Public bug reported:

Version 6.4.16 is unable to fetch mail from the underwood onion site.
This is the output when trying to connect:

fetchmail: normal termination, status 2
fetchmail: 6.4.16 querying underwood-onion (protocol IMAP) at Wed 30 Jun 2021 02:10:52 PM UTC: poll started
fetchmail: Trying to connect to 127.0.0.1/12345...connected.
fetchmail: IMAP< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
fetchmail: IMAP> A0001 CAPABILITY
fetchmail: IMAP< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
fetchmail: IMAP< A0001 OK Pre-login capabilities listed, post-login capabilities have more.
fetchmail: IMAP> A0002 STARTTLS
fetchmail: IMAP< A0002 BAD TLS support isn't enabled.
fetchmail: 127.0.0.1: upgrade to TLS failed.
fetchmail: Unknown login or authentication error on billyikes@127.0.0.1
fetchmail: socket error while fetching from billyikes@underwood-onion

This worked with past versions.  To reproduce, use this stanza in
.fetchmailrc:

skip underwood-onion via 127.0.0.1
        protocol       imap
        port           12345
        username       "billyikes"
        sslproto       'SSL3+'
        no sslcertck
        fetchall

Note that past working stanzas did not need "sslproto" or "no sslcertck",
but they were introduced after upgrading to 6.4.16.

Run these commands:

$ socat TCP4-LISTEN:12345,reuseaddr,fork SOCKS4A:127.0.0.1:underwood2hj3pwd.onion:143,socksport=9050

$ fetchmail -v -d0 underwood-onion

$ pkill socat

This is one report, but there are a few bugs here:

1) inability to connect to handshake with bad TLS protocols. It's an
onion site, so SSL is not needed for crypto (it's there for a different
purpose).  So if fetchmail is judging the crypto to be insecure, it's
overzealous in this case.

2) the "Unknown login or authentication error" is not only a false
error, it's alarming.  It's the worst kind of false error because it
tells the user that there's a problem with their account.

3) there is no per-account SOCKS4a config parameter, so users are pushed
into this inconvenient and ugly hack of running socat and piping through
that.  The "plugin" parameter does not help in this case because
fetchmail still attempts to resolve the underwood2hj3pwd.onion outside
of the proxy.

Bug \3 has always existed, but 1 & 2 are new regressions.

** Affects: fetchmail (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  Version 6.4.16 is unable to fetch mail from the underwood onion site.
  This is the output when trying to connect:
  
  fetchmail: normal termination, status 2
  fetchmail: 6.4.16 querying underwood-onion (protocol IMAP) at Wed 30 Jun 2021 
02:10:52 PM UTC: poll started
  fetchmail: Trying to connect to 127.0.0.1/12345...connected.
  fetchmail: IMAP< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS 
ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
  fetchmail: IMAP> A0001 CAPABILITY
  fetchmail: IMAP< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID 
ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
  fetchmail: IMAP< A0001 OK Pre-login capabilities listed, post-login 
capabilities have more.
  fetchmail: IMAP> A0002 STARTTLS
  fetchmail: IMAP< A0002 BAD TLS support isn't enabled.
  fetchmail: 127.0.0.1: upgrade to TLS failed.
  fetchmail: Unknown login or authentication error on billyikes@127.0.0.1
  fetchmail: socket error while fetching from billyikes@underwood-onion
  
  This worked with past versions.  To reproduce, use this stanza in
  .fetchmailrc:
  
  skip underwood-onion via 127.0.0.1
-         protocol       imap
-         port           12345
-         username       "billyikes"
-         sslproto       'SSL3+'
-       no sslcertck
-         fetchall
+         protocol       imap
+         port           12345
+         username       "billyikes"
+         sslproto       'SSL3+'
+  no sslcertck
+         fetchall
  
  Note that past working stanzas did not need "sslproto" or "no sslcertck"
  but were introduced to after upgrading to 6.4.16.
  
  run these commands:
  
  $ socat TCP4-LISTEN:12345,reuseaddr,fork
  SOCKS4A:127.0.0.1:underwood2hj3pwd.onion:143,socksport=9050
  
  $ fetchmail -v -d0 underwood-onion
  
  $ pkill socat
  
  This is one report, but there are a few bugs here:
  
  1) inability to connect to handshake with bad TLS protocols. It's an
  onion site, so SSL is not needed for crypto (it's there for a different
  purpose).  So if fetchmail is judging the crypto to be insecure, it's
  overzealous in this case.
  
  2) the "Unknown login or authentication error" is not only a false
  error, it's alarming.  It's the worst kind of false error because it
  tells the user that there's a problem with their account.
  
  3) there is no per-account SOCKS4a config parameter, so users are pushed
  into this inconvenient and ugly hack of running socat and piping through
  that.  The "plugin" parameter does not help in this case because
  fetchmail still attempts to resolve the underwood2hj3pwd.onion outside
  of the proxy.
  
- Bug 3 has always existed, but 1 & 2 are new regressions.
+ Bug \3 has always existed, but 1 & 2 are new regressions.
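
Review bot: in the stanza lines, `no sslcertck` ends up indented by two spaces while every other option keeps nine, and nothing else in those lines changes; align it with the other options so the reproduction stanza reads as one block. The last line replaces "Bug 3" with "Bug \3"; if the backslash is an escape to keep the number from being auto-linked, writing "Item 3" or "Point 3" would be clearer.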

https://bugs.launchpad.net/bugs/1934155

Title:
  fetchmail can no longer connect to underwood & gives false error msg
  (TLS issues)
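
An added example, not part of the original report or of fetchmail: a small Python classifier run over the verbose log lines quoted in the report (unwrapped). It shows that the server's capability list contains no STARTTLS and that no LOGIN or AUTHENTICATE command was sent before the "authentication error" line appeared. The names `parse`, `diagnose` and the finding labels are hypothetical.

```python
import re
# Constructed sample: the IMAP lines from the report, with wrapped lines rejoined.
TRANSCRIPT = """\
fetchmail: IMAP< * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
fetchmail: IMAP> A0001 CAPABILITY
fetchmail: IMAP< * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
fetchmail: IMAP< A0001 OK Pre-login capabilities listed, post-login capabilities have more.
fetchmail: IMAP> A0002 STARTTLS
fetchmail: IMAP< A0002 BAD TLS support isn't enabled.
fetchmail: 127.0.0.1: upgrade to TLS failed.
fetchmail: Unknown login or authentication error on billyikes@127.0.0.1
"""

LINE = re.compile(r"^fetchmail: IMAP([<>]) (\S+) (.*)$")
AUTH_CMDS = {"LOGIN", "AUTHENTICATE"}

def parse(transcript):
    """Return (advertised capabilities, {tag: command sent}, {tag: reply status})."""
    caps, sent, replies = set(), {}, {}
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # fetchmail's own status lines carry no IMAP traffic
        direction, tag, rest = m.groups()
        if direction == ">":
            sent[tag] = rest.split()[0].upper()
        elif tag == "*":  # untagged "* CAPABILITY ..." or "[CAPABILITY ...]" code
            c = re.search(r"CAPABILITY ([^\]]*)", rest)
            if c:
                caps.update(c.group(1).upper().split())
        else:
            replies[tag] = rest.split()[0].upper()
    return caps, sent, replies

def diagnose(transcript):
    """Separate a refused TLS upgrade from a real credential rejection."""
    caps, sent, replies = parse(transcript)
    findings = []
    for tag, cmd in sent.items():
        status = replies.get(tag)
        if cmd == "STARTTLS" and "STARTTLS" not in caps:
            findings.append("starttls-not-advertised")
        if cmd == "STARTTLS" and status in ("NO", "BAD"):
            findings.append("starttls-refused")
        if cmd in AUTH_CMDS and status == "NO":
            findings.append("auth-rejected")
    if not AUTH_CMDS & set(sent.values()):
        findings.append("no-credentials-sent")
    return findings
```

`diagnose(TRANSCRIPT)` reports the refused, unadvertised STARTTLS and the absence of any credential exchange, which is the distinction the log's final error line hides.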
