
Thread: Configuring ssl with fetchmail in linux

  1. #1
    Join Date
    Dec 2008
    Posts
    41

    Configuring ssl with fetchmail in linux

    Hi,
    I am looking for encryption for my cable line. I feel that if the cable line is insecure,
    then the ISP's host is probably insecure too. Also, it is sometimes possible that my ISP's connection goes via the open Internet. I read about SSL with fetchmail, but that was not enough to understand it. So could anybody please tell me
    how to configure SSL with fetchmail?
    Thank you.

  2. #2
    Join Date
    Jan 2006
    Posts
    3,792

    Re: Configuring ssl with fetchmail in linux

    Hi,
    Being secure is a good choice. SSL encrypts passwords and prevents man-in-the-middle attacks.

    You absolutely must have the latest version of fetchmail.
    The previous release does not work with SSL!
    Download from here:
    http://developer.berlios.de/project/...?group_id=1824
    The rpm binary works with my openSUSE.
    Your mileage may differ. Perhaps you will
    need to build from source.

    Step 1:
    run fetchmail -v
    • check that you do not already have an ssl
      command in .fetchmailrc
    • fetchmail -v
    • look for the first line that starts like this:
    • fetchmail: IMAP< * OK [CAPABILITY
    • check for the capability “STARTTLS” in this
      line.
    • If it is not there, you are out of luck: your IMAP
      server does not support SSL. Otherwise, go to the
      next step.



    Step 2:
    run fetchmail -v --ssl
    Look for errors that look like this:
    fetchmail: Server certificate verification error: unable to get local issuer certificate
    fetchmail: Server certificate verification error: certificate not trusted
    fetchmail: Server certificate verification error: unable to verify the first certificate
    No errors: done, add ssl to .fetchmailrc.
    Otherwise, continue to step 3.


    Step 3:
    run fetchmail -v --ssl
    look for a line that looks like this:
    fetchmail: Issuer CommonName: Equifax Secure eBusiness CA-1
    Search the net for the CommonName.



    Step 4:
    Find the place to download
    the certificate.

    We got the location!

    Check that what we found is from the true, respectable site.

    Step 5:
    Download the base64 version of the certificate.



    Step 6:
    Find the place where openssl keeps
    all its certificates!
    There will be a lot of files of type “.pem” there.
    On my system it is: /etc/ssl/certs
    Log in as root, copy the certificate you
    downloaded there, renaming the type to “.pem”.
    Then do a “c_rehash” on the directory.
    Example:
    # c_rehash /etc/ssl/certs

    Step 7:
    fetchmail -v --ssl again!
    This time check that the error messages we
    encountered before about:
    Server certificate verification error:
    have gone away!
    OK, good, we have verified that ssl works!



    Step 8:

    edit .fetchmailrc
    add “ssl” and “sslcertck” to the user line.
    Mine looks like this:
    set postmaster "pelliott"
    set bouncemail
    set no spambounce
    set properties ""
    poll mail.io.com with proto IMAP
    user 'pelliott' there with password 'XXXXXX' is \
    'pelliott' here
    ssl sslcertck


    Done.

  3. #3
    Join Date
    Feb 2008
    Posts
    2,635

    Re: Configuring ssl with fetchmail in linux

    Hey, if you want some more information for Gmail, try this.

    Configuring email client for Gmail with fetchmail.


    Enable POP in your Gmail account.

    Find out where X.509/“privacy-enhanced-mail (PEM)” certificates live on your system, e.g., in the /usr/share/ssl/certs/ directory. The “locate .pem” command may help you figure this out, or you can just create a new world-readable directory exclusively for this.

    The Gmail POP3-over-SSL (pop3s) server presents a server certificate at every secure-socket-layer (SSL) connection establishment; we will want to be able to verify its authenticity.

    (A new server certificate was rolled out by Gmail on 2005-12-13 when the old one expired on that same day with a few minutes of POP service unavailability.)

    That server certificate is itself signed by a certificate authority (CA), Equifax Secure (now GeoTrust), using a self-signed root certificate having the “Equifax Secure Certificate Authority” organizational unit name (OU) and no common name (CN). You need to download, install in its own file, and index this root certificate.




    The c_rehash command is a Perl script that comes with the OpenSSL toolkit; it creates symbolic links to certificate files (with a “.pem” extension) using symlink names based on a hash of each certificate's whole subject name. Fetchmail uses the OpenSSL libraries and will only try to open the installed file by looking it up under the 594f1775.0 (or 594f1775.1 and so on) file name in the end.

    The server certificate itself does not need to be stored anywhere.

    The fetchmail client does not need to present a client certificate. Instead, client authentication is performed using the USER and PASS post-office-protocol version 3 (POP3) commands within the SSL connection, once it has been properly established.

    Edit the appropriate .fetchmailrc file, depending on how you run fetchmail (i.e., as root or as a lesser-privileged local user). The contents of this file are documented by the fetchmail(1) man page, which can be consulted using the “man fetchmail” command. You will need an entry such as this one:



    Add any other option according to your preferences. If other family members also have a Gmail account and this is root's .fetchmailrc file, you can add similar three-line user subsections under this same poll section; the last two lines will redundantly be identical for every Gmail account.

    The specified password is that of the Gmail account, not the local user's password. Since this configuration file contains passwords, it must be non-world-readable:



    The MD5 fingerprint is that of the “pop.gmail.com” server certificate delivered by the Gmail POP3-over-SSL server, not that of the “Equifax Secure Certificate Authority” root certificate.

    Note that this will not be enough to perform certificate-revocation-list (CRL) verifications, which fetchmail/OpenSSL does not support; however, this shortcoming is somewhat mitigated by the MD5 fingerprint verification, at the price of a loss in unattended flexibility (should Gmail wish to change its server certificate for some unlikely reason).

    There is no need to inform fetchmail that the POP3-over-SSL (pop3s) TCP port is 995; it's smart enough to figure it out on its own.

    Note that POP3-over-SSL is not the same as regular (non-SSL) POP3 with use of the STLS command and capability (i.e., RFC 2595's POP3 STARTTLS extension), which Gmail does not support.

    You should be able to test this with



    once you complete the email-forwarding/email-delivery part of fetchmail's configuration and integration (which is beyond the email-retrieval scope of this help document).

    The Gmail POP3-over-SSL server specifies that it does not want to be polled more than once every five minutes (i.e., 300 seconds), as can be verified by executing the following command:



    Make sure to respect this delay if automatic polling is configured. This can be achieved by specifying “set daemon 300” in the .fetchmailrc file, or by specifying “-d 300” on the fetchmail command line, where 300 can be replaced by a greater number if desired.
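
The hash-named lookup that step 6 of post #2 and the c_rehash paragraph of post #3 rely on, as an added example that is not part of either post. It builds a throwaway root CA (OU only, no CN) and a server certificate, shows that verification against the certificate directory fails until the subject-hash symlink exists, and creates that link by hand the way c_rehash would; every name, subject and path in it is constructed.

```shell
#!/bin/sh
# Added example. Everything generated here is constructed test material:
# a throwaway root CA and a server cert for the made-up host pop.example.test.

make_demo_pki() {   # $1 = work dir; the CA cert lands in $1/certs/demo-root.pem
    mkdir -p "$1/certs" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Demo/OU=Constructed Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/certs/demo-root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -days 1 -CAcreateserial \
        -CA "$1/certs/demo-root.pem" -CAkey "$1/ca.key" \
        -out "$1/srv.pem" 2>/dev/null
}

# What c_rehash does for one file: symlink <subject-hash>.<n> -> the PEM file.
link_by_subject_hash() {   # $1 = cert dir, $2 = PEM file name inside it
    h=$(openssl x509 -in "$1/$2" -noout -hash) || return 1
    n=0
    while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done   # next free suffix on a clash
    ln -s "$2" "$1/$h.$n" && echo "$h.$n"
}

# OpenSSL finds the issuer only through the hash-named entry in the directory.
chain_ok() {   # $1 = cert dir, $2 = certificate to verify
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    # The root PEM is already in the directory, but under a non-hash name.
    if chain_ok "$d/certs" "$d/srv.pem"; then before=trusted; else before=untrusted; fi
    link=$(link_by_subject_hash "$d/certs" demo-root.pem)
    if chain_ok "$d/certs" "$d/srv.pem"; then after=trusted; else after=untrusted; fi
    echo "before=$before after=$after link=$link"
    rm -rf "$d"
}

demo
```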

  4. #4
    Join Date
    Apr 2010
    Posts
    1

    Re: Configuring ssl with fetchmail in linux

    Hi,

    I am trying to configure ssl access to gawab, but couldn't do it.
    Could anyone post the instructions regarding Gawab and Go Daddy certificates, please?

    luislupe
