How to manually verify the certificates used by:
pop.gmail.com
imap.gmail.com
smtp.gmail.com

If your e-mail program complains.
First of all, here are some fingerprints I've seen recently (mostly here
to make this page findable; you can't use them for verification because
my server isn't using HTTPS and you don't trust me :P):

for imap.gmail.com:
MD5: 41:BE:CF:CE:07:70:F0:FA:EA:53:C8:FC:CB:92:5C:38
SHA1: DB:7F:2D:F4:8F:9E:94:50:3A:84:97:AE:41:73:12:A3:A5:87:5F:96


Now, how to check that:

openssl s_client -connect imap.gmail.com:993

This will spew out a bunch of text, including the certificate. Put the block
from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including those
lines) in cert.pem.

(You'll also note that openssl says "verify error:num=20:unable to get local
issuer certificate" at the top. This is the failure to verify the cert.)

Now do this:

openssl x509 -in cert.pem -text

Now under "Authority Information Access:", you'll have something like:
Authority Information Access: 
     CA Issuers - URI:http://pki.google.com/GIAG2.crt

That's the URL of the certificate that signed this one. Download it over HTTPS.
This should work, i.e. the certificate of the https server on pki.google.com should
validate, which means you've now got a trusted copy of GIAG2.crt.

So, now you have GIAG2.crt, which you trust, and cert.pem, which you're not sure about.

One more intermediate step: GIAG2.crt is in a binary format, apparently called DER.
openssl can convert it to PEM:

openssl x509 -inform DER -outform PEM -in GIAG2.crt -out GIAG2.pem

Now you can verify it:

openssl verify -CAfile GIAG2.pem cert.pem

...which hopefully comes back with:
cert.pem: OK

But... is this the same certificate that your mail program presented you with?

openssl x509 -in cert.pem -fingerprint

(or, if you need to check the MD5 fingerprint:
openssl x509 -in cert.pem -fingerprint -md5
)
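
As an added example (not part of the original page): a Python sketch of what the fingerprint step computes, namely a hash over the certificate's DER bytes, taken from saved `openssl s_client` output and compared with the value the mail program shows. The function names and the sample bytes are made up for illustration; the sample is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def leaf_der(s_client_output: str) -> bytes:
    """DER bytes of the first certificate block (the server's own cert)."""
    m = PEM_RE.search(s_client_output)
    if m is None:
        raise ValueError("no certificate block found")
    # PEM is just base64 of the DER encoding, wrapped across lines.
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest, as openssl -fingerprint prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_fingerprint(shown: str, computed: str) -> bool:
    """Compare two fingerprints, ignoring case, colons and whitespace."""
    def norm(s: str) -> str:
        return re.sub(r"[\s:]", "", s).lower()
    return norm(shown) == norm(computed)

# Constructed sample: 96 arbitrary bytes standing in for a certificate,
# wrapped the way s_client prints it. Not a real certificate.
SAMPLE_DER = bytes(range(96))
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n---\nServer certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n---\n"
)

if __name__ == "__main__":
    der = leaf_der(SAMPLE_OUTPUT)
    for algo in ("sha1", "md5"):
        print(algo.upper(), "Fingerprint=" + fingerprint(der, algo))
    # Paste the value your mail program shows in place of `shown`.
    shown = fingerprint(der).lower().replace(":", " ")
    print("match:", same_fingerprint(shown, fingerprint(der)))
```

Because the hash is taken over the DER bytes, re-wrapping or re-indenting the PEM text does not change the fingerprint, but any change to the certificate itself does.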