unofficial mirror of emacs-devel@gnu.org 
* movemail
@ 2017-08-01  1:19 Richard Stallman
  2017-08-01  3:08 ` movemail Eli Zaretskii
  0 siblings, 1 reply; 10+ messages in thread
From: Richard Stallman @ 2017-08-01  1:19 UTC (permalink / raw)
  To: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Should we delete the movemail program, given these problems with it?

configure: WARNING: This configuration installs a 'movemail' program
that retrieves POP3 email via only insecure channels.
To omit insecure POP3, you can use './configure --without-pop'.
configure: You might want to install GNU Mailutils
<http://mailutils.org> and use './configure --with-mailutils'.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: movemail
  2017-08-01  1:19 movemail Richard Stallman
@ 2017-08-01  3:08 ` Eli Zaretskii
  2017-08-01 16:18   ` movemail Paul Eggert
  2017-08-07 18:46   ` movemail Nix
  0 siblings, 2 replies; 10+ messages in thread
From: Eli Zaretskii @ 2017-08-01  3:08 UTC (permalink / raw)
  To: rms; +Cc: emacs-devel

> From: Richard Stallman <rms@gnu.org>
> Date: Mon, 31 Jul 2017 21:19:52 -0400
> 
> Should we delete the movemail program, given these problems with it?

No, because non-Posix systems have no choice but use it.  Gnu
Mailutils are blatantly Posix-centric and don't build on anything
else.




* Re: movemail
  2017-08-01  3:08 ` movemail Eli Zaretskii
@ 2017-08-01 16:18   ` Paul Eggert
  2017-08-01 18:46     ` movemail Eli Zaretskii
  2017-08-07 18:46   ` movemail Nix
  1 sibling, 1 reply; 10+ messages in thread
From: Paul Eggert @ 2017-08-01 16:18 UTC (permalink / raw)
  To: Eli Zaretskii, rms; +Cc: emacs-devel

>> Should we delete the movemail program, given these problems with it?
> No, because non-Posix systems have no choice but use it.  Gnu
> Mailutils are blatantly Posix-centric and don't build on anything
> else.

Instead of deleting movemail, we could change 'configure' so that 
'--without-pop' is the default. This wouldn't affect platforms that use GNU 
Mailutils, and would improve security on other platforms' default installation.




* Re: movemail
  2017-08-01 16:18   ` movemail Paul Eggert
@ 2017-08-01 18:46     ` Eli Zaretskii
  2017-08-02  7:35       ` movemail Tim Cross
  0 siblings, 1 reply; 10+ messages in thread
From: Eli Zaretskii @ 2017-08-01 18:46 UTC (permalink / raw)
  To: Paul Eggert; +Cc: rms, emacs-devel

> Cc: emacs-devel@gnu.org
> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Tue, 1 Aug 2017 09:18:57 -0700
> 
> >> Should we delete the movemail program, given these problems with it?
> > No, because non-Posix systems have no choice but use it.  Gnu
> > Mailutils are blatantly Posix-centric and don't build on anything
> > else.
> 
> Instead of deleting movemail, we could change 'configure' so that 
> '--without-pop' is the default. This wouldn't affect platforms that use GNU 
> Mailutils, and would improve security on other platforms' default installation.

Once again, since the main mass of users of this program seems no
longer to dwell on Posix platforms, please do NOT take away the POP3
option by default.




* Re: movemail
  2017-08-01 18:46     ` movemail Eli Zaretskii
@ 2017-08-02  7:35       ` Tim Cross
  2017-08-02  8:11         ` movemail Paul Eggert
  0 siblings, 1 reply; 10+ messages in thread
From: Tim Cross @ 2017-08-02  7:35 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Paul Eggert, rms, Emacs developers


Do we have any figures on the percentage of users on different platforms
and of those, how many of them actually need this insecure POP3
functionality?  I would have thought very few users actually need the
movemail feature, especially on non-POSIX systems. Also, why is an insecure
pop3 process the only solution or is it really the only solution because
nobody has put time into a better secure solution?

On 2 August 2017 at 04:46, Eli Zaretskii <eliz@gnu.org> wrote:

> > Cc: emacs-devel@gnu.org
> > From: Paul Eggert <eggert@cs.ucla.edu>
> > Date: Tue, 1 Aug 2017 09:18:57 -0700
> >
> > >> Should we delete the movemail program, given these problems with it?
> > > No, because non-Posix systems have no choice but use it.  Gnu
> > > Mailutils are blatantly Posix-centric and don't build on anything
> > > else.
> >
> > Instead of deleting movemail, we could change 'configure' so that
> > '--without-pop' is the default. This wouldn't affect platforms that use GNU
> > Mailutils, and would improve security on other platforms' default installation.
>
> Once again, since the main mass of users of this program seems no
> longer to dwell on Posix platforms, please do NOT take away the POP3
> option by default.
>
>


-- 
regards,

Tim

--
Tim Cross



* Re: movemail
  2017-08-02  7:35       ` movemail Tim Cross
@ 2017-08-02  8:11         ` Paul Eggert
  2017-08-02 17:34           ` movemail Eli Zaretskii
  2017-08-03 19:47           ` movemail Richard Stallman
  0 siblings, 2 replies; 10+ messages in thread
From: Paul Eggert @ 2017-08-02  8:11 UTC (permalink / raw)
  To: Tim Cross, Eli Zaretskii; +Cc: rms, Emacs developers

Tim Cross wrote:
> Do we have any figures on the percentage of users on different platforms
> and of those, how many of them actually need this insecure POP3
> functionality?  I would have thought very few users actually need the
> movemail feature, especially on non-POSIX systems.

I don't know of any figures. Perhaps we could get a feeling for it by having 
Emacs warn the user at runtime if movemail is used in POP mode, as this is quite 
insecure.

> why is an insecure
> pop3 process the only solution or is it really the only solution because
> nobody has put time into a better secure solution?

The latter, in the sense that the "better secure solution" is GNU Mailutils 
(where people have put in the time). Unfortunately GNU Mailutils has not been 
ported to MS-Windows.

At some point I suppose we should make --with-mailutils the default, at least on 
non-MS-Windows hosts that have GNU Mailutils installed.
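
A way to check whether a build host actually has the GNU Mailutils movemail on its search path, as an added example that is not part of this thread or of Emacs. It assumes that the Mailutils program prints the words "GNU Mailutils" for `--version`; the function names and the four result labels are made up for this example.

```shell
#!/bin/sh
# Added example: classify the 'movemail' found on a search path.
# Assumption: GNU Mailutils' movemail prints "GNU Mailutils" for --version.

# Print the first executable regular file named 'movemail' in the
# colon-separated directory list $1; return 1 if there is none.
find_movemail() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        candidate=${dir:-.}/movemail
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            IFS=$old_ifs
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print one of: absent, unusable, mailutils, unverified.
classify_movemail() {
    if ! prog=$(find_movemail "$1"); then
        echo absent          # nothing named movemail on the path
    elif ! version=$("$prog" --version 2>/dev/null </dev/null); then
        echo unusable        # found, but --version exits non-zero
    else
        case $version in
            *"GNU Mailutils"*) echo mailutils ;;
            *) echo unverified ;;   # exits 0 but does not identify itself
        esac
    fi
}

# Stand-alone use: classify the given path list, or $PATH by default.
classify_movemail "${1:-$PATH}"
```

A result of `unverified` is the case to look at by hand: a check that only tests the exit status of `movemail --version` would treat that program as GNU Mailutils.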




* Re: movemail
  2017-08-02  8:11         ` movemail Paul Eggert
@ 2017-08-02 17:34           ` Eli Zaretskii
  2017-08-03  2:17             ` movemail Paul Eggert
  2017-08-03 19:47           ` movemail Richard Stallman
  1 sibling, 1 reply; 10+ messages in thread
From: Eli Zaretskii @ 2017-08-02 17:34 UTC (permalink / raw)
  To: Paul Eggert; +Cc: theophilusx, rms, emacs-devel

> Cc: rms@gnu.org, Emacs developers <emacs-devel@gnu.org>
> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Wed, 2 Aug 2017 01:11:11 -0700
> 
> At some point I suppose we should make --with-mailutils the default, at least on 
> non-MS-Windows hosts that have GNU Mailutils installed.

I'm okay with that.  We could do that right now, unless there are some
disadvantages.  (Why didn't we do that till now?)




* Re: movemail
  2017-08-02 17:34           ` movemail Eli Zaretskii
@ 2017-08-03  2:17             ` Paul Eggert
  0 siblings, 0 replies; 10+ messages in thread
From: Paul Eggert @ 2017-08-03  2:17 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: theophilusx, rms, emacs-devel

[-- Attachment #1: Type: text/plain, Size: 168 bytes --]

Eli Zaretskii wrote:
> We could do that right now, unless there are some
> disadvantages.  (Why didn't we do that till now?)

Haven't a clue. I installed the attached.

[-- Attachment #2: 0001-Default-to-with-mailutils-if-it-is-installed.patch --]
[-- Type: text/x-patch, Size: 5482 bytes --]

From 2d2c12fc5f45ff73387efd6241447f3d9cbadf09 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Wed, 2 Aug 2017 19:13:26 -0700
Subject: [PATCH] Default to --with-mailutils if it is installed

* configure.ac (with_mailutils): Default to 'yes' if GNU Mailutils
is installed.  See:
http://lists.gnu.org/archive/html/emacs-devel/2017-08/msg00054.html
---
 INSTALL              | 17 ++++++++---------
 configure.ac         | 13 ++++++++++---
 doc/emacs/rmail.texi |  2 +-
 etc/NEWS             | 10 ++++++----
 4 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/INSTALL b/INSTALL
index ea96890..33084b9 100644
--- a/INSTALL
+++ b/INSTALL
@@ -261,10 +261,10 @@ Emacs with the options '--without-dbus --without-gconf --without-gsettings'.
 
 To read email via a network protocol like IMAP or POP, you can
 configure Emacs with the option '--with-mailutils', so that it always
-uses the GNU Mailutils 'movemail' program to retrieve mail.  Otherwise
-the Emacs build procedure builds and installs an auxiliary 'movemail'
-program, a limited and insecure substitute that Emacs can use when
-Mailutils is not installed; when this happens, there are several
+uses the GNU Mailutils 'movemail' program to retrieve mail; this is
+the default if GNU Mailutils is installed.  Otherwise the Emacs build
+procedure builds and installs an auxiliary 'movemail' program, a
+limited and insecure substitute; when this happens, there are several
 configure options such as --without-pop that provide fine-grained
 control over Emacs 'movemail' construction.
 
@@ -272,10 +272,9 @@ The Emacs mail reader RMAIL is configured to be able to read mail from
 a POP3 server by default.  Versions of the POP protocol older than
 POP3 are not supported.  While POP3 support is typically enabled,
 whether Emacs actually uses POP3 is controlled by individual users;
-see the Rmail chapter of the Emacs manual.  Unless you configure
---with-mailutils, it is a good idea to configure --without-pop so that
-users are less likely to inadvertently read email via insecure
-channels.
+see the Rmail chapter of the Emacs manual.  Unless --with-mailutils is
+in effect, it is a good idea to configure --without-pop so that users
+are less likely to inadvertently read email via insecure channels.
 
 For image support you may have to download, build, and install the
 appropriate image support libraries for image types other than XBM and
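Review bot: In the rewritten sentence "Unless --with-mailutils is in effect, it is a good idea to configure --without-pop", the installer can no longer tell from their own command line whether --with-mailutils is in effect, because the default now depends on what is installed. Say how to find out, or recommend passing --with-mailutils or --without-pop explicitly, so that the insecure POP3 path is not enabled by omission.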
@@ -550,7 +549,7 @@ information on this.
 Emacs info files.
 
 8) If your system uses lock files to interlock access to mailer inbox files,
-and if you did not configure --with-mailutils, then you might need to
+and if --with-mailutils is not in effect, then you might need to
 make the Emacs-specific 'movemail' program setuid or setgid in order
 to enable it to write the lock files.  We believe this is safe.
 
diff --git a/configure.ac b/configure.ac
index c3e440a..c9e8c0d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -234,9 +234,16 @@ AC_DEFUN
 # in a movemail implementation that supports only unencrypted POP3
 # connections.  Encrypted connections should be the default.
 
-OPTION_DEFAULT_OFF([mailutils],
-  [rely on GNU Mailutils, so that the --without-pop through --with-mailhost
-   options are irrelevant])
+AC_ARG_WITH([mailutils],
+  [AS_HELP_STRING([--with-mailutils],
+     [rely on GNU Mailutils, so that the --without-pop through --with-mailhost
+      options are irrelevant; this is the default if GNU Mailutils is
+      installed])],
+  [],
+  [with_mailutils=$with_features
+   if test "$with_mailutils" = yes; then
+     (movemail --version) >/dev/null 2>&1 || with_mailutils=no
+   fi])
 if test "$with_mailutils" = no; then
   with_mailutils=
 fi
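Review bot: The probe `(movemail --version) >/dev/null 2>&1` in the new default branch accepts any program named movemail on PATH that exits zero for --version; it never confirms that the program found is the GNU Mailutils one, so with_mailutils can stay yes on a host where something else answered. Consider inspecting the --version output for the Mailutils name instead of discarding it, and reporting the outcome with AC_MSG_CHECKING/AC_MSG_RESULT so the chosen default is visible in the configure output.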
diff --git a/doc/emacs/rmail.texi b/doc/emacs/rmail.texi
index 046087e..f2416a0 100644
--- a/doc/emacs/rmail.texi
+++ b/doc/emacs/rmail.texi
@@ -1382,7 +1382,7 @@ Movemail
 version.  There are two versions of the @command{movemail} program: the
 GNU Mailutils version (@pxref{movemail,,,mailutils,GNU mailutils}),
 and an Emacs-specific version that is built and installed unless Emacs
-was configured using the @option{--with-mailutils} option.
+was configured @option{--with-mailutils} in effect.
 The two @command{mailtool} versions support the same
 command line syntax and the same basic subset of options.  However, the
 Mailutils version offers additional features.
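Review bot: The added line `was configured @option{--with-mailutils} in effect.` is missing a word and does not parse; "was configured with @option{--with-mailutils} in effect" reads correctly. While here, the following context line says @command{mailtool} in a paragraph that is about @command{movemail}, which looks like a typo worth fixing in the same change.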
diff --git a/etc/NEWS b/etc/NEWS
index 44f5ff5..b72793d 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -31,10 +31,12 @@ Use 'configure --with-gnutls=no' to build even when GnuTLS is missing.
 version 2.6.6 or later.
 
 ** The new option 'configure --with-mailutils' causes Emacs to rely on
-GNU Mailutils 'movemail' to retrieve email.  By default, the Emacs
-build procedure continues to build and install a limited and insecure
-'movemail' substitute.  Although --with-mailutils is recommended, it
-is not yet the default due to backward-compatibility concerns.
+GNU Mailutils to retrieve email.  It is recommended, and is the
+default if GNU Mailutils is installed.  When --with-mailutils is not
+in effect, the Emacs build procedure by default continues to build and
+install a limited 'movemail' substitute that retrieves POP3 email only
+via insecure channels; to avoid this problem, use either
+--with-mailutils or --without-pop when configuring.
 
 ** The new option 'configure --enable-gcc-warnings=warn-only' causes
 GCC to issue warnings without stopping the build.  This behavior is
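Review bot: The new NEWS text says --with-mailutils "is the default if GNU Mailutils is installed" but does not say that an unchanged configure invocation now produces a different result on such hosts, nor how to get the previous one. Add that --without-mailutils keeps building the Emacs 'movemail', which matters to anyone configuring on one machine for installation on another where Mailutils may be absent.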
-- 
2.7.4



* Re: movemail
  2017-08-02  8:11         ` movemail Paul Eggert
  2017-08-02 17:34           ` movemail Eli Zaretskii
@ 2017-08-03 19:47           ` Richard Stallman
  1 sibling, 0 replies; 10+ messages in thread
From: Richard Stallman @ 2017-08-03 19:47 UTC (permalink / raw)
  To: Paul Eggert; +Cc: eliz, theophilusx, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > The latter, in the sense that the "better secure solution" is GNU Mailutils 
  > (where people have put in the time). Unfortunately GNU Mailutils has not been 
  > ported to MS-Windows.

It is unfortunate for those who use Windows -- but then, using Windows
is itself a much greater misfortune.

If people implement Windows support in GNU Movemail, we will accept
that code following our usual practices.  But if someone asks me
whether to implement Windows support in GNU Movemail, or write something
that makes the GNU system better, we will say that the latter is what
advances our cause.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: movemail
  2017-08-01  3:08 ` movemail Eli Zaretskii
  2017-08-01 16:18   ` movemail Paul Eggert
@ 2017-08-07 18:46   ` Nix
  1 sibling, 0 replies; 10+ messages in thread
From: Nix @ 2017-08-07 18:46 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: rms, emacs-devel

On 1 Aug 2017, Eli Zaretskii told this:

>> From: Richard Stallman <rms@gnu.org>
>> Date: Mon, 31 Jul 2017 21:19:52 -0400
>> 
>> Should we delete the movemail program, given these problems with it?
>
> No, because non-Posix systems have no choice but use it.  Gnu
> Mailutils are blatantly Posix-centric and don't build on anything
> else.

Also, if you disable POP, movemail is still used to shuffle mail from
one place to another on the local filesystem. (It just doesn't do any
network access any more.)

-- 
NULL && (void)



