 old  new   line (-: only in 1.0.9, +: only in 1.0.10)
   3      - <title>mpop 1.0.9</title>
        3 + <title>mpop 1.0.10</title>
   4    4   <meta http-equiv="Content-Type" content="text/html">
   5      - <meta name="description" content="mpop 1.0.9">
        5 + <meta name="description" content="mpop 1.0.10">
   6    6   <meta name="generator" content="makeinfo 4.8">
   7    7   <link title="Top" rel="top" href="#Top">
   8    8   <link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage">
  10      - This manual was last updated April 7, 2007 for version
       10 + This manual was last updated June 6, 2007 for version
  13   13   Copyright (C) 2005, 2006, 2007 Martin Lambers
 100  100   <h2 class="unnumbered">mpop</h2>
 102      - <p>This manual was last updated April 7, 2007 for version
      102 + <p>This manual was last updated June 6, 2007 for version
 105  105   <p>Copyright (C) 2005, 2006, 2007 Martin Lambers
 284  284   (highly recommended) or to disable `<samp><span class="samp">tls_certcheck</span></samp>'.
 285  285   See <a href="#Transport-Layer-Security">Transport Layer Security</a>.
 286  286   <a name="tls_005fstarttls"></a>
 287      - <br><dt>`<samp><span class="samp">tls_starttls [(on|off)]</span></samp>'<dd><a name="index-tls_005fstarttls-12"></a>This command enables or disables the use of the STARTTLS POP3 command to start
 288      - TLS encryption. It is enabled by default.
      287 + <br><dt>`<samp><span class="samp">tls_starttls [(on|off)]</span></samp>'<dd><a name="index-tls_005fstarttls-12"></a>This command chooses the TLS/SSL variant: with STARTTLS (`<samp><span class="samp">on</span></samp>', default) or
      288 + POP3-over-TLS (`<samp><span class="samp">off</span></samp>'). Most servers support the latter variant, which is
      289 + also commonly referred to as "POP3 with SSL".
 289  290   See <a href="#Transport-Layer-Security">Transport Layer Security</a>.
 290  291   <a name="tls_005ftrust_005ffile"></a>
 291  292   <br><dt>`<samp><span class="samp">tls_trust_file [</span><var>file</var><span class="samp">]</span></samp>'<dd><a name="index-tls_005ftrust_005ffile-13"></a>This command activates strict server certificate verification.
 506  507   authentication method. See <a href="#auth">auth</a>.
 507  508   <a name="g_t_002d_002duser"></a>
 508  509   <dt>`<samp><span class="samp">--user=[</span><var>username</var><span class="samp">]</span></samp>'<dd><a name="index-g_t_002d_002duser-40"></a>Set or unset the user name for authentication. See <a href="#user">user</a>.
 509      - <dt>`<samp><span class="samp">--tls[=(on|off)]</span></samp>'<dd><a name="index-g_t_002d_002dtls-41"></a>Enable or disable TLS. See <a href="#tls">tls</a>.
      510 + <dt>`<samp><span class="samp">--tls[=(on|off)]</span></samp>'<dd><a name="index-g_t_002d_002dtls-41"></a>Enable or disable TLS/SSL. See <a href="#tls">tls</a>.
 510  511   <a name="g_t_002d_002dtls_002dstarttls"></a>
 511  512   <dt>`<samp><span class="samp">--tls-starttls[=(on|off)]</span></samp>'<dd><a name="index-g_t_002d_002dtls_002dstarttls-42"></a>Enable or disable STARTTLS for TLS encryption. See <a href="#tls_005fstarttls">tls_starttls</a>.
 512  513   <a name="g_t_002d_002dtls_002dtrust_002dfile"></a>
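Review bot: the help text for `--tls-starttls` (unchanged context, new line 512) still reads "Enable or disable STARTTLS for TLS encryption", while the `tls_starttls` configuration command it points to (new line 287 in this same change) now explains that the option selects between STARTTLS and POP3-over-TLS ("POP3 with SSL"). The `--tls` entry in this hunk was already reworded to "TLS/SSL", so `--tls-starttls` is the one description left with the old meaning; suggest "Choose the TLS/SSL variant: STARTTLS (on, default) or POP3-over-TLS (off). See tls_starttls." so that the option and the command say the same thing.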
 581  582   <h3 class="section">4.1 Transport Layer Security</h3>
 583      - <p>Quoting from RFC2246 - the TLS 1.0 protocol specification:<br>
      584 + <p>Transport Layer Security (TLS) is a new name for Secure Socket Layer (SSL).
      585 + The TLS 1.0 protocol is an updated version of the SSL 3.0 protocol. TLS and
      586 + SSL mean the same thing.
      588 + <p>Quoting from RFC2246 - the TLS 1.0 protocol specification:<br>
 584  589   "The TLS protocol provides communications privacy over the Internet.
 585  590   The protocol allows client/server applications to communicate in a way that
 586  591   is designed to prevent eavesdropping, tampering, or message forgery."
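Review bot: the new introduction at lines 584-586 contradicts itself and overstates the point. Line 584 calls TLS "a new name for" SSL and line 586 says "TLS and SSL mean the same thing", but line 585 correctly describes TLS 1.0 as an updated version of SSL 3.0, and the RFC 2246 quote that follows is a specification of TLS, not of SSL; TLS 1.0 and SSL 3.0 are different protocol versions, not two names for one protocol. What the manual actually wants to convey is that the `tls_*` settings also cover what servers and providers advertise as "SSL"; suggest replacing the three lines with "TLS is the successor of SSL; this manual uses the two names interchangeably, and the tls_* commands apply to both."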
 590  595   <li>Immediately<br>
 591  596   This is known as POP3 tunneled through TLS. The default port for this mode is
      597 + 995 (pop3s). This is what most servers support, and is often simply called
 593  599   <li>Via the STARTTLS POP3 command<br>
 594  600   The POP3 session begins normally. The client sends the STLS command when it
 595  601   wishes to begin TLS encryption. The default port for this mode is the default
 613  619   See <a href="#tls_005ftrust_005ffile">tls_trust_file</a>, <a href="#g_t_002d_002dtls_002dtrust_002dfile">–tls-trust-file</a>, <a href="#tls_005fcertcheck">tls_certcheck</a>,
 614  620   <a href="#g_t_002d_002dtls_002dcertcheck">–tls-certcheck</a>.
      622 + <p>If your system has a file that collects all system-wide trusted CA
      623 + certificates, it is easiest to just use this in the `<samp><span class="samp">defaults</span></samp>' section of
      624 + your configuration file. On Debian-based systems, for example, the adequate
      625 + command would be `<samp><span class="samp">tls_trust_file /etc/ssl/certs/ca-certificates.crt</span></samp>'.
      627 + <p>But you can also find out manually which CA certificate you need to
      628 + trust. The following example works as of 2007-04-18.
      630 + <p>For the Gmail POP server, you first issue the following command:
      631 + <pre class="example"> $ mpop --serverinfo --host=pop.gmail.com --tls=on --tls-starttls=off \
      634 + <p>The option `<samp><span class="samp">--tls-starttls=off</span></samp>' is needed for Gmail, but may not be
      635 + necessary for other servers. The option `<samp><span class="samp">--tls-certcheck=off</span></samp>' allows
      636 + mpop to accept any certificate, so that it can print some information about it.
      638 + <p>According to the output of this command, the issuer of the server certificate
      639 + is "Equifax Secure Certificate Authority". This means that you have to trust the
      640 + Equifax CA to use full TLS security. You can download the appropriate
      642 + <a href="http://www.geotrust.com/resources/root_certificates/index.asp">http://www.geotrust.com/resources/root_certificates/index.asp</a> (Equifax was
      643 + bought by GeoTrust). The file you need for the `<samp><span class="samp">tls_trust_file</span></samp>' command is
      644 + <samp><span class="file">Equifax_Secure_Certificate_Authority.cer</span></samp>.
      646 + <p>The following command should now succeed:
      647 + <pre class="example"> $ mpop --serverinfo --host=pop.gmail.com --tls=on --tls-starttls=off \
      648 + --tls-trust-file=Equifax_Secure_Certificate_Authority.cer
 616  650   <p>If the server requests it, the client can send a certificate, too. This allows
 617  651   the server to verify the identity of the client. See the EXTERNAL mechanism in
 618  652   <a href="#Authentication">Authentication</a>. The `<samp><span class="samp">tls_key_file</span></samp>'/`<samp><span class="samp">tls_cert_file</span></samp>' commands or
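Review bot: the manual procedure at lines 627-648 relies on two unauthenticated steps that the text should call out. The first `mpop --serverinfo` run uses `--tls-certcheck=off` (line 635), so the certificate it prints, and therefore the issuer name "Equifax Secure Certificate Authority" taken from it at line 639, has not been verified against anything; the text should tell the reader to confirm that issuer independently (for example by running the same command with the system bundle from line 625 as `tls_trust_file`) before deciding which root to trust. The root certificate is then downloaded from a plain `http://` URL (line 642), so the file named at line 644 is equally unverified at that point; suggest adding that `Equifax_Secure_Certificate_Authority.cer` should be compared, by fingerprint, with the copy in a trusted CA bundle before it is used. Finally, "works as of 2007-04-18" at line 628 should say explicitly that the server's issuer can change and that the procedure then has to be repeated, which is the reason the system-wide bundle at lines 622-625 is the recommended option.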
1003 1037   # Enable full TLS certificate checks.
1004 1038   tls_trust_file /etc/ssl/certs/ca-certificates.crt
1005 1039   # Use the POP3-over-TLS variant instead of the STARTTLS variant.
     1040 + # This is also known as "POP3 with SSL". Most servers support this.
1006 1041   tls_starttls off
1007 1042   # Use the procmail mail delivery agent.
1008 1043   delivery mda "/usr/bin/procmail -f '%F' -d $USER"