Authentication errors and resultant SMTP errors

The authentication code performs various checks on the user account when attempting to authenticate, as for instance during SMTP AUTH processing. This may result in authentication errors being returned to the SMTP server, which will in turn issue an SMTP error back in response to the SMTP AUTH attempt. Errors of note include the following.

If the client's SMTP AUTH attempt uses either a bad username or a bad password, or the authentication mechanism is too weak for site policy, the SMTP server will issue the same error response in each case:

    535 5.7.8 Bad username or password

though the SMTP server will optionally (  and   's bit 7/value 128 set) record the real cause of the authentication failure (respectively, " " or " " or " ") in the message-id field of the "U" connection transaction log entry.

If the LDAP attribute   has been set to disallow SMTP access, the authentication attempt will be rejected with:

    535 5.7.8 Authorization failure

If using this feature with the goal of disallowing certain users from sending messages, note that it is critically important to first configure the MTA so that users are required to use SMTP AUTH when submitting (see the    channel option). Otherwise, in preventing certain users from sending when they properly authenticate, the unintentional (and undesirable) effect is likely to be to discourage those users from attempting authentication, instead effectively encouraging those users to send without authentication!

If the user's LDAP attribute  is set to    or , then the SMTP error will be:

    525 5.7.13 Account disabled

If MTA connection transaction logging is enabled, and in particular if the optional SASL attempt logging is enabled, then the message-id field of the resulting "U" connection transaction entry will include additional detail: either " " or " ".

There are additional errors that may be returned, as for syntax problems in the client's SMTP AUTH command, or SASL mechanism problems, including:

    501 5.7.0 Cannot decode BASE64
    504 5.5.4 Unrecognized authentication type
    501 5.5.0 Invalid input
    523 5.7.10 Encryption needed to use mechanism
    524 5.7.11 Password expired, has to be reset

Temporary LDAP errors will result in a temporary SMTP error:

    454 4.7.0 Authentication server unavailable
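The following added example (not part of the product or its documentation) shows how a monitoring script might parse and triage the SMTP AUTH replies listed above, including the case where two different failures share the reply 535 5.7.8 and only the text distinguishes them. The function names, category labels, the threshold of 3 and the (source, reply) sample tuples are assumptions made for illustration; the sample is constructed and is not MTA log output.

```python
import re
from collections import Counter, defaultdict

REPLY_RE = re.compile(r"^(\d{3})[ -](\d\.\d{1,3}\.\d{1,3})\s+(.*)$")

# (reply code, enhanced status) -> category label, for the replies listed above.
CATEGORIES = {
    ("525", "5.7.13"): "account_disabled",
    ("501", "5.7.0"): "client_protocol",    # Cannot decode BASE64
    ("504", "5.5.4"): "client_protocol",    # Unrecognized authentication type
    ("501", "5.5.0"): "client_protocol",    # Invalid input
    ("523", "5.7.10"): "encryption_needed",
    ("524", "5.7.11"): "password_expired",
    ("454", "4.7.0"): "backend_unavailable",
}

def classify(reply):
    """Parse one SMTP reply line into (category, is_temporary); None if unparseable."""
    m = REPLY_RE.match(reply.strip())
    if not m:
        return None
    code, enhanced, text = m.groups()
    if (code, enhanced) == ("535", "5.7.8"):
        # Two different failures share these codes; only the text tells them apart.
        cat = "authorization" if text.lower().startswith("authorization") else "credentials"
    else:
        cat = CATEGORIES.get((code, enhanced), "unknown")
    return cat, code.startswith("4")

def summarize(events, threshold=3):
    """events: iterable of (source, reply). Returns sources to review and an outage flag."""
    per_source = defaultdict(Counter)
    outage = False
    for source, reply in events:
        result = classify(reply)
        if result is None:
            continue
        cat, temporary = result
        outage = outage or (temporary and cat == "backend_unavailable")
        per_source[source][cat] += 1
    # Repeated credential failures from one source merit review; temporary
    # backend errors are counted separately so an LDAP outage is not misread.
    suspects = sorted(s for s, c in per_source.items() if c["credentials"] >= threshold)
    return {"suspects": suspects, "backend_outage": outage}

# Constructed sample data (documentation-range addresses), not MTA log output.
SAMPLE = ([("192.0.2.10", "535 5.7.8 Bad username or password")] * 3
          + [("198.51.100.7", "454 4.7.0 Authentication server unavailable")] * 3
          + [("203.0.113.5", "535 5.7.8 Authorization failure")])
```

Because the client-visible reply for a bad username, a bad password and a too-weak mechanism is identical, the "credentials" category cannot be split further from the SMTP reply alone; that detail is only available from the optional connection transaction logging described above.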

See also:
 * maysasl Option
 * log_message_id MTA Option
 * log_connection MTA Option
 * MTA transaction logging
 * tcpaccessattr Option