Thursday, December 28, 2006

Configuring fetchmail to work with gmail

Gmail serves POP3 over SSL (port 995), so the messages you fetch are encrypted in transit. To let fetchmail verify that it is really talking to Gmail, you need a certificate to check the server against. Any legitimately obtained certificate will do; here we grab Google's own certificate and use it for authentication.

  1. Get Gmail's own certificate:
    $ openssl s_client -connect pop.gmail.com:995 -showcerts
    which outputs something like the following:
    CONNECTED(00000003)
    depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
      i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    -----BEGIN CERTIFICATE-----
    MIIC3TCCAkagAwIBAgIDBZIAMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
    MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
    aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDUxMTE1MjEyMjQ0WhcNMDcxMTE2MjEyMjQ0
    WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN
    TW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4xFjAUBgNVBAMTDXBv
    cC5nbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMP8LCYiLGJ/
    RihwcOi1V/zHVTw0Gfu+mI141Vjuuj2DtQoav8emwlXbu8gZoKP9GeMWpX1Vo9qN
    4gkslIToHmDnIwGjcaEAfpdhSR9g54Kf5Y7BEXVyco6mTIlpe9vsbV0dmB1FvLP2
    1N09dkUJfi7V0fjb8mcn3QYu6+6QNoxPAgMBAAGjga4wgaswDgYDVR0PAQH/BAQD
    AgTwMB0GA1UdDgQWBBTdASsopgao1m8hcEg0cDZhucltljA6BgNVHR8EMzAxMC+g
    LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDAf
    BgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHSUEFjAUBggrBgEF
    BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAln3/pVqYnUXA1TVGzOqX
    LFhohGxpuNkr1UJnQmYxmZeB07uPBYRX8c0JXEKs29TmAHRsLhmp8kF36F11Dxgi
    Xm/Y8I9zgWHoMj7SL3Ve/u8K8K7XcUyUuaWmldLQAREafpFy+f+KYHGuAVh8hjy6
    XyPlMCqj+PNp8QXjgOcgO68=
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
    issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 891 bytes and written 314 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
       Protocol  : TLSv1
       Cipher    : DES-CBC3-SHA
       Session-ID: C376985C4DAFD52F21A89E42FB9D36DA0458F3A6F1D97E9615A0793DE2C2163C
       Session-ID-ctx:
       Master-Key: 74C5BE3ACBEE15367F1D7ADCD91B478B0FD81FC9EDB56D8698C1DCAEE09CAEECCE58C557308CBE0C049EFB50D1EB2829
       Key-Arg   : None
       Start Time: 1167236180
       Timeout   : 300 (sec)
       Verify return code: 21 (unable to verify the first certificate)
    ---
    +OK Gpop ready for requests from 210.77.27.77 f57pf402492pyh
    

    Gmail's certificate is the block from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (keep both marker lines; openssl expects them). Prepare a directory for your certificates, for example ~/.certs/, and save that block to the file ~/.certs/gmail.pem.

  2. Get the fingerprint of the certificate by running the command below from inside ~/.certs/:
    $ openssl x509 -fingerprint -md5 -noout -in gmail.pem
    MD5 Fingerprint=59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4
    

  3. Rehash the certificate directory so OpenSSL can find the certificate by subject hash:
    $ c_rehash ~/.certs
    Doing /home/nini/.certs/
    gmail.pem => 7f549ca4.0
    

  4. The POP3-over-SSL setup is now mostly complete. Verify that everything works with the following session (the CAPA, USER, PASS and QUIT lines are typed by you; the rest is the server's reply):
    $ openssl s_client -connect pop.gmail.com:995 -CApath ~/.certs -quiet
    depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    verify return:1
    depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
    verify return:1
    +OK Gpop x99xx9999xxx ready.
    CAPA
    +OK Capability list follows
    USER
    RESP-CODES
    EXPIRE 0
    LOGIN-DELAY 300
    X-GOOGLE-VERHOEVEN
    .
    USER username@gmail.com
    +OK send PASS
    PASS password
    +OK Welcome.
    CAPA
    +OK Capability list follows
    USER
    RESP-CODES
    PIPELINING
    EXPIRE 0
    LOGIN-DELAY 300
    TOP
    UIDL
    X-GOOGLE-VERHOEVEN
    .
    QUIT
    +OK Farewell.
    read:errno=0
    

  5. Then configure your ~/.fetchmailrc file; here is a working example:
    poll pop.gmail.com with proto POP3 uidl
        username "username@gmail.com" there with password "password" is "nini" here
        options keep ssl sslfingerprint
        '59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4'
        # sslcertck sslcertpath "/home/nini/.certs"
        mda "/usr/bin/procmail -d %T"
    

    If your fetchmail runs as a cron job rather than as a daemon, use the configuration above and make sure the line containing sslcertpath stays commented out. Otherwise you may get this error:

    fetchmail: Server certificate verification error: unable to get local issuer certificate
    25424:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
    fetchmail: SSL connection failed.
    

    This appears to expose a slight difference in certificate-checking behaviour between daemon mode and single-instance mode. You can test it with the command:

    $ fetchmail -d0 -v pop.gmail.com
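The steps above are done by hand with openssl; the script below is an added example (not code from the original post) that reproduces the same checks so they can be repeated whenever Gmail's certificate changes: it pulls the leaf certificate like step 1, derives the MD5 fingerprint that fetchmail's sslfingerprint option compares against like step 2, reads the pinned value out of ~/.fetchmailrc, and verifies the chain against the rehashed directory like step 4 (the sslcertck route). The file locations ~/.fetchmailrc and ~/.certs and the host pop.gmail.com:995 are taken from the post; everything else is assumed.

```python
"""Pin and chain check for Gmail's POP3S certificate.

Added example, not code from the original post. Reproduces the post's manual
steps: obtain the server certificate (step 1), derive the MD5 fingerprint that
fetchmail's `sslfingerprint` compares against (step 2), and verify the chain
against the c_rehash'ed certificates in ~/.certs (step 4, `sslcertck`).
"""
import base64
import hashlib
import hmac
import os
import re
import socket
import ssl
from typing import Optional

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block in PEM text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Colon-separated upper-case digest of the DER encoding: the format
    `openssl x509 -fingerprint` prints and fetchmail expects (MD5)."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pinned_fingerprint(fetchmailrc_text: str) -> Optional[str]:
    """Extract the quoted value after `sslfingerprint` from a .fetchmailrc;
    the value may sit on the following line, as in the post's example."""
    match = re.search(r"sslfingerprint\s+['\"]([0-9A-Fa-f:]+)['\"]",
                      fetchmailrc_text)
    return match.group(1).upper() if match else None


def pin_matches(der: bytes, pinned: str, algo: str = "md5") -> bool:
    """Constant-time comparison. A mismatch means the certificate was rotated
    or the connection is not terminating at the expected server."""
    return hmac.compare_digest(fingerprint(der, algo), pinned.upper())


def fetch_server_cert(host: str, port: int = 995) -> bytes:
    """Retrieve the leaf certificate in DER form, like `openssl s_client`.
    Chain verification is off here on purpose: no trust is configured yet,
    and trust is decided by pin_matches(), not by this connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=15) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def chain_verifies(host: str, capath: str, port: int = 995) -> bool:
    """Mirror of step 4's `openssl s_client -CApath ~/.certs`: trust only the
    rehashed certificates in capath, as fetchmail does with
    `sslcertck` + `sslcertpath`. Hostname checking stays on."""
    ctx = ssl.create_default_context(capath=os.path.expanduser(capath))
    try:
        with socket.create_connection((host, port), timeout=15) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    # Paths follow the post; adjust if your files live elsewhere.
    with open(os.path.expanduser("~/.fetchmailrc")) as fh:
        pinned = pinned_fingerprint(fh.read())
    live = fetch_server_cert("pop.gmail.com")
    print("live MD5   :", fingerprint(live))
    print("live SHA256:", fingerprint(live, "sha256"))
    print("pinned     :", pinned)
    if pinned and pin_matches(live, pinned):
        print("pin OK")
    else:
        print("PIN MISMATCH: confirm the new certificate, then refresh "
              "~/.certs/gmail.pem and the sslfingerprint line")
    print("chain via ~/.certs:", chain_verifies("pop.gmail.com", "~/.certs"))
```

Two caveats worth keeping in mind with the post's setup. A pinned leaf fingerprint stops matching every time the server's certificate is renewed, so expect the "verification error" above to come back periodically; when it does, re-run step 1 and inspect the new certificate before updating the pin rather than blindly copying it. And fetchmail's sslfingerprint is an MD5 value, which is why the script also prints the SHA-256 fingerprint for your own records; if you rely on the sslcertck route instead, re-run c_rehash after every change to ~/.certs, and note that OpenSSL 1.0 and later compute a different subject hash than the 0.9.x version that produced the 7f549ca4.0 name in step 3.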
    

Use esmtp to send through Gmail's SMTP server

  1. Edit the configuration file ~/.esmtprc:
    hostname = smtp.gmail.com
    username = "username@gmail.com"
    password = "password"
    starttls = enabled
    
  2. $ chmod 0710 ~/.esmtprc
  3. If you use mutt as your mail client, modify ~/.muttrc:
    set envelope_from
    set sendmail="/usr/bin/esmtp -v -X ~/.esmtplog"
    my_hdr From: "username@gmail.com"
    my_hdr Reply-To: "username@gmail.com"
    set sendmail_wait=0

3 comments:

Badzil said...

Had some problems with Gmail and certificates ("Server certificate verification error: unable to get local issuer certificate"). Your tutorial was the only one I found giving me a working solution.

Nice work!

DD said...

Thanks for this, helped with the last bit of the puzzle. Didn't spot the # in front of sslcertck which caused a blip. Note for BSD users there is no c_rehash script, just do the symlink yourself with
-------------------------------------
ln -s gmail.pem \
`openssl x509 -hash -in gmail.pem -noout`.0
-------------------------------------
which in effect pastes the result of the hash function into the symlink. NOTE this ASSUMES that there are no existing hash symlinks so check ~/.certs/ first and if in doubt use an iterative script or insert the trailing .n by hand
