Need help in understanding auth digest-md5 and realm
Aki Tuomi
aki.tuomi at dovecot.fi
Fri Oct 27 21:35:16 EEST 2017
> On October 27, 2017 at 6:00 PM Admin Beckspaced <admin at beckspaced.com> wrote:
>
>
> Hello dovecot community,
>
> I've set up dovecot and need a bit of help in understanding the auth
> mechanism digest-md5 and realm
>
> In 10-auth.conf I got
>
> auth_mechanisms = plain login digest-md5 cram-md5 apop
> #auth_realms =
> #auth_default_realm =
>
> So I got empty realms.
>
> Auth normally works fine and clients can auth with mechanism digest-md5
> and I see the following log entries:
>
> dovecot: auth: Debug:
> sql(user at temizbau.de,46.85.229.153,<klUjO3FcTy8uVeWZ>): Generating
> DIGEST-MD5 from user 'user at temizbau.de', password 'xxxx'
> dovecot: auth: Debug:
> sql(user at gruene-wiesentheid.de,87.168.26.5,<ISVLQXFcT/xXqBoF>):
> Generating DIGEST-MD5 from user 'user at gruene-wiesentheid.de@', password
> 'xxxxxxxxxx'
> dovecot: auth: Debug:
> sql(user at vitaler-genuss.de,81.209.203.170,<tzxyT3FcT9RR0cuq>):
> Generating DIGEST-MD5 from user 'user at vitaler-genuss.de', password
> 'xxxxxxxxxxx'
>
> But sometimes clients get a password mismatch and I then see the
> following log entries:
>
> dovecot: auth: Debug:
> sql(user at temizbau.de,80.187.103.15,<adzhAnVclmxQu2cP>): Generating
> DIGEST-MD5 from user 'user at temizbau.de@mail.beckspaced.com', password 'xxxx'
> dovecot: auth: Debug:
> sql(user at thansadet.com,87.218.86.165,<LWItYHVc6r1X2lal>): Generating
> DIGEST-MD5 from user 'user at thansadet.com@mail.beckspaced.com', password
> 'xxxxxxxxxx'
> dovecot: auth: Debug:
> sql(user at plaa-thansadetresort.com,110.164.127.146,<aGhcvHBcStJupH+S>):
> Generating DIGEST-MD5 from user
> 'user at plaa-thansadetresort.com@imap.beckspaced.com', password 'xxxxxxxxxx'
>
> When there's a password mismatch I see a different user string for
> generating the digest-md5 hash.
> I suppose users use a different mail client and the mail client does
> things differently?
>
> How can I fix this password mismatch thing?
>
> Do I just need to set an auth_realms of some random string in the
> 10-auth.config
> Or does the auth_realms need to be a host name? Domain name of some sort?
>
> For the moment I just removed the digest-md5 mechanism ...
> Or could I just simply not offer that mechanism?
>
> If someone could shed some light on this I would be more than grateful ;)
>
> Thanks & greetings
> Becki

We actually discovered that Android has a bug with DIGEST-MD5, which Google refuses to fix. Also, DIGEST-MD5/CRAM-MD5 etc. are not really a good idea with SSL anyway.
Aki
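
The comparison made by eye in the quoted logs, between the login name inside `sql(...)` and the string after "Generating DIGEST-MD5 from user", can be scripted to see which source addresses send a realm. This is an added Python example, not part of the thread or of Dovecot; it assumes each debug entry sits on one line with a literal `@`, and the sample lines, addresses and function names are constructed.

```python
import re
from collections import Counter

# Auth debug entry in the shape quoted in the post (assumed to be unwrapped).
# The password field that follows is deliberately not captured.
ENTRY = re.compile(
    r"sql\((?P<login>[^,]+),(?P<ip>[^,]+),<[^>]*>\): "
    r"Generating DIGEST-MD5 from user '(?P<digest_user>[^']*)'"
)

def classify(login, digest_user):
    """Describe how the DIGEST-MD5 user string differs from the login name."""
    if digest_user == login:
        return "no-realm", ""
    if digest_user.startswith(login + "@"):
        realm = digest_user[len(login) + 1:]
        return ("realm-appended", realm) if realm else ("empty-realm", "")
    return "other", ""

def triage(lines):
    """Yield (login, ip, kind, realm) for each DIGEST-MD5 generation entry."""
    for line in lines:
        m = ENTRY.search(line)
        if m:
            kind, realm = classify(m["login"], m["digest_user"])
            yield m["login"], m["ip"], kind, realm

def realm_summary(lines):
    """Count how often each non-empty realm was appended by a client."""
    return Counter(r for _, _, kind, r in triage(lines) if kind == "realm-appended")

# Constructed sample lines modelled on the log format in the post.
PREFIX = "dovecot: auth: Debug: "
SAMPLE = [
    PREFIX + "sql(alice@example.org,192.0.2.10,<aaaa>): Generating DIGEST-MD5 "
             "from user 'alice@example.org', password 'xxxx'",
    PREFIX + "sql(bob@example.org,192.0.2.11,<bbbb>): Generating DIGEST-MD5 "
             "from user 'bob@example.org@', password 'xxxx'",
    PREFIX + "sql(alice@example.org,198.51.100.7,<cccc>): Generating DIGEST-MD5 "
             "from user 'alice@example.org@mail.example.net', password 'xxxx'",
    "dovecot: imap-login: Login: user=<alice@example.org>",  # unrelated line
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
    print(dict(realm_summary(SAMPLE)))
```

Grouping the `realm-appended` rows by source address or realm shows whether the mismatches come from one client population.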