mirror of
https://github.com/uw-imap/imap.git
synced 2024-12-26 05:08:21 +01:00
22f316e36d
MD5 2126fd125ea26b73b20f01fcd5940369
4227 lines
152 KiB
HTML
4227 lines
152 KiB
HTML
<!--
|
|
* ========================================================================
|
|
* Copyright 1988-2007 University of Washington
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
*
|
|
* ========================================================================
|
|
*
|
|
-->
|
|
|
|
<!--chtml set title="IMAP Toolkit Frequently Asked Questions"-->
|
|
<!--chtml include "//imap/incs/top.inc"-->
|
|
|
|
<h2>Table of Contents</h2>
|
|
|
|
<ul>
|
|
<li>
|
|
<a href="#general">1. General/Software Feature Questions</a>
|
|
|
|
<ul>
|
|
<li><a href="#1.1">1.1 Can I set up a POP or IMAP server on
|
|
UNIX/Linux/OSF/etc.?</a></li>
|
|
|
|
<li><a href="#1.2">1.2 I am currently using qpopper as my POP3 server
|
|
on UNIX. Do I need to replace it with ipop3d in order to run
|
|
imapd?</a></li>
|
|
|
|
<li><a href="#1.3">1.3 Can I set up a POP or IMAP server on Windows
|
|
XP, 2000, NT, Me, 98, or 95?</a></li>
|
|
|
|
<li><a href="#1.4">1.4 Can I set up a POP or IMAP server on Windows
|
|
3.1 or DOS?</a></li>
|
|
|
|
<li><a href="#1.5">1.5 Can I set up a POP or IMAP server on
|
|
Macintosh?</a></li>
|
|
|
|
<li><a href="#1.6">1.6 Can I set up a POP or IMAP server on
|
|
VAX/VMS?</a></li>
|
|
|
|
<li><a href="#1.7">1.7 Can I set up a POP or IMAP server on
|
|
TOPS-20?</a></li>
|
|
|
|
<li><a href="#1.8">1.8 Are hierarchical mailboxes supported?</a></li>
|
|
|
|
<li><a href="#1.9">1.9 Are "dual-use" mailboxes supported?</a></li>
|
|
|
|
<li><a href="#1.10">1.10 Can I have a mailbox that has both messages
|
|
and sub-mailboxes?</a></li>
|
|
|
|
<li><a href="#1.11">1.11 What is the difference between "mailbox" and
|
|
"folder"?</a></li>
|
|
|
|
<li><a href="#1.12">1.12 What is the status of
|
|
internationalization?</a></li>
|
|
|
|
<li><a href="#1.13">1.13 Can I use SSL?</a></li>
|
|
|
|
<li><a href="#1.14">1.14 Can I use TLS and the STARTTLS
|
|
facility?</a></li>
|
|
|
|
<li><a href="#1.15">1.15 Can I use CRAM-MD5 authentication?</a></li>
|
|
|
|
<li><a href="#1.16">1.16 Can I use APOP authentication?</a></li>
|
|
|
|
<li><a href="#1.17">1.17 Can I use Kerberos V5?</a></li>
|
|
|
|
<li><a href="#1.18">1.18 Can I use PAM for plaintext
|
|
passwords?</a></li>
|
|
|
|
<li><a href="#1.19">1.19 Can I use Kerberos 5 for plaintext
|
|
passwords?</a></li>
|
|
|
|
<li><a href="#1.20">1.20 Can I use AFS for plaintext
|
|
passwords?</a></li>
|
|
|
|
<li><a href="#1.21">1.21 Can I use DCE for plaintext
|
|
passwords?</a></li>
|
|
|
|
<li><a href="#1.22">1.22 Can I use the CRAM-MD5 database for
|
|
plaintext passwords?</a></li>
|
|
|
|
<li><a href="#1.23">1.23 Can I disable plaintext passwords?</a></li>
|
|
|
|
<li><a href="#1.24">1.24 Can I disable plaintext passwords on
|
|
unencrypted sessions, but allow them on encrypted sessions?</a></li>
|
|
|
|
<li><a href="#1.25">1.25 Can I use virtual hosts?</a></li>
|
|
|
|
<li><a href="#1.26">1.26 Can I use RPOP authentication?</a></li>
|
|
|
|
<li><a href="#1.27">1.27 Can I use Kerberos V4?</a></li>
|
|
|
|
<li><a href="#1.28">1.28 Is there support for S/Key or OTP?</a></li>
|
|
|
|
<li><a href="#1.29">1.29 Is there support for NTLM or SPA?</a></li>
|
|
|
|
<li><a href="#1.30">1.30 Is there support for mh?</a></li>
|
|
|
|
<li><a href="#1.31">1.31 Is there support for qmail and the maildir
|
|
format?</a></li>
|
|
|
|
<li><a href="#1.32">1.32 Is there support for the Cyrus mailbox
|
|
format?</a></li>
|
|
|
|
<li><a href="#1.33">1.33 Is this software Y2K compliant?</a></li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#requirements">2. What Do I Need to Build This Software?</a>
|
|
|
|
<ul>
|
|
<li><a href="#2.1">2.1 What do I need to build this software with SSL
|
|
on UNIX?</a></li>
|
|
|
|
<li><a href="#2.2">2.2 What do I need to build this software with
|
|
Kerberos V on UNIX?</a></li>
|
|
|
|
<li><a href="#2.3">2.3 What do I need to use a C++ compiler with this
|
|
software to build my own application?</a></li>
|
|
|
|
<li><a href="#2.4">2.4 What do I need to build this software on
|
|
Windows?</a></li>
|
|
|
|
<li><a href="#2.5">2.5 What do I need to build this software on
|
|
DOS?</a></li>
|
|
|
|
<li><a href="#2.6">2.6 Can't I use Borland C to build this software
|
|
on the PC?</a></li>
|
|
|
|
<li><a href="#2.7">2.7 What do I need to build this software on the
|
|
Mac?</a></li>
|
|
|
|
<li><a href="#2.8">2.8 What do I need to build this software on
|
|
VMS?</a></li>
|
|
|
|
<li><a href="#2.9">2.9 What do I need to build this software on
|
|
TOPS-20?</a></li>
|
|
|
|
<li><a href="#2.10">2.10 What do I need to build this software on
|
|
Amiga or OS/2?</a></li>
|
|
|
|
<li><a href="#2.11">2.11 What do I need to build this software on
|
|
Windows CE?</a></li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#build">3. Build and Configuration Questions</a>
|
|
|
|
<ul>
|
|
<li><a href="#3.1">3.1 How do I configure the IMAP and POP servers on
|
|
UNIX?</a></li>
|
|
|
|
<li><a href="#3.2">3.2 I built and installed the servers according to
|
|
the BUILD instructions. It can't be that easy. Don't I need to write
|
|
a config file?</a></li>
|
|
|
|
<li><a href="#3.3">3.3 How do I make the IMAP and POP servers look
|
|
for INBOX at some place other than the mail spool directory?</a></li>
|
|
|
|
<li><a href="#3.4">3.4 How do I make the IMAP server look for
|
|
secondary folders at some place other than the user's home
|
|
directory?</a></li>
|
|
|
|
<li><a href="#3.5">3.5 How do I configure SSL?</a></li>
|
|
|
|
<li><a href="#3.6">3.6 How do I configure TLS and the STARTTLS
|
|
facility?</a></li>
|
|
|
|
<li><a href="#3.7">3.7 How do I build/install OpenSSL and
|
|
obtain/create certificates for use with SSL?</a></li>
|
|
|
|
<li><a href="#3.8">3.8 How do I configure CRAM-MD5
|
|
authentication?</a></li>
|
|
|
|
<li><a href="#3.9">3.9 How do I configure APOP
|
|
authentication?</a></li>
|
|
|
|
<li><a href="#3.10">3.10 How do I configure Kerberos V5?</a></li>
|
|
|
|
<li><a href="#3.11">3.11 How do I configure PAM for plaintext
|
|
passwords?</a></li>
|
|
|
|
<li><a href="#3.12">3.12 It looks like all I have to do to make the
|
|
server use Kerberos is to build with PAM on my Linux system, and set
|
|
it up in PAM for Kerberos passwords. Right?</a></li>
|
|
|
|
<li><a href="#3.13">3.13 How do I configure Kerberos 5 for plaintext
|
|
passwords?</a></li>
|
|
|
|
<li><a href="#3.14">3.14 How do I configure AFS for plaintext
|
|
passwords?</a></li>
|
|
|
|
<li><a href="#3.15">3.15 How do I configure DCE for plaintext
|
|
passwords?</a></li>
|
|
|
|
<li><a href="#3.16">3.16 How do I configure the CRAM-MD5 database for
|
|
plaintext passwords?</a></li>
|
|
|
|
<li><a href="#3.17">3.17 How do I disable plaintext
|
|
passwords?</a></li>
|
|
|
|
<li><a href="#3.18">3.18 How do I disable plaintext passwords on
|
|
unencrypted sessions, but allow them in SSL or TLS sessions?</a></li>
|
|
|
|
<li><a href="#3.19">3.19 How do I configure virtual hosts?</a></li>
|
|
|
|
<li>
|
|
<a href="#3.20">3.20 Why do I get compiler warning messages such
|
|
as:
|
|
|
|
<ul>
|
|
<li>passing arg 3 of `scandir' from incompatible pointer
|
|
type</li>
|
|
|
|
<li>Pointers are not assignment-compatible.</li>
|
|
|
|
<li>Argument #4 is not the correct type.</li>
|
|
</ul>during the build?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#3.21">3.21 Why do I get compiler warning messages such
|
|
as
|
|
|
|
<ul>
|
|
<li>Operation between types "void(*)(int)" and "void*" is not
|
|
allowed.</li>
|
|
|
|
<li>Function argument assignment between types "void*" and
|
|
"void(*)(int)" is not allowed.</li>
|
|
|
|
<li>Pointers are not assignment-compatible.</li>
|
|
|
|
<li>Argument #5 is not the correct type.</li>
|
|
</ul>during the build?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#3.22">3.22 Why do I get linker warning messages such
|
|
as:
|
|
|
|
<ul>
|
|
<li>mtest.c:515: the `gets' function is dangerous and should not
|
|
be used.</li>
|
|
</ul>during the build? Isn't this a security bug?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#3.23">3.23 Why do I get linker warning messages such
|
|
as:</a>
|
|
|
|
<ul>
|
|
<li>auth_ssl.c:92: the `tmpnam' function is dangerous and should
|
|
not be used.</li>
|
|
</ul>during the build? Isn't this a security bug?
|
|
</li>
|
|
|
|
<li><a href="#3.24">3.24 OK, suppose I see a warning message about a
|
|
function being "dangerous and should not be used" for something other
|
|
than this gets() or tmpnam() call?</a></li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#operation">4. Operational Questions</a>
|
|
|
|
<ul>
|
|
<li><a href="#4.1">4.1 How can I enable anonymous IMAP
|
|
logins?</a></li>
|
|
|
|
<li><a href="#4.2">4.2 How do I set up an alert message that each
|
|
IMAP user will see?</a></li>
|
|
|
|
<li><a href="#4.3">4.3 How does the c-client library choose which of
|
|
its several mechanisms to use to establish an IMAP connection to the
|
|
server? I noticed that it can connect on port 143, port 993, via rsh,
|
|
and via ssh.</a></li>
|
|
|
|
<li><a href="#4.4">4.4 I am using a TLS-capable IMAP server, so I
|
|
don't need to use /ssl to get encryption. However, I want to be
|
|
certain that my session is TLS encrypted before I send my password.
|
|
How to I do this?</a></li>
|
|
|
|
<li><a href="#4.5">4.5 How do I use one of the alternative formats
|
|
described in the formats.txt document? In particular, I hear that mbx
|
|
format will give me better performance and allow shared
|
|
access.</a></li>
|
|
|
|
<li><a href="#4.6">4.6 How do I set up shared mailboxes?</a></li>
|
|
|
|
<li><a href="#4.7">4.7 How can I make the server syslogs go to
|
|
someplace other than the mail syslog?</a></li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#security">5. Security Questions</a>
|
|
|
|
<ul>
|
|
<li><a href="#5.1">5.1 I see that the IMAP server allows access to
|
|
arbitary files on the system, including /etc/passwd! How do I disable
|
|
this?</a></li>
|
|
|
|
<li><a href="#5.2">5.2 I've heard that IMAP servers are insecure. Is
|
|
this true?</a></li>
|
|
|
|
<li><a href="#5.3">5.3 How do I know that I have the most secure
|
|
version of the server?</a></li>
|
|
|
|
<li><a href="#5.4">5.4 I see all these strcpy() and sprintf() calls,
|
|
those are unsafe, aren't they?</a></li>
|
|
|
|
<li><a href="#5.5">5.5 Those /tmp lock files are protected 666, is
|
|
that really right?</a></li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#strange">6. <i>Why Did You Do This Strange Thing?</i>
|
|
Questions</a>
|
|
|
|
<ul>
|
|
<li><a href="#6.1">6.1 Why don't you use GNU autoconfig / automake /
|
|
autoblurdybloop?</a></li>
|
|
|
|
<li><a href="#6.2">6.2 Why do you insist upon a build with -g?
|
|
Doesn't it waste disk and memory space?</a></li>
|
|
|
|
<li><a href="#6.3">6.3 Why don't you make c-client a shared
|
|
library?</a></li>
|
|
|
|
<li><a href="#6.4">6.4 Why don't you use iconv() for
|
|
internationalization support?</a></li>
|
|
|
|
<li><a href="#6.5">6.5 Why is the IMAP server connected to the home
|
|
directory by default?</a></li>
|
|
|
|
<li><a href="#6.6">6.6 I have a Windows system. Why isn't the server
|
|
plug and play for me?</a></li>
|
|
|
|
<li><a href="#6.7">6.7 I looked at the UNIX SSL code and saw that you
|
|
have the SSL data payload size set to 8192 bytes. SSL allows 16K; why
|
|
aren't you using the full size?</a></li>
|
|
|
|
<li><a href="#6.8">6.8 Why is an mh format INBOX called #mhinbox
|
|
instead of just INBOX?</a></li>
|
|
|
|
<li><a href="#6.9">6.9 Why don't you support the maildir
|
|
format?</a></li>
|
|
|
|
<li><a href="#6.10">6.10 Why don't you support the Cyrus
|
|
format?</a></li>
|
|
|
|
<li><a href="#6.11">6.11 Why is it creating extra forks on my SVR4
|
|
system?</a></li>
|
|
|
|
<li><a href="#6.12">6.12 Why are you so fussy about the date/time
|
|
format in the internal <code>"From "</code> line in traditional
|
|
UNIX mailbox files? My other mail program just considers every line
|
|
that starts with <code>"From "</code> to be the start of the
|
|
message.</a></li>
|
|
|
|
<li><a href="#6.13">6.13 Why is traditional UNIX format the default
|
|
format?</a></li>
|
|
|
|
<li><a href="#6.14">6.14 Why do you write this "DON'T DELETE THIS
|
|
MESSAGE -- FOLDER INTERNAL DATA" message at the start of traditional
|
|
UNIX and MMDF format mailboxes?</a></li>
|
|
|
|
<li><a href="#6.15">6.15 Why don't you stash the mailbox metadata in
|
|
the first real message of the mailbox instead of writing this fake
|
|
FOLDER INTERNAL DATA message?</a></li>
|
|
|
|
<li><a href="#6.16">6.16 Why aren't "dual-use" mailboxes the
|
|
default?</a></li>
|
|
|
|
<li><a href="#6.17">6.17 Why do you use ucbcc to build on
|
|
Solaris?</a></li>
|
|
|
|
<li><a href="#6.18">6.18 Why should I care about some old system with
|
|
BSD libraries? cc is the right thing on my Solaris system!</a></li>
|
|
|
|
<li><a href="#6.19">6.19 Why do you insist upon writing .lock files
|
|
in the spool directory?</a></li>
|
|
|
|
<li><a href="#6.20">6.20 Why should I care about compatibility with
|
|
the past?</a></li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#problems">7. Problems and Annoyances</a>
|
|
|
|
<ul>
|
|
<li><a href="#7.1">7.1 Help! My INBOX is empty! What happened to my
|
|
messages?</a></li>
|
|
|
|
<li><a href="#7.2">7.2 Help! All my messages in a non-INBOX mailbox
|
|
have been concatenated into one message which claims to be from me
|
|
and has a subject of the file name of the mailbox! What's going
|
|
on?</a></li>
|
|
|
|
<li>
|
|
<a href="#7.3">7.3 Why do I get the message:
|
|
|
|
<ul>
|
|
<li>CREATE failed: Can't create mailbox node xxxxxxxxx: File
|
|
exists</li>
|
|
</ul>and how do I fix it?</a>
|
|
</li>
|
|
|
|
<li><a href="#7.4">7.4 Why can't I log in to the server? The user
|
|
name and password are right!</a></li>
|
|
|
|
<li><a href="#7.5">7.5 Help! My load average is soaring and I see
|
|
hundreds of POP and IMAP servers, many logged in as the same
|
|
user!</a></li>
|
|
|
|
<li><a href="#7.6">7.6 Why does mail disappear even though I set
|
|
"keep mail on server"?</a></li>
|
|
|
|
<li>
|
|
<a href="#7.7">7.7 Why do I get the message
|
|
|
|
<ul>
|
|
<li>Moved ##### bytes of new mail to /home/user/mbox from
|
|
/var/spool/mail/user</li>
|
|
</ul>and why did this happen?</a>
|
|
</li>
|
|
|
|
<li><a href="#7.8">7.8 Why isn't it showing the local host name as a
|
|
fully-qualified domain name?</a></li>
|
|
|
|
<li><a href="#7.9">7.9 Why is the local host name in the
|
|
From/Sender/Message-ID headers of outgoing mail not coming out as a
|
|
fully-qualified domain name?</a></li>
|
|
|
|
<li>
|
|
<a href="#7.10">7.10 What does the message:
|
|
|
|
<ul>
|
|
<li>Mailbox vulnerable - directory /var/spool/mail must have 1777
|
|
protection</li>
|
|
</ul>mean? How can I fix this?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.11">7.11 What does the message:
|
|
|
|
<ul>
|
|
<li>Mailbox is open by another process, access is readonly</li>
|
|
</ul>mean? How do I fix this?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.12">7.12 What does the message:
|
|
|
|
<ul>
|
|
<li>Can't get write access to mailbox, access is readonly</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li><a href="#7.13">7.13 I set my POP3 client to "delete messages
|
|
from server" but they never get deleted. What is wrong?</a></li>
|
|
|
|
<li>
|
|
<a href="#7.14">7.14 What do messages such as:
|
|
|
|
<ul>
|
|
<li>Message ... UID ... already has UID ...</li>
|
|
|
|
<li>Message ... UID ... less than ...</li>
|
|
|
|
<li>Message ... UID ... greater than last ...</li>
|
|
|
|
<li>Invalid UID ... in message ..., rebuilding UIDs</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.15">7.15 What do the error messages:
|
|
|
|
<ul>
|
|
<li>Unable to read internal header at ...</li>
|
|
|
|
<li>Unable to find CRLF at ...</li>
|
|
|
|
<li>Unable to parse internal header at ...</li>
|
|
|
|
<li>Unable to parse message date at ...</li>
|
|
|
|
<li>Unable to parse message flags at ...</li>
|
|
|
|
<li>Unable to parse message UID at ...</li>
|
|
|
|
<li>Unable to parse message size at ...</li>
|
|
|
|
<li>Last message (at ... ) runs past end of file ...</li>
|
|
</ul>mean? I am using mbx format.</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.16">7.16 What do the syslog messages:
|
|
|
|
<ul>
|
|
<li>imap/tcp server failing (looping)</li>
|
|
|
|
<li>pop3/tcp server failing (looping)</li>
|
|
</ul>mean? When it happens, the listed service shuts down. How can
|
|
I fix this?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.17">7.17 What does the syslog message:
|
|
|
|
<ul>
|
|
<li>Mailbox lock file /tmp/.600.1df3 open failure: Permission
|
|
denied</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.18">7.18 What do the syslog messages:
|
|
|
|
<ul>
|
|
<li>Command stream end of file, while reading line user=...
|
|
host=...</li>
|
|
|
|
<li>Command stream end of file, while reading char user=...
|
|
host=...</li>
|
|
|
|
<li>Command stream end of file, while writing text user=...
|
|
host=...</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.19">7.19 Why did my POP or IMAP session suddenly
|
|
disconnect? The syslog has the message:
|
|
|
|
<ul>
|
|
<li>Killed (lost mailbox lock) user=... host=...</li>
|
|
</ul></a>
|
|
</li>
|
|
|
|
<li><a href="#7.20">7.20 Why does my IMAP client show all the files
|
|
on the system, recursively from the UNIX root directory?</a></li>
|
|
|
|
<li><a href="#7.21">7.21 Why does my IMAP client show all of my
|
|
files, recursively from my UNIX home directory?</a></li>
|
|
|
|
<li><a href="#7.22">7.22 Why does my IMAP client show that I have
|
|
mailboxes named "#mhinbox", "#mh", "#shared", "#ftp", "#news", and
|
|
"#public"?</a></li>
|
|
|
|
<li><a href="#7.23">7.23 Why does my IMAP client show all my files in
|
|
my home directory?</a></li>
|
|
|
|
<li><a href="#7.24">7.24 Why is there a long delay before I get
|
|
connected to the IMAP or POP server, no matter what client I
|
|
use?</a></li>
|
|
|
|
<li><a href="#7.25">7.25 Why is there a long delay in Pine or any
|
|
other c-client based application call before I get connected to the
|
|
IMAP server? The hang seems to be in the c-client mail_open() call. I
|
|
don't have this problem with any other IMAP client. There is no delay
|
|
connecting to a POP3 or NNTP server with mail_open().</a></li>
|
|
|
|
<li><a href="#7.26">7.26 Why does a message sometimes get split into
|
|
two or more messages on my SUN system?</a></li>
|
|
|
|
<li>
|
|
<a href="#7.27">7.27 Why did my POP or IMAP session suddenly
|
|
disconnect? The syslog has the message:
|
|
|
|
<ul>
|
|
<li>Autologout user=<...my user name...> host=<...my
|
|
imap server...></li>
|
|
</ul></a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.28">7.28 What does the UNIX error message:
|
|
|
|
<ul>
|
|
<li>TLS/SSL failure: myserver: SSL negotiation failed</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.29">7.29 What does the PC error message:
|
|
|
|
<ul>
|
|
<li>TLS/SSL failure: myserver: Unexpected TCP input
|
|
disconnect</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.30">7.30 What does the error message:
|
|
|
|
<ul>
|
|
<li>TLS/SSL failure: myserver: Server name does not match
|
|
certificate</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.31">7.31 What does the UNIX error message:
|
|
|
|
<ul>
|
|
<li>TLS/SSL failure: myserver: self-signed certificate</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.32">7.32 What does the PC error message
|
|
|
|
<ul>
|
|
<li>TLS/SSL failure: myserver: Self-signed certificate or
|
|
untrusted authority</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.33">7.33 What does the UNIX error message:
|
|
|
|
<ul>
|
|
<li>TLS/SSL failure: myserver: unable to get local issuer
|
|
certificate</li>
|
|
</ul>mean?</a>
|
|
</li>
|
|
|
|
<li><a href="#7.34">7.34 Why does reading certain messages hang when
|
|
using Netscape? It works fine with Pine!</a></li>
|
|
|
|
<li><a href="#7.35">7.35 Why does Netscape say that there's a problem
|
|
with the IMAP server and that I should "Contact your mail server
|
|
administrator."?</a></li>
|
|
|
|
<li><a href="#7.36">7.36 Why is one user creating huge numbers of
|
|
IMAP or POP server sessions?</a></li>
|
|
|
|
<li><a href="#7.37">7.37 Why don't I get any new mail notifications
|
|
from Outlook Express or Outlook after a while?</a></li>
|
|
|
|
<li><a href="#7.38">7.38 Why don't I get any new mail notifications
|
|
from Entourage?</a></li>
|
|
|
|
<li><a href="#7.39">7.39 Why doesn't Entourage work at all?</a></li>
|
|
|
|
<li><a href="#7.40">7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE)
|
|
work at all?</a></li>
|
|
|
|
<li><a href="#7.41">7.41 Why can't I connect via SSL to Eudora? It
|
|
says the connection has been broken, and in the server syslogs I see
|
|
"Command stream end of file".</a></li>
|
|
|
|
<li><a href="#7.42">7.42 Sheesh. Aren't there <i>any</i> good IMAP
|
|
clients out there?</a></li>
|
|
|
|
<li>
|
|
<a href="#7.43">7.43 But wait! PC Pine (or other PC program build
|
|
with c-client) crashes with the message
|
|
|
|
<ul>
|
|
<li>incomplete SecBuffer exceeds maximum buffer size</li>
|
|
</ul>when I use SSL connections. This is a bug in c-client, right?</a>
|
|
</li>
|
|
|
|
<li><a href="#7.44">7.44 My qpopper users keep on getting the DON'T
|
|
DELETE THIS MESSAGE -- FOLDER INTERNAL DATA if they also use Pine or
|
|
IMAP. How can I fix this?</a></li>
|
|
|
|
<li><a href="#7.45">7.45 Help! I installed the servers but I can't
|
|
connect to them from my client!</a></li>
|
|
|
|
<li>
|
|
<a href="#7.46">7.46 Why do I get the message
|
|
|
|
<ul>
|
|
<li>Can not authenticate to SMTP server: 421 SMTP connection went
|
|
away!</li>
|
|
</ul>and why did this happen? There was also something about
|
|
|
|
<ul>
|
|
<li>SECURITY PROBLEM: insecure server advertised AUTH=PLAIN</li>
|
|
</ul></a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.47">7.47 Why do I get the message
|
|
|
|
<ul>
|
|
<li>SMTP Authentication cancelled</li>
|
|
</ul>and why did this happen? There was also something about
|
|
|
|
<ul>
|
|
<li>SECURITY PROBLEM: insecure server advertised AUTH=PLAIN</li>
|
|
</ul></a>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#7.48">7.48 Why do I get the message
|
|
|
|
<ul>
|
|
<li>Invalid base64 string</li>
|
|
</ul>when I try to authenticate to a Cyrus server?
|
|
</li></a>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>
|
|
<a href="#additional">8. Where to Go For Additional Information</a>
|
|
|
|
<ul>
|
|
<li><a href="#8.1">8.1 Where can I go to ask questions?</a></li>
|
|
|
|
<li><a href="#8.2">8.2 I have some ideas for enhancements to IMAP.
|
|
Where should I go?</a></li>
|
|
|
|
<li><a href="#8.3">8.3 Where can I read more about IMAP and other
|
|
email protocols?</a></li>
|
|
|
|
<li><a href="#8.4">8.4 Where can I find out more about setting up and
|
|
administering an IMAP server?</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul><!--=======START BODY-->
|
|
<hr>
|
|
|
|
<h2><a name="general">1. General/Software Feature Questions</a></h2>
|
|
<hr>
|
|
|
|
<p><a name="1.1"><strong>1.1 Can I set up a POP or IMAP server on
|
|
UNIX/Linux/OSF/etc.?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. Refer to the UNIX specific notes in files CONFIG and BUILD.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.2"><strong>1.2 I am currently using qpopper as my POP3 server on
|
|
UNIX. Do I need to replace it with ipop3d in order to run
|
|
imapd?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Not necessarily.
|
|
|
|
<p>Although ipop3d interoperates with imapd better than qpopper, imapd
|
|
and qpopper will work together. The few qpopper/imapd interoperability
|
|
issues mostly affect users who use both IMAP and POP3 clients; those
|
|
users would probably be better served if their POP3 server is
|
|
ipop3d.</p>
|
|
|
|
<p>If you are happy with qpopper and just want to add imapd, you should
|
|
do that, and defer a decision on changing qpopper to ipop3d. That way,
|
|
you can get comfortable with imapd's performance, without changing
|
|
anything for your qpopper users.</p>
|
|
|
|
<p>Many sites have subsequently decided to change from qpopper to
|
|
ipop3d in order to get better POP3/IMAP interoperability. If you need
|
|
to do this, you'll know. There also seems to be a way to make qpopper
|
|
work better with imapd; see the answer to the <a href="#7.44">My
|
|
qpopper users keep on getting the DON'T DELETE THIS MESSAGE -- FOLDER
|
|
INTERNAL DATA if they also use Pine or IMAP. How can I fix this?</a>
|
|
question.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.3"><strong>1.3 Can I set up a POP or IMAP server on Windows XP,
|
|
2000, NT, Me, 98, or 95?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Yes. Refer to the NT specific notes in files CONFIG and BUILD. Also,
|
|
for DOS-based versions of Windows (Windows Me, 98, and 95) you *must*
|
|
set up CRAM-MD5 authentication, as described in md5.txt.
|
|
|
|
<p>There is no file access control on Windows 9x or Me, so you probably
|
|
will have to do modifications to env_unix.c to prevent people from
|
|
hacking others' mail.</p>
|
|
|
|
<p>Note, however, that the server is not plug and play the way it is
|
|
for UNIX.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.4"><strong>1.4 Can I set up a POP or IMAP server on Windows 3.1 or
|
|
DOS?</strong></a><br>
|
|
<a name="1.5"><strong>1.5 Can I set up a POP or IMAP server on
|
|
Macintosh?</strong></a><br>
|
|
<a name="1.6"><strong>1.6 Can I set up a POP or IMAP server on
|
|
VAX/VMS?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes, it's just a small matter of programming.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.7"><strong>1.7 Can I set up a POP or IMAP server on
|
|
TOPS-20?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
You have a TOPS-20 system? Cool.
|
|
|
|
<p>If IMAP2 (RFC 1176) is good enough for you, you can use MAPSER which
|
|
is about the ultimate gonzo pure TOPS-20 extended addressing assembly
|
|
language program. Unfortunately, IMAP2 is barely good enough for Pine
|
|
these days, and most other IMAP clients won't work with IMAP2 at all.
|
|
Maybe someone will hack MAPSER to do IMAP4rev1 some day.</p>
|
|
|
|
<p>We don't know if anyone wrote a POP3 server for TOPS-20. There
|
|
definitely was a POP2 server once upon a time.</p>
|
|
|
|
<p>Or you can port the POP and IMAP server from this IMAP toolkit to
|
|
it. All that you need for a first stab is to port the MTX driver.
|
|
That'll probably be just a couple of hours of hacking.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.8"><strong>1.8 Are hierarchical mailboxes
|
|
supported?</strong></a><br>
|
|
<a name="1.9"><strong>1.9 Are "dual-use" mailboxes
|
|
supported?</strong></a><br>
|
|
<a name="1.10"><strong>1.10 Can I have a mailbox that has both messages and
|
|
sub-mailboxes?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Yes. However, there is one important caveat.
|
|
|
|
<p>Some mailbox formats, including the default which is the traditional
|
|
UNIX mailbox format, are stored as a single file containing all the
|
|
messages. UNIX does not permit a name in the filesystem to be both a
|
|
file and a directory; consequently you can not have a sub-mailbox
|
|
within a mailbox that is in one of these formats.</p>
|
|
|
|
<p>This is not a limitation of the software; this is a limitation of
|
|
UNIX. For example, there are mailbox formats in which the name is a
|
|
directory and each message is a file within that directory; these
|
|
formats support sub-mailboxes within such mailboxes. However, for
|
|
technical reasons, the "flat file" formats are generally preferred
|
|
since they perform better. Read imap-2007/docs/formats.txt for more
|
|
information on this topic.</p>
|
|
|
|
<p>It is always permissible to create a directory that is not a
|
|
mailbox, and have sub-mailboxes under it. The easiest way to create a
|
|
directory is to create a new mailbox inside a directory that doesn't
|
|
already exist. For example, if you create "Mail/testbox" on UNIX, the
|
|
directory "Mail/" will automatically be created and then the mailbox
|
|
"testbox" will be created as a sub-mailbox of "Mail/".</p>
|
|
|
|
<p>It is also possible to create the name "Mail/" directly. Check the
|
|
documentation for your client software to see how to do this with that
|
|
software.</p>
|
|
|
|
<p>Of course, on Windows systems you would use "\" instead of "/".</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.11"><strong>1.11 What is the difference between "mailbox" and
|
|
"folder"?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
The term "mailbox" is IMAP-speak for what a lot of software calls a
|
|
"folder" or a "mail folder". However, "folder" is often used in other
|
|
contexts to refer to a directory, for example, in the graphic user
|
|
interface on both Windows and Macintosh.
|
|
|
|
<p>A "mailbox" is specifically defined as a named object that contains
|
|
messages. It is not required to be capable of containing other types of
|
|
objects including other mailboxes; although some mailbox formats will
|
|
permit this.</p>
|
|
|
|
<p>In IMAP-speak, a mailbox which can not contain other mailboxes is
|
|
called a "no-inferiors mailbox". Similarly, a directory which can not
|
|
contain messages is not a mailbox and is called a "no-select name".</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.12"><strong>1.12 What is the status of
|
|
internationalization?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
The IMAP toolkit is partially internationalized and multilingualized.
|
|
|
|
<p>Searching is supported in the following charsets: US-ASCII, UTF-8,
|
|
ISO-8859-1, ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6,
|
|
ISO-8859-7, ISO-8859-8, ISO-8859-9, ISO-8859-10, ISO-8859-11,
|
|
ISO-8859-13, ISO-8859-14, ISO-8859-15, ISO-8859-16, KOI8-R, KOI8-U
|
|
(alias KOI8-RU), TIS-620, VISCII, ISO-2022-JP, ISO-2022-KR,
|
|
ISO-2022-CN, ISO-2022-JP-1, ISO-2022-JP-2, GB2312 (alias CN-GB),
|
|
CN-GB-12345, BIG5 (alias CN-BIG5), EUC-JP, EUC-KR, Shift_JIS,
|
|
Shift-JIS, KS_C_5601-1987, KS_C_5601-1992, WINDOWS_874, WINDOWS-1250,
|
|
WINDOWS-1251, WINDOWS-1252, WINDOWS-1253, WINDOWS-1254, WINDOWS-1255,
|
|
WINDOWS-1256, WINDOWS-1257, WINDOWS-1258.</p>
|
|
|
|
<p>All ISO-2022-?? charsets are treated identically, and support ASCII,
|
|
JIS Roman, hankaku katakana, ISO-8859-[1 - 10], TIS, GB 2312, JIS X
|
|
0208, JIS X 0212, KSC 5601, and planes 1 and 2 of CNS 11643.</p>
|
|
|
|
<p>EUC-JP includes support for JIS X 0212 and hankaku katakana.</p>
|
|
|
|
<p>c-client library support also exists to convert text in any of the
|
|
above charsets into Unicode, including headers with MIME
|
|
encoded-words.</p>
|
|
|
|
<p>There is no support for localization (e.g. non-English error
|
|
messages) at the present time, but such support is planned.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.13"><strong>1.13 Can I use SSL?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.5">How do I configure SSL?</a>
|
|
question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.14"><strong>1.14 Can I use TLS and the STARTTLS
|
|
facility?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.6">How do I configure TLS and
|
|
the STARTTLS facility?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.15"><strong>1.15 Can I use CRAM-MD5
|
|
authentication?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.8">How do I configure CRAM-MD5
|
|
authentication?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.16"><strong>1.16 Can I use APOP authentication?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Yes. See the <a href="#3.9">How do I configure APOP authentication?</a>
|
|
question.
|
|
|
|
<p>Note that there is no client support for APOP authentication.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.17"><strong>1.17 Can I use Kerberos V5?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.10">How do I configure
|
|
Kerberos V5?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.18"><strong>1.18 Can I use PAM for plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.11">How do I configure PAM for
|
|
plaintext passwords?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.19"><strong>1.19 Can I use Kerberos 5 for plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.13">How do I configure
|
|
Kerberos 5 for plaintext passwords?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.20"><strong>1.20 Can I use AFS for plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.14">How do I configure AFS for
|
|
plaintext passwords?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.21"><strong>1.21 Can I use DCE for plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.15">How do I configure DCE for
|
|
plaintext passwords?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.22"><strong>1.22 Can I use the CRAM-MD5 database for plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.16">How do I configure the
|
|
CRAM-MD5 database for plaintext passwords?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.23"><strong>1.23 Can I disable plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.17">How do I disable plaintext
|
|
passwords?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.24"><strong>1.24 Can I disable plaintext passwords on unencrypted
|
|
sessions, but allow them on encrypted sessions?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.18">How do I disable plaintext
|
|
passwords on unencrypted sessions, but allow them in SSL or TLS
|
|
sessions?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.25"><strong>1.25 Can I use virtual hosts?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Yes. See the answer to the <a href="#3.19">How do I configure virtual
|
|
hosts?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.26"><strong>1.26 Can I use RPOP authentication?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>There is no support for RPOP authentication.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.27"><strong>1.27 Can I use Kerberos V4?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Kerberos V4 is not supported. Kerberos V4 client-only contributed code
|
|
is available in
|
|
<pre>
|
|
<a href=
|
|
"ftp://ftp.cac.washington.edu/mail/kerberos4-patches.tar.Z">ftp://ftp.cac.washington.edu/mail/kerberos4-patches.tar.Z
|
|
</a>
|
|
</pre>This is a patchkit which must be applied to the IMAP toolkit according
|
|
to the instructions in the patchkit's README. We can not promise that this
|
|
code works.
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.28"><strong>1.28 Is there support for S/Key or
|
|
OTP?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>There is currently no support for S/Key or OTP. There may be an OTP
|
|
SASL authenticator available from third parties.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.29"><strong>1.29 Is there support for NTLM or
|
|
SPA?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
There is currently no support for NTLM or SPA, nor are there any plans
|
|
to add such support. In general, I avoid vendor-specific mechanisms. I
|
|
also believe that these mechanisms are being deprecated by their
|
|
vendor.
|
|
|
|
<p>There may be an NTLM SASL authenticator available from third
|
|
parties.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.30"><strong>1.30 Is there support for mh?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Yes, but only as a legacy format. Your mh format INBOX is accessed by
|
|
the name "#mhinbox", and all other mh format mailboxes are accessed by
|
|
prefixing "#mh/" to the name, e.g. "#mh/foo". The mh support uses the
|
|
"Path:" entry in your .mh_profile file to identify the root directory
|
|
of your mh format mailboxes.
|
|
|
|
<p>Non-legacy use of mh format is not encouraged. There is no support
|
|
for permanent flags or unique identifiers; furthermore there are known
|
|
severe performance problems with the mh format.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.31"><strong>1.31 Is there support for qmail and the maildir
|
|
format?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>There is no support for qmail or the maildir format in our
|
|
distribution, nor are there any plans to add such support. Maildir
|
|
support may be available from third parties.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.32"><strong>1.32 Is there support for the Cyrus mailbox
|
|
format?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>No.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="1.33"><strong>1.33 Is this software Y2K compliant?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Please read the files Y2K and calendar.txt.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><br></p>
|
|
|
|
<h2><a name="requirements">2. What Do I Need to Build This Software?</a></h2>
|
|
<hr>
|
|
|
|
<p><a name="2.1"><strong>2.1 What do I need to build this software with SSL on
|
|
UNIX?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>You need to build and install OpenSSL first.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.2"><strong>2.2 What do I need to build this software with Kerberos
|
|
V on UNIX?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>You need to build and install MIT Kerberos first.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.3"><strong>2.3 What do I need to use a C++ compiler with this
|
|
software to build my own application?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
If you are building an application using the c-client library, use the
|
|
new c-client.h file instead of including the other include files. It
|
|
seems that c-client.h should define away all the troublesome names that
|
|
conflict with C++.
|
|
|
|
<p>If you use gcc, you may need to use -fno-operator-names as well.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.4"><strong>2.4 What do I need to build this software on
|
|
Windows?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
You need Microsoft Visual C++ 6.0, Visual C++ .NET, or Visual C# .NET
|
|
(which you can buy from any computer store), along with the Microsoft
|
|
Platform SDK (which you can download from Microsoft's web site).
|
|
|
|
<p>You do not need to install the entire Platform SDK; it suffices to
|
|
install just the Core SDK and the Internet Development SDK.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.5"><strong>2.5 What do I need to build this software on
|
|
DOS?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>It's been several years since we last attempted to do this. At the
|
|
time, we used Microsoft C.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.6"><strong>2.6 Can't I use Borland C to build this software on the
|
|
PC?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Probably not. If you know otherwise, please let us know.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.7"><strong>2.7 What do I need to build this software on the
|
|
Mac?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>It has been several years since we last attempted to do this. At the
|
|
time, we used Symantec THINK C; but today you'll need a C compiler which
|
|
allows segments to be more than 32K.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.8"><strong>2.8 What do I need to build this software on
|
|
VMS?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>You need the VMS C compiler, and either the Multinet or Netlib
|
|
TCP.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.9"><strong>2.9 What do I need to build this software on
|
|
TOPS-20?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>You need the TOPS-20 KCC compiler.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.10"><strong>2.10 What do I need to build this software on Amiga or
|
|
OS/2?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>We don't know.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="2.11"><strong>2.11 What do I need to build this software on Windows
|
|
CE?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>This port is incomplete. Someone needs to finish it.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><br></p>
|
|
|
|
<h2><a name="build">3. Build and Configuration Questions</a></h2>
|
|
<hr>
|
|
|
|
<p><a name="3.1"><strong>3.1 How do I configure the IMAP and POP servers on
|
|
UNIX?</strong></a><br>
|
|
<a name="3.2"><strong>3.2 I built and installed the servers according to the
|
|
BUILD instructions. It can't be that easy. Don't I need to write a
|
|
config file?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
For ordinary "vanilla" UNIX systems, this software is plug and play;
|
|
just build it, install it, and you're done. If you have a modified
|
|
system, then you may want to do additional work; most of this is to a
|
|
single source code file (env_unix.c on UNIX systems). Read the file
|
|
CONFIG for more details.
|
|
|
|
<p>Yes, it's that easy. There are some additional options, such as SSL
|
|
or Kerberos, which require additional steps to build. See the relevant
|
|
questions below.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.3"><strong>3.3 How do I make the IMAP and POP servers look for
|
|
INBOX at some place other than the mail spool
|
|
directory?</strong></a><br>
|
|
<a name="3.4"><strong>3.4 How do I make the IMAP server look for secondary
|
|
folders at some place other than the user's home
|
|
directory?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Please read the file CONFIG for discussion of this and other
|
|
issues.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.5"><strong>3.5 How do I configure SSL?</strong></a><br>
|
|
<a name="3.6"><strong>3.6 How do I configure TLS and the STARTTLS
|
|
facility?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
imap-2007 supports SSL and TLS client functionality on UNIX and 32-bit
|
|
Windows for IMAP, POP3, SMTP, and NNTP; and SSL and TLS server
|
|
functionality on UNIX for IMAP and POP3.
|
|
|
|
<p>UNIX SSL build requires that a third-party software package,
|
|
OpenSSL, be installed on the system first. Read imap-2007/docs/SSLBUILD
|
|
for more information.</p>
|
|
|
|
<p>SSL is supported via undocumented Microsoft interfaces in Windows 9x
|
|
and NT4; and via standard interfaces in Windows 2000, Windows
|
|
Millenium, and Windows XP.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.7"><strong>3.7 How do I build/install OpenSSL and obtain/create
|
|
certificates for use with SSL?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>If you need help in doing this, try the contacts mentioned in the
|
|
OpenSSL README. We do not offer support for OpenSSL or certificates.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.8"><strong>3.8 How do I configure CRAM-MD5
|
|
authentication?</strong></a><br>
|
|
<a name="3.9"><strong>3.9 How do I configure APOP
|
|
authentication?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
CRAM-MD5 authentication is enabled in the IMAP and POP3 client code on
|
|
all platforms. Read md5.txt to learn how to set up CRAM-MD5 and APOP
|
|
authentication on UNIX and NT servers.
|
|
|
|
<p>There is no support for APOP client authentication.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.10"><strong>3.10 How do I configure Kerberos V5?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
imap-2007 supports client and server functionality on UNIX and 32-bit
|
|
Windows.
|
|
|
|
<p>Kerberos V5 is supported by default in Windows 2000 builds:</p>
|
|
<pre>
|
|
nmake -f makefile.w2k
|
|
</pre>
|
|
|
|
<p>Other builds require that a third-party Kerberos package, e.g. MIT
|
|
Kerberos, be installed on the system first.</p>
|
|
|
|
<p>To build with Kerberos V5 on UNIX, include EXTRAAUTHENTICATORS=gss
|
|
in the make command line, e.g.</p>
|
|
<pre>
|
|
make lnp EXTRAAUTHENTICATORS=gss
|
|
</pre>
|
|
|
|
<p>To build with Kerberos V5 on Windows 9x, Windows Millenium, and NT4,
|
|
use the "makefile.ntk" file instead of "makefile.nt":</p>
|
|
<pre>
|
|
|
|
nmake -f makefile.ntk
|
|
</pre>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.11"><strong>3.11 How do I configure PAM for plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
On Linux systems, use the lnp port, e.g.
|
|
<pre>
|
|
make lnp
|
|
|
|
</pre>On Solaris systems and other systems with defective PAM
|
|
implementations, build with PASSWDTYPE=pmb, e.g.
|
|
<pre>
|
|
make sol PASSWDTYPE=pmb
|
|
</pre>On all other systems, build with PASSWDTYPE=pam, e.g
|
|
<pre>
|
|
make foo PASSWDTYPE=pam
|
|
</pre>If you build with PASSWDTYPE=pam and authentication does not work, try
|
|
rebuilding (after a "make clean") with PASSWDTYPE=pmb.
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.12"><strong>3.12 It looks like all I have to do to make the server
|
|
use Kerberos is to build with PAM on my Linux system, and set it up in
|
|
PAM for Kerberos passwords. Right?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Yes and no.
|
|
|
|
<p>Doing this will make plaintext password authentication use the
|
|
Kerberos password instead of the /etc/passwd password.</p>
|
|
|
|
<p>However, this will NOT give you Kerberos-secure authentication. See
|
|
the answer to the <a href="#3.10">How do I configure Kerberos V5?</a>
|
|
question for how to build with Kerberos-secure authentication.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.13"><strong>3.13 How do I configure Kerberos 5 for plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Build with PASSWDTYPE=gss, e.g.
|
|
<pre>
|
|
make sol PASSWDTYPE=gss
|
|
</pre>However, this will NOT give you Kerberos-secure authentication. See the
|
|
answer to the <a href="#3.10">How do I configure Kerberos V5?</a> question
|
|
for how to build with Kerberos-secure authentication.
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.14"><strong>3.14 How do I configure AFS for plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Build with PASSWDTYPE=afs, e.g
|
|
<pre>
|
|
make sol PASSWDTYPE=afs
|
|
|
|
</pre>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.15"><strong>3.15 How do I configure DCE for plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Build with PASSWDTYPE=dce, e.g
|
|
<pre>
|
|
make sol PASSWDTYPE=dce
|
|
</pre>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.16"><strong>3.16 How do I configure the CRAM-MD5 database for
|
|
plaintext passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
The CRAM-MD5 password database is automatically used for plaintext
|
|
password if it exists.
|
|
|
|
<p>Note that this is NOT CRAM-MD5-secure authentication. You probably
|
|
want to consider disabling plaintext passwords for non-SSL/TLS
|
|
sessions. See the next two questions.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.17"><strong>3.17 How do I disable plaintext
|
|
passwords?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Server-level plaintext passwords can be disabled by setting
|
|
PASSWDTYPE=nul, e.g.
|
|
<pre>
|
|
make lnx EXTRAAUTHENTICATORS=gss PASSWDTYPE=nul
|
|
</pre>Note that you must have a CRAM-MD5 database installed or specify at
|
|
least one EXTRAAUTHENTICATOR, otherwise it will not be possible to log in to
|
|
the server.
|
|
|
|
<p>When plaintext passwords are disabled, the IMAP server will
|
|
advertise the LOGINDISABLED capability and the POP3 server will not
|
|
advertise the USER capability.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
|
|
<p><a name="3.18"><strong>3.18 How do I disable plaintext passwords on
|
|
unencrypted sessions, but allow them in SSL or TLS
|
|
sessions?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
<p>Do not set PASSWDTYPE=nul or SSLTYPE=unix. Set SSLTYPE=nopwd
|
|
instead, e.g.</p>
|
|
<pre>
|
|
make lnx SSLTYPE=nopwd
|
|
</pre>
|
|
|
|
<p>When plaintext passwords are disabled, the IMAP server will
|
|
advertise the LOGINDISABLED capability and the POP3 server will not
|
|
advertise the USER capability.</p>
|
|
|
|
<p>Plaintext passwords will always be enabled in SSL sessions; the IMAP
|
|
server will not advertise the LOGINDISABLED capability and the POP3
|
|
server will advertise the USER capability.</p>
|
|
|
|
<p>If the client does a successful start-TLS in a non-SSL session,
|
|
plaintext passwords will be enabled, and a new CAPABILITY or CAPA
|
|
command (which is required after start-TLS) will show the effect as in
|
|
SSL sessions.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.19"><strong>3.19 How do I configure virtual
|
|
hosts?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is automatic, but with certain restrictions.
|
|
|
|
<p>The most important one is that each virtual host must have its own
|
|
IP address; otherwise the server has no way of knowing which virtual
|
|
host is desired.</p>
|
|
|
|
<p>As distributed, the software uses a global password file; hence user
|
|
"fred" on one virtual host is "fred" on all virtual hosts. You may want
|
|
to modify the checkpw() routine to implement some other policy (e.g.
|
|
separate password files).</p>
|
|
|
|
<p>Note that the security model assumes that all users have their own
|
|
unique UNIX UID number. So if you use separate password files you
|
|
should make certain that the UID numbers do not overlap between
|
|
different files.</p>
|
|
|
|
<p>More advanced virtual host support may be available as patches from
|
|
third parties.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.20"><strong>3.20 Why do I get compiler warning messages such
|
|
as:</strong></a></p>
|
|
<pre>
|
|
passing arg 3 of `scandir' from incompatible pointer type
|
|
Pointers are not assignment-compatible.
|
|
Argument #4 is not the correct type.
|
|
|
|
</pre>
|
|
|
|
<p><strong>during the build?</strong></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
You can safely ignore these messages.
|
|
|
|
<p>Over the years, the prototype for scandir() has changed, and thus is
|
|
variant across different UNIX platforms. In particular, the definitions
|
|
of the third argument (type select_t) and fourth argument (type
|
|
compar_t) have changed over the years, the issue being whether or not
|
|
the arguments to the functions pointed to by these function pointers
|
|
are of type const or not.</p>
|
|
|
|
<p>The way that c-client calls scandir() will tend to generate these
|
|
compiler warnings on newer systems such as Linux; however, it will
|
|
still build. The problem with fixing the call is that then it won't
|
|
build on older systems.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.21"><strong>3.21 Why do I get compiler warning messages such
|
|
as</strong></a></p>
|
|
<pre>
|
|
Operation between types "void(*)(int)" and "void*" is not allowed.
|
|
Function argument assignment between types "void*" and "void(*)(int)" is not allowed.
|
|
Pointers are not assignment-compatible.
|
|
Argument #5 is not the correct type.
|
|
</pre>
|
|
|
|
<p><strong>during the build?</strong></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
You can safely ignore these messages.
|
|
|
|
<p>All known systems have no problem with casting a function pointer
|
|
to/from a void* pointer, certain C compilers issue a compiler
|
|
diagnostic because this facility is listed as a "Common extension" by
|
|
the C standard:</p>
|
|
<pre>
|
|
K.5.7 Function pointer casts
|
|
[#1] A pointer to an object or to void may be cast to a pointer
|
|
to a function, allowing data to be invoked as a function (6.3.4).
|
|
[#2] A pointer to a function may be cast to a pointer to an
|
|
object or to void, allowing a function to be inspected or
|
|
modified (for example, by a debugger) (6.3.4).
|
|
|
|
</pre>It may be just a "common extension", but this facility is relied upon
|
|
heavily by c-client.
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.22"><strong>3.22 Why do I get linker warning messages such
|
|
as:</strong></a></p>
|
|
<pre>
|
|
mtest.c:515: the `gets' function is dangerous and should not be used.
|
|
</pre>
|
|
|
|
<p><strong>during the build? Isn't this a security bug?</strong></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
You can safely ignore this message.
|
|
|
|
<p>Certain linkers, most notably on Linux, give this warning message.
|
|
It is indeed true that the traditional gets() function is not a safe
|
|
one.</p>
|
|
|
|
<p>However, the mtest program is only a demonstration program, a model
|
|
of a very basic application program using c-client. It is not something
|
|
that you would install, much less run in any security-sensitive
|
|
context.</p>
|
|
|
|
<p>mtest has numerous other shortcuts that you wouldn't want to do in a
|
|
real application program.</p>
|
|
|
|
<p>The only "security bug" with mtest would be if it was run by some
|
|
script in a security-sensitive context, but mtest isn't particularly
|
|
useful for such purposes. If you wanted to write a script to automate
|
|
some email task using c-client, you'd be better off using imapd instead
|
|
of mtest.</p>
|
|
|
|
<p>mtest only has two legitimate uses. It's a useful testbed for me
|
|
when debugging new versions of c-client, and it's useful as a model for
|
|
someone writing a simple c-client application to see how the various
|
|
calls work.</p>
|
|
|
|
<p>By the way, if you need a more advanced example of c-client
|
|
programming than mtest (and you probably will), I recommend that you
|
|
look at the source code for imapd and Pine.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.23"><strong>3.23 Why do I get linker warning messages such
|
|
as:</strong></a></p>
|
|
<pre>
|
|
auth_ssl.c:92: the `tmpnam' function is dangerous and should not be used.
|
|
</pre>
|
|
|
|
<p><strong>during the build? Isn't this a security bug?</strong></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
You can safely ignore this message.
|
|
|
|
<p>Certain linkers, most notably on Linux, give this warning message,
|
|
based upon two known issues with tmpnam():</p>
|
|
|
|
<dl>
|
|
<dd>there can be a buffer overflow if an inadequate buffer is
|
|
allocated.</dd>
|
|
|
|
<dd>there can be a timing race caused by certain incautious usage of
|
|
the return value.</dd>
|
|
</dl>
|
|
|
|
<p>Neither of these issues applies in the particular use that is made
|
|
of tmpnam(). More importantly, the tmpnam() call is never executed on
|
|
Linux systems.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="3.24"><strong>3.24 OK, suppose I see a warning message about a
|
|
function being "dangerous and should not be used" for something other
|
|
than this gets() or tmpnam() call?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Please forward the details for investigation.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><br></p>
|
|
|
|
<h2><a name="operation">4. Operational Questions</a></h2>
|
|
<hr>
|
|
|
|
<p><a name="4.1"><strong>4.1 How can I enable anonymous IMAP
|
|
logins?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Create the file /etc/anonymous.newsgroups. At the present time, this
|
|
file should be empty. This will permit IMAP logins as anonymous as well
|
|
as the ANONYMOUS SASL authenticator. Anonymous users have access to
|
|
mailboxes in the #news., #ftp/, and #public/ namespaces only.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="4.2"><strong>4.2 How do I set up an alert message that each IMAP
|
|
user will see?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Create the file /etc/imapd.alert with the text of the message. This
|
|
text should be kept to one line if possible. Note that this will cause an
|
|
alert to every IMAP user every time they initiate an IMAP session, so it
|
|
should only be used for critical messages.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="4.3"><strong>4.3 How does the c-client library choose which of its
|
|
several mechanisms to use to establish an IMAP connection to the server?
|
|
I noticed that it can connect on port 143, port 993, via rsh, and via
|
|
ssh.</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
c-client chooses how to establish an IMAP connection via the following
|
|
rules:
|
|
|
|
<ul>
|
|
<li>If /ssl is specified, use an SSL connection. Fail otherwise.</li>
|
|
|
|
<li>Else if client is a UNIX system and "ssh server exec /etc/rimapd"
|
|
works, use that</li>
|
|
|
|
<li>Else if /tryssl is specified and an SSL connection works, use
|
|
that.</li>
|
|
|
|
<li>Else if client is a UNIX system and "rsh server exec /etc/rimapd"
|
|
works, use that.</li>
|
|
|
|
<li>Else use a non-SSL connection.</li>
|
|
</ul>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="4.4"><strong>4.4 I am using a TLS-capable IMAP server, so I don't
|
|
need to use /ssl to get encryption. However, I want to be certain that
|
|
my session is TLS encrypted before I send my password. How to I do
|
|
this?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Use the /tls option in the mailbox name. This will cause an error
|
|
message and the connection to fail if the server does not negotiate
|
|
STARTTLS.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="4.5"><strong>4.5 How do I use one of the alternative formats
|
|
described in the formats.txt document? In particular, I hear that mbx
|
|
format will give me better performance and allow shared
|
|
access.</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
The rumors about mbx format being preferred are true. It is faster than
|
|
the traditional UNIX mailbox format and permits shared access.
|
|
|
|
<p>However, and this is <em>very important</em>, note that using an
|
|
alternative mailbox format is an advanced facility, and only expert
|
|
users should undertake it. If you don't understand any of the following
|
|
notes, you may not be enough of an expert yet, and are probably better
|
|
off not going this route until you are more comfortable with your
|
|
understanding.</p>
|
|
|
|
<p>Some of the formats, including mbx, are only supported by the
|
|
software based on the c-client library, and are not recognized by other
|
|
mailbox programs. The "vi" editor will corrupt any mbx format mailbox
|
|
that it encounters.</p>
|
|
|
|
<p>Another problem is that the certain formats, including mbx, use
|
|
advanced file access and locking techniques that do <em>not</em> work
|
|
reliably with NFS. NFS is not a real filesystem. Use IMAP instead of
|
|
NFS for distributed access.</p>
|
|
|
|
<p>Each of the following steps are in escalating order of involvement.
|
|
The further you go down this list, the more deeply committed you
|
|
become:</p>
|
|
|
|
<ul>
|
|
<li>The simplest way to create a mbx-format mailbox is to prefix the
|
|
name with "#driver.mbx/" when creating a mailbox through c-client.
|
|
For example, if you create "#driver.mbx/foo", the mailbox "foo" will
|
|
be created in mbx format. Only use "#driver.mbx/" when creating the
|
|
mailbox. At all other times, just use the name ("foo" in this
|
|
example); the software will automatically select the driver for mbx
|
|
whenever that mailbox is accessed without you doing anything
|
|
else.</li>
|
|
|
|
<li>You can use the "mailutil copy" command to copy an existing
|
|
mailbox to a new mailbox in mbx format. Read the man page provided
|
|
with the mailutil program for details.</li>
|
|
|
|
<li>If you create an mbx-format INBOX, by creating
|
|
"#driver.mbx/INBOX" (note that "INBOX" must be all uppercase), then
|
|
subsequent access to INBOX by any c-client based application will use
|
|
the mbx-format INBOX. Any mail delivered to the traditional format
|
|
mailbox in the spool directory (e.g. /var/spool/mail/$USER) will
|
|
automatically be copied into the mbx-format INBOX and the spool
|
|
directory copy removed.</li>
|
|
|
|
<li>You can cause any newly-created mailboxes to be in mbx-format by
|
|
default by changing the definition of CREATEPROTO=unixproto to be
|
|
CREATEPROTO=mbxproto in src/osdep/unix/Makefile, then rebuilding the
|
|
IMAP toolkit (do a "make clean" first). Do not change EMPTYPROTO,
|
|
since mbx format mailboxes are never a zero-byte file. If you use
|
|
Pine or the imap-utils, you should probably also rebuild them with
|
|
the new IMAP toolkit too.</li>
|
|
|
|
<li>You can deliver directly to the mbx-format INBOX by use of the
|
|
tmail or dmail programs. tmail is for direct invocation from sendmail
|
|
(or whatever MTA program you use); dmail is for calls from procmail.
|
|
Both of these programs have man pages which must be read carefully
|
|
before making this change.</li>
|
|
</ul>
|
|
|
|
<p>Most other servers (e.g. Cyrus) require use of a non-standard
|
|
format. A full-fledged format conversion is not significantly different
|
|
from what you have to do with other servers. The difference, which
|
|
makes format conversion procedures somewhat more complicated with this
|
|
server, is that there is no "all or nothing" requirement with this
|
|
server. There are many points in between. A format conversion can be
|
|
anything from a single mailbox or single user, to systemwide.</p>
|
|
|
|
<p>This is good in that you can decide how far to go, or do the steps
|
|
incrementally as you become more comfortable with the result. On the
|
|
other hand, there's no "One True Way" which can be boiled down to a
|
|
simple set of pedagogical instructions.</p>
|
|
|
|
<p>A number of sites have done full-fledged format conversions, and are
|
|
reportedly quite happy with the results. Feel free to ask in the
|
|
comp.mail.imap newsgroup or the imap-uw mailing list for advice or
|
|
help.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="4.6"><strong>4.6 How do I set up shared mailboxes?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
At the simplest level, a shared mailbox is one which has UNIX file and
|
|
directory protections which permit multiple users to access it. What
|
|
this means is that your existing skills and tools to create and manage
|
|
shared files on your UNIX system apply to shared mailboxes; e.g.
|
|
<pre>
|
|
chmod 666 mailbox
|
|
</pre>
|
|
|
|
<p>You may want to consider the use of a mailbox format which permits
|
|
multiple simultaneous read/write sessions, such as the mbx format. The
|
|
traditional UNIX format only allows one read/write session to a
|
|
mailbox at a time.</p>
|
|
|
|
<p>An additional convenience item are three system directories, which
|
|
can be set up for shared namespaces. These are: #ftp, #shared, and
|
|
#public, and are defined by creating the associated UNIX users and home
|
|
directories as described below.</p>
|
|
|
|
<p>#ftp/ refers to the anonymous ftp filesystem exported by the ftp
|
|
server, and is equivalent to the home directory for UNIX user "ftp".
|
|
For example, #ftp/foo/bar refers to the file /foo/bar in the anonymous
|
|
FTP filesystem, or ~ftp/foo/bar for normal users. Anonymous FTP files
|
|
are available to anonymous IMAP logins. By default, newly-created files
|
|
in #ftp/ are protected 644.</p>
|
|
|
|
<p>#public/ refers to an IMAP toolkit convention called "public" files,
|
|
and is equivalent to the home directory for UNIX user "imappublic". For
|
|
example, #public/foo/bar refers to the file ~imappublic/foo/bar. Public
|
|
files are available to anonymous IMAP logins. By default, newly-created
|
|
files in #public are created with protection 0666.</p>
|
|
|
|
<p>#shared/ refers to an IMAP toolkit convention called "shared" files,
|
|
and is equivalent to the home directory for UNIX user "imapshared". For
|
|
example, #shared/foo/bar refers to the file ~imapshared/foo/bar. Shared
|
|
files are <em>not</em> available to anonymous IMAP logins. By default,
|
|
newly-created files in #shared are created with protection 0660.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="4.7"><strong>4.7 How can I make the server syslogs go to someplace
|
|
other than the mail syslog?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
The openlog() call that sets the syslog facility is in
|
|
<strong>src/osdep/unix/env_unix.c</strong> in routine
|
|
<strong>server_init()</strong>. You need to edit this file to change
|
|
the syslog facility from LOG_MAIL to the facility you want, then
|
|
rebuild. You also need to set up your /etc/syslog.conf properly.
|
|
|
|
<p>Refer to the man pages for syslog and syslogd for more information
|
|
on what the available syslog facilities are and how to configure
|
|
syslogs. If you still don't understand what to do, find a UNIX system
|
|
expert.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><br></p>
|
|
|
|
<h2><a name="security">5. Security Questions</a></h2>
|
|
<hr>
|
|
|
|
<p><a name="5.1"><strong>5.1 I see that the IMAP server allows access to
|
|
arbitary files on the system, including /etc/passwd! How do I disable
|
|
this?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
You should not worry about this if your IMAP users are allowed shell
|
|
access. The IMAP server does not permit any access that the user can
|
|
not have via the shell.
|
|
|
|
<p>If, and only if, you deny your IMAP users shell access, you may want
|
|
to consider one of three choices. Note that these choices reduce IMAP
|
|
functionality, and may have undesirable side effects. Each of these
|
|
choices involves an edit to file
|
|
<strong>src/osdep/unix/env_unix.c</strong></p>
|
|
|
|
<p>The first (and recommended) choice is to set
|
|
<strong>restrictBox</strong> as described in file CONFIG. This will
|
|
disable access to the filesystem root, to other users' home directory,
|
|
and to superior directory.</p>
|
|
|
|
<p>The second (and strongly NOT recommended) choice is to set
|
|
<strong>closedBox</strong> as described in file CONFIG. This puts each
|
|
IMAP session into a so-called "chroot jail", and thus setting this
|
|
option is <em>extremely</em> dangerous; it can make your system much
|
|
less secure and open to root compromise attacks. So do not use this
|
|
option unless you are <em>absolutely certain</em> that you understand
|
|
all the issues of a "chroot jail."</p>
|
|
|
|
<p>The third choice is to rewrite routine
|
|
<strong>mailboxfile()</strong> to implement whatever mapping from
|
|
mailbox name to filesystem name (and restrictions) that you wish. This
|
|
is the most general choice. As a guide, you can see at the start of
|
|
routine <strong>mailboxfile()</strong> what the
|
|
<strong>restrictBox</strong> choice does.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="5.2"><strong>5.2 I've heard that IMAP servers are insecure. Is this
|
|
true?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
There are no known security problems in this version of the IMAP
|
|
toolkit, including the IMAP and POP servers. The IMAP and POP servers
|
|
limit what can be done while not logged in, and as part of the login
|
|
process discard all privileges except those of the user.
|
|
|
|
<p>As with other software packages, there have been buffer overflow
|
|
vulnerabilities in past versions. All known problems of this nature are
|
|
fixed in this version.</p>
|
|
|
|
<p>There is every reason to believe that the bad guys are engaged in an
|
|
ongoing effort to find vulnerabilities in the IMAP toolkit. We look for
|
|
such problems, and when one is found we fix it.</p>
|
|
|
|
<p>It's unfortunate that any vulnerabilities existed in past versions,
|
|
and we're doing my best to keep the IMAP toolkit free of
|
|
vulnerabilities. No new vulnerabilities have been discovered in quite a
|
|
while, but efforts will not be relaxed.</p>
|
|
|
|
<p>Beware of vendors who claim that their implementations can not have
|
|
vulnerabilities.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="5.3"><strong>5.3 How do I know that I have the most secure version
|
|
of the server?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
The best way is to keep your server software up to date. The bad guys
|
|
are always looking for ways to crack software, and when they find one,
|
|
let all their friends know.
|
|
|
|
<p>Oldtimers used to refer to a concept of <em>software rot</em>: if
|
|
your software hasn't been updated in a while, it would "rot" -- tend to
|
|
acquire problems that it didn't have when it was new.</p>
|
|
|
|
<p>The latest release version of the IMAP toolkit is always available
|
|
at <a href=
|
|
"ftp://ftp.cac.washington.edu/mail/imap.tar.Z">ftp://ftp.cac.washington.edu/mail/imap.tar.Z</a></p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="5.4"><strong>5.4 I see all these strcpy() and sprintf() calls, those
|
|
are unsafe, aren't they?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Yes and no.
|
|
|
|
<p>It can be unsafe to do these calls if you do not know that the
|
|
string being written will fit in the buffer. However, they are
|
|
perfectly safe if you do know that.</p>
|
|
|
|
<p>Beware of programmers who advocate doing a brute-force change of all
|
|
instances of</p>
|
|
<pre>
|
|
strcpy (s,t);
|
|
</pre>to
|
|
<pre>
|
|
strncpy (s,t,n)[n] = '\0';
|
|
</pre>and similar measures in the name of "fixing all possible buffer
|
|
overflows."
|
|
|
|
<p>There are examples in which a security bug was introduced because of
|
|
this type of "fix", due to the programmer using the wrong value for n.
|
|
In one case, the programmer thought that n was larger than it actually
|
|
was, causing a NUL to be written out of the buffer; in another, n was
|
|
too small, and a security credential was truncated.</p>
|
|
|
|
<p>What is particularly ironic was that in both cases, the original
|
|
strcpy() was safe, because the size of the source string was known to
|
|
be safe.</p>
|
|
|
|
<p>With all this in mind, the software has been inspected, and it is
|
|
believed that all places where buffer overflows can happen have been
|
|
fixed. The strcpy()s that are still are in the code occur after a size
|
|
check was done in some other way.</p>
|
|
|
|
<p>Note that the common C idiom of</p>
|
|
<pre>
|
|
*s++ = c;
|
|
</pre>is just as vulnerable to buffer overflows. You can't cure buffer
|
|
overflows by outlawing certain functions, nor is it desirable to do so;
|
|
sometimes operations like strcpy() translate into fast machine instructions
|
|
for better performance.
|
|
|
|
<p>Nothing replaces careful study of code. That's how the bad guys find
|
|
bugs. Security is not accomplished by means of brute-force
|
|
shortcuts.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="5.5"><strong>5.5 Those /tmp lock files are protected 666, is that
|
|
really right?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Yes. Shared mailboxes won't work otherwise. Also, you get into
|
|
accidental denial of service problems with old lock files left lying
|
|
around; this happens fairly frequently.
|
|
|
|
<p>The deliberate mischief that can be caused by fiddling with the lock
|
|
files is small-scale; harassment level at most. There are many -- and
|
|
much more effective -- other ways of harassing another user on UNIX.
|
|
It's usually not difficult to determine the culprit.</p>
|
|
|
|
<p>Before worrying about deliberate mischief, worry first about things
|
|
happening by accident!</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><br></p>
|
|
|
|
<h2><a name="strange">6. <em>Why Did You Do This Strange Thing?</em>
|
|
Questions</a></h2>
|
|
<hr>
|
|
|
|
<p><a name="6.1"><strong>6.1 Why don't you use GNU autoconfig / automake /
|
|
autoblurdybloop?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Autoconfig et al are not available on all the platforms where the IMAP
|
|
toolkit is supported; and do not work correctly on some of the
|
|
platforms where they do exist. Furthermore, these programs add another
|
|
layer of complexity to an already complex process.
|
|
|
|
<p>Coaxing software that uses autoconfig to build properly on platforms
|
|
which were not specifically considered by that software wastes an
|
|
inordinate amount of time. When (not if) autoconfig fails to do the
|
|
right thing, the result is an inpenetrable morass to untangle in order
|
|
to find the problem and fix it.</p>
|
|
|
|
<p>The concept behind autoconfig is good, but the execution is flawed.
|
|
It rarely does the right thing on a platform that wasn't specifically
|
|
considered. Human life is too short to debug autoconfig problems,
|
|
especially since the current mechanism is so much easier.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.2"><strong>6.2 Why do you insist upon a build with -g? Doesn't it
|
|
waste disk and memory space?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
From time to time a submitted port has snuck in without -g. This has
|
|
<em>always</em> ended up causing problems. There are only two valid
|
|
excuses for not using -g in a port:
|
|
|
|
<ul>
|
|
<li>The compiler does not support -g</li>
|
|
|
|
<li>An alternate form of -g is needed with optimization, e.g.
|
|
-g3.</li>
|
|
</ul>
|
|
|
|
<p>There will be no new ports added without -g (or a suitable
|
|
alternative) being set.</p>
|
|
|
|
<p>-g has not been arbitrarily added to the ports which do not
|
|
currently have it because we don't know if doing so would break the
|
|
build. However, any support issues with one of those port <em>will</em>
|
|
lead to the correct -g setting being determined and permanently
|
|
added.</p>
|
|
|
|
<p>Processors are fast enough (and disk space is cheap enough) that -g
|
|
should be automatic in all compilers with no way of turning it off, and
|
|
/bin/strip should be a symlink to /bin/true. Human life is too short to
|
|
deal with binaries built without -g. Such binaries should be a bad
|
|
memory of the days of KIPS processors and disks that costs several
|
|
dollars per kilobyte.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.3"><strong>6.3 Why don't you make c-client a shared
|
|
library?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
All too often, shared libraries create far more problems than they
|
|
solve.
|
|
|
|
<p>Remember that you only gain the benefit of a shared library when
|
|
there are multiple applications which use that shared library. Even
|
|
without shared libraries, on most modern operating systems (and many
|
|
ancient ones too!) applications will share their text segments between
|
|
across multiple processes running the same application. This means that
|
|
if your system only runs one application (e.g. imapd) that uses the
|
|
c-client library, then you gain no benefit from making c-client a
|
|
shared library even if it has 100 imapd processes. You will, however
|
|
suffer added complexity.</p>
|
|
|
|
<p>If you have a server system that just runs imapd and ipop3d, then
|
|
making c-client a shared library will save just one copy of c-client no
|
|
matter how many IMAP/POP3 processes are running.</p>
|
|
|
|
<p>The problem with shared libraries is that you have to keep around a
|
|
copy of the library every time something changes in the library that
|
|
would affect the interface the library presents to the application. So,
|
|
you end up having many copies of the same shared library.</p>
|
|
|
|
<p>If you don't keep multiple copies of the shared library, then one of
|
|
two things happens. If there was proper versioning, then you'll get a
|
|
message such as "cannot open shared object file" or "minor versions
|
|
don't match" and the application won't run. Otherwise, the application
|
|
will run, but will fail in mysterious ways.</p>
|
|
|
|
<p>Several sites and third-party distributors have modified the
|
|
c-client makefile in order to make c-client be a shared library.
|
|
<em>When</em> (not <em>if</em>) a c-client based application fails in
|
|
mysterious ways because of a library compatibility problem, the result
|
|
is a bug report. A lot of time and effort ends up getting wasted
|
|
investigating such bug reports.</p>
|
|
|
|
<p>Memory is so cheap these days that it's not worth it. Human life is
|
|
too short to deal with shared library compatibility problems.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.4"><strong>6.4 Why don't you use iconv() for internationalization
|
|
support?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>iconv() is not ubiquitous enough.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.5"><strong>6.5 Why is the IMAP server connected to the home
|
|
directory by default?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
The IMAP server has no way of knowing what you might call "mail" as
|
|
opposed to "some other file"; in fact, you can use IMAP to access any
|
|
file.
|
|
|
|
<p>The IMAP server also doesn't know whether your preferred
|
|
subdirectory for mailbox files is "mail/", ".mail/", "Mail/",
|
|
"Mailboxes/", or any of a zillion other possibilities. If one such name
|
|
were chosen, it would undoubtably anger the partisans of all the other
|
|
names.</p>
|
|
|
|
<p>It is possible to modify the software so that the default connected
|
|
directory is someplace else. Please read the file CONFIG for discussion
|
|
of this and other issues.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.6"><strong>6.6 I have a Windows system. Why isn't the server plug
|
|
and play for me?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
There is no standard for how mail is stored on Windows; nor a single
|
|
standard SMTP server. The closest to either would be the SMTP server in
|
|
Microsoft's IIS.
|
|
|
|
<p>So there's no default by which to make assumptions. As the software
|
|
is set up, it assumes that the each user has an Windows login account
|
|
and private home directory, and that mail is stored on that home
|
|
directory as files in one of the popular UNIX formats. It also assumes
|
|
that there is some tool equivalent to inetd on UNIX that does the
|
|
TCP/IP listening and server startup.</p>
|
|
|
|
<p>Basically, unless you're an email software hacker, you probably want
|
|
to look elsewhere if you want IMAP/POP servers for Windows.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.7"><strong>6.7 I looked at the UNIX SSL code and saw that you have
|
|
the SSL data payload size set to 8192 bytes. SSL allows 16K; why aren't
|
|
you using the full size?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is to avoid an interoperability problem with:
|
|
|
|
<ul>
|
|
<li>PC IMAP clients that use Microsoft's SChannel.DLL (SSPI) for SSL
|
|
support</li>
|
|
|
|
<li>Microsoft Exchange server (which also uses SChannel).</li>
|
|
</ul>
|
|
|
|
<p>SChannel has a bug that makes it think that the maximum SSL data
|
|
payload size is 16379 bytes -- 5 bytes too small. Thus, c-client has to
|
|
make sure that it never transmits full sized SSL packets.</p>
|
|
|
|
<p>The reason for using 8K (as opposed to, say, 16379 bytes, or 15K,
|
|
or...) is that it corresponds with the TCP buffer size that the
|
|
software uses elsewhere for input; there's a slight performance benefit
|
|
to having the two sizes correspond or at least be a multiple of each
|
|
other. Also, it keeps the size as a power of two, which might be
|
|
significant on some platforms.</p>
|
|
|
|
<p>There wasn't a significant difference that we could measure between
|
|
8K and 15K.</p>
|
|
|
|
<p>Microsoft has developed a hotfix for this bug. Look up MSKB article
|
|
number 300562. Contrary to the article text which implies that this is
|
|
a Pine issue, this bug also affects Microsoft Exchange server with
|
|
<em>any</em> client that transmits full-sized SSL payloads.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.8"><strong>6.8 Why is an mh format INBOX called #mhinbox instead
|
|
of just INBOX?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
It's a long story. In brief, the mh format driver is less functional
|
|
than any of the other drivers. It turned out that there were some users
|
|
(including high-level administrators) who tried mh years ago and no
|
|
longer use it, but still had an mh profile left behind.
|
|
|
|
<p>When the mh driver used INBOX, it would see the mh profile, and
|
|
proceed to move the user's INBOX into the mh format INBOX. This caused
|
|
considerable confusion as some things stopped working.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.9"><strong>6.9 Why don't you support the maildir
|
|
format?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
It is technically difficult to support maildir in IMAP while
|
|
maintaining acceptable performance, robustness, following the
|
|
requirements of the IMAP protocol specification, and following the
|
|
requirements of maildir.
|
|
|
|
<p>No one has succeeded in accomplishing all four together. The various
|
|
maildir drivers offered as patches all have these problems. The problem
|
|
is exacerbated because this implementation supports multiple formats;
|
|
consequently this implementation can't make any performance shortcuts
|
|
by assuming that all the world is maildir.</p>
|
|
|
|
<p>We can't do a better job than the maildir fan community has done
|
|
with their maildir drivers. Similarly, if the maildir fan community
|
|
provides the maildir driver, they take on the responsibility for
|
|
answering maildir-specific support questions. This is as it should be,
|
|
and that is why maildir support is left to the maildir fan
|
|
community.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.10"><strong>6.10 Why don't you support the Cyrus
|
|
format?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
There's no point to doing so. An implementation which supports multiple
|
|
formats will never do as well as one which is optimized to support one
|
|
single format.
|
|
|
|
<p>If you want to use Cyrus mailbox format, you should use the Cyrus
|
|
server, which is the native implementation of that format and is
|
|
specifically optimized for that format. That's also why Cyrus doesn't
|
|
implement any other format.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.11"><strong>6.11 Why is it creating extra forks on my SVR4
|
|
system?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is because your system only has fcntl() style locking and not
|
|
flock() style locking. fcntl() locking has a design flaw that causes a
|
|
close() to release any locks made by that process on the file opened on
|
|
that file descriptor, even if the lock was made on a different file
|
|
descriptor.
|
|
|
|
<p>This design flaw causes unexpected loss of lock, and consequent
|
|
mailbox corruption. The workaround is to do certain "dangerous
|
|
operations" in another fork, thus avoiding doing a close() in the
|
|
vulnerable fork.</p>
|
|
|
|
<p>The best way to solve this problem is to upgrade your SVR4 (Solaris,
|
|
AIX, HP-UX, SGI) or OSF/1 system to a more advanced operating system,
|
|
such as Linux or BSD. These more advanced operating systems have
|
|
fcntl() locking for compatibility with SVR4, but also have flock()
|
|
locking.</p>
|
|
|
|
<p>Beware of certain SVR4 systems, such as AIX, which have an "flock()"
|
|
function in their C library that is just a jacket that does an fcntl()
|
|
lock. This is not a true flock(), and has the same design flaw as
|
|
fcntl().</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.12"><strong>6.12 Why are you so fussy about the date/time format in
|
|
the internal <code>"From "</code> line in traditional UNIX mailbox
|
|
files? My other mail program just considers every line that starts with
|
|
<code>"From "</code> to be the start of the message.</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
You just answered your own question. If any line that starts with
|
|
<code>"From "</code> is treated as the start of a message, then
|
|
every message text line which starts with <code>"From "</code> has
|
|
to be quoted (typically by prefixing a ">" character). People
|
|
complain about this -- "why did a > get stuck in my message?"
|
|
|
|
<p>So, good mail reading software only considers a line to be a
|
|
<code>"From "</code> line if it follows the actual specification
|
|
for a "From " line. This means, among other things, that the day of
|
|
week is fixed-format: <code>"May 14"</code>, but
|
|
<code>"May 7"</code> (note the extra space) as opposed to
|
|
<code>"May 7"</code>. ctime() format for the date is the most
|
|
common, although POSIX also allows a numeric timezone after the
|
|
year. For compatibility with ancient software, the seconds are optional,
|
|
the timezone may appear before the year, the old 3-letter timezones are
|
|
also permitted, and "remote from xxx" may appear after the whole
|
|
thing.</p>
|
|
|
|
<p>Unfortunately, some software written by novices use other formats.
|
|
The most common error is to have a variable-width day of month, perhaps
|
|
in the erroneous belief that RFC 2822 (or RFC 822) defines the format of
|
|
the date/time in the <code>"From "</code> line (it doesn't; no RFC
|
|
describes internal formats). I've seen a few other goofs, such as a
|
|
single-digit second, but these are less common.</p>
|
|
|
|
<p>If you are writing your own software that writes mailbox files, and
|
|
you really aren't all that savvy with all the ins and outs and ancient
|
|
history, you should seriously consider using the c-client library (e.g.
|
|
routine mail_append()) instead of doing the file writes yourself. If
|
|
you must do it yourself, use ctime(), as in:</p>
|
|
<pre>
|
|
fprintf (mbx,"From %s@%h %s",user,host,ctime (time (0)));
|
|
</pre>rather than try to figure out a good format yourself. ctime() is the
|
|
most traditional format and nobody will flame you for using it.
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.13"><strong>6.13 Why is traditional UNIX format the default
|
|
format?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Compatibility with the past 30 or so years of UNIX history. This
|
|
server is the only one that completely interoperates with legacy UNIX
|
|
mail tools.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.14"><strong>6.14 Why do you write this "DON'T DELETE THIS MESSAGE
|
|
-- FOLDER INTERNAL DATA" message at the start of traditional UNIX and
|
|
MMDF format mailboxes?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This pseudo-message serves two purposes.
|
|
|
|
<p>First, it establishes the mailbox format even when the mailbox has
|
|
no messages. Otherwise, a mailbox with no messages is a zero-byte file,
|
|
which could be one of several formats.</p>
|
|
|
|
<p>Second, it holds mailbox metadata used by IMAP: the UID validity,
|
|
the last assigned UID, and mailbox keywords. Without this metadata,
|
|
which must be preserved even when the mailbox has no messages, the
|
|
traditional UNIX format wouldn't be able to support the full
|
|
capabilities of IMAP.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.15"><strong>6.15 Why don't you stash the mailbox metadata in the
|
|
first real message of the mailbox instead of writing this fake FOLDER
|
|
INTERNAL DATA message?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
In fact, that is what is done if the mailbox is non-empty and does not
|
|
already have a FOLDER INTERNAL DATA message.
|
|
|
|
<p>One problem with doing that is that if some external program removes
|
|
the first message, the metadata is lost and must be recreated, thus
|
|
losing any prior UID or keyword list status that IMAP clients may
|
|
depend upon.</p>
|
|
|
|
<p>Another problem is that this doesn't help if the last message is
|
|
deleted. This will result in an empty mailbox, and the necessity to
|
|
create a FOLDER INTERNAL DATA message.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.16"><strong>6.16 Why aren't "dual-use" mailboxes the
|
|
default?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Compatibility with the past 30 or so years of UNIX history, not to
|
|
mention compatibility with user expectations when using shell tools.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.17"><strong>6.17 Why do you use ucbcc to build on
|
|
Solaris?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
It is a long, long story about why cc is set to ucbcc. You need to
|
|
invoke the C compiler so that it links with the SVR4 libraries and not
|
|
the BSD libraries, otherwise readdir() will return the wrong
|
|
information.
|
|
|
|
<p>Of all the names in the most common path, ucbcc is the only name to
|
|
be found (on /usr/ccs/bin) that points to a suitable compiler. cc is
|
|
likely to be /usr/ucb/cc which is absolutely not the compiler that you
|
|
want. The real SVR4 cc is probably something like /opt/SUNWspro/bin/cc
|
|
which is rarely in anyone's path by default.</p>
|
|
|
|
<p>ucbcc is probably a link to acc, e.g. /opt/SUNWspro/SC4.0/bin/acc,
|
|
and is the UCB C compiler using the SVR4 libraries.</p>
|
|
|
|
<p>If ucbcc isn't on your system, then punt on the SUN C compiler and
|
|
use gcc instead (the gso port instead of the sol port).</p>
|
|
|
|
<p>If, in spite of all the above warnings, you choose to change "ucbcc"
|
|
to "cc", you will probably find that the -O2 needs to be changed to -O.
|
|
If you don't get any error messages with -O2, that's a pretty good
|
|
indicator that you goofed and are running the compiler that will link
|
|
with the BSD libraries.</p>
|
|
|
|
<p>To recap:</p>
|
|
|
|
<ul>
|
|
<li>The sol port is designed to be built using the UCB compiler using
|
|
the SVR4 libraries. This compiler is "ucbcc", which is lunk to acc.
|
|
You use -O2 as one of the CFLAGS.</li>
|
|
|
|
<li>If you build the sol port with the UCB compiler using the BSD
|
|
libraries, you will get no error messages but you will get bad
|
|
binaries (the most obvious symptom is dropping the first two
|
|
characters return filenames from the imapd LIST command. This
|
|
compiler also uses -O2, and is very often what the user gets from
|
|
"cc". <strong>BEWARE</strong></li>
|
|
|
|
<li>If you build the sol port with the real SVR4 compiler, which is
|
|
often hidden away or unavailable on many systems, then you will get
|
|
errors from -O2 and you need to change that to -O. But you will get a
|
|
good binary. However, you should try it with -O2 first, to make sure
|
|
that you got this compiler and not the UCB compiler using BSD
|
|
libraries.</li>
|
|
</ul>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.18"><strong>6.18 Why should I care about some old system with BSD
|
|
libraries? cc is the right thing on my Solaris system!</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Because there still are sites that use such systems. On those systems,
|
|
the assumption that "cc" does the right thing will lead to corrupt
|
|
binaries with no error message or other warning that anything is amiss.
|
|
|
|
<p>Too many sites have fallen victim to this problem.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.19"><strong>6.19 Why do you insist upon writing .lock files in the
|
|
spool directory?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>Compatibility with the past 30 years of UNIX software which deals
|
|
with the spool directory, especially software which delivers mail.
|
|
Otherwise, it is possible to lose mail.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="6.20"><strong>6.20 Why should I care about compatibility with the
|
|
past?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>This is one of those questions in which the answer never convinces
|
|
those who ask it. Somehow, everybody who ever asks this question ends up
|
|
answering it for themselves as they get older, with the very answer that
|
|
they rejected years earlier.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><br></p>
|
|
|
|
<h2><a name="problems">7. Problems and Annoyances</a></h2>
|
|
<hr>
|
|
|
|
<p><a name="7.1"><strong>7.1 Help! My INBOX is empty! What happened to my
|
|
messages?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
If you are seeing "0 messages" when you open INBOX and you know you
|
|
have messages there (and perhaps have looked at your mail spool file
|
|
and see that messages are there), then probably there is something
|
|
wrong with the very first line of your mail spool file. Make sure that
|
|
the first five bytes of the file are "From ", followed by an email
|
|
address and a date/time in ctime() format, e.g.:
|
|
<pre>
|
|
From fred@foo.bar Mon May 7 20:54:30 2001
|
|
</pre>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.2"><strong>7.2 Help! All my messages in a non-INBOX mailbox have
|
|
been concatenated into one message which claims to be from me and has a
|
|
subject of the file name of the mailbox! What's going
|
|
on?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Something wrong with the very first line of the mailbox. Make sure that
|
|
the first five bytes of the file are "From ", followed by an email
|
|
address and a date/time in ctime() format, e.g.:
|
|
<pre>
|
|
From fred@foo.bar Mon May 7 20:54:30 2001
|
|
</pre>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.3"><strong>7.3 Why do I get the message:</strong> <tt>CREATE
|
|
failed: Can't create mailbox node xxxxxxxxx: File exists</tt>
|
|
<strong>and how do I fix it?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>See the answer to the <a href="#1.8">Are hierarchical mailboxes
|
|
supported?</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.4"><strong>7.4 Why can't I log in to the server? The user name and
|
|
password are right!</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
There are a myriad number of possible answers to this question. The
|
|
only way to say for sure what is wrong is run the server under a
|
|
debugger such as gdb while root (yes, you must be root) with a
|
|
breakpoint at routines checkpw() and loginpw(), then single-step until
|
|
you see which test rejected you. The server isn't going to give any
|
|
error messages other than "login failed" in the name of not giving out
|
|
any unnecessary information to unauthorized individuals.
|
|
|
|
<p>Here are some of the more common reasons why login may fail:</p>
|
|
|
|
<ul>
|
|
<li>You didn't really give the correct user name and/or
|
|
password.</li>
|
|
|
|
<li>Your client doesn't send the LOGIN command correctly; for
|
|
example, IMAP2 clients won't send a password containing a "*"
|
|
correctly to an IMAP4 server.</li>
|
|
|
|
<li>If you have set up a CRAM-MD5 database, remember that the
|
|
password used is the one in the CRAM-MD5 database, and furthermore
|
|
that there must also be an entry in /etc/passwd (but the /etc/passwd
|
|
password is not used).</li>
|
|
|
|
<li>If you are using PAM, have you created a service file for the
|
|
server in /etc/pam.d?</li>
|
|
|
|
<li>If you are using shadow passwords, have you used an appropriate
|
|
port when building? In particular, note that "lnx" is for Linux
|
|
systems without shadow passwords; you probably want "slx" or "lnp"
|
|
instead.</li>
|
|
|
|
<li>If your system has account or password expirations, check to see
|
|
that the expiration date hasn't passed.</li>
|
|
|
|
<li>You can't log in as root or any other UID 0 user. This is for
|
|
your own safety, not to mention the fact that the servers use UID 0
|
|
as meaning "not logged in".</li>
|
|
</ul>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.5"><strong>7.5 Help! My load average is soaring and I see hundreds
|
|
of POP and IMAP servers, many logged in as the same
|
|
user!</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Certain inferior losing GUI mail reading programs have a "synchronize
|
|
all mailboxes at startup" (IMAP) or "check for new mail every second"
|
|
(POP) feature which causes a rapid and unchecked spawning of servers.
|
|
|
|
<p>This is not a problem in the server; the client is really asking for
|
|
all those server sessions. Unfortunately, there isn't much that the POP
|
|
and IMAP servers can do about it; they don't spawned themselves.</p>
|
|
|
|
<p>Some sites have added code to record the number of server sessions
|
|
spawned per user per hour, and disable login for a user who has
|
|
exceeded a predetermined rate. This doesn't stop the servers from being
|
|
spawned; it just means that a server session will commit suicide a bit
|
|
faster.</p>
|
|
|
|
<p>Another possibility is to detect excessive server spawning activity
|
|
at the level where the server is spawned, which would be inetd or
|
|
possibly tcpd. The problem here is that this is a hard time to
|
|
quantify. 50 sessions in a minute from a multi-user timesharing system
|
|
may be perfectly alright, whereas 10 sessions a minute from a PC may be
|
|
too much.</p>
|
|
|
|
<p>The real solution is to fix the client configuration, by disabling
|
|
those evil features. Also tell the vendors of those clients how you
|
|
feel about distributing denial-of-service attack tools in the guise of
|
|
mail reading programs.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.6"><strong>7.6 Why does mail disappear even though I set "keep
|
|
mail on server"?</strong></a><br>
|
|
<a name="7.7"><strong>7.7 Why do I get the message</strong> <tt>Moved #####
|
|
bytes of new mail to /home/user/mbox from /var/spool/mail/user</tt>
|
|
<strong>and why did this happen?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is probably caused by the mbox driver. If the file "mbox" exists
|
|
on the user's home directory and is in UNIX mailbox format, then when
|
|
INBOX is opened this file will be selected as INBOX instead of the mail
|
|
spool file. Messages will be automatically transferred from the mail
|
|
spool file into the mbox file.
|
|
|
|
<p>To disable this behavior, delete "mbox" from the EXTRADRIVERS list
|
|
in the top-level Makefile and rebuild. Note that if you do this, users
|
|
won't be able to access the messages that have already been moved to
|
|
mbox unless they open mbox instead of INBOX.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.8"><strong>7.8 Why isn't it showing the local host name as a
|
|
fully-qualified domain name?</strong></a><br>
|
|
<a name="7.9"><strong>7.9 Why is the local host name in the
|
|
From/Sender/Message-ID headers of outgoing mail not coming out as a
|
|
fully-qualified domain name?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Your UNIX system is misconfigured. The entry for your system in
|
|
/etc/hosts must have the fully-qualified domain name first, e.g.
|
|
<pre>
|
|
105.69.1.234 myserver.example.com myserver
|
|
</pre>
|
|
|
|
<p>A common mistake of novice system administrators is to have the
|
|
short name first, e.g.</p>
|
|
<pre>
|
|
105.69.1.234 myserver myserver.example.com
|
|
|
|
</pre>
|
|
|
|
<p>or to omit the fully qualified domain name entirely, e.g.</p>
|
|
<pre>
|
|
105.69.1.234 myserver
|
|
</pre>
|
|
|
|
<p>The result of this is that when the IMAP toolkit does a
|
|
gethostbyname() call to get the fully-qualified domain name, it would
|
|
get "myserver" instead of "myserver.example.com".</p>
|
|
|
|
<p>On some systems, a configuration file (typically named
|
|
/etc/svc.conf, /etc/netsvc.conf, or /etc/nsswitch.conf) can be used to
|
|
configure the system to use the domain name system (DNS) instead of
|
|
/etc/hosts, so it doesn't matter if /etc/hosts is misconfigured.</p>
|
|
|
|
<p>Check the man pages for gethostbyname, hosts, svc, and/or netsvc for
|
|
more information.</p>
|
|
|
|
<p>Unfortunately, certain vendors, most notably SUN, have failed to
|
|
make this clear in their documentation. Most of SUN's documentation
|
|
assumes a corporate network that is not connected to the Internet.</p>
|
|
|
|
<p>net.folklore once (late 1980s) held that the proper procedure was to
|
|
append the results of getdomainname() to the name returned by
|
|
gethostname(), and some versions of sendmail configuration files were
|
|
distributed that did this. This was incorrect; the string returned from
|
|
getdomainname() is the Yellow Pages (a.k.a NIS) domain name, which is a
|
|
completely different (albeit unfortunately named) entity from an
|
|
Internet domain. These were often fortuitously the same string, except
|
|
when they weren't. Frequently, this would result in host names with
|
|
spuriously doubled domain names, e.g.</p>
|
|
<pre>
|
|
myserver.example.com.example.com
|
|
|
|
</pre>
|
|
|
|
<p>This practice has been thoroughly discredited for many years, but
|
|
folklore dies hard.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.10"><strong>7.10 What does the message:</strong> <tt>Mailbox
|
|
vulnerable - directory /var/spool/mail must have 1777 protection</tt>
|
|
<strong>mean? How can I fix this?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
In order to update a mailbox in the default UNIX format, it is
|
|
necessary to create a lock file to prevent the mailer from delivering
|
|
mail while an update is in progress. Some systems use a directory
|
|
protection of 775, requiring that all mail handling programs be setgid
|
|
mail; or of 755, requiring that all mail handling programs be setuid
|
|
root.
|
|
|
|
<p>The IMAP toolkit does not run with any special privileges, and I
|
|
plan to keep it that way. It is antithetical to the concept of a
|
|
toolkit if users can't write their own programs to use it. Also, I've
|
|
had enough bad experiences with security bugs while running privileged;
|
|
the IMAP and POP servers have to be root when not logged in, in order
|
|
to be able to log themselves in. I don't want to go any deeper down
|
|
that slippery slope.</p>
|
|
|
|
<p>Directory protection 1777 is secure enough on most well-managed
|
|
systems. If you can't trust your users with a 1777 mail spool (petty
|
|
harassment is about the limit of the abuse exposure), then you have
|
|
much worse problems then that.</p>
|
|
|
|
<p>If you absolutely insist upon requiring privileges to create a lock
|
|
file, external file locking can be done via a setgid mail program named
|
|
/etc/mlock (this is defined by LOCKPGM in the c-client Makefile). If
|
|
the toolkit is unable to create a <...mailbox...>.lock file in
|
|
the directory by itself, it will try to call mlock to do it. I do not
|
|
recommend doing this for performance reasons.</p>
|
|
|
|
<p>A sample mlock program is included as part of imap-2007. We have
|
|
tried to make this sample program secure, but it has not been
|
|
thoroughly audited.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.11"><strong>7.11 What does the message:</strong> <tt>Mailbox is
|
|
open by another process, access is readonly</tt> <strong>mean? How do I
|
|
fix this?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
A problem occurred in applying a lock to a /tmp lock file. Either some
|
|
other program has the mailbox open and won't relenquish it, or
|
|
something is wrong with the protection of /tmp or the lock.
|
|
|
|
<p>Make sure that the /tmp directory is protected 1777. Some security
|
|
scripts incorrectly set the protection of the /tmp directory to 775,
|
|
which disables /tmp for all non-privileged programs.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.12"><strong>7.12 What does the message:</strong> <tt>Can't get
|
|
write access to mailbox, access is readonly</tt>
|
|
<strong>mean?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>The mailbox file is write-protected against you.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.13"><strong>7.13 I set my POP3 client to "delete messages from
|
|
server" but they never get deleted. What is wrong?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Make sure that your mailbox is not read-only: that the mailbox is owned
|
|
by you and write enabled (protection 0600), and that the /tmp directory
|
|
is longer world-writeable. /tmp must be world-writeable because lots of
|
|
applications use it for scratch space. To fix this, do
|
|
<pre>
|
|
|
|
chmod 1777 /tmp
|
|
</pre>as root.
|
|
|
|
<p>Make sure that your POP3 client issues a QUIT command when it
|
|
finishes. The POP3 protocol specifies that deletions are discarded
|
|
unless a proper QUIT is done.</p>
|
|
|
|
<p>Make sure that you are not opening multiple POP3 sessions to the
|
|
same mailbox. It is a requirement of the POP3 protocol than only one
|
|
POP3 session be in effect to a mailbox at a time, however some,
|
|
poorly-written POP3 clients violate this. Also, some background "check
|
|
for new mail" tasks also cause a violation. See the answer to the
|
|
<a href="#7.19">What does the syslog message: Killed (lost mailbox
|
|
lock) user=... host=... mean?</a> question for more details.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.14"><strong>7.14 What do messages such as:</strong></a></p>
|
|
<pre>
|
|
Message ... UID ... already has UID ...
|
|
Message ... UID ... less than ...
|
|
Message ... UID ... greater than last ...
|
|
Invalid UID ... in message ..., rebuilding UIDs
|
|
</pre>
|
|
|
|
<p><strong>mean?</strong></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Something happened to corrupt the unique identifier regime in the
|
|
mailbox. In traditional UNIX-format mailboxes, this can happen if the
|
|
user deleted the "DO NOT DELETE" internal message.
|
|
|
|
<p>This problem is relatively harmless; a new valid unique identifier
|
|
regime will be created. The main effect is that any references to the
|
|
old UIDs will no longer be useful.</p>
|
|
|
|
<p>So, unless it is a chronic problem or you feel like debugging, you
|
|
can safely ignore these messages.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.15"><strong>7.15 What do the error messages:</strong></a></p>
|
|
<pre>
|
|
Unable to read internal header at ...
|
|
Unable to find CRLF at ...
|
|
Unable to parse internal header at ...
|
|
Unable to parse message date at ...
|
|
Unable to parse message flags at ...
|
|
Unable to parse message UID at ...
|
|
Unable to parse message size at ...
|
|
Last message (at ... ) runs past end of file ...
|
|
</pre>
|
|
|
|
<p><strong>mean? I am using mbx format.</strong></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
The mbx-format mailbox is corrupted and needs to be repaired.
|
|
|
|
<p>You should make an effort to find out why the corruption happened.
|
|
Was there an obvious system problem (crash or disk failure)? Did the
|
|
user accidentally access the file via NFS? Mailboxes don't get
|
|
corrupted by themselves; something caused the problem.</p>
|
|
|
|
<p>Some people have developed automated scripts, but if you're
|
|
comfortable using emacs it's pretty easy to fix it manually. Do
|
|
<em>not</em> use vi or any other editor unless you are certain that
|
|
editor can handle binary!!!</p>
|
|
|
|
<p>If you are not comfortable with emacs, or if the file is too large
|
|
to read with emacs, see the "step-by-step" technique later on for
|
|
another way of doing it.</p>
|
|
|
|
<p>After the word "at" in the error message is the byte position it got
|
|
to when it got unhappy with the file, e.g. if you see:</p>
|
|
<pre>
|
|
Unable to parse internal header at 43921: ne bombastic blurdybloop
|
|
</pre>The problem occurs at the 43,931 byte in the file. That's the point you
|
|
need to fix. c-client is expecting an internal header at that byte number,
|
|
looking something like:
|
|
<pre>
|
|
6-Jan-1998 17:42:24 -0800,1045;000000100001-00000001
|
|
</pre>The format of this internal line is:
|
|
<pre>
|
|
dd-mmm-yyyy hh:mm:ss +zzzz,ssss;ffffffffFFFF-UUUUUUUU
|
|
</pre>The only thing that is variable is the "ssss" field, it can be as many
|
|
digits as needed. All other fields (inluding the "dd") are fixed width. So,
|
|
the easiest thing to do is to look forward in the file for the next internal
|
|
header, and delete everything from the error point to that internal header.
|
|
|
|
<p>Here's what to do if you want to be smarter and do a little bit more
|
|
work. Generally, you're in the middle of a message, and there's nothing
|
|
wrong with that message. The problem happened in the *previous*
|
|
message. So, search back to the previous internal header. Now, remember
|
|
that "ssss" field? That's the size of that message.</p>
|
|
|
|
<p>Mark where you are in the file, move the cursor to the line after
|
|
the internal header, and skip that many bytes ("ssss") forward. If
|
|
you're at the point of the error in the file, then that message is
|
|
corrupt. If you're at a different point, then perhaps the previous
|
|
message is corrupt and has a too long size count that "ate" into this
|
|
message.</p>
|
|
|
|
<p>Basically, what you need to do is make sure that all those size
|
|
counts are right, and that moving "ssss" bytes from the line after the
|
|
internal header will land you at another internal header.</p>
|
|
|
|
<p>Usually, once you know what you're looking at, it's pretty easy to
|
|
work out the corruption, and the best remedial action. Repair scripts
|
|
will make the problem go away but may not always do the smartest/best
|
|
salvage of the user's data. Manual repair is more flexible and usually
|
|
preferable.</p>
|
|
|
|
<p>Here is a step-by-step technique for fixing corrupt mbx files that's
|
|
a bit cruder than the procedure outlined above, but works for any size
|
|
file.</p>
|
|
|
|
<p>In this example, suppose that the corrupt file is INBOX, the error
|
|
message is</p>
|
|
<pre>
|
|
Unable to find CRLF at 132551754
|
|
</pre>and the size of the INBOX file is 132867870 bytes.
|
|
|
|
<p>The first step is to split the mailbox file at the point of the
|
|
error:</p>
|
|
|
|
<ul>
|
|
<li>Rename the INBOX file to some other name, such as INBOX.bad.</li>
|
|
|
|
<li>Copy the first 132,551,754 bytes of INBOX.bad to another file,
|
|
such as INBOX.new.</li>
|
|
|
|
<li>Extract the trailing 316,116 bytes (132867870-132551754) of
|
|
INBOX.bad into another file, such as INBOX.tail.</li>
|
|
|
|
<li>You no longer need INBOX.bad. Delete it.</li>
|
|
</ul>In other words, use the number from the "Unable to find CRLF at"
|
|
as the point to split INBOX into two new files, INBOX.new and
|
|
INBOX.tail.
|
|
|
|
<p>Now, remove the erroneous data:</p>
|
|
|
|
<ul>
|
|
<li>Verify that you can open INBOX.new in IMAP or Pine.</li>
|
|
|
|
<li>The last message of INBOX.new is probably corrupted. Copy it to
|
|
another file, such as badmsg.1, then delete and expunge that last
|
|
message from INBOX.new</li>
|
|
|
|
<li>Locate the first occurance of text in INBOX.tail which looks like
|
|
an internal header, as described above.</li>
|
|
|
|
<li>Remove all the text which occurs prior to that point, and place
|
|
it into another file, such as badmsg.2. Note that in the case of a
|
|
single digit date, there is a leading space which must not be removed
|
|
(e.g. " 6-Nov-2001" not "6-Nov-2001").</li>
|
|
</ul>
|
|
|
|
<p>Reassemble the mailbox:</p>
|
|
|
|
<ul>
|
|
<li>Append INBOX.tail to INBOX.new.</li>
|
|
|
|
<li>You no longer need INBOX.tail. Delete it.</li>
|
|
|
|
<li>Verify that you can open INBOX.new in IMAP or Pine.</li>
|
|
</ul>
|
|
|
|
<p>Reinstall INBOX.new as INBOX:</p>
|
|
|
|
<ul>
|
|
<li>Check to see if you have received any new messages while
|
|
repairing INBOX.</li>
|
|
|
|
<li>If you haven't received any new messages while repairing INBOX,
|
|
just rename INBOX.new to INBOX.</li>
|
|
|
|
<li>If you have received new messages, be sure to copy the new
|
|
messages from INBOX to INBOX.new before doing the rename.</li>
|
|
</ul>
|
|
|
|
<p>You now have a working INBOX, as well as two files with corrupted
|
|
data (badmsg.1 and badmsg.2). There may be some useful data in the two
|
|
badmsg files that you might want to try salvaging; otherwise you can
|
|
delete the two badmsg files.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.16"><strong>7.16 What do the syslog messages:</strong></a></p>
|
|
<pre>
|
|
|
|
imap/tcp server failing (looping)
|
|
pop3/tcp server failing (looping)
|
|
</pre>
|
|
|
|
<p><strong>mean? When it happens, the listed service shuts down. How can I
|
|
fix this?</strong></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
The error message "server failing (looping), service terminated" is not
|
|
from either the IMAP or POP servers. Instead, it comes from inetd, the
|
|
daemon which listens for TCP connections to a number of servers,
|
|
including the IMAP and POP servers.
|
|
|
|
<p>inetd has a limit of 40 new server sessions per minute for any
|
|
particular service. If more than 40 sessions are initiated in a minute,
|
|
inetd will issue the "failing (looping), service terminated" message
|
|
and shut down the service for 10 minutes. inetd does this to prevent
|
|
system resource consumption by a client which is spawning infinite
|
|
numbers of servers. It should be noted that this is a denial of
|
|
service; however for some systems the alternative is a crash which
|
|
would be a worse denial of service!</p>
|
|
|
|
<p>For larger server systems, the limit of 40 is much too low. The
|
|
limit was established many years ago when a system typically only ran a
|
|
few dozen servers.</p>
|
|
|
|
<p>On some versions of inetd, such as the one distributed with most
|
|
versions of Linux, you can modify the <strong>/etc/inetd.conf</strong>
|
|
file to have a larger number of servers by appending a period followed
|
|
by a number after the <strong>nowait</strong> word for the server
|
|
entry. For example, if your existing /etc/inetd.conf line reads:</p>
|
|
<pre>
|
|
imap stream tcp nowait root /usr/etc/imapd imapd
|
|
</pre>try changing it to be:
|
|
<pre>
|
|
imap stream tcp nowait.100 root /usr/etc/imapd imapd
|
|
</pre>Another example (using TCP wrappers):
|
|
<pre>
|
|
imap stream tcp nowait root /usr/sbin/tcpd imapd
|
|
</pre>try changing it to be:
|
|
<pre>
|
|
imap stream tcp nowait.100 root /usr/sbin/tcpd imapd
|
|
|
|
</pre>to increase the limit to 100 sessions/minute.
|
|
|
|
<p>Before making this change, please read the information in "man
|
|
inetd" to determine whether or not your inetd has this feature. If it
|
|
does not, and you make this change, the likely outcome is that you will
|
|
disable IMAP service entirely.</p>
|
|
|
|
<p>Another way to fix this problem is to edit the inetd.c source code
|
|
(provided by your UNIX system vendor) to set higher limits, rebuild
|
|
inetd, install the new binary, and reboot your system. This should only
|
|
be done by a UNIX system expert. In the inetd.c source code, the limits
|
|
<strong>TOOMANY</strong> (normally 40) is the maximum number of new
|
|
server sessions permitted per minute, and <strong>RETRYTIME</strong>
|
|
(normally 600) is the number of seconds inetd will shut down the server
|
|
after it exceeds TOOMANY.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.17"><strong>7.17 What does the syslog message:</strong>
|
|
<tt>Mailbox lock file /tmp/.600.1df3 open failure: Permission
|
|
denied</tt> <strong>mean?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This usually means that some "helpful" security script person has
|
|
protected /tmp so that it is no longer world-writeable. /tmp must be
|
|
world-writeable because lots of applications use it for scratch space.
|
|
To fix this, do
|
|
<pre>
|
|
chmod 1777 /tmp
|
|
|
|
</pre>as root.
|
|
|
|
<p>If that isn't the answer, check the protection of the named file. If
|
|
it is something other than 666, then either someone is hacking or some
|
|
"helpful" person modified the code to have a different default lock
|
|
file protection.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.18"><strong>7.18 What do the syslog messages:</strong></a></p>
|
|
<pre>
|
|
Command stream end of file, while reading line user=... host=...
|
|
Command stream end of file, while reading char user=... host=...
|
|
Command stream end of file, while writing text user=... host=...
|
|
</pre>
|
|
|
|
<p><strong>mean?</strong></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This message occurs when the session is disconnected without a proper
|
|
LOGOUT (IMAP) or QUIT (POP) command being received by the server first.
|
|
|
|
<p>In many cases, this is perfectly normal; many client implementations
|
|
are impolite and do this. Some programmers think this sort of rudeness
|
|
is "more efficient".</p>
|
|
|
|
<p>The condition could, however, indicate a client or network
|
|
connectivity problem. The server has no way of knowing whether there's
|
|
a problem or just a rude client, so it issues this message instead of a
|
|
Logout.</p>
|
|
|
|
<p>Certain inferior losing clients disconnect abruptly after a failed
|
|
login, and instead of saying that the login failed, just say that they
|
|
can't access the mailbox. They then complain to the system manager, who
|
|
looks in the syslog and finds this message. Not very helpful, eh? See
|
|
the answer to the <a href="#7.4">Why can't I log in to the server? The
|
|
user name and password are right!</a> question.</p>
|
|
|
|
<p>If the user isn't reporting a problem, you can probably ignore this
|
|
message.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.19"><strong>7.19 Why did my POP or IMAP session suddenly
|
|
disconnect? The syslog has the message:</strong> <tt>Killed (lost
|
|
mailbox lock) user=... host=...</tt></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This message only happens when either the traditional UNIX mailbox
|
|
format or MMDF format is in use. This format only allows one session to
|
|
have the mailbox open read/write at a time.
|
|
|
|
<p>The servers assume that if a second session attempts to open the
|
|
mailbox, that means that the first session is probably owned by an
|
|
abandoned client. The common scenario here is a user who leaves his
|
|
client running at the office, and then tries to read his mail from
|
|
home. Through an internal mechanism called <em>kiss of death</em>, the
|
|
second session requests the first session to kill itself. When the
|
|
first session receives the "kiss of death", it issues the "Killed (lost
|
|
mailbox lock)" syslog message and terminates. The second session then
|
|
seizes read/write access, and becomes the new "first" session.</p>
|
|
|
|
<p>Certain poorly-designed clients routinely open multiple sessions to
|
|
the same mailbox; the users of those clients tend to get this message a
|
|
lot.</p>
|
|
|
|
<p>Another cause of this message is a background "check for new mail"
|
|
task which does its work by opening a POP session to server every few
|
|
seconds. They do this because POP doesn't have a way to announce new
|
|
mail.</p>
|
|
|
|
<p>The solution to both situations is to replace the client with a good
|
|
online IMAP client such as Pine. Life is too short to waste on POP
|
|
clients and poorly-designed IMAP clients.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.20"><strong>7.20 Why does my IMAP client show all the files on the
|
|
system, recursively from the UNIX root directory?</strong></a><br>
|
|
<a name="7.21"><strong>7.21 Why does my IMAP client show all of my files,
|
|
recursively from my UNIX home directory?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
A well-written client should only show one level of hierarchy and then
|
|
stop, awaiting explicit user action before going lower. However, some
|
|
poorly-designed clients will recursively list all files, which may be a
|
|
very long list (especially if you have symbolic links to directories
|
|
that create a loop in the filesystem graph!).
|
|
|
|
<p>This behavior has also been observed in some third-party c-client
|
|
drivers, including maildir drivers. Consequently, this problem has even
|
|
been observed in Pine. It is important to understand that this is not a
|
|
problem in Pine or c-client; it is a problem in the third-party driver.
|
|
A Pine built without that third-party driver will not have this
|
|
problem.</p>
|
|
|
|
<p>See also the answer to <a href="#7.73">Why does my IMAP client show
|
|
all my files in my home directory?</a></p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.22"><strong>7.22 Why does my IMAP client show that I have
|
|
mailboxes named "#mhinbox", "#mh", "#shared", "#ftp", "#news", and
|
|
"#public"?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
These are IMAP namespace names. They represent other hierarchies in
|
|
which messages may exist. These hierarchies may not necessarily exist
|
|
on a server, but the namespace name is still in the namespace list in
|
|
order to mark it as reserved.
|
|
|
|
<p>A few poorly-designed clients display all namespace names as if they
|
|
were top-level mailboxes in a user's list of mailboxes, whether or not
|
|
they actually exist. This is a flaw in those clients.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.23"><strong>7.23 Why does my IMAP client show all my files in my
|
|
home directory?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
As distributed, the IMAP server is connected to your home directory by
|
|
default. It has no way of knowing what you might call "mail" as opposed
|
|
to "some other file"; in fact, you can use IMAP to access any file.
|
|
|
|
<p>Most clients have an option to configure your connected directory on
|
|
the IMAP server. For example, in Pine you can specify this as the
|
|
"Path" in your folder-collection, e.g.</p>
|
|
<pre>
|
|
Nickname : Secondary Folders
|
|
Server : imap.example.com
|
|
Path : mail/
|
|
View :
|
|
</pre>In this example, the user is connected to the "mail" subdirectory of
|
|
his home directory.
|
|
|
|
<p>Other servers call this the "folder prefix" or similar term.</p>
|
|
|
|
<p>It is possible to modify the IMAP server so that all users are
|
|
automatically connected to some other directory, e.g. a subdirectory of
|
|
the user's home directory. Read the file CONFIG for more details.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.24"><strong>7.24 Why is there a long delay before I get connected
|
|
to the IMAP or POP server, no matter what client I use?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
There are two common occurances of this problem:
|
|
|
|
<ul>
|
|
<li>You are running a system (e.g. certain versions of Linux) which
|
|
by default attempts to connect to an "IDENT" protocol (port 113)
|
|
server on your client. However, a firewall or NAT box is blocking
|
|
connections to that port, so the connection attempt times out.
|
|
|
|
<p>The IDENT protocol is a well-known bad idea that does not
|
|
deliver any real security but causes incredible problems. The idea
|
|
is that this will give the server a record of the user name, or at
|
|
least what some program listening on port 113 says is the user
|
|
name. So, if somebody coming from port nnnnn on a system does
|
|
something bad, IDENT may give you the userid of the bad guy.</p>
|
|
|
|
<p>The problem is, IDENT is only meaningful on a timesharing system
|
|
which has an administrator who is privileged and users who are not.
|
|
It is of no value on a personal system which has no separate
|
|
concept of "system administrator" vs. "unprivileged user".</p>
|
|
|
|
<p>On either type of system, security-minded people either turn
|
|
IDENT off or replace it with an IDENT server that lies. Among other
|
|
things, IDENT gives spammers the ability to harvest email addresses
|
|
from anyone who connects to a web page.</p>
|
|
|
|
<p>This problem has been showing up quite frequently on systems
|
|
which use xinetd instead of inetd. Look for files named
|
|
/etc/xinetd.conf, /etc/xinetd.d/imapd, /etc/inetd.d/ipop2d, and
|
|
/etc/xinetd.d/ipop3d. In those files, look for lines containing
|
|
"USERID", e.g.</p>
|
|
<pre>
|
|
log_on_success += USERID
|
|
</pre>Hunt down such lines, and delete them ruthlessly from all files in
|
|
which they occur. Don't be shy about it.
|
|
</li>
|
|
|
|
<li>The DNS is taking a long time to do a reverse DNS (PTR record)
|
|
lookup of the IP address of your client. This is a problem in your
|
|
DNS, which either you or you ISP need to resolve. Ideally, the DNS
|
|
should return the client's name; but if it can't it should at least
|
|
return an error quickly.</li>
|
|
</ul>
|
|
|
|
<p>As you may have noticed, neither of these are actual problems in the
|
|
IMAP or POP servers; they are configuration issues with either your
|
|
system or your network infrastructure. If this is all new to you, run
|
|
(don't walk) to the nearest technical bookstore and get yourself a good
|
|
pedagogical text on system administration for the type of system you
|
|
are running.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.25"><strong>7.25 Why is there a long delay in Pine or any other
|
|
c-client based application call before I get connected to the IMAP
|
|
server? The hang seems to be in the c-client mail_open() call. I don't
|
|
have this problem with any other IMAP client. There is no delay
|
|
connecting to a POP3 or NNTP server with mail_open().</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
By default, the c-client library attempts to make a connection through
|
|
rsh (and ssh, if you enable that). If the command:
|
|
<pre>
|
|
rsh imapserver exec /etc/rimapd
|
|
|
|
</pre>(or ssh if that is enabled) returns with a "* PREAUTH" response, it
|
|
will use the resulting rsh session as the IMAP session and not require an
|
|
authentication step on the server.
|
|
|
|
<p>Unfortunately, rsh has a design error that treats "TCP connection
|
|
refused" as "temporary failure, try again"; it expects the "rsh not
|
|
allowed" case to be implemented as a successful connection followed by
|
|
an error message and close the connection.</p>
|
|
|
|
<p>It must be emphasized that this is a bug in rsh. It is <em>not</em>
|
|
a bug in the IMAP toolkit.</p>
|
|
|
|
<p>The use of rsh can be disabled in any the following ways:</p>
|
|
|
|
<ul>
|
|
<li>You can disable it for this particular session by either:
|
|
|
|
<ul>
|
|
<li>setting an explicit port number in the mailbox name, e.g.
|
|
<pre>
|
|
{imapserver.foo.com:143}INBOX
|
|
</pre>
|
|
</li>
|
|
|
|
<li>using SSL (the /ssl switch)</li>
|
|
</ul>
|
|
</li>
|
|
|
|
<li>You can disable rsh globally by setting the rsh timeout value to
|
|
0 with the call:
|
|
<pre>
|
|
mail_parameters (NIL,SET_RSHTIMEOUT,0);
|
|
</pre>
|
|
</li>
|
|
</ul>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.26"><strong>7.26 Why does a message sometimes get split into two
|
|
or more messages on my SUN system?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is caused by an interaction of two independent design problems in
|
|
SUN mail software. The first problem is that the "forward message"
|
|
option in SUN's <em>mail tool</em> program includes the internal "From
|
|
" header line in the text that it forwarded. This internal header line
|
|
is specific to traditional UNIX mailbox files and is not suitable for
|
|
use in forwarded messages.
|
|
|
|
<p>The second problem is that the mail delivery agent assumes that mail
|
|
reading programs will not use the traditional UNIX mailbox format but
|
|
instead an incompatible variant that depends upon a
|
|
<em>Content-Length:</em> message header. Content-Length is widely
|
|
recognized to have been a terrible mistake, and is no longer
|
|
recommended for use in mail (it is used in other facilities that use
|
|
MIME).</p>
|
|
|
|
<p>One symptom of the problem is that under certain circumstances, a
|
|
message may get broken up into several messages. I'm also aware of
|
|
security bugs caused by programs that foolishly trust "Content-Length:"
|
|
headers with evil values.</p>
|
|
|
|
<p>To fix the mailer on your system, edit your sendmail.cf to change
|
|
the <strong>Mlocal</strong> line to have the <strong>-E</strong> flag.
|
|
A typical entry will lool like:</p>
|
|
<pre>
|
|
Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnPE, S=10, R=20,
|
|
A=mail.local -d $u
|
|
</pre>This fix will also work around the problem with mail tool, because it
|
|
will insert a ">" before the internal header line to prevent it from being
|
|
interpreted by mail reading software as an internal header line.
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.27"><strong>7.27 Why did my POP or IMAP session suddenly
|
|
disconnect? The syslog has the message:</strong></a></p>
|
|
<pre>
|
|
Autologout user=<...my user name...> host=<...my client system...>
|
|
|
|
</pre>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is a problem in your client.
|
|
|
|
<p>In the case of IMAP, it failed to communicate with the IMAP server
|
|
for over 30 minutes; in the case of POP, it failed to communicate with
|
|
the POP server for over 10 minutes.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.28"><strong>7.28 What does the UNIX error message:</strong>
|
|
<tt>TLS/SSL failure: myserver: SSL negotiation failed</tt>
|
|
<strong>mean?</strong></a><br>
|
|
<a name="7.29"><strong>7.29 What does the PC error message:</strong>
|
|
<tt>TLS/SSL failure: myserver: Unexpected TCP input disconnect</tt>
|
|
<strong>mean?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This usually means that an attempt to negotiate TLS encryption via the
|
|
STARTTLS command failed, because the server advertises STARTTLS
|
|
functionality, but doesn't actually have it (e.g. because no
|
|
certificates are installed).
|
|
|
|
<p>Use the /notls option in the mailbox name to disable TLS
|
|
negotiation.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.30"><strong>7.30 What does the error message:</strong> <tt>TLS/SSL
|
|
failure: myserver: Server name does not match certificate</tt>
|
|
<strong>mean?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
An SSL or TLS session encryption failed because the server name in the
|
|
server's certificate does not match the name that you gave it. This
|
|
could indicate that the server is not really the system you think that
|
|
it is, but can be also be called if you gave a nickname for the server
|
|
or name that was not fully-qualified. You must use the fully-qualified
|
|
domain name for the server in order to validate its certificate
|
|
|
|
<p>Use the /novalidate-cert option in the mailbox name to disable
|
|
validation of the certificate.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.31"><strong>7.31 What does the UNIX error message:</strong>
|
|
<tt>TLS/SSL failure: myserver: self-signed certificate</tt>
|
|
<strong>mean?</strong></a><br>
|
|
<a name="7.32"><strong>7.32 What does the PC error message:</strong>
|
|
<tt>TLS/SSL failure: myserver: Self-signed certificate or untrusted
|
|
authority</tt> <strong>mean?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
An SSL or TLS session encryption failed because your server's
|
|
certificate is "self-signed"; that is, it is not signed by any
|
|
Certificate Authority (CA) and thus can not be validated. A CA-signed
|
|
certificate costs money, and some smaller sites either don't want to
|
|
pay for it or haven't gotten one yet. The bad part about this is that
|
|
this means there is no guarantee that the server is really the system
|
|
you think that it is.
|
|
|
|
<p>Use the /novalidate-cert option in the mailbox name to disable
|
|
validation of the certificate.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.33"><strong>7.33 What does the UNIX error message:</strong>
|
|
<tt>TLS/SSL failure: myserver: unable to get local issuer
|
|
certificate</tt> <strong>mean?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
An SSL or TLS session encryption failed because your system does not
|
|
have the Certificate Authority (CA) certificates installed on OpenSSL's
|
|
certificates directory. On most systems, this directory is
|
|
/usr/local/ssl/certs). As a result, it is not possible to validate the
|
|
server's certificate.
|
|
|
|
<p>If CA certificates are properly installed, you should see
|
|
factory.pem and about a dozen other .pem names such as
|
|
thawteCb.pem.</p>
|
|
|
|
<p>As a workaround, you can use the /novalidate-cert option in the
|
|
mailbox name to disable validation of the certificate; however, note
|
|
that you are then vulnerable to various security attacks by bad
|
|
guys.</p>
|
|
|
|
<p>The correct fix is to copy all the files from the certs/ directory
|
|
in the OpenSSL distribution to the /usr/local/ssl/certs (or whatever)
|
|
directory. Note that you need to do this after building OpenSSL,
|
|
because the OpenSSL build creates a number of needed symbolic links.
|
|
For some bizarre reason, the OpenSSL "make install" doesn't do this for
|
|
you, so you must do it manually.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.34"><strong>7.34 Why does reading certain messages hang when using
|
|
Netscape? It works fine with Pine!</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
There are two possible causes.
|
|
|
|
<p>Check the mail syslog. If you see the message "Killed (lost mailbox
|
|
lock)" for the impacted user(s), read the FAQ entry regarding that
|
|
message.</p>
|
|
|
|
<p>Check the affected mailbox to see if there are embedded NUL
|
|
characters in the message. NULs in message texts are a technical
|
|
violation of both the message format and IMAP specifications. Most
|
|
clients don't care, but apparently Netscape does.</p>
|
|
|
|
<p>You can work around this by rebuilding imapd with the
|
|
<strong>NETSCAPE_BRAIN_DAMAGE</strong> option set (see
|
|
src/imapd/Makefile); this will cause imapd to convert all NULs to 0x80
|
|
characters. A better solution is to enable the feature in your MTA to
|
|
MIME-convert messages with binary content. See the documentation for
|
|
your MTA for how to do this.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.35"><strong>7.35 Why does Netscape say that there's a problem with
|
|
the IMAP server and that I should "Contact your mail server
|
|
administrator."?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Certain versions of Netscape do this when you click the Manage Mail
|
|
button, which uses an undocumented feature of Netscape's proprietary
|
|
IMAP server.
|
|
|
|
<p>You can work around this by rebuilding imapd with the
|
|
<strong>NETSCAPE_BRAIN_DAMAGE</strong> option set (see
|
|
src/imapd/Makefile) to a URL that points either to an alternative IMAP
|
|
client (e.g. Pine) or perhaps to a homebrew mail account management
|
|
page.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.36"><strong>7.36 Why is one user creating huge numbers of IMAP or
|
|
POP server sessions?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>The user is probably using Outlook Express, Eudora, or a similar
|
|
program. See the answer to the <a href="#7.5">Help! My load average is
|
|
soaring and I see hundreds of POP and IMAP servers, many logged in as the
|
|
same user!</a> question.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.37"><strong>7.37 Why don't I get any new mail notifications from
|
|
Outlook Express or Outlook after a while?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is a known bug in Outlook Express. Microsoft is aware of the
|
|
problem and its cause. They have informed us that they do not have any
|
|
plans to fix it at the present time.
|
|
|
|
<p>The problem is also reported in Outlook 2000, but not verified.</p>
|
|
|
|
<p>Outlook Express uses the IMAP IDLE command to avoid having to "ping"
|
|
the server every few minutes for new mail. Unfortunately, Outlook
|
|
Express overlooks the part in the IDLE specification which requires
|
|
that a client terminate and restart the IDLE before the IMAP 30 minute
|
|
inactivity autologout timer triggers.</p>
|
|
|
|
<p>When this happens, Outlook Express displays "Not connected" at the
|
|
bottom of the window. Since it's no longer connected to the IMAP
|
|
server, it isn't going to notice any new mail.</p>
|
|
|
|
<p>As soon as the user does anything that would cause an IMAP
|
|
operation, Outlook Express will reconnect and new mail will flow again.
|
|
If the user does something that causes an IMAP operation at least every
|
|
29 minutes, the problem won't happen.</p>
|
|
|
|
<p>Modern versions of imapd attempt to work around the problem by
|
|
automatically reporting fake new mail after 29 minutes. This causes
|
|
Outlook Express to exit the IDLE state; as soon as this happens imapd
|
|
revokes the fake new mail. As long as this behavior isn't known to
|
|
cause problems with other clients, this workaround will remain in
|
|
imapd.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.38"><strong>7.38 Why don't I get any new mail notifications from
|
|
Entourage?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is a known bug in Entourage.
|
|
|
|
<p>You built an older version of imapd with the
|
|
<strong>MICROSOFT_BRAIN_DAMAGE</strong> option set, in order to disable
|
|
support for the IDLE command. However, Entourage won't get new mail
|
|
unless IDLE command support exists.</p>
|
|
|
|
<p>Note: the MICROSOFT_BRAIN_DAMAGE option no longer exists in modern
|
|
versions, as the Outlook Express problem which it attempted to solve
|
|
has been worked around in another way.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.39"><strong>7.39 Why doesn't Entourage work at
|
|
all?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
It's hard to know. Entourage breaks almost every rule in the book for
|
|
IMAP. It is highly instructive to do a packet trace on Entourage, as an
|
|
example of how <em>not</em> to use IMAP. It does things like STATUS
|
|
(MESSAGES) on the currently selected mailbox and re-fetching the same
|
|
static data over and over again.
|
|
|
|
<p>It seems that every time we understand what it is doing wrong in
|
|
Entourage and come up with a workaround, we learn about something else
|
|
that's broken.</p>
|
|
|
|
<p>Try building imapd with the <strong>ENTOURAGE_BRAIN_DAMAGE</strong>
|
|
option set, in order to disable the diagnostic that occurs when doing
|
|
STATUS on the currently selected mailbox.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.40"><strong>7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work
|
|
at all?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is a bug in NSNOTIFY; it doesn't handle unsolicited data from the
|
|
server correctly.
|
|
|
|
<p>Fortunately, there is no reason to use this program with IMAP;
|
|
NSNOTIFY is a polling program to let you know when new mail has
|
|
appeared in your maildrop. This is necessary with POP; but since IMAP
|
|
dynamically announces new mail in the session you're better off (and
|
|
will actually cause less load on the server!) keeping your mail reading
|
|
program's IMAP session open and let IMAP do the notifying for you.</p>
|
|
|
|
<p>Consequently, the recommended fix for the NSNOTIFY problem is to
|
|
delete the NSNOTIFY binary.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.41"><strong>7.41 Why can't I connect via SSL to Eudora? It says
|
|
the connection has been broken, and in the server syslogs I see "Command
|
|
stream end of file".</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>There is a report that you can fix the problem by going into Eudora's
|
|
advanced network configuration menu and increasing the network buffer
|
|
size to 8192.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.42"><strong>7.42 Sheesh. Aren't there <em>any</em> good IMAP
|
|
clients out there?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Yes!
|
|
|
|
<p>Pine is a <em>wonderful</em> client. It's fast, it uses IMAP well,
|
|
and it generates text mail (life is too short to waste on HTML mail).
|
|
Also, there are some really wonderful things in progress in the Pine
|
|
world.</p>
|
|
|
|
<p>There are some good GUI clients out there, mostly from smaller
|
|
vendors. Without naming names, look for the vendors who are active in
|
|
the IMAP protocol development community, and their products.</p>
|
|
|
|
<p>Netscape, Eudora, and Outlook <em>can</em> be configured with enough
|
|
effort to be good citizens and work well for users, <em>but</em> they
|
|
can also be badly misconfigured, and often the misconfiguration is the
|
|
default.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.43"><strong>7.43 But wait! PC Pine (or other PC program build with
|
|
c-client) crashes with the message</strong> <tt>incomplete SecBuffer
|
|
exceeds maximum buffer size</tt> <strong>when I use SSL connections.
|
|
This is a bug in c-client, right?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
It's a bug in the Microsoft SChannel.DLL, which implements SSL.
|
|
Microsoft admits it (albeit with an unstatement: "it's not fully RFC
|
|
compliant"). The problem is that SChannel indicates that the maximum
|
|
SSL packet data size is 5 bytes smaller than the actual maximum. Thus,
|
|
any IMAP server which transmits a maximum sized SSL packet will not
|
|
work with PC Pine or any other program which uses SChannel.
|
|
|
|
<p>It can take a while for the problem to show up. The client has to do
|
|
something that causes at least 16K of contiguous data. Many clients do
|
|
partial fetching, which tends to reduce the number of cases where this
|
|
can happen. However, <em>all</em> software which uses SChannel to
|
|
support SSL is affected by this bug.</p>
|
|
|
|
<p>This problem does not affect UNIX code, since OpenSSL is used on
|
|
UNIX.</p>
|
|
|
|
<p>This problem most recently showed up with the CommunigatePro IMAP
|
|
server. They have an update which trims down their maximum contiguous
|
|
data to less than 16K, in order to work around the problem.</p>
|
|
|
|
<p>This problem has also shown up with the Exchange IMAP server with
|
|
UNIX clients (including Pine built with an older version of c-client)
|
|
which sends full-sized 16K SSL packets. Modern c-client works around
|
|
the problem by trimming down its maximum outgoing SSL packet size to
|
|
8K.</p>
|
|
|
|
<p>Microsoft has developed a hotfix for this bug. Look up MSKB article
|
|
number 300562. Contrary to the article text which implies that this is
|
|
a Pine issue, this bug also affect Microsoft Exchange server with *any*
|
|
UNIX based client that transmits full-sized SSL payloads.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.44"><strong>7.44 My qpopper users keep on getting the DON'T DELETE
|
|
THIS MESSAGE -- FOLDER INTERNAL DATA if they also use Pine or IMAP. How
|
|
can I fix this?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is an incompatibility between qpopper and the c-client library
|
|
used by Pine, imapd, and ipop[23]d.
|
|
|
|
<p>Assuming that you want to continue using qpopper, look into
|
|
qpopper's <strong>--enable-uw-kludge-flag</strong> configuration flag,
|
|
which is documented as "check for and hide UW 'Folder Internal Data'
|
|
messages".</p>
|
|
|
|
<p>The other alternative is to switch from qpopper to ipop3d.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.45"><strong>7.45 Help! I installed the servers but I can't connect
|
|
to them from my client!</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Review the installation instructions carefully. Make sure that you have
|
|
not skipped any of the steps. Make sure that you have made the correct
|
|
entries in the configuration files; pay careful attention to the exact
|
|
spelling of the service names and the path names. Make sure as well
|
|
that you have properly restarted inetd.
|
|
|
|
<p>If you have a system with Yellow Pages/NIS such as Solaris, have you
|
|
updated the service names there as well as in /etc/services?</p>
|
|
|
|
<p>If you have a system with TCP wrappers, have you properly updated
|
|
the TCP wrapper files (e.g. /etc/hosts.allow and /etc/hosts.deny) for
|
|
the servers?</p>
|
|
|
|
<p>If you have a system which uses xinetd instead of inetd, have you
|
|
made sure that you have made the correct corresponding xinetd changes
|
|
for those services?</p>
|
|
|
|
<p>Try telneting to the server port (143 for IMAP, 110 for POP3). If
|
|
you get a "refused" error, that probably means that you don't have the
|
|
service set up in inetd.conf. If the connection opens and then closes
|
|
with no message, the service is set up, but either the path name of the
|
|
server binary in inetd.conf is wrong or your TCP wrappers are
|
|
configured to deny access.</p>
|
|
|
|
<p>If you don't know how to make the corresponding changes to these
|
|
files, seek the help of a local expert for your system.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.46"><strong>7.46 Why do I get the message</strong> <tt>Can not
|
|
authenticate to SMTP server: 421 SMTP connection went away!</tt>
|
|
<strong>and why did this happen? There was also something about</strong>
|
|
<tt>SECURITY PROBLEM: insecure server advertised AUTH=PLAIN</tt></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
Some versions of qmail, including that running on mail.smtp.yahoo.com,
|
|
disconnect the SMTP session if you fail to authenticate prior to
|
|
attempting to transmit mail. An attempt to authenticate was made, but
|
|
it failed because the server had already disconnected.
|
|
|
|
<p>To work around this, you need to specify /user=... in the host name
|
|
specification.</p>
|
|
|
|
<p>The SECURITY PROBLEM came about because the server advertised the
|
|
AUTH=PLAIN SASL authentication mechanism outside of a TLS-encrypted
|
|
session, in violation of RFC 4616. This message is just a warning, and
|
|
in fact occurred after the server had disconnected.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.47"><strong>7.47 Why do I get the message</strong> <tt>SMTP
|
|
Authentication cancelled</tt> <strong>and why did this happen? There was
|
|
also something about</strong> <tt>SECURITY PROBLEM: insecure server
|
|
advertised AUTH=PLAIN</tt></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This is a bug in the SMTP server.
|
|
|
|
<p>Some versions of qmail, including that running on
|
|
mail.smtp.yahoo.com, have a bug in their implementation of SASL in
|
|
their SMTP server, which renders it non-compliant with the
|
|
standard.</p>
|
|
|
|
<p>If the client does not provide an initial response in the command
|
|
line for an authentication mechanism whose profile does not have an
|
|
initial challenge, qmail issues a bogus response:</p>
|
|
<pre>
|
|
334 ok, go on
|
|
</pre>The problem is the "ok, go on". This violates RFC 4954's requirement
|
|
that the text part in a 334 response be a BASE64 encoded string; in other
|
|
words, it is a protocol syntax error.
|
|
|
|
<p>In the case of AUTH=PLAIN, RFC 4422 (page 7) requires that the
|
|
encoded string have no data. In other words, the appropropiate
|
|
standards-compliant server response is "334" followed by a SPACE and a
|
|
CRLF.</p>
|
|
|
|
<p>The SECURITY PROBLEM came about because the server advertised the
|
|
AUTH=PLAIN SASL authentication mechanism outside of a TLS-encrypted
|
|
session, in violation of RFC 4616. This message is just a warning, and
|
|
is not related the "Authentication cancelled" problem.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="7.48"><strong>7.48 Why do I get the message</strong> <tt>Invalid
|
|
base64 string</tt> <strong>when I try to authenticate to a Cyrus
|
|
server?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
This slightly misleading message is the way that a Cyrus server
|
|
indicates that an authentication exchange was cancelled. It is not
|
|
indicative of a bug or protocol violation.
|
|
|
|
<p>The most common reason that this happens is if the Cyrus server
|
|
offers Kerberos authentication, c-client is built with Kerberos
|
|
support, but your client system is not within the Kerberos realm. In
|
|
this case, the client code will try to authenticate via Kerberos, fail
|
|
to get the Kerberos credentials, cancel the authentication attempt, and
|
|
try the next available authentication technology.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><br></p>
|
|
|
|
<h2><a name="additional">8. Where to Go For Additional Information</a></h2>
|
|
<hr>
|
|
|
|
<p><a name="8.1"><strong>8.1 Where can I go to ask questions?</strong></a><br>
|
|
<a name="8.2"><strong>8.2 I have some ideas for enhancements to IMAP. Where
|
|
should I go?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
If you have questions about the IMAP protocol, or want to participate
|
|
in discussions of future directions of the IMAP protocol, the
|
|
appropriate mailing list is imap-protocol@u.washington.edu. You can
|
|
subscribe to this list via <a href=
|
|
"mailto:imap-protocol-request@u.washington.edu"><tt>imap-protocol-request@u.washington.edu</tt></a>
|
|
|
|
<p>If you have questions about this software, you can send me email
|
|
directly or use the imap-uw@u.washington.edu mailing list. You can
|
|
subscribe to this list via <a href=
|
|
"mailto:imap-uw-request@u.washington.edu"><tt>imap-uw-request@u.washington.edu</tt></a></p>
|
|
|
|
<p>If you have general questions about the use of IMAP software
|
|
(not specific to the UW IMAP toolkit) use the
|
|
imap-use@u.washington.edu mailing list. You can subscribe to
|
|
this list via <a href=
|
|
"mailto:imap-use-request@u.washington.edu"><tt>imap-use-request@u.washington.edu</tt></a></p>
|
|
|
|
<p>You must be a subscriber to post to these lists. As an
|
|
alternative, you can use the
|
|
<strong>comp.mail.imap</strong> newsgroup.</p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="8.3"><strong>8.3 Where can I read more about IMAP and other email
|
|
protocols?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>We recommend <em>Internet Email Protocols: A Developer's Guide</em>,
|
|
by Kevin Johnson, published by Addison Wesley, ISBN 0-201-43288-9.</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
<hr>
|
|
|
|
<p><a name="8.4"><strong>8.4 Where can I find out more about setting up and
|
|
administering an IMAP server?</strong></a></p>
|
|
|
|
<dl>
|
|
<dd>
|
|
We recommend <em>Managing IMAP</em>, by Dianna Mullet & Kevin
|
|
Mullet, published by O'Reilly, ISBN 0-596-00012-X.
|
|
|
|
<p>This book also has an excellent comparison of the UW and Cyrus IMAP
|
|
servers.<br></p>
|
|
</dd>
|
|
</dl>
|
|
|
|
<p><a href="#top">Back to top</a></p>
|
|
|
|
<p>Last Updated: 15 November 2007</p>
|
|
|
|
<!--chtml include "//imap/incs/bottom.inc"-->
|
|
|