mirror of
https://github.com/uw-imap/imap.git
synced 2024-11-16 18:38:21 +01:00
22f316e36d
MD5 2126fd125ea26b73b20f01fcd5940369
2994 lines
140 KiB
Plaintext
2994 lines
140 KiB
Plaintext
/* ========================================================================
|
|
* Copyright 1988-2007 University of Washington
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
*
|
|
* ========================================================================
|
|
*/
|
|
|
|
IMAP Toolkit Frequently Asked Questions
|
|
|
|
Table of Contents
|
|
|
|
* 1. General/Software Feature Questions
|
|
+ 1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.?
|
|
+ 1.2 I am currently using qpopper as my POP3 server on UNIX.
|
|
Do I need to replace it with ipop3d in order to run imapd?
|
|
+ 1.3 Can I set up a POP or IMAP server on Windows XP, 2000,
|
|
NT, Me, 98, or 95?
|
|
+ 1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS?
|
|
+ 1.5 Can I set up a POP or IMAP server on Macintosh?
|
|
+ 1.6 Can I set up a POP or IMAP server on VAX/VMS?
|
|
+ 1.7 Can I set up a POP or IMAP server on TOPS-20?
|
|
+ 1.8 Are hierarchical mailboxes supported?
|
|
+ 1.9 Are "dual-use" mailboxes supported?
|
|
+ 1.10 Can I have a mailbox that has both messages and
|
|
sub-mailboxes?
|
|
+ 1.11 What is the difference between "mailbox" and "folder"?
|
|
+ 1.12 What is the status of internationalization?
|
|
+ 1.13 Can I use SSL?
|
|
+ 1.14 Can I use TLS and the STARTTLS facility?
|
|
+ 1.15 Can I use CRAM-MD5 authentication?
|
|
+ 1.16 Can I use APOP authentication?
|
|
+ 1.17 Can I use Kerberos V5?
|
|
+ 1.18 Can I use PAM for plaintext passwords?
|
|
+ 1.19 Can I use Kerberos 5 for plaintext passwords?
|
|
+ 1.20 Can I use AFS for plaintext passwords?
|
|
+ 1.21 Can I use DCE for plaintext passwords?
|
|
+ 1.22 Can I use the CRAM-MD5 database for plaintext passwords?
|
|
+ 1.23 Can I disable plaintext passwords?
|
|
+ 1.24 Can I disable plaintext passwords on unencrypted
|
|
sessions, but allow them on encrypted sessions?
|
|
+ 1.25 Can I use virtual hosts?
|
|
+ 1.26 Can I use RPOP authentication?
|
|
+ 1.27 Can I use Kerberos V4?
|
|
+ 1.28 Is there support for S/Key or OTP?
|
|
+ 1.29 Is there support for NTLM or SPA?
|
|
+ 1.30 Is there support for mh?
|
|
+ 1.31 Is there support for qmail and the maildir format?
|
|
+ 1.32 Is there support for the Cyrus mailbox format?
|
|
+ 1.33 Is this software Y2K compliant?
|
|
* 2. What Do I Need to Build This Software?
|
|
+ 2.1 What do I need to build this software with SSL on UNIX?
|
|
+ 2.2 What do I need to build this software with Kerberos V on
|
|
UNIX?
|
|
+ 2.3 What do I need to use a C++ compiler with this software
|
|
to build my own application?
|
|
+ 2.4 What do I need to build this software on Windows?
|
|
+ 2.5 What do I need to build this software on DOS?
|
|
+ 2.6 Can't I use Borland C to build this software on the PC?
|
|
+ 2.7 What do I need to build this software on the Mac?
|
|
+ 2.8 What do I need to build this software on VMS?
|
|
+ 2.9 What do I need to build this software on TOPS-20?
|
|
+ 2.10 What do I need to build this software on Amiga or OS/2?
|
|
+ 2.11 What do I need to build this software on Windows CE?
|
|
* 3. Build and Configuration Questions
|
|
+ 3.1 How do I configure the IMAP and POP servers on UNIX?
|
|
+ 3.2 I built and installed the servers according to the BUILD
|
|
instructions. It can't be that easy. Don't I need to write a
|
|
config file?
|
|
+ 3.3 How do I make the IMAP and POP servers look for INBOX at
|
|
some place other than the mail spool directory?
|
|
+ 3.4 How do I make the IMAP server look for secondary folders
|
|
at some place other than the user's home directory?
|
|
+ 3.5 How do I configure SSL?
|
|
+ 3.6 How do I configure TLS and the STARTTLS facility?
|
|
+ 3.7 How do I build/install OpenSSL and obtain/create
|
|
certificates for use with SSL?
|
|
+ 3.8 How do I configure CRAM-MD5 authentication?
|
|
+ 3.9 How do I configure APOP authentication?
|
|
+ 3.10 How do I configure Kerberos V5?
|
|
+ 3.11 How do I configure PAM for plaintext passwords?
|
|
+ 3.12 It looks like all I have to do to make the server use
|
|
Kerberos is to build with PAM on my Linux system, and set it
|
|
up in PAM for Kerberos passwords. Right?
|
|
+ 3.13 How do I configure Kerberos 5 for plaintext passwords?
|
|
+ 3.14 How do I configure AFS for plaintext passwords?
|
|
+ 3.15 How do I configure DCE for plaintext passwords?
|
|
+ 3.16 How do I configure the CRAM-MD5 database for plaintext
|
|
passwords?
|
|
+ 3.17 How do I disable plaintext passwords?
|
|
+ 3.18 How do I disable plaintext passwords on unencrypted
|
|
sessions, but allow them in SSL or TLS sessions?
|
|
+ 3.19 How do I configure virtual hosts?
|
|
+ 3.20 Why do I get compiler warning messages such as:
|
|
o passing arg 3 of `scandir' from incompatible pointer
|
|
type
|
|
o Pointers are not assignment-compatible.
|
|
o Argument #4 is not the correct type.
|
|
during the build?
|
|
+ 3.21 Why do I get compiler warning messages such as
|
|
o Operation between types "void(*)(int)" and "void*" is
|
|
not allowed.
|
|
o Function argument assignment between types "void*" and
|
|
"void(*)(int)" is not allowed.
|
|
o Pointers are not assignment-compatible.
|
|
o Argument #5 is not the correct type.
|
|
during the build?
|
|
+ 3.22 Why do I get linker warning messages such as:
|
|
o mtest.c:515: the `gets' function is dangerous and should
|
|
not be used.
|
|
during the build? Isn't this a security bug?
|
|
+ 3.23 Why do I get linker warning messages such as:
|
|
o auth_ssl.c:92: the `tmpnam' function is dangerous and
|
|
should not be used.
|
|
during the build? Isn't this a security bug?
|
|
+ 3.24 OK, suppose I see a warning message about a function
|
|
being "dangerous and should not be used" for something other
|
|
than this gets() or tmpnam() call?
|
|
* 4. Operational Questions
|
|
+ 4.1 How can I enable anonymous IMAP logins?
|
|
+ 4.2 How do I set up an alert message that each IMAP user will
|
|
see?
|
|
+ 4.3 How does the c-client library choose which of its several
|
|
mechanisms to use to establish an IMAP connection to the
|
|
server? I noticed that it can connect on port 143, port 993,
|
|
via rsh, and via ssh.
|
|
+ 4.4 I am using a TLS-capable IMAP server, so I don't need to
|
|
use /ssl to get encryption. However, I want to be certain
|
|
that my session is TLS encrypted before I send my password.
|
|
How to I do this?
|
|
+ 4.5 How do I use one of the alternative formats described in
|
|
the formats.txt document? In particular, I hear that mbx
|
|
format will give me better performance and allow shared
|
|
access.
|
|
+ 4.6 How do I set up shared mailboxes?
|
|
+ 4.7 How can I make the server syslogs go to someplace other
|
|
than the mail syslog?
|
|
* 5. Security Questions
|
|
+ 5.1 I see that the IMAP server allows access to arbitary
|
|
files on the system, including /etc/passwd! How do I disable
|
|
this?
|
|
+ 5.2 I've heard that IMAP servers are insecure. Is this true?
|
|
+ 5.3 How do I know that I have the most secure version of the
|
|
server?
|
|
+ 5.4 I see all these strcpy() and sprintf() calls, those are
|
|
unsafe, aren't they?
|
|
+ 5.5 Those /tmp lock files are protected 666, is that really
|
|
right?
|
|
* 6. Why Did You Do This Strange Thing? Questions
|
|
+ 6.1 Why don't you use GNU autoconfig / automake /
|
|
autoblurdybloop?
|
|
+ 6.2 Why do you insist upon a build with -g? Doesn't it waste
|
|
disk and memory space?
|
|
+ 6.3 Why don't you make c-client a shared library?
|
|
+ 6.4 Why don't you use iconv() for internationalization
|
|
support?
|
|
+ 6.5 Why is the IMAP server connected to the home directory by
|
|
default?
|
|
+ 6.6 I have a Windows system. Why isn't the server plug and
|
|
play for me?
|
|
+ 6.7 I looked at the UNIX SSL code and saw that you have the
|
|
SSL data payload size set to 8192 bytes. SSL allows 16K; why
|
|
aren't you using the full size?
|
|
+ 6.8 Why is an mh format INBOX called #mhinbox instead of just
|
|
INBOX?
|
|
+ 6.9 Why don't you support the maildir format?
|
|
+ 6.10 Why don't you support the Cyrus format?
|
|
+ 6.11 Why is it creating extra forks on my SVR4 system?
|
|
+ 6.12 Why are you so fussy about the date/time format in the
|
|
internal "From " line in traditional UNIX mailbox files? My
|
|
other mail program just considers every line that starts with
|
|
"From " to be the start of the message.
|
|
+ 6.13 Why is traditional UNIX format the default format?
|
|
+ 6.14 Why do you write this "DON'T DELETE THIS MESSAGE --
|
|
FOLDER INTERNAL DATA" message at the start of traditional
|
|
UNIX and MMDF format mailboxes?
|
|
+ 6.15 Why don't you stash the mailbox metadata in the first
|
|
real message of the mailbox instead of writing this fake
|
|
FOLDER INTERNAL DATA message?
|
|
+ 6.16 Why aren't "dual-use" mailboxes the default?
|
|
+ 6.17 Why do you use ucbcc to build on Solaris?
|
|
+ 6.18 Why should I care about some old system with BSD
|
|
libraries? cc is the right thing on my Solaris system!
|
|
+ 6.19 Why do you insist upon writing .lock files in the spool
|
|
directory?
|
|
+ 6.20 Why should I care about compatibility with the past?
|
|
* 7. Problems and Annoyances
|
|
+ 7.1 Help! My INBOX is empty! What happened to my messages?
|
|
+ 7.2 Help! All my messages in a non-INBOX mailbox have been
|
|
concatenated into one message which claims to be from me and
|
|
has a subject of the file name of the mailbox! What's going
|
|
on?
|
|
+ 7.3 Why do I get the message:
|
|
o CREATE failed: Can't create mailbox node xxxxxxxxx: File
|
|
exists
|
|
and how do I fix it?
|
|
+ 7.4 Why can't I log in to the server? The user name and
|
|
password are right!
|
|
+ 7.5 Help! My load average is soaring and I see hundreds of
|
|
POP and IMAP servers, many logged in as the same user!
|
|
+ 7.6 Why does mail disappear even though I set "keep mail on
|
|
server"?
|
|
+ 7.7 Why do I get the message
|
|
o Moved ##### bytes of new mail to /home/user/mbox from
|
|
/var/spool/mail/user
|
|
and why did this happen?
|
|
+ 7.8 Why isn't it showing the local host name as a
|
|
fully-qualified domain name?
|
|
+ 7.9 Why is the local host name in the From/Sender/Message-ID
|
|
headers of outgoing mail not coming out as a fully-qualified
|
|
domain name?
|
|
+ 7.10 What does the message:
|
|
o Mailbox vulnerable - directory /var/spool/mail must have
|
|
1777 protection
|
|
mean? How can I fix this?
|
|
+ 7.11 What does the message:
|
|
o Mailbox is open by another process, access is readonly
|
|
mean? How do I fix this?
|
|
+ 7.12 What does the message:
|
|
o Can't get write access to mailbox, access is readonly
|
|
mean?
|
|
+ 7.13 I set my POP3 client to "delete messages from server"
|
|
but they never get deleted. What is wrong?
|
|
+ 7.14 What do messages such as:
|
|
o Message ... UID ... already has UID ...
|
|
o Message ... UID ... less than ...
|
|
o Message ... UID ... greater than last ...
|
|
o Invalid UID ... in message ..., rebuilding UIDs
|
|
mean?
|
|
+ 7.15 What do the error messages:
|
|
o Unable to read internal header at ...
|
|
o Unable to find CRLF at ...
|
|
o Unable to parse internal header at ...
|
|
o Unable to parse message date at ...
|
|
o Unable to parse message flags at ...
|
|
o Unable to parse message UID at ...
|
|
o Unable to parse message size at ...
|
|
o Last message (at ... ) runs past end of file ...
|
|
mean? I am using mbx format.
|
|
+ 7.16 What do the syslog messages:
|
|
o imap/tcp server failing (looping)
|
|
o pop3/tcp server failing (looping)
|
|
mean? When it happens, the listed service shuts down. How can
|
|
I fix this?
|
|
+ 7.17 What does the syslog message:
|
|
o Mailbox lock file /tmp/.600.1df3 open failure:
|
|
Permission denied
|
|
mean?
|
|
+ 7.18 What do the syslog messages:
|
|
o Command stream end of file, while reading line user=...
|
|
host=...
|
|
o Command stream end of file, while reading char user=...
|
|
host=...
|
|
o Command stream end of file, while writing text user=...
|
|
host=...
|
|
mean?
|
|
+ 7.19 Why did my POP or IMAP session suddenly disconnect? The
|
|
syslog has the message:
|
|
o Killed (lost mailbox lock) user=... host=...
|
|
+ 7.20 Why does my IMAP client show all the files on the
|
|
system, recursively from the UNIX root directory?
|
|
+ 7.21 Why does my IMAP client show all of my files,
|
|
recursively from my UNIX home directory?
|
|
+ 7.22 Why does my IMAP client show that I have mailboxes named
|
|
"#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"?
|
|
+ 7.23 Why does my IMAP client show all my files in my home
|
|
directory?
|
|
+ 7.24 Why is there a long delay before I get connected to the
|
|
IMAP or POP server, no matter what client I use?
|
|
+ 7.25 Why is there a long delay in Pine or any other c-client
|
|
based application call before I get connected to the IMAP
|
|
server? The hang seems to be in the c-client mail_open()
|
|
call. I don't have this problem with any other IMAP client.
|
|
There is no delay connecting to a POP3 or NNTP server with
|
|
mail_open().
|
|
+ 7.26 Why does a message sometimes get split into two or more
|
|
messages on my SUN system?
|
|
+ 7.27 Why did my POP or IMAP session suddenly disconnect? The
|
|
syslog has the message:
|
|
o Autologout user=<...my user name...> host=<...my imap
|
|
server...>
|
|
+ 7.28 What does the UNIX error message:
|
|
o TLS/SSL failure: myserver: SSL negotiation failed
|
|
mean?
|
|
+ 7.29 What does the PC error message:
|
|
o TLS/SSL failure: myserver: Unexpected TCP input
|
|
disconnect
|
|
mean?
|
|
+ 7.30 What does the error message:
|
|
o TLS/SSL failure: myserver: Server name does not match
|
|
certificate
|
|
mean?
|
|
+ 7.31 What does the UNIX error message:
|
|
o TLS/SSL failure: myserver: self-signed certificate
|
|
mean?
|
|
+ 7.32 What does the PC error message
|
|
o TLS/SSL failure: myserver: Self-signed certificate or
|
|
untrusted authority
|
|
mean?
|
|
+ 7.33 What does the UNIX error message:
|
|
o TLS/SSL failure: myserver: unable to get local issuer
|
|
certificate
|
|
mean?
|
|
+ 7.34 Why does reading certain messages hang when using
|
|
Netscape? It works fine with Pine!
|
|
+ 7.35 Why does Netscape say that there's a problem with the
|
|
IMAP server and that I should "Contact your mail server
|
|
administrator."?
|
|
+ 7.36 Why is one user creating huge numbers of IMAP or POP
|
|
server sessions?
|
|
+ 7.37 Why don't I get any new mail notifications from Outlook
|
|
Express or Outlook after a while?
|
|
+ 7.38 Why don't I get any new mail notifications from
|
|
Entourage?
|
|
+ 7.39 Why doesn't Entourage work at all?
|
|
+ 7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all?
|
|
+ 7.41 Why can't I connect via SSL to Eudora? It says the
|
|
connection has been broken, and in the server syslogs I see
|
|
"Command stream end of file".
|
|
+ 7.42 Sheesh. Aren't there any good IMAP clients out there?
|
|
+ 7.43 But wait! PC Pine (or other PC program build with
|
|
c-client) crashes with the message
|
|
o incomplete SecBuffer exceeds maximum buffer size
|
|
when I use SSL connections. This is a bug in c-client, right?
|
|
+ 7.44 My qpopper users keep on getting the DON'T DELETE THIS
|
|
MESSAGE -- FOLDER INTERNAL DATA if they also use Pine or
|
|
IMAP. How can I fix this?
|
|
+ 7.45 Help! I installed the servers but I can't connect to
|
|
them from my client!
|
|
+ 7.46 Why do I get the message
|
|
o Can not authenticate to SMTP server: 421 SMTP connection
|
|
went away!
|
|
and why did this happen? There was also something about
|
|
o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
|
|
+ 7.47 Why do I get the message
|
|
o SMTP Authentication cancelled
|
|
and why did this happen? There was also something about
|
|
o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN
|
|
+ 7.48 Why do I get the message
|
|
o Invalid base64 string
|
|
when I try to authenticate to a Cyrus server?
|
|
* 8. Where to Go For Additional Information
|
|
+ 8.1 Where can I go to ask questions?
|
|
+ 8.2 I have some ideas for enhancements to IMAP. Where should
|
|
I go?
|
|
+ 8.3 Where can I read more about IMAP and other email
|
|
protocols?
|
|
+ 8.4 Where can I find out more about setting up and
|
|
administering an IMAP server?
|
|
_________________________________________________________________
|
|
|
|
1. General/Software Feature Questions
|
|
_________________________________________________________________
|
|
|
|
1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.?
|
|
|
|
Yes. Refer to the UNIX specific notes in files CONFIG and
|
|
BUILD.
|
|
_________________________________________________________________
|
|
|
|
1.2 I am currently using qpopper as my POP3 server on UNIX. Do I need
|
|
to replace it with ipop3d in order to run imapd?
|
|
|
|
Not necessarily.
|
|
|
|
Although ipop3d interoperates with imapd better than qpopper,
|
|
imapd and qpopper will work together. The few qpopper/imapd
|
|
interoperability issues mostly affect users who use both IMAP
|
|
and POP3 clients; those users would probably be better served
|
|
if their POP3 server is ipop3d.
|
|
|
|
If you are happy with qpopper and just want to add imapd, you
|
|
should do that, and defer a decision on changing qpopper to
|
|
ipop3d. That way, you can get comfortable with imapd's
|
|
performance, without changing anything for your qpopper users.
|
|
|
|
Many sites have subsequently decided to change from qpopper to
|
|
ipop3d in order to get better POP3/IMAP interoperability. If
|
|
you need to do this, you'll know. There also seems to be a way
|
|
to make qpopper work better with imapd; see the answer to the
|
|
My qpopper users keep on getting the DON'T DELETE THIS MESSAGE
|
|
-- FOLDER INTERNAL DATA if they also use Pine or IMAP. How can
|
|
I fix this? question.
|
|
_________________________________________________________________
|
|
|
|
1.3 Can I set up a POP or IMAP server on Windows XP, 2000, NT, Me, 98,
|
|
or 95?
|
|
|
|
Yes. Refer to the NT specific notes in files CONFIG and BUILD.
|
|
Also, for DOS-based versions of Windows (Windows Me, 98, and
|
|
95) you *must* set up CRAM-MD5 authentication, as described in
|
|
md5.txt.
|
|
|
|
There is no file access control on Windows 9x or Me, so you
|
|
probably will have to do modifications to env_unix.c to prevent
|
|
people from hacking others' mail.
|
|
|
|
Note, however, that the server is not plug and play the way it
|
|
is for UNIX.
|
|
_________________________________________________________________
|
|
|
|
1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS?
|
|
1.5 Can I set up a POP or IMAP server on Macintosh?
|
|
1.6 Can I set up a POP or IMAP server on VAX/VMS?
|
|
|
|
Yes, it's just a small matter of programming.
|
|
_________________________________________________________________
|
|
|
|
1.7 Can I set up a POP or IMAP server on TOPS-20?
|
|
|
|
You have a TOPS-20 system? Cool.
|
|
|
|
If IMAP2 (RFC 1176) is good enough for you, you can use MAPSER
|
|
which is about the ultimate gonzo pure TOPS-20 extended
|
|
addressing assembly language program. Unfortunately, IMAP2 is
|
|
barely good enough for Pine these days, and most other IMAP
|
|
clients won't work with IMAP2 at all. Maybe someone will hack
|
|
MAPSER to do IMAP4rev1 some day.
|
|
|
|
We don't know if anyone wrote a POP3 server for TOPS-20. There
|
|
definitely was a POP2 server once upon a time.
|
|
|
|
Or you can port the POP and IMAP server from this IMAP toolkit
|
|
to it. All that you need for a first stab is to port the MTX
|
|
driver. That'll probably be just a couple of hours of hacking.
|
|
_________________________________________________________________
|
|
|
|
1.8 Are hierarchical mailboxes supported?
|
|
1.9 Are "dual-use" mailboxes supported?
|
|
1.10 Can I have a mailbox that has both messages and sub-mailboxes?
|
|
|
|
Yes. However, there is one important caveat.
|
|
|
|
Some mailbox formats, including the default which is the
|
|
traditional UNIX mailbox format, are stored as a single file
|
|
containing all the messages. UNIX does not permit a name in the
|
|
filesystem to be both a file and a directory; consequently you
|
|
can not have a sub-mailbox within a mailbox that is in one of
|
|
these formats.
|
|
|
|
This is not a limitation of the software; this is a limitation
|
|
of UNIX. For example, there are mailbox formats in which the
|
|
name is a directory and each message is a file within that
|
|
directory; these formats support sub-mailboxes within such
|
|
mailboxes. However, for technical reasons, the "flat file"
|
|
formats are generally preferred since they perform better. Read
|
|
imap-2007/docs/formats.txt for more information on this topic.
|
|
|
|
It is always permissible to create a directory that is not a
|
|
mailbox, and have sub-mailboxes under it. The easiest way to
|
|
create a directory is to create a new mailbox inside a
|
|
directory that doesn't already exist. For example, if you
|
|
create "Mail/testbox" on UNIX, the directory "Mail/" will
|
|
automatically be created and then the mailbox "testbox" will be
|
|
created as a sub-mailbox of "Mail/".
|
|
|
|
It is also possible to create the name "Mail/" directly. Check
|
|
the documentation for your client software to see how to do
|
|
this with that software.
|
|
|
|
Of course, on Windows systems you would use "\" instead of "/".
|
|
_________________________________________________________________
|
|
|
|
1.11 What is the difference between "mailbox" and "folder"?
|
|
|
|
The term "mailbox" is IMAP-speak for what a lot of software
|
|
calls a "folder" or a "mail folder". However, "folder" is often
|
|
used in other contexts to refer to a directory, for example, in
|
|
the graphic user interface on both Windows and Macintosh.
|
|
|
|
A "mailbox" is specifically defined as a named object that
|
|
contains messages. It is not required to be capable of
|
|
containing other types of objects including other mailboxes;
|
|
although some mailbox formats will permit this.
|
|
|
|
In IMAP-speak, a mailbox which can not contain other mailboxes
|
|
is called a "no-inferiors mailbox". Similarly, a directory
|
|
which can not contain messages is not a mailbox and is called a
|
|
"no-select name".
|
|
_________________________________________________________________
|
|
|
|
1.12 What is the status of internationalization?
|
|
|
|
The IMAP toolkit is partially internationalized and
|
|
multilingualized.
|
|
|
|
Searching is supported in the following charsets: US-ASCII,
|
|
UTF-8, ISO-8859-1, ISO-8859-2, ISO-8859-3, ISO-8859-4,
|
|
ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-9,
|
|
ISO-8859-10, ISO-8859-11, ISO-8859-13, ISO-8859-14,
|
|
ISO-8859-15, ISO-8859-16, KOI8-R, KOI8-U (alias KOI8-RU),
|
|
TIS-620, VISCII, ISO-2022-JP, ISO-2022-KR, ISO-2022-CN,
|
|
ISO-2022-JP-1, ISO-2022-JP-2, GB2312 (alias CN-GB),
|
|
CN-GB-12345, BIG5 (alias CN-BIG5), EUC-JP, EUC-KR, Shift_JIS,
|
|
Shift-JIS, KS_C_5601-1987, KS_C_5601-1992, WINDOWS_874,
|
|
WINDOWS-1250, WINDOWS-1251, WINDOWS-1252, WINDOWS-1253,
|
|
WINDOWS-1254, WINDOWS-1255, WINDOWS-1256, WINDOWS-1257,
|
|
WINDOWS-1258.
|
|
|
|
All ISO-2022-?? charsets are treated identically, and support
|
|
ASCII, JIS Roman, hankaku katakana, ISO-8859-[1 - 10], TIS, GB
|
|
2312, JIS X 0208, JIS X 0212, KSC 5601, and planes 1 and 2 of
|
|
CNS 11643.
|
|
|
|
EUC-JP includes support for JIS X 0212 and hankaku katakana.
|
|
|
|
c-client library support also exists to convert text in any of
|
|
the above charsets into Unicode, including headers with MIME
|
|
encoded-words.
|
|
|
|
There is no support for localization (e.g. non-English error
|
|
messages) at the present time, but such support is planned.
|
|
_________________________________________________________________
|
|
|
|
1.13 Can I use SSL?
|
|
|
|
Yes. See the answer to the How do I configure SSL? question.
|
|
_________________________________________________________________
|
|
|
|
1.14 Can I use TLS and the STARTTLS facility?
|
|
|
|
Yes. See the answer to the How do I configure TLS and the
|
|
STARTTLS facility? question.
|
|
_________________________________________________________________
|
|
|
|
1.15 Can I use CRAM-MD5 authentication?
|
|
|
|
Yes. See the answer to the How do I configure CRAM-MD5
|
|
authentication? question.
|
|
_________________________________________________________________
|
|
|
|
1.16 Can I use APOP authentication?
|
|
|
|
Yes. See the How do I configure APOP authentication? question.
|
|
|
|
Note that there is no client support for APOP authentication.
|
|
_________________________________________________________________
|
|
|
|
1.17 Can I use Kerberos V5?
|
|
|
|
Yes. See the answer to the How do I configure Kerberos V5?
|
|
question.
|
|
_________________________________________________________________
|
|
|
|
1.18 Can I use PAM for plaintext passwords?
|
|
|
|
Yes. See the answer to the How do I configure PAM for plaintext
|
|
passwords? question.
|
|
_________________________________________________________________
|
|
|
|
1.19 Can I use Kerberos 5 for plaintext passwords?
|
|
|
|
Yes. See the answer to the How do I configure Kerberos 5 for
|
|
plaintext passwords? question.
|
|
_________________________________________________________________
|
|
|
|
1.20 Can I use AFS for plaintext passwords?
|
|
|
|
Yes. See the answer to the How do I configure AFS for plaintext
|
|
passwords? question.
|
|
_________________________________________________________________
|
|
|
|
1.21 Can I use DCE for plaintext passwords?
|
|
|
|
Yes. See the answer to the How do I configure DCE for plaintext
|
|
passwords? question.
|
|
_________________________________________________________________
|
|
|
|
1.22 Can I use the CRAM-MD5 database for plaintext passwords?
|
|
|
|
Yes. See the answer to the How do I configure the CRAM-MD5
|
|
database for plaintext passwords? question.
|
|
_________________________________________________________________
|
|
|
|
1.23 Can I disable plaintext passwords?
|
|
|
|
Yes. See the answer to the How do I disable plaintext
|
|
passwords? question.
|
|
_________________________________________________________________
|
|
|
|
1.24 Can I disable plaintext passwords on unencrypted sessions, but
|
|
allow them on encrypted sessions?
|
|
|
|
Yes. See the answer to the How do I disable plaintext passwords
|
|
on unencrypted sessions, but allow them in SSL or TLS sessions?
|
|
question.
|
|
_________________________________________________________________
|
|
|
|
1.25 Can I use virtual hosts?
|
|
|
|
Yes. See the answer to the How do I configure virtual hosts?
|
|
question.
|
|
_________________________________________________________________
|
|
|
|
1.26 Can I use RPOP authentication?
|
|
|
|
There is no support for RPOP authentication.
|
|
_________________________________________________________________
|
|
|
|
1.27 Can I use Kerberos V4?
|
|
|
|
Kerberos V4 is not supported. Kerberos V4 client-only
|
|
contributed code is available in
|
|
|
|
ftp://ftp.cac.washington.edu/mail/kerberos4-patches.tar.Z
|
|
|
|
This is a patchkit which must be applied to the IMAP toolkit
|
|
according to the instructions in the patchkit's README. We can
|
|
not promise that this code works.
|
|
_________________________________________________________________
|
|
|
|
1.28 Is there support for S/Key or OTP?
|
|
|
|
There is currently no support for S/Key or OTP. There may be an
|
|
OTP SASL authenticator available from third parties.
|
|
_________________________________________________________________
|
|
|
|
1.29 Is there support for NTLM or SPA?
|
|
|
|
There is currently no support for NTLM or SPA, nor are there
|
|
any plans to add such support. In general, I avoid
|
|
vendor-specific mechanisms. I also believe that these
|
|
mechanisms are being deprecated by their vendor.
|
|
|
|
There may be an NTLM SASL authenticator available from third
|
|
parties.
|
|
_________________________________________________________________
|
|
|
|
1.30 Is there support for mh?
|
|
|
|
Yes, but only as a legacy format. Your mh format INBOX is
|
|
accessed by the name "#mhinbox", and all other mh format
|
|
mailboxes are accessed by prefixing "#mh/" to the name, e.g.
|
|
"#mh/foo". The mh support uses the "Path:" entry in your
|
|
.mh_profile file to identify the root directory of your mh
|
|
format mailboxes.
|
|
|
|
Non-legacy use of mh format is not encouraged. There is no
|
|
support for permanent flags or unique identifiers; furthermore
|
|
there are known severe performance problems with the mh format.
|
|
_________________________________________________________________
|
|
|
|
1.31 Is there support for qmail and the maildir format?
|
|
|
|
There is no support for qmail or the maildir format in our
|
|
distribution, nor are there any plans to add such support.
|
|
Maildir support may be available from third parties.
|
|
_________________________________________________________________
|
|
|
|
1.32 Is there support for the Cyrus mailbox format?
|
|
|
|
No.
|
|
_________________________________________________________________
|
|
|
|
1.33 Is this software Y2K compliant?
|
|
|
|
Please read the files Y2K and calendar.txt.
|
|
_________________________________________________________________
|
|
|
|
2. What Do I Need to Build This Software?
|
|
_________________________________________________________________
|
|
|
|
2.1 What do I need to build this software with SSL on UNIX?
|
|
|
|
You need to build and install OpenSSL first.
|
|
_________________________________________________________________
|
|
|
|
2.2 What do I need to build this software with Kerberos V on UNIX?
|
|
|
|
You need to build and install MIT Kerberos first.
|
|
_________________________________________________________________
|
|
|
|
2.3 What do I need to use a C++ compiler with this software to build
|
|
my own application?
|
|
|
|
If you are building an application using the c-client library,
|
|
use the new c-client.h file instead of including the other
|
|
include files. It seems that c-client.h should define away all
|
|
the troublesome names that conflict with C++.
|
|
|
|
If you use gcc, you may need to use -fno-operator-names as
|
|
well.
|
|
_________________________________________________________________
|
|
|
|
2.4 What do I need to build this software on Windows?
|
|
|
|
You need Microsoft Visual C++ 6.0, Visual C++ .NET, or Visual
|
|
C# .NET (which you can buy from any computer store), along with
|
|
the Microsoft Platform SDK (which you can download from
|
|
Microsoft's web site).
|
|
|
|
You do not need to install the entire Platform SDK; it suffices
|
|
to install just the Core SDK and the Internet Development SDK.
|
|
_________________________________________________________________
|
|
|
|
2.5 What do I need to build this software on DOS?
|
|
|
|
It's been several years since we last attempted to do this. At
|
|
the time, we used Microsoft C.
|
|
_________________________________________________________________
|
|
|
|
2.6 Can't I use Borland C to build this software on the PC?
|
|
|
|
Probably not. If you know otherwise, please let us know.
|
|
_________________________________________________________________
|
|
|
|
2.7 What do I need to build this software on the Mac?
|
|
|
|
It has been several years since we last attempted to do this.
|
|
At the time, we used Symantec THINK C; but today you'll need a
|
|
C compiler which allows segments to be more than 32K.
|
|
_________________________________________________________________
|
|
|
|
2.8 What do I need to build this software on VMS?
|
|
|
|
You need the VMS C compiler, and either the Multinet or Netlib
|
|
TCP.
|
|
_________________________________________________________________
|
|
|
|
2.9 What do I need to build this software on TOPS-20?
|
|
|
|
You need the TOPS-20 KCC compiler.
|
|
_________________________________________________________________
|
|
|
|
2.10 What do I need to build this software on Amiga or OS/2?
|
|
|
|
We don't know.
|
|
_________________________________________________________________
|
|
|
|
2.11 What do I need to build this software on Windows CE?
|
|
|
|
This port is incomplete. Someone needs to finish it.
|
|
_________________________________________________________________
|
|
|
|
3. Build and Configuration Questions
|
|
_________________________________________________________________
|
|
|
|
3.1 How do I configure the IMAP and POP servers on UNIX?
|
|
3.2 I built and installed the servers according to the BUILD
|
|
instructions. It can't be that easy. Don't I need to write a config
|
|
file?
|
|
|
|
For ordinary "vanilla" UNIX systems, this software is plug and
|
|
play; just build it, install it, and you're done. If you have a
|
|
modified system, then you may want to do additional work; most
|
|
of this is to a single source code file (env_unix.c on UNIX
|
|
systems). Read the file CONFIG for more details.
|
|
|
|
Yes, it's that easy. There are some additional options, such as
|
|
SSL or Kerberos, which require additional steps to build. See
|
|
the relevant questions below.
|
|
_________________________________________________________________
|
|
|
|
3.3 How do I make the IMAP and POP servers look for INBOX at some
|
|
place other than the mail spool directory?
|
|
3.4 How do I make the IMAP server look for secondary folders at some
|
|
place other than the user's home directory?
|
|
|
|
Please read the file CONFIG for discussion of this and other
|
|
issues.
|
|
_________________________________________________________________
|
|
|
|
3.5 How do I configure SSL?
|
|
3.6 How do I configure TLS and the STARTTLS facility?
|
|
|
|
imap-2007 supports SSL and TLS client functionality on UNIX and
|
|
32-bit Windows for IMAP, POP3, SMTP, and NNTP; and SSL and TLS
|
|
server functionality on UNIX for IMAP and POP3.
|
|
|
|
UNIX SSL build requires that a third-party software package,
|
|
OpenSSL, be installed on the system first. Read
|
|
imap-2007/docs/SSLBUILD for more information.
|
|
|
|
SSL is supported via undocumented Microsoft interfaces in
|
|
Windows 9x and NT4; and via standard interfaces in Windows
|
|
2000, Windows Millenium, and Windows XP.
|
|
_________________________________________________________________
|
|
|
|
3.7 How do I build/install OpenSSL and obtain/create certificates for
|
|
use with SSL?
|
|
|
|
If you need help in doing this, try the contacts mentioned in
|
|
the OpenSSL README. We do not offer support for OpenSSL or
|
|
certificates.
|
|
_________________________________________________________________
|
|
|
|
3.8 How do I configure CRAM-MD5 authentication?
|
|
3.9 How do I configure APOP authentication?
|
|
|
|
CRAM-MD5 authentication is enabled in the IMAP and POP3 client
|
|
code on all platforms. Read md5.txt to learn how to set up
|
|
CRAM-MD5 and APOP authentication on UNIX and NT servers.
|
|
|
|
There is no support for APOP client authentication.
|
|
_________________________________________________________________
|
|
|
|
3.10 How do I configure Kerberos V5?
|
|
|
|
imap-2007 supports client and server functionality on UNIX and
|
|
32-bit Windows.
|
|
|
|
Kerberos V5 is supported by default in Windows 2000 builds:
|
|
|
|
nmake -f makefile.w2k
|
|
|
|
Other builds require that a third-party Kerberos package, e.g.
|
|
MIT Kerberos, be installed on the system first.
|
|
|
|
To build with Kerberos V5 on UNIX, include
|
|
EXTRAAUTHENTICATORS=gss in the make command line, e.g.
|
|
|
|
make lnp EXTRAAUTHENTICATORS=gss
|
|
|
|
To build with Kerberos V5 on Windows 9x, Windows Millenium, and
|
|
NT4, use the "makefile.ntk" file instead of "makefile.nt":
|
|
|
|
|
|
nmake -f makefile.ntk
|
|
_________________________________________________________________
|
|
|
|
3.11 How do I configure PAM for plaintext passwords?
|
|
|
|
On Linux systems, use the lnp port, e.g.
|
|
|
|
make lnp
|
|
|
|
On Solaris systems and other systems with defective PAM
|
|
implementations, build with PASSWDTYPE=pmb, e.g.
|
|
|
|
make sol PASSWDTYPE=pmb
|
|
|
|
On all other systems, build with PASSWDTYPE=pam, e.g
|
|
|
|
make foo PASSWDTYPE=pam
|
|
|
|
If you build with PASSWDTYPE=pam and authentication does not
|
|
work, try rebuilding (after a "make clean") with
|
|
PASSWDTYPE=pmb.
|
|
_________________________________________________________________
|
|
|
|
3.12 It looks like all I have to do to make the server use Kerberos is
|
|
to build with PAM on my Linux system, and set it up in PAM for
|
|
Kerberos passwords. Right?
|
|
|
|
Yes and no.
|
|
|
|
Doing this will make plaintext password authentication use the
|
|
Kerberos password instead of the /etc/passwd password.
|
|
|
|
However, this will NOT give you Kerberos-secure authentication.
|
|
See the answer to the How do I configure Kerberos V5? question
|
|
for how to build with Kerberos-secure authentication.
|
|
_________________________________________________________________
|
|
|
|
3.13 How do I configure Kerberos 5 for plaintext passwords?
|
|
|
|
Build with PASSWDTYPE=gss, e.g.
|
|
|
|
make sol PASSWDTYPE=gss
|
|
|
|
However, this will NOT give you Kerberos-secure authentication.
|
|
See the answer to the How do I configure Kerberos V5? question
|
|
for how to build with Kerberos-secure authentication.
|
|
_________________________________________________________________
|
|
|
|
3.14 How do I configure AFS for plaintext passwords?
|
|
|
|
Build with PASSWDTYPE=afs, e.g
|
|
|
|
make sol PASSWDTYPE=afs
|
|
_________________________________________________________________
|
|
|
|
3.15 How do I configure DCE for plaintext passwords?
|
|
|
|
Build with PASSWDTYPE=dce, e.g
|
|
|
|
make sol PASSWDTYPE=dce
|
|
_________________________________________________________________
|
|
|
|
3.16 How do I configure the CRAM-MD5 database for plaintext passwords?
|
|
|
|
The CRAM-MD5 password database is automatically used for
|
|
plaintext password if it exists.
|
|
|
|
Note that this is NOT CRAM-MD5-secure authentication. You
|
|
probably want to consider disabling plaintext passwords for
|
|
non-SSL/TLS sessions. See the next two questions.
|
|
_________________________________________________________________
|
|
|
|
3.17 How do I disable plaintext passwords?
|
|
|
|
Server-level plaintext passwords can be disabled by setting
|
|
PASSWDTYPE=nul, e.g.
|
|
|
|
make lnx EXTRAAUTHENTICATORS=gss PASSWDTYPE=nul
|
|
|
|
Note that you must have a CRAM-MD5 database installed or
|
|
specify at least one EXTRAAUTHENTICATOR, otherwise it will not
|
|
be possible to log in to the server.
|
|
|
|
When plaintext passwords are disabled, the IMAP server will
|
|
advertise the LOGINDISABLED capability and the POP3 server will
|
|
not advertise the USER capability.
|
|
|
|
3.18 How do I disable plaintext passwords on unencrypted sessions, but
|
|
allow them in SSL or TLS sessions?
|
|
|
|
Do not set PASSWDTYPE=nul or SSLTYPE=unix. Set SSLTYPE=nopwd
|
|
instead, e.g.
|
|
|
|
make lnx SSLTYPE=nopwd
|
|
|
|
When plaintext passwords are disabled, the IMAP server will
|
|
advertise the LOGINDISABLED capability and the POP3 server will
|
|
not advertise the USER capability.
|
|
|
|
Plaintext passwords will always be enabled in SSL sessions; the
|
|
IMAP server will not advertise the LOGINDISABLED capability and
|
|
the POP3 server will advertise the USER capability.
|
|
|
|
If the client does a successful start-TLS in a non-SSL session,
|
|
plaintext passwords will be enabled, and a new CAPABILITY or
|
|
CAPA command (which is required after start-TLS) will show the
|
|
effect as in SSL sessions.
|
|
_________________________________________________________________
|
|
|
|
3.19 How do I configure virtual hosts?
|
|
|
|
This is automatic, but with certain restrictions.
|
|
|
|
The most important one is that each virtual host must have its
|
|
own IP address; otherwise the server has no way of knowing
|
|
which virtual host is desired.
|
|
|
|
As distributed, the software uses a global password file; hence
|
|
user "fred" on one virtual host is "fred" on all virtual hosts.
|
|
You may want to modify the checkpw() routine to implement some
|
|
other policy (e.g. separate password files).
|
|
|
|
Note that the security model assumes that all users have their
|
|
own unique UNIX UID number. So if you use separate password
|
|
files you should make certain that the UID numbers do not
|
|
overlap between different files.
|
|
|
|
More advanced virtual host support may be available as patches
|
|
from third parties.
|
|
_________________________________________________________________
|
|
|
|
3.20 Why do I get compiler warning messages such as:
|
|
passing arg 3 of `scandir' from incompatible pointer type
|
|
Pointers are not assignment-compatible.
|
|
Argument #4 is not the correct type.
|
|
|
|
during the build?
|
|
|
|
You can safely ignore these messages.
|
|
|
|
Over the years, the prototype for scandir() has changed, and
|
|
thus is variant across different UNIX platforms. In particular,
|
|
the definitions of the third argument (type select_t) and
|
|
fourth argument (type compar_t) have changed over the years,
|
|
the issue being whether or not the arguments to the functions
|
|
pointed to by these function pointers are of type const or not.
|
|
|
|
The way that c-client calls scandir() will tend to generate
|
|
these compiler warnings on newer systems such as Linux;
|
|
however, it will still build. The problem with fixing the call
|
|
is that then it won't build on older systems.
|
|
_________________________________________________________________
|
|
|
|
3.21 Why do I get compiler warning messages such as
|
|
Operation between types "void(*)(int)" and "void*" is not allowed.
|
|
Function argument assignment between types "void*" and "void(*)(int)" is not a
|
|
llowed.
|
|
Pointers are not assignment-compatible.
|
|
Argument #5 is not the correct type.
|
|
|
|
during the build?
|
|
|
|
You can safely ignore these messages.
|
|
|
|
All known systems have no problem with casting a function
|
|
pointer to/from a void* pointer, certain C compilers issue a
|
|
compiler diagnostic because this facility is listed as a
|
|
"Common extension" by the C standard:
|
|
|
|
K.5.7 Function pointer casts
|
|
[#1] A pointer to an object or to void may be cast to a pointer
|
|
to a function, allowing data to be invoked as a function (6.3.4).
|
|
[#2] A pointer to a function may be cast to a pointer to an
|
|
object or to void, allowing a function to be inspected or
|
|
modified (for example, by a debugger) (6.3.4).
|
|
|
|
It may be just a "common extension", but this facility is
|
|
relied upon heavily by c-client.
|
|
_________________________________________________________________
|
|
|
|
3.22 Why do I get linker warning messages such as:
|
|
mtest.c:515: the `gets' function is dangerous and should not be used.
|
|
|
|
during the build? Isn't this a security bug?
|
|
|
|
You can safely ignore this message.
|
|
|
|
Certain linkers, most notably on Linux, give this warning
|
|
message. It is indeed true that the traditional gets() function
|
|
is not a safe one.
|
|
|
|
However, the mtest program is only a demonstration program, a
|
|
model of a very basic application program using c-client. It is
|
|
not something that you would install, much less run in any
|
|
security-sensitive context.
|
|
|
|
mtest has numerous other shortcuts that you wouldn't want to do
|
|
in a real application program.
|
|
|
|
The only "security bug" with mtest would be if it was run by
|
|
some script in a security-sensitive context, but mtest isn't
|
|
particularly useful for such purposes. If you wanted to write a
|
|
script to automate some email task using c-client, you'd be
|
|
better off using imapd instead of mtest.
|
|
|
|
mtest only has two legitimate uses. It's a useful testbed for
|
|
me when debugging new versions of c-client, and it's useful as
|
|
a model for someone writing a simple c-client application to
|
|
see how the various calls work.
|
|
|
|
By the way, if you need a more advanced example of c-client
|
|
programming than mtest (and you probably will), I recommend
|
|
that you look at the source code for imapd and Pine.
|
|
_________________________________________________________________
|
|
|
|
3.23 Why do I get linker warning messages such as:
|
|
auth_ssl.c:92: the `tmpnam' function is dangerous and should not be used.
|
|
|
|
during the build? Isn't this a security bug?
|
|
|
|
You can safely ignore this message.
|
|
|
|
Certain linkers, most notably on Linux, give this warning
|
|
message, based upon two known issues with tmpnam():
|
|
|
|
there can be a buffer overflow if an inadequate buffer is
|
|
allocated.
|
|
there can be a timing race caused by certain incautious
|
|
usage of the return value.
|
|
|
|
Neither of these issues applies in the particular use that is
|
|
made of tmpnam(). More importantly, the tmpnam() call is never
|
|
executed on Linux systems.
|
|
_________________________________________________________________
|
|
|
|
3.24 OK, suppose I see a warning message about a function being
|
|
"dangerous and should not be used" for something other than this
|
|
gets() or tmpnam() call?
|
|
|
|
Please forward the details for investigation.
|
|
_________________________________________________________________
|
|
|
|
4. Operational Questions
|
|
_________________________________________________________________
|
|
|
|
4.1 How can I enable anonymous IMAP logins?
|
|
|
|
Create the file /etc/anonymous.newsgroups. At the present time,
|
|
this file should be empty. This will permit IMAP logins as
|
|
anonymous as well as the ANONYMOUS SASL authenticator.
|
|
Anonymous users have access to mailboxes in the #news., #ftp/,
|
|
and #public/ namespaces only.
|
|
_________________________________________________________________
|
|
|
|
4.2 How do I set up an alert message that each IMAP user will see?
|
|
|
|
Create the file /etc/imapd.alert with the text of the message.
|
|
This text should be kept to one line if possible. Note that
|
|
this will cause an alert to every IMAP user every time they
|
|
initiate an IMAP session, so it should only be used for
|
|
critical messages.
|
|
_________________________________________________________________
|
|
|
|
4.3 How does the c-client library choose which of its several
|
|
mechanisms to use to establish an IMAP connection to the server? I
|
|
noticed that it can connect on port 143, port 993, via rsh, and via
|
|
ssh.
|
|
|
|
c-client chooses how to establish an IMAP connection via the
|
|
following rules:
|
|
|
|
+ If /ssl is specified, use an SSL connection. Fail otherwise.
|
|
+ Else if client is a UNIX system and "ssh server exec
|
|
/etc/rimapd" works, use that
|
|
+ Else if /tryssl is specified and an SSL connection works, use
|
|
that.
|
|
+ Else if client is a UNIX system and "rsh server exec
|
|
/etc/rimapd" works, use that.
|
|
+ Else use a non-SSL connection.
|
|
_________________________________________________________________
|
|
|
|
4.4 I am using a TLS-capable IMAP server, so I don't need to use /ssl
|
|
to get encryption. However, I want to be certain that my session is
|
|
TLS encrypted before I send my password. How to I do this?
|
|
|
|
Use the /tls option in the mailbox name. This will cause an
|
|
error message and the connection to fail if the server does not
|
|
negotiate STARTTLS.
|
|
_________________________________________________________________
|
|
|
|
4.5 How do I use one of the alternative formats described in the
|
|
formats.txt document? In particular, I hear that mbx format will give
|
|
me better performance and allow shared access.
|
|
|
|
The rumors about mbx format being preferred are true. It is
|
|
faster than the traditional UNIX mailbox format and permits
|
|
shared access.
|
|
|
|
However, and this is very important, note that using an
|
|
alternative mailbox format is an advanced facility, and only
|
|
expert users should undertake it. If you don't understand any
|
|
of the following notes, you may not be enough of an expert yet,
|
|
and are probably better off not going this route until you are
|
|
more comfortable with your understanding.
|
|
|
|
Some of the formats, including mbx, are only supported by the
|
|
software based on the c-client library, and are not recognized
|
|
by other mailbox programs. The "vi" editor will corrupt any mbx
|
|
format mailbox that it encounters.
|
|
|
|
Another problem is that the certain formats, including mbx, use
|
|
advanced file access and locking techniques that do not work
|
|
reliably with NFS. NFS is not a real filesystem. Use IMAP
|
|
instead of NFS for distributed access.
|
|
|
|
Each of the following steps are in escalating order of
|
|
involvement. The further you go down this list, the more deeply
|
|
committed you become:
|
|
|
|
+ The simplest way to create a mbx-format mailbox is to prefix
|
|
the name with "#driver.mbx/" when creating a mailbox through
|
|
c-client. For example, if you create "#driver.mbx/foo", the
|
|
mailbox "foo" will be created in mbx format. Only use
|
|
"#driver.mbx/" when creating the mailbox. At all other times,
|
|
just use the name ("foo" in this example); the software will
|
|
automatically select the driver for mbx whenever that mailbox
|
|
is accessed without you doing anything else.
|
|
+ You can use the "mailutil copy" command to copy an existing
|
|
mailbox to a new mailbox in mbx format. Read the man page
|
|
provided with the mailutil program for details.
|
|
+ If you create an mbx-format INBOX, by creating
|
|
"#driver.mbx/INBOX" (note that "INBOX" must be all
|
|
uppercase), then subsequent access to INBOX by any c-client
|
|
based application will use the mbx-format INBOX. Any mail
|
|
delivered to the traditional format mailbox in the spool
|
|
directory (e.g. /var/spool/mail/$USER) will automatically be
|
|
copied into the mbx-format INBOX and the spool directory copy
|
|
removed.
|
|
+ You can cause any newly-created mailboxes to be in mbx-format
|
|
by default by changing the definition of
|
|
CREATEPROTO=unixproto to be CREATEPROTO=mbxproto in
|
|
src/osdep/unix/Makefile, then rebuilding the IMAP toolkit (do
|
|
a "make clean" first). Do not change EMPTYPROTO, since mbx
|
|
format mailboxes are never a zero-byte file. If you use Pine
|
|
or the imap-utils, you should probably also rebuild them with
|
|
the new IMAP toolkit too.
|
|
+ You can deliver directly to the mbx-format INBOX by use of
|
|
the tmail or dmail programs. tmail is for direct invocation
|
|
from sendmail (or whatever MTA program you use); dmail is for
|
|
calls from procmail. Both of these programs have man pages
|
|
which must be read carefully before making this change.
|
|
|
|
Most other servers (e.g. Cyrus) require use of a non-standard
|
|
format. A full-fledged format conversion is not significantly
|
|
different from what you have to do with other servers. The
|
|
difference, which makes format conversion procedures somewhat
|
|
more complicated with this server, is that there is no "all or
|
|
nothing" requirement with this server. There are many points in
|
|
between. A format conversion can be anything from a single
|
|
mailbox or single user, to systemwide.
|
|
|
|
This is good in that you can decide how far to go, or do the
|
|
steps incrementally as you become more comfortable with the
|
|
result. On the other hand, there's no "One True Way" which can
|
|
be boiled down to a simple set of pedagogical instructions.
|
|
|
|
A number of sites have done full-fledged format conversions,
|
|
and are reportedly quite happy with the results. Feel free to
|
|
ask in the comp.mail.imap newsgroup or the imap-uw mailing
|
|
list for advice or help.
|
|
_________________________________________________________________
|
|
|
|
4.6 How do I set up shared mailboxes?
|
|
|
|
At the simplest level, a shared mailbox is one which has UNIX
|
|
file and directory protections which permit multiple users to
|
|
access it. What this means is that your existing skills and
|
|
tools to create and manage shared files on your UNIX system
|
|
apply to shared mailboxes; e.g.
|
|
|
|
chmod 666 mailbox
|
|
|
|
You may want to consider the use of a mailbox format which
|
|
permits multiple simultaneous read/write sessions, such as the
|
|
mbx format. The traditional UNIX format only allows one
|
|
read/write session to a mailbox at a time.
|
|
|
|
An additional convenience item are three system directories,
|
|
which can be set up for shared namespaces. These are: #ftp,
|
|
#shared, and #public, and are defined by creating the
|
|
associated UNIX users and home directories as described below.
|
|
|
|
#ftp/ refers to the anonymous ftp filesystem exported by the
|
|
ftp server, and is equivalent to the home directory for UNIX
|
|
user "ftp". For example, #ftp/foo/bar refers to the file
|
|
/foo/bar in the anonymous FTP filesystem, or ~ftp/foo/bar for
|
|
normal users. Anonymous FTP files are available to anonymous
|
|
IMAP logins. By default, newly-created files in #ftp/ are
|
|
protected 644.
|
|
|
|
#public/ refers to an IMAP toolkit convention called "public"
|
|
files, and is equivalent to the home directory for UNIX user
|
|
"imappublic". For example, #public/foo/bar refers to the file
|
|
~imappublic/foo/bar. Public files are available to anonymous
|
|
IMAP logins. By default, newly-created files in #public are
|
|
created with protection 0666.
|
|
|
|
#shared/ refers to an IMAP toolkit convention called "shared"
|
|
files, and is equivalent to the home directory for UNIX user
|
|
"imapshared". For example, #shared/foo/bar refers to the file
|
|
~imapshared/foo/bar. Shared files are not available to
|
|
anonymous IMAP logins. By default, newly-created files in
|
|
#shared are created with protection 0660.
|
|
_________________________________________________________________
|
|
|
|
4.7 How can I make the server syslogs go to someplace other than the
|
|
mail syslog?
|
|
|
|
The openlog() call that sets the syslog facility is in
|
|
src/osdep/unix/env_unix.c in routine server_init(). You need to
|
|
edit this file to change the syslog facility from LOG_MAIL to
|
|
the facility you want, then rebuild. You also need to set up
|
|
your /etc/syslog.conf properly.
|
|
|
|
Refer to the man pages for syslog and syslogd for more
|
|
information on what the available syslog facilities are and how
|
|
to configure syslogs. If you still don't understand what to do,
|
|
find a UNIX system expert.
|
|
_________________________________________________________________
|
|
|
|
5. Security Questions
|
|
_________________________________________________________________
|
|
|
|
5.1 I see that the IMAP server allows access to arbitary files on the
|
|
system, including /etc/passwd! How do I disable this?
|
|
|
|
You should not worry about this if your IMAP users are allowed
|
|
shell access. The IMAP server does not permit any access that
|
|
the user can not have via the shell.
|
|
|
|
If, and only if, you deny your IMAP users shell access, you may
|
|
want to consider one of three choices. Note that these choices
|
|
reduce IMAP functionality, and may have undesirable side
|
|
effects. Each of these choices involves an edit to file
|
|
src/osdep/unix/env_unix.c
|
|
|
|
The first (and recommended) choice is to set restrictBox as
|
|
described in file CONFIG. This will disable access to the
|
|
filesystem root, to other users' home directory, and to
|
|
superior directory.
|
|
|
|
The second (and strongly NOT recommended) choice is to set
|
|
closedBox as described in file CONFIG. This puts each IMAP
|
|
session into a so-called "chroot jail", and thus setting this
|
|
option is extremely dangerous; it can make your system much
|
|
less secure and open to root compromise attacks. So do not use
|
|
this option unless you are absolutely certain that you
|
|
understand all the issues of a "chroot jail."
|
|
|
|
The third choice is to rewrite routine mailboxfile() to
|
|
implement whatever mapping from mailbox name to filesystem name
|
|
(and restrictions) that you wish. This is the most general
|
|
choice. As a guide, you can see at the start of routine
|
|
mailboxfile() what the restrictBox choice does.
|
|
_________________________________________________________________
|
|
|
|
5.2 I've heard that IMAP servers are insecure. Is this true?
|
|
|
|
There are no known security problems in this version of the
|
|
IMAP toolkit, including the IMAP and POP servers. The IMAP and
|
|
POP servers limit what can be done while not logged in, and as
|
|
part of the login process discard all privileges except those
|
|
of the user.
|
|
|
|
As with other software packages, there have been buffer
|
|
overflow vulnerabilities in past versions. All known problems
|
|
of this nature are fixed in this version.
|
|
|
|
There is every reason to believe that the bad guys are engaged
|
|
in an ongoing effort to find vulnerabilities in the IMAP
|
|
toolkit. We look for such problems, and when one is found we
|
|
fix it.
|
|
|
|
It's unfortunate that any vulnerabilities existed in past
|
|
versions, and we're doing my best to keep the IMAP toolkit free
|
|
of vulnerabilities. No new vulnerabilities have been discovered
|
|
in quite a while, but efforts will not be relaxed.
|
|
|
|
Beware of vendors who claim that their implementations can not
|
|
have vulnerabilities.
|
|
_________________________________________________________________
|
|
|
|
5.3 How do I know that I have the most secure version of the server?
|
|
|
|
The best way is to keep your server software up to date. The
|
|
bad guys are always looking for ways to crack software, and
|
|
when they find one, let all their friends know.
|
|
|
|
Oldtimers used to refer to a concept of software rot: if your
|
|
software hasn't been updated in a while, it would "rot" -- tend
|
|
to acquire problems that it didn't have when it was new.
|
|
|
|
The latest release version of the IMAP toolkit is always
|
|
available at ftp://ftp.cac.washington.edu/mail/imap.tar.Z
|
|
_________________________________________________________________
|
|
|
|
5.4 I see all these strcpy() and sprintf() calls, those are unsafe,
|
|
aren't they?
|
|
|
|
Yes and no.
|
|
|
|
It can be unsafe to do these calls if you do not know that the
|
|
string being written will fit in the buffer. However, they are
|
|
perfectly safe if you do know that.
|
|
|
|
Beware of programmers who advocate doing a brute-force change
|
|
of all instances of
|
|
|
|
strcpy (s,t);
|
|
|
|
to
|
|
|
|
strncpy (s,t,n)[n] = '\0';
|
|
|
|
and similar measures in the name of "fixing all possible buffer
|
|
overflows."
|
|
|
|
There are examples in which a security bug was introduced
|
|
because of this type of "fix", due to the programmer using the
|
|
wrong value for n. In one case, the programmer thought that n
|
|
was larger than it actually was, causing a NUL to be written
|
|
out of the buffer; in another, n was too small, and a security
|
|
credential was truncated.
|
|
|
|
What is particularly ironic was that in both cases, the
|
|
original strcpy() was safe, because the size of the source
|
|
string was known to be safe.
|
|
|
|
With all this in mind, the software has been inspected, and it
|
|
is believed that all places where buffer overflows can happen
|
|
have been fixed. The strcpy()s that are still are in the code
|
|
occur after a size check was done in some other way.
|
|
|
|
Note that the common C idiom of
|
|
|
|
*s++ = c;
|
|
|
|
is just as vulnerable to buffer overflows. You can't cure
|
|
buffer overflows by outlawing certain functions, nor is it
|
|
desirable to do so; sometimes operations like strcpy()
|
|
translate into fast machine instructions for better
|
|
performance.
|
|
|
|
Nothing replaces careful study of code. That's how the bad guys
|
|
find bugs. Security is not accomplished by means of brute-force
|
|
shortcuts.
|
|
_________________________________________________________________
|
|
|
|
5.5 Those /tmp lock files are protected 666, is that really right?
|
|
|
|
Yes. Shared mailboxes won't work otherwise. Also, you get into
|
|
accidental denial of service problems with old lock files left
|
|
lying around; this happens fairly frequently.
|
|
|
|
The deliberate mischief that can be caused by fiddling with the
|
|
lock files is small-scale; harassment level at most. There are
|
|
many -- and much more effective -- other ways of harassing
|
|
another user on UNIX. It's usually not difficult to determine
|
|
the culprit.
|
|
|
|
Before worrying about deliberate mischief, worry first about
|
|
things happening by accident!
|
|
_________________________________________________________________
|
|
|
|
6. Why Did You Do This Strange Thing? Questions
|
|
_________________________________________________________________
|
|
|
|
6.1 Why don't you use GNU autoconfig / automake / autoblurdybloop?
|
|
|
|
Autoconfig et al are not available on all the platforms where
|
|
the IMAP toolkit is supported; and do not work correctly on
|
|
some of the platforms where they do exist. Furthermore, these
|
|
programs add another layer of complexity to an already complex
|
|
process.
|
|
|
|
Coaxing software that uses autoconfig to build properly on
|
|
platforms which were not specifically considered by that
|
|
software wastes an inordinate amount of time. When (not if)
|
|
autoconfig fails to do the right thing, the result is an
|
|
inpenetrable morass to untangle in order to find the problem
|
|
and fix it.
|
|
|
|
The concept behind autoconfig is good, but the execution is
|
|
flawed. It rarely does the right thing on a platform that
|
|
wasn't specifically considered. Human life is too short to
|
|
debug autoconfig problems, especially since the current
|
|
mechanism is so much easier.
|
|
_________________________________________________________________
|
|
|
|
6.2 Why do you insist upon a build with -g? Doesn't it waste disk and
|
|
memory space?
|
|
|
|
From time to time a submitted port has snuck in without -g.
|
|
This has always ended up causing problems. There are only two
|
|
valid excuses for not using -g in a port:
|
|
|
|
+ The compiler does not support -g
|
|
+ An alternate form of -g is needed with optimization, e.g.
|
|
-g3.
|
|
|
|
There will be no new ports added without -g (or a suitable
|
|
alternative) being set.
|
|
|
|
-g has not been arbitrarily added to the ports which do not
|
|
currently have it because we don't know if doing so would break
|
|
the build. However, any support issues with one of those port
|
|
will lead to the correct -g setting being determined and
|
|
permanently added.
|
|
|
|
Processors are fast enough (and disk space is cheap enough)
|
|
that -g should be automatic in all compilers with no way of
|
|
turning it off, and /bin/strip should be a symlink to
|
|
/bin/true. Human life is too short to deal with binaries built
|
|
without -g. Such binaries should be a bad memory of the days of
|
|
KIPS processors and disks that costs several dollars per
|
|
kilobyte.
|
|
_________________________________________________________________
|
|
|
|
6.3 Why don't you make c-client a shared library?
|
|
|
|
All too often, shared libraries create far more problems than
|
|
they solve.
|
|
|
|
Remember that you only gain the benefit of a shared library
|
|
when there are multiple applications which use that shared
|
|
library. Even without shared libraries, on most modern
|
|
operating systems (and many ancient ones too!) applications
|
|
will share their text segments between across multiple
|
|
processes running the same application. This means that if your
|
|
system only runs one application (e.g. imapd) that uses the
|
|
c-client library, then you gain no benefit from making c-client
|
|
a shared library even if it has 100 imapd processes. You will,
|
|
however suffer added complexity.
|
|
|
|
If you have a server system that just runs imapd and ipop3d,
|
|
then making c-client a shared library will save just one copy
|
|
of c-client no matter how many IMAP/POP3 processes are running.
|
|
|
|
The problem with shared libraries is that you have to keep
|
|
around a copy of the library every time something changes in
|
|
the library that would affect the interface the library
|
|
presents to the application. So, you end up having many copies
|
|
of the same shared library.
|
|
|
|
If you don't keep multiple copies of the shared library, then
|
|
one of two things happens. If there was proper versioning, then
|
|
you'll get a message such as "cannot open shared object file"
|
|
or "minor versions don't match" and the application won't run.
|
|
Otherwise, the application will run, but will fail in
|
|
mysterious ways.
|
|
|
|
Several sites and third-party distributors have modified the
|
|
c-client makefile in order to make c-client be a shared
|
|
library. When (not if) a c-client based application fails in
|
|
mysterious ways because of a library compatibility problem, the
|
|
result is a bug report. A lot of time and effort ends up
|
|
getting wasted investigating such bug reports.
|
|
|
|
Memory is so cheap these days that it's not worth it. Human
|
|
life is too short to deal with shared library compatibility
|
|
problems.
|
|
_________________________________________________________________
|
|
|
|
6.4 Why don't you use iconv() for internationalization support?
|
|
|
|
iconv() is not ubiquitous enough.
|
|
_________________________________________________________________
|
|
|
|
6.5 Why is the IMAP server connected to the home directory by default?
|
|
|
|
The IMAP server has no way of knowing what you might call
|
|
"mail" as opposed to "some other file"; in fact, you can use
|
|
IMAP to access any file.
|
|
|
|
The IMAP server also doesn't know whether your preferred
|
|
subdirectory for mailbox files is "mail/", ".mail/", "Mail/",
|
|
"Mailboxes/", or any of a zillion other possibilities. If one
|
|
such name were chosen, it would undoubtably anger the partisans
|
|
of all the other names.
|
|
|
|
It is possible to modify the software so that the default
|
|
connected directory is someplace else. Please read the file
|
|
CONFIG for discussion of this and other issues.
|
|
_________________________________________________________________
|
|
|
|
6.6 I have a Windows system. Why isn't the server plug and play for
|
|
me?
|
|
|
|
There is no standard for how mail is stored on Windows; nor a
|
|
single standard SMTP server. The closest to either would be the
|
|
SMTP server in Microsoft's IIS.
|
|
|
|
So there's no default by which to make assumptions. As the
|
|
software is set up, it assumes that the each user has an
|
|
Windows login account and private home directory, and that mail
|
|
is stored on that home directory as files in one of the popular
|
|
UNIX formats. It also assumes that there is some tool
|
|
equivalent to inetd on UNIX that does the TCP/IP listening and
|
|
server startup.
|
|
|
|
Basically, unless you're an email software hacker, you probably
|
|
want to look elsewhere if you want IMAP/POP servers for
|
|
Windows.
|
|
_________________________________________________________________
|
|
|
|
6.7 I looked at the UNIX SSL code and saw that you have the SSL data
|
|
payload size set to 8192 bytes. SSL allows 16K; why aren't you using
|
|
the full size?
|
|
|
|
This is to avoid an interoperability problem with:
|
|
|
|
+ PC IMAP clients that use Microsoft's SChannel.DLL (SSPI) for
|
|
SSL support
|
|
+ Microsoft Exchange server (which also uses SChannel).
|
|
|
|
SChannel has a bug that makes it think that the maximum SSL
|
|
data payload size is 16379 bytes -- 5 bytes too small. Thus,
|
|
c-client has to make sure that it never transmits full sized
|
|
SSL packets.
|
|
|
|
The reason for using 8K (as opposed to, say, 16379 bytes, or
|
|
15K, or...) is that it corresponds with the TCP buffer size
|
|
that the software uses elsewhere for input; there's a slight
|
|
performance benefit to having the two sizes correspond or at
|
|
least be a multiple of each other. Also, it keeps the size as a
|
|
power of two, which might be significant on some platforms.
|
|
|
|
There wasn't a significant difference that we could measure
|
|
between 8K and 15K.
|
|
|
|
Microsoft has developed a hotfix for this bug. Look up MSKB
|
|
article number 300562. Contrary to the article text which
|
|
implies that this is a Pine issue, this bug also affects
|
|
Microsoft Exchange server with any client that transmits
|
|
full-sized SSL payloads.
|
|
_________________________________________________________________
|
|
|
|
6.8 Why is an mh format INBOX called #mhinbox instead of just INBOX?
|
|
|
|
It's a long story. In brief, the mh format driver is less
|
|
functional than any of the other drivers. It turned out that
|
|
there were some users (including high-level administrators) who
|
|
tried mh years ago and no longer use it, but still had an mh
|
|
profile left behind.
|
|
|
|
When the mh driver used INBOX, it would see the mh profile, and
|
|
proceed to move the user's INBOX into the mh format INBOX. This
|
|
caused considerable confusion as some things stopped working.
|
|
_________________________________________________________________
|
|
|
|
6.9 Why don't you support the maildir format?
|
|
|
|
It is technically difficult to support maildir in IMAP while
|
|
maintaining acceptable performance, robustness, following the
|
|
requirements of the IMAP protocol specification, and following
|
|
the requirements of maildir.
|
|
|
|
No one has succeeded in accomplishing all four together. The
|
|
various maildir drivers offered as patches all have these
|
|
problems. The problem is exacerbated because this
|
|
implementation supports multiple formats; consequently this
|
|
implementation can't make any performance shortcuts by assuming
|
|
that all the world is maildir.
|
|
|
|
We can't do a better job than the maildir fan community has
|
|
done with their maildir drivers. Similarly, if the maildir fan
|
|
community provides the maildir driver, they take on the
|
|
responsibility for answering maildir-specific support
|
|
questions. This is as it should be, and that is why maildir
|
|
support is left to the maildir fan community.
|
|
_________________________________________________________________
|
|
|
|
6.10 Why don't you support the Cyrus format?
|
|
|
|
There's no point to doing so. An implementation which supports
|
|
multiple formats will never do as well as one which is
|
|
optimized to support one single format.
|
|
|
|
If you want to use Cyrus mailbox format, you should use the
|
|
Cyrus server, which is the native implementation of that format
|
|
and is specifically optimized for that format. That's also why
|
|
Cyrus doesn't implement any other format.
|
|
_________________________________________________________________
|
|
|
|
6.11 Why is it creating extra forks on my SVR4 system?
|
|
|
|
This is because your system only has fcntl() style locking and
|
|
not flock() style locking. fcntl() locking has a design flaw
|
|
that causes a close() to release any locks made by that process
|
|
on the file opened on that file descriptor, even if the lock
|
|
was made on a different file descriptor.
|
|
|
|
This design flaw causes unexpected loss of lock, and consequent
|
|
mailbox corruption. The workaround is to do certain "dangerous
|
|
operations" in another fork, thus avoiding doing a close() in
|
|
the vulnerable fork.
|
|
|
|
The best way to solve this problem is to upgrade your SVR4
|
|
(Solaris, AIX, HP-UX, SGI) or OSF/1 system to a more advanced
|
|
operating system, such as Linux or BSD. These more advanced
|
|
operating systems have fcntl() locking for compatibility with
|
|
SVR4, but also have flock() locking.
|
|
|
|
Beware of certain SVR4 systems, such as AIX, which have an
|
|
"flock()" function in their C library that is just a jacket
|
|
that does an fcntl() lock. This is not a true flock(), and has
|
|
the same design flaw as fcntl().
|
|
_________________________________________________________________
|
|
|
|
6.12 Why are you so fussy about the date/time format in the internal
|
|
"From " line in traditional UNIX mailbox files? My other mail program
|
|
just considers every line that starts with "From " to be the start of
|
|
the message.
|
|
|
|
You just answered your own question. If any line that starts
|
|
with "From " is treated as the start of a message, then every
|
|
message text line which starts with "From " has to be quoted
|
|
(typically by prefixing a ">" character). People complain about
|
|
this -- "why did a > get stuck in my message?"
|
|
|
|
So, good mail reading software only considers a line to be a
|
|
"From " line if it follows the actual specification for a
|
|
"From " line. This means, among other things, that the day of
|
|
week is fixed-format: "May 14", but "May 7" (note the extra
|
|
space) as opposed to "May 7". ctime() format for the date is
|
|
the most common, although POSIX also allows a numeric timezone
|
|
after the year. For compatibility with ancient software, the
|
|
seconds are optional, the timezone may appear before the year,
|
|
the old 3-letter timezones are also permitted, and "remote from
|
|
xxx" may appear after the whole thing.
|
|
|
|
Unfortunately, some software written by novices use other
|
|
formats. The most common error is to have a variable-width day
|
|
of month, perhaps in the erroneous belief that RFC 2822 (or RFC
|
|
822) defines the format of the date/time in the "From " line
|
|
(it doesn't; no RFC describes internal formats). I've seen a
|
|
few other goofs, such as a single-digit second, but these are
|
|
less common.
|
|
|
|
If you are writing your own software that writes mailbox files,
|
|
and you really aren't all that savvy with all the ins and outs
|
|
and ancient history, you should seriously consider using the
|
|
c-client library (e.g. routine mail_append()) instead of doing
|
|
the file writes yourself. If you must do it yourself, use
|
|
ctime(), as in:
|
|
|
|
fprintf (mbx,"From %s@%h %s",user,host,ctime (time (0)));
|
|
|
|
rather than try to figure out a good format yourself. ctime()
|
|
is the most traditional format and nobody will flame you for
|
|
using it.
|
|
_________________________________________________________________
|
|
|
|
6.13 Why is traditional UNIX format the default format?
|
|
|
|
Compatibility with the past 30 or so years of UNIX history.
|
|
This server is the only one that completely interoperates with
|
|
legacy UNIX mail tools.
|
|
_________________________________________________________________
|
|
|
|
6.14 Why do you write this "DON'T DELETE THIS MESSAGE -- FOLDER
|
|
INTERNAL DATA" message at the start of traditional UNIX and MMDF
|
|
format mailboxes?
|
|
|
|
This pseudo-message serves two purposes.
|
|
|
|
First, it establishes the mailbox format even when the mailbox
|
|
has no messages. Otherwise, a mailbox with no messages is a
|
|
zero-byte file, which could be one of several formats.
|
|
|
|
Second, it holds mailbox metadata used by IMAP: the UID
|
|
validity, the last assigned UID, and mailbox keywords. Without
|
|
this metadata, which must be preserved even when the mailbox
|
|
has no messages, the traditional UNIX format wouldn't be able
|
|
to support the full capabilities of IMAP.
|
|
_________________________________________________________________
|
|
|
|
6.15 Why don't you stash the mailbox metadata in the first real
|
|
message of the mailbox instead of writing this fake FOLDER INTERNAL
|
|
DATA message?
|
|
|
|
In fact, that is what is done if the mailbox is non-empty and
|
|
does not already have a FOLDER INTERNAL DATA message.
|
|
|
|
One problem with doing that is that if some external program
|
|
removes the first message, the metadata is lost and must be
|
|
recreated, thus losing any prior UID or keyword list status
|
|
that IMAP clients may depend upon.
|
|
|
|
Another problem is that this doesn't help if the last message
|
|
is deleted. This will result in an empty mailbox, and the
|
|
necessity to create a FOLDER INTERNAL DATA message.
|
|
_________________________________________________________________
|
|
|
|
6.16 Why aren't "dual-use" mailboxes the default?
|
|
|
|
Compatibility with the past 30 or so years of UNIX history, not
|
|
to mention compatibility with user expectations when using
|
|
shell tools.
|
|
_________________________________________________________________
|
|
|
|
6.17 Why do you use ucbcc to build on Solaris?
|
|
|
|
It is a long, long story about why cc is set to ucbcc. You need
|
|
to invoke the C compiler so that it links with the SVR4
|
|
libraries and not the BSD libraries, otherwise readdir() will
|
|
return the wrong information.
|
|
|
|
Of all the names in the most common path, ucbcc is the only
|
|
name to be found (on /usr/ccs/bin) that points to a suitable
|
|
compiler. cc is likely to be /usr/ucb/cc which is absolutely
|
|
not the compiler that you want. The real SVR4 cc is probably
|
|
something like /opt/SUNWspro/bin/cc which is rarely in anyone's
|
|
path by default.
|
|
|
|
ucbcc is probably a link to acc, e.g.
|
|
/opt/SUNWspro/SC4.0/bin/acc, and is the UCB C compiler using
|
|
the SVR4 libraries.
|
|
|
|
If ucbcc isn't on your system, then punt on the SUN C compiler
|
|
and use gcc instead (the gso port instead of the sol port).
|
|
|
|
If, in spite of all the above warnings, you choose to change
|
|
"ucbcc" to "cc", you will probably find that the -O2 needs to
|
|
be changed to -O. If you don't get any error messages with -O2,
|
|
that's a pretty good indicator that you goofed and are running
|
|
the compiler that will link with the BSD libraries.
|
|
|
|
To recap:
|
|
|
|
+ The sol port is designed to be built using the UCB compiler
|
|
using the SVR4 libraries. This compiler is "ucbcc", which is
|
|
lunk to acc. You use -O2 as one of the CFLAGS.
|
|
+ If you build the sol port with the UCB compiler using the BSD
|
|
libraries, you will get no error messages but you will get
|
|
bad binaries (the most obvious symptom is dropping the first
|
|
two characters return filenames from the imapd LIST command.
|
|
This compiler also uses -O2, and is very often what the user
|
|
gets from "cc". BEWARE
|
|
+ If you build the sol port with the real SVR4 compiler, which
|
|
is often hidden away or unavailable on many systems, then you
|
|
will get errors from -O2 and you need to change that to -O.
|
|
But you will get a good binary. However, you should try it
|
|
with -O2 first, to make sure that you got this compiler and
|
|
not the UCB compiler using BSD libraries.
|
|
_________________________________________________________________
|
|
|
|
6.18 Why should I care about some old system with BSD libraries? cc is
|
|
the right thing on my Solaris system!
|
|
|
|
Because there still are sites that use such systems. On those
|
|
systems, the assumption that "cc" does the right thing will
|
|
lead to corrupt binaries with no error message or other warning
|
|
that anything is amiss.
|
|
|
|
Too many sites have fallen victim to this problem.
|
|
_________________________________________________________________
|
|
|
|
6.19 Why do you insist upon writing .lock files in the spool
|
|
directory?
|
|
|
|
Compatibility with the past 30 years of UNIX software which
|
|
deals with the spool directory, especially software which
|
|
delivers mail. Otherwise, it is possible to lose mail.
|
|
_________________________________________________________________
|
|
|
|
6.20 Why should I care about compatibility with the past?
|
|
|
|
This is one of those questions in which the answer never
|
|
convinces those who ask it. Somehow, everybody who ever asks
|
|
this question ends up answering it for themselves as they get
|
|
older, with the very answer that they rejected years earlier.
|
|
_________________________________________________________________
|
|
|
|
7. Problems and Annoyances
|
|
_________________________________________________________________
|
|
|
|
7.1 Help! My INBOX is empty! What happened to my messages?
|
|
|
|
If you are seeing "0 messages" when you open INBOX and you know
|
|
you have messages there (and perhaps have looked at your mail
|
|
spool file and see that messages are there), then probably
|
|
there is something wrong with the very first line of your mail
|
|
spool file. Make sure that the first five bytes of the file are
|
|
"From ", followed by an email address and a date/time in
|
|
ctime() format, e.g.:
|
|
|
|
From fred@foo.bar Mon May 7 20:54:30 2001
|
|
_________________________________________________________________
|
|
|
|
7.2 Help! All my messages in a non-INBOX mailbox have been
|
|
concatenated into one message which claims to be from me and has a
|
|
subject of the file name of the mailbox! What's going on?
|
|
|
|
Something wrong with the very first line of the mailbox. Make
|
|
sure that the first five bytes of the file are "From ",
|
|
followed by an email address and a date/time in ctime() format,
|
|
e.g.:
|
|
|
|
From fred@foo.bar Mon May 7 20:54:30 2001
|
|
_________________________________________________________________
|
|
|
|
7.3 Why do I get the message: CREATE failed: Can't create mailbox node
|
|
xxxxxxxxx: File exists and how do I fix it?
|
|
|
|
See the answer to the Are hierarchical mailboxes supported?
|
|
question.
|
|
_________________________________________________________________
|
|
|
|
7.4 Why can't I log in to the server? The user name and password are
|
|
right!
|
|
|
|
There are a myriad number of possible answers to this question.
|
|
The only way to say for sure what is wrong is run the server
|
|
under a debugger such as gdb while root (yes, you must be root)
|
|
with a breakpoint at routines checkpw() and loginpw(), then
|
|
single-step until you see which test rejected you. The server
|
|
isn't going to give any error messages other than "login
|
|
failed" in the name of not giving out any unnecessary
|
|
information to unauthorized individuals.
|
|
|
|
Here are some of the more common reasons why login may fail:
|
|
|
|
+ You didn't really give the correct user name and/or password.
|
|
+ Your client doesn't send the LOGIN command correctly; for
|
|
example, IMAP2 clients won't send a password containing a "*"
|
|
correctly to an IMAP4 server.
|
|
+ If you have set up a CRAM-MD5 database, remember that the
|
|
password used is the one in the CRAM-MD5 database, and
|
|
furthermore that there must also be an entry in /etc/passwd
|
|
(but the /etc/passwd password is not used).
|
|
+ If you are using PAM, have you created a service file for the
|
|
server in /etc/pam.d?
|
|
+ If you are using shadow passwords, have you used an
|
|
appropriate port when building? In particular, note that
|
|
"lnx" is for Linux systems without shadow passwords; you
|
|
probably want "slx" or "lnp" instead.
|
|
+ If your system has account or password expirations, check to
|
|
see that the expiration date hasn't passed.
|
|
+ You can't log in as root or any other UID 0 user. This is for
|
|
your own safety, not to mention the fact that the servers use
|
|
UID 0 as meaning "not logged in".
|
|
_________________________________________________________________
|
|
|
|
7.5 Help! My load average is soaring and I see hundreds of POP and
|
|
IMAP servers, many logged in as the same user!
|
|
|
|
Certain inferior losing GUI mail reading programs have a
|
|
"synchronize all mailboxes at startup" (IMAP) or "check for new
|
|
mail every second" (POP) feature which causes a rapid and
|
|
unchecked spawning of servers.
|
|
|
|
This is not a problem in the server; the client is really
|
|
asking for all those server sessions. Unfortunately, there
|
|
isn't much that the POP and IMAP servers can do about it; they
|
|
don't spawned themselves.
|
|
|
|
Some sites have added code to record the number of server
|
|
sessions spawned per user per hour, and disable login for a
|
|
user who has exceeded a predetermined rate. This doesn't stop
|
|
the servers from being spawned; it just means that a server
|
|
session will commit suicide a bit faster.
|
|
|
|
Another possibility is to detect excessive server spawning
|
|
activity at the level where the server is spawned, which would
|
|
be inetd or possibly tcpd. The problem here is that this is a
|
|
hard time to quantify. 50 sessions in a minute from a
|
|
multi-user timesharing system may be perfectly alright, whereas
|
|
10 sessions a minute from a PC may be too much.
|
|
|
|
The real solution is to fix the client configuration, by
|
|
disabling those evil features. Also tell the vendors of those
|
|
clients how you feel about distributing denial-of-service
|
|
attack tools in the guise of mail reading programs.
|
|
_________________________________________________________________
|
|
|
|
7.6 Why does mail disappear even though I set "keep mail on server"?
|
|
7.7 Why do I get the message Moved ##### bytes of new mail to
|
|
/home/user/mbox from /var/spool/mail/user and why did this happen?
|
|
|
|
This is probably caused by the mbox driver. If the file "mbox"
|
|
exists on the user's home directory and is in UNIX mailbox
|
|
format, then when INBOX is opened this file will be selected as
|
|
INBOX instead of the mail spool file. Messages will be
|
|
automatically transferred from the mail spool file into the
|
|
mbox file.
|
|
|
|
To disable this behavior, delete "mbox" from the EXTRADRIVERS
|
|
list in the top-level Makefile and rebuild. Note that if you do
|
|
this, users won't be able to access the messages that have
|
|
already been moved to mbox unless they open mbox instead of
|
|
INBOX.
|
|
_________________________________________________________________
|
|
|
|
7.8 Why isn't it showing the local host name as a fully-qualified
|
|
domain name?
|
|
7.9 Why is the local host name in the From/Sender/Message-ID headers
|
|
of outgoing mail not coming out as a fully-qualified domain name?
|
|
|
|
Your UNIX system is misconfigured. The entry for your system in
|
|
/etc/hosts must have the fully-qualified domain name first,
|
|
e.g.
|
|
|
|
105.69.1.234 myserver.example.com myserver
|
|
|
|
A common mistake of novice system administrators is to have the
|
|
short name first, e.g.
|
|
|
|
105.69.1.234 myserver myserver.example.com
|
|
|
|
or to omit the fully qualified domain name entirely, e.g.
|
|
|
|
105.69.1.234 myserver
|
|
|
|
The result of this is that when the IMAP toolkit does a
|
|
gethostbyname() call to get the fully-qualified domain name, it
|
|
would get "myserver" instead of "myserver.example.com".
|
|
|
|
On some systems, a configuration file (typically named
|
|
/etc/svc.conf, /etc/netsvc.conf, or /etc/nsswitch.conf) can be
|
|
used to configure the system to use the domain name system
|
|
(DNS) instead of /etc/hosts, so it doesn't matter if /etc/hosts
|
|
is misconfigured.
|
|
|
|
Check the man pages for gethostbyname, hosts, svc, and/or
|
|
netsvc for more information.
|
|
|
|
Unfortunately, certain vendors, most notably SUN, have failed
|
|
to make this clear in their documentation. Most of SUN's
|
|
documentation assumes a corporate network that is not connected
|
|
to the Internet.
|
|
|
|
net.folklore once (late 1980s) held that the proper procedure
|
|
was to append the results of getdomainname() to the name
|
|
returned by gethostname(), and some versions of sendmail
|
|
configuration files were distributed that did this. This was
|
|
incorrect; the string returned from getdomainname() is the
|
|
Yellow Pages (a.k.a NIS) domain name, which is a completely
|
|
different (albeit unfortunately named) entity from an Internet
|
|
domain. These were often fortuitously the same string, except
|
|
when they weren't. Frequently, this would result in host names
|
|
with spuriously doubled domain names, e.g.
|
|
|
|
myserver.example.com.example.com
|
|
|
|
This practice has been thoroughly discredited for many years,
|
|
but folklore dies hard.
|
|
_________________________________________________________________
|
|
|
|
7.10 What does the message: Mailbox vulnerable - directory
|
|
/var/spool/mail must have 1777 protection mean? How can I fix this?
|
|
|
|
In order to update a mailbox in the default UNIX format, it is
|
|
necessary to create a lock file to prevent the mailer from
|
|
delivering mail while an update is in progress. Some systems
|
|
use a directory protection of 775, requiring that all mail
|
|
handling programs be setgid mail; or of 755, requiring that all
|
|
mail handling programs be setuid root.
|
|
|
|
The IMAP toolkit does not run with any special privileges, and
|
|
I plan to keep it that way. It is antithetical to the concept
|
|
of a toolkit if users can't write their own programs to use it.
|
|
Also, I've had enough bad experiences with security bugs while
|
|
running privileged; the IMAP and POP servers have to be root
|
|
when not logged in, in order to be able to log themselves in. I
|
|
don't want to go any deeper down that slippery slope.
|
|
|
|
Directory protection 1777 is secure enough on most well-managed
|
|
systems. If you can't trust your users with a 1777 mail spool
|
|
(petty harassment is about the limit of the abuse exposure),
|
|
then you have much worse problems then that.
|
|
|
|
If you absolutely insist upon requiring privileges to create a
|
|
lock file, external file locking can be done via a setgid mail
|
|
program named /etc/mlock (this is defined by LOCKPGM in the
|
|
c-client Makefile). If the toolkit is unable to create a
|
|
<...mailbox...>.lock file in the directory by itself, it will
|
|
try to call mlock to do it. I do not recommend doing this for
|
|
performance reasons.
|
|
|
|
A sample mlock program is included as part of imap-2007. We
|
|
have tried to make this sample program secure, but it has not
|
|
been thoroughly audited.
|
|
_________________________________________________________________
|
|
|
|
7.11 What does the message: Mailbox is open by another process, access
|
|
is readonly mean? How do I fix this?
|
|
|
|
A problem occurred in applying a lock to a /tmp lock file.
|
|
Either some other program has the mailbox open and won't
|
|
relenquish it, or something is wrong with the protection of
|
|
/tmp or the lock.
|
|
|
|
Make sure that the /tmp directory is protected 1777. Some
|
|
security scripts incorrectly set the protection of the /tmp
|
|
directory to 775, which disables /tmp for all non-privileged
|
|
programs.
|
|
_________________________________________________________________
|
|
|
|
7.12 What does the message: Can't get write access to mailbox, access
|
|
is readonly mean?
|
|
|
|
The mailbox file is write-protected against you.
|
|
_________________________________________________________________
|
|
|
|
7.13 I set my POP3 client to "delete messages from server" but they
|
|
never get deleted. What is wrong?
|
|
|
|
Make sure that your mailbox is not read-only: that the mailbox
|
|
is owned by you and write enabled (protection 0600), and that
|
|
the /tmp directory is longer world-writeable. /tmp must be
|
|
world-writeable because lots of applications use it for scratch
|
|
space. To fix this, do
|
|
|
|
|
|
chmod 1777 /tmp
|
|
|
|
as root.
|
|
|
|
Make sure that your POP3 client issues a QUIT command when it
|
|
finishes. The POP3 protocol specifies that deletions are
|
|
discarded unless a proper QUIT is done.
|
|
|
|
Make sure that you are not opening multiple POP3 sessions to
|
|
the same mailbox. It is a requirement of the POP3 protocol than
|
|
only one POP3 session be in effect to a mailbox at a time,
|
|
however some, poorly-written POP3 clients violate this. Also,
|
|
some background "check for new mail" tasks also cause a
|
|
violation. See the answer to the What does the syslog message:
|
|
Killed (lost mailbox lock) user=... host=... mean? question for
|
|
more details.
|
|
_________________________________________________________________
|
|
|
|
7.14 What do messages such as:
|
|
Message ... UID ... already has UID ...
|
|
Message ... UID ... less than ...
|
|
Message ... UID ... greater than last ...
|
|
Invalid UID ... in message ..., rebuilding UIDs
|
|
|
|
mean?
|
|
|
|
Something happened to corrupt the unique identifier regime in
|
|
the mailbox. In traditional UNIX-format mailboxes, this can
|
|
happen if the user deleted the "DO NOT DELETE" internal
|
|
message.
|
|
|
|
This problem is relatively harmless; a new valid unique
|
|
identifier regime will be created. The main effect is that any
|
|
references to the old UIDs will no longer be useful.
|
|
|
|
So, unless it is a chronic problem or you feel like debugging,
|
|
you can safely ignore these messages.
|
|
_________________________________________________________________
|
|
|
|
7.15 What do the error messages:
|
|
Unable to read internal header at ...
|
|
Unable to find CRLF at ...
|
|
Unable to parse internal header at ...
|
|
Unable to parse message date at ...
|
|
Unable to parse message flags at ...
|
|
Unable to parse message UID at ...
|
|
Unable to parse message size at ...
|
|
Last message (at ... ) runs past end of file ...
|
|
|
|
mean? I am using mbx format.
|
|
|
|
The mbx-format mailbox is corrupted and needs to be repaired.
|
|
|
|
You should make an effort to find out why the corruption
|
|
happened. Was there an obvious system problem (crash or disk
|
|
failure)? Did the user accidentally access the file via NFS?
|
|
Mailboxes don't get corrupted by themselves; something caused
|
|
the problem.
|
|
|
|
Some people have developed automated scripts, but if you're
|
|
comfortable using emacs it's pretty easy to fix it manually. Do
|
|
not use vi or any other editor unless you are certain that
|
|
editor can handle binary!!!
|
|
|
|
If you are not comfortable with emacs, or if the file is too
|
|
large to read with emacs, see the "step-by-step" technique
|
|
later on for another way of doing it.
|
|
|
|
After the word "at" in the error message is the byte position
|
|
it got to when it got unhappy with the file, e.g. if you see:
|
|
|
|
Unable to parse internal header at 43921: ne bombastic blurdybloop
|
|
|
|
The problem occurs at the 43,931 byte in the file. That's the
|
|
point you need to fix. c-client is expecting an internal header
|
|
at that byte number, looking something like:
|
|
|
|
6-Jan-1998 17:42:24 -0800,1045;000000100001-00000001
|
|
|
|
The format of this internal line is:
|
|
|
|
dd-mmm-yyyy hh:mm:ss +zzzz,ssss;ffffffffFFFF-UUUUUUUU
|
|
|
|
The only thing that is variable is the "ssss" field, it can be
|
|
as many digits as needed. All other fields (inluding the "dd")
|
|
are fixed width. So, the easiest thing to do is to look forward
|
|
in the file for the next internal header, and delete everything
|
|
from the error point to that internal header.
|
|
|
|
Here's what to do if you want to be smarter and do a little bit
|
|
more work. Generally, you're in the middle of a message, and
|
|
there's nothing wrong with that message. The problem happened
|
|
in the *previous* message. So, search back to the previous
|
|
internal header. Now, remember that "ssss" field? That's the
|
|
size of that message.
|
|
|
|
Mark where you are in the file, move the cursor to the line
|
|
after the internal header, and skip that many bytes ("ssss")
|
|
forward. If you're at the point of the error in the file, then
|
|
that message is corrupt. If you're at a different point, then
|
|
perhaps the previous message is corrupt and has a too long size
|
|
count that "ate" into this message.
|
|
|
|
Basically, what you need to do is make sure that all those size
|
|
counts are right, and that moving "ssss" bytes from the line
|
|
after the internal header will land you at another internal
|
|
header.
|
|
|
|
Usually, once you know what you're looking at, it's pretty easy
|
|
to work out the corruption, and the best remedial action.
|
|
Repair scripts will make the problem go away but may not always
|
|
do the smartest/best salvage of the user's data. Manual repair
|
|
is more flexible and usually preferable.
|
|
|
|
Here is a step-by-step technique for fixing corrupt mbx files
|
|
that's a bit cruder than the procedure outlined above, but
|
|
works for any size file.
|
|
|
|
In this example, suppose that the corrupt file is INBOX, the
|
|
error message is
|
|
|
|
Unable to find CRLF at 132551754
|
|
|
|
and the size of the INBOX file is 132867870 bytes.
|
|
|
|
The first step is to split the mailbox file at the point of the
|
|
error:
|
|
|
|
+ Rename the INBOX file to some other name, such as INBOX.bad.
|
|
+ Copy the first 132,551,754 bytes of INBOX.bad to another
|
|
file, such as INBOX.new.
|
|
+ Extract the trailing 316,116 bytes (132867870-132551754) of
|
|
INBOX.bad into another file, such as INBOX.tail.
|
|
+ You no longer need INBOX.bad. Delete it.
|
|
|
|
In other words, use the number from the "Unable to find CRLF
|
|
at" as the point to split INBOX into two new files, INBOX.new
|
|
and INBOX.tail.
|
|
|
|
Now, remove the erroneous data:
|
|
|
|
+ Verify that you can open INBOX.new in IMAP or Pine.
|
|
+ The last message of INBOX.new is probably corrupted. Copy it
|
|
to another file, such as badmsg.1, then delete and expunge
|
|
that last message from INBOX.new
|
|
+ Locate the first occurance of text in INBOX.tail which looks
|
|
like an internal header, as described above.
|
|
+ Remove all the text which occurs prior to that point, and
|
|
place it into another file, such as badmsg.2. Note that in
|
|
the case of a single digit date, there is a leading space
|
|
which must not be removed (e.g. " 6-Nov-2001" not
|
|
"6-Nov-2001").
|
|
|
|
Reassemble the mailbox:
|
|
|
|
+ Append INBOX.tail to INBOX.new.
|
|
+ You no longer need INBOX.tail. Delete it.
|
|
+ Verify that you can open INBOX.new in IMAP or Pine.
|
|
|
|
Reinstall INBOX.new as INBOX:
|
|
|
|
+ Check to see if you have received any new messages while
|
|
repairing INBOX.
|
|
+ If you haven't received any new messages while repairing
|
|
INBOX, just rename INBOX.new to INBOX.
|
|
+ If you have received new messages, be sure to copy the new
|
|
messages from INBOX to INBOX.new before doing the rename.
|
|
|
|
You now have a working INBOX, as well as two files with
|
|
corrupted data (badmsg.1 and badmsg.2). There may be some
|
|
useful data in the two badmsg files that you might want to try
|
|
salvaging; otherwise you can delete the two badmsg files.
|
|
_________________________________________________________________
|
|
|
|
7.16 What do the syslog messages:
|
|
|
|
imap/tcp server failing (looping)
|
|
pop3/tcp server failing (looping)
|
|
|
|
mean? When it happens, the listed service shuts down. How can I fix
|
|
this?
|
|
|
|
The error message "server failing (looping), service
|
|
terminated" is not from either the IMAP or POP servers.
|
|
Instead, it comes from inetd, the daemon which listens for TCP
|
|
connections to a number of servers, including the IMAP and POP
|
|
servers.
|
|
|
|
inetd has a limit of 40 new server sessions per minute for any
|
|
particular service. If more than 40 sessions are initiated in a
|
|
minute, inetd will issue the "failing (looping), service
|
|
terminated" message and shut down the service for 10 minutes.
|
|
inetd does this to prevent system resource consumption by a
|
|
client which is spawning infinite numbers of servers. It should
|
|
be noted that this is a denial of service; however for some
|
|
systems the alternative is a crash which would be a worse
|
|
denial of service!
|
|
|
|
For larger server systems, the limit of 40 is much too low. The
|
|
limit was established many years ago when a system typically
|
|
only ran a few dozen servers.
|
|
|
|
On some versions of inetd, such as the one distributed with
|
|
most versions of Linux, you can modify the /etc/inetd.conf file
|
|
to have a larger number of servers by appending a period
|
|
followed by a number after the nowait word for the server
|
|
entry. For example, if your existing /etc/inetd.conf line
|
|
reads:
|
|
|
|
imap stream tcp nowait root /usr/etc/imapd imapd
|
|
|
|
try changing it to be:
|
|
|
|
imap stream tcp nowait.100 root /usr/etc/imapd imapd
|
|
|
|
Another example (using TCP wrappers):
|
|
|
|
imap stream tcp nowait root /usr/sbin/tcpd imapd
|
|
|
|
try changing it to be:
|
|
|
|
imap stream tcp nowait.100 root /usr/sbin/tcpd imapd
|
|
|
|
to increase the limit to 100 sessions/minute.
|
|
|
|
Before making this change, please read the information in "man
|
|
inetd" to determine whether or not your inetd has this feature.
|
|
If it does not, and you make this change, the likely outcome is
|
|
that you will disable IMAP service entirely.
|
|
|
|
Another way to fix this problem is to edit the inetd.c source
|
|
code (provided by your UNIX system vendor) to set higher
|
|
limits, rebuild inetd, install the new binary, and reboot your
|
|
system. This should only be done by a UNIX system expert. In
|
|
the inetd.c source code, the limits TOOMANY (normally 40) is
|
|
the maximum number of new server sessions permitted per minute,
|
|
and RETRYTIME (normally 600) is the number of seconds inetd
|
|
will shut down the server after it exceeds TOOMANY.
|
|
_________________________________________________________________
|
|
|
|
7.17 What does the syslog message: Mailbox lock file /tmp/.600.1df3
|
|
open failure: Permission denied mean?
|
|
|
|
This usually means that some "helpful" security script person
|
|
has protected /tmp so that it is no longer world-writeable.
|
|
/tmp must be world-writeable because lots of applications use
|
|
it for scratch space. To fix this, do
|
|
|
|
chmod 1777 /tmp
|
|
|
|
as root.
|
|
|
|
If that isn't the answer, check the protection of the named
|
|
file. If it is something other than 666, then either someone is
|
|
hacking or some "helpful" person modified the code to have a
|
|
different default lock file protection.
|
|
_________________________________________________________________
|
|
|
|
7.18 What do the syslog messages:
|
|
Command stream end of file, while reading line user=... host=...
|
|
Command stream end of file, while reading char user=... host=...
|
|
Command stream end of file, while writing text user=... host=...
|
|
|
|
mean?
|
|
|
|
This message occurs when the session is disconnected without a
|
|
proper LOGOUT (IMAP) or QUIT (POP) command being received by
|
|
the server first.
|
|
|
|
In many cases, this is perfectly normal; many client
|
|
implementations are impolite and do this. Some programmers
|
|
think this sort of rudeness is "more efficient".
|
|
|
|
The condition could, however, indicate a client or network
|
|
connectivity problem. The server has no way of knowing whether
|
|
there's a problem or just a rude client, so it issues this
|
|
message instead of a Logout.
|
|
|
|
Certain inferior losing clients disconnect abruptly after a
|
|
failed login, and instead of saying that the login failed, just
|
|
say that they can't access the mailbox. They then complain to
|
|
the system manager, who looks in the syslog and finds this
|
|
message. Not very helpful, eh? See the answer to the Why can't
|
|
I log in to the server? The user name and password are right!
|
|
question.
|
|
|
|
If the user isn't reporting a problem, you can probably ignore
|
|
this message.
|
|
_________________________________________________________________
|
|
|
|
7.19 Why did my POP or IMAP session suddenly disconnect? The syslog
|
|
has the message: Killed (lost mailbox lock) user=... host=...
|
|
|
|
This message only happens when either the traditional UNIX
|
|
mailbox format or MMDF format is in use. This format only
|
|
allows one session to have the mailbox open read/write at a
|
|
time.
|
|
|
|
The servers assume that if a second session attempts to open
|
|
the mailbox, that means that the first session is probably
|
|
owned by an abandoned client. The common scenario here is a
|
|
user who leaves his client running at the office, and then
|
|
tries to read his mail from home. Through an internal mechanism
|
|
called kiss of death, the second session requests the first
|
|
session to kill itself. When the first session receives the
|
|
"kiss of death", it issues the "Killed (lost mailbox lock)"
|
|
syslog message and terminates. The second session then seizes
|
|
read/write access, and becomes the new "first" session.
|
|
|
|
Certain poorly-designed clients routinely open multiple
|
|
sessions to the same mailbox; the users of those clients tend
|
|
to get this message a lot.
|
|
|
|
Another cause of this message is a background "check for new
|
|
mail" task which does its work by opening a POP session to
|
|
server every few seconds. They do this because POP doesn't have
|
|
a way to announce new mail.
|
|
|
|
The solution to both situations is to replace the client with a
|
|
good online IMAP client such as Pine. Life is too short to
|
|
waste on POP clients and poorly-designed IMAP clients.
|
|
_________________________________________________________________
|
|
|
|
7.20 Why does my IMAP client show all the files on the system,
|
|
recursively from the UNIX root directory?
|
|
7.21 Why does my IMAP client show all of my files, recursively from my
|
|
UNIX home directory?
|
|
|
|
A well-written client should only show one level of hierarchy
|
|
and then stop, awaiting explicit user action before going
|
|
lower. However, some poorly-designed clients will recursively
|
|
list all files, which may be a very long list (especially if
|
|
you have symbolic links to directories that create a loop in
|
|
the filesystem graph!).
|
|
|
|
This behavior has also been observed in some third-party
|
|
c-client drivers, including maildir drivers. Consequently, this
|
|
problem has even been observed in Pine. It is important to
|
|
understand that this is not a problem in Pine or c-client; it
|
|
is a problem in the third-party driver. A Pine built without
|
|
that third-party driver will not have this problem.
|
|
|
|
See also the answer to Why does my IMAP client show all my
|
|
files in my home directory?
|
|
_________________________________________________________________
|
|
|
|
7.22 Why does my IMAP client show that I have mailboxes named
|
|
"#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"?
|
|
|
|
These are IMAP namespace names. They represent other
|
|
hierarchies in which messages may exist. These hierarchies may
|
|
not necessarily exist on a server, but the namespace name is
|
|
still in the namespace list in order to mark it as reserved.
|
|
|
|
A few poorly-designed clients display all namespace names as if
|
|
they were top-level mailboxes in a user's list of mailboxes,
|
|
whether or not they actually exist. This is a flaw in those
|
|
clients.
|
|
_________________________________________________________________
|
|
|
|
7.23 Why does my IMAP client show all my files in my home directory?
|
|
|
|
As distributed, the IMAP server is connected to your home
|
|
directory by default. It has no way of knowing what you might
|
|
call "mail" as opposed to "some other file"; in fact, you can
|
|
use IMAP to access any file.
|
|
|
|
Most clients have an option to configure your connected
|
|
directory on the IMAP server. For example, in Pine you can
|
|
specify this as the "Path" in your folder-collection, e.g.
|
|
|
|
Nickname : Secondary Folders
|
|
Server : imap.example.com
|
|
Path : mail/
|
|
View :
|
|
|
|
In this example, the user is connected to the "mail"
|
|
subdirectory of his home directory.
|
|
|
|
Other servers call this the "folder prefix" or similar term.
|
|
|
|
It is possible to modify the IMAP server so that all users are
|
|
automatically connected to some other directory, e.g. a
|
|
subdirectory of the user's home directory. Read the file CONFIG
|
|
for more details.
|
|
_________________________________________________________________
|
|
|
|
7.24 Why is there a long delay before I get connected to the IMAP or
|
|
POP server, no matter what client I use?
|
|
|
|
There are two common occurances of this problem:
|
|
|
|
+ You are running a system (e.g. certain versions of Linux)
|
|
which by default attempts to connect to an "IDENT" protocol
|
|
(port 113) server on your client. However, a firewall or NAT
|
|
box is blocking connections to that port, so the connection
|
|
attempt times out.
|
|
The IDENT protocol is a well-known bad idea that does not
|
|
deliver any real security but causes incredible problems. The
|
|
idea is that this will give the server a record of the user
|
|
name, or at least what some program listening on port 113
|
|
says is the user name. So, if somebody coming from port nnnnn
|
|
on a system does something bad, IDENT may give you the userid
|
|
of the bad guy.
|
|
The problem is, IDENT is only meaningful on a timesharing
|
|
system which has an administrator who is privileged and users
|
|
who are not. It is of no value on a personal system which has
|
|
no separate concept of "system administrator" vs.
|
|
"unprivileged user".
|
|
On either type of system, security-minded people either turn
|
|
IDENT off or replace it with an IDENT server that lies. Among
|
|
other things, IDENT gives spammers the ability to harvest
|
|
email addresses from anyone who connects to a web page.
|
|
This problem has been showing up quite frequently on systems
|
|
which use xinetd instead of inetd. Look for files named
|
|
/etc/xinetd.conf, /etc/xinetd.d/imapd, /etc/inetd.d/ipop2d,
|
|
and /etc/xinetd.d/ipop3d. In those files, look for lines
|
|
containing "USERID", e.g.
|
|
log_on_success += USERID
|
|
Hunt down such lines, and delete them ruthlessly from all
|
|
files in which they occur. Don't be shy about it.
|
|
+ The DNS is taking a long time to do a reverse DNS (PTR
|
|
record) lookup of the IP address of your client. This is a
|
|
problem in your DNS, which either you or you ISP need to
|
|
resolve. Ideally, the DNS should return the client's name;
|
|
but if it can't it should at least return an error quickly.
|
|
|
|
As you may have noticed, neither of these are actual problems
|
|
in the IMAP or POP servers; they are configuration issues with
|
|
either your system or your network infrastructure. If this is
|
|
all new to you, run (don't walk) to the nearest technical
|
|
bookstore and get yourself a good pedagogical text on system
|
|
administration for the type of system you are running.
|
|
_________________________________________________________________
|
|
|
|
7.25 Why is there a long delay in Pine or any other c-client based
|
|
application call before I get connected to the IMAP server? The hang
|
|
seems to be in the c-client mail_open() call. I don't have this
|
|
problem with any other IMAP client. There is no delay connecting to a
|
|
POP3 or NNTP server with mail_open().
|
|
|
|
By default, the c-client library attempts to make a connection
|
|
through rsh (and ssh, if you enable that). If the command:
|
|
|
|
rsh imapserver exec /etc/rimapd
|
|
|
|
(or ssh if that is enabled) returns with a "* PREAUTH"
|
|
response, it will use the resulting rsh session as the IMAP
|
|
session and not require an authentication step on the server.
|
|
|
|
Unfortunately, rsh has a design error that treats "TCP
|
|
connection refused" as "temporary failure, try again"; it
|
|
expects the "rsh not allowed" case to be implemented as a
|
|
successful connection followed by an error message and close
|
|
the connection.
|
|
|
|
It must be emphasized that this is a bug in rsh. It is not a
|
|
bug in the IMAP toolkit.
|
|
|
|
The use of rsh can be disabled in any the following ways:
|
|
|
|
+ You can disable it for this particular session by either:
|
|
o setting an explicit port number in the mailbox name,
|
|
e.g.
|
|
{imapserver.foo.com:143}INBOX
|
|
o using SSL (the /ssl switch)
|
|
+ You can disable rsh globally by setting the rsh timeout value
|
|
to 0 with the call:
|
|
mail_parameters (NIL,SET_RSHTIMEOUT,0);
|
|
_________________________________________________________________
|
|
|
|
7.26 Why does a message sometimes get split into two or more messages
|
|
on my SUN system?
|
|
|
|
This is caused by an interaction of two independent design
|
|
problems in SUN mail software. The first problem is that the
|
|
"forward message" option in SUN's mail tool program includes
|
|
the internal "From " header line in the text that it forwarded.
|
|
This internal header line is specific to traditional UNIX
|
|
mailbox files and is not suitable for use in forwarded
|
|
messages.
|
|
|
|
The second problem is that the mail delivery agent assumes that
|
|
mail reading programs will not use the traditional UNIX mailbox
|
|
format but instead an incompatible variant that depends upon a
|
|
Content-Length: message header. Content-Length is widely
|
|
recognized to have been a terrible mistake, and is no longer
|
|
recommended for use in mail (it is used in other facilities
|
|
that use MIME).
|
|
|
|
One symptom of the problem is that under certain circumstances,
|
|
a message may get broken up into several messages. I'm also
|
|
aware of security bugs caused by programs that foolishly trust
|
|
"Content-Length:" headers with evil values.
|
|
|
|
To fix the mailer on your system, edit your sendmail.cf to
|
|
change the Mlocal line to have the -E flag. A typical entry
|
|
will lool like:
|
|
|
|
Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnPE, S=10, R=20,
|
|
A=mail.local -d $u
|
|
|
|
This fix will also work around the problem with mail tool,
|
|
because it will insert a ">" before the internal header line to
|
|
prevent it from being interpreted by mail reading software as
|
|
an internal header line.
|
|
_________________________________________________________________
|
|
|
|
7.27 Why did my POP or IMAP session suddenly disconnect? The syslog
|
|
has the message:
|
|
Autologout user=<...my user name...> host=<...my client system...>
|
|
|
|
This is a problem in your client.
|
|
|
|
In the case of IMAP, it failed to communicate with the IMAP
|
|
server for over 30 minutes; in the case of POP, it failed to
|
|
communicate with the POP server for over 10 minutes.
|
|
_________________________________________________________________
|
|
|
|
7.28 What does the UNIX error message: TLS/SSL failure: myserver: SSL
|
|
negotiation failed mean?
|
|
7.29 What does the PC error message: TLS/SSL failure: myserver:
|
|
Unexpected TCP input disconnect mean?
|
|
|
|
This usually means that an attempt to negotiate TLS encryption
|
|
via the STARTTLS command failed, because the server advertises
|
|
STARTTLS functionality, but doesn't actually have it (e.g.
|
|
because no certificates are installed).
|
|
|
|
Use the /notls option in the mailbox name to disable TLS
|
|
negotiation.
|
|
_________________________________________________________________
|
|
|
|
7.30 What does the error message: TLS/SSL failure: myserver: Server
|
|
name does not match certificate mean?
|
|
|
|
An SSL or TLS session encryption failed because the server name
|
|
in the server's certificate does not match the name that you
|
|
gave it. This could indicate that the server is not really the
|
|
system you think that it is, but can be also be called if you
|
|
gave a nickname for the server or name that was not
|
|
fully-qualified. You must use the fully-qualified domain name
|
|
for the server in order to validate its certificate
|
|
|
|
Use the /novalidate-cert option in the mailbox name to disable
|
|
validation of the certificate.
|
|
_________________________________________________________________
|
|
|
|
7.31 What does the UNIX error message: TLS/SSL failure: myserver:
|
|
self-signed certificate mean?
|
|
7.32 What does the PC error message: TLS/SSL failure: myserver:
|
|
Self-signed certificate or untrusted authority mean?
|
|
|
|
An SSL or TLS session encryption failed because your server's
|
|
certificate is "self-signed"; that is, it is not signed by any
|
|
Certificate Authority (CA) and thus can not be validated. A
|
|
CA-signed certificate costs money, and some smaller sites
|
|
either don't want to pay for it or haven't gotten one yet. The
|
|
bad part about this is that this means there is no guarantee
|
|
that the server is really the system you think that it is.
|
|
|
|
Use the /novalidate-cert option in the mailbox name to disable
|
|
validation of the certificate.
|
|
_________________________________________________________________
|
|
|
|
7.33 What does the UNIX error message: TLS/SSL failure: myserver:
|
|
unable to get local issuer certificate mean?
|
|
|
|
An SSL or TLS session encryption failed because your system
|
|
does not have the Certificate Authority (CA) certificates
|
|
installed on OpenSSL's certificates directory. On most systems,
|
|
this directory is /usr/local/ssl/certs). As a result, it is not
|
|
possible to validate the server's certificate.
|
|
|
|
If CA certificates are properly installed, you should see
|
|
factory.pem and about a dozen other .pem names such as
|
|
thawteCb.pem.
|
|
|
|
As a workaround, you can use the /novalidate-cert option in the
|
|
mailbox name to disable validation of the certificate; however,
|
|
note that you are then vulnerable to various security attacks
|
|
by bad guys.
|
|
|
|
The correct fix is to copy all the files from the certs/
|
|
directory in the OpenSSL distribution to the
|
|
/usr/local/ssl/certs (or whatever) directory. Note that you
|
|
need to do this after building OpenSSL, because the OpenSSL
|
|
build creates a number of needed symbolic links. For some
|
|
bizarre reason, the OpenSSL "make install" doesn't do this for
|
|
you, so you must do it manually.
|
|
_________________________________________________________________
|
|
|
|
7.34 Why does reading certain messages hang when using Netscape? It
|
|
works fine with Pine!
|
|
|
|
There are two possible causes.
|
|
|
|
Check the mail syslog. If you see the message "Killed (lost
|
|
mailbox lock)" for the impacted user(s), read the FAQ entry
|
|
regarding that message.
|
|
|
|
Check the affected mailbox to see if there are embedded NUL
|
|
characters in the message. NULs in message texts are a
|
|
technical violation of both the message format and IMAP
|
|
specifications. Most clients don't care, but apparently
|
|
Netscape does.
|
|
|
|
You can work around this by rebuilding imapd with the
|
|
NETSCAPE_BRAIN_DAMAGE option set (see src/imapd/Makefile); this
|
|
will cause imapd to convert all NULs to 0x80 characters. A
|
|
better solution is to enable the feature in your MTA to
|
|
MIME-convert messages with binary content. See the
|
|
documentation for your MTA for how to do this.
|
|
_________________________________________________________________
|
|
|
|
7.35 Why does Netscape say that there's a problem with the IMAP server
|
|
and that I should "Contact your mail server administrator."?
|
|
|
|
Certain versions of Netscape do this when you click the Manage
|
|
Mail button, which uses an undocumented feature of Netscape's
|
|
proprietary IMAP server.
|
|
|
|
You can work around this by rebuilding imapd with the
|
|
NETSCAPE_BRAIN_DAMAGE option set (see src/imapd/Makefile) to a
|
|
URL that points either to an alternative IMAP client (e.g.
|
|
Pine) or perhaps to a homebrew mail account management page.
|
|
_________________________________________________________________
|
|
|
|
7.36 Why is one user creating huge numbers of IMAP or POP server
|
|
sessions?
|
|
|
|
The user is probably using Outlook Express, Eudora, or a
|
|
similar program. See the answer to the Help! My load average is
|
|
soaring and I see hundreds of POP and IMAP servers, many logged
|
|
in as the same user! question.
|
|
_________________________________________________________________
|
|
|
|
7.37 Why don't I get any new mail notifications from Outlook Express
|
|
or Outlook after a while?
|
|
|
|
This is a known bug in Outlook Express. Microsoft is aware of
|
|
the problem and its cause. They have informed us that they do
|
|
not have any plans to fix it at the present time.
|
|
|
|
The problem is also reported in Outlook 2000, but not verified.
|
|
|
|
Outlook Express uses the IMAP IDLE command to avoid having to
|
|
"ping" the server every few minutes for new mail.
|
|
Unfortunately, Outlook Express overlooks the part in the IDLE
|
|
specification which requires that a client terminate and
|
|
restart the IDLE before the IMAP 30 minute inactivity
|
|
autologout timer triggers.
|
|
|
|
When this happens, Outlook Express displays "Not connected" at
|
|
the bottom of the window. Since it's no longer connected to the
|
|
IMAP server, it isn't going to notice any new mail.
|
|
|
|
As soon as the user does anything that would cause an IMAP
|
|
operation, Outlook Express will reconnect and new mail will
|
|
flow again. If the user does something that causes an IMAP
|
|
operation at least every 29 minutes, the problem won't happen.
|
|
|
|
Modern versions of imapd attempt to work around the problem by
|
|
automatically reporting fake new mail after 29 minutes. This
|
|
causes Outlook Express to exit the IDLE state; as soon as this
|
|
happens imapd revokes the fake new mail. As long as this
|
|
behavior isn't known to cause problems with other clients, this
|
|
workaround will remain in imapd.
|
|
_________________________________________________________________
|
|
|
|
7.38 Why don't I get any new mail notifications from Entourage?
|
|
|
|
This is a known bug in Entourage.
|
|
|
|
You built an older version of imapd with the
|
|
MICROSOFT_BRAIN_DAMAGE option set, in order to disable support
|
|
for the IDLE command. However, Entourage won't get new mail
|
|
unless IDLE command support exists.
|
|
|
|
Note: the MICROSOFT_BRAIN_DAMAGE option no longer exists in
|
|
modern versions, as the Outlook Express problem which it
|
|
attempted to solve has been worked around in another way.
|
|
_________________________________________________________________
|
|
|
|
7.39 Why doesn't Entourage work at all?
|
|
|
|
It's hard to know. Entourage breaks almost every rule in the
|
|
book for IMAP. It is highly instructive to do a packet trace on
|
|
Entourage, as an example of how not to use IMAP. It does things
|
|
like STATUS (MESSAGES) on the currently selected mailbox and
|
|
re-fetching the same static data over and over again.
|
|
|
|
It seems that every time we understand what it is doing wrong
|
|
in Entourage and come up with a workaround, we learn about
|
|
something else that's broken.
|
|
|
|
Try building imapd with the ENTOURAGE_BRAIN_DAMAGE option set,
|
|
in order to disable the diagnostic that occurs when doing
|
|
STATUS on the currently selected mailbox.
|
|
_________________________________________________________________
|
|
|
|
7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all?
|
|
|
|
This is a bug in NSNOTIFY; it doesn't handle unsolicited data
|
|
from the server correctly.
|
|
|
|
Fortunately, there is no reason to use this program with IMAP;
|
|
NSNOTIFY is a polling program to let you know when new mail has
|
|
appeared in your maildrop. This is necessary with POP; but
|
|
since IMAP dynamically announces new mail in the session you're
|
|
better off (and will actually cause less load on the server!)
|
|
keeping your mail reading program's IMAP session open and let
|
|
IMAP do the notifying for you.
|
|
|
|
Consequently, the recommended fix for the NSNOTIFY problem is
|
|
to delete the NSNOTIFY binary.
|
|
_________________________________________________________________
|
|
|
|
7.41 Why can't I connect via SSL to Eudora? It says the connection has
|
|
been broken, and in the server syslogs I see "Command stream end of
|
|
file".
|
|
|
|
There is a report that you can fix the problem by going into
|
|
Eudora's advanced network configuration menu and increasing the
|
|
network buffer size to 8192.
|
|
_________________________________________________________________
|
|
|
|
7.42 Sheesh. Aren't there any good IMAP clients out there?
|
|
|
|
Yes!
|
|
|
|
Pine is a wonderful client. It's fast, it uses IMAP well, and
|
|
it generates text mail (life is too short to waste on HTML
|
|
mail). Also, there are some really wonderful things in progress
|
|
in the Pine world.
|
|
|
|
There are some good GUI clients out there, mostly from smaller
|
|
vendors. Without naming names, look for the vendors who are
|
|
active in the IMAP protocol development community, and their
|
|
products.
|
|
|
|
Netscape, Eudora, and Outlook can be configured with enough
|
|
effort to be good citizens and work well for users, but they
|
|
can also be badly misconfigured, and often the misconfiguration
|
|
is the default.
|
|
_________________________________________________________________
|
|
|
|
7.43 But wait! PC Pine (or other PC program build with c-client)
|
|
crashes with the message incomplete SecBuffer exceeds maximum buffer
|
|
size when I use SSL connections. This is a bug in c-client, right?
|
|
|
|
It's a bug in the Microsoft SChannel.DLL, which implements SSL.
|
|
Microsoft admits it (albeit with an unstatement: "it's not
|
|
fully RFC compliant"). The problem is that SChannel indicates
|
|
that the maximum SSL packet data size is 5 bytes smaller than
|
|
the actual maximum. Thus, any IMAP server which transmits a
|
|
maximum sized SSL packet will not work with PC Pine or any
|
|
other program which uses SChannel.
|
|
|
|
It can take a while for the problem to show up. The client has
|
|
to do something that causes at least 16K of contiguous data.
|
|
Many clients do partial fetching, which tends to reduce the
|
|
number of cases where this can happen. However, all software
|
|
which uses SChannel to support SSL is affected by this bug.
|
|
|
|
This problem does not affect UNIX code, since OpenSSL is used
|
|
on UNIX.
|
|
|
|
This problem most recently showed up with the CommunigatePro
|
|
IMAP server. They have an update which trims down their maximum
|
|
contiguous data to less than 16K, in order to work around the
|
|
problem.
|
|
|
|
This problem has also shown up with the Exchange IMAP server
|
|
with UNIX clients (including Pine built with an older version
|
|
of c-client) which sends full-sized 16K SSL packets. Modern
|
|
c-client works around the problem by trimming down its maximum
|
|
outgoing SSL packet size to 8K.
|
|
|
|
Microsoft has developed a hotfix for this bug. Look up MSKB
|
|
article number 300562. Contrary to the article text which
|
|
implies that this is a Pine issue, this bug also affect
|
|
Microsoft Exchange server with *any* UNIX based client that
|
|
transmits full-sized SSL payloads.
|
|
_________________________________________________________________
|
|
|
|
7.44 My qpopper users keep on getting the DON'T DELETE THIS MESSAGE --
|
|
FOLDER INTERNAL DATA if they also use Pine or IMAP. How can I fix
|
|
this?
|
|
|
|
This is an incompatibility between qpopper and the c-client
|
|
library used by Pine, imapd, and ipop[23]d.
|
|
|
|
Assuming that you want to continue using qpopper, look into
|
|
qpopper's --enable-uw-kludge-flag configuration flag, which is
|
|
documented as "check for and hide UW 'Folder Internal Data'
|
|
messages".
|
|
|
|
The other alternative is to switch from qpopper to ipop3d.
|
|
_________________________________________________________________
|
|
|
|
7.45 Help! I installed the servers but I can't connect to them from my
|
|
client!
|
|
|
|
Review the installation instructions carefully. Make sure that
|
|
you have not skipped any of the steps. Make sure that you have
|
|
made the correct entries in the configuration files; pay
|
|
careful attention to the exact spelling of the service names
|
|
and the path names. Make sure as well that you have properly
|
|
restarted inetd.
|
|
|
|
If you have a system with Yellow Pages/NIS such as Solaris,
|
|
have you updated the service names there as well as in
|
|
/etc/services?
|
|
|
|
If you have a system with TCP wrappers, have you properly
|
|
updated the TCP wrapper files (e.g. /etc/hosts.allow and
|
|
/etc/hosts.deny) for the servers?
|
|
|
|
If you have a system which uses xinetd instead of inetd, have
|
|
you made sure that you have made the correct corresponding
|
|
xinetd changes for those services?
|
|
|
|
Try telneting to the server port (143 for IMAP, 110 for POP3).
|
|
If you get a "refused" error, that probably means that you
|
|
don't have the service set up in inetd.conf. If the connection
|
|
opens and then closes with no message, the service is set up,
|
|
but either the path name of the server binary in inetd.conf is
|
|
wrong or your TCP wrappers are configured to deny access.
|
|
|
|
If you don't know how to make the corresponding changes to
|
|
these files, seek the help of a local expert for your system.
|
|
_________________________________________________________________
|
|
|
|
7.46 Why do I get the message Can not authenticate to SMTP server: 421
|
|
SMTP connection went away! and why did this happen? There was also
|
|
something about SECURITY PROBLEM: insecure server advertised
|
|
AUTH=PLAIN
|
|
|
|
Some versions of qmail, including that running on
|
|
mail.smtp.yahoo.com, disconnect the SMTP session if you fail to
|
|
authenticate prior to attempting to transmit mail. An attempt
|
|
to authenticate was made, but it failed because the server had
|
|
already disconnected.
|
|
|
|
To work around this, you need to specify /user=... in the host
|
|
name specification.
|
|
|
|
The SECURITY PROBLEM came about because the server advertised
|
|
the AUTH=PLAIN SASL authentication mechanism outside of a
|
|
TLS-encrypted session, in violation of RFC 4616. This message
|
|
is just a warning, and in fact occurred after the server had
|
|
disconnected.
|
|
_________________________________________________________________
|
|
|
|
7.47 Why do I get the message SMTP Authentication cancelled and why
|
|
did this happen? There was also something about SECURITY PROBLEM:
|
|
insecure server advertised AUTH=PLAIN
|
|
|
|
This is a bug in the SMTP server.
|
|
|
|
Some versions of qmail, including that running on
|
|
mail.smtp.yahoo.com, have a bug in their implementation of SASL
|
|
in their SMTP server, which renders it non-compliant with the
|
|
standard.
|
|
|
|
If the client does not provide an initial response in the
|
|
command line for an authentication mechanism whose profile does
|
|
not have an initial challenge, qmail issues a bogus response:
|
|
|
|
334 ok, go on
|
|
|
|
The problem is the "ok, go on". This violates RFC 4954's
|
|
requirement that the text part in a 334 response be a BASE64
|
|
encoded string; in other words, it is a protocol syntax error.
|
|
|
|
In the case of AUTH=PLAIN, RFC 4422 (page 7) requires that the
|
|
encoded string have no data. In other words, the appropropiate
|
|
standards-compliant server response is "334" followed by a
|
|
SPACE and a CRLF.
|
|
|
|
The SECURITY PROBLEM came about because the server advertised
|
|
the AUTH=PLAIN SASL authentication mechanism outside of a
|
|
TLS-encrypted session, in violation of RFC 4616. This message
|
|
is just a warning, and is not related the "Authentication
|
|
cancelled" problem.
|
|
_________________________________________________________________
|
|
|
|
7.48 Why do I get the message Invalid base64 string when I try to
|
|
authenticate to a Cyrus server?
|
|
|
|
This slightly misleading message is the way that a Cyrus server
|
|
indicates that an authentication exchange was cancelled. It is
|
|
not indicative of a bug or protocol violation.
|
|
|
|
The most common reason that this happens is if the Cyrus server
|
|
offers Kerberos authentication, c-client is built with Kerberos
|
|
support, but your client system is not within the Kerberos
|
|
realm. In this case, the client code will try to authenticate
|
|
via Kerberos, fail to get the Kerberos credentials, cancel the
|
|
authentication attempt, and try the next available
|
|
authentication technology.
|
|
_________________________________________________________________
|
|
|
|
8. Where to Go For Additional Information
|
|
_________________________________________________________________
|
|
|
|
8.1 Where can I go to ask questions?
|
|
8.2 I have some ideas for enhancements to IMAP. Where should I go?
|
|
|
|
If you have questions about the IMAP protocol, or want to
|
|
participate in discussions of future directions of the IMAP
|
|
protocol, the appropriate mailing list is
|
|
imap-protocol@u.washington.edu. You can subscribe to this
|
|
list via imap-protocol-request@u.washington.edu
|
|
|
|
If you have questions about this software, you can send me
|
|
email directly or use the imap-uw@u.washington.edu mailing
|
|
list. You can subscribe to this list via
|
|
imap-uw-request@u.washington.edu
|
|
|
|
If you have general questions about the use of IMAP software
|
|
(not specific to the UW IMAP toolkit) use the
|
|
imap-use@u.washington.edu mailing list. You can subscribe to
|
|
this list via imap-use-request@u.washington.edu
|
|
|
|
You must be a subscriber to post to these lists. As an
|
|
alternative, you can use the comp.mail.imap newsgroup.
|
|
_________________________________________________________________
|
|
|
|
8.3 Where can I read more about IMAP and other email protocols?
|
|
|
|
We recommend Internet Email Protocols: A Developer's Guide, by
|
|
Kevin Johnson, published by Addison Wesley, ISBN 0-201-43288-9.
|
|
_________________________________________________________________
|
|
|
|
8.4 Where can I find out more about setting up and administering an
|
|
IMAP server?
|
|
|
|
We recommend Managing IMAP, by Dianna Mullet & Kevin Mullet,
|
|
published by O'Reilly, ISBN 0-596-00012-X.
|
|
|
|
This book also has an excellent comparison of the UW and Cyrus
|
|
IMAP servers.
|
|
|
|
Last Updated: 15 November 2007
|