How do we disable LOGIN-REFERRALS? (part 2)

sb serbr at runbox.com
Thu Dec 3 15:20:02 UTC 2015


On 12/3/15 2:49 PM, Timo Sirainen wrote:

> There is no code that can be disabled on Dovecot side.
> I think you need to read how LOGIN-REFERRALs actually work.

This is an excerpt from the RFC:

> A home server referral may be returned in response to an AUTHENTICATE
>    or LOGIN command, or it may appear in the connection startup banner.
>    If a server returns a home server referral in a tagged NO response,
>    that server does not contain any mailboxes that are accessible to the
>    user.  If a server returns a home server referral in a tagged OK
>    response, it indicates that the user's personal mailboxes are
>    elsewhere, but the server contains public mailboxes which are
>    readable by the user.  After receiving a home server referral, the
>    client can not make any assumptions as to whether this was a
>    permanent or temporary move of the user.
The client and the server exchange relevant messages. If dovecot cannot 
disable
the relevant code then either dovecot does not implement the RFC or it 
does it
so well that it cannot be disabled without rewriting dovecot's code. In 
either case,
we want to disable LOGIN-REFERRAL, and have evidence that it has been 
disabled.
Removing the keyword from the banner is not sufficient, and the 
documentation
PasswordDatabase.ExtraFields.Host.txt is far from useful.



More information about the dovecot mailing list