Mail User Agent configuration

Note: the new CAL accounts started receiving e-mail on 1 Aug, 2006

There are two ways to access your CAL e-mail account remotely: webmail and IMAP.


To access your account via webmail, go to and log in with your user name.


To access your account with IMAP and SMTP, you'll need to configure your Mail User Agent properly.

The basic settings are (if you don't understand these, skip to the example section for your favorite MUA):

IMAP Service: either imaps (SSL-wrapped, port 993) or STARTTLS-capable imap (port 143) to
SMTP relay Service: SMTP AUTH with STARTTLS required on submission (port 587) to

The TLS/SSL certificates are signed by the CAL Certificate Authority. Available SASL Authentication methods for both SMTP and IMAP are: GSSAPI (only within Pupin Hall) and LOGIN/PLAIN (everywhere, only permitted under an SSL or TLS layer).

The examples below assume your CAL username is foo. If there is no example for your favorite MUA, please add a section documenting it, or ask for help.


initial, wizard setup

Go to Edit|Account Settings, and click the Add Account button (note: if this your first time opening Thunderbird, this step will probably happen automatically). This will take you through a wizard that can do most, but not all, of the configuration.

In the New Account Setup screen, Choose Email account and click Next

Then, in Identity, enter your full name and your CAL account ( and click Next)

Next, in Server Information, choose IMAP and set the Incoming Server to If Thunderbird lets you choose an outgoing (SMTP) server, enter for that as well. Click Next

Next, in User Names, put your username, bare, as Incoming User Name. e.g., foo Click Next

Now choose a name for thunderbird to associate with this account (e.g., and click "Finish"

That's the first bit! Now you need to make a couple changes that couldn't be done in the wizard.

final tuning

Firstly, you may want to import the CAL Certificate Authority's root certificate into Thunderbird. Instructions on how to do this for Thunderbird are here.

Choose Edit|Account Settings... again, if that dialog box isn't already open.

In the left-hand pane, open the account you just made: (you may need to click the little + to expand that part of the tree), and select the Server Settings node underneath it.

Under the Security Settings, for Use secure connection, please choose SSL.

Again in the left-hand pane, select Outgoing Server (SMTP). If thunderbird let you enter an SMTP server during the wizard phase, you should see listed in the right-hand pane. If so, select it and click Edit. If not, click Add.

In the new dialog box, you want to set the following fields:

DescriptionCAL SMTP Server
Server Name
Port587 (note this is the submission port, not the standard smtp port)
Use name and Passwordchecked
User Name foo (of course, put your own user name here)
Use Secure Connection TLS (note that this field is TLS while the IMAP field uses SSL for this version of Thunderbird)

Click OK, OK, and proceed to check your e-mail!

If you would like for Thunderbird to allow you to see the contents of your spam folder (so you can see if there are false positives, or maybe you just like reading about shady business propositions and cheap prescription drugs), you must "subscribe" to the spam folder in Thunderbird. Choose "File|Subscribe...", select the relevant account, and subscribe to the folders in which you are interested.


GNOME Evolution is an IMAP-capable groupware suite for GNU/Linux. It is installed by default on all the CAL Configured Workstations. You probably want to start by importing the CAL root certificate for use with Evolution. These instructions are based on version 2.6.1.

Choose Edit|Preferences... and make sure the "Mail Accounts" icon is selected in the dialog box that comes up. Click Add, which will bring up the "Evolution Account Assistant". Click Forward and put your CAL account ( in the "E-mail Address" field. Click Forward. On the "Receiving E-mail" screen, choose the following:

Server Type IMAP
Username foo (of course, put your own user name here)
Use Secure Connection TLS Encryption
Authentication Type GSSAPI or Password If this machine is a Configured Workstation, or is only used within Pupin Hall, and you have the krb5 libraries installed, choose: GSSAPI. Otherwise, choose: Password

Click Forward. You can leave the next page (Receiving Options) entirely unchecked, or select features you think you would like to use. Click Forward again. On the "Sending E-mail" page, if you don't have a functioning MTA on your machine (e.g. if you are not on a Configured Workstation), choose the following options:

Server Type SMTP
Server Note the trailing ":587"!''
Server Requires Authentication check!
Use Secure Connection TLS Encryption
Authentication Type PLAIN
Username foo Put your own username here, of course''

Click Forward, choose a name for this account to identify it within evolution ( would be reasonable) and click Apply. That's it!

Note that if selected GSSAPI authentication, you'll need to make sure you have properly initialized your Kerberos Credentials Cache before checking your e-mail.

Apple Mail

The first think you probably want to do (if you haven't already) is to import the CAL root certificate. This is not necessary but will simplify the following steps and stop your Mac from always questioning the CAL certificates.

Go to Preferences, then click on Accounts and add a new account by clicking on +. Set the account type to be IMAP and enter your email address (i.e. Click on continue.

For the incoming Mail server, enter and click continue. At this point you will get an error message saying that it was unable to connect -- ignore this (we'll fix this later). Click continue again. It will now ask for the authentication method for incoming mail. Check the SSL box and set it to Password.

In order to see other folders you need to set the account's IMAP path prefix to "INBOX" (found under prefs->accounts->your account->advanced). This also makes it possible for Mail to create the sent items, trash and drafts folders.

For the outgoing mail server, set it to, check the Use Authentication box and enter your username and password. Again you will get an error message, but push on and finish creating the acount.

Once the account has been created, you will need to edit it. Again, from the preferences, choose Accounts. Select the new account you have created and click on Server Settings. You will need to change the port from 25 to 587. Make sure the Use SSL box is checked and Password authentication is selected. Click OK.

Finally, you will need to go back and put it online by ctrl-clicking on the new INBOX and selecting take online. You will get an error because it cannot determine the authenticity of the certificate, but at this point you can examine the certificate and accept it. The same thing will happen again the first time you try to send a message.


pine is not currently installed or supported on CAL due to its history of security problems. However, mutt is an alternative, text-based mail program fully supported on CAL. It is possible to configure mutt to use the keybinding of pine. First, follow the instructions on how to get mutt installed and working. Then, by adding two lines to your ~/.muttrc file, you should be able to navigate mutt in a way similar to pine.

source /usr/share/doc/mutt/examples/Pine.rc
source /etc/Muttrc.d/cal.rc


mutt is a well-maintained, free, console-based, IMAP-capable mail client. Configuring mutt is done by editing a text configuration file, stored in ~/.muttrc

On CAL configured workstations, you don't need to do any configuration to get mutt to work with your CAL mail account. It is already set up, thanks to /etc/Muttrc.d/cal.rc. (Note: you do need to make sure that your Kerberos Credentials Cache is properly initialized, but this is taken care of automatically when you log in at the console of a CW)

On non-CAL-configured workstations residing in Pupin, make sure your krb5 libraries are properly configured. Make sure that SASL's GSSAPI module is installed (debian and ubuntu users run: sudo apt-get install libsasl2-gssapi-mit). Use this ~/.muttrc file (note: replace "foo" with your CAL username!)

set imap_authenticators="gssapi"
set spoolfile="imap://"
set folder="imap://"
set ssl_force_tls="yes"
set record="=Sent"
set postponed="=Drafts"
set move="no"

Now, as long as you have an active Kerberos ticket, you may check your astro email with mutt without having to type in your password.

On systems without properly configured krb5 libraries, or systems outside of Pupin Hall, you will be unable to use gssapi to authenticate and you will have to enter your password every time you want to run mutt. You can do this by using the following ~/.muttrc file: (note: replace "foo" with your CAL username!)

set imap_authenticators="login"
set spoolfile="imap://"
set folder="imap://"
set ssl_force_tls="yes"
set record="=Sent"
set postponed="=Drafts"
set move="no"

You may also want to instruct mutt to trust the CAL Certificate Authority by appending its root certificate to mutt's certificate_file (which by default is ~/.mutt_certificates). This will avoid prompting for accepting new certificates, and will let you interact more smoothly with CAL servers using encryption.

Note that mutt requires there to be a running sendmail-style interface on your local machine in order to send mail. Most UNIX-style machines have such a service in place. mutt simply hands off outgoing mail to that interface, and doesn't need to connect to an outbound server at all. If your computer does not have such a system in place, you might consider nullmailer or an even simpler tool like ssmtp.


/usr/bin/mail on the CAL Configured Workstations is provided by GNU mailutils. This version of mail is IMAP-capable.

To access the inbox for user foo from mail, invoke it in the following way:

mail --tls=yes -f imap://

On the Configured Workstations, by default, simply running:


is all that is needed.


gnus is a newsreader/MUA that runs within emacs. To use it to check your CAL mail from a CW, create ~/.gnus.el with the following contents:

;; default to checking CAL e-mail over IMAP
(setq gnus-select-method '(nnimap ""
				  (nnimap-address "")
				  (nnimap-port 143)
				  (nnimap-stream gssapi)
				  (nnimap-authenticator gssapi)

Then launch emacs and do

M-x gnus

And you'll be in the group view. from the group view, there are a couple things you can do:

"subscribe" to new folder
show all folders you are subscribed to, whether they have unread messages or not
only show subscribed folders with unread messages
refresh mail lists
quit gnus

(Note: you do need to make sure that your Kerberos Credentials Cache is properly initialized, but this is taken care of automatically when you log in at the console of a CW)