From: Gene H. <ghe...@wd...> - 2015-01-25 16:40:59
On Sunday 25 January 2015 08:48:28 Jerry did opine And Gene did reply:
> I do not know if there is an easy way around this problem, so I thought
> I would simply ask for assistance.
>
> I have several users here that use Google's "gmail". Google has been
> changing their SSL certificate on a nearly monthly basis. This causes
> havoc with our mail system.
>
> Fetchmail is configured to fetch mail from 11 different "gmail"
> accounts. Each account has a different "user name" and "password". The
> config line in the global fetchmailrc file reads like this:
>
> user 'us...@gm...' there with password 'SECRET' options forcecr
> dropdelivered smtpname ssl sslcertpath /usr/local/etc/postfix/certs
> sslfingerprint '26:85:9C:DD:04:26:70:C2:20:0A:A0:A2:24:E4:CF:30'
>
> Every time Google changes certs, I have to get their new fingerprint
> and change it on all of the gmail accounts. Fetchmail does not send a
> notice to the user that SSL has failed. Therefore, it is sometimes a
> day or two before anyone actually knows it has happened. That is rare
> though. Most of the time they realize it after not receiving any mail
> for 24 hours.
>
> My questions are:
>
> 1) Is it possible to configure fetchmail to send an error notice to the
> user immediately if an ssl error has occurred?
>
> 2) How else could I configure fetchmail to simply not check the
> fingerprint?
>
> I did notice that "fetchmailconf" will print out the new fingerprint
> when used to access gmail. Is there a way to have fetchmail send that
> to the user? I currently use openssl to download the certs and extract
> the fingerprint.
>
> By the way, I use fetchmail > Postfix > Dovecot. I have never been able
> to get fetchmail > Dovecot without using Postfix as the intermediary.
>
> I am open to any suggestions?
This is a new bit of news to me as I have fetchmail scanning a very little
used account at gmail, one my ISP farmed out to gmail when they disco'd their
own mail server about 2 years ago, and it is not logging any failures. OTOH I
do not use it except as a pop3 fetcher, feeding procmail which runs it thru SA
and clamav. Those accounts do have the line "ssl" in their stanza.

I did have a 2nd, real gmail account, but it died, presumably from their dance
with ssl, and since I haven't actually used it for a list subscribing address
for several years, I just turned off the poll stanza as I couldn't care less
if they save 50Gb of spam in an account I can't access.

But on a reread of the man page for fetchmail, I see no mention of a way to
make such a failure verbose enough in the logs that it leaves a failure hint
there. Perhaps it needs to "grow" such a reporting option?

Or, if as you state, fetchmailconf can fetch the missing fingerprints, then
obviously the code to do so exists, why not transfer it to fetchmail with a
daemon option to enable it? That way, the fix could be automated. It would be
nice if the "postmaster" got a message that the new fingerprint fetch was done
though.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
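The fingerprint check Jerry and Gene are discussing, as an added example that is not part of the thread and not fetchmail's or fetchmailconf's own code. It assumes a fetchmailrc laid out like the quoted one (one `user ... sslfingerprint '...'` clause per account) and that the certificate each server currently presents has already been saved, for instance with `openssl s_client -connect pop.gmail.com:995 </dev/null | openssl x509`. fetchmail's `sslfingerprint` value is the MD5 of the DER-encoded server certificate written as colon-separated upper-case hex, so that is what the script recomputes and compares against each pinned value. The account names, the rc text and the two "certificates" below are constructed stand-ins (the PEM bodies are just base64 of a few bytes, not real X.509 data) so the example runs offline:

```python
"""Report fetchmail accounts whose pinned sslfingerprint no longer matches
the certificate the server now presents.  Added example, not fetchmail code."""
import base64
import hashlib
import re
from typing import Dict, List, Tuple


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and base64-decode the body to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def fetchmail_fingerprint(der: bytes) -> str:
    """MD5 of the DER certificate in fetchmail's 'AA:BB:...' notation
    (the same value `openssl x509 -noout -fingerprint -md5` prints)."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def configured_fingerprints(rc_text: str) -> Dict[str, str]:
    """Map each account in a fetchmailrc to the fingerprint it pins.
    A `user` clause extends until the next `user` keyword, so split there
    rather than relying on line boundaries."""
    pinned: Dict[str, str] = {}
    for clause in re.split(r"(?=^user\s)", rc_text, flags=re.M):
        user = re.match(r"user\s+'([^']+)'", clause)
        if not user:
            continue
        fp = re.search(r"sslfingerprint\s+'([^']+)'", clause)
        if fp:
            pinned[user.group(1)] = fp.group(1).upper()
    return pinned


def check_accounts(rc_text: str, served_pem: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (user, pinned, actual) for every account whose served
    certificate no longer matches the pinned fingerprint.  The script only
    reports; silently rewriting the pin would turn it into trust-on-first-use,
    so a human (or the postmaster's mailbox) should see the change first."""
    pinned = configured_fingerprints(rc_text)
    drifted = []
    for user, pem in served_pem.items():
        actual = fetchmail_fingerprint(pem_to_der(pem))
        if pinned.get(user) != actual:
            drifted.append((user, pinned.get(user, "<not pinned>"), actual))
    return drifted


# Constructed sample rc (hypothetical accounts, not from the thread).  Both
# accounts pin MD5("abc"); only the first server still presents those bytes.
SAMPLE_RC = """\
set postmaster "postmaster"
poll pop.gmail.com proto pop3
user 'first.user@example.invalid' there with password 'SECRET' options forcecr
dropdelivered smtpname ssl sslcertpath /usr/local/etc/postfix/certs
sslfingerprint '90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72'
user 'second.user@example.invalid' there with password 'SECRET' options ssl
sslfingerprint '90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72'
"""

# Constructed stand-ins for the servers' current certificates: base64 of
# b"abc" and b"abcd", wrapped in PEM armour.  Not real certificates.
SAMPLE_SERVED_PEM = {
    "first.user@example.invalid":
        "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n",
    "second.user@example.invalid":
        "-----BEGIN CERTIFICATE-----\nYWJjZA==\n-----END CERTIFICATE-----\n",
}


if __name__ == "__main__":
    for user, old, new in check_accounts(SAMPLE_RC, SAMPLE_SERVED_PEM):
        print(f"{user}: pinned {old}, server now presents {new}")
        print(f"  replacement clause: sslfingerprint '{new}'")
```

Run from cron with its output mailed to the postmaster, this gives the "notice that SSL has failed" Jerry asks for without waiting a day for users to notice missing mail, and the printed clause is what to paste into the rc once the new certificate has been confirmed as Google's.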