cf. https://tools.ietf.org/html/rfc1939
Well, POP3 clients being webmail services which import from
POP3, mainly... Just wondering, are there POP3 clients which do
NOT support USER/PASS and enforce the use of APOP for
authentication?
Background: POP3 is one mailbox per-user, so we'll rely on
the username being $NEWSGROUP.$SLICE (same idea as IMAP, to
limit mailboxes to 50k to avoid problems).
POP3 clients can be distinguished by PASS (password cookie), to
keep track of per-client message deletions. The output of
`uuidgen` or `dbus-uuidgen` is a sufficiently-unique cookie for
distinguishing clients from each other.
Initially, that would be:
username: $NEWSGROUP.$SLICE
password: $UUID
for POP3 USER/PASS support.
However, supporting APOP that way would inflict a usability
problem for all users since the password is sent as a digest and
the actual password is never sent unencrypted. Our POP3 server
would have no clue how to match a digest to a password since
many clients will be sharing the username.
So far, the solution I come up with is to require another UUID
to be part of the username, too:
username: $UUID_1@$NEWSGROUP.$SLICE
password: $UUID_2
Which may be an extremely long username... Now I'm thinking
it's safe for UUID_1 and UUID_2 to be the same, to save storage
space on the server and to save users from dealing with
excessively long, compression-unfriendly field entries. So,
this:
username: $UUID@$NEWSGROUP.$SLICE
password: $UUID
