smtpsrv: Fix error code on transient authentication issues

When we can't authenticate due to a transient issue, for example if we rely on Dovecot and it is not responding, we should use a differentiated error code to avoid confusing users. However, today we return the same error code as when the user enters the wrong password, which could confuse users as their MUA might think their credentials are no longer valid. This patch fixes the issue by returning a differentiated error code in that case, as per RFC 4954. Thanks to Max Mazurov (fox.cpp@disroot.org) for reporting this problem.
2025-12-17 14:37:02 +00:00 · 2020-05-23 01:02:07 +01:00
parent b4c8244e48
commit d83c1dc591
2 changed files with 51 additions and 0 deletions
--- a/internal/smtpsrv/conn.go
+++ b/internal/smtpsrv/conn.go
@@ -1004,9 +1004,12 @@ func (c *Conn) AUTH(params string) (code int, msg string) {
 		return 501, fmt.Sprintf("5.5.2 Error decoding AUTH response: %v", err)
 	}

+	// https://tools.ietf.org/html/rfc4954#section-6
 	authOk, err := c.authr.Authenticate(user, domain, passwd)
 	if err != nil {
 		c.tr.Errorf("error authenticating %q@%q: %v", user, domain, err)
+		maillog.Auth(c.conn.RemoteAddr(), user+"@"+domain, false)
+		return 454, "4.7.0 Temporary authentication failure"
 	}
 	if authOk {
 		c.authUser = user