fetchmail-friends

[fetchmail] Why is APOP a protocol and not an authentication mechanism?

2003-07-31 10:02:13
In particular, I'm looking at pop3_getauth and thinking how it would make 
a lot more sense if this:

            else if (ok == PS_AUTHFAIL ||
                /* Some servers directly close the socket. However, if we
                 * have already authenticated before, then a previous CAPA
                 * must have succeeded. In that case, treat this as a
                 * genuine socket error and do not change the auth method.
                 */
                (ok == PS_SOCKET && !ctl->wehaveauthed))
            {
                ctl->server.authenticate = A_PASSWORD;
                /* repoll immediately */
                ok = PS_REPOLL;
                break;
            }

looked more like this:

            else if (ok == PS_AUTHFAIL ||
                /* Some servers directly close the socket. However, if we
                 * have already authenticated before, then a previous CAPA
                 * must have succeeded. In that case, treat this as a
                 * genuine socket error and do not change the auth method.
                 */
                (ok == PS_SOCKET && !ctl->wehaveauthed))
            {
                for (start = greeting;  *start != 0 && *start != '<';  start++)
                    continue;
                if (*start != 0) {
                    ctl->server.protocol = P_APOP;
                } else {
                    ctl->server.authenticate = A_PASSWORD;
                }
                /* repoll immediately */
                ok = PS_REPOLL;
                break;
            }

along with some code in the APOP case that fell back to PASSWORD if the 
APOP wasn't available.  That would be a logical progression if APOP were
an authentication mechanism, but given that it's stored as a protocol 
I'm iffy about making any such change.

So in summary: why shouldn't we map APOP protocol requests into POP3 protocol 
requests with an authorization of APOP and put it in the normal path of "find 
the most secure protocol" that is already there?

-- 
Kee Hinckley
http://www.messagefire.com/          Anti-Spam Service for your POP Account
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
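
An added example, not part of the original post and not fetchmail's code: the loop proposed above only checks for a '<' in the greeting, so this version extracts the whole APOP timestamp and rejects malformed ones before preferring APOP over a plain password. The names `apop_timestamp`, `pick_retry_auth` and `enum pop3_auth` are hypothetical, and the sample greeting is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not fetchmail's identifiers. */
enum pop3_auth { AUTH_APOP, AUTH_PASSWORD };

/* Copy the APOP timestamp, angle brackets included, from a POP3 greeting
 * into out. Returns 1 on success, 0 if there is no usable timestamp. */
static int apop_timestamp(const char *greeting, char *out, size_t outlen)
{
    const char *start, *end, *at, *p;
    size_t len;

    if (strncmp(greeting, "+OK", 3) != 0)
        return 0;
    if ((start = strchr(greeting, '<')) == NULL)
        return 0;
    if ((end = strchr(start, '>')) == NULL)
        return 0;                 /* unterminated: a bare '<' is not enough */
    len = (size_t)(end - start) + 1;
    if (len >= outlen)
        return 0;                 /* refuse rather than truncate */
    at = memchr(start, '@', len);
    if (at == NULL || at == start + 1 || at + 1 == end)
        return 0;                 /* need a non-empty local part and domain */
    for (p = start + 1; p < end; p++)
        if (*p <= ' ' || *p >= 0x7f || *p == '<')
            return 0;             /* control, space, non-ASCII, nested '<' */
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Choose the mechanism to retry with after the first attempt failed. */
static enum pop3_auth pick_retry_auth(const char *greeting, char *ts, size_t tslen)
{
    return apop_timestamp(greeting, ts, tslen) ? AUTH_APOP : AUTH_PASSWORD;
}

int main(void)
{
    char ts[128];
    /* Constructed sample greeting. */
    const char *g = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>";
    printf("%s\n", pick_retry_auth(g, ts, sizeof ts) == AUTH_APOP ? ts : "PASSWORD");
    return 0;
}
```

Falling back to `AUTH_PASSWORD` sends the password in the clear unless the session is otherwise protected, so a caller that was explicitly asked for APOP may prefer to fail instead of downgrading.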
