3.2.5.3 Processing a Request in the UsernameReceived State

When the server receives a request in the UsernameReceived state, the server MUST attempt to parse it according to the auth_login_password_response ABNF rule specified in section 2.2.2. The server MUST attempt to base64-decode the Username associated with the connection and the password included in the request and check that the Username corresponds to a valid user and that the password is a valid password for that user. The process of validating the Username and password is implementation-specific.

If the username and password are valid, the server MUST end the authentication by responding with a 235 response, as specified in [RFC4954] section 6. If the username or password is invalid, the server MUST end the authentication by responding with a 535 response, as specified in [RFC4954] section 6.