Disabling auth fallback to PAM

Timo Sirainen tss at iki.fi
Sat Nov 21 01:14:11 UTC 2015


> On 17 Nov 2015, at 22:51, martin f krafft <madduck at madduck.net> wrote:
> 
> Hi folks,
> 
> According to the wiki,¹ it's considered a feature of Dovecot and its
> ability to support multiple authentication sources that "if the
> password doesn't match in the first database, it checks the next
> one".
> 
> ¹) http://wiki.dovecot.org/Authentication/MultipleDatabases
> 
> I think it's great that Dovecot allows auth sources to be stacked
> like this, but I am not sold on the idea that the next database
> ought to be tried when a *password* does not match. Let me
> elaborate:
> 
> If the first database has knowledge of a user, then it can (should)
> be considered authoritative, and if the provided password does not
> match, it's an authentication error right away. Only if the first
> source does not possess any knowledge about a given user, then should
> Dovecot proceed to query/check with the next database.
> 
> Can this be configured somehow?
> If not, would it make sense to make this behaviour configurable?

Well, your topic is PAM.. And PAM doesn't necessarily tell you if the problem is that the user doesn't exist or that the password doesn't match. Another similar problem is checkpassword script. And LDAP with auth_bind=yes. And some ways of configuring SQL..

But.. Right now passdb has result_success, result_failure and result_internalfail. I suppose it should be possible to add result_user_unknown there that defaults to result_failure if it's not explicitly set. It wouldn't work with all passdb setups, but it would work for some. I've added it to my TODO list, but that's quite long already and this is near the bottom of it. So if you want it to be added to Dovecot anytime soon please send a patch. Shouldn't be difficult to implement.
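
Added example (not part of the original thread, and not Dovecot source code): a simplified Python model of passdb chaining using the result_success and result_failure settings named in the reply, plus the proposed result_user_unknown, which is hypothetical here. The action names (return-ok, return-fail, continue and so on) and their defaults are assumed to follow Dovecot's documented passdb result values; result_internalfail is left out, and the user tables and passwords are constructed.

```python
# Simplified model of Dovecot passdb chaining (added illustration, not Dovecot code).
# Lookup outcomes: "success", "failure" (password mismatch), "user_unknown".
# result_user_unknown is the setting proposed in the reply; it is hypothetical here.

def lookup(db, user, password):
    """Return the outcome of one passdb lookup against a constructed user table."""
    if user not in db["users"]:
        return "user_unknown"
    return "success" if db["users"][user] == password else "failure"

def action_for(db, outcome):
    """Pick the configured action; result_user_unknown defaults to result_failure."""
    if outcome == "success":
        return db.get("result_success", "return-ok")
    failure = db.get("result_failure", "continue")
    if outcome == "user_unknown":
        return db.get("result_user_unknown", failure)
    return failure

def authenticate(chain, user, password):
    """Walk the passdb chain; True means the login is accepted."""
    state = False  # auth state starts as failed
    for db in chain:
        action = action_for(db, lookup(db, user, password))
        if action == "return-ok":
            return True
        if action == "return-fail":
            return False
        if action == "return":
            return state
        if action == "continue-ok":
            state = True
        elif action == "continue-fail":
            state = False
        # plain "continue" leaves the state untouched
    return state

# Constructed sample data: alice exists in both databases, bob only in the second.
FIRST = {"users": {"alice": "first-pw"}}
PAM = {"users": {"alice": "pam-pw", "bob": "bob-pw"}}

DEFAULT = [FIRST, PAM]                                        # stock behaviour
STRICT = [dict(FIRST, result_failure="return-fail"), PAM]     # locks out bob too
PROPOSED = [dict(FIRST, result_failure="return-fail",
                 result_user_unknown="continue"), PAM]        # first db authoritative
```

With DEFAULT, alice is accepted with her second-database password even though the first database knows her; STRICT closes that but also rejects bob, because an unknown user is reported as a plain failure; PROPOSED rejects alice's mismatched password while still letting bob through to the second database.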


