Fetchmail with SSL

From Antiflux Wiki

(Difference between revisions)
Jump to: navigation, search
(The Steps)
Current revision (01:06, 27 April 2010) (edit) (undo)
(Configure Fetchmail)
 
(10 intermediate revisions not shown.)
Line 23: Line 23:
== The Steps ==
== The Steps ==
-
'''Step 1:''' Create a local repository for the certificates
+
Firstly, note that all of these commands take place on your local machine, not on antiflux. Also, all of the steps below specify my home directory (/home/yohanan) on my local machine. You should obviously change this to your home directory.
 +
 
 +
=== Create a Local Repository for the Certificates ===
<pre>
<pre>
Line 29: Line 31:
</pre>
</pre>
-
'''Step 2:''' Get the mail server certificate
+
=== Get the Mail Server Certificate ===
<pre>
<pre>
Line 45: Line 47:
</pre>
</pre>
-
Save them in a file in /home/yohanan/.certs. The file must end in a ''pem'' extension. For example, you could name the file imap.antiflux.org.pem.
+
Save them in a file in /home/yohanan/.certs. The file must end in a ''pem'' extension. For example, you could name the file antiflux.org.pem.
-
'''Step 3:''' Get the root certificate
+
=== Get the Root Certificate ===
-
You need to download [http://antiflux.org/ca/antiflux.org-root.crt] but this can be an issue using a browser since there is a good chance your browser will try to install it (for its mail client). Instead you need to do a "Save link as..." from the browser to save it. Put it in the /home/yohanan/.certs directory and change the extension from ''crt'' to ''pem''.
+
You need to download [http://antiflux.org/ca/antiflux.org-root.crt http://antiflux.org/ca/antiflux.org-root.crt] but this can be an issue using a browser since there is a good chance your browser will try to install it (for its mail client). Instead you need to do a "Save link as..." from the browser to save it. Put it in the /home/yohanan/.certs directory and change the extension from ''crt'' to ''pem''.
I use '''wget''' from the command-line to get around using the browser to download the certificate.
I use '''wget''' from the command-line to get around using the browser to download the certificate.
Line 59: Line 61:
</pre>
</pre>
-
'''Step 4:''' Run c_rehash on the certificates directory
+
=== Run ''c_rehash'' on the Certificates Directory ===
<pre>
<pre>
-
$ c_rehash /home/foobar/.certs
+
$ c_rehash /home/yohanan/.certs
</pre>
</pre>
Line 73: Line 75:
</pre>
</pre>
-
'''Step 5:''' Recheck your work
+
=== Recheck Your Work ===
Re-run the following command:
Re-run the following command:
<pre>
<pre>
-
openssl s_client -CApath /home/foobar/.certs -connect pop.foobar.com:995 -showcerts
+
openssl s_client -CApath /home/yohanan/.certs -connect mail.antiflux.org:993 -showcerts
 +
</pre>
 +
 
 +
Scroll to the top of the output and look for a ''depth=1''. This implies that the certificates are now in working order.
 +
 
 +
=== Configure Fetchmail ===
 +
 
 +
First, get the fingerprint for the mailserver by using the following command:
 +
 
 +
<pre>
 +
$ openssl x509 -in /home/yohanan/.certs/antiflux.org.pem -noout -md5 -fingerprint
 +
</pre>
 +
 
 +
You should see output similar to the following:
 +
 
 +
<pre>
 +
MD5 Fingerprint=E8:9C:9E:43:89:15:4E:C8:6C:BA:5C:05:5B:F3:95:C7
 +
</pre>
 +
 
 +
You will use the part after MD5 Fingerprint= in your .fetchmailrc configuration as stated below. I will assume that you already have a properly configured .fetchmailrc file. The following information needs to be included:
 +
 
 +
<pre>
 +
ssl sslcertck sslfingerprint 'A1:B2:C3:D4:E5:F6:G7:H8:I9:J0:K1:L2:M3:N4:O5:P6'
 +
sslcertpath /home/yohanan/.certs
 +
</pre>
 +
 
 +
=== Run Fetchmail to Test ===
 +
 
 +
<pre>
 +
$ fetchmail
</pre>
</pre>
-
Scroll to the top of the output and look for a ''depth=1''. This implies that the certificates are now in working order.
+
If no errors are output, then you are all done.

Current revision

My home machine runs Gentoo Linux. I pull all the e-mail from my various accounts---personal, school, etc.---to my home machine and read it from there. I use fetchmail to pull my e-mail, and I use mutt to read/send my e-mail.

This article does not attempt to go into the depths of using fetchmail. Rather, it describes a specific issue I had while pulling mail from antiflux. Specifically, I use fetchmail in conjunction with SSL and was running into error messages because the Antiflux root CA is not issued by a well-known authority. What I list below are the steps to setting up fetchmail using SSL to obtain e-mail from antiflux. This is a slightly more specific (to antiflux) description I originally posted in a Gentoo forum.

Contents

Preliminary Information

My home directory is /home/yohanan

Here are the original errors I was seeing whenever fetchmail:

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

Here is the pertinent information I (now) have in my .fetchmailrc file:

poll mail.antiflux.org with proto IMAP
        user 'yohanan' there with password 'PASSWORD' is 'yohanan' here ssl
sslcertck sslfingerprint 'E8:9C:9E:43:89:15:4E:C8:6C:BA:5C:05:5B:F3:95:C7'
sslcertpath /home/yohanan/.certs fetchall


The Steps

Firstly, note that all of these commands take place on your local machine, not on antiflux. Also, all of the steps below specify my home directory (/home/yohanan) on my local machine. You should obviously change this to your home directory.

Create a Local Repository for the Certificates

$ mkdir /home/yohanan/.certs

Get the Mail Server Certificate

$ openssl s_client -CApath /home/yohanan/.certs -connect mail.antiflux.org:993 -showcerts

Press Ctrl-D when you get the Ok line to terminate the session. Scroll up through the output generated and copy/paste the lines of output inclusive of the lines listed below.

-----BEGIN CERTIFICATE-----
...
<a whole lot of cryptic ascii here>
...
-----END CERTIFICATE-----

Save them in a file in /home/yohanan/.certs. The file must end in a pem extension. For example, you could name the file antiflux.org.pem.

Get the Root Certificate

You need to download http://antiflux.org/ca/antiflux.org-root.crt but this can be an issue using a browser since there is a good chance your browser will try to install it (for its mail client). Instead you need to do a "Save link as..." from the browser to save it. Put it in the /home/yohanan/.certs directory and change the extension from crt to pem.

I use wget from the command-line to get around using the browser to download the certificate.

$ cd /home/yohanan/.certs
$ wget http://antiflux.org/ca/antiflux.org-root.crt
$ mv antiflux.org-root.crt antiflux.org-root.pem

Run c_rehash on the Certificates Directory

$ c_rehash /home/yohanan/.certs

You should see results similar to the following:

Doing /home/yohanan/.certs
antiflux.org.pem => 6aaf9651.0
antiflux.org-root.pem => 3a918149.0

Recheck Your Work

Re-run the following command:

openssl s_client -CApath /home/yohanan/.certs -connect mail.antiflux.org:993 -showcerts

Scroll to the top of the output and look for a depth=1. This implies that the certificates are now in working order.

Configure Fetchmail

First, get the fingerprint for the mailserver by using the following command:

$ openssl x509 -in /home/yohanan/.certs/antiflux.org.pem -noout -md5 -fingerprint

You should see output similar to the following:

MD5 Fingerprint=E8:9C:9E:43:89:15:4E:C8:6C:BA:5C:05:5B:F3:95:C7

You will use the part after MD5 Fingerprint= in your .fetchmailrc configuration as stated below. I will assume that you already have a properly configured .fetchmailrc file. The following information needs to be included:

ssl sslcertck sslfingerprint 'A1:B2:C3:D4:E5:F6:G7:H8:I9:J0:K1:L2:M3:N4:O5:P6'
sslcertpath /home/yohanan/.certs

Run Fetchmail to Test

$ fetchmail

If no errors are output, then you are all done.

Personal tools