
fetchmail & SSL

Since I usually use SSH to connect to other machines, I simply dislike the idea of transmitting cleartext passwords. For that reason I switched from plain fetchmail to fetchmail linked against OpenSSL.

This change means that fetchmail and the corresponding POP3 or IMAP4 server no longer talk cleartext but over an SSL-encrypted connection, and therefore use port 995 (POP3S) or 993 (IMAPS) instead of 110 or 143. A few lines have to be added to .fetchmailrc for this.

The most important thing is to add the keyword ssl to the poll block, which enables fetchmail's SSL capabilities. My .fetchmailrc now looked like this:

poll pop3.web.de with
   proto pop3
   user christoph.rummel
   is bronski
   no rewrite
   ssl

Let's test this:

fetchmail: 5.9.11 querying pop3.web.de (protocol POP3) at Wed, 02 Oct 2002 18:37:27 +0200 (CEST): poll started
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Server CA
fetchmail: Server CommonName: pop3.web.de
fetchmail: pop3.web.de key fingerprint: 1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47
fetchmail: pop3.web.de fingerprints match.
fetchmail: Warning: server certificate verification: unable to get local issuer certificate
5458:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:832:
fetchmail: SSL connection failed.
fetchmail: 5.9.11 querying pop3.web.de (protocol POP3) at Wed, 02 Oct 2002 18:37:28 +0200 (CEST): poll completed
fetchmail: normal termination, status 0

The first thing I can do is add the fingerprint to my .fetchmailrc. The 16-byte value fetchmail prints is the MD5 digest of the server certificate; with sslfingerprint set, fetchmail refuses to talk to a server whose certificate has a different fingerprint, so the line has to be updated whenever the certificate is replaced. Note that on this first connection nothing vouches for the fingerprint yet, so compare it with a value published by the provider or obtained over another trusted channel before pinning it:

sslfingerprint "1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47"

Now I need to get the server's certificate. I'm using OpenSSL for that purpose:

bronski@gate:~$ openssl s_client -connect pop3.web.de:995 -showcerts

This example is for POP3; for IMAP it looks like this:

bronski@gate:~$ openssl s_client -connect mail.mac.com:993 -showcerts

The result of this command gives a lot of data, including the X.509 certificate in PEM format. What we are interested in is the part beginning and ending with the following lines:

-----BEGIN CERTIFICATE-----
MII[...]
-----END CERTIFICATE-----

But this is not everything we need: the certificate of the CA (certificate authority, the institution that issued the certificate) is also needed, because the server certificate is verified against it.
Usually the output of the last command gives you enough information to find out which CA you are looking for. There are several possibilities: either the POP service provider offers all needed certificates for download, or the CA's URL is included in the certificate's description, or you have to guess the URL from the CA's name. Once there, it usually is the CA's Class 3 certificate you are looking for. Whatever the source, get the CA certificate over a channel you trust (the provider's or CA's HTTPS site, or your distribution's CA bundle): whoever can hand you a CA certificate can impersonate the server.
mail.mac.com sends the CA certificate along with its own certificate, so we don't have to look further. pop3.web.de only sends its own certificate, but they have a link to the appropriate CA certificate on their web pages: http://trust.web.de/root.sql/
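To make the two cases above (server sends only its own certificate vs. server sends the CA certificate too) mechanical, here is an added example, not code from the original page, that parses the output of openssl s_client -showcerts, computes each certificate's fingerprint in the colon-separated form fetchmail prints, and reports which issuer certificates the server did not send. The two s_client transcripts are constructed, their base64 bodies are placeholders rather than real certificates, and the mail.example.com / Example Root CA names are hypothetical; the web.de names are the ones from the log above.

```python
import base64
import hashlib
import re


# fetchmail 5.9.x prints "key fingerprint" as the MD5 digest of the DER-encoded
# server certificate, 16 colon-separated uppercase bytes; that is the value the
# sslfingerprint keyword expects.  sha256 is offered for an out-of-band comparison.
def fingerprint(der, algo="md5"):
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# One chain entry as printed by `openssl s_client -showcerts`: an index line
# with the subject (s:), the issuer line (i:) and the PEM block.
CHAIN_ENTRY = re.compile(
    r"^ *\d+ s:(?P<subject>[^\n]*)\n *i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n[^-]*?-----END CERTIFICATE-----)",
    re.MULTILINE,
)


def parse_chain(s_client_output):
    """Extract every certificate the server sent, with its DER bytes and
    fingerprint, in the order s_client printed them (0 = server certificate)."""
    chain = []
    for m in CHAIN_ENTRY.finditer(s_client_output):
        pem = m.group("pem")
        body = "".join(pem.splitlines()[1:-1])  # drop the BEGIN/END lines
        der = base64.b64decode(body)
        chain.append({
            "subject": m.group("subject").strip(),
            "issuer": m.group("issuer").strip(),
            "pem": pem + "\n",                   # ready to be written to a .pem file
            "der": der,
            "fingerprint": fingerprint(der),
        })
    return chain


def missing_issuers(chain):
    """Issuer names for which the server sent no certificate.  These are the CA
    certificates you must obtain elsewhere (provider download page, the CA's own
    site, or the system CA directory) before sslcertck can succeed.  A
    self-signed root (subject == issuer) counts as present."""
    subjects = {c["subject"] for c in chain}
    return [c["issuer"] for c in chain if c["issuer"] not in subjects]


# --- Constructed sample output.  The base64 bodies are placeholders, NOT real
# --- certificates; only the layout of the s_client output matters here.
def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----")


WEBDE_LEAF_DER = b"placeholder, not a real DER certificate: pop3.web.de"
EXAMPLE_LEAF_DER = b"placeholder, not a real DER certificate: mail.example.com"
EXAMPLE_ROOT_DER = b"placeholder, not a real DER certificate: Example Root CA"

# Case 1 (like pop3.web.de in the text): the server sends only its own certificate.
SAMPLE_LEAF_ONLY = f"""\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=pop3.web.de
   i:/O=Thawte Consulting cc/CN=Thawte Server CA
{_pem(WEBDE_LEAF_DER)}
---
Server certificate
subject=/CN=pop3.web.de
issuer=/O=Thawte Consulting cc/CN=Thawte Server CA
---
"""

# Case 2 (like mail.mac.com in the text): the CA certificate comes along.
SAMPLE_WITH_CA = f"""\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Mail/CN=mail.example.com
   i:/O=Example Root CA/CN=Example Root CA
{_pem(EXAMPLE_LEAF_DER)}
 1 s:/O=Example Root CA/CN=Example Root CA
   i:/O=Example Root CA/CN=Example Root CA
{_pem(EXAMPLE_ROOT_DER)}
---
"""


if __name__ == "__main__":
    for name, sample in (("pop3.web.de", SAMPLE_LEAF_ONLY),
                         ("mail.example.com", SAMPLE_WITH_CA)):
        chain = parse_chain(sample)
        print(f"{name}: server sent {len(chain)} certificate(s)")
        for i, c in enumerate(chain):
            print(f"  {i}: {c['subject']}  fp {c['fingerprint']}")
        for issuer in missing_issuers(chain):
            print(f"  still needed: CA certificate for {issuer}")
```

On real output, pipe `openssl s_client -connect host:995 -showcerts </dev/null` into parse_chain; every entry's "pem" field can be written straight to a file in the sslcertpath directory, and anything listed by missing_issuers is what you still have to download from the CA.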

Update (2002-10-02):
As of today web.de has abandoned its self-signed CA certificate and switched to an official, well-known CA, namely Thawte Server CA.

If you get a certificate in DER format, you have to convert it to PEM format first. This can be done using the following command:

bronski@gate:~$ openssl x509 -in certificate.der -inform DER -outform PEM -out certificate.pem

All resulting certificates have to be put into one directory and hashed, so that OpenSSL (and thus fetchmail) can find them by issuer name. The best way to do this is c_rehash, which comes with Apache and with the OpenSSL source code, where it can be found in the subdirectory tools; OpenSSL 1.1.0 and later also provide the same function as the built-in command openssl rehash. Strictly speaking only the CA certificate is needed for the chain check; the server certificates do no harm in the directory, but fetchmail does not need them there.
OpenSSL comes with a number of well-known CA certificates preinstalled. Depending on the distribution or installation these live in, e.g., /etc/ssl/certs; if the issuing CA is already in there, that directory can serve as the certificate path directly.

bronski@gate:~$ mkdir .certs
bronski@gate:~$ cp webde*.pem thawteserverca.pem .certs
bronski@gate:~$ c_rehash .certs
webdepop3.pem => 7712a0b8.0
webdeimap.pem => 0dcae815.0
thawteserverca.pem => ddc328ff.0

Now for two more lines in .fetchmailrc:

sslcertck
sslcertpath /home/bronski/.certs

Both lines need to be in the same block as the corresponding poll command.
The first line makes fetchmail abort the connection if the server certificate cannot be verified against the certificates in that directory (for instance because it has expired or was issued by a CA you have not installed); the second line tells fetchmail where to find the certificates.
If the certificate expires, mail polling fails. You could then remove sslcertck to get at your mail again, but be aware that this drops the verification entirely: the connection is still encrypted, yet anybody able to intercept it could present their own certificate and read your password. The better fix is to fetch the server's renewed certificate (and, if the CA changed, the new CA certificate) as described above, re-run c_rehash, and update the sslfingerprint line if you set one.
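The pieces above collected into one complete poll block, as an added example rather than a file from the original page (the password still comes from .netrc); fetchmail refuses to read a .fetchmailrc that is accessible to other users, so the file itself must be chmod 600 as well:

```text
# ~/.fetchmailrc  (chmod 600 ~/.fetchmailrc)
poll pop3.web.de with
   proto pop3
   user christoph.rummel
   is bronski
   no rewrite
   ssl                                  # SSL on port 995 instead of cleartext on 110
   sslcertck                            # abort unless the server cert verifies against sslcertpath
   sslcertpath /home/bronski/.certs     # directory prepared with c_rehash
   sslfingerprint "1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47"   # pin the cert too; update on renewal
```

With both sslcertck and sslfingerprint set, a renewed server certificate will stop polling twice over: once because the old pin no longer matches, and, if the CA changed as well, once more because the chain no longer verifies.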

Now polling for mail looks like this:

bronski@lampe:~$ fetchmail -v pop3.web.de
fetchmail: 5.9.11 querying pop3.web.de (protocol POP3) at Wed, 02 Oct 2002 18:42:00 +0200 (CEST): poll started
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Server CA
fetchmail: Server CommonName: pop3.web.de
fetchmail: pop3.web.de key fingerprint: 1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47
fetchmail: pop3.web.de fingerprints match.
fetchmail: POP3< +OK WEB.DE POP3-Server
fetchmail: POP3> USER christoph.rummel
fetchmail: POP3< +OK Bitte Kennwort eingeben/enter password
fetchmail: POP3> PASS *
fetchmail: POP3< +OK Postfach bereit/mailbox locked and ready
fetchmail: POP3> STAT
fetchmail: POP3< +OK 0 0
fetchmail: No mail for christoph.rummel at pop3.web.de
fetchmail: POP3> QUIT
fetchmail: POP3< +OK
fetchmail: 5.9.11 querying pop3.web.de (protocol POP3) at Wed, 02 Oct 2002 18:42:05 +0200 (CEST): poll completed
fetchmail: normal termination, status 1

By the way, the password is taken from .netrc (don't forget to chmod 600 .netrc!).

Good luck and safe polling!

P.S.: So far I couldn't find any documentation on authentication using user (client) certificates, which would be even more thrilling! ;-)

P.P.S.: In case you have any questions, feel free to contact me via contact-form and ask your question.