Securing fetchmail with improved TLS parameters

fetchmail is the workhorse for downloading mail from legacy addresses. This does not mean that you want to be limited to legacy security for your passwords or mail contents. TLS Interposer helps upgrade security.


Installation

If you have not installed TLS Interposer yet, please do so now using the TLS Interposer installation instructions.

Configure TLS Interposer for Fetchmail

On Ubuntu 12.04 LTS, I found it easiest to add the following two lines to /etc/default/fetchmail (unwrap if necessary; both lines should start with export):

export TLS_INTERPOSER_CIPHERS='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'
export LD_PRELOAD=/usr/local/lib/tlsinterposer.so

Don’t forget to restart fetchmail using /etc/init.d/fetchmail restart or similar. Setting the TLS_INTERPOSER_CIPHERS environment variable is necessary, as it enables some of the more secure RC4 ciphers. I found it necessary to activate these relatively weak ciphers, as most POP3 and IMAP servers have not been upgraded to the latest TLS security.[1] At least Microsoft and GMX servers seem to require RC4 for compatibility. Please let me know your (good or bad) experiences in the comments below.

If you see a message like

Nov 15 18:34:58 netfuture fetchmail[5988]: socket error while fetching from <your mail address>@<your provider>
or
Nov 15 18:34:58 netfuture fetchmail[5988]: Socket-Fehler beim Abholen von <your mail address>@<your provider>
or a similar text in your system’s default language

in /var/log/mail.log after restarting, then your provider does not support any of the secure ciphers that TLS Interposer tries to force. You can then either
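As an added example (not part of the original post or of TLS Interposer itself), the following shell snippet automates the check described above: it scans a fetchmail log for the "socket error while fetching from" lines in both the English and the German (Socket-Fehler) wording and lists which accounts are affected, so you can see at a glance which providers reject the whole TLS_INTERPOSER_CIPHERS list. The log lines in the script are constructed sample data; the real file to scan is /var/log/mail.log.

```shell
#!/bin/sh
# Added example, not code from the original post. Detect fetchmail accounts whose
# provider rejected every cipher in TLS_INTERPOSER_CIPHERS, using the log
# message the post describes (English and German variants).

# Regex matching the two known wordings of the socket-error message.
SOCKET_ERR='fetchmail\[[0-9]+\]: (socket error while fetching from|Socket-Fehler beim Abholen von) '

# Print each affected <address>@<provider> once, sorted, from log file $1.
socket_error_accounts() {
    grep -E "$SOCKET_ERR" "$1" \
        | sed -E 's/.*(socket error while fetching from|Socket-Fehler beim Abholen von) //' \
        | sort -u
}

# Print the number of socket-error lines in log file $1 (0 when there are none;
# "|| true" keeps grep's exit status 1 on no match from aborting a set -e script).
socket_error_count() {
    grep -cE "$SOCKET_ERR" "$1" || true
}

# Constructed sample log in the format shown in the post (hostname and PID made up).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 15 18:34:58 netfuture fetchmail[5988]: socket error while fetching from alice@mail.example.com
Nov 15 18:34:59 netfuture fetchmail[5988]: 3 messages for bob at imap.example.net (12345 octets).
Nov 15 18:35:01 netfuture fetchmail[5988]: Socket-Fehler beim Abholen von carol@pop.example.org
Nov 15 18:35:02 netfuture fetchmail[5988]: socket error while fetching from alice@mail.example.com
EOF

# Usage: replace "$SAMPLE_LOG" with /var/log/mail.log on a real system.
echo "socket errors: $(socket_error_count "$SAMPLE_LOG")"
echo "affected accounts:"
socket_error_accounts "$SAMPLE_LOG"
```

Run it right after restarting fetchmail; an account that keeps appearing in the output is one whose provider does not accept any cipher from the list, and is the one to look at when deciding how to relax the cipher string for that provider.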

Good luck!

