I recently upgraded from 2.3 to 2.4.1, a little unwillingly (thanks Fedora), and I've almost got 2.4.1 working on my failover mail server. The failover server's job is, if the main mail server is inaccessible, mail gets delivered to the failover instead. Then the main server will retrieve mail from the failover server when it can.
This has worked very well for many years. The way I implemented it was, I had two passdbs on the failover server: one for ordinary users who might need to access the failover server directly (login and password required), and one so that the main mail server could grab mail from the failover server (no password required). This broke when I went to 2.4.1; now, no matter what I do, Dovecot honors only one of the passdbs.
Here is the configuration as it stands now. The intention is that, if the user properly authenticates with the first passdb, they're authenticated and the second passdb isn't consulted. But if the user doesn't authenticate with the first passdb, Dovecot moves on to the second passdb.
# the passdb for normal users to check their mail on the failover server
passdb passwd-file {
  passwd_file_path = /vmail/Maildir/passwdfile
  passdb_result_success = return-ok
  passdb_result_failure = continue-fail
}

# the passdb for the main server to grab mail from the failover server
passdb passwd-file {
  passwd_file_path = /vmail/Maildir/passwdfile
  passdb_skip = authenticated
  fields {
    nopassword = yes
    allow_nets = xxx.xxx.xxx.xxx/32
  }
  passdb_result_success = return-ok
  passdb_result_failure = return-fail
}
As things stand now, Dovecot always moves on to the second passdb and authenticates the user, or not, according to the outcome of the second passdb. The outcome of the first passdb does not seem to matter.
Curiously, if I comment out the second passdb, the first passdb authenticates users as expected.
I've tried all kinds of gyrations with passdb_result_success and passdb_result_failure, and none of them seem to work. The options I have there right now are, to the best of my knowledge, the ones that best match the flow I want to be seeing.
There's a chance there's a bug in 2.4.1, but I bet I'm doing something wrong. What am I doing wrong?
On 13/11/2025 14:05 EET Lou Duchez via dovecot <dovecot@dovecot.org> wrote:
As explained in https://doc.dovecot.org/2.4.1/installation/upgrade/2.3-to-2.4.html you need to give unique names to passdbs.
So basically:

passdb user-failover-passwd {
  driver = passwd-file
  passwd_file_path = /vmail/Maildir/passwdfile
  result_success = return-ok
  result_failure = continue-fail
}

passdb server-to-failover {
  passwd_file_path = /vmail/Maildir/passwdfile
  skip = authenticated
  fields {
    nopassword = yes
    allow_nets = xxx.xxx.xxx.xxx/32
  }
  result_success = return-ok
  result_failure = return-fail
}
FWIW, I would use a static password for the second passdb instead of nopassword + allow_nets.
Aki
Thank you for your advice! I have it working now, by changing the second passdb to static.
I was not able to give arbitrary names to my two passdbs though; it seems that Dovecot expects names of mechanisms like "passwd-file" or "static", or else it doesn't work. Unless I'm doing something wrong, anyway. But if I'm correct, that means that Dovecot 2.4.1 is going to have trouble if you need to consult multiple passwd-files.
Here is what worked for me:
passdb passwd-file {
  passwd_file_path = /vmail/Maildir/passwdfile
  passdb_result_success = return-ok
  passdb_result_failure = continue-fail
}

passdb static {
  fields {
    nopassword = yes
    allow_nets = xxx.xxx.xxx.xxx/32
  }
  passdb_result_success = return-ok
  passdb_result_failure = return-fail
}
On 11/13/2025 7:18 AM, Aki Tuomi via dovecot wrote:
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On 13/11/2025 14:43 EET Lou Duchez via dovecot <dovecot@dovecot.org> wrote:
Not really true, but if you use
passdb machine-to-user { }
you need to add
driver=static
so it knows which driver to use now.
Aki
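The two naming mistakes discussed in this thread (two passdb blocks sharing the name `passwd-file`, and a block with an arbitrary name but no `driver` line) can be caught before reloading Dovecot. The script below is an added example, not Dovecot's own tooling: it reads doveconf-style text with one setting per line (the form `doveconf -n` prints, not the collapsed one-line form quoted in the mails), and its list of driver names is an assumed subset, so extend it for any driver you use. The sample configs are constructed from the ones in this thread, keeping the thread's own `xxx.xxx.xxx.xxx/32` placeholder.

```python
"""Sanity check for Dovecot 2.4 passdb blocks: added example, not Dovecot's code.
Reads doveconf-style text (one setting per line, as `doveconf -n` prints it) and
flags the two mistakes from this thread: passdb blocks sharing a name, and a block
whose name is not a driver name but sets no driver."""
from typing import Dict, List, Tuple

# Assumption: a subset of the passdb driver names Dovecot 2.4 accepts; extend as needed.
KNOWN_DRIVERS = {"passwd-file", "static", "sql", "ldap", "pam", "passwd", "dict", "lua", "oauth2"}


def parse_passdbs(text: str) -> List[Tuple[str, Dict[str, object]]]:
    """Collect each `passdb <name> { ... }` block with its settings; nested
    blocks such as fields { } become sub-dicts under their keyword."""
    stack: List[Dict[str, object]] = []                # open blocks, innermost last
    passdbs: List[Tuple[str, Dict[str, object]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            words = line[:-1].split()
            kind, name = words[0], (words[1] if len(words) > 1 else "")
            block: Dict[str, object] = {}
            if kind == "passdb":
                passdbs.append((name, block))
            elif stack:
                stack[-1][kind] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return passdbs


def lint_passdbs(text: str) -> List[str]:
    """Human-readable findings; an empty list means the names and drivers look right."""
    findings: List[str] = []
    seen = set()
    for name, settings in parse_passdbs(text):
        if name in seen:
            findings.append(f"passdb {name}: duplicate block name; 2.4 needs unique names "
                            "(see the 2.3-to-2.4 upgrade notes), otherwise only one passdb is effective")
        seen.add(name)
        # With no explicit driver, 2.4 falls back to the block name as the driver name.
        driver = settings.get("driver") or settings.get("passdb_driver") or name
        if driver not in KNOWN_DRIVERS:
            findings.append(f"passdb {name}: driver '{driver}' is not a known driver; "
                            "add driver = passwd-file (or static, ...) inside the block")
    return findings


# Constructed samples mirroring the thread (xxx.xxx.xxx.xxx/32 is the thread's placeholder).
BROKEN_CONFIG = """\
passdb passwd-file {
  passwd_file_path = /vmail/Maildir/passwdfile
  passdb_result_failure = continue-fail
}
passdb passwd-file {
  passwd_file_path = /vmail/Maildir/passwdfile
  passdb_skip = authenticated
  fields {
    nopassword = yes
    allow_nets = xxx.xxx.xxx.xxx/32
  }
  passdb_result_failure = return-fail
}
"""

NO_DRIVER_CONFIG = """\
passdb user-failover-passwd {
  driver = passwd-file
  passwd_file_path = /vmail/Maildir/passwdfile
}
passdb server-to-failover {
  passwd_file_path = /vmail/Maildir/passwdfile
  skip = authenticated
}
"""

FINAL_CONFIG = """\
passdb ordinary_users {
  driver = passwd-file
  passwd_file_path = /vmail/Maildir/passwdfile
}
passdb main_mail_server {
  driver = static
  fields {
    nopassword = yes
    allow_nets = xxx.xxx.xxx.xxx/32
  }
}
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("no driver", NO_DRIVER_CONFIG), ("final", FINAL_CONFIG)):
        print(label, lint_passdbs(cfg) or ["ok"])
```

Feed it the output of `doveconf -n` after an upgrade: the first sample reproduces the original symptom (two blocks named `passwd-file`, so only one takes effect), the second reproduces the "arbitrary name without a driver" case, and the final config from this thread passes cleanly.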
Once again, you are right, and I thank you! I have added the "driver" parameters so that it's explicit, and when I have to change this again in 2040, I will understand how it works.
Here is what I have now, and I believe this will be the "final" version:
passdb ordinary_users {
  driver = passwd-file
  passwd_file_path = /vmail/Maildir/passwdfile
  passdb_result_success = return-ok
  passdb_result_failure = continue-fail
}

passdb main_mail_server {
  driver = static
  fields {
    nopassword = yes
    allow_nets = xxx.xxx.xxx.xxx/32
  }
  passdb_result_success = return-ok
  passdb_result_failure = return-fail
}
On 11/13/2025 7:57 AM, Aki Tuomi via dovecot wrote:
One thing I wanted to add, for the next person trying to figure these things out: If you're doing a passdb with "deny = yes" (for example, if you want to reject people on a blacklist), the passdb_result_success and passdb_result_failure are returning the result of the lookup, not whether the user is authenticated. Thus, if someone is found on the blacklist, the passdb will return "success" (meaning they're NOT authenticated), but if they're not on the list the passdb will return "failure" (which means they may yet be authenticated).
Here is how I set it up to reject people on my "deny.imap" and "deny.pop3" blacklists; note how "success" means "return-fail" while "failure" means "continue-ok":
passdb deny_wrong_protocols {
  driver = passwd-file
  passwd_file_path = /vmail/Maildir/deny.%{protocol}
  deny = yes
  passdb_result_success = return-fail
  passdb_result_failure = continue-ok
}
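To see why the result settings behave as described in this thread (the final `ordinary_users` / `main_mail_server` chain, and the deny passdb just above, whose "success" means the user was found on the list), here is a small model of the passdb chain. It is an added example, not Dovecot's code: it implements the documented result actions, `skip = authenticated`, and the deny semantics exactly as the post above describes them, and it assumes the deny passdb is listed before the other two. The users, passwords, deny lists and the address 203.0.113.10/32 (standing in for the thread's `xxx.xxx.xxx.xxx/32`) are constructed test data.

```python
"""Model of how Dovecot walks a chain of passdb blocks: added example, not
Dovecot's code. It models the documented result actions (return-ok, return-fail,
return, continue-ok, continue-fail, continue), `skip = authenticated`, and a
deny = yes passdb as the post above describes it (success/failure refer to the
lookup, not the login). The chain starts in the failure state; if no passdb
returns early, the state left by the last continue-ok/continue-fail is the answer.
Users, passwords, deny lists and 203.0.113.10/32 (standing in for the thread's
xxx.xxx.xxx.xxx/32) are constructed test data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass
class Request:
    user: str
    password: str
    rip: str        # client's remote IP, what allow_nets is matched against
    protocol: str   # "imap" or "pop3", expands %{protocol}


@dataclass
class Passdb:
    name: str
    lookup: Callable[[Request], bool]   # True = the driver's lookup succeeded
    result_success: str = "return-ok"
    result_failure: str = "continue"
    skip: str = "never"                 # never | authenticated | unauthenticated


def run_chain(chain: List[Passdb], req: Request) -> Tuple[bool, List[str]]:
    """Return (authenticated, trace); the trace records what each passdb did."""
    state, trace = False, []
    for db in chain:
        if (db.skip == "authenticated" and state) or (db.skip == "unauthenticated" and not state):
            trace.append(f"{db.name}: skipped ({db.skip})")
            continue
        ok = db.lookup(req)
        action = db.result_success if ok else db.result_failure
        trace.append(f"{db.name}: lookup {'success' if ok else 'failure'} -> {action}")
        if action == "return-ok":
            return True, trace
        if action == "return-fail":
            return False, trace
        if action == "return":           # hand back whatever earlier passdbs decided
            return state, trace
        if action == "continue-ok":
            state = True
        elif action == "continue-fail":
            state = False
        # plain "continue" moves on without touching the state
    return state, trace


# Stand-ins for the three drivers used in the thread (constructed data).
PASSWD_FILE = {"alice": "correct horse", "bob": "battery staple"}  # /vmail/Maildir/passwdfile
DENY_FILES = {"imap": {"mallory"}, "pop3": {"bob"}}                 # /vmail/Maildir/deny.%{protocol}
MAIN_SERVER_NET = ip_network("203.0.113.10/32")                     # allow_nets of the main server


def passwd_file_lookup(req: Request) -> bool:        # driver = passwd-file
    return PASSWD_FILE.get(req.user) == req.password


def deny_file_lookup(req: Request) -> bool:          # passwd-file with deny = yes: success = listed
    return req.user in DENY_FILES.get(req.protocol, set())


def static_allow_nets_lookup(req: Request) -> bool:  # driver = static, nopassword + allow_nets
    return ip_address(req.rip) in MAIN_SERVER_NET


DENY_WRONG_PROTOCOLS = Passdb("deny_wrong_protocols", deny_file_lookup, "return-fail", "continue-ok")
ORDINARY_USERS = Passdb("ordinary_users", passwd_file_lookup, "return-ok", "continue-fail")
MAIN_MAIL_SERVER = Passdb("main_mail_server", static_allow_nets_lookup, "return-ok", "return-fail")
FINAL_CHAIN = [DENY_WRONG_PROTOCOLS, ORDINARY_USERS, MAIN_MAIL_SERVER]  # deny listed first (assumed)


def authenticate(req: Request) -> bool:
    return run_chain(FINAL_CHAIN, req)[0]


def skip_demo() -> List[str]:
    """`skip = authenticated` only bites when an earlier passdb left the state at success
    via continue-ok; with return-ok, as in this thread, the chain has already returned."""
    first = Passdb("ordinary_users", passwd_file_lookup, "continue-ok", "continue-fail")
    second = Passdb("main_mail_server", static_allow_nets_lookup, skip="authenticated")
    return run_chain([first, second], Request("alice", "correct horse", "198.51.100.7", "imap"))[1]


if __name__ == "__main__":
    for req in (Request("alice", "correct horse", "198.51.100.7", "imap"),
                Request("alice", "", "203.0.113.10", "imap"),
                Request("bob", "battery staple", "198.51.100.7", "pop3")):
        print(req.user, req.protocol, req.rip, "->", run_chain(FINAL_CHAIN, req))
    print(skip_demo())
```

Tracing the three requests shows the three paths the thread cares about: a normal user with the right password is accepted by `ordinary_users` and never reaches the static passdb; the main server, connecting from the allowed address with no usable password, falls through `continue-fail` and is accepted by `main_mail_server`; and a user on `deny.pop3` is rejected by the deny passdb before any password is checked. `skip_demo` shows that `skip = authenticated` only matters when an earlier passdb ends in `continue-ok`, which is why it had no visible effect in the original configuration.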
On 11/13/2025 8:07 AM, Lou Duchez via dovecot wrote:
If nothing still works, you might try using SQL, e.g. as the first passdb method for the main server and passwd-file for the failover server; refer to this: https://doc.dovecot.org/2.3/configuration_manual/authentication/multiple_aut...
Zak.
On 2025-11-13 12:05, Lou Duchez via dovecot wrote: