[Dovecot] Improvements to "Authentication failed" error

Timo Sirainen tss at iki.fi
Mon Oct 6 00:51:59 EEST 2008


Probably one of the most commonly asked questions is "Why does Dovecot
just say authentication failed"? It would be nice to be able to get rid
of these questions by having Dovecot itself point out the
http://wiki.dovecot.org/WhyDoesItNotWork link. But how to do this? There
are two groups of people here:

1) People who look at logs after seeing the "Authentication failed" from
a client/telnet session.

2) People who don't even think about looking at logs.

I'm thinking that the group 1 could be handled by having Dovecot log the
link once as an informational message if the first authentication attempt
fails and it's from localhost. This shouldn't cause problems I think.

Group 2 is more difficult though, and I fear they're also the ones
asking this question more often than group 1. I think the only solution
would be to change the IMAP/POP3 error message for them. So instead of:

NO Authentication failed.

they'd get something more usable. So:

2a) NO Authentication failed. See http://wiki.dovecot.org/WhyDoesItNotWork.
2b) NO Authentication failed. Refer to server log for more information.
2c) NO Authentication failed. Enable auth_debug in server for more information.

But there are some problems I think:

 - If it's done only for connections from localhost, the error messages
would be different from localhost vs. elsewhere, which might confuse
some log parser scripts.

 - Some people are running stunnel or some other proxies, causing all
connections to appear from localhost. Also webmails often run in
localhost. So it can't be assumed that only admins will see the error
message. I think this rules out 2a) message. I'm certain I don't want
end users emailing me and asking why they can't connect to their server
because they saw that link.

 - Sending 2b) for all connections could be a solution, but it might be
confusing for end users. They of course can't refer to server log. Also
unless the wiki link is logged for every failure or auth_debug is
enabled, there's nothing useful in the server log.

 - Sending 2c) for all connections when auth_debug isn't enabled (and
plain "Authentication failed" when it is) might also work, but it's
again confusing to end users since they can't do that.

Any thoughts?