date 92.10.26.16.46.29; author jromine; state Exp;
date 92.10.26.16.45.51; author jromine; state Exp;
MD5 API changes forced APOP changes
draft POP Version 3: More Service Offerings Apr 92

Post Office Protocol: Version 3
More Service Offerings

Fri Apr 17 21:03:20 1992

Dover Beach Consulting, Inc.
mrose@dbc.mtview.ca.us
1. Status of this Memo

This memo provides information for the Internet community. It
does not specify any standard. Distribution of this memo is
unlimited. Please send comments to the author.

2. Abstract

This memo suggests some modest enhancements to version 3 of
the Post Office Protocol (RFC 1081). All of these extensions
are optional. In particular, administrators should examine
their environment to see if any of these enhancements are
3. Historical Overview

The Post Office Protocol (POP) was developed to provide a
simple mechanism for workstations to download their mailboxes
from workgroup and departmental servers. Typically, the
workstations and servers are interconnected via a LAN or
perhaps an internet-mesh with reasonable throughput and

As use of the Internet suite of protocols has grown, different
kinds of environments are beginning to use the POP. This memo
suggests optional enhancements to the POP to allow it to
function better in these environments.
Each POP session starts with a USER/PASS exchange. This
results in a POP-subscriber password being sent in the clear
on the network. For intermittent use of POP, this may not
introduce a sizable risk. However, many POP client
implementations connect to the POP server on a regular
basis -- to check for new mail. Further, the interval of
session initiation may be on the order of five minutes.
Hence, the risk of password capture is greatly increased.

A new method of authentication is required which provides for
both origin authentication and replay protection, but which
does not involve sending a password in the clear over the
network. This memo introduces a new command, APOP, to provide
A POP server which implements the APOP command will include a
timestamp in its banner greeting. The syntax of the timestamp
corresponds to the `msg-id' in RFC 822, and MUST be different
each time the POP server issues a banner greeting. For
example, on a UNIX implementation in which a separate UNIX
process is used for each instance of a POP server, the syntax
of the timestamp might be:

<process-ID.clock@hostname>

where `process-ID' is the decimal value of the process's PID,
clock is the decimal value of the system clock, and hostname
is the fully-qualified domain-name corresponding to the host
where the POP server is running.

The POP client makes note of this timestamp, and then issues
the APOP command. The syntax of this command is:
The `name' parameter is a locally-significant string which
identifies a particular POP-subscriber. The `digest'
parameter is calculated by applying the MD5 algorithm[1] to a
string consisting of the timestamp (including angle-brackets)
followed by a shared secret. This shared secret is a string
known only to the POP client and POP server. Great care
should be taken to prevent unauthorized disclosure of the
secret, as knowledge of the secret will allow any entity to
successfully masquerade as the named POP-subscriber. The
`digest' parameter itself is a 16-octet value which is sent in
When the POP server receives the APOP command, it verifies the
digest provided. If the digest is correct, the POP server
issues a positive response, and the POP session enters the
TRANSACTION state. Otherwise, a negative response is issued
and the POP session remains in the AUTHORIZATION state.
S: +OK POP server ready <1896.697170952@dbc.mtview.ca.us>
S: +OK password required for mrose
C: APOP c4c9334bac560ecc979e58001b3e22fb
S: +OK maildrop has 1 message (369 octets)
In this example, the shared secret is the string `tanstaaf'.
Hence, the MD5 algorithm is applied to the string

<1896.697170952@dbc.mtview.ca.us>tanstaaf

which produces a digest value of

c4c9334bac560ecc979e58001b3e22fb
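The following is an added example, not code from the memo or from MH, showing both halves of the APOP exchange described above: the server builds a per-greeting timestamp, the client computes MD5 over timestamp-plus-secret, and the server verifies it with a constant-time comparison and treats the timestamp as single-use. The `ApopServer` class, its reply strings and the `run_example` helper are assumed for illustration; the timestamp and secret `tanstaaf` are the memo's own example values, so the digest can be checked against the value printed above.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# The memo's own example values (constructed for the usage example there).
EXAMPLE_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
EXAMPLE_SECRET = "tanstaaf"


def banner_timestamp(pid: int, clock: int, hostname: str) -> str:
    """Timestamp in the <process-ID.clock@hostname> form the memo suggests.
    On a process-per-session server, pid and clock together make the value
    differ for every greeting; that freshness is what defeats replay."""
    return f"<{pid}.{clock}@{hostname}>"


def apop_digest(timestamp: str, secret: str) -> str:
    """MD5 over the timestamp (angle brackets included) immediately followed
    by the shared secret, rendered as 32 lowercase hex digits (16 octets)."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def timestamp_from_banner(banner: str) -> Optional[str]:
    """Client side: pull the msg-id style timestamp out of the banner line."""
    start = banner.find("<")
    if start < 0:
        return None
    end = banner.find(">", start)
    if end < 0:
        return None
    return banner[start:end + 1]


class ApopServer:
    """Minimal AUTHORIZATION-state handler (assumed design, not MH's)."""

    def __init__(self, secrets_by_name: Dict[str, str], hostname: str):
        self._secrets = secrets_by_name
        self._hostname = hostname
        self._timestamp: Optional[str] = None
        self.state = "AUTHORIZATION"

    def greet(self, pid: Optional[int] = None, clock: Optional[int] = None) -> str:
        pid = os.getpid() if pid is None else pid
        clock = int(time.time()) if clock is None else clock
        self._timestamp = banner_timestamp(pid, clock, self._hostname)
        return f"+OK POP server ready {self._timestamp}"

    def apop(self, name: str, digest: str) -> str:
        if self.state != "AUTHORIZATION" or self._timestamp is None:
            return "-ERR APOP not valid now"
        # Compute against an empty secret for unknown names so that a bad
        # name and a bad digest cost the same time.
        secret = self._secrets.get(name, "")
        expected = apop_digest(self._timestamp, secret)
        ok = name in self._secrets and hmac.compare_digest(expected, digest.lower())
        # The timestamp is single-use: any further attempt in this session,
        # right or wrong, needs a fresh greeting.
        self._timestamp = None
        if ok:
            self.state = "TRANSACTION"
            return "+OK maildrop locked and ready"
        return "-ERR authentication failed"


def run_example() -> Tuple[str, str, str]:
    """Whole exchange with the memo's values; returns (digest, reply, state)."""
    server = ApopServer({"mrose": EXAMPLE_SECRET}, "dbc.mtview.ca.us")
    banner = server.greet(pid=1896, clock=697170952)
    ts = timestamp_from_banner(banner)
    digest = apop_digest(ts, EXAMPLE_SECRET)
    reply = server.apop("mrose", digest)
    return digest, reply, server.state


if __name__ == "__main__":
    print(run_example())
```

Because the digest binds the secret to a timestamp the server never reuses, a digest captured off the wire is worthless against the next greeting; the example's second assertion below exercises exactly that case.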
5. The XTND SCAN command

The current POP model works best when network latency and
throughput are on the order provided by most LANs. However,
when POP is used over low-speed connections (e.g., 2400 baud
dialup lines), the POP does not work well.

Historically, the POP model has been to make only minimal
requirements on the POP server. In order to more effectively
operate over low-speed connections, this model must be
modified somewhat. Implementation experience shows that the
largest improvement can be achieved by making one shift:
having the POP server generate a scan listing for the POP
client. This memo introduces a new command, XTND SCAN, to
provide this functionality.
A POP client issues the XTND SCAN command during the
TRANSACTION state. The syntax of this command is:

XTND SCAN width [format]

The `width' parameter is the maximum length for a scan
listing. The optional `format' parameter is a quoted-string
with the semantics of an mh-format(5) string[2]. If the
`format' parameter is not given, the POP server uses a
locally-defined default value. Note that the resulting format
string must not contain CR or LF.

The `format' parameter is the only token in the POP which must
be enclosed in double-quotation marks. Within the string, two
special sequences are recognized:

Otherwise, each character is used verbatim. Note that this
string can be quite long (on the order of 400 characters).
When the POP server receives the XTND SCAN command and if it
implements it, it issues a positive response. Otherwise a
negative response is issued. Thereafter, whenever the POP
client issues a LIST command, the syntax of the resulting
`scan listing' is of the form:
As with the standard POP, the `msgno' field gives the message
number and the `size' field gives the size of the message in
octets. The `string' parameter, which immediately follows the
`#' character, is the string calculated when the formatting
string is applied to the message. Note that the `string' may
C: XTND SCAN 80 "%4(msg)%<(cur)+%| %>%<{replied}-%|...
S: +OK 1 369 # 1 02/03 17:49PST To:mrose test<<
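As an added example (not the memo's or MH's code), here is a parser for the `msgno size # string` scan listing defined above, together with the server-side step that builds such a line while enforcing the two constraints the memo places on the string: no CR or LF, and no more than `width` characters. The parser treats only the first `#` as the delimiter, so a `#` produced by the format string survives intact. The sample lines are constructed here, apart from the first, which is the memo's own example; the function names are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample listing. The first line is the memo's own example; the
# second has a '#' inside the formatted string, the third an empty string.
SAMPLE_LISTING = [
    "+OK 1 369 # 1 02/03 17:49PST To:mrose test<<",
    "2 1024 #Re: item #2 of the report<<",
    "3 87 #",
]

# Optional '+OK' status, decimal msgno, decimal size, then everything after
# the first '#' verbatim.
SCAN_LINE = re.compile(r"^(?:\+OK\s+)?(\d+)\s+(\d+)\s*#(.*)$")


def parse_scan_line(line: str) -> Tuple[int, int, str]:
    """Split one scan listing line into (msgno, size, string).

    Only the first '#' delimits the fields; any later '#' belongs to the
    string, which is returned exactly as sent (leading blanks included).
    """
    m = SCAN_LINE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not a scan listing line: {line!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def parse_scan_listing(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Parse a whole listing, one tuple per line."""
    return [parse_scan_line(line) for line in lines]


def build_scan_line(msgno: int, size: int, text: str, width: int) -> str:
    """Server side: emit 'msgno size #string' for an already formatted text.

    The formatting itself (mh-format) is out of scope here; this step only
    enforces the memo's rules on the result: CR and LF are replaced so the
    reply stays a single protocol line, and the string is cut to `width`.
    """
    if width <= 0:
        raise ValueError("width must be positive")
    cleaned = text.replace("\r", " ").replace("\n", " ")
    return f"{msgno} {size} #{cleaned[:width]}"


if __name__ == "__main__":
    for entry in parse_scan_listing(SAMPLE_LISTING):
        print(entry)
```

A client that parsed by splitting on every `#`, or by whitespace, would silently corrupt any subject line containing those characters; anchoring on the first `#` after two numeric fields is what makes the listing unambiguous.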
MH 6.7.4 implements the POP extensions described in this memo.
Contact Bug-MH@ics.uci.edu for information on how to get MH.
The author gratefully acknowledges the comments of Alfred
Grimstad and Neil Ostroff of Bellcore, and Keith McCloghrie of
[1] R.L. Rivest, The MD5 Message-Digest Algorithm. Request
for Comments 1321, (April, 1992).

[2] M.T. Rose, J.L. Romine, The Rand MH Message Handling
System: User's Manual, November, 1985.
1 Status of this Memo ................................... 1
2 Abstract .............................................. 1
3 Historical Overview ................................... 2
4 The APOP command ...................................... 3
4.1 Usage Example ....................................... 4
5 The XTND SCAN command ................................. 5
5.1 Usage Example ....................................... 6
6 Implementations ....................................... 7
7 Acknowledgements ...................................... 8
8 References ............................................ 9
draft POP Version 3: More Service Offerings Feb 92

Tue Feb 4 08:30:31 1992
C: APOP mrose c4c9334bac560ecc979e58001b3e22fb
be enclosed in double-quotation marks. Within the string,
three special sequences are recognized:
Grimstad and Neil Ostroff of Bellcore.