problems with DIGEST-MD5 mechanism in postfix
Dan White
dwhite at olp.net
Wed Feb 19 09:44:39 EST 2014
On 02/17/14 22:05 +0100, Matthias Leopold wrote:
>i'm having trouble with switching our postfix servers from dovecot
>SASL to cyrus SASL for SMTP-AUTH. i'm using "auxprop_plugin: sql"
>with "sql_engine: pgsql". the username for authentication is the full
>email address: user at domain.tld. the "sql_select" query uses the '%r'
>macro like this:
>
>and LOWER(a.name) = '%u' and a.domain = '%r'
>
>this works for all clients, except for those who force DIGEST-MD5
>mechanism (MS outlook 2013 with "SPA"). DIGEST-MD5 works with
>dovecot. with cyrus i get log messages like
>
>warning: SASL authentication failure: realm changed: authentication aborted
>warning: host[x.x.x.x]: SASL DIGEST-MD5 authentication failed:
>authentication failure
>
>when i turn on debugging in smtpd i see this
>
>xsasl_cyrus_server_auth_response: uncoded server challenge: nonce="xxx",realm="fqdn.of.mailserver",qop="auth",charset=utf-8,algorithm=md5-sess
>
>xsasl_cyrus_server_next: decoded response: username="user",realm="domain.tld",nonce="xxx",digest-uri="smtp/fqdn.of.mailserver",cnonce="yyy",nc=00000001,response=zzz,qop=auth,charset=utf-8
>
>so the realm really changes(?). why is this? how can i change this?
>of course i'm not an expert on cyrus sasl and i hope this is the
>right mailing list

I can't explain the postfix output, but cyrus sasl should default to using
your local hostname when calculating the realm challenge. Make sure the
output of 'hostname -f' on the server matches the hostname the client is
using to connect to the server.

You can increase cyrus sasl logging with this in your smtpd.conf:

log_level: 7

and then configure your syslog daemon to log auth.*, which may provide
additional details about the authentication failure.

>my setup:
>
>main.cf:
>
>smtpd_sasl_type = cyrus
>cyrus_sasl_config_path = /etc/postfix/sasl
>smtpd_sasl_path = smtpd
>smtpd_sasl_local_domain =
>
>smtpd.conf
>
>mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>
>OS: debian 6
>
>libsasl2-2 2.1.23.dfsg1-7
>libsasl2-modules 2.1.23.dfsg1-7
>libsasl2-modules-sql 2.1.23.dfsg1-7
>postfix 2.7.1-1+squeeze1
>
>thx 4 help
>matthias
>
--
Dan White
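
Added example (not part of the original message, and not Postfix or Cyrus SASL code): a Python check that parses the two smtpd debug lines quoted in the thread and compares the realm offered in the server challenge with the realm and digest-uri host in the client's response. The function and constant names are hypothetical; the sample lines are the ones quoted above.

```python
import re

# Sample input: the two smtpd debug lines quoted in the thread (values are the
# poster's placeholders).
CHALLENGE = ('xsasl_cyrus_server_auth_response: uncoded server challenge: '
             'nonce="xxx",realm="fqdn.of.mailserver",qop="auth",'
             'charset=utf-8,algorithm=md5-sess')
RESPONSE = ('xsasl_cyrus_server_next: decoded response: username="user",'
            'realm="domain.tld",nonce="xxx",'
            'digest-uri="smtp/fqdn.of.mailserver",cnonce="yyy",'
            'nc=00000001,response=zzz,qop=auth,charset=utf-8')

# One directive: name=token or name="quoted string" with backslash escapes.
DIRECTIVE = re.compile(r'([A-Za-z][\w-]*)=(?:"((?:[^"\\]|\\.)*)"|([^,\s]*))')
MARKER = re.compile(r'(?:server challenge|decoded response): ')


def parse_directives(line):
    """Return {name: [values]} for the directive list in one debug line."""
    found = MARKER.search(line)
    payload = line[found.end():] if found else line
    result = {}
    for name, quoted, token in DIRECTIVE.findall(payload):
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted else token
        result.setdefault(name.lower(), []).append(value)
    return result


def check_realm(challenge_line, response_line):
    """Compare realm(s) offered by the server with what the client sent back."""
    offered = parse_directives(challenge_line).get('realm', [])
    response = parse_directives(response_line)
    returned = response.get('realm', [''])[0]
    # digest-uri is serv-type "/" host [ "/" serv-name ] (RFC 2831).
    uri_parts = response.get('digest-uri', [''])[0].split('/')
    uri_host = uri_parts[1] if len(uri_parts) > 1 else ''
    return {
        'offered': offered,
        'returned': returned,
        # Exact string comparison; a challenge may carry several realms.
        'realm_ok': not offered or returned in offered,
        'uri_host': uri_host,
        'host_matches_realm': uri_host in offered,
    }


if __name__ == '__main__':
    for key, value in check_realm(CHALLENGE, RESPONSE).items():
        print(f'{key}: {value}')
```

On the lines from the thread, the digest-uri host equals the offered realm while the returned realm does not, so `realm_ok` is False and `host_matches_realm` is True.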