How to make fetchmail happy with the server’s SSL cert

June 29, 2007

Have you tried running fetchmail against a POP3S server and gotten these messages over and over?

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

Congratulations, you are not alone. Looking around, I see a lot of people having this problem and the answers are usually not as clear as they could be. Let’s see if I can make it less clear, too.

  1. Make sure a recent OpenSSL is installed and your fetchmail is linked against it, etc, etc.
  2. Run “openssl s_client -connect -showcerts” (hit enter after the output to exit).
  3. Cut and paste the stuff between the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines (inclusive) into a file. If the server sends more than one certificate, the first one is the server’s own and the rest are its issuing chain; save each one to its own file.
  4. Review the rest of the output for the “issuer=” line (in this case, “Equifax Secure Certificate Authority”).
  5. Go here and grab the “Base-64 encoded X.509” version of the cert for “Equifax Secure Certificate Authority”.
  6. Rename that file with a “.pem” extension.
  7. Make a certs directory somewhere (e.g. /usr/local/etc/fetchmail/certs) and put both files in it.
  8. Run “c_rehash /usr/local/etc/fetchmail/certs”. OpenSSL looks certificates up in such a directory by a hash of the subject name, so it needs the HASH.0 symlinks c_rehash creates; a directory of bare .pem files will not work.
  9. Add this to your .fetchmailrc under the “poll” section for this server: “sslcertck sslcertpath /usr/local/etc/fetchmail/certs”.
  10. Run “fetchmail -v” and see if the warnings are gone!

    You will need to do this for each server that you poll with SSL (both the server and its issuer’s PEM).

    Two things worth knowing. First, without sslcertck those three lines really are only warnings: fetchmail logs that it could not verify the server certificate and then carries on with the session anyway, which is exactly what a man-in-the-middle wants. With sslcertck a verification failure aborts the poll, so the work above is what makes the check meaningful rather than cosmetic. Second, it is the issuer’s PEM that lets the chain verify; the copy of the server’s own certificate is tied to that one certificate and has to be refreshed whenever the server’s cert is renewed, whereas the issuer’s certificate outlives it.
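The cut-and-paste steps above as a script. This is an added example, not code from the original post: it splits the output of s_client into one PEM file per certificate, does by hand what c_rehash does, and then checks the result the same way sslcertck will (OpenSSL verification trusting only the sslcertpath directory). The host name pop.example.invalid, port 995 and the directory paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post.  Automates the cut-and-paste
# steps: split "openssl s_client -showcerts" output into one PEM file per
# certificate, do what c_rehash does, and check the chain the way fetchmail's
# sslcertck does (OpenSSL, trusting only the sslcertpath directory).
# Host names, ports and directory paths are placeholders.

# split_chain DIR: read s_client output on stdin, write DIR/cert1.pem,
# DIR/cert2.pem, ... (cert1 is the server's own certificate, the rest is
# whatever chain the server sent) and print how many were found.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%d.pem", dir, n); on = 1 }
        on { print > f }
        /^-----END CERTIFICATE-----/ { on = 0; close(f) }
        END { print n + 0 }
    '
}

# issuer_of FILE: the CA that signed FILE, i.e. what the "issuer=" line of
# s_client shows for cert1.  If that CA's own PEM is not among the files
# split_chain wrote, it is the one you still have to fetch from the CA.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# rehash_dir DIR: what c_rehash does.  OpenSSL finds certificates in a
# CApath directory by subject-name hash, so every *.pem needs a HASH.N link.
rehash_dir() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -in "$pem" -noout -hash)
        i=0
        while [ -e "$1/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$pem")" "$1/$h.$i"
    done
}

# verify_leaf DIR FILE: succeed only if FILE chains up to a self-signed root
# inside DIR.  -no-CAfile/-no-CApath keep the system CA store out of it,
# because fetchmail with sslcertpath consults only that one directory.
verify_leaf() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# install_chain HOST:PORT DIR: the whole procedure against a live server,
# e.g.  install_chain pop.example.invalid:995 /usr/local/etc/fetchmail/certs
# (needs network access, so it is not exercised offline).
install_chain() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null | split_chain "$2"
    rehash_dir "$2"
    if verify_leaf "$2" "$2/cert1.pem"; then
        echo "chain verifies; add to .fetchmailrc: sslcertck sslcertpath $2"
    else
        echo "still missing the issuer's PEM for: $(issuer_of "$2/cert1.pem")"
    fi
}
```

If verify_leaf fails with only the server’s certificate in the directory, that is the “unable to get local issuer certificate” case from the top of the post: the server’s own PEM is not a trust anchor, the issuer’s is.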

SPF – Not just for sunscreen anymore!

June 29, 2007

Unless you are a spam generator (in which case, please go jump into a wood chipper), you want to do everything you can to help stop the spam onslaught.

One thing all domain owners can do is set up an SPF record in their DNS zone.
For all sorts of information, check out this link. They have a nice wizard for helping you create your SPF record, too. At first it seems complicated, but trust me, it’s not.
A simple example is just:
IN TXT "v=spf1 mx ~all"
Which just means, “Accept mail from my domain from any of my MX servers (as listed in my DNS zone).” The “~all” at the end is a softfail: mail from anywhere else is marked suspicious rather than rejected outright (“-all” would be a hard fail).

If you have someone else process your inbound mail (say an anti-spam/anti-virus filtering service like we provide), but it ends up on your own mail server, and you send your own mail directly, you might have something like:

IN TXT "v=spf1 mx ~all"
Which means, “Accept mail from my domain from any of my MX servers as well as the server named after a:.” The “a:” mechanism tells the receiving side to look up the A record for that host and, if the IP of the connecting sender matches, all is good!

If you send mail to a Gmail user, Google really appreciates your use of an SPF record and even puts a nice line in the headers of the received email:

Received-SPF: pass ( domain of designates as permitted sender)
This was sent by a customer directly from their Exchange server, which we listed as an “a:” entry in their DNS zone.

So, that’s the sender’s side; how about being on the receiving side …
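What the receiving side actually does with those records, as an added example (not code from the original post, nor from any MTA plugin): it walks the mechanisms of “v=spf1 mx a:HOST ~all” left to right against the connecting IP and stops at the first match. It goes a little beyond the post by also handling “ip4:” and “-all”, which most real records use. DNS is replaced by a constructed zone table so the script runs offline; the domains, host names and addresses in it are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal receiving-side SPF
# check for the record shapes in the post ("v=spf1 mx ~all" and
# "v=spf1 mx a:HOST ~all") plus ip4: and -all.  DNS is replaced by a
# constructed table so it runs offline; a real MTA plugin issues one query
# per lookup.  All names and addresses below are made up.

# Constructed zone data, one record per line: TYPE NAME VALUE
# (MX priorities are omitted; they do not matter for SPF.)
DNS_TABLE='
TXT example.com v=spf1 mx a:exch.example.com ~all
MX  example.com mx1.example.com
MX  example.com mx2.example.com
A   mx1.example.com 192.0.2.10
A   mx2.example.com 192.0.2.11
A   exch.example.com 198.51.100.5
TXT strict.example v=spf1 ip4:203.0.113.0/24 -all
'

# dns TYPE NAME: print the VALUE of every matching record, one per line.
dns() {
    printf '%s\n' "$DNS_TABLE" | awk -v t="$1" -v n="$2" \
        '$1 == t && $2 == n { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# ip_to_int A.B.C.D: dotted quad as a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/BITS: true if IP lies inside the prefix (bare NET = /32).
ip_in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# spf_check DOMAIN CLIENT_IP: print pass, fail, softfail, neutral or none.
# Mechanisms are tried left to right and the first match decides, with the
# qualifier in front of it (+ - ~ ?) giving the result, as RFC 4408 says.
spf_check() {
    domain=$1; ip=$2
    record=$(dns TXT "$domain" | grep '^v=spf1 ' || true)
    [ -n "$record" ] || { echo none; return; }
    for term in ${record#"v=spf1 "}; do
        case $term in                       # optional qualifier prefix
            [+~?-]*) q=${term%"${term#?}"}; term=${term#?} ;;
            *)       q=+ ;;
        esac
        mech=${term%%:*}; arg=${term#*:}
        [ "$arg" = "$term" ] && arg=""      # no ":argument" given
        matched=1
        case $mech in
            all) matched=0 ;;
            ip4) ip_in_cidr "$ip" "$arg" && matched=0 ;;
            a)   for addr in $(dns A "${arg:-$domain}"); do
                     [ "$addr" = "$ip" ] && matched=0
                 done ;;
            mx)  for host in $(dns MX "${arg:-$domain}"); do
                     for addr in $(dns A "$host"); do
                         [ "$addr" = "$ip" ] && matched=0
                     done
                 done ;;
            *)   echo permerror; return ;;  # include:, exists:, ... not implemented here
        esac
        if [ "$matched" -eq 0 ]; then
            case $q in
                +)   echo pass ;;
                -)   echo fail ;;
                '~') echo softfail ;;
                '?') echo neutral ;;
            esac
            return
        fi
    done
    echo neutral                            # nothing matched and no "all" term
}
```

With the table above, spf_check example.com 198.51.100.5 prints pass (matched by “a:exch.example.com”), spf_check example.com 192.0.2.99 prints softfail (nothing matched before “~all”), and spf_check strict.example 203.0.114.1 prints fail because that record ends in “-all”. A real implementation must also cap the number of DNS lookups (RFC 4408 allows ten) and handle include:, redirect= and the other mechanisms left out here.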

Some MTAs already support SPF natively, and almost all other current MTAs have patches or software plugins that provide SPF support. In fact, Ubuntu’s 7.04 release (Feisty Fawn) has announced SPF support for its Postfix package. Have I mentioned yet that I like Ubuntu? 🙂 With luck, they will backport it into their LTS release … maybe.

If your MTA doesn’t already support SPF, there are a number of ways to bolt it on … I suggest just Googling around.

For Postfix on a non-7.04 Ubuntu server, check out this link. The worst part is getting all of the prerequisite Perl modules in place.

If you want to skip all of this work, but want to keep your own mail server, feel free to contact us at info at — we can do the anti-spam/anti-virus pre-filtering for you and then relay the mail to your server. We also do POP/IMAP/webmail services for offsite email storage if that’s what you would prefer.

With luck, if more and more domains, servers, and relays implement SPF, at least spam with a forged sender domain will lose ground, so put on your SPF already, will ya!?!
