faq

radius协议源码÷The Radius Stack will connect to a Radius Server. This stack implementation is built upo

Q: How do I set up an alert message that each IMAP user will see?
A: Create the file /etc/imapd.alert with the text of the message.  This
    text should be kept to one line if possible.  Note that this will
    cause an alert to every IMAP user every time they initiate an IMAP
    session, so it should only be used for critical messages.

SECURITY QUESTIONS:

Q: I've heard that IMAP servers are insecure.  Is this true?
A: There are no known security problems in this version of the IMAP
    toolkit, including the IMAP and POP servers.  The IMAP and POP
    servers limit what can be done while not logged in, and as part of
    the login process discard all privileges except those of the user.
   There were buffer overflow vulnerabilities in earlier versions which
    were used to mount widespread attacks against unlogged-in (and hence
    root-privileged) servers.  All known problems of this sort are fixed.
   There is every reason to believe that the bad guys are engaged in an
    ongoing effort to find vulnerabilities in the IMAP toolkit; but to
    the best of our knowledge these efforts have been futile in recent
    years.  Judging from CERT reports, they've had much greater success
    in other software, so it does not appear to be an ongoing problem
    for the IMAP toolkit.
   We are unhappy that any vulnerabilities existed in past versions, and
    we're doing our best to keep the IMAP toolkit free of vulnerabilities.
   Beware of vendors who claim that their implementations can not have
    vulnerabilities.  Any vendor who claims this is either naive or lying.


Q: Those /tmp lock files are protected 666, is that really right?
A: Yes.  Shared mailboxes won't work otherwise.  Also, you get into
    accidental denial of service problems (see the previous FAQs)
    with old lock files left lying around; this happens fairly
    frequently.
   The deliberate mischief that can be caused by fiddling with the
    lock files is small-scale; harassment level at most.  There are
    many -- and much more effective -- other ways of harassing another
    user on UNIX.  It's usually not difficult to determine the culprit.
   Before worrying about deliberate mischief, worry first about things
    happening by accident!

PROBLEMS AND ANNOYANCES:

Q: Why does mail disappear even though I set "keep mail on server"?
Q: Why do I get the message
     Moved ##### bytes of new mail to /home/user/mbox from /var/spool/mail/mbox
    and why did this happen?
A: This is probably caused by the mbox driver.  If the file "mbox" exists on
    the user's home directory and is in UNIX mailbox format, then when INBOX
    is opened this file will be selected as INBOX instead of the mail spool
    file.  Messages will be automatically transferred from the mail spool file
    into the mbox file.
   To disable this behavior, delete "mbox" from the EXTRADRIVERS list in the
    top-level Makefile and rebuild.  Note that if you do this, users won't
    be able to access the messages that have already been moved to mbox
    unless they open mbox instead of INBOX.


Q: Why isn't it showing the local host name as a fully-qualified domain
    name?
Q: Why is the local host name in the From/Sender/Message-ID headers of
    outgoing mail not coming out as a fully-qualified domain name?
A: Your UNIX system is misconfigured.  The entry for your system in
    /etc/hosts must have the fully-qualified domain name first, e.g.
	105.69.1.234	bombastic.blurdybloop.com bombastic
   A common mistake of novice system administrators is to have the
    short name first, e.g.
	105.69.1.234	bombastic bombastic.blurdybloop.com
    or to omit the fully qualified domain name entirely, e.g.
	105.69.1.234	bombastic
   The result of this is that when the IMAP toolkit does a gethostbyname()
    call to get the fully-qualified domain name, it would get "bombastic"
    instead of "bombastic.blurdybloop.com".
   On some systems, a configuration file (typically named /etc/svc.conf,
    /etc/netsvc.conf, or /etc/nsswitch.conf) can be used to configure the
    system to use the domain name system (DNS) instead of /etc/hosts, so
    it doesn't matter if /etc/hosts is misconfigured.
   Check the man pages for gethostbyname, hosts, svc, and/or netsvc for
    more information.
   Unfortunately, certain vendors, most notably SUN, have failed to
    make this clear in their documentation.  Most of SUN's documentation
    assumes a corporate network that is not connected to the Internet.
   net.folklore once (late 1980s) held that the proper procedure was to
    append the results of getdomainname(), and some versions of sendmail
    configuration files were distributed that did this.  This was
    incorrect; the string returned from getdomainname() is the Yellow
    Pages (a.k.a NIS) domain name, which is a completely different
    (albeit unfortunately named) entity from an Internet domain.  These
    were often fortuitously the same string, except when they weren't.
    Frequently, domain names would be spuriously doubled, e.g.
    "bombastic.blurdybloop.com.blurdybloop.com".  This practice has been
    thoroughly discredited for many years, but folklore dies hard.


Q: What does the message:
     Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
    mean?  How can I fix this?
A: In order to update a mailbox in the default UNIX format, it is necessary
    to create a lock file to prevent the mailer from delivering mail while
    an update is in progress.  Some systems use a directory protection of
    775, requiring that all mail handling programs be setgid mail; or of
    755, requiring that all mail handling programs be setuid root.
   The IMAP toolkit does not run with any special privileges, and we plan
    to keep it that way.  It is antithetical to the concept of a toolkit
    if users can't write their own programs to use it.  Also, we've had
    enough bad experiences with security bugs while running privileged;
    the IMAP and POP servers have to be root when not logged in, in order
    to be able to log themselves in.  We don't want to go any deeper down
    that slippery slope.
   Directory protection 1777 is secure enough on most well-managed systems.
    If you can't trust your users with a 1777 mail spool (petty harassment
    is about the limit of the abuse exposure), then you have much worse
    problems then that.
   If you absolutely insist upon requiring privileges to create a lock file,
    external file locking can be done via a setgid mail program named
    /etc/mlock (this is defined by LOCKPGM in the c-client Makefile).  If
    the toolkit is unable to create a <mailbox>.lock file in the directory
    by itself, it will try to call mlock to do it.  We do not recommend
    doing this for performance reasons.
   A sample mlock program is part of the imap-utils package:
     ftp://ftp.cac.washington.edu/mail/imap-utils.tar.Z
    We have tried to make this sample program reasonably secure, but it
    has not been thoroughly audited.


Q: What does the message:
     Mailbox is open by another process, access is readonly
    mean?
A: A problem occurred in applying a lock to a /tmp lock file.  Either some
    other program has the mailbox open and won't relenquish it, or
    something is wrong with the protection of /tmp or the lock.


Q: What does the message:
     Can't get write access to mailbox, access is readonly
    mean?
A: The mailbox file is write-protected against you.


Q: What does the syslog message:
     imap/tcp server failing (looping)
    mean?  When it happens, IMAP service shuts down.  How can I fix this?
Q: What does the syslog message:
     pop3/tcp server failing (looping)
    mean?  When it happens, POP3 service shuts down.  How can I fix this?
A: The error message "server failing (looping), service terminated" is not
    from either the IMAP or POP servers.  Instead, it comes from inetd, the
    daemon which listens for TCP connections to a number of servers,
    including the IMAP and POP servers.
   inetd has a limit of 40 new server sessions per minute for any particular
    service.  If more than 40 sessions are initiated in a minute, inetd will
    issue the "failing (looping), service terminated" message and shut
    down the service for 10 minutes. 
   For larger server systems, the limit of 40 is much too low.  The limit was
    established many years ago when a system typically only ran a few dozen
    servers.
   On some versions of inetd, such as the one distributed with most versions
    of Linux, you can modify the /etc/inetd.conf file to have a larger number
    of servers by appending a colon followed by a number after the "nowait"
    word for the server entry.  For example, if your existing /etc/inetd.conf
    line reads:
     imap    stream  tcp     nowait  root    /usr/etc/imapd imapd
    try changing it to be:
     imap    stream  tcp     nowait:100  root    /usr/etc/imapd imapd
    Another example (using TCP wrappers):
     imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
    try changing it to be:
     imap    stream  tcp     nowait:100  root    /usr/sbin/tcpd  imapd
    to increase the limit to 100 sessions/minute.
   Before making this change, please read the information in "man inetd" to
    determine whether or not your inetd has this feature.  If it does not, and
    you make this change, the likely outcome is that you will disable IMAP
    service entirely.
  Another way to fix this problem is to edit the inetd.c source code
   (provided by your UNIX system vendor) to set higher limits, rebuild inetd,
   install the new binary, and reboot your system.  This should only be done
   by a UNIX system expert.  In the inetd.c source code, the limits TOOMANY
   (normally 40) is the maximum number of new server sessions permitted per
   minute, and RETRYTIME (normally 600) is the number of seconds inetd will
   shut down the server after it exceeds TOOMANY.


Q: What does the syslog message:
     Mailbox lock file /tmp/.600.1df3 open failure: Permission denied
    mean?
A: This usually means that some "helpful" person has protected /tmp so
    that it is no longer world-writeable.  /tmp must be world-writeable
    because lots of applications use it for scratch space.  To fix this,
    do "chmod 1777 /tmp" as root.
   If that isn't the answer, check the protection of the named file.  If
    it is something other than 666, then either someone is hacking or
    some "helpful" person modified the code to have a different default
    lock file protection.


Q: What does the syslog message:
     Command stream end of file, while reading line user=... host=...
    mean?
A: This message occurs when the session is disconnected without a proper
    LOGOUT (IMAP) or QUIT (POP) command being received by the server first.
   In many cases, this is perfectly normal; many client implementations
    are impolite and do this.  Some programmers think this sort of rudeness
    is "more efficient".
   The condition could, however, indicate a client or network connectivity
    problem.  The server has no way of knowing whether there's a problem or
    just a rude client, so it issues this message instead of a Logout.
   If the user isn't reporting a problem, you can probably ignore this
    message.


Q: What does the syslog message:
     Killed (lost mailbox lock) user=... host=...
    mean?
A: This message only happens when either the traditional UNIX mailbox format
    or MMDF format is in use.  This format only allows one session to have
    the mailbox open read/write at a time.
   The servers assume that if a second session attempts to open the mailbox,
    that means that the first session is probably owned by an abandoned client.
    The common scenario here is a user who leaves his client running at the
    office, and then tries to read his mail from home.  Through an internal
    mechanism called "kiss of death", the second session requests the first
    session to kill itself.  When the first session receives this "kiss of
    death", it issues the "Killed (lost mailbox lock)" syslog message and
    terminates.  The second session then seizes read/write access, and becomes
    the new "first" session.
   Certain poorly-designed clients routinely open multiple sessions to the
    same mailbox; the users of those clients tend to get this message a lot.
   Another cause of this message is a background "check for new mail" task
    which does its work by opening a POP session to server every few seconds.
    They do this because POP doesn't have a way to announce new mail.
   The solution to both situations is to replace the client with a good
    online IMAP client such as Pine.  Life is too short to waste on POP
    clients and poorly-designed IMAP clients.


Q: Why does my IMAP client show all of my files, recursively from my UNIX
    home directory?
A: By default, you are connected to your home directory.  Most clients have
    an option to configure your connected directory on the IMAP server.  In
    Pine, you specify this as the "Path" in your folder-collection, e.g.
     Nickname  : Secondary Folders
     Server    : imap.blurdybloop.com
     Path      : mail/
     View      : 
    In this example, the user is connected to the "mail" subdirectory of
    his home directory.
   Other servers call this the "folder prefix" or similar term.
   It is possible to modify the IMAP server so that all users are
    automatically connected to some other directory, e.g. a subdirectory
    of the user's home directory.  Read the file CONFIG for more details.