Skip to content

Make fetchmail play nice with your ISP’s SSL-Certificate

4. December 2011

Problem:
Using secure connections, fetchmail compares the server key md5-fingerprint with the one given in the configuration file. The connection fails with

fetchmail: $SERVER fingerprints do not match!
fetchmail: SSL connection failed.

Cause:
if those fingerprints do not match.

Solution:
So, what’s the fastest way to get the server’s certificate and fingerprint? Just use

openssl s_client -connect $SERVER:$PORT -showcerts | openssl x509 -fingerprint -noout -md5

replacing $SERVER and $PORT with the appropriate values.

The output might look like this

depth=1 /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
 verify error:num=19:self signed certificate in certificate chain
 verify return:0
 MD5 Fingerprint=09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5
Now cut and paste the fingerprint to your fetchmailrc and that's it!
 /etc/fetchmailrc or ~/.fetchmailrc
 poll ... sslfingerprint '09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5'

Example ~/.fetchmailrc

# kein syslog, sonst keine ausgaben to stdout
#set syslog
set postmaster "postmaster"
set bouncemail
set spambounce
set properties ""

#############################################
# foo@bar.com (ISP)                         #
#############################################
poll mail.your-isp.com  with proto POP3 timeout 60 and options no dns
       user 'foo@bar.com' there with password 'baz'
       is   'foo'    here
       options fetchall keep
#       options fetchall

########################################################################################
### Add this for fetchmail on mm2                                                    ###
### Why?                                                                             ###
### Because it uses SSL by default                                                   ###
########################################################################################
### How to get this?                                                                 ###
### openssl s_client -connect mail.your-isp.de:993  -showcerts | openssl x509 -fingerprint -noout -md5       ###
###                                                                                  ###
### Quelle:                                                                          ###
### http://www.bstegmaier.de/wiki/index.php/Fetchmail_ssl_fingerprint                ###
########################################################################################
        sslfingerprint 'AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'


http://www.bstegmaier.de/wiki/index.php/Fetchmail_ssl_fingerprint

Advertisements

From → Mail

Leave a Comment

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: