From 094ca96844842928810f14844413109fc6cdd890 Mon Sep 17 00:00:00 2001
From: Eduardo Chappa
Date: Sun, 3 Feb 2013 00:59:38 -0700
Subject: Initial Alpine Version

---
 imap/docs/FAQ.txt | 2993 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 2993 insertions(+)
 create mode 100644 imap/docs/FAQ.txt

diff --git a/imap/docs/FAQ.txt b/imap/docs/FAQ.txt
new file mode 100644
index 00000000..797bed09
--- /dev/null
+++ b/imap/docs/FAQ.txt
@@ -0,0 +1,2993 @@ +/* ======================================================================== + * Copyright 1988-2007 University of Washington + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * + * ======================================================================== + */ + + IMAP Toolkit Frequently Asked Questions + +Table of Contents + + * 1. General/Software Feature Questions + + 1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.? + + 1.2 I am currently using qpopper as my POP3 server on UNIX. + Do I need to replace it with ipop3d in order to run imapd? + + 1.3 Can I set up a POP or IMAP server on Windows XP, 2000, + NT, Me, 98, or 95? + + 1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS? + + 1.5 Can I set up a POP or IMAP server on Macintosh? + + 1.6 Can I set up a POP or IMAP server on VAX/VMS? + + 1.7 Can I set up a POP or IMAP server on TOPS-20? + + 1.8 Are hierarchical mailboxes supported? + + 1.9 Are "dual-use" mailboxes supported? + + 1.10 Can I have a mailbox that has both messages and + sub-mailboxes? + + 1.11 What is the difference between "mailbox" and "folder"? + + 1.12 What is the status of internationalization? + + 1.13 Can I use SSL? + + 1.14 Can I use TLS and the STARTTLS facility? + + 1.15 Can I use CRAM-MD5 authentication? + + 1.16 Can I use APOP authentication? + + 1.17 Can I use Kerberos V5? + + 1.18 Can I use PAM for plaintext passwords? + + 1.19 Can I use Kerberos 5 for plaintext passwords? + + 1.20 Can I use AFS for plaintext passwords? + + 1.21 Can I use DCE for plaintext passwords? + + 1.22 Can I use the CRAM-MD5 database for plaintext passwords? + + 1.23 Can I disable plaintext passwords? + + 1.24 Can I disable plaintext passwords on unencrypted + sessions, but allow them on encrypted sessions? 
+ + 1.25 Can I use virtual hosts? + + 1.26 Can I use RPOP authentication? + + 1.27 Can I use Kerberos V4? + + 1.28 Is there support for S/Key or OTP? + + 1.29 Is there support for NTLM or SPA? + + 1.30 Is there support for mh? + + 1.31 Is there support for qmail and the maildir format? + + 1.32 Is there support for the Cyrus mailbox format? + + 1.33 Is this software Y2K compliant? + * 2. What Do I Need to Build This Software? + + 2.1 What do I need to build this software with SSL on UNIX? + + 2.2 What do I need to build this software with Kerberos V on + UNIX? + + 2.3 What do I need to use a C++ compiler with this software + to build my own application? + + 2.4 What do I need to build this software on Windows? + + 2.5 What do I need to build this software on DOS? + + 2.6 Can't I use Borland C to build this software on the PC? + + 2.7 What do I need to build this software on the Mac? + + 2.8 What do I need to build this software on VMS? + + 2.9 What do I need to build this software on TOPS-20? + + 2.10 What do I need to build this software on Amiga or OS/2? + + 2.11 What do I need to build this software on Windows CE? + * 3. Build and Configuration Questions + + 3.1 How do I configure the IMAP and POP servers on UNIX? + + 3.2 I built and installed the servers according to the BUILD + instructions. It can't be that easy. Don't I need to write a + config file? + + 3.3 How do I make the IMAP and POP servers look for INBOX at + some place other than the mail spool directory? + + 3.4 How do I make the IMAP server look for secondary folders + at some place other than the user's home directory? + + 3.5 How do I configure SSL? + + 3.6 How do I configure TLS and the STARTTLS facility? + + 3.7 How do I build/install OpenSSL and obtain/create + certificates for use with SSL? + + 3.8 How do I configure CRAM-MD5 authentication? + + 3.9 How do I configure APOP authentication? + + 3.10 How do I configure Kerberos V5? + + 3.11 How do I configure PAM for plaintext passwords? 
+ + 3.12 It looks like all I have to do to make the server use + Kerberos is to build with PAM on my Linux system, and set it + up in PAM for Kerberos passwords. Right? + + 3.13 How do I configure Kerberos 5 for plaintext passwords? + + 3.14 How do I configure AFS for plaintext passwords? + + 3.15 How do I configure DCE for plaintext passwords? + + 3.16 How do I configure the CRAM-MD5 database for plaintext + passwords? + + 3.17 How do I disable plaintext passwords? + + 3.18 How do I disable plaintext passwords on unencrypted + sessions, but allow them in SSL or TLS sessions? + + 3.19 How do I configure virtual hosts? + + 3.20 Why do I get compiler warning messages such as: + o passing arg 3 of `scandir' from incompatible pointer + type + o Pointers are not assignment-compatible. + o Argument #4 is not the correct type. + during the build? + + 3.21 Why do I get compiler warning messages such as + o Operation between types "void(*)(int)" and "void*" is + not allowed. + o Function argument assignment between types "void*" and + "void(*)(int)" is not allowed. + o Pointers are not assignment-compatible. + o Argument #5 is not the correct type. + during the build? + + 3.22 Why do I get linker warning messages such as: + o mtest.c:515: the `gets' function is dangerous and should + not be used. + during the build? Isn't this a security bug? + + 3.23 Why do I get linker warning messages such as: + o auth_ssl.c:92: the `tmpnam' function is dangerous and + should not be used. + during the build? Isn't this a security bug? + + 3.24 OK, suppose I see a warning message about a function + being "dangerous and should not be used" for something other + than this gets() or tmpnam() call? + * 4. Operational Questions + + 4.1 How can I enable anonymous IMAP logins? + + 4.2 How do I set up an alert message that each IMAP user will + see? + + 4.3 How does the c-client library choose which of its several + mechanisms to use to establish an IMAP connection to the + server? 
I noticed that it can connect on port 143, port 993, + via rsh, and via ssh. + + 4.4 I am using a TLS-capable IMAP server, so I don't need to + use /ssl to get encryption. However, I want to be certain + that my session is TLS encrypted before I send my password. + How to I do this? + + 4.5 How do I use one of the alternative formats described in + the formats.txt document? In particular, I hear that mbx + format will give me better performance and allow shared + access. + + 4.6 How do I set up shared mailboxes? + + 4.7 How can I make the server syslogs go to someplace other + than the mail syslog? + * 5. Security Questions + + 5.1 I see that the IMAP server allows access to arbitary + files on the system, including /etc/passwd! How do I disable + this? + + 5.2 I've heard that IMAP servers are insecure. Is this true? + + 5.3 How do I know that I have the most secure version of the + server? + + 5.4 I see all these strcpy() and sprintf() calls, those are + unsafe, aren't they? + + 5.5 Those /tmp lock files are protected 666, is that really + right? + * 6. Why Did You Do This Strange Thing? Questions + + 6.1 Why don't you use GNU autoconfig / automake / + autoblurdybloop? + + 6.2 Why do you insist upon a build with -g? Doesn't it waste + disk and memory space? + + 6.3 Why don't you make c-client a shared library? + + 6.4 Why don't you use iconv() for internationalization + support? + + 6.5 Why is the IMAP server connected to the home directory by + default? + + 6.6 I have a Windows system. Why isn't the server plug and + play for me? + + 6.7 I looked at the UNIX SSL code and saw that you have the + SSL data payload size set to 8192 bytes. SSL allows 16K; why + aren't you using the full size? + + 6.8 Why is an mh format INBOX called #mhinbox instead of just + INBOX? + + 6.9 Why don't you support the maildir format? + + 6.10 Why don't you support the Cyrus format? + + 6.11 Why is it creating extra forks on my SVR4 system? 
+ + 6.12 Why are you so fussy about the date/time format in the + internal "From " line in traditional UNIX mailbox files? My + other mail program just considers every line that starts with + "From " to be the start of the message. + + 6.13 Why is traditional UNIX format the default format? + + 6.14 Why do you write this "DON'T DELETE THIS MESSAGE -- + FOLDER INTERNAL DATA" message at the start of traditional + UNIX and MMDF format mailboxes? + + 6.15 Why don't you stash the mailbox metadata in the first + real message of the mailbox instead of writing this fake + FOLDER INTERNAL DATA message? + + 6.16 Why aren't "dual-use" mailboxes the default? + + 6.17 Why do you use ucbcc to build on Solaris? + + 6.18 Why should I care about some old system with BSD + libraries? cc is the right thing on my Solaris system! + + 6.19 Why do you insist upon writing .lock files in the spool + directory? + + 6.20 Why should I care about compatibility with the past? + * 7. Problems and Annoyances + + 7.1 Help! My INBOX is empty! What happened to my messages? + + 7.2 Help! All my messages in a non-INBOX mailbox have been + concatenated into one message which claims to be from me and + has a subject of the file name of the mailbox! What's going + on? + + 7.3 Why do I get the message: + o CREATE failed: Can't create mailbox node xxxxxxxxx: File + exists + and how do I fix it? + + 7.4 Why can't I log in to the server? The user name and + password are right! + + 7.5 Help! My load average is soaring and I see hundreds of + POP and IMAP servers, many logged in as the same user! + + 7.6 Why does mail disappear even though I set "keep mail on + server"? + + 7.7 Why do I get the message + o Moved ##### bytes of new mail to /home/user/mbox from + /var/spool/mail/user + and why did this happen? + + 7.8 Why isn't it showing the local host name as a + fully-qualified domain name? 
+ + 7.9 Why is the local host name in the From/Sender/Message-ID + headers of outgoing mail not coming out as a fully-qualified + domain name? + + 7.10 What does the message: + o Mailbox vulnerable - directory /var/spool/mail must have + 1777 protection + mean? How can I fix this? + + 7.11 What does the message: + o Mailbox is open by another process, access is readonly + mean? How do I fix this? + + 7.12 What does the message: + o Can't get write access to mailbox, access is readonly + mean? + + 7.13 I set my POP3 client to "delete messages from server" + but they never get deleted. What is wrong? + + 7.14 What do messages such as: + o Message ... UID ... already has UID ... + o Message ... UID ... less than ... + o Message ... UID ... greater than last ... + o Invalid UID ... in message ..., rebuilding UIDs + mean? + + 7.15 What do the error messages: + o Unable to read internal header at ... + o Unable to find CRLF at ... + o Unable to parse internal header at ... + o Unable to parse message date at ... + o Unable to parse message flags at ... + o Unable to parse message UID at ... + o Unable to parse message size at ... + o Last message (at ... ) runs past end of file ... + mean? I am using mbx format. + + 7.16 What do the syslog messages: + o imap/tcp server failing (looping) + o pop3/tcp server failing (looping) + mean? When it happens, the listed service shuts down. How can + I fix this? + + 7.17 What does the syslog message: + o Mailbox lock file /tmp/.600.1df3 open failure: + Permission denied + mean? + + 7.18 What do the syslog messages: + o Command stream end of file, while reading line user=... + host=... + o Command stream end of file, while reading char user=... + host=... + o Command stream end of file, while writing text user=... + host=... + mean? + + 7.19 Why did my POP or IMAP session suddenly disconnect? The + syslog has the message: + o Killed (lost mailbox lock) user=... host=... 
+ + 7.20 Why does my IMAP client show all the files on the + system, recursively from the UNIX root directory? + + 7.21 Why does my IMAP client show all of my files, + recursively from my UNIX home directory? + + 7.22 Why does my IMAP client show that I have mailboxes named + "#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"? + + 7.23 Why does my IMAP client show all my files in my home + directory? + + 7.24 Why is there a long delay before I get connected to the + IMAP or POP server, no matter what client I use? + + 7.25 Why is there a long delay in Pine or any other c-client + based application call before I get connected to the IMAP + server? The hang seems to be in the c-client mail_open() + call. I don't have this problem with any other IMAP client. + There is no delay connecting to a POP3 or NNTP server with + mail_open(). + + 7.26 Why does a message sometimes get split into two or more + messages on my SUN system? + + 7.27 Why did my POP or IMAP session suddenly disconnect? The + syslog has the message: + o Autologout user=<...my user name...> host=<...my imap + server...> + + 7.28 What does the UNIX error message: + o TLS/SSL failure: myserver: SSL negotiation failed + mean? + + 7.29 What does the PC error message: + o TLS/SSL failure: myserver: Unexpected TCP input + disconnect + mean? + + 7.30 What does the error message: + o TLS/SSL failure: myserver: Server name does not match + certificate + mean? + + 7.31 What does the UNIX error message: + o TLS/SSL failure: myserver: self-signed certificate + mean? + + 7.32 What does the PC error message + o TLS/SSL failure: myserver: Self-signed certificate or + untrusted authority + mean? + + 7.33 What does the UNIX error message: + o TLS/SSL failure: myserver: unable to get local issuer + certificate + mean? + + 7.34 Why does reading certain messages hang when using + Netscape? It works fine with Pine! 
+ + 7.35 Why does Netscape say that there's a problem with the + IMAP server and that I should "Contact your mail server + administrator."? + + 7.36 Why is one user creating huge numbers of IMAP or POP + server sessions? + + 7.37 Why don't I get any new mail notifications from Outlook + Express or Outlook after a while? + + 7.38 Why don't I get any new mail notifications from + Entourage? + + 7.39 Why doesn't Entourage work at all? + + 7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all? + + 7.41 Why can't I connect via SSL to Eudora? It says the + connection has been broken, and in the server syslogs I see + "Command stream end of file". + + 7.42 Sheesh. Aren't there any good IMAP clients out there? + + 7.43 But wait! PC Pine (or other PC program build with + c-client) crashes with the message + o incomplete SecBuffer exceeds maximum buffer size + when I use SSL connections. This is a bug in c-client, right? + + 7.44 My qpopper users keep on getting the DON'T DELETE THIS + MESSAGE -- FOLDER INTERNAL DATA if they also use Pine or + IMAP. How can I fix this? + + 7.45 Help! I installed the servers but I can't connect to + them from my client! + + 7.46 Why do I get the message + o Can not authenticate to SMTP server: 421 SMTP connection + went away! + and why did this happen? There was also something about + o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN + + 7.47 Why do I get the message + o SMTP Authentication cancelled + and why did this happen? There was also something about + o SECURITY PROBLEM: insecure server advertised AUTH=PLAIN + + 7.48 Why do I get the message + o Invalid base64 string + when I try to authenticate to a Cyrus server? + * 8. Where to Go For Additional Information + + 8.1 Where can I go to ask questions? + + 8.2 I have some ideas for enhancements to IMAP. Where should + I go? + + 8.3 Where can I read more about IMAP and other email + protocols? 
+ + 8.4 Where can I find out more about setting up and + administering an IMAP server? + _________________________________________________________________ + +1. General/Software Feature Questions + _________________________________________________________________ + + 1.1 Can I set up a POP or IMAP server on UNIX/Linux/OSF/etc.? + + Yes. Refer to the UNIX specific notes in files CONFIG and + BUILD. + _________________________________________________________________ + + 1.2 I am currently using qpopper as my POP3 server on UNIX. Do I need + to replace it with ipop3d in order to run imapd? + + Not necessarily. + + Although ipop3d interoperates with imapd better than qpopper, + imapd and qpopper will work together. The few qpopper/imapd + interoperability issues mostly affect users who use both IMAP + and POP3 clients; those users would probably be better served + if their POP3 server is ipop3d. + + If you are happy with qpopper and just want to add imapd, you + should do that, and defer a decision on changing qpopper to + ipop3d. That way, you can get comfortable with imapd's + performance, without changing anything for your qpopper users. + + Many sites have subsequently decided to change from qpopper to + ipop3d in order to get better POP3/IMAP interoperability. If + you need to do this, you'll know. There also seems to be a way + to make qpopper work better with imapd; see the answer to the + My qpopper users keep on getting the DON'T DELETE THIS MESSAGE + -- FOLDER INTERNAL DATA if they also use Pine or IMAP. How can + I fix this? question. + _________________________________________________________________ + + 1.3 Can I set up a POP or IMAP server on Windows XP, 2000, NT, Me, 98, + or 95? + + Yes. Refer to the NT specific notes in files CONFIG and BUILD. + Also, for DOS-based versions of Windows (Windows Me, 98, and + 95) you *must* set up CRAM-MD5 authentication, as described in + md5.txt. 
+ + There is no file access control on Windows 9x or Me, so you + probably will have to do modifications to env_unix.c to prevent + people from hacking others' mail. + + Note, however, that the server is not plug and play the way it + is for UNIX. + _________________________________________________________________ + + 1.4 Can I set up a POP or IMAP server on Windows 3.1 or DOS? + 1.5 Can I set up a POP or IMAP server on Macintosh? + 1.6 Can I set up a POP or IMAP server on VAX/VMS? + + Yes, it's just a small matter of programming. + _________________________________________________________________ + + 1.7 Can I set up a POP or IMAP server on TOPS-20? + + You have a TOPS-20 system? Cool. + + If IMAP2 (RFC 1176) is good enough for you, you can use MAPSER + which is about the ultimate gonzo pure TOPS-20 extended + addressing assembly language program. Unfortunately, IMAP2 is + barely good enough for Pine these days, and most other IMAP + clients won't work with IMAP2 at all. Maybe someone will hack + MAPSER to do IMAP4rev1 some day. + + We don't know if anyone wrote a POP3 server for TOPS-20. There + definitely was a POP2 server once upon a time. + + Or you can port the POP and IMAP server from this IMAP toolkit + to it. All that you need for a first stab is to port the MTX + driver. That'll probably be just a couple of hours of hacking. + _________________________________________________________________ + + 1.8 Are hierarchical mailboxes supported? + 1.9 Are "dual-use" mailboxes supported? + 1.10 Can I have a mailbox that has both messages and sub-mailboxes? + + Yes. However, there is one important caveat. + + Some mailbox formats, including the default which is the + traditional UNIX mailbox format, are stored as a single file + containing all the messages. UNIX does not permit a name in the + filesystem to be both a file and a directory; consequently you + can not have a sub-mailbox within a mailbox that is in one of + these formats. 
+ + This is not a limitation of the software; this is a limitation + of UNIX. For example, there are mailbox formats in which the + name is a directory and each message is a file within that + directory; these formats support sub-mailboxes within such + mailboxes. However, for technical reasons, the "flat file" + formats are generally preferred since they perform better. Read + imap-2007/docs/formats.txt for more information on this topic. + + It is always permissible to create a directory that is not a + mailbox, and have sub-mailboxes under it. The easiest way to + create a directory is to create a new mailbox inside a + directory that doesn't already exist. For example, if you + create "Mail/testbox" on UNIX, the directory "Mail/" will + automatically be created and then the mailbox "testbox" will be + created as a sub-mailbox of "Mail/". + + It is also possible to create the name "Mail/" directly. Check + the documentation for your client software to see how to do + this with that software. + + Of course, on Windows systems you would use "\" instead of "/". + _________________________________________________________________ + + 1.11 What is the difference between "mailbox" and "folder"? + + The term "mailbox" is IMAP-speak for what a lot of software + calls a "folder" or a "mail folder". However, "folder" is often + used in other contexts to refer to a directory, for example, in + the graphic user interface on both Windows and Macintosh. + + A "mailbox" is specifically defined as a named object that + contains messages. It is not required to be capable of + containing other types of objects including other mailboxes; + although some mailbox formats will permit this. + + In IMAP-speak, a mailbox which can not contain other mailboxes + is called a "no-inferiors mailbox". Similarly, a directory + which can not contain messages is not a mailbox and is called a + "no-select name". 
+ _________________________________________________________________ + + 1.12 What is the status of internationalization? + + The IMAP toolkit is partially internationalized and + multilingualized. + + Searching is supported in the following charsets: US-ASCII, + UTF-8, ISO-8859-1, ISO-8859-2, ISO-8859-3, ISO-8859-4, + ISO-8859-5, ISO-8859-6, ISO-8859-7, ISO-8859-8, ISO-8859-9, + ISO-8859-10, ISO-8859-11, ISO-8859-13, ISO-8859-14, + ISO-8859-15, ISO-8859-16, KOI8-R, KOI8-U (alias KOI8-RU), + TIS-620, VISCII, ISO-2022-JP, ISO-2022-KR, ISO-2022-CN, + ISO-2022-JP-1, ISO-2022-JP-2, GB2312 (alias CN-GB), + CN-GB-12345, BIG5 (alias CN-BIG5), EUC-JP, EUC-KR, Shift_JIS, + Shift-JIS, KS_C_5601-1987, KS_C_5601-1992, WINDOWS_874, + WINDOWS-1250, WINDOWS-1251, WINDOWS-1252, WINDOWS-1253, + WINDOWS-1254, WINDOWS-1255, WINDOWS-1256, WINDOWS-1257, + WINDOWS-1258. + + All ISO-2022-?? charsets are treated identically, and support + ASCII, JIS Roman, hankaku katakana, ISO-8859-[1 - 10], TIS, GB + 2312, JIS X 0208, JIS X 0212, KSC 5601, and planes 1 and 2 of + CNS 11643. + + EUC-JP includes support for JIS X 0212 and hankaku katakana. + + c-client library support also exists to convert text in any of + the above charsets into Unicode, including headers with MIME + encoded-words. + + There is no support for localization (e.g. non-English error + messages) at the present time, but such support is planned. + _________________________________________________________________ + + 1.13 Can I use SSL? + + Yes. See the answer to the How do I configure SSL? question. + _________________________________________________________________ + + 1.14 Can I use TLS and the STARTTLS facility? + + Yes. See the answer to the How do I configure TLS and the + STARTTLS facility? question. + _________________________________________________________________ + + 1.15 Can I use CRAM-MD5 authentication? + + Yes. See the answer to the How do I configure CRAM-MD5 + authentication? question. 
+ _________________________________________________________________ + + 1.16 Can I use APOP authentication? + + Yes. See the How do I configure APOP authentication? question. + + Note that there is no client support for APOP authentication. + _________________________________________________________________ + + 1.17 Can I use Kerberos V5? + + Yes. See the answer to the How do I configure Kerberos V5? + question. + _________________________________________________________________ + + 1.18 Can I use PAM for plaintext passwords? + + Yes. See the answer to the How do I configure PAM for plaintext + passwords? question. + _________________________________________________________________ + + 1.19 Can I use Kerberos 5 for plaintext passwords? + + Yes. See the answer to the How do I configure Kerberos 5 for + plaintext passwords? question. + _________________________________________________________________ + + 1.20 Can I use AFS for plaintext passwords? + + Yes. See the answer to the How do I configure AFS for plaintext + passwords? question. + _________________________________________________________________ + + 1.21 Can I use DCE for plaintext passwords? + + Yes. See the answer to the How do I configure DCE for plaintext + passwords? question. + _________________________________________________________________ + + 1.22 Can I use the CRAM-MD5 database for plaintext passwords? + + Yes. See the answer to the How do I configure the CRAM-MD5 + database for plaintext passwords? question. + _________________________________________________________________ + + 1.23 Can I disable plaintext passwords? + + Yes. See the answer to the How do I disable plaintext + passwords? question. + _________________________________________________________________ + + 1.24 Can I disable plaintext passwords on unencrypted sessions, but + allow them on encrypted sessions? + + Yes. 
See the answer to the How do I disable plaintext passwords + on unencrypted sessions, but allow them in SSL or TLS sessions? + question. + _________________________________________________________________ + + 1.25 Can I use virtual hosts? + + Yes. See the answer to the How do I configure virtual hosts? + question. + _________________________________________________________________ + + 1.26 Can I use RPOP authentication? + + There is no support for RPOP authentication. + _________________________________________________________________ + + 1.27 Can I use Kerberos V4? + + Kerberos V4 is not supported. Kerberos V4 client-only + contributed code is available in + +ftp://ftp.cac.washington.edu/mail/kerberos4-patches.tar.Z + + This is a patchkit which must be applied to the IMAP toolkit + according to the instructions in the patchkit's README. We can + not promise that this code works. + _________________________________________________________________ + + 1.28 Is there support for S/Key or OTP? + + There is currently no support for S/Key or OTP. There may be an + OTP SASL authenticator available from third parties. + _________________________________________________________________ + + 1.29 Is there support for NTLM or SPA? + + There is currently no support for NTLM or SPA, nor are there + any plans to add such support. In general, I avoid + vendor-specific mechanisms. I also believe that these + mechanisms are being deprecated by their vendor. + + There may be an NTLM SASL authenticator available from third + parties. + _________________________________________________________________ + + 1.30 Is there support for mh? + + Yes, but only as a legacy format. Your mh format INBOX is + accessed by the name "#mhinbox", and all other mh format + mailboxes are accessed by prefixing "#mh/" to the name, e.g. + "#mh/foo". The mh support uses the "Path:" entry in your + .mh_profile file to identify the root directory of your mh + format mailboxes. 
+ + Non-legacy use of mh format is not encouraged. There is no + support for permanent flags or unique identifiers; furthermore + there are known severe performance problems with the mh format. + _________________________________________________________________ + + 1.31 Is there support for qmail and the maildir format? + + There is no support for qmail or the maildir format in our + distribution, nor are there any plans to add such support. + Maildir support may be available from third parties. + _________________________________________________________________ + + 1.32 Is there support for the Cyrus mailbox format? + + No. + _________________________________________________________________ + + 1.33 Is this software Y2K compliant? + + Please read the files Y2K and calendar.txt. + _________________________________________________________________ + +2. What Do I Need to Build This Software? + _________________________________________________________________ + + 2.1 What do I need to build this software with SSL on UNIX? + + You need to build and install OpenSSL first. + _________________________________________________________________ + + 2.2 What do I need to build this software with Kerberos V on UNIX? + + You need to build and install MIT Kerberos first. + _________________________________________________________________ + + 2.3 What do I need to use a C++ compiler with this software to build + my own application? + + If you are building an application using the c-client library, + use the new c-client.h file instead of including the other + include files. It seems that c-client.h should define away all + the troublesome names that conflict with C++. + + If you use gcc, you may need to use -fno-operator-names as + well. + _________________________________________________________________ + + 2.4 What do I need to build this software on Windows? 
+ + You need Microsoft Visual C++ 6.0, Visual C++ .NET, or Visual + C# .NET (which you can buy from any computer store), along with + the Microsoft Platform SDK (which you can download from + Microsoft's web site). + + You do not need to install the entire Platform SDK; it suffices + to install just the Core SDK and the Internet Development SDK. + _________________________________________________________________ + + 2.5 What do I need to build this software on DOS? + + It's been several years since we last attempted to do this. At + the time, we used Microsoft C. + _________________________________________________________________ + + 2.6 Can't I use Borland C to build this software on the PC? + + Probably not. If you know otherwise, please let us know. + _________________________________________________________________ + + 2.7 What do I need to build this software on the Mac? + + It has been several years since we last attempted to do this. + At the time, we used Symantec THINK C; but today you'll need a + C compiler which allows segments to be more than 32K. + _________________________________________________________________ + + 2.8 What do I need to build this software on VMS? + + You need the VMS C compiler, and either the Multinet or Netlib + TCP. + _________________________________________________________________ + + 2.9 What do I need to build this software on TOPS-20? + + You need the TOPS-20 KCC compiler. + _________________________________________________________________ + + 2.10 What do I need to build this software on Amiga or OS/2? + + We don't know. + _________________________________________________________________ + + 2.11 What do I need to build this software on Windows CE? + + This port is incomplete. Someone needs to finish it. + _________________________________________________________________ + +3. 
Build and Configuration Questions + _________________________________________________________________ + + 3.1 How do I configure the IMAP and POP servers on UNIX? + 3.2 I built and installed the servers according to the BUILD + instructions. It can't be that easy. Don't I need to write a config + file? + + For ordinary "vanilla" UNIX systems, this software is plug and + play; just build it, install it, and you're done. If you have a + modified system, then you may want to do additional work; most + of this is to a single source code file (env_unix.c on UNIX + systems). Read the file CONFIG for more details. + + Yes, it's that easy. There are some additional options, such as + SSL or Kerberos, which require additional steps to build. See + the relevant questions below. + _________________________________________________________________ + + 3.3 How do I make the IMAP and POP servers look for INBOX at some + place other than the mail spool directory? + 3.4 How do I make the IMAP server look for secondary folders at some + place other than the user's home directory? + + Please read the file CONFIG for discussion of this and other + issues. + _________________________________________________________________ + + 3.5 How do I configure SSL? + 3.6 How do I configure TLS and the STARTTLS facility? + + imap-2007 supports SSL and TLS client functionality on UNIX and + 32-bit Windows for IMAP, POP3, SMTP, and NNTP; and SSL and TLS + server functionality on UNIX for IMAP and POP3. + + UNIX SSL build requires that a third-party software package, + OpenSSL, be installed on the system first. Read + imap-2007/docs/SSLBUILD for more information. + + SSL is supported via undocumented Microsoft interfaces in + Windows 9x and NT4; and via standard interfaces in Windows + 2000, Windows Millenium, and Windows XP. + _________________________________________________________________ + + 3.7 How do I build/install OpenSSL and obtain/create certificates for + use with SSL? 
+ + If you need help in doing this, try the contacts mentioned in + the OpenSSL README. We do not offer support for OpenSSL or + certificates. + _________________________________________________________________ + + 3.8 How do I configure CRAM-MD5 authentication? + 3.9 How do I configure APOP authentication? + + CRAM-MD5 authentication is enabled in the IMAP and POP3 client + code on all platforms. Read md5.txt to learn how to set up + CRAM-MD5 and APOP authentication on UNIX and NT servers. + + There is no support for APOP client authentication. + _________________________________________________________________ + + 3.10 How do I configure Kerberos V5? + + imap-2007 supports client and server functionality on UNIX and + 32-bit Windows. + + Kerberos V5 is supported by default in Windows 2000 builds: + + nmake -f makefile.w2k + + Other builds require that a third-party Kerberos package, e.g. + MIT Kerberos, be installed on the system first. + + To build with Kerberos V5 on UNIX, include + EXTRAAUTHENTICATORS=gss in the make command line, e.g. + + make lnp EXTRAAUTHENTICATORS=gss + + To build with Kerberos V5 on Windows 9x, Windows Millenium, and + NT4, use the "makefile.ntk" file instead of "makefile.nt": + + + nmake -f makefile.ntk + _________________________________________________________________ + + 3.11 How do I configure PAM for plaintext passwords? + + On Linux systems, use the lnp port, e.g. + + make lnp + + On Solaris systems and other systems with defective PAM + implementations, build with PASSWDTYPE=pmb, e.g. + + make sol PASSWDTYPE=pmb + + On all other systems, build with PASSWDTYPE=pam, e.g + + make foo PASSWDTYPE=pam + + If you build with PASSWDTYPE=pam and authentication does not + work, try rebuilding (after a "make clean") with + PASSWDTYPE=pmb. 
+ _________________________________________________________________ + + 3.12 It looks like all I have to do to make the server use Kerberos is + to build with PAM on my Linux system, and set it up in PAM for + Kerberos passwords. Right? + + Yes and no. + + Doing this will make plaintext password authentication use the + Kerberos password instead of the /etc/passwd password. + + However, this will NOT give you Kerberos-secure authentication. + See the answer to the How do I configure Kerberos V5? question + for how to build with Kerberos-secure authentication. + _________________________________________________________________ + + 3.13 How do I configure Kerberos 5 for plaintext passwords? + + Build with PASSWDTYPE=gss, e.g. + + make sol PASSWDTYPE=gss + + However, this will NOT give you Kerberos-secure authentication. + See the answer to the How do I configure Kerberos V5? question + for how to build with Kerberos-secure authentication. + _________________________________________________________________ + + 3.14 How do I configure AFS for plaintext passwords? + + Build with PASSWDTYPE=afs, e.g + + make sol PASSWDTYPE=afs + _________________________________________________________________ + + 3.15 How do I configure DCE for plaintext passwords? + + Build with PASSWDTYPE=dce, e.g + + make sol PASSWDTYPE=dce + _________________________________________________________________ + + 3.16 How do I configure the CRAM-MD5 database for plaintext passwords? + + The CRAM-MD5 password database is automatically used for + plaintext password if it exists. + + Note that this is NOT CRAM-MD5-secure authentication. You + probably want to consider disabling plaintext passwords for + non-SSL/TLS sessions. See the next two questions. + _________________________________________________________________ + + 3.17 How do I disable plaintext passwords? + + Server-level plaintext passwords can be disabled by setting + PASSWDTYPE=nul, e.g. 
+ + make lnx EXTRAAUTHENTICATORS=gss PASSWDTYPE=nul + + Note that you must have a CRAM-MD5 database installed or + specify at least one EXTRAAUTHENTICATOR, otherwise it will not + be possible to log in to the server. + + When plaintext passwords are disabled, the IMAP server will + advertise the LOGINDISABLED capability and the POP3 server will + not advertise the USER capability. + + 3.18 How do I disable plaintext passwords on unencrypted sessions, but + allow them in SSL or TLS sessions? + + Do not set PASSWDTYPE=nul or SSLTYPE=unix. Set SSLTYPE=nopwd + instead, e.g. + + make lnx SSLTYPE=nopwd + + When plaintext passwords are disabled, the IMAP server will + advertise the LOGINDISABLED capability and the POP3 server will + not advertise the USER capability. + + Plaintext passwords will always be enabled in SSL sessions; the + IMAP server will not advertise the LOGINDISABLED capability and + the POP3 server will advertise the USER capability. + + If the client does a successful start-TLS in a non-SSL session, + plaintext passwords will be enabled, and a new CAPABILITY or + CAPA command (which is required after start-TLS) will show the + effect as in SSL sessions. + _________________________________________________________________ + + 3.19 How do I configure virtual hosts? + + This is automatic, but with certain restrictions. + + The most important one is that each virtual host must have its + own IP address; otherwise the server has no way of knowing + which virtual host is desired. + + As distributed, the software uses a global password file; hence + user "fred" on one virtual host is "fred" on all virtual hosts. + You may want to modify the checkpw() routine to implement some + other policy (e.g. separate password files). + + Note that the security model assumes that all users have their + own unique UNIX UID number. So if you use separate password + files you should make certain that the UID numbers do not + overlap between different files. 
+ + More advanced virtual host support may be available as patches + from third parties. + _________________________________________________________________ + + 3.20 Why do I get compiler warning messages such as: + passing arg 3 of `scandir' from incompatible pointer type + Pointers are not assignment-compatible. + Argument #4 is not the correct type. + + during the build? + + You can safely ignore these messages. + + Over the years, the prototype for scandir() has changed, and + thus is variant across different UNIX platforms. In particular, + the definitions of the third argument (type select_t) and + fourth argument (type compar_t) have changed over the years, + the issue being whether or not the arguments to the functions + pointed to by these function pointers are of type const or not. + + The way that c-client calls scandir() will tend to generate + these compiler warnings on newer systems such as Linux; + however, it will still build. The problem with fixing the call + is that then it won't build on older systems. + _________________________________________________________________ + + 3.21 Why do I get compiler warning messages such as + Operation between types "void(*)(int)" and "void*" is not allowed. + Function argument assignment between types "void*" and "void(*)(int)" is not a +llowed. + Pointers are not assignment-compatible. + Argument #5 is not the correct type. + + during the build? + + You can safely ignore these messages. + + All known systems have no problem with casting a function + pointer to/from a void* pointer, certain C compilers issue a + compiler diagnostic because this facility is listed as a + "Common extension" by the C standard: + + K.5.7 Function pointer casts + [#1] A pointer to an object or to void may be cast to a pointer + to a function, allowing data to be invoked as a function (6.3.4). 
+ [#2] A pointer to a function may be cast to a pointer to an + object or to void, allowing a function to be inspected or + modified (for example, by a debugger) (6.3.4). + + It may be just a "common extension", but this facility is + relied upon heavily by c-client. + _________________________________________________________________ + + 3.22 Why do I get linker warning messages such as: +mtest.c:515: the `gets' function is dangerous and should not be used. + + during the build? Isn't this a security bug? + + You can safely ignore this message. + + Certain linkers, most notably on Linux, give this warning + message. It is indeed true that the traditional gets() function + is not a safe one. + + However, the mtest program is only a demonstration program, a + model of a very basic application program using c-client. It is + not something that you would install, much less run in any + security-sensitive context. + + mtest has numerous other shortcuts that you wouldn't want to do + in a real application program. + + The only "security bug" with mtest would be if it was run by + some script in a security-sensitive context, but mtest isn't + particularly useful for such purposes. If you wanted to write a + script to automate some email task using c-client, you'd be + better off using imapd instead of mtest. + + mtest only has two legitimate uses. It's a useful testbed for + me when debugging new versions of c-client, and it's useful as + a model for someone writing a simple c-client application to + see how the various calls work. + + By the way, if you need a more advanced example of c-client + programming than mtest (and you probably will), I recommend + that you look at the source code for imapd and Pine. + _________________________________________________________________ + + 3.23 Why do I get linker warning messages such as: + auth_ssl.c:92: the `tmpnam' function is dangerous and should not be used. + + during the build? Isn't this a security bug? 
+ + You can safely ignore this message. + + Certain linkers, most notably on Linux, give this warning + message, based upon two known issues with tmpnam(): + + there can be a buffer overflow if an inadequate buffer is + allocated. + there can be a timing race caused by certain incautious + usage of the return value. + + Neither of these issues applies in the particular use that is + made of tmpnam(). More importantly, the tmpnam() call is never + executed on Linux systems. + _________________________________________________________________ + + 3.24 OK, suppose I see a warning message about a function being + "dangerous and should not be used" for something other than this + gets() or tmpnam() call? + + Please forward the details for investigation. + _________________________________________________________________ + +4. Operational Questions + _________________________________________________________________ + + 4.1 How can I enable anonymous IMAP logins? + + Create the file /etc/anonymous.newsgroups. At the present time, + this file should be empty. This will permit IMAP logins as + anonymous as well as the ANONYMOUS SASL authenticator. + Anonymous users have access to mailboxes in the #news., #ftp/, + and #public/ namespaces only. + _________________________________________________________________ + + 4.2 How do I set up an alert message that each IMAP user will see? + + Create the file /etc/imapd.alert with the text of the message. + This text should be kept to one line if possible. Note that + this will cause an alert to every IMAP user every time they + initiate an IMAP session, so it should only be used for + critical messages. + _________________________________________________________________ + + 4.3 How does the c-client library choose which of its several + mechanisms to use to establish an IMAP connection to the server? I + noticed that it can connect on port 143, port 993, via rsh, and via + ssh. 
+ + c-client chooses how to establish an IMAP connection via the + following rules: + + + If /ssl is specified, use an SSL connection. Fail otherwise. + + Else if client is a UNIX system and "ssh server exec + /etc/rimapd" works, use that + + Else if /tryssl is specified and an SSL connection works, use + that. + + Else if client is a UNIX system and "rsh server exec + /etc/rimapd" works, use that. + + Else use a non-SSL connection. + _________________________________________________________________ + + 4.4 I am using a TLS-capable IMAP server, so I don't need to use /ssl + to get encryption. However, I want to be certain that my session is + TLS encrypted before I send my password. How to I do this? + + Use the /tls option in the mailbox name. This will cause an + error message and the connection to fail if the server does not + negotiate STARTTLS. + _________________________________________________________________ + + 4.5 How do I use one of the alternative formats described in the + formats.txt document? In particular, I hear that mbx format will give + me better performance and allow shared access. + + The rumors about mbx format being preferred are true. It is + faster than the traditional UNIX mailbox format and permits + shared access. + + However, and this is very important, note that using an + alternative mailbox format is an advanced facility, and only + expert users should undertake it. If you don't understand any + of the following notes, you may not be enough of an expert yet, + and are probably better off not going this route until you are + more comfortable with your understanding. + + Some of the formats, including mbx, are only supported by the + software based on the c-client library, and are not recognized + by other mailbox programs. The "vi" editor will corrupt any mbx + format mailbox that it encounters. 
+ + Another problem is that the certain formats, including mbx, use + advanced file access and locking techniques that do not work + reliably with NFS. NFS is not a real filesystem. Use IMAP + instead of NFS for distributed access. + + Each of the following steps are in escalating order of + involvement. The further you go down this list, the more deeply + committed you become: + + + The simplest way to create a mbx-format mailbox is to prefix + the name with "#driver.mbx/" when creating a mailbox through + c-client. For example, if you create "#driver.mbx/foo", the + mailbox "foo" will be created in mbx format. Only use + "#driver.mbx/" when creating the mailbox. At all other times, + just use the name ("foo" in this example); the software will + automatically select the driver for mbx whenever that mailbox + is accessed without you doing anything else. + + You can use the "mailutil copy" command to copy an existing + mailbox to a new mailbox in mbx format. Read the man page + provided with the mailutil program for details. + + If you create an mbx-format INBOX, by creating + "#driver.mbx/INBOX" (note that "INBOX" must be all + uppercase), then subsequent access to INBOX by any c-client + based application will use the mbx-format INBOX. Any mail + delivered to the traditional format mailbox in the spool + directory (e.g. /var/spool/mail/$USER) will automatically be + copied into the mbx-format INBOX and the spool directory copy + removed. + + You can cause any newly-created mailboxes to be in mbx-format + by default by changing the definition of + CREATEPROTO=unixproto to be CREATEPROTO=mbxproto in + src/osdep/unix/Makefile, then rebuilding the IMAP toolkit (do + a "make clean" first). Do not change EMPTYPROTO, since mbx + format mailboxes are never a zero-byte file. If you use Pine + or the imap-utils, you should probably also rebuild them with + the new IMAP toolkit too. 
+ + You can deliver directly to the mbx-format INBOX by use of + the tmail or dmail programs. tmail is for direct invocation + from sendmail (or whatever MTA program you use); dmail is for + calls from procmail. Both of these programs have man pages + which must be read carefully before making this change. + + Most other servers (e.g. Cyrus) require use of a non-standard + format. A full-fledged format conversion is not significantly + different from what you have to do with other servers. The + difference, which makes format conversion procedures somewhat + more complicated with this server, is that there is no "all or + nothing" requirement with this server. There are many points in + between. A format conversion can be anything from a single + mailbox or single user, to systemwide. + + This is good in that you can decide how far to go, or do the + steps incrementally as you become more comfortable with the + result. On the other hand, there's no "One True Way" which can + be boiled down to a simple set of pedagogical instructions. + + A number of sites have done full-fledged format conversions, + and are reportedly quite happy with the results. Feel free to + ask in the comp.mail.imap newsgroup or the imap-uw mailing + list for advice or help. + _________________________________________________________________ + + 4.6 How do I set up shared mailboxes? + + At the simplest level, a shared mailbox is one which has UNIX + file and directory protections which permit multiple users to + access it. What this means is that your existing skills and + tools to create and manage shared files on your UNIX system + apply to shared mailboxes; e.g. + + chmod 666 mailbox + + You may want to consider the use of a mailbox format which + permits multiple simultaneous read/write sessions, such as the + mbx format. The traditional UNIX format only allows one + read/write session to a mailbox at a time. 
+ + An additional convenience item are three system directories, + which can be set up for shared namespaces. These are: #ftp, + #shared, and #public, and are defined by creating the + associated UNIX users and home directories as described below. + + #ftp/ refers to the anonymous ftp filesystem exported by the + ftp server, and is equivalent to the home directory for UNIX + user "ftp". For example, #ftp/foo/bar refers to the file + /foo/bar in the anonymous FTP filesystem, or ~ftp/foo/bar for + normal users. Anonymous FTP files are available to anonymous + IMAP logins. By default, newly-created files in #ftp/ are + protected 644. + + #public/ refers to an IMAP toolkit convention called "public" + files, and is equivalent to the home directory for UNIX user + "imappublic". For example, #public/foo/bar refers to the file + ~imappublic/foo/bar. Public files are available to anonymous + IMAP logins. By default, newly-created files in #public are + created with protection 0666. + + #shared/ refers to an IMAP toolkit convention called "shared" + files, and is equivalent to the home directory for UNIX user + "imapshared". For example, #shared/foo/bar refers to the file + ~imapshared/foo/bar. Shared files are not available to + anonymous IMAP logins. By default, newly-created files in + #shared are created with protection 0660. + _________________________________________________________________ + + 4.7 How can I make the server syslogs go to someplace other than the + mail syslog? + + The openlog() call that sets the syslog facility is in + src/osdep/unix/env_unix.c in routine server_init(). You need to + edit this file to change the syslog facility from LOG_MAIL to + the facility you want, then rebuild. You also need to set up + your /etc/syslog.conf properly. + + Refer to the man pages for syslog and syslogd for more + information on what the available syslog facilities are and how + to configure syslogs. 
If you still don't understand what to do, + find a UNIX system expert. + _________________________________________________________________ + +5. Security Questions + _________________________________________________________________ + + 5.1 I see that the IMAP server allows access to arbitary files on the + system, including /etc/passwd! How do I disable this? + + You should not worry about this if your IMAP users are allowed + shell access. The IMAP server does not permit any access that + the user can not have via the shell. + + If, and only if, you deny your IMAP users shell access, you may + want to consider one of three choices. Note that these choices + reduce IMAP functionality, and may have undesirable side + effects. Each of these choices involves an edit to file + src/osdep/unix/env_unix.c + + The first (and recommended) choice is to set restrictBox as + described in file CONFIG. This will disable access to the + filesystem root, to other users' home directory, and to + superior directory. + + The second (and strongly NOT recommended) choice is to set + closedBox as described in file CONFIG. This puts each IMAP + session into a so-called "chroot jail", and thus setting this + option is extremely dangerous; it can make your system much + less secure and open to root compromise attacks. So do not use + this option unless you are absolutely certain that you + understand all the issues of a "chroot jail." + + The third choice is to rewrite routine mailboxfile() to + implement whatever mapping from mailbox name to filesystem name + (and restrictions) that you wish. This is the most general + choice. As a guide, you can see at the start of routine + mailboxfile() what the restrictBox choice does. + _________________________________________________________________ + + 5.2 I've heard that IMAP servers are insecure. Is this true? + + There are no known security problems in this version of the + IMAP toolkit, including the IMAP and POP servers. 
The IMAP and + POP servers limit what can be done while not logged in, and as + part of the login process discard all privileges except those + of the user. + + As with other software packages, there have been buffer + overflow vulnerabilities in past versions. All known problems + of this nature are fixed in this version. + + There is every reason to believe that the bad guys are engaged + in an ongoing effort to find vulnerabilities in the IMAP + toolkit. We look for such problems, and when one is found we + fix it. + + It's unfortunate that any vulnerabilities existed in past + versions, and we're doing my best to keep the IMAP toolkit free + of vulnerabilities. No new vulnerabilities have been discovered + in quite a while, but efforts will not be relaxed. + + Beware of vendors who claim that their implementations can not + have vulnerabilities. + _________________________________________________________________ + + 5.3 How do I know that I have the most secure version of the server? + + The best way is to keep your server software up to date. The + bad guys are always looking for ways to crack software, and + when they find one, let all their friends know. + + Oldtimers used to refer to a concept of software rot: if your + software hasn't been updated in a while, it would "rot" -- tend + to acquire problems that it didn't have when it was new. + + The latest release version of the IMAP toolkit is always + available at ftp://ftp.cac.washington.edu/mail/imap.tar.Z + _________________________________________________________________ + + 5.4 I see all these strcpy() and sprintf() calls, those are unsafe, + aren't they? + + Yes and no. + + It can be unsafe to do these calls if you do not know that the + string being written will fit in the buffer. However, they are + perfectly safe if you do know that. 
+ + Beware of programmers who advocate doing a brute-force change + of all instances of + + strcpy (s,t); + + to + + strncpy (s,t,n)[n] = '\0'; + + and similar measures in the name of "fixing all possible buffer + overflows." + + There are examples in which a security bug was introduced + because of this type of "fix", due to the programmer using the + wrong value for n. In one case, the programmer thought that n + was larger than it actually was, causing a NUL to be written + out of the buffer; in another, n was too small, and a security + credential was truncated. + + What is particularly ironic was that in both cases, the + original strcpy() was safe, because the size of the source + string was known to be safe. + + With all this in mind, the software has been inspected, and it + is believed that all places where buffer overflows can happen + have been fixed. The strcpy()s that are still are in the code + occur after a size check was done in some other way. + + Note that the common C idiom of + + *s++ = c; + + is just as vulnerable to buffer overflows. You can't cure + buffer overflows by outlawing certain functions, nor is it + desirable to do so; sometimes operations like strcpy() + translate into fast machine instructions for better + performance. + + Nothing replaces careful study of code. That's how the bad guys + find bugs. Security is not accomplished by means of brute-force + shortcuts. + _________________________________________________________________ + + 5.5 Those /tmp lock files are protected 666, is that really right? + + Yes. Shared mailboxes won't work otherwise. Also, you get into + accidental denial of service problems with old lock files left + lying around; this happens fairly frequently. + + The deliberate mischief that can be caused by fiddling with the + lock files is small-scale; harassment level at most. There are + many -- and much more effective -- other ways of harassing + another user on UNIX. 
It's usually not difficult to determine + the culprit. + + Before worrying about deliberate mischief, worry first about + things happening by accident! + _________________________________________________________________ + +6. Why Did You Do This Strange Thing? Questions + _________________________________________________________________ + + 6.1 Why don't you use GNU autoconfig / automake / autoblurdybloop? + + Autoconfig et al are not available on all the platforms where + the IMAP toolkit is supported; and do not work correctly on + some of the platforms where they do exist. Furthermore, these + programs add another layer of complexity to an already complex + process. + + Coaxing software that uses autoconfig to build properly on + platforms which were not specifically considered by that + software wastes an inordinate amount of time. When (not if) + autoconfig fails to do the right thing, the result is an + inpenetrable morass to untangle in order to find the problem + and fix it. + + The concept behind autoconfig is good, but the execution is + flawed. It rarely does the right thing on a platform that + wasn't specifically considered. Human life is too short to + debug autoconfig problems, especially since the current + mechanism is so much easier. + _________________________________________________________________ + + 6.2 Why do you insist upon a build with -g? Doesn't it waste disk and + memory space? + + From time to time a submitted port has snuck in without -g. + This has always ended up causing problems. There are only two + valid excuses for not using -g in a port: + + + The compiler does not support -g + + An alternate form of -g is needed with optimization, e.g. + -g3. + + There will be no new ports added without -g (or a suitable + alternative) being set. + + -g has not been arbitrarily added to the ports which do not + currently have it because we don't know if doing so would break + the build. 
However, any support issues with one of those port + will lead to the correct -g setting being determined and + permanently added. + + Processors are fast enough (and disk space is cheap enough) + that -g should be automatic in all compilers with no way of + turning it off, and /bin/strip should be a symlink to + /bin/true. Human life is too short to deal with binaries built + without -g. Such binaries should be a bad memory of the days of + KIPS processors and disks that costs several dollars per + kilobyte. + _________________________________________________________________ + + 6.3 Why don't you make c-client a shared library? + + All too often, shared libraries create far more problems than + they solve. + + Remember that you only gain the benefit of a shared library + when there are multiple applications which use that shared + library. Even without shared libraries, on most modern + operating systems (and many ancient ones too!) applications + will share their text segments between across multiple + processes running the same application. This means that if your + system only runs one application (e.g. imapd) that uses the + c-client library, then you gain no benefit from making c-client + a shared library even if it has 100 imapd processes. You will, + however suffer added complexity. + + If you have a server system that just runs imapd and ipop3d, + then making c-client a shared library will save just one copy + of c-client no matter how many IMAP/POP3 processes are running. + + The problem with shared libraries is that you have to keep + around a copy of the library every time something changes in + the library that would affect the interface the library + presents to the application. So, you end up having many copies + of the same shared library. + + If you don't keep multiple copies of the shared library, then + one of two things happens. 
If there was proper versioning, then + you'll get a message such as "cannot open shared object file" + or "minor versions don't match" and the application won't run. + Otherwise, the application will run, but will fail in + mysterious ways. + + Several sites and third-party distributors have modified the + c-client makefile in order to make c-client be a shared + library. When (not if) a c-client based application fails in + mysterious ways because of a library compatibility problem, the + result is a bug report. A lot of time and effort ends up + getting wasted investigating such bug reports. + + Memory is so cheap these days that it's not worth it. Human + life is too short to deal with shared library compatibility + problems. + _________________________________________________________________ + + 6.4 Why don't you use iconv() for internationalization support? + + iconv() is not ubiquitous enough. + _________________________________________________________________ + + 6.5 Why is the IMAP server connected to the home directory by default? + + The IMAP server has no way of knowing what you might call + "mail" as opposed to "some other file"; in fact, you can use + IMAP to access any file. + + The IMAP server also doesn't know whether your preferred + subdirectory for mailbox files is "mail/", ".mail/", "Mail/", + "Mailboxes/", or any of a zillion other possibilities. If one + such name were chosen, it would undoubtably anger the partisans + of all the other names. + + It is possible to modify the software so that the default + connected directory is someplace else. Please read the file + CONFIG for discussion of this and other issues. + _________________________________________________________________ + + 6.6 I have a Windows system. Why isn't the server plug and play for + me? + + There is no standard for how mail is stored on Windows; nor a + single standard SMTP server. The closest to either would be the + SMTP server in Microsoft's IIS. 
+ + So there's no default by which to make assumptions. As the + software is set up, it assumes that the each user has an + Windows login account and private home directory, and that mail + is stored on that home directory as files in one of the popular + UNIX formats. It also assumes that there is some tool + equivalent to inetd on UNIX that does the TCP/IP listening and + server startup. + + Basically, unless you're an email software hacker, you probably + want to look elsewhere if you want IMAP/POP servers for + Windows. + _________________________________________________________________ + + 6.7 I looked at the UNIX SSL code and saw that you have the SSL data + payload size set to 8192 bytes. SSL allows 16K; why aren't you using + the full size? + + This is to avoid an interoperability problem with: + + + PC IMAP clients that use Microsoft's SChannel.DLL (SSPI) for + SSL support + + Microsoft Exchange server (which also uses SChannel). + + SChannel has a bug that makes it think that the maximum SSL + data payload size is 16379 bytes -- 5 bytes too small. Thus, + c-client has to make sure that it never transmits full sized + SSL packets. + + The reason for using 8K (as opposed to, say, 16379 bytes, or + 15K, or...) is that it corresponds with the TCP buffer size + that the software uses elsewhere for input; there's a slight + performance benefit to having the two sizes correspond or at + least be a multiple of each other. Also, it keeps the size as a + power of two, which might be significant on some platforms. + + There wasn't a significant difference that we could measure + between 8K and 15K. + + Microsoft has developed a hotfix for this bug. Look up MSKB + article number 300562. Contrary to the article text which + implies that this is a Pine issue, this bug also affects + Microsoft Exchange server with any client that transmits + full-sized SSL payloads. 
+ _________________________________________________________________ + + 6.8 Why is an mh format INBOX called #mhinbox instead of just INBOX? + + It's a long story. In brief, the mh format driver is less + functional than any of the other drivers. It turned out that + there were some users (including high-level administrators) who + tried mh years ago and no longer use it, but still had an mh + profile left behind. + + When the mh driver used INBOX, it would see the mh profile, and + proceed to move the user's INBOX into the mh format INBOX. This + caused considerable confusion as some things stopped working. + _________________________________________________________________ + + 6.9 Why don't you support the maildir format? + + It is technically difficult to support maildir in IMAP while + maintaining acceptable performance, robustness, following the + requirements of the IMAP protocol specification, and following + the requirements of maildir. + + No one has succeeded in accomplishing all four together. The + various maildir drivers offered as patches all have these + problems. The problem is exacerbated because this + implementation supports multiple formats; consequently this + implementation can't make any performance shortcuts by assuming + that all the world is maildir. + + We can't do a better job than the maildir fan community has + done with their maildir drivers. Similarly, if the maildir fan + community provides the maildir driver, they take on the + responsibility for answering maildir-specific support + questions. This is as it should be, and that is why maildir + support is left to the maildir fan community. + _________________________________________________________________ + + 6.10 Why don't you support the Cyrus format? + + There's no point to doing so. An implementation which supports + multiple formats will never do as well as one which is + optimized to support one single format. 
+ + If you want to use Cyrus mailbox format, you should use the + Cyrus server, which is the native implementation of that format + and is specifically optimized for that format. That's also why + Cyrus doesn't implement any other format. + _________________________________________________________________ + + 6.11 Why is it creating extra forks on my SVR4 system? + + This is because your system only has fcntl() style locking and + not flock() style locking. fcntl() locking has a design flaw + that causes a close() to release any locks made by that process + on the file opened on that file descriptor, even if the lock + was made on a different file descriptor. + + This design flaw causes unexpected loss of lock, and consequent + mailbox corruption. The workaround is to do certain "dangerous + operations" in another fork, thus avoiding doing a close() in + the vulnerable fork. + + The best way to solve this problem is to upgrade your SVR4 + (Solaris, AIX, HP-UX, SGI) or OSF/1 system to a more advanced + operating system, such as Linux or BSD. These more advanced + operating systems have fcntl() locking for compatibility with + SVR4, but also have flock() locking. + + Beware of certain SVR4 systems, such as AIX, which have an + "flock()" function in their C library that is just a jacket + that does an fcntl() lock. This is not a true flock(), and has + the same design flaw as fcntl(). + _________________________________________________________________ + + 6.12 Why are you so fussy about the date/time format in the internal + "From " line in traditional UNIX mailbox files? My other mail program + just considers every line that starts with "From " to be the start of + the message. + + You just answered your own question. If any line that starts + with "From " is treated as the start of a message, then every + message text line which starts with "From " has to be quoted + (typically by prefixing a ">" character). 
People complain about + this -- "why did a > get stuck in my message?" + + So, good mail reading software only considers a line to be a + "From " line if it follows the actual specification for a + "From " line. This means, among other things, that the day of + week is fixed-format: "May 14", but "May 7" (note the extra + space) as opposed to "May 7". ctime() format for the date is + the most common, although POSIX also allows a numeric timezone + after the year. For compatibility with ancient software, the + seconds are optional, the timezone may appear before the year, + the old 3-letter timezones are also permitted, and "remote from + xxx" may appear after the whole thing. + + Unfortunately, some software written by novices use other + formats. The most common error is to have a variable-width day + of month, perhaps in the erroneous belief that RFC 2822 (or RFC + 822) defines the format of the date/time in the "From " line + (it doesn't; no RFC describes internal formats). I've seen a + few other goofs, such as a single-digit second, but these are + less common. + + If you are writing your own software that writes mailbox files, + and you really aren't all that savvy with all the ins and outs + and ancient history, you should seriously consider using the + c-client library (e.g. routine mail_append()) instead of doing + the file writes yourself. If you must do it yourself, use + ctime(), as in: + + fprintf (mbx,"From %s@%h %s",user,host,ctime (time (0))); + + rather than try to figure out a good format yourself. ctime() + is the most traditional format and nobody will flame you for + using it. + _________________________________________________________________ + + 6.13 Why is traditional UNIX format the default format? + + Compatibility with the past 30 or so years of UNIX history. + This server is the only one that completely interoperates with + legacy UNIX mail tools. 
+ _________________________________________________________________ + + 6.14 Why do you write this "DON'T DELETE THIS MESSAGE -- FOLDER + INTERNAL DATA" message at the start of traditional UNIX and MMDF + format mailboxes? + + This pseudo-message serves two purposes. + + First, it establishes the mailbox format even when the mailbox + has no messages. Otherwise, a mailbox with no messages is a + zero-byte file, which could be one of several formats. + + Second, it holds mailbox metadata used by IMAP: the UID + validity, the last assigned UID, and mailbox keywords. Without + this metadata, which must be preserved even when the mailbox + has no messages, the traditional UNIX format wouldn't be able + to support the full capabilities of IMAP. + _________________________________________________________________ + + 6.15 Why don't you stash the mailbox metadata in the first real + message of the mailbox instead of writing this fake FOLDER INTERNAL + DATA message? + + In fact, that is what is done if the mailbox is non-empty and + does not already have a FOLDER INTERNAL DATA message. + + One problem with doing that is that if some external program + removes the first message, the metadata is lost and must be + recreated, thus losing any prior UID or keyword list status + that IMAP clients may depend upon. + + Another problem is that this doesn't help if the last message + is deleted. This will result in an empty mailbox, and the + necessity to create a FOLDER INTERNAL DATA message. + _________________________________________________________________ + + 6.16 Why aren't "dual-use" mailboxes the default? + + Compatibility with the past 30 or so years of UNIX history, not + to mention compatibility with user expectations when using + shell tools. + _________________________________________________________________ + + 6.17 Why do you use ucbcc to build on Solaris? + + It is a long, long story about why cc is set to ucbcc. 
You need + to invoke the C compiler so that it links with the SVR4 + libraries and not the BSD libraries, otherwise readdir() will + return the wrong information. + + Of all the names in the most common path, ucbcc is the only + name to be found (on /usr/ccs/bin) that points to a suitable + compiler. cc is likely to be /usr/ucb/cc which is absolutely + not the compiler that you want. The real SVR4 cc is probably + something like /opt/SUNWspro/bin/cc which is rarely in anyone's + path by default. + + ucbcc is probably a link to acc, e.g. + /opt/SUNWspro/SC4.0/bin/acc, and is the UCB C compiler using + the SVR4 libraries. + + If ucbcc isn't on your system, then punt on the SUN C compiler + and use gcc instead (the gso port instead of the sol port). + + If, in spite of all the above warnings, you choose to change + "ucbcc" to "cc", you will probably find that the -O2 needs to + be changed to -O. If you don't get any error messages with -O2, + that's a pretty good indicator that you goofed and are running + the compiler that will link with the BSD libraries. + + To recap: + + + The sol port is designed to be built using the UCB compiler + using the SVR4 libraries. This compiler is "ucbcc", which is + lunk to acc. You use -O2 as one of the CFLAGS. + + If you build the sol port with the UCB compiler using the BSD + libraries, you will get no error messages but you will get + bad binaries (the most obvious symptom is dropping the first + two characters return filenames from the imapd LIST command. + This compiler also uses -O2, and is very often what the user + gets from "cc". BEWARE + + If you build the sol port with the real SVR4 compiler, which + is often hidden away or unavailable on many systems, then you + will get errors from -O2 and you need to change that to -O. + But you will get a good binary. However, you should try it + with -O2 first, to make sure that you got this compiler and + not the UCB compiler using BSD libraries. 
+ _________________________________________________________________ + + 6.18 Why should I care about some old system with BSD libraries? cc is + the right thing on my Solaris system! + + Because there still are sites that use such systems. On those + systems, the assumption that "cc" does the right thing will + lead to corrupt binaries with no error message or other warning + that anything is amiss. + + Too many sites have fallen victim to this problem. + _________________________________________________________________ + + 6.19 Why do you insist upon writing .lock files in the spool + directory? + + Compatibility with the past 30 years of UNIX software which + deals with the spool directory, especially software which + delivers mail. Otherwise, it is possible to lose mail. + _________________________________________________________________ + + 6.20 Why should I care about compatibility with the past? + + This is one of those questions in which the answer never + convinces those who ask it. Somehow, everybody who ever asks + this question ends up answering it for themselves as they get + older, with the very answer that they rejected years earlier. + _________________________________________________________________ + +7. Problems and Annoyances + _________________________________________________________________ + + 7.1 Help! My INBOX is empty! What happened to my messages? + + If you are seeing "0 messages" when you open INBOX and you know + you have messages there (and perhaps have looked at your mail + spool file and see that messages are there), then probably + there is something wrong with the very first line of your mail + spool file. Make sure that the first five bytes of the file are + "From ", followed by an email address and a date/time in + ctime() format, e.g.: + + From fred@foo.bar Mon May 7 20:54:30 2001 + _________________________________________________________________ + + 7.2 Help! 
All my messages in a non-INBOX mailbox have been + concatenated into one message which claims to be from me and has a + subject of the file name of the mailbox! What's going on? + + Something wrong with the very first line of the mailbox. Make + sure that the first five bytes of the file are "From ", + followed by an email address and a date/time in ctime() format, + e.g.: + + From fred@foo.bar Mon May 7 20:54:30 2001 + _________________________________________________________________ + + 7.3 Why do I get the message: CREATE failed: Can't create mailbox node + xxxxxxxxx: File exists and how do I fix it? + + See the answer to the Are hierarchical mailboxes supported? + question. + _________________________________________________________________ + + 7.4 Why can't I log in to the server? The user name and password are + right! + + There are a myriad number of possible answers to this question. + The only way to say for sure what is wrong is run the server + under a debugger such as gdb while root (yes, you must be root) + with a breakpoint at routines checkpw() and loginpw(), then + single-step until you see which test rejected you. The server + isn't going to give any error messages other than "login + failed" in the name of not giving out any unnecessary + information to unauthorized individuals. + + Here are some of the more common reasons why login may fail: + + + You didn't really give the correct user name and/or password. + + Your client doesn't send the LOGIN command correctly; for + example, IMAP2 clients won't send a password containing a "*" + correctly to an IMAP4 server. + + If you have set up a CRAM-MD5 database, remember that the + password used is the one in the CRAM-MD5 database, and + furthermore that there must also be an entry in /etc/passwd + (but the /etc/passwd password is not used). + + If you are using PAM, have you created a service file for the + server in /etc/pam.d? 
+ + If you are using shadow passwords, have you used an + appropriate port when building? In particular, note that + "lnx" is for Linux systems without shadow passwords; you + probably want "slx" or "lnp" instead. + + If your system has account or password expirations, check to + see that the expiration date hasn't passed. + + You can't log in as root or any other UID 0 user. This is for + your own safety, not to mention the fact that the servers use + UID 0 as meaning "not logged in". + _________________________________________________________________ + + 7.5 Help! My load average is soaring and I see hundreds of POP and + IMAP servers, many logged in as the same user! + + Certain inferior losing GUI mail reading programs have a + "synchronize all mailboxes at startup" (IMAP) or "check for new + mail every second" (POP) feature which causes a rapid and + unchecked spawning of servers. + + This is not a problem in the server; the client is really + asking for all those server sessions. Unfortunately, there + isn't much that the POP and IMAP servers can do about it; they + don't spawned themselves. + + Some sites have added code to record the number of server + sessions spawned per user per hour, and disable login for a + user who has exceeded a predetermined rate. This doesn't stop + the servers from being spawned; it just means that a server + session will commit suicide a bit faster. + + Another possibility is to detect excessive server spawning + activity at the level where the server is spawned, which would + be inetd or possibly tcpd. The problem here is that this is a + hard time to quantify. 50 sessions in a minute from a + multi-user timesharing system may be perfectly alright, whereas + 10 sessions a minute from a PC may be too much. + + The real solution is to fix the client configuration, by + disabling those evil features. 
Also tell the vendors of those + clients how you feel about distributing denial-of-service + attack tools in the guise of mail reading programs. + _________________________________________________________________ + + 7.6 Why does mail disappear even though I set "keep mail on server"? + 7.7 Why do I get the message Moved ##### bytes of new mail to + /home/user/mbox from /var/spool/mail/user and why did this happen? + + This is probably caused by the mbox driver. If the file "mbox" + exists on the user's home directory and is in UNIX mailbox + format, then when INBOX is opened this file will be selected as + INBOX instead of the mail spool file. Messages will be + automatically transferred from the mail spool file into the + mbox file. + + To disable this behavior, delete "mbox" from the EXTRADRIVERS + list in the top-level Makefile and rebuild. Note that if you do + this, users won't be able to access the messages that have + already been moved to mbox unless they open mbox instead of + INBOX. + _________________________________________________________________ + + 7.8 Why isn't it showing the local host name as a fully-qualified + domain name? + 7.9 Why is the local host name in the From/Sender/Message-ID headers + of outgoing mail not coming out as a fully-qualified domain name? + + Your UNIX system is misconfigured. The entry for your system in + /etc/hosts must have the fully-qualified domain name first, + e.g. + + 105.69.1.234 myserver.example.com myserver + + A common mistake of novice system administrators is to have the + short name first, e.g. + + 105.69.1.234 myserver myserver.example.com + + or to omit the fully qualified domain name entirely, e.g. + + 105.69.1.234 myserver + + The result of this is that when the IMAP toolkit does a + gethostbyname() call to get the fully-qualified domain name, it + would get "myserver" instead of "myserver.example.com". 
+ + On some systems, a configuration file (typically named + /etc/svc.conf, /etc/netsvc.conf, or /etc/nsswitch.conf) can be + used to configure the system to use the domain name system + (DNS) instead of /etc/hosts, so it doesn't matter if /etc/hosts + is misconfigured. + + Check the man pages for gethostbyname, hosts, svc, and/or + netsvc for more information. + + Unfortunately, certain vendors, most notably SUN, have failed + to make this clear in their documentation. Most of SUN's + documentation assumes a corporate network that is not connected + to the Internet. + + net.folklore once (late 1980s) held that the proper procedure + was to append the results of getdomainname() to the name + returned by gethostname(), and some versions of sendmail + configuration files were distributed that did this. This was + incorrect; the string returned from getdomainname() is the + Yellow Pages (a.k.a NIS) domain name, which is a completely + different (albeit unfortunately named) entity from an Internet + domain. These were often fortuitously the same string, except + when they weren't. Frequently, this would result in host names + with spuriously doubled domain names, e.g. + + myserver.example.com.example.com + + This practice has been thoroughly discredited for many years, + but folklore dies hard. + _________________________________________________________________ + + 7.10 What does the message: Mailbox vulnerable - directory + /var/spool/mail must have 1777 protection mean? How can I fix this? + + In order to update a mailbox in the default UNIX format, it is + necessary to create a lock file to prevent the mailer from + delivering mail while an update is in progress. Some systems + use a directory protection of 775, requiring that all mail + handling programs be setgid mail; or of 755, requiring that all + mail handling programs be setuid root. + + The IMAP toolkit does not run with any special privileges, and + I plan to keep it that way. 
It is antithetical to the concept + of a toolkit if users can't write their own programs to use it. + Also, I've had enough bad experiences with security bugs while + running privileged; the IMAP and POP servers have to be root + when not logged in, in order to be able to log themselves in. I + don't want to go any deeper down that slippery slope. + + Directory protection 1777 is secure enough on most well-managed + systems. If you can't trust your users with a 1777 mail spool + (petty harassment is about the limit of the abuse exposure), + then you have much worse problems then that. + + If you absolutely insist upon requiring privileges to create a + lock file, external file locking can be done via a setgid mail + program named /etc/mlock (this is defined by LOCKPGM in the + c-client Makefile). If the toolkit is unable to create a + <...mailbox...>.lock file in the directory by itself, it will + try to call mlock to do it. I do not recommend doing this for + performance reasons. + + A sample mlock program is included as part of imap-2007. We + have tried to make this sample program secure, but it has not + been thoroughly audited. + _________________________________________________________________ + + 7.11 What does the message: Mailbox is open by another process, access + is readonly mean? How do I fix this? + + A problem occurred in applying a lock to a /tmp lock file. + Either some other program has the mailbox open and won't + relenquish it, or something is wrong with the protection of + /tmp or the lock. + + Make sure that the /tmp directory is protected 1777. Some + security scripts incorrectly set the protection of the /tmp + directory to 775, which disables /tmp for all non-privileged + programs. + _________________________________________________________________ + + 7.12 What does the message: Can't get write access to mailbox, access + is readonly mean? + + The mailbox file is write-protected against you. 
+ _________________________________________________________________ + + 7.13 I set my POP3 client to "delete messages from server" but they + never get deleted. What is wrong? + + Make sure that your mailbox is not read-only: that the mailbox + is owned by you and write enabled (protection 0600), and that + the /tmp directory is longer world-writeable. /tmp must be + world-writeable because lots of applications use it for scratch + space. To fix this, do + + + chmod 1777 /tmp + + as root. + + Make sure that your POP3 client issues a QUIT command when it + finishes. The POP3 protocol specifies that deletions are + discarded unless a proper QUIT is done. + + Make sure that you are not opening multiple POP3 sessions to + the same mailbox. It is a requirement of the POP3 protocol than + only one POP3 session be in effect to a mailbox at a time, + however some, poorly-written POP3 clients violate this. Also, + some background "check for new mail" tasks also cause a + violation. See the answer to the What does the syslog message: + Killed (lost mailbox lock) user=... host=... mean? question for + more details. + _________________________________________________________________ + + 7.14 What do messages such as: + Message ... UID ... already has UID ... + Message ... UID ... less than ... + Message ... UID ... greater than last ... + Invalid UID ... in message ..., rebuilding UIDs + + mean? + + Something happened to corrupt the unique identifier regime in + the mailbox. In traditional UNIX-format mailboxes, this can + happen if the user deleted the "DO NOT DELETE" internal + message. + + This problem is relatively harmless; a new valid unique + identifier regime will be created. The main effect is that any + references to the old UIDs will no longer be useful. + + So, unless it is a chronic problem or you feel like debugging, + you can safely ignore these messages. 
+ _________________________________________________________________ + + 7.15 What do the error messages: + Unable to read internal header at ... + Unable to find CRLF at ... + Unable to parse internal header at ... + Unable to parse message date at ... + Unable to parse message flags at ... + Unable to parse message UID at ... + Unable to parse message size at ... + Last message (at ... ) runs past end of file ... + + mean? I am using mbx format. + + The mbx-format mailbox is corrupted and needs to be repaired. + + You should make an effort to find out why the corruption + happened. Was there an obvious system problem (crash or disk + failure)? Did the user accidentally access the file via NFS? + Mailboxes don't get corrupted by themselves; something caused + the problem. + + Some people have developed automated scripts, but if you're + comfortable using emacs it's pretty easy to fix it manually. Do + not use vi or any other editor unless you are certain that + editor can handle binary!!! + + If you are not comfortable with emacs, or if the file is too + large to read with emacs, see the "step-by-step" technique + later on for another way of doing it. + + After the word "at" in the error message is the byte position + it got to when it got unhappy with the file, e.g. if you see: + + Unable to parse internal header at 43921: ne bombastic blurdybloop + + The problem occurs at the 43,931 byte in the file. That's the + point you need to fix. c-client is expecting an internal header + at that byte number, looking something like: + + 6-Jan-1998 17:42:24 -0800,1045;000000100001-00000001 + + The format of this internal line is: + + dd-mmm-yyyy hh:mm:ss +zzzz,ssss;ffffffffFFFF-UUUUUUUU + + The only thing that is variable is the "ssss" field, it can be + as many digits as needed. All other fields (inluding the "dd") + are fixed width. 
So, the easiest thing to do is to look forward + in the file for the next internal header, and delete everything + from the error point to that internal header. + + Here's what to do if you want to be smarter and do a little bit + more work. Generally, you're in the middle of a message, and + there's nothing wrong with that message. The problem happened + in the *previous* message. So, search back to the previous + internal header. Now, remember that "ssss" field? That's the + size of that message. + + Mark where you are in the file, move the cursor to the line + after the internal header, and skip that many bytes ("ssss") + forward. If you're at the point of the error in the file, then + that message is corrupt. If you're at a different point, then + perhaps the previous message is corrupt and has a too long size + count that "ate" into this message. + + Basically, what you need to do is make sure that all those size + counts are right, and that moving "ssss" bytes from the line + after the internal header will land you at another internal + header. + + Usually, once you know what you're looking at, it's pretty easy + to work out the corruption, and the best remedial action. + Repair scripts will make the problem go away but may not always + do the smartest/best salvage of the user's data. Manual repair + is more flexible and usually preferable. + + Here is a step-by-step technique for fixing corrupt mbx files + that's a bit cruder than the procedure outlined above, but + works for any size file. + + In this example, suppose that the corrupt file is INBOX, the + error message is + + Unable to find CRLF at 132551754 + + and the size of the INBOX file is 132867870 bytes. + + The first step is to split the mailbox file at the point of the + error: + + + Rename the INBOX file to some other name, such as INBOX.bad. + + Copy the first 132,551,754 bytes of INBOX.bad to another + file, such as INBOX.new. 
+ + Extract the trailing 316,116 bytes (132867870-132551754) of + INBOX.bad into another file, such as INBOX.tail. + + You no longer need INBOX.bad. Delete it. + + In other words, use the number from the "Unable to find CRLF + at" as the point to split INBOX into two new files, INBOX.new + and INBOX.tail. + + Now, remove the erroneous data: + + + Verify that you can open INBOX.new in IMAP or Pine. + + The last message of INBOX.new is probably corrupted. Copy it + to another file, such as badmsg.1, then delete and expunge + that last message from INBOX.new + + Locate the first occurance of text in INBOX.tail which looks + like an internal header, as described above. + + Remove all the text which occurs prior to that point, and + place it into another file, such as badmsg.2. Note that in + the case of a single digit date, there is a leading space + which must not be removed (e.g. " 6-Nov-2001" not + "6-Nov-2001"). + + Reassemble the mailbox: + + + Append INBOX.tail to INBOX.new. + + You no longer need INBOX.tail. Delete it. + + Verify that you can open INBOX.new in IMAP or Pine. + + Reinstall INBOX.new as INBOX: + + + Check to see if you have received any new messages while + repairing INBOX. + + If you haven't received any new messages while repairing + INBOX, just rename INBOX.new to INBOX. + + If you have received new messages, be sure to copy the new + messages from INBOX to INBOX.new before doing the rename. + + You now have a working INBOX, as well as two files with + corrupted data (badmsg.1 and badmsg.2). There may be some + useful data in the two badmsg files that you might want to try + salvaging; otherwise you can delete the two badmsg files. + _________________________________________________________________ + + 7.16 What do the syslog messages: + + imap/tcp server failing (looping) + pop3/tcp server failing (looping) + + mean? When it happens, the listed service shuts down. How can I fix + this? 
+ + The error message "server failing (looping), service + terminated" is not from either the IMAP or POP servers. + Instead, it comes from inetd, the daemon which listens for TCP + connections to a number of servers, including the IMAP and POP + servers. + + inetd has a limit of 40 new server sessions per minute for any + particular service. If more than 40 sessions are initiated in a + minute, inetd will issue the "failing (looping), service + terminated" message and shut down the service for 10 minutes. + inetd does this to prevent system resource consumption by a + client which is spawning infinite numbers of servers. It should + be noted that this is a denial of service; however for some + systems the alternative is a crash which would be a worse + denial of service! + + For larger server systems, the limit of 40 is much too low. The + limit was established many years ago when a system typically + only ran a few dozen servers. + + On some versions of inetd, such as the one distributed with + most versions of Linux, you can modify the /etc/inetd.conf file + to have a larger number of servers by appending a period + followed by a number after the nowait word for the server + entry. For example, if your existing /etc/inetd.conf line + reads: + + imap stream tcp nowait root /usr/etc/imapd imapd + + try changing it to be: + + imap stream tcp nowait.100 root /usr/etc/imapd imapd + + Another example (using TCP wrappers): + + imap stream tcp nowait root /usr/sbin/tcpd imapd + + try changing it to be: + + imap stream tcp nowait.100 root /usr/sbin/tcpd imapd + + to increase the limit to 100 sessions/minute. + + Before making this change, please read the information in "man + inetd" to determine whether or not your inetd has this feature. + If it does not, and you make this change, the likely outcome is + that you will disable IMAP service entirely. 
+ + Another way to fix this problem is to edit the inetd.c source + code (provided by your UNIX system vendor) to set higher + limits, rebuild inetd, install the new binary, and reboot your + system. This should only be done by a UNIX system expert. In + the inetd.c source code, the limits TOOMANY (normally 40) is + the maximum number of new server sessions permitted per minute, + and RETRYTIME (normally 600) is the number of seconds inetd + will shut down the server after it exceeds TOOMANY. + _________________________________________________________________ + + 7.17 What does the syslog message: Mailbox lock file /tmp/.600.1df3 + open failure: Permission denied mean? + + This usually means that some "helpful" security script person + has protected /tmp so that it is no longer world-writeable. + /tmp must be world-writeable because lots of applications use + it for scratch space. To fix this, do + + chmod 1777 /tmp + + as root. + + If that isn't the answer, check the protection of the named + file. If it is something other than 666, then either someone is + hacking or some "helpful" person modified the code to have a + different default lock file protection. + _________________________________________________________________ + + 7.18 What do the syslog messages: + Command stream end of file, while reading line user=... host=... + Command stream end of file, while reading char user=... host=... + Command stream end of file, while writing text user=... host=... + + mean? + + This message occurs when the session is disconnected without a + proper LOGOUT (IMAP) or QUIT (POP) command being received by + the server first. + + In many cases, this is perfectly normal; many client + implementations are impolite and do this. Some programmers + think this sort of rudeness is "more efficient". + + The condition could, however, indicate a client or network + connectivity problem. 
The server has no way of knowing whether + there's a problem or just a rude client, so it issues this + message instead of a Logout. + + Certain inferior losing clients disconnect abruptly after a + failed login, and instead of saying that the login failed, just + say that they can't access the mailbox. They then complain to + the system manager, who looks in the syslog and finds this + message. Not very helpful, eh? See the answer to the Why can't + I log in to the server? The user name and password are right! + question. + + If the user isn't reporting a problem, you can probably ignore + this message. + _________________________________________________________________ + + 7.19 Why did my POP or IMAP session suddenly disconnect? The syslog + has the message: Killed (lost mailbox lock) user=... host=... + + This message only happens when either the traditional UNIX + mailbox format or MMDF format is in use. This format only + allows one session to have the mailbox open read/write at a + time. + + The servers assume that if a second session attempts to open + the mailbox, that means that the first session is probably + owned by an abandoned client. The common scenario here is a + user who leaves his client running at the office, and then + tries to read his mail from home. Through an internal mechanism + called kiss of death, the second session requests the first + session to kill itself. When the first session receives the + "kiss of death", it issues the "Killed (lost mailbox lock)" + syslog message and terminates. The second session then seizes + read/write access, and becomes the new "first" session. + + Certain poorly-designed clients routinely open multiple + sessions to the same mailbox; the users of those clients tend + to get this message a lot. + + Another cause of this message is a background "check for new + mail" task which does its work by opening a POP session to + server every few seconds. 
They do this because POP doesn't have + a way to announce new mail. + + The solution to both situations is to replace the client with a + good online IMAP client such as Pine. Life is too short to + waste on POP clients and poorly-designed IMAP clients. + _________________________________________________________________ + + 7.20 Why does my IMAP client show all the files on the system, + recursively from the UNIX root directory? + 7.21 Why does my IMAP client show all of my files, recursively from my + UNIX home directory? + + A well-written client should only show one level of hierarchy + and then stop, awaiting explicit user action before going + lower. However, some poorly-designed clients will recursively + list all files, which may be a very long list (especially if + you have symbolic links to directories that create a loop in + the filesystem graph!). + + This behavior has also been observed in some third-party + c-client drivers, including maildir drivers. Consequently, this + problem has even been observed in Pine. It is important to + understand that this is not a problem in Pine or c-client; it + is a problem in the third-party driver. A Pine built without + that third-party driver will not have this problem. + + See also the answer to Why does my IMAP client show all my + files in my home directory? + _________________________________________________________________ + + 7.22 Why does my IMAP client show that I have mailboxes named + "#mhinbox", "#mh", "#shared", "#ftp", "#news", and "#public"? + + These are IMAP namespace names. They represent other + hierarchies in which messages may exist. These hierarchies may + not necessarily exist on a server, but the namespace name is + still in the namespace list in order to mark it as reserved. + + A few poorly-designed clients display all namespace names as if + they were top-level mailboxes in a user's list of mailboxes, + whether or not they actually exist. This is a flaw in those + clients. 
+ _________________________________________________________________ + + 7.23 Why does my IMAP client show all my files in my home directory? + + As distributed, the IMAP server is connected to your home + directory by default. It has no way of knowing what you might + call "mail" as opposed to "some other file"; in fact, you can + use IMAP to access any file. + + Most clients have an option to configure your connected + directory on the IMAP server. For example, in Pine you can + specify this as the "Path" in your folder-collection, e.g. + + Nickname : Secondary Folders + Server : imap.example.com + Path : mail/ + View : + + In this example, the user is connected to the "mail" + subdirectory of his home directory. + + Other servers call this the "folder prefix" or similar term. + + It is possible to modify the IMAP server so that all users are + automatically connected to some other directory, e.g. a + subdirectory of the user's home directory. Read the file CONFIG + for more details. + _________________________________________________________________ + + 7.24 Why is there a long delay before I get connected to the IMAP or + POP server, no matter what client I use? + + There are two common occurances of this problem: + + + You are running a system (e.g. certain versions of Linux) + which by default attempts to connect to an "IDENT" protocol + (port 113) server on your client. However, a firewall or NAT + box is blocking connections to that port, so the connection + attempt times out. + The IDENT protocol is a well-known bad idea that does not + deliver any real security but causes incredible problems. The + idea is that this will give the server a record of the user + name, or at least what some program listening on port 113 + says is the user name. So, if somebody coming from port nnnnn + on a system does something bad, IDENT may give you the userid + of the bad guy. 
+ The problem is, IDENT is only meaningful on a timesharing + system which has an administrator who is privileged and users + who are not. It is of no value on a personal system which has + no separate concept of "system administrator" vs. + "unprivileged user". + On either type of system, security-minded people either turn + IDENT off or replace it with an IDENT server that lies. Among + other things, IDENT gives spammers the ability to harvest + email addresses from anyone who connects to a web page. + This problem has been showing up quite frequently on systems + which use xinetd instead of inetd. Look for files named + /etc/xinetd.conf, /etc/xinetd.d/imapd, /etc/inetd.d/ipop2d, + and /etc/xinetd.d/ipop3d. In those files, look for lines + containing "USERID", e.g. + log_on_success += USERID + Hunt down such lines, and delete them ruthlessly from all + files in which they occur. Don't be shy about it. + + The DNS is taking a long time to do a reverse DNS (PTR + record) lookup of the IP address of your client. This is a + problem in your DNS, which either you or you ISP need to + resolve. Ideally, the DNS should return the client's name; + but if it can't it should at least return an error quickly. + + As you may have noticed, neither of these are actual problems + in the IMAP or POP servers; they are configuration issues with + either your system or your network infrastructure. If this is + all new to you, run (don't walk) to the nearest technical + bookstore and get yourself a good pedagogical text on system + administration for the type of system you are running. + _________________________________________________________________ + + 7.25 Why is there a long delay in Pine or any other c-client based + application call before I get connected to the IMAP server? The hang + seems to be in the c-client mail_open() call. I don't have this + problem with any other IMAP client. There is no delay connecting to a + POP3 or NNTP server with mail_open(). 
+ + By default, the c-client library attempts to make a connection + through rsh (and ssh, if you enable that). If the command: + + rsh imapserver exec /etc/rimapd + + (or ssh if that is enabled) returns with a "* PREAUTH" + response, it will use the resulting rsh session as the IMAP + session and not require an authentication step on the server. + + Unfortunately, rsh has a design error that treats "TCP + connection refused" as "temporary failure, try again"; it + expects the "rsh not allowed" case to be implemented as a + successful connection followed by an error message and close + the connection. + + It must be emphasized that this is a bug in rsh. It is not a + bug in the IMAP toolkit. + + The use of rsh can be disabled in any the following ways: + + + You can disable it for this particular session by either: + o setting an explicit port number in the mailbox name, + e.g. + {imapserver.foo.com:143}INBOX + o using SSL (the /ssl switch) + + You can disable rsh globally by setting the rsh timeout value + to 0 with the call: + mail_parameters (NIL,SET_RSHTIMEOUT,0); + _________________________________________________________________ + + 7.26 Why does a message sometimes get split into two or more messages + on my SUN system? + + This is caused by an interaction of two independent design + problems in SUN mail software. The first problem is that the + "forward message" option in SUN's mail tool program includes + the internal "From " header line in the text that it forwarded. + This internal header line is specific to traditional UNIX + mailbox files and is not suitable for use in forwarded + messages. + + The second problem is that the mail delivery agent assumes that + mail reading programs will not use the traditional UNIX mailbox + format but instead an incompatible variant that depends upon a + Content-Length: message header. 
Content-Length is widely + recognized to have been a terrible mistake, and is no longer + recommended for use in mail (it is used in other facilities + that use MIME). + + One symptom of the problem is that under certain circumstances, + a message may get broken up into several messages. I'm also + aware of security bugs caused by programs that foolishly trust + "Content-Length:" headers with evil values. + + To fix the mailer on your system, edit your sendmail.cf to + change the Mlocal line to have the -E flag. A typical entry + will lool like: + + Mlocal, P=/usr/lib/mail.local, F=flsSDFMmnPE, S=10, R=20, + A=mail.local -d $u + + This fix will also work around the problem with mail tool, + because it will insert a ">" before the internal header line to + prevent it from being interpreted by mail reading software as + an internal header line. + _________________________________________________________________ + + 7.27 Why did my POP or IMAP session suddenly disconnect? The syslog + has the message: + Autologout user=<...my user name...> host=<...my client system...> + + This is a problem in your client. + + In the case of IMAP, it failed to communicate with the IMAP + server for over 30 minutes; in the case of POP, it failed to + communicate with the POP server for over 10 minutes. + _________________________________________________________________ + + 7.28 What does the UNIX error message: TLS/SSL failure: myserver: SSL + negotiation failed mean? + 7.29 What does the PC error message: TLS/SSL failure: myserver: + Unexpected TCP input disconnect mean? + + This usually means that an attempt to negotiate TLS encryption + via the STARTTLS command failed, because the server advertises + STARTTLS functionality, but doesn't actually have it (e.g. + because no certificates are installed). + + Use the /notls option in the mailbox name to disable TLS + negotiation. 
+ _________________________________________________________________ + + 7.30 What does the error message: TLS/SSL failure: myserver: Server + name does not match certificate mean? + + An SSL or TLS session encryption failed because the server name + in the server's certificate does not match the name that you + gave it. This could indicate that the server is not really the + system you think that it is, but can be also be called if you + gave a nickname for the server or name that was not + fully-qualified. You must use the fully-qualified domain name + for the server in order to validate its certificate + + Use the /novalidate-cert option in the mailbox name to disable + validation of the certificate. + _________________________________________________________________ + + 7.31 What does the UNIX error message: TLS/SSL failure: myserver: + self-signed certificate mean? + 7.32 What does the PC error message: TLS/SSL failure: myserver: + Self-signed certificate or untrusted authority mean? + + An SSL or TLS session encryption failed because your server's + certificate is "self-signed"; that is, it is not signed by any + Certificate Authority (CA) and thus can not be validated. A + CA-signed certificate costs money, and some smaller sites + either don't want to pay for it or haven't gotten one yet. The + bad part about this is that this means there is no guarantee + that the server is really the system you think that it is. + + Use the /novalidate-cert option in the mailbox name to disable + validation of the certificate. + _________________________________________________________________ + + 7.33 What does the UNIX error message: TLS/SSL failure: myserver: + unable to get local issuer certificate mean? + + An SSL or TLS session encryption failed because your system + does not have the Certificate Authority (CA) certificates + installed on OpenSSL's certificates directory. On most systems, + this directory is /usr/local/ssl/certs). 
As a result, it is not + possible to validate the server's certificate. + + If CA certificates are properly installed, you should see + factory.pem and about a dozen other .pem names such as + thawteCb.pem. + + As a workaround, you can use the /novalidate-cert option in the + mailbox name to disable validation of the certificate; however, + note that you are then vulnerable to various security attacks + by bad guys. + + The correct fix is to copy all the files from the certs/ + directory in the OpenSSL distribution to the + /usr/local/ssl/certs (or whatever) directory. Note that you + need to do this after building OpenSSL, because the OpenSSL + build creates a number of needed symbolic links. For some + bizarre reason, the OpenSSL "make install" doesn't do this for + you, so you must do it manually. + _________________________________________________________________ + + 7.34 Why does reading certain messages hang when using Netscape? It + works fine with Pine! + + There are two possible causes. + + Check the mail syslog. If you see the message "Killed (lost + mailbox lock)" for the impacted user(s), read the FAQ entry + regarding that message. + + Check the affected mailbox to see if there are embedded NUL + characters in the message. NULs in message texts are a + technical violation of both the message format and IMAP + specifications. Most clients don't care, but apparently + Netscape does. + + You can work around this by rebuilding imapd with the + NETSCAPE_BRAIN_DAMAGE option set (see src/imapd/Makefile); this + will cause imapd to convert all NULs to 0x80 characters. A + better solution is to enable the feature in your MTA to + MIME-convert messages with binary content. See the + documentation for your MTA for how to do this. + _________________________________________________________________ + + 7.35 Why does Netscape say that there's a problem with the IMAP server + and that I should "Contact your mail server administrator."? 
+ + Certain versions of Netscape do this when you click the Manage + Mail button, which uses an undocumented feature of Netscape's + proprietary IMAP server. + + You can work around this by rebuilding imapd with the + NETSCAPE_BRAIN_DAMAGE option set (see src/imapd/Makefile) to a + URL that points either to an alternative IMAP client (e.g. + Pine) or perhaps to a homebrew mail account management page. + _________________________________________________________________ + + 7.36 Why is one user creating huge numbers of IMAP or POP server + sessions? + + The user is probably using Outlook Express, Eudora, or a + similar program. See the answer to the Help! My load average is + soaring and I see hundreds of POP and IMAP servers, many logged + in as the same user! question. + _________________________________________________________________ + + 7.37 Why don't I get any new mail notifications from Outlook Express + or Outlook after a while? + + This is a known bug in Outlook Express. Microsoft is aware of + the problem and its cause. They have informed us that they do + not have any plans to fix it at the present time. + + The problem is also reported in Outlook 2000, but not verified. + + Outlook Express uses the IMAP IDLE command to avoid having to + "ping" the server every few minutes for new mail. + Unfortunately, Outlook Express overlooks the part in the IDLE + specification which requires that a client terminate and + restart the IDLE before the IMAP 30 minute inactivity + autologout timer triggers. + + When this happens, Outlook Express displays "Not connected" at + the bottom of the window. Since it's no longer connected to the + IMAP server, it isn't going to notice any new mail. + + As soon as the user does anything that would cause an IMAP + operation, Outlook Express will reconnect and new mail will + flow again. If the user does something that causes an IMAP + operation at least every 29 minutes, the problem won't happen. 
+ + Modern versions of imapd attempt to work around the problem by + automatically reporting fake new mail after 29 minutes. This + causes Outlook Express to exit the IDLE state; as soon as this + happens imapd revokes the fake new mail. As long as this + behavior isn't known to cause problems with other clients, this + workaround will remain in imapd. + _________________________________________________________________ + + 7.38 Why don't I get any new mail notifications from Entourage? + + This is a known bug in Entourage. + + You built an older version of imapd with the + MICROSOFT_BRAIN_DAMAGE option set, in order to disable support + for the IDLE command. However, Entourage won't get new mail + unless IDLE command support exists. + + Note: the MICROSOFT_BRAIN_DAMAGE option no longer exists in + modern versions, as the Outlook Express problem which it + attempted to solve has been worked around in another way. + _________________________________________________________________ + + 7.39 Why doesn't Entourage work at all? + + It's hard to know. Entourage breaks almost every rule in the + book for IMAP. It is highly instructive to do a packet trace on + Entourage, as an example of how not to use IMAP. It does things + like STATUS (MESSAGES) on the currently selected mailbox and + re-fetching the same static data over and over again. + + It seems that every time we understand what it is doing wrong + in Entourage and come up with a workaround, we learn about + something else that's broken. + + Try building imapd with the ENTOURAGE_BRAIN_DAMAGE option set, + in order to disable the diagnostic that occurs when doing + STATUS on the currently selected mailbox. + _________________________________________________________________ + + 7.40 Why doesn't Netscape Notify (NSNOTIFY.EXE) work at all? + + This is a bug in NSNOTIFY; it doesn't handle unsolicited data + from the server correctly. 
+ + Fortunately, there is no reason to use this program with IMAP; + NSNOTIFY is a polling program to let you know when new mail has + appeared in your maildrop. This is necessary with POP; but + since IMAP dynamically announces new mail in the session you're + better off (and will actually cause less load on the server!) + keeping your mail reading program's IMAP session open and let + IMAP do the notifying for you. + + Consequently, the recommended fix for the NSNOTIFY problem is + to delete the NSNOTIFY binary. + _________________________________________________________________ + + 7.41 Why can't I connect via SSL to Eudora? It says the connection has + been broken, and in the server syslogs I see "Command stream end of + file". + + There is a report that you can fix the problem by going into + Eudora's advanced network configuration menu and increasing the + network buffer size to 8192. + _________________________________________________________________ + + 7.42 Sheesh. Aren't there any good IMAP clients out there? + + Yes! + + Pine is a wonderful client. It's fast, it uses IMAP well, and + it generates text mail (life is too short to waste on HTML + mail). Also, there are some really wonderful things in progress + in the Pine world. + + There are some good GUI clients out there, mostly from smaller + vendors. Without naming names, look for the vendors who are + active in the IMAP protocol development community, and their + products. + + Netscape, Eudora, and Outlook can be configured with enough + effort to be good citizens and work well for users, but they + can also be badly misconfigured, and often the misconfiguration + is the default. + _________________________________________________________________ + + 7.43 But wait! PC Pine (or other PC program build with c-client) + crashes with the message incomplete SecBuffer exceeds maximum buffer + size when I use SSL connections. This is a bug in c-client, right? 
+ + It's a bug in the Microsoft SChannel.DLL, which implements SSL. + Microsoft admits it (albeit with an unstatement: "it's not + fully RFC compliant"). The problem is that SChannel indicates + that the maximum SSL packet data size is 5 bytes smaller than + the actual maximum. Thus, any IMAP server which transmits a + maximum sized SSL packet will not work with PC Pine or any + other program which uses SChannel. + + It can take a while for the problem to show up. The client has + to do something that causes at least 16K of contiguous data. + Many clients do partial fetching, which tends to reduce the + number of cases where this can happen. However, all software + which uses SChannel to support SSL is affected by this bug. + + This problem does not affect UNIX code, since OpenSSL is used + on UNIX. + + This problem most recently showed up with the CommunigatePro + IMAP server. They have an update which trims down their maximum + contiguous data to less than 16K, in order to work around the + problem. + + This problem has also shown up with the Exchange IMAP server + with UNIX clients (including Pine built with an older version + of c-client) which sends full-sized 16K SSL packets. Modern + c-client works around the problem by trimming down its maximum + outgoing SSL packet size to 8K. + + Microsoft has developed a hotfix for this bug. Look up MSKB + article number 300562. Contrary to the article text which + implies that this is a Pine issue, this bug also affect + Microsoft Exchange server with *any* UNIX based client that + transmits full-sized SSL payloads. + _________________________________________________________________ + + 7.44 My qpopper users keep on getting the DON'T DELETE THIS MESSAGE -- + FOLDER INTERNAL DATA if they also use Pine or IMAP. How can I fix + this? + + This is an incompatibility between qpopper and the c-client + library used by Pine, imapd, and ipop[23]d. 
+ + Assuming that you want to continue using qpopper, look into + qpopper's --enable-uw-kludge-flag configuration flag, which is + documented as "check for and hide UW 'Folder Internal Data' + messages". + + The other alternative is to switch from qpopper to ipop3d. + _________________________________________________________________ + + 7.45 Help! I installed the servers but I can't connect to them from my + client! + + Review the installation instructions carefully. Make sure that + you have not skipped any of the steps. Make sure that you have + made the correct entries in the configuration files; pay + careful attention to the exact spelling of the service names + and the path names. Make sure as well that you have properly + restarted inetd. + + If you have a system with Yellow Pages/NIS such as Solaris, + have you updated the service names there as well as in + /etc/services? + + If you have a system with TCP wrappers, have you properly + updated the TCP wrapper files (e.g. /etc/hosts.allow and + /etc/hosts.deny) for the servers? + + If you have a system which uses xinetd instead of inetd, have + you made sure that you have made the correct corresponding + xinetd changes for those services? + + Try telneting to the server port (143 for IMAP, 110 for POP3). + If you get a "refused" error, that probably means that you + don't have the service set up in inetd.conf. If the connection + opens and then closes with no message, the service is set up, + but either the path name of the server binary in inetd.conf is + wrong or your TCP wrappers are configured to deny access. + + If you don't know how to make the corresponding changes to + these files, seek the help of a local expert for your system. + _________________________________________________________________ + + 7.46 Why do I get the message Can not authenticate to SMTP server: 421 + SMTP connection went away! and why did this happen? 
There was also + something about SECURITY PROBLEM: insecure server advertised + AUTH=PLAIN + + Some versions of qmail, including that running on + mail.smtp.yahoo.com, disconnect the SMTP session if you fail to + authenticate prior to attempting to transmit mail. An attempt + to authenticate was made, but it failed because the server had + already disconnected. + + To work around this, you need to specify /user=... in the host + name specification. + + The SECURITY PROBLEM came about because the server advertised + the AUTH=PLAIN SASL authentication mechanism outside of a + TLS-encrypted session, in violation of RFC 4616. This message + is just a warning, and in fact occurred after the server had + disconnected. + _________________________________________________________________ + + 7.47 Why do I get the message SMTP Authentication cancelled and why + did this happen? There was also something about SECURITY PROBLEM: + insecure server advertised AUTH=PLAIN + + This is a bug in the SMTP server. + + Some versions of qmail, including that running on + mail.smtp.yahoo.com, have a bug in their implementation of SASL + in their SMTP server, which renders it non-compliant with the + standard. + + If the client does not provide an initial response in the + command line for an authentication mechanism whose profile does + not have an initial challenge, qmail issues a bogus response: + + 334 ok, go on + + The problem is the "ok, go on". This violates RFC 4954's + requirement that the text part in a 334 response be a BASE64 + encoded string; in other words, it is a protocol syntax error. + + In the case of AUTH=PLAIN, RFC 4422 (page 7) requires that the + encoded string have no data. In other words, the appropropiate + standards-compliant server response is "334" followed by a + SPACE and a CRLF. + + The SECURITY PROBLEM came about because the server advertised + the AUTH=PLAIN SASL authentication mechanism outside of a + TLS-encrypted session, in violation of RFC 4616. 
This message + is just a warning, and is not related the "Authentication + cancelled" problem. + _________________________________________________________________ + + 7.48 Why do I get the message Invalid base64 string when I try to + authenticate to a Cyrus server? + + This slightly misleading message is the way that a Cyrus server + indicates that an authentication exchange was cancelled. It is + not indicative of a bug or protocol violation. + + The most common reason that this happens is if the Cyrus server + offers Kerberos authentication, c-client is built with Kerberos + support, but your client system is not within the Kerberos + realm. In this case, the client code will try to authenticate + via Kerberos, fail to get the Kerberos credentials, cancel the + authentication attempt, and try the next available + authentication technology. + _________________________________________________________________ + +8. Where to Go For Additional Information + _________________________________________________________________ + + 8.1 Where can I go to ask questions? + 8.2 I have some ideas for enhancements to IMAP. Where should I go? + + If you have questions about the IMAP protocol, or want to + participate in discussions of future directions of the IMAP + protocol, the appropriate mailing list is + imap-protocol@u.washington.edu. You can subscribe to this + list via imap-protocol-request@u.washington.edu + + If you have questions about this software, you can send me + email directly or use the imap-uw@u.washington.edu mailing + list. You can subscribe to this list via + imap-uw-request@u.washington.edu + + If you have general questions about the use of IMAP software + (not specific to the UW IMAP toolkit) use the + imap-use@u.washington.edu mailing list. You can subscribe to + this list via imap-use-request@u.washington.edu + + You must be a subscriber to post to these lists. As an + alternative, you can use the comp.mail.imap newsgroup. 
+ + _________________________________________________________________ + + 8.3 Where can I read more about IMAP and other email protocols? + + We recommend Internet Email Protocols: A Developer's Guide, by + Kevin Johnson, published by Addison Wesley, ISBN 0-201-43288-9. + _________________________________________________________________ + + 8.4 Where can I find out more about setting up and administering an + IMAP server? + + We recommend Managing IMAP, by Dianna Mullet & Kevin Mullet, + published by O'Reilly, ISBN 0-596-00012-X. + + This book also has an excellent comparison of the UW and Cyrus + IMAP servers. + + Last Updated: 15 November 2007
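Review bot: the TLS troubleshooting entries 7.28 through 7.33 all hand the reader `/notls` or `/novalidate-cert` as the workaround, but only 7.33 says what that costs ("you are then vulnerable to various security attacks"); 7.28/7.29 and 7.30 through 7.32 should carry the same caveat, because `/notls` drops the session back to plaintext (password included) and `/novalidate-cert` removes the only check that the peer is the host named in the mailbox spec, which is exactly the condition 7.30 itself warns about ("the server is not really the system you think that it is"). Suggest adding one sentence to each, e.g. "Note that this disables protection against a server impersonating the one you intended to reach; prefer fixing the server name or certificate." Also in this hunk: 7.24 lists `/etc/inetd.d/ipop2d` among the xinetd files, which looks like a typo for `/etc/xinetd.d/ipop2d`; 7.17 tells the reader to run `chmod 1777 /tmp` but not how to confirm it worked (`ls -ld /tmp` should show `drwxrwxrwt`), and its "something other than 666" remark should say explicitly that it refers to the lock file's mode; 7.25 says rsh is tried by default, so the text should state plainly that `SET_RSHTIMEOUT` 0 is the recommended global setting rather than one option among several. Typos to fix in the same pass: "occurances" (7.24), "lool like" (7.26), "in any the following ways" (7.25), "unstatement" (7.43, should be "understatement"), "this bug also affect" (7.43), "appropropiate" (7.47).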