Find the answer to your Linux question:
Results 1 to 4 of 4
Hi all, got an odd one: There are a few email addresses in our Postfix/SASL/Dovecot email server of 3000+ users and 1200+ domains that are unable to SMTP authenticate. The ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Aug 2010
    Posts
    3

    SASL Realm Changed


    Hi all, got an odd one:

    There are a few email addresses in our Postfix/SASL/Dovecot email server of 3000+ users and 1200+ domains that are unable to SMTP authenticate. The error in the log file shows:

    SASL authentication failure: realm changed: authentication aborted
    SASL DIGEST-MD5 authentication failed

    This reliably occurs with just a few email addresses and never with any of the others. How do I go about troubleshooting and resolving this issue?

  2. #2
    Linux Newbie nplusplus's Avatar
    Join Date
    Apr 2010
    Location
    Charlotte, NC, USA
    Posts
    106
    Hi, adrianmaule,

    First, I would see if you can increase the verbosity of the logging. Then, I would try to recreate the problem by trying to replicate what commonalities there are between the email addresses, usernames, passwords, and email clients of the accounts that fail. Then, you should see if there is a way to capture authentication traffic in the clear (probably harder than it sounds).

    What authentication backend are you using? Dovecot is the SASL glue, not the authentication directory, right? So you might try to check how the credentials appear to the backend when they are presented. It sort of sounds like you are using Kerberos with the "realm changed" error. That error also makes me think that Postfix or Dovecot is not mapping the account to the credentials correctly such that the account/email address is getting incorrectly passed on.

    - N

  3. #3
    Just Joined!
    Join Date
    Aug 2010
    Posts
    3
    I've tested with the user's account. The email address is service@xxxxx.xxx. We created a test account service1@xxxxx.xxx. Further, we created an account service@xxxxx.xxx (a different domain). All of them fail in the same way.

  4. $spacer_open
    $spacer_close
  5. #4
    Just Joined!
    Join Date
    Aug 2010
    Posts
    3

    One other email address

    There is one other email address that this occurs to and it's frank@xxxxxx.xxx (another domain yet). 'Frank' has another email domain with us and he is now using THAT address frank@otherdomain.tld for his smtp authentication.

    One thing I do notice is that my postfix is advertising CRAM-MD5 and DIGEST-MD5, which is what these logins are choking on.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •