On 03 Dec 2015, at 17:20, sb serbr@runbox.com wrote:
> On 12/3/15 2:49 PM, Timo Sirainen wrote:
>> There is no code that can be disabled on Dovecot side. I think you need to read how LOGIN-REFERRALs actually work.
> This is an excerpt from the RFC:
> A home server referral may be returned in response to an AUTHENTICATE or LOGIN command, or it may appear in the connection startup banner. If a server returns a home server referral in a tagged NO response, that server does not contain any mailboxes that are accessible to the user. If a server returns a home server referral in a tagged OK response, it indicates that the user's personal mailboxes are elsewhere, but the server contains public mailboxes which are readable by the user. After receiving a home server referral, the client can not make any assumptions as to whether this was a permanent or temporary move of the user. The client and the server exchange relevant messages.
Client doesn't send anything to Dovecot regarding the use of LOGIN-REFERRALS. It simply does a regular authentication and if Dovecot is configured to send a login-referral then Dovecot responds so to the LOGIN or AUTHENTICATE command. The client can't request a referral in any way.
> If dovecot cannot disable the relevant code then either dovecot does not implement the RFC or it does it so well that it cannot be disabled without rewriting dovecot's code. In either case, we want to disable LOGIN-REFERRAL, and have evidence that it has been disabled. Removing the keyword from the banner is not sufficient, and the documentation PasswordDatabase.ExtraFields.Host.txt is far from useful.
Dovecot never sends a login referral unless you have explicitly configured passdb to send it. There are no commands, requests or anything related to LOGIN-REFERRALS that can be sent by IMAP client to Dovecot. If you haven't configured a passdb to return a host field, there is zero code that can ever be executed that is in any way related to LOGIN-REFERRALS.
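
Added example (not part of the original thread, and not Dovecot code): one way to collect wire-level evidence on this question is to scan a captured IMAP session for the LOGIN-REFERRALS capability keyword and for the RFC 2221 `[REFERRAL <url>]` response code in the places the RFC excerpt names (startup banner, tagged NO, tagged OK). The session lines, the `S: `/`C: ` prefixes, the host names and the function names are constructed for illustration.

```python
import re

# RFC 2221 response code: "<tag> OK|NO|BYE [REFERRAL <imap-url>] text"
REFERRAL_RE = re.compile(
    r"^(?P<tag>\S+) (?P<status>OK|NO|BYE) \[REFERRAL (?P<url>[^\]\s]+)\]", re.I)
# Capability keyword as a whole token, not as part of a longer word
CAPA_RE = re.compile(r"(?<![\w-])LOGIN-REFERRALS(?![\w-])", re.I)

# Meaning of a tagged referral, taken from the RFC excerpt quoted in the thread
MEANING = {
    "NO": "no mailboxes on this server are accessible to the user",
    "OK": "personal mailboxes are elsewhere; public mailboxes are readable here",
}

def audit_session(lines):
    """Scan the server lines ("S: ...") of a captured IMAP session.

    Returns (line_no, kind, detail) tuples; an empty list means the capture
    shows neither the capability keyword nor any referral response."""
    findings = []
    for no, raw in enumerate(lines, 1):
        if not raw.startswith("S: "):
            continue  # only server responses can carry a referral
        line = raw[3:].strip()
        if "CAPABILITY" in line.upper() and CAPA_RE.search(line):
            findings.append((no, "capability", "LOGIN-REFERRALS advertised"))
        m = REFERRAL_RE.match(line)
        if m:
            status = m["status"].upper()
            if m["tag"] == "*":
                kind, why = f"banner {status} referral", "sent in an untagged response"
            else:
                kind, why = f"tagged {status} referral", MEANING.get(status, "")
            findings.append((no, kind, f"{m['url']} ({why})"))
    return findings

# Constructed captures: a server with no referral configured, and one with it.
CLEAN_SESSION = [
    "S: * OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready.",
    "C: a1 LOGIN alice <redacted>",
    "S: a1 OK [CAPABILITY IMAP4rev1 IDLE] Logged in",
]
REFERRAL_SESSION = [
    "S: * OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=PLAIN] Dovecot ready.",
    "C: a1 LOGIN alice <redacted>",
    "S: a1 NO [REFERRAL imap://alice@mail2.example.com/] Try mail2.example.com.",
]

if __name__ == "__main__":
    for name, session in (("clean", CLEAN_SESSION), ("referral", REFERRAL_SESSION)):
        print(name, audit_session(session))
```

The capability keyword and the referral response are reported separately, so a capture where the keyword is absent but a `[REFERRAL ...]` code still appears (or the reverse) is visible as such.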