Hello,
In the past (older dovecot versions) I've tuned the SQL "password_query"
of our mail server so that when the user has the account blocked for
some reason (expired, need password change, etc.) the query returns
nologin=1 and a verbose reason like reason="Your account is expired
please change the password" and it worked very well with IMAP clients.
I'm now seeing that despite the message returned by the SQL, the IMAP
server always returns a generic error "NO [AUTHENTICATIONFAILED]
Authentication failed."
I've set up an "always fail" query in a test installation (see below) and
with that, a simple openssl/telnet login simulation fails without
reporting the "ERRORDEBUG" reason.

password_query = SELECT '%n' AS username, '%d' AS domain, 'ERRORDEBUG'
AS reason, '1' AS nologin, CONCAT('{PLAIN}',RAND()) AS password;

Tested with:

imapsrv# openssl s_client -connect imap2:993
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE AUTH=PLAIN] IPLNet IMAP ready.
a login "someouser@dom" "password"
a NO [AUTHENTICATIONFAILED] Authentication failed.

Also using doveadm auth:

imapsrv# doveadm auth test someuser@dom
Password:
passdb: someuser@dom auth failed
extra fields:
user=someuser@dom

I've already done some source digging without conclusions, the code to
return the reason seems to be in place in the function
"imap_client_auth_result" at src/imap-login/client-authenticate.c.
What am I doing wrong?
Should the behaviour now be done in another way?
Best regards, keep up the good work in this fine software!
--
Best regards,
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Pedro Ribeiro
Politécnico de Lisboa, Serviços da Presidência
Departamento de Sistemas de Informação e Comunicações
Phone: +351 210 464 700 (general) / VoIP: 80100
Helpdesk: helpd...@net.ipl.pt / https://www.net.ipl.pt
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
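
A repeatable form of the manual openssl check above, as an added example that is not part of the original post: it parses the tagged IMAP reply to the LOGIN command and reports whether the passdb `reason` text reached the client or was replaced by the generic failure. The function names and the `WANTED` transcript are constructed for illustration; the `[ALERT]` response code in it is an assumption, and only the reply text is compared.

```python
import re

# Tagged IMAP status line: tag SP (OK|NO|BAD) [SP "[" code [SP args] "]"] [SP text]
_STATUS = re.compile(
    r"^(?P<tag>\S+) (?P<status>OK|NO|BAD)"
    r"(?: \[(?P<code>[^\]\s]+)(?: (?P<args>[^\]]*))?\])?"
    r"(?: (?P<text>.*))?$",
    re.IGNORECASE,
)

def parse_status(line):
    """Parse one server status line; return a dict, or None for any other line."""
    m = _STATUS.match(line.rstrip("\r\n"))
    if m is None:
        return None  # client command, continuation line, or other data
    d = m.groupdict()
    return {"tag": d["tag"], "status": d["status"].upper(),
            "code": (d["code"] or "").upper(), "text": d["text"] or ""}

def classify_login(transcript, tag, expected_reason):
    """Classify the tagged reply to a LOGIN command found in a session transcript."""
    for line in transcript.splitlines():
        resp = parse_status(line)
        if resp is None or resp["tag"] != tag:
            continue
        if resp["status"] == "OK":
            return "login-allowed"    # nologin was not enforced at all
        if expected_reason in resp["text"]:
            return "reason-relayed"   # the passdb reason reached the client
        return "generic-failure"      # the reason was dropped before the client
    raise ValueError("no tagged reply for %r in transcript" % tag)

# Session as shown in the post, with the wrapped greeting joined onto one line.
OBSERVED = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "IDLE AUTH=PLAIN] IPLNet IMAP ready.\n"
    'a login "someouser@dom" "password"\n'
    "a NO [AUTHENTICATIONFAILED] Authentication failed.\n"
)
# Constructed transcript: what a relayed reason could look like (assumed shape).
WANTED = 'a login "someuser@dom" "password"\na NO [ALERT] ERRORDEBUG\n'

if __name__ == "__main__":
    for name, session in (("observed", OBSERVED), ("wanted", WANTED)):
        print(name, "->", classify_login(session, "a", "ERRORDEBUG"))
```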