# HG changeset patch
# User Timo Sirainen <tss@iki.fi>
# Date 1202317345 -7200
# Node ID 56f8ac7a3a777c2a32b603a9db9d5ff63ce7bdb3
# Parent  492c5dfc5fd80633888da40fc4f12cf9fc635c38
If proxy fails to log in to the backend server, forward the error message
instead of always replying with a generic "Authentication failed", which
could hide temporary failure and "too many connections" errors. However if
the backend isn't Dovecot, this could allow an attacker to find out what
users exist on the system.

diff -r 492c5dfc5fd8 -r 56f8ac7a3a77 src/imap-login/imap-proxy.c
--- a/src/imap-login/imap-proxy.c	Tue Feb 05 00:20:51 2008 +0200
+++ b/src/imap-login/imap-proxy.c	Wed Feb 06 19:02:25 2008 +0200
@@ -66,10 +66,20 @@
 		client_destroy(client, msg);
 		return -1;
 	} else if (strncmp(line, "P ", 2) == 0) {
-		/* Login failed. Send our own failure reply so client can't
-		   figure out if user exists or not just by looking at the
-		   reply string. */
-		client_send_tagline(client, "NO "AUTH_FAILED_MSG);
+		/* If the backend server isn't Dovecot, the error message may
+		   be different from Dovecot's "user doesn't exist" error. This
+		   would allow an attacker to find out what users exist in the
+		   system.
+
+		   The optimal way to handle this would be to replace the
+		   backend's "password failed" error message with Dovecot's
+		   AUTH_FAILED_MSG, but this would require a new setting and
+		   the sysadmin to actually bother setting it properly.
+
+		   So for now we'll just forward the error message. This
+		   shouldn't be a real problem since of course everyone will
+		   be using only Dovecot as their backend :) */
+		client_send_tagline(client, line + 2);
 
 		/* allow client input again */
 		i_assert(client->io == NULL);
diff -r 492c5dfc5fd8 -r 56f8ac7a3a77 src/pop3-login/pop3-proxy.c
--- a/src/pop3-login/pop3-proxy.c	Tue Feb 05 00:20:51 2008 +0200
+++ b/src/pop3-login/pop3-proxy.c	Wed Feb 06 19:02:25 2008 +0200
@@ -118,10 +118,12 @@
 		return;
 	}
 
-	/* Login failed. Send our own failure reply so client can't
-	   figure out if user exists or not just by looking at the
-	   reply string. */
-	client_send_line(client, "-ERR "AUTH_FAILED_MSG);
+	/* Login failed. Pass through the error message to client
+	   (see imap-proxy code for potential problems with this) */
+	if (strncmp(line, "-ERR ", 5) != 0)
+		client_send_line(client, "-ERR "AUTH_FAILED_MSG);
+	else
+		client_send_line(client, line);
 
 	/* allow client input again */
 	i_assert(client->io == NULL);