Sometimes reading the right RFC (1939) helps... what I've been trying
to do (allow a user to use either POP or APOP) is not really a good idea:
>From RFC 1939:
> It is conjectured that use of the APOP command provides origin
> identification and replay protection for a POP3 session.
> Accordingly, a POP3 server which implements both the PASS and APOP
> commands should not allow both methods of access for a given user;
> that is, for a given mailbox name, either the USER/PASS command
> sequence or the APOP command is allowed, but not both.
