>> During development of a POP3 tool I found an issue that makes it possible
>> for any user to check the validity of a user on a target system. If a user
>> is valid and an invalid password has been supplied, then the system waits
>> ~10 seconds until it sends a disconnect message and disconnects. If the
>> username was not correct, then it disconnects immediately after the wrong
>> password.
Is this really true? If so, I think it may be system-dependent. On our mailserver running qpopper 4.04 on RH Linux 7.1 with PAM authentication, I don't see the claimed behavior. The username/password pair is submitted to PAM, and if it fails there is the 10-second delay even if the username was invalid.
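The two behaviours discussed in this thread side by side, as an added example that is not code from either poster or from qpopper: a tiny simulated POP3 server that can run either "leaky" (sleep before -ERR only when the USER exists, as the first message reports) or "uniform" (sleep on every failed login, as the reply describes for a PAM-backed server), plus the client-side timing probe an attacker would use. The account table, the scaled-down FAIL_DELAY standing in for the observed ~10 seconds, and all function names are assumptions of this example.

```python
import socket
import threading
import time

# Constructed credential store for the simulated server; not a real system.
ACCOUNTS = {"alice": "correct horse"}

# Stands in for the ~10 s delay reported in the thread, scaled down so the
# demonstration finishes in well under a second.
FAIL_DELAY = 0.3


def recv_line(sock):
    """Read one CRLF-terminated line (or whatever arrives before EOF)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def handle_client(conn, leaky):
    """Minimal USER/PASS exchange.

    leaky=True : delay before -ERR only if the username exists, so a failed
                 login for a real account is slow and one for a bogus account
                 is fast (the behaviour the first message reports).
    leaky=False: delay on every failed login, whatever the username (what the
                 reply describes for PAM: the pair is rejected as a whole).
    """
    with conn:
        conn.sendall(b"+OK POP3 ready\r\n")
        user = None
        while True:
            line = recv_line(conn).strip()
            if not line:
                return
            cmd, _, arg = line.partition(b" ")
            cmd = cmd.upper()
            if cmd == b"USER":
                user = arg.decode(errors="replace")
                conn.sendall(b"+OK\r\n")  # USER alone reveals nothing
            elif cmd == b"PASS":
                if user is not None and ACCOUNTS.get(user) == arg.decode(errors="replace"):
                    conn.sendall(b"+OK logged in\r\n")
                    continue
                if not leaky or user in ACCOUNTS:
                    time.sleep(FAIL_DELAY)
                conn.sendall(b"-ERR authentication failed\r\n")
                return  # server disconnects after the failure, as in the thread
            elif cmd == b"QUIT":
                conn.sendall(b"+OK bye\r\n")
                return
            else:
                conn.sendall(b"-ERR unknown command\r\n")


def start_server(leaky):
    """Start a simulated server on an ephemeral loopback port; return the port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn, leaky), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def time_login(host, port, user, password):
    """Seconds between sending PASS and the server's reply (the attacker's measurement)."""
    with socket.create_connection((host, port), timeout=5) as s:
        recv_line(s)  # banner
        s.sendall(b"USER " + user.encode() + b"\r\n")
        recv_line(s)
        t0 = time.monotonic()
        s.sendall(b"PASS " + password.encode() + b"\r\n")
        recv_line(s)
        return time.monotonic() - t0


def timing_profile(host, port, candidates, bad_password="definitely-wrong"):
    """Failed-login response time for each candidate username."""
    return {u: time_login(host, port, u, bad_password) for u in candidates}


def likely_valid(profile, threshold=FAIL_DELAY / 2):
    """Names whose failed login was slow. Against a uniform-delay server every
    name lands here, so the result carries no information about validity."""
    return sorted(u for u, t in profile.items() if t > threshold)


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    for label, leaky in (("leaky", True), ("uniform", False)):
        port = start_server(leaky)
        prof = timing_profile("127.0.0.1", port, names)
        print(label, {u: round(t, 3) for u, t in prof.items()}, "->", likely_valid(prof))
```

Run it and the leaky server separates "alice" from the bogus names by roughly FAIL_DELAY, while the uniform server makes every failed attempt equally slow, which is the point of the reply: the defence is to reject the username/password pair as a unit and pay the same delay on every failure, not to make successful logins slow.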