Changing Your Password
Change your IMAP password (CSAIL Login required)
Vacation Auto-responder Instructions
Important: You must tell the vacation autoresponder about any addresses that get forwarded to your CSAIL address that you want it to reply to! (This is important, for instance, for people who have their @mit.edu address forwarded to their @csail.mit.edu address.) That’s because the autoresponder only responds to messages that it can tell have a personal address of yours in the headers (so it doesn’t respond to mailing-list posts and the like). For that to work it needs to know all the addresses to treat as yours.
- Log into webmail.csail.mit.edu using your CSAIL username and IMAP (email) password
- Click the drop-down menu at top center labelled “Mail”.
- Click “Filters”.
- Click “Vacation” to edit the vacation rule.
  - “Subject of vacation message”: If blank, your response will have Subject: Re: [sender's original subject]. If filled in, your response will have Subject: [exact text you fill in].
  - “Reason” will be the entire message body sent out (original sender’s message will not be included at bottom).
  - Autoresponses will start and stop automatically according to “Start/End of vacation” only if the overall Vacation Rule is enabled.
- Click the “Advanced Settings” tab.
- The “My email addresses:” field will already be populated with your CSAIL email address. Add any other addresses which belong to you as an individual and which might get forwarded to your CSAIL address, and for which you want to generate vacation responses. (If you don’t have any other email addresses that forward to your CSAIL address, or you don’t want a vacation response generated from CSAIL for messages forwarded from other addresses, you can skip this and the preceding step.)
- Click “Save and Enable”
- Click “Log out” in top right, if desired.
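The decision the autoresponder makes, and why the “My email addresses” field matters for forwarded mail, can be modelled in a few lines. This is an added example, not the webmail server's own code; the header checks follow common autoresponder practice, and the user "jdoe" and all sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

def should_autorespond(raw_message, my_addresses):
    """Return (reply?, reason) for one incoming message (simplified model)."""
    msg = message_from_string(raw_message)
    mine = {addr.lower() for addr in my_addresses}
    # Mailing-list and automated traffic never gets a vacation reply.
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return False, "mailing-list post"
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return False, "bulk precedence"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "automated message"
    # Reply only when one of the user's own addresses is a visible recipient.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    for _name, addr in recipients:
        if addr.lower() in mine:
            return True, "addressed to " + addr.lower()
    return False, "no personal address in To/Cc"

# Constructed sample messages; "jdoe" is a hypothetical user.
DIRECT = "From: a@example.org\nTo: jdoe@csail.mit.edu\nSubject: hi\n\nbody\n"
FORWARDED = "From: a@example.org\nTo: jdoe@mit.edu\nSubject: hi\n\nbody\n"
LIST_POST = ("From: b@example.org\nTo: seminars@lists.example.org\n"
             "List-Id: <seminars.lists.example.org>\nSubject: talk\n\nbody\n")

if __name__ == "__main__":
    only_csail = ["jdoe@csail.mit.edu"]
    both = only_csail + ["jdoe@mit.edu"]
    for label, raw, addrs in [("direct", DIRECT, only_csail),
                              ("forwarded, MIT address not listed", FORWARDED, only_csail),
                              ("forwarded, MIT address listed", FORWARDED, both),
                              ("list post", LIST_POST, both)]:
        print(label, "->", should_autorespond(raw, addrs))
```

A message forwarded from the @mit.edu address still carries that address in its To header, so it is answered only once that address is listed.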
CSAIL provides spam filtering using SpamAssassin, a powerful free software solution. It works automatically on the mail server. You can change the settings so that it works better for you.
- Change basic SpamAssassin configuration
- If you want to see messages that the server has marked as spam and check for false positives, check your
- To report missed spam to the server, drag any spam from your inbox to the
- If you are getting “false positives,” then subscribe to the NotSpam folder. Copy the message from Spam to NotSpam. The server will start ‘learning’ messages that you mark as NotSpam. After a few iterations, it should stop marking these messages as spam.
- The server starts “learning” from messages saved to MissedSpam and NotSpam after enough messages are saved to both folders. The more messages you can categorize in both folders, the better.
You have a choice of reading @csail.mit.edu email in a number of locations and formats. Many people choose to read email directly from the CSAIL IMAP server. Creating a CSAIL IMAP account will automatically revert any custom forwarding options specified using the
Please note that the conventional UNIX means of forwarding email, placing a .forward file in your home directory, does not work at CSAIL.
To forward your email to an arbitrary address:
Visit WebINQUIR (CSAIL Login required). Choose the “view and edit your personal information” link,
then edit the field called “email forwarding”. Note that it may take up
to one hour for the change to take effect. Also, be careful to make
sure that your mail forwarding doesn’t loop – for example, sending
email@example.com when Athena forwarding sends it
firstname.lastname@example.org will result in lost mail.
To forward a copy of your email to an arbitrary address while maintaining standard delivery to your CSAIL IMAP mailbox:
Log into the CSAIL webmail. Next, click the “filters” icon along the top row. The icons will change; next click the “forward” icon. Check the “keep a copy” checkbox, then supply your secondary address and save.
Note 1: When using this configuration, please don’t let tons of mail pile up in your CSAIL IMAP mailbox.
Note 2: Mail from addresses on your whitelist will not be forwarded. We suggest you disable your webmail whitelist.
Note 3: Due to a bug in the webmail software, some users see an incorrect message that login was unsuccessful even after a successful login. If you see the webmail navigational sidebar on the left (with “Horde” and “Dynamic Mail” links) you can click on “Mail” or “Dynamic Mail” and ignore the message.
Getting support with forwarded email
Many people choose to have their CSAIL email addresses forwarded to their @gmail.com addresses, or elsewhere. And many people choose to have other addresses, like their @mit.edu addresses, forwarded to their CSAIL email addresses and delivered here. Those choices affect who can help you with problems with your mail.
TIG sysadmins can generally trace recent messages through our own mail servers, but we can’t reliably tell you what happened to a message after we handed it off to a non-CSAIL mail server, or what happened to prevent it reaching us in the first place. (If a message did reach our mail servers but was not delivered for some reason, TIG generally can confirm that and explain why!)
So if, for instance, you forward your CSAIL email to your @mit.edu address, and you’re trying to track down why you’re not getting a recent message you were expecting, TIG might be able to tell you the message was received from thus-and-such a mail server at 8:45am yesterday, and passed along to the server responsible for accepting mail for mit.edu at 8:46am yesterday, but we wouldn’t have any way to look up what happened to it after that. (Assuming the message made it through the front-line spam filtering they contract with Microsoft for, IS&T’s mail administrators would be able to look up what happened to it after they received it.) We can sometimes make educated guesses, of course.
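The hop-by-hop view described above can be rebuilt from a message's own Received headers. The following is an added example, not a TIG tool; the hostnames, IP addresses, queue ids and timestamps in the sample are constructed placeholders.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

def trace_hops(raw_message):
    """Return hops oldest first: (from_host, by_host, utc_time, seconds_after_previous)."""
    msg = message_from_string(raw_message)
    hops = []
    # Every server prepends its own Received header, so the last one is the oldest.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())          # unfold continuation lines
        info, _, stamp = text.rpartition(";")    # timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        except (TypeError, ValueError):
            continue                             # skip headers without a usable date
        src = re.search(r"\bfrom\s+(\S+)", info)
        dst = re.search(r"\bby\s+(\S+)", info)
        delay = (when - hops[-1][2]).total_seconds() if hops else 0.0
        hops.append((src.group(1) if src else None,
                     dst.group(1) if dst else None, when, delay))
    return hops

# Constructed sample: hostnames, IPs and queue ids are placeholders.
SAMPLE = (
    "Received: from inbound.csail.example (inbound.csail.example [192.0.2.10])\n"
    "\tby mx.mit.example with ESMTP id CONSTRUCTED2;\n"
    "\tTue, 04 Mar 2025 08:46:07 -0500\n"
    "Received: from sender.example.org (sender.example.org [198.51.100.7])\n"
    "\tby inbound.csail.example with ESMTP id CONSTRUCTED1;\n"
    "\tTue, 04 Mar 2025 08:45:12 -0500\n"
    "From: a@example.org\nTo: jdoe@csail.example\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    for src, dst, when, delay in trace_hops(SAMPLE):
        print(f"{when:%H:%M:%S} UTC  {src} -> {dst}  (+{delay:.0f}s)")
```

Only the Received lines added by servers you control are trustworthy; anything below them in the header block was supplied by an upstream system.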
Phishing messages are spammers’ attempts to obtain your username and password, either for direct financial gain or so that they can use your email account to send spam. As always, TIG is working to make sure these people can’t get such requests through to us, but it’s hard to predict what their next message will look like.
Reporting phishing messages
To report a phishing message, send it to
If at all possible, please either forward it (with full headers) as an
attachment, or use your mail client’s “bounce” or “redirect” function
to redirect the message, leaving the original headers intact. But if
your mail client doesn’t make that easy, feel free to just forward the
message in whatever way is convenient.
We very much appreciate phishing reports submitted this way; they let us be proactive about blocking future similar phishing attempts, and/or warning other people (besides you) who may have received the same phishing attack. However, when you submit a phishing attempt this way, we’ll generally assume you know it’s a phishing attempt and you don’t need any further help with it, so you probably won’t get a response. If you have questions or comments about a phishing message you’ve received (or something you think is legitimate, but aren’t sure), please contact email@example.com in the normal way, and we’ll reply.
The Clam anti-virus package checks all incoming email for viruses. Note that email virus scanning does not replace having up to date virus scanners on your own machine, but it should help cut down on the problems.
Encrypted (and/or signed) mail with PGP/GnuPG
Encryption can be used with mail in two ways: To encrypt a message so that only the recipient (or recipients) can read it, and it’s safe from snooping in transit (e.g., when it’s being stored on various mail servers on its way to its destination, or if a network connection between the sender and the recipient is being tapped), or to add a cryptographic signature to a message to prove that it was actually sent by the person it claims to be from. The only really common and widely supported mechanism for this is called PGP, originally the name of a commercial product called “Pretty Good Privacy”, but now often used in a generic sense for the encryption standard. The most common implementation of this standard is GnuPG, which is Free Software, and generally interoperable with commercial implementations. (Technically, PGP is the commercial software, GnuPG, a/k/a GPG, is the competing but interoperable Free Software package, and OpenPGP is the standard they and other interoperable pieces of software implement.)
The PGP/GnuPG standard relies on public-key cryptography, and identifies you by a secret key, which as the name suggests should be kept private, and a public key which you can share with others. These can be used for encryption, authentication (or “non-repudiability”), or both.
Using encryption with Thunderbird
Thunderbird, the most commonly used IMAP email client at CSAIL, supports PGP-style encryption through the “Enigmail” add-on. In Thunderbird, you can install add-ons (such as Enigmail) by choosing Tools → Add-ons and using the search box in the upper-right. (You can also browse add-ons by selecting the “Get Add-ons” tab, but that’s a pretty hard way to search for a specific one.) Once you’ve installed “Enigmail” and restarted Thunderbird, you’ll have a new “Enigmail” menu, and you can get yourself set up to use encryption with the “Setup wizard” you’ll find on that menu. (If you already have a keypair, you can import it so Thunderbird can use it; otherwise you can create a new one.)
Using encryption with CSAIL’s webmail
CSAIL uses the Horde project’s software suite for our webmail interface (at https://webmail.csail.mit.edu). Horde’s mail component supports PGP-style encryption, so you can send or receive encrypted mail, sign your messages to prove they come from you, and verify the signatures on other people’s messages (assuming you have their public keys available).
To set up encryption, log into Horde and then from the white gear menu
(next to “Others ▼”), choose “Preferences” → “Mail”. Then on the
“Preferences for Mail” page you get, at the bottom of the left-hand
column, select “PGP” to “Configure PGP encryption support”. You can turn
on “Enable PGP functionality?” (paying attention to the note that you
need to configure your browser to allow pop-up windows from
webmail.csail.mit.edu in order for that to work), and set the other
options as you like.
In order to sign mail, or receive mail encrypted for you, you’ll need a keypair. You can have the webmail system itself create one with the “Create Keys” button, or you can import an existing key (as displayed with the command gpg -a --export-secret-keys firstname.lastname@example.org) with the “Import Key” button (which will pop up a new window, so you need your browser configured appropriately).
Sharing your IMAP folders with others
If you have a folder of messages you’d like to share with others:
- Log into CSAIL webmail
- Click the preferences cog → Preferences → Mail
- Choose Share Mailboxes
- In the bottom left, click the drop-down folder list (which starts out as “INBOX”) and select the folder you want to share
- The permission listed will be for the current mailbox selected. In the blank box underneath your own name, enter the CSAIL username of the person you want to share with and select a template for access from the dropdown next to it (e.g., “Read”, “All”, etc.) to set the permissions.
- Click “Save”
- Repeat as desired for additional users and/or folders.
Viewing folders shared with you
If you have shared IMAP folders you would like to view, they are generally not available by default in most email clients.
For Thunderbird: The instructions below are for Thunderbird (macOS and Windows). Other email client configurations are not dissimilar.
- Click File → Subscribe
- In your folder list, expand the “shared” folder, select the appropriate folder, and click Subscribe.
- Repeat until all desired folders have check marks next to them, then click OK
- The shared folder(s) will now be available for viewing messages at the bottom of your folder list
- NIST SP800-177 contains the federal government’s recommendations for email server configuration. The introductory sections of the document contain an excellent description of the technology used for email and the sorts of security threats faced by email users and administrators.