Disabling auth fallback to PAM

martin f krafft madduck at madduck.net
Tue Nov 17 20:51:18 UTC 2015


Hi folks,

According to the wiki,¹ it's considered a feature of Dovecot and its
ability to support multiple authentication sources that "if the
password doesn't match in the first database, it checks the next
one".

¹) http://wiki.dovecot.org/Authentication/MultipleDatabases

I think it's great that Dovecot allows auth sources to be stacked
like this, but I am not sold on the idea that the next database
ought to be tried when a *password* does not match. Let me
elaborate:

If the first database has knowledge of a user, then it can (should)
be considered authoritative, and if the provided password does not
match, it's an authentication error right away. Only if the first
source does not possess any knowledge about a given user, then should
Dovecot proceed to query/check with the next database.

Can this be configured somehow?
If not, would it make sense to make this behaviour configurable?

Thanks,

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"the ships hung in the sky in much the same way that bricks don't."
                                 -- hitchhiker's guide to the galaxy
 
spamtraps: madduck.bogus at madduck.net
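
The two lookup policies contrasted in the message above, as an added example that is not part of the original post and is not Dovecot code. It is a simplified model in which every database, user name and password is constructed sample data and all function names are hypothetical.

```python
# Simplified model of stacked password databases; not Dovecot code.
# Databases are plain dicts of user -> password, constructed for illustration.
import hmac
from enum import Enum


class Result(Enum):
    OK = "ok"
    PASSWORD_MISMATCH = "password_mismatch"
    USER_UNKNOWN = "user_unknown"


def check(db, user, password):
    """Query one database and report why it failed, not just that it failed."""
    if user not in db:
        return Result.USER_UNKNOWN
    same = hmac.compare_digest(db[user].encode(), password.encode())
    return Result.OK if same else Result.PASSWORD_MISMATCH


def auth_fallthrough(dbs, user, password):
    """Behaviour quoted from the wiki: any failure moves on to the next database."""
    return any(check(db, user, password) is Result.OK for db in dbs)


def auth_authoritative(dbs, user, password):
    """Behaviour proposed in the post: the first database that knows the user decides."""
    for db in dbs:
        result = check(db, user, password)
        if result is not Result.USER_UNKNOWN:
            return result is Result.OK
    return False  # no database knows this user


# Constructed data: "alice" exists in both sources with different passwords.
FIRST_DB = {"alice": "correct-horse"}
SECOND_DB = {"alice": "old-system-pw", "bob": "bobs-pw"}
STACK = [FIRST_DB, SECOND_DB]

if __name__ == "__main__":
    attempts = [("alice", "correct-horse"), ("alice", "old-system-pw"), ("bob", "bobs-pw")]
    for user, pw in attempts:
        print(user, pw,
              "fallthrough:", auth_fallthrough(STACK, user, pw),
              "authoritative:", auth_authoritative(STACK, user, pw))
```

The second attempt is the case the message is about: the first database knows "alice" and rejects the password, yet the fall-through policy still accepts the login because the second database holds a different password for the same name.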