Applicable to:
- Plesk for Linux
Symptoms
- On attempt to send an email via Microsoft Outlook, the login/password prompt appears and does not accept credentials.
- The warning below can be found in the
/var/log/maillog:
CONFIG_TEXT: mail.example.com postfix/smtpd[17318]: warning: SASL authentication failure: realm changed: authentication aborted
Cause
Current implementation of a DIGEST-MD5 authentication in libsasl2 library is incompatible with Microsoft Outlook.
Resolution
- Login to the server via SSH.
-
Back up the file:
For CentOS/RHEL-based distributions:# cp /usr/lib64/sasl2/smtpd.conf /usr/lib64/sasl2/smtpd.conf.bak
For Debian/Ubuntu-based distributions:
# cp /etc/postfix/sasl/smtpd.conf /etc/postfix/sasl/smtpd.conf.bak
-
Disable Digest-MD5 authentication for postfix by editing
/usr/lib64/sasl2/smtpd.conffor CentOS or/etc/postfix/sasl/smtpd.conffor Debian/Ubuntu using a text editor and replacing the following line:CONFIG_TEXT: mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
with
CONFIG_TEXT: mech_list: CRAM-MD5 PLAIN LOGIN
-
Restart the Postfix service to apply changes:
# service postfix restart
Comments
We first noticed this problem like 10 years ago, and disabled DIGEST-MD5. Now I see that this value is still the default for new Plesk Obsidian 18.0.68 installations…
According to https://datatracker.ietf.org/doc/html/rfc6331 DIGEST-MD5 has been marked as historic in 2011. I guess Plesk should start not using this anymore by default.
With Plesk 18.0.72 now being able to hash passwords, you should also remove CRAM-MD5 from the list as this doesn't work with hashed passwords (server needs to know the plaintext password). Will lead to "SASL CRAM-MD5 authentication failed" errors.
What about auth_mechanisms = plain login scram-sha256?
Please sign in to leave a comment.