watch this The wheels are turning, slowly turning. home
Telnet and IMAP4 incompatible! 2004-10-15

Recently on the IMAP4 implementors mailing list, the creator of the IMAP4 protocol had this to say:

You can not telnet to a modern IMAP or POP3 server, since TELNET does not have session encryption to protect the confidentiality of the password.

I guess modern servers only support connections over SSL (and telnet-ssl must not count as “TELNET”), and logging in with anything other than plaintext passwords is impossible by hand. Since I do this all the time, I thought it a bit odd. I suppose Mr. Crispin simply wanted to discourage insecure logins, or perhaps he just thinks it is difficult enough to respond to, say, a Cram-MD5 challenge that it may as well be considered impossible in casual conversation.

I’ve had this Python utility lying around for a while, this seems like a good opportunity to share it.


import sys
import hmac

def main(args=None):
    if args is None:
        args = sys.argv[1:]
    response = hmac.HMAC(args[1], args[2].decode('base64')).hexdigest()
    print (args[0] + ' ' + response).encode('base64')

if __name__ == '__main__':

I use it pretty frequently, since I work with IMAP4, SMTP, and POP3 servers and clients a lot, and it is generally too time consuming to use an actual client, and usually actual clients won’t give me the information I want anyway. Here’s an example of its usage (italics are things I send to the server, the rest is from the shell or received from the server):

exarkun@boson:~$ telnet 143
Connected to
Escape character is '^]'.
01 authenticate cram-md5
telnet> z

[1]+  Stopped                 telnet 143
exarkun@boson:~$ hmac username password bk04TXh3SURQSlJVNGlZbENRUkZWVmVMRXFEeEJWUzA=

exarkun@boson:~$ fg
telnet 143
01 OK Authentication successful
02 logout
* BYE Nice talking to you
02 OK LOGOUT successful
Connection closed by foreign host.

Perhaps telnet and IMAP4 are not as incompatible as one may otherwise have been led to believe…