Re: IdPOP3Server returns '+OK Login OK' without the authentication

Giganews Newsgroups
Subject: Re: IdPOP3Server returns '+OK Login OK' without the authentication
Posted by:  Remy Lebeau \(Indy Team\) (no.spam@no.spam.com)
Date: Tue, 9 Jan 2007

"Fumio Kawamata" <fum…@my.email.ne.jp> wrote in message
news:20070108214812.8C9D.FUM…@my.email.ne.jp...

>  +OK Welcome to Indy POP3 Server
>  USER myaccount#actual_pop3server:110 abc (*)
>  +OK Password required
>  PASS ********
>  +OK Login OK
>  STAT
>  -ERR Command Not Handled: STAT

There is nothing wrong with that log.  Why do you think it is broken?

> It seemed that the IdPOP3Server returns '+OK Login OK' without
> the authentication

No, it does not.  Authentication does occur.

> I did not handle the IdPOP3ServerCheckUser yet.

OnCheckUser is triggered when the PASS command has been received.
Authentication does not occur when the USER command is received.  That
is by design.

> it confused me that the IdPOP3Server returns '+OK Login OK'
> without checking the user name and the password.

Yes, it does check the username and password before sending the '+OK
Login OK' response.  The OnCheckUser event is triggered before the
PASS response is sent to the client.  It is the event handler's
responsibility to raise an exception if the authentication fails.  If
no exception is raised, then authentication is asumed to be
successful.

> I searched about this behavior in this newsgroup but I could not
> find the answer.  So, I will ask.  Is this a correct behavior
> of the TIdPOP3Server?

Yes, it is.  There is nothing wrong with what you have described so
far.  The USER command sends back an +OK response witout triggering
the OnCheckUser event.  The PASS command will trigger the OnCheckUser
event before then sending back its own +OK response.

Gambit

Replies

In response to

IdPOP3Server returns '+OK Login OK' without the authentication posted by Fumio Kawamata on Mon, 08 Jan 2007