From: N.J. M. <nj...@nj...> - 2006-07-25 12:09:59
Hi,

I have been using fetchmail for about three weeks now and I am very happy with it. But... (You knew a "but" was going to be next. ;-) )

Every time I poll my ISP I get the following errors:

  fetchmail: Server CommonName mismatch: localhost.localdomain != inmail.njm.f2s.com
  fetchmail: Server certificate verification error: self signed certificate

At first I thought the first one was due to something I was doing wrong, but I now suspect it is nothing to do with me. Can someone confirm that please?

My change of mind stems from running fetchmail -v -v -v and redirecting the output to a log file. (The idea for that came from a message I read earlier today on this list, so lurking here for a while does pay. :-) ) In the log I get:

  fetchmail: Old UID list from inmail.njm.f2s.com: <empty>
  fetchmail: Scratch list of UIDs: <empty>
  fetchmail: 6.3.4 querying inmail.njm.f2s.com (protocol POP3) at Tue Jul 25 10:43:33 2006: poll started
  fetchmail: POP3< +OK imap3.freedom2surf.net Cyrus POP3 v2.2.12-Invoca-RPM-2.2.12-7 server ready <122...@im...>
  fetchmail: POP3> CAPA
  fetchmail: POP3< +OK List of capabilities follows
  fetchmail: POP3< SASL DIGEST-MD5 CRAM-MD5
  fetchmail: POP3< STLS
  fetchmail: POP3< EXPIRE NEVER
  fetchmail: POP3< LOGIN-DELAY 0
  fetchmail: POP3< TOP
  fetchmail: POP3< UIDL
  fetchmail: POP3< PIPELINING
  fetchmail: POP3< RESP-CODES
  fetchmail: POP3< AUTH-RESP-CODE
  fetchmail: POP3< USER
  fetchmail: POP3< IMPLEMENTATION Cyrus POP3 server v2.2.12-Invoca-RPM-2.2.12-7
  fetchmail: POP3< .
  fetchmail: POP3> STLS
  fetchmail: POP3< +OK Begin TLS negotiation now
  fetchmail: Issuer Organization: SomeOrganization
  fetchmail: Issuer CommonName: localhost.localdomain
  fetchmail: Server CommonName: localhost.localdomain
  fetchmail: inmail.njm.f2s.com key fingerprint: E1:A1:1A:47:61:46:97:6D:F3:9D:BF:13:59:40:EA:E3
  fetchmail: POP3> CAPA

(I hope my MUA hasn't mangled that too much.)

So it looks like fetchmail is complaining about my ISP's setup. Is that right?

For reference, I am running fetchmail 6.3.4 on FreeBSD v6.1 (STABLE).

Thanks in advance.

Cheers,
Nick.
--
"We're predicting third stage shutdown at 11 minutes 42 seconds."
From: Volker K. <hi...@pa...> - 2006-07-25 12:46:32
> fetchmail: Server CommonName mismatch: localhost.localdomain != inmail.njm.f2s.com
> fetchmail: Server certificate verification error: self signed certificate

> So it looks like fetchmail is complaining about my ISPs setup. Is that
> right?

Yes. Your ISP is using a self-baked certificate; it's cheap (i.e. free). On the negative, your fetchmail (and browser, etc) have no idea whether your ISP is trustworthy, or is in fact the person/entity it claims to be. To teach fetchmail about both, you need to load your ISP's CA (certificate authority) into your openssh setup. By doing so, you personally assume liability for aforementioned claims to be true.

The use of certificates here is to increase security. Security here means:

1) Each time you run fetchmail, the connection which is opened is guaranteed to be to <someone> at the other end. You expect that someone to be your ISP.

2) The connection is encrypted, and protected from eavesdropping by anyone other than a) yourself, b) that "someone".

The trick is to make sure that the "someone" is in fact your ISP. With self-signed certificates, the only guaranteed way to do so is to jump into your car and to pick up the CA from your ISP in person. The shortcut is to read out your ISP's certificate fingerprint, and to load this into fetchmail 6.3.4 or above. This solves your problem, but you then have two possibilities when you've loaded the fingerprint:

1) You loaded the fingerprint of your ISP's CA into fetchmail. You have security as good as it'll possibly get. Self-signed cert or otherwise.

2) You loaded the fingerprint of an imposter, assuming the imposter to be your ISP. Both you and the imposter will read your email.

Your alternative is quite likely using plain text passwords. Even possibility 2) is an improvement to that, because reading your email is restricted from everyone, to you and the imposter.

Volker
--
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
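The two checks behind the warnings in Nick's log, and the fingerprint pin Volker recommends, modelled as an added example (this is not fetchmail's code, and the thread contains none). It assumes fetchmail's fingerprint is an MD5 over the DER certificate printed as colon-separated uppercase hex pairs (the 16-pair value in the log is consistent with that), that a certificate whose subject CommonName equals its issuer CommonName is treated as self-signed (a simplification of the real signature check), and that the per-user keyword for pinning is `sslfingerprint` as in the fetchmail manual. The sample DER bytes and PEM wrapper are constructed and are not a real certificate.

```python
"""Fetchmail-style certificate checks: CommonName match, self-signed test,
and MD5 fingerprint pinning. Added illustration, not fetchmail's own code."""
import base64
import hashlib
import ssl
from typing import List, Optional


def fetchmail_fingerprint(der_cert: bytes) -> str:
    """MD5 over the DER encoding, rendered the way fetchmail prints it:
    uppercase hex pairs separated by colons (assumed format)."""
    digest = hashlib.md5(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem_cert: str) -> str:
    """Same fingerprint from a PEM blob, e.g. one saved from `openssl s_client`."""
    return fetchmail_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def common_name_matches(cert_cn: str, expected_host: str) -> bool:
    """Case-insensitive CommonName comparison allowing one wildcard in the
    leftmost label (*.example.net matches mail.example.net, not example.net)."""
    cn = cert_cn.strip().lower().rstrip(".")
    host = expected_host.strip().lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*.") and "*" not in cn[2:]:
        cn_labels, host_labels = cn.split("."), host.split(".")
        return len(cn_labels) == len(host_labels) and cn_labels[1:] == host_labels[1:]
    return False


def evaluate(cert_cn: str, issuer_cn: str, expected_host: str,
             der_cert: bytes, pinned: Optional[str] = None) -> List[str]:
    """Return the warnings this model raises, worded like fetchmail's log lines."""
    warnings = []
    if not common_name_matches(cert_cn, expected_host):
        warnings.append(f"Server CommonName mismatch: {cert_cn} != {expected_host}")
    if cert_cn == issuer_cn:  # simplification: real check verifies the signature
        warnings.append("Server certificate verification error: self signed certificate")
    fingerprint = fetchmail_fingerprint(der_cert)
    if pinned is not None and fingerprint != pinned.strip().upper():
        warnings.append(f"fingerprint mismatch: {fingerprint} != {pinned.strip().upper()}")
    return warnings


def fetchmailrc_entry(server: str, user: str, fingerprint: str) -> str:
    """A poll entry pinning the fingerprint; keyword per the fetchmail manual (assumed)."""
    return f'poll {server} protocol pop3 user "{user}" sslfingerprint "{fingerprint}"'


# Constructed sample input: NOT a real certificate, just bytes to hash.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Reproduce the situation in the log: CN and issuer both localhost.localdomain.
    for line in evaluate("localhost.localdomain", "localhost.localdomain",
                         "inmail.njm.f2s.com", SAMPLE_DER):
        print("fetchmail:", line)
    fp = fingerprint_from_pem(SAMPLE_PEM)
    print("fetchmail: inmail.njm.f2s.com key fingerprint:", fp)
    print(fetchmailrc_entry("inmail.njm.f2s.com", "nick", fp))
```

To obtain the real PEM for pinning, capture the certificate from the server itself (for a POP3 server offering STLS: `openssl s_client -starttls pop3 -connect inmail.njm.f2s.com:110`) and compare the computed value with what fetchmail -v prints; as Volker says, the pin is only as good as your confidence that the certificate you captured came from the ISP and not from someone in between, so confirm it out of band where you can.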
From: Rob M. <rob...@gm...> - 2006-07-25 18:22:50
On 7/25/06, N.J. Mann <nj...@nj...> wrote:
> Hi,
>
> I have been using fetchmail for about three weeks now and I am very
> happy with it. But... (You knew a "but" was going to be next. ;-) )
>
> Every time I poll my ISP I get the following errors:
>
> fetchmail: Server CommonName mismatch: localhost.localdomain != inmail.njm.f2s.com
> fetchmail: Server certificate verification error: self signed certificate

There was a recent thread on this. The summary (assuming you don't want to read the thread) was to either use an ISP with a clue, or do what Volker advised and use the fingerprints.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche