In theory I totally agree but in practice there is this broken server which doesn't support any other way to log in except by using USER but still doesn't advertise it. It's clearly a bug in the server implementation and using USER is the only way to work around it.
The server may not be broken.
They may have an administrative policy that clients should use the SSL POP3 service (port 995) instead of unencrypted POP3 port 110; but for the benefit of old pre-SSL clients (which also would not use CAPA) it allows the USER/PASS commands.
The alternative is to not be able to log in at all which may be correct (although in fact I don't see anything specifically forbidding use of USER in RFC 2449, it only states that its presence in CAPA response means that USER/PASS are supported but doesn't say anything about its absence!) but is absolutely useless.
Not at all. Did you try the SSL POP3 service?
Speaking practically, what problems can I have if I still use USER even if the server doesn't advertise it?
Doing so violates the specifications, and may very well violate the intentions of the POP3 server administrator.
Worse, you may find yourself accused of "behaving just like Microsoft" in violating specifications for convenience. All too often the excuse of "a necessary workaround" has been offered as to why Outlook, etc. violates a specification.
Still worse, if it's considered to be something that c-client does, *I* will be accused of "behaving just like Microsoft." No thanks. :-)
AFAICS in the worst case the server will reply that the command is not supported. This doesn't seem very bad to me.
No. If it doesn't reject until the PASS command then the result is that passwords are sent in the clear.
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
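The CAPA handling debated in this message, as an added example that is not part of the original post and is not c-client code: a client-side check that parses a CAPA response (RFC 2449) and picks the next authentication step without ever sending USER when the server did not advertise it. The function names, the sample responses and the "no password outside TLS" policy are assumptions of this example.

```python
# Added example: pick a POP3 login step from the CAPA response.
# parse_capa() and next_step() are hypothetical helpers, not c-client APIs.

def parse_capa(response_lines):
    """Return None if CAPA was rejected, else {TAG: [params]} (RFC 2449)."""
    lines = [l.rstrip("\r\n") for l in response_lines]
    if not lines or not lines[0].startswith("+OK"):
        return None                       # -ERR: server does not implement CAPA
    caps = {}
    for line in lines[1:]:
        if line == ".":                   # terminator of the multi-line response
            break
        if not line.strip():
            continue
        tag, *params = line.split()
        caps[tag.upper()] = [p.upper() for p in params]
    return caps

def next_step(caps, tls_active):
    """Decide what to send next; never USER unless the server advertised it."""
    if caps is None:
        # Assumed policy: a pre-CAPA server gets USER/PASS only inside TLS.
        return "USER" if tls_active else "REFUSE"
    if not tls_active and "STLS" in caps:
        return "STLS"                     # upgrade first, then issue CAPA again
    # Prefer a SASL mechanism that does not put the password on the wire.
    sasl = [m for m in caps.get("SASL", []) if m not in ("PLAIN", "LOGIN")]
    if sasl:
        return "AUTH " + sasl[0]
    if "USER" in caps and tls_active:
        return "USER"
    # USER not advertised, or advertised only on a cleartext channel:
    # stop here and try the SSL POP3 service (port 995) instead.
    return "REFUSE"

# Constructed sample responses (not captured from a real server).
NO_USER = ["+OK Capability list follows\r\n", "TOP\r\n", "UIDL\r\n", ".\r\n"]
WITH_STLS = ["+OK\r\n", "USER\r\n", "STLS\r\n", "SASL PLAIN\r\n", ".\r\n"]
WITH_CRAM = ["+OK\r\n", "USER\r\n", "SASL CRAM-MD5 PLAIN\r\n", ".\r\n"]
NO_CAPA = ["-ERR unknown command\r\n"]

if __name__ == "__main__":
    for name, resp in [("no USER", NO_USER), ("STLS", WITH_STLS),
                       ("CRAM-MD5", WITH_CRAM), ("no CAPA", NO_CAPA)]:
        print(name, "->", next_step(parse_capa(resp), tls_active=False))
```
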