From: Jerry <je...@se...> - 2015-01-25 17:23:05
On Sun, 25 Jan 2015 11:40:50 -0500, Gene Heskett stated:

> On Sunday 25 January 2015 08:48:28 Jerry did opine
> And Gene did reply:
> > I do not know if there is an easy way around this problem, so I thought
> > I would simply ask for assistance.
> >
> > I have several users here that use Google's "gmail". Google has been
> > changing their SSL certificate on a nearly monthly basis. This causes
> > havoc with our mail system.
> >
> > Fetchmail is configured to fetch mail from 11 different "gmail"
> > accounts. Each account has a different "user name" and "password". The
> > config line in the global fetchmailrc file reads like this:
> >
> > user 'us...@gm...' there with password 'SECRET' options forcecr
> > dropdelivered smtpname ssl sslcertpath /usr/local/etc/postfix/certs
> > sslfingerprint '26:85:9C:DD:04:26:70:C2:20:0A:A0:A2:24:E4:CF:30'
> >
> > Every time Google changes certs, I have to get their new fingerprint
> > and change it on all of the gmail accounts. Fetchmail does not send a
> > notice to the user that SSL has failed. Therefore, it is sometimes a
> > day or two before anyone actually knows it has happened. That is rare
> > though. Most of the time they realize it after not receiving any mail
> > for 24 hours.
> >
> > My questions are:
> >
> > 1) Is it possible to configure fetchmail to send an error notice to the
> > user immediately if an ssl error has occurred?
> >
> > 2) How else could I configure fetchmail to simply not check the
> > fingerprint?
> >
> > I did notice that "fetchmailconf" will print out the new fingerprint
> > when used to access gmail. Is there a way to have fetchmail send that
> > to the user? I currently use openssl to download the certs and extract
> > the fingerprint.
> >
> > By the way, I use fetchmail > Postfix > Dovecot. I have never been able
> > to get fetchmail > Dovecot without using Postfix as the intermediary.
> >
> > I am open to any suggestions.
> But on a reread of the man page for fetchmail, I see no mention of a way
> to make such a failure verbose enough in the logs that it leaves a failure
> hint there. Perhaps it needs to "grow" such a reporting option?

Fetchmail leaves this error message in the logs:

fetchmail: pop.gmail.com fingerprints do not match!
fetchmail: OpenSSL reported: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from us...@gm...@pop.gmail.com
fetchmail: Query status=2 (SOCKET)

-- 
Jerry
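The log lines Jerry quotes are the only signal fetchmail gives when a pinned sslfingerprint stops matching, so the practical answer to his first question is a log watcher that turns them into a notice. The script below is an added example, not fetchmail's own code and not something posted in this thread. It groups fetchmail's mismatch, OpenSSL, socket-error and "Query status" lines into one failure record per host, looks up which accounts in the rc file pin that host (so the operator knows which sslfingerprint lines to touch), and formats the digest the way fetchmail expects. The sample log and rc text are constructed here (user1@example.com, user2@example.com); fetchmail's sslfingerprint value is the MD5 of the DER-encoded certificate in the colon-separated form `openssl x509 -noout -fingerprint -md5` prints, which is what fingerprint_from_der() reproduces. Note that fetchmail's man page also documents sslcertck with a CA bundle (sslcertfile/sslcertpath), which verifies the chain instead of pinning one short-lived leaf certificate; that is the setting I would check before automating fingerprint updates.

```python
"""Watch fetchmail log output for SSL fingerprint failures and build a notice.

Added example; not part of fetchmail or of the mailing-list thread.
Assumes fetchmail's default log wording (the lines quoted in the thread) and
that sslfingerprint is the MD5 of the DER certificate, colon-separated, upper
case (the format of `openssl x509 -noout -fingerprint -md5`).
"""
import hashlib
import re
import sys

# Constructed sample log: the thread's failure sequence with a made-up account,
# plus one normal line to show it is ignored.
SAMPLE_LOG = """\
fetchmail: pop.gmail.com fingerprints do not match!
fetchmail: OpenSSL reported: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from user1@example.com@pop.gmail.com
fetchmail: Query status=2 (SOCKET)
fetchmail: 3 messages for user2@example.com at pop.gmail.com (12345 octets).
"""

# Constructed rc fragment in the thread's layout; user2 pins nothing.
SAMPLE_RC = """\
user 'user1@example.com' there with password 'SECRET' options forcecr dropdelivered smtpname ssl sslcertpath /usr/local/etc/postfix/certs sslfingerprint '26:85:9C:DD:04:26:70:C2:20:0A:A0:A2:24:E4:CF:30'
user 'user2@example.com' there with password 'SECRET' options ssl
"""

MISMATCH_RE = re.compile(r"^fetchmail: (?P<host>\S+) fingerprints do not match!$")
OPENSSL_RE = re.compile(r"^fetchmail: OpenSSL reported: (?P<detail>.+)$")
# The account itself contains '@', so match greedily and split on the last one.
SOCKET_RE = re.compile(r"^fetchmail: socket error while fetching from (?P<account>.+)@(?P<host>[^@\s]+)$")
STATUS_RE = re.compile(r"^fetchmail: Query status=(?P<code>\d+) \((?P<name>\w+)\)$")
PIN_RE = re.compile(r"^user\s+'(?P<account>[^']+)'.*\bsslfingerprint\s+'(?P<fp>[0-9A-Fa-f:]+)'")


def scan_log(text):
    """Return one dict per fingerprint mismatch: host, OpenSSL detail, accounts, status."""
    failures = []
    current = None
    for line in text.splitlines():
        m = MISMATCH_RE.match(line)
        if m:
            current = {"host": m["host"], "detail": None, "accounts": [], "status": None}
            failures.append(current)
            continue
        if current is None:  # not inside a failure sequence
            continue
        m = OPENSSL_RE.match(line)
        if m:
            current["detail"] = m["detail"]
            continue
        m = SOCKET_RE.match(line)
        if m and m["host"] == current["host"]:
            current["accounts"].append(m["account"])
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = (int(m["code"]), m["name"])
            current = None  # "Query status" closes the record
    return failures


def pinned_fingerprints(rc_text):
    """Map account -> sslfingerprint for rc lines that pin one. Never echo the passwords."""
    pins = {}
    for line in rc_text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m["account"]] = m["fp"].upper()
    return pins


def fingerprint_from_der(der):
    """MD5 of a DER certificate in fetchmail's 'AA:BB:...' form."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_notice(failures, pins):
    """Human-readable text to mail to the operator; empty string when nothing failed."""
    lines = []
    for f in failures:
        lines.append(f"SSL fingerprint mismatch for {f['host']} (fetchmail status {f['status']})")
        if f["detail"]:
            lines.append(f"  OpenSSL: {f['detail']}")
        for acct in f["accounts"]:
            lines.append(f"  account {acct}: pinned {pins.get(acct, '(no sslfingerprint in rc)')}")
        lines.append("  action: re-check the server certificate and update sslfingerprint,"
                     " or verify the chain with sslcertck instead of pinning the leaf")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: fetchmail -v ... 2>&1 | python3 watch_fetchmail.py /path/to/fetchmailrc
    rc = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RC
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    notice = build_notice(scan_log(log), pinned_fingerprints(rc))
    if notice:
        print(notice)
```

To obtain the current fingerprint without fetchmailconf, the same openssl step Jerry already uses is `openssl s_client -connect pop.gmail.com:995 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -md5`; the value it prints is the one fetchmail compares against. Piping that notice into mail(1) or the local Postfix gives the immediate per-failure alert fetchmail itself does not send.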