2.2.1 AUTH Extensions
The first category of POP3 messages consists of messages that fall within the AUTH extensibility framework. These messages are specified in [RFC1734] and [RFC1939]. Some messages have parameters that have to be customized by the extensibility mechanism (such as NTLM). The following customizations are introduced in this specification:
[RFC1734] section 2 defines the syntax of the AUTH command to initiate authentication. The parameter "mechanism" is defined to be the string "NTLM" for the NTLM POP3 Extension. The command to initiate an NTLM conversation by a client in Augmented Backus-Naur Form (ABNF), as specified in [RFC5234], is specified as follows. This is referred to as the POP3_AUTH_NTLM_Initiation_Command in this specification.
"AUTH NTLM" CRLF
If NTLM is supported, the POP3 server responds with a POP3 message to indicate that NTLM is supported, which is specified in [RFC1939]. The syntax of this command in ABNF form is specified as follows. This is referred to as the POP3_NTLM_Supported_Response command in this specification.
+ SP CRLF
If NTLM is not supported, the POP3 server returns a failure status code as defined by [RFC1734] and [RFC1939]. The only data in this message that is useful is the "-ERR" string. The remaining data is human-readable data and has no bearing on the authentication. The syntax of this command in ABNF form is specified as follows. This is referred to as the POP3_AUTH_NTLM_Fail_Response command in this specification.
-ERR SP <human-readable-string> CRLF
At every point during the authentication exchange, the client MUST parse the responses in the messages sent by the server and interpret them as defined by [RFC1734]. The responses define various states such as success in authenticating, failure to authenticate, and any other arbitrary failures that the software can encounter.
The client can send or receive any of the following messages during authentication (note that the syntax and meaning of all these messages are specified in [RFC1734]):
POP3_AUTH_NTLM_Blob_Response. This message is partially defined in [RFC1734]. The '+' status code indicates ongoing authentication and also indicates that the <Base 64-encoded-NTLM-message> is to be processed by the authentication subsystem. In this case, the client MUST de-encapsulate the data and pass it to the NTLM subsystem.
+ SP <Base 64-encoded-NTLM-message> CRLF
POP3_AUTH_NTLM_Fail_Response. This message is defined in [RFC1939] and indicates that the authentication has terminated unsuccessfully, either because the user name or password was incorrect or because of some other arbitrary error, such as a software or data corruption error.
-ERR SP <human-readable-string> CRLF
POP3_AUTH_NTLM_Succeeded_Response. This message is defined in [RFC1939] and indicates that the authentication negotiation has completed with the client successfully authenticating to the server.
+OK SP <human-readable-string> CRLF
POP3_AUTH_NTLM_Cancelled_Response. This message is defined in [RFC1939] and indicates that the authentication negotiation has been canceled by the client.
-ERR SP <human-readable-string> CRLF
NTLM messages encapsulated by the client and sent to the server are referred to as POP3_AUTH_NTLM_Blob_Command in this specification. They have the following syntax defined in ABNF, and they conform to the form prescribed in [RFC1734].
<Base 64-encoded-NTLM-message> CRLF
The client is able to cancel the authentication request by issuing a POP3_AUTH_NTLM_Cancellation_Command. This has the following syntax defined in ABNF:
"*" CRLF
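The client side of the exchange described above (initiation, blob encapsulation, response classification and cancellation), as an added example that is not part of this specification or of any Microsoft implementation. It assumes an NTLM subsystem elsewhere produces and consumes the raw NTLM messages; the 12-byte message used in testing is a constructed stand-in, not a real NTLM message.

```python
import base64
import binascii

# Response kinds a client can receive during AUTH NTLM (names from this section).
SUPPORTED = "POP3_NTLM_Supported_Response"
BLOB = "POP3_AUTH_NTLM_Blob_Response"
SUCCEEDED = "POP3_AUTH_NTLM_Succeeded_Response"
FAIL = "POP3_AUTH_NTLM_Fail_Response"
CANCELLED = "POP3_AUTH_NTLM_Cancelled_Response"

INITIATION_COMMAND = b"AUTH NTLM\r\n"  # POP3_AUTH_NTLM_Initiation_Command
CANCELLATION_COMMAND = b"*\r\n"        # POP3_AUTH_NTLM_Cancellation_Command


def encapsulate_ntlm_message(ntlm_message: bytes) -> bytes:
    """Build a POP3_AUTH_NTLM_Blob_Command: base64 of the NTLM message, then CRLF."""
    return base64.b64encode(ntlm_message) + b"\r\n"


class NtlmAuthClient:
    """Client side of the exchange; the NTLM subsystem (assumed) handles the blobs."""

    def __init__(self):
        self.cancel_sent = False

    def cancel(self) -> bytes:
        self.cancel_sent = True
        return CANCELLATION_COMMAND

    def parse_response(self, line: bytes):
        """Classify one CRLF-terminated server line as (kind, payload). payload is the
        de-encapsulated NTLM message for BLOB; otherwise the human-readable text."""
        if not line.endswith(b"\r\n"):
            raise ValueError("server response must be CRLF-terminated")
        body = line[:-2]
        if body.startswith(b"+OK"):  # test before the bare "+" of a blob/supported line
            return SUCCEEDED, body[3:].strip()
        if body.startswith(b"-ERR"):
            # Fail and Cancelled responses are identical on the wire; only the
            # client's own state (did it send "*"?) tells them apart.
            return (CANCELLED if self.cancel_sent else FAIL), body[4:].strip()
        if body.startswith(b"+"):
            rest = body[1:].lstrip(b" ")  # "+ SP" then either nothing or base64
            if not rest:
                return SUPPORTED, b""
            try:
                return BLOB, base64.b64decode(rest, validate=True)
            except binascii.Error as exc:
                raise ValueError("malformed base64 in blob response") from exc
        raise ValueError("line does not match any AUTH NTLM response form")
```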