As to APOP not being relevant to message submission, it CAN BE if the
POP session that was initiated via APOP then has XTND XMIT commands
submitted (to have the POP Server act as a MSA for relating to a MTA).
I'm not sure XTND XMIT is particularly relevant - it has so many
problems of its own that the added issue of dragging POP authentication
matters into the MSA realm seems rather trivial.
POP-before-SMTP, OTOH, is very common, and that makes POP authentication very
relevant indeed. POP-before-SMTP also carries with it an additional, unique
of security risks. Do we need to document them as well?
It seems likely that there will be some set of people who want to claim
that POP-before-SMTP is a good way to authenticate originators. So if
it's not a good way to do that, we should probably say so. Similar
logic would apply in the case of XTND XMIT. Though I hope that we
don't find too many more ways that people are currently doing
authenticated message submission.
Lately I've been thinking that trying to document security concerns
with authetication methods on a protocol-specific or service-specific
basis is not the way to go - instead what we might need is a survey of
authentication methods along with an applicability statement for
each. That way the task of maintaining that list of applicability
statements can get put in the hands of security experts. But that's
probably a longer-term solution. I'd hate to make that list part of
the critical path for this document or any other document.