Admin Beckspaced
2017-Oct-27 15:00 UTC
Need help in understanding auth digest-md5 and realm
Hello dovecot community,

I've set up dovecot and need a bit of help in understanding the auth mechanism digest-md5 and realm.

In 10-auth.conf I got

auth_mechanisms = plain login digest-md5 cram-md5 apop
#auth_realms
#auth_default_realm

So I got empty realms.

Auth normally works fine and clients can auth with mechanism digest-md5 and I see the following log entries:

dovecot: auth: Debug: sql(user at temizbau.de,46.85.229.153,<klUjO3FcTy8uVeWZ>): Generating DIGEST-MD5 from user 'user at temizbau.de', password 'xxxx'
dovecot: auth: Debug: sql(user at gruene-wiesentheid.de,87.168.26.5,<ISVLQXFcT/xXqBoF>): Generating DIGEST-MD5 from user 'user at gruene-wiesentheid.de@', password 'xxxxxxxxxx'
dovecot: auth: Debug: sql(user at vitaler-genuss.de,81.209.203.170,<tzxyT3FcT9RR0cuq>): Generating DIGEST-MD5 from user 'user at vitaler-genuss.de', password 'xxxxxxxxxxx'

But sometimes clients get a password mismatch and I then see the following log entries:

dovecot: auth: Debug: sql(user at temizbau.de,80.187.103.15,<adzhAnVclmxQu2cP>): Generating DIGEST-MD5 from user 'user at temizbau.de@mail.beckspaced.com', password 'xxxx'
dovecot: auth: Debug: sql(user at thansadet.com,87.218.86.165,<LWItYHVc6r1X2lal>): Generating DIGEST-MD5 from user 'user at thansadet.com@mail.beckspaced.com', password 'xxxxxxxxxx'
dovecot: auth: Debug: sql(user at plaa-thansadetresort.com,110.164.127.146,<aGhcvHBcStJupH+S>): Generating DIGEST-MD5 from user 'user at plaa-thansadetresort.com@imap.beckspaced.com', password 'xxxxxxxxxx'

When there's a password mismatch I see a different user string for generating the digest-md5 hash.
I suppose users use a different mail client and the mail client does things differently?

How can I fix this password mismatch thing?

Do I just need to set an auth_realms of some random string in the 10-auth.config?
Or does the auth_realms need to be a host name? Domain name of some sort?

For the moment I just removed the digest-md5 mechanism ...
Or could I just simply not offer that mechanism?

If someone could shed some light on this I would be more than grateful ;)

Thanks & greetings
Becki
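
Added example (not part of the original post, and not Dovecot's code): why a realm that differs between client and server ends in a password mismatch even when the password is right. It follows the DIGEST-MD5 response computation from RFC 2831; the account name, password, realm and nonces are constructed stand-ins, and the server deriving its secret with an empty realm is an assumption.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def realm_secret(username: str, realm: str, password: str) -> bytes:
    # RFC 2831: H(username ":" realm ":" passwd). The realm is hashed in,
    # so the same password under another realm is a different secret.
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    # A1 starts with the raw 16-byte secret, not its hex form.
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd.encode("utf-8")).hex()

def server_accepts(server_secret: bytes, client_response: str, session: dict) -> bool:
    expected = digest_response(server_secret, **session)
    return hmac.compare_digest(expected, client_response)

# Constructed sample values (assumptions, not taken from the thread).
USER, PASSWORD = "user@example.org", "correct horse"
SESSION = {"nonce": "c2VydmVyLW5vbmNl", "cnonce": "Y2xpZW50LW5vbmNl",
           "nc": "00000001", "digest_uri": "imap/mail.example.org"}

def run_cases() -> dict:
    results = {}
    # Assumed server side: secret derived with an empty realm.
    server = realm_secret(USER, "", PASSWORD)
    for label, client_realm in [("empty realm", ""),
                                ("host name as realm", "mail.example.org")]:
        client = digest_response(realm_secret(USER, client_realm, PASSWORD), **SESSION)
        results[label] = server_accepts(server, client, SESSION)
    # Both sides agreeing on the non-empty realm works again.
    agreed = realm_secret(USER, "mail.example.org", PASSWORD)
    results["same realm both sides"] = server_accepts(
        agreed, digest_response(agreed, **SESSION), SESSION)
    return results

if __name__ == "__main__":
    for label, ok in run_cases().items():
        print(f"{label}: {'accepted' if ok else 'password mismatch'}")
```
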
> On October 27, 2017 at 6:00 PM Admin Beckspaced <admin at beckspaced.com> wrote:
>
> Hello dovecot community,
>
> I've set up dovecot and need a bit of help in understanding the auth mechanism digest-md5 and realm.
>
> In 10-auth.conf I got
>
> auth_mechanisms = plain login digest-md5 cram-md5 apop
> #auth_realms
> #auth_default_realm
>
> So I got empty realms.
>
> Auth normally works fine and clients can auth with mechanism digest-md5 and I see the following log entries:
>
> dovecot: auth: Debug: sql(user at temizbau.de,46.85.229.153,<klUjO3FcTy8uVeWZ>): Generating DIGEST-MD5 from user 'user at temizbau.de', password 'xxxx'
> dovecot: auth: Debug: sql(user at gruene-wiesentheid.de,87.168.26.5,<ISVLQXFcT/xXqBoF>): Generating DIGEST-MD5 from user 'user at gruene-wiesentheid.de@', password 'xxxxxxxxxx'
> dovecot: auth: Debug: sql(user at vitaler-genuss.de,81.209.203.170,<tzxyT3FcT9RR0cuq>): Generating DIGEST-MD5 from user 'user at vitaler-genuss.de', password 'xxxxxxxxxxx'
>
> But sometimes clients get a password mismatch and I then see the following log entries:
>
> dovecot: auth: Debug: sql(user at temizbau.de,80.187.103.15,<adzhAnVclmxQu2cP>): Generating DIGEST-MD5 from user 'user at temizbau.de@mail.beckspaced.com', password 'xxxx'
> dovecot: auth: Debug: sql(user at thansadet.com,87.218.86.165,<LWItYHVc6r1X2lal>): Generating DIGEST-MD5 from user 'user at thansadet.com@mail.beckspaced.com', password 'xxxxxxxxxx'
> dovecot: auth: Debug: sql(user at plaa-thansadetresort.com,110.164.127.146,<aGhcvHBcStJupH+S>): Generating DIGEST-MD5 from user 'user at plaa-thansadetresort.com@imap.beckspaced.com', password 'xxxxxxxxxx'
>
> When there's a password mismatch I see a different user string for generating the digest-md5 hash.
> I suppose users use a different mail client and the mail client does things differently?
>
> How can I fix this password mismatch thing?
>
> Do I just need to set an auth_realms of some random string in the 10-auth.config?
> Or does the auth_realms need to be a host name? Domain name of some sort?
>
> For the moment I just removed the digest-md5 mechanism ...
> Or could I just simply not offer that mechanism?
>
> If someone could shed some light on this I would be more than grateful ;)
>
> Thanks & greetings
> Becki

We actually discovered that Android has a bug with DIGEST-MD5, which Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc are not really a good idea with SSL anyways.

Aki

Admin Beckspaced
2017-Oct-28 06:30 UTC
Need help in understanding auth digest-md5 and realm
On 27.10.2017 20:35, Aki Tuomi wrote:
>> On October 27, 2017 at 6:00 PM Admin Beckspaced <admin at beckspaced.com> wrote:
>>
>> Hello dovecot community,
>> ...
>>
>> If someone could shed some light on this I would be more than grateful ;)
>>
>> Thanks & greetings
>> Becki
>
> We actually discovered that Android has a bug with DIGEST-MD5, which Google refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc are not really a good idea with SSL anyways.
>
> Aki

Hello Aki,

thanks for your reply ...

So if there's a bug which Google won't fix it's perhaps best to not offer digest-md5?

What do you mean by it's not a good idea to use DIGEST-MD5/CRAM-MD5 with SSL?

Thanks & Greetings
Becki

On Fri, 27 Oct 2017 21:35:16 +0300 (EEST), Aki Tuomi stated:

> We actually discovered that Android has a bug with DIGEST-MD5, which Google
> refuses to fix. Also DIGEST-MD5/CRAM-MD5 etc are not really a good idea with
> SSL anyways

Could you actually describe what that bug is? I actually know someone at Google and they might be able to get it investigated and perhaps corrected. The more info you could supply, the better.

Thanks :)

--
Jerry