Skip to main content

POP URL Scheme

The information below is for an old version of the document that is already published as an RFC.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 2384.
Author Randall Gellens
Last updated 2020-01-21 (Latest revision 1998-02-13)
RFC stream Legacy stream
Intended RFC status Proposed Standard
Stream Legacy state (None)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Became RFC 2384 (Proposed Standard)
Telechat date (None)
Responsible AD (None)
Send notices to (None)
Internet Draft: POP URL Scheme                               R. Gellens
Document: draft-gellens-pop-url-01.txt           QUALCOMM, Incorporated
Expires: 12 August 1998                                12 February 1998

                             POP URL Scheme

Status of this Memo:

    This document is an Internet Draft.  Internet Drafts are working
    documents of the Internet Engineering Task Force (IETF), its Areas,
    and its Working Groups.  Note that other groups may also distribute
    working documents as Internet Drafts.

    Internet Drafts are draft documents valid for a maximum of six
    months.  Internet Drafts may be updated, replaced, or obsoleted by
    other documents at any time.  It is not appropriate to use Internet
    Drafts as reference material or to cite them other than as a
    "working draft" or "work in progress."

    To learn the current status of any Internet Draft, please check the
    "1id-abstracts.txt" listing contained in the Internet Drafts shadow
    directories on (Africa), (Europe), (Pacific Rim), (US East Coast), or (US West Coast).

    A version of this draft document is intended for submission to the
    RFC editor as a Proposed Standard for the Internet Community.
    Discussion and suggestions for improvement are requested.

1.  Introduction

    [POP3] is a widely-deployed mail access protocol.  Many programs
    access POP3 message stores, and thus need POP3 configuration
    information.  Since there are multiple configuration elements which
    are required in order to access a mailbox, a single string
    representation is convenient.

    A POP3 mailbox (like an [IMAP4] mailbox) is a network resource, and
    URLs are a widely-supported generalized representation of network

    A means of specifying a POP3 mailbox as a URL will likely be useful
    in many programs and protocols.  [ACAP] is one case where a string
    encapsulation of elements required to access network services is
    needed.  For example, an [IMAP4] message store is usually specified
    in ACAP datasets as an [IMAP-URL].

Gellens                   Expires August 1998                   [Page 1]

Internet Draft               POP URL Scheme               February 1998

    This memo defines a URL scheme for referencing a POP mailbox.

2.  Conventions Used in this Document

    The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
    in this document are to be interpreted as defined in "Key words for
    use in RFCs to Indicate Requirement Levels" [KEYWORDS].

3.  POP Scheme

    The POP URL scheme designates a POP server, and optionally a port
    number, authentication mechanism, authentication ID, and/or
    authorization ID.

    The POP URL follows the common Internet scheme syntax as defined in
    RFC 1738 [BASIC-URL] except that clear text passwords are not
    permitted.  If :<port> is omitted, the port defaults to 110.

    The POP URL is described using [ABNF] in Section 8.

    A POP URL is of the general form:


    Where <user>, <host>, and <port> are as defined in RFC 1738, and
    some or all of the elements, except "pop:" and <host>, may be

4.  POP User Name and Authentication Mechanism

    An authorization (which mailbox to access) and authentication
    (whose password to check against) identity (referred to as "user
    name" for simplicity) and/or authentication mechanism name may be
    supplied.  These are used in the "USER", "APOP", or "AUTH"
    [POP-AUTH] commands after making the connection to the POP server.
    If the URL doesn't supply an authentication identifier, the program
    interpreting the POP URL SHOULD request one from the user.

    An authentication mechanism can be expressed by adding
    ";AUTH=<enc_auth_type>" to the end of the user name.  If the
    authentication mechanism is not "APOP", it is a SASL POP [POP-AUTH]
    mechanism. When such an <enc_auth_type> is indicated, the client
    SHOULD request appropriate credentials from that mechanism and use
    the "AUTH" or "APOP" commands instead of the "USER" command.  If no
    user name is specified, one SHOULD be obtained from the mechanism
    or requested from the user as appropriate.

Gellens                   Expires August 1998                   [Page 2]

Internet Draft               POP URL Scheme               February 1998

    The string ";AUTH=*" indicates that the client SHOULD select an
    appropriate authentication mechanism.  It MAY use any mechanism
    supported by the POP server.

    If a user name is included with no authentication mechanism, then
    ";AUTH=*" is assumed.

    Since URLs can easily come from untrusted sources, care must be
    taken when resolving a URL which requires or requests any sort of
    authentication.  If authentication credentials are supplied to the
    wrong server, it may compromise the security of the user's account.
    The program resolving the URL should make sure it meets at least
    one of the following criteria in this case:

    (1) The URL comes from a trusted source, such as a referral server
    which the client has validated and trusts according to site policy.
    Note that user entry of the URL may or may not count as a trusted
    source, depending on the experience level of the user and site

    (2) Explicit local site policy permits the client to connect to the
    server in the URL.  For example, if the client knows the site
    domain name, site policy may dictate that any hostname ending in
    that domain is trusted.

    (3) The user confirms that connecting to that domain name with the
    specified credentials and/or mechanism is permitted.

    (4) A mechanism is used which validates the server before passing
    potentially compromising client credentials.

    (5) An authentication mechanism is used which will not reveal
    information to the server which could be used to compromise future

    A URL containing ";AUTH=*" should be treated with extra care since
    it might fall back on a weaker security mechanism. Finally, clients
    are discouraged from using a plain text password as a fallback with
    ";AUTH=*" unless the connection has strong encryption (e.g., a key
    length of greater than 56 bits).

    Note that if unsafe or reserved characters such as " " or ";" are
    present in the user name or authentication mechanism, they MUST be
    encoded as described in RFC 1738 [BASIC-URL].

5.  Relative POP URLs

    Relative POP URLs are not permitted.

Gellens                   Expires August 1998                   [Page 3]

Internet Draft               POP URL Scheme               February 1998

6.  Multinational Considerations

    Since 8-bit characters are not permitted in URLs, [UTF8] characters
    are encoded as required by the URL specification [BASIC-URL].

7.  Examples

    The following examples demonstrate how a POP client program might
    translate various POP URLs into a series of POP commands. Commands
    sent from the client to the server are prefixed with "C:", and
    responses sent from the server to the client are prefixed with

    The URL:


    Results in the following client commands:

       <request password from user>
       <connect to, port 110>
       S: +OK POP3 server ready <>
       C: USER rg
       S: +OK
       C: PASS secret
       S: +OK rg's mailbox has 2 messages (320 octets)

    The URL:


    Results in the following client commands:

       <client requests password from user>
       <connect to, port 8110>
       S: +OK POP3 server ready <>
       C: APOP rg c4c9334bac560ecc979e58001b3e22fb
       S: +OK mailbox has 1 message (369 octets)

    The URL:


    Results in the following client commands:

       <connect to, port 110>
       S: +OK POP3 server ready <>
       S: + dGVzdHNhbHQBAAAAaW1hcEBlbGVhbm9yLmlubm9zb2Z0LmNvbQBq

Gellens                   Expires August 1998                   [Page 4]

Internet Draft               POP URL Scheme               February 1998

       C: AQAAAMg9jU8CeB4KOfk7sUhSQPs=
       S: + U0odqYw3B7XIIW0oSz65OQ==
       S: +OK mailbox has 1 message (369 octets)

8.  ABNF for POP URL scheme

    The POP URL scheme is described using [ABNF]:

       achar            = uchar / "&" / "=" / "~"
                               ; see [BASIC-URL] for "uchar" definition

       auth             = ";AUTH=" ( "*" / enc_auth_type )

       enc_auth_type    = 1*achar
                             ; encoded version of [POP-AUTH] "auth_type"

       enc_user         = 1*achar
                             ; encoded version of [POP3] mailbox

       popurl           = "pop://" server

       server           = [userauth "@"] hostport
                             ; See [BASIC-URL] for "hostport" definition

       userauth         = enc_user [auth]

9.  Security Considerations

    Security considerations discussed in the [POP3] specification and
    the [BASIC-URL] specification are relevant.  Security
    considerations related to authenticated URLs are discussed in
    section 4 of this document.

    Many email clients store the plain text password for later use
    after logging into a POP server.  Such clients MUST NOT use a
    stored password in response to a POP URL without explicit
    permission from the user to supply that password to the specified
    host name.

10.  Acknowledgements

    This document borrows heavily from Chris Newman's [IMAP-URL]
    specification, and has attempted to follow the advice in

Gellens                   Expires August 1998                   [Page 5]

Internet Draft               POP URL Scheme               February 1998

11.  References

    [ABNF] Crocker, Overell, "Augmented BNF for Syntax Specifications:
    ABNF", RFC 2234, Internet Mail Consortium, Demon Internet Ltd.,
    November 1997. <>

    [ACAP] Newman, Myers, "ACAP -- Application Configuration Access
    Protocol", RFC 2244, Innosoft, Netscape, November 1997.

    [BASIC-URL] Berners-Lee, Masinter, McCahill, "Uniform Resource
    Locators (URL)", RFC 1738, CERN, Xerox Corporation, University of
    Minnesota, December 1994. <>

    [IMAP-URL] Newman, C., "IMAP URL Scheme", RFC 2192, Innosoft,
    September 1997. <>

    [IMAP4] Crispin, M., "Internet Message Access Protocol - Version
    4rev1", RFC 2060, University of Washington, December 1996.

    [KEYWORDS] Bradner, "Key words for use in RFCs to Indicate
    Requirement Levels", RFC 2119, Harvard University, March 1997.

    [POP-AUTH] Myers, J., "POP3 AUTHentication command", Netscape
    Communications, November 1997, work in progress.

    [POP3] Myers, J., Rose, M., "Post Office Protocol -- Version 3",
    RFC 1939, Carnegie Mellon, Dover Beach Consulting, Inc., May 1996.

    [URL-GUIDELINES] Masinter, Alvestrand, Zigmond, "Guidelines for new
    URL Schemes", Xerox Corporation, UNINETT A/S, Wink Communications,
    work in progress, December 1997.

    [UTF8] Yergeau, F. "UTF-8, a transformation format of Unicode and
    ISO 10646", RFC 2044, Alis Technologies, October 1996.

12.  Author's Address

   Randall Gellens                    +1 619 651 5115
   QUALCOMM, Incorporated             +1 619 651 5334 (fax)
   6455 Lusk Blvd.                    Randy@Qualcomm.Com
   San Diego, CA  92121-2779

Gellens                   Expires August 1998                   [Page 6]