Commit Graph

117 Commits

Author SHA1 Message Date
Ebben Aries
9bfd610230 change hard coding of AF_UNSPEC to user-defined address-families per repository
Some environments that return AAAA records for their IMAP servers can pose
problems for clients that do not have end-to-end IPv6 connectivity for a number
of reasons (e.g. policy, lack of full routing, security, etc..)

Even with a fallback mechanism in place, you can still arrive at IMAP
implementations that could prevent authentication from unknown IPv6 space. This
in itself is not enough to fallback to IPv4 since there is an actual connection
on that socket.

This change is for introducing a user-defined value:

  [Repository imap-remote]
  ipv6 = no

to create a preference per repository on which AF to connect to the remote
server on

ipv6 = yes (AF_INET6)
ipv6 = no (AF_INET)
unspecified = default

Signed-off-by: Ebben Aries <e@dscp.org>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2016-02-23 06:57:21 +01:00
Ray Song
b670bb2022 XOAUTH2 handler: urlopen with proxied socket
Signed-off-by: Ray Song <i@maskray.me>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2016-02-15 11:14:50 +01:00
ojab
cfa704bbf2 Allow authorization via XOAUTH2 using access token
Signed-off-by: Slava Kardakov <ojab@ojab.ru>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2015-12-30 00:25:57 +01:00
Valentin Lab
b2adf2d258 fix: avoid writing password to log
Github-fix: #266
Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2015-11-04 08:00:50 +01:00
Ben Boeckel
f03afcd224 imapserver: add a tls_level option
Allow the user to block usage of known-bad versions of SSL and TLS.

Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2015-10-12 15:54:15 +02:00
Christopher Corley
f7efaa2093 learn XOAUTH2 authentication
Signed-off-by: François Lamboley <francois.lamboley@happn.com>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2015-10-06 14:24:42 +02:00
Nicolas Sebrecht
300f884c09 idle: continue trying selecting the folder on OfflineImapError.Error
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2015-03-18 23:09:34 +01:00
夏恺(Xia Kai)
d36209a305 add proxy support powered by PySocks
Read proxy option in imapserver, instantiate a class in imaplibutil
using a self-defined keyword and a socket instance, and use this socket
instance to substitute the default socket instance used in imaplib2.

Signed-off-by: 夏恺(Xia Kai) <xiaket@gmail.com>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2015-02-17 10:34:20 +01:00
Nicolas Sebrecht
461554b7b1 more style consistency
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2015-02-10 17:25:00 +01:00
Eygene Ryabinkin
f69613965f Make OS-default CA certificate file to be requested explicitely
This simplifies logics for the user, especially if he uses both
fingerprint and certificate validation: it is hard to maintain
the compatibility with the prior behaviour and to avoid getting
default CA bundle to be disabled when fingerprint verification
is requested.

See
  http://thread.gmane.org/gmane.mail.imap.offlineimap.general/6695
for discussion about this change.

Default CA bundle is requested via 'sslcertfile = OS-DEFAULT'.

I had also enforced all cases where explicitely-requested CA bundles
are non-existent to be hard errors: when users asks us to use CA
bundle (and, thus, certificate validation), but we can't find one,
we must error out rather than happily continue and downgrade to
no validation.

Reported-By: Edd Barrett <edd@theunixzoo.co.uk>
Reviewed-By: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2015-01-18 22:05:49 +03:00
Eygene Ryabinkin
e7fabf9e57 Properly re-raise exception to save original tracebacks
We usually mutate some exceptions to OfflineImapError() and it is
a whole lot better if such exception will show up with the original
traceback, so all valid occurrences of such mutations were transformed
to the 3-tuple form of "raise".  Had also added coding guidelines
document where this re-raise strategy is documented.

Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2015-01-12 17:51:21 +03:00
Nicolas Sebrecht
0f40ca4799 more style consistency
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2015-01-08 23:36:19 +01:00
Eygene Ryabinkin
1746676af8 Make IDLE mode to work again
Refactoring in commit 6cbd2498 touched wrong class's "idle" call.

Found-by: Tomasz Żok <tomasz.zok@gmail.com>
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2014-05-23 13:19:11 +04:00
Abdo Roig-Maranges
8c43e52173 Fix multiple typos in var, function and exception names
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2014-05-07 18:29:47 +04:00
Abdo Roig-Maranges
96c9cca83a Class IMAPServer: idle() is private now
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2014-05-07 18:29:47 +04:00
Eygene Ryabinkin
d96af192ed Move space to the end of string
... to be aligned with the rest of the code.

Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2014-05-07 00:07:56 +04:00
Ben Boeckel
7c271d5131 Imapserver: add missing space to the log message
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2014-05-07 00:04:44 +04:00
Abdó Roig-Maranges
0903428fda Enable compressed connections to the IMAP server
Added the configuration setting usecompression for the IMAP repositories.
When enabled, the data from and to the IMAP server is compressed.

Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2014-05-02 19:30:49 +04:00
Eygene Ryabinkin
6cbd2498ae Refactoring: make functions to be private if we can
Make external API of class/module to be smaller, explicitely mark
all internal functions.  Also annotate methods that are implemented
as the part of the parent class interface.

Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2014-04-30 19:35:56 +04:00
Andreas Mack
e26827c1cb Make authentication mechanisms configurable
Added configuration option "auth_mechanisms" to the config file:
it is a list of mechanisms that will be tried in the specified order.

Author: Andreas Mack <andreas.mack@konsec.com>
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2013-08-08 22:34:30 +04:00
Steve Purcell
968d5520da Allow transport-type tunnels to the IMAP servers
It's nice to set up an ssh tunnel command which forwards an IMAP tcp
port inside an encrypted session, e.g. with ssh's "-W" flag.  In this
case the tunnelled connection still requires authentication inside
IMAP session, because this is transport-only tunnel that substitutes
normal TCP/SSL connection.

New directive, 'transporttunnel' was added: it specifies the command
that will create the tunnel.  Only one type of tunnel must be
specified for a single repository: we can't have both preauthenticated
and transport-type tunnels, they won't chain together.

From: Steve Purcell <steve@sanityinc.com>
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2013-08-06 12:18:21 +04:00
Andreas Mack
acaa96291d Add SASL PLAIN authentication method
- this method isn't as deprecated as IMAP LOGIN;

 - it allows to keep hashed passwords on the server side;

 - it has the ability to specify that the remote identity
   is different from authenticating username, so it even
   can be useful in some cases (e.g., migrated mailboxes);
   configuration variable "remote_identity" was introduced
   to leverage this functionality.

From: Andreas Mack <andreas.mack@konsec.com>
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2013-08-06 01:51:41 +04:00
Eygene Ryabinkin
7d313f49dc Refactored authentication handling
- created helper routine that will do authentication;

 - routine tries each method in turn, first successful
   one terminates it: makes things easier to read
   and handle;

 - renamed plainauth() inside offlineimap/imapserver.py
   to loginauth(): the function does IMAP LOGIN authentication
   and there is PLAIN SASL method, so previous name was
   a bit misleading;

 - slightly improved error reporting: all exceptions during
   authentication will be reported at the end of the run;

 - now loginauth() is never called if LOGINDISABLED is advertized
   by the server; it used to be invoked unconditionally when
   CRAM-MD5 fails, but we should respect server's opinion on
   how to handle its users.

Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2013-08-06 01:10:10 +04:00
mxgr7
0d992ee7d3 Execute pre/post hooks for IDLE-toggled syncs
Make IDLE syncs be equal to the regular synchronisations
in respect to pre-sync and post-sync hooks.

From: mxgr7 <maxgerer@gmail.com>
Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2013-08-02 13:53:21 +04:00
Eygene Ryabinkin
67d68c2fc8 IMAP: simplify locking and fix potential lock loss
Run the locked code under 'with': this guarantees that lock
will be released in any case.

This modification also avoids the case when our thread wasn't running
locked when exception was caught, another thread got the lock, our
code checked it via self.connectionlock.locked() and errorneously
released the lock thinking that is was running locked.

Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2013-07-22 00:08:39 +04:00
Eygene Ryabinkin
41cb0f577f Prune trailing whitespaces from code and documentation
They are redundant in all pruned cases and sometimes even create some
problems, e.g., when one tries to jump through paragraphs in vi.

Signed-off-by: Eygene Ryabinkin <rea@codelabs.ru>
2013-07-21 23:00:23 +04:00
Ryan Kavanagh
2bacdb7fa3 Allow setting IMAP servers' SSL version
We now allow setting the SSL version used when connecting to IMAPS servers, and
do so via the `ssl_version` configuration option. We default to the current
practice (letting python's "ssl" library automatically detect the correct
version). There are however rare cases where one must specify the version to
use.

Signed-off-by: Ryan Kavanagh <rak@debian.org>
2013-07-08 10:57:58 -04:00
Sebastian Spaeth
03566b2037 Replace thread.get_ident()
Replace low-level thread.get_ident() with threading.currentThread().ident.
This works both in python2.6 and python3. (thread is renamed _thread and its
direct use is not recommended)

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2012-02-06 17:41:43 +01:00
Sebastian Spaeth
81fc20c7ca Remove python<2.6 import workarounds (set & ssl)
'set' is builtin since python2.6, so remove the imports. Also 'ssl' exists
since 2.6 and has everything we need, so no need for conditional import
tests here anymore.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2012-02-06 17:41:42 +01:00
Sebastian Spaeth
0844d27f9f except Ex, e: --> except Ex as e:
Nudge us towards python3 compatability by converting deprecated python2 syntax.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2012-02-06 17:41:42 +01:00
Sebastian Spaeth
17f60f7233 Remove from __future__ import with_statements
These were needed for python <2.6 compatability, but since we depend on
python 2.6 now, these can go.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2012-01-06 23:13:55 +01:00
Sebastian Spaeth
bf4127c2d6 Remove unused imapserver getdelim()
imapserver.getdelim() was not used at all, so remove this function. The
folder delimiter is available via the repository.getsep() call.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-12-01 10:12:54 +01:00
Sebastian Spaeth
ab184d84e2 Reduce parameter list to account.syncfolder call
The remote|local|statusrepo is an anttribute of each SyncableAccount()
anyway, so we don't need to pass it in, we can simply get it from the
Account().

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-11-03 13:29:43 +01:00
Sebastian Spaeth
8dbf62cfdb Add a TODO comment
This function can IMHO lead to possible deadlocks when waiting for the
connectionlock. Do add a comment to that regard, this will need to audit.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-11-02 11:56:04 +01:00
Sebastian Spaeth
ccfa747ce6 Use lock with 'with' statement
To make sure, the lock gets released even if we raise an exception between
acquire() and release()

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-11-02 11:30:16 +01:00
Sebastian Spaeth
006f19aba9 Make releaseconnection a NOOP when conn is None
During cleanup we often call releaseconnection in a finally: block. But
in cases of error, we might have dropped the connection earlier already
and set it to "None". In this case don't fail releaseconnection() but
make it a NOOP.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-11-02 10:36:30 +01:00
Sebastian Spaeth
f6f8fc8528 Simplify the keepalive code a bit
Should not change behavior.
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-10-27 16:56:18 +02:00
Sebastian Spaeth
76b0d7cf25 imapserver: Make noop() more resitent against dropped connections.
Drop a connection, if the NOOP to keep a connection open fails due to
broken connections.

Note that I believe this function is not working as intended. We grab
one random connection and send a NOOP. This is not enough to keep all
connections open, and if we invoke this function multiple times, we
might well always get the same connection to send a NOOP through.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-10-05 18:18:55 +02:00
Sebastian Spaeth
4bfc1e8227 except imapobj.abort() -> except imapobj.abort
When checking for the IMAP4.abort() exception, we need of course to
perform:

except imapobj.abort:

and not

except imapobj.abort():

Thanks to Johannes Stezenbach <js@sig21.net> for pointing to the glitch.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-09-27 14:08:20 +02:00
Sebastian Spaeth
347e1eaa32 update CAPABILITIES after login
Some Webservers (I am looking at you Gmail) send different capabilities
before and after login, so they can tailor their server capabilities to
the user. While legal, this is uncommon and we were not updating our
server capabilities. Doing so allows us to detect that Gmail actually
supports the UIDPLUS extension, and we will stop mangling headers when
uploading to Gmail. This could lead to some performance gains when we
upload many messages to Gmail.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-09-21 02:32:45 +02:00
Sebastian Spaeth
eeef8f4bab Don't ask for hostname if using a tunnel
In tunnel mode, we don't need to ask for a hostname because there is no
need for one. Fix this.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-09-19 15:07:34 +02:00
Sebastian Spaeth
1ac9dc7fb4 Implement RFC 2595 LOGINDISABLED
Warn the user and abort when we attempt a plaintext login, but the
server has explicitly disabled plaintext logins.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-09-19 09:55:27 +02:00
Sebastian Spaeth
82e47896cf Don't ask for username in the preauthtunnel case
repos.getuesr() asks for a username if none is specified, but in the
case of a tunnel connection, we don't need one, so we need to skip the
repos.getuser() call here.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
2011-09-19 08:31:14 +02:00
Nicolas Sebrecht
78a67ac73c Merge branch 'ss/cleanup-idle' into next 2011-09-12 20:02:26 +02:00
Sebastian Spaeth
ce8471a011 IMAP IDLE cleanup(5): Really discard connections when they are dropped
Finally, actually discard dropped connections when we detect them as an
imapobj.abort() has been thrown. In this case, invoke releaseconnection
with drop_conn=True.

We don't need the self.aborted attribute to get signified of dropped
connections. An Execption during the noop will do.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2011-09-12 19:55:14 +02:00
Sebastian Spaeth
59753fc06f IMAP IDLE cleanup(4): Simplify code
while True: if a: return

is equivalent to

   while not a:

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2011-09-12 19:55:14 +02:00
Sebastian Spaeth
6ad0de08ef IMAP IDLE cleanup(3): Rename self.event to self.stop_sig
Variable name 'event' is as bad as it gets. Rename it to something that
actually describes what it is about.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2011-09-12 19:55:14 +02:00
Sebastian Spaeth
0bebd65ba0 IMAP IDLE cleanup(2): Add code documentation
Add code documentation throughout the idle() function.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2011-09-12 19:55:14 +02:00
Sebastian Spaeth
f369961a87 IMAP IDLE cleanup(1): Move idle callback out of loop
Don't redefine the idle callback function on every run in the while
loop, define it once when we enter the function.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2011-09-12 19:55:13 +02:00
Sebastian Spaeth
8800fa37a3 Implement Server SSL fingerprint check
If we connect to a SSL server (not STARTTLS) and no CA cert has been
specified for verification, we check the configured SSL fingerprint and
bail out in case it has not been set yet, or it does not match.

This means one more mandatory option for SSL configuration, but it
improves security a lot.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
2011-09-12 19:45:15 +02:00