InterIMAP - Fast bidirectional synchronization for QRESYNC-capable IMAP servers


interimap [OPTION …] [COMMAND] [MAILBOX …]


interimap performs stateful synchronization between two IMAP4rev1 servers. Such synchronization is made possible by the QRESYNC IMAP extension; for convenience reasons servers must also support the LIST-EXTENDED, LIST-STATUS (or NOTIFY) and UIDPLUS IMAP extensions. See also the supported extensions section below.

Stateful synchronization is only possible for mailboxes supporting persistent message Unique Identifiers (UID) and persistent storage of mod-sequences (MODSEQ); any non-compliant mailbox will cause interimap to abort. Furthermore, because UIDs are allocated not by the client but by the server, interimap needs to keep track of associations between local and remote UIDs for each mailbox. The synchronization state of a mailbox consists of its UIDNEXT and HIGHESTMODSEQ values on each server; it is then assumed that each message with UID smaller than UIDNEXT have been replicated to the other server, and that the metadata (such as flags) of each message with MODSEQ at most HIGHESTMODSEQ have been synchronized. Conceptually, the synchronization algorithm is derived from RFC 4549 with the RFC 7162 (sec. 6) amendments, and works as follows:

  1. SELECT (on both servers) a mailbox the current UIDNEXT or HIGHESTMODSEQ values of which differ from the values found in the database (for either server). Use the QRESYNC SELECT parameter from RFC 7162 to list changes (vanished messages and flag updates) since HIGHESTMODSEQ to messages with UID smaller than UIDNEXT.

  2. Propagate these changes onto the other server: get the corresponding UIDs from the database, then:
    1. issue a UID STORE command, followed by UID EXPUNGE, to remove messages that have not already been deleted on both servers; and
    2. issue some UID STORE commands to propagate flag updates (send a single command for each flag list in order the reduce the number of round trips).

    (Conflicts may occur if the metadata of a message has been updated on both servers with different flag lists; in that case, interimap issues a warning and updates the message on each server with the union of both flag lists.) Repeat this step if the server sent some updates in the meantime. Otherwise, update the HIGHESTMODSEQ value in the database.

  3. Process new messages (if the current UIDNEXT value of the mailbox differs from the one found in the database) by issuing a UID FETCH command; process each received message on-the-fly by issuing an APPEND command with the message’s RFC822 body, FLAGS and INTERNALDATE. Repeat this step if the server received new messages in the meantime. Otherwise, update the UIDNEXT value in the database. Go back to step 2 if the server sent some metadata (such as flag) updates in the meantime.

  4. Go back to step 1 to proceed with the next unsynchronized mailbox.


By default, interimap synchronizes each mailbox listed by the LIST "" "*" IMAP command; the list-mailbox, list-select-opts and ignore-mailbox options from the configuration file can be used to shrink that list and save bandwidth. However if some extra argument are provided on the command line, interimap ignores these options and synchronizes the given MAILBOXes instead. Note that each MAILBOX is taken “as is”; in particular, it must be UTF-7 encoded, unquoted, and the list wildcards ‘*’ and ‘%’ are passed verbatim to the IMAP server. If the local and remote hierarchy delimiter differ, then within the MAILBOX names the local delimiter should be used (it is transparently substituted for remote commands and responses).

If the synchronization was interrupted during a previous run while some messages were being replicated (but before the UIDNEXT or HIGHESTMODSEQ values have been updated), interimap performs a “full synchronization” on theses messages: downloading the whole UID and flag lists on each servers allows interimap to detect messages that have been removed or for which their flags have changed in the meantime. Finally, after propagating the offline changes for these messages, interimap resumes the synchronization for the rest of the mailbox.

Specifying one of the commands below makes interimap perform an action other than the default QRESYNC-based synchronization.

--repair [MAILBOX …]

List the database anomalies and try to repair them. (Consider only the given MAILBOXes if non-optional arguments are provided.) This is done by performing a so-called “full synchronization”, namely: 1/ download all UIDs along with their flag list both from the local and remote servers; 2/ ensure that each entry in the database corresponds to an existing UID; and 3/ ensure that both flag lists match. Any message found on a server but not in the database is replicated on the other server (which in the worst case, might yield a message duplicate). Flag conflicts are solved by updating each message to the union of both lists.

--delete MAILBOX [MAILBOX …]

Delete the given MAILBOXes on each target (by default each server plus the database, unless --target specifies otherwise) where it exists. Note that per the IMAP4rev1 standard deletion is not recursive. Thus MAILBOX’s children are not deleted.

--rename SOURCE DEST

Rename the mailbox SOURCE to DEST on each target (by default each server plus the database, unless --target specifies otherwise) where it exists. interimap aborts if DEST already exists on either target. Note that per the IMAP4rev1 standard renaming is recursive. Thus SOURCE’s children are moved to become DEST’s children instead.



Specify an alternate configuration file. Relative paths start from $XDG_CONFIG_HOME/interimap, or ~/.config/interimap if the XDG_CONFIG_HOME environment variable is unset.


Limit the scope of a --delete or --rename command to the given target. Can be repeated to act on multiple targets. By default all three targets are considered.


Don’t exit after a successful synchronization. Instead, keep synchronizing forever. Sleep for the given number of seconds (by default 1 minute if --notify is unset, and 15 minutes if --notify is set) between two synchronizations. Setting this options enables SO_KEEPALIVE on the socket for types other than tunnel.


Whether to use the IMAP NOTIFY extension to instruct the server to automatically send updates to the client. (Both local and remote servers must support RFC 5465 for this to work.) This greatly reduces IMAP traffic since interimap can rely on server notifications instead of manually polling for updates. If the connection remains idle for 15 minutes (configurable with --watch), then interimap sends a NOOP command to avoid being logged out for inactivity.

-q, --quiet

Try to be quiet.


Turn on debug mode. Debug messages, which includes all IMAP traffic besides literals, are written to the given logfile. The LOGIN and AUTHENTICATE commands are however redacted (in order to avoid disclosing authentication credentials) unless the --debug flag is set multiple times.

-h, --help

Output a brief help and exit.


Show the version number and exit.

Configuration file

Unless told otherwise by the --config=FILE command-line option, interimap reads its configuration from $XDG_CONFIG_HOME/interimap/config (or ~/.config/interimap/config if the XDG_CONFIG_HOME environment variable is unset) as an INI file. The syntax of the configuration file is a series of OPTION=VALUE lines organized under some [SECTION]; lines starting with a ‘#’ or ‘;’ character are ignored as comments. The [local] and [remote] sections define the two IMAP servers to synchronize. Valid options are:


SQLite version 3 database file to use to keep track of associations between local and remote UIDs, as well as the UIDVALIDITY, UIDNEXT and HIGHESTMODSEQ of each known mailbox on both servers. Relative paths start from $XDG_DATA_HOME/interimap, or ~/.local/share/interimap if the XDG_DATA_HOME environment variable is unset. This option is only available in the default section. (Default: HOST.db, where HOST is taken from the [remote] or [local] sections, in that order.)


An optional “reference name” to use for the initial LIST command, indicating the context in which the MAILBOXes are interpreted. For instance, by specifying list-reference=perso/ in the [local] section, MAILBOX names are interpreted relative to perso/ on the local server; in other words the remote mailbox hierarchy is mapped to the perso/ sub-hierarchy on the local server. This is useful for synchronizing multiple remote servers against different namespaces belonging to the same local IMAP server (using a different interimap instance for each local namespace ↔ remote synchronization).

(Note that if the reference name is not a level of mailbox hierarchy and/or does not end with the hierarchy delimiter, by RFC 3501 its interpretation by the IMAP server is implementation-dependent.)


A space separated list of mailbox patterns to use when issuing the initial LIST command (overridden by the MAILBOXes given as command-line arguments). Names containing special characters such as spaces or brackets need to be enclosed in double quotes. Within double quotes C-style backslash escape sequences can be used (‘\t’ for an horizontal tab, ‘\n’ for a new line, ‘\\’ for a backslash, etc.), as well as hexadecimal escape sequences ‘\xHH’. Furthermore, non-ASCII names must be UTF-7 encoded. Two wildcards are available, and passed verbatim to the IMAP server: a ‘*’ character matches zero or more characters, while a ‘%’ character matches zero or more characters up to the hierarchy delimiter. Hard-coding the hierarchy delimiter in this setting is not advised because the server might silently change it at some point. A null character should be used instead. For instance, if list-mailbox is set "foo\x00bar" then, assuming the hierarchy delimiter is ‘/’, only the mailbox named foo/bar is considered for synchronization.

This option is only available in the default section. (The default pattern, *, matches all visible mailboxes on the server.)


An optional space separated list of selectors for the initial LIST command. (Requires a server supporting the LIST-EXTENDED IMAP extension.) Useful values are SUBSCRIBED (to list only subscribed mailboxes), REMOTE (to also list remote mailboxes on a server supporting mailbox referrals), and RECURSIVEMATCH (to list parent mailboxes with children matching one of the above list-mailbox patterns). This option is only available in the default section.


An optional Perl Compatible Regular Expressions (PCRE) covering mailboxes to exclude: any (UTF-7 encoded and unquoted) mailbox listed in the initial LIST responses is ignored if it matches the given expression after trimming the reference names and substituting the hierarchy delimiter with the null character. For instance, specifying ^virtual(?:\x00|$) excludes the mailbox named “virtual” as well as its descendants. Note that the MAILBOXes given as command-line arguments bypass the check and are always considered for synchronization. This option is only available in the default section.


A file name to use to log debug and informational messages. (By default these messages are written to the error output.) This option is only available in the default section.


A printf(3)-like format string to use as prefix for each log message. Interpreted sequences are %n and %m, expanding respectively to the component name (local/remote) and to the name of the mailbox relevant for the log entry. Conditions on a specifier %X can be obtained with %?X?then? or %?X?then&else?, which expands to then if the %X specifier expands to a non-empty string, and to else (or the empty string if there is no else condition) if it doesn’t. Literal % characters need to be escaped as %%, while &, ? and \ characters need to be \-escaped. (Default: %?n?%?m?%n(%m)&%n?: ?.)


One of imap, imaps or tunnel. type=imap and type=imaps are respectively used for IMAP and IMAP over SSL/TLS connections over an INET socket. type=tunnel causes interimap to create an unnamed pair of connected sockets for inter-process communication with a command instead of opening a network socket. Note that specifying type=tunnel in the [remote] section makes the default database to be localhost.db. (Default: imaps.)


Server hostname or IP address, for type=imap and type=imaps. The value can optionally be enclosed in square brackets to force its interpretation as an IP literal (hence skip name resolution). (Default: localhost.)


Server port. (Default: 143 for type=imap, 993 for type=imaps.)


Optional SOCKS proxy to use for TCP connections to the IMAP server (type=imap and type=imaps only), formatted as PROTOCOL://[USER:PASSWORD@]PROXYHOST[:PROXYPORT]. If PROXYPORT is omitted, it is assumed at port 1080. Only SOCKSv5 is supported (with optional username/password authentication), in two flavors: socks5:// to resolve hostname locally, and socks5h:// to let the proxy resolve hostname.


Command to use for type=tunnel. Must speak the IMAP4rev1 protocol on its standard output, and understand it on its standard input. The value is passed to `/bin/sh -c` if it contains shell metacharacters; otherwise it is split into words and the resulting list is passed to execvp(3).


Whether to use the STARTTLS directive to upgrade to a secure connection. Setting this to YES for a server not advertising the STARTTLS capability causes interimap to immediately abort the connection. (Ignored for types other than imap. Default: YES.)


Space-separated list of preferred authentication mechanisms. interimap uses the first mechanism in that list that is also advertised (prefixed with AUTH=) in the server’s capability list. Supported authentication mechanisms are PLAIN and LOGIN. (Default: PLAIN LOGIN.)

username, password

Username and password to authenticate with. Can be required for non pre-authenticated connections, depending on the chosen authentication mechanism.


Whether to use the IMAP COMPRESS extension for servers advertising it. (Default: NO for the [local] section, YES for the [remote] section.)


Whether to redirect command’s standard error to /dev/null for type=tunnel. This option is ignored when the --debug flag is set. (Default: NO.)


Space-separated list of SSL/TLS protocol versions to explicitly enable (or disable if prefixed with an exclamation mark !). Potentially known protocols are SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3, depending on the OpenSSL version used. Enabling a protocol is a short-hand for disabling all other protocols.

DEPRECATED: Use SSL_protocol_min and/or SSL_protocol_max instead.

SSL_protocol_min, SSL_protocol_max

Set minimum resp. maximum SSL/TLS protocol version to use for the connection. Potentially recognized values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3, depending on the OpenSSL version used.

SSL_cipherlist, SSL_ciphersuites

Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites. The combination of these lists is sent to the server, which then determines which cipher to use (normally the first supported one from the list sent by the client). The default suites depend on the OpenSSL version and its configuration, see ciphers(1ssl) for more information.


Space-separated list of acceptable fingerprints for the server certificate’s Subject Public Key Info, in the form [ALGO$]DIGEST_HEX where ALGO is the digest algorithm (by default sha256). Attempting to connect to a server with a non-matching certificate SPKI fingerprint causes interimap to abort the connection during the SSL/TLS handshake. The following command can be used to compute the SHA-256 digest of a certificate’s Subject Public Key Info:

$ openssl x509 -in /path/to/server/certificate.pem -pubkey \
	| openssl pkey -pubin -outform DER \
	| openssl dgst -sha256

Specifying multiple digest values can be useful in key rollover scenarios and/or when the server supports certificates of different types (for instance a dual-cert RSA/ECDSA setup). In that case the connection is aborted when none of the specified digests matches.


Whether to 1/ verify the server certificate chain; and 2/ match its Subject Alternative Name (SAN) or Subject CommonName (CN) against the value of the host option. (Default: YES.)

Note that using SSL_fingerprint to specify the fingerprint of the server certificate provides an independent server authentication measure as it pins directly its key material and ignore its chain of trust.


File containing trusted certificates to use during server certificate verification when SSL_verify=YES.

Trusted CA certificates are loaded from the default system locations unless one (or both) of SSL_CAfile or SSL_CApath is set.


Directory to use for server certificate verification when SSL_verify=YES. This directory must be in “hash format”, see verify(1ssl) for more information.

Trusted CA certificates are loaded from the default system locations unless one (or both) of SSL_CAfile or SSL_CApath is set.


Name to use for the TLS SNI (Server Name Indication) extension. The default value is taken from the host option when it is a hostname, and to the empty string when it is an IP literal. Setting SSL_hostname to the empty string explicitly disables SNI.

Supported extensions

interimap takes advantage of servers supporting the following extensions to the IMAP4rev1 protocol (those marked as “recommended” give the most significant performance gain):

Known bugs and limitations


See also

A getting started guide is available there.