1// Package imapserver implements an IMAPv4 server, rev2 (RFC 9051) and rev1 with extensions (RFC 3501 and more).
7IMAP4rev2 includes functionality that was in extensions for IMAP4rev1. The
8extensions sometimes include features not in IMAP4rev2. We want IMAP4rev1-only
9implementations to use extensions, so we implement the full feature set of the
10extension and announce it as capability. The extensions: LITERAL+, IDLE,
11NAMESPACE, BINARY, UNSELECT, UIDPLUS, ESEARCH, SEARCHRES, SASL-IR, ENABLE,
12LIST-EXTENDED, SPECIAL-USE, MOVE, UTF8=ONLY.
14We take a liberty with UTF8=ONLY. We are supposed to wait for ENABLE of
15UTF8=ACCEPT or IMAP4rev2 before we respond with quoted strings that contain
16non-ASCII UTF-8. Until that's enabled, we do use UTF-7 for mailbox names. See
19- We never execute multiple commands at the same time for a connection. We expect a client to open multiple connections instead.
../rfc/9051:1110
20- Do not write output on a connection with an account lock held. Writing can block, a slow client could block account operations.
21- When handling commands that modify the selected mailbox, always check that the mailbox is not opened readonly. And always revalidate the selected mailbox, another session may have deleted the mailbox.
22- After making changes to an account/mailbox/message, you must broadcast changes. You must do this with the account lock held. Otherwise, other later changes (e.g. message deliveries) may be made and broadcast before changes that were made earlier. Make sure to commit changes in the database first, because the commit may fail.
23- Mailbox hierarchies are slash separated, no leading slash. We keep the case, except INBOX is renamed to Inbox, also for submailboxes in INBOX. We don't allow existence of a child where its parent does not exist. We have no \NoInferiors or \NoSelect. Newly created mailboxes are automatically subscribed.
24- For CONDSTORE and QRESYNC support, we set "modseq" for each change/expunge. Once expunged, a modseq doesn't change anymore. We don't yet remove old expunged records. The records aren't too big. Next step may be to let an admin reclaim space manually.
28- todo: do not return binary data for a fetch body. at least not for imap4rev1. we should be encoding it as base64?
29- todo: try to recover from syntax errors when the last command line ends with a }, i.e. a literal. we currently abort the entire connection. we may want to read some amount of literal data and continue with a next command.
62 "golang.org/x/text/unicode/norm"
64 "github.com/prometheus/client_golang/prometheus"
65 "github.com/prometheus/client_golang/prometheus/promauto"
67 "github.com/mjl-/bstore"
68 "github.com/mjl-/flate"
70 "github.com/mjl-/mox/config"
71 "github.com/mjl-/mox/junk"
72 "github.com/mjl-/mox/message"
73 "github.com/mjl-/mox/metrics"
74 "github.com/mjl-/mox/mlog"
75 "github.com/mjl-/mox/mox-"
76 "github.com/mjl-/mox/moxio"
77 "github.com/mjl-/mox/moxvar"
78 "github.com/mjl-/mox/ratelimit"
79 "github.com/mjl-/mox/scram"
80 "github.com/mjl-/mox/store"
84 metricIMAPConnection = promauto.NewCounterVec(
85 prometheus.CounterOpts{
86 Name: "mox_imap_connection_total",
87 Help: "Incoming IMAP connections.",
90 "service", // imap, imaps
93 metricIMAPCommands = promauto.NewHistogramVec(
94 prometheus.HistogramOpts{
95 Name: "mox_imap_command_duration_seconds",
96 Help: "IMAP command duration and result codes in seconds.",
97 Buckets: []float64{0.001, 0.005, 0.01, 0.05, 0.100, 0.5, 1, 5, 10, 20},
101 "result", // ok, panic, ioerror, badsyntax, servererror, usererror, error
106var unhandledPanics atomic.Int64 // For tests.
108var limiterConnectionrate, limiterConnections *ratelimit.Limiter
111 // Also called by tests, so they don't trigger the rate limiter.
117 limiterConnectionrate = &ratelimit.Limiter{
118 WindowLimits: []ratelimit.WindowLimit{
121 Limits: [...]int64{300, 900, 2700},
125 limiterConnections = &ratelimit.Limiter{
126 WindowLimits: []ratelimit.WindowLimit{
128 Window: time.Duration(math.MaxInt64), // All of time.
129 Limits: [...]int64{30, 90, 270},
135// Delay after bad/suspicious behaviour. Tests set these to zero.
136var badClientDelay = time.Second // Before reads and after 1-byte writes for probably spammers.
137var authFailDelay = time.Second // After authentication failure.
139// Capabilities (extensions) the server supports. Connections will add a few more,
140// e.g. STARTTLS, LOGINDISABLED, AUTH=PLAIN.
142// We always announce support for SCRAM PLUS-variants, also on connections without
143// TLS. The client should not be selecting PLUS variants on non-TLS connections,
144// instead opting to do the bare SCRAM variant without indicating the server claims
145// to support the PLUS variant (skipping the server downgrade detection check).
146var serverCapabilities = strings.Join([]string{
162 "CREATE-SPECIAL-USE", //
165 "AUTH=SCRAM-SHA-256", //
167 "AUTH=SCRAM-SHA-1", //
170 "APPENDLIMIT=9223372036854775807", //
../rfc/7889:129, we support the max possible size, 1<<63 - 1
175 "QUOTA=RES-STORAGE", //
188 // "COMPRESS=DEFLATE", //
../rfc/4978, disabled for interoperability issues: The flate reader (inflate) still blocks on partial flushes, preventing progress.
195 connBroken bool // Once broken, we won't flush any more data.
196 tls bool // Whether TLS has been initialized.
197 viaHTTPS bool // Whether this connection came in via HTTPS (using TLS ALPN).
199 br *bufio.Reader // From remote, with TLS unwrapped in case of TLS, and possibly wrapping inflate.
200 tr *moxio.TraceReader // Kept to change trace level when reading/writing cmd/auth/data.
201 line chan lineErr // If set, instead of reading from br, a line is read from this channel. For reading a line in IDLE while also waiting for mailbox/account updates.
202 lastLine string // For detecting if syntax error is fatal, i.e. if this ends with a literal. Without crlf.
203 xbw *bufio.Writer // To remote, with TLS added in case of TLS, and possibly wrapping deflate, see conn.xflateWriter. Writes go through xtw to conn.Write, which panics on errors, hence the "x".
204 xtw *moxio.TraceWriter
205 xflateWriter *moxio.FlateWriter // For flushing output after flushing conn.xbw, and for closing.
206 xflateBW *bufio.Writer // Wraps raw connection writes, xflateWriter writes here, also needs flushing.
207 slow bool // If set, reads are done with a 1 second sleep, and writes are done 1 byte at a time, to keep spammers busy.
208 lastlog time.Time // For printing time since previous log line.
209 baseTLSConfig *tls.Config // Base TLS config to use for handshake.
211 noRequireSTARTTLS bool
212 cmd string // Currently executing, for deciding to xapplyChanges and logging.
213 cmdMetric string // Currently executing, for metrics.
215 ncmds int // Number of commands processed. Used to abort connection when first incoming command is unknown/invalid.
216 log mlog.Log // Used for all synchronous logging on this connection, see logbg for logging in a separate goroutine.
217 enabled map[capability]bool // All upper-case.
218 compress bool // Whether compression is enabled, via compress command.
219 notify *notify // For the NOTIFY extension. Event/change filtering active if non-nil.
221 // Set by SEARCH with SAVE. Can be used by commands accepting a sequence-set with
222 // value "$". When used, UIDs must be verified to still exist, because they may
223 // have been expunged. Cleared by a SELECT or EXAMINE.
224 // Nil means no searchResult is present. An empty list is a valid searchResult,
225 // just not matching any messages.
227 searchResult []store.UID
229 // userAgent is set by the ID command, which can happen at any time (before or
230 // after the authentication attempt we want to log it with).
232 // loginAttempt is set during authentication, typically picked up by the ID command
233 // that soon follows, or it will be flushed within 1s, or on connection teardown.
234 loginAttempt *store.LoginAttempt
235 loginAttemptTime time.Time
237 // Only set when connection has been authenticated. These can be set even when
238 // c.state is stateNotAuthenticated, for TLS client certificate authentication. In
239 // that case, credentials aren't used until the authentication command with the
240 // SASL "EXTERNAL" mechanism.
241 authFailed int // Number of failed auth attempts. For slowing down remote with many failures.
242 noPreauth bool // If set, don't switch connection to "authenticated" after TLS handshake with client certificate authentication.
243 username string // Full username as used during login.
244 account *store.Account
245 comm *store.Comm // For sending/receiving changes on mailboxes in account, e.g. from messages incoming on smtp, or another imap client.
247 mailboxID int64 // Only for StateSelected.
248 readonly bool // If opened mailbox is readonly.
249 uidonly bool // If uidonly is enabled, uids is empty and cannot be used.
250 uidnext store.UID // We don't return search/fetch/etc results for uids >= uidnext, which is updated when applying changes.
251 exists uint32 // Needed for uidonly, equal to len(uids) for non-uidonly sessions.
252 uids []store.UID // UIDs known in this session, sorted. todo future: store more space-efficiently, as ranges.
255// capability for use with ENABLED and CAPABILITY. We always keep this upper case,
256// e.g. IMAP4REV2. These values are treated case-insensitive, but it's easier for
257// comparison to just always have the same case.
258type capability string
261 capIMAP4rev2 capability = "IMAP4REV2"
262 capUTF8Accept capability = "UTF8=ACCEPT"
263 capCondstore capability = "CONDSTORE"
264 capQresync capability = "QRESYNC"
265 capMetadata capability = "METADATA"
266 capUIDOnly capability = "UIDONLY"
277 stateNotAuthenticated state = iota
282func stateCommands(cmds ...string) map[string]struct{} {
283 r := map[string]struct{}{}
284 for _, cmd := range cmds {
291 commandsStateAny = stateCommands("capability", "noop", "logout", "id")
292 commandsStateNotAuthenticated = stateCommands("starttls", "authenticate", "login")
293 commandsStateAuthenticated = stateCommands("enable", "select", "examine", "create", "delete", "rename", "subscribe", "unsubscribe", "list", "namespace", "status", "append", "idle", "lsub", "getquotaroot", "getquota", "getmetadata", "setmetadata", "compress", "esearch", "notify")
294 commandsStateSelected = stateCommands("close", "unselect", "expunge", "search", "fetch", "store", "copy", "move", "uid expunge", "uid search", "uid fetch", "uid store", "uid copy", "uid move", "replace", "uid replace", "esearch")
297// Commands that use sequence numbers. Cannot be used when UIDONLY is enabled.
298// Commands like UID SEARCH have additional checks for some parameters.
299var commandsSequence = stateCommands("search", "fetch", "store", "copy", "move", "replace")
301var commands = map[string]func(c *conn, tag, cmd string, p *parser){
303 "capability": (*conn).cmdCapability,
304 "noop": (*conn).cmdNoop,
305 "logout": (*conn).cmdLogout,
309 "starttls": (*conn).cmdStarttls,
310 "authenticate": (*conn).cmdAuthenticate,
311 "login": (*conn).cmdLogin,
313 // Authenticated and selected.
314 "enable": (*conn).cmdEnable,
315 "select": (*conn).cmdSelect,
316 "examine": (*conn).cmdExamine,
317 "create": (*conn).cmdCreate,
318 "delete": (*conn).cmdDelete,
319 "rename": (*conn).cmdRename,
320 "subscribe": (*conn).cmdSubscribe,
321 "unsubscribe": (*conn).cmdUnsubscribe,
322 "list": (*conn).cmdList,
323 "lsub": (*conn).cmdLsub,
324 "namespace": (*conn).cmdNamespace,
325 "status": (*conn).cmdStatus,
326 "append": (*conn).cmdAppend,
327 "idle": (*conn).cmdIdle,
328 "getquotaroot": (*conn).cmdGetquotaroot,
329 "getquota": (*conn).cmdGetquota,
330 "getmetadata": (*conn).cmdGetmetadata,
331 "setmetadata": (*conn).cmdSetmetadata,
332 "compress": (*conn).cmdCompress,
333 "esearch": (*conn).cmdEsearch,
337 "check": (*conn).cmdCheck,
338 "close": (*conn).cmdClose,
339 "unselect": (*conn).cmdUnselect,
340 "expunge": (*conn).cmdExpunge,
341 "uid expunge": (*conn).cmdUIDExpunge,
342 "search": (*conn).cmdSearch,
343 "uid search": (*conn).cmdUIDSearch,
344 "fetch": (*conn).cmdFetch,
345 "uid fetch": (*conn).cmdUIDFetch,
346 "store": (*conn).cmdStore,
347 "uid store": (*conn).cmdUIDStore,
348 "copy": (*conn).cmdCopy,
349 "uid copy": (*conn).cmdUIDCopy,
350 "move": (*conn).cmdMove,
351 "uid move": (*conn).cmdUIDMove,
353 "replace": (*conn).cmdReplace,
354 "uid replace": (*conn).cmdUIDReplace,
357var errIO = errors.New("io error") // For read/write errors and errors that should close the connection.
358var errProtocol = errors.New("protocol error") // For protocol errors for which a stack trace should be printed.
362// check err for sanity.
363// if not nil and checkSanity true (set during tests), then panic. if not nil during normal operation, just log.
364func (c *conn) xsanity(err error, format string, args ...any) {
369 panic(fmt.Errorf("%s: %s", fmt.Sprintf(format, args...), err))
371 c.log.Errorx(fmt.Sprintf(format, args...), err)
374func (c *conn) xbrokenf(format string, args ...any) {
376 panic(fmt.Errorf(format, args...))
381// Listen initializes all imap listeners for the configuration, and stores them for Serve to start them.
383 names := slices.Sorted(maps.Keys(mox.Conf.Static.Listeners))
384 for _, name := range names {
385 listener := mox.Conf.Static.Listeners[name]
387 var tlsConfig *tls.Config
388 var noTLSClientAuth bool
389 if listener.TLS != nil {
390 tlsConfig = listener.TLS.Config
391 noTLSClientAuth = listener.TLS.ClientAuthDisabled
394 if listener.IMAP.Enabled {
395 port := config.Port(listener.IMAP.Port, 143)
396 for _, ip := range listener.IPs {
397 listen1("imap", name, ip, port, tlsConfig, false, noTLSClientAuth, listener.IMAP.NoRequireSTARTTLS)
401 if listener.IMAPS.Enabled {
402 port := config.Port(listener.IMAPS.Port, 993)
403 for _, ip := range listener.IPs {
404 listen1("imaps", name, ip, port, tlsConfig, true, noTLSClientAuth, false)
412func listen1(protocol, listenerName, ip string, port int, tlsConfig *tls.Config, xtls, noTLSClientAuth, noRequireSTARTTLS bool) {
413 log := mlog.New("imapserver", nil)
414 addr := net.JoinHostPort(ip, fmt.Sprintf("%d", port))
415 if os.Getuid() == 0 {
416 log.Print("listening for imap",
417 slog.String("listener", listenerName),
418 slog.String("addr", addr),
419 slog.String("protocol", protocol))
421 network := mox.Network(ip)
422 ln, err := mox.Listen(network, addr)
424 log.Fatalx("imap: listen for imap", err, slog.String("protocol", protocol), slog.String("listener", listenerName))
427 // Each listener gets its own copy of the config, so session keys between different
428 // ports on same listener aren't shared. We rotate session keys explicitly in this
429 // base TLS config because each connection clones the TLS config before using. The
430 // base TLS config would never get automatically managed/rotated session keys.
431 if tlsConfig != nil {
432 tlsConfig = tlsConfig.Clone()
433 mox.StartTLSSessionTicketKeyRefresher(mox.Shutdown, log, tlsConfig)
438 conn, err := ln.Accept()
440 log.Infox("imap: accept", err, slog.String("protocol", protocol), slog.String("listener", listenerName))
444 metricIMAPConnection.WithLabelValues(protocol).Inc()
445 go serve(listenerName, mox.Cid(), tlsConfig, conn, xtls, noTLSClientAuth, noRequireSTARTTLS, false, "")
449 servers = append(servers, serve)
452// ServeTLSConn serves IMAP on a TLS connection.
453func ServeTLSConn(listenerName string, conn *tls.Conn, tlsConfig *tls.Config) {
454 serve(listenerName, mox.Cid(), tlsConfig, conn, true, true, false, true, "")
457func ServeConnPreauth(listenerName string, cid int64, conn net.Conn, preauthAddress string) {
458 serve(listenerName, cid, nil, conn, false, true, true, false, preauthAddress)
461// Serve starts serving on all listeners, launching a goroutine per listener.
463 for _, serve := range servers {
469// Logbg returns a logger for logging in the background (in a goroutine), eg for
470// logging LoginAttempts. The regular c.log has a handler that evaluates fields on
471// the connection at time of logging, which may happen at the same time as
472// modifications to those fields.
473func (c *conn) logbg() mlog.Log {
474 log := mlog.New("imapserver", nil).WithCid(c.cid)
475 if c.username != "" {
476 log = log.With(slog.String("username", c.username))
481// returns whether this connection accepts utf-8 in strings.
482func (c *conn) utf8strings() bool {
483 return c.enabled[capIMAP4rev2] || c.enabled[capUTF8Accept]
486func (c *conn) xdbwrite(fn func(tx *bstore.Tx)) {
487 err := c.account.DB.Write(context.TODO(), func(tx *bstore.Tx) error {
491 xcheckf(err, "transaction")
494func (c *conn) xdbread(fn func(tx *bstore.Tx)) {
495 err := c.account.DB.Read(context.TODO(), func(tx *bstore.Tx) error {
499 xcheckf(err, "transaction")
502// Closes the currently selected/active mailbox, setting state from selected to authenticated.
503// Does not remove messages marked for deletion.
504func (c *conn) unselect() {
505 // Flush any pending delayed changes as if the mailbox is still selected. Probably
506 // better than causing STATUS responses for the mailbox being unselected but which
507 // is still selected.
508 c.flushNotifyDelayed()
510 if c.state == stateSelected {
511 c.state = stateAuthenticated
519func (c *conn) flushNotifyDelayed() {
523 delayed := c.notify.Delayed
524 c.notify.Delayed = nil
525 c.flushChanges(delayed)
528// flushChanges is called for NOTIFY changes we shouldn't send untagged messages
529// about but must process for message removals. We don't update the selected
530// mailbox message sequence numbers, since the client would have no idea we
531// adjusted message sequence numbers. Combined with NOTIFY NONE, this means
532// messages may be erased that the client thinks still exists in its session.
533func (c *conn) flushChanges(changes []store.Change) {
534 for _, change := range changes {
535 switch ch := change.(type) {
536 case store.ChangeRemoveUIDs:
537 c.comm.RemovalSeen(ch)
542func (c *conn) setSlow(on bool) {
544 c.log.Debug("connection changed to slow")
545 } else if !on && c.slow {
546 c.log.Debug("connection restored to regular pace")
551// Write makes a connection an io.Writer. It panics for i/o errors. These errors
552// are handled in the connection command loop.
553func (c *conn) Write(buf []byte) (int, error) {
561 err := c.conn.SetWriteDeadline(time.Now().Add(30 * time.Second))
562 c.log.Check(err, "setting write deadline")
564 nn, err := c.conn.Write(buf[:chunk])
566 c.xbrokenf("write: %s (%w)", err, errIO)
570 if len(buf) > 0 && badClientDelay > 0 {
571 mox.Sleep(mox.Context, badClientDelay)
577func (c *conn) xtraceread(level slog.Level) func() {
580 c.tr.SetTrace(mlog.LevelTrace)
584func (c *conn) xtracewrite(level slog.Level) func() {
586 c.xtw.SetTrace(level)
589 c.xtw.SetTrace(mlog.LevelTrace)
593// Cache of line buffers for reading commands.
595var bufpool = moxio.NewBufpool(8, 16*1024)
597// read line from connection, not going through line channel.
598func (c *conn) readline0() (string, error) {
599 if c.slow && badClientDelay > 0 {
600 mox.Sleep(mox.Context, badClientDelay)
603 d := 30 * time.Minute
604 if c.state == stateNotAuthenticated {
607 err := c.conn.SetReadDeadline(time.Now().Add(d))
608 c.log.Check(err, "setting read deadline")
610 line, err := bufpool.Readline(c.log, c.br)
611 if err != nil && errors.Is(err, moxio.ErrLineTooLong) {
612 return "", fmt.Errorf("%s (%w)", err, errProtocol)
613 } else if err != nil {
614 return "", fmt.Errorf("%s (%w)", err, errIO)
619func (c *conn) lineChan() chan lineErr {
621 c.line = make(chan lineErr, 1)
623 line, err := c.readline0()
624 c.line <- lineErr{line, err}
630// readline from either the c.line channel, or otherwise read from connection.
631func (c *conn) xreadline(readCmd bool) string {
637 line, err = le.line, le.err
639 line, err = c.readline0()
642 if readCmd && errors.Is(err, os.ErrDeadlineExceeded) {
643 err := c.conn.SetDeadline(time.Now().Add(10 * time.Second))
644 c.log.Check(err, "setting deadline")
645 c.xwritelinef("* BYE inactive")
648 if !errors.Is(err, errIO) && !errors.Is(err, errProtocol) {
649 c.xbrokenf("%s (%w)", err, errIO)
655 // We typically respond immediately (IDLE is an exception).
656 // The client may not be reading, or may have disappeared.
657 // Don't wait more than 5 minutes before closing down the connection.
658 // The write deadline is managed in IDLE as well.
659 // For unauthenticated connections, we require the client to read faster.
660 wd := 5 * time.Minute
661 if c.state == stateNotAuthenticated {
662 wd = 30 * time.Second
664 err = c.conn.SetWriteDeadline(time.Now().Add(wd))
665 c.log.Check(err, "setting write deadline")
670// write tagged command response, but first write pending changes.
671func (c *conn) xwriteresultf(format string, args ...any) {
672 c.xbwriteresultf(format, args...)
676// write buffered tagged command response, but first write pending changes.
677func (c *conn) xbwriteresultf(format string, args ...any) {
679 case "fetch", "store", "search":
681 case "select", "examine":
682 // We don't send changes before having confirmed opening the mailbox, to prevent
683 // clients from trying to interpret changes when it considers there isn't a
684 // selected mailbox yet.
687 overflow, changes := c.comm.Get()
688 c.xapplyChanges(overflow, changes, true)
691 c.xbwritelinef(format, args...)
694func (c *conn) xwritelinef(format string, args ...any) {
695 c.xbwritelinef(format, args...)
699// Buffer line for write.
700func (c *conn) xbwritelinef(format string, args ...any) {
702 fmt.Fprintf(c.xbw, format, args...)
705func (c *conn) xflush() {
706 // If the connection is already broken, we're not going to write more.
712 xcheckf(err, "flush") // Should never happen, the Write caused by the Flush should panic on i/o error.
714 // If compression is enabled, we need to flush its stream.
716 // Note: Flush writes a sync message if there is nothing to flush. Ideally we
717 // wouldn't send that, but we would have to keep track of whether data needs to be
719 err := c.xflateWriter.Flush()
720 xcheckf(err, "flush deflate")
722 // The flate writer writes to a bufio.Writer, we must also flush that.
723 err = c.xflateBW.Flush()
724 xcheckf(err, "flush deflate writer")
728func (c *conn) parseCommand(tag *string, line string) (cmd string, p *parser) {
729 p = newParser(line, c)
735 return cmd, newParser(p.remainder(), c)
738func (c *conn) xreadliteral(size int64, sync bool) []byte {
742 buf := make([]byte, size)
744 if err := c.conn.SetReadDeadline(time.Now().Add(30 * time.Second)); err != nil {
745 c.log.Errorx("setting read deadline", err)
748 _, err := io.ReadFull(c.br, buf)
750 c.xbrokenf("reading literal: %s (%w)", err, errIO)
756var cleanClose struct{} // Sentinel value for panic/recover indicating clean close of connection.
758// serve handles a single IMAP connection on nc.
760// If xtls is set, immediate TLS should be enabled on the connection, unless
761// viaHTTP is set, which indicates TLS is already active with the connection coming
762// from the webserver with IMAP chosen through ALPN. activated. If viaHTTP is set,
763// the TLS config ddid not enable client certificate authentication. If xtls is
764// false and tlsConfig is set, STARTTLS may enable TLS later on.
766// If noRequireSTARTTLS is set, TLS is not required for authentication.
768// If accountAddress is not empty, it is the email address of the account to open
771// The connection is closed before returning.
772func serve(listenerName string, cid int64, tlsConfig *tls.Config, nc net.Conn, xtls, noTLSClientAuth, noRequireSTARTTLS, viaHTTPS bool, preauthAddress string) {
774 if a, ok := nc.RemoteAddr().(*net.TCPAddr); ok {
777 // For tests and for imapserve.
778 remoteIP = net.ParseIP("127.0.0.10")
786 noTLSClientAuth: noTLSClientAuth,
788 baseTLSConfig: tlsConfig,
790 noRequireSTARTTLS: noRequireSTARTTLS,
791 enabled: map[capability]bool{},
793 cmdStart: time.Now(),
795 var logmutex sync.Mutex
796 // Also see (and possibly update) c.logbg, for logging in a goroutine.
797 c.log = mlog.New("imapserver", nil).WithFunc(func() []slog.Attr {
799 defer logmutex.Unlock()
802 slog.Int64("cid", c.cid),
803 slog.Duration("delta", now.Sub(c.lastlog)),
806 if c.username != "" {
807 l = append(l, slog.String("username", c.username))
811 c.tr = moxio.NewTraceReader(c.log, "C: ", c.conn)
812 // todo: tracing should be done on whatever comes out of c.br. the remote connection write a command plus data, and bufio can read it in one read, causing a command parser that sets the tracing level to data to have no effect. we are now typically logging sent messages, when mail clients append to the Sent mailbox.
813 c.br = bufio.NewReader(c.tr)
814 c.xtw = moxio.NewTraceWriter(c.log, "S: ", c)
815 c.xbw = bufio.NewWriter(c.xtw)
817 // Many IMAP connections use IDLE to wait for new incoming messages. We'll enable
818 // keepalive to get a higher chance of the connection staying alive, or otherwise
819 // detecting broken connections early.
822 tcpconn = nc.(*tls.Conn).NetConn()
824 if tc, ok := tcpconn.(*net.TCPConn); ok {
825 if err := tc.SetKeepAlivePeriod(5 * time.Minute); err != nil {
826 c.log.Errorx("setting keepalive period", err)
827 } else if err := tc.SetKeepAlive(true); err != nil {
828 c.log.Errorx("enabling keepalive", err)
832 c.log.Info("new connection",
833 slog.Any("remote", c.conn.RemoteAddr()),
834 slog.Any("local", c.conn.LocalAddr()),
835 slog.Bool("tls", xtls),
836 slog.Bool("viahttps", viaHTTPS),
837 slog.String("listener", listenerName))
840 err := c.conn.Close()
842 c.log.Debugx("closing connection", err)
845 // If changes for NOTIFY's SELECTED-DELAYED are still pending, we'll acknowledge
846 // their message removals so the files can be erased.
847 c.flushNotifyDelayed()
849 if c.account != nil {
851 err := c.account.Close()
852 c.xsanity(err, "close account")
858 if x == nil || x == cleanClose {
859 c.log.Info("connection closed")
860 } else if err, ok := x.(error); ok && isClosed(err) {
861 c.log.Infox("connection closed", err)
863 c.log.Error("unhandled panic", slog.Any("err", x))
865 metrics.PanicInc(metrics.Imapserver)
866 unhandledPanics.Add(1) // For tests.
870 if xtls && !viaHTTPS {
871 // Start TLS on connection. We perform the handshake explicitly, so we can set a
872 // timeout, do client certificate authentication, log TLS details afterwards.
873 c.xtlsHandshakeAndAuthenticate(c.conn)
877 case <-mox.Shutdown.Done():
879 c.xwritelinef("* BYE mox shutting down")
884 if !limiterConnectionrate.Add(c.remoteIP, time.Now(), 1) {
885 c.xwritelinef("* BYE connection rate from your ip or network too high, slow down please")
889 // If remote IP/network resulted in too many authentication failures, refuse to serve.
890 if !mox.LimiterFailedAuth.CanAdd(c.remoteIP, time.Now(), 1) {
891 metrics.AuthenticationRatelimitedInc("imap")
892 c.log.Debug("refusing connection due to many auth failures", slog.Any("remoteip", c.remoteIP))
893 c.xwritelinef("* BYE too many auth failures")
897 if !limiterConnections.Add(c.remoteIP, time.Now(), 1) {
898 c.log.Debug("refusing connection due to many open connections", slog.Any("remoteip", c.remoteIP))
899 c.xwritelinef("* BYE too many open connections from your ip or network")
902 defer limiterConnections.Add(c.remoteIP, time.Now(), -1)
904 // We register and unregister the original connection, in case it c.conn is
905 // replaced with a TLS connection later on.
906 mox.Connections.Register(nc, "imap", listenerName)
907 defer mox.Connections.Unregister(nc)
909 if preauthAddress != "" {
910 acc, _, _, err := store.OpenEmail(c.log, preauthAddress, false)
912 c.log.Debugx("open account for preauth address", err, slog.String("address", preauthAddress))
913 c.xwritelinef("* BYE open account for address: %s", err)
916 c.username = preauthAddress
918 c.comm = store.RegisterComm(c.account)
921 if c.account != nil && !c.noPreauth {
922 c.state = stateAuthenticated
923 c.xwritelinef("* PREAUTH [CAPABILITY %s] mox imap welcomes %s", c.capabilities(), c.username)
925 c.xwritelinef("* OK [CAPABILITY %s] mox imap", c.capabilities())
928 // Ensure any pending loginAttempt is written before we stop.
930 if c.loginAttempt != nil {
931 store.LoginAttemptAdd(context.Background(), c.logbg(), *c.loginAttempt)
933 c.loginAttemptTime = time.Time{}
939 c.xflush() // For flushing errors, or commands that did not flush explicitly.
941 // Flush login attempt if it hasn't already been flushed by an ID command within 1s
942 // after authentication.
943 if c.loginAttempt != nil && (c.loginAttempt.UserAgent != "" || time.Since(c.loginAttemptTime) >= time.Second) {
944 store.LoginAttemptAdd(context.Background(), c.logbg(), *c.loginAttempt)
946 c.loginAttemptTime = time.Time{}
951// isClosed returns whether i/o failed, typically because the connection is closed.
952// For connection errors, we often want to generate fewer logs.
953func isClosed(err error) bool {
954 return errors.Is(err, errIO) || errors.Is(err, errProtocol) || mlog.IsClosed(err)
957// newLoginAttempt initializes a c.loginAttempt, for adding to the store after
958// filling in the results and other details.
959func (c *conn) newLoginAttempt(useTLS bool, authMech string) {
960 if c.loginAttempt != nil {
961 store.LoginAttemptAdd(context.Background(), c.logbg(), *c.loginAttempt)
964 c.loginAttemptTime = time.Now()
966 var state *tls.ConnectionState
967 if tc, ok := c.conn.(*tls.Conn); ok && useTLS {
968 v := tc.ConnectionState()
972 localAddr := c.conn.LocalAddr().String()
973 localIP, _, _ := net.SplitHostPort(localAddr)
978 c.loginAttempt = &store.LoginAttempt{
979 RemoteIP: c.remoteIP.String(),
981 TLS: store.LoginAttemptTLS(state),
983 UserAgent: c.userAgent, // May still be empty, to be filled in later.
985 Result: store.AuthError, // Replaced by caller.
989// makeTLSConfig makes a new tls config that is bound to the connection for
990// possible client certificate authentication.
991func (c *conn) makeTLSConfig() *tls.Config {
992 // We clone the config so we can set VerifyPeerCertificate below to a method bound
993 // to this connection. Earlier, we set session keys explicitly on the base TLS
994 // config, so they can be used for this connection too.
995 tlsConf := c.baseTLSConfig.Clone()
997 if c.noTLSClientAuth {
1001 // Allow client certificate authentication, for use with the sasl "external"
1002 // authentication mechanism.
1003 tlsConf.ClientAuth = tls.RequestClientCert
1005 // We verify the client certificate during the handshake. The TLS handshake is
1006 // initiated explicitly for incoming connections and during starttls, so we can
1007 // immediately extract the account name and address used for authentication.
1008 tlsConf.VerifyPeerCertificate = c.tlsClientAuthVerifyPeerCert
1013// tlsClientAuthVerifyPeerCert can be used as tls.Config.VerifyPeerCertificate, and
1014// sets authentication-related fields on conn. This is not called on resumed TLS
1016func (c *conn) tlsClientAuthVerifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
1017 if len(rawCerts) == 0 {
1021 // If we had too many authentication failures from this IP, don't attempt
1022 // authentication. If this is a new incoming connetion, it is closed after the TLS
1024 if !mox.LimiterFailedAuth.CanAdd(c.remoteIP, time.Now(), 1) {
1028 cert, err := x509.ParseCertificate(rawCerts[0])
1030 c.log.Debugx("parsing tls client certificate", err)
1033 if err := c.tlsClientAuthVerifyPeerCertParsed(cert); err != nil {
1034 c.log.Debugx("verifying tls client certificate", err)
1035 return fmt.Errorf("verifying client certificate: %w", err)
1040// tlsClientAuthVerifyPeerCertParsed verifies a client certificate. Called both for
1041// fresh and resumed TLS connections.
1042func (c *conn) tlsClientAuthVerifyPeerCertParsed(cert *x509.Certificate) error {
1043 if c.account != nil {
1044 return fmt.Errorf("cannot authenticate with tls client certificate after previous authentication")
1047 // todo: it would be nice to postpone storing the loginattempt for tls pubkey auth until we have the ID command. but delaying is complicated because we can't get the tls information in this function. that's why we store the login attempt in a goroutine below, where it can can get a lock when accessing the tls connection only when this function has returned. we can't access c.loginAttempt (we would turn it into a slice) in a goroutine without adding more locking. for now we'll do without user-agent/id for tls pub key auth.
1048 c.newLoginAttempt(false, "tlsclientauth")
1050 // Get TLS connection state in goroutine because we are called while performing the
1051 // TLS handshake, which already has the tls connection locked.
1052 conn := c.conn.(*tls.Conn)
1053 la := *c.loginAttempt
1054 c.loginAttempt = nil
1055 logbg := c.logbg() // Evaluate attributes now, can't do it in goroutine.
1058 // In case of panic don't take the whole program down.
1061 c.log.Error("recover from panic", slog.Any("panic", x))
1063 metrics.PanicInc(metrics.Imapserver)
1067 state := conn.ConnectionState()
1068 la.TLS = store.LoginAttemptTLS(&state)
1069 store.LoginAttemptAdd(context.Background(), logbg, la)
1072 if la.Result == store.AuthSuccess {
1073 mox.LimiterFailedAuth.Reset(c.remoteIP, time.Now())
1075 mox.LimiterFailedAuth.Add(c.remoteIP, time.Now(), 1)
1079 // For many failed auth attempts, slow down verification attempts.
1080 if c.authFailed > 3 && authFailDelay > 0 {
1081 mox.Sleep(mox.Context, time.Duration(c.authFailed-3)*authFailDelay)
1083 c.authFailed++ // Compensated on success.
1085 // On the 3rd failed authentication, start responding slowly. Successful auth will
1086 // cause fast responses again.
1087 if c.authFailed >= 3 {
1092 shabuf := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
1093 fp := base64.RawURLEncoding.EncodeToString(shabuf[:])
1094 c.loginAttempt.TLSPubKeyFingerprint = fp
1095 pubKey, err := store.TLSPublicKeyGet(context.TODO(), fp)
1097 if err == bstore.ErrAbsent {
1098 c.loginAttempt.Result = store.AuthBadCredentials
1100 return fmt.Errorf("looking up tls public key with fingerprint %s, subject %q, issuer %q: %v", fp, cert.Subject, cert.Issuer, err)
1102 c.loginAttempt.LoginAddress = pubKey.LoginAddress
1104 // Verify account exists and still matches address. We don't check for account
1105 // login being disabled if preauth is disabled. In that case, sasl external auth
1106 // will be done before credentials can be used, and login disabled will be checked
1107 // then, where it will result in a more helpful error message.
1108 checkLoginDisabled := !pubKey.NoIMAPPreauth
1109 acc, accName, _, err := store.OpenEmail(c.log, pubKey.LoginAddress, checkLoginDisabled)
1110 c.loginAttempt.AccountName = accName
1112 if errors.Is(err, store.ErrLoginDisabled) {
1113 c.loginAttempt.Result = store.AuthLoginDisabled
1115 // note: we cannot send a more helpful error message to the client.
1116 return fmt.Errorf("opening account for address %s for public key %s: %w", pubKey.LoginAddress, fp, err)
1121 c.xsanity(err, "close account")
1124 c.loginAttempt.AccountName = acc.Name
1125 if acc.Name != pubKey.Account {
1126 return fmt.Errorf("tls client public key %s is for account %s, but email address %s is for account %s", fp, pubKey.Account, pubKey.LoginAddress, acc.Name)
1129 c.loginAttempt.Result = store.AuthSuccess
1132 c.noPreauth = pubKey.NoIMAPPreauth
1134 acc = nil // Prevent cleanup by defer.
1135 c.username = pubKey.LoginAddress
1136 c.comm = store.RegisterComm(c.account)
1137 c.log.Debug("tls client authenticated with client certificate",
1138 slog.String("fingerprint", fp),
1139 slog.String("username", c.username),
1140 slog.String("account", c.account.Name),
1141 slog.Any("remote", c.remoteIP))
1145// xtlsHandshakeAndAuthenticate performs the TLS handshake, and verifies a client
1146// certificate if present.
1147func (c *conn) xtlsHandshakeAndAuthenticate(conn net.Conn) {
1148 tlsConn := tls.Server(conn, c.makeTLSConfig())
1150 c.tr = moxio.NewTraceReader(c.log, "C: ", c.conn)
1151 c.br = bufio.NewReader(c.tr)
1153 cidctx := context.WithValue(mox.Context, mlog.CidKey, c.cid)
1154 ctx, cancel := context.WithTimeout(cidctx, time.Minute)
1156 c.log.Debug("starting tls server handshake")
1157 if err := tlsConn.HandshakeContext(ctx); err != nil {
1158 c.xbrokenf("tls handshake: %s (%w)", err, errIO)
1162 cs := tlsConn.ConnectionState()
1163 if cs.DidResume && len(cs.PeerCertificates) > 0 && !c.noTLSClientAuth {
1164 // Verify client after session resumption.
1165 err := c.tlsClientAuthVerifyPeerCertParsed(cs.PeerCertificates[0])
1167 c.xwritelinef("* BYE [ALERT] Error verifying client certificate after TLS session resumption: %s", err)
1168 c.xbrokenf("tls verify client certificate after resumption: %s (%w)", err, errIO)
1172 version, ciphersuite := moxio.TLSInfo(cs)
1173 attrs := []slog.Attr{
1174 slog.String("version", version),
1175 slog.String("ciphersuite", ciphersuite),
1176 slog.String("sni", cs.ServerName),
1177 slog.Bool("resumed", cs.DidResume),
1178 slog.Bool("notlsclientauth", c.noTLSClientAuth),
1179 slog.Int("clientcerts", len(cs.PeerCertificates)),
1181 if c.account != nil {
1182 attrs = append(attrs,
1183 slog.String("account", c.account.Name),
1184 slog.String("username", c.username),
1187 c.log.Debug("tls handshake completed", attrs...)
1190func (c *conn) command() {
1191 var tag, cmd, cmdlow string
1197 metricIMAPCommands.WithLabelValues(c.cmdMetric, result).Observe(float64(time.Since(c.cmdStart)) / float64(time.Second))
1200 logFields := []slog.Attr{
1201 slog.String("cmd", c.cmd),
1202 slog.Duration("duration", time.Since(c.cmdStart)),
1207 if x == nil || x == cleanClose {
1208 c.log.Debug("imap command done", logFields...)
1210 if x == cleanClose {
1211 // If compression was enabled, we flush & close the deflate stream.
1213 // Note: Close and flush can Write and may panic with an i/o error.
1214 if err := c.xflateWriter.Close(); err != nil {
1215 c.log.Debugx("close deflate writer", err)
1216 } else if err := c.xflateBW.Flush(); err != nil {
1217 c.log.Debugx("flush deflate buffer", err)
1225 err, ok := x.(error)
1227 c.log.Error("imap command panic", append([]slog.Attr{slog.Any("panic", x)}, logFields...)...)
1232 var sxerr syntaxError
1234 var serr serverError
1236 c.log.Infox("imap command ioerror", err, logFields...)
1238 if errors.Is(err, errProtocol) {
1242 } else if errors.As(err, &sxerr) {
1243 result = "badsyntax"
1245 // Other side is likely speaking something else than IMAP, send error message and
1246 // stop processing because there is a good chance whatever they sent has multiple
1248 c.xwritelinef("* BYE please try again speaking imap")
1249 c.xbrokenf("not speaking imap (%w)", errIO)
1251 c.log.Debugx("imap command syntax error", sxerr.err, logFields...)
1252 c.log.Info("imap syntax error", slog.String("lastline", c.lastLine))
1253 fatal := strings.HasSuffix(c.lastLine, "+}")
1255 err := c.conn.SetWriteDeadline(time.Now().Add(5 * time.Second))
1256 c.log.Check(err, "setting write deadline")
1258 if sxerr.line != "" {
1259 c.xbwritelinef("%s", sxerr.line)
1262 if sxerr.code != "" {
1263 code = "[" + sxerr.code + "] "
1265 c.xbwriteresultf("%s BAD %s%s unrecognized syntax/command: %v", tag, code, cmd, sxerr.errmsg)
1268 panic(fmt.Errorf("aborting connection after syntax error for command with non-sync literal: %w", errProtocol))
1270 } else if errors.As(err, &serr) {
1271 result = "servererror"
1272 c.log.Errorx("imap command server error", err, logFields...)
1274 c.xbwriteresultf("%s NO %s %v", tag, cmd, err)
1275 } else if errors.As(err, &uerr) {
1276 result = "usererror"
1277 c.log.Debugx("imap command user error", err, logFields...)
1278 if uerr.code != "" {
1279 c.xbwriteresultf("%s NO [%s] %s %v", tag, uerr.code, cmd, err)
1281 c.xbwriteresultf("%s NO %s %v", tag, cmd, err)
1284 // Other type of panic, we pass it on, aborting the connection.
1286 c.log.Errorx("imap command panic", err, logFields...)
1293 // If NOTIFY is enabled, we wait for either a line (with a command) from the
1294 // client, or a change event. If we see a line, we continue below as for the
1295 // non-NOTIFY case, parsing the command.
1297 if c.notify != nil {
1301 case le := <-c.lineChan():
1303 if err := le.err; err != nil {
1304 if errors.Is(err, os.ErrDeadlineExceeded) {
1305 err := c.conn.SetDeadline(time.Now().Add(10 * time.Second))
1306 c.log.Check(err, "setting write deadline")
1307 c.xwritelinef("* BYE inactive")
1310 if !errors.Is(err, errIO) && !errors.Is(err, errProtocol) {
1311 c.xbrokenf("%s (%w)", err, errIO)
1318 case <-c.comm.Pending:
1319 overflow, changes := c.comm.Get()
1320 c.xapplyChanges(overflow, changes, false)
1323 case <-mox.Shutdown.Done():
1325 c.xwritelinef("* BYE shutting down")
1326 c.xbrokenf("shutting down (%w)", errIO)
1330 // Reset the write deadline. In case of little activity, with a command timeout of
1331 // 30 minutes, we have likely passed it.
1332 err := c.conn.SetWriteDeadline(time.Now().Add(5 * time.Minute))
1333 c.log.Check(err, "setting write deadline")
1335 // Without NOTIFY, we just read a line.
1336 line = c.xreadline(true)
1338 cmd, p = c.parseCommand(&tag, line)
1339 cmdlow = strings.ToLower(cmd)
1341 c.cmdStart = time.Now()
1342 c.cmdMetric = "(unrecognized)"
1345 case <-mox.Shutdown.Done():
1347 c.xwritelinef("* BYE shutting down")
1348 c.xbrokenf("shutting down (%w)", errIO)
1352 fn := commands[cmdlow]
1354 xsyntaxErrorf("unknown command %q", cmd)
1359 // Check if command is allowed in this state.
1360 if _, ok1 := commandsStateAny[cmdlow]; ok1 {
1361 } else if _, ok2 := commandsStateNotAuthenticated[cmdlow]; ok2 && c.state == stateNotAuthenticated {
1362 } else if _, ok3 := commandsStateAuthenticated[cmdlow]; ok3 && c.state == stateAuthenticated || c.state == stateSelected {
1363 } else if _, ok4 := commandsStateSelected[cmdlow]; ok4 && c.state == stateSelected {
1364 } else if ok1 || ok2 || ok3 || ok4 {
1365 xuserErrorf("not allowed in this connection state")
1367 xserverErrorf("unrecognized command")
1371 if _, ok := commandsSequence[cmdlow]; ok && c.uidonly {
1372 xsyntaxCodeErrorf("UIDREQUIRED", "cannot use message sequence numbers with uidonly")
1378func (c *conn) broadcast(changes []store.Change) {
1379 if len(changes) == 0 {
1382 c.log.Debug("broadcast changes", slog.Any("changes", changes))
1383 c.comm.Broadcast(changes)
1386// matchStringer matches a string against reference + mailbox patterns.
1387type matchStringer interface {
1388 MatchString(s string) bool
1391type noMatch struct{}
1393// MatchString for noMatch always returns false.
1394func (noMatch) MatchString(s string) bool {
1398// xmailboxPatternMatcher returns a matcher for mailbox names given the reference and patterns.
1399// Patterns can include "%" and "*", matching any character excluding and including a slash respectively.
1400func xmailboxPatternMatcher(ref string, patterns []string) matchStringer {
1401 if strings.HasPrefix(ref, "/") {
1406 for _, pat := range patterns {
1407 if strings.HasPrefix(pat, "/") {
1413 s = path.Join(ref, pat)
1416 // Fix casing for all Inbox paths.
1417 first := strings.SplitN(s, "/", 2)[0]
1418 if strings.EqualFold(first, "Inbox") {
1419 s = "Inbox" + s[len("Inbox"):]
1424 for _, c := range s {
1427 } else if c == '*' {
1430 rs += regexp.QuoteMeta(string(c))
1433 subs = append(subs, rs)
1439 rs := "^(" + strings.Join(subs, "|") + ")$"
1440 re, err := regexp.Compile(rs)
1441 xcheckf(err, "compiling regexp for mailbox patterns")
1445func (c *conn) sequence(uid store.UID) msgseq {
1447 panic("sequence with uidonly")
1449 return uidSearch(c.uids, uid)
1452func uidSearch(uids []store.UID, uid store.UID) msgseq {
1459 return msgseq(i + 1)
1469func (c *conn) xsequence(uid store.UID) msgseq {
1471 panic("xsequence with uidonly")
1473 seq := c.sequence(uid)
1475 xserverErrorf("unknown uid %d (%w)", uid, errProtocol)
1480func (c *conn) sequenceRemove(seq msgseq, uid store.UID) {
1482 panic("sequenceRemove with uidonly")
1485 if c.uids[i] != uid {
1486 xserverErrorf("got uid %d at msgseq %d, expected uid %d", uid, seq, c.uids[i])
1488 copy(c.uids[i:], c.uids[i+1:])
1489 c.uids = c.uids[:c.exists-1]
1491 c.checkUIDs(c.uids, true)
1494// add uid to session, through c.uidnext, and if uidonly isn't enabled to c.uids.
1495// care must be taken that pending changes are fetched while holding the account
1496// wlock, and applied before adding this uid, because those pending changes may
1497// contain another new uid that has to be added first.
1498func (c *conn) uidAppend(uid store.UID) {
1500 if uid < c.uidnext {
1501 panic(fmt.Sprintf("new uid %d < uidnext %d", uid, c.uidnext))
1508 if uidSearch(c.uids, uid) > 0 {
1509 xserverErrorf("uid already present (%w)", errProtocol)
1511 if c.exists > 0 && uid < c.uids[c.exists-1] {
1512 xserverErrorf("new uid %d is smaller than last uid %d (%w)", uid, c.uids[c.exists-1], errProtocol)
1516 c.uids = append(c.uids, uid)
1517 c.checkUIDs(c.uids, true)
1520// sanity check that uids are in ascending order.
1521func (c *conn) checkUIDs(uids []store.UID, checkExists bool) {
1526 if checkExists && uint32(len(uids)) != c.exists {
1527 panic(fmt.Sprintf("exists %d does not match len(uids) %d", c.exists, len(c.uids)))
1530 for i, uid := range uids {
1531 if uid == 0 || i > 0 && uid <= uids[i-1] {
1532 xserverErrorf("bad uids %v", uids)
1537func slicesAny[T any](l []T) []any {
1538 r := make([]any, len(l))
1539 for i, v := range l {
1545// newCachedLastUID returns a method that returns the highest uid for a mailbox,
1546// for interpretation of "*". If mailboxID is for the selected mailbox, the UIDs
1547// visible in the session are taken into account. If there is no UID, 0 is
1548// returned. If an error occurs, xerrfn is called, which should not return.
1549func (c *conn) newCachedLastUID(tx *bstore.Tx, mailboxID int64, xerrfn func(err error)) func() store.UID {
1552 return func() store.UID {
1556 if c.mailboxID == mailboxID {
1561 return c.uids[c.exists-1]
1564 q := bstore.QueryTx[store.Message](tx)
1565 q.FilterNonzero(store.Message{MailboxID: mailboxID})
1566 q.FilterEqual("Expunged", false)
1567 if c.mailboxID == mailboxID {
1568 q.FilterLess("UID", c.uidnext)
1573 if err == bstore.ErrAbsent {
1579 panic(err) // xerrfn should have called panic.
1587// xnumSetEval evaluates nums to uids given the current session state and messages
1588// in the selected mailbox. The returned UIDs are sorted, without duplicates.
1589func (c *conn) xnumSetEval(tx *bstore.Tx, isUID bool, nums numSet) []store.UID {
1590 if nums.searchResult {
1591 // UIDs that do not exist can be ignored.
1596 // Update previously stored UIDs. Some may have been deleted.
1597 // Once deleted a UID will never come back, so we'll just remove those uids.
1599 var uids []store.UID
1600 if len(c.searchResult) > 0 {
1601 q := bstore.QueryTx[store.Message](tx)
1602 q.FilterNonzero(store.Message{MailboxID: c.mailboxID})
1603 q.FilterEqual("Expunged", false)
1604 q.FilterEqual("UID", slicesAny(c.searchResult)...)
1606 for m, err := range q.All() {
1607 xcheckf(err, "looking up messages from search result")
1608 uids = append(uids, m.UID)
1611 c.searchResult = uids
1614 for _, uid := range c.searchResult {
1615 if uidSearch(c.uids, uid) > 0 {
1616 c.searchResult[o] = uid
1620 c.searchResult = c.searchResult[:o]
1622 return c.searchResult
1626 uids := map[store.UID]struct{}{}
1628 // Sequence numbers that don't exist, or * on an empty mailbox, should result in a BAD response.
../rfc/9051:7018
1629 for _, r := range nums.ranges {
1633 xsyntaxErrorf("invalid seqset * on empty mailbox")
1635 ia = int(c.exists) - 1
1637 ia = int(r.first.number - 1)
1638 if ia >= int(c.exists) {
1639 xsyntaxErrorf("msgseq %d not in mailbox", r.first.number)
1643 uids[c.uids[ia]] = struct{}{}
1648 ib = int(c.exists) - 1
1650 ib = int(r.last.number - 1)
1651 if ib >= int(c.exists) {
1652 xsyntaxErrorf("msgseq %d not in mailbox", r.last.number)
1658 for _, uid := range c.uids[ia : ib+1] {
1659 uids[uid] = struct{}{}
1662 return slices.Sorted(maps.Keys(uids))
1665 // UIDs that do not exist can be ignored.
1670 uids := map[store.UID]struct{}{}
1673 xlastUID := c.newCachedLastUID(tx, c.mailboxID, func(xerr error) { xuserErrorf("%s", xerr) })
1674 for _, r := range nums.xinterpretStar(xlastUID).ranges {
1675 q := bstore.QueryTx[store.Message](tx)
1676 q.FilterNonzero(store.Message{MailboxID: c.mailboxID})
1677 q.FilterEqual("Expunged", false)
1679 q.FilterEqual("UID", r.first.number)
1681 q.FilterGreaterEqual("UID", r.first.number)
1682 q.FilterLessEqual("UID", r.last.number)
1684 q.FilterLess("UID", c.uidnext)
1686 for m, err := range q.All() {
1687 xcheckf(err, "enumerating uids")
1688 uids[m.UID] = struct{}{}
1691 return slices.Sorted(maps.Keys(uids))
1694 for _, r := range nums.ranges {
1700 uida := store.UID(r.first.number)
1702 uida = c.uids[c.exists-1]
1705 uidb := store.UID(last.number)
1707 uidb = c.uids[c.exists-1]
1711 uida, uidb = uidb, uida
1714 // Binary search for uida.
1719 if uida < c.uids[m] {
1721 } else if uida > c.uids[m] {
1728 for _, uid := range c.uids[s:] {
1729 if uid >= uida && uid <= uidb {
1730 uids[uid] = struct{}{}
1731 } else if uid > uidb {
1736 return slices.Sorted(maps.Keys(uids))
1739func (c *conn) ok(tag, cmd string) {
1740 c.xbwriteresultf("%s OK %s done", tag, cmd)
1744// xcheckmailboxname checks if name is valid, returning an INBOX-normalized name.
1745// I.e. it changes various casings of INBOX and INBOX/* to Inbox and Inbox/*.
1746// Name is invalid if it contains leading/trailing/double slashes, or when it isn't
1747// unicode-normalized, or when empty or has special characters.
1748func xcheckmailboxname(name string, allowInbox bool) string {
1749 name, isinbox, err := store.CheckMailboxName(name, allowInbox)
1751 xuserErrorf("special mailboxname Inbox not allowed")
1752 } else if err != nil {
1753 xusercodeErrorf("CANNOT", "%s", err)
1758// Lookup mailbox by name.
1759// If the mailbox does not exist, panic is called with a user error.
1760// Must be called with account rlock held.
1761func (c *conn) xmailbox(tx *bstore.Tx, name string, missingErrCode string) store.Mailbox {
1762 mb, err := c.account.MailboxFind(tx, name)
1763 xcheckf(err, "finding mailbox")
1765 // missingErrCode can be empty, or e.g. TRYCREATE or ALREADYEXISTS.
1766 xusercodeErrorf(missingErrCode, "%w", store.ErrUnknownMailbox)
1771// Lookup mailbox by ID.
1772// If the mailbox does not exist, panic is called with a user error.
1773// Must be called with account rlock held.
1774func (c *conn) xmailboxID(tx *bstore.Tx, id int64) store.Mailbox {
1775 mb, err := store.MailboxID(tx, id)
1776 if err == bstore.ErrAbsent {
1777 xuserErrorf("%w", store.ErrUnknownMailbox)
1778 } else if err == store.ErrMailboxExpunged {
1780 xusercodeErrorf("NONEXISTENT", "mailbox has been deleted")
1785// Apply changes to our session state.
1786// Should not be called while holding locks, as changes are written to client connections, which can block.
1787// Does not flush output.
1788func (c *conn) xapplyChanges(overflow bool, changes []store.Change, sendDelayed bool) {
1789 // If more changes were generated than we can process, we send a
1792 if c.notify != nil && len(c.notify.Delayed) > 0 {
1793 changes = append(c.notify.Delayed, changes...)
1795 c.flushChanges(changes)
1796 // We must not send any more unsolicited untagged responses to the client for
1798 c.notify = ¬ify{}
1799 c.xbwritelinef("* OK [NOTIFICATIONOVERFLOW] out of sync after too many pending changes")
1803 // applyChanges for IDLE and NOTIFY. When explicitly in IDLE while NOTIFY is
1805 if c.notify != nil {
1806 c.xapplyChangesNotify(changes, sendDelayed)
1809 if len(changes) == 0 {
1813 // Even in the case of a panic (e.g. i/o errors), we must mark removals as seen.
1814 origChanges := changes
1816 for _, change := range origChanges {
1817 if ch, ok := change.(store.ChangeRemoveUIDs); ok {
1818 c.comm.RemovalSeen(ch)
1823 err := c.conn.SetWriteDeadline(time.Now().Add(5 * time.Minute))
1824 c.log.Check(err, "setting write deadline")
1826 c.log.Debug("applying changes", slog.Any("changes", changes))
1828 // Only keep changes for the selected mailbox, and changes that are always relevant.
1829 var n []store.Change
1830 for _, change := range changes {
1832 switch ch := change.(type) {
1833 case store.ChangeAddUID:
1835 case store.ChangeRemoveUIDs:
1837 case store.ChangeFlags:
1839 case store.ChangeRemoveMailbox, store.ChangeAddMailbox, store.ChangeRenameMailbox, store.ChangeAddSubscription, store.ChangeRemoveSubscription:
1840 n = append(n, change)
1842 case store.ChangeAnnotation:
1843 // note: annotations may have a mailbox associated with them, but we pass all
1846 if c.enabled[capMetadata] {
1847 n = append(n, change)
1850 case store.ChangeMailboxCounts, store.ChangeMailboxSpecialUse, store.ChangeMailboxKeywords, store.ChangeThread:
1852 panic(fmt.Errorf("missing case for %#v", change))
1854 if c.state == stateSelected && mbID == c.mailboxID {
1855 n = append(n, change)
1860 qresync := c.enabled[capQresync]
1861 condstore := c.enabled[capCondstore]
1864 for i < len(changes) {
1865 // First process all new uids. So we only send a single EXISTS.
1866 var adds []store.ChangeAddUID
1867 for ; i < len(changes); i++ {
1868 ch, ok := changes[i].(store.ChangeAddUID)
1873 adds = append(adds, ch)
1876 // Write the exists, and the UID and flags as well. Hopefully the client waits for
1877 // long enough after the EXISTS to see these messages, and doesn't request them
1878 // again with a FETCH.
1879 c.xbwritelinef("* %d EXISTS", c.exists)
1880 for _, add := range adds {
1881 var modseqStr string
1883 modseqStr = fmt.Sprintf(" MODSEQ (%d)", add.ModSeq.Client())
1887 c.xbwritelinef("* %d UIDFETCH (FLAGS %s%s)", add.UID, flaglist(add.Flags, add.Keywords).pack(c), modseqStr)
1889 seq := c.xsequence(add.UID)
1890 c.xbwritelinef("* %d FETCH (UID %d FLAGS %s%s)", seq, add.UID, flaglist(add.Flags, add.Keywords).pack(c), modseqStr)
1896 change := changes[i]
1899 switch ch := change.(type) {
1900 case store.ChangeRemoveUIDs:
1901 var vanishedUIDs numSet
1902 for _, uid := range ch.UIDs {
1906 vanishedUIDs.append(uint32(uid))
1910 seq := c.xsequence(uid)
1911 c.sequenceRemove(seq, uid)
1913 vanishedUIDs.append(uint32(uid))
1915 c.xbwritelinef("* %d EXPUNGE", seq)
1918 if !vanishedUIDs.empty() {
1920 for _, s := range vanishedUIDs.Strings(4*1024 - 32) {
1921 c.xbwritelinef("* VANISHED %s", s)
1925 case store.ChangeFlags:
1926 var modseqStr string
1928 modseqStr = fmt.Sprintf(" MODSEQ (%d)", ch.ModSeq.Client())
1932 c.xbwritelinef("* %d UIDFETCH (FLAGS %s%s)", ch.UID, flaglist(ch.Flags, ch.Keywords).pack(c), modseqStr)
1934 // The uid can be unknown if we just expunged it while another session marked it as deleted just before.
1935 seq := c.sequence(ch.UID)
1939 c.xbwritelinef("* %d FETCH (UID %d FLAGS %s%s)", seq, ch.UID, flaglist(ch.Flags, ch.Keywords).pack(c), modseqStr)
1942 case store.ChangeRemoveMailbox:
1943 // Only announce \NonExistent to modern clients, otherwise they may ignore the
1944 // unrecognized \NonExistent and interpret this as a newly created mailbox, while
1945 // the goal was to remove it...
1946 if c.enabled[capIMAP4rev2] {
1947 c.xbwritelinef(`* LIST (\NonExistent) "/" %s`, mailboxt(ch.Name).pack(c))
1950 case store.ChangeAddMailbox:
1951 c.xbwritelinef(`* LIST (%s) "/" %s`, strings.Join(ch.Flags, " "), mailboxt(ch.Mailbox.Name).pack(c))
1953 case store.ChangeRenameMailbox:
1956 if c.enabled[capIMAP4rev2] {
1957 oldname = fmt.Sprintf(` ("OLDNAME" (%s))`, mailboxt(ch.OldName).pack(c))
1959 c.xbwritelinef(`* LIST (%s) "/" %s%s`, strings.Join(ch.Flags, " "), mailboxt(ch.NewName).pack(c), oldname)
1961 case store.ChangeAddSubscription:
1962 c.xbwritelinef(`* LIST (%s) "/" %s`, strings.Join(append([]string{`\Subscribed`}, ch.ListFlags...), " "), mailboxt(ch.MailboxName).pack(c))
1964 case store.ChangeRemoveSubscription:
1965 c.xbwritelinef(`* LIST (%s) "/" %s`, strings.Join(ch.ListFlags, " "), mailboxt(ch.MailboxName).pack(c))
1967 case store.ChangeAnnotation:
1969 c.xbwritelinef(`* METADATA %s %s`, mailboxt(ch.MailboxName).pack(c), astring(ch.Key).pack(c))
1972 panic(fmt.Sprintf("internal error, missing case for %#v", change))
1977// xapplyChangesNotify is like xapplyChanges, but for NOTIFY, with configurable
1978// mailboxes to notify about, and configurable events to send, including which
1979// fetch attributes to return. All calls must go through xapplyChanges, for overflow
1981func (c *conn) xapplyChangesNotify(changes []store.Change, sendDelayed bool) {
1982 if sendDelayed && len(c.notify.Delayed) > 0 {
1983 changes = append(c.notify.Delayed, changes...)
1984 c.notify.Delayed = nil
1987 if len(changes) == 0 {
1991 // Even in the case of a panic (e.g. i/o errors), we must mark removals as seen.
1992 // For selected-delayed, we may have postponed handling the message, so we call
1993 // RemovalSeen when handling a change, and mark how far we got, so we only process
1994 // changes that we haven't processed yet.
1995 unhandled := changes
1997 for _, change := range unhandled {
1998 if ch, ok := change.(store.ChangeRemoveUIDs); ok {
1999 c.comm.RemovalSeen(ch)
2004 c.log.Debug("applying notify changes", slog.Any("changes", changes))
2006 err := c.conn.SetWriteDeadline(time.Now().Add(5 * time.Minute))
2007 c.log.Check(err, "setting write deadline")
2009 qresync := c.enabled[capQresync]
2010 condstore := c.enabled[capCondstore]
2012 // Prepare for providing a read-only transaction on first-use, for MessageNew fetch
2017 err := tx.Rollback()
2018 c.log.Check(err, "rolling back tx")
2021 xtx := func() *bstore.Tx {
2027 tx, err = c.account.DB.Begin(context.TODO(), false)
2032 // On-demand mailbox lookups, with cache.
2033 mailboxes := map[int64]store.Mailbox{}
2034 xmailbox := func(id int64) store.Mailbox {
2035 if mb, ok := mailboxes[id]; ok {
2038 mb := store.Mailbox{ID: id}
2039 err := xtx().Get(&mb)
2040 xcheckf(err, "get mailbox")
2045 // Keep track of last command, to close any open message file (for fetching
2046 // attributes) in case of a panic.
2055 for index, change := range changes {
2056 switch ch := change.(type) {
2057 case store.ChangeAddUID:
2059 // todo:
../rfc/5465:525 group ChangeAddUID for the same mailbox, so we can send a single EXISTS. useful for imports.
2061 mb := xmailbox(ch.MailboxID)
2062 ms, ev, ok := c.notify.match(c, xtx, mb.ID, mb.Name, eventMessageNew)
2067 // For non-selected mailbox, send STATUS with UIDNEXT, MESSAGES. And HIGESTMODSEQ
2069 // There is no mention of UNSEEN for MessageNew, but clients will want to show a
2070 // new "unread messages" count, and they will have to understand it since
2071 // FlagChange is specified as sending UNSEEN.
2072 if mb.ID != c.mailboxID {
2073 if condstore || qresync {
2074 c.xbwritelinef("* STATUS %s (UIDNEXT %d MESSAGES %d HIGHESTMODSEQ %d UNSEEN %d)", mailboxt(mb.Name).pack(c), ch.UID+1, ch.MessageCountIMAP, ch.ModSeq, ch.Unseen)
2076 c.xbwritelinef("* STATUS %s (UIDNEXT %d MESSAGES %d UNSEEN %d)", mailboxt(mb.Name).pack(c), ch.UID+1, ch.MessageCountIMAP, ch.Unseen)
2081 // Delay sending all message events, we want to prevent synchronization issues
2083 if ms.Kind == mbspecSelectedDelayed && !sendDelayed {
2084 c.notify.Delayed = append(c.notify.Delayed, change)
2091 c.xbwritelinef("* %d EXISTS", c.exists)
2093 // If client did not specify attributes, we'll send the defaults.
2094 if len(ev.FetchAtt) == 0 {
2095 var modseqStr string
2097 modseqStr = fmt.Sprintf(" MODSEQ (%d)", ch.ModSeq.Client())
2099 // NOTIFY does not specify the default fetch attributes to return, we send UID and
2103 c.xbwritelinef("* %d UIDFETCH (FLAGS %s%s)", ch.UID, flaglist(ch.Flags, ch.Keywords).pack(c), modseqStr)
2105 c.xbwritelinef("* %d FETCH (UID %d FLAGS %s%s)", c.xsequence(ch.UID), ch.UID, flaglist(ch.Flags, ch.Keywords).pack(c), modseqStr)
2110 // todo:
../rfc/5465:543 mark messages as \seen after processing if client didn't use the .PEEK-variants.
2111 cmd = &fetchCmd{conn: c, isUID: true, rtx: xtx(), mailboxID: ch.MailboxID, uid: ch.UID}
2112 data, err := cmd.process(ev.FetchAtt)
2114 // There is no good way to notify the client about errors. We continue below to
2115 // send a FETCH with just the UID. And we send an untagged NO in the hope a client
2116 // developer sees the message.
2117 c.log.Errorx("generating notify fetch response", err, slog.Int64("mailboxid", ch.MailboxID), slog.Any("uid", ch.UID))
2118 c.xbwritelinef("* NO generating notify fetch response: %s", err.Error())
2119 // Always add UID, also for uidonly, to ensure a non-empty list.
2120 data = listspace{bare("UID"), number(ch.UID)}
2124 fmt.Fprintf(cmd.conn.xbw, "* %d UIDFETCH ", ch.UID)
2126 fmt.Fprintf(cmd.conn.xbw, "* %d FETCH ", c.xsequence(ch.UID))
2129 defer c.xtracewrite(mlog.LevelTracedata)()
2130 data.xwriteTo(cmd.conn, cmd.conn.xbw)
2131 c.xtracewrite(mlog.LevelTrace) // Restore.
2132 cmd.conn.xbw.Write([]byte("\r\n"))
2138 case store.ChangeRemoveUIDs:
2140 mb := xmailbox(ch.MailboxID)
2141 ms, _, ok := c.notify.match(c, xtx, mb.ID, mb.Name, eventMessageExpunge)
2143 unhandled = changes[index+1:]
2144 c.comm.RemovalSeen(ch)
2148 // For non-selected mailboxes, we send STATUS with at least UIDNEXT and MESSAGES.
2150 // In case of QRESYNC, we send HIGHESTMODSEQ. Also for CONDSTORE, which isn't
2153 // There is no mention of UNSEEN, but clients will want to show a new "unread
2154 // messages" count, and they can parse it since FlagChange is specified as sending
2156 if mb.ID != c.mailboxID {
2157 unhandled = changes[index+1:]
2158 c.comm.RemovalSeen(ch)
2159 if condstore || qresync {
2160 c.xbwritelinef("* STATUS %s (UIDNEXT %d MESSAGES %d HIGHESTMODSEQ %d UNSEEN %d)", mailboxt(mb.Name).pack(c), ch.UIDNext, ch.MessageCountIMAP, ch.ModSeq, ch.Unseen)
2162 c.xbwritelinef("* STATUS %s (UIDNEXT %d MESSAGES %d UNSEEN %d)", mailboxt(mb.Name).pack(c), ch.UIDNext, ch.MessageCountIMAP, ch.Unseen)
2167 // Delay sending all message events, we want to prevent synchronization issues
2169 if ms.Kind == mbspecSelectedDelayed && !sendDelayed {
2170 unhandled = changes[index+1:] // We'll call RemovalSeen in the future.
2171 c.notify.Delayed = append(c.notify.Delayed, change)
2175 unhandled = changes[index+1:]
2176 c.comm.RemovalSeen(ch)
2178 var vanishedUIDs numSet
2179 for _, uid := range ch.UIDs {
2183 vanishedUIDs.append(uint32(uid))
2187 seq := c.xsequence(uid)
2188 c.sequenceRemove(seq, uid)
2190 vanishedUIDs.append(uint32(uid))
2192 c.xbwritelinef("* %d EXPUNGE", seq)
2195 if !vanishedUIDs.empty() {
2197 for _, s := range vanishedUIDs.Strings(4*1024 - 32) {
2198 c.xbwritelinef("* VANISHED %s", s)
2202 case store.ChangeFlags:
2204 mb := xmailbox(ch.MailboxID)
2205 ms, _, ok := c.notify.match(c, xtx, mb.ID, mb.Name, eventFlagChange)
2208 } else if mb.ID != c.mailboxID {
2211 // We include UNSEEN, so clients can update the number of unread messages.
../rfc/5465:479
2212 if condstore || qresync {
2213 c.xbwritelinef("* STATUS %s (HIGHESTMODSEQ %d UIDVALIDITY %d UNSEEN %d)", mailboxt(mb.Name).pack(c), ch.ModSeq, ch.UIDValidity, ch.Unseen)
2215 c.xbwritelinef("* STATUS %s (UIDVALIDITY %d UNSEEN %d)", mailboxt(mb.Name).pack(c), ch.UIDValidity, ch.Unseen)
2220 // Delay sending all message events, we want to prevent synchronization issues
2222 if ms.Kind == mbspecSelectedDelayed && !sendDelayed {
2223 c.notify.Delayed = append(c.notify.Delayed, change)
2227 // The uid can be unknown if we just expunged it while another session marked it as deleted just before.
2230 seq = c.sequence(ch.UID)
2236 var modseqStr string
2238 modseqStr = fmt.Sprintf(" MODSEQ (%d)", ch.ModSeq.Client())
2243 c.xbwritelinef("* %d UIDFETCH (FLAGS %s%s)", ch.UID, flaglist(ch.Flags, ch.Keywords).pack(c), modseqStr)
2245 c.xbwritelinef("* %d FETCH (UID %d FLAGS %s%s)", seq, ch.UID, flaglist(ch.Flags, ch.Keywords).pack(c), modseqStr)
2248 case store.ChangeThread:
2252 case store.ChangeRemoveMailbox:
2253 mb := xmailbox(ch.MailboxID)
2254 _, _, ok := c.notify.match(c, xtx, mb.ID, mb.Name, eventMailboxName)
2260 c.xbwritelinef(`* LIST (\NonExistent) "/" %s`, mailboxt(ch.Name).pack(c))
2262 case store.ChangeAddMailbox:
2263 mb := xmailbox(ch.Mailbox.ID)
2264 _, _, ok := c.notify.match(c, xtx, mb.ID, mb.Name, eventMailboxName)
2268 c.xbwritelinef(`* LIST (%s) "/" %s`, strings.Join(ch.Flags, " "), mailboxt(ch.Mailbox.Name).pack(c))
2270 case store.ChangeRenameMailbox:
2271 mb := xmailbox(ch.MailboxID)
2272 _, _, ok := c.notify.match(c, xtx, mb.ID, mb.Name, eventMailboxName)
2277 oldname := fmt.Sprintf(` ("OLDNAME" (%s))`, mailboxt(ch.OldName).pack(c))
2278 c.xbwritelinef(`* LIST (%s) "/" %s%s`, strings.Join(ch.Flags, " "), mailboxt(ch.NewName).pack(c), oldname)
2281 case store.ChangeAddSubscription:
2282 _, _, ok := c.notify.match(c, xtx, 0, ch.MailboxName, eventSubscriptionChange)
2286 c.xbwritelinef(`* LIST (%s) "/" %s`, strings.Join(append([]string{`\Subscribed`}, ch.ListFlags...), " "), mailboxt(ch.MailboxName).pack(c))
2288 case store.ChangeRemoveSubscription:
2289 _, _, ok := c.notify.match(c, xtx, 0, ch.MailboxName, eventSubscriptionChange)
2294 c.xbwritelinef(`* LIST (%s) "/" %s`, strings.Join(ch.ListFlags, " "), mailboxt(ch.MailboxName).pack(c))
2296 case store.ChangeMailboxCounts:
2299 case store.ChangeMailboxSpecialUse:
2300 // todo: can we send special-use flags as part of an untagged LIST response?
2303 case store.ChangeMailboxKeywords:
2305 mb := xmailbox(ch.MailboxID)
2306 ms, _, ok := c.notify.match(c, xtx, mb.ID, mb.Name, eventFlagChange)
2309 } else if mb.ID != c.mailboxID {
2313 // Delay sending all message events, we want to prevent synchronization issues
2315 // This change is about mailbox keywords, but it's specified under the FlagChange
2318 if ms.Kind == mbspecSelectedDelayed && !sendDelayed {
2319 c.notify.Delayed = append(c.notify.Delayed, change)
2324 if len(ch.Keywords) > 0 {
2325 keywords = " " + strings.Join(ch.Keywords, " ")
2327 c.xbwritelinef(`* FLAGS (\Seen \Answered \Flagged \Deleted \Draft $Forwarded $Junk $NotJunk $Phishing $MDNSent%s)`, keywords)
2329 case store.ChangeAnnotation:
2330 // Client does not have to enable METADATA/METADATA-SERVER. Just asking for these
2331 // events is enough.
2334 if ch.MailboxID == 0 {
2336 _, _, ok := c.notify.match(c, xtx, 0, "", eventServerMetadataChange)
2342 mb := xmailbox(ch.MailboxID)
2343 _, _, ok := c.notify.match(c, xtx, mb.ID, mb.Name, eventMailboxMetadataChange)
2352 c.xbwritelinef(`* METADATA %s %s`, mailboxt(ch.MailboxName).pack(c), astring(ch.Key).pack(c))
2355 panic(fmt.Sprintf("internal error, missing case for %#v", change))
2359 // If we have too many delayed changes, we will warn about notification overflow,
2361 if len(c.notify.Delayed) > selectedDelayedChangesMax {
2362 l := c.notify.Delayed
2363 c.notify.Delayed = nil
2366 c.notify = ¬ify{}
2367 c.xbwritelinef("* OK [NOTIFICATIONOVERFLOW] out of sync after too many pending changes for selected mailbox")
2371// Capability returns the capabilities this server implements and currently has
2372// available given the connection state.
2375func (c *conn) cmdCapability(tag, cmd string, p *parser) {
2381 caps := c.capabilities()
2384 c.xbwritelinef("* CAPABILITY %s", caps)
2388// capabilities returns non-empty string with available capabilities based on connection state.
2389// For use in cmdCapability and untagged OK responses on connection start, login and authenticate.
2390func (c *conn) capabilities() string {
2391 caps := serverCapabilities
2393 // We only allow starting without TLS when explicitly configured, in violation of RFC.
2394 if !c.tls && c.baseTLSConfig != nil {
2397 if c.tls || c.noRequireSTARTTLS {
2398 caps += " AUTH=PLAIN"
2400 caps += " LOGINDISABLED"
2402 if c.tls && len(c.conn.(*tls.Conn).ConnectionState().PeerCertificates) > 0 && !c.viaHTTPS && !c.noTLSClientAuth {
2403 caps += " AUTH=EXTERNAL"
2408// No op, but useful for retrieving pending changes as untagged responses, e.g. of
2412func (c *conn) cmdNoop(tag, cmd string, p *parser) {
2420// Logout, after which server closes the connection.
2423func (c *conn) cmdLogout(tag, cmd string, p *parser) {
2430 c.state = stateNotAuthenticated
2432 c.xbwritelinef("* BYE thanks")
2437// Clients can use ID to tell the server which software they are using. Servers can
2438// respond with their version. For statistics/logging/debugging purposes.
2441func (c *conn) cmdID(tag, cmd string, p *parser) {
2446 var params map[string]string
2449 params = map[string]string{}
2451 if len(params) > 0 {
2457 if _, ok := params[k]; ok {
2458 xsyntaxErrorf("duplicate key %q", k)
2461 values = append(values, fmt.Sprintf("%s=%q", k, v))
2468 c.userAgent = strings.Join(values, " ")
2470 // The ID command is typically sent soon after authentication. So we've prepared
2471 // the LoginAttempt and write it now.
2472 if c.loginAttempt != nil {
2473 c.loginAttempt.UserAgent = c.userAgent
2474 store.LoginAttemptAdd(context.Background(), c.logbg(), *c.loginAttempt)
2475 c.loginAttempt = nil
2476 c.loginAttemptTime = time.Time{}
2479 // We just log the client id.
2480 c.log.Info("client id", slog.Any("params", params))
2484 if c.state == stateAuthenticated || c.state == stateSelected {
2485 c.xbwritelinef(`* ID ("name" "mox" "version" %s)`, string0(moxvar.Version).pack(c))
2487 c.xbwritelinef(`* ID ("name" "mox")`)
2492// Compress enables compression on the connection. Deflate is the only algorithm
2493// specified. TLS doesn't do compression nowadays, so we don't have to check for that.
2495// Status: Authenticated. The RFC doesn't mention this in prose, but the command is
2496// added to ABNF production rule "command-auth".
2497func (c *conn) cmdCompress(tag, cmd string, p *parser) {
2505 // Will do compression only once.
2508 xusercodeErrorf("COMPRESSIONACTIVE", "compression already active with previous compress command")
2511 if !strings.EqualFold(alg, "deflate") {
2512 xuserErrorf("compression algorithm not supported")
2515 // We must flush now, before we initialize flate.
2516 c.log.Debug("compression enabled")
2519 c.xflateBW = bufio.NewWriter(c)
2520 fw0, err := flate.NewWriter(c.xflateBW, flate.DefaultCompression)
2521 xcheckf(err, "deflate") // Cannot happen.
2522 xfw := moxio.NewFlateWriter(fw0)
2525 c.xflateWriter = xfw
2526 c.xtw = moxio.NewTraceWriter(c.log, "S: ", c.xflateWriter)
2527 c.xbw = bufio.NewWriter(c.xtw) // The previous c.xbw will not have buffered data.
2529 rc := xprefixConn(c.conn, c.br) // c.br may contain buffered data.
2530 // We use the special partial reader. Some clients write commands and flush the
2531 // buffer in "partial flush" mode instead of "sync flush" mode. The "sync flush"
2532 // mode emits an explicit zero-length data block that triggers the Go stdlib flate
2533 // reader to return data to us. It wouldn't for blocks written in "partial flush"
2534 // mode, and it would block us indefinitely while trying to read another flate
2535 // block. The partial reader returns data earlier, but still eagerly consumes all
2536 // blocks in its buffer.
2537 // todo: also _write_ in partial mode since it uses fewer bytes than a sync flush (which needs an additional 4 bytes for the zero-length data block). we need a writer that can flush in partial mode first. writing with sync flush will work with clients that themselves write with partial flush.
2538 fr := flate.NewReaderPartial(rc)
2539 c.tr = moxio.NewTraceReader(c.log, "C: ", fr)
2540 c.br = bufio.NewReader(c.tr)
2543// STARTTLS enables TLS on the connection, after a plain text start.
2544// Only allowed if TLS isn't already enabled, either through connecting to a
2545// TLS-enabled TCP port, or a previous STARTTLS command.
2546// After STARTTLS, plain text authentication typically becomes available.
2548// Status: Not authenticated.
2549func (c *conn) cmdStarttls(tag, cmd string, p *parser) {
2558 if c.baseTLSConfig == nil {
2559 xsyntaxErrorf("starttls not announced")
2562 conn := xprefixConn(c.conn, c.br)
2563 // We add the cid to facilitate debugging in case of TLS connection failure.
2564 c.ok(tag, cmd+" ("+mox.ReceivedID(c.cid)+")")
2566 c.xtlsHandshakeAndAuthenticate(conn)
2569 // We are not sending unsolicited CAPABILITIES for newly available authentication
2570 // mechanisms, clients can't depend on us sending it and should ask it themselves.
2574// Authenticate using SASL. Supports multiple back and forths between client and
2575// server to finish authentication, unlike LOGIN which is just a single
2576// username/password.
2578// We may already have ambient TLS credentials that have not been activated.
2580// Status: Not authenticated.
2581func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
2585 // For many failed auth attempts, slow down verification attempts.
2586 if c.authFailed > 3 && authFailDelay > 0 {
2587 mox.Sleep(mox.Context, time.Duration(c.authFailed-3)*authFailDelay)
2590 // If authentication fails due to missing derived secrets, we don't hold it against
2591 // the connection. There is no way to indicate server support for an authentication
2592 // mechanism, but that a mechanism won't work for an account.
2593 var missingDerivedSecrets bool
2595 c.authFailed++ // Compensated on success.
2597 if missingDerivedSecrets {
2600 // On the 3rd failed authentication, start responding slowly. Successful auth will
2601 // cause fast responses again.
2602 if c.authFailed >= 3 {
2607 c.newLoginAttempt(true, "")
2609 if c.loginAttempt.Result == store.AuthSuccess {
2610 mox.LimiterFailedAuth.Reset(c.remoteIP, time.Now())
2611 } else if !missingDerivedSecrets {
2612 mox.LimiterFailedAuth.Add(c.remoteIP, time.Now(), 1)
2618 authType := p.xatom()
2620 xreadInitial := func() []byte {
2624 line = c.xreadline(false)
2628 line = p.remainder()
2631 line = "" // Base64 decode will result in empty buffer.
2636 c.loginAttempt.Result = store.AuthAborted
2637 xsyntaxErrorf("authenticate aborted by client")
2639 buf, err := base64.StdEncoding.DecodeString(line)
2641 xsyntaxErrorf("parsing base64: %v", err)
2646 xreadContinuation := func() []byte {
2647 line := c.xreadline(false)
2649 c.loginAttempt.Result = store.AuthAborted
2650 xsyntaxErrorf("authenticate aborted by client")
2652 buf, err := base64.StdEncoding.DecodeString(line)
2654 xsyntaxErrorf("parsing base64: %v", err)
2659 // The various authentication mechanisms set account and username. We may already
2660 // have an account and username from TLS client authentication. Afterwards, we
2661 // check that the account is the same.
2662 var account *store.Account
2666 err := account.Close()
2667 c.xsanity(err, "close account")
2671 switch strings.ToUpper(authType) {
2673 c.loginAttempt.AuthMech = "plain"
2675 if !c.noRequireSTARTTLS && !c.tls {
2677 xusercodeErrorf("PRIVACYREQUIRED", "tls required for login")
2680 // Plain text passwords, mark as traceauth.
2681 defer c.xtraceread(mlog.LevelTraceauth)()
2682 buf := xreadInitial()
2683 c.xtraceread(mlog.LevelTrace) // Restore.
2684 plain := bytes.Split(buf, []byte{0})
2685 if len(plain) != 3 {
2686 xsyntaxErrorf("bad plain auth data, expected 3 nul-separated tokens, got %d tokens", len(plain))
2688 authz := norm.NFC.String(string(plain[0]))
2689 username = norm.NFC.String(string(plain[1]))
2690 password := string(plain[2])
2691 c.loginAttempt.LoginAddress = username
2693 if authz != "" && authz != username {
2694 xusercodeErrorf("AUTHORIZATIONFAILED", "cannot assume role")
2698 account, c.loginAttempt.AccountName, err = store.OpenEmailAuth(c.log, username, password, false)
2700 if errors.Is(err, store.ErrUnknownCredentials) {
2701 c.loginAttempt.Result = store.AuthBadCredentials
2702 c.log.Info("authentication failed", slog.String("username", username))
2703 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
2705 xusercodeErrorf("", "error")
2709 c.loginAttempt.AuthMech = strings.ToLower(authType)
2715 chal := fmt.Sprintf("<%d.%d@%s>", uint64(mox.CryptoRandInt()), time.Now().UnixNano(), mox.Conf.Static.HostnameDomain.ASCII)
2716 c.xwritelinef("+ %s", base64.StdEncoding.EncodeToString([]byte(chal)))
2718 resp := xreadContinuation()
2719 t := strings.Split(string(resp), " ")
2720 if len(t) != 2 || len(t[1]) != 2*md5.Size {
2721 xsyntaxErrorf("malformed cram-md5 response")
2723 username = norm.NFC.String(t[0])
2724 c.loginAttempt.LoginAddress = username
2725 c.log.Debug("cram-md5 auth", slog.String("address", username))
2727 account, c.loginAttempt.AccountName, _, err = store.OpenEmail(c.log, username, false)
2729 if errors.Is(err, store.ErrUnknownCredentials) {
2730 c.loginAttempt.Result = store.AuthBadCredentials
2731 c.log.Info("failed authentication attempt", slog.String("username", username), slog.Any("remote", c.remoteIP))
2732 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
2734 xserverErrorf("looking up address: %v", err)
2736 var ipadhash, opadhash hash.Hash
2737 account.WithRLock(func() {
2738 err := account.DB.Read(context.TODO(), func(tx *bstore.Tx) error {
2739 password, err := bstore.QueryTx[store.Password](tx).Get()
2740 if err == bstore.ErrAbsent {
2741 c.log.Info("failed authentication attempt", slog.String("username", username), slog.Any("remote", c.remoteIP))
2742 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
2748 ipadhash = password.CRAMMD5.Ipad
2749 opadhash = password.CRAMMD5.Opad
2752 xcheckf(err, "tx read")
2754 if ipadhash == nil || opadhash == nil {
2755 c.log.Info("cram-md5 auth attempt without derived secrets set, save password again to store secrets", slog.String("username", username))
2756 c.log.Info("failed authentication attempt", slog.String("username", username), slog.Any("remote", c.remoteIP))
2757 missingDerivedSecrets = true
2758 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
2762 ipadhash.Write([]byte(chal))
2763 opadhash.Write(ipadhash.Sum(nil))
2764 digest := fmt.Sprintf("%x", opadhash.Sum(nil))
2766 c.log.Info("failed authentication attempt", slog.String("username", username), slog.Any("remote", c.remoteIP))
2767 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
2770 case "SCRAM-SHA-256-PLUS", "SCRAM-SHA-256", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-1":
2771 // todo: improve handling of errors during scram. e.g. invalid parameters. should we abort the imap command, or continue until the end and respond with a scram-level error?
2772 // todo: use single implementation between ../imapserver/server.go and ../smtpserver/server.go
2774 // No plaintext credentials, we can log these normally.
2776 c.loginAttempt.AuthMech = strings.ToLower(authType)
2777 var h func() hash.Hash
2778 switch c.loginAttempt.AuthMech {
2779 case "scram-sha-1", "scram-sha-1-plus":
2781 case "scram-sha-256", "scram-sha-256-plus":
2784 xserverErrorf("missing case for scram variant")
2787 var cs *tls.ConnectionState
2788 requireChannelBinding := strings.HasSuffix(c.loginAttempt.AuthMech, "-plus")
2789 if requireChannelBinding && !c.tls {
2790 xuserErrorf("cannot use plus variant with tls channel binding without tls")
2793 xcs := c.conn.(*tls.Conn).ConnectionState()
2796 c0 := xreadInitial()
2797 ss, err := scram.NewServer(h, c0, cs, requireChannelBinding)
2799 c.log.Infox("scram protocol error", err, slog.Any("remote", c.remoteIP))
2800 xuserErrorf("scram protocol error: %s", err)
2802 username = ss.Authentication
2803 c.loginAttempt.LoginAddress = username
2804 c.log.Debug("scram auth", slog.String("authentication", username))
2805 // We check for login being disabled when finishing.
2806 account, c.loginAttempt.AccountName, _, err = store.OpenEmail(c.log, username, false)
2808 // todo: we could continue scram with a generated salt, deterministically generated
2809 // from the username. that way we don't have to store anything but attackers cannot
2810 // learn if an account exists. same for absent scram saltedpassword below.
2811 xuserErrorf("scram not possible")
2813 if ss.Authorization != "" && ss.Authorization != username {
2814 xuserErrorf("authentication with authorization for different user not supported")
2816 var xscram store.SCRAM
2817 account.WithRLock(func() {
2818 err := account.DB.Read(context.TODO(), func(tx *bstore.Tx) error {
2819 password, err := bstore.QueryTx[store.Password](tx).Get()
2820 if err == bstore.ErrAbsent {
2821 c.log.Info("failed authentication attempt", slog.String("username", username), slog.Any("remote", c.remoteIP))
2822 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
2824 xcheckf(err, "fetching credentials")
2825 switch c.loginAttempt.AuthMech {
2826 case "scram-sha-1", "scram-sha-1-plus":
2827 xscram = password.SCRAMSHA1
2828 case "scram-sha-256", "scram-sha-256-plus":
2829 xscram = password.SCRAMSHA256
2831 xserverErrorf("missing case for scram credentials")
2833 if len(xscram.Salt) == 0 || xscram.Iterations == 0 || len(xscram.SaltedPassword) == 0 {
2834 missingDerivedSecrets = true
2835 c.log.Info("scram auth attempt without derived secrets set, save password again to store secrets", slog.String("username", username))
2836 xuserErrorf("scram not possible")
2840 xcheckf(err, "read tx")
2842 s1, err := ss.ServerFirst(xscram.Iterations, xscram.Salt)
2843 xcheckf(err, "scram first server step")
2844 c.xwritelinef("+ %s", base64.StdEncoding.EncodeToString([]byte(s1)))
2845 c2 := xreadContinuation()
2846 s3, err := ss.Finish(c2, xscram.SaltedPassword)
2848 c.xwritelinef("+ %s", base64.StdEncoding.EncodeToString([]byte(s3)))
2851 c.xreadline(false) // Should be "*" for cancellation.
2852 if errors.Is(err, scram.ErrInvalidProof) {
2853 c.loginAttempt.Result = store.AuthBadCredentials
2854 c.log.Info("failed authentication attempt", slog.String("username", username), slog.Any("remote", c.remoteIP))
2855 xusercodeErrorf("AUTHENTICATIONFAILED", "bad credentials")
2856 } else if errors.Is(err, scram.ErrChannelBindingsDontMatch) {
2857 c.loginAttempt.Result = store.AuthBadChannelBinding
2858 c.log.Warn("bad channel binding during authentication, potential mitm", slog.String("username", username), slog.Any("remote", c.remoteIP))
2859 xusercodeErrorf("AUTHENTICATIONFAILED", "channel bindings do not match, potential mitm")
2860 } else if errors.Is(err, scram.ErrInvalidEncoding) {
2861 c.loginAttempt.Result = store.AuthBadProtocol
2862 c.log.Infox("bad scram protocol message", err, slog.String("username", username), slog.Any("remote", c.remoteIP))
2863 xuserErrorf("bad scram protocol message: %s", err)
2865 xuserErrorf("server final: %w", err)
2869 // The message should be empty. todo: should we require it is empty?
2873 c.loginAttempt.AuthMech = "external"
2876 buf := xreadInitial()
2877 username = norm.NFC.String(string(buf))
2878 c.loginAttempt.LoginAddress = username
2881 xusercodeErrorf("AUTHENTICATIONFAILED", "tls required for tls client certificate authentication")
2883 if c.account == nil {
2884 xusercodeErrorf("AUTHENTICATIONFAILED", "missing client certificate, required for tls client certificate authentication")
2888 username = c.username
2889 c.loginAttempt.LoginAddress = username
2892 account, c.loginAttempt.AccountName, _, err = store.OpenEmail(c.log, username, false)
2893 xcheckf(err, "looking up username from tls client authentication")
2896 c.loginAttempt.AuthMech = "(unrecognized)"
2897 xuserErrorf("method not supported")
2900 if accConf, ok := account.Conf(); !ok {
2901 xserverErrorf("cannot get account config")
2902 } else if accConf.LoginDisabled != "" {
2903 c.loginAttempt.Result = store.AuthLoginDisabled
2904 c.log.Info("account login disabled", slog.String("username", username))
2905 // No AUTHENTICATIONFAILED code, clients could prompt users for different password.
2906 xuserErrorf("%w: %s", store.ErrLoginDisabled, accConf.LoginDisabled)
2909 // We may already have TLS credentials. They won't have been enabled, or we could
2910 // get here due to the state machine that doesn't allow authentication while being
2911 // authenticated. But allow another SASL authentication, but it has to be for the
2912 // same account. It can be for a different username (email address) of the account.
2913 if c.account != nil {
2914 if account != c.account {
2915 c.log.Debug("sasl authentication for different account than tls client authentication, aborting connection",
2916 slog.String("saslmechanism", c.loginAttempt.AuthMech),
2917 slog.String("saslaccount", account.Name),
2918 slog.String("tlsaccount", c.account.Name),
2919 slog.String("saslusername", username),
2920 slog.String("tlsusername", c.username),
2922 xusercodeErrorf("AUTHENTICATIONFAILED", "authentication failed, tls client certificate public key belongs to another account")
2923 } else if username != c.username {
2924 c.log.Debug("sasl authentication for different username than tls client certificate authentication, switching to sasl username",
2925 slog.String("saslmechanism", c.loginAttempt.AuthMech),
2926 slog.String("saslusername", username),
2927 slog.String("tlsusername", c.username),
2928 slog.String("account", c.account.Name),
2933 account = nil // Prevent cleanup.
2935 c.username = username
2937 c.comm = store.RegisterComm(c.account)
2941 c.loginAttempt.AccountName = c.account.Name
2942 c.loginAttempt.LoginAddress = c.username
2943 c.loginAttempt.Result = store.AuthSuccess
2945 c.state = stateAuthenticated
2946 c.xwriteresultf("%s OK [CAPABILITY %s] authenticate done", tag, c.capabilities())
2949// Login logs in with username and password.
2951// Status: Not authenticated.
2952func (c *conn) cmdLogin(tag, cmd string, p *parser) {
2955 c.newLoginAttempt(true, "login")
2957 if c.loginAttempt.Result == store.AuthSuccess {
2958 mox.LimiterFailedAuth.Reset(c.remoteIP, time.Now())
2960 mox.LimiterFailedAuth.Add(c.remoteIP, time.Now(), 1)
2964 // todo: get this line logged with traceauth. the plaintext password is included on the command line, which we've already read (before dispatching to this function).
2968 username := norm.NFC.String(p.xastring())
2969 c.loginAttempt.LoginAddress = username
2971 password := p.xastring()
2974 if !c.noRequireSTARTTLS && !c.tls {
2976 xusercodeErrorf("PRIVACYREQUIRED", "tls required for login")
2979 // For many failed auth attempts, slow down verification attempts.
2980 if c.authFailed > 3 && authFailDelay > 0 {
2981 mox.Sleep(mox.Context, time.Duration(c.authFailed-3)*authFailDelay)
2983 c.authFailed++ // Compensated on success.
2985 // On the 3rd failed authentication, start responding slowly. Successful auth will
2986 // cause fast responses again.
2987 if c.authFailed >= 3 {
2992 account, accName, err := store.OpenEmailAuth(c.log, username, password, true)
2993 c.loginAttempt.AccountName = accName
2996 if errors.Is(err, store.ErrUnknownCredentials) {
2997 c.loginAttempt.Result = store.AuthBadCredentials
2998 code = "AUTHENTICATIONFAILED"
2999 c.log.Info("failed authentication attempt", slog.String("username", username), slog.Any("remote", c.remoteIP))
3000 } else if errors.Is(err, store.ErrLoginDisabled) {
3001 c.loginAttempt.Result = store.AuthLoginDisabled
3002 c.log.Info("account login disabled", slog.String("username", username))
3003 // There is no specific code for "account disabled" in IMAP. AUTHORIZATIONFAILED is
3004 // not a good idea, it will prompt users for a password. ALERT seems reasonable,
3005 // but may cause email clients to suppress the message since we are not yet
3007 xuserErrorf("%s", err)
3009 xusercodeErrorf(code, "login failed")
3013 err := account.Close()
3014 c.xsanity(err, "close account")
3018 // We may already have TLS credentials. They won't have been enabled, or we could
3019 // get here due to the state machine that doesn't allow authentication while being
3020 // authenticated. But allow another SASL authentication, but it has to be for the
3021 // same account. It can be for a different username (email address) of the account.
3022 if c.account != nil {
3023 if account != c.account {
3024 c.log.Debug("sasl authentication for different account than tls client authentication, aborting connection",
3025 slog.String("saslmechanism", "login"),
3026 slog.String("saslaccount", account.Name),
3027 slog.String("tlsaccount", c.account.Name),
3028 slog.String("saslusername", username),
3029 slog.String("tlsusername", c.username),
3031 xusercodeErrorf("AUTHENTICATIONFAILED", "authentication failed, tls client certificate public key belongs to another account")
3032 } else if username != c.username {
3033 c.log.Debug("sasl authentication for different username than tls client certificate authentication, switching to sasl username",
3034 slog.String("saslmechanism", "login"),
3035 slog.String("saslusername", username),
3036 slog.String("tlsusername", c.username),
3037 slog.String("account", c.account.Name),
3042 account = nil // Prevent cleanup.
3044 c.username = username
3046 c.comm = store.RegisterComm(c.account)
3048 c.loginAttempt.LoginAddress = c.username
3049 c.loginAttempt.AccountName = c.account.Name
3050 c.loginAttempt.Result = store.AuthSuccess
3053 c.state = stateAuthenticated
3054 c.xwriteresultf("%s OK [CAPABILITY %s] login done", tag, c.capabilities())
3057// Enable explicitly opts in to an extension. A server can typically send new kinds
3058// of responses to a client. Most extensions do not require an ENABLE because a
3059// client implicitly opts in to new response syntax by making a requests that uses
3060// new optional extension request syntax.
3062// State: Authenticated and selected.
3063func (c *conn) cmdEnable(tag, cmd string, p *parser) {
3069 caps := []string{p.xatom()}
3072 caps = append(caps, p.xatom())
3075 // Clients should only send capabilities that need enabling.
3076 // We should only echo that we recognize as needing enabling.
3079 for _, s := range caps {
3080 cap := capability(strings.ToUpper(s))
3085 c.enabled[cap] = true
3088 c.enabled[cap] = true
3092 c.enabled[cap] = true
3095 c.enabled[cap] = true
3102 if qresync && !c.enabled[capCondstore] {
3103 c.xensureCondstore(nil)
3104 enabled += " CONDSTORE"
3108 c.xbwritelinef("* ENABLED%s", enabled)
3113// If a mailbox is selected, an untagged OK with HIGHESTMODSEQ is written to the
3114// client. If tx is non-nil, it is used to read the HIGHESTMODSEQ from the
3115// database. Otherwise a new read-only transaction is created.
3116func (c *conn) xensureCondstore(tx *bstore.Tx) {
3117 if !c.enabled[capCondstore] {
3118 c.enabled[capCondstore] = true
3119 // todo spec: can we send an untagged enabled response?
3121 if c.mailboxID <= 0 {
3125 var mb store.Mailbox
3127 c.xdbread(func(tx *bstore.Tx) {
3128 mb = c.xmailboxID(tx, c.mailboxID)
3131 mb = c.xmailboxID(tx, c.mailboxID)
3133 c.xbwritelinef("* OK [HIGHESTMODSEQ %d] after condstore-enabling command", mb.ModSeq.Client())
3137// State: Authenticated and selected.
3138func (c *conn) cmdSelect(tag, cmd string, p *parser) {
3139 c.cmdSelectExamine(true, tag, cmd, p)
3142// State: Authenticated and selected.
3143func (c *conn) cmdExamine(tag, cmd string, p *parser) {
3144 c.cmdSelectExamine(false, tag, cmd, p)
3147// Select and examine are almost the same commands. Select just opens a mailbox for
3148// read/write and examine opens a mailbox readonly.
3150// State: Authenticated and selected.
3151func (c *conn) cmdSelectExamine(isselect bool, tag, cmd string, p *parser) {
3159 name := p.xmailbox()
3161 var qruidvalidity uint32
3162 var qrmodseq int64 // QRESYNC required parameters.
3163 var qrknownUIDs, qrknownSeqSet, qrknownUIDSet *numSet // QRESYNC optional parameters.
3165 seen := map[string]bool{}
3167 for len(seen) == 0 || !p.take(")") {
3168 w := p.xtakelist("CONDSTORE", "QRESYNC")
3170 xsyntaxErrorf("duplicate select parameter %s", w)
3180 // Note: unlike with CONDSTORE, there are no QRESYNC-related commands/parameters
3181 // that enable capabilities.
3182 if !c.enabled[capQresync] {
3184 xsyntaxErrorf("QRESYNC must first be enabled")
3190 qrmodseq = p.xnznumber64()
3192 seqMatchData := p.take("(")
3196 seqMatchData = p.take(" (")
3199 ss0 := p.xnumSet0(false, false)
3200 qrknownSeqSet = &ss0
3202 ss1 := p.xnumSet0(false, false)
3203 qrknownUIDSet = &ss1
3209 panic("missing case for select param " + w)
3215 // Deselect before attempting the new select. This means we will deselect when an
3216 // error occurs during select.
3218 if c.state == stateSelected {
3220 c.xbwritelinef("* OK [CLOSED] x")
3224 if c.uidonly && qrknownSeqSet != nil {
3226 xsyntaxCodeErrorf("UIDREQUIRED", "cannot use message sequence match data with uidonly enabled")
3229 name = xcheckmailboxname(name, true)
3231 var mb store.Mailbox
3232 c.account.WithRLock(func() {
3233 c.xdbread(func(tx *bstore.Tx) {
3234 mb = c.xmailbox(tx, name, "")
3236 var firstUnseen msgseq = 0
3238 c.uidnext = mb.UIDNext
3240 c.exists = uint32(mb.MailboxCounts.Total + mb.MailboxCounts.Deleted)
3242 c.uids = []store.UID{}
3244 q := bstore.QueryTx[store.Message](tx)
3245 q.FilterNonzero(store.Message{MailboxID: mb.ID})
3246 q.FilterEqual("Expunged", false)
3248 err := q.ForEach(func(m store.Message) error {
3249 c.uids = append(c.uids, m.UID)
3250 if firstUnseen == 0 && !m.Seen {
3251 firstUnseen = msgseq(len(c.uids))
3255 xcheckf(err, "fetching uids")
3257 c.exists = uint32(len(c.uids))
3261 if len(mb.Keywords) > 0 {
3262 flags = " " + strings.Join(mb.Keywords, " ")
3264 c.xbwritelinef(`* FLAGS (\Seen \Answered \Flagged \Deleted \Draft $Forwarded $Junk $NotJunk $Phishing $MDNSent%s)`, flags)
3265 c.xbwritelinef(`* OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft $Forwarded $Junk $NotJunk $Phishing $MDNSent \*)] x`)
3266 if !c.enabled[capIMAP4rev2] {
3267 c.xbwritelinef(`* 0 RECENT`)
3269 c.xbwritelinef(`* %d EXISTS`, c.exists)
3270 if !c.enabled[capIMAP4rev2] && firstUnseen > 0 {
3272 c.xbwritelinef(`* OK [UNSEEN %d] x`, firstUnseen)
3274 c.xbwritelinef(`* OK [UIDVALIDITY %d] x`, mb.UIDValidity)
3275 c.xbwritelinef(`* OK [UIDNEXT %d] x`, mb.UIDNext)
3276 c.xbwritelinef(`* LIST () "/" %s`, mailboxt(mb.Name).pack(c))
3277 if c.enabled[capCondstore] {
3280 c.xbwritelinef(`* OK [HIGHESTMODSEQ %d] x`, mb.ModSeq.Client())
3284 if qruidvalidity == mb.UIDValidity {
3285 // We send the vanished UIDs at the end, so we can easily combine the modseq
3286 // changes and vanished UIDs that result from that, with the vanished UIDs from the
3287 // case where we don't store enough history.
3288 vanishedUIDs := map[store.UID]struct{}{}
3290 var preVanished store.UID
3291 var oldClientUID store.UID
3292 // If samples of known msgseq and uid pairs are given (they must be in order), we
3293 // use them to determine the earliest UID for which we send VANISHED responses.
3295 if qrknownSeqSet != nil {
3296 if !qrknownSeqSet.isBasicIncreasing() {
3297 xuserErrorf("QRESYNC known message sequence set must be numeric and strictly increasing")
3299 if !qrknownUIDSet.isBasicIncreasing() {
3300 xuserErrorf("QRESYNC known uid set must be numeric and strictly increasing")
3302 seqiter := qrknownSeqSet.newIter()
3303 uiditer := qrknownUIDSet.newIter()
3305 msgseq, ok0 := seqiter.Next()
3306 uid, ok1 := uiditer.Next()
3309 } else if !ok0 || !ok1 {
3310 xsyntaxErrorf("invalid combination of known sequence set and uid set, must be of equal length")
3312 i := int(msgseq - 1)
3313 // Access to c.uids is safe, qrknownSeqSet and uidonly cannot both be set.
3314 if i < 0 || i >= int(c.exists) || c.uids[i] != store.UID(uid) {
3315 if uidSearch(c.uids, store.UID(uid)) <= 0 {
3316 // We will check this old client UID for consistency below.
3317 oldClientUID = store.UID(uid)
3321 preVanished = store.UID(uid + 1)
3325 // We gather vanished UIDs and report them at the end. This seems OK because we
3326 // already sent HIGHESTMODSEQ, and a client should know not to commit that value
3327 // until after it has seen the tagged OK of this command. The RFC has a remark
3328 // about ordering of some untagged responses, it's not immediately clear what it
3329 // means, but given the examples appears to allude to servers that decide to not
3330 // send expunge/vanished before the tagged OK.
3333 if oldClientUID > 0 {
3334 // The client sent a UID that is now removed. This is typically fine. But we check
3335 // that it is consistent with the modseq the client sent. If the UID already didn't
3336 // exist at that modseq, the client may be missing some information.
3337 q := bstore.QueryTx[store.Message](tx)
3338 q.FilterNonzero(store.Message{MailboxID: mb.ID, UID: oldClientUID})
3341 // If client claims to be up to date up to and including qrmodseq, and the message
3342 // was deleted at or before that time, we send changes from just before that
3343 // modseq, and we send vanished for all UIDs.
3344 if m.Expunged && qrmodseq >= m.ModSeq.Client() {
3345 qrmodseq = m.ModSeq.Client() - 1
3348 c.xbwritelinef("* OK [ALERT] Synchronization inconsistency in client detected. Client tried to sync with a UID that was removed at or after the MODSEQ it sent in the request. Sending all historic message removals for selected mailbox. Full synchronization recommended.")
3350 } else if err != bstore.ErrAbsent {
3351 xcheckf(err, "checking old client uid")
3355 q := bstore.QueryTx[store.Message](tx)
3356 q.FilterNonzero(store.Message{MailboxID: mb.ID})
3357 // Note: we don't filter by Expunged.
3358 q.FilterGreater("ModSeq", store.ModSeqFromClient(qrmodseq))
3359 q.FilterLessEqual("ModSeq", mb.ModSeq)
3360 q.FilterLess("UID", c.uidnext)
3362 err := q.ForEach(func(m store.Message) error {
3363 if m.Expunged && m.UID < preVanished {
3367 if qrknownUIDs != nil && !qrknownUIDs.contains(uint32(m.UID)) {
3371 vanishedUIDs[m.UID] = struct{}{}
3376 c.xbwritelinef("* %d UIDFETCH (FLAGS %s MODSEQ (%d))", m.UID, flaglist(m.Flags, m.Keywords).pack(c), m.ModSeq.Client())
3377 } else if msgseq := c.sequence(m.UID); msgseq > 0 {
3378 c.xbwritelinef("* %d FETCH (UID %d FLAGS %s MODSEQ (%d))", msgseq, m.UID, flaglist(m.Flags, m.Keywords).pack(c), m.ModSeq.Client())
3382 xcheckf(err, "listing changed messages")
3384 highDeletedModSeq, err := c.account.HighestDeletedModSeq(tx)
3385 xcheckf(err, "getting highest deleted modseq")
3387 // If we don't have enough history, we go through all UIDs and look them up, and
3388 // add them to the vanished list if they have disappeared.
3389 if qrmodseq < highDeletedModSeq.Client() {
3390 // If no "known uid set" was in the request, we substitute 1:max or the empty set.
3392 if qrknownUIDs == nil {
3393 qrknownUIDs = &numSet{ranges: []numRange{{first: setNumber{number: 1}, last: &setNumber{number: uint32(c.uidnext - 1)}}}}
3397 // note: qrknownUIDs will not contain "*".
3398 for _, r := range qrknownUIDs.xinterpretStar(func() store.UID { return 0 }).ranges {
3399 // Gather UIDs for this range.
3400 var uids []store.UID
3401 q := bstore.QueryTx[store.Message](tx)
3402 q.FilterNonzero(store.Message{MailboxID: mb.ID})
3403 q.FilterEqual("Expunged", false)
3405 q.FilterEqual("UID", r.first.number)
3407 q.FilterGreaterEqual("UID", r.first.number)
3408 q.FilterLessEqual("UID", r.last.number)
3411 for m, err := range q.All() {
3412 xcheckf(err, "enumerating uids")
3413 uids = append(uids, m.UID)
3416 // Find UIDs missing from the database.
3419 uid, ok := iter.Next()
3423 if uidSearch(uids, store.UID(uid)) <= 0 {
3424 vanishedUIDs[store.UID(uid)] = struct{}{}
3429 // Ensure it is in ascending order, no needless first/last ranges. qrknownUIDs cannot contain a star.
3430 iter := qrknownUIDs.newIter()
3432 v, ok := iter.Next()
3436 if c.sequence(store.UID(v)) <= 0 {
3437 vanishedUIDs[store.UID(v)] = struct{}{}
3443 // Now that we have all vanished UIDs, send them over compactly.
3444 if len(vanishedUIDs) > 0 {
3445 l := slices.Sorted(maps.Keys(vanishedUIDs))
3447 for _, s := range compactUIDSet(l).Strings(4*1024 - 32) {
3448 c.xbwritelinef("* VANISHED (EARLIER) %s", s)
3456 c.xbwriteresultf("%s OK [READ-WRITE] x", tag)
3459 c.xbwriteresultf("%s OK [READ-ONLY] x", tag)
3463 c.state = stateSelected
3464 c.searchResult = nil
3468// Create makes a new mailbox, and its parents too if absent.
3470// State: Authenticated and selected.
3471func (c *conn) cmdCreate(tag, cmd string, p *parser) {
3477 name := p.xmailbox()
3479 var useAttrs []string // Special-use attributes without leading \.
3482 // We only support "USE", and there don't appear to be more types of parameters.
3487 useAttrs = append(useAttrs, p.xatom())
3503 name = xcheckmailboxname(name, false)
3505 var specialUse store.SpecialUse
3506 specialUseBools := map[string]*bool{
3507 "archive": &specialUse.Archive,
3508 "drafts": &specialUse.Draft,
3509 "junk": &specialUse.Junk,
3510 "sent": &specialUse.Sent,
3511 "trash": &specialUse.Trash,
3513 for _, s := range useAttrs {
3514 p, ok := specialUseBools[strings.ToLower(s)]
3517 xusercodeErrorf("USEATTR", `cannot create mailbox with special-use attribute \%s`, s)
3522 var changes []store.Change
3523 var created []string // Created mailbox names.
3525 c.account.WithWLock(func() {
3526 c.xdbwrite(func(tx *bstore.Tx) {
3529 _, changes, created, exists, err = c.account.MailboxCreate(tx, name, specialUse)
3532 xuserErrorf("mailbox already exists")
3534 xcheckf(err, "creating mailbox")
3537 c.broadcast(changes)
3540 for _, n := range created {
3543 if c.enabled[capIMAP4rev2] && n == name && name != origName && !(name == "Inbox" || strings.HasPrefix(name, "Inbox/")) {
3544 oldname = fmt.Sprintf(` ("OLDNAME" (%s))`, mailboxt(origName).pack(c))
3546 c.xbwritelinef(`* LIST (\Subscribed) "/" %s%s`, mailboxt(n).pack(c), oldname)
3551// Delete removes a mailbox and all its messages and annotations.
3552// Inbox cannot be removed.
3554// State: Authenticated and selected.
3555func (c *conn) cmdDelete(tag, cmd string, p *parser) {
3561 name := p.xmailbox()
3564 name = xcheckmailboxname(name, false)
3566 c.account.WithWLock(func() {
3567 var mb store.Mailbox
3568 var changes []store.Change
3570 c.xdbwrite(func(tx *bstore.Tx) {
3571 mb = c.xmailbox(tx, name, "NONEXISTENT")
3573 var hasChildren bool
3575 changes, hasChildren, err = c.account.MailboxDelete(context.TODO(), c.log, tx, &mb)
3577 xusercodeErrorf("HASCHILDREN", "mailbox has a child, only leaf mailboxes can be deleted")
3579 xcheckf(err, "deleting mailbox")
3582 c.broadcast(changes)
3588// Rename changes the name of a mailbox.
3589// Renaming INBOX is special, it moves the inbox messages to a new mailbox, leaving
3590// inbox empty, but copying metadata annotations.
3591// Renaming a mailbox with submailboxes also renames all submailboxes.
3592// Subscriptions stay with the old name, though newly created missing parent
3593// mailboxes for the destination name are automatically subscribed.
3595// State: Authenticated and selected.
3596func (c *conn) cmdRename(tag, cmd string, p *parser) {
3607 src = xcheckmailboxname(src, true)
3608 dst = xcheckmailboxname(dst, false)
3610 var cleanupIDs []int64
3612 for _, id := range cleanupIDs {
3613 p := c.account.MessagePath(id)
3615 c.xsanity(err, "cleaning up message")
3619 c.account.WithWLock(func() {
3620 var changes []store.Change
3622 c.xdbwrite(func(tx *bstore.Tx) {
3623 mbSrc := c.xmailbox(tx, src, "NONEXISTENT")
3625 // Handle common/simple case first.
3627 var modseq store.ModSeq
3628 var alreadyExists bool
3630 changes, _, alreadyExists, err = c.account.MailboxRename(tx, &mbSrc, dst, &modseq)
3632 xusercodeErrorf("ALREADYEXISTS", "%s", err)
3634 xcheckf(err, "renaming mailbox")
3638 // Inbox is very special. Unlike other mailboxes, its children are not moved. And
3639 // unlike a regular move, its messages are moved to a newly created mailbox. We do
3640 // indeed create a new destination mailbox and actually move the messages.
3642 exists, err := c.account.MailboxExists(tx, dst)
3643 xcheckf(err, "checking if destination mailbox exists")
3645 xusercodeErrorf("ALREADYEXISTS", "destination mailbox %q already exists", dst)
3648 xuserErrorf("cannot move inbox to itself")
3651 var modseq store.ModSeq
3652 mbDst, chl, err := c.account.MailboxEnsure(tx, dst, false, store.SpecialUse{}, &modseq)
3653 xcheckf(err, "creating destination mailbox")
3657 qa := bstore.QueryTx[store.Annotation](tx)
3658 qa.FilterNonzero(store.Annotation{MailboxID: mbSrc.ID})
3659 qa.FilterEqual("Expunged", false)
3660 annotations, err := qa.List()
3661 xcheckf(err, "get annotations to copy for inbox")
3662 for _, a := range annotations {
3664 a.MailboxID = mbDst.ID
3666 a.CreateSeq = modseq
3667 err := tx.Insert(&a)
3668 xcheckf(err, "copy annotation to destination mailbox")
3669 changes = append(changes, a.Change(mbDst.Name))
3671 c.xcheckMetadataSize(tx)
3673 // Build query that selects messages to move.
3674 q := bstore.QueryTx[store.Message](tx)
3675 q.FilterNonzero(store.Message{MailboxID: mbSrc.ID})
3676 q.FilterEqual("Expunged", false)
3679 newIDs, chl := c.xmoveMessages(tx, q, 0, modseq, &mbSrc, &mbDst)
3680 changes = append(changes, chl...)
3686 c.broadcast(changes)
3692// Subscribe marks a mailbox path as subscribed. The mailbox does not have to
3693// exist. Subscribed may mean an email client will show the mailbox in its UI
3694// and/or periodically fetch new messages for the mailbox.
3696// State: Authenticated and selected.
3697func (c *conn) cmdSubscribe(tag, cmd string, p *parser) {
3703 name := p.xmailbox()
3706 name = xcheckmailboxname(name, true)
3708 c.account.WithWLock(func() {
3709 var changes []store.Change
3711 c.xdbwrite(func(tx *bstore.Tx) {
3713 changes, err = c.account.SubscriptionEnsure(tx, name)
3714 xcheckf(err, "ensuring subscription")
3717 c.broadcast(changes)
3723// Unsubscribe marks a mailbox as not subscribed. The mailbox doesn't have to exist.
3725// State: Authenticated and selected.
3726func (c *conn) cmdUnsubscribe(tag, cmd string, p *parser) {
3732 name := p.xmailbox()
3735 name = xcheckmailboxname(name, true)
3737 c.account.WithWLock(func() {
3738 var changes []store.Change
3740 c.xdbwrite(func(tx *bstore.Tx) {
3742 err := tx.Delete(&store.Subscription{Name: name})
3743 if err == bstore.ErrAbsent {
3744 exists, err := c.account.MailboxExists(tx, name)
3745 xcheckf(err, "checking if mailbox exists")
3747 xuserErrorf("mailbox does not exist")
3751 xcheckf(err, "removing subscription")
3754 exists, err := c.account.MailboxExists(tx, name)
3755 xcheckf(err, "looking up mailbox existence")
3757 flags = []string{`\NonExistent`}
3760 changes = []store.Change{store.ChangeRemoveSubscription{MailboxName: name, ListFlags: flags}}
3763 c.broadcast(changes)
3765 // todo: can we send untagged message about a mailbox no longer being subscribed?
3771// LSUB command for listing subscribed mailboxes.
3772// Removed in IMAP4rev2, only in IMAP4rev1.
3774// State: Authenticated and selected.
3775func (c *conn) cmdLsub(tag, cmd string, p *parser) {
3783 pattern := p.xlistMailbox()
3786 re := xmailboxPatternMatcher(ref, []string{pattern})
3789 c.xdbread(func(tx *bstore.Tx) {
3790 q := bstore.QueryTx[store.Subscription](tx)
3792 subscriptions, err := q.List()
3793 xcheckf(err, "querying subscriptions")
3795 have := map[string]bool{}
3796 subscribedKids := map[string]bool{}
3797 ispercent := strings.HasSuffix(pattern, "%")
3798 for _, sub := range subscriptions {
3801 for p := mox.ParentMailboxName(name); p != ""; p = mox.ParentMailboxName(p) {
3802 subscribedKids[p] = true
3805 if !re.MatchString(name) {
3809 line := fmt.Sprintf(`* LSUB () "/" %s`, mailboxt(name).pack(c))
3810 lines = append(lines, line)
3818 qmb := bstore.QueryTx[store.Mailbox](tx)
3819 qmb.FilterEqual("Expunged", false)
3821 err = qmb.ForEach(func(mb store.Mailbox) error {
3822 if have[mb.Name] || !subscribedKids[mb.Name] || !re.MatchString(mb.Name) {
3825 line := fmt.Sprintf(`* LSUB (\NoSelect) "/" %s`, mailboxt(mb.Name).pack(c))
3826 lines = append(lines, line)
3829 xcheckf(err, "querying mailboxes")
3833 for _, line := range lines {
3834 c.xbwritelinef("%s", line)
3839// The namespace command returns the mailbox path separator. We only implement
3840// the personal mailbox hierarchy, no shared/other.
3842// In IMAP4rev2, it was an extension before.
3844// State: Authenticated and selected.
3845func (c *conn) cmdNamespace(tag, cmd string, p *parser) {
3852 c.xbwritelinef(`* NAMESPACE (("" "/")) NIL NIL`)
3856// The status command returns information about a mailbox, such as the number of
3857// messages, "uid validity", etc. Nowadays, the extended LIST command can return
3858// the same information about many mailboxes for one command.
3860// State: Authenticated and selected.
3861func (c *conn) cmdStatus(tag, cmd string, p *parser) {
3867 name := p.xmailbox()
3870 attrs := []string{p.xstatusAtt()}
3873 attrs = append(attrs, p.xstatusAtt())
3877 name = xcheckmailboxname(name, true)
3879 var mb store.Mailbox
3881 var responseLine string
3882 c.account.WithRLock(func() {
3883 c.xdbread(func(tx *bstore.Tx) {
3884 mb = c.xmailbox(tx, name, "")
3885 responseLine = c.xstatusLine(tx, mb, attrs)
3889 c.xbwritelinef("%s", responseLine)
3894func (c *conn) xstatusLine(tx *bstore.Tx, mb store.Mailbox, attrs []string) string {
3895 status := []string{}
3896 for _, a := range attrs {
3897 A := strings.ToUpper(a)
3900 status = append(status, A, fmt.Sprintf("%d", mb.Total+mb.Deleted))
3902 status = append(status, A, fmt.Sprintf("%d", mb.UIDNext))
3904 status = append(status, A, fmt.Sprintf("%d", mb.UIDValidity))
3906 status = append(status, A, fmt.Sprintf("%d", mb.Unseen))
3908 status = append(status, A, fmt.Sprintf("%d", mb.Deleted))
3910 status = append(status, A, fmt.Sprintf("%d", mb.Size))
3912 status = append(status, A, "0")
3915 status = append(status, A, "NIL")
3916 case "HIGHESTMODSEQ":
3918 status = append(status, A, fmt.Sprintf("%d", mb.ModSeq.Client()))
3919 case "DELETED-STORAGE":
3921 // How much storage space could be reclaimed by expunging messages with the
3922 // \Deleted flag. We could keep track of this number and return it efficiently.
3923 // Calculating it each time can be slow, and we don't know if clients request it.
3924 // Clients are not likely to set the deleted flag without immediately expunging
3925 // nowadays. Let's wait for something to need it to go through the trouble, and
3926 // always return 0 for now.
3927 status = append(status, A, "0")
3929 xsyntaxErrorf("unknown attribute %q", a)
3932 return fmt.Sprintf("* STATUS %s (%s)", mailboxt(mb.Name).pack(c), strings.Join(status, " "))
3935func flaglist(fl store.Flags, keywords []string) listspace {
3937 flag := func(v bool, s string) {
3939 l = append(l, bare(s))
3942 flag(fl.Seen, `\Seen`)
3943 flag(fl.Answered, `\Answered`)
3944 flag(fl.Flagged, `\Flagged`)
3945 flag(fl.Deleted, `\Deleted`)
3946 flag(fl.Draft, `\Draft`)
3947 flag(fl.Forwarded, `$Forwarded`)
3948 flag(fl.Junk, `$Junk`)
3949 flag(fl.Notjunk, `$NotJunk`)
3950 flag(fl.Phishing, `$Phishing`)
3951 flag(fl.MDNSent, `$MDNSent`)
3952 for _, k := range keywords {
3953 l = append(l, bare(k))
3958// Append adds a message to a mailbox.
3959// The MULTIAPPEND extension is implemented, allowing multiple flags/datetime/data
3962// State: Authenticated and selected.
3963func (c *conn) cmdAppend(tag, cmd string, p *parser) {
3967 // A message that we've (partially) read from the client, and will be delivering to
3969 type appendMsg struct {
3970 storeFlags store.Flags
3974 file *os.File // Message file we are appending. Can be nil if we are writing to a nopWriteCloser due to being over quota.
3977 m store.Message // New message. Delivered file for m.ID is removed on error.
3980 var appends []*appendMsg
3983 for _, a := range appends {
3984 if !commit && a.m.ID != 0 {
3985 p := c.account.MessagePath(a.m.ID)
3987 c.xsanity(err, "cleaning up temporary append file after error")
3994 name := p.xmailbox()
3997 // Check how much quota space is available. We'll keep track of remaining quota as
3998 // we accept multiple messages.
3999 quotaMsgMax := c.account.QuotaMessageSize()
4000 quotaUnlimited := quotaMsgMax == 0
4001 var quotaAvail int64
4003 if !quotaUnlimited {
4004 c.account.WithRLock(func() {
4005 c.xdbread(func(tx *bstore.Tx) {
4006 du := store.DiskUsage{ID: 1}
4008 xcheckf(err, "get quota disk usage")
4009 quotaAvail = quotaMsgMax - du.MessageSize
4014 var overQuota bool // For response code.
4015 var cancel bool // In case we've seen zero-sized message append.
4018 // Append msg early, for potential cleanup.
4020 appends = append(appends, &a)
4022 if p.hasPrefix("(") {
4023 // Error must be a syntax error, to properly abort the connection due to literal.
4025 a.storeFlags, a.keywords, err = store.ParseFlagsKeywords(p.xflagList())
4027 xsyntaxErrorf("parsing flags: %v", err)
4031 if p.hasPrefix(`"`) {
4032 a.time = p.xdateTime()
4037 // todo: only with utf8 should we we accept message headers with utf-8. we currently always accept them.
4038 // todo: this is only relevant if we also support the CATENATE extension?
4040 utf8 := p.take("UTF8 (")
4045 // For utf8, we already consumed the required ~ above.
4046 size, synclit := p.xliteralSize(!utf8, false)
4048 if !quotaUnlimited && !overQuota {
4050 overQuota = quotaAvail < 0
4058 // Check for mailbox on first iteration.
4059 if len(appends) <= 1 {
4060 name = xcheckmailboxname(name, true)
4061 c.xdbread(func(tx *bstore.Tx) {
4062 c.xmailbox(tx, name, "TRYCREATE")
4068 xusercodeErrorf("OVERQUOTA", "account over maximum total message size %d", quotaMsgMax)
4073 xuserErrorf("empty message, cancelling append")
4076 // Read the message into a temporary file.
4078 a.file, err = store.CreateMessageTemp(c.log, "imap-append")
4079 xcheckf(err, "creating temp file for message")
4080 defer store.CloseRemoveTempFile(c.log, a.file, "temporary message file")
4085 // We'll discard the message and return an error as soon as we can (possible
4086 // synchronizing literal of next message, or after we've seen all messages).
4087 if overQuota || cancel {
4091 a.file, err = store.CreateMessageTemp(c.log, "imap-append")
4092 xcheckf(err, "creating temp file for message")
4093 defer store.CloseRemoveTempFile(c.log, a.file, "temporary message file")
4098 defer c.xtracewrite(mlog.LevelTracedata)()
4099 a.mw = message.NewWriter(f)
4100 msize, err := io.Copy(a.mw, io.LimitReader(c.br, size))
4101 c.xtracewrite(mlog.LevelTrace) // Restore.
4103 // Cannot use xcheckf due to %w handling of errIO.
4104 c.xbrokenf("reading literal message: %s (%w)", err, errIO)
4107 c.xbrokenf("read %d bytes for message, expected %d (%w)", msize, size, errIO)
4111 line := c.xreadline(false)
4112 p = newParser(line, c)
4117 // The MULTIAPPEND extension allows more appends.
4124 name = xcheckmailboxname(name, true)
4128 xusercodeErrorf("OVERQUOTA", "account over maximum total message size %d", quotaMsgMax)
4133 xuserErrorf("empty message, cancelling append")
4136 var mb store.Mailbox
4138 var pendingChanges []store.Change
4140 // In case of panic.
4141 c.flushChanges(pendingChanges)
4146 c.account.WithWLock(func() {
4147 var changes []store.Change
4149 c.xdbwrite(func(tx *bstore.Tx) {
4150 mb = c.xmailbox(tx, name, "TRYCREATE")
4152 nkeywords := len(mb.Keywords)
4154 // Check quota for all messages at once.
4155 ok, maxSize, err := c.account.CanAddMessageSize(tx, totalSize)
4156 xcheckf(err, "checking quota")
4159 xusercodeErrorf("OVERQUOTA", "account over maximum total message size %d", maxSize)
4162 modseq, err := c.account.NextModSeq(tx)
4163 xcheckf(err, "get next mod seq")
4167 msgDirs := map[string]struct{}{}
4168 for _, a := range appends {
4169 a.m = store.Message{
4171 MailboxOrigID: mb.ID,
4173 Flags: a.storeFlags,
4174 Keywords: a.keywords,
4180 // todo: do a single junk training
4181 err = c.account.MessageAdd(c.log, tx, &mb, &a.m, a.file, store.AddOpts{SkipDirSync: true})
4182 xcheckf(err, "delivering message")
4184 changes = append(changes, a.m.ChangeAddUID(mb))
4186 msgDirs[filepath.Dir(c.account.MessagePath(a.m.ID))] = struct{}{}
4189 changes = append(changes, mb.ChangeCounts())
4190 if nkeywords != len(mb.Keywords) {
4191 changes = append(changes, mb.ChangeKeywords())
4194 err = tx.Update(&mb)
4195 xcheckf(err, "updating mailbox counts")
4197 for dir := range msgDirs {
4198 err := moxio.SyncDir(c.log, dir)
4199 xcheckf(err, "sync dir")
4205 // Fetch pending changes, possibly with new UIDs, so we can apply them before adding our own new UID.
4206 overflow, pendingChanges = c.comm.Get()
4208 // Broadcast the change to other connections.
4209 c.broadcast(changes)
4212 if c.mailboxID == mb.ID {
4214 pendingChanges = nil
4215 c.xapplyChanges(overflow, l, true)
4216 for _, a := range appends {
4217 c.uidAppend(a.m.UID)
4219 // todo spec: with condstore/qresync, is there a mechanism to let the client know the modseq for the appended uid? in theory an untagged fetch with the modseq after the OK APPENDUID could make sense, but this probably isn't allowed.
4220 c.xbwritelinef("* %d EXISTS", c.exists)
4226 if len(appends) == 1 {
4227 uidset = fmt.Sprintf("%d", appends[0].m.UID)
4229 uidset = fmt.Sprintf("%d:%d", appends[0].m.UID, appends[len(appends)-1].m.UID)
4231 c.xwriteresultf("%s OK [APPENDUID %d %s] appended", tag, mb.UIDValidity, uidset)
4234// Idle makes a client wait until the server sends untagged updates, e.g. about
4235// message delivery or mailbox create/rename/delete/subscription, etc. It allows a
4236// client to get updates in real-time, not needing the use for NOOP.
4238// State: Authenticated and selected.
4239func (c *conn) cmdIdle(tag, cmd string, p *parser) {
4246 c.xwritelinef("+ waiting")
4248 // With NOTIFY enabled, flush all pending changes.
4249 if c.notify != nil && len(c.notify.Delayed) > 0 {
4250 c.xapplyChanges(false, nil, true)
4258 case le := <-c.lineChan():
4260 if err := le.err; err != nil {
4261 if errors.Is(le.err, os.ErrDeadlineExceeded) {
4262 err := c.conn.SetDeadline(time.Now().Add(10 * time.Second))
4263 c.log.Check(err, "setting deadline")
4264 c.xwritelinef("* BYE inactive")
4267 if !errors.Is(err, errIO) && !errors.Is(err, errProtocol) {
4268 c.xbrokenf("%s (%w)", err, errIO)
4274 case <-c.comm.Pending:
4275 overflow, changes := c.comm.Get()
4276 c.xapplyChanges(overflow, changes, true)
4278 case <-mox.Shutdown.Done():
4280 c.xwritelinef("* BYE shutting down")
4281 c.xbrokenf("shutting down (%w)", errIO)
4285 // Reset the write deadline. In case of little activity, with a command timeout of
4286 // 30 minutes, we have likely passed it.
4287 err := c.conn.SetWriteDeadline(time.Now().Add(5 * time.Minute))
4288 c.log.Check(err, "setting write deadline")
4290 if strings.ToUpper(line) != "DONE" {
4291 // We just close the connection because our protocols are out of sync.
4292 c.xbrokenf("%w: in IDLE, expected DONE", errIO)
4298// Return the quota root for a mailbox name and any current quota's.
4300// State: Authenticated and selected.
4301func (c *conn) cmdGetquotaroot(tag, cmd string, p *parser) {
4306 name := p.xmailbox()
4309 // This mailbox does not have to exist. Caller just wants to know which limits
4310 // would apply. We only have one limit, so we don't use the name otherwise.
4312 name = xcheckmailboxname(name, true)
4314 // Get current usage for account.
4315 var quota, size int64 // Account only has a quota if > 0.
4316 c.account.WithRLock(func() {
4317 quota = c.account.QuotaMessageSize()
4319 c.xdbread(func(tx *bstore.Tx) {
4320 du := store.DiskUsage{ID: 1}
4322 xcheckf(err, "gather used quota")
4323 size = du.MessageSize
4328 // We only have one per account quota, we name it "" like the examples in the RFC.
4330 c.xbwritelinef(`* QUOTAROOT %s ""`, astring(name).pack(c))
4332 // We only write the quota response if there is a limit. The syntax doesn't allow
4333 // an empty list, so we cannot send the current disk usage if there is no limit.
4336 c.xbwritelinef(`* QUOTA "" (STORAGE %d %d)`, (size+1024-1)/1024, (quota+1024-1)/1024)
4341// Return the quota for a quota root.
4343// State: Authenticated and selected.
4344func (c *conn) cmdGetquota(tag, cmd string, p *parser) {
4349 root := p.xastring()
4352 // We only have a per-account root called "".
4354 xuserErrorf("unknown quota root")
4357 var quota, size int64
4358 c.account.WithRLock(func() {
4359 quota = c.account.QuotaMessageSize()
4361 c.xdbread(func(tx *bstore.Tx) {
4362 du := store.DiskUsage{ID: 1}
4364 xcheckf(err, "gather used quota")
4365 size = du.MessageSize
4370 // We only write the quota response if there is a limit. The syntax doesn't allow
4371 // an empty list, so we cannot send the current disk usage if there is no limit.
4374 c.xbwritelinef(`* QUOTA "" (STORAGE %d %d)`, (size+1024-1)/1024, (quota+1024-1)/1024)
4379// Check is an old deprecated command that is supposed to execute some mailbox consistency checks.
4382func (c *conn) cmdCheck(tag, cmd string, p *parser) {
4388 c.account.WithRLock(func() {
4389 c.xdbread(func(tx *bstore.Tx) {
4390 c.xmailboxID(tx, c.mailboxID) // Validate.
4397// Close undoes select/examine, closing the currently opened mailbox and deleting
4398// messages that were marked for deletion with the \Deleted flag.
4401func (c *conn) cmdClose(tag, cmd string, p *parser) {
4408 c.xexpunge(nil, true)
4414// expunge messages marked for deletion in currently selected/active mailbox.
4415// if uidSet is not nil, only messages matching the set are expunged.
4417// Messages that have been marked expunged from the database are returned. While
4418// other sessions still reference the message, it is not cleared from the database
4419// yet, and the message file is not yet removed.
4421// The highest modseq in the mailbox is returned, typically associated with the
4422// removal of the messages, but if no messages were expunged the current latest max
4423// modseq for the mailbox is returned.
4424func (c *conn) xexpunge(uidSet *numSet, missingMailboxOK bool) (expunged []store.Message, highestModSeq store.ModSeq) {
4425 c.account.WithWLock(func() {
4426 var changes []store.Change
4428 c.xdbwrite(func(tx *bstore.Tx) {
4429 mb, err := store.MailboxID(tx, c.mailboxID)
4430 if err == bstore.ErrAbsent || err == store.ErrMailboxExpunged {
4431 if missingMailboxOK {
4435 xusercodeErrorf("NONEXISTENT", "%w", store.ErrUnknownMailbox)
4437 xcheckf(err, "get mailbox")
4439 xlastUID := c.newCachedLastUID(tx, c.mailboxID, func(err error) { xuserErrorf("%s", err) })
4441 qm := bstore.QueryTx[store.Message](tx)
4442 qm.FilterNonzero(store.Message{MailboxID: c.mailboxID})
4443 qm.FilterEqual("Deleted", true)
4444 qm.FilterEqual("Expunged", false)
4445 qm.FilterLess("UID", c.uidnext)
4446 qm.FilterFn(func(m store.Message) bool {
4447 // Only remove if this session knows about the message and if present in optional
4449 return uidSet == nil || uidSet.xcontainsKnownUID(m.UID, c.searchResult, xlastUID)
4452 expunged, err = qm.List()
4453 xcheckf(err, "listing messages to expunge")
4455 if len(expunged) == 0 {
4456 highestModSeq = mb.ModSeq
4460 // Assign new modseq.
4461 modseq, err := c.account.NextModSeq(tx)
4462 xcheckf(err, "assigning next modseq")
4463 highestModSeq = modseq
4466 chremuids, chmbcounts, err := c.account.MessageRemove(c.log, tx, modseq, &mb, store.RemoveOpts{}, expunged...)
4467 xcheckf(err, "expunging messages")
4468 changes = append(changes, chremuids, chmbcounts)
4470 err = tx.Update(&mb)
4471 xcheckf(err, "update mailbox")
4474 c.broadcast(changes)
4477 return expunged, highestModSeq
4480// Unselect is similar to close in that it closes the currently active mailbox, but
4481// it does not remove messages marked for deletion.
4484func (c *conn) cmdUnselect(tag, cmd string, p *parser) {
4494// Expunge deletes messages marked with \Deleted in the currently selected mailbox.
4495// Clients are wiser to use UID EXPUNGE because it allows a UID sequence set to
4496// explicitly opt in to removing specific messages.
4499func (c *conn) cmdExpunge(tag, cmd string, p *parser) {
4506 xuserErrorf("mailbox open in read-only mode")
4509 c.cmdxExpunge(tag, cmd, nil)
4512// UID expunge deletes messages marked with \Deleted in the currently selected
4513// mailbox if they match a UID sequence set.
4516func (c *conn) cmdUIDExpunge(tag, cmd string, p *parser) {
4521 uidSet := p.xnumSet()
4525 xuserErrorf("mailbox open in read-only mode")
4528 c.cmdxExpunge(tag, cmd, &uidSet)
4531// Permanently delete messages for the currently selected/active mailbox. If uidset
4532// is not nil, only those UIDs are expunged.
4534func (c *conn) cmdxExpunge(tag, cmd string, uidSet *numSet) {
4537 expunged, highestModSeq := c.xexpunge(uidSet, false)
4540 var vanishedUIDs numSet
4541 qresync := c.enabled[capQresync]
4542 for _, m := range expunged {
4546 vanishedUIDs.append(uint32(m.UID))
4549 seq := c.xsequence(m.UID)
4550 c.sequenceRemove(seq, m.UID)
4552 vanishedUIDs.append(uint32(m.UID))
4554 c.xbwritelinef("* %d EXPUNGE", seq)
4557 if !vanishedUIDs.empty() {
4559 for _, s := range vanishedUIDs.Strings(4*1024 - 32) {
4560 c.xbwritelinef("* VANISHED %s", s)
4564 if c.enabled[capCondstore] {
4565 c.xwriteresultf("%s OK [HIGHESTMODSEQ %d] expunged", tag, highestModSeq.Client())
4572func (c *conn) cmdSearch(tag, cmd string, p *parser) {
4573 c.cmdxSearch(false, false, tag, cmd, p)
4577func (c *conn) cmdUIDSearch(tag, cmd string, p *parser) {
4578 c.cmdxSearch(true, false, tag, cmd, p)
4582func (c *conn) cmdFetch(tag, cmd string, p *parser) {
4583 c.cmdxFetch(false, tag, cmd, p)
4587func (c *conn) cmdUIDFetch(tag, cmd string, p *parser) {
4588 c.cmdxFetch(true, tag, cmd, p)
4592func (c *conn) cmdStore(tag, cmd string, p *parser) {
4593 c.cmdxStore(false, tag, cmd, p)
4597func (c *conn) cmdUIDStore(tag, cmd string, p *parser) {
4598 c.cmdxStore(true, tag, cmd, p)
4602func (c *conn) cmdCopy(tag, cmd string, p *parser) {
4603 c.cmdxCopy(false, tag, cmd, p)
4607func (c *conn) cmdUIDCopy(tag, cmd string, p *parser) {
4608 c.cmdxCopy(true, tag, cmd, p)
4612func (c *conn) cmdMove(tag, cmd string, p *parser) {
4613 c.cmdxMove(false, tag, cmd, p)
4617func (c *conn) cmdUIDMove(tag, cmd string, p *parser) {
4618 c.cmdxMove(true, tag, cmd, p)
4622func (c *conn) cmdReplace(tag, cmd string, p *parser) {
4623 c.cmdxReplace(false, tag, cmd, p)
4627func (c *conn) cmdUIDReplace(tag, cmd string, p *parser) {
4628 c.cmdxReplace(true, tag, cmd, p)
4631func (c *conn) gatherCopyMoveUIDs(tx *bstore.Tx, isUID bool, nums numSet) []store.UID {
4632 // Gather uids, then sort so we can return a consistently simple and hard to
4633 // misinterpret COPYUID/MOVEUID response. It seems safer to have UIDs in ascending
4634 // order, because requested uid set of 12:10 is equal to 10:12, so if we would just
4635 // echo whatever the client sends us without reordering, the client can reorder our
4636 // response and interpret it differently than we intended.
4638 return c.xnumSetEval(tx, isUID, nums)
4641// Copy copies messages from the currently selected/active mailbox to another named
4645func (c *conn) cmdxCopy(isUID bool, tag, cmd string, p *parser) {
4652 name := p.xmailbox()
4655 name = xcheckmailboxname(name, true)
4657 // Files that were created during the copy. Remove them if the operation fails.
4660 for _, id := range newIDs {
4661 p := c.account.MessagePath(id)
4663 c.xsanity(err, "cleaning up created file")
4668 var uids []store.UID
4670 var mbDst store.Mailbox
4672 var newUIDs []store.UID
4673 var flags []store.Flags
4674 var keywords [][]string
4675 var modseq store.ModSeq // For messages in new mailbox, assigned when first message is copied.
4677 c.account.WithWLock(func() {
4679 c.xdbwrite(func(tx *bstore.Tx) {
4680 mbSrc := c.xmailboxID(tx, c.mailboxID) // Validate.
4682 mbDst = c.xmailbox(tx, name, "TRYCREATE")
4683 if mbDst.ID == mbSrc.ID {
4684 xuserErrorf("cannot copy to currently selected mailbox")
4687 uids = c.gatherCopyMoveUIDs(tx, isUID, nums)
4690 xuserErrorf("no matching messages to copy")
4693 nkeywords = len(mbDst.Keywords)
4696 modseq, err = c.account.NextModSeq(tx)
4697 xcheckf(err, "assigning next modseq")
4698 mbSrc.ModSeq = modseq
4699 mbDst.ModSeq = modseq
4701 err = tx.Update(&mbSrc)
4702 xcheckf(err, "updating source mailbox for modseq")
4704 // Reserve the uids in the destination mailbox.
4705 uidFirst := mbDst.UIDNext
4706 err = mbDst.UIDNextAdd(len(uids))
4707 xcheckf(err, "adding uid")
4709 // Fetch messages from database.
4710 q := bstore.QueryTx[store.Message](tx)
4711 q.FilterNonzero(store.Message{MailboxID: c.mailboxID})
4712 q.FilterEqual("UID", slicesAny(uids)...)
4713 q.FilterEqual("Expunged", false)
4714 xmsgs, err := q.List()
4715 xcheckf(err, "fetching messages")
4717 if len(xmsgs) != len(uids) {
4718 xserverErrorf("uid and message mismatch")
4721 // See if quota allows copy.
4723 for _, m := range xmsgs {
4726 if ok, maxSize, err := c.account.CanAddMessageSize(tx, totalSize); err != nil {
4727 xcheckf(err, "checking quota")
4730 xusercodeErrorf("OVERQUOTA", "account over maximum total message size %d", maxSize)
4732 err = c.account.AddMessageSize(c.log, tx, totalSize)
4733 xcheckf(err, "updating disk usage")
4735 msgs := map[store.UID]store.Message{}
4736 for _, m := range xmsgs {
4739 nmsgs := make([]store.Message, len(xmsgs))
4741 conf, _ := c.account.Conf()
4743 mbKeywords := map[string]struct{}{}
4746 // Insert new messages into database.
4747 var origMsgIDs, newMsgIDs []int64
4748 for i, uid := range uids {
4751 xuserErrorf("messages changed, could not fetch requested uid")
4754 origMsgIDs = append(origMsgIDs, origID)
4756 m.UID = uidFirst + store.UID(i)
4757 m.CreateSeq = modseq
4759 m.MailboxID = mbDst.ID
4760 if m.IsReject && m.MailboxDestinedID != 0 {
4761 // Incorrectly delivered to Rejects mailbox. Adjust MailboxOrigID so this message
4762 // is used for reputation calculation during future deliveries.
4763 m.MailboxOrigID = m.MailboxDestinedID
4767 m.JunkFlagsForMailbox(mbDst, conf)
4769 err := tx.Insert(&m)
4770 xcheckf(err, "inserting message")
4773 newUIDs = append(newUIDs, m.UID)
4774 newMsgIDs = append(newMsgIDs, m.ID)
4775 flags = append(flags, m.Flags)
4776 keywords = append(keywords, m.Keywords)
4777 for _, kw := range m.Keywords {
4778 mbKeywords[kw] = struct{}{}
4781 qmr := bstore.QueryTx[store.Recipient](tx)
4782 qmr.FilterNonzero(store.Recipient{MessageID: origID})
4783 mrs, err := qmr.List()
4784 xcheckf(err, "listing message recipients")
4785 for _, mr := range mrs {
4788 err := tx.Insert(&mr)
4789 xcheckf(err, "inserting message recipient")
4792 mbDst.Add(m.MailboxCounts())
4795 mbDst.Keywords, _ = store.MergeKeywords(mbDst.Keywords, slices.Sorted(maps.Keys(mbKeywords)))
4797 err = tx.Update(&mbDst)
4798 xcheckf(err, "updating destination mailbox for uids, keywords and counts")
4800 // Copy message files to new message ID's.
4801 syncDirs := map[string]struct{}{}
4802 for i := range origMsgIDs {
4803 src := c.account.MessagePath(origMsgIDs[i])
4804 dst := c.account.MessagePath(newMsgIDs[i])
4805 dstdir := filepath.Dir(dst)
4806 if _, ok := syncDirs[dstdir]; !ok {
4807 os.MkdirAll(dstdir, 0770)
4808 syncDirs[dstdir] = struct{}{}
4810 err := moxio.LinkOrCopy(c.log, dst, src, nil, true)
4811 xcheckf(err, "link or copy file %q to %q", src, dst)
4812 newIDs = append(newIDs, newMsgIDs[i])
4815 for dir := range syncDirs {
4816 err := moxio.SyncDir(c.log, dir)
4817 xcheckf(err, "sync directory")
4820 err = c.account.RetrainMessages(context.TODO(), c.log, tx, nmsgs)
4821 xcheckf(err, "train copied messages")
4826 // Broadcast changes to other connections.
4827 if len(newUIDs) > 0 {
4828 changes := make([]store.Change, 0, len(newUIDs)+2)
4829 for i, uid := range newUIDs {
4830 add := store.ChangeAddUID{
4831 MailboxID: mbDst.ID,
4835 Keywords: keywords[i],
4836 MessageCountIMAP: mbDst.MessageCountIMAP(),
4837 Unseen: uint32(mbDst.MailboxCounts.Unseen),
4839 changes = append(changes, add)
4841 changes = append(changes, mbDst.ChangeCounts())
4842 if nkeywords != len(mbDst.Keywords) {
4843 changes = append(changes, mbDst.ChangeKeywords())
4845 c.broadcast(changes)
4850 c.xwriteresultf("%s OK [COPYUID %d %s %s] copied", tag, mbDst.UIDValidity, compactUIDSet(uids).String(), compactUIDSet(newUIDs).String())
4853// Move moves messages from the currently selected/active mailbox to a named mailbox.
4856func (c *conn) cmdxMove(isUID bool, tag, cmd string, p *parser) {
4863 name := p.xmailbox()
4866 name = xcheckmailboxname(name, true)
4869 xuserErrorf("mailbox open in read-only mode")
4873 var uids []store.UID
4875 var mbDst store.Mailbox
4876 var uidFirst store.UID
4877 var modseq store.ModSeq
4879 var cleanupIDs []int64
4881 for _, id := range cleanupIDs {
4882 p := c.account.MessagePath(id)
4884 c.xsanity(err, "removing destination message file %v", p)
4888 c.account.WithWLock(func() {
4889 var changes []store.Change
4891 c.xdbwrite(func(tx *bstore.Tx) {
4892 mbSrc := c.xmailboxID(tx, c.mailboxID) // Validate.
4893 mbDst = c.xmailbox(tx, name, "TRYCREATE")
4894 if mbDst.ID == c.mailboxID {
4895 xuserErrorf("cannot move to currently selected mailbox")
4898 uids = c.gatherCopyMoveUIDs(tx, isUID, nums)
4901 xuserErrorf("no matching messages to move")
4904 uidFirst = mbDst.UIDNext
4906 // Assign a new modseq, for the new records and for the expunged records.
4908 modseq, err = c.account.NextModSeq(tx)
4909 xcheckf(err, "assigning next modseq")
4911 // Make query selecting messages to move.
4912 q := bstore.QueryTx[store.Message](tx)
4913 q.FilterNonzero(store.Message{MailboxID: mbSrc.ID})
4914 q.FilterEqual("UID", slicesAny(uids)...)
4915 q.FilterEqual("Expunged", false)
4918 newIDs, chl := c.xmoveMessages(tx, q, len(uids), modseq, &mbSrc, &mbDst)
4919 changes = append(changes, chl...)
4925 c.broadcast(changes)
4930 newUIDs := numSet{ranges: []numRange{{setNumber{number: uint32(uidFirst)}, &setNumber{number: uint32(mbDst.UIDNext - 1)}}}}
4931 c.xbwritelinef("* OK [COPYUID %d %s %s] moved", mbDst.UIDValidity, compactUIDSet(uids).String(), newUIDs.String())
4932 qresync := c.enabled[capQresync]
4933 var vanishedUIDs numSet
4934 for i := range uids {
4938 vanishedUIDs.append(uint32(uids[i]))
4942 seq := c.xsequence(uids[i])
4943 c.sequenceRemove(seq, uids[i])
4945 vanishedUIDs.append(uint32(uids[i]))
4947 c.xbwritelinef("* %d EXPUNGE", seq)
4950 if !vanishedUIDs.empty() {
4952 for _, s := range vanishedUIDs.Strings(4*1024 - 32) {
4953 c.xbwritelinef("* VANISHED %s", s)
4959 c.xwriteresultf("%s OK [HIGHESTMODSEQ %d] move", tag, modseq.Client())
4965// q must yield messages from a single mailbox.
4966func (c *conn) xmoveMessages(tx *bstore.Tx, q *bstore.Query[store.Message], expectCount int, modseq store.ModSeq, mbSrc, mbDst *store.Mailbox) (newIDs []int64, changes []store.Change) {
4967 newIDs = make([]int64, 0, expectCount)
4973 for _, id := range newIDs {
4974 p := c.account.MessagePath(id)
4976 c.xsanity(err, "removing added message file %v", p)
4981 mbSrc.ModSeq = modseq
4982 mbDst.ModSeq = modseq
4987 err := jf.CloseDiscard()
4988 c.log.Check(err, "closing junk filter after error")
4992 accConf, _ := c.account.Conf()
4994 changeRemoveUIDs := store.ChangeRemoveUIDs{
4995 MailboxID: mbSrc.ID,
4998 changes = make([]store.Change, 0, expectCount+4) // mbsrc removeuids, mbsrc counts, mbdst counts, mbdst keywords
5000 nkeywords := len(mbDst.Keywords)
5004 xcheckf(err, "listing messages to move")
5006 if expectCount > 0 && len(l) != expectCount {
5007 xcheckf(fmt.Errorf("moved %d messages, expected %d", len(l), expectCount), "move messages")
5010 // For newly created message directories that we sync after hardlinking/copying files.
5011 syncDirs := map[string]struct{}{}
5013 for _, om := range l {
5015 nm.MailboxID = mbDst.ID
5016 nm.UID = mbDst.UIDNext
5017 err := mbDst.UIDNextAdd(1)
5018 xcheckf(err, "adding uid")
5020 nm.CreateSeq = modseq
5022 if nm.IsReject && nm.MailboxDestinedID != 0 {
5023 // Incorrectly delivered to Rejects mailbox. Adjust MailboxOrigID so this message
5024 // is used for reputation calculation during future deliveries.
5025 nm.MailboxOrigID = nm.MailboxDestinedID
5030 nm.JunkFlagsForMailbox(*mbDst, accConf)
5032 err = tx.Update(&nm)
5033 xcheckf(err, "updating message with new mailbox")
5035 mbDst.Add(nm.MailboxCounts())
5037 mbSrc.Sub(om.MailboxCounts())
5041 om.TrainedJunk = nil
5042 err = tx.Insert(&om)
5043 xcheckf(err, "inserting expunged message in old mailbox")
5045 dstPath := c.account.MessagePath(om.ID)
5046 dstDir := filepath.Dir(dstPath)
5047 if _, ok := syncDirs[dstDir]; !ok {
5048 os.MkdirAll(dstDir, 0770)
5049 syncDirs[dstDir] = struct{}{}
5052 err = moxio.LinkOrCopy(c.log, dstPath, c.account.MessagePath(nm.ID), nil, false)
5053 xcheckf(err, "duplicating message in old mailbox for current sessions")
5054 newIDs = append(newIDs, nm.ID)
5055 // We don't sync the directory. In case of a crash and files disappearing, the
5056 // eraser will simply not find the file at next startup.
5058 err = tx.Insert(&store.MessageErase{ID: om.ID, SkipUpdateDiskUsage: true})
5059 xcheckf(err, "insert message erase")
5061 mbDst.Keywords, _ = store.MergeKeywords(mbDst.Keywords, nm.Keywords)
5063 if accConf.JunkFilter != nil && nm.NeedsTraining() {
5064 // Lazily open junk filter.
5066 jf, _, err = c.account.OpenJunkFilter(context.TODO(), c.log)
5067 xcheckf(err, "open junk filter")
5069 err := c.account.RetrainMessage(context.TODO(), c.log, tx, jf, &nm)
5070 xcheckf(err, "retrain message after moving")
5073 changeRemoveUIDs.UIDs = append(changeRemoveUIDs.UIDs, om.UID)
5074 changeRemoveUIDs.MsgIDs = append(changeRemoveUIDs.MsgIDs, om.ID)
5075 changes = append(changes, nm.ChangeAddUID(*mbDst))
5077 xcheckf(err, "move messages")
5079 for dir := range syncDirs {
5080 err := moxio.SyncDir(c.log, dir)
5081 xcheckf(err, "sync directory")
5084 changeRemoveUIDs.UIDNext = mbDst.UIDNext
5085 changeRemoveUIDs.MessageCountIMAP = mbDst.MessageCountIMAP()
5086 changeRemoveUIDs.Unseen = uint32(mbDst.MailboxCounts.Unseen)
5087 changes = append(changes, changeRemoveUIDs, mbSrc.ChangeCounts())
5089 err = tx.Update(mbSrc)
5090 xcheckf(err, "updating counts for inbox")
5092 changes = append(changes, mbDst.ChangeCounts())
5093 if len(mbDst.Keywords) > nkeywords {
5094 changes = append(changes, mbDst.ChangeKeywords())
5097 err = tx.Update(mbDst)
5098 xcheckf(err, "updating uidnext and counts in destination mailbox")
5103 xcheckf(err, "saving junk filter")
5110// Store sets a full set of flags, or adds/removes specific flags.
5113func (c *conn) cmdxStore(isUID bool, tag, cmd string, p *parser) {
5120 var unchangedSince *int64
5123 p.xtake("UNCHANGEDSINCE")
5130 c.xensureCondstore(nil)
5132 var plus, minus bool
5135 } else if p.take("-") {
5139 silent := p.take(".SILENT")
5141 var flagstrs []string
5142 if p.hasPrefix("(") {
5143 flagstrs = p.xflagList()
5145 flagstrs = append(flagstrs, p.xflag())
5147 flagstrs = append(flagstrs, p.xflag())
5153 xuserErrorf("mailbox open in read-only mode")
5156 flags, keywords, err := store.ParseFlagsKeywords(flagstrs)
5158 xuserErrorf("parsing flags: %v", err)
5160 var mask store.Flags
5162 mask, flags = flags, store.FlagsAll
5164 mask, flags = flags, store.Flags{}
5166 mask = store.FlagsAll
5169 var mb, origmb store.Mailbox
5170 var updated []store.Message
5171 var changed []store.Message // ModSeq more recent than unchangedSince, will be in MODIFIED response code, and we will send untagged fetch responses so client is up to date.
5172 var modseq store.ModSeq // Assigned when needed.
5173 modified := map[int64]bool{}
5175 c.account.WithWLock(func() {
5176 var mbKwChanged bool
5177 var changes []store.Change
5179 c.xdbwrite(func(tx *bstore.Tx) {
5180 mb = c.xmailboxID(tx, c.mailboxID) // Validate.
5183 uids := c.xnumSetEval(tx, isUID, nums)
5189 // Ensure keywords are in mailbox.
5191 mb.Keywords, mbKwChanged = store.MergeKeywords(mb.Keywords, keywords)
5193 err := tx.Update(&mb)
5194 xcheckf(err, "updating mailbox with keywords")
5198 q := bstore.QueryTx[store.Message](tx)
5199 q.FilterNonzero(store.Message{MailboxID: c.mailboxID})
5200 q.FilterEqual("UID", slicesAny(uids)...)
5201 q.FilterEqual("Expunged", false)
5202 err := q.ForEach(func(m store.Message) error {
5203 // Client may specify a message multiple times, but we only process it once.
../rfc/7162:823
5208 mc := m.MailboxCounts()
5210 origFlags := m.Flags
5211 m.Flags = m.Flags.Set(mask, flags)
5212 oldKeywords := slices.Clone(m.Keywords)
5214 m.Keywords, _ = store.RemoveKeywords(m.Keywords, keywords)
5216 m.Keywords, _ = store.MergeKeywords(m.Keywords, keywords)
5218 m.Keywords = keywords
5221 keywordsChanged := func() bool {
5222 sort.Strings(oldKeywords)
5223 n := slices.Clone(m.Keywords)
5225 return !slices.Equal(oldKeywords, n)
5228 // If the message has a more recent modseq than the check requires, we won't modify
5229 // it and report in the final command response.
5232 // unchangedSince 0 always fails the check, we don't turn it into 1 like with our
5233 // internal modseqs. RFC implies that is not required for non-system flags, but we
5235 if unchangedSince != nil && m.ModSeq.Client() > *unchangedSince {
5236 changed = append(changed, m)
5241 // It requires that we keep track of the flags we think the client knows (but only
5242 // on this connection). We don't track that. It also isn't clear why this is
5243 // allowed because it is skipping the condstore conditional check, and the new
5244 // combination of flags could be unintended.
5247 if origFlags == m.Flags && !keywordsChanged() {
5248 // Note: since we didn't update the modseq, we are not adding m.ID to "modified",
5249 // it would skip the modseq check above. We still add m to list of updated, so we
5250 // send an untagged fetch response. But we don't broadcast it.
5251 updated = append(updated, m)
5256 mb.Add(m.MailboxCounts())
5258 // Assign new modseq for first actual change.
5261 modseq, err = c.account.NextModSeq(tx)
5262 xcheckf(err, "next modseq")
5266 modified[m.ID] = true
5267 updated = append(updated, m)
5269 changes = append(changes, m.ChangeFlags(origFlags, mb))
5271 return tx.Update(&m)
5273 xcheckf(err, "storing flags in messages")
5275 if mb.MailboxCounts != origmb.MailboxCounts || modseq != 0 {
5276 err := tx.Update(&mb)
5277 xcheckf(err, "updating mailbox counts")
5279 if mb.MailboxCounts != origmb.MailboxCounts {
5280 changes = append(changes, mb.ChangeCounts())
5283 changes = append(changes, mb.ChangeKeywords())
5286 err = c.account.RetrainMessages(context.TODO(), c.log, tx, updated)
5287 xcheckf(err, "training messages")
5290 c.broadcast(changes)
5293 // In the RFC, the section about STORE/UID STORE says we must return MODSEQ when
5294 // UNCHANGEDSINCE was specified. It does not specify it in case UNCHANGEDSINCE
5295 // isn't specified. For that case it does say MODSEQ is needed in unsolicited
5296 // untagged fetch responses. Implying that solicited untagged fetch responses
5297 // should not include MODSEQ (why else mention unsolicited explicitly?). But, in
5298 // the introduction to CONDSTORE it does explicitly specify MODSEQ should be
5299 // included in untagged fetch responses at all times with CONDSTORE-enabled
5300 // connections. It would have been better if the command behaviour was specified in
5301 // the command section, not the introduction to the extension.
5304 if !silent || c.enabled[capCondstore] {
5305 for _, m := range updated {
5308 args = append(args, fmt.Sprintf("FLAGS %s", flaglist(m.Flags, m.Keywords).pack(c)))
5310 if c.enabled[capCondstore] {
5311 args = append(args, fmt.Sprintf("MODSEQ (%d)", m.ModSeq.Client()))
5316 // Ensure list is non-empty.
5318 args = append(args, fmt.Sprintf("UID %d", m.UID))
5320 c.xbwritelinef("* %d UIDFETCH (%s)", m.UID, strings.Join(args, " "))
5322 args = append([]string{fmt.Sprintf("UID %d", m.UID)}, args...)
5323 c.xbwritelinef("* %d FETCH (%s)", c.xsequence(m.UID), strings.Join(args, " "))
5328 // We don't explicitly send flags for failed updated with silent set. The regular
5329 // notification will get the flags to the client.
5332 if len(changed) == 0 {
5337 // Write unsolicited untagged fetch responses for messages that didn't pass the
5340 var mnums []store.UID
5341 for _, m := range changed {
5344 c.xbwritelinef("* %d UIDFETCH (FLAGS %s MODSEQ (%d))", m.UID, flaglist(m.Flags, m.Keywords).pack(c), m.ModSeq.Client())
5346 c.xbwritelinef("* %d FETCH (UID %d FLAGS %s MODSEQ (%d))", c.xsequence(m.UID), m.UID, flaglist(m.Flags, m.Keywords).pack(c), m.ModSeq.Client())
5349 mnums = append(mnums, m.UID)
5351 mnums = append(mnums, store.UID(c.xsequence(m.UID)))
5356 set := compactUIDSet(mnums)
5358 c.xwriteresultf("%s OK [MODIFIED %s] conditional store did not modify all", tag, set.String())