Hello,
In the past (older dovecot versions) I've tuned the SQL "password_query"
of our mail server so that when the user has the account blocked for
some reason (expired, need password change, etc.) the query returns
nologin=1 and a verbose reason like reason="Your account is expired
please change the password" and it worked very well with IMAP clients.
I'm now seeing that despite the message returned by the SQL, the IMAP
server always returns a generic error "NO [AUTHENTICATIONFAILED]
Authentication failed."
I've set up an "always fail" query in a test installation (see below) and
with that, a simple openssl/telnet login simulation fails without
reporting the "ERRORDEBUG" reason.
> password_query = SELECT '%n' AS username, '%d' AS domain, 'ERRORDEBUG'
> AS reason, '1' AS nologin, CONCAT('{PLAIN}',RAND()) AS password;
Tested with:
> imapsrv# openssl s_client -connect imap2:993
> ---
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE AUTH=PLAIN] IPLNet IMAP ready.
> a login "someouser at dom" "password"
> a NO [AUTHENTICATIONFAILED] Authentication failed.
Also using doveadm auth:
> imapsrv# doveadm auth test someuser at dom
> Password:
> passdb: someuser at dom auth failed
> extra fields:
> ? user=someuser at dom
I've already done some source digging without conclusions; the code to
return the reason seems to be in place in the function
"imap_client_auth_result" at src/imap-login/client-authenticate.c.
What am I doing wrong?
Should the behaviour now be done in another way?
Best regards, keep up the good work on this fine software!
--
Best regards,
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Pedro Ribeiro
Politécnico de Lisboa, Serviços da Presidência
Departamento de Sistemas de Informação e Comunicações
Phone: +351 210 464 700 (general) / VoIP: 80100
Helpdesk: helpdesk at net.ipl.pt / https://www.net.ipl.pt
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=