POP, the Post Office Protocol

Last updated -[Thu Jun 2 07:33:01 2005 by cxh]-

Description of the pop installation

pop is the Post Office Protocol, a way for remote machines to connect to a Unix box and get mail. The most common pop situation is to use Eudora to connect to Unix. I believe Netscape, Exmh and emacs can also use pop to read mail.

The pop server is running on doppler.eecs.berkeley.edu. You will need to set up the preferences of your mail reader so that doppler.eecs.berkeley.edu is the incoming and outgoing mail server.



APOP and eudora

The APOP facility allows POP users to log in without sending their passwd in clear text over the net.
Note that as of 8/99, Netscape 4.61 does not support APOP.
As of 1/02, doppler is the host that is running APOP.
  1. On doppler, run the popauth command and type in the passwd you want to use. This passwd need not be the same as your Kerberos or regular login passwd. I believe that there is a limit of 8 characters to the passwd.
  2. On the machine running Eudora, select the Options choice from under the Tools menu. Find the Incoming Mail icon and select APOP.
  3. Set your POP host to doppler.eecs.berkeley.edu.
  4. Type Control-M to read mail, then type in your POP passwd from step 1 above.
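What APOP sends in place of the clear-text passwd, as an added example that is not part of the original page or of Qpopper: the client hashes the timestamp from the server greeting together with the shared secret, as specified in RFC 1939. The function names are hypothetical; the first greeting, user and secret are the RFC's own worked example, and the second greeting is constructed.

```python
import hashlib
import hmac
import re

# RFC 1939: the APOP timestamp is the <process-ID.clock@hostname> token in the greeting.
TIMESTAMP_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def extract_timestamp(greeting):
    """Return the timestamp from a +OK greeting, or None if APOP is not offered."""
    if not greeting.startswith("+OK"):
        return None
    match = TIMESTAMP_RE.search(greeting)
    return match.group(0) if match else None


def apop_digest(timestamp, secret):
    """MD5 over the timestamp immediately followed by the secret, as lowercase hex."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def client_command(greeting, user, secret):
    """Build the APOP line a client sends instead of USER/PASS."""
    timestamp = extract_timestamp(greeting)
    if timestamp is None:
        raise ValueError("greeting carries no timestamp; server does not offer APOP")
    return "APOP %s %s" % (user, apop_digest(timestamp, secret))


def server_accepts(timestamp, stored_secret, command):
    """Server side: recompute the digest from the stored copy of the secret."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    expected = apop_digest(timestamp, stored_secret)
    return hmac.compare_digest(expected.encode(), parts[2].lower().encode())


# Greeting, user and secret from the worked example in RFC 1939.
RFC_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
# Constructed: the same server on a later connection, with a new timestamp.
LATER_GREETING = "+OK POP3 server ready <1897.697170999@dbc.mtview.ca.us>"

if __name__ == "__main__":
    line = client_command(RFC_GREETING, "mrose", "tanstaaf")
    print(line)
    later = extract_timestamp(LATER_GREETING)
    print("captured line accepted on a later connection:",
          server_accepts(later, "tanstaaf", line))
```

The server can only recompute the digest if it holds the secret itself, which is why /etc/pop.auth is owned by pop with mode 600. A greeting without a timestamp means the server does not offer APOP.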
Qpop places to go:
  • windows kerberos client dlls
  • Qpopper
  • Qpop FAQ
  • The qpopper INSTALL file says:
    New users can be added by root or the 'pop' user with the 
    following command:
    
    	    popauth -user 
    
    	Or removed with the following command:
    
    	    popauth -delete 
    
    Anyone can add themselves or change their password with the 
    following command: 
    
    	    popauth
    
    
    

    Installing qpopper

    1. Under Solaris, OpenSSL will work much better if you have a /dev/random
    2. Summary about /dev/random at http://lists.gnupg.org/pipermail/gnupg-devel/2000-May/005156.html
    3. /dev/random package
    4. Install OpenSSL by downloading from http://www.openssl.org
      Usually OpenSSL gets installed in /usr/local/ssl
      cd /export/home/tools/openssl-xxx
      ./config
      make >& make.out &
      tail -f make.out
      make test
      umask 002
      make install
      
    5. Download Qpopper from
      http://www.eudora.com/products/unsupported/qpopper/
    6. Configure with:
      rm config.cache config.status; ./configure --enable-apop=/etc/pop.auth --with-apopuid=pop --with-openssl=/usr/local/ssl --without-gdbm --enable-debugging=yes
      
    7. Note that to use old databases in /etc/pop.auth.dir and /etc/pop.auth.pag you may need to edit config.h and comment out HAVE_GDBM_H
      /* Define if you have the <gdbm.h> header file.  */
      /*#define HAVE_GDBM_H 1*/
      
    8. If you want to only allow APOP, then edit config.h and add
      #define APOP_ONLY 1
      

      APOP uses an encrypted password to log users in; it is much more secure than USER/PASS POP authentication. However, for testing out SSL, do not add #define APOP_ONLY 1 quite yet.
    9. As root:
      make
      make install
      cp popper/popper /usr/local/sbin/popper-ssl
      
    10. Add the following line to /etc/inetd.conf
      spop3 stream tcp nowait root	/usr/local/sbin/popper-ssl -d -t /var/spool/mqueue/pop.log -f /etc/mail/qpopper.config 
      
    11. Add the following line to /etc/services
      spop3           995/tcp 			# Pop with SSL
      
    12. Use ps -auxgww | grep inetd to find the PID of the inetd process, then run kill -1 on that PID.
    13. Create /etc/mail/qpopper.config:
      set debug
      set tls-support = stls 
      set tls-server-cert-file = /etc/mail/certs/cert.pem 
      set log-facility             = local0
      set tls-support = alternate-port
      set clear-text-password = tls
      set chunky-writes = tls
      
    14. Set up certificates, see How do I use TLS/SSL with Qpopper? question in the Qpopper FAQ
      Note that when you get the Common Name question, be sure to type in the fully qualified domain name of the host that is running pop, or else you will get messages about how the certificate does not match the host.
      
      # Directory for the server key and certificate
      mkdir -p -m665 /etc/mail/certs
      chown root.mail /etc/mail/certs
      chmod 660 /etc/mail/certs
      # Server key (written to cert.pem) and certificate request
      /usr/local/ssl/bin/openssl req -new -nodes -out req.pem -keyout /etc/mail/certs/cert.pem
      chmod 600 /etc/mail/certs/cert.pem
      chown root /etc/mail/certs/cert.pem
      # Local CA key and self-signed CA certificate
      /usr/local/ssl/bin/openssl genrsa -des3 -out ca.key 1024
      /usr/local/ssl/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
      # Sign the request with the local CA, then append the signed certificate to the key file
      /usr/local/ssl/bin/openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem -out signed-req.pem -CAcreateserial
      cat signed-req.pem >> /etc/mail/certs/cert.pem
      
    15. Setting up Eudora
      Eudora 5.1 is required to work with SSL. The Eudora 5.1 release notes at http://www.eudora.com/download/eudora/windows/5.1/full_elec/RelNotes.txt cover how to set up SSL.
      1. Download Eudora 5.0R from http://depot.berkeley.edu/software/email/epro_downloads.html
      2. Download Eudora 5.1 Updater http://www.eudora.com/email/index.html
      3. The Eudora release notes include the following about SSL
        SSL is implemented on a per personality basis.  In your 
        Personalities window, right-click on a personality that supports SSL.
        
        Under Generic Properties tab, there is a Secure Sockets section 
        where you can specify its usage.  The list includes:
        Never, If Available, Required on Alternate Port, and Required 
        (STARTTLS).  The default is "If Available".
        
        The [Last SSL Info] button will only work if you have been able to 
        send an email with the SSL personality.
        
        Under Incoming Mail tab, there is also a Secure Sockets section with 
        the same options.  You can click on the [Last SSL Info] button to 
        view the Eudora SSL Connection Information Manager.
        
        Note that there is a [Certificate Information Manager] button at the 
        bottom of the dialog.
        
        In the Certificate Information Manager, you can specify which 
        certificates you trust.  You can click on the [Add to Trusted] and 
        [Remove from Trusted] buttons to specify which certificates you trust.
        
        Eudora has provided some Trusted Certificates, but you will have your 
        own certificates too under Server Certificates.
        
        A skull with cross bones represents a certificate that is not trusted.
        A yellow face in the User Trusted Certificates branch will mean that 
        the certificate is trusted.
        If a certificate has expired, then you will see a red backwards L 
        over the icon.
        
      4. Tools -> Option -> Checking Mail should be set to
        Server: doppler.eecs.berkeley.edu
        Configuration: POP
        Authentication Style: Passwords
        Secure Sockets when Receiving: Required, Alternate Port  
        
      5. Note that you will need to add our temporary certificate to the list of trusted certificates. To do this, first try to connect to doppler and read email. You will get an 'untrusted certificate' message, but then you will be able to add the certificate in the next step.
      6. Go to Tools -> Options -> Checking Mail -> Last SSL Info -> Certificate Manager and click on the Ptolem Project certificate and then click on Add To Trusted.
      7. Then try downloading email again; it should work.
    16. Setting up Outlook Express to use SSL. Found these instructions on the net:
      1. Click on "Tools", and select "Accounts"
      2. Click on the "Mail" tab
      3. Select your mail account, and click "Properties"
      4. Click on the "Advanced" tab.
      5. Check "This server requires a secure connection (SSL)" for either/both "Outgoing Mail (SMTP)" and "Incoming Mail (POP3)".
      
    17. Debugging
    18. Debugging messages should appear in /var/spool/mqueue/pop.log
    19. The ssldump program might be of use
    These instructions are obsolete
    cp popper /usr/local/etc/popper
    cp popauth /usr/local/bin/popauth
    chown pop /usr/local/bin/popauth
    chmod u+s /usr/local/bin/popauth
    cp *.8 /usr/local/man/man8
    
    popauth should have the following permissions
    -rwsr-xr-x   1 pop         31672 Dec 22 14:40 /usr/local/bin/popauth*
    
  • As root on the mail server:
    touch /etc/pop.auth
    chown pop /etc/pop.auth
    chmod 600 /etc/pop.auth
    /usr/local/sbin/popauth -init
    

    exmh and pop

    You can use pop with exmh. Note that the mh binaries on sww seem to have been set up so that pop won't work. The Solaris binaries are in /opt/mh/bin; the SunOS binaries are in /usr/local/mh/bin. It looks like exmh won't work with popper, but it will work with popd. The trick is to have a ~/.xmhcheck file with the following line:

      inbox dewitt.eecs.berkeley.edu YOURUSERNAME

    where YOURUSERNAME is your Unix user id. Then change exmh's preferences by mousing on Preferences -> Incorporate Mail -> multidrop and then saving your preferences.

    We are working on getting kerberos to work, but in the short term, exmh uses RPOP, which uses ~/.rhosts like the Berkeley r* commands (rsh, rcp etc.). So, to get exmh to work, you will need to have the machine you are logging in from listed in your .rhosts file.

    Troubleshooting pop and exmh

    Debugging qpop

    The INSTALL file in the Qpopper distribution is very useful
    DEBUGGING: Telnet to the qpopper port "telnet pop3." INETD is not servicing the POP port if you receive one of the following error messages:
    1. "connect: Connection refused"
    2. "connect: Connection closed"

    If you receive message 1, check your services file and make sure the port name "POP3" is exactly the same as the one in inetd.conf. Also, it can indicate that you have not reset inetd (kill -HUP ) (some systems can use inetd -c).

    If you receive message 2, this indicates that inetd has the correct port assigned to the qpopper, but that either program cannot be located, or it is failing on startup. If you are compiling with a listed OS, chances are the POP program is not named correctly in the /etc/inetd.conf file. Otherwise, add the -d flag and check your log messages for the source of the problem.

    If you have correctly installed the qpopper as far as inetd is concerned, you will see the following line, and the startup banner is displayed:

    +OK QPOP (version 2.4) at  starting. <13625.811191280@system>
    

    Now, you need to run two commands to give yourself authorization to run qpopper. Make sure you have a message or two queued so you can ensure that the qpopper is pointing at the correct mail spool file. Be aware that the password is echoed back:

      	user 
        	+OK Password required for 
        	pass 
        	+OK mark has 2 message(s) (4123 octets).
    
    

    If you have the authority and if you have two messages, you can enter QUIT to exit. LIST and UIDL are two commands to list messages by size and ID. At this point, Eudora or any other pop client should not have any problems communicating with your qpopper.

    If you get the following message: “Unable to process From lines” (envelops), change recognition modes.

    This indicates that your mailbox is corrupted; that is, the first line which includes the From header or MMDF separator is not recognizable. Or there may be a From line displayed that has never appeared before. Edit the mail spool file and send the first line. If the first line is blank, then remove it until you reach the From line.

    If an error message displays indicating that your password is incorrect, you might be using a shadow password, and you may need to use the -DAUTH definition. Or, you might be using a UID less than 11 (default) which is automatically blocked from access.

    Other things to check:
    1. Under SunOS4.x, popauth was failing with a message like:
      /usr/local/bin/popauth: /etc/pop.auth: unable to open POP authorization DB
      
      trace shows that flock() was failing:
      open ("/etc/pop.auth.pag", 02, 0) = 3
      fstat (3, 0xf7ffefb0) = 0
      flock (3, 06) = -1 EWOULDBLOCK (Operation would block)
      
      My fix was to edit config.h, comment out #define HAVE_FLOCK 1, remove flock.o and recompile.
    2. popauth should be suid pop:
      cxh@carson 13% ls -l /usr/local/etc/popper
      -rwxr-xr-x   1 root       352344 Aug 20 13:59 /usr/local/etc/popper*
      
    3. popper is in /etc/inetd.conf on the pop host.
      doppler:root: %C2> grep pop /etc/inetd.conf
      pop3 stream tcp nowait root /usr/local/sbin/popper popper -s -t /var/spool/mqueue/pop.log
      spop3 stream tcp nowait root    /usr/local/sbin/popper-ssl -t /var/spool/mqueue/pop.log -f /etc/mail/qpopper.config 
      
    4. pop3 is in the yp services map on the pop host.
      doppler:root: %C2> ypcat services | grep pop
      pop3            110/tcp                         # Post Office Protocol - Version 3
      pop2            109/tcp         pop-2           # Post Office Protocol - V2
      spop3           995/tcp                         # /etc/inetd.conf
      
    5. Consult the exmh man page
    6. Consult the popper man page.
    7. Try running the local inc in /opt/mh/bin, rather than the inc in /usr/sww/bin. Use which inc to see which inc binary you are running, then adjust your path accordingly.
    8. Check that you have a ~/.xmhcheck file
    9. Try rshing from the local host to the remote host. If you have problems, check your remote ~/.rhosts file.
    10. Try using telnet hostname pop3. See Testing below for more information.
    11. Try using inc -host hostname from the remote host. This command should connect to the pop host and get your mail for you. inc is the command that exmh runs. See for the tcl code that runs the inc command.
    12. Look in /etc/inetd.conf and see where popper is logging to, then check that file.
    13. As a last resort, running truss or trace on inc might help. Since inc is setuid root so that it can mess with the mail spool, truss won't work on it. The solution is to use which to determine where the inc binary is, then copy the binary elsewhere and run truss on it.
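    The name check behind message 1 and items 3 and 4 above can be automated. This is an added example, not part of the original page or of Qpopper: it cross-checks the service names in inetd.conf against the services file (or the output of ypcat services). The function names are hypothetical, the first pair of inputs is copied from items 3 and 4, and the faulty pair is constructed.

```python
def parse_services(text):
    """Map (name, proto) -> port for every service name and alias."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table


def parse_inetd(text):
    """Return (service, proto, program) for each uncommented inetd.conf entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 6:  # service socket proto wait user program [args]
            entries.append((fields[0], fields[2], fields[5]))
    return entries


def unresolved_services(inetd_text, services_text):
    """List inetd entries whose service name has no exact match in services."""
    table = parse_services(services_text)
    problems = []
    for name, proto, program in parse_inetd(inetd_text):
        if (name, proto) in table:
            continue
        close = sorted(n for (n, p) in table if p == proto and n.lower() == name.lower())
        hint = "differs only in case from %r" % close[0] if close else "no entry"
        problems.append("%s/%s (%s): %s" % (name, proto, program, hint))
    return problems


# The two inetd.conf lines and three services lines shown in items 3 and 4.
PAGE_INETD = """\
pop3 stream tcp nowait root /usr/local/sbin/popper popper -s -t /var/spool/mqueue/pop.log
spop3 stream tcp nowait root    /usr/local/sbin/popper-ssl -t /var/spool/mqueue/pop.log -f /etc/mail/qpopper.config
"""
PAGE_SERVICES = """\
pop3            110/tcp                         # Post Office Protocol - Version 3
pop2            109/tcp         pop-2           # Post Office Protocol - V2
spop3           995/tcp                         # /etc/inetd.conf
"""
# Constructed faulty variant: upper-case service name, and spop3 missing from services.
BAD_INETD = PAGE_INETD.replace("pop3 stream", "POP3 stream", 1)
BAD_SERVICES = "\n".join(PAGE_SERVICES.splitlines()[:2]) + "\n"

if __name__ == "__main__":
    print(unresolved_services(PAGE_INETD, PAGE_SERVICES))
    for problem in unresolved_services(BAD_INETD, BAD_SERVICES):
        print(problem)
```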

    Notes about using exmh remotely

  • To send mail from a portable standalone machine, sendmail must be running. Under SunOS sendmail is started in /etc/rc.local. Under Solaris2, sendmail is started in /etc/rc2.d/S88sendmail, which is a link to /etc/init.d/sendmail.
  • Unlike Eudora, exmh will not easily save up mail to be sent all in one fell swoop. Possibly configuring sendmail to do that might do the trick.

    One way to get mail to be queued is to rebuild MH with the message transport system set to mh rather than sendmail/smtp. conf/MH should look like:

      #mts sendmail/smtp
      mts mh

    Then you will need to reconfigure mh and reinstall. mh-mts.doc says:
    When using the stand-alone system (NOT recommended), MH delivers local mail itself and queues UUCP and network mail. The network mail portion will probably have to be modified to reflect the local host's tastes, since there is no well-known practice in this area for all types of UNIX hosts.
    One trick would be to have a version of MH built for sendmail/smtp and another for standalone mh as the mts.

    To switch from the regular mode of mail, where each message is sent asap, to the batch mode, do the following:

    1. Under Solaris /etc/mail/sendmail.cf should be changed to:
      # default delivery mode
      #Odbackground
      Odq
    2. It may be necessary to edit /etc/init.d/sendmail, and change: /usr/lib/sendmail -bd -q1h; to /usr/lib/sendmail -bd -q; However, I believe that this step is unnecessary, see the sendmail man page for more information.
    3. Then stop and restart sendmail with /etc/init.d/sendmail stop; /etc/init.d/sendmail start
    To see what is in the queue, use the mailq command.
  • The command to flush the mail queue is /usr/lib/sendmail -q -v.
  • Using pop and mh-e

    The mh faq says:

    Subject: 08.03 + How do I use POP with mh-e?

    From: Andy Norman

    Assume your POP server is called cuckoo. Add an entry to your MH profile (~/.mh_profile) for 'inc' like so:

    inc: -noaudit -norpop -noapop -host cuckoo

    Add the following to ~/.netrc:

    machine cuckoo.domain.name login joeuser password secret

    Replace the hostname, login and password with your own, of course. The hostname probably has to be fully qualified (i.e., include the full domain name). This example assumes that you can send mail by other means (e.g., with SMTP). [05.95]


    Pop daemon details

    Below we discuss the various pop daemons. Most users won't care about these details.

    Testing

    To test a pop daemon, telnet to the port that the daemon is running on.

      cxh@markov 507% telnet dewitt pop3
      Trying 128.32.240.53...
      Connected to dewitt.eecs.berkeley.edu.
      Escape character is '^]'.
      +OK QUALCOMM Pop server derived from UCB (version 2.1.4-R3) at dewitt.eecs.berkeley.edu starting.
      QUIT
      QUIT
      +OK Pop server at dewitt.eecs.berkeley.edu signing off.
      Connection closed by foreign host.
      cxh@markov 508%

    imapd

    imapd might be an alternative. /usr/sww/doc/faq/mh.faq discusses imap.

    popi

    popi is an mh program that can be used to connect to a pop host. Unfortunately, the popi on sww is empty, probably for security reasons.

      -rwxr-xr-x 1 18 0 Dec 9 13:07 /usr/sww/bin/popi*

    popi is on mho in /usr/local/mh-6.8.3/bin/popi