fetchmail is the workhorse for downloading mail from legacy addresses. This does not mean that you want to be limited to legacy security for your passwords or mail contents. TLS Interposer helps upgrade security.
- TLS Interposer
- Eliminate BEAST, CRIME, Lucky13, RC4, SSLv3 weaknesses from binary/legacy applications
- Upgrading Apache 2.2 OpenSSL security with TLS Interposer
- Upgrade ejabberd to the latest TLS security [UPDATE#2, 2014-06-05]
- Securing fetchmail with improved TLS parameters
- Using TLS Interposer with OpenSSL 0.9.8g (Debian Lenny)
- Disable client certificate requests for Cyrus IMAP
If you have not installed TLS Interposer yet, please do so now using the TLS Interposer installation instructions.
Configure TLS Interposer for Fetchmail
On Ubuntu 12.04 LTS, I found it easiest to add the following two lines to /etc/default/fetchmail (unwrap if necessary; both lines should start with
Don’t forget to restart fetchmail using /etc/init.d/fetchmail restart or similar. Setting the TLS_INTERPOSER_CIPHERS environment variable is necessary, as it re-enables some of the more secure RC4 cipher suites that TLS Interposer would otherwise disable. I found it necessary to activate these relatively weak ciphers, as most POP3 and IMAP servers have not been upgraded to the latest TLS security. At least Microsoft and GMX servers seem to require RC4 for compatibility. Please let me know your (good or bad) experiences in the comments below.
If you see a message like
Nov 15 18:34:58 netfuture fetchmail: socket error while fetching from <your mail address>@<your provider>
Nov 15 18:34:58 netfuture fetchmail: Socket-Fehler beim Abholen von <your mail address>@<your provider>
or similar text in your system’s default language in /var/log/mail.log after restarting, then your provider does not support any of the secure ciphers that TLS Interposer tries to force. You can then either
- try to talk your provider into upgrading their security,
- enable some additional ciphers for your provider, or
- disable TLS Interposer altogether for fetchmail, if none of the above works.
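Before choosing between those three options it helps to know which providers are actually failing. The following script is an added example (not part of the original post or of TLS Interposer) that scans mail.log lines for both message variants quoted above, the English and the German one, and counts socket errors per provider. The log lines embedded in it are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the /var/log/mail.log format quoted in the post
# (English and German fetchmail variants plus unrelated noise); not from a real host.
SAMPLE_LOG = """\
Nov 15 18:34:58 netfuture fetchmail: socket error while fetching from alice@example.com
Nov 15 18:35:02 netfuture fetchmail: Socket-Fehler beim Abholen von bob@example.org
Nov 15 18:35:10 netfuture fetchmail: socket error while fetching from alice@example.com
Nov 15 18:36:00 netfuture postfix/smtpd[1234]: connect from localhost[127.0.0.1]
Nov 15 18:36:05 netfuture fetchmail: starting fetchmail 6.3.21 daemon
"""

# Both message variants end with the failing account as <user>@<provider>.
SOCKET_ERROR = re.compile(
    r"fetchmail: (?:socket error while fetching from|"
    r"Socket-Fehler beim Abholen von) "
    r"(?P<account>\S+@(?P<provider>\S+))"
)


def failing_providers(log_text):
    """Return {provider: number of fetchmail socket errors} found in log_text."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SOCKET_ERROR.search(line)
        if match:
            counts[match.group("provider")] += 1
    return dict(counts)


def report(log_text):
    """Human-readable summary: one line per provider, most failures first."""
    counts = failing_providers(log_text)
    if not counts:
        return "no fetchmail socket errors found"
    lines = [f"{provider}: {n} socket error(s)"
             for provider, n in sorted(counts.items(), key=lambda kv: -kv[1])]
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed sample; on a real system read /var/log/mail.log instead.
    print(report(SAMPLE_LOG))
```

Providers that show up here are the ones whose servers rejected every cipher suite TLS Interposer left enabled; those are the candidates for either a per-provider cipher exception or, failing that, for running fetchmail without the interposer.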