[Dovecot] [PATCH, RFC] add APOP authentication mechanism
Timo Sirainen
tss at iki.fi
Sat Jul 3 01:01:15 EEST 2004
On Fri, 2004-07-02 at 10:27, Andrey Panin wrote:
> AUTHNTICATE APOP will not work in IMAP session anyway because it
> doesn't pass initial responce required for APOP, so looks like
> this check is not really necessary.
Currently it doesn't, but there most likely will be extension which adds
initial response support for IMAP. I think there already was a draft.
> > POP3 RFC also says:
> >
> > It is conjectured that use of the APOP command provides origin
> > identification and replay protection for a POP3 session.
> > Accordingly, a POP3 server which implements both the PASS and APOP
> > commands should not allow both methods of access for a given user;
> > that is, for a given mailbox name, either the USER/PASS command
> > sequence or the APOP command is allowed, but not both.
>
> Yeah, I read this RFC part and IMHO it's quite stupid. IIRC here is no
> such restriction for AUTH command, why APOP should be different ?
I thought the same.. And I don't see a "MUST" there, so maybe it's not
that important.
Anyway, I committed the patch with several other changes to implement
dovecot-auth-trusted challenge.
There's still one problem. It's possible that connecting to dovecot-auth
takes longer than accepting a POP3 client. In that case
get_apop_challenge() fails because it doesn't know about auth
connections yet. So, the greeting string should really be delayed until
all auth connections are done. I left it there as FIXME, but moving it
into clients_notify_auth_connected() probably would fix it..
I didn't actually test any of my changes, so it might be broken as
well..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20040703/f5a18a85/attachment.pgp
More information about the dovecot
mailing list