9 Advanced usage

9.1 Region

In Summary mode, there are commands which work for a region if called with ‘C-u’. If a visible region is specified, these commands work for the region without ‘C-u’.

For Emacs, you can use the visible region feature by putting the following into your "~/.emacs".

(transient-mark-mode 1)

Here is a summary of such commands.

‘?’, ‘/’, ‘tt’, ‘x’, ‘lx’, ‘ma’, ‘Md’, ‘S’, ‘mlc’, ‘mli’, ‘*’, ‘$’, ‘d’, ‘u’

Also you can specify a repeat count before you call ‘*’, ‘$’, ‘d’, and ‘u’. For example, typing ‘3d’ puts the ‘*’ mark onto three messages. You don’t have to type ‘C-u’ before the number.

9.2 Visiting another buffer

If you want to move to +queue after making a message and putting it to +queue with ‘C-cC-m’ in Draft mode, set ‘mew-visit-queue-after-sending’ to ‘t’.

If you want to visit to an appropriate inbox after setting the "case" with ‘C’ in Summary mode, set ‘mew-visit-inbox-after-setting-case’ to ‘t’.

If you want to move from Summary mode to a draft (Draft mode) whose name is the smallest number, type ‘C-cC-o’.

9.3 Secure SHell

Mew supports SSH version 1 and version 2 and OpenSSH for SSH. You must execute "ssh" on the command and obtain server’s public key before you use Mew with SSH. That is, you should set up so that you can login the server with your user password or with the password to decrypt the secret key of the local machine. In addition, you can omit the password to decrypt the secret key if you use "ssh-agent".

After that, you should configure SSH variables relating to each protocol. For example, if you want to use POP over SSH, set ‘mew-pop-ssh-server’ to your SSH server name.

While a connection is protected by SSH, a picture of a lock is shown in the mode line.

The implementation of Mew does not allow to use both SSH and TLS at the same time. If you need to use TLS over an SSH tunnel, please configure TLS only with Mew and set up an SSH tunnel on a command line.

9.4 Transport Layer Security / Secure Socket Layer

Mew supports TLS (Transport Layer Security) for confidentiality and integrity of TCP transport. To use this feature, Emacs built with GnuTLS library or a “stunnel” program version 5.15 or later is required.

SSL (Secure Socket Layer) was developed by Netscape Communications, Inc. back in 1990s and TLS has been developed as the successor. While these two protocols are compatible with each other in some degree, and GnuTLS and “stunnel” support the both, as of 2020, SSL is considered as a “should not use” protocol because a lot of security flaws were found in the protocol.

For this histrical reason, there are still variables and functions for TLS functionality with “ssl” keyword in Mew.

To enable TLS functionality, you have to configure variables for “stunnel” program or GnuTLS library, and then ones for enabling TLS of each supported protocols.

9.5 TLS by Stunnel

Before you use Mew with TLS, you must be sure that an TLS connection can be established to your TLS server. Since "stunnel" is linked to the "openssl" library, you should understand "openssl". Before you use TLS, you should understand the trust model of certificate authorities (CA).

Suppose we use "~/.certs" as a directory where certificates of trusted CAs are contained. You need to copy PEM-format certificates embedded in the source of "openssl" to this directory. Each name should be "<hash>.0".

Here we call a sample CA certificate "ca.pem". You can calculate <hash> as follows:

% openssl x509 -hash -noout -in ca.pem

To copy the certificate, do as follows:

% cp ca.pem ~/.certs/`openssl x509 -hash -noout -in ca.pem`.0

The certificates in the source of "openssl" do not cover all CAs. If the certificate of your TLS server is signed by another CA, you must copy the certificate of the CA to the directory. You can find trusted CA certificates on Internet from the following URLs:

https://www.ccadb.org
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/

There are two important Mew variables to control "stunnel". ‘mew-ssl-cert-directory’ is the directory where you install certificates of trusted CAs. Its default value is "~/.certs". Also, you can set the verification level with ‘mew-ssl-verify-level’. It’s default to 1. The meanings of the values are as follows:

0

No verification.

1

Verify server’s certificate if present. If verification failed, an TLS connection is not created. If not present, a TLS connection is created.

2

Verify server’s certificate. If verification failed, a TLS connection is not created. If not present, a TLS connection is not created.

3

Verify server’s certificate which locally installed (not one from the server).

You can get started with using stunnel after configuring the variables.

9.6 TLS by GnuTLS Library

Mew requires no specific configuration to support TLS if you are using an Emacs built with GnuTLS library. You can configure the certificate verification level and trusted root CAs by using the following variables.

The policy for verification of the server certificates is handled by Emacs Network Security Manager (NSM). It is configured by ‘network-security-level’, and the default value is ‘'medium’. If it is set to ‘'low’, no verification is performed. If ‘'medium’, NSM will check whether the certificate used to establish the identity of the server we’re connecting to can be verified by using the specified root CA list. A dialog for choosing whether the certificate should be accepted or not will be displayed if it is an invalid certificate including self-signed one. Also, if the connection is unencrypted, but it was encrypted in previous sessions, a similar dialog will be displayed. ‘'high’ will perform additional checks such as a validated certificate which changes the public key and weak cipher/protocols. For more details, see See (emacs)Network Security.

It is recommended to use ‘network-security-level’ to specify the verification level when using GnuTLS. However, Mew traditionally used ‘mew-ssl-verify-level’ variable to specify the verification level for Stunnel program. To keep backward compatibility with it, ‘network-security-level’ will be temporarily set to ‘'low’ if and only if ‘mew-ssl-verify-level’ is ‘0’. Note that the default value of ‘mew-ssl-verify-level’ is ‘1’ and there will be no change with ‘network-security-level’ when ‘mew-ssl-verify-level’ is not ‘0’.

GnuTLS has own variable, ‘gnutls-verify-error’, to configure the verification level. This variable controls if the TCP connection must be disconnected or not if verification of the server certificates failed upon the connection established. The default value is ‘nil’, which means connection will not be closed immediately even when the verification fails. In this case, NSM will perform the verification and decides whether the connection should be disconnected or not. You might think it is a bit odd that the default value of this variable is set to ‘nil’. This is because Emacs itself will check more details of the certificates and the connection than GnuTLS does. For this reason, establishing a TCP connection and decision on disconnect are separated.

If you set ‘gnutls-verify-error’ manually, GnuTLS will terminate the TCP session when the verification of the server certificates fails. In this case, no further verification by NSM will be performed. Note that configurations by using ‘network-security-level’ or ‘mew-ssl-verify-level’ will be ignored in this case. It is recommended to use ‘network-security-level’ over ‘gnutls-verify-error’ unless you have a specific reason.

The trusted root CA list can be specified in ‘mew-ssl-trustfiles’. However, GnuTLS has the default list of the trusted files and they are always used first on Emacs version 26.3 and prior. Note that you cannot disable them even if you set an empty list to the variable.

9.7 Configuration Variables for TLS

Then configure TLS-related variables of each protocol. For example, if you want to use POP over TLS, set ‘mew-pop-ssl’ to ‘t’. To specify the TLS implementation, ‘'tunnel’ or ‘'native’ can be used instead of ‘t’ for stunnel or GnuTLS, respectively. For protocols with ‘t’, the value of ‘mew-ssl-default’ is used as the default TLS implementation. Also, if its port is not a standard one, configure ‘mew-pop-ssl-port’.

(setq mew-pop-ssl t)

To use TLS for SMTP, configure as follows:

(setq mew-smtp-ssl t)

While a connection is protected by TLS, a picture of a lock is shown in the mode line.

Mew can upgrade a plain TCP connection to a TLS connection by using STARTTLS extension in each supported protocols. Before using this, you have to configure variables according to Transport Layer Security / Secure Socket Layer.

STARTTLS will be enabled when the port number for normal TCP connections of the protocol is set to the same as the port number for TLS connections. Configure as follows for POP, for instance:

;; A default value of mew-pop-port is "pop3" (110)
(setq mew-pop-ssl t)
(setq mew-pop-ssl-port mew-pop-port) ;; The default is "pop3s" (995)

The following is an example to enable STARTTLS for Message Submission.

(setq mew-smtp-port "submission") ;; The default is "smtp" (25)
(setq mew-smtp-ssl t)
(setq mew-smtp-ssl-port mew-smtp-port) ;; The default is 465

9.8 Spam messages

(1) In the case where a spam filter is running on your POP server or your IMAP server.

You can put the ‘D’ mark to spam messages while you are retrieving messages in +inbox or you are scanning messages in $inbox/%inbox.

If you use "bogofilter", put the following to your "~/.mew.el".

(defun mew-spam-bogofilter (val)
  (let ((case-fold-search t))
    (if (string-match "yes" val) ?D)))

(setq mew-inbox-action-alist
      '(("X-Bogosity:" mew-spam-bogofilter)))

If you want to put the ‘o’ mark so as to be refiled to the +spam folder, instead of putting to the ‘D’ mark, you should program the function as follows:

(defun mew-spam-bogofilter (val)
  (let ((case-fold-search t))
    (if (string-match "yes" val) "+spam")))

If you use "spamassassin", put the following to your "~/.mew.el".

(setq mew-spam: "X-Spam-Flag:")
(defun mew-spam-assassin (val)
  (let ((case-fold-search t))
    (if (string-match "yes" val) ?D)))

(setq mew-inbox-action-alist
      '(("X-Spam-Flag:" mew-spam-assassin)))

In the case where you want to use bsfilter, see a document in the bsfilter package.

(2) In the case where a spam filter is running in your IMAP server.

You can delete or move spam messages while you are scanning %inbox. If you use "bogofilter", put the following to your "~/.mew.el".

(setq mew-imap-spam-field "X-Bogosity")
(setq mew-imap-spam-word "Yes")

If ‘mew-imap-spam-folder’ or ‘mew-imap-trash-folder’ is defined, spam messages are moved to the folder. Otherwise, they are removed.

(3) In the case where you installed "bogofilter" in your local machine, you can put the ‘*’ mark to spam messages. First you need to install the following script, say "bogo":

#!/bin/sh

bogofilter -v -T -B $* | grep S

Type ‘?’ and ‘RET’, then specify "bogo", and spam messages are marked with ‘*’. After that, you may want to process them with ‘md’ + ‘x’.

(4) In the case where you use POP and a spam filter does not run on the POP server but you want to mark spam messages when retrieving.

Since bsfilter can be a POP proxy server, you can implement your policy. See a document in the bsfilter package.

9.9 Spam messages(2)

If you want to let your filter learn the current message in Summary as a spam, type ‘ls’. Likewise type ‘lh’ to let your filter learn it as a ham (non-spam).

To use these commands, you need to configure four variables in advance. We consider bogofilter as an example and see three cases.

(1) To let your local filter learn:

(setq mew-spam-prog "bogofilter")
(setq mew-spam-prog-args '("-s" "-N" "-v"))
(setq mew-ham-prog "bogofilter")
(setq mew-ham-prog-args '("-n" "-S" "-v"))

(2) To let your filter on your <server> learn via SSH:

(setq mew-spam-prog "ssh")
(setq mew-spam-prog-args '("<server>" "bogofilter" "-s" "-N" "-v"))
(setq mew-ham-prog "ssh")
(setq mew-ham-prog-args '("<server>" "bogofilter" "-n" "-S" "-v"))

(3) To pass through your <firewall> with SSH and to let your filter on your <server> learn via SSH:

(setq mew-spam-prog "ssh")
(setq mew-spam-prog-args '("-A" "<firewall>" "ssh" "<server>" "bogofilter" "-s" "-N" "-v"))
(setq mew-ham-prog "ssh")
(setq mew-ham-prog-args '("-A" "<firewall>" "ssh" "<server>" "bogofilter" "-n" "-S" "-v"))

If you use SSH, you need to configure related hosts so that you can login them without passwords.

9.10 Warning addresses

Suppose you are writing a message which must be closed in your company. You might write an non-employee’s address by mistake. If you tells your company’s domains, for instance, to Mew, it turns non-employee’s addresses to red.

There are four variables to decide which address should trun red. They are all a list of strings. Mew takes the following rules:

1. If an address is specified in ‘mew-safe-addresses’, no warning.
2. If the address is specified in ‘mew-warn-addresses’, warning.
3. If its domain is specified in ‘mew-safe-domains’, no warning.
4. If its domain is specified in ‘mew-warn-domains’, warning.
5. If either ‘mew-warn-addresses’ or ‘mew-safe-domains’ defined, warning.
6. No warning.

Here is an example that an address whose domain is not "@example.org" turns red.

(setq mew-safe-domains '("example.org"))

If you want "customers@example.org" to turn red even its domain is "@example.org", add the following line.

(setq mew-warn-addresses '("customers@example.org"))

9.11 Biff

The functionality to check new messages is called biff. With the following configuration Mew sees how many new messages have arrived every 5 minutes.

(setq mew-use-biff t)

If one or more new messages exist, the total number is displayed in the mode line.

The server and the protocol, which Mew checks, are decided according to ‘mew-proto’ and the "case" (‘mew-case’) on boot time.

With the following configuration, Mew beeps when the number of new messages changes from zero to one or more.

(setq mew-use-biff-bell t)

To change the interval time of biff, set ‘mew-biff-interval’. Below is an example to set it to 10 minutes.

(setq mew-biff-interval 10)

9.12 Edit

Edit mode is a mode to edit a message to generate another new message. The followings are typical examples:

• - Saving a new message with big attachments removed
• - Saving a decrypted message whose original one is encrypted with PGP/MIME or S/MIME

To edit a current message in Edit mode, type ‘M-e’. Then, a new draft is prepared like Draft mode. In Edit mode, you can edit a message as if you were in Draft mode.

To save edited message to a new message, type ‘C-cC-c’ or ‘C-cC-m’. They are the exactly same command. To execute one of them, you are asked a folder to save the new message.

Please take care that you may confuse this command as retry sending (see section Write, answer, and forward). Retry seinding is to send a message after editing while Edit mode is to save a message after modifying.

The following is summary of commands relating to Edit mode. To enter Edit mode from Summary mode, use the following command.

‘M-e’

Entering Edit mode with the current message.

The following is a summary of commands in Edit mode.

‘C-cC-c’

Saving the edited message to a new message.

‘C-cC-m’

The same as ‘C-cC-c’

‘Other commands’

The same as the other commands in Draft mode

9.13 XOAUTH2

Gmail and other services now require XOAUTH2 as an authentication mechanism. Mew can also use XOAUTH2 if you configure the authentication and authorization yourself. Once you have issued your client ID and client secret, set them in the following variables.

(setq mew-oauth2-client-id "<client id>")
(setq mew-oauth2-client-secret "<client secret>")

If everything is set up properly, the authorization screen will be displayed in your local browser only once when you start using it. The issued access token will be saved using Mew’s password mechanism.

Currently, communication with XOAUTH2 has been confirmed with gmail and MS365. For MS365, the following settings are also required.

(setq mew-oauth2-auth-url "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize")
(setq mew-oauth2-token-url "https://login.microsoftonline.com/organizations/oauth2/v2.0/token")
(setq mew-oauth2-resource-url "https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access")

This document was generated on July 8, 2025 using texi2html 5.0.