Problems setting up imapfilter and to make it easier for the consumer

Tom dertom at gmail.com
Thu Oct 21 06:14:58 BST 2021


Hello,

i just tried for sometime to setup Offlineimap. For me on Manjaro i could
just install it, easy.
I came to offlineimap from a Post from 2011 on the "LinuxMagazin" in
Germany.

I wanted to test the function with a not so important Account and it told
me:

Account sync xxxxx:
 *** Processing account xxxxx
 Establishing connection to mail.xxxxxxx:993 (Account)
 ERROR: No CA certificates and no server fingerprints configured.  You must
configure at least something, otherwise having SSL helps nothing.
 *** Finished account 'xxxxx' in 0:00
ERROR: Exceptions occurred during the run!
ERROR: No CA certificates and no server fingerprints configured.  You must
configure at least something, otherwise having SSL helps nothing.

Ah, what exactly ? That makes no sense et all to me.
Now, you maybe say: Noob, RTFM. Ah, well, i did. It says just to configure
your accounts and storage... and you are good to go.
http://www.offlineimap.org/doc/quick_start.html

Running it
It says to specify at least a fingerprint, Figuring out to get the
Fingerprint "i have never needed before" is quite the task, because for a
consumer like me, who cares ? Thunderbird or others do not care, they just
accept the certificate given. If my Password is correct. Yes, yes,
security, but then again, if i have to get the Fingerprint myself like:

openssl s_client -showcerts -connect mail.server.net:443 | openssl x509
-fingerprint -noout

FAQ Says:
Checking the SSL certificate and then it tells you without any explanation
todo this:
$SSL_CERT_DIR="" openssl s_client -connect hosname:993 < /dev/null
2>/dev/null | openssl x509 -fingerprint -noout -text -in /dev/stdin

what am i doing here ? Why is there a Variable "$SSL_CERT_DIR?", i thought
it is not for me, because of how it is written with the variable in front.
Nevertheless that works,too.

All Security is already out of the window relying on the dns to send me to
the correct server...

I am just saying.

Then i added the fingerprint and had an error in it.
Then, to my astonishment, imapfilter showed me the actual fingerprint i had
to add... which wasn't the same as i configured, because i had it wrapped
in "".

ERROR: Server SSL fingerprint(s) '[('openssl_sha512', '...'),
('openssl_sha384', '...'), ('openssl_sha256', '...'), ('openssl_sha224',
'...'), ('openssl_sha1', '...')]' for hostname 'mail.server.net' does not
match configured fingerprint(s) ['...'].  Please verify and set
'cert_fingerprint' accordingly if not set yet.

Why not just make that output a standard function ? Just print the
fingerprint and ask to add it or tell the user to copy and paste it in the
config file. Like SSH does it.

It would make life much easier if that was documented in the FAQ's. Maybe i
have overseen that... but then again,
http://www.offlineimap.org/doc/quick_start.html

should have some mention about that. Who uses IMAP without SSL these days ?

Having said that,

Thank you for your work on this so i can backup my Accounts.

All the best to you,
Tom
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/offlineimap-project/attachments/20211021/48e83b26/attachment.htm>


More information about the OfflineIMAP-project mailing list