fetchmail can no longer connect to underwood & gives false error msg (TLS issues)

Bill,

as to your report, I'll break it down along the same bug numbers.
Note I am speaking as the upstream maintainer here and am unaware of Ubuntu's or Debian's packaging decisions.

Bug #1. Fetchmail behaves properly. You requested some sslproto on a non-wrapped port (i. e. no "ssl" option), so fetchmail tries STARTTLS instead, which then fails. I suggest you re-read the manual for the relevant options that you are using and potential references from those options to others, if any. This is deliberately worded quite vaguely.

Bug #2 fetchmail has a 'login or authentication' error it cannot spell out in more detail for you, hence "unknown". Feel free to propose a better wording.

3a. I suggest you read the section "SOCKS" of the manual page. New options are quite high maintenance and I can't test them upstream for lack of socks proxies.

3b. From your earlier report [*] I suppose you might get away with something such as:

poll underwood2hj3pwd.onion via 127.0.0.1
        plugin "socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050"
# other options here

_____
[*] https://bugs.launchpad.net/ubuntu/+source/fetchmail/+bug/1924609

Hello Bill,

I agree with Matthias' reply: fetchmail seems to be working just as expected. Also please note that we use this bug tracker to work on bugs in Ubuntu, so feature requests like a per-account SOCKS4a config parameter don't really fit here; at a first look the right venue would be [1].

I'm marking this bug report as Incomplete for now. If you still believe you found a bug in how fetchmail handles ssl/tls/starttls connections please provide more details about your findings and change the bug status back to New, we'll look to it again. Otherwise if you agree we don't really have a bug here please change the report status to Invalid. Thanks!

[1] https://gitlab.com/fetchmail/fetchmail/

I appreciate the quick response, but I have to say both of you overlooked some of the data I presented, so I will elaborate. I was able to workaround the bug, but there are still bugs here. Having read the man page more times, I continue to find more anomalies than answers, which I will elaborate here.

To be clear, fetchmail changed, not my config. This config works on fetchmail 6.3.26 but fails on 6.4.16:

```
skip underwood-onion via 127.0.0.1
        protocol imap
        port 12345
        username "billyikes"
        fetchall
```
Nothing in your response suggests that I should expect this config to be treated differently from the two different versions of fetchmail. But it is. Verbose output shows that version 6.4.16 sends a "STARTTLS" even though the config does not call for SSL/TLS in any way. That's a bug. The man page says "sslproto auto" is a default which superficially seems reasonable until you notice that "auto" actually imposes TLS. This is a distortion of what users expect by the meaning of "automatic".

My first attempt at a fix for underwood was to add these lines (which fixed some of my stanzas for other servers):
~~~
sslproto 'SSL3+'
no sslcertck
~~~
Intution suggests this means: "If the server demands SSL, then be permissive and allow SSL3 or newer, but don't bother checking whether the cert is good or not, just use it if the server insists". But what we find is that the behavior is not intuitive w.r.t the options. And because it fails the rule of least astonishment, I'm calling it a bug. Moreover, the new manpage states:

"This option has a dual use, out of historic fetchmail behaviour. It controls both the SSL/TLS protocol version and, if --ssl is not specified, the STARTTLS behaviour (upgrading the protocol to an SSL or TLS connection in-band). Some other options may however make TLS mandatory."

To say sslproto "controls STARTTLS behaviour" without fully specifying how that behavior is controlled is a recipe for confusion. An empty argument is said to disable STARTTLS, but that was always the case. So there are two problems here. The first problem is that STARTTLS is technical under-the-hood jargon that end users probably should not be responsible for understanding. Users are basically told whether SSL/TLS is used, not what low-level commands are being passed to make that happen. The second problem is that auto states "require TLS", but does not mention the low-level "STARTTLS" that the section mentioned earlier. It's not clear if fetchmail is treating "TLS" and "STARTTLS" as one in the same, but users wouldn't generally know the underlying details expressed in RFC specs. We do see some ESPs making a distinction (e.g. https://danwin1210.me/mail/) IOW, STARTTLS is mentioned just enough to confuse, and not enough to be understandable.

Apart from the misleading & non-intuitive wording, some things are plainly false. E.g. this statement from the man page is simply not true:

"Only if this option [sslproto] and --ssl are both missing for a poll, there will be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to upgrade to TLSv1 or newer."

If that were a true statement, then...

I've also noticed that "auto" and "TLS1+" have the same meaning when passed to --SSLPROTO. That's part of the problem. So now there is duplication, and no way to get opportunistic crypto. If auto was previously opportunistic, then the change to remove it should be rolled back.

Bill,

I can sense quite a deal of frustration on your end, and am sorry for that. I should have mentioned to also look into the NEWS file, which at least would have told you that sslcertck is now the default. Fetchmail's -vv verbose mode might also try to log more details on the decisions along the way...

Your feedback as to how you find documentation confusing or incomplete or incompletely referenced is helpful, thank you for that - although it will take a while before improvements will make it into Ubuntu, this is due to how software ends up for Ubuntu.

On the other hand, I must say that nobody promised that fetchmail 6.4 would be bug-for-bug-compatible with 6.3, and fetchmail has indeed changed in the years between the 6.3.26 and 6.4.1X releases. In particular, I was making fetchmail 6.4 protect users' credentials more thoroughly, and this is why fetchmail finally defaults to certificate validation, and that makes "opportunistic" encryption quite a bit more mandatory, and the failing STARTTLS after the server hadn't offered it was/is not helpful: In order to validate certificates, fetchmail will try to obtain one - and on a non-SSL connection this means starttls, and fetchmail tries it blind.

I see that it is less transparent to users than I would have hoped, so thanks for mirroring that - the certificate validation makes TLS (or STARTTLS in-band negotiation for that matter) less opportunistic and more mandatory than parts of the documentation suggest.

So, "no sslcertck" is currently required to make "opportunistic" TLS really opportunistic (your "config 2" - and not in an obscure way mandatory), and "sslproto ''" indeed defeats TLS negotiation at all (your config 3).

I need to think a bit more about which changes could go into 6.5, and which will have to wait for 7.0, where the version is more of a flag to users that reads "beware of incompatibilities".

I see that I overlooked the NEWS file. That's more detailed than I'm used to seeing. As I was just now skimming through it, it was clear that moves made to protect users from weak algorithms assumed they're on an untunneled connection, which is not always the case. Sometimes the SSL is just used for verification and the crypto is just redundant.

I should also mention that I struggled with the "no sslcertck" syntax. All the options I've been using to that point were "<key> <value>" format, and "no sslcertck" is an exceptional transpose of it. I first tried "sslcertck no" because I was sure the key-value wouldn't flip. But in fact the "keyword" really included a space. Coupled with the inconsistency of some keywords starting with "set", I felt I couldn't trust the man page. Adding to the confusion, some options take arguments and some do not, but the Keyword/Option Summary table doesn't show any BNF and it omits the <value> token, making so we have to work out from the wording of the "Function" column whether it's unary or takes an argument.

Anyway, I appreciate your help and I hope my feedback helps for future revisions.

Thanks for the report Bill and even more for the awesome and detailed explanations Matthias!
AFAICS there is nothing in here for Ubuntu to fix "right now". As versions 6.5/7.0 are releases we will pick them up but that isn't what this bug was about.

Gladly config based solutions were found to handle the problem, but I'll mark the bug as incomplete to auto-expire if nothing else needs to be added in your opinion.

[Expired for fetchmail (Ubuntu) because there has been no activity for 60 days.]