[Dovecot] Dovecot SASL: SCRAM-SHA-1 Authentication Fails
Dear all,
I use Dovecot SASL (2.1.15) on Ubuntu 12.04 for IMAP authentication and Postfix SASL authentication. I tried to setup SCRAM-SHA-1 as SASL mechanism. This works well on Dovecot's client side towards my OpenLDAP server (with libsasl-2), but fails on the server side (IMAP and SMTP). In the following, there's an extract from Dovecot's log, when using mutt as SMTP client:
dovecot: auth: Debug: auth client connected (pid=0) dovecot: auth: Debug: client in: AUTH#0111#011 SCRAM-SHA-1#011 service=smtp#011 nologin#011 lip=192.168.0.65#011 rip=192.168.0.65#011 secured#011 resp=<hidden> dovecot: auth: scram-sha-1(?,192.168.0.65): authzid not supported dovecot: auth: Debug: client passdb out: FAIL#0111 postfix/smtpd[7621]: warning: markaurel.gas.de[192.168.0.65]: SASL SCRAM-SHA-1 authentication failed
Here's the log, when using mutt as IMAP client: dovecot: auth: Debug: auth client connected (pid=23409) dovecot: auth: Debug: client in: AUTH#0111#011 SCRAM-SHA-1#011 service=imap#011 secured#011 session=<session ID>#011 lip=192.168.0.65#011 rip=192.168.0.65#011 lport=143#011 rport=36543#011 resp=<hidden> auth: scram-sha-1(?,192.168.0.65,<session ID>): authzid not supported auth: Debug: client passdb out: FAIL#0111
In the following is mutt's output: imap_authenticate: Trying method scram-sha-1 SASL local ip: 192.168.0.65;36543, remote ip:192.168.0.65;143 External SSF: 128 External authentication name: myname mutt_sasl_cb_authname: getting authname for mail.mydomain.local:143 mutt_sasl_cb_authname: getting user for mail.gas.de:143 mutt_sasl_cb_pass: getting password for myname@mail.mydomain.local:143 Authentifiziere (SCRAM-SHA-1)... 4> a0002 AUTHENTICATE SCRAM-SHA-1 <uuencoded string> 4< a0002 NO [AUTHENTICATIONFAILED] Authentication failed. IMAP queue drained imap_auth_sasl: scram-sha-1 failed
I've configured mutt, so that it immediately retries the SASL authentication using DIGEST-MD5. This 2nd try is succesful and mutt gets access to the imap/smtp service.
Any hints, what's going wrong here?
Output of dovecot -n: # 2.1.15 (e33fe1a7bb89): /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-37-generic x86_64 Ubuntu 12.04.2 LTS auth_debug = yes auth_mechanisms = scram-sha-1 digest-md5 plain login auth_verbose = yes base_dir = /var/run/dovecot/ log_timestamp = "%Y-%m-%d %H:%M:%S " mail_gid = vmail mail_location = mdbox:~/mdbox mail_privileged_group = mail mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = separator = . } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } postmaster_address = postmaster@localhost protocols = imap lmtp quota_full_tempfail = yes service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { group = vmail user = vmail } } service imap-login { inet_listener imap { address = 192.168.0.65 port = 143 } inet_listener imaps { address = 192.168.0.65 port = 993 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0660 user = postfix } } ssl_cert = </etc/ssl/certs/dovecot.pem ssl_key = </etc/ssl/private/dovecot.pem userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocol imap { mail_max_userip_connections = 10 mail_plugins = " mail_log notify" }
On 26.2.2013, at 1.55, Thomas Reim <reimth@gmail.com> wrote:
I use Dovecot SASL (2.1.15) on Ubuntu 12.04 for IMAP authentication and Postfix SASL authentication. I tried to setup SCRAM-SHA-1 as SASL mechanism. This works well on Dovecot's client side towards my OpenLDAP server (with libsasl-2), but fails on the server side (IMAP and SMTP). In the following, there's an extract from Dovecot's log, when using mutt as SMTP client:
dovecot: auth: scram-sha-1(?,192.168.0.65): authzid not supported
I guess mutt sets the authzid to the same as username. This is arguably a bug in mutt (or cyrus-sasl or whatever SASL library it's using?) because SCRAM-SHA1 RFC discourages doing it, but then again there's really no reason why Dovecot couldn't also support it. This should help: http://hg.dovecot.org/dovecot-2.1/rev/0af0def22533
participants (2)
-
Thomas Reim
-
Timo Sirainen