Re: POP handling commands given in wrong state

[Mykyta Yevstifeyev <evnikita2@gmail.com>]

26.07.2011 12:51, Paul Smith wrote:
> On 26/07/2011 10:22, Mykyta Yevstifeyev wrote:
>> 26.07.2011 11:12, Paul Smith wrote:
>>> On 26/07/2011 05:59, Mykyta Yevstifeyev wrote:
>>>
>>> [ . .  .]
>>>
>>> If the state was server defined, so that it may change on the 
>>> server's decision, rather than by purely bad coding in the client, 
>>> then yes, an extended response code may be useful, but when it is 
>>> only bad coding in the client which can make it happen - no.
>> Paul,
>>
>> [Adding Alexey Melnikov to CC list; see below.]
>>
>> I meant just the situation like this.  Eg., when one is using 
>> POP3-over-TLS whereas TLS connection is established before POP 
>> transaction starts, TLS negotiation may be used instead USER-PASS or 
>> AUTH authentication, entering the server into the TRANSACTION state; 
>> on the other hand, the server may require authentication under TLS 
>> layer, entering AUTHORIZATION state after establishing TLS 
>> connection.  I and Alexey Melnikov are currently working on the 
>> POP-over-TLS specification 
>> (https://datatracker.ietf.org/doc/draft-melnikov-pop3-over-tls/) and 
>> the problem is that the client don't know what state is the server in 
>> after TLS negotiation.  If the client tries giving USER and received 
>> -ERR, it may mean that the user name is unknown or that the user is 
>> authenticated already, and the client can't know for sure what does 
>> it mean.  Don't you have other idea of indicating the state?
>
> Hmm. I'd say that was a problem with the POP3 over TLS idea
>
> It seems wrong to have to try to do something, and see if you get an 
> error to see what you should do next. I know ESMTP does it, and the 
> POP3 'CAPA' do it, but that's because those things were added as a 
> hindsight after the base spec had been deployed. For a new standard to 
> need it just feels wrong.
>
> Personally, I'd expect authentication to always be required, even if 
> it's redundant. It just seems too much of a change from the base POP3 
> spec to skip the authorization stage.
>
> So, you could have the TLS session established which establishes the 
> user's identity, and then do
> USER anything
> +OK
> PASS anything
> +OK
>
> or you could use the USER/PASS as a part of two factor authentication 
> (the certificate is something you have, the username/password is 
> something you know)
>
> Going straight from session establishment into transaction state seems 
> wrong to me, given the base POP3 spec which POP3-over-TLS is building on.
The matter is that many POP servers support authentication using X.509 
certificate which was supplied during TLS negotiation and do not require 
further authentication.  In such case issuing USER will lead to -ERR, as 
the server is already in TRANSACTION then.  Other servers implement 
POP-over-TLS so that further authentication is also required (eg. Gmail, 
which I personally am using).
>
>
> BTW - why are you looking at POP3-over-TLS? Isn't this idea obsolete - 
> isn't the 'STLS' command (RFC 2595) the way we should be doing things 
> now? I thought the POP3S way was deprecated.
>
> Note that the RFC 2595 says:
> "The STLS command is only permitted in AUTHORIZATION state and the 
> server remains in AUTHORIZATION state, even if client credentials are 
> supplied during the TLS negotiation." so with STLS you have to 
> authenticate (not sure why it's called 'authorization' state when it's 
> really 'authentication' state, but that's not relevant) even if the 
> TLS has already supplied the user details.
Yes, RFC 2595 discouraged use of POP-over-TLS.  However, it is now used 
even wider than STLS, which led to effort to document this mode.  See 
above for note on why authorization might not be necessary after TLS 
negotiation.

Mykyta
>
>
>