From: Gene H. <ghe...@wd...> - 2015-01-25 17:39:00
On Sunday 25 January 2015 12:22:58 Jerry did opine
And Gene did reply:
> On Sun, 25 Jan 2015 11:40:50 -0500, Gene Heskett stated:
> > On Sunday 25 January 2015 08:48:28 Jerry did opine
> >
> > And Gene did reply:
> > > I do not know if there is an easy way around this problem, so I
> > > thought I would simply ask for assistance.
> > >
> > > I have several users here that use Google's "gmail". Google has
> > > been changing their SSL certificate on a nearly monthly basis.
> > > This causes havoc with our mail system.
> > >
> > > Fetchmail is configured to fetch mail from 11 different "gmail"
> > > accounts. Each account has a different "user name" and "password".
> > > The config line in the global fetchmailrc file read like this:
> > >
> > > user 'us...@gm...' there with password 'SECRET' options forcecr
> > > dropdelivered smtpname ssl sslcertpath /usr/local/etc/postfix/certs
> > > sslfingerprint '26:85:9C:DD:04:26:70:C2:20:0A:A0:A2:24:E4:CF:30'
> > >
> > > Every time Google changes certs, I have to get their new
> > > fingerprint and change it on all of the gmail accounts. Fetchmail
> > > does not send a notice to the user that SSL has failed. Therefore,
> > > it is sometimes a day or two before anyone actually knows it has
> > > happened. That is rare though. Most of the time they realize it
> > > after not receiving any mail for 24 hours.
> > >
> > > My questions are:
> > >
> > > 1) Is it possible to configure fetchmail to send an error notice to
> > > the user immediately if an ssl error has occurred?
> > >
> > > 2) How else could I configure fetchmail to simply not check the
> > > fingerprint?
> > >
> > > I did notice that "fetchmailconf" will print out the new
> > > fingerprint when used to access gmail. Is there a way to have
> > > fetchmail send that to the user? I currently use openssl to
> > > download the certs and extract the fingerprint.
> > >
> > > By the way, I use fetchmail > Postfix > Dovecot. I have never been
> > > able to get fetchmail > Dovecot without using Postfix as the
> > > intermediary.
> > >
> > > I am open to any suggestions?
> >
> > But on a reread of the man page for fetchmail, I see no mention of a
> > way to make such a failure verbose enough in the logs that it leaves
> > a failure hint there. Perhaps it needs to "grow" such a reporting
> > option?
>
> Fetchmail leaves this error message in the logs:
>
> fetchmail: pop.gmail.com fingerprints do not match!
> fetchmail: OpenSSL reported: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from
> us...@gm...@pop.gmail.com
> fetchmail: Query status=2 (SOCKET)

That is very similar to what I saw at the time. Then it went away for a
couple weeks then came back and I just quit polling it. I'd long since
moved all my mailing lists subs off it, mainly due to their duplicate
policy. It's not open for discussion, I tried. So I just moved everything
back to my lifetime account on a qmail server at the tv station. Lots
more spam but hey, it also Just Works(TM).

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
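One way to get the prompt notice asked about in question 1, as an added example that is not part of the original thread and not fetchmail's own code: scan the fetchmail log for the "fingerprints do not match!" sequence quoted above and build one notice per affected account. The function names, the sample account names and the "No mail" line are assumptions made for the example.

```python
import re

# Constructed sample log modeled on the messages quoted in the thread;
# account names are placeholders and the "No mail" line is illustrative.
SAMPLE_LOG = """\
fetchmail: pop.gmail.com fingerprints do not match!
fetchmail: OpenSSL reported: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from user1@example.invalid@pop.gmail.com
fetchmail: Query status=2 (SOCKET)
fetchmail: No mail for user2@example.invalid at pop.gmail.com
fetchmail: pop.gmail.com fingerprints do not match!
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from user3@example.invalid@pop.gmail.com
"""

MISMATCH = re.compile(r"^fetchmail: (\S+) fingerprints do not match!")
OPENSSL = re.compile(r"^fetchmail: OpenSSL reported: (.+)$")
SOCKERR = re.compile(r"^fetchmail: socket error while fetching from (\S+)$")

def find_pin_failures(lines):
    """Return one record per account whose poll failed after a fingerprint mismatch."""
    failures, pending = [], None
    for line in lines:
        line = line.strip()
        m = MISMATCH.match(line)
        if m:
            pending = {"host": m.group(1), "detail": None}
            continue
        if pending is None:
            continue  # socket errors without a preceding mismatch are not pin failures
        m = OPENSSL.match(line)
        if m:
            pending["detail"] = m.group(1)
            continue
        m = SOCKERR.match(line)
        if m:
            # The account name itself contains '@', so split on the last one.
            account, _, host = m.group(1).rpartition("@")
            if host == pending["host"]:
                failures.append({"account": account, **pending})
            pending = None
    return failures

def format_notice(f):
    # Text suitable for mailing to the owner of the affected account.
    return (f"fetchmail stopped polling {f['account']} at {f['host']}: the server "
            f"certificate no longer matches the pinned sslfingerprint "
            f"({f['detail'] or 'no OpenSSL detail logged'}).")
```

Run from cron over the fetchmail log, each notice can be mailed to the owner of the affected account as soon as the pinned fingerprint stops matching.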