News

mpop 1.4.21 is released

2025-01-13

This release update the build system and improves the documentation.

mpop 1.4.20 is released

2024-08-01

This release fixes detection of server capabilities, in particular the list of supported authentication methods: the last method reported by the server was not recognized by mpop. This bug was introduced in version 1.4.19.

The bug was found and fixed by Michaël Cadilhac. Thank you very much!

Furthermore, translations were updated. Thanks again to everyone at translationproject.org!

mpop 1.4.19 is released

2024-06-04

This release adds support for SCRAM-SHA-*-PLUS authentication, and prefers to use the SCRAM methods if they are available. A few corner case bugs were fixed. Translations were updated, thanks again to everyone at translationproject.org!

By the way: 20 years ago (on June 8), mpop version 0.1.0 was released. This was the first public version. It appeared 11 months after msmtp, and both still share a large part of their source code.

mpop 1.4.18 is released

2023-01-30

This release fixes XOAUTH2 authentication problems and updates translations (including a new Swedish translation).

mpop 1.4.17 is released

2022-08-07

This release adds a new configuration command eval that replaces the current configuration file line with the output of a command (similar to passwordeval, but more general).
Furthermore, a few minor problems were corrected and the documentation and translations were updated.

mpop 1.4.16 is released

2021-10-22

This release fixes a few minor problems related to translations and the documentation.

mpop 1.4.15 is released

2021-10-03

This release adds a new minimal POP3 server called mpopd. You can use it as a gateway between mpop and mail software such as Thunderbird that cannot use local mail boxes directly and insists on using a POP3 server.
Similarly, msmtpd (part of msmtp) can now be used as a gateway between a msmtp and mail software that insists on using an SMTP server.
So now you can have full control over incoming and outgoing mail, including all the processing and filtering with any tools you want, while still using a mail client that does not give you these options itself.
See the msmtpd and mpopd documentation for examples.

mpop 1.4.14 is released

2021-09-13

This release fixes a potential crash (null pointer dereference) that happens when the server does not support the UIDL command. Furthermore, for configurations using libtls instead of GnuTLS, the tls_fingerprint and tls_certcheck commands were fixed.

mpop and starttls security

2021-08-26

A recent security analysis of STARTTLS revealed many problems of STARTTLS (as opposed to immediate TLS) in mail clients and servers. The researchers published their fake mail server software that can be used for testing client software such as mpop.
I used this software to test mpop and found no problems related to STARTTLS, but I would be grateful if someone could double check this in case I missed something. Please let me know your results, I will update this news item accordingly!
I did however find a potential null-pointer dereference if the server does not support the UIDL command. This is now fixed in the git repository.

mpop 1.4.13 is released

2021-03-12

This release adds support for SCRAM-SHA-256 authentication via libgsasl thanks to Simon Josefsson. It also updates translations.

mpop 1.4.12 is released

2020-12-23

This release adds support for the libtls library (provided by the LibreSSL project), thanks to Nihal Jere.
This is the third TLS library supported by mpop. Use the --with-tls= option of the configure script to choose one. Here's an overview:

GnuTLS (--with-tls=gnutls): The default choice. Full feature set.
libtls (--with-tls=libtls): A brand new addition. Already with full feature set.
OpenSSL (--with-tls=openssl): Old code, in bad shape. Needs to be updated or it will be removed.

Furthermore, translations were updated. Thanks again to the translators at translationproject.org!

mpop 1.4.11 is released

2020-11-13

This release add support for XOAUTH2 authentication, the predecessor of OAUTHBEARER that is still in use. The passwordeval command can now handle long inputs for these methods. Furthermore, translations were updated. Thanks again to the translators at translationproject.org!

mpop 1.4.10 is released

2020-06-03

Portability was improved. There should be no "permission denied" errors for temporary files on Windows systems anymore.
Translations were updated. Thanks again to the translators at translationproject.org!

mpop with oauth2 for gmail

2020-04-30

Christian Tenllado documented how to use msmtp with OAuth2 authentication for Gmail. The same approach should also work for mpop.

mpop 1.4.9 is released

2020-04-23

This version updates internationalization files and includes a new serbian translation. Thanks to the translators at translationproject.org!

mpop 1.4.8 is released

2020-04-12

This version includes the folowing changes:

Added a new socket command and --socket option to connect via local sockets.
Added a new tls_host_override command and --tls-host-override option to override the host name used for TLS verification.
Fixed the source_ip command for proxies.

Furthermore, the translations were updated. Thanks to all translators at translationproject.org!

mpop 1.4.7 is released

2019-12-24

This minor update fixes a build problem on MinGW and synchronizes some source files with msmtp.

mpop 1.4.6 is released

2019-09-27

This minor update fixes a build problem on Cygwin and updates the Vim syntax files.

mpop 1.4.5 is released

2019-07-12

This version fixes OAUTHBEARER authentication, adds support for TLS client certificates via PKCS11 devices such as smart cards, and fixes a few minor bugs.

mpop 1.4.4 is released

2019-04-24

This version adds support for the OAUTHBEARER authentication method and fixes a few minor bugs.

Support for OAUTHBEARER / XOAUTH2

2019-04-06

The git repository contains new support for the OAUTHBEARER authentication method, formerly known as XOAUTH2, a method pushed mainly by Google.
This means mpop can now use an OAuth2 token for authentication by setting auth oauthbearer in the configuration file. The token is typically passed to mpop via the passwordeval command since it changes regularly.
However, mpop does not provide a way to generate such a token. This depends on your mail provider.
Since I do not use this method myself, it would be great if you could test this feature and maybe document how to generate the necessary token for your mail provider, so that I can add examples to the documentation.
Looking forward to your feedback!

Source code moved

2019-02-19

The source code moved to git.marlam.de, see the updated download instructions.
The reason is that gitlab vanished from Debian stable and there is no working upgrade path to the version in Debian backports. Sorry for the inconvenience.

mpop 1.4.3 is released

2019-02-11

This version fixes a security problem that affects version 1.4.2 (older versions are not affected): when the new default value system for tls_trust_file is used, the result of certificate verification was not properly checked.

Update 2019-02-14: The same problem in msmtp has been assigned CVE-2019-8337. This is the patch that fixes it (included in version 1.4.3).

mpop 1.4.2 is released

2019-01-12

This version simplifies configuration:

A new --configure user@example.com option automatically generates a configuration for the given mail address. This works for domains that publish appropriate SRV records (as they should according to RFC 8314).
You now only need tls on to activate TLS because there is a new default value for tls_trust_file that selects the system default trust.

Additionally, there are several code cleanups and updates, and updated translations by the Translation Project. Many thanks to the translators!

mpop 1.4.1 is released

2018-12-08

This version fixes a bug that broke TLS 1.3 support.
Furthermore, translations are now handled by the Translation Project, and a new Ukrainian translation is already included in this release. Many thanks to the translators!

If you do not want to upgrade to the 1.4 series yet but you need TLS 1.3 support, you can apply this patch to mpop version 1.2.8 or 1.0.29.

mpop 1.4.0 is released

2018-09-04

This is the first release of the new stable release series. Noteworthy changes since 1.2.8:

Using OpenSSL is discouraged and may not be supported in the future. Please use GnuTLS instead. The reasons are explained here.
As using GNU SASL is most likely unnecessary, it is disabled by default now. Since everything uses TLS nowadays and thus can use PLAIN authentication, you really only need it for GSSAPI.
If your system requires a library for IDN support, libidn2 is now used instead of the older libidn.
The APOP and CRAM-MD5 authentication methods are marked as obsolete / insecure and will not be chosen automatically anymore.
The passwordeval command does not require the password to be terminated by a new line character anymore.
Builtin default port numbers are now used instead of consulting /etc/services.
Support for DJGPP and for systems lacking vasprintf(), mkstemp(), or tmpfile() is removed.

mpop 1.4.0rc1 is released

2018-08-20

This is a release candidate for the upcoming 1.4.x stable release series. The following changes were made:

Using OpenSSL is discouraged and may not be supported in the future. Please use GnuTLS instead. The reasons are explained here.
As using GNU SASL is most likely unnecessary, it is disabled by default now. Since everything uses TLS nowadays and thus can use PLAIN authentication, you really only need it for GSSAPI.
The APOP and CRAM-MD5 authentication methods are marked as obsolete / insecure and will not be chosen automatically anymore.
If your system requires a library for IDN support, libidn2 is now used instead of the older libidn.
Builtin default port numbers are now used instead of consulting /etc/services.
Support for DJGPP and for systems lacking mkstemp() or tmpfile() is removed.

Using mpop with OpenSSL is discouraged, please use GnuTLS

2018-08-19

It is recommended to use mpop with GnuTLS instead of OpenSSL. The upcoming version of mpop will not use OpenSSL automatically anymore, and if you choose it manually, you will get a warning.

The reasons for this are listed in this news entry for msmtp (mpop and msmtp use the same TLS code).

mpop 1.2.8 is released

2018-06-28

New in this release:

Fixed support for ~/.config/mpop/config as configuration file
Support for TLS Server Name Indication (SNI)
Support for binding the outgoing connection to a source IP, using the new --source-ip option or source_ip command

mpop 1.2.7 is released

2018-06-15

New in this release:

Support for ~/.config/mpop/config as configuration file
Network timeout handling on Windows
Fixed command line handling of SHA256 TLS fingerprints
Updated german translation

Project moved

2018-06-12

After many years, this project moved from Sourceforge to a self-hosted gitlab instance: https://gitlab.marlam.de/marlam/mpop.

Older news are stored in the news archive.

RSS