[debian "buster" // dovecot-core 2.3.4.1-5+deb10u3 // roundcube 1.4.8+dfsg.1-1~bpo10+1 from buster-backports]
Dovecot is set up to authenticate against the local Active Directory, which is configured to lock an account after five authentication failures.
Issue:
When someone tries to log into Roundcube with a wrong password, Roundcube doesn't come back for a while, and after that the AD account is locked.
So I sniffed the IMAP connection and after hitting "Login" and while the login screen says "loading" I see more than five IMAP login attempts:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
A0001 AUTHENTICATE PLAIN ##########
A0001 NO [AUTHENTICATIONFAILED] Authentication failed.
[...]
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
A0006 AUTHENTICATE PLAIN ##########
A0006 NO [AUTHENTICATIONFAILED] Authentication failed.
[...]
Maybe it's me and the way I'm searching, but I don't find anything related to this issue. Where can I adjust the authentication behaviour of Roundcube, especially if a wrong password is typed in?
thanks
Lars
This is not normal, do you have any plugins enabled?
At the moment there is only 'managesieve' active, but this problem occurred before.
The retries are a Debian-package-specific issue. They include a bad patch. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960302.
Thanks for pointing me in the right direction. The initial patch introduced in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947320 is indeed ugly.
I'm not sure why it is a good idea to hammer a bad responding IMAP server with more login attempts. >:(
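As an added example (not code from the thread, from Roundcube or from the Debian patch), here is a small Python script that splits a capture like the one above into connections (one per Dovecot greeting), tallies each AUTHENTICATE/LOGIN command's outcome, and compares the total number of failures with the AD lockout threshold of five. The regexes and function names are written for this example; the embedded transcript is constructed, with the elided attempts A0002..A0005 filled in and the credential blob replaced by a placeholder.

```python
import re
from dataclasses import dataclass, field

AD_LOCKOUT_THRESHOLD = 5  # the AD policy from the thread: five failures lock the account

# Line shapes taken from the sniffed session in the thread (regexes written for this example).
GREETING = re.compile(r"^\* OK \[CAPABILITY ")                     # Dovecot banner = new TCP connection
AUTH_CMD = re.compile(r"^(?P<tag>\S+) (?:AUTHENTICATE|LOGIN)\b")  # client submits credentials
AUTH_FAIL = re.compile(r"^(?P<tag>\S+) NO \[AUTHENTICATIONFAILED\]")
AUTH_OK = re.compile(r"^(?P<tag>\S+) OK\b")

@dataclass
class Connection:
    attempts: list = field(default_factory=list)   # tags of AUTHENTICATE/LOGIN commands sent
    failed: list = field(default_factory=list)     # tags answered NO [AUTHENTICATIONFAILED]
    succeeded: list = field(default_factory=list)  # tags answered OK

def parse_transcript(text: str) -> list:
    """Split a capture into connections (one per greeting) and tally each auth command's outcome."""
    conns = []
    for line in map(str.strip, text.splitlines()):
        if not line or line == "[...]":       # skip blanks and the elision marker used in the thread
            continue
        if GREETING.match(line):
            conns.append(Connection())
            continue
        if not conns:                         # capture started mid-connection: open an implicit one
            conns.append(Connection())
        conn = conns[-1]
        if m := AUTH_CMD.match(line):
            conn.attempts.append(m["tag"])
        elif (m := AUTH_FAIL.match(line)) and m["tag"] in conn.attempts:
            conn.failed.append(m["tag"])
        elif (m := AUTH_OK.match(line)) and m["tag"] in conn.attempts:
            conn.succeeded.append(m["tag"])
    return conns

def lockout_risk(conns: list, threshold: int = AD_LOCKOUT_THRESHOLD) -> dict:
    """Total failed credential submissions across all connections, compared with the AD threshold."""
    failed = sum(len(c.failed) for c in conns)
    return {"connections": len(conns), "failed_auths": failed, "locks_account": failed >= threshold}

# Constructed transcript: the thread's capture with A0002..A0005 filled in and a placeholder credential.
SAMPLE_CAPTURE = "".join(
    "* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.\n"
    f"A{n:04d} AUTHENTICATE PLAIN <base64-credentials>\n"
    f"A{n:04d} NO [AUTHENTICATIONFAILED] Authentication failed.\n"
    for n in range(1, 7)
)
```

Running `lockout_risk(parse_transcript(SAMPLE_CAPTURE))` reports six connections with six failures, i.e. one wrong password typed into the web form already exceeds the AD threshold; a well-behaved client would show one connection and one failure.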