auth retries roundcube -> imap with wrong password

[_Lars_]

[debian "buster" // dovecot-core 2.3.4.1-5+deb10u3 // roundcube 1.4.8+dfsg.1-1~bpo10+1 from buster-backports]

Dovecot is setup to authenticate against the local Active Directory which is configured to lock an account after five authentication failures.

Issue:
When someone tries to login into roundcube with a wrong password then roundcube doesn't come back for a while and after that the AD account is locked.
So I sniffed the IMAP connection and after hitting "Login" and while the login screen says "loading" I see more than five IMAP login attempts:

Code Select Expand


* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
A0001 AUTHENTICATE PLAIN ##########
A0001 NO [AUTHENTICATIONFAILED] Authentication failed.
[...]
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
A0006 AUTHENTICATE PLAIN ##########
A0006 NO [AUTHENTICATIONFAILED] Authentication failed.
[...]


Maybe it's me and the way I'm searching but I don't find anything related to this issue. Where can I adjust the authentication behaviour of roundcube, especially if a wrong Password is typed in?

thanks
Lars

[alec]

This is not normal, do you have any plugins enabled?

[_Lars_]

At the moment there is only 'managesieve" active but this problem occured before.

[JohnDoh]

The retries are a Debian package specific issue. They include a bad patch. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960302.

[_Lars_]

Thanks for pointing me in the right direction. The initial patch introduced in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947320 is indeed ugly.
I'm not sure why it is a good idea to hammer a bad responding IMAP server with more login attempts.