problems with DIGEST-MD5 mechanism in postfix
Matthias Leopold
matthias at aic.at
Mon Feb 17 16:05:52 EST 2014
hi,
i'm having trouble with switching our postfix servers from dovecot SASL
to cyrus SASL for SMTP-AUTH. i'm using "auxprop_plugin: sql" with
"sql_engine: pgsql". the username for authentication is the full email
address: user@domain.tld. the "sql_select" query uses the '%r' macro
like this:
and LOWER(a.name) = '%u' and a.domain = '%r'
this works for all clients, except for those who force DIGEST-MD5
mechanism (MS outlook 2013 with "SPA"). DIGEST-MD5 works with dovecot.
with cyrus i get log messages like
warning: SASL authentication failure: realm changed: authentication aborted
warning: host[x.x.x.x]: SASL DIGEST-MD5 authentication failed: authentication failure
when i turn on debugging in smtpd i see this
xsasl_cyrus_server_auth_response: uncoded server challenge:
nonce="xxx",realm="fqdn.of.mailserver",qop="auth",charset=utf-8,algorithm=md5-sess
xsasl_cyrus_server_next: decoded response:
username="user",realm="domain.tld",nonce="xxx",digest-uri="smtp/fqdn.of.mailserver",cnonce="yyy",nc=00000001,response=zzz,qop=auth,charset=utf-8
so the realm really changes(?). why is this? how can i change this? of
course i'm not an expert on cyrus sasl and i hope this is the right
mailing list
my setup:
main.cf:
smtpd_sasl_type = cyrus
cyrus_sasl_config_path = /etc/postfix/sasl
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =
smtpd.conf:
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
OS: debian 6
libsasl2-2 2.1.23.dfsg1-7
libsasl2-modules 2.1.23.dfsg1-7
libsasl2-modules-sql 2.1.23.dfsg1-7
postfix 2.7.1-1+squeeze1
thx 4 help
matthias
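
Added example (not part of the original post, and not Postfix or Cyrus SASL code): a small Python parser for the DIGEST-MD5 directive lists in the two debug lines above, which checks whether the realm in the client's response is one of the realms the server offered in its challenge. The function names are hypothetical, and the sample strings reuse the post's own placeholder values.

```python
import re

# Constructed sample input: the two debug lines from the post, placeholders as posted.
CHALLENGE = ('nonce="xxx",realm="fqdn.of.mailserver",qop="auth",'
             'charset=utf-8,algorithm=md5-sess')
RESPONSE = ('username="user",realm="domain.tld",nonce="xxx",'
            'digest-uri="smtp/fqdn.of.mailserver",cnonce="yyy",nc=00000001,'
            'response=zzz,qop=auth,charset=utf-8')

# One directive: name = "quoted string with \-escapes" or a bare token,
# followed by a comma or end of input.
DIRECTIVE = re.compile(
    r'\s*([A-Za-z-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\s]*))\s*(?:,|$)')


def parse_directives(text):
    """Return (name, value) pairs in order; a list, because realm may repeat."""
    pairs, pos = [], 0
    while pos < len(text):
        m = DIRECTIVE.match(text, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}")
        quoted, bare = m.group(2), m.group(3)
        if quoted is not None:
            value = re.sub(r'\\(.)', r'\1', quoted)  # undo quoted-pair escapes
        else:
            value = bare
        pairs.append((m.group(1).lower(), value))
        pos = m.end()
    return pairs


def realm_check(challenge, response):
    """Compare the response realm against the realm(s) offered in the challenge."""
    offered = [v for k, v in parse_directives(challenge) if k == "realm"]
    resp = dict(parse_directives(response))
    sent = resp.get("realm")
    return {
        "offered_realms": offered,
        "response_realm": sent,
        "username": resp.get("username"),
        # With no realm offered, the client is free to choose one.
        "realm_matches": (sent in offered) if offered else True,
    }


if __name__ == "__main__":
    print(realm_check(CHALLENGE, RESPONSE))
```

On the post's values this reports the offered realm "fqdn.of.mailserver" against the response realm "domain.tld" with username "user", which is the mismatch the "realm changed" warning refers to.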