255pages on
this wiki

Introduction Edit

Whether you use Linux or FreeBSD or even Mac OS X, fetchmail can be used to retrieve your e-mail using secure IMAP with SSL encryption. You will need to have OpenSSL and fetchmail with SSL support installed. This is standard on many Linux/BSD distributions.

NOTE: the SSL certificate changed on 8 April 2014. You will need to re-fetch the certificates below and update the fingerprint in your fetchmail config file

Installing the Certificates Edit

Certificates are used to verify the identity of the IMAP server. First, you'll need to create a ~/.certs directory:

mkdir ~/.certs
cd ~/.certs

Next, you will need to retrieve the certificates for the IMAP server ( and the company that issued their certificate.

openssl s_client -CApath $HOME/.certs -connect -showcerts \
  < /dev/null \
  | perl -lne 'print if /BEGIN CERT/ .. /END CERT/; last if /END CERT/' \
  > fastmail.pem

FastMail are currently using a digicert certificate, which is chained though to the DigiCert root certificate. You can fetch the intermediate and root certificates from digicerts servers:


Note: You should use https in the above wget to ensure a secure connection to FastMail when retrieving the root certificate, otherwise the whole point of SSL trust chains falls down.

Now, you just need to execute one more command and your certificates directory should be complete:

c_rehash .

c_rehash is part of OpenSSL. It will create symbolic links with hexadecimal names that point to each of the .pem files in your ~/.certs directory. The contents of your ~/.certs directory should look something like this:

lrwxrwxrwx   1 brong brong    29 2011-09-01 13:47 02b2d53d.0 -> DigiCertHighAssuranceCA-3.crt
lrwxrwxrwx   1 brong brong    29 2011-09-01 13:47 1445ed77.0 -> DigiCertHighAssuranceCA-3.crt
lrwxrwxrwx   1 brong brong    33 2011-09-01 13:47 244b5494.0 -> DigiCertHighAssuranceEVRootCA.crt
lrwxrwxrwx   1 brong brong    12 2011-09-01 13:47 4f9f158f.0 -> fastmail.pem
lrwxrwxrwx   1 brong brong    33 2011-09-01 13:47 81b9768f.0 -> DigiCertHighAssuranceEVRootCA.crt
-rw-rw-r--   1 brong brong  2256 2011-09-01 13:22 DigiCertHighAssuranceCA-3.crt
-rw-rw-r--   1 brong brong  1390 2011-09-01 13:45 DigiCertHighAssuranceEVRootCA.crt
lrwxrwxrwx   1 brong brong    12 2011-09-01 13:47 e726ed0b.0 -> fastmail.pem
-rw-rw-r--   1 brong brong  2399 2011-09-01 13:35 fastmail.pem

Execute the openssl s_client command again to verify that you have all of the certificates installed properly:

openssl s_client -CApath $HOME/.certs -connect -showcerts  < /dev/null

After the initial "CONNECTED" line, there should be lines that start with "depth=" for each of the certificates in the certifcation chain. On the line after each of these lines, it should say "verify return:1" in each case. If it doesn't, then you have a problem with your certificates or you are missing a certificate.

Configuring ~/.fetchmailrc Edit

After this, you will need to create a ~/.fetchmailrc file. It should be readable only by you, since it will ultimately contain your password. (You could leave out your password, if you so desire; fetchmail will prompt you for a password each time you start it.)

touch ~/.fetchmailrc
chmod 600 ~/.fetchmailrc

Next, load ~/.fetchmailrc into your favorite text editor and paste the following lines:

set daemon 600  # Poll at 10-minute intervals
set logfile "/path/to/your/home/directory/.fetchmail.log"

        no dns

poll protocol IMAP:
        user is yourlocaluserid here
        sslfingerprint "FD:21:50:76:D4:D4:F7:67:FD:B3:A5:CE:4D:57:B5:EA"
        sslcertck sslcertpath /path/to/your/home/directory/.certs
        password yourfastmailpasswordhere;

Obviously, replace "" with your e-mail address. Replace "yourlocaluserid" with the user ID you use on your computer. Replace "/path/to/your/home/directory" with the actual path to your home directory. Replace "yourfastmailpasswordhere" with your password. Make sure you do not delete the semicolon at the end of that last line.

The hexadecimal string on the "sslfingerprint" line was obtained using the following command:

openssl x509 -in ~/.certs/fastmail.pem -noout -md5 -fingerprint

You should verify that the output of that command matches the fingerprint specified in your ~/.fetchmailrc. It is possible that the certificate could change. If it does, then the fingerprint of the certificate will be different from what is listed above. This should not happen frequently. Most commercial certificates do not expire for a year or more.

The above ~/.fetchmailrc assumes you have a mail transport/delivery agent (MTA/MDA), such as sendmail or postfix listening on port 25. If you do not, you should set one up. Doing so is beyond the scope of this tutorial.

You are now ready to start up fetchmail! You'll want to start it up in verbose, non-daemon mode first to see if you have configured everything correctly:

fetchmail -N -v

It should print something like the following lines to your terminal:

fetchmail: 6.3.6 querying (protocol IMAP) at Wed Jan 28 19:10:28 2009: poll started
fetchmail: Trying to connect to
fetchmail: Issuer Organization: DigiCert Inc
fetchmail: Issuer CommonName: DigiCert Global CA
fetchmail: Server CommonName: *
fetchmail: Subject Alternative Name:
fetchmail: Subject Alternative Name:
fetchmail: Subject Alternative Name:
fetchmail: Subject Alternative Name:
fetchmail: Subject Alternative Name:
fetchmail: Subject Alternative Name:
fetchmail: Subject Alternative Name:
fetchmail: Subject Alternative Name:
fetchmail: Subject Alternative Name: *
fetchmail: key fingerprint: 05:0E:9B:F2:0F:0E:4C:DE:F9:8B:D3:2D:9B:FB:B6:CE
fetchmail: fingerprints match.

It should then proceed to download any e-mails you may have on the server, and you should be able read the e-mail on your local machine using your favorite e-mail program (pine, mutt, etc.), also known as mail user agent or MUA.

After it is done, type control-C to terminate fetchmail. You are now ready to use fetchmail in daemon mode.

Just type


to start the fetchmail daemon.

If your computer is configured to use the X11 session manager, I recommend putting fetchmail in your ~/.xsession file. With that there, the fetchmail daemon will start up whenever you login to X11 on console and it should terminate when you logout.

Around Wikia's network

Random Wiki