Gentoo Archives: gentoo-user

From: meino.cramer@×××.de
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] fetchmail + certs = problems
Date: Sat, 02 Oct 2010 14:17:39
Message-Id: 20101002141701.GA12626@solfire
In Reply to: Re: [gentoo-user] fetchmail + certs = problems by Mick
Mick <michaelkintzios@×××××.com> [10-10-02 13:52]:
> On Saturday 02 October 2010 11:31:38 meino.cramer@×××.de wrote:
> > Hi,
> >
> > fetchmail's log told me that there is something wrong with the setup
> > of the certificates.
> >
> > In the log there is the following section:
> > fetchmail: Server certificate:
> > fetchmail: Issuer Organization: Thawte Consulting cc
> > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > fetchmail: Subject CommonName: pop.gmx.net
> > fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
> > fetchmail: Server certificate verification error: unable to get local issuer certificate
> > fetchmail: This means that the root signing certificate (issued for
> > /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted
> > CA certificate locations, or that c_rehash needs to be run on the
> > certificate directory. For details, please see the documentation of
> > --sslcertpath and --sslcertfile in the manual page.
> > fetchmail: Server certificate:
> > fetchmail: Issuer Organization: Thawte Consulting cc
> > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > fetchmail: Subject CommonName: pop.gmx.net
> > fetchmail: Server certificate verification error: certificate not trusted
> > fetchmail: Server certificate:
> > fetchmail: Issuer Organization: Thawte Consulting cc
> > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > fetchmail: Subject CommonName: pop.gmx.net
> > fetchmail: Server certificate verification error: unable to verify the first certificate
> > fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
> >
> >
> > Beforehand I did the following:
> >
> > From the output of this command
> > #> openssl s_client -connect pop.gmx.net:995 -showcerts
> >
> > I copied the section
> >
> > -----BEGIN CERTIFICATE-----
> > -----END CERTIFICATE-----
> >
> > into a file "pop.gmx.net.pem" and copied this file into
> > /etc/fetchmail/certs
> >
> > Then I downloaded the whole package of root certificates from here
> > https://www.verisign.com/support/thawte-roots.zip
> > unpacked it and copied each *.pem file into /etc/fetchmail/certs also.
> > I renamed the files with detox so that they do not contain blanks.
> >
> >
> > Then I ran as root the command
> > $> c_rehash /etc/fetchmail/certs
> >
> > I checked /etc/fetchmail/certs and found all files being symlinked to
> > something which looks like hash keys (?).
> >
> > c_rehash does not give any error message.
> >
> > After this I added below the poll section of my accounts in
> > $HOME/.fetchmailrc the following line:
> >
> > sslcertpath /etc/fetchmail/certs
> >
> > Nonetheless fetchmail complains about local certificates.
> >
> > What do I have to do to fix this?
> >
> > Best regards and thank you for any help in advance!
> > mcc
>
> Sendmail and I think fetchmail (haven't used the latter yet) do a strict check
> of certs against a local store. The error above tells you to add to your
> .fetchmailrc the option sslcertck. Did you do that?
>
> So your .fetchmailrc should show something like:
>
> user 'mcc@gmx_whatever.com' with pass "123456" is 'mcc' here options ssl
> sslcertck sslcertpath '/etc/fetchmail/certs'
>
> If you have done the above and it still does not work then the problem may be
> that the user you are running fetchmail as does not have read access to your
> /etc/fetchmail/certs. Change that to a ~/fetchmail/.certs and it should work.
>
> HTH.
> --
> Regards,
> Mick

Hi Mick,

thank you for your help. :)

I currently have this line in my .fetchmailrc (the rest is commented out).
This had worked until the ssl/cert showdown:

poll pop.gmx.net protocol pop3 user "Meino.Cramer@×××.de" password "<this is the password>" mda "/usr/bin/procmail -d %T"

On the net and in your post I found a totally different syntax... so
it seems that I have lived behind the moon for a long time and didn't
get all the new syntax changes to fetchmail ;)

I changed the above line to
poll pop.gmx.net protocol pop3 user "Meino.Cramer@×××.de" password "<this is the password>" mda "/usr/bin/procmail -d %T" options ssl
sslcertck sslcertpath '/etc/fetchmail/certs'

which, with
fetchmail -v
results in
fetchmail: 6.3.17 querying pop.gmx.net (protocol POP3) at Sat Oct 2 16:12:51 2010: poll started
Trying to connect to 212.227.17.185/995...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Premium Server CA
fetchmail: Subject CommonName: pop.gmx.net
fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
17550:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:982:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from Meino.Cramer@×××.de@pop.gmx.net
fetchmail: 6.3.17 querying pop.gmx.net (protocol POP3) at Sat Oct 2 16:12:51 2010: poll completed
fetchmail: Query status=2 (SOCKET)
fetchmail: normal termination, status 2

ls -l /etc/fetchmail/certs:
total 44
lrwxrwxrwx 1 root root 30 Oct 2 12:10 09ca81a7.0 -> Thawte_Personal_Premium_CA.pem
lrwxrwxrwx 1 root root 26 Oct 2 12:10 2e4eed3c.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root 28 Oct 2 12:10 3a7f6b22.0 -> Thawte_Personal_Basic_CA.pem
lrwxrwxrwx 1 root root 50 Oct 2 12:10 415660c1.0 -> Class_3_Public_Primary_Certification_Authority.pem
lrwxrwxrwx 1 root root 31 Oct 2 12:10 64d1f6f4.0 -> Thawte_Personal_Freemail_CA.pem
lrwxrwxrwx 1 root root 31 Oct 2 12:10 64d1f6f4.1 -> thawte_Personal_Freemail_CA.pem
lrwxrwxrwx 1 root root 20 Oct 2 12:10 6cc3c4c3.0 -> Thawte_Server_CA.pem
lrwxrwxrwx 1 root root 28 Oct 2 12:10 98ec67f0.0 -> Thawte_Premium_Server_CA.pem
lrwxrwxrwx 1 root root 26 Oct 2 12:10 9e6afd31.0 -> Thawte_Timestamping_CA.pem
-rw-r--r-- 1 root root 833 Oct 2 12:06 Class_3_Public_Primary_Certification_Authority.pem
-rw-r--r-- 1 root root 1167 Oct 2 12:06 Thawte_Personal_Basic_CA.pem
-rw-r--r-- 1 root root 1183 Oct 2 12:06 Thawte_Personal_Freemail_CA.pem
-rw-r--r-- 1 root root 1175 Oct 2 12:06 Thawte_Personal_Premium_CA.pem
-rw-r--r-- 1 root root 1175 Oct 2 12:06 Thawte_Premium_Server_CA.pem
-rw-r--r-- 1 root root 1146 Oct 2 12:06 Thawte_Server_CA.pem
-rw-r--r-- 1 root root 992 Oct 2 12:06 Thawte_Timestamping_CA.pem
lrwxrwxrwx 1 root root 33 Oct 2 12:10 c089bbbd.0 -> thawte_Primary_Root_CA-G2_ECC.pem
lrwxrwxrwx 1 root root 15 Oct 2 12:10 ec4e2774.0 -> pop.gmx.net.pem
-rw-r--r-- 1 root root 1213 Oct 2 12:10 pop.gmx.net.pem
-rw-r--r-- 1 root root 1164 Oct 2 12:06 thawte_Personal_Freemail_CA.pem
-rw-r--r-- 1 root root 939 Oct 2 12:06 thawte_Primary_Root_CA-G2_ECC.pem
-rw-r--r-- 1 root root 1493 Oct 2 12:06 thawte_Primary_Root_CA.pem

everything is world-readable...

Finally I did a fetchmail --version which gave me:
This is fetchmail release 6.3.17+RPA+NTLM+SDPS+SSL+NLS.

Copyright (C) 2002, 2003 Eric S. Raymond
Copyright (C) 2004 Matthias Andree, Eric S. Raymond,
Robert M. Funk, Graham Wilson
Copyright (C) 2005 - 2006, 2010 Sunil Shetye
Copyright (C) 2005 - 2010 Matthias Andree
Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and you
are welcome to redistribute it under certain conditions. For details,
please see the file COPYING in the source or documentation directory.

Fallback MDA: (none)
Linux solfire 2.6.35.7 #2 SMP PREEMPT Thu Sep 30 14:29:29 CEST 2010 x86_64 AMD Phenom(tm) II X6 1090T Processor AuthenticAMD GNU/Linux
Taking options from command line and /home/mccramer/.fetchmailrc
Idfile is /home/mccramer/.fetchids
Fetchmail will forward misaddressed multidrop messages to mccramer.
Options for retrieving from Meino.Cramer@×××.de@pop.gmx.net:
True name of server is pop.gmx.net.
Protocol is POP3.
All available authentication methods will be tried.
SSL encrypted sessions enabled.
SSL server certificate checking enabled.
SSL trusted certificate directory: /etc/fetchmail/certs
Server nonresponse timeout is 300 seconds (default).
Default mailbox selected.
Only new messages will be retrieved (--all off).
Fetched messages will not be kept on the server (--keep off).
Old messages will not be flushed before message retrieval (--flush off).
Oversized messages will not be flushed before message retrieval (--limitflush off).
Rewrite of server-local addresses is enabled (--norewrite off).
Carriage-return stripping is enabled (stripcr on).
Carriage-return forcing is disabled (forcecr off).
Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
MIME decoding is disabled (mimedecode off).
Idle after poll is disabled (idle off).
Nonempty Status lines will be kept (dropstatus off)
Delivered-To lines will be kept (dropdelivered off)
Fetch message size limit is 100 (--fetchsizelimit 100).
Do binary search of UIDs during 3 out of 4 polls (--fastuidl 4).
Messages will be delivered with "/usr/bin/procmail -d %T".
Single-drop mode: 1 local name recognized.
No UIDs saved from this host.

I have no clue whether the certs are not accepted...

What did I do wrong?

Best regards
mcc
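The lookup that fails in the log above, reproduced and then repaired, as an added example that is not part of the thread: it assumes a POSIX shell with openssl on the PATH and uses a constructed throwaway CA ("Example Test CA") and server name (pop.example.test) in place of Thawte and pop.gmx.net. It shows why copying the server's own certificate into the sslcertpath directory does not help: OpenSSL looks there for a file named after the hash of the server certificate's *issuer*, which is what c_rehash creates for each CA file.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Names are constructed.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
certs="$work/certs"                 # stands in for /etc/fetchmail/certs
mkdir -p "$certs"

# Constructed PKI: a CA and a server certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
  -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
  -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
  -CAcreateserial -days 1 -out "$work/leaf.pem" >/dev/null 2>&1

# The same question fetchmail puts to OpenSSL with sslcertck + sslcertpath:
# can the server certificate be chained to something in the hashed directory?
verify_leaf() {
  if openssl verify -CApath "$certs" "$work/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Hash-link one PEM file the way c_rehash does: <subject_hash>.0 -> file
rehash_one() {
  ln -sf "$1" "$certs/$(openssl x509 -noout -subject_hash -in "$certs/$1").0"
}

demo() {
  # 1. Only the server's own certificate in the directory, as the poster did.
  cp "$work/leaf.pem" "$certs/"
  rehash_one leaf.pem
  before=$(verify_leaf)
  # Diagnosis: OpenSSL wants <issuer_hash>.N, which is not the leaf's own hash.
  need=$(openssl x509 -noout -issuer_hash -in "$work/leaf.pem")
  if [ -e "$certs/$need.0" ]; then present=yes; else present=no; fi
  # 2. Add the issuing CA and rehash it; now the lookup succeeds.
  cp "$work/ca.pem" "$certs/"
  rehash_one ca.pem
  after=$(verify_leaf)
  echo "before=$before issuer_present=$present after=$after"
}

result=$(demo)
echo "$result"
```

Running the same issuer_hash check against the real server certificate tells you immediately which file name the trust directory must contain.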
