Whether you use Linux or FreeBSD or even Mac OS X, fetchmail can be used to retrieve your fastmail.fm e-mail using secure IMAP with SSL encryption. You will need to have OpenSSL and fetchmail with SSL support installed. This is standard on many Linux/BSD distributions.
NOTE: the SSL certificate changed on 8 April 2014. You will need to re-fetch the certificates below and update the fingerprint in your fetchmail config file
Installing the Certificates Edit
Certificates are used to verify the identity of the IMAP server. First, you'll need to create a ~/.certs directory:
mkdir ~/.certs cd ~/.certs
Next, you will need to retrieve the certificates for the fastmail.fm IMAP server (mail.messagingengine.com) and the company that issued fastmail.fm their certificate.
openssl s_client -CApath $HOME/.certs -connect mail.messagingengine.com:993 -showcerts \ < /dev/null \ | perl -lne 'print if /BEGIN CERT/ .. /END CERT/; last if /END CERT/' \ > fastmail.pem
FastMail are currently using a digicert certificate, which is chained though to the DigiCert root certificate. You can fetch the intermediate and root certificates from digicerts servers:
wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt wget https://www.digicert.com/CACerts/DigiCertHighAssuranceCA-3.crt
Note: You should use https in the above wget to ensure a secure connection to FastMail when retrieving the root certificate, otherwise the whole point of SSL trust chains falls down.
Now, you just need to execute one more command and your certificates directory should be complete:
c_rehash is part of OpenSSL. It will create symbolic links with hexadecimal names that point to each of the .pem files in your ~/.certs directory. The contents of your ~/.certs directory should look something like this:
lrwxrwxrwx 1 brong brong 29 2011-09-01 13:47 02b2d53d.0 -> DigiCertHighAssuranceCA-3.crt lrwxrwxrwx 1 brong brong 29 2011-09-01 13:47 1445ed77.0 -> DigiCertHighAssuranceCA-3.crt lrwxrwxrwx 1 brong brong 33 2011-09-01 13:47 244b5494.0 -> DigiCertHighAssuranceEVRootCA.crt lrwxrwxrwx 1 brong brong 12 2011-09-01 13:47 4f9f158f.0 -> fastmail.pem lrwxrwxrwx 1 brong brong 33 2011-09-01 13:47 81b9768f.0 -> DigiCertHighAssuranceEVRootCA.crt -rw-rw-r-- 1 brong brong 2256 2011-09-01 13:22 DigiCertHighAssuranceCA-3.crt -rw-rw-r-- 1 brong brong 1390 2011-09-01 13:45 DigiCertHighAssuranceEVRootCA.crt lrwxrwxrwx 1 brong brong 12 2011-09-01 13:47 e726ed0b.0 -> fastmail.pem -rw-rw-r-- 1 brong brong 2399 2011-09-01 13:35 fastmail.pem
Execute the openssl s_client command again to verify that you have all of the certificates installed properly:
openssl s_client -CApath $HOME/.certs -connect mail.messagingengine.com:993 -showcerts < /dev/null
After the initial "CONNECTED" line, there should be lines that start with "depth=" for each of the certificates in the certifcation chain. On the line after each of these lines, it should say "verify return:1" in each case. If it doesn't, then you have a problem with your certificates or you are missing a certificate.
Configuring ~/.fetchmailrc Edit
After this, you will need to create a ~/.fetchmailrc file. It should be readable only by you, since it will ultimately contain your fastmail.fm password. (You could leave out your password, if you so desire; fetchmail will prompt you for a password each time you start it.)
touch ~/.fetchmailrc chmod 600 ~/.fetchmailrc
Next, load ~/.fetchmailrc into your favorite text editor and paste the following lines:
set daemon 600 # Poll at 10-minute intervals set logfile "/path/to/your/home/directory/.fetchmail.log" defaults no dns mimedecode fetchall poll mail.messagingengine.com protocol IMAP: user firstname.lastname@example.org is yourlocaluserid here ssl sslfingerprint "FD:21:50:76:D4:D4:F7:67:FD:B3:A5:CE:4D:57:B5:EA" sslcertck sslcertpath /path/to/your/home/directory/.certs password yourfastmailpasswordhere;
Obviously, replace "email@example.com" with your fastmail.fm e-mail address. Replace "yourlocaluserid" with the user ID you use on your computer. Replace "/path/to/your/home/directory" with the actual path to your home directory. Replace "yourfastmailpasswordhere" with your fastmail.fm password. Make sure you do not delete the semicolon at the end of that last line.
The hexadecimal string on the "sslfingerprint" line was obtained using the following command:
openssl x509 -in ~/.certs/fastmail.pem -noout -md5 -fingerprint
You should verify that the output of that command matches the fingerprint specified in your ~/.fetchmailrc. It is possible that the fastmail.fm certificate could change. If it does, then the fingerprint of the certificate will be different from what is listed above. This should not happen frequently. Most commercial certificates do not expire for a year or more.
The above ~/.fetchmailrc assumes you have a mail transport/delivery agent (MTA/MDA), such as sendmail or postfix listening on port 25. If you do not, you should set one up. Doing so is beyond the scope of this tutorial.
You are now ready to start up fetchmail! You'll want to start it up in verbose, non-daemon mode first to see if you have configured everything correctly:
fetchmail -N -v
It should print something like the following lines to your terminal:
fetchmail: 6.3.6 querying mail.messagingengine.com (protocol IMAP) at Wed Jan 28 19:10:28 2009: poll started fetchmail: Trying to connect to 22.214.171.124/993...connected. fetchmail: Issuer Organization: DigiCert Inc fetchmail: Issuer CommonName: DigiCert Global CA fetchmail: Server CommonName: *.messagingengine.com fetchmail: Subject Alternative Name: mail.messagingengine.com fetchmail: Subject Alternative Name: dav.messagingengine.com fetchmail: Subject Alternative Name: ftp.messagingengine.com fetchmail: Subject Alternative Name: ldap.messagingengine.com fetchmail: Subject Alternative Name: chat.messagingengine.com fetchmail: Subject Alternative Name: www.messagingengine.com fetchmail: Subject Alternative Name: wap.messagingengine.com fetchmail: Subject Alternative Name: messagingengine.com fetchmail: Subject Alternative Name: *.messagingengine.com fetchmail: mail.messagingengine.com key fingerprint: 05:0E:9B:F2:0F:0E:4C:DE:F9:8B:D3:2D:9B:FB:B6:CE fetchmail: mail.messagingengine.com fingerprints match.
It should then proceed to download any e-mails you may have on the fastmail.fm server, and you should be able read the e-mail on your local machine using your favorite e-mail program (pine, mutt, etc.), also known as mail user agent or MUA.
After it is done, type control-C to terminate fetchmail. You are now ready to use fetchmail in daemon mode.
to start the fetchmail daemon.
If your computer is configured to use the X11 session manager, I recommend putting fetchmail in your ~/.xsession file. With that there, the fetchmail daemon will start up whenever you login to X11 on console and it should terminate when you logout.