auth/dovecot_sasl: Update go-dovecot-sasl for Dovecot 2.4 compatibility

Fixes #808

Author: foxcpp

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/emersion/go-msgauth v0.6.8
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6
 	github.com/emersion/go-smtp v0.21.3
-	github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf
+	github.com/foxcpp/go-dovecot-sasl v0.0.0-20260303144336-f7632c6ec0ba
 	github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16
 	github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005
 	github.com/foxcpp/go-imap-mess v0.0.0-20230108134257-b7ec3a649613

go.sum

@@ -306,6 +306,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf h1:rmBPY5fryjp9zLQYsUmQqqgsYq7qeVfrjtr96Tf9vD8=
 github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf/go.mod h1:5yZUmwr851vgjyAfN7OEfnrmKOh/qLA5dbGelXYsu1E=
+github.com/foxcpp/go-dovecot-sasl v0.0.0-20260303144336-f7632c6ec0ba h1:yxQhqX9RQCvECZKBtqwCZoKy/6CLaozDZeWH9Lvndy0=
+github.com/foxcpp/go-dovecot-sasl v0.0.0-20260303144336-f7632c6ec0ba/go.mod h1:5yZUmwr851vgjyAfN7OEfnrmKOh/qLA5dbGelXYsu1E=
 github.com/foxcpp/go-imap v1.0.0-beta.1.0.20220623182312-df940c324887 h1:qUoaaHyrRpQw85ru6VQcC6JowdhrWl7lSbI1zRX1FTM=
 github.com/foxcpp/go-imap v1.0.0-beta.1.0.20220623182312-df940c324887/go.mod h1:Qlx1FSx2FTxjnjWpIlVNEuX+ylerZQNFE5NsmKFSejY=
 github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16 h1:qheFPDpteiUy7Ym18R68OYenpk85UyKYGkhYTmddSBg=

internal/auth/sasl.go

@@ -54,6 +54,8 @@ type SASLAuth struct {
 	AuthMap       module.Table
 	AuthNormalize authz.NormalizeFunc
 
+	ErrorMap func(err error) error
+
 	Plain []module.PlainAuth
 }
 
@@ -132,20 +134,29 @@ type ContextData struct {
 }
 
 // CreateSASL creates the sasl.Server instance for the corresponding mechanism.
-func (s *SASLAuth) CreateSASL(mech string, remoteAddr net.Addr, successCb func(identity string, data ContextData) error) sasl.Server {
+func (s *SASLAuth) CreateSASL(
+	mech string, remoteAddr net.Addr,
+	successCb func(identity string, data ContextData) error,
+) sasl.Server {
 	switch mech {
 	case sasl.Plain:
 		return sasl.NewPlainServer(func(identity, username, password string) error {
 			if identity == "" {
 				identity = username
 			}
 			if identity != username {
+				if s.ErrorMap != nil {
+					return s.ErrorMap(ErrInvalidAuthCred)
+				}
 				return ErrInvalidAuthCred
 			}
 
 			err := s.AuthPlain(username, password)
 			if err != nil {
 				s.Log.Error("authentication failed", err, "username", username, "src_ip", remoteAddr)
+				if s.ErrorMap != nil {
+					return s.ErrorMap(ErrInvalidAuthCred)
+				}
 				return ErrInvalidAuthCred
 			}
 
@@ -162,12 +173,18 @@ func (s *SASLAuth) CreateSASL(mech string, remoteAddr net.Addr, successCb func(i
 		return sasllogin.NewLoginServer(func(username, password string) error {
 			username, err := s.usernameForAuth(context.Background(), username)
 			if err != nil {
+				if s.ErrorMap != nil {
+					return s.ErrorMap(ErrInvalidAuthCred)
+				}
 				return err
 			}
 
 			err = s.AuthPlain(username, password)
 			if err != nil {
 				s.Log.Error("authentication failed", err, "username", username, "src_ip", remoteAddr)
+				if s.ErrorMap != nil {
+					return s.ErrorMap(ErrInvalidAuthCred)
+				}
 				return ErrInvalidAuthCred
 			}
 

internal/endpoint/smtp/session.go

@@ -171,19 +171,7 @@ func (s *Session) AuthPlain(username, password string) error {
 
 		failedLogins.WithLabelValues(s.endp.name).Inc()
 
-		if exterrors.IsTemporary(err) {
-			return &smtp.SMTPError{
-				Code:         454,
-				EnhancedCode: smtp.EnhancedCode{4, 7, 0},
-				Message:      "Temporary authentication failure",
-			}
-		}
-
-		return &smtp.SMTPError{
-			Code:         535,
-			EnhancedCode: smtp.EnhancedCode{5, 7, 8},
-			Message:      "Invalid credentials",
-		}
+		return s.endp.authErrorMap(err)
 	}
 
 	s.connState.AuthUser = username

internal/endpoint/smtp/smtp.go

@@ -38,6 +38,7 @@ import (
 	modconfig "github.com/foxcpp/maddy/framework/config/module"
 	tls2 "github.com/foxcpp/maddy/framework/config/tls"
 	"github.com/foxcpp/maddy/framework/dns"
+	"github.com/foxcpp/maddy/framework/exterrors"
 	"github.com/foxcpp/maddy/framework/future"
 	"github.com/foxcpp/maddy/framework/log"
 	"github.com/foxcpp/maddy/framework/module"
@@ -285,6 +286,7 @@ func (endp *Endpoint) setConfig(cfg *config.Map) error {
 	}
 
 	endp.saslAuth.Log.Debug = endp.Log.Debug
+	endp.saslAuth.ErrorMap = endp.authErrorMap
 
 	// INTERNATIONALIZATION: See RFC 6531 Section 3.3.
 	endp.serv.Domain, err = idna.ToASCII(hostname)
@@ -326,6 +328,22 @@ func (endp *Endpoint) Start() error {
 	return nil
 }
 
+func (endp *Endpoint) authErrorMap(err error) error {
+	if exterrors.IsTemporary(err) {
+		return &smtp.SMTPError{
+			Code:         454,
+			EnhancedCode: smtp.EnhancedCode{4, 7, 0},
+			Message:      "Temporary authentication failure",
+		}
+	}
+
+	return &smtp.SMTPError{
+		Code:         535,
+		EnhancedCode: smtp.EnhancedCode{5, 7, 8},
+		Message:      "Invalid credentials",
+	}
+}
+
 func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
 	for _, addr := range addresses {
 		var l net.Listener

tests/dovecot_sasl_test.go

@@ -1,10 +1,8 @@
 //go:build integration && (darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris)
-// +build integration
-// +build darwin dragonfly freebsd linux netbsd openbsd solaris
 
 /*
 Maddy Mail Server - Composable all-in-one email server.
-Copyright © 2019-2020 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
+Copyright © 2019-2026 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -26,9 +24,9 @@ package tests_test
 
 import (
 	"bufio"
+	"bytes"
 	"errors"
 	"flag"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"os/user"
@@ -47,7 +45,8 @@ func init() {
 	flag.StringVar(&DovecotExecutable, "integration.dovecot", "dovecot", "path to dovecot executable for interop tests")
 }
 
-const dovecotConf = `base_dir = $ROOT/run/
+const dovecotConf = `
+base_dir = $ROOT/run/
 state_dir = $ROOT/lib/
 log_path = /dev/stderr
 ssl = no
@@ -56,12 +55,14 @@ default_internal_user = $USER
 default_internal_group = $GROUP
 default_login_user = $USER
 
+auth_failure_delay = 0
+
 passdb {
 	driver = passwd-file
 	args = $ROOT/passwd
 }
 
-userdb {
+userdb file {
 	driver = passwd-file
 	args = $ROOT/passwd
 }
@@ -78,7 +79,7 @@ protocols = imap
 service imap-login {
 	chroot =
 	inet_listener imap {
-		address = 127.0.0.1
+		listen = 127.0.0.1
 		port = 0
 	}
 }
@@ -95,8 +96,64 @@ auth_verbose_passwords = yes
 mail_debug = yes
 `
 
+const dovecotConf24 = `dovecot_config_version = 2.4.0
+dovecot_storage_version = 2.4.0
+
+base_dir = $ROOT/run/
+state_dir = $ROOT/lib/
+mail_plugin_dir = $ROOT/lib/
+login_plugin_dir = $ROOT/lib/
+log_path = /dev/stderr
+ssl = no
+
+default_internal_user = $USER
+default_internal_group = $GROUP
+default_login_user = $USER
+
+auth_failure_delay = 0
+
+passdb file {
+	driver = passwd-file
+	passwd_file_path = $ROOT/passwd
+}
+
+userdb file {
+	driver = passwd-file
+	passwd_file_path = $ROOT/passwd
+}
+
+service auth {
+	unix_listener auth {
+		mode = 0666
+	}
+}
+
+# Turn on debugging information, to help troubleshooting issues.
+auth_verbose = yes
+auth_debug = yes
+auth_debug_passwords = yes
+auth_verbose_passwords = yes
+mail_debug = yes
+`
+
 const dovecotPasswd = `tester:{plain}123456:1000:1000::/home/user`
 
+func isDovecot24(t *testing.T, dovecotExec string) bool {
+	cmd := exec.Command(dovecotExec, "--version")
+	var stdout bytes.Buffer
+	cmd.Stdout = &stdout
+	if err := cmd.Run(); err != nil {
+		t.Fatal(err)
+	}
+
+	version, _, _ := strings.Cut(stdout.String(), "-")
+	t.Log("Dovecot version:", stdout.String())
+
+	parts := strings.SplitN(version, ".", 3)
+
+	return len(parts) >= 2 && parts[0] == "2" && parts[1] >= "4"
+}
+
 func runDovecot(t *testing.T) (string, *exec.Cmd) {
 	dovecotExec, err := exec.LookPath(DovecotExecutable)
 	if err != nil {
@@ -117,15 +174,20 @@ func runDovecot(t *testing.T) (string, *exec.Cmd) {
 		t.Fatal(err)
 	}
 
+	dovecotConfTemplate := dovecotConf
+	if isDovecot24(t, dovecotExec) {
+		dovecotConfTemplate = dovecotConf24
+	}
+
 	dovecotConf := strings.NewReplacer(
 		"$ROOT", tempDir,
 		"$USER", curUser.Username,
-		"$GROUP", curGroup.Name).Replace(dovecotConf)
-	err = ioutil.WriteFile(filepath.Join(tempDir, "dovecot.conf"), []byte(dovecotConf), os.ModePerm)
+		"$GROUP", curGroup.Name).Replace(dovecotConfTemplate)
+	err = os.WriteFile(filepath.Join(tempDir, "dovecot.conf"), []byte(dovecotConf), os.ModePerm)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = ioutil.WriteFile(filepath.Join(tempDir, "passwd"), []byte(dovecotPasswd), os.ModePerm)
+	err = os.WriteFile(filepath.Join(tempDir, "passwd"), []byte(dovecotPasswd), os.ModePerm)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -147,9 +209,14 @@ func runDovecot(t *testing.T) (string, *exec.Cmd) {
 		for scnr.Scan() {
 			line := scnr.Text()
 
-			// One of messages printed near completing initialization.
+			// One of messages printed near completing initialization (Dovecot 2.3 or older)
 			if strings.Contains(line, "starting up for imap") {
-				time.Sleep(500*time.Millisecond)
+				time.Sleep(500 * time.Millisecond)
+				ready <- struct{}{}
+			}
+			// Dovecot 2.4+
+			if strings.Contains(line, "starting up without any protocols") {
+				time.Sleep(500 * time.Millisecond)
 				ready <- struct{}{}
 			}