diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php index 667419c57..c625522ba 100644 --- a/data/conf/dovecot/auth/mailcowauth.php +++ b/data/conf/dovecot/auth/mailcowauth.php @@ -79,7 +79,9 @@ if ($isSOGoRequest) { } } if ($result === false){ - $result = apppass_login($post['username'], $post['password'], array($post['service'] => true), array( + // If it's a SOGo Request, don't check for protocol access + $service = ($isSOGoRequest) ? false : array($post['service'] => true); + $result = apppass_login($post['username'], $post['password'], $service, array( 'is_internal' => true, 'remote_addr' => $post['real_rip'] )); diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua index 18c18dbe3..ea847932d 100644 --- a/data/conf/dovecot/auth/passwd-verify.lua +++ b/data/conf/dovecot/auth/passwd-verify.lua @@ -29,13 +29,23 @@ function auth_password_verify(request, password) insecure = true } - if c ~= 200 then + -- Returning PASSDB_RESULT_PASSWORD_MISMATCH will reset the user's auth cache entry. + -- Returning PASSDB_RESULT_INTERNAL_FAILURE keeps the existing cache entry, + -- even if the TTL has expired. Useful to avoid cache eviction during backend issues. + if c ~= 200 and c ~= 401 then dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user) - return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error" + return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Upstream error" end - local api_response = json.decode(table.concat(res)) - if api_response.success == true then + local response_str = table.concat(res) + local is_response_valid, response_json = pcall(json.decode, response_str) + + if not is_response_valid then + dovecot.i_info("Invalid JSON received: " .. response_str) + return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Invalid response format" + end + + if response_json.success == true then return dovecot.auth.PASSDB_RESULT_OK, "" end