pop3

Name

pop3 — Gromox POP3 server

Authentication

The POP3 server supports impersonation; see imap(8gx) for details.

Synopsis

pop3 [-c config]

Options

-c config

Read configuration directives from the given file. If this option is not specified, /etc/gromox/pop3.cfg will be read if it exists.

--version

Output version information and exit.

-?

Display option summary.

All time-based command-line options and configuration file directives are subject to the syntax described in gromox(7), section "Duration specifications".

Configuration directives (gromox.cfg)

The following directives are recognized when reading from /etc/gromox/gromox.cfg, or when the -c option is used to specify a custom file:

daemons_fd_limit

In gromox-pop3, this is treated as an alias for pop3_fd_limit.

pop3_fd_limit

Request that the file descriptor table be at least this large. The magic value 0 indicates that the system default hard limit (rlim_max, cf. setrlimit(2)) should be used.

Default: 0

pop3_accept_haproxy

This directive sets the expectation for incoming connections to carry haproxy's "PROXY" protocol extension version 2 (2), or no such header (0). When a (reverse) proxy is placed in front of gromox-pop3, the address that gxpop3 normally sees is the proxy address (e.g. ::1). A proxy can use this protocol extension to convey the actual client address, and gxpop3 can pick this up for its own reporting, which in turn is useful for e.g. fail2ban setups.

Default: 0

Configuration directives (pop3.cfg)

The following directives are recognized when reading from /etc/gromox/pop3.cfg, or when the -c option is used to specify a custom file:

block_interval_auths

The amount of time a user is blocked from connecting to the service after too many failed logins.

Default: 1 minute

config_file_path

Colon-separated list of directories in which further configuration files, especially those used by plugin instances, will be searched.

Default: /etc/gromox/pop3:/etc/gromox

context_average_mem

Default: 256K

context_average_units

Lower clamp is 256.

Default: 1024

context_max_mem

Network buffer per client.

Default: 2M

context_num

Default: 200

data_file_path

Colon-separated list of directories in which static data files will be searched.

Default: /usr/share/gromox/pop3

enable_capa_implementation

When enabled, the server will include an "IMPLEMENTATION" line in the CAPA response (RFC 2449 §6.9). This is disabled by default, as it can facilitate potential attackers' information gathering.

Default: no

host_id

A unique identifier for this system. It is used in the POP3 protocol greeting lines (positive as well as negative). The identifier should only use characters allowed for hostnames.

Default: (system hostname)

pop3_auth_times

The number of login tries a user is allowed before the account is blocked.

Default: 3

pop3_certificate_passwd

The password to unlock TLS certificates.

Default: (unset)

pop3_certificate_path

A colon-separated list of TLS certificate files. The complete certificate chain should be present (as there is no other config directive to pull CA certs in, and implicit loading from system directories is not guaranteed by Gromox).

Default: (unset)

pop3_cmd_debug

Log every incoming POP3 command and the return code of the operation in a minimal fashion to stderr (not pop3_log_file!). Level 1 emits commands that have failed execution, level 2 emits all commands.

Default: 0

pop3_conn_timeout

If a POP3 connection is inactive for the given period, the connection is terminated.

Default: 3 minutes

pop3_force_tls

This flag controls whether clients must utilize TLS, either by way of implicit TLS (cf. pop3_listen_tls_port), or through the STLS command.

Default: false

pop3_listen_addr

AF_INET6 socket address to bind the POP3 service to.

Default: ::

pop3_listen_port

The TCP port to expose the POP3 protocol service on. (The IP address is fixed to the wildcard address.)

Default: 110

pop3_listen_tls_port

The TCP port to expose implicit-TLS POP3 protocol service (POP3S) on. (The IP address is fixed to the wildcard address.)

Default: (unset)

pop3_log_file

Target for log messages here. Special values: "-" (stderr/syslog depending on parent PID) or "syslog" are recognized.

Default: - (auto)

pop3_log_level

Maximum verbosity of logging. 1=crit, 2=error, 3=warn, 4=notice, 5=info, 6=debug.

Default: 4 (notice)

pop3_private_key_path

A colon-separated list of TLS certificate private key files.

Default: (unset)

pop3_support_tls

This flag controls the offering of TLS modes. This affects both the implicit TLS port as well as the advertisement of the STARTTLS extension and availability of the STLS command (RFC 2595) to clients.

Default: false

pop3_thread_charge_num

Connection load factor (oversubscription ratio) for a processing thread.

Default: 40

pop3_thread_init_num

The initial and also minimum number of client processing threads to keep around. This is similar to php-fpm's start_servers/min_spare_servere. (The maximum number of threads, i.e. what would be max_spare_servers, is determined by: context_num divided by imap_thread_charge_num)

Default: 5

running_identity

An unprivileged user account to switch the process to after startup. To inhibit the switch, assign the empty value.

Default: gromox

tls_min_proto

The lowest TLS version to offer. Possible values are: tls1.0, tls1.1, tls1.2, and, if supported by the system, tls1.3.

Default: tls1.2

Files

• data_file_path/pop3_code.txt: Mapping from internal POP3 error codes to textual descriptions.

• /usr/lib/gromox/libgxs_*.so: service plugins

See also

gromox(7), midb_agent(4gx)