cf. https://tools.ietf.org/html/rfc1939
Well, POP3 clients being webmail services which import from POP3, mainly... Just wondering, are there POP3 clients which do NOT support USER/PASS and enforce the use of APOP for authentication? Background: POP3 is one mailbox per-user, so we'll rely on the username being $NEWSGROUP.$SLICE (same idea as IMAP, to limit mailboxes to 50k to avoid problems). POP3 clients can be distinguished by PASS (password cookie), to keep track of per-client message deletions. The output of `uuidgen` or `dbus-uuidgen` is a sufficiently-unique cookie for distinguishing clients from each other. Initially, that would be: username: $NEWSGROUP.$SLICE password: $UUID for POP3 USER/PASS support. However, supporting APOP that way would inflict a usability problem for all users since the password is sent as a digest and the actual password is never sent unencrypted. Our POP3 server would have no clue how to match a digest to a password since many clients will be sharing the username. So far, the solution I come up with is to require another UUID to be part of the username, too: username: $UUID_1@$NEWSGROUP.$SLICE password: $UUID_2 Which may be an extremely long username... Now I'm thinking it's safe for UUID_1 and UUID_2 to be the same, to save storage space on the server and to save users from dealing with excessively long, compression-unfriendly field entries. So, this: username: $UUID@$NEWSGROUP.$SLICE password: $UUID