Fixing fetchmail SSL trust problems

[sawyl]

As an aide-memoire, here is a quick way to prevent fetchmail from logging Server certificate verification error: certificate not trusted messages.

1. Create a certificates directory
   mkdir -p /usr/local/etc/fetchmail/certs
2. Change to a temporary directory
   cd $TMPDIR
3. Get the certificate from your POP3 server
   echo | openssl s_client -connect <pop server>:993 -showcerts > info
   where <pop server> is your mail server
4. Extract the security certificate
   sed -n "/^--*BEGIN/,/^--*END/{p;/^--*END/q;};d" info > /usr/local/etc/fetchmail/certs/<pop server>.pem
5. Find the certificating authority
   grep issuer= /tmp/info
6. Get the appropriate root certificate, for example:
   wget http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
7. Move the root certificate into place
   mv GeoTrust_Global_CA.pem /usr/local/etc/fetchmail/certs
8. Create hashed symlinks
   c_rehash /usr/local/etc/fetchmail/certs
9. Append the following to the fetchmail configuration file
   sslcertck sslcertpath /usr/local/etc/fetchmail/certs
10. Restart the fetchmail daemon

And, obviously, check the logs to confirm the validity of the change and send a few test mails from a remote server to check that everything is working as expected...