[fetchmail] Re: [fetchmail-users] SSL authentication problems with Gmail

Matthias Andree matthias.andree@gmx.de
Thu, 05 Jan 2006 00:58:19 +0100


Sebastian Tennant <sebyte@smolny.plus.com> writes:

> Doh!  Just when you think you've wrapped something up...
>
> I didn't attach the init script did I?  I attached my fetchmailrc,
> including my password!
>
> I've changed the password, and there were no other account details
> included, so no harm done... luckily!
>
> Take two.  Init script attached.

OK, that, and the relevant syslog excerpt, allow me to write a concluding
report: Sebastian's problems are completely solved.

1. grabbing the certificate from the server dialogue failed; although
   c_rehash had worked properly, it was the wrong certificate
   apparently. ("unable to get local issuer certificate")

   There are certainly people with a deeper understanding of the SSL
   certification process that can explain this better than I can.

2. Debian's ca-certificates package has the Thawte root certificate in
   the default place; this proved sufficient to verify Google's
   certificate (which is signed by Thawte) in fetchmail 6.3.1 even with
   --sslcertck (which I recommend to use, as it's safer).

   NOTE: older fetchmail versions fail to set the SSL default
   certificate path; you must set "--sslcertpath /etc/ssl/certs"
   manually (or whichever the path is; you can also specify this in the
   fetchmailrc file).

3. Debian's init script diverts logging to syslog by default, and the
   reporter's syslog.conf split error messages out to a separate file,
   where they went unnoticed.
   
   I therefore take the right to advise against using the "=" and "!"
   operators in syslog.conf. "mail.info" is the correct left-hand-side
   to use in syslog.conf for fetchmail 6.2.5.X and 6.3.X.

4. Debian's init script supports an operation "debug-run", which avoids
   syslog, and logs everything on the console in verbose mode. This
   appears to be a simple way to procure all necessary debug information
   on Debian systems.

Happy fetchmailing,

-- 
Matthias Andree
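
The failure in point 1 can be reproduced offline with the openssl command line. This is an added example, not part of the original message or of fetchmail. It assumes the certificate grabbed from the server dialogue was the server's own certificate rather than its issuer, and the CA, host name and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: every key and certificate is a throwaway generated locally.
# "Demo Root CA" and "pop.example.test" are constructed names.

# Create a root CA and a server certificate signed by it, inside directory $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/srv.csr" -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/srv.pem" 2>/dev/null
}

# What c_rehash does for one file: copy certificate $1 into directory $2
# and link it under <subject-hash>.0 so a -CApath lookup can find it.
hash_link() {
    h=$(openssl x509 -noout -hash -in "$1") || return 1
    mkdir -p "$2" && cp "$1" "$2/" && ln -sf "$(basename "$1")" "$2/$h.0"
}

# Verify certificate $2 against hashed directory $1 and print the verdict.
# The text is checked instead of the exit status, which older openssl
# releases leave at 0 even when verification fails.
verify_with() {
    openssl verify -CApath "$1" "$2" 2>&1
    return 0
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    # Correctly hashed, but it is the server's own certificate:
    hash_link "$d/srv.pem" "$d/wrong" || return 1
    # The issuing root, which is what a CA bundle directory provides:
    hash_link "$d/ca.pem" "$d/right" || return 1
    echo "wrong dir: $(verify_with "$d/wrong" "$d/srv.pem" | tr '\n' ' ')"
    echo "right dir: $(verify_with "$d/right" "$d/srv.pem" | tr '\n' ' ')"
    rm -rf "$d"
}

run_demo
```

The hash link is valid in both directories; only the directory holding the issuer lets the chain terminate in a trusted root.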