11. Message Format
All messages transmitted during a POP3 session are assumed to conform to the standard for the format of Internet text messages [RFC822].
It is important to note that the octet count for a message on the server host may differ from the octet count assigned to that message due to local conventions for designating end-of-line. Usually, during the AUTHORIZATION state of the POP3 session, the POP3 server can calculate the size of each message in octets when it opens the maildrop. For example, if the POP3 server host internally represents end-of-line as a single character, then the POP3 server simply counts each occurrence of this character in a message as two octets. Note that lines in the message which start with the termination octet need not (and must not) be counted twice, since the POP3 client will remove all byte-stuffed termination characters when it receives a multi-line response.
[RFC821] Postel, J., "Simple Mail Transfer Protocol", STD 10, RFC 821, USC/Information Sciences Institute, August 1982.
[RFC822] Crocker, D., "Standard for the Format of ARPA-Internet Text Messages", STD 11, RFC 822, University of Delaware, August 1982.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[RFC1730] Crispin, M., "Internet Message Access Protocol - Version 4", RFC 1730, University of Washington, December 1994.
[RFC1734] Myers, J., "POP3 AUTHentication command", RFC 1734, Carnegie Mellon, December 1994.
13. Security Considerations
It is conjectured that use of the APOP command provides origin identification and replay protection for a POP3 session. Accordingly, a POP3 server which implements both the PASS and APOP commands should not allow both methods of access for a given user; that is, for a given mailbox name, either the USER/PASS command sequence or the APOP command is allowed, but not both.
Further, note that as the length of the shared secret increases, so does the difficulty of deriving it.
Servers that answer -ERR to the USER command are giving potential attackers clues about which names are valid.
Use of the PASS command sends passwords in the clear over the network.
Use of the RETR and TOP commands sends mail in the clear over the network.
Otherwise, security issues are not discussed in this memo.
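An added example, not part of the memo: one way a server could apply the points above, binding each mailbox to exactly one of USER/PASS or APOP and answering USER identically for every name. The class name, account table, sample secrets and reply strings are assumptions; the APOP digest is MD5 over the greeting timestamp followed by the shared secret.

```python
import hashlib
import hmac

# Constructed sample accounts: each mailbox is bound to exactly one method.
ACCOUNTS = {
    "mrose": ("APOP", "tanstaaf"),
    "jgm": ("PASS", "correct horse"),
}
AUTH_FAILED = "-ERR authentication failed"  # one reply for every failure


class Pop3Auth:
    """AUTHORIZATION-state handler for one connection (hypothetical design)."""

    def __init__(self, banner_timestamp, accounts=ACCOUNTS):
        self.banner = banner_timestamp  # timestamp sent in the server greeting
        self.accounts = accounts
        self.pending_user = None

    def user(self, name):
        # Same reply for valid, unknown and APOP-only names: no enumeration clue.
        self.pending_user = name
        return "+OK send PASS"

    def pass_(self, password):
        name, self.pending_user = self.pending_user, None
        method, secret = self.accounts.get(name, ("PASS", ""))
        # Always run the comparison so unknown names cost the same work.
        match = hmac.compare_digest(password.encode(), secret.encode())
        if name in self.accounts and method == "PASS" and match:
            return "+OK maildrop locked and ready"
        return AUTH_FAILED

    def apop(self, name, digest):
        method, secret = self.accounts.get(name, ("APOP", ""))
        expected = hashlib.md5((self.banner + secret).encode()).hexdigest()
        match = hmac.compare_digest(digest.lower().encode(), expected.encode())
        if name in self.accounts and method == "APOP" and match:
            return "+OK maildrop locked and ready"
        return AUTH_FAILED
```

Because every failure path returns the same string, a client cannot tell an unknown mailbox from a wrong secret or from a mailbox bound to the other method.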
The POP family has a long and checkered history. Although primarily a minor revision to RFC 1460, POP3 is based on the ideas presented in RFCs 918, 937, and 1081.
In addition, Alfred Grimstad, Keith McCloghrie, and Neil Ostroff provided significant comments on the APOP command.
15. Authors' Addresses
John G. Myers
5000 Forbes Ave
Pittsburgh, PA 15213
Marshall T. Rose
Dover Beach Consulting, Inc.
420 Whisman Court
Mountain View, CA 94043-2186