Probably one of the most commonly asked questions is "Why does Dovecot just say authentication failed?" It would be nice to be able to get rid of these questions by having Dovecot itself point out the http://wiki.dovecot.org/WhyDoesItNotWork link. But how to do this? There are two groups of people here:
1) People who look at logs after seeing the "Authentication failed" from a client/telnet session.
2) People who don't even think about looking at logs.
I'm thinking that group 1 could be handled by having Dovecot log the link once as an informational message if the first authentication attempt fails and it's from localhost. This shouldn't cause problems, I think.
Group 2 is more difficult though, and I fear they're also the ones asking this question more often than group 1. I think the only solution would be to change the IMAP/POP3 error message for them. So instead of:
NO Authentication failed.
they'd get something more usable. So:
2a) NO Authentication failed. See http://wiki.dovecot.org/WhyDoesItNotWork.
2b) NO Authentication failed. Refer to server log for more information.
2c) NO Authentication failed. Enable auth_debug in server for more information.
But there are some problems, I think:
If it's done only for connections from localhost, the error messages would be different from localhost vs. elsewhere, which might confuse some log parser scripts.
Some people are running stunnel or some other proxies, causing all connections to appear from localhost. Also webmails often run in localhost. So it can't be assumed that only admins will see the error message. I think this rules out 2a) message. I'm certain I don't want end users emailing me and asking why they can't connect to their server because they saw that link.
Sending 2b) for all connections could be a solution, but it might be confusing for end users. They of course can't refer to the server log. Also, unless the wiki link is logged for every failure or auth_debug is enabled, there's nothing useful in the server log.
Sending 2c) for all connections when auth_debug isn't enabled (and plain "Authentication failed" when it is) might also work, but it's again confusing to end users since they can't do that.
Any thoughts?