dovecot - Sep 2007 - Dovecot "authentication failed" interaction with Postfix

Hi,

I'm not sure if I should be posting this question here or on the Postfix 
mailing list, but I'll start here.

When using Dovecot SASL with Postfix, is there a way to return a 
login-failed reason in the SMTP AUTH dialog using "nologin", similar
to
the way it can be done with Dovecot IMAP and POP?

Details:

I have a Dovecot authentication-only daemon working with a Postfix server 
doing SMTP AUTH.  The Dovecot configuration uses a MySQL driver to get the 
password information, and one of the fields in the database is
"access".
In my SQL query, I return a row only if "access" is non-zero.  This
all
works -- I can shut down an account from accessing mail while retaining 
the user's original password.

password_query = SELECT username AS user, password FROM mailbox WHERE username =
'%u' AND access != 0

Now, in my Dovecot IMAP and POP server configuration, I'm using
"access"
in a similar way, except that instead of not returning a row when
"access"
is zero, I return the "nologin" extra field (along with a
"reason" field).
The MySQL query for this is slightly tricky, but it works:

password_query = SELECT username AS user, password, NULLIF(access != 0, 1) AS
nologin, 'Access not allowed for this account' AS reason FROM mailbox
WHERE username = '%u'

While this second query works correctly with IMAP and POP authentication, 
it does not work with Postfix SMTP AUTH.  Assuming the password is 
correct, the user is authenticated even when "access" is zero.  It
seems
that either Postfix and/or dovecot-auth (I'm not sure which) is ignoring 
the "nologin" field in this case.

In addition, when using the first SQL query, nothing is returned as a 
reason following Postfix's message.  For example:

AUTH PLAIN (correct password)
535 5.7.0 Error: authentication failed:     <-- no reason returned here

I'd like to return a reason here in the (optimistic :) hope that this will 
be shown to the user by the email client when an account is shut off.

Here's an example of it working correctly with IMAP with an account that 
is shut off:

001 LOGIN user (correct password)
001 NO Access not allowed for this account

On Sun, 2007-09-09 at 14:57 -1000, Julian Cowley wrote:
> password_query = SELECT username AS user, password, NULLIF(access != 0, 1)
AS nologin, 'Access not allowed for this account' AS reason FROM mailbox
WHERE username = '%u'
..
> While this second query works correctly with IMAP and POP authentication, 
> it does not work with Postfix SMTP AUTH.  Assuming the password is 
> correct, the user is authenticated even when "access" is zero. 
It seems
> that either Postfix and/or dovecot-auth (I'm not sure which) is
ignoring
> the "nologin" field in this case.
The "nologin" is kind of a hack. I don't think Postfix should even
support it. The correct way to implement this would be to use something
like:

SELECT username AS user, password, if(access!=0, NULL, 'Access not
allowed') AS reason WHERE username = '%u' AND access != 0;

This should fix Postfix, but I think Dovecot v1.0 doesn't like it then
(v1.1 does). If it doesn't, you can kludge around it with returning
"nologin" and:

.. AND (access != 0 or '%s' != 'smtp')

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20070922/2784e32a/attachment-0002.bin>