A few years ago I finally let go and started using a hosted email provider. Running a secure email platform is something I’ve done for years, both professionally and personally, but I was tired of power outages at home taking my email offline, and it’s far less expensive to move to hosted email than to convert my home into a redundant datacenter.
After some research, I landed on Fastmail. Pricing is very reasonable and they allow me to use all of the domains I have in my one account. To date, and it’s been a couple of years now, I’ve never lost access to my email due to their back-end going down. And, they are always pushing the boundaries with security and new features to improve the service. I’ve been very happy.
One of my favorite things to do is set up a dedicated email alias whenever I sign up for something new online. Then, if that company sells my email address to spammers, etc., I can always tell who it was and delete the alias. I’m sure other providers can do that too, but it’s a wonderful thing.
Since I’m a sysadmin at heart though, I can’t just trust my email to them and not think about it again. I could re-point my domains pretty quickly if something were to happen to them as a company, but I also want to maintain my own totally offline backup of my IMAP mailbox.
Enter OfflineIMAP.
I run a script every day on one of my Linux servers that syncs down all of my email to a local machine, which I then further backup and protect.
This process begins with a BASH script:

```bash
#!/usr/bin/env bash
# First step is to make sure we're not running already. If so, wait 2 seconds
# and try again. Nearly pointless, but good to have, especially in testing.
while pkill --signal 0 offlineimap
do
    sleep 2
done
rm -f /home/topslakr/sent # This is Mutt's cache of sent emails, which I don't maintain long term.
offlineimap -c /home/topslakr/.offlineimaprc > /home/topslakr/Email_Sync.tmp 2>&1 & # Runs the backup in the background, writing its output to the .tmp file.
sleep 60 # Wait 1 minute for the process to complete. It usually takes less than 10 seconds.
mutt -s "Email Sync" {Your Email Address} < /home/topslakr/Email_Sync.tmp # Emails the output of OfflineIMAP's run to me
```
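The wrapper above sleeps a fixed 60 seconds and only guesses whether a previous run is still going. The following is an added example, not the post's own script, that does the same job but takes an atomic lock, waits for the sync to actually finish, and puts the exit status in the report subject so a failed run (for instance a fingerprint mismatch after a certificate rotation) stands out in the inbox. The config and log paths are the post's; the lock directory, the `SYNC_CMD` override and the recipient address are assumptions added for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a daily offlineimap wrapper that
# refuses to overlap with a running sync, waits for the real exit status, and
# reports it. Paths are the post's; LOCKDIR, SYNC_CMD and RECIPIENT are assumed.

RC="${RC:-/home/topslakr/.offlineimaprc}"          # offlineimap config (from the post)
LOG="${LOG:-/home/topslakr/Email_Sync.tmp}"        # captured output (from the post)
LOCKDIR="${LOCKDIR:-/tmp/offlineimap-backup.lock}" # assumed lock location
SYNC_CMD="${SYNC_CMD:-offlineimap -c $RC}"         # overridable for testing
RECIPIENT="${RECIPIENT:-you@example.com}"          # placeholder address

# mkdir(2) is atomic, so it works as a lock without relying on flock(1).
# Returns non-zero immediately if another run already holds the lock.
acquire_lock() { mkdir "$LOCKDIR" 2>/dev/null; }
release_lock() { rmdir "$LOCKDIR" 2>/dev/null; }

# Run the sync in the foreground, capturing stdout and stderr to $LOG, and
# return its exit status. 75 (EX_TEMPFAIL) signals "already running".
run_sync() {
    acquire_lock || { echo "another sync is still running" >&2; return 75; }
    trap 'release_lock' EXIT
    $SYNC_CMD > "$LOG" 2>&1
    local status=$?
    release_lock
    trap - EXIT
    return "$status"
}

# Subject line for the status mail: the exit status goes up front so a
# failure (e.g. cert_fingerprint no longer matching) is visible at a glance.
report_subject() {
    if [ "$1" -eq 0 ]; then
        echo "Email Sync: OK"
    else
        echo "Email Sync: FAILED (exit $1)"
    fi
}

# Mail the captured log with the status in the subject (uses mutt like the post).
send_report() {
    mutt -s "$(report_subject "$1")" "$RECIPIENT" < "$LOG"
}

# Only act when invoked as "script run"; sourcing the file just defines functions.
if [ "${1:-}" = "run" ]; then
    run_sync
    status=$?
    send_report "$status"
    exit "$status"
fi
```

Schedule it from cron as `backup-mail.sh run`; a second cron firing while a long sync is still in progress exits 75 instead of starting another offlineimap against the same Maildir.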
For that script to work, you’ll need to set up configuration files both for OfflineIMAP itself and for mutt, a text-based email client on Linux.
Firstly, here is my config file for OfflineIMAP. This file, on my CentOS 7 system, is located in my /home/
```ini
[general]
accounts =

[Account
localrepository = Local
remoterepository = Remote
status_backend = sqlite

[Repository Local]
type = Maildir
localfolders =

[Repository Remote]
type = IMAP
remotehost = mail.messagingengine.com
remoteport = 993
ssl = yes
cert_fingerprint = ddac83e619367e9e5f6f0142decba6872d7319f2
holdconnectionopen = yes
remoteuser = Fastmail.com User Name
remotepass = Single Use Password
```
`[general]` defines the accounts OfflineIMAP is aware of. You can give them any name you like, and you then define each account’s properties in the following `[Account ___]` section. The settings I have listed for `[general]` and `[Account ___]` will likely work for you as well.
`[Repository Local]` is the spot on your system where email is stored. It will build the folder structure you have in your IMAP account and put the messages within it.
`[Repository Remote]` holds the details about the remote IMAP server itself. We’ll dig into `cert_fingerprint` below. Make sure you set your username and password. With Fastmail you will need to set an app password in your account for this. Your normal Fastmail password will not work.
The final piece that I use is mutt to send me a status email. This isn’t required. I like to get notifications about routine jobs that run, so I can keep an eye on them. In this case, I take the status output of OfflineIMAP and email it to myself each day so I know it ran.
This is pretty simple. You just need to put a few details into your .muttrc file. My .muttrc file looks like this:

```
set ssl_starttls=yes
set ssl_force_tls=yes
set smtp_url = "smtp://[fastmail Login]:[Another App Password]@smtp.fastmail.com:587/"
```

Pretty simple. I use a different app password for each piece, but it’s probably possible to use just one.
So, the `cert_fingerprint` line.
**Edit 10/7/2021**
I was just re-finding the fingerprint for my script this morning, and I found out that Fastmail actually publishes these. You can find them at the link below.
You can use the fingerprints at the above link instead of the process that follows.
**Edit 10/26/2022**
The fingerprints Fastmail is posting are not in the format offlineimap wants. The good news is that offlineimap now shows you the cert fingerprint in its error when it doesn’t match. So, you can grab the fingerprint from the error and add it to your .offlineimaprc file.
**Back to the original post**
When you set up OfflineIMAP you add to your config a unique identifier (the SHA-1 fingerprint) of the SSL certificate installed on the secure remote IMAP server. OfflineIMAP will then only sync if that certificate remains in place. If the remote side gets compromised, or someone intercepts the traffic and tries to decrypt it, OfflineIMAP will not run. Also, when Fastmail updates their SSL certificates, OfflineIMAP will fail until you update the fingerprint. It’s really easy to get that identifier though, using a tool called `gnutls-cli`.
Simply run the tool with the server’s address:

```
gnutls-cli mail.messagingengine.com
```

In the output from that command, look for the ‘SHA-1 fingerprint’ for the address you submitted. Often the output will give you data for the certificate on the server as well as the other certificates in the chain.
For this command this is the relevant data, and it’s not unique to you. This is the current (01/30/2020) SHA-1 fingerprint for mail.messagingengine.com:

```
- subject `C=AU,ST=Victoria,L=Melbourne,O=FastMail Pty Ltd,CN=*.messagingengine.com', issuer `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2020-01-22 00:00:00 UTC', expires `2021-02-24 12:00:00 UTC', SHA-1 fingerprint `ddac83e619367e9e5f6f0142decba6872d7319f2'
```
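The 10/26/2022 edit notes that the fingerprints Fastmail publishes are not in the form `cert_fingerprint` wants, and the original process above gets the value from `gnutls-cli` by hand. The following added example, not code from the post, does both steps in shell: it normalises a fingerprint from the colon-separated, upper-case form that `openssl x509 -fingerprint` prints (and that I assume Fastmail's published list uses) into the bare lower-case hex that offlineimap expects, and it can fetch the live leaf certificate's SHA-1 fingerprint with `openssl s_client` to compare against the pinned value. The pinned value used in the test is the post's 2020 fingerprint, which that certificate's stated expiry makes stale; the network fetch needs `openssl` and a connection and is not exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): normalise certificate fingerprints
# into offlineimap's cert_fingerprint format and compare a pinned value against
# the certificate a server actually presents. The published-fingerprint format
# (colon-separated upper-case hex, optional "SHA1 Fingerprint=" prefix) is an
# assumption; the post only says Fastmail's format differs from offlineimap's.

# Turn "SHA1 Fingerprint=DD:AC:83:..." / "DD:AC:83:..." / "ddac83..." into
# "ddac83...": drop any "label=" prefix, colons and whitespace, lower-case it.
normalize_fingerprint() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n\r' | tr '[:upper:]' '[:lower:]'
}

# SHA-1 fingerprint of the leaf certificate an IMAPS server presents.
# Needs openssl and network access; not used by the offline checks below.
live_fingerprint() {
    host="$1"
    port="${2:-993}"
    raw=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha1)
    normalize_fingerprint "$raw"
}

# Returns 0 only if both values normalise to the same 40-hex-digit SHA-1.
# Rejects anything that is not a well-formed fingerprint so a typo in the
# pinned value never "matches" an equally malformed observed value.
fingerprint_matches() {
    pinned=$(normalize_fingerprint "$1")
    observed=$(normalize_fingerprint "$2")
    case "$pinned" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#pinned}" -eq 40 ] || return 1
    [ "$pinned" = "$observed" ]
}

# Usage: check-pin.sh <host> <pinned-fingerprint> [port]
# Prints the live value in offlineimap's format and exits 0 on match.
if [ "$#" -ge 2 ]; then
    live=$(live_fingerprint "$1" "${3:-993}")
    echo "cert_fingerprint = $live"
    if fingerprint_matches "$2" "$live"; then
        echo "pin matches"
    else
        echo "pin MISMATCH: certificate changed or connection intercepted" >&2
        exit 1
    fi
fi
```

Run it from the same cron job before offlineimap, or by hand after a `cert_fingerprint` failure: the printed `cert_fingerprint = ...` line is already in the form the `.offlineimaprc` above needs, and the exit status tells you whether the server still presents the certificate you pinned.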
Good luck with your backups!
Topslakr
This is super helpful, thank you for posting this and example configs! I’m currently setting up offlineimap + notmuch with my Fastmail account 🙂
Glad I was able to help you along. I’d not heard of notmuch. Looks pretty neat!
As for the FastMail IMAP server, it works with imap.fastmail.com as well — in accordance with their own docs: https://www.fastmail.com/help/technical/servernamesandports.html
The fingerprint is different, though.