INSTALL Instructions for fetchmail
==================================

Building from Git repository: see README.git

Packagers and port/emerge maintainers: see README.packaging.


If you have installed binaries (e.g. from a Linux RPM or DPKG, Solaris
package or FreeBSD port), you can skip to step 5 below.

---------------------------------------------------------------------
The Frequently Asked Questions list, included as the file FAQ in this
distribution, answers the most common questions about configuring and
running fetchmail.
---------------------------------------------------------------------


1. PREPARATIONS: USEFUL THINGS TO INSTALL FIRST

1.1 Choose a TLS/SSL library.

OpenSSL has been used for a long time and is tested and proven.
See README.SSL for details.

Forked libraries deriving from OpenSSL and under the SSLeay or OpenSSL license
cannot be used due to licensing issues, and are not supported.
This affects, f.i., LibreSSL, unless it is part of the operating system
(f. i., on OpenBSD).  However, LibreSSL diverges from OpenSSL and is
not supported by the fetchmail maintainer.

Since 6.4.27 and for fetchmail 6.5.x, there has been experimental support for
recent wolfSSL versions, which is under GNU GPL v3 (as of wolfSSL 5.8.2) or
later license and hence may be easier for a consistent GPLv2+ licensing of
fetchmail.  Due to the higher support effort for wolfSSL, it may be removed
before the next fetchmail major release.

Choose between OpenSSL or wolfSSL.

1.1a OpenSSL

If you are installing OpenSSL yourself, it is recommended that you build
shared OpenSSL libraries, it works better and updating OpenSSL does not
then require you to reinstall all applications that use OpenSSL.

Try after unpacking OpenSSL:

	./config shared && make && make test && make install

1.1b wolfSSL

If you are installing wolfSSL yourself, be sure to use a hardened build
with all OpenSSL APIs - you may add --enable-debug,
and note that --enable-opensslextra does NOT suffice.
Also note that overriding AM_CFLAGS or CFLAGS in wolfSSL's build may break
the OpenSSL compatibility layer.

  env "CFLAGS=-DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_BLIND_PRIVATE_KEY -O" \
	./configure --enable-opensslall --enable-harden \
  	--enable-context-extra-user-data
  make && make test && make install

fetchmail's configure option --with-wolfssl takes precedence over --with-ssl.

1.2 gettext (internationalization)

Internationalization of fetchmail requires GNU gettext (libintl and
libiconv). Fetchmail, as of version 6.3.0, no longer ships its own
libintl copy.  Note that some systems include gettext in their libc.

1.3 (removed, required library no longer available and uses weak/broken
     MD4 and MD5 hash schemes)

1.4 IPv6

Building in IPv6 support *requires* an up-to-date operating system.
Recent Linux versions with glibc 2.1.1 or newer, FreeBSD, Solaris should
be fine.

1.5 Optional requisites

Python 3 (which needs to provide a "python3" command) can be used to run a few
additional tests in "make check" and tries fetching from a local mock POP3
server currently.

Python 3 and the Tk or Tkinter package are required to run fetchmailconf,
a graphical configuration utility.


2. Configuring can be done with autotools (./configure) or meson

The following sections will have A or B variants depending on
whether you'll use GNU autoconf/automake ("autotools") or the meson
build system <https://mesonbuild.com/>


2A. CONFIGURE

2A.1 Basic options

Installing fetchmail is easy.  From within this directory, type:

When using OpenSSL:

  ./configure

  It is possible to either specify the install path, or pkg-config
  module name, with --with-ssl, examples:

  ./configure --with-ssl=/opt/openssl3

  ./configure --with-ssl=eopenssl30

When using wolfSSL (adjust the trust file location, see below):

  ./configure --with-wolfssl \
  WOLFSSL_TRUST_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Here, you need to adjust the file path according to where your ca_cert_nss or
ca-certificates package installs the default trust bundle in PEM format with
BEGIN CERTIFICATE lines.
wolfSSL 5.1 cannot parse BEGIN TRUSTED CERTIFICATE bundles.

Some typical locations as of 2021 are:
on Fedora Linux:  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
on Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt
on FreeBSD:       /usr/local/share/certs/ca-root-nss.crt

The auto-configuration script will spend a bit of time figuring out the
specifics of your system.  If you want to specify a particular compiler
(e.g. you have gcc but want to compile with cc), set the environment
variable CC before you run configure.

The configure script accepts certain standard configuration options.
These include --prefix, --exec-prefix, --bindir, --infodir, --mandir,
and --srcdir.  Run 'configure --help' for more.

POP2 support is no longer compiled in by default, as POP2 is way obsolete
and there don't seem to be any live servers for it any more.  You can
configure it back in if you want with 'configure --enable-POP2', but
leaving it out cuts the executable's size slightly.

Support for CompuServe's RPA authentication method (rather similar to
APOP) is available but also not included in the standard build.  You
can compile it in with 'configure --enable-RPA'.

Support for Microsoft's NTLM authentication method is also available
but not included in the standard build either.  You can compile it in
with 'configure --enable-NTLM'.

Support for authentication using RFC1731 GSSAPI is available
but also not included by default.  You can compile it in with
'configure --with-gssapi', which looks for GSSAPI support in standard
locations (/usr, /usr/local).  Be sure to have the matching krb5-config
on PATH!
  If you set --with-GSSAPI=DIR, you can direct the build to look for GSSAPI
support under DIR, which may not work on all systems.

Hooks for the OpenSSL library (see http://www.openssl.org/) are
included in the distribution.  Fetchmail 6.4 enables these by default.
Fetchmail's configure script will query pkg-config (pkgconf) or failing that,
probe some default locations for the include/openssl/ssl.h file. If this
doesn't work (i. e. configure prints "SSL support enabled, but OpenSSL not
found" and aborts), you need to give the explicit prefix of your OpenSSL
installation (specify the directory that contains OpenSSL's "include"
subdirectory), for instance: "--with-ssl=/example/path" would assume that you
have an /example/path/include/openssl/ssl.h header file.

2A.2 Advanced options

Specifying --with-kerberos=DIR or --with-kerberos5=DIR will tell the
fetchmail build process to look in DIR for Kerberos support.
Configure normally looks in /usr/kerberos and /usr/athena; if you
specify this option with an argument it will look in DIR first.

Unfortunately, there doesn't seem to be good standardization of where
Kerberos lives.  If your configuration doesn't match one of the four
that fetchmail's configure.in knows about, you may find you have to
hand-hack the Makefile a bit.

You may also want to hand-hack the Makefile if you're writing a custom
or bleeding-edge resolver library.  In that case you will probably
want to add -lresolv or whatever to the definition of LOADLIBS.

It is also possible to explicitly condition out the support for
POP3, IMAP, and ETRN (with configure arguments of --disable-POP3,
--disable-IMAP, and --disable-ETRN respectively).


2B.1 CONFIGURE WITH meson

Run:

    meson setup \
         -Dbuildtype=release -Doptimization=3 \
         -Db_lto=true -Db_pie=true \
	 _build

If you want to use wolfssl,

 - add -Dtls_library=wolfssl

 - add -DWOLFSSL_TRUST_FILE=/path/to/cert.pem (default: /etc/ssl/cert.pem)

Here, you need to adjust the file path according to where your ca_cert_nss or
ca-certificates package installs the default trust bundle in PEM format with
BEGIN CERTIFICATE lines.
wolfSSL 5.1 cannot parse BEGIN TRUSTED CERTIFICATE bundles.


3A. BUILD (./configure based)

Run

	make check

This should compile fetchmail for your system.  If fetchmail fails to build
properly, see the FAQ section B on build-time problems.

On multi-core computers, run

	make -j8 check

on a computer that supports 8 CPU threads at the same time (for instance,
Octocore computers or Quad-core computers supporting two threads per core).

3B. BUILD (meson based)

Run	ninja -C _build test


4A. INSTALL (.configure based)

Lastly, become root and run

	make install

This will install fetchmail.  By default, fetchmail will be installed
in /usr/local/bin, with the man page in /usr/local/man/man1.  You can
use the configure options --bindir and --mandir to change these.

If you are tight on disk space, you can run instead

	make install-strip

NOTE: If you are using an MTA other than sendmail (such as qmail,
exim, or smail), see the FAQ (section T) for discussion of any special
configuration steps that may be necessary.

4B. INSTALL (meson based)

Run
	ninja -C _build install


5. SET UP A RUN CONTROL FILE

See the man page for a description of how to configure your individual
preferences.

If you're upgrading from popclient, see question F4 in the FAQ file.


6. TEST

I strongly recommend that your first fetchmail run use the -v, -a and -k
options, in case there is something not quite right with your server,
your local delivery configuration or your port 25 listener.  Also,
beware of aliases that direct your local mail back to the server host!

This software is known to work with the qpop/popper series of freeware
POP3 servers; also with the IMAP2bis and IMAP4 servers that are
distributed with Pine from the University of Washington; also with the
Cyrus IMAP server from CMU.  This covers all the servers commonly
hosted on Linux and *BSD systems.  It also works with the IMAP service
of Microsoft Exchange, despite the fact that Microsoft Exchange is
extremely broken (returns incorrect message lengths in LIST
responses).

See the FAQ, section S, for detailed advice on running with various
servers.


7. REPORTING BUGS

You should read the FAQ file question G3 before reporting a bug.


8. USE IT

Once you've verified your configuration, you can start fetchmail to
run in background and forget about it.  Enjoy!


END of text file INSTALL