We're using 6.22.8 Rev5 with IMAP authentication and have some problems with changed passwords in our LDAP backend.

When a user changes the password and tries to log on while the new pwd is not fully synchronized in our AD tree, the login fails - so far so correct. But even after checking the AD sync (and w/o login tries for up to one hour) the login still fails - this got me curious.

On the IMAP server (dovecot, if this is important) I don't see any failed (or successful) login attempts, though the OX log shows the normal AuthenticationFailedException. In the release notes of 6.20.5 [0] I found the property com.openexchange.imap.failedAuthTimeout - but our server already had this set to 10000 (10 seconds according to the description).

It feels as if OX is ignoring this setting and locked IMAP accounts are not cleared. Can anyone see this behaviour?

We can reproduce this rather easily:
* Login with a non-existing user
-> OX log: AuthenticationFailedException
-> IMAP server auth log: PAM authentication failure
* Wait 20 seconds (or simply longer than the configured time for failedAuthTimeout)
* Login with the same non-existing user (same password as before, I believe OX caches failed logins as user/pwd combinations)
-> OX log: AuthenticationFailedException
-> IMAP server auth log: No entry for this login attempt

We have been aware of this problem for some time but believed in a PEBKAC, though it seems our users are for once not blameable :)

Any ideas?

Thanks, Renke

[0] https://software.open-xchange.com/OX...es-v6.20.5.pdf
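
Added example, not part of the original post and not Open-Xchange or dovecot code: one way to confirm the symptom from the reproduction steps is to correlate both logs and flag every OX AuthenticationFailedException that has no IMAP-server auth entry for the same user within a few seconds. The log line layouts, user names, timestamps and the 5-second matching window are constructed assumptions.

```python
from datetime import datetime, timedelta
import re

# Constructed sample lines in a simplified layout (assumption: real OX and
# dovecot/PAM log formats differ, so the regexes below must be adapted).
OX_LOG = """\
2013-05-02 10:00:00 ERROR AuthenticationFailedException login=nosuchuser
2013-05-02 10:00:20 ERROR AuthenticationFailedException login=nosuchuser
2013-05-02 10:05:00 ERROR AuthenticationFailedException login=alice
"""
IMAP_AUTH_LOG = """\
2013-05-02 10:00:01 auth: pam(nosuchuser): PAM authentication failure
2013-05-02 10:05:01 auth: pam(alice): PAM authentication failure
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
OX_RE = re.compile(TS + r" .*AuthenticationFailedException login=(\S+)")
IMAP_RE = re.compile(TS + r" auth: pam\(([^)]+)\)")


def parse(text, pattern):
    """Extract (timestamp, user) pairs from the lines that match pattern."""
    events = []
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((when, m.group(2)))
    return events


def failures_without_backend_attempt(ox_text, imap_text, window_s=5):
    """Return OX failures with no IMAP auth entry for that user within window_s."""
    window = timedelta(seconds=window_s)
    imap_events = parse(imap_text, IMAP_RE)
    unmatched = []
    for ts, user in parse(ox_text, OX_RE):
        # A failure that reached the backend leaves an auth entry close in time.
        seen = any(u == user and abs(t - ts) <= window for t, u in imap_events)
        if not seen:
            unmatched.append((ts.strftime("%H:%M:%S"), user))
    return unmatched


if __name__ == "__main__":
    for when, user in failures_without_backend_attempt(OX_LOG, IMAP_AUTH_LOG):
        print(f"{when} {user}: rejected by OX without reaching the IMAP server")
```

An unmatched failure that occurs later than the configured failedAuthTimeout after the previous attempt is the behaviour described in the post.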