1MPOP(1) General Commands Manual MPOP(1)
2
3
4
6 mpop - A POP3 client
7
9 Mail retrieval mode (default):
10 mpop [option...] [--] [account...]
11 mpop --host=host [option...]
12
13 Configuration mode:
14 mpop --configure <mailaddress>
15
16 Server information mode:
17 mpop [option...] --serverinfo [account...]
18 mpop --host=host [option...] --serverinfo
19
21 In mail retrieval mode of operation, mpop retrieves mails from one or
22 more POP3 mailboxes, optionally does some filtering, and delivers them
23 through a mail delivery agent (MDA), to a maildir folder, or to an mbox
24 file. Mails that were successfully delivered before will not be re‐
25 trieved a second time, even if errors occur or mpop is terminated in
26 the middle of a session.
27 In server information mode, mpop prints information about one or more
28 POP3 servers.
29 If no account names are given on the command line, one named default
30 will be used.
31 The best way to start is probably to have a look at the EXAMPLES sec‐
32 tion.
33
35 The standard sendmail exit codes are used, as defined in sysexits.h.
36
38 Options override configuration file settings, for every used account.
39
40 General Options
41
42 --version
43 Print version information, including information about
44 the libraries used.
45
46 --help Print help.
47
48 -P, --pretend
49 Print the configuration settings that would be used, but
50 do not take further action. An asterisk (`*') will be
51 printed instead of your password.
52
53 -d, --debug
54 Print lots of debugging information, including the whole
55 conversation with the server. Be careful with this op‐
56 tion: the (potentially dangerous) output will not be san‐
57 itized, and your password may get printed in an easily
58 decodable format!
59 This option implies --half-quiet, because the progress
60 output would interfere with the debugging output.
61
62 Changing the mode of operation
63
64 --configure=mailaddress
65 Generate a configuration for the given mail address and
66 print it. This can be modified or copied unchanged to the
67 configuration file. Note that this only works for mail
68 domains that publish appropriate SRV records; see RFC
69 8314.
70
71 -S, --serverinfo
72 Print information about the POP3 server(s) and exit. This
73 includes information about supported features (pipelin‐
74 ing, authentication methods, TOP command, ...), about pa‐
75 rameters (time for which mails will not be deleted, mini‐
76 mum time between logins, ...), and about the TLS certifi‐
77 cate (if TLS is active).
78
79 Configuration options
80
81 -C, --file=conffile
82 Use the given file instead of ~/.mpoprc or $XDG_CON‐
83 FIG_HOME/mpop/config as the user configuration file.
84
85 --host=hostname
86 Use this server with settings from the command line; do
87 not use any configuration file data. This option disables
88 loading of the configuration file. You cannot use both
89 this option and account names on the command line.
90
91 --port=number
92 Set the port number to connect to. See the port command.
93
94 --source-ip=[IP]
95 Set or unset an IP address to bind the socket to. See the
96 source_ip command.
97
98 --proxy-host=[IP|hostname]
99 Set or unset a SOCKS proxy to use. See the proxy_host
100 command.
101
102 --proxy-port=[number]
103 Set or unset a port number for the proxy host. See the
104 proxy_port command.
105
106 --socket=[socketname]
107 Set or unset a local unix domain socket name to connect
108 to. See the socket command.
109
110 --timeout=(off|seconds)
111 Set a network timeout. See the timeout command.
112
113 --pipelining=(auto|on|off)
114 Enable or disable POP3 pipelining. See the pipelining
115 command.
116
117 --received-header[=(on|off)]
118 Enable or disable the Received header. See the re‐
119 ceived_header command.
120
121 --auth[=(on|method)]
122 Set the authentication method to automatic (with "on") or
123 manually choose an authentication method. See the auth
124 command.
125
126 --user=[username]
127 Set or unset the user name for authentication. See the
128 user command.
129
130 --passwordeval=[eval]
131 Evaluate password for authentication. See the passworde‐
132 val command.
133
134 --tls[=(on|off)]
135 Enable or disable TLS/SSL. See the tls command.
136
137 --tls-starttls[=(on|off)]
138 Enable or disable STARTTLS for TLS. See the tls_starttls
139 command.
140
141 --tls-trust-file=[file]
142 Set or unset a trust file for TLS. See the tls_trust_file
143 command.
144
145 --tls-crl-file=[file]
146 Set or unset a certificate revocation list (CRL) file for
147 TLS. See the tls_crl_file command.
148
149 --tls-fingerprint=[fingerprint]
150 Set or unset the fingerprint of a trusted TLS certifi‐
151 cate. See the tls_fingerprint command.
152
153 --tls-key-file=[file]
154 Set or unset a key file for TLS. See the tls_key_file
155 command.
156
157 --tls-cert-file=[file]
158 Set or unset a cert file for TLS. See the tls_cert_file
159 command.
160
161 --tls-certcheck[=(on|off)]
162 Enable or disable server certificate checks for TLS. See
163 the tls_certcheck command.
164
165 --tls-min-dh-prime-bits=[bits]
166 Set or unset minimum bit size of the Diffie-Hellmann (DH)
167 prime. See the tls_min_dh_prime_bits command.
168
169 --tls-priorities=[priorities]
170 Set or unset TLS priorities. See the tls_priorities com‐
171 mand.
172
173 --tls-host-override=[host]
174 Set or unset override for TLS host verification. See the
175 tls_host_override command.
176
177 Options specific to mail retrieval mode
178
179 -q, --quiet
180 Do not print status or progress information.
181
182 -Q, --half-quiet
183 Print status but not progress information.
184
185 -a, --all-accounts
186 Query all accounts in the configuration file.
187
188 -A, --auth-only
189 Authenticate only; do not retrieve mail. Useful for SMTP-
190 after-POP.
191
192 -s, --status-only
193 Print number and size of mails in each account only; do
194 not retrieve mail.
195
196 -n, --only-new[=(on|off)]
197 Process only new messages. See the only_new command.
198
199 -k, --keep[=(on|off)]
200 Do not delete mails from POP3 servers, regardless of
201 other options or settings. See the keep command.
202
203 --killsize=(off|size)
204 Set or unset kill size. See the killsize command.
205
206 --skipsize=(off|size)
207 Set or unset skip size. See the skipsize command.
208
209 --filter=[program]
210 Set a filter which will decide whether to retrieve, skip,
211 or delete each mail by investigating the mail's headers.
212 See the filter command.
213
214 --delivery=method,method_arguments...
215 How to deliver messages received from this account. See
216 the delivery command. Note that a comma is used instead
217 of a blank to separate the method from its arguments.
218
219 --uidls-file=filename
220 File to store UIDLs in. See the uidls_file command.
221
223 A suggestion for a suitable configuration file can be generated using
224 the --configure option. The default configuration file is ~/.mpoprc or
225 $XDG_CONFIG_HOME/mpop/config. Settings in this file can be changed by
226 command line options.
227 A configuration file is a simple text file. Empty lines and comment
228 lines (first non-blank character is '#') are ignored. Every other line
229 must contain a command and may contain an argument to that command.
230 The argument may be enclosed in double quotes (").
231 If a file name starts with the tilde (~), this tilde will be replaced
232 by $HOME.
233 If a command accepts the argument on, it also accepts an empty argument
234 and treats that as if it was on.
235 Commands are organized in accounts. Each account starts with the ac‐
236 count command and defines the settings for one POP3 account.
237
238 Commands are as follows:
239
240 defaults
241 Set defaults. The following configuration commands will set de‐
242 fault values for all following account definitions.
243
244 account name [:account[,...]]
245 Start a new account definition with the given name. The current
246 default values are filled in.
247 If a colon and a list of previously defined accounts is given
248 after the account name, the new account, with the filled in de‐
249 fault values, will inherit all settings from the accounts in the
250 list.
251
252 host hostname
253 The POP3 server to retrieve mails from. The argument may be a
254 host name or a network address. Every account definition must
255 contain this command.
256
257 port number
258 The port that the POP3 server listens on. The default is 110
259 ("pop3"), unless TLS without STARTTLS is used, in which case it
260 is 995 ("pop3s").
261
262 source_ip [IP]
263 Set a source IP address to bind the outgoing connection to. Use‐
264 ful only in special cases on multi-home systems. An empty argu‐
265 ment disables this.
266
267 proxy_host [IP|hostname]
268 Use a SOCKS proxy. All network traffic will go through this
269 proxy host, including DNS queries, except for a DNS query that
270 might be necessary to resolve the proxy host name itself (this
271 can be avoided by using an IP address as proxy host name). An
272 empty hostname argument disables proxy usage. The supported
273 SOCKS protocol version is 5. If you want to use this with Tor,
274 see also "Using mpop with Tor" below.
275
276 proxy_port [number]
277 Set the port number for the proxy host. An empty number argument
278 resets this to the default port, which is 1080 ("socks").
279
280 socket socketname
281 Set the file name of a unix domain socket to connect to. This
282 overrides both host/port and proxy_host/proxy_port.
283
284 timeout (off|seconds)
285 Set or unset a network timeout, in seconds. The default is 180
286 seconds. The argument off means that no timeout will be set,
287 which means that the operating system default will be used.
288
289 pipelining (auto|on|off)
290 Enable or disable POP3 pipelining. You should never need to
291 change the default setting, which is auto: mpop enables pipelin‐
292 ing for POP3 servers that advertise this capability, and dis‐
293 ables it for all other servers. Pipelining can speed up a POP3
294 session substantially.
295
296 auth [(on|method)]
297 Choose an authentication method. The default argument on chooses
298 a method automatically.
299 Usually a user name and a password are used for authentication.
300 The user name is specified in the configuration file with the
301 user command. There are five different methods to specify the
302 password:
303 1. Add the password to the system key ring. Currently supported
304 key rings are the Gnome key ring and the Mac OS X Keychain. For
305 the Gnome key ring, use the command secret-tool (part of Gnome's
306 libsecret) to store passwords: secret-tool store --label=mpop
307 host pop.freemail.example service pop3 user joe.smith. On Mac
308 OS X, use the following command: security add-internet-password
309 -s pop.freemail.example -r pop3 -a joe.smith -w. In both exam‐
310 ples, replace pop.freemail.example with the POP3 server name,
311 and joe.smith with your user name.
312 2. Store the password in an encrypted files, and use passworde‐
313 val to specify a command to decrypt that file, e.g. using GnuPG.
314 See EXAMPLES.
315 3. Store the password in the configuration file using the pass‐
316 word command. (Usually it is not considered a good idea to
317 store passwords in cleartext files. If you do it anyway, you
318 must make sure that the file can only be read by yourself.)
319 4. Store the password in ~/.netrc. This method is probably obso‐
320 lete.
321 5. Type the password into the terminal when it is required.
322 It is recommended to use method 1 or 2.
323 Multiple authentication methods exist. Most servers support only
324 some of them. Historically, sophisticated methods were devel‐
325 oped to protect passwords from being sent unencrypted to the
326 server, but nowadays everybody needs TLS anyway, so the simple
327 methods suffice since the whole session is protected. A suitable
328 authentication method is chosen automatically, and when TLS is
329 disabled for some reason, only methods that avoid sending clear‐
330 text passwords are considered.
331 The following user / password methods are supported: user (a
332 simple plain text method supported by all servers), plain (an‐
333 other simple cleartext method, supported by almost all servers),
334 scram-sha-1 (a method that avoids cleartext passwords), apop (an
335 obsolete method that avoids cleartext passwords, but is not con‐
336 sidered secure anymore), cram-md5 (an obsolete method that
337 avoids cleartext passwords, but is not considered secure any‐
338 more), digest-md5 (an overcomplicated obsolete method that
339 avoids cleartext passwords, but is not considered secure any‐
340 more), login (a non-standard cleartext method similar to but
341 worse than the plain method), ntlm (an obscure non-standard
342 method that is now considered broken; it sometimes requires a
343 special domain parameter passed via ntlmdomain).
344 There are currently three authentication methods that are not
345 based on user / password information and have to be chosen manu‐
346 ally: oauthbearer (an OAuth2 token from the mail provider is
347 used as the password. See the documentation of your mail
348 provider for details on how to get this token. The passwordeval
349 command can be used to pass the regularly changing tokens into
350 mpop from a script or an environment variable), external (the
351 authentication happens outside of the protocol, typically by
352 sending a TLS client certificate, and the method merely confirms
353 that this authentication succeeded), and gssapi (the Kerberos
354 framework takes care of secure authentication, only a user name
355 is required).
356 It depends on the underlying authentication library and its ver‐
357 sion whether a particular method is supported or not. Use --ver‐
358 sion to find out which methods are supported.
359
360 user login
361 Set the user name for authentication. An empty argument unsets
362 the user name.
363
364 password secret
365 Set the password for authentication. An empty argument unsets
366 the password. Consider using the passwordeval command or a key
367 ring instead of this command, to avoid storing cleartext pass‐
368 words in the configuration file.
369
370 passwordeval [eval]
371 Set the password for authentication to the output (stdout) of
372 the command eval. This can be used e.g. to decrypt password
373 files on the fly or to query key rings, and thus to avoid stor‐
374 ing cleartext passwords.
375
376 ntlmdomain [domain]
377 Set a domain for the ntlm authentication method. This is obso‐
378 lete.
379
380 tls [(on|off)]
381 Enable or disable TLS (also known as SSL) for secured connec‐
382 tions.
383 Transport Layer Security (TLS) "... provides communications pri‐
384 vacy over the Internet. The protocol allows client/server ap‐
385 plications to communicate in a way that is designed to prevent
386 eavesdropping, tampering, or message forgery" (quote from
387 RFC2246).
388 A server can use TLS in one of two modes: via a STARTTLS command
389 (the session starts with the normal protocol initialization, and
390 TLS is then started using the protocol's STARTTLS command), or
391 immediately (TLS is initialized before the normal protocol ini‐
392 tialization; this requires a separate port). The first mode is
393 the default, but you can switch to the second mode by disabling
394 tls_starttls.
395 When TLS is started, the server sends a certificate to identify
396 itself. To verify the server identity, a client program is ex‐
397 pected to check that the certificate is formally correct and
398 that it was issued by a Certificate Authority (CA) that the user
399 trusts. (There can also be certificate chains with intermediate
400 CAs.)
401 The list of trusted CAs is specified using the tls_trust_file
402 command. The default value ist "system" and chooses the system-
403 wide default, but you can also choose the trusted CAs yourself.
404 One practical problem with this approach is that the client pro‐
405 gram should also check if the server certificate has been re‐
406 voked for some reason, using a Certificate Revocation List
407 (CRL). A CRL file can be specified using the tls_crl_file com‐
408 mand, but getting the relevant CRL files and keeping them up to
409 date is not straightforward. You are basically on your own.
410 A much more serious and fundamental problem is that you need to
411 trust CAs. Like any other organization, a CA can be incompe‐
412 tent, malicious, subverted by bad people, or forced by govern‐
413 ment agencies to compromise end users without telling them. All
414 of these things happened and continue to happen worldwide. The
415 idea to have central organizations that have to be trusted for
416 your communication to be secure is fundamentally broken.
417 Instead of putting trust in a CA, you can choose to trust only a
418 single certificate for the server you want to connect to. For
419 that purpose, specify the certificate fingerprint with tls_fin‐
420 gerprint. This makes sure that no man-in-the-middle can fake the
421 identity of the server by presenting you a fraudulent certifi‐
422 cate issued by some CA that happens to be in your trust list.
423 However, you have to update the fingerprint whenever the server
424 certificate changes, and you have to make sure that the change
425 is legitimate each time, e.g. when the old certificate expired.
426 This is inconvenient, but it's the price to pay.
427 Information about a server certificate can be obtained with
428 --serverinfo --tls --tls-certcheck=off. This includes the issuer
429 CA of the certificate (so you can trust that CA via
430 tls_trust_file), and the fingerprint of the certificate (so you
431 can trust that particular certificate via tls_fingerprint).
432 TLS also allows the server to verify the identity of the client.
433 For this purpose, the client has to present a certificate issued
434 by a CA that the server trusts. To present that certificate, the
435 client also needs the matching key file. You can set the cer‐
436 tificate and key files using tls_cert_file and tls_key_file.
437 This mechanism can also be used to authenticate users, so that
438 traditional user / password authentication is not necessary any‐
439 more. See the external mechanism in auth.
440 You can also use client certificates stored on some external au‐
441 thentication device by specifying GnuTLS device URIs in
442 tls_cert_file and tls_key_file. You can find the correct URIs
443 using p11tool --list-privkeys --login (p11tool is bundled with
444 GnuTLS). If your device requires a PIN to access the data, you
445 can specify that using one of the password mechanisms (e.g.
446 passwordeval, password).
447
448 tls_starttls [(on|off)]
449 Choose the TLS variant: start TLS from within the session (on,
450 default), or tunnel the session through TLS (off).
451
452 tls_trust_file file
453 Activate server certificate verification using a list of trusted
454 Certification Authorities (CAs). The default is the special
455 value "system", which selects the system default. An empty argu‐
456 ment disables trust in CAs. If you select a file, it must be in
457 PEM format, and you should also use tls_crl_file.
458
459 tls_crl_file [file]
460 Set a certificate revocation list (CRL) file for TLS, to check
461 for revoked certificates. An empty argument disables this.
462
463 tls_fingerprint [fingerprint]
464 Set the fingerprint of a single certificate to accept for TLS.
465 This certificate will be trusted regardless of its contents
466 (this overrides tls_trust_file). The fingerprint should be of
467 type SHA256, but can for backwards compatibility also be of type
468 SHA1 or MD5 (please avoid this). The format should be
469 01:23:45:67:.... Use --serverinfo --tls --tls-certcheck=off
470 --tls-fingerprint= to get the server certificate fingerprint.
471
472 tls_key_file file
473 Send a client certificate to the server (use this together with
474 tls_cert_file}). The file must contain the private key of a
475 certificate in PEM format. An empty argument disables this fea‐
476 ture.
477
478 tls_cert_file file
479 Send a client certificate to the server (use this together with
480 tls_key_file). The file must contain a certificate in PEM for‐
481 mat. An empty argument disables this feature.
482
483 tls_certcheck [(on|off)]
484 Enable or disable checks of the server certificate. They are en‐
485 abled by default. Disabling them will override tls_trust_file
486 and tls_fingerprint. WARNING: When the checks are disabled, TLS
487 sessions will not be secure!
488
489 tls_min_dh_prime_bits [bits]
490 Set or unset the minimum number of Diffie-Hellman (DH) prime
491 bits that mpop will accept for TLS sessions. The default is set
492 by the TLS library and can be selected by using an empty argu‐
493 ment to this command. Only lower the default (for example to
494 512 bits) if there is no other way to make TLS work with the re‐
495 mote server.
496
497 tls_priorities [priorities]
498 Set the priorities for TLS sessions. The default is set by the
499 TLS library and can be selected by using an empty argument to
500 this command. See the GnuTLS documentation of the gnutls_prior‐
501 ity_init function for a description of the priorities string.
502
503 tls_host_override [host]
504 By default, TLS host verification uses the host name given by
505 the host command. This command allows to use a different host
506 name for verification. This is only useful in special cases.
507
508 delivery method method_arguments...
509 How to deliver messages received from this account.
510
511 delivery mda command
512 Deliver the mails through a mail delivery agent (MDA).
513 All occurrences of %F in the command will be replaced
514 with the envelope from address of the current message (or
515 MAILER-DAEMON if none is found). Note that this address
516 is guaranteed to contain only letters a-z and A-Z, digits
517 0-9, and any of ".@_-+/", even though that is only a sub‐
518 set of what is theoretically allowed in a mail address.
519 Other characters, including those interpreted by the
520 shell, are replaced with "_". Nevertheless, you should
521 put %F into single quotes: '%F'.
522 Use "delivery mda /usr/bin/procmail -f '%F' -d $USER" for
523 the procmail MDA.
524 Use "delivery mda /usr/sbin/sendmail -oi -oem -f '%F' --
525 $USER" to let your MTA handle the mail.
526 Use "delivery mda /usr/local/bin/msmtp --host=localhost
527 --from='%F' -- $USER@`hostname`.`dnsdomainname`" to pass
528 the mail to your MTA via SMTP. (This is what fetchmail
529 does by default.)
530
531 delivery maildir directory
532 Deliver the mails to the given maildir directory. The di‐
533 rectory must exist and it must have the maildir subdirec‐
534 tories cur, new, and tmp; mpop will not create directo‐
535 ries. This delivery type only works on file systems that
536 support hard links.
537
538 delivery mbox mbox-file
539 Deliver the mails to the given file in mbox format. The
540 file will be locked with fcntl(2). mpop uses the MBOXRD
541 mbox format variant; see the documentation of the mbox
542 format.
543
544 delivery exchange directory
545 Deliver the mails to the given Exchange pickup directory.
546 The directory must exist.
547
548 If the delivery method needs to parse the mail headers for an
549 envelope from address (the mda method if the command contains
550 %F, and the mbox method), then it needs to create a temporary
551 file to store the mail headers (but not the body) in. See $TM‐
552 PDIR in the FILES / ENVIRONMENT section.
553
554 uidls_file filename
555 The file to store UIDLs in. These are needed to identify new
556 messages. %U in the filename will be replaced by the username
557 of the current account. %H in the filename will be replaced by
558 the hostname of the current account. If the filename contains
559 directories that do not exist, mpop will create them. mpop
560 locks this file for exclusive access when accessing the associ‐
561 ated POP3 account.
562 The default value is "~/.mpop_uidls/%U_at_%H". You can also use
563 a single UIDLS file for multiple accounts, but then you cannot
564 poll more than one of these accounts at the same time.
565
566 only_new [(on|off)]
567 By default, mpop processes only new messages (new messages are
568 those that were not already successfully retrieved in an earlier
569 session). If this option is turned off, mpop will process all
570 messages.
571
572 keep [(on|off)]
573 Keep all mails on the POP3 server, never delete them. The de‐
574 fault behaviour is to delete mails that have been successfully
575 retrieved or filtered by kill filters.
576
577 killsize (off|size)
578 Mails larger than the given size will be deleted (unless the
579 keep command is used, in which case they will just be skipped).
580 The size argument must be zero or greater. If it is followed by
581 a `k' or an `m', the size is measured in kibibytes/mebibytes in‐
582 stead of bytes. Note that some POP3 servers report slightly in‐
583 correct sizes for mails; see NOTES below.
584 When killsize is set to 0 and keep is set to on, then all mails
585 are marked as retrieved, but no mail gets deleted from the
586 server. This can be used to synchronize the UID list on the
587 client to the UID list on the server.
588
589 skipsize (off|size)
590 Mails larger than the given size will be skipped (not down‐
591 loaded). The size argument must be zero or greater. If it is
592 followed by a `k' or an `m', the size is measured in
593 kibibytes/mebibytes instead of bytes. Note that some POP3
594 servers report slightly incorrect sizes for mails; see NOTES be‐
595 low.
596
597 filter [command]
598 Set a filter which will decide whether to retrieve, skip, or
599 delete each mail by investigating the mail's headers. The POP3
600 server must support the POP3 TOP command for this to work; see
601 option --serverinfo above. An empty argument disables filtering.
602 All occurrences of %F in the command will be replaced with the
603 envelope from address of the current message (or MAILER-DAEMON
604 if none is found). Note that this address is guaranteed to con‐
605 tain only letters a-z and A-Z, digits 0-9, and any of ".@_-+/",
606 even though that is only a subset of what is theoretically al‐
607 lowed in a mail address. Other characters, including those in‐
608 terpreted by the shell, are replaced with "_". Nevertheless, you
609 should put %F into single quotes: '%F'.
610 All occurrences of %S in the command will be replaced with the
611 size of the current mail as reported by the POP3 server.
612 The mail headers (plus the blank line separating the headers
613 from the body) will be piped to the command. Based on the return
614 code, mpop decides what to do with the mail:
615 0: proceed normally; no special action
616 1: delete the mail; do not retrieve it
617 2: skip the mail; do not retrieve it
618 Return codes greater than or equal to 3 mean that an error oc‐
619 curred. The sysexits.h error codes may be used to give informa‐
620 tion about the kind of the error, but this is not necessary.
621
622 received_header [(on|off)]
623 Enable or disable adding a Received header. By default, mpop
624 prepends a Received header to the mail during delivery. This is
625 required by the RFCs if the mail is subsequently further deliv‐
626 ered e.g. via SMTP.
627
629 There are three filtering commands available. They will be executed in
630 the following order:
631 killsize
632 skipsize
633 filter
634 If a filtering command applies to a mail, the remaining filters will
635 not be executed.
636
638 Configuration file
639
640 # Example for a user configuration file ~/.mpoprc
641 #
642 # This file focusses on TLS, authentication, and the mail delivery
643 method.
644 # Features not used here include mail filtering, timeouts, SOCKS prox‐
645 ies,
646 # TLS parameters, and more.
647
648 # Set default values for all following accounts.
649 defaults
650
651 # Always use TLS.
652 tls on
653
654 # Set a list of trusted CAs for TLS. The default is to use system set‐
655 tings, but
656 # you can select your own file.
657 #tls_trust_file /etc/ssl/certs/ca-certificates.crt
658
659 # If you select your own file, you should also use the tls_crl_file
660 command to
661 # check for revoked certificates, but unfortunately getting revocation
662 lists and
663 # keeping them up to date is not straightforward.
664 #tls_crl_file ~/.tls-crls
665
666 # Deliver mail to an MBOX mail file:
667 delivery mbox ~/Mail/inbox
668 # Deliver mail to a maildir folder:
669 #delivery maildir ~/Mail/incoming
670 # Deliver mail via procmail:
671 #delivery mda "/usr/bin/procmail -f '%F' -d $USER"
672 # Deliver mail via the local SMTP server:
673 #delivery mda "/usr/bin/msmtp --host=localhost --from='%F' -- $USER"
674 # Deliver mail to an Exchange pickup directory:
675 #delivery exchange c:\exchange\pickup
676
677 # Use an UIDLS file in ~/.local/share instead of ~/.mpop_uidls
678 uidls_file ~/.local/share/%U_at_%H
679
680 # A freemail service
681 account freemail
682
683 # Host name of the POP3 server
684 host pop.freemail.example
685
686 # As an alternative to tls_trust_file/tls_crl_file, you can use
687 tls_fingerprint
688 # to pin a single certificate. You have to update the fingerprint when
689 the
690 # server certificate changes, but an attacker cannot trick you into ac‐
691 cepting
692 # a fraudulent certificate. Get the fingerprint with
693 # $ mpop --serverinfo --tls --tls-certcheck=off --host=pop.freemail.ex‐
694 ample
695 #tls_fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11
696 :22:33
697
698 # Authentication. The password is given using one of five methods, see
699 below.
700 user joe.smith
701
702 # Password method 1: Add the password to the system keyring, and let
703 mpop get
704 # it automatically. To set the keyring password using Gnome's libse‐
705 cret:
706 # $ secret-tool store --label=mpop \
707 # host pop.freemail.example \
708 # service pop3 \
709 # user joe.smith
710
711 # Password method 2: Store the password in an encrypted file, and tell
712 mpop
713 # which command to use to decrypt it. This is usually used with GnuPG,
714 as in
715 # this example. Usually gpg-agent will ask once for the decryption
716 password.
717 passwordeval gpg2 --no-tty -q -d ~/.mpop-password.gpg
718
719 # Password method 3: Store the password directly in this file. Usually
720 it is not
721 # a good idea to store passwords in cleartext files. If you do it any‐
722 way, at
723 # least make sure that this file can only be read by yourself.
724 #password secret123
725
726 # Password method 4: Store the password in ~/.netrc. This method is
727 probably not
728 # relevant anymore.
729
730 # Password method 5: Do not specify a password. Mpop will then prompt
731 you for
732 # it. This means you need to be able to type into a terminal when mpop
733 runs.
734
735 # A second mail box at the same freemail service
736 account freemail2 : freemail
737 user joey
738
739 # The POP3 server of your ISP
740 account isp
741 host mail.isp.example
742 auth on
743 user 12345
744 # Your ISP runs SpamAssassin, so test each mail for the "X-Spam-Status:
745 Yes"
746 # header, and delete all mails with this header before downloading
747 them.
748 filter if [ "`grep "^X-Spam-Status: Yes"`" ]; then exit 1; else exit
749 0; fi
750
751 # Set a default account
752 account default : freemail
753
754
755 Filtering with SpamAssassin
756
757 The command filter "/path/to/spamc -c > /dev/null" will delete all
758 mails that SpamAssassin thinks are spam. Since no message body is
759 passed to SpamAssassin, you should disable all body-specific tests in
760 the SpamAssassin configuration file; for example set use_bayes 0.
761
762 If your mail provider runs SpamAssassin for you, you just have to check
763 for the result. The following script can do that when used as an mpop
764 filter:
765 #!/bin/sh
766 if [ "`grep "^X-Spam-Status: Yes"`" ]; then
767 exit 1 # kill this message
768 else
769 exit 0 # proceed normally
770 fi
771 Since the filter command is passed to a shell, you can also use this
772 directly:
773 filter if [ "`grep "^X-Spam-Status: Yes"`" ]; then exit 1; else exit 0;
774 fi
775
776
777 Using mpop with Tor
778
779 Use the following settings:
780 proxy_host 127.0.0.1
781 proxy_port 9050
782 tls on
783 Use an IP address as proxy host name, so that mpop does not leak a DNS
784 query when resolving it.
785 TLS is required to prevent exit hosts from reading your POP3 session.
786
787
788
790 ~/.mpoprc or $XDG_CONFIG_HOME/mpop/config
791 Default configuration file.
792
793 ~/.mpop_uidls
794 Default directory to store UIDLs files in.
795
796 ~/.netrc and SYSCONFDIR/netrc
797 The netrc file contains login information. Before prompting for
798 a password, msmtp will search it in ~/.netrc and
799 SYSCONFDIR/netrc.
800
802 $USER, $LOGNAME
803 These variables override the user's login name. $LOGNAME is only
804 used if $USER is unset. The user's login name is used for Re‐
805 ceived headers.
806
807 $TMPDIR
808 Directory to create temporary files in. If this is unset, a sys‐
809 tem specific default directory is used.
810
812 mpop was written by Martin Lambers <marlam@marlam.de>
813 Other authors are listed in the AUTHORS file in the source distribu‐
814 tion.
815
817 procmail(1), spamassassin(1), netrc(5) or ftp(1), mbox(5), fcntl(2)
818
819
820
821 2020-06 MPOP(1)