I can't persuade fetchmail to collect mail from an Exchange server on our LAN (fetchmail and Exchange are both on the LAN).
The errors I am getting are:

    fetchmail: Server CommonName mismatch: myoffice.mydomain.co.uk != 192.168.11.10
    fetchmail: Server certificate verification error: unable to get local issuer certificate
    fetchmail: Server certificate verification error: certificate not trusted
    fetchmail: Server certificate verification error: unable to verify the first certificate
    fetchmail: Error exchanging credentials
    fetchmail: Authorisation failure on user@192.168.11.10
    fetchmail: Query status=3 (AUTHFAIL)
myoffice.mydomain.co.uk resolves to the office's external IP address, although I think (from Googling) that the first line is a warning not the reason for the failure.
My fetchmailrc is fairly simple:

    set daemon 60
    set invisible
    set no bouncemail
    set no syslog
    set logfile /var/log/fetchmail.log
    poll 192.168.11.10 protocol pop3
        username "user" password "password"
        mda "/usr/bin/rt-mailgate --queue general --action correspond --url http://localhost/rt/"
        no keep
You'll see from the last line that I'm trying to set up Request Tracker (RT), and it needs to be able to collect mail from our office mailserver.
This guy seems to have the fix: http://berqnet.blogspot.com/2009/11/exchange-2007-fetchmail.html .. but I don't know what he means by "the fingerprint of the Exchange 2007".
[We've had nothing but problems like this since moving to Exchange, but it does a reasonable job of keeping Windows users in check so we're stuck with it.]
Date: Thu, 30 Sep 2010 16:30:43 +0100
From: mark@quarella.co.uk
To: main@lists.alug.org.uk
Subject: [ALUG] fetchmail and MS Exchange 2010

> I can't persuade fetchmail to collect mail from an Exchange server on our LAN (fetchmail and Exchange are both on the LAN).
> The errors I am getting are:
> fetchmail: Server CommonName mismatch: myoffice.mydomain.co.uk != 192.168.11.10
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate verification error: unable to verify the first certificate
> fetchmail: Error exchanging credentials

Looks like a certificate problem to me.

> fetchmail: Authorisation failure on user@192.168.11.10
> fetchmail: Query status=3 (AUTHFAIL)
> myoffice.mydomain.co.uk resolves to the office's external IP address, although I think (from Googling) that the first line is a warning not the reason for the failure.

DNS issue - may well be linked to the cert problem.

> My fetchmailrc is fairly simple:
> set daemon 60
> set invisible
> set no bouncemail
> set no syslog
> set logfile /var/log/fetchmail.log
> poll 192.168.11.10 protocol pop3 username "user" password "password" mda

POP3? A bit old? lol ...

> "/usr/bin/rt-mailgate --queue general --action correspond --url http://localhost/rt/" no keep
> This guy seems to have the fix: http://berqnet.blogspot.com/2009/11/exchange-2007-fetchmail.html .. but I don't know what he means by "the fingerprint of the Exchange 2007".

SSH is a BIG cert, there is a little bit, called the fingerprint, it's the (maybe) CRC which says this is OK.

HTH
Keith
Hi Mark,
I use RT with Exchange 2007 and had to use the same fingerprint resolution that you discovered.
My fetchmailrc looks similar to the following (I've changed hostnames, passwords and used the fingerprint of Google's https servers):

    set no syslog
    set logfile /var/log/fetchmail/fetchmail.log
    set daemon 90
    poll exchange.corporate.local proto IMAP port 993:
        user "rt.systems" pass "plaintextpassword" ssl
            sslcertpath /usr/local/etc/sslcerts
            sslproto "TLS1"
            sslfingerprint "40:50:62:E5:BE:FD:E4:AF:97:E9:38:2A:F1:6C:C8:7C:8F:B7:C4:E2"
            mda "/usr/bin/perl /usr/local/rt3/bin/rt-mailgate --queue 'Systems' --action correspond --url https://rt.corporate.local/";
        user "rt.systems-comment" pass "plaintextpassword" ssl
            sslcertpath /usr/local/etc/sslcerts
            sslproto "TLS1"
            sslfingerprint "40:50:62:E5:BE:FD:E4:AF:97:E9:38:2A:F1:6C:C8:7C:8F:B7:C4:E2"
            mda "/usr/bin/perl /usr/local/rt3/bin/rt-mailgate --queue 'Systems' --action comment --url https://rt.corporate.local/";

In order to populate the sslcertpath and sslfingerprint fields, you will need to place the certificates for the server, and any CA and Intermediate certs in the sslcertpath and use c_rehash from apache or the OpenSSL source code.
The procedure I followed is almost exactly the same as described by Christoph Rummel here: http://bronski.net/data/fetchmail-eng.php
I generated the fingerprints using the command "openssl x509 -in servercert.pem -noout -fingerprint" against a copy of the certificate (the bit between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" including those two lines when you run "openssl s_client -connect exchange.corporate.local:993 -showcerts")
Hope this helps,
Jim
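
The fingerprint step described in the message above, as an added example that is not part of the original thread or of fetchmail itself. The function names and the throwaway self-signed certificate standing in for the Exchange server are assumptions; the fetchmail 6 manual page describes sslfingerprint as an MD5 hash in upper-case hex, so the digest is named explicitly rather than left to openssl's default.

```shell
#!/bin/sh
# Added example: derive an sslfingerprint value from saved
# "openssl s_client -showcerts" output. Runs offline on constructed input.

# Print the first PEM block in a transcript. s_client -showcerts lists the
# server's own certificate first, followed by any intermediates.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on                            { print }
         /-----END CERTIFICATE-----/   { if (on) exit }' "$1"
}

# Print the colon-separated digest of a PEM certificate.
# $1 = PEM file, $2 = digest name (default md5, per the fetchmail 6 manual).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-md5}" | sed 's/^[^=]*=//'
}

# Build a constructed transcript in directory $1 from a throwaway self-signed
# certificate (hypothetical stand-in for the server; not a real capture).
make_demo_transcript() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=exchange.corporate.local" \
        -keyout "$1/key.pem" -out "$1/leaf.pem" 2>/dev/null
    {
        echo "CONNECTED(00000003)"
        echo "Certificate chain"
        echo " 0 s:CN = exchange.corporate.local"
        cat "$1/leaf.pem"
        echo " 1 s:CN = constructed second entry (stands in for an intermediate)"
        cat "$1/leaf.pem"
        echo "---"
    } > "$1/s_client.txt"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_transcript "$dir"
    first_cert "$dir/s_client.txt" > "$dir/servercert.pem"
    # Line to paste into the user entry of fetchmailrc.
    printf 'sslfingerprint "%s"\n' "$(cert_fp "$dir/servercert.pem")"
    rm -rf "$dir"
}
demo
```

Against a live server, the transcript would be the saved output of the s_client command quoted in the message, and the resulting value should be compared with the fingerprint read from the server's certificate by an independent route before it is pinned.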
On 01/10/10 10:04, Jim Rippon wrote:
> I use RT with Exchange 2007 and had to use the same fingerprint resolution that you discovered.
> My fetchmailrc looks similar to the following (I've changed hostnames, passwords and used the fingerprint of Google's https servers): [...]
> Hope this helps,

Thanks, Jim. That seems fairly straightforward; at present I have it working by "cheating" and enabling plain text authorisation for POP3 on the server (it's only across the local LAN so it's not a big security risk), but I would like to get this working properly so will try and experiment later.
The fetchmail docs are very outdated; they include vague mumblings about Exchange 2000 and that's about it!