On Sun, Oct 24, 2010 at 09:10:44 -0600, Joseph wrote:
> I just commented out the lines:
>      sslcertck
>      sslcertpath /etc/ssl/certs/
> 

If you disable the "sslcertck", then fetchmail won't abort the
connection if the certificate validation fails.  In other words, if
someone does trick your machine into connecting to an imposter
pop.gmail.com server, fetchmail will go ahead and try to log in (thus
sending your GMail credentials to the impostor), though it will log the
validation failure as it does so.

If you don't mind that risk you can certainly leave it that way, but
the "recommended" approach is to keep the "sslcertck" there, so
fetchmail aborts with a shout if it detects a certificate problem.

(See, for example, the note found in the second paragraph of the "More
information:" section of 
  http://www.debian.org/security/2009/dsa-1852
)


(But at the same time, I am suggesting that you should _not_ need the
"sslcertpath" option, even when "sslcertck" is enabled.  That's how I
have my fetchmail configured, in any case.)

Hope that makes sense.

                                                Nathan
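
As an added illustration of the point in the reply above (this is not code from the thread or from fetchmail itself): a small shell lint that reads a .fetchmailrc and reports every "poll" stanza that enables ssl without also keeping sslcertck, i.e. the weakened configuration Joseph produced by commenting the line out. It assumes the usual layout where options belong to the preceding "poll" line; a global "defaults" stanza is not taken into account.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): lint a .fetchmailrc for
# SSL polls that lack "sslcertck".  With sslcertck absent, fetchmail logs a
# failed certificate check but still logs in, sending credentials to whatever
# server answered; with it present, fetchmail aborts the session instead.
#
# Usage: lint_fetchmailrc ~/.fetchmailrc
# Prints one line per poll stanza: "WEAK <host>", "OK <host>" or "NOSSL <host>".

lint_fetchmailrc() {
    # Drop whole-line comments first, so a commented-out "sslcertck"
    # (exactly what the thread describes) is treated as absent.
    grep -v '^[[:space:]]*#' "$1" |
    awk '
        # A "poll" line starts a new stanza; report the previous one first.
        /^[[:space:]]*poll[[:space:]]/ { flush(); host = $2; ssl = 0; certck = 0 }
        # Options for the current stanza may be on the poll line or continued
        # on following lines; keywords are whitespace-separated tokens.
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssl")       ssl = 1
                if ($i == "sslcertck") certck = 1
            }
        }
        END { flush() }
        function flush() {
            if (host == "") return
            if (ssl && !certck)  print "WEAK", host
            else if (ssl)        print "OK", host
            else                 print "NOSSL", host
            host = ""
        }
    '
}

# Constructed sample rc file for a stand-alone run (assumed hostnames).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '%s\n' \
        'poll pop.gmail.com with proto POP3' \
        '  user "joseph" there with password "secret" is joseph here' \
        '  ssl' \
        '  #sslcertck' \
        '  #sslcertpath /etc/ssl/certs/' \
        'poll mail.example.net proto IMAP user "a" password "b" ssl sslcertck' \
        > "$demo"
    lint_fetchmailrc "$demo"   # WEAK pop.gmail.com / OK mail.example.net
    rm -f "$demo"
fi
```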
