In the enclosed patch, there are four changes 
1. add support for the optional CAPA pop command, since it is needed
   for starttls support discovery
2. add support for the STLS pop command
3. replace home-grown file-like methods and replace them with ssl
   socket's makefile() in POP3_SSL
4. Properly shutdown sockets at close() time to avoid server-side pile-up

The needed changes to documentation if the patch gets accepted

You might split your patch into smaller patches, example:
  * patch 1: implement CAPA method
  * patch 2: POP3_SSL refatoring
  * patch 3: stls() method

Comments:
- Do you really need to keep a reference to the "raw" socket 
(self._sock) for a SSL connection?
- I don't understand what is sock.shutdown(SHUT_RDWR). When is it 
needed? Does it change the behaviour?
- Could you write a method to parse the capabilities because I hate 
long lambda function. You may write doctest for the new method :-)

I understand the need to keep things simple, but this time the split
seemed a bit overkill. If needed, I'll redo the patch into a small
series. Thinking of it... I was unsure if it really made sense to split
out smtp/pop/imap patches instead of sending them all at once... :-)

As for the shutdown before close, it's needed to let the server know
we are leaving, instead of waiting until socket timeout. This is the
reason I need to keep the reference to the wrapped socket.

You don't usually configure maildrop servers to limit the number/rate of
connects as you do on smtp servers; still, you could get into problems
with stateful forewalls or the like.

> As for the shutdown before close, it's needed to let the server know
> we are leaving, instead of waiting until socket timeout.

Extracts of an UNIX FAQ [1]:
"Generally the difference between close() and shutdown() is: close() 
closes the socket id for the process but the connection is still 
opened if another process shares this socket id."

"i have noticed on some (mostly non-unix) operating systems though a 
close by all processes (threads) is not enough to correctly flush 
data, (or threads) is not. A shutdown must be done, but on many 
systems it is superfulous."

So shutdown() is useless on most OS, but it looks like it's better to 
use it ;-)

> This is the reason I need to keep the reference to the wrapped 
socket.

You don't need to do that. The wrapper already calls shutdown() of the 
parent socket (see Lib/ssl.py).

[1] http://www.developerweb.net/forum/archive/index.php/t-2940.html

I'm reasonably sure Victor is right about the original socket being
unneeded. How does the series look now?

"lst[1:] if len(lst)>1 else []" is useless, lst[1:] alone does the 
same :-) So it can be simplify to:
  def _parsecap(line):
     lst = line.split()
     return lst[0], lst[1:]

You might add a real example in the capa() docstring.

About poplib_02_sock_shutdown.diff: I'm not sure that poplib is the 
right place to fix the issue... if there is really an issue. Why not 
calling shutdown directly in socket.close()? :-)

You removed self._sock, nice.

Changed CAPA as requested: now there is a proper docstring, and the
useless if ... else ... is gone.

As for the shutdown/close comment, I think there could be cases
where you are going to close but don't want to shutdown: e.g. you might
close a dup-ed socket, but the other owner would want to continue
working with his copy of the socket.

There is a problem I forgot to state with test_anonlogin:
since I try and test both SSL and starttls, the DoS checker at cmu kicks
in and refuse the login attempt in PopSSLTest. Since I'd rather avoid
cheating, I'm leaning to try logging in as SomeUser, and expecting a
failure in both cases. Comments?

I'm enclosing the expected-failure version of test_popnet. It's much
simpler to talk and comment about something you can see!

How is going? Any hope for 2.7/3.2?

Ping...

Any hope for 2.7/3.2?