10
10
.\" Load www macros to process .URL requests, this requires groff:
13
.TH fetchmail 1 "fetchmail 6.3.16" "fetchmail" "fetchmail reference manual"
13
.TH fetchmail 1 "fetchmail 6.3.17" "fetchmail" "fetchmail reference manual"
16
16
fetchmail \- fetch mail from a POP, IMAP, ETRN, or ODMR-capable server
495
495
(Keyword: sslcertck)
497
497
Causes fetchmail to strictly check the server certificate against a set of
498
local trusted certificates (see the \fBsslcertpath\fP option). If the server
499
certificate cannot be obtained or is not signed by one of the trusted ones
500
(directly or indirectly), the SSL connection will fail, regardless of
501
the \fBsslfingerprint\fP option.
498
local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
499
options). If the server certificate cannot be obtained or is not signed by one
500
of the trusted ones (directly or indirectly), the SSL connection will fail,
501
regardless of the \fBsslfingerprint\fP option.
503
503
Note that CRL (certificate revocation lists) are only supported in
504
504
OpenSSL 0.9.7 and newer! Your system clock should also be reasonably
507
507
Note that this optional behavior may become default behavior in future
508
508
fetchmail versions.
510
.B \-\-sslcertfile <file>
511
(Keyword: sslcertfile, since v6.3.17)
513
Sets the file fetchmail uses to look up local certificates. The default is
514
empty. This can be given in addition to \fB\-\-sslcertpath\fP below, and
515
certificates specified in \fB\-\-sslcertfile\fP will be processed before those
516
in \fB\-\-sslcertpath\fP. The option can be used in addition to
517
\fB\-\-sslcertpath\fP.
519
The file is a text file. It contains the concatenation of trusted CA
520
certificates in PEM format.
522
Note that using this option will suppress loading the default SSL trusted CA
523
certificates file unless you set the environment variable
524
\fBFETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS\fP to a non-empty value.
510
526
.B \-\-sslcertpath <directory>
511
527
(Keyword: sslcertpath)
513
Sets the directory fetchmail uses to look up local certificates. The default
514
is your OpenSSL default one. The directory must be hashed as OpenSSL expects
515
it - every time you add or modify a certificate in the directory, you need
516
to use the \fBc_rehash\fP tool (which comes with OpenSSL in the tools/
529
Sets the directory fetchmail uses to look up local certificates. The default is
530
your OpenSSL default directory. The directory must be hashed the way OpenSSL
531
expects it - every time you add or modify a certificate in the directory, you
532
need to use the \fBc_rehash\fP tool (which comes with OpenSSL in the tools/
533
subdirectory). Also, after OpenSSL upgrades, you may need to run
534
\fBc_rehash\fP; particularly when upgrading from 0.9.X to 1.0.0.
536
This can be given in addition to \fB\-\-sslcertfile\fP above, which see for
539
Note that using this option will suppress adding the default SSL trusted CA
540
certificates directory unless you set the environment variable
541
\fBFETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS\fP to a non-empty value.
519
543
.B \-\-sslcommonname <common name>
520
544
(Keyword: sslcommonname; since v6.3.9)
1805
1829
Connect to server over the specified base protocol using SSL encryption
1807
1831
sslcert \& \& T{
1808
Specify file for client side public SSL certificate
1832
Specify file for \fBclient side\fP public SSL certificate
1834
sslcertfile \& \& T{
1835
Specify file with trusted CA certificates
1837
sslcertpath \& \& T{
1838
Specify c_rehash-ed directory with trusted CA certificates.
1810
1840
sslkey \& \& T{
1811
Specify file for client side private SSL key
1841
Specify file for \fBclient side\fP private SSL key
1813
1843
sslproto \& \& T{
1814
1844
Force ssl protocol for connection
2726
2756
lock file to help prevent concurrent runs (root mode, systems without /var/run).
2728
2758
.SH ENVIRONMENT
2730
If the FETCHMAILUSER variable is set, it is used as the name of the
2759
.IP \fBFETCHMAILHOME\fP
2760
If this environment variable is set to a valid and
2761
existing directory name, fetchmail will read $FETCHMAILHOME/fetchmailrc
2762
(the dot is missing in this case), $FETCHMAILHOME/.fetchids and
2763
$FETCHMAILHOME/.fetchmail.pid rather than from the user's home
2764
directory. The .netrc file is always looked for in the the invoking
2765
user's home directory regardless of FETCHMAILHOME's setting.
2767
.IP \fBFETCHMAILUSER\fP
2768
If this environment variable is set, it is used as the name of the
2731
2769
calling user (default local name) for purposes such as mailing error
2732
2770
notifications. Otherwise, if either the LOGNAME or USER variable is
2733
2771
correctly set (e.g. the corresponding UID matches the session user ID)
2736
2774
session ID (this elaborate logic is designed to handle the case of
2737
2775
multiple names per userid gracefully).
2740
If the environment variable FETCHMAILHOME is set to a valid and
2741
existing directory name, fetchmail will read $FETCHMAILHOME/fetchmailrc
2742
(the dot is missing in this case), $FETCHMAILHOME/.fetchids and
2743
$FETCHMAILHOME/.fetchmail.pid rather than from the user's home
2744
directory. The .netrc file is always looked for in the the invoking
2745
user's home directory regardless of FETCHMAILHOME's setting.
2777
.IP \fBFETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS\fP
2779
If this environment variable is set and not empty, fetchmail will always load
2780
the default X.509 trusted certificate locations for SSL/TLS CA certificates,
2781
even if \fB\-\-sslcertfile\fP and \fB\-\-sslcertpath\fP are given. The latter locations take precedence over the system default locations.
2782
This is useful in case there are broken certificates in the system directories
2783
and the user has no administrator privileges to remedy the problem.
2748
2786
If the HOME_ETC variable is set, fetchmail will read
2749
2787
$HOME_ETC/.fetchmailrc instead of ~/.fetchmailrc.
2751
2789
If HOME_ETC and FETCHMAILHOME are both set, HOME_ETC will be ignored.
2791
.IP \fBSOCKS_CONF\fP
2754
2792
(only if SOCKS support is compiled in) this variable is used by the
2755
2793
socks library to find out which configuration file it should read. Set
2756
2794
this to /dev/null to bypass the SOCKS proxy.
2761
daemon is running as root, SIGUSR1 wakes it up from its sleep phase and
2762
forces a poll of all non-skipped servers. For compatibility reasons,
2763
SIGHUP can also be used in 6.3.X but may not be available in future
2797
If a \fBfetchmail\fP daemon is running as root, SIGUSR1 wakes it up from its
2798
sleep phase and forces a poll of all non-skipped servers. For compatibility
2799
reasons, SIGHUP can also be used in 6.3.X but may not be available in future
2764
2800
fetchmail versions.
2768
is running in daemon mode as non-root, use SIGUSR1 to wake it (this is
2769
so SIGHUP due to logout can retain the default action of killing it).
2802
If \fBfetchmail\fP is running in daemon mode as non-root, use SIGUSR1 to wake
2803
it (this is so SIGHUP due to logout can retain the default action of killing
2771
2806
Running \fBfetchmail\fP in foreground while a background fetchmail is
2772
2807
running will do whichever of these is appropriate to wake it up.