fetchmail-users

Re: [fetchmail-users] Fetchmail retrieving message body of only "OK FETCH completed"?

[Rob M. <rob...@gm...>]

Keep it on the list please!

On 7/23/07, Beau James <bj...@ci...> wrote:
> Is what follows what you meant by "diagnosic", or have I left something out?

That's what a lack of caffeine does for my ability to speel :)

> 220 xfe-sjc-211.amer.cisco.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1
> 830 ready at  Mon, 23 Jul 2007 11:57:54 -0700

Can you find out which version of Exchange this is?

>     6. The output of fetchmail -V called with whatever other command-line
>        options you used.
>
> % fetchmail -V
> This is fetchmail release 6.2.2+NTLM+SSL

As Matthias said, you really (*really*) need to upgrade to 6.3.8.  You
don't even have to install the software, you can just run the binary
from your chosen location :)

There's no obvious problems with your config.

Sanity check - accessing your mailbox with another IMAP client (or
even Outlook Web Access, OWA) for these problem emails doesn't show
any problem?

If that is the case can you provide (as unchanged as possible) a
sample problem email?  There may be something in there that helps work
out what's going on.

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche

Re: [fetchmail-users] Fetchmail retrieving message body of only "OK FETCH completed"?

[Beau J. <bj...@ci...>]

--> Keep it on the list please!

Sorry, I meant to "Reply-All" but fat-fingered it to a unicast reply.

Our sysadmins replied that there had been a problem with the loadbalancing
frontends for the Exchange server pool.  They tell me that it is fixed now.
Given the intermittent and relatively infrequent nature of the problem, it
will take some time to feel confident that that is really the case.

FWIW, other info inline below.

Thanks again.

Beau

--> On 7/23/07, Beau James <bj...@ci...> wrote:
--> > Is what follows what you meant by "diagnosic", or have I left something out?
--> 
--> That's what a lack of caffeine does for my ability to speel :)
--> 
--> > 220 xfe-sjc-211.amer.cisco.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1
--> > 830 ready at  Mon, 23 Jul 2007 11:57:54 -0700
--> 
--> Can you find out which version of Exchange this is?

I'll see if I can get that info.  If anyone knows how to ask Exchange
for that info "over the wire", please let me know - I don't have
access to the machines on which Exchange is running.

--> >     6. The output of fetchmail -V called with whatever other command-line
--> >        options you used.
--> >
--> > % fetchmail -V
--> > This is fetchmail release 6.2.2+NTLM+SSL
--> 
--> As Matthias said, you really (*really*) need to upgrade to 6.3.8.  You
--> don't even have to install the software, you can just run the binary
--> from your chosen location :)

I'm trying to convince the admins to upgrade the company-wide version.

In the meantime, I downloaded and installed the source package, built
it myself, and tried to run the version I had built.  I worked through
a number of issues but then ran into SSL errors:

fetchmail: starting fetchmail 6.3.8 daemon
25839:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_cl
nt.c:567:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from bj...@em...
fetchmail: Query status=2 (SOCKET)
fetchmail: sleeping at Sun Jul 22 21:24:36 2007 for 300 seconds

at which point I decided I was getting in over my head.

--> There's no obvious problems with your config.

Thanks.

--> Sanity check - accessing your mailbox with another IMAP client (or
--> even Outlook Web Access, OWA) for these problem emails doesn't show
--> any problem?

Correct.

--> If that is the case can you provide (as unchanged as possible) a
--> sample problem email?  There may be something in there that helps work
--> out what's going on.

I will do that, if it happens again.

--> -- 
-->                  Please keep list traffic on the list.
--> 
--> Rob MacGregor
-->       Whoever fights monsters should see to it that in the process he
-->         doesn't become a monster.                  Friedrich Nietzsche
--> _______________________________________________
--> fetchmail-users mailing list
--> fet...@li...
--> https://lists.berlios.de/mailman/listinfo/fetchmail-users
--> 

Re: [fetchmail-users] Fetchmail retrieving message body of only "OK FETCH completed"?

[Matthias A. <mat...@gm...>]

Beau James schrieb:
> In the meantime, I downloaded and installed the source package, built
> it myself, and tried to run the version I had built.  I worked through
> a number of issues but then ran into SSL errors:
> 
> fetchmail: starting fetchmail 6.3.8 daemon
> 25839:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_cl
> nt.c:567:
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from bj...@em...
> fetchmail: Query status=2 (SOCKET)
> fetchmail: sleeping at Sun Jul 22 21:24:36 2007 for 300 seconds

This looks like fetchmail talking SSL to a non-SSL port. Note that TLS is
not the same as SSL; TLS starts in cleartext and negotiate SSL while there
has been some protocol chit-chat, and SSL starts with the SSL negotiation
right away. TLS and SSL also use separate ports. TLS uses the regular
110/143 for POP3/IMAP, SSL uses 995/993 for POP3/IMAP.

HTH
Matthias

Re: [fetchmail-users] Fetchmail retrieving message body of only "OK FETCH completed"?

[Rob M. <rob...@gm...>]

On 7/24/07, Beau James <bj...@ci...> wrote:
>
> I'll see if I can get that info.  If anyone knows how to ask Exchange
> for that info "over the wire", please let me know - I don't have
> access to the machines on which Exchange is running.

You may want to simply ask the admins :)

> I'm trying to convince the admins to upgrade the company-wide version.

Just point them to the list of known vulnerabilities, and the fact
that support on this list will be little more than "upgrade if you
want any real help" :)

> In the meantime, I downloaded and installed the source package, built
> it myself, and tried to run the version I had built.  I worked through
> a number of issues but then ran into SSL errors:
>
> fetchmail: starting fetchmail 6.3.8 daemon
> 25839:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_cl
> nt.c:567:
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from bj...@em...
> fetchmail: Query status=2 (SOCKET)
> fetchmail: sleeping at Sun Jul 22 21:24:36 2007 for 300 seconds
>
> at which point I decided I was getting in over my head.

If you run the diagnostic output (--nosyslog --nodetach -vvv) it may
provide more to information to work with.  You may find section K6 of
the FAQ useful.

Alternatively, just configure it without SSL :)

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche

Re: [fetchmail-users] Fetchmail retrieving message body of only "OK FETCH completed"?

[Beau J. <bj...@ci...>]

--> > In the meantime, I downloaded and installed the source package, built
--> > it myself, and tried to run the version I had built.  I worked through
--> > a number of issues but then ran into SSL errors:
--> > 
--> > fetchmail: starting fetchmail 6.3.8 daemon
--> > 25839:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_cl
--> > nt.c:567:
--> > fetchmail: SSL connection failed.
--> > fetchmail: socket error while fetching from bj...@em...
--> > fetchmail: Query status=2 (SOCKET)
--> > fetchmail: sleeping at Sun Jul 22 21:24:36 2007 for 300 seconds
--> 
--> This looks like fetchmail talking SSL to a non-SSL port. Note that TLS is
--> not the same as SSL; TLS starts in cleartext and negotiate SSL while there
--> has been some protocol chit-chat, and SSL starts with the SSL negotiation
--> right away. TLS and SSL also use separate ports. TLS uses the regular
--> 110/143 for POP3/IMAP, SSL uses 995/993 for POP3/IMAP.
--> 
--> HTH

Indeed it did.  Thanks!

Starting "fetchmail --service 993" worked - mail was retrieved from
the Exchange server with no problem.

I did get one message in the logfile:

fetchmail: starting fetchmail 6.3.8 daemon
fetchmail: Server certificate verification error: self signed certificate in cer
tificate chain

This didn't seem to cause any problems.  Sorry, I'm a crypto neophyte.
I know what this means, literally, but don't know what the implications

Thanks again for the info about the SSL ports.

Beau

--> Matthias
--> 

Re: [fetchmail-users] Fetchmail retrieving message body of only "OK FETCH completed"?

[Matthias A. <mat...@gm...>]

Beau James schrieb:
> --> > In the meantime, I downloaded and installed the source package, built
> --> > it myself, and tried to run the version I had built.  I worked through
> --> > a number of issues but then ran into SSL errors:
> --> > 
> --> > fetchmail: starting fetchmail 6.3.8 daemon
> --> > 25839:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_cl
> --> > nt.c:567:
> --> > fetchmail: SSL connection failed.
> --> > fetchmail: socket error while fetching from bj...@em...
> --> > fetchmail: Query status=2 (SOCKET)
> --> > fetchmail: sleeping at Sun Jul 22 21:24:36 2007 for 300 seconds
> --> 
> --> This looks like fetchmail talking SSL to a non-SSL port. Note that TLS is
> --> not the same as SSL; TLS starts in cleartext and negotiate SSL while there
> --> has been some protocol chit-chat, and SSL starts with the SSL negotiation
> --> right away. TLS and SSL also use separate ports. TLS uses the regular
> --> 110/143 for POP3/IMAP, SSL uses 995/993 for POP3/IMAP.
> --> 
> --> HTH
> 
> Indeed it did.  Thanks!
> 
> Starting "fetchmail --service 993" worked - mail was retrieved from
> the Exchange server with no problem.
> 
> I did get one message in the logfile:
> 
> fetchmail: starting fetchmail 6.3.8 daemon
> fetchmail: Server certificate verification error: self signed certificate in cer
> tificate chain
> 
> This didn't seem to cause any problems.  Sorry, I'm a crypto neophyte.
> I know what this means, literally, but don't know what the implications

The deal is that fetchmail cannot detect "man in the middle" attacks in
this environment and setup.

To fix this, you'd need to install the certificate of the "CA" that signed
the server certificate. Put the CA certificate into /etc/ssl/certs/ (adjust
path as required), run c_rehash on that directory to create the necessary
symlinks, and if that's insufficient you can tell fetchmail where to look
for the certs with the --sslcertpath option.

Once you got rid of the verification error, you should add the --sslcertck
option to have fetchmail terminate the connection if the certificate can't
be verified. That is to make sure fetchmail hands the password out only to
the real server and not any imposters that might have tapped the wire
(particularly easy with WLAN if unencrypted or using WEP), mounted ARP
redirecting attacks or whatever.

HTH
Matthias