Authentication errors and resultant SMTP errors
The authentication code performs various checks on the user account when attempting to authenticate, for instance during SMTP AUTH processing. These checks may return authentication errors to the SMTP server, which in turn issues an SMTP error in response to the SMTP AUTH attempt. Errors of note include the following.
If the client's SMTP AUTH attempt uses either a bad username or a bad password, or the authentication mechanism is too weak for site policy, the SMTP server will issue the same error response in each case:
535 5.7.8 Bad username or password
though the SMTP server will optionally (when log_connection's bit 7/value 128 is set) record the real cause of the authentication failure (respectively "No such user", "Bad password" or "Authentication mechanism is too weak") in the message-id field of the "U" connection transaction log entry.
If the LDAP attribute mailAllowedServiceAccess has been set to disallow SMTP access, the authentication attempt will be rejected with:
535 5.7.8 Authorization failure
If using this feature with the goal of disallowing certain users from sending messages, note that it is critically important to first configure the system so that users are required to use SMTP AUTH when submitting (see the mustsaslserver channel option); otherwise, rejecting certain users when they properly authenticate is likely to have the unintended (and undesirable) effect of discouraging those users from attempting authentication at all, effectively encouraging them to send without authentication instead!
If the user's LDAP attribute mailUserStatus is set to disabled, then the SMTP error will be:
525 5.7.13 Account disabled
and, if MTA connection transaction logging is enabled and in particular if the optional SASL attempt logging is enabled, the message-id field of the resulting "U" connection transaction entry will include additional detail: either "Account disabled (inactive)" or "Account disabled (hold)".
There are additional errors that may be returned, for instance for syntax problems in the client's SMTP AUTH command or for SASL mechanism problems, including:
501 5.7.0 Cannot decode BASE64
504 5.5.4 Unrecognized authentication type
501 5.5.0 Invalid input
523 5.7.10 Encryption needed to use mechanism
524 5.7.11 Password expired, has to be reset
Temporary LDAP errors will result in a temporary SMTP error:
454 4.7.0 Authentication server unavailable
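The following added example (not Messaging Server code) models the reply policy this page describes for an AUTH PLAIN attempt: the client-visible reply and the real cause are returned separately, so that "No such user", "Bad password" and a too-weak mechanism all produce the same 535 reply while the detail is available for the connection log only. It assumes a site policy that refuses PLAIN without TLS and uses a constructed stub (fake_lookup, USERS) in place of the LDAP lookup.

```python
import base64
import binascii

# Constructed illustration of this section's reply policy, not Messaging Server code.
GENERIC_535 = "535 5.7.8 Bad username or password"   # one reply hides the real cause
class TempLdapError(Exception):
    """Raised by the lookup when the LDAP server is temporarily unavailable."""
def encode_plain(user, pw, authzid=""):
    """Client side: build the base64 AUTH PLAIN initial response."""
    return base64.b64encode(f"{authzid}\0{user}\0{pw}".encode()).decode()
def decode_plain(initial_response):
    """Server side: decode AUTH PLAIN into (authzid, authcid, password)."""
    try:
        raw = base64.b64decode(initial_response, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("Cannot decode BASE64")
    parts = raw.split(b"\0")
    if len(parts) != 3 or not parts[1]:          # need authzid, authcid, passwd
        raise ValueError("Invalid input")
    return tuple(p.decode("utf-8", "replace") for p in parts)
def handle_auth(mech, initial_response, tls_active, lookup):
    """Return (smtp_reply, log_cause): the reply goes to the client; log_cause is the
    real reason and belongs only in the "U" connection transaction log entry."""
    if mech.upper() != "PLAIN":                  # only PLAIN is modelled here
        return "504 5.5.4 Unrecognized authentication type", None
    if not tls_active:                           # assumption: site policy, PLAIN needs TLS
        return "523 5.7.10 Encryption needed to use mechanism", None
    try:
        _, user, pw = decode_plain(initial_response)
    except ValueError as e:
        code = "501 5.7.0" if "BASE64" in str(e) else "501 5.5.0"
        return f"{code} {e}", None
    try:
        cause = lookup(user, pw)                 # None, a cause string, or TempLdapError
    except TempLdapError:
        return "454 4.7.0 Authentication server unavailable", None
    if cause is None:
        return "235 2.7.0 Authentication successful", None
    if cause.startswith("Account disabled"):     # "(inactive)" or "(hold)" kept for the log
        return "525 5.7.13 Account disabled", cause
    if cause == "Authorization failure":         # mailAllowedServiceAccess denies SMTP
        return "535 5.7.8 Authorization failure", cause
    return GENERIC_535, cause   # "No such user", "Bad password", too-weak mechanism: same reply
USERS = {"alice": ("s3cret", None), "bob": ("pw", "Account disabled (hold)"),
         "carol": ("pw", "Authorization failure")}   # constructed sample accounts
def fake_lookup(user, pw):
    if user == "ldapdown":                       # constructed: simulate an LDAP outage
        raise TempLdapError()
    if user not in USERS:
        return "No such user"
    return "Bad password" if pw != USERS[user][0] else USERS[user][1]
```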