MPOP(1)MPOP(1)NAMEmpop - A POP3 client
SYNOPSIS
Mail retrieval mode (default):
mpop [option...] [--] [account...]
mpop --host=host [option...]
Server information mode:
mpop [option...] --serverinfo [account...]
mpop --host=host [option...] --serverinfo
DESCRIPTION
In mail retrieval mode of operation, mpop retrieves mails from one or
more POP3 mailboxes, optionally does some filtering, and delivers them
through a mail delivery agent (MDA), to a maildir folder, or to an mbox
file. Mails that were successfully delivered before will not be
retrieved a second time, even if errors occur or mpop is terminated in
the middle of a session.
In server information mode, mpop prints information about one or more
POP3 servers.
If no account names are given on the command line, one named default
will be used.
The best way to start is probably to have a look at the EXAMPLES sec‐
tion.
EXIT STATUS
The standard sendmail exit codes are used, as defined in sysexits.h.
OPTIONS
Options override configuration file settings, for every used account.
General Options
--version
Print version information, including information about
the libraries used.
--help Print help.
-P, --pretend
Print the configuration settings that would be used, but
do not take further action. An asterisk (`*') will be
printed instead of your password.
-d, --debug
Print lots of debugging information, including the whole
conversation with the server. Be careful with this
option: the (potentially dangerous) output will not be
sanitized, and your password may get printed in an easily
decodable format!
This option implies --half-quiet, because the progress
output would interfere with the debugging output.
Changing the mode of operation
-S, --serverinfo
Print information about the POP3 server(s) and exit. This
includes information about supported features (pipelin‐
ing, authentication methods, TOP command, ...), about
parameters (time for which mails will not be deleted,
minimum time between logins, ...), and about the TLS cer‐
tificate (if TLS is active).
Configuration options
-C, --file=conffile
Use the given file instead of ~/.mpoprc as configuration
file.
--host=hostname
Use this server with settings from the command line; do
not use any configuration file data. This option disables
loading of the configuration file. You cannot use both
this option and account names on the command line.
--port=number
Set the port number to connect to. See the port command.
--timeout=(off|seconds)
Set a network timeout. See the timeout command.
--pipelining=(auto|on|off)
Enable or disable POP3 pipelining. See the pipelining
command.
--proxy-host=[IP|hostname]
Set or unset a SOCKS proxy to use. See the proxy_host
command.
--proxy-port=[number]
Set or unset a port number for the proxy host. See the
proxy_port command.
--received-header[=(on|off)]
Enable or disable the Received header. See the
received_header command.
--auth[=(on|method)]
Set the authentication method to automatic (with "on") or
manually choose an authentication method. See the auth
command.
--user=[username]
Set or unset the user name for authentication. See the
user command.
--passwordeval=[eval]
Evaluate password for authentication. See the passworde‐
val command.
--tls[=(on|off)]
Enable or disable TLS/SSL. See the tls command.
--tls-starttls[=(on|off)]
Enable or disable STARTTLS for TLS. See the tls_starttls
command.
--tls-trust-file=[file]
Set or unset a trust file for TLS. See the tls_trust_file
command.
--tls-crl-file=[file]
Set or unset a certificate revocation list (CRL) file for
TLS. See the tls_crl_file command.
--tls-fingerprint=[fingerprint]
Set ot unset the fingerprint of a trusted TLS certifi‐
cate. See the tls_fingerprint command.
--tls-key-file=[file]
Set or unset a key file for TLS. See the tls_key_file
command.
--tls-cert-file=[file]
Set or unset a cert file for TLS. See the tls_cert_file
command.
--tls-certcheck[=(on|off)]
Enable or disable server certificate checks for TLS. See
the tls_certcheck command.
--tls-min-dh-prime-bits=[bits]
Set or unset minimum bit size of the Diffie-Hellmann (DH)
prime. See the tls_min_dh_prime_bits command.
--tls-priorities=[priorities]
Set or unset TLS priorities. See the tls_priorities com‐
mand.
Options specific to mail retrieval mode
-q, --quiet
Do not print status or progress information.
-Q, --half-quiet
Print status but not progress information.
-a, --all-accounts
Query all accounts in the configuration file.
-A, --auth-only
Authenticate only; do not retrieve mail. Useful for SMTP-
after-POP.
-s, --status-only
Print number and size of mails in each account only; do
not retrieve mail.
-n, --only-new[=(on|off)]
Process only new messages. See the only_new command.
-k, --keep[=(on|off)]
Do not delete mails from POP3 servers, regardless of
other options or settings. See the keep command.
--killsize=(off|size)
Set or unset kill size. See the killsize command.
--skipsize=(off|size)
Set or unset skip size. See the skipsize command.
--filter=[program]
Set a filter which will decide whether to retrieve, skip,
or delete each mail by investigating the mail's headers.
See the filter command.
--delivery=method,method_arguments...
How to deliver messages received from this account. See
the delivery command. Note that a comma is used instead
of a blank to separate the method from its arguments.
--uidls-file=filename
File to store UIDLs in. See the uidls_file command.
USAGE
The default configuration file is ~/.mpoprc. Settings in this file can
be changed by command line options.
A configuration file is a simple text file. Empty lines and comment
lines (first non-blank character is '#') are ignored. Every other line
must contain a command and may contain an argument to that command.
The argument may be enclosed in double quotes (").
If a file name starts with the tilde (~), this tilde will be replaced
by $HOME.
If a command accepts the argument on, it also accepts an empty argument
and treats that as if it was on.
Commands are organized in accounts. Each account starts with the
account command and defines the settings for one POP3 account.
Commands are as follows:
defaults
Set defaults. The following configuration commands will set
default values for all following account definitions.
account name [:account[,...]]
Start a new account definition with the given name. The current
default values are filled in.
If a colon and a list of previously defined accounts is given
after the account name, the new account, with the filled in
default values, will inherit all settings from the accounts in
the list.
host hostname
The POP3 server to retrieve mails from. The argument may be a
host name or a network address. Every account definition must
contain this command.
port number
The port that the POP3 server listens on. The default is 110
("pop3"), unless TLS without STARTTLS is used, in which case it
is 995 ("pop3s").
timeout (off|seconds)
Set or unset a network timeout, in seconds. The default is 180
seconds. The argument off means that no timeout will be set,
which means that the operating system default will be used.
pipelining (auto|on|off)
Enable or disable POP3 pipelining. You should never need to
change the default setting, which is auto: mpop enables pipelin‐
ing for POP3 servers that advertise this capability, and dis‐
ables it for all other servers. Pipelining can speed up a POP3
session substantially.
proxy_host [IP|hostname]
Use a SOCKS proxy. All network traffic will go through this
proxy host, including DNS queries, except for a DNS query that
might be necessary to resolve the proxy host name itself (this
can be avoided by using an IP address as proxy host name). An
empty hostname argument disables proxy usage. The supported
SOCKS protocol version is 5. If you want to use this with Tor,
see also "Using mpop with Tor" below.
proxy_port [number]
Set the port number for the proxy host. An empty number argument
resets this to the default port, which is 1080 ("socks").
auth [(on|method)]
Choose an authentication method. The default argument on chooses
a method automatically.
Usually a user name and a password are used for authentication.
The user name is specified in the configuration file with the
user command. There are five different methods to specify the
password:
1. Add the password to the system key ring. Currently supported
key rings are the Gnome key ring and the Mac OS X Keychain. For
the Gnome key ring, use the command secret-tool (part of Gnome's
libsecret) to store passwords: secret-tool store --label=mpop
host pop.freemail.example service pop3 user joe.smith. On Mac
OS X, use the Keychain Access GUI application. The account name
is same as the user name. The keychain item name is
pop3://<hostname> where <hostname> matches the host argument.
2. Store the password in an encrypted files, and use passworde‐
val to specify a command to decrypt that file, e.g. using GnuPG.
See EXAMPLES.
3. Store the password in the configuration file using the pass‐
word command. (Usually it is not considered a good idea to
store passwords in plain text files. If you do it anyway, you
must make sure that the file can only be read by yourself.)
4. Store the password in ~/.netrc. This method is probably obso‐
lete.
5. Type the password into the terminal when it is required.
It is recommended to use method 1 or 2.
Multiple authentication methods exist. Most servers support only
some of them. Historically, sophisticated methods were devel‐
oped to protect passwords from being sent unencrypted to the
server, but nowadays everybody needs TLS anyway, so the simple
methods suffice since the whole session is protected. A suitable
authentication method is chosen automatically, and when TLS is
disabled for some reason, only methods that avoid sending clear
text passwords are considered.
The following user / password methods are supported: user (a
simple plain text method supported by all servers), plain
(another simple plain text method, with base64 encoding, sup‐
ported by almost all servers), scram-sha-1 (a method that avoids
clear-text passwords), cram-md5 (an obsolete method that avoids
clear-text passwords), apop (an obsolete method that avoids
clear-text passwords, but is vulnerable to man-in-the-middle
attacks), digest-md5 (an overcomplicated obsolete method that
avoids clear-text passwords, but is not considered secure any‐
more), login (a non-standard clear-text method similar to but
worse than the plain method), ntlm (an obscure non-standard
method that is now considered broken; it sometimes requires a
special domain parameter passed via ntlmdomain).
There are currently two authentication methods that are not
based on user / password information and have to be chosen manu‐
ally: external (the authentication happens outside of the proto‐
col, typically by sending a TLS client certificate, and the
method merely confirms that this authentication succeeded), and
gssapi (the Kerberos framework takes care of secure authentica‐
tion, only a user name is required).
It depends on the underlying authentication library and its ver‐
sion whether a particular method is supported or not. Use --ver‐
sion to find out which methods are supported.
user login
Set the user name for authentication. An empty argument unsets
the user name.
password secret
Set the password for authentication. An empty argument unsets
the password. Consider using the passwordeval command or a key
ring instead of this command, to avoid storing plain text pass‐
words in the configuration file.
passwordeval [eval]
Set the password for authentication to the output (stdout) of
the command eval. This can be used e.g. to decrypt password
files on the fly or to query key rings, and thus to avoid stor‐
ing plain text passwords.
ntlmdomain [domain]
Set a domain for the ntlm authentication method. This is obso‐
lete.
tls [(on|off)]
Enable or disable TLS (also known as SSL) for secured connec‐
tions. You also need tls_trust_file or tls_fingerprint, and for
some servers you may need to disable tls_starttls.
Transport Layer Security (TLS) "... provides communications pri‐
vacy over the Internet. The protocol allows client/server
applications to communicate in a way that is designed to prevent
eavesdropping, tampering, or message forgery" (quote from
RFC2246).
A server can use TLS in one of two modes: via a STARTTLS command
(the session starts with the normal protocol initialization, and
TLS is then started using the protocol's STARTTLS command), or
immediately (TLS is initialized before the normal protocol ini‐
tialization; this requires a separate port). The first mode is
the default, but you can switch to the second mode by disabling
tls_starttls.
When TLS is started, the server sends a certificate to identify
itself. To verify the server identity, a client program is
expected to check that the certificate is formally correct and
that it was issued by a Certificate Authority (CA) that the user
trusts. (There can also be certificate chains with intermediate
CAs.)
The list of trusted CAs is specified using the tls_trust_file
command. Usually there is some system-wide default file avail‐
able, e.g. /usr/local/share/certs/ca-root-nss.crt on DragonFly-
based systems, but you can also choose to select the trusted CAs
yourself.
One practical problem with this approach is that the client pro‐
gram should also check if the server certificate has been
revoked for some reason, using a Certificate Revocation List
(CRL). A CRL file can be specified using the tls_crl_file com‐
mand, but getting the relevant CRL files and keeping them up to
date is not straightforward. You are basically on your own.
A much more serious and fundamental problem is is that you need
to trust CAs. Like any other organization, a CA can be incompe‐
tent, malicious, subverted by bad people, or forced by govern‐
ment agencies to compromise end users without telling them. All
of these things happened and continue to happen worldwide. The
idea to have central organizations that have to be trusted for
your communication to be secure is fundamentally broken.
Instead of putting trust in a CA, you can choose to trust only a
single certificate for the server you want to connect to. For
that purpose, specify the certificate fingerprint with tls_fin‐
gerprint. This makes sure that no man-in-the-middle can fake the
identity of the server by presenting you a fraudulent certifi‐
cate issued by some CA that happens to be in your trust list.
However, you have to update the fingerprint whenever the server
certificate changes, and you have to make sure that the change
is legitimate each time, e.g. when the old certificate expired.
This is inconvenient, but it's the price to pay.
Information about a server certificate can be obtained with
--serverinfo --tls --tls-certcheck=off. This includes the issuer
CA of the certificate (so you can trust that CA via
tls_trust_file), and the fingerprint of the certificate (so you
can trust that particular certificate via tls_fingerprint).
TLS also allows the server to verify the identity of the client.
For this purpose, the client has to present a certificate issued
by a CA that the server trusts. To present that certificate, the
client also needs the matching key file. You can set the cer‐
tificate and key files using tls_cert_file and tls_key_file.
This mechanism can also be used to authenticate users, so that
traditional user / password authentication is not necessary any‐
more. See the external mechanism in auth.
tls_starttls [(on|off)]
Choose the TLS variant: start TLS from within the session (on,
default), or tunnel the session through TLS (off).
tls_trust_file file
Activate server certificate verification using a list of truted
Certification Authorities (CAs). The file must be in PEM format.
Some systems provide a system-wide default file, e.g.
/usr/local/share/certs/ca-root-nss.crt on DragonFly-based sys‐
tems with the ca_root_nss package. An empty argument disables
this. You should also use tls_crl_file.
tls_crl_file [file]
Set a certificate revocation list (CRL) file for TLS, to check
for revoked certificates. An empty argument disables this.
tls_fingerprint [fingerprint]
Set the fingerprint of a single certificate to accept for TLS.
This certificate will be trusted regardless of its contents. The
fingerprint can be either an SHA1 (recommended) or an MD5 fin‐
gerprint in the format 01:23:45:67:.... Use --serverinfo --tls
--tls-certcheck=off to get the server certificate fingerprints.
tls_key_file file
Send a client certificate to the server (use this together with
tls_cert_file}). The file must contain the private key of a
certificate in PEM format. An empty argument disables this fea‐
ture.
tls_cert_file file
Send a client certificate to the server (use this together with
tls_key_file). The file must contain a certificate in PEM for‐
mat. An empty argument disables this feature.
tls_certcheck [(on|off)]
Enable or disable checks of the server certificate. WARNING:
When the checks are disabled, TLS sessions will be vulnerable to
man-in-the-middle attacks!
tls_min_dh_prime_bits [bits]
Set or unset the minimum number of Diffie-Hellman (DH) prime
bits that mpop will accept for TLS sessions. The default is set
by the TLS library and can be selected by using an empty argu‐
ment to this command. Only lower the default (for example to
512 bits) if there is no other way to make TLS work with the
remote server.
tls_priorities [priorities]
Set the priorities for TLS sessions. The default is set by the
TLS library and can be selected by using an empty argument to
this command. See the GnuTLS documentation of the gnutls_prior‐
ity_init function for a description of the priorities string.
delivery method method_arguments...
How to deliver messages received from this account.
delivery mda command
Deliver the mails through a mail delivery agent (MDA).
All occurences of %F in the command will be replaced with
the envelope from address of the current message (or
MAILER-DAEMON if none is found). Note that this address
is guaranteed to contain only letters a-z and A-Z, digits
0-9, and any of ".@_-+/", even though that is only a sub‐
set of what is theoretically allowed in a mail address.
Other characters, including those interpreted by the
shell, are replaced with "_". Nevertheless, you should
put %F into single quotes: '%F'.
Use "delivery mda /usr/bin/procmail -f '%F' -d $USER" for
the procmail MDA.
Use "delivery mda /usr/sbin/sendmail -oi -oem -f '%F' --
$USER" to let your MTA handle the mail.
Use "delivery mda /usr/local/bin/msmtp --host=localhost
--from='%F' -- $USER@`hostname`.`dnsdomainname`" to pass
the mail to your MTA via SMTP. (This is what fetchmail
does by default.)
delivery maildir directory
Deliver the mails to the given maildir directory. The
directory must exist and it must have the maildir subdi‐
rectories cur, new, and tmp; mpop will not create direc‐
tories. This delivery type only works on file systems
that support hard links.
delivery mbox mbox-file
Deliver the mails to the given file in mbox format. The
file will be locked with fcntl(2). mpop uses the MBOXRD
mbox format variant; see the documentation of the mbox
format.
delivery exchange directory
Deliver the mails to the given Exchange pickup directory.
The directory must exist.
If the delivery method needs to parse the mail headers for an
envelope from address (the mda method if the command contains
%F, and the mbox method), then it needs to create a temporary
file to store the mail headers (but not the body) in. See
$TMPDIR in the FILES / ENVIRONMENT section.
uidls_file filename
The file to store UIDLs in. These are needed to identify new
messages. %U in the filename will be replaced by the username
of the current account. %H in the filename will be replaced by
the hostname of the current account. If the filename contains
directories that do not exist, mpop will create them. mpop
locks this file for exclusive access when accessing the associ‐
ated POP3 account.
The default value is "~/.mpop_uidls/%U_at_%H". You can also use
a single UIDLS file for multiple accounts, but then you cannot
poll more than one of these accounts at the same time.
only_new [(on|off)]
By default, mpop processes only new messages (new messages are
those that were not already successfully retrieved in an earlier
session). If this option is turned off, mpop will process all
messages.
keep [(on|off)]
Keep all mails on the POP3 server, never delete them. The
default behaviour is to delete mails that have been successfully
retrieved or filtered by kill filters.
killsize (off|size)
Mails larger than the given size will be deleted (unless the
keep command is used, in which case they will just be skipped).
The size argument must be zero or greater. If it is followed by
a `k' or an `m', the size is measured in kibibytes/mebibytes
instead of bytes. Note that some POP3 servers report slightly
incorrect sizes for mails; see NOTES below.
When killsize is set to 0 and keep is set to on, then all mails
are marked as retrieved, but no mail gets deleted from the
server. This can be used to synchronize the UID list on the
client to the UID list on the server.
skipsize (off|size)
Mails larger than the given size will be skipped (not down‐
loaded). The size argument must be zero or greater. If it is
followed by a `k' or an `m', the size is measured in
kibibytes/mebibytes instead of bytes. Note that some POP3
servers report slightly incorrect sizes for mails; see NOTES
below.
filter [command]
Set a filter which will decide whether to retrieve, skip, or
delete each mail by investigating the mail's headers. The POP3
server must support the POP3 TOP command for this to work; see
option --serverinfo above. An empty argument disables filtering.
All occurences of %F in the command will be replaced with the
envelope from address of the current message (or MAILER-DAEMON
if none is found). Note that this address is guaranteed to con‐
tain only letters a-z and A-Z, digits 0-9, and any of ".@_-+/",
even though that is only a subset of what is theoretically
allowed in a mail address. Other characters, including those
interpreted by the shell, are replaced with "_". Nevertheless,
you should put %F into single quotes: '%F'.
All occurences of %S in the command will be replaced with the
size of the current mail as reported by the POP3 server.
The mail headers (plus the blank line separating the headers
from the body) will be piped to the command. Based on the return
code, mpop decides what to do with the mail:
0: proceed normally; no special action
1: delete the mail; do not retrieve it
2: skip the mail; do not retrieve it
Return codes greater than or equal to 3 mean that an error
occured. The sysexits.h error codes may be used to give informa‐
tion about the kind of the error, but this is not necessary.
received_header [(on|off)]
Enable or disable adding a Received header. By default, mpop
prepends a Received header to the mail during delivery. This is
required by the RFCs if the mail is subsequently further deliv‐
ered e.g. via SMTP.
FILTERING
There are three filtering commands available. They will be executed in
the following order:
killsize
skipsize
filter
If a filtering command applies to a mail, the remaining filters will
not be executed.
EXAMPLES
Configuration file
# Example for a user configuration file ~/.mpoprc
#
# This file focusses on TLS, authentication, and the mail delivery
method.
# Features not used here include mail filtering, timeouts, SOCKS prox‐
ies,
# TLS parameters, and more.
# Set default values for all following accounts.
defaults
# Always use TLS.
tls on
# Set a list of trusted CAs for TLS. You can use a system-wide default
file,
# as in this example, or download the root certificate of your CA and
use that.
tls_trust_file /usr/local/share/certs/ca-root-nss.crt
# Additionally, you should use the tls_crl_file command to check for
revoked
# certificates, but unfortunately getting revocation lists and keeping
them
# up to date is not straightforward.
#tls_crl_file ~/.tls-crls
# Deliver mail to an MBOX mail file:
delivery mbox ~/Mail/inbox
# Deliver mail to a maildir folder:
#delivery maildir ~/Mail/incoming
# Deliver mail via procmail:
#delivery mda "/usr/bin/procmail -f '%F' -d $USER"
# Deliver mail via the local SMTP server:
#delivery mda "/usr/bin/msmtp --host=localhost --from='%F' -- $USER"
# Deliver mail to an Exchange pickup directory:
#delivery exchange c:\exchange\pickup
# A freemail service
account freemail
# Host name of the POP3 server
host pop.freemail.example
# As an alternative to tls_trust_file/tls_crl_file, you can use
tls_fingerprint
# to pin a single certificate. You have to update the fingerprint when
the
# server certificate changes, but an attacker cannot trick you into
accepting
# a fraudulent certificate. Get the fingerprint with
# $ mpop--serverinfo--tls --tls-certcheck=off
--host=pop.freemail.example
tls_fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11
:22:33
# Authentication. The password is given using one of five methods, see
below.
user joe.smith
# Password method 1: Add the password to the system keyring, and let
mpop get
# it automatically. To set the keyring password using Gnome's libse‐
cret:
# $ secret-tool store --label=mpop \
# host pop.freemail.example \
# service pop3 \
# user joe.smith
# Password method 2: Store the password in an encrypted file, and tell
mpop
# which command to use to decrypt it. This is usually used with GnuPG,
as in
# this example. Usually gpg-agent will ask once for the decryption
password.
passwordeval gpg2 --no-tty -q -d ~/.mpop-password.gpg
# Password method 3: Store the password directly in this file. Usually
it is not
# a good idea to store passwords in plain text files. If you do it any‐
way, at
# least make sure that this file can only be read by yourself.
#password secret123
# Password method 4: Store the password in ~/.netrc. This method is
probably not
# relevant anymore.
# Password method 5: Do not specify a password. Mpop will then prompt
you for
# it. This means you need to be able to type into a terminal when mpop
runs.
# A second mail box at the same freemail service
account freemail2 : freemail
user joey
# The POP3 server of your ISP
account isp
host mail.isp.example
auth on
user 12345
# Your ISP runs SpamAssassin, so test each mail for the "X-Spam-Status:
Yes"
# header, and delete all mails with this header before downloading
them.
filter if [ "`grep "^X-Spam-Status: Yes"`" ]; then exit 1; else exit
0; fi
# Set a default account
account default : freemail
Filtering with SpamAssassin
The command filter "/path/to/spamc -c > /dev/null" will delete all
mails that SpamAssassin thinks are spam. Since no message body is
passed to SpamAssassin, you should disable all body-specific tests in
the SpamAssassin configuration file; for example set use_bayes 0.
If your mail provider runs SpamAssassin for you, you just have to check
for the result. The following script can do that when used as an mpop
filter:
#!/bin/sh
if [ "`grep "^X-Spam-Status: Yes"`" ]; then
exit 1 # kill this message
else
exit 0 # proceed normally
fi
Since the filter command is passed to a shell, you can also use this
directly:
filter if [ "`grep "^X-Spam-Status: Yes"`" ]; then exit 1; else exit 0;
fi
Using mpop with Tor
Use the following settings:
proxy_host 127.0.0.1
proxy_port 9050
tls on
Use an IP address as proxy host name, so that mpop does not leak a DNS
query when resolving it.
TLS is required to prevent exit hosts from reading your POP3 session.
You also need tls_trust_file or tls_fingerprint to check the server
identity.
FILES
~/.mpoprc
Default configuration file.
~/.mpop_uidls
Default directory to store UIDLs files in.
~/.netrc and SYSCONFDIR/netrc
The netrc file contains login information. Before prompting for
a password, msmtp will search it in ~/.netrc and
SYSCONFDIR/netrc.
ENVIRONMENT
$USER, $LOGNAME
These variables override the user's login name. $LOGNAME is only
used if $USER is unset. The user's login name is used for
Received headers.
$TMPDIR
Directory to create temporary files in. If this is unset, a sys‐
tem specific default directory is used.
AUTHORmpop was written by Martin Lambers <marlam@marlam.de>
Other authors are listed in the AUTHORS file in the source distribu‐
tion.
SEE ALSOprocmail(1), spamassassin(1), netrc(5) or ftp(1), mbox(5), fcntl(2)
2015-01 MPOP(1)
