to AUTH state since the # LIST command may not report the correct HIGHESTMODSEQ value for # the mailbox currently selected + # RFC3501: "The STATUS command MUST NOT be used as a "check for + # new messages in the selected mailbox" operation" if (defined $MAILBOX) { # Prefer UNSELECT over NOOP commands as it requires a single command per cycle if ($lIMAP->incapable('UNSELECT') or $rIMAP->incapable('UNSELECT')) { -- cgit v1.2.3 From 986edff592c159cb9057e960f380057ff06da939 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 22 Nov 2016 19:41:46 +0100 Subject: bugfix: when resuming a sync, only consider UIDs greater than a known UIDNEXT. --- interimap | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/interimap b/interimap index eccd3ab..7a36c4e 100755 --- a/interimap +++ b/interimap @@ -1088,6 +1088,18 @@ while (defined (my $row = $STH_LIST_INTERRUPTED->fetchrow_arrayref())) { # the _MODIFIED internal cache has been initialized with all our # UIDs. (Since there is no reliable HIGHESTMODSEQ, any flag # difference is treated as a conflict.) + $STH_GET_CACHE_BY_IDX->execute($IDX); + if (defined (my $cache = $STH_GET_CACHE_BY_IDX->fetchrow_hashref())) { + $lIMAP->set_cache($cache->{mailbox}, + UIDVALIDITY => $cache->{lUIDVALIDITY}, + UIDNEXT => $cache->{lUIDNEXT} + ); + $rIMAP->set_cache($cache->{mailbox}, + UIDVALIDITY => $cache->{rUIDVALIDITY}, + UIDNEXT => $cache->{rUIDNEXT} + ); + die if defined $STH_GET_CACHE_BY_IDX->fetch(); # sanity check + } sync_messages($IDX, $MAILBOX, [keys %lList], [keys %rList]); } -- cgit v1.2.3 
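Review bot: The sanity check `die if defined $STH_GET_CACHE_BY_IDX->fetch(); # sanity check` in the `@@ -1088,6 +1088,18 @@` hunk dies with only "Died at interimap line N", which gives an operator no hint that the cache table holds more than one row for this index; `die "cache table has several rows for IDX $IDX" if defined $STH_GET_CACHE_BY_IDX->fetch();` would make the failure actionable. When no cache row is found the new block silently falls through to sync_messages() with no UIDVALIDITY/UIDNEXT cache set; if that is unexpected (the interrupted-sync list presumably comes from the same database), a warning on that path would be worth adding. The return value of `$STH_GET_CACHE_BY_IDX->execute($IDX)` is not checked either; whether DBI's RaiseError covers it cannot be seen from the hunk. The enclosing while loop starts before the hunk.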
From b399fbee737ebe99491bf1370002bbff00a784e0 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 1 Dec 2016 14:26:37 +0100 Subject: "fingerprint" now only pins the cert's SPKI, not the cert itself. --- interimap.md | 17 ++++++++++++----- lib/Net/IMAP/InterIMAP.pm | 4 ++-- pullimap.md | 17 ++++++++++++----- 3 files changed, 26 insertions(+), 12 deletions(-) diff --git a/interimap.md b/interimap.md index 7d119ab..b923933 100644 --- a/interimap.md +++ b/interimap.md @@ -345,12 +345,19 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate (or its public key) in the - form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm - (by default `sha256`). +: Fingerprint of the server certificate's Subject Public Key Info, in + the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by + default `sha256`). Attempting to connect to a server with a non-matching certificate - fingerprint causes `interimap` to abort the connection during the - SSL/TLS handshake. + SPKI fingerprint causes `interimap` to abort the connection during + the SSL/TLS handshake. + + You can use the following command to compute the SHA-256 digest of + certificate's Subject Public Key Info. + + openssl x509 -in /path/to/server/certificate.pem -pubkey \ + | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 *SSL_verify* diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm index a899831..7a1ba34 100644 --- a/lib/Net/IMAP/InterIMAP.pm +++ b/lib/Net/IMAP/InterIMAP.pm @@ -1539,8 +1539,8 @@ sub _ssl_verify($$$) { my $type = Net::SSLeay::EVP_get_digestbyname($algo) or $self->_ssl_error("Can't find MD value for name '$algo'"); - if (Net::SSLeay::X509_digest($cert, $type) ne $digest and - Net::SSLeay::X509_pubkey_digest($cert, $type) ne $digest) { + my $pkey = Net::SSLeay::X509_get_X509_PUBKEY($cert); + unless (defined $pkey and Net::SSLeay::EVP_Digest($pkey, $type) eq $digest) { $self->warn("Fingerprint doesn't match! MiTM in action?"); $ok = 0; } 
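Review bot: In the lib/Net/IMAP/InterIMAP.pm hunk, a certificate for which `Net::SSLeay::X509_get_X509_PUBKEY($cert)` returns undef is reported with the same "Fingerprint doesn't match! MiTM in action?" warning as a genuine pin mismatch, which misleads whoever reads the log; the outcome is still fail-closed (`$ok = 0`), but a distinct diagnostic such as `$self->_ssl_error("Can't extract the certificate's SPKI") unless defined $pkey;` before the `unless` would mirror the `_ssl_error` call used for an unknown digest name a few lines above. The new code relies on `X509_get_X509_PUBKEY` and `EVP_Digest`, which the Changelog hunk further down this page attributes to Net::SSLeay >= 1.73; unless the module already declares that minimum (its `use Net::SSLeay` line is outside the hunk), older installations would fail at connection time rather than at load. The comparison uses `eq` on `$digest`, which is decoded before the hunk, so its encoding (raw bytes vs. hex) must match what `EVP_Digest` returns; the removed `X509_digest` call presumably used the same convention, so this only needs confirming. `_ssl_verify` starts and ends outside the hunk.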
diff --git a/pullimap.md b/pullimap.md index 06e5988..cb2a07a 100644 --- a/pullimap.md +++ b/pullimap.md @@ -210,12 +210,19 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate (or its public key) in the - form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm - (by default `sha256`). +: Fingerprint of the server certificate's Subject Public Key Info, in + the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by + default `sha256`). Attempting to connect to a server with a non-matching certificate - fingerprint causes `pullimap` to abort the connection during the - SSL/TLS handshake. + SPKI fingerprint causes `pullimap` to abort the connection during + the SSL/TLS handshake. + + You can use the following command to compute the SHA-256 digest of + certificate's Subject Public Key Info. + + openssl x509 -in /path/to/server/certificate.pem -pubkey \ + | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 *SSL_verify* -- cgit v1.2.3 From 6d985b7f2a457043e83a5ca6d90a741c4424affa Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 1 Dec 2016 14:28:29 +0100 Subject: wibble --- interimap.sample | 4 ++-- pullimap.sample | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/interimap.sample b/interimap.sample index c3919ce..8cd0a29 100644 --- a/interimap.sample +++ b/interimap.sample @@ -10,7 +10,7 @@ null-stderr = YES [remote] #type = imaps -host = imap.guilhem.org +host = imap.example.org #port = 993 #proxy = socks5h://localhost:9050 username = guilhem @@ -22,6 +22,6 @@ SSL_CApath = /etc/ssl/certs #SSL_verify = YES #SSL_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 #SSL_cipherlist = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL -#SSL_fingerprint = sha256$62E436BB329C46A628314C49BDA7C2A2E86C57B2021B9A964B8FABB6540D3605 +#SSL_fingerprint = sha256$29111aea5d5be7e448bdc5c6e8a9d03bc9221c53c09b1cfbe6f953221e24dda0 # vim:ft=dosini diff --git a/pullimap.sample b/pullimap.sample index 63ff9de..136d3d4 100644 
--- a/pullimap.sample
+++ b/pullimap.sample
@@ -11,22 +11,22 @@ SSL_CApath = /etc/ssl/certs
 
 [private]
 #type = imaps
-host = imap.guilhem.org
+host = imap.private.org
 #port = 993
 #proxy = socks5h://localhost:9050
 username = guilhem
 password = xxxxxxxxxxxxxxxx
 #compress = YES
-#SSL_fingerprint = sha256$62E436BB329C46A628314C49BDA7C2A2E86C57B2021B9A964B8FABB6540D3605
+#SSL_fingerprint = sha256$d9915f4ad35b76d9eb40f34abd5e8f61edfaad3bf20d5336dc28efa8cc3921ad
 
 [work]
 #type = imaps
-host = imap.example.com
+host = imap.work.com
 #port = 993
 #proxy = socks5h://localhost:9050
 username = guilhem
 password = xxxxxxxxxxxxxxxx
 #compress = YES
-#SSL_fingerprint = sha256$c93677ac6a4ac7d0a2b412c1bfdd83b9191c853aa8685bf5440f154e647caacf
+#SSL_fingerprint = sha256$3956fd56921c02aeaffe4f8f576e802ee99ab5a096064f4fe7e6a0ad7b4b8a6e
 
 # vim:ft=dosini
--
cgit v1.2.3

From 2b03d0e9561f2ec31aee1519348721bbf4d80820 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 1 Dec 2016 14:39:29 +0100
Subject: Update changelog.

---
 Changelog | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/Changelog b/Changelog
index a1ae59f..f9ca699 100644
--- a/Changelog
+++ b/Changelog
@@ -1,13 +1,25 @@
 interimap (0.3) upstream;
 
- * Fix byte count for compression streams.
- * Add an option 'SSL_protocols' to list SSL protocols to enable or
+ + New script 'pullimap', to pull mails from an IMAP mailbox and
+ deliver them to a SMTP session.
+ + Convert manpage format from groff to pandoc.
+ + interimap: Add support for IMAP NOTIFY [RFC 5465].
+ + 'fingerprint' now only pins the cert's SPKI, not the cert itself
+ (require Net::SSLeay >=1.73).
+ - Fix byte count for compression streams.
+ - Add an option 'SSL_protocols' to list SSL protocols to enable or
 disable. The default value, "!SSLv2 !SSLv3", enables only TLSv1
 and above.
- * New script 'pullimap', to pull mails from an IMAP mailbox and
- deliver them to a SMTP session.
-
- -- Guilhem Moulin Mon, 28 Sep 2015 01:16:47 +0200
+ - Ensure "inbox" is always used in upper-case internally.
+ - Ensure the FD_CLOEXEC bit is 1 on sockets, logger and state files.
+ - Try again if connect(2) was interrupted.
+ - interimap: fix memory leak.
+ - interimap: use SQLite's own locking mechanism (instead of rolling
+ our own).
+ - interimap: when resuming a sync, only consider UIDs greater than a
+ known UIDNEXT.
+
+ -- Guilhem Moulin Thu, 01 Dec 2016 14:37:50 +0100
 
 interimap (0.2) upstream;
 
--
cgit v1.2.3

From d5b28183b91b0931db1d185ea04cbeae4a70a677 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 1 Dec 2016 15:35:39 +0100
Subject: interimap.service: s/--watch/--notify/.

---
 interimap.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interimap.service b/interimap.service
index 8c685d9..6e487d4 100644
--- a/interimap.service
+++ b/interimap.service
@@ -4,7 +4,7 @@ Wants=network-online.target
 After=network-online.target
 
 [Service]
-ExecStart=/usr/bin/interimap --watch
+ExecStart=/usr/bin/interimap --notify
 RestartSec=10min
 Restart=on-failure
 
--
cgit v1.2.3