Man Linux: Main Page and Category List


       fetchmail - fetch mail from a POP, IMAP, ETRN, or ODMR-capable server


       fetchmail [option...] [mailserver...]


       fetchmail  is  a mail-retrieval and forwarding utility; it fetches mail
       from  remote  mailservers  and  forwards  it  to  your  local  (client)
       machine's  delivery  system.   You  can  then handle the retrieved mail
       using normal mail user agents such as mutt(1), elm(1) or Mail(1).   The
       fetchmail utility can be run in a daemon mode to repeatedly poll one or
       more systems at a specified interval.

       The fetchmail program can gather mail from servers  supporting  any  of
       the  common  mail-retrieval protocols: POP2 (legacy, to be removed from
       future release), POP3, IMAP2bis, IMAP4, and IMAP4rev1.  It can also use
       the  ESMTP  ETRN  extension  and  ODMR.  (The RFCs describing all these
       protocols are listed at the end of this manual page.)

       While fetchmail is primarily intended to be used over on-demand  TCP/IP
       links  (such  as  SLIP  or PPP connections), it may also be useful as a
       message transfer agent for sites which refuse for security  reasons  to
       permit (sender-initiated) SMTP transactions with sendmail.

       For  troubleshooting,  tracing  and  debugging,  you  need  to increase
       fetchmail's verbosity to actually see what happens. To do that,  please
       run both of the two following commands, adding all of the options you'd
       normally use.

              env LC_ALL=C fetchmail -V -v --nodetach --nosyslog

              (This command line prints in English how  fetchmail  understands
              your configuration.)

              env LC_ALL=C fetchmail -vvv  --nodetach --nosyslog

              (This  command line actually runs fetchmail with verbose English

       Also      see       item       #G3       in       fetchmail's       FAQ

       You  can  omit  the LC_ALL=C part above if you want output in the local
       language (if supported). However if you are posting to  mailing  lists,
       please  leave it in. The maintainers do not necessarily understand your
       language, please use English.

       If fetchmail is used with a POP or an IMAP server (but not with ETRN or
       ODMR),  it has two fundamental modes of operation for each user account
       from which it retrieves mail: singledrop- and multidrop-mode.

       In singledrop-mode,
              fetchmail assumes  that  all  messages  in  the  user's  account
              (mailbox)  are intended for a single recipient.  The identity of
              the recipient will either default to the  local  user  currently
              executing  fetchmail, or will need to be explicitly specified in
              the configuration file.

              fetchmail   uses   singledrop-mode    when    the    fetchmailrc
              configuration contains at most a single local user specification
              for a given server account.

       In multidrop-mode,
              fetchmail assumes that the mail server account actually contains
              mail   intended   for   any   number  of  different  recipients.
              Therefore, fetchmail must attempt to deduce the proper "envelope
              recipient"  from the mail headers of each message.  In this mode
              of operation, fetchmail almost resembles a mail  transfer  agent

              Note  that  neither the POP nor IMAP protocols were intended for
              use in this fashion, and hence envelope information is often not
              directly   available.    The   ISP   must  stores  the  envelope
              information in some message header and. The ISP must also  store
              one  copy  of  the  message  per  recipient.  If  either  of the
              conditions is not fulfilled, this process is unreliable, because
              fetchmail  must  then  resort  to  guessing  the  true  envelope
              recipient(s) of a message. This usually fails for  mailing  list
              messages and Bcc:d mail, or mail for multiple recipients in your

              fetchmail uses multidrop-mode when  more  than  one  local  user
              and/or  a  wildcard is specified for a particular server account
              in the configuration file.

       In ETRN and ODMR modes,
              these considerations do not apply, as these protocols are  based
              on SMTP, which provides explicit envelope recipient information.
              These protocols always support multiple recipients.

       As each message is retrieved, fetchmail normally delivers it  via  SMTP
       to  port 25 on the machine it is running on (localhost), just as though
       it were being passed in over a normal TCP/IP link.  fetchmail  provides
       the  SMTP  server  with  an  envelope  recipient  derived in the manner
       described previously.  The mail will then  be  delivered  according  to
       your  MTA's  rules  (the  Mail  Transfer  Agent is usually sendmail(8),
       exim(8), or postfix(8)).  Invoking your  system's  MDA  (Mail  Delivery
       Agent)  is  the  duty of your MTA.  All the delivery-control mechanisms
       (such as .forward files) normally available through your system MTA and
       local delivery agents will therefore be applied as usual.

       If  your  fetchmail  configuration  sets  a  local  MDA  (see the --mda
       option), it will be used directly instead of talking SMTP to port 25.

       If the program fetchmailconf  is  available,  it  will  assist  you  in
       setting  up and editing a fetchmailrc configuration.  It runs under the
       X window system and requires  that  the  language  Python  and  the  Tk
       toolkit  (with  Python bindings) be present on your system.  If you are
       first setting up fetchmail for single-user mode, it is recommended that
       you  use  Novice  mode.   Expert  mode  provides  complete  control  of
       fetchmail configuration, including the multidrop features.   In  either
       case,  the 'Autoprobe' button will tell you the most capable protocol a
       given mailserver supports, and warn you of potential problems with that


       The  behavior  of fetchmail is controlled by command-line options and a
       run control file, ~/.fetchmailrc, the syntax of which we describe in  a
       later  section  (this  file  is  what the fetchmailconf program edits).
       Command-line options override ~/.fetchmailrc declarations.

       Each server name that you specify following the options on the  command
       line  will be queried.  If you don't specify any servers on the command
       line, each 'poll' entry in your ~/.fetchmailrc file will be queried.

       To facilitate the use of fetchmail in scripts and pipelines, it returns
       an appropriate exit code upon termination -- see EXIT CODES below.

       The  following  options modify the behavior of fetchmail.  It is seldom
       necessary to specify any of these once you have a working  .fetchmailrc
       file set up.

       Almost  all  options  have a corresponding keyword which can be used to
       declare them in a .fetchmailrc file.

       Some special options are not covered here, but are  documented  instead
       in sections on AUTHENTICATION and DAEMON MODE which follow.

   General Options
       -V | --version
              Displays the version information for your copy of fetchmail.  No
              mail fetch is performed.  Instead, for  each  server  specified,
              all  the  option information that would be computed if fetchmail
              were connecting to that server is displayed.  Any non-printables
              in  passwords  or other string names are shown as backslashed C-
              like escape sequences.  This option is useful for verifying that
              your options are set the way you want them.

       -c | --check
              Return  a status code to indicate whether there is mail waiting,
              without actually fetching  or  deleting  mail  (see  EXIT  CODES
              below).  This option turns off daemon mode (in which it would be
              useless).  It doesn't play well with queries to multiple  sites,
              and  doesn't  work  with  ETRN  or ODMR.  It will return a false
              positive if you leave read but undeleted  mail  in  your  server
              mailbox  and  your  fetch protocol can't tell kept messages from
              new ones.  This means it will work  with  IMAP,  not  work  with
              POP2, and may occasionally flake out under POP3.

       -s | --silent
              Silent  mode.   Suppresses all progress/status messages that are
              normally echoed to standard output during a fetch (but does  not
              suppress actual error messages).  The --verbose option overrides

       -v | --verbose
              Verbose mode.  All control messages passed between fetchmail and
              the  mailserver  are  echoed  to  stdout.   Overrides  --silent.
              Doubling this option (-v -v) causes extra diagnostic information
              to be printed.

              (since v6.3.10, Keyword: set no softbounce, since v6.3.10)
              Hard  bounce  mode. All permanent delivery errors cause messages
              to be deleted from the  upstream  server,  see  "no  softbounce"

              (since v6.3.10, Keyword: set softbounce, since v6.3.10)
              Soft  bounce  mode. All permanent delivery errors cause messages
              to be left on the upstream server if the protocol supports that.
              Default to match historic fetchmail documentation, to be changed
              to hard bounce mode in the next fetchmail release.

   Disposal Options
       -a | --all | (since v6.3.3) --fetchall
              (Keyword: fetchall, since v3.0)
              Retrieve both old (seen) and new messages from  the  mailserver.
              The  default is to fetch only messages the server has not marked
              seen.  Under POP3, this option  also  forces  the  use  of  RETR
              rather  than  TOP.   Note  that POP2 retrieval behaves as though
              --all is always on (see RETRIEVAL FAILURE MODES below) and  this
              option  does not work with ETRN or ODMR.  While the -a and --all
              command-line and fetchall rcfile options have been supported for
              a  long  time,  the  --fetchall command-line option was added in

       -k | --keep
              (Keyword: keep)
              Keep retrieved messages on  the  remote  mailserver.   Normally,
              messages  are  deleted  from  the folder on the mailserver after
              they have been retrieved.  Specifying  the  keep  option  causes
              retrieved  messages  to remain in your folder on the mailserver.
              This option does not work with ETRN or ODMR. If used with  POP3,
              it  is  recommended  to  also  specify the --uidl option or uidl

       -K | --nokeep
              (Keyword: nokeep)
              Delete retrieved messages  from  the  remote  mailserver.   This
              option forces retrieved mail to be deleted.  It may be useful if
              you have specified a default of keep in your .fetchmailrc.  This
              option is forced on with ETRN and ODMR.

       -F | --flush
              (Keyword: flush)
              POP3/IMAP  only.   This is a dangerous option and can cause mail
              loss when used improperly. It deletes old (seen)  messages  from
              the  mailserver  before  retrieving new messages.  Warning: This
              can cause mail loss if you check your mail  with  other  clients
              than  fetchmail,  and cause fetchmail to delete a message it had
              never fetched before.  It can also cause mail loss if  the  mail
              server  marks  the message seen after retrieval (IMAP2 servers).
              You should probably not use this option  in  your  configuration
              file.  If  you use it with POP3, you must use the 'uidl' option.
              What you probably want is the  default  setting:  if  you  don't
              specify  '-k', then fetchmail will automatically delete messages
              after successful delivery.

              POP3/IMAP only, since version 6.3.0.  Delete oversized  messages
              from  the  mailserver  before  retrieving new messages. The size
              limit should be separately specified with  the  --limit  option.
              This option does not work with ETRN or ODMR.

   Protocol and Query Options
       -p <proto> | --proto <proto> | --protocol <proto>
              (Keyword: proto[col])
              Specify  the  protocol to use when communicating with the remote
              mailserver.  If no protocol is specified, the default  is  AUTO.
              proto may be one of the following:

              AUTO   Tries  IMAP,  POP3,  and  POP2 (skipping any of these for
                     which support has not been compiled in).

              POP2   Post Office Protocol 2 (legacy, to be removed from future

              POP3   Post Office Protocol 3

              APOP   Use POP3 with old-fashioned MD5-challenge authentication.
                     Considered not resistant to man-in-the-middle attacks.

              RPOP   Use POP3 with RPOP authentication.

              KPOP   Use POP3 with Kerberos V4 authentication on port 1109.

              SDPS   Use POP3 with Demon Internet's SDPS extensions.

              IMAP   IMAP2bis, IMAP4, or  IMAP4rev1  (fetchmail  automatically
                     detects their capabilities).

              ETRN   Use the ESMTP ETRN option.

              ODMR   Use the the On-Demand Mail Relay ESMTP profile.

       All  these  alternatives  work in basically the same way (communicating
       with standard server daemons to  fetch  mail  already  delivered  to  a
       mailbox  on the server) except ETRN and ODMR.  The ETRN mode allows you
       to ask a compliant ESMTP server (such as BSD sendmail at release  8.8.0
       or  higher) to immediately open a sender-SMTP connection to your client
       machine and begin forwarding any items addressed to your client machine
       in  the server's queue of undelivered mail.   The ODMR mode requires an
       ODMR-capable server and works similarly to ETRN, except  that  it  does
       not require the client machine to have a static DNS.

       -U | --uidl
              (Keyword: uidl)
              Force  UIDL  use  (effective only with POP3).  Force client-side
              tracking of 'newness' of messages (UIDL stands  for  "unique  ID
              listing" and is described in RFC1939).  Use with 'keep' to use a
              mailbox as a baby news drop for a group of users. The fact  that
              seen  messages  are  skipped  is logged, unless error logging is
              done through syslog while running in  daemon  mode.   Note  that
              fetchmail  may  automatically  enable  this  option depending on
              upstream server capabilities.  Note also that this option may be
              removed  and  forced  enabled in a future fetchmail version. See
              also: --idfile.

       --idle (since 6.3.3)
              (Keyword: idle, since before 6.0.0)
              Enable IDLE use (effective only with IMAP). Note that this works
              with  only  one  folder  at a given time.  While the idle rcfile
              keyword had been supported for a long time, the --idle  command-
              line  option  was  added  in  version 6.3.3. IDLE use means that
              fetchmail tells the IMAP server to send notice of new  messages,
              so  they  can  be  retrieved  sooner than would be possible with
              regular polls.

       -P <portnumber> | --service <servicename>
              (Keyword: service) Since version 6.3.0.
              The service option permits you to  specify  a  service  name  to
              connect to.  You can specify a decimal port number here, if your
              services database lacks the required  service-port  assignments.
              See  the  FAQ  item R12 and the --ssl documentation for details.
              This replaces the older --port option.

       --port <portnumber>
              (Keyword: port)
              Obsolete version of --service that does not take service  names.
              Note: this option may be removed from a future version.

       --principal <principal>
              (Keyword: principal)
              The  principal option permits you to specify a service principal
              for mutual authentication.  This is applicable to POP3  or  IMAP
              with Kerberos authentication.

       -t <seconds> | --timeout <seconds>
              (Keyword: timeout)
              The  timeout  option  allows  you  to  set  a server-nonresponse
              timeout in seconds.  If a mailserver does not  send  a  greeting
              message  or respond to commands for the given number of seconds,
              fetchmail will drop  the  connection  to  it.   Without  such  a
              timeout fetchmail might hang until the TCP connection times out,
              trying to fetch mail from a down host, which may be  very  long.
              This  would  be particularly annoying for a fetchmail running in
              the background.  There is a default timeout which  fetchmail  -V
              will  report.   If a given connection receives too many timeouts
              in succession,  fetchmail  will  consider  it  wedged  and  stop
              retrying.   The  calling  user will be notified by email if this

              Beginning with  fetchmail  6.3.10,  the  SMTP  client  uses  the
              recommended minimum timeouts from RFC-5321 while waiting for the
              SMTP/LMTP server it is talking to.  You can raise  the  timeouts
              even more, but you cannot shorten it. This is to avoid a painful
              situation where fetchmail  has  been  configured  with  a  short
              timeout  (a  minute or less), ships a long message (many MBytes)
              to the local MTA,  which  then  takes  longer  than  timeout  to
              respond "OK", which it eventually will; that would mean the mail
              gets delivered properly, but fetchmail cannot notice it and will
              thus refetch this big message over and over again.

       --plugin <command>
              (Keyword: plugin)
              The  plugin  option  allows  you  to  use an external program to
              establish the TCP connection.  This is useful if you want to use
              ssh,  or  need some special firewalling setup.  The program will
              be looked up in $PATH and can optionally be passed the  hostname
              and  port  as  arguments  using "%h" and "%p" respectively (note
              that the interpolation logic  is  rather  primitive,  and  these
              tokens  must  be bounded by whitespace or beginning of string or
              end of string).  Fetchmail will write to the plugin's stdin  and
              read from the plugin's stdout.

       --plugout <command>
              (Keyword: plugout)
              Identical  to  the plugin option above, but this one is used for
              the SMTP connections.

       -r <name> | --folder <name>
              (Keyword: folder[s])
              Causes a specified non-default mail folder on the mailserver (or
              comma-separated list of folders) to be retrieved.  The syntax of
              the  folder  name  is  server-dependent.   This  option  is  not
              available under POP3, ETRN, or ODMR.

              (Keyword: tracepolls)
              Tell  fetchmail  to  poll trace information in the form 'polling
              account %s' and 'folder %s' to the Received line  it  generates,
              where  the  %s parts are replaced by the user's remote name, the
              poll label,  and  the  folder  (mailbox)  where  available  (the
              Received  header also normally includes the server's true name).
              This can be used to  facilitate  mail  filtering  based  on  the
              account  it  is  being  received from. The folder information is
              written only since version 6.3.4.

       --ssl  (Keyword: ssl)
              Causes the connection to the mail server  to  be  encrypted  via
              SSL.   Connect  to  the server using the specified base protocol
              over  a  connection  secured  by  SSL.   This   option   defeats
              opportunistic  starttls negotiation. It is highly recommended to
              use --sslproto 'SSL3' --sslcertck to validate  the  certificates
              presented   by   the   server  and  defeat  the  obsolete  SSLv2
              negotiation. More information is  available  in  the  README.SSL
              file that ships with fetchmail.

              Note  that  fetchmail  may  still  try  to negotiate SSL through
              starttls even if  this  option  is  omitted.  You  can  use  the
              --sslproto  option  to defeat this behavior or tell fetchmail to
              negotiate a particular SSL protocol.

              If no port is specified, the connection is attempted to the well
              known  port  of  the  SSL version of the base protocol.  This is
              generally a different port  than  the  port  used  by  the  base
              protocol.  For IMAP, this is port 143 for the clear protocol and
              port 993 for the SSL secured protocol, for POP3, it is port  110
              for the clear text and port 995 for the encrypted variant.

              If   your   system   lacks   the   corresponding   entries  from
              /etc/services, see the --service option and specify the  numeric
              port  number as given in the previous paragraph (unless your ISP
              had directed you to different ports, which is uncommon however).

       --sslcert <name>
              (Keyword: sslcert)
              For certificate-based client authentication.  Some SSL encrypted
              servers  require  client  side   keys   and   certificates   for
              authentication.    In   most  cases,  this  is  optional.   This
              specifies the location of  the  public  key  certificate  to  be
              presented  to  the  server  at  the  time  the  SSL  session  is
              established.  It is not required (but may be  provided)  if  the
              server  does  not  require  it.   It may be the same file as the
              private key (combined key and certificate file) but this is  not
              recommended. Also see --sslkey below.

              NOTE: If you use client authentication, the user name is fetched
              from the certificate's CommonName and  overrides  the  name  set
              with --user.

       --sslkey <name>
              (Keyword: sslkey)
              Specifies  the  file  name  of  the client side private SSL key.
              Some  SSL  encrypted  servers  require  client  side  keys   and
              certificates   for  authentication.   In  most  cases,  this  is
              optional.  This specifies the location of the private  key  used
              to sign transactions with the server at the time the SSL session
              is established.  It is not required (but may be provided) if the
              server  does  not  require  it.  It  may be the same file as the
              public key (combined key and certificate file) but this  is  not

              If a password is required to unlock the key, it will be prompted
              for at the time just prior to establishing the  session  to  the
              server.  This can cause some complications in daemon mode.

              Also see --sslcert above.

       --sslproto <name>
              (Keyword: sslproto)
              Forces  an  SSL/TLS  protocol.  Possible  values are '', 'SSL2',
              'SSL23', (use of these two values is discouraged and should only
              be  used  as  a  last  resort)  'SSL3', and 'TLS1'.  The default
              behaviour if this option is unset is:  for  connections  without
              --ssl,  use  'TLS1'  that  fetchmail  will opportunistically try
              STARTTLS negotiation with TLS1. You can  configure  this  option
              explicitly  if the default handshake (TLS1 if --ssl is not used,
              does not work for your server.

              Use  this  option  with  'TLS1'  value  to  enforce  a  STARTTLS
              connection.  In  this mode, it is highly recommended to also use
              --sslcertck (see below).

              To  defeat  opportunistic  TLSv1  negotiation  when  the  server
              advertises  STARTTLS  or STLS, use ''.  This option, even if the
              argument is the empty string, will also suppress the  diagnostic
              'SERVER: opportunistic upgrade to TLS.' message in verbose mode.
              The  default  is  to  try  appropriate  protocols  depending  on

              (Keyword: sslcertck)
              Causes  fetchmail  to  strictly  check  the  server  certificate
              against a set of local trusted certificates (see the sslcertfile
              and  sslcertpath  options).  If the server certificate cannot be
              obtained or is not signed by one of the trusted  ones  (directly
              or  indirectly), the SSL connection will fail, regardless of the
              sslfingerprint option.

              Note that CRL (certificate revocation lists) are only  supported
              in  OpenSSL  0.9.7  and  newer! Your system clock should also be
              reasonably accurate when using this option.

              Note that this optional behavior may become default behavior  in
              future fetchmail versions.

       --sslcertfile <file>
              (Keyword: sslcertfile, since v6.3.17)
              Sets the file fetchmail uses to look up local certificates.  The
              default  is  empty.   This  can  be   given   in   addition   to
              --sslcertpath below, and certificates specified in --sslcertfile
              will be processed before those in --sslcertpath.  The option can
              be used in addition to --sslcertpath.

              The  file  is  a  text  file.  It  contains the concatenation of
              trusted CA certificates in PEM format.

              Note that using this option will suppress  loading  the  default
              SSL  trusted CA certificates file unless you set the environment
              variable FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS to a  non-empty

       --sslcertpath <directory>
              (Keyword: sslcertpath)
              Sets the directory fetchmail uses to look up local certificates.
              The default is your OpenSSL  default  directory.  The  directory
              must  be  hashed the way OpenSSL expects it - every time you add
              or modify a certificate in the directory, you need  to  use  the
              c_rehash   tool   (which   comes  with  OpenSSL  in  the  tools/
              subdirectory). Also, after OpenSSL upgrades, you may need to run
              c_rehash; particularly when upgrading from 0.9.X to 1.0.0.

              This  can be given in addition to --sslcertfile above, which see
              for precedence rules.

              Note that using this option will suppress adding the default SSL
              trusted CA certificates directory unless you set the environment
              variable FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS to a  non-empty

       --sslcommonname <common name>
              (Keyword: sslcommonname; since v6.3.9)
              Use  of this option is discouraged. Before using it, contact the
              administrator of your upstream server and ask for a  proper  SSL
              certificate  to be used. If that cannot be attained, this option
              can be used to specify  the  name  (CommonName)  that  fetchmail
              expects  on  the  server  certificate.   A  correctly configured
              server will have this  set  to  the  hostname  by  which  it  is
              reached,  and by default fetchmail will expect as much. Use this
              option when the CommonName is set to some other value, to  avoid
              the  "Server  CommonName  mismatch"  warning,  and  only  if the
              upstream server can't be made to use proper certificates.

       --sslfingerprint <fingerprint>
              (Keyword: sslfingerprint)
              Specify the fingerprint of the server key (an MD5  hash  of  the
              key)  in  hexadecimal  notation with colons separating groups of
              two digits. The letter hex digits must be in upper case. This is
              the  default  format OpenSSL uses, and the one fetchmail uses to
              report the fingerprint when an SSL  connection  is  established.
              When  this  is  specified, fetchmail will compare the server key
              fingerprint with the given one, and the connection will fail  if
              they  do  not  match  regardless  of  the sslcertck setting. The
              connection will also fail if  fetchmail  cannot  obtain  an  SSL
              certificate  from  the server.  This can be used to prevent man-
              in-the-middle attacks, but the  finger  print  from  the  server
              needs  to  be  obtained  or  verified over a secure channel, and
              certainly not over the same Internet connection  that  fetchmail
              would use.

              Using this option will prevent printing certificate verification
              errors as long as --sslcertck is unset.

              To obtain the fingerprint of a certificate stored  in  the  file
              cert.pem, try:

                   openssl x509 -in cert.pem -noout -md5 -fingerprint

              For details, see x509(1ssl).

   Delivery Control Options
       -S <hosts> | --smtphost <hosts>
              (Keyword: smtp[host])
              Specify  a  hunt  list  of hosts to forward mail to (one or more
              hostnames, comma-separated). Hosts are tried in list order;  the
              first  one  that  is  up  becomes  the forwarding target for the
              current run.  If this option is not  specified,  'localhost'  is
              used  as  the  default.   Each  hostname  may have a port number
              following the host name.  The port number is separated from  the
              host  name  by  a  slash;  the  default  port is "smtp".  If you
              specify an absolute path name (beginning with a /), it  will  be
              interpreted  as  the  name  of  a  UNIX  socket  accepting  LMTP
              connections (such as is supported  by  the  Cyrus  IMAP  daemon)

                   --smtphost server1,server2/2525,server3,/var/imap/socket/lmtp

              This  option  can  be  used with ODMR, and will make fetchmail a
              relay between the ODMR server and SMTP or LMTP receiver.

       --fetchdomains <hosts>
              (Keyword: fetchdomains)
              In ETRN or ODMR mode, this option specifies the list of  domains
              the  server  should  ship mail for once the connection is turned
              around.   The  default  is  the  FQDN  of  the  machine  running

       -D <domain> | --smtpaddress <domain>
              (Keyword: smtpaddress)
              Specify  the domain to be appended to addresses in RCPT TO lines
              shipped to SMTP. When this is not specified,  the  name  of  the
              SMTP  server  (as specified by --smtphost) is used for SMTP/LMTP
              and 'localhost' is used for UNIX socket/BSMTP.

       --smtpname <user@domain>
              (Keyword: smtpname)
              Specify the domain and user to be put in RCPT TO  lines  shipped
              to SMTP.  The default user is the current local user.

       -Z <nnn> | --antispam <nnn[, nnn]...>
              (Keyword: antispam)
              Specifies  the  list  of  numeric  SMTP  errors  that  are to be
              interpreted as a spam-block response from the listener.  A value
              of  -1  disables  this option.  For the command-line option, the
              list values should be comma-separated.

       -m <command> | --mda <command>
              (Keyword: mda)
              This option lets fetchmail use a Message or Local Delivery Agent
              (MDA or LDA) directly, rather than forward via SMTP or LMTP.

              To  avoid  losing  mail,  use  this  option  only with MDAs like
              maildrop or MTAs like sendmail that exit with a  nonzero  status
              on disk-full and other delivery errors; the nonzero status tells
              fetchmail that delivery failed and  prevents  the  message  from
              being deleted on the server.

              If  fetchmail  is  running  as  root,  it sets its user id while
              delivering  mail  through  an  MDA  as  follows:    First,   the
              FETCHMAILUSER,  LOGNAME,  and  USER  environment  variables  are
              checked in this order. The value of the first variable from  his
              list  that is defined (even if it is empty!) is looked up in the
              system user database. If  none  of  the  variables  is  defined,
              fetchmail  will use the real user id it was started with. If one
              of the variables was defined, but the user  stated  there  isn't
              found,  fetchmail  continues  running  as root, without checking
              remaining variables on the list.  Practically, this  means  that
              if  you  run  fetchmail  as  root  (not recommended), it is most
              useful to define the FETCHMAILUSER environment variable  to  set
              the  user  that  the  MDA  should  run  as.  Some  MDAs (such as
              maildrop) are designed to be  setuid  root  and  setuid  to  the
              recipient's  user  id,  so you don't lose functionality this way
              even when running fetchmail as  unprivileged  user.   Check  the
              MDA's manual for details.

              Some  possible  MDAs  are  "/usr/sbin/sendmail  -i  -f %F -- %T"
              (Note: some several older or vendor sendmail versions mistake --
              for  an address, rather than an indicator to mark the end of the
              option arguments), "/usr/bin/deliver" and "/usr/bin/maildrop  -d
              %T".   Local  delivery  addresses  will be inserted into the MDA
              command wherever you place a %T; the mail message's From address
              will be inserted where you place an %F.

              Do  NOT  enclose the %F or %T string in single quotes!  For both
              %T and %F, fetchmail encloses the  addresses  in  single  quotes
              ('),  after  removing any single quotes they may contain, before
              the MDA command is passed to the shell.

              Do NOT use an MDA invocation that dispatches on the contents  of
              To/Cc/Bcc,  like  "sendmail  -i  -t"  or "qmail-inject", it will
              create mail loops and bring the just wrath of  many  postmasters
              down  upon  your  head.   This  is  one  of  the  most  frequent
              configuration errors!

              Also, do not try to combine multidrop mode with an MDA  such  as
              maildrop  that can only accept one address, unless your upstream
              stores one copy of the message per recipient and transports  the
              envelope recipient in a header; you will lose mail.

              The  well-known  procmail(1)  package  is very hard to configure
              properly, it has a very nasty "fall through to  the  next  rule"
              behavior on delivery errors (even temporary ones, such as out of
              disk space if another user's  mail  daemon  copies  the  mailbox
              around  to  purge old messages), so your mail will end up in the
              wrong mailbox sooner or later. The proper procmail configuration
              is  outside  the  scope  of  this document. Using maildrop(1) is
              usually much easier, and many users find the filter syntax  used
              by maildrop easier to understand.

              Finally,  we  strongly  advise that you do not use qmail-inject.
              The command line interface  is  non-standard  without  providing
              benefits  for  typical  use,  and fetchmail makes no attempts to
              accommodate qmail-inject's deviations from the standard. Some of
              qmail-inject's command-line and environment options are actually
              dangerous and can cause broken threads,  non-detected  duplicate
              messages and forwarding loops.

       --lmtp (Keyword: lmtp)
              Cause  delivery  via  LMTP  (Local  Mail  Transfer Protocol).  A
              service host and port must be explicitly specified on each  host
              in  the  smtphost  hunt  list  (see  above)  if  this  option is
              selected; the default port 25 will (in accordance with RFC 2033)
              not be accepted.

       --bsmtp <filename>
              (Keyword: bsmtp)
              Append  fetched  mail to a BSMTP file.  This simply contains the
              SMTP commands that would normally be generated by fetchmail when
              passing mail to an SMTP listener daemon.

              An  argument  of  '-'  causes  the  SMTP  batch to be written to
              standard output, which is of limited use: this only makes  sense
              for   debugging,   because   fetchmail's   regular   output   is
              interspersed on the same channel, so  this  isn't  suitable  for
              mail  delivery.  This  special  mode  may  be removed in a later

              Note that fetchmail's reconstruction of MAIL FROM  and  RCPT  TO
              lines is not guaranteed correct; the caveats discussed under THE
              USE AND ABUSE OF MULTIDROP MAILBOXES below apply.  This mode has
              precedence before --mda and SMTP/LMTP.

       --bad-header {reject|accept}
              (Keyword: bad-header; since v6.3.15)
              Specify  how  fetchmail  is  supposed to treat messages with bad
              headers, i. e. headers with bad syntax. Traditionally, fetchmail
              has  rejected  such  messages,  but  some  distributors modified
              fetchmail to accept them.  You  can  now  configure  fetchmail's
              behaviour per server.

   Resource Limit Control Options
       -l <maxbytes> | --limit <maxbytes>
              (Keyword: limit)
              Takes  a maximum octet size argument, where 0 is the default and
              also the special value  designating  "no  limit".   If  nonzero,
              messages  larger  than this size will not be fetched and will be
              left  on  the  server  (in  foreground  sessions,  the  progress
              messages  will  note  that  they are "oversized").  If the fetch
              protocol permits (in particular, under IMAP or POP3 without  the
              fetchall option) the message will not be marked seen.

              An  explicit  --limit  of 0 overrides any limits set in your run
              control file. This option  is  intended  for  those  needing  to
              strictly  control fetch time due to expensive and variable phone

              Combined with --limitflush, it can be used to  delete  oversized
              messages   waiting  on  a  server.   In  daemon  mode,  oversize
              notifications are mailed to the calling user (see the --warnings
              option). This option does not work with ETRN or ODMR.

       -w <interval> | --warnings <interval>
              (Keyword: warnings)
              Takes  an  interval  in seconds.  When you call fetchmail with a
              'limit' option in daemon mode, this  controls  the  interval  at
              which  warnings  about  oversized  messages  are  mailed  to the
              calling user (or the user specified by the 'postmaster' option).
              One  such  notification  is  always mailed at the end of the the
              first poll that the oversized message is detected.   Thereafter,
              re-notification  is  suppressed until after the warning interval
              elapses (it will take place at the end of  the  first  following

       -b <count> | --batchlimit <count>
              (Keyword: batchlimit)
              Specify  the  maximum number of messages that will be shipped to
              an SMTP listener before the connection is deliberately torn down
              and  rebuilt  (defaults  to  0,  meaning no limit).  An explicit
              --batchlimit of 0 overrides any limits set in your  run  control
              file.   While  sendmail(8)  normally  initiates  delivery  of  a
              message immediately after receiving the message terminator, some
              SMTP  listeners  are not so prompt.  MTAs like smail(8) may wait
              till the delivery socket is shut  down  to  deliver.   This  may
              produce  annoying delays when fetchmail is processing very large
              batches.  Setting the batch limit  to  some  nonzero  size  will
              prevent  these  delays.   This option does not work with ETRN or

       -B <number> | --fetchlimit <number>
              (Keyword: fetchlimit)
              Limit the number of messages accepted from a given server  in  a
              single  poll.   By  default  there  is  no  limit.  An  explicit
              --fetchlimit of 0 overrides any limits set in your  run  control
              file.  This option does not work with ETRN or ODMR.

       --fetchsizelimit <number>
              (Keyword: fetchsizelimit)
              Limit  the  number  of  sizes  of messages accepted from a given
              server in a  single  transaction.   This  option  is  useful  in
              reducing  the delay in downloading the first mail when there are
              too many mails in the mailbox.  By default, the  limit  is  100.
              If  set to 0, sizes of all messages are downloaded at the start.
              This option does not work with ETRN or ODMR.  For POP3, the only
              valid non-zero value is 1.

       --fastuidl <number>
              (Keyword: fastuidl)
              Do  a  binary instead of linear search for the first unseen UID.
              Binary search avoids downloading the UIDs  of  all  mails.  This
              saves  time  (especially  in  daemon mode) where downloading the
              same set of UIDs in each poll  is  a  waste  of  bandwidth.  The
              number  'n' indicates how rarely a linear search should be done.
              In daemon mode, linear search is used once  followed  by  binary
              searches  in 'n-1' polls if 'n' is greater than 1; binary search
              is always used if 'n' is 1; linear search is always used if  'n'
              is  0.  In  non-daemon  mode, binary search is used if 'n' is 1;
              otherwise linear search is used. The default value of 'n' is  4.
              This option works with POP3 only.

       -e <count> | --expunge <count>
              (Keyword: expunge)
              Arrange  for  deletions to be made final after a given number of
              messages.  Under POP2 or POP3, fetchmail cannot  make  deletions
              final  without  sending QUIT and ending the session -- with this
              option on, fetchmail will break a long  mail  retrieval  session
              into multiple sub-sessions, sending QUIT after each sub-session.
              This is a good defense  against  line  drops  on  POP3  servers.
              Under  IMAP,  fetchmail normally issues an EXPUNGE command after
              each deletion  in  order  to  force  the  deletion  to  be  done
              immediately.   This is safest when your connection to the server
              is flaky and expensive, as it avoids  resending  duplicate  mail
              after  a  line hit.  However, on large mailboxes the overhead of
              re-indexing after every message can slam the server pretty hard,
              so if your connection is reliable it is good to do expunges less
              frequently.  Also note that some servers enforce a  delay  of  a
              few seconds after each quit, so fetchmail may not be able to get
              back in immediately after an expunge -- you may see "lock  busy"
              errors if this happens. If you specify this option to an integer
              N, it tells fetchmail  to  only  issue  expunges  on  every  Nth
              delete.  An argument of zero suppresses expunges entirely (so no
              expunges at all will be done until the end of run).  This option
              does not work with ETRN or ODMR.

   Authentication Options
       -u <name> | --user <name> | --username <name>
              (Keyword: user[name])
              Specifies  the user identification to be used when logging in to
              the mailserver.  The appropriate  user  identification  is  both
              server  and  user-dependent.   The default is your login name on
              the  client  machine  that  is  running  fetchmail.   See   USER
              AUTHENTICATION below for a complete description.

       -I <specification> | --interface <specification>
              (Keyword: interface)
              Require  that  a  specific  interface  device  be  up and have a
              specific local or remote IPv4 (IPv6 is  not  supported  by  this
              option  yet)  address  (or  range)  before  polling.  Frequently
              fetchmail is used over a transient  point-to-point  TCP/IP  link
              established directly to a mailserver via SLIP or PPP.  That is a
              relatively secure channel.  But when other TCP/IP routes to  the
              mailserver  exist  (e.g.  when  the  link  is  connected  to  an
              alternate ISP), your username and password may be vulnerable  to
              snooping  (especially  when  daemon mode automatically polls for
              mail, shipping a clear password  over  the  net  at  predictable
              intervals).  The --interface option may be used to prevent this.
              When the specified link is not up  or  is  not  connected  to  a
              matching IP address, polling will be skipped.  The format is:


              The  field  before  the  first slash is the interface name (i.e.
              sl0, ppp0 etc.).  The field  before  the  second  slash  is  the
              acceptable  IP  address.   The field after the second slash is a
              mask which specifies a range of IP addresses to accept.   If  no
              mask  is  present  is  assumed  (i.e.  an exact
              match).  This option is currently only supported under Linux and
              FreeBSD.  Please  see  the monitor section for below for FreeBSD
              specific information.

              Note that this option may be removed  from  a  future  fetchmail

       -M <interface> | --monitor <interface>
              (Keyword: monitor)
              Daemon  mode  can  cause transient links which are automatically
              taken down after a period of  inactivity  (e.g.  PPP  links)  to
              remain  up indefinitely.  This option identifies a system TCP/IP
              interface  to  be  monitored  for  activity.   After  each  poll
              interval,  if  the link is up but no other activity has occurred
              on the link, then the  poll  will  be  skipped.   However,  when
              fetchmail  is woken up by a signal, the monitor check is skipped
              and the poll  goes  through  unconditionally.   This  option  is
              currently  only  supported  under  Linux  and  FreeBSD.  For the
              monitor and interface options to work for non root  users  under
              FreeBSD, the fetchmail binary must be installed SGID kmem.  This
              would be a security hole, but fetchmail runs with the  effective
              GID  set  to  that of the kmem group only when interface data is
              being collected.

              Note that this option may be removed  from  a  future  fetchmail

       --auth <type>
              (Keyword: auth[enticate])
              This  option  permits you to specify an authentication type (see
              USER AUTHENTICATION below for details).  The possible values are
              any,  password,  kerberos_v5,  kerberos  (or,  for  excruciating
              exactness, kerberos_v4), gssapi, cram-md5, otp, ntlm, msn  (only
              for POP3), external (only IMAP) and ssh.  When any (the default)
              is specified, fetchmail tries first methods that don't require a
              password  (EXTERNAL,  GSSAPI,  KERBEROS IV, KERBEROS 5); then it
              looks for methods that mask your  password  (CRAM-MD5,  X-OTP  -
              note  that  NTLM  and MSN are not autoprobed for POP3 and MSN is
              only supported for POP3); and only if the server doesn't support
              any  of those will it ship your password en clair.  Other values
              may  be  used  to  force  various  authentication  methods  (ssh
              suppresses  authentication and is thus useful for IMAP PREAUTH).
              (external suppresses authentication and is thus useful for  IMAP
              EXTERNAL).   Any  value other than password, cram-md5, ntlm, msn
              or otp suppresses fetchmail's normal  inquiry  for  a  password.
              Specify  ssh  when you are using an end-to-end secure connection
              such as an ssh tunnel; specify external when you  use  TLS  with
              client  authentication  and specify gssapi or kerberos_v4 if you
              are  using  a  protocol  variant  that  employs  GSSAPI  or  K4.
              Choosing    KPOP   protocol   automatically   selects   Kerberos
              authentication.  This option does not work with ETRN.

   Miscellaneous Options
       -f <pathname> | --fetchmailrc <pathname>
              Specify a non-default name for the  ~/.fetchmailrc  run  control
              file.   The pathname argument must be either "-" (a single dash,
              meaning to read the configuration  from  standard  input)  or  a
              filename.   Unless the --version option is also on, a named file
              argument  must  have  permissions  no  more   open   than   0700
              (u=rwx,g=,o=) or else be /dev/null.

       -i <pathname> | --idfile <pathname>
              (Keyword: idfile)
              Specify  an  alternate  name for the .fetchids file used to save
              message UIDs. NOTE: since fetchmail 6.3.0, write access  to  the
              directory containing the idfile is required, as fetchmail writes
              a temporary file and renames it  into  the  place  of  the  real
              idfile only if the temporary file has been written successfully.
              This avoids the truncation of idfiles when running out  of  disk

       --pidfile <pathname>
              (Keyword: pidfile; since fetchmail v6.3.4)
              Override  the  default  location  of  the PID file. Default: see
              "ENVIRONMENT" below.

       -n | --norewrite
              (Keyword: no rewrite)
              Normally, fetchmail edits RFC-822 address headers (To, From, Cc,
              Bcc, and Reply-To) in fetched mail so that any mail IDs local to
              the server are expanded to full addresses (@ and the  mailserver
              hostname  are  appended).  This enables replies on the client to
              get addressed correctly (otherwise your mailer might think  they
              should  be  addressed  to  local  users on the client machine!).
              This option disables the rewrite.  (This option is  provided  to
              pacify  people  who  are  paranoid about having an MTA edit mail
              headers and want  to  know  they  can  prevent  it,  but  it  is
              generally  not  a good idea to actually turn off rewrite.)  When
              using ETRN or ODMR, the rewrite option is ineffective.

       -E <line> | --envelope <line>
              (Keyword: envelope; Multidrop only)
              In the configuration file, an enhanced syntax is used:
              envelope [<count>] <line>

              This option changes the header fetchmail assumes  will  carry  a
              copy   of   the  mail's  envelope  address.   Normally  this  is
              'X-Envelope-To'.   Other  typically  found  headers   to   carry
              envelope  information  are  'X-Original-To'  and 'Delivered-To'.
              Now, since these headers are not standardized, practice  varies.
              See  the  discussion  of multidrop address handling below.  As a
              special case, 'envelope "Received"' enables parsing of sendmail-
              style  Received  lines.   This  is  the default, but discouraged
              because it is not fully reliable.

              Note that  fetchmail  expects  the  Received-line  to  be  in  a
              specific  format:  It  must contain "by host for address", where
              host must match one  of  the  mailserver  names  that  fetchmail
              recognizes for the account in question.

              The optional count argument (only available in the configuration
              file) determines how many header lines of this kind are skipped.
              A  count of 1 means: skip the first, take the second. A count of
              2 means: skip the first and second, take the third, and so on.

       -Q <prefix> | --qvirtual <prefix>
              (Keyword: qvirtual; Multidrop only)
              The string prefix assigned to this option will be  removed  from
              the  user  name  found in the header specified with the envelope
              option (before  doing  multidrop  name  mapping  or  localdomain
              checking, if either is applicable). This option is useful if you
              are using fetchmail to collect the mail for an entire domain and
              your  ISP  (or  your  mail redirection provider) is using qmail.
              One of the basic features of qmail is the Delivered-To:  message
              header.  Whenever qmail delivers a message to a local mailbox it
              puts the username and hostname of the envelope recipient on this
              line.   The  major reason for this is to prevent mail loops.  To
              set up qmail to batch mail for  a  disconnected  site  the  ISP-
              mailhost  will have normally put that site in its 'Virtualhosts'
              control file so it will add a prefix to all mail  addresses  for
              this     site.     This     results     in    mail    sent    to
              '' having a Delivered-To:  line
              of the form:


       The  ISP can make the 'mbox-userstr-' prefix anything they choose but a
       string matching the user host name is  likely.   By  using  the  option
       'envelope  Delivered-To:'  you can make fetchmail reliably identify the
       original envelope recipient, but you have to strip the  'mbox-userstr-'
       prefix  to  deliver  to  the correct user.  This is what this option is

              Parse  the  ~/.fetchmailrc  file,  interpret  any   command-line
              options  specified,  and dump a configuration report to standard
              output.  The configuration report is a data structure assignment
              in the language Python.  This option is meant to be used with an
              interactive ~/.fetchmailrc editor like fetchmailconf, written in

   Removed Options
       -T | --netsec
              Removed before version 6.3.0, the required underlying inet6_apps
              library had been discontinued and is no longer available.


       All modes except ETRN require  authentication  of  the  client  to  the
       server.   Normal user authentication in fetchmail is very much like the
       authentication mechanism of ftp(1).  The correct user-id  and  password
       depend upon the underlying security system at the mailserver.

       If  the mailserver is a Unix machine on which you have an ordinary user
       account, your regular login name and password are used with  fetchmail.
       If  you  use  the  same  login  name  on both the server and the client
       machines, you needn't worry about specifying  a  user-id  with  the  -u
       option  -- the default behavior is to use your login name on the client
       machine as the user-id on the server machine.  If you use  a  different
       login  name  on the server machine, specify that login name with the -u
       option.  e.g. if your  login  name  is  'jsmith'  on  a  machine  named
       'mailgrunt', you would start fetchmail as follows:

              fetchmail -u jsmith mailgrunt

       The  default behavior of fetchmail is to prompt you for your mailserver
       password before the connection is established.  This is the safest  way
       to   use   fetchmail  and  ensures  that  your  password  will  not  be
       compromised.  You may also specify your password in your ~/.fetchmailrc
       file.   This  is convenient when using fetchmail in daemon mode or with

   Using netrc files
       If you do not specify a password, and fetchmail cannot extract one from
       your ~/.fetchmailrc file, it will look for a ~/.netrc file in your home
       directory before requesting one interactively; if an entry matching the
       mailserver is found in that file, the password will be used.  Fetchmail
       first looks for a match on poll name; if it finds none, it checks for a
       match  on  via name.  See the ftp(1) man page for details of the syntax
       of the ~/.netrc file.  To show a practical example, a .netrc might look
       like this:

              login joe
              password topsecret

       You  can  repeat this block with different user information if you need
       to provide more than one password.

       This feature may allow you to avoid duplicating password information in
       more than one file.

       On mailservers that do not provide ordinary user accounts, your user-id
       and password are usually assigned by the server administrator when  you
       apply  for  a mailbox on the server.  Contact your server administrator
       if you don't know the correct user-id and  password  for  your  mailbox


       Early  versions  of  POP3  (RFC1081, RFC1225) supported a crude form of
       independent authentication using the .rhosts  file  on  the  mailserver
       side.   Under  this  RPOP  variant, a fixed per-user ID equivalent to a
       password was sent in clear over a link to a  reserved  port,  with  the
       command  RPOP  rather  than  PASS to alert the server that it should do
       special checking.  RPOP is supported  by  fetchmail  (you  can  specify
       'protocol RPOP' to have the program send 'RPOP' rather than 'PASS') but
       its use is strongly discouraged, and support will  be  removed  from  a
       future fetchmail version.  This facility was vulnerable to spoofing and
       was withdrawn in RFC1460.

       RFC1460 introduced APOP authentication.  In this variant of  POP3,  you
       register  an  APOP  password  on your server host (on some servers, the
       program to do this is called popauth(8)).  You put the same password in
       your ~/.fetchmailrc file.  Each time fetchmail logs in, it sends an MD5
       hash of your password and the server greeting time to the server, which
       can verify it by checking its authorization database.

       Note  that  APOP  is no longer considered resistant against man-in-the-
       middle attacks.

   RETR or TOP
       fetchmail makes some efforts to make the server  believe  messages  had
       not  been  retrieved,  by  using the TOP command with a large number of
       lines when possible.  TOP is a command that retrieves the  full  header
       and  a  fetchmail-specified  amount  of  body lines. It is optional and
       therefore not implemented  by  all  servers,  and  some  are  known  to
       implement  it  improperly.  On  many  servers however, the RETR command
       which retrieves the full message with header and body, sets the  "seen"
       flag  (for  instance, in a web interface), whereas the TOP command does
       not do that.

       fetchmail will always use  the  RETR  command  if  "fetchall"  is  set.
       fetchmail will also use the RETR command if "keep" is set and "uidl" is
       unset.  Finally, fetchmail will use the  RETR  command  on  Maillennium
       POP3/PROXY  servers  (used  by  Comcast)  to  avoid  a  deliberate  TOP
       misinterpretation in this server that causes message corruption.

       In all other cases, fetchmail will use the TOP  command.  This  implies
       that in "keep" setups, "uidl" must be set if "TOP" is desired.

       Note  that  this  description  is  true  for  the  current  version  of
       fetchmail,  but  the  behavior  may  change  in  future  versions.   In
       particular,  fetchmail  may  prefer  the  RETR  command because the TOP
       command causes much grief on some servers and is only optional.


       If your fetchmail was built  with  Kerberos  support  and  you  specify
       Kerberos  authentication (either with --auth or the .fetchmailrc option
       authenticate kerberos_v4) it will try to get a Kerberos ticket from the
       mailserver at the start of each query.  Note: if either the pollname or
       via name is 'hesiod', fetchmail will try to use Hesiod to look  up  the

       If  you  use  POP3  or  IMAP with GSSAPI authentication, fetchmail will
       expect  the  server  to  have  RFC1731-  or  RFC1734-conforming  GSSAPI
       capability,  and will use it.  Currently this has only been tested over
       Kerberos V, so  you're  expected  to  already  have  a  ticket-granting
       ticket.  You  may  pass  a  username different from your principal name
       using the standard --user command or by the .fetchmailrc option user.

       If your IMAP daemon returns the PREAUTH response in its greeting  line,
       fetchmail  will  notice  this  and skip the normal authentication step.
       This can be useful, e.g. if you start imapd explicitly using  ssh.   In
       this  case  you can declare the authentication value 'ssh' on that site
       entry to stop .fetchmail from asking you for a password when it  starts

       If you use client authentication with TLS1 and your IMAP daemon returns
       the AUTH=EXTERNAL response, fetchmail will notice this and will use the
       authentication  shortcut and will not send the passphrase. In this case
       you can declare the authentication value 'external'
        on that site to stop fetchmail from asking you for a password when  it
       starts up.

       If  you  are  using  POP3,  and  the  server issues a one-time-password
       challenge conforming to RFC1938, fetchmail will use your password as  a
       pass  phrase  to  generate  the  required response. This avoids sending
       secrets over the net unencrypted.

       Compuserve's RPA authentication is supported. If  you  compile  in  the
       support,   fetchmail   will   try   to   perform   an  RPA  pass-phrase
       authentication instead of sending over the  password  en  clair  if  it
       detects "" in the hostname.

       If  you  are  using  IMAP,  Microsoft's  NTLM  authentication  (used by
       Microsoft Exchange) is  supported.  If  you  compile  in  the  support,
       fetchmail  will  try  to  perform  an  NTLM  authentication (instead of
       sending over  the  password  en  clair)  whenever  the  server  returns
       AUTH=NTLM  in its capability response. Specify a user option value that
       looks like 'user@domain': the part to the left of the @ will be  passed
       as the username and the part to the right as the NTLM domain.

   Secure Socket Layers (SSL) and Transport Layer Security (TLS)
       Note  that  fetchmail  currently  uses  the  OpenSSL  library, which is
       severely underdocumented,  so  failures  may  occur  just  because  the
       programmers  are  not  aware  of OpenSSL's requirement of the day.  For
       instance, since v6.3.16, fetchmail calls  OpenSSL_add_all_algorithms(),
       which is necessary to support certificates with SHA256 on OpenSSL 0.9.8
       -- this information is deeply hidden in the documentation  and  not  at
       all obvious.  Please do not hesitate to report subtle SSL failures.

       You  can  access SSL encrypted services by specifying the --ssl option.
       You can also do this using the "ssl" user option  in  the  .fetchmailrc
       file.  With  SSL  encryption  enabled,  queries  are  initiated  over a
       connection after negotiating an SSL session, and the  connection  fails
       if  SSL  cannot  be  negotiated.  Some services, such as POP3 and IMAP,
       have different well known ports defined for the SSL encrypted services.
       The  encrypted ports will be selected automatically when SSL is enabled
       and no explicit port is specified. The --sslproto 'SSL3' option  should
       be  used  to  select  the  SSLv3 protocol (default if unset: v2 or v3).
       Also, the --sslcertck command line or sslcertck run control file option
       should be used to force strict certificate checking - see below.

       If  SSL is not configured, fetchmail will usually opportunistically try
       to use STARTTLS. STARTTLS can be enforced by using  --sslproto  "TLS1".
       TLS  connections  use  the  same port as the unencrypted version of the
       protocol and negotiate TLS via special command. The --sslcertck command
       line  or  sslcertck  run  control  file  option should be used to force
       strict certificate checking - see below.

       --sslcertck is recommended: When connecting to an SSL or TLS  encrypted
       server, the server presents a certificate to the client for validation.
       The certificate is checked to  verify  that  the  common  name  in  the
       certificate matches the name of the server being contacted and that the
       effective and expiration dates in the certificate indicate that  it  is
       currently  valid.   If  any  of these checks fail, a warning message is
       printed, but the connection continues.  The server certificate does not
       need  to  be  signed  by any specific Certifying Authority and may be a
       "self-signed" certificate. If the --sslcertck command  line  option  or
       sslcertck run control file option is used, fetchmail will instead abort
       if any of these checks fail, because it must assume  that  there  is  a
       man-in-the-middle  attack  in  this  scenario, hence fetchmail must not
       expose cleartest passwords. Use of the sslcertck or --sslcertck  option
       is therefore advised.

       Some  SSL  encrypted  servers may request a client side certificate.  A
       client  side  public  SSL  certificate  and  private  SSL  key  may  be
       specified.   If requested by the server, the client certificate is sent
       to the server for validation.  Some servers may require a valid  client
       certificate and may refuse connections if a certificate is not provided
       or if the certificate is not valid.  Some servers  may  require  client
       side  certificates be signed by a recognized Certifying Authority.  The
       format for the key files and the certificate files is that required  by
       the underlying SSL libraries (OpenSSL in the general case).

       A  word  of care about the use of SSL: While above mentioned setup with
       self-signed server certificates retrieved over the  wires  can  protect
       you  from  a  passive  eavesdropper,  it doesn't help against an active
       attacker. It's clearly an improvement over  sending  the  passwords  in
       clear,  but  you  should  be  aware  that a man-in-the-middle attack is
       trivially  possible  (in  particular  with   tools   such   as   dsniff
       <>,  ).   Use  of  strict certificate
       checking with  a  certification  authority  recognized  by  server  and
       client,  or  perhaps  of an SSH tunnel (see below for some examples) is
       preferable if you care seriously about the security of your mailbox and

       fetchmail  also  supports  authentication  to  the  ESMTP server on the
       client side according to RFC 2554.  You  can  specify  a  name/password
       pair  to be used with the keywords 'esmtpname' and 'esmtppassword'; the
       former defaults to the username of the calling user.


   Introducing the daemon mode
       In daemon mode, fetchmail puts itself  into  the  background  and  runs
       forever,  querying  each  specified  host and then sleeping for a given
       polling interval.

   Starting the daemon mode
       There are several ways to make fetchmail work in daemon  mode.  On  the
       command   line,   --daemon <interval>   or  -d <interval>  option  runs
       fetchmail in daemon mode.  You must specify a numeric argument which is
       a  polling  interval  (time to wait after completing a whole poll cycle
       with the last server and before starting the next poll cycle  with  the
       first server) in seconds.

       Example: simply invoking

              fetchmail -d 900

       will,  therefore,  poll  all the hosts described in your ~/.fetchmailrc
       file (except those explicitly excluded with the 'skip' verb) a bit less
       often  than  once every 15 minutes (exactly: 15 minutes + time that the
       poll takes).

       It is also possible to set a polling interval  in  your  ~/.fetchmailrc
       file  by saying 'set daemon <interval>', where <interval> is an integer
       number of seconds.  If you do this,  fetchmail  will  always  start  in
       daemon  mode  unless  you  override  it  with  the  command-line option
       --daemon 0 or -d0.

       Only one  daemon  process  is  permitted  per  user;  in  daemon  mode,
       fetchmail  sets  up  a  per-user  lockfile to guarantee this.  (You can
       however  cheat  and  set  the  FETCHMAILHOME  environment  variable  to
       overcome  this  setting, but in that case, it is your responsibility to
       make sure you aren't polling the same server with two processes at  the
       same time.)

   Awakening the background daemon
       Normally,  calling  fetchmail  with  a daemon in the background sends a
       wake-up signal to the daemon and quits without output.  The  background
       daemon  then  starts  its  next  poll  cycle  immediately.  The wake-up
       signal, SIGUSR1, can also be sent manually.  The  wake-up  action  also
       clears  any  'wedged' flags indicating that connections have wedged due
       to failed authentication or multiple timeouts.

   Terminating the background daemon
       The option --quit will kill a running daemon process instead of  waking
       it up (if there is no such process, fetchmail will notify you).  If the
       --quit option appears last on the command line, fetchmail will kill the
       running  daemon  process and then quit. Otherwise, fetchmail will first
       kill a running daemon process and then continue running with the  other

   Useful options for daemon mode
       The -L <filename> or --logfile <filename> option (keyword: set logfile)
       is only effective when fetchmail is detached and in daemon  mode.  Note
       that  the  logfile  must exist before fetchmail is run, you can use the
       touch(1) command with the filename as its sole argument to create it.
       This option allows you to redirect status  messages  into  a  specified
       logfile  (follow  the  option  with  the logfile name).  The logfile is
       opened for append,  so  previous  messages  aren't  deleted.   This  is
       primarily useful for debugging configurations. Note that fetchmail does
       not detect if the logfile is rotated, the logfile is only  opened  once
       when fetchmail starts. You need to restart fetchmail after rotating the
       logfile and before compressing it (if applicable).

       The --syslog option (keyword: set syslog) allows you to redirect status
       and error messages emitted to the syslog(3) system daemon if available.
       Messages are logged with an id of fetchmail, the facility LOG_MAIL, and
       priorities LOG_ERR, LOG_ALERT or LOG_INFO.  This option is intended for
       logging status and error messages which  indicate  the  status  of  the
       daemon  and  the results while fetching mail from the server(s).  Error
       messages for command line options and parsing the .fetchmailrc file are
       still  written to stderr, or to the specified log file.  The --nosyslog
       option turns off use of syslog(3),  assuming  it's  turned  on  in  the
       ~/.fetchmailrc file.

       The  -N or --nodetach option suppresses backgrounding and detachment of
       the daemon process from its  control  terminal.   This  is  useful  for
       debugging  or  when fetchmail runs as the child of a supervisor process
       such as init(8) or Gerrit Pape's runit(8).  Note that this also  causes
       the logfile option to be ignored (though perhaps it shouldn't).

       Note  that  while  running  in  daemon  mode polling a POP2 or IMAP2bis
       server, transient errors (such as DNS  failures  or  sendmail  delivery
       refusals) may force the fetchall option on for the duration of the next
       polling cycle.  This is a robustness  feature.   It  means  that  if  a
       message  is  fetched  (and  thus marked seen by the mailserver) but not
       delivered locally due to some transient error, it  will  be  re-fetched
       during  the  next  poll cycle.  (The IMAP logic doesn't delete messages
       until they're delivered, so this problem does not arise.)

       If you touch or change  the  ~/.fetchmailrc  file  while  fetchmail  is
       running  in  daemon mode, this will be detected at the beginning of the
       next poll cycle.  When a changed ~/.fetchmailrc is detected,  fetchmail
       rereads   it  and  restarts  from  scratch  (using  exec(2);  no  state
       information is retained in the new instance).  Note that  if  fetchmail
       needs  to  query for passwords, of that if you break the ~/.fetchmailrc
       file's syntax, the new instance will softly and silently vanish away on


       The  --postmaster <name> option (keyword: set postmaster) specifies the
       last-resort username to which multidrop mail is to be forwarded  if  no
       matching  local  recipient can be found. It is also used as destination
       of undeliverable mail if the 'bouncemail'  global  option  is  off  and
       additionally for spam-blocked mail if the 'bouncemail' global option is
       off and the 'spambounce' global option is on. This option  defaults  to
       the user who invoked fetchmail.  If the invoking user is root, then the
       default of this option is the user 'postmaster'.  Setting postmaster to
       the  empty string causes such mail as described above to be discarded -
       this however is usually a bad idea.  See also the  description  of  the
       'FETCHMAILUSER'  environment variable in the ENVIRONMENT section below.

       The --nobounce behaves like the  "set  no  bouncemail"  global  option,
       which see.

       The --invisible option (keyword: set invisible) tries to make fetchmail
       invisible.  Normally, fetchmail behaves like any other MTA would --  it
       generates  a  Received header into each message describing its place in
       the chain of transmission, and tells the MTA it forwards  to  that  the
       mail  came  from  the  machine  fetchmail itself is running on.  If the
       invisible option is on, the Received header is suppressed and fetchmail
       tries  to  spoof  the MTA it forwards to into thinking it came directly
       from the mailserver host.

       The --showdots option (keyword: set showdots) forces fetchmail to  show
       progress  dots even if the output goes to a file or fetchmail is not in
       verbose mode.   Fetchmail  shows  the  dots  by  default  when  run  in
       --verbose  mode  and  output goes to console. This option is ignored in
       --silent mode.

       By specifying the --tracepolls option, you can  ask  fetchmail  to  add
       information to the Received header on the form "polling {label} account
       {user}", where {label} is the account label (from the specified rcfile,
       normally  ~/.fetchmailrc)  and  {user} is the username which is used to
       log on to the mail server. This header can be used  to  make  filtering
       email where no useful header information is available and you want mail
       from different accounts sorted into different  mailboxes  (this  could,
       for  example, occur if you have an account on the same server running a
       mailing list, and are subscribed to the list using that  account).  The
       default is not adding any such header.  In .fetchmailrc, this is called


       The protocols fetchmail  uses  to  talk  to  mailservers  are  next  to
       bulletproof.   In normal operation forwarding to port 25, no message is
       ever deleted (or even marked for deletion) on the host until  the  SMTP
       listener  on  the  client  side  has acknowledged to fetchmail that the
       message has been either accepted for delivery or rejected due to a spam

       When forwarding to an MDA, however, there is more possibility of error.
       Some MDAs are 'safe' and  reliably  return  a  nonzero  status  on  any
       delivery  error,  even  one  due  to  temporary  resource  limits.  The
       maildrop(1) program is like this; so are most programs designed as mail
       transport  agents,  such as sendmail(1), including the sendmail wrapper
       of Postfix and exim(1).  These programs give back a  reliable  positive
       acknowledgement  and  can  be  used with the mda option with no risk of
       mail loss.  Unsafe MDAs, though, may return 0 even on delivery failure.
       If this happens, you will lose mail.

       The normal mode of fetchmail is to try to download only 'new' messages,
       leaving untouched  (and  undeleted)  messages  you  have  already  read
       directly  on  the server (or fetched with a previous fetchmail --keep).
       But you may find that messages you've already read on  the  server  are
       being  fetched  (and deleted) even when you don't specify --all.  There
       are several reasons this can happen.

       One could be that you're using POP2.  The  POP2  protocol  includes  no
       representation  of  'new' or 'old' state in messages, so fetchmail must
       treat all messages as new all the time.  But POP2 is obsolete, so  this
       is unlikely.

       A  potential  POP3 problem might be servers that insert messages in the
       middle of mailboxes (some VMS implementations of mail are rumored to do
       this).   The  fetchmail  code assumes that new messages are appended to
       the end of the mailbox; when this is not true it  may  treat  some  old
       messages  as  new and vice versa.  Using UIDL whilst setting fastuidl 0
       might fix this, otherwise, consider switching to IMAP.

       Yet another POP3 problem is that if they can't make  tempfiles  in  the
       user's home directory, some POP3 servers will hand back an undocumented
       response that causes fetchmail to spuriously report "No mail".

       The IMAP code uses the presence or absence of the server flag \Seen  to
       decide  whether or not a message is new.  This isn't the right thing to
       do, fetchmail should check the UIDVALIDITY and use UID, but it  doesn't
       do  that  yet.  Under Unix, it counts on your IMAP server to notice the
       BSD-style Status flags set by mail user agents and set the  \Seen  flag
       from  them when appropriate.  All Unix IMAP servers we know of do this,
       though it's not specified by the IMAP RFCs.  If you ever  trip  over  a
       server that doesn't, the symptom will be that messages you have already
       read on your host will look new to  the  server.   In  this  (unlikely)
       case,  only  messages  you  fetched  with fetchmail --keep will be both
       undeleted and marked old.

       In ETRN and ODMR modes, fetchmail does not actually retrieve  messages;
       instead,  it  asks the server's SMTP listener to start a queue flush to
       the client via SMTP.  Therefore it sends only undelivered messages.


       Many SMTP listeners allow administrators to set up 'spam filters'  that
       block  unsolicited  email  from specified domains.  A MAIL FROM or DATA
       line that triggers this feature will  elicit  an  SMTP  response  which
       (unfortunately) varies according to the listener.

       Newer versions of sendmail return an error code of 571.

       According  to RFC2821, the correct thing to return in this situation is
       550 "Requested action not taken: mailbox unavailable" (the  draft  adds
       "[E.g.,  mailbox  not  found, no access, or command rejected for policy

       Older versions of the exim MTA return 501 "Syntax error  in  parameters
       or arguments".

       The postfix MTA runs 554 as an antispam response.

       Zmailer  may  reject  code with a 500 response (followed by an enhanced
       status code that contains more information).

       Return codes which fetchmail treats as antispam responses and  discards
       the  message can be set with the 'antispam' option.  This is one of the
       only three circumstance under which fetchmail ever discards  mail  (the
       others  are the 552 and 553 errors described below, and the suppression
       of multidropped messages with a message-ID already seen).

       If fetchmail is fetching from an IMAP  server,  the  antispam  response
       will be detected and the message rejected immediately after the headers
       have been fetched, without reading the message body.  Thus,  you  won't
       pay for downloading spam message bodies.

       By default, the list of antispam responses is empty.

       If  the  spambounce  global  option  is  on,  mail that is spam-blocked
       triggers an RFC1892/RFC1894 bounce  message  informing  the  originator
       that we do not accept mail from it. See also BUGS.


       Besides  the  spam-blocking  described  above,  fetchmail takes special
       actions on the following SMTP/ESMTP error responses

       452 (insufficient system storage)
            Leave the message in the server mailbox for later retrieval.

       552 (message exceeds fixed maximum message size)
            Delete the message from  the  server.   Send  bounce-mail  to  the

       553 (invalid sending domain)
            Delete  the  message  from  the  server.   Don't  even try to send
            bounce-mail to the originator.

       Other errors trigger bounce mail back to the originator. See also BUGS.


       The  preferred  way to set up fetchmail is to write a .fetchmailrc file
       in your home directory (you may do this directly, with a  text  editor,
       or indirectly via fetchmailconf).  When there is a conflict between the
       command-line arguments and the arguments in this file, the command-line
       arguments take precedence.

       To  protect the security of your passwords, your ~/.fetchmailrc may not
       normally have more than 0700 (u=rwx,g=,o=) permissions; fetchmail  will
       complain and exit otherwise (this check is suppressed when --version is

       You may read the .fetchmailrc file as a list of commands to be executed
       when fetchmail is called with no arguments.

   Run Control Syntax
       Comments  begin  with  a  '#'  and  extend through the end of the line.
       Otherwise the file consists of a series of  server  entries  or  global
       option statements in a free-format, token-oriented syntax.

       There are four kinds of tokens: grammar keywords, numbers (i.e. decimal
       digit sequences), unquoted  strings,  and  quoted  strings.   A  quoted
       string  is  bounded  by  double  quotes and may contain whitespace (and
       quoted digits are treated as a string).  Note that quoted strings  will
       also contain line feed characters if they run across two or more lines,
       unless you use a backslash to join  lines  (see  below).   An  unquoted
       string  is  any  whitespace-delimited  token  that  is neither numeric,
       string quoted nor contains the special characters  ',',  ';',  ':',  or

       Any  amount  of  whitespace  separates tokens in server entries, but is
       otherwise ignored. You may use backslash escape sequences (\n  for  LF,
       \t  for  HT,  \b  for BS, \r for CR, \nnn for decimal (where nnn cannot
       start with a 0), \0ooo for octal, and  \xhh  for  hex)  to  embed  non-
       printable  characters  or  string  delimiters  in  strings.   In quoted
       strings, a backslash at the very end of a line will cause the backslash
       itself  and the line feed (LF or NL, new line) character to be ignored,
       so that you can wrap long strings. Without the backslash  at  the  line
       end, the line feed character would become part of the string.

       Warning:  while  these  resemble C-style escape sequences, they are not
       the same.  fetchmail only supports these eight styles. C supports  more
       escape  sequences that consist of backslash (\) and a single character,
       but does not support decimal codes and does not require the  leading  0
       in octal notation.  Example: fetchmail interprets \233 the same as \xE9
       (Latin small letter e with acute), where  C  would  interpret  \233  as
       octal 0233 = \x9B (CSI, control sequence introducer).

       Each  server  entry  consists  of one of the keywords 'poll' or 'skip',
       followed by a server name, followed by server options, followed by  any
       number  of  user  (or username) descriptions, followed by user options.
       Note: the most common cause of syntax errors  is  mixing  up  user  and
       server options or putting user options before the user descriptions.

       For  backward compatibility, the word 'server' is a synonym for 'poll'.

       You can use the noise  keywords  'and',  'with',  'has',  'wants',  and
       'options'  anywhere  in  an entry to make it resemble English.  They're
       ignored, but but can make entries much easier to read at a glance.  The
       punctuation characters ':', ';' and ',' are also ignored.

   Poll vs. Skip
       The  'poll' verb tells fetchmail to query this host when it is run with
       no arguments.  The 'skip' verb tells fetchmail not to  poll  this  host
       unless  it  is  explicitly named on the command line.  (The 'skip' verb
       allows you to experiment with test entries safely,  or  easily  disable
       entries for hosts that are temporarily down.)

   Keyword/Option Summary
       Here  are  the  legal  options.   Keyword  suffixes  enclosed in square
       brackets are  optional.   Those  corresponding  to  short  command-line
       options  are  followed  by  '-'  and the appropriate option letter.  If
       option is only relevant to a single mode of operation, it is  noted  as
       's' or 'm' for singledrop- or multidrop-mode, respectively.

       Here are the legal global options:

       Keyword             Opt   Mode   Function
       set daemon          -d           Set  a background poll interval in
       set postmaster                   Give the name of  the  last-resort
                                        mail   recipient   (default:  user
                                        running fetchmail, "postmaster" if
                                        run by the root user)
       set    bouncemail                Direct  error  mail  to the sender
       set no bouncemail                Direct error  mail  to  the  local
                                        postmaster     (as     per     the
                                        'postmaster' global option above).
       set no spambounce                Do  not  bounce  spam-blocked mail
       set    spambounce                Bounce blocked  spam-blocked  mail
                                        (as   per   the   'antispam'  user
                                        option) back to the destination as
                                        indicated   by   the  'bouncemail'
                                        global option.   Warning:  Do  not
                                        use  this  to  bounce spam back to
                                        the sender -  most  spam  is  sent
                                        with false sender address and thus
                                        this   option    hurts    innocent
       set no softbounce                Delete  permanently  undeliverable
                                        mail. It  is  recommended  to  use
                                        this  option  if the configuration
                                        has been thoroughly tested.
       set    softbounce                Keep   permanently   undeliverable
                                        mail  as  though a temporary error
                                        had occurred (default).

       set logfile         -L           Name of a file to append error and
                                        status messages to.
       set idfile          -i           Name  of  the  file  to  store UID
                                        lists in.
       set    syslog                    Do    error    logging     through
       set no syslog                    Turn  off  error  logging  through
                                        syslog(3). (default)
       set properties                   String value that  is  ignored  by
                                        fetchmail    (may   be   used   by
                                        extension scripts).

       Here are the legal server options:

       Keyword          Opt   Mode   Function
       via                           Specify DNS  name  of  mailserver,
                                     overriding poll name
       proto[col]       -p           Specify       protocol       (case
                                     insensitive):  POP2,  POP3,  IMAP,
                                     APOP, KPOP
       local[domains]         m      Specify  domain(s)  to be regarded
                                     as local
       port                          Specify   TCP/IP   service    port
                                     (obsolete, use 'service' instead).
       service          -P           Specify service  name  (a  numeric
                                     value    is   also   allowed   and
                                     considered a TCP/IP port  number).
       auth[enticate]                Set  authentication  type (default
       timeout          -t           Server   inactivity   timeout   in
                                     seconds (default 300)
       envelope         -E    m      Specify   envelope-address  header
       no envelope            m      Disable   looking   for   envelope
       qvirtual         -Q    m      Qmail  virtual  domain  prefix  to
                                     remove from user name
       aka                    m      Specify  alternate  DNS  names  of
       interface        -I           specify  IP interface(s) that must
                                     be up  for  server  poll  to  take
       monitor          -M           Specify  IP address to monitor for
       plugin                        Specify command through  which  to
                                     make server connections.
       plugout                       Specify  command  through which to
                                     make listener connections.
       dns                    m      Enable DNS  lookup  for  multidrop
       no dns                 m      Disable DNS lookup for multidrop
       checkalias             m      Do  comparison  by  IP address for
       no checkalias          m      Do   comparison   by   name    for
                                     multidrop (default)
       uidl             -U           Force   POP3  to  use  client-side
                                     UIDLs (recommended)
       no uidl                       Turn off POP3 use  of  client-side
                                     UIDLs (default)
       interval                      Only  check this site every N poll
                                     cycles; N is a numeric argument.
       tracepolls                    Add poll  tracing  information  to
                                     the Received header
       principal                     Set   Kerberos   principal   (only
                                     useful with IMAP and kerberos)
       esmtpname                     Set     name      for      RFC2554
                                     authentication    to   the   ESMTP

       esmtppassword                 Set    password    for     RFC2554
                                     authentication    to   the   ESMTP
       bad-header                    How to treat messages with  a  bad
                                     header. Can be reject (default) or

       Here are the legal user descriptions and options:

       Keyword            Opt   Mode   Function
       user[name]         -u           This is the user  description  and
                                       must   come   first  after  server
                                       description  and  after   possible
                                       server  options,  and  before user
                                       It sets the remote user name if by
                                       itself  or followed by 'there', or
                                       the local user name if followed by
       is                              Connect   local  and  remote  user
       to                              Connect  local  and  remote   user
       pass[word]                      Specify remote account password
       ssl                             Connect   to   server   over   the
                                       specified base protocol using  SSL
       sslcert                         Specify   file   for  client  side
                                       public SSL certificate
       sslcertfile                     Specify  file  with   trusted   CA
       sslcertpath                     Specify c_rehash-ed directory with
                                       trusted CA certificates.
       sslkey                          Specify  file  for   client   side
                                       private SSL key
       sslproto                        Force ssl protocol for connection
       folder             -r           Specify remote folder to query
       smtphost           -S           Specify smtp host(s) to forward to
       fetchdomains             m      Specify  domains  for  which  mail
                                       should be fetched
       smtpaddress        -D           Specify  the  domain  to be put in
                                       RCPT TO lines
       smtpname                        Specify the user and domain to  be
                                       put in RCPT TO lines
       antispam           -Z           Specify   what  SMTP  returns  are
                                       interpreted as spam-policy blocks
       mda                -m           Specify MDA for local delivery
       bsmtp              -o           Specify BSMTP batch file to append
       preconnect                      Command to be executed before each
       postconnect                     Command to be executed after  each
       keep               -k           Don't  delete  seen  messages from
                                       server   (for   POP3,   uidl    is
       flush              -F           Flush  all  seen  messages  before
                                       querying (DANGEROUS)
       limitflush                      Flush   all   oversized   messages
                                       before querying
       fetchall           -a           Fetch all messages whether seen or
       rewrite                         Rewrite destination addresses  for
                                       reply (default)
       stripcr                         Strip  carriage  returns from ends
                                       of lines
       forcecr                         Force carriage returns at ends  of
       pass8bits                       Force   BODY=8BITMIME   to   ESMTP

       dropstatus                      Strip Status and  X-Mozilla-Status
                                       lines out of incoming mail
       dropdelivered                   Strip  Delivered-To  lines  out of
                                       incoming mail
       mimedecode                      Convert quoted-printable to  8-bit
                                       in MIME messages
       idle                            Idle   waiting  for  new  messages
                                       after each poll (IMAP only)
       no keep            -K           Delete seen messages  from  server
       no flush                        Don't   flush  all  seen  messages
                                       before querying (default)
       no fetchall                     Retrieve   only    new    messages
       no rewrite                      Don't rewrite headers
       no stripcr                      Don't   strip   carriage   returns
       no forcecr                      Don't force  carriage  returns  at
                                       EOL (default)
       no pass8bits                    Don't force BODY=8BITMIME to ESMTP
                                       listener (default)
       no dropstatus                   Don't    drop    Status    headers
       no dropdelivered                Don't  drop  Delivered-To  headers
       no mimedecode                   Don't convert quoted-printable  to
                                       8-bit in MIME messages (default)
       no idle                         Don't   idle   waiting   for   new
                                       messages  after  each  poll  (IMAP
       limit              -l           Set message size limit
       warnings           -w           Set message size warning interval
       batchlimit         -b           Max   #  messages  to  forward  in
                                       single connect
       fetchlimit         -B           Max # messages to fetch in  single
       fetchsizelimit                  Max  #  message  sizes to fetch in
                                       single transaction
       fastuidl                        Use binary search for first unseen
                                       message (POP3 only)
       expunge            -e           Perform  an  expunge  on every #th
                                       message (IMAP and POP3 only)
       properties                      String   value   is   ignored   by
                                       fetchmail    (may   be   used   by
                                       extension scripts)

       All user options must begin with a user description (user  or  username
       option) and follow all server descriptions and options.

       In  the  .fetchmailrc  file,  the  'envelope'  string  argument  may be
       preceded by a whitespace-separated number.  This number, if  specified,
       is  the  number of such headers to skip over (that is, an argument of 1
       selects the second header of the given type).  This is sometime  useful
       for  ignoring bogus envelope headers created by an ISP's local delivery
       agent or  internal  forwards  (through  mail  inspection  systems,  for

   Keywords Not Corresponding To Option Switches
       The   'folder'   and  'smtphost'  options  (unlike  their  command-line
       equivalents) can  take  a  space-  or  comma-separated  list  of  names
       following them.

       All  options  correspond  to the obvious command-line arguments, except
       the following: 'via', 'interval', 'aka', 'is',  'to',  'dns'/'no  dns',
       'checkalias'/'no  checkalias', 'password', 'preconnect', 'postconnect',
       'localdomains',   'stripcr'/'no   stripcr',   'forcecr'/'no   forcecr',
       'pass8bits'/'no       pass8bits'       'dropstatus/no      dropstatus',
       'dropdelivered/no  dropdelivered',  'mimedecode/no   mimedecode',   'no
       idle', and 'no envelope'.

       The 'via' option is for if you want to have more than one configuration
       pointing at the same site.  If it is present, the string argument  will
       be  taken as the actual DNS name of the mailserver host to query.  This
       will override the argument of poll, which can then simply be a distinct
       label  for  the  configuration (e.g. what you would give on the command
       line to explicitly query this host).

       The 'interval' option (which takes a numeric argument)  allows  you  to
       poll a server less frequently than the basic poll interval.  If you say
       'interval N' the server this option is attached to will only be queried
       every N poll intervals.

   Singledrop vs. Multidrop options
       Please  ensure  you  read  the  section  titled  THE  USE  AND ABUSE OF
       MULTIDROP MAILBOXES if you intend to use multidrop mode.

       The 'is' or  'to'  keywords  associate  the  following  local  (client)
       name(s)  (or  server-name  to client-name mappings separated by =) with
       the mailserver user name in the entry.  If an is/to list has '*' as its
       last  name,  unrecognized  names  are  simply passed through. Note that
       until fetchmail version  6.3.4  inclusively,  these  lists  could  only
       contain  local  parts  of  user names (fetchmail would only look at the
       part before the @ sign). fetchmail versions  6.3.5  and  newer  support
       full  addresses  on the left hand side of these mappings, and they take
       precedence over any 'localdomains', 'aka', 'via' or similar mappings.

       A single local name can be used to support redirecting your  mail  when
       your  username on the client machine is different from your name on the
       mailserver.  When there is only a single local name, mail is  forwarded
       to  that  local  username regardless of the message's Received, To, Cc,
       and Bcc headers.  In this case, fetchmail never does DNS lookups.

       When there is more than one local name  (or  name  mapping),  fetchmail
       looks  at  the  envelope  header,  if  configured, and otherwise at the
       Received, To, Cc, and Bcc headers of retrieved mail (this is 'multidrop
       mode').   It  looks  for  addresses with hostname parts that match your
       poll name or your 'via', 'aka' or 'localdomains' options,  and  usually
       also  for  hostname  parts  which  DNS  tells  it  are  aliases  of the
       mailserver.  See the discussion of 'dns', 'checkalias', 'localdomains',
       and 'aka' for details on how matching addresses are handled.

       If  fetchmail  cannot  match  any  mailserver  usernames or localdomain
       addresses, the mail will be bounced.  Normally it will  be  bounced  to
       the sender, but if the 'bouncemail' global option is off, the mail will
       go to the local  postmaster  instead.   (see  the  'postmaster'  global
       option). See also BUGS.

       The  'dns'  option  (normally  on)  controls  the  way  addresses  from
       multidrop mailboxes are checked.  On, it enables logic  to  check  each
       host address that does not match an 'aka' or 'localdomains' declaration
       by looking it up with DNS.  When a mailserver  username  is  recognized
       attached to a matching hostname part, its local mapping is added to the
       list of local recipients.

       The 'checkalias' option (normally off) extends the lookups performed by
       the  'dns'  keyword  in  multidrop  mode,  providing a way to cope with
       remote MTAs that identify themselves using their canonical name,  while
       they're polled using an alias.  When such a server is polled, checks to
       extract the envelope address fail, and fetchmail  reverts  to  delivery
       using   the   To/Cc/Bcc   headers   (See  below  'Header  vs.  Envelope
       addresses').  Specifying this option instructs  fetchmail  to  retrieve
       all  the  IP  addresses associated with both the poll name and the name
       used by the remote MTA and to do a  comparison  of  the  IP  addresses.
       This  comes  in  handy  in situations where the remote server undergoes
       frequent  canonical  name  changes,  that   would   otherwise   require
       modifications to the rcfile.  'checkalias' has no effect if 'no dns' is
       specified in the rcfile.

       The 'aka' option is for use with multidrop mailboxes.  It allows you to
       pre-declare   a  list  of  DNS  aliases  for  a  server.   This  is  an
       optimization hack that allows you  to  trade  space  for  speed.   When
       fetchmail,  while  processing  a  multidrop  mailbox,  grovels  through
       message headers looking for  names  of  the  mailserver,  pre-declaring
       common ones can save it from having to do DNS lookups.  Note: the names
       you give as arguments to 'aka'  are  matched  as  suffixes  --  if  you
       specify  (say)  'aka',  this will match not just a hostname, but any hostname that  ends  with  '';  such  as
       (say) and

       The 'localdomains' option allows you to declare a list of domains which
       fetchmail should consider local.  When  fetchmail  is  parsing  address
       lines in multidrop modes, and a trailing segment of a host name matches
       a declared local domain, that address is passed through to the listener
       or MDA unaltered (local-name mappings are not applied).

       If  you  are  using  'localdomains',  you  may also need to specify 'no
       envelope', which disables  fetchmail's  normal  attempt  to  deduce  an
       envelope  address  from  the  Received  line or X-Envelope-To header or
       whatever header has been previously set by 'envelope'.  If you set  'no
       envelope'  in  the  defaults  entry  it  is  possible  to  undo that in
       individual entries by using 'envelope <string>'.  As  a  special  case,
       'envelope "Received"' restores the default parsing of Received lines.

       The  password  option requires a string argument, which is the password
       to be used with the entry's server.

       The 'preconnect' keyword allows you to specify a shell  command  to  be
       executed  just  before  each  time  fetchmail  establishes a mailserver
       connection.  This may be useful if you are attempting to set up  secure
       POP  connections  with  the  aid  of  ssh(1).  If the command returns a
       nonzero status, the poll of that mailserver will be aborted.

       Similarly, the 'postconnect' keyword similarly allows you to specify  a
       shell  command  to  be  executed  just  after  each  time  a mailserver
       connection is taken down.

       The 'forcecr' option controls whether lines terminated by LF  only  are
       given  CRLF  termination  before  forwarding.  Strictly speaking RFC821
       requires this, but few MTAs enforce the requirement it so  this  option
       is  normally  off  (only  one such MTA, qmail, is in significant use at
       time of writing).

       The 'stripcr' option controls whether carriage returns are stripped out
       of retrieved mail before it is forwarded.  It is normally not necessary
       to set this, because it defaults to 'on' (CR  stripping  enabled)  when
       there  is  an  MDA  declared  but  'off'  (CR  stripping disabled) when
       forwarding is via SMTP.   If  'stripcr'  and  'forcecr'  are  both  on,
       'stripcr' will override.

       The 'pass8bits' option exists to cope with Microsoft mail programs that
       stupidly slap a "Content-Transfer-Encoding: 7bit" on everything.   With
       this  option  off  (the  default)  and such a header present, fetchmail
       declares BODY=7BIT to an ESMTP-capable listener; this  causes  problems
       for  messages  actually  using 8-bit ISO or KOI-8 character sets, which
       will be garbled by having the high bits of all characters stripped.  If
       'pass8bits'  is on, fetchmail is forced to declare BODY=8BITMIME to any
       ESMTP-capable listener.  If the listener is  8-bit-clean  (as  all  the
       major ones now are) the right thing will probably result.

       The 'dropstatus' option controls whether nonempty Status and X-Mozilla-
       Status lines are retained in fetched mail (the default)  or  discarded.
       Retaining  them  allows  your  MUA  to  see what messages (if any) were
       marked seen on the server.  On the other hand, it can confuse some new-
       mail notifiers, which assume that anything with a Status line in it has
       been seen.  (Note: the empty Status lines inserted by  some  buggy  POP
       servers are unconditionally discarded.)

       The  'dropdelivered'  option controls whether Delivered-To headers will
       be kept in fetched mail (the default) or discarded. These  headers  are
       added by Qmail and Postfix mailservers in order to avoid mail loops but
       may get in your way if you try to "mirror" a mailserver within the same
       domain. Use with caution.

       The  'mimedecode'  option  controls  whether  MIME  messages  using the
       quoted-printable encoding are automatically converted into  pure  8-bit
       data.  If  you  are  delivering  mail  to an ESMTP-capable, 8-bit-clean
       listener (that includes all of the major MTAs like sendmail), then this
       will  automatically  convert  quoted-printable message headers and data
       into 8-bit data, making it easier to understand when reading  mail.  If
       your  e-mail  programs  know  how to deal with MIME messages, then this
       option is not needed.  The mimedecode option is off by default, because
       doing   RFC2047   conversion   on  headers  throws  away  character-set
       information and can lead to bad results if the encoding of the  headers
       differs from the body encoding.

       The  'idle'  option is intended to be used with IMAP servers supporting
       the RFC2177 IDLE command extension, but does not strictly  require  it.
       If it is enabled, and fetchmail detects that IDLE is supported, an IDLE
       will be issued at the end of each poll.  This will tell the IMAP server
       to  hold  the  connection  open  and notify the client when new mail is
       available.  If IDLE is not supported, fetchmail  will  simulate  it  by
       periodically  issuing NOOP. If you need to poll a link frequently, IDLE
       can save bandwidth by  eliminating  TCP/IP  connects  and  LOGIN/LOGOUT
       sequences. On the other hand, an IDLE connection will eat almost all of
       your fetchmail's time, because it will never drop  the  connection  and
       allow  other  polls  to occur unless the server times out the IDLE.  It
       also doesn't work with multiple folders; only  the  first  folder  will
       ever be polled.

       The  'properties'  option is an extension mechanism.  It takes a string
       argument, which is ignored by fetchmail itself.   The  string  argument
       may  be  used  to  store  configuration  information  for scripts which
       require it.  In particular, the output of  '--configdump'  option  will
       make  properties  associated  with  a user entry readily available to a
       Python script.

   Miscellaneous Run Control Options
       The words 'here' and 'there'  have  useful  English-like  significance.
       Normally  'user  eric  is esr' would mean that mail for the remote user
       'eric' is to be delivered to 'esr', but you can make  this  clearer  by
       saying 'user eric there is esr here', or reverse it by saying 'user esr
       here is eric there'

       Legal protocol identifiers for use with the 'protocol' keyword are:

           auto (or AUTO) (legacy, to be removed from future release)
           pop2 (or POP2) (legacy, to be removed from future release)
           pop3 (or POP3)
           sdps (or SDPS)
           imap (or IMAP)
           apop (or APOP)
           kpop (or KPOP)

       Legal  authentication  types   are   'any',   'password',   'kerberos',
       'kerberos_v4',  'kerberos_v5'  and  'gssapi',  'cram-md5', 'otp', 'msn'
       (only for POP3), 'ntlm', 'ssh', 'external' (only IMAP).  The 'password'
       type specifies authentication by normal transmission of a password (the
       password may be plain text or subject to  protocol-specific  encryption
       as  in  CRAM-MD5);  'kerberos' tells fetchmail to try to get a Kerberos
       ticket at the start of each query instead, and send an arbitrary string
       as   the   password;   and  'gssapi'  tells  fetchmail  to  use  GSSAPI
       authentication.  See the description of the 'auth' keyword for more.

       Specifying 'kpop' sets POP3 protocol over port 1109  with  Kerberos  V4
       authentication.  These defaults may be overridden by later options.

       There  are  some  global option statements: 'set logfile' followed by a
       string sets the same global specified  by  --logfile.   A  command-line
       --logfile  option  will  override  this.  Note  that  --logfile is only
       effective if fetchmail  detaches  itself  from  the  terminal  and  the
       logfile  already  exists  before  fetchmail  is  run,  and it overrides
       --syslog in this case.  Also, 'set daemon' sets the  poll  interval  as
       --daemon  does.   This  can  be  overridden  by a command-line --daemon
       option; in particular --daemon  0  can  be  used  to  force  foreground
       operation.  The  'set  postmaster'  statement sets the address to which
       multidrop mail defaults if there are no local matches.   Finally,  'set
       syslog' sends log messages to syslogd(8).


   Fetchmail crashing
       There  are  various  ways  in  that  fetchmail  may "crash", i. e. stop
       operation suddenly and unexpectedly. A "crash"  usually  refers  to  an
       error  condition  that  the  software did not handle by itself. A well-
       known failure mode is  the  "segmentation  fault"  or  "signal  11"  or
       "SIGSEGV" or just "segfault" for short. These can be caused by hardware
       or by software problems.  Software-induced  segfaults  can  usually  be
       reproduced  easily  and  in  the  same  place, whereas hardware-induced
       segfaults can go away if the computer is rebooted, or powered off for a
       few  hours,  and  can  happen  in  random locations even if you use the
       software the same way.

       For solving hardware-induced segfaults, find the faulty  component  and
       repair  or  replace it.  The Sig11 FAQ <>
       may help you with details.

       For solving software-induced  segfaults,  the  developers  may  need  a
       "stack backtrace".

   Enabling fetchmail core dumps
       By  default,  fetchmail  suppresses  core  dumps as these might contain
       passwords and other  sensitive  information.  For  debugging  fetchmail
       crashes,  obtaining  a  "stack backtrace" from a core dump is often the
       quickest way to solve the problem, and when posting your problem  on  a
       mailing list, the developers may ask you for a "backtrace".

       1.  To  get  useful backtraces, fetchmail needs to be installed without
       getting stripped  of  its  compilation  symbols.   Unfortunately,  most
       binary  packages  that  are installed are stripped, and core files from
       symbol-stripped programs are worthless. So you may  need  to  recompile
       fetchmail. On many systems, you can type

               file `which fetchmail`

       to  find  out  if  fetchmail  was  symbol-stripped or not. If yours was
       unstripped, fine, proceed, if it was stripped, you  need  to  recompile
       the  source code first. You do not usually need to install fetchmail in
       order to debug it.

       2. The shell environment that starts fetchmail  needs  to  enable  core
       dumps.  The  key  is the "maximum core (file) size" that can usually be
       configured with a tool named "limit" or "ulimit". See the documentation
       for  your  shell  for  details.  In the popular bash shell, "ulimit -Sc
       unlimited" will allow the core dump.

       3. You need to tell fetchmail, too, to allow core dumps.  To  do  this,
       run  fetchmail with the -d0 -v options.  It is often easier to also add
       --nosyslog -N as well.

       Finally, you need to reproduce the crash. You can just start  fetchmail
       from  the directory where you compiled it by typing ./fetchmail, so the
       complete command line will start with ./fetchmail -Nvd0 --nosyslog  and
       perhaps list your other options.

       After  the  crash,  run  your  debugger  to  obtain the core dump.  The
       debugger will often be GNU GDB, you can  then  type  (adjust  paths  as
       necessary)  gdb  ./fetchmail  fetchmail.core  and  then,  after GDB has
       started up and read all its files, type backtrace full, save the output
       (copy  & paste will do, the backtrace will be read by a human) and then
       type quit to leave gdb.  Note: on some systems,  the  core  files  have
       different  names,  they  might  contain a number instead of the program
       name, or number and name, but it will usually have "core"  as  part  of
       their name.


       When  trying  to  determine  the  originating  address  of  a  message,
       fetchmail looks through headers in the following order:

               Resent-Sender: (ignored if it doesn't contain an @ or !)
               Sender: (ignored if it doesn't contain an @ or !)

       The originating address is used for logging, and to set the  MAIL  FROM
       address  when  forwarding  to  SMTP.   This  order  is intended to cope
       gracefully with receiving mailing list messages in multidrop mode.  The
       intent  is  that  if  a local address doesn't exist, the bounce message
       won't be returned blindly to the author or  to  the  list  itself,  but
       rather to the list manager (which is less annoying).

       In multidrop mode, destination headers are processed as follows: First,
       fetchmail looks for the header specified by the  'envelope'  option  in
       order  to  determine  the  local  recipient  address.  If  the  mail is
       addressed to more than one recipient, the Received line  won't  contain
       any information regarding recipient addresses.

       Then  fetchmail  looks  for the Resent-To:, Resent-Cc:, and Resent-Bcc:
       lines.  If they exist, they should contain  the  final  recipients  and
       have  precedence over their To:/Cc:/Bcc: counterparts.  If the Resent-*
       lines don't exist, the To:, Cc:,  Bcc:  and  Apparently-To:  lines  are
       looked  for.  (The  presence of a Resent-To: is taken to imply that the
       person referred by the To: address has already  received  the  original
       copy of the mail.)


       Note  that  although  there are password declarations in a good many of
       the examples below, this  is  mainly  for  illustrative  purposes.   We
       recommend  stashing  account/password  pairs in your $HOME/.netrc file,
       where they can be used not just by fetchmail but by  ftp(1)  and  other

       The basic format is:

              poll   SERVERNAME   protocol  PROTOCOL  username  NAME  password


              poll protocol pop3 username "jsmith" password "secret1"

       Or, using some abbreviations:

              poll proto pop3 user "jsmith" password "secret1"

       Multiple servers may be listed:

              poll proto pop3 user "jsmith" pass "secret1"
              poll proto pop2 user "John.Smith" pass "My^Hat"

       Here's the same version with more whitespace and some noise words:

              poll proto pop3
                   user "jsmith", with password secret1, is "jsmith" here;
              poll proto pop2:
                   user "John.Smith", with password "My^Hat", is "John.Smith" here;

       If you need to include whitespace in a parameter string  or  start  the
       latter with a number, enclose the string in double quotes.  Thus:

              poll with proto pop3:
                   user "jsmith" there has password "4u but u can't krak this"
                   is jws here and wants mda "/bin/mail"

       You  may  have  an  initial  server  description  headed by the keyword
       'defaults' instead of 'poll' followed by a  name.   Such  a  record  is
       interpreted  as  defaults for all queries to use. It may be overwritten
       by individual server descriptions.  So, you could write:

              defaults proto pop3
                   user "jsmith"
                   pass "secret1"
                   user "jjsmith" there has password "secret2"

       It's possible to specify more than one user  per  server.   The  'user'
       keyword leads off a user description, and every user specification in a
       multi-user entry must include it.  Here's an example:

              poll proto pop3 port 3111
                   user "jsmith" with pass "secret1" is "smith" here
                   user jones with pass "secret2" is "jjones" here keep

       This associates the local username 'smith'  with  the
       username   'jsmith'   and   the   local   username  'jjones'  with  the username 'jones'.  Mail for 'jones'  is  kept  on  the
       server after download.

       Here's  what  a  simple retrieval configuration for a multidrop mailbox
       looks like:

                   user maildrop with pass secret1 to golux 'hurkle'='happy' snark here

       This says that the mailbox of account 'maildrop' on  the  server  is  a
       multidrop  box, and that messages in it should be parsed for the server
       user names 'golux', 'hurkle', and 'snark'.  It further  specifies  that
       'golux'  and 'snark' have the same name on the client as on the server,
       but mail for server user 'hurkle' should be delivered  to  client  user

       Note   that   fetchmail,  until  version  6.3.4,  did  NOT  allow  full
       user@domain specifications here, these would  never  match.   Fetchmail
       6.3.5  and  newer  support  user@domain specifications on the left-hand
       side of a user mapping.

       Here's an example of another kind of multidrop connection:

              poll localdomains
                   envelope X-Envelope-To
                   user maildrop with pass secret1 to * here

       This also says that the mailbox of account 'maildrop' on the server  is
       a   multidrop  box.   It  tells  fetchmail  that  any  address  in  the or  domains  (including  sub-domain  addresses
       like  '') should be passed through to the local
       SMTP listener without modification.  Be careful of mail loops if you do

       Here's  an  example configuration using ssh and the plugin option.  The
       queries are made directly on the stdin and stdout  of  imapd  via  ssh.
       Note that in this setup, IMAP authentication can be skipped.

              poll with proto imap:
                   plugin "ssh %h /usr/sbin/imapd" auth ssh;
                   user esr is esr here


       Use  the multiple-local-recipients feature with caution -- it can bite.
       All multidrop features are ineffective in ETRN and ODMR modes.

       Also, note that in multidrop mode duplicate mails  are  suppressed.   A
       piece  of mail is considered duplicate if it has the same message-ID as
       the message immediately preceding and more than  one  addressee.   Such
       runs of messages may be generated when copies of a message addressed to
       multiple users are delivered to a multidrop box.

   Header vs. Envelope addresses
       The fundamental problem is that by having your mailserver toss  several
       peoples'  mail  in  a  single  maildrop  box,  you may have thrown away
       potentially vital information about who each piece of mail was actually
       addressed  to  (the  'envelope  address',  as  opposed  to  the  header
       addresses in the RFC822 To/Cc headers - the Bcc is not available at the
       receiving  end).   This  'envelope  address' is the address you need in
       order to reroute mail properly.

       Sometimes fetchmail can deduce the envelope address.  If the mailserver
       MTA  is  sendmail  and the item of mail had just one recipient, the MTA
       will have written a 'by/for' clause that gives the  envelope  addressee
       into  its  Received  header.  But  this doesn't work reliably for other
       MTAs, nor if there is more than one recipient.  By  default,  fetchmail
       looks  for  envelope  addresses  in  these  lines; you can restore this
       default with -E "Received" or 'envelope Received'.

       As a better alternative, some SMTP listeners and/or mail servers insert
       a  header  in each message containing a copy of the envelope addresses.
       This header (when it exists) is often  'X-Original-To',  'Delivered-To'
       or  'X-Envelope-To'.   Fetchmail's assumption about this can be changed
       with the -E or 'envelope' option.  Note that writing an envelope header
       of  this  kind  exposes  the  names of recipients (including blind-copy
       recipients) to all receivers of the  messages,  so  the  upstream  must
       store one copy of the message per recipient to avoid becoming a privacy

       Postfix, since version  2.0,  writes  an  X-Original-To:  header  which
       contains a copy of the envelope as it was received.

       Qmail   and  Postfix  generally  write  a  'Delivered-To'  header  upon
       delivering the message to the mail spool  and  use  it  to  avoid  mail
       loops.   Qmail virtual domains however will prefix the user name with a
       string that normally matches the user's domain. To remove  this  prefix
       you can use the -Q or 'qvirtual' option.

       Sometimes,  unfortunately, neither of these methods works.  That is the
       point when you should contact your ISP and ask them to provide such  an
       envelope  header,  and  you should not use multidrop in this situation.
       When they all fail, fetchmail must fall back on the contents  of  To/Cc
       headers (Bcc headers are not available - see below) to try to determine
       recipient addressees --  and  these  are  unreliable.   In  particular,
       mailing-list  software  often  ships  mail with only the list broadcast
       address in the To header.

       Note that a future version of fetchmail may remove To/Cc parsing!

       When fetchmail cannot deduce a recipient address that is local, and the
       intended  recipient  address was anyone other than fetchmail's invoking
       user, mail will get lost.  This is what  makes  the  multidrop  feature
       risky without proper envelope information.

       A  related  problem is that when you blind-copy a mail message, the Bcc
       information is carried only as envelope address (it's removed from  the
       headers  by  the  sending  mail server, so fetchmail can see it only if
       there is an X-Envelope-To header).  Thus, blind-copying to someone  who
       gets  mail  over  a  fetchmail  multidrop link will fail unless the the
       mailserver host routinely writes X-Envelope-To or an equivalent  header
       into messages in your maildrop.

       In conclusion, mailing lists and Bcc'd mail can only work if the server
       you're fetching from

       (1)    stores one copy of the message per recipient in your domain and

       (2)    records  the  envelope   information   in   a   special   header
              (X-Original-To, Delivered-To, X-Envelope-To).

   Good Ways To Use Multidrop Mailboxes
       Multiple  local names can be used to administer a mailing list from the
       client side of a fetchmail collection.  Suppose your name is 'esr', and
       you  want  to  both  pick  up your own mail and maintain a mailing list
       called (say) "fetchmail-friends", and you want to keep the  alias  list
       on your client machine.

       On  your  server,  you can alias 'fetchmail-friends' to 'esr'; then, in
       your .fetchmailrc, declare 'to esr fetchmail-friends here'.  Then, when
       mail including 'fetchmail-friends' as a local address gets fetched, the
       list name will be appended to the list of recipients your SMTP listener
       sees.   Therefore  it will undergo alias expansion locally.  Be sure to
       include 'esr' in the local alias  expansion  of  fetchmail-friends,  or
       you'll  never  see  mail sent only to the list.  Also be sure that your
       listener has the "me-too"  option  set  (sendmail's  -oXm  command-line
       option  or  OXm  declaration)  so  your  name  isn't removed from alias
       expansions in messages you send.

       This trick is not without its problems, however.  You'll begin  to  see
       this  when  a message comes in that is addressed only to a mailing list
       you do not have declared as a  local  name.   Each  such  message  will
       feature  an  'X-Fetchmail-Warning'  header  which  is generated because
       fetchmail cannot find a valid local name in  the  recipient  addresses.
       Such  messages  default  (as  was described above) to being sent to the
       local user running fetchmail, but the program has no way to  know  that
       that's actually the right thing.

   Bad Ways To Abuse Multidrop Mailboxes
       Multidrop mailboxes and fetchmail serving multiple users in daemon mode
       do not mix.  The problem, again, is  mail  from  mailing  lists,  which
       typically does not have an individual recipient address on it.   Unless
       fetchmail can deduce an envelope address, such mail will only go to the
       account  running  fetchmail  (probably root).  Also, blind-copied users
       are very likely never to see their mail at all.

       If you're tempted to use fetchmail to retrieve mail for multiple  users
       from  a  single  mail drop via POP or IMAP, think again (and reread the
       section on header and envelope addresses above).  It would  be  smarter
       to  just let the mail sit in the mailserver's queue and use fetchmail's
       ETRN or ODMR modes to trigger SMTP sends periodically (of course,  this
       means  you  have  to  poll more frequently than the mailserver's expiry
       period).  If you can't arrange this, try setting up a UUCP feed.

       If you absolutely must use multidrop for this purpose, make  sure  your
       mailserver  writes  an  envelope-address header that fetchmail can see.
       Otherwise you will lose mail and it will come back to haunt you.

   Speeding Up Multidrop Checking
       Normally, when multiple users are declared fetchmail extracts recipient
       addresses  as described above and checks each host part with DNS to see
       if it's an alias of the mailserver.  If so, the name mappings described
       in  the  "to  ...  here"  declaration  are  done  and  the mail locally

       This is a convenient but also slow method.  To speed it up, pre-declare
       mailserver aliases with 'aka'; these are checked before DNS lookups are
       done.  If you're certain your aka list contains all DNS aliases of  the
       mailserver (and all MX names pointing at it - note this may change in a
       future version) you can  declare  'no  dns'  to  suppress  DNS  lookups
       entirely and only match against the aka list.


       Support  for  socks4/5  is  a  compile  time configuration option. Once
       compiled  in,  fetchmail  will  always  use  the  socks  libraries  and
       configuration  on  your  system,  there  are  no  run-time  switches in
       fetchmail - but you can still configure SOCKS: you  can  specify  which
       SOCKS   configuration  file  is  used  in  the  SOCKS_CONF  environment

       For instance, if you wanted to bypass the SOCKS  proxy  altogether  and
       have    fetchmail    connect    directly,    you    could   just   pass
       SOCKS_CONF=/dev/null in the environment, for example  (add  your  usual
       command line options - if any - to the end of this line):

       env SOCKS_CONF=/dev/null fetchmail


       To  facilitate  the  use  of fetchmail in shell scripts, an exit status
       code is returned to give an indication of what occurred during a  given

       The exit codes returned by fetchmail are as follows:

       0      One  or more messages were successfully retrieved (or, if the -c
              option was selected, were found waiting but not retrieved).

       1      There was no mail awaiting retrieval.  (There may have been  old
              mail still on the server but not selected for retrieval.) If you
              do not want "no mail" to be an error  condition  (for  instance,
              for cron jobs), use a POSIX-compliant shell and add

              || [ $? -eq 1 ]

              to  the end of the fetchmail command line, note that this leaves
              0 untouched, maps 1 to 0, and maps all other  codes  to  1.  See
              also item #C8 in the FAQ.

       2      An  error  was  encountered  when attempting to open a socket to
              retrieve mail.  If you don't know what a socket is, don't  worry
              about  it  -- just treat this as an 'unrecoverable error'.  This
              error can also be because a protocol fetchmail wants to  use  is
              not listed in /etc/services.

       3      The  user authentication step failed.  This usually means that a
              bad user-id, password, or APOP id was specified.  Or it may mean
              that you tried to run fetchmail under circumstances where it did
              not have standard input attached to a  terminal  and  could  not
              prompt for a missing password.

       4      Some sort of fatal protocol error was detected.

       5      There  was  a  syntax  error in the arguments to fetchmail, or a
              pre- or post-connect command failed.

       6      The run control file had bad permissions.

       7      There was an error condition reported by the server.   Can  also
              fire if fetchmail timed out while waiting for the server.

       8      Client-side  exclusion error.  This means fetchmail either found
              another copy of itself already running, or failed in such a  way
              that it isn't sure whether another copy is running.

       9      The user authentication step failed because the server responded
              "lock busy".  Try again after a brief pause!  This error is  not
              implemented  for  all  protocols,  nor  for all servers.  If not
              implemented for your server, "3" will be returned  instead,  see
              above.  May be returned when talking to qpopper or other servers
              that  can  respond  with  "lock  busy"  or  some  similar   text
              containing the word "lock".

       10     The fetchmail run failed while trying to do an SMTP port open or

       11     Fatal  DNS  error.   Fetchmail  encountered   an   error   while
              performing a DNS lookup at startup and could not proceed.

       12     BSMTP batch file could not be opened.

       13     Poll  terminated by a fetch limit (see the --fetchlimit option).

       14     Server busy indication.

       23     Internal error.  You should see a message on standard error with

       24 - 26, 28, 29
              These are internal codes and should not appear externally.

       When  fetchmail  queries  more than one host, return status is 0 if any
       query successfully retrieved mail. Otherwise the returned error  status
       is that of the last host queried.


            default run control file

            default  location  of  file  recording  last message UIDs seen per

            lock file to help prevent concurrent runs (non-root mode).

            your FTP run control file, which (if present) will be searched for
            passwords as a last resort before prompting for one interactively.

            lock file to  help  prevent  concurrent  runs  (root  mode,  Linux

            lock  file  to  help  prevent  concurrent runs (root mode, systems
            without /var/run).


              If this environment variable is set  to  a  valid  and  existing
              directory  name,  fetchmail will read $FETCHMAILHOME/fetchmailrc
              (the dot is missing in this case), $FETCHMAILHOME/.fetchids  and
              $FETCHMAILHOME/  rather  than from the user's home
              directory.  The .netrc file is always  looked  for  in  the  the
              invoking  user's  home  directory  regardless of FETCHMAILHOME's

              If this environment variable is set, it is used as the  name  of
              the  calling  user  (default  local  name)  for purposes such as
              mailing error notifications.  Otherwise, if either  the  LOGNAME
              or  USER  variable  is correctly set (e.g. the corresponding UID
              matches the session user ID) then  that  name  is  used  as  the
              default  local  name.   Otherwise  getpwuid(3)  must  be able to
              retrieve a password entry for the  session  ID  (this  elaborate
              logic  is  designed  to  handle  the  case of multiple names per
              userid gracefully).

              (since v6.3.17): If this environment variable  is  set  and  not
              empty,  fetchmail  will  always  load  the default X.509 trusted
              certificate locations  for  SSL/TLS  CA  certificates,  even  if
              --sslcertfile and --sslcertpath are given.  The latter locations
              take precedence over the  system  default  locations.   This  is
              useful  in  case  there  are  broken  certificates in the system
              directories and the user  has  no  administrator  privileges  to
              remedy the problem.

              If   the   HOME_ETC   variable   is  set,  fetchmail  will  read
              $HOME_ETC/.fetchmailrc instead of ~/.fetchmailrc.

              If HOME_ETC and FETCHMAILHOME are both  set,  HOME_ETC  will  be

              (only  if SOCKS support is compiled in) this variable is used by
              the socks library to find out which configuration file it should
              read. Set this to /dev/null to bypass the SOCKS proxy.


       If  a fetchmail daemon is running as root, SIGUSR1 wakes it up from its
       sleep  phase  and  forces  a  poll  of  all  non-skipped  servers.  For
       compatibility  reasons, SIGHUP can also be used in 6.3.X but may not be
       available in future fetchmail versions.

       If fetchmail is running in daemon mode as non-root, use SIGUSR1 to wake
       it  (this  is  so SIGHUP due to logout can retain the default action of
       killing it).

       Running fetchmail in foreground while a background fetchmail is running
       will do whichever of these is appropriate to wake it up.


       Please  check  the NEWS file that shipped with fetchmail for more known
       bugs than those listed here.

       Fetchmail cannot handle user names that  contain  blanks  after  a  "@"
       character, for instance "demonstr@ti on". These are rather uncommon and
       only hurt when using UID-based --keep setups, so the 6.3.X versions  of
       fetchmail won't be fixed.

       The  assumptions  that the DNS and in particular the checkalias options
       make are not often sustainable. For instance, it  has  become  uncommon
       for  an  MX  server  to  be  a  POP3  or  IMAP server at the same time.
       Therefore the MX lookups may go away in a future release.

       The mda and plugin options interact badly.  In order to  collect  error
       status from the MDA, fetchmail has to change its normal signal handling
       so that dead plugin processes don't get reaped until  the  end  of  the
       poll  cycle.   This  can  cause resource starvation if too many zombies
       accumulate.  So either don't deliver to a MDA  using  plugins  or  risk
       being overrun by an army of undead.

       The  --interface  option does not support IPv6 and it is doubtful if it
       ever will, since there is no  portable  way  to  query  interface  IPv6

       The  RFC822  address  parser  used  in  multidrop  mode  chokes on some
       @-addresses that are technically legal but bizarre.   Strange  uses  of
       quoting and embedded comments are likely to confuse it.

       In  a  message  with  multiple  envelope  headers,  only  the  last one
       processed will be visible to fetchmail.

       Use  of  some  of  these  protocols  requires  that  the  program  send
       unencrypted  passwords  over  the  TCP/IP connection to the mailserver.
       This creates a risk that name/password pairs might be snaffled  with  a
       packet  sniffer or more sophisticated monitoring software.  Under Linux
       and FreeBSD, the --interface option can be used to restrict polling  to
       availability  of  a  specific interface device with a specific local or
       remote IP address, but snooping is still possible if  (a)  either  host
       has a network device that can be opened in promiscuous mode, or (b) the
       intervening network link can be tapped.  We recommend the use of ssh(1)
       tunnelling  to  not  only  shroud your passwords but encrypt the entire

       Use of the %F or %T escapes in an mda  option  could  open  a  security
       hole,  because  they  pass  text  manipulable by an attacker to a shell
       command.   Potential  shell  characters  are  replaced  by  '_'  before
       execution.   The  hole  is  further  reduced by the fact that fetchmail
       temporarily discards any suid privileges it may have while running  the
       MDA.   For maximum safety, however, don't use an mda command containing
       %F or %T when fetchmail is run from the root account itself.

       Fetchmail's method of sending bounces due to  errors  or  spam-blocking
       and  spam  bounces  requires that port 25 of localhost be available for
       sending mail via SMTP.

       If you modify ~/.fetchmailrc while a background instance is running and
       break   the   syntax,   the  background  instance  will  die  silently.
       Unfortunately, it can't die noisily because we don't yet  know  whether
       syslog should be enabled.  On some systems, fetchmail dies quietly even
       if there is no syntax error; this seems to have something  to  do  with
       buggy terminal ioctl code in the kernel.

       The  -f  -  option (reading a configuration from stdin) is incompatible
       with the plugin option.

       The 'principal' option only handles Kerberos IV, not V.

       Interactively entered passwords are truncated after 63  characters.  If
       you  really  need  to  use  a  longer  password, you will have to use a
       configuration file.

       A backslash as the last character  of  a  configuration  file  will  be
       flagged as a syntax error rather than ignored.

       The  BSMTP error handling is virtually nonexistent and may leave broken
       messages behind.

       Send comments, bug reports, gripes, and the like to the fetchmail-devel
       list <>

       An   HTML   FAQ   <>   is
       available at the fetchmail home page, it  should  also  accompany  your


       Fetchmail  is currently maintained by Matthias Andree and Rob Funk with
       major assistance from Sunil Shetye (for code) and  Rob  MacGregor  (for
       the mailing lists).

       Most of the code is from Eric S. Raymond <> .  Too
       many other people to name here have contributed code and patches.

       This program is descended from and replaces popclient, by  Carl  Harris
       <>  ;  the  internals  have become quite different, but
       some of its interface design is directly traceable  to  that  ancestral

       This  manual  page  has  been  improved  by  Matthias Andree, R. Hannes
       Beinert, and Hector Garcia.


       README,    README.SSL,    README.SSL-SERVER,    The    Fetchmail    FAQ
       <>,     mutt(1),    elm(1),
       mail(1), sendmail(8), popd(8), imapd(8), netrc(5).

       The fetchmail home page. <>

       The maildrop home page. <>


       Note that this list is just  a  collection  of  references  and  not  a
       statement  as  to  the  actual  protocol conformance or requirements in

            RFC 821, RFC 2821, RFC 1869, RFC 1652, RFC  1870,  RFC  1983,  RFC
            1985, RFC 2554.

            RFC 822, RFC 2822, RFC 1123, RFC 1892, RFC 1894.

            RFC 937

            RFC  1081,  RFC  1225, RFC 1460, RFC 1725, RFC 1734, RFC 1939, RFC
            1957, RFC 2195, RFC 2449.

            RFC 1939.

            RFC 1081, RFC 1225.

            RFC 1176, RFC 1732.

            RFC 1730, RFC 1731, RFC 1732, RFC 2060, RFC 2061,  RFC  2195,  RFC
            2177, RFC 2683.

            RFC 1985.

            RFC 2645.

       OTP: RFC 1938.

            RFC 2033.

            RFC 1508.

       TLS: RFC 2595.