problems with DIGEST-MD5 mechanism in postfix

Dan White dwhite at olp.net
Wed Feb 19 09:44:39 EST 2014 

On 02/17/14 22:05 +0100, Matthias Leopold wrote:
>i'm having trouble with switching our postfix servers from dovecot 
>SASL to cyrus SASL for SMTP-AUTH. i'm using "auxprop_plugin: sql" 
>with "sql_engine: pgsql". the username for authentication is the full 
>email address: user at domain.tld. the "sql_select" query uses the '%r' 
>macro like this:
>
>and LOWER(a.name) = '%u' and a.domain = '%r'
>
>this works for all clients, except for those who force DIGEST-MD5 
>mechanism (MS outlook 2013 with "SPA"). DIGEST-MD5 works with 
>dovecot. with cyrus i get log messages like
>
>warning: SASL authentication failure: realm changed: authentication aborted
>warning: host[x.x.x.x]: SASL DIGEST-MD5 authentication failed: 
>authentication failure
>
>when i turn on debugging in smtpd i see this
>
>xsasl_cyrus_server_auth_response: uncoded server challenge: nonce="xxx",realm="fqdn.of.mailserver",qop="auth",charset=utf-8,algorithm=md5-sess
>
>xsasl_cyrus_server_next: decoded response: username="user",realm="domain.tld",nonce="xxx",digest-uri="smtp/fqdn.of.mailserver",cnonce="yyy",nc=00000001,response=zzz,qop=auth,charset=utf-8
>
>so the realm really changes(?). why is this? how can i change this? 
>of course i'm not an expert on cyrus sasl and i hope this is the 
>right mailing list

I can't explain the postfix output, but cyrus sasl should default to using
your local hostname when calculating the realm challenge. Make sure the
output of 'hostname -f' on the server matches the hostname the client is
using to connect to the server.

You can increase cyrus sasl logging with this in your smtpd.conf:

log_level: 7

and then configure your syslog daemon to log auth.*, which may provide
additional details about the authentication failure.

>my setup:
>
>main.cf:
>
>smtpd_sasl_type = cyrus
>cyrus_sasl_config_path = /etc/postfix/sasl
>smtpd_sasl_path = smtpd
>smtpd_sasl_local_domain =
>
>smtpd.conf
>
>mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>
>OS: 			debian 6
>
>libsasl2-2		2.1.23.dfsg1-7
>libsasl2-modules	2.1.23.dfsg1-7
>libsasl2-modules-sql	2.1.23.dfsg1-7
>postfix			2.7.1-1+squeeze1
>
>thx 4 help
>matthias
>

-- 
Dan White

More information about the Cyrus-sasl mailing list