The Nonauthenticated State

All IMAP sessions begin in the Nonauthenticated State. The client cannot issue most commands until it has properly authenticated to the server, which it does by issuing either the AUTHENTICATE or the LOGIN command.

Once a LOGIN or AUTHENTICATE is completed successfully, the IMAP session enters the Authenticated State.

In most cases, authentication uses the basic username/password scheme. This is initiated by the client with a LOGIN command. The username and password to use are given as arguments to the command, on the same line.

The server response to a LOGIN command is a single-line result: the tagged server status response.

For a user named “wallace” with a password of “gromit”, an example login using basic authentication looks like this:

Client:  A345 LOGIN wallace gromit
Server:  A345 OK LOGIN completed
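
As an added example (not code from the book), this Python sketch shows the client side of the LOGIN exchange above: it builds the command line with both arguments as IMAP quoted strings, rejects CR, LF and NUL in them because the arguments travel on the command line itself, and leaves the Nonauthenticated State only on a tagged OK whose tag matches. The names `Session`, `build_login` and `quote_string` are assumptions made for the illustration; the quoted form `"wallace"` is equivalent to the bare `wallace` shown above.

```python
import re

# Tagged status response: "<tag> OK|NO|BAD <text>". Untagged lines start with "*".
_TAGGED = re.compile(r"^(?P<tag>[^\s*+]+) (?P<status>OK|NO|BAD)(?: (?P<text>.*))?$", re.I)


def quote_string(value: str) -> str:
    """Encode one LOGIN argument as an IMAP quoted string (hypothetical helper)."""
    if not value.isascii() or any(c in value for c in "\r\n\0"):
        # A CR or LF inside an argument would end the command line early,
        # so the rest of the value would reach the server as a new command.
        raise ValueError("argument must be 7-bit text without CR, LF or NUL")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_login(tag: str, user: str, password: str) -> bytes:
    """Return the complete LOGIN command line, arguments on the same line."""
    return f"{tag} LOGIN {quote_string(user)} {quote_string(password)}\r\n".encode("ascii")


class Session:
    """Tracks the two states this section describes (hypothetical class)."""

    def __init__(self) -> None:
        self.state = "NONAUTHENTICATED"

    def handle_response(self, tag: str, line: str):
        """Return "OK", "NO" or "BAD" for the tagged reply to `tag`, else None."""
        m = _TAGGED.match(line.rstrip("\r\n"))
        if m is None or m["tag"] != tag:
            return None  # untagged data or a reply to some other command
        status = m["status"].upper()
        if status == "OK":
            self.state = "AUTHENTICATED"
        return status


if __name__ == "__main__":
    session = Session()
    print(build_login("A345", "wallace", "gromit"))
    # The untagged greeting is a constructed sample; the tagged line is from the text.
    for reply in ("* OK server ready", "A345 OK LOGIN completed"):
        print(repr(reply), "->", session.handle_response("A345", reply), session.state)
```
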

The AUTHENTICATE command requests authentication by a named authentication mechanism. This command is only used if the basic authentication scheme (based on a username and password) is not to be used. This command allows IMAP servers and clients to support an unlimited number of authentication mechanisms and allows the client to choose the most secure one at the time of the request. To ensure that every IMAP client has the ability to connect to any IMAP server, the basic username/password mechanism must be supported by all implementations.

How do we know in advance which authentication mechanisms a given server supports? The CAPABILITY command will return ...
