A/I Fetchmail Configuration Howto with SSL Support
Updated: 2010-06-19
Keywords: fetchmail, SSL, Autistici, Inventati
Description: how to configure fetchmail with SSL support for A/I mailboxes
Language: en (English)
Compatibility: fetchmail (SSL enabled) 6.3.17
Please note: This howto was written in 2010 and is out of date, especially as regards the part on SSL certificates: we now use Let's Encrypt certificates and don't use our own CA any longer. If you want to help us update this howto, we'll appreciate the help :)
This mini Howto will teach you how to configure fetchmail to download A/I mail from our servers using SSL to ensure your privacy, and how to verify that no one is snooping on you while you download your mail from our servers.
The fetchmail configuration file is ~/.fetchmailrc: edit or create the file and add the following lines:
# start A/I configuration
poll "mail.autistici.org" proto imap
    user "firstname.lastname@example.org"
    pass "password"
    ssl
    sslfingerprint "F5:E5:EC:FB:3F:8F:FE:D3:B0:AF:35:E7:2E:E6:7D:8F"
    sslcertck
    sslcertpath "/etc/ssl/certs/"
    folder INBOX
    folder Spam
    nokeep
# end A/I configuration
WARNING: the SSL fingerprint written above might change in the future. To find the right one, install and verify our SSL CA certificate and then run the following command:
$ openssl s_client -connect mail.autistici.org:995
In the configuration, replace the address on the user line with your full e-mail address and the value of pass with your password.
The sslfingerprint could change over the years. Check it on the A/I Certification Authority page, in the mail.autistici.org section, where it says MD5 fingerprint.
Note that you can omit the "password" line and type the password in every time you connect to the server via fetchmail. This protects your password from someone gaining undue access to your PC and reading your configuration file.
The ssl option ensures that the connection between you and the server goes through an encrypted channel, while the sslfingerprint option is needed to confirm that you are actually connecting to our servers and not to someone else posing as our servers: it's a sort of verification of our servers' identity.
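The fingerprint check described above, as an added example (not part of the original howto or A/I's own tooling): this Python sketch reads the sslfingerprint pinned in a fetchmailrc and compares it with the MD5 fingerprint of the certificate a server presents. The sample configuration and certificate bytes are constructed, the function names are hypothetical helpers, and the parser is simplified to poll/skip entries.

```python
import hashlib
import shlex
import ssl

# Constructed sample: the poll entry from this howto with placeholder credentials.
SAMPLE_RC = '''
# start A/I configuration
poll "mail.autistici.org" proto imap
    user "user@example.org" pass "password"
    ssl sslfingerprint "F5:E5:EC:FB:3F:8F:FE:D3:B0:AF:35:E7:2E:E6:7D:8F"
    sslcertck sslcertpath "/etc/ssl/certs/"
    folder INBOX folder Spam nokeep
# end A/I configuration
'''
# Constructed stand-in for the DER bytes of a server certificate (not a real one).
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"


def md5_fingerprint(der):
    """MD5 of the DER certificate as colon-separated upper-case hex pairs."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pinned_fingerprints(rc_text):
    """Return {host: sslfingerprint or None} for every poll/skip entry."""
    tokens = shlex.split(rc_text, comments=True)  # drops '#' comments, unquotes
    pins, host = {}, None
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("poll", "skip"):
            host = tokens[i + 1]
            pins[host] = None
        elif tok == "sslfingerprint" and host is not None:
            pins[host] = tokens[i + 1].upper()
    return pins


def check_pin(rc_text, host, der):
    """Compare the pinned value for host with the certificate actually seen."""
    pinned = pinned_fingerprints(rc_text).get(host)
    if pinned is None:
        return "unpinned"
    return "match" if pinned == md5_fingerprint(der) else "mismatch"


def fetch_der(host, port):
    """Fetch the server's certificate over the network (unverified) as DER."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
```

fetch_der does no chain validation, so a fingerprint derived from its output is only worth pinning after you have compared it with the value A/I publishes over a channel you trust.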
The folder option specifies which mail folders you want to download (INBOX and Spam are usually more than enough), while nokeep means you do not want to keep a copy of your messages on the server. For more information you can read the fetchmail manual (using the command line 'man 1 fetchmail').
How can fetchmail check the certificate presented by the server you are contacting against the A/I SSL certificate (apart from the sslfingerprint option)? The answer is in the sslcertck and sslcertpath options.
The A/I certificate can be downloaded from the A/I Certification Authority website, but you need to be sure that the connection you are using is "safe". Download the PEM version of the certificate and save it in the /etc/ssl/certs directory.
Now with root privileges execute c_rehash to ensure that the certificate can be used by OpenSSL.
Now you are ready: launch fetchmail and enjoy your messages.