Hi There,

I hope this hasn't been covered in the archives before; I looked back a
fair way and couldn't see anyone with a similar problem.

We run QPopper 4.0.4 in a pretty much default installation (no ./configure
options except prefix). We don't have (or want) STLS enabled.

One of our POP3 clients is actually a 3rd-party service which allows
customers to check POP3 accounts from their WAP-enabled phone. We have no
control over that 3rd-party service or how it operates.

Problem: When that 3rd party attempts a POP3 connection to our server, it
first tries issuing the 'STLS' command. Despite the fact that STLS support
is not even compiled into QPopper, it recognises the command and responds
with "ERR - command not enabled" (which is fine) and then closes the
connection (which is not fine).

Closing the connection for a command whose support is not compiled in
seems wrong to me. This makes it impossible for the client to probe for
STLS and then fall back to a normal connection. In order to prove this I
commented the stls line out of the state table in pop_get_command.c thus:

    { auth1,  "epop", 0,  0,  pop_epop,   {auth1, auth1} },
//    { auth1,  "stls", 0,  0,  pop_stls,   {halt,  auth1} },
    { auth1,  "user", 1,  1,  pop_user,   {auth1, auth2} },
    { auth1,  "capa", 0,  0,  pop_capa,   {auth1, auth1} },

and found that the 3rd party that is probing the STLS command gets an ERR
message, and then continues to use normal POP3 methods and succeeds.
Without my change, the connection always gets dumped. (Obviously my change
is a hack, but it was just a way of testing my theory.)

The question is, is QPopper in the wrong? Or is the client trying to probe
STLS in the wrong? Or is this just one of those ill-defined grey areas of
interoperability that crops up from time to time?

It seems to me that if STLS support is not compiled in at all, then the
STLS command shouldn't be recognised at all, and just return an ERR command
not recognised, which could probably be done by putting an ifdef around the
line I commented out, similar to the ones for RPOP and APOP.

But if STLS support is compiled in, but it is DISABLED, then it should
report that the command is disabled, as it does now, but IMO it should
*NOT* then drop the connection. I'm guessing, but it looks like that could
be done by changing the halt to auth1 in the line I commented out, but
without understanding the code a lot better I wouldn't like to do that.

Comments, anyone?

Regards,
Simon
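
The three behaviours discussed in the message above, as an added example that is not part of the original post and is not QPopper source: a toy command state table in which a client probes STLS and then falls back to USER. All names are hypothetical, and the code assumes the first entry of each state pair is the state after a failed command and the second the state after success.

```c
#include <string.h>

/* Toy model of a POP3 command state table (hypothetical names; not QPopper source).
   Assumption: next[0] is the state after a failed handler, next[1] after success. */
typedef enum { AUTH1, AUTH2, HALT } state_t;
typedef int (*handler_t)(void);                /* returns 1 on success, 0 on failure */
typedef struct { state_t in; const char *cmd; handler_t fn; state_t next[2]; } entry_t;

static int h_user(void) { return 1; }          /* USER accepted */
static int h_stls_disabled(void) { return 0; } /* models "ERR - command not enabled" */

/* Variant A: a failed STLS halts the session (the behaviour described in the post). */
static const entry_t table_halt[] = {
    { AUTH1, "stls", h_stls_disabled, { HALT,  AUTH1 } },
    { AUTH1, "user", h_user,          { AUTH1, AUTH2 } },
};
/* Variant B: STLS entry left out, so the command is simply unknown. */
static const entry_t table_omit[] = {
    { AUTH1, "user", h_user,          { AUTH1, AUTH2 } },
};
/* Variant C: STLS recognised but disabled; failure stays in AUTH1. */
static const entry_t table_stay[] = {
    { AUTH1, "stls", h_stls_disabled, { AUTH1, AUTH1 } },
    { AUTH1, "user", h_user,          { AUTH1, AUTH2 } },
};

/* Dispatch one command; an unknown command is an error that keeps the state. */
static state_t step(const entry_t *t, size_t n, state_t s, const char *cmd) {
    for (size_t i = 0; i < n; i++)
        if (t[i].in == s && strcmp(t[i].cmd, cmd) == 0)
            return t[i].next[t[i].fn() ? 1 : 0];
    return s;
}

/* Client that probes STLS, then falls back to USER. Returns the final state. */
static state_t probe_then_user(const entry_t *t, size_t n) {
    state_t s = step(t, n, AUTH1, "stls");
    if (s == HALT) return HALT;                /* server closed the connection */
    return step(t, n, s, "user");
}

state_t run_halt(void) { return probe_then_user(table_halt, 2); }
state_t run_omit(void) { return probe_then_user(table_omit, 1); }
state_t run_stay(void) { return probe_then_user(table_stay, 2); }

int main(void) { return !(run_halt() == HALT && run_omit() == AUTH2 && run_stay() == AUTH2); }
```

Only variant A prevents the fallback; variants B and C both leave the session in the first authorization state, so the subsequent USER command is processed.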

