1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
|
interimap (0.5.4) upstream;
* libinterimap: make SSL_verify also checks that the certificate
Subject Alternative Name (SAN) or Subject CommonName (CN) matches the
hostname or IP literal specified by the 'host' option. Previously it
was only checking the chain of trust. This bumps the minimum
Net::SSLeay version to 1.83 and OpenSSL version 1.0.2.
+ libinterimap: show the matching pinned SPKI in --debug mode.
+ test suite: always generate new certificates on `make test`. Hence
running `make test` now requires OpenSSL 1.1.1 or later.
+ test suite: sign all test certificates with the same root CA.
+ libinterimap: factor out hostname/IP parsing.
+ document that enclosing 'host' value in square brackets forces its
interpretation as an IP literal (hence skips name resolution).
- documentation: replace example.org with example.net for consistency.
-- Guilhem Moulin <guilhem@fripost.org> Thu, 10 Dec 2020 14:22:05 +0100
interimap (0.5.3) upstream;
* libinterimap: SSL_fingerprint now supports a space-separate list of
digests to pin, and succeeds if, and only if, the peer certificate
SPKI matches one of the pinned digest values. Specifying multiple
digest values can key useful in key rollover scenarios and/or when
the server supports certificates of different types (for instance
RSA+ECDSA).
- libinterimap: 'null-stderr' is now ignored when the 'debug' flag is
set (the standard error is never sent to /dev/null).
- test suite: use a RSA certificate rather than ECDSA.
- test suite: new test with a server offering both RSA+ECDSA
certificates. This test requires dovecot-imapd 2.2.31 or later.
-- Guilhem Moulin <guilhem@fripost.org> Wed, 09 Dec 2020 15:32:01 +0100
interimap (0.5.2) upstream;
- Makefile: remove 'smart' extension from pandoc call to generate
manuals (it's no longer supported by pandoc 2.9 which generates \[lq]
and \[rq] in the groff output anyway).
- libinterimap: fix response injection vulnerability after STARTTLS.
For background see https://gitlab.com/muttmua/mutt/-/issues/248 .
- libinterimap: abort on PREAUTH greeting received on plaintext
connections (set "STARTTLS = NO" to ignore). This is similar to
CVE-2020-12398 and CVE-2020-14093.
* libinterimap: fail when a capability to ENABLE is missing from the
server's CAPABILITY listing.
-- Guilhem Moulin <guilhem@fripost.org> Mon, 03 Aug 2020 20:50:41 +0200
interimap (0.5.1) upstream;
+ pullimap: also compare RFC 5322 date and envelope information in
mailbox comparison tests.
+ interimap, pullimap: remove `use lib` statement.
* Makefile: major refactoring, add install and uninstall targets, honor
BUILD_DOCDIR and DESTDIR variables.
-- Guilhem Moulin <guilhem@fripost.org> Thu, 02 Jul 2020 00:15:03 +0200
interimap (0.5) upstream;
Breaking changes:
* interimap: when matching mailbox names against the 'ignore-mailbox'
pattern, the hierarchy delimiter is substituted with a null character
before hand. For instance one should now use '^virtual(?:\x00|$)' to
exclude the mailbox named 'virtual' as well as its descendants
(regardless of the hierarchy delimiter in use).
Other changes:
* interimap: the space-speparated list of names and/or patterns in
'list-mailbox' can now contain C-style escape sequences (backslash
and hexadecimal escape).
* interimap: fail when two non-INBOX LIST replies return different
separators. This never happens for a single LIST command, but may
happen if mailboxes from different namespaces are being listed. The
workaround here is to run a new interimap instance for each
namespace.
* libinterimap: in tunnel mode, use a socketpair rather than two pipes
for IPC between the interimap and the IMAP server. Also, use
SOCK_CLOEXEC to save an fcntl() call when setting the close-on-exec
flag on the socket.
* interimap: new option 'list-reference' to specify a reference name.
This is useful for synchronizing multiple remote servers against
different namespaces belonging to the same local IMAP server (using a
different InterIMAP instance for each local namespace <-> remote
synchronization, for instance with the newly provided systemd
template unit file).
* Add a test-suite. (Requires dovecot-imapd, pkill(1) and xxd(1).)
* Completely refactor the documentation. In particular, move manpages
to a new 'doc' directory, and generate HTML documentation with `make
html`.
+ interimap: write which --target to use in --delete command
suggestions.
+ interimap: avoid caching hierarchy delimiters forever in the
database. Instead, use null characters internally, and substitute
them with the local and remote hierarchy delimiters (which thus no
longer need to match) for IMAP commands. This require a database
schema upgrade to alter the mailbox name column type from TEXT to
BLOB.
+ interimap: use the 'user_version' SQLite PRAGMA for database schema
version.
+ interimap, pullimap: in the manpage, clarify that the tunnel command
is run following Perl's `exec` semantics: it is passed to `/bin/sh -c`
when it contains shell metacharacters; and split into words and passed
to execvp(3) otherwise.
+ interimap, pullimap: redact AUTHENTICATE and LOGIN commands in
--debug mode in order to avoid inadvertently receiving credentials in
bug reports. --debug can be set twice to spell out these commands in
full.
+ interimap: new option 'log-prefix' to control the prefix of each log
entry, depending on the component name and relevant mailbox.
+ interimap: raise SELECT sample range size from 64 to 256 bytes.
- libinterimap: bugfix: hierarchy delimiters in LIST responses were
returned as an escaped quoted special, like "\\", not as a single
character (backslash in this case).
- libinterimap: the parser choked on responses with non-quoted/literal
astring containing ']' characters. And LIST responses with
non-quoted/literal list-mailbox names containing '%', '*' or ']'
characters.
- libinterimap: quote() the empty string as "" instead of a 0-length
literal. (This saves 3 bytes + one round-trip on servers not
supporting non-synchronizing literals, and 4 bytes otherwise.)
- interimap: unlike what the documentation said, spaces where not
allowed in the 'list-select-opts' configuration option, so at maximum
one selector could be used for the initial LIST command.
- interimap: unlike what the documentation said, 'ignore-mailbox' was
not ignored when names were specified as command line arguments.
- interimap: accept comma-separated values for --target.
- interimap: --rename of a \NonExistent mailbox didn't trigger a RENAME
command on the local/remote IMAP servers, nor an update of the
'mailboxes' table.
- interimap: don't try to delete \NoSelect mailboxes (it's an error per
RFC 3501 sec. 6.3.4).
- interimap: SQLite were not enforcing foreign key constraints (setting
the 'foreign_keys' PRAGMA during a transaction is a documented no-op).
- interimap: fix handling of mod-sequence values greater or equal than
2 << 63.
- libinterimap: use directories relative to $HOME for the XDG
environment variables default values. Previously getpwuid() was
called to determine the user's home directory, while the XDG
specification explicitely mentions $HOME. Conveniently our docs
always mentioned ~/, which on POSIX-compliant systems expands to the
value of the variable HOME. (Cf. Shell and Utilities volume of
POSIX.1-2017, sec. 2.6.1.)
- libinterimap: don't panic() when inflate() reports the end of the
compression stream is reached.
- libinterimap: the 'compress' boolean wasn't honored.
- libinterimap: fix STARTTLS directive, broken since 0.2.
- libinterimap: push_flag_updates(): the UNCHANGEDSINCE test from
the CONDSTORE extension was incorrectly placed after the flag list in
UID STORE commands.
- libinterimap: push_flag_updates(): ignore UIDs for which no untagged
FETCH response was received.
- libinterimap: push_flag_updates(): don't ignores received updates (by
another client) to a superset of the desigred flag list.
- libinterimap: avoid sending large UID EXPUNGE|FETCH|STORE commands as
they might exceed the server's max acceptable command size; these
commands are now split into multiple (sequential) commands when their
set representation exceeds 4096 bytes in size. Performance could be
improved by pipelining but given the scope of this software
(synchronization) it's unlikely to make any difference in practice.
This is a also a workaround for a bug in Dovecot 2.3.4:
https://dovecot.org/pipermail/dovecot/2019-November/117522.html
- interimap: for the reason explained above, limit number of messages
to 128 per APPEND command (only on servers advertizing MULTIAPPEND,
for other servers the number remains 1).
- interimap: gracefully ignore messages with a NIL RFC822 attribute.
- pullimap: treat messages with a NIL RFC822 attribute as empty.
- pullimap: fix mangling of data lines starting with a dot (when an RFC
5322 line starts with a '.', double it).
-- Guilhem Moulin <guilhem@fripost.org> Sat, 14 Dec 2019 18:42:25 +0100
interimap (0.4) upstream;
* pullimap: replace non RFC 5321-compliant envelope sender addresses
(received by the IMAP FETCH ENVELOPE command) with the null address
<>.
* pullimap, interimap: take configuration filename (default: "config")
relative to $XDG_CONFIG_HOME/$NAME (or ~/.config/$NAME), to comply
with the XDG specification. Thus the previous default config file
$XDG_CONFIG_HOME/$NAME should become $XDG_CONFIG_HOME/$NAME/config.
* Library: add support for TLSv1.3 (on recent enough Net::SSLeay), and
change "SSL_protocols" default value from "!SSLv2 !SSLv3" to "!SSLv2
!SSLv3 !TLSv1 !TLSv1.1".
+ Library: new API idle_start() and idle_stop().
+ Add support for untagged ESEARCH responses from RFC 4731.
+ pullimap: Use extended SEARCH commands (RFC 4731) if supported by
the server to search old mail and EXPUNGE them.
+ pullimap, interimap: don't autocreate statefile or database in
long-lived mode (when --watch or --idle is set). Instead, an error
is raised if the statefile or database doesn't exist.
- Ensure the lower bound of UID ranges is at least 1.
- Fix manpage generation with pandoc >=2.1.
- Specify minimum Perl and Net::SSLeay versions.
- interimap.service: use --watch=60 rather than --notify, because
dovecot's NOTIFY extension doesn't seem to work so well as of 2.2.27.
-- Guilhem Moulin <guilhem@fripost.org> Sun, 20 Jan 2019 20:30:08 +0100
interimap (0.3) upstream;
+ New script 'pullimap', to pull mails from an IMAP mailbox and
deliver them to an SMTP session.
+ Convert manpage format from groff to pandoc.
+ interimap: Add support for IMAP NOTIFY [RFC 5465].
+ 'fingerprint' now only pins the cert's SPKI, not the cert itself
(require Net::SSLeay >=1.73).
- Fix byte count for compression streams.
- Add an option 'SSL_protocols' to list SSL protocols to enable or
disable. The default value, "!SSLv2 !SSLv3", enables only TLSv1
and above.
- Ensure "inbox" is always used in upper-case internally.
- Ensure the FD_CLOEXEC bit is 1 on sockets, logger and state files.
- Try again if connect(2) was interrupted.
- interimap: fix memory leak.
- interimap: use SQLite's own locking mechanism (instead of rolling
our own).
- interimap: when resuming a sync, only consider UIDs greater than a
known UIDNEXT.
-- Guilhem Moulin <guilhem@fripost.org> Thu, 01 Dec 2016 14:37:50 +0100
interimap (0.2) upstream;
* Add support for the IMAP COMPRESS extension [RFC4978]. By default
enabled for the remote server, and disabled for the local server.
* Add traffic statistics after closing the connection to the IMAP
server.
* Add a configuration option 'null-stderr=YES' to send STDERR to
/dev/null for type=tunnel.
* Exit with return value 0 when receiving a SIGTERM.
* Add SSL options SINGLE_ECDH_USE, SINGLE_DH_USE, NO_SSLv2, NO_SSLv3
and NO_COMPRESSION to the compiled-in CTX options.
* Use SSL_MODE_AUTO_RETRY to avoid SSL_read failures during a
handshake.
* Rename the 'SSL_verify_trusted_peer', 'SSL_ca_path', and
'SSL_cipher_list' options to 'SSL_CApath', 'SSL_verify' and
'SSL_cipherlist', respectively.
* Add an option 'SSL_CAfile' to specify a file containing trusted
certificates to use during server certificate authentication.
* Replace IO::Socket::SSL dependency by the lower level Net::SSLeay.
* Accept non-fully qualified commands.
* Replace IO::Socket::INET dependency by the lower lever Socket to enable
IPv6. (Both are core Perl module.)
* Add a configuration option 'proxy' to proxy TCP connections to the
IMAP server.
* Set X.509 certificate purpose to 'SSL Server' for SSL_verify=YES.
* Display the certificate chain, SSL protocol and cipher in debug
mode.
* Bug fix: don't delete the lockfile if another instance of interimap
is running.
* Display source UIDs upon APPEND. Previously only target UIDs where
displayed in non-debug mode.
-- Guilhem Moulin <guilhem@fripost.org> Wed, 09 Sep 2015 00:44:35 +0200
interimap (0.1) upstream;
* Initial public release. Development was started in July 2015.
-- Guilhem Moulin <guilhem@fripost.org> Mon, 07 Sep 2015 17:14:42 +0200
|