LinuxQuestions.org
Old 12-13-2022, 09:03 AM   #1
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336

Rep: Reputation: 54
Fetchmail randomly stopped working, now getting SSL error


I have a local web server that uses fetchmail to get mail from my web host so I can store my mail locally. It's always worked, and suddenly a few days ago, it just stopped. My web host says they did not make any changes to their server. This is what the log looks like:

Code:
fetchmail: 6.3.8 querying mail.example.ca (protocol POP3) at Tue 13 Dec 2022 09:58:22 AM EST: poll started
fetchmail: Trying to connect to 158.69.168.192/995...connected.
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from user@example.com@mail.example.ca
This is what the fetchmailrc looks like:

Code:
poll mail.example.ca proto pop3 port 995
user 'user@example.com' there with password 'removed' is email_user here ssl

Anyone know why this would fail suddenly or how I can get more log info out of it to see what's going on?

I tried running it with -vvv or specifying a log with -L but I'm not getting any more details.


Also if I connect to port 110 without ssl, then it works. Obviously, this is a bad idea though.

Last edited by Red Squirrel; 12-13-2022 at 09:17 AM.
 
Old 12-13-2022, 03:23 PM   #2
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,767

Rep: Reputation: 2765
Ask them to check if the SSL version or key standard changed, because it is the security portion of that connection that appears to be failing.

The most dangerous thing about accessing mail at 110 unencrypted is not that YOU do it, but that it could easily be spoofed to allow ANYONE to do it. Otherwise someone would have to be intercepting your packets to get the unencrypted data.

The provider should be willing to help (if they are any good), as this does become a security issue at this point.
 
Old 12-13-2022, 03:35 PM   #3
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336

Original Poster
Rep: Reputation: 54
Yeah I checked with them and they told me nothing changed. But I do wonder if the support people are just unaware of what types of upgrades are going on.

The fetchmail server is also very old so I wonder if there is some kind of root cert that expired, but without any adequate error/logging it's impossible to know why it's failing. Suppose I need to just look at upgrading this box.
 
Old 12-16-2022, 10:40 PM   #4
elgrandeperro
Member
 
Registered: Apr 2021
Posts: 415
Blog Entries: 2

Rep: Reputation: Disabled
I would use openssl client to debug it. If they have private CAs, you will need to reference them via the command line.

Here is an example:

http://billauer.co.il/blog/2018/01/f...penssl-nc-ssl/

At least you can see if it is a Cert problem. You would only need to get to connection, not the rest of the protocol because it is failing way before it is doing anything useful, like the SSL handshake.

Last edited by elgrandeperro; 12-16-2022 at 10:42 PM.
 
Old 12-18-2022, 02:14 PM   #5
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336

Original Poster
Rep: Reputation: 54
I get this:

Code:
CONNECTED(00000003)
5786:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Is there a way to force more info with that command? I don't see anything in the man file such as -v etc or a way to increase debugging.

I am overdue to upgrade this server (one running Fetchmail), so I'm starting to think I may need to just do that. I'm starting to think the host disabled an old cipher or something.
 
Old 12-18-2022, 09:21 PM   #6
elgrandeperro
Member
 
Registered: Apr 2021
Posts: 415
Blog Entries: 2

Rep: Reputation: Disabled
Add -debug

It is not even getting to the certificate negotiation.

Last edited by elgrandeperro; 12-18-2022 at 09:22 PM.
 
Old 12-20-2022, 03:23 PM   #7
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336

Original Poster
Rep: Reputation: 54
I get this: (Redacted the hex dump in case it has any identifying info).

Code:
CONNECTED(00000003)
write to 0x246de70 [0x246f2d0] (145 bytes => 145 (0x91))
[hexdump]
read from 0x246de70 [0x2474830] (7 bytes => 0 (0x0))
24065:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
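
Added example, not part of any post in this thread: a small shell helper that reads `openssl s_client -debug` output like the one above and reports how far the handshake got, plus a loop that repeats the attempt once per protocol-version flag. The verdict names and function names are made up for this illustration; the `-tls1` to `-tls1_3` flags only exist on openssl builds that support them, which the helper reports rather than assumes.

```shell
#!/bin/sh
# Added example (not from the thread): interpret `openssl s_client -debug`
# output and probe which protocol versions a server accepts.

# classify_handshake: reads s_client output on stdin, prints one verdict.
classify_handshake() {
    awk '
        tolower($0) ~ /unknown option/           { unsup = 1 }  # local openssl lacks the flag
        /^Certificate chain|BEGIN CERTIFICATE/   { cert = 1 }   # server sent its certificate
        /alert protocol version|wrong version number|unsupported protocol/ { ver = 1 }
        /alert handshake failure/                { alert = 1 }  # server sent a TLS alert
        /^write to .*bytes => [1-9]/             { wrote = 1 }  # ClientHello left the client
        /^read from .*bytes => 0 / && wrote      { eof = 1 }    # read returned 0: peer closed
        END {
            if (unsup)      print "local-openssl-lacks-flag"
            else if (cert)  print "handshake-reached-certificate"
            else if (ver)   print "protocol-version-rejected"
            else if (alert) print "server-sent-handshake-failure-alert"
            else if (eof)   print "peer-closed-after-clienthello"
            else            print "unknown"
        }'
}

# probe_versions HOST PORT: one attempt per protocol flag, verdict per flag.
probe_versions() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$1:$2" "$flag" -debug </dev/null 2>&1)
        printf '%s\t%s\n' "$flag" "$(printf '%s\n' "$out" | classify_handshake)"
    done
}

# Run the probe only when a host and port are given, e.g.: sh probe.sh mail.example.ca 995
if [ "$#" -ge 2 ]; then
    probe_versions "$1" "$2"
fi
```

Running the probe from both the old fetchmail box and a current machine shows whether the failure follows the client or the server.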
 
  

