Re: POP handling commands given in wrong state

Paul Smith <> Tue, 26 July 2011 13:45 UTC

Received: from (localhost []) by (8.14.4/8.14.3) with ESMTP id p6QDj0Xk003605 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 26 Jul 2011 06:45:00 -0700 (MST) (envelope-from
Received: (from majordom@localhost) by (8.14.4/8.13.5/Submit) id p6QDj0Fx003604; Tue, 26 Jul 2011 06:45:00 -0700 (MST) (envelope-from
X-Authentication-Warning: majordom set sender to using -f
Received: from ( []) by (8.14.4/8.14.3) with ESMTP id p6QDivU8003594 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Tue, 26 Jul 2011 06:44:58 -0700 (MST) (envelope-from
Received: from ([]) by ([] running VPOP3) with ESMTP; Tue, 26 Jul 2011 14:39:57 +0100
Received: from [] ([]) by ([] running VPOP3) with ESMTP; Tue, 26 Jul 2011 14:32:17 +0100
Message-ID: <>
Date: Tue, 26 Jul 2011 14:32:16 +0100
From: Paul Smith <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv: Gecko/20110616 Lightning/1.0b2 Thunderbird/3.1.11
MIME-Version: 1.0
To: Mykyta Yevstifeyev <>
Subject: Re: POP handling commands given in wrong state
References: <> <> <> <> <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------050608030700090309090108"
X-Authenticated-Sender: paul
X-Server: VPOP3 Enterprise V4.0.0e - Registered
X-Organisation: Paul Smith Computer Services
Precedence: bulk
List-Archive: <>
List-ID: <>
List-Unsubscribe: <>

On 26/07/2011 14:19, Mykyta Yevstifeyev wrote:
>> Going straight from session establishment into transaction state 
>> seems wrong to me, given the base POP3 spec which POP3-over-TLS is 
>> building on.
> The matter is that many POP servers support authentication using X.509 
> certificate which was supplied during TLS negotiation and do not 
> require further authentication.  In such case issuing USER will lead 
> to -ERR, as the server is already in TRANSACTION then.  Other servers 
> implement POP-over-TLS so that further authentication is also required 
> (eg. Gmail, which I personally am using).
>> BTW - why are you looking at POP3-over-TLS? Isn't this idea obsolete 
>> - isn't the 'STLS' command (RFC 2595) the way we should be doing 
>> things now? I thought the POP3S way was deprecated.
>> Note that the RFC 2595 says:
>> "The STLS command is only permitted in AUTHORIZATION state and the 
>> server remains in AUTHORIZATION state, even if client credentials are 
>> supplied during the TLS negotiation." so with STLS you have to 
>> authenticate (not sure why it's called 'authorization' state when 
>> it's really 'authentication' state, but that's not relevant) even if 
>> the TLS has already supplied the user details.
> Yes, RFC 2595 discouraged use of POP-over-TLS.  However, it is now 
> used even wider than STLS, which led to effort to document this mode.  
> See above for note on why authorization might not be necessary after 
> TLS negotiation.

Hmm, I think if you are talking about existing implementations using a 
deprecated system, then trying to alter the behaviour of them is 
unlikely to achieve anything...

Personally, I'd say that a POP3 server that skips the authorization 
state because of the certificate is not standards compliant, because 
there is no standard which allows that behaviour.

RFC 1939 section 3 says "Once the TCP connection has been opened and the 
POP3 server has sent the greeting, the session enters the AUTHORIZATION 
state. In this state, the client must identify itself to the POP3 server."

Potentially, the client could identify itself using the certificate - 
HOWEVER, this has to happen *after the POP3 server has sent the 
greeting* for it to be standards compliant, so it can't be done using 
the certificate with POP3-over-TLS (it could have been, using the STLS 
extension, except that specifically excludes that option)

So, any server which does not enter AUTHORIZATION state after the 
connection has been opened and the POP3 server has sent the greeting is 
NOT RFC 1939 compliant.

If you are wanting to change the behaviour of existing POP3-over-TLS 
server implementations so they send a POP3 extended response, then you 
should rather change their behaviour so they are compliant to the 
existing RFC 1939 instead...

If you are just wanting to document existing behaviour, then this 
doesn't matter, as neither the extended response nor standard compliant 
behaviour is possible.