[Dovecot] Dovecot SASL: SCRAM-SHA-1 Authentication Fails

Tue Feb 26 01:55:28 EET 2013

Dear all,

I use Dovecot SASL (2.1.15) on Ubuntu 12.04 for IMAP authentication and
Postfix SASL authentication. I tried to setup SCRAM-SHA-1 as SASL
mechanism. This works well on Dovecot's client side towards my OpenLDAP
server (with libsasl-2), but fails on the server side (IMAP and SMTP).
In the following, there's an extract from Dovecot's log, when using mutt
as SMTP client:

dovecot: auth: Debug: auth client connected (pid=0)
dovecot: auth: Debug: client in: 
AUTH#0111#011
SCRAM-SHA-1#011
service=smtp#011
nologin#011
lip=192.168.0.65#011
rip=192.168.0.65#011
secured#011
resp=<hidden>
dovecot: auth: scram-sha-1(?,192.168.0.65): authzid not supported
dovecot: auth: Debug: client passdb out: FAIL#0111
postfix/smtpd[7621]: warning: markaurel.gas.de[192.168.0.65]: SASL
SCRAM-SHA-1 authentication failed

Here's the log, when using mutt as IMAP client:
dovecot: auth: Debug: auth client connected (pid=23409)
dovecot: auth: Debug: client in: 
AUTH#0111#011
SCRAM-SHA-1#011
service=imap#011
secured#011
session=<session ID>#011
lip=192.168.0.65#011
rip=192.168.0.65#011
lport=143#011
rport=36543#011
resp=<hidden>
auth: scram-sha-1(?,192.168.0.65,<session ID>): authzid not supported
auth: Debug: client passdb out: FAIL#0111

In the following is mutt's output:
imap_authenticate: Trying method scram-sha-1
SASL local ip: 192.168.0.65;36543, remote ip:192.168.0.65;143
External SSF: 128
External authentication name: myname
mutt_sasl_cb_authname: getting authname for mail.mydomain.local:143
mutt_sasl_cb_authname: getting user for mail.gas.de:143
mutt_sasl_cb_pass: getting password for myname at mail.mydomain.local:143
Authentifiziere (SCRAM-SHA-1)...
4> a0002 AUTHENTICATE SCRAM-SHA-1 <uuencoded string>
4< a0002 NO [AUTHENTICATIONFAILED] Authentication failed.
IMAP queue drained
imap_auth_sasl: scram-sha-1 failed

I've configured mutt, so that it immediately retries the SASL
authentication using DIGEST-MD5. This 2nd try is succesful and mutt gets
access to the imap/smtp service.

Any hints, what's going wrong here?

Output of dovecot -n:
# 2.1.15 (e33fe1a7bb89): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-37-generic x86_64 Ubuntu 12.04.2 LTS 
auth_debug = yes
auth_mechanisms = scram-sha-1 digest-md5 plain login
auth_verbose = yes
base_dir = /var/run/dovecot/
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_gid = vmail
mail_location = mdbox:~/mdbox
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster at localhost
protocols = imap lmtp
quota_full_tempfail = yes
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    address = 192.168.0.65
    port = 143
  }
  inet_listener imaps {
    address = 192.168.0.65
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol imap {
  mail_max_userip_connections = 10
  mail_plugins = " mail_log notify"
}