[Dovecot] Improper use of IN-USE in case of a failed authentication
RFC2449 defines the IN-USE extended POP3 response code as
8.1.2. The IN-USE response code
This occurs on an -ERR response to an AUTH, APOP, or PASS
command. It indicates the authentication was successful, but
the user's maildrop is currently in use (probably by another
POP3 client).
http://www.faqs.org/rfcs/rfc2449.html
In contrast to this, the POP3 login code in client_authenticate.c will send IN-USE whenever authentication was not successful because of some kind of internal failure[*].
[*] Noticed during experiments with a shell SQL database
driver which only ever returns errors as reaction to any
query.
I happen to know of at least one (partial) client implementation (which I happen to have written and which is used by an iPhone application for POP3 user credential verification) which actually interprets IN-USE as it is defined by the RFC.
On Sun, 2010-03-28 at 23:09 +0200, Rainer Weikusat wrote:
> RFC2449 defines the IN-USE extended POP3 response code as
> 8.1.2. The IN-USE response code
> This occurs on an -ERR response to an AUTH, APOP, or PASS command. It indicates the authentication was successful, but the user's maildrop is currently in use (probably by another POP3 client).
> http://www.faqs.org/rfcs/rfc2449.html
> In contrast to this, the POP3 login code in client_authenticate.c will send IN-USE whenever authentication was not successful because of some kind of internal failure[*].
Yes. In both cases the failure is temporary.
> I happen to know of at least one (partial) client implementation (which I happen to have written and which is used by an iPhone application for POP3 user credential verification) which actually interprets IN-USE as it is defined by the RFC.
What about the reverse? If no IN-USE is sent, how many clients will just treat it as authentication failure and ask the user for the password again, without showing the "internal failure" error at all? (I don't know the answer. I assumed IN-USE would cause less problems.)
Timo Sirainen <tss@iki.fi> writes:
> On Sun, 2010-03-28 at 23:09 +0200, Rainer Weikusat wrote:
> > RFC2449 defines the IN-USE extended POP3 response code as
> > 8.1.2. The IN-USE response code
> > This occurs on an -ERR response to an AUTH, APOP, or PASS command. It indicates the authentication was successful, but the user's maildrop is currently in use (probably by another POP3 client).
> > http://www.faqs.org/rfcs/rfc2449.html
> > In contrast to this, the POP3 login code in client_authenticate.c will send IN-USE whenever authentication was not successful because of some kind of internal failure[*].
> Yes. In both cases the failure is temporary.
The RFC excerpt above states that "It indicates the authentication was successful, but the user's maildrop is currently in use". The difference arguably doesn't matter much for the intended purpose of the response code, namely, to provide a more reliable way to check for 'mailbox locked' states than trying to analyze the 'user message' part of the string; it just means that IN-USE does not communicate anything about the validity of the credentials which were being used.
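
Added example, not part of the thread and not code from Dovecot or either participant: a client-side classifier for the reply to PASS, APOP or AUTH that contrasts the literal RFC 2449 reading of IN-USE with the conservative reading the thread ends on. The names `Verdict`, `parse_response`, `credential_verdict` and `trust_in_use` are hypothetical, and the response lines are constructed samples.

```python
import re
from enum import Enum


class Verdict(Enum):
    VALID = "credentials accepted"
    INVALID = "credentials rejected"
    UNKNOWN = "reply says nothing about the credentials"


# Status indicator, then an optional bracketed response code (RFC 2449).
_RESP = re.compile(r"^(\+OK|-ERR)(?:[ \t]+\[([A-Za-z0-9/-]+)\])?")


def parse_response(line):
    """Return (ok, code); code is upper-cased for comparison, or None."""
    m = _RESP.match(line.strip())
    if m is None:
        raise ValueError("not a POP3 status line: %r" % (line,))
    code = m.group(2)
    return m.group(1) == "+OK", (code.upper() if code else None)


def credential_verdict(line, trust_in_use=False):
    """Classify a login reply for a credential-verification client.

    trust_in_use=True is the literal RFC 2449 reading: IN-USE means the
    authentication succeeded and only the maildrop is locked.
    The default treats IN-USE as UNKNOWN, because the thread shows a
    server sending it when authentication failed for internal reasons.
    """
    ok, code = parse_response(line)
    if ok:
        return Verdict.VALID
    if code == "IN-USE":
        return Verdict.VALID if trust_in_use else Verdict.UNKNOWN
    return Verdict.INVALID  # plain -ERR or a code this client ignores


# Constructed sample replies, not captured from a real server.
SAMPLES = [
    "+OK logged in",
    "-ERR [IN-USE] maildrop locked by another session",
    "-ERR [IN-USE] internal failure in the password database",
    "-ERR authentication failed",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "|", credential_verdict(s, True).name,
              "|", credential_verdict(s).name)
```

Under the literal reading, the second and third samples are indistinguishable and both report the credentials as accepted; with the default, a verification client retries later instead of recording a result.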
participants (2): Rainer Weikusat, Timo Sirainen