夜神 岩男 wrote:

>> I'm trying to set up sendmail/dovecot on a new server running CentOS-6
>> (well, CentOS-6.2 now).
>> Everything seems to go well, but when I run fetchmail I get this warning:
>> ------------------------------------
>> [tim at grover ~]$ fetchmail imap.maths.tcd.ie
>> fetchmail: Warning: the connection is insecure, continuing anyways.
>> (Better use --sslcertck!)
>> ------------------------------------
>>
>> If I do add --sslcertck (as suggested) I get the response:
>> ------------------------------------
>> [tim at grover ~]$ fetchmail --sslcertck imap.maths.tcd.ie
>> fetchmail: Server certificate verification error: self signed certificate
>> fetchmail: This means that the root signing certificate (issued for
>> /C=IE/ST=Dublin/L=Dublin/O=School of Mathematics, Trinity College,
>> Dublin./OU=Automatically-generated IMAP SSL
>> key/CN=imap.maths.tcd.ie/emailAddress=postmaster- k8gv5eYDmBCYFDSwBDOiMg at public.gmane.org)
>> is not in the trusted CA certificate locations, or that c_rehash needs to
>> be run on the certificate directory. For details, please see the
>> documentation of --sslcertpath and --sslcertfile in the manual page.
>> 139925738739528:error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>> failed:s3_clnt.c:1063:
>> fetchmail: SSL connection failed.
>> fetchmail: socket error while fetching from
>> tim at imap.maths.tcd.ie
>> fetchmail: Query status=2 (SOCKET)
>> ------------------------------------

> It's just healthier, more detailed warnings than what you got before.
>
> SSL/TLS relies on a third party verification of a certificate. This
> means a third party's signature on the certificate of the site you are
> connecting to. If, on the other hand, the site you're connecting to
> signed their own certificate themselves, then you have no way of knowing
> if they are really themselves because nobody outside of the 2-party
> connection is validating that the system you're talking to today is the
> same system you were talking to yesterday.

Thanks very much for your explanation,
which throws some light on the subject.

What I still find a little puzzling is that
"fetchmail --sslcertck imap.maths.tcd.ie" tells me the SSL connection failed,
yet "fetchmail imap.maths.tcd.ie" seems to work.

Also, I'm not clear if SSL will look at all the crt's in /etc/pki/tls/certs,
or just ca-bundle.crt?

-- 
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin
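
Added example, not part of the original message and not fetchmail's own code: a shell script using the openssl command line to show why a self-signed certificate fails verification until it is itself placed in the trust store, and that a certificate directory is searched by hashed file name (the names c_rehash creates) rather than by reading every file in it. The certificate, the host name imap.example.test and the function names are constructed for the demo; OpenSSL 1.1.0 or later is assumed, since older versions of "openssl verify" do not signal failure through the exit status.

```sh
#!/bin/sh
# Constructed demo: the certificate is generated locally and stands in for
# a server's self-signed certificate. Assumes OpenSSL 1.1.0 or later.

make_cert() {       # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=imap.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

setup_stores() {    # $1 = working directory
    mkdir -p "$1/plain" "$1/hashed"
    # Directory with the certificate under an ordinary file name.
    cp "$1/cert.pem" "$1/plain/server.crt"
    # Directory with the certificate under its subject-hash name,
    # which is the name c_rehash would link it to.
    hash=$(openssl x509 -noout -hash -in "$1/cert.pem")
    cp "$1/cert.pem" "$1/hashed/$hash.0"
}

# Prints "trusted" or "untrusted" for certificate $1; any further
# arguments are passed to "openssl verify" to select the trust store.
check() {
    cert=$1; shift
    if openssl verify "$@" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_cert "$d" && setup_stores "$d" || return 1
    c="$d/cert.pem"
    echo "default trust store:       $(check "$c")"
    echo "-CAfile with the cert:     $(check "$c" -CAfile "$c")"
    echo "-CApath, plain file name:  $(check "$c" -CApath "$d/plain")"
    echo "-CApath, hashed file name: $(check "$c" -CApath "$d/hashed")"
    rm -rf "$d"
}

demo
```

The -CAfile and -CApath options of "openssl verify" correspond to the two kinds of trust location that the fetchmail error message refers to with --sslcertfile and --sslcertpath.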