[Dovecot] Dovecot SASL: SCRAM-SHA-1 Authentication Fails
Thomas Reim
reimth at gmail.com
Tue Feb 26 01:55:28 EET 2013
Dear all,
I use Dovecot SASL (2.1.15) on Ubuntu 12.04 for IMAP authentication and
Postfix SASL authentication. I tried to set up SCRAM-SHA-1 as SASL
mechanism. This works well on Dovecot's client side towards my OpenLDAP
server (with libsasl-2), but fails on the server side (IMAP and SMTP).
In the following, there's an extract from Dovecot's log, when using mutt
as SMTP client:
dovecot: auth: Debug: auth client connected (pid=0)
dovecot: auth: Debug: client in:
AUTH#0111#011
SCRAM-SHA-1#011
service=smtp#011
nologin#011
lip=192.168.0.65#011
rip=192.168.0.65#011
secured#011
resp=<hidden>
dovecot: auth: scram-sha-1(?,192.168.0.65): authzid not supported
dovecot: auth: Debug: client passdb out: FAIL#0111
postfix/smtpd[7621]: warning: markaurel.gas.de[192.168.0.65]: SASL
SCRAM-SHA-1 authentication failed
Here's the log, when using mutt as IMAP client:
dovecot: auth: Debug: auth client connected (pid=23409)
dovecot: auth: Debug: client in:
AUTH#0111#011
SCRAM-SHA-1#011
service=imap#011
secured#011
session=<session ID>#011
lip=192.168.0.65#011
rip=192.168.0.65#011
lport=143#011
rport=36543#011
resp=<hidden>
auth: scram-sha-1(?,192.168.0.65,<session ID>): authzid not supported
auth: Debug: client passdb out: FAIL#0111
In the following is mutt's output:
imap_authenticate: Trying method scram-sha-1
SASL local ip: 192.168.0.65;36543, remote ip:192.168.0.65;143
External SSF: 128
External authentication name: myname
mutt_sasl_cb_authname: getting authname for mail.mydomain.local:143
mutt_sasl_cb_authname: getting user for mail.gas.de:143
mutt_sasl_cb_pass: getting password for myname at mail.mydomain.local:143
Authentifiziere (SCRAM-SHA-1)...
4> a0002 AUTHENTICATE SCRAM-SHA-1 <uuencoded string>
4< a0002 NO [AUTHENTICATIONFAILED] Authentication failed.
IMAP queue drained
imap_auth_sasl: scram-sha-1 failed
I've configured mutt so that it immediately retries the SASL
authentication using DIGEST-MD5. This 2nd try is successful and mutt gets
access to the imap/smtp service.
Any hints, what's going wrong here?
Output of dovecot -n:
# 2.1.15 (e33fe1a7bb89): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-37-generic x86_64 Ubuntu 12.04.2 LTS
auth_debug = yes
auth_mechanisms = scram-sha-1 digest-md5 plain login
auth_verbose = yes
base_dir = /var/run/dovecot/
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_gid = vmail
mail_location = mdbox:~/mdbox
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster at localhost
protocols = imap lmtp
quota_full_tempfail = yes
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    address = 192.168.0.65
    port = 143
  }
  inet_listener imaps {
    address = 192.168.0.65
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol imap {
  mail_max_userip_connections = 10
  mail_plugins = " mail_log notify"
}
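
Added example, not part of the original post and not Dovecot or mutt code: in SCRAM (RFC 5802) the authorization identity (authzid) is the optional `a=` field in the GS2 header of the client-first message, which is the base64 initial response the logs above show as `resp=<hidden>`. The sketch below parses such a response so the field can be inspected; the two sample messages are constructed, and what the poster's client actually sent is not known from the page.

```python
import base64
import re

# RFC 5802 saslname: "," is sent as "=2C" and "=" as "=3D"; any other "=" is invalid.
BAD_ESCAPE = re.compile(r"=(?!2C|3D)")

def decode_saslname(value):
    if BAD_ESCAPE.search(value):
        raise ValueError("invalid saslname escape")
    return value.replace("=2C", ",").replace("=3D", "=")

def parse_client_first(b64_resp):
    """Split a base64 SCRAM client-first-message into its GS2 header and bare part."""
    msg = base64.b64decode(b64_resp, validate=True).decode("utf-8")
    parts = msg.split(",", 2)  # gs2-cbind-flag , [authzid] , client-first-message-bare
    if len(parts) != 3:
        raise ValueError("truncated GS2 header")
    cbind, authzid_field, bare = parts
    if cbind not in ("n", "y") and not cbind.startswith("p="):
        raise ValueError("bad channel-binding flag")
    if authzid_field == "":
        authzid = None  # no authorization identity requested
    elif authzid_field.startswith("a="):
        authzid = decode_saslname(authzid_field[2:])
    else:
        raise ValueError("bad authzid field")
    attrs = dict(field.split("=", 1) for field in bare.split(","))
    if "n" not in attrs or "r" not in attrs:
        raise ValueError("missing username or nonce")
    return {"cbind": cbind, "authzid": authzid,
            "authcid": decode_saslname(attrs["n"]), "nonce": attrs["r"]}

def encode_sample(text):
    """Helper for the constructed samples: base64-encode a message string."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

# Constructed samples; the user name is the placeholder from the mutt output above.
WITH_AUTHZID = encode_sample("n,a=myname,n=myname,r=constructedNonce01")
WITHOUT_AUTHZID = encode_sample("n,,n=myname,r=constructedNonce01")

if __name__ == "__main__":
    for label, resp in (("with authzid", WITH_AUTHZID), ("without", WITHOUT_AUTHZID)):
        print(label, parse_client_first(resp))
```

A server that does not implement authorization identities can only accept the second form, where the field between the two commas is empty.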