Hello,
In the past (older dovecot versions) I've tuned the SQL "password_query" of our mail server so that when the user has the account blocked for some reason (expired, need password change, etc.) the query returns nologin=1 and a verbose reason like reason="Your account is expired please change the password" and it worked very well with IMAP clients.
I'm now seeing that despite the message returned by the SQL, the IMAP server always returns a generic error "NO [AUTHENTICATIONFAILED] Authentication failed."
I've set up an "always fail" query in a test installation (see below) and with that, a simple openssl/telnet login simulation fails without reporting the "ERRORDEBUG" reason.
password_query = SELECT '%n' AS username, '%d' AS domain, 'ERRORDEBUG' AS reason, '1' AS nologin, CONCAT('{PLAIN}',RAND()) AS password;
Tested with:
imapsrv# openssl s_client -connect imap2:993
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] IPLNet IMAP ready.
a login "someouser@dom" "password"
a NO [AUTHENTICATIONFAILED] Authentication failed.
Also using doveadm auth:
imapsrv# doveadm auth test someuser@dom
Password:
passdb: someuser@dom auth failed
extra fields:
  user=someuser@dom
I've already done some source digging without conclusions; the code to return the reason seems to be in place in the function "imap_client_auth_result" at src/imap-login/client-authenticate.c
What am I doing wrong?
Should the behaviour now be done in another way?
Best regards, keep up the good work on this fine software!
--
Best regards,