[Dovecot] Dovecot "authentication failed" interaction with Postfix

Julian Cowley julian at lava.net
Mon Sep 10 03:57:21 EEST 2007


Hi,

I'm not sure if I should be posting this question here or on the Postfix 
mailing list, but I'll start here.

When using Dovecot SASL with Postfix, is there a way to return a 
login-failed reason in the SMTP AUTH dialog using "nologin", similar to 
the way it can be done with Dovecot IMAP and POP?

Details:

I have a Dovecot authentication-only daemon working with a Postfix server 
doing SMTP AUTH.  The Dovecot configuration uses a MySQL driver to get the 
password information, and one of the fields in the database is "access". 
In my SQL query, I return a row only if "access" is non-zero.  This all 
works -- I can shut down an account from accessing mail while retaining 
the user's original password.

password_query = SELECT username AS user, password FROM mailbox WHERE username = '%u' AND access != 0

Now, in my Dovecot IMAP and POP server configuration, I'm using "access" 
in a similar way, except that instead of not returning a row when "access" 
is zero, I return the "nologin" extra field (along with a "reason" field). 
The MySQL query for this is slightly tricky, but it works:

password_query = SELECT username AS user, password, NULLIF(access != 0, 1) AS nologin, 'Access not allowed for this account' AS reason FROM mailbox WHERE username = '%u'

While this second query works correctly with IMAP and POP authentication, 
it does not work with Postfix SMTP AUTH.  Assuming the password is 
correct, the user is authenticated even when "access" is zero.  It seems 
that either Postfix and/or dovecot-auth (I'm not sure which) is ignoring 
the "nologin" field in this case.

In addition, when using the first SQL query, nothing is returned as a 
reason following Postfix's message.  For example:

AUTH PLAIN (correct password)
535 5.7.0 Error: authentication failed:     <-- no reason returned here

I'd like to return a reason here in the (optimistic :) hope that this will 
be shown to the user by the email client when an account is shut off.

Here's an example of it working correctly with IMAP with an account that 
is shut off:

001 LOGIN user (correct password)
001 NO Access not allowed for this account
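The behaviour described in this post, as an added illustration that is not part of the original message or of Dovecot's own code: the two password_query variants above are run against a constructed mailbox table in SQLite, and a deliberately simplified, hypothetical model of how dovecot-auth treats the returned row (no row means a bare failure; a non-NULL nologin extra field means a failure that carries the reason; otherwise the password is compared) shows why the first query can never produce a reason while the second does. Dovecot's %u placeholder is replaced by a bound parameter so the queries run here; the table contents, the plaintext password comparison and the authenticate() model are assumptions of this example, not Dovecot or Postfix behaviour.

```python
import hmac
import sqlite3

# Constructed sample rows (not from the original post): one enabled account, one shut off.
MAILBOX_ROWS = [
    ("alice", "alice-pass", 1),
    ("bob", "bob-pass", 0),
]

# The first query from the post: a disabled account simply returns no row.
# Dovecot's %u is replaced by a bound parameter so sqlite3 can run it (assumption).
QUERY_NO_ROW = (
    "SELECT username AS user, password FROM mailbox "
    "WHERE username = ? AND access != 0"
)

# The second query from the post: every account returns a row, and the
# NULLIF(access != 0, 1) trick makes the nologin extra field NULL (absent)
# for enabled accounts and non-NULL (present) for disabled ones.
QUERY_NOLOGIN = (
    "SELECT username AS user, password, NULLIF(access != 0, 1) AS nologin, "
    "'Access not allowed for this account' AS reason "
    "FROM mailbox WHERE username = ?"
)


def build_db():
    """Create an in-memory mailbox table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT, access INTEGER)"
    )
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", MAILBOX_ROWS)
    return conn


def nologin_field(conn, username):
    """Return the raw nologin value the second query yields for a user
    (None when the extra field is absent, i.e. the account is enabled)."""
    row = conn.execute(QUERY_NOLOGIN, (username,)).fetchone()
    return None if row is None else row["nologin"]


def authenticate(conn, query, username, password):
    """Hypothetical model of dovecot-auth's handling of a passdb row.

    Returns (success, reason):
      - no row at all       -> (False, None): generic failure, nothing to report
      - nologin is non-NULL -> (False, reason): login refused with a reason
      - otherwise           -> compare the password
    """
    row = conn.execute(query, (username,)).fetchone()
    if row is None:
        return (False, None)
    if "nologin" in row.keys() and row["nologin"] is not None:
        return (False, row["reason"])
    # Constant-time comparison of the constructed plaintext credential.
    if hmac.compare_digest(row["password"].encode(), password.encode()):
        return (True, None)
    return (False, None)


if __name__ == "__main__":
    db = build_db()
    for query_name, query in (("no-row query", QUERY_NO_ROW), ("nologin query", QUERY_NOLOGIN)):
        for user, pw, _ in MAILBOX_ROWS:
            print(query_name, user, authenticate(db, query, user, pw))
```

Running the block shows the disabled account failing with no reason under the first query and with "Access not allowed for this account" under the second, which matches the IMAP exchange quoted above; whether the SMTP AUTH path honours the extra field is the open question of the post and is not modelled here.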
