The IMAP Server

There is a new IMAP server which is now in a pilot phase. It does provide all the features the old IMAP server on is having. According to the feedback of the users the server seems to be fully operational.

Main characteristics of the IMAP server

The IMAP server is based on the most recent release of dovecot (1.2rc3 as of April 17, 2009). It has been built with support for the sieve language (new implementation of the language for dovecot, version 0.1.4) and also implements the managesieve protocol as a dovecot addon (version 0.11.3). The following features are compiled in and are configured respectively:

Using the new IMAP server

The new server gets used by changing the mail routing information from the current maildrop (typically <username> to <username> on our central mail server

/!\ This can only be done by an administrator by changing the information in the file /var/forward/<username>

The following sections describe the use of as the primary IMAP mail server

The mail stores


The recommended way of authenticating is using Kerberos5 by presenting a valid ticket from the DESY.DE or IFH.DE realm. If a computer outside DESY is used then a Kerberos 5 ticket should be obtained before starting your mail reader.

This can be achieved with the command

kinit <username>@DESY.DE or
kinit <username>@IFH.DE

Access to the imap server is always encrypted. This means the TLS or SSL protocol must be used. This also means on the client side (the computer from where you start the mail reader) certificates have to be installed to be able to decrypt the server responses. Please see the mail reader specific sections for details how to do that.

Authentication using username and password is possible as well. Both authentication methods have successfully been tested with alpine and thunderbird, while in Outlook Kerberos5 authentication is not working yet.


Mail Filtering

The IMAP server does have an integrated filter called sieve that is engaged whenever new mail is delivered to the INBOX on The filter language is described in

Filters can be created using a web interface and get installed on in the location /var/spool/sieve/<username>.sieve. If there is no user defined filter then the global filter default.sieve is engaged:

require "fileinto";
if header :contains "X-Spam-Level" "*****" {
  fileinto "junk";

It filters all spam mails into the folder junk on the mail server, is not a local folder. More sophisticated mail filters can be created by using the web interface. Using the basic mode (the default) guarantees that syntactically correct filters get created without knowing the sieve language syntax. Advanced users can write their own sieve script. If there is no syntax error a (compiled) .svbin file is generated, otherwise a .sieve.err file is written that contains the error message. As it resides on the mail server, only administrators get access to these files. Therefore usage of the advanced mode is not recommended.

Creation of own filter rules should be simple as the web interface is fairly intuitive. Only the complete removal of own filter scripts is somewhat tricky. It can be achieved selecting "Advanced options", then writing "default" into the "Delete script name" field, selecting the "No" button beneath "Activate Script?" and then click on "Save changes"


Currently there is a global mail quota limit of 1000 MB configured. That holds true for each user as long as the attribute mailquota (size in Megabytes) in the vamos account information is not set. The mail quota setting and its current usage can be displayed using the command

  check_inbox -h

The displayed usage does not precisely reflect the summed up individual mail sizes on disk. If the mail quota for a user has been changed, the mail client has to be restarted, otherwise the changed quota does not become effective.

Delivery to the INBOX takes place even if quota is exceeded (up to a total size of 2000 MB). When Quota is above that limit then mail delivery is temporarily suspended until the INBOX is cleaned up. If that does not take place for 5 days, mail is bounced back as undeliverable. When the user is over quota, moving mails around is no longer possible, only deleting is still possible.

Mail client specific information


Alpine and Pine

Installing the certificates (requires root access)

This step is already done on DESY computers

<!> Notice!
The following procedure needs to be followed if you get warnings concerning certificates

Download chain.txt from the DFN Public Key Infrasrtucture server and copy the file to

Then change into the directory containing the certs directory, i.e. /etc/ssl and /etc/pki/tls respectively. If there is already a file or a symlink with the name cert.pem then remove it or move it out of the way. You have to create a symlink cert.pem-> certs/chain.txt by executing

ln -s certs/chain.txt cert.pem

If the file cert.pem is already existing and does not point to a file containing all the certificates required for verification of the mail server certificate the certs directory is searched for the individual required certificates which can be downloaded from

For each of the downloaded files the following command has to be issued (make sure you are in the certs directory), otherwise the certificates will not be found:

Configuring alpine by editing .pinerc

add or modify the following lines in .pinerc:

# the next line is optional and provides access to the junk folder to train the spam filter
junkmail {}#shared/junk
# the local folders (mbox format) and the folders on the server (maildir format)
folder-collections=mail/[],Folders on {}[]
# pressing <TAB> at the last mail in the INBOX checks and opens the next INBOX
# immediate startup (for non DESY computers required)

Configuring alpine by using the configure screen of alpine

The configure screen can be accessed from the main menu by selecting the setup menu and then select the "(C) Config" screen.

To set rsh-open-timeout=0 you may have to

Using alpine

To move or copy local folders or folders from an old IMAP server to the server do the following



<!> Notice!
The following procedure needs to be followed to avoid certificate warnings

Download the following certificates to your home directory:

Start thunderbird and create a new mail account:

Then in the newly created account change some settings:

To avoid security warnings about certificates that cannot be verified:

To have thunderbird look in all folders for new mail:

Sending mail

The instructions here do not belong to the IMAP server information, an SMTP server is responsible for sending mail. On DESY computers everything is already configured. On other computers within the DESY network the server can be configured as outgoing mail server. If the computer is not in the DESY network, then can only be used together with authenticated SMTP.

If you followed the instructions concerning certificates the infrastructure to use that should already be in place. You have to configure your mail client to use as the outgoing mail server, use your (UNIX) username (and password) for authentication and use an encrypted connection (TLS, not SSL) on port 25. For thunderbird that is done on config screens, for pine/alpine the line

enables authenticated smtp.

IMAPServer (last edited 2009-04-27 14:02:03 by WolfgangFriebel)