The Post Office Protocol (POP3)
use SMTP to send outgoing mail to an SMTP server. To retrieve mail messages, however, the Post Office Protocol (currently version 3)
is used. POP3 is a stateful protocol, progressing from one state to another, depending on the results of the transaction in progress and the commands that are issued. The states are listed here:
In this state, the
a username and password to authenticate the client to the mail server. In its original implementation, the protocol supports clear-text for username and password transmissions. This, of course, can be a security problem, and other techniques should be used in a secure environment.
In this state, the client issues commands and receives responses from the server.
In this state, the client has finished its commands (by issuing the
command), and the server can then delete messages that were
for deletion and close the TCP connection.
In the following sections, you'll see what happens during each state and the POP3 commands that can be used in each state. Similar to SMTP, commands are not case-sensitive and are either 3 or 4 characters long. The total length of arguments allowed for a command is 40 characters. Responses, however, can be up to 512
Finally, the status indicators that the POP3 server can return to the client are limited to only two:
Each of these status indicators can be followed by text that describes the response. In many cases, the response consists of multiple lines. Both the
status indicators must be sent by the server in uppercase only. When multiple lines are sent as part of a response, the same method used by SMTP to mark the end of the response is used: the period character on a line by itself.
The AUTHORIZATION State
A POP3 server typically listens on TCP port number 110 for incoming
from POP3 clients. After a TCP connection is established between the client and the POP3 server, the POP3 server sends a greeting to the client. At this point, the process is said to be in the AUTHORIZATION state. During this state, the client uses some authentication method to identify itself to the POP3 server. This can be clear-text username and password combinations, or it can be a more secure authorization method. For more information about secure forms of authentication when using POP3, see RFC 1734, "POP3 AUTHentication command." This RFC defines the
command that can be used to negotiate an authentication mechanism between the client and the server.
After the client has been authenticated to the POP3 server, the server attempts to gain an exclusive lock on the client's mailbox files. This lock
changes to the mailbox during the session so that the current collection of messages remains the same through the UPDATE state. Failure to lock the mailbox could allow new messages to
. As you'll find out in the
section, the server uses message
to identify each message in the mailbox. If new messages were allowed to enter the mailbox while the users were accessing it, it would be possible for confusion to exist during the UPDATE state,
if messages are to be deleted. Thus, the mailbox is locked so that it will
consistent for the current session.
The TRANSACTION State
After authentication has been performed successfully, the process enters into the TRANSACTION state, in which the client can send commands to the POP3 server. When finished issuing commands to the server, the client uses the
command to terminate the session. At this point, the server enters the UPDATE state.
The POP3 server
a unique message number, beginning with 1, to each message in the mailbox. During this TRANSACTION state, the client can use the following commands to communicate with the POP3 server:
This "status" command results in the server returning information about the mailbox to the client. This is called a
. The format is the
status indicator followed by a single space and then the number of messages currently in the mailbox. The drop listing also contains the
of the messages contained in the mailbox in octets (bytes).
This command can be
followed by a message number. If a message number is included, the POP3 server returns a "scan listing" for the specified message. If no message number is specified, the server responds with the
status indicator and then lists, line by line, a scan listing for each message in the mailbox. The scan listing consists of the message number followed by one single space and then the size of the message in octets.
This is the retrieve command used to pull copies of messages from the server. A message number must follow the
command. The server responds with the
status indicator, followed by a multiline response that consists of the actual text of the mail message itself. The message is
with the period character.
This command allows the client to request that a message be deleted from the POP3 server. Again, a specific message number is required. The message will be marked as deleted, but it still exists in the mailbox until the session enters the UPDATE state.
Again, the no operation command does nothing, but the POP3 server responds with the
This "reset" command causes any messages that have been marked as deleted to be reset to a nondelete state.
After the client has finished issuing commands to the server and processing the responses the POP3 server returns, the client issues the
that it is finished. This ends the TRANSACTION state.
The UPDATE State
command has been received by the POP3 server, the session enters the UPDATE state. In this state, the POP3 server can delete the mail messages that were previously marked for deletion by the client. Again, if the session is terminated (by a network failure, for example) before the client can issue the
command, messages that were marked for deletion are not deleted because the session never makes it to the UPDATE state.
When the POP3 server deletes messages during this state, it sends the
status indicator back to the client. If an error occurs trying to delete any of the messages, the
status indicator is returned to the client.
After deleting the messages, the server
other housekeeping chores, such as removing its lock on the mailbox, and then terminates the TCP connection.