Hi folks,

According to the wiki,¹ it's considered a feature of Dovecot and its
ability to support multiple authentication sources that "if the
password doesn't match in the first database, it checks the next
one".

¹) http://wiki.dovecot.org/Authentication/MultipleDatabases

I think it's great that Dovecot allows auth sources to be stacked
like this, but I am not sold on the idea that the next database
ought to be tried when a *password* does not match. Let me
elaborate:

If the first database has knowledge of a user, then it can (should)
be considered authoritative, and if the provided password does not
match, it's an authentication error right away. Only if the first
source does not possess any knowledge about a given user, then should
Dovecot proceed to query/check with the next database.

Can this be configured somehow?
If not, would it make sense to make this behaviour configurable?

Thanks,

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"the ships hung in the sky in much the same way that bricks don't."
                                 -- hitchhiker's guide to the galaxy
 
spamtraps: madduck.bo...@madduck.net
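
The two policies contrasted in the message above, as an added example that is not part of the original post and is not Dovecot code: a small Python model that runs the same logins through a stacked chain under each policy and lists the users for whom they can disagree. The databases, passwords and all function names (`auth_fallthrough`, `auth_authoritative`, `divergent_users`) are constructed for illustration.

```python
"""Toy model of stacked password databases (constructed data, not Dovecot code)."""
import hmac

# Constructed sample databases: user -> password (plaintext only to keep the model short).
LDAP = {"alice": "correct horse battery staple"}
LEGACY_FILE = {"alice": "changeme", "bob": "bobs-own-secret"}
CHAIN = [("ldap", LDAP), ("legacy", LEGACY_FILE)]


def _matches(stored, supplied):
    # Constant-time comparison of the stored and supplied secrets.
    return hmac.compare_digest(stored.encode(), supplied.encode())


def auth_fallthrough(chain, user, password):
    """Behaviour quoted from the wiki: a password mismatch moves on to the next database."""
    for name, db in chain:
        if user in db and _matches(db[user], password):
            return name
    return None


def auth_authoritative(chain, user, password):
    """Behaviour proposed in the message: the first database that knows the user decides."""
    for name, db in chain:
        if user in db:
            return name if _matches(db[user], password) else None
    return None


def divergent_users(chain):
    """Users known to more than one database: under fall-through a later,
    possibly stale or weaker, credential is accepted for them as well."""
    seen, dupes = set(), set()
    for _, db in chain:
        dupes |= seen & set(db)
        seen |= set(db)
    return sorted(dupes)


if __name__ == "__main__":
    attempts = [("alice", "changeme"), ("alice", "correct horse battery staple"),
                ("bob", "bobs-own-secret"), ("carol", "x")]
    for user, pw in attempts:
        print(user, auth_fallthrough(CHAIN, user, pw), auth_authoritative(CHAIN, user, pw))
    print("users to audit:", divergent_users(CHAIN))
```

Each function returns the name of the database that accepted the login, or `None` on failure; the audit list is the set of accounts whose effective password strength is that of the weakest database holding them.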
