On Thu, Feb 02, 2023 at 10:44:17AM +0100, Ævar Arnfjörð Bjarmason wrote:

> Before [1] we'd force the "imap.host" to be set, even if the
> "imap.tunnel" was set, and then proceed to not use the "host" for
> establishing a connection, as we'd use the tunneling command.
>
> However, we'd still use the "imap.host" if it was set as the "host"
> field given to the credential helper, and in messages that were shared
> with the non-tunnel mode, until a preceding commit made these OpenSSL
> codepaths tunnel-only.
>
> Let's always give "host=tunnel" to the credential helper when in the
> "imap.tunnel" mode, and rephrase the relevant messages to indicate
> that we're tunneling. This changes the existing behavior, but that
> behavior was emergent and didn't make much sense. If we were using
> "imap.tunnel" the value in "imap.host" might be entirely unrelated to
> the host we're tunneling to. Let's not pretend to know more than we do
> in that case.

If you tunnel to two different hosts, how is the credential system
supposed to know which is which?

If you really want to distinguish connecting to $host versus tunneling
to $host, I think you'd have to invent some new URL scheme
(imap-tunnel:// or something). But IMHO it is not really worth it.

Your statement of "the value in imap.host might be entirely unrelated"
does not match my experience. I don't use imap-send, but I've been doing
imap-tunneling with various programs for two decades, and it's pretty
normal to configure both, and to consider the tunnel command as an
implementation detail for getting to the host. For example, my mutt
config is like[1]:

  set folder = imap://example.com/
  set tunnel = "ssh example.com /etc/rimapd"

and I expect to be able to refer to folders as imap://example.com/foo,
etc (well, in mutt you'd use the shorthand "=foo", but the idea is the
same).

So if we see:

  [imap]
  host = example.com
  tunnel = ssh example.com /etc/rimapd

we should likewise think of it as example.com, but with an
implementation detail of how to contact the server.

Of course if you don't set imap.host, then we don't have anything useful
to say. But as you saw, in that case imap-send will default the host
field to the word "tunnel".

-Peff

[1] In my experience the main reason to tunnel is to avoid auth
    altogether, so for those cases the credential code wouldn't matter
    either way. But I imagine there may be some people who use it to
    pierce a firewall or some other network obstacle, and really do want
    it to be otherwise just like a connection to $host.