On Wed, 2 Feb 2005, Vadim Zeitlin wrote:
> > They may have an administrative policy that clients should use the SSL
> > POP3 service (port 995) instead of unencrypted POP3 port 110; but for the
> > benefit of old pre-SSL clients (which also would not use CAPA) it allows
> > the USER/PASS commands.
> Ok, but if they [still] allow it, there mustn't be much harm in using it.

There is a substantial amount of harm if the purpose of allowing USER when not advertised is to provide temporary reclama for old clients. By doing the old client behavior, you could stymie the site's migration plans.


Doing so is the type of behavior that Microsoft is often accused of doing: taking the expedient approach instead of the correct one. I find it sadly ironic that the open source community would even think of doing this, after all the years of Microsoft-bashing over this very issue.

> > > Speaking practically, what problems can I have if I still use USER
> > > the server doesn't advertise it?
> > Doing so violates the specifications, and may very well violate the
> > intentions of the POP3 server administrator.
> Again, not in this case.

It most certainly does violate the specification.

The minute your software is installed at a site which has such reclama, it also violates the intentions of the server administrator and adds to his (or her) headaches. Your software has no way of knowing that this is the case.

> I understand your point of view but you should realize, of course, that I
> am going to patch my c-client version (once again) because I can't tell the
> user with a straight face that I am not going to fix it when it's a whole
> of one line fix.

In that case, honesty and morality require that you also disclose to your user that your client is BROKEN and NON-COMPLIANT with the specifications, and that as a result it has a SECURITY BUG that will continue even when your user upgrades his server.


The entire reason why USER is part of CAPA is to enable the behavior of client code (such as in c-client) that you advocate disabling. You are breaking an important and valuable security mechanism that many people spent a long time developing.

And for what reason? So your client works with one particular broken server!

> I still can't prevent myself from thinking that all this is
> a big waste of effort

Then don't do it!

There is no law that says that you have to support broken servers. The world does not become a better place by adding security bugs in order to accommodate broken software.

If a site doesn't want to fix its server to comply with specifications and run your client, then your client isn't important to that site -- and that site shouldn't be important to you either. There are many other sites which run compliant servers; quite enough to keep you in business.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
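
The client-side check argued for in the message above, written out as an added example (not part of the original message and not c-client's code): parse the CAPA reply defined in RFC 2449 and send USER/PASS only when the server advertises USER. The function names, the sample reply and the no-CAPA fallback policy are assumptions of this example.

```python
# Added example: gate USER/PASS on the server's CAPA reply (RFC 2449).

# Constructed sample reply (CRLF stripped): the server lists no USER capability.
SAMPLE_NO_USER = ["+OK Capability list follows", "TOP", "UIDL", "."]

def parse_capa(lines):
    """Parse a CAPA reply into {TAG: [params]}; None if the server rejected CAPA."""
    if not lines or not lines[0].startswith("+OK"):
        return None                      # -ERR: pre-CAPA server, nothing known
    caps = {}
    for line in lines[1:]:
        if line == ".":                  # terminator of the multi-line reply
            break
        if not line.strip():
            continue
        tag, *params = line.split()
        caps[tag.upper()] = [p.upper() for p in params]
    return caps

def choose_login(caps, channel_encrypted):
    """Return 'STLS', 'SASL:<mech>', 'USER' or 'REFUSE'."""
    if caps is None:
        # Assumption of this example: with no CAPA at all, fall back to
        # USER/PASS only on an already encrypted channel (e.g. port 995).
        return "USER" if channel_encrypted else "REFUSE"
    if not channel_encrypted and "STLS" in caps:
        return "STLS"                    # upgrade, then issue CAPA again
    # Prefer a SASL mechanism that does not send the password itself.
    strong = [m for m in caps.get("SASL", []) if m not in ("PLAIN", "LOGIN")]
    if strong:
        return "SASL:" + strong[0]
    if "USER" in caps:
        return "USER"                    # explicitly advertised by the server
    return "REFUSE"                      # not advertised: never send USER/PASS

if __name__ == "__main__":
    print(choose_login(parse_capa(SAMPLE_NO_USER), channel_encrypted=False))
```

A server that accepts USER without advertising it still yields `REFUSE` here, which is the behaviour the message describes as the purpose of the USER capability.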