Fork of isync with filter support
639c84ea28
such connections don't support STARTTLS. that is reasonable, as whatever makes the connection preauthenticated (typically a Tunnel used to launch imapd via a shell login) must already rely on the connection's security. consequently, we would not try to use STARTTLS with such connections. unfortunately, we'd also skip the RequireSSL check as a side effect. this means that a rogue server (via a MITM attack) could simply offer a preauthenticated connection to make us not use SSL, and thus bypass server authentication. as a result, we could send potentially sensitive data to the attacker: - with Patterns used, we would send a LIST command which reveals the remote Path setting. this isn't very useful to an attacker. also, IMAP Accounts usually rely on the server-provided NAMESPACE to start with. - with Create enabled for the remote Store, we would upload messages from newly appeared local folders. this isn't a very likely situation, unless the attacker manages to convince the victim to move/copy interesting mails to a new folder right before the attack. - with Expunge enabled for the local Store, previously synchronized folders would be wiped. however, this would require the attacker to know the correct UIDVALIDITY of each remote folder, which would require incredible luck or convincing the victim to disclose them. the first mismatch would likely tip off the victim. in practice, someone with the level of technical and social engineering skills required for this attack would very likely find more attractive attack vectors. therefore, i don't consider this a particularly serious issue. configurations with UseIMAPS enabled or using a secure Tunnel were not affected to start with. a side effect of this fix is that most users of Tunnel will now need to explicitly set RequireSSL to false. an alternative approach would be defaulting all SSL-related settings to off when Tunnel is used. this would be too invasive for a patch release, but i'll consider it for 1.2. see also CVE-2014-2567 for the Trojita MUA. |
||
---|---|---|
debian | ||
src | ||
.gitignore | ||
acinclude.m4 | ||
AUTHORS | ||
autogen.sh | ||
configure.ac | ||
COPYING | ||
get-cert | ||
isync.spec.in | ||
Makefile.am | ||
NEWS | ||
README | ||
TODO |
_ (_)___ _ _ _ __ ___ | / __| | | | '_ \ / __| | \__ \ |_| | | | | (__ |_|___/\__, |_| |_|\___| |___/ isync/mbsync - free (GPL) mailbox synchronization program http://isync.sf.net/ See AUTHORS for contact information. ``mbsync'' is a command line application which synchronizes mailboxes; currently Maildir and IMAP4 mailboxes are supported. New messages, message deletions and flag changes can be propagated both ways. ``mbsync'' is suitable for use in IMAP-disconnected mode. Synchronization is based on unique message identifiers (UIDs), so no identification conflicts can occur (as opposed to some other mail synchronizers). Synchronization state is kept in one local text file per mailbox pair; multiple replicas of a mailbox can be maintained. isync is the project name, while mbsync is the current executable name; this change was necessary because of massive changes in the user interface. An isync executable still exists; it is a compatibility wrapper around mbsync. * Features * Fine-grained selection of synchronization operations to perform * Synchronizes single mailboxes or entire mailbox collections * Partial mirrors possible: keep only the latest messages locally * Trash functionality: backup messages before removing them * IMAP features: * Supports TLS/SSL via imaps: (port 993) and STARTTLS (RFC2595) * Supports CRAM-MD5 (RFC2195) for authentication * Supports NAMESPACE (RFC2342) for simplified configuration * Pipelining for maximum speed * Compatibility isync should work fairly well with any IMAP4 compliant server; servers that support the UIDPLUS and LITERAL+ extensions are most efficient. Courier 1.4.3 is known to be buggy, version 1.7.3 works fine. c-client (UW-IMAP, Pine) is mostly fine, but versions less than 2004a.352 tend to change UIDVALIDITY pretty often when used with unix/mbox mailboxes, making isync refuse synchronization. M$ Exchange (up to 2010 at least) occasionally exposes the same problem. The "cure" is to simply copy the new UIDVALIDITY from the affected mailbox to mbsync's state file. This is a Bad Hack (TM), but it works - use at your own risk (if the UIDVALIDITY change was genuine, this will delete all messages in the affected mailbox - not that this ever happened to me). * Platforms At some point, ``isync'' has successfully run on: Linux, Solaris 2.7, OpenBSD 2.8, FreeBSD 4.3. Note that Cygwin cannot be reasonably supported due to restrictions of the Windows file system. * Requirements Berkley DB 4.2+ OpenSSL for TLS/SSL support (optional) * Installation ./autogen.sh (only when building from git) ./configure make sudo make install * Help Please see the man page for complete documentation.