diff --git a/src/ldap.js b/src/ldap.js
index 4bddde3ca..ab725524d 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -432,8 +432,6 @@ function authenticateMailbox(req, res, next) {
             if (error && error.reason === MailError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
             if (error) return next(new ldap.OperationsError(error.message));
 
-            if (!domain.enabled) return next(new ldap.NoSuchObjectError(req.dn.toString()));
-
             if (mailbox.ownerType === mailboxdb.TYPE_APP) {
                 var addonId = req.dn.rdns[1].attrs.ou.value.toLowerCase(); // 'sendmail' or 'recvmail'
                 var name;
@@ -449,6 +447,8 @@ function authenticateMailbox(req, res, next) {
                     return res.end();
                 });
             } else if (mailbox.ownerType === mailboxdb.TYPE_USER) {
+                if (!domain.enabled) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+
                 user.verifyWithUsername(parts[0], req.credentials || '', function (error, user) {
                     if (error && error.reason === UserError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
                     if (error && error.reason === UserError.WRONG_PASSWORD) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
diff --git a/src/test/ldap-test.js b/src/test/ldap-test.js
index 7bc30d896..f1f6e9851 100644
--- a/src/test/ldap-test.js
+++ b/src/test/ldap-test.js
@@ -901,7 +901,7 @@ describe('Ldap', function () {
     describe('app sendmail bind', function () {
         // these tests should work even when email is disabled
         before(function (done) {
-            maildb.update(DOMAIN_0.domain, { enabled: true }, done);
+            maildb.update(DOMAIN_0.domain, { enabled: false }, done);
         });
 
         it('does not allow with invalid app', function (done) {