1// Package imapserver implements an IMAPv4 server, rev2 (RFC 9051) and rev1 with extensions (RFC 3501 and more).
7IMAP4rev2 includes functionality that was in extensions for IMAP4rev1. The
8extensions sometimes include features not in IMAP4rev2. We want IMAP4rev1-only
9implementations to use extensions, so we implement the full feature set of the
10extension and announce it as capability. The extensions: LITERAL+, IDLE,
11NAMESPACE, BINARY, UNSELECT, UIDPLUS, ESEARCH, SEARCHRES, SASL-IR, ENABLE,
12LIST-EXTENDED, SPECIAL-USE, MOVE, UTF8=ONLY.
14We take a liberty with UTF8=ONLY. We are supposed to wait for ENABLE of
15UTF8=ACCEPT or IMAP4rev2 before we respond with quoted strings that contain
16non-ASCII UTF-8. Until that's enabled, we do use UTF-7 for mailbox names. See
19- We never execute multiple commands at the same time for a connection. We expect a client to open multiple connections instead.
../rfc/9051:1110
20- Do not write output on a connection with an account lock held. Writing can block, a slow client could block account operations.
21- When handling commands that modify the selected mailbox, always check that the mailbox is not opened readonly. And always revalidate the selected mailbox, another session may have deleted the mailbox.
22- After making changes to an account/mailbox/message, you must broadcast changes. You must do this with the account lock held. Otherwise, other later changes (e.g. message deliveries) may be made and broadcast before changes that were made earlier. Make sure to commit changes in the database first, because the commit may fail.
23- Mailbox hierarchies are slash separated, no leading slash. We keep the case, except INBOX is renamed to Inbox, also for submailboxes in INBOX. We don't allow existence of a child where its parent does not exist. We have no \NoInferiors or \NoSelect. Newly created mailboxes are automatically subscribed.
24- For CONDSTORE and QRESYNC support, we set "modseq" for each change/expunge. Once expunged, a modseq doesn't change anymore. We don't yet remove old expunged records. The records aren't too big. Next step may be to let an admin reclaim space manually.
28- todo: do not return binary data for a fetch body. at least not for imap4rev1. we should be encoding it as base64?
29- todo: on expunge we currently remove the message even if other sessions still have a reference to the uid. if they try to query the uid, they'll get an error. we could be nicer and only actually remove the message when the last reference has gone. we could add a new flag to store.Message marking the message as expunged, not give new session access to such messages, and make store remove them at startup, and clean them when the last session referencing the session goes. however, it will get much more complicated. renaming messages would need special handling. and should we do the same for removed mailboxes?
30- todo: try to recover from syntax errors when the last command line ends with a }, i.e. a literal. we currently abort the entire connection. we may want to read some amount of literal data and continue with a next command.
31- todo future: more extensions: OBJECTID, MULTISEARCH, REPLACE, NOTIFY, CATENATE, MULTIAPPEND, SORT, THREAD, CREATE-SPECIAL-USE.
61 "golang.org/x/exp/maps"
63 "github.com/prometheus/client_golang/prometheus"
64 "github.com/prometheus/client_golang/prometheus/promauto"
66 "github.com/mjl-/bstore"
68 "github.com/mjl-/mox/config"
69 "github.com/mjl-/mox/message"
70 "github.com/mjl-/mox/metrics"
71 "github.com/mjl-/mox/mlog"
72 "github.com/mjl-/mox/mox-"
73 "github.com/mjl-/mox/moxio"
74 "github.com/mjl-/mox/moxvar"
75 "github.com/mjl-/mox/ratelimit"
76 "github.com/mjl-/mox/scram"
77 "github.com/mjl-/mox/store"
81 metricIMAPConnection = promauto.NewCounterVec(
82 prometheus.CounterOpts{
83 Name: "mox_imap_connection_total",
84 Help: "Incoming IMAP connections.",
87 "service", // imap, imaps
90 metricIMAPCommands = promauto.NewHistogramVec(
91 prometheus.HistogramOpts{
92 Name: "mox_imap_command_duration_seconds",
93 Help: "IMAP command duration and result codes in seconds.",
94 Buckets: []float64{0.001, 0.005, 0.01, 0.05, 0.100, 0.5, 1, 5, 10, 20},
98 "result", // ok, panic, ioerror, badsyntax, servererror, usererror, error
103var limiterConnectionrate, limiterConnections *ratelimit.Limiter
106 // Also called by tests, so they don't trigger the rate limiter.
112 limiterConnectionrate = &ratelimit.Limiter{
113 WindowLimits: []ratelimit.WindowLimit{
116 Limits: [...]int64{300, 900, 2700},
120 limiterConnections = &ratelimit.Limiter{
121 WindowLimits: []ratelimit.WindowLimit{
123 Window: time.Duration(math.MaxInt64), // All of time.
124 Limits: [...]int64{30, 90, 270},
130// Delay after bad/suspicious behaviour. Tests set these to zero.
131var badClientDelay = time.Second // Before reads and after 1-byte writes for probably spammers.
132var authFailDelay = time.Second // After authentication failure.
134// Capabilities (extensions) the server supports. Connections will add a few more, e.g. STARTTLS, LOGINDISABLED, AUTH=PLAIN.
159// We always announce support for SCRAM PLUS-variants, also on connections without
160// TLS. The client should not be selecting PLUS variants on non-TLS connections,
161// instead opting to do the bare SCRAM variant without indicating the server claims
162// to support the PLUS variant (skipping the server downgrade detection check).
163const serverCapabilities = "IMAP4rev2 IMAP4rev1 ENABLE LITERAL+ IDLE SASL-IR BINARY UNSELECT UIDPLUS ESEARCH SEARCHRES MOVE UTF8=ACCEPT LIST-EXTENDED SPECIAL-USE LIST-STATUS AUTH=SCRAM-SHA-256-PLUS AUTH=SCRAM-SHA-256 AUTH=SCRAM-SHA-1-PLUS AUTH=SCRAM-SHA-1 AUTH=CRAM-MD5 ID APPENDLIMIT=9223372036854775807 CONDSTORE QRESYNC STATUS=SIZE QUOTA QUOTA=RES-STORAGE"
169 tls bool // Whether TLS has been initialized.
170 br *bufio.Reader // From remote, with TLS unwrapped in case of TLS.
171 line chan lineErr // If set, instead of reading from br, a line is read from this channel. For reading a line in IDLE while also waiting for mailbox/account updates.
172 lastLine string // For detecting if syntax error is fatal, i.e. if this ends with a literal. Without crlf.
173 bw *bufio.Writer // To remote, with TLS added in case of TLS.
174 tr *moxio.TraceReader // Kept to change trace level when reading/writing cmd/auth/data.
175 tw *moxio.TraceWriter
176 slow bool // If set, reads are done with a 1 second sleep, and writes are done 1 byte at a time, to keep spammers busy.
177 lastlog time.Time // For printing time since previous log line.
178 tlsConfig *tls.Config // TLS config to use for handshake.
180 noRequireSTARTTLS bool
181 cmd string // Currently executing, for deciding to applyChanges and logging.
182 cmdMetric string // Currently executing, for metrics.
184 ncmds int // Number of commands processed. Used to abort connection when first incoming command is unknown/invalid.
186 enabled map[capability]bool // All upper-case.
188 // Set by SEARCH with SAVE. Can be used by commands accepting a sequence-set with
189 // value "$". When used, UIDs must be verified to still exist, because they may
190 // have been expunged. Cleared by a SELECT or EXAMINE.
191 // Nil means no searchResult is present. An empty list is a valid searchResult,
192 // just not matching any messages.
194 searchResult []store.UID
196 // Only when authenticated.
197 authFailed int // Number of failed auth attempts. For slowing down remote with many failures.
198 username string // Full username as used during login.
199 account *store.Account
200 comm *store.Comm // For sending/receiving changes on mailboxes in account, e.g. from messages incoming on smtp, or another imap client.
202 mailboxID int64 // Only for StateSelected.
203 readonly bool // If opened mailbox is readonly.
204 uids []store.UID // UIDs known in this session, sorted. todo future: store more space-efficiently, as ranges.
207// capability for use with ENABLED and CAPABILITY. We always keep this upper case,
208// e.g. IMAP4REV2. These values are treated case-insensitive, but it's easier for
209// comparison to just always have the same case.
210type capability string
213 capIMAP4rev2 capability = "IMAP4REV2"
214 capUTF8Accept capability = "UTF8=ACCEPT"
215 capCondstore capability = "CONDSTORE"
216 capQresync capability = "QRESYNC"
227 stateNotAuthenticated state = iota
232func stateCommands(cmds ...string) map[string]struct{} {
233 r := map[string]struct{}{}
234 for _, cmd := range cmds {
241 commandsStateAny = stateCommands("capability", "noop", "logout", "id")
242 commandsStateNotAuthenticated = stateCommands("starttls", "authenticate", "login")
243 commandsStateAuthenticated = stateCommands("enable", "select", "examine", "create", "delete", "rename", "subscribe", "unsubscribe", "list", "namespace", "status", "append", "idle", "lsub", "getquotaroot", "getquota")
244 commandsStateSelected = stateCommands("close", "unselect", "expunge", "search", "fetch", "store", "copy", "move", "uid expunge", "uid search", "uid fetch", "uid store", "uid copy", "uid move")
247var commands = map[string]func(c *conn, tag, cmd string, p *parser){
249 "capability": (*conn).cmdCapability,
250 "noop": (*conn).cmdNoop,
251 "logout": (*conn).cmdLogout,
255 "starttls": (*conn).cmdStarttls,
256 "authenticate": (*conn).cmdAuthenticate,
257 "login": (*conn).cmdLogin,
259 // Authenticated and selected.
260 "enable": (*conn).cmdEnable,
261 "select": (*conn).cmdSelect,
262 "examine": (*conn).cmdExamine,
263 "create": (*conn).cmdCreate,
264 "delete": (*conn).cmdDelete,
265 "rename": (*conn).cmdRename,
266 "subscribe": (*conn).cmdSubscribe,
267 "unsubscribe": (*conn).cmdUnsubscribe,
268 "list": (*conn).cmdList,
269 "lsub": (*conn).cmdLsub,
270 "namespace": (*conn).cmdNamespace,
271 "status": (*conn).cmdStatus,
272 "append": (*conn).cmdAppend,
273 "idle": (*conn).cmdIdle,
274 "getquotaroot": (*conn).cmdGetquotaroot,
275 "getquota": (*conn).cmdGetquota,
278 "check": (*conn).cmdCheck,
279 "close": (*conn).cmdClose,
280 "unselect": (*conn).cmdUnselect,
281 "expunge": (*conn).cmdExpunge,
282 "uid expunge": (*conn).cmdUIDExpunge,
283 "search": (*conn).cmdSearch,
284 "uid search": (*conn).cmdUIDSearch,
285 "fetch": (*conn).cmdFetch,
286 "uid fetch": (*conn).cmdUIDFetch,
287 "store": (*conn).cmdStore,
288 "uid store": (*conn).cmdUIDStore,
289 "copy": (*conn).cmdCopy,
290 "uid copy": (*conn).cmdUIDCopy,
291 "move": (*conn).cmdMove,
292 "uid move": (*conn).cmdUIDMove,
295var errIO = errors.New("io error") // For read/write errors and errors that should close the connection.
296var errProtocol = errors.New("protocol error") // For protocol errors for which a stack trace should be printed.
300// check err for sanity.
301// if not nil and checkSanity true (set during tests), then panic. if not nil during normal operation, just log.
302func (c *conn) xsanity(err error, format string, args ...any) {
307 panic(fmt.Errorf("%s: %s", fmt.Sprintf(format, args...), err))
309 c.log.Errorx(fmt.Sprintf(format, args...), err)
314// Listen initializes all imap listeners for the configuration, and stores them for Serve to start them.
316 names := maps.Keys(mox.Conf.Static.Listeners)
318 for _, name := range names {
319 listener := mox.Conf.Static.Listeners[name]
321 var tlsConfig *tls.Config
322 if listener.TLS != nil {
323 tlsConfig = listener.TLS.Config
326 if listener.IMAP.Enabled {
327 port := config.Port(listener.IMAP.Port, 143)
328 for _, ip := range listener.IPs {
329 listen1("imap", name, ip, port, tlsConfig, false, listener.IMAP.NoRequireSTARTTLS)
333 if listener.IMAPS.Enabled {
334 port := config.Port(listener.IMAPS.Port, 993)
335 for _, ip := range listener.IPs {
336 listen1("imaps", name, ip, port, tlsConfig, true, false)
344func listen1(protocol, listenerName, ip string, port int, tlsConfig *tls.Config, xtls, noRequireSTARTTLS bool) {
345 log := mlog.New("imapserver", nil)
346 addr := net.JoinHostPort(ip, fmt.Sprintf("%d", port))
347 if os.Getuid() == 0 {
348 log.Print("listening for imap",
349 slog.String("listener", listenerName),
350 slog.String("addr", addr),
351 slog.String("protocol", protocol))
353 network := mox.Network(ip)
354 ln, err := mox.Listen(network, addr)
356 log.Fatalx("imap: listen for imap", err, slog.String("protocol", protocol), slog.String("listener", listenerName))
359 ln = tls.NewListener(ln, tlsConfig)
364 conn, err := ln.Accept()
366 log.Infox("imap: accept", err, slog.String("protocol", protocol), slog.String("listener", listenerName))
370 metricIMAPConnection.WithLabelValues(protocol).Inc()
371 go serve(listenerName, mox.Cid(), tlsConfig, conn, xtls, noRequireSTARTTLS)
375 servers = append(servers, serve)
378// Serve starts serving on all listeners, launching a goroutine per listener.
380 for _, serve := range servers {
386// returns whether this connection accepts utf-8 in strings.
387func (c *conn) utf8strings() bool {
388 return c.enabled[capIMAP4rev2] || c.enabled[capUTF8Accept]
391func (c *conn) encodeMailbox(s string) string {
398func (c *conn) xdbwrite(fn func(tx *bstore.Tx)) {
399 err := c.account.DB.Write(context.TODO(), func(tx *bstore.Tx) error {
403 xcheckf(err, "transaction")
406func (c *conn) xdbread(fn func(tx *bstore.Tx)) {
407 err := c.account.DB.Read(context.TODO(), func(tx *bstore.Tx) error {
411 xcheckf(err, "transaction")
414// Closes the currently selected/active mailbox, setting state from selected to authenticated.
415// Does not remove messages marked for deletion.
416func (c *conn) unselect() {
417 if c.state == stateSelected {
418 c.state = stateAuthenticated
424func (c *conn) setSlow(on bool) {
426 c.log.Debug("connection changed to slow")
427 } else if !on && c.slow {
428 c.log.Debug("connection restored to regular pace")
433// Write makes a connection an io.Writer. It panics for i/o errors. These errors
434// are handled in the connection command loop.
435func (c *conn) Write(buf []byte) (int, error) {
443 err := c.conn.SetWriteDeadline(time.Now().Add(30 * time.Second))
444 c.log.Check(err, "setting write deadline")
446 nn, err := c.conn.Write(buf[:chunk])
448 panic(fmt.Errorf("write: %s (%w)", err, errIO))
452 if len(buf) > 0 && badClientDelay > 0 {
453 mox.Sleep(mox.Context, badClientDelay)
459func (c *conn) xtrace(level slog.Level) func() {
465 c.tr.SetTrace(mlog.LevelTrace)
466 c.tw.SetTrace(mlog.LevelTrace)
470// Cache of line buffers for reading commands.
472var bufpool = moxio.NewBufpool(8, 16*1024)
474// read line from connection, not going through line channel.
475func (c *conn) readline0() (string, error) {
476 if c.slow && badClientDelay > 0 {
477 mox.Sleep(mox.Context, badClientDelay)
480 d := 30 * time.Minute
481 if c.state == stateNotAuthenticated {
484 err := c.conn.SetReadDeadline(time.Now().Add(d))
485 c.log.Check(err, "setting read deadline")
487 line, err := bufpool.Readline(c.log, c.br)
488 if err != nil && errors.Is(err, moxio.ErrLineTooLong) {
489 return "", fmt.Errorf("%s (%w)", err, errProtocol)
490 } else if err != nil {
491 return "", fmt.Errorf("%s (%w)", err, errIO)
496func (c *conn) lineChan() chan lineErr {
498 c.line = make(chan lineErr, 1)
500 line, err := c.readline0()
501 c.line <- lineErr{line, err}
507// readline from either the c.line channel, or otherwise read from connection.
508func (c *conn) readline(readCmd bool) string {
514 line, err = le.line, le.err
516 line, err = c.readline0()
519 if readCmd && errors.Is(err, os.ErrDeadlineExceeded) {
520 err := c.conn.SetWriteDeadline(time.Now().Add(10 * time.Second))
521 c.log.Check(err, "setting write deadline")
522 c.writelinef("* BYE inactive")
524 if !errors.Is(err, errIO) && !errors.Is(err, errProtocol) {
525 err = fmt.Errorf("%s (%w)", err, errIO)
531 // We typically respond immediately (IDLE is an exception).
532 // The client may not be reading, or may have disappeared.
533 // Don't wait more than 5 minutes before closing down the connection.
534 // The write deadline is managed in IDLE as well.
535 // For unauthenticated connections, we require the client to read faster.
536 wd := 5 * time.Minute
537 if c.state == stateNotAuthenticated {
538 wd = 30 * time.Second
540 err = c.conn.SetWriteDeadline(time.Now().Add(wd))
541 c.log.Check(err, "setting write deadline")
546// write tagged command response, but first write pending changes.
547func (c *conn) writeresultf(format string, args ...any) {
548 c.bwriteresultf(format, args...)
552// write buffered tagged command response, but first write pending changes.
553func (c *conn) bwriteresultf(format string, args ...any) {
555 case "fetch", "store", "search":
559 c.applyChanges(c.comm.Get(), false)
562 c.bwritelinef(format, args...)
565func (c *conn) writelinef(format string, args ...any) {
566 c.bwritelinef(format, args...)
570// Buffer line for write.
571func (c *conn) bwritelinef(format string, args ...any) {
573 fmt.Fprintf(c.bw, format, args...)
576func (c *conn) xflush() {
578 xcheckf(err, "flush") // Should never happen, the Write caused by the Flush should panic on i/o error.
581func (c *conn) readCommand(tag *string) (cmd string, p *parser) {
582 line := c.readline(true)
583 p = newParser(line, c)
589 return cmd, newParser(p.remainder(), c)
592func (c *conn) xreadliteral(size int64, sync bool) string {
596 buf := make([]byte, size)
598 if err := c.conn.SetReadDeadline(time.Now().Add(30 * time.Second)); err != nil {
599 c.log.Errorx("setting read deadline", err)
602 _, err := io.ReadFull(c.br, buf)
604 // Cannot use xcheckf due to %w handling of errIO.
605 panic(fmt.Errorf("reading literal: %s (%w)", err, errIO))
611func (c *conn) xhighestModSeq(tx *bstore.Tx, mailboxID int64) store.ModSeq {
612 qms := bstore.QueryTx[store.Message](tx)
613 qms.FilterNonzero(store.Message{MailboxID: mailboxID})
614 qms.SortDesc("ModSeq")
617 if err == bstore.ErrAbsent {
618 return store.ModSeq(0)
620 xcheckf(err, "looking up highest modseq for mailbox")
624var cleanClose struct{} // Sentinel value for panic/recover indicating clean close of connection.
626func serve(listenerName string, cid int64, tlsConfig *tls.Config, nc net.Conn, xtls, noRequireSTARTTLS bool) {
628 if a, ok := nc.RemoteAddr().(*net.TCPAddr); ok {
631 // For net.Pipe, during tests.
632 remoteIP = net.ParseIP("127.0.0.10")
640 tlsConfig: tlsConfig,
642 noRequireSTARTTLS: noRequireSTARTTLS,
643 enabled: map[capability]bool{},
645 cmdStart: time.Now(),
647 var logmutex sync.Mutex
648 c.log = mlog.New("imapserver", nil).WithFunc(func() []slog.Attr {
650 defer logmutex.Unlock()
653 slog.Int64("cid", c.cid),
654 slog.Duration("delta", now.Sub(c.lastlog)),
657 if c.username != "" {
658 l = append(l, slog.String("username", c.username))
662 c.tr = moxio.NewTraceReader(c.log, "C: ", c.conn)
663 c.tw = moxio.NewTraceWriter(c.log, "S: ", c)
664 // todo: tracing should be done on whatever comes out of c.br. the remote connection write a command plus data, and bufio can read it in one read, causing a command parser that sets the tracing level to data to have no effect. we are now typically logging sent messages, when mail clients append to the Sent mailbox.
665 c.br = bufio.NewReader(c.tr)
666 c.bw = bufio.NewWriter(c.tw)
668 // Many IMAP connections use IDLE to wait for new incoming messages. We'll enable
669 // keepalive to get a higher chance of the connection staying alive, or otherwise
670 // detecting broken connections early.
673 xconn = c.conn.(*tls.Conn).NetConn()
675 if tcpconn, ok := xconn.(*net.TCPConn); ok {
676 if err := tcpconn.SetKeepAlivePeriod(5 * time.Minute); err != nil {
677 c.log.Errorx("setting keepalive period", err)
678 } else if err := tcpconn.SetKeepAlive(true); err != nil {
679 c.log.Errorx("enabling keepalive", err)
683 c.log.Info("new connection",
684 slog.Any("remote", c.conn.RemoteAddr()),
685 slog.Any("local", c.conn.LocalAddr()),
686 slog.Bool("tls", xtls),
687 slog.String("listener", listenerName))
692 if c.account != nil {
694 err := c.account.Close()
695 c.xsanity(err, "close account")
701 if x == nil || x == cleanClose {
702 c.log.Info("connection closed")
703 } else if err, ok := x.(error); ok && isClosed(err) {
704 c.log.Infox("connection closed", err)
706 c.log.Error("unhandled panic", slog.Any("err", x))
708 metrics.PanicInc(metrics.Imapserver)
713 case <-mox.Shutdown.Done():
715 c.writelinef("* BYE mox shutting down")
720 if !limiterConnectionrate.Add(c.remoteIP, time.Now(), 1) {
721 c.writelinef("* BYE connection rate from your ip or network too high, slow down please")
725 // If remote IP/network resulted in too many authentication failures, refuse to serve.
726 if !mox.LimiterFailedAuth.CanAdd(c.remoteIP, time.Now(), 1) {
727 metrics.AuthenticationRatelimitedInc("imap")
728 c.log.Debug("refusing connection due to many auth failures", slog.Any("remoteip", c.remoteIP))
729 c.writelinef("* BYE too many auth failures")
733 if !limiterConnections.Add(c.remoteIP, time.Now(), 1) {
734 c.log.Debug("refusing connection due to many open connections", slog.Any("remoteip", c.remoteIP))
735 c.writelinef("* BYE too many open connections from your ip or network")
738 defer limiterConnections.Add(c.remoteIP, time.Now(), -1)
740 // We register and unregister the original connection, in case it c.conn is
741 // replaced with a TLS connection later on.
742 mox.Connections.Register(nc, "imap", listenerName)
743 defer mox.Connections.Unregister(nc)
745 c.writelinef("* OK [CAPABILITY %s] mox imap", c.capabilities())
749 c.xflush() // For flushing errors, or possibly commands that did not flush explicitly.
753// isClosed returns whether i/o failed, typically because the connection is closed.
754// For connection errors, we often want to generate fewer logs.
755func isClosed(err error) bool {
756 return errors.Is(err, errIO) || errors.Is(err, errProtocol) || moxio.IsClosed(err)
759func (c *conn) command() {
760 var tag, cmd, cmdlow string
766 metricIMAPCommands.WithLabelValues(c.cmdMetric, result).Observe(float64(time.Since(c.cmdStart)) / float64(time.Second))
769 logFields := []slog.Attr{
770 slog.String("cmd", c.cmd),
771 slog.Duration("duration", time.Since(c.cmdStart)),
776 if x == nil || x == cleanClose {
777 c.log.Debug("imap command done", logFields...)
786 c.log.Error("imap command panic", append([]slog.Attr{slog.Any("panic", x)}, logFields...)...)
791 var sxerr syntaxError
795 c.log.Infox("imap command ioerror", err, logFields...)
797 if errors.Is(err, errProtocol) {
801 } else if errors.As(err, &sxerr) {
804 // Other side is likely speaking something else than IMAP, send error message and
805 // stop processing because there is a good chance whatever they sent has multiple
807 c.writelinef("* BYE please try again speaking imap")
810 c.log.Debugx("imap command syntax error", sxerr.err, logFields...)
811 c.log.Info("imap syntax error", slog.String("lastline", c.lastLine))
812 fatal := strings.HasSuffix(c.lastLine, "+}")
814 err := c.conn.SetWriteDeadline(time.Now().Add(5 * time.Second))
815 c.log.Check(err, "setting write deadline")
817 if sxerr.line != "" {
818 c.bwritelinef("%s", sxerr.line)
821 if sxerr.code != "" {
822 code = "[" + sxerr.code + "] "
824 c.bwriteresultf("%s BAD %s%s unrecognized syntax/command: %v", tag, code, cmd, sxerr.errmsg)
827 panic(fmt.Errorf("aborting connection after syntax error for command with non-sync literal: %w", errProtocol))
829 } else if errors.As(err, &serr) {
830 result = "servererror"
831 c.log.Errorx("imap command server error", err, logFields...)
833 c.bwriteresultf("%s NO %s %v", tag, cmd, err)
834 } else if errors.As(err, &uerr) {
836 c.log.Debugx("imap command user error", err, logFields...)
838 c.bwriteresultf("%s NO [%s] %s %v", tag, uerr.code, cmd, err)
840 c.bwriteresultf("%s NO %s %v", tag, cmd, err)
843 // Other type of panic, we pass it on, aborting the connection.
845 c.log.Errorx("imap command panic", err, logFields...)
851 cmd, p = c.readCommand(&tag)
852 cmdlow = strings.ToLower(cmd)
854 c.cmdStart = time.Now()
855 c.cmdMetric = "(unrecognized)"
858 case <-mox.Shutdown.Done():
860 c.writelinef("* BYE shutting down")
865 fn := commands[cmdlow]
867 xsyntaxErrorf("unknown command %q", cmd)
872 // Check if command is allowed in this state.
873 if _, ok1 := commandsStateAny[cmdlow]; ok1 {
874 } else if _, ok2 := commandsStateNotAuthenticated[cmdlow]; ok2 && c.state == stateNotAuthenticated {
875 } else if _, ok3 := commandsStateAuthenticated[cmdlow]; ok3 && c.state == stateAuthenticated || c.state == stateSelected {
876 } else if _, ok4 := commandsStateSelected[cmdlow]; ok4 && c.state == stateSelected {
877 } else if ok1 || ok2 || ok3 || ok4 {
878 xuserErrorf("not allowed in this connection state")
880 xserverErrorf("unrecognized command")
886func (c *conn) broadcast(changes []store.Change) {
887 if len(changes) == 0 {
890 c.log.Debug("broadcast changes", slog.Any("changes", changes))
891 c.comm.Broadcast(changes)
894// matchStringer matches a string against reference + mailbox patterns.
895type matchStringer interface {
896 MatchString(s string) bool
901// MatchString for noMatch always returns false.
902func (noMatch) MatchString(s string) bool {
906// xmailboxPatternMatcher returns a matcher for mailbox names given the reference and patterns.
907// Patterns can include "%" and "*", matching any character excluding and including a slash respectively.
908func xmailboxPatternMatcher(ref string, patterns []string) matchStringer {
909 if strings.HasPrefix(ref, "/") {
914 for _, pat := range patterns {
915 if strings.HasPrefix(pat, "/") {
921 s = path.Join(ref, pat)
924 // Fix casing for all Inbox paths.
925 first := strings.SplitN(s, "/", 2)[0]
926 if strings.EqualFold(first, "Inbox") {
927 s = "Inbox" + s[len("Inbox"):]
932 for _, c := range s {
938 rs += regexp.QuoteMeta(string(c))
941 subs = append(subs, rs)
947 rs := "^(" + strings.Join(subs, "|") + ")$"
948 re, err := regexp.Compile(rs)
949 xcheckf(err, "compiling regexp for mailbox patterns")
953func (c *conn) sequence(uid store.UID) msgseq {
954 return uidSearch(c.uids, uid)
957func uidSearch(uids []store.UID, uid store.UID) msgseq {
974func (c *conn) xsequence(uid store.UID) msgseq {
975 seq := c.sequence(uid)
977 xserverErrorf("unknown uid %d (%w)", uid, errProtocol)
982func (c *conn) sequenceRemove(seq msgseq, uid store.UID) {
984 if c.uids[i] != uid {
985 xserverErrorf(fmt.Sprintf("got uid %d at msgseq %d, expected uid %d", uid, seq, c.uids[i]))
987 copy(c.uids[i:], c.uids[i+1:])
988 c.uids = c.uids[:len(c.uids)-1]
994// add uid to the session. care must be taken that pending changes are fetched
995// while holding the account wlock, and applied before adding this uid, because
996// those pending changes may contain another new uid that has to be added first.
997func (c *conn) uidAppend(uid store.UID) {
998 if uidSearch(c.uids, uid) > 0 {
999 xserverErrorf("uid already present (%w)", errProtocol)
1001 if len(c.uids) > 0 && uid < c.uids[len(c.uids)-1] {
1002 xserverErrorf("new uid %d is smaller than last uid %d (%w)", uid, c.uids[len(c.uids)-1], errProtocol)
1004 c.uids = append(c.uids, uid)
1010// sanity check that uids are in ascending order.
1011func checkUIDs(uids []store.UID) {
1012 for i, uid := range uids {
1013 if uid == 0 || i > 0 && uid <= uids[i-1] {
1014 xserverErrorf("bad uids %v", uids)
1019func (c *conn) xnumSetUIDs(isUID bool, nums numSet) []store.UID {
1020 _, uids := c.xnumSetConditionUIDs(false, true, isUID, nums)
1024func (c *conn) xnumSetCondition(isUID bool, nums numSet) []any {
1025 uidargs, _ := c.xnumSetConditionUIDs(true, false, isUID, nums)
1029func (c *conn) xnumSetConditionUIDs(forDB, returnUIDs bool, isUID bool, nums numSet) ([]any, []store.UID) {
1030 if nums.searchResult {
1031 // Update previously stored UIDs. Some may have been deleted.
1032 // Once deleted a UID will never come back, so we'll just remove those uids.
1034 for _, uid := range c.searchResult {
1035 if uidSearch(c.uids, uid) > 0 {
1036 c.searchResult[o] = uid
1040 c.searchResult = c.searchResult[:o]
1041 uidargs := make([]any, len(c.searchResult))
1042 for i, uid := range c.searchResult {
1045 return uidargs, c.searchResult
1049 var uids []store.UID
1051 add := func(uid store.UID) {
1053 uidargs = append(uidargs, uid)
1056 uids = append(uids, uid)
1061 // Sequence numbers that don't exist, or * on an empty mailbox, should result in a BAD response.
../rfc/9051:7018
1062 for _, r := range nums.ranges {
1065 if len(c.uids) == 0 {
1066 xsyntaxErrorf("invalid seqset * on empty mailbox")
1068 ia = len(c.uids) - 1
1070 ia = int(r.first.number - 1)
1071 if ia >= len(c.uids) {
1072 xsyntaxErrorf("msgseq %d not in mailbox", r.first.number)
1081 if len(c.uids) == 0 {
1082 xsyntaxErrorf("invalid seqset * on empty mailbox")
1084 ib = len(c.uids) - 1
1086 ib = int(r.last.number - 1)
1087 if ib >= len(c.uids) {
1088 xsyntaxErrorf("msgseq %d not in mailbox", r.last.number)
1094 for _, uid := range c.uids[ia : ib+1] {
1098 return uidargs, uids
1101 // UIDs that do not exist can be ignored.
1102 if len(c.uids) == 0 {
1106 for _, r := range nums.ranges {
1112 uida := store.UID(r.first.number)
1114 uida = c.uids[len(c.uids)-1]
1117 uidb := store.UID(last.number)
1119 uidb = c.uids[len(c.uids)-1]
1123 uida, uidb = uidb, uida
1126 // Binary search for uida.
1131 if uida < c.uids[m] {
1133 } else if uida > c.uids[m] {
1140 for _, uid := range c.uids[s:] {
1141 if uid >= uida && uid <= uidb {
1143 } else if uid > uidb {
1149 return uidargs, uids
1152func (c *conn) ok(tag, cmd string) {
1153 c.bwriteresultf("%s OK %s done", tag, cmd)
1157// xcheckmailboxname checks if name is valid, returning an INBOX-normalized name.
1158// I.e. it changes various casings of INBOX and INBOX/* to Inbox and Inbox/*.
1159// Name is invalid if it contains leading/trailing/double slashes, or when it isn't
1160// unicode-normalized, or when empty or has special characters.
1161func xcheckmailboxname(name string, allowInbox bool) string {
1162 name, isinbox, err := store.CheckMailboxName(name, allowInbox)
1164 xuserErrorf("special mailboxname Inbox not allowed")
1165 } else if err != nil {
1166 xusercodeErrorf("CANNOT", "%s", err)
1171// Lookup mailbox by name.
1172// If the mailbox does not exist, panic is called with a user error.
1173// Must be called with account rlock held.
1174func (c *conn) xmailbox(tx *bstore.Tx, name string, missingErrCode string) store.Mailbox {
1175 mb, err := c.account.MailboxFind(tx, name)
1176 xcheckf(err, "finding mailbox")
1178 // missingErrCode can be empty, or e.g. TRYCREATE or ALREADYEXISTS.
1179 xusercodeErrorf(missingErrCode, "%w", store.ErrUnknownMailbox)
1184// Lookup mailbox by ID.
1185// If the mailbox does not exist, panic is called with a user error.
1186// Must be called with account rlock held.
1187func (c *conn) xmailboxID(tx *bstore.Tx, id int64) store.Mailbox {
1188 mb := store.Mailbox{ID: id}
1190 if err == bstore.ErrAbsent {
1191 xuserErrorf("%w", store.ErrUnknownMailbox)
1196// Apply changes to our session state.
1197// If initial is false, updates like EXISTS and EXPUNGE are written to the client.
1198// If initial is true, we only apply the changes.
1199// Should not be called while holding locks, as changes are written to client connections, which can block.
1200// Does not flush output.
1201func (c *conn) applyChanges(changes []store.Change, initial bool) {
1202 if len(changes) == 0 {
1206 err := c.conn.SetWriteDeadline(time.Now().Add(5 * time.Minute))
1207 c.log.Check(err, "setting write deadline")
1209 c.log.Debug("applying changes", slog.Any("changes", changes))
1211 // Only keep changes for the selected mailbox, and changes that are always relevant.
1212 var n []store.Change
1213 for _, change := range changes {
1215 switch ch := change.(type) {
1216 case store.ChangeAddUID:
1218 case store.ChangeRemoveUIDs:
1220 case store.ChangeFlags:
1222 case store.ChangeRemoveMailbox, store.ChangeAddMailbox, store.ChangeRenameMailbox, store.ChangeAddSubscription:
1223 n = append(n, change)
1225 case store.ChangeMailboxCounts, store.ChangeMailboxSpecialUse, store.ChangeMailboxKeywords, store.ChangeThread:
1227 panic(fmt.Errorf("missing case for %#v", change))
1229 if c.state == stateSelected && mbID == c.mailboxID {
1230 n = append(n, change)
1235 qresync := c.enabled[capQresync]
1236 condstore := c.enabled[capCondstore]
1239 for i < len(changes) {
1240 // First process all new uids. So we only send a single EXISTS.
1241 var adds []store.ChangeAddUID
1242 for ; i < len(changes); i++ {
1243 ch, ok := changes[i].(store.ChangeAddUID)
1247 seq := c.sequence(ch.UID)
1248 if seq > 0 && initial {
1252 adds = append(adds, ch)
1258 // Write the exists, and the UID and flags as well. Hopefully the client waits for
1259 // long enough after the EXISTS to see these messages, and doesn't request them
1260 // again with a FETCH.
1261 c.bwritelinef("* %d EXISTS", len(c.uids))
1262 for _, add := range adds {
1263 seq := c.xsequence(add.UID)
1264 var modseqStr string
1266 modseqStr = fmt.Sprintf(" MODSEQ (%d)", add.ModSeq.Client())
1268 c.bwritelinef("* %d FETCH (UID %d FLAGS %s%s)", seq, add.UID, flaglist(add.Flags, add.Keywords).pack(c), modseqStr)
1273 change := changes[i]
1276 switch ch := change.(type) {
1277 case store.ChangeRemoveUIDs:
1278 var vanishedUIDs numSet
1279 for _, uid := range ch.UIDs {
1282 seq = c.sequence(uid)
1287 seq = c.xsequence(uid)
1289 c.sequenceRemove(seq, uid)
1292 vanishedUIDs.append(uint32(uid))
1294 c.bwritelinef("* %d EXPUNGE", seq)
1300 for _, s := range vanishedUIDs.Strings(4*1024 - 32) {
1301 c.bwritelinef("* VANISHED %s", s)
1304 case store.ChangeFlags:
1305 // The uid can be unknown if we just expunged it while another session marked it as deleted just before.
1306 seq := c.sequence(ch.UID)
1311 var modseqStr string
1313 modseqStr = fmt.Sprintf(" MODSEQ (%d)", ch.ModSeq.Client())
1315 c.bwritelinef("* %d FETCH (UID %d FLAGS %s%s)", seq, ch.UID, flaglist(ch.Flags, ch.Keywords).pack(c), modseqStr)
1317 case store.ChangeRemoveMailbox:
1318 // Only announce \NonExistent to modern clients, otherwise they may ignore the
1319 // unrecognized \NonExistent and interpret this as a newly created mailbox, while
1320 // the goal was to remove it...
1321 if c.enabled[capIMAP4rev2] {
1322 c.bwritelinef(`* LIST (\NonExistent) "/" %s`, astring(c.encodeMailbox(ch.Name)).pack(c))
1324 case store.ChangeAddMailbox:
1325 c.bwritelinef(`* LIST (%s) "/" %s`, strings.Join(ch.Flags, " "), astring(c.encodeMailbox(ch.Mailbox.Name)).pack(c))
1326 case store.ChangeRenameMailbox:
1329 if c.enabled[capIMAP4rev2] {
1330 oldname = fmt.Sprintf(` ("OLDNAME" (%s))`, string0(c.encodeMailbox(ch.OldName)).pack(c))
1332 c.bwritelinef(`* LIST (%s) "/" %s%s`, strings.Join(ch.Flags, " "), astring(c.encodeMailbox(ch.NewName)).pack(c), oldname)
1333 case store.ChangeAddSubscription:
1334 c.bwritelinef(`* LIST (%s) "/" %s`, strings.Join(append([]string{`\Subscribed`}, ch.Flags...), " "), astring(c.encodeMailbox(ch.Name)).pack(c))
1336 panic(fmt.Sprintf("internal error, missing case for %#v", change))
1341// Capability returns the capabilities this server implements and currently has
1342// available given the connection state.
1345func (c *conn) cmdCapability(tag, cmd string, p *parser) {
1351 caps := c.capabilities()
1354 c.bwritelinef("* CAPABILITY %s", caps)
1358// capabilities returns non-empty string with available capabilities based on connection state.
1359// For use in cmdCapability and untagged OK responses on connection start, login and authenticate.
1360func (c *conn) capabilities() string {
1361 caps := serverCapabilities
1363 // We only allow starting without TLS when explicitly configured, in violation of RFC.
1364 if !c.tls && c.tlsConfig != nil {
1367 if c.tls || c.noRequireSTARTTLS {
1368 caps += " AUTH=PLAIN"
1370 caps += " LOGINDISABLED"
1375// No op, but useful for retrieving pending changes as untagged responses, e.g. of
1379func (c *conn) cmdNoop(tag, cmd string, p *parser) {
1387// Logout, after which server closes the connection.
1390func (c *conn) cmdLogout(tag, cmd string, p *parser) {
1397 c.state = stateNotAuthenticated
1399 c.bwritelinef("* BYE thanks")
1404// Clients can use ID to tell the server which software they are using. Servers can
1405// respond with their version. For statistics/logging/debugging purposes.
1408func (c *conn) cmdID(tag, cmd string, p *parser) {
1413 var params map[string]string
1415 params = map[string]string{}
1417 if len(params) > 0 {
1423 if _, ok := params[k]; ok {
1424 xsyntaxErrorf("duplicate key %q", k)
1433 // We just log the client id.
1434 c.log.Info("client id", slog.Any("params", params))
1438 c.bwritelinef(`* ID ("name" "mox" "version" %s)`, string0(moxvar.Version).pack(c))
1442// STARTTLS enables TLS on the connection, after a plain text start.
1443// Only allowed if TLS isn't already enabled, either through connecting to a
1444// TLS-enabled TCP port, or a previous STARTTLS command.
1445// After STARTTLS, plain text authentication typically becomes available.
1447// Status: Not authenticated.
1448func (c *conn) cmdStarttls(tag, cmd string, p *parser) {
1459 if n := c.br.Buffered(); n > 0 {
1460 buf := make([]byte, n)
1461 _, err := io.ReadFull(c.br, buf)
1462 xcheckf(err, "reading buffered data for tls handshake")
1463 conn = &prefixConn{buf, conn}
1465 // We add the cid to facilitate debugging in case of TLS connection failure.
1466 c.ok(tag, cmd+" ("+mox.ReceivedID(c.cid)+")")
1468 cidctx := context.WithValue(mox.Context, mlog.CidKey, c.cid)
1469 ctx, cancel := context.WithTimeout(cidctx, time.Minute)
1471 tlsConn := tls.Server(conn, c.tlsConfig)
1472 c.log.Debug("starting tls server handshake")
1473 if err := tlsConn.HandshakeContext(ctx); err != nil {
1474 panic(fmt.Errorf("starttls handshake: %s (%w)", err, errIO))
1477 tlsversion, ciphersuite := moxio.TLSInfo(tlsConn)
1478 c.log.Debug("tls server handshake done", slog.String("tls", tlsversion), slog.String("ciphersuite", ciphersuite))
1481 c.tr = moxio.NewTraceReader(c.log, "C: ", c.conn)
1482 c.tw = moxio.NewTraceWriter(c.log, "S: ", c)
1483 c.br = bufio.NewReader(c.tr)
1484 c.bw = bufio.NewWriter(c.tw)
1488// Authenticate using SASL. Supports multiple back and forths between client and
1489// server to finish authentication, unlike LOGIN which is just a single
1490// username/password.
1492// Status: Not authenticated.
1493func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
1497 // For many failed auth attempts, slow down verification attempts.
1498 if c.authFailed > 3 && authFailDelay > 0 {
1499 mox.Sleep(mox.Context, time.Duration(c.authFailed-3)*authFailDelay)
1502 // If authentication fails due to missing derived secrets, we don't hold it against
1503 // the connection. There is no way to indicate server support for an authentication
1504 // mechanism, but that a mechanism won't work for an account.
1505 var missingDerivedSecrets bool
1507 c.authFailed++ // Compensated on success.
1509 if missingDerivedSecrets {
1512 // On the 3rd failed authentication, start responding slowly. Successful auth will
1513 // cause fast responses again.
1514 if c.authFailed >= 3 {
1519 var authVariant string
1520 authResult := "error"
1522 metrics.AuthenticationInc("imap", authVariant, authResult)
1523 if authResult == "ok" {
1524 mox.LimiterFailedAuth.Reset(c.remoteIP, time.Now())
1525 } else if !missingDerivedSecrets {
1526 mox.LimiterFailedAuth.Add(c.remoteIP, time.Now(), 1)
1532 authType := p.xatom()
1534 xreadInitial := func() []byte {
1538 line = c.readline(false)
1542 line = p.remainder()
1545 line = "" // Base64 decode will result in empty buffer.
1550 authResult = "aborted"
1551 xsyntaxErrorf("authenticate aborted by client")
1553 buf, err := base64.StdEncoding.DecodeString(line)
1555 xsyntaxErrorf("parsing base64: %v", err)
1560 xreadContinuation := func() []byte {
1561 line := c.readline(false)
1563 authResult = "aborted"
1564 xsyntaxErrorf("authenticate aborted by client")
1566 buf, err := base64.StdEncoding.DecodeString(line)
1568 xsyntaxErrorf("parsing base64: %v", err)
1573 switch strings.ToUpper(authType) {
1575 authVariant = "plain"
1577 if !c.noRequireSTARTTLS && !c.tls {
1579 xusercodeErrorf("PRIVACYREQUIRED", "tls required for login")
1582 // Plain text passwords, mark as traceauth.
1583 defer c.xtrace(mlog.LevelTraceauth)()
1584 buf := xreadInitial()
1585 c.xtrace(mlog.LevelTrace) // Restore.
1586 plain := bytes.Split(buf, []byte{0})
1587 if len(plain) != 3 {
1588 xsyntaxErrorf("bad plain auth data, expected 3 nul-separated tokens, got %d tokens", len(plain))
1590 authz := string(plain[0])
1591 authc := string(plain[1])
1592 password := string(plain[2])
1594 if authz != "" && authz != authc {
1595 xusercodeErrorf("AUTHORIZATIONFAILED", "cannot assume role")
1598 acc, err := store.OpenEmailAuth(c.log, authc, password)
1600 if errors.Is(err, store.ErrUnknownCredentials) {
1601 authResult = "badcreds"
1602 c.log.Info("authentication failed", slog.String("username", authc))
1603 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
1605 xusercodeErrorf("", "error")
1611 authVariant = strings.ToLower(authType)
1617 chal := fmt.Sprintf("<%d.%d@%s>", uint64(mox.CryptoRandInt()), time.Now().UnixNano(), mox.Conf.Static.HostnameDomain.ASCII)
1618 c.writelinef("+ %s", base64.StdEncoding.EncodeToString([]byte(chal)))
1620 resp := xreadContinuation()
1621 t := strings.Split(string(resp), " ")
1622 if len(t) != 2 || len(t[1]) != 2*md5.Size {
1623 xsyntaxErrorf("malformed cram-md5 response")
1626 c.log.Debug("cram-md5 auth", slog.String("address", addr))
1627 acc, _, err := store.OpenEmail(c.log, addr)
1629 if errors.Is(err, store.ErrUnknownCredentials) {
1630 c.log.Info("failed authentication attempt", slog.String("username", addr), slog.Any("remote", c.remoteIP))
1631 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
1633 xserverErrorf("looking up address: %v", err)
1638 c.xsanity(err, "close account")
1641 var ipadhash, opadhash hash.Hash
1642 acc.WithRLock(func() {
1643 err := acc.DB.Read(context.TODO(), func(tx *bstore.Tx) error {
1644 password, err := bstore.QueryTx[store.Password](tx).Get()
1645 if err == bstore.ErrAbsent {
1646 c.log.Info("failed authentication attempt", slog.String("username", addr), slog.Any("remote", c.remoteIP))
1647 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
1653 ipadhash = password.CRAMMD5.Ipad
1654 opadhash = password.CRAMMD5.Opad
1657 xcheckf(err, "tx read")
1659 if ipadhash == nil || opadhash == nil {
1660 c.log.Info("cram-md5 auth attempt without derived secrets set, save password again to store secrets", slog.String("username", addr))
1661 c.log.Info("failed authentication attempt", slog.String("username", addr), slog.Any("remote", c.remoteIP))
1662 missingDerivedSecrets = true
1663 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
1667 ipadhash.Write([]byte(chal))
1668 opadhash.Write(ipadhash.Sum(nil))
1669 digest := fmt.Sprintf("%x", opadhash.Sum(nil))
1671 c.log.Info("failed authentication attempt", slog.String("username", addr), slog.Any("remote", c.remoteIP))
1672 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
1676 acc = nil // Cancel cleanup.
1679 case "SCRAM-SHA-256-PLUS", "SCRAM-SHA-256", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-1":
1680 // todo: improve handling of errors during scram. e.g. invalid parameters. should we abort the imap command, or continue until the end and respond with a scram-level error?
1681 // todo: use single implementation between ../imapserver/server.go and ../smtpserver/server.go
1683 // No plaintext credentials, we can log these normally.
1685 authVariant = strings.ToLower(authType)
1686 var h func() hash.Hash
1687 switch authVariant {
1688 case "scram-sha-1", "scram-sha-1-plus":
1690 case "scram-sha-256", "scram-sha-256-plus":
1693 xserverErrorf("missing case for scram variant")
1696 var cs *tls.ConnectionState
1697 requireChannelBinding := strings.HasSuffix(authVariant, "-plus")
1698 if requireChannelBinding && !c.tls {
1699 xuserErrorf("cannot use plus variant with tls channel binding without tls")
1702 xcs := c.conn.(*tls.Conn).ConnectionState()
1705 c0 := xreadInitial()
1706 ss, err := scram.NewServer(h, c0, cs, requireChannelBinding)
1708 xsyntaxErrorf("starting scram: %s", err)
1710 c.log.Debug("scram auth", slog.String("authentication", ss.Authentication))
1711 acc, _, err := store.OpenEmail(c.log, ss.Authentication)
1713 // todo: we could continue scram with a generated salt, deterministically generated
1714 // from the username. that way we don't have to store anything but attackers cannot
1715 // learn if an account exists. same for absent scram saltedpassword below.
1716 xuserErrorf("scram not possible")
1721 c.xsanity(err, "close account")
1724 if ss.Authorization != "" && ss.Authorization != ss.Authentication {
1725 xuserErrorf("authentication with authorization for different user not supported")
1727 var xscram store.SCRAM
1728 acc.WithRLock(func() {
1729 err := acc.DB.Read(context.TODO(), func(tx *bstore.Tx) error {
1730 password, err := bstore.QueryTx[store.Password](tx).Get()
1731 if err == bstore.ErrAbsent {
1732 c.log.Info("failed authentication attempt", slog.String("username", ss.Authentication), slog.Any("remote", c.remoteIP))
1733 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
1735 xcheckf(err, "fetching credentials")
1736 switch authVariant {
1737 case "scram-sha-1", "scram-sha-1-plus":
1738 xscram = password.SCRAMSHA1
1739 case "scram-sha-256", "scram-sha-256-plus":
1740 xscram = password.SCRAMSHA256
1742 xserverErrorf("missing case for scram credentials")
1744 if len(xscram.Salt) == 0 || xscram.Iterations == 0 || len(xscram.SaltedPassword) == 0 {
1745 missingDerivedSecrets = true
1746 c.log.Info("scram auth attempt without derived secrets set, save password again to store secrets", slog.String("address", ss.Authentication))
1747 xuserErrorf("scram not possible")
1751 xcheckf(err, "read tx")
1753 s1, err := ss.ServerFirst(xscram.Iterations, xscram.Salt)
1754 xcheckf(err, "scram first server step")
1755 c.writelinef("+ %s", base64.StdEncoding.EncodeToString([]byte(s1)))
1756 c2 := xreadContinuation()
1757 s3, err := ss.Finish(c2, xscram.SaltedPassword)
1759 c.writelinef("+ %s", base64.StdEncoding.EncodeToString([]byte(s3)))
1762 c.readline(false) // Should be "*" for cancellation.
1763 if errors.Is(err, scram.ErrInvalidProof) {
1764 authResult = "badcreds"
1765 c.log.Info("failed authentication attempt", slog.String("username", ss.Authentication), slog.Any("remote", c.remoteIP))
1766 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
1768 xuserErrorf("server final: %w", err)
1772 // The message should be empty. todo: should we require it is empty?
1776 acc = nil // Cancel cleanup.
1777 c.username = ss.Authentication
1780 xuserErrorf("method not supported")
1786 c.comm = store.RegisterComm(c.account)
1787 c.state = stateAuthenticated
1788 c.writeresultf("%s OK [CAPABILITY %s] authenticate done", tag, c.capabilities())
1791// Login logs in with username and password.
1793// Status: Not authenticated.
1794func (c *conn) cmdLogin(tag, cmd string, p *parser) {
1797 authResult := "error"
1799 metrics.AuthenticationInc("imap", "login", authResult)
1802 // todo: get this line logged with traceauth. the plaintext password is included on the command line, which we've already read (before dispatching to this function).
1806 userid := p.xastring()
1808 password := p.xastring()
1811 if !c.noRequireSTARTTLS && !c.tls {
1813 xusercodeErrorf("PRIVACYREQUIRED", "tls required for login")
1816 // For many failed auth attempts, slow down verification attempts.
1817 if c.authFailed > 3 && authFailDelay > 0 {
1818 mox.Sleep(mox.Context, time.Duration(c.authFailed-3)*authFailDelay)
1820 c.authFailed++ // Compensated on success.
1822 // On the 3rd failed authentication, start responding slowly. Successful auth will
1823 // cause fast responses again.
1824 if c.authFailed >= 3 {
1829 acc, err := store.OpenEmailAuth(c.log, userid, password)
1831 authResult = "badcreds"
1833 if errors.Is(err, store.ErrUnknownCredentials) {
1834 code = "AUTHENTICATIONFAILED"
1835 c.log.Info("failed authentication attempt", slog.String("username", userid), slog.Any("remote", c.remoteIP))
1837 xusercodeErrorf(code, "login failed")
1843 c.comm = store.RegisterComm(acc)
1844 c.state = stateAuthenticated
1846 c.writeresultf("%s OK [CAPABILITY %s] login done", tag, c.capabilities())
1849// Enable explicitly opts in to an extension. A server can typically send new kinds
1850// of responses to a client. Most extensions do not require an ENABLE because a
1851// client implicitly opts in to new response syntax by making a requests that uses
1852// new optional extension request syntax.
1854// State: Authenticated and selected.
1855func (c *conn) cmdEnable(tag, cmd string, p *parser) {
1861 caps := []string{p.xatom()}
1864 caps = append(caps, p.xatom())
1867 // Clients should only send capabilities that need enabling.
1868 // We should only echo that we recognize as needing enabling.
1871 for _, s := range caps {
1872 cap := capability(strings.ToUpper(s))
1877 c.enabled[cap] = true
1880 c.enabled[cap] = true
1886 if qresync && !c.enabled[capCondstore] {
1887 c.xensureCondstore(nil)
1888 enabled += " CONDSTORE"
1892 c.bwritelinef("* ENABLED%s", enabled)
1897// If a mailbox is selected, an untagged OK with HIGHESTMODSEQ is written to the
1898// client. If tx is non-nil, it is used to read the HIGHESTMODSEQ from the
1899// database. Otherwise a new read-only transaction is created.
1900func (c *conn) xensureCondstore(tx *bstore.Tx) {
1901 if !c.enabled[capCondstore] {
1902 c.enabled[capCondstore] = true
1903 // todo spec: can we send an untagged enabled response?
1905 if c.mailboxID <= 0 {
1908 var modseq store.ModSeq
1910 modseq = c.xhighestModSeq(tx, c.mailboxID)
1912 c.xdbread(func(tx *bstore.Tx) {
1913 modseq = c.xhighestModSeq(tx, c.mailboxID)
1916 c.bwritelinef("* OK [HIGHESTMODSEQ %d] after condstore-enabling command", modseq.Client())
1920// State: Authenticated and selected.
1921func (c *conn) cmdSelect(tag, cmd string, p *parser) {
1922 c.cmdSelectExamine(true, tag, cmd, p)
1925// State: Authenticated and selected.
1926func (c *conn) cmdExamine(tag, cmd string, p *parser) {
1927 c.cmdSelectExamine(false, tag, cmd, p)
1930// Select and examine are almost the same commands. Select just opens a mailbox for
1931// read/write and examine opens a mailbox readonly.
1933// State: Authenticated and selected.
1934func (c *conn) cmdSelectExamine(isselect bool, tag, cmd string, p *parser) {
1942 name := p.xmailbox()
1944 var qruidvalidity uint32
1945 var qrmodseq int64 // QRESYNC required parameters.
1946 var qrknownUIDs, qrknownSeqSet, qrknownUIDSet *numSet // QRESYNC optional parameters.
1948 seen := map[string]bool{}
1950 for len(seen) == 0 || !p.take(")") {
1951 w := p.xtakelist("CONDSTORE", "QRESYNC")
1953 xsyntaxErrorf("duplicate select parameter %s", w)
1963 // Note: unlike with CONDSTORE, there are no QRESYNC-related commands/parameters
1964 // that enable capabilities.
1965 if !c.enabled[capQresync] {
1967 xsyntaxErrorf("QRESYNC must first be enabled")
1973 qrmodseq = p.xnznumber64()
1975 seqMatchData := p.take("(")
1979 seqMatchData = p.take(" (")
1982 ss0 := p.xnumSet0(false, false)
1983 qrknownSeqSet = &ss0
1985 ss1 := p.xnumSet0(false, false)
1986 qrknownUIDSet = &ss1
1992 panic("missing case for select param " + w)
1998 // Deselect before attempting the new select. This means we will deselect when an
1999 // error occurs during select.
2001 if c.state == stateSelected {
2003 c.bwritelinef("* OK [CLOSED] x")
2007 name = xcheckmailboxname(name, true)
2009 var highestModSeq store.ModSeq
2010 var highDeletedModSeq store.ModSeq
2011 var firstUnseen msgseq = 0
2012 var mb store.Mailbox
2013 c.account.WithRLock(func() {
2014 c.xdbread(func(tx *bstore.Tx) {
2015 mb = c.xmailbox(tx, name, "")
2017 q := bstore.QueryTx[store.Message](tx)
2018 q.FilterNonzero(store.Message{MailboxID: mb.ID})
2019 q.FilterEqual("Expunged", false)
2021 c.uids = []store.UID{}
2023 err := q.ForEach(func(m store.Message) error {
2024 c.uids = append(c.uids, m.UID)
2025 if firstUnseen == 0 && !m.Seen {
2034 xcheckf(err, "fetching uids")
2036 // Condstore extension, find the highest modseq.
2037 if c.enabled[capCondstore] {
2038 highestModSeq = c.xhighestModSeq(tx, mb.ID)
2040 // For QRESYNC, we need to know the highest modset of deleted expunged records to
2041 // maintain synchronization.
2042 if c.enabled[capQresync] {
2043 highDeletedModSeq, err = c.account.HighestDeletedModSeq(tx)
2044 xcheckf(err, "getting highest deleted modseq")
2048 c.applyChanges(c.comm.Get(), true)
2051 if len(mb.Keywords) > 0 {
2052 flags = " " + strings.Join(mb.Keywords, " ")
2054 c.bwritelinef(`* FLAGS (\Seen \Answered \Flagged \Deleted \Draft $Forwarded $Junk $NotJunk $Phishing $MDNSent%s)`, flags)
2055 c.bwritelinef(`* OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft $Forwarded $Junk $NotJunk $Phishing $MDNSent \*)] x`)
2056 if !c.enabled[capIMAP4rev2] {
2057 c.bwritelinef(`* 0 RECENT`)
2059 c.bwritelinef(`* %d EXISTS`, len(c.uids))
2060 if !c.enabled[capIMAP4rev2] && firstUnseen > 0 {
2062 c.bwritelinef(`* OK [UNSEEN %d] x`, firstUnseen)
2064 c.bwritelinef(`* OK [UIDVALIDITY %d] x`, mb.UIDValidity)
2065 c.bwritelinef(`* OK [UIDNEXT %d] x`, mb.UIDNext)
2066 c.bwritelinef(`* LIST () "/" %s`, astring(c.encodeMailbox(mb.Name)).pack(c))
2067 if c.enabled[capCondstore] {
2070 c.bwritelinef(`* OK [HIGHESTMODSEQ %d] x`, highestModSeq.Client())
2074 if qruidvalidity == mb.UIDValidity {
2075 // We send the vanished UIDs at the end, so we can easily combine the modseq
2076 // changes and vanished UIDs that result from that, with the vanished UIDs from the
2077 // case where we don't store enough history.
2078 vanishedUIDs := map[store.UID]struct{}{}
2080 var preVanished store.UID
2081 var oldClientUID store.UID
2082 // If samples of known msgseq and uid pairs are given (they must be in order), we
2083 // use them to determine the earliest UID for which we send VANISHED responses.
2085 if qrknownSeqSet != nil {
2086 if !qrknownSeqSet.isBasicIncreasing() {
2087 xuserErrorf("QRESYNC known message sequence set must be numeric and strictly increasing")
2089 if !qrknownUIDSet.isBasicIncreasing() {
2090 xuserErrorf("QRESYNC known uid set must be numeric and strictly increasing")
2092 seqiter := qrknownSeqSet.newIter()
2093 uiditer := qrknownUIDSet.newIter()
2095 msgseq, ok0 := seqiter.Next()
2096 uid, ok1 := uiditer.Next()
2099 } else if !ok0 || !ok1 {
2100 xsyntaxErrorf("invalid combination of known sequence set and uid set, must be of equal length")
2102 i := int(msgseq - 1)
2103 if i < 0 || i >= len(c.uids) || c.uids[i] != store.UID(uid) {
2104 if uidSearch(c.uids, store.UID(uid)) <= 0 {
2105 // We will check this old client UID for consistency below.
2106 oldClientUID = store.UID(uid)
2110 preVanished = store.UID(uid + 1)
2114 // We gather vanished UIDs and report them at the end. This seems OK because we
2115 // already sent HIGHESTMODSEQ, and a client should know not to commit that value
2116 // until after it has seen the tagged OK of this command. The RFC has a remark
2117 // about ordering of some untagged responses, it's not immediately clear what it
2118 // means, but given the examples appears to allude to servers that decide to not
2119 // send expunge/vanished before the tagged OK.
2122 // We are reading without account lock. Similar to when we process FETCH/SEARCH
2123 // requests. We don't have to reverify existence of the mailbox, so we don't
2124 // rlock, even briefly.
2125 c.xdbread(func(tx *bstore.Tx) {
2126 if oldClientUID > 0 {
2127 // The client sent a UID that is now removed. This is typically fine. But we check
2128 // that it is consistent with the modseq the client sent. If the UID already didn't
2129 // exist at that modseq, the client may be missing some information.
2130 q := bstore.QueryTx[store.Message](tx)
2131 q.FilterNonzero(store.Message{MailboxID: mb.ID, UID: oldClientUID})
2134 // If client claims to be up to date up to and including qrmodseq, and the message
2135 // was deleted at or before that time, we send changes from just before that
2136 // modseq, and we send vanished for all UIDs.
2137 if m.Expunged && qrmodseq >= m.ModSeq.Client() {
2138 qrmodseq = m.ModSeq.Client() - 1
2141 c.bwritelinef("* OK [ALERT] Synchronization inconsistency in client detected. Client tried to sync with a UID that was removed at or after the MODSEQ it sent in the request. Sending all historic message removals for selected mailbox. Full synchronization recommended.")
2143 } else if err != bstore.ErrAbsent {
2144 xcheckf(err, "checking old client uid")
2148 q := bstore.QueryTx[store.Message](tx)
2149 q.FilterNonzero(store.Message{MailboxID: mb.ID})
2150 // Note: we don't filter by Expunged.
2151 q.FilterGreater("ModSeq", store.ModSeqFromClient(qrmodseq))
2152 q.FilterLessEqual("ModSeq", highestModSeq)
2154 err := q.ForEach(func(m store.Message) error {
2155 if m.Expunged && m.UID < preVanished {
2159 if qrknownUIDs != nil && !qrknownUIDs.contains(uint32(m.UID)) {
2163 vanishedUIDs[m.UID] = struct{}{}
2166 msgseq := c.sequence(m.UID)
2168 c.bwritelinef("* %d FETCH (UID %d FLAGS %s MODSEQ (%d))", msgseq, m.UID, flaglist(m.Flags, m.Keywords).pack(c), m.ModSeq.Client())
2172 xcheckf(err, "listing changed messages")
2175 // Add UIDs from client's known UID set to vanished list if we don't have enough history.
2176 if qrmodseq < highDeletedModSeq.Client() {
2177 // If no known uid set was in the request, we substitute 1:max or the empty set.
2179 if qrknownUIDs == nil {
2180 if len(c.uids) > 0 {
2181 qrknownUIDs = &numSet{ranges: []numRange{{first: setNumber{number: 1}, last: &setNumber{number: uint32(c.uids[len(c.uids)-1])}}}}
2183 qrknownUIDs = &numSet{}
2187 iter := qrknownUIDs.newIter()
2189 v, ok := iter.Next()
2193 if c.sequence(store.UID(v)) <= 0 {
2194 vanishedUIDs[store.UID(v)] = struct{}{}
2199 // Now that we have all vanished UIDs, send them over compactly.
2200 if len(vanishedUIDs) > 0 {
2201 l := maps.Keys(vanishedUIDs)
2202 sort.Slice(l, func(i, j int) bool {
2206 for _, s := range compactUIDSet(l).Strings(4*1024 - 32) {
2207 c.bwritelinef("* VANISHED (EARLIER) %s", s)
2213 c.bwriteresultf("%s OK [READ-WRITE] x", tag)
2216 c.bwriteresultf("%s OK [READ-ONLY] x", tag)
2220 c.state = stateSelected
2221 c.searchResult = nil
2225// Create makes a new mailbox, and its parents too if absent.
2227// State: Authenticated and selected.
2228func (c *conn) cmdCreate(tag, cmd string, p *parser) {
2234 name := p.xmailbox()
2240 name = xcheckmailboxname(name, false)
2242 var changes []store.Change
2243 var created []string // Created mailbox names.
2245 c.account.WithWLock(func() {
2246 c.xdbwrite(func(tx *bstore.Tx) {
2249 changes, created, exists, err = c.account.MailboxCreate(tx, name)
2252 xuserErrorf("mailbox already exists")
2254 xcheckf(err, "creating mailbox")
2257 c.broadcast(changes)
2260 for _, n := range created {
2263 if c.enabled[capIMAP4rev2] && n == name && name != origName && !(name == "Inbox" || strings.HasPrefix(name, "Inbox/")) {
2264 oldname = fmt.Sprintf(` ("OLDNAME" (%s))`, string0(c.encodeMailbox(origName)).pack(c))
2266 c.bwritelinef(`* LIST (\Subscribed) "/" %s%s`, astring(c.encodeMailbox(n)).pack(c), oldname)
2271// Delete removes a mailbox and all its messages.
2272// Inbox cannot be removed.
2274// State: Authenticated and selected.
2275func (c *conn) cmdDelete(tag, cmd string, p *parser) {
2281 name := p.xmailbox()
2284 name = xcheckmailboxname(name, false)
2286 // Messages to remove after having broadcasted the removal of messages.
2287 var removeMessageIDs []int64
2289 c.account.WithWLock(func() {
2290 var mb store.Mailbox
2291 var changes []store.Change
2293 c.xdbwrite(func(tx *bstore.Tx) {
2294 mb = c.xmailbox(tx, name, "NONEXISTENT")
2296 var hasChildren bool
2298 changes, removeMessageIDs, hasChildren, err = c.account.MailboxDelete(context.TODO(), c.log, tx, mb)
2300 xusercodeErrorf("HASCHILDREN", "mailbox has a child, only leaf mailboxes can be deleted")
2302 xcheckf(err, "deleting mailbox")
2305 c.broadcast(changes)
2308 for _, mID := range removeMessageIDs {
2309 p := c.account.MessagePath(mID)
2311 c.log.Check(err, "removing message file for mailbox delete", slog.String("path", p))
2317// Rename changes the name of a mailbox.
2318// Renaming INBOX is special, it moves the inbox messages to a new mailbox, leaving inbox empty.
2319// Renaming a mailbox with submailboxes also renames all submailboxes.
2320// Subscriptions stay with the old name, though newly created missing parent
2321// mailboxes for the destination name are automatically subscribed.
2323// State: Authenticated and selected.
2324func (c *conn) cmdRename(tag, cmd string, p *parser) {
2335 src = xcheckmailboxname(src, true)
2336 dst = xcheckmailboxname(dst, false)
2338 c.account.WithWLock(func() {
2339 var changes []store.Change
2341 c.xdbwrite(func(tx *bstore.Tx) {
2342 srcMB := c.xmailbox(tx, src, "NONEXISTENT")
2344 // Inbox is very special. Unlike other mailboxes, its children are not moved. And
2345 // unlike a regular move, its messages are moved to a newly created mailbox. We do
2346 // indeed create a new destination mailbox and actually move the messages.
2349 exists, err := c.account.MailboxExists(tx, dst)
2350 xcheckf(err, "checking if destination mailbox exists")
2352 xusercodeErrorf("ALREADYEXISTS", "destination mailbox %q already exists", dst)
2355 xuserErrorf("cannot move inbox to itself")
2358 uidval, err := c.account.NextUIDValidity(tx)
2359 xcheckf(err, "next uid validity")
2361 dstMB := store.Mailbox{
2363 UIDValidity: uidval,
2365 Keywords: srcMB.Keywords,
2368 err = tx.Insert(&dstMB)
2369 xcheckf(err, "create new destination mailbox")
2371 modseq, err := c.account.NextModSeq(tx)
2372 xcheckf(err, "assigning next modseq")
2374 changes = make([]store.Change, 2) // Placeholders filled in below.
2376 // Move existing messages, with their ID's and on-disk files intact, to the new
2377 // mailbox. We keep the expunged messages, the destination mailbox doesn't care
2379 var oldUIDs []store.UID
2380 q := bstore.QueryTx[store.Message](tx)
2381 q.FilterNonzero(store.Message{MailboxID: srcMB.ID})
2382 q.FilterEqual("Expunged", false)
2384 err = q.ForEach(func(m store.Message) error {
2389 oldUIDs = append(oldUIDs, om.UID)
2391 mc := m.MailboxCounts()
2395 m.MailboxID = dstMB.ID
2396 m.UID = dstMB.UIDNext
2398 m.CreateSeq = modseq
2400 if err := tx.Update(&m); err != nil {
2401 return fmt.Errorf("updating message to move to new mailbox: %w", err)
2404 changes = append(changes, m.ChangeAddUID())
2406 if err := tx.Insert(&om); err != nil {
2407 return fmt.Errorf("adding empty expunge message record to inbox: %w", err)
2411 xcheckf(err, "moving messages from inbox to destination mailbox")
2413 err = tx.Update(&dstMB)
2414 xcheckf(err, "updating uidnext and counts in destination mailbox")
2416 err = tx.Update(&srcMB)
2417 xcheckf(err, "updating counts for inbox")
2419 var dstFlags []string
2420 if tx.Get(&store.Subscription{Name: dstMB.Name}) == nil {
2421 dstFlags = []string{`\Subscribed`}
2423 changes[0] = store.ChangeRemoveUIDs{MailboxID: srcMB.ID, UIDs: oldUIDs, ModSeq: modseq}
2424 changes[1] = store.ChangeAddMailbox{Mailbox: dstMB, Flags: dstFlags}
2425 // changes[2:...] are ChangeAddUIDs
2426 changes = append(changes, srcMB.ChangeCounts(), dstMB.ChangeCounts())
2430 var notExists, alreadyExists bool
2432 changes, _, notExists, alreadyExists, err = c.account.MailboxRename(tx, srcMB, dst)
2435 xusercodeErrorf("NONEXISTENT", "%s", err)
2436 } else if alreadyExists {
2437 xusercodeErrorf("ALREADYEXISTS", "%s", err)
2439 xcheckf(err, "renaming mailbox")
2441 c.broadcast(changes)
2447// Subscribe marks a mailbox path as subscribed. The mailbox does not have to
2448// exist. Subscribed may mean an email client will show the mailbox in its UI
2449// and/or periodically fetch new messages for the mailbox.
2451// State: Authenticated and selected.
2452func (c *conn) cmdSubscribe(tag, cmd string, p *parser) {
2458 name := p.xmailbox()
2461 name = xcheckmailboxname(name, true)
2463 c.account.WithWLock(func() {
2464 var changes []store.Change
2466 c.xdbwrite(func(tx *bstore.Tx) {
2468 changes, err = c.account.SubscriptionEnsure(tx, name)
2469 xcheckf(err, "ensuring subscription")
2472 c.broadcast(changes)
2478// Unsubscribe marks a mailbox as not subscribed. The mailbox doesn't have to exist.
2480// State: Authenticated and selected.
2481func (c *conn) cmdUnsubscribe(tag, cmd string, p *parser) {
2487 name := p.xmailbox()
2490 name = xcheckmailboxname(name, true)
2492 c.account.WithWLock(func() {
2493 c.xdbwrite(func(tx *bstore.Tx) {
2495 err := tx.Delete(&store.Subscription{Name: name})
2496 if err == bstore.ErrAbsent {
2497 exists, err := c.account.MailboxExists(tx, name)
2498 xcheckf(err, "checking if mailbox exists")
2500 xuserErrorf("mailbox does not exist")
2504 xcheckf(err, "removing subscription")
2507 // todo: can we send untagged message about a mailbox no longer being subscribed?
2513// LSUB command for listing subscribed mailboxes.
2514// Removed in IMAP4rev2, only in IMAP4rev1.
2516// State: Authenticated and selected.
2517func (c *conn) cmdLsub(tag, cmd string, p *parser) {
2525 pattern := p.xlistMailbox()
2528 re := xmailboxPatternMatcher(ref, []string{pattern})
2531 c.xdbread(func(tx *bstore.Tx) {
2532 q := bstore.QueryTx[store.Subscription](tx)
2534 subscriptions, err := q.List()
2535 xcheckf(err, "querying subscriptions")
2537 have := map[string]bool{}
2538 subscribedKids := map[string]bool{}
2539 ispercent := strings.HasSuffix(pattern, "%")
2540 for _, sub := range subscriptions {
2543 for p := path.Dir(name); p != "."; p = path.Dir(p) {
2544 subscribedKids[p] = true
2547 if !re.MatchString(name) {
2551 line := fmt.Sprintf(`* LSUB () "/" %s`, astring(c.encodeMailbox(name)).pack(c))
2552 lines = append(lines, line)
2560 qmb := bstore.QueryTx[store.Mailbox](tx)
2562 err = qmb.ForEach(func(mb store.Mailbox) error {
2563 if have[mb.Name] || !subscribedKids[mb.Name] || !re.MatchString(mb.Name) {
2566 line := fmt.Sprintf(`* LSUB (\NoSelect) "/" %s`, astring(c.encodeMailbox(mb.Name)).pack(c))
2567 lines = append(lines, line)
2570 xcheckf(err, "querying mailboxes")
2574 for _, line := range lines {
2575 c.bwritelinef("%s", line)
2580// The namespace command returns the mailbox path separator. We only implement
2581// the personal mailbox hierarchy, no shared/other.
2583// In IMAP4rev2, it was an extension before.
2585// State: Authenticated and selected.
2586func (c *conn) cmdNamespace(tag, cmd string, p *parser) {
2593 c.bwritelinef(`* NAMESPACE (("" "/")) NIL NIL`)
2597// The status command returns information about a mailbox, such as the number of
2598// messages, "uid validity", etc. Nowadays, the extended LIST command can return
2599// the same information about many mailboxes for one command.
2601// State: Authenticated and selected.
2602func (c *conn) cmdStatus(tag, cmd string, p *parser) {
2608 name := p.xmailbox()
2611 attrs := []string{p.xstatusAtt()}
2614 attrs = append(attrs, p.xstatusAtt())
2618 name = xcheckmailboxname(name, true)
2620 var mb store.Mailbox
2622 var responseLine string
2623 c.account.WithRLock(func() {
2624 c.xdbread(func(tx *bstore.Tx) {
2625 mb = c.xmailbox(tx, name, "")
2626 responseLine = c.xstatusLine(tx, mb, attrs)
2630 c.bwritelinef("%s", responseLine)
2635func (c *conn) xstatusLine(tx *bstore.Tx, mb store.Mailbox, attrs []string) string {
2636 status := []string{}
2637 for _, a := range attrs {
2638 A := strings.ToUpper(a)
2641 status = append(status, A, fmt.Sprintf("%d", mb.Total+mb.Deleted))
2643 status = append(status, A, fmt.Sprintf("%d", mb.UIDNext))
2645 status = append(status, A, fmt.Sprintf("%d", mb.UIDValidity))
2647 status = append(status, A, fmt.Sprintf("%d", mb.Unseen))
2649 status = append(status, A, fmt.Sprintf("%d", mb.Deleted))
2651 status = append(status, A, fmt.Sprintf("%d", mb.Size))
2653 status = append(status, A, "0")
2656 status = append(status, A, "NIL")
2657 case "HIGHESTMODSEQ":
2659 status = append(status, A, fmt.Sprintf("%d", c.xhighestModSeq(tx, mb.ID).Client()))
2660 case "DELETED-STORAGE":
2662 // How much storage space could be reclaimed by expunging messages with the
2663 // \Deleted flag. We could keep track of this number and return it efficiently.
2664 // Calculating it each time can be slow, and we don't know if clients request it.
2665 // Clients are not likely to set the deleted flag without immediately expunging
2666 // nowadays. Let's wait for something to need it to go through the trouble, and
2667 // always return 0 for now.
2668 status = append(status, A, "0")
2670 xsyntaxErrorf("unknown attribute %q", a)
2673 return fmt.Sprintf("* STATUS %s (%s)", astring(c.encodeMailbox(mb.Name)).pack(c), strings.Join(status, " "))
2676func flaglist(fl store.Flags, keywords []string) listspace {
2678 flag := func(v bool, s string) {
2680 l = append(l, bare(s))
2683 flag(fl.Seen, `\Seen`)
2684 flag(fl.Answered, `\Answered`)
2685 flag(fl.Flagged, `\Flagged`)
2686 flag(fl.Deleted, `\Deleted`)
2687 flag(fl.Draft, `\Draft`)
2688 flag(fl.Forwarded, `$Forwarded`)
2689 flag(fl.Junk, `$Junk`)
2690 flag(fl.Notjunk, `$NotJunk`)
2691 flag(fl.Phishing, `$Phishing`)
2692 flag(fl.MDNSent, `$MDNSent`)
2693 for _, k := range keywords {
2694 l = append(l, bare(k))
2699// Append adds a message to a mailbox.
2701// State: Authenticated and selected.
2702func (c *conn) cmdAppend(tag, cmd string, p *parser) {
2708 name := p.xmailbox()
2710 var storeFlags store.Flags
2711 var keywords []string
2712 if p.hasPrefix("(") {
2713 // Error must be a syntax error, to properly abort the connection due to literal.
2715 storeFlags, keywords, err = store.ParseFlagsKeywords(p.xflagList())
2717 xsyntaxErrorf("parsing flags: %v", err)
2722 if p.hasPrefix(`"`) {
2728 // todo: only with utf8 should we we accept message headers with utf-8. we currently always accept them.
2729 // todo: this is only relevant if we also support the CATENATE extension?
2731 utf8 := p.take("UTF8 (")
2732 size, sync := p.xliteralSize(0, utf8)
2734 name = xcheckmailboxname(name, true)
2735 c.xdbread(func(tx *bstore.Tx) {
2736 c.xmailbox(tx, name, "TRYCREATE")
2742 // Read the message into a temporary file.
2743 msgFile, err := store.CreateMessageTemp(c.log, "imap-append")
2744 xcheckf(err, "creating temp file for message")
2747 err := msgFile.Close()
2748 c.xsanity(err, "closing APPEND temporary file")
2750 c.xsanity(err, "removing APPEND temporary file")
2752 defer c.xtrace(mlog.LevelTracedata)()
2753 mw := message.NewWriter(msgFile)
2754 msize, err := io.Copy(mw, io.LimitReader(c.br, size))
2755 c.xtrace(mlog.LevelTrace) // Restore.
2757 // Cannot use xcheckf due to %w handling of errIO.
2758 panic(fmt.Errorf("reading literal message: %s (%w)", err, errIO))
2761 xserverErrorf("read %d bytes for message, expected %d (%w)", msize, size, errIO)
2765 line := c.readline(false)
2766 np := newParser(line, c)
2770 line := c.readline(false)
2771 np := newParser(line, c)
2776 name = xcheckmailboxname(name, true)
2779 var mb store.Mailbox
2781 var pendingChanges []store.Change
2783 c.account.WithWLock(func() {
2784 var changes []store.Change
2785 c.xdbwrite(func(tx *bstore.Tx) {
2786 mb = c.xmailbox(tx, name, "TRYCREATE")
2788 // Ensure keywords are stored in mailbox.
2789 var mbKwChanged bool
2790 mb.Keywords, mbKwChanged = store.MergeKeywords(mb.Keywords, keywords)
2792 changes = append(changes, mb.ChangeKeywords())
2797 MailboxOrigID: mb.ID,
2804 ok, maxSize, err := c.account.CanAddMessageSize(tx, m.Size)
2805 xcheckf(err, "checking quota")
2808 xusercodeErrorf("OVERQUOTA", "account over maximum total message size %d", maxSize)
2811 mb.Add(m.MailboxCounts())
2813 // Update mailbox before delivering, which updates uidnext which we mustn't overwrite.
2814 err = tx.Update(&mb)
2815 xcheckf(err, "updating mailbox counts")
2817 err = c.account.DeliverMessage(c.log, tx, &m, msgFile, true, false, false, true)
2818 xcheckf(err, "delivering message")
2821 // Fetch pending changes, possibly with new UIDs, so we can apply them before adding our own new UID.
2823 pendingChanges = c.comm.Get()
2826 // Broadcast the change to other connections.
2827 changes = append(changes, m.ChangeAddUID(), mb.ChangeCounts())
2828 c.broadcast(changes)
2831 if c.mailboxID == mb.ID {
2832 c.applyChanges(pendingChanges, false)
2834 // todo spec: with condstore/qresync, is there a mechanism to the client know the modseq for the appended uid? in theory an untagged fetch with the modseq after the OK APPENDUID could make sense, but this probably isn't allowed.
2835 c.bwritelinef("* %d EXISTS", len(c.uids))
2838 c.writeresultf("%s OK [APPENDUID %d %d] appended", tag, mb.UIDValidity, m.UID)
2841// Idle makes a client wait until the server sends untagged updates, e.g. about
2842// message delivery or mailbox create/rename/delete/subscription, etc. It allows a
2843// client to get updates in real-time, not needing the use for NOOP.
2845// State: Authenticated and selected.
2846func (c *conn) cmdIdle(tag, cmd string, p *parser) {
2853 c.writelinef("+ waiting")
2859 case le := <-c.lineChan():
2861 xcheckf(le.err, "get line")
2864 case <-c.comm.Pending:
2865 c.applyChanges(c.comm.Get(), false)
2867 case <-mox.Shutdown.Done():
2869 c.writelinef("* BYE shutting down")
2874 // Reset the write deadline. In case of little activity, with a command timeout of
2875 // 30 minutes, we have likely passed it.
2876 err := c.conn.SetWriteDeadline(time.Now().Add(5 * time.Minute))
2877 c.log.Check(err, "setting write deadline")
2879 if strings.ToUpper(line) != "DONE" {
2880 // We just close the connection because our protocols are out of sync.
2881 panic(fmt.Errorf("%w: in IDLE, expected DONE", errIO))
2887// Return the quota root for a mailbox name and any current quota's.
2889// State: Authenticated and selected.
2890func (c *conn) cmdGetquotaroot(tag, cmd string, p *parser) {
2895 name := p.xmailbox()
2898 // This mailbox does not have to exist. Caller just wants to know which limits
2899 // would apply. We only have one limit, so we don't use the name otherwise.
2901 name = xcheckmailboxname(name, true)
2903 // Get current usage for account.
2904 var quota, size int64 // Account only has a quota if > 0.
2905 c.account.WithRLock(func() {
2906 quota = c.account.QuotaMessageSize()
2908 c.xdbread(func(tx *bstore.Tx) {
2909 du := store.DiskUsage{ID: 1}
2911 xcheckf(err, "gather used quota")
2912 size = du.MessageSize
2917 // We only have one per account quota, we name it "" like the examples in the RFC.
2919 c.bwritelinef(`* QUOTAROOT %s ""`, astring(name).pack(c))
2921 // We only write the quota response if there is a limit. The syntax doesn't allow
2922 // an empty list, so we cannot send the current disk usage if there is no limit.
2925 c.bwritelinef(`* QUOTA "" (STORAGE %d %d)`, (size+1024-1)/1024, (quota+1024-1)/1024)
2930// Return the quota for a quota root.
2932// State: Authenticated and selected.
2933func (c *conn) cmdGetquota(tag, cmd string, p *parser) {
2938 root := p.xastring()
2941 // We only have a per-account root called "".
2943 xuserErrorf("unknown quota root")
2946 var quota, size int64
2947 c.account.WithRLock(func() {
2948 quota = c.account.QuotaMessageSize()
2950 c.xdbread(func(tx *bstore.Tx) {
2951 du := store.DiskUsage{ID: 1}
2953 xcheckf(err, "gather used quota")
2954 size = du.MessageSize
2959 // We only write the quota response if there is a limit. The syntax doesn't allow
2960 // an empty list, so we cannot send the current disk usage if there is no limit.
2963 c.bwritelinef(`* QUOTA "" (STORAGE %d %d)`, (size+1024-1)/1024, (quota+1024-1)/1024)
2968// Check is an old deprecated command that is supposed to execute some mailbox consistency checks.
2971func (c *conn) cmdCheck(tag, cmd string, p *parser) {
2977 c.account.WithRLock(func() {
2978 c.xdbread(func(tx *bstore.Tx) {
2979 c.xmailboxID(tx, c.mailboxID) // Validate.
2986// Close undoes select/examine, closing the currently opened mailbox and deleting
2987// messages that were marked for deletion with the \Deleted flag.
2990func (c *conn) cmdClose(tag, cmd string, p *parser) {
3002 remove, _ := c.xexpunge(nil, true)
3005 for _, m := range remove {
3006 p := c.account.MessagePath(m.ID)
3008 c.xsanity(err, "removing message file for expunge for close")
3016// expunge messages marked for deletion in currently selected/active mailbox.
3017// if uidSet is not nil, only messages matching the set are deleted.
3019// messages that have been marked expunged from the database are returned, but the
3020// corresponding files still have to be removed.
3022// the highest modseq in the mailbox is returned, typically associated with the
3023// removal of the messages, but if no messages were expunged the current latest max
3024// modseq for the mailbox is returned.
3025func (c *conn) xexpunge(uidSet *numSet, missingMailboxOK bool) (remove []store.Message, highestModSeq store.ModSeq) {
3026 var modseq store.ModSeq
3028 c.account.WithWLock(func() {
3029 var mb store.Mailbox
3031 c.xdbwrite(func(tx *bstore.Tx) {
3032 mb = store.Mailbox{ID: c.mailboxID}
3034 if err == bstore.ErrAbsent {
3035 if missingMailboxOK {
3038 xuserErrorf("%w", store.ErrUnknownMailbox)
3041 qm := bstore.QueryTx[store.Message](tx)
3042 qm.FilterNonzero(store.Message{MailboxID: c.mailboxID})
3043 qm.FilterEqual("Deleted", true)
3044 qm.FilterEqual("Expunged", false)
3045 qm.FilterFn(func(m store.Message) bool {
3046 // Only remove if this session knows about the message and if present in optional uidSet.
3047 return uidSearch(c.uids, m.UID) > 0 && (uidSet == nil || uidSet.containsUID(m.UID, c.uids, c.searchResult))
3050 remove, err = qm.List()
3051 xcheckf(err, "listing messages to delete")
3053 if len(remove) == 0 {
3054 highestModSeq = c.xhighestModSeq(tx, c.mailboxID)
3058 // Assign new modseq.
3059 modseq, err = c.account.NextModSeq(tx)
3060 xcheckf(err, "assigning next modseq")
3061 highestModSeq = modseq
3063 removeIDs := make([]int64, len(remove))
3064 anyIDs := make([]any, len(remove))
3066 for i, m := range remove {
3069 mb.Sub(m.MailboxCounts())
3071 // Update "remove", because RetrainMessage below will save the message.
3072 remove[i].Expunged = true
3073 remove[i].ModSeq = modseq
3075 qmr := bstore.QueryTx[store.Recipient](tx)
3076 qmr.FilterEqual("MessageID", anyIDs...)
3077 _, err = qmr.Delete()
3078 xcheckf(err, "removing message recipients")
3080 qm = bstore.QueryTx[store.Message](tx)
3081 qm.FilterIDs(removeIDs)
3082 n, err := qm.UpdateNonzero(store.Message{Expunged: true, ModSeq: modseq})
3083 if err == nil && n != len(removeIDs) {
3084 err = fmt.Errorf("only %d messages set to expunged, expected %d", n, len(removeIDs))
3086 xcheckf(err, "marking messages marked for deleted as expunged")
3088 err = tx.Update(&mb)
3089 xcheckf(err, "updating mailbox counts")
3091 err = c.account.AddMessageSize(c.log, tx, -totalSize)
3092 xcheckf(err, "updating disk usage")
3094 // Mark expunged messages as not needing training, then retrain them, so if they
3095 // were trained, they get untrained.
3096 for i := range remove {
3097 remove[i].Junk = false
3098 remove[i].Notjunk = false
3100 err = c.account.RetrainMessages(context.TODO(), c.log, tx, remove, true)
3101 xcheckf(err, "untraining expunged messages")
3104 // Broadcast changes to other connections. We may not have actually removed any
3105 // messages, so take care not to send an empty update.
3106 if len(remove) > 0 {
3107 ouids := make([]store.UID, len(remove))
3108 for i, m := range remove {
3111 changes := []store.Change{
3112 store.ChangeRemoveUIDs{MailboxID: c.mailboxID, UIDs: ouids, ModSeq: modseq},
3115 c.broadcast(changes)
3118 return remove, highestModSeq
3121// Unselect is similar to close in that it closes the currently active mailbox, but
3122// it does not remove messages marked for deletion.
3125func (c *conn) cmdUnselect(tag, cmd string, p *parser) {
3135// Expunge deletes messages marked with \Deleted in the currently selected mailbox.
3136// Clients are wiser to use UID EXPUNGE because it allows a UID sequence set to
3137// explicitly opt in to removing specific messages.
3140func (c *conn) cmdExpunge(tag, cmd string, p *parser) {
3147 xuserErrorf("mailbox open in read-only mode")
3150 c.cmdxExpunge(tag, cmd, nil)
3153// UID expunge deletes messages marked with \Deleted in the currently selected
3154// mailbox if they match a UID sequence set.
3157func (c *conn) cmdUIDExpunge(tag, cmd string, p *parser) {
3162 uidSet := p.xnumSet()
3166 xuserErrorf("mailbox open in read-only mode")
3169 c.cmdxExpunge(tag, cmd, &uidSet)
3172// Permanently delete messages for the currently selected/active mailbox. If uidset
3173// is not nil, only those UIDs are removed.
3175func (c *conn) cmdxExpunge(tag, cmd string, uidSet *numSet) {
3178 remove, highestModSeq := c.xexpunge(uidSet, false)
3181 for _, m := range remove {
3182 p := c.account.MessagePath(m.ID)
3184 c.xsanity(err, "removing message file for expunge")
3189 var vanishedUIDs numSet
3190 qresync := c.enabled[capQresync]
3191 for _, m := range remove {
3192 seq := c.xsequence(m.UID)
3193 c.sequenceRemove(seq, m.UID)
3195 vanishedUIDs.append(uint32(m.UID))
3197 c.bwritelinef("* %d EXPUNGE", seq)
3200 if !vanishedUIDs.empty() {
3202 for _, s := range vanishedUIDs.Strings(4*1024 - 32) {
3203 c.bwritelinef("* VANISHED %s", s)
3207 if c.enabled[capCondstore] {
3208 c.writeresultf("%s OK [HIGHESTMODSEQ %d] expunged", tag, highestModSeq.Client())
3215func (c *conn) cmdSearch(tag, cmd string, p *parser) {
3216 c.cmdxSearch(false, tag, cmd, p)
3220func (c *conn) cmdUIDSearch(tag, cmd string, p *parser) {
3221 c.cmdxSearch(true, tag, cmd, p)
3225func (c *conn) cmdFetch(tag, cmd string, p *parser) {
3226 c.cmdxFetch(false, tag, cmd, p)
3230func (c *conn) cmdUIDFetch(tag, cmd string, p *parser) {
3231 c.cmdxFetch(true, tag, cmd, p)
3235func (c *conn) cmdStore(tag, cmd string, p *parser) {
3236 c.cmdxStore(false, tag, cmd, p)
3240func (c *conn) cmdUIDStore(tag, cmd string, p *parser) {
3241 c.cmdxStore(true, tag, cmd, p)
3245func (c *conn) cmdCopy(tag, cmd string, p *parser) {
3246 c.cmdxCopy(false, tag, cmd, p)
3250func (c *conn) cmdUIDCopy(tag, cmd string, p *parser) {
3251 c.cmdxCopy(true, tag, cmd, p)
3255func (c *conn) cmdMove(tag, cmd string, p *parser) {
3256 c.cmdxMove(false, tag, cmd, p)
3260func (c *conn) cmdUIDMove(tag, cmd string, p *parser) {
3261 c.cmdxMove(true, tag, cmd, p)
3264func (c *conn) gatherCopyMoveUIDs(isUID bool, nums numSet) ([]store.UID, []any) {
3265 // Gather uids, then sort so we can return a consistently simple and hard to
3266 // misinterpret COPYUID/MOVEUID response. It seems safer to have UIDs in ascending
3267 // order, because requested uid set of 12:10 is equal to 10:12, so if we would just
3268 // echo whatever the client sends us without reordering, the client can reorder our
3269 // response and interpret it differently than we intended.
3271 uids := c.xnumSetUIDs(isUID, nums)
3272 sort.Slice(uids, func(i, j int) bool {
3273 return uids[i] < uids[j]
3275 uidargs := make([]any, len(uids))
3276 for i, uid := range uids {
3279 return uids, uidargs
3282// Copy copies messages from the currently selected/active mailbox to another named
3286func (c *conn) cmdxCopy(isUID bool, tag, cmd string, p *parser) {
3293 name := p.xmailbox()
3296 name = xcheckmailboxname(name, true)
3298 uids, uidargs := c.gatherCopyMoveUIDs(isUID, nums)
3300 // Files that were created during the copy. Remove them if the operation fails.
3301 var createdIDs []int64
3307 for _, id := range createdIDs {
3308 p := c.account.MessagePath(id)
3310 c.xsanity(err, "cleaning up created file")
3315 var mbDst store.Mailbox
3316 var origUIDs, newUIDs []store.UID
3317 var flags []store.Flags
3318 var keywords [][]string
3319 var modseq store.ModSeq // For messages in new mailbox, assigned when first message is copied.
3321 c.account.WithWLock(func() {
3322 var mbKwChanged bool
3324 c.xdbwrite(func(tx *bstore.Tx) {
3325 mbSrc := c.xmailboxID(tx, c.mailboxID) // Validate.
3326 mbDst = c.xmailbox(tx, name, "TRYCREATE")
3327 if mbDst.ID == mbSrc.ID {
3328 xuserErrorf("cannot copy to currently selected mailbox")
3331 if len(uidargs) == 0 {
3332 xuserErrorf("no matching messages to copy")
3336 modseq, err = c.account.NextModSeq(tx)
3337 xcheckf(err, "assigning next modseq")
3339 // Reserve the uids in the destination mailbox.
3340 uidFirst := mbDst.UIDNext
3341 mbDst.UIDNext += store.UID(len(uidargs))
3343 // Fetch messages from database.
3344 q := bstore.QueryTx[store.Message](tx)
3345 q.FilterNonzero(store.Message{MailboxID: c.mailboxID})
3346 q.FilterEqual("UID", uidargs...)
3347 q.FilterEqual("Expunged", false)
3348 xmsgs, err := q.List()
3349 xcheckf(err, "fetching messages")
3351 if len(xmsgs) != len(uidargs) {
3352 xserverErrorf("uid and message mismatch")
3355 // See if quota allows copy.
3357 for _, m := range xmsgs {
3360 if ok, maxSize, err := c.account.CanAddMessageSize(tx, totalSize); err != nil {
3361 xcheckf(err, "checking quota")
3364 xusercodeErrorf("OVERQUOTA", "account over maximum total message size %d", maxSize)
3366 err = c.account.AddMessageSize(c.log, tx, totalSize)
3367 xcheckf(err, "updating disk usage")
3369 msgs := map[store.UID]store.Message{}
3370 for _, m := range xmsgs {
3373 nmsgs := make([]store.Message, len(xmsgs))
3375 conf, _ := c.account.Conf()
3377 mbKeywords := map[string]struct{}{}
3379 // Insert new messages into database.
3380 var origMsgIDs, newMsgIDs []int64
3381 for i, uid := range uids {
3384 xuserErrorf("messages changed, could not fetch requested uid")
3387 origMsgIDs = append(origMsgIDs, origID)
3389 m.UID = uidFirst + store.UID(i)
3390 m.CreateSeq = modseq
3392 m.MailboxID = mbDst.ID
3393 if m.IsReject && m.MailboxDestinedID != 0 {
3394 // Incorrectly delivered to Rejects mailbox. Adjust MailboxOrigID so this message
3395 // is used for reputation calculation during future deliveries.
3396 m.MailboxOrigID = m.MailboxDestinedID
3400 m.JunkFlagsForMailbox(mbDst, conf)
3401 err := tx.Insert(&m)
3402 xcheckf(err, "inserting message")
3405 origUIDs = append(origUIDs, uid)
3406 newUIDs = append(newUIDs, m.UID)
3407 newMsgIDs = append(newMsgIDs, m.ID)
3408 flags = append(flags, m.Flags)
3409 keywords = append(keywords, m.Keywords)
3410 for _, kw := range m.Keywords {
3411 mbKeywords[kw] = struct{}{}
3414 qmr := bstore.QueryTx[store.Recipient](tx)
3415 qmr.FilterNonzero(store.Recipient{MessageID: origID})
3416 mrs, err := qmr.List()
3417 xcheckf(err, "listing message recipients")
3418 for _, mr := range mrs {
3421 err := tx.Insert(&mr)
3422 xcheckf(err, "inserting message recipient")
3425 mbDst.Add(m.MailboxCounts())
3428 mbDst.Keywords, mbKwChanged = store.MergeKeywords(mbDst.Keywords, maps.Keys(mbKeywords))
3430 err = tx.Update(&mbDst)
3431 xcheckf(err, "updating destination mailbox for uids, keywords and counts")
3433 // Copy message files to new message ID's.
3434 syncDirs := map[string]struct{}{}
3435 for i := range origMsgIDs {
3436 src := c.account.MessagePath(origMsgIDs[i])
3437 dst := c.account.MessagePath(newMsgIDs[i])
3438 dstdir := filepath.Dir(dst)
3439 if _, ok := syncDirs[dstdir]; !ok {
3440 os.MkdirAll(dstdir, 0770)
3441 syncDirs[dstdir] = struct{}{}
3443 err := moxio.LinkOrCopy(c.log, dst, src, nil, true)
3444 xcheckf(err, "link or copy file %q to %q", src, dst)
3445 createdIDs = append(createdIDs, newMsgIDs[i])
3448 for dir := range syncDirs {
3449 err := moxio.SyncDir(c.log, dir)
3450 xcheckf(err, "sync directory")
3453 err = c.account.RetrainMessages(context.TODO(), c.log, tx, nmsgs, false)
3454 xcheckf(err, "train copied messages")
3457 // Broadcast changes to other connections.
3458 if len(newUIDs) > 0 {
3459 changes := make([]store.Change, 0, len(newUIDs)+2)
3460 for i, uid := range newUIDs {
3461 changes = append(changes, store.ChangeAddUID{MailboxID: mbDst.ID, UID: uid, ModSeq: modseq, Flags: flags[i], Keywords: keywords[i]})
3463 changes = append(changes, mbDst.ChangeCounts())
3465 changes = append(changes, mbDst.ChangeKeywords())
3467 c.broadcast(changes)
3471 // All good, prevent defer above from cleaning up copied files.
3475 c.writeresultf("%s OK [COPYUID %d %s %s] copied", tag, mbDst.UIDValidity, compactUIDSet(origUIDs).String(), compactUIDSet(newUIDs).String())
3478// Move moves messages from the currently selected/active mailbox to a named mailbox.
3481func (c *conn) cmdxMove(isUID bool, tag, cmd string, p *parser) {
3488 name := p.xmailbox()
3491 name = xcheckmailboxname(name, true)
3494 xuserErrorf("mailbox open in read-only mode")
3497 uids, uidargs := c.gatherCopyMoveUIDs(isUID, nums)
3499 var mbSrc, mbDst store.Mailbox
3500 var changes []store.Change
3501 var newUIDs []store.UID
3502 var modseq store.ModSeq
3504 c.account.WithWLock(func() {
3505 c.xdbwrite(func(tx *bstore.Tx) {
3506 mbSrc = c.xmailboxID(tx, c.mailboxID) // Validate.
3507 mbDst = c.xmailbox(tx, name, "TRYCREATE")
3508 if mbDst.ID == c.mailboxID {
3509 xuserErrorf("cannot move to currently selected mailbox")
3512 if len(uidargs) == 0 {
3513 xuserErrorf("no matching messages to move")
3516 // Reserve the uids in the destination mailbox.
3517 uidFirst := mbDst.UIDNext
3519 mbDst.UIDNext += store.UID(len(uids))
3521 // Assign a new modseq, for the new records and for the expunged records.
3523 modseq, err = c.account.NextModSeq(tx)
3524 xcheckf(err, "assigning next modseq")
3526 // Update existing record with new UID and MailboxID in database for messages. We
3527 // add a new but expunged record again in the original/source mailbox, for qresync.
3528 // Keeping the original ID for the live message means we don't have to move the
3529 // on-disk message contents file.
3530 q := bstore.QueryTx[store.Message](tx)
3531 q.FilterNonzero(store.Message{MailboxID: c.mailboxID})
3532 q.FilterEqual("UID", uidargs...)
3533 q.FilterEqual("Expunged", false)
3535 msgs, err := q.List()
3536 xcheckf(err, "listing messages to move")
3538 if len(msgs) != len(uidargs) {
3539 xserverErrorf("uid and message mismatch")
3542 keywords := map[string]struct{}{}
3544 conf, _ := c.account.Conf()
3545 for i := range msgs {
3547 if m.UID != uids[i] {
3548 xserverErrorf("internal error: got uid %d, expected %d, for index %d", m.UID, uids[i], i)
3551 mbSrc.Sub(m.MailboxCounts())
3553 // Copy of message record that we'll insert when UID is freed up.
3556 om.ID = 0 // Assign new ID.
3559 m.MailboxID = mbDst.ID
3560 if m.IsReject && m.MailboxDestinedID != 0 {
3561 // Incorrectly delivered to Rejects mailbox. Adjust MailboxOrigID so this message
3562 // is used for reputation calculation during future deliveries.
3563 m.MailboxOrigID = m.MailboxDestinedID
3567 mbDst.Add(m.MailboxCounts())
3570 m.JunkFlagsForMailbox(mbDst, conf)
3573 xcheckf(err, "updating moved message in database")
3575 // Now that UID is unused, we can insert the old record again.
3576 err = tx.Insert(&om)
3577 xcheckf(err, "inserting record for expunge after moving message")
3579 for _, kw := range m.Keywords {
3580 keywords[kw] = struct{}{}
3584 // Ensure destination mailbox has keywords of the moved messages.
3585 var mbKwChanged bool
3586 mbDst.Keywords, mbKwChanged = store.MergeKeywords(mbDst.Keywords, maps.Keys(keywords))
3588 changes = append(changes, mbDst.ChangeKeywords())
3591 err = tx.Update(&mbSrc)
3592 xcheckf(err, "updating source mailbox counts")
3594 err = tx.Update(&mbDst)
3595 xcheckf(err, "updating destination mailbox for uids, keywords and counts")
3597 err = c.account.RetrainMessages(context.TODO(), c.log, tx, msgs, false)
3598 xcheckf(err, "retraining messages after move")
3600 // Prepare broadcast changes to other connections.
3601 changes = make([]store.Change, 0, 1+len(msgs)+2)
3602 changes = append(changes, store.ChangeRemoveUIDs{MailboxID: c.mailboxID, UIDs: uids, ModSeq: modseq})
3603 for _, m := range msgs {
3604 newUIDs = append(newUIDs, m.UID)
3605 changes = append(changes, m.ChangeAddUID())
3607 changes = append(changes, mbSrc.ChangeCounts(), mbDst.ChangeCounts())
3610 c.broadcast(changes)
3615 c.bwritelinef("* OK [COPYUID %d %s %s] moved", mbDst.UIDValidity, compactUIDSet(uids).String(), compactUIDSet(newUIDs).String())
3616 qresync := c.enabled[capQresync]
3617 var vanishedUIDs numSet
3618 for i := 0; i < len(uids); i++ {
3619 seq := c.xsequence(uids[i])
3620 c.sequenceRemove(seq, uids[i])
3622 vanishedUIDs.append(uint32(uids[i]))
3624 c.bwritelinef("* %d EXPUNGE", seq)
3627 if !vanishedUIDs.empty() {
3629 for _, s := range vanishedUIDs.Strings(4*1024 - 32) {
3630 c.bwritelinef("* VANISHED %s", s)
3634 if c.enabled[capQresync] {
3636 c.writeresultf("%s OK [HIGHESTMODSEQ %d] move", tag, modseq.Client())
3642// Store sets a full set of flags, or adds/removes specific flags.
3645func (c *conn) cmdxStore(isUID bool, tag, cmd string, p *parser) {
3652 var unchangedSince *int64
3655 p.xtake("UNCHANGEDSINCE")
3662 c.xensureCondstore(nil)
3664 var plus, minus bool
3667 } else if p.take("-") {
3671 silent := p.take(".SILENT")
3673 var flagstrs []string
3674 if p.hasPrefix("(") {
3675 flagstrs = p.xflagList()
3677 flagstrs = append(flagstrs, p.xflag())
3679 flagstrs = append(flagstrs, p.xflag())
3685 xuserErrorf("mailbox open in read-only mode")
3688 flags, keywords, err := store.ParseFlagsKeywords(flagstrs)
3690 xuserErrorf("parsing flags: %v", err)
3692 var mask store.Flags
3694 mask, flags = flags, store.FlagsAll
3696 mask, flags = flags, store.Flags{}
3698 mask = store.FlagsAll
3701 var mb, origmb store.Mailbox
3702 var updated []store.Message
3703 var changed []store.Message // ModSeq more recent than unchangedSince, will be in MODIFIED response code, and we will send untagged fetch responses so client is up to date.
3704 var modseq store.ModSeq // Assigned when needed.
3705 modified := map[int64]bool{}
3707 c.account.WithWLock(func() {
3708 var mbKwChanged bool
3709 var changes []store.Change
3711 c.xdbwrite(func(tx *bstore.Tx) {
3712 mb = c.xmailboxID(tx, c.mailboxID) // Validate.
3715 uidargs := c.xnumSetCondition(isUID, nums)
3717 if len(uidargs) == 0 {
3721 // Ensure keywords are in mailbox.
3723 mb.Keywords, mbKwChanged = store.MergeKeywords(mb.Keywords, keywords)
3725 err := tx.Update(&mb)
3726 xcheckf(err, "updating mailbox with keywords")
3730 q := bstore.QueryTx[store.Message](tx)
3731 q.FilterNonzero(store.Message{MailboxID: c.mailboxID})
3732 q.FilterEqual("UID", uidargs...)
3733 q.FilterEqual("Expunged", false)
3734 err := q.ForEach(func(m store.Message) error {
3735 // Client may specify a message multiple times, but we only process it once.
../rfc/7162:823
3740 mc := m.MailboxCounts()
3742 origFlags := m.Flags
3743 m.Flags = m.Flags.Set(mask, flags)
3744 oldKeywords := append([]string{}, m.Keywords...)
3746 m.Keywords, _ = store.RemoveKeywords(m.Keywords, keywords)
3748 m.Keywords, _ = store.MergeKeywords(m.Keywords, keywords)
3750 m.Keywords = keywords
3753 keywordsChanged := func() bool {
3754 sort.Strings(oldKeywords)
3755 n := append([]string{}, m.Keywords...)
3757 return !slices.Equal(oldKeywords, n)
3760 // If the message has a more recent modseq than the check requires, we won't modify
3761 // it and report in the final command response.
3764 // unchangedSince 0 always fails the check, we don't turn it into 1 like with our
3765 // internal modseqs. RFC implies that is not required for non-system flags, but we
3767 if unchangedSince != nil && m.ModSeq.Client() > *unchangedSince {
3768 changed = append(changed, m)
3773 // It requires that we keep track of the flags we think the client knows (but only
3774 // on this connection). We don't track that. It also isn't clear why this is
3775 // allowed because it is skipping the condstore conditional check, and the new
3776 // combination of flags could be unintended.
3779 if origFlags == m.Flags && !keywordsChanged() {
3780 // Note: since we didn't update the modseq, we are not adding m.ID to "modified",
3781 // it would skip the modseq check above. We still add m to list of updated, so we
3782 // send an untagged fetch response. But we don't broadcast it.
3783 updated = append(updated, m)
3788 mb.Add(m.MailboxCounts())
3790 // Assign new modseq for first actual change.
3793 modseq, err = c.account.NextModSeq(tx)
3794 xcheckf(err, "next modseq")
3797 modified[m.ID] = true
3798 updated = append(updated, m)
3800 changes = append(changes, m.ChangeFlags(origFlags))
3802 return tx.Update(&m)
3804 xcheckf(err, "storing flags in messages")
3806 if mb.MailboxCounts != origmb.MailboxCounts {
3807 err := tx.Update(&mb)
3808 xcheckf(err, "updating mailbox counts")
3810 changes = append(changes, mb.ChangeCounts())
3813 changes = append(changes, mb.ChangeKeywords())
3816 err = c.account.RetrainMessages(context.TODO(), c.log, tx, updated, false)
3817 xcheckf(err, "training messages")
3820 c.broadcast(changes)
3823 // In the RFC, the section about STORE/UID STORE says we must return MODSEQ when
3824 // UNCHANGEDSINCE was specified. It does not specify it in case UNCHANGEDSINCE
3825 // isn't specified. For that case it does say MODSEQ is needed in unsolicited
3826 // untagged fetch responses. Implying that solicited untagged fetch responses
3827 // should not include MODSEQ (why else mention unsolicited explicitly?). But, in
3828 // the introduction to CONDSTORE it does explicitly specify MODSEQ should be
3829 // included in untagged fetch responses at all times with CONDSTORE-enabled
3830 // connections. It would have been better if the command behaviour was specified in
3831 // the command section, not the introduction to the extension.
3834 if !silent || c.enabled[capCondstore] {
3835 for _, m := range updated {
3838 flags = fmt.Sprintf(" FLAGS %s", flaglist(m.Flags, m.Keywords).pack(c))
3840 var modseqStr string
3841 if c.enabled[capCondstore] {
3842 modseqStr = fmt.Sprintf(" MODSEQ (%d)", m.ModSeq.Client())
3845 c.bwritelinef("* %d FETCH (UID %d%s%s)", c.xsequence(m.UID), m.UID, flags, modseqStr)
3849 // We don't explicitly send flags for failed updated with silent set. The regular
3850 // notification will get the flags to the client.
3853 if len(changed) == 0 {
3858 // Write unsolicited untagged fetch responses for messages that didn't pass the
3861 var mnums []store.UID
3862 for _, m := range changed {
3863 c.bwritelinef("* %d FETCH (UID %d FLAGS %s MODSEQ (%d))", c.xsequence(m.UID), m.UID, flaglist(m.Flags, m.Keywords).pack(c), m.ModSeq.Client())
3865 mnums = append(mnums, m.UID)
3867 mnums = append(mnums, store.UID(c.xsequence(m.UID)))
3871 sort.Slice(mnums, func(i, j int) bool {
3872 return mnums[i] < mnums[j]
3874 set := compactUIDSet(mnums)
3876 c.writeresultf("%s OK [MODIFIED %s] conditional store did not modify all", tag, set.String())