[Dovecot] Improper use of IN-USE in case of a failed authentication
rweikusat at mssgmbh.com
Mon Mar 29 00:35:30 EEST 2010
Timo Sirainen <tss at iki.fi> writes:
> On Sun, 2010-03-28 at 23:09 +0200, Rainer Weikusat wrote:
>> RFC2449 defines the IN-USE extended POP3 response code as
>> 8.1.2. The IN-USE response code
>> This occurs on an -ERR response to an AUTH, APOP, or PASS
>> command. It indicates the authentication was successful, but
>> the user's maildrop is currently in use (probably by another
>> POP3 client).
>> In contrast to this, the POP3 login code in client_authenticate.c will
>> send IN-USE whenever authentication was not successful because of
>> some kind of internal failure[*].
> Yes. In both cases the failure is temporary.
The RFC excerpt above states that "It indicates the authentication was
successful but the user's maildrop is currently in use". The
difference arguably doesn't matter much for the intended purpose of the
response code, namely, to provide a more reliable way to check for
'mailbox locked' states than trying to analyze the 'user message' part
of the string; it just means that IN-USE does not communicate anything
about the validity of the credentials which were being used.
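
As an added example (not part of the original message and not Dovecot code): a client-side classifier for replies to AUTH, APOP or PASS that follows the point made above, treating IN-USE as a temporary failure that says nothing about whether the credentials are valid. The function and field names are hypothetical, and the reply lines it is meant for are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Status indicator, then an optional RFC 2449 extended response code
# in square brackets at the start of the text, then the human-readable text.
_REPLY = re.compile(r"^(\+OK|-ERR)(?:[ \t]+(?:\[([^\]\s]+)\])?[ \t]*(.*))?$", re.I)

# Codes that mark a failure as temporary. IN-USE and LOGIN-DELAY are defined
# in RFC 2449; SYS/TEMP comes from RFC 3206 and is not mentioned in the thread.
TEMPORARY = {"IN-USE", "LOGIN-DELAY", "SYS/TEMP"}


@dataclass
class AuthReply:
    ok: bool
    code: Optional[str]          # normalised response code, or None
    retry_later: bool            # temporary failure: retry with the same credentials
    reprompt: bool               # failure not marked temporary: ask the user again
    credentials_verified: bool   # True only on +OK, never inferred from a code
    text: str


def classify_auth_reply(line: str) -> AuthReply:
    """Classify one server reply to AUTH, APOP or PASS (hypothetical helper)."""
    m = _REPLY.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a POP3 status line: %r" % line)
    ok = m.group(1).upper() == "+OK"
    code = m.group(2).upper() if m.group(2) else None
    text = m.group(3) or ""
    if ok:
        return AuthReply(True, code, False, False, True, text)
    temporary = code in TEMPORARY
    # A server may send IN-USE for an internal failure as well as for a locked
    # maildrop, so the code must not be read as "the password was accepted":
    # keep the stored credentials, retry later, and leave them unverified.
    return AuthReply(False, code, temporary, not temporary, False, text)
```

A client that caches passwords would use `retry_later` to decide whether to keep them and `credentials_verified` to decide whether to mark them as known good; only a `+OK` reply sets the latter.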