Personal Information Manager Software

Evaluating Citadel

James F. Carter <jimc@math.ucla.edu>, 2011-01-30

Key Web Links:

www.citadel.org, Citadel home site.
Citserver Administration Manual
Application Layer Protocol, telling what Citserver can be asked to do.
Uncensored Citadel Server. (Registration required.) The Citadel Support room on this server is where you get support.

Citadel versus Ideal PIM Client

I'm going through my design for an ideal PIM suite, and evaluating Citadel in the server role and its Webcit web interface, or Thunderbird plus Lightning, as the client.

PIM Object Types

Supports contacts, calendar, tasks and notes. Good.

E-Mail Management

E-mail management is a major theme in Citadel. UCLA-Mathnet's present design is a UW-IMAP server on each home directory server, holding the mail for users resident there, to collect all eggs in one basket: a person loses service if his homedir server goes down, but not if a different server is lost. We would have to seriously consider using a Citadel instance on each homedir server to provide mail over IMAP.

Citadel is capable of replicating rooms (collections of PIM and other objects) among multiple instances.

Webmail is very popular at UCLA-Mathnet (using Horde). Citadel would be an ideal replacement for Horde if it served IMAP itself. On the other hand, when a faculty member's password is stolen by a keystroke logger, spammers utilize webmail, authenticating as him, getting us on blacklists. In this case it's an advantage to put the webmail server on a separate machine.

Multi-User Access to PIM Objects

Citadel can set up readonly or read-write access to rooms with what looks like the kind of granularity that we need.

Network Service to Wild-Side Clients

Citadel has a long history of serving Internet chat rooms. Likely it has a lot of exposure to hackers, and corresponding bug fixes. We need to get some more explicit information on this issue from the developers.

Services and Protocols Supported

Citadel supports a lot of protocols. For each of them a SSL/TLS connection can be activated (STARTTLS or equivalent) (except see XMPP).

Citadel/504 -- This is the IANA-registered native chat room protocol.
SMTP -- Sending and receiving e-mail. Includes ESMTP. But the controls and restrictions on authenticated access are a lot less elaborate than for Postfix, and likely we would use Citadel as the Mail Delivery Agent (MDA) but not the Mail Submission Agent (MSA) which accepts incoming mail from the spammers. Inter-mailer transport is via LMTP, which Citadel and Postfix both support (including UNIX domain sockets, which are preferable in this context).
IMAP -- Passing mail to the user's reader software. IMAP is a major theme of Citadel. It can also be used to get access to PIM objects. See the discussion previously about replacing our existing IMAP servers with Citadel.
POP3 -- Analogous to IMAP but deprecated in our environment.
XMPP -- As a chat room server, Citadel has been upgraded to use the modern instant message protocol, XMPP. It interoperates with the native chat room protocol. The current version has a regression in SSL support in XMPP -- which my testing indicates has been fixed; I have been using SSL with no problems.
HTTP -- Citadel includes a web client called Webcit that runs on the server and translates the native protocol to semantically approprite Ajaxified web pages, e.g. contacts, calendars, or mail folders. In other words, you can use all features of Citadel from any web browser (on which Ajax works). It also provides semantic support for the GroupDAV PIM protocol, which in this context interoperates with iCalendar (iCal). However, it does not do the superior CalDAV protocol.

Client Software

Citadel includes the Webcit web client, and a text-mode (ncurses) client of the kind commonly used for chat rooms, but for GUI desktop support the user needs something like Thunderbird with Lightning. It remains to be seen how flexible client software is in dealing with Webcit's supported protocols, on Android and iPhone. A back version of Android's web browser has trouble with the Ajax login form, but it also has trouble with other seemingly innocent forms.

Single Sign-On

Citadel can be configured to use PAM authentication, and this is the mode I use for testing, but it does not do real SASL, and in particular it knows nothing of GSSAPI. Webcit uses either its own login form (HTTP) or the protocol-specific analog of Plain Authentication (loginID and password). This is the kind of authentication commonly provided on mail reading software and groupware, and while I would like something better, we can't give Citadel a negative rating for doing what everyone else does.

Location of PIM Objects

I would like to store both PIM objects and mail in the users' home directories. But Citadel has a Berkeley DB file where all the content is saved. At Mathnet we make a special backup of users' mailboxes and restore them on request. We would need to write our own utilities to extract room content so as to continue this service.

Federation

A normally supported mode for Citadel is to have several federated servers, with some rooms replicated on all servers and others (such as personal mailboxes) accessible on only one. However, there is no indication in the documentation that Citadel could federate with other servers of a foreign type, e.g. to read or deposit mail or PIM objects in a folder belonging to the user but on a Zimbra or generic IMAP server.

LDAP Support

Citadel includes LDAP support, both RFC 4519 (POSIX) and Windows Active Directory. When we move to LDAP, Citadel can move with us.

Instant Message

This is not on the list of requirements, but other organizations make good use of instant messaging to coordinate work in the field, and there is a good chance that it would also prove useful to UCLA-Mathnet. Instant messages can be sent and received via native (text-based) Citadel, Webcit and XMPP; all interoperate.

Usage Scenario

Going beyond the feature checklist from the ideal PIM design, perhaps the best way to evaluate Citadel is to lay down a sequence of operations which a client user might actually do that covers all the major features, and see how Citadel behaves on this scenario.

Connect via TLS

The user configures his mail reader, calendar software, XMPP client, etc. with Citadel's URI, and specifying mandatory TLS and mandatory authentication (the latter for SMTP). What is the needed URI, and does our documention show it? Can Citadel and the client accomplish the connection? What possibilities are there for single sign-on (transitive authentication)? (Look for GSSAPI, X.509, others.)

If you have your own departmental certificate authority, make sure to make its root certificate available to the clients before starting the test, to avoid embarrassing complaints that the server's certificate is not trusted. If the server presents a self-signed certificate with a Common Name of '*' then you have forgotten to set up the keys directory for citserver or webcit; either program will then manufacture a self-signed certificate with dubious trust value (rather than just exiting).

HTTPS for Webcit -- Works, no problems. Firefox and Opera use their own special root certificate storage.
IMAP with Thunderbird -- Works, no problems. Uses its own root certificate storage.
IMAP with Pine/Alpine -- Works, no problems. Uses OpenSSL root certificate storage (/etc/ssl/certs).
SMTP (outgoing mail) -- My MTA will present a X.509 certificate, but Citadel does not use it for authentication; it only does Plain authentication. Similarly when Citadel connects to another MTA that could accept a X.509 certificate. For a smart host (to which all outgoing mail is sent) you can specify it as user:password@host:port, to use Plain authentication, but this is not per-user authentication.
GroupDAV/iCalendar with Thunderbird -- Works, no problems.
XMPP -- Works. Pidgin uses its own root certificate storage and has a very limited collection of commercial roots. Pidgin, on the Add/Modify Account tab, needs:
- Your Username (loginID) on the server system
- Domain, e.g. math.ucla.edu or cft.ca.us
- Resource: this is an arbitrary identifier to distinguish multiple instances of the same user. It may not be empty and must be unique. Often the client hostname will be unique.
- For security reasons do not give the password on this page or let it remember the password.
- With PAM authentication on Citadel you should not select Create the account on the server since it is already created.
- (On the Advanced tab:)
- Connection security: require encryption, no plaintext auth.
- Connect port: 5222 (is the default)
- Connect server: Fill in the (public) FQDN of the server.
- Leave the rest at the defaults.
- No Proxy (on the Proxy tab) -- global proxy setting is the default but is often lameass.

Compose Webmail

Use Webcit to compose a mail message and send it out.

Does composition go smoothly?
The web-based editor for composition works fine except for one complaint: an absolute font size is set and it comes out too small on my display.
Is the mail sent out?
Yes.
Did the MTA use the (possibly mandatory) authenticated mailing feature?
No, this is not supported on a per-user basis. (You can give one user and password for sending to a fixed outgoing relay (smart host).)
Does Citadel get the sender address right?

The default sender is First_Last@serverhost, e.g. Jim_Carter@simba.math.ucla.edu. Under Advanced - Edit Your Contact Information, find Primary E-Mail Address and fill in the desired sender address, e.g. jimc@math.ucla.edu. However, the server must be configured to allow users to masquerade this domain. See Administration - Domain Names and Internet Mail Configuration - Masqueradable Domains.
Does Citadel get the recipient address right?

*** Off-site mail is sent out with the recipient unmodified. However, for internal recipients it expects to send to what's in the Global Address Book, i.e. First_Last. I have not yet figured out how to get it to use the UNIX loginID.
Does the message look like spam to the recipient?
It isn't mucked up with advertising or lurid templates, but it comes out as multipart/alternative with text and HTML forks, and as far as I can see there's no way to turn this off.
(In our environment, outgoing mail from a GUI client would go direct to a special Spam Stigma Removal Service on our MTA, not through Citadel.)

Accept Incoming Mail

Reconfigure the mail infrastructure to deliver mail to Citadel, and send some spam and some non-spam.

Does the mail arrive?
Yes.
Can the user opt in to spam filtering? Can the user not opt in? (For us this is legally required.)

*** No, either all mail is run through SpamAssassin during submission, or none is. Spam is rejected by a status code 5xx to the sender. We require per-user opt-in for legal reasons, so this would have to be hacked.
*** I tried and failed to get it to run all the mail through SpamAssassin.
Does the good mail land in the system mailbox?
Yes.
Is the spam detected and does it land someplace reasonable?
Not tested due to problems connecting to SpamAssassin (spamd). But Citadel's policy is to reject spam with 5xx, never deliver it.

Read Webmail

Use Webcit to read the mail received in the previous step.

Is the index reasonable?
Yes.
Is the body readable?
Yes.
Can you view the headers if needed?
Yes.
Reply to the mail, quoting it. Can you avoid top-posting?
**Need to test.
Is your signature file appended?
Yes. The signature is stored within Citadel; it isn't reading $HOME/.signature.
As seen by the recipient you reply to, does the mail look presentable?
Yes.

Read Mail with GUI Client

Read mail with separate client software. Does Citadel deliver the mail using IMAP? Do client features work as usual? Can the client work around Mathnet's wacked-out namespace issue? (Or does Mathnet have to fix that, at long last, atomically with the installation of Citadel?) List of clients to check:

Pine/Alpine

**** Citadel provides personal mail folders such as Drafts, Sent-Mail, etc. as subdirectories of the INBOX directory (folder). And it insists that they be used. At Mathnet (and probably elsewhere), the default folder would be just Drafts etc. at the toplevel of the namespace. So I had to edit my .pinerc file (using Pine's configuration editor), like this:

UW-IMAP: postponed-folder=~/Mail/Drafts
Citadel: postponed-folder=INBOX/Drafts

This is probably a showstopper because at the UCLA Mathematics Department we would have a great deal of trouble to get our users, many of them elderly, to adjust their GUI clients accordingly.
Thunderbird -- Test terminated before getting to Thunderbird.
K-9 for Android -- Also not tested.
Whatever the iPhone has -- Also not tested.
Configure something to use POP3. Can we just refuse to support this? (Not tested.)

Calendar using Webcit

This is all using Webcit.

Create an event in your personal calendar.
Evaluate what fields are under-supported in the provided form.
Create all-day and repeated events.
How do they handle expired events? Can you use your calendar in a kind of diary mode, to record past activities?
Try editing the room's parameters. Look for message expire policy and either set it to a long time or to forever (either is allowed). In this context PIM objects are messages. There is also an expire policy inherited from the floor containing the room.
Create a shared or group calendar with some events in it.
Can the individual client (different from the creator) view it and/or create events?
Can he view the personal and group calendar at the same time? (Union calendar view.)
Can you move events from one list to another?
The room aide (or general aide) can move a message out. It appears that the default configuration is to make the owner of a private room a room aide. (This can be turned off but we want it on.)
Can you add participants? From your contact list?
Receive mail with a vEvent object as an attachment. Can you add this event to your calendar?
Microsoft Exchange has elaborate facilities for accepting or declining events by mail. What does Citadel provide here?
Citserver itself has these commands:
- ICAL sgi -- Emit server generated invitations to a meeting with listed participants.
- ICAL respond -- Victim responds to mail including a vEvent object (meeting invitation) by accepting or declining.
- ICAL conflicts -- Victim compares a vEvent to see if he already has conflicting meetings.
- ICAL handle_rsvp -- Meeting maker updates the vEvent according to whether the victim accepted or declined.
- ICAL freebusy -- Find when a given user is available for a meeting.
Wnat Webcit does with them needs some research.
In addition there are the ICAL getics and ICAL putics commands which bulkload the entire calendar: getics is to send it to the client and putics is to replace the entire calendar with uploaded material.

Calendar using GUI Client

Do these clients behave normally with calendars served from Citadel? (Both viewing and creating events.)

Lightning plugin for Thunderbird and/or Firefox.
iPhone calendar client
Android calendar client -- No way to configure it for other than Google Calendar, hiss, boo!

Contact List using Webcit

The evaluation is similar to the calendar case with these additions:

Create some contacts in your personal contact list.
Receive some mail; can you transfer the sender to your contact list?
Create a group contact list with some contacts in it.
Compose some mail; can you get recipients from both of these contact lists?
Can you declare one list to be the union of several others?
Can you use a contact list in the mode of a mailing list?
Yes, and not only that, you can enable self-service subscription, with an e-mail confirmation message.

Contact List using GUI Client

Do these clients behave normally with contacts served from Citadel? (Both viewing and creating them.)

Thunderbird -- Lightning is irrelevant; identify the right plugin.
iPhone contact list client
Android contact list client, and check from K-9 mail reader.

Task List using Webcit

Basically, the evaluation is the same as for the calendar, with these additions:

Can the tasks be ordered by priority?
How do they handle due dates?

Instant Message (XMPP)

This should be tested on these clients:

Webcit -- Tested, works for basic chat.
Pidgin (either Linux desktop or Windows) -- Tested, works for basic chat.
Android's Jabiru -- Test terminated before getting to Jabiru.
Whatever the iPhone provides -- Not tested either.

Instant message activities to be tested:

Basic instant message chat -- Works, interoperates between Pidgin and Webcit
Are there buddy restrictions (i.e. do you need to establish a relation to chat)? You can chat with anyone, but presence notifications are sent only to buddies.
Presence: is the client notified when the buddy logs in and drops off? -- **** Yes, but logging out kills the buddy relation! This is bad, but it's an explicit design feature of the Citadel XMPP service implementation.
Fine grained presence: Can the participant set sub-states such as do not disturb or chatty? Pidgin can send these. But I have never seen them arrive at the partner's client.
Does Citadel propagate a signal that the buddy is typing? Pidgin can send this. Citadel does not forward it, possibly for the same reason it doesn't send fine-grained presence.
What other extensions are there, such as URL pass-through, attached files, or voice chat? -- If I correctly read RFC 3920, the server has no part in extensions: the client sends whatever XML stanza it pleases, the server is supposed to pass it on without interpretation, and the partner responds to the best of its ability, if any.

Heterogeneous Complaints

While Citadel contributes positively in our environment, it certainly is not perfect. Here is a list of items I've found, not too well organized. I'll try to annotate the issues as I fix, or don't fix them.

User Interface (Webcit)

Lame Use of Browser Cache: Using Opera-11.00. The browser takes a long time to render each page, and from tcpdump it looks like it does at least a HEAD request for each of at least 40 elements (Javascript, CSS and icons). The main page has don't cache headers, but the rest appear to have a lifetime of at least 1 hour. (Needs more investigation.)
__CitadelSMTPspoolout__ as a Page Title: When you hit Advanced in the left sidebar, the page has this identifier as its page title. The same page title appears on all the pages under Your Info, and likely other dependent pages as well.
No Tree Structure for Admin Mail Menu: Administration - View the Outbound SMTP Queue: when you get into this page the only way you can get out is to hit a button (like Administration) in the left side bar.

Authentication

SASL, GSSAPI and Kerberos: I would very much like to use our Kerberos credentials to authenticate to Citadel. This would be on all relevant protocols: IMAP (highest priority), POP3 (deprecated in our environment), XMPP, and presumaby Citadel on 504. The latter two require convincing the clients to present the credential. Also important is single sign-on using Webcit. There is said to be a way to get Firefox to do GSSAPI, but it's also acceptable for Webcit to solicit a certificate when setting up the SSL connection, and to honor it if it's signed by our pet certificate authority.
Helps Password Guessing Attack: On Webcit's login page, when responding to a password guessing attack, it announces User Not Found or Wrong Password as appropriate. The attacker can start by identifying users, and then chew on their passwords. Better to just say Login Incorrect, which requires him to search a Cartesian product space, not knowing if a particular target user even exists. This is how OpenSSH does it. We are attacked in this way multiple times per day. (This issue was pointed out by Chris.)
Cookie Lifetime: The Webcit session cookie (which is not restricted to secure connections) has no listed expiration date. It appears to be very volatile, disappearing possibly on a page reload. There is a cookie called WC_rooms_expanded which lasts until the end of time; its payload appears to be innocuous.

Administration and SMTP Server

Restart after Paging

In Administration - Restart after paging users, it shows a box titled Message to your Users whose content is didn't find Template [box_serverrestartpage] 21 21, and it doesn't restart.

Doesn't Send Mail (fixed)

It's supposed to send to a smart host at otter.mine.nu:587. Viewing the outbound queue: connection refused. Guess what, Postfix is not listening on that port. Because that feature is not turned on, because CFT never uses it anyway for incoming mail. (Until now, all mail was outsourced.) Exponential backoff running the queue is good for scalability but a pain for debugging. I changed to localhost:25 and did /usr/local/citadel/sendcommand SMTP runqueue and the message was sent out.

Wrong Host Name (fixed)

The message was rejected by the recipient because the envelope said it was from jimc@jacinth.cft.ca.us. This is not publicly resolvable. It needs to use otter.mine.nu, which is a public name, although it doesn't accept incoming mail. This is set in Administration - Site Configuration - General. Changing the hostname requires restarting the server. Now the recipient swallows it.

1 Minute Wait to Run SMTP Queue

If you submit a mail message when the queue is empty, Citadel will not ship it out immediately but rather will wait about 1 minute to run the queue. (Based on a sample size of 1 message.) This is not too unreasonable, but annoying to an impatient person. Here's a suggestion: if the queue hasn't been run for more than 1 minute, send the message immediately, otherwise wait for the next scheduled time.

Authenticated SMTP (FYI, not a bug)

The admin guide says that Citadel always refuses third party relay from unauthenticated clients: an incoming message must be addressed to a local user. To relay, the client must authenticate. Default behavior is to toss the incoming body From line and rebuild it using the authenticated user name. This can be turned off, not recommended.

Also, if an outside source sends in mail allegedly from your own domain, Citadel normally rejects it. This can also be turned off.

Spam Suppression

Citadel has a nice design where it runs messages through SpamAssassin before accepting them for delivery; it rejects spam with a 5xx status code. Unfortunately we can't handle that for legal reasons. UCLA-Mathnet needs per-user opt-in, and needs to deposit spam in a separate maibox (folder).

Electronic Mail

HTML Mail, Yuck

This is what a message looks like when sent by Citadel. I've excluded Received headers after the local Postfix got it.

Return-Path: 
Received: from otter.mine.nu (localhost [127.0.0.1])
	by jacinth.cft.ca.us (Postfix) with ESMTP id 7DC3740FE0
	for ; Thu,  3 Feb 2011 22:42:32 -0800 (PST)
To: jimc@pic.ucla.edu
Date: Thu, 03 Feb 2011 22:41:42 -0800
Subject: Test message from Citadel
Message-ID: <0000000136@otter.mine.nu>
From: "Jim Carter" 
MIME-Version: 1.0
X-Mailer: WebCit 7.85
Content-type: multipart/alternative; boundary="Citadel--Multipart--jacinth.cft.ca.us--215d--0004"
X-UID: 185025                                                  
Status: RO
Content-Length: 1072

This is a multipart message in MIME format.

--Citadel--Multipart--jacinth.cft.ca.us--215d--0004
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Citadel@otter.mine.nu -> Postfix@otter.mine.nu -> Laguna, will laguna swa=
llow
it? =20

--=C2=A0
James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-155=
5
Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP k=
ey)
--Citadel--Multipart--jacinth.cft.ca.us--215d--0004
Content-type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

(html)(body)

Citadel@otter.mine.nu -> Postfix@otter.mine.nu -> Laguna, will l=
aguna swallow it?
--=C2=A0
James F. Carter          Voice 310 825 2897    FAX 310 2=
06 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA,=20=
USA 90095-1555
Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~=
jimc (q.v. for PGP key)
(/body)(/html)

--Citadel--Multipart--jacinth.cft.ca.us--215d--0004--

My objections to the message are these:

I wish the user could have a choice to send one, the other, or both of the text/plain and text/html parts. In some circles the use of HTML mail gives a very negative impression, and it's a fact that most spam (that I see when checking our spam suppression software) is sent in HTML format. I would turn off the HTML if the choice were available.
It would appear that the client's MSGP command can specify just text/plain, for reading with the MSG4 command, but it would not affect outgoing mail, which is the point here.
Horde/IMP (webmail) puts in a X-header identifying the submitting user and the host from which he connected. This is very useful when a user's password is stolen by a keystroke logger, and I have to identify which user it is, even though the body sender is forged, pointing back to the spammer's fraud hosting site. Of course Webcit has to tell Citadel the connect host at login time. (Evidently it does so: see Online Users tab, there is a field for From Host which is accurate. This must be a consequence of the IDEN command.)

Mandatory Mail Alias

The mailer wants to send from Jim_Carter@otter.mine.nu, but I need at least a Reply-To and preferably the actual From, saying jimc@math.ucla.edu.

Try this: Go to the Mail room. Hit Advanced (in sidebar). In the lower right item group find Edit This Room. Pick the tab . . . I guess that's now how you configure it.

Dothbert replies: You configure your outgoing/incoming mail alias in your personal vCard.

How to do that: (A) Contacts - pick (or create) a vCard for your Display Name and fill in your Primary Internet E-mail Address and Internet E-Mail Aliases. Hmm, this was ineffective when jimc was the display name. Trying a display name of Jim Carter (with a space). That also was ineffective. (Odd, I now have 3 identical e-mail aliases.) Trying Jim_Carter. That also was ineffective. Under the Online Users tab you see yourself online and the first column gives a link to Edit something. You're editing your room, host and user name as shown in the Who is Online list.

Next try: Hit Advanced. Lower left corner, Your Info, Update Your Contact Information. I have a complete vCard there using Jim Carter (with a space) as the Display Name, and jimc@jacinth.cft.ca.us as the Primary Internet E-mail Address (which was not being used). Changing this to jimc@math.ucla.edu and removing the similar Internet E-Mail Alias: Ineffective, still using Jim_Carter@otter.mine.nu as the From address.

Use the source, Luke! Look at the GVEA command for a list of legal From addresses. Implemented in ./modules/vcard/serv_vcard.c subrt cmd_gvea. Content is CC->cs_inet_email (a string with the actual address, the primary one) followed by CC->cs_inet_other_emails. cs_inet_email is used many places. Possibilities are ./msgbase.c ./user_ops.c ./modules/vcard/serv_vcard.c . In the latter, vcard_upload_aftersave extracts field [M] from an altered vCard into these 2 memory areas. The same is done at login in vcard_session_login_hook. The card from which it is extracted is obtained by vcard_get_user(&CCC->user) which is defined in the same file. It's M.O. is to call CtdlMailboxName(u, USERCONFIGROOM) where u is a struct ctdluser. USERCONFIGROOM = My Citadel Config and this is most likely the vCard that you edit in Your Info (see above).

Another message to Dothebart:

I'm feeling kind of stupid about this, but I have three different vCard-like objects and am having trouble to influence them and get them used.
Advanced - Your Info - Change Your Preferences and Settings: Preferred Email Address shows as <Jim_Carter@otter.mine.nu> and Webcit actually uses this to compose outgoing mail. The dropdown list has only this value and it cannot be edited arbitrarily. When I use the text client and .G My Citadel Config, there is a message with subject Webcit Preferences which is very similar to the content here, except one row says Defaultfrom|jimc@jacinth.cft.ca.us which is different. I didn't tempt fate by trying to alter it. There is another object (no subject) whose Part 1 has mime-type text/x-vcard but I couldn't figure out how to do MSG4 to display it.
Advanced - Your Info - Update Your Contact Information: This shows a vCard form. I tried filling the desired address into Primary Internet E-Mail Address and Internet E-Mail Aliases (one, the other, or both), but it was never available as a selectable From address (or anywhere else that I looked). I did hit Save, and also logged out and logged in again, without effect.
Is there a way to send a raw API command using either Webcit or the text client? I'm curious to see what GVEA would report. I don't think I can use sendcommand because it would not be in the context of a logged-in session, so the server would not know whose addresses to report.
When you use getmail, what is the name of a specific user's aliased rooms such as Mail or My Citadel Config? If I knew that, I could inspect the mysterious vCard. Then, of course, the challenge will be to alter one or the other message.

XMPP (Instant Message)

Coarse grained presence

Pidgin lets you set several kinds of presence, e.g. do not disturb, and custom status messages, e.g. out to lunch. With ejabberd these would be propagated to the partner, but with Citadel you are either available or offline. The transition between these is reported promptly to the partner, but status variants are never seen by the partner. Hmm, see the Online Users tab; the third column (which I had never been able to figure out) shows a sleepy icon for a user who is logged in via Pidgin but is (literally) asleep.

Volatile Buddies

In a normal instant message context, pairs of people designate themselves as friends or buddies (the term normally used in XMPP). This means that they receive XMPP presence notifications, which are not sent to non-buddies. Becoming a buddy requires authorization from the other partner. The buddy state persists until one or both of the buddies unsubscribes.

Citadel has a unique view of the buddy relation: it cancels the buddy relation as soon as one of the users logs out, and it has a special cache of non-buddies called the mortuary so it can transmit these cancellations to a client who logs in later. Also I don't see any code to handle authorizations and authorization requests from the client are never answered. It would appear that the buddy state is supposed to be re-established whenever the user logs in.

I want to use the presence mechanism to monitor when my buddy comes online (and therefore is available to chat) or drops off. I also want to see sub-states such as do not disturb or out to lunch. I think Citadel is not going to provide these functions for me, and under the circumstances I think it isn't justified to rewrite Citadel's code to match my interpretation of normal use of the buddy concept.

Conclusion

I very much wanted Citadel to work for us; it would solve several of our current problems in one stroke. But I'm afraid Citadel has too many problem areas or showstoppers. Here are the problems by function:

Calendar and PIM Objects

Citadel uses the GroupDAV protocol, which in the context of the Thunderbird/Lightning client is upward compatible with iCalendar. In this protocol the client retrieves the entire calendar, makes changes, and rewrites the entire calendar. I worry that some users would have large calendars, contact lists, etc.; the department's event calendar normally has at least 20 events per week and extends several months in the future, and I have read forum postings (about other software) where users complain about capacity limits that can't accomodate their multi thousands (literally) of contacts. The probability of a race condition is proportional to the square of the object size. I worry about being able to do a stress test to gain confidence that race conditions are not happening.

The CalDAV protocol (which Citadel does not support) is superior because it retrieves and sends back PIM objects one at a time. Citadel also provides access to the PIM objects via IMAP, one at a time; this is how Kolab and Horde would communicate.

Incoming Mail (SMTP)

When mail is sent from off-site to Citadel, we require the client to authenticate before we will relay mail to an off-site destination, preventing spam. We have other mail services also available only to our authenticated users. In mail submission Citadel can use Plain authentication but cannot authenticate either by GSSAPI or by interpreting the sender's X.509 certificate optionally presented to set up TLS, which Postfix can do.

Due to legal requirements specific to our organization, we cannot make judgments about the content of mail which is correct as to form. Therefore we need to offer users an opt-in spam solution, and also, we have to actually deliver the spam, normally to a separate folder. Citadel takes the opposite approach: if configured, all mail is run through SpamAssassin during submission, and if it fails it is tossed with a 5xx result code. This design is attractive for a commercial site, but is forbidden in our case.

We also have a very effective spam suppressor, legal for us, called a greylist, and the hooks to use it are not obvious in Citadel.

Reading Mail (IMAP)

Our IMAP namespace was set up years ago and not optimally. Citadel has its own idea of the IMAP namespace which differs both from ours and from the arrangement which we would like to change to. This namespace cannot be configured. It will be traumatic and labor-intensive to get our users, particularly the elderly ones, to change their IMAP namespace. This issue is probably a showstopper for IMAP on Citadel.

Instant Message (XMPP)

While basic messaging works fine in Citadel, it has a bizarre interpretation of the buddy relation (equivalent to friends in other instant message protocols) which makes presence essentially useless. Also, I have never gotten it to respond to an IQ (information query). At least for my use-case, this is a showstopper.

Web Client (HTTP/S)

The brightest spot with Citadel is the web client, an obvious but neglected partner to any server that makes it useful even to users who cannot (or will not) install a dedicated client locally, e.g. on a web-enabled mobile phone.

So in conclusion, Citadel comes very close to doing what I want, but in each aspect (except Webcit) it turns out to have deficiencies which I cannot overcome or ignore. Thus I must reluctantly look for other server software.