Need help in understanding auth digest-md5 and realm
Hello dovecot community,
I've set up dovecot and need a bit of help in understanding the auth mechanism digest-md5 and realm.
In 10-auth.conf I got:
auth_mechanisms = plain login digest-md5 cram-md5 apop
#auth_realms =
#auth_default_realm =
So I got empty realms.
Auth normally works fine and clients can auth with mechanism digest-md5 and I see the following log entries:
dovecot: auth: Debug: sql(user@temizbau.de,46.85.229.153,<klUjO3FcTy8uVeWZ>): Generating DIGEST-MD5 from user 'user@temizbau.de', password 'xxxx'
dovecot: auth: Debug: sql(user@gruene-wiesentheid.de,87.168.26.5,<ISVLQXFcT/xXqBoF>): Generating DIGEST-MD5 from user 'user@gruene-wiesentheid.de@', password 'xxxxxxxxxx'
dovecot: auth: Debug: sql(user@vitaler-genuss.de,81.209.203.170,<tzxyT3FcT9RR0cuq>): Generating DIGEST-MD5 from user 'user@vitaler-genuss.de', password 'xxxxxxxxxxx'
But sometimes clients get a password mismatch and I then see the following log entries:
dovecot: auth: Debug: sql(user@temizbau.de,80.187.103.15,<adzhAnVclmxQu2cP>): Generating DIGEST-MD5 from user 'user@temizbau.de@mail.beckspaced.com', password 'xxxx'
dovecot: auth: Debug: sql(user@thansadet.com,87.218.86.165,<LWItYHVc6r1X2lal>): Generating DIGEST-MD5 from user 'user@thansadet.com@mail.beckspaced.com', password 'xxxxxxxxxx'
dovecot: auth: Debug: sql(user@plaa-thansadetresort.com,110.164.127.146,<aGhcvHBcStJupH+S>): Generating DIGEST-MD5 from user 'user@plaa-thansadetresort.com@imap.beckspaced.com', password 'xxxxxxxxxx'
When there's a password mismatch I see a different user string for generating the digest-md5 hash. I suppose users use a different mail client and the mail client does things differently?
How can I fix this password mismatch thing?
Do I just need to set an auth_realms of some random string in the 10-auth.conf? Or does the auth_realms need to be a host name? Domain name of some sort?
For the moment I just removed the digest-md5 mechanism ... Or could I just simply not offer that mechanism?
If someone could shed some light on this I would be more than grateful ;)
Thanks & greetings Becki
On 28.10.2017 at 08:30, Admin Beckspaced wrote:
Those methods encrypt the password itself which was a good thing back in the days when most connections were unencrypted. The disadvantage is that they require the password to be saved in cleartext.
If you can enforce an encrypted connection it is better to use PLAIN/LOGIN and save the passwords as hashes (preferably with salts).
-- Alex JOST
The issue is https://issuetracker.google.com/issues/36996387, and exactly what happens is a bit unknown. From our point of view, Android sends all other values correctly except the final hash when using digest-md5.
Aki
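An added illustration, not part of the thread and not Dovecot's own code: under RFC 2831 the realm is hashed together with the username and password, so two sides that agree on the password but not on the realm compute different responses, which is reported as a password mismatch. Splitting the logged user string at the last '@', the helper names and all sample values are assumptions constructed for this example.

```python
import hashlib


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def split_logged_user(logged: str):
    """Assumption: the string logged after "Generating DIGEST-MD5 from user"
    is split at the LAST '@' into (username, realm); no '@' means empty realm."""
    if "@" not in logged:
        return logged, ""
    user, _, realm = logged.rpartition("@")
    return user, realm


def digest_response(username, realm, password, nonce, cnonce,
                    nc="00000001", qop="auth",
                    digest_uri="imap/mail.example.net"):
    """RFC 2831 response-value for qop=auth, no authzid."""
    # Inner secret: H(username ":" realm ":" password). The realm is part of it.
    secret = md5(f"{username}:{realm}:{password}".encode())
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode()).hex()   # HEX(H(A1))
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()    # HEX(H(A2))
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()


def responses_match(logged_a, logged_b, password,
                    nonce="constructed-nonce", cnonce="constructed-cnonce"):
    """Same password and nonces; only the (username, realm) split may differ."""
    ra = digest_response(*split_logged_user(logged_a), password, nonce, cnonce)
    rb = digest_response(*split_logged_user(logged_b), password, nonce, cnonce)
    return ra == rb


if __name__ == "__main__":
    # Constructed sample strings modelled on the two log patterns in the thread.
    plain = "user@example.org"
    with_host = "user@example.org@mail.example.net"
    for logged in (plain, with_host):
        print(logged, "->", split_logged_user(logged))
    print("same string matches:", responses_match(plain, plain, "s3cret"))
    print("host appended as realm matches:",
          responses_match(plain, with_host, "s3cret"))
```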