IMAP Replacement

For the IMAP/IMAPS-fetch-to-maildir use case there is now IMAPdl - an IMAP4v1 Download Client.

Some advantage it has in comparison to mailcp:

  • it is faster
  • it is more robust
  • it is able to resume the deletion of already fetched messages on the next run
  • the message flags are mapped to maildir flags

2014-06-03, Georg Sauthoff


mailcp is a small program to copy mail. My main usage of mailcp is to periodically deliver my mail from an IMAPS server to my local maildir-mailbox.

mailcp uses libvmime to support various mailbox types.


$ cat config
$ ./mailcp -r cert -d -f config

In this example mailcp is instructed to trust server certificates, which are signed by the root certificate from file cert, to delete the copied messages from the source, if the transfer was successful and to read source and destination from the file config.

other url schemes are:

    where protocol is one of {imap, imaps, pop3, pop3s, smtp, smtps,
                              maildir, sendmail }
    host must be non-empty - e.g. for maildir just set it to localhost

mailcp is designed as one-tool-for-one-job and it tries to follow the KISS (keep it simple) principle.

mailcp supports TLS in the expected way. I.e. if a server certificate does not validate, no connection is established. It is possible to supply trusted/root certificates in various formats for consideration by mailcp.

mailcp cares about data safety, i.e. if source messages are deleted, it is made sure that they reliably exist at the destination. libvmime was reviewed and lightly changed (changes were integrated into libvmime), such that fsync is called at the right places, and the posix system calls are checked for all eventualities.



  • GNU make
  • C++ Compiler (GCC g++ is fine)
  • libvmime (

    0.9.0 - currently this means svn trunk - or a future release

    $ make mailcp LDLIBS=-lvmime CXXFLAGS="-O -g -Wall" $ cp mailcp $PREFIX/bin

where PREFIX is your favourite destination

Or if you want to build a debug version:

in vmime src dir:

$ scons debug=yes prefix=$PREFIX
$ scons debug=yes prefix=$PREFIX install

in the mailcp dir:

$ make mailcp CXXFLAGS="-g -Wall -I$PREFIX/include" \
              LDLIBS="trunk/vmime/libvmime-debug.a -lgnutls -lgsasl"

For delivering mail from some imap/pop3 server to a local mailbox there exist several tools.

There is fetchmail, which has a scary config file syntax and spools fetched mail into the local MTA. In addition to that it has quite a history of security related issues.

getmail is written in python and tries to be a better fetchmail with easier config file syntax, direct delivery without unnecessary/dangerous MTA spooling, less security issues and overall better design. getmail supports TLS for imap-access etc. but the severe issue with its TLS-support is, that getmail does not do any server-certificate validation.

The author plans to support server-certificate validation at some point in the future, but only as an optional feature.

Thus, getmail nicely invites man-in-the-middle-attackers.

I.e. when using getmail with imaps an attacker is able to read your mail, delete your mail, manipulate your mail and spy your username/password.


  1. Why mailcp does not support spam filtering?

mailcp just copies mails and tries to be good at it. E.g. if you don't want to deliver all your mail from some imap server to ~/mail/in and instead filter spam to ~/mail/spam, just invoke first mailcp and then a specialized mail filter program.

Example: 1. mailcp imap-server -> ~/mail/incoming/ 2. call formail for ~/mail/incoming with procmail -f custom-procmailrc (pipes mail through spamassassin, crm114 or something like that) * filter rule for ham to ~/mail/inbox/ * filter rule for spam to ~/mail/spam/ => for convenience, just put both command lines into some wrapper shell-script

  1. Howto find out which certificates the remote server sends?

    $ openssl s_client -showcerts -connect


   $ gnutls-cli --port 993

And to check if a certain root certificate is the right one for a certain server:

   $ gnutls-cli --x509cafile someOverpaidRootCertificateAuthority.pem \
                --port 993