1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
|
Version 1.4.21:
- Build with libgsasl by default again (if found).
- Add IDN support to --configure (build with libidn2 to enable this).
Version 1.4.20:
- No significant changes.
Version 1.4.19:
- Add support for SCRAM-SHA-256-PLUS and SCRAM-SHA-1-PLUS authentication, and
prefer SCRAM methods over the PLAIN method because of their superior
properties.
Version 1.4.18:
- No significant changes.
Version 1.4.17:
- Added a new configuration command 'eval' to replace the current configuration
file line with the output of a command (similar to passwordeval, but more
general).
Version 1.4.16:
- No significant changes.
Version 1.4.15:
- Added mpopd, a minimal POP3 server that delivers mails from a local mailbox
in maildir format. It can be used by end users as a way to handle incoming
mail via mpop with mail clients that insist on using POP3.
Version 1.4.14:
- No significant changes.
Version 1.4.13:
- Added support for SCRAM-SHA-256 authentication via GNU SASL
Version 1.4.12:
- Added support for libtls as an alternative to GnuTLS
Version 1.4.11:
- Added support for XOAUTH2, the predecessor of OAUTHBEARER.
- The passwordeval command can now handle very long input, which can be
necessary for OAUTHBEARER and XOAUTH2.
- GnuTLS >= 3.4 is required
Version 1.4.10:
- Improved handling of temporary files on Windows systems.
- Re-enabled support for systems lacking vasprintf(), such as IBM i PASE.
Version 1.4.9:
- No significant changes.
Version 1.4.8:
- Added a new socket command and --socket option to connect via local sockets.
- Added a new tls_host_override command and --tls-host-override option to
override the host name used for TLS verification.
- Fixed the source_ip command for proxies.
Version 1.4.7:
- Minor bug fixes.
Version 1.4.6:
- Minor bug fixes.
Version 1.4.5:
- Fixed OAUTHBEARER.
- Support for TLS client certificates via PKCS11 devices, e.g. smart cards.
- Various small bug fixes and improvements.
Version 1.4.4:
- Added support for the OAUTHBEARER authentication method.
- Several minor bug fixes.
Version 1.4.3:
- This version fixes a security problem that affects version 1.4.2 (older
versions are not affected): when the new default value system for
tls_trust_file is used, the result of certificate verification was not
properly checked.
Version 1.4.2:
- To simplify TLS setup, the tls_trust_file command has a new default value
'system' that selects the system default trust. Now you just need tls=on to
use TLS; the other TLS options are only required in special cases.
To make this work without breaking compatibility with older mpop versions,
tls_fingerprint now overrides tls_trust_file, and tls_certcheck=off overrides
both (previously, you could not specify contradicting options).
- To simplify setup, a new option '--configure <mailaddress>' was added that
automatically generates a configuration file for a given mail address.
However, this only works if the mail domain publishes appropriate SRV records.
Version 1.4.1:
- Fixed our TLS code to support TLS 1.3 with GnuTLS.
Version 1.4.0:
- Using OpenSSL is discouraged and may not be supported in the future. Please
use GnuTLS instead. The reasons are explained here:
https://marlam.de/mpop/news/openssl-discouraged/
- As using GNU SASL is most likely unnecessary, it is disabled by default now.
Since everything uses TLS nowadays and thus can use PLAIN authentication, you
really only need it for GSSAPI.
- If your system requires a library for IDN support, libidn2 is now used instead
of the older libidn.
- The APOP and CRAM-MD5 authentication method are marked as obsolete / insecure
and will not be chosen automatically anymore.
- The passwordeval command does not require the password to be terminated by a
new line character anymore.
- Builtin default port numbers are now used instead of consulting /etc/services.
- Support for DJGPP and for systems lacking vasprintf(), mkstemp(), or tmpfile()
is removed.
Version 1.2.8:
- Fix support for ~/.config/mpop/config as configuration file
- Add --source-ip option and source_ip command to bind the outgoing connection
to a specific source IP address.
- Enable SNI for TLS
Version 1.2.7:
- Add support for ~/.config/mpop/config as configuration file
- Add network timeout handling on Windows
- Fix command line handling of SHA256 TLS fingerprints
- Update german translation
Version 1.2.6:
- Return better error code when one or more accounts fail.
Version 1.2.5:
- Support SHA256 fingerprints for tls_fingerprint, and mark both SHA1 and MD5 as
deprecated.
Version 1.2.4:
- The system default policy is used with GnuTLS instead of a hardcoded one.
Version 1.2.3:
- A bug in SOCKS support was fixed.
- Handling non-fatal errors in TLS handshakes was fixed.
Version 1.2.2:
- No significant changes.
Version 1.2.1:
- The new configure option --with-tls replaces --with-ssl.
- A new configure option --disable-gai-idn was added.
Version 1.2.0:
- Support for SOCKS proxies was added. This allows mpop to be used with Tor.
- GNOME Keyring support now uses libsecret instead of libgnome-keyring. It is
now documented how to use secret-tool to manage passwords for mpop; the
obsolete mpop-gnome-tool script is removed.
- Configuration file security is now only checked if the file actually contains
secrets such as passwords. (If you still store passwords in the configuration
file, consider using the passwordeval command or a key ring instead.)
- The GSSAPI authentication method is not chosen automatically anymore, you have
to request it manually if you really want to use it.
- Libidn is not required for IDN support anymore on systems where getaddrinfo()
supports the AI_IDN flag and the GnuTLS version is >= 3.4.0.
- SSLv3 is disabled, and the obsolete tls_force_sslv3 command and
--tls-force-sslv3 option have no effect anymore.
Version 1.0.29:
- No significant changes.
Version 1.0.28:
- No significant changes.
Version 1.0.27:
- No significant changes.
Version 1.0.26:
- No significant changes.
Version 1.0.25:
- DIGEST-MD5 authentication is not considered secure any longer. See RFC 6331.
Version 1.0.24:
- The build system was updated, and as a consequence some options to the
configure script have changed. See './configure --help'.
- The license of the manual was changed from the GNU FDL to a very simple
permissive license.
- Unmaintained translations (es, pt_BR) were removed.
Version 1.0.23:
- No significant changes.
Version 1.0.22:
- A new command 'received_header' with a corresponding '--received-header'
option allows to disable the default Received header if required.
- A new command 'passwordeval' with a corresponding '--passwordeval' option
allows to set the password to the output of a command.
Version 1.0.21:
- No significant changes.
Version 1.0.20:
- Added support for authentication mechanism SCRAM-SHA-1 via GNU SASL.
- The new command tls_fingerprint allows one to trust one particular TLS
certificate, in case tls_trust_file cannot be used for some reason.
- The new script mpop-gnome-tool.py manages Gnome Keyring passwords for mpop.
Version 1.0.19:
- When using OpenSSL, mpop now correctly handles NUL characters in the Common
Name and Subject Alternative Name fields of certificates. This fixes a
security problem. Note that mpop is not affected by this problem if GnuTLS is
used.
- Mpop can now handle mail boxes larger than 2 GiB on 32bit systems. Previously,
this only worked on 64bit systems.
Version 1.0.18:
- Delivery to MS Exchange pickup directories is now supported, thanks to Julien
Larigaldie.
Version 1.0.17:
- No significant changes.
Version 1.0.16:
- Mpop now also reads SYSCONFDIR/netrc if the password was not found in
~/.netrc.
- Support for the GNOME keyring was added by Satoru SATOH.
Version 1.0.15:
- This version fixes two bad bugs that prevented mpop from correctly retrieving
mails under certain cicumstances.
Version 1.0.14:
- The configuration command tls_crl_file was added. This allows to use
certificate revocation lists (CRLs) during certificate verification.
- The configuration command tls_min_dh_prime_bits was added. This is needed to
use TLS/SSL with servers that use a small Diffie-Hellman (DH) prime size.
- The configuration command tls_priorities was added. This allows to fine tune
TLS/SSL session parameters.
Version 1.0.13:
- Support for the Mac OS X keychain was added by Jay Soffian.
Version 1.0.12:
- No significant changes.
Version 1.0.11:
- The license was updated to GPLv3 or later (source code) and GFDLv1.2 or later
(documentation).
- Bug fixes and improvements for large POP3 mail boxes with thousands of mails
were made.
Version 1.0.10:
- A bug in the UID handling code was fixed. The bug was introduced in version
1.0.7. As a consequence, if you update from version 1.0.7-1.0.9, the first
invocation of this new mpop version will download all mails from the server,
even mails that were retrieved before.
Version 1.0.9:
- Security fix:
- APOP authentication is vulnerable to man-in-the-middle attacks. See
CVE-2007-1558. Such attacks might lead to password disclosure.
Therefore, mpop does not use APOP automatically without TLS anymore.
Additionally, mpop's checks on the APOP challenge were too lax in previous
versions, making attacks easier than necessary. This has been fixed.
- Security improvements:
- NTLM authentication is considered insecure because it is undocumented. It
is therefore not used automatically without TLS anymore.
- TLS requires tls_trust_file or a disabled tls_certcheck now, so that it is
not silently vulnerable to man-in-the-middle attacks.
Version 1.0.8:
- Improved workarounds for POP3 servers that are not exactly RFC conformant.
For example, pipelining is now enabled automatically for pop.gmail.com and
some other servers.
Version 1.0.7:
- Mpop now works with the Comcast.net POP3 server, thanks to a patch by
Benji Fisher.
Version 1.0.6:
- The default setting for pipelining is now "auto". "on" and "off" now have a
slightly different meaning: they force pipelining on or off regardless of
server capabilities.
If you use pipelining=on and your POP3 sessions hang, switch to
pipelining=auto.
Version 1.0.5:
- No significant changes.
Version 1.0.4:
- No significant changes.
Version 1.0.3:
- A spanish translation was added by Carlos MartÃn Nieto. Thanks a lot!
- GNU SASL support works again (it was broken in 1.0.2).
Version 1.0.2:
- The configuration command tls_force_sslv3 was added. This is needed to use
TLS/SSL with some old and broken servers.
Version 1.0.1:
- The default UIDLS file changed from "~/.mpop_uidls" to
"~/.mpop_uidls/%U_at_%H".
%U and %H will be replaced with the user and host name of an account.
This means that every account uses its own UIDLS file now.
!!! IMPORTANT !!!
If you update from mpop-1.0.0, you *must* do one of the following:
- If your ~/.mpop_uidls file contains no UIDs, delete it.
- If you want to keep using it, add the following line to the "defaults"
section of your configuration file:
uidls_file ~/.mpop_uidls
Version 1.0.0:
- Added the option --all-accounts (-a) to query all accounts in the
configuration file. Changed the short option for --auth-only from -a to -A.
Version 0.8.5:
- Removed the simple_mbox delivery method because it is unnecessary. Please use
the mbox method instead.
- Optional support for Internationalized Domain Names (IDN) was added.
GNU Libidn is required for this.
- mpop will now respond to CTRL+C immediately, because all network operations
are now interruptible.
- The options of the configure script have changed! Please read the file INSTALL
for more information.
- Some minor bugfixes and improvements were made.
Version 0.8.4:
- The only_new command and --only-new option were re-added, but with a slightly
different meaning. The default behaviour is compatible to previous 0.8.x
versions.
Version 0.8.3:
- UIDLS files created by versions prior to 0.5.0 are not accepted anymore.
Version 0.8.2:
- Removed the OpenSSL exception note from the license information.
Version 0.8.1:
- Bugfix: Don't leave stale messages on the server.
Version 0.8.0:
- Fixed handling of servers that do not support pipelining.
- mpop will now always remember mails that were already retrieved and delivered,
even in case of errors or program termination. These mails will never be
retrieved a second time. The only_new command and only-new option were
therefore removed.
- The 'connect_timeout' setting was replaced by a 'timeout' setting that applies
to all network operations.
Version 0.7.0:
- Native language support (NLS) was added. Currently the only supported language
besides english is german, but it is easy to add more translations (hint,
hint)!
- When delivering mail, mpop adds a Received header now
- The parameters pipeline_min and pipeline_max are no longer configurable; they
are compile time constants now.
- Minor improvements all over the place
Version 0.6.3:
- No new festures, just bugfixes.
Version 0.6.2:
- Delivery to maildir folder is now possible. Example:
delivery maildir ~/Mail/incoming
- Filter scripts can now use the envelope from address and the size of a mail.
Example:
filter ~/bin/my-pop3-filter.sh --from=%F --size=%S
Version 0.6.1:
- This is a hotfix release because of the following error:
If TLS is not used and a mail with a line longer than 1023 characters is read,
a null character was wrongly inserted into that line.
Version 0.6.0:
- Implemented delivery to mbox mailboxes. There are now two methods to deliver
mails: mda and mbox. You can choose one with the new "delivery" command.
BEWARE: When switching from 0.5.0, you need to convert your configuration
file to use the new command by inserting "delivery" before all "mda"
commands.
Version 0.5.0:
- Speed improvements through network efficient POP3 command usage and faster
UID comparison. Use the pipelining command to speed up your POP3 sessions.
- Added support for the .netrc file: If a password is needed but none is given,
mpop will try to find it in ~/.netrc, and if that fails, mpop will prompt you
for it.
- Nicer output
Version 0.4.3:
- One important bugfix (potential segfault)
Version 0.4.2:
- mpop can now keep track of already retrieved mails. Use only_new=on (or
--only-new=on on the command line) to process only new messages and ignore
already retrieved messages.
The file to store the lists of unique IDs of already retrieved messages in is
~/.mpop_uidls by default. This can be changed with uidls_file/--uidls-file.
Version 0.4.1:
- Added the new connect_timeout command and --connect-timeout option.
- Added specialisation to account definitions. See documentation of the
account command and the example files.
Version 0.4.0:
- The default_mda command is obsolete: there's a new defaults command to set
default values for all following commands.
- The password will be prompted for if non is given in the configuration file
- The user configuration file is required to have no more permissions than
0600 (user read/write).
- Added support for AUTH EXTERNAL
- Various cleanups
- You need GnuTLS >= 1.2.0 now if you want GnuTLS support.
Version 0.3.1:
- --serverinfo is now usable without valid authentication data
Version 0.3.0:
- You can now filter your mails before downloading them by inspecting only the
mail headers: use the new filter command or --filter option. Your POP3 server
must support the POP3 TOP command for this to work.
- Added --mda option
- Various bugfixes and cleanups
Version 0.2.0:
- Update to the latest msmtp code base:
- New command line options; see the man page or the --help text
- Optional GNU SASL support. In addition to the built-in USER/PASS and APOP
methods, there's support for PLAIN, CRAM-MD5, DIGEST-MD5, GSSAPI, LOGIN,
and NTLM. Beware: This has not been tested yet!
- TLS certificate information output with --serverinfo and -debug
- Long option support on all platforms (thanks to gnulib)
- Enhanced almost all commands to allow unsetting of features
- Changed commands: "tls_nostarttls" is replaced by "tls_starttls off" and
"tls_nocertcheck" by "tls_certcheck off"
Version 0.1.4:
- IPv6 support on Windows systems
- *Lots* of small bug fixes and improvements
Version 0.1.3:
- When an error occurs, the so far successfully delivered mails will not be
undeleted on the server anymore. This should prevent double download of
mails.
Version 0.1.2:
- This version can be compiled without TLS/SSL support; use
--disable-ssl if you really want that.
Version 0.1.1:
- New commands: default_mda, killsize, skipsize
- Important bug fixes
Version 0.1.0:
- initial public release; 90% of the code comes from msmtp
read the TODO file to find out about missing and untested features!
|
