<tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home
Page</a></td>
-<td width="30%" align="center">To <a href="/~esr/sitemap.html">Site
-Map</a></td>
-<td width="30%" align="right">$Date: 2004/01/13 07:00:14 $</td>
+<td width="30%" align="right">$Date: 2004/01/13 08:46:00 $</td>
</tr>
</table>
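Review bot: Removing the Site Map cell leaves the header table with two cells whose widths add up to only 60% (`<td width="30%">` for the home link and `<td width="30%" align="right">` for the date), so the layout the three-column version relied on no longer holds; either change the remaining widths to add to 100% (for example 50%/50%) or drop the width attributes and let the table lay itself out. The `$Date:` bump only stays meaningful if the file is still under keyword expansion; otherwise the timestamp will go stale silently and is better removed than hand-edited.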
<a href="#I2">I2. How can I use fetchmail with Demon Internet's SDPS?</a><br/>
<a href="#I3">I3. How can I use fetchmail with usa.net's servers?</a><br/>
<a href="#I4">I4. How can I use fetchmail with geocities POP3 servers?</a><br/>
-<a href="#I5">I5. How can I use fetchmail with Hotmail?</a><br/>
+<a href="#I5">I5. How can I use fetchmail with Hotmail or Lycos Webmail?</a><br/>
<a href="#I6">I6. How can I use fetchmail with MSN?</a><br/>
<a href="#I7">I7. How can I use fetchmail with SpryNet?</a><br/>
<a href="#I8">I8. How can I use fetchmail with comcast.net?</a><br/>
<p>The latest HTML FAQ is available alongside the latest fetchmail
sources at the fetchmail home page: <a
-href="http://www.catb.org/~esr/fetchmail">http://www.catb.org/~esr/fetchmail</a>.
+href="http://fetchmail.berlios.de/">http://fetchmail.berlios.de/</a>.
You can also usually find both in the <a
href="http://sunsite.unc.edu/pub/Linux/system/mail/pop/!INDEX.html">
POP mail tools directory on Sunsite</a>.</p>
<p>For reasons fetchmail doesn't have other commonly-requested
features (such as password encryption, or multiple concurrent polls
-from the same instance of fetchmail) see the <a
-href="http://www.catb.org/~esr/fetchmail/design-notes.html">design
-notes</a>.</p>
+from the same instance of fetchmail) see <a
+href="esrs-design-notes.html">ESR's design
+notes</a>. Note that this document is partially obsoleted by the
+<a href="design-notes.html">updated design notes.</a></p>
<p>Fetchmail is a mature project, no longer in constant active
development. It is no longer my top project, and I am going to be
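Review bot: "Note that this document is partially obsoleted by the updated design notes" is ambiguous after the rewrite, because the nearest "document" is the FAQ itself rather than ESR's notes; suggest "Note that those notes are partially obsoleted by the updated design notes." Also keep the sentence-final period outside the anchor, `<a href="design-notes.html">updated design notes</a>.`, which matches how the other links in this hunk set (`</a>.` at the berlios and inner.net links) are written.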
<p>You can get both POP3 and IMAP OTP patches from <a id="cmetz"
name="cmetz">Craig Metz</a> at <a
-href="http://www.inner.net/pub/">http://www.inner.net/pub/</a>.</p>
+href="http://www.inner.net/opie">http://www.inner.net/opie</a>.</p>
<p>These patches use a SASL authentication method named "X-OTP"
because there is not currently a standard way to do this; fetchmail
Geocities are lame, you should boycott them anyway.</p>
<hr/>
-<h2><a id="I5" name="I5">I5. How can I use fetchmail with Hotmail?</a></h2>
+<h2><a id="I5" name="I5">I5. How can I use fetchmail with Hotmail or Lycos Webmail?</a></h2>
-<p>You can't, yet. But <a
-href="http://linux.cudeso.be/linuxdoc/gotmail.php">gotmail</a> or
-<a href='http://people.freenet.de/courierdave/'>HotWayDaemon</a> might
-be what you need.</p>
+<p>You can't directly. But you can use fetchmail with hotmail or lycos
+webmail with the help of the <a
+href='http://people.freenet.de/courierdave/'>HotWayDaemon</a>
+daemon. You don't even need to install hotwayd as a daemon in
+<samp>inetd.conf</samp> but can use it as a plugin. Your
+configuration should look like this:</p>
+
+<pre>
+poll localhost protocol pop3 tracepolls
+ plugin "/usr/local/sbin/hotwayd -l 0 -p yourproxy:yourproxyport"
+ username "youremail@hotmail.com" password "yourpassword"
+ fetchall
+</pre>
+
+<p>As a second option you may consider using <a
+href="http://linux.cudeso.be/linuxdoc/gotmail.php">gotmail</a>.</p>
<hr/>
<h2><a id="I6" name="I6">I6. How can I use fetchmail with MSN?</a></h2>
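Review bot: The new sample configuration shows a cleartext account password and a hard-coded proxy (`username "youremail@hotmail.com" password "yourpassword"` and `plugin "/usr/local/sbin/hotwayd -l 0 -p yourproxy:yourproxyport"`) without saying that these are placeholders or whether `-p` can be left out when no proxy is in use; readers without a proxy will copy the line verbatim and get a confusing failure, so state what to substitute and whether the proxy option is required. `tracepolls` also appears in the example with no explanation and is unrelated to making Hotmail or Lycos work; drop it or say why it is there. Minor style: the paragraph says "hotmail or lycos webmail" while the new heading says "Hotmail or Lycos Webmail", and the `href='...'` uses single quotes where the rest of the file uses double quotes.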
<p>To use fetchmail with IPv6, you need a system that supports
IPv6, the "Basic Socket Interface Extensions for IPv6" (RFC 2133).
-This currently means that you need to have a BSD/OS or NetBSD
-system with the NRL IPv6+IPsec software distribution or a Linux
-system with a 2.2 or later kernel and net-tools. It should not be
-hard to build fetchmail on other IPv6 implementations if you can
-port the inet6-apps kit.</p>
-
-<p>To use fetchmail with networking security (read: IPsec), you
-need a system that supports IPsec, the API described in the
-"Network Security API for Sockets"
-(draft-metz-net-security-api-01.txt), and the inet6-apps kit. This
-currently means that you need to have a BSD/OS or NetBSD system
-with the NRL IPv6+IPsec software distribution. A Linux IPsec
-implementation supporting this API will probably appear in the
-coming months.</p>
+</p>
<p>The NRL IPv6+IPsec software distribution can be obtained from:
<a
href="http://web.mit.edu/network/isakmp">http://web.mit.edu/network/isakmp</a></p>
-<p>The inet6-apps kit can be obtained from <a
-href="http://ftp.ps.pl/pub/linux/IPv6/inet6-apps/">http://ftp.ps.pl/pub/linux/IPv6/inet6-apps/</a>.</p>
-
<p>More information on using IPv6 with Linux can be obtained
from:</p>
<li><a
href="http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO.html">
http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO.html</a></li>
-
-<li><a
-href="http://www.ipv6.inner.net/ipv6">http://www.ipv6.inner.net/ipv6</a>
-(via IPv6)</li>
-
-<li><a
-href="http://www.inner.net/ipv6">http://www.inner.net/ipv6</a> (via
-IPv4)</li>
</ul>
<hr/>
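Review bot: Once the paragraphs naming the platforms that ship the NRL IPv6+IPsec distribution are deleted (together with the whole IPsec paragraph and the inet6-apps pointer), the retained paragraph "The NRL IPv6+IPsec software distribution can be obtained from:" has nothing left to motivate it; either remove that paragraph as well or keep one sentence saying when that distribution is needed. Closing the first paragraph with the added `</p>` directly after "(RFC 2133)." is well-formed, but it leaves the requirement with no hint of which systems satisfy it; a single sentence pointing readers at their OS's native IPv6 support would restore the lost guidance without reinstating the obsolete BSD/OS and 2.2-kernel details. Dropping the two inner.net "(via IPv6)"/"(via IPv4)" entries so only the Bieringer HOWTO remains in the list reads fine.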
protocol imap username MYUSERNAME password MYPASSWORD
</pre>
+<p>You should note that SSL is only secure against a "man-in-the-middle"
+attack if the client is able to verify that the peer's public key is the
+correct one, and has not been substituted by an attacker. fetchmail can do
+this in one of two ways: by verifying the SSL certificate, or by checking
+the fingerprint of the peer's public key.</p>
+
+<p>There are three parts to SSL certificate verification: checking that the
+domain name in the certificate matches the hostname you asked to connect to;
+checking that the certificate expiry date has not passed; and checking that
+the certificate has been signed by a known Certificate Authority (CA). This
+last step takes some preparation, as you need to install the root
+certificates of all the CA's which you might come across.</p>
+
+<p>The easiest way to do this is using the root CA keys supplied in the
+OpenSSL distribution, which means you need to download and unpack the
+source tarball from www.openssl.org. Once you have done that:</p>
+
+<ol>
+<li><code>mkdir /etc/ssl/certs</code></li>
+<li>in the openssl-x.x.x/certs directory: <code>cp *.pem /etc/ssl/certs/</code></li>
+<li>in the openssl-x.x.x/tools directory: edit c_rehash and set
+<code>$dir="/etc/ssl"</code></li>
+<li>run "perl c_rehash". This generates a number of symlinks within the
+/etc/ssl/certs/ directory</li>
+</ol>
+
+<p>Now in .fetchmailrc, set option sslcertpath to point to this
+directory:</p>
+
+<pre>
+poll pop3.example.com proto pop3 uidl no dns
+ user foobar@example.com password xyzzy is foobar ssl sslcertpath /etc/ssl/certs
+</pre>
+
+<p>If the server certificate has not been signed by a known CA (e.g. it is a
+self-signed certificate), then this certificate validation will always
+fail.</p>
+
+<p>Certificate verification is always attempted. If it fails, by default a
+warning is printed but the connection carries on (which means you are not
+protected against attack). If your server's certificate has been properly
+set up and verifies correctly, then add the "sslcertck" option to enforce
+validation. If your server doesn't have a valid certificate though (e.g. it
+has a self-signed certificate) then it will never verify, and the only way
+you can protect yourself is by checking the fingerprint.</p>
+
+<p>To check the peer fingerprint: first use fetchmail -v once to connect to
+the host, at a time when you are pretty sure that there is no attack in
+progress (e.g. you are not traversing any untrusted network to reach the
+server). Make a note of the fingerprint shown. Now embed this in your
+.fetchmailrc using the sslfingerprint option: e.g.</p>
+
+<pre>
+poll pop3.example.com proto pop3 uidl no dns
+ user foobar@example.com password xyzzy is foobar ssl sslfingerprint "67:3E:02:94:D3:5B:C3:16:86:71:37:01:B1:3B:BC:E2"
+</pre>
+
+<p>When you next connect, the public key presented by the server will be
+verified against the fingerprint given. If it's different, it may mean that
+a man-in-the-middle attack is in progress - or it might just mean that the
+server changed its key. It's up to you to determine which has happened.</p>
+
<hr/>
<h2><a id="R1" name="R1">R1. Fetchmail isn't working, and -v shows
`SMTP connect failed' messages.</a></h2>
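Review bot: The sslcertpath example (`user foobar@example.com password xyzzy is foobar ssl sslcertpath /etc/ssl/certs`) appears before the text admits that a failed verification only prints a warning and the connection "carries on (which means you are not protected against attack)", so a reader who stops at the example installs the CA bundle and still has no man-in-the-middle protection; put `sslcertck` into that example, or say directly under it that the option is needed for verification to be enforced, rather than mentioning it only two paragraphs later. The fingerprint section should say exactly what `sslfingerprint "67:3E:02:94:D3:5B:C3:16:86:71:37:01:B1:3B:BC:E2"` is a digest of (the public key, as the text says, or the whole certificate) and with which algorithm, so that readers can cross-check the value against the certificate on the server instead of trusting a single `fetchmail -v` run; at present the only instruction is "Make a note of the fingerprint shown". In the CA setup list, step 3 (`$dir="/etc/ssl"`) must agree with the `mkdir /etc/ssl/certs` of step 1; say so, since a reader who picks another directory in step 1 will get a silently useless rehash. Minor: "CA's" should be "CAs".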
immediately" in my logs.</a></h2>
<p>This is your server barfing on the CAPA probe that fetchmail sends.</p>
-If you run fetchmail in daemon mode (say "set daemon 600"), you will
+
+<p>If you run fetchmail in daemon mode (say "set daemon 600"), you will
get the message only once per run.</p>
<p>If you set an authentication method explicitly (say, with
occurs if your mail server is not checking the sender addresses, but
your local server is.</p>
-<p>Or you could declare <code>antispam 451<code></p>
+<p>Or you could declare <code>antispam 451</code>.</p>
<p>Or, you could check your nameserver configuration and query logs for
dns errors.</p>
<hr />
<h2><a name="O13">O13. I want timestamp information in my fetchmail logs.</a></h2>
-<p>Write a <code>preconnect</connect> command in your configuration file that
-does something like "date >> $HOME/Procmail/fetchmail.log".</p>
+<p>Write a <code>preconnect</code> command in your configuration file that
+does something like "date >> $HOME/Procmail/fetchmail.log".</p>
<hr/>
<table width="100%" cellpadding="0" summary="Canned page footer">
<tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home
Page</a></td>
-<td width="30%" align="center">To <a href="/~esr/sitemap.html">Site
-Map</a></td>
-<td width="30%" align="right">$Date: 2004/01/13 07:00:14 $</td>
+<td width="30%" align="right">$Date: 2004/01/13 08:46:00 $</td>
</tr>
</table>
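Review bot: The footer edit has the same width problem as the header table (two `width="30%"` cells remain after the Site Map cell is removed, so the widths no longer add up to 100%); the two tables are meant to be identical, so apply whatever fix is chosen up top here as well. The `</connect>` to `</code>` correction in O13 and the `<code>antispam 451</code>` close-tag fix are both correct; while touching the O13 line, consider writing the redirection in `"date >> $HOME/Procmail/fetchmail.log"` as `&gt;&gt;` to keep the HTML text unambiguous, and mention that the example assumes a `$HOME/Procmail/` directory already exists.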