login failure "reason" not returned (dovecot-2.2.32)

Pedro Ribeiro pribeiro at net.ipl.pt
Thu Jan 11 20:43:09 EET 2018


Hello,

In the past (older dovecot versions) I've tuned the SQL "password_query" 
of our mail server so that when the user has the account blocked for 
some reason (expired, need password change, etc.) the query returns 
nologin=1 and a verbose reason like reason="Your account is expired 
please change the password" and it worked very well with IMAP clients.

I'm now seeing that despite the message returned by the SQL, the IMAP 
server always returns a generic error "NO [AUTHENTICATIONFAILED] 
Authentication failed."

I've set up an "always fail" query in a test installation (see below) and 
with that, a simple openssl/telnet login simulation fails without 
reporting the "ERRORDEBUG" reason.

> password_query = SELECT '%n' AS username, '%d' AS domain, 'ERRORDEBUG' 
> AS reason, '1' AS nologin, CONCAT('{PLAIN}',RAND()) AS password;

Tested with:

> imapsrv# openssl s_client -connect imap2:993
> ---
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
> IDLE AUTH=PLAIN] IPLNet IMAP ready.
> a login "someouser at dom" "password"
> a NO [AUTHENTICATIONFAILED] Authentication failed.

Also using doveadm auth:

> imapsrv# doveadm auth test someuser at dom
> Password:
> passdb: someuser at dom auth failed
> extra fields:
>   user=someuser at dom

I've already done some source digging without conclusions; the code to 
return the reason seems to be in place in the function 
"imap_client_auth_result" at src/imap-login/client-authenticate.c

What am I doing wrong?

Should the behaviour now be done in another way?

Best regards, keep up the good work on this fine software!


-- 

Best regards,

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Pedro Ribeiro
Politécnico de Lisboa, Serviços da Presidência
Departamento de Sistemas de Informação e Comunicações
Phone:   +351 210 464 700 (general) / VoIP: 80100
Helpdesk: helpdesk at net.ipl.pt / https://www.net.ipl.pt
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=