problems with DIGEST-MD5 mechanism in postfix

Matthias Leopold matthias at aic.at
Mon Feb 17 16:05:52 EST 2014


hi,

i'm having trouble with switching our postfix servers from dovecot SASL 
to cyrus SASL for SMTP-AUTH. i'm using "auxprop_plugin: sql" with 
"sql_engine: pgsql". the username for authentication is the full email 
address: user at domain.tld. the "sql_select" query uses the '%r' macro 
like this:

and LOWER(a.name) = '%u' and a.domain = '%r'

this works for all clients, except for those who force DIGEST-MD5 
mechanism (MS outlook 2013 with "SPA"). DIGEST-MD5 works with dovecot. 
with cyrus i get log messages like

warning: SASL authentication failure: realm changed: authentication aborted
warning: host[x.x.x.x]: SASL DIGEST-MD5 authentication failed: authentication failure

when i turn on debugging in smtpd i see this

xsasl_cyrus_server_auth_response: uncoded server challenge: nonce="xxx",realm="fqdn.of.mailserver",qop="auth",charset=utf-8,algorithm=md5-sess

xsasl_cyrus_server_next: decoded response: username="user",realm="domain.tld",nonce="xxx",digest-uri="smtp/fqdn.of.mailserver",cnonce="yyy",nc=00000001,response=zzz,qop=auth,charset=utf-8

so the realm really changes(?). why is this? how can i change this? of 
course i'm not an expert on cyrus sasl and i hope this is the right 
mailing list

my setup:

main.cf:

smtpd_sasl_type = cyrus
cyrus_sasl_config_path = /etc/postfix/sasl
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =

smtpd.conf

mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

OS: 			debian 6

libsasl2-2		2.1.23.dfsg1-7
libsasl2-modules	2.1.23.dfsg1-7
libsasl2-modules-sql	2.1.23.dfsg1-7
postfix			2.7.1-1+squeeze1

thx 4 help
matthias
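
Added example (not part of the original post, and not Postfix or Cyrus SASL code): a small Python diagnostic that parses the DIGEST-MD5 directive lists from smtpd debug lines like the two quoted above and reports any response whose realm was not offered in the preceding challenge, which is the situation the "realm changed" warning points at. The function names are hypothetical, the sample lines are constructed from the debug output in the post, and the exact, case-sensitive realm comparison is an assumption.

```python
import re

# One directive is key=value; the value is a quoted string (with backslash
# escapes) or a bare token, as in the RFC 2831 challenge/response grammar.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,"\s]*))\s*(?:,|$)')
_CHALLENGE = re.compile(r'uncoded server challenge:\s*(.+)')
_RESPONSE = re.compile(r'decoded response:\s*(.+)')

def parse_directives(text):
    """Parse a DIGEST-MD5 directive list into {name: [values]}.
    Values are lists because a challenge may carry several realm directives."""
    out, pos = {}, 0
    while pos < len(text):
        m = _DIRECTIVE.match(text, pos)
        if not m:
            raise ValueError(f"malformed directive list at offset {pos}")
        quoted, bare = m.group(2), m.group(3)
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare
        out.setdefault(m.group(1).lower(), []).append(value)
        pos = m.end()
    return out

def realm_mismatches(log_lines):
    """Return (username, response_realm, offered_realms) for each mismatch."""
    offered, findings = [], []
    for line in log_lines:
        try:
            if (m := _CHALLENGE.search(line)):
                offered = parse_directives(m.group(1).strip()).get("realm", [])
            elif (m := _RESPONSE.search(line)):
                resp = parse_directives(m.group(1).strip())
                realm = resp.get("realm", [""])[0]
                # Assumption: exact, case-sensitive comparison of realm strings.
                if offered and realm not in offered:
                    findings.append((resp.get("username", [""])[0], realm, offered))
        except ValueError:
            continue  # other mechanisms log payloads that are not directive lists
    return findings

# Constructed sample: the two debug lines from the post, each on one line.
SAMPLE = [
    'xsasl_cyrus_server_auth_response: uncoded server challenge: nonce="xxx",realm="fqdn.of.mailserver",qop="auth",charset=utf-8,algorithm=md5-sess',
    'xsasl_cyrus_server_next: decoded response: username="user",realm="domain.tld",nonce="xxx",digest-uri="smtp/fqdn.of.mailserver",cnonce="yyy",nc=00000001,response=zzz,qop=auth,charset=utf-8',
]

if __name__ == "__main__":
    for user, realm, offered in realm_mismatches(SAMPLE):
        print(f"user={user!r} answered with realm={realm!r}; server offered {offered}")
```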

