How do we disable LOGIN-REFERRALS? (part 2)

Timo Sirainen tss at iki.fi
Thu Dec 3 15:53:51 UTC 2015


> On 03 Dec 2015, at 17:20, sb <serbr at runbox.com> wrote:
> 
> On 12/3/15 2:49 PM, Timo Sirainen wrote:
> 
>> There is no code that can be disabled on Dovecot side.
>> I think you need to read how LOGIN-REFERRALs actually work.
> 
> This is an excerpt from the RFC:
> 
>> A home server referral may be returned in response to an AUTHENTICATE
>>   or LOGIN command, or it may appear in the connection startup banner.
>>   If a server returns a home server referral in a tagged NO response,
>>   that server does not contain any mailboxes that are accessible to the
>>   user.  If a server returns a home server referral in a tagged OK
>>   response, it indicates that the user's personal mailboxes are
>>   elsewhere, but the server contains public mailboxes which are
>>   readable by the user.  After receiving a home server referral, the
>>   client can not make any assumptions as to whether this was a
>>   permanent or temporary move of the user.
> The client and the server exchange relevant messages.

The client doesn't send anything to Dovecot regarding the use of LOGIN-REFERRALS. It simply does a regular authentication and if Dovecot is configured to send a login-referral then Dovecot responds so to the LOGIN or AUTHENTICATE command. The client can't request a referral in any way.

> If dovecot cannot disable
> the relevant code then either dovecot does not implement the RFC or it does it
> so well that it cannot be disabled without rewriting dovecot's code. In either case,
> we want to disable LOGIN-REFERRAL, and have evidence that it has been disabled.
> Removing the keyword from the banner is not sufficient, and the documentation
> PasswordDatabase.ExtraFields.Host.txt is far from useful.

Dovecot never sends a login referral unless you have explicitly configured passdb to send it. There are no commands, requests or anything related to LOGIN-REFERRALS that can be sent by an IMAP client to Dovecot. If you haven't configured a passdb to return a host field, there is zero code that can ever be executed that is in any way related to LOGIN-REFERRALS.
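
Added example, not part of the original message and not Dovecot code: one way to produce evidence that no referral is being sent is to scan the server side of a captured login exchange for the RFC's `[REFERRAL imap://...]` response code, separately from the capability keyword. The transcripts, the `C: `/`S: ` line prefixes and the host names are constructed assumptions.

```python
import re

# RFC 2221 response code carrying a login referral: [REFERRAL <imap-url>]
REFERRAL_RE = re.compile(r"\[REFERRAL\s+(imap://[^\]\s]+)\]", re.IGNORECASE)
CAPABILITY_RE = re.compile(r"\bCAPABILITY\b([^\]\r\n]*)", re.IGNORECASE)

# Constructed transcripts; "C: "/"S: " prefixes and host names are assumptions.
NO_REFERRAL = [
    "S: * OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=PLAIN] ready",
    "C: a1 LOGIN alice secret",
    "S: a1 OK Logged in",
]
WITH_REFERRAL = [
    "S: * OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=PLAIN] ready",
    "C: a1 LOGIN alice secret",
    "S: a1 NO [REFERRAL imap://alice;AUTH=*@mail2.example.org/] Try mail2",
]


def audit_transcript(lines):
    """Report whether LOGIN-REFERRALS is advertised and which referrals
    were actually sent, as (response kind and status, URL) pairs."""
    advertised = False
    referrals = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("S: "):
            continue  # only server responses can carry a referral
        resp = line[3:]
        cap = CAPABILITY_RE.search(resp)
        if cap and "LOGIN-REFERRALS" in cap.group(1).upper().split():
            advertised = True
        m = REFERRAL_RE.search(resp)
        if m:
            parts = resp.split()
            # untagged: "* OK"/"* BYE" (banner); tagged: "a1 NO"/"a1 OK"
            kind = "untagged" if parts[0] == "*" else "tagged"
            referrals.append((f"{kind} {parts[1].upper()}", m.group(1)))
    return {"advertised": advertised, "referrals": referrals}


if __name__ == "__main__":
    for name, t in (("no referral", NO_REFERRAL), ("referral", WITH_REFERRAL)):
        print(name, audit_transcript(t))
```

An empty `referrals` list across banner, LOGIN and AUTHENTICATE responses is the evidence; the `advertised` flag only reflects the capability string.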


