Stop Fetchmail SSL Cert Errors

What is Fetchmail?
Fetchmail is a program that can retrieve email from remote servers for on-demand TCP/IP connections. Many users appreciate the ability to separate the process of downloading their messages located on a remote server from the process of reading and organizing their email in an MUA. Designed with the needs of dial-up users in mind, Fetchmail will connect and quickly download all of your email messages to your mail spool file using any number of protocols, including POP3 and IMAP. It can even forward your email messages to an SMTP server, if necessary.

Before attempting to use Fetchmail, be sure that it is installed on your system. If it is not, you can install it using the fetchmail RPM on the Red Hat Linux CD-ROMs.

Fetchmail is configured for each user through the use of a .fetchmailrc file in the user's home directory. A program bundled with Fetchmail, called fetchmailconf, is very helpful for configuring a basic .fetchmailrc file that you can customize at will.
Using preferences in the .fetchmailrc file, Fetchmail will check for email on a remote server and pull it off, attempting to deliver it to port 25 on the local machine, using the local MTA to place the email in the correct user's spool file. If Procmail is available, it can then be used to filter the email and place it in a mailbox so that it can be read by an MUA.

ERROR !!!
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate
 
SOLUTION !!!
get the mail server’s cert, and if necessary the cert from the issuing authority. ~/.fetchmail is a convenient place (for me) to keep fetchmail-related files, so for this example, I will use ~/.fetchmail/ssl

# mkdir -p ~/.fetchmail/ssl

# cd ~/.fetchmail/ssl

get the mail server’s cert: 

# echo | openssl s_client -connect mail.example.com:993 -showcerts 2>/dev/null | sed -ne '/BEGIN CERT/,/END CERT/p' > mail.example.com.pem

get the CA’s root cert

extract the issuer from the mail server’s cert:

# echo | openssl s_client -connect mail.example.com:993 -showcerts 2>/dev/null | sed -ne '/issuer=/p'

if Equifax Secure Certificate Authority, get their cert at
https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer

# curl https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer > equifax.pem

let openssl index the certs (c_rehash creates the hash-named symlinks that openssl uses to look up certificates in the directory):

# c_rehash ~/.fetchmail/ssl

update .fetchmailrc - add these lines to the server’s section after the user options:

sslcertck
sslcertpath "~/.fetchmail/ssl"

# sample server section:
poll mail.example.com
proto IMAP
timeout 60
auth password
user "foo"
password "bar"
sslcertck
sslcertpath ~/.fetchmail/ssl

the fetchmail logs should now be clear. if not, comment out the previous two lines, and add the server’s fingerprint to .fetchmailrc, again, in the server section. the fingerprint pins this exact certificate, so it has to be regenerated whenever the server’s certificate is replaced:

# openssl x509 -in ~/.fetchmail/ssl/mail.example.com.pem -noout -md5 -fingerprint |
               sed 's/.*=/sslfingerprint "/;s/$/"/'

output looks like:

-> sslfingerprint "3E:5C:C1:83:0A:CA:E0:10:69:FD:F1:A4:99:8C:02:41"
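
The s_client -showcerts command above writes every certificate the server sends into mail.example.com.pem, while c_rehash indexes at most one certificate per file. The following is an added example, not part of the original post: a shell function that splits such a bundle into one file per certificate. The function name split_pem_chain and the <prefix>-N.pem file naming are assumptions made for illustration, and the demo input is constructed placeholder data, not real certificates.

```sh
# Added example: split a PEM bundle into one certificate per file.
# split_pem_chain and the <prefix>-N.pem naming are hypothetical.
split_pem_chain() {
    bundle=$1   # PEM file holding one or more certificates
    outdir=$2   # directory that sslcertpath points at
    prefix=$3   # output file name prefix, e.g. the server name
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    mkdir -p "$outdir" || return 2
    awk -v dir="$outdir" -v pre="$prefix" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = dir "/" pre "-" n ".pem"
            inside = 1
        }
        inside { print > out }     # ">" truncates only on first open
        /-----END CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END {
            if (inside) { print "truncated certificate block" > "/dev/stderr"; exit 3 }
            if (n == 0) { print "no certificate found" > "/dev/stderr"; exit 1 }
            print n                # number of files written
        }
    ' "$bundle"
}

# Constructed demo input: two placeholder blocks, not real certificates.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'QkJCQg==' '-----END CERTIFICATE-----' \
              > "$demo/chain.pem"
split_pem_chain "$demo/chain.pem" "$demo/ssl" mail.example.com   # prints 2
rm -rf "$demo"
```

Keep the original bundle outside ~/.fetchmail/ssl (or remove it after splitting) and run c_rehash ~/.fetchmail/ssl again so each split file gets its own hash link.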
