Hi Mark,
I use RT with Exchange 2007 and had to use the same fingerprint resolution that you discovered.
My fetchmailrc looks similar to the following (I've changed hostnames, passwords and used the fingerprint of Google's https servers):

    set no syslog
    set logfile /var/log/fetchmail/fetchmail.log
    set daemon 90

    poll exchange.corporate.local proto IMAP port 993:
        user "rt.systems" pass "plaintextpassword"
            ssl sslcertpath /usr/local/etc/sslcerts sslproto "TLS1"
            sslfingerprint "40:50:62:E5:BE:FD:E4:AF:97:E9:38:2A:F1:6C:C8:7C:8F:B7:C4:E2"
            mda "/usr/bin/perl /usr/local/rt3/bin/rt-mailgate --queue 'Systems' --action correspond --url https://rt.corporate.local/";
        user "rt.systems-comment" pass "plaintextpassword"
            ssl sslcertpath /usr/local/etc/sslcerts sslproto "TLS1"
            sslfingerprint "40:50:62:E5:BE:FD:E4:AF:97:E9:38:2A:F1:6C:C8:7C:8F:B7:C4:E2"
            mda "/usr/bin/perl /usr/local/rt3/bin/rt-mailgate --queue 'Systems' --action comment --url https://rt.corporate.local/";

In order to populate the sslcertpath and sslfingerprint fields, you will need to place the certificates for the server, and any CA and Intermediate certs in the sslcertpath and use c_rehash from Apache or the OpenSSL source code.
The procedure I followed is almost exactly the same as described by Christoph Rummel here: http://bronski.net/data/fetchmail-eng.php
I generated the fingerprints using the command "openssl x509 -in servercert.pem -noout -fingerprint" against a copy of the certificate (the bit between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" including those two lines when you run "openssl s_client -connect exchange.corporate.local:993 -showcerts").
Hope this helps,
Jim
----- Original Message -----
From: "Mark Rogers" mark@quarella.co.uk
To: "ALUG - mailing list" main@lists.alug.org.uk
Sent: Thursday, 30 September, 2010 4:30:43 PM
Subject: [ALUG] fetchmail and MS Exchange 2010
I can't persuade fetchmail to collect mail from an Exchange server on our LAN (fetchmail and Exchange are both on the LAN).
The errors I am getting are:

    fetchmail: Server CommonName mismatch: myoffice.mydomain.co.uk != 192.168.11.10
    fetchmail: Server certificate verification error: unable to get local issuer certificate
    fetchmail: Server certificate verification error: certificate not trusted
    fetchmail: Server certificate verification error: unable to verify the first certificate
    fetchmail: Error exchanging credentials
    fetchmail: Authorisation failure on user@192.168.11.10
    fetchmail: Query status=3 (AUTHFAIL)

myoffice.mydomain.co.uk resolves to the office's external IP address, although I think (from Googling) that the first line is a warning not the reason for the failure.
My fetchmailrc is fairly simple:

    set daemon 60
    set invisible
    set no bouncemail
    set no syslog
    set logfile /var/log/fetchmail.log
    poll 192.168.11.10 protocol pop3 username "user" password "password"
        mda "/usr/bin/rt-mailgate --queue general --action correspond --url http://localhost/rt/"
        no keep

You'll see from the last line that I'm trying to set up Request Tracker (RT), and it needs to be able to collect mail from our office mailserver.
This guy seems to have the fix: http://berqnet.blogspot.com/2009/11/exchange-2007-fetchmail.html .. but I don't know what he means by "the fingerprint of the Exchange 2007".
[We've had nothing but problems like this since moving to Exchange, but it does a reasonable job of keeping Windows users in check so we're stuck with it.]
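
What the "fingerprint" discussed in this thread is, as an added example that is not part of either message: a digest over the DER bytes of the server certificate (the first PEM block in "openssl s_client -showcerts" output), written as colon-separated hex and compared against the pinned value. The sample input is constructed placeholder bytes rather than a real certificate, and all function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

def extract_certs(text):
    """DER bytes of every PEM certificate in the text, in order (server cert first)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]

def fingerprint(der, digest="sha1"):
    """Colon-separated uppercase hex digest of the DER bytes."""
    # The digest is a parameter: it must match the one your fetchmail compares against.
    h = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def check_pin(text, pinned, digest="sha1"):
    """Return (matches, actual_fingerprint) for the first certificate in the text."""
    certs = extract_certs(text)
    if not certs:
        raise ValueError("no certificate found in input")
    actual = fingerprint(certs[0], digest)
    same = actual.replace(":", "") == pinned.replace(":", "").strip().upper()
    return same, actual

def _constructed_pem(payload):
    """Wrap placeholder bytes in PEM armour (constructed; not a parseable certificate)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-in for "openssl s_client -showcerts" output: server cert, then a CA.
SERVER_DER = b"constructed server certificate bytes " * 4
SAMPLE = ("CONNECTED(00000003)\n---\nCertificate chain\n"
          " 0 s:/CN=exchange.corporate.local\n" + _constructed_pem(SERVER_DER)
          + " 1 s:/CN=Constructed Issuing CA\n"
          + _constructed_pem(b"constructed CA certificate bytes " * 4) + "---\n")

# The (already substituted) value from the fetchmailrc above; it will not match SAMPLE.
PINNED = "40:50:62:E5:BE:FD:E4:AF:97:E9:38:2A:F1:6C:C8:7C:8F:B7:C4:E2"

if __name__ == "__main__":
    ok, actual = check_pin(SAMPLE, PINNED)
    print("server certificate fingerprint:", actual)
    print("matches pinned value" if ok else "MISMATCH: certificate changed or wrong pin")
```

A mismatch after a period of successful polling means the server is presenting a different certificate, so confirm the new fingerprint out of band before updating the pin.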