| blob | 2fac001f65b04bfef4da649c163b19b571bbd06a |
2 [blue.gif] _Panda IMAP Frequently Asked Questions_
4 Table of Contents
6 * What is Panda IMAP?
7 * 1. General/Software Feature Questions
8 + 1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.?
9 + 1.2 I am currently using qpopper as my POP3 server on UNIX. Do
10 I need to replace it with ipop3d in order to run imapd?
11 + 1.3 Can I set up a POP or IMAP server on Windows XP, 2000, NT,
12 Me, 98, or 95?
13 + 1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS?
14 + 1.5 Can I set up a POP or IMAP server on Macintosh?
15 + 1.6 Can I set up a POP or IMAP server on VAX/VMS?
16 + 1.7 Can I set up a POP or IMAP server on TOPS-20?
17 + 1.8 Are hierarchical mailboxes supported?
18 + 1.9 Are "dual-use" mailboxes supported?
19 + 1.10 Can I have a mailbox that has both messages and
20 sub-mailboxes?
21 + 1.11 What is the difference between "mailbox" and "folder"?
22 + 1.12 What is the status of internationalization?
23 + 1.13 Can I use SSL?
24 + 1.14 Can I use TLS and the STARTTLS facility?
25 + 1.15 Can I use CRAM-MD5 authentication?
26 + 1.16 Can I use APOP authentication?
27 + 1.17 Can I use Kerberos V5?
28 + 1.18 Can I use PAM for plaintext passwords?
29 + 1.19 Can I use Kerberos 5 for plaintext passwords?
30 + 1.20 Can I use AFS for plaintext passwords?
31 + 1.21 Can I use DCE for plaintext passwords?
32 + 1.22 Can I use the CRAM-MD5 database for plaintext passwords?
33 + 1.23 Can I disable plaintext passwords?
34 + 1.24 Can I disable plaintext passwords on unencrypted
35 sessions, but allow them on encrypted sessions?
36 + 1.25 Can I use virtual hosts?
37 + 1.26 Can I use RPOP authentication?
38 + 1.27 Can I use Kerberos V4?
39 + 1.28 Is there support for S/Key or OTP?
40 + 1.29 Is there support for NTLM or SPA?
41 + 1.30 Is there support for mh?
42 + 1.31 Is there support for qmail and the maildir format?
43 + 1.32 Is there support for the Cyrus mailbox format?
44 + 1.33 Is this software Y2K compliant?
45 * 2. What Do I Need to Build This Software?
46 + 2.1 What do I need to build this software with SSL on UNIX?
47 + 2.2 What do I need to build this software with Kerberos V on
48 UNIX?
49 + 2.3 What do I need to use a C++ compiler with this software to
50 build my own application?
51 + 2.4 What do I need to build this software on Windows?
52 + 2.5 What do I need to build this software on DOS?
53 + 2.6 Can't I use Borland C to build this software on the PC?
54 + 2.7 What do I need to build this software on the Mac?
55 + 2.8 What do I need to build this software on VMS?
56 + 2.9 What do I need to build this software on TOPS-20?
57 + 2.10 What do I need to build this software on Amiga or OS/2?
58 + 2.11 What do I need to build this software on Windows CE?
59 * 3. Build and Configuration Questions
60 + 3.1 How do I configure the IMAP and POP servers on UNIX?
61 + 3.2 I built and installed the servers according to the BUILD
62 instructions. It can't be that easy. Don't I need to write a
63 config file?
64 + 3.3 How do I make the IMAP and POP servers look for INBOX at
65 some place other than the mail spool directory?
66 + 3.4 How do I make the IMAP server look for secondary folders
67 at some place other than the user's home directory?
68 + 3.5 How do I configure SSL?
69 + 3.6 How do I configure TLS and the STARTTLS facility?
70 + 3.7 How do I build/install OpenSSL and obtain/create
71 certificates for use with SSL?
72 + 3.8 How do I configure CRAM-MD5 authentication?
73 + 3.9 How do I configure APOP authentication?
74 + 3.10 How do I configure Kerberos V5?
75 + 3.11 How do I configure PAM for plaintext passwords?
76 + 3.12 It looks like all I have to do to make the server use
77 Kerberos is to build with PAM on my Linux system, and set it
78 up in PAM for Kerberos passwords. Right?
79 + 3.13 How do I configure Kerberos 5 for plaintext passwords?
80 + 3.14 How do I configure AFS for plaintext passwords?
81 + 3.15 How do I configure DCE for plaintext passwords?
82 + 3.16 How do I configure the CRAM-MD5 database for plaintext
83 passwords?
84 + 3.17 How do I disable plaintext passwords?
85 + 3.18 How do I disable plaintext passwords on unencrypted
86 sessions, but allow them in SSL or TLS sessions?
87 + 3.19 How do I configure virtual hosts?
88 + 3.20 Why do I get compiler warning messages such as:
89 o passing arg 3 of `scandir' from incompatible pointer type
90 o Pointers are not assignment-compatible.
91 o Argument #4 is not the correct type.
92 during the build?
93 + 3.21 Why do I get compiler warning messages such as
94 o Operation between types "void(*)(int)" and "void*" is not
95 allowed.
96 o Function argument assignment between types "void*" and
97 "void(*)(int)" is not allowed.
98 o Pointers are not assignment-compatible.
99 o Argument #5 is not the correct type.
100 during the build?
101 + 3.22 Why do I get linker warning messages such as:
102 o mtest.c:515: the `gets' function is dangerous and should
103 not be used.
104 during the build? Isn't this a security bug?
105 + 3.23 Why do I get linker warning messages such as:
106 o auth_ssl.c:92: the `tmpnam' function is dangerous and
107 should not be used.
108 during the build? Isn't this a security bug?
109 + 3.24 OK, suppose I see a warning message about a function
110 being "dangerous and should not be used" for something other
111 than this gets() or tmpnam() call?
112 * 4. Operational Questions
113 + 4.1 How can I enable anonymous IMAP logins?
114 + 4.2 How do I set up an alert message that each IMAP user will
115 see?
116 + 4.3 How does the c-client library choose which of its several
117 mechanisms to use to establish an IMAP connection to the
118 server? I noticed that it can connect on port 143, port 993,
119 via rsh, and via ssh.
120 + 4.4 I am using a TLS-capable IMAP server, so I don't need to
121 use /ssl to get encryption. However, I want to be certain that
122 my session is TLS encrypted before I send my password. How to
123 I do this?
124 + 4.5 How do I use one of the alternative formats described in
125 the formats.txt document? In particular, I hear that mbx
126 format will give me better performance and allow shared
127 access.
128 + 4.6 How do I set up shared mailboxes?
129 + 4.7 How can I make the server syslogs go to someplace other
130 than the mail syslog?
131 * 5. Security Questions
132 + 5.1 I see that the IMAP server allows access to arbitrary
133 files on the system, including /etc/passwd! How do I disable
134 this?
135 + 5.2 I've heard that IMAP servers are insecure. Is this true?
136 + 5.3 How do I know that I have the most secure version of the
137 server?
138 + 5.4 I see all these strcpy() and sprintf() calls, those are
139 unsafe, aren't they?
140 + 5.5 Those /tmp lock files are protected 666, is that really
141 right?
142 * 6. Why Did You Do This Strange Thing? Questions
143 + 6.1 Why don't you use GNU autoconfig / automake /
144 autoblurdybloop?
145 + 6.2 Why do you insist upon a build with -g? Doesn't it waste
146 disk and memory space?
147 + 6.3 Why don't you make c-client a shared library?
148 + 6.4 Why don't you use iconv() for internationalization
149 support?
150 + 6.5 Why is the IMAP server connected to the home directory by
151 default?
152 + 6.6 I have a Windows system. Why isn't the server plug and
153 play for me?
154 + 6.7 I looked at the UNIX SSL code and saw that you have the
155 SSL data payload size set to 8192 bytes. SSL allows 16K; why
156 aren't you using the full size?
157 + 6.8 Why is an mh format INBOX called #mhinbox instead of just
158 INBOX?
159 + 6.9 Why don't you support the maildir format?
160 + 6.10 Why don't you support the Cyrus format?
161 + 6.11 Why is it creating extra forks on my SVR4 system?
162 + 6.12 Why are you so fussy about the date/time format in the
163 internal "From " line in traditional UNIX mailbox files? My
164 other mail program just considers every line that starts with
165 "From " to be the start of the message.
166 + 6.13 Why is traditional UNIX format the default format?
167 + 6.14 Why do you write this "DON'T DELETE THIS MESSAGE --
168 FOLDER INTERNAL DATA" message at the start of traditional UNIX
169 and MMDF format mailboxes?
170 + 6.15 Why don't you stash the mailbox metadata in the first
171 real message of the mailbox instead of writing this fake
172 FOLDER INTERNAL DATA message?
173 + 6.16 Why aren't "dual-use" mailboxes the default?
174 + 6.17 Why do you use ucbcc to build on Solaris?
175 + 6.18 Why should I care about some old system with BSD
176 libraries? cc is the right thing on my Solaris system!
177 + 6.19 Why do you insist upon writing .lock files in the spool
178 directory?
179 + 6.20 Why should I care about compatibility with the past?
180 * 7. Problems and Annoyances
181 + 7.1 Help! My INBOX is empty! What happened to my messages?
182 + 7.2 Help! All my messages in a non-INBOX mailbox have been
183 concatenated into one message which claims to be from me and
184 has a subject of the file name of the mailbox! What's going
185 on?
186 + 7.3 Why do I get the message:
187 o CREATE failed: Can't create mailbox node xxxxxxxxx: File
188 exists
189 and how do I fix it?
190 + 7.4 Why can't I log in to the server? The user name and
191 password are right!
192 + 7.5 Help! My load average is soaring and I see hundreds of POP
193 and IMAP servers, many logged in as the same user!
194 + 7.6 Why does mail disappear even though I set "keep mail on
195 server"?
196 + 7.7 Why do I get the message
197 o Moved ##### bytes of new mail to /home/user/mbox from
198 /var/spool/mail/user
199 and why did this happen?
200 + 7.8 Why isn't it showing the local host name as a
201 fully-qualified domain name?
202 + 7.9 Why is the local host name in the From/Sender/Message-ID
203 headers of outgoing mail not coming out as a fully-qualified
204 domain name?
205 + 7.10 What does the message:
206 o Mailbox vulnerable - directory /var/spool/mail must have
207 1777 protection
208 mean? How can I fix this?
209 + 7.11 What does the message:
210 o Mailbox is open by another process, access is readonly
211 mean? How do I fix this?
212 + 7.12 What does the message:
213 o Can't get write access to mailbox, access is readonly
214 mean?
215 + 7.13 I set my POP3 client to "delete messages from server" but
216 they never get deleted. What is wrong?
217 + 7.14 What do messages such as:
218 o Message ... UID ... already has UID ...
219 o Message ... UID ... less than ...
220 o Message ... UID ... greater than last ...
221 o Invalid UID ... in message ..., rebuilding UIDs
222 mean?
223 + 7.15 What do the error messages:
224 o Unable to read internal header at ...
225 o Unable to find CRLF at ...
226 o Unable to parse internal header at ...
227 o Unable to parse message date at ...
228 o Unable to parse message flags at ...
229 o Unable to parse message UID at ...
230 o Unable to parse message size at ...
231 o Last message (at ... ) runs past end of file ...
232 mean? I am using mbx format.
233 + 7.16 What do the syslog messages:
234 o imap/tcp server failing (looping)
235 o pop3/tcp server failing (looping)
236 mean? When it happens, the listed service shuts down. How can
237 I fix this?
238 + 7.17 What does the syslog message:
239 o Mailbox lock file /tmp/.600.1df3 open failure: Permission
240 denied
241 mean?
242 + 7.18 What do the syslog messages:
243 o Command stream end of file, while reading line user=...
244 host=...
245 o Command stream end of file, while reading char user=...
246 host=...
247 o Command stream end of file, while writing text user=...
248 host=...
249 mean?
250 + 7.19 Why did my POP or IMAP session suddenly disconnect? The
251 syslog has the message:
252 o Killed (lost mailbox lock) user=... host=...
253 + 7.20 Why does my IMAP client show all the files on the system,
254 recursively from the UNIX root directory?
255 + 7.21 Why does my IMAP client show all of my files, recursively
256 from my UNIX home directory?
257 + 7.22 Why does my IMAP client show that I have mailboxes named
258 "#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"?
259 + 7.23 Why does my IMAP client show all my files in my home
260 directory?
261 + 7.24 Why is there a long delay before I get connected to the
262 IMAP or POP server, no matter what client I use?
263 + 7.25 Why is there a long delay in Alpine or any other c-client
264 based application call before I get connected to the IMAP
265 server? The hang seems to be in the c-client mail_open() call.
266 I don't have this problem with any other IMAP client. There is
267 no delay connecting to a POP3 or NNTP server with mail_open().
268 + 7.26 Why does a message sometimes get split into two or more
269 messages on my SUN system?
270 + 7.27 Why did my POP or IMAP session suddenly disconnect? The
271 syslog has the message:
272 o Autologout user=<...my user name...> host=<...my imap
273 server...>
274 + 7.28 What does the UNIX error message:
275 o TLS/SSL failure: myserver: SSL negotiation failed
276 mean?
277 + 7.29 What does the PC error message:
278 o TLS/SSL failure: myserver: Unexpected TCP input
279 disconnect
280 mean?
281 + 7.30 What does the error message:
282 o TLS/SSL failure: myserver: Server name does not match
283 certificate
284 mean?
285 + 7.31 What does the UNIX error message:
286 o TLS/SSL failure: myserver: self-signed certificate
287 mean?
288 + 7.32 What does the PC error message
289 o TLS/SSL failure: myserver: Self-signed certificate or
290 untrusted authority
291 mean?
292 + 7.33 What does the UNIX error message:
293 o TLS/SSL failure: myserver: unable to get local issuer
294 certificate
295 mean?
296 + 7.34 Why does reading certain messages hang when using
297 Netscape? It works fine with Alpine!
298 + 7.35 Why does Netscape say that there's a problem with the
299 IMAP server and that I should "Contact your mail server
300 administrator."?
301 + 7.36 Why is one user creating huge numbers of IMAP or POP
302 server sessions?
303 + 7.37 Why don't I get any new mail notifications from Outlook
304 Express or Outlook after a while?
305 + 7.38 Why don't I get any new mail notifications from
306 Entourage?
307 + 7.39 Why doesn't Entourage work at all?
308 + 7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all?
309 + 7.41 Why can't I connect via SSL to Eudora? It says the
310 connection has been broken, and in the server syslogs I see
311 "Command stream end of file".
312 + 7.42 Sheesh. Aren't there any good IMAP clients out there?
313 + 7.43 But wait! PC Alpine (or other PC program build with
314 c-client) crashes with the message
315 o incomplete SecBuffer exceeds maximum buffer size
316 when I use SSL connections. This is a bug in c-client, right?
317 + 7.44 My qpopper users keep on getting the DON'T DELETE THIS
318 MESSAGE -- FOLDER INTERNAL DATA if they also use Alpine or
319 IMAP. How can I fix this?
320 + 7.45 Help! I installed the servers but I can't connect to them
321 from my client!
322 + 7.46 Why do I get the message
323 o Can not authenticate to SMTP server: 421 SMTP connection
324 went away!
325 and why did this happen? There was also something about
326 o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
327 + 7.47 Why do I get the message
328 o SMTP Authentication cancelled
329 and why did this happen? There was also something about
330 o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
331 + 7.48 Why do I get the message
332 o Invalid base64 string
333 when I try to authenticate to a Cyrus server?
334 * 8. Where to Go For Additional Information
335 + 8.1 Where can I go to ask questions?
336 + 8.2 I have some ideas for enhancements to IMAP. Where should I
337 go?
338 + 8.3 Where can I read more about IMAP and other email
339 protocols?
340 + 8.4 Where can I find out more about setting up and
341 administering an IMAP server?
342 __________________________________________________________________
344 What is Panda IMAP?
346 Panda IMAP is a fork of the final University of Washington
347 version (imap-2007b). The current UW version is imap-2007e which
348 has only minor changes from imap-2007b. All of these changes (or
349 something better) are in Panda IMAP.
351 Panda IMAP is available by donation.
353 Back to top
354 __________________________________________________________________
356 1. General/Software Feature Questions
357 __________________________________________________________________
359 _1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.?_
361 Yes. Refer to the UNIX specific notes in files CONFIG and BUILD.
363 Back to top
364 __________________________________________________________________
366 _1.2 I am currently using qpopper as my POP3 server on UNIX. Do I need
367 to replace it with ipop3d in order to run imapd?_
369 Not necessarily.
371 Although ipop3d interoperates with imapd better than qpopper,
372 imapd and qpopper will work together. The few qpopper/imapd
373 interoperability issues mostly affect users who use both IMAP
374 and POP3 clients; those users would probably be better served if
375 their POP3 server is ipop3d.
377 If you are happy with qpopper and just want to add imapd, you
378 should do that, and defer a decision on changing qpopper to
379 ipop3d. That way, you can get comfortable with imapd's
380 performance, without changing anything for your qpopper users.
382 Many sites have subsequently decided to change from qpopper to
383 ipop3d in order to get better POP3/IMAP interoperability. If you
384 need to do this, you'll know. There also seems to be a way to
385 make qpopper work better with imapd; see the answer to the My
386 qpopper users keep on getting the DON'T DELETE THIS MESSAGE --
387 FOLDER INTERNAL DATA if they also use Alpine or IMAP. How can I
388 fix this? question.
390 Back to top
391 __________________________________________________________________
393 _1.3 Can I set up a POP or IMAP server on Windows XP, 2000, NT, Me, 98,
394 or 95?_
396 Yes. Refer to the NT specific notes in files CONFIG and BUILD.
397 Also, for DOS-based versions of Windows (Windows Me, 98, and 95)
398 you *must* set up CRAM-MD5 authentication, as described in
399 md5.txt.
401 There is no file access control on Windows 9x or Me, so you
402 probably will have to do modifications to env_unix.c to prevent
403 people from hacking others' mail.
405 Note, however, that the server is not plug and play the way it
406 is for UNIX.
408 Back to top
409 __________________________________________________________________
411 _1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS?_
412 _1.5 Can I set up a POP or IMAP server on Macintosh?_
413 _1.6 Can I set up a POP or IMAP server on VAX/VMS?_
415 Yes, it's just a small matter of programming.
417 Back to top
418 __________________________________________________________________
420 _1.7 Can I set up a POP or IMAP server on TOPS-20?_
422 You have a TOPS-20 system? Cool.
424 If IMAP2 (RFC 1176) is good enough for you, you can use MAPSER
425 which is about the ultimate gonzo pure TOPS-20 extended
426 addressing assembly language program. Unfortunately, IMAP2 is
427 barely good enough for Alpine these days, and most other IMAP
428 clients won't work with IMAP2 at all. Maybe someone will hack
429 MAPSER to do IMAP4rev1 some day.
431 We don't know if anyone wrote a POP3 server for TOPS-20. There
432 definitely was a POP2 server once upon a time.
434 Or you can port the POP and IMAP server from this IMAP toolkit
435 to it. All that you need for a first stab is to port the MTX
436 driver. That'll probably be just a couple of hours of hacking.
438 Back to top
439 __________________________________________________________________
441 _1.8 Are hierarchical mailboxes supported?_
442 _1.9 Are "dual-use" mailboxes supported?_
443 _1.10 Can I have a mailbox that has both messages and sub-mailboxes?_
445 Yes. However, there is one important caveat.
447 Some mailbox formats, including the default which is the
448 traditional UNIX mailbox format, are stored as a single file
449 containing all the messages. UNIX does not permit a name in the
450 filesystem to be both a file and a directory; consequently you
451 can not have a sub-mailbox within a mailbox that is in one of
452 these formats.
454 This is not a limitation of the software; this is a limitation
455 of UNIX. For example, there are mailbox formats in which the
456 name is a directory and each message is a file within that
457 directory; these formats support sub-mailboxes within such
458 mailboxes. However, for technical reasons, the "flat file"
459 formats are generally preferred since they perform better. Read
460 imap-2010/docs/formats.txt for more information on this topic.
462 It is always permissible to create a directory that is not a
463 mailbox, and have sub-mailboxes under it. The easiest way to
464 create a directory is to create a new mailbox inside a directory
465 that doesn't already exist. For example, if you create
466 "Mail/testbox" on UNIX, the directory "Mail/" will automatically
467 be created and then the mailbox "testbox" will be created as a
468 sub-mailbox of "Mail/".
470 It is also possible to create the name "Mail/" directly. Check
471 the documentation for your client software to see how to do this
472 with that software.
474 Of course, on Windows systems you would use "\" instead of "/".
476 Back to top
477 __________________________________________________________________
479 _1.11 What is the difference between "mailbox" and "folder"?_
481 The term "mailbox" is IMAP-speak for what a lot of software
482 calls a "folder" or a "mail folder". However, "folder" is often
483 used in other contexts to refer to a directory, for example, in
484 the graphic user interface on both Windows and Macintosh.
486 A "mailbox" is specifically defined as a named object that
487 contains messages. It is not required to be capable of
488 containing other types of objects including other mailboxes;
489 although some mailbox formats will permit this.
491 In IMAP-speak, a mailbox which can not contain other mailboxes
492 is called a "no-inferiors mailbox". Similarly, a directory which
493 can not contain messages is not a mailbox and is called a
494 "no-select name".
496 Back to top
497 __________________________________________________________________
499 _1.12 What is the status of internationalization?_
501 The IMAP toolkit is partially internationalized and
502 multilingualized.
504 Searching is supported in the following charsets: US-ASCII,
505 UTF-8, ISO-8859-1, ISO-8859-2, ISO-8859-3, ISO-8859-4,
506 ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-9,
507 ISO-8859-10, ISO-8859-11, ISO-8859-13, ISO-8859-14, ISO-8859-15,
508 ISO-8859-16, KOI8-R, KOI8-U (alias KOI8-RU), TIS-620, VISCII,
509 ISO-2022-JP, ISO-2022-KR, ISO-2022-CN, ISO-2022-JP-1,
510 ISO-2022-JP-2, GB2312 (alias CN-GB), CN-GB-12345, BIG5 (alias
511 CN-BIG5), EUC-JP, EUC-KR, Shift_JIS, Shift-JIS, KS_C_5601-1987,
512 KS_C_5601-1992, WINDOWS_874, WINDOWS-1250, WINDOWS-1251,
513 WINDOWS-1252, WINDOWS-1253, WINDOWS-1254, WINDOWS-1255,
514 WINDOWS-1256, WINDOWS-1257, WINDOWS-1258.
516 All ISO-2022-?? charsets are treated identically, and support
517 ASCII, JIS Roman, hankaku katakana, ISO-8859-[1 - 10], TIS, GB
518 2312, JIS X 0208, JIS X 0212, KSC 5601, and planes 1 and 2 of
519 CNS 11643.
521 EUC-JP includes support for JIS X 0212 and hankaku katakana.
523 c-client library support also exists to convert text in any of
524 the above charsets into Unicode, including headers with MIME
525 encoded-words.
527 There is no support for localization (e.g. non-English error
528 messages) at the present time, but such support is planned.
530 Back to top
531 __________________________________________________________________
533 _1.13 Can I use SSL?_
535 Yes. See the answer to the How do I configure SSL? question.
537 Back to top
538 __________________________________________________________________
540 _1.14 Can I use TLS and the STARTTLS facility?_
542 Yes. See the answer to the How do I configure TLS and the
543 STARTTLS facility? question.
545 Back to top
546 __________________________________________________________________
548 _1.15 Can I use CRAM-MD5 authentication?_
550 Yes. See the answer to the How do I configure CRAM-MD5
551 authentication? question.
553 Back to top
554 __________________________________________________________________
556 _1.16 Can I use APOP authentication?_
558 Yes. See the How do I configure APOP authentication? question.
560 Note that there is no client support for APOP authentication.
562 Back to top
563 __________________________________________________________________
565 _1.17 Can I use Kerberos V5?_
567 Yes. See the answer to the How do I configure Kerberos V5?
568 question.
570 Back to top
571 __________________________________________________________________
573 _1.18 Can I use PAM for plaintext passwords?_
575 Yes. See the answer to the How do I configure PAM for plaintext
576 passwords? question.
578 Back to top
579 __________________________________________________________________
581 _1.19 Can I use Kerberos 5 for plaintext passwords?_
583 Yes. See the answer to the How do I configure Kerberos 5 for
584 plaintext passwords? question.
586 Back to top
587 __________________________________________________________________
589 _1.20 Can I use AFS for plaintext passwords?_
591 Yes. See the answer to the How do I configure AFS for plaintext
592 passwords? question.
594 Back to top
595 __________________________________________________________________
597 _1.21 Can I use DCE for plaintext passwords?_
599 Yes. See the answer to the How do I configure DCE for plaintext
600 passwords? question.
602 Back to top
603 __________________________________________________________________
605 _1.22 Can I use the CRAM-MD5 database for plaintext passwords?_
607 Yes. See the answer to the How do I configure the CRAM-MD5
608 database for plaintext passwords? question.
610 Back to top
611 __________________________________________________________________
613 _1.23 Can I disable plaintext passwords?_
615 Yes. See the answer to the How do I disable plaintext passwords?
616 question.
618 Back to top
619 __________________________________________________________________
621 _1.24 Can I disable plaintext passwords on unencrypted sessions, but
622 allow them on encrypted sessions?_
624 Yes. See the answer to the How do I disable plaintext passwords
625 on unencrypted sessions, but allow them in SSL or TLS sessions?
626 question.
628 Back to top
629 __________________________________________________________________
631 _1.25 Can I use virtual hosts?_
633 Yes. See the answer to the How do I configure virtual hosts?
634 question.
636 Back to top
637 __________________________________________________________________
639 _1.26 Can I use RPOP authentication?_
641 There is no support for RPOP authentication.
643 Back to top
644 __________________________________________________________________
646 _1.27 Can I use Kerberos V4?_
648 Kerberos V4 is not supported.
650 Back to top
651 __________________________________________________________________
653 _1.28 Is there support for S/Key or OTP?_
655 There is currently no support for S/Key or OTP. There may be an
656 OTP SASL authenticator available from third parties.
658 Back to top
659 __________________________________________________________________
661 _1.29 Is there support for NTLM or SPA?_
663 There is currently no support for NTLM or SPA, nor are there any
664 plans to add such support. In general, I avoid vendor-specific
665 mechanisms. I also believe that these mechanisms are being
666 deprecated by their vendor.
668 There may be an NTLM SASL authenticator available from third
669 parties.
671 Back to top
672 __________________________________________________________________
674 _1.30 Is there support for mh?_
676 Yes, but only as a legacy format. Your mh format INBOX is
677 accessed by the name "#mhinbox", and all other mh format
678 mailboxes are accessed by prefixing "#mh/" to the name, e.g.
679 "#mh/foo". The mh support uses the "Path:" entry in your
680 .mh_profile file to identify the root directory of your mh
681 format mailboxes.
683 Non-legacy use of mh format is not encouraged. There is no
684 support for permanent flags or unique identifiers; furthermore
685 there are known severe performance problems with the mh format.
687 Back to top
688 __________________________________________________________________
690 _1.31 Is there support for qmail and the maildir format?_
692 There is no support for qmail or the maildir format in our
693 distribution, nor are there any plans to add such support.
694 Maildir support may be available from third parties.
696 Back to top
697 __________________________________________________________________
699 _1.32 Is there support for the Cyrus mailbox format?_
701 No.
703 Back to top
704 __________________________________________________________________
706 _1.33 Is this software Y2K compliant?_
708 Please read the files Y2K and calendar.txt.
710 Back to top
711 __________________________________________________________________
713 2. What Do I Need to Build This Software?
714 __________________________________________________________________
716 _2.1 What do I need to build this software with SSL on UNIX?_
718 You need to build and install OpenSSL first.
720 Back to top
721 __________________________________________________________________
723 _2.2 What do I need to build this software with Kerberos V on UNIX?_
725 You need to build and install MIT Kerberos first.
727 Back to top
728 __________________________________________________________________
730 _2.3 What do I need to use a C++ compiler with this software to build
731 my own application?_
733 If you are building an application using the c-client library,
734 use the new c-client.h file instead of including the other
735 include files. It seems that c-client.h should define away all
736 the troublesome names that conflict with C++.
738 If you use gcc, you may need to use -fno-operator-names as well.
740 Back to top
741 __________________________________________________________________
743 _2.4 What do I need to build this software on Windows?_
745 You need Microsoft Visual C++ 6.0, Visual C++ .NET, or Visual C#
746 .NET (which you can buy from any computer store), along with the
747 Microsoft Platform SDK (which you can download from Microsoft's
748 web site).
750 You do not need to install the entire Platform SDK; it suffices
751 to install just the Core SDK and the Internet Development SDK.
753 Back to top
754 __________________________________________________________________
756 _2.5 What do I need to build this software on DOS?_
758 It's been several years since we last attempted to do this. At
759 the time, we used Microsoft C.
761 Back to top
762 __________________________________________________________________
764 _2.6 Can't I use Borland C to build this software on the PC?_
766 Probably not. If you know otherwise, please let us know.
768 Back to top
769 __________________________________________________________________
771 _2.7 What do I need to build this software on the Mac?_
773 It has been several years since we last attempted to do this. At
774 the time, we used Symantec THINK C; but today you'll need a C
775 compiler which allows segments to be more than 32K.
777 Back to top
778 __________________________________________________________________
780 _2.8 What do I need to build this software on VMS?_
782 You need the VMS C compiler, and either the Multinet or Netlib
783 TCP.
785 Back to top
786 __________________________________________________________________
788 _2.9 What do I need to build this software on TOPS-20?_
790 You need the TOPS-20 KCC compiler.
792 Back to top
793 __________________________________________________________________
795 _2.10 What do I need to build this software on Amiga or OS/2?_
797 We don't know.
799 Back to top
800 __________________________________________________________________
802 _2.11 What do I need to build this software on Windows CE?_
804 This port is incomplete. Someone needs to finish it.
806 Back to top
807 __________________________________________________________________
809 3. Build and Configuration Questions
810 __________________________________________________________________
812 _3.1 How do I configure the IMAP and POP servers on UNIX?_
813 _3.2 I built and installed the servers according to the BUILD
814 instructions. It can't be that easy. Don't I need to write a config
815 file?_
817 For ordinary "vanilla" UNIX systems, this software is plug and
818 play; just build it, install it, and you're done. If you have a
819 modified system, then you may want to do additional work; most
820 of this is to a single source code file (env_unix.c on UNIX
821 systems). Read the file CONFIG for more details.
823 Yes, it's that easy. There are some additional options, such as
824 SSL or Kerberos, which require additional steps to build. See
825 the relevant questions below.
827 Back to top
828 __________________________________________________________________
830 _3.3 How do I make the IMAP and POP servers look for INBOX at some
831 place other than the mail spool directory?_
832 _3.4 How do I make the IMAP server look for secondary folders at some
833 place other than the user's home directory?_
835 Please read the file CONFIG for discussion of this and other
836 issues.
838 Back to top
839 __________________________________________________________________
841 _3.5 How do I configure SSL?_
842 _3.6 How do I configure TLS and the STARTTLS facility?_
844 imap-2010 supports SSL and TLS client functionality on UNIX and
845 32-bit Windows for IMAP, POP3, SMTP, and NNTP; and SSL and TLS
846 server functionality on UNIX for IMAP and POP3.
848 UNIX SSL build requires that a third-party software package,
849 OpenSSL, be installed on the system first. Read
850 imap-2010/docs/SSLBUILD for more information.
852 SSL is supported via undocumented Microsoft interfaces in
853 Windows 9x and NT4; and via standard interfaces in Windows 2000,
854 Windows Millennium, and Windows XP.
856 Back to top
857 __________________________________________________________________
859 _3.7 How do I build/install OpenSSL and obtain/create certificates for
860 use with SSL?_
862 If you need help in doing this, try the contacts mentioned in
863 the OpenSSL README. We do not offer support for OpenSSL or
864 certificates.
866 Back to top
867 __________________________________________________________________
869 _3.8 How do I configure CRAM-MD5 authentication?_
870 _3.9 How do I configure APOP authentication?_
872 CRAM-MD5 authentication is enabled in the IMAP and POP3 client
873 code on all platforms. Read md5.txt to learn how to set up
874 CRAM-MD5 and APOP authentication on UNIX and NT servers.
876 There is no support for APOP client authentication.
878 Back to top
879 __________________________________________________________________
881 _3.10 How do I configure Kerberos V5?_
883 imap-2010 supports client and server functionality on UNIX and
884 32-bit Windows.
886 Kerberos V5 is supported by default in Windows 2000 builds:
888 nmake -f makefile.w2k
890 Other builds require that a third-party Kerberos package, e.g.
891 MIT Kerberos, be installed on the system first.
893 To build with Kerberos V5 on UNIX, include
894 EXTRAAUTHENTICATORS=gss in the make command line, e.g.
896 make lnp EXTRAAUTHENTICATORS=gss
898 To build with Kerberos V5 on Windows 9x, Windows Millennium, and
899 NT4, use the "makefile.ntk" file instead of "makefile.nt":
902 nmake -f makefile.ntk
904 Back to top
905 __________________________________________________________________
907 _3.11 How do I configure PAM for plaintext passwords?_
909 On Linux systems, use the lnp port, e.g.
911 make lnp
914 On Solaris systems and other systems with defective PAM
915 implementations, build with PASSWDTYPE=pmb, e.g.
917 make sol PASSWDTYPE=pmb
919 On all other systems, build with PASSWDTYPE=pam, e.g
921 make foo PASSWDTYPE=pam
923 If you build with PASSWDTYPE=pam and authentication does not
924 work, try rebuilding (after a "make clean") with PASSWDTYPE=pmb.
926 Back to top
927 __________________________________________________________________
929 _3.12 It looks like all I have to do to make the server use Kerberos is
930 to build with PAM on my Linux system, and set it up in PAM for Kerberos
931 passwords. Right?_
933 Yes and no.
935 Doing this will make plaintext password authentication use the
936 Kerberos password instead of the /etc/passwd password.
938 However, this will NOT give you Kerberos-secure authentication.
939 See the answer to the How do I configure Kerberos V5? question
940 for how to build with Kerberos-secure authentication.
942 Back to top
943 __________________________________________________________________
945 _3.13 How do I configure Kerberos 5 for plaintext passwords?_
947 Build with PASSWDTYPE=gss, e.g.
949 make sol PASSWDTYPE=gss
951 However, this will NOT give you Kerberos-secure authentication.
952 See the answer to the How do I configure Kerberos V5? question
953 for how to build with Kerberos-secure authentication.
955 Back to top
956 __________________________________________________________________
958 _3.14 How do I configure AFS for plaintext passwords?_
960 Build with PASSWDTYPE=afs, e.g
962 make sol PASSWDTYPE=afs
965 Back to top
966 __________________________________________________________________
968 _3.15 How do I configure DCE for plaintext passwords?_
970 Build with PASSWDTYPE=dce, e.g
972 make sol PASSWDTYPE=dce
974 Back to top
975 __________________________________________________________________
977 _3.16 How do I configure the CRAM-MD5 database for plaintext passwords?_
979 The CRAM-MD5 password database is automatically used for
980 plaintext password if it exists.
982 Note that this is NOT CRAM-MD5-secure authentication. You
983 probably want to consider disabling plaintext passwords for
984 non-SSL/TLS sessions. See the next two questions.
986 Back to top
987 __________________________________________________________________
989 _3.17 How do I disable plaintext passwords?_
991 Server-level plaintext passwords can be disabled by setting
992 PASSWDTYPE=nul, e.g.
994 make lnx EXTRAAUTHENTICATORS=gss PASSWDTYPE=nul
996 Note that you must have a CRAM-MD5 database installed or specify
997 at least one EXTRAAUTHENTICATOR, otherwise it will not be
998 possible to log in to the server.
1000 When plaintext passwords are disabled, the IMAP server will
1001 advertise the LOGINDISABLED capability and the POP3 server will
1002 not advertise the USER capability.
1004 Back to top
1006 _3.18 How do I disable plaintext passwords on unencrypted sessions, but
1007 allow them in SSL or TLS sessions?_
1009 Do not set PASSWDTYPE=nul or SSLTYPE=unix. Set SSLTYPE=nopwd
1010 instead, e.g.
1012 make lnx SSLTYPE=nopwd
1014 When plaintext passwords are disabled, the IMAP server will
1015 advertise the LOGINDISABLED capability and the POP3 server will
1016 not advertise the USER capability.
1018 Plaintext passwords will always be enabled in SSL sessions; the
1019 IMAP server will not advertise the LOGINDISABLED capability and
1020 the POP3 server will advertise the USER capability.
1022 If the client does a successful start-TLS in a non-SSL session,
1023 plaintext passwords will be enabled, and a new CAPABILITY or
1024 CAPA command (which is required after start-TLS) will show the
1025 effect as in SSL sessions.
1027 Back to top
1028 __________________________________________________________________
1030 _3.19 How do I configure virtual hosts?_
1032 This is automatic, but with certain restrictions.
1034 The most important one is that each virtual host must have its
1035 own IP address; otherwise the server has no way of knowing which
1036 virtual host is desired.
1038 As distributed, the software uses a global password file; hence
1039 user "fred" on one virtual host is "fred" on all virtual hosts.
1040 You may want to modify the checkpw() routine to implement some
1041 other policy (e.g. separate password files).
1043 Note that the security model assumes that all users have their
1044 own unique UNIX UID number. So if you use separate password
1045 files you should make certain that the UID numbers do not
1046 overlap between different files.
1048 More advanced virtual host support may be available as patches
1049 from third parties.
1051 Back to top
1052 __________________________________________________________________
1054 _3.20 Why do I get compiler warning messages such as:_
1055 passing arg 3 of `scandir' from incompatible pointer type
1056 Pointers are not assignment-compatible.
1057 Argument #4 is not the correct type.
1060 _during the build?_
1062 You can safely ignore these messages.
1064 Over the years, the prototype for scandir() has changed, and
1065 thus is variant across different UNIX platforms. In particular,
1066 the definitions of the third argument (type select_t) and fourth
1067 argument (type compar_t) have changed over the years, the issue
1068 being whether or not the arguments to the functions pointed to
1069 by these function pointers are of type const or not.
1071 The way that c-client calls scandir() will tend to generate
1072 these compiler warnings on newer systems such as Linux; however,
1073 it will still build. The problem with fixing the call is that
1074 then it won't build on older systems.
1076 Back to top
1077 __________________________________________________________________
1079 _3.21 Why do I get compiler warning messages such as_
1080 Operation between types "void(*)(int)" and "void*" is not allowed.
1081 Function argument assignment between types "void*" and "void(*)(int)" is not al
1082 lowed.
1083 Pointers are not assignment-compatible.
1084 Argument #5 is not the correct type.
1086 _during the build?_
1088 You can safely ignore these messages.
1090 All known systems have no problem with casting a function
1091 pointer to/from a void* pointer, certain C compilers issue a
1092 compiler diagnostic because this facility is listed as a "Common
1093 extension" by the C standard:
1095 K.5.7 Function pointer casts
1096 [#1] A pointer to an object or to void may be cast to a pointer
1097 to a function, allowing data to be invoked as a function (6.3.4).
1098 [#2] A pointer to a function may be cast to a pointer to an
1099 object or to void, allowing a function to be inspected or
1100 modified (for example, by a debugger) (6.3.4).
1103 It may be just a "common extension", but this facility is relied
1104 upon heavily by c-client.
1106 Back to top
1107 __________________________________________________________________
1109 _3.22 Why do I get linker warning messages such as:_
1110 mtest.c:515: the `gets' function is dangerous and should not be used.
1112 _during the build? Isn't this a security bug?_
1114 You can safely ignore this message.
1116 Certain linkers, most notably on Linux, give this warning
1117 message. It is indeed true that the traditional gets() function
1118 is not a safe one.
1120 However, the mtest program is only a demonstration program, a
1121 model of a very basic application program using c-client. It is
1122 not something that you would install, much less run in any
1123 security-sensitive context.
1125 mtest has numerous other shortcuts that you wouldn't want to do
1126 in a real application program.
1128 The only "security bug" with mtest would be if it was run by
1129 some script in a security-sensitive context, but mtest isn't
1130 particularly useful for such purposes. If you wanted to write a
1131 script to automate some email task using c-client, you'd be
1132 better off using imapd instead of mtest.
1134 mtest only has two legitimate uses. It's a useful testbed for me
1135 when debugging new versions of c-client, and it's useful as a
1136 model for someone writing a simple c-client application to see
1137 how the various calls work.
1139 By the way, if you need a more advanced example of c-client
1140 programming than mtest (and you probably will), I recommend that
1141 you look at the source code for imapd and Alpine.
1143 Back to top
1144 __________________________________________________________________
1146 _3.23 Why do I get linker warning messages such as:_
1147 auth_ssl.c:92: the `tmpnam' function is dangerous and should not be used.
1149 _during the build? Isn't this a security bug?_
1151 You can safely ignore this message.
1153 Certain linkers, most notably on Linux, give this warning
1154 message, based upon two known issues with tmpnam():
1156 there can be a buffer overflow if an inadequate buffer is
1157 allocated.
1158 there can be a timing race caused by certain incautious
1159 usage of the return value.
1161 Neither of these issues applies in the particular use that is
1162 made of tmpnam(). More importantly, the tmpnam() call is never
1163 executed on Linux systems.
1165 Back to top
1166 __________________________________________________________________
1168 _3.24 OK, suppose I see a warning message about a function being
1169 "dangerous and should not be used" for something other than this gets()
1170 or tmpnam() call?_
1172 Please forward the details for investigation.
1174 Back to top
1175 __________________________________________________________________
1177 4. Operational Questions
1178 __________________________________________________________________
1180 _4.1 How can I enable anonymous IMAP logins?_
1182 Create the file /etc/anonymous.newsgroups. At the present time,
1183 this file should be empty. This will permit IMAP logins as
1184 anonymous as well as the ANONYMOUS SASL authenticator. Anonymous
1185 users have access to mailboxes in the #news., #ftp/, and
1186 #public/ namespaces only.
1188 Back to top
1189 __________________________________________________________________
1191 _4.2 How do I set up an alert message that each IMAP user will see?_
1193 Create the file /etc/imapd.alert with the text of the message.
1194 This text should be kept to one line if possible. Note that this
1195 will cause an alert to every IMAP user every time they initiate
1196 an IMAP session, so it should only be used for critical
1197 messages.
1199 Back to top
1200 __________________________________________________________________
1202 _4.3 How does the c-client library choose which of its several
1203 mechanisms to use to establish an IMAP connection to the server? I
1204 noticed that it can connect on port 143, port 993, via rsh, and via
1205 ssh._
1207 c-client chooses how to establish an IMAP connection via the
1208 following rules:
1210 + If /ssl is specified, use an SSL connection. Fail otherwise.
1211 + Else if client is a UNIX system and "ssh server exec
1212 /etc/rimapd" works, use that
1213 + Else if /tryssl is specified and an SSL connection works, use
1214 that.
1215 + Else if client is a UNIX system and "rsh server exec
1216 /etc/rimapd" works, use that.
1217 + Else use a non-SSL connection.
1219 Back to top
1220 __________________________________________________________________
1222 _4.4 I am using a TLS-capable IMAP server, so I don't need to use /ssl
1223 to get encryption. However, I want to be certain that my session is TLS
1224 encrypted before I send my password. How to I do this?_
1226 Use the /tls option in the mailbox name. This will cause an
1227 error message and the connection to fail if the server does not
1228 negotiate STARTTLS.
1230 Back to top
1231 __________________________________________________________________
1233 _4.5 How do I use one of the alternative formats described in the
1234 formats.txt document? In particular, I hear that mix format will give
1235 me better performance and allow shared access._
1237 The rumors about mix format being preferred are true. It is
1238 faster than the traditional UNIX mailbox format and permits
1239 shared access.
1241 However, and this is _very important_, note that using an
1242 alternative mailbox format is an advanced facility, and only
1243 expert users should undertake it. If you don't understand any of
1244 the following notes, you may not be enough of an expert yet, and
1245 are probably better off not going this route until you are more
1246 comfortable with your understanding.
1248 Some of the formats, including mix, are only supported by the
1249 software based on the c-client library, and are not recognized
1250 by other mailbox programs. The "vi" editor may corrupt mailboxes
1251 written in these formats.
1253 Another problem is that the certain formats, including mix and
1254 mbx, use advanced file access and locking techniques that do
1255 _not_ work reliably with NFS. NFS is not a real filesystem. Use
1256 IMAP instead of NFS for distributed access.
1258 Each of the following steps are in escalating order of
1259 involvement. The further you go down this list, the more deeply
1260 committed you become:
1262 + The simplest way to create a mix-format mailbox is to prefix
1263 the name with "#driver.mix/" when creating a mailbox through
1264 c-client. For example, if you create "#driver.mix/foo", the
1265 mailbox "foo" will be created in mix format. Only use
1266 "#driver.mix/" when creating the mailbox. At all other times,
1267 just use the name ("foo" in this example); the software will
1268 automatically select the driver for mix whenever that mailbox
1269 is accessed without you doing anything else.
1270 + You can use the "mailutil copy" command to copy an existing
1271 mailbox to a new mailbox in mix format. Read the man page
1272 provided with the mailutil program for details.
1273 + If you create an mix-format INBOX, by creating
1274 "#driver.mix/INBOX" (note that "INBOX" must be all uppercase),
1275 then subsequent access to INBOX by any c-client based
1276 application will use the mix-format INBOX. Any mail delivered
1277 to the traditional format mailbox in the spool directory (e.g.
1278 /var/spool/mail/$USER) will automatically be copied into the
1279 mix-format INBOX and the spool directory copy removed.
1280 + You can cause any newly-created mailboxes to be in mix-format
1281 by default by changing the definition of CREATEPROTO=unixproto
1282 to be CREATEPROTO=mixproto in src/osdep/unix/Makefile, then
1283 rebuilding the IMAP toolkit (do a "make clean" first). Do not
1284 change EMPTYPROTO, since mix format mailboxes are directories
1285 and thus are never a zero-byte file. If you use Alpine or the
1286 imap-utils, you should probably also rebuild them with the new
1287 IMAP toolkit too.
1288 + You can deliver directly to the mix-format INBOX by use of the
1289 tmail or dmail programs. tmail is for direct invocation from
1290 sendmail (or whatever MTA program you use); dmail is for calls
1291 from procmail. Both of these programs have man pages which
1292 must be read carefully before making this change.
1294 Most other servers (e.g. Cyrus) require use of a non-standard
1295 format. A full-fledged format conversion is not significantly
1296 different from what you have to do with other servers. The
1297 difference, which makes format conversion procedures somewhat
1298 more complicated with this server, is that there is no "all or
1299 nothing" requirement with this server. There are many points in
1300 between. A format conversion can be anything from a single
1301 mailbox or single user, to systemwide.
1303 This is good in that you can decide how far to go, or do the
1304 steps incrementally as you become more comfortable with the
1305 result. On the other hand, there's no "One True Way" which can
1306 be boiled down to a simple set of pedagogical instructions.
1308 A number of sites have done full-fledged format conversions, and
1309 are reportedly quite happy with the results. Feel free to ask in
1310 the comp.mail.imap newsgroup for help.
1312 Back to top
1313 __________________________________________________________________
1315 _4.6 How do I set up shared mailboxes?_
1317 At the simplest level, a shared mailbox is one which has UNIX
1318 file and directory protections which permit multiple users to
1319 access it. What this means is that your existing skills and
1320 tools to create and manage shared files on your UNIX system
1321 apply to shared mailboxes; e.g.
1323 chmod 666 mailbox
1325 You may want to consider the use of a mailbox format which
1326 permits multiple simultaneous read/write sessions, such as the
1327 mix format. The traditional UNIX format only allows one
1328 read/write session to a mailbox at a time.
1330 An additional convenience item are three system directories,
1331 which can be set up for shared namespaces. These are: #ftp,
1332 #shared, and #public, and are defined by creating the associated
1333 UNIX users and home directories as described below.
1335 #ftp/ refers to the anonymous ftp filesystem exported by the ftp
1336 server, and is equivalent to the home directory for UNIX user
1337 "ftp". For example, #ftp/foo/bar refers to the file /foo/bar in
1338 the anonymous FTP filesystem, or ~ftp/foo/bar for normal users.
1339 Anonymous FTP files are available to anonymous IMAP logins. By
1340 default, newly-created files in #ftp/ are protected 644.
1342 #public/ refers to an IMAP toolkit convention called "public"
1343 files, and is equivalent to the home directory for UNIX user
1344 "imappublic". For example, #public/foo/bar refers to the file
1345 ~imappublic/foo/bar. Public files are available to anonymous
1346 IMAP logins. By default, newly-created files in #public are
1347 created with protection 0666.
1349 #shared/ refers to an IMAP toolkit convention called "shared"
1350 files, and is equivalent to the home directory for UNIX user
1351 "imapshared". For example, #shared/foo/bar refers to the file
1352 ~imapshared/foo/bar. Shared files are _not_ available to
1353 anonymous IMAP logins. By default, newly-created files in
1354 #shared are created with protection 0660.
1356 Back to top
1357 __________________________________________________________________
1359 _4.7 How can I make the server syslogs go to someplace other than the
1360 mail syslog?_
1362 The openlog() call that sets the syslog facility is in
1363 _src/osdep/unix/env_unix.c_ in routine _server_init()_. You need
1364 to edit this file to change the syslog facility from LOG_MAIL to
1365 the facility you want, then rebuild. You also need to set up
1366 your /etc/syslog.conf properly.
1368 Refer to the man pages for syslog and syslogd for more
1369 information on what the available syslog facilities are and how
1370 to configure syslogs. If you still don't understand what to do,
1371 find a UNIX system expert.
1373 Back to top
1374 __________________________________________________________________
1376 5. Security Questions
1377 __________________________________________________________________
1379 _5.1 I see that the IMAP server allows access to arbitrary files on the
1380 system, including /etc/passwd! How do I disable this?_
1382 You should not worry about this if your IMAP users are allowed
1383 shell access. The IMAP server does not permit any access that
1384 the user can not have via the shell.
1386 If, and only if, you deny your IMAP users shell access, you may
1387 want to consider one of three choices. Note that these choices
1388 reduce IMAP functionality, and may have undesirable side
1389 effects. Each of these choices involves an edit to file
1390 _src/osdep/unix/env_unix.c_
1392 The first (and recommended) choice is to set _restrictBox_ as
1393 described in file CONFIG. This will disable access to the
1394 filesystem root, to other users' home directory, and to superior
1395 directory.
1397 The second (and strongly NOT recommended) choice is to set
1398 _closedBox_ as described in file CONFIG. This puts each IMAP
1399 session into a so-called "chroot jail", and thus setting this
1400 option is _extremely_ dangerous; it can make your system much
1401 less secure and open to root compromise attacks. So do not use
1402 this option unless you are _absolutely certain_ that you
1403 understand all the issues of a "chroot jail."
1405 The third choice is to rewrite routine _mailboxfile()_ to
1406 implement whatever mapping from mailbox name to filesystem name
1407 (and restrictions) that you wish. This is the most general
1408 choice. As a guide, you can see at the start of routine
1409 _mailboxfile()_ what the _restrictBox_ choice does.
1411 Back to top
1412 __________________________________________________________________
1414 _5.2 I've heard that IMAP servers are insecure. Is this true?_
1416 There are no known security problems in this version of the IMAP
1417 toolkit, including the IMAP and POP servers. The IMAP and POP
1418 servers limit what can be done while not logged in, and as part
1419 of the login process discard all privileges except those of the
1420 user.
1422 As with other software packages, there have been buffer overflow
1423 vulnerabilities in past versions. All known problems of this
1424 nature are fixed in this version.
1426 There is every reason to believe that the bad guys are engaged
1427 in an ongoing effort to find vulnerabilities in the IMAP
1428 toolkit. We look for such problems, and when one is found we fix
1429 it.
1431 It's unfortunate that any vulnerabilities existed in past
1432 versions, and we're doing my best to keep the IMAP toolkit free
1433 of vulnerabilities. No new vulnerabilities have been discovered
1434 in quite a while, but efforts will not be relaxed.
1436 Beware of vendors who claim that their implementations can not
1437 have vulnerabilities.
1439 Back to top
1440 __________________________________________________________________
1442 _5.3 How do I know that I have the most secure version of the server?_
1444 The best way is to keep your server software up to date. The bad
1445 guys are always looking for ways to crack software, and when
1446 they find one, let all their friends know.
1448 Oldtimers used to refer to a concept of _software rot_: if your
1449 software hasn't been updated in a while, it would "rot" -- tend
1450 to acquire problems that it didn't have when it was new.
1452 Unfortunately, UW IMAP is rapidly succumbing to "software rot",
1453 as it is no longer being developed or maintained. If you have
1454 not yet switched to Panda IMAP, you should seriously consider
1455 doing so.
1457 Panda IMAP is available by donation. Donors are given a URL
1458 which they can use to download Panda IMAP, including future
1459 versions.
1461 Back to top
1462 __________________________________________________________________
1464 _5.4 I see all these strcpy() and sprintf() calls, those are unsafe,
1465 aren't they?_
1467 Yes and no.
1469 It can be unsafe to do these calls if you do not know that the
1470 string being written will fit in the buffer. However, they are
1471 perfectly safe if you do know that.
1473 Beware of programmers who advocate doing a brute-force change of
1474 all instances of
1476 strcpy (s,t);
1478 to
1480 strncpy (s,t,n)[n] = '\0';
1482 and similar measures in the name of "fixing all possible buffer
1483 overflows."
1485 There are examples in which a security bug was introduced
1486 because of this type of "fix", due to the programmer using the
1487 wrong value for n. In one case, the programmer thought that n
1488 was larger than it actually was, causing a NUL to be written out
1489 of the buffer; in another, n was too small, and a security
1490 credential was truncated.
1492 What is particularly ironic was that in both cases, the original
1493 strcpy() was safe, because the size of the source string was
1494 known to be safe.
1496 With all this in mind, the software has been inspected, and it
1497 is believed that all places where buffer overflows can happen
1498 have been fixed. The strcpy()s that are still are in the code
1499 occur after a size check was done in some other way.
1501 Note that the common C idiom of
1503 *s++ = c;
1505 is just as vulnerable to buffer overflows. You can't cure buffer
1506 overflows by outlawing certain functions, nor is it desirable to
1507 do so; sometimes operations like strcpy() translate into fast
1508 machine instructions for better performance.
1510 Nothing replaces careful study of code. That's how the bad guys
1511 find bugs. Security is not accomplished by means of brute-force
1512 shortcuts.
1514 Back to top
1515 __________________________________________________________________
1517 _5.5 Those /tmp lock files are protected 666, is that really right?_
1519 Yes. Shared mailboxes won't work otherwise. Also, you get into
1520 accidental denial of service problems with old lock files left
1521 lying around; this happens fairly frequently.
1523 The deliberate mischief that can be caused by fiddling with the
1524 lock files is small-scale; harassment level at most. There are
1525 many -- and much more effective -- other ways of harassing
1526 another user on UNIX. It's usually not difficult to determine
1527 the culprit.
1529 Before worrying about deliberate mischief, worry first about
1530 things happening by accident!
1532 Back to top
1533 __________________________________________________________________
1535 6. _Why Did You Do This Strange Thing?_ Questions
1536 __________________________________________________________________
1538 _6.1 Why don't you use GNU autoconfig / automake / autoblurdybloop?_
1540 Autoconfig et al are not available on all the platforms where
1541 the IMAP toolkit is supported; and do not work correctly on some
1542 of the platforms where they do exist. Furthermore, these
1543 programs add another layer of complexity to an already complex
1544 process.
1546 Coaxing software that uses autoconfig to build properly on
1547 platforms which were not specifically considered by that
1548 software wastes an inordinate amount of time. When (not if)
1549 autoconfig fails to do the right thing, the result is an
1550 impenetrable morass to untangle in order to find the problem and
1551 fix it.
1553 The concept behind autoconfig is good, but the execution is
1554 flawed. It rarely does the right thing on a platform that wasn't
1555 specifically considered. Human life is too short to debug
1556 autoconfig problems, especially since the current mechanism is
1557 so much easier.
1559 Back to top
1560 __________________________________________________________________
1562 _6.2 Why do you insist upon a build with -g? Doesn't it waste disk and
1563 memory space?_
1565 From time to time a submitted port has snuck in without -g. This
1566 has _always_ ended up causing problems. There are only two valid
1567 excuses for not using -g in a port:
1569 + The compiler does not support -g
1570 + An alternate form of -g is needed with optimization, e.g. -g3.
1572 There will be no new ports added without -g (or a suitable
1573 alternative) being set.
1575 -g has not been arbitrarily added to the ports which do not
1576 currently have it because we don't know if doing so would break
1577 the build. However, any support issues with one of those port
1578 _will_ lead to the correct -g setting being determined and
1579 permanently added.
1581 Processors are fast enough (and disk space is cheap enough) that
1582 -g should be automatic in all compilers with no way of turning
1583 it off, and /bin/strip should be a symlink to /bin/true. Human
1584 life is too short to deal with binaries built without -g. Such
1585 binaries should be a bad memory of the days of KIPS processors
1586 and disks that costs several dollars per kilobyte.
1588 Back to top
1589 __________________________________________________________________
1591 _6.3 Why don't you make c-client a shared library?_
1593 All too often, shared libraries create far more problems than
1594 they solve.
1596 Remember that you only gain the benefit of a shared library when
1597 there are multiple applications which use that shared library.
1598 Even without shared libraries, on most modern operating systems
1599 (and many ancient ones too!) applications will share their text
1600 segments between across multiple processes running the same
1601 application. This means that if your system only runs one
1602 application (e.g. imapd) that uses the c-client library, then
1603 you gain no benefit from making c-client a shared library even
1604 if it has 100 imapd processes. You will, however suffer added
1605 complexity.
1607 If you have a server system that just runs imapd and ipop3d,
1608 then making c-client a shared library will save just one copy of
1609 c-client no matter how many IMAP/POP3 processes are running.
1611 The problem with shared libraries is that you have to keep
1612 around a copy of the library every time something changes in the
1613 library that would affect the interface the library presents to
1614 the application. So, you end up having many copies of the same
1615 shared library.
1617 If you don't keep multiple copies of the shared library, then
1618 one of two things happens. If there was proper versioning, then
1619 you'll get a message such as "cannot open shared object file" or
1620 "minor versions don't match" and the application won't run.
1621 Otherwise, the application will run, but will fail in mysterious
1622 ways.
1624 Several sites and third-party distributors have modified the
1625 c-client makefile in order to make c-client be a shared library.
1626 _When_ (not _if_) a c-client based application fails in
1627 mysterious ways because of a library compatibility problem, the
1628 result is a bug report. A lot of time and effort ends up getting
1629 wasted investigating such bug reports.
1631 Memory is so cheap these days that it's not worth it. Human life
1632 is too short to deal with shared library compatibility problems.
1634 Back to top
1635 __________________________________________________________________
1637 _6.4 Why don't you use iconv() for internationalization support?_
1639 iconv() is not ubiquitous enough.
1641 Back to top
1642 __________________________________________________________________
1644 _6.5 Why is the IMAP server connected to the home directory by default?_
1646 The IMAP server has no way of knowing what you might call "mail"
1647 as opposed to "some other file"; in fact, you can use IMAP to
1648 access any file.
1650 The IMAP server also doesn't know whether your preferred
1651 subdirectory for mailbox files is "mail/", ".mail/", "Mail/",
1652 "Mailboxes/", or any of a zillion other possibilities. If one
1653 such name were chosen, it would undoubtably anger the partisans
1654 of all the other names.
1656 It is possible to modify the software so that the default
1657 connected directory is someplace else. Please read the file
1658 CONFIG for discussion of this and other issues.
1660 Back to top
1661 __________________________________________________________________
1663 _6.6 I have a Windows system. Why isn't the server plug and play for
1664 me?_
1666 There is no standard for how mail is stored on Windows; nor a
1667 single standard SMTP server. The closest to either would be the
1668 SMTP server in Microsoft's IIS.
1670 So there's no default by which to make assumptions. As the
1671 software is set up, it assumes that the each user has an Windows
1672 login account and private home directory, and that mail is
1673 stored on that home directory as files in one of the popular
1674 UNIX formats. It also assumes that there is some tool equivalent
1675 to inetd on UNIX that does the TCP/IP listening and server
1676 startup.
1678 Basically, unless you're an email software hacker, you probably
1679 want to look elsewhere if you want IMAP/POP servers for Windows.
1681 Back to top
1682 __________________________________________________________________
1684 _6.7 I looked at the UNIX SSL code and saw that you have the SSL data
1685 payload size set to 8192 bytes. SSL allows 16K; why aren't you using
1686 the full size?_
1688 This is to avoid an interoperability problem with:
1690 + PC IMAP clients that use Microsoft's SChannel.DLL (SSPI) for
1691 SSL support
1692 + Microsoft Exchange server (which also uses SChannel).
1694 SChannel has a bug that makes it think that the maximum SSL data
1695 payload size is 16379 bytes -- 5 bytes too small. Thus, c-client
1696 has to make sure that it never transmits full sized SSL packets.
1698 The reason for using 8K (as opposed to, say, 16379 bytes, or
1699 15K, or...) is that it corresponds with the TCP buffer size that
1700 the software uses elsewhere for input; there's a slight
1701 performance benefit to having the two sizes correspond or at
1702 least be a multiple of each other. Also, it keeps the size as a
1703 power of two, which might be significant on some platforms.
1705 There wasn't a significant difference that we could measure
1706 between 8K and 15K.
1708 Microsoft has developed a hotfix for this bug. Look up MSKB
1709 article number 300562. Contrary to the article text which
1710 implies that this is a Alpine issue, this bug also affects
1711 Microsoft Exchange server with _any_ client that transmits
1712 full-sized SSL payloads.
1714 Back to top
1715 __________________________________________________________________
1717 _6.8 Why is an mh format INBOX called #mhinbox instead of just INBOX?_
1719 It's a long story. In brief, the mh format driver is less
1720 functional than any of the other drivers. It turned out that
1721 there were some users (including high-level administrators) who
1722 tried mh years ago and no longer use it, but still had an mh
1723 profile left behind.
1725 When the mh driver used INBOX, it would see the mh profile, and
1726 proceed to move the user's INBOX into the mh format INBOX. This
1727 caused considerable confusion as some things stopped working.
1729 Back to top
1730 __________________________________________________________________
1732 _6.9 Why don't you support the maildir format?_
1734 It is technically difficult to support maildir in IMAP while
1735 maintaining acceptable performance, robustness, following the
1736 requirements of the IMAP protocol specification, and following
1737 the requirements of maildir.
1739 No one has succeeded in accomplishing all four together. The
1740 various maildir drivers offered as patches all have these
1741 problems. The problem is exacerbated because this implementation
1742 supports multiple formats; consequently this implementation
1743 can't make any performance shortcuts by assuming that all the
1744 world is maildir.
1746 We can't do a better job than the maildir fan community has done
1747 with their maildir drivers. Similarly, if the maildir fan
1748 community provides the maildir driver, they take on the
1749 responsibility for answering maildir-specific support questions.
1750 This is as it should be, and that is why maildir support is left
1751 to the maildir fan community.
1753 Back to top
1754 __________________________________________________________________
1756 _6.10 Why don't you support the Cyrus format?_
1758 There's no point to doing so. An implementation which supports
1759 multiple formats will never do as well as one which is optimized
1760 to support one single format.
1762 If you want to use Cyrus mailbox format, you should use the
1763 Cyrus server, which is the native implementation of that format
1764 and is specifically optimized for that format. That's also why
1765 Cyrus doesn't implement any other format.
1767 Back to top
1768 __________________________________________________________________
1770 _6.11 Why is it creating extra forks on my SVR4 system?_
1772 This is because your system only has fcntl() style locking and
1773 not flock() style locking. fcntl() locking has a design flaw
1774 that causes a close() to release any locks made by that process
1775 on the file opened on that file descriptor, even if the lock was
1776 made on a different file descriptor.
1778 This design flaw causes unexpected loss of lock, and consequent
1779 mailbox corruption. The workaround is to do certain "dangerous
1780 operations" in another fork, thus avoiding doing a close() in
1781 the vulnerable fork.
1783 The best way to solve this problem is to upgrade your SVR4
1784 (Solaris, AIX, HP-UX, SGI) or OSF/1 system to a more advanced
1785 operating system, such as Linux or BSD. These more advanced
1786 operating systems have fcntl() locking for compatibility with
1787 SVR4, but also have flock() locking.
1789 Beware of certain SVR4 systems, such as AIX, which have an
1790 "flock()" function in their C library that is just a jacket that
1791 does an fcntl() lock. This is not a true flock(), and has the
1792 same design flaw as fcntl().
1794 Back to top
1795 __________________________________________________________________
1797 _6.12 Why are you so fussy about the date/time format in the internal
1798 "From " line in traditional UNIX mailbox files? My other mail program
1799 just considers every line that starts with "From " to be the start of
1800 the message._
1802 You just answered your own question. If any line that starts
1803 with "From " is treated as the start of a message, then every
1804 message text line which starts with "From " has to be quoted
1805 (typically by prefixing a ">" character). People complain about
1806 this -- "why did a > get stuck in my message?"
1808 So, good mail reading software only considers a line to be a
1809 "From " line if it follows the actual specification for a
1810 "From " line. This means, among other things, that the day of
1811 week is fixed-format: "May 14", but "May 7" (note the extra
1812 space) as opposed to "May 7". ctime() format for the date is the
1813 most common, although POSIX also allows a numeric timezone after
1814 the year. For compatibility with ancient software, the seconds
1815 are optional, the timezone may appear before the year, the old
1816 3-letter timezones are also permitted, and "remote from xxx" may
1817 appear after the whole thing.
1819 Unfortunately, some software written by novices use other
1820 formats. The most common error is to have a variable-width day
1821 of month, perhaps in the erroneous belief that RFC 2822 (or RFC
1822 822) defines the format of the date/time in the "From " line (it
1823 doesn't; no RFC describes internal formats). I've seen a few
1824 other goofs, such as a single-digit second, but these are less
1825 common.
1827 If you are writing your own software that writes mailbox files,
1828 and you really aren't all that savvy with all the ins and outs
1829 and ancient history, you should seriously consider using the
1830 c-client library (e.g. routine mail_append()) instead of doing
1831 the file writes yourself. If you must do it yourself, use
1832 ctime(), as in:
1834 fprintf (mbx,"From %s@%h %s",user,host,ctime (time (0)));
1836 rather than try to figure out a good format yourself. ctime() is
1837 the most traditional format and nobody will flame you for using
1838 it.
1840 Back to top
1841 __________________________________________________________________
1843 _6.13 Why is traditional UNIX format the default format?_
1845 Compatibility with the past 30 or so years of UNIX history. This
1846 server is the only one that completely interoperates with legacy
1847 UNIX mail tools.
1849 Back to top
1850 __________________________________________________________________
1852 _6.14 Why do you write this "DON'T DELETE THIS MESSAGE -- FOLDER
1853 INTERNAL DATA" message at the start of traditional UNIX and MMDF format
1854 mailboxes?_
1856 This pseudo-message serves two purposes.
1858 First, it establishes the mailbox format even when the mailbox
1859 has no messages. Otherwise, a mailbox with no messages is a
1860 zero-byte file, which could be one of several formats.
1862 Second, it holds mailbox metadata used by IMAP: the UID
1863 validity, the last assigned UID, and mailbox keywords. Without
1864 this metadata, which must be preserved even when the mailbox has
1865 no messages, the traditional UNIX format wouldn't be able to
1866 support the full capabilities of IMAP.
1868 Back to top
1869 __________________________________________________________________
1871 _6.15 Why don't you stash the mailbox metadata in the first real
1872 message of the mailbox instead of writing this fake FOLDER INTERNAL
1873 DATA message?_
1875 In fact, that is what is done if the mailbox is non-empty and
1876 does not already have a FOLDER INTERNAL DATA message.
1878 One problem with doing that is that if some external program
1879 removes the first message, the metadata is lost and must be
1880 recreated, thus losing any prior UID or keyword list status that
1881 IMAP clients may depend upon.
1883 Another problem is that this doesn't help if the last message is
1884 deleted. This will result in an empty mailbox, and the necessity
1885 to create a FOLDER INTERNAL DATA message.
1887 Back to top
1888 __________________________________________________________________
1890 _6.16 Why aren't "dual-use" mailboxes the default?_
1892 Compatibility with the past 30 or so years of UNIX history, not
1893 to mention compatibility with user expectations when using shell
1894 tools.
1896 Back to top
1897 __________________________________________________________________
1899 _6.17 Why do you use ucbcc to build on Solaris?_
1901 It is a long, long story about why cc is set to ucbcc. You need
1902 to invoke the C compiler so that it links with the SVR4
1903 libraries and not the BSD libraries, otherwise readdir() will
1904 return the wrong information.
1906 Of all the names in the most common path, ucbcc is the only name
1907 to be found (on /usr/ccs/bin) that points to a suitable
1908 compiler. cc is likely to be /usr/ucb/cc which is absolutely not
1909 the compiler that you want. The real SVR4 cc is probably
1910 something like /opt/SUNWspro/bin/cc which is rarely in anyone's
1911 path by default.
1913 ucbcc is probably a link to acc, e.g.
1914 /opt/SUNWspro/SC4.0/bin/acc, and is the UCB C compiler using the
1915 SVR4 libraries.
1917 If ucbcc isn't on your system, then punt on the SUN C compiler
1918 and use gcc instead (the gso port instead of the sol port).
1920 If, in spite of all the above warnings, you choose to change
1921 "ucbcc" to "cc", you will probably find that the -O2 needs to be
1922 changed to -O. If you don't get any error messages with -O2,
1923 that's a pretty good indicator that you goofed and are running
1924 the compiler that will link with the BSD libraries.
1926 To recap:
1928 + The sol port is designed to be built using the UCB compiler
1929 using the SVR4 libraries. This compiler is "ucbcc", which is
1930 lunk to acc. You use -O2 as one of the CFLAGS.
1931 + If you build the sol port with the UCB compiler using the BSD
1932 libraries, you will get no error messages but you will get bad
1933 binaries (the most obvious symptom is dropping the first two
1934 characters return filenames from the imapd LIST command. This
1935 compiler also uses -O2, and is very often what the user gets
1936 from "cc". _BEWARE_
1937 + If you build the sol port with the real SVR4 compiler, which
1938 is often hidden away or unavailable on many systems, then you
1939 will get errors from -O2 and you need to change that to -O.
1940 But you will get a good binary. However, you should try it
1941 with -O2 first, to make sure that you got this compiler and
1942 not the UCB compiler using BSD libraries.
1944 Back to top
1945 __________________________________________________________________
1947 _6.18 Why should I care about some old system with BSD libraries? cc is
1948 the right thing on my Solaris system!_
1950 Because there still are sites that use such systems. On those
1951 systems, the assumption that "cc" does the right thing will lead
1952 to corrupt binaries with no error message or other warning that
1953 anything is amiss.
1955 Too many sites have fallen victim to this problem.
1957 Back to top
1958 __________________________________________________________________
1960 _6.19 Why do you insist upon writing .lock files in the spool
1961 directory?_
1963 Compatibility with the past 30 years of UNIX software which
1964 deals with the spool directory, especially software which
1965 delivers mail. Otherwise, it is possible to lose mail.
1967 Back to top
1968 __________________________________________________________________
1970 _6.20 Why should I care about compatibility with the past?_
1972 This is one of those questions in which the answer never
1973 convinces those who ask it. Somehow, everybody who ever asks
1974 this question ends up answering it for themselves as they get
1975 older, with the very answer that they rejected years earlier.
1977 Back to top
1978 __________________________________________________________________
1980 7. Problems and Annoyances
1981 __________________________________________________________________
1983 _7.1 Help! My INBOX is empty! What happened to my messages?_
1985 If you are seeing "0 messages" when you open INBOX and you know
1986 you have messages there (and perhaps have looked at your mail
1987 spool file and see that messages are there), then probably there
1988 is something wrong with the very first line of your mail spool
1989 file. Make sure that the first five bytes of the file are "From
1990 ", followed by an email address and a date/time in ctime()
1991 format, e.g.:
1993 From fred@foo.bar Mon May 7 20:54:30 2001
1995 Back to top
1996 __________________________________________________________________
1998 _7.2 Help! All my messages in a non-INBOX mailbox have been
1999 concatenated into one message which claims to be from me and has a
2000 subject of the file name of the mailbox! What's going on?_
2002 Something wrong with the very first line of the mailbox. Make
2003 sure that the first five bytes of the file are "From ", followed
2004 by an email address and a date/time in ctime() format, e.g.:
2006 From fred@foo.bar Mon May 7 20:54:30 2001
2008 Back to top
2009 __________________________________________________________________
2011 _7.3 Why do I get the message:_ CREATE failed: Can't create mailbox
2012 node xxxxxxxxx: File exists _and how do I fix it?_
2014 See the answer to the Are hierarchical mailboxes supported?
2015 question.
2017 Back to top
2018 __________________________________________________________________
2020 _7.4 Why can't I log in to the server? The user name and password are
2021 right!_
2023 There are a myriad number of possible answers to this question.
2024 The only way to say for sure what is wrong is run the server
2025 under a debugger such as gdb while root (yes, you must be root)
2026 with a breakpoint at routines checkpw() and loginpw(), then
2027 single-step until you see which test rejected you. The server
2028 isn't going to give any error messages other than "login failed"
2029 in the name of not giving out any unnecessary information to
2030 unauthorized individuals.
2032 Here are some of the more common reasons why login may fail:
2034 + You didn't really give the correct user name and/or password.
2035 + Your client doesn't send the LOGIN command correctly; for
2036 example, IMAP2 clients won't send a password containing a "*"
2037 correctly to an IMAP4 server.
2038 + If you have set up a CRAM-MD5 database, remember that the
2039 password used is the one in the CRAM-MD5 database, and
2040 furthermore that there must also be an entry in /etc/passwd
2041 (but the /etc/passwd password is not used).
2042 + If you are using PAM, have you created a service file for the
2043 server in /etc/pam.d?
2044 + If you are using shadow passwords, have you used an
2045 appropriate port when building? In particular, note that "lnx"
2046 is for Linux systems without shadow passwords; you probably
2047 want "slx" or "lnp" instead.
2048 + If your system has account or password expirations, check to
2049 see that the expiration date hasn't passed.
2050 + You can't log in as root or any other UID 0 user. This is for
2051 your own safety, not to mention the fact that the servers use
2052 UID 0 as meaning "not logged in".
2054 Back to top
2055 __________________________________________________________________
2057 _7.5 Help! My load average is soaring and I see hundreds of POP and
2058 IMAP servers, many logged in as the same user!_
2060 Certain inferior losing GUI mail reading programs have a
2061 "synchronize all mailboxes at startup" (IMAP) or "check for new
2062 mail every second" (POP) feature which causes a rapid and
2063 unchecked spawning of servers.
2065 This is not a problem in the server; the client is really asking
2066 for all those server sessions. Unfortunately, there isn't much
2067 that the POP and IMAP servers can do about it; they don't
2068 spawned themselves.
2070 Some sites have added code to record the number of server
2071 sessions spawned per user per hour, and disable login for a user
2072 who has exceeded a predetermined rate. This doesn't stop the
2073 servers from being spawned; it just means that a server session
2074 will commit suicide a bit faster.
2076 Another possibility is to detect excessive server spawning
2077 activity at the level where the server is spawned, which would
2078 be inetd or possibly tcpd. The problem here is that this is a
2079 hard time to quantify. 50 sessions in a minute from a multi-user
2080 timesharing system may be perfectly alright, whereas 10 sessions
2081 a minute from a PC may be too much.
2083 The real solution is to fix the client configuration, by
2084 disabling those evil features. Also tell the vendors of those
2085 clients how you feel about distributing denial-of-service attack
2086 tools in the guise of mail reading programs.
2088 Back to top
2089 __________________________________________________________________
2091 _7.6 Why does mail disappear even though I set "keep mail on server"?_
2092 _7.7 Why do I get the message_ Moved ##### bytes of new mail to
2093 /home/user/mbox from /var/spool/mail/user _and why did this happen?_
2095 This is probably caused by the mbox driver. If the file "mbox"
2096 exists on the user's home directory and is in UNIX mailbox
2097 format, then when INBOX is opened this file will be selected as
2098 INBOX instead of the mail spool file. Messages will be
2099 automatically transferred from the mail spool file into the mbox
2100 file.
2102 To disable this behavior, delete "mbox" from the EXTRADRIVERS
2103 list in the top-level Makefile and rebuild. Note that if you do
2104 this, users won't be able to access the messages that have
2105 already been moved to mbox unless they open mbox instead of
2106 INBOX.
2108 Back to top
2109 __________________________________________________________________
2111 _7.8 Why isn't it showing the local host name as a fully-qualified
2112 domain name?_
2113 _7.9 Why is the local host name in the From/Sender/Message-ID headers
2114 of outgoing mail not coming out as a fully-qualified domain name?_
2116 Your UNIX system is misconfigured. The entry for your system in
2117 /etc/hosts must have the fully-qualified domain name first, e.g.
2119 105.69.1.234 myserver.example.com myserver
2121 A common mistake of novice system administrators is to have the
2122 short name first, e.g.
2124 105.69.1.234 myserver myserver.example.com
2127 or to omit the fully qualified domain name entirely, e.g.
2129 105.69.1.234 myserver
2131 The result of this is that when the IMAP toolkit does a
2132 gethostbyname() call to get the fully-qualified domain name, it
2133 would get "myserver" instead of "myserver.example.com".
2135 On some systems, a configuration file (typically named
2136 /etc/svc.conf, /etc/netsvc.conf, or /etc/nsswitch.conf) can be
2137 used to configure the system to use the domain name system (DNS)
2138 instead of /etc/hosts, so it doesn't matter if /etc/hosts is
2139 misconfigured.
2141 Check the man pages for gethostbyname, hosts, svc, and/or netsvc
2142 for more information.
2144 Unfortunately, certain vendors, most notably SUN, have failed to
2145 make this clear in their documentation. Most of SUN's
2146 documentation assumes a corporate network that is not connected
2147 to the Internet.
2149 net.folklore once (late 1980s) held that the proper procedure
2150 was to append the results of getdomainname() to the name
2151 returned by gethostname(), and some versions of sendmail
2152 configuration files were distributed that did this. This was
2153 incorrect; the string returned from getdomainname() is the
2154 Yellow Pages (a.k.a NIS) domain name, which is a completely
2155 different (albeit unfortunately named) entity from an Internet
2156 domain. These were often fortuitously the same string, except
2157 when they weren't. Frequently, this would result in host names
2158 with spuriously doubled domain names, e.g.
2160 myserver.example.com.example.com
2163 This practice has been thoroughly discredited for many years,
2164 but folklore dies hard.
2166 Back to top
2167 __________________________________________________________________
2169 _7.10 What does the message:_ Mailbox vulnerable - directory
2170 /var/spool/mail must have 1777 protection _mean? How can I fix this?_
2172 In order to update a mailbox in the default UNIX format, it is
2173 necessary to create a lock file to prevent the mailer from
2174 delivering mail while an update is in progress. Some systems use
2175 a directory protection of 775, requiring that all mail handling
2176 programs be setgid mail; or of 755, requiring that all mail
2177 handling programs be setuid root.
2179 The IMAP toolkit does not run with any special privileges, and I
2180 plan to keep it that way. It is antithetical to the concept of a
2181 toolkit if users can't write their own programs to use it. Also,
2182 I've had enough bad experiences with security bugs while running
2183 privileged; the IMAP and POP servers have to be root when not
2184 logged in, in order to be able to log themselves in. I don't
2185 want to go any deeper down that slippery slope.
2187 Directory protection 1777 is secure enough on most well-managed
2188 systems. If you can't trust your users with a 1777 mail spool
2189 (petty harassment is about the limit of the abuse exposure),
2190 then you have much worse problems then that.
2192 If you absolutely insist upon requiring privileges to create a
2193 lock file, external file locking can be done via a setgid mail
2194 program named /etc/mlock (this is defined by LOCKPGM in the
2195 c-client Makefile). If the toolkit is unable to create a
2196 <...mailbox...>.lock file in the directory by itself, it will
2197 try to call mlock to do it. I do not recommend doing this for
2198 performance reasons.
2200 A sample mlock program is included as part of imap-2010. We have
2201 tried to make this sample program secure, but it has not been
2202 thoroughly audited.
2204 Back to top
2205 __________________________________________________________________
2207 _7.11 What does the message:_ Mailbox is open by another process,
2208 access is readonly _mean? How do I fix this?_
2210 A problem occurred in applying a lock to a /tmp lock file.
2211 Either some other program has the mailbox open and won't
2212 relenquish it, or something is wrong with the protection of /tmp
2213 or the lock.
2215 Make sure that the /tmp directory is protected 1777. Some
2216 security scripts incorrectly set the protection of the /tmp
2217 directory to 775, which disables /tmp for all non-privileged
2218 programs.
2220 Back to top
2221 __________________________________________________________________
2223 _7.12 What does the message:_ Can't get write access to mailbox, access
2224 is readonly _mean?_
2226 The mailbox file is write-protected against you.
2228 Back to top
2229 __________________________________________________________________
2231 _7.13 I set my POP3 client to "delete messages from server" but they
2232 never get deleted. What is wrong?_
2234 Make sure that your mailbox is not read-only: that the mailbox
2235 is owned by you and write enabled (protection 0600), and that
2236 the /tmp directory is longer world-writeable. /tmp must be
2237 world-writeable because lots of applications use it for scratch
2238 space. To fix this, do
2241 chmod 1777 /tmp
2243 as root.
2245 Make sure that your POP3 client issues a QUIT command when it
2246 finishes. The POP3 protocol specifies that deletions are
2247 discarded unless a proper QUIT is done.
2249 Make sure that you are not opening multiple POP3 sessions to the
2250 same mailbox. It is a requirement of the POP3 protocol than only
2251 one POP3 session be in effect to a mailbox at a time, however
2252 some, poorly-written POP3 clients violate this. Also, some
2253 background "check for new mail" tasks also cause a violation.
2254 See the answer to the What does the syslog message: Killed (lost
2255 mailbox lock) user=... host=... mean? question for more details.
2257 Back to top
2258 __________________________________________________________________
2260 _7.14 What do messages such as:_
2261 Message ... UID ... already has UID ...
2262 Message ... UID ... less than ...
2263 Message ... UID ... greater than last ...
2264 Invalid UID ... in message ..., rebuilding UIDs
2266 _mean?_
2268 Something happened to corrupt the unique identifier regime in
2269 the mailbox. In traditional UNIX-format mailboxes, this can
2270 happen if the user deleted the "DO NOT DELETE" internal message.
2272 This problem is relatively harmless; a new valid unique
2273 identifier regime will be created. The main effect is that any
2274 references to the old UIDs will no longer be useful.
2276 So, unless it is a chronic problem or you feel like debugging,
2277 you can safely ignore these messages.
2279 Back to top
2280 __________________________________________________________________
2282 _7.15 What do the error messages:_
2283 Unable to read internal header at ...
2284 Unable to find CRLF at ...
2285 Unable to parse internal header at ...
2286 Unable to parse message date at ...
2287 Unable to parse message flags at ...
2288 Unable to parse message UID at ...
2289 Unable to parse message size at ...
2290 Last message (at ... ) runs past end of file ...
2292 _mean? I am using mbx format._
2294 The mbx-format mailbox is corrupted and needs to be repaired.
2296 You should make an effort to find out why the corruption
2297 happened. Was there an obvious system problem (crash or disk
2298 failure)? Did the user accidentally access the file via NFS?
2299 Mailboxes don't get corrupted by themselves; something caused
2300 the problem.
2302 Some people have developed automated scripts, but if you're
2303 comfortable using emacs it's pretty easy to fix it manually. Do
2304 _not_ use vi or any other editor unless you are certain that
2305 editor can handle binary!!!
2307 If you are not comfortable with emacs, or if the file is too
2308 large to read with emacs, see the "step-by-step" technique later
2309 on for another way of doing it.
2311 After the word "at" in the error message is the byte position it
2312 got to when it got unhappy with the file, e.g. if you see:
2314 Unable to parse internal header at 43921: ne bombastic blurdybloop
2316 The problem occurs at the 43,931 byte in the file. That's the
2317 point you need to fix. c-client is expecting an internal header
2318 at that byte number, looking something like:
2320 6-Jan-1998 17:42:24 -0800,1045;000000100001-00000001
2322 The format of this internal line is:
2324 dd-mmm-yyyy hh:mm:ss +zzzz,ssss;ffffffffFFFF-UUUUUUUU
2326 The only thing that is variable is the "ssss" field, it can be
2327 as many digits as needed. All other fields (including the "dd")
2328 are fixed width. So, the easiest thing to do is to look forward
2329 in the file for the next internal header, and delete everything
2330 from the error point to that internal header.
2332 Here's what to do if you want to be smarter and do a little bit
2333 more work. Generally, you're in the middle of a message, and
2334 there's nothing wrong with that message. The problem happened in
2335 the *previous* message. So, search back to the previous internal
2336 header. Now, remember that "ssss" field? That's the size of that
2337 message.
2339 Mark where you are in the file, move the cursor to the line
2340 after the internal header, and skip that many bytes ("ssss")
2341 forward. If you're at the point of the error in the file, then
2342 that message is corrupt. If you're at a different point, then
2343 perhaps the previous message is corrupt and has a too long size
2344 count that "ate" into this message.
2346 Basically, what you need to do is make sure that all those size
2347 counts are right, and that moving "ssss" bytes from the line
2348 after the internal header will land you at another internal
2349 header.
2351 Usually, once you know what you're looking at, it's pretty easy
2352 to work out the corruption, and the best remedial action. Repair
2353 scripts will make the problem go away but may not always do the
2354 smartest/best salvage of the user's data. Manual repair is more
2355 flexible and usually preferable.
2357 Here is a step-by-step technique for fixing corrupt mbx files
2358 that's a bit cruder than the procedure outlined above, but works
2359 for any size file.
2361 In this example, suppose that the corrupt file is INBOX, the
2362 error message is
2364 Unable to find CRLF at 132551754
2366 and the size of the INBOX file is 132867870 bytes.
2368 The first step is to split the mailbox file at the point of the
2369 error:
2371 + Rename the INBOX file to some other name, such as INBOX.bad.
2372 + Copy the first 132,551,754 bytes of INBOX.bad to another file,
2373 such as INBOX.new.
2374 + Extract the trailing 316,116 bytes (132867870-132551754) of
2375 INBOX.bad into another file, such as INBOX.tail.
2376 + You no longer need INBOX.bad. Delete it.
2378 In other words, use the number from the "Unable to find CRLF at"
2379 as the point to split INBOX into two new files, INBOX.new and
2380 INBOX.tail.
2382 Now, remove the erroneous data:
2384 + Verify that you can open INBOX.new in IMAP or Alpine.
2385 + The last message of INBOX.new is probably corrupted. Copy it
2386 to another file, such as badmsg.1, then delete and expunge
2387 that last message from INBOX.new
2388 + Locate the first occurance of text in INBOX.tail which looks
2389 like an internal header, as described above.
2390 + Remove all the text which occurs prior to that point, and
2391 place it into another file, such as badmsg.2. Note that in the
2392 case of a single digit date, there is a leading space which
2393 must not be removed (e.g. " 6-Nov-2001" not "6-Nov-2001").
2395 Reassemble the mailbox:
2397 + Append INBOX.tail to INBOX.new.
2398 + You no longer need INBOX.tail. Delete it.
2399 + Verify that you can open INBOX.new in IMAP or Alpine.
2401 Reinstall INBOX.new as INBOX:
2403 + Check to see if you have received any new messages while
2404 repairing INBOX.
2405 + If you haven't received any new messages while repairing
2406 INBOX, just rename INBOX.new to INBOX.
2407 + If you have received new messages, be sure to copy the new
2408 messages from INBOX to INBOX.new before doing the rename.
2410 You now have a working INBOX, as well as two files with
2411 corrupted data (badmsg.1 and badmsg.2). There may be some useful
2412 data in the two badmsg files that you might want to try
2413 salvaging; otherwise you can delete the two badmsg files.
2415 Back to top
2416 __________________________________________________________________
2418 _7.16 What do the syslog messages:_
2420 imap/tcp server failing (looping)
2421 pop3/tcp server failing (looping)
2423 _mean? When it happens, the listed service shuts down. How can I fix
2424 this?_
2426 The error message "server failing (looping), service terminated"
2427 is not from either the IMAP or POP servers. Instead, it comes
2428 from inetd, the daemon which listens for TCP connections to a
2429 number of servers, including the IMAP and POP servers.
2431 inetd has a limit of 40 new server sessions per minute for any
2432 particular service. If more than 40 sessions are initiated in a
2433 minute, inetd will issue the "failing (looping), service
2434 terminated" message and shut down the service for 10 minutes.
2435 inetd does this to prevent system resource consumption by a
2436 client which is spawning infinite numbers of servers. It should
2437 be noted that this is a denial of service; however for some
2438 systems the alternative is a crash which would be a worse denial
2439 of service!
2441 For larger server systems, the limit of 40 is much too low. The
2442 limit was established many years ago when a system typically
2443 only ran a few dozen servers.
2445 On some versions of inetd, such as the one distributed with most
2446 versions of Linux, you can modify the _/etc/inetd.conf_ file to
2447 have a larger number of servers by appending a period followed
2448 by a number after the _nowait_ word for the server entry. For
2449 example, if your existing /etc/inetd.conf line reads:
2451 imap stream tcp nowait root /usr/etc/imapd imapd
2453 try changing it to be:
2455 imap stream tcp nowait.100 root /usr/etc/imapd imapd
2457 Another example (using TCP wrappers):
2459 imap stream tcp nowait root /usr/sbin/tcpd imapd
2461 try changing it to be:
2463 imap stream tcp nowait.100 root /usr/sbin/tcpd imapd
2466 to increase the limit to 100 sessions/minute.
2468 Before making this change, please read the information in "man
2469 inetd" to determine whether or not your inetd has this feature.
2470 If it does not, and you make this change, the likely outcome is
2471 that you will disable IMAP service entirely.
2473 Another way to fix this problem is to edit the inetd.c source
2474 code (provided by your UNIX system vendor) to set higher limits,
2475 rebuild inetd, install the new binary, and reboot your system.
2476 This should only be done by a UNIX system expert. In the inetd.c
2477 source code, the limits _TOOMANY_ (normally 40) is the maximum
2478 number of new server sessions permitted per minute, and
2479 _RETRYTIME_ (normally 600) is the number of seconds inetd will
2480 shut down the server after it exceeds TOOMANY.
2482 Back to top
2483 __________________________________________________________________
2485 _7.17 What does the syslog message:_ Mailbox lock file /tmp/.600.1df3
2486 open failure: Permission denied _mean?_
2488 This usually means that some "helpful" security script person
2489 has protected /tmp so that it is no longer world-writeable. /tmp
2490 must be world-writeable because lots of applications use it for
2491 scratch space. To fix this, do
2493 chmod 1777 /tmp
2496 as root.
2498 If that isn't the answer, check the protection of the named
2499 file. If it is something other than 666, then either someone is
2500 hacking or some "helpful" person modified the code to have a
2501 different default lock file protection.
2503 Back to top
2504 __________________________________________________________________
2506 _7.18 What do the syslog messages:_
2507 Command stream end of file, while reading line user=... host=...
2508 Command stream end of file, while reading char user=... host=...
2509 Command stream end of file, while writing text user=... host=...
2511 _mean?_
2513 This message occurs when the session is disconnected without a
2514 proper LOGOUT (IMAP) or QUIT (POP) command being received by the
2515 server first.
2517 In many cases, this is perfectly normal; many client
2518 implementations are impolite and do this. Some programmers think
2519 this sort of rudeness is "more efficient".
2521 The condition could, however, indicate a client or network
2522 connectivity problem. The server has no way of knowing whether
2523 there's a problem or just a rude client, so it issues this
2524 message instead of a Logout.
2526 Certain inferior losing clients disconnect abruptly after a
2527 failed login, and instead of saying that the login failed, just
2528 say that they can't access the mailbox. They then complain to
2529 the system manager, who looks in the syslog and finds this
2530 message. Not very helpful, eh? See the answer to the Why can't I
2531 log in to the server? The user name and password are right!
2532 question.
2534 If the user isn't reporting a problem, you can probably ignore
2535 this message.
2537 Back to top
2538 __________________________________________________________________
2540 _7.19 Why did my POP or IMAP session suddenly disconnect? The syslog
2541 has the message:_ Killed (lost mailbox lock) user=... host=...
2543 This message only happens when either the traditional UNIX
2544 mailbox format or MMDF format is in use. This format only allows
2545 one session to have the mailbox open read/write at a time.
2547 The servers assume that if a second session attempts to open the
2548 mailbox, that means that the first session is probably owned by
2549 an abandoned client. The common scenario here is a user who
2550 leaves his client running at the office, and then tries to read
2551 his mail from home. Through an internal mechanism called _kiss
2552 of death_, the second session requests the first session to kill
2553 itself. When the first session receives the "kiss of death", it
2554 issues the "Killed (lost mailbox lock)" syslog message and
2555 terminates. The second session then seizes read/write access,
2556 and becomes the new "first" session.
2558 Certain poorly-designed clients routinely open multiple sessions
2559 to the same mailbox; the users of those clients tend to get this
2560 message a lot.
2562 Another cause of this message is a background "check for new
2563 mail" task which does its work by opening a POP session to
2564 server every few seconds. They do this because POP doesn't have
2565 a way to announce new mail.
2567 The solution to both situations is to replace the client with a
2568 good online IMAP client such as Alpine. Life is too short to
2569 waste on POP clients and poorly-designed IMAP clients.
2571 Back to top
2572 __________________________________________________________________
2574 _7.20 Why does my IMAP client show all the files on the system,
2575 recursively from the UNIX root directory?_
2576 _7.21 Why does my IMAP client show all of my files, recursively from my
2577 UNIX home directory?_
2579 A well-written client should only show one level of hierarchy
2580 and then stop, awaiting explicit user action before going lower.
2581 However, some poorly-designed clients will recursively list all
2582 files, which may be a very long list (especially if you have
2583 symbolic links to directories that create a loop in the
2584 filesystem graph!).
2586 This behavior has also been observed in some third-party
2587 c-client drivers, including maildir drivers. Consequently, this
2588 problem has even been observed in Alpine. It is important to
2589 understand that this is not a problem in Alpine or c-client; it
2590 is a problem in the third-party driver. A Alpine built without
2591 that third-party driver will not have this problem.
2593 See also the answer to Why does my IMAP client show all my files
2594 in my home directory?
2596 Back to top
2597 __________________________________________________________________
2599 _7.22 Why does my IMAP client show that I have mailboxes named
2600 "#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"?_
2602 These are IMAP namespace names. They represent other hierarchies
2603 in which messages may exist. These hierarchies may not
2604 necessarily exist on a server, but the namespace name is still
2605 in the namespace list in order to mark it as reserved.
2607 A few poorly-designed clients display all namespace names as if
2608 they were top-level mailboxes in a user's list of mailboxes,
2609 whether or not they actually exist. This is a flaw in those
2610 clients.
2612 Back to top
2613 __________________________________________________________________
2615 _7.23 Why does my IMAP client show all my files in my home directory?_
2617 As distributed, the IMAP server is connected to your home
2618 directory by default. It has no way of knowing what you might
2619 call "mail" as opposed to "some other file"; in fact, you can
2620 use IMAP to access any file.
2622 Most clients have an option to configure your connected
2623 directory on the IMAP server. For example, in Alpine you can
2624 specify this as the "Path" in your folder-collection, e.g.
2626 Nickname : Secondary Folders
2627 Server : imap.example.com
2628 Path : mail/
2629 View :
2631 In this example, the user is connected to the "mail"
2632 subdirectory of his home directory.
2634 Other servers call this the "folder prefix" or similar term.
2636 It is possible to modify the IMAP server so that all users are
2637 automatically connected to some other directory, e.g. a
2638 subdirectory of the user's home directory. Read the file CONFIG
2639 for more details.
2641 Back to top
2642 __________________________________________________________________
2644 _7.24 Why is there a long delay before I get connected to the IMAP or
2645 POP server, no matter what client I use?_
2647 There are two common occurrences of this problem:
2649 + You are running a system (e.g. certain versions of Linux)
2650 which by default attempts to connect to an "IDENT" protocol
2651 (port 113) server on your client. However, a firewall or NAT
2652 box is blocking connections to that port, so the connection
2653 attempt times out.
2654 The IDENT protocol is a well-known bad idea that does not
2655 deliver any real security but causes incredible problems. The
2656 idea is that this will give the server a record of the user
2657 name, or at least what some program listening on port 113 says
2658 is the user name. So, if somebody coming from port nnnnn on a
2659 system does something bad, IDENT may give you the userid of
2660 the bad guy.
2661 The problem is, IDENT is only meaningful on a timesharing
2662 system which has an administrator who is privileged and users
2663 who are not. It is of no value on a personal system which has
2664 no separate concept of "system administrator" vs.
2665 "unprivileged user".
2666 On either type of system, security-minded people either turn
2667 IDENT off or replace it with an IDENT server that lies. Among
2668 other things, IDENT gives spammers the ability to harvest
2669 email addresses from anyone who connects to a web page.
2670 This problem has been showing up quite frequently on systems
2671 which use xinetd instead of inetd. Look for files named
2672 /etc/xinetd.conf, /etc/xinetd.d/imapd, /etc/inetd.d/ipop2d,
2673 and /etc/xinetd.d/ipop3d. In those files, look for lines
2674 containing "USERID", e.g.
2675 log_on_success += USERID
2677 Hunt down such lines, and delete them ruthlessly from all
2678 files in which they occur. Don't be shy about it.
2679 + The DNS is taking a long time to do a reverse DNS (PTR record)
2680 lookup of the IP address of your client. This is a problem in
2681 your DNS, which either you or you ISP need to resolve.
2682 Ideally, the DNS should return the client's name; but if it
2683 can't it should at least return an error quickly.
2685 As you may have noticed, neither of these are actual problems in
2686 the IMAP or POP servers; they are configuration issues with
2687 either your system or your network infrastructure. If this is
2688 all new to you, run (don't walk) to the nearest technical
2689 bookstore and get yourself a good pedagogical text on system
2690 administration for the type of system you are running.
2692 Back to top
2693 __________________________________________________________________
2695 _7.25 Why is there a long delay in Alpine or any other c-client based
2696 application call before I get connected to the IMAP server? The hang
2697 seems to be in the c-client mail_open() call. I don't have this problem
2698 with any other IMAP client. There is no delay connecting to a POP3 or
2699 NNTP server with mail_open()._
2701 By default, the c-client library attempts to make a connection
2702 through rsh (and ssh, if you enable that). If the command:
2704 rsh imapserver exec /etc/rimapd
2707 (or ssh if that is enabled) returns with a "* PREAUTH" response,
2708 it will use the resulting rsh session as the IMAP session and
2709 not require an authentication step on the server.
2711 Unfortunately, rsh has a design error that treats "TCP
2712 connection refused" as "temporary failure, try again"; it
2713 expects the "rsh not allowed" case to be implemented as a
2714 successful connection followed by an error message and close the
2715 connection.
2717 It must be emphasized that this is a bug in rsh. It is _not_ a
2718 bug in the IMAP toolkit.
2720 The use of rsh can be disabled in any the following ways:
2722 + You can disable it for this particular session by either:
2723 o setting an explicit port number in the mailbox name, e.g.
2724 {imapserver.foo.com:143}INBOX
2726 o using SSL (the /ssl switch)
2727 + You can disable rsh globally by setting the rsh timeout value
2728 to 0 with the call:
2729 mail_parameters (NIL,SET_RSHTIMEOUT,0);
2731 Back to top
2732 __________________________________________________________________
2734 _7.26 Why does a message sometimes get split into two or more messages
2735 on my SUN system?_
2737 This is caused by an interaction of two independent design
2738 problems in SUN mail software. The first problem is that the
2739 "forward message" option in SUN's _mail tool_ program includes
2740 the internal "From " header line in the text that it forwarded.
2741 This internal header line is specific to traditional UNIX
2742 mailbox files and is not suitable for use in forwarded messages.
2744 The second problem is that the mail delivery agent assumes that
2745 mail reading programs will not use the traditional UNIX mailbox
2746 format but instead an incompatible variant that depends upon a
2747 _Content-Length:_ message header. Content-Length is widely
2748 recognized to have been a terrible mistake, and is no longer
2749 recommended for use in mail (it is used in other facilities that
2750 use MIME).
2752 One symptom of the problem is that under certain circumstances,
2753 a message may get broken up into several messages. I'm also
2754 aware of security bugs caused by programs that foolishly trust
2755 "Content-Length:" headers with evil values.
2757 To fix the mailer on your system, edit your sendmail.cf to
2758 change the _Mlocal_ line to have the _-E_ flag. A typical entry
2759 will lool like:
2761 Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnPE, S=10, R=20,
2762 A=mail.local -d $u
2764 This fix will also work around the problem with mail tool,
2765 because it will insert a ">" before the internal header line to
2766 prevent it from being interpreted by mail reading software as an
2767 internal header line.
2769 Back to top
2770 __________________________________________________________________
2772 _7.27 Why did my POP or IMAP session suddenly disconnect? The syslog
2773 has the message:_
2774 Autologout user=<...my user name...> host=<...my client system...>
2777 This is a problem in your client.
2779 In the case of IMAP, it failed to communicate with the IMAP
2780 server for over 30 minutes; in the case of POP, it failed to
2781 communicate with the POP server for over 10 minutes.
2783 Back to top
2784 __________________________________________________________________
2786 _7.28 What does the UNIX error message:_ TLS/SSL failure: myserver: SSL
2787 negotiation failed _mean?_
2788 _7.29 What does the PC error message:_ TLS/SSL failure: myserver:
2789 Unexpected TCP input disconnect _mean?_
2791 This usually means that an attempt to negotiate TLS encryption
2792 via the STARTTLS command failed, because the server advertises
2793 STARTTLS functionality, but doesn't actually have it (e.g.
2794 because no certificates are installed).
2796 Use the /notls option in the mailbox name to disable TLS
2797 negotiation.
2799 Back to top
2800 __________________________________________________________________
2802 _7.30 What does the error message:_ TLS/SSL failure: myserver: Server
2803 name does not match certificate _mean?_
2805 An SSL or TLS session encryption failed because the server name
2806 in the server's certificate does not match the name that you
2807 gave it. This could indicate that the server is not really the
2808 system you think that it is, but can be also be called if you
2809 gave a nickname for the server or name that was not
2810 fully-qualified. You must use the fully-qualified domain name
2811 for the server in order to validate its certificate
2813 Use the /novalidate-cert option in the mailbox name to disable
2814 validation of the certificate.
2816 Back to top
2817 __________________________________________________________________
2819 _7.31 What does the UNIX error message:_ TLS/SSL failure: myserver:
2820 self-signed certificate _mean?_
2821 _7.32 What does the PC error message:_ TLS/SSL failure: myserver:
2822 Self-signed certificate or untrusted authority _mean?_
2824 An SSL or TLS session encryption failed because your server's
2825 certificate is "self-signed"; that is, it is not signed by any
2826 Certificate Authority (CA) and thus can not be validated. A
2827 CA-signed certificate costs money, and some smaller sites either
2828 don't want to pay for it or haven't gotten one yet. The bad part
2829 about this is that this means there is no guarantee that the
2830 server is really the system you think that it is.
2832 Use the /novalidate-cert option in the mailbox name to disable
2833 validation of the certificate.
2835 Back to top
2836 __________________________________________________________________
2838 _7.33 What does the UNIX error message:_ TLS/SSL failure: myserver:
2839 unable to get local issuer certificate _mean?_
2841 An SSL or TLS session encryption failed because your system does
2842 not have the Certificate Authority (CA) certificates installed
2843 on OpenSSL's certificates directory. On most systems, this
2844 directory is /usr/local/ssl/certs). As a result, it is not
2845 possible to validate the server's certificate.
2847 If CA certificates are properly installed, you should see
2848 factory.pem and about a dozen other .pem names such as
2849 thawteCb.pem.
2851 As a workaround, you can use the /novalidate-cert option in the
2852 mailbox name to disable validation of the certificate; however,
2853 note that you are then vulnerable to various security attacks by
2854 bad guys.
2856 The correct fix is to copy all the files from the certs/
2857 directory in the OpenSSL distribution to the
2858 /usr/local/ssl/certs (or whatever) directory. Note that you need
2859 to do this after building OpenSSL, because the OpenSSL build
2860 creates a number of needed symbolic links. For some bizarre
2861 reason, the OpenSSL "make install" doesn't do this for you, so
2862 you must do it manually.
2864 Back to top
2865 __________________________________________________________________
2867 _7.34 Why does reading certain messages hang when using Netscape? It
2868 works fine with Alpine!_
2870 There are two possible causes.
2872 Check the mail syslog. If you see the message "Killed (lost
2873 mailbox lock)" for the impacted user(s), read the FAQ entry
2874 regarding that message.
2876 Check the affected mailbox to see if there are embedded NUL
2877 characters in the message. NULs in message texts are a technical
2878 violation of both the message format and IMAP specifications.
2879 Most clients don't care, but apparently Netscape does.
2881 You can work around this by rebuilding imapd with the
2882 _NETSCAPE_BRAIN_DAMAGE_ option set (see src/imapd/Makefile); this
2883 will cause imapd to convert all NULs to 0x80 characters. A
2884 better solution is to enable the feature in your MTA to
2885 MIME-convert messages with binary content. See the documentation
2886 for your MTA for how to do this.
2888 Back to top
2889 __________________________________________________________________
2891 _7.35 Why does Netscape say that there's a problem with the IMAP server
2892 and that I should "Contact your mail server administrator."?_
2894 Certain versions of Netscape do this when you click the Manage
2895 Mail button, which uses an undocumented feature of Netscape's
2896 proprietary IMAP server.
2898 You can work around this by rebuilding imapd with the
2899 _NETSCAPE_BRAIN_DAMAGE_ option set (see src/imapd/Makefile) to a
2900 URL that points either to an alternative IMAP client (e.g.
2901 Alpine) or perhaps to a homebrew mail account management page.
2903 Back to top
2904 __________________________________________________________________
2906 _7.36 Why is one user creating huge numbers of IMAP or POP server
2907 sessions?_
2909 The user is probably using Outlook Express, Eudora, or a similar
2910 program. See the answer to the Help! My load average is soaring
2911 and I see hundreds of POP and IMAP servers, many logged in as
2912 the same user! question.
2914 Back to top
2915 __________________________________________________________________
2917 _7.37 Why don't I get any new mail notifications from Outlook Express
2918 or Outlook after a while?_
2920 This is a known bug in Outlook Express. Microsoft is aware of
2921 the problem and its cause. They have informed us that they do
2922 not have any plans to fix it at the present time.
2924 The problem is also reported in Outlook 2000, but not verified.
2926 Outlook Express uses the IMAP IDLE command to avoid having to
2927 "ping" the server every few minutes for new mail. Unfortunately,
2928 Outlook Express overlooks the part in the IDLE specification
2929 which requires that a client terminate and restart the IDLE
2930 before the IMAP 30 minute inactivity autologout timer triggers.
2932 When this happens, Outlook Express displays "Not connected" at
2933 the bottom of the window. Since it's no longer connected to the
2934 IMAP server, it isn't going to notice any new mail.
2936 As soon as the user does anything that would cause an IMAP
2937 operation, Outlook Express will reconnect and new mail will flow
2938 again. If the user does something that causes an IMAP operation
2939 at least every 29 minutes, the problem won't happen.
2941 Modern versions of imapd attempt to work around the problem by
2942 automatically reporting fake new mail after 29 minutes. This
2943 causes Outlook Express to exit the IDLE state; as soon as this
2944 happens imapd revokes the fake new mail. As long as this
2945 behavior isn't known to cause problems with other clients, this
2946 workaround will remain in imapd.
2948 Back to top
2949 __________________________________________________________________
2951 _7.38 Why don't I get any new mail notifications from Entourage?_
2953 This is a known bug in Entourage.
2955 You built an older version of imapd with the
2956 _MICROSOFT_BRAIN_DAMAGE_ option set, in order to disable support
2957 for the IDLE command. However, Entourage won't get new mail
2958 unless IDLE command support exists.
2960 Note: the MICROSOFT_BRAIN_DAMAGE option no longer exists in
2961 modern versions, as the Outlook Express problem which it
2962 attempted to solve has been worked around in another way.
2964 Back to top
2965 __________________________________________________________________
2967 _7.39 Why doesn't Entourage work at all?_
2969 It's hard to know. Entourage breaks almost every rule in the
2970 book for IMAP. It is highly instructive to do a packet trace on
2971 Entourage, as an example of how _not_ to use IMAP. It does
2972 things like STATUS (MESSAGES) on the currently selected mailbox
2973 and re-fetching the same static data over and over again.
2975 It seems that every time we understand what it is doing wrong in
2976 Entourage and come up with a workaround, we learn about
2977 something else that's broken.
2979 Try building imapd with the _ENTOURAGE_BRAIN_DAMAGE_ option set,
2980 in order to disable the diagnostic that occurs when doing STATUS
2981 on the currently selected mailbox.
2983 Back to top
2984 __________________________________________________________________
2986 _7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all?_
2988 This is a bug in NSNOTIFY; it doesn't handle unsolicited data
2989 from the server correctly.
2991 Fortunately, there is no reason to use this program with IMAP;
2992 NSNOTIFY is a polling program to let you know when new mail has
2993 appeared in your maildrop. This is necessary with POP; but since
2994 IMAP dynamically announces new mail in the session you're better
2995 off (and will actually cause less load on the server!) keeping
2996 your mail reading program's IMAP session open and let IMAP do
2997 the notifying for you.
2999 Consequently, the recommended fix for the NSNOTIFY problem is to
3000 delete the NSNOTIFY binary.
3002 Back to top
3003 __________________________________________________________________
3005 _7.41 Why can't I connect via SSL to Eudora? It says the connection has
3006 been broken, and in the server syslogs I see "Command stream end of
3007 file"._
3009 There is a report that you can fix the problem by going into
3010 Eudora's advanced network configuration menu and increasing the
3011 network buffer size to 8192.
3013 Back to top
3014 __________________________________________________________________
3016 _7.42 Sheesh. Aren't there any good IMAP clients out there?_
3018 Yes!
3020 Alpine is a _wonderful_ client. It's fast, it uses IMAP well,
3021 and it generates text mail (life is too short to waste on HTML
3022 mail). Also, there are some really wonderful things in progress
3023 in the Alpine world.
3025 There are some good GUI clients out there, mostly from smaller
3026 vendors. Without naming names, look for the vendors who are
3027 active in the IMAP protocol development community, and their
3028 products.
3030 Netscape, Eudora, and Outlook _can_ be configured with enough
3031 effort to be good citizens and work well for users, _but_ they
3032 can also be badly misconfigured, and often the misconfiguration
3033 is the default.
3035 Back to top
3036 __________________________________________________________________
3038 _7.43 But wait! PC Alpine (or other PC program build with c-client)
3039 crashes with the message_ incomplete SecBuffer exceeds maximum buffer
3040 size _when I use SSL connections. This is a bug in c-client, right?_
3042 It's a bug in the Microsoft SChannel.DLL, which implements SSL.
3043 Microsoft admits it (albeit with an unstatement: "it's not fully
3044 RFC compliant"). The problem is that SChannel indicates that the
3045 maximum SSL packet data size is 5 bytes smaller than the actual
3046 maximum. Thus, any IMAP server which transmits a maximum sized
3047 SSL packet will not work with PC Alpine or any other program
3048 which uses SChannel.
3050 It can take a while for the problem to show up. The client has
3051 to do something that causes at least 16K of contiguous data.
3052 Many clients do partial fetching, which tends to reduce the
3053 number of cases where this can happen. However, _all_ software
3054 which uses SChannel to support SSL is affected by this bug.
3056 This problem does not affect UNIX code, since OpenSSL is used on
3057 UNIX.
3059 This problem most recently showed up with the CommunigatePro
3060 IMAP server. They have an update which trims down their maximum
3061 contiguous data to less than 16K, in order to work around the
3062 problem.
3064 This problem has also shown up with the Exchange IMAP server
3065 with UNIX clients (including Alpine built with an older version
3066 of c-client) which sends full-sized 16K SSL packets. Modern
3067 c-client works around the problem by trimming down its maximum
3068 outgoing SSL packet size to 8K.
3070 Microsoft has developed a hotfix for this bug. Look up MSKB
3071 article number 300562. Contrary to the article text which
3072 implies that this is a Alpine issue, this bug also affect
3073 Microsoft Exchange server with *any* UNIX based client that
3074 transmits full-sized SSL payloads.
3076 Back to top
3077 __________________________________________________________________
3079 _7.44 My qpopper users keep on getting the DON'T DELETE THIS MESSAGE --
3080 FOLDER INTERNAL DATA if they also use Alpine or IMAP. How can I fix
3081 this?_
3083 This is an incompatibility between qpopper and the c-client
3084 library used by Alpine, imapd, and ipop[23]d.
3086 Assuming that you want to continue using qpopper, look into
3087 qpopper's _--enable-uw-kludge-flag_ configuration flag, which is
3088 documented as "check for and hide UW 'Folder Internal Data'
3089 messages".
3091 The other alternative is to switch from qpopper to ipop3d.
3093 Back to top
3094 __________________________________________________________________
3096 _7.45 Help! I installed the servers but I can't connect to them from my
3097 client!_
3099 Review the installation instructions carefully. Make sure that
3100 you have not skipped any of the steps. Make sure that you have
3101 made the correct entries in the configuration files; pay careful
3102 attention to the exact spelling of the service names and the
3103 path names. Make sure as well that you have properly restarted
3104 inetd.
3106 If you have a system with Yellow Pages/NIS such as Solaris, have
3107 you updated the service names there as well as in /etc/services?
3109 If you have a system with TCP wrappers, have you properly
3110 updated the TCP wrapper files (e.g. /etc/hosts.allow and
3111 /etc/hosts.deny) for the servers?
3113 If you have a system which uses xinetd instead of inetd, have
3114 you made sure that you have made the correct corresponding
3115 xinetd changes for those services?
3117 Try telneting to the server port (143 for IMAP, 110 for POP3).
3118 If you get a "refused" error, that probably means that you don't
3119 have the service set up in inetd.conf. If the connection opens
3120 and then closes with no message, the service is set up, but
3121 either the path name of the server binary in inetd.conf is wrong
3122 or your TCP wrappers are configured to deny access.
3124 If you don't know how to make the corresponding changes to these
3125 files, seek the help of a local expert for your system.
3127 Back to top
3128 __________________________________________________________________
3130 _7.46 Why do I get the message_ Can not authenticate to SMTP server:
3131 421 SMTP connection went away! _and why did this happen? There was also
3132 something about_ SECURITY PROBLEM: insecure server advertised
3133 AUTH=PLAIN
3135 Some versions of qmail, including that running on
3136 mail.smtp.yahoo.com, disconnect the SMTP session if you fail to
3137 authenticate prior to attempting to transmit mail. An attempt to
3138 authenticate was made, but it failed because the server had
3139 already disconnected.
3141 To work around this, you need to specify /user=... in the host
3142 name specification.
3144 The SECURITY PROBLEM came about because the server advertised
3145 the AUTH=PLAIN SASL authentication mechanism outside of a
3146 TLS-encrypted session, in violation of RFC 4616. This message is
3147 just a warning, and in fact occurred after the server had
3148 disconnected.
3150 Back to top
3151 __________________________________________________________________
3153 _7.47 Why do I get the message_ SMTP Authentication cancelled _and why
3154 did this happen? There was also something about_ SECURITY PROBLEM:
3155 insecure server advertised AUTH=PLAIN
3157 This is a bug in the SMTP server.
3159 Some versions of qmail, including that running on
3160 mail.smtp.yahoo.com, have a bug in their implementation of SASL
3161 in their SMTP server, which renders it non-compliant with the
3162 standard.
3164 If the client does not provide an initial response in the
3165 command line for an authentication mechanism whose profile does
3166 not have an initial challenge, qmail issues a bogus response:
3168 334 ok, go on
3170 The problem is the "ok, go on". This violates RFC 4954's
3171 requirement that the text part in a 334 response be a BASE64
3172 encoded string; in other words, it is a protocol syntax error.
3174 In the case of AUTH=PLAIN, RFC 4422 (page 7) requires that the
3175 encoded string have no data. In other words, the appropriate
3176 standards-compliant server response is "334" followed by a SPACE
3177 and a CRLF.
3179 The SECURITY PROBLEM came about because the server advertised
3180 the AUTH=PLAIN SASL authentication mechanism outside of a
3181 TLS-encrypted session, in violation of RFC 4616. This message is
3182 just a warning, and is not related the "Authentication
3183 cancelled" problem.
3185 Back to top
3186 __________________________________________________________________
3188 _7.48 Why do I get the message_ Invalid base64 string _when I try to
3189 authenticate to a Cyrus server?_
3191 This slightly misleading message is the way that a Cyrus server
3192 indicates that an authentication exchange was cancelled. It is
3193 not indicative of a bug or protocol violation.
3195 The most common reason that this happens is if the Cyrus server
3196 offers Kerberos authentication, c-client is built with Kerberos
3197 support, but your client system is not within the Kerberos
3198 realm. In this case, the client code will try to authenticate
3199 via Kerberos, fail to get the Kerberos credentials, cancel the
3200 authentication attempt, and try the next available
3201 authentication technology.
3203 Back to top
3204 __________________________________________________________________
3206 8. Where to Go For Additional Information
3207 __________________________________________________________________
3209 _8.1 Where can I go to ask questions?_
3210 _8.2 I have some ideas for enhancements to IMAP. Where should I go?_
3212 If you have questions about the IMAP protocol, or want to
3213 participate in discussions of future directions of the IMAP
3214 protocol, the appropriate mailing list is
3215 imap-protocol@u.washington.edu. You can subscribe to this list
3216 via imap-protocol-request@u.washington.edu
3218 You must be a subscriber to post to this list. As an
3219 alternative, you can use the _comp.mail.imap_ newsgroup.
3221 Back to top
3222 __________________________________________________________________
3224 _8.3 Where can I read more about IMAP and other email protocols?_
3226 We recommend _Internet Email Protocols: A Developer's Guide_, by
3227 Kevin Johnson, published by Addison Wesley, ISBN 0-201-43288-9.
3229 Back to top
3230 __________________________________________________________________
3232 _8.4 Where can I find out more about setting up and administering an
3233 IMAP server?_
3235 We recommend _Managing IMAP_, by Dianna Mullet & Kevin Mullet,
3236 published by O'Reilly, ISBN 0-596-00012-X.
3238 Back to top
3240 Last Updated: 5 May 2010