Gmail uses the POP3-over-SSL protocol, which encrypts your messages, to pop your mail. Thus, we need a valid certificate for verification. You can use any valid certificate; here we will grab Google's own certificate and authenticate it.
- Get Gmail's own certificate:
$ openssl s_client -connect pop.gmail.com:995 -showcerts
This produces output like the following:
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
[base64-encoded certificate body]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 891 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: C376985C4DAFD52F21A89E42FB9D36DA0458F3A6F1D97E9615A0793DE2C2163C
    Session-ID-ctx:
    Master-Key: 74C5BE3ACBEE15367F1D7ADCD91B478B0FD81FC9EDB56D8698C1DCAEE09CAEECCE58C557308CBE0C049EFB50D1EB2829
    Key-Arg   : None
    Start Time: 1167236180
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK Gpop ready for requests from 210.77.27.77 f57pf402492pyh
Gmail's certificate is the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (including both marker lines). Prepare a directory to save your certificates, for example ~/.certs/. Copy that content and save it to the file ~/.certs/gmail.pem
- Get the fingerprint of the certificate by running the command below:
$ openssl x509 -fingerprint -md5 -noout -in gmail.pem
MD5 Fingerprint=59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4
- Rehash the gmail certificates:
$ c_rehash ~/.certs
Doing /home/nini/.certs/
gmail.pem => 7f549ca4.0
- Now the configuration of POP3-over-SSL is mostly complete. Verify that everything is OK with the following command:
$ openssl s_client -connect pop.gmail.com:995 -CApath ~/.certs -quiet
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify return:1
+OK Gpop x99xx9999xxx ready.
CAPA
+OK Capability list follows
USER
RESP-CODES
EXPIRE 0
LOGIN-DELAY 300
X-GOOGLE-VERHOEVEN
.
USER username@gmail.com
+OK send PASS
PASS password
+OK Welcome.
CAPA
+OK Capability list follows
USER
RESP-CODES
PIPELINING
EXPIRE 0
LOGIN-DELAY 300
TOP
UIDL
X-GOOGLE-VERHOEVEN
.
QUIT
+OK Farewell.
read:errno=0
- Then configure your ~/.fetchmailrc file. Here is a good example:
poll pop.gmail.com with proto POP3 uidl
    username "username@gmail.com" there with password "password" is "nini" here
    options keep ssl sslfingerprint '59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4'
    # sslcertck sslcertpath "/home/nini/.certs"
    mda "/usr/bin/procmail -d %T"
If your fetchmail is not running as a daemon but as a crontab task, use the configuration file above and make sure the line containing sslcertpath is commented out. Otherwise, you might encounter the error:
fetchmail: Server certificate verification error: unable to get local issuer certificate
25424:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
Perhaps this exposes a slight difference in logging behaviour between daemon mode and single-instance mode. You can test it with the command:
$ fetchmail -d0 -v pop.gmail.com
Use esmtp with the SMTP server
- Edit the configuration file ~/.esmtprc:
hostname = smtp.gmail.com
username = "username@gmail.com"
password = "password"
starttls = enabled
- Set the permissions on the configuration file:
$ chmod 0710 ~/.esmtprc
- If you use mutt as your mail client, modify ~/.muttrc:
set envelope_from
set sendmail="/usr/bin/esmtp -v -X ~/.esmtplog"
my_hdr From: "username@gmail.com"
my_hdr Reply-To: "username@gmail.com"
set sendmail_wait=0
3 comments:
Had some problems with Gmail and certificates ("Server certificate verification error: unable to get local issuer certificate"). Your tutorial was the only one I found giving me a working solution.
Nice work !
Thanks for this, helped with the last bit of the puzzle. Didn't spot the # in front of sslcertck which caused a blip. Note for BSD users there is no c_rehash script, just do the symlink yourself with
-------------------------------------
ln -s gmail.pem \
`openssl x509 -hash -in gmail.pem -noout`.0
-------------------------------------
which in effect pastes the result of the hash function into the symlink. NOTE this ASSUMES that there are no existing hash symlinks so check ~/.certs/ first and if in doubt use an iterative script or insert the trailing .n by hand
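
The certificate steps in the post and the manual symlink from the comment above, as an added shell example (not code from the post's author or the commenters): it extracts the server certificate from saved s_client output and creates the hash link without clobbering an existing HASH.n. The function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: helpers for the certificate steps in the post.
# Function names are illustrative; they are not openssl or fetchmail commands.

# Print the first PEM certificate in saved `openssl s_client -showcerts`
# output. The server's own (leaf) certificate is listed first in the chain.
extract_first_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside                         { print }
        /^-----END CERTIFICATE-----/   { if (inside) exit }
    ' "$1"
}

# Choose the hash link name for certificate file $3 in directory $1, given
# its subject hash $2. A link that already points at the file is reused;
# otherwise the first unused HASH.n is returned, so existing links survive.
pick_hash_link() {
    dir=$1 hash=$2 pem=$3 n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$pem" ]; then
            break
        fi
        n=$((n + 1))
    done
    printf '%s.%s\n' "$hash" "$n"
}

# Single-certificate stand-in for c_rehash: link $1/$2 under its subject hash.
link_cert() {
    cert_dir=$1 cert_file=$2
    cert_hash=$(openssl x509 -hash -noout -in "$cert_dir/$cert_file") || return 1
    link=$(pick_hash_link "$cert_dir" "$cert_hash" "$cert_file")
    [ -L "$cert_dir/$link" ] || ln -s "$cert_file" "$cert_dir/$link"
    printf '%s => %s\n' "$cert_file" "$link"
}

# Usage (needs openssl and network access):
#   openssl s_client -connect pop.gmail.com:995 -showcerts </dev/null >out.txt
#   extract_first_cert out.txt > ~/.certs/gmail.pem
#   link_cert ~/.certs gmail.pem
```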