Word on the street is Eric S. Johansson said:
another possibility (assuming I want to use the "make the user wait" model) is to create a simple proxy which only handles the authentication phase. it establishes a connection with the remote server based on given username and password, runs the pop3 fetch and filter, and drops messages into a local maildir. then, pass the connection to a local dovecot, replaying the authentication sequence (or even bypassing given that the system authenticated on a "authoritative" source) but now connecting the users mail client to the dovecot pop3 server.
Yet another model, if you don't need the first LIST to block, would be to write a simple script to "tail -f" the dovecot log file, watch for successful auths, and then launch fetchmail for that user. Could be done in Perl in about 20 lines :)
Skye