Fetchmail: Fetching mail secure

From FVue

Problem

I'm using fetchmail to fetch mail unencrypted, and with tcpdump I can see my passwords going by in cleartext:

$> sudo tcpdump -A -i eth0 -l -s0 | grep LOGIN  # IMAP
$> sudo tcpdump -A -i eth0 -l -s0 | grep PASS  # POP

So this means that anyone with access to my transmitted network packets can see my passwords!

Solution

Invoke fetchmail with the following ssl options in .fetchmailrc:

ssl
sslcertck
sslcertpath ...
sslfingerprint ...

See my journal on installing the certificates or search Google for "fetchmail ssl".

See also

fetchmail & SSL
Informative page by Christoph Rummel on how to install ssl with fetchmail.
Fetchmail Via SSL/SSH
Alternate solution to SSL, using SSH

Journal

20080104

Connecting to IMAP/SSL doesn't seem to work:

$> fetchmail
Enter password for me@site.country@hostname.myisp.country: 
fetchmail: connection to hostname.myisp.country:imaps [x.x.x.x/993] failed: Connection timed out.
IMAP connection to hostname.myisp.country failed: Connection timed out
fetchmail: Query status=2 (SOCKET)
$>

Connection to POP/SSL yields:

$> fetchmail -v
Enter password for me@site.com@hostname.myisp.com: 
fetchmail: 6.3.6 querying hostname.myisp.com (protocol POP3) at Fri 04 Jan 2008 02:58:11 PM CET: poll started
Trying to connect to x.x.x.x/995...connected.
fetchmail: Issuer Organisation: Equifax Secure Inc.
fetchmail: Issuer CommonName: Equifax Secure Global eBusiness CA-1
fetchmail: Server CommonName: hostname.myisp.com
fetchmail: hostname.myisp.com key fingerprint: C9:3B:49:9D:AC:89:42:2C:14:D4:D3:03:B5:BF:80:CE
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate
fetchmail: POP3< +OK <16877.1199454585@hostname.myisp.com>
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< TOP
fetchmail: POP3< UIDL
fetchmail: POP3< LAST
fetchmail: POP3< USER
fetchmail: POP3< APOP
fetchmail: POP3< .
fetchmail: POP3> USER me@site.com
fetchmail: POP3< +OK 
fetchmail: POP3> PASS *
fetchmail: POP3< +OK 
fetchmail: POP3> STAT
fetchmail: POP3< +OK 0 0
fetchmail: No mail for me@site.com at hostname.myisp.com
fetchmail: POP3> QUIT
fetchmail: POP3< +OK 
fetchmail: 6.3.6 querying hostname.myisp.com (protocol POP3) at Fri 04 Jan 2008 02:58:11 PM CET: poll completed
fetchmail: normal termination, status 1

Copy the fingerprint to your fetchmailrc:

sslfingerprint C9:3B:49:9D:AC:89:42:2C:14:D4:D3:03:B5:BF:80:CE

Retrieve the server certificate:

$> openssl s_client -connect hostname.myisp.com:995 -showcerts

Copy the lines including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- to a file ~/.certs/hostname.myisp.com.crt.

Rehash the certificate(s):

$> c_rehash ~/.certs

Add this to your fetchmailrc:

sslcertck
sslcertpath /home/yourname/.certs
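An added example (not from this page or from fetchmail itself) that computes the same value fetchmail -v prints as "key fingerprint" and that `openssl x509 -noout -fingerprint -md5` prints: the MD5 of the DER-encoded certificate, colon-separated. Use it to cross-check the value pinned with sslfingerprint against the saved ~/.certs/hostname.myisp.com.crt file. The certificate bytes and the .fetchmailrc snippet below are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re
from typing import Optional

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def wrap_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, as openssl s_client -showcerts prints them."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: NOT a real certificate, just stand-in bytes so the code runs offline.
SAMPLE_DER = bytes(range(64)) * 4
SAMPLE_PEM = wrap_pem(SAMPLE_DER)

# Constructed .fetchmailrc fragment using the fingerprint shown on this page.
SAMPLE_RC = "ssl\nsslcertck\nsslcertpath /home/yourname/.certs\n" \
            "sslfingerprint C9:3B:49:9D:AC:89:42:2C:14:D4:D3:03:B5:BF:80:CE\n"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate found in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def fetchmail_fingerprint(pem: str) -> str:
    """fetchmail's sslfingerprint format: upper-case MD5 of the DER certificate, colon-separated."""
    digest = hashlib.md5(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def pinned_fingerprint(fetchmailrc: str) -> Optional[str]:
    """Extract the sslfingerprint value (quoted or bare) from .fetchmailrc text."""
    m = re.search(r'^\s*sslfingerprint\s+"?([0-9A-Fa-f:]+)"?', fetchmailrc, re.M)
    return m.group(1).upper() if m else None


def fingerprint_matches(pem: str, pinned: str) -> bool:
    """True if the certificate's fingerprint equals the pinned value; case and colons are ignored."""
    norm = lambda s: s.replace(":", "").upper()
    return norm(fetchmail_fingerprint(pem)) == norm(pinned)
```

Run fetchmail_fingerprint() on the saved .crt file and compare the result with the value in your .fetchmailrc; a mismatch means the pinned value or the saved certificate is not the one the server presented.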

I now receive the following error:

$> fetchmail
Enter password for me@site.com@hostname.myisp.com: 
fetchmail: Server certificate verification error: unable to get local issuer certificate
28416:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from me@site.com@hostname.myisp.com
fetchmail: Query status=2 (SOCKET)

Maybe I should install the certificate of the issuer (Equifax Secure Global eBusiness CA-1) as well. Google tells me the certificate can be downloaded from http://www.geotrust.com/resources/root_certificates/index.asp

I downloaded the Base-64 encoded certificate, copied it to ~/.certs and did a c_rehash ~/.certs

Still an error. Maybe I installed the `Equifax Secure eBusiness CA-1' whereas I should've installed the `Equifax Secure Global eBusiness CA-1'. Installed the latter as well.

And it works!

$> fetchmail
Enter password for me@site.com@hostname.myisp.com: 
fetchmail: No mail for me@site.com at hostname.myisp.com

Now to check that the password really isn't transmitted in cleartext. First comment out all `ssl' keywords in .fetchmailrc and start this `tcpdump' in another terminal while issuing a `fetchmail':

$> sudo tcpdump -A -i eth0 -l -s0 | grep PASS

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
.1.]$X..PASS ....

Tcpdump reports my password in cleartext if SSL is disabled. Now uncomment the ssl settings in your .fetchmailrc, restart `tcpdump' and issue a `fetchmail':

$> sudo tcpdump -A -i eth0 -l -s0 | grep PASS
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C

No password is revealed with SSL :-)
