<DKIM> Cannot use offlineimap with gmail

Ilias Tsitsimpis i.tsitsimpis at gmail.com
Wed May 3 17:08:33 UTC 2017


Hi Luke, Sridhar,

On Wed, May 03, 2017 at 04:17PM, Luke Kenneth Casson Leighton wrote:
> On Wed, May 3, 2017 at 1:35 PM, Sridhar M. A. <alaymari at gmail.com> wrote:
> > But, the problem I notice is that every time I run offlineimap, the
> > fingerprint keeps changing
> 
>  there's absolutely no way that google would be changing the SSL
> certificate every hour.  the complaints would be absolutely
> catastrophic.
> 
>  thus the only logical conclusion that can be reached is that someone
> in between you and imap.gmail.com is hijacking the SSL connection and
> carrying out a man-in-the-middle attack.

This is not necessarily because of a man-in-the-middle attack.
imap.gmail.com resolves to more than one IP address, and depending on which
one is being used, the certificate changes. See for example:

  $ openssl s_client -connect 64.233.167.108:993 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -text -in /dev/stdin
  SHA1 Fingerprint=03:6B:E3:9E:F8:CB:CA:A1:E4:25:63:B7:FC:1D:EF:C6:3E:DB:54:C2
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 6222593699333456547 (0x565b1800365ac2a3)
      Signature Algorithm: sha256WithRSAEncryption
          Issuer: C = US, O = Google Inc, CN = Google Internet Authority G2
          Validity
              Not Before: Apr 27 09:08:34 2017 GMT
              Not After : Jul 20 08:31:00 2017 GMT
          Subject: C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.gmail.com
  ...


  $ openssl s_client -connect 66.102.1.109:993 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -text -in /dev/stdin
  SHA1 Fingerprint=9F:79:A1:8A:11:77:29:C4:01:EA:8D:26:0C:4B:E6:F6:59:3A:6B:EF
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 924670051984753458 (0xcd516835efe4332)
      Signature Algorithm: sha256WithRSAEncryption
          Issuer: C = US, O = Google Inc, CN = Google Internet Authority G2
          Validity
              Not Before: Apr 21 08:49:13 2017 GMT
              Not After : Jul 14 08:26:00 2017 GMT
          Subject: C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.gmail.com


The only viable solution is to verify that the certificates are
correctly signed, using the sslcacertfile option.

Sridhar, could you please try and replace the cert_fingerprint option
with 'sslcacertfile = OS-DEFAULT'?

-- 
Ilias



More information about the OfflineIMAP-project mailing list
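As an added example (not part of the original mail or of the OfflineIMAP project): a POSIX shell script that repeats the s_client check above for every address the hostname resolves to, but judges each connection by chain validation against the OS CA bundle plus a hostname check instead of by comparing fingerprints. Fingerprints are expected to differ from address to address; the verify return code is what must stay at 0. It assumes openssl(1) 1.0.2 or later (1.1.0 or later for IPv6 addresses), getent(1) and awk(1) are installed, and that the CA bundle is at /etc/ssl/certs/ca-certificates.crt (Debian layout; override with CA_BUNDLE). The s_client excerpt at the end is constructed, not captured from a real server, so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original mail: check every address behind an
# IMAP host by validating the certificate chain against the OS CA bundle
# (with a hostname check) rather than pinning a single fingerprint.
# Expectation: the fingerprint differs per address, the verify code does not.
# Assumptions: openssl(1), getent(1) and awk(1) are installed; the CA bundle
# path below is the Debian layout, override it with CA_BUNDLE=/path.
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Unique addresses (IPv4 and IPv6) a hostname resolves to, one per line.
resolve_addrs() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# Numeric "Verify return code" from s_client output on stdin; "none" if the
# line is absent (for example when no handshake completed).
verify_code() {
    awk '/^ *Verify return code:/ && !found { print $4; found = 1 }
         END { if (!found) print "none" }'
}

# SHA-256 fingerprint of the leaf certificate found in s_client output on
# stdin; prints nothing if no PEM certificate is present.
leaf_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^[^=]*=//'
}

# Connect to one address, send SNI for the real hostname, verify the chain
# against CA_BUNDLE and check the hostname, then report one summary line:
# "<addr> <fingerprint> verify=<code>".
check_addr() {
    host=$1 addr=$2 port=${3:-993}
    case $addr in
        *:*) hostport="[$addr]:$port" ;;   # IPv6 literal needs brackets
        *)   hostport="$addr:$port" ;;
    esac
    out=$(openssl s_client -connect "$hostport" -servername "$host" \
            -verify_hostname "$host" -CAfile "$CA_BUNDLE" \
            </dev/null 2>/dev/null) || true
    fp=$(printf '%s\n' "$out" | leaf_fingerprint)
    code=$(printf '%s\n' "$out" | verify_code)
    printf '%s %s verify=%s\n' "$addr" "${fp:-no-certificate}" "$code"
}

# Check every address behind a host; exit status 1 if any of them fails.
check_host() {
    host=$1 port=${2:-993} rc=0
    for addr in $(resolve_addrs "$host"); do
        line=$(check_addr "$host" "$addr" "$port")
        echo "$line"
        case $line in
            *"verify=0") ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed s_client excerpt (not captured from a real server), used only to
# exercise the parser without network access.
SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = imap.gmail.com
---
    Verify return code: 0 (ok)
---'

# Usage: ./check_imap_certs.sh imap.gmail.com [993]
if [ $# -gt 0 ]; then
    check_host "$@"
fi
```

Run it against imap.gmail.com and every line should end in verify=0 while the fingerprint column varies; a non-zero code on some address (for instance 62, hostname mismatch, or 19, self-signed certificate in chain) is the signal worth investigating, a changing fingerprint is not. The matching offlineimap setting is the one suggested in the mail: sslcacertfile = OS-DEFAULT (or the path to the same bundle) in the remote repository section, in place of cert_fingerprint.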