aboutsummaryrefslogtreecommitdiffstats
path: root/README.SSL-SERVER
blob: ae833e608814bf78ffe17f3ec1b8bbfb6a6b3e5f (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

SSL server requirements
-----------------------

This document is meant for Internet service providers as a check-list.  If
fetchmail refers you to it, mail this file to the support address for the
server that caused the reference.

In order to let any mail client (not just fetchmail) verify server certificates 
properly, so that users can be sure their connection is not eavesdropped, there 
are several requirements that need to be fulfilled.

1. Match certificate and DNS names:

   The server certificate's "common name" or "subject alternative name" must 
   match the name by which clients are connecting. Avoid the use of wildmats if 
   possible, not all clients support them (fetchmail does).

   This may sound trivial, but for load balancing and failover setups, it may  
   not be obvious.

2. Provide the *full* certificate chain

   Many SSL documents tell you to install the server certificate, silently 
   assuming that it were directly signed by a trusted root certification 
   authority (CA).

   If your server certificate is not directly signed by the root certification 
   authority (root CA), then you are using intermediate CA. In this case, you 
   *MUST* (as per the TLS standard) provide *ALL* intermediate certificates.

   If you fail to provide intermediate certificates, clients can only connect 
   if the end user overrides/disables security warnings in his/her software, 
   and this disables the detection of eavesdroppers.

   The intermediate CA certificates must be issued after the server's 
   certificate in proper order, that is:
   first the intermediate CA cert that signed the servers' certificate, then 
   the intermedate CA cert that signed the previous intermediate CA, and all 
   the way back to the root CA cert (which you should omit).

   You can optionally add the root CA certificate, but this is redundant, as 
   the client needs to have that installed anyways (see 3 below) in its store 
   of trusted root certification authorities in order to verify certificates 
   that this root CA has signed.

   For software that does not offer "chain certificate" options, but that 
   supports reading certificates in PEM format, it is usually sufficient to 
   concatenate all the certs in proper order (again, from server to root).

3. Provide the *root* CA's certificate separately.

   Provide the root CA's certificate in a place where your end users will 
   quickly and easily find it, or provide a link to it. Depending on which mail 
   software your clients use, it may not be pre-installed, and users require 
   this root CA to verify your SSL server certificate, and possibly 
   intermediate certificates.

   This is particularly important if you're using local self-signed 
   certificates, as these are never preinstalled into end-users clients.

   Your technical support team should have the finger prints of this root CA 
   readily available at least in MD5 and SHA1 formats and offer to clients and 
   be ready to answer client questions as to the fingerprints (for 
   verification) and installation in commonly used clients.
generated by cgit v1.2.3 (git 2.46.0) at 2026-04-13 13:45:03 +0000
bb; font-weight: bold } /* Name.Function.Magic */ .highlight .vc { color: #336699 } /* Name.Variable.Class */ .highlight .vg { color: #dd7700 } /* Name.Variable.Global */ .highlight .vi { color: #3333bb } /* Name.Variable.Instance */ .highlight .vm { color: #336699 } /* Name.Variable.Magic */ .highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */
These are scripts to help you running fetchmail in special situations. 
Note: you're on your own using these -- I don't really understand them,
I'm just passing them along.
								--esr

maildaemon:

Larry Fahnoe wrote this for driving fetchmail from cron.  It may be useful if
you want to force a PPP link up and then poll for mail at specified times.
I have rearranged it slightly to make it easier to configure.

novell:

Some mail from Dan Newcombe describing how to write a procmail rule that
will domainify Novell server names.

login & logout:

These are intended to help if you typically have multiple logins active.
Here's the script composer's original README:

	Please find attached 2 files, ~/.bash_login & ~/.bash_logout
	What these do is try to keep track of WHO is the process/tty
	that ran fetchmail in daemon mode.  I tried to use the bash
	Variable PPID, but when using xterm the PPID is set to the
	xterm's pid not the bash shell's pid so....

	They have been lightly tested.

	Any comments...

 				Hth, JimL <babydr@nwrain.net>

Doug Carter <dougc@canus.com> suggests this instead:

Add the following to your login script. (.ie .bash_profile, .profile, etc)

LOGINS=`who | grep $USER | wc -l`
if [ $LOGINS = 1 ]; then
    /usr/bin/fetchmail > /dev/null 2>&1
fi

Then add the following to your logout script. (.ie .bash_logout, etc)

LOGINS=`who | grep $USER | wc -l`
if [ $LOGINS = 1 ]; then
    /usr/bin/fetchmail -q > /dev/null 2>&1
fi

ip-up:

A note from James Stevens about using fetchmail in an ip-up script without
disabling timeouts.

runfetchmail:

A shellscript front end for fetchmail that mails you various statistics on
the downloaded mail and the state of your folders.  A good example of what
you can do with your own front end.

fetchspool:

If you find that the speed of forwarding to port 25 is limited by the
SMTP listener's speed, it may make sense to locally spool all the mail
first and feed it to sendmail after you hang up the network link.
This shellscript aims to do exactly that.  It would be smarter to
figure out why sendmail is slow, however.

fetchsetup:

This is a shell script for creating a $HOME/.fetchmailrc file, it will ask
you some questions and based on your answers it will create a .fetchmailrc
file, fetchsetup is linux specific so it may not work on another operating
system.

mailqueue.pl:

This script will connect to your isp (if not already connected),
send any outgoing mail and retrieve any incoming mail.  If this
program made the connection, it will also break the connection
when it is done.  By Bill Adams, <bill@evil.inetarena.com>.  The
latest version is carried at <http://evil.inetarena.com/>.

redhat_rc:

A fetchmail boot-time init file compatible with RedHat 5.1.  It leaves
fetchmail in background to get messages when you connect to your ISP.
The invoked fetchmail expects to find its configuration in
/etc/fetchmailrc, and must include the proper "interface" directive.

debian_rc:

A fetchmail boot-time init file compatible with Debian.  It leaves
fetchmail in background to get messages when you connect to your ISP.
The invoked fetchmail expects to find its configuration in
/root/.fetchmailrc, and must include the proper "interface" directive.

start_dynamic_ppp:

An admittedly scratchy ip-up script that Ryan Murray wrote to cope with
dynamic PPP addressing.  Will need some customizing.

	http://www.inetarena.com/~badams/linux/programs/mailqueue.pl

getfetchmail:

Here's a script that gets Eric's most recent fetchmail source rpm,
downloads it and (if the rpm's not broken) rebuilds it.

With fairly simple changes it can be used to download the latest i386 rpm
or tar.gz.
 
Those who are addicted to having the latest of everything could filter mail
from fetchmail announce through it and get new versions as they're
announced. However, if we all did that, Eric's ftp server might feel a
little stressed.

The script as written works on bash 2.  By John Summerfield
<summer@os2.ami.com.au>.

zsh-completion:

These commands set up command completion for fetchmail under zsh.
Jay Kominek <jay.kominek@colorado.edu>.

getmail/gotmail:

These scripts are front ends for fetchmail in daemon mode that can gather
log statistics and generate text or HTML reports.  See README.getmail for
details.  Scripts by Thomas Nesges <ThomaNesges@TNT-Computer.de>.

fetchmaildistrib:

This script resolves the issue where the sysadmin polls for mail with fetchmail
only at set intervals, but where a user wishes to see his email right
away. The duplication in /etc/fetchmailrc and ~/.fetchmailrc files is
automated with this script; whenever /etc/fetchmailrc is changed, this
script is run to distribute the stuff into all user's ~/.fetchmailrc
files.

multidrop:

Martijn Lievaart's sendmail hacks to make multidrop reliable.

domino:

Gustavo Chaves <gustavo@cpqd.com.br> wrote this script to deal with 
the boundary-mismatch bug in Domino (see FAQ item X5).  If you use
this with --mda, the broken boundaries will be fixed and the result
passed to procmail.

toprocmail:

John Lim Eng Hooi <jleh@mail.com> wrote this script, yet another 
mda plugin, to be used with fetchmail in foreground mode.  It displays
some header lines to stdout in color, passing them (and the rest of the
message content) to procmail.

preauth-harness:

Emmanuel Dreyfus's Perl test script for exercising IMAP PREAUTH
connections.  You'll have to patch in your username and password.

sm-hybrid:

Peter 'Rattacresh' Backes sent this patch to improve the behavior of 
sendmail 8.11.0 with multidrop.

fetchmailnochda.pl

Watchdog script to check whether fetchmail is working in daemon mode.

mold-remover.py

A short python script to remove old read mail from a pop3 mailserver.
Dovetails with fetchmail with keep option.
Run it as a cron job...
generated by cgit v1.2.3 (git 2.46.0) at 2026-04-13 13:45:02 +0000