1. Tech

Your suggestion is on its way!

An email with a link to:


was emailed to:

Thanks for sharing About.com with others!

Details and Optional Commands of the Post Office Protocol (POP)

Find out how the NOOP, TOP and UIDL commands work, and what APOP authentication brings.

 Join the Discussion
• Recent Discussions
 Related Resources
• SMTP, Protocol of Internet Mail
• More About POP
• Handling POP Errors
 Free Newsletter
Your email address:

Even More POP

Now that we know what the Post Office Protocol is all about and how it works basically we are ready to poke our nose a bit deeper into the POP file.

In no particular order, we will have a look at some other or optional POP commands that your POP server may or may not implement.

Nothing Guaranteed

The authors of the Post Office Protocol did not forget a command that initiates a typical conversation: "Are you sleeping, dear?" -- "Yes." If you send


to the server that has no effect, but of course the server reports that it has successfully done nothing by replying with: +OK. That's it and it certainly helps to keep the connection (as well as the conversation) alive.

Message Identification

It may be desirable to uniquely identify messages across sessions, for example to keep a record of which messages have already been downloaded. The ID is generated by the POP server and returned in response to the command


The server, after having said +OK, lists the messages it has in store together with their message identifiers, separated by a whitespace:

1 5alsiuf0923rjslafk3
2 So93lj932LX34
18 83worijlad0jnsoL

We can also retrieve the ID for a single message by appending its number to the UIDL command. If we say


we get what we deserve: +OK 2 So93lj932LX34

If we try to retrieve the ID of a message that does not exist or only physically exists but is marked for deletion, the server responds with the familiar error message -ERR no such message.

Authentication Again

We have seen how the log-on to a POP server is done with the USER/PASS combination. This was not deemed secure enough since the password is sent ready-to-be-read over the network and an alternative method of authentication may be implemented.

The alternate method also involves a user name and a password, but how they are transmitted is different. The server includes a timestamp in its initial greeting which is unique every time. To log on, the email client then issues the


command, followed by its two parameters. The first is the user name identical to what would follow a USER command. The second argument, called 'digest' is where the password is hidden. The email client calculates the 'digest' from the timestamp given by the server and the password using the MD5 algorithm (MD stands for Message Digest, if I am not mistaken). The POP RFC gives an example for the for the APOP command in all its involvedness.

The server computes back from timestamp and digest to the password. If the passwords match, the log-on was successful. It should be clear that it is more difficult to get hold of the password as it is sent in a crippled form but once somebody got hold of it it is still no problem for her to access your mailbox. So this approach is no fix for the 'problem', which is that much more passwords are revealed by lazy humans than by lazy computers.

Message Preview

Another optional command of the Post Office Protocol allows you or your email client to take a sneak preview of your mail. The TOP command shows the top of a message. When we issue this, we have to supply a message number (of a message that does exist and is not 'deleted') and how many lines of the body of the mail we want to be shown. For example,

TOP 2 2

should give us first a +OK on a line by itself, then he message header, followed by the blank line that separates the header lines from the message body and finally 2 lines of the actual text. If the message does not exist, the response is negative: -ERR no mail, no TOP.

This command also makes it possible to retrieve only the headers, by simply asking for 0 lines of the body. The 'lines' argument may not be negative, however.

I Want to do it!

It is relatively easy to play with the POP commands yourself. A connection to port 110 (usually the port the POP server listens to, if your ISP has a different configuration you surely will notice) with telnet is all you need to get started. The server will be friendly and say hello, and you are ready to log on with USER and PASS (of course you can also try your luck with APOP if it is Sunday and the weather is bad). All the commands of the POP are, by the way, caseinsensitive, no need to lock your caps.


"Man is the only one that knows nothing, that can learn nothing without being taught. He can neither speak nor walk nor eat, and in short he can do nothing at the prompting of nature only, but weep."

Plinius the Elder
Natural History

Explore Email
By Category
    emailEmailcomputeTechb950eef60f66da3eb50171f32f539d6fb5000d9361090e8fhttp://email.about.comod526F6F741215liveHeinz Tschabitscheremailguide398000v3zNIP11970-01-0110/od/index.htm0526F6F741approved/od
  1. About.com
  2. Tech
  3. Email

©2016 About.com. All rights reserved.