Mick <michaelkintzios@×××××.com> [10-10-02 13:52]:
> On Saturday 02 October 2010 11:31:38 meino.cramer@×××.de wrote:
> > Hi,
> >
> > fetchmail's log told me that there is something wrong with the setup
> > of the certificates.
> >
> > In the log there is the following section
> > fetchmail: Server certificate:
> > fetchmail: Issuer Organization: Thawte Consulting cc
> > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > fetchmail: Subject CommonName: pop.gmx.net
> > fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
> > fetchmail: Server certificate verification error: unable to get local issuer certificate
> > fetchmail: This means that the root signing certificate (issued for
> > /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted
> > CA certificate locations, or that c_rehash needs to be run on the
> > certificate directory. For details, please see the documentation of
> > --sslcertpath and --sslcertfile in the manual page.
> > fetchmail: Server certificate:
> > fetchmail: Issuer Organization: Thawte Consulting cc
> > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > fetchmail: Subject CommonName: pop.gmx.net
> > fetchmail: Server certificate verification error: certificate not trusted
> > fetchmail: Server certificate:
> > fetchmail: Issuer Organization: Thawte Consulting cc
> > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > fetchmail: Subject CommonName: pop.gmx.net
> > fetchmail: Server certificate verification error: unable to verify the first certificate
> > fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
> >
> >
> > Beforehand I did the following:
> >
> > From the output of this command
> > #> openssl s_client -connect pop.gmx.net:995 -showcerts
> >
> > I copied the section
> >
> > -----BEGIN CERTIFICATE-----
> > MIIDUzCCArygAwIBAgIQDNZUbIDJ5EM+DVSd5AzXOjANBgkqhkiG9w0BAQUFADCB
> > zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
> > Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE
> > CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh
> > d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
> > cnZlckB0aGF3dGUuY29tMB4XDTEwMDQyMjAwMDAwMFoXDTEzMDUwOTIzNTk1OVow
> > WDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjEPMA0GA1UEBxQGTXVuaWNo
> > MREwDwYDVQQKFAhHTVggR21iSDEUMBIGA1UEAxQLcG9wLmdteC5uZXQwgZ8wDQYJ
> > KoZIhvcNAQEBBQADgY0AMIGJAoGBAMu3VYZP3YqpNweeIp+zIYtAlYL9Nya5hq6j
> > k+ShUtukV1746nqJto70+4oNhCYJ33mMw+vS5fODjuggG+Z1xcL5YU8mUyG2E7fH
> > YkfNtHHMhRntN15ml7Kv3c52kmOI09r2psnlNPkkNx5shneON8jZfXYlqQq5Vq1l
> > Hz+jEjFrAgMBAAGjgaYwgaMwDAYDVR0TAQH/BAIwADBABgNVHR8EOTA3MDWgM6Ax
> > hi9odHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlU2VydmVyUHJlbWl1bUNBLmNy
> > bDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYIKwYBBQUHAQEEJjAk
> > MCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMA0GCSqGSIb3DQEB
> > BQUAA4GBAF/BVQRh2QOAtH8491d2XIKqdRZNY4OUMh6qccb0xLGNTDx3E4iwoYHc
> > yi2axElQG+7VAEIbDftzfhVUttsPwLI0BM2Nvz6KkwnlrJmt9HuZOjyv9M6szCxX
> > jHqVXkTDtrvRzT3hHTLD63l4PAqAUDpR4Th4N23IyxpgVqmYZwoJ
> > -----END CERTIFICATE-----
> >
> > into a file "pop.gmx.net.pem" and copied this file into
> > /etc/fetchmail/certs
> >
> > Then I downloaded the whole package of root certificates from here
> > https://www.verisign.com/support/thawte-roots.zip
> > unpacked it and copied each *.pem file into /etc/fetchmail/certs also.
> > I renamed the files with detox so that they do not contain blanks.
> >
> >
> > Then I ran as root the command
> > $> c_rehash /etc/fetchmail/certs
> >
> > I checked /etc/fetchmail/certs and found all files being symlinked to
> > something which looks like hash keys (?).
> >
> > c_rehash does not emit any error message.
> >
> > After this I added below the poll section of my accounts in
> > $HOME/.fetchmailrc the following line:
> >
> > sslcertpath /etc/fetchmail/certs
> >
> > Nonetheless fetchmail complains about local certificates.
> >
> > What do I have to do to fix this?
> >
> > Best regards and thank you for any help in advance!
> > mcc
>
> Sendmail and I think fetchmail (haven't used the latter yet) do a strict check
> of certs against a local store. The error above tells you to add to your
> .fetchmailrc the option of sslcertck. Did you do that?
>
> So your .fetchmailrc should show something like:
>
> user 'mcc@gmx_whatever.com' with pass "123456" is 'mcc' here options ssl
> sslcertck sslcertpath '/etc/fetchmail/certs'
>
> If you have done the above and it still does not work then the problem may be
> that the user you are running fetchmail as does not have read access to your
> /etc/fetchmail/certs. Change that to a ~/fetchmail/.certs and it should work.
>
> HTH.
> --
> Regards,
> Mick

Hi Mick,

thank you for your help. :)

I currently have this line in my .fetchmailrc (the rest is commented out).
This had worked until the ssl/cert showdown:

poll pop.gmx.net protocol pop3 user "Meino.Cramer@×××.de" password "<this is the password>" mda "/usr/bin/procmail -d %T"

On the net and in your post I found a totally different syntax... so
it seems that I have lived behind the moon for a long time; I didn't
get all the new syntax changes in fetchmail ;)

I changed the above line to
poll pop.gmx.net protocol pop3 user "Meino.Cramer@×××.de" password "<this is the password>" mda "/usr/bin/procmail -d %T" options ssl
sslcertck sslcertpath '/etc/fetchmail/certs'

which results with
fetchmail -v
in
fetchmail: 6.3.17 querying pop.gmx.net (protocol POP3) at Sat Oct 2 16:12:51 2010: poll started
Trying to connect to 212.227.17.185/995...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Premium Server CA
fetchmail: Subject CommonName: pop.gmx.net
fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
17550:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:982:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from Meino.Cramer@×××.de@pop.gmx.net
fetchmail: 6.3.17 querying pop.gmx.net (protocol POP3) at Sat Oct 2 16:12:51 2010: poll completed
fetchmail: Query status=2 (SOCKET)
fetchmail: normal termination, status 2

ls -l /etc/fetchmail/certs:
total 44
lrwxrwxrwx 1 root root 30 Oct 2 12:10 09ca81a7.0 -> Thawte_Personal_Premium_CA.pem
lrwxrwxrwx 1 root root 26 Oct 2 12:10 2e4eed3c.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root 28 Oct 2 12:10 3a7f6b22.0 -> Thawte_Personal_Basic_CA.pem
lrwxrwxrwx 1 root root 50 Oct 2 12:10 415660c1.0 -> Class_3_Public_Primary_Certification_Authority.pem
lrwxrwxrwx 1 root root 31 Oct 2 12:10 64d1f6f4.0 -> Thawte_Personal_Freemail_CA.pem
lrwxrwxrwx 1 root root 31 Oct 2 12:10 64d1f6f4.1 -> thawte_Personal_Freemail_CA.pem
lrwxrwxrwx 1 root root 20 Oct 2 12:10 6cc3c4c3.0 -> Thawte_Server_CA.pem
lrwxrwxrwx 1 root root 28 Oct 2 12:10 98ec67f0.0 -> Thawte_Premium_Server_CA.pem
lrwxrwxrwx 1 root root 26 Oct 2 12:10 9e6afd31.0 -> Thawte_Timestamping_CA.pem
-rw-r--r-- 1 root root 833 Oct 2 12:06 Class_3_Public_Primary_Certification_Authority.pem
-rw-r--r-- 1 root root 1167 Oct 2 12:06 Thawte_Personal_Basic_CA.pem
-rw-r--r-- 1 root root 1183 Oct 2 12:06 Thawte_Personal_Freemail_CA.pem
-rw-r--r-- 1 root root 1175 Oct 2 12:06 Thawte_Personal_Premium_CA.pem
-rw-r--r-- 1 root root 1175 Oct 2 12:06 Thawte_Premium_Server_CA.pem
-rw-r--r-- 1 root root 1146 Oct 2 12:06 Thawte_Server_CA.pem
-rw-r--r-- 1 root root 992 Oct 2 12:06 Thawte_Timestamping_CA.pem
lrwxrwxrwx 1 root root 33 Oct 2 12:10 c089bbbd.0 -> thawte_Primary_Root_CA-G2_ECC.pem
lrwxrwxrwx 1 root root 15 Oct 2 12:10 ec4e2774.0 -> pop.gmx.net.pem
-rw-r--r-- 1 root root 1213 Oct 2 12:10 pop.gmx.net.pem
-rw-r--r-- 1 root root 1164 Oct 2 12:06 thawte_Personal_Freemail_CA.pem
-rw-r--r-- 1 root root 939 Oct 2 12:06 thawte_Primary_Root_CA-G2_ECC.pem
-rw-r--r-- 1 root root 1493 Oct 2 12:06 thawte_Primary_Root_CA.pem

everything is world readable...

Finally I did a fetchmail --version which gave me:
This is fetchmail release 6.3.17+RPA+NTLM+SDPS+SSL+NLS.

Copyright (C) 2002, 2003 Eric S. Raymond
Copyright (C) 2004 Matthias Andree, Eric S. Raymond,
Robert M. Funk, Graham Wilson
Copyright (C) 2005 - 2006, 2010 Sunil Shetye
Copyright (C) 2005 - 2010 Matthias Andree
Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you
are welcome to redistribute it under certain conditions. For details,
please see the file COPYING in the source or documentation directory.

Fallback MDA: (none)
Linux solfire 2.6.35.7 #2 SMP PREEMPT Thu Sep 30 14:29:29 CEST 2010 x86_64 AMD Phenom(tm) II X6 1090T Processor AuthenticAMD GNU/Linux
Taking options from command line and /home/mccramer/.fetchmailrc
Idfile is /home/mccramer/.fetchids
Fetchmail will forward misaddressed multidrop messages to mccramer.
Options for retrieving from Meino.Cramer@×××.de@pop.gmx.net:
True name of server is pop.gmx.net.
Protocol is POP3.
All available authentication methods will be tried.
SSL encrypted sessions enabled.
SSL server certificate checking enabled.
SSL trusted certificate directory: /etc/fetchmail/certs
Server nonresponse timeout is 300 seconds (default).
Default mailbox selected.
Only new messages will be retrieved (--all off).
Fetched messages will not be kept on the server (--keep off).
Old messages will not be flushed before message retrieval (--flush off).
Oversized messages will not be flushed before message retrieval (--limitflush off).
Rewrite of server-local addresses is enabled (--norewrite off).
Carriage-return stripping is enabled (stripcr on).
Carriage-return forcing is disabled (forcecr off).
Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
MIME decoding is disabled (mimedecode off).
Idle after poll is disabled (idle off).
Nonempty Status lines will be kept (dropstatus off)
Delivered-To lines will be kept (dropdelivered off)
Fetch message size limit is 100 (--fetchsizelimit 100).
Do binary search of UIDs during 3 out of 4 polls (--fastuidl 4).
Messages will be delivered with "/usr/bin/procmail -d %T".
Single-drop mode: 1 local name recognized.
No UIDs saved from this host.

I have no clue why the certs are not accepted...

What did I do wrong?

Best regards
mcc
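The script below is an added example and is not part of this thread or of fetchmail. It reproduces, offline, the "unable to get local issuer certificate" verdict that both messages above quote, using a throwaway three-level PKI (root CA, intermediate CA, server leaf) built on the spot, and it shows what the `<hash>.N` symlinks that c_rehash produces are actually used for: OpenSSL only finds a certificate in a sslcertpath-style directory through such a link. It assumes only the openssl command-line tool; every name in it (Example Root CA, Example Intermediate CA, pop.example.test, the work directory) is made up, and the rehash function is a hand-written equivalent of c_rehash, not the real script.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce fetchmail's
# "unable to get local issuer certificate" offline with a throwaway
# PKI (root CA -> intermediate CA -> leaf) and show what the c_rehash
# hash links are for. Assumes only the openssl command-line tool.
# Every name here (Example Root CA, pop.example.test, ...) is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERTS="$WORK/certs"

# Minimal openssl config so the example does not depend on the
# system openssl.cnf; -subj overrides the placeholder DN.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

# Generate root.pem (self-signed), int.pem (signed by root) and
# leaf.pem for pop.example.test (signed by the intermediate).
make_pki() {
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -sha256 -days 30 \
    -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=Example Intermediate CA' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_ca -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=pop.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null
}

# Subject hash that OpenSSL looks up in a CApath directory. It must be
# computed by the same OpenSSL generation as the program doing the
# lookup (0.9.8 and 1.0+ hash differently; see -subject_hash_old).
cert_hash() { openssl x509 -noout -hash -in "$1"; }

# Hand-written equivalent of c_rehash: one <hash>.<n> symlink per
# certificate, <n> counting up on collisions (cf. 64d1f6f4.0 / .1 above).
rehash_dir() {
  dir=$1
  find "$dir" -maxdepth 1 -type l -name '*.[0-9]*' -exec rm -f {} +
  for pem in "$dir"/*.pem; do
    [ -e "$pem" ] || continue
    h=$(cert_hash "$pem"); n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$pem")" "$dir/$h.$n"
  done
}

# Directory lookup of the kind sslcertpath hands to OpenSSL; prints
# the verdict and returns openssl's exit status.
verify_leaf() { openssl verify -CApath "$1" "$2" 2>&1; }

run_demo() {
  make_pki
  mkdir -p "$CERTS"

  # 1. Only the root is installed, as with a bare "roots" bundle.
  cp "$WORK/root.pem" "$CERTS/"
  rehash_dir "$CERTS"
  if MISSING_OUT=$(verify_leaf "$CERTS" "$WORK/leaf.pem"); then MISSING_RC=0; else MISSING_RC=$?; fi
  printf '[root only]    rc=%s\n%s\n' "$MISSING_RC" "$MISSING_OUT"

  # 2. Intermediate copied in but no hash link yet: still not found.
  cp "$WORK/int.pem" "$CERTS/"
  if UNHASHED_OUT=$(verify_leaf "$CERTS" "$WORK/leaf.pem"); then UNHASHED_RC=0; else UNHASHED_RC=$?; fi
  printf '[no rehash]    rc=%s\n%s\n' "$UNHASHED_RC" "$UNHASHED_OUT"

  # 3. After rehash the chain leaf -> intermediate -> root closes.
  rehash_dir "$CERTS"
  if CHAIN_OUT=$(verify_leaf "$CERTS" "$WORK/leaf.pem"); then CHAIN_RC=0; else CHAIN_RC=$?; fi
  printf '[after rehash] rc=%s\n%s\n' "$CHAIN_RC" "$CHAIN_OUT"

  # MD5 certificate fingerprint: the value fetchmail's log shows as
  # "key fingerprint", which its sslfingerprint option can pin.
  LEAF_MD5=$(openssl x509 -noout -fingerprint -md5 -in "$WORK/leaf.pem")
  printf '%s\n' "$LEAF_MD5"
}

run_demo
```

Step 2 is the part worth keeping in mind when a directory like the one listed above "looks right": a certificate file is invisible to the lookup until it has a `<hash>.N` link, and that link has to carry the hash the OpenSSL library fetchmail is linked against computes, so run c_rehash (or `openssl rehash` on newer OpenSSL) from the same installation. The certificate that `openssl s_client -showcerts` prints first is the server's own leaf; the issuer that "unable to get local issuer certificate" refers to is the one that signed it, which is the certificate whose subject matches the logged Issuer CommonName.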