Re: problems with DIGEST-MD5 mechanism in postfix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 02/17/14 22:05 +0100, Matthias Leopold wrote:
i'm having trouble with switching our postfix servers from dovecot SASL to cyrus SASL for SMTP-AUTH. i'm using "auxprop_plugin: sql" with "sql_engine: pgsql". the username for authentication is the full email address: user@xxxxxxxxxx. the "sql_select" query uses the '%r' macro like this: 

and LOWER(a.name) = '%u' and a.domain = '%r'
this works for all clients, except for those who force DIGEST-MD5 mechanism (MS outlook 2013 with "SPA"). DIGEST-MD5 works with dovecot. with cyrus i get log messages like 

warning: SASL authentication failure: realm changed: authentication aborted
warning: host[x.x.x.x]: SASL DIGEST-MD5 authentication failed: authentication failure 

when i turn on debugging in smtpd i see this

xsasl_cyrus_server_auth_response: uncoded server challenge: nonce="xxx",realm="fqdn.of.mailserver",qop="auth",charset=utf-8,algorithm=md5-sess

xsasl_cyrus_server_next: decoded response: username="user",realm="domain.tld",nonce="xxx",digest-uri="smtp/fqdn.of.mailserver",cnonce="yyy",nc=00000001,response=zzz,qop=auth,charset=utf-8
so the realm really changes(?). why is this? how can i change this? of course i'm not an expert on cyrus sasl and i hope this is the right mailing list 

I can't explain the postfix output, but cyrus sasl should default to using
your local hostname when calculating the realm challenge. Make sure the
output of 'hostname -f' on the server matches the hostname the client is
using to connect to the server.

You can increase cyrus sasl logging with this in your smtpd.conf:

log_level: 7

and then configure your syslog daemon to log auth.*, which may provide
additional details about the authentication failure.


my setup:

main.cf:

smtpd_sasl_type = cyrus
cyrus_sasl_config_path = /etc/postfix/sasl
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =

smtpd.conf

mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

OS: 			debian 6

libsasl2-2		2.1.23.dfsg1-7
libsasl2-modules	2.1.23.dfsg1-7
libsasl2-modules-sql	2.1.23.dfsg1-7
postfix			2.7.1-1+squeeze1

thx 4 help
matthias



--
Dan White
[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux