Getting mail server certificate fingerprint for use in offlineimap with openssl

Happy new year 2020! We now officially live in the future!
Make it a good one!

And yeah, it's been a long time since my last post. Lots of stuff has happened that I might one day write down here. But for now I'm happy to be writing again and I hope to write more on a regular basis. Not just coding-related stuff, but let's see…

Now back to topic:

I have now switched back to using offlineimap for all my mail accounts with mu4e.

To have offlineimap pin a server's TLS certificate (the cert_fingerprint option) you need that certificate's SHA-1 fingerprint. For my iCloud account the repository section looks something like this:

[Repository me-remote]
type = IMAP
remotehost = imap.mail.me.com
remoteuser = ...
remotepasseval = get_keychain_pass(account="...@me.com", server="imap.mail.me.com")
realdelete = no
maxconnections = 1
ssl = yes
cert_fingerprint = ?
sslcacertfile = /usr/local/etc/openssl/cert.pem

But how do I find out the cert fingerprint?

Well, openssl to the rescue.
First find out the server domain and the port for your mail.
For my iCloud account, according to Apple's support page, this looks like:

IMAP information for the incoming mail server

  • Server name: imap.mail.me.com
  • SSL required: Yes
  • Port: 993

So we can query the server with this command (-servername sends the hostname as SNI, so a server that hosts several names presents the right certificate, and -sha1 makes the digest explicit instead of relying on the openssl default; the first certificate in the handshake, the server's own leaf certificate, is the one that gets fingerprinted):

SSL_CERT_DIR="" openssl s_client -connect imap.mail.me.com:993 -servername imap.mail.me.com < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha1 -noout -text -in /dev/stdin

The output can be quite long for some servers (drop -text from the command if you only want the fingerprint line), but we are only interested in the first lines, which look like:

SHA1 Fingerprint=E1:A5:F9:D2:2A:81:09:79:CA:CD:FC:0B:41:51:F5:61:E8:D0:29:76
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:cb:bf:c5:66:12:7c:47:58:e9:6b:db:c3:8e:c9:e6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US

Now remove the colons from the fingerprint (offlineimap expects a plain hex string) and put it on the cert_fingerprint line of the offlineimaprc file:

E1A5F9D22A810979CACDFC0B4151F561E8D02976
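The whole procedure above, wrapped in a small script so it can be repeated when the server rotates its certificate (a pinned leaf certificate stops working the day the server gets a new one, so expect to redo this). This is an added example, not code from the original post or from offlineimap: the function names, the -servername flag and the case-insensitive comparison in check_pin are this example's own choices; the self-signed test certificate it generates is only there so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a mail server's leaf
# certificate with openssl s_client, derive the colon-free SHA-1 fingerprint
# offlineimap's cert_fingerprint option expects, and verify a stored pin.
set -e

# Fetch the leaf certificate presented by HOST:PORT as PEM.
# -servername sends SNI so a server hosting several names presents the
# right certificate; openssl x509 keeps only the first (leaf) cert.
fetch_leaf_cert() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509
}

# Turn a PEM certificate on stdin into the lowercase, colon-free SHA-1 hex
# string used on the cert_fingerprint line (the sed pattern does not depend
# on whether openssl prints "SHA1 Fingerprint=" or "sha1 Fingerprint=").
pem_to_offlineimap_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 \
        | sed -n 's/^.*Fingerprint=//p' \
        | tr -d ':' \
        | tr 'A-F' 'a-f'
}

# Independent cross-check: a certificate fingerprint is nothing more than
# the SHA-1 of the certificate's DER encoding.
pem_to_der_sha1() {
    openssl x509 -outform DER | openssl dgst -sha1 | awk '{print $NF}'
}

# Pin check in the spirit of what offlineimap does at connect time: succeed
# only if the certificate in PEM_FILE has the expected fingerprint. Colons
# and letter case are normalised away (this example's own choice).
check_pin() {
    pem_file=$1; expected=$2
    actual=$(pem_to_offlineimap_fingerprint < "$pem_file")
    wanted=$(printf '%s' "$expected" | tr -d ':' | tr 'A-F' 'a-f')
    [ "$actual" = "$wanted" ]
}

# Offline demo helper: a throwaway self-signed certificate (constructed here,
# not a real server's) standing in for the mail server's leaf certificate.
make_test_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=imap.example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Usage: ./fingerprint.sh imap.mail.me.com 993
# Prints the value to paste after "cert_fingerprint = ".
if [ "$#" -eq 2 ]; then
    fetch_leaf_cert "$1" "$2" | pem_to_offlineimap_fingerprint
fi
```

Run it once over a connection you trust (for example after checking with `openssl s_client -verify_return_code` that the chain validates against your CA bundle) and store the printed value; a fingerprint copied from a connection that was already being intercepted would pin the interceptor's certificate.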

After creating an app-specific password in my Apple account, I can use offlineimap with it.
