
Re: Fetchmail (long); continually losing authentication with gmx.net



2014-11-25 21:34 GMT+01:00 Ron Leach <ronleach@tesco.net>:
> Did the trick.  Logs show that fetchmail is
> 1. using opportunistic TLS on pop3, but
> 2. Sometimes times out after receiving a certificate, and then
> 3. Fetchmail declines to use TLS with the *next* user, but
> 4. gmx complains about not using ssl, and fails the authorisation.
>
> That repeats at each poll.  I wonder what might be causing the timeout?  But
> shouldn't fetchmail tolerate communication hiccups, anyway?  (Rhetorical
> Qs.)
>
> I'll post the log showing the fail event(s) in case it helps, but I think
> I'd like to run either the latest fetchmail (from sourceforge), or the
> version from Debian Etch (which doesn't fail).
>
> Here's a failing fetchmail log (anonymised).  Fetchmail tries to collect
> mail for 2 users, user1 and user2.  TLS fails during user1, and fetchmail
> then doesn't try TLS for user2 (and doesn't try TLS ever again for user2,
> though not shown here), but gmx complains every time about not using SSL.
>
> fetchmail: awakened at Tue 25 Nov 2014 18:33:40 GMT
> fetchmail: 6.3.21 querying pop.gmx.net (protocol POP3) at Tue 25 Nov 2014
> 18:33:40 GMT: poll started
> fetchmail: Trying to connect to 212.227.17.169/110...connected.
> fetchmail: POP3< +OK POP server ready H migmx123 0[…]
> fetchmail: POP3> CAPA
> fetchmail: POP3< +OK Capability list follows
> fetchmail: POP3< TOP
> fetchmail: POP3< UIDL
> fetchmail: POP3< STLS
> fetchmail: POP3< USER
> fetchmail: POP3< SASL PLAIN
> fetchmail: POP3< IMPLEMENTATION trinity
> fetchmail: POP3< .
> fetchmail: POP3> STLS
> fetchmail: POP3< +OK Begin TLS negotiation
> fetchmail: Certificate chain, from root to peer, starting at depth 2:
> fetchmail: Issuer Organisation: Deutsche Telekom AG
> fetchmail: Issuer CommonName: Deutsche Telekom Root CA 2
> fetchmail: Subject CommonName: Deutsche Telekom Root CA 2
> fetchmail: Certificate at depth 1:
> fetchmail: Issuer Organisation: Deutsche Telekom AG
> fetchmail: Issuer CommonName: Deutsche Telekom Root CA 2
> fetchmail: Subject CommonName: TeleSec ServerPass DE-1
> fetchmail: Server certificate:
> fetchmail: Issuer Organisation: T-Systems International GmbH
> fetchmail: Issuer CommonName: TeleSec ServerPass DE-1
> fetchmail: Subject CommonName: pop.gmx.net
> fetchmail: Subject Alternative Name: pop.gmx.net
> fetchmail: Subject Alternative Name: pop.gmx.de
> fetchmail: pop.gmx.net key fingerprint:
> 8A:B7:78:CF:0D:73:4E:EE:FF:EB:B8:C0:90:7D:46:56
> fetchmail: timeout after 100 seconds.
> fetchmail: socket error while fetching from [user1]@gmx.net@pop.gmx.net
> fetchmail: 6.3.21 querying pop.gmx.net (protocol POP3) at Tue 25 Nov 2014
> 18:35:37 GMT: poll completed
> fetchmail: Merged UID list from pop.gmx.net: 0[…]= SEEN
> fetchmail: Query status=2 (SOCKET)
> fetchmail: 6.3.21 querying pop.gmx.net (protocol POP3) at Tue 25 Nov 2014
> 18:35:37 GMT: poll started
> fetchmail: Trying to connect to 212.227.17.169/110...connected.
> fetchmail: POP3< +OK POP server ready H migmx123 0[…]
> fetchmail: POP3> CAPA
> fetchmail: POP3< +OK Capability list follows
> fetchmail: POP3< TOP
> fetchmail: POP3< UIDL
> fetchmail: POP3< STLS
> fetchmail: POP3< USER
> fetchmail: POP3< SASL PLAIN
> fetchmail: POP3< IMPLEMENTATION trinity
> fetchmail: POP3< .
> fetchmail: POP3> STLS
> fetchmail: POP3< +OK Begin TLS negotiation
> fetchmail: pop.gmx.net: opportunistic upgrade to TLS failed, trying to
> continue.
> fetchmail: POP3> USER [user2]@gmx.net
> fetchmail: Repoll immediately on [user2]@gmx.net@pop.gmx.net
> fetchmail: Trying to connect to 212.227.17.169/110...connected.
> fetchmail: POP3< +OK POP server ready H migmx123 0[…]
> fetchmail: POP3> USER [user2]@gmx.net
> fetchmail: POP3< +OK password required for user "[user2]@gmx.net"
> fetchmail: POP3> PASS *
> fetchmail: POP3< -ERR Fehler beim Abruf Ihrer GMX E-Mails. Ihre Verbindung
> ist nicht verschluesselt. Aktivieren Sie SSL in Ihrem Mailprogramm.
> Anleitungen: https://ssl.gmx.net
> fetchmail: Fehler beim Abruf Ihrer GMX E-Mails. Ihre Verbindung ist nicht
> verschluesselt. Aktivieren Sie SSL in Ihrem Mailprogramm. Anleitungen:
> https://ssl.gmx.net
>
> Translation: Error retrieving your GMX email. Your connection is not
> encrypted. Enable SSL in your mail program. Instructions:
> https://ssl.gmx.net
>
> fetchmail: Authorisation failure on [user2]@gmx.net@pop.gmx.net (previously
> authorised)
> fetchmail: POP3> QUIT
> fetchmail: 6.3.21 querying pop.gmx.net (protocol POP3) at Tue 25 Nov 2014
> 18:36:42 GMT: poll completed
> fetchmail: Merged UID list from pop.gmx.net: 0[…]= SEEN
> fetchmail: Query status=3 (AUTHFAIL)
> fetchmail: Writing fetchids file.
> fetchmail: sleeping at Tue 25 Nov 2014 18:36:42 GMT for 150 seconds
>
> I've also saved a log showing the preceding (working) sequence where
> fetchmail successfully checks mailboxes for both users; I didn't post it, to
> save length, but can do if anyone wishes to see it.
>
> I'm not sure what to do.  In particular, I'm not sure whether I should try
> to debug this a little further, in case there's a config problem (though
> it's the same config as the Etch server, and fetchmail works for a while
> before tripping, and I have tried with various config tweaks before posting
> to the list) or in case there's an instability in this version which the
> maintainers should be told about.  Delighted to have some advice on this.

Fetchmail certainly uses the system SSL library, and SSLv3 was recently
disabled system-wide for security reasons (see the POODLE attack).

I ran the following command to debug an SSL connection to your server,
and it succeeded:

openssl s_client -connect pop.gmx.net:110 -starttls pop3 -debug

But requiring SSLv3 doesn't work:

openssl s_client -connect pop.gmx.net:110 -starttls pop3 -debug -ssl3

The connection is rejected much like what your log shows.

You'll have to investigate a bit, but my theory is that fetchmail is
requesting SSLv3. As it is disabled on wheezy but accepted on etch,
it works with the latter but not the former.

Fetchmail should have an option to force the SSL protocol to be TLSv1.
I think it should be --sslprotoversion tlsv1 or something similar.

Frederic


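The quoted log shows a second problem besides the timeout, and it is the one a security reviewer should flag: after "opportunistic upgrade to TLS failed, trying to continue" fetchmail sends USER on the still-unencrypted socket, and on the immediate repoll it sends USER and PASS without issuing STLS at all. GMX happened to refuse the login, but the password had already crossed the wire in the clear. The script below is an added example, not part of this thread and not fetchmail's own code. It replays fetchmail -v output and reports every connection on which credential commands (USER, PASS, AUTH) went out without a surviving STLS upgrade, and separately reports STLS handshakes that ended in a timeout, as in the first connection above. The embedded log is a constructed, shortened copy of the anonymised log in the post; any real log can be fed in instead.

```python
#!/usr/bin/env python3
"""Flag plaintext POP3 credential fallback in fetchmail -v logs.

Added example (not from the thread or the fetchmail project). The
sample log below is constructed from the anonymised log in the post.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample: three connections, modelled on the quoted log.
SAMPLE_LOG = """\
fetchmail: Trying to connect to 212.227.17.169/110...connected.
fetchmail: POP3< +OK POP server ready
fetchmail: POP3> CAPA
fetchmail: POP3< STLS
fetchmail: POP3< .
fetchmail: POP3> STLS
fetchmail: POP3< +OK Begin TLS negotiation
fetchmail: Server certificate:
fetchmail: Subject CommonName: pop.gmx.net
fetchmail: timeout after 100 seconds.
fetchmail: socket error while fetching from user1@gmx.net@pop.gmx.net
fetchmail: Trying to connect to 212.227.17.169/110...connected.
fetchmail: POP3< +OK POP server ready
fetchmail: POP3> CAPA
fetchmail: POP3< STLS
fetchmail: POP3< .
fetchmail: POP3> STLS
fetchmail: POP3< +OK Begin TLS negotiation
fetchmail: pop.gmx.net: opportunistic upgrade to TLS failed, trying to continue.
fetchmail: POP3> USER user2@gmx.net
fetchmail: Repoll immediately on user2@gmx.net@pop.gmx.net
fetchmail: Trying to connect to 212.227.17.169/110...connected.
fetchmail: POP3< +OK POP server ready
fetchmail: POP3> USER user2@gmx.net
fetchmail: POP3< +OK password required for user "user2@gmx.net"
fetchmail: POP3> PASS *
fetchmail: POP3< -ERR Fehler beim Abruf Ihrer GMX E-Mails. Ihre Verbindung ist nicht verschluesselt.
fetchmail: POP3> QUIT
"""

CONNECT_RE = re.compile(r"Trying to connect to (\S+?)\.\.\.connected\.")
CLIENT_RE = re.compile(r"POP3> (\S+)(?: (.*))?$")          # commands fetchmail sends
FETCHING_RE = re.compile(r"fetching from (.*)@\S+$")         # "user@domain@server"
CREDENTIAL_CMDS = {"USER", "PASS", "AUTH"}                    # AUTH PLAIN carries the password too


@dataclass
class Connection:
    index: int
    target: str
    stls_sent: bool = False
    tls_failed: bool = False
    timed_out: bool = False
    user: Optional[str] = None
    plaintext_cmds: List[str] = field(default_factory=list)

    @property
    def encrypted(self) -> bool:
        # The socket is only protected if STLS was issued and the upgrade
        # was not reported as failed before the credential command.
        return self.stls_sent and not self.tls_failed


@dataclass
class Finding:
    connection: int
    user: Optional[str]
    kind: str          # stls_timeout | plaintext_after_tls_failure | plaintext_no_stls
    commands: List[str]


def analyse(lines: Iterable[str]) -> List[Finding]:
    """Walk a fetchmail -v log and return the security-relevant events."""
    conns: List[Connection] = []
    cur: Optional[Connection] = None
    for raw in lines:
        line = raw.strip()
        m = CONNECT_RE.search(line)
        if m:                                   # a new TCP connection starts here
            cur = Connection(index=len(conns) + 1, target=m.group(1))
            conns.append(cur)
            continue
        if cur is None:
            continue
        if "opportunistic upgrade to TLS failed" in line:
            cur.tls_failed = True               # fetchmail drops back to cleartext
            continue
        if line.startswith("fetchmail: timeout after"):
            cur.timed_out = True
            continue
        m = FETCHING_RE.search(line)
        if m and cur.user is None:
            cur.user = m.group(1)
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == "STLS":
            cur.stls_sent = True
        elif cmd in CREDENTIAL_CMDS:
            if cmd == "USER" and arg:
                cur.user = arg
            if not cur.encrypted:               # credentials on an unencrypted socket
                cur.plaintext_cmds.append(cmd)

    findings: List[Finding] = []
    for c in conns:
        if c.stls_sent and c.timed_out and not c.tls_failed:
            findings.append(Finding(c.index, c.user, "stls_timeout", []))
        if c.plaintext_cmds:
            kind = "plaintext_after_tls_failure" if c.stls_sent else "plaintext_no_stls"
            findings.append(Finding(c.index, c.user, kind, list(c.plaintext_cmds)))
    return findings


def analyse_text(text: str) -> List[Finding]:
    return analyse(text.splitlines())


if __name__ == "__main__":
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LOG
    results = analyse_text(text)
    for f in results:
        print(f"connection {f.connection} user={f.user} {f.kind} {' '.join(f.commands)}")
    # Non-zero exit if any credential went out in the clear.
    sys.exit(1 if any(f.kind.startswith("plaintext") for f in results) else 0)
```

Run it with `fetchmail -v ... 2>&1 | python3 stls_check.py -` to scan a live log. The useful fix on the fetchmail side is to stop the upgrade from being opportunistic: fetchmail 6.3's manual page documents the poll-entry keywords `sslproto` (for example `sslproto tls1`, which also sidesteps any SSLv3 negotiation) and `sslcertck` (fail on certificate problems rather than warn); check the manual of the installed version for whether an explicit `sslproto` makes a failed STARTTLS fatal, since the log above shows the default behaviour is to carry on in cleartext.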