
Under Arch Linux, I want to use offlineimap to synchronize with GMail like this.

```
[general]
accounts = Gmail
maxsyncaccounts = 3

[Account Gmail]
localrepository = LocalGmail
remoterepository = RepositoryGmail
autorefresh = 30
quick = 10
postsynchook = mu index --maildir ~/.offlineimap/Gmail

[Repository LocalGmail]
type = GmailMaildir
localfolders = ~/.offlineimap/Gmail

[Repository RepositoryGmail]
type = Gmail
maxconnections = 2
remoteuser = my.gmail.accountname
remotepass = gmailapppassword
folderfilter = lambda foldername: foldername not in ['[Gmail]/All Mail', '[Gmail]/Important']
sslcacertfile = /etc/ssl/certs/ca-certificates.crt
```

which fails due to some issue with SSL.

```
$ offlineimap -o -a Gmail
OfflineIMAP 7.2.1
  Licensed under the GNU GPL v2 or any later version (with an OpenSSL exception)
imaplib2 v2.57 (bundled), Python v2.7.15, OpenSSL 1.1.1a  20 Nov 2018
Account sync Gmail:
 *** Processing account Gmail
 Establishing connection to imap.gmail.com:993 (RepositoryGmail)
 ERROR: Unknown SSL protocol connecting to host 'imap.gmail.com' for repository 'RepositoryGmail'. OpenSSL responded:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)
```

I read elsewhere that I can check the SSL connection by running

```
$ openssl s_client -showcerts -connect imap.gmail.com:993
[...]
* OK Gimap ready for requests from 217.63.244.188 s26mb317463625edc
```

which to me suggests that the error is not actually in the SSL connection, but in how offlineimap handles it. The certificate file `` exists and contains a GlobalSign Root CA - R2 certificate.

Just to be sure, I have installed six and then offlineimap into both a clean python2.7 and a clean python3.7 virtualenv using their respective pips, and the CERTIFICATE_VERIFY_FAILED persists.

How do I get offlineimap to talk to GMail?

Anaphory
  • First... Have you enabled access to your Google account from [less secure applications](https://support.google.com/accounts/answer/6010255?hl=en) ... And Second... Have you created an [OAuth token](https://developers.google.com/identity/protocols/OAuth2) for the `offlineimap` application to use instead of your username and password. – RubberStamp Dec 12 '18 at 12:54
  • I have 2FA activated, so I have to use an app-specific password (which I do), instead of allowing access from less secure applications. I have not tried OAuth, I may try that later, in particular if I find a good guide on how to do it. – Anaphory Dec 12 '18 at 13:41
  • The problem is with the server certificate pinning. Google is migrating its CA... perhaps the imap server certificate is in flux.... Try saving the server cert in a local file and put that in the `sslcacertfile=` option. .... Reference [here](https://developers.google.com/maps/root-ca-faq) and [here](https://good.gsr2demo.pki.goog/) – RubberStamp Dec 12 '18 at 14:26

1 Answer


On Arch, OpenSSL is now at 1.1.1, which runs into trouble with imaplib2:

https://github.com/imaplib2/imaplib2/issues/5

As described in:

https://github.com/OfflineIMAP/offlineimap/issues/573

you can add `ssl_version=tls1_2` to your `.offlineimaprc`, and that will solve the issue.

  • SO MUCH THANKS! I have been trying to set up (arch+offlineimap+gmail) since a month ago and it never worked! Now this line simply solves my problem. I would recommend people who are newbies like me to try out the description in (https://pbrisbin.com/posts/mutt_gmail_offlineimap/) with @Reimundo's answer! I felt my life is saved. Thanks again very much. – Student Feb 19 '19 at 01:14
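A way to check the two suspects in this thread separately (the CA bundle and the negotiated TLS version), as an added example that is not part of the original posts and not offlineimap's or imaplib2's code. It uses Python 3.7+'s standard `ssl` module and, unlike a bare `openssl s_client`, which carries on after a verification error, it aborts the handshake when the chain or hostname does not verify. The function names `make_context` and `probe` are hypothetical; the host and CA path are the ones from the question.

```python
import socket
import ssl


def make_context(cafile=None, pin_tls12=False):
    """Build a verifying client context (hypothetical helper).

    pin_tls12=True restricts the handshake to TLS 1.2, which is the
    effect the answer's ssl_version=tls1_2 setting is meant to have.
    """
    # create_default_context() enables CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    if pin_tls12:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=993, cafile=None, pin_tls12=False, timeout=10):
    """Attempt one verified handshake; return (ok, detail)."""
    ctx = make_context(cafile, pin_tls12)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Chain or hostname did not verify against the given CA bundle.
        return False, "certificate verification failed: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Protocol-level failure, refused connection, timeout, ...
        return False, "%s: %s" % (type(exc).__name__, exc)


if __name__ == "__main__":
    ca = "/etc/ssl/certs/ca-certificates.crt"  # sslcacertfile from the question
    for pinned in (False, True):
        ok, detail = probe("imap.gmail.com", cafile=ca, pin_tls12=pinned)
        label = "TLS 1.2 only" if pinned else "library default"
        print("%-16s %-4s %s" % (label, "OK" if ok else "FAIL", detail))
```

If both runs succeed here while offlineimap still reports `CERTIFICATE_VERIFY_FAILED`, the CA bundle is fine and the difference lies in how the client library performs the handshake.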