fetchmail can no longer connect to underwood & gives false error msg (TLS issues)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
fetchmail (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
Version 6.4.16 is unable to fetch mail from the underwood onion site. This is the output when trying to connect:
fetchmail: normal termination, status 2
fetchmail: 6.4.16 querying underwood-onion (protocol IMAP) at Wed 30 Jun 2021 02:10:52 PM UTC: poll started
fetchmail: Trying to connect to 127.0.0.
fetchmail: IMAP< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
fetchmail: IMAP> A0001 CAPABILITY
fetchmail: IMAP< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
fetchmail: IMAP< A0001 OK Pre-login capabilities listed, post-login capabilities have more.
fetchmail: IMAP> A0002 STARTTLS
fetchmail: IMAP< A0002 BAD TLS support isn't enabled.
fetchmail: 127.0.0.1: upgrade to TLS failed.
fetchmail: Unknown login or authentication error on billyikes@127.0.0.1
fetchmail: socket error while fetching from billyikes@
This worked with past versions. To reproduce, use this stanza in .fetchmailrc:
skip underwood-onion via 127.0.0.1
protocol imap
port 12345
username "billyikes"
sslproto 'SSL3+'
no sslcertck
fetchall
Note that past working stanzas did not need "sslproto" or "no sslcertck" but were introduced to after upgrading to 6.4.16.
run these commands:
$ socat TCP4-LISTEN:
$ fetchmail -v -d0 underwood-onion
$ pkill socat
It's the same outcome if "sslproto 'SSL23'" is used instead.
This is one report, but there are a few bugs here:
1) inability to connect to handshake with bad TLS protocols. It's an onion site, so SSL is not needed for crypto (it's there for a different purpose). So if fetchmail is judging the crypto to be insecure, it's overzealous in this case.
2) the "Unknown login or authentication error" is not only a false error, it's alarming. It's the worst kind of false error because it tells the user that there's a problem with their account.
3) there is no per-account SOCKS4a config parameter, so users are pushed into this inconvenient and ugly hack of running socat and piping through that. The "plugin" parameter does not help in this case because fetchmail still attempts to resolve the underwood2hj3pw
Bug (3) has always existed, but (1) & (2) are new regressions.
description: | updated |
description: | updated |
description: | updated |
Changed in fetchmail (Ubuntu): | |
status: | Incomplete → New |
Bill,
as to your report, I'll break it down along the same bug numbers.
Note I am speaking as the upstream maintainer here and am unaware of Ubuntu's or Debian's packaging decisions.
Bug #1. Fetchmail behaves properly. You requested some sslproto on a non-wrapped port (i. e. no "ssl" option), so fetchmail tries STARTTLS instead, which then fails. I suggest you re-read the manual for the relevant options that you are using and potential references from those options to others, if any. This is deliberately worded quite vaguely.
Bug #2 fetchmail has a 'login or authentication' error it cannot spell out in more detail for you, hence "unknown". Feel free to propose a better wording.
3a. I suggest you read the section "SOCKS" of the manual page. New options are quite high maintenance and I can't test them upstream for lack of socks proxies.
3b. From your earlier report [*] I suppose you might get away with something such as:
poll underwood2hj3pw d.onion via 127.0.0.1 127.0.0. 1:%h:%p, socksport= 9050"
plugin "socat STDIO SOCKS4A:
# other options here
_____ /bugs.launchpad .net/ubuntu/ +source/ fetchmail/ +bug/1924609
[*] https:/