Symptoms
-
A WordPress website is throwing an error in the WP Mail SMTP plugin upon attempting to send a test mail. In WP Mail SMTP's debug logs, the following can be found:
CONFIG_TEXT: 2025-10-22 23:37:26 CLIENT -> SERVER: EHLO 203.0.113.2
2025-10-22 23:37:26 SERVER -> CLIENT: 250-203.0.113.2250-PIPELINING250-SIZE 10240000250-ETRN250-STARTTLS250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT250-ENHANCEDSTATUSCODES250-8BITMIME250-DSN250 CHUNKING
2025-10-22 23:37:26 CLIENT -> SERVER: AUTH CRAM-MD5
2025-10-22 23:37:26 SERVER -> CLIENT: 334 PDEzODc2MDUxMDQuMTYzNDU4ODZAMTAtNjktNDMtMTk2LnFhLnBsZXNrLnRlY2g+
2025-10-22 23:37:26 CLIENT -> SERVER: [credentials hidden]
2025-10-22 23:37:26 SERVER -> CLIENT: 535 5.7.8 Error: authentication failed: authentication failure
2025-10-22 23:37:26 SMTP ERROR: Username command failed: 535 5.7.8 Error: authentication failed: authentication failure
SMTP Error: Could not authenticate. -
The following can be found in the
/var/log/maillogfile:CONFIG_TEXT: Oct 22 18:27:37 mail postfix/smtpd[2095857]: connect from example.com[203.0.113.2]
Oct 22 18:27:37 mail postfix/smtpd[2095857]: TLS SNI example.com from example.com[203.0.113.2] not matched, using default chain
Oct 22 18:27:37 mail postfix/smtpd[2095857]: warning: SASL authentication failure: no secret in database
Oct 22 18:27:37 mail postfix/smtpd[2095857]: warning: example.com[203.0.113.2]: SASL CRAM-MD5 authentication failed: authentication failure, sasl_username=john.doe@example.com
Oct 22 18:27:37 mail postfix/smtpd[2095857]: disconnect from example.com[203.0.113.2] ehlo=1 auth=0/1 quit=1 commands=2/3 -
The password storage method is set to Hashing, at Tools & Settings > Security Policy:
-
DIGEST-MD5andCRAM-MD5are enabled in both Postfix and Dovecot:# grep "mech_list" /etc/postfix/sasl/smtpd.conf
mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN \# grep auth_mechanisms /etc/dovecot/dovecot.conf
auth_mechanisms = plain login digest-md5 cram-md5 apop \
Cause
The DIGEST-MD5 and CRAM-MD5 authentication methods require the server to have access to the actual password, which is not possible when password storage is set to Hashing under Tools & Settings > Security Policy.
Resolution
There are two possible solutions. One of them is a client-side solution, the other is a server-side solution.
Force WP Mail SMTP to use LOGIN, instead of CRAM-MD5. To do so:
- Connect to the server via SSH
-
Create the
/var/www/vhosts/example.com/httpdocs/wp-content/mu-plugins/force-smtp-login.phpfile with the following content:CONFIG_TEXT: <?php
add_action('phpmailer_init', function($phpmailer) {
// Force client-side auth type to LOGIN (not CRAM-MD5)
$phpmailer->AuthType = 'LOGIN';
});
More details at https://wpmailsmtp.com/docs/how-to-set-up-the-other-smtp-mailer-in-wp-mail-smtp/#custom-filter.
Warning: Please note that this solution may affect users whose the password is still not hashed and use the Thunderbird client with "Encrypted Password" configured — or other mail client that exclusively uses DIGEST-MD5 or CRAM-MD5.
Disable DIGEST-MD5 and CRAM-MD5 from both Postfix and Dovecot:
- Connect to the server via SSH
-
Make a backup of the
/etc/postfix/sasl/smtpd.confand/etc/dovecot/dovecot.conffiles:# cp -a /etc/postfix/sasl/smtpd.conf /etc/postfix/sasl/smtpd.conf_$(date +%F_%H-%M-%S)
# cp -a /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf_$(date +%F_%H-%M-%S)
-
Remove
DIGEST-MD5andCRAM-MD5fromauth_mechanisms, in the/etc/dovecot/dovecot.conffile.# sed -i "s#auth_mechanisms = plain login digest-md5 cram-md5 apop#auth_mechanisms = plain login apop#g" /etc/dovecot/dovecot.conf
-
Remove
DIGEST-MD5andCRAM-MD5frommech_list, in the/etc/postfix/sasl/smtpd.conffile.# sed -i "s#mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN#mech_list: PLAIN LOGIN#g" /etc/postfix/sasl/smtpd.conf
-
Restart both Postfix and Dovecot:
# systemctl restart dovecot
# systemctl restart postfix
Comments
Thank you for this, the server side fix resolved my issue.
Please sign in to leave a comment.