aboutsummaryrefslogtreecommitdiffstats
path: root/README.SSL-SERVER
blob: ae833e608814bf78ffe17f3ec1b8bbfb6a6b3e5f (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

SSL server requirements
-----------------------

This document is meant for Internet service providers as a check-list.  If
fetchmail refers you to it, mail this file to the support address for the
server that caused the reference.

In order to let any mail client (not just fetchmail) verify server certificates 
properly, so that users can be sure their connection is not eavesdropped, there 
are several requirements that need to be fulfilled.

1. Match certificate and DNS names:

   The server certificate's "common name" or "subject alternative name" must 
   match the name by which clients are connecting. Avoid the use of wildmats if 
   possible, not all clients support them (fetchmail does).

   This may sound trivial, but for load balancing and failover setups, it may  
   not be obvious.

2. Provide the *full* certificate chain

   Many SSL documents tell you to install the server certificate, silently 
   assuming that it were directly signed by a trusted root certification 
   authority (CA).

   If your server certificate is not directly signed by the root certification 
   authority (root CA), then you are using intermediate CA. In this case, you 
   *MUST* (as per the TLS standard) provide *ALL* intermediate certificates.

   If you fail to provide intermediate certificates, clients can only connect 
   if the end user overrides/disables security warnings in his/her software, 
   and this disables the detection of eavesdroppers.

   The intermediate CA certificates must be issued after the server's 
   certificate in proper order, that is:
   first the intermediate CA cert that signed the servers' certificate, then 
   the intermedate CA cert that signed the previous intermediate CA, and all 
   the way back to the root CA cert (which you should omit).

   You can optionally add the root CA certificate, but this is redundant, as 
   the client needs to have that installed anyways (see 3 below) in its store 
   of trusted root certification authorities in order to verify certificates 
   that this root CA has signed.

   For software that does not offer "chain certificate" options, but that 
   supports reading certificates in PEM format, it is usually sufficient to 
   concatenate all the certs in proper order (again, from server to root).

3. Provide the *root* CA's certificate separately.

   Provide the root CA's certificate in a place where your end users will 
   quickly and easily find it, or provide a link to it. Depending on which mail 
   software your clients use, it may not be pre-installed, and users require 
   this root CA to verify your SSL server certificate, and possibly 
   intermediate certificates.

   This is particularly important if you're using local self-signed 
   certificates, as these are never preinstalled into end-users clients.

   Your technical support team should have the finger prints of this root CA 
   readily available at least in MD5 and SHA1 formats and offer to clients and 
   be ready to answer client questions as to the fingerprints (for 
   verification) and installation in commonly used clients.
generated by cgit v1.2.3 (git 2.46.0) at 2026-06-10 01:18:40 +0000
FIRST If you want support for RFC1938-compliant one-time passwords, you'll need to install Craig Metz's OPIE libraries first and *make sure they're on the normal library path* where configure will find them. Then configure with --enable-OPIE, and fetchmail build process will detect them and compile appropriately. Note: there is no point in doing this unless your server is OTP-enabled. To test this, telnet to the server port and give it a valid USER id. If the OK response includes the string "otp-", you should install OPIE. You need version 2.32 or better. The OPIE library sources are available at ftp://ftp.inner.net/pub/opie. You can also find OPIE and IPV6-capable servers there. Building in IPv6 support or the IPsec patches REQUIRES that Craig Metz's inet6-apps kit be installed; the IPsec patches require that the kit be built with network security API support enabled. The kit can be gotten from ftp.ipv6.inner.net:/pub/ipv6 (via IPv6) or ftp.inner.net /pub/ipv6 (via IPv4). 2. CONFIGURE Installing fetchmail is easy. From within this directory, type: ./configure The autoconfiguration script will spend a bit of time figuring out the specifics of your system. If you want to specify a particular compiler (e.g. you have gcc but want to compile with cc), set the environment variable CC before you run configure. The configure script accepts certain standard configuration options. These include --prefix, --exec-prefix, --bindir, --infodir, --mandir, and --srcdir. Do `configure --help' for more. POP2 support is no longer compiled in by default, as POP2 is way obsolete and there don't seem to be any live servers for it anymore. You can configure it back in if you want with `configure --enable-POP2', but leaving it out cuts the executable's size slightly. Support for CompuServe's RPA authentication method (rather similar to APOP) is available but also not included in the standard build. You can compile it in with `configure --enable-RPA'. Support for authentication using RFC1731 GSSAPI is available but also not included by default. You can compile it in with `configure --with-gssapi', which looks for GSSAPI support in standard locations (/usr, /usr/local). If you set --with-GSSAPI=DIR you can direct the build to look for GSSAPI support under DIR. If you want to build for debugging, CFLAGS=-g LDFLAGS=" " ./configure will do that. To enable multilingual support using GNU gettext, configure --enable-nls Advanced configuration: Specifying --with-kerberos=DIR or --with-kerberos5=DIR will tell the fetchmail build process to look in DIR for Kerberos support. Configure normally looks in /usr/kerberos and /usr/athena; if you specify this option with an argument it will look in DIR first. Unfortunately, there doesn't seem to be good standardization of where Kerberos lives. If your configuration doesn't match one of the four that fetchmail's configure.in knows about, you may find you have to hand-hack the Makefile a bit. You may also want to hand-hack the Makefile if you're writing a custom or bleeding-edge resolver library. In that case you will probably want to add -lresolv or whatever to the definition of LOADLIBS. It is also possible to explicitly condition out the support for POP3, IMAP, and ETRN (with configure arguments of --disable-POP3, --disable-IMAP, and --disable-ETRN respectively). However, none of these wins back more that 3 to 4K on an Intel box. If you're running QNX, edit the distributed Makefile directly. The QNX values for various macros are there but commented out; all you have to do is uncomment them. 3. MAKE You may find you need flex at version 2.5.3 or greater to build fetchmail. The stock lex distributed with some versions of Linux does not work -- it yields a parser which core-dumps on syntax errors. You can get flex at the GNU ftp site, ftp://prep.ai.mit.edu/pub/gnu. Run make This should compile fetchmail for your system. If fetchmail fails to build properly, see the FAQ section B on build-time problems. Note: parallelized make (e.g. make -j 4) fails due to some weirdness in the yacc productions. 4. INSTALL Lastly, become root and run make install This will install fetchmail. By default, fetchmail will be installed in /usr/local/bin, with the man page in /usr/local/man/man1. You can use the configure options --bindir and --mandir to change these. NOTE: If you are using an MTA other than sendmail (such as qmail, exim, or smail), see the FAQ (section T) for discussion of any special configuration steps that may be necessary. 5. SET UP A RUN CONTROL FILE See the man page and the file sample.rcfile for a description of how to configure your individual preferences. If you're upgrading from popclient, see question F4 in the FAQ file. 6. TEST I strongly recommend that your first fetchmail run use the -v and -k options, in case there is something not quite right with your server, your local delivery configuration or your port 25 listener. Also, beware of aliases that direct your local mail back to the server host! This software is known to work with the qpop/popper series of freeware POP3 servers; also with the IMAP2bis and IMAP4 servers that are distributed with Pine from the University of Washington; also with the Cyrus IMAP server from CMU. This covers all the servers normally hosted on Linux and *BSD systems. It also works with Microsoft Exchange, despite the fact that Microsoft Exchange is extremely broken (returns incorrect message lengths in LIST responses). 7. REPORTING BUGS You should read the FAQ file question G3 before reporting a bug. 8. USE IT Once you've verified your configuration, you can start fetchmail to run in background and forget about it. Enjoy!
generated by cgit v1.2.3 (git 2.46.0) at 2026-06-10 01:18:38 +0000