Timo Sirainen
2008-Oct-05 21:51 UTC
[Dovecot] Improvements to "Authentication failed" error
Probably one of the most commonly asked questions is "Why does Dovecot just say authentication failed"? It would be nice to be able to get rid of these questions by having Dovecot itself point out the http://wiki.dovecot.org/WhyDoesItNotWork link. But how to do this? There are two groups of people here:

1) People who look at logs after seeing the "Authentication failed" from a client/telnet session.

2) People who don't even think about looking at logs.

I'm thinking that group 1 could be handled by having Dovecot log the link once as an informational message if the first authentication attempt fails and it's from localhost. This shouldn't cause problems, I think.

Group 2 is more difficult though, and I fear they're also the ones asking this question more often than group 1. I think the only solution would be to change the IMAP/POP3 error message for them. So instead of:

NO Authentication failed.

they'd get something more usable. So:

2a) NO Authentication failed. See http://wiki.dovecot.org/WhyDoesItNotWork.

2b) NO Authentication failed. Refer to server log for more information.

2c) NO Authentication failed. Enable auth_debug in server for more information.

But there are some problems I think:

- If it's done only for connections from localhost, the error messages would be different from localhost vs. elsewhere, which might confuse some log parser scripts.

- Some people are running stunnel or some other proxies, causing all connections to appear from localhost. Also webmails often run on localhost. So it can't be assumed that only admins will see the error message. I think this rules out the 2a) message. I'm certain I don't want end users emailing me and asking why they can't connect to their server because they saw that link.

- Sending 2b) for all connections could be a solution, but it might be confusing for end users. They of course can't refer to the server log. Also, unless the wiki link is logged for every failure or auth_debug is enabled, there's nothing useful in the server log.

- Sending 2c) for all connections when auth_debug isn't enabled (and plain "Authentication failed" when it is) might also work, but it's again confusing to end users since they can't do that.

Any thoughts?
Timo Sirainen
2008-Oct-05 21:58 UTC
[Dovecot] Improvements to "Authentication failed" error
On Mon, 2008-10-06 at 00:51 +0300, Timo Sirainen wrote:
> 2) People who don't even think about looking at logs.

Oh, one more alternative to this I thought of: Even though these people don't read logs, they probably restart Dovecot manually at some point (if they don't give up immediately). Dovecot could track if all auth attempts in its existence have failed (e.g. /var/lib/dovecot/auth-fails exists) and if so, when starting up it'd write something like:

If you have trouble with authentication failures, enable auth_debug_passwords setting. http://wiki.dovecot.org/WhyDoesItNotWork
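A constructed model of the two mechanisms sketched in the two messages above (the once-only localhost log line from the first, and the startup hint driven by a persistent failure record from the second), added here as an example and not Dovecot's own code. The class and file names are assumptions, and a small counter file replaces the bare marker file so that "every attempt ever failed" survives restarts.

```python
import json
import os
import tempfile

# Constructed model of the two hints proposed in the thread; not Dovecot's own code.
WIKI_URL = "http://wiki.dovecot.org/WhyDoesItNotWork"
LOCALHOST = ("127.0.0.1", "::1")


class AuthHintPolicy:
    """state_path stands in for the thread's /var/lib/dovecot/auth-fails marker, but
    holds failure/success counts so 'every attempt ever failed' survives restarts."""

    def __init__(self, state_path):
        self.state_path = state_path
        self.link_logged = False   # wiki link goes to the log at most once per process
        self.log = []              # stands in for the server log
        self.state = {"failures": 0, "successes": 0}
        if os.path.exists(state_path):
            with open(state_path) as f:
                self.state = json.load(f)

    def startup_hint(self):
        # Admin-facing startup message, only while no login has ever succeeded.
        if self.state["failures"] and not self.state["successes"]:
            return ("If you have trouble with authentication failures, enable "
                    "auth_debug_passwords setting. " + WIKI_URL)
        return None

    def record(self, remote_ip, success):
        # Record one attempt and return the reply sent to the client.
        self.state["successes" if success else "failures"] += 1
        with open(self.state_path, "w") as f:
            json.dump(self.state, f)
        if success:
            return "OK Logged in."
        # Group 1 hint: log the link once, for local attempts only. Proxies and
        # webmail also look local, so this stays in the log, never in the reply.
        if remote_ip in LOCALHOST and not self.link_logged:
            self.link_logged = True
            self.log.append("auth failed from localhost; see " + WIKI_URL)
        # One reply string for every source, so users and log parsers see the same.
        return "NO Authentication failed."


def demo():
    # Two local failures, one remote failure, a restart, then a success.
    path = os.path.join(tempfile.mkdtemp(), "auth-state.json")
    first = AuthHintPolicy(path)
    replies = [first.record(ip, False) for ip in ("127.0.0.1", "::1", "10.0.0.5")]
    restarted = AuthHintPolicy(path)   # hint appears because nothing has succeeded
    hint = restarted.startup_hint()
    restarted.record("127.0.0.1", True)
    return len(first.log), replies, hint, AuthHintPolicy(path).startup_hint()
```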
Seth Mattinen
2008-Oct-06 00:47 UTC
[Dovecot] Improvements to "Authentication failed" error
Timo Sirainen wrote:
> Probably one of the most commonly asked question is "Why does Dovecot
> just say authentication failed"? It would be nice to be able to get rid
> of these questions by having Dovecot itself point out the
> http://wiki.dovecot.org/WhyDoesItNotWork link. But how to do this? There
> are two groups of people here:
>
> 1) People who look at logs after seeing the "Authentication failed" from
> a client/telnet session.
>
> 2) People who don't even think about looking at logs.
>
> Any thoughts?

Honestly - and no offense to anyone on this list who's new - people need to learn how to help themselves to a certain point. "My password doesn't work and I know it's right" without ever bothering to 1) look at the documentation or 2) look at a log is hopeless. At the very least *everyone* should be able to read the documentation. The documentation which will tell them #2. I mean, is it really that hard?

Reading the docs and asking "I don't understand blah blah on page blah" is understandable, but someone not reading and expecting the same answer to the same question over and over (hence docs or a FAQ) is not your problem.

There's no point in trying to program in fancy conditions for errors like this. It's just silly. Even if you make these changes I'll bet you it doesn't make a difference. The same group you're trying to help will see the long, wordy error message, glaze over it, and go straight to "my password doesn't work and I know it's right".

~Seth
tomas at tuxteam.de
2008-Oct-06 05:48 UTC
[Dovecot] Improvements to "Authentication failed" error
On Mon, Oct 06, 2008 at 12:58:35AM +0300, Timo Sirainen wrote:
> On Mon, 2008-10-06 at 00:51 +0300, Timo Sirainen wrote:
> > 2) People who don't even think about looking at logs.
>
> Oh, one more alternative to this I thought of:

I still think 2b is best ("refer to server log"). You might add "or system administrator", but I'd think even this is overkill. I bet there will be people not reading even this[1]. They'll have to do the first step sometime.

[1] and no, I don't think it's bad intentions or laziness -- it's just lack of habit in debugging.

Regards
--
tomás
Patrick Ben Koetter
2008-Oct-06 07:28 UTC
[Dovecot] Improvements to "Authentication failed" error
* Timo Sirainen <dovecot at dovecot.org>:
> Probably one of the most commonly asked question is "Why does Dovecot
> just say authentication failed"? It would be nice to be able to get rid
> of these questions by having Dovecot itself point out the
> http://wiki.dovecot.org/WhyDoesItNotWork link. But how to do this? There
> are two groups of people here:
>
> 1) People who look at logs after seeing the "Authentication failed" from
> a client/telnet session.
>
> 2) People who don't even think about looking at logs.
>
> I'm thinking that the group 1 could be handled by having Dovecot log the
> link once as informational message if the first authentication attempt
> fails and it's from localhost. This shouldn't cause problems I think.
>
> Group 2 is more difficult though, and I fear they're also the ones
> asking this question more often than group 1.. I think the only solution
> would be to change the IMAP/POP3 error message for them. So instead of:
>
> NO Authentication failed.

I don't agree. To me the problem is a role conflict (user vs. sysadm) and a failure to follow standard sysadm procedures.

The "NO Authentication failed." message is a message sent to the user. It's meant to be simple, and the message we are talking about says exactly what happened. All the options you are thinking of are making it more complicated, and this would irritate any user (role). I would not send a mixture of user and sysadm notes in the failure message.

Pointing people to the log points to a starting point only, but it's not a debugging procedure. I don't think this will solve the problem. People will have a look at the log and then they will show up on the list and yell "Authentication failed and I took a look at the log, but it didn't tell what's wrong."

Instead I'd leave the message as simple as it is and - if you haven't done so yet - I would prepare documentation that describes debugging procedures, and I would send that link to anybody who refuses to show up prepared. This gives them what they need: Instructions to debug authentication problems.

p at rick

--
state of mind
Agency for Communication, Design and Software Development

Patrick Koetter              Tel: 089 45227227
Echinger Strasse 3           Fax: 089 45227226
85386 Eching                 Web: http://www.state-of-mind.de

Amtsgericht München, Partnership Register PR 563