Rainer Weikusat
2010-Mar-28 21:09 UTC
[Dovecot] Improper use of IN-USE in case of a failed authentication
RFC2449 defines the IN-USE extended POP3 response code as

    8.1.2. The IN-USE response code

    This occurs on an -ERR response to an AUTH, APOP, or PASS
    command. It indicates the authentication was successful, but
    the user's maildrop is currently in use (probably by another
    POP3 client).

http://www.faqs.org/rfcs/rfc2449.html

In contrast to this, the POP3 login code in client_authenticate.c will send IN-USE whenever authentication was not successful because of some kind of internal failure[*].

[*] Noticed during experiments with a shell SQL database driver which only ever returns errors as reaction to any query.

I happen to know of at least one (partial) client implementation (which I happen to have written, and which is used by an iPhone application for POP3 user credential verification) which actually interprets IN-USE as it is defined by the RFC.
Timo Sirainen
2010-Mar-28 21:16 UTC
[Dovecot] Improper use of IN-USE in case of a failed authentication
On Sun, 2010-03-28 at 23:09 +0200, Rainer Weikusat wrote:
> RFC2449 defines the IN-USE extended POP3 response code as
>
>     8.1.2. The IN-USE response code
>
>     This occurs on an -ERR response to an AUTH, APOP, or PASS
>     command. It indicates the authentication was successful, but
>     the user's maildrop is currently in use (probably by another
>     POP3 client).
>
> http://www.faqs.org/rfcs/rfc2449.html
>
> In contrast to this, the POP3 login code in client_authenticate.c will
> send IN-USE whenever authentication was not successful because of
> some kind of internal failure[*].

Yes. In both cases the failure is temporary.

> I happen to know of at least one (partial) client implementation (I
> happen to have written which is used by an iPhone application for POP3
> user credential verification) which actually interprets IN-USE as
> it is defined by the RFC.

What about the reverse? If no IN-USE is sent, how many clients will just treat it as authentication failure and ask the user for the password again, without showing the "internal failure" error at all? (I don't know the answer. I assumed IN-USE would cause less problems.)
Rainer Weikusat
2010-Mar-28 21:35 UTC
[Dovecot] Improper use of IN-USE in case of a failed authentication
Timo Sirainen <tss at iki.fi> writes:
> On Sun, 2010-03-28 at 23:09 +0200, Rainer Weikusat wrote:
>> RFC2449 defines the IN-USE extended POP3 response code as
>>
>>     8.1.2. The IN-USE response code
>>
>>     This occurs on an -ERR response to an AUTH, APOP, or PASS
>>     command. It indicates the authentication was successful, but
>>     the user's maildrop is currently in use (probably by another
>>     POP3 client).
>>
>> http://www.faqs.org/rfcs/rfc2449.html
>>
>> In contrast to this, the POP3 login code in client_authenticate.c will
>> send IN-USE whenever authentication was not successful because of
>> some kind of internal failure[*].
>
> Yes. In both cases the failure is temporary.

The RFC excerpt above states that "It indicates the authentication was successful but the user's maildrop is currently in use". The difference arguably doesn't matter much for the intended purpose of the response code, namely, to provide a more reliable way to check for 'mailbox locked' states than trying to analyze the 'user message' part of the string; it just means that IN-USE does not communicate anything about the validity of the credentials which were being used.
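The thread turns on how a client should read the bracketed response code on an -ERR reply to AUTH, APOP or PASS. The following Python is an added example, not code from Dovecot or from either poster, showing the client-side decision the RFC semantics imply: a parser for the RFC 2449 status line (status indicator, optional `[CODE]`, free text) and a classifier that maps IN-USE to "credentials accepted, retry later" rather than "re-prompt for the password", while treating a bare -ERR with no code as ambiguous, which is exactly the case Timo asks about. The sample status lines are constructed for the example; the AUTH code is from RFC 2449 and SYS/TEMP and SYS/PERM are from RFC 3206.

```python
import re

# Status indicator, then an optional bracketed response code, then free text.
# RFC 2449 section 8: the code follows the indicator, is bracketed, and is
# case-insensitive, so it is normalised to upper case below.
_STATUS_RE = re.compile(r"^(\+OK|-ERR)(?:[ \t]+\[([A-Za-z0-9/-]+)\])?(?:[ \t]+(.*))?$")


def parse_response(line: str):
    """Split a POP3 status line into (status, code, text).

    code is None when the server sent no bracketed response code, which
    is the situation a client must still be prepared to handle.
    """
    m = _STATUS_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a POP3 status line: %r" % line)
    status, code, text = m.groups()
    return status, (code.upper() if code else None), (text or "")


def classify_auth_reply(line: str) -> str:
    """Decide what a client should do with the reply to AUTH/APOP/PASS.

    Returns one of:
      "authenticated"      +OK
      "retry-later"        credentials were not rejected; try again later
      "bad-credentials"    the server explicitly rejected the credentials
      "permanent-failure"  server-side problem that retrying will not fix
      "ambiguous-error"    -ERR with no response code: the client cannot
                           tell a lockout from an internal failure
    """
    status, code, _text = parse_response(line)
    if status == "+OK":
        return "authenticated"
    if code == "IN-USE":
        # RFC 2449 8.1.2: authentication succeeded but the maildrop is locked.
        # Do not re-prompt for the password; the credentials were fine.
        return "retry-later"
    if code in ("LOGIN-DELAY", "SYS/TEMP"):
        # Temporary conditions: client tried too soon, or transient server fault.
        return "retry-later"
    if code == "AUTH":
        return "bad-credentials"
    if code == "SYS/PERM":
        return "permanent-failure"
    return "ambiguous-error"


def classify_many(lines):
    """Classify a sequence of status lines; used to run the constructed samples."""
    return [classify_auth_reply(line) for line in lines]


# Constructed sample replies (not captured from any real server).
SAMPLE_REPLIES = [
    "+OK Logged in.",
    "-ERR [IN-USE] Do you have another POP session running?",
    "-ERR [in-use] maildrop locked",
    "-ERR [AUTH] Authentication failed.",
    "-ERR [SYS/TEMP] Internal error, try again later.",
    "-ERR Authentication failed.",
]

if __name__ == "__main__":
    for line, action in zip(SAMPLE_REPLIES, classify_many(SAMPLE_REPLIES)):
        print("%-55s -> %s" % (line, action))
```

Only the "retry-later" branch for IN-USE preserves the RFC's meaning; a server that sends IN-USE for any internal failure, as Rainer reports Dovecot doing, makes a client following this logic retry with the same credentials instead of surfacing the error, and a server that sends no code at all leaves the client in the "ambiguous-error" branch, which is the behaviour Timo wonders about.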