Re: Need help in understanding auth digest-md5 and realm

On October 27, 2017 at 6:00 PM Admin Beckspaced admin@beckspaced.com wrote:

Hello dovecot community,

I've setup dovecot and need a bit help in understanding the auth mechanism digest-md5 and realm

in 10-auth.conf I got

auth_mechanisms = plain login digest-md5 cram-md5 apop #auth_realms = #auth_default_realm =

So i got empty realms.

Auth normally works fine and clients can auth with mechanism digest-md5 and I see the following log entries:

dovecot: auth: Debug: sql(user@temizbau.de,46.85.229.153,<klUjO3FcTy8uVeWZ>): Generating DIGEST-MD5 from user 'user@temizbau.de', password 'xxxx' dovecot: auth: Debug: sql(user@gruene-wiesentheid.de,87.168.26.5,): Generating DIGEST-MD5 from user 'user@gruene-wiesentheid.de@', password 'xxxxxxxxxx' dovecot: auth: Debug: sql(user@vitaler-genuss.de,81.209.203.170,<tzxyT3FcT9RR0cuq>): Generating DIGEST-MD5 from user 'user@vitaler-genuss.de', password 'xxxxxxxxxxx'

But sometimes clients get a password mismatch and I the see the following log entries:

dovecot: auth: Debug: sql(user@temizbau.de,80.187.103.15,<adzhAnVclmxQu2cP>): Generating DIGEST-MD5 from user 'user@temizbau.de@mail.beckspaced.com', password 'xxxx' dovecot: auth: Debug: sql(user@thansadet.com,87.218.86.165,<LWItYHVc6r1X2lal>): Generating DIGEST-MD5 from user 'user@thansadet.com@mail.beckspaced.com', password 'xxxxxxxxxx' dovecot: auth: Debug: sql(user@plaa-thansadetresort.com,110.164.127.146,): Generating DIGEST-MD5 from user 'user@plaa-thansadetresort.com@imap.beckspaced.com', password 'xxxxxxxxxx'

when there's a password mismatch I see a different user string for generating the digest-md5 hash. i suppose users use a different mail client and the mail client does things differently?

How can I fix this password mismatch thing?

Do i just need to set an auth_realms of some random string in the 10-auth.conifig Or does the auth_realms need to be a host name? Domain name of some sort?

For the moment I just removed the digest-md5 mechanism ... Or could I just simply not offer that mechanism?

If someone could shed some light on this I would be more than grateful ;)

Thanks & greetings Becki

We actually discovered that Android has a bug with DIGEST-MD5, which Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc are not really good idea with SSL anyways.

Aki