diff options
Diffstat (limited to 'imap/docs/FAQ.html')
| -rw-r--r-- | imap/docs/FAQ.html | 4226 |
1 files changed, 4226 insertions, 0 deletions
diff --git a/imap/docs/FAQ.html b/imap/docs/FAQ.html new file mode 100644 index 00000000..12a9feac --- /dev/null +++ b/imap/docs/FAQ.html @@ -0,0 +1,4226 @@ +<!-- + * ======================================================================== + * Copyright 1988-2007 University of Washington + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * + * ======================================================================== + * +--> + +<!--chtml set title="IMAP Toolkit Frequently Asked Questions"--> +<!--chtml include "//imap/incs/top.inc"--> + + <h2>Table of Contents</h2> + + <ul> + <li> + <a href="#general">1. General/Software Feature Questions</a> + + <ul> + <li><a href="#1.1">1.1 Can I set up a POP or IMAP server on + UNIX/Linux/OSF/etc.?</a></li> + + <li><a href="#1.2">1.2 I am currently using qpopper as my POP3 server + on UNIX. Do I need to replace it with ipop3d in order to run + imapd?</a></li> + + <li><a href="#1.3">1.3 Can I set up a POP or IMAP server on Windows + XP, 2000, NT, Me, 98, or 95?</a></li> + + <li><a href="#1.4">1.4 Can I set up a POP or IMAP server on Windows + 3.1 or DOS?</a></li> + + <li><a href="#1.5">1.5 Can I set up a POP or IMAP server on + Macintosh?</a></li> + + <li><a href="#1.6">1.6 Can I set up a POP or IMAP server on + VAX/VMS?</a></li> + + <li><a href="#1.7">1.7 Can I set up a POP or IMAP server on + TOPS-20?</a></li> + + <li><a href="#1.8">1.8 Are hierarchical mailboxes supported?</a></li> + + <li><a href="#1.9">1.9 Are "dual-use" mailboxes supported?</a></li> + + <li><a href="#1.10">1.10 Can I have a mailbox that has both messages + and sub-mailboxes?</a></li> + + <li><a href="#1.11">1.11 What is the difference between "mailbox" and + "folder"?</a></li> + + <li><a href="#1.12">1.12 What is the status of + internationalization?</a></li> + + <li><a href="#1.13">1.13 Can I use SSL?</a></li> + + <li><a href="#1.14">1.14 Can I use TLS and the STARTTLS + facility?</a></li> + + <li><a href="#1.15">1.15 Can I use CRAM-MD5 authentication?</a></li> + + <li><a href="#1.16">1.16 Can I use APOP authentication?</a></li> + + <li><a href="#1.17">1.17 Can I use Kerberos V5?</a></li> + + <li><a href="#1.18">1.18 Can I use PAM for plaintext + passwords?</a></li> + + <li><a href="#1.19">1.19 Can I use Kerberos 5 for plaintext + passwords?</a></li> + + <li><a href="#1.20">1.20 Can I use AFS for plaintext + passwords?</a></li> + + <li><a href="#1.21">1.21 Can I use DCE for plaintext + passwords?</a></li> + + <li><a href="#1.22">1.22 Can I use the CRAM-MD5 database for + plaintext passwords?</a></li> + + <li><a href="#1.23">1.23 Can I disable plaintext passwords?</a></li> + + <li><a href="#1.24">1.24 Can I disable plaintext passwords on + unencrypted sessions, but allow them on encrypted sessions?</a></li> + + <li><a href="#1.25">1.25 Can I use virtual hosts?</a></li> + + <li><a href="#1.26">1.26 Can I use RPOP authentication?</a></li> + + <li><a href="#1.27">1.27 Can I use Kerberos V4?</a></li> + + <li><a href="#1.28">1.28 Is there support for S/Key or OTP?</a></li> + + <li><a href="#1.29">1.29 Is there support for NTLM or SPA?</a></li> + + <li><a href="#1.30">1.30 Is there support for mh?</a></li> + + <li><a href="#1.31">1.31 Is there support for qmail and the maildir + format?</a></li> + + <li><a href="#1.32">1.32 Is there support for the Cyrus mailbox + format?</a></li> + + <li><a href="#1.33">1.33 Is this software Y2K compliant?</a></li> + </ul> + </li> + + <li> + <a href="#requirements">2. What Do I Need to Build This Software?</a> + + <ul> + <li><a href="#2.1">2.1 What do I need to build this software with SSL + on UNIX?</a></li> + + <li><a href="#2.2">2.2 What do I need to build this software with + Kerberos V on UNIX?</a></li> + + <li><a href="#2.3">2.3 What do I need to use a C++ compiler with this + software to build my own application?</a></li> + + <li><a href="#2.4">2.4 What do I need to build this software on + Windows?</a></li> + + <li><a href="#2.5">2.5 What do I need to build this software on + DOS?</a></li> + + <li><a href="#2.6">2.6 Can't I use Borland C to build this software + on the PC?</a></li> + + <li><a href="#2.7">2.7 What do I need to build this software on the + Mac?</a></li> + + <li><a href="#2.8">2.8 What do I need to build this software on + VMS?</a></li> + + <li><a href="#2.9">2.9 What do I need to build this software on + TOPS-20?</a></li> + + <li><a href="#2.10">2.10 What do I need to build this software on + Amiga or OS/2?</a></li> + + <li><a href="#2.11">2.11 What do I need to build this software on + Windows CE?</a></li> + </ul> + </li> + + <li> + <a href="#build">3. Build and Configuration Questions</a> + + <ul> + <li><a href="#3.1">3.1 How do I configure the IMAP and POP servers on + UNIX?</a></li> + + <li><a href="#3.2">3.2 I built and installed the servers according to + the BUILD instructions. It can't be that easy. Don't I need to write + a config file?</a></li> + + <li><a href="#3.3">3.3 How do I make the IMAP and POP servers look + for INBOX at some place other than the mail spool directory?</a></li> + + <li><a href="#3.4">3.4 How do I make the IMAP server look for + secondary folders at some place other than the user's home + directory?</a></li> + + <li><a href="#3.5">3.5 How do I configure SSL?</a></li> + + <li><a href="#3.6">3.6 How do I configure TLS and the STARTTLS + facility?</a></li> + + <li><a href="#3.7">3.7 How do I build/install OpenSSL and + obtain/create certificates for use with SSL?</a></li> + + <li><a href="#3.8">3.8 How do I configure CRAM-MD5 + authentication?</a></li> + + <li><a href="#3.9">3.9 How do I configure APOP + authentication?</a></li> + + <li><a href="#3.10">3.10 How do I configure Kerberos V5?</a></li> + + <li><a href="#3.11">3.11 How do I configure PAM for plaintext + passwords?</a></li> + + <li><a href="#3.12">3.12 It looks like all I have to do to make the + server use Kerberos is to build with PAM on my Linux system, and set + it up in PAM for Kerberos passwords. Right?</a></li> + + <li><a href="#3.13">3.13 How do I configure Kerberos 5 for plaintext + passwords?</a></li> + + <li><a href="#3.14">3.14 How do I configure AFS for plaintext + passwords?</a></li> + + <li><a href="#3.15">3.15 How do I configure DCE for plaintext + passwords?</a></li> + + <li><a href="#3.16">3.16 How do I configure the CRAM-MD5 database for + plaintext passwords?</a></li> + + <li><a href="#3.17">3.17 How do I disable plaintext + passwords?</a></li> + + <li><a href="#3.18">3.18 How do I disable plaintext passwords on + unencrypted sessions, but allow them in SSL or TLS sessions?</a></li> + + <li><a href="#3.19">3.19 How do I configure virtual hosts?</a></li> + + <li> + <a href="#3.20">3.20 Why do I get compiler warning messages such + as: + + <ul> + <li>passing arg 3 of `scandir' from incompatible pointer + type</li> + + <li>Pointers are not assignment-compatible.</li> + + <li>Argument #4 is not the correct type.</li> + </ul>during the build?</a> + </li> + + <li> + <a href="#3.21">3.21 Why do I get compiler warning messages such + as + + <ul> + <li>Operation between types "void(*)(int)" and "void*" is not + allowed.</li> + + <li>Function argument assignment between types "void*" and + "void(*)(int)" is not allowed.</li> + + <li>Pointers are not assignment-compatible.</li> + + <li>Argument #5 is not the correct type.</li> + </ul>during the build?</a> + </li> + + <li> + <a href="#3.22">3.22 Why do I get linker warning messages such + as: + + <ul> + <li>mtest.c:515: the `gets' function is dangerous and should not + be used.</li> + </ul>during the build? Isn't this a security bug?</a> + </li> + + <li> + <a href="#3.23">3.23 Why do I get linker warning messages such + as:</a> + + <ul> + <li>auth_ssl.c:92: the `tmpnam' function is dangerous and should + not be used.</li> + </ul>during the build? Isn't this a security bug? + </li> + + <li><a href="#3.24">3.24 OK, suppose I see a warning message about a + function being "dangerous and should not be used" for something other + than this gets() or tmpnam() call?</a></li> + </ul> + </li> + + <li> + <a href="#operation">4. Operational Questions</a> + + <ul> + <li><a href="#4.1">4.1 How can I enable anonymous IMAP + logins?</a></li> + + <li><a href="#4.2">4.2 How do I set up an alert message that each + IMAP user will see?</a></li> + + <li><a href="#4.3">4.3 How does the c-client library choose which of + its several mechanisms to use to establish an IMAP connection to the + server? I noticed that it can connect on port 143, port 993, via rsh, + and via ssh.</a></li> + + <li><a href="#4.4">4.4 I am using a TLS-capable IMAP server, so I + don't need to use /ssl to get encryption. However, I want to be + certain that my session is TLS encrypted before I send my password. + How to I do this?</a></li> + + <li><a href="#4.5">4.5 How do I use one of the alternative formats + described in the formats.txt document? In particular, I hear that mbx + format will give me better performance and allow shared + access.</a></li> + + <li><a href="#4.6">4.6 How do I set up shared mailboxes?</a></li> + + <li><a href="#4.7">4.7 How can I make the server syslogs go to + someplace other than the mail syslog?</a></li> + </ul> + </li> + + <li> + <a href="#security">5. Security Questions</a> + + <ul> + <li><a href="#5.1">5.1 I see that the IMAP server allows access to + arbitary files on the system, including /etc/passwd! How do I disable + this?</a></li> + + <li><a href="#5.2">5.2 I've heard that IMAP servers are insecure. Is + this true?</a></li> + + <li><a href="#5.3">5.3 How do I know that I have the most secure + version of the server?</a></li> + + <li><a href="#5.4">5.4 I see all these strcpy() and sprintf() calls, + those are unsafe, aren't they?</a></li> + + <li><a href="#5.5">5.5 Those /tmp lock files are protected 666, is + that really right?</a></li> + </ul> + </li> + + <li> + <a href="#strange">6. <i>Why Did You Do This Strange Thing?</i> + Questions</a> + + <ul> + <li><a href="#6.1">6.1 Why don't you use GNU autoconfig / automake / + autoblurdybloop?</a></li> + + <li><a href="#6.2">6.2 Why do you insist upon a build with -g? + Doesn't it waste disk and memory space?</a></li> + + <li><a href="#6.3">6.3 Why don't you make c-client a shared + library?</a></li> + + <li><a href="#6.4">6.4 Why don't you use iconv() for + internationalization support?</a></li> + + <li><a href="#6.5">6.5 Why is the IMAP server connected to the home + directory by default?</a></li> + + <li><a href="#6.6">6.6 I have a Windows system. Why isn't the server + plug and play for me?</a></li> + + <li><a href="#6.7">6.7 I looked at the UNIX SSL code and saw that you + have the SSL data payload size set to 8192 bytes. SSL allows 16K; why + aren't you using the full size?</a></li> + + <li><a href="#6.8">6.8 Why is an mh format INBOX called #mhinbox + instead of just INBOX?</a></li> + + <li><a href="#6.9">6.9 Why don't you support the maildir + format?</a></li> + + <li><a href="#6.10">6.10 Why don't you support the Cyrus + format?</a></li> + + <li><a href="#6.11">6.11 Why is it creating extra forks on my SVR4 + system?</a></li> + + <li><a href="#6.12">6.12 Why are you so fussy about the date/time + format in the internal <code>"From "</code> line in traditional + UNIX mailbox files? My other mail program just considers every line + that starts with <code>"From "</code> to be the start of the + message.</a></li> + + <li><a href="#6.13">6.13 Why is traditional UNIX format the default + format?</a></li> + + <li><a href="#6.14">6.14 Why do you write this "DON'T DELETE THIS + MESSAGE -- FOLDER INTERNAL DATA" message at the start of traditional + UNIX and MMDF format mailboxes?</a></li> + + <li><a href="#6.15">6.15 Why don't you stash the mailbox metadata in + the first real message of the mailbox instead of writing this fake + FOLDER INTERNAL DATA message?</a></li> + + <li><a href="#6.16">6.16 Why aren't "dual-use" mailboxes the + default?</a></li> + + <li><a href="#6.17">6.17 Why do you use ucbcc to build on + Solaris?</a></li> + + <li><a href="#6.18">6.18 Why should I care about some old system with + BSD libraries? cc is the right thing on my Solaris system!</a></li> + + <li><a href="#6.19">6.19 Why do you insist upon writing .lock files + in the spool directory?</a></li> + + <li><a href="#6.20">6.20 Why should I care about compatibility with + the past?</a></li> + </ul> + </li> + + <li> + <a href="#problems">7. Problems and Annoyances</a> + + <ul> + <li><a href="#7.1">7.1 Help! My INBOX is empty! What happened to my + messages?</a></li> + + <li><a href="#7.2">7.2 Help! All my messages in a non-INBOX mailbox + have been concatenated into one message which claims to be from me + and has a subject of the file name of the mailbox! What's going + on?</a></li> + + <li> + <a href="#7.3">7.3 Why do I get the message: + + <ul> + <li>CREATE failed: Can't create mailbox node xxxxxxxxx: File + exists</li> + </ul>and how do I fix it?</a> + </li> + + <li><a href="#7.4">7.4 Why can't I log in to the server? The user + name and password are right!</a></li> + + <li><a href="#7.5">7.5 Help! My load average is soaring and I see + hundreds of POP and IMAP servers, many logged in as the same + user!</a></li> + + <li><a href="#7.6">7.6 Why does mail disappear even though I set + "keep mail on server"?</a></li> + + <li> + <a href="#7.7">7.7 Why do I get the message + + <ul> + <li>Moved ##### bytes of new mail to /home/user/mbox from + /var/spool/mail/user</li> + </ul>and why did this happen?</a> + </li> + + <li><a href="#7.8">7.8 Why isn't it showing the local host name as a + fully-qualified domain name?</a></li> + + <li><a href="#7.9">7.9 Why is the local host name in the + From/Sender/Message-ID headers of outgoing mail not coming out as a + fully-qualified domain name?</a></li> + + <li> + <a href="#7.10">7.10 What does the message: + + <ul> + <li>Mailbox vulnerable - directory /var/spool/mail must have 1777 + protection</li> + </ul>mean? How can I fix this?</a> + </li> + + <li> + <a href="#7.11">7.11 What does the message: + + <ul> + <li>Mailbox is open by another process, access is readonly</li> + </ul>mean? How do I fix this?</a> + </li> + + <li> + <a href="#7.12">7.12 What does the message: + + <ul> + <li>Can't get write access to mailbox, access is readonly</li> + </ul>mean?</a> + </li> + + <li><a href="#7.13">7.13 I set my POP3 client to "delete messages + from server" but they never get deleted. What is wrong?</a></li> + + <li> + <a href="#7.14">7.14 What do messages such as: + + <ul> + <li>Message ... UID ... already has UID ...</li> + + <li>Message ... UID ... less than ...</li> + + <li>Message ... UID ... greater than last ...</li> + + <li>Invalid UID ... in message ..., rebuilding UIDs</li> + </ul>mean?</a> + </li> + + <li> + <a href="#7.15">7.15 What do the error messages: + + <ul> + <li>Unable to read internal header at ...</li> + + <li>Unable to find CRLF at ...</li> + + <li>Unable to parse internal header at ...</li> + + <li>Unable to parse message date at ...</li> + + <li>Unable to parse message flags at ...</li> + + <li>Unable to parse message UID at ...</li> + + <li>Unable to parse message size at ...</li> + + <li>Last message (at ... ) runs past end of file ...</li> + </ul>mean? I am using mbx format.</a> + </li> + + <li> + <a href="#7.16">7.16 What do the syslog messages: + + <ul> + <li>imap/tcp server failing (looping)</li> + + <li>pop3/tcp server failing (looping)</li> + </ul>mean? When it happens, the listed service shuts down. How can + I fix this?</a> + </li> + + <li> + <a href="#7.17">7.17 What does the syslog message: + + <ul> + <li>Mailbox lock file /tmp/.600.1df3 open failure: Permission + denied</li> + </ul>mean?</a> + </li> + + <li> + <a href="#7.18">7.18 What do the syslog messages: + + <ul> + <li>Command stream end of file, while reading line user=... + host=...</li> + + <li>Command stream end of file, while reading char user=... + host=...</li> + + <li>Command stream end of file, while writing text user=... + host=...</li> + </ul>mean?</a> + </li> + + <li> + <a href="#7.19">7.19 Why did my POP or IMAP session suddenly + disconnect? The syslog has the message: + + <ul> + <li>Killed (lost mailbox lock) user=... host=...</li> + </ul></a> + </li> + + <li><a href="#7.20">7.20 Why does my IMAP client show all the files + on the system, recursively from the UNIX root directory?</a></li> + + <li><a href="#7.21">7.21 Why does my IMAP client show all of my + files, recursively from my UNIX home directory?</a></li> + + <li><a href="#7.22">7.22 Why does my IMAP client show that I have + mailboxes named "#mhinbox", "#mh", "#shared", "#ftp", "#news", and + "#public"?</a></li> + + <li><a href="#7.23">7.23 Why does my IMAP client show all my files in + my home directory?</a></li> + + <li><a href="#7.24">7.24 Why is there a long delay before I get + connected to the IMAP or POP server, no matter what client I + use?</a></li> + + <li><a href="#7.25">7.25 Why is there a long delay in Pine or any + other c-client based application call before I get connected to the + IMAP server? The hang seems to be in the c-client mail_open() call. I + don't have this problem with any other IMAP client. There is no delay + connecting to a POP3 or NNTP server with mail_open().</a></li> + + <li><a href="#7.26">7.26 Why does a message sometimes get split into + two or more messages on my SUN system?</a></li> + + <li> + <a href="#7.27">7.27 Why did my POP or IMAP session suddenly + disconnect? The syslog has the message: + + <ul> + <li>Autologout user=<...my user name...> host=<...my + imap server...></li> + </ul></a> + </li> + + <li> + <a href="#7.28">7.28 What does the UNIX error message: + + <ul> + <li>TLS/SSL failure: myserver: SSL negotiation failed</li> + </ul>mean?</a> + </li> + + <li> + <a href="#7.29">7.29 What does the PC error message: + + <ul> + <li>TLS/SSL failure: myserver: Unexpected TCP input + disconnect</li> + </ul>mean?</a> + </li> + + <li> + <a href="#7.30">7.30 What does the error message: + + <ul> + <li>TLS/SSL failure: myserver: Server name does not match + certificate</li> + </ul>mean?</a> + </li> + + <li> + <a href="#7.31">7.31 What does the UNIX error message: + + <ul> + <li>TLS/SSL failure: myserver: self-signed certificate</li> + </ul>mean?</a> + </li> + + <li> + <a href="#7.32">7.32 What does the PC error message + + <ul> + <li>TLS/SSL failure: myserver: Self-signed certificate or + untrusted authority</li> + </ul>mean?</a> + </li> + + <li> + <a href="#7.33">7.33 What does the UNIX error message: + + <ul> + <li>TLS/SSL failure: myserver: unable to get local issuer + certificate</li> + </ul>mean?</a> + </li> + + <li><a href="#7.34">7.34 Why does reading certain messages hang when + using Netscape? It works fine with Pine!</a></li> + + <li><a href="#7.35">7.35 Why does Netscape say that there's a problem + with the IMAP server and that I should "Contact your mail server + administrator."?</a></li> + + <li><a href="#7.36">7.36 Why is one user creating huge numbers of + IMAP or POP server sessions?</a></li> + + <li><a href="#7.37">7.37 Why don't I get any new mail notifications + from Outlook Express or Outlook after a while?</a></li> + + <li><a href="#7.38">7.38 Why don't I get any new mail notifications + from Entourage?</a></li> + + <li><a href="#7.39">7.39 Why doesn't Entourage work at all?</a></li> + + <li><a href="#7.40">7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) + work at all?</a></li> + + <li><a href="#7.41">7.41 Why can't I connect via SSL to Eudora? It + says the connection has been broken, and in the server syslogs I see + "Command stream end of file".</a></li> + + <li><a href="#7.42">7.42 Sheesh. Aren't there <i>any</i> good IMAP + clients out there?</a></li> + + <li> + <a href="#7.43">7.43 But wait! PC Pine (or other PC program build + with c-client) crashes with the message + + <ul> + <li>incomplete SecBuffer exceeds maximum buffer size</li> + </ul>when I use SSL connections. This is a bug in c-client, right?</a> + </li> + + <li><a href="#7.44">7.44 My qpopper users keep on getting the DON'T + DELETE THIS MESSAGE -- FOLDER INTERNAL DATA if they also use Pine or + IMAP. How can I fix this?</a></li> + + <li><a href="#7.45">7.45 Help! I installed the servers but I can't + connect to them from my client!</a></li> + + <li> + <a href="#7.46">7.46 Why do I get the message + + <ul> + <li>Can not authenticate to SMTP server: 421 SMTP connection went + away!</li> + </ul>and why did this happen? There was also something about + + <ul> + <li>SECURITY PROBLEM: insecure server advertised AUTH=PLAIN</li> + </ul></a> + </li> + + <li> + <a href="#7.47">7.47 Why do I get the message + + <ul> + <li>SMTP Authentication cancelled</li> + </ul>and why did this happen? There was also something about + + <ul> + <li>SECURITY PROBLEM: insecure server advertised AUTH=PLAIN</li> + </ul></a> + </li> + + <li> + <a href="#7.48">7.48 Why do I get the message + + <ul> + <li>Invalid base64 string</li> + </ul>when I try to authenticate to a Cyrus server? + </li></a> + </ul> + </li> + + <li> + <a href="#additional">8. Where to Go For Additional Information</a> + + <ul> + <li><a href="#8.1">8.1 Where can I go to ask questions?</a></li> + + <li><a href="#8.2">8.2 I have some ideas for enhancements to IMAP. + Where should I go?</a></li> + + <li><a href="#8.3">8.3 Where can I read more about IMAP and other + email protocols?</a></li> + + <li><a href="#8.4">8.4 Where can I find out more about setting up and + administering an IMAP server?</a></li> + </ul> + </li> + </ul><!--=======START BODY--> + <hr> + + <h2><a name="general">1. General/Software Feature Questions</a></h2> + <hr> + + <p><a name="1.1"><strong>1.1 Can I set up a POP or IMAP server on + UNIX/Linux/OSF/etc.?</strong></a></p> + + <dl> + <dd>Yes. Refer to the UNIX specific notes in files CONFIG and BUILD.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.2"><strong>1.2 I am currently using qpopper as my POP3 server on + UNIX. Do I need to replace it with ipop3d in order to run + imapd?</strong></a></p> + + <dl> + <dd> + Not necessarily. + + <p>Although ipop3d interoperates with imapd better than qpopper, imapd + and qpopper will work together. The few qpopper/imapd interoperability + issues mostly affect users who use both IMAP and POP3 clients; those + users would probably be better served if their POP3 server is + ipop3d.</p> + + <p>If you are happy with qpopper and just want to add imapd, you should + do that, and defer a decision on changing qpopper to ipop3d. That way, + you can get comfortable with imapd's performance, without changing + anything for your qpopper users.</p> + + <p>Many sites have subsequently decided to change from qpopper to + ipop3d in order to get better POP3/IMAP interoperability. If you need + to do this, you'll know. There also seems to be a way to make qpopper + work better with imapd; see the answer to the <a href="#7.44">My + qpopper users keep on getting the DON'T DELETE THIS MESSAGE -- FOLDER + INTERNAL DATA if they also use Pine or IMAP. How can I fix this?</a> + question.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.3"><strong>1.3 Can I set up a POP or IMAP server on Windows XP, + 2000, NT, Me, 98, or 95?</strong></a></p> + + <dl> + <dd> + Yes. Refer to the NT specific notes in files CONFIG and BUILD. Also, + for DOS-based versions of Windows (Windows Me, 98, and 95) you *must* + set up CRAM-MD5 authentication, as described in md5.txt. + + <p>There is no file access control on Windows 9x or Me, so you probably + will have to do modifications to env_unix.c to prevent people from + hacking others' mail.</p> + + <p>Note, however, that the server is not plug and play the way it is + for UNIX.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.4"><strong>1.4 Can I set up a POP or IMAP server on Windows 3.1 or + DOS?</strong></a><br> + <a name="1.5"><strong>1.5 Can I set up a POP or IMAP server on + Macintosh?</strong></a><br> + <a name="1.6"><strong>1.6 Can I set up a POP or IMAP server on + VAX/VMS?</strong></a></p> + + <dl> + <dd>Yes, it's just a small matter of programming.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.7"><strong>1.7 Can I set up a POP or IMAP server on + TOPS-20?</strong></a></p> + + <dl> + <dd> + You have a TOPS-20 system? Cool. + + <p>If IMAP2 (RFC 1176) is good enough for you, you can use MAPSER which + is about the ultimate gonzo pure TOPS-20 extended addressing assembly + language program. Unfortunately, IMAP2 is barely good enough for Pine + these days, and most other IMAP clients won't work with IMAP2 at all. + Maybe someone will hack MAPSER to do IMAP4rev1 some day.</p> + + <p>We don't know if anyone wrote a POP3 server for TOPS-20. There + definitely was a POP2 server once upon a time.</p> + + <p>Or you can port the POP and IMAP server from this IMAP toolkit to + it. All that you need for a first stab is to port the MTX driver. + That'll probably be just a couple of hours of hacking.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.8"><strong>1.8 Are hierarchical mailboxes + supported?</strong></a><br> + <a name="1.9"><strong>1.9 Are "dual-use" mailboxes + supported?</strong></a><br> + <a name="1.10"><strong>1.10 Can I have a mailbox that has both messages and + sub-mailboxes?</strong></a></p> + + <dl> + <dd> + Yes. However, there is one important caveat. + + <p>Some mailbox formats, including the default which is the traditional + UNIX mailbox format, are stored as a single file containing all the + messages. UNIX does not permit a name in the filesystem to be both a + file and a directory; consequently you can not have a sub-mailbox + within a mailbox that is in one of these formats.</p> + + <p>This is not a limitation of the software; this is a limitation of + UNIX. For example, there are mailbox formats in which the name is a + directory and each message is a file within that directory; these + formats support sub-mailboxes within such mailboxes. However, for + technical reasons, the "flat file" formats are generally preferred + since they perform better. Read imap-2007/docs/formats.txt for more + information on this topic.</p> + + <p>It is always permissible to create a directory that is not a + mailbox, and have sub-mailboxes under it. The easiest way to create a + directory is to create a new mailbox inside a directory that doesn't + already exist. For example, if you create "Mail/testbox" on UNIX, the + directory "Mail/" will automatically be created and then the mailbox + "testbox" will be created as a sub-mailbox of "Mail/".</p> + + <p>It is also possible to create the name "Mail/" directly. Check the + documentation for your client software to see how to do this with that + software.</p> + + <p>Of course, on Windows systems you would use "\" instead of "/".</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.11"><strong>1.11 What is the difference between "mailbox" and + "folder"?</strong></a></p> + + <dl> + <dd> + The term "mailbox" is IMAP-speak for what a lot of software calls a + "folder" or a "mail folder". However, "folder" is often used in other + contexts to refer to a directory, for example, in the graphic user + interface on both Windows and Macintosh. + + <p>A "mailbox" is specifically defined as a named object that contains + messages. It is not required to be capable of containing other types of + objects including other mailboxes; although some mailbox formats will + permit this.</p> + + <p>In IMAP-speak, a mailbox which can not contain other mailboxes is + called a "no-inferiors mailbox". Similarly, a directory which can not + contain messages is not a mailbox and is called a "no-select name".</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.12"><strong>1.12 What is the status of + internationalization?</strong></a></p> + + <dl> + <dd> + The IMAP toolkit is partially internationalized and multilingualized. + + <p>Searching is supported in the following charsets: US-ASCII, UTF-8, + ISO-8859-1, ISO-8859-2, ISO-8859-3, ISO-8859-4, ISO-8859-5, ISO-8859-6, + ISO-8859-7, ISO-8859-8, ISO-8859-9, ISO-8859-10, ISO-8859-11, + ISO-8859-13, ISO-8859-14, ISO-8859-15, ISO-8859-16, KOI8-R, KOI8-U + (alias KOI8-RU), TIS-620, VISCII, ISO-2022-JP, ISO-2022-KR, + ISO-2022-CN, ISO-2022-JP-1, ISO-2022-JP-2, GB2312 (alias CN-GB), + CN-GB-12345, BIG5 (alias CN-BIG5), EUC-JP, EUC-KR, Shift_JIS, + Shift-JIS, KS_C_5601-1987, KS_C_5601-1992, WINDOWS_874, WINDOWS-1250, + WINDOWS-1251, WINDOWS-1252, WINDOWS-1253, WINDOWS-1254, WINDOWS-1255, + WINDOWS-1256, WINDOWS-1257, WINDOWS-1258.</p> + + <p>All ISO-2022-?? charsets are treated identically, and support ASCII, + JIS Roman, hankaku katakana, ISO-8859-[1 - 10], TIS, GB 2312, JIS X + 0208, JIS X 0212, KSC 5601, and planes 1 and 2 of CNS 11643.</p> + + <p>EUC-JP includes support for JIS X 0212 and hankaku katakana.</p> + + <p>c-client library support also exists to convert text in any of the + above charsets into Unicode, including headers with MIME + encoded-words.</p> + + <p>There is no support for localization (e.g. non-English error + messages) at the present time, but such support is planned.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.13"><strong>1.13 Can I use SSL?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.5">How do I configure SSL?</a> + question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.14"><strong>1.14 Can I use TLS and the STARTTLS + facility?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.6">How do I configure TLS and + the STARTTLS facility?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.15"><strong>1.15 Can I use CRAM-MD5 + authentication?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.8">How do I configure CRAM-MD5 + authentication?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.16"><strong>1.16 Can I use APOP authentication?</strong></a></p> + + <dl> + <dd> + Yes. See the <a href="#3.9">How do I configure APOP authentication?</a> + question. + + <p>Note that there is no client support for APOP authentication.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.17"><strong>1.17 Can I use Kerberos V5?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.10">How do I configure + Kerberos V5?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.18"><strong>1.18 Can I use PAM for plaintext + passwords?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.11">How do I configure PAM for + plaintext passwords?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.19"><strong>1.19 Can I use Kerberos 5 for plaintext + passwords?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.13">How do I configure + Kerberos 5 for plaintext passwords?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.20"><strong>1.20 Can I use AFS for plaintext + passwords?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.14">How do I configure AFS for + plaintext passwords?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.21"><strong>1.21 Can I use DCE for plaintext + passwords?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.15">How do I configure DCE for + plaintext passwords?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.22"><strong>1.22 Can I use the CRAM-MD5 database for plaintext + passwords?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.16">How do I configure the + CRAM-MD5 database for plaintext passwords?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.23"><strong>1.23 Can I disable plaintext + passwords?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.17">How do I disable plaintext + passwords?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.24"><strong>1.24 Can I disable plaintext passwords on unencrypted + sessions, but allow them on encrypted sessions?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.18">How do I disable plaintext + passwords on unencrypted sessions, but allow them in SSL or TLS + sessions?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.25"><strong>1.25 Can I use virtual hosts?</strong></a></p> + + <dl> + <dd>Yes. See the answer to the <a href="#3.19">How do I configure virtual + hosts?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.26"><strong>1.26 Can I use RPOP authentication?</strong></a></p> + + <dl> + <dd>There is no support for RPOP authentication.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.27"><strong>1.27 Can I use Kerberos V4?</strong></a></p> + + <dl> + <dd> + Kerberos V4 is not supported. Kerberos V4 client-only contributed code + is available in + <pre> +<a href= +"ftp://ftp.cac.washington.edu/mail/kerberos4-patches.tar.Z">ftp://ftp.cac.washington.edu/mail/kerberos4-patches.tar.Z +</a> +</pre>This is a patchkit which must be applied to the IMAP toolkit according +to the instructions in the patchkit's README. We can not promise that this +code works. + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.28"><strong>1.28 Is there support for S/Key or + OTP?</strong></a></p> + + <dl> + <dd>There is currently no support for S/Key or OTP. There may be an OTP + SASL authenticator available from third parties.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.29"><strong>1.29 Is there support for NTLM or + SPA?</strong></a></p> + + <dl> + <dd> + There is currently no support for NTLM or SPA, nor are there any plans + to add such support. In general, I avoid vendor-specific mechanisms. I + also believe that these mechanisms are being deprecated by their + vendor. + + <p>There may be an NTLM SASL authenticator available from third + parties.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.30"><strong>1.30 Is there support for mh?</strong></a></p> + + <dl> + <dd> + Yes, but only as a legacy format. Your mh format INBOX is accessed by + the name "#mhinbox", and all other mh format mailboxes are accessed by + prefixing "#mh/" to the name, e.g. "#mh/foo". The mh support uses the + "Path:" entry in your .mh_profile file to identify the root directory + of your mh format mailboxes. + + <p>Non-legacy use of mh format is not encouraged. There is no support + for permanent flags or unique identifiers; furthermore there are known + severe performance problems with the mh format.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.31"><strong>1.31 Is there support for qmail and the maildir + format?</strong></a></p> + + <dl> + <dd>There is no support for qmail or the maildir format in our + distribution, nor are there any plans to add such support. Maildir + support may be available from third parties.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.32"><strong>1.32 Is there support for the Cyrus mailbox + format?</strong></a></p> + + <dl> + <dd>No.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="1.33"><strong>1.33 Is this software Y2K compliant?</strong></a></p> + + <dl> + <dd>Please read the files Y2K and calendar.txt.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><br></p> + + <h2><a name="requirements">2. What Do I Need to Build This Software?</a></h2> + <hr> + + <p><a name="2.1"><strong>2.1 What do I need to build this software with SSL on + UNIX?</strong></a></p> + + <dl> + <dd>You need to build and install OpenSSL first.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.2"><strong>2.2 What do I need to build this software with Kerberos + V on UNIX?</strong></a></p> + + <dl> + <dd>You need to build and install MIT Kerberos first.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.3"><strong>2.3 What do I need to use a C++ compiler with this + software to build my own application?</strong></a></p> + + <dl> + <dd> + If you are building an application using the c-client library, use the + new c-client.h file instead of including the other include files. It + seems that c-client.h should define away all the troublesome names that + conflict with C++. + + <p>If you use gcc, you may need to use -fno-operator-names as well.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.4"><strong>2.4 What do I need to build this software on + Windows?</strong></a></p> + + <dl> + <dd> + You need Microsoft Visual C++ 6.0, Visual C++ .NET, or Visual C# .NET + (which you can buy from any computer store), along with the Microsoft + Platform SDK (which you can download from Microsoft's web site). + + <p>You do not need to install the entire Platform SDK; it suffices to + install just the Core SDK and the Internet Development SDK.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.5"><strong>2.5 What do I need to build this software on + DOS?</strong></a></p> + + <dl> + <dd>It's been several years since we last attempted to do this. At the + time, we used Microsoft C.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.6"><strong>2.6 Can't I use Borland C to build this software on the + PC?</strong></a></p> + + <dl> + <dd>Probably not. If you know otherwise, please let us know.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.7"><strong>2.7 What do I need to build this software on the + Mac?</strong></a></p> + + <dl> + <dd>It has been several years since we last attempted to do this. At the + time, we used Symantec THINK C; but today you'll need a C compiler which + allows segments to be more than 32K.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.8"><strong>2.8 What do I need to build this software on + VMS?</strong></a></p> + + <dl> + <dd>You need the VMS C compiler, and either the Multinet or Netlib + TCP.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.9"><strong>2.9 What do I need to build this software on + TOPS-20?</strong></a></p> + + <dl> + <dd>You need the TOPS-20 KCC compiler.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.10"><strong>2.10 What do I need to build this software on Amiga or + OS/2?</strong></a></p> + + <dl> + <dd>We don't know.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="2.11"><strong>2.11 What do I need to build this software on Windows + CE?</strong></a></p> + + <dl> + <dd>This port is incomplete. Someone needs to finish it.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><br></p> + + <h2><a name="build">3. Build and Configuration Questions</a></h2> + <hr> + + <p><a name="3.1"><strong>3.1 How do I configure the IMAP and POP servers on + UNIX?</strong></a><br> + <a name="3.2"><strong>3.2 I built and installed the servers according to the + BUILD instructions. It can't be that easy. Don't I need to write a + config file?</strong></a></p> + + <dl> + <dd> + For ordinary "vanilla" UNIX systems, this software is plug and play; + just build it, install it, and you're done. If you have a modified + system, then you may want to do additional work; most of this is to a + single source code file (env_unix.c on UNIX systems). Read the file + CONFIG for more details. + + <p>Yes, it's that easy. There are some additional options, such as SSL + or Kerberos, which require additional steps to build. See the relevant + questions below.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.3"><strong>3.3 How do I make the IMAP and POP servers look for + INBOX at some place other than the mail spool + directory?</strong></a><br> + <a name="3.4"><strong>3.4 How do I make the IMAP server look for secondary + folders at some place other than the user's home + directory?</strong></a></p> + + <dl> + <dd>Please read the file CONFIG for discussion of this and other + issues.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.5"><strong>3.5 How do I configure SSL?</strong></a><br> + <a name="3.6"><strong>3.6 How do I configure TLS and the STARTTLS + facility?</strong></a></p> + + <dl> + <dd> + imap-2007 supports SSL and TLS client functionality on UNIX and 32-bit + Windows for IMAP, POP3, SMTP, and NNTP; and SSL and TLS server + functionality on UNIX for IMAP and POP3. + + <p>UNIX SSL build requires that a third-party software package, + OpenSSL, be installed on the system first. Read imap-2007/docs/SSLBUILD + for more information.</p> + + <p>SSL is supported via undocumented Microsoft interfaces in Windows 9x + and NT4; and via standard interfaces in Windows 2000, Windows + Millenium, and Windows XP.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.7"><strong>3.7 How do I build/install OpenSSL and obtain/create + certificates for use with SSL?</strong></a></p> + + <dl> + <dd>If you need help in doing this, try the contacts mentioned in the + OpenSSL README. We do not offer support for OpenSSL or certificates.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.8"><strong>3.8 How do I configure CRAM-MD5 + authentication?</strong></a><br> + <a name="3.9"><strong>3.9 How do I configure APOP + authentication?</strong></a></p> + + <dl> + <dd> + CRAM-MD5 authentication is enabled in the IMAP and POP3 client code on + all platforms. Read md5.txt to learn how to set up CRAM-MD5 and APOP + authentication on UNIX and NT servers. + + <p>There is no support for APOP client authentication.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.10"><strong>3.10 How do I configure Kerberos V5?</strong></a></p> + + <dl> + <dd> + imap-2007 supports client and server functionality on UNIX and 32-bit + Windows. + + <p>Kerberos V5 is supported by default in Windows 2000 builds:</p> + <pre> + nmake -f makefile.w2k +</pre> + + <p>Other builds require that a third-party Kerberos package, e.g. MIT + Kerberos, be installed on the system first.</p> + + <p>To build with Kerberos V5 on UNIX, include EXTRAAUTHENTICATORS=gss + in the make command line, e.g.</p> + <pre> + make lnp EXTRAAUTHENTICATORS=gss +</pre> + + <p>To build with Kerberos V5 on Windows 9x, Windows Millenium, and NT4, + use the "makefile.ntk" file instead of "makefile.nt":</p> + <pre> + + nmake -f makefile.ntk +</pre> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.11"><strong>3.11 How do I configure PAM for plaintext + passwords?</strong></a></p> + + <dl> + <dd> + On Linux systems, use the lnp port, e.g. + <pre> + make lnp + +</pre>On Solaris systems and other systems with defective PAM +implementations, build with PASSWDTYPE=pmb, e.g. + <pre> + make sol PASSWDTYPE=pmb +</pre>On all other systems, build with PASSWDTYPE=pam, e.g + <pre> + make foo PASSWDTYPE=pam +</pre>If you build with PASSWDTYPE=pam and authentication does not work, try +rebuilding (after a "make clean") with PASSWDTYPE=pmb. + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.12"><strong>3.12 It looks like all I have to do to make the server + use Kerberos is to build with PAM on my Linux system, and set it up in + PAM for Kerberos passwords. Right?</strong></a></p> + + <dl> + <dd> + Yes and no. + + <p>Doing this will make plaintext password authentication use the + Kerberos password instead of the /etc/passwd password.</p> + + <p>However, this will NOT give you Kerberos-secure authentication. See + the answer to the <a href="#3.10">How do I configure Kerberos V5?</a> + question for how to build with Kerberos-secure authentication.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.13"><strong>3.13 How do I configure Kerberos 5 for plaintext + passwords?</strong></a></p> + + <dl> + <dd> + Build with PASSWDTYPE=gss, e.g. + <pre> + make sol PASSWDTYPE=gss +</pre>However, this will NOT give you Kerberos-secure authentication. See the +answer to the <a href="#3.10">How do I configure Kerberos V5?</a> question +for how to build with Kerberos-secure authentication. + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.14"><strong>3.14 How do I configure AFS for plaintext + passwords?</strong></a></p> + + <dl> + <dd> + Build with PASSWDTYPE=afs, e.g + <pre> + make sol PASSWDTYPE=afs + +</pre> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.15"><strong>3.15 How do I configure DCE for plaintext + passwords?</strong></a></p> + + <dl> + <dd> + Build with PASSWDTYPE=dce, e.g + <pre> + make sol PASSWDTYPE=dce +</pre> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.16"><strong>3.16 How do I configure the CRAM-MD5 database for + plaintext passwords?</strong></a></p> + + <dl> + <dd> + The CRAM-MD5 password database is automatically used for plaintext + password if it exists. + + <p>Note that this is NOT CRAM-MD5-secure authentication. You probably + want to consider disabling plaintext passwords for non-SSL/TLS + sessions. See the next two questions.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.17"><strong>3.17 How do I disable plaintext + passwords?</strong></a></p> + + <dl> + <dd> + Server-level plaintext passwords can be disabled by setting + PASSWDTYPE=nul, e.g. + <pre> + make lnx EXTRAAUTHENTICATORS=gss PASSWDTYPE=nul +</pre>Note that you must have a CRAM-MD5 database installed or specify at +least one EXTRAAUTHENTICATOR, otherwise it will not be possible to log in to +the server. + + <p>When plaintext passwords are disabled, the IMAP server will + advertise the LOGINDISABLED capability and the POP3 server will not + advertise the USER capability.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + + <p><a name="3.18"><strong>3.18 How do I disable plaintext passwords on + unencrypted sessions, but allow them in SSL or TLS + sessions?</strong></a></p> + + <dl> + <dd> + <p>Do not set PASSWDTYPE=nul or SSLTYPE=unix. Set SSLTYPE=nopwd + instead, e.g.</p> + <pre> + make lnx SSLTYPE=nopwd +</pre> + + <p>When plaintext passwords are disabled, the IMAP server will + advertise the LOGINDISABLED capability and the POP3 server will not + advertise the USER capability.</p> + + <p>Plaintext passwords will always be enabled in SSL sessions; the IMAP + server will not advertise the LOGINDISABLED capability and the POP3 + server will advertise the USER capability.</p> + + <p>If the client does a successful start-TLS in a non-SSL session, + plaintext passwords will be enabled, and a new CAPABILITY or CAPA + command (which is required after start-TLS) will show the effect as in + SSL sessions.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.19"><strong>3.19 How do I configure virtual + hosts?</strong></a></p> + + <dl> + <dd> + This is automatic, but with certain restrictions. + + <p>The most important one is that each virtual host must have its own + IP address; otherwise the server has no way of knowing which virtual + host is desired.</p> + + <p>As distributed, the software uses a global password file; hence user + "fred" on one virtual host is "fred" on all virtual hosts. You may want + to modify the checkpw() routine to implement some other policy (e.g. + separate password files).</p> + + <p>Note that the security model assumes that all users have their own + unique UNIX UID number. So if you use separate password files you + should make certain that the UID numbers do not overlap between + different files.</p> + + <p>More advanced virtual host support may be available as patches from + third parties.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.20"><strong>3.20 Why do I get compiler warning messages such + as:</strong></a></p> + <pre> + passing arg 3 of `scandir' from incompatible pointer type + Pointers are not assignment-compatible. + Argument #4 is not the correct type. + +</pre> + + <p><strong>during the build?</strong></p> + + <dl> + <dd> + You can safely ignore these messages. + + <p>Over the years, the prototype for scandir() has changed, and thus is + variant across different UNIX platforms. In particular, the definitions + of the third argument (type select_t) and fourth argument (type + compar_t) have changed over the years, the issue being whether or not + the arguments to the functions pointed to by these function pointers + are of type const or not.</p> + + <p>The way that c-client calls scandir() will tend to generate these + compiler warnings on newer systems such as Linux; however, it will + still build. The problem with fixing the call is that then it won't + build on older systems.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.21"><strong>3.21 Why do I get compiler warning messages such + as</strong></a></p> + <pre> + Operation between types "void(*)(int)" and "void*" is not allowed. + Function argument assignment between types "void*" and "void(*)(int)" is not allowed. + Pointers are not assignment-compatible. + Argument #5 is not the correct type. +</pre> + + <p><strong>during the build?</strong></p> + + <dl> + <dd> + You can safely ignore these messages. + + <p>All known systems have no problem with casting a function pointer + to/from a void* pointer, certain C compilers issue a compiler + diagnostic because this facility is listed as a "Common extension" by + the C standard:</p> + <pre> + K.5.7 Function pointer casts + [#1] A pointer to an object or to void may be cast to a pointer + to a function, allowing data to be invoked as a function (6.3.4). + [#2] A pointer to a function may be cast to a pointer to an + object or to void, allowing a function to be inspected or + modified (for example, by a debugger) (6.3.4). + +</pre>It may be just a "common extension", but this facility is relied upon +heavily by c-client. + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.22"><strong>3.22 Why do I get linker warning messages such + as:</strong></a></p> + <pre> +mtest.c:515: the `gets' function is dangerous and should not be used. +</pre> + + <p><strong>during the build? Isn't this a security bug?</strong></p> + + <dl> + <dd> + You can safely ignore this message. + + <p>Certain linkers, most notably on Linux, give this warning message. + It is indeed true that the traditional gets() function is not a safe + one.</p> + + <p>However, the mtest program is only a demonstration program, a model + of a very basic application program using c-client. It is not something + that you would install, much less run in any security-sensitive + context.</p> + + <p>mtest has numerous other shortcuts that you wouldn't want to do in a + real application program.</p> + + <p>The only "security bug" with mtest would be if it was run by some + script in a security-sensitive context, but mtest isn't particularly + useful for such purposes. If you wanted to write a script to automate + some email task using c-client, you'd be better off using imapd instead + of mtest.</p> + + <p>mtest only has two legitimate uses. It's a useful testbed for me + when debugging new versions of c-client, and it's useful as a model for + someone writing a simple c-client application to see how the various + calls work.</p> + + <p>By the way, if you need a more advanced example of c-client + programming than mtest (and you probably will), I recommend that you + look at the source code for imapd and Pine.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.23"><strong>3.23 Why do I get linker warning messages such + as:</strong></a></p> + <pre> + auth_ssl.c:92: the `tmpnam' function is dangerous and should not be used. +</pre> + + <p><strong>during the build? Isn't this a security bug?</strong></p> + + <dl> + <dd> + You can safely ignore this message. + + <p>Certain linkers, most notably on Linux, give this warning message, + based upon two known issues with tmpnam():</p> + + <dl> + <dd>there can be a buffer overflow if an inadequate buffer is + allocated.</dd> + + <dd>there can be a timing race caused by certain incautious usage of + the return value.</dd> + </dl> + + <p>Neither of these issues applies in the particular use that is made + of tmpnam(). More importantly, the tmpnam() call is never executed on + Linux systems.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="3.24"><strong>3.24 OK, suppose I see a warning message about a + function being "dangerous and should not be used" for something other + than this gets() or tmpnam() call?</strong></a></p> + + <dl> + <dd>Please forward the details for investigation.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><br></p> + + <h2><a name="operation">4. Operational Questions</a></h2> + <hr> + + <p><a name="4.1"><strong>4.1 How can I enable anonymous IMAP + logins?</strong></a></p> + + <dl> + <dd>Create the file /etc/anonymous.newsgroups. At the present time, this + file should be empty. This will permit IMAP logins as anonymous as well + as the ANONYMOUS SASL authenticator. Anonymous users have access to + mailboxes in the #news., #ftp/, and #public/ namespaces only.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="4.2"><strong>4.2 How do I set up an alert message that each IMAP + user will see?</strong></a></p> + + <dl> + <dd>Create the file /etc/imapd.alert with the text of the message. This + text should be kept to one line if possible. Note that this will cause an + alert to every IMAP user every time they initiate an IMAP session, so it + should only be used for critical messages.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="4.3"><strong>4.3 How does the c-client library choose which of its + several mechanisms to use to establish an IMAP connection to the server? + I noticed that it can connect on port 143, port 993, via rsh, and via + ssh.</strong></a></p> + + <dl> + <dd> + c-client chooses how to establish an IMAP connection via the following + rules: + + <ul> + <li>If /ssl is specified, use an SSL connection. Fail otherwise.</li> + + <li>Else if client is a UNIX system and "ssh server exec /etc/rimapd" + works, use that</li> + + <li>Else if /tryssl is specified and an SSL connection works, use + that.</li> + + <li>Else if client is a UNIX system and "rsh server exec /etc/rimapd" + works, use that.</li> + + <li>Else use a non-SSL connection.</li> + </ul> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="4.4"><strong>4.4 I am using a TLS-capable IMAP server, so I don't + need to use /ssl to get encryption. However, I want to be certain that + my session is TLS encrypted before I send my password. How to I do + this?</strong></a></p> + + <dl> + <dd>Use the /tls option in the mailbox name. This will cause an error + message and the connection to fail if the server does not negotiate + STARTTLS.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="4.5"><strong>4.5 How do I use one of the alternative formats + described in the formats.txt document? In particular, I hear that mbx + format will give me better performance and allow shared + access.</strong></a></p> + + <dl> + <dd> + The rumors about mbx format being preferred are true. It is faster than + the traditional UNIX mailbox format and permits shared access. + + <p>However, and this is <em>very important</em>, note that using an + alternative mailbox format is an advanced facility, and only expert + users should undertake it. If you don't understand any of the following + notes, you may not be enough of an expert yet, and are probably better + off not going this route until you are more comfortable with your + understanding.</p> + + <p>Some of the formats, including mbx, are only supported by the + software based on the c-client library, and are not recognized by other + mailbox programs. The "vi" editor will corrupt any mbx format mailbox + that it encounters.</p> + + <p>Another problem is that the certain formats, including mbx, use + advanced file access and locking techniques that do <em>not</em> work + reliably with NFS. NFS is not a real filesystem. Use IMAP instead of + NFS for distributed access.</p> + + <p>Each of the following steps are in escalating order of involvement. + The further you go down this list, the more deeply committed you + become:</p> + + <ul> + <li>The simplest way to create a mbx-format mailbox is to prefix the + name with "#driver.mbx/" when creating a mailbox through c-client. + For example, if you create "#driver.mbx/foo", the mailbox "foo" will + be created in mbx format. Only use "#driver.mbx/" when creating the + mailbox. At all other times, just use the name ("foo" in this + example); the software will automatically select the driver for mbx + whenever that mailbox is accessed without you doing anything + else.</li> + + <li>You can use the "mailutil copy" command to copy an existing + mailbox to a new mailbox in mbx format. Read the man page provided + with the mailutil program for details.</li> + + <li>If you create an mbx-format INBOX, by creating + "#driver.mbx/INBOX" (note that "INBOX" must be all uppercase), then + subsequent access to INBOX by any c-client based application will use + the mbx-format INBOX. Any mail delivered to the traditional format + mailbox in the spool directory (e.g. /var/spool/mail/$USER) will + automatically be copied into the mbx-format INBOX and the spool + directory copy removed.</li> + + <li>You can cause any newly-created mailboxes to be in mbx-format by + default by changing the definition of CREATEPROTO=unixproto to be + CREATEPROTO=mbxproto in src/osdep/unix/Makefile, then rebuilding the + IMAP toolkit (do a "make clean" first). Do not change EMPTYPROTO, + since mbx format mailboxes are never a zero-byte file. If you use + Pine or the imap-utils, you should probably also rebuild them with + the new IMAP toolkit too.</li> + + <li>You can deliver directly to the mbx-format INBOX by use of the + tmail or dmail programs. tmail is for direct invocation from sendmail + (or whatever MTA program you use); dmail is for calls from procmail. + Both of these programs have man pages which must be read carefully + before making this change.</li> + </ul> + + <p>Most other servers (e.g. Cyrus) require use of a non-standard + format. A full-fledged format conversion is not significantly different + from what you have to do with other servers. The difference, which + makes format conversion procedures somewhat more complicated with this + server, is that there is no "all or nothing" requirement with this + server. There are many points in between. A format conversion can be + anything from a single mailbox or single user, to systemwide.</p> + + <p>This is good in that you can decide how far to go, or do the steps + incrementally as you become more comfortable with the result. On the + other hand, there's no "One True Way" which can be boiled down to a + simple set of pedagogical instructions.</p> + + <p>A number of sites have done full-fledged format conversions, and are + reportedly quite happy with the results. Feel free to ask in the + comp.mail.imap newsgroup or the imap-uw mailing list for advice or + help.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="4.6"><strong>4.6 How do I set up shared mailboxes?</strong></a></p> + + <dl> + <dd> + At the simplest level, a shared mailbox is one which has UNIX file and + directory protections which permit multiple users to access it. What + this means is that your existing skills and tools to create and manage + shared files on your UNIX system apply to shared mailboxes; e.g. + <pre> + chmod 666 mailbox +</pre> + + <p>You may want to consider the use of a mailbox format which permits + multiple simultaneous read/write sessions, such as the mbx format. The + traditional UNIX format only allows one read/write session to a + mailbox at a time.</p> + + <p>An additional convenience item are three system directories, which + can be set up for shared namespaces. These are: #ftp, #shared, and + #public, and are defined by creating the associated UNIX users and home + directories as described below.</p> + + <p>#ftp/ refers to the anonymous ftp filesystem exported by the ftp + server, and is equivalent to the home directory for UNIX user "ftp". + For example, #ftp/foo/bar refers to the file /foo/bar in the anonymous + FTP filesystem, or ~ftp/foo/bar for normal users. Anonymous FTP files + are available to anonymous IMAP logins. By default, newly-created files + in #ftp/ are protected 644.</p> + + <p>#public/ refers to an IMAP toolkit convention called "public" files, + and is equivalent to the home directory for UNIX user "imappublic". For + example, #public/foo/bar refers to the file ~imappublic/foo/bar. Public + files are available to anonymous IMAP logins. By default, newly-created + files in #public are created with protection 0666.</p> + + <p>#shared/ refers to an IMAP toolkit convention called "shared" files, + and is equivalent to the home directory for UNIX user "imapshared". For + example, #shared/foo/bar refers to the file ~imapshared/foo/bar. Shared + files are <em>not</em> available to anonymous IMAP logins. By default, + newly-created files in #shared are created with protection 0660.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="4.7"><strong>4.7 How can I make the server syslogs go to someplace + other than the mail syslog?</strong></a></p> + + <dl> + <dd> + The openlog() call that sets the syslog facility is in + <strong>src/osdep/unix/env_unix.c</strong> in routine + <strong>server_init()</strong>. You need to edit this file to change + the syslog facility from LOG_MAIL to the facility you want, then + rebuild. You also need to set up your /etc/syslog.conf properly. + + <p>Refer to the man pages for syslog and syslogd for more information + on what the available syslog facilities are and how to configure + syslogs. If you still don't understand what to do, find a UNIX system + expert.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><br></p> + + <h2><a name="security">5. Security Questions</a></h2> + <hr> + + <p><a name="5.1"><strong>5.1 I see that the IMAP server allows access to + arbitary files on the system, including /etc/passwd! How do I disable + this?</strong></a></p> + + <dl> + <dd> + You should not worry about this if your IMAP users are allowed shell + access. The IMAP server does not permit any access that the user can + not have via the shell. + + <p>If, and only if, you deny your IMAP users shell access, you may want + to consider one of three choices. Note that these choices reduce IMAP + functionality, and may have undesirable side effects. Each of these + choices involves an edit to file + <strong>src/osdep/unix/env_unix.c</strong></p> + + <p>The first (and recommended) choice is to set + <strong>restrictBox</strong> as described in file CONFIG. This will + disable access to the filesystem root, to other users' home directory, + and to superior directory.</p> + + <p>The second (and strongly NOT recommended) choice is to set + <strong>closedBox</strong> as described in file CONFIG. This puts each + IMAP session into a so-called "chroot jail", and thus setting this + option is <em>extremely</em> dangerous; it can make your system much + less secure and open to root compromise attacks. So do not use this + option unless you are <em>absolutely certain</em> that you understand + all the issues of a "chroot jail."</p> + + <p>The third choice is to rewrite routine + <strong>mailboxfile()</strong> to implement whatever mapping from + mailbox name to filesystem name (and restrictions) that you wish. This + is the most general choice. As a guide, you can see at the start of + routine <strong>mailboxfile()</strong> what the + <strong>restrictBox</strong> choice does.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="5.2"><strong>5.2 I've heard that IMAP servers are insecure. Is this + true?</strong></a></p> + + <dl> + <dd> + There are no known security problems in this version of the IMAP + toolkit, including the IMAP and POP servers. The IMAP and POP servers + limit what can be done while not logged in, and as part of the login + process discard all privileges except those of the user. + + <p>As with other software packages, there have been buffer overflow + vulnerabilities in past versions. All known problems of this nature are + fixed in this version.</p> + + <p>There is every reason to believe that the bad guys are engaged in an + ongoing effort to find vulnerabilities in the IMAP toolkit. We look for + such problems, and when one is found we fix it.</p> + + <p>It's unfortunate that any vulnerabilities existed in past versions, + and we're doing my best to keep the IMAP toolkit free of + vulnerabilities. No new vulnerabilities have been discovered in quite a + while, but efforts will not be relaxed.</p> + + <p>Beware of vendors who claim that their implementations can not have + vulnerabilities.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="5.3"><strong>5.3 How do I know that I have the most secure version + of the server?</strong></a></p> + + <dl> + <dd> + The best way is to keep your server software up to date. The bad guys + are always looking for ways to crack software, and when they find one, + let all their friends know. + + <p>Oldtimers used to refer to a concept of <em>software rot</em>: if + your software hasn't been updated in a while, it would "rot" -- tend to + acquire problems that it didn't have when it was new.</p> + + <p>The latest release version of the IMAP toolkit is always available + at <a href= + "ftp://ftp.cac.washington.edu/mail/imap.tar.Z">ftp://ftp.cac.washington.edu/mail/imap.tar.Z</a></p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="5.4"><strong>5.4 I see all these strcpy() and sprintf() calls, those + are unsafe, aren't they?</strong></a></p> + + <dl> + <dd> + Yes and no. + + <p>It can be unsafe to do these calls if you do not know that the + string being written will fit in the buffer. However, they are + perfectly safe if you do know that.</p> + + <p>Beware of programmers who advocate doing a brute-force change of all + instances of</p> + <pre> + strcpy (s,t); +</pre>to + <pre> + strncpy (s,t,n)[n] = '\0'; +</pre>and similar measures in the name of "fixing all possible buffer +overflows." + + <p>There are examples in which a security bug was introduced because of + this type of "fix", due to the programmer using the wrong value for n. + In one case, the programmer thought that n was larger than it actually + was, causing a NUL to be written out of the buffer; in another, n was + too small, and a security credential was truncated.</p> + + <p>What is particularly ironic was that in both cases, the original + strcpy() was safe, because the size of the source string was known to + be safe.</p> + + <p>With all this in mind, the software has been inspected, and it is + believed that all places where buffer overflows can happen have been + fixed. The strcpy()s that are still are in the code occur after a size + check was done in some other way.</p> + + <p>Note that the common C idiom of</p> + <pre> + *s++ = c; +</pre>is just as vulnerable to buffer overflows. You can't cure buffer +overflows by outlawing certain functions, nor is it desirable to do so; +sometimes operations like strcpy() translate into fast machine instructions +for better performance. + + <p>Nothing replaces careful study of code. That's how the bad guys find + bugs. Security is not accomplished by means of brute-force + shortcuts.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="5.5"><strong>5.5 Those /tmp lock files are protected 666, is that + really right?</strong></a></p> + + <dl> + <dd> + Yes. Shared mailboxes won't work otherwise. Also, you get into + accidental denial of service problems with old lock files left lying + around; this happens fairly frequently. + + <p>The deliberate mischief that can be caused by fiddling with the lock + files is small-scale; harassment level at most. There are many -- and + much more effective -- other ways of harassing another user on UNIX. + It's usually not difficult to determine the culprit.</p> + + <p>Before worrying about deliberate mischief, worry first about things + happening by accident!</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><br></p> + + <h2><a name="strange">6. <em>Why Did You Do This Strange Thing?</em> + Questions</a></h2> + <hr> + + <p><a name="6.1"><strong>6.1 Why don't you use GNU autoconfig / automake / + autoblurdybloop?</strong></a></p> + + <dl> + <dd> + Autoconfig et al are not available on all the platforms where the IMAP + toolkit is supported; and do not work correctly on some of the + platforms where they do exist. Furthermore, these programs add another + layer of complexity to an already complex process. + + <p>Coaxing software that uses autoconfig to build properly on platforms + which were not specifically considered by that software wastes an + inordinate amount of time. When (not if) autoconfig fails to do the + right thing, the result is an inpenetrable morass to untangle in order + to find the problem and fix it.</p> + + <p>The concept behind autoconfig is good, but the execution is flawed. + It rarely does the right thing on a platform that wasn't specifically + considered. Human life is too short to debug autoconfig problems, + especially since the current mechanism is so much easier.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.2"><strong>6.2 Why do you insist upon a build with -g? Doesn't it + waste disk and memory space?</strong></a></p> + + <dl> + <dd> + From time to time a submitted port has snuck in without -g. This has + <em>always</em> ended up causing problems. There are only two valid + excuses for not using -g in a port: + + <ul> + <li>The compiler does not support -g</li> + + <li>An alternate form of -g is needed with optimization, e.g. + -g3.</li> + </ul> + + <p>There will be no new ports added without -g (or a suitable + alternative) being set.</p> + + <p>-g has not been arbitrarily added to the ports which do not + currently have it because we don't know if doing so would break the + build. However, any support issues with one of those port <em>will</em> + lead to the correct -g setting being determined and permanently + added.</p> + + <p>Processors are fast enough (and disk space is cheap enough) that -g + should be automatic in all compilers with no way of turning it off, and + /bin/strip should be a symlink to /bin/true. Human life is too short to + deal with binaries built without -g. Such binaries should be a bad + memory of the days of KIPS processors and disks that costs several + dollars per kilobyte.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.3"><strong>6.3 Why don't you make c-client a shared + library?</strong></a></p> + + <dl> + <dd> + All too often, shared libraries create far more problems than they + solve. + + <p>Remember that you only gain the benefit of a shared library when + there are multiple applications which use that shared library. Even + without shared libraries, on most modern operating systems (and many + ancient ones too!) applications will share their text segments between + across multiple processes running the same application. This means that + if your system only runs one application (e.g. imapd) that uses the + c-client library, then you gain no benefit from making c-client a + shared library even if it has 100 imapd processes. You will, however + suffer added complexity.</p> + + <p>If you have a server system that just runs imapd and ipop3d, then + making c-client a shared library will save just one copy of c-client no + matter how many IMAP/POP3 processes are running.</p> + + <p>The problem with shared libraries is that you have to keep around a + copy of the library every time something changes in the library that + would affect the interface the library presents to the application. So, + you end up having many copies of the same shared library.</p> + + <p>If you don't keep multiple copies of the shared library, then one of + two things happens. If there was proper versioning, then you'll get a + message such as "cannot open shared object file" or "minor versions + don't match" and the application won't run. Otherwise, the application + will run, but will fail in mysterious ways.</p> + + <p>Several sites and third-party distributors have modified the + c-client makefile in order to make c-client be a shared library. + <em>When</em> (not <em>if</em>) a c-client based application fails in + mysterious ways because of a library compatibility problem, the result + is a bug report. A lot of time and effort ends up getting wasted + investigating such bug reports.</p> + + <p>Memory is so cheap these days that it's not worth it. Human life is + too short to deal with shared library compatibility problems.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.4"><strong>6.4 Why don't you use iconv() for internationalization + support?</strong></a></p> + + <dl> + <dd>iconv() is not ubiquitous enough.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.5"><strong>6.5 Why is the IMAP server connected to the home + directory by default?</strong></a></p> + + <dl> + <dd> + The IMAP server has no way of knowing what you might call "mail" as + opposed to "some other file"; in fact, you can use IMAP to access any + file. + + <p>The IMAP server also doesn't know whether your preferred + subdirectory for mailbox files is "mail/", ".mail/", "Mail/", + "Mailboxes/", or any of a zillion other possibilities. If one such name + were chosen, it would undoubtably anger the partisans of all the other + names.</p> + + <p>It is possible to modify the software so that the default connected + directory is someplace else. Please read the file CONFIG for discussion + of this and other issues.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.6"><strong>6.6 I have a Windows system. Why isn't the server plug + and play for me?</strong></a></p> + + <dl> + <dd> + There is no standard for how mail is stored on Windows; nor a single + standard SMTP server. The closest to either would be the SMTP server in + Microsoft's IIS. + + <p>So there's no default by which to make assumptions. As the software + is set up, it assumes that the each user has an Windows login account + and private home directory, and that mail is stored on that home + directory as files in one of the popular UNIX formats. It also assumes + that there is some tool equivalent to inetd on UNIX that does the + TCP/IP listening and server startup.</p> + + <p>Basically, unless you're an email software hacker, you probably want + to look elsewhere if you want IMAP/POP servers for Windows.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.7"><strong>6.7 I looked at the UNIX SSL code and saw that you have + the SSL data payload size set to 8192 bytes. SSL allows 16K; why aren't + you using the full size?</strong></a></p> + + <dl> + <dd> + This is to avoid an interoperability problem with: + + <ul> + <li>PC IMAP clients that use Microsoft's SChannel.DLL (SSPI) for SSL + support</li> + + <li>Microsoft Exchange server (which also uses SChannel).</li> + </ul> + + <p>SChannel has a bug that makes it think that the maximum SSL data + payload size is 16379 bytes -- 5 bytes too small. Thus, c-client has to + make sure that it never transmits full sized SSL packets.</p> + + <p>The reason for using 8K (as opposed to, say, 16379 bytes, or 15K, + or...) is that it corresponds with the TCP buffer size that the + software uses elsewhere for input; there's a slight performance benefit + to having the two sizes correspond or at least be a multiple of each + other. Also, it keeps the size as a power of two, which might be + significant on some platforms.</p> + + <p>There wasn't a significant difference that we could measure between + 8K and 15K.</p> + + <p>Microsoft has developed a hotfix for this bug. Look up MSKB article + number 300562. Contrary to the article text which implies that this is + a Pine issue, this bug also affects Microsoft Exchange server with + <em>any</em> client that transmits full-sized SSL payloads.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.8"><strong>6.8 Why is an mh format INBOX called #mhinbox instead + of just INBOX?</strong></a></p> + + <dl> + <dd> + It's a long story. In brief, the mh format driver is less functional + than any of the other drivers. It turned out that there were some users + (including high-level administrators) who tried mh years ago and no + longer use it, but still had an mh profile left behind. + + <p>When the mh driver used INBOX, it would see the mh profile, and + proceed to move the user's INBOX into the mh format INBOX. This caused + considerable confusion as some things stopped working.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.9"><strong>6.9 Why don't you support the maildir + format?</strong></a></p> + + <dl> + <dd> + It is technically difficult to support maildir in IMAP while + maintaining acceptable performance, robustness, following the + requirements of the IMAP protocol specification, and following the + requirements of maildir. + + <p>No one has succeeded in accomplishing all four together. The various + maildir drivers offered as patches all have these problems. The problem + is exacerbated because this implementation supports multiple formats; + consequently this implementation can't make any performance shortcuts + by assuming that all the world is maildir.</p> + + <p>We can't do a better job than the maildir fan community has done + with their maildir drivers. Similarly, if the maildir fan community + provides the maildir driver, they take on the responsibility for + answering maildir-specific support questions. This is as it should be, + and that is why maildir support is left to the maildir fan + community.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.10"><strong>6.10 Why don't you support the Cyrus + format?</strong></a></p> + + <dl> + <dd> + There's no point to doing so. An implementation which supports multiple + formats will never do as well as one which is optimized to support one + single format. + + <p>If you want to use Cyrus mailbox format, you should use the Cyrus + server, which is the native implementation of that format and is + specifically optimized for that format. That's also why Cyrus doesn't + implement any other format.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.11"><strong>6.11 Why is it creating extra forks on my SVR4 + system?</strong></a></p> + + <dl> + <dd> + This is because your system only has fcntl() style locking and not + flock() style locking. fcntl() locking has a design flaw that causes a + close() to release any locks made by that process on the file opened on + that file descriptor, even if the lock was made on a different file + descriptor. + + <p>This design flaw causes unexpected loss of lock, and consequent + mailbox corruption. The workaround is to do certain "dangerous + operations" in another fork, thus avoiding doing a close() in the + vulnerable fork.</p> + + <p>The best way to solve this problem is to upgrade your SVR4 (Solaris, + AIX, HP-UX, SGI) or OSF/1 system to a more advanced operating system, + such as Linux or BSD. These more advanced operating systems have + fcntl() locking for compatibility with SVR4, but also have flock() + locking.</p> + + <p>Beware of certain SVR4 systems, such as AIX, which have an "flock()" + function in their C library that is just a jacket that does an fcntl() + lock. This is not a true flock(), and has the same design flaw as + fcntl().</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.12"><strong>6.12 Why are you so fussy about the date/time format in + the internal <code>"From "</code> line in traditional UNIX mailbox + files? My other mail program just considers every line that starts with + <code>"From "</code> to be the start of the message.</strong></a></p> + + <dl> + <dd> + You just answered your own question. If any line that starts with + <code>"From "</code> is treated as the start of a message, then + every message text line which starts with <code>"From "</code> has + to be quoted (typically by prefixing a ">" character). People + complain about this -- "why did a > get stuck in my message?" + + <p>So, good mail reading software only considers a line to be a + <code>"From "</code> line if it follows the actual specification + for a "From " line. This means, among other things, that the day of + week is fixed-format: <code>"May 14"</code>, but + <code>"May 7"</code> (note the extra space) as opposed to + <code>"May 7"</code>. ctime() format for the date is the most + common, although POSIX also allows a numeric timezone after the + year. For compatibility with ancient software, the seconds are optional, + the timezone may appear before the year, the old 3-letter timezones are + also permitted, and "remote from xxx" may appear after the whole + thing.</p> + + <p>Unfortunately, some software written by novices use other formats. + The most common error is to have a variable-width day of month, perhaps + in the erroneous belief that RFC 2822 (or RFC 822) defines the format of + the date/time in the <code>"From "</code> line (it doesn't; no RFC + describes internal formats). I've seen a few other goofs, such as a + single-digit second, but these are less common.</p> + + <p>If you are writing your own software that writes mailbox files, and + you really aren't all that savvy with all the ins and outs and ancient + history, you should seriously consider using the c-client library (e.g. + routine mail_append()) instead of doing the file writes yourself. If + you must do it yourself, use ctime(), as in:</p> + <pre> + fprintf (mbx,"From %s@%h %s",user,host,ctime (time (0))); +</pre>rather than try to figure out a good format yourself. ctime() is the +most traditional format and nobody will flame you for using it. + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.13"><strong>6.13 Why is traditional UNIX format the default + format?</strong></a></p> + + <dl> + <dd>Compatibility with the past 30 or so years of UNIX history. This + server is the only one that completely interoperates with legacy UNIX + mail tools.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.14"><strong>6.14 Why do you write this "DON'T DELETE THIS MESSAGE + -- FOLDER INTERNAL DATA" message at the start of traditional UNIX and + MMDF format mailboxes?</strong></a></p> + + <dl> + <dd> + This pseudo-message serves two purposes. + + <p>First, it establishes the mailbox format even when the mailbox has + no messages. Otherwise, a mailbox with no messages is a zero-byte file, + which could be one of several formats.</p> + + <p>Second, it holds mailbox metadata used by IMAP: the UID validity, + the last assigned UID, and mailbox keywords. Without this metadata, + which must be preserved even when the mailbox has no messages, the + traditional UNIX format wouldn't be able to support the full + capabilities of IMAP.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.15"><strong>6.15 Why don't you stash the mailbox metadata in the + first real message of the mailbox instead of writing this fake FOLDER + INTERNAL DATA message?</strong></a></p> + + <dl> + <dd> + In fact, that is what is done if the mailbox is non-empty and does not + already have a FOLDER INTERNAL DATA message. + + <p>One problem with doing that is that if some external program removes + the first message, the metadata is lost and must be recreated, thus + losing any prior UID or keyword list status that IMAP clients may + depend upon.</p> + + <p>Another problem is that this doesn't help if the last message is + deleted. This will result in an empty mailbox, and the necessity to + create a FOLDER INTERNAL DATA message.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.16"><strong>6.16 Why aren't "dual-use" mailboxes the + default?</strong></a></p> + + <dl> + <dd>Compatibility with the past 30 or so years of UNIX history, not to + mention compatibility with user expectations when using shell tools.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.17"><strong>6.17 Why do you use ucbcc to build on + Solaris?</strong></a></p> + + <dl> + <dd> + It is a long, long story about why cc is set to ucbcc. You need to + invoke the C compiler so that it links with the SVR4 libraries and not + the BSD libraries, otherwise readdir() will return the wrong + information. + + <p>Of all the names in the most common path, ucbcc is the only name to + be found (on /usr/ccs/bin) that points to a suitable compiler. cc is + likely to be /usr/ucb/cc which is absolutely not the compiler that you + want. The real SVR4 cc is probably something like /opt/SUNWspro/bin/cc + which is rarely in anyone's path by default.</p> + + <p>ucbcc is probably a link to acc, e.g. /opt/SUNWspro/SC4.0/bin/acc, + and is the UCB C compiler using the SVR4 libraries.</p> + + <p>If ucbcc isn't on your system, then punt on the SUN C compiler and + use gcc instead (the gso port instead of the sol port).</p> + + <p>If, in spite of all the above warnings, you choose to change "ucbcc" + to "cc", you will probably find that the -O2 needs to be changed to -O. + If you don't get any error messages with -O2, that's a pretty good + indicator that you goofed and are running the compiler that will link + with the BSD libraries.</p> + + <p>To recap:</p> + + <ul> + <li>The sol port is designed to be built using the UCB compiler using + the SVR4 libraries. This compiler is "ucbcc", which is lunk to acc. + You use -O2 as one of the CFLAGS.</li> + + <li>If you build the sol port with the UCB compiler using the BSD + libraries, you will get no error messages but you will get bad + binaries (the most obvious symptom is dropping the first two + characters return filenames from the imapd LIST command. This + compiler also uses -O2, and is very often what the user gets from + "cc". <strong>BEWARE</strong></li> + + <li>If you build the sol port with the real SVR4 compiler, which is + often hidden away or unavailable on many systems, then you will get + errors from -O2 and you need to change that to -O. But you will get a + good binary. However, you should try it with -O2 first, to make sure + that you got this compiler and not the UCB compiler using BSD + libraries.</li> + </ul> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.18"><strong>6.18 Why should I care about some old system with BSD + libraries? cc is the right thing on my Solaris system!</strong></a></p> + + <dl> + <dd> + Because there still are sites that use such systems. On those systems, + the assumption that "cc" does the right thing will lead to corrupt + binaries with no error message or other warning that anything is amiss. + + <p>Too many sites have fallen victim to this problem.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.19"><strong>6.19 Why do you insist upon writing .lock files in the + spool directory?</strong></a></p> + + <dl> + <dd>Compatibility with the past 30 years of UNIX software which deals + with the spool directory, especially software which delivers mail. + Otherwise, it is possible to lose mail.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="6.20"><strong>6.20 Why should I care about compatibility with the + past?</strong></a></p> + + <dl> + <dd>This is one of those questions in which the answer never convinces + those who ask it. Somehow, everybody who ever asks this question ends up + answering it for themselves as they get older, with the very answer that + they rejected years earlier.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><br></p> + + <h2><a name="problems">7. Problems and Annoyances</a></h2> + <hr> + + <p><a name="7.1"><strong>7.1 Help! My INBOX is empty! What happened to my + messages?</strong></a></p> + + <dl> + <dd> + If you are seeing "0 messages" when you open INBOX and you know you + have messages there (and perhaps have looked at your mail spool file + and see that messages are there), then probably there is something + wrong with the very first line of your mail spool file. Make sure that + the first five bytes of the file are "From ", followed by an email + address and a date/time in ctime() format, e.g.: + <pre> + From fred@foo.bar Mon May 7 20:54:30 2001 +</pre> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.2"><strong>7.2 Help! All my messages in a non-INBOX mailbox have + been concatenated into one message which claims to be from me and has a + subject of the file name of the mailbox! What's going + on?</strong></a></p> + + <dl> + <dd> + Something wrong with the very first line of the mailbox. Make sure that + the first five bytes of the file are "From ", followed by an email + address and a date/time in ctime() format, e.g.: + <pre> + From fred@foo.bar Mon May 7 20:54:30 2001 +</pre> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.3"><strong>7.3 Why do I get the message:</strong> <tt>CREATE + failed: Can't create mailbox node xxxxxxxxx: File exists</tt> + <strong>and how do I fix it?</strong></a></p> + + <dl> + <dd>See the answer to the <a href="#1.8">Are hierarchical mailboxes + supported?</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.4"><strong>7.4 Why can't I log in to the server? The user name and + password are right!</strong></a></p> + + <dl> + <dd> + There are a myriad number of possible answers to this question. The + only way to say for sure what is wrong is run the server under a + debugger such as gdb while root (yes, you must be root) with a + breakpoint at routines checkpw() and loginpw(), then single-step until + you see which test rejected you. The server isn't going to give any + error messages other than "login failed" in the name of not giving out + any unnecessary information to unauthorized individuals. + + <p>Here are some of the more common reasons why login may fail:</p> + + <ul> + <li>You didn't really give the correct user name and/or + password.</li> + + <li>Your client doesn't send the LOGIN command correctly; for + example, IMAP2 clients won't send a password containing a "*" + correctly to an IMAP4 server.</li> + + <li>If you have set up a CRAM-MD5 database, remember that the + password used is the one in the CRAM-MD5 database, and furthermore + that there must also be an entry in /etc/passwd (but the /etc/passwd + password is not used).</li> + + <li>If you are using PAM, have you created a service file for the + server in /etc/pam.d?</li> + + <li>If you are using shadow passwords, have you used an appropriate + port when building? In particular, note that "lnx" is for Linux + systems without shadow passwords; you probably want "slx" or "lnp" + instead.</li> + + <li>If your system has account or password expirations, check to see + that the expiration date hasn't passed.</li> + + <li>You can't log in as root or any other UID 0 user. This is for + your own safety, not to mention the fact that the servers use UID 0 + as meaning "not logged in".</li> + </ul> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.5"><strong>7.5 Help! My load average is soaring and I see hundreds + of POP and IMAP servers, many logged in as the same + user!</strong></a></p> + + <dl> + <dd> + Certain inferior losing GUI mail reading programs have a "synchronize + all mailboxes at startup" (IMAP) or "check for new mail every second" + (POP) feature which causes a rapid and unchecked spawning of servers. + + <p>This is not a problem in the server; the client is really asking for + all those server sessions. Unfortunately, there isn't much that the POP + and IMAP servers can do about it; they don't spawned themselves.</p> + + <p>Some sites have added code to record the number of server sessions + spawned per user per hour, and disable login for a user who has + exceeded a predetermined rate. This doesn't stop the servers from being + spawned; it just means that a server session will commit suicide a bit + faster.</p> + + <p>Another possibility is to detect excessive server spawning activity + at the level where the server is spawned, which would be inetd or + possibly tcpd. The problem here is that this is a hard time to + quantify. 50 sessions in a minute from a multi-user timesharing system + may be perfectly alright, whereas 10 sessions a minute from a PC may be + too much.</p> + + <p>The real solution is to fix the client configuration, by disabling + those evil features. Also tell the vendors of those clients how you + feel about distributing denial-of-service attack tools in the guise of + mail reading programs.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.6"><strong>7.6 Why does mail disappear even though I set "keep + mail on server"?</strong></a><br> + <a name="7.7"><strong>7.7 Why do I get the message</strong> <tt>Moved ##### + bytes of new mail to /home/user/mbox from /var/spool/mail/user</tt> + <strong>and why did this happen?</strong></a></p> + + <dl> + <dd> + This is probably caused by the mbox driver. If the file "mbox" exists + on the user's home directory and is in UNIX mailbox format, then when + INBOX is opened this file will be selected as INBOX instead of the mail + spool file. Messages will be automatically transferred from the mail + spool file into the mbox file. + + <p>To disable this behavior, delete "mbox" from the EXTRADRIVERS list + in the top-level Makefile and rebuild. Note that if you do this, users + won't be able to access the messages that have already been moved to + mbox unless they open mbox instead of INBOX.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.8"><strong>7.8 Why isn't it showing the local host name as a + fully-qualified domain name?</strong></a><br> + <a name="7.9"><strong>7.9 Why is the local host name in the + From/Sender/Message-ID headers of outgoing mail not coming out as a + fully-qualified domain name?</strong></a></p> + + <dl> + <dd> + Your UNIX system is misconfigured. The entry for your system in + /etc/hosts must have the fully-qualified domain name first, e.g. + <pre> + 105.69.1.234 myserver.example.com myserver +</pre> + + <p>A common mistake of novice system administrators is to have the + short name first, e.g.</p> + <pre> + 105.69.1.234 myserver myserver.example.com + +</pre> + + <p>or to omit the fully qualified domain name entirely, e.g.</p> + <pre> + 105.69.1.234 myserver +</pre> + + <p>The result of this is that when the IMAP toolkit does a + gethostbyname() call to get the fully-qualified domain name, it would + get "myserver" instead of "myserver.example.com".</p> + + <p>On some systems, a configuration file (typically named + /etc/svc.conf, /etc/netsvc.conf, or /etc/nsswitch.conf) can be used to + configure the system to use the domain name system (DNS) instead of + /etc/hosts, so it doesn't matter if /etc/hosts is misconfigured.</p> + + <p>Check the man pages for gethostbyname, hosts, svc, and/or netsvc for + more information.</p> + + <p>Unfortunately, certain vendors, most notably SUN, have failed to + make this clear in their documentation. Most of SUN's documentation + assumes a corporate network that is not connected to the Internet.</p> + + <p>net.folklore once (late 1980s) held that the proper procedure was to + append the results of getdomainname() to the name returned by + gethostname(), and some versions of sendmail configuration files were + distributed that did this. This was incorrect; the string returned from + getdomainname() is the Yellow Pages (a.k.a NIS) domain name, which is a + completely different (albeit unfortunately named) entity from an + Internet domain. These were often fortuitously the same string, except + when they weren't. Frequently, this would result in host names with + spuriously doubled domain names, e.g.</p> + <pre> + myserver.example.com.example.com + +</pre> + + <p>This practice has been thoroughly discredited for many years, but + folklore dies hard.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.10"><strong>7.10 What does the message:</strong> <tt>Mailbox + vulnerable - directory /var/spool/mail must have 1777 protection</tt> + <strong>mean? How can I fix this?</strong></a></p> + + <dl> + <dd> + In order to update a mailbox in the default UNIX format, it is + necessary to create a lock file to prevent the mailer from delivering + mail while an update is in progress. Some systems use a directory + protection of 775, requiring that all mail handling programs be setgid + mail; or of 755, requiring that all mail handling programs be setuid + root. + + <p>The IMAP toolkit does not run with any special privileges, and I + plan to keep it that way. It is antithetical to the concept of a + toolkit if users can't write their own programs to use it. Also, I've + had enough bad experiences with security bugs while running privileged; + the IMAP and POP servers have to be root when not logged in, in order + to be able to log themselves in. I don't want to go any deeper down + that slippery slope.</p> + + <p>Directory protection 1777 is secure enough on most well-managed + systems. If you can't trust your users with a 1777 mail spool (petty + harassment is about the limit of the abuse exposure), then you have + much worse problems then that.</p> + + <p>If you absolutely insist upon requiring privileges to create a lock + file, external file locking can be done via a setgid mail program named + /etc/mlock (this is defined by LOCKPGM in the c-client Makefile). If + the toolkit is unable to create a <...mailbox...>.lock file in + the directory by itself, it will try to call mlock to do it. I do not + recommend doing this for performance reasons.</p> + + <p>A sample mlock program is included as part of imap-2007. We have + tried to make this sample program secure, but it has not been + thoroughly audited.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.11"><strong>7.11 What does the message:</strong> <tt>Mailbox is + open by another process, access is readonly</tt> <strong>mean? How do I + fix this?</strong></a></p> + + <dl> + <dd> + A problem occurred in applying a lock to a /tmp lock file. Either some + other program has the mailbox open and won't relenquish it, or + something is wrong with the protection of /tmp or the lock. + + <p>Make sure that the /tmp directory is protected 1777. Some security + scripts incorrectly set the protection of the /tmp directory to 775, + which disables /tmp for all non-privileged programs.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.12"><strong>7.12 What does the message:</strong> <tt>Can't get + write access to mailbox, access is readonly</tt> + <strong>mean?</strong></a></p> + + <dl> + <dd>The mailbox file is write-protected against you.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.13"><strong>7.13 I set my POP3 client to "delete messages from + server" but they never get deleted. What is wrong?</strong></a></p> + + <dl> + <dd> + Make sure that your mailbox is not read-only: that the mailbox is owned + by you and write enabled (protection 0600), and that the /tmp directory + is longer world-writeable. /tmp must be world-writeable because lots of + applications use it for scratch space. To fix this, do + <pre> + + chmod 1777 /tmp +</pre>as root. + + <p>Make sure that your POP3 client issues a QUIT command when it + finishes. The POP3 protocol specifies that deletions are discarded + unless a proper QUIT is done.</p> + + <p>Make sure that you are not opening multiple POP3 sessions to the + same mailbox. It is a requirement of the POP3 protocol than only one + POP3 session be in effect to a mailbox at a time, however some, + poorly-written POP3 clients violate this. Also, some background "check + for new mail" tasks also cause a violation. See the answer to the + <a href="#7.19">What does the syslog message: Killed (lost mailbox + lock) user=... host=... mean?</a> question for more details.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.14"><strong>7.14 What do messages such as:</strong></a></p> + <pre> + Message ... UID ... already has UID ... + Message ... UID ... less than ... + Message ... UID ... greater than last ... + Invalid UID ... in message ..., rebuilding UIDs +</pre> + + <p><strong>mean?</strong></p> + + <dl> + <dd> + Something happened to corrupt the unique identifier regime in the + mailbox. In traditional UNIX-format mailboxes, this can happen if the + user deleted the "DO NOT DELETE" internal message. + + <p>This problem is relatively harmless; a new valid unique identifier + regime will be created. The main effect is that any references to the + old UIDs will no longer be useful.</p> + + <p>So, unless it is a chronic problem or you feel like debugging, you + can safely ignore these messages.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.15"><strong>7.15 What do the error messages:</strong></a></p> + <pre> + Unable to read internal header at ... + Unable to find CRLF at ... + Unable to parse internal header at ... + Unable to parse message date at ... + Unable to parse message flags at ... + Unable to parse message UID at ... + Unable to parse message size at ... + Last message (at ... ) runs past end of file ... +</pre> + + <p><strong>mean? I am using mbx format.</strong></p> + + <dl> + <dd> + The mbx-format mailbox is corrupted and needs to be repaired. + + <p>You should make an effort to find out why the corruption happened. + Was there an obvious system problem (crash or disk failure)? Did the + user accidentally access the file via NFS? Mailboxes don't get + corrupted by themselves; something caused the problem.</p> + + <p>Some people have developed automated scripts, but if you're + comfortable using emacs it's pretty easy to fix it manually. Do + <em>not</em> use vi or any other editor unless you are certain that + editor can handle binary!!!</p> + + <p>If you are not comfortable with emacs, or if the file is too large + to read with emacs, see the "step-by-step" technique later on for + another way of doing it.</p> + + <p>After the word "at" in the error message is the byte position it got + to when it got unhappy with the file, e.g. if you see:</p> + <pre> + Unable to parse internal header at 43921: ne bombastic blurdybloop +</pre>The problem occurs at the 43,931 byte in the file. That's the point you +need to fix. c-client is expecting an internal header at that byte number, +looking something like: + <pre> + 6-Jan-1998 17:42:24 -0800,1045;000000100001-00000001 +</pre>The format of this internal line is: + <pre> + dd-mmm-yyyy hh:mm:ss +zzzz,ssss;ffffffffFFFF-UUUUUUUU +</pre>The only thing that is variable is the "ssss" field, it can be as many +digits as needed. All other fields (inluding the "dd") are fixed width. So, +the easiest thing to do is to look forward in the file for the next internal +header, and delete everything from the error point to that internal header. + + <p>Here's what to do if you want to be smarter and do a little bit more + work. Generally, you're in the middle of a message, and there's nothing + wrong with that message. The problem happened in the *previous* + message. So, search back to the previous internal header. Now, remember + that "ssss" field? That's the size of that message.</p> + + <p>Mark where you are in the file, move the cursor to the line after + the internal header, and skip that many bytes ("ssss") forward. If + you're at the point of the error in the file, then that message is + corrupt. If you're at a different point, then perhaps the previous + message is corrupt and has a too long size count that "ate" into this + message.</p> + + <p>Basically, what you need to do is make sure that all those size + counts are right, and that moving "ssss" bytes from the line after the + internal header will land you at another internal header.</p> + + <p>Usually, once you know what you're looking at, it's pretty easy to + work out the corruption, and the best remedial action. Repair scripts + will make the problem go away but may not always do the smartest/best + salvage of the user's data. Manual repair is more flexible and usually + preferable.</p> + + <p>Here is a step-by-step technique for fixing corrupt mbx files that's + a bit cruder than the procedure outlined above, but works for any size + file.</p> + + <p>In this example, suppose that the corrupt file is INBOX, the error + message is</p> + <pre> + Unable to find CRLF at 132551754 +</pre>and the size of the INBOX file is 132867870 bytes. + + <p>The first step is to split the mailbox file at the point of the + error:</p> + + <ul> + <li>Rename the INBOX file to some other name, such as INBOX.bad.</li> + + <li>Copy the first 132,551,754 bytes of INBOX.bad to another file, + such as INBOX.new.</li> + + <li>Extract the trailing 316,116 bytes (132867870-132551754) of + INBOX.bad into another file, such as INBOX.tail.</li> + + <li>You no longer need INBOX.bad. Delete it.</li> + </ul>In other words, use the number from the "Unable to find CRLF at" + as the point to split INBOX into two new files, INBOX.new and + INBOX.tail. + + <p>Now, remove the erroneous data:</p> + + <ul> + <li>Verify that you can open INBOX.new in IMAP or Pine.</li> + + <li>The last message of INBOX.new is probably corrupted. Copy it to + another file, such as badmsg.1, then delete and expunge that last + message from INBOX.new</li> + + <li>Locate the first occurance of text in INBOX.tail which looks like + an internal header, as described above.</li> + + <li>Remove all the text which occurs prior to that point, and place + it into another file, such as badmsg.2. Note that in the case of a + single digit date, there is a leading space which must not be removed + (e.g. " 6-Nov-2001" not "6-Nov-2001").</li> + </ul> + + <p>Reassemble the mailbox:</p> + + <ul> + <li>Append INBOX.tail to INBOX.new.</li> + + <li>You no longer need INBOX.tail. Delete it.</li> + + <li>Verify that you can open INBOX.new in IMAP or Pine.</li> + </ul> + + <p>Reinstall INBOX.new as INBOX:</p> + + <ul> + <li>Check to see if you have received any new messages while + repairing INBOX.</li> + + <li>If you haven't received any new messages while repairing INBOX, + just rename INBOX.new to INBOX.</li> + + <li>If you have received new messages, be sure to copy the new + messages from INBOX to INBOX.new before doing the rename.</li> + </ul> + + <p>You now have a working INBOX, as well as two files with corrupted + data (badmsg.1 and badmsg.2). There may be some useful data in the two + badmsg files that you might want to try salvaging; otherwise you can + delete the two badmsg files.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.16"><strong>7.16 What do the syslog messages:</strong></a></p> + <pre> + + imap/tcp server failing (looping) + pop3/tcp server failing (looping) +</pre> + + <p><strong>mean? When it happens, the listed service shuts down. How can I + fix this?</strong></p> + + <dl> + <dd> + The error message "server failing (looping), service terminated" is not + from either the IMAP or POP servers. Instead, it comes from inetd, the + daemon which listens for TCP connections to a number of servers, + including the IMAP and POP servers. + + <p>inetd has a limit of 40 new server sessions per minute for any + particular service. If more than 40 sessions are initiated in a minute, + inetd will issue the "failing (looping), service terminated" message + and shut down the service for 10 minutes. inetd does this to prevent + system resource consumption by a client which is spawning infinite + numbers of servers. It should be noted that this is a denial of + service; however for some systems the alternative is a crash which + would be a worse denial of service!</p> + + <p>For larger server systems, the limit of 40 is much too low. The + limit was established many years ago when a system typically only ran a + few dozen servers.</p> + + <p>On some versions of inetd, such as the one distributed with most + versions of Linux, you can modify the <strong>/etc/inetd.conf</strong> + file to have a larger number of servers by appending a period followed + by a number after the <strong>nowait</strong> word for the server + entry. For example, if your existing /etc/inetd.conf line reads:</p> + <pre> + imap stream tcp nowait root /usr/etc/imapd imapd +</pre>try changing it to be: + <pre> + imap stream tcp nowait.100 root /usr/etc/imapd imapd +</pre>Another example (using TCP wrappers): + <pre> + imap stream tcp nowait root /usr/sbin/tcpd imapd +</pre>try changing it to be: + <pre> + imap stream tcp nowait.100 root /usr/sbin/tcpd imapd + +</pre>to increase the limit to 100 sessions/minute. + + <p>Before making this change, please read the information in "man + inetd" to determine whether or not your inetd has this feature. If it + does not, and you make this change, the likely outcome is that you will + disable IMAP service entirely.</p> + + <p>Another way to fix this problem is to edit the inetd.c source code + (provided by your UNIX system vendor) to set higher limits, rebuild + inetd, install the new binary, and reboot your system. This should only + be done by a UNIX system expert. In the inetd.c source code, the limits + <strong>TOOMANY</strong> (normally 40) is the maximum number of new + server sessions permitted per minute, and <strong>RETRYTIME</strong> + (normally 600) is the number of seconds inetd will shut down the server + after it exceeds TOOMANY.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.17"><strong>7.17 What does the syslog message:</strong> + <tt>Mailbox lock file /tmp/.600.1df3 open failure: Permission + denied</tt> <strong>mean?</strong></a></p> + + <dl> + <dd> + This usually means that some "helpful" security script person has + protected /tmp so that it is no longer world-writeable. /tmp must be + world-writeable because lots of applications use it for scratch space. + To fix this, do + <pre> + chmod 1777 /tmp + +</pre>as root. + + <p>If that isn't the answer, check the protection of the named file. If + it is something other than 666, then either someone is hacking or some + "helpful" person modified the code to have a different default lock + file protection.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.18"><strong>7.18 What do the syslog messages:</strong></a></p> + <pre> + Command stream end of file, while reading line user=... host=... + Command stream end of file, while reading char user=... host=... + Command stream end of file, while writing text user=... host=... +</pre> + + <p><strong>mean?</strong></p> + + <dl> + <dd> + This message occurs when the session is disconnected without a proper + LOGOUT (IMAP) or QUIT (POP) command being received by the server first. + + <p>In many cases, this is perfectly normal; many client implementations + are impolite and do this. Some programmers think this sort of rudeness + is "more efficient".</p> + + <p>The condition could, however, indicate a client or network + connectivity problem. The server has no way of knowing whether there's + a problem or just a rude client, so it issues this message instead of a + Logout.</p> + + <p>Certain inferior losing clients disconnect abruptly after a failed + login, and instead of saying that the login failed, just say that they + can't access the mailbox. They then complain to the system manager, who + looks in the syslog and finds this message. Not very helpful, eh? See + the answer to the <a href="#7.4">Why can't I log in to the server? The + user name and password are right!</a> question.</p> + + <p>If the user isn't reporting a problem, you can probably ignore this + message.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.19"><strong>7.19 Why did my POP or IMAP session suddenly + disconnect? The syslog has the message:</strong> <tt>Killed (lost + mailbox lock) user=... host=...</tt></a></p> + + <dl> + <dd> + This message only happens when either the traditional UNIX mailbox + format or MMDF format is in use. This format only allows one session to + have the mailbox open read/write at a time. + + <p>The servers assume that if a second session attempts to open the + mailbox, that means that the first session is probably owned by an + abandoned client. The common scenario here is a user who leaves his + client running at the office, and then tries to read his mail from + home. Through an internal mechanism called <em>kiss of death</em>, the + second session requests the first session to kill itself. When the + first session receives the "kiss of death", it issues the "Killed (lost + mailbox lock)" syslog message and terminates. The second session then + seizes read/write access, and becomes the new "first" session.</p> + + <p>Certain poorly-designed clients routinely open multiple sessions to + the same mailbox; the users of those clients tend to get this message a + lot.</p> + + <p>Another cause of this message is a background "check for new mail" + task which does its work by opening a POP session to server every few + seconds. They do this because POP doesn't have a way to announce new + mail.</p> + + <p>The solution to both situations is to replace the client with a good + online IMAP client such as Pine. Life is too short to waste on POP + clients and poorly-designed IMAP clients.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.20"><strong>7.20 Why does my IMAP client show all the files on the + system, recursively from the UNIX root directory?</strong></a><br> + <a name="7.21"><strong>7.21 Why does my IMAP client show all of my files, + recursively from my UNIX home directory?</strong></a></p> + + <dl> + <dd> + A well-written client should only show one level of hierarchy and then + stop, awaiting explicit user action before going lower. However, some + poorly-designed clients will recursively list all files, which may be a + very long list (especially if you have symbolic links to directories + that create a loop in the filesystem graph!). + + <p>This behavior has also been observed in some third-party c-client + drivers, including maildir drivers. Consequently, this problem has even + been observed in Pine. It is important to understand that this is not a + problem in Pine or c-client; it is a problem in the third-party driver. + A Pine built without that third-party driver will not have this + problem.</p> + + <p>See also the answer to <a href="#7.73">Why does my IMAP client show + all my files in my home directory?</a></p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.22"><strong>7.22 Why does my IMAP client show that I have + mailboxes named "#mhinbox", "#mh", "#shared", "#ftp", "#news", and + "#public"?</strong></a></p> + + <dl> + <dd> + These are IMAP namespace names. They represent other hierarchies in + which messages may exist. These hierarchies may not necessarily exist + on a server, but the namespace name is still in the namespace list in + order to mark it as reserved. + + <p>A few poorly-designed clients display all namespace names as if they + were top-level mailboxes in a user's list of mailboxes, whether or not + they actually exist. This is a flaw in those clients.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.23"><strong>7.23 Why does my IMAP client show all my files in my + home directory?</strong></a></p> + + <dl> + <dd> + As distributed, the IMAP server is connected to your home directory by + default. It has no way of knowing what you might call "mail" as opposed + to "some other file"; in fact, you can use IMAP to access any file. + + <p>Most clients have an option to configure your connected directory on + the IMAP server. For example, in Pine you can specify this as the + "Path" in your folder-collection, e.g.</p> + <pre> + Nickname : Secondary Folders + Server : imap.example.com + Path : mail/ + View : +</pre>In this example, the user is connected to the "mail" subdirectory of +his home directory. + + <p>Other servers call this the "folder prefix" or similar term.</p> + + <p>It is possible to modify the IMAP server so that all users are + automatically connected to some other directory, e.g. a subdirectory of + the user's home directory. Read the file CONFIG for more details.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.24"><strong>7.24 Why is there a long delay before I get connected + to the IMAP or POP server, no matter what client I use?</strong></a></p> + + <dl> + <dd> + There are two common occurances of this problem: + + <ul> + <li>You are running a system (e.g. certain versions of Linux) which + by default attempts to connect to an "IDENT" protocol (port 113) + server on your client. However, a firewall or NAT box is blocking + connections to that port, so the connection attempt times out. + + <p>The IDENT protocol is a well-known bad idea that does not + deliver any real security but causes incredible problems. The idea + is that this will give the server a record of the user name, or at + least what some program listening on port 113 says is the user + name. So, if somebody coming from port nnnnn on a system does + something bad, IDENT may give you the userid of the bad guy.</p> + + <p>The problem is, IDENT is only meaningful on a timesharing system + which has an administrator who is privileged and users who are not. + It is of no value on a personal system which has no separate + concept of "system administrator" vs. "unprivileged user".</p> + + <p>On either type of system, security-minded people either turn + IDENT off or replace it with an IDENT server that lies. Among other + things, IDENT gives spammers the ability to harvest email addresses + from anyone who connects to a web page.</p> + + <p>This problem has been showing up quite frequently on systems + which use xinetd instead of inetd. Look for files named + /etc/xinetd.conf, /etc/xinetd.d/imapd, /etc/inetd.d/ipop2d, and + /etc/xinetd.d/ipop3d. In those files, look for lines containing + "USERID", e.g.</p> + <pre> + log_on_success += USERID +</pre>Hunt down such lines, and delete them ruthlessly from all files in +which they occur. Don't be shy about it. + </li> + + <li>The DNS is taking a long time to do a reverse DNS (PTR record) + lookup of the IP address of your client. This is a problem in your + DNS, which either you or you ISP need to resolve. Ideally, the DNS + should return the client's name; but if it can't it should at least + return an error quickly.</li> + </ul> + + <p>As you may have noticed, neither of these are actual problems in the + IMAP or POP servers; they are configuration issues with either your + system or your network infrastructure. If this is all new to you, run + (don't walk) to the nearest technical bookstore and get yourself a good + pedagogical text on system administration for the type of system you + are running.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.25"><strong>7.25 Why is there a long delay in Pine or any other + c-client based application call before I get connected to the IMAP + server? The hang seems to be in the c-client mail_open() call. I don't + have this problem with any other IMAP client. There is no delay + connecting to a POP3 or NNTP server with mail_open().</strong></a></p> + + <dl> + <dd> + By default, the c-client library attempts to make a connection through + rsh (and ssh, if you enable that). If the command: + <pre> + rsh imapserver exec /etc/rimapd + +</pre>(or ssh if that is enabled) returns with a "* PREAUTH" response, it +will use the resulting rsh session as the IMAP session and not require an +authentication step on the server. + + <p>Unfortunately, rsh has a design error that treats "TCP connection + refused" as "temporary failure, try again"; it expects the "rsh not + allowed" case to be implemented as a successful connection followed by + an error message and close the connection.</p> + + <p>It must be emphasized that this is a bug in rsh. It is <em>not</em> + a bug in the IMAP toolkit.</p> + + <p>The use of rsh can be disabled in any the following ways:</p> + + <ul> + <li>You can disable it for this particular session by either: + + <ul> + <li>setting an explicit port number in the mailbox name, e.g. + <pre> + {imapserver.foo.com:143}INBOX +</pre> + </li> + + <li>using SSL (the /ssl switch)</li> + </ul> + </li> + + <li>You can disable rsh globally by setting the rsh timeout value to + 0 with the call: + <pre> + mail_parameters (NIL,SET_RSHTIMEOUT,0); +</pre> + </li> + </ul> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.26"><strong>7.26 Why does a message sometimes get split into two + or more messages on my SUN system?</strong></a></p> + + <dl> + <dd> + This is caused by an interaction of two independent design problems in + SUN mail software. The first problem is that the "forward message" + option in SUN's <em>mail tool</em> program includes the internal "From + " header line in the text that it forwarded. This internal header line + is specific to traditional UNIX mailbox files and is not suitable for + use in forwarded messages. + + <p>The second problem is that the mail delivery agent assumes that mail + reading programs will not use the traditional UNIX mailbox format but + instead an incompatible variant that depends upon a + <em>Content-Length:</em> message header. Content-Length is widely + recognized to have been a terrible mistake, and is no longer + recommended for use in mail (it is used in other facilities that use + MIME).</p> + + <p>One symptom of the problem is that under certain circumstances, a + message may get broken up into several messages. I'm also aware of + security bugs caused by programs that foolishly trust "Content-Length:" + headers with evil values.</p> + + <p>To fix the mailer on your system, edit your sendmail.cf to change + the <strong>Mlocal</strong> line to have the <strong>-E</strong> flag. + A typical entry will lool like:</p> + <pre> + Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnPE, S=10, R=20, + A=mail.local -d $u +</pre>This fix will also work around the problem with mail tool, because it +will insert a ">" before the internal header line to prevent it from being +interpreted by mail reading software as an internal header line. + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.27"><strong>7.27 Why did my POP or IMAP session suddenly + disconnect? The syslog has the message:</strong></a></p> + <pre> + Autologout user=<...my user name...> host=<...my client system...> + +</pre> + + <dl> + <dd> + This is a problem in your client. + + <p>In the case of IMAP, it failed to communicate with the IMAP server + for over 30 minutes; in the case of POP, it failed to communicate with + the POP server for over 10 minutes.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.28"><strong>7.28 What does the UNIX error message:</strong> + <tt>TLS/SSL failure: myserver: SSL negotiation failed</tt> + <strong>mean?</strong></a><br> + <a name="7.29"><strong>7.29 What does the PC error message:</strong> + <tt>TLS/SSL failure: myserver: Unexpected TCP input disconnect</tt> + <strong>mean?</strong></a></p> + + <dl> + <dd> + This usually means that an attempt to negotiate TLS encryption via the + STARTTLS command failed, because the server advertises STARTTLS + functionality, but doesn't actually have it (e.g. because no + certificates are installed). + + <p>Use the /notls option in the mailbox name to disable TLS + negotiation.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.30"><strong>7.30 What does the error message:</strong> <tt>TLS/SSL + failure: myserver: Server name does not match certificate</tt> + <strong>mean?</strong></a></p> + + <dl> + <dd> + An SSL or TLS session encryption failed because the server name in the + server's certificate does not match the name that you gave it. This + could indicate that the server is not really the system you think that + it is, but can be also be called if you gave a nickname for the server + or name that was not fully-qualified. You must use the fully-qualified + domain name for the server in order to validate its certificate + + <p>Use the /novalidate-cert option in the mailbox name to disable + validation of the certificate.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.31"><strong>7.31 What does the UNIX error message:</strong> + <tt>TLS/SSL failure: myserver: self-signed certificate</tt> + <strong>mean?</strong></a><br> + <a name="7.32"><strong>7.32 What does the PC error message:</strong> + <tt>TLS/SSL failure: myserver: Self-signed certificate or untrusted + authority</tt> <strong>mean?</strong></a></p> + + <dl> + <dd> + An SSL or TLS session encryption failed because your server's + certificate is "self-signed"; that is, it is not signed by any + Certificate Authority (CA) and thus can not be validated. A CA-signed + certificate costs money, and some smaller sites either don't want to + pay for it or haven't gotten one yet. The bad part about this is that + this means there is no guarantee that the server is really the system + you think that it is. + + <p>Use the /novalidate-cert option in the mailbox name to disable + validation of the certificate.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.33"><strong>7.33 What does the UNIX error message:</strong> + <tt>TLS/SSL failure: myserver: unable to get local issuer + certificate</tt> <strong>mean?</strong></a></p> + + <dl> + <dd> + An SSL or TLS session encryption failed because your system does not + have the Certificate Authority (CA) certificates installed on OpenSSL's + certificates directory. On most systems, this directory is + /usr/local/ssl/certs). As a result, it is not possible to validate the + server's certificate. + + <p>If CA certificates are properly installed, you should see + factory.pem and about a dozen other .pem names such as + thawteCb.pem.</p> + + <p>As a workaround, you can use the /novalidate-cert option in the + mailbox name to disable validation of the certificate; however, note + that you are then vulnerable to various security attacks by bad + guys.</p> + + <p>The correct fix is to copy all the files from the certs/ directory + in the OpenSSL distribution to the /usr/local/ssl/certs (or whatever) + directory. Note that you need to do this after building OpenSSL, + because the OpenSSL build creates a number of needed symbolic links. + For some bizarre reason, the OpenSSL "make install" doesn't do this for + you, so you must do it manually.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.34"><strong>7.34 Why does reading certain messages hang when using + Netscape? It works fine with Pine!</strong></a></p> + + <dl> + <dd> + There are two possible causes. + + <p>Check the mail syslog. If you see the message "Killed (lost mailbox + lock)" for the impacted user(s), read the FAQ entry regarding that + message.</p> + + <p>Check the affected mailbox to see if there are embedded NUL + characters in the message. NULs in message texts are a technical + violation of both the message format and IMAP specifications. Most + clients don't care, but apparently Netscape does.</p> + + <p>You can work around this by rebuilding imapd with the + <strong>NETSCAPE_BRAIN_DAMAGE</strong> option set (see + src/imapd/Makefile); this will cause imapd to convert all NULs to 0x80 + characters. A better solution is to enable the feature in your MTA to + MIME-convert messages with binary content. See the documentation for + your MTA for how to do this.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.35"><strong>7.35 Why does Netscape say that there's a problem with + the IMAP server and that I should "Contact your mail server + administrator."?</strong></a></p> + + <dl> + <dd> + Certain versions of Netscape do this when you click the Manage Mail + button, which uses an undocumented feature of Netscape's proprietary + IMAP server. + + <p>You can work around this by rebuilding imapd with the + <strong>NETSCAPE_BRAIN_DAMAGE</strong> option set (see + src/imapd/Makefile) to a URL that points either to an alternative IMAP + client (e.g. Pine) or perhaps to a homebrew mail account management + page.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.36"><strong>7.36 Why is one user creating huge numbers of IMAP or + POP server sessions?</strong></a></p> + + <dl> + <dd>The user is probably using Outlook Express, Eudora, or a similar + program. See the answer to the <a href="#7.5">Help! My load average is + soaring and I see hundreds of POP and IMAP servers, many logged in as the + same user!</a> question.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.37"><strong>7.37 Why don't I get any new mail notifications from + Outlook Express or Outlook after a while?</strong></a></p> + + <dl> + <dd> + This is a known bug in Outlook Express. Microsoft is aware of the + problem and its cause. They have informed us that they do not have any + plans to fix it at the present time. + + <p>The problem is also reported in Outlook 2000, but not verified.</p> + + <p>Outlook Express uses the IMAP IDLE command to avoid having to "ping" + the server every few minutes for new mail. Unfortunately, Outlook + Express overlooks the part in the IDLE specification which requires + that a client terminate and restart the IDLE before the IMAP 30 minute + inactivity autologout timer triggers.</p> + + <p>When this happens, Outlook Express displays "Not connected" at the + bottom of the window. Since it's no longer connected to the IMAP + server, it isn't going to notice any new mail.</p> + + <p>As soon as the user does anything that would cause an IMAP + operation, Outlook Express will reconnect and new mail will flow again. + If the user does something that causes an IMAP operation at least every + 29 minutes, the problem won't happen.</p> + + <p>Modern versions of imapd attempt to work around the problem by + automatically reporting fake new mail after 29 minutes. This causes + Outlook Express to exit the IDLE state; as soon as this happens imapd + revokes the fake new mail. As long as this behavior isn't known to + cause problems with other clients, this workaround will remain in + imapd.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.38"><strong>7.38 Why don't I get any new mail notifications from + Entourage?</strong></a></p> + + <dl> + <dd> + This is a known bug in Entourage. + + <p>You built an older version of imapd with the + <strong>MICROSOFT_BRAIN_DAMAGE</strong> option set, in order to disable + support for the IDLE command. However, Entourage won't get new mail + unless IDLE command support exists.</p> + + <p>Note: the MICROSOFT_BRAIN_DAMAGE option no longer exists in modern + versions, as the Outlook Express problem which it attempted to solve + has been worked around in another way.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.39"><strong>7.39 Why doesn't Entourage work at + all?</strong></a></p> + + <dl> + <dd> + It's hard to know. Entourage breaks almost every rule in the book for + IMAP. It is highly instructive to do a packet trace on Entourage, as an + example of how <em>not</em> to use IMAP. It does things like STATUS + (MESSAGES) on the currently selected mailbox and re-fetching the same + static data over and over again. + + <p>It seems that every time we understand what it is doing wrong in + Entourage and come up with a workaround, we learn about something else + that's broken.</p> + + <p>Try building imapd with the <strong>ENTOURAGE_BRAIN_DAMAGE</strong> + option set, in order to disable the diagnostic that occurs when doing + STATUS on the currently selected mailbox.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.40"><strong>7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work + at all?</strong></a></p> + + <dl> + <dd> + This is a bug in NSNOTIFY; it doesn't handle unsolicited data from the + server correctly. + + <p>Fortunately, there is no reason to use this program with IMAP; + NSNOTIFY is a polling program to let you know when new mail has + appeared in your maildrop. This is necessary with POP; but since IMAP + dynamically announces new mail in the session you're better off (and + will actually cause less load on the server!) keeping your mail reading + program's IMAP session open and let IMAP do the notifying for you.</p> + + <p>Consequently, the recommended fix for the NSNOTIFY problem is to + delete the NSNOTIFY binary.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.41"><strong>7.41 Why can't I connect via SSL to Eudora? It says + the connection has been broken, and in the server syslogs I see "Command + stream end of file".</strong></a></p> + + <dl> + <dd>There is a report that you can fix the problem by going into Eudora's + advanced network configuration menu and increasing the network buffer + size to 8192.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.42"><strong>7.42 Sheesh. Aren't there <em>any</em> good IMAP + clients out there?</strong></a></p> + + <dl> + <dd> + Yes! + + <p>Pine is a <em>wonderful</em> client. It's fast, it uses IMAP well, + and it generates text mail (life is too short to waste on HTML mail). + Also, there are some really wonderful things in progress in the Pine + world.</p> + + <p>There are some good GUI clients out there, mostly from smaller + vendors. Without naming names, look for the vendors who are active in + the IMAP protocol development community, and their products.</p> + + <p>Netscape, Eudora, and Outlook <em>can</em> be configured with enough + effort to be good citizens and work well for users, <em>but</em> they + can also be badly misconfigured, and often the misconfiguration is the + default.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.43"><strong>7.43 But wait! PC Pine (or other PC program build with + c-client) crashes with the message</strong> <tt>incomplete SecBuffer + exceeds maximum buffer size</tt> <strong>when I use SSL connections. + This is a bug in c-client, right?</strong></a></p> + + <dl> + <dd> + It's a bug in the Microsoft SChannel.DLL, which implements SSL. + Microsoft admits it (albeit with an unstatement: "it's not fully RFC + compliant"). The problem is that SChannel indicates that the maximum + SSL packet data size is 5 bytes smaller than the actual maximum. Thus, + any IMAP server which transmits a maximum sized SSL packet will not + work with PC Pine or any other program which uses SChannel. + + <p>It can take a while for the problem to show up. The client has to do + something that causes at least 16K of contiguous data. Many clients do + partial fetching, which tends to reduce the number of cases where this + can happen. However, <em>all</em> software which uses SChannel to + support SSL is affected by this bug.</p> + + <p>This problem does not affect UNIX code, since OpenSSL is used on + UNIX.</p> + + <p>This problem most recently showed up with the CommunigatePro IMAP + server. They have an update which trims down their maximum contiguous + data to less than 16K, in order to work around the problem.</p> + + <p>This problem has also shown up with the Exchange IMAP server with + UNIX clients (including Pine built with an older version of c-client) + which sends full-sized 16K SSL packets. Modern c-client works around + the problem by trimming down its maximum outgoing SSL packet size to + 8K.</p> + + <p>Microsoft has developed a hotfix for this bug. Look up MSKB article + number 300562. Contrary to the article text which implies that this is + a Pine issue, this bug also affect Microsoft Exchange server with *any* + UNIX based client that transmits full-sized SSL payloads.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.44"><strong>7.44 My qpopper users keep on getting the DON'T DELETE + THIS MESSAGE -- FOLDER INTERNAL DATA if they also use Pine or IMAP. How + can I fix this?</strong></a></p> + + <dl> + <dd> + This is an incompatibility between qpopper and the c-client library + used by Pine, imapd, and ipop[23]d. + + <p>Assuming that you want to continue using qpopper, look into + qpopper's <strong>--enable-uw-kludge-flag</strong> configuration flag, + which is documented as "check for and hide UW 'Folder Internal Data' + messages".</p> + + <p>The other alternative is to switch from qpopper to ipop3d.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.45"><strong>7.45 Help! I installed the servers but I can't connect + to them from my client!</strong></a></p> + + <dl> + <dd> + Review the installation instructions carefully. Make sure that you have + not skipped any of the steps. Make sure that you have made the correct + entries in the configuration files; pay careful attention to the exact + spelling of the service names and the path names. Make sure as well + that you have properly restarted inetd. + + <p>If you have a system with Yellow Pages/NIS such as Solaris, have you + updated the service names there as well as in /etc/services?</p> + + <p>If you have a system with TCP wrappers, have you properly updated + the TCP wrapper files (e.g. /etc/hosts.allow and /etc/hosts.deny) for + the servers?</p> + + <p>If you have a system which uses xinetd instead of inetd, have you + made sure that you have made the correct corresponding xinetd changes + for those services?</p> + + <p>Try telneting to the server port (143 for IMAP, 110 for POP3). If + you get a "refused" error, that probably means that you don't have the + service set up in inetd.conf. If the connection opens and then closes + with no message, the service is set up, but either the path name of the + server binary in inetd.conf is wrong or your TCP wrappers are + configured to deny access.</p> + + <p>If you don't know how to make the corresponding changes to these + files, seek the help of a local expert for your system.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.46"><strong>7.46 Why do I get the message</strong> <tt>Can not + authenticate to SMTP server: 421 SMTP connection went away!</tt> + <strong>and why did this happen? There was also something about</strong> + <tt>SECURITY PROBLEM: insecure server advertised AUTH=PLAIN</tt></a></p> + + <dl> + <dd> + Some versions of qmail, including that running on mail.smtp.yahoo.com, + disconnect the SMTP session if you fail to authenticate prior to + attempting to transmit mail. An attempt to authenticate was made, but + it failed because the server had already disconnected. + + <p>To work around this, you need to specify /user=... in the host name + specification.</p> + + <p>The SECURITY PROBLEM came about because the server advertised the + AUTH=PLAIN SASL authentication mechanism outside of a TLS-encrypted + session, in violation of RFC 4616. This message is just a warning, and + in fact occurred after the server had disconnected.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.47"><strong>7.47 Why do I get the message</strong> <tt>SMTP + Authentication cancelled</tt> <strong>and why did this happen? There was + also something about</strong> <tt>SECURITY PROBLEM: insecure server + advertised AUTH=PLAIN</tt></a></p> + + <dl> + <dd> + This is a bug in the SMTP server. + + <p>Some versions of qmail, including that running on + mail.smtp.yahoo.com, have a bug in their implementation of SASL in + their SMTP server, which renders it non-compliant with the + standard.</p> + + <p>If the client does not provide an initial response in the command + line for an authentication mechanism whose profile does not have an + initial challenge, qmail issues a bogus response:</p> + <pre> + 334 ok, go on +</pre>The problem is the "ok, go on". This violates RFC 4954's requirement +that the text part in a 334 response be a BASE64 encoded string; in other +words, it is a protocol syntax error. + + <p>In the case of AUTH=PLAIN, RFC 4422 (page 7) requires that the + encoded string have no data. In other words, the appropropiate + standards-compliant server response is "334" followed by a SPACE and a + CRLF.</p> + + <p>The SECURITY PROBLEM came about because the server advertised the + AUTH=PLAIN SASL authentication mechanism outside of a TLS-encrypted + session, in violation of RFC 4616. This message is just a warning, and + is not related the "Authentication cancelled" problem.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="7.48"><strong>7.48 Why do I get the message</strong> <tt>Invalid + base64 string</tt> <strong>when I try to authenticate to a Cyrus + server?</strong></a></p> + + <dl> + <dd> + This slightly misleading message is the way that a Cyrus server + indicates that an authentication exchange was cancelled. It is not + indicative of a bug or protocol violation. + + <p>The most common reason that this happens is if the Cyrus server + offers Kerberos authentication, c-client is built with Kerberos + support, but your client system is not within the Kerberos realm. In + this case, the client code will try to authenticate via Kerberos, fail + to get the Kerberos credentials, cancel the authentication attempt, and + try the next available authentication technology.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><br></p> + + <h2><a name="additional">8. Where to Go For Additional Information</a></h2> + <hr> + + <p><a name="8.1"><strong>8.1 Where can I go to ask questions?</strong></a><br> + <a name="8.2"><strong>8.2 I have some ideas for enhancements to IMAP. Where + should I go?</strong></a></p> + + <dl> + <dd> + If you have questions about the IMAP protocol, or want to participate + in discussions of future directions of the IMAP protocol, the + appropriate mailing list is imap-protocol@u.washington.edu. You can + subscribe to this list via <a href= + "mailto:imap-protocol-request@u.washington.edu"><tt>imap-protocol-request@u.washington.edu</tt></a> + + <p>If you have questions about this software, you can send me email + directly or use the imap-uw@u.washington.edu mailing list. You can + subscribe to this list via <a href= + "mailto:imap-uw-request@u.washington.edu"><tt>imap-uw-request@u.washington.edu</tt></a></p> + + <p>If you have general questions about the use of IMAP software + (not specific to the UW IMAP toolkit) use the + imap-use@u.washington.edu mailing list. You can subscribe to + this list via <a href= + "mailto:imap-use-request@u.washington.edu"><tt>imap-use-request@u.washington.edu</tt></a></p> + + <p>You must be a subscriber to post to these lists. As an + alternative, you can use the + <strong>comp.mail.imap</strong> newsgroup.</p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="8.3"><strong>8.3 Where can I read more about IMAP and other email + protocols?</strong></a></p> + + <dl> + <dd>We recommend <em>Internet Email Protocols: A Developer's Guide</em>, + by Kevin Johnson, published by Addison Wesley, ISBN 0-201-43288-9.</dd> + </dl> + + <p><a href="#top">Back to top</a></p> + <hr> + + <p><a name="8.4"><strong>8.4 Where can I find out more about setting up and + administering an IMAP server?</strong></a></p> + + <dl> + <dd> + We recommend <em>Managing IMAP</em>, by Dianna Mullet & Kevin + Mullet, published by O'Reilly, ISBN 0-596-00012-X. + + <p>This book also has an excellent comparison of the UW and Cyrus IMAP + servers.<br></p> + </dd> + </dl> + + <p><a href="#top">Back to top</a></p> + + <p>Last Updated: 15 November 2007</p> + +<!--chtml include "//imap/incs/bottom.inc"--> + |