From: Peter P. <ro...@ri...> - 2020-07-02 18:45:12
On Thu, Jul 02, 2020 at 08:28:15AM -0500, Ranjan Maitra wrote:
> Hi,
>
> Here is my .fetchmailrc
>
> set daemon 301
> poll pop.gmx.com
> protocol POP3
> service 995
> authenticate password
> user "use...@gm..."
> ssl
> sslfingerprint "5C:6B:60:FE:80:97:0B:13:EB:36:A3:66:48:28:7A:61:5E:B2:25:DA"
> mda 'procmail -d %s'
> keep
>
> So, it worked fine till last night, but since this morning, this has not been working. Here is what I get:
>
> $ fetchmail -c
> fetchmail: pop.gmx.com fingerprints do not match!
> fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
> fetchmail: pop.gmx.com: SSL connection failed.
> fetchmail: socket error while fetching from use...@gm...@pop.gmx.com
>
>
> Here is how I verified my fingerprint:
>
> ~$ openssl s_client -servername gmx.com -connect pop.gmx.com:995 | openssl x509 -fingerprint -noout
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
> verify return:1
> depth=0 C = DE, ST = Rheinland-Pfalz, L = Montabaur, O = 1&1 Mail & Media GmbH, CN = mout.gmx.com
> verify return:1
> SHA1 Fingerprint=5C:6B:60:FE:80:97:0B:13:EB:36:A3:66:48:28:7A:61:5E:B2:25:DA
>
> Any suggestions as to what I am doing wrong?
>
> I am on F32 (fully updated) which has fetchmail-6.4.1 and openssl-1:1.1.1g.

It seems that gmx.com have deployed the certificates for "mout.gmx.com" on the services that listen for connections on the addresses for "pop.gmx.com". The "CN = mout.gmx.com" part says "this certificate has been issued to the mout.gmx.com server", and fetchmail is (rightly) concerned about the hostname pop.gmx.com not being the same as that.

The real solution to the problem would be to let GMX know so that they can deploy the correct certificate.

A workaround so that you may fetch your e-mail today would be to explicitly specify

  sslcommonname mout.gmx.com

...or something similar in your fetchmail configuration, so that it knows to expect a certificate issued to a different host than the one it thinks it's connecting to.

G'luck,
Peter

-- 
Peter Pentchev  ro...@ri... ro...@de... pp...@st...
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
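
The hostname check discussed in the reply above, as an added example that is not part of the original message and is not fetchmail's or OpenSSL's code. It assumes the certificate is given in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; both sample certificates are constructed, and the SAN list in the second one is hypothetical, not the real GMX certificate.

```python
"""Name check a TLS client applies to a server certificate (RFC 6125 style)."""

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the hostname the client dialled."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label and must be
        # followed by at least two more labels ("*.com" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def names_in_cert(cert: dict):
    """Return (source, names): DNS SAN entries win, CN is only a fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return "subjectAltName", sans
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return "commonName", cns

def check_host(cert: dict, hostname: str):
    """Return (ok, source, names) for the given certificate and hostname."""
    source, names = names_in_cert(cert)
    ok = any(dns_name_matches(n, hostname) for n in names)
    return ok, source, names

# Constructed sample 1: only the CN shown in the openssl output above.
CN_ONLY = {"subject": ((("commonName", "mout.gmx.com"),),)}
# Constructed sample 2: same CN plus a hypothetical SAN list.
WITH_SAN = {
    "subject": ((("commonName", "mout.gmx.com"),),),
    "subjectAltName": (("DNS", "mout.gmx.com"), ("DNS", "pop.gmx.com")),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN)):
        ok, source, names = check_host(cert, "pop.gmx.com")
        verdict = "match" if ok else "MISMATCH"
        print(f"{label:9} pop.gmx.com -> {verdict} via {source}: {names}")
```

The `depth=0` line printed by `openssl s_client` shows only the subject, so the SAN list has to be read separately (for example from `openssl x509 -noout -text`) before concluding that a name is or is not covered.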