| blob | a952f1e396dd0c0954cfb9905f0819cfbb6239c5 |
2 Panda IMAP Frequently Asked Questions
4 Table of Contents
6 * What is Panda IMAP?
7 * 1. General/Software Feature Questions
8 + 1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.?
9 + 1.2 I am currently using qpopper as my POP3 server on UNIX. Do
10 I need to replace it with ipop3d in order to run imapd?
11 + 1.3 Can I set up a POP or IMAP server on Windows XP, 2000, NT,
12 Me, 98, or 95?
13 + 1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS?
14 + 1.5 Can I set up a POP or IMAP server on Macintosh?
15 + 1.6 Can I set up a POP or IMAP server on VAX/VMS?
16 + 1.7 Can I set up a POP or IMAP server on TOPS-20?
17 + 1.8 Are hierarchical mailboxes supported?
18 + 1.9 Are "dual-use" mailboxes supported?
19 + 1.10 Can I have a mailbox that has both messages and
20 sub-mailboxes?
21 + 1.11 What is the difference between "mailbox" and "folder"?
22 + 1.12 What is the status of internationalization?
23 + 1.13 Can I use SSL?
24 + 1.14 Can I use TLS and the STARTTLS facility?
25 + 1.15 Can I use CRAM-MD5 authentication?
26 + 1.16 Can I use APOP authentication?
27 + 1.17 Can I use Kerberos V5?
28 + 1.18 Can I use PAM for plaintext passwords?
29 + 1.19 Can I use Kerberos 5 for plaintext passwords?
30 + 1.20 Can I use AFS for plaintext passwords?
31 + 1.21 Can I use DCE for plaintext passwords?
32 + 1.22 Can I use the CRAM-MD5 database for plaintext passwords?
33 + 1.23 Can I disable plaintext passwords?
34 + 1.24 Can I disable plaintext passwords on unencrypted
35 sessions, but allow them on encrypted sessions?
36 + 1.25 Can I use virtual hosts?
37 + 1.26 Can I use RPOP authentication?
38 + 1.27 Can I use Kerberos V4?
39 + 1.28 Is there support for S/Key or OTP?
40 + 1.29 Is there support for NTLM or SPA?
41 + 1.30 Is there support for mh?
42 + 1.31 Is there support for qmail and the maildir format?
43 + 1.32 Is there support for the Cyrus mailbox format?
44 + 1.33 Is this software Y2K compliant?
45 * 2. What Do I Need to Build This Software?
46 + 2.1 What do I need to build this software with SSL on UNIX?
47 + 2.2 What do I need to build this software with Kerberos V on
48 UNIX?
49 + 2.3 What do I need to use a C++ compiler with this software to
50 build my own application?
51 + 2.4 What do I need to build this software on Windows?
52 + 2.5 What do I need to build this software on DOS?
53 + 2.6 Can't I use Borland C to build this software on the PC?
54 + 2.7 What do I need to build this software on the Mac?
55 + 2.8 What do I need to build this software on VMS?
56 + 2.9 What do I need to build this software on TOPS-20?
57 + 2.10 What do I need to build this software on Amiga or OS/2?
58 + 2.11 What do I need to build this software on Windows CE?
59 * 3. Build and Configuration Questions
60 + 3.1 How do I configure the IMAP and POP servers on UNIX?
61 + 3.2 I built and installed the servers according to the BUILD
62 instructions. It can't be that easy. Don't I need to write a
63 config file?
64 + 3.3 How do I make the IMAP and POP servers look for INBOX at
65 some place other than the mail spool directory?
66 + 3.4 How do I make the IMAP server look for secondary folders
67 at some place other than the user's home directory?
68 + 3.5 How do I configure SSL?
69 + 3.6 How do I configure TLS and the STARTTLS facility?
70 + 3.7 How do I build/install OpenSSL and obtain/create
71 certificates for use with SSL?
72 + 3.8 How do I configure CRAM-MD5 authentication?
73 + 3.9 How do I configure APOP authentication?
74 + 3.10 How do I configure Kerberos V5?
75 + 3.11 How do I configure PAM for plaintext passwords?
76 + 3.12 It looks like all I have to do to make the server use
77 Kerberos is to build with PAM on my Linux system, and set it
78 up in PAM for Kerberos passwords. Right?
79 + 3.13 How do I configure Kerberos 5 for plaintext passwords?
80 + 3.14 How do I configure AFS for plaintext passwords?
81 + 3.15 How do I configure DCE for plaintext passwords?
82 + 3.16 How do I configure the CRAM-MD5 database for plaintext
83 passwords?
84 + 3.17 How do I disable plaintext passwords?
85 + 3.18 How do I disable plaintext passwords on unencrypted
86 sessions, but allow them in SSL or TLS sessions?
87 + 3.19 How do I configure virtual hosts?
88 + 3.20 Why do I get compiler warning messages such as:
89 o passing arg 3 of `scandir' from incompatible pointer type
90 o Pointers are not assignment-compatible.
91 o Argument #4 is not the correct type.
92 during the build?
93 + 3.21 Why do I get compiler warning messages such as
94 o Operation between types "void(*)(int)" and "void*" is not
95 allowed.
96 o Function argument assignment between types "void*" and
97 "void(*)(int)" is not allowed.
98 o Pointers are not assignment-compatible.
99 o Argument #5 is not the correct type.
100 during the build?
101 + 3.22 Why do I get linker warning messages such as:
102 o mtest.c:515: the `gets' function is dangerous and should
103 not be used.
104 during the build? Isn't this a security bug?
105 + 3.23 Why do I get linker warning messages such as:
106 o auth_ssl.c:92: the `tmpnam' function is dangerous and
107 should not be used.
108 during the build? Isn't this a security bug?
109 + 3.24 OK, suppose I see a warning message about a function
110 being "dangerous and should not be used" for something other
111 than this gets() or tmpnam() call?
112 * 4. Operational Questions
113 + 4.1 How can I enable anonymous IMAP logins?
114 + 4.2 How do I set up an alert message that each IMAP user will
115 see?
116 + 4.3 How does the c-client library choose which of its several
117 mechanisms to use to establish an IMAP connection to the
118 server? I noticed that it can connect on port 143, port 993,
119 via rsh, and via ssh.
120 + 4.4 I am using a TLS-capable IMAP server, so I don't need to
121 use /ssl to get encryption. However, I want to be certain that
122 my session is TLS encrypted before I send my password. How to
123 I do this?
124 + 4.5 How do I use one of the alternative formats described in
125 the formats.txt document? In particular, I hear that mbx
126 format will give me better performance and allow shared
127 access.
128 + 4.6 How do I set up shared mailboxes?
129 + 4.7 How can I make the server syslogs go to someplace other
130 than the mail syslog?
131 * 5. Security Questions
132 + 5.1 I see that the IMAP server allows access to arbitary files
133 on the system, including /etc/passwd! How do I disable this?
134 + 5.2 I've heard that IMAP servers are insecure. Is this true?
135 + 5.3 How do I know that I have the most secure version of the
136 server?
137 + 5.4 I see all these strcpy() and sprintf() calls, those are
138 unsafe, aren't they?
139 + 5.5 Those /tmp lock files are protected 666, is that really
140 right?
141 * 6. Why Did You Do This Strange Thing? Questions
142 + 6.1 Why don't you use GNU autoconfig / automake /
143 autoblurdybloop?
144 + 6.2 Why do you insist upon a build with -g? Doesn't it waste
145 disk and memory space?
146 + 6.3 Why don't you make c-client a shared library?
147 + 6.4 Why don't you use iconv() for internationalization
148 support?
149 + 6.5 Why is the IMAP server connected to the home directory by
150 default?
151 + 6.6 I have a Windows system. Why isn't the server plug and
152 play for me?
153 + 6.7 I looked at the UNIX SSL code and saw that you have the
154 SSL data payload size set to 8192 bytes. SSL allows 16K; why
155 aren't you using the full size?
156 + 6.8 Why is an mh format INBOX called #mhinbox instead of just
157 INBOX?
158 + 6.9 Why don't you support the maildir format?
159 + 6.10 Why don't you support the Cyrus format?
160 + 6.11 Why is it creating extra forks on my SVR4 system?
161 + 6.12 Why are you so fussy about the date/time format in the
162 internal "From " line in traditional UNIX mailbox files? My
163 other mail program just considers every line that starts with
164 "From " to be the start of the message.
165 + 6.13 Why is traditional UNIX format the default format?
166 + 6.14 Why do you write this "DON'T DELETE THIS MESSAGE --
167 FOLDER INTERNAL DATA" message at the start of traditional UNIX
168 and MMDF format mailboxes?
169 + 6.15 Why don't you stash the mailbox metadata in the first
170 real message of the mailbox instead of writing this fake
171 FOLDER INTERNAL DATA message?
172 + 6.16 Why aren't "dual-use" mailboxes the default?
173 + 6.17 Why do you use ucbcc to build on Solaris?
174 + 6.18 Why should I care about some old system with BSD
175 libraries? cc is the right thing on my Solaris system!
176 + 6.19 Why do you insist upon writing .lock files in the spool
177 directory?
178 + 6.20 Why should I care about compatibility with the past?
179 * 7. Problems and Annoyances
180 + 7.1 Help! My INBOX is empty! What happened to my messages?
181 + 7.2 Help! All my messages in a non-INBOX mailbox have been
182 concatenated into one message which claims to be from me and
183 has a subject of the file name of the mailbox! What's going
184 on?
185 + 7.3 Why do I get the message:
186 o CREATE failed: Can't create mailbox node xxxxxxxxx: File
187 exists
188 and how do I fix it?
189 + 7.4 Why can't I log in to the server? The user name and
190 password are right!
191 + 7.5 Help! My load average is soaring and I see hundreds of POP
192 and IMAP servers, many logged in as the same user!
193 + 7.6 Why does mail disappear even though I set "keep mail on
194 server"?
195 + 7.7 Why do I get the message
196 o Moved ##### bytes of new mail to /home/user/mbox from
197 /var/spool/mail/user
198 and why did this happen?
199 + 7.8 Why isn't it showing the local host name as a
200 fully-qualified domain name?
201 + 7.9 Why is the local host name in the From/Sender/Message-ID
202 headers of outgoing mail not coming out as a fully-qualified
203 domain name?
204 + 7.10 What does the message:
205 o Mailbox vulnerable - directory /var/spool/mail must have
206 1777 protection
207 mean? How can I fix this?
208 + 7.11 What does the message:
209 o Mailbox is open by another process, access is readonly
210 mean? How do I fix this?
211 + 7.12 What does the message:
212 o Can't get write access to mailbox, access is readonly
213 mean?
214 + 7.13 I set my POP3 client to "delete messages from server" but
215 they never get deleted. What is wrong?
216 + 7.14 What do messages such as:
217 o Message ... UID ... already has UID ...
218 o Message ... UID ... less than ...
219 o Message ... UID ... greater than last ...
220 o Invalid UID ... in message ..., rebuilding UIDs
221 mean?
222 + 7.15 What do the error messages:
223 o Unable to read internal header at ...
224 o Unable to find CRLF at ...
225 o Unable to parse internal header at ...
226 o Unable to parse message date at ...
227 o Unable to parse message flags at ...
228 o Unable to parse message UID at ...
229 o Unable to parse message size at ...
230 o Last message (at ... ) runs past end of file ...
231 mean? I am using mbx format.
232 + 7.16 What do the syslog messages:
233 o imap/tcp server failing (looping)
234 o pop3/tcp server failing (looping)
235 mean? When it happens, the listed service shuts down. How can
236 I fix this?
237 + 7.17 What does the syslog message:
238 o Mailbox lock file /tmp/.600.1df3 open failure: Permission
239 denied
240 mean?
241 + 7.18 What do the syslog messages:
242 o Command stream end of file, while reading line user=...
243 host=...
244 o Command stream end of file, while reading char user=...
245 host=...
246 o Command stream end of file, while writing text user=...
247 host=...
248 mean?
249 + 7.19 Why did my POP or IMAP session suddenly disconnect? The
250 syslog has the message:
251 o Killed (lost mailbox lock) user=... host=...
252 + 7.20 Why does my IMAP client show all the files on the system,
253 recursively from the UNIX root directory?
254 + 7.21 Why does my IMAP client show all of my files, recursively
255 from my UNIX home directory?
256 + 7.22 Why does my IMAP client show that I have mailboxes named
257 "#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"?
258 + 7.23 Why does my IMAP client show all my files in my home
259 directory?
260 + 7.24 Why is there a long delay before I get connected to the
261 IMAP or POP server, no matter what client I use?
262 + 7.25 Why is there a long delay in Alpine or any other c-client
263 based application call before I get connected to the IMAP
264 server? The hang seems to be in the c-client mail_open() call.
265 I don't have this problem with any other IMAP client. There is
266 no delay connecting to a POP3 or NNTP server with mail_open().
267 + 7.26 Why does a message sometimes get split into two or more
268 messages on my SUN system?
269 + 7.27 Why did my POP or IMAP session suddenly disconnect? The
270 syslog has the message:
271 o Autologout user=<...my user name...> host=<...my imap
272 server...>
273 + 7.28 What does the UNIX error message:
274 o TLS/SSL failure: myserver: SSL negotiation failed
275 mean?
276 + 7.29 What does the PC error message:
277 o TLS/SSL failure: myserver: Unexpected TCP input
278 disconnect
279 mean?
280 + 7.30 What does the error message:
281 o TLS/SSL failure: myserver: Server name does not match
282 certificate
283 mean?
284 + 7.31 What does the UNIX error message:
285 o TLS/SSL failure: myserver: self-signed certificate
286 mean?
287 + 7.32 What does the PC error message
288 o TLS/SSL failure: myserver: Self-signed certificate or
289 untrusted authority
290 mean?
291 + 7.33 What does the UNIX error message:
292 o TLS/SSL failure: myserver: unable to get local issuer
293 certificate
294 mean?
295 + 7.34 Why does reading certain messages hang when using
296 Netscape? It works fine with Alpine!
297 + 7.35 Why does Netscape say that there's a problem with the
298 IMAP server and that I should "Contact your mail server
299 administrator."?
300 + 7.36 Why is one user creating huge numbers of IMAP or POP
301 server sessions?
302 + 7.37 Why don't I get any new mail notifications from Outlook
303 Express or Outlook after a while?
304 + 7.38 Why don't I get any new mail notifications from
305 Entourage?
306 + 7.39 Why doesn't Entourage work at all?
307 + 7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all?
308 + 7.41 Why can't I connect via SSL to Eudora? It says the
309 connection has been broken, and in the server syslogs I see
310 "Command stream end of file".
311 + 7.42 Sheesh. Aren't there any good IMAP clients out there?
312 + 7.43 But wait! PC Alpine (or other PC program build with
313 c-client) crashes with the message
314 o incomplete SecBuffer exceeds maximum buffer size
315 when I use SSL connections. This is a bug in c-client, right?
316 + 7.44 My qpopper users keep on getting the DON'T DELETE THIS
317 MESSAGE -- FOLDER INTERNAL DATA if they also use Alpine or
318 IMAP. How can I fix this?
319 + 7.45 Help! I installed the servers but I can't connect to them
320 from my client!
321 + 7.46 Why do I get the message
322 o Can not authenticate to SMTP server: 421 SMTP connection
323 went away!
324 and why did this happen? There was also something about
325 o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
326 + 7.47 Why do I get the message
327 o SMTP Authentication cancelled
328 and why did this happen? There was also something about
329 o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
330 + 7.48 Why do I get the message
331 o Invalid base64 string
332 when I try to authenticate to a Cyrus server?
333 * 8. Where to Go For Additional Information
334 + 8.1 Where can I go to ask questions?
335 + 8.2 I have some ideas for enhancements to IMAP. Where should I
336 go?
337 + 8.3 Where can I read more about IMAP and other email
338 protocols?
339 + 8.4 Where can I find out more about setting up and
340 administering an IMAP server?
341 __________________________________________________________________
343 What is Panda IMAP?
345 Panda IMAP is a fork of the final University of Washington
346 version (imap-2007b). The current UW version is imap-2007e which
347 has only minor changes from imap-2007b. All of these changes (or
348 something better) are in Panda IMAP.
350 Panda IMAP is available by donation.
352 Back to top
353 __________________________________________________________________
355 1. General/Software Feature Questions
356 __________________________________________________________________
358 1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.?
360 Yes. Refer to the UNIX specific notes in files CONFIG and BUILD.
362 Back to top
363 __________________________________________________________________
365 1.2 I am currently using qpopper as my POP3 server on UNIX. Do I need
366 to replace it with ipop3d in order to run imapd?
368 Not necessarily.
370 Although ipop3d interoperates with imapd better than qpopper,
371 imapd and qpopper will work together. The few qpopper/imapd
372 interoperability issues mostly affect users who use both IMAP
373 and POP3 clients; those users would probably be better served if
374 their POP3 server is ipop3d.
376 If you are happy with qpopper and just want to add imapd, you
377 should do that, and defer a decision on changing qpopper to
378 ipop3d. That way, you can get comfortable with imapd's
379 performance, without changing anything for your qpopper users.
381 Many sites have subsequently decided to change from qpopper to
382 ipop3d in order to get better POP3/IMAP interoperability. If you
383 need to do this, you'll know. There also seems to be a way to
384 make qpopper work better with imapd; see the answer to the My
385 qpopper users keep on getting the DON'T DELETE THIS MESSAGE --
386 FOLDER INTERNAL DATA if they also use Alpine or IMAP. How can I
387 fix this? question.
389 Back to top
390 __________________________________________________________________
392 1.3 Can I set up a POP or IMAP server on Windows XP, 2000, NT, Me, 98,
393 or 95?
395 Yes. Refer to the NT specific notes in files CONFIG and BUILD.
396 Also, for DOS-based versions of Windows (Windows Me, 98, and 95)
397 you *must* set up CRAM-MD5 authentication, as described in
398 md5.txt.
400 There is no file access control on Windows 9x or Me, so you
401 probably will have to do modifications to env_unix.c to prevent
402 people from hacking others' mail.
404 Note, however, that the server is not plug and play the way it
405 is for UNIX.
407 Back to top
408 __________________________________________________________________
410 1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS?
411 1.5 Can I set up a POP or IMAP server on Macintosh?
412 1.6 Can I set up a POP or IMAP server on VAX/VMS?
414 Yes, it's just a small matter of programming.
416 Back to top
417 __________________________________________________________________
419 1.7 Can I set up a POP or IMAP server on TOPS-20?
421 You have a TOPS-20 system? Cool.
423 If IMAP2 (RFC 1176) is good enough for you, you can use MAPSER
424 which is about the ultimate gonzo pure TOPS-20 extended
425 addressing assembly language program. Unfortunately, IMAP2 is
426 barely good enough for Alpine these days, and most other IMAP
427 clients won't work with IMAP2 at all. Maybe someone will hack
428 MAPSER to do IMAP4rev1 some day.
430 We don't know if anyone wrote a POP3 server for TOPS-20. There
431 definitely was a POP2 server once upon a time.
433 Or you can port the POP and IMAP server from this IMAP toolkit
434 to it. All that you need for a first stab is to port the MTX
435 driver. That'll probably be just a couple of hours of hacking.
437 Back to top
438 __________________________________________________________________
440 1.8 Are hierarchical mailboxes supported?
441 1.9 Are "dual-use" mailboxes supported?
442 1.10 Can I have a mailbox that has both messages and sub-mailboxes?
444 Yes. However, there is one important caveat.
446 Some mailbox formats, including the default which is the
447 traditional UNIX mailbox format, are stored as a single file
448 containing all the messages. UNIX does not permit a name in the
449 filesystem to be both a file and a directory; consequently you
450 can not have a sub-mailbox within a mailbox that is in one of
451 these formats.
453 This is not a limitation of the software; this is a limitation
454 of UNIX. For example, there are mailbox formats in which the
455 name is a directory and each message is a file within that
456 directory; these formats support sub-mailboxes within such
457 mailboxes. However, for technical reasons, the "flat file"
458 formats are generally preferred since they perform better. Read
459 imap-2010/docs/formats.txt for more information on this topic.
461 It is always permissible to create a directory that is not a
462 mailbox, and have sub-mailboxes under it. The easiest way to
463 create a directory is to create a new mailbox inside a directory
464 that doesn't already exist. For example, if you create
465 "Mail/testbox" on UNIX, the directory "Mail/" will automatically
466 be created and then the mailbox "testbox" will be created as a
467 sub-mailbox of "Mail/".
469 It is also possible to create the name "Mail/" directly. Check
470 the documentation for your client software to see how to do this
471 with that software.
473 Of course, on Windows systems you would use "\" instead of "/".
475 Back to top
476 __________________________________________________________________
478 1.11 What is the difference between "mailbox" and "folder"?
480 The term "mailbox" is IMAP-speak for what a lot of software
481 calls a "folder" or a "mail folder". However, "folder" is often
482 used in other contexts to refer to a directory, for example, in
483 the graphic user interface on both Windows and Macintosh.
485 A "mailbox" is specifically defined as a named object that
486 contains messages. It is not required to be capable of
487 containing other types of objects including other mailboxes;
488 although some mailbox formats will permit this.
490 In IMAP-speak, a mailbox which can not contain other mailboxes
491 is called a "no-inferiors mailbox". Similarly, a directory which
492 can not contain messages is not a mailbox and is called a
493 "no-select name".
495 Back to top
496 __________________________________________________________________
498 1.12 What is the status of internationalization?
500 The IMAP toolkit is partially internationalized and
501 multilingualized.
503 Searching is supported in the following charsets: US-ASCII,
504 UTF-8, ISO-8859-1, ISO-8859-2, ISO-8859-3, ISO-8859-4,
505 ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-9,
506 ISO-8859-10, ISO-8859-11, ISO-8859-13, ISO-8859-14, ISO-8859-15,
507 ISO-8859-16, KOI8-R, KOI8-U (alias KOI8-RU), TIS-620, VISCII,
508 ISO-2022-JP, ISO-2022-KR, ISO-2022-CN, ISO-2022-JP-1,
509 ISO-2022-JP-2, GB2312 (alias CN-GB), CN-GB-12345, BIG5 (alias
510 CN-BIG5), EUC-JP, EUC-KR, Shift_JIS, Shift-JIS, KS_C_5601-1987,
511 KS_C_5601-1992, WINDOWS_874, WINDOWS-1250, WINDOWS-1251,
512 WINDOWS-1252, WINDOWS-1253, WINDOWS-1254, WINDOWS-1255,
513 WINDOWS-1256, WINDOWS-1257, WINDOWS-1258.
515 All ISO-2022-?? charsets are treated identically, and support
516 ASCII, JIS Roman, hankaku katakana, ISO-8859-[1 - 10], TIS, GB
517 2312, JIS X 0208, JIS X 0212, KSC 5601, and planes 1 and 2 of
518 CNS 11643.
520 EUC-JP includes support for JIS X 0212 and hankaku katakana.
522 c-client library support also exists to convert text in any of
523 the above charsets into Unicode, including headers with MIME
524 encoded-words.
526 There is no support for localization (e.g. non-English error
527 messages) at the present time, but such support is planned.
529 Back to top
530 __________________________________________________________________
532 1.13 Can I use SSL?
534 Yes. See the answer to the How do I configure SSL? question.
536 Back to top
537 __________________________________________________________________
539 1.14 Can I use TLS and the STARTTLS facility?
541 Yes. See the answer to the How do I configure TLS and the
542 STARTTLS facility? question.
544 Back to top
545 __________________________________________________________________
547 1.15 Can I use CRAM-MD5 authentication?
549 Yes. See the answer to the How do I configure CRAM-MD5
550 authentication? question.
552 Back to top
553 __________________________________________________________________
555 1.16 Can I use APOP authentication?
557 Yes. See the How do I configure APOP authentication? question.
559 Note that there is no client support for APOP authentication.
561 Back to top
562 __________________________________________________________________
564 1.17 Can I use Kerberos V5?
566 Yes. See the answer to the How do I configure Kerberos V5?
567 question.
569 Back to top
570 __________________________________________________________________
572 1.18 Can I use PAM for plaintext passwords?
574 Yes. See the answer to the How do I configure PAM for plaintext
575 passwords? question.
577 Back to top
578 __________________________________________________________________
580 1.19 Can I use Kerberos 5 for plaintext passwords?
582 Yes. See the answer to the How do I configure Kerberos 5 for
583 plaintext passwords? question.
585 Back to top
586 __________________________________________________________________
588 1.20 Can I use AFS for plaintext passwords?
590 Yes. See the answer to the How do I configure AFS for plaintext
591 passwords? question.
593 Back to top
594 __________________________________________________________________
596 1.21 Can I use DCE for plaintext passwords?
598 Yes. See the answer to the How do I configure DCE for plaintext
599 passwords? question.
601 Back to top
602 __________________________________________________________________
604 1.22 Can I use the CRAM-MD5 database for plaintext passwords?
606 Yes. See the answer to the How do I configure the CRAM-MD5
607 database for plaintext passwords? question.
609 Back to top
610 __________________________________________________________________
612 1.23 Can I disable plaintext passwords?
614 Yes. See the answer to the How do I disable plaintext passwords?
615 question.
617 Back to top
618 __________________________________________________________________
620 1.24 Can I disable plaintext passwords on unencrypted sessions, but
621 allow them on encrypted sessions?
623 Yes. See the answer to the How do I disable plaintext passwords
624 on unencrypted sessions, but allow them in SSL or TLS sessions?
625 question.
627 Back to top
628 __________________________________________________________________
630 1.25 Can I use virtual hosts?
632 Yes. See the answer to the How do I configure virtual hosts?
633 question.
635 Back to top
636 __________________________________________________________________
638 1.26 Can I use RPOP authentication?
640 There is no support for RPOP authentication.
642 Back to top
643 __________________________________________________________________
645 1.27 Can I use Kerberos V4?
647 Kerberos V4 is not supported.
649 Back to top
650 __________________________________________________________________
652 1.28 Is there support for S/Key or OTP?
654 There is currently no support for S/Key or OTP. There may be an
655 OTP SASL authenticator available from third parties.
657 Back to top
658 __________________________________________________________________
660 1.29 Is there support for NTLM or SPA?
662 There is currently no support for NTLM or SPA, nor are there any
663 plans to add such support. In general, I avoid vendor-specific
664 mechanisms. I also believe that these mechanisms are being
665 deprecated by their vendor.
667 There may be an NTLM SASL authenticator available from third
668 parties.
670 Back to top
671 __________________________________________________________________
673 1.30 Is there support for mh?
675 Yes, but only as a legacy format. Your mh format INBOX is
676 accessed by the name "#mhinbox", and all other mh format
677 mailboxes are accessed by prefixing "#mh/" to the name, e.g.
678 "#mh/foo". The mh support uses the "Path:" entry in your
679 .mh_profile file to identify the root directory of your mh
680 format mailboxes.
682 Non-legacy use of mh format is not encouraged. There is no
683 support for permanent flags or unique identifiers; furthermore
684 there are known severe performance problems with the mh format.
686 Back to top
687 __________________________________________________________________
689 1.31 Is there support for qmail and the maildir format?
691 There is no support for qmail or the maildir format in our
692 distribution, nor are there any plans to add such support.
693 Maildir support may be available from third parties.
695 Back to top
696 __________________________________________________________________
698 1.32 Is there support for the Cyrus mailbox format?
700 No.
702 Back to top
703 __________________________________________________________________
705 1.33 Is this software Y2K compliant?
707 Please read the files Y2K and calendar.txt.
709 Back to top
710 __________________________________________________________________
712 2. What Do I Need to Build This Software?
713 __________________________________________________________________
715 2.1 What do I need to build this software with SSL on UNIX?
717 You need to build and install OpenSSL first.
719 Back to top
720 __________________________________________________________________
722 2.2 What do I need to build this software with Kerberos V on UNIX?
724 You need to build and install MIT Kerberos first.
726 Back to top
727 __________________________________________________________________
729 2.3 What do I need to use a C++ compiler with this software to build my
730 own application?
732 If you are building an application using the c-client library,
733 use the new c-client.h file instead of including the other
734 include files. It seems that c-client.h should define away all
735 the troublesome names that conflict with C++.
737 If you use gcc, you may need to use -fno-operator-names as well.
739 Back to top
740 __________________________________________________________________
742 2.4 What do I need to build this software on Windows?
744 You need Microsoft Visual C++ 6.0, Visual C++ .NET, or Visual C#
745 .NET (which you can buy from any computer store), along with the
746 Microsoft Platform SDK (which you can download from Microsoft's
747 web site).
749 You do not need to install the entire Platform SDK; it suffices
750 to install just the Core SDK and the Internet Development SDK.
752 Back to top
753 __________________________________________________________________
755 2.5 What do I need to build this software on DOS?
757 It's been several years since we last attempted to do this. At
758 the time, we used Microsoft C.
760 Back to top
761 __________________________________________________________________
763 2.6 Can't I use Borland C to build this software on the PC?
765 Probably not. If you know otherwise, please let us know.
767 Back to top
768 __________________________________________________________________
770 2.7 What do I need to build this software on the Mac?
772 It has been several years since we last attempted to do this. At
773 the time, we used Symantec THINK C; but today you'll need a C
774 compiler which allows segments to be more than 32K.
776 Back to top
777 __________________________________________________________________
779 2.8 What do I need to build this software on VMS?
781 You need the VMS C compiler, and either the Multinet or Netlib
782 TCP.
784 Back to top
785 __________________________________________________________________
787 2.9 What do I need to build this software on TOPS-20?
789 You need the TOPS-20 KCC compiler.
791 Back to top
792 __________________________________________________________________
794 2.10 What do I need to build this software on Amiga or OS/2?
796 We don't know.
798 Back to top
799 __________________________________________________________________
801 2.11 What do I need to build this software on Windows CE?
803 This port is incomplete. Someone needs to finish it.
805 Back to top
806 __________________________________________________________________
808 3. Build and Configuration Questions
809 __________________________________________________________________
811 3.1 How do I configure the IMAP and POP servers on UNIX?
812 3.2 I built and installed the servers according to the BUILD
813 instructions. It can't be that easy. Don't I need to write a config
814 file?
816 For ordinary "vanilla" UNIX systems, this software is plug and
817 play; just build it, install it, and you're done. If you have a
818 modified system, then you may want to do additional work; most
819 of this is to a single source code file (env_unix.c on UNIX
820 systems). Read the file CONFIG for more details.
822 Yes, it's that easy. There are some additional options, such as
823 SSL or Kerberos, which require additional steps to build. See
824 the relevant questions below.
826 Back to top
827 __________________________________________________________________
829 3.3 How do I make the IMAP and POP servers look for INBOX at some place
830 other than the mail spool directory?
831 3.4 How do I make the IMAP server look for secondary folders at some
832 place other than the user's home directory?
834 Please read the file CONFIG for discussion of this and other
835 issues.
837 Back to top
838 __________________________________________________________________
840 3.5 How do I configure SSL?
841 3.6 How do I configure TLS and the STARTTLS facility?
843 imap-2010 supports SSL and TLS client functionality on UNIX and
844 32-bit Windows for IMAP, POP3, SMTP, and NNTP; and SSL and TLS
845 server functionality on UNIX for IMAP and POP3.
847 UNIX SSL build requires that a third-party software package,
848 OpenSSL, be installed on the system first. Read
849 imap-2010/docs/SSLBUILD for more information.
851 SSL is supported via undocumented Microsoft interfaces in
852 Windows 9x and NT4; and via standard interfaces in Windows 2000,
853 Windows Millenium, and Windows XP.
855 Back to top
856 __________________________________________________________________
858 3.7 How do I build/install OpenSSL and obtain/create certificates for
859 use with SSL?
861 If you need help in doing this, try the contacts mentioned in
862 the OpenSSL README. We do not offer support for OpenSSL or
863 certificates.
865 Back to top
866 __________________________________________________________________
868 3.8 How do I configure CRAM-MD5 authentication?
869 3.9 How do I configure APOP authentication?
871 CRAM-MD5 authentication is enabled in the IMAP and POP3 client
872 code on all platforms. Read md5.txt to learn how to set up
873 CRAM-MD5 and APOP authentication on UNIX and NT servers.
875 There is no support for APOP client authentication.
877 Back to top
878 __________________________________________________________________
880 3.10 How do I configure Kerberos V5?
882 imap-2010 supports client and server functionality on UNIX and
883 32-bit Windows.
885 Kerberos V5 is supported by default in Windows 2000 builds:
887 nmake -f makefile.w2k
889 Other builds require that a third-party Kerberos package, e.g.
890 MIT Kerberos, be installed on the system first.
892 To build with Kerberos V5 on UNIX, include
893 EXTRAAUTHENTICATORS=gss in the make command line, e.g.
895 make lnp EXTRAAUTHENTICATORS=gss
897 To build with Kerberos V5 on Windows 9x, Windows Millenium, and
898 NT4, use the "makefile.ntk" file instead of "makefile.nt":
901 nmake -f makefile.ntk
903 Back to top
904 __________________________________________________________________
906 3.11 How do I configure PAM for plaintext passwords?
908 On Linux systems, use the lnp port, e.g.
910 make lnp
912 On Solaris systems and other systems with defective PAM
913 implementations, build with PASSWDTYPE=pmb, e.g.
915 make sol PASSWDTYPE=pmb
917 On all other systems, build with PASSWDTYPE=pam, e.g
919 make foo PASSWDTYPE=pam
921 If you build with PASSWDTYPE=pam and authentication does not
922 work, try rebuilding (after a "make clean") with PASSWDTYPE=pmb.
924 Back to top
925 __________________________________________________________________
927 3.12 It looks like all I have to do to make the server use Kerberos is
928 to build with PAM on my Linux system, and set it up in PAM for Kerberos
929 passwords. Right?
931 Yes and no.
933 Doing this will make plaintext password authentication use the
934 Kerberos password instead of the /etc/passwd password.
936 However, this will NOT give you Kerberos-secure authentication.
937 See the answer to the How do I configure Kerberos V5? question
938 for how to build with Kerberos-secure authentication.
940 Back to top
941 __________________________________________________________________
943 3.13 How do I configure Kerberos 5 for plaintext passwords?
945 Build with PASSWDTYPE=gss, e.g.
947 make sol PASSWDTYPE=gss
949 However, this will NOT give you Kerberos-secure authentication.
950 See the answer to the How do I configure Kerberos V5? question
951 for how to build with Kerberos-secure authentication.
953 Back to top
954 __________________________________________________________________
956 3.14 How do I configure AFS for plaintext passwords?
958 Build with PASSWDTYPE=afs, e.g
960 make sol PASSWDTYPE=afs
962 Back to top
963 __________________________________________________________________
965 3.15 How do I configure DCE for plaintext passwords?
967 Build with PASSWDTYPE=dce, e.g
969 make sol PASSWDTYPE=dce
971 Back to top
972 __________________________________________________________________
974 3.16 How do I configure the CRAM-MD5 database for plaintext passwords?
976 The CRAM-MD5 password database is automatically used for
977 plaintext password if it exists.
979 Note that this is NOT CRAM-MD5-secure authentication. You
980 probably want to consider disabling plaintext passwords for
981 non-SSL/TLS sessions. See the next two questions.
983 Back to top
984 __________________________________________________________________
986 3.17 How do I disable plaintext passwords?
988 Server-level plaintext passwords can be disabled by setting
989 PASSWDTYPE=nul, e.g.
991 make lnx EXTRAAUTHENTICATORS=gss PASSWDTYPE=nul
993 Note that you must have a CRAM-MD5 database installed or specify
994 at least one EXTRAAUTHENTICATOR, otherwise it will not be
995 possible to log in to the server.
997 When plaintext passwords are disabled, the IMAP server will
998 advertise the LOGINDISABLED capability and the POP3 server will
999 not advertise the USER capability.
1001 Back to top
1003 3.18 How do I disable plaintext passwords on unencrypted sessions, but
1004 allow them in SSL or TLS sessions?
1006 Do not set PASSWDTYPE=nul or SSLTYPE=unix. Set SSLTYPE=nopwd
1007 instead, e.g.
1009 make lnx SSLTYPE=nopwd
1011 When plaintext passwords are disabled, the IMAP server will
1012 advertise the LOGINDISABLED capability and the POP3 server will
1013 not advertise the USER capability.
1015 Plaintext passwords will always be enabled in SSL sessions; the
1016 IMAP server will not advertise the LOGINDISABLED capability and
1017 the POP3 server will advertise the USER capability.
1019 If the client does a successful start-TLS in a non-SSL session,
1020 plaintext passwords will be enabled, and a new CAPABILITY or
1021 CAPA command (which is required after start-TLS) will show the
1022 effect as in SSL sessions.
1024 Back to top
1025 __________________________________________________________________
1027 3.19 How do I configure virtual hosts?
1029 This is automatic, but with certain restrictions.
1031 The most important one is that each virtual host must have its
1032 own IP address; otherwise the server has no way of knowing which
1033 virtual host is desired.
1035 As distributed, the software uses a global password file; hence
1036 user "fred" on one virtual host is "fred" on all virtual hosts.
1037 You may want to modify the checkpw() routine to implement some
1038 other policy (e.g. separate password files).
1040 Note that the security model assumes that all users have their
1041 own unique UNIX UID number. So if you use separate password
1042 files you should make certain that the UID numbers do not
1043 overlap between different files.
1045 More advanced virtual host support may be available as patches
1046 from third parties.
1048 Back to top
1049 __________________________________________________________________
1051 3.20 Why do I get compiler warning messages such as:
1052 passing arg 3 of `scandir' from incompatible pointer type
1053 Pointers are not assignment-compatible.
1054 Argument #4 is not the correct type.
1056 during the build?
1058 You can safely ignore these messages.
1060 Over the years, the prototype for scandir() has changed, and
1061 thus is variant across different UNIX platforms. In particular,
1062 the definitions of the third argument (type select_t) and fourth
1063 argument (type compar_t) have changed over the years, the issue
1064 being whether or not the arguments to the functions pointed to
1065 by these function pointers are of type const or not.
1067 The way that c-client calls scandir() will tend to generate
1068 these compiler warnings on newer systems such as Linux; however,
1069 it will still build. The problem with fixing the call is that
1070 then it won't build on older systems.
1072 Back to top
1073 __________________________________________________________________
1075 3.21 Why do I get compiler warning messages such as
1076 Operation between types "void(*)(int)" and "void*" is not allowed.
1077 Function argument assignment between types "void*" and "void(*)(int)" is not al
1078 lowed.
1079 Pointers are not assignment-compatible.
1080 Argument #5 is not the correct type.
1082 during the build?
1084 You can safely ignore these messages.
1086 All known systems have no problem with casting a function
1087 pointer to/from a void* pointer, certain C compilers issue a
1088 compiler diagnostic because this facility is listed as a "Common
1089 extension" by the C standard:
1091 K.5.7 Function pointer casts
1092 [#1] A pointer to an object or to void may be cast to a pointer
1093 to a function, allowing data to be invoked as a function (6.3.4).
1094 [#2] A pointer to a function may be cast to a pointer to an
1095 object or to void, allowing a function to be inspected or
1096 modified (for example, by a debugger) (6.3.4).
1098 It may be just a "common extension", but this facility is relied
1099 upon heavily by c-client.
1101 Back to top
1102 __________________________________________________________________
1104 3.22 Why do I get linker warning messages such as:
1105 mtest.c:515: the `gets' function is dangerous and should not be used.
1107 during the build? Isn't this a security bug?
1109 You can safely ignore this message.
1111 Certain linkers, most notably on Linux, give this warning
1112 message. It is indeed true that the traditional gets() function
1113 is not a safe one.
1115 However, the mtest program is only a demonstration program, a
1116 model of a very basic application program using c-client. It is
1117 not something that you would install, much less run in any
1118 security-sensitive context.
1120 mtest has numerous other shortcuts that you wouldn't want to do
1121 in a real application program.
1123 The only "security bug" with mtest would be if it was run by
1124 some script in a security-sensitive context, but mtest isn't
1125 particularly useful for such purposes. If you wanted to write a
1126 script to automate some email task using c-client, you'd be
1127 better off using imapd instead of mtest.
1129 mtest only has two legitimate uses. It's a useful testbed for me
1130 when debugging new versions of c-client, and it's useful as a
1131 model for someone writing a simple c-client application to see
1132 how the various calls work.
1134 By the way, if you need a more advanced example of c-client
1135 programming than mtest (and you probably will), I recommend that
1136 you look at the source code for imapd and Alpine.
1138 Back to top
1139 __________________________________________________________________
1141 3.23 Why do I get linker warning messages such as:
1142 auth_ssl.c:92: the `tmpnam' function is dangerous and should not be used.
1144 during the build? Isn't this a security bug?
1146 You can safely ignore this message.
1148 Certain linkers, most notably on Linux, give this warning
1149 message, based upon two known issues with tmpnam():
1151 there can be a buffer overflow if an inadequate buffer is
1152 allocated.
1153 there can be a timing race caused by certain incautious
1154 usage of the return value.
1156 Neither of these issues applies in the particular use that is
1157 made of tmpnam(). More importantly, the tmpnam() call is never
1158 executed on Linux systems.
1160 Back to top
1161 __________________________________________________________________
1163 3.24 OK, suppose I see a warning message about a function being
1164 "dangerous and should not be used" for something other than this gets()
1165 or tmpnam() call?
1167 Please forward the details for investigation.
1169 Back to top
1170 __________________________________________________________________
1172 4. Operational Questions
1173 __________________________________________________________________
1175 4.1 How can I enable anonymous IMAP logins?
1177 Create the file /etc/anonymous.newsgroups. At the present time,
1178 this file should be empty. This will permit IMAP logins as
1179 anonymous as well as the ANONYMOUS SASL authenticator. Anonymous
1180 users have access to mailboxes in the #news., #ftp/, and
1181 #public/ namespaces only.
1183 Back to top
1184 __________________________________________________________________
1186 4.2 How do I set up an alert message that each IMAP user will see?
1188 Create the file /etc/imapd.alert with the text of the message.
1189 This text should be kept to one line if possible. Note that this
1190 will cause an alert to every IMAP user every time they initiate
1191 an IMAP session, so it should only be used for critical
1192 messages.
1194 Back to top
1195 __________________________________________________________________
1197 4.3 How does the c-client library choose which of its several
1198 mechanisms to use to establish an IMAP connection to the server? I
1199 noticed that it can connect on port 143, port 993, via rsh, and via
1200 ssh.
1202 c-client chooses how to establish an IMAP connection via the
1203 following rules:
1205 + If /ssl is specified, use an SSL connection. Fail otherwise.
1206 + Else if client is a UNIX system and "ssh server exec
1207 /etc/rimapd" works, use that
1208 + Else if /tryssl is specified and an SSL connection works, use
1209 that.
1210 + Else if client is a UNIX system and "rsh server exec
1211 /etc/rimapd" works, use that.
1212 + Else use a non-SSL connection.
1214 Back to top
1215 __________________________________________________________________
1217 4.4 I am using a TLS-capable IMAP server, so I don't need to use /ssl
1218 to get encryption. However, I want to be certain that my session is TLS
1219 encrypted before I send my password. How to I do this?
1221 Use the /tls option in the mailbox name. This will cause an
1222 error message and the connection to fail if the server does not
1223 negotiate STARTTLS.
1225 Back to top
1226 __________________________________________________________________
1228 4.5 How do I use one of the alternative formats described in the
1229 formats.txt document? In particular, I hear that mix format will give
1230 me better performance and allow shared access.
1232 The rumors about mix format being preferred are true. It is
1233 faster than the traditional UNIX mailbox format and permits
1234 shared access.
1236 However, and this is very important, note that using an
1237 alternative mailbox format is an advanced facility, and only
1238 expert users should undertake it. If you don't understand any of
1239 the following notes, you may not be enough of an expert yet, and
1240 are probably better off not going this route until you are more
1241 comfortable with your understanding.
1243 Some of the formats, including mix, are only supported by the
1244 software based on the c-client library, and are not recognized
1245 by other mailbox programs. The "vi" editor may corrupt mailboxes
1246 written in these formats.
1248 Another problem is that the certain formats, including mix and
1249 mbx, use advanced file access and locking techniques that do not
1250 work reliably with NFS. NFS is not a real filesystem. Use IMAP
1251 instead of NFS for distributed access.
1253 Each of the following steps are in escalating order of
1254 involvement. The further you go down this list, the more deeply
1255 committed you become:
1257 + The simplest way to create a mix-format mailbox is to prefix
1258 the name with "#driver.mix/" when creating a mailbox through
1259 c-client. For example, if you create "#driver.mix/foo", the
1260 mailbox "foo" will be created in mix format. Only use
1261 "#driver.mix/" when creating the mailbox. At all other times,
1262 just use the name ("foo" in this example); the software will
1263 automatically select the driver for mix whenever that mailbox
1264 is accessed without you doing anything else.
1265 + You can use the "mailutil copy" command to copy an existing
1266 mailbox to a new mailbox in mix format. Read the man page
1267 provided with the mailutil program for details.
1268 + If you create an mix-format INBOX, by creating
1269 "#driver.mix/INBOX" (note that "INBOX" must be all uppercase),
1270 then subsequent access to INBOX by any c-client based
1271 application will use the mix-format INBOX. Any mail delivered
1272 to the traditional format mailbox in the spool directory (e.g.
1273 /var/spool/mail/$USER) will automatically be copied into the
1274 mix-format INBOX and the spool directory copy removed.
1275 + You can cause any newly-created mailboxes to be in mix-format
1276 by default by changing the definition of CREATEPROTO=unixproto
1277 to be CREATEPROTO=mixproto in src/osdep/unix/Makefile, then
1278 rebuilding the IMAP toolkit (do a "make clean" first). Do not
1279 change EMPTYPROTO, since mix format mailboxes are directories
1280 and thus are never a zero-byte file. If you use Alpine or the
1281 imap-utils, you should probably also rebuild them with the new
1282 IMAP toolkit too.
1283 + You can deliver directly to the mix-format INBOX by use of the
1284 tmail or dmail programs. tmail is for direct invocation from
1285 sendmail (or whatever MTA program you use); dmail is for calls
1286 from procmail. Both of these programs have man pages which
1287 must be read carefully before making this change.
1289 Most other servers (e.g. Cyrus) require use of a non-standard
1290 format. A full-fledged format conversion is not significantly
1291 different from what you have to do with other servers. The
1292 difference, which makes format conversion procedures somewhat
1293 more complicated with this server, is that there is no "all or
1294 nothing" requirement with this server. There are many points in
1295 between. A format conversion can be anything from a single
1296 mailbox or single user, to systemwide.
1298 This is good in that you can decide how far to go, or do the
1299 steps incrementally as you become more comfortable with the
1300 result. On the other hand, there's no "One True Way" which can
1301 be boiled down to a simple set of pedagogical instructions.
1303 A number of sites have done full-fledged format conversions, and
1304 are reportedly quite happy with the results. Feel free to ask in
1305 the comp.mail.imap newsgroup for help.
1307 Back to top
1308 __________________________________________________________________
1310 4.6 How do I set up shared mailboxes?
1312 At the simplest level, a shared mailbox is one which has UNIX
1313 file and directory protections which permit multiple users to
1314 access it. What this means is that your existing skills and
1315 tools to create and manage shared files on your UNIX system
1316 apply to shared mailboxes; e.g.
1318 chmod 666 mailbox
1320 You may want to consider the use of a mailbox format which
1321 permits multiple simultaneous read/write sessions, such as the
1322 mix format. The traditional UNIX format only allows one
1323 read/write session to a mailbox at a time.
1325 An additional convenience item are three system directories,
1326 which can be set up for shared namespaces. These are: #ftp,
1327 #shared, and #public, and are defined by creating the associated
1328 UNIX users and home directories as described below.
1330 #ftp/ refers to the anonymous ftp filesystem exported by the ftp
1331 server, and is equivalent to the home directory for UNIX user
1332 "ftp". For example, #ftp/foo/bar refers to the file /foo/bar in
1333 the anonymous FTP filesystem, or ~ftp/foo/bar for normal users.
1334 Anonymous FTP files are available to anonymous IMAP logins. By
1335 default, newly-created files in #ftp/ are protected 644.
1337 #public/ refers to an IMAP toolkit convention called "public"
1338 files, and is equivalent to the home directory for UNIX user
1339 "imappublic". For example, #public/foo/bar refers to the file
1340 ~imappublic/foo/bar. Public files are available to anonymous
1341 IMAP logins. By default, newly-created files in #public are
1342 created with protection 0666.
1344 #shared/ refers to an IMAP toolkit convention called "shared"
1345 files, and is equivalent to the home directory for UNIX user
1346 "imapshared". For example, #shared/foo/bar refers to the file
1347 ~imapshared/foo/bar. Shared files are not available to anonymous
1348 IMAP logins. By default, newly-created files in #shared are
1349 created with protection 0660.
1351 Back to top
1352 __________________________________________________________________
1354 4.7 How can I make the server syslogs go to someplace other than the
1355 mail syslog?
1357 The openlog() call that sets the syslog facility is in
1358 src/osdep/unix/env_unix.c in routine server_init(). You need to
1359 edit this file to change the syslog facility from LOG_MAIL to
1360 the facility you want, then rebuild. You also need to set up
1361 your /etc/syslog.conf properly.
1363 Refer to the man pages for syslog and syslogd for more
1364 information on what the available syslog facilities are and how
1365 to configure syslogs. If you still don't understand what to do,
1366 find a UNIX system expert.
1368 Back to top
1369 __________________________________________________________________
1371 5. Security Questions
1372 __________________________________________________________________
1374 5.1 I see that the IMAP server allows access to arbitary files on the
1375 system, including /etc/passwd! How do I disable this?
1377 You should not worry about this if your IMAP users are allowed
1378 shell access. The IMAP server does not permit any access that
1379 the user can not have via the shell.
1381 If, and only if, you deny your IMAP users shell access, you may
1382 want to consider one of three choices. Note that these choices
1383 reduce IMAP functionality, and may have undesirable side
1384 effects. Each of these choices involves an edit to file
1385 src/osdep/unix/env_unix.c
1387 The first (and recommended) choice is to set restrictBox as
1388 described in file CONFIG. This will disable access to the
1389 filesystem root, to other users' home directory, and to superior
1390 directory.
1392 The second (and strongly NOT recommended) choice is to set
1393 closedBox as described in file CONFIG. This puts each IMAP
1394 session into a so-called "chroot jail", and thus setting this
1395 option is extremely dangerous; it can make your system much less
1396 secure and open to root compromise attacks. So do not use this
1397 option unless you are absolutely certain that you understand all
1398 the issues of a "chroot jail."
1400 The third choice is to rewrite routine mailboxfile() to
1401 implement whatever mapping from mailbox name to filesystem name
1402 (and restrictions) that you wish. This is the most general
1403 choice. As a guide, you can see at the start of routine
1404 mailboxfile() what the restrictBox choice does.
1406 Back to top
1407 __________________________________________________________________
1409 5.2 I've heard that IMAP servers are insecure. Is this true?
1411 There are no known security problems in this version of the IMAP
1412 toolkit, including the IMAP and POP servers. The IMAP and POP
1413 servers limit what can be done while not logged in, and as part
1414 of the login process discard all privileges except those of the
1415 user.
1417 As with other software packages, there have been buffer overflow
1418 vulnerabilities in past versions. All known problems of this
1419 nature are fixed in this version.
1421 There is every reason to believe that the bad guys are engaged
1422 in an ongoing effort to find vulnerabilities in the IMAP
1423 toolkit. We look for such problems, and when one is found we fix
1424 it.
1426 It's unfortunate that any vulnerabilities existed in past
1427 versions, and we're doing my best to keep the IMAP toolkit free
1428 of vulnerabilities. No new vulnerabilities have been discovered
1429 in quite a while, but efforts will not be relaxed.
1431 Beware of vendors who claim that their implementations can not
1432 have vulnerabilities.
1434 Back to top
1435 __________________________________________________________________
1437 5.3 How do I know that I have the most secure version of the server?
1439 The best way is to keep your server software up to date. The bad
1440 guys are always looking for ways to crack software, and when
1441 they find one, let all their friends know.
1443 Oldtimers used to refer to a concept of software rot: if your
1444 software hasn't been updated in a while, it would "rot" -- tend
1445 to acquire problems that it didn't have when it was new.
1447 Unfortunately, UW IMAP is rapidly succumbing to "software rot",
1448 as it is no longer being developed or maintained. If you have
1449 not yet switched to Panda IMAP, you should seriously consider
1450 doing so.
1452 Panda IMAP is available by donation. Donors are given a URL
1453 which they can use to download Panda IMAP, including future
1454 versions.
1456 Back to top
1457 __________________________________________________________________
1459 5.4 I see all these strcpy() and sprintf() calls, those are unsafe,
1460 aren't they?
1462 Yes and no.
1464 It can be unsafe to do these calls if you do not know that the
1465 string being written will fit in the buffer. However, they are
1466 perfectly safe if you do know that.
1468 Beware of programmers who advocate doing a brute-force change of
1469 all instances of
1471 strcpy (s,t);
1473 to
1475 strncpy (s,t,n)[n] = '\0';
1477 and similar measures in the name of "fixing all possible buffer
1478 overflows."
1480 There are examples in which a security bug was introduced
1481 because of this type of "fix", due to the programmer using the
1482 wrong value for n. In one case, the programmer thought that n
1483 was larger than it actually was, causing a NUL to be written out
1484 of the buffer; in another, n was too small, and a security
1485 credential was truncated.
1487 What is particularly ironic was that in both cases, the original
1488 strcpy() was safe, because the size of the source string was
1489 known to be safe.
1491 With all this in mind, the software has been inspected, and it
1492 is believed that all places where buffer overflows can happen
1493 have been fixed. The strcpy()s that are still are in the code
1494 occur after a size check was done in some other way.
1496 Note that the common C idiom of
1498 *s++ = c;
1500 is just as vulnerable to buffer overflows. You can't cure buffer
1501 overflows by outlawing certain functions, nor is it desirable to
1502 do so; sometimes operations like strcpy() translate into fast
1503 machine instructions for better performance.
1505 Nothing replaces careful study of code. That's how the bad guys
1506 find bugs. Security is not accomplished by means of brute-force
1507 shortcuts.
1509 Back to top
1510 __________________________________________________________________
1512 5.5 Those /tmp lock files are protected 666, is that really right?
1514 Yes. Shared mailboxes won't work otherwise. Also, you get into
1515 accidental denial of service problems with old lock files left
1516 lying around; this happens fairly frequently.
1518 The deliberate mischief that can be caused by fiddling with the
1519 lock files is small-scale; harassment level at most. There are
1520 many -- and much more effective -- other ways of harassing
1521 another user on UNIX. It's usually not difficult to determine
1522 the culprit.
1524 Before worrying about deliberate mischief, worry first about
1525 things happening by accident!
1527 Back to top
1528 __________________________________________________________________
1530 6. Why Did You Do This Strange Thing? Questions
1531 __________________________________________________________________
1533 6.1 Why don't you use GNU autoconfig / automake / autoblurdybloop?
1535 Autoconfig et al are not available on all the platforms where
1536 the IMAP toolkit is supported; and do not work correctly on some
1537 of the platforms where they do exist. Furthermore, these
1538 programs add another layer of complexity to an already complex
1539 process.
1541 Coaxing software that uses autoconfig to build properly on
1542 platforms which were not specifically considered by that
1543 software wastes an inordinate amount of time. When (not if)
1544 autoconfig fails to do the right thing, the result is an
1545 inpenetrable morass to untangle in order to find the problem and
1546 fix it.
1548 The concept behind autoconfig is good, but the execution is
1549 flawed. It rarely does the right thing on a platform that wasn't
1550 specifically considered. Human life is too short to debug
1551 autoconfig problems, especially since the current mechanism is
1552 so much easier.
1554 Back to top
1555 __________________________________________________________________
1557 6.2 Why do you insist upon a build with -g? Doesn't it waste disk and
1558 memory space?
1560 From time to time a submitted port has snuck in without -g. This
1561 has always ended up causing problems. There are only two valid
1562 excuses for not using -g in a port:
1564 + The compiler does not support -g
1565 + An alternate form of -g is needed with optimization, e.g. -g3.
1567 There will be no new ports added without -g (or a suitable
1568 alternative) being set.
1570 -g has not been arbitrarily added to the ports which do not
1571 currently have it because we don't know if doing so would break
1572 the build. However, any support issues with one of those port
1573 will lead to the correct -g setting being determined and
1574 permanently added.
1576 Processors are fast enough (and disk space is cheap enough) that
1577 -g should be automatic in all compilers with no way of turning
1578 it off, and /bin/strip should be a symlink to /bin/true. Human
1579 life is too short to deal with binaries built without -g. Such
1580 binaries should be a bad memory of the days of KIPS processors
1581 and disks that costs several dollars per kilobyte.
1583 Back to top
1584 __________________________________________________________________
1586 6.3 Why don't you make c-client a shared library?
1588 All too often, shared libraries create far more problems than
1589 they solve.
1591 Remember that you only gain the benefit of a shared library when
1592 there are multiple applications which use that shared library.
1593 Even without shared libraries, on most modern operating systems
1594 (and many ancient ones too!) applications will share their text
1595 segments between across multiple processes running the same
1596 application. This means that if your system only runs one
1597 application (e.g. imapd) that uses the c-client library, then
1598 you gain no benefit from making c-client a shared library even
1599 if it has 100 imapd processes. You will, however suffer added
1600 complexity.
1602 If you have a server system that just runs imapd and ipop3d,
1603 then making c-client a shared library will save just one copy of
1604 c-client no matter how many IMAP/POP3 processes are running.
1606 The problem with shared libraries is that you have to keep
1607 around a copy of the library every time something changes in the
1608 library that would affect the interface the library presents to
1609 the application. So, you end up having many copies of the same
1610 shared library.
1612 If you don't keep multiple copies of the shared library, then
1613 one of two things happens. If there was proper versioning, then
1614 you'll get a message such as "cannot open shared object file" or
1615 "minor versions don't match" and the application won't run.
1616 Otherwise, the application will run, but will fail in mysterious
1617 ways.
1619 Several sites and third-party distributors have modified the
1620 c-client makefile in order to make c-client be a shared library.
1621 When (not if) a c-client based application fails in mysterious
1622 ways because of a library compatibility problem, the result is a
1623 bug report. A lot of time and effort ends up getting wasted
1624 investigating such bug reports.
1626 Memory is so cheap these days that it's not worth it. Human life
1627 is too short to deal with shared library compatibility problems.
1629 Back to top
1630 __________________________________________________________________
1632 6.4 Why don't you use iconv() for internationalization support?
1634 iconv() is not ubiquitous enough.
1636 Back to top
1637 __________________________________________________________________
1639 6.5 Why is the IMAP server connected to the home directory by default?
1641 The IMAP server has no way of knowing what you might call "mail"
1642 as opposed to "some other file"; in fact, you can use IMAP to
1643 access any file.
1645 The IMAP server also doesn't know whether your preferred
1646 subdirectory for mailbox files is "mail/", ".mail/", "Mail/",
1647 "Mailboxes/", or any of a zillion other possibilities. If one
1648 such name were chosen, it would undoubtably anger the partisans
1649 of all the other names.
1651 It is possible to modify the software so that the default
1652 connected directory is someplace else. Please read the file
1653 CONFIG for discussion of this and other issues.
1655 Back to top
1656 __________________________________________________________________
1658 6.6 I have a Windows system. Why isn't the server plug and play for me?
1660 There is no standard for how mail is stored on Windows; nor a
1661 single standard SMTP server. The closest to either would be the
1662 SMTP server in Microsoft's IIS.
1664 So there's no default by which to make assumptions. As the
1665 software is set up, it assumes that the each user has an Windows
1666 login account and private home directory, and that mail is
1667 stored on that home directory as files in one of the popular
1668 UNIX formats. It also assumes that there is some tool equivalent
1669 to inetd on UNIX that does the TCP/IP listening and server
1670 startup.
1672 Basically, unless you're an email software hacker, you probably
1673 want to look elsewhere if you want IMAP/POP servers for Windows.
1675 Back to top
1676 __________________________________________________________________
1678 6.7 I looked at the UNIX SSL code and saw that you have the SSL data
1679 payload size set to 8192 bytes. SSL allows 16K; why aren't you using
1680 the full size?
1682 This is to avoid an interoperability problem with:
1684 + PC IMAP clients that use Microsoft's SChannel.DLL (SSPI) for
1685 SSL support
1686 + Microsoft Exchange server (which also uses SChannel).
1688 SChannel has a bug that makes it think that the maximum SSL data
1689 payload size is 16379 bytes -- 5 bytes too small. Thus, c-client
1690 has to make sure that it never transmits full sized SSL packets.
1692 The reason for using 8K (as opposed to, say, 16379 bytes, or
1693 15K, or...) is that it corresponds with the TCP buffer size that
1694 the software uses elsewhere for input; there's a slight
1695 performance benefit to having the two sizes correspond or at
1696 least be a multiple of each other. Also, it keeps the size as a
1697 power of two, which might be significant on some platforms.
1699 There wasn't a significant difference that we could measure
1700 between 8K and 15K.
1702 Microsoft has developed a hotfix for this bug. Look up MSKB
1703 article number 300562. Contrary to the article text which
1704 implies that this is a Alpine issue, this bug also affects
1705 Microsoft Exchange server with any client that transmits
1706 full-sized SSL payloads.
1708 Back to top
1709 __________________________________________________________________
1711 6.8 Why is an mh format INBOX called #mhinbox instead of just INBOX?
1713 It's a long story. In brief, the mh format driver is less
1714 functional than any of the other drivers. It turned out that
1715 there were some users (including high-level administrators) who
1716 tried mh years ago and no longer use it, but still had an mh
1717 profile left behind.
1719 When the mh driver used INBOX, it would see the mh profile, and
1720 proceed to move the user's INBOX into the mh format INBOX. This
1721 caused considerable confusion as some things stopped working.
1723 Back to top
1724 __________________________________________________________________
1726 6.9 Why don't you support the maildir format?
1728 It is technically difficult to support maildir in IMAP while
1729 maintaining acceptable performance, robustness, following the
1730 requirements of the IMAP protocol specification, and following
1731 the requirements of maildir.
1733 No one has succeeded in accomplishing all four together. The
1734 various maildir drivers offered as patches all have these
1735 problems. The problem is exacerbated because this implementation
1736 supports multiple formats; consequently this implementation
1737 can't make any performance shortcuts by assuming that all the
1738 world is maildir.
1740 We can't do a better job than the maildir fan community has done
1741 with their maildir drivers. Similarly, if the maildir fan
1742 community provides the maildir driver, they take on the
1743 responsibility for answering maildir-specific support questions.
1744 This is as it should be, and that is why maildir support is left
1745 to the maildir fan community.
1747 Back to top
1748 __________________________________________________________________
1750 6.10 Why don't you support the Cyrus format?
1752 There's no point to doing so. An implementation which supports
1753 multiple formats will never do as well as one which is optimized
1754 to support one single format.
1756 If you want to use Cyrus mailbox format, you should use the
1757 Cyrus server, which is the native implementation of that format
1758 and is specifically optimized for that format. That's also why
1759 Cyrus doesn't implement any other format.
1761 Back to top
1762 __________________________________________________________________
1764 6.11 Why is it creating extra forks on my SVR4 system?
1766 This is because your system only has fcntl() style locking and
1767 not flock() style locking. fcntl() locking has a design flaw
1768 that causes a close() to release any locks made by that process
1769 on the file opened on that file descriptor, even if the lock was
1770 made on a different file descriptor.
1772 This design flaw causes unexpected loss of lock, and consequent
1773 mailbox corruption. The workaround is to do certain "dangerous
1774 operations" in another fork, thus avoiding doing a close() in
1775 the vulnerable fork.
1777 The best way to solve this problem is to upgrade your SVR4
1778 (Solaris, AIX, HP-UX, SGI) or OSF/1 system to a more advanced
1779 operating system, such as Linux or BSD. These more advanced
1780 operating systems have fcntl() locking for compatibility with
1781 SVR4, but also have flock() locking.
1783 Beware of certain SVR4 systems, such as AIX, which have an
1784 "flock()" function in their C library that is just a jacket that
1785 does an fcntl() lock. This is not a true flock(), and has the
1786 same design flaw as fcntl().
1788 Back to top
1789 __________________________________________________________________
1791 6.12 Why are you so fussy about the date/time format in the internal
1792 "From " line in traditional UNIX mailbox files? My other mail program
1793 just considers every line that starts with "From " to be the start of
1794 the message.
1796 You just answered your own question. If any line that starts
1797 with "From " is treated as the start of a message, then every
1798 message text line which starts with "From " has to be quoted
1799 (typically by prefixing a ">" character). People complain about
1800 this -- "why did a > get stuck in my message?"
1802 So, good mail reading software only considers a line to be a
1803 "From " line if it follows the actual specification for a
1804 "From " line. This means, among other things, that the day of
1805 week is fixed-format: "May 14", but "May 7" (note the extra
1806 space) as opposed to "May 7". ctime() format for the date is the
1807 most common, although POSIX also allows a numeric timezone after
1808 the year. For compatibility with ancient software, the seconds
1809 are optional, the timezone may appear before the year, the old
1810 3-letter timezones are also permitted, and "remote from xxx" may
1811 appear after the whole thing.
1813 Unfortunately, some software written by novices use other
1814 formats. The most common error is to have a variable-width day
1815 of month, perhaps in the erroneous belief that RFC 2822 (or RFC
1816 822) defines the format of the date/time in the "From " line (it
1817 doesn't; no RFC describes internal formats). I've seen a few
1818 other goofs, such as a single-digit second, but these are less
1819 common.
1821 If you are writing your own software that writes mailbox files,
1822 and you really aren't all that savvy with all the ins and outs
1823 and ancient history, you should seriously consider using the
1824 c-client library (e.g. routine mail_append()) instead of doing
1825 the file writes yourself. If you must do it yourself, use
1826 ctime(), as in:
1828 fprintf (mbx,"From %s@%h %s",user,host,ctime (time (0)));
1830 rather than try to figure out a good format yourself. ctime() is
1831 the most traditional format and nobody will flame you for using
1832 it.
1834 Back to top
1835 __________________________________________________________________
1837 6.13 Why is traditional UNIX format the default format?
1839 Compatibility with the past 30 or so years of UNIX history. This
1840 server is the only one that completely interoperates with legacy
1841 UNIX mail tools.
1843 Back to top
1844 __________________________________________________________________
1846 6.14 Why do you write this "DON'T DELETE THIS MESSAGE -- FOLDER
1847 INTERNAL DATA" message at the start of traditional UNIX and MMDF format
1848 mailboxes?
1850 This pseudo-message serves two purposes.
1852 First, it establishes the mailbox format even when the mailbox
1853 has no messages. Otherwise, a mailbox with no messages is a
1854 zero-byte file, which could be one of several formats.
1856 Second, it holds mailbox metadata used by IMAP: the UID
1857 validity, the last assigned UID, and mailbox keywords. Without
1858 this metadata, which must be preserved even when the mailbox has
1859 no messages, the traditional UNIX format wouldn't be able to
1860 support the full capabilities of IMAP.
1862 Back to top
1863 __________________________________________________________________
1865 6.15 Why don't you stash the mailbox metadata in the first real message
1866 of the mailbox instead of writing this fake FOLDER INTERNAL DATA
1867 message?
1869 In fact, that is what is done if the mailbox is non-empty and
1870 does not already have a FOLDER INTERNAL DATA message.
1872 One problem with doing that is that if some external program
1873 removes the first message, the metadata is lost and must be
1874 recreated, thus losing any prior UID or keyword list status that
1875 IMAP clients may depend upon.
1877 Another problem is that this doesn't help if the last message is
1878 deleted. This will result in an empty mailbox, and the necessity
1879 to create a FOLDER INTERNAL DATA message.
1881 Back to top
1882 __________________________________________________________________
1884 6.16 Why aren't "dual-use" mailboxes the default?
1886 Compatibility with the past 30 or so years of UNIX history, not
1887 to mention compatibility with user expectations when using shell
1888 tools.
1890 Back to top
1891 __________________________________________________________________
1893 6.17 Why do you use ucbcc to build on Solaris?
1895 It is a long, long story about why cc is set to ucbcc. You need
1896 to invoke the C compiler so that it links with the SVR4
1897 libraries and not the BSD libraries, otherwise readdir() will
1898 return the wrong information.
1900 Of all the names in the most common path, ucbcc is the only name
1901 to be found (on /usr/ccs/bin) that points to a suitable
1902 compiler. cc is likely to be /usr/ucb/cc which is absolutely not
1903 the compiler that you want. The real SVR4 cc is probably
1904 something like /opt/SUNWspro/bin/cc which is rarely in anyone's
1905 path by default.
1907 ucbcc is probably a link to acc, e.g.
1908 /opt/SUNWspro/SC4.0/bin/acc, and is the UCB C compiler using the
1909 SVR4 libraries.
1911 If ucbcc isn't on your system, then punt on the SUN C compiler
1912 and use gcc instead (the gso port instead of the sol port).
1914 If, in spite of all the above warnings, you choose to change
1915 "ucbcc" to "cc", you will probably find that the -O2 needs to be
1916 changed to -O. If you don't get any error messages with -O2,
1917 that's a pretty good indicator that you goofed and are running
1918 the compiler that will link with the BSD libraries.
1920 To recap:
1922 + The sol port is designed to be built using the UCB compiler
1923 using the SVR4 libraries. This compiler is "ucbcc", which is
1924 lunk to acc. You use -O2 as one of the CFLAGS.
1925 + If you build the sol port with the UCB compiler using the BSD
1926 libraries, you will get no error messages but you will get bad
1927 binaries (the most obvious symptom is dropping the first two
1928 characters return filenames from the imapd LIST command. This
1929 compiler also uses -O2, and is very often what the user gets
1930 from "cc". BEWARE
1931 + If you build the sol port with the real SVR4 compiler, which
1932 is often hidden away or unavailable on many systems, then you
1933 will get errors from -O2 and you need to change that to -O.
1934 But you will get a good binary. However, you should try it
1935 with -O2 first, to make sure that you got this compiler and
1936 not the UCB compiler using BSD libraries.
1938 Back to top
1939 __________________________________________________________________
1941 6.18 Why should I care about some old system with BSD libraries? cc is
1942 the right thing on my Solaris system!
1944 Because there still are sites that use such systems. On those
1945 systems, the assumption that "cc" does the right thing will lead
1946 to corrupt binaries with no error message or other warning that
1947 anything is amiss.
1949 Too many sites have fallen victim to this problem.
1951 Back to top
1952 __________________________________________________________________
1954 6.19 Why do you insist upon writing .lock files in the spool directory?
1956 Compatibility with the past 30 years of UNIX software which
1957 deals with the spool directory, especially software which
1958 delivers mail. Otherwise, it is possible to lose mail.
1960 Back to top
1961 __________________________________________________________________
1963 6.20 Why should I care about compatibility with the past?
1965 This is one of those questions in which the answer never
1966 convinces those who ask it. Somehow, everybody who ever asks
1967 this question ends up answering it for themselves as they get
1968 older, with the very answer that they rejected years earlier.
1970 Back to top
1971 __________________________________________________________________
1973 7. Problems and Annoyances
1974 __________________________________________________________________
1976 7.1 Help! My INBOX is empty! What happened to my messages?
1978 If you are seeing "0 messages" when you open INBOX and you know
1979 you have messages there (and perhaps have looked at your mail
1980 spool file and see that messages are there), then probably there
1981 is something wrong with the very first line of your mail spool
1982 file. Make sure that the first five bytes of the file are "From
1983 ", followed by an email address and a date/time in ctime()
1984 format, e.g.:
1986 From fred@foo.bar Mon May 7 20:54:30 2001
1988 Back to top
1989 __________________________________________________________________
1991 7.2 Help! All my messages in a non-INBOX mailbox have been concatenated
1992 into one message which claims to be from me and has a subject of the
1993 file name of the mailbox! What's going on?
1995 Something wrong with the very first line of the mailbox. Make
1996 sure that the first five bytes of the file are "From ", followed
1997 by an email address and a date/time in ctime() format, e.g.:
1999 From fred@foo.bar Mon May 7 20:54:30 2001
2001 Back to top
2002 __________________________________________________________________
2004 7.3 Why do I get the message: CREATE failed: Can't create mailbox node
2005 xxxxxxxxx: File exists and how do I fix it?
2007 See the answer to the Are hierarchical mailboxes supported?
2008 question.
2010 Back to top
2011 __________________________________________________________________
2013 7.4 Why can't I log in to the server? The user name and password are
2014 right!
2016 There are a myriad number of possible answers to this question.
2017 The only way to say for sure what is wrong is run the server
2018 under a debugger such as gdb while root (yes, you must be root)
2019 with a breakpoint at routines checkpw() and loginpw(), then
2020 single-step until you see which test rejected you. The server
2021 isn't going to give any error messages other than "login failed"
2022 in the name of not giving out any unnecessary information to
2023 unauthorized individuals.
2025 Here are some of the more common reasons why login may fail:
2027 + You didn't really give the correct user name and/or password.
2028 + Your client doesn't send the LOGIN command correctly; for
2029 example, IMAP2 clients won't send a password containing a "*"
2030 correctly to an IMAP4 server.
2031 + If you have set up a CRAM-MD5 database, remember that the
2032 password used is the one in the CRAM-MD5 database, and
2033 furthermore that there must also be an entry in /etc/passwd
2034 (but the /etc/passwd password is not used).
2035 + If you are using PAM, have you created a service file for the
2036 server in /etc/pam.d?
2037 + If you are using shadow passwords, have you used an
2038 appropriate port when building? In particular, note that "lnx"
2039 is for Linux systems without shadow passwords; you probably
2040 want "slx" or "lnp" instead.
2041 + If your system has account or password expirations, check to
2042 see that the expiration date hasn't passed.
2043 + You can't log in as root or any other UID 0 user. This is for
2044 your own safety, not to mention the fact that the servers use
2045 UID 0 as meaning "not logged in".
2047 Back to top
2048 __________________________________________________________________
2050 7.5 Help! My load average is soaring and I see hundreds of POP and IMAP
2051 servers, many logged in as the same user!
2053 Certain inferior losing GUI mail reading programs have a
2054 "synchronize all mailboxes at startup" (IMAP) or "check for new
2055 mail every second" (POP) feature which causes a rapid and
2056 unchecked spawning of servers.
2058 This is not a problem in the server; the client is really asking
2059 for all those server sessions. Unfortunately, there isn't much
2060 that the POP and IMAP servers can do about it; they don't
2061 spawned themselves.
2063 Some sites have added code to record the number of server
2064 sessions spawned per user per hour, and disable login for a user
2065 who has exceeded a predetermined rate. This doesn't stop the
2066 servers from being spawned; it just means that a server session
2067 will commit suicide a bit faster.
2069 Another possibility is to detect excessive server spawning
2070 activity at the level where the server is spawned, which would
2071 be inetd or possibly tcpd. The problem here is that this is a
2072 hard time to quantify. 50 sessions in a minute from a multi-user
2073 timesharing system may be perfectly alright, whereas 10 sessions
2074 a minute from a PC may be too much.
2076 The real solution is to fix the client configuration, by
2077 disabling those evil features. Also tell the vendors of those
2078 clients how you feel about distributing denial-of-service attack
2079 tools in the guise of mail reading programs.
2081 Back to top
2082 __________________________________________________________________
2084 7.6 Why does mail disappear even though I set "keep mail on server"?
2085 7.7 Why do I get the message Moved ##### bytes of new mail to
2086 /home/user/mbox from /var/spool/mail/user and why did this happen?
2088 This is probably caused by the mbox driver. If the file "mbox"
2089 exists on the user's home directory and is in UNIX mailbox
2090 format, then when INBOX is opened this file will be selected as
2091 INBOX instead of the mail spool file. Messages will be
2092 automatically transferred from the mail spool file into the mbox
2093 file.
2095 To disable this behavior, delete "mbox" from the EXTRADRIVERS
2096 list in the top-level Makefile and rebuild. Note that if you do
2097 this, users won't be able to access the messages that have
2098 already been moved to mbox unless they open mbox instead of
2099 INBOX.
2101 Back to top
2102 __________________________________________________________________
2104 7.8 Why isn't it showing the local host name as a fully-qualified
2105 domain name?
2106 7.9 Why is the local host name in the From/Sender/Message-ID headers of
2107 outgoing mail not coming out as a fully-qualified domain name?
2109 Your UNIX system is misconfigured. The entry for your system in
2110 /etc/hosts must have the fully-qualified domain name first, e.g.
2112 105.69.1.234 myserver.example.com myserver
2114 A common mistake of novice system administrators is to have the
2115 short name first, e.g.
2117 105.69.1.234 myserver myserver.example.com
2119 or to omit the fully qualified domain name entirely, e.g.
2121 105.69.1.234 myserver
2123 The result of this is that when the IMAP toolkit does a
2124 gethostbyname() call to get the fully-qualified domain name, it
2125 would get "myserver" instead of "myserver.example.com".
2127 On some systems, a configuration file (typically named
2128 /etc/svc.conf, /etc/netsvc.conf, or /etc/nsswitch.conf) can be
2129 used to configure the system to use the domain name system (DNS)
2130 instead of /etc/hosts, so it doesn't matter if /etc/hosts is
2131 misconfigured.
2133 Check the man pages for gethostbyname, hosts, svc, and/or netsvc
2134 for more information.
2136 Unfortunately, certain vendors, most notably SUN, have failed to
2137 make this clear in their documentation. Most of SUN's
2138 documentation assumes a corporate network that is not connected
2139 to the Internet.
2141 net.folklore once (late 1980s) held that the proper procedure
2142 was to append the results of getdomainname() to the name
2143 returned by gethostname(), and some versions of sendmail
2144 configuration files were distributed that did this. This was
2145 incorrect; the string returned from getdomainname() is the
2146 Yellow Pages (a.k.a NIS) domain name, which is a completely
2147 different (albeit unfortunately named) entity from an Internet
2148 domain. These were often fortuitously the same string, except
2149 when they weren't. Frequently, this would result in host names
2150 with spuriously doubled domain names, e.g.
2152 myserver.example.com.example.com
2154 This practice has been thoroughly discredited for many years,
2155 but folklore dies hard.
2157 Back to top
2158 __________________________________________________________________
2160 7.10 What does the message: Mailbox vulnerable - directory
2161 /var/spool/mail must have 1777 protection mean? How can I fix this?
2163 In order to update a mailbox in the default UNIX format, it is
2164 necessary to create a lock file to prevent the mailer from
2165 delivering mail while an update is in progress. Some systems use
2166 a directory protection of 775, requiring that all mail handling
2167 programs be setgid mail; or of 755, requiring that all mail
2168 handling programs be setuid root.
2170 The IMAP toolkit does not run with any special privileges, and I
2171 plan to keep it that way. It is antithetical to the concept of a
2172 toolkit if users can't write their own programs to use it. Also,
2173 I've had enough bad experiences with security bugs while running
2174 privileged; the IMAP and POP servers have to be root when not
2175 logged in, in order to be able to log themselves in. I don't
2176 want to go any deeper down that slippery slope.
2178 Directory protection 1777 is secure enough on most well-managed
2179 systems. If you can't trust your users with a 1777 mail spool
2180 (petty harassment is about the limit of the abuse exposure),
2181 then you have much worse problems then that.
2183 If you absolutely insist upon requiring privileges to create a
2184 lock file, external file locking can be done via a setgid mail
2185 program named /etc/mlock (this is defined by LOCKPGM in the
2186 c-client Makefile). If the toolkit is unable to create a
2187 <...mailbox...>.lock file in the directory by itself, it will
2188 try to call mlock to do it. I do not recommend doing this for
2189 performance reasons.
2191 A sample mlock program is included as part of imap-2010. We have
2192 tried to make this sample program secure, but it has not been
2193 thoroughly audited.
2195 Back to top
2196 __________________________________________________________________
2198 7.11 What does the message: Mailbox is open by another process, access
2199 is readonly mean? How do I fix this?
2201 A problem occurred in applying a lock to a /tmp lock file.
2202 Either some other program has the mailbox open and won't
2203 relenquish it, or something is wrong with the protection of /tmp
2204 or the lock.
2206 Make sure that the /tmp directory is protected 1777. Some
2207 security scripts incorrectly set the protection of the /tmp
2208 directory to 775, which disables /tmp for all non-privileged
2209 programs.
2211 Back to top
2212 __________________________________________________________________
2214 7.12 What does the message: Can't get write access to mailbox, access
2215 is readonly mean?
2217 The mailbox file is write-protected against you.
2219 Back to top
2220 __________________________________________________________________
2222 7.13 I set my POP3 client to "delete messages from server" but they
2223 never get deleted. What is wrong?
2225 Make sure that your mailbox is not read-only: that the mailbox
2226 is owned by you and write enabled (protection 0600), and that
2227 the /tmp directory is longer world-writeable. /tmp must be
2228 world-writeable because lots of applications use it for scratch
2229 space. To fix this, do
2232 chmod 1777 /tmp
2234 as root.
2236 Make sure that your POP3 client issues a QUIT command when it
2237 finishes. The POP3 protocol specifies that deletions are
2238 discarded unless a proper QUIT is done.
2240 Make sure that you are not opening multiple POP3 sessions to the
2241 same mailbox. It is a requirement of the POP3 protocol than only
2242 one POP3 session be in effect to a mailbox at a time, however
2243 some, poorly-written POP3 clients violate this. Also, some
2244 background "check for new mail" tasks also cause a violation.
2245 See the answer to the What does the syslog message: Killed (lost
2246 mailbox lock) user=... host=... mean? question for more details.
2248 Back to top
2249 __________________________________________________________________
2251 7.14 What do messages such as:
2252 Message ... UID ... already has UID ...
2253 Message ... UID ... less than ...
2254 Message ... UID ... greater than last ...
2255 Invalid UID ... in message ..., rebuilding UIDs
2257 mean?
2259 Something happened to corrupt the unique identifier regime in
2260 the mailbox. In traditional UNIX-format mailboxes, this can
2261 happen if the user deleted the "DO NOT DELETE" internal message.
2263 This problem is relatively harmless; a new valid unique
2264 identifier regime will be created. The main effect is that any
2265 references to the old UIDs will no longer be useful.
2267 So, unless it is a chronic problem or you feel like debugging,
2268 you can safely ignore these messages.
2270 Back to top
2271 __________________________________________________________________
2273 7.15 What do the error messages:
2274 Unable to read internal header at ...
2275 Unable to find CRLF at ...
2276 Unable to parse internal header at ...
2277 Unable to parse message date at ...
2278 Unable to parse message flags at ...
2279 Unable to parse message UID at ...
2280 Unable to parse message size at ...
2281 Last message (at ... ) runs past end of file ...
2283 mean? I am using mbx format.
2285 The mbx-format mailbox is corrupted and needs to be repaired.
2287 You should make an effort to find out why the corruption
2288 happened. Was there an obvious system problem (crash or disk
2289 failure)? Did the user accidentally access the file via NFS?
2290 Mailboxes don't get corrupted by themselves; something caused
2291 the problem.
2293 Some people have developed automated scripts, but if you're
2294 comfortable using emacs it's pretty easy to fix it manually. Do
2295 not use vi or any other editor unless you are certain that
2296 editor can handle binary!!!
2298 If you are not comfortable with emacs, or if the file is too
2299 large to read with emacs, see the "step-by-step" technique later
2300 on for another way of doing it.
2302 After the word "at" in the error message is the byte position it
2303 got to when it got unhappy with the file, e.g. if you see:
2305 Unable to parse internal header at 43921: ne bombastic blurdybloop
2307 The problem occurs at the 43,931 byte in the file. That's the
2308 point you need to fix. c-client is expecting an internal header
2309 at that byte number, looking something like:
2311 6-Jan-1998 17:42:24 -0800,1045;000000100001-00000001
2313 The format of this internal line is:
2315 dd-mmm-yyyy hh:mm:ss +zzzz,ssss;ffffffffFFFF-UUUUUUUU
2317 The only thing that is variable is the "ssss" field, it can be
2318 as many digits as needed. All other fields (inluding the "dd")
2319 are fixed width. So, the easiest thing to do is to look forward
2320 in the file for the next internal header, and delete everything
2321 from the error point to that internal header.
2323 Here's what to do if you want to be smarter and do a little bit
2324 more work. Generally, you're in the middle of a message, and
2325 there's nothing wrong with that message. The problem happened in
2326 the *previous* message. So, search back to the previous internal
2327 header. Now, remember that "ssss" field? That's the size of that
2328 message.
2330 Mark where you are in the file, move the cursor to the line
2331 after the internal header, and skip that many bytes ("ssss")
2332 forward. If you're at the point of the error in the file, then
2333 that message is corrupt. If you're at a different point, then
2334 perhaps the previous message is corrupt and has a too long size
2335 count that "ate" into this message.
2337 Basically, what you need to do is make sure that all those size
2338 counts are right, and that moving "ssss" bytes from the line
2339 after the internal header will land you at another internal
2340 header.
2342 Usually, once you know what you're looking at, it's pretty easy
2343 to work out the corruption, and the best remedial action. Repair
2344 scripts will make the problem go away but may not always do the
2345 smartest/best salvage of the user's data. Manual repair is more
2346 flexible and usually preferable.
2348 Here is a step-by-step technique for fixing corrupt mbx files
2349 that's a bit cruder than the procedure outlined above, but works
2350 for any size file.
2352 In this example, suppose that the corrupt file is INBOX, the
2353 error message is
2355 Unable to find CRLF at 132551754
2357 and the size of the INBOX file is 132867870 bytes.
2359 The first step is to split the mailbox file at the point of the
2360 error:
2362 + Rename the INBOX file to some other name, such as INBOX.bad.
2363 + Copy the first 132,551,754 bytes of INBOX.bad to another file,
2364 such as INBOX.new.
2365 + Extract the trailing 316,116 bytes (132867870-132551754) of
2366 INBOX.bad into another file, such as INBOX.tail.
2367 + You no longer need INBOX.bad. Delete it.
2369 In other words, use the number from the "Unable to find CRLF at"
2370 as the point to split INBOX into two new files, INBOX.new and
2371 INBOX.tail.
2373 Now, remove the erroneous data:
2375 + Verify that you can open INBOX.new in IMAP or Alpine.
2376 + The last message of INBOX.new is probably corrupted. Copy it
2377 to another file, such as badmsg.1, then delete and expunge
2378 that last message from INBOX.new
2379 + Locate the first occurance of text in INBOX.tail which looks
2380 like an internal header, as described above.
2381 + Remove all the text which occurs prior to that point, and
2382 place it into another file, such as badmsg.2. Note that in the
2383 case of a single digit date, there is a leading space which
2384 must not be removed (e.g. " 6-Nov-2001" not "6-Nov-2001").
2386 Reassemble the mailbox:
2388 + Append INBOX.tail to INBOX.new.
2389 + You no longer need INBOX.tail. Delete it.
2390 + Verify that you can open INBOX.new in IMAP or Alpine.
2392 Reinstall INBOX.new as INBOX:
2394 + Check to see if you have received any new messages while
2395 repairing INBOX.
2396 + If you haven't received any new messages while repairing
2397 INBOX, just rename INBOX.new to INBOX.
2398 + If you have received new messages, be sure to copy the new
2399 messages from INBOX to INBOX.new before doing the rename.
2401 You now have a working INBOX, as well as two files with
2402 corrupted data (badmsg.1 and badmsg.2). There may be some useful
2403 data in the two badmsg files that you might want to try
2404 salvaging; otherwise you can delete the two badmsg files.
2406 Back to top
2407 __________________________________________________________________
2409 7.16 What do the syslog messages:
2411 imap/tcp server failing (looping)
2412 pop3/tcp server failing (looping)
2414 mean? When it happens, the listed service shuts down. How can I fix
2415 this?
2417 The error message "server failing (looping), service terminated"
2418 is not from either the IMAP or POP servers. Instead, it comes
2419 from inetd, the daemon which listens for TCP connections to a
2420 number of servers, including the IMAP and POP servers.
2422 inetd has a limit of 40 new server sessions per minute for any
2423 particular service. If more than 40 sessions are initiated in a
2424 minute, inetd will issue the "failing (looping), service
2425 terminated" message and shut down the service for 10 minutes.
2426 inetd does this to prevent system resource consumption by a
2427 client which is spawning infinite numbers of servers. It should
2428 be noted that this is a denial of service; however for some
2429 systems the alternative is a crash which would be a worse denial
2430 of service!
2432 For larger server systems, the limit of 40 is much too low. The
2433 limit was established many years ago when a system typically
2434 only ran a few dozen servers.
2436 On some versions of inetd, such as the one distributed with most
2437 versions of Linux, you can modify the /etc/inetd.conf file to
2438 have a larger number of servers by appending a period followed
2439 by a number after the nowait word for the server entry. For
2440 example, if your existing /etc/inetd.conf line reads:
2442 imap stream tcp nowait root /usr/etc/imapd imapd
2444 try changing it to be:
2446 imap stream tcp nowait.100 root /usr/etc/imapd imapd
2448 Another example (using TCP wrappers):
2450 imap stream tcp nowait root /usr/sbin/tcpd imapd
2452 try changing it to be:
2454 imap stream tcp nowait.100 root /usr/sbin/tcpd imapd
2456 to increase the limit to 100 sessions/minute.
2458 Before making this change, please read the information in "man
2459 inetd" to determine whether or not your inetd has this feature.
2460 If it does not, and you make this change, the likely outcome is
2461 that you will disable IMAP service entirely.
2463 Another way to fix this problem is to edit the inetd.c source
2464 code (provided by your UNIX system vendor) to set higher limits,
2465 rebuild inetd, install the new binary, and reboot your system.
2466 This should only be done by a UNIX system expert. In the inetd.c
2467 source code, the limits TOOMANY (normally 40) is the maximum
2468 number of new server sessions permitted per minute, and
2469 RETRYTIME (normally 600) is the number of seconds inetd will
2470 shut down the server after it exceeds TOOMANY.
2472 Back to top
2473 __________________________________________________________________
2475 7.17 What does the syslog message: Mailbox lock file /tmp/.600.1df3
2476 open failure: Permission denied mean?
2478 This usually means that some "helpful" security script person
2479 has protected /tmp so that it is no longer world-writeable. /tmp
2480 must be world-writeable because lots of applications use it for
2481 scratch space. To fix this, do
2483 chmod 1777 /tmp
2485 as root.
2487 If that isn't the answer, check the protection of the named
2488 file. If it is something other than 666, then either someone is
2489 hacking or some "helpful" person modified the code to have a
2490 different default lock file protection.
2492 Back to top
2493 __________________________________________________________________
2495 7.18 What do the syslog messages:
2496 Command stream end of file, while reading line user=... host=...
2497 Command stream end of file, while reading char user=... host=...
2498 Command stream end of file, while writing text user=... host=...
2500 mean?
2502 This message occurs when the session is disconnected without a
2503 proper LOGOUT (IMAP) or QUIT (POP) command being received by the
2504 server first.
2506 In many cases, this is perfectly normal; many client
2507 implementations are impolite and do this. Some programmers think
2508 this sort of rudeness is "more efficient".
2510 The condition could, however, indicate a client or network
2511 connectivity problem. The server has no way of knowing whether
2512 there's a problem or just a rude client, so it issues this
2513 message instead of a Logout.
2515 Certain inferior losing clients disconnect abruptly after a
2516 failed login, and instead of saying that the login failed, just
2517 say that they can't access the mailbox. They then complain to
2518 the system manager, who looks in the syslog and finds this
2519 message. Not very helpful, eh? See the answer to the Why can't I
2520 log in to the server? The user name and password are right!
2521 question.
2523 If the user isn't reporting a problem, you can probably ignore
2524 this message.
2526 Back to top
2527 __________________________________________________________________
2529 7.19 Why did my POP or IMAP session suddenly disconnect? The syslog has
2530 the message: Killed (lost mailbox lock) user=... host=...
2532 This message only happens when either the traditional UNIX
2533 mailbox format or MMDF format is in use. This format only allows
2534 one session to have the mailbox open read/write at a time.
2536 The servers assume that if a second session attempts to open the
2537 mailbox, that means that the first session is probably owned by
2538 an abandoned client. The common scenario here is a user who
2539 leaves his client running at the office, and then tries to read
2540 his mail from home. Through an internal mechanism called kiss of
2541 death, the second session requests the first session to kill
2542 itself. When the first session receives the "kiss of death", it
2543 issues the "Killed (lost mailbox lock)" syslog message and
2544 terminates. The second session then seizes read/write access,
2545 and becomes the new "first" session.
2547 Certain poorly-designed clients routinely open multiple sessions
2548 to the same mailbox; the users of those clients tend to get this
2549 message a lot.
2551 Another cause of this message is a background "check for new
2552 mail" task which does its work by opening a POP session to
2553 server every few seconds. They do this because POP doesn't have
2554 a way to announce new mail.
2556 The solution to both situations is to replace the client with a
2557 good online IMAP client such as Alpine. Life is too short to
2558 waste on POP clients and poorly-designed IMAP clients.
2560 Back to top
2561 __________________________________________________________________
2563 7.20 Why does my IMAP client show all the files on the system,
2564 recursively from the UNIX root directory?
2565 7.21 Why does my IMAP client show all of my files, recursively from my
2566 UNIX home directory?
2568 A well-written client should only show one level of hierarchy
2569 and then stop, awaiting explicit user action before going lower.
2570 However, some poorly-designed clients will recursively list all
2571 files, which may be a very long list (especially if you have
2572 symbolic links to directories that create a loop in the
2573 filesystem graph!).
2575 This behavior has also been observed in some third-party
2576 c-client drivers, including maildir drivers. Consequently, this
2577 problem has even been observed in Alpine. It is important to
2578 understand that this is not a problem in Alpine or c-client; it
2579 is a problem in the third-party driver. A Alpine built without
2580 that third-party driver will not have this problem.
2582 See also the answer to Why does my IMAP client show all my files
2583 in my home directory?
2585 Back to top
2586 __________________________________________________________________
2588 7.22 Why does my IMAP client show that I have mailboxes named
2589 "#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"?
2591 These are IMAP namespace names. They represent other hierarchies
2592 in which messages may exist. These hierarchies may not
2593 necessarily exist on a server, but the namespace name is still
2594 in the namespace list in order to mark it as reserved.
2596 A few poorly-designed clients display all namespace names as if
2597 they were top-level mailboxes in a user's list of mailboxes,
2598 whether or not they actually exist. This is a flaw in those
2599 clients.
2601 Back to top
2602 __________________________________________________________________
2604 7.23 Why does my IMAP client show all my files in my home directory?
2606 As distributed, the IMAP server is connected to your home
2607 directory by default. It has no way of knowing what you might
2608 call "mail" as opposed to "some other file"; in fact, you can
2609 use IMAP to access any file.
2611 Most clients have an option to configure your connected
2612 directory on the IMAP server. For example, in Alpine you can
2613 specify this as the "Path" in your folder-collection, e.g.
2615 Nickname : Secondary Folders
2616 Server : imap.example.com
2617 Path : mail/
2618 View :
2620 In this example, the user is connected to the "mail"
2621 subdirectory of his home directory.
2623 Other servers call this the "folder prefix" or similar term.
2625 It is possible to modify the IMAP server so that all users are
2626 automatically connected to some other directory, e.g. a
2627 subdirectory of the user's home directory. Read the file CONFIG
2628 for more details.
2630 Back to top
2631 __________________________________________________________________
2633 7.24 Why is there a long delay before I get connected to the IMAP or
2634 POP server, no matter what client I use?
2636 There are two common occurances of this problem:
2638 + You are running a system (e.g. certain versions of Linux)
2639 which by default attempts to connect to an "IDENT" protocol
2640 (port 113) server on your client. However, a firewall or NAT
2641 box is blocking connections to that port, so the connection
2642 attempt times out.
2643 The IDENT protocol is a well-known bad idea that does not
2644 deliver any real security but causes incredible problems. The
2645 idea is that this will give the server a record of the user
2646 name, or at least what some program listening on port 113 says
2647 is the user name. So, if somebody coming from port nnnnn on a
2648 system does something bad, IDENT may give you the userid of
2649 the bad guy.
2650 The problem is, IDENT is only meaningful on a timesharing
2651 system which has an administrator who is privileged and users
2652 who are not. It is of no value on a personal system which has
2653 no separate concept of "system administrator" vs.
2654 "unprivileged user".
2655 On either type of system, security-minded people either turn
2656 IDENT off or replace it with an IDENT server that lies. Among
2657 other things, IDENT gives spammers the ability to harvest
2658 email addresses from anyone who connects to a web page.
2659 This problem has been showing up quite frequently on systems
2660 which use xinetd instead of inetd. Look for files named
2661 /etc/xinetd.conf, /etc/xinetd.d/imapd, /etc/inetd.d/ipop2d,
2662 and /etc/xinetd.d/ipop3d. In those files, look for lines
2663 containing "USERID", e.g.
2664 log_on_success += USERID
2665 Hunt down such lines, and delete them ruthlessly from all
2666 files in which they occur. Don't be shy about it.
2667 + The DNS is taking a long time to do a reverse DNS (PTR record)
2668 lookup of the IP address of your client. This is a problem in
2669 your DNS, which either you or you ISP need to resolve.
2670 Ideally, the DNS should return the client's name; but if it
2671 can't it should at least return an error quickly.
2673 As you may have noticed, neither of these are actual problems in
2674 the IMAP or POP servers; they are configuration issues with
2675 either your system or your network infrastructure. If this is
2676 all new to you, run (don't walk) to the nearest technical
2677 bookstore and get yourself a good pedagogical text on system
2678 administration for the type of system you are running.
2680 Back to top
2681 __________________________________________________________________
2683 7.25 Why is there a long delay in Alpine or any other c-client based
2684 application call before I get connected to the IMAP server? The hang
2685 seems to be in the c-client mail_open() call. I don't have this problem
2686 with any other IMAP client. There is no delay connecting to a POP3 or
2687 NNTP server with mail_open().
2689 By default, the c-client library attempts to make a connection
2690 through rsh (and ssh, if you enable that). If the command:
2692 rsh imapserver exec /etc/rimapd
2694 (or ssh if that is enabled) returns with a "* PREAUTH" response,
2695 it will use the resulting rsh session as the IMAP session and
2696 not require an authentication step on the server.
2698 Unfortunately, rsh has a design error that treats "TCP
2699 connection refused" as "temporary failure, try again"; it
2700 expects the "rsh not allowed" case to be implemented as a
2701 successful connection followed by an error message and close the
2702 connection.
2704 It must be emphasized that this is a bug in rsh. It is not a bug
2705 in the IMAP toolkit.
2707 The use of rsh can be disabled in any the following ways:
2709 + You can disable it for this particular session by either:
2710 o setting an explicit port number in the mailbox name, e.g.
2711 {imapserver.foo.com:143}INBOX
2712 o using SSL (the /ssl switch)
2713 + You can disable rsh globally by setting the rsh timeout value
2714 to 0 with the call:
2715 mail_parameters (NIL,SET_RSHTIMEOUT,0);
2717 Back to top
2718 __________________________________________________________________
2720 7.26 Why does a message sometimes get split into two or more messages
2721 on my SUN system?
2723 This is caused by an interaction of two independent design
2724 problems in SUN mail software. The first problem is that the
2725 "forward message" option in SUN's mail tool program includes the
2726 internal "From " header line in the text that it forwarded. This
2727 internal header line is specific to traditional UNIX mailbox
2728 files and is not suitable for use in forwarded messages.
2730 The second problem is that the mail delivery agent assumes that
2731 mail reading programs will not use the traditional UNIX mailbox
2732 format but instead an incompatible variant that depends upon a
2733 Content-Length: message header. Content-Length is widely
2734 recognized to have been a terrible mistake, and is no longer
2735 recommended for use in mail (it is used in other facilities that
2736 use MIME).
2738 One symptom of the problem is that under certain circumstances,
2739 a message may get broken up into several messages. I'm also
2740 aware of security bugs caused by programs that foolishly trust
2741 "Content-Length:" headers with evil values.
2743 To fix the mailer on your system, edit your sendmail.cf to
2744 change the Mlocal line to have the -E flag. A typical entry will
2745 lool like:
2747 Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnPE, S=10, R=20,
2748 A=mail.local -d $u
2750 This fix will also work around the problem with mail tool,
2751 because it will insert a ">" before the internal header line to
2752 prevent it from being interpreted by mail reading software as an
2753 internal header line.
2755 Back to top
2756 __________________________________________________________________
2758 7.27 Why did my POP or IMAP session suddenly disconnect? The syslog has
2759 the message:
2760 Autologout user=<...my user name...> host=<...my client system...>
2762 This is a problem in your client.
2764 In the case of IMAP, it failed to communicate with the IMAP
2765 server for over 30 minutes; in the case of POP, it failed to
2766 communicate with the POP server for over 10 minutes.
2768 Back to top
2769 __________________________________________________________________
2771 7.28 What does the UNIX error message: TLS/SSL failure: myserver: SSL
2772 negotiation failed mean?
2773 7.29 What does the PC error message: TLS/SSL failure: myserver:
2774 Unexpected TCP input disconnect mean?
2776 This usually means that an attempt to negotiate TLS encryption
2777 via the STARTTLS command failed, because the server advertises
2778 STARTTLS functionality, but doesn't actually have it (e.g.
2779 because no certificates are installed).
2781 Use the /notls option in the mailbox name to disable TLS
2782 negotiation.
2784 Back to top
2785 __________________________________________________________________
2787 7.30 What does the error message: TLS/SSL failure: myserver: Server
2788 name does not match certificate mean?
2790 An SSL or TLS session encryption failed because the server name
2791 in the server's certificate does not match the name that you
2792 gave it. This could indicate that the server is not really the
2793 system you think that it is, but can be also be called if you
2794 gave a nickname for the server or name that was not
2795 fully-qualified. You must use the fully-qualified domain name
2796 for the server in order to validate its certificate
2798 Use the /novalidate-cert option in the mailbox name to disable
2799 validation of the certificate.
2801 Back to top
2802 __________________________________________________________________
2804 7.31 What does the UNIX error message: TLS/SSL failure: myserver:
2805 self-signed certificate mean?
2806 7.32 What does the PC error message: TLS/SSL failure: myserver:
2807 Self-signed certificate or untrusted authority mean?
2809 An SSL or TLS session encryption failed because your server's
2810 certificate is "self-signed"; that is, it is not signed by any
2811 Certificate Authority (CA) and thus can not be validated. A
2812 CA-signed certificate costs money, and some smaller sites either
2813 don't want to pay for it or haven't gotten one yet. The bad part
2814 about this is that this means there is no guarantee that the
2815 server is really the system you think that it is.
2817 Use the /novalidate-cert option in the mailbox name to disable
2818 validation of the certificate.
2820 Back to top
2821 __________________________________________________________________
2823 7.33 What does the UNIX error message: TLS/SSL failure: myserver:
2824 unable to get local issuer certificate mean?
2826 An SSL or TLS session encryption failed because your system does
2827 not have the Certificate Authority (CA) certificates installed
2828 on OpenSSL's certificates directory. On most systems, this
2829 directory is /usr/local/ssl/certs). As a result, it is not
2830 possible to validate the server's certificate.
2832 If CA certificates are properly installed, you should see
2833 factory.pem and about a dozen other .pem names such as
2834 thawteCb.pem.
2836 As a workaround, you can use the /novalidate-cert option in the
2837 mailbox name to disable validation of the certificate; however,
2838 note that you are then vulnerable to various security attacks by
2839 bad guys.
2841 The correct fix is to copy all the files from the certs/
2842 directory in the OpenSSL distribution to the
2843 /usr/local/ssl/certs (or whatever) directory. Note that you need
2844 to do this after building OpenSSL, because the OpenSSL build
2845 creates a number of needed symbolic links. For some bizarre
2846 reason, the OpenSSL "make install" doesn't do this for you, so
2847 you must do it manually.
2849 Back to top
2850 __________________________________________________________________
2852 7.34 Why does reading certain messages hang when using Netscape? It
2853 works fine with Alpine!
2855 There are two possible causes.
2857 Check the mail syslog. If you see the message "Killed (lost
2858 mailbox lock)" for the impacted user(s), read the FAQ entry
2859 regarding that message.
2861 Check the affected mailbox to see if there are embedded NUL
2862 characters in the message. NULs in message texts are a technical
2863 violation of both the message format and IMAP specifications.
2864 Most clients don't care, but apparently Netscape does.
2866 You can work around this by rebuilding imapd with the
2867 NETSCAPE_BRAIN_DAMAGE option set (see src/imapd/Makefile); this
2868 will cause imapd to convert all NULs to 0x80 characters. A
2869 better solution is to enable the feature in your MTA to
2870 MIME-convert messages with binary content. See the documentation
2871 for your MTA for how to do this.
2873 Back to top
2874 __________________________________________________________________
2876 7.35 Why does Netscape say that there's a problem with the IMAP server
2877 and that I should "Contact your mail server administrator."?
2879 Certain versions of Netscape do this when you click the Manage
2880 Mail button, which uses an undocumented feature of Netscape's
2881 proprietary IMAP server.
2883 You can work around this by rebuilding imapd with the
2884 NETSCAPE_BRAIN_DAMAGE option set (see src/imapd/Makefile) to a
2885 URL that points either to an alternative IMAP client (e.g.
2886 Alpine) or perhaps to a homebrew mail account management page.
2888 Back to top
2889 __________________________________________________________________
2891 7.36 Why is one user creating huge numbers of IMAP or POP server
2892 sessions?
2894 The user is probably using Outlook Express, Eudora, or a similar
2895 program. See the answer to the Help! My load average is soaring
2896 and I see hundreds of POP and IMAP servers, many logged in as
2897 the same user! question.
2899 Back to top
2900 __________________________________________________________________
2902 7.37 Why don't I get any new mail notifications from Outlook Express or
2903 Outlook after a while?
2905 This is a known bug in Outlook Express. Microsoft is aware of
2906 the problem and its cause. They have informed us that they do
2907 not have any plans to fix it at the present time.
2909 The problem is also reported in Outlook 2000, but not verified.
2911 Outlook Express uses the IMAP IDLE command to avoid having to
2912 "ping" the server every few minutes for new mail. Unfortunately,
2913 Outlook Express overlooks the part in the IDLE specification
2914 which requires that a client terminate and restart the IDLE
2915 before the IMAP 30 minute inactivity autologout timer triggers.
2917 When this happens, Outlook Express displays "Not connected" at
2918 the bottom of the window. Since it's no longer connected to the
2919 IMAP server, it isn't going to notice any new mail.
2921 As soon as the user does anything that would cause an IMAP
2922 operation, Outlook Express will reconnect and new mail will flow
2923 again. If the user does something that causes an IMAP operation
2924 at least every 29 minutes, the problem won't happen.
2926 Modern versions of imapd attempt to work around the problem by
2927 automatically reporting fake new mail after 29 minutes. This
2928 causes Outlook Express to exit the IDLE state; as soon as this
2929 happens imapd revokes the fake new mail. As long as this
2930 behavior isn't known to cause problems with other clients, this
2931 workaround will remain in imapd.
2933 Back to top
2934 __________________________________________________________________
2936 7.38 Why don't I get any new mail notifications from Entourage?
2938 This is a known bug in Entourage.
2940 You built an older version of imapd with the
2941 MICROSOFT_BRAIN_DAMAGE option set, in order to disable support
2942 for the IDLE command. However, Entourage won't get new mail
2943 unless IDLE command support exists.
2945 Note: the MICROSOFT_BRAIN_DAMAGE option no longer exists in
2946 modern versions, as the Outlook Express problem which it
2947 attempted to solve has been worked around in another way.
2949 Back to top
2950 __________________________________________________________________
2952 7.39 Why doesn't Entourage work at all?
2954 It's hard to know. Entourage breaks almost every rule in the
2955 book for IMAP. It is highly instructive to do a packet trace on
2956 Entourage, as an example of how not to use IMAP. It does things
2957 like STATUS (MESSAGES) on the currently selected mailbox and
2958 re-fetching the same static data over and over again.
2960 It seems that every time we understand what it is doing wrong in
2961 Entourage and come up with a workaround, we learn about
2962 something else that's broken.
2964 Try building imapd with the ENTOURAGE_BRAIN_DAMAGE option set,
2965 in order to disable the diagnostic that occurs when doing STATUS
2966 on the currently selected mailbox.
2968 Back to top
2969 __________________________________________________________________
2971 7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all?
2973 This is a bug in NSNOTIFY; it doesn't handle unsolicited data
2974 from the server correctly.
2976 Fortunately, there is no reason to use this program with IMAP;
2977 NSNOTIFY is a polling program to let you know when new mail has
2978 appeared in your maildrop. This is necessary with POP; but since
2979 IMAP dynamically announces new mail in the session you're better
2980 off (and will actually cause less load on the server!) keeping
2981 your mail reading program's IMAP session open and let IMAP do
2982 the notifying for you.
2984 Consequently, the recommended fix for the NSNOTIFY problem is to
2985 delete the NSNOTIFY binary.
2987 Back to top
2988 __________________________________________________________________
2990 7.41 Why can't I connect via SSL to Eudora? It says the connection has
2991 been broken, and in the server syslogs I see "Command stream end of
2992 file".
2994 There is a report that you can fix the problem by going into
2995 Eudora's advanced network configuration menu and increasing the
2996 network buffer size to 8192.
2998 Back to top
2999 __________________________________________________________________
3001 7.42 Sheesh. Aren't there any good IMAP clients out there?
3003 Yes!
3005 Alpine is a wonderful client. It's fast, it uses IMAP well, and
3006 it generates text mail (life is too short to waste on HTML
3007 mail). Also, there are some really wonderful things in progress
3008 in the Alpine world.
3010 There are some good GUI clients out there, mostly from smaller
3011 vendors. Without naming names, look for the vendors who are
3012 active in the IMAP protocol development community, and their
3013 products.
3015 Netscape, Eudora, and Outlook can be configured with enough
3016 effort to be good citizens and work well for users, but they can
3017 also be badly misconfigured, and often the misconfiguration is
3018 the default.
3020 Back to top
3021 __________________________________________________________________
3023 7.43 But wait! PC Alpine (or other PC program build with c-client)
3024 crashes with the message incomplete SecBuffer exceeds maximum buffer
3025 size when I use SSL connections. This is a bug in c-client, right?
3027 It's a bug in the Microsoft SChannel.DLL, which implements SSL.
3028 Microsoft admits it (albeit with an unstatement: "it's not fully
3029 RFC compliant"). The problem is that SChannel indicates that the
3030 maximum SSL packet data size is 5 bytes smaller than the actual
3031 maximum. Thus, any IMAP server which transmits a maximum sized
3032 SSL packet will not work with PC Alpine or any other program
3033 which uses SChannel.
3035 It can take a while for the problem to show up. The client has
3036 to do something that causes at least 16K of contiguous data.
3037 Many clients do partial fetching, which tends to reduce the
3038 number of cases where this can happen. However, all software
3039 which uses SChannel to support SSL is affected by this bug.
3041 This problem does not affect UNIX code, since OpenSSL is used on
3042 UNIX.
3044 This problem most recently showed up with the CommunigatePro
3045 IMAP server. They have an update which trims down their maximum
3046 contiguous data to less than 16K, in order to work around the
3047 problem.
3049 This problem has also shown up with the Exchange IMAP server
3050 with UNIX clients (including Alpine built with an older version
3051 of c-client) which sends full-sized 16K SSL packets. Modern
3052 c-client works around the problem by trimming down its maximum
3053 outgoing SSL packet size to 8K.
3055 Microsoft has developed a hotfix for this bug. Look up MSKB
3056 article number 300562. Contrary to the article text which
3057 implies that this is a Alpine issue, this bug also affect
3058 Microsoft Exchange server with *any* UNIX based client that
3059 transmits full-sized SSL payloads.
3061 Back to top
3062 __________________________________________________________________
3064 7.44 My qpopper users keep on getting the DON'T DELETE THIS MESSAGE --
3065 FOLDER INTERNAL DATA if they also use Alpine or IMAP. How can I fix
3066 this?
3068 This is an incompatibility between qpopper and the c-client
3069 library used by Alpine, imapd, and ipop[23]d.
3071 Assuming that you want to continue using qpopper, look into
3072 qpopper's --enable-uw-kludge-flag configuration flag, which is
3073 documented as "check for and hide UW 'Folder Internal Data'
3074 messages".
3076 The other alternative is to switch from qpopper to ipop3d.
3078 Back to top
3079 __________________________________________________________________
3081 7.45 Help! I installed the servers but I can't connect to them from my
3082 client!
3084 Review the installation instructions carefully. Make sure that
3085 you have not skipped any of the steps. Make sure that you have
3086 made the correct entries in the configuration files; pay careful
3087 attention to the exact spelling of the service names and the
3088 path names. Make sure as well that you have properly restarted
3089 inetd.
3091 If you have a system with Yellow Pages/NIS such as Solaris, have
3092 you updated the service names there as well as in /etc/services?
3094 If you have a system with TCP wrappers, have you properly
3095 updated the TCP wrapper files (e.g. /etc/hosts.allow and
3096 /etc/hosts.deny) for the servers?
3098 If you have a system which uses xinetd instead of inetd, have
3099 you made sure that you have made the correct corresponding
3100 xinetd changes for those services?
3102 Try telneting to the server port (143 for IMAP, 110 for POP3).
3103 If you get a "refused" error, that probably means that you don't
3104 have the service set up in inetd.conf. If the connection opens
3105 and then closes with no message, the service is set up, but
3106 either the path name of the server binary in inetd.conf is wrong
3107 or your TCP wrappers are configured to deny access.
3109 If you don't know how to make the corresponding changes to these
3110 files, seek the help of a local expert for your system.
3112 Back to top
3113 __________________________________________________________________
3115 7.46 Why do I get the message Can not authenticate to SMTP server: 421
3116 SMTP connection went away! and why did this happen? There was also
3117 something about SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
3119 Some versions of qmail, including that running on
3120 mail.smtp.yahoo.com, disconnect the SMTP session if you fail to
3121 authenticate prior to attempting to transmit mail. An attempt to
3122 authenticate was made, but it failed because the server had
3123 already disconnected.
3125 To work around this, you need to specify /user=... in the host
3126 name specification.
3128 The SECURITY PROBLEM came about because the server advertised
3129 the AUTH=PLAIN SASL authentication mechanism outside of a
3130 TLS-encrypted session, in violation of RFC 4616. This message is
3131 just a warning, and in fact occurred after the server had
3132 disconnected.
3134 Back to top
3135 __________________________________________________________________
3137 7.47 Why do I get the message SMTP Authentication cancelled and why did
3138 this happen? There was also something about SECURITY PROBLEM: insecure
3139 server advertised AUTH=PLAIN
3141 This is a bug in the SMTP server.
3143 Some versions of qmail, including that running on
3144 mail.smtp.yahoo.com, have a bug in their implementation of SASL
3145 in their SMTP server, which renders it non-compliant with the
3146 standard.
3148 If the client does not provide an initial response in the
3149 command line for an authentication mechanism whose profile does
3150 not have an initial challenge, qmail issues a bogus response:
3152 334 ok, go on
3154 The problem is the "ok, go on". This violates RFC 4954's
3155 requirement that the text part in a 334 response be a BASE64
3156 encoded string; in other words, it is a protocol syntax error.
3158 In the case of AUTH=PLAIN, RFC 4422 (page 7) requires that the
3159 encoded string have no data. In other words, the appropropiate
3160 standards-compliant server response is "334" followed by a SPACE
3161 and a CRLF.
3163 The SECURITY PROBLEM came about because the server advertised
3164 the AUTH=PLAIN SASL authentication mechanism outside of a
3165 TLS-encrypted session, in violation of RFC 4616. This message is
3166 just a warning, and is not related the "Authentication
3167 cancelled" problem.
3169 Back to top
3170 __________________________________________________________________
3172 7.48 Why do I get the message Invalid base64 string when I try to
3173 authenticate to a Cyrus server?
3175 This slightly misleading message is the way that a Cyrus server
3176 indicates that an authentication exchange was cancelled. It is
3177 not indicative of a bug or protocol violation.
3179 The most common reason that this happens is if the Cyrus server
3180 offers Kerberos authentication, c-client is built with Kerberos
3181 support, but your client system is not within the Kerberos
3182 realm. In this case, the client code will try to authenticate
3183 via Kerberos, fail to get the Kerberos credentials, cancel the
3184 authentication attempt, and try the next available
3185 authentication technology.
3187 Back to top
3188 __________________________________________________________________
3190 8. Where to Go For Additional Information
3191 __________________________________________________________________
3193 8.1 Where can I go to ask questions?
3194 8.2 I have some ideas for enhancements to IMAP. Where should I go?
3196 If you have questions about the IMAP protocol, or want to
3197 participate in discussions of future directions of the IMAP
3198 protocol, the appropriate mailing list is
3199 imap-protocol@u.washington.edu. You can subscribe to this list
3200 via imap-protocol-request@u.washington.edu
3202 You must be a subscriber to post to this list. As an
3203 alternative, you can use the comp.mail.imap newsgroup.
3205 Back to top
3206 __________________________________________________________________
3208 8.3 Where can I read more about IMAP and other email protocols?
3210 We recommend Internet Email Protocols: A Developer's Guide, by
3211 Kevin Johnson, published by Addison Wesley, ISBN 0-201-43288-9.
3213 Back to top
3214 __________________________________________________________________
3216 8.4 Where can I find out more about setting up and administering an
3217 IMAP server?
3219 We recommend Managing IMAP, by Dianna Mullet & Kevin Mullet,
3220 published by O'Reilly, ISBN 0-596-00012-X.
3222 Back to top
3224 Last Updated: 5 May 2010