# apt-get install fetchmail
# login joeblow
Create .fetchmailrc in the user's home directory, then paste the config info below into it:
# vi .fetchmailrc
poll pop.gmail.com
proto POP3
user "joeblow"
# note: omitting the password line makes fetchmail ask for the password when run, so it is not kept in PLAINTEXT in this file
password "password"
# keep retains all mail on the server after download
keep
options ssl
Fetchmail looks for its conf file by default in $HOME/.fetchmailrc. Under most circumstances, the .fetchmailrc file should have the permissions set to 600 (by issuing a chmod 600 .fetchmailrc command), closing off all access to "group" and "other." If the recipe file has permissions greater than 0710 (which grants all permissions to the owner, and execute-only to the group), Fetchmail will fail to run, interpreting the condition as a security flaw. Because your mail passwords are stored in cleartext in the recipe file, granting read permission to group or other is not advised.
Remember to enable POP in Gmail's forwarding/POP settings.
Run
#fetchmail -d0 -vk pop.gmail.com
.........trunc.....
fetchmail: POP3> RETR 40
fetchmail: POP3< +OK message follows
reading message joeblow@gmail-pop.l.google.com:40 of 324 (612 octets)
fetchmail: SMTP> MAIL FROM:<joeblow@gmail.com> SIZE=612
fetchmail: SMTP< 250 OK
not flushed.....
^Cfetchmail: terminated with signal 2
You have new mail in /var/mail/joeblow
$ tail /var/mail/joeblow
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0017_01C774C4.60375700"
X-Mailer: Microsoft Office Outlook 11.........blah
--------------mdn000104040901040603050904--
fetchmail with SSL support.
If you are not sure if your fetchmail has SSL support, check for something like libssl.so.0 with:
# ldd /usr/bin/fetchmail
libcom_err.so.2 => /lib/libcom_err.so.2 (0xb75d8000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7592000)
ldd prints the shared libraries required by each program or shared library specified on the command line.
The .certs directory now needs the two SSL (Secure Sockets Layer) certificates, stored as .pem (Privacy Enhanced Mail) files.
Certificate setup (not necessarily required, but interesting anyway):
http://www.axllent.org/docs/networking/gmail_pop3_with_fetchmail
Gmail now provides users with a free 7GB+ mailbox for storing all their mail. There are 3 main interfaces to access their mail, the main one being http (web) access, the others being IMAP & POP3. The thing that is quite unique is that Gmail only allows SSL connections for POP3 (port 995) & SMTP (587).
#man openssl
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
related cryptography standards required by them.
The openssl program is a command line tool for using the various
can be used for
Creation of RSA, DH and DSA key parameters
Creation of X.509 certificates, CSRs and CRLs
Calculation of Message Digests
Encryption and Decryption with Ciphers
SSL/TLS Client and Server Tests
Handling of S/MIME signed or encrypted mail
Use OpenSSL to get the server's certificate info, which we store in our own certificate files so that the server can be verified on future connections. The 2 certificates below go in gmail.pem and equifax.pem in the .certs directory.
# openssl
OpenSSL> s_client -connect pop.gmail.com:995 -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1703 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 365DC99A10E9C26A59C4DB81827BFE5A1A876F92D9BA3B3CDC9D29C827BAC22E
Session-ID-ctx:
Master-Key: 847B4013D06E87C5A18CBAF3DCCA19E4964F9C61487BE751968DBF749A9B96B408E7FBD923C1007069CB9533C2E54983
Key-Arg : None
Start Time: 1286059861
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 87.112.69.251 m29pf7383803wej.69
Now get the Equifax certificate:
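# wget -O equifax.pem https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer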
--2010-10-03 11:44:20-- https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
Resolving www.geotrust.com... 69.58.181.102
Connecting to www.geotrust.com|69.58.181.102|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1162 (1.1K) [text/html]
Saving to: `equifax.pem'
100%[=========================================>] 1,162 --.-K/s in 0s
2010-10-03 11:44:21 (15.3 MB/s) - `equifax.pem' saved [1162/1162]
Copy everything from (and including) -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, for both certs above, and save them in your new .certs directory as gmail.pem and equifax.pem.
root#mv -v /home/joeblow/equifax.pem /home/joeblow/.certs/equifax.pem
`/home/joeblow/equifax.pem' -> `/home/joeblow/.certs/equifax.pem'
$ vi .certs/gmail.pem (paste ---Begin Cert End Cert etc.)
Now that we have both certificates stored in ~/.certs we just need to rehash them so SSL (and fetchmail) can read and use them:
#man c_rehash
DESCRIPTION
c_rehash scans directories and takes a hash value of each .pem and .crt
file in the directory. It then creates symbolic links for each of the
files named by the hash value. This is useful as many programs require
directories to be set up like this in order to find the certificates they
require.
$ c_rehash ~/.certs/
Doing /home/joeblow/.certs/
equifax.pem => 594f1775.0
gmail.pem => 34ceaf75.0
To confirm we have the correct and working certificates, let us make an SSL connection to the Gmail server testing our 2 new certificates:
$ openssl s_client -connect pop.gmail.com:995 -CApath ~/.certs/
...blah...
Master-Key: 392A27B5B3064930FAA34906D3FFE346E4EED693A46B430DA3C7A6D4E17B9A14BDA6C315123507196C4EF4E8F6F91422
Key-Arg : None
Start Time: 1286103033
Timeout : 300 (sec)
Verify return code: 0 (ok)
+OK Gpop ready for requests from 87.x.x.x e2pf7963312wbu.16
Certs are good.
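Why the rehash step matters, as an added example that is not part of the original page: -CApath finds a CA only through a link named after its subject hash, which is what c_rehash creates. The CA, the server name pop.example.test and the function name capath_demo are constructed for illustration; nothing here contacts Gmail, and the openssl command line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original page. All certificates and names are
# constructed; requires the openssl CLI. Prints the exit status of
# "openssl verify -CApath" before and after the hash link exists.
capath_demo() (
    d=$(mktemp -d) && cd "$d" || exit 2
    mkdir certs
    # Constructed CA (plays the role of equifax.pem) and a server cert it signs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Constructed Test CA' \
        -keyout ca.key -out certs/ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=pop.example.test' \
        -keyout srv.key -out srv.csr 2>/dev/null
    openssl x509 -req -in srv.csr -CA certs/ca.pem -CAkey ca.key \
        -CAcreateserial -days 2 -out srv.pem 2>/dev/null

    # 1. ca.pem is in the directory, but there is no hash-named link yet,
    #    so the issuer lookup fails (the "verify error:num=20" case).
    openssl verify -CApath certs srv.pem >/dev/null 2>&1; before=$?

    # 2. Create the link c_rehash would create: <subject hash>.0 -> ca.pem
    h=$(openssl x509 -noout -subject_hash -in certs/ca.pem)
    ln -s ca.pem "certs/$h.0"
    openssl verify -CApath certs srv.pem >/dev/null 2>&1; after=$?

    echo "before=$before after=$after link=$h.0"
    cd / && rm -rf "$d"
)
capath_demo
```

The subject hash algorithm changed between OpenSSL 0.9.8 and 1.0.0, so rerun c_rehash after an OpenSSL upgrade; links such as 594f1775.0 made by the older version will not be found by a newer one.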
For Fetchmail to use the certs, the info has to be added to the .fetchmailrc conf file, similar to:
set postmaster "joeblow"
# set polling time (600 seconds = 10 minutes)
set daemon 600
poll pop.gmail.com with proto POP3
user 'joeblow@gmail.com' there with password 'secretpassword' is joeblow here options ssl
sslcertck sslcertpath /home/joeblow/.certs
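An added example (not part of the original page): a small shell audit of a .fetchmailrc for the points made above, namely the 0710 and 600 mode limits, a stored cleartext password, and ssl used without sslcertck. The function name audit_fetchmailrc and both sample files are constructed for illustration; GNU stat and grep are assumed.

```shell
#!/bin/sh
# Added example, not from the original page. audit_fetchmailrc is a
# hypothetical helper; it needs GNU stat and grep. The body runs in a
# subshell, and the exit status is the number of findings (0 = clean).
audit_fetchmailrc() (
    rc=$1; n=0
    [ -f "$rc" ] || { echo "no such file: $rc"; exit 99; }
    mode=$(stat -c '%a' "$rc")
    if [ $(( 0$mode & 067 )) -ne 0 ]; then
        # Beyond rwx--x--- (0710) fetchmail refuses to start, per the page.
        echo "FAIL  mode $mode is more open than 0710: fetchmail will not run"
        n=$((n + 1))
    elif [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "WARN  mode $mode: use chmod 600 $rc"
        n=$((n + 1))
    fi
    # Drop comment lines so a commented-out option is not counted.
    active=$(grep -Ev '^[[:space:]]*#' "$rc" || true)
    if printf '%s\n' "$active" | grep -Eiq '(^|[[:space:]])pass(word)?[[:space:]]+[^[:space:]]'; then
        echo "WARN  cleartext password stored; omit it to be prompted instead"
        n=$((n + 1))
    fi
    # fetchmail 6.3.x (the version in this page's output) needs sslcertck.
    if printf '%s\n' "$active" | grep -Ewq 'ssl' &&
       ! printf '%s\n' "$active" | grep -Ewq 'sslcertck'; then
        echo "WARN  ssl without sslcertck: server certificate is not enforced"
        n=$((n + 1))
    fi
    exit "$n"
)

# Constructed samples: a config like the first one on this page vs. a hardened one.
demo() (
    d=$(mktemp -d)
    printf '%s\n' 'poll pop.gmail.com proto POP3' 'user "joeblow"' \
        'password "password"' 'keep' 'options ssl' > "$d/weak"
    chmod 644 "$d/weak"
    printf '%s\n' 'poll pop.gmail.com with proto POP3' \
        "user 'joeblow@gmail.com' there is joeblow here options ssl" \
        'sslcertck sslcertpath /home/joeblow/.certs' > "$d/hardened"
    chmod 600 "$d/hardened"
    for f in weak hardened; do
        audit_fetchmailrc "$d/$f"; echo "$f: $? finding(s)"
    done
    rm -rf "$d"
)
demo
```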
Test the certificate exchange verbosely again using:
#fetchmail -d0 -vk pop.gmail.com
fetchmail: warning: multidrop for pop.gmail.com requires envelope option!
fetchmail: warning: Do not ask for support if all mail goes to postmaster!
Enter password for joeblow@pop.gmail.com:
fetchmail: 6.3.9-rc2 querying pop.gmail.com (protocol POP3) at Sun 03 Oct 2010 11:51:55 BST: poll started
Trying to connect to 209.85.229.109/995...connected.
fetchmail: Issuer Organisation: Google Inc
fetchmail: Issuer CommonName: Google Internet Authority
fetchmail: Server CommonName: pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: 6B:C4:63:05:87:1E:72:88:ED:81:C5:A2:51:6B:B7:B6
fetchmail: POP3< +OK Gpop ready for requests from 87.112.69.251 m53pf7892373wej.90
fetchmail: POP3> CAPA...blah
Mail downloads OK.
To run Fetchmail as a Daemon using the polling times you set:
# fetchmail