The TCP/IP Guide  9  TCP/IP Application Layer Protocols, Services and Applications (OSI Layers 5, 6 and 7)       9  TCP/IP Key Applications and Application Protocols            9  TCP/IP File and Message Transfer Applications and Protocols (FTP, TFTP, Electronic Mail, USENET, HTTP/WWW, Gopher)                 9  TCP/IP Electronic Mail System: Concepts and Protocols (RFC 822, MIME, SMTP, POP3, IMAP)                      9  TCP/IP Electronic Mail Access and Retrieval Protocols and Methods                           9  TCP/IP Post Office Protocol (POP/POP3)

POP3 General Operation, Client/Server Communication and Session States 1 2 3 POP3 Transaction State: Mail and Information Exchange Process and Commands

Alternative Authentication Using APOP

Since user/password authorization is considered by many people to be insufficient for the security needs of modern internetworks, the POP3 standard also defines an alternative authentication method, using the APOP command. This is a more sophisticated technique based on the MD5 “message digest” encryption algorithm.

If the server supports this technique, in its opening greeting it provides a string indicating a timestamp that is unique for each POP3 session. The client then performs an MD5 calculation using this timestamp value and a “shared secret” known by the server and client. The result of this calculation is included in the client's APOP command. If it matches the server's calculation, authentication is successful; otherwise the session remains in the Authorization state.

The Post Office Protocol was also designed to allow it to be extended through the addition of other authentication mechanisms. This process is based on the use of the optional AUTH command, as described in RFC 1734.

POP3 General Operation, Client/Server Communication and Session States 1 2 3 POP3 Transaction State: Mail and Information Exchange Process and Commands