[pmg-devel] [PATCH pmg-api 1/2] fix #6798: fetchmail: adapt to changed sslproto semantics
Stoiko Ivanov
s.ivanov at proxmox.com
Wed Sep 24 13:32:30 CEST 2025
fetchmail defaults to verifying certificates since version 6.4.0
see fetchmail(1)
- sslproto defaults to auto instead of ''
- when sslproto is not '' then implicit/opportunistic TLS (StartTLS)
is tried over the plain-text port
- this results in the current config parsing and writing to always
try a TLS-connection if the server offers starttls
additionally sslcertck (only accept trusted certificates) defaults to
true since 6.4.0
The combination of these two things has as a consequence that
unsetting 'use SSL' will fail for servers which have a self-signed
certificate installed (I expect many to still do so).
This patch simply fixes the 'use SSL' flag to disable all TLS
(explicit and opportunistic) and thus keep the expectations of users.
I did consider changing this to:
* either add a checkbox to ignore an invalid certificate.
* allow users to provide a fingerprint instead (not considered
further as fetchmail (in trixie) uses MD5 fingerprints, and this
seems a step back).
Since we ship versions with the semantic change since PMG 6.x (buster
shipped 6.4.0~beta43[0]) I don't think many users who use fetchmail
ran into this (also most ISPs/Mail providers have valid certificates
nowadays), the potential for regression should not be large.
We could consider deprecating plain-text IMAP/POP in a future version,
but I'd announce the deprecation with 9.0 to give it some visibility.
[0] https://manpages.debian.org/buster/fetchmail/fetchmail.1.en.html
Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
src/PMG/Fetchmail.pm | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/PMG/Fetchmail.pm b/src/PMG/Fetchmail.pm
index 3a647420..c35e03d8 100644
--- a/src/PMG/Fetchmail.pm
+++ b/src/PMG/Fetchmail.pm
@@ -143,6 +143,11 @@ sub read_fetchmail_conf {
my $finalize_item = sub {
my ($item) = @_;
+
+ if ($item->{ssl} && !$item->{ssl_proto}) {
+ die "conflicting SSL settings for $item->{id}\n" if $item->{enabled};
+ }
+
$cfg->{ $item->{id} } = $item;
};
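Review bot: the new check in `$finalize_item` reads `$item->{ssl_proto}`, but the parser hunk below stores the token under `$item->{sslproto}`, so `ssl_proto` is never set and every enabled entry with `ssl` set will die with "conflicting SSL settings" on config load. Even with the key name corrected, a falsy test (`!$item->{sslproto}`) cannot distinguish an absent `sslproto` (the normal case for existing entries written with only `ssl`) from an explicit `sslproto ''`; test for `defined $item->{sslproto} && $item->{sslproto} eq ''` (or whatever `$get_token_argument` returns for the empty quoted argument) so that existing SSL accounts keep loading after the upgrade.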
@@ -174,6 +179,8 @@ sub read_fetchmail_conf {
$item->{port} = $get_token_argument->();
} elsif ($token eq 'interval') {
$item->{interval} = $get_token_argument->();
+ } elsif ($token eq 'sslproto') {
+ $item->{sslproto} = $get_token_argument->();
} elsif (
$token eq 'ssl'
|| $token eq 'keep'
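Review bot: the write side of this patch emits the empty protocol as the literal `''`, so it should be confirmed that `$get_token_argument` strips the quotes and `$item->{sslproto}` ends up as the empty string rather than the two-character string `''`, otherwise the finalize check never sees a false value. Also, a user-specified `sslproto` value (e.g. a pinned protocol version) is parsed into `$item->{sslproto}` here but `write_fetchmail_conf` only ever emits `ssl` or `sslproto ''`, so such a setting is silently dropped on the next rewrite; either carry the parsed value through to the options or state that PMG owns this key.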
@@ -210,7 +217,11 @@ sub write_fetchmail_conf {
}
$set_fetchmail_defaults->($item);
my $options = ['dropdelivered'];
- push @$options, 'ssl' if $item->{ssl};
+ if ($item->{ssl}) {
+ push @$options, 'ssl';
+ } else {
+ push @$options, ('sslproto', '\'\'');
+ }
push @$options, 'keep' if $item->{keep};
$item->{options} = join(' ', @$options);
$data->{$id} = $item;
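Review bot: the `else` branch disables opportunistic STARTTLS for every entry without the 'use SSL' flag, which is the stated intent, but it means credentials for those accounts go over the plain-text port even to servers that offer STARTTLS with a valid certificate; the `ssl` branch keeps fetchmail's default `sslcertck`, so verification still applies there. A short comment above the `else` explaining why `sslproto ''` is written (the 6.4.0 semantics from the commit message) would help anyone reading the generated fetchmailrc, and the line should probably only be emitted when the parsed `$item->{sslproto}` was not already set to a user-chosen value.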
--
2.47.3