[opensuse] fetchmail and certificates
I see this warning while I fetch email:

<2.3> 2012-12-27 13:10:28 minas-tirith fetchmail 9789 - - Server CommonName mismatch: pop.dominioabsoluto.net != correo.coitt.es
<2.3> 2012-12-27 13:10:28 minas-tirith fetchmail 9789 - - Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)

(--sslcertck! would be useless)

The problem is that coitt is hosted at dominioabsoluto, so the certificate does not match; but the server is ok, it is the one I need to use.

How could I make the warning go away? I.e., make fetchmail accept the certificate silently (at least not at warning syslog level)?

--
Cheers
Carlos E. R.
(from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith))

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Hello,

On Thu, 27 Dec 2012, Carlos E. R. wrote:
> I see this warning while I fetch email:
>
> <2.3> 2012-12-27 13:10:28 minas-tirith fetchmail 9789 - - Server CommonName mismatch: pop.dominioabsoluto.net != correo.coitt.es
> <2.3> 2012-12-27 13:10:28 minas-tirith fetchmail 9789 - - Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)

I've been asking myself that same question for years now.

Not sure what version's manpage I've looked at and what I tried (unsuccessfully), but these look promising:

==== man fetchmail (fetchmail-6.3.21 / oS 12.1) ====
       --sslcommonname <common name>
              (Keyword: sslcommonname; since v6.3.9)
[..]
ALTERNATE AUTHENTICATION FORMS
[..]
   Secure Socket Layers (SSL) and Transport Layer Security (TLS)
[..]
       The certificate is checked to verify that the common name in the
       certificate matches the name of the server being contacted and that
       the effective and expiration dates in the certificate indicate that
       it is currently valid. If any of these checks fail, a warning
       message is printed, but the connection continues.
====

So, according to documentation (and probably due to popular demand ;) the addition of the new keyword/option and value

    sslcommonname pop.dominioabsoluto.net

to the relevant server section of your fetchmailrc should help.

[in my case, the cert is self-signed, with a different CN and expired, haven't gotten round to find out how to generate a fitting cert with plesk yet ... *gah*]

-dnh

--
New, from IKEA: DARCKENSE, the chair. Available in white only. All-natural materials! -- Niklas Karlsson
> I've been asking myself that same question for years now.
> Not sure what version's manpage I've looked at and what I tried (unsuccessfully), but these look promising:

... (Use of this option is discouraged) - :-)

> So, according to documentation (and probably due to popular demand ;) the addition of the new keyword/option and value
>
>     sslcommonname pop.dominioabsoluto.net
>
> to the relevant server section of your fetchmailrc should help.

It does, many thanks. The relevant section is the user part, not the server part, which is funny.

Yes, they warn that the proper solution is correcting the upstream server, but that is out of the question. There is no support email... this is a free account by an organization.

> [in my case, the cert is self-signed, with a different CN and expired, haven't gotten round to find out how to generate a fitting cert with plesk yet ... *gah*]

I can understand that... :-)

--
Cheers
Carlos E. R.
(from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith))
On 2012-12-30 at 21:51 +0100, Carlos E. R. wrote:
> On 2012-12-30 at 16:40 +0100, David Haller wrote:
>> to the relevant server section of your fetchmailrc should help.
>
> It does, many thanks. The relevant section is the user part, not the server part, which is funny.

(I wonder why I did not see that in the man page, which I have read several times... but not all or not with sufficient attention)

Clearing those messages from the warning log had the consequence that I now notice other messages previously unnoticed in my warning log:

<2.3> 2012-12-31 03:10:06 minas-tirith fetchmail 30339 - - Server certificate:
<2.3> 2012-12-31 03:11:26 fetchmail 30339 - - last message repeated 2 times

It is related to gmail:

<2.6> 2012-12-31 03:50:21 minas-tirith fetchmail 31660 - - Trying to connect to 173.194.67.108/993...connected.
<2.3> 2012-12-31 03:50:22 minas-tirith fetchmail 31660 - - Server certificate:
<2.6> 2012-12-31 03:50:22 minas-tirith fetchmail 31660 - - Issuer Organization: Google Inc
<2.6> 2012-12-31 03:50:22 minas-tirith fetchmail 31660 - - Issuer CommonName: Google Internet Authority
<2.6> 2012-12-31 03:50:22 minas-tirith fetchmail 31660 - - Subject CommonName: imap.gmail.com
<2.6> 2012-12-31 03:50:22 minas-tirith fetchmail 31660 - - Subject Alternative Name: imap.gmail.com

It happens that one of those messages is reported with priority 3 (the <2.3> in my log) instead of 6. It is surely a bug, but this being 11.4, I cannot report it.

--
Cheers
Carlos E. R.
(from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith))
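
The setting this thread arrives at, written out as a fetchmailrc sketch. This is an added example, not part of any message above and not either poster's actual configuration. The protocol, user name and password are placeholders, and adding sslcertck assumes the hosting provider's certificate chains to a CA in the local trust store.

```conf
# Use ONE of the two entries below; they are alternatives for the same account.

# Before: TLS is negotiated, but a name mismatch only logs
# "Server CommonName mismatch" and the session continues anyway.
poll correo.coitt.es protocol pop3          # protocol is an assumption
    user "USERNAME" password "PASSWORD"     # placeholders
    ssl

# After: sslcommonname (a user-section keyword, as noted in the thread)
# tells fetchmail which name to expect on the certificate, so the
# mismatch warning goes away. sslcertck then makes a certificate that
# is untrusted or carries any other name a hard failure instead of a
# warning.
poll correo.coitt.es protocol pop3          # protocol is an assumption
    user "USERNAME" password "PASSWORD"     # placeholders
    ssl
    sslcertck
    sslcommonname "pop.dominioabsoluto.net"
```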