Fetchmail: Fetching mail securely
Problem
I'm using fetchmail to fetch mail unencrypted, and with tcpdump I can see my passwords going over the wire in cleartext:
$> sudo tcpdump -A -i eth0 -l -s0 | grep LOGIN # IMAP
$> sudo tcpdump -A -i eth0 -l -s0 | grep PASS # POP
So this means that anyone with access to my transmitted network packets can see my passwords!
Solution
Invoke fetchmail with the following ssl options in .fetchmailrc:
ssl sslcertck sslcertpath ... sslfingerprint ...
See my journal below on installing the certificates, or search Google for "fetchmail ssl".
See also
- fetchmail & SSL
- Informative page by Christoph Rummel on how to install ssl with fetchmail.
- Fetchmail Via SSL/SSH
- Alternate solution to SSL, using SSH
Journal
20080104
Connecting to IMAP/SSL doesn't seem to work:
$> fetchmail
Enter password for me@site.country@hostname.myisp.country:
fetchmail: connection to hostname.myisp.country:imaps [x.x.x.x/993] failed: Connection timed out.
IMAP connection to hostname.myisp.country failed: Connection timed out
fetchmail: Query status=2 (SOCKET)
$>
Connecting to POP/SSL yields:
$> fetchmail -v
Enter password for me@site.com@hostname.myisp.com:
fetchmail: 6.3.6 querying hostname.myisp.com (protocol POP3) at Fri 04 Jan 2008 02:58:11 PM CET: poll started
Trying to connect to x.x.x.x/995...connected.
fetchmail: Issuer Organisation: Equifax Secure Inc.
fetchmail: Issuer CommonName: Equifax Secure Global eBusiness CA-1
fetchmail: Server CommonName: hostname.myisp.com
fetchmail: hostname.myisp.com key fingerprint: C9:3B:49:9D:AC:89:42:2C:14:D4:D3:03:B5:BF:80:CE
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate
fetchmail: POP3< +OK <16877.1199454585@hostname.myisp.com>
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< TOP
fetchmail: POP3< UIDL
fetchmail: POP3< LAST
fetchmail: POP3< USER
fetchmail: POP3< APOP
fetchmail: POP3< .
fetchmail: POP3> USER me@site.com
fetchmail: POP3< +OK
fetchmail: POP3> PASS *
fetchmail: POP3< +OK
fetchmail: POP3> STAT
fetchmail: POP3< +OK 0 0
fetchmail: No mail for me@site.com at hostname.myisp.com
fetchmail: POP3> QUIT
fetchmail: POP3< +OK
fetchmail: 6.3.6 querying hostname.myisp.com (protocol POP3) at Fri 04 Jan 2008 02:58:11 PM CET: poll completed
fetchmail: normal termination, status 1
Copy the fingerprint to your .fetchmailrc:
sslfingerprint C9:3B:49:9D:AC:89:42:2C:14:D4:D3:03:B5:BF:80:CE
Retrieve the server certificate:
$> openssl s_client -connect hostname.myisp.com:995 -showcerts
Copy the lines from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE----- to a file ~/.certs/hostname.myisp.com.crt.
Rehash the certificate(s):
$> c_rehash ~/.certs
Add this to your .fetchmailrc:
sslcertck sslcertpath /home/yourname/.certs
I now receive the following error:
$> fetchmail
Enter password for me@site.com@hostname.myisp.com:
fetchmail: Server certificate verification error: unable to get local issuer certificate
28416:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from me@site.com@hostname.myisp.com
fetchmail: Query status=2 (SOCKET)
Maybe I should install the certificate of the issuer (Equifax Secure Global eBusiness CA-1) as well. Google tells me the certificate can be downloaded from http://www.geotrust.com/resources/root_certificates/index.asp
I downloaded the Base-64 encoded certificate, copied it to ~/.certs and did a c_rehash ~/.certs.
Still an error. Maybe I installed the `Equifax Secure eBusiness CA-1' whereas I should've installed the `Equifax Secure Global eBusiness CA-1'. Installed the latter as well.
And it works:
$> fetchmail
Enter password for me@site.com@hostname.myisp.com:
fetchmail: No mail for me@site.com at hostname.myisp.com
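As an added example (not from this page and not fetchmail's own code), the shell functions below replay the certificate steps of this journal offline with the openssl CLI: pull the leaf certificate out of saved `openssl s_client -showcerts' output, derive the fingerprint in the form sslfingerprint expects, rehash the directory the way c_rehash does, and run the same chain check sslcertck performs, naming the issuer that is still missing. The host name, file names and the certificate directory are assumed.

```shell
#!/bin/sh
# Added example, not part of the original page: replays the certificate-side
# checks fetchmail performs for sslfingerprint and sslcertck, offline.

# The server's own (leaf) certificate from saved `openssl s_client -showcerts`
# output.  -showcerts prints the whole chain; the first BEGIN/END block is the
# server certificate, which is the one to pin and to save in sslcertpath.
leaf_cert_from_showcerts() {
    # $1: file with s_client output; prints the first PEM block only
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p) exit}' "$1"
}

# MD5 digest of the DER certificate in the colon-separated form that
# fetchmail 6.3.x prints as "key fingerprint" and expects after sslfingerprint.
fetchmail_fingerprint() {
    # $1: PEM certificate file
    openssl x509 -noout -md5 -fingerprint -in "$1" | sed 's/^.*=//'
}

# Pinning check, case-insensitive: 0 when the pinned value matches the
# certificate, 1 otherwise (fetchmail aborts the session on a mismatch).
fingerprint_matches() {
    # $1: pinned fingerprint, $2: PEM certificate file
    pinned=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ "$pinned" = "$(fetchmail_fingerprint "$2")" ]
}

# What c_rehash (or openssl rehash) does: HASH.N symlinks so that OpenSSL,
# and hence fetchmail's sslcertpath, can find a certificate by subject hash.
rehash_certdir() {
    # $1: directory holding *.crt files
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        h=$(openssl x509 -noout -hash -in "$crt")
        n=0
        while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$crt")" "$1/$h.$n"
    done
}

# The sslcertck step: build the chain from the rehashed directory.  On failure
# the issuer DN is printed: the CA still missing ("unable to get local issuer").
verify_against_certdir() {
    # $1: rehashed certificate directory, $2: PEM leaf certificate
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1 && return 0
    openssl x509 -noout -issuer -in "$2" | sed 's/^issuer=/missing issuer: /'
    return 1
}
```

Running verify_against_certdir against ~/.certs before restarting fetchmail tells you which CA certificate still has to be added, as happened above with the Equifax Secure Global eBusiness CA-1.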
Now to check that the password really isn't transmitted in cleartext. First comment out all `ssl' keywords in .fetchmailrc, start this `tcpdump' in another terminal and run `fetchmail':
$> sudo tcpdump -A -i eth0 -l -s0 | grep PASS
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
.1.]$X..PASS ....
Tcpdump reports my password in cleartext when SSL is disabled. Now uncomment the ssl settings in your .fetchmailrc, restart `tcpdump' and run `fetchmail' again:
$> sudo tcpdump -A -i eth0 -l -s0 | grep PASS
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
No password is revealed with SSL :-)