Authentication errors and resultant SMTP errors

From Messaging Server Technical Reference Wiki

The authentication code performs various checks on the user account when attempting to authenticate, as for instance during SMTP AUTH processing. This may result in authentication errors being returned to the SMTP server, which will in turn issue an SMTP error back in response to the SMTP AUTH attempt. Errors of note include the following.

If the client's SMTP AUTH attempt uses either a bad username or a bad password, or the authentication mechanism is too weak for site policy, the SMTP server will issue the (same for each case) error response:

535 5.7.8 Bad username or password 

though the SMTP server will optionally (log_message_id=1 and log_connection's bit 7/value 128 set) record the real cause of the authentication failure (respectively, "No such user" or "Bad password" or "Authentication mechanism is too weak") in the message-id field of the "U" connection transaction log entry.

If the LDAP attribute mailAllowedServiceAccess has been set to disallow SMTP access, the authentication attempt will be rejected with:

535 5.7.8 Authorization failure 

If you use this feature with the goal of disallowing certain users from sending messages, note that it is critically important to first require SMTP AUTH on submission (see the mustsaslserver channel option). Otherwise, rejecting those users only when they authenticate properly is likely to have the unintended (and undesirable) effect of discouraging them from attempting authentication at all, effectively encouraging them to send without authentication!

If the user's LDAP attribute mailUserStatus is set to inactive or disabled, then the SMTP error will be:

525 5.7.13 Account disabled 

with, if MTA connection transaction logging is enabled and in particular if the optional SASL attempt logging is enabled, the message-id field of the resulting "U" connection transaction entry including additional detail: either "Account disabled (inactive)" or "Account disabled (hold)".
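Because the client only ever sees the generic 535/525 response while the real cause ("No such user", "Bad password", "Account disabled (hold)", and so on) is recorded in the message-id field of the "U" transaction entry, that log is where a defender can tell address enumeration from password guessing. The following added example (not code from the Messaging Server product or this wiki) counts those causes per client address over constructed sample records; the simplified record layout used here is an assumption for illustration and is not the real transaction log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in an ASSUMED, simplified layout:
#   <date> <time> <action> <channel> <client-ip> <user> <message-id field>
# Only the "U" action and the cause strings named on the page are taken
# from the product; the column layout is invented for this example.
SAMPLE_LOG = """\
2024-05-01 10:00:01 U tcp_local 192.0.2.10 alice No such user
2024-05-01 10:00:02 U tcp_local 192.0.2.10 bob No such user
2024-05-01 10:00:03 U tcp_local 192.0.2.10 carol No such user
2024-05-01 10:00:04 U tcp_local 198.51.100.7 dave Bad password
2024-05-01 10:00:05 U tcp_local 198.51.100.7 dave Bad password
2024-05-01 10:00:06 U tcp_local 203.0.113.5 erin Authentication mechanism is too weak
2024-05-01 10:00:07 U tcp_local 203.0.113.9 frank Account disabled (hold)
2024-05-01 10:00:08 E tcp_local 203.0.113.9 frank <msg@example.com>
"""

# Match only "U" (SASL attempt) records; other actions are skipped.
U_RECORD = re.compile(r"^\S+ \S+ U \S+ (?P<ip>\S+) (?P<user>\S+) (?P<cause>.+)$")

# The failure causes the page says the server records in the message-id field.
KNOWN_CAUSES = (
    "No such user",
    "Bad password",
    "Authentication mechanism is too weak",
    "Account disabled (inactive)",
    "Account disabled (hold)",
)

def auth_failures(log_text):
    """Return {client_ip: Counter(cause)} for every 'U' record whose
    message-id field carries one of the documented failure causes."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = U_RECORD.match(line)
        if m and m.group("cause") in KNOWN_CAUSES:
            per_ip[m.group("ip")][m.group("cause")] += 1
    return per_ip

def suspicious_sources(per_ip, threshold=3):
    """Flag client IPs with >= threshold failures of a single cause: repeated
    'No such user' points at address enumeration, repeated 'Bad password'
    at password guessing. Returns {ip: dominant_cause}."""
    flagged = {}
    for ip, causes in per_ip.items():
        cause, n = causes.most_common(1)[0]
        if n >= threshold:
            flagged[ip] = cause
    return flagged
```

Lower the threshold or key the counter on (ip, user) if the concern is a slow guess against one account rather than a noisy source.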

There are additional errors that may be returned, such as for syntax problems in the client's SMTP AUTH command or for SASL mechanism problems, including:

501 5.7.0 Cannot decode BASE64 
504 5.5.4 Unrecognized authentication type 
501 5.5.0 Invalid input 
523 5.7.10 Encryption needed to use mechanism 
524 5.7.11 Password expired, has to be reset 

Temporary LDAP errors will result in a temporary SMTP error:

454 4.7.0 Authentication server unavailable 
