[Dovecot] Dovecot "authentication failed" interaction with Postfix
Hi,
I'm not sure if I should be posting this question here or on the Postfix mailing list, but I'll start here.
When using Dovecot SASL with Postfix, is there a way to return a login-failed reason in the SMTP AUTH dialog using "nologin", similar to the way it can be done with Dovecot IMAP and POP?
Details:
I have a Dovecot authentication-only daemon working with a Postfix server doing SMTP AUTH. The Dovecot configuration uses a MySQL driver to get the password information, and one of the fields in the database is "access". In my SQL query, I return a row only if "access" is non-zero. This all works -- I can shut down an account from accessing mail while retaining the user's original password.
password_query = SELECT username AS user, password FROM mailbox WHERE username = '%u' AND access != 0
Now, in my Dovecot IMAP and POP server configuration, I'm using "access" in a similar way, except that instead of not returning a row when "access" is zero, I return the "nologin" extra field (along with a "reason" field). The MySQL query for this is slightly tricky, but it works:
password_query = SELECT username AS user, password, NULLIF(access != 0, 1) AS nologin, 'Access not allowed for this account' AS reason FROM mailbox WHERE username = '%u'
While this second query works correctly with IMAP and POP authentication, it does not work with Postfix SMTP AUTH. Assuming the password is correct, the user is authenticated even when "access" is zero. It seems that either Postfix and/or dovecot-auth (I'm not sure which) is ignoring the "nologin" field in this case.
In addition, when using the first SQL query, nothing is returned as a reason following Postfix's message. For example:
AUTH PLAIN (correct password)
535 5.7.0 Error: authentication failed:   <-- no reason returned here
I'd like to return a reason here in the (optimistic :) hope that this will be shown to the user by the email client when an account is shut off.
Here's an example of it working correctly with IMAP with an account that is shut off:
001 LOGIN user (correct password)
001 NO Access not allowed for this account
On Sun, 2007-09-09 at 14:57 -1000, Julian Cowley wrote:
password_query = SELECT username AS user, password, NULLIF(access != 0, 1) AS nologin, 'Access not allowed for this account' AS reason FROM mailbox WHERE username = '%u'
..
While this second query works correctly with IMAP and POP authentication, it does not work with Postfix SMTP AUTH. Assuming the password is correct, the user is authenticated even when "access" is zero. It seems that either Postfix and/or dovecot-auth (I'm not sure which) is ignoring the "nologin" field in this case.
The "nologin" is kind of a hack. I don't think Postfix should even support it. The correct way to implement this would be to use something like:
SELECT username AS user, password, if(access!=0, NULL, 'Access not allowed') AS reason FROM mailbox WHERE username = '%u' AND access != 0;
This should fix Postfix, but I think Dovecot v1.0 doesn't like it then (v1.1 does). If it doesn't, you can kludge around it with returning "nologin" and:
.. AND (access != 0 or '%s' != 'smtp')
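The combined query from this thread (Julian's NULLIF version with Timo's per-service kludge appended), run against a constructed two-row mailbox table, as an added example that is not part of either message. SQLite stands in for MySQL (the NULLIF trick evaluates the same way in both), and expand() is a minimal stand-in for Dovecot's %variable expansion, covering only %u and %s.

```python
import sqlite3

# Constructed sample of the thread's "mailbox" table: one enabled account
# (access=1) and one that has been shut off (access=0).
MAILBOX_ROWS = [
    ("alice@example.com", "{PLAIN}alice-pw", 1),
    ("bob@example.com", "{PLAIN}bob-pw", 0),
]

# Julian's IMAP/POP query plus Timo's kludge: the access check is skipped for
# every service except smtp, so IMAP/POP still get a row carrying nologin and
# reason, while Postfix gets no row at all (a plain authentication failure).
PASSWORD_QUERY = (
    "SELECT username AS user, password, "
    "NULLIF(access != 0, 1) AS nologin, "
    "'Access not allowed for this account' AS reason "
    "FROM mailbox WHERE username = '%u' AND (access != 0 OR '%s' != 'smtp')"
)


def expand(query, user, service):
    """Stand-in for Dovecot's %u / %s expansion (assumption: only these two).

    Dovecot's SQL driver escapes the substituted values; the same single-quote
    doubling is applied here so a username cannot break out of the literal.
    """
    esc = lambda v: v.replace("'", "''")
    return query.replace("%u", esc(user)).replace("%s", esc(service))


def lookup(user, service):
    """Return the fields dovecot-auth would see for this login, or None if the
    query returned no row (which dovecot-auth reports as a failed login)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT, password TEXT, access INTEGER)")
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", MAILBOX_ROWS)
    conn.row_factory = sqlite3.Row
    row = conn.execute(expand(PASSWORD_QUERY, user, service)).fetchone()
    conn.close()
    if row is None:
        return None
    # NULL columns are not passed on as extra fields; only non-NULL ones are.
    # Note that "reason" is always non-NULL in this query; it only matters
    # when nologin is also present.
    return {k: row[k] for k in row.keys() if row[k] is not None}
```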
Participants (2): Julian Cowley, Timo Sirainen