From: Jon B. <bri...@nm...> - 2022-03-12 07:51:12
Without the certificates extracted from the output of the command:

    openssl s_client -connect imap.mail.me.com:993 -showcerts

or with the Mozilla root certificates, available from
https://curl.se/docs/caextract.html, fetchmail says:

fetchmail: Server certificate verification error: self signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fetchmail: imap.mail.me.com: SSL connection failed.
fetchmail: socket error while fetching from <name>@imap.mail.me.com
fetchmail: Query status=2 (SOCKET)

The certificate chain is:

depth=2 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=1 CN = Apple Public Server RSA CA 12 - G1, O = Apple Inc., ST = California, C = US
verify return:1
depth=0 CN = imap.mail.me.com, OU = management:idms.group.859635, O = Apple Inc., ST = California, C = US
verify return:1

Also see:
https://support.plesk.com/hc/en-us/articles/213961665-How-to-verify-that-SSL-for-IMAP-POP3-SMTP-works-and-a-proper-SSL-certificate-is-in-use

for example:
https://www.sslshopper.com/ssl-checker.html#hostname=imap.mail.me.com:993

On Sat, Mar 12, 2022 at 01:06:32AM +0100, Matthias Andree wrote:
>
> On 11.03.22 at 22:59, Jon Brinkmann wrote:
> > Thanks!
> >
> > I got it working, with one additional step. The depth=2 SSL certificate for
> > icloud.com is self-signed, so fetchmail refuses the SSL connection. I found
> > the solution at:
> >
> > https://geekmush.wordpress.com/2007/06/29/how-to-make-fetchmail-happy-with-the-servers-ssl-cert/
>
> Congratulations, you have just installed some attacker's CA
> certificates. That is not a solution, but unsafe garbage.
>
> Please everyone remove the certificates you have installed that way.
>
> Instead, install your distribution's default Mozilla certificate
> package. Depending on your distribution, it might be called
> ca-certificates or ca_root_nss or similar.
>
> Explanation:
>
> The root CA certificate (Equifax's in that example on the website) MUST
> be obtained via a SECURE separate channel and NOT from the connection.
> There are SSL tools (for instance, SSLsplit) that will generate such CA
> certificates on the fly to crack the encrypted connection and you could
> not tell from the name that this is happening. This is typical for
> anti-virus/web security gateways/firewalls and of course also in
> malicious attacks.
>
> _______________________________________________
> Fetchmail-users mailing list
> Fet...@li...
> https://lists.sourceforge.net/lists/listinfo/fetchmail-users