POP3 protocol analysis

POP3 details 2.1. The typical communication process of receiving emails from the email server is as follows. 1) The user runs the user agent (such as Foxmail and Outlook Express ). 2) The user agent (hereinafter referred to as the client) establishes a TCP connection with port 110 of the mail server (hereinafter referred to as the server. 3) the client sends various commands to the server to request various services (such as querying email information and downloading an email ). 4) The server parses the user's commands, makes corresponding actions, and returns a response to the client. 5) 3) and 4) Alternate until all emails are received and forwarded to step 6), or the connection between the two is accidentally interrupted and exits directly. 6) The user agent parses the emails obtained from the server and presents them to the user in an appropriate form (such as readable. 2), 3), and 4) Communicate with POP3. We can see that commands and responses are the focus of POP3 communication, and we will focus on them. 2.2. commands and responses 2.2.1. There are not many POP3 commands in the format of COMMAND [Parameter] <CRLF>. COMMAND is the COMMAND name in ASCII format, Parameter is the corresponding COMMAND Parameter, and <CRLF> is the carriage return line break (0DH, 0AH ). The response of the www.2cto.com server is composed of a single command line or multiple command lines. The response starts with "+ OK" or "-ERR" on the first line, then add some ASCII text. "+ OK" and "-ERR" respectively indicate whether the operation status is successful or failed. 2.2.2. There are three statuses in the POP3 protocol: positive status, processing status, and update status. Command Execution can change the Protocol state. For a specific command, it can only be used in a specific State. For more information, see table 1 and RFC193. When a connection is established between the client and the server, its status is authentication. Once the client provides its identity and is successfully confirmed, the status is transferred to the processing status; after the corresponding operations are completed, the client issues the QUIT command (For details, refer to the subsequent content), then enters the update status, and then returns to the approval status. Of course, the QUIT command is executed in the approval status, releases a connection. The transfer between statuses 1 is shown. --- Establish connection --- | approve | -- authentication succeeded -- | process | -- execute QUIT -- | update | _______-QUIT ends _____________ |
Figure 1 POP3 status transition diagram approve status processing status update status establish connection execution QUITQUIT completion execution QUIT, release connection authentication successful 2.2.3. the syntax of commands and responses in one example is syntax. The meaning of each command and response is semantics, and the time relationship between each command and response is synchronization. We still use a simple POP3 communication process to describe the three elements of the Protocol. C: telnet pop3.126.com 110/* to connect to the 126 Mail Server via telnet */S: + OK Welcome to coremail Mail Pop3 Server (126 coms [3adb99eb4207ae5256632eecb8f8b4855])/* + OK, the command is successful, and the subsequent information varies with the server */C: USER bripengandre/* adopts plaintext authentication */S: + OK core mail www.2cto.com C: PASS Pop3world/* Send email password */S: + OK 654 message (s) [30930370 byte (s)]/* authentication successful, transfer to processing status */C: LIST 1/* display the information of the first email */S: + OK 1 5184. /* the size of the first email is 5184 bytes */C: UIDL 1/* returns the unique ID of the first email. Identifier */S: + OK 1 1tbisBsHaEX9byI9EQAAsd/* The long string after the number 1 is the unique identifier of the first email */C: RETR 1/* download the first email */S: + OK 5184 octets/* the size of the first email is 5184 bytes */S: Receive... /* Specific content of the first email */S :... C: QUIT/* Transfer to update status, and then transfer to authentication status */S: + OKC: QUIT/* exit connection */S: + OK core mail/* successfully exits the connection */for the above process, add the following content. 1) The line starting with "C:" (excluding "C:") is the input of the client, and the line starting with "S:" (excluding "S :") is the output of the server. 2) The preceding command may not succeed at a time, and the server will return an error response (starting with "-ERR"). The client should follow the time sequence specified by the Protocol, to enter Subsequent commands (or re-Execute failed commands, reset sessions, or quit sessions ). 3) the above process is schematic, and the actual process may be quite different from it. For example, encryption authentication (MD5 Digest authentication) may be used in the actual process ). 4) emails downloaded by RETR may be hard to understand, because they may use quoted-printable or base64 encoding. We can use user agent software such as Foxmail to decode them. Www.2cto.com 2.2.4. Common commands and response SMTP commands are case-insensitive, but the parameters are case-sensitive. For more information, see RFC1939. Common commands are shown in table 1. Description of the status in which the command parameter is used to authenticate USERUsername. If the command and the following pass command are successful, the status will be converted to update APOPName, digest authentication Digest is the MD5 message Digest STATNone Processing request server sends back mailbox statistics, such as the total number of emails and Total Bytes UIDL [Msg #] (Mail number, the same below) unique Identifier of the Response Message. Each identifier of a POP3 session will be a unique LIST [Msg #] Unique Identifier of the Response Message, each identifier of a POP3 session will be a unique RETR [Msg #]. The processing server will mark all the text DELE [Msg #] of the emails identified by parameters delete, the TOP [Msg #] processing server executed by the QUIT command returns the mail header + the first n lines of content identified by the parameter. n must be a positive integer NOOPNone. The processing server returns a positive response, used to test whether the connection is successfully processed and authenticated by QUITNone. 1) if the server In the "processing" status, it will enter the "Update" status to delete any emails marked as deleted, and return to the "authentication" status. 2) If the server is in the "authenticated" status, terminate the session and exit the Common commands connecting Table 1 POP3. The response starts with "+ OK" or "-ERR" as described in 2.2.1, followed by some readable descriptions and other parameters (for RETR, this parameter is the content of the email ). For more information, see RFC1939. Chapter 3rd. The biggest disadvantage of POP3 VS IMAPPOP3 over the Internet Message Access Protocol IMAP (Internet Message Access Protocol) is that it is only an offline Protocol, and the interaction between customers and servers is not particularly good. For example, you cannot directly create folders in your mailbox, and you may not be able to selectively download a part of the email (although the TOP Command partially implements this function, it is not interactive. However, it also has its own advantages, that is, the Protocol is simple, easy to implement, and the cost is low. This is the most important reason why POP3 is widely used and IMAP is almost eliminated. Chapter 7. Implementation solution IDProtocolCaptured contentsuser namepasswordsenderreceiversubjectcontentsattachments5POP3 √ Table 2 POP3 analysis requirements table 2 provides protocol analysis requirements. It is easy to see that it is easier to obtain fields. We can capture the interaction information between the client and the server, and then extract the desired field based on each command word or response word. For example, to obtain the user name, for plaintext verification, we only need to detect the USER in the sending information of the client, and then extract the parameter after the USER command. It should be noted that, although the client-server interaction information may be encoded or encrypted, we can still obtain the required information through decoding or decryption. Author lijun_soft