Fetchmail & SSL


We don't want to authenticate in cleartext against a POP3 or IMAP server and fetch the e-mail unencrypted.

Fetchmail will be configured for SSL so that the communication with the corresponding server is encrypted.

Now some lines have to be added to ~/.fetchmailrc or /etc/fetchmailrc:

poll h727391.serverkompetenz.net
  proto pop3
  user "user"
  pass "pass"
  is username
  fetchall
  ssl

When testing the new config with fetchmail -cv, it gives back the following:

# fetchmail -cv
fetchmail: --check mode enabled, not fetching mail
fetchmail: 6.3.9 querying h727391.serverkompetenz.net (protocol POP3) at Sun Jul 26 00:41:19 2009: poll started
Trying to connect to 81.169.171.105/995...connected.
fetchmail: Issuer Organization: Courier Mail Server
fetchmail: Issuer CommonName: h727391.serverkompetenz.net
fetchmail: Server CommonName: h727391.serverkompetenz.net
fetchmail: h727391.serverkompetenz.net key fingerprint: 72:DF:A7:2F:2C:B5:9F:4A:96:C2:EA:4B:24:57:88:4A
fetchmail: Server certificate verification error: self signed certificate

Note the last line: the certificate could not be verified, but fetchmail still went on with the session. The first thing that can be done is adding the fingerprint to the poll block in fetchmailrc: sslfingerprint "72:DF:A7:2F:2C:B5:9F:4A:96:C2:EA:4B:24:57:88:4A". This is the MD5 fingerprint of the server certificate; fetchmail compares it on every connection and aborts when it differs, so the pinned value must be checked against the certificate obtained directly from the server (see below) and updated whenever the server certificate is renewed.

Now we need to get the server's certificate. We use OpenSSL for that purpose:

# openssl s_client -connect 81.169.171.105:995 -showcerts

This command prints a lot of data, including the X.509 certificate in PEM format. The part we are interested in starts and ends with the following lines:

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
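To show what the sslfingerprint check and the PEM excerpt above amount to, here is an added example (not part of the original post): it extracts the first BEGIN/END CERTIFICATE block from a constructed s_client transcript, computes the MD5 fingerprint over the DER-encoded certificate in the colon-separated form fetchmail prints, and compares it with a pinned value in constant time. The host name mail.example.invalid and the certificate body (the base64 of the bytes "abc", not a real X.509 certificate) are constructed so the script runs offline.

```python
import base64
import hashlib
import hmac
import re

# Constructed transcript in the shape of `openssl s_client -connect host:995 -showcerts` output.
# The certificate body is a placeholder (base64 of b"abc"), not a real certificate, so the
# DER hashing and fingerprint formatting can be demonstrated without a network connection.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = mail.example.invalid
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=mail.example.invalid
   i:/CN=mail.example.invalid
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.example.invalid
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)


def extract_pem_certs(text):
    """Return every PEM certificate block found in s_client output, server certificate first."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)]


def pem_to_der(pem):
    """Strip the BEGIN/END lines and base64-decode the body to the DER bytes."""
    body = PEM_BLOCK.search(pem).group(1)
    return base64.b64decode("".join(body.split()))


def fetchmail_fingerprint(der):
    """MD5 over the DER certificate, formatted as fetchmail prints it: uppercase hex pairs joined by colons."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pinned, observed):
    """Compare a pinned sslfingerprint value with the observed one, ignoring colons and case."""
    def normalise(fp):
        return fp.replace(":", "").upper()
    return hmac.compare_digest(normalise(pinned), normalise(observed))


def check_server_fingerprint(s_client_output, pinned):
    """Return (observed fingerprint, True if it equals the pinned value) for the server certificate."""
    certs = extract_pem_certs(s_client_output)
    if not certs:
        raise ValueError("no certificate block found in s_client output")
    observed = fetchmail_fingerprint(pem_to_der(certs[0]))
    return observed, fingerprint_matches(pinned, observed)


if __name__ == "__main__":
    # Pinned value for the constructed certificate (MD5 of b"abc"); a renewed certificate would
    # produce a different fingerprint and the check would report a mismatch.
    pinned = "90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72"
    observed, ok = check_server_fingerprint(SAMPLE_S_CLIENT_OUTPUT, pinned)
    print(observed, "fingerprints match" if ok else "fingerprints do NOT match")
```

The value produced by fetchmail_fingerprint is what `openssl x509 -noout -fingerprint -md5` prints for the same certificate, so the pinned sslfingerprint line can be cross-checked against a certificate file fetched independently of the connection being verified.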

The certificate of the certificate authority that issued this cert is also needed so that the cert can be verified. In this example the CA is on my mail server, so I simply downloaded its certificate and put it into the /etc/ssl/certs/ directory.

The certs have to be hashed before fetchmail can find them: OpenSSL looks certificates up by a hash of their subject name, and c_rehash creates a symlink with that hashed name for every certificate in the directory. c_rehash comes with dev-libs/openssl. Here it is done as root:

# c_rehash /etc/ssl/certs/
h727391_courier.pem => 7ac73aac.0
h727391_ca.pem => 017e6717.0

Otherwise you can put the certificates into ~/.certs/, for example, run c_rehash .certs as the normal user that runs fetchmail, and add the following two lines to your fetchmailrc.
Don't forget to adjust the path to that user's home directory.

sslcertck
sslcertpath /home/mo/.certs

Those two lines need to be in the same block as the corresponding poll command. The first line makes fetchmail abort the connection if the server certificate cannot be validated against the certs found there (for instance because it has been revoked or has expired), and the second line tells fetchmail where to find the certs.
If the certificate expires, mail polling fails. In that case sslcertck can be removed; the certificate is then no longer checked, but the mail is fetched. Keep in mind that this turns certificate verification off altogether (an sslfingerprint line, if present, still guards against a changed certificate), so it is a stopgap until the server certificate has been renewed.

After that, polling looks like this:

# fetchmail -cv
fetchmail: --check mode enabled, not fetching mail
fetchmail: 6.3.9 querying h727391.serverkompetenz.net (protocol POP3) at Sun Jul 26 01:10:52 2009: poll started
Trying to connect to 81.169.171.105/995...connected.
fetchmail: Issuer Organization: Courier Mail Server
fetchmail: Issuer CommonName: h727391.serverkompetenz.net
fetchmail: Server CommonName: h727391.serverkompetenz.net
fetchmail: h727391.serverkompetenz.net key fingerprint: 72:DF:A7:2F:2C:B5:9F:4A:96:C2:EA:4B:24:57:88:4A
fetchmail: h727391.serverkompetenz.net fingerprints match.
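As an added example (not from the original post), the following script checks a fetchmailrc against the requirements described above: ssl and sslcertck have to appear in the same poll block, and the sslcertpath directory has to contain the hashed names c_rehash produces, otherwise fetchmail cannot find the certificates there. The sample fetchmailrc, the host names under example.invalid and the throwaway cert directory are constructed; the hashed names 7ac73aac.0 and 017e6717.0 are taken from the c_rehash output above.

```python
import os
import re
import tempfile

# Constructed fetchmailrc with two poll blocks: the first follows the recipe above, the
# second enables ssl but not sslcertck (sample input, not the post's own file).
SAMPLE_FETCHMAILRC = """\
set postmaster "mo"

poll mail.example.invalid
  proto pop3
  user "user"
  pass "pass"
  is username
  fetchall
  ssl
  sslcertck
  sslcertpath /home/mo/.certs

poll imap.example.invalid
  proto imap
  user "user2"
  pass "pass2"
  ssl
"""

# Names c_rehash produces: eight hex digits of the subject-name hash, a dot, a sequence number.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")
# fetchmailrc keywords that take one argument; everything else is treated as a flag.
VALUED = {"proto", "protocol", "user", "username", "pass", "password", "is", "to",
          "sslcertpath", "sslfingerprint", "sslproto", "port", "service"}


def parse_poll_blocks(text):
    """Map each poll/skip server to its options ({keyword: value or True}); 'set' lines are ignored."""
    blocks, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tokens:
            continue
        if tokens[0] in ("poll", "skip"):
            current = tokens[1]
            blocks[current] = {}
            tokens = tokens[2:]
        if current is None:
            continue  # global settings before the first poll block
        i = 0
        while i < len(tokens):
            key = tokens[i]
            if key in VALUED and i + 1 < len(tokens):
                blocks[current][key] = tokens[i + 1].strip('"')
                i += 2
            else:
                blocks[current][key] = True
                i += 1
    return blocks


def lint_block(opts):
    """Findings for one poll block; an empty list means ssl, sslcertck and a hashed sslcertpath are all in place."""
    findings = []
    if "ssl" not in opts:
        findings.append("no 'ssl': login and mail transfer are unencrypted")
    if "sslcertck" not in opts:
        findings.append("no 'sslcertck': a certificate verification error is only logged, not fatal")
    path = opts.get("sslcertpath")
    if path:
        if not os.path.isdir(path):
            findings.append(f"sslcertpath {path} does not exist")
        elif not any(HASHED_NAME.match(name) for name in os.listdir(path)):
            findings.append(f"sslcertpath {path} contains no c_rehash-style links")
    return findings


def lint_fetchmailrc(text):
    """Run lint_block over every poll block and return {server: findings}."""
    return {server: lint_block(opts) for server, opts in parse_poll_blocks(text).items()}


def make_sample_certdir(hashed=True):
    """Create a throwaway directory that looks like ~/.certs before or after c_rehash (constructed data)."""
    certdir = tempfile.mkdtemp(prefix="fetchmail-certs-")
    for pem in ("h727391_courier.pem", "h727391_ca.pem"):
        with open(os.path.join(certdir, pem), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    if hashed:
        # The links c_rehash created in the output above, pointing at the PEM files.
        os.symlink("h727391_courier.pem", os.path.join(certdir, "7ac73aac.0"))
        os.symlink("h727391_ca.pem", os.path.join(certdir, "017e6717.0"))
    return certdir


if __name__ == "__main__":
    certdir = make_sample_certdir(hashed=True)
    rc = SAMPLE_FETCHMAILRC.replace("/home/mo/.certs", certdir)
    for server, findings in lint_fetchmailrc(rc).items():
        print(server, "OK" if not findings else "; ".join(findings))
```

Run against a real ~/.fetchmailrc by reading the file into lint_fetchmailrc; the second poll block in the sample shows the state the first fetchmail -cv run above was in, where a verification error is reported but the session continues.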
