commit 7cbf58df31dca41e13d04b801117acf187b88b7a (HEAD, tag: v0.90, master)
Author: Phil Pennock
Date: 2019-03-29 17:07:23 -0400
Update copyright years; correct README re license
commit 00a60e60bd73f11238d2898196c2e8b0f98bbe98
Author: Vincent Breitmoser
Date: 2018-10-23 16:50:19 +0200
use .sieve extension for temporary file
This helps editors recognize the file type, and start in the appropriate
editing mode.
commit 82f614b00b6a50b2e211db7593027c1323a8c1e3
Author: Johan Vromans
Date: 2018-07-24 10:04:13 +0200
Fix RE errors (will be fatal in perl 5.30).
commit f7cf58fb68013e4f0bfb0506502155b113e25e6f (tag: v0.89)
Author: Phil Pennock
Date: 2017-02-14 19:06:15 -0500
Security robustness stance: drop . from @INC
commit 0d3dedfc479018eef4d76502edfb42dc0416f75d
Author: Phil Pennock
Date: 2017-01-07 23:32:55 +0000
much shorter --help; --passwordfd example in docs
* There is so much help text in the options section that the pod2usage
defaults are unfriendly in this command; drop to just the synopsis,
with prelude text hinting at `--man`.
* Supply an example of using `--passwordfd` in shell, using here-strings.
commit 1ef355448d3f3d216956b8561777b727085397d3
Author: Phil Pennock
Date: 2016-08-29 17:05:46 -0400
Update copyright year
commit 92ae1c107a75732382b70968e767bd319c2cdca2
Author: Gernot Schulz
Date: 2016-05-25 15:26:16 +0200
Version-based CAPA munging: handle Kolab/nocaps
This patch adds support for the special case of patched Cyrus servers
which behave differently from what sieve-connect would infer from their
version numbers.
Some modern servers get patched to not resend their capabilities after
STARTTLS. For example, Kolab's Cyrus gets patched this way to ensure
compatibility with older Kontact versions (Cyrus timsieved
v2.3.16-kolab-nocaps).
sieve-connect simply needs to do nothing in regards to compatibilities
after STARTTLS in this case. This patch applies this behavior to any
Cyrus servers which carry "nocaps" in their version string.
Approved-By: Phil Pennock
commit f245a4c621f4b866978d7a74dbdca8c9025cae6a
Author: Phil Pennock
Date: 2016-08-29 16:40:49 -0400
Exit 1 if warnings seen if non-interactive
If used interactively, humans make silly typos and recover. If not
interactive, those problems are actual errors which should cause us to
exit non-zero for tooling to be able to rely upon `$?`.
(I'm embarrassed to have let this slip through, but it's a result of the
history: initially interactive, then scriptability added.)
To avoid missing some corner case, we just capture all calls to warn()
if non-interactive, and track things that way, instead of introducing a
new function. Ah Perl, ♡ you so.
commit df005a607db10e488a62e0fada425da6d7ac84a8
Author: Phil Pennock
Date: 2016-08-29 16:21:22 -0400
nit: brace placement
commit 8ec2d1d5d0bd4bee1e96f23322f20edbd5dbee5d
Author: Phil Pennock
Date: 2016-08-29 15:52:24 -0400
Require TLS verification to work
Philipp Erbelding filed a bug-report and PR to fix that if TLS
verification was requested but no CA file or path is available,
sieve-connect should die. Which was good, but not enough.
Our handling here was to silently fall back to non-TLS cleartext if the
server did not advertise the STARTTLS capability. That was an unhappy
compromise back when many did not configure TLS and the difficulty of
persuading that TLS should be configured was high(er). But the world
has moved on, so let's try to fix this. Hey, our major number is still
0.
With this:
* unless `--clearchan` is passed on the command-line, if TLS
verification is enabled then `--noclearchan` is implicitly assumed
+ unless `$SIEVECONNECT_INSECURE_CLEARTEXT_FALLBACK` set non-empty
in environment
+ so, can change invocation, or set an obnoxious educational
environment variable, but the default is better
* Failure to find CA information means verification must fail, so abort
before even trying to connect (unless `--clearchan` enabled per
above)
* slightly better debug logging for when this bites people
Tested via temporarily commenting out `tls_cert_file` in `imapd.conf`
for Cyrus IMAP.
commit 00b7487a4caec7af4a64ef502a3a54bcffd9d46e
Author: Phil Pennock
Date: 2015-06-28 01:41:12 +0000
Remote sieve name should be basename of local
*POSSIBLY BREAKING CHANGE*
If user specifies a path to a local sieve script, then we were using the
full path for upload to the remote sieve server. Now we use the
basename, so everything after the last directory separator.
RFC 5804 does not disallow a directory separator, but timsieved does.
It seems likely that most servers will.
A remote name with directory separators can still be explicitly
specified. This change tries to make the inferred name choice smarter.
Folks using `/` or `\` in path-names, where the remote server allows
this, may be affected. In practice, I believe that breakage is
unlikely.
commit 3e4d4707ab119f0a3800fc16a0cb8d6ac4e585b3
Author: Phil Pennock
Date: 2015-06-28 01:13:06 +0000
Docs: provide EXAMPLES & AVAILABILITY sections
commit 8af70c68574ecb0dbc5dfb0055233f75973d6d03
Author: Phil Pennock
Date: 2014-02-04 19:59:14 -0800
Interactive 'debug' command if --debug
It can be useful to toggle debug off after connection has been
established and authenticated, etc. So at the REPL, provide a `debug`
command, but only if invoked with `--debug`.
commit 23ac5922d0ca50c016e999efa4ead460ab62ff95
Author: Phil Pennock
Date: 2014-02-04 19:47:37 -0800
Support --tlshostname option
Useful for confirming behaviour when using a different hostname to any
found in the certificate -- ideally, fix the certificates. But we're a
tool used by admins debugging, so let people debug!
commit 5ec0bcbeaeff1542d639de4723a3cd89654a8def
Author: Phil Pennock
Date: 2013-12-05 03:36:27 -0500
Handle .local in domains better (undef fix)
The public domain search can return undef, if the current host is not in
a public domain at all (ie, `foo.local`). Deal with the consequences.
commit a82c683050183d2eb501cc5a34513cb17d11454d (tag: v0.87)
Author: Phil Pennock
Date: 2013-12-03 20:27:30 -0500
Various documentation cleanups.
Options are shortest unique prefices, so say so. Then fix the
documented `--check` to be its full `--checkscript`.
Describe in the _docs_ what's meant by a Perl port specification and
what the implications are.
Drop the patronising text around the action options; how embarrassing,
that I once wrote such garbage. Instead, actually bother documenting
the options.
Fix the ENVIRONMENT section to reference all the vars now honoured.
Reference Mozilla::PublicSuffix in PREREQUISITES.
Various typos cleaned.
commit af2059adec380652f5802e92ebf39bfade061864
Author: Phil Pennock
Date: 2013-11-18 09:04:54 -0800
Give --tlscertfingerprint with explicit digest alg
Embedding a hard-coded choice of SHA1 violates algorithmic agility;
rather than constrain to my preferred choice, this should be given as
part of the option.
Also switched the option name to contain `cert` because there are
multiple digest types available in this situation and we're matching the
certificate digest (everything issued), not the public key digest (which
would be constant as new certificates are issued for the same key). We
might add support for pubkey-based fingerprints later.
Explicitly pull in Net::SSLeay, with a version constraint, since we now
rely upon it for a top-level feature. We require v1.37. Debian
oldstable (wheezy) is on 1.36, RHEL6 appears to be on 1.35. Those are
old enough that we can't reasonably sustain support for them while
providing useful modern security features.
Make sure to debug-log when the FP check succeeds, so the user can see
feedback indicating that validation did actually occur.
commit e0213504886f0d8283a51ee1846400e3409e97f4
Author: lukas227
Date: 2013-11-18 11:46:44 +0100
add support for fingerprint pinning via parameter
commit bd2230acc24fdf06f6c8b03c2505f303c6758b99
Author: Phil Pennock
Date: 2013-10-29 17:58:51 -0400
Be clearer about port specification meaning
The debug messages understandably led a user astray, because when seeing
`sieve(4190)` they thought that meant port 4190, not that this was the
port specification being passed down ("try to find 'sieve' in
/etc/services (or other getservent source) and use 4190 as a fallback").
Fix the debug message to notice when the port is being given in this
form and tack on an explanation. Issue a debug warning, the first time
evaluating this, if services lists a different value, to highlight the
conflict and aid in debugging.
Fix the debug message for SRV records to not use the previous port
definition in the 'old' status logging, because the port number did not
factor into the SRV lookup and the claim was slightly off.
Thanks to Daniel Schulte for his patience when using the tool to debug.
commit 1f25d45a8b6a555147ff12deae6a4c9ccc4a0ee5
Author: Phil Pennock
Date: 2013-10-29 17:29:36 -0400
Honor SSL_CERT_DIR & SSL_CERT_FILE env vars
The Perl IO::Socket::SSL keeps us from benefitting from OpenSSL defaults
initialisation for CA certificates location. Before we ask the OpenSSL
binary for locations, we now do the same thing that the library init
would do, and preferentially honour `$SSL_CERT_DIR` and then
`$SSL_CERT_FILE` as locations.
I've also corrected the POD documentation on this topic, which was out
of date.
commit 3c93d73443a2e94bb8393c0b354a279a02059040
Author: Phil Pennock
Date: 2013-07-27 16:28:27 -0400
SSL certs location: bugfixes, check more places.
Issue #1 is a report from LEVAI Daniel that the recent certs-finding
functionality is broken on OpenBSD, because of an assumption that if
we can find OPENSSLDIR from openssl(1), then certs/ within that must
be valid.
Made a validity check for a given dir; not existing is silent, but
existing and unusable triggers debug messages. It checks for being
a dir and having filenames ending ".0" inside that directory.
Bug-fixed stderr-handling around the search.
If openssl doesn't give us a location, and none of the file candidates
exist, then check a few locations for SSL_ca_path directory candidacy.
Fixes #1
commit b3ebacea45b92dc1c67e393371b380391c209fb7
Author: Phil Pennock
Date: 2013-06-02 05:09:41 -0400
"edit" functionality, some stability cleanups.
Ian Campbell contributed code to add an "edit" command, which downloads
a script, invokes a text editor, checks it and then uploads it.
I've mutilated his contribution; first, to not just use sensible-editor
but check for environment variables $VISUAL then $EDITOR, then try
sensible-editor, then vi (because it's the classic default, not because
it's good for newcomers -- if you don't like it, use env or implement
the sensible-editor system).
Then I made it dependent upon having VERSION capability because it uses
CHECKSCRIPT which is also dependent upon having VERSION. Alas, my
server is old and does not support CHECKSCRIPT, so I can't be 100% sure
this works, but "correct by inspection". *cough*
Added a SIGPIPE handler to abort a little more cleanly. Tracked lost
connections better, to abort cleanly.
Uncovered that when getting a response from a server with a string
literal, I was not reading the CRLF which follows the string, so was
ending up unsynchronized. Fixed.
Better return codes from functions.
commit 416e1bb126c26e397c23a24b53548d7bfbb45581
Author: Phil Pennock
Date: 2013-06-02 03:42:54 -0400
Ask OpenSSL for certs location, fallback fixed list
Invoke the openssl command, handle failure, fallback to checking some
paths for certs; the default paths are taken from golang's TLS support.
commit d843bb5a010c8145ed10ebbf2c89a75bbb0aff9a (tag: v0.85.1)
Author: Phil Pennock
Date: 2013-04-21 23:34:35 -0400
Plumbing for git instead of svn
Use git tags for version numbers
commit 1dd818b5f087966d9bdecc44dcc60f9b0350635e (tag: v0.85)
Author: Phil Pennock
Date: 2013-04-14 00:29:13 +0000
Fix TLS verification; find server by own hostname & SRV.
* TLS hostname verification was not actually happening. I'm mortified.
* IO::Socket::SSL requirement bumped to 1.14 (was 0.97).
* By default, if no server specified, before falling back to localhost try to
use the current hostname and SRV records in DNS to figure out if Sieve is
available. Checks for sieve, imaps & imap protocol SRV records and honours
target==. to mean "no".
* This works better with the Mozilla::PublicSuffix module installed.
* Added ability to blacklist authentication mechanisms
commit 0602a3462403d3b9f0f0dab3d572215dcf49bff9 (tag: v0.84)
Author: Phil Pennock
Date: 2012-11-29 06:09:01 +0000
Command-line options for TLS CA cert locations [Till Maas]
Till Maas provided a patch adding --tlscapath and --tlscafile options.
I've adjusted that so that, for debugging clarity, if --tlscafile is
specified then the --tlscapath equivalent configuration is removed from
the SSL options, so that we only pass one or the other to SSL setup.
Removed some tabs from the POD text.
Minor POD cleanups.
Debug-log where we'll be grabbing SSL CA certs from.
Use -T- for all TLS-specific debug logging.
commit c3f7d3588d4bd2dffe4602d370e6bef3ae8661cf
Author: Phil Pennock
Date: 2012-05-24 00:13:26 +0000
Negotiate any TLSv1.0+ protocol.
If /etc/ssl/certs does not exist, try to find a certs dir by asking OpenSSL.
commit 4a21c9c14342497395161d408828a2e375b0fa70
Author: Phil Pennock
Date: 2011-04-02 10:08:47 +0000
Update copyright year. Note that spec is in an RFC, not a draft.
commit 77dff4a70537ce63448ede21d3f6dab368eb4249
Author: Phil Pennock
Date: 2011-04-02 10:05:16 +0000
Accept a STARTTLS response of >OK<, not just >OK "some text"<.
Reported by: Piotr Sikora (patch provided, not used but trivially similar)
commit d5cd06dcd740b3230f3f5fdc6578a73658cc7e2f
Author: Phil Pennock
Date: 2011-01-10 09:07:12 +0000
Version display includes Net::DNS
[deferred commit; Aug 5th 2010]
commit 19504d06dc7a201a905fa3814ca6adec6c976b0d (tag: v0.77)
Author: Phil Pennock
Date: 2010-08-05 07:57:28 +0000
Mailing-list.
Update README to better reflect current state of affairs. Likewise TODO.
commit a765fbdfb6a424513ad00ff55678325ea4f1bf76 (tag: v0.76)
Author: Phil Pennock
Date: 2010-08-05 07:18:05 +0000
Use SRV records for _sieve._tcp.
Add --nosrv to inhibit this.
Try multiple hosts, iterating through SRV results.
[Adds Net::DNS dependency, and SRV weighted prioritised sorting is not supported]
commit 292470e2ddd462f6a9766c6b1bc41fd7cbccd137 (tag: v0.75)
Author: Phil Pennock
Date: 2010-08-05 06:20:06 +0000
Change default port to 4190 for RFC 5804.
Move default port to (top of) user-serviceable area.
Provide a BUGS-section discussion of this.
Make the --debug message for connection establishment report the port
connected to.
commit fc53c5a00bb34ba92cb2dc13fca033818b59b967 (tag: v0.74)
Author: Phil Pennock
Date: 2010-08-05 06:05:06 +0000
Implement CHECKSCRIPT.
WARNING: UNTESTED (need to find a test server that actually supports this)
Add version-checking and --ignoreserverversion to override that.
Fix hostname check to permit a colon, for IPv6 addresses;
reported-by: Alexander Sulfrian
commit d04d21eaf8a798e262f3fa6f2055aa0f962207b4
Author: Phil Pennock
Date: 2010-04-29 00:13:32 +0000
Fix copyright year.
commit 548dcf14d02861520c984a28423c9104c804d8e5
Author: Phil Pennock
Date: 2010-04-29 00:12:44 +0000
Provide --notlsverify option, based on patch from Heiko Schlittermann.
commit ee8553963ccfb5e693c705cd635129f3e0d4d9a6
Author: Phil Pennock
Date: 2009-12-01 20:18:35 +0000
Pod::Text does not have the methods I used. It looks like I was using
interfaces from Pod::Simple::Text, thus the "man" command could never have
worked. That, or the API changed significantly.
Make "man" work again. Make it optional, conditional upon Pod::Simple::Text
being available.
When showing command aliases in "help", sort them.
commit df98a9f931fa3a5e5ebd361d681b2893d3cbd4bb (tag: v0.69)
Author: Phil Pennock
Date: 2009-03-29 23:29:08 +0000
For Gnu readline, when debugging, force a call to display-readline-version.
localise the $| setting in the non-RL prompter.
Add notes to the README about the perl segfault issue (Term::ReadLine::Gnu).
commit b6f5aa626233db59f6917ca75e095f213d542e46
Author: Phil Pennock
Date: 2009-03-29 18:56:04 +0000
Copyright update (make dist caught it)
commit 10258cb723b7903495708c191637c3b50991cf0b
Author: Phil Pennock
Date: 2009-03-29 18:53:54 +0000
Cyrus timsieved workaround for 2.3.13 to 2.3.x where x >= 13.
commit 1377837b977376987bedecd88db300348742cec1 (tag: v0.65)
Author: Phil Pennock
Date: 2008-11-15 02:16:38 +0000
Version-dependent server-IMPLEMENTATION check for NOOP. :-(
--debugsasl option to split off that debugging.
Simplified --debug --version with no strict refs.
commit 5ec209549938d20ba94d6dbec849476e8f9f7af6
Author: Phil Pennock
Date: 2008-11-15 01:41:20 +0000
Debug bit-length, set externalssf for SASL.
commit d5e923a0d18948b80d0da657a6b4cf94c066359a
Author: Phil Pennock
Date: 2008-11-15 01:04:12 +0000
Allow --debug --version to reveal more.
commit c1322a44ff55d89b9b7f07e5600a652242abda98
Author: Phil Pennock
Date: 2008-09-15 05:11:04 +0000
draft-martin-managesieve-12.txt is out, NOOP response changed.
Handle it (by making into a calling error something we weren't doing).
commit f845032bba6df92d7ffc05df405fb0e8f57fc624
Author: Phil Pennock
Date: 2008-07-22 05:28:43 +0000
WARNING: UNTESTED because there's not a server I know of to test this against.
Implement NOOP as an official command which might return OK.
Various comment fixes.
commit 413a508baba34bca9704310fda7df2be671ecdef
Author: Phil Pennock
Date: 2008-05-22 22:00:14 +0000
Comment fix re STARTTLS->CAPABILITY reality.
commit 595d95157dff2f25b7b8bda1f77a946f3ff09f9a (tag: v0.57)
Author: Phil Pennock
Date: 2008-04-23 05:45:51 +0000
Authen::SASL 2.11 is out. Adjust to use it.
commit 2ae662f05c69edc847f15e4abff785350f94919d (tag: v0.56)
Author: Phil Pennock
Date: 2008-03-28 05:36:36 +0000
Yves is using the older Cyrus setup which doesn't automatically send
a capability response and noted that the NOOP->NO logic was broken
by the new checks on capabilities.
Attempted to fix it. Will publicly release this fix if this is
confirmed to work.
commit dfb59fca7f23fff7b28377f20ae77774f479434b
Author: Phil Pennock
Date: 2008-03-24 07:10:14 +0000
Condense copyright years.
Confirms that grep pattern in Makefile works. :^)
commit 65f44ba336b4ae6723a081f4e562d3de0c6c54c3
Author: Phil Pennock
Date: 2008-03-24 07:00:08 +0000
Copyright update: it's 2008 now and there have been logic changes.
commit 18a4b7a59ba50fd10cf4e8aabc5ab9db52d0824e (tag: v0.52)
Author: Phil Pennock
Date: 2008-03-24 06:10:07 +0000
Do final server verification if Authen::SASL::Perl is newer than the
current version. Revisit this?
commit 691575e7e552cc2839b9ea8f6f2443002c32c775
Author: Phil Pennock
Date: 2008-03-24 04:53:57 +0000
When repeating parameters, strip off to basename so that can put a pathname
and end up uploading a filename.
commit c20cc3dedcc53b8bcbe1ba6feb3123e106a07a8e
Author: Phil Pennock
Date: 2008-03-24 03:21:08 +0000
Skip aNULL TLS ciphers too.
Documentation update re GSSAPI and added a TODO
commit 1a1a633f9655820adb255f5cee2ae94f1e4fdb3d
Author: Phil Pennock
Date: 2008-03-24 02:37:32 +0000
Handle OK followed by data at end of capability response. Is legit.
Reported by Can Burak Cilingir to Debian.
Support empty capability value "" in some special cases. Noted in debug
output in Can's bug-report.
Capability names are case-insensitive, deal accordingly.
More robustness against dropped connections (debugging against pysieved).
Handle a + in a literal length in a place where it was missed.
commit d9b4d31b7c55d88f91efa7486d2318b0edb764e5
Author: Phil Pennock
Date: 2008-01-03 08:32:29 +0000
Renamed --dumpsslinfo to --dumptlsinfo but kept old name too since
it's as likely to be used by someone going from memory.
Documented --dumptlsinfo. Sent the PEM to stderr ipv stdout.
commit 0a250164e0fea825402e109173588c2811b4dfff
Author: Phil Pennock
Date: 2008-01-03 08:24:18 +0000
--dumpsslinfo to show the SSL cert info and, if debugging, the PEM cert.
commit 647a14cd716dda1d769f2cf438fc55dc3f8e321f
Author: Phil Pennock
Date: 2008-01-03 00:54:15 +0000
Debug traces now include trailing \r\n etc.
commit 4b8e7b9db24e87dd138ec78c4d8a7c88f27aafdf (tag: v0.44)
Author: Phil Pennock
Date: 2008-01-02 01:18:19 +0000
MultiHomed => 1
(try multiple IPs, incl. IPv4 when service not listening on IPv6)
commit da01f86159893b564ca352d0eaf33ee9a7af2b6a (tag: v0.43)
Author: Phil Pennock
Date: 2007-12-27 02:31:10 +0000
Cyrus 2.3.11 broke sieve-connect by sending an unrequested CAPABILITY
response after finishing TLS negotiations. This leads to protocol
ambiguity; work around it by sending a non-existent command (NOOP),
expecting to see a NO response; if we get a CAPABILITY response first
then use that, otherwise issue a CAPABILITY command as per normal.
commit 5a3c992ccd28716d0b2f46a2d32ca251e1a3014d (tag: v0.42)
Author: Phil Pennock
Date: 2007-12-06 07:14:19 +0000
Properly restrict the tab-completion stuff to only be set up if
Term::ReadLine is Term::ReadLine::Gnu.
Fixes warnings on MacOS X from uninitialised variables ($quote,
from $rl_attribs->{completion_quote_character} at what was
line 1008, now 1010).
commit 22cd88948f3c194a448b3fbe5c91c1837b718f9b (tag: v0.41)
Author: Phil Pennock
Date: 2007-11-24 14:57:45 +0000
Comment explaining why $authconversation->code() not checked in final verification.
commit 0394947c02947f7faa44653ca7dd85a7c77788a6
Author: Phil Pennock
Date: 2007-11-24 14:30:13 +0000
Version
commit 7d7d72f69af14a2399eb449a922751a8d75c23b6 (tag: v0.39)
Author: Phil Pennock
Date: 2007-11-20 02:40:36 +0000
Put the new SASL error checking in after the client_step() too.
commit 44a873f42fa68c49abc914a631a2c58c147c3a53
Author: Phil Pennock
Date: 2007-11-20 02:38:43 +0000
Turns out, can use methods on the SASL client object to detect an error
and report it. Do so. Now highlights when GSSAPI fails because there's
no server principal (which raises questions as to why the mechanism would
be advertised in that case).
bugfix a die() -> closedie() (audited for other occurences, none found)
commit c43a8a3ce1db33ca81a691db57f7a132fa444029 (tag: v0.33)
Author: Phil Pennock
Date: 2007-06-09 00:58:49 +0000
Moved the defaults for $forbid_* up to the user-configurable section.
commit e19bdd90070aa2073c1f107547dd22f5b5a134dd
Author: Phil Pennock
Date: 2007-06-07 08:39:23 +0000
--noclearauth, --noclearchan
Makefile: install-* targets dependent upon files being installed.
commit 3c02835329288f86bc6883136241bc46516e3b61 (tag: v0.30)
Author: Phil Pennock
Date: 2007-06-05 07:52:50 +0000
Make generated man-page slightly cleaner syntactically.
Should make whatis indices correct.
commit 71be07951849dff0f4f8f54649960416ffff86a5
Author: Phil Pennock
Date: 2007-06-05 07:15:13 +0000
Make manpage & PGP sig; change title line in man-page.
commit df2aa74788a90f68e88abfe7e37cd5d8f7d7a7c8
Author: Phil Pennock
Date: 2007-06-05 06:48:08 +0000
Started packaging up sieve-connect.
commit 0ab03c1cc5cad24e88b4c7901e5172020db8a478
Author: Phil Pennock
Date: 2007-06-05 05:44:52 +0000
sieve_connect -> sieve-connect
Generated by dwww version 1.15 on Thu Aug 28 22:48:06 CEST 2025.