how to show FreeIPA/Kerberos Password expired on webmail login

Robert Kudyba rkudyba at fordham.edu
Fri Apr 30 23:09:25 EEST 2021


Using dovecot-2.3.14-1.fc33.x86_64 with FreeIPA & Kerberos, if a user's
password is expired in a web mail login, e.g., with Squirrelmail, the user
sees:
"Unknown user or password incorrect."

The dovecot logs show:
auth: Debug: client passdb out: FAIL    1       user=ouruser at ourdomain.edu
    code=pass_expired     reason=Password expired  original_user=ouruser
imap-login: Debug: Ignoring unknown passdb extra field: original_user
imap-login: Info: Aborted login (password expired): user=<
ouruser at ourdomain.edu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
secured, session=<jC/SEjbBGMV/AAAB>

Would this be a feature request to show this message to users?

Also, with debug logging there is a lot of log noise. Are these errors
normal?

Error: passwd-file: open(/etc/dovecot/users) failed: No such file or
directory

as well as:

auth: Debug: http-client: conn x.x.x.x:8084 [1]: Client connection failed
(fd=23)
auth: Debug: http-client[1]: peer x.x.x.x:8084: Connection failed (1
connections exist, 0 pending)
auth: Debug: http-client: peer x.x.x.x:8084: Failed to make connection (1
connections exist, 0 pending)
auth: Debug: http-client[1]: peer x.x.x.x:8084: Failed to establish any
connection within our peer pool: connect(x.x.x.x:8084) failed: Connection
refused (1 connections exist, 0 pending)
auth: Debug: http-client[1]: queue https://x.x.x.x:8084: Failed to set up
connection to x.x.x.x:8084 (SSL=x.x.x.x): connect(x.x.x.x:8084) failed:
Connection refused (1 peers pending, 1 requests pending)
auth: Debug: http-client[1]: peer x.x.x.x:8084: Unlinked queue
https://x.x.x.x:8084 (0 queues linked)
auth: Debug: http-client[1]: queue https://x.x.x.x:8084: Failed to set up
any connection; failing all queued requests
auth: Debug: http-client[1]: request [Req1: POST
https://x.x.x.x:8084/?command=allow]: Error: 9003 connect(x.x.x.x:8084)
failed: Connection refused
auth: Debug: http-client[1]: queue https://x.x.x.x:8084: Dropping request
[Req1: POST https://x.x.x.x:8084/?command=allow]
auth: Debug: http-client: host x.x.x.x: Host is idle (timeout = 100 msecs)
auth: Error: policy(ouruser at ourdomain.edu,127.0.0.1,<jC/SEjbBGMV/AAAB>):
Policy server HTTP error: connect(x.x.x.x:8084) failed: Connection refused
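
A log-triage sketch for the situation described above, added here as an example and not part of the original post or of Dovecot. It separates `code=pass_expired` failures from other auth failures and from the policy-server and passwd-file errors, so expired passwords can be reported even though the webmail shows only a generic message. The sample lines are constructed from the excerpts above, and the category names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the excerpts in the post above;
# users, sessions and the policy server address are placeholders.
SAMPLE_LOG = """\
auth: Debug: client passdb out: FAIL\t1\tuser=alice@example.edu\tcode=pass_expired\treason=Password expired\toriginal_user=alice
imap-login: Info: Aborted login (password expired): user=<alice@example.edu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<AAAAAAAAAAAAAAAA>
auth: Debug: client passdb out: FAIL\t2\tuser=bob@example.edu
auth: Error: policy(bob@example.edu,127.0.0.1,<BBBBBBBBBBBBBBBB>): Policy server HTTP error: connect(192.0.2.10:8084) failed: Connection refused
auth: Error: passwd-file: open(/etc/dovecot/users) failed: No such file or directory
"""

# key=value fields; a value may contain spaces ("reason=Password expired").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
PASSDB_FAIL_RE = re.compile(r"client passdb out: FAIL\s+\d+\s*(.*)$")
POLICY_ERR_RE = re.compile(r"auth: Error: policy\(([^,]+),.*?\): Policy server HTTP error: (.*)$")
PASSWD_FILE_RE = re.compile(r"passwd-file: open\((.+?)\) failed: (.*)$")

def classify(line):
    """Return (category, user, detail) for a relevant log line, else None."""
    m = PASSDB_FAIL_RE.search(line)
    if m:
        fields = dict(FIELD_RE.findall(m.group(1)))
        # code=pass_expired is what distinguishes an expired password
        # from a wrong one; the webmail user sees the same error for both.
        category = "password_expired" if fields.get("code") == "pass_expired" else "auth_failed"
        return (category, fields.get("user"), fields.get("reason", ""))
    m = POLICY_ERR_RE.search(line)
    if m:
        return ("policy_server_unreachable", m.group(1), m.group(2))
    m = PASSWD_FILE_RE.search(line)
    if m:
        return ("passwd_file_missing", None, f"{m.group(1)}: {m.group(2)}")
    return None  # imap-login lines are skipped so each failure counts once

def summarize(log_text):
    """Classify every line and count events per category."""
    events = [e for e in map(classify, log_text.splitlines()) if e]
    return events, Counter(category for category, _, _ in events)

if __name__ == "__main__":
    events, counts = summarize(SAMPLE_LOG)
    for event in events:
        print(event)
    print(dict(counts))
```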