wq6n-73's profile

Contributor

Wednesday, March 22nd, 2017 1:04 PM

inbound.att.net ssl certificates fail for fetchmail pop3

Within the last month or so, my fetchmailrc script stopped working. I use the pop3 with sslcertck:

poll inbound.att.net with proto pop3 service 995:
    sslproto 'TLS1'
    user "@att.net" password "" is here
    sslcertck sslcertpath '/etc/ssl/certs/' smtphost localhost

 

The OpenSSL check appears to be normal, with the exception of a possible SSL mismatch at legacy.pop.mail.yahoo.com:

# openssl s_client -host inbound.att.net -port 995
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Yahoo Inc., OU = Information Technology, CN = legacy.pop.mail.yahoo.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=legacy.pop.mail.yahoo.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=legacy.pop.mail.yahoo.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5284 bytes and written 429 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 58D2702A2B33733688B90B1D39F4E516A34355525B3CFB4FAFBF6DBF8CCD8045
Session-ID-ctx:
Master-Key: AB56F70F6DB40E8884BA6CD1FD35ABD1D60B984E166A00B293231F587399D1180150F3E70F8A7038D7659DA9554F835C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1490186282
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
+OK Hello from jpop-0.1

 

Since I cannot use sslcertck, I was trying to make use of the peer fingerprint (ssl fingerprint)

e.g. sslfingerprint "66:89:36:BA:15:CD:9B:DA:BE:39:02:34:5C:0B:C1:30"

 

I have been unable to collect or set the ssl fingerprint. Maybe if I set up Thunderbird to do the pop3 exchange.

Comments are welcome.

Contributor

7 years ago

The easy and working solution is this.

 

Inbound mail server is currently inbound.att.net

Change it to legacy.pop.mail.yahoo.com

 

Fixed.

 

miletx.com
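
Why the rename in the reply above satisfies sslcertck, as an added example that is not part of either post: openssl s_client as invoked in the question only validates the chain ("Verify return code: 0") and never compares the certificate name with the host it connected to, whereas a certificate-checking client also needs the polled name to match. The function names are hypothetical, and because the page does not show the certificate's subjectAltName entries the check falls back to the subject CN.

```python
import re

# Lines copied from the openssl s_client output in the question above.
S_CLIENT_OUTPUT = """\
subject=/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=legacy.pop.mail.yahoo.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    Verify return code: 0 (ok)
"""

def leaf_common_names(output):
    """CN values from the 'subject=' line (slash-separated format shown on this page)."""
    m = re.search(r"^subject=(.*)$", output, re.MULTILINE)
    if not m:
        return []
    return [part[3:] for part in m.group(1).split("/") if part.startswith("CN=")]

def chain_verified(output):
    """True when s_client reported return code 0, i.e. the chain built to a trusted root."""
    m = re.search(r"Verify return code:\s*(\d+)", output)
    return bool(m) and m.group(1) == "0"

def name_matches(pattern, host):
    """RFC 6125-style match: case-insensitive; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) == len(h) and len(p) > 2 and p[1:] == h[1:]

def diagnose(host, output, san_dns=()):
    """Separate chain trust from name match for the host the client is configured to poll.

    san_dns: subjectAltName dNSName entries if known (assumption: none are shown on
    the page); when present they replace the CN, as RFC 6125 requires.
    """
    names = list(san_dns) or leaf_common_names(output)
    return {
        "chain_ok": chain_verified(output),
        "names": names,
        "name_ok": any(name_matches(n, host) for n in names),
    }

if __name__ == "__main__":
    for host in ("inbound.att.net", "legacy.pop.mail.yahoo.com"):
        print(host, diagnose(host, S_CLIENT_OUTPUT))
```

Polling legacy.pop.mail.yahoo.com makes both checks pass, so certificate verification stays enabled instead of being replaced by a pinned fingerprint.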
