diff --git a/dovecot/keyproxy.go b/dovecot/keyproxy.go
index 41a372ebe174cd40491f338f77808b46729ee19b..b831c4c12c8adf21e0815cb9208f1f0522ae649c 100644
--- a/dovecot/keyproxy.go
+++ b/dovecot/keyproxy.go
@@ -47,7 +47,15 @@ type userdbResponse struct {
 }
 
 type passdbResponse struct {
-	PrivateKey string `json:"mail_crypt_global_private_key"`
+	PrivateKey string `json:"userdb_mail_crypt_global_private_key"`
+	NoAuth     bool   `json:"noauthenticate"`
+}
+
+func newPassDBResponse(privateKey string) *passdbResponse {
+	return &passdbResponse{
+		PrivateKey: privateKey,
+		NoAuth:     true,
+	}
 }
 
 var passwordSep = "/"
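Review bot: `newPassDBResponse` hardcodes `NoAuth: true` with no comment, so nothing in the file records that every reply built this way tells Dovecot not to authenticate at this passdb. The private key sent as `userdb_mail_crypt_global_private_key` is then protected only if a later passdb in the Dovecot configuration verifies the password. I would state that on the constructor, e.g. `// newPassDBResponse builds a key-only reply: noauthenticate is always set, so a later passdb must authenticate the user.` Separately, `NoAuth` has no `omitempty`, so a bare `passdbResponse{}` built elsewhere would serialize `"noauthenticate":false`. Whether Dovecot treats a present-but-false field as set should be confirmed; keeping all construction behind this helper avoids the question.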
@@ -126,7 +134,7 @@ func (s *KeyLookupProxy) lookupPassdb(ctx context.Context, username, password st
 		log.Printf("keystore lookup for %s failed: %v", username, err)
 	} else {
 		log.Printf("passdb lookup for %s (from keystore)", username)
-		return &passdbResponse{PrivateKey: s.b64encode(priv)}, true, nil
+		return newPassDBResponse(s.b64encode(priv)), true, nil
 	}
 
 	// Otherwise, fetch encrypted keys from the db and attempt to
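Review bot: The keystore branch returns the user's private key with no password check visible in this hunk, and with `noauthenticate` set the reply carries no credential decision of its own. If the keystore lookup is keyed on the username alone (the call is outside the hunk, so this is inferred), a comment above the return should say so, e.g. `// key comes from the keystore without checking the password; noauthenticate defers credential verification to the next passdb`. The surrounding log lines format the client-supplied username with `%s`; `%q` would keep control characters out of the log. lookupPassdb starts and ends outside this hunk, and the second return changed in the next hunk follows a decryption step that presumably depends on the password.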
@@ -150,7 +158,7 @@ func (s *KeyLookupProxy) lookupPassdb(ctx context.Context, username, password st
 		return nil, false, err
 	}
 	log.Printf("passdb lookup for %s (decrypted)", username)
-	return &passdbResponse{PrivateKey: s.b64encode(priv)}, true, nil
+	return newPassDBResponse(s.b64encode(priv)), true, nil
 }
 
 func (s *KeyLookupProxy) b64encode(b []byte) string {