NSLU2-Linux

Setting up fetchmail and gmail on the slug

This article has been tested on a Slug running Unslung 6.8 and Debian 4.0 (etch). I am sure it can be easily adapted for other distributions.

To set up GMail mail download on the Slug, you will need to install the following packages:

   * Openssl : ipkg install openssl
   * fetchmail : ipkg install fetchmail
   * sendmail (or some other MTA) : ipkg install sendmail
   * Perl : ipkg install perl - This is only needed temporarily, to run the c_rehash program

For Debian you will have to substitute "ipkg" with "apt-get" above!

You need a special Perl script called c_rehash. You can find it at this location. Download this Perl script locally and move it to your slug through FTP, or just fire up vi in an xterm session and cut and paste it in!

Save the c_rehash file in a temporary directory (say /tmp) and change its permissions to enable execution (chmod 744 c_rehash).

Once you have these pieces ready, configure each piece step by step as described below.

Configure GMail (on the Google servers)

  • Log into your gmail account
  • Go into gmail options and select POP3/IMAP and enable it.
  • Pick whatever option works best for you (i.e. send all the mails through POP3 or just the new ones)

Fetchmail

Google's gmail speaks POP3 over an SSL-encrypted connection, which fetchmail supports if you configure it with the right SSL certificates. Here I am going to describe the process of doing it on the Slug. Be aware that there are different hosts from which mail can be retrieved, e.g. pop.gmail.com and pop.googlemail.com. Different hosts use different certificates, so take care! This tutorial will use pop.googlemail.com for fetching mail.

  • Create a directory called /opt/cert/.cert
  • Download the gmail/googlemail certificate using the following command from the correct server:

[root@smallguy certs]$ openssl s_client -connect pop.gmail.com:995 -showcerts

CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com
verify error:num=20:unable to get local issuer certificate
...
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division
/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division
/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
No client certificate CA names sent
...
+OK Gpop ready for requests from 85.178.177.47 12pf79459fks.20

  • Copy everything between the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- lines, including the BEGIN and END lines themselves, into a file in the directory /opt/cert/.cert. Name the file after the host you just got the certificate from.
  • Locate the section of the output starting with "issuer="; this is the issuing certificate authority for the google certificate. Be aware that gmail and googlemail use different certificate authorities! The "CN=Thawte Premium Server CA" identifies the certificate we will create next. Search for that string in http://prdownloads.sourceforge.net/souptonuts/cert.pem?download. Right above the "CN=Thawte Premium Server CA" string you will find another --BEGIN CERTIFICATE-- and --END CERTIFICATE-- section. Copy this section (again including the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- lines) into a file in the directory /opt/cert/.cert. Name the file after the certificate authority the certificate comes from. If you need more certificates, use the same technique to create different files for them.
  • Make sure you name the certificate files with a .pem extension.
  • Go to /opt/cert and type /tmp/c_rehash .cert; this will create the necessary symbolic links for openssl.
  • Test your certificates using the following command (remember to use the right hostname!)

[root@smallguy certs]$ openssl s_client -connect pop.googlemail.com:995 -CApath /opt/cert/.cert

CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division
/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division
/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division
/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
No client certificate CA names sent
---
SSL handshake has read 1021 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: B46CB6EFDBE999473C12E1312D23A61A25C79170ECC6FEF5D18D69945B27A571
    Session-ID-ctx:
    Master-Key: 38C9C43B2E6FC58111BC1F5614207B02513EADAFE99134E7C02B00A0F916C6C0936CB367539A882F8F22328B6D19AD66
    Key-Arg   : None
    Start Time: 1227823017
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Gpop ready for requests from 122.164.255.73 b21pf2941934rvf.0

  • Notice the Verify return code: 0 (ok) message in the third line from the bottom. If you see a non-zero return code then you have most probably missed some step so far. Typically you will get error code 21 if the certificates are not accessible (path errors, permission errors and so on). Make sure you get return code zero.
  • Now in your home directory, create a file called .fetchmailrc (notice the dot at the beginning of the filename). This will contain the fetchmail configuration for this user account on the slug.
  • Add the following contents to the file:

#
#
# Sample .fetchmailrc file for Gmail
#
# Check mail every 900 seconds
set daemon 900
set syslog


set postmaster root

#set bouncemail
#
#  To keep mail on the server, put keep at the end.
#
poll pop.googlemail.com with proto POP3 and options no dns ssl sslcertck sslcertpath '/opt/cert/.cert'
#
# I receive my gmail to the root user on the Slug
# In the line below replace 'youruser' with your gmail account,
# 'yourpassword' with your gmail password and 'your slug account'
# with the user id on the slug who should be configured to receive the mails
user 'youruser@googlemail.com' with pass "yourpassword"  is 'your slug account' here options
# You would use this to by-pass Postfix
# mda '/usr/bin/procmail -d %T'

Note: This article has been adapted to the Slug and is based on the very detailed article at http://souptonuts.sourceforge.net/postfix_tutorial.html
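
The certificate steps above, scripted as an added example that is not part of the original article: it pulls the server certificate out of saved "openssl s_client -showcerts" output and accepts only "Verify return code: 0", the same condition that sslcertck makes fetchmail enforce. The function names and both sample transcripts are constructed for illustration; the host and CA directory are the ones used in this article.

```shell
#!/bin/sh
# Added example. Both transcripts are constructed; certificate bodies are dummies.
SAMPLE_SHOWCERTS='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Certificate chain
-----BEGIN CERTIFICATE-----
DUMMY-SERVER-CERT-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
DUMMY-SECOND-CERT-BODY
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)
+OK Gpop ready for requests'
SAMPLE_VERIFIED='CONNECTED(00000003)
verify return:1
    Verify return code: 0 (ok)
+OK Gpop ready for requests'

# Print only the first PEM block (the server's own certificate) from stdin.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Print the numeric "Verify return code"; fail if the line is absent.
verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    [ -n "$code" ] || return 1
    printf '%s\n' "$code"
}

# True only if the chain verified. s_client carries on after a verify error,
# so reaching the "+OK Gpop ready" banner says nothing about the certificate.
chain_ok() {
    [ "$(verify_code)" = "0" ]
}

# Live form of the test step (not run below): the article's host and CA directory.
check_pop_tls() {
    openssl s_client -connect "${1:-pop.googlemail.com}:995" \
        -CApath "${2:-/opt/cert/.cert}" </dev/null 2>&1 | chain_ok
}

for t in "$SAMPLE_SHOWCERTS" "$SAMPLE_VERIFIED"; do
    if printf '%s\n' "$t" | chain_ok; then echo "chain verified"
    else echo "chain NOT verified"; fi
done
```

Running check_pop_tls from cron or before starting the fetchmail daemon gives an early signal when the server's certificate or issuing CA changes and the files in /opt/cert/.cert need refreshing.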

Last edited by vivekv.
Based on work by avgrichter, fcarolo, and vivekv.
Originally by vivekv.
Page last modified on January 19, 2009, at 04:43 PM