Fetchmail with SSL
From Antiflux Wiki
(→Configure Fetchmail) |
|||
| (12 intermediate revisions not shown.) | |||
| Line 23: | Line 23: | ||
== The Steps == | == The Steps == | ||
| - | + | Firstly, note that all of these commands take place on your local machine, not on antiflux. Also, all of the steps below specify my home directory (/home/yohanan) on my local machine. You should obviously change this to your home directory. | |
| - | + | === Create a Local Repository for the Certificates === | |
| - | + | <pre> | |
| + | $ mkdir /home/yohanan/.certs | ||
| + | </pre> | ||
| - | <pre>$ openssl s_client -CApath /home/yohanan/.certs -connect mail.antiflux.org:993 -showcerts</pre> | + | === Get the Mail Server Certificate === |
| + | |||
| + | <pre> | ||
| + | $ openssl s_client -CApath /home/yohanan/.certs -connect mail.antiflux.org:993 -showcerts | ||
| + | </pre> | ||
Press Ctrl-D when you get the Ok line to terminate the session. Scroll up through the output generated and copy/paste the lines of output inclusive of the lines listed below. | Press Ctrl-D when you get the Ok line to terminate the session. Scroll up through the output generated and copy/paste the lines of output inclusive of the lines listed below. | ||
| - | <pre>-----BEGIN CERTIFICATE----- | + | <pre> |
| + | -----BEGIN CERTIFICATE----- | ||
... | ... | ||
<a whole lot of cryptic ascii here> | <a whole lot of cryptic ascii here> | ||
... | ... | ||
| - | -----END CERTIFICATE-----</pre> | + | -----END CERTIFICATE----- |
| + | </pre> | ||
| - | Save them in a file in /home/yohanan/.certs. The file must end in a ''pem'' extension. For example, you could name the file | + | Save them in a file in /home/yohanan/.certs. The file must end in a ''pem'' extension. For example, you could name the file antiflux.org.pem. |
| - | + | === Get the Root Certificate === | |
| - | <pre>$ cd /home/yohanan/.certs | + | You need to download [http://antiflux.org/ca/antiflux.org-root.crt http://antiflux.org/ca/antiflux.org-root.crt] but this can be an issue using a browser since there is a good chance your browser will try to install it (for its mail client). Instead you need to do a "Save link as..." from the browser to save it. Put it in the /home/yohanan/.certs directory and change the extension from ''crt'' to ''pem''. |
| + | |||
| + | I use '''wget''' from the command-line to get around using the browser to download the certificate. | ||
| + | |||
| + | <pre> | ||
| + | $ cd /home/yohanan/.certs | ||
$ wget http://antiflux.org/ca/antiflux.org-root.crt | $ wget http://antiflux.org/ca/antiflux.org-root.crt | ||
| - | $ mv antiflux.org-root.crt antiflux.org-root.pem</pre> | + | $ mv antiflux.org-root.crt antiflux.org-root.pem |
| + | </pre> | ||
| + | |||
| + | === Run ''c_rehash'' on the Certificates Directory === | ||
| + | |||
| + | <pre> | ||
| + | $ c_rehash /home/yohanan/.certs | ||
| + | </pre> | ||
| + | |||
| + | You should see results similar to the following: | ||
| + | |||
| + | <pre> | ||
| + | Doing /home/yohanan/.certs | ||
| + | antiflux.org.pem => 6aaf9651.0 | ||
| + | antiflux.org-root.pem => 3a918149.0 | ||
| + | </pre> | ||
| + | |||
| + | === Recheck Your Work === | ||
| + | |||
| + | Re-run the following command: | ||
| + | |||
| + | <pre> | ||
| + | openssl s_client -CApath /home/yohanan/.certs -connect mail.antiflux.org:993 -showcerts | ||
| + | </pre> | ||
| + | |||
| + | Scroll to the top of the output and look for a ''depth=1''. This implies that the certificates are now in working order. | ||
| + | |||
| + | === Configure Fetchmail === | ||
| + | |||
| + | First, get the fingerprint for the mailserver by using the following command: | ||
| + | |||
| + | <pre> | ||
| + | $ openssl x509 -in /home/yohanan/.certs/antiflux.org.pem -noout -md5 -fingerprint | ||
| + | </pre> | ||
| + | |||
| + | You should see output similar to the following: | ||
| + | |||
| + | <pre> | ||
| + | MD5 Fingerprint=E8:9C:9E:43:89:15:4E:C8:6C:BA:5C:05:5B:F3:95:C7 | ||
| + | </pre> | ||
| + | |||
| + | You will use the part after MD5 Fingerprint= in your .fetchmailrc configuration as stated below. I will assume that you already have a properly configured .fetchmailrc file. The following information needs to be included: | ||
| + | |||
| + | <pre> | ||
| + | ssl sslcertck sslfingerprint 'A1:B2:C3:D4:E5:F6:G7:H8:I9:J0:K1:L2:M3:N4:O5:P6' | ||
| + | sslcertpath /home/yohanan/.certs | ||
| + | </pre> | ||
| + | |||
| + | === Run Fetchmail to Test === | ||
| + | |||
| + | <pre> | ||
| + | $ fetchmail | ||
| + | </pre> | ||
| + | |||
| + | If no errors are output, then you are all done. | ||
Current revision
My home machine runs Gentoo Linux. I pull all the e-mail from my various accounts---personal, school, etc.---to my home machine and read it from there. I use fetchmail to pull my e-mail, and I use mutt to read/send my e-mail.
This article does not attempt to go into the depths of using fetchmail. Rather, it describes a specific issue I had while pulling mail from antiflux. Specifically, I use fetchmail in conjunction with SSL and was running into error messages because the Antiflux root CA is not issued by a well-known authority. What I list below are the steps to setting up fetchmail using SSL to obtain e-mail from antiflux. This is a slightly more specific (to antiflux) description I originally posted in a Gentoo forum.
Contents |
Preliminary Information
My home directory is /home/yohanan
Here are the original errors I was seeing whenever fetchmail:
fetchmail: Server certificate verification error: unable to get local issuer certificate fetchmail: Server certificate verification error: certificate not trusted fetchmail: Server certificate verification error: unable to verify the first certificate
Here is the pertinent information I (now) have in my .fetchmailrc file:
poll mail.antiflux.org with proto IMAP
user 'yohanan' there with password 'PASSWORD' is 'yohanan' here ssl
sslcertck sslfingerprint 'E8:9C:9E:43:89:15:4E:C8:6C:BA:5C:05:5B:F3:95:C7'
sslcertpath /home/yohanan/.certs fetchall
The Steps
Firstly, note that all of these commands take place on your local machine, not on antiflux. Also, all of the steps below specify my home directory (/home/yohanan) on my local machine. You should obviously change this to your home directory.
Create a Local Repository for the Certificates
$ mkdir /home/yohanan/.certs
Get the Mail Server Certificate
$ openssl s_client -CApath /home/yohanan/.certs -connect mail.antiflux.org:993 -showcerts
Press Ctrl-D when you get the Ok line to terminate the session. Scroll up through the output generated and copy/paste the lines of output inclusive of the lines listed below.
-----BEGIN CERTIFICATE----- ... <a whole lot of cryptic ascii here> ... -----END CERTIFICATE-----
Save them in a file in /home/yohanan/.certs. The file must end in a pem extension. For example, you could name the file antiflux.org.pem.
Get the Root Certificate
You need to download http://antiflux.org/ca/antiflux.org-root.crt but this can be an issue using a browser since there is a good chance your browser will try to install it (for its mail client). Instead you need to do a "Save link as..." from the browser to save it. Put it in the /home/yohanan/.certs directory and change the extension from crt to pem.
I use wget from the command-line to get around using the browser to download the certificate.
$ cd /home/yohanan/.certs $ wget http://antiflux.org/ca/antiflux.org-root.crt $ mv antiflux.org-root.crt antiflux.org-root.pem
Run c_rehash on the Certificates Directory
$ c_rehash /home/yohanan/.certs
You should see results similar to the following:
Doing /home/yohanan/.certs antiflux.org.pem => 6aaf9651.0 antiflux.org-root.pem => 3a918149.0
Recheck Your Work
Re-run the following command:
openssl s_client -CApath /home/yohanan/.certs -connect mail.antiflux.org:993 -showcerts
Scroll to the top of the output and look for a depth=1. This implies that the certificates are now in working order.
Configure Fetchmail
First, get the fingerprint for the mailserver by using the following command:
$ openssl x509 -in /home/yohanan/.certs/antiflux.org.pem -noout -md5 -fingerprint
You should see output similar to the following:
MD5 Fingerprint=E8:9C:9E:43:89:15:4E:C8:6C:BA:5C:05:5B:F3:95:C7
You will use the part after MD5 Fingerprint= in your .fetchmailrc configuration as stated below. I will assume that you already have a properly configured .fetchmailrc file. The following information needs to be included:
ssl sslcertck sslfingerprint 'A1:B2:C3:D4:E5:F6:G7:H8:I9:J0:K1:L2:M3:N4:O5:P6' sslcertpath /home/yohanan/.certs
Run Fetchmail to Test
$ fetchmail
If no errors are output, then you are all done.
