I see these messages every time fetchmail pops my mail. I don't understand what certificates it is talking about, or how to straighten this out.
fetchmail: Server CommonName mismatch: localhost != mail.mydomain.com
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Server certificate verification error: certificate has expired
What do I need to read up on to understand this and find a fix?
TIA, -chuck
On Wed, Oct 24, 2007 at 11:46:34AM -0500, Chuck Campbell wrote:
> I see these messages every time fetchmail pops my mail. I don't understand what certificates it is talking about, or how to straighten this out.

A certificate identifies the server, i.e., the client gets a piece of information about the server that can be used to start a private conversation. The certificate must be signed by an entity that you trust.

> fetchmail: Server CommonName mismatch: localhost != mail.mydomain.com

The certificate was issued for the server: 'localhost', but you're connecting to 'mail.mydomain.com'. This could be a man-in-the-middle attack.

> fetchmail: Server certificate verification error: self signed certificate

The certificate is signed by itself, not by an external entity that you trust. You can't be sure you're talking with the correct server.

> fetchmail: Server certificate verification error: certificate has expired

Every certificate has a validity (start and end date when the certificate is valid). Yours has expired.

> What do I need to read up on to understand this and find a fix?

Public key infrastructure (PKI):
http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_singl...
http://www.carillon.ca/library/howtos.php
In article 20071024170332.GA9826@bit.office.eurotux.com, Luciano Rocha strange@nsk.no-ip.org wrote:
> On Wed, Oct 24, 2007 at 11:46:34AM -0500, Chuck Campbell wrote:
> > I see these messages every time fetchmail pops my mail. I don't understand what certificates it is talking about, or how to straighten this out.
>
> A certificate identifies the server, i.e., the client gets a piece of information about the server that can be used to start a private conversation. The certificate must be signed by an entity that you trust.
>
> > fetchmail: Server CommonName mismatch: localhost != mail.mydomain.com
>
> The certificate was issued for the server: 'localhost', but you're connecting to 'mail.mydomain.com'. This could be a man-in-the-middle attack.

Or it could be a poorly set up mail server.

> > fetchmail: Server certificate verification error: self signed certificate
>
> The certificate is signed by itself, not by an external entity that you trust. You can't be sure you're talking with the correct server.
>
> > fetchmail: Server certificate verification error: certificate has expired
>
> Every certificate has a validity (start and end date when the certificate is valid). Yours has expired.

Actually, it is not "your" certificate. It is the certificate installed on the mail server. It looks like the administrator of your mail server has set it up with a test certificate issued to "localhost", signed by itself, and which has now expired. They should instead purchase a validated certificate from a certification authority.

> > What do I need to read up on to understand this and find a fix?

It's not something you can fix, except by getting your mail hosting from another provider, or persuading your current provider to get a proper certificate.

Cheers
Tony
Luciano Rocha wrote:
> On Wed, Oct 24, 2007 at 11:46:34AM -0500, Chuck Campbell wrote:
> > I see these messages every time fetchmail pops my mail. I don't understand what certificates it is talking about, or how to straighten this out.
>
> A certificate identifies the server, i.e., the client gets a piece of information about the server that can be used to start a private conversation. The certificate must be signed by an entity that you trust.
>
> > fetchmail: Server CommonName mismatch: localhost != mail.mydomain.com
>
> The certificate was issued for the server: 'localhost', but you're connecting to 'mail.mydomain.com'. This could be a man-in-the-middle attack.
>
> > fetchmail: Server certificate verification error: self signed certificate
>
> The certificate is signed by itself, not by an external entity that you trust. You can't be sure you're talking with the correct server.
>
> > fetchmail: Server certificate verification error: certificate has expired
>
> Every certificate has a validity (start and end date when the certificate is valid). Yours has expired.
>
> > What do I need to read up on to understand this and find a fix?
>
> Public key infrastructure (PKI):
> http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_singl...
> http://www.carillon.ca/library/howtos.php

I would like to point out that the certificate in question resides on the server where you are getting your mail from ... not your machine with fetch on it, so unless you own the mail server that it is pulling from, you are not going to fix the certificate.
On Wed, Oct 24, 2007 at 12:22:21PM -0500, Johnny Hughes wrote:
> Luciano Rocha wrote:
> > On Wed, Oct 24, 2007 at 11:46:34AM -0500, Chuck Campbell wrote:
> > > I see these messages every time fetchmail pops my mail. I don't understand what certificates it is talking about, or how to straighten this out.
>
> I would like to point out that the certificate in question resides on the server where you are getting your mail from ... not your machine with fetch on it, so unless you own the mail server that it is pulling from, you are not going to fix the certificate.

I assumed the mail server was under the poster's control. It's unusual to see a public server with so badly set up PKI.
On Wed, Oct 24, 2007 at 06:58:06PM +0100, Luciano Rocha wrote:
> On Wed, Oct 24, 2007 at 12:22:21PM -0500, Johnny Hughes wrote:
> > Luciano Rocha wrote:
> > > On Wed, Oct 24, 2007 at 11:46:34AM -0500, Chuck Campbell wrote:
> > > > I see these messages every time fetchmail pops my mail. I don't understand what certificates it is talking about, or how to straighten this out.
> >
> > I would like to point out that the certificate in question resides on the server where you are getting your mail from ... not your machine with fetch on it, so unless you own the mail server that it is pulling from, you are not going to fix the certificate.
>
> I assumed the mail server was under the poster's control. It's unusual to see a public server with so badly set up PKI.
>
> -- lfr 0/0

Interestingly, it is our hosting provider, networksolutions...

Possibly I need to set something in my administrator capacity for the email server. I'll drop them an email and find out.

Thanks for the help.

-chuck
On Wed, Oct 24, 2007 at 11:46:34AM -0500, Chuck Campbell wrote:
> I see these messages every time fetchmail pops my mail. I don't understand what certificates it is talking about, or how to straighten this out.
>
> fetchmail: Server CommonName mismatch: localhost != mail.mydomain.com
> fetchmail: Server certificate verification error: self signed certificate
> fetchmail: Server certificate verification error: certificate has expired
>
> What do I need to read up on to understand this and find a fix?

I get messages like this with my fetchmail -- the cause has been either the mail provider on the remote end is using a default, self-signed and unmaintained certificate (i.e. when you install Sendmail, you get some self-signed certs generated that are useless beyond the scope of your own private use); in other cases I have been referring to the computer by a name which differs from that which the certificate was created with.

In this case I suspect a combination of the two. It looks like the service provider got a default cert set up with the system referring to itself as 'localhost', which is naturally different from the name 'mail.mydomain.com' which is how you are referring to it.

In practice this is probably nothing to worry unduly about unless you are paying extra for verified TLS-secured mail transmission. The expired, mismatched-name cert will be used to encrypt the mail transmission just as well as a "proper" cert will.
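
The three checks behind the fetchmail messages discussed in this thread, as an added example that is not part of any post and is not fetchmail's own code. `SAMPLE_CERT` is constructed in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, with made-up dates, and the self-signed test is a simplification that compares subject and issuer rather than verifying a signature chain.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns;
# it models the certificate described in the thread, with made-up dates.
SAMPLE_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notBefore": "Jan  1 00:00:00 2006 GMT",
    "notAfter": "Jan  1 00:00:00 2007 GMT",
}

def _names(cert):
    """DNS names the certificate claims: subjectAltName first, else CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _matches(pattern, host):
    """Case-insensitive match; '*' allowed only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def diagnose(cert, host, now):
    """Return the list of problems, in the order fetchmail reported them."""
    problems = []
    names = _names(cert)
    if not any(_matches(n, host) for n in names):
        problems.append("name mismatch: %s != %s" % (", ".join(names) or "(none)", host))
    # Simplification (assumption): equal subject and issuer is treated as self-signed.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self signed certificate")
    ts = now.timestamp()
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    elif ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    return problems

if __name__ == "__main__":
    when = datetime(2007, 10, 24, 16, 46, 34, tzinfo=timezone.utc)
    for line in diagnose(SAMPLE_CERT, "mail.mydomain.com", when):
        print(line)
```

Each finding is independent: connecting under the name `localhost` while the sample certificate was still in date would clear the first and third findings and leave only the self-signed one.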