diff --git a/src/ldap.js b/src/ldap.js
index 48d2564a6..41dac1ae6 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -624,14 +624,19 @@ async function authenticateMailAddon(req, res, next) {
 if (addonId === 'recvmail' && !domain.enabled) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+ const [getMailboxError, mailbox] = await safe(mail.getMailbox(parts[0], parts[1]));
+ if (getMailboxError) return next(new ldap.OperationsError(getMailboxError.message));
+
 const [appPasswordError] = await safe(verifyAppMailboxPassword(addonId, email, req.credentials || ''));
- if (!appPasswordError) return res.end(); // validated as app
+ if (!appPasswordError) { // validated as app
+ if (addonId === 'recvmail' && (!mailbox || !mailbox.active)) return next(new ldap.NoSuchObjectError(req.dn.toString())); // recvmail requires active mailbox
+ return res.end();
+ }
 if (appPasswordError && appPasswordError.reason === BoxError.INVALID_CREDENTIALS) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
 if (appPasswordError && appPasswordError.reason !== BoxError.NOT_FOUND) return next(new ldap.OperationsError(appPasswordError.message));
- const [getMailboxError, mailbox] = await safe(mail.getMailbox(parts[0], parts[1]));
- if (getMailboxError) return next(new ldap.OperationsError(getMailboxError.message));
+ // user password check requires an active mailbox for recvmail and sendmail addon
 if (!mailbox) return next(new ldap.NoSuchObjectError(req.dn.toString()));
 if (!mailbox.active) return next(new ldap.NoSuchObjectError(req.dn.toString()));
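Review bot: In the new `if (!appPasswordError)` branch only `recvmail` is gated on an active mailbox, so a `sendmail` bind with valid app credentials still succeeds when the mailbox is missing or deactivated. If that asymmetry is intended, state it next to the check, e.g. `// sendmail with app credentials is allowed without an active mailbox`; if it is not, drop the `addonId === 'recvmail' &&` condition so that deactivating a mailbox also stops app-credential sending. Separately, `mail.getMailbox()` now runs before any credential is verified, so `getMailboxError.message` can be returned to an unauthenticated client on every bind; a generic `OperationsError` text with the detail logged server-side would avoid exposing backend error strings. The body of `authenticateMailAddon` starts and ends outside this hunk, so earlier validation of `parts` and `domain` is not visible here.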