From BStegmaier


When using a secure connection, fetchmail compares the MD5 fingerprint of the server's certificate with the one given in the configuration file. The connection fails with

fetchmail: $SERVER fingerprints do not match!
fetchmail: SSL connection failed.

if those fingerprints do not match.


So, what's the fastest way to get the server's certificate and fingerprint? Just use

openssl s_client -connect $SERVER:$PORT -showcerts | openssl x509 -fingerprint -noout -md5

replacing $SERVER and $PORT with the appropriate values.


The output might look like this:

depth=1 /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
verify error:num=19:self signed certificate in certificate chain
verify return:0
MD5 Fingerprint=09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5


Now copy and paste the fingerprint into your fetchmailrc and that's it!

/etc/fetchmailrc or ~/.fetchmailrc
poll ... sslfingerprint '09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5'
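
To notice a changed server certificate before fetchmail starts failing, the pinned value can be compared with the server's current fingerprint. The script below is an added example, not part of the original page; the function names and the host mail.example.org are hypothetical, and it assumes the fetchmailrc pins a single server.

```shell
#!/bin/sh
# Added example (not from the original page): check a pinned fetchmail fingerprint.

# Read `openssl x509 -fingerprint -noout -md5` output on stdin, print the fingerprint.
extract_fingerprint() {
    sed -n 's/^[Mm][Dd]5 Fingerprint=\([0-9A-Fa-f:]*\)$/\1/p' | head -n 1 | tr 'a-f' 'A-F'
}

# Print the first sslfingerprint value found in the fetchmailrc given as $1.
# Assumption: the file pins a single server; quotes around the value are optional.
pinned_fingerprint() {
    sed -n "s/.*sslfingerprint[[:space:]]*['\"]*\([0-9A-Fa-f:][0-9A-Fa-f:]*\).*/\1/p" "$1" |
        head -n 1 | tr 'a-f' 'A-F'
}

# compare_pin RCFILE   (openssl output on stdin)
# Returns 0 on match, 1 on mismatch, 2 if either fingerprint is missing
# (for example when openssl printed "unable to load certificate").
compare_pin() {
    pinned=$(pinned_fingerprint "$1")
    live=$(extract_fingerprint)
    if [ -z "$pinned" ] || [ -z "$live" ]; then
        echo "no fingerprint to compare (pinned='$pinned' server='$live')" >&2
        return 2
    fi
    if [ "$live" != "$pinned" ]; then
        echo "MISMATCH: server=$live pinned=$pinned" >&2
        return 1
    fi
    echo "match: $live"
}

# Demo on constructed input: the sample output and fingerprint shown on this page.
rcfile=$(mktemp)
printf "poll mail.example.org sslfingerprint '%s'\n" \
    '09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5' > "$rcfile"
printf '%s\n' 'verify return:0' \
    'MD5 Fingerprint=09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5' | compare_pin "$rcfile"
rm -f "$rcfile"

# Live use, with $SERVER and $PORT set as in the command above:
#   openssl s_client -connect "$SERVER:$PORT" </dev/null 2>/dev/null |
#       openssl x509 -fingerprint -noout -md5 | compare_pin ~/.fetchmailrc
```

A mismatch means the server now presents a different certificate than the pinned one; confirm the new fingerprint with the mail provider through a separate channel before updating fetchmailrc.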


Possible Issues

If you get something along the lines of

unable to load certificate
2371:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

run the first command only

openssl s_client -connect $SERVER:$PORT -showcerts

and check for error messages.


The most common issues are:

  • Error:
gethostbyname failure
connect:errno=0

or

connect: Connection refused
connect:errno=111

Solution: You might have typed in a wrong hostname or port.


  • Error:
CONNECTED(00000003)
write:errno=104

Solution: Only SSLv3 is supported. Try adding the option -ssl3 to the openssl s_client command.