imapext-2007: docs/FAQ.txt @ 0:ada5e610ab86 (imap-2007e)
author: yuuji@gentei.org
date: Mon, 14 Sep 2009 15:17:45 +0900

/* ========================================================================
 * Copyright 1988-2007 University of Washington
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *
 * ========================================================================
 */

IMAP Toolkit Frequently Asked Questions

Table of Contents

  * 1. General/Software Feature Questions
    + 1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.?
    + 1.2 I am currently using qpopper as my POP3 server on UNIX.
      Do I need to replace it with ipop3d in order to run imapd?
    + 1.3 Can I set up a POP or IMAP server on Windows XP, 2000,
      NT, Me, 98, or 95?
    + 1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS?
    + 1.5 Can I set up a POP or IMAP server on Macintosh?
    + 1.6 Can I set up a POP or IMAP server on VAX/VMS?
    + 1.7 Can I set up a POP or IMAP server on TOPS-20?
    + 1.8 Are hierarchical mailboxes supported?
    + 1.9 Are "dual-use" mailboxes supported?
    + 1.10 Can I have a mailbox that has both messages and
      sub-mailboxes?
    + 1.11 What is the difference between "mailbox" and "folder"?
    + 1.12 What is the status of internationalization?
    + 1.13 Can I use SSL?
    + 1.14 Can I use TLS and the STARTTLS facility?
    + 1.15 Can I use CRAM-MD5 authentication?
    + 1.16 Can I use APOP authentication?
    + 1.17 Can I use Kerberos V5?
    + 1.18 Can I use PAM for plaintext passwords?
    + 1.19 Can I use Kerberos 5 for plaintext passwords?
    + 1.20 Can I use AFS for plaintext passwords?
    + 1.21 Can I use DCE for plaintext passwords?
    + 1.22 Can I use the CRAM-MD5 database for plaintext passwords?
    + 1.23 Can I disable plaintext passwords?
    + 1.24 Can I disable plaintext passwords on unencrypted
      sessions, but allow them on encrypted sessions?
    + 1.25 Can I use virtual hosts?
    + 1.26 Can I use RPOP authentication?
    + 1.27 Can I use Kerberos V4?
    + 1.28 Is there support for S/Key or OTP?
    + 1.29 Is there support for NTLM or SPA?
    + 1.30 Is there support for mh?
    + 1.31 Is there support for qmail and the maildir format?
    + 1.32 Is there support for the Cyrus mailbox format?
    + 1.33 Is this software Y2K compliant?
  * 2. What Do I Need to Build This Software?
    + 2.1 What do I need to build this software with SSL on UNIX?
    + 2.2 What do I need to build this software with Kerberos V on
      UNIX?
    + 2.3 What do I need to use a C++ compiler with this software
      to build my own application?
    + 2.4 What do I need to build this software on Windows?
    + 2.5 What do I need to build this software on DOS?
    + 2.6 Can't I use Borland C to build this software on the PC?
    + 2.7 What do I need to build this software on the Mac?
    + 2.8 What do I need to build this software on VMS?
    + 2.9 What do I need to build this software on TOPS-20?
    + 2.10 What do I need to build this software on Amiga or OS/2?
    + 2.11 What do I need to build this software on Windows CE?
  * 3. Build and Configuration Questions
    + 3.1 How do I configure the IMAP and POP servers on UNIX?
    + 3.2 I built and installed the servers according to the BUILD
      instructions. It can't be that easy. Don't I need to write a
      config file?
    + 3.3 How do I make the IMAP and POP servers look for INBOX at
      some place other than the mail spool directory?
    + 3.4 How do I make the IMAP server look for secondary folders
      at some place other than the user's home directory?
    + 3.5 How do I configure SSL?
    + 3.6 How do I configure TLS and the STARTTLS facility?
    + 3.7 How do I build/install OpenSSL and obtain/create
      certificates for use with SSL?
    + 3.8 How do I configure CRAM-MD5 authentication?
    + 3.9 How do I configure APOP authentication?
    + 3.10 How do I configure Kerberos V5?
    + 3.11 How do I configure PAM for plaintext passwords?
    + 3.12 It looks like all I have to do to make the server use
      Kerberos is to build with PAM on my Linux system, and set it
      up in PAM for Kerberos passwords. Right?
    + 3.13 How do I configure Kerberos 5 for plaintext passwords?
    + 3.14 How do I configure AFS for plaintext passwords?
    + 3.15 How do I configure DCE for plaintext passwords?
    + 3.16 How do I configure the CRAM-MD5 database for plaintext
      passwords?
    + 3.17 How do I disable plaintext passwords?
    + 3.18 How do I disable plaintext passwords on unencrypted
      sessions, but allow them in SSL or TLS sessions?
    + 3.19 How do I configure virtual hosts?
    + 3.20 Why do I get compiler warning messages such as:
        o passing arg 3 of `scandir' from incompatible pointer
          type
        o Pointers are not assignment-compatible.
        o Argument #4 is not the correct type.
      during the build?
    + 3.21 Why do I get compiler warning messages such as
        o Operation between types "void(*)(int)" and "void*" is
          not allowed.
        o Function argument assignment between types "void*" and
          "void(*)(int)" is not allowed.
        o Pointers are not assignment-compatible.
        o Argument #5 is not the correct type.
      during the build?
    + 3.22 Why do I get linker warning messages such as:
        o mtest.c:515: the `gets' function is dangerous and should
          not be used.
      during the build? Isn't this a security bug?
    + 3.23 Why do I get linker warning messages such as:
        o auth_ssl.c:92: the `tmpnam' function is dangerous and
          should not be used.
      during the build? Isn't this a security bug?
    + 3.24 OK, suppose I see a warning message about a function
      being "dangerous and should not be used" for something other
      than this gets() or tmpnam() call?
  * 4. Operational Questions
    + 4.1 How can I enable anonymous IMAP logins?
    + 4.2 How do I set up an alert message that each IMAP user will
      see?
    + 4.3 How does the c-client library choose which of its several
      mechanisms to use to establish an IMAP connection to the
      server? I noticed that it can connect on port 143, port 993,
      via rsh, and via ssh.
    + 4.4 I am using a TLS-capable IMAP server, so I don't need to
      use /ssl to get encryption. However, I want to be certain
      that my session is TLS encrypted before I send my password.
      How do I do this?
    + 4.5 How do I use one of the alternative formats described in
      the formats.txt document? In particular, I hear that mbx
      format will give me better performance and allow shared
      access.
    + 4.6 How do I set up shared mailboxes?
    + 4.7 How can I make the server syslogs go to someplace other
      than the mail syslog?
  * 5. Security Questions
    + 5.1 I see that the IMAP server allows access to arbitrary
      files on the system, including /etc/passwd! How do I disable
      this?
    + 5.2 I've heard that IMAP servers are insecure. Is this true?
    + 5.3 How do I know that I have the most secure version of the
      server?
    + 5.4 I see all these strcpy() and sprintf() calls, those are
      unsafe, aren't they?
    + 5.5 Those /tmp lock files are protected 666, is that really
      right?
  * 6. Why Did You Do This Strange Thing? Questions
    + 6.1 Why don't you use GNU autoconfig / automake /
      autoblurdybloop?
    + 6.2 Why do you insist upon a build with -g? Doesn't it waste
      disk and memory space?
    + 6.3 Why don't you make c-client a shared library?
    + 6.4 Why don't you use iconv() for internationalization
      support?
    + 6.5 Why is the IMAP server connected to the home directory by
      default?
    + 6.6 I have a Windows system. Why isn't the server plug and
      play for me?
    + 6.7 I looked at the UNIX SSL code and saw that you have the
      SSL data payload size set to 8192 bytes. SSL allows 16K; why
      aren't you using the full size?
    + 6.8 Why is an mh format INBOX called #mhinbox instead of just
      INBOX?
    + 6.9 Why don't you support the maildir format?
    + 6.10 Why don't you support the Cyrus format?
    + 6.11 Why is it creating extra forks on my SVR4 system?
    + 6.12 Why are you so fussy about the date/time format in the
      internal "From " line in traditional UNIX mailbox files? My
      other mail program just considers every line that starts with
      "From " to be the start of the message.
    + 6.13 Why is traditional UNIX format the default format?
    + 6.14 Why do you write this "DON'T DELETE THIS MESSAGE --
      FOLDER INTERNAL DATA" message at the start of traditional
      UNIX and MMDF format mailboxes?
    + 6.15 Why don't you stash the mailbox metadata in the first
      real message of the mailbox instead of writing this fake
      FOLDER INTERNAL DATA message?
    + 6.16 Why aren't "dual-use" mailboxes the default?
    + 6.17 Why do you use ucbcc to build on Solaris?
    + 6.18 Why should I care about some old system with BSD
      libraries? cc is the right thing on my Solaris system!
    + 6.19 Why do you insist upon writing .lock files in the spool
      directory?
    + 6.20 Why should I care about compatibility with the past?
  * 7. Problems and Annoyances
    + 7.1 Help! My INBOX is empty! What happened to my messages?
    + 7.2 Help! All my messages in a non-INBOX mailbox have been
      concatenated into one message which claims to be from me and
      has a subject of the file name of the mailbox! What's going
      on?
    + 7.3 Why do I get the message:
        o CREATE failed: Can't create mailbox node xxxxxxxxx: File
          exists
      and how do I fix it?
    + 7.4 Why can't I log in to the server? The user name and
      password are right!
    + 7.5 Help! My load average is soaring and I see hundreds of
      POP and IMAP servers, many logged in as the same user!
    + 7.6 Why does mail disappear even though I set "keep mail on
      server"?
    + 7.7 Why do I get the message
        o Moved ##### bytes of new mail to /home/user/mbox from
          /var/spool/mail/user
      and why did this happen?
    + 7.8 Why isn't it showing the local host name as a
      fully-qualified domain name?
    + 7.9 Why is the local host name in the From/Sender/Message-ID
      headers of outgoing mail not coming out as a fully-qualified
      domain name?
    + 7.10 What does the message:
        o Mailbox vulnerable - directory /var/spool/mail must have
          1777 protection
      mean? How can I fix this?
    + 7.11 What does the message:
        o Mailbox is open by another process, access is readonly
      mean? How do I fix this?
    + 7.12 What does the message:
        o Can't get write access to mailbox, access is readonly
      mean?
    + 7.13 I set my POP3 client to "delete messages from server"
      but they never get deleted. What is wrong?
    + 7.14 What do messages such as:
        o Message ... UID ... already has UID ...
        o Message ... UID ... less than ...
        o Message ... UID ... greater than last ...
        o Invalid UID ... in message ..., rebuilding UIDs
      mean?
    + 7.15 What do the error messages:
        o Unable to read internal header at ...
        o Unable to find CRLF at ...
        o Unable to parse internal header at ...
        o Unable to parse message date at ...
        o Unable to parse message flags at ...
        o Unable to parse message UID at ...
        o Unable to parse message size at ...
        o Last message (at ... ) runs past end of file ...
      mean? I am using mbx format.
    + 7.16 What do the syslog messages:
        o imap/tcp server failing (looping)
        o pop3/tcp server failing (looping)
      mean? When it happens, the listed service shuts down. How can
      I fix this?
    + 7.17 What does the syslog message:
        o Mailbox lock file /tmp/.600.1df3 open failure:
          Permission denied
      mean?
    + 7.18 What do the syslog messages:
        o Command stream end of file, while reading line user=...
          host=...
        o Command stream end of file, while reading char user=...
          host=...
        o Command stream end of file, while writing text user=...
          host=...
      mean?
    + 7.19 Why did my POP or IMAP session suddenly disconnect? The
      syslog has the message:
        o Killed (lost mailbox lock) user=... host=...
    + 7.20 Why does my IMAP client show all the files on the
      system, recursively from the UNIX root directory?
    + 7.21 Why does my IMAP client show all of my files,
      recursively from my UNIX home directory?
    + 7.22 Why does my IMAP client show that I have mailboxes named
      "#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"?
    + 7.23 Why does my IMAP client show all my files in my home
      directory?
    + 7.24 Why is there a long delay before I get connected to the
      IMAP or POP server, no matter what client I use?
    + 7.25 Why is there a long delay in Pine or any other c-client
      based application call before I get connected to the IMAP
      server? The hang seems to be in the c-client mail_open()
      call. I don't have this problem with any other IMAP client.
      There is no delay connecting to a POP3 or NNTP server with
      mail_open().
    + 7.26 Why does a message sometimes get split into two or more
      messages on my SUN system?
    + 7.27 Why did my POP or IMAP session suddenly disconnect? The
      syslog has the message:
        o Autologout user=<...my user name...> host=<...my imap
          server...>
    + 7.28 What does the UNIX error message:
        o TLS/SSL failure: myserver: SSL negotiation failed
      mean?
    + 7.29 What does the PC error message:
        o TLS/SSL failure: myserver: Unexpected TCP input
          disconnect
      mean?
    + 7.30 What does the error message:
        o TLS/SSL failure: myserver: Server name does not match
          certificate
      mean?
    + 7.31 What does the UNIX error message:
        o TLS/SSL failure: myserver: self-signed certificate
      mean?
    + 7.32 What does the PC error message
        o TLS/SSL failure: myserver: Self-signed certificate or
          untrusted authority
      mean?
    + 7.33 What does the UNIX error message:
        o TLS/SSL failure: myserver: unable to get local issuer
          certificate
      mean?
    + 7.34 Why does reading certain messages hang when using
      Netscape? It works fine with Pine!
    + 7.35 Why does Netscape say that there's a problem with the
      IMAP server and that I should "Contact your mail server
      administrator."?
    + 7.36 Why is one user creating huge numbers of IMAP or POP
      server sessions?
    + 7.37 Why don't I get any new mail notifications from Outlook
      Express or Outlook after a while?
    + 7.38 Why don't I get any new mail notifications from
      Entourage?
    + 7.39 Why doesn't Entourage work at all?
    + 7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all?
    + 7.41 Why can't I connect via SSL to Eudora? It says the
      connection has been broken, and in the server syslogs I see
      "Command stream end of file".
    + 7.42 Sheesh. Aren't there any good IMAP clients out there?
    + 7.43 But wait! PC Pine (or other PC program built with
      c-client) crashes with the message
        o incomplete SecBuffer exceeds maximum buffer size
      when I use SSL connections. This is a bug in c-client, right?
    + 7.44 My qpopper users keep on getting the DON'T DELETE THIS
      MESSAGE -- FOLDER INTERNAL DATA if they also use Pine or
      IMAP. How can I fix this?
    + 7.45 Help! I installed the servers but I can't connect to
      them from my client!
    + 7.46 Why do I get the message
        o Can not authenticate to SMTP server: 421 SMTP connection
          went away!
      and why did this happen? There was also something about
        o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
    + 7.47 Why do I get the message
        o SMTP Authentication cancelled
      and why did this happen? There was also something about
        o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
    + 7.48 Why do I get the message
        o Invalid base64 string
      when I try to authenticate to a Cyrus server?
  * 8. Where to Go For Additional Information
    + 8.1 Where can I go to ask questions?
    + 8.2 I have some ideas for enhancements to IMAP. Where should
      I go?
    + 8.3 Where can I read more about IMAP and other email
      protocols?
    + 8.4 Where can I find out more about setting up and
      administering an IMAP server?
_________________________________________________________________

1. General/Software Feature Questions
_________________________________________________________________

1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.?

Yes. Refer to the UNIX specific notes in files CONFIG and
BUILD.
_________________________________________________________________

1.2 I am currently using qpopper as my POP3 server on UNIX. Do I need
to replace it with ipop3d in order to run imapd?

Not necessarily.

Although ipop3d interoperates with imapd better than qpopper,
imapd and qpopper will work together. The few qpopper/imapd
interoperability issues mostly affect users who use both IMAP
and POP3 clients; those users would probably be better served
if their POP3 server is ipop3d.

If you are happy with qpopper and just want to add imapd, you
should do that, and defer a decision on changing qpopper to
ipop3d. That way, you can get comfortable with imapd's
performance, without changing anything for your qpopper users.

Many sites have subsequently decided to change from qpopper to
ipop3d in order to get better POP3/IMAP interoperability. If
you need to do this, you'll know. There also seems to be a way
to make qpopper work better with imapd; see the answer to the
"My qpopper users keep on getting the DON'T DELETE THIS MESSAGE
-- FOLDER INTERNAL DATA if they also use Pine or IMAP. How can
I fix this?" question.
_________________________________________________________________

1.3 Can I set up a POP or IMAP server on Windows XP, 2000, NT, Me, 98,
or 95?

Yes. Refer to the NT specific notes in files CONFIG and BUILD.
Also, for DOS-based versions of Windows (Windows Me, 98, and
95) you *must* set up CRAM-MD5 authentication, as described in
md5.txt.

There is no file access control on Windows 9x or Me, so you
will probably have to modify env_unix.c to prevent people from
getting at other users' mail.

Note, however, that the server is not plug and play the way it
is for UNIX.
_________________________________________________________________

1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS?
1.5 Can I set up a POP or IMAP server on Macintosh?
1.6 Can I set up a POP or IMAP server on VAX/VMS?

Yes, it's just a small matter of programming.
_________________________________________________________________

1.7 Can I set up a POP or IMAP server on TOPS-20?

You have a TOPS-20 system? Cool.

If IMAP2 (RFC 1176) is good enough for you, you can use MAPSER,
which is about the ultimate gonzo pure TOPS-20 extended
addressing assembly language program. Unfortunately, IMAP2 is
barely good enough for Pine these days, and most other IMAP
clients won't work with IMAP2 at all. Maybe someone will hack
MAPSER to do IMAP4rev1 some day.

We don't know if anyone wrote a POP3 server for TOPS-20. There
definitely was a POP2 server once upon a time.

Or you can port the POP and IMAP server from this IMAP toolkit
to it. All that you need for a first stab is to port the MTX
driver. That'll probably be just a couple of hours of hacking.
_________________________________________________________________

1.8 Are hierarchical mailboxes supported?
1.9 Are "dual-use" mailboxes supported?
1.10 Can I have a mailbox that has both messages and sub-mailboxes?

Yes. However, there is one important caveat.

Some mailbox formats, including the default, which is the
traditional UNIX mailbox format, are stored as a single file
containing all the messages. UNIX does not permit a name in the
filesystem to be both a file and a directory; consequently you
cannot have a sub-mailbox within a mailbox that is in one of
these formats.

This is not a limitation of the software; this is a limitation
of UNIX. For example, there are mailbox formats in which the
name is a directory and each message is a file within that
directory; these formats support sub-mailboxes within such
mailboxes. However, for technical reasons, the "flat file"
formats are generally preferred since they perform better. Read
imap-2007/docs/formats.txt for more information on this topic.

It is always permissible to create a directory that is not a
mailbox, and have sub-mailboxes under it. The easiest way to
create a directory is to create a new mailbox inside a
directory that doesn't already exist. For example, if you
create "Mail/testbox" on UNIX, the directory "Mail/" will
automatically be created and then the mailbox "testbox" will be
created as a sub-mailbox of "Mail/".

It is also possible to create the name "Mail/" directly. Check
the documentation for your client software to see how to do
this with that software.

Of course, on Windows systems you would use "\" instead of "/".
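
The file-versus-directory rule above, as an added example in Python.
This is illustration code, not code from the toolkit; the exact create
semantics, the use of an empty file as an empty flat-file mailbox and
the rejection of "." / ".." components are assumptions of this example.
Creating "Mail/testbox" makes the directory "Mail/" and then the
flat-file mailbox "testbox"; a sub-mailbox below "testbox" is refused
because a file cannot also be a directory; a trailing "/" creates a bare
hierarchy node with no messages.

```python
import os
import tempfile


def create_mailbox(root, name):
    """Create mailbox `name` (using "/" as the hierarchy delimiter) below
    `root`, as a flat-file (traditional UNIX format) backend would have to.

    Returns "directory" when `name` ends in "/" (a hierarchy node that
    holds no messages) and "mailbox" when an empty flat-file mailbox was
    created.  Missing parent directories are created on demand.  Raises
    NotADirectoryError when a parent component is an existing flat-file
    mailbox, since a filesystem name cannot be both a file and a directory.
    Absolute names and names with empty, "." or ".." components are
    rejected so that a caller cannot escape `root` (a hardening choice of
    this example, not something the FAQ describes).
    """
    if not name or name.startswith("/"):
        raise ValueError(f"bad mailbox name {name!r}")
    want_directory = name.endswith("/")
    parts = name.rstrip("/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"bad mailbox name {name!r}")
    # Every component except a final mailbox name must be a directory.
    dir_parts = parts if want_directory else parts[:-1]
    path = root
    for component in dir_parts:
        path = os.path.join(path, component)
        if os.path.isfile(path):
            raise NotADirectoryError(f"{component!r} is a flat-file mailbox")
        os.makedirs(path, exist_ok=True)
    if want_directory:
        return "directory"
    final = os.path.join(path, parts[-1])
    if os.path.exists(final):
        raise FileExistsError(f"mailbox {name!r} already exists")
    with open(final, "x"):      # an empty file is a valid, empty mailbox
        pass
    return "mailbox"


def demo():
    """Walk through the FAQ's scenario in a scratch directory."""
    root = tempfile.mkdtemp()
    steps = []
    steps.append(create_mailbox(root, "Mail/testbox"))         # creates Mail/ then testbox
    steps.append(os.path.isdir(os.path.join(root, "Mail")))    # Mail/ was auto-created
    try:
        create_mailbox(root, "Mail/testbox/sub")               # testbox is a file
        steps.append("created")
    except NotADirectoryError:
        steps.append("refused")
    steps.append(create_mailbox(root, "Archive/"))             # bare directory, no messages
    return steps


if __name__ == "__main__":
    print(demo())
```

The same constraint is why a client that offers "create sub-folder" on
a traditional-format mailbox gets an error from the server rather than
a nested folder: the only fix is to create the hierarchy node first and
keep messages in leaf mailboxes below it.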
_________________________________________________________________

1.11 What is the difference between "mailbox" and "folder"?

The term "mailbox" is IMAP-speak for what a lot of software
calls a "folder" or a "mail folder". However, "folder" is often
used in other contexts to refer to a directory, for example, in
the graphic user interface on both Windows and Macintosh.

A "mailbox" is specifically defined as a named object that
contains messages. It is not required to be capable of
containing other types of objects, including other mailboxes,
although some mailbox formats will permit this.

In IMAP-speak, a mailbox which cannot contain other mailboxes
is called a "no-inferiors mailbox". Similarly, a directory
which cannot contain messages is not a mailbox and is called a
"no-select name".
_________________________________________________________________

1.12 What is the status of internationalization?

The IMAP toolkit is partially internationalized and
multilingualized.

Searching is supported in the following charsets: US-ASCII,
UTF-8, ISO-8859-1, ISO-8859-2, ISO-8859-3, ISO-8859-4,
ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-9,
ISO-8859-10, ISO-8859-11, ISO-8859-13, ISO-8859-14,
ISO-8859-15, ISO-8859-16, KOI8-R, KOI8-U (alias KOI8-RU),
TIS-620, VISCII, ISO-2022-JP, ISO-2022-KR, ISO-2022-CN,
ISO-2022-JP-1, ISO-2022-JP-2, GB2312 (alias CN-GB),
CN-GB-12345, BIG5 (alias CN-BIG5), EUC-JP, EUC-KR, Shift_JIS,
Shift-JIS, KS_C_5601-1987, KS_C_5601-1992, WINDOWS_874,
WINDOWS-1250, WINDOWS-1251, WINDOWS-1252, WINDOWS-1253,
WINDOWS-1254, WINDOWS-1255, WINDOWS-1256, WINDOWS-1257,
WINDOWS-1258.

All ISO-2022-?? charsets are treated identically, and support
ASCII, JIS Roman, hankaku katakana, ISO-8859-[1 - 10], TIS, GB
2312, JIS X 0208, JIS X 0212, KSC 5601, and planes 1 and 2 of
CNS 11643.

EUC-JP includes support for JIS X 0212 and hankaku katakana.

c-client library support also exists to convert text in any of
the above charsets into Unicode, including headers with MIME
encoded-words.

There is no support for localization (e.g. non-English error
messages) at the present time, but such support is planned.
_________________________________________________________________

1.13 Can I use SSL?

Yes. See the answer to the "How do I configure SSL?" question.
_________________________________________________________________

1.14 Can I use TLS and the STARTTLS facility?

Yes. See the answer to the "How do I configure TLS and the
STARTTLS facility?" question.
_________________________________________________________________

1.15 Can I use CRAM-MD5 authentication?

Yes. See the answer to the "How do I configure CRAM-MD5
authentication?" question.
_________________________________________________________________

1.16 Can I use APOP authentication?

Yes. See the "How do I configure APOP authentication?" question.

Note that there is no client support for APOP authentication.
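
What the two challenge-response mechanisms in 1.15 and 1.16 actually
compute, as an added example in Python (not code from the toolkit, which
implements them in C). CRAM-MD5 is HMAC-MD5 over the server's challenge
keyed with the shared secret (RFC 2195); APOP is a plain MD5 over the
server's timestamp banner followed by the secret (RFC 1939). The demo
credentials and the in-memory "database" are constructed for this
example; the digests are checked against the worked examples in the two
RFCs.

```python
import base64
import hashlib
import hmac


def cram_md5_digest(secret, challenge):
    """Keyed digest at the heart of CRAM-MD5 (RFC 2195): HMAC-MD5 over the
    server's challenge bytes, keyed with the user's shared secret."""
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username, secret, challenge_b64):
    """Client side: decode the base64 challenge the server sent after
    "AUTHENTICATE CRAM-MD5" and return the base64 "user hexdigest" reply."""
    challenge = base64.b64decode(challenge_b64)
    reply = f"{username} {cram_md5_digest(secret, challenge)}"
    return base64.b64encode(reply.encode()).decode()


def cram_md5_verify(response_b64, challenge, lookup_secret):
    """Server side: split the reply, fetch the user's secret from the
    CRAM-MD5 database and compare in constant time.  Returns the user name
    on success, None on any failure (unknown user, malformed reply, wrong
    digest).  The server needs the plaintext-equivalent secret to do this,
    which is why the CRAM-MD5 database must be protected like a plaintext
    password file, not like a hashed one."""
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = lookup_secret(user)
    if secret is None:
        return None
    expected = cram_md5_digest(secret, challenge)
    return user if hmac.compare_digest(expected, digest) else None


def apop_digest(timestamp, password):
    """APOP (RFC 1939): MD5 of the server's timestamp banner, e.g.
    "<1896.697170952@dbc.mtview.ca.us>", concatenated with the shared
    secret.  The client then sends "APOP user <hexdigest>".  Like CRAM-MD5
    it never puts the password on the wire, but a captured exchange can be
    attacked offline by guessing the secret."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


# Constructed credential store for the demo; a real server reads the
# CRAM-MD5 database file that the FAQ refers to.
DEMO_SECRETS = {"tim": "tanstaaftanstaaf"}


def demo():
    """Run the RFC 2195 worked example through both sides, plus one
    attempt with the wrong secret."""
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    challenge_b64 = base64.b64encode(challenge).decode()
    response = cram_md5_response("tim", "tanstaaftanstaaf", challenge_b64)
    good = cram_md5_verify(response, challenge, DEMO_SECRETS.get)
    bad = cram_md5_verify(cram_md5_response("tim", "wrong", challenge_b64),
                          challenge, DEMO_SECRETS.get)
    return base64.b64decode(response).decode(), good, bad


if __name__ == "__main__":
    print(demo())
```

Both mechanisms keep the password off the wire but give the server a
secret that is equivalent to the password; that is the trade-off behind
questions 1.22 and 3.16, where the same database doubles as the
plaintext-password store.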
_________________________________________________________________

1.17 Can I use Kerberos V5?

Yes. See the answer to the "How do I configure Kerberos V5?"
question.
_________________________________________________________________

1.18 Can I use PAM for plaintext passwords?

Yes. See the answer to the "How do I configure PAM for plaintext
passwords?" question.
_________________________________________________________________

1.19 Can I use Kerberos 5 for plaintext passwords?

Yes. See the answer to the "How do I configure Kerberos 5 for
plaintext passwords?" question.
_________________________________________________________________

1.20 Can I use AFS for plaintext passwords?

Yes. See the answer to the "How do I configure AFS for plaintext
passwords?" question.
_________________________________________________________________

1.21 Can I use DCE for plaintext passwords?

Yes. See the answer to the "How do I configure DCE for plaintext
passwords?" question.
_________________________________________________________________

1.22 Can I use the CRAM-MD5 database for plaintext passwords?

Yes. See the answer to the "How do I configure the CRAM-MD5
database for plaintext passwords?" question.
_________________________________________________________________

1.23 Can I disable plaintext passwords?

Yes. See the answer to the "How do I disable plaintext
passwords?" question.
_________________________________________________________________

1.24 Can I disable plaintext passwords on unencrypted sessions, but
allow them on encrypted sessions?

Yes. See the answer to the "How do I disable plaintext passwords
on unencrypted sessions, but allow them in SSL or TLS sessions?"
question.
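
The policy in 1.24 (and the STARTTLS upgrade from 1.14) as a protocol
exchange with both sides, added here as an example in Python; it is not
imapd's code or configuration, which the FAQ covers in 3.18. The server
model, the credential store and the response texts are assumptions of
this example. What it shows is the standard mechanism: until the session
is encrypted the server advertises LOGINDISABLED next to STARTTLS in its
CAPABILITY reply and refuses LOGIN, and a correct client upgrades first
and never sends the password while LOGINDISABLED is still advertised.

```python
class ImapAuthGate:
    """Server-side policy for a plaintext-capable IMAP server (model).

    Until the session is encrypted, LOGIN is refused and CAPABILITY lists
    LOGINDISABLED (RFC 3501) next to STARTTLS (RFC 2595), so a conforming
    client upgrades first instead of sending the password in the clear.
    Once TLS is up, plaintext LOGIN is allowed because the password now
    travels inside the encrypted channel.
    """

    def __init__(self, tls_on_connect=False, offer_starttls=True):
        # tls_on_connect models the port-993 style session, encrypted from
        # the first byte; offer_starttls=False models a server with no TLS
        # at all, on which the client must refuse to log in.
        self.encrypted = tls_on_connect
        self.offer_starttls = offer_starttls
        self.users = {"alice": "s3cret"}    # constructed credential store

    def capability(self):
        caps = ["IMAP4rev1"]
        if not self.encrypted:
            if self.offer_starttls:
                caps.append("STARTTLS")
            caps.append("LOGINDISABLED")
        return caps

    def handle(self, tag, command, *args):
        cmd = command.upper()
        if cmd == "CAPABILITY":
            return [f"* CAPABILITY {' '.join(self.capability())}",
                    f"{tag} OK CAPABILITY completed"]
        if cmd == "STARTTLS":
            if self.encrypted or not self.offer_starttls:
                return [f"{tag} BAD STARTTLS not available"]
            self.encrypted = True        # a real server runs the TLS handshake here
            return [f"{tag} OK Begin TLS negotiation now"]
        if cmd == "LOGIN":
            if not self.encrypted:
                # Refuse without checking the credentials: the client has
                # already exposed the password, but the server at least
                # does not confirm that it was right.
                return [f"{tag} NO Plaintext login disabled on unencrypted session"]
            user, password = args
            if self.users.get(user) == password:
                return [f"{tag} OK LOGIN completed"]
            return [f"{tag} NO LOGIN failed"]
        return [f"{tag} BAD Unknown command"]


def client_login(server, user, password):
    """Client side: read CAPABILITY, upgrade with STARTTLS when offered,
    re-read CAPABILITY (it changes after TLS), and send LOGIN only if
    LOGINDISABLED is no longer advertised.  Returns (logged_in, transcript);
    the transcript never contains the password."""
    transcript = []

    def send(tag, *words):
        shown = words[:2] + ("****",) * (len(words) - 2) if words[0] == "LOGIN" else words
        transcript.append(f"C: {tag} {' '.join(shown)}")
        lines = server.handle(tag, *words)
        transcript.extend("S: " + line for line in lines)
        return lines

    def caps_from(lines):
        return set(lines[0].split()[2:])     # "* CAPABILITY a b c" -> {a, b, c}

    caps = caps_from(send("a1", "CAPABILITY"))
    if "STARTTLS" in caps:
        send("a2", "STARTTLS")
        caps = caps_from(send("a3", "CAPABILITY"))
    if "LOGINDISABLED" in caps:
        transcript.append("C: [refusing to send a plaintext password]")
        return False, transcript
    reply = send("a4", "LOGIN", user, password)
    return reply[-1].endswith("OK LOGIN completed"), transcript


def demo():
    """Three sessions: STARTTLS then LOGIN; no TLS offered (client refuses);
    TLS from the first byte (LOGIN allowed immediately)."""
    ok_tls, _ = client_login(ImapAuthGate(), "alice", "s3cret")
    ok_plain, _ = client_login(ImapAuthGate(offer_starttls=False), "alice", "s3cret")
    ok_993, _ = client_login(ImapAuthGate(tls_on_connect=True), "alice", "s3cret")
    return ok_tls, ok_plain, ok_993


if __name__ == "__main__":
    for line in client_login(ImapAuthGate(), "alice", "s3cret")[1]:
        print(line)
```

The check worth keeping from this is the second CAPABILITY after
STARTTLS: a client that caches the pre-TLS capability list either sends
the password too early or refuses to log in at all, and a server that
omits LOGINDISABLED leaves the decision entirely to the client.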
_________________________________________________________________

1.25 Can I use virtual hosts?

Yes. See the answer to the "How do I configure virtual hosts?"
question.
_________________________________________________________________

1.26 Can I use RPOP authentication?

There is no support for RPOP authentication.
_________________________________________________________________

1.27 Can I use Kerberos V4?

Kerberos V4 is not supported. Kerberos V4 client-only
contributed code is available in

ftp://ftp.cac.washington.edu/mail/kerberos4-patches.tar.Z

This is a patchkit which must be applied to the IMAP toolkit
according to the instructions in the patchkit's README. We
cannot promise that this code works.
_________________________________________________________________

1.28 Is there support for S/Key or OTP?

There is currently no support for S/Key or OTP. There may be an
OTP SASL authenticator available from third parties.
_________________________________________________________________

1.29 Is there support for NTLM or SPA?

There is currently no support for NTLM or SPA, nor are there
any plans to add such support. In general, I avoid
vendor-specific mechanisms. I also believe that these
mechanisms are being deprecated by their vendor.

There may be an NTLM SASL authenticator available from third
parties.
_________________________________________________________________

1.30 Is there support for mh?

Yes, but only as a legacy format. Your mh format INBOX is
accessed by the name "#mhinbox", and all other mh format
mailboxes are accessed by prefixing "#mh/" to the name, e.g.
"#mh/foo". The mh support uses the "Path:" entry in your
.mh_profile file to identify the root directory of your mh
format mailboxes.

Non-legacy use of mh format is not encouraged. There is no
support for permanent flags or unique identifiers; furthermore
there are known severe performance problems with the mh format.
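
The mh name mapping just described, as an added example in Python (not
the toolkit's mh driver). The .mh_profile parser, the mapping of
"#mhinbox" to a folder named "inbox" under Path:, and the rejection of
"." / ".." components are assumptions of this example; the FAQ states
only that "#mhinbox" is the INBOX, that other mh mailboxes are named
"#mh/<name>", and that Path: in .mh_profile gives the root. The
.mh_profile used in the demo is constructed.

```python
import posixpath


def parse_mh_profile(text):
    """Parse the "Key: value" lines of an .mh_profile into a dict.
    Only the Path: entry matters for locating mailboxes; other keys are
    kept as-is.  Continuation lines (leading whitespace) extend the
    previous value."""
    profile = {}
    last = None
    for line in text.splitlines():
        if line[:1].isspace() and last is not None:
            profile[last] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            profile[last] = value.strip()
    return profile


def mh_root(profile, home):
    """Path: is taken relative to the home directory unless absolute."""
    path = profile.get("Path", "Mail")
    return path if posixpath.isabs(path) else posixpath.join(home, path)


def resolve_mh_name(name, profile, home):
    """Map a c-client style mh name to the folder directory it denotes.

    "#mhinbox" -> <root>/inbox   (mh's conventional inbox folder; an
                                  assumption of this example)
    "#mh/foo"  -> <root>/foo
    Any other name is not an mh name and yields None.  Empty, "." and
    ".." components are rejected so that a name such as "#mh/../.ssh"
    cannot denote anything outside the mh root (a check made by this
    example; the FAQ does not say how the toolkit handles such names).
    """
    if name == "#mhinbox":
        rel = "inbox"
    elif name.startswith("#mh/"):
        rel = name[len("#mh/"):]
    else:
        return None
    parts = rel.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"invalid mh mailbox name {name!r}")
    return posixpath.join(mh_root(profile, home), *parts)


# Constructed .mh_profile for the demo.
DEMO_PROFILE = parse_mh_profile("Path: Mail\nEditor: vi\nFolder-Protect: 700\n")


def rejects(name, profile=DEMO_PROFILE, home="/home/alice"):
    """True when resolve_mh_name refuses `name`."""
    try:
        resolve_mh_name(name, profile, home)
    except ValueError:
        return True
    return False


def demo(home="/home/alice"):
    return [resolve_mh_name(n, DEMO_PROFILE, home)
            for n in ("#mhinbox", "#mh/foo", "#mh/lists/imap", "INBOX")]


if __name__ == "__main__":
    print(demo())
```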
646 _________________________________________________________________
648 1.31 Is there support for qmail and the maildir format?
650 There is no support for qmail or the maildir format in our
651 distribution, nor are there any plans to add such support.
652 Maildir support may be available from third parties.
653 _________________________________________________________________
655 1.32 Is there support for the Cyrus mailbox format?
657 No.
658 _________________________________________________________________
660 1.33 Is this software Y2K compliant?
662 Please read the files Y2K and calendar.txt.
663 _________________________________________________________________
665 2. What Do I Need to Build This Software?
666 _________________________________________________________________
668 2.1 What do I need to build this software with SSL on UNIX?
670 You need to build and install OpenSSL first.
671 _________________________________________________________________
673 2.2 What do I need to build this software with Kerberos V on UNIX?
675 You need to build and install MIT Kerberos first.
676 _________________________________________________________________
678 2.3 What do I need to use a C++ compiler with this software to build
679 my own application?
681 If you are building an application using the c-client library,
682 use the new c-client.h file instead of including the other
683 include files. It seems that c-client.h should define away all
684 the troublesome names that conflict with C++.
686 If you use gcc, you may need to use -fno-operator-names as
687 well.
688 _________________________________________________________________
690 2.4 What do I need to build this software on Windows?
692 You need Microsoft Visual C++ 6.0, Visual C++ .NET, or Visual
693 C# .NET (which you can buy from any computer store), along with
694 the Microsoft Platform SDK (which you can download from
695 Microsoft's web site).
697 You do not need to install the entire Platform SDK; it suffices
698 to install just the Core SDK and the Internet Development SDK.
699 _________________________________________________________________
701 2.5 What do I need to build this software on DOS?
703 It's been several years since we last attempted to do this. At
704 the time, we used Microsoft C.
705 _________________________________________________________________
707 2.6 Can't I use Borland C to build this software on the PC?
709 Probably not. If you know otherwise, please let us know.
710 _________________________________________________________________
712 2.7 What do I need to build this software on the Mac?
714 It has been several years since we last attempted to do this.
715 At the time, we used Symantec THINK C; but today you'll need a
716 C compiler which allows segments to be more than 32K.
717 _________________________________________________________________
719 2.8 What do I need to build this software on VMS?
721 You need the VMS C compiler, and either the Multinet or Netlib
722 TCP.
723 _________________________________________________________________
725 2.9 What do I need to build this software on TOPS-20?
727 You need the TOPS-20 KCC compiler.
728 _________________________________________________________________
730 2.10 What do I need to build this software on Amiga or OS/2?
732 We don't know.
733 _________________________________________________________________
735 2.11 What do I need to build this software on Windows CE?
737 This port is incomplete. Someone needs to finish it.
738 _________________________________________________________________
740 3. Build and Configuration Questions
741 _________________________________________________________________
743 3.1 How do I configure the IMAP and POP servers on UNIX?
744 3.2 I built and installed the servers according to the BUILD
745 instructions. It can't be that easy. Don't I need to write a config
746 file?
748 For ordinary "vanilla" UNIX systems, this software is plug and
749 play; just build it, install it, and you're done. If you have a
750 modified system, then you may want to do additional work; most
751 of this is to a single source code file (env_unix.c on UNIX
752 systems). Read the file CONFIG for more details.
754 Yes, it's that easy. There are some additional options, such as
755 SSL or Kerberos, which require additional steps to build. See
756 the relevant questions below.
757 _________________________________________________________________
759 3.3 How do I make the IMAP and POP servers look for INBOX at some
760 place other than the mail spool directory?
761 3.4 How do I make the IMAP server look for secondary folders at some
762 place other than the user's home directory?
764 Please read the file CONFIG for discussion of this and other
765 issues.
766 _________________________________________________________________
768 3.5 How do I configure SSL?
769 3.6 How do I configure TLS and the STARTTLS facility?
771 imap-2007 supports SSL and TLS client functionality on UNIX and
772 32-bit Windows for IMAP, POP3, SMTP, and NNTP; and SSL and TLS
773 server functionality on UNIX for IMAP and POP3.
775 UNIX SSL build requires that a third-party software package,
776 OpenSSL, be installed on the system first. Read
777 imap-2007/docs/SSLBUILD for more information.
779 SSL is supported via undocumented Microsoft interfaces in
780 Windows 9x and NT4; and via standard interfaces in Windows
781 2000, Windows Millennium, and Windows XP.
782 _________________________________________________________________
784 3.7 How do I build/install OpenSSL and obtain/create certificates for
785 use with SSL?
787 If you need help in doing this, try the contacts mentioned in
788 the OpenSSL README. We do not offer support for OpenSSL or
789 certificates.
790 _________________________________________________________________
792 3.8 How do I configure CRAM-MD5 authentication?
793 3.9 How do I configure APOP authentication?
795 CRAM-MD5 authentication is enabled in the IMAP and POP3 client
796 code on all platforms. Read md5.txt to learn how to set up
797 CRAM-MD5 and APOP authentication on UNIX and NT servers.
799 There is no support for APOP client authentication.
800 _________________________________________________________________
802 3.10 How do I configure Kerberos V5?
804 imap-2007 supports client and server functionality on UNIX and
805 32-bit Windows.
807 Kerberos V5 is supported by default in Windows 2000 builds:
809 nmake -f makefile.w2k
811 Other builds require that a third-party Kerberos package, e.g.
812 MIT Kerberos, be installed on the system first.
814 To build with Kerberos V5 on UNIX, include
815 EXTRAAUTHENTICATORS=gss in the make command line, e.g.
817 make lnp EXTRAAUTHENTICATORS=gss
819 To build with Kerberos V5 on Windows 9x, Windows Millennium, and
820 NT4, use the "makefile.ntk" file instead of "makefile.nt":
823 nmake -f makefile.ntk
824 _________________________________________________________________
826 3.11 How do I configure PAM for plaintext passwords?
828 On Linux systems, use the lnp port, e.g.
830 make lnp
832 On Solaris systems and other systems with defective PAM
833 implementations, build with PASSWDTYPE=pmb, e.g.
835 make sol PASSWDTYPE=pmb
837 On all other systems, build with PASSWDTYPE=pam, e.g.
839 make foo PASSWDTYPE=pam
841 If you build with PASSWDTYPE=pam and authentication does not
842 work, try rebuilding (after a "make clean") with
843 PASSWDTYPE=pmb.
844 _________________________________________________________________
846 3.12 It looks like all I have to do to make the server use Kerberos is
847 to build with PAM on my Linux system, and set it up in PAM for
848 Kerberos passwords. Right?
850 Yes and no.
852 Doing this will make plaintext password authentication use the
853 Kerberos password instead of the /etc/passwd password.
855 However, this will NOT give you Kerberos-secure authentication.
856 See the answer to the How do I configure Kerberos V5? question
857 for how to build with Kerberos-secure authentication.
858 _________________________________________________________________
860 3.13 How do I configure Kerberos 5 for plaintext passwords?
862 Build with PASSWDTYPE=gss, e.g.
864 make sol PASSWDTYPE=gss
866 However, this will NOT give you Kerberos-secure authentication.
867 See the answer to the How do I configure Kerberos V5? question
868 for how to build with Kerberos-secure authentication.
869 _________________________________________________________________
871 3.14 How do I configure AFS for plaintext passwords?
873 Build with PASSWDTYPE=afs, e.g.
875 make sol PASSWDTYPE=afs
876 _________________________________________________________________
878 3.15 How do I configure DCE for plaintext passwords?
880 Build with PASSWDTYPE=dce, e.g.
882 make sol PASSWDTYPE=dce
883 _________________________________________________________________
885 3.16 How do I configure the CRAM-MD5 database for plaintext passwords?
887 The CRAM-MD5 password database is automatically used for
888 plaintext passwords if it exists.
890 Note that this is NOT CRAM-MD5-secure authentication. You
891 probably want to consider disabling plaintext passwords for
892 non-SSL/TLS sessions. See the next two questions.
893 _________________________________________________________________
895 3.17 How do I disable plaintext passwords?
897 Server-level plaintext passwords can be disabled by setting
898 PASSWDTYPE=nul, e.g.
900 make lnx EXTRAAUTHENTICATORS=gss PASSWDTYPE=nul
902 Note that you must have a CRAM-MD5 database installed or
903 specify at least one EXTRAAUTHENTICATOR, otherwise it will not
904 be possible to log in to the server.
906 When plaintext passwords are disabled, the IMAP server will
907 advertise the LOGINDISABLED capability and the POP3 server will
908 not advertise the USER capability.
910 3.18 How do I disable plaintext passwords on unencrypted sessions, but
911 allow them in SSL or TLS sessions?
913 Do not set PASSWDTYPE=nul or SSLTYPE=unix. Set SSLTYPE=nopwd
914 instead, e.g.
916 make lnx SSLTYPE=nopwd
918 When plaintext passwords are disabled, the IMAP server will
919 advertise the LOGINDISABLED capability and the POP3 server will
920 not advertise the USER capability.
922 Plaintext passwords will always be enabled in SSL sessions; the
923 IMAP server will not advertise the LOGINDISABLED capability and
924 the POP3 server will advertise the USER capability.
926 If the client does a successful start-TLS in a non-SSL session,
927 plaintext passwords will be enabled, and a new CAPABILITY or
928 CAPA command (which is required after start-TLS) will show the
929 effect as in SSL sessions.
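The following is an added example, not code from the IMAP toolkit or from c-client, showing from the client's side how the advertisements described in 3.17 and 3.18 are meant to be consumed. It parses an IMAP CAPABILITY response (both the untagged form and the bracketed greeting form) or a multi-line POP3 CAPA response, refuses to send a plaintext password when the server advertises LOGINDISABLED (IMAP) or omits USER (POP3), prefers STARTTLS/STLS on an unencrypted session, and re-evaluates only against a capability response fetched after the upgrade. The server responses in it are constructed to mirror SSLTYPE=nopwd and PASSWDTYPE=nul builds; the function and enum names are the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum proto  { PROTO_IMAP, PROTO_POP3 };
enum action { ACT_LOGIN, ACT_STARTTLS, ACT_REFUSE };

/* Case-insensitive whole-string compare; capability names are case-insensitive. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Return 1 if 'name' is advertised in 'response'.  Accepts an untagged
 * "* CAPABILITY ..." line, the greeting form "* OK [CAPABILITY ...] text"
 * (only the bracketed part counts), and a multi-line POP3 CAPA reply. */
static int has_capability(const char *response, const char *name)
{
    char buf[512];
    const char *start = response, *end;
    size_t len;
    char *tok;

    if ((end = strchr(response, '[')) != NULL) {      /* greeting form */
        start = end + 1;
        end = strchr(start, ']');
        len = end ? (size_t)(end - start) : strlen(start);
    } else
        len = strlen(start);
    if (len >= sizeof buf)                             /* bound the copy */
        len = sizeof buf - 1;
    memcpy(buf, start, len);
    buf[len] = '\0';
    for (tok = strtok(buf, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n"))
        if (ci_equal(tok, name))
            return 1;
    return 0;
}

/* 3.17/3.18: the server signals "no plaintext passwords on this session" by
 * advertising LOGINDISABLED (IMAP) or by not advertising USER (POP3). */
static int plaintext_login_permitted(enum proto p, const char *caps)
{
    return p == PROTO_IMAP ? !has_capability(caps, "LOGINDISABLED")
                           : has_capability(caps, "USER");
}

/* What the client should do next.  'caps' must have been fetched on the
 * current security layer: after STARTTLS/STLS the pre-TLS advertisement is
 * stale and a fresh CAPABILITY/CAPA is required (3.18). */
static enum action next_action(enum proto p, const char *caps, int encrypted)
{
    const char *upgrade = (p == PROTO_IMAP) ? "STARTTLS" : "STLS";
    if (!encrypted && has_capability(caps, upgrade))
        return ACT_STARTTLS;            /* upgrade before any password is sent */
    return plaintext_login_permitted(p, caps) ? ACT_LOGIN : ACT_REFUSE;
}

int main(void)
{
    /* Constructed responses modelling a server built with SSLTYPE=nopwd. */
    const char *pre_tls  = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED";
    const char *post_tls = "* CAPABILITY IMAP4rev1 AUTH=PLAIN";
    /* Constructed response modelling PASSWDTYPE=nul: LOGINDISABLED even on
     * TLS, so only a SASL mechanism such as GSSAPI can succeed. */
    const char *nul_srv  = "* CAPABILITY IMAP4rev1 AUTH=GSSAPI LOGINDISABLED";

    printf("before STARTTLS: %s\n",
           next_action(PROTO_IMAP, pre_tls, 0) == ACT_STARTTLS ? "upgrade first" : "?");
    printf("after STARTTLS:  %s\n",
           next_action(PROTO_IMAP, post_tls, 1) == ACT_LOGIN ? "plaintext login ok" : "?");
    printf("nul server:      %s\n",
           next_action(PROTO_IMAP, nul_srv, 1) == ACT_REFUSE ? "plaintext refused" : "?");
    return 0;
}
```

The point 3.18 makes is the one the code enforces: the response fetched before STARTTLS is discarded, and the decision to send a password is taken only on the response obtained after the upgrade, because an SSLTYPE=nopwd server advertises different capabilities on the two layers.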
930 _________________________________________________________________
932 3.19 How do I configure virtual hosts?
934 This is automatic, but with certain restrictions.
936 The most important one is that each virtual host must have its
937 own IP address; otherwise the server has no way of knowing
938 which virtual host is desired.
940 As distributed, the software uses a global password file; hence
941 user "fred" on one virtual host is "fred" on all virtual hosts.
942 You may want to modify the checkpw() routine to implement some
943 other policy (e.g. separate password files).
945 Note that the security model assumes that all users have their
946 own unique UNIX UID number. So if you use separate password
947 files you should make certain that the UID numbers do not
948 overlap between different files.
950 More advanced virtual host support may be available as patches
951 from third parties.
952 _________________________________________________________________
954 3.20 Why do I get compiler warning messages such as:
955 passing arg 3 of `scandir' from incompatible pointer type
956 Pointers are not assignment-compatible.
957 Argument #4 is not the correct type.
959 during the build?
961 You can safely ignore these messages.
963 Over the years, the prototype for scandir() has changed, and
964 thus is variant across different UNIX platforms. In particular,
965 the definitions of the third argument (type select_t) and
966 fourth argument (type compar_t) have changed over the years,
967 the issue being whether or not the arguments to the functions
968 pointed to by these function pointers are of type const or not.
970 The way that c-client calls scandir() will tend to generate
971 these compiler warnings on newer systems such as Linux;
972 however, it will still build. The problem with fixing the call
973 is that then it won't build on older systems.
974 _________________________________________________________________
976 3.21 Why do I get compiler warning messages such as
977 Operation between types "void(*)(int)" and "void*" is not allowed.
978 Function argument assignment between types "void*" and "void(*)(int)" is not allowed.
980 Pointers are not assignment-compatible.
981 Argument #5 is not the correct type.
983 during the build?
985 You can safely ignore these messages.
987 Although all known systems have no problem with casting a
988 function pointer to/from a void* pointer, certain C compilers
989 issue a compiler diagnostic because this facility is listed as
990 a "Common extension" by the C standard:
992 K.5.7 Function pointer casts
993 [#1] A pointer to an object or to void may be cast to a pointer
994 to a function, allowing data to be invoked as a function (6.3.4).
995 [#2] A pointer to a function may be cast to a pointer to an
996 object or to void, allowing a function to be inspected or
997 modified (for example, by a debugger) (6.3.4).
999 It may be just a "common extension", but this facility is
1000 relied upon heavily by c-client.
1001 _________________________________________________________________
1003 3.22 Why do I get linker warning messages such as:
1004 mtest.c:515: the `gets' function is dangerous and should not be used.
1006 during the build? Isn't this a security bug?
1008 You can safely ignore this message.
1010 Certain linkers, most notably on Linux, give this warning
1011 message. It is indeed true that the traditional gets() function
1012 is not a safe one.
1014 However, the mtest program is only a demonstration program, a
1015 model of a very basic application program using c-client. It is
1016 not something that you would install, much less run in any
1017 security-sensitive context.
1019 mtest has numerous other shortcuts that you wouldn't want to do
1020 in a real application program.
1022 The only "security bug" with mtest would be if it was run by
1023 some script in a security-sensitive context, but mtest isn't
1024 particularly useful for such purposes. If you wanted to write a
1025 script to automate some email task using c-client, you'd be
1026 better off using imapd instead of mtest.
1028 mtest only has two legitimate uses. It's a useful testbed for
1029 me when debugging new versions of c-client, and it's useful as
1030 a model for someone writing a simple c-client application to
1031 see how the various calls work.
1033 By the way, if you need a more advanced example of c-client
1034 programming than mtest (and you probably will), I recommend
1035 that you look at the source code for imapd and Pine.
1036 _________________________________________________________________
1038 3.23 Why do I get linker warning messages such as:
1039 auth_ssl.c:92: the `tmpnam' function is dangerous and should not be used.
1041 during the build? Isn't this a security bug?
1043 You can safely ignore this message.
1045 Certain linkers, most notably on Linux, give this warning
1046 message, based upon two known issues with tmpnam():
1048 + there can be a buffer overflow if an inadequate buffer is
1049 allocated.
1050 + there can be a timing race caused by certain incautious
1051 usage of the return value.
1053 Neither of these issues applies in the particular use that is
1054 made of tmpnam(). More importantly, the tmpnam() call is never
1055 executed on Linux systems.
1056 _________________________________________________________________
1058 3.24 OK, suppose I see a warning message about a function being
1059 "dangerous and should not be used" for something other than this
1060 gets() or tmpnam() call?
1062 Please forward the details for investigation.
1063 _________________________________________________________________
1065 4. Operational Questions
1066 _________________________________________________________________
1068 4.1 How can I enable anonymous IMAP logins?
1070 Create the file /etc/anonymous.newsgroups. At the present time,
1071 this file should be empty. This will permit IMAP logins as
1072 anonymous as well as the ANONYMOUS SASL authenticator.
1073 Anonymous users have access to mailboxes in the #news., #ftp/,
1074 and #public/ namespaces only.
1075 _________________________________________________________________
1077 4.2 How do I set up an alert message that each IMAP user will see?
1079 Create the file /etc/imapd.alert with the text of the message.
1080 This text should be kept to one line if possible. Note that
1081 this will cause an alert to every IMAP user every time they
1082 initiate an IMAP session, so it should only be used for
1083 critical messages.
1084 _________________________________________________________________
1086 4.3 How does the c-client library choose which of its several
1087 mechanisms to use to establish an IMAP connection to the server? I
1088 noticed that it can connect on port 143, port 993, via rsh, and via
1089 ssh.
1091 c-client chooses how to establish an IMAP connection via the
1092 following rules:
1094 + If /ssl is specified, use an SSL connection. Fail otherwise.
1095 + Else if client is a UNIX system and "ssh server exec
1096 /etc/rimapd" works, use that
1097 + Else if /tryssl is specified and an SSL connection works, use
1098 that.
1099 + Else if client is a UNIX system and "rsh server exec
1100 /etc/rimapd" works, use that.
1101 + Else use a non-SSL connection.
1102 _________________________________________________________________
1104 4.4 I am using a TLS-capable IMAP server, so I don't need to use /ssl
1105 to get encryption. However, I want to be certain that my session is
1106 TLS encrypted before I send my password. How do I do this?
1108 Use the /tls option in the mailbox name. This will cause an
1109 error message and the connection to fail if the server does not
1110 negotiate STARTTLS.
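An added example, not taken from c-client, that makes the rules of 4.3 and the /tls check of 4.4 executable. It parses the {host:port/flag/...}mailbox form of a c-client mailbox name for the /ssl, /tryssl and /tls flags, applies the five connection rules in order, and then applies the /tls requirement to the resulting session. Whether ssh, rsh or SSL actually work is something the real library learns by probing; here those results are supplied as inputs (the struct probes values are constructed). Treating an ssh or rsh tunnel as "not SSL" for the /tls check is this example's assumption; the FAQ does not say how c-client handles that combination.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The parts of a c-client mailbox name "{host:port/flag/flag}mailbox" that
 * matter for transport selection.  Other flags (/user=..., etc.) are skipped. */
struct mbspec {
    char host[128];
    int port;               /* 0 = protocol default */
    int ssl, tryssl, tls;   /* /ssl, /tryssl, /tls seen */
    const char *mailbox;    /* text after the closing brace */
};

/* Returns 0 on success, -1 on a malformed spec (no "{", no "}", empty or
 * oversize host). */
static int parse_mailbox_spec(const char *name, struct mbspec *out)
{
    const char *close, *p;
    size_t hostlen;

    memset(out, 0, sizeof *out);
    if (name[0] != '{' || (close = strchr(name, '}')) == NULL)
        return -1;
    hostlen = strcspn(name + 1, ":/}");        /* host ends at port, flag or brace */
    if (hostlen == 0 || hostlen >= sizeof out->host)
        return -1;
    memcpy(out->host, name + 1, hostlen);
    out->host[hostlen] = '\0';
    out->mailbox = close + 1;
    p = name + 1 + hostlen;
    if (*p == ':')
        out->port = atoi(p + 1);               /* digits run to '/' or '}' */
    while ((p = strchr(p, '/')) != NULL && p < close) {
        size_t fl = strcspn(++p, "/}");        /* length of this flag */
        if (fl == 3 && strncmp(p, "ssl", 3) == 0)         out->ssl = 1;
        else if (fl == 6 && strncmp(p, "tryssl", 6) == 0) out->tryssl = 1;
        else if (fl == 3 && strncmp(p, "tls", 3) == 0)    out->tls = 1;
        p += fl;
    }
    return 0;
}

enum transport { T_FAIL, T_SSL, T_SSH, T_RSH, T_PLAIN };

/* Facts the real library discovers by probing; supplied as inputs here. */
struct probes { int is_unix, ssh_works, ssl_works, rsh_works; };

/* The five rules of 4.3, in order. */
static enum transport choose_transport(int want_ssl, int want_tryssl,
                                       const struct probes *pr)
{
    if (want_ssl)                      return pr->ssl_works ? T_SSL : T_FAIL;
    if (pr->is_unix && pr->ssh_works)  return T_SSH;
    if (want_tryssl && pr->ssl_works)  return T_SSL;
    if (pr->is_unix && pr->rsh_works)  return T_RSH;
    return T_PLAIN;
}

/* 4.4: with /tls, a session that did not end up encrypted is an error.
 * Assumption: ssh/rsh tunnels count as "not SSL" here, so STARTTLS is still
 * demanded on them. */
static int session_acceptable(const struct mbspec *s, enum transport t,
                              int starttls_negotiated)
{
    if (t == T_FAIL)
        return 0;
    if (s->tls && t != T_SSL && !starttls_negotiated)
        return 0;
    return 1;
}

int main(void)
{
    struct mbspec s;
    /* Constructed: a UNIX client with no ssh/rsh access but SSL reachable. */
    struct probes env = { 1, 0, 1, 0 };
    const char *names[] = { "{imap.example.com:993/ssl}INBOX",
                            "{imap.example.com/tls}INBOX",
                            "{imap.example.com/tryssl}mail/saved" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (parse_mailbox_spec(names[i], &s) != 0) {
            printf("%s: malformed\n", names[i]);
            continue;
        }
        printf("%s -> host %s port %d transport %d mailbox %s\n", names[i],
               s.host, s.port, (int)choose_transport(s.ssl, s.tryssl, &env), s.mailbox);
    }
    return 0;
}
```

Two details worth noticing: /ssl never falls back to anything (rule 1 fails outright), whereas /tryssl is only consulted after the ssh attempt, so on a UNIX client with working ssh a /tryssl name goes over ssh rather than SSL.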
1111 _________________________________________________________________
1113 4.5 How do I use one of the alternative formats described in the
1114 formats.txt document? In particular, I hear that mbx format will give
1115 me better performance and allow shared access.
1117 The rumors about mbx format being preferred are true. It is
1118 faster than the traditional UNIX mailbox format and permits
1119 shared access.
1121 However, and this is very important, note that using an
1122 alternative mailbox format is an advanced facility, and only
1123 expert users should undertake it. If you don't understand any
1124 of the following notes, you may not be enough of an expert yet,
1125 and are probably better off not going this route until you are
1126 more comfortable with your understanding.
1128 Some of the formats, including mbx, are only supported by the
1129 software based on the c-client library, and are not recognized
1130 by other mailbox programs. The "vi" editor will corrupt any mbx
1131 format mailbox that it encounters.
1133 Another problem is that certain formats, including mbx, use
1134 advanced file access and locking techniques that do not work
1135 reliably with NFS. NFS is not a real filesystem. Use IMAP
1136 instead of NFS for distributed access.
1138 The following steps are in escalating order of involvement.
1139 The further you go down this list, the more deeply committed
1140 you become:
1142 + The simplest way to create a mbx-format mailbox is to prefix
1143 the name with "#driver.mbx/" when creating a mailbox through
1144 c-client. For example, if you create "#driver.mbx/foo", the
1145 mailbox "foo" will be created in mbx format. Only use
1146 "#driver.mbx/" when creating the mailbox. At all other times,
1147 just use the name ("foo" in this example); the software will
1148 automatically select the driver for mbx whenever that mailbox
1149 is accessed without you doing anything else.
1150 + You can use the "mailutil copy" command to copy an existing
1151 mailbox to a new mailbox in mbx format. Read the man page
1152 provided with the mailutil program for details.
1153 + If you create an mbx-format INBOX, by creating
1154 "#driver.mbx/INBOX" (note that "INBOX" must be all
1155 uppercase), then subsequent access to INBOX by any c-client
1156 based application will use the mbx-format INBOX. Any mail
1157 delivered to the traditional format mailbox in the spool
1158 directory (e.g. /var/spool/mail/$USER) will automatically be
1159 copied into the mbx-format INBOX and the spool directory copy
1160 removed.
1161 + You can cause any newly-created mailboxes to be in mbx-format
1162 by default by changing the definition of
1163 CREATEPROTO=unixproto to be CREATEPROTO=mbxproto in
1164 src/osdep/unix/Makefile, then rebuilding the IMAP toolkit (do
1165 a "make clean" first). Do not change EMPTYPROTO, since mbx
1166 format mailboxes are never a zero-byte file. If you use Pine
1167 or the imap-utils, you should probably also rebuild them with
1168 the new IMAP toolkit too.
1169 + You can deliver directly to the mbx-format INBOX by use of
1170 the tmail or dmail programs. tmail is for direct invocation
1171 from sendmail (or whatever MTA program you use); dmail is for
1172 calls from procmail. Both of these programs have man pages
1173 which must be read carefully before making this change.
1175 Most other servers (e.g. Cyrus) require use of a non-standard
1176 format. A full-fledged format conversion is not significantly
1177 different from what you have to do with other servers. The
1178 difference, which makes format conversion procedures somewhat
1179 more complicated with this server, is that there is no "all or
1180 nothing" requirement with this server. There are many points in
1181 between. A format conversion can be anything from a single
1182 mailbox or single user, to systemwide.
1184 This is good in that you can decide how far to go, or do the
1185 steps incrementally as you become more comfortable with the
1186 result. On the other hand, there's no "One True Way" which can
1187 be boiled down to a simple set of pedagogical instructions.
1189 A number of sites have done full-fledged format conversions,
1190 and are reportedly quite happy with the results. Feel free to
1191 ask in the comp.mail.imap newsgroup or the imap-uw mailing
1192 list for advice or help.
1193 _________________________________________________________________
1195 4.6 How do I set up shared mailboxes?
1197 At the simplest level, a shared mailbox is one which has UNIX
1198 file and directory protections which permit multiple users to
1199 access it. What this means is that your existing skills and
1200 tools to create and manage shared files on your UNIX system
1201 apply to shared mailboxes; e.g.
1203 chmod 666 mailbox
1205 You may want to consider the use of a mailbox format which
1206 permits multiple simultaneous read/write sessions, such as the
1207 mbx format. The traditional UNIX format only allows one
1208 read/write session to a mailbox at a time.
1210 An additional convenience is three system directories, which
1211 can be set up for shared namespaces. These are: #ftp,
1212 #shared, and #public, and are defined by creating the
1213 associated UNIX users and home directories as described below.
1215 #ftp/ refers to the anonymous ftp filesystem exported by the
1216 ftp server, and is equivalent to the home directory for UNIX
1217 user "ftp". For example, #ftp/foo/bar refers to the file
1218 /foo/bar in the anonymous FTP filesystem, or ~ftp/foo/bar for
1219 normal users. Anonymous FTP files are available to anonymous
1220 IMAP logins. By default, newly-created files in #ftp/ are
1221 protected 644.
1223 #public/ refers to an IMAP toolkit convention called "public"
1224 files, and is equivalent to the home directory for UNIX user
1225 "imappublic". For example, #public/foo/bar refers to the file
1226 ~imappublic/foo/bar. Public files are available to anonymous
1227 IMAP logins. By default, newly-created files in #public are
1228 created with protection 0666.
1230 #shared/ refers to an IMAP toolkit convention called "shared"
1231 files, and is equivalent to the home directory for UNIX user
1232 "imapshared". For example, #shared/foo/bar refers to the file
1233 ~imapshared/foo/bar. Shared files are not available to
1234 anonymous IMAP logins. By default, newly-created files in
1235 #shared are created with protection 0660.
1236 _________________________________________________________________
1238 4.7 How can I make the server syslogs go to someplace other than the
1239 mail syslog?
1241 The openlog() call that sets the syslog facility is in
1242 src/osdep/unix/env_unix.c in routine server_init(). You need to
1243 edit this file to change the syslog facility from LOG_MAIL to
1244 the facility you want, then rebuild. You also need to set up
1245 your /etc/syslog.conf properly.
1247 Refer to the man pages for syslog and syslogd for more
1248 information on what the available syslog facilities are and how
1249 to configure syslogs. If you still don't understand what to do,
1250 find a UNIX system expert.
1251 _________________________________________________________________
1253 5. Security Questions
1254 _________________________________________________________________
1256 5.1 I see that the IMAP server allows access to arbitrary files on the
1257 system, including /etc/passwd! How do I disable this?
1259 You should not worry about this if your IMAP users are allowed
1260 shell access. The IMAP server does not permit any access that
1261 the user can not have via the shell.
1263 If, and only if, you deny your IMAP users shell access, you may
1264 want to consider one of three choices. Note that these choices
1265 reduce IMAP functionality, and may have undesirable side
1266 effects. Each of these choices involves an edit to the file
1267 src/osdep/unix/env_unix.c.
1269 The first (and recommended) choice is to set restrictBox as
1270 described in file CONFIG. This will disable access to the
1271 filesystem root, to other users' home directories, and to
1272 superior (parent) directories.
1274 The second (and strongly NOT recommended) choice is to set
1275 closedBox as described in file CONFIG. This puts each IMAP
1276 session into a so-called "chroot jail", and thus setting this
1277 option is extremely dangerous; it can make your system much
1278 less secure and open to root compromise attacks. So do not use
1279 this option unless you are absolutely certain that you
1280 understand all the issues of a "chroot jail."
1282 The third choice is to rewrite routine mailboxfile() to
1283 implement whatever mapping from mailbox name to filesystem name
1284 (and restrictions) that you wish. This is the most general
1285 choice. As a guide, you can see at the start of routine
1286 mailboxfile() what the restrictBox choice does.
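An added example, not the toolkit's own mailboxfile(), that combines the namespace rules of 4.1 and 4.6 with the restrictBox policy of 5.1 into one mapping function. #ftp/, #public/ and #shared/ names resolve under the ftp, imappublic and imapshared home directories with the default creation modes the FAQ gives for each; anonymous sessions are confined to #news., #ftp/ and #public/; and for ordinary users the filesystem root, other users' home directories and any ".." component are refused. The home directories are constructed values (a real server would obtain them from the UNIX user database), and a mode of -1 for a user's own mailbox means the FAQ states no default.

```c
#include <stdio.h>
#include <string.h>

/* Home directories that define the namespaces (4.6) and the user's own
 * connected directory (6.5).  Constructed here; the server looks them up
 * from the UNIX user database. */
struct roots {
    const char *user_home;     /* the logged-in user               */
    const char *ftp_home;      /* user "ftp"        -> #ftp/       */
    const char *public_home;   /* user "imappublic" -> #public/    */
    const char *shared_home;   /* user "imapshared" -> #shared/    */
};

enum map_result { MAP_OK, MAP_DENIED, MAP_BADNAME, MAP_NOTFILE };

/* True if any path component is "..": under restrictBox, climbing to a
 * superior directory is not allowed. */
static int has_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += n;
        if (*p == '/')
            p++;
    }
    return 0;
}

/* Map a mailbox name to a file path and the default creation mode the FAQ
 * gives for that namespace (-1 where the FAQ states none). */
static enum map_result map_mailbox(const char *name, int anonymous,
                                   const struct roots *r,
                                   char *out, size_t outsz, int *mode)
{
    const char *root, *rest;

    *mode = -1;
    if (strncmp(name, "#news.", 6) == 0)
        return MAP_NOTFILE;                 /* open to anonymous, but not a file */
    if (strncmp(name, "#ftp/", 5) == 0) {
        root = r->ftp_home;    rest = name + 5; *mode = 0644;
    } else if (strncmp(name, "#public/", 8) == 0) {
        root = r->public_home; rest = name + 8; *mode = 0666;
    } else if (strncmp(name, "#shared/", 8) == 0) {
        if (anonymous)
            return MAP_DENIED;              /* 4.6: #shared/ is not for anonymous */
        root = r->shared_home; rest = name + 8; *mode = 0660;
    } else if (anonymous) {
        return MAP_DENIED;                  /* 4.1: only #news., #ftp/, #public/ */
    } else if (name[0] == '/' || name[0] == '~') {
        return MAP_DENIED;                  /* restrictBox: no root, no other homes */
    } else {
        root = r->user_home;   rest = name;
    }
    if (*rest == '\0' || *rest == '/' || has_dotdot(rest))
        return MAP_BADNAME;                 /* empty, absolute, or climbs out */
    if (snprintf(out, outsz, "%s/%s", root, rest) >= (int)outsz)
        return MAP_BADNAME;                 /* does not fit */
    return MAP_OK;
}

int main(void)
{
    struct roots r = { "/home/fred", "/home/ftp", "/home/imappublic", "/home/imapshared" };
    const char *names[] = { "#public/lists/announce", "#shared/team", "mail/saved",
                            "/etc/passwd", "#public/../secret" };
    char path[256];
    int mode, anon;
    size_t i;

    for (anon = 0; anon <= 1; anon++)
        for (i = 0; i < sizeof names / sizeof names[0]; i++) {
            enum map_result rc = map_mailbox(names[i], anon, &r, path, sizeof path, &mode);
            printf("%-9s %-24s -> %s\n", anon ? "anonymous" : "fred", names[i],
                   rc == MAP_OK ? path : rc == MAP_DENIED ? "denied" : "bad name");
        }
    return 0;
}
```

The ordering of the checks is the security-relevant part: the namespace prefixes are matched first so that "#shared/" can be refused to anonymous sessions before any path is built, and the ".." and leading-slash tests run on the remainder of every name, including the #ftp/ and #public/ ones that anonymous users may reach.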
1287 _________________________________________________________________
1289 5.2 I've heard that IMAP servers are insecure. Is this true?
1291 There are no known security problems in this version of the
1292 IMAP toolkit, including the IMAP and POP servers. The IMAP and
1293 POP servers limit what can be done while not logged in, and as
1294 part of the login process discard all privileges except those
1295 of the user.
1297 As with other software packages, there have been buffer
1298 overflow vulnerabilities in past versions. All known problems
1299 of this nature are fixed in this version.
1301 There is every reason to believe that the bad guys are engaged
1302 in an ongoing effort to find vulnerabilities in the IMAP
1303 toolkit. We look for such problems, and when one is found we
1304 fix it.
1306 It's unfortunate that any vulnerabilities existed in past
1307 versions, and we're doing our best to keep the IMAP toolkit free
1308 of vulnerabilities. No new vulnerabilities have been discovered
1309 in quite a while, but efforts will not be relaxed.
1311 Beware of vendors who claim that their implementations can not
1312 have vulnerabilities.
1313 _________________________________________________________________
1315 5.3 How do I know that I have the most secure version of the server?
1317 The best way is to keep your server software up to date. The
1318 bad guys are always looking for ways to crack software, and
1319 when they find one, let all their friends know.
1321 Oldtimers used to refer to a concept of software rot: if your
1322 software hasn't been updated in a while, it would "rot" -- tend
1323 to acquire problems that it didn't have when it was new.
1325 The latest release version of the IMAP toolkit is always
1326 available at ftp://ftp.cac.washington.edu/mail/imap.tar.Z
1327 _________________________________________________________________
1329 5.4 I see all these strcpy() and sprintf() calls, those are unsafe,
1330 aren't they?
1332 Yes and no.
1334 It can be unsafe to do these calls if you do not know that the
1335 string being written will fit in the buffer. However, they are
1336 perfectly safe if you do know that.
1338 Beware of programmers who advocate doing a brute-force change
1339 of all instances of
1341 strcpy (s,t);
1343 to
1345 strncpy (s,t,n)[n] = '\0';
1347 and similar measures in the name of "fixing all possible buffer
1348 overflows."
1350 There are examples in which a security bug was introduced
1351 because of this type of "fix", due to the programmer using the
1352 wrong value for n. In one case, the programmer thought that n
1353 was larger than it actually was, causing a NUL to be written
1354 out of the buffer; in another, n was too small, and a security
1355 credential was truncated.
1357 What is particularly ironic was that in both cases, the
1358 original strcpy() was safe, because the size of the source
1359 string was known to be safe.
1361 With all this in mind, the software has been inspected, and it
1362 is believed that all places where buffer overflows can happen
1363 have been fixed. The strcpy()s that are still in the code
1364 occur after a size check was done in some other way.
1366 Note that the common C idiom of
1368 *s++ = c;
1370 is just as vulnerable to buffer overflows. You can't cure
1371 buffer overflows by outlawing certain functions, nor is it
1372 desirable to do so; sometimes operations like strcpy()
1373 translate into fast machine instructions for better
1374 performance.
1376 Nothing replaces careful study of code. That's how the bad guys
1377 find bugs. Security is not accomplished by means of brute-force
1378 shortcuts.
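An added example, not from c-client, that puts 5.4 into code. copy_checked() is the "size check done in some other way" after which a plain strcpy() is safe; classify_strncpy_fix() reproduces, without executing it, the two failure modes of the brute-force strncpy rewrite described above (n larger than the buffer writes the NUL past its end, n smaller than the source silently truncates); and append_char() shows that the *s++ = c idiom needs exactly the same bookkeeping. The credential string is constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst only if it fits, terminating NUL included.
 * Returns 0 on success; -1 and dst untouched if it does not fit.
 * Once this check has passed, the strcpy() below cannot overflow. */
static int copy_checked(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0 || strlen(src) >= dstsz)
        return -1;
    strcpy(dst, src);
    return 0;
}

/* Outcome of the rewrite  strncpy (s,t,n)[n] = '\0';  for a destination of
 * dstsz bytes and a source of srclen characters, computed rather than run:
 *   FIX_NUL_OVERRUN  s[n] lies outside the buffer (n >= dstsz)
 *   FIX_TRUNCATED    only n of srclen characters survive (n < srclen)
 *   FIX_OK           neither problem for these particular sizes */
enum strncpy_fix_outcome { FIX_OK, FIX_NUL_OVERRUN, FIX_TRUNCATED };

static enum strncpy_fix_outcome classify_strncpy_fix(size_t dstsz, size_t srclen, size_t n)
{
    if (n >= dstsz)
        return FIX_NUL_OVERRUN;
    if (n < srclen)
        return FIX_TRUNCATED;
    return FIX_OK;
}

/* The "*s++ = c" idiom needs the same discipline: track the room left.
 * Returns 0 if c was appended (buf stays NUL-terminated), -1 if full. */
static int append_char(char *buf, size_t bufsz, size_t *len, char c)
{
    if (*len + 1 >= bufsz)             /* keep one byte for the NUL */
        return -1;
    buf[(*len)++] = c;
    buf[*len] = '\0';
    return 0;
}

int main(void)
{
    char buf[16];
    /* Constructed 16-character credential: does not fit with its NUL. */
    const char *cred = "fred@EXAMPLE.ORG";

    if (copy_checked(buf, sizeof buf, cred) != 0)
        printf("refused: %zu bytes do not fit in %zu\n", strlen(cred) + 1, sizeof buf);
    printf("strncpy fix, n == sizeof buf: %s\n",
           classify_strncpy_fix(sizeof buf, strlen(cred), sizeof buf) == FIX_NUL_OVERRUN
               ? "NUL written past the buffer" : "ok");
    printf("strncpy fix, n == 8: %s\n",
           classify_strncpy_fix(sizeof buf, strlen(cred), 8) == FIX_TRUNCATED
               ? "credential silently truncated" : "ok");
    return 0;
}
```

Both failure modes come from choosing n by guesswork rather than from the real buffer size, which is the section's point: the function name is not the hazard, the unverified size is.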
1379 _________________________________________________________________
1381 5.5 Those /tmp lock files are protected 666, is that really right?
1383 Yes. Shared mailboxes won't work otherwise. Also, you get into
1384 accidental denial of service problems with old lock files left
1385 lying around; this happens fairly frequently.
1387 The deliberate mischief that can be caused by fiddling with the
1388 lock files is small-scale; harassment level at most. There are
1389 many -- and much more effective -- other ways of harassing
1390 another user on UNIX. It's usually not difficult to determine
1391 the culprit.
1393 Before worrying about deliberate mischief, worry first about
1394 things happening by accident!
1395 _________________________________________________________________
1397 6. Why Did You Do This Strange Thing? Questions
1398 _________________________________________________________________
1400 6.1 Why don't you use GNU autoconfig / automake / autoblurdybloop?
1402 Autoconfig et al are not available on all the platforms where
1403 the IMAP toolkit is supported; and do not work correctly on
1404 some of the platforms where they do exist. Furthermore, these
1405 programs add another layer of complexity to an already complex
1406 process.
1408 Coaxing software that uses autoconfig to build properly on
1409 platforms which were not specifically considered by that
1410 software wastes an inordinate amount of time. When (not if)
1411 autoconfig fails to do the right thing, the result is an
1412 impenetrable morass to untangle in order to find the problem
1413 and fix it.
1415 The concept behind autoconfig is good, but the execution is
1416 flawed. It rarely does the right thing on a platform that
1417 wasn't specifically considered. Human life is too short to
1418 debug autoconfig problems, especially since the current
1419 mechanism is so much easier.
1420 _________________________________________________________________
1422 6.2 Why do you insist upon a build with -g? Doesn't it waste disk and
1423 memory space?
1425 From time to time a submitted port has snuck in without -g.
1426 This has always ended up causing problems. There are only two
1427 valid excuses for not using -g in a port:
1429 + The compiler does not support -g
1430 + An alternate form of -g is needed with optimization, e.g.
1431 -g3.
1433 There will be no new ports added without -g (or a suitable
1434 alternative) being set.
1436 -g has not been arbitrarily added to the ports which do not
1437 currently have it because we don't know if doing so would break
1438 the build. However, any support issues with one of those ports
1439 will lead to the correct -g setting being determined and
1440 permanently added.
1442 Processors are fast enough (and disk space is cheap enough)
1443 that -g should be automatic in all compilers with no way of
1444 turning it off, and /bin/strip should be a symlink to
1445 /bin/true. Human life is too short to deal with binaries built
1446 without -g. Such binaries should be a bad memory of the days of
1447 KIPS processors and disks that cost several dollars per
1448 kilobyte.
1449 _________________________________________________________________
1451 6.3 Why don't you make c-client a shared library?
1453 All too often, shared libraries create far more problems than
1454 they solve.
1456 Remember that you only gain the benefit of a shared library
1457 when there are multiple applications which use that shared
1458 library. Even without shared libraries, on most modern
1459 operating systems (and many ancient ones too!) applications
1460 will share their text segments across multiple
1461 processes running the same application. This means that if your
1462 system only runs one application (e.g. imapd) that uses the
1463 c-client library, then you gain no benefit from making c-client
1464 a shared library even if it has 100 imapd processes. You will,
1465 however, suffer added complexity.
1467 If you have a server system that just runs imapd and ipop3d,
1468 then making c-client a shared library will save just one copy
1469 of c-client no matter how many IMAP/POP3 processes are running.
1471 The problem with shared libraries is that you have to keep
1472 around a copy of the library every time something changes in
1473 the library that would affect the interface the library
1474 presents to the application. So, you end up having many copies
1475 of the same shared library.
1477 If you don't keep multiple copies of the shared library, then
1478 one of two things happens. If there was proper versioning, then
1479 you'll get a message such as "cannot open shared object file"
1480 or "minor versions don't match" and the application won't run.
1481 Otherwise, the application will run, but will fail in
1482 mysterious ways.
1484 Several sites and third-party distributors have modified the
1485 c-client makefile in order to make c-client be a shared
1486 library. When (not if) a c-client based application fails in
1487 mysterious ways because of a library compatibility problem, the
1488 result is a bug report. A lot of time and effort ends up
1489 getting wasted investigating such bug reports.
1491 Memory is so cheap these days that it's not worth it. Human
1492 life is too short to deal with shared library compatibility
1493 problems.
1494 _________________________________________________________________
1496 6.4 Why don't you use iconv() for internationalization support?
1498 iconv() is not ubiquitous enough.
1499 _________________________________________________________________
1501 6.5 Why is the IMAP server connected to the home directory by default?
1503 The IMAP server has no way of knowing what you might call
1504 "mail" as opposed to "some other file"; in fact, you can use
1505 IMAP to access any file.
1507 The IMAP server also doesn't know whether your preferred
1508 subdirectory for mailbox files is "mail/", ".mail/", "Mail/",
1509 "Mailboxes/", or any of a zillion other possibilities. If one
1510 such name were chosen, it would undoubtedly anger the partisans
1511 of all the other names.
1513 It is possible to modify the software so that the default
1514 connected directory is someplace else. Please read the file
1515 CONFIG for discussion of this and other issues.
1516 _________________________________________________________________
1518 6.6 I have a Windows system. Why isn't the server plug and play for
1519 me?
1521 There is no standard for how mail is stored on Windows; nor a
1522 single standard SMTP server. The closest to either would be the
1523 SMTP server in Microsoft's IIS.
1525 So there's no default by which to make assumptions. As the
1526 software is set up, it assumes that each user has a
1527 Windows login account and private home directory, and that mail
1528 is stored on that home directory as files in one of the popular
1529 UNIX formats. It also assumes that there is some tool
1530 equivalent to inetd on UNIX that does the TCP/IP listening and
1531 server startup.
1533 Basically, unless you're an email software hacker, you probably
1534 want to look elsewhere if you want IMAP/POP servers for
1535 Windows.
1536 _________________________________________________________________
1538 6.7 I looked at the UNIX SSL code and saw that you have the SSL data
1539 payload size set to 8192 bytes. SSL allows 16K; why aren't you using
1540 the full size?
1542 This is to avoid an interoperability problem with:
1544 + PC IMAP clients that use Microsoft's SChannel.DLL (SSPI) for
1545 SSL support
1546 + Microsoft Exchange server (which also uses SChannel).
1548 SChannel has a bug that makes it think that the maximum SSL
1549 data payload size is 16379 bytes -- 5 bytes too small. Thus,
1550 c-client has to make sure that it never transmits full-sized
1551 SSL packets.
1553 The reason for using 8K (as opposed to, say, 16379 bytes, or
1554 15K, or...) is that it corresponds with the TCP buffer size
1555 that the software uses elsewhere for input; there's a slight
1556 performance benefit to having the two sizes correspond or at
1557 least be a multiple of each other. Also, it keeps the size as a
1558 power of two, which might be significant on some platforms.
1560 There wasn't a significant difference that we could measure
1561 between 8K and 15K.
1563 Microsoft has developed a hotfix for this bug. Look up MSKB
1564 article number 300562. Contrary to the article text which
1565 implies that this is a Pine issue, this bug also affects
1566 Microsoft Exchange server with any client that transmits
1567 full-sized SSL payloads.
1568 _________________________________________________________________
1570 6.8 Why is an mh format INBOX called #mhinbox instead of just INBOX?
1572 It's a long story. In brief, the mh format driver is less
1573 functional than any of the other drivers. It turned out that
1574 there were some users (including high-level administrators) who
1575 tried mh years ago and no longer use it, but still had an mh
1576 profile left behind.
1578 When the mh driver used INBOX, it would see the mh profile, and
1579 proceed to move the user's INBOX into the mh format INBOX. This
1580 caused considerable confusion as some things stopped working.
1581 _________________________________________________________________
1583 6.9 Why don't you support the maildir format?
1585 It is technically difficult to support maildir in IMAP while
1586 maintaining acceptable performance, robustness, following the
1587 requirements of the IMAP protocol specification, and following
1588 the requirements of maildir.
1590 No one has succeeded in accomplishing all four together. The
1591 various maildir drivers offered as patches all have these
1592 problems. The problem is exacerbated because this
1593 implementation supports multiple formats; consequently this
1594 implementation can't make any performance shortcuts by assuming
1595 that all the world is maildir.
1597 We can't do a better job than the maildir fan community has
1598 done with their maildir drivers. Similarly, if the maildir fan
1599 community provides the maildir driver, they take on the
1600 responsibility for answering maildir-specific support
1601 questions. This is as it should be, and that is why maildir
1602 support is left to the maildir fan community.
1603 _________________________________________________________________
1605 6.10 Why don't you support the Cyrus format?
1607 There's no point to doing so. An implementation which supports
1608 multiple formats will never do as well as one which is
1609 optimized to support one single format.
1611 If you want to use Cyrus mailbox format, you should use the
1612 Cyrus server, which is the native implementation of that format
1613 and is specifically optimized for that format. That's also why
1614 Cyrus doesn't implement any other format.
1615 _________________________________________________________________
1617 6.11 Why is it creating extra forks on my SVR4 system?
1619 This is because your system only has fcntl() style locking and
1620 not flock() style locking. fcntl() locking has a design flaw
1621 that causes a close() to release any locks made by that process
1622 on the file opened on that file descriptor, even if the lock
1623 was made on a different file descriptor.
1625 This design flaw causes unexpected loss of lock, and consequent
1626 mailbox corruption. The workaround is to do certain "dangerous
1627 operations" in another fork, thus avoiding doing a close() in
1628 the vulnerable fork.
1630 The best way to solve this problem is to upgrade your SVR4
1631 (Solaris, AIX, HP-UX, SGI) or OSF/1 system to a more advanced
1632 operating system, such as Linux or BSD. These more advanced
1633 operating systems have fcntl() locking for compatibility with
1634 SVR4, but also have flock() locking.
1636 Beware of certain SVR4 systems, such as AIX, which have an
1637 "flock()" function in their C library that is just a jacket
1638 that does an fcntl() lock. This is not a true flock(), and has
1639 the same design flaw as fcntl().
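The lock-loss flaw described above, reproduced beside flock() as an added C example that is not code from the IMAP toolkit. It assumes a Linux or BSD system with a writable /tmp, and it asks a child process whether the lock is still held, because a process always sees its own locks as free.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child-side probe: 1 if some other process holds an fcntl() write
 * lock on the whole file, 0 if not, 2 on error. */
static int fcntl_probe(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0) return 2;
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
    int r = fcntl(fd, F_GETLK, &fl);
    close(fd);
    return r < 0 ? 2 : (fl.l_type != F_UNLCK);
}

/* Child-side probe: 1 if another open file description holds a
 * flock() lock (our non-blocking attempt is refused), 0 if not. */
static int flock_probe(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0) return 2;
    int r = flock(fd, LOCK_EX | LOCK_NB);
    int busy = (r < 0 && errno == EWOULDBLOCK);
    close(fd);
    return busy;
}

/* Run a probe in a separate process; returns its answer, -1 on error. */
static int run_in_child(int (*probe)(const char *), const char *path)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(probe(path));
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 2 ? -1 : WEXITSTATUS(st);
}

/* Take a lock on fd1, then open and close an unrelated fd2 on the same
 * file (what a "dangerous operation" in 6.11 amounts to) and ask a
 * separate process whether the lock is still there.
 * Returns 1 if the lock survived, 0 if it was lost, -1 on error. */
int lock_survives_unrelated_close(int use_flock)
{
    char path[] = "/tmp/lockdemo.XXXXXX";   /* constructed scratch file */
    int fd1 = mkstemp(path);
    if (fd1 < 0) return -1;
    int locked;
    if (use_flock) {
        locked = flock(fd1, LOCK_EX) == 0;
    } else {
        struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
        locked = fcntl(fd1, F_SETLK, &fl) == 0;
    }
    int result = -1;
    if (locked) {
        int fd2 = open(path, O_RDONLY);
        if (fd2 >= 0) {
            /* POSIX: closing ANY descriptor for the file releases every
             * fcntl() lock this process holds on it; flock() locks belong
             * to the open file description and are unaffected. */
            close(fd2);
            result = run_in_child(use_flock ? flock_probe : fcntl_probe, path);
        }
    }
    close(fd1);
    unlink(path);
    return result;
}

int main(void)
{
    printf("fcntl() lock survives unrelated close: %d\n",
           lock_survives_unrelated_close(0));
    printf("flock() lock survives unrelated close: %d\n",
           lock_survives_unrelated_close(1));
    return 0;
}
```

On a system whose "flock()" is only a jacket over fcntl(), as the answer warns for AIX, the second call reports 0 as well.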
1640 _________________________________________________________________
1642 6.12 Why are you so fussy about the date/time format in the internal
1643 "From " line in traditional UNIX mailbox files? My other mail program
1644 just considers every line that starts with "From " to be the start of
1645 the message.
1647 You just answered your own question. If any line that starts
1648 with "From " is treated as the start of a message, then every
1649 message text line which starts with "From " has to be quoted
1650 (typically by prefixing a ">" character). People complain about
1651 this -- "why did a > get stuck in my message?"
1653 So, good mail reading software only considers a line to be a
1654 "From " line if it follows the actual specification for a
1655 "From " line. This means, among other things, that the day of
1656 month is fixed-width: "May 14", but "May  7" (note the extra
1657 space) as opposed to "May 7". ctime() format for the date is
1658 the most common, although POSIX also allows a numeric timezone
1659 after the year. For compatibility with ancient software, the
1660 seconds are optional, the timezone may appear before the year,
1661 the old 3-letter timezones are also permitted, and "remote from
1662 xxx" may appear after the whole thing.
1664 Unfortunately, some software written by novices uses other
1665 formats. The most common error is to have a variable-width day
1666 of month, perhaps in the erroneous belief that RFC 2822 (or RFC
1667 822) defines the format of the date/time in the "From " line
1668 (it doesn't; no RFC describes internal formats). I've seen a
1669 few other goofs, such as a single-digit second, but these are
1670 less common.
1672 If you are writing your own software that writes mailbox files,
1673 and you really aren't all that savvy with all the ins and outs
1674 and ancient history, you should seriously consider using the
1675 c-client library (e.g. routine mail_append()) instead of doing
1676 the file writes yourself. If you must do it yourself, use
1677 ctime(), as in:
1679 time_t now = time (0);
     fprintf (mbx,"From %s@%s %s",user,host,ctime (&now));
1681 rather than try to figure out a good format yourself. ctime()
1682 is the most traditional format and nobody will flame you for
1683 using it.
1684 _________________________________________________________________
1686 6.13 Why is traditional UNIX format the default format?
1688 Compatibility with the past 30 or so years of UNIX history.
1689 This server is the only one that completely interoperates with
1690 legacy UNIX mail tools.
1691 _________________________________________________________________
1693 6.14 Why do you write this "DON'T DELETE THIS MESSAGE -- FOLDER
1694 INTERNAL DATA" message at the start of traditional UNIX and MMDF
1695 format mailboxes?
1697 This pseudo-message serves two purposes.
1699 First, it establishes the mailbox format even when the mailbox
1700 has no messages. Otherwise, a mailbox with no messages is a
1701 zero-byte file, which could be one of several formats.
1703 Second, it holds mailbox metadata used by IMAP: the UID
1704 validity, the last assigned UID, and mailbox keywords. Without
1705 this metadata, which must be preserved even when the mailbox
1706 has no messages, the traditional UNIX format wouldn't be able
1707 to support the full capabilities of IMAP.
1708 _________________________________________________________________
1710 6.15 Why don't you stash the mailbox metadata in the first real
1711 message of the mailbox instead of writing this fake FOLDER INTERNAL
1712 DATA message?
1714 In fact, that is what is done if the mailbox is non-empty and
1715 does not already have a FOLDER INTERNAL DATA message.
1717 One problem with doing that is that if some external program
1718 removes the first message, the metadata is lost and must be
1719 recreated, thus losing any prior UID or keyword list status
1720 that IMAP clients may depend upon.
1722 Another problem is that this doesn't help if the last message
1723 is deleted. This will result in an empty mailbox, and the
1724 necessity to create a FOLDER INTERNAL DATA message.
1725 _________________________________________________________________
1727 6.16 Why aren't "dual-use" mailboxes the default?
1729 Compatibility with the past 30 or so years of UNIX history, not
1730 to mention compatibility with user expectations when using
1731 shell tools.
1732 _________________________________________________________________
1734 6.17 Why do you use ucbcc to build on Solaris?
1736 It is a long, long story about why cc is set to ucbcc. You need
1737 to invoke the C compiler so that it links with the SVR4
1738 libraries and not the BSD libraries, otherwise readdir() will
1739 return the wrong information.
1741 Of all the names in the most common path, ucbcc is the only
1742 name to be found (on /usr/ccs/bin) that points to a suitable
1743 compiler. cc is likely to be /usr/ucb/cc which is absolutely
1744 not the compiler that you want. The real SVR4 cc is probably
1745 something like /opt/SUNWspro/bin/cc which is rarely in anyone's
1746 path by default.
1748 ucbcc is probably a link to acc, e.g.
1749 /opt/SUNWspro/SC4.0/bin/acc, and is the UCB C compiler using
1750 the SVR4 libraries.
1752 If ucbcc isn't on your system, then punt on the SUN C compiler
1753 and use gcc instead (the gso port instead of the sol port).
1755 If, in spite of all the above warnings, you choose to change
1756 "ucbcc" to "cc", you will probably find that the -O2 needs to
1757 be changed to -O. If you don't get any error messages with -O2,
1758 that's a pretty good indicator that you goofed and are running
1759 the compiler that will link with the BSD libraries.
1761 To recap:
1763 + The sol port is designed to be built using the UCB compiler
1764 using the SVR4 libraries. This compiler is "ucbcc", which is
1765 linked to acc. You use -O2 as one of the CFLAGS.
1766 + If you build the sol port with the UCB compiler using the BSD
1767 libraries, you will get no error messages but you will get
1768 bad binaries (the most obvious symptom is dropping the first
1769 two characters of filenames returned by the imapd LIST command).
1770 This compiler also uses -O2, and is very often what the user
1771 gets from "cc". BEWARE
1772 + If you build the sol port with the real SVR4 compiler, which
1773 is often hidden away or unavailable on many systems, then you
1774 will get errors from -O2 and you need to change that to -O.
1775 But you will get a good binary. However, you should try it
1776 with -O2 first, to make sure that you got this compiler and
1777 not the UCB compiler using BSD libraries.
1778 _________________________________________________________________
1780 6.18 Why should I care about some old system with BSD libraries? cc is
1781 the right thing on my Solaris system!
1783 Because there still are sites that use such systems. On those
1784 systems, the assumption that "cc" does the right thing will
1785 lead to corrupt binaries with no error message or other warning
1786 that anything is amiss.
1788 Too many sites have fallen victim to this problem.
1789 _________________________________________________________________
1791 6.19 Why do you insist upon writing .lock files in the spool
1792 directory?
1794 Compatibility with the past 30 years of UNIX software which
1795 deals with the spool directory, especially software which
1796 delivers mail. Otherwise, it is possible to lose mail.
1797 _________________________________________________________________
1799 6.20 Why should I care about compatibility with the past?
1801 This is one of those questions in which the answer never
1802 convinces those who ask it. Somehow, everybody who ever asks
1803 this question ends up answering it for themselves as they get
1804 older, with the very answer that they rejected years earlier.
1805 _________________________________________________________________
1807 7. Problems and Annoyances
1808 _________________________________________________________________
1810 7.1 Help! My INBOX is empty! What happened to my messages?
1812 If you are seeing "0 messages" when you open INBOX and you know
1813 you have messages there (and perhaps have looked at your mail
1814 spool file and see that messages are there), then probably
1815 there is something wrong with the very first line of your mail
1816 spool file. Make sure that the first five bytes of the file are
1817 "From ", followed by an email address and a date/time in
1818 ctime() format, e.g.:
1820 From fred@foo.bar Mon May  7 20:54:30 2001
1821 _________________________________________________________________
1823 7.2 Help! All my messages in a non-INBOX mailbox have been
1824 concatenated into one message which claims to be from me and has a
1825 subject of the file name of the mailbox! What's going on?
1827 Something wrong with the very first line of the mailbox. Make
1828 sure that the first five bytes of the file are "From ",
1829 followed by an email address and a date/time in ctime() format,
1830 e.g.:
1832 From fred@foo.bar Mon May  7 20:54:30 2001
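The first-line check from 7.1 and 7.2, applying the "From " line rules of 6.12, as an added C example that is not part of the IMAP toolkit: is_valid_from_line() accepts the ctime() form with a fixed-width day of month, optional seconds, an old 3-letter zone before the year, a numeric zone after it and a trailing "remote from xxx", and rejects the variable-width day and single-digit seconds. format_from_line() writes the line in that layout; it uses asctime(gmtime()) so its output does not depend on the local zone, which is this example's assumption, whereas a real writer would use ctime() as the FAQ shows.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

static const char DAYS[]   = "SunMonTueWedThuFriSat";
static const char MONTHS[] = "JanFebMarAprMayJunJulAugSepOctNovDec";

static int in_table(const char *tbl, const char *p)
{
    for (; *tbl; tbl += 3) if (!strncmp(tbl, p, 3)) return 1;
    return 0;
}
static int digit(char c) { return isdigit((unsigned char)c) != 0; }
static int alpha(char c) { return isalpha((unsigned char)c) != 0; }
static int two_digits(const char *p) { return digit(p[0]) && digit(p[1]); }

/* 1 if `line` is a well-formed "From " line per 6.12, else 0.  A trailing
 * CRLF or LF is allowed; any other trailing text is a rejection. */
int is_valid_from_line(const char *line)
{
    const char *p = line;
    if (strncmp(p, "From ", 5)) return 0;
    p += 5;
    const char *addr = p;
    while (*p && *p != ' ') p++;                 /* envelope address, one token */
    if (p == addr || *p != ' ') return 0;
    p++;
    if (!in_table(DAYS, p) || p[3] != ' ') return 0;     /* Www */
    p += 4;
    if (!in_table(MONTHS, p) || p[3] != ' ') return 0;   /* Mmm */
    p += 4;
    /* day of month: always two columns, space padded ("May  7", never "May 7") */
    if (!((p[0] == ' ' || digit(p[0])) && digit(p[1]) && p[2] == ' ')) return 0;
    p += 3;
    if (!two_digits(p) || p[2] != ':' || !two_digits(p + 3)) return 0;  /* hh:mm */
    p += 5;
    if (p[0] == ':') {                           /* seconds are optional, never one digit */
        if (!two_digits(p + 1)) return 0;
        p += 3;
    }
    if (*p++ != ' ') return 0;
    if (alpha(p[0]) && alpha(p[1]) && alpha(p[2]) && p[3] == ' ')
        p += 4;                                  /* old 3-letter zone before the year */
    if (!two_digits(p) || !two_digits(p + 2)) return 0;  /* yyyy */
    p += 4;
    if (p[0] == ' ' && (p[1] == '+' || p[1] == '-') && two_digits(p + 2) && two_digits(p + 4))
        p += 6;                                  /* POSIX numeric zone after the year */
    if (!strncmp(p, " remote from ", 13)) {      /* ancient UUCP trailer */
        p += 13;
        if (*p == '\0' || *p == '\r' || *p == '\n') return 0;
        while (*p && *p != '\r' && *p != '\n') p++;
    }
    if (*p == '\r') p++;
    if (*p == '\n') p++;
    return *p == '\0';
}

/* Write the line in ctime() layout.  asctime(gmtime()) is used here only
 * so the result is reproducible; a real mailbox writer uses ctime()
 * (local time) exactly as the FAQ shows.  Returns bytes written, or -1. */
int format_from_line(char *out, size_t cap, const char *user,
                     const char *host, time_t when)
{
    struct tm *tm = gmtime(&when);
    if (!tm) return -1;
    /* asctime() already ends with the newline that terminates the line */
    int n = snprintf(out, cap, "From %s@%s %s", user, host, asctime(tm));
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char line[96];
    if (format_from_line(line, sizeof line, "fred", "foo.bar", time(NULL)) > 0)
        printf("%svalid: %d\n", line, is_valid_from_line(line));
    return 0;
}
```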
1833 _________________________________________________________________
1835 7.3 Why do I get the message: CREATE failed: Can't create mailbox node
1836 xxxxxxxxx: File exists and how do I fix it?
1838 See the answer to the Are hierarchical mailboxes supported?
1839 question.
1840 _________________________________________________________________
1842 7.4 Why can't I log in to the server? The user name and password are
1843 right!
1845 There are myriad possible answers to this question. The only
1846 way to say for sure what is wrong is to run the server
1847 under a debugger such as gdb while root (yes, you must be root)
1848 with a breakpoint at routines checkpw() and loginpw(), then
1849 single-step until you see which test rejected you. The server
1850 isn't going to give any error messages other than "login
1851 failed" in the name of not giving out any unnecessary
1852 information to unauthorized individuals.
1854 Here are some of the more common reasons why login may fail:
1856 + You didn't really give the correct user name and/or password.
1857 + Your client doesn't send the LOGIN command correctly; for
1858 example, IMAP2 clients won't send a password containing a "*"
1859 correctly to an IMAP4 server.
1860 + If you have set up a CRAM-MD5 database, remember that the
1861 password used is the one in the CRAM-MD5 database, and
1862 furthermore that there must also be an entry in /etc/passwd
1863 (but the /etc/passwd password is not used).
1864 + If you are using PAM, have you created a service file for the
1865 server in /etc/pam.d?
1866 + If you are using shadow passwords, have you used an
1867 appropriate port when building? In particular, note that
1868 "lnx" is for Linux systems without shadow passwords; you
1869 probably want "slx" or "lnp" instead.
1870 + If your system has account or password expirations, check to
1871 see that the expiration date hasn't passed.
1872 + You can't log in as root or any other UID 0 user. This is for
1873 your own safety, not to mention the fact that the servers use
1874 UID 0 as meaning "not logged in".
1875 _________________________________________________________________
1877 7.5 Help! My load average is soaring and I see hundreds of POP and
1878 IMAP servers, many logged in as the same user!
1880 Certain inferior losing GUI mail reading programs have a
1881 "synchronize all mailboxes at startup" (IMAP) or "check for new
1882 mail every second" (POP) feature which causes a rapid and
1883 unchecked spawning of servers.
1885 This is not a problem in the server; the client is really
1886 asking for all those server sessions. Unfortunately, there
1887 isn't much that the POP and IMAP servers can do about it; they
1888 don't spawn themselves.
1890 Some sites have added code to record the number of server
1891 sessions spawned per user per hour, and disable login for a
1892 user who has exceeded a predetermined rate. This doesn't stop
1893 the servers from being spawned; it just means that a server
1894 session will commit suicide a bit faster.
1896 Another possibility is to detect excessive server spawning
1897 activity at the level where the server is spawned, which would
1898 be inetd or possibly tcpd. The problem here is that this is
1899 hard to quantify. 50 sessions in a minute from a
1900 multi-user timesharing system may be perfectly alright, whereas
1901 10 sessions a minute from a PC may be too much.
1903 The real solution is to fix the client configuration, by
1904 disabling those evil features. Also tell the vendors of those
1905 clients how you feel about distributing denial-of-service
1906 attack tools in the guise of mail reading programs.
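The per-user, per-hour session counter that some sites have added, as an added C example that is not the toolkit's own code, run over constructed syslog lines. It assumes each login is logged on one line with a syslog timestamp and a "user=NAME" field, the same field the FAQ's own messages use.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32
#define HOUR_LEN 10          /* "Mmm dd hh" plus NUL */

struct bucket { char user[NAME_LEN]; char hour[HOUR_LEN]; int count; };

/* Pull the hour bucket ("May  7 20") and the user= value out of one
 * Login line.  Returns 1 on success, 0 if the line is not a login. */
static int parse_line(const char *line, char *hour, char *user)
{
    if (strlen(line) < 9 || !strstr(line, ": Login ")) return 0;
    memcpy(hour, line, 9);               /* syslog timestamp "Mmm dd hh:mm:ss" */
    hour[9] = '\0';
    const char *u = strstr(line, " user=");
    if (!u) return 0;
    u += 6;
    size_t n = strcspn(u, " \n");
    if (n == 0 || n >= NAME_LEN) return 0;
    memcpy(user, u, n);
    user[n] = '\0';
    return 1;
}

/* Tally sessions per (user, hour).  Returns the number of buckets filled. */
int count_sessions(const char *const *lines, int nlines, struct bucket *b, int cap)
{
    int nb = 0;
    for (int i = 0; i < nlines; i++) {
        char hour[HOUR_LEN], user[NAME_LEN];
        if (!parse_line(lines[i], hour, user)) continue;
        int j;
        for (j = 0; j < nb; j++)
            if (!strcmp(b[j].user, user) && !strcmp(b[j].hour, hour)) break;
        if (j == nb) {
            if (nb == cap) break;          /* table full: stop counting */
            strcpy(b[nb].user, user);
            strcpy(b[nb].hour, hour);
            b[nb].count = 0;
            nb++;
        }
        b[j].count++;
    }
    return nb;
}

/* Sessions recorded for one user in one hour bucket (0 if none). */
int sessions_for(const struct bucket *b, int nb, const char *user, const char *hour)
{
    for (int j = 0; j < nb; j++)
        if (!strcmp(b[j].user, user) && !strcmp(b[j].hour, hour)) return b[j].count;
    return 0;
}

/* First user whose count in some hour exceeds `limit`; NULL if nobody.
 * A site would refuse that user's next login until the hour rolls over. */
const char *first_over_limit(const struct bucket *b, int nb, int limit)
{
    for (int j = 0; j < nb; j++)
        if (b[j].count > limit) return b[j].user;
    return NULL;
}

/* Constructed sample: "fred" runs a client that reconnects every few
 * seconds, "wilma" behaves normally. */
const char *const SAMPLE[] = {
    "May  7 20:54:30 myserver imapd[1201]: Login user=fred host=pc.example.com",
    "May  7 20:54:33 myserver imapd[1202]: Login user=fred host=pc.example.com",
    "May  7 20:54:36 myserver imapd[1203]: Login user=fred host=pc.example.com",
    "May  7 20:54:39 myserver imapd[1204]: Login user=fred host=pc.example.com",
    "May  7 20:54:42 myserver imapd[1205]: Login user=fred host=pc.example.com",
    "May  7 20:54:45 myserver imapd[1206]: Login user=fred host=pc.example.com",
    "May  7 20:55:01 myserver imapd[1207]: Login user=wilma host=ws.example.com",
    "May  7 20:58:10 myserver imapd[1207]: Logout user=wilma host=ws.example.com",
    "May  7 21:02:00 myserver imapd[1208]: Login user=fred host=pc.example.com",
};
const int SAMPLE_N = (int)(sizeof SAMPLE / sizeof SAMPLE[0]);

int main(void)
{
    struct bucket b[64];
    int nb = count_sessions(SAMPLE, SAMPLE_N, b, 64);
    const char *who = first_over_limit(b, nb, 5);
    printf("%s\n", who ? who : "nobody over limit");
    return 0;
}
```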
1907 _________________________________________________________________
1909 7.6 Why does mail disappear even though I set "keep mail on server"?
1910 7.7 Why do I get the message Moved ##### bytes of new mail to
1911 /home/user/mbox from /var/spool/mail/user and why did this happen?
1913 This is probably caused by the mbox driver. If the file "mbox"
1914 exists on the user's home directory and is in UNIX mailbox
1915 format, then when INBOX is opened this file will be selected as
1916 INBOX instead of the mail spool file. Messages will be
1917 automatically transferred from the mail spool file into the
1918 mbox file.
1920 To disable this behavior, delete "mbox" from the EXTRADRIVERS
1921 list in the top-level Makefile and rebuild. Note that if you do
1922 this, users won't be able to access the messages that have
1923 already been moved to mbox unless they open mbox instead of
1924 INBOX.
1925 _________________________________________________________________
1927 7.8 Why isn't it showing the local host name as a fully-qualified
1928 domain name?
1929 7.9 Why is the local host name in the From/Sender/Message-ID headers
1930 of outgoing mail not coming out as a fully-qualified domain name?
1932 Your UNIX system is misconfigured. The entry for your system in
1933 /etc/hosts must have the fully-qualified domain name first,
1934 e.g.
1936 105.69.1.234 myserver.example.com myserver
1938 A common mistake of novice system administrators is to have the
1939 short name first, e.g.
1941 105.69.1.234 myserver myserver.example.com
1943 or to omit the fully qualified domain name entirely, e.g.
1945 105.69.1.234 myserver
1947 The result of this is that when the IMAP toolkit does a
1948 gethostbyname() call to get the fully-qualified domain name, it
1949 would get "myserver" instead of "myserver.example.com".
1951 On some systems, a configuration file (typically named
1952 /etc/svc.conf, /etc/netsvc.conf, or /etc/nsswitch.conf) can be
1953 used to configure the system to use the domain name system
1954 (DNS) instead of /etc/hosts, so it doesn't matter if /etc/hosts
1955 is misconfigured.
1957 Check the man pages for gethostbyname, hosts, svc, and/or
1958 netsvc for more information.
1960 Unfortunately, certain vendors, most notably SUN, have failed
1961 to make this clear in their documentation. Most of SUN's
1962 documentation assumes a corporate network that is not connected
1963 to the Internet.
1965 net.folklore once (late 1980s) held that the proper procedure
1966 was to append the results of getdomainname() to the name
1967 returned by gethostname(), and some versions of sendmail
1968 configuration files were distributed that did this. This was
1969 incorrect; the string returned from getdomainname() is the
1970 Yellow Pages (a.k.a. NIS) domain name, which is a completely
1971 different (albeit unfortunately named) entity from an Internet
1972 domain. These were often fortuitously the same string, except
1973 when they weren't. Frequently, this would result in host names
1974 with spuriously doubled domain names, e.g.
1976 myserver.example.com.example.com
1978 This practice has been thoroughly discredited for many years,
1979 but folklore dies hard.
1980 _________________________________________________________________
1982 7.10 What does the message: Mailbox vulnerable - directory
1983 /var/spool/mail must have 1777 protection mean? How can I fix this?
1985 In order to update a mailbox in the default UNIX format, it is
1986 necessary to create a lock file to prevent the mailer from
1987 delivering mail while an update is in progress. Some systems
1988 use a directory protection of 775, requiring that all mail
1989 handling programs be setgid mail; or of 755, requiring that all
1990 mail handling programs be setuid root.
1992 The IMAP toolkit does not run with any special privileges, and
1993 I plan to keep it that way. It is antithetical to the concept
1994 of a toolkit if users can't write their own programs to use it.
1995 Also, I've had enough bad experiences with security bugs while
1996 running privileged; the IMAP and POP servers have to be root
1997 when not logged in, in order to be able to log themselves in. I
1998 don't want to go any deeper down that slippery slope.
2000 Directory protection 1777 is secure enough on most well-managed
2001 systems. If you can't trust your users with a 1777 mail spool
2002 (petty harassment is about the limit of the abuse exposure),
2003 then you have much worse problems than that.
2005 If you absolutely insist upon requiring privileges to create a
2006 lock file, external file locking can be done via a setgid mail
2007 program named /etc/mlock (this is defined by LOCKPGM in the
2008 c-client Makefile). If the toolkit is unable to create a
2009 <...mailbox...>.lock file in the directory by itself, it will
2010 try to call mlock to do it. I do not recommend doing this for
2011 performance reasons.
2013 A sample mlock program is included as part of imap-2007. We
2014 have tried to make this sample program secure, but it has not
2015 been thoroughly audited.
2016 _________________________________________________________________
2018 7.11 What does the message: Mailbox is open by another process, access
2019 is readonly mean? How do I fix this?
2021 A problem occurred in applying a lock to a /tmp lock file.
2022 Either some other program has the mailbox open and won't
2023 relinquish it, or something is wrong with the protection of
2024 /tmp or the lock.
2026 Make sure that the /tmp directory is protected 1777. Some
2027 security scripts incorrectly set the protection of the /tmp
2028 directory to 775, which disables /tmp for all non-privileged
2029 programs.
2030 _________________________________________________________________
2032 7.12 What does the message: Can't get write access to mailbox, access
2033 is readonly mean?
2035 The mailbox file is write-protected against you.
2036 _________________________________________________________________
2038 7.13 I set my POP3 client to "delete messages from server" but they
2039 never get deleted. What is wrong?
2041 Make sure that your mailbox is not read-only: that the mailbox
2042 is owned by you and write enabled (protection 0600), and that
2043 the /tmp directory is world-writeable. /tmp must be
2044 world-writeable because lots of applications use it for scratch
2045 space. To fix this, do
2048 chmod 1777 /tmp
2050 as root.
2052 Make sure that your POP3 client issues a QUIT command when it
2053 finishes. The POP3 protocol specifies that deletions are
2054 discarded unless a proper QUIT is done.
2056 Make sure that you are not opening multiple POP3 sessions to
2057 the same mailbox. It is a requirement of the POP3 protocol that
2058 only one POP3 session be in effect to a mailbox at a time;
2059 however, some poorly-written POP3 clients violate this. Also,
2060 some background "check for new mail" tasks also cause a
2061 violation. See the answer to the What does the syslog message:
2062 Killed (lost mailbox lock) user=... host=... mean? question for
2063 more details.
2064 _________________________________________________________________
2066 7.14 What do messages such as:
2067 Message ... UID ... already has UID ...
2068 Message ... UID ... less than ...
2069 Message ... UID ... greater than last ...
2070 Invalid UID ... in message ..., rebuilding UIDs
2072 mean?
2074 Something happened to corrupt the unique identifier regime in
2075 the mailbox. In traditional UNIX-format mailboxes, this can
2076 happen if the user deleted the "DO NOT DELETE" internal
2077 message.
2079 This problem is relatively harmless; a new valid unique
2080 identifier regime will be created. The main effect is that any
2081 references to the old UIDs will no longer be useful.
2083 So, unless it is a chronic problem or you feel like debugging,
2084 you can safely ignore these messages.
2085 _________________________________________________________________
2087 7.15 What do the error messages:
2088 Unable to read internal header at ...
2089 Unable to find CRLF at ...
2090 Unable to parse internal header at ...
2091 Unable to parse message date at ...
2092 Unable to parse message flags at ...
2093 Unable to parse message UID at ...
2094 Unable to parse message size at ...
2095 Last message (at ... ) runs past end of file ...
2097 mean? I am using mbx format.
2099 The mbx-format mailbox is corrupted and needs to be repaired.
2101 You should make an effort to find out why the corruption
2102 happened. Was there an obvious system problem (crash or disk
2103 failure)? Did the user accidentally access the file via NFS?
2104 Mailboxes don't get corrupted by themselves; something caused
2105 the problem.
2107 Some people have developed automated scripts, but if you're
2108 comfortable using emacs it's pretty easy to fix it manually. Do
2109 not use vi or any other editor unless you are certain that
2110 editor can handle binary!!!
2112 If you are not comfortable with emacs, or if the file is too
2113 large to read with emacs, see the "step-by-step" technique
2114 later on for another way of doing it.
2116 After the word "at" in the error message is the byte position
2117 it got to when it got unhappy with the file, e.g. if you see:
2119 Unable to parse internal header at 43921: ne bombastic blurdybloop
2121 The problem occurs at byte 43,921 in the file. That's the
2122 point you need to fix. c-client is expecting an internal header
2123 at that byte number, looking something like:
2125  6-Jan-1998 17:42:24 -0800,1045;000000100001-00000001
2127 The format of this internal line is:
2129 dd-mmm-yyyy hh:mm:ss +zzzz,ssss;ffffffffFFFF-UUUUUUUU
2131 The only thing that is variable is the "ssss" field, it can be
2132 as many digits as needed. All other fields (including the "dd")
2133 are fixed width. So, the easiest thing to do is to look forward
2134 in the file for the next internal header, and delete everything
2135 from the error point to that internal header.
2137 Here's what to do if you want to be smarter and do a little bit
more work. Generally, you're in the middle of a message, and
there's nothing wrong with that message. The problem happened
in the *previous* message. So, search back to the previous
internal header. Now, remember that "ssss" field? That's the
size of that message.

Mark where you are in the file, move the cursor to the line
after the internal header, and skip that many bytes ("ssss")
forward. If you're at the point of the error in the file, then
that message is corrupt. If you're at a different point, then
perhaps the previous message is corrupt and has a too long size
count that "ate" into this message.

Basically, what you need to do is make sure that all those size
counts are right, and that moving "ssss" bytes from the line
after the internal header will land you at another internal
header.

Usually, once you know what you're looking at, it's pretty easy
to work out the corruption, and the best remedial action.
Repair scripts will make the problem go away but may not always
do the smartest/best salvage of the user's data. Manual repair
is more flexible and usually preferable.

Here is a step-by-step technique for fixing corrupt mbx files
that's a bit cruder than the procedure outlined above, but
works for any size file.

In this example, suppose that the corrupt file is INBOX, the
error message is

Unable to find CRLF at 132551754

and the size of the INBOX file is 132867870 bytes.

The first step is to split the mailbox file at the point of the
error:

+ Rename the INBOX file to some other name, such as INBOX.bad.
+ Copy the first 132,551,754 bytes of INBOX.bad to another
file, such as INBOX.new.
+ Extract the trailing 316,116 bytes (132867870-132551754) of
INBOX.bad into another file, such as INBOX.tail.
+ You no longer need INBOX.bad. Delete it (or, more cautiously,
keep it until the repaired mailbox has been verified; it costs
only disk space).

In other words, use the number from the "Unable to find CRLF
at" as the point to split INBOX into two new files, INBOX.new
and INBOX.tail.

Now, remove the erroneous data:

+ Verify that you can open INBOX.new in IMAP or Pine.
+ The last message of INBOX.new is probably corrupted. Copy it
to another file, such as badmsg.1, then delete and expunge
that last message from INBOX.new.
+ Locate the first occurrence of text in INBOX.tail which looks
like an internal header, as described above.
+ Remove all the text which occurs prior to that point, and
place it into another file, such as badmsg.2. Note that in
the case of a single digit date, there is a leading space
which must not be removed (e.g. " 6-Nov-2001" not
"6-Nov-2001").

Reassemble the mailbox:

+ Append INBOX.tail to INBOX.new.
+ You no longer need INBOX.tail. Delete it.
+ Verify that you can open INBOX.new in IMAP or Pine.

Reinstall INBOX.new as INBOX:

+ Check to see if you have received any new messages while
repairing INBOX.
+ If you haven't received any new messages while repairing
INBOX, just rename INBOX.new to INBOX.
+ If you have received new messages, be sure to copy the new
messages from INBOX to INBOX.new before doing the rename.

You now have a working INBOX, as well as two files with
corrupted data (badmsg.1 and badmsg.2). There may be some
useful data in the two badmsg files that you might want to try
salvaging; otherwise you can delete the two badmsg files.
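The split, trim and reassemble steps above, written out as shell functions. This is an added example, not a script from the IMAP toolkit; it runs here against a small constructed mailbox rather than a real 132 MB INBOX, and the regular expression that recognises an internal header is an assumption that approximates the header's leading fields (optional leading space, day, month, year, time, zone, ",size;"), not the exact format from the c-client source. "head -c" is not strictly POSIX but is present on GNU and BSD systems.

```shell
# Added example: split a corrupt mbx file at the byte offset from
# "Unable to find CRLF at N", trim the junk before the next internal
# header out of the tail, and reassemble. Not part of the IMAP toolkit.
set -eu

# size_of FILE: byte count with wc's padding stripped
size_of() { wc -c < "$1" | tr -d ' '; }

# split_at_offset BAD OFFSET NEW TAIL: the first OFFSET bytes of BAD go
# to NEW (INBOX.new), everything after them to TAIL (INBOX.tail).
split_at_offset() {
    head -c "$2" "$1" > "$3"
    tail -c +"$(($2 + 1))" "$1" > "$4"
}

# first_header_line FILE: 1-based number of the first line that looks
# like an mbx internal header. ASSUMPTION: the pattern only approximates
# the header shape described in this FAQ (note the optional leading
# space for one-digit days); check it against the real format before
# trusting it on a user's mailbox.
first_header_line() {
    grep -n -E '^ ?[0-9]{1,2}-[A-Z][a-z]{2}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4},[0-9]+;' "$1" \
        | head -n 1 | cut -d: -f1
}

# trim_tail TAIL BADMSG CLEAN: move the bytes before the first internal
# header out of TAIL into BADMSG (badmsg.2), leaving the rest in CLEAN.
trim_tail() {
    n=$(first_header_line "$1")
    [ -n "$n" ] || { echo "no internal header found in $1" >&2; return 1; }
    head -n "$((n - 1))" "$1" > "$2"
    tail -n +"$n" "$1" > "$3"
}

# Constructed sample (made-up content): one intact message, a junk line
# with no message boundary, then a message whose header has a one-digit
# day. error_at stands in for the N from "Unable to find CRLF at N".
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '12-Jan-2007 10:00:00 +0000,30;0000000000000000-00000001\r\nFrom: a@example.com\r\n\r\nhello\r\n' > "$work/good.part"
printf 'GARBAGE\r\n' > "$work/junk.part"
printf ' 6-Nov-2001 09:30:00 +0000,30;0000000000000000-00000002\r\nFrom: b@example.com\r\n\r\nworld\r\n' > "$work/rest.part"
cat "$work/good.part" "$work/junk.part" "$work/rest.part" > "$work/INBOX.bad"
error_at=$(size_of "$work/good.part")

split_at_offset "$work/INBOX.bad" "$error_at" "$work/INBOX.new" "$work/INBOX.tail"
trim_tail "$work/INBOX.tail" "$work/badmsg.2" "$work/INBOX.clean"
cat "$work/INBOX.new" "$work/INBOX.clean" > "$work/INBOX.repaired"
echo "split at byte $error_at; moved $(size_of "$work/badmsg.2") bytes of junk to badmsg.2"
```

On a real mailbox, run split_at_offset with the number from the syslog message, open INBOX.new with Pine to deal with the probably-damaged last message (badmsg.1), and only then trim and reassemble.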
_________________________________________________________________
7.16 What do the syslog messages:

imap/tcp server failing (looping)
pop3/tcp server failing (looping)

mean? When it happens, the listed service shuts down. How can I fix
this?

The error message "server failing (looping), service
terminated" is not from either the IMAP or POP servers.
Instead, it comes from inetd, the daemon which listens for TCP
connections to a number of servers, including the IMAP and POP
servers.

inetd has a limit of 40 new server sessions per minute for any
particular service. If more than 40 sessions are initiated in a
minute, inetd will issue the "failing (looping), service
terminated" message and shut down the service for 10 minutes.
inetd does this to prevent system resource consumption by a
client which is spawning infinite numbers of servers. It should
be noted that this is a denial of service: any single client
that can open more than 40 connections in a minute takes the
service away from every user for 10 minutes. However, for some
systems the alternative is a crash which would be a worse
denial of service!

For larger server systems, the limit of 40 is much too low. The
limit was established many years ago when a system typically
only ran a few dozen servers.

On some versions of inetd, such as the one distributed with
most versions of Linux, you can modify the /etc/inetd.conf file
to have a larger number of servers by appending a period
followed by a number after the nowait word for the server
entry. For example, if your existing /etc/inetd.conf line
reads:

imap stream tcp nowait root /usr/etc/imapd imapd

try changing it to be:

imap stream tcp nowait.100 root /usr/etc/imapd imapd

Another example (using TCP wrappers):

imap stream tcp nowait root /usr/sbin/tcpd imapd

try changing it to be:

imap stream tcp nowait.100 root /usr/sbin/tcpd imapd

to increase the limit to 100 sessions/minute.

Before making this change, please read the information in "man
inetd" to determine whether or not your inetd has this feature.
If it does not, and you make this change, the likely outcome is
that you will disable IMAP service entirely.

Another way to fix this problem is to edit the inetd.c source
code (provided by your UNIX system vendor) to set higher
limits, rebuild inetd, install the new binary, and reboot your
system. This should only be done by a UNIX system expert. In
the inetd.c source code, the limit TOOMANY (normally 40) is
the maximum number of new server sessions permitted per minute,
and RETRYTIME (normally 600) is the number of seconds inetd
will shut down the server after it exceeds TOOMANY.
_________________________________________________________________
7.17 What does the syslog message: Mailbox lock file /tmp/.600.1df3
open failure: Permission denied mean?

This usually means that some "helpful" security script person
has protected /tmp so that it is no longer world-writeable.
/tmp must be world-writeable because lots of applications use
it for scratch space. To fix this, do

chmod 1777 /tmp

as root. (The leading 1 is the sticky bit: anyone can create
files in /tmp, but only a file's owner can remove or rename
it, which is what keeps a world-writeable /tmp tolerable.)

If that isn't the answer, check the protection of the named
file. If it is something other than 666, then either someone is
hacking or some "helpful" person modified the code to have a
different default lock file protection.
_________________________________________________________________
7.18 What do the syslog messages:
Command stream end of file, while reading line user=... host=...
Command stream end of file, while reading char user=... host=...
Command stream end of file, while writing text user=... host=...

mean?

This message occurs when the session is disconnected without a
proper LOGOUT (IMAP) or QUIT (POP) command being received by
the server first.

In many cases, this is perfectly normal; many client
implementations are impolite and do this. Some programmers
think this sort of rudeness is "more efficient".

The condition could, however, indicate a client or network
connectivity problem. The server has no way of knowing whether
there's a problem or just a rude client, so it issues this
message instead of a Logout.

Certain inferior losing clients disconnect abruptly after a
failed login, and instead of saying that the login failed, just
say that they can't access the mailbox. They then complain to
the system manager, who looks in the syslog and finds this
message. Not very helpful, eh? See the answer to the Why can't
I log in to the server? The user name and password are right!
question.

If the user isn't reporting a problem, you can probably ignore
this message.
_________________________________________________________________
7.19 Why did my POP or IMAP session suddenly disconnect? The syslog
has the message: Killed (lost mailbox lock) user=... host=...

This message only happens when either the traditional UNIX
mailbox format or MMDF format is in use. These formats only
allow one session to have the mailbox open read/write at a
time.

The servers assume that if a second session attempts to open
the mailbox, that means that the first session is probably
owned by an abandoned client. The common scenario here is a
user who leaves his client running at the office, and then
tries to read his mail from home. Through an internal mechanism
called "kiss of death", the second session requests the first
session to kill itself. When the first session receives the
"kiss of death", it issues the "Killed (lost mailbox lock)"
syslog message and terminates. The second session then seizes
read/write access, and becomes the new "first" session.

Certain poorly-designed clients routinely open multiple
sessions to the same mailbox; the users of those clients tend
to get this message a lot.

Another cause of this message is a background "check for new
mail" task which does its work by opening a POP session to the
server every few seconds. They do this because POP doesn't have
a way to announce new mail.

The solution to both situations is to replace the client with a
good online IMAP client such as Pine. Life is too short to
waste on POP clients and poorly-designed IMAP clients.
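The four syslog messages discussed in 7.16 through 7.19 are easiest to act on when counted per user, because the diagnosis in each case (a client opening sessions in a loop, a user running two clients against one mailbox, a user who is not complaining at all) depends on who is generating them and how often. The following awk/sh triage is an added example, not part of the IMAP toolkit; the sample log lines are constructed, with a generic syslog prefix, and only the message text and the "user=" field from this FAQ are relied on.

```shell
# Added example: count the syslog messages from FAQ 7.16-7.19 per user.
# Not part of the IMAP toolkit; the log lines below are constructed.
set -eu

# triage_syslog LOG: prints "count event user" lines, most frequent
# first. Lines that match none of the known messages are ignored, and
# messages without a user= field are attributed to "-".
triage_syslog() {
    awk '
        { ev = "" }
        /Killed \(lost mailbox lock\)/         { ev = "lost-lock" }          # 7.19
        /Command stream end of file/          { ev = "abrupt-disconnect" }  # 7.18
        /server failing \(looping\)/          { ev = "inetd-rate-limit" }   # 7.16
        /Mailbox lock file .* open failure/   { ev = "lockfile-perms" }     # 7.17
        ev != "" {
            user = "-"
            if (match($0, /user=[^ ]+/)) user = substr($0, RSTART + 5, RLENGTH - 5)
            n[ev " " user]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2,2 -k3,3
}

# count_event LOG EVENT USER: occurrences of EVENT for USER (0 if none)
count_event() {
    triage_syslog "$1" | awk -v e="$2" -v u="$3" '$2 == e && $3 == u { c = $1 } END { print c + 0 }'
}

# noisy_users LOG THRESHOLD: users whose lost-lock plus abrupt-disconnect
# count reaches THRESHOLD. These are the candidates for the "client that
# opens several sessions" explanation, not for a server-side bug.
noisy_users() {
    triage_syslog "$1" | awk -v t="$2" '
        $2 == "lost-lock" || $2 == "abrupt-disconnect" { s[$3] += $1 }
        END { for (u in s) if (s[u] >= t) print u }
    ' | sort
}

# Constructed sample log (hosts and users are made up)
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Sep 14 15:17:45 mailhost imapd[4011]: Killed (lost mailbox lock) user=alice host=desk.example.com
Sep 14 15:17:46 mailhost imapd[4012]: Login user=alice host=laptop.example.com
Sep 14 15:18:02 mailhost imapd[4012]: Killed (lost mailbox lock) user=alice host=laptop.example.com
Sep 14 15:18:40 mailhost imapd[4015]: Killed (lost mailbox lock) user=alice host=desk.example.com
Sep 14 15:19:03 mailhost ipop3d[4020]: Command stream end of file, while reading line user=bob host=home.example.net
Sep 14 15:51:00 mailhost inetd[88]: imap/tcp server failing (looping), service terminated
Sep 14 15:52:30 mailhost imapd[4040]: Mailbox lock file /tmp/.600.1df3 open failure: Permission denied
Sep 14 15:53:00 mailhost imapd[4041]: Logout user=dave host=pc9.example.com
EOF

triage_syslog "$log"
echo "users with 3 or more lock kills / abrupt disconnects: $(noisy_users "$log" 3)"
```

A user who shows up in noisy_users while alternating between two hosts, as alice does above, is the office-and-home scenario from 7.19; a single host with many abrupt disconnects is more likely the failed-login case from 7.18.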
_________________________________________________________________
7.20 Why does my IMAP client show all the files on the system,
recursively from the UNIX root directory?
7.21 Why does my IMAP client show all of my files, recursively from my
UNIX home directory?

A well-written client should only show one level of hierarchy
and then stop, awaiting explicit user action before going
lower. However, some poorly-designed clients will recursively
list all files, which may be a very long list (especially if
you have symbolic links to directories that create a loop in
the filesystem graph!).

This behavior has also been observed in some third-party
c-client drivers, including maildir drivers. Consequently, this
problem has even been observed in Pine. It is important to
understand that this is not a problem in Pine or c-client; it
is a problem in the third-party driver. A Pine built without
that third-party driver will not have this problem.

See also the answer to Why does my IMAP client show all my
files in my home directory?
_________________________________________________________________
7.22 Why does my IMAP client show that I have mailboxes named
"#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"?

These are IMAP namespace names. They represent other
hierarchies in which messages may exist. These hierarchies may
not necessarily exist on a server, but the namespace name is
still in the namespace list in order to mark it as reserved.

A few poorly-designed clients display all namespace names as if
they were top-level mailboxes in a user's list of mailboxes,
whether or not they actually exist. This is a flaw in those
clients.
_________________________________________________________________
7.23 Why does my IMAP client show all my files in my home directory?

As distributed, the IMAP server is connected to your home
directory by default. It has no way of knowing what you might
call "mail" as opposed to "some other file"; in fact, you can
use IMAP to access any file.

Most clients have an option to configure your connected
directory on the IMAP server. For example, in Pine you can
specify this as the "Path" in your folder-collection, e.g.

Nickname : Secondary Folders
Server : imap.example.com
Path : mail/
View :

In this example, the user is connected to the "mail"
subdirectory of his home directory.

Other servers call this the "folder prefix" or similar term.

It is possible to modify the IMAP server so that all users are
automatically connected to some other directory, e.g. a
subdirectory of the user's home directory. Read the file CONFIG
for more details.
_________________________________________________________________
7.24 Why is there a long delay before I get connected to the IMAP or
POP server, no matter what client I use?

There are two common occurrences of this problem:

+ You are running a system (e.g. certain versions of Linux)
which by default attempts to connect to an "IDENT" protocol
(port 113) server on your client. However, a firewall or NAT
box is blocking connections to that port, so the connection
attempt times out.
The IDENT protocol is a well-known bad idea that does not
deliver any real security but causes incredible problems. The
idea is that this will give the server a record of the user
name, or at least what some program listening on port 113
says is the user name. So, if somebody coming from port nnnnn
on a system does something bad, IDENT may give you the userid
of the bad guy.
The problem is, IDENT is only meaningful on a timesharing
system which has an administrator who is privileged and users
who are not. It is of no value on a personal system which has
no separate concept of "system administrator" vs.
"unprivileged user".
On either type of system, security-minded people either turn
IDENT off or replace it with an IDENT server that lies. Among
other things, IDENT gives spammers the ability to harvest
email addresses from anyone who connects to a web page.
This problem has been showing up quite frequently on systems
which use xinetd instead of inetd. Look for files named
/etc/xinetd.conf, /etc/xinetd.d/imapd, /etc/xinetd.d/ipop2d,
and /etc/xinetd.d/ipop3d. In those files, look for lines
containing "USERID", e.g.
log_on_success += USERID
Hunt down such lines, and delete them ruthlessly from all
files in which they occur. Don't be shy about it.
+ The DNS is taking a long time to do a reverse DNS (PTR
record) lookup of the IP address of your client. This is a
problem in your DNS, which either you or your ISP need to
resolve. Ideally, the DNS should return the client's name;
but if it can't it should at least return an error quickly.

As you may have noticed, neither of these are actual problems
in the IMAP or POP servers; they are configuration issues with
either your system or your network infrastructure. If this is
all new to you, run (don't walk) to the nearest technical
bookstore and get yourself a good pedagogical text on system
administration for the type of system you are running.
_________________________________________________________________
7.25 Why is there a long delay in Pine or any other c-client based
application call before I get connected to the IMAP server? The hang
seems to be in the c-client mail_open() call. I don't have this
problem with any other IMAP client. There is no delay connecting to a
POP3 or NNTP server with mail_open().

By default, the c-client library attempts to make a connection
through rsh (and ssh, if you enable that). If the command:

rsh imapserver exec /etc/rimapd

(or ssh if that is enabled) returns with a "* PREAUTH"
response, it will use the resulting rsh session as the IMAP
session and not require an authentication step on the server.

Unfortunately, rsh has a design error that treats "TCP
connection refused" as "temporary failure, try again"; it
expects the "rsh not allowed" case to be implemented as a
successful connection followed by an error message and a close
of the connection.

It must be emphasized that this is a bug in rsh. It is not a
bug in the IMAP toolkit.

The use of rsh can be disabled in any of the following ways:

+ You can disable it for this particular session by either:
o setting an explicit port number in the mailbox name,
e.g.
{imapserver.foo.com:143}INBOX
o using SSL (the /ssl switch)
+ You can disable rsh globally by setting the rsh timeout value
to 0 with the call:
mail_parameters (NIL,SET_RSHTIMEOUT,0);
_________________________________________________________________
7.26 Why does a message sometimes get split into two or more messages
on my SUN system?

This is caused by an interaction of two independent design
problems in SUN mail software. The first problem is that the
"forward message" option in SUN's mail tool program includes
the internal "From " header line in the text that it forwards.
This internal header line is specific to traditional UNIX
mailbox files and is not suitable for use in forwarded
messages.

The second problem is that the mail delivery agent assumes that
mail reading programs will not use the traditional UNIX mailbox
format but instead an incompatible variant that depends upon a
Content-Length: message header. Content-Length is widely
recognized to have been a terrible mistake, and is no longer
recommended for use in mail (it is used in other facilities
that use MIME).

One symptom of the problem is that under certain circumstances,
a message may get broken up into several messages. I'm also
aware of security bugs caused by programs that foolishly trust
"Content-Length:" headers with evil values.

To fix the mailer on your system, edit your sendmail.cf to
add the E flag to the F= field of the Mlocal line (the E
mailer flag tells sendmail to escape "From " lines in the
message body). A typical entry will look like:

Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnPE, S=10, R=20,
A=mail.local -d $u

This fix will also work around the problem with mail tool,
because it will insert a ">" before the internal header line to
prevent it from being interpreted by mail reading software as
an internal header line.
_________________________________________________________________
7.27 Why did my POP or IMAP session suddenly disconnect? The syslog
has the message:
Autologout user=<...my user name...> host=<...my client system...>

This is a problem in your client.

In the case of IMAP, it failed to communicate with the IMAP
server for over 30 minutes; in the case of POP, it failed to
communicate with the POP server for over 10 minutes.
_________________________________________________________________
7.28 What does the UNIX error message: TLS/SSL failure: myserver: SSL
negotiation failed mean?
7.29 What does the PC error message: TLS/SSL failure: myserver:
Unexpected TCP input disconnect mean?

This usually means that an attempt to negotiate TLS encryption
via the STARTTLS command failed, because the server advertises
STARTTLS functionality, but doesn't actually have it (e.g.
because no certificates are installed).

Use the /notls option in the mailbox name to disable TLS
negotiation. Bear in mind that the session, including any
plaintext password, then crosses the network unencrypted; the
real fix is on the server side, by installing the certificates
that STARTTLS needs.
_________________________________________________________________
7.30 What does the error message: TLS/SSL failure: myserver: Server
name does not match certificate mean?

An SSL or TLS session encryption failed because the server name
in the server's certificate does not match the name that you
gave it. This could indicate that the server is not really the
system you think that it is, but it can also be caused by your
having given a nickname for the server, or a name that was not
fully-qualified. You must use the fully-qualified domain name
for the server in order to validate its certificate.

Use the /novalidate-cert option in the mailbox name to disable
validation of the certificate. Before doing so, make sure the
mismatch really is a naming problem on your side; with
validation off, nothing stops an impostor from presenting any
certificate at all.
_________________________________________________________________
7.31 What does the UNIX error message: TLS/SSL failure: myserver:
self-signed certificate mean?
7.32 What does the PC error message: TLS/SSL failure: myserver:
Self-signed certificate or untrusted authority mean?

An SSL or TLS session encryption failed because your server's
certificate is "self-signed"; that is, it is not signed by any
Certificate Authority (CA) and thus can not be validated. A
CA-signed certificate costs money, and some smaller sites
either don't want to pay for it or haven't gotten one yet. The
bad part about this is that this means there is no guarantee
that the server is really the system you think that it is.

Use the /novalidate-cert option in the mailbox name to disable
validation of the certificate.
_________________________________________________________________
7.33 What does the UNIX error message: TLS/SSL failure: myserver:
unable to get local issuer certificate mean?

An SSL or TLS session encryption failed because your system
does not have the Certificate Authority (CA) certificates
installed in OpenSSL's certificates directory. On most systems,
this directory is /usr/local/ssl/certs. As a result, it is not
possible to validate the server's certificate.

If CA certificates are properly installed, you should see
factory.pem and about a dozen other .pem names such as
thawteCb.pem.

As a workaround, you can use the /novalidate-cert option in the
mailbox name to disable validation of the certificate; however,
note that you are then vulnerable to various security attacks
by bad guys.

The correct fix is to copy all the files from the certs/
directory in the OpenSSL distribution to the
/usr/local/ssl/certs (or whatever) directory. Note that you
need to do this after building OpenSSL, because the OpenSSL
build creates a number of needed symbolic links. For some
bizarre reason, the OpenSSL "make install" doesn't do this for
you, so you must do it manually.
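The three failures in 7.30 through 7.33 (name mismatch, self-signed certificate, missing issuer certificate) are distinct conditions, and which one you are facing decides whether /novalidate-cert is a harmless workaround for a local naming slip or a blindfold. The following added example reproduces all three with a throwaway CA and "openssl verify", so the distinction can be seen offline before touching a real server. It is not from the IMAP toolkit; it needs the openssl command-line tool (1.1.1 or later), and the CA name, host name imap.example.com and the classify_cert labels are assumptions made for the example.

```shell
# Added example: tell the certificate-validation failures of FAQ 7.30-7.33
# apart with a throwaway CA. Not part of the IMAP toolkit; requires the
# openssl command-line tool. All names below are made up.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$work/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:imap.example.com
EOF

# Throwaway CA, a server certificate it signs for imap.example.com, and a
# self-signed server certificate of the kind a small site might deploy.
openssl req -x509 -config "$work/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj '/CN=Example Test CA' -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
openssl req -new -config "$work/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=imap.example.com' -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$work/server.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -extfile "$work/openssl.cnf" -extensions v3_server \
    -out "$work/server.pem" 2>/dev/null
openssl req -x509 -config "$work/openssl.cnf" -extensions v3_server -newkey rsa:2048 -nodes \
    -days 1 -subj '/CN=imap.example.com' -keyout "$work/self.key" -out "$work/self.pem" 2>/dev/null

# verify_cert CERT HOSTNAME [CAFILE]: openssl's verdict on stdout, its exit status returned.
# Without CAFILE only the default trust store is consulted, which is what a
# client with an empty /usr/local/ssl/certs effectively does.
verify_cert() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$3" -verify_hostname "$2" "$1" 2>&1
    else
        openssl verify -verify_hostname "$2" "$1" 2>&1
    fi
}

# classify_cert CERT HOSTNAME [CAFILE]: map the verdict onto the FAQ entries.
classify_cert() {
    if out=$(verify_cert "$@"); then
        echo ok
        return 0
    fi
    case "$out" in
        *"unable to get local issuer certificate"*) echo missing-ca ;;     # 7.33
        *[Ss]elf*signed*)                           echo self-signed ;;    # 7.31 / 7.32
        *[Hh]ostname*mismatch*)                     echo name-mismatch ;;  # 7.30
        *)                                          echo "other: $out" ;;
    esac
}

echo "CA-signed, CA installed, right name:  $(classify_cert "$work/server.pem" imap.example.com "$work/ca.pem")"
echo "CA-signed, CA missing:                $(classify_cert "$work/server.pem" imap.example.com)"
echo "self-signed:                          $(classify_cert "$work/self.pem" imap.example.com)"
echo "CA-signed, CA installed, nickname:    $(classify_cert "$work/server.pem" mail.example.org "$work/ca.pem")"
```

Only the last case is fixed by using the fully-qualified name as 7.30 advises; the second is fixed by installing the CA certificates as 7.33 describes; the third can only be fixed by the site operator. Pointing verify_cert at a certificate saved from a real server (for instance the output of "openssl s_client -showcerts") answers the same question for a production host.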
_________________________________________________________________
7.34 Why does reading certain messages hang when using Netscape? It
works fine with Pine!

There are two possible causes.

Check the mail syslog. If you see the message "Killed (lost
mailbox lock)" for the impacted user(s), read the FAQ entry
regarding that message.

Check the affected mailbox to see if there are embedded NUL
characters in the message. NULs in message texts are a
technical violation of both the message format and IMAP
specifications. Most clients don't care, but apparently
Netscape does.

You can work around this by rebuilding imapd with the
NETSCAPE_BRAIN_DAMAGE option set (see src/imapd/Makefile); this
will cause imapd to convert all NULs to 0x80 characters. A
better solution is to enable the feature in your MTA to
MIME-convert messages with binary content. See the
documentation for your MTA for how to do this.
_________________________________________________________________
7.35 Why does Netscape say that there's a problem with the IMAP server
and that I should "Contact your mail server administrator."?

Certain versions of Netscape do this when you click the Manage
Mail button, which uses an undocumented feature of Netscape's
proprietary IMAP server.

You can work around this by rebuilding imapd with the
NETSCAPE_BRAIN_DAMAGE option set (see src/imapd/Makefile) to a
URL that points either to an alternative IMAP client (e.g.
Pine) or perhaps to a homebrew mail account management page.
_________________________________________________________________
7.36 Why is one user creating huge numbers of IMAP or POP server
sessions?

The user is probably using Outlook Express, Eudora, or a
similar program. See the answer to the Help! My load average is
soaring and I see hundreds of POP and IMAP servers, many logged
in as the same user! question.
_________________________________________________________________
7.37 Why don't I get any new mail notifications from Outlook Express
or Outlook after a while?

This is a known bug in Outlook Express. Microsoft is aware of
the problem and its cause. They have informed us that they do
not have any plans to fix it at the present time.

The problem is also reported in Outlook 2000, but not verified.

Outlook Express uses the IMAP IDLE command to avoid having to
"ping" the server every few minutes for new mail.
Unfortunately, Outlook Express overlooks the part in the IDLE
specification which requires that a client terminate and
restart the IDLE before the IMAP 30 minute inactivity
autologout timer triggers.

When this happens, Outlook Express displays "Not connected" at
the bottom of the window. Since it's no longer connected to the
IMAP server, it isn't going to notice any new mail.

As soon as the user does anything that would cause an IMAP
operation, Outlook Express will reconnect and new mail will
flow again. If the user does something that causes an IMAP
operation at least every 29 minutes, the problem won't happen.

Modern versions of imapd attempt to work around the problem by
automatically reporting fake new mail after 29 minutes. This
causes Outlook Express to exit the IDLE state; as soon as this
happens imapd revokes the fake new mail. As long as this
behavior isn't known to cause problems with other clients, this
workaround will remain in imapd.
_________________________________________________________________
7.38 Why don't I get any new mail notifications from Entourage?

This is a known bug in Entourage.

You built an older version of imapd with the
MICROSOFT_BRAIN_DAMAGE option set, in order to disable support
for the IDLE command. However, Entourage won't get new mail
unless IDLE command support exists.

Note: the MICROSOFT_BRAIN_DAMAGE option no longer exists in
modern versions, as the Outlook Express problem which it
attempted to solve has been worked around in another way.
_________________________________________________________________
7.39 Why doesn't Entourage work at all?

It's hard to know. Entourage breaks almost every rule in the
book for IMAP. It is highly instructive to do a packet trace on
Entourage, as an example of how not to use IMAP. It does things
like STATUS (MESSAGES) on the currently selected mailbox and
re-fetching the same static data over and over again.

It seems that every time we understand what it is doing wrong
in Entourage and come up with a workaround, we learn about
something else that's broken.

Try building imapd with the ENTOURAGE_BRAIN_DAMAGE option set,
in order to disable the diagnostic that occurs when doing
STATUS on the currently selected mailbox.
_________________________________________________________________
7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all?

This is a bug in NSNOTIFY; it doesn't handle unsolicited data
from the server correctly.

Fortunately, there is no reason to use this program with IMAP;
NSNOTIFY is a polling program to let you know when new mail has
appeared in your maildrop. This is necessary with POP; but
since IMAP dynamically announces new mail in the session you're
better off (and will actually cause less load on the server!)
keeping your mail reading program's IMAP session open and letting
IMAP do the notifying for you.

Consequently, the recommended fix for the NSNOTIFY problem is
to delete the NSNOTIFY binary.
_________________________________________________________________
7.41 Why can't I connect via SSL to Eudora? It says the connection has
been broken, and in the server syslogs I see "Command stream end of
file".

There is a report that you can fix the problem by going into
Eudora's advanced network configuration menu and increasing the
network buffer size to 8192.
_________________________________________________________________
7.42 Sheesh. Aren't there any good IMAP clients out there?

Yes!

Pine is a wonderful client. It's fast, it uses IMAP well, and
it generates text mail (life is too short to waste on HTML
mail). Also, there are some really wonderful things in progress
in the Pine world.

There are some good GUI clients out there, mostly from smaller
vendors. Without naming names, look for the vendors who are
active in the IMAP protocol development community, and their
products.

Netscape, Eudora, and Outlook can be configured with enough
effort to be good citizens and work well for users, but they
can also be badly misconfigured, and often the misconfiguration
is the default.
_________________________________________________________________
7.43 But wait! PC Pine (or other PC program built with c-client)
crashes with the message incomplete SecBuffer exceeds maximum buffer
size when I use SSL connections. This is a bug in c-client, right?

It's a bug in the Microsoft SChannel.DLL, which implements SSL.
Microsoft admits it (albeit with an understatement: "it's not
fully RFC compliant"). The problem is that SChannel indicates
that the maximum SSL packet data size is 5 bytes smaller than
the actual maximum. Thus, any IMAP server which transmits a
maximum sized SSL packet will not work with PC Pine or any
other program which uses SChannel.

It can take a while for the problem to show up. The client has
to do something that causes at least 16K of contiguous data.
Many clients do partial fetching, which tends to reduce the
number of cases where this can happen. However, all software
which uses SChannel to support SSL is affected by this bug.

This problem does not affect UNIX code, since OpenSSL is used
on UNIX.

This problem most recently showed up with the CommunigatePro
IMAP server. They have an update which trims down their maximum
contiguous data to less than 16K, in order to work around the
problem.

This problem has also shown up with the Exchange IMAP server
with UNIX clients (including Pine built with an older version
of c-client) which send full-sized 16K SSL packets. Modern
c-client works around the problem by trimming down its maximum
outgoing SSL packet size to 8K.

Microsoft has developed a hotfix for this bug. Look up MSKB
article number 300562. Contrary to the article text which
implies that this is a Pine issue, this bug also affects
Microsoft Exchange server with *any* UNIX based client that
transmits full-sized SSL payloads.
_________________________________________________________________
7.44 My qpopper users keep on getting the DON'T DELETE THIS MESSAGE --
FOLDER INTERNAL DATA if they also use Pine or IMAP. How can I fix
this?

This is an incompatibility between qpopper and the c-client
library used by Pine, imapd, and ipop[23]d.

Assuming that you want to continue using qpopper, look into
qpopper's --enable-uw-kludge-flag configuration flag, which is
documented as "check for and hide UW 'Folder Internal Data'
messages".

The other alternative is to switch from qpopper to ipop3d.
_________________________________________________________________
7.45 Help! I installed the servers but I can't connect to them from my
client!

Review the installation instructions carefully. Make sure that
you have not skipped any of the steps. Make sure that you have
made the correct entries in the configuration files; pay
careful attention to the exact spelling of the service names
and the path names. Make sure as well that you have properly
restarted inetd.

If you have a system with Yellow Pages/NIS such as Solaris,
have you updated the service names there as well as in
/etc/services?

If you have a system with TCP wrappers, have you properly
updated the TCP wrapper files (e.g. /etc/hosts.allow and
/etc/hosts.deny) for the servers?

If you have a system which uses xinetd instead of inetd, have
you made sure that you have made the correct corresponding
xinetd changes for those services?

Try telnetting to the server port (143 for IMAP, 110 for POP3).
If you get a "refused" error, that probably means that you
don't have the service set up in inetd.conf. If the connection
opens and then closes with no message, the service is set up,
but either the path name of the server binary in inetd.conf is
wrong or your TCP wrappers are configured to deny access.

If you don't know how to make the corresponding changes to
these files, seek the help of a local expert for your system.
_________________________________________________________________
7.46 Why do I get the message Can not authenticate to SMTP server: 421
SMTP connection went away! and why did this happen? There was also
something about SECURITY PROBLEM: insecure server advertised
AUTH=PLAIN

Some versions of qmail, including that running on
mail.smtp.yahoo.com, disconnect the SMTP session if you fail to
authenticate prior to attempting to transmit mail. An attempt
to authenticate was made, but it failed because the server had
already disconnected.

To work around this, you need to specify /user=... in the host
name specification.

The SECURITY PROBLEM came about because the server advertised
the AUTH=PLAIN SASL authentication mechanism outside of a
TLS-encrypted session, in violation of RFC 4616. This message
is just a warning, and in fact occurred after the server had
disconnected.
_________________________________________________________________
7.47 Why do I get the message SMTP Authentication cancelled and why
did this happen? There was also something about SECURITY PROBLEM:
insecure server advertised AUTH=PLAIN

This is a bug in the SMTP server.

Some versions of qmail, including that running on
mail.smtp.yahoo.com, have a bug in their implementation of SASL
in their SMTP server, which renders it non-compliant with the
standard.

If the client does not provide an initial response in the
command line for an authentication mechanism whose profile does
not have an initial challenge, qmail issues a bogus response:

334 ok, go on

The problem is the "ok, go on". This violates RFC 4954's
requirement that the text part in a 334 response be a BASE64
encoded string; in other words, it is a protocol syntax error.

In the case of AUTH=PLAIN, RFC 4422 (page 7) requires that the
encoded string have no data. In other words, the appropriate
standards-compliant server response is "334" followed by a
SPACE and a CRLF.

The SECURITY PROBLEM came about because the server advertised
the AUTH=PLAIN SASL authentication mechanism outside of a
TLS-encrypted session, in violation of RFC 4616. This message
is just a warning, and is not related to the "Authentication
cancelled" problem.
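Both 7.46 and 7.47 describe the same exchange from the client's side, so one worked example covers them. The Python below is an added example, not code from the FAQ or from c-client: it validates a 334 continuation reply against RFC 4954 (so "334 ok, go on" is rejected as a syntax error while a bare "334 " is accepted), builds and decodes the RFC 4616 PLAIN message, decides whether a compliant client answers or cancels, and detects the condition behind the SECURITY PROBLEM warning, namely AUTH PLAIN advertised while TLS is not active. The EHLO reply is constructed, and the credentials are the example values from RFC 4616.

```python
"""Client-side checks for SMTP AUTH PLAIN (FAQ 7.46 and 7.47).

Added example; not code from the UW IMAP FAQ or the c-client library.
Hostnames and credentials are constructed or taken from RFC 4616's
own example; nothing here talks to a network.
"""
import base64
import binascii

# Constructed EHLO reply: PLAIN offered on a session with no TLS.
SAMPLE_EHLO = """\
250-mail.example.test
250-SIZE 20971520
250-AUTH PLAIN LOGIN
250 HELP
"""


def check_334(reply):
    """Validate a 334 continuation reply as RFC 4954 requires.

    The text after '334 ' must be base64; the empty string (the reply
    is exactly '334 ') is the correct form for a mechanism with no
    server challenge, such as PLAIN.  Returns (ok, challenge_or_reason).
    """
    if not reply.startswith('334'):
        return False, 'not a 334 reply'
    text = reply[3:]
    if text and not text.startswith(' '):
        return False, 'missing space after reply code'
    text = text[1:]
    try:
        return True, base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False, 'challenge text is not base64: %r' % text


def plain_initial_response(authcid, passwd, authzid=''):
    """Build the RFC 4616 PLAIN message, [authzid] NUL authcid NUL passwd,
    base64 encoded for use as the AUTH command's initial response."""
    for part in (authzid, authcid, passwd):
        if '\0' in part:
            raise ValueError('NUL is not allowed inside a PLAIN field')
    msg = ('%s\0%s\0%s' % (authzid, authcid, passwd)).encode('utf-8')
    return base64.b64encode(msg).decode('ascii')


def decode_plain(b64):
    """Inverse of plain_initial_response.  Base64 is encoding, not
    encryption: this is why RFC 4616 wants PLAIN under TLS."""
    parts = base64.b64decode(b64, validate=True).split(b'\0')
    if len(parts) != 3:
        raise ValueError('PLAIN message must have exactly three fields')
    return tuple(p.decode('utf-8') for p in parts)


def client_action(reply, authcid, passwd):
    """What a compliant client sends after 'AUTH PLAIN' with no initial
    response: the credentials if the server returned an empty 334, or a
    line holding only '*' (the RFC 4954 cancel) if the continuation is
    malformed, which is what the FAQ's 'Authentication cancelled'
    refers to."""
    ok, challenge = check_334(reply)
    if ok and challenge == b'':
        return plain_initial_response(authcid, passwd)
    return '*'


def insecure_plain_advertised(ehlo_reply, tls_active):
    """True when the EHLO reply advertises PLAIN and TLS is not active:
    the condition behind the SECURITY PROBLEM warning in the FAQ."""
    mechs = []
    for line in ehlo_reply.splitlines():
        # keyword lines look like '250-AUTH PLAIN LOGIN' or '250 AUTH ...'
        body = line[4:] if line[:3] == '250' and line[3:4] in '- ' else ''
        if body.upper().startswith(('AUTH ', 'AUTH=')):
            mechs += body[5:].split()
    return (not tls_active) and 'PLAIN' in [m.upper() for m in mechs]


if __name__ == '__main__':
    print(check_334('334 ok, go on'))          # qmail's bogus reply
    print(check_334('334 '))                   # the compliant reply
    print(client_action('334 ok, go on', 'tim', 'tanstaaftanstaaf'))
    print(insecure_plain_advertised(SAMPLE_EHLO, tls_active=False))
```

`decode_plain` is included to make the warning concrete: anyone who can read the session can recover the fields from the initial response, which is why advertising PLAIN before STARTTLS is flagged even when, as in 7.46, the server had already gone away.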
_________________________________________________________________
7.48 Why do I get the message Invalid base64 string when I try to
authenticate to a Cyrus server?

This slightly misleading message is the way that a Cyrus server
indicates that an authentication exchange was cancelled. It is
not indicative of a bug or protocol violation.

The most common reason that this happens is if the Cyrus server
offers Kerberos authentication, c-client is built with Kerberos
support, but your client system is not within the Kerberos
realm. In this case, the client code will try to authenticate
via Kerberos, fail to get the Kerberos credentials, cancel the
authentication attempt, and try the next available
authentication technology.
_________________________________________________________________
8. Where to Go For Additional Information
_________________________________________________________________

8.1 Where can I go to ask questions?
8.2 I have some ideas for enhancements to IMAP. Where should I go?

If you have questions about the IMAP protocol, or want to
participate in discussions of future directions of the IMAP
protocol, the appropriate mailing list is
imap-protocol@u.washington.edu. You can subscribe to this
list via imap-protocol-request@u.washington.edu

If you have questions about this software, you can send me
email directly or use the imap-uw@u.washington.edu mailing
list. You can subscribe to this list via
imap-uw-request@u.washington.edu

If you have general questions about the use of IMAP software
(not specific to the UW IMAP toolkit) use the
imap-use@u.washington.edu mailing list. You can subscribe to
this list via imap-use-request@u.washington.edu

You must be a subscriber to post to these lists. As an
alternative, you can use the comp.mail.imap newsgroup.
_________________________________________________________________

8.3 Where can I read more about IMAP and other email protocols?

We recommend Internet Email Protocols: A Developer's Guide, by
Kevin Johnson, published by Addison Wesley, ISBN 0-201-43288-9.
_________________________________________________________________

8.4 Where can I find out more about setting up and administering an
IMAP server?

We recommend Managing IMAP, by Dianna Mullet & Kevin Mullet,
published by O'Reilly, ISBN 0-596-00012-X.

This book also has an excellent comparison of the UW and Cyrus
IMAP servers.

Last Updated: 15 November 2007