SASL Realm Changed

[adrianmaule]

Hi all, got an odd one:

There are a few email addresses in our Postfix/SASL/Dovecot email server of 3000+ users and 1200+ domains that are unable to SMTP authenticate. The error in the log file shows:

SASL authentication failure: realm changed: authentication aborted
SASL DIGEST-MD5 authentication failed

This reliably occurs with just a few email addresses and never with any of the others. How do I go about troubleshooting and resolving this issue?

[nplusplus]

Hi, adrianmaule,

First, I would see if you can increase the verbosity of the logging. Then, I would try to recreate the problem by trying to replicate what commonalities there are between the email addresses, usernames, passwords, and email clients of the accounts that fail. Then, you should see if there is a way to capture authentication traffic in the clear (probably harder than it sounds).

What authentication backend are you using? Dovecot is the SASL glue, not the authentication directory, right? So you might try to check how the credentials appear to the backend when they are presented. It sort of sounds like you are using Kerberos with the "realm changed" error. That error also makes me think that Postfix or Dovecot is not mapping the account to the credentials correctly such that the account/email address is getting incorrectly passed on.

- N

[adrianmaule]

I've tested with the user's account. The email address is service@xxxxx.xxx. We created a test account service1@xxxxx.xxx. Further, we created an account service@xxxxx.xxx (a different domain). All of them fail in the same way.

[adrianmaule]

There is one other email address that this occurs to and it's frank@xxxxxx.xxx (another domain yet). 'Frank' has another email domain with us and he is now using THAT address frank@otherdomain.tld for his smtp authentication.

One thing I do notice is that my postfix is advertising CRAM-MD5 and DIGEST-MD5, which is what these logins are choking on.