• make sure you name the certificate files with a .pem extension

• Locate the italic section from the output starting with "issuer=", this is the issuing certificate authority for the google certificate. Be aware that gmail and googlemail use different certificate authorities!!! The "CN=Thawte Premium Server CA" identifies the certificate we will create next. Search for the string in http://prdownloads.sourceforge.net/souptonuts/cert.pem?download. Right above the "CN=Thawte Premium Server CA" string you will find another --BEGIN CERTIFICATE-- and --END CERTIFICATE-- section. Copy this section (again including the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- lines) into a file in the directory /opt/cert/.cert. Name the file after the certificatre authority where the certificate comes from. If you need more certificates, use the same technique to create different files for them.

• Locate the italic section from the output starting with "issuer=", this is the issuing certificate authority for the google certificate. Be aware that gmail and googlemail use different certificate authorities!!! The "CN=Thawte Premium Server CA" identifies the certificate we will create next. Search for the string in "/usr/share/ssl/cert.pem". Right above the "CN=Thawte Premium Server CA" string you will find another --BEGIN CERTIFICATE-- and --END CERTIFICATE-- section. Copy this section (again including the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- lines) into a file in the directory /opt/cert/.cert. Name the file after the certificatre authority where the certificate comes from. If you need more certificates, use the same technique to create different files for them.

• Locate the italic section from the output starting with "issuer=", this is the issuing certificate authority for the google certificate. Be aware that gmail and googlemail use different certificate authorities!!! The "CN=Thawte Premium Server CA" identifies the certificate we will create next. Search for the string in [[http://prdownloads.sourceforge.net/souptonuts/cert.pem?download|"/usr/share/ssl/cert.pem"]. Right above the "CN=Thawte Premium Server CA" string you will find another --BEGIN CERTIFICATE-- and --END CERTIFICATE-- section. Copy this section (again including the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- lines) into a file in the directory /opt/cert/.cert. Name the file after the certificatre authority where the certificate comes from. If you need more certificates, use the same technique to create different files for them.

   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division

/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com @]'''[@

issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division /CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division /CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division

/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division /CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

@]'''[@

@]'''[@

This article has been tested on a Slug running Unslug 6.8 and Debian 4.0 (etch). I am sure it can be easily adopted for other distributions.

For Debian you will have to substitute "ipkg" with "apt-get" above!

Google's gmail talks in an encrypted POP3 protocol that will be supported by FetchMail if you configure it with the right SSL certificates. Here I am going to describe the process of doing it on the SLUG. Be aware, that there are different hosts from which mail can be retrieved, e.g. pop.gmail.com and pop.googlemail.com, etc. Different hosts use different certificates so take care! This tutorial will use pop.googlemail.com for fetching mail.

• Download the gmail/googlemail certificate using the following command from the correct server:

[root@smallguy certs]$ openssl s_client -connect pop.gmail.com:995 -showcerts

depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com verify error:num=20:unable to get local issuer certificate ... verify error:num=21:unable to verify the first certificate

 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

'''[@

MIIDZzCCAtCgAwIBAgIQVgcr3aRmXe9qOpz240ZwgzANBgkqhkiG9w0BAQUFADCB? zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE? CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh? d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl cnZlckB0aGF3dGUuY29tMB4XDTA4MDMxNDIzMjMyNFoXDTA5MDMxNDIzMjMyNFow bDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1v dW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBJbmMxGzAZBgNVBAMTEnBvcC5n b29nbGVtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvyNeXqie ElJeN0Bxh2?+UQFs67TtsShZRWNfyk4u5?+waQoHsmsBL2UKtPSeFnuW6/60SpeyUr EnIMNgtv2t6JbA4fPgN5iOMvGNybR?+CZoE56OUfH7XxVBbhSxvvO?/HXJvYkflsYJ? FRT+OMDiu91V2HgAdAn8hgcjYDvldGFMoq8CAwEAAaOBpjCBozAdBgNVHSUEFjAU? BggrBgEFBQcDAQYIKwYBBQUHAwIwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL2Ny? bC50aGF3dGUuY29tL1RoYXd0ZVByZW1pdW1TZXJ2ZXJDQS5jcmwwMgYIKwYBBQUH AQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMAwGA1Ud? EwEB?/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAHovI/7KRFAfDzQevDyjsHTt8jRCJ cdmMvzeVFUInWa3iKJFmCCEKscOQjHhMJ0Undl4SkATuyc2nKs7B6boyb40U9Rbz RlAWi?+zIDuj2kRml/b1IQexbKZBAUa17q+Q4PzTmgFzW0UF0?++G29J7rxnZgtlJ1? n4f5gfa+lFXpf+k=

@]'''[@

Server certificate subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com

issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

---

... +OK Gpop ready for requests from 85.178.177.47 12pf79459fks.20

• Copy everything between the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- including the BEGIN and END lines into a file in the directory /opt/cert/.cert. Name the file after the host where you just got the certificate from.
• Locate the italic section from the output, this is the issuing certificate authority for the google certificate. Be aware that gmail and googlemail use different certificate authorities!!! The "CN=Thawte Premium Server CA" identifies the certificate we will create next. Search for the string in [[http://prdownloads.sourceforge.net/souptonuts/cert.pem?download|"/usr/share/ssl/cert.pem"]. Right above the "CN=Thawte Premium Server CA" string you will find another --BEGIN CERTIFICATE-- and --END CERTIFICATE-- section. Copy this section (again including the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- lines) into a file in the directory /opt/cert/.cert. Name the file after the certificatre authority where the certificate comes from. If you need more certificates, use the same technique to create different files for them.
• go to /opt/cert and type /tmp/c_rehash .cert this will create the necessary symbolic links for openssl.
• Test your certificates using the following command (remember to use the right hostname!)

[root@smallguy certs]$ openssl s_client -connect pop.googlemail.com:995 -CApath /opt/cert/.cert

CONNECTED(00000003) depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com verify return:1 depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com verify return:1 --- Certificate chain

 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

--- Server certificate

MIIDZzCCAtCgAwIBAgIQVgcr3aRmXe9qOpz240ZwgzANBgkqhkiG9w0BAQUFADCB? zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE? CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh? d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl cnZlckB0aGF3dGUuY29tMB4XDTA4MDMxNDIzMjMyNFoXDTA5MDMxNDIzMjMyNFow bDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1v dW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBJbmMxGzAZBgNVBAMTEnBvcC5n b29nbGVtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvyNeXqie ElJeN0Bxh2?+UQFs67TtsShZRWNfyk4u5?+waQoHsmsBL2UKtPSeFnuW6/60SpeyUr EnIMNgtv2t6JbA4fPgN5iOMvGNybR?+CZoE56OUfH7XxVBbhSxvvO?/HXJvYkflsYJ? FRT+OMDiu91V2HgAdAn8hgcjYDvldGFMoq8CAwEAAaOBpjCBozAdBgNVHSUEFjAU? BggrBgEFBQcDAQYIKwYBBQUHAwIwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL2Ny? bC50aGF3dGUuY29tL1RoYXd0ZVByZW1pdW1TZXJ2ZXJDQS5jcmwwMgYIKwYBBQUH AQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMAwGA1Ud? EwEB?/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAHovI/7KRFAfDzQevDyjsHTt8jRCJ cdmMvzeVFUInWa3iKJFmCCEKscOQjHhMJ0Undl4SkATuyc2nKs7B6boyb40U9Rbz RlAWi?+zIDuj2kRml/b1IQexbKZBAUa17q+Q4PzTmgFzW0UF0?++G29J7rxnZgtlJ1? n4f5gfa+lFXpf+k=

subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.googlemail.com issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com --- No client certificate CA names sent --- SSL handshake has read 1021 bytes and written 300 bytes --- New, TLSv1?/SSLv3?, Cipher is RC4?-MD5? Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session:

    Protocol  : TLSv1?
    Cipher    : RC4?-MD5?
    Session-ID: B46CB6EFDBE999473C12E1312D23A61A25C79170ECC6FEF5D18D69945B27A571?
    Session-ID-ctx:
    Master-Key: 38C9C43B2E6FC58111BC1F5614207B02513EADAFE99134E7C02B00A0F916C6C0936CB367539A882F8F22328B6D19AD66
    Key-Arg   : None
    Start Time: 1227823017
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

--- +OK Gpop ready for requests from 122.164.255.73 b21pf2941934rvf.0 @]

• Notice the Verify return code: 0 (ok) message in the third line from the bottom. If you see a non zero return code then you have most probably missed some step so far. Typically you will get error code 21 if the certificates are not accessible (path errors, permission errors and so on). Make sure you get error code zero.
• Now in your home directory, create a file called .fetchmailrc (notice the dot at the beginning of the filename). This will contain fetchmail configuration for this user account on the slug.
• Add the following contents to the file

[@

poll pop.googlemail.com with proto POP3? and options no dns ssl sslcertck sslcertpath '/opt/cert/.cert'

user 'youruser@googlemail.com' with pass "yourpassword" is 'your slug account' here options

You need a special perl script called c_rehash. You can find it at this location. Download this perl script locally and move it to your slug through FTP or just fire up VI on a xterm session and cut and paste it in!

[root@smallguy certs]$openssl s_client -connect pop.gmail.com:995 -CApath /opt/certs/.certs/

1. I receive my gmail to the root user on the Slug
2. In the line below replace 'youruser' with your gmail account,
3. 'yourpassword' with your gmail password and 'your slug account'
4. with the user id on the slug who should be configured to receive the mails

• Now in your home directory, create a file called .fetchmailrc (notice the dot at the beginning of the filename). This will contain fetchmail configuration for this user account on the slug.
• Add the following contents to the file

#
#
# Sample .fetchmailrc file for Gmail
#
# Check mail every 900 seconds
set daemon 900
set syslog


set postmaster root

#set bouncemail
#
#  To keep mail on the server use the you would put keep at the end.
#
poll pop.gmail.com with proto POP3 and options no dns
#
#I receive my gmail to the root user on the Slug
#In the line below replace 'youruser' with your gmail account, 'yourpassword' with your gmail password and 'your slug account' with the user id on the slug who should be configured to receive the mails
user 'youruser@gmail.com' with pass "yourpassword"  is 'your slug account' here options
# You would use this to by-pass Postfix
# mda '/usr/bin/procmail -d %T'

You need a special perl script called c_rehash. You can find it at this location c_rehash. Download this perl script locally and move it to your slug through FTP or just fire up VI on a xterm session and cut and paste it in!

• Notice the Verify return code: 0 (ok) message in the third line from the bottom. If you see a non zero return code then you have most probably missed some step so far. Typically you will get error code 21 if the certificates are not accessible (path errors, permission errors and so on). Make sure you get error code zero.

Note: This article has been adapted to the Slug and is based on the very detailed article at http://souptonuts.sourceforge.net/postfix_tutorial.html

[root@smallguy certs]$openssl s_client -connect pop.gmail.com:995 -CApath? /opt/certs/.certs/

    Verify return code: 0 (ok)

    <b>Verify return code: 0 (ok)</b>

[root@smallguy certs]$openssl s_client -connect pop.gmail.com:995 -CApath? /opt/certs/.certs/

• Log into your gmail account
• Go into gmail options and select POP3/IMAP and enable it.
• Pick whatever option works best for you (ie. send all the mails through POP3 or just the new ones)

• Download the two certificates for OpenSSL from the following site
• Create a directory called /opt/cert/.cert
• move the two files under /opt/cert/.cert
• go to /opt/cert and type /tmp/c_rehash .cert this will create the necessary symbolic links for openssl.
• Test your certificates using the following command

[root@smallguy certs]$openssl s_client -connect pop.gmail.com:995 -CApath? /opt/certs/.certs/

[@

@]

<pre>

</pre>

[root@smallguy certs]$openssl s_client -connect pop.gmail.com:995 -CApath? /opt/certs/.certs/

CONNECTED(00000003) depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority verify return:1 depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com verify return:1 --- Certificate chain

 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

--- Server certificate

MIIC3TCCAkagAwIBAgIDCDijMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT? MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0? aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDcxMDI1MTc1MzE2WhcNMDkxMjI0MTg1MzE2 WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN? TW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4xFjAUBgNVBAMTDXBv? cC5nbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO03QxerFKZV 8yeomuL4zSl8Pr7hMWnKMMgp/CwhwadeBmL0LQHHbjL?/6z/Z59ZQvrztqkwhchA2? APKzUwRVTyn7Shx6vBqk6oFmTqoOLmY6hbq6l8uVdUv0AfbHwio8CnLpK2?+nbuFl flPwx1DH0E3grD8+CrH5SmScfTWbDkcXAgMBAAGjga4wgaswDgYDVR0PAQH?/BAQD AgTwMB0GA1UdDgQWBBTJRG?/OFpZt?+BV43JM3NshHMjpwazA6BgNVHR8EMzAxMC?+g LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDAf? BgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHSUEFjAUBggrBgEF? BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAOKr3mhxtwFCS3J6lbeaf? 3KrHKi935BZkI75sRbON+hog0t2ovcM2i7fxs3xneH8USLsHgfxNBj9tkMogMK/K sO/NUVZ/IfyqcNNkp2619qTQXthKRH42JKpAKgNhT1bdno3pxn?+eDEpqmU3CE7IP HDCjWOK1fGkZ?/yFAuTxuxAc=

subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 891 bytes and written 314 bytes --- New, TLSv1?/SSLv3?, Cipher is DES-CBC3?-SHA Server public key is 1024 bit SSL-Session:

    Protocol  : TLSv1?
    Cipher    : DES-CBC3?-SHA
    Session-ID: 01B74ECC24F4327E6B8A0D7546BA90F89734A4EABD9FDC6D7BFAA6AED3FEBEBF
    Session-ID-ctx:
    Master-Key: 786761D1B113DD37F5A68CA24A69DD1561C737052BB6D477F5C4A5C3AAA1AA9E6A5B27478DB181E1595289ACC51589EA
    Key-Arg   : None
    Start Time: 1198379343
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

--- +OK Gpop ready for requests from 122.164.255.73 b21pf2941934rvf.0

      * openssl s_client -connect pop.gmail.com:995 -CApath? /opt/certs/.certs/

Configure GMail (on the Google servers)

   * go to /opt/cert and type /tmp/c_rehash .cert this will create the necessary symbolic links for openssl.
   * Test your certificates using the following command
      * *openssl s_client -connect pop.gmail.com:995 -CApath? /opt/certs/.certs/*

You need a special perl script called c_rehash. You can find it at this location http://web.mit.edu/crypto/bin/c_rehash][c_rehash. Download this perl script locally and move it to your slug through FTP or just fire up VI on a xterm session and cut and paste it in!

Save the c_rehash file in a temporary directory (say /tmp) and change its permissions to enable execution (chmod 744 c_rehash)

You need a special perl script called c_rehash. You can find it at this location http://web.mit.edu/crypto/bin/c_rehash][c_rehash Once you have these pieces ready, you need to follow step by step configuration of each piece.

Google's gmail talks in an encrypted POP3 protocol that will be supported by FetchMail if you configure it with the right SSL certificates. Here I am going to describe the process of doing it on the SLUG.

   * Download the two certificates for OpenSSL from the following site

   * Perl : ipkg install perl - This is only temporarily to run the rehash program

Google's gmail talks in an encrypted POP3 protocol that will be supported by FetchMail? if you configure it with the right SSL certificates. Here I am going to describe the process of doing it on the SLUG.

   * Download the two certificates for OpenSSL? from the following site
   * Create a directory called /opt/cert/.cert
   * move the two files under /opt/cert/.cert

To setup GMail mail download from the Slug, you will need to install the following packages

Configure GMail (on the server)

   * Go into gmail options and select POP3/IMAP and enable it.  
   * Pick whatever option works best for you (ie. send all the mails through POP3 or just the new ones)

Google's gmail talks in an encrypted POP3 protocol that will be supported by

Setting up fetchmail and gmail on the slug

Configure GMail? (on the server)

Fetchmail

Once you have these three pieces ready, you need to follow step by step configuration of each piece.

---+++Configure GMail? (on the server)

   * Log into your gmail account
   * Go into gmail options and select POP3?/IMAP and enable it.  
   * Pick whatever option works best for you (ie. send all the mails through POP3? or just the new ones)

---+++Fetchmail

Google's gmail talks in an encrypted POP3? protocol that will be supported by

---++Setting up fetchmail and gmail on the slug

This article has been tested on a Slug running Unslug 6.8. I am sure it can be easily adopted for other distributions.

   * Openssl : ipkg install openssl
   * fetchmail : ipkg install fetchmail
   * sendmail (or some other MTA) : ipkg install sendmail

Once you have these three pieces ready, you

---++Setting up FetchMail? and GMail? on the slug

To setup GMail? mail download from the Slug, you will need to install the following packages

   * OpenSSL?
   * FetchMail?
   * sendmail (or some other MTA)

Note: This article has been adapted to the Slug and is based on the very detailed article at http://souptonuts.sourceforge.net/postfix_tutorial.html