POP3

Section [POP3]

Added in version 1.0.0.dev5.

POP3.Server: list

Each server entry is mapped to an instance of pop3.POP3ServerConfig

Represents a list of POP3 server configuration sections. For guidance on defining section lists, refer to the general configuration documentation Array Tables of TOML.

Server.Port: int

Linked to pop3.POP3ServerConfig.pop3_port

Defines the port used by the POP3 server instance. This option is mandatory.

Important

This value must be specified within a [[POP3.Server]] section.

The attributes described below may also be specified in the global [POP3] section, where they will serve as default values for all individual server entries — unless explicitly overridden.

Server.FQDN: str = "Dementor"

Linked to pop3.POP3ServerConfig.pop3_fqdn. Can also be set in [POP3] or [Globals]

Specifies the Fully Qualified Domain Name (FQDN) hostname used by the POP3 server. The hostname portion of the FQDN will be included in server responses. The domain part is optional.

Server.Banner: str = "POP3 Server ready"

Linked to pop3.POP3ServerConfig.pop3_banner. Can also be set in [POP3]

Defines a custom banner to send in the server’s greeting message.

Server.AuthMechanisms: list[str] = [ "NTLM", "PLAIN", "LOGIN" ]

Linked to pop3.POP3ServerConfig.pop3_auth_mechs. Can also be set in [POP3]

Lists the supported SMTP authentication mechanisms. Currently implemented options:

  • LOGIN: Base64-encoded challenge-based login.

  • PLAIN: Sends credentials in cleartext.

  • NTLM: Implements NTLM authentication per [MS-SMTPNTLM]

You may remove LOGIN and PLAIN to force NTLM. For downgrade attacks, see SMTP.Server.Downgrade.

Server.Downgrade: bool = true

Linked to pop3.POP3ServerConfig.pop3_downgrade. Can also be set in [POP3]

Attempts to downgrade authentication from NTLM to weaker methods like LOGIN. This is only effective if the client is configured to permit plaintext authentication. See SMTP/IMAP/POP3 Downgrade for practical usage.

Server.TLS: bool = false

Linked to pop3.POP3ServerConfig.use_ssl. Can also be set in [POP3]

Enables SSL/TLS support using a custom certificate.

Server.Cert: str

Linked to pop3.POP3ServerConfig.certfile. Can also be set in [POP3] or [Globals]

Specifies the path to the certificate used when TLS is enabled.

Server.Key: str

Linked to pop3.POP3ServerConfig.keyfile. Can also be set in [POP3] or [Globals]

Specifies the private key file corresponding to the certificate used for TLS.

POP3.ExtendedSessionSecurity: bool = true

Maps to pop3.POP3ServerConfig.ntlm_ess

Enables NTLM Extended Session Security (ESS). When enabled, NTLMv1/NTLMv2-SSP hashes are captured instead of raw NTLM hashes. Resolution precedence:

  1. POP3.ExtendedSessionSecurity

  2. NTLM.ExtendedSessionSecurity (fallback)

POP3.Challenge: str = NTLM.Challenge

Maps to pop3.POP3ServerConfig.ntlm_challenge

Sets the NTLM challenge value. Resolution order:

  1. POP3.Challenge

  2. NTLM.Challenge

Default Configuration

POP3 configuration section (default values)
1[POP3]
2Banner = "POP3 Server ready"
3AuthMechanisms = ["NTLM", "PLAIN", "LOGIN"]
4Downgrade = true
5
6[[POP3.Server]]
7# plaintext
8Port = 110

Note

The default configuration does NOT include a POP3 server wrapped in an SSLContext. You can specify a custom POP3 server with TLS enabled like this:

Dementor.toml
[POP3]
# ...

[[POP3.Server]]
Port = 995
TLS = true  # must be set
Cert = "/path/to/certificate"
Key = "/path/to/key"