Search code examples
emailsmtpimapbasic-authentication

Are IMAP/SMTP credentials always the same as the user's login credentials?

Greetings!

This question pertains to Normal (or Plain) IMAP/SMTP Authentication.

Can we be sure that a user's IMAP username is exactly the same as his full email address? Can the two be different? What about his SMTP username? Can he have different passwords for IMAP and SMTP?

To make things concrete, consider a webmail user, John Doe:

  • Email address: john.doe@example.com
  • Login password: foo.bar.baz

Given that John uses the above credentials to sign in with his webmail provider, here's a series of yes–no questions:

  1. Can we be certain that John's IMAP username is john.doe@example.com?
    • 1.1. Could it be john.doe, john or something else?
  2. Can we be certain that John's IMAP password is foo.bar.baz?
  3. Can we be certain that John's SMTP username is john.doe@example.com?
  4. Can we be certain that John's SMTP password is foo.bar.baz?
  5. Can we be certain that John's IMAP password is the same as his SMTP password?
  6. Can we be certain that John's IMAP username is the same as his SMTP username?

I've been looking for these answers for a while now. If you can link to an RFC, that'd be awesome.

Thanks in advance. :)

Solution

  • SMTP and IMAP can be handled by disjoint programs, so no assurances there. Dovecot IMAP for example lets you freely choose to map username against mailbox name.