SASL Realm Changed
Hi all, got an odd one:
There are a few email addresses in our Postfix/SASL/Dovecot email server of 3000+ users and 1200+ domains that are unable to SMTP authenticate. The error in the log file shows:
SASL authentication failure: realm changed: authentication aborted
SASL DIGEST-MD5 authentication failed
This reliably occurs with just a few email addresses and never with any of the others. How do I go about troubleshooting and resolving this issue?
First, I would see if you can increase the verbosity of the logging. Then, I would try to recreate the problem by trying to replicate what commonalities there are between the email addresses, usernames, passwords, and email clients of the accounts that fail. Then, you should see if there is a way to capture authentication traffic in the clear (probably harder than it sounds).
What authentication backend are you using? Dovecot is the SASL glue, not the authentication directory, right? So you might try to check how the credentials appear to the backend when they are presented. It sort of sounds like you are using Kerberos with the "realm changed" error. That error also makes me think that Postfix or Dovecot is not mapping the account to the credentials correctly such that the account/email address is getting incorrectly passed on.
I've tested with the user's account. The email address is email@example.com. We created a test account firstname.lastname@example.org. Further, we created an account email@example.com (a different domain). All of them fail in the same way.
One other email address
There is one other email address that this happens to and it's firstname.lastname@example.org (another domain yet). 'Frank' has another email domain with us and he is now using THAT address email@example.com for his SMTP authentication.
One thing I do notice is that my Postfix is advertising CRAM-MD5 and DIGEST-MD5, which is what these logins are choking on.
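To make the realm dependence of DIGEST-MD5 concrete, here is an added Python example; it is not code from the thread's posters or from Postfix, Dovecot or Cyrus SASL. It implements the client "response" computation from RFC 2831 for qop=auth and a toy server-side check. All usernames, realms, passwords and nonces are constructed. The realm is hashed into A1 together with the username and password, so a client whose realm directive differs from the one the server advertised can never produce a response the server can match; the toy server reports that condition with the same wording as the log line in the question, but it does not reproduce the real Cyrus SASL/Dovecot decision logic.

```python
"""Toy DIGEST-MD5 (RFC 2831) client response and server-side check.

Added example, not code from the thread or from Postfix/Dovecot/Cyrus SASL.
Every username, realm, password and nonce below is constructed.
"""
import hashlib
import hmac
import re


def _h(data: bytes) -> bytes:
    """H() from RFC 2831: the raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client 'response' value for qop=auth, no authzid (RFC 2831 section 2.1.2.1).

    The realm is part of A1, so client and server must agree on it.
    """
    # A1 = H(username ":" realm ":" password) ":" nonce ":" cnonce
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    # A2 = "AUTHENTICATE:" digest-uri   (qop=auth, no entity hash)
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    # response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    kd_input = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}".encode()
    return _h(kd_input).hex()


# Directives in a digest-response look like  key="quoted value"  or  key=bare
_DIRECTIVE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,]*))')


def parse_directives(text):
    """Parse 'k="v",k2=v2,...' into a dict; quoted or bare values."""
    out = {}
    for m in _DIRECTIVE.finditer(text):
        key, quoted, bare = m.groups()
        out[key] = quoted if quoted is not None else bare
    return out


def client_message(username, realm, password, nonce, cnonce, nc, digest_uri):
    """Build the digest-response the client sends back (constructed format per RFC 2831)."""
    resp = digest_md5_response(username, realm, password, nonce, cnonce, nc, "auth", digest_uri)
    return (f'username="{username}",realm="{realm}",nonce="{nonce}",cnonce="{cnonce}",'
            f'nc={nc},qop=auth,digest-uri="{digest_uri}",response={resp}')


class ToyServer:
    """Minimal verifier: advertised realm, one fixed nonce, plaintext password table.

    Real servers issue a fresh random nonce per challenge and keep hashed
    credentials; both are simplified here (constructed values) to keep the focus
    on the realm check.
    """

    REQUIRED = ("username", "realm", "nonce", "cnonce", "nc", "digest-uri", "response")

    def __init__(self, realm, users):
        self.realm = realm           # the realm the server advertised in its challenge
        self.users = users           # username -> password (constructed)
        self.nonce = "srv-nonce-01"  # constructed; not random on purpose

    def verify(self, digest_response):
        d = parse_directives(digest_response)
        missing = [k for k in self.REQUIRED if k not in d]
        if missing:
            return False, "missing directives: " + ", ".join(missing)
        # The client echoed a realm other than the one we advertised: A1 can't match.
        if d["realm"] != self.realm:
            return False, "realm changed: authentication aborted"
        if d["nonce"] != self.nonce:
            return False, "nonce mismatch"
        password = self.users.get(d["username"])
        if password is None:
            return False, "no such user"
        expected = digest_md5_response(d["username"], self.realm, password, self.nonce,
                                       d["cnonce"], d["nc"], d.get("qop", "auth"),
                                       d["digest-uri"])
        if hmac.compare_digest(expected, d["response"]):
            return True, "ok"
        return False, "bad response"


def make_server():
    return ToyServer("mail.example.net",
                     {"alice": "pw-alice", "frank@example.org": "pw-frank"})


def demo():
    """Accepted login next to a login that echoes a different realm than advertised."""
    server = make_server()
    good = client_message("alice", "mail.example.net", "pw-alice",
                          server.nonce, "c-1", "00000001", "smtp/mail.example.net")
    # A client that derives the realm from the domain part of its login name
    # instead of using the advertised realm (constructed scenario).
    realm_changed = client_message("frank@example.org", "example.org", "pw-frank",
                                   server.nonce, "c-2", "00000001", "smtp/mail.example.net")
    return server.verify(good), server.verify(realm_changed)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

When running it, the first login is accepted and the second is refused before the password is even consulted, because the realm directive alone already rules out a matching A1. Note that the example covers DIGEST-MD5 only: CRAM-MD5 (RFC 2195) is an HMAC of the challenge with the password and carries no realm, so a realm mismatch cannot explain a CRAM-MD5 failure on the same account.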