POP3 Interactive Testing

Back to top

What is POP3?

POP3 (pronounced as separate letters) is short for Post Office Pprotocol version 3. POP3 is also commonly referred to as POP. There were previous versions but they have almost universally been replaced by POP3. POP is a protocol used by Message User Agents (MUA) like Outlook, Thunderbird, etc. The POP protocol is normally used to download messages from the email server to the local machine. A very detailed description of POP can be found at Wikipedia.

In this guide we are looking at things that an administrator would be testing and verifying. This guide assumes that you already know the POP server's IP address and port that you wish to test. This guide is not going to cover the understanding of DNS and TCP/IP ports.

Back to top

Connecting to the POP Server

One of the most powerful tools to check all types of things on servers is the use of telnet with the port number of the daemon or service. The IEEE defined port for POP is 110, and all Internet accessible POP servers should be listening on port 110 for connections.

Below is an example of what a typical initial connection would look like:
The arrows denote messages from the server (<--) and commands sent to the server -->)

user@host ~ $ telnet pop.example.com 110

<--	Trying 10.0.0.1...
<--	Connected to pop.example.com.
<--	Escape character is '^]'.
<--	+OK pop3 server ready <d2dc99e8061cd1ef0cb7dc54079cc371@host>
-->	quit
<--	+OK goodbye
<--	Connection closed by foreign host.

In the next sections we will break down the parts of this connection.

Back to top

Standard POP Command / Response Format

Back to top

The first three lines (not including the telnet command) are all from the telnet program. The initial Banner / Greeting from the POP server is the line
+OK pop3 server ready <d2dc99e8061cd1ef0cb7dc54079cc371@host>

While all servers will have some variant on this, they should have at the very least the response (+OK or -ERR) and a human readable message.

  • Server Response (+OK)
  • Message (pop3 server ready)
  • APOP Support (<d2dc99e8061cd1ef0cb7dc54079cc371@host>) - optional

APOP support is an optional feature provided be some POP servers. It will be discussed later and shown how this line is used.

Back to top
Response Code

The server response codes are very simple. The only valid responses should be +OK and -ERR. POP is a very simple protocol and so are the response messages.

In almost all cases the response code will include a simple human readable message to explain the response.

Back to top

Basic POP Commands

There are several commands that can be used with a POP server. Below is a typical session with a server which will be broken down after it.

user@host ~ $ telnet pop.example.com 110

<--	Trying 10.0.0.1...
<--	Connected to pop.example.com.
<--	Escape character is '^]'.
<--	+OK pop3 server ready <d2dc99e8061cd1ef0cb7dc54079cc371@host>
-->	USER user@example.com
<--	+OK Password required for user@example.com
-->	PASS somepassword
<--	+OK user@example.com has 2 messages (499 octets)
-->	STAT
<--	+OK 2 499
-->	LIST
<--	+OK 2 messages (499 octets)
-->	1 234
-->	2 265
-->	.
<--	RETR 1
-->	+OK 234 octets
-->	<... Email messages is sent ...>
-->	.
<--	DELE 1
-->	+OK message 1 deleted
<--	QUIT
-->	+OK goodbye
<--	Connection closed by foreign host.
Back to top
USER

USER username - is expected by most all POP servers you connect to before any other commands. It is used to tell the server which user mailbox to apply future commands to.

Back to top
PASS

PASS password - This command is used to provide the password for the above user session. In most every case this will immediately follow the USER command.

Notice that once the password has been accepted that the response includes the total number of messages in the mailbox and the total disk storage size of the mailbox.

Back to top
STAT

STAT - is used to provide the mailbox status. The first number in the response (2 in this case) is the number of messages currently in stored in the mailbox. The second number (499 octets) is the storage space the mailbox is using on disk.

Back to top
LIST

LIST - is used to show a list of messages and their sizes. The output shows the message number representation (1, 2, 3, etc) as it is stored in the mailbox. The second number is the size of the message. When the list is finished there should be a single period (.) signifying the end of the list.

Back to top
RETR <message #>

RETR <message #> - is used to retrieve a specific message number from the mailbox. This message number corresponds to the number output by the LIST command. The output of this command will be the full raw email message ended by a single period (.) on a line.

Back to top
DELE <message #>

DELE <message #> - is used to delete a specific message from the mailbox. The message number corresponds to the number output by the LIST command.

This is a great way to deal with some clients that get stuck downloading a specific message for some reason. If you know the message number that it is stuck on, then you can just delete it.

Back to top
QUIT

QUIT - is used to tell the server that the session is complete and to close the TCP/IP connection.

Back to top

Authenticated POP (APOP)

APOP username <md5 hash> - APOP is used to pass the password portion of the login as an encrypted MD5 string. The MD5 tool will be required to compute the required hash to test.

Let's assume that we have a username of "bob" and a password of "test123".

An important part of the POP server banner is required to compute the MD5 hash. The portion after the message "<d2dc99e8061cd1ef0cb7dc54079cc371@host>", is the first part of the MD5 string. Then you add the password to the string to get "<d2dc99e8061cd1ef0cb7dc54079cc371@host>test123". Take the MD5 hash of the whole string and that is what is passed as the third argument to the APOP command.

In this example: md5(<d2dc99e8061cd1ef0cb7dc54079cc371@host>test123) = b5d18fe2604fa9045df20676d6a0cd3d

Here is an example of logging into a POP server using APOP.

user@host ~ $ telnet pop.example.com 110

<--	Trying 10.0.0.1...
<--	Connected to pop.example.com.
<--	Escape character is '^]'.
<--	+OK pop3 server ready <d2dc99e8061cd1ef0cb7dc54079cc371@host>
-->	APOP bob b5d18fe2604fa9045df20676d6a0cd3d
<--	+OK bob has 2 messages (499 octets)
<--	QUIT
-->	+OK goodbye
<--	Connection closed by foreign host.

Once you have successfully logged in with the APOP command all other commands previously discussed are the same.

Back to top
  • RFC 1939 (POP3) - The complete RFC for POP3, which includes APOP.
  • RFC 1734 (POP3 AUTH) - The RFC that covers the proposed AUTH command to POP. I don't believe this ever became a well supported option.