I've also had the error: "Server CommonName mismatch: localhost !=
pop.hartford-hwp.com", but this didn't keep fetchmail from working.
I suspect the From: line of this message has some odd garbage, and this
may be related to my authentication problem, but I've no idea how to
proceed to repair it.
For no obvious reason, fetchmail failed to retrieve mail and timed out
after five minutes. I got:
fetchmail: Server CommonName mismatch: localhost != pop.hartford-hwp.com
fetchmail: Server certificate verification error: self signed certificate
fetchmail: timeout after 300 seconds waiting for server pop.hartford-hwp.com.
fetchmail: socket error while fetching from bro...@hartford-hwp.com@pop.hartford-hwp.com
fetchmail: Query status=2 (SOCKET)
In looking into this certificate verification problem, I find that it
can be ignored, but I went ahead and did:
$ mkdir ~/.certs
$ openssl s_client -connect imap.example.com:993 | \
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
> .certs/imap.pem
gethostbyname failure
connect:errno=0
$ c_rehash ~/.certs
This creates empty file: ~/.certs/imap.pem
I next add the line to .fetchmailrc:
sslcertck sslcertpath $HOME/.certs
I finally do: c_rehash
The problem is that my ~/.certs/imap.pem is empty. I assume there
should be something in it.
$ fetchmail -cvv
fetchmail: 6.3.6 querying pop.hartford-hwp.com (protocol POP3) at Thu 31 Jan 2008 02:15:34 PM EST: poll started
Trying to connect to 209.237.134.152/110...connected.
fetchmail: POP3< +OK Hello there.
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Here's what I can do:
fetchmail: POP3< STLS
fetchmail: POP3< TOP
fetchmail: POP3< USER
fetchmail: POP3< LOGIN-DELAY 10
fetchmail: POP3< PIPELINING
fetchmail: POP3< UIDL
fetchmail: POP3< IMPLEMENTATION Courier Mail Server
fetchmail: POP3< .
fetchmail: POP3> STLS
fetchmail: POP3< +OK Begin SSL/TLS negotiation now.
fetchmail: Issuer Organization: Courier Mail Server
fetchmail: Issuer CommonName: localhost
fetchmail: Server CommonName: localhost
fetchmail: Server CommonName mismatch: localhost != pop.hartford-hwp.com
fetchmail: pop.hartford-hwp.com key fingerprint: 27:33:38:C0:92:FF:CE:37:E2:BC:70:7C:25:24:E5:03
fetchmail: Server certificate verification error: self signed certificate
14813:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: pop.hartford-hwp.com: upgrade to TLS failed.
fetchmail: Unknown login or authentication error on bro...@hartford-hwp.co
m...@mymail.myregisteredsite.com
fetchmail: socket error while fetching from bro...@hartford-hwp.com@pop.hartford-hwp.com
fetchmail: 6.3.6 querying pop.hartford-hwp.com (protocol POP3) at Thu 31 Jan 2008 02:15:34 PM EST: poll completed
fetchmail: normal termination, status 2
It seems as if I've enabled certificate verification so that the error
can no longer be ignored.
--
Haines Brown, KB1GRM
Server CommonName mismatch: localhost != pop.hartford-hwp.com
Server certificate verification error: self signed certificate
I'd appreciate some help here. Does the first statement mean that the
server expected pop.hartford-hwp.com and was not getting it from my
machine or that my machine identifies itself as pop.hartford-hwp.com and
that is not what the server expects? In ~/.fetchmailrc I have:
poll pop.hartford-hwp.com
proto POP3
If I try the original account name assigned to me by my mail service
(pop.registeredsite.com), it does not authenticate. I believe the error
message may have shown up at about the time the mail service asked me to
change the mail account name to pop.hartford-hwp.com.
I assigned my machine the name:
$ hostname
teufel
As for the error message on the second line, I get the impression that
this is because I am not running TLS. I tried to retrieve my certificate
from the server, but it was empty, and so I presume no certificate
exists. So when I use the command in ~/.fetchmailrc:
sslcertck sslcertpath $HOME/.certs
I naturally can't get authenticated on the server. I understand that to
get TLS support, one has to compile fetchmail from source. Is that so?
Can I simply ignore the warning message?
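
A guarded version of the certificate-saving steps from the earlier message, as an added example that is not part of the original posts: it uses the POP3 host and port 110 with STLS shown in the `fetchmail -cvv` log, and refuses to leave an empty `.pem` file. The function names and the `pop.pem` file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original posts). Host and port come from the
# fetchmail -cvv log above; function and file names are hypothetical.

# Print only the PEM certificate blocks found on stdin.
extract_pem() {
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# save_pem FILE: write the certificates read on stdin to FILE, but only if at
# least one complete block was found. Returns 1 and writes nothing otherwise,
# so a failed connection cannot leave an empty .pem behind.
save_pem() {
    out=$1
    tmp=$(mktemp) || return 1
    extract_pem > "$tmp"
    if grep -q -e '-END CERTIFICATE-' "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "no certificate received; $out not written" >&2
        return 1
    fi
}

# fetch_pop3_cert HOST FILE: the server in the log offers STLS on port 110,
# so s_client is told to issue STLS before starting the TLS handshake.
fetch_pop3_cert() {
    openssl s_client -connect "$1:110" -starttls pop3 -showcerts \
        </dev/null 2>/dev/null | save_pem "$2"
}

# Typical use (needs network access, so it is not run here):
#   mkdir -p ~/.certs
#   fetch_pop3_cert pop.hartford-hwp.com ~/.certs/pop.pem && c_rehash ~/.certs
```

The fingerprint of the saved certificate can be compared with the one fetchmail prints in the log before the file is trusted. The certificate in the log names `localhost`, not `pop.hartford-hwp.com`, and saving it does not change that.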