From: Ken Hornstein
Date: Fri, 30 Sep 2016 19:15:08 +0000 (-0400)
Subject: Add -initialtls/-notls flags to msgchk.
X-Git-Url: https://diplodocus.org/git/nmh/commitdiff_plain/e19df85ee3edbc78b6029aa2344bb62bf4270747?ds=sidebyside;hp=f9494c69a257858a68635a3e98c189dcf1f2ec20

Add -initialtls/-notls flags to msgchk.
---

diff --git a/man/msgchk.man b/man/msgchk.man
index 226c82e4..fa502330 100644
--- a/man/msgchk.man
+++ b/man/msgchk.man
@@ -20,6 +20,8 @@ all/mail/nomail ]
 .RB [ \-sasl ]
 .RB [ \-saslmech
 .IR mechanism ]
+.RB [ \-initialtls ]
+.RB [ \-notls ]
 .RB [ \-authservice
 .IR service ]
 .RB [ \-snoop ]
@@ -147,10 +149,21 @@ and grant authorization to that account. See the
 .B mhlogin
 man page for more details.
 .PP
-Gmail only supports POP3 over TLS, but
-.B msgchk
-has no TLS support. To work around this, use something like
-.B -proxy 'openssl s_client -connect %h:995 -CAfile /etc/ssl/certs/ca-certificates.crt -quiet'
+If
+.B nmh
+has been compiled with TLS support, the
+.B \-initialtls
+switch will require the negotiation of TLS when connecting
+to the remote POP server. The
+.B \-initialtls
+switch will negotiate TLS immediately after the connection has taken place,
+before any POP commands are sent or received. Data encrypted by TLS is
+labeled `(tls-encrypted)' and `(tls-decrypted)` with viewing the POP
+transaction with the
+.B \-snoop
+switch. The
+.B \-notls
+switch will disable all attempts to negotiate TLS.
 .SH FILES
 .fc ^ ~
 .nf
diff --git a/uip/msgchk.c b/uip/msgchk.c
index 5861dae9..d7b2c2f0 100644
--- a/uip/msgchk.c
+++ b/uip/msgchk.c
@@ -20,6 +20,12 @@
 # define SASLminc(a) 0
 #endif
 
+#ifndef TLS_SUPPORT
+# define TLSminc(a) (a)
+#else
+# define TLSminc(a) 0
+#endif
+
 #define MSGCHK_SWITCHES \
 X("date", 0, DATESW) \
 X("nodate", 0, NDATESW) \
@@ -34,6 +40,8 @@
 X("sasl", SASLminc(4), SASLSW) \
 X("saslmech", SASLminc(5), SASLMECHSW) \
 X("authservice", SASLminc(0), AUTHSERVICESW) \
+ X("initialtls", TLSminc(-10), INITTLSSW) \
+ X("notls", TLSminc(-5), NOTLSSW) \
 X("proxy command", 0, PROXYSW) \
 
 #define X(sw, minchars, id) id,
@@ -72,14 +80,14 @@ DEFINE_SWITCH_ARRAY(MSGCHK, switches);
 static int donote (char *, int);
 static int checkmail (char *, char *, int, int, int);
 static int remotemail (char *, char *, char *, char *, int, int, int, int,
- char *, const char *);
+ char *, int, const char *);
 
 
 int
 main (int argc, char **argv)
 {
 int datesw = 1, notifysw = NT_ALL;
- int status = 0, sasl = 0;
+ int status = 0, sasl = 0, tls = 0;
 int snoop = 0, vecp = 0;
 char *cp, *host = NULL, *port = NULL, *user = NULL, *proxy = NULL;
 char buf[BUFSIZ], *saslmech = NULL, *auth_svc = NULL;
@@ -161,6 +169,14 @@ main (int argc, char **argv)
 adios (NULL, "missing argument to %s", argp[-2]);
 continue;
 
+ case INITTLSSW:
+ tls++;
+ continue;
+
+ case NOTLSSW:
+ tls = 0;
+ continue;
+
 case AUTHSERVICESW:
 #ifdef OAUTH_SUPPORT
 if (!(auth_svc = *argp++) || *auth_svc == '-')
@@ -202,11 +218,11 @@ main (int argc, char **argv)
 if (host) {
 if (vecp == 0) {
 status = remotemail (host, port, user, proxy, notifysw, 1,
- snoop, sasl, saslmech, auth_svc);
+ snoop, sasl, saslmech, tls, auth_svc);
 } else {
 for (vecp = 0; vec[vecp]; vecp++)
 status += remotemail (host, port, vec[vecp], proxy, notifysw, 0,
- snoop, sasl, saslmech, auth_svc);
+ snoop, sasl, saslmech, tls, auth_svc);
 }
 } else {
 if (user == NULL) user = getusername ();
@@ -330,7 +346,7 @@ extern char response[];
 
 static int
 remotemail (char *host, char *port, char *user, char *proxy, int notifysw,
- int personal, int snoop, int sasl, char *saslmech,
+ int personal, int snoop, int sasl, char *saslmech, int tls,
 const char *auth_svc)
 {
 int nmsgs, nbytes, status;
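Review bot: The `case INITTLSSW:` added in the -161 hunk sets `tls` unconditionally, but on a build without TLS_SUPPORT the TLSminc() macro from the first msgchk.c hunk only gives the switch a negative minchars, which (if it follows the SASLminc convention) keeps -initialtls recognised but unlisted, so a user asking for TLS on such a build still has `tls` forwarded through remotemail() to pop_init() per the -202 and -350 hunks; whether pop_init() then refuses or quietly continues in plaintext is outside this diff. The neighbouring AUTHSERVICESW case wraps its body in `#ifdef OAUTH_SUPPORT`, and the same shape here would make the mismatch explicit at option-parsing time, e.g. `#ifndef TLS_SUPPORT` / `adios (NULL, "not built with TLS support");` / `#endif` ahead of `tls++;`. A smaller style point: `tls++;` paired with `tls = 0;` in the NOTLSSW case reads as a counter, while every caller in view just forwards the value; `tls = 1;` keeps it a plain flag unless pop_init() distinguishes higher values. The switch statement in main() begins and ends outside this hunk.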
@@ -350,7 +366,7 @@ remotemail (char *host, char *port, char *user, char *proxy, int notifysw,
 
 /* open the POP connection */
 if (pop_init (host, port, creds.user, creds.password, proxy, snoop, sasl,
- saslmech, 0, auth_svc) == NOTOK
+ saslmech, tls, auth_svc) == NOTOK
 || pop_stat (&nmsgs, &nbytes) == NOTOK /* check for messages */
 || pop_quit () == NOTOK) { /* quit POP connection */
 advise (NULL, "%s", response);