fetchmail-friends

Re: authentication failure with UW imapd IMAP4rev1 2000.283

2001-02-11 22:02:46
OK, if any of you have access to GSSAPI or Kerberos-capable POP or IMAP
servers, please read carefully...

Todd Sabin <tas(_at_)webspan(_dot_)net>:
It was broken in the
general case, not just the uw-imap2000 case.  The problem was the
usage of gen_transact, which caused part of the CRAM dialog to be
tagged, which is wrong.

Yup, you're right.  See below.
 
BTW, I'm not so happy with the ok function.  The char* argument seems
to be completely unnecessary most of the places *_ok is used.  Note
the otherwise unnecessary dummy variable in do_cram_md5 now.  Also,
there's no size argument for the char*, which makes it an accident
waiting to happen.

Yes, this is grubby.  See below.

Also, feel free to ignore the driver.c change.  It's unrelated, but
something that I've been adding to my builds for a long time.  I fetch
mail from a number of mailboxes and find that having a header that
tells which mailbox fetchmail pulled it from makes sorting it properly
that much simpler.  Figured someone else might find it useful.

I might take this patch, separated and cleaned up.

p.s.  If you want to use a free mail server that supports CRAM-MD5, try
www.mailandnews.com.  Their IMAP server has other issues, but it does
support CRAM-MD5.

Charles Bueche lent me the use of his CRAM-savvy IMAP server, and I
went on a tear.

The good news is, I now have CRAM-MD5 working with both the IMAP 2000
imapd and the pop3d proxy, and it's a cleaner fix than yours.  I bit
the bullet and created a way to disable tagging in gen_transact.  I
then went through and rewrote most of the ad-hoc gen_send/gen_recv
pairs in the authentication code to be gen_transacts with tagging
disabled instead.  This simplified the code no end and will give us
better transaction logging.

More good news is that while I was at it I tore apart and redesigned
the whole authentication part of the code.  The IMAP-K4 and IMAP-GSS
protocols are now history; instead, both the POP3 and IMAP drivers now
look for authentication methods in decreasing order of coolness until
they either find one the server supports or fall out the bottom and
have to do straight login with password.

The search order is GSSAPI, KERBEROS, CRAM, X-OTP, NTLM, and LOGIN.
So if you have one of the protocols that doesn't need a password at all
compiled in, those get tried first.  You can force a particular authentication
method if you need to with --preauth.

So everything is now cleaned up and nicely orthogonal.  And your patch
isn't necessary, because gen_transact can be used pretty much everywhere
now; no more passing in the OK function.  (We can discuss cleaning up the 
argument profile of the *_ok() functions as a separate issue).

So what's the bad news?

I know CRAM-MD5 works.  I know login works.  But in doing all this it
is possible that I have broken the GSSAPI and Kerberos code.  I don't
have a way to test that.

So I'm going to ship another release tonight.  And here's my request to all
of you who have access to a POP3 or IMAP server that can do GSSAPI or 
Kerberos:

1. Please test the new release against it ASAP.  Calling

        fetchmail -c -v

should test your authentication without touching your mailbox.

2. If possible, try to get me a test account on the server.  In order
to do systematic regression testing, I want to collect test accounts 
in as many different kinds of POP3 and IMAP server as possible.

Right now I have access to the following:

IMAP4rev1 v12.264       at imap.ccil.org        (UW IMAP)
POP3 v7.64              at pop3.ccil.org        Unknown
IMAP4rev1 v10.168       at pop3.netaxs.com      (UW IMAP)
QPOP (version 2.53)     at popcorn.netaxs.com   (Eudora QPOPPER)
IMAP4rev1 2000.287      at neo.netnea.com       (IMAP2000 POP3 imapd)
POP3 v2000.70           at neo.netnea.com       (IMAP2000 POP3 gateway)

I'd like to collect more sites, especially sites with unusual servers and
unusual authentication methods.  My plan is to write a big honkin' 
regression test harness that shotguns dated mail to each test site 
and then tries to collect it all.  Voila!  Instant compatibility
test, to be run at least once before every release.
-- 
                Eric S. Raymond <http://www.tuxedo.org/~esr/>

It is the assumption of this book that a work of art is a gift, not a
commodity.  Or, to state the modern case with more precision, that works of
art exist simultaneously in two "economies," a market economy and a gift
economy.  Only one of these is essential, however: a work of art can survive
without the market, but where there is no gift there is no art.
        -- Lewis Hyde, The Gift: Imagination and the Erotic Life of Property


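The two mechanics this message turns on, as an added illustration (not fetchmail's code): picking an authentication method in the stated order of preference from what the server advertises, and the CRAM-MD5 exchange in which only the AUTHENTICATE command carries an IMAP tag while the reply to the server's "+" continuation is a bare base64 line. Names such as choose_auth and imap_cram_md5_dialog are assumed here; the sample challenge is the one from RFC 2195.

```python
import base64
import hashlib
import hmac

# Preference order from the message, strongest first. LOGIN is the plain
# password fallback used when nothing better is both compiled in and offered.
AUTH_ORDER = ["GSSAPI", "KERBEROS_V4", "CRAM-MD5", "X-OTP", "NTLM"]


def choose_auth(capability_line, compiled_in):
    """Return the first method in AUTH_ORDER that is compiled in and advertised
    by the server as AUTH=<name>; otherwise fall back to LOGIN."""
    offered = {w[5:] for w in capability_line.split() if w.startswith("AUTH=")}
    for method in AUTH_ORDER:
        if method in compiled_in and method in offered:
            return method
    return "LOGIN"


def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 client response: HMAC-MD5(password, challenge) as lowercase hex,
    then base64('user hexdigest')."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def imap_cram_md5_dialog(tag, user, password, server_continuation):
    """Lines the client sends for IMAP AUTHENTICATE CRAM-MD5. Only the command
    is tagged; the answer to the '+ ' continuation must be untagged, which is
    exactly what went wrong when gen_transact tagged it."""
    if not server_continuation.startswith("+ "):
        raise ValueError("expected continuation request, got: " + server_continuation)
    challenge_b64 = server_continuation[2:].strip()
    return [f"{tag} AUTHENTICATE CRAM-MD5",
            cram_md5_response(user, password, challenge_b64)]


if __name__ == "__main__":
    # Constructed sample exchange using the RFC 2195 example challenge.
    chal = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    caps = "* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=LOGIN"
    print("chosen:", choose_auth(caps, {"CRAM-MD5", "NTLM"}))
    for line in imap_cram_md5_dialog("A001", "tim", "tanstaaftanstaaf", "+ " + chal):
        print("C:", line)
```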