fetchmail daemon mode

My desktop has been doubling as the home email server for a while now. Towards that end, I’ve been running fetchmail to grab mail off various POP servers and then running it through a vanilla install of exim to deliver it to the local accounts on my end. I had been running it out of cron, which took some doing because there’s a chance for users’ cron jobs to step on one another.

The combination of coordinating the cron jobs and managing separate fetchmailrc files caused me to finally rethink the setup. I don’t generally like to mess with stuff that’s working, but there seemed to be a reasonably painless path forward. I could merge all the individual user fetchmailrc files into a single one and then run fetchmail in daemon mode, as opposed to cron. The end result is after the jump for those interested, and as a marker for myself when something goes awry.

The big win for me personally is administration of one fetchmailrc file, as opposed to one per user. Here it is, with a little editing:

# global settings
set postmaster "*adminuser*"
set bouncemail
set no spambounce
set properties ""
# poll interval in seconds (900 = 15 minutes)
set daemon 900

# applied to every poll stanza below: POP3 over SSL with certificate checking
defaults proto POP3
    options stripcr ssl sslcertck sslcertpath /etc/ssl/certs

poll yertlex.dartmouth.org with proto POP3 auth password
    user '*popuser1*' there with password '*secret1*' is '*localuser1*' here
        options sslfingerprint "5E:2E:47:9C:2F:9E:54:AA:9B:3E:CB:65:6C:29:D9:5E"

poll plus.pop.mail.yahoo.com with proto POP3
    user '*popuser2*' there with password '*secret2*' is '*localuser2*' here
        options keep sslfingerprint "F6:0D:A4:CA:91:A9:AC:88:4C:BF:D6:70:02:61:87:86"

poll pop.gmail.com with proto POP3
    user '*popuser1*' there with password '*secret1*' is '*localuser1*' here
        options keep sslfingerprint "6B:C4:63:05:87:1E:72:88:ED:81:C5:A2:51:6B:B7:B6"
    user '*popuser2*' there with password '*secret2*' is '*localuser2*' here
        options keep sslfingerprint "6B:C4:63:05:87:1E:72:88:ED:81:C5:A2:51:6B:B7:B6"

poll hostxxx.hostmonster.com with proto POP3
    user '*popuser1*' there with password '*secret1*' is '*localuser1*' here
        options keep sslfingerprint "4C:C7:88:2F:3F:F8:2A:4D:3B:02:10:39:34:08:5C:60"
    user '*popuser2*' there with password '*secret2*' is '*localuser2*' here
        options keep sslfingerprint "4C:C7:88:2F:3F:F8:2A:4D:3B:02:10:39:34:08:5C:60"
    user '*popuser3*' there with password '*secret3*' is '*localuser3*' here
        options keep sslfingerprint "4C:C7:88:2F:3F:F8:2A:4D:3B:02:10:39:34:08:5C:60"

It’s stored as /etc/fetchmailrc with the owner:group set to fetchmail:nogroup and 0600 permissions (fetchmail refuses a world-readable rc file, since it holds the passwords). The START_DAEMON line in /etc/default/fetchmail needs to be set to yes so that the fetchmail daemon starts when the machine is restarted. It can also be started manually by executing /etc/init.d/fetchmail start as root.

Most of this is straightforward. The defaults stanza is useful because anything in it is applied to all the remote mail servers. Thus, all of my servers use SSL to make sure that passwords and the like are not sent in the clear. Also, the sslfingerprint option gives me a heads-up if the certificate changes, giving me a chance to independently verify the new cert. Somewhat overkill, I suppose, but I might as well take advantage of it.

The set daemon value is in seconds, so at 900 mine polls every 15 minutes.

A quick look might cause someone to think this is a multidrop setup, but that’s incorrect. It’s all single-user. I’m just making use of the fetchmail syntax to avoid unnecessary duplication. It’s part of the reason I switched to running it in daemon mode: a single clean rc file. The sslfingerprint option makes it a little clunky; luckily that’s just a copy-paste.

This isn’t optimal. It would be nice if usernames and passwords could be set up to be fetched from the user accounts, where they’d arguably be safer. It’s not a big deal here since this is all home stuff, making it a workable compromise. Interestingly, fetchmail will check a local user’s .netrc file for password info, but only if run as that user. So that won’t work here. Still, I wonder if something can’t be done there. I’ll have to noodle it a bit. Also, it would be nice if the sslfingerprint didn’t have to be entered per user. But my understanding is that my use of it here really isn’t as intended. Apparently it’s entirely possible for the servers to have different valid certificates and fingerprints. My above setup would fail if a different SSL certificate was received upon connection. I have yet to see that, so I’m leaving it for now.
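To catch a pin problem before a poll fails, here is an added Python script (my own example, not fetchmail's code, and the rc text, hosts and fingerprints in it are constructed placeholders): it parses the poll/sslfingerprint lines, flags a host whose per-user entries disagree (the copy-paste slip the per-user pinning invites), and can fetch the certificate a server currently presents and compute the MD5 fingerprint that fetchmail compares sslfingerprint against. It assumes POP3 over SSL on port 995.

```python
import hashlib
import re
import ssl

# Constructed sample in the shape of the rc file above; hosts and pins are
# placeholders, not the values from the real configuration.
SAMPLE_RC = """
poll pop.example.org with proto POP3
    user 'alice' there with password 'secret1' is 'alice' here
        options keep sslfingerprint "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"
    user 'bob' there with password 'secret2' is 'bob' here
        options keep sslfingerprint "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:9A"

poll pop.example.net with proto POP3
    user 'carol' there with password 'secret3' is 'carol' here
        options sslfingerprint "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF"
"""

def parse_fingerprints(rc_text):
    """Map each poll host to the set of sslfingerprint pins found under it."""
    pins, host = {}, None
    for line in rc_text.splitlines():
        poll = re.match(r"\s*poll\s+(\S+)", line)
        if poll:
            host = poll.group(1)
            continue
        pin = re.search(r'sslfingerprint\s+"([0-9A-Fa-f:]+)"', line)
        if pin and host:
            pins.setdefault(host, set()).add(pin.group(1).upper())
    return pins

def inconsistent_hosts(pins):
    """Hosts whose user entries carry different pins; all users of one host see the same cert."""
    return sorted(h for h, fps in pins.items() if len(fps) > 1)

def md5_fingerprint(der_cert):
    """fetchmail matches sslfingerprint against the MD5 digest of the DER-encoded
    certificate, written as colon-separated uppercase hex pairs."""
    hexdigest = hashlib.md5(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def live_fingerprint(host, port=995):
    """Fetch the certificate the POP3S server presents right now (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return md5_fingerprint(ssl.PEM_cert_to_DER_cert(pem))

if __name__ == "__main__":
    print("hosts with conflicting pins:", inconsistent_hosts(parse_fingerprints(SAMPLE_RC)))
```

Compare live_fingerprint(host) with the parsed pins for that host to confirm a pin before editing the rc file, or to see which of several valid server certificates a host happens to be presenting.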
