Re: POP handling commands given in wrong state

Paul Smith <> Wed, 27 July 2011 08:51 UTC

Received: from (localhost []) by (8.14.4/8.14.3) with ESMTP id p6R8pATC055982 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 27 Jul 2011 01:51:11 -0700 (MST) (envelope-from
Received: (from majordom@localhost) by (8.14.4/8.13.5/Submit) id p6R8pAO1055981; Wed, 27 Jul 2011 01:51:10 -0700 (MST) (envelope-from
X-Authentication-Warning: majordom set sender to using -f
Received: from ( []) by (8.14.4/8.14.3) with ESMTP id p6R8p7ut055975 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Wed, 27 Jul 2011 01:51:09 -0700 (MST) (envelope-from
Received: from ([]) by ([] running VPOP3) with ESMTP; Wed, 27 Jul 2011 09:49:56 +0100
Received: from [] ([]) by ([] running VPOP3) with ESMTP; Wed, 27 Jul 2011 09:49:53 +0100
Message-ID: <>
Date: Wed, 27 Jul 2011 09:49:53 +0100
From: Paul Smith <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv: Gecko/20110616 Lightning/1.0b2 Thunderbird/3.1.11
MIME-Version: 1.0
To: Mykyta Yevstifeyev <>
CC:, Alexey Melnikov <>
Subject: Re: POP handling commands given in wrong state
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: paul
X-Server: VPOP3 Enterprise V4.0.0e - Registered
X-Organisation: Paul Smith Computer Services
Precedence: bulk
List-Archive: <>
List-ID: <>
List-Unsubscribe: <>

On 27/07/2011 05:57, Mykyta Yevstifeyev wrote:
>> Hmm, I think if you are talking about existing implementations using 
>> a deprecated system, then trying to alter the behaviour of them is 
>> unlikely to achieve anything...
> I wouldn't say it is deprecated; POP-over-TLS is used even more often 
> that STLS, as I've already mentioned.  We're trying to give it the 
> official documentation and set the standard behavior of the server/client.

It is 'discouraged' then. Also, because, as of now, there is no 
standards track document saying how POP3-over-TLS should work, I think 
you can safely call it non-standard. Non-standard + 'discouraged' + a 
better standardised option = seems to suggest that no one should be 
starting to use that system now... There is no good reason to use 
POP3-over-TLS instead of STLS, so I think it needs to be made clear that 
POP3-over-TLS is second-best compared to STLS (as someone who's 
implemented both, I found STLS a lot easier than POP3-over-TLS to 

If you are trying to specify what future servers who want to use this 
'discouraged' system should do, then simply say they must start up in 
the authorization stage after the TLS session has been started (just as 
with STLS). Anything else is too far from the POP3 standard, and as 
Randall said 'magic'.

I am not aware of any 'well known' POP3 clients which will skip the 
authorization stage, so any server which requires this must just be used 
for 'internal' use, and thus not really relevant for standards. Internal 
use servers can do anything they want so these aren't doing 
'POP3-over-TLS', they're doing 'almost-POP3-over-TLS' which is fine for 
internal use.

The only reason to do a POP3-over-TLS implementation nowadays should be 
to allow compatibility with some popular old software which doesn't 
support STLS. AFAIK, that is essentially old versions of Outlook/Outlook 
Express - those use USER/PASS after connecting over TLS.

I strongly feel that the POP3 session should start in the authorization 
stage, as understood by everyone who uses a standardised POP3 service 
(ie one where the developer has read RFC 1939). So, USER/AUTH/APOP is 
needed as one of the first commands after connecting.

As Randall suggested, use SASL EXTERNAL if you want (isn't this the 
whole point of SASL EXTERNAL?), but you should need an AUTH. What's the 
problem with needing that?

> In our case the AUTHORIZATION is safely replaced by TLS negotiation.  
> It also happens directly after TCP connection, but skipping the 
> greeting, which is replaced by TLS ServerHello message.
Which is breaking the POP3 standard, because the greeting is specified 
as a 'one line [text] greeting'

>> If you are just wanting to document existing behaviour, then this 
>> doesn't matter, as neither the extended response nor standard 
>> compliant behaviour is possible.
> But if we try to unify all existing behavior, this will be great, 
> won't it?

Well, what would be great IMHO would be to destroy all POP3-over-TLS 
implementations... They should never have been done in the first place!

But, failing that, it's fairly obvious the 'most correct' implementation 
is to do it as Gmail, Thunderbird, etc, etc have done, and have it as 
normal RFC 1939 but with a TLS 'wrapper' around the session.

The 'broken' implementation of not needing AUTH after session 
establishment is the one that needs to be fixed somehow. Either you 
kludge it by having some mechanism that the client needs to understand 
for the server to say 'I'm in the wrong state now', or you fix it 
properly by having the server enter AUTHORIZATION state.