|
 |
| Sat, Jul 26th | home | browse | articles | contact | chat | submit | faq | newsletter | about | stats | scoop | 07:19 UTC |
|
|
login « register « recover password « |
|
| [Article] | add comment | [Article] |
|
|
|
If you have a Gmail account and would like to use it in conjunction with your personal computers, this tutorial will walk you through configuring and installing the latest version of Postfix with SASL authentication and TLS encryption necessary for connecting and relaying mail to smtp.gmail.com and configuring fetchmail with STARTTLS to fetch messages from your Gmail account to your local system. It will also discuss how to forward mail to other computers and how to automatically backup copies of email messages. Copyright notice: All reader-contributed material on freshmeat.net is the property and responsibility of its author; for reprint rights, please contact the author directly. Quick BackgroundPostfix is a mail server,or MTA (Mail Transfer Agent). It accepts messages and delivers them. fetchmail is a remote mail retrieval system, providing home users like you, who don't have corporate accounts, the ability to pull mail from an ISP, or in this case Gmail, to your local Linux box. All the examples below have been made with the fake domain name "squeezel", which is my four-year-old's word for the concatenation of "squeeze" and "wheezel". Safety First: Configure fetchmail with STARTTLSIt is very important to set up fetchmail with some type of encryption. Otherwise, your Gmail password will be broadcast over the Internet every time the fetchmail daemon tries to pick up mail, which could be every 90 seconds. In addition, this tutorial will walk you through building and configuring the latest version of Postfix with TLS and SASL support. Getting the Postfix Source: Latest Version, More Toys1. Downloading the Postfix SourceGet the latest version of Postfix. As of this writing, the latest version is 2.2.3, which was released on May 3, 2005. You can find out what version you have with the following command:
$ postconf mail_version mail_version = 2.2.3 From the Postfix homepage, download the latest version. NcFTP is a popular alternative to ftp. If you don't have it, ftp or wget will do. This example is done with postfix-2.2.3. Again, check for updates.
$ ncftpget ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.2.3.tar.gz
$ ncftpget ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.2.3.tar.gz.sig
$ ncftpget ftp://mirrors.loonybin.net/pub/postfix/wietse.pgp
Next, import the PGP key.
$ gpg --import wietse.pgp
gpg: key C12BCD99: public key "Wietse Venema <wietse@porcupine.org>" imported
gpg: key D5327CB9: public key "wietse venema <wietse@porcupine.org>" imported
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 2)
Verify that the source is valid:
$ gpg --verify postfix-2.2.3.tar.gz.sig postfix-2.2.3.tar.gz
Extract the files:
$ tar -xzf postfix-2.2.3.tar.gz
2. Compiling Postfix with TLS and SASL supportSince you're connecting to Google's Gmail, you'll need to compile Postfix with TLS (for encryption) and SASL (for authentication). 2.1 First Upgrade OpenSSL and SASLSpecial note: Some older versions of Red Hat 8 and 9 may not have an updated version of openssl. Check to see what version you have with the following command:
$ openssl version
OpenSSL 0.9.7g 11 Apr 2005
If you need to upgrade openssl, find out where the current "openssl"
directory is located. The default settings for openssl put it in
$ ./config --prefix=/usr --openssldir=/usr/share/ssl
$ make
$ make test
$ make install
2.2 Upgrading Cyrus SASL
You may have authentication problems without the latest upgrade. I had
the following error in my
Authentication failed: cannot SASL authenticate to server smtp.gmail.com[64.233.163.109]: no mechanism available
You can get the latest cyrus-sasl package from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/. Make sure you search for the latest package. As of this writing, the following is the latest:
$ ncftpget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.20.tar.gz
Again, you will probably want to upgrade these two packages, as they provide new tools for creating certificates. Also, some older versions may cause problems when Postfix is compiled, since there is an outdated "ssh.h" file. 2.3 Add the Postfix User (postfix) and Group (postdrop)At this stage, you've upgraded openssl and sasl. If you have authentication failures, upgrade those packages. I had problems with Fedora Core 3 RPM installs, so I had to go back and upgrade. Next, you will add "postfix" as a user. Normally, you don't want this user to have a home directory ("-M") or login capability ("-s /sbin/nologin"), so these two commands can be used:
# useradd -M -s /sbin/nologin postfix
# groupadd postdrop
2.4 Make OptionsYou do not need to add "postfix" to the group "postdrop"; it lives alone. Now you are ready to run make. If you need to re-run make, you should issue the "make tidy" command to clean up the old files. Choose "Option 1" if you don't have MySQL. Postfix can work with MySQL tables, so it may be something you want to try later, after you get Gmail working.
Clean Everything if Needed
$ make tidy
Option 1: TLS and SASL2. You need at least this for Gmail.
$ make makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH -I/usr/include/sasl" \
AUXLIBS="-lssl -lcrypto -lsasl2"
Optionx 2: TLS, SASL2, and MySQL.
$ make makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH -I/usr/include/sasl -DHAS_MYSQL -I/usr/local/include/mysql" \
AUXLIBS="-lssl -lcrypto -L/usr/local/lib/mysql -lmysqlclient -lz -lm -lsasl2"
Or, if MySQL libs are in "/usr/lib/mysql", something like this:
$ make makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH -I/usr/include/sasl -DHAS_MYSQL -I/usr/include/mysql" \
AUXLIBS="-lssl -lcrypto -L/usr/lib/mysql -lmysqlclient -lz -lm -lsasl2"
$ make
$ make install
2.5 Installation QuestionsAfter the "make install", you will be asked questions on where to place files. Unless you need to do otherwise, take the defaults. This will make it easy to follow the directions later.
Warning: if you use this script to install Postfix locally,
this script will replace existing sendmail or Postfix programs.
Make backups if you want to be able to recover.
Before installing files, this script prompts you for some definitions.
Most definitions will be remembered, so you have to specify them
only once. All definitions should have a reasonable default value.
Please specify the prefix for installed file names. Specify this ONLY
if you are building ready-to-install packages for distribution to other
machines.
install_root: [/]
Please specify a directory for scratch files while installing Postfix. You
must have write permission in this directory.
tempdir: [/home/src/postfix/postfix-2.2.2]
Please specify the final destination directory for installed Postfix
configuration files.
config_directory: [/etc/postfix]
... [SNIP] ...
pages. You can no longer specify "no" here.
manpage_directory: [/usr/local/man]
Please specify the destination directory for the Postfix README
files. Specify "no" if you do not want to install these files.
readme_directory: [no]
2.6 What Libraries are Linked?Once you are done, as a check to see if ssl has been compiled into postfix, you can ldd the postfix binary as follows, which will show linked libraries.
$ ldd /usr/sbin/postfix
libssl.so.4 => /lib/libssl.so.4 (0x007ae000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x006bb000)
libmysqlclient.so.14 => /usr/lib/mysql/libmysqlclient.so.14 (0x00b28000)
libz.so.1 => /usr/lib/libz.so.1 (0x00bf1000)
libm.so.6 => /lib/tls/libm.so.6 (0x00afd000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x005f6000)
libpcre.so.0 => /lib/libpcre.so.0 (0x00d46000)
libdb-4.2.so => /lib/tls/i686/libdb-4.2.so (0x00201000)
libnsl.so.1 => /lib/libnsl.so.1 (0x007e4000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00d30000)
libc.so.6 => /lib/tls/libc.so.6 (0x009d1000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x006a5000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0061b000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x005f1000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00682000)
libdl.so.2 => /lib/libdl.so.2 (0x00b22000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x032cb000)
/lib/ld-linux.so.2 (0x009b7000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00c13000)
The first line with "libssl.so" shows that I have ssl installed, then,
six lines down after the command, see "libsasl2.so.2". In my version,
did I choose MySQL? The best way to tell is with the 2.7 Accessible Shared Libraries
By the way, if you get odd MySQL errors during the "make install" and
your MySQL libraries live in
$ cat /etc/ld.so.conf
...
/usr/local/lib/mysql
After adding this line, you must run the
$ ldconfig
At this stage, there are still some Postfix configuration settings. We'll get back to them, but first, it makes sense to generate the certificates. 3. Generating CertificatesAgain, before getting started, make sure you have the latest version of openssl. See the steps above if you decide to upgrade.
$ openssl version
OpenSSL 0.9.7g 11 Apr 2005
3.1 Creating Your Own CAYou can get signed certificates from Thawte and VeriSign, but you don't have to for your home system. Instead, you will become your own "Certificate Authority", and sign your own SSL certs. Below is the command to create your own CA. Hit return for the first prompt to create the CA. It will prompt you for a password, and prompt to confirm. Remember the password. Also, it's important that the "Organization Name" matches when you create the "server" certificate. I show my answers in bold, so you can see how they will match when creating and signing certificates.
$ /usr/local/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
...................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: password123
Verifying - Enter PEM pass phrase: password123
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Pennsylvania]:Pennsylvania
Locality Name (eg, city) []:Elkins Park
Organization Name (eg, company) []:Chirico_Widgets
...
If, after doing the above command, you find that you want to extend the key (say you didn't change the "default_days = 3650", or you did and want to change it back), you can issue the following commands:
$ openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey demoCA/private/cakey.pem
$ cp cacert.pem demoCA
Or you could hard code values in 3.2 Generate the Server CertificateThis is the server cert request that will be signed by the CA Authority. Note that the "-nodes" option is used so that the certificate will not require a passphrase each time the secure daemon is started. I have also added my fake domain name "squeezel.squeezel.com".
$ openssl req -new -nodes \
-subj '/CN=squeezel.squeezel.com/O=Chirico_Widgets/C=US/ST=Pennsylvania/L=Elkins Park' \
-keyout FOO-key.pem -out FOO-req.pem -days 3650
Note above that "/0=Chirico_Widgets" must match the name given in the the original CA. For example, "/0=Widgets co." will not work. It must be exact. 3.3 Sign the Server CertificateThe following step will sign the certificate.
$ openssl ca -out FOO-cert.pem -infiles FOO-req.pem
3.4 Copy Signed Certificates to /etc/postfix/certsThe next step copies all the required certificates to where Postfix can find them. In addition, the correct rights are enforced on each file.
$ cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix $ chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem $ chmod 400 /etc/postfix/FOO-key.pem 4. Configuring Postfix
The files Postfix configuration is particular to the hostname of your computer. You can have a fake hostname, like "squeezel.squeezel.com". Pick a name and set it up as follows. (You can actually use "squeezel.squeezel.com" if you want, since it's not a real domain name, though you might want to use something more descriptive. The point is that it doesn't have to be registered to you, but does have to be unique.) 4.1 Configure the Hostname
The computer that these examples are taken from is
"squeezel.squeezel.com", and it exists on IP address 192.168.1.81. The
short name is just squeezel. Another computer, on IP address
"192.168.1.155" is "tape.squeezel.com". here's
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.1.81 squeezel.squeezel.com squeezel
192.168.1.155 tape.squeezel.com tape
You may also want to edit
HOSTNAME=squeezel.squeezel.com
Finally, to put all changes into effect, run the following command with root privileges:
$ hostname squeezel.squeezel.com Some of the settings in the Postfix main.cf file depend upon the hostname. 4.2 main.cf
The following settings can be added to the end of the
## Add these lines to the bottom on main.cf
##
##
## TLS Settings
#
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
## SASL Settings
# This is going into THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd
## Gmail Relay
relayhost = [smtp.gmail.com]
## Good for Testing
# sender_bcc_maps = hash:/etc/postfix/bcc_table
# Disable DNS Lookups
disable_dns_lookups = yes
#
# Great New feature Address Mapping
# for example may mchirico@localhost to mchirico@gmail.com
smtp_generic_maps = hash:/etc/postfix/generic
#
#
transport_maps = hash:/etc/postfix/transport
The TLS settings are pretty standard, and the above code is taken from the documentation, which is worth a read. The "*.pem" files appear to be listed twice, but notice the difference between "smtp" and "smtpd". One is for client connectivity and the other is for connecting to this server. 4.3 sasl_passwd
In the above Below is a sample sasl_passwd file. This will log into smtp.gmail.com with username mchirico, using the password pa33w0r8.
# Contents of sasl_passwd
#
[smtp.gmail.com] mchirico@gmail.com:pa33w0r8
This file must be converted to hash format with the following commands:
$ cd /etc/postfix
$ postmap sasl_passwd
The After you've executed the above command, run this simple "hash" key test:
$ postmap -q [smtp.gmail.com] sasl_passwd
mchirico@gmail.com:pa33w0r8
4.4 generic
The file
chirico@squeezel.squeezel.com mchirico@gmail.com
4.5 transport
# Contents of /etc/postfix/transport
#
# This sends mail to Gmail
gmail.com smtp:[smtp.gmail.com]
#
# Except mail going to the tape and closet servers
tape.squeezel.com relay:[tape.squeezel.com]
closet.squeezel.com relay:[closet.squeezel.com]
The transport file sends all email to Gmail or "smtp.gmail.com", except
for internal mail on my network, which is relayed to the appropriate
servers. Sending email to "root@tape" does not send it out to the
Google account. Note that the return address is
"chirico@squeezel.squeezel.com" because of the following entry in
4.6 master.cf
This file must by owned by root. Whenever changes are made to this file,
Postfix should be reloaded with
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_generic_maps=
Note the empty That's it for the server certificate. Postfix will still have to be configured to connect to your ISP. 4.7 Utilizing "postconf -n"
To see if all the changes went into effect, here is the output of the
[root@squeezel ~]# postconf -n
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_dns_lookups = yes
html_directory = no
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relayhost = [smtp.gmail.com]
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $myhostname
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
4.8 Common Postfix Commands
$ /etc/init.d/postfix restart # restarts postfix needed for inet_interfaces changes
$ postfix reload # reloads most changes in main.cf
$ postfix check # checks postfix configuration
$ postconf -n # dumps setting that went into effect
$ postconf -m # shows the map types: mysql, hash, regexp ...
$ postmap <filename> # creates a map file for transports, sender_canonical etc.
$ postqueue -p # checks the queue
$ postsuper -d ALL # deletes all messages in the queue
$ postsuper -d AC8231EDA2D # deletes message AC8231EDA2D
$ postconf mail_version # this tells you what version of Postfix you are using
4.9 MySQL
Instead of using the hash type, you can leverage MySQL. Below is a
sample
# The entry in main.cf is
# smtp_generic_maps = mysql:/etc/postfix/generic_mysql
#
# This is the MySQL table definition
# create table smtpg_maps (
# pkey int NOT NULL auto_increment,
# address varchar(50),
# smtp_address varchar(50),
# timeEnter timestamp(14),
# PRIMARY KEY (pkey));
#
# insert into smtpg_maps (address,smtp_address) values ('chirico@squeezel.squeezel.com','mchirico@gmail.com');
# insert into smtpg_maps (address,smtp_address) values ('lpayne@squeezel.squeezel.com','payne.lisa@gmail.com');
# insert into smtpg_maps (address,smtp_address) values ('root@squeezel.squeezel.com','mike.chirico@gmail.com');
#
# Test this with
# $ postmap -q "root@squeezel.squeezel.com" mysql:/etc/postfix/generic_mysql
#
hosts = localhost
user = mysqlmail
password = S0m3paSSw0r9
dbname = mail
query = SELECT smtp_address FROM smtpg_maps WHERE address = '%s'
4.10 Additional ItemsIf you are using Fedora Core, which defaults to sendmail, you may need to make a few configuration changes. For example, you may be picking up the incorrect version of sendmail.
$ alternatives --config mta
There are 2 programs which provide 'mta'.
Selection Command
-----------------------------------------------
*+ 1 /usr/sbin/sendmail.sendmail
2 /usr/sbin/sendmail.postfix
Enter to keep the current selection[+], or type selection number:
You will want to select 2. If you then do an "ls" on sendmail, you will see the following results:
$ ls -l /usr/sbin/sendmail
lrwxrwxrwx 1 root root 21 Jan 13 20:53 /usr/sbin/sendmail -> /etc/alternatives/mta
$ ls -l /etc/alternatives/mta
lrwxrwxrwx 1 root root 26 Apr 28 10:34 /etc/alternatives/mta -> /usr/sbin/sendmail.postfix
Now try sending mail. The "correct" sendmail will build a report that you can view with mutt or your email package. Below is an example test.
$ sendmail -bv zmchirico@yahoo.com
4.10.1 Backups with bccAny mail sent from "gmchirico@squeezel.squeezel.com" can be blind copied to another server. In this case, the server is "chirico@tape".
In /etc/postfix/main.cf:
sender_bcc_maps = hash:/etc/postfix/bcc_table
Remember to
In /etc/postfix/bcc_table:
gmchirico@squeezel.squeezel.com chirico@tape
If you want to get copies of everything coming in and going out, use the
In /etc/postfix/main.cf:
always_bcc = allmail
It's not a completely blind copy, since it will show up when users
on the system do a FetchmailFetchmail pulls messages from Google's Gmail, since for a home user with a fake domain and changing IP address, their email server will not forward the mail. 5. Safety First: Configure fetchmail with STARTTLSAgain, it is very important to set up fetchmail with some type of encryption. STARTTLS encryption works well, since you have already installed the necessary openssl files. You just need to pick up the necessary keys and put them in the proper format. 5.1 Google Gmail Certificates
$ openssl s_client -connect smtp.gmail.com:995 -showcerts
The command above will return the certificate from Google's Gmail as follows:
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
-----BEGIN CERTIFICATE-----
MIIDRDCCAq2gAwIBAgIDILn5MA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wNDEy
MTMxOTQ2MjRaFw0wNTEyMTMxOTQ2MjRaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpH
b29nbGUgSW5jMRYwFAYDVQQDEw1wb3AuZ21haWwuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDF6HmquCQW7cS7pI1KIrklmLCEOqj6+kC+PoJx9F2TMZqs
hYVHM85ZJypj2Uv1q6zOjd/34DAkKmYZK9mVbY6I+PsMl0Azyn910sdQ9k9yN2tc
nCQBpKE38IN97tISL3xbqRsdLTsw94B3PS9A735MX7EGXG1tX/6GnUqTiQqJIwID
AQABo4GfMIGcMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjA5BgNVHR8E
MjAwMC6gLKAqhihodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlU2VydmVyQ0Eu
Y3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhh
d3RlLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAD4f2AcBn4WD
eF07St93dsdbqGYdlMrCquN6yd6WvYoNRosX0N4nMtKTJN6CNAgs2lvfL1qSChYf
NX4LosLm3OzM9KGSMVAiG7lsu9sQULX+GH8h7HLBlOOKWhnOyf3TNL5kZeGj9NL8
L83QaTlPJVKkwLgKVGM8Yk349y32Nr9D
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
---
No client certificate CA names sent
---
SSL handshake has read 994 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 99413B0588D17E638E5F2992DEE68393F1B4FF477A0B4318B8B2651E85C63D77
Session-ID-ctx:
Master-Key: 97BD90B0EF9F3C77013CF8F42077838C518A30EBAD18BDD9E6B8500E8221BC0B82DD2CC4F9DFC84814960E1EF609EB1C
Key-Arg : None
Start Time: 1117819950
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK Gpop g2pf1372524wra ready.
5.2 Extract the CertificateNext, you need to copy the certificate part, which is everything between "BEGIN CERTIFICATE" and "END CERTIFICATE", and save this to a file.
-----BEGIN CERTIFICATE-----
...
d3RlLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAD4f2AcBn4WD
eF07St93dsdbqGYdlMrCquN6yd6WvYoNRosX0N4nMtKTJN6CNAgs2lvfL1qSChYf
NX4LosLm3OzM9KGSMVAiG7lsu9sQULX+GH8h7HLBlOOKWhnOyf3TNL5kZeGj9NL8
L83QaTlPJVKkwLgKVGM8Yk349y32Nr9D
-----END CERTIFICATE-----
Notice that the CA for this certificate is thawte.com, which means you
need that certificate as well. This is a very common certificate. You
can copy and paste it from 5.3 Certificate of the CA - Thawte
Thawte Server CA ================ MD5 Fingerprint: C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D PEM Data: -----BEGIN CERTIFICATE----- MIIDEzCCAnygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTYwODAx MDAwMDAwWhcNMjAxMjMxMjM1OTU5WjCBxDELMAkGA1UEBhMCWkExFTATBgNVBAgT DFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3 dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNl cyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEmMCQGCSqGSIb3 DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD gY0AMIGJAoGBANOkUG7I/1Zr5s9dtuoMaHVHoqrC2oQl/Kj0R1HahbUgdJSGHg91 yekIYfUGbTBuFRkC6VLAYttNmZ7iagxEOM3+vuNkCXDF/rFrKbYvScg71CcEJRCX L+eQbcAoQpnXTEPew/UhbVSfXcNY4cDk2VuwuNy0e982OsK1ZiIS1ocNAgMBAAGj EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAB/pMaVz7lcxG 7oWDTSEwjsrZqG9JGubaUeNgcGyEYRGhGshIPllDfU+VPaGLtwtimHp1it2ITk6e QNuozDJ0uW8NxuOzRAvZim+aKZuZGCg70eNAKJpaPNW15yAbi8qkq43pUdniTCxZ qdq5snUb9kLy78fyGPmJvKP/iiMucEc= -----END CERTIFICATE----- To recap, you should have the two certificates saved to separate files. In my case, I've labeled them googlepop.pem and thawte.pem 5.4 Rehash or Creating Symlinks
Once you have created these files, you will need to run the
[chirico@squeezel certs]$ c_rehash .certs
Doing .certs
googlepop.pem => 34ceaf75.0
thawte.pem => ddc328ff.0
5.5 Checking the Certificate
It's possible to check the certificates as with the
$ openssl s_client -connect pop.gmail.com:995 -CApath /home/chirico/certs/.certs/
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
... [SNIP] ...
---
+OK Gpop ready.
5.6 The Fetchmail .fetchmailrc
Note that the fetchmail option Below is a sample ".fetchmailrc" file, the file that should be stored in your home directory.
#
#
# Sample /home/chirico/.fetchmailrc file for Gmail
#
# Check mail every 90 seconds
set daemon 90
set syslog
set postmaster chirico
#set bouncemail
#
# The Gmail username is mchirico, but on this computer, it is chirico.
# To keep mail on the server, put "keep" at the end.
# user 'mchirico@gmail.com' with pass "pa33w0r8" is 'chirico' here options ssl sslcertck sslcertpath '/home/chirico/certs/.certs' keep
#
poll pop.gmail.com with proto POP3 and options no dns
user 'mchirico@gmail.com' with pass "pa33w0r8" is 'chirico' here options ssl sslcertck sslcertpath '/home/chirico/certs/.certs'
smtphost localhost
# You would use this to by-pass Postfix
# mda '/usr/bin/procmail -d %T'
5.7 Fetchmail CommandsHere are some of the more common fetchmail commands:
$ fetchmail -q # quits the fetchmail daemon
$ fetchmail -v # start the fetchmail daemon in verbose mode
$ fetchmail -c # checks for email only
$ fetchmail -S localhost # delivers mail to your Postfix server
Normally, you want to start fetchmail with the "-v" option and take a
look at the ConclusionYour home computer should now be all set to send and receive mail through Google. Happy Gmailing! Author's bio: Mike Chirico, a father of triplets (all girls), lives outside of Philadelphia, PA, USA. He has worked with Linux since 1996, has a Masters in Computer Science and Mathematics from Villanova University, and has worked in computer-related jobs from Wall Street to the University of Pennsylvania. His hero is Paul Erdos, a brilliant number theorist who was known for his open collaboration with others. T-Shirts and Fame! We're eager to find people interested in writing articles on software-related topics. We're flexible on length, style, and topic, so long as you know what you're talking about and back up your opinions with facts. Anyone who writes an article gets a t-shirt from ThinkGeek in addition to 15 minutes of fame. If you think you'd like to try your hand at it, let jeff.covey@freshmeat.net know what you'd like to write about. [Comments are disabled]
[»]
GMail rocks because of the interface Cool but... isn't the greatest thing about GMail the interface? It's
simple, clean, and not geeky.
[»]
starttls? Correct if I'm wrong (and I'd _love_ to be corrected), but AFAIK fetchmail
does not actually use the STARTTLS mechanism to initiate a SSL/TLS
connection. Instead it uses the old "protocol" called alternate
port, which simply amounts to the assumption that a POP3 server is SSL
encrypted when running on port 995, and the analogous convention for
IMAP.
[»]
Things have changed... The cert for pop.gmail.com has changed, as has the signing authority:
Equifax Secure Certificate Authority instead of Thawte.
[»]
Re: Things have changed...
--
[»]
Re: Things have changed... An update on this article can be found at http://souptonuts.sourceforge.net/postfix_tutorial.html
[»]
pop3 ssl? > It is very important to set up fetchmail with some type of encryption.
Otherwise, your Gmail password will be broadcast over the Internet
[»]
Re: pop3 ssl?
This sets up an encrypted connection to "some" server. There is no verification that this server is really pop.gmail.com. For example it is possible, and has happened in the past, that upsteam DNS(s) could be poisoned. Reference Sans DNS poisoning. Remember, DNS maps the name to an IP address. If it's not the correct IP address, you could potentially establish an encrypted connected to someone who is not really pop.gmail.com, and give them your password. Using fetchmail with the sslcertck option validates the certificate first, making sure you really are talking to gmail, before sending your password.
[»]
Re: pop3 ssl? Thanks, Mike.
[»]
Re: pop3 ssl?
[»]
Thank you I use mutt + gmail at home with nbsmtp + fetchmail + procmail because that
seemed to be the easiest way to configure. What are the advantages of
using postfix compared with my setup?
[»]
Re: Thank you
--
[»]
Re: Thank you
[»]
Re: Thank you
|
|
