fetchmail, ca-certificates and procmail packages give you everything you need. Once you have these installed, here's how to set it up:
    set daemon 300
    set postmaster 'myusername'
    set syslog
    #set logfile ${HOME}/Mail/fetchmail.log

    poll pop.gmail.com with proto pop3
        user "me@hostedgmail.com" is 'myusername' here
        options ssl sslcertck sslcertpath '/etc/postfix/certs'
        keep
        with mda "procmail -d %T"

    # For debugging, use
    #   fetchmail -Nvvvd0 --nosyslog
myusername is my username on the local machine; me@hostedgmail.com is my email address on my gmail hosted account. (Or it can be your gmail address). fetchmail assumes that email sent to me@hostedgmail.com should be delivered to /var/mail/myusername.
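ssl and sslcertck insist on SSL encryption for the connection to gmail: ssl encrypts the session, and sslcertck makes fetchmail verify the server's certificate against the trusted certificates in sslcertpath and refuse the connection if verification fails. The keep option tells fetchmail to leave a copy of the mail on Gmail even after downloading it.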
I don't put my password in this file, so I have to start the fetchmail command manually, in daemon mode, and provide it the password which it uses for the lifetime of the process.
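An added example (not from the original post): a small audit of a fetchmail run control file that flags server entries using ssl without sslcertck, or keeping a password in the file. It assumes, as this setup does, that certificate checking is only on when sslcertck appears; the pop.example.org entry and its credentials are constructed.

```python
import shlex

ENTRY_KEYWORDS = ("poll", "server", "skip", "defaults")

def audit_fetchmailrc(text):
    """Return (server, finding) pairs for the text of a fetchmail rc file."""
    # shlex drops '#' comments and handles the quoting used in the file.
    # Limitation: a quoted value that equals a keyword would be misread.
    entries = []
    for token in shlex.split(text, comments=True):
        if token.lower() in ENTRY_KEYWORDS:
            entries.append([token.lower()])
        elif entries:                      # global 'set ...' lines are skipped
            entries[-1].append(token)

    inherited, findings = set(), []
    for kind, *rest in entries:
        if kind == "defaults":             # options shared by later entries
            inherited |= {w.lower() for w in rest}
            continue
        if not rest:
            continue
        server, opts = rest[0], inherited | {w.lower() for w in rest[1:]}
        if "ssl" not in opts:
            findings.append((server, "no-ssl"))
        elif "sslcertck" not in opts:
            # Encrypted, but the peer is never authenticated.
            findings.append((server, "ssl-without-sslcertck"))
        if opts & {"password", "pass"}:
            findings.append((server, "password-in-file"))
    return findings

# Constructed sample: the page's entry plus one deliberately weak entry.
SAMPLE_RC = """
set daemon 300
set postmaster 'myusername'
poll pop.gmail.com with proto pop3
    user "me@hostedgmail.com" is 'myusername' here
    options ssl sslcertck sslcertpath '/etc/postfix/certs'
    keep with mda "procmail -d %T"
# constructed entry: encrypted but unauthenticated, password on disk
poll pop.example.org proto pop3 user "bob" password "placeholder-secret" ssl
"""

if __name__ == "__main__":
    for server, finding in audit_fetchmailrc(SAMPLE_RC):
        print(server, finding)
```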
    openssl s_client -connect pop.gmail.com:995 -showcerts

In the returned text, you will see:
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Copy the text between the BEGIN and END CERTIFICATE lines of that output into /etc/postfix/certs/gmail.pem.
You also need to get the certificate of the CA, which is Equifax in this case. This certificate is:
    Equifax Secure CA
    =================
    MD5 Fingerprint: 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4

And you can copy the certificate (the lines from BEGIN CERT to END CERT) into /etc/postfix/certs/Equifax_CA.pem.
On Linux, if you have the ca-certificates package installed, the Equifax cert is already in /etc/ssl/certs, as Equifax_Secure_CA.pem. You can copy the gmail cert into the same directory as gmail.pem.
Run c_rehash /etc/postfix/certs (or c_rehash /etc/ssl/certs on Linux). This creates some symlink files in the directory, named after each certificate's hash, which is how OpenSSL looks up certificates in a directory.
Run fetchmail to test the connection, as:

    fetchmail -Nvvvd0 --nosyslog

and you should see a successful communication.
Run fetchmail -d 60, which tells it to run in daemon mode and poll the server once a minute. It should prompt you for your password; enter it. I run this manually every time I reboot the machine, and leave the daemon process running.
sudo apt-get install postfix should set you up. If you need to install from source for some reason, this page provides detailed instructions.
    smtp.gmail.com:587 mygmailaccount@gmail.com:mygmailpassword

This tells Postfix to use that account and password while trying to connect to smtp.gmail.com at port 587. (The ":587" suffix to smtp.gmail.com may not be strictly necessary).
You can also replace the username/password with the email address and password for your hosted gmail account if you have one.
Run postmap /etc/postfix/sasl_passwd, which will create a file called /etc/postfix/sasl_passwd.db. This is the file that postfix will read.
/etc/postfix/certs/ThawtePremiumServerCA.pem
Run c_rehash /etc/postfix/certs, which will create some symlinks.
On Ubuntu Linux, the ca-certificates package has a list of root certificates. If they are not already installed, apt-get install ca-certificates should get them and install them in the /etc/ssl/certs directory, with the appropriate links.
/etc/postfix/main.cf. Set smtp_tls_CApath to /etc/ssl/certs or /etc/postfix/certs depending on where you installed the CA cert.
    #--
    # Can use relayhost = [smtp.gmail.com]:587 to not do MX lookups
    relayhost = smtp.gmail.com:587

    # auth -- credentials to authenticate yourself to gmail
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous

    # TLS to encrypt the connection to gmail
    smtp_tls_security_level = secure
    smtp_tls_CApath = /etc/postfix/certs
    smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
    smtp_tls_session_cache_timeout = 3600s
    smtp_tls_loglevel = 1
    tls_random_source = dev:/dev/urandom
sudo postfix reload
/bin/mail or any other mail program) and watch syslog (tail -f /var/log/mail.log) to see if it successfully connected to gmail.
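An added example (not part of the original post) that cross-checks the relay setup above before reloading Postfix: it flags a sasl_passwd key written differently from relayhost (Postfix's SASL_README says to use the same form, brackets and port included), a TLS level that does not verify the server certificate, a missing CA store, and a password file readable by other users. The function names and finding labels are made up for this sketch, and the sample text mirrors the page's placeholder values.

```python
def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def parse_sasl_passwd(text):
    """Return {lookup key: 'user:password'} from the postmap source file."""
    rows = (l.split(None, 1) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#"))
    return {r[0]: r[1].strip() for r in rows if len(r) == 2}

def audit_relay(main_cf, sasl_passwd, passwd_mode):
    """passwd_mode: mode bits of sasl_passwd, e.g. os.stat(path).st_mode."""
    p, creds = parse_main_cf(main_cf), parse_sasl_passwd(sasl_passwd)
    findings = []
    if p.get("relayhost", "") not in creds:
        findings.append("sasl-key-differs-from-relayhost")
    level = p.get("smtp_tls_security_level", "")
    if level in ("", "none", "may", "encrypt"):
        findings.append("server-certificate-not-verified")
    elif level in ("verify", "secure") and not (
            p.get("smtp_tls_CApath") or p.get("smtp_tls_CAfile")):
        findings.append("no-ca-store-configured")
    if passwd_mode & 0o077:               # any group/other permission bit
        findings.append("sasl-passwd-readable-by-others")
    return findings

# Constructed sample mirroring the page's settings (placeholder credentials).
MAIN_CF = """\
relayhost = smtp.gmail.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = secure
smtp_tls_CApath = /etc/postfix/certs
"""
SASL_PASSWD = "smtp.gmail.com:587 mygmailaccount@gmail.com:mygmailpassword\n"

if __name__ == "__main__":
    print(audit_relay(MAIN_CF, SASL_PASSWD, 0o600))
    bracketed = MAIN_CF.replace("smtp.gmail.com:587", "[smtp.gmail.com]:587")
    print(audit_relay(bracketed, SASL_PASSWD, 0o644))
```

The same permission check applies to the sasl_passwd.db file that postmap generates, since it holds the same credentials.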