Securing fetchmail with improved TLS parameters

fetchmail is the workhorse for downloading mail from legacy addresses. This does not mean that you want to be limited to legacy security for your passwords or mail contents. TLS Interposer helps upgrade security.

Installation

If you have not installed TLS Interposer yet, please do so now using the TLS Interposer installation instructions.

Configure TLS Interposer for Fetchmail

On Ubuntu 12.04 LTS, I found it easiest to add the following two lines to /etc/default/fetchmail (unwrap if necessary; both lines should start with export):

export TLS_INTERPOSER_CIPHERS='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'
export LD_PRELOAD=/usr/local/lib/tlsinterposer.so

Don’t forget to restart fetchmail using /etc/init.d/fetchmail restart or similar. Setting the TLS_INTERPOSER_CIPHERS environment variable is necessary, as it enables some of the more secure RC4 cipher suites. I found it necessary to activate these relatively weak cipher suites, as most POP3 and IMAP servers have not been upgraded to the latest TLS security. [1]

If you see a message like

Nov 15 18:34:58 netfuture fetchmail[5988]: socket error while fetching from <your mail address>@<your provider>
or
Nov 15 18:34:58 netfuture fetchmail[5988]: Socket-Fehler beim Abholen von <your mail address>@<your provider>
or a similar text in your system’s default language

in /var/log/mail.log after restarting, then your provider does not support any of the secure ciphers that TLS Interposer tries to force. You can then either

  • try to talk your provider into upgrading their security,
  • enable some additional ciphers for your provider, or
  • disable TLS Interposer altogether for fetchmail, if none of the above works.
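Before deciding between the second and third option, it helps to know which cipher suites the TLS_INTERPOSER_CIPHERS string from the configuration section actually selects on your system, and which of them are the RC4 compatibility entries. The following script is an added example for this post, not part of fetchmail or TLS Interposer. It reads the two export lines from a constructed copy of /etc/default/fetchmail, feeds the cipher string to Python's standard ssl module (so the answer reflects the OpenSSL that Python is linked against, which is assumed to be the same one fetchmail loads), and compares the post's string with a stricter variant that drops the RC4 entries. The WEAK_MARKERS substring list, the HARDENED_CIPHERS variant and the sample file are my assumptions, not something the post or the project defines.

```python
"""Check what a TLS_INTERPOSER_CIPHERS string really enables on the local OpenSSL.

Added example for this post; not part of fetchmail or TLS Interposer. It uses
only Python's standard ssl module, so the result reflects the OpenSSL that
Python is linked against (assumed to be the one fetchmail loads as well).
"""
import shlex
import ssl

# The cipher string from the /etc/default/fetchmail snippet in the post.
FETCHMAIL_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
)

# Assumed stricter variant: the same string with the RC4 compatibility entries
# removed and RC4 explicitly excluded, for providers that negotiate without it.
HARDENED_CIPHERS = ":".join(
    t for t in FETCHMAIL_CIPHERS.split(":") if "RC4" not in t
) + ":!RC4"

# Constructed sample of /etc/default/fetchmail, mirroring the post's two lines.
SAMPLE_DEFAULT_FILE = f"""\
# /etc/default/fetchmail (constructed sample)
START_DAEMON=yes
export TLS_INTERPOSER_CIPHERS='{FETCHMAIL_CIPHERS}'
export LD_PRELOAD=/usr/local/lib/tlsinterposer.so
"""

# Assumed substring markers for suites the post itself treats as a compromise.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXP")


def parse_exports(text):
    """Return {KEY: value} for every `export KEY=value` line, unquoting the value."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("export "):
            continue
        key, sep, value = line[len("export "):].partition("=")
        if not sep:
            continue
        # shlex removes the shell quoting around the cipher string.
        env[key.strip()] = "".join(shlex.split(value))
    return env


def enabled_suites(cipher_string):
    """Ask the local OpenSSL which suites the string selects.

    An empty list means nothing matched, which is the situation behind the
    "socket error while fetching" log line: no cipher can be negotiated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Subset of suite names containing one of the weak-algorithm markers."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def report(cipher_string):
    """Summarise what a cipher string enables and which entries are compromises."""
    names = enabled_suites(cipher_string)
    return {"enabled": names, "weak": weak_suites(names), "count": len(names)}


if __name__ == "__main__":
    env = parse_exports(SAMPLE_DEFAULT_FILE)
    print("LD_PRELOAD =", env["LD_PRELOAD"])
    for label, s in (("post", env["TLS_INTERPOSER_CIPHERS"]),
                     ("hardened", HARDENED_CIPHERS)):
        r = report(s)
        print(f"{label}: {r['count']} suites, weak: {r['weak'] or 'none'}")
```

On an OpenSSL build that no longer ships RC4, the RC4 entries in the post's string match nothing and are silently dropped, so the two reports come out identical; that is the point at which the compatibility entries can be removed from /etc/default/fetchmail without changing what fetchmail negotiates. If a report shows zero suites, the string itself is the problem, not the provider.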

Good luck!

Footnotes

1. At least Microsoft and GMX servers seem to require RC4 for compatibility. Please let me know your (good or bad) experiences in the comments below.
