Unix E-mail Clients

Unlike Windows systems where most machines are clients that connect to remote servers, Unix machines have traditionally handled their own mail - running a daemon for incoming messages and sending outbound mail directly to its destination. The mailstore was held under a subdirectory in the user's home.

With the increasing mobility of users and their use of multiple machines, IMAP has gained popularity as a way of presenting a consistent view of mail and the need to protect against spam has resulted in the creation of mail hubs for both IMAP servers and to safely gather and forward outbound mail. Indeed, Stanford now requires all mail leaving campus to exit through smtp.stanford.edu so our mail server at gpo.stanford.edu eventually forwards outbound mail there.

Configuring Unix e-mail clients for encrypted communications to these hubs falls into three categories:

Direct Configuration
The client knows about SSL/TLS for outbound mail and secure IMAP and certificates for inbound mail.
SSH tunnel to remote proxy
Knowing that the Unix "sendmail" program for outbound mail and the "/etc/rimapd" alias for inbound IMAP will communicate through traditional Unix pipes, some clients allow you to configure an ssh tunnel to the mail hub. This approach can be simpler to specify and can leverage an "ssh identity" for authentication instead of a userid/password.
Local proxy
For clients which are unaware of encrypted communication, local proxy programs can sometimes provide authentication external to the mail client.

Direct Configuration

Pine
Pine's configuration data in .pinerc can be edited directly or updated through the Setup->Config menu.
The updates to connect to our IMAP server are:
inbox-path={gpo.stanford.edu/ssl}INBOX
folder-collections=Mail {gpo.stanford.edu}[]
feature-list=quell-empty-directories
and for the outbound smtp
smtp-server=gpo.stanford.edu/novalidate-cert
Mutt
Use .muttrc to set the following variables for IMAP:
set imap_force_ssl=yes
set imap_servernoise=yes
set imap_home_namespace=Mail
set spoolfile = {descartes@gpo.stanford.edu}INBOX
set folder = {descartes@gpo.stanford.edu}Mail
set certificate_file=~/.mutt-certificates
You will be prompted to accept the server certificate at first use.
Thunderbird
Thunderbird permits you to have multiple mail accounts as long as you use IMAP, but it only allows a single outgoing mail server. The default "Local Mail" account simply holds a folder structure for use with POP.

Create Account
Mail accounts are managed by the dialog:
Tools->Account Settings To create an account, use "Add Account...". After entering data about yourself, choose IMAP as your incoming server type and enter gpo.stanford.edu for both the incoming and outgoing server names.
Edit Properties
Once the basic account is created, you will need to edit the properties before attempting to use it. Start again with "Edit->Preferences->Mail Servers"
Check "Always" under "Use Secure Socket Layer" and then select "Edit..." for gpo.stanford.edu

IMAP tab"
Check "Use secure connection (SSL)".

Exit Thunderbird
Yes, bizarre as it seems, you must now exit Thunderbird and re-invoke it before trying to access the mail account.

Tunnel Configuration

The following descriptions assume that you've created an ssh identity which allows you to login to gpo,stanford.edu without needing to enter a password. Indeed, prior to changing the mail client's configuration, make sure to try:

ssh gpo.stanford.edu /etc/rimapd
to ensure that you don't get prompted for a password otherwise the client will fail since it can't respond to the ssh prompt. This command will generate a response like the following from imap:

* PREAUTH [CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT IDLE CHILDREN LISTEXT LIST-SUBSCRIBED NAMESPACE] Logged in as descartes
You then terminate this imap session by typing ctrl-d.
Note:It's important that the response be as above.

Pine
The Pine tunnel uses ssh to invoke /etc/rimapd on the server for IMAP inbound service and /usr/sbin/sendmail for outbound messages:

sendmail-path=/usr/bin/ssh gpo.stanford.edu /usr/sbin/sendmail -t

inbox-path={gpo.stanford.edu}INBOX

folder-collections=Mail {gpo.stanford.edu}Mail/[]

feature-list=quell-empty-directories

rsh-open-timeout=0

ssh-path=/usr/bin/ssh

Mutt
The Mutt tunnel uses ssh to invoke /etc/rimapd on the server for IMAP inbound service:

set certificate_file=~/.mutt-certificates

set imap_list_subscribed=no

set spoolfile=imaps://descartes@gpo.stanford.edu/INBOX

set folder=imaps://descartes@gpo.stanford.edu/

set tunnel="ssh -q gpo.stanford.edu /etc/rimapd"

set move=no

Proxy Configuration

Mail is a very personal thing and you may want to continue using a client which does not speak IMAP.

Clients in this category include:

elm
emacs-vm
mail
mailx
mh and xmh

Configuring these programs involves pointing them at the right mailspool in your startup script. Using csh this used to be:

setenv MAIL /var/mail/$USER
now you need to put a local spool in your home, e.g.:

setenv MAIL $HOME/Mailbox
and use an inbound proxy to retrieve the remote IMAP mailspool so that the client can process folders locally.

Inbound Proxy

To fill in the local mailspool, you can use an IMAP-aware client like fetchmail. A sample line from .fetchmailrc would contain:

poll gpo.stanford.edu with proto IMAP
       user 'descartes' there is 'descartes' here options keep ssl
       sslfingerprint "C0:27:DD:C6:89:66:3F:BD:E3:C1:15:5C:C8:B9:1A:76"

where "sslfingerprint" provides a cursory check on the authenticity of our SSL certificate.

Outbound Proxy

All these clients are going to invoke the default /usr/sbin/sendmail program for outbound mail. This will be sufficient if your machine is on a public IP address and can thus reach the destination machine directly. Otherwise you need to find or create a cover program for /usr/sbin/sendmail which can connect to gpo.stanford.edu using SSL/TLS and userid/password authentication.