changeset 5619:121af23cfc65 HEAD

An empty password no longer allows a user to log in with any password, unless the nopassword extra field is also set.
author Timo Sirainen <tss@iki.fi>
date Sun, 13 May 2007 21:47:42 +0300
parents 5ea33dbddbae
children 85ae96fc1375
files src/auth/auth-request.c src/auth/passdb-ldap.c src/auth/passdb-sql.c src/auth/password-scheme.c
diffstat 4 files changed, 31 insertions(+), 10 deletions(-) [+]
--- a/src/auth/auth-request.c	Sun May 13 21:28:41 2007 +0300
+++ b/src/auth/auth-request.c	Sun May 13 21:47:42 2007 +0300
@@ -961,12 +961,17 @@
 		request->no_failure_delay = TRUE;
 	} else if (strcmp(name, "nopassword") == 0) {
 		/* NULL password - anything goes */
-		if (request->passdb_password != NULL &&
-		    *request->passdb_password != '\0') {
-			auth_request_log_error(request,
-				request->passdb->passdb->iface.name,
-				"nopassword set but password is non-empty");
-			return;
+		const char *password = request->passdb_password;
+
+		if (password != NULL) {
+			(void)password_get_scheme(&password);
+			if (*password != '\0') {
+				auth_request_log_error(request,
+					request->passdb->passdb->iface.name,
+					"nopassword set but password is "
+					"non-empty");
+				return;
+			}
 		}
 		request->no_password = TRUE;
 		request->passdb_password = NULL;
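Review bot: The `(void)password_get_scheme(&password);` call in the new nopassword branch has no comment explaining why the scheme is parsed and its result thrown away. Presumably it advances `password` past a leading `{SCHEME}` prefix so that a bare prefix with nothing after it still counts as empty, but that helper is not visible here, so confirm before documenting it. This is the check that decides whether password verification is switched off, so the intent should be written down, e.g. `/* skip a leading {SCHEME} prefix; a prefix with no data after it is still an empty password */`. The existing `/* NULL password - anything goes */` comment could also say that an empty password is accepted only together with nopassword. The enclosing function starts and ends outside the hunk.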
@@ -1048,6 +1053,11 @@
 		return 0;
 	}
 
+	if (request->no_password) {
+		auth_request_log_info(request, subsystem, "No password");
+		return 1;
+	}
+
 	ret = password_decode(crypted_password, scheme,
 			      &raw_password, &raw_password_size);
 	if (ret <= 0) {
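Review bot: The info message `"No password"` in the new `request->no_password` branch does not tell an operator that the login is being accepted without the supplied password ever being checked. This branch returns 1 before `password_decode()` runs, so it is the one place where such a login can be recorded for audit. A more explicit string would make these logins easy to find in the logs, for example `auth_request_log_info(request, subsystem, "nopassword set, password not checked");`. The enclosing function starts and ends outside the hunk.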
--- a/src/auth/passdb-ldap.c	Sun May 13 21:28:41 2007 +0300
+++ b/src/auth/passdb-ldap.c	Sun May 13 21:47:42 2007 +0300
@@ -209,12 +209,15 @@
 	} else if (ldap_next_entry(conn->ld, entry) != NULL) {
 		auth_request_log_error(auth_request, "ldap",
 			"pass_filter matched multiple objects, aborting");
+	} else if (auth_request->passdb_password == NULL &&
+		   !auth_request->no_password) {
+		auth_request_log_info(auth_request, "ldap",
+			"Empty password returned without no_password");
+		passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
 	} else {
 		/* passdb_password may change on the way,
 		   so we'll need to strdup. */
 		password = t_strdup(auth_request->passdb_password);
-		if (password == NULL)
-			auth_request->no_password = TRUE;
 		passdb_result = PASSDB_RESULT_OK;
 	}
 
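Review bot: The new log text `"Empty password returned without no_password"` names the struct member, but the extra field an administrator has to set is `nopassword`, as matched by `strcmp(name, "nopassword")` in auth-request.c. Use `"Empty password returned without nopassword"` here and in the identical branch in the passdb-sql.c hunk, so the message points at the actual setting. The guard also tests only `passdb_password == NULL`. Whether an empty attribute value arrives as NULL or as `""` is not visible in this hunk, so confirm that the empty-string case cannot reach `PASSDB_RESULT_OK` with a scheme that would accept it. The enclosing function starts and ends outside the hunk.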
--- a/src/auth/passdb-sql.c	Sun May 13 21:28:41 2007 +0300
+++ b/src/auth/passdb-sql.c	Sun May 13 21:47:42 2007 +0300
@@ -86,12 +86,15 @@
 		} else if (sql_result_next_row(result) > 0) {
 			auth_request_log_error(auth_request, "sql",
 				"Password query returned multiple matches");
+		} else if (auth_request->passdb_password == NULL &&
+			   !auth_request->no_password) {
+			auth_request_log_info(auth_request, "sql",
+				"Empty password returned without no_password");
+			passdb_result = PASSDB_RESULT_PASSWORD_MISMATCH;
 		} else {
 			/* passdb_password may change on the way,
 			   so we'll need to strdup. */
 			password = t_strdup(auth_request->passdb_password);
-			if (password == NULL)
-				auth_request->no_password = TRUE;
 			passdb_result = PASSDB_RESULT_OK;
 		}
 	}
--- a/src/auth/password-scheme.c	Sun May 13 21:28:41 2007 +0300
+++ b/src/auth/password-scheme.c	Sun May 13 21:47:42 2007 +0300
@@ -255,6 +255,11 @@
 {
 	const char *password;
 
+	if (size == 0) {
+		/* the default mycrypt() handler would return match */
+		return FALSE;
+	}
+
 	password = t_strndup(raw_password, size);
 	return strcmp(mycrypt(plaintext, password), password) == 0;
 }
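Review bot: The comment on the new `size == 0` guard says what `mycrypt()` would do but not why that matters for authentication. Going by the commit description, an empty stored hash would otherwise verify against any plaintext, and the comment should say so, e.g. `/* empty stored hash: the default mycrypt() handler would report a match for any plaintext, so reject it */`. The function signature is outside the hunk, so the verifier this guards is inferred from the `mycrypt()` call only.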