[SOLVED] Fetchmail

abakhiet · 05-22-2010, 04:12 AM

Hola, i need to ask you how can i make some fetchmail jobs to download mails from my gmail account into my mail account in my own server ???
my server is :

Quote:

Linux Centos 5.4
Postfix Mail Server

i make a file named .fetchmailrc in my home directory and set its permissions to 755and the content of this file is :

Quote:

set postmaster “postmaster”
set bouncemail
set no spambounce
set properties “”
poll imap.googlemail.com:993 protocol imap username "username@gmail.com" password "password"

i think something is not completed, i need to make that fetch to a specific user only, not all users

Thanks in advance

repo · 05-22-2010, 05:13 AM

You need to compile fetchmail with ssl support

Code:

poll pop.gmail.com with proto POP3
user 'user' there with password 'password' is 'user' here options keep no rewrite ssl sslkey '/home/user/ssl' sslcert '/home/use/ssl'

http://www.axllent.org/docs/networki...with_fetchmail

abakhiet · 05-22-2010, 09:55 AM

Thanks my friend, but i make all the settings in the article, but it gives me an error :

Quote:

-bash-3.2$ fetchmail -d0 -vk pop.gmail.com
fetchmail: 6.3.6 querying pop.gmail.com (protocol POP3) at Sat 22 May 2010 05:53:49 PM EEST: poll started
Trying to connect to 74.125.77.109/995...connected.
fetchmail: Server certificate verification error: unable to get local issuer certificate
4445:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:912:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from abakhiet@gmail.com@pop.gmail.com
fetchmail: 6.3.6 querying pop.gmail.com (protocol POP3) at Sat 22 May 2010 05:53:54 PM EEST: poll completed
fetchmail: Query status=2 (SOCKET)
fetchmail: normal termination, status 2

and my .fetchmailrc file content is :

Quote:

# set username
set postmaster "user5"
# set polling time (5 minutes)
set daemon 600

poll pop.gmail.com
proto pop3
user "usert@gmail.com"
pass "blanked"
is abakhiet ssl
sslcertck sslcertpath /home/user5/.certs/

repo · 05-22-2010, 12:04 PM

Here is how I do it:

Code:

$ mkdir ~/.certs 
$ cd ~/.certs
$wget --no-check-certificate -O Equifax.pem \
 https://www.geotrust.com/resources/r..._Authority.cer
$c_rehash .

get the cerificate

Code:

$ openssl s_client -connect pop.gmail.com:995 -showcerts

Copy the certificate to gmail.pem
Get the fingerprint

Code:

$ openssl x509 -noout -in gmail.pem -enddate -fingerprint -md5 -dates

This will give you a fingerprint.
Use this fingerprint in fetchmailrc

Quote:

poll pop.gmail.com with proto POP3
user "{USERNAME@gmail.com}", with password "{PASSWORD}", is {localmailbox} here
options ssl sslfingerprint '92:73:17:4C:34:4B:68:F7:B2:17:71:42:0D:7F:9F:33'
sslcertck sslcertpath /home/{USER}/.certs

test if everything is correct

Code:

fetchmail -d0 -vk pop.gmail.com

abakhiet · 05-23-2010, 12:27 AM

thanks a lot my friend, but really i need to download messages from my gmail account only one time in the day in a certain hour, so how can i do this ???

repo · 05-23-2010, 02:45 AM

You can run fetchmail in a cronjob
Don't run it as a deamon

graemev · 09-22-2010, 03:44 PM

This lead me to a working solution , however several things were different

1: my googlemail account is googlemail.com not gmail.com ... despite all the google entries saying I still connect to gmail.com , in fact I had to use googlemail.com as the server. Specifically:

openssl s_client -connect imap.googlemail.com:993 -showcerts > from-imap.googlemail.com

(note port no differs for imap)

NB you user id is full so "graeme.foobar@googlemail.com" (not graeme.foobar)

I had to download a whole series of certificates:

That line above gives me TWO certificates (both google, they have there own CA ... save cash :-) ) so I stored these in:

imap.googlemail.com.pem
and
Google-Internet-Authority.pem

The latter is signed by equifax, which you can see by doing:

openssl x509 -in Google-Internet-Authority.pem -text

Which says:

Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

So I go to:

http://www.geotrust.com/resources/ro...tes/index.html

An dthe description there which matched in my case was:

http://www.geotrust.com/resources/ro..._Authority.cer

(I'm sure there must be a better way to find the correct root certificate ... not just it's description :-( )

I renamed this to .pem and reran c_rehash .

So the chain appears to be:

imap.googlemail.com is certified by google-Internet-Authority which
is in turn certified by Equifax Secure Certificate Authorit.

graemev · 05-15-2011, 11:26 AM

So for those of you coming across this, the certificate has aged out (looks like 22Apr2011) so it was failing:

fetchmail: imap.googlemail.com fingerprints do not match!
20791:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:951:
fetchmail: SSL connection failed.

Looking at the cert downloaded above, I see:

# openssl x509 -noout -in /var/lib/fetchmail/.certs/imap.googlemail.com.pem -enddate -fingerprint -md5 -dates
MD5 Fingerprint=FC:5D:72:53:40:85:65:9B:8D:61:03:10:01:21:C6:62
notBefore=Apr 22 20:17:57 2010 GMT
notAfter=Apr 22 20:27:57 2011 GMT

(yep expired 22Apr ... I only just realised I wasn't getting googlemail :-)

So I need to get new cert:

Here I need to do:

openssl s_client -connect imap.googlemail.com:993 -showcerts > from-imap.googlemail.com

Also try this:

openssl s_client -connect imap.gmail.com:993 -showcerts > from-imap.gmail.com

From these I extracted:

googlemail.pem
gmail.pem
Google-Internet-Authority.pem

The Google-Internet-Authority.pem is still good , so I only need other two.

So I copy these into fetchmails .cert directory and do:

#c_rehash $PWD

THEN (I forgot @ 1st) remember to copy the fingerprint:

# openssl x509 -noout -in googlemail.pem -enddate -fingerprint -md5 -dates
MD5 Fingerprint=66:F8:8A:EA:34:2C:BE:57:33:17:B6:02:BE:A2:0F:6E
notBefore=Feb 16 04:41:53 2011 GMT
notAfter=Feb 16 04:51:53 2012 GMT

And stick this into the fetchmail RC:

poll imap.googlemail.com with proto IMAP
user "graeme.foobar@googlemail.com", with password "password here", is graeme here
options ssl sslfingerprint '66:F8:8A:EA:34:2C:BE:57:33:17:B6:02:BE:A2:0F:6E'
sslcertck sslcertpath /var/lib/fetchmail/.certs