A suggestion for a suitable configuration file can be generated using the --configure option. The
default configuration file is ~/.mpoprc or $XDG_CONFIG_HOME/mpop/config. Settings in this file can be
changed by command line options.
A configuration file is a simple text file. Empty lines and comment lines (first non-blank character is
'#') are ignored. Every other line must contain a command and may contain an argument to that command.
The argument may be enclosed in double quotes (").
If a file name starts with the tilde (~), this tilde will be replaced by $HOME.
If a command accepts the argument on, it also accepts an empty argument and treats that as if it was on.
Commands are organized in accounts. Each account starts with the account command and defines the settings
for one POP3 account.
Commands are as follows:
defaults
Set defaults. The following configuration commands will set default values for all following
account definitions.
account name [:account[,...]]
Start a new account definition with the given name. The current default values are filled in.
If a colon and a list of previously defined accounts is given after the account name, the new
account, with the filled in default values, will inherit all settings from the accounts in the
list.
eval cmd
Replace the current configuration file line with the first line of the output (stdout) of the
command cmd. This can be used to decrypt settings or to create them via scripts. For example, evalechohostlocalhost replaces the current line with hostlocalhost.
Note that every eval line will be evaluated when the configuration file is read.
Note that for passwords you can also use the passwordeval command instead of evalpasswordcmd.
This has the advantage that the command is only evaluated if needed.
host hostname
The POP3 server to retrieve mails from. The argument may be a host name or a network address.
Every account definition must contain this command.
port number
The port that the POP3 server listens on. The default is 110 ("pop3"), unless TLS without STARTTLS
is used, in which case it is 995 ("pop3s").
source_ip [IP]
Set a source IP address to bind the outgoing connection to. Useful only in special cases on multi-
home systems. An empty argument disables this.
proxy_host [IP|hostname]
Use a SOCKS proxy. All network traffic will go through this proxy host, including DNS queries,
except for a DNS query that might be necessary to resolve the proxy host name itself (this can be
avoided by using an IP address as proxy host name). An empty hostname argument disables proxy
usage. The supported SOCKS protocol version is 5. If you want to use this with Tor, see also
"Using mpop with Tor" below.
proxy_port [number]
Set the port number for the proxy host. An empty number argument resets this to the default port,
which is 1080 ("socks").
socket socketname
Set the file name of a unix domain socket to connect to. This overrides both host/port and
proxy_host/proxy_port.
timeout (off|seconds)
Set or unset a network timeout, in seconds. The default is 180 seconds. The argument off means
that no timeout will be set, which means that the operating system default will be used.
pipelining (auto|on|off)
Enable or disable POP3 pipelining. You should never need to change the default setting, which is
auto: mpop enables pipelining for POP3 servers that advertise this capability, and disables it for
all other servers. Pipelining can speed up a POP3 session substantially.
auth [(on|method)]
Choose an authentication method. The default argument on chooses a method automatically.
Usually a user name and a password are used for authentication. The user name is specified in the
configuration file with the user command. There are five different methods to specify the
password:
1. Add the password to the system key ring. Currently supported key rings are the Gnome key ring
and the Mac OS X Keychain. For the Gnome key ring, use the command secret-tool (part of Gnome's
libsecret) to store passwords: secret-tool store --label=mpop host pop.freemail.example service
pop3 user joe.smith. On Mac OS X, use the following command: security add-internet-password -s
pop.freemail.example -r pop3 -a joe.smith -w. In both examples, replace pop.freemail.example with
the POP3 server name, and joe.smith with your user name.
2. Store the password in an encrypted files, and use passwordeval to specify a command to decrypt
that file, e.g. using GnuPG. See EXAMPLES.
3. Store the password in the configuration file using the password command. (Usually it is not
considered a good idea to store passwords in cleartext files. If you do it anyway, you must make
sure that the file can only be read by yourself.)
4. Store the password in ~/.netrc. This method is probably obsolete.
5. Type the password into the terminal when it is required.
It is recommended to use method 1 or 2.
Multiple authentication methods exist. Most servers support only some of them.
The following user / password methods are supported: user (a simple plain text method supported by
all servers), plain (another simple cleartext method, supported by almost all servers),
scram-sha-1 and scram-sha-1-plus (a method that avoids cleartext passwords and requires the server
to prove that it is in posession of the (hashed and salted) password, which prevents some man-in-
the-middle-attacks. The -plus variant additionally uses TLS channel binding information for even
better security guarantees), scram-sha-256 and scram-sha-256-plus (same but with a stronger hash
function), apop (an obsolete method that avoids cleartext passwords, but is not considered secure
anymore), cram-md5 (an obsolete method that avoids cleartext passwords, but is not considered
secure anymore), digest-md5 (an overcomplicated obsolete method that avoids cleartext passwords,
but is not considered secure anymore), login (a non-standard cleartext method similar to but worse
than the plain method), ntlm (an obscure non-standard method that is now considered broken; it
sometimes requires a special domain parameter passed via ntlmdomain).
If no method is specified, mpop will autoselect one based on security benefits. With TLS, the
order is scram-sha-256-plus, scram-sha-1-plus, scram-sha-256, scram-sha-1, plain, followed by some
of the obsolete methods if nothing else is available. Without TLS, only scram-sha-256 and
scram-sha-1 are considered.
There are currently three authentication methods that are not based on user / password information
and have to be chosen manually: oauthbearer or its predecessor xoauth2 (an OAuth2 token from the
mail provider is used as the password. See the documentation of your mail provider for details on
how to get this token. The passwordeval command can be used to pass the regularly changing tokens
into mpop from a script or an environment variable), external (the authentication happens outside
of the protocol, typically by sending a TLS client certificate, and the method merely confirms
that this authentication succeeded), and gssapi (the Kerberos framework takes care of secure
authentication, only a user name is required).
It depends on the underlying authentication library and its version whether a particular method is
supported or not. Use --version to find out which methods are supported.
user login
Set the user name for authentication. An empty argument unsets the user name.
password secret
Set the password for authentication. An empty argument unsets the password. Consider using the
passwordeval command or a key ring instead of this command, to avoid storing cleartext passwords
in the configuration file.
passwordeval [cmd]
Set the password for authentication to the output (stdout) of the command cmd. This can be used
e.g. to decrypt password files on the fly or to query key rings, and thus to avoid storing
cleartext passwords.
ntlmdomain [domain]
Set a domain for the ntlm authentication method. This is obsolete.
tls [(on|off)]
Enable or disable TLS (also known as SSL) for secured connections.
Transport Layer Security (TLS) "... provides communications privacy over the Internet. The
protocol allows client/server applications to communicate in a way that is designed to prevent
eavesdropping, tampering, or message forgery" (quote from RFC2246).
A server can use TLS in one of two modes: via a STARTTLS command (the session starts with the
normal protocol initialization, and TLS is then started using the protocol's STARTTLS command), or
immediately (TLS is initialized before the normal protocol initialization; this requires a
separate port). The first mode is the default, but you can switch to the second mode by disabling
tls_starttls.
When TLS is started, the server sends a certificate to identify itself. To verify the server
identity, a client program is expected to check that the certificate is formally correct and that
it was issued by a Certificate Authority (CA) that the user trusts. (There can also be certificate
chains with intermediate CAs.)
The list of trusted CAs is specified using the tls_trust_file command. The default value ist
"system" and chooses the system-wide default, but you can also choose the trusted CAs yourself.
A fundamental problem with this is that you need to trust CAs. Like any other organization, a CA
can be incompetent, malicious, subverted by bad people, or forced by government agencies to
compromise end users without telling them. All of these things happened and continue to happen
worldwide. The idea to have central organizations that have to be trusted for your communication
to be secure is fundamentally broken.
Instead of putting trust in a CA, you can choose to trust only a single certificate for the server
you want to connect to. For that purpose, specify the certificate fingerprint with
tls_fingerprint. This makes sure that no man-in-the-middle can fake the identity of the server by
presenting you a fraudulent certificate issued by some CA that happens to be in your trust list.
However, you have to update the fingerprint whenever the server certificate changes, and you have
to make sure that the change is legitimate each time, e.g. when the old certificate expired. This
is inconvenient, but it's the price to pay.
Information about a server certificate can be obtained with --serverinfo--tls--tls-certcheck=off. This includes the issuer CA of the certificate (so you can trust that CA via
tls_trust_file), and the fingerprint of the certificate (so you can trust that particular
certificate via tls_fingerprint).
TLS also allows the server to verify the identity of the client. For this purpose, the client has
to present a certificate issued by a CA that the server trusts. To present that certificate, the
client also needs the matching key file. You can set the certificate and key files using
tls_cert_file and tls_key_file. This mechanism can also be used to authenticate users, so that
traditional user / password authentication is not necessary anymore. See the external mechanism in
auth.
You can also use client certificates stored on some external authentication device by specifying
GnuTLS device URIs in tls_cert_file and tls_key_file. You can find the correct URIs using p11tool--list-privkeys--login (p11tool is bundled with GnuTLS). If your device requires a PIN to access
the data, you can specify that using one of the password mechanisms (e.g. passwordeval, password).
tls_starttls [(on|off)]
Choose the TLS variant: start TLS from within the session (on, default), or tunnel the session
through TLS (off).
tls_trust_file file
Activate server certificate verification using a list of trusted Certification Authorities (CAs).
The default is the special value "system", which selects the system default. An empty argument
disables trust in CAs. If you select a file, it must be in PEM format, and you should also use
tls_crl_file.
tls_crl_file [file]
This sets a certificate revocation list (CRL) file for TLS, to check for revoked certificates (an
empty argument, which is the default, disables this).
OCSP is an alternative to CRL files. When GnuTLS is used, stapled OCSP information will be
checked automatically, and the MustStaple TLS extension is supported, however no manual OCSP
queries will be sent when stapled OCSP information is missing. With other TLS libraries, behavior
may be different.
tls_fingerprint [fingerprint]
Set the fingerprint of a single certificate to accept for TLS. This certificate will be trusted
regardless of its contents (this overrides tls_trust_file). The fingerprint should be of type
SHA256, but can for backwards compatibility also be of type SHA1 or MD5 (please avoid this). The
format should be 01:23:45:67:.... Use --serverinfo--tls--tls-certcheck=off--tls-fingerprint=
to get the server certificate fingerprint.
tls_key_file file
Send a client certificate to the server (use this together with tls_cert_file}). The file must
contain the private key of a certificate in PEM format. An empty argument disables this feature.
tls_cert_file file
Send a client certificate to the server (use this together with tls_key_file). The file must
contain a certificate in PEM format. An empty argument disables this feature.
tls_certcheck [(on|off)]
Enable or disable checks of the server certificate. They are enabled by default. Disabling them
will override tls_trust_file and tls_fingerprint. WARNING: When the checks are disabled, TLS
sessions will not be secure!
tls_priorities [priorities]
Set priorities for TLS session parameters. The default is set by the TLS library and can be
selected by using an empty argument to this command. The interpretation of the priorities string
depends on the TLS library. Use --version to find out which TLS library you use.
For GnuTLS, see the section on Priority Strings in the manual.
For libtls, the priorites string is a space-separated list of parameter strings prefixed with
either PROTOCOLS=, CIPHERS=, or ECDHECURVES=. These parameter strings will be passed to the
functions tls_config_parse_protocols, tls_config_set_ciphers, and tls_config_set_ecdhecurves.
Unrecognized parts of the priorities string will be ignored. Example: "PROTOCOLS=TLSv1.3
CIPHERS=ECDHE-RSA-AES128-SHA256 ECDHECURVES=P-384".
tls_host_override [host]
By default, TLS host verification uses the host name given by the host command. This command
allows one to use a different host name for verification. This is only useful in special cases.
tls_min_dh_prime_bits [bits]
Deprecated, use tls_priorities instead. Set or unset the minimum number of Diffie-Hellman (DH)
prime bits accepted for TLS sessions. The default is set by the TLS library and can be selected by
using an empty argument to this command. Only lower the default (for example to 512 bits) if there
is no other way to make TLS work with the remote server.
delivery methodmethod_arguments...
How to deliver messages received from this account.
delivery mda command
Deliver the mails through a mail delivery agent (MDA).
All occurrences of %F in the command will be replaced with the envelope from address of the
current message (or MAILER-DAEMON if none is found). Note that this address is guaranteed
to contain only letters a-z and A-Z, digits 0-9, and any of ".@_-+/", even though that is
only a subset of what is theoretically allowed in a mail address. Other characters,
including those interpreted by the shell, are replaced with "_". Nevertheless, you should
put %F into single quotes: '%F'.
Use "delivery mda /usr/bin/procmail -f '%F' -d $USER" for the procmail MDA.
Use "delivery mda /usr/sbin/sendmail -oi -oem -f '%F' -- $USER" to let your MTA handle the
mail.
Use "delivery mda /usr/local/bin/msmtp --host=localhost --from='%F' --
$USER@`hostname`.`dnsdomainname`" to pass the mail to your MTA via SMTP. (This is what
fetchmail does by default.)
delivery maildir directory
Deliver the mails to the given maildir directory. The directory must exist and it must have
the maildir subdirectories cur, new, and tmp; mpop will not create directories. This
delivery type only works on file systems that support hard links.
delivery mbox mbox-file
Deliver the mails to the given file in mbox format. The file will be locked with fcntl(2).
mpop uses the MBOXRD mbox format variant; see the documentation of the mbox format.
delivery exchange directory
Deliver the mails to the given Exchange pickup directory. The directory must exist.
If the delivery method needs to parse the mail headers for an envelope from address (the mda
method if the command contains %F, and the mbox method), then it needs to create a temporary file
to store the mail headers (but not the body) in.
uidls_file filename
The file to store UIDLs in. These are needed to identify new messages. %U in the filename will be
replaced by the username of the current account. %H in the filename will be replaced by the
hostname of the current account. If the filename contains directories that do not exist, mpop
will create them. mpop locks this file for exclusive access when accessing the associated POP3
account.
The default value is "~/.mpop_uidls/%U_at_%H". You can also use a single UIDLS file for multiple
accounts, but then you cannot poll more than one of these accounts at the same time.
only_new [(on|off)]
By default, mpop processes only new messages (new messages are those that were not already
successfully retrieved in an earlier session). If this option is turned off, mpop will process all
messages.
keep [(on|off)]
Keep all mails on the POP3 server, never delete them. The default behaviour is to delete mails
that have been successfully retrieved or filtered by kill filters.
killsize (off|size)
Mails larger than the given size will be deleted (unless the keep command is used, in which case
they will just be skipped). The size argument must be zero or greater. If it is followed by a `k'
or an `m', the size is measured in kibibytes/mebibytes instead of bytes. Note that some POP3
servers report slightly incorrect sizes for mails; see NOTES below.
When killsize is set to 0 and keep is set to on, then all mails are marked as retrieved, but no
mail gets deleted from the server. This can be used to synchronize the UID list on the client to
the UID list on the server.
skipsize (off|size)
Mails larger than the given size will be skipped (not downloaded). The size argument must be zero
or greater. If it is followed by a `k' or an `m', the size is measured in kibibytes/mebibytes
instead of bytes. Note that some POP3 servers report slightly incorrect sizes for mails; see
NOTES below.
filter [command]
Set a filter which will decide whether to retrieve, skip, or delete each mail by investigating the
mail's headers. The POP3 server must support the POP3 TOP command for this to work; see option
--serverinfo above. An empty argument disables filtering.
All occurrences of %F in the command will be replaced with the envelope from address of the
current message (or MAILER-DAEMON if none is found). Note that this address is guaranteed to
contain only letters a-z and A-Z, digits 0-9, and any of ".@_-+/", even though that is only a
subset of what is theoretically allowed in a mail address. Other characters, including those
interpreted by the shell, are replaced with "_". Nevertheless, you should put %F into single
quotes: '%F'.
All occurrences of %S in the command will be replaced with the size of the current mail as
reported by the POP3 server.
The mail headers (plus the blank line separating the headers from the body) will be piped to the
command. Based on the return code, mpop decides what to do with the mail:
0: proceed normally; no special action
1: delete the mail; do not retrieve it
2: skip the mail; do not retrieve it
Return codes greater than or equal to 3 mean that an error occurred. The sysexits.h error codes
may be used to give information about the kind of the error, but this is not necessary.
received_header [(on|off)]
Enable or disable adding a Received header. By default, mpop prepends a Received header to the
mail during delivery. This is required by the RFCs if the mail is subsequently further delivered
e.g. via SMTP.