Gmail now provides users with a free 7GB+ mailbox for storing all their mail. There are 3 main interfaces for accessing that mail: the main one is HTTP (web) access, and the others are IMAP and POP3. What is fairly unusual is that Gmail only allows SSL connections for POP3 and SMTP.
This short tutorial will show you how to download your mail automatically from your Gmail account every 5 minutes using fetchmail.
Settings => Forwarding and POP in your Gmail web account.
$ ldd /usr/bin/fetchmail
linux-gate.so.1 => (0xffffe000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7fb7000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb7fa2000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7f71000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7e6e000)
libc.so.6 => /lib/libc.so.6 (0xb7d56000)
libdl.so.2 => /lib/libdl.so.2 (0xb7d52000)
/lib/ld-linux.so.2 (0xb7feb000)
If you see something like libssl.so.0.... in the output, then your fetchmail has SSL support.
In this tutorial we will be using our own directory for the SSL certificates, and not the system-wide one. First, create a directory '~/.certs':
$ mkdir ~/.certs
Now we retrieve the certificate presented by the Gmail POP server:
$ openssl s_client -connect pop.gmail.com:995 -showcerts
You should see something along the lines of:
openssl s_client -connect pop.gmail.com:995 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
[base64-encoded certificate data]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 883 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 3B0994F7D7087FB2DE5AF45A8B17C14CFDAE027CF3C30EF6EA5C7F45B77B90BB
Session-ID-ctx:
Master-Key: 69E41F2C295FA75F7D6FA3E4FA7A2FF875D4E79F1F216FF4E8B3AE7B7BC37D69E63BC11B9C03C4AA11F8A46941A1D29E
Key-Arg : None
Start Time: 1236374059
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK Gpop ready for requests from 119.224.20.8 32pf3108680wfa.32
Copy everything from (and including) the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE-----, and save it in your new .certs directory as 'gmail.pem'. Now we also need a copy of the certificate of the issuer, in Google's case Equifax Secure Certificate Authority. For your ease I will put the needed code in here, which you just need to copy/paste into a new file called 'equifax.pem':
-----BEGIN CERTIFICATE-----
[base64-encoded certificate data]
-----END CERTIFICATE-----
Now that we have both certificates stored in ~/.certs we just need to rehash them so SSL (and fetchmail) can read and use them:
$ c_rehash ~/.certs/
Doing /home/user5/.certs/
gmail.pem => 7f549ca4.0
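What the rehash step does, as an added example that is not part of the original tutorial: OpenSSL finds an issuer in a -CApath directory by a file name derived from the hash of its subject name, so a PEM file without that link is ignored. The script generates its own throwaway CA and server certificate (the names Example Test CA and pop.example.test and all function names are constructed) and verifies before and after creating the link by hand.

```shell
# Added example: every certificate below is a throwaway generated on the spot.

# verify_with_capath DIR CERT: true only if openssl can build a trusted chain
# for CERT from the hashed entries in DIR.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# hash_link DIR PEM: what c_rehash does for one file, done by hand. OpenSSL
# looks for an issuer in a CApath directory under the name <subject-hash>.0.
hash_link() {
    h=$(openssl x509 -noout -hash -in "$1/$2") || return 1
    ln -s "$2" "$1/$h.0" && echo "$h.0"
}

demo_capath() {
    w=$(mktemp -d) || return 1
    mkdir "$w/certs"
    # Constructed issuer, standing in for equifax.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example Test CA" \
        -keyout "$w/ca.key" -out "$w/certs/issuer.pem" 2>/dev/null || return 1
    # Constructed server certificate signed by that issuer
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$w/srv.key" -out "$w/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/srv.csr" -CA "$w/certs/issuer.pem" \
        -CAkey "$w/ca.key" -set_serial 1 -days 1 \
        -out "$w/server.pem" 2>/dev/null || return 1

    # issuer.pem is in the directory but has no hash link yet: lookup fails.
    before=fail; verify_with_capath "$w/certs" "$w/server.pem" && before=ok
    link=$(hash_link "$w/certs" issuer.pem) || return 1
    # Same files plus the link: the chain now verifies.
    after=fail; verify_with_capath "$w/certs" "$w/server.pem" && after=ok
    rm -rf "$w"
    echo "before=$before after=$after link=$link"
}

demo_capath   # prints before=fail after=ok link=<hash>.0
```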
To confirm we have the correct and working certificates, let us make an SSL connection to the Gmail server testing our 2 new certificates:
$ openssl s_client -connect pop.gmail.com:995 -CApath ~/.certs/
... ...
---
+OK Gpop ready for requests from ....
There should be much more data in between; however, the important thing to note is the final (or similar) +OK Gpop ready for requests from ....
If not, please retrace the above steps to confirm you have it correct.
We need to configure our ~/.fetchmailrc file to check automatically every 5 minutes whether we have mail, and if so to download it. Please 'do not' check more often than every 5 minutes, else Google may block or ban you, as that just overloads their systems. For this fetchmail example I am going to use the local system username user5, the Gmail address spammesilly@gmail.com, and the password secretpassword:
# set the last-resort local recipient (postmaster)
set postmaster "user5"
# set polling time in seconds (5 minutes)
set daemon 300
poll pop.gmail.com with proto POP3
user 'spammesilly@gmail.com' there with password 'secretpassword' is user5 here options ssl
# verify the server certificate against the hashed certificates in ~/.certs
sslcertck sslcertpath /home/user5/.certs/
Right, save the file, and now we can do a test verbosely to see if it works. Note: mail will be downloaded into your system-default mailbox, depending on your system. Hopefully you already know where that is located. Do the verbose test with:
$ fetchmail -d0 -vk pop.gmail.com
fetchmail: 6.2.5.2 querying pop.gmail.com (protocol POP3) at Sun Dec 18 00:24:05 2005: poll started
fetchmail: Issuer Organization: Equifax
fetchmail: Unknown Issuer CommonName
fetchmail: Server CommonName: pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: 59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4
fetchmail: POP3< +OK Gpop i34pf3725375wxd ready.
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< USER
fetchmail: POP3< RESP-CODES
fetchmail: POP3< EXPIRE 0
fetchmail: POP3< LOGIN-DELAY 300
fetchmail: POP3< X-GOOGLE-VERHOEVEN
fetchmail: POP3< .
fetchmail: POP3> USER spammesilly@gmail.com
fetchmail: POP3< +OK send PASS
fetchmail: POP3> PASS *
fetchmail: POP3< +OK Welcome.
fetchmail: POP3> STAT
fetchmail: POP3< +OK 0 0
fetchmail: No mail for spammesilly@gmail.com at pop.gmail.com
fetchmail: POP3> QUIT
fetchmail: POP3< +OK Farewell.
fetchmail: 6.2.5.2 querying pop.gmail.com (protocol POP3) at Sun Dec 18 00:24:10 2005: poll completed
fetchmail: normal termination, status 1
Your output might be longer if you already had mail waiting to be downloaded from Gmail. The above example had an empty mailbox, but as you can see it logged in successfully, and logged out successfully too.
If this is all working fine, then you can start your fetchmail daemon with the command:
$ fetchmail
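A pre-flight check for the ~/.fetchmailrc above, added here as an example and not part of the original tutorial; the function name and the finding labels are made up for illustration. It assumes the stanza layout shown above and that certificate checking has to be requested explicitly with sslcertck, as in this configuration.

```shell
# Added example. audit_fetchmailrc FILE prints one finding per line and
# returns 1 if there is any; no output and status 0 mean the file passed.
audit_fetchmailrc() {
    rc=$1
    findings=0

    # The password is stored in clear text: group and other get no access.
    perms=$(ls -ld "$rc" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: group/other bits are '$perms', run: chmod 600 $rc"
        findings=1
    fi

    # 'set daemon N' takes seconds; the tutorial's floor is 5 minutes (300 s).
    interval=$(awk '$1 == "set" && $2 == "daemon" { n = $3 } END { print n }' "$rc")
    if [ -n "$interval" ] && [ "$interval" -lt 300 ]; then
        echo "INTERVAL: polling every ${interval}s, below the 300s floor"
        findings=1
    fi

    # A stanza runs from one 'poll'/'server' keyword to the next. Flag any
    # stanza that lacks the exact words 'ssl' or 'sslcertck'.
    awk '
        function report() {
            if (host == "") return
            if (!("ssl" in seen)) { print "NOSSL: " host " is polled in clear text"; bad = 1 }
            if (!("sslcertck" in seen)) { print "NOCERTCK: " host " certificate is not verified"; bad = 1 }
            split("", seen)
        }
        /^[ \t]*#/ { next }
        $1 == "poll" || $1 == "server" { report(); host = $2 }
        host != "" { for (i = 1; i <= NF; i++) seen[$i] = 1 }
        END { report(); exit bad + 0 }
    ' "$rc" || findings=1

    return "$findings"
}

# Usage: audit_fetchmailrc ~/.fetchmailrc && fetchmail
```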