Menu
▾
▴
Re: [Fetchmail-users] Constantly changing ssl fingerprints
|
From: Martin K. <mk...@gm...> - 2015-01-25 18:48:27
|
Hi Jerry, >>>> I have several users here that use Google's "gmail". Google has >>>> been changing their SSL certificate on a nearly monthly basis. >>>> This causes havoc with our mail system. >>>> >>>> Fetchmail is configured to fetch mail from 11 different "gmail" >>>> accounts. Each account has a different "user name" and "password". >>>> The config line in the global fetchmailrc file read like this: >>>> >>>> user 'us...@gm...' there with password 'SECRET' options forcecr >>>> dropdelivered smtpname ssl sslcertpath /usr/local/etc/postfix/certs >>>> sslfingerprint '26:85:9C:DD:04:26:70:C2:20:0A:A0:A2:24:E4:CF:30' why socomplicated? I use this snippet: defaults: proto pop3 timeout 300 sslproto 'TLS1' ssl sslcertfile /usr/ssl/certs/ca-bundle.trust.crt sslcertck limit 50000000 warnings 86400 As pop.google.com has an "official" certificate, there is no need for a fingerprint check. Just let fetchmail know your root ca certs. I only use sslfingerprint for self-signed certs, as an override where root ca cert verification fails. You don't seem to use sslcertck, but better you should. Martin |
