1
1
This is mpop.info, produced by makeinfo version 4.8 from mpop.texi.
3
This manual was last updated April 7, 2007 for version 1.0.9 of mpop.
3
This manual was last updated June 6, 2007 for version 1.0.10 of mpop.
5
5
Copyright (C) 2005, 2006, 2007 Martin Lambers
34
This manual was last updated April 7, 2007 for version 1.0.9 of mpop.
34
This manual was last updated June 6, 2007 for version 1.0.10 of mpop.
36
36
Copyright (C) 2005, 2006, 2007 Martin Lambers
218
218
Transport Layer Security::.
220
220
`tls_starttls [(on|off)]'
221
This command enables or disables the use of the STARTTLS POP3
222
command to start TLS encryption. It is enabled by default. *Note
223
Transport Layer Security::.
221
This command chooses the TLS/SSL variant: with STARTTLS (`on',
222
default) or POP3-over-TLS (`off'). Most servers support the latter
223
variant, which is also commonly referred to as "POP3 with SSL".
224
*Note Transport Layer Security::.
225
226
`tls_trust_file [FILE]'
226
227
This command activates strict server certificate verification.
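Review bot: the reworded `tls_starttls' entry keeps STARTTLS (`on') as the default while stating that most servers support the other variant, and it does not say what happens when TLS is enabled, `tls_starttls' is left at its default, and the server does not offer STARTTLS. Please add one sentence stating whether mpop aborts the session in that case or continues without encryption, since a reader needs that to judge the default.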
486
487
Set or unset the user name for authentication. *Note user::.
488
489
`--tls[=(on|off)]'
489
Enable or disable TLS. *Note tls::.
490
Enable or disable TLS/SSL. *Note tls::.
491
492
`--tls-starttls[=(on|off)]'
492
493
Enable or disable STARTTLS for TLS encryption. *Note
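Review bot: the `--tls-starttls' entry below the changed `--tls' line still reads "Enable or disable STARTTLS for TLS encryption", which no longer matches the reworded `tls_starttls' command (a choice between the STARTTLS variant and POP3-over-TLS). Suggest updating the option text in the same change so the command and its option describe the same behaviour.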
576
577
4.1 Transport Layer Security
577
578
============================
579
Quoting from RFC2246 - the TLS 1.0 protocol specification:
580
Transport Layer Security (TLS) is a new name for Secure Socket Layer
581
(SSL). The TLS 1.0 protocol is an updated version of the SSL 3.0
582
protocol. TLS and SSL mean the same thing.
584
Quoting from RFC2246 - the TLS 1.0 protocol specification:
580
585
"The TLS protocol provides communications privacy over the Internet.
581
586
The protocol allows client/server applications to communicate in a way
582
587
that is designed to prevent eavesdropping, tampering, or message
585
590
POP3 servers can use TLS in one of two modes:
587
592
This is known as POP3 tunneled through TLS. The default port for
588
this mode is 995 (pop3s).
593
this mode is 995 (pop3s). This is what most servers support, and
594
is often simply called "POP3 with SSL".
590
596
* Via the STARTTLS POP3 command
591
597
The POP3 session begins normally. The client sends the STLS
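Review bot: the added sentence "TLS and SSL mean the same thing" follows a sentence that describes TLS 1.0 as an updated version of SSL 3.0, and the manual documents a separate `tls_force_sslv3' command, so the two are distinct protocol versions. Suggest wording such as "the names TLS and SSL are often used interchangeably" so that the paragraph does not contradict itself or the `tls_force_sslv3' entry.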
609
615
*Note tls_trust_file::, *Note --tls-trust-file::, *Note tls_certcheck::,
610
616
*Note --tls-certcheck::.
618
If your system has a file that collects all system-wide trusted CA
619
certificates, it is easiest to just use this in the `defaults' section
620
of your configuration file. On Debian-based systems, for example, the
621
adequate command would be `tls_trust_file
622
/etc/ssl/certs/ca-certificates.crt'.
624
But you can also find out manually which CA certificate you need to
625
trust. The following example works as of 2007-04-18.
627
For the Gmail POP server, you first issue the following command:
628
$ mpop --serverinfo --host=pop.gmail.com --tls=on --tls-starttls=off \
630
The option `--tls-starttls=off' is needed for Gmail, but may not be
631
necessary for other servers. The option `--tls-certcheck=off' allows
632
mpop to accept any certificate, so that it can print some information
635
According to the output of this command, the issuer of the server
636
certificate is "Equifax Secure Certificate Authority". This means that
637
you have to trust the Equifax CA to use full TLS security. You can
638
download the appropriate certificate from
639
`http://www.geotrust.com/resources/root_certificates/index.asp'
640
(Equifax was bought by GeoTrust). The file you need for the
641
`tls_trust_file' command is `Equifax_Secure_Certificate_Authority.cer'.
643
The following command should now succeed:
644
$ mpop --serverinfo --host=pop.gmail.com --tls=on --tls-starttls=off \
645
--tls-trust-file=Equifax_Secure_Certificate_Authority.cer
612
647
If the server requests it, the client can send a certificate, too.
613
648
This allows the server to verify the identity of the client. See the
614
649
EXTERNAL mechanism in *Note Authentication::. The
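Review bot: the manual procedure bootstraps trust over unauthenticated channels: the issuer name is read from a session run with `--tls-certcheck=off', and the CA certificate is then downloaded from an `http://' URL, so anyone able to alter traffic on the path can influence both steps. Suggest adding a sentence telling the reader to compare the downloaded certificate's fingerprint with a value obtained from an independent source before putting the file in `tls_trust_file', and stating that `--tls-certcheck=off' is for this one inspection only. Minor wording: "the adequate command" reads better as "the appropriate command".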
1007
1042
# Enable full TLS certificate checks.
1008
1043
tls_trust_file /etc/ssl/certs/ca-certificates.crt
1009
1044
# Use the POP3-over-TLS variant instead of the STARTTLS variant.
1045
# This is also known as "POP3 with SSL". Most servers support this.
1010
1046
tls_starttls off
1011
1047
# Use the procmail mail delivery agent.
1012
1048
delivery mda "/usr/bin/procmail -f '%F' -d $USER"
1117
1153
Ref: ntlmdomain7560
1119
1155
Ref: tls_starttls8251
1120
Ref: tls_trust_file8449
1121
Ref: tls_key_file8885
1122
Ref: tls_cert_file9212
1123
Ref: tls_certcheck9515
1124
Ref: tls_force_sslv39771
1126
Ref: uidls_file12093
1132
Node: Invocation15478
1133
Ref: Environment / Files15870
1134
Ref: --serverinfo17704
1135
Ref: --pipelining18832
1138
Ref: --tls-starttls19218
1139
Ref: --tls-trust-file19326
1140
Ref: --tls-key-file19433
1141
Ref: --tls-cert-file19529
1142
Ref: --tls-certcheck19628
1143
Ref: --tls-force-sslv319755
1145
Ref: --all-accounts19994
1146
Ref: --auth-only20068
1147
Ref: --status-only20161
1148
Ref: --only-new20268
1150
Ref: --killsize20479
1151
Ref: --skipsize20551
1153
Ref: --delivery20791
1154
Ref: --uidls-file21005
1155
Node: POP3 features21079
1156
Node: Transport Layer Security21423
1157
Node: Authentication23837
1158
Node: Pipelining28608
1159
Node: Defective POP3 servers29872
1160
Node: Mail retrieval mode30821
1161
Node: Server information mode32448
1162
Node: Filtering35721
1163
Node: Examples37638
1164
Node: A configuration file37826
1165
Node: Filtering with SpamAssassin39517
1166
Node: Development40473
1156
Ref: tls_trust_file8526
1157
Ref: tls_key_file8962
1158
Ref: tls_cert_file9289
1159
Ref: tls_certcheck9592
1160
Ref: tls_force_sslv39848
1162
Ref: uidls_file12170
1168
Node: Invocation15555
1169
Ref: Environment / Files15947
1170
Ref: --serverinfo17781
1171
Ref: --pipelining18909
1174
Ref: --tls-starttls19299
1175
Ref: --tls-trust-file19407
1176
Ref: --tls-key-file19514
1177
Ref: --tls-cert-file19610
1178
Ref: --tls-certcheck19709
1179
Ref: --tls-force-sslv319836
1181
Ref: --all-accounts20075
1182
Ref: --auth-only20149
1183
Ref: --status-only20242
1184
Ref: --only-new20349
1186
Ref: --killsize20560
1187
Ref: --skipsize20632
1189
Ref: --delivery20872
1190
Ref: --uidls-file21086
1191
Node: POP3 features21160
1192
Node: Transport Layer Security21504
1193
Node: Authentication25625
1194
Node: Pipelining30396
1195
Node: Defective POP3 servers31660
1196
Node: Mail retrieval mode32609
1197
Node: Server information mode34236
1198
Node: Filtering37509
1199
Node: Examples39426
1200
Node: A configuration file39614
1201
Node: Filtering with SpamAssassin41378
1202
Node: Development42334
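Review bot: every offset in the tag table shifts because mpop.info is makeinfo output (the header says it is produced from mpop.texi), so this part of the diff carries no reviewable content of its own. Please confirm the same text changes are present in mpop.texi, otherwise the next regeneration will drop them.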