2.2.1 AUTH Extensions

The first category of POP3 messages consists of messages that fall within the AUTH extensibility framework. These messages are specified in [RFC1734] and [RFC1939]. Some of these messages have parameters that must be customized for the specific extensibility mechanism (in this case, NTLM). The following customizations are introduced in this specification:

  • [RFC1734] section 2 defines the syntax of the AUTH command that initiates authentication. The "mechanism" parameter is defined to be the string "NTLM" for the NTLM POP3 Extension. The command that a client sends to initiate an NTLM conversation, in Augmented Backus-Naur Form (ABNF) as specified in [RFC5234], is as follows. This is referred to as the POP3_AUTH_NTLM_Initiation_Command in this specification.

     "AUTH NTLM" CRLF
    
  • If NTLM is supported, the POP3 server responds with a POP3 message, specified in [RFC1939], that indicates NTLM is supported. This is the [RFC1734] server challenge with an empty (zero-length) initial challenge. The syntax of this message in ABNF form is as follows. This is referred to as the POP3_NTLM_Supported_Response in this specification. (Some deployed servers omit the trailing SP and send a bare "+" CRLF; a client that needs to interoperate with them has to tolerate that form, which is an assumption about deployed behavior rather than something this specification requires.)

     + SP CRLF
    
  • If NTLM is not supported, the POP3 server returns a failure status code as defined by [RFC1734] and [RFC1939]. The only data in this message that is meaningful to the client is the "-ERR" string. The remaining data is human-readable text that has no bearing on authentication, and a client MUST NOT derive any decision from it. The syntax of this message in ABNF form is as follows. This is referred to as the POP3_AUTH_NTLM_Fail_Response in this specification.

     -ERR SP <human-readable-string> CRLF
    
  • At every point during the authentication exchange, the client MUST parse the responses in the messages sent by the server and interpret them as defined by [RFC1734]. The responses indicate states such as successful authentication, failure to authenticate, and any other arbitrary failure that the software can encounter. Only a "+OK" response signals that authentication completed; a "+" response is a continuation of the exchange, a "-ERR" response is a failure, and any line that matches none of these forms is a protocol error that the client MUST treat as a failure rather than as success.

The client can send or receive any of the following messages during authentication (note that the syntax and meaning of all these messages are specified in [RFC1734]):

  • POP3_AUTH_NTLM_Blob_Response. This message is partially defined in [RFC1734]. The '+' status code indicates that authentication is ongoing and that the <Base 64-encoded-NTLM-message> is to be processed by the authentication subsystem. In this case, the client MUST base64-decode the data and pass the resulting octets to the NTLM subsystem. The client SHOULD validate that the data is well-formed base64 before decoding it and treat anything else as a protocol error, so that arbitrary bytes from a misbehaving server are not handed to the NTLM subsystem as though they were an NTLM message.

     + SP <Base 64-encoded-NTLM-message> CRLF
    
  • POP3_AUTH_NTLM_Fail_Response. This message is defined in [RFC1939] and indicates that the authentication has terminated unsuccessfully, either because the user name or password was incorrect or because of some other arbitrary error, such as a software or data corruption error. The status code does not distinguish between these causes, and the human-readable text is not a reliable indicator of them.

     -ERR SP <human-readable-string> CRLF
    
  • POP3_AUTH_NTLM_Succeeded_Response. This message is defined in [RFC1939] and indicates that the authentication negotiation has completed, with the client successfully authenticated to the server.

     +OK SP <human-readable-string> CRLF
    
  • POP3_AUTH_NTLM_Cancelled_Response. This message is defined in [RFC1939] and indicates that the authentication negotiation has been canceled at the client's request (see the POP3_AUTH_NTLM_Cancellation_Command). It is syntactically identical to the POP3_AUTH_NTLM_Fail_Response; a client can tell the two apart only by whether it has just sent a cancellation.

     -ERR SP <human-readable-string> CRLF
    
  • NTLM messages that the client base64-encodes and sends to the server are referred to as POP3_AUTH_NTLM_Blob_Command in this specification. They have the following syntax, defined in ABNF, and conform to [RFC1734]. Each command is a single line containing the base64 encoding of exactly one NTLM message.

     <Base 64-encoded-NTLM-message> CRLF
    
  • The client can cancel the authentication exchange at any point before it completes by issuing a POP3_AUTH_NTLM_Cancellation_Command. This has the following syntax defined in ABNF. The server is expected to answer with a POP3_AUTH_NTLM_Cancelled_Response ("-ERR"), which the client MUST read before issuing any further command.

     "*" CRLF
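The following is an added example, not text or code from this specification, showing the client side of the exchange described in this section: it builds the POP3_AUTH_NTLM_Initiation_Command, POP3_AUTH_NTLM_Blob_Command and POP3_AUTH_NTLM_Cancellation_Command, parses the server's POP3_NTLM_Supported_Response, POP3_AUTH_NTLM_Blob_Response, POP3_AUTH_NTLM_Fail_Response and POP3_AUTH_NTLM_Succeeded_Response strictly (only the status token carries meaning, base64 is validated before decoding, and anything unrecognized is a protocol error), and cancels if the server's blob is not an NTLM CHALLENGE_MESSAGE. All function and constant names are the example's own. The NTLM signature and the MessageType field offset are taken from [MS-NLMP], not from this section; the NTLM messages in the example are constructed stand-ins that carry only a signature and a type, and the "NTLM subsystem" is a stub.

```python
import base64
import struct

CRLF = "\r\n"
MAX_LINE = 8192                   # defensive cap on one server line (assumption)
NTLM_SIGNATURE = b"NTLMSSP\x00"   # per [MS-NLMP]; MessageType is a LE uint32 at offset 8


def initiation_command() -> str:
    """POP3_AUTH_NTLM_Initiation_Command."""
    return "AUTH NTLM" + CRLF


def blob_command(ntlm_message: bytes) -> str:
    """POP3_AUTH_NTLM_Blob_Command: one base64 line carrying one NTLM message."""
    return base64.b64encode(ntlm_message).decode("ascii") + CRLF


def cancellation_command() -> str:
    """POP3_AUTH_NTLM_Cancellation_Command."""
    return "*" + CRLF


def classify_response(line: str):
    """Classify one server line as (kind, payload).

    kind is 'supported', 'blob', 'ok', 'err' or 'malformed'. The human-readable
    text after +OK/-ERR is returned but never interpreted; a blob is decoded with
    strict base64 validation so junk from a misbehaving server is reported.
    """
    if len(line) > MAX_LINE or not line.endswith(CRLF):
        return ("malformed", None)
    body = line[:-len(CRLF)]
    if body in ("+", "+ "):           # empty initial challenge; bare "+" tolerated
        return ("supported", None)
    if body.startswith("+ "):
        try:
            raw = base64.b64decode(body[2:], validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            return ("malformed", None)
        return ("blob", raw)
    if body.startswith("+OK"):
        return ("ok", body[3:].lstrip(" "))
    if body.startswith("-ERR"):
        return ("err", body[4:].lstrip(" "))
    return ("malformed", None)


def ntlm_message_type(raw: bytes):
    """Return the NTLM MessageType (1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE) or None."""
    if len(raw) < 12 or raw[:8] != NTLM_SIGNATURE:
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def run_exchange(server_lines, negotiate, make_authenticate):
    """Drive the client side against a sequence of server lines.

    negotiate is the NEGOTIATE_MESSAGE bytes; make_authenticate maps the decoded
    CHALLENGE_MESSAGE to AUTHENTICATE_MESSAGE bytes (the NTLM subsystem).
    Returns (outcome, commands_sent).
    """
    lines = iter(server_lines)
    sent = [initiation_command()]
    kind, _ = classify_response(next(lines, ""))
    if kind == "err":                             # POP3_AUTH_NTLM_Fail_Response
        return ("unsupported", sent)
    if kind != "supported":                       # POP3_NTLM_Supported_Response expected
        return ("protocol-error", sent)
    sent.append(blob_command(negotiate))
    kind, payload = classify_response(next(lines, ""))
    if kind != "blob" or ntlm_message_type(payload) != 2:
        # Not a CHALLENGE: cancel instead of feeding junk to the NTLM subsystem,
        # then consume the server's POP3_AUTH_NTLM_Cancelled_Response (-ERR).
        sent.append(cancellation_command())
        classify_response(next(lines, ""))
        return ("cancelled", sent)
    sent.append(blob_command(make_authenticate(payload)))
    kind, _ = classify_response(next(lines, ""))
    if kind == "ok":                              # only +OK means authenticated
        return ("authenticated", sent)
    return ("failed" if kind == "err" else "protocol-error", sent)


# Constructed sample NTLM messages: signature + MessageType + zero padding only.
SAMPLE_NEGOTIATE = NTLM_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 20
SAMPLE_CHALLENGE = NTLM_SIGNATURE + struct.pack("<I", 2) + b"\x00" * 24


def stub_authenticate(challenge: bytes) -> bytes:
    """Stand-in for the NTLM subsystem; a real one derives the response from the challenge."""
    return NTLM_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 40


def sample_exchange():
    """A successful exchange against constructed server lines."""
    server = [
        "+ " + CRLF,                                 # POP3_NTLM_Supported_Response
        "+ " + blob_command(SAMPLE_CHALLENGE),       # POP3_AUTH_NTLM_Blob_Response
        "+OK User successfully logged on." + CRLF,   # POP3_AUTH_NTLM_Succeeded_Response
    ]
    return run_exchange(server, SAMPLE_NEGOTIATE, stub_authenticate)


if __name__ == "__main__":
    outcome, commands = sample_exchange()
    print(outcome, [c.rstrip() for c in commands])
```

The classifier deliberately keys only on the status token: a "-ERR" from a wrong password and a "-ERR" from a server-side fault look the same, as the section states, and the decision to cancel is taken from the decoded bytes (missing NTLM signature or wrong MessageType), not from any human-readable text.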