[Dovecot] Improper use of IN-USE in case of a failed authentication

Timo Sirainen tss at iki.fi
Mon Mar 29 00:16:57 EEST 2010


On Sun, 2010-03-28 at 23:09 +0200, Rainer Weikusat wrote:
> RFC2449 defines the IN-USE extended POP3 response code as
> 
> 	8.1.2.  The IN-USE response code
> 
> 	This occurs on an -ERR response to an AUTH, APOP, or PASS
> 	command.  It indicates the authentication was successful, but
> 	the user's maildrop is currently in use (probably by another
> 	POP3 client).
> 	http://www.faqs.org/rfcs/rfc2449.html
> 
> In contrast to this, the POP3 login code in client_authenticate.c will
> send IN-USE whenever authentication was not successful because of
> some kind of internal failure[*].

Yes. In both cases the failure is temporary.

> I happen to know of at least one (partial) client implementation (which
> I happen to have written, and which is used by an iPhone application for
> POP3 user credential verification) which actually interprets IN-USE as
> it is defined by the RFC.

What about the reverse? If no IN-USE is sent, how many clients will just
treat it as authentication failure and ask the user for the password
again, without showing the "internal failure" error at all? (I don't
know the answer. I assumed IN-USE would cause fewer problems.)
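
The client-side consequence discussed in this thread, as an added example that is not part of either message or of Dovecot's code: a credential-verification client that accepts only `+OK` as proof of a valid password and treats `-ERR [IN-USE]` as indeterminate instead of as "authentication was successful". The function names, the three-state result and the sample reply lines are constructed for illustration; `SYS/TEMP` comes from RFC 3206, which the thread does not mention.

```python
import re
from enum import Enum


class AuthResult(Enum):
    VERIFIED = "verified"            # server answered +OK
    REJECTED = "rejected"            # -ERR without a temporary code
    INDETERMINATE = "indeterminate"  # temporary condition: password neither proven nor disproven


# RFC 2449 section 8: an optional response code in square brackets
# directly follows the status indicator, e.g. "-ERR [IN-USE] text".
_STATUS = re.compile(r"^(\+OK|-ERR)(?=\s|$)(?:[ \t]+\[([^\]\r\n]+)\])?", re.IGNORECASE)

# IN-USE is the code discussed in the thread; SYS/TEMP is from RFC 3206
# (an assumption added here, not something the thread mentions).
_TEMPORARY = {"IN-USE", "SYS/TEMP"}


def classify_auth_reply(line):
    """Map one reply to AUTH/APOP/PASS onto a three-state result."""
    m = _STATUS.match(line)
    if m is None:
        raise ValueError("not a POP3 status line: %r" % line)
    status = m.group(1).upper()
    code = (m.group(2) or "").upper()
    if status == "+OK":
        return AuthResult.VERIFIED
    if code in _TEMPORARY:
        # The server in this thread also sends IN-USE on internal failures,
        # so the code alone must not be read as "the password was correct".
        return AuthResult.INDETERMINATE
    return AuthResult.REJECTED


def verify_credentials(replies):
    """True/False on the first definite reply; None if all were temporary."""
    for line in replies:
        result = classify_auth_reply(line)
        if result is AuthResult.VERIFIED:
            return True
        if result is AuthResult.REJECTED:
            return False
    return None  # caller should retry later or report a server-side problem
```

A caller that gets `None` can show a "server temporarily unavailable" message instead of re-prompting for the password or reporting the credentials as valid.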