diff --git a/helpers/get-error-code.js b/helpers/get-error-code.js
index a87fe0c612..f9f27e1ca1 100644
--- a/helpers/get-error-code.js
+++ b/helpers/get-error-code.js
@@ -73,7 +73,7 @@ function getErrorCode(err) {
   if (err.isBoom === true && typeof err?.output?.statusCode === 'number') {
     if ([403, 404].includes(err.output.statusCode)) return 550;
 
-    if (err.output.statusCode > 400 && err.output.statusCode < 500) return 421;
+    if (err.output.statusCode >= 400 && err.output.statusCode < 500) return 421;
   }
 
   return 550;
diff --git a/helpers/on-auth.js b/helpers/on-auth.js
index 64afe1979e..c8ddb0e381 100644
--- a/helpers/on-auth.js
+++ b/helpers/on-auth.js
@@ -679,6 +679,7 @@ async function onAuth(auth, session, fn) {
   } catch (err) {
     //
     // NOTE: if err.response === 'NO' then WildDuck POP3 will return error message too
+    //       similarly if `error.response` is set then IMAP will return that instead of TEMPFAIL
     //
     // NOTE: we should actually share error message if it was not a code bug
     //       (otherwise it won't be intuitive to users if they're late on payment)
@@ -686,9 +687,14 @@ async function onAuth(auth, session, fn) {
     //
     // <https://github.com/nodemailer/smtp-server/blob/a570d0164e4b4ef463eeedd80cadb37d5280e9da/lib/sasl.js#L189-L222>
     // <https://github.com/nodemailer/wildduck/issues/726>
-    fn(
-      refineAndLogError(err, session, this.server instanceof IMAPServer, this)
+    const error = refineAndLogError(
+      err,
+      session,
+      this.server instanceof IMAPServer,
+      this
     );
+    error.response = 'NO';
+    fn(error);
   }
 }
 
diff --git a/test/api/v1.js b/test/api/v1.js
index 7bc7693316..a1b2792ae9 100644
--- a/test/api/v1.js
+++ b/test/api/v1.js
@@ -182,6 +182,7 @@ test('creates alias with global catch-all', async (t) => {
   t.deepEqual(
     _.sortBy(Object.keys(res.body)),
     _.sortBy([
+      'max_quota',
       'created_at',
       'error_code_if_disabled',
       'has_imap',
@@ -229,6 +230,7 @@ test('creates alias with global catch-all', async (t) => {
   t.deepEqual(
     _.sortBy(Object.keys(res.body.domain)),
     _.sortBy([
+      'max_quota_per_alias',
       'allowlist',
       'denylist',
       'invites',
@@ -300,6 +302,7 @@ test('creates alias with global catch-all', async (t) => {
         'retention',
         'name',
         'is_enabled',
+        'max_quota',
         'error_code_if_disabled',
         'has_recipient_verification',
         'recipients',
@@ -1280,10 +1283,12 @@ test('create domain without catchall', async (t) => {
     t.is(res.body.length, 1);
     t.true(res.body[0].name === 'testdomain1.com');
     t.true(res.body[0].plan === 'enhanced_protection');
+
     // filter for properties for exposed values
     t.deepEqual(
       _.sortBy(Object.keys(res.body[0])),
       _.sortBy([
+        'max_quota_per_alias',
         'allowlist',
         'denylist',
         'created_at',