-rwxr-xr-x | imap-dl | 17 | ||||
-rw-r--r-- | imap-dl.1.pod | 10 |
2 files changed, 18 insertions, 9 deletions
@@ -185,12 +185,21 @@ def scan_msgs(configfile:str, verbose:bool) -> None: port=int(conf.get('retriever', 'port', fallback=993)), ssl_context=ctx) as imap: username:str = conf.get('retriever', 'username') - use_kerberos = conf.getboolean('retriever', 'use_kerberos', - fallback=False) - if use_kerberos: + authentication:str = conf.get('retriever', 'authentication', + fallback='basic') + # FIXME: have the default automatically choose an opinionated + # best authentication method. e.g., if the gssapi module is + # installed and the user has a reasonable identity in their + # local credential cache, choose kerberos, otherwise, choose + # "basic". + if authentication == 'kerberos': auth_gssapi(username, imap, conf, server) - else: + elif authentication == 'basic': auth_builtin(username, imap, conf, server) + else: + # FIXME: implement other authentication mechanisms + raise Exception(f'retriever.authentication should be one of:\n' + '"basic" or "kerberos", got "{authentication}"') if verbose: # only enable debugging after login to avoid leaking credentials in the log imap.debug = 4 diff --git a/imap-dl.1.pod b/imap-dl.1.pod index 5864267..88e3129 100644 --- a/imap-dl.1.pod +++ b/imap-dl.1.pod 
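Review bot: The exception raised in the final `else:` branch will print the literal text `{authentication}` rather than the configured value, because the `f` prefix is on the first string literal only and the adjacent literal holding the placeholder is a plain string. Moving the prefix to the second literal fixes it: `f'"basic" or "kerberos", got "{authentication}"')`. Separately, a configuration that still sets `use_kerberos = true` is now ignored without any message and falls through to the `'basic'` default, so a host that used GSSAPI would start attempting password login after upgrading. Whether a stored password is then sent depends on `auth_builtin`, which is outside this hunk. A guard before the dispatch, such as `if conf.has_option('retriever', 'use_kerberos'): raise Exception('retriever.use_kerberos is no longer supported; set retriever.authentication = kerberos')`, would make the change of mechanism explicit; the body of `scan_msgs` starts and ends outside the hunk.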
@@ -43,14 +43,14 @@ options: B<retriever.server> is the dns name of the mailserver. +B<retriever.authentication> is either "basic" (the default, using the +IMAP LOGIN verb) or "kerberos" (IMAP AUTHENTICATE with GSSAPI, +requires the python3-gssapi module). + B<retriever.username> is the username of the IMAP account. B<retriever.password> is the password for the IMAP account when using -plaintext passwords. - -B<retriever.use_kerberos> (boolean) requests that Kerberos (through GSSAPI) is -to be used instead of password-based auth. There is no need to specify -password when using Kerberos. This requires the python3-gssapi module. +B<retriever.authentication> is set to "basic". B<retriever.ssl_ciphers> is an OpenSSL cipher string to use instead of the defaults. (The defaults are good; this should be avoided except to work |