[SOLVED] PMG 6.1-5 restore configuration from 5.1-4

Hi,
We have a PMG 5.1-4 in production. Due to intermittent issues with Avast, we need to update.
The update from 5.1-4 to 6.1-5 was OK, but afterwards I could not update the Avast package, so I installed PMG 6.1-5 from scratch.

The installation works very well, and the Avast installation is OK (with the new repositories from Avast).
But when I restored the configuration, this error appeared in Fetchmail:

-- Logs begin at Tue 2020-02-25 00:54:05 -03, end at Tue 2020-02-25 00:54:17 -03. --
Feb 25 00:54:14 proxmoxMG systemd[1]: Starting LSB: init-Script for system wide fetchmail daemon...
Feb 25 00:54:14 proxmoxMG fetchmail[955]: Not starting fetchmail daemon, disabled via /etc/default/fetchmail.
Feb 25 00:54:14 proxmoxMG systemd[1]: Started LSB: init-Script for system wide fetchmail daemon.


I have changed some options in /etc/init.d/fetchmail and the fetchmail daemon finally starts up.
However, the system cannot actually fetch mail. This is a problem very similar to my previous post.
- Accounts are POP3 without SSL
- Accounts are configured in the GUI, and I can see them in /etc/pmg/fetchmailrc in POP3 mode
- Fetchmail also tries to log in using TLS.

However the log says:
Feb 25 01:23:54 proxmoxMG fetchmail[3521]: (mailserverexternal): upgrade to TLS failed.
Feb 25 01:23:54 proxmoxMG fetchmail[3521]: Unknown login or authentication error on user@(mailserverexternal)
Feb 25 01:23:54 proxmoxMG fetchmail[3521]: socket error while fetching from user@proxmox0089
Feb 25 01:23:54 proxmoxMG fetchmail[3521]: Query status=2 (SOCKET)


Some ideas?
Thanks!
 
Output of systemctl status fetchmail

● fetchmail.service - LSB: init-Script for system wide fetchmail daemon
Loaded: loaded (/etc/init.d/fetchmail; generated)
Active: active (running) since Tue 2020-02-25 01:23:18 -03; 9min ago
Docs: man:systemd-sysv-generator(8)
Tasks: 1 (limit: 4915)
Memory: 1.8M
CGroup: /system.slice/fetchmail.service
└─3521 /usr/bin/fetchmail -f /etc/pmg/fetchmailrc --pidfile /var/run/fetchmail/fetchmail.pid --syslog

Feb 25 01:29:21 proxmoxMG fetchmail[3521]: socket error while fetching from (USER)@proxmox0024
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: Query status=2 (SOCKET)
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: servidor.com: upgrade to TLS failed.
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: Unknown login or authentication error on (OTHERUSER)@servidor.com
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: socket error while fetching from (OTHERUSER)@proxmox0010
Feb 25 01:29:21 proxmoxMG fetchmail[3521]: Query status=2 (SOCKET)
 
Update
The issue originates in some PMG configuration that is forcing pop3-SSL, which I cannot find.
The /etc/pmg/fetchmailrc is configured with accounts of type user@domain.com, in POP3 on port 110 without SSL.
The ISP provider is providing POP3 without SSL (port 110) or POP3 with TLS1.1 (port 995).
I have tested the configuration with POP3-110 and POP3-995-SSL and I get the same error (server.com: upgrade to TLS failed.)

I have downgraded the /etc/ssl/openssl.conf to work with 1.1 (MinProtocol = TLSv1.1 and CipherString = DEFAULT@SECLEVEL=1) but I cannot connect to my ISP server.

Any directions to disable SSL in this fetchmail?
 
hm - I guess the problem is that your provider is using a self-signed certificate for its pop3s (995) and pop3+starttls server

These days you really should ask them to use a certificate signed by a CA

a probably more sensible workaround would be to fetch their certificate and add it to your PMG's certificate store

(afair: get the cert (with openssl s_client or so), add it to /usr/local/share/ca-certificates/; run update-ca-certificates -f)
 
I would expect fetchmail to use the value you configured in openssl config

the only other thing I could think of as a workaround is to edit the fetchmailrc.tt template and add the necessary options to also disable starttls - you would need to experiment but it should be the absence of ssl, and sslproto should be set to ' ' (empty)

I hope this helps!
 
Hi again Ivanov,
Finally, with your last message, I have changed:
/var/lib/pmg/templates/fetchmail.tt

defaults:
antispam -1
batchlimit 100
sslproto ''


And I have also changed /etc/pmg/fetchmailrc and added sslproto ''

With these two changes, the config works OK, and PMG 6.1.5 now downloads POP3 mail using fetchmail without SSL *and* filters with AVAST.
We will surely upgrade the ISP provider in the next days.

In conclusion:
- In PMG 6.x it is not possible to download mail using SSL/TLS 1.1
- It is not recommendable to download mail using POP3 without SSL (security concerns)

Thanks for your assistance. This case is closed.
 
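Added example (not part of the original thread and not Proxmox code): because the fix above disables STARTTLS, the affected POP3 passwords travel unencrypted, so this Python check lists which poll entries of a fetchmailrc end up in cleartext once the defaults block is applied. The parser is a simplified reading of fetchmailrc syntax; host names, users and function names are constructed for the example.

```python
import shlex

ENTRY = {"defaults", "poll", "server", "skip"}
# Keywords followed by exactly one value (which must not be read as a keyword).
TAKES_VALUE = {"user", "username", "pass", "password", "proto", "protocol",
               "port", "service", "sslproto"}

# Constructed sample; the defaults block mirrors the edited template in the thread.
SAMPLE_RC = """
defaults:
  antispam -1
  sslproto ''
poll pop.isp.example protocol pop3 port 110 user "alice" pass "ssl"
poll secure.example protocol pop3 port 995 ssl user "bob" pass "s3cret"
"""

def parse_entries(text):
    """Return one dict per defaults/poll/server/skip entry."""
    tokens = shlex.split(text, comments=True)   # '' survives as an empty token
    entries, cur, i = [], None, 0
    while i < len(tokens):
        word = tokens[i].rstrip(":;,").lower()
        if word in ENTRY:
            cur = dict(kind=word, server=None, ssl=False, sslproto=None)
            entries.append(cur)
        if word in (ENTRY - {"defaults"}) | TAKES_VALUE:
            i += 1                               # consume the value token
            if cur is not None and i < len(tokens):
                if word == "sslproto":
                    cur["sslproto"] = tokens[i]
                elif word in ENTRY:
                    cur["server"] = tokens[i]
        elif cur is not None and word == "ssl":
            cur["ssl"] = True
        i += 1
    return entries

def audit(text):
    """Return [(server, transport)] with defaults inherited by later entries."""
    inherited, report = {"ssl": False, "sslproto": None}, []
    for e in parse_entries(text):
        if e["kind"] == "defaults":
            inherited = e
            continue
        proto = inherited["sslproto"] if e["sslproto"] is None else e["sslproto"]
        transport = ("implicit-tls" if e["ssl"] or inherited["ssl"]  # TLS-wrapped port
                     else "cleartext" if proto == ""                 # STARTTLS disabled
                     else "starttls-attempted")
        report.append((e["server"], transport))
    return report
```

Calling audit() on the contents of /etc/pmg/fetchmailrc gives the list of servers to move to TLS first once the provider offers a usable certificate.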