From 766c5e85801b9719e3447b935f03bb5dd84fda9e Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 9 Apr 2025 08:02:30 +0200 Subject: [PATCH 1/3] [Dovecot] Ignore app passwords protocol access on SOGo request --- data/conf/dovecot/auth/mailcowauth.php | 4 +++- data/conf/dovecot/auth/passwd-verify.lua | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php index 667419c57..4eda382b7 100644 --- a/data/conf/dovecot/auth/mailcowauth.php +++ b/data/conf/dovecot/auth/mailcowauth.php @@ -79,7 +79,9 @@ if ($isSOGoRequest) { } } if ($result === false){ - $result = apppass_login($post['username'], $post['password'], array($post['service'] => true), array( + // If it's a SOGo Request, don't check for protocol access + $service = (isSOGoRequest) ? false : array($post['service'] => true); + $result = apppass_login($post['username'], $post['password'], $service, array( 'is_internal' => true, 'remote_addr' => $post['real_rip'] )); diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua index 18c18dbe3..19dcc4bd6 100644 --- a/data/conf/dovecot/auth/passwd-verify.lua +++ b/data/conf/dovecot/auth/passwd-verify.lua @@ -29,7 +29,7 @@ function auth_password_verify(request, password) insecure = true } - if c ~= 200 then + if c ~= 200 and c ~= 401 then dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user) return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error" end From c4d0f35008b9dfa1f8f2e87e55d308cc220bf181 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Tue, 15 Apr 2025 10:49:56 +0200 Subject: [PATCH 2/3] [Dovecot] Fix EAS login and improve logging --- data/conf/dovecot/auth/mailcowauth.php | 2 +- data/conf/dovecot/auth/passwd-verify.lua | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) 
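Review bot: `$service = (isSOGoRequest) ? false : array($post['service'] => true);` references `isSOGoRequest` without the `$` sigil, so PHP parses it as an undefined constant rather than the `$isSOGoRequest` variable tested a few lines above; on PHP 8 that throws an Error and aborts the lookup, while on PHP 7 the bare name degrades to a truthy string, which makes `$service` `false` for every login and skips the protocol check for all app-password users, not only SOGo. PATCH 2/3 of this series corrects the sigil, but the hunk as committed either breaks authentication or fails open depending on the PHP version. The line should read `$service = ($isSOGoRequest) ? false : array($post['service'] => true);`. It would also help to say in the comment what `apppass_login` does with `false` for its third argument — presumably it skips the per-protocol permission check — since that is the security decision being taken here.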
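Review bot: Letting 401 through at `if c ~= 200 and c ~= 401 then` is unexplained in the hunk; the reason a 401 is not an upstream failure (presumably the backend answers a rejected credential with 401 and a JSON body that still carries `success`) should be stated next to the condition, e.g. `-- 401 is the backend's reply for rejected credentials and still carries the JSON verdict; any other non-200 status is an upstream failure`. Note that the `json.decode` on the line after this hunk assumes the 401 body is JSON, which is worth confirming against mailcowauth.php. The enclosing function auth_password_verify starts and ends outside the hunk.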
diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php index 4eda382b7..c625522ba 100644 --- a/data/conf/dovecot/auth/mailcowauth.php +++ b/data/conf/dovecot/auth/mailcowauth.php @@ -80,7 +80,7 @@ if ($isSOGoRequest) { } if ($result === false){ // If it's a SOGo Request, don't check for protocol access - $service = (isSOGoRequest) ? false : array($post['service'] => true); + $service = ($isSOGoRequest) ? false : array($post['service'] => true); $result = apppass_login($post['username'], $post['password'], $service, array( 'is_internal' => true, 'remote_addr' => $post['real_rip'] diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua index 19dcc4bd6..b8843c996 100644 --- a/data/conf/dovecot/auth/passwd-verify.lua +++ b/data/conf/dovecot/auth/passwd-verify.lua @@ -34,8 +34,15 @@ function auth_password_verify(request, password) return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error" end - local api_response = json.decode(table.concat(res)) - if api_response.success == true then + local response_str = table.concat(res) + local is_response_valid, response_json = pcall(json.decode, response_str) + + if not is_response_valid then + dovecot.i_info("Invalid JSON received: " .. response_str) + return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Invalid response format" + end + + if response_json.success == true then return dovecot.auth.PASSDB_RESULT_OK, "" end From 401b744808ff127b625001d8512d80d108d58a6a Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 8 May 2025 11:38:29 +0200 Subject: [PATCH 3/3] [Dovecot] return PASSDB_RESULT_PASSWORD_MISMATCH instead of PASSDB_RESULT_INTERNAL_FAILURE --- data/conf/dovecot/auth/passwd-verify.lua | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/data/conf/dovecot/auth/passwd-verify.lua b/data/conf/dovecot/auth/passwd-verify.lua index b8843c996..ea847932d 100644 --- a/data/conf/dovecot/auth/passwd-verify.lua 
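Review bot: `pcall(json.decode, response_str)` only catches decode errors, but a body that is valid JSON without being an object (`null`, a bare number or string) decodes successfully and the following `response_json.success` then indexes a non-table value and raises, so the lookup dies with a Lua error instead of returning the intended failure result; the guard should be `if not is_response_valid or type(response_json) ~= "table" then`. Also, `dovecot.i_info("Invalid JSON received: " .. response_str)` writes the complete upstream body to the log, which on a backend fault is arbitrary content of unbounded size (an HTML error page, for instance), so consider logging only a bounded prefix such as `response_str:sub(1, 200)` or the body length rather than the whole string. auth_password_verify's body starts and ends outside this hunk.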
+++ b/data/conf/dovecot/auth/passwd-verify.lua @@ -29,9 +29,12 @@ function auth_password_verify(request, password) insecure = true } + -- Returning PASSDB_RESULT_PASSWORD_MISMATCH will reset the user's auth cache entry. + -- Returning PASSDB_RESULT_INTERNAL_FAILURE keeps the existing cache entry, + -- even if the TTL has expired. Useful to avoid cache eviction during backend issues. if c ~= 200 and c ~= 401 then dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user) - return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Upstream error" + return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Upstream error" end local response_str = table.concat(res) @@ -39,7 +42,7 @@ function auth_password_verify(request, password) if not is_response_valid then dovecot.i_info("Invalid JSON received: " .. response_str) - return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Invalid response format" + return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Invalid response format" end if response_json.success == true then
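Review bot: The new comment explains the cache effect of both result codes, but its last sentence argues for the code being removed — it calls `PASSDB_RESULT_INTERNAL_FAILURE` "useful to avoid cache eviction during backend issues", while the changed line here and the one in the `@@ -39,7 +42,7 @@` hunk below now return `PASSDB_RESULT_PASSWORD_MISMATCH` on exactly those backend failures. The comment should state the actual reason for the switch, e.g. `-- A backend failure is deliberately reported as a password mismatch so Dovecot drops the cached entry instead of serving a possibly stale one; the i_info line above is the only record that this was not a real credential failure.` (adjusted to the real motivation). Operationally a mismatch result is what the client sees as a wrong password, so during an outage users may be prompted to re-enter credentials and any login-failure counter in front of Dovecot may begin blocking them — worth mentioning in the commit message, and worth raising the preceding `dovecot.i_info` to a warning so the two cases can be told apart in the log. The enclosing function starts before the hunk.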