From: Matthias A. <mat...@gm...> - 2007-07-25 02:51:33
Beau James schrieb:
> --> > In the meantime, I downloaded and installed the source package, built
> --> > it myself, and tried to run the version I had built. I worked through
> --> > a number of issues but then ran into SSL errors:
> --> >
> --> > fetchmail: starting fetchmail 6.3.8 daemon
> --> > 25839:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:
> --> > fetchmail: SSL connection failed.
> --> > fetchmail: socket error while fetching from bj...@em...
> --> > fetchmail: Query status=2 (SOCKET)
> --> > fetchmail: sleeping at Sun Jul 22 21:24:36 2007 for 300 seconds
> -->
> --> This looks like fetchmail talking SSL to a non-SSL port. Note that TLS is
> --> not the same as SSL; TLS starts in cleartext and negotiates SSL after there
> --> has been some protocol chit-chat, and SSL starts with the SSL negotiation
> --> right away. TLS and SSL also use separate ports. TLS uses the regular
> --> 110/143 for POP3/IMAP, SSL uses 995/993 for POP3/IMAP.
> -->
> --> HTH
>
> Indeed it did. Thanks!
>
> Starting "fetchmail --service 993" worked - mail was retrieved from
> the Exchange server with no problem.
>
> I did get one message in the logfile:
>
> fetchmail: starting fetchmail 6.3.8 daemon
> fetchmail: Server certificate verification error: self signed certificate in certificate chain
>
> This didn't seem to cause any problems. Sorry, I'm a crypto neophyte.
> I know what this means, literally, but don't know what the implications

The deal is that fetchmail cannot detect "man in the middle" attacks in this environment and setup.

To fix this, you'd need to install the certificate of the "CA" that signed the server certificate. Put the CA certificate into /etc/ssl/certs/ (adjust path as required), run c_rehash on that directory to create the necessary symlinks, and if that's insufficient you can tell fetchmail where to look for the certs with the --sslcertpath option.

Once you have got rid of the verification error, you should add the --sslcertck option to have fetchmail terminate the connection if the certificate can't be verified. That is to make sure fetchmail hands the password out only to the real server and not to any imposters that might have tapped the wire (particularly easy with WLAN if unencrypted or using WEP), mounted ARP redirecting attacks or whatever.

HTH
Matthias
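The steps Matthias describes (install the CA certificate, rehash the directory, confirm the chain verifies, then enforce it with sslcertck), as an added shell example that is not from this thread or from fetchmail itself; the rc-file keywords are fetchmail's own, while the function names, /etc/ssl/certs, the host name and the user are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed: the CA PEM file is
# supplied by the caller, the cert directory defaults to /etc/ssl/certs.
set -e

# 1. Install the CA certificate that signed the server certificate and create
#    the <subject-hash>.0 symlink OpenSSL uses to find it (what c_rehash does).
install_ca_cert() {
    ca_pem=$1; certdir=${2:-/etc/ssl/certs}
    cp "$ca_pem" "$certdir/"
    if command -v c_rehash >/dev/null 2>&1; then
        c_rehash "$certdir"
    else
        # Fallback when c_rehash is absent: build the one link by hand.
        hash=$(openssl x509 -noout -subject_hash -in "$ca_pem")
        ln -sf "$(basename "$ca_pem")" "$certdir/$hash.0"
    fi
}

# 2. Check that the server's chain now verifies against the directory before
#    telling fetchmail to refuse unverified certificates. Returns 0 only when
#    OpenSSL reports "Verify return code: 0 (ok)"; port 993 is IMAP over SSL.
check_server_cert() {
    host=$1; port=${2:-993}; certdir=${3:-/etc/ssl/certs}
    openssl s_client -connect "$host:$port" -CApath "$certdir" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# 3. Write an rc file equivalent to "--ssl --sslcertck --sslcertpath DIR
#    --service 993": the password is only sent once the certificate verifies.
#    The path is printed so callers can find the file.
write_fetchmailrc() {
    host=$1; user=$2; certdir=${3:-/etc/ssl/certs}; out=${4:-$HOME/.fetchmailrc}
    umask 077   # fetchmail refuses an rc file that other users can read
    cat >"$out" <<EOF
poll $host proto IMAP service 993
  user "$user" there is "$(id -un)" here
  ssl sslcertck sslcertpath "$certdir"
EOF
    echo "$out"
}
```

A typical run is `install_ca_cert exchange-ca.pem`, then `check_server_cert mail.example.com 993 && write_fetchmailrc mail.example.com alice`, so sslcertck is only switched on once verification is known to succeed.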