gw1500se's profile

Contributor

 • 

10 Messages

Sat, Jun 25, 2022 3:28 PM

How to Get Email Certificate

I am getting a warning when logging in to use --sslcertck. In order to do that I need to get the proper certificate. I have been unable to find it. Can someone point me to the certificate? TIA

ATTHelp

Community Support

 • 

195.7K Messages

2 m ago

We're here to help with your login, gw1500se!

 

We suggest using and checking if you can login to Currently to view your e-mails, as the website is supported by AT&T and we are able to determine if any present issues are with your account, or with how it connects to outside servers. However, if you are using 3rd Party Email Clients - this would be considered any other website or application outside of Currently - you may need to look into Open Authentication or Secure Mail Key to fix the certificate error you are receiving.

 

Open Authentication is a security measure we put in place that encrypts your e-mail and password when using 3rd Party e-mail clients. We have an article regarding OAuth that states what applications work with this security system.

 

If the 3rd Party e-mail client you are using is not in that list, you will need to Create a Secure Mail Key. This is a security measure that encrypts your password, and you are able to create and manage it via myAT&T. You will then use your Secure Mail Key as your password when logging into any 3rd Party programs or applications, while your login to any AT&T sites will stay the same.

 

If you are needing the information for server settings, we suggest using IMAP for your 3rd Party e-mail clients.

 

If you are still running into issues getting logged in, please let us know what error message you are receiving when trying to log into Currently.

 

We hope to hear back from you!

 

Donovan, AT&T Community Specialist

Contributor

 • 

10 Messages

2 m ago

Thanks for the reply but that was not really the question. I am able to log in but, according to the warning, insecurely. I want to implement --sslcertck, per the warning, but cannot find the appropriate certificate.

ATTHelp

Community Support

 • 

195.7K Messages

2 m ago

Thanks for the clarification, gw1500se!

 

Please send us a screenshot of the warning, so we can properly help you implement the certificate.

 

We'll be awaiting your response.

 

Aminah, AT&T Community Specialist

Contributor

 • 

10 Messages

2 m ago

Here it is:

 Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)

This is from inbound.att.net

JefferMC

ACE - Expert

 • 

29.3K Messages

2 m ago

 Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)

The screenshot would have been better, as it might have given us a clue what tool you are attempting to use to read your e-mail, since you haven't said.  You still can, you know.

Contributor

 • 

10 Messages

2 m ago

That error is from the command line. I'm using fetchmail so there is nothing to screenshot.

JefferMC

ACE - Expert

 • 

29.3K Messages

2 m ago

You can screenshot a terminal window, and then we'd have seen a Linux terminal window with a fetchmail command line and might have had a clue sooner.  I looked up the switch "--sslcertck" and figured out what we finally dragged out of you.

Quoting from an online man page for fetchmail:

--sslcertck
  (Keyword: sslcertck, default enabled since v6.4.0)
--sslcertck causes fetchmail to require that SSL/TLS be used and disconnect unless it can successfully negotiate SSL or TLS, or if it cannot successfully verify and validate the certificate and follow it to a trust anchor (or trusted root certificate). The trust anchors are given as a set of local trusted certificates (see the sslcertfile and sslcertpath options). If the server certificate cannot be obtained or is not signed by one of the trusted ones (directly or indirectly), fetchmail will disconnect, regardless of the sslfingerprint option.

So, the switch doesn't need you to have a certificate.  It only instructs fetchmail to require that the connection be encrypted with TLS encryption, which means that the remote server needs to send you a certificate with a valid trust chain to a server that you're configured to trust.

So... to answer your original question, you get the certificate by making a connection to the remote mail server.  It then sends you its certificate.

(edited)

Contributor

 • 

10 Messages

2 m ago

Then it doesn't work right.

fetchmail: Server CommonName mismatch: legacy.pop.mail.yahoo.com != inbound.att.net
fetchmail: inbound.att.net key fingerprint: F7:3F:D4:D4:EF:AA:B6:C6:3A:A3:65:26:DF:D6:62:DE
140655602763664:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:
fetchmail: SSL connection failed.

JefferMC

ACE - Expert

 • 

29.3K Messages

2 m ago

So that is telling you that the server you're connecting to is returning a certificate with a different name from the name you connected to it with. The idea is that when you connect to a server using name "x", that server should hand you a certificate for name "x", not one for name "y".

If you connected using the "inbound.att.net" name, then AT&T and Yahoo mail administration are full of id10ts who cannot find their rear end with both hands to decide what they're going to name servers and be able to hand out the right certs when connected via that name.  You can try configuring the mail server as "legacy.pop.mail.yahoo.com" and seeing if that works.  It might not work at all, work for a little while, or work forever; it's hard to tell.  "inbound.att.net" is the documented name, and that's the name the server you connect to should have on its certs when you connect to it.

If you connected using "legacy.pop.mail.yahoo.com", then try connecting via "inbound.att.net".
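
The name check behind the "Server CommonName mismatch" error above, as an added example that is not part of the original posts and is not fetchmail's own code. The function names are hypothetical, port 995 (POP3 over TLS) is an assumption, and the sample certificate is constructed: only its CommonName comes from the log in this thread, the subjectAltName entries are made up. Wildcards are handled only as a whole leftmost label.

```python
import socket
import ssl


def cert_names(cert):
    """Return the DNS names a certificate (getpeercert()-style dict) is valid for."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN entries exist, the CommonName is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Compare one certificate name with the host; '*' covers only the leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def check_host(cert, host):
    """Return (ok, names): does any name in the certificate cover the host we dialed?"""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names


def fetch_and_verify(host, port=995, timeout=10):
    """Live check (needs network): local trust store gives the anchors, server sends its cert."""
    ctx = ssl.create_default_context()  # verifies both the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()  # ssl.SSLCertVerificationError is raised on mismatch


# Constructed sample: CommonName taken from the log above, SAN entries invented.
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.pop.mail.yahoo.com"),),),
    "subjectAltName": (("DNS", "legacy.pop.mail.yahoo.com"), ("DNS", "*.pop.mail.yahoo.com")),
}

if __name__ == "__main__":
    for host in ("inbound.att.net", "legacy.pop.mail.yahoo.com"):
        ok, names = check_host(SAMPLE_CERT, host)
        print(f"{host}: {'match' if ok else 'MISMATCH'} against {names}")
```

The offline part shows why the dialed name decides the outcome: the same certificate passes for one hostname and fails for the other, with no certificate file supplied by the user in either case.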

Contributor

 • 

10 Messages

2 m ago

Thanks. That seems to work for now.

JefferMC

ACE - Expert

 • 

29.3K Messages

2 m ago

It should work until:

1) Someone at yahoo decides that legacy.pop.mail.yahoo.com is an outdated name and removes it from the DNS server, or

2) Someone at yahoo decides that the server reached by legacy.pop.mail.yahoo.com needs to return the inbound.att.net certificate.

I've reported it to AT&T, who may or may not be able to report it to Yahoo, which may be more dangerous than leaving it alone.

Contributor

 • 

10 Messages

2 m ago

For whatever reason ATT gave up control of its own email servers, it was a mistake, IMO.
