Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

General eFa discussion
Post Reply
LoM+OeF
Posts: 5
Joined: 20 Sep 2021 13:45
Location: Papenburg, East Frisia
Contact:

Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by LoM+OeF »

Hello,

we have a Sophos UTM 9, and get our mails via POP3 Proxy + SSL.
In the protocols of the E-Mail server (we use Tobit David) I see, that the SSL certificate of the Sophos UTM9 is used:

Code: Select all

POP3MainThread: g_ActiveThreads=0, Inprocess=
POP3MainThread: after waitWhileActive() g_ActiveThreads=0, Inprocess=
:1: (00001092) OutOfBandDataInline: 1
:2: (00001108) ReUseAddr          : 1
:5: (00001104) OutOfBandDataInline: 1
:1: (00001092) KeepAlive          : 5 minutes
:2: (00001108) OutOfBandDataInline: 1
:5: (00001104) KeepAlive          : 5 minutes
:2: (00001108) KeepAlive          : 5 minutes
:6: (00000840) Socket Bound to Port 0
:4: (00001052) Socket Bound to Port 0
:1: (00001092) Socket Bound to Port 0
:5: (00001104) Socket Bound to Port 0
:2: (00001108) Socket Bound to Port 0
:3: (00001100) Socket Connected to 212.227.15.162
:6: (00000840) Socket Connected to 212.227.15.178
:1: (00001092) Socket Connected to 212.227.15.162
:4: (00001052) Socket Connected to 212.227.15.178
:5: (00001104) Socket Connected to 212.227.15.162
:2: (00001108) Socket Connected to 212.227.15.178
(00001100)(DAVIDTLS) Server certificate information:
(00001100) Subject: /C=de/L=Stadt/O=Firma/CN=firewall.firma.de                                                                                                                   
(00001100) Issuer: /C=de/L=Stadt/O=Firma/CN=Firma WebAdmin CA/emailAddress=administrator@firma.de                                                      
(00001100) SSL version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256
:3: SSL connected
:3: ReceiveMail: connected, Socket=00001100
:3: (00001100) read (31/0)
:3: (00001100) Got complete TCP Message (Size=31)
:3: +OK POP3Proxy ready on node 1
Now i want to get the mails on the eFa-4.0.4 via fetchmail + SSL and the Sophos Pop3 proxy, but it fails:

Code: Select all

[root@mw24mailgate certs]# fetchmail -v -a -k -f /etc/fetchmailrc
fetchmail: WARNUNG: Vom Betrieb mit root-Rechten wird abgeraten.
fetchmail: 6.3.24 fragt pop.1und1.de ab (Protokoll POP3) um Mi 10 Nov 2021 13:13:11 CET: Abfrage gestartet
Versuche, mit 212.227.15.162/995 zu verbinden...verbunden.
fetchmail: Server-Zertifikat:
fetchmail: Herausgeber-Organisation: Firma
fetchmail: Herausgeber-CommonName: Firma WebAdmin CA
fetchmail: Subjekt-CommonName: firewall.firma.de
fetchmail: Subject Alternative Name: firewall.firma.de
fetchmail: Server-CommonName stimmt nicht überein: firewall.firma.de != pop.1und1.de
fetchmail: pop.1und1.de-Schlüssel-Fingerabdruck: F7:3D:0F:ED:EE:E8:E5:E9:0A:AA:0F:E1:A0:76:7F:61
fetchmail: Fehler bei Server-Zertifikat-Überprüfung: unable to get local issuer certificate
fetchmail: Das heißt, dass das Wurzelzertifikat (ausgestellt für /C=de/L=Stadt/O=Firma/CN=firewall.firma.de) nicht unter den vertrauenswürdigen CA-Zertifikaten ist, oder dass c_rehash auf dem Verzeichnis ausgeführt werden muss. Details sind in der fetchmail-Handbuchseite im bei --sslcertpath beschrieben.
140654116874128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:
fetchmail: SSL-Verbindung fehlgeschlagen.
fetchmail: Socket-Fehler beim Abholen von info@firma.com@pop.1und1.de
fetchmail: 6.3.24 fragt ab pop.1und1.de (Protokoll POP3) um Mi 10 Nov 2021 13:13:11 CET: Abfrage beendet
fetchmail: Abfragestatus=2 (SOCKET)
fetchmail: normale Beendigung, Status 2
Warning: i think, i have some knowledge gaps ;-)

What i tried meanwhile?
I downloaded the local x509 cert *.pem file from the sophos utm 9, uploded it to /etc/ssl/certs and did an c_rehash.
No success.
I tried several parameters in the fetchmailrc file, no success.
Does anybody have a tip, where i can search ?



best regards,
Frank
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by henk »

fetchmail issues :shock:

First, when you run

Code: Select all

yum check-update
is there any ca-certificate update shown? if so run it

Checked your example, it works..

Code: Select all

openssl s_client -connect 212.227.15.162:995
Try fix the issue, by adding the sslpatch, something like this:

Code: Select all

fetchmail -v  --syslog --nobounce --sslcertpath /etc/ssl/certs -f  /etc/fetchmailrc

.fetchmailrc

Code: Select all

poll blablabla
        timeout 120
        with proto POP3
        user "xxxxx" there with password "Welcome123" is "Spammy" here
             ssl
             sslcertck

When you got it worjing..

With fetchmail you can add a few options.( as localhost will be the source of every mail)

take a close look at the --invisible option

please read the complete post as there is another important option mentioned there (Read IP Address From Received Header = 2)

viewtopic.php?t=2545

PS,
Seems you run fetchmail under root, dont do that. Create separate user (like fmuser)
and put the .fetchmailrc in the fmuser homedir
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
LoM+OeF
Posts: 5
Joined: 20 Sep 2021 13:45
Location: Papenburg, East Frisia
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by LoM+OeF »

Hi Henk,

it's me: memberlist.php?mode=viewprofile&u=1610
But my old account isn't working any more :-( - and i have forgotten my pw and the registered e-mail adress :-(

i check your tips tommorow, if i get the time and post the results.

best regards,
Frank
LoM+OeF
Posts: 5
Joined: 20 Sep 2021 13:45
Location: Papenburg, East Frisia
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by LoM+OeF »

Good morning,

i did so like descripted in your post:

Code: Select all

[root@mw24mailgate etc]# yum check-update
Geladene Plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink                                                                                                                                                                                                  |  21 kB  00:00:00
 * base: mirror.scaleuptech.com
 * eFa4: dl.efa-project.org
 * epel: mirror.nl.leaseweb.net
 * extras: centos.mirrors.psw.services
 * updates: artfiles.org
base                                                                                                                                                                                                                  | 3.6 kB  00:00:00
eFa4                                                                                                                                                                                                                  | 2.9 kB  00:00:00
epel                                                                                                                                                                                                                  | 4.7 kB  00:00:00
extras                                                                                                                                                                                                                | 2.9 kB  00:00:00
ius                                                                                                                                                                                                                   | 1.3 kB  00:00:00
updates                                                                                                                                                                                                               | 2.9 kB  00:00:00
(1/9): base/7/x86_64/group_gz                                                                                                                                                                                         | 153 kB  00:00:00
(2/9): eFa4/primary_db                                                                                                                                                                                                | 153 kB  00:00:00
(3/9): epel/x86_64/group_gz                                                                                                                                                                                           |  96 kB  00:00:00
(4/9): ius/x86_64/primary                                                                                                                                                                                             |  99 kB  00:00:00
(5/9): extras/7/x86_64/primary_db                                                                                                                                                                                     | 243 kB  00:00:00
(6/9): epel/x86_64/updateinfo                                                                                                                                                                                         | 1.0 MB  00:00:02
(7/9): base/7/x86_64/primary_db                                                                                                                                                                                       | 6.1 MB  00:00:03
(8/9): epel/x86_64/primary_db                                                                                                                                                                                         | 7.0 MB  00:00:03
(9/9): updates/7/x86_64/primary_db                                                                                                                                                                                    |  12 MB  00:00:04
ius                                                                                                                                                                                                                                  473/473
[root@mw24mailgate etc]#
Then i deleted all ceritficates in /etc/ssl/certs from the past tries.

Code: Select all

[root@mw24mailgate certs]# c_rehash
Doing /etc/pki/tls/certs
WARNING: ca-bundle.crt does not contain a certificate or CRL: skipping
WARNING: ca-bundle.trust.crt does not contain a certificate or CRL: skipping
WARNING: make-dummy-cert does not contain a certificate or CRL: skipping
WARNING: renew-dummy-cert does not contain a certificate or CRL: skipping
WARNING: localhost.crt does not contain a certificate or CRL: skipping
[root@mw24mailgate certs]# pwd
/etc/ssl/certs
[root@mw24mailgate certs]# ls -lisa
insgesamt 12
67204785 0 drwxr-xr-x. 2 root root  151 12. Nov 08:24 .
33590151 0 drwxr-xr-x. 5 root root   81  2. Nov 11:45 ..
67204783 0 lrwxrwxrwx. 1 root root   49  2. Nov 11:45 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
67204786 0 lrwxrwxrwx. 1 root root   55  2. Nov 11:45 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
68052905 0 -rw-r--r--. 1 root root    0 12. Nov 08:23 Local
68095730 0 -rw-------. 1 root root    0 12. Nov 08:23 localhost.crt
67312973 4 -rwxr-xr-x. 1 root root  610 14. Okt 14:30 make-dummy-cert
67312972 4 -rw-r--r--. 1 root root 2516 14. Okt 14:30 Makefile
67312974 4 -rwxr-xr-x. 1 root root  829 14. Okt 14:30 renew-dummy-cert
[root@mw24mailgate certs]#


Then:

Code: Select all

[root@mw24mailgate etc]# openssl s_client -connect 212.227.15.162:995
CONNECTED(00000003)
depth=0 C = de, L = Stadt, O = Company GmbH, CN = firewall.firma.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = de, L = Stadt, O = Company GmbH, CN = firewall.firma.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=de/L=Stadt/O=Company GmbH/CN=firewall.firma.de
   i:/C=de/L=Stadt/O=Company GmbH/CN=Company GmbH WebAdmin CA/emailAddress=administrator@firma.de
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE+DCCA+CgAwIBAgIJANGWSHAYQCDqMA0GCSqGSIb3DQEBCwUAMIGoMQswCQYD
VQQGEwJkZTESMBAGA1UEBwwJUGFwZW5idXJnMSEwHwYDVQQKDBhFbGVrdHJvIE11
w593ZXNzZWxzIEdtYkgxLTArBgNVBAMMJEVsZWt0cm8gTXXDn3dlc3NlbHMgR21i
SCBXZWJBZG1pbiBDQTEzMDEGCSqGSIb3DQEJARYkYWRtaW5pc3RyYXRvckBlbGVr
dHJvLW11c3N3ZXNzZWxzLmRlMB4XDTIxMDQxNTA3MTkyOFoXDTIzMDYyNDA3MTky
OFowbjELMAkGA1UEBhMCZGUxEjAQBgNVBAcMCVBhcGVuYnVyZzEhMB8GA1UECgwY
RWxla3RybyBNdcOfd2Vzc2VscyBHbWJIMSgwJgYDVQQDDB9maXJld2FsbC5lbGVr
dHJvLW11c3N3ZXNzZWxzLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAvvjREm9BB5n8I1Ym0YpuIc7xfSrwjQNhQ4vIXTk++AwVzapTgbhTymMHnw0o
YcS/eQDsJsSESJH0gcMHt8Zg2s3tXXDVPoA/O4B0Y6NgF6dd/XG75h3Nyv3dX5SM
U4OtQJfmV0lpllwneziWah5JAZQVV5oUsiqnpdDKJoA86txAEBeVVs8xYQ0vM0iL
E7kV19Mq1zjZ4XFHEiMN6GLbh7qm26AdKt/XgqFD+WJwaZH8RVHlNW/KIF3XzOqQ
OWKo6BHevv0zW6N49PSUjT36WmlYP4FNMLxABGGcOZTL7DzXzeYFo75jED7hHHsp
xFBsieHHwr7TrqjLXwujysDumwIDAQABo4IBXDCCAVgwHQYDVR0OBBYEFEluex6A
wQfD+RavXDQh7YWV95ejMIHdBgNVHSMEgdUwgdKAFILFqWdnxbtGLy/QRjZbxZqn
p+F4oYGupIGrMIGoMQswCQYDVQQGEwJkZTESMBAGA1UEBwwJUGFwZW5idXJnMSEw
HwYDVQQKDBhFbGVrdHJvIE11w593ZXNzZWxzIEdtYkgxLTArBgNVBAMMJEVsZWt0
cm8gTXXDn3dlc3NlbHMgR21iSCBXZWJBZG1pbiBDQTEzMDEGCSqGSIb3DQEJARYk
YWRtaW5pc3RyYXRvckBlbGVrdHJvLW11c3N3ZXNzZWxzLmRlggkA0ZZIcBhAIOkw
KgYDVR0RBCMwIYIfZmlyZXdhbGwuZWxla3Ryby1tdXNzd2Vzc2Vscy5kZTATBgNV
HSUEDDAKBggrBgEFBQcDATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG
9w0BAQsFAAOCAQEAkib7j+NtpIIoXVDm0qE43QZqIDTXHgxaooFmqEnyqxC2yJsw
ZFc1npis4IZvksq+5nV6jVh77E99WB1sQN7e2n7iGCUEewdS+npWDDG/9pFayc2s
9YVixmf3qdQTDljn5uzmZv9lscgQJOJpqOnnBrsWxj+who/2b55qEjtEPbGLTsjx
MYieeAEbHcUBHoh2vL6jANXTWCMVdC7ci0LSirXU6yAhBFSWZfFNxW35L6z+zbRg
08bkZFZb8tygXuK8cn5wkTUNcAjQHY9UFDJcM6IHJ0E2mvICDENk84to2Vb5uDEB
ESk9lZjVVE2BgoZyGG7ftWzvL7Q5u1+1ILpTmw==
-----END CERTIFICATE-----
subject=/C=de/L=Stadt/O=Company GmbH/CN=firewall.firma.de
issuer=/C=de/L=Stadt/O=Company GmbH/CN=Company GmbH WebAdmin CA/emailAddress=administrator@firma.de
---
No client certificate CA names sent
---
SSL handshake has read 1585 bytes and written 603 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA
    Session-ID: F96F76E356728C4BDA6146C8B2E35886C651A2E44E2DE70D48A62A4E6C6D880C
    Session-ID-ctx:
    Master-Key: 4991F06A3308DFB4C116B0DD8458689C9A3F606E069BCD67F11EAF73F212BD12EA179B9EADC6A78EE6E9D6E0B59B4BA4
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 15 47 83 06 72 bb 03 48-69 b0 13 6e 3a a0 09 69   .G..r..Hi..n:..i
    0010 - 6e c4 fd eb 1f c8 bb 05-76 7b e8 87 da fb 52 0a   n.......v{....R.
    0020 - 84 42 ab 0b 48 0b 30 7c-7a 8d 1f 4c 37 7f 69 1d   .B..H.0|z..L7.i.
    0030 - ff 00 18 de 62 09 fc e2-34 fb 52 c7 34 5f a4 15   ....b...4.R.4_..
    0040 - a4 f4 5d fc 84 f9 64 34-29 e3 bd f5 ce ae d2 c5   ..]...d4).......
    0050 - 4a a1 cd 7d 5e b9 d0 9a-46 01 59 71 e5 a9 5d b5   J..}^...F.Yq..].
    0060 - c5 ce 2d bc 1d 2b 31 f1-ac 5f f3 79 5f 26 73 91   ..-..+1.._.y_&s.
    0070 - ba e0 55 57 c0 bf ce 19-73 51 af 68 26 fe 0e 47   ..UW....sQ.h&..G
    0080 - e9 9c 8a be e8 9d bf 7e-ed 29 c7 c7 bf 5b 24 43   .......~.)...[$C
    0090 - 67 db 7d e6 c0 81 cb e0-82 4e 9a 2d 86 58 43 fa   g.}......N.-.XC.

    Start Time: 1636696551
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK POP3Proxy ready on node 1

is this the error causing the fetchmail not working and what you i to do?

Code: Select all

verify error:num=20:unable to get local issuer certificate
verify return:1

Code: Select all

[root@mw24mailgate etc]# fetchmail -v  --syslog --nobounce --sslcertpath /etc/ssl/certs -f  /etc/fetchmailrc
fetchmail: WARNUNG: Vom Betrieb mit root-Rechten wird abgeraten.
140576705943440:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:
[root@mw24mailgate etc]#
the fetchmail.rc:

Code: Select all

poll pop.1und1.de proto pop3 user info@company.com password *VERYSECRET* is info@company.com ssl sslcertck
best regards
Frank
LoM+OeF
Posts: 5
Joined: 20 Sep 2021 13:45
Location: Papenburg, East Frisia
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by LoM+OeF »

i tried meanwhile:

Code: Select all

echo | openssl s_client -connect 212.227.15.162:995 -showcerts
then i copied this in /etc/ssl/certs/mail.1und1.pem:

Code: Select all

-----BEGIN CERTIFICATE-----
MIIJHzCCCAegAwIBAgIQG1ebkEKWxDfDaN0aEa/xqjANBgkqhkiG9w0BAQsFADCB
3zELMAkGA1UEBhMCREUxJTAjBgNVBAoMHFQtU3lzdGVtcyBJbnRlcm5hdGlvbmFs
IEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxHDAaBgNVBAgM
E05vcmRyaGVpbiBXZXN0ZmFsZW4xDjAMBgNVBBEMBTU3MjUwMRAwDgYDVQQHDAdO
ZXRwaGVuMSAwHgYDVQQJDBdVbnRlcmUgSW5kdXN0cmllc3RyLiAyMDEmMCQGA1UE
AwwdVGVsZVNlYyBTZXJ2ZXJQYXNzIENsYXNzIDIgQ0EwHhcNMjEwODA0MDgzNzE0
WhcNMjIwODA4MjM1OTU5WjBmMQswCQYDVQQGEwJERTERMA8GA1UEChMISU9OT1Mg
U0UxGDAWBgNVBAgTD1JoZWlubGFuZC1QZmFsejESMBAGA1UEBxMJTW9udGFiYXVy
MRYwFAYDVQQDEw1zbXRwLmlvbm9zLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAzuQ4lyENhRxAA8ctVb3kzTunHeZQtcBuDKC2z3hYdWOaxIEZ5ifx
0mOkvnpBH569e0ABKzorocGamwosM0zMIY8FbXpb05fm6/fIpStZ1vAdxQZooCd1
ePHlzvhaA/PA9ynY55utK2waSO4SWvv4VzZlIMdOY/S6a5lmQy02pmJ3Rv6ovCH3
upho4nkgtw4pQncvB6FjLe6j78NwDaeYnALrU1mOGsC/KfQZulI5snZoYX6RGnxd
KEycIscwHjc01H73wiCsaAVKfBt9LczxP7wFNDv/0pf6+eVyykADH8CJD26z64U6
3FMXYHRuNf7rAaBgl8Yy3pk8J3T3ucIwlwIDAQABo4IFTTCCBUkwHwYDVR0jBBgw
FoAUlMh0RvU6tEZIJvgryjQeViYEEgAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUvUEvaEZG9zzB136TQGxw
DxPVbaswZQYDVR0gBF4wXDBQBgorBgEEAb1HDRcBMEIwQAYIKwYBBQUHAgEWNGh0
dHA6Ly9kb2NzLnNlcnZlcnBhc3MudGVsZXNlYy5kZS9jcHMvc2VydmVycGFzcy5o
dG0wCAYGZ4EMAQICMEsGA1UdHwREMEIwQKA+oDyGOmh0dHA6Ly9jcmwuc2VydmVy
cGFzcy50ZWxlc2VjLmRlL3JsL1NlcnZlclBhc3NfQ2xhc3NfMi5jcmwwgZkGCCsG
AQUFBwEBBIGMMIGJMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5zZXJ2ZXJwYXNz
LnRlbGVzZWMuZGUvb2NzcHIwUgYIKwYBBQUHMAKGRmh0dHA6Ly9jcmwuc2VydmVy
cGFzcy50ZWxlc2VjLmRlL2NydC9UZWxlU2VjX1NlcnZlclBhc3NfQ2xhc3NfMl9D
QS5jZXIwDAYDVR0TAQH/BAIwADCBkgYDVR0RBIGKMIGHgg1zbXRwLmlvbm9zLmRl
ggxwb3AuaW9ub3MuZGWCDWltYXAuaW9ub3MuZGWCDXNtdHAuMXVuZDEuZGWCDHBv
cC4xdW5kMS5kZYINaW1hcC4xdW5kMS5kZYIOc210cC4xdW5kMS5jb22CDXBvcC4x
dW5kMS5jb22CDmltYXAuMXVuZDEuY29tMIIC4wYKKwYBBAHWeQIEAgSCAtMEggLP
As0AdQBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAXsQT0WgAAAE
AwBGMEQCIBCjE6ekpkg454Y0vr83ep5ZRg7/TRfc/v8aqGXLeRlzAiBGhIj2z+zy
gK+Pc/q5fuLhQlmPQ9uyNnUbbD4/spe0wQB2AEalVet1+pEgMLWiiWn0830RLEF0
vv1JuIWr8vxw/m1HAAABexBPRXYAAAQDAEcwRQIgD+cLJPE/eeybA3voTYOVazEp
6zkcGPyp7Gp8FYaqSZsCIQDyaLjB1DCunmEjTG2GW8lplm9fqzz1XPX1qNZFqWl6
/gB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABexBPRa4AAAQD
AEcwRQIgVlUdsD7PSUAZ5EAuBMGGrj9GM7cvjyDY79j9qzxYQu8CIQDPqRkHflMz
B5whutDPX8LNJU0Ol2BGeIXvZrjYvGpvLgB1AFWB1MIWkDYBSuoLm1c8U/DA5Dh4
cCUIFy+jqh0HE9MMAAABexBPRkwAAAQDAEYwRAIgKYKhdcCKTBjW/ZKUZK+FMd22
ztrDJV4ey4LcuWAV7o0CIClafT1OMj//bLEaUmYmYaJCRlHkcFEhAqNog8mSYxC0
AHYAUaOw9f0BeZxWbbg3eI8MpHrMGyfL956IQpoN/tSLBeUAAAF7EE9G5QAABAMA
RzBFAiEA1IQZojkTRM32F1b8e8tj2EmfUKpgBiYV+CUNMXJDs1gCIGJB9DF2nLq4
B+6C8ZBrMuYsdXB95qOCuArrTZlGL22NAHUAQcjKsd8iRkoQxqE6CUKHXk4xixsD
6+tLx2jwkGKWBvYAAAF7EE9H5QAABAMARjBEAiABbDUDv6ml07NEta9U4z0baijB
APlhapVOKMklfpf4IAIgMFbPVBoalTWk4P3NM7z6GrE76OID0JAkDcb8svxQAYMw
DQYJKoZIhvcNAQELBQADggEBALvJsgIj+vU+bcKLPYPPBn0I/WK4q6WQISdkeTLf
RiqZjjwlv8k6w3mh6YKO1sUSOBGa9BR4VmVQDhLIQ8vzZFAvzYg2ainX/RrybQiC
L1al1yVk/vmB1pamKIifelclOEXPLlcBG6UessvpNxA8ajnwdeYIrh6iN6rKZugU
iJJp03gQD/BZSEMH9koEBjQtrOltdzGWf8WVsDMlQQ+wGE6zLhM+BkKnZNBE42Kj
QYscMOc4+OMkMMqo+F1suxAuldUcJrhvSsNR0GirdjVKmG343Fu0g6k+j4qlrrR2
rhxWFA59pdq+yxDTLJy1XP6efGWJCge/g7WO4G89NNdpIcY=
-----END CERTIFICATE-----
then i did a c_rehash:

Code: Select all

[root@mw24mailgate certs]# ls -lisa
insgesamt 16
67204785 0 drwxr-xr-x. 2 root root  173 12. Nov 09:27 .
33590151 0 drwxr-xr-x. 5 root root   81  2. Nov 11:45 ..
67204783 0 lrwxrwxrwx. 1 root root   49  2. Nov 11:45 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
67204786 0 lrwxrwxrwx. 1 root root   55  2. Nov 11:45 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
68052905 0 -rw-r--r--. 1 root root    0 12. Nov 08:23 Local
68095730 0 -rw-------. 1 root root    0 12. Nov 08:23 localhost.crt
67201373 4 -rw-r--r--. 1 root root 1785 12. Nov 09:27 mail.1und1.pem
67312973 4 -rwxr-xr-x. 1 root root  610 14. Okt 14:30 make-dummy-cert
67312972 4 -rw-r--r--. 1 root root 2516 14. Okt 14:30 Makefile
67312974 4 -rwxr-xr-x. 1 root root  829 14. Okt 14:30 renew-dummy-cert
[root@mw24mailgate certs]# c_rehash ./
Doing ./
WARNING: ca-bundle.crt does not contain a certificate or CRL: skipping
WARNING: ca-bundle.trust.crt does not contain a certificate or CRL: skipping
WARNING: make-dummy-cert does not contain a certificate or CRL: skipping
WARNING: renew-dummy-cert does not contain a certificate or CRL: skipping
WARNING: localhost.crt does not contain a certificate or CRL: skipping
[root@mw24mailgate certs]#
i also take the certifcate from our sophos like above:

Code: Select all

[root@mw24mailgate certs]# ls -lisa
insgesamt 20
67204785 0 drwxr-xr-x. 2 root root  209 12. Nov 09:34 .
33590151 0 drwxr-xr-x. 5 root root   81  2. Nov 11:45 ..
68047509 0 lrwxrwxrwx. 1 root root   14 12. Nov 09:34 43cc8c5b.0 -> mail.1und1.pem
67204783 0 lrwxrwxrwx. 1 root root   49  2. Nov 11:45 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
67204786 0 lrwxrwxrwx. 1 root root   55  2. Nov 11:45 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
68052905 0 -rw-r--r--. 1 root root    0 12. Nov 08:23 Local
68095730 0 -rw-------. 1 root root    0 12. Nov 08:23 localhost.crt
67201373 4 -rw-r--r--. 1 root root 1785 12. Nov 09:27 mail.1und1.pem
67312973 4 -rwxr-xr-x. 1 root root  610 14. Okt 14:30 make-dummy-cert
67312972 4 -rw-r--r--. 1 root root 2516 14. Okt 14:30 Makefile
67312974 4 -rwxr-xr-x. 1 root root  829 14. Okt 14:30 renew-dummy-cert
70026997 4 -rw-r--r--. 1 root root 1785 12. Nov 09:33 sophos.pem
[root@mw24mailgate certs]# c_rehash ./
Doing ./
WARNING: ca-bundle.crt does not contain a certificate or CRL: skipping
WARNING: ca-bundle.trust.crt does not contain a certificate or CRL: skipping
WARNING: make-dummy-cert does not contain a certificate or CRL: skipping
WARNING: renew-dummy-cert does not contain a certificate or CRL: skipping
WARNING: localhost.crt does not contain a certificate or CRL: skipping
WARNING: Skipping duplicate certificate sophos.pem
[root@mw24mailgate certs]#
no success.

best regards,
Frank
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by henk »

before you can proceeed with fetchmail, you need to get this working first.

Code: Select all

openssl s_client -connect 212.227.15.162:995
Output should look like this

Code: Select all

openssl s_client -connect 212.227.15.162:995
CONNECTED(00000003)
depth=2 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
verify return:1
depth=1 C = DE, O = T-Systems International GmbH, OU = T-Systems Trust Center, ST = Nordrhein Westfalen, postalCode = 57250, L = Netphen, street = Untere Industriestr. 20, CN = TeleSec ServerPass Class 2 CA
verify return:1
depth=0 C = DE, O = IONOS SE, ST = Rheinland-Pfalz, L = Montabaur, CN = smtp.ionos.de
verify return:1
---
Certificate chain
 0 s:/C=DE/O=IONOS SE/ST=Rheinland-Pfalz/L=Montabaur/CN=smtp.ionos.de
   i:/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/street=Untere Industriestr. 20/CN=TeleSec ServerPass Class 2 CA
 1 s:/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/street=Untere Industriestr. 20/CN=TeleSec ServerPass Class 2 CA
   i:/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
---
Server certificate
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by henk »

And it doesnt make sense to me to retrieve keys and save local
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
LoM+OeF
Posts: 5
Joined: 20 Sep 2021 13:45
Location: Papenburg, East Frisia
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by LoM+OeF »

aha ;-)

So as i wrote in my first post, we have a sophos utm with active pop3 proxy.

With active pop3 proxy i get the answer from your sophos firewall (let's encrypt ssl certificate):

Code: Select all

[root@mw24mailgate clamav]# openssl s_client -connect 212.227.15.162:995 -showcerts
CONNECTED(00000003)
depth=0 C = de, L = Papenburg, O = Elektro Mu\C3\9Fwessels GmbH, CN = firewall.elektro-musswessels.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = de, L = Papenburg, O = Elektro Mu\C3\9Fwessels GmbH, CN = firewall.elektro-musswessels.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=de/L=Papenburg/O=Elektro Mu\xC3\x9Fwessels GmbH/CN=firewall.elektro-musswessels.de
   i:/C=de/L=Papenburg/O=Elektro Mu\xC3\x9Fwessels GmbH/CN=Elektro Mu\xC3\x9Fwessels GmbH WebAdmin CA/emailAddress=administrator@elektro-musswessels.de
-----BEGIN CERTIFICATE-----
MIIE+DCCA+CgAwIBAgIJANGWSHAYQCDqMA0GCSqGSIb3DQEBCwUAMIGoMQswCQYD
VQQGEwJkZTESMBAGA1UEBwwJUGFwZW5idXJnMSEwHwYDVQQKDBhFbGVrdHJvIE11
w593ZXNzZWxzIEdtYkgxLTArBgNVBAMMJEVsZWt0cm8gTXXDn3dlc3NlbHMgR21i
SCBXZWJBZG1pbiBDQTEzMDEGCSqGSIb3DQEJARYkYWRtaW5pc3RyYXRvckBlbGVr
dHJvLW11c3N3ZXNzZWxzLmRlMB4XDTIxMDQxNTA3MTkyOFoXDTIzMDYyNDA3MTky
OFowbjELMAkGA1UEBhMCZGUxEjAQBgNVBAcMCVBhcGVuYnVyZzEhMB8GA1UECgwY
RWxla3RybyBNdcOfd2Vzc2VscyBHbWJIMSgwJgYDVQQDDB9maXJld2FsbC5lbGVr
dHJvLW11c3N3ZXNzZWxzLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAvvjREm9BB5n8I1Ym0YpuIc7xfSrwjQNhQ4vIXTk++AwVzapTgbhTymMHnw0o
YcS/eQDsJsSESJH0gcMHt8Zg2s3tXXDVPoA/O4B0Y6NgF6dd/XG75h3Nyv3dX5SM
U4OtQJfmV0lpllwneziWah5JAZQVV5oUsiqnpdDKJoA86txAEBeVVs8xYQ0vM0iL
E7kV19Mq1zjZ4XFHEiMN6GLbh7qm26AdKt/XgqFD+WJwaZH8RVHlNW/KIF3XzOqQ
OWKo6BHevv0zW6N49PSUjT36WmlYP4FNMLxABGGcOZTL7DzXzeYFo75jED7hHHsp
xFBsieHHwr7TrqjLXwujysDumwIDAQABo4IBXDCCAVgwHQYDVR0OBBYEFEluex6A
wQfD+RavXDQh7YWV95ejMIHdBgNVHSMEgdUwgdKAFILFqWdnxbtGLy/QRjZbxZqn
p+F4oYGupIGrMIGoMQswCQYDVQQGEwJkZTESMBAGA1UEBwwJUGFwZW5idXJnMSEw
HwYDVQQKDBhFbGVrdHJvIE11w593ZXNzZWxzIEdtYkgxLTArBgNVBAMMJEVsZWt0
cm8gTXXDn3dlc3NlbHMgR21iSCBXZWJBZG1pbiBDQTEzMDEGCSqGSIb3DQEJARYk
YWRtaW5pc3RyYXRvckBlbGVrdHJvLW11c3N3ZXNzZWxzLmRlggkA0ZZIcBhAIOkw
KgYDVR0RBCMwIYIfZmlyZXdhbGwuZWxla3Ryby1tdXNzd2Vzc2Vscy5kZTATBgNV
HSUEDDAKBggrBgEFBQcDATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkqhkiG
9w0BAQsFAAOCAQEAkib7j+NtpIIoXVDm0qE43QZqIDTXHgxaooFmqEnyqxC2yJsw
ZFc1npis4IZvksq+5nV6jVh77E99WB1sQN7e2n7iGCUEewdS+npWDDG/9pFayc2s
9YVixmf3qdQTDljn5uzmZv9lscgQJOJpqOnnBrsWxj+who/2b55qEjtEPbGLTsjx
MYieeAEbHcUBHoh2vL6jANXTWCMVdC7ci0LSirXU6yAhBFSWZfFNxW35L6z+zbRg
08bkZFZb8tygXuK8cn5wkTUNcAjQHY9UFDJcM6IHJ0E2mvICDENk84to2Vb5uDEB
ESk9lZjVVE2BgoZyGG7ftWzvL7Q5u1+1ILpTmw==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=de/L=Papenburg/O=Elektro Mu\xC3\x9Fwessels GmbH/CN=firewall.elektro-musswessels.de
issuer=/C=de/L=Papenburg/O=Elektro Mu\xC3\x9Fwessels GmbH/CN=Elektro Mu\xC3\x9Fwessels GmbH WebAdmin CA/emailAddress=administrator@elektro-musswessels.de
---
No client certificate CA names sent
---
SSL handshake has read 1585 bytes and written 603 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA
    Session-ID: 14B8CEF599B6CB374496FE0EB0444BD320C62CC53C7C2DFABBB39C40E0E7E169
    Session-ID-ctx:
    Master-Key: 37C4184DDC2914F5CC71FEDD63038B0A4339CF6C9A0B7D4BBC2EDB5AF9002F3D87A751884E6820BD2518E5AA8E3453EE
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 92 8c 9f 42 fc 66 49 22-ee 7d a7 ea 3e b4 2b 27   ...B.fI".}..>.+'
    0010 - f5 18 be 8a b5 cf f2 bf-97 9e 67 d5 5c f8 5b 6f   ..........g.\.[o
    0020 - 10 1d 48 b4 6b 6e 8c e4-45 5a 7e 0b 9e c9 83 1f   ..H.kn..EZ~.....
    0030 - c6 4f 05 db ee f1 80 ef-48 73 46 6f 6d 17 09 0d   .O......HsFom...
    0040 - 33 65 92 7b 5d cd 64 7d-f2 1f d6 b4 3d 4e 9b fd   3e.{].d}....=N..
    0050 - a2 e3 2e 04 fb 1d 4a 74-14 43 9a b3 0e 44 15 b1   ......Jt.C...D..
    0060 - 40 84 ef 7c 09 bf 21 85-2d b4 d3 84 be 3d cf 7a   @..|..!.-....=.z
    0070 - 68 26 24 0a ce 11 23 92-f4 e6 06 00 1a 52 7f cd   h&$...#......R..
    0080 - a6 9c bf 65 b9 af 0b 62-2d 76 f4 67 25 ba 31 af   ...e...b-v.g%.1.
    0090 - fb aa cb 40 14 59 e6 c5-62 e7 1f 01 e0 e4 74 6f   ...@.Y..b.....to

    Start Time: 1636716921
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK POP3Proxy ready on node 1

Adding a bypass rule in the sophos utm, i get the right answer from 1und1, although pop3 ist running:

Code: Select all

[root@mw24mailgate clamav]# openssl s_client -connect 212.227.15.162:995 -showcerts
CONNECTED(00000003)
depth=1 C = DE, O = T-Systems International GmbH, OU = T-Systems Trust Center, ST = Nordrhein Westfalen, postalCode = 57250, L = Netphen, street = Untere Industriestr. 20, CN = TeleSec ServerPass Class 2 CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=DE/O=IONOS SE/ST=Rheinland-Pfalz/L=Montabaur/CN=smtp.ionos.de
   i:/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/street=Untere Industriestr. 20/CN=TeleSec ServerPass Class 2 CA
-----BEGIN CERTIFICATE-----
MIIJHzCCCAegAwIBAgIQG1ebkEKWxDfDaN0aEa/xqjANBgkqhkiG9w0BAQsFADCB
3zELMAkGA1UEBhMCREUxJTAjBgNVBAoMHFQtU3lzdGVtcyBJbnRlcm5hdGlvbmFs
IEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxHDAaBgNVBAgM
E05vcmRyaGVpbiBXZXN0ZmFsZW4xDjAMBgNVBBEMBTU3MjUwMRAwDgYDVQQHDAdO
ZXRwaGVuMSAwHgYDVQQJDBdVbnRlcmUgSW5kdXN0cmllc3RyLiAyMDEmMCQGA1UE
AwwdVGVsZVNlYyBTZXJ2ZXJQYXNzIENsYXNzIDIgQ0EwHhcNMjEwODA0MDgzNzE0
WhcNMjIwODA4MjM1OTU5WjBmMQswCQYDVQQGEwJERTERMA8GA1UEChMISU9OT1Mg
U0UxGDAWBgNVBAgTD1JoZWlubGFuZC1QZmFsejESMBAGA1UEBxMJTW9udGFiYXVy
MRYwFAYDVQQDEw1zbXRwLmlvbm9zLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAzuQ4lyENhRxAA8ctVb3kzTunHeZQtcBuDKC2z3hYdWOaxIEZ5ifx
0mOkvnpBH569e0ABKzorocGamwosM0zMIY8FbXpb05fm6/fIpStZ1vAdxQZooCd1
ePHlzvhaA/PA9ynY55utK2waSO4SWvv4VzZlIMdOY/S6a5lmQy02pmJ3Rv6ovCH3
upho4nkgtw4pQncvB6FjLe6j78NwDaeYnALrU1mOGsC/KfQZulI5snZoYX6RGnxd
KEycIscwHjc01H73wiCsaAVKfBt9LczxP7wFNDv/0pf6+eVyykADH8CJD26z64U6
3FMXYHRuNf7rAaBgl8Yy3pk8J3T3ucIwlwIDAQABo4IFTTCCBUkwHwYDVR0jBBgw
FoAUlMh0RvU6tEZIJvgryjQeViYEEgAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUvUEvaEZG9zzB136TQGxw
DxPVbaswZQYDVR0gBF4wXDBQBgorBgEEAb1HDRcBMEIwQAYIKwYBBQUHAgEWNGh0
dHA6Ly9kb2NzLnNlcnZlcnBhc3MudGVsZXNlYy5kZS9jcHMvc2VydmVycGFzcy5o
dG0wCAYGZ4EMAQICMEsGA1UdHwREMEIwQKA+oDyGOmh0dHA6Ly9jcmwuc2VydmVy
cGFzcy50ZWxlc2VjLmRlL3JsL1NlcnZlclBhc3NfQ2xhc3NfMi5jcmwwgZkGCCsG
AQUFBwEBBIGMMIGJMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5zZXJ2ZXJwYXNz
LnRlbGVzZWMuZGUvb2NzcHIwUgYIKwYBBQUHMAKGRmh0dHA6Ly9jcmwuc2VydmVy
cGFzcy50ZWxlc2VjLmRlL2NydC9UZWxlU2VjX1NlcnZlclBhc3NfQ2xhc3NfMl9D
QS5jZXIwDAYDVR0TAQH/BAIwADCBkgYDVR0RBIGKMIGHgg1zbXRwLmlvbm9zLmRl
ggxwb3AuaW9ub3MuZGWCDWltYXAuaW9ub3MuZGWCDXNtdHAuMXVuZDEuZGWCDHBv
cC4xdW5kMS5kZYINaW1hcC4xdW5kMS5kZYIOc210cC4xdW5kMS5jb22CDXBvcC4x
dW5kMS5jb22CDmltYXAuMXVuZDEuY29tMIIC4wYKKwYBBAHWeQIEAgSCAtMEggLP
As0AdQBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAXsQT0WgAAAE
AwBGMEQCIBCjE6ekpkg454Y0vr83ep5ZRg7/TRfc/v8aqGXLeRlzAiBGhIj2z+zy
gK+Pc/q5fuLhQlmPQ9uyNnUbbD4/spe0wQB2AEalVet1+pEgMLWiiWn0830RLEF0
vv1JuIWr8vxw/m1HAAABexBPRXYAAAQDAEcwRQIgD+cLJPE/eeybA3voTYOVazEp
6zkcGPyp7Gp8FYaqSZsCIQDyaLjB1DCunmEjTG2GW8lplm9fqzz1XPX1qNZFqWl6
/gB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABexBPRa4AAAQD
AEcwRQIgVlUdsD7PSUAZ5EAuBMGGrj9GM7cvjyDY79j9qzxYQu8CIQDPqRkHflMz
B5whutDPX8LNJU0Ol2BGeIXvZrjYvGpvLgB1AFWB1MIWkDYBSuoLm1c8U/DA5Dh4
cCUIFy+jqh0HE9MMAAABexBPRkwAAAQDAEYwRAIgKYKhdcCKTBjW/ZKUZK+FMd22
ztrDJV4ey4LcuWAV7o0CIClafT1OMj//bLEaUmYmYaJCRlHkcFEhAqNog8mSYxC0
AHYAUaOw9f0BeZxWbbg3eI8MpHrMGyfL956IQpoN/tSLBeUAAAF7EE9G5QAABAMA
RzBFAiEA1IQZojkTRM32F1b8e8tj2EmfUKpgBiYV+CUNMXJDs1gCIGJB9DF2nLq4
B+6C8ZBrMuYsdXB95qOCuArrTZlGL22NAHUAQcjKsd8iRkoQxqE6CUKHXk4xixsD
6+tLx2jwkGKWBvYAAAF7EE9H5QAABAMARjBEAiABbDUDv6ml07NEta9U4z0baijB
APlhapVOKMklfpf4IAIgMFbPVBoalTWk4P3NM7z6GrE76OID0JAkDcb8svxQAYMw
DQYJKoZIhvcNAQELBQADggEBALvJsgIj+vU+bcKLPYPPBn0I/WK4q6WQISdkeTLf
RiqZjjwlv8k6w3mh6YKO1sUSOBGa9BR4VmVQDhLIQ8vzZFAvzYg2ainX/RrybQiC
L1al1yVk/vmB1pamKIifelclOEXPLlcBG6UessvpNxA8ajnwdeYIrh6iN6rKZugU
iJJp03gQD/BZSEMH9koEBjQtrOltdzGWf8WVsDMlQQ+wGE6zLhM+BkKnZNBE42Kj
QYscMOc4+OMkMMqo+F1suxAuldUcJrhvSsNR0GirdjVKmG343Fu0g6k+j4qlrrR2
rhxWFA59pdq+yxDTLJy1XP6efGWJCge/g7WO4G89NNdpIcY=
-----END CERTIFICATE-----
 1 s:/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/street=Untere Industriestr. 20/CN=TeleSec ServerPass Class 2 CA
   i:/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
-----BEGIN CERTIFICATE-----
MIIFwDCCBKigAwIBAgIIfjnHrR3Z8EMwDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNV
BAYTAkRFMSswKQYDVQQKDCJULVN5c3RlbXMgRW50ZXJwcmlzZSBTZXJ2aWNlcyBH
bWJIMR8wHQYDVQQLDBZULVN5c3RlbXMgVHJ1c3QgQ2VudGVyMSUwIwYDVQQDDBxU
LVRlbGVTZWMgR2xvYmFsUm9vdCBDbGFzcyAyMB4XDTE0MDIxMTE0MzkxMFoXDTI0
MDIxMTIzNTk1OVowgd8xCzAJBgNVBAYTAkRFMSUwIwYDVQQKDBxULVN5c3RlbXMg
SW50ZXJuYXRpb25hbCBHbWJIMR8wHQYDVQQLDBZULVN5c3RlbXMgVHJ1c3QgQ2Vu
dGVyMRwwGgYDVQQIDBNOb3JkcmhlaW4gV2VzdGZhbGVuMQ4wDAYDVQQRDAU1NzI1
MDEQMA4GA1UEBwwHTmV0cGhlbjEgMB4GA1UECQwXVW50ZXJlIEluZHVzdHJpZXN0
ci4gMjAxJjAkBgNVBAMMHVRlbGVTZWMgU2VydmVyUGFzcyBDbGFzcyAyIENBMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3oxwJVY3bSb6ejJ42f9VEt1N
vW2swwllcs5ifPsHAulpSoFc2Y9gMOKQqkuyjN1foCegDDeEr6FBLD5YuROldcX8
2aDNBKDh9GpSJYZMLrYwlfR4EJUGwLidHDn93H95j1M67sNlCyCfcbso0zFBQzXK
KO06sbC1QH9M1Xdrltz8bQS+LbGRTM5JcPYhhxXcnsFstQVaGmfqFQitPXhT3g9+
8Fbob6taSylFVk1E89G2N0NrrtIVTnaD0PcWF8AdMyX34zIoQAXMezyGV2kqst/Q
Ghvzd09jjMT6f8Q8pAlyGFTGuxsEjeU/rrS/yKU8bFEEvuR5WT/I4Kme+8OlzQID
AQABo4IB2TCCAdUwEgYDVR0TAQH/BAgwBgEB/wIBADBDBgNVHSAEPDA6MDgGBFUd
IAAwMDAuBggrBgEFBQcCARYiaHR0cDovL3BraS50ZWxlc2VjLmRlL2Nwcy9jcHMu
aHRtbDAOBgNVHQ8BAf8EBAMCAQYwge8GA1UdHwSB5zCB5DA1oDOgMYYvaHR0cDov
L3BraS50ZWxlc2VjLmRlL3JsL0dsb2JhbFJvb3RfQ2xhc3NfMi5jcmwwgaqggaeg
gaSGgaFsZGFwOi8vcGtpLnRlbGVzZWMuZGUvQ049VC1UZWxlU2VjJTIwR2xvYmFs
Um9vdCUyMENsYXNzJTIwMixPVT1ULVN5c3RlbXMlMjBUcnVzdCUyMENlbnRlcixP
PVQtU3lzdGVtcyUyMEVudGVycHJpc2UlMjBTZXJ2aWNlcyUyMEdtYkgsQz1ERT9B
dXRob3JpdHlSZXZvY2F0aW9uTGlzdDA4BggrBgEFBQcBAQQsMCowKAYIKwYBBQUH
MAGGHGh0dHA6Ly9vY3NwLnRlbGVzZWMuZGUvb2NzcHIwHQYDVR0OBBYEFJTIdEb1
OrRGSCb4K8o0HlYmBBIAMB8GA1UdIwQYMBaAFL9ZIDYAeaCgImuM1fJh0rgsy4JK
MA0GCSqGSIb3DQEBCwUAA4IBAQB55S9CfCkclWVtUIxl2c4aM5wqlLZRZ7zVhynK
KOhWKyTw+D2BOjc+TXIPkgRMqF3Sn8ZD4UTOARboJxswYnLZDkvBuvTbYa+N52Jy
oBP2TXIpEWEyJl7Oq8NFbERwg4X6MabLgjGvJETicPpKGfAINKDwPScQCsWHiCaX
X50cZzmWw17S0rWECOvPEt/4tXJ4Me9aAxx6WRm708n/K8O4mB3AzvA/M7VUDaP9
8LtreoTnWInjyg/8+Ahtce3foMXiIP4+9IX7fbm6yqh4u33tqMESDcRP6eGdzq4D
qnHyIvj9XNpuGgMvDgq357kZQS9e5XVH5icSvW1kr2kX2t1f
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/O=IONOS SE/ST=Rheinland-Pfalz/L=Montabaur/CN=smtp.ionos.de
issuer=/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/street=Untere Industriestr. 20/CN=TeleSec ServerPass Class 2 CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4323 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4C5C9D76E682C9F2F7354464E02805DBBEACA5A662726A6E484DAC760AD18569
    Session-ID-ctx:
    Master-Key: 5790C2E86368A4F30A61979B9391D05FC3892F69F8E19DC795F5FE530C583219ECDCE8B43915BA87BC58A58E03AA2423
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1636717133
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK POP server ready H mieue042 1MOzbI-1n47eR1JCm-00Pd1q

So: how can i get running fetchmail like our Tobit Server, which connects through the active Pop3Proxy using the firewall cert without problems ?

Tobit Log:

Code: Select all

:5: Connecting to server 212.227.15.178
:5: (00000692) New Socket
:5: (00000692) ReUseAddr          : 1
:5: (00000692) OutOfBandDataInline: 1
:5: (00000692) KeepAlive          : 5 minutes
:5: (00000692) Socket Bound to Port 0
:5: (00000692) Socket Connected to 212.227.15.178
(00000692)(DAVIDTLS) Server certificate information:
(00000692) Subject: /C=de/L=Papenburg/O=Elektro Mu\xC3\x9Fwessels GmbH/CN=firewall.elektro-musswessels.de                                                                                                                   
(00000692) Issuer: /C=de/L=Papenburg/O=Elektro Mu\xC3\x9Fwessels GmbH/CN=Elektro Mu\xC3\x9Fwessels GmbH WebAdmin CA/emailAddress=administrator@elektro-musswessels.de                                                      
(00000692) SSL version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256
:5: SSL connected
:5: ReceiveMail: connected, Socket=00000692
:7: (00000760) read (5/0)
:7: (00000760) Got complete TCP Message (Size=5)
:7: +OK
:7: STAT
:10: (00000452) read (5/0)
:10: (00000452) Got complete TCP Message (Size=5)
:10: +OK
:10: STAT
:9: (00000712) read (5/0)
:9: (00000712) Got complete TCP Message (Size=5)
:9: +OK
:9: STAT
:8: (00000672) read (5/0)
:8: (00000672) Got complete TCP Message (Size=5)
:8: +OK
:8: STAT
:7: (00000760) read (9/0)
:7: (00000760) Got complete TCP Message (Size=9)
:7: +OK 0 0
:7: QUIT
:7: (00000760) read (5/0)
:7: (00000760) Got complete TCP Message (Size=5)
:7: +OK
:7: mailboxDone

best regards,
Frank
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by henk »

Frank,

The error is on your (client)side

watch the "verify error:num=20:unable to get local issuer certificate" in your example

Question: When you go and visit any https site with your browser, did you ever needed to download and store anything first?
I dont and I also use fetchmail with pop3s.

If I remember well, you need to focus on access rights. Will check my config, when I've got time and report back.

Key is the unable to get local issuer certificate.

Let me show my check, notice the difference? And I sure didnt download anything.

Code: Select all

openssl s_client -connect 212.227.15.162:995 -showcerts
CONNECTED(00000003)
depth=2 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
verify return:1
depth=1 C = DE, O = T-Systems International GmbH, OU = T-Systems Trust Center, ST = Nordrhein Westfalen, postalCode = 57250, L = Netphen, street = Untere Industriestr. 20, CN = TeleSec ServerPass Class 2 CA
verify return:1
depth=0 C = DE, O = IONOS SE, ST = Rheinland-Pfalz, L = Montabaur, CN = smtp.ionos.de
verify return:1
---
Certificate chain
 0 s:/C=DE/O=IONOS SE/ST=Rheinland-Pfalz/L=Montabaur/CN=smtp.ionos.de
   i:/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/street=Untere Industriestr. 20/CN=TeleSec ServerPass Class 2 CA
-----BEGIN CERTIFICATE-----
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
DeRaptor
Posts: 28
Joined: 25 Oct 2017 15:47

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by DeRaptor »

Thank you - take time ;-)

And i got my old account . found the right password :lol:
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by henk »

haha, lost passwords..

can you check openssl version -d

Code: Select all

openssl version -d
OPENSSLDIR: "/etc/pki/tls"
The wanted CA

Code: Select all

ls -l /etc/pki/tls/certs

Code: Select all

total 32
lrwxrwxrwx  1 root root   49 Sep 24 15:58 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx  1 root root   55 Sep 24 15:58 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-------  1 root root 1460 Aug 13  2020 localhost.crt
-rw-r--r--. 1 root root  870 Jan  6  2020 mailscanner.cnf
-rw-r--r--. 1 root root 1484 Jan  6  2020 mailscanner.crt
-rw-r--r--. 1 root root 1094 Jan  6  2020 mailscanner.csr
-rw-------. 1 root root 1679 Nov 30  2019 mailscanner.key
-rwxr-xr-x  1 root root  610 Oct 14 14:30 make-dummy-cert
-rw-r--r--  1 root root 2516 Oct 14 14:30 Makefile
-rwxr-xr-x  1 root root  829 Oct 14 14:30 renew-dummy-cert
consider disable all protocolls and just enable TLS1.2

Code: Select all

/etc/httpd/conf.d/ssl.conf
SSLProtocol -all +TLSv1.2'
'SSLProxyProtocol -all +TLSv1.2
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
DeRaptor
Posts: 28
Joined: 25 Oct 2017 15:47

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by DeRaptor »

henk wrote: 11 Nov 2021 12:54 fetchmail issues :shock:
Hi,

after destroying my local certificate store, i decided to restinstall eFa complete new. :?

And i use now fetchmail with option --ssplproto tls1.2 :shifty: as henk suggested - if intelligence services will read your mails, they have way to read with SSL encryption. :ugeek:

best regards,
Frank
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by henk »

If it aint broke it needs more... :lol:

Great you've got it working, assuming you also had a look at viewtopic.php?t=2545 :clap:

on the intelligence services reading mail.

2 options.

1. encrypt messages with PGP and use pigeons to send the passphrase :ugeek:

Code: Select all

-----BEGIN PGP MESSAGE-----

jA0ECQMC+qdzDR7ZDev10koBqvtyxh5mWuVu15nUlxYiXZ2SnkI3BcIE76dUe0z2
NlUBxkNTwzC3Yqu6lbCKfcOf3EsMY71dI4H5yqSqKXVJK0LDROd6RBad4A==
=mjPN
-----END PGP MESSAGE-----
2. Use the Dutch language, and no-one will understand a word you say. Works for mail too. Go try :lol:
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
DeRaptor
Posts: 28
Joined: 25 Oct 2017 15:47

Re: Sophos POP3 Proxy / SSL / fetchmail on eFa-4.0.4

Post by DeRaptor »

henk wrote: 23 Nov 2021 23:14 2. Use the Dutch language, and no-one will understand a word you say. Works for mail too. Go try :lol:
:D :lol: :lol:

Consider: i live in border neighbourhood, and the east frisia language has the same speech roots as Dutch.
Although i don't speak east frisia language, i understand them, if they speak slowly. And i understand Dutch, if it's spoken slowly ;-)

Thank you for your kind support !
Post Reply