Details and Optional Commands of the Post Office Protocol (POP)
Find out how the NOOP, TOP and UIDL commands work, and what APOP authentication brings.
Even More POP
In no particular order, we will have a look at some other or optional POP commands that your POP server may or may not implement.
The authors of the Post Office Protocol did not forget a command that initiates a typical conversation: "Are you sleeping, dear?" -- "Yes." If you send
NOOP
to the server, nothing happens, but of course the server reports that it has successfully done nothing by replying with: +OK. That's it, and it certainly helps to keep the connection (as well as the conversation) alive.
It may be desirable to uniquely identify messages across sessions, for example to keep a record of which messages have already been downloaded. The ID is generated by the POP server and returned in response to the command
UIDL
The server, after having said +OK, lists the messages it has in store together with their message identifiers, separated by whitespace.
We can also retrieve the ID for a single message by appending its number to the UIDL command. If we say
UIDL 2
we get what we deserve: +OK 2 So93lj932LX34
If we try to retrieve the ID of a message that does not exist or only physically exists but is marked for deletion, the server responds with the familiar error message -ERR no such message.
We have seen how the log-on to a POP server is done with the USER/PASS combination. This was not deemed secure enough, since the password is sent ready-to-be-read over the network, so an alternative method of authentication may be implemented.
The alternative method also involves a user name and a password, but how they are transmitted is different. The server includes a timestamp in its initial greeting, which is unique every time. To log on, the email client then issues the
APOP
command, followed by its two parameters. The first is the user name, identical to what would follow a USER command. The second argument, called 'digest', is where the password is hidden. The email client calculates the 'digest' from the timestamp given by the server and the password using the MD5 algorithm (MD stands for Message Digest, if I am not mistaken). The POP RFC gives an example for the APOP command in all its involvedness.
The server computes back from timestamp and digest to the password. If the passwords match, the log-on was successful. It should be clear that it is more difficult to get hold of the password as it is sent in a crippled form, but once somebody has got hold of it, it is still no problem for her to access your mailbox. So this approach is no fix for the 'problem', which is that many more passwords are revealed by lazy humans than by lazy computers.
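The APOP exchange described above, worked through in Python as an added example that is not part of the original article; the greeting, user name and shared secret are the sample values from the APOP example in RFC 1939, and the function names are assumptions of this example. RFC 1939 has the server run the same MD5 computation over the timestamp it issued and its stored copy of the shared secret, then compare the two digests.

```python
import hashlib
import hmac
import re

# Greeting, user name and shared secret are the sample values from RFC 1939.
GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
USER = "mrose"
SECRET = "tanstaaf"

_TIMESTAMP = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def extract_timestamp(greeting: str) -> bytes:
    """Return the <...> timestamp from the greeting, angle brackets included."""
    match = _TIMESTAMP.search(greeting)
    if not greeting.startswith("+OK") or match is None:
        raise ValueError("server did not offer an APOP timestamp in its greeting")
    return match.group(0).encode("utf-8")


def apop_digest(timestamp: bytes, secret: str) -> str:
    """MD5 over the timestamp followed by the shared secret, as 32 hex digits."""
    return hashlib.md5(timestamp + secret.encode("utf-8")).hexdigest()


def client_command(greeting: str, user: str, secret: str) -> str:
    """Client side: the line sent instead of USER/PASS."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"


def server_accepts(command: str, issued_timestamp: bytes, secrets: dict) -> bool:
    """Server side: recompute the digest from the stored secret and compare."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP" or parts[1] not in secrets:
        return False
    expected = apop_digest(issued_timestamp, secrets[parts[1]])
    # Constant-time comparison on bytes; also tolerates non-ASCII client input.
    return hmac.compare_digest(expected.encode(), parts[2].lower().encode())


if __name__ == "__main__":
    line = client_command(GREETING, USER, SECRET)
    print(line)
    print(server_accepts(line, extract_timestamp(GREETING), {USER: SECRET}))
```

Because the digest covers the greeting's timestamp, the same APOP line is rejected when the server checks it against the timestamp of a later session.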
Another optional command of the Post Office Protocol allows you or your email client to take a sneak preview of your mail. The TOP command shows the top of a message. When we issue this, we have to supply a message number (of a message that does exist and is not 'deleted') and how many lines of the body of the mail we want to be shown. For example,
TOP 2 2
should give us first a +OK on a line by itself, then the message header, followed by the blank line that separates the header lines from the message body and finally 2 lines of the actual text. If the message does not exist, the response is negative: -ERR no mail, no TOP.
This command also makes it possible to retrieve only the headers, by simply asking for 0 lines of the body. The 'lines' argument may not be negative, however.
I Want to do it!
It is relatively easy to play with the POP commands yourself. A connection to port 110 (usually the port the POP server listens to; if your ISP has a different configuration, you surely will notice) with telnet is all you need to get started. The server will be friendly and say hello, and you are ready to log on with USER and PASS (of course you can also try your luck with APOP if it is Sunday and the weather is bad). All the commands of the POP are, by the way, case-insensitive, no need to lock your caps.