* APOP-only POP3 clients?
@ 2022-05-27 10:53 Eric Wong
2022-05-27 12:28 ` Konstantin Ryabitsev
0 siblings, 1 reply; 2+ messages in thread
From: Eric Wong @ 2022-05-27 10:53 UTC (permalink / raw)
To: meta
cf. https://tools.ietf.org/html/rfc1939
Well, POP3 clients being webmail services which import from
POP3, mainly... Just wondering, are there POP3 clients which do
NOT support USER/PASS and enforce the use of APOP for
authentication?
Background: POP3 is one mailbox per-user, so we'll rely on
the username being $NEWSGROUP.$SLICE (same idea as IMAP, to
limit mailboxes to 50k to avoid problems).
POP3 clients can be distinguished by PASS (password cookie), to
keep track of per-client message deletions. The output of
`uuidgen` or `dbus-uuidgen` is a sufficiently-unique cookie for
distinguishing clients from each other.
Initially, that would be:
username: $NEWSGROUP.$SLICE
password: $UUID
for POP3 USER/PASS support.
However, supporting APOP that way would inflict a usability
problem for all users since the password is sent as a digest and
the actual password is never sent unencrypted. Our POP3 server
would have no clue how to match a digest to a password since
many clients will be sharing the username.
So far, the solution I come up with is to require another UUID
to be part of the username, too:
username: $UUID_1@$NEWSGROUP.$SLICE
password: $UUID_2
Which may be an extremely long username... Now I'm thinking
it's safe for UUID_1 and UUID_2 to be the same, to save storage
space on the server and to save users from dealing with
excessively long, compression-unfriendly field entries. So,
this:
username: $UUID@$NEWSGROUP.$SLICE
password: $UUID
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: APOP-only POP3 clients?
2022-05-27 10:53 APOP-only POP3 clients? Eric Wong
@ 2022-05-27 12:28 ` Konstantin Ryabitsev
0 siblings, 0 replies; 2+ messages in thread
From: Konstantin Ryabitsev @ 2022-05-27 12:28 UTC (permalink / raw)
To: Eric Wong; +Cc: meta
On Fri, May 27, 2022 at 10:53:02AM +0000, Eric Wong wrote:
> Which may be an extremely long username... Now I'm thinking
> it's safe for UUID_1 and UUID_2 to be the same, to save storage
> space on the server and to save users from dealing with
> excessively long, compression-unfriendly field entries. So,
> this:
> username: $UUID@$NEWSGROUP.$SLICE
> password: $UUID
1. I'd even say that we don't need all the entropy of uuid here and it's
probably sufficient to grab 8-12 bytes from /dev/random and z-base-32
encode them (z-base-32 to produce case-insensitive strings)
2. You can make password be "p" :)
-K
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-05-27 12:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-05-27 10:53 APOP-only POP3 clients? Eric Wong
2022-05-27 12:28 ` Konstantin Ryabitsev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).