diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index c4b9971a20..2a859caac6 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -230,7 +230,10 @@ hostnogssenc database userreplication specifies that the record
matches if a physical replication connection is requested (note that
- replication connections do not specify any particular database).
+ replication connections do not specify any particular database);
+ it does not match logical replication connections, which specify
+ replication=database and a dbname
+ in their connection string.
Otherwise, this is the name of
a specific PostgreSQL database.
Multiple database names can be supplied by separating them with
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 545635f41a..2314adb699 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -417,7 +417,7 @@ ClientAuthentication(Port *port)
#endif
_("no encryption");
- if (am_walsender)
+ if (am_walsender && !am_db_walsender)
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
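Review bot: The new test `am_walsender && !am_db_walsender` here, and the identical one in the "no pg_hba.conf entry" branch further down, has no comment explaining why a database walsender falls through to the database-specific message. Going by the documentation hunk in this commit, the reason is that logical replication connections name a database and are not matched by the `replication` keyword, but that is not stated at the point of use. I would add above each test a comment such as `/* logical replication names a database, so report it like a regular connection */`. The ereport call and the rest of ClientAuthentication continue outside this hunk.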
@@ -431,7 +431,9 @@ ClientAuthentication(Port *port)
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
hostinfo, port->user_name,
port->database_name,
- encryption_state)));
+ encryption_state),
+ am_db_walsender ?
+ errdetail("Logical replication connections do not match pg_hba.conf rules using the \"replication\" keyword.") : 0));
break;
}
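Review bot: The added `errdetail()` in this reject branch goes to the client before authentication has succeeded, and it is attached to every rejected `am_db_walsender` connection, whatever the reason for the rejection. In this branch a pg_hba.conf line did match and said reject, so a detail about the `replication` keyword may point the operator at the wrong cause. The text is generic and reveals nothing about the local file, but the hostname lookup detail next to it in the later hunk is deliberately log-only, so the difference deserves a comment such as `/* generic text only: client-visible, must not describe pg_hba.conf contents */`. The same literal is repeated in the "no pg_hba.conf entry" hunk below. Defining it once, next to the hostname detail macro, would keep the two copies from drifting.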
@@ -463,7 +465,7 @@ ClientAuthentication(Port *port)
#endif
_("no encryption");
-#define HOSTNAME_LOOKUP_DETAIL(port) \
+#define HOSTNAME_LOOKUP_DETAIL_LOG(port) \
(port->remote_hostname ? \
(port->remote_hostname_resolv == +1 ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
@@ -484,14 +486,14 @@ ClientAuthentication(Port *port)
gai_strerror(port->remote_hostname_errcode)) : \
0))
- if (am_walsender)
+ if (am_walsender && !am_db_walsender)
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
/* translator: last %s describes encryption state */
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
hostinfo, port->user_name,
encryption_state),
- HOSTNAME_LOOKUP_DETAIL(port)));
+ HOSTNAME_LOOKUP_DETAIL_LOG(port)));
else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
@@ -500,7 +502,9 @@ ClientAuthentication(Port *port)
hostinfo, port->user_name,
port->database_name,
encryption_state),
- HOSTNAME_LOOKUP_DETAIL(port)));
+ am_db_walsender ?
+ errdetail("Logical replication connections do not match pg_hba.conf rules using the \"replication\" keyword.") : 0,
+ HOSTNAME_LOOKUP_DETAIL_LOG(port)));
break;
}