The Nonauthenticated State

All IMAP sessions begin in the Nonauthenticated State. The client cannot issue most commands until it has properly authenticated to the server, which it does by issuing either the AUTHENTICATE or the LOGIN command.

Once a LOGIN or AUTHENTICATE is completed successfully, the IMAP session enters the Authenticated State.

In most cases, authentication uses the basic username/password scheme. This is initiated by the client with a LOGIN command. The username and password to use are given as arguments to the command, on the same line.

The server response for a LOGIN command is a single line result, showing the tagged server status response.

An example login using basic authentication looks like this for a user named “wallace” and a password of “gromit”:

Client:  A345 LOGIN wallace gromit
Server:  A345 OK LOGIN completed

The AUTHENTICATE command requests authentication by a named authentication mechanism. This command is only used if the basic authentication scheme (based on a username and password) is not to be used. This command allows IMAP servers and clients to support an unlimited number of authentication mechanisms and allows the client to choose the most secure one at the time of the request. To ensure that every IMAP client has the ability to connect to any IMAP server, the basic username/password mechanism must be supported by all implementations.

How do we know in advance which authentication mechanisms a given server supports? The CAPABILITY command will return any special authentication mechanisms in its response, each prefixed with the string “AUTH=” (see the CAPABILITY example, given previously).
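As an added illustration (not code from the book), the following sketch parses an untagged CAPABILITY response, collects the “AUTH=” mechanisms, and decides whether the client should issue AUTHENTICATE or fall back to LOGIN. The preference order and the sample response lines are assumptions constructed for this example; LOGINDISABLED is a capability defined in RFC 3501 and is not discussed on this page.

```python
import re

# Assumed client policy, strongest first. PLAIN is left out on purpose: like
# LOGIN, it hands the password itself to the server.
PREFERENCE = ["SCRAM-SHA-256", "SCRAM-SHA-1", "GSSAPI", "CRAM-MD5"]


def parse_capability(line):
    """Split one untagged CAPABILITY response into (auth mechanisms, other atoms)."""
    match = re.match(r"^\*\s+CAPABILITY\s+(.*)$", line.strip(), re.IGNORECASE)
    if not match:
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    mechanisms, others = [], set()
    for atom in match.group(1).split():
        upper = atom.upper()  # capability names are case-insensitive
        if upper.startswith("AUTH="):
            if len(upper) > len("AUTH="):  # ignore an empty mechanism name
                mechanisms.append(upper[len("AUTH="):])
        else:
            others.add(upper)
    return mechanisms, others


def choose_auth(line, preference=PREFERENCE):
    """Return ("AUTHENTICATE", mechanism) or ("LOGIN", None); raise if neither is usable."""
    mechanisms, others = parse_capability(line)
    for mech in preference:
        if mech in mechanisms:
            return ("AUTHENTICATE", mech)
    # RFC 3501: a server advertising LOGINDISABLED will reject LOGIN, so do not
    # send the password at all.
    if "LOGINDISABLED" in others:
        raise RuntimeError("no acceptable mechanism offered and LOGIN is disabled")
    return ("LOGIN", None)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    samples = [
        "* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=GSSAPI",
        "* CAPABILITY IMAP4rev1",
        "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
    ]
    for sample in samples:
        try:
            print(sample, "->", choose_auth(sample))
        except RuntimeError as exc:
            print(sample, "-> refused:", exc)
```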

If a server supports the mechanism requested by the client, the server responds with a protocol exchange to complete the authentication. If not, the server returns a BAD result. The BAD result is also sent from the server if the authentication fails for any other reason (e.g., bad credentials).

Because each new authentication mechanism defines its own protocol, we won’t show an example here. If you would like to implement an IMAP server or client with enhanced authentication capability, we refer you to the various RFCs. Table 11-4 lists the commands that are valid in the Nonauthenticated State.

Table 11-4. IMAP4rev1 Commands Valid in the Nonauthenticated State

| Command | Arguments | Description | Response |
|---|---|---|---|
| AUTHENTICATE | Authentication mechanism name | The client uses this command to request authentication using the specified mechanism. If the server supports the mechanism, an authentication protocol exchange follows. | Continuation data may be requested. |
| LOGIN | username and password | This command uses the simplest means of authenticating a user to the server. | None |
