pam_mail
Notify user of pending email upon login
SYNOPSIS
pam_mail is not a standalone command but a PAM module configured in /etc/pam.d/service-name files. Its typical usage within a PAM configuration file is:
auth optional pam_mail.so [options]
session optional pam_mail.so [options]
Where service-name is the PAM service (e.g., login, sshd), auth or session specifies the PAM module type, optional is a control flag, pam_mail.so is the module library, and [options] are zero or more module-specific parameters.
PARAMETERS
noopen
Instructs the module not to open the mail spool file; it will only check for its existence and modification times.
nocheck
Prevents the module from checking for new mail. It will only warn if an empty mail spool file exists.
emptyok
Suppresses warnings if the mail spool file is empty.
standard
Forces the module to check only the standard mail spool location, typically /var/spool/mail/$USER. Mutually exclusive with dir.
dir=directory
Specifies an alternative directory to check for mail spool files. Overrides the standard option and is mutually exclusive with it.
hash=N
When checking Maildir-style spools, this limits the number of directories to search within the tmp, new, and cur subdirectories to N. A value of 0 means no limit.
quiet
Prevents the module from printing any messages to the user; it only returns success or failure.
noenv
Prevents the module from setting the MAIL and MAIL_DIR environment variables for the user's session.
DESCRIPTION
pam_mail is a Pluggable Authentication Modules (PAM) module designed to notify users of new mail during the login process. It runs as part of the PAM authentication and session management stack and is typically configured within files in the /etc/pam.d/ directory.
When used as a session module, it checks the user's mail spool for new messages and, if new mail is found, prints a message to the user's terminal, often displaying the number of new and old messages. As an auth module, it can be used to ensure the mail spool is present, returning success or failure accordingly. The module supports both traditional mbox-style mail spools (e.g., /var/spool/mail/$USER) and Maildir-style setups (e.g., ~/Maildir). Options are available to customize its behavior, such as specifying mail directories, suppressing messages, or controlling environment variable settings. Its primary goal is to give users timely mail notifications after authentication.
CAVEATS
pam_mail relies on the system's mail spool conventions. Misconfiguration of mail spools or mail clients might lead to incorrect notifications or none at all.
The standard and dir options are mutually exclusive; using both will result in an error or unexpected behavior.
For security-sensitive environments, ensure that mail spool directories have appropriate permissions to prevent unauthorized access, as pam_mail directly interacts with these files.
When used as an auth module, it primarily checks for the presence of a mail spool rather than for new mail, which is unlikely to be the intended use on most systems. It is more commonly used in the session phase.
PAM STACK INTEGRATION
pam_mail is typically placed in the session type stack in PAM configuration files (e.g., /etc/pam.d/login, /etc/pam.d/sshd). This ensures that the module runs after successful authentication, just before the user's session is fully established, allowing it to display mail notifications directly to the user's terminal. If placed in the auth stack, its primary function is to check for the mail spool's existence, returning success or failure, rather than providing interactive notifications.
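A small linter for the caveats and stack placement described above, as an added example that is not part of the original page or of Linux-PAM: it flags pam_mail entries that combine standard with dir, sit in the auth stack, or use a control flag other than optional. The function name, the sample configuration and the decision to report non-optional control flags are assumptions of this example; backslash line continuations are not handled.

```python
import re

# Constructed sample of an /etc/pam.d/login fragment (not from a real system).
SAMPLE = """\
# constructed example
auth     required  pam_unix.so
auth     required  pam_mail.so standard
session  optional  pam_mail.so standard dir=/var/mail
-session optional  pam_mail.so dir=~/Maildir noenv
session  [success=ok default=ignore] pam_mail.so quiet
"""

# type, control (simple word or [bracketed] form), module, then options
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def lint_pam_mail(text):
    """Return (line_number, message) findings for pam_mail entries in text."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE.match(line)
        if not m:
            continue
        mtype, control, module, opts = m.groups()
        if module.rsplit("/", 1)[-1] != "pam_mail.so":
            continue
        mtype = mtype.lstrip("-")             # leading '-' only silences logging
        names = {o.split("=", 1)[0] for o in opts.split()}
        if {"standard", "dir"} <= names:
            findings.append((num, "standard and dir are mutually exclusive"))
        if mtype == "auth":
            findings.append((num, "auth stack only checks spool presence; "
                                  "notifications belong in session"))
        if control != "optional":
            # Assumption of this example: a mail notifier should not be able
            # to influence the result of the stack, so review anything else.
            findings.append((num, f"control '{control}' is not optional"))
    return findings

if __name__ == "__main__":
    for num, msg in lint_pam_mail(SAMPLE):
        print(f"line {num}: {msg}")
```

To audit a real system, pass the contents of each file under /etc/pam.d/ to lint_pam_mail.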
MAIL SPOOL LOCATIONS
By default, pam_mail checks common mail spool locations. For traditional mbox format, this is typically /var/spool/mail/username. For Maildir format, it looks for ~/Maildir or other standard Maildir paths within the user's home directory. The module detects and handles both types automatically, but an explicit dir or standard option can override this auto-detection for specific configurations.
HISTORY
pam_mail is part of the Linux-PAM (Pluggable Authentication Modules for Linux) project, which originated in the mid-1990s as a flexible way to manage authentication services independent of applications. PAM was initially developed by Sun Microsystems and later adopted and extended by the Linux community. pam_mail was included as one of the standard modules to provide a common service of notifying users about new mail, integrating this functionality directly into the login and session establishment process, rather than requiring applications to implement it separately. Its design reflects the modular philosophy of PAM, allowing administrators to easily add or remove this specific functionality without modifying application code.