
Issue Android Mail APP - IMAP digest-md5 always fails once

daanse

Regular Pleskian
Hi,

we are using Plesk Onyx
Debian 8.11 - Version 17.8.11 Update #22

with Dovecot:
# dovecot --version
2.3.0.1 (ffd8a29)

and
Some Mail Account on default Android Mail App:
Android Version: 8.0.0 on Samsung S7

And regardless of what we set up, with or without SSL, it always has a FAIL login in the first place and then a successful login via PLAIN.

We enabled debug on auth and it shows a Password mismatch with DIGEST-MD5 method.
This customer (and 1-2 others) has had this problem with us for a long time.

Usually we tell them to use K9 Mail App.

What's the problem here? Can we prove that behaviour?

Code:
Oct  6 14:31:21 host04 dovecot: auth: digest-md5([email protected],2.247.241.39,<80G+kI53VlEC9/En>): Password mismatch
Oct  6 14:31:23 host04 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=x.xx.xx.xx, lip=xx.xx.xx.xx, TLS, session=<80G+kI53VlEC9/En>
Oct  6 14:31:28 host04 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, mpid=2943, TLS, session=<KAXukI537BQC9/En>
 
Hello, my users have the same problem with the Samsung Mail app. I have now written to Samsung and expect an answer in the coming days.
 
We have made a workaround with the following advice:

Code:
# nano /etc/dovecot/dovecot.conf

and there you can find:
Code:
auth_mechanisms = plain login digest-md5 cram-md5 apop

Delete "digest-md5" there and you are good to go.
 
This is not a valid solution.
Without "digest-md5" Android Mail APP works fine, but then Microsoft Outlook doesn't work correctly.
:(
 
Yep, we are getting this. One client (the boss of the company) was always getting blocked. Not good.

Any long term proper fix for this?
 
I have the exact same issue as well!

It only seems to affect Android phones using IMAP. It tries (and fails) using DIGEST-MD5, then works on the second try, but after a short amount of time, Fail2Ban has been triggered.

Still no solution?
 
@IgorG I observed the same here. The Samsung client unfortunately does not allow selecting the authentication mechanism. It first tries to use DIGEST-MD5 (auth failed). After 4 seconds the client reconnects successfully using PLAIN.

As the support articles "Cannot set up Plesk mail IMAP account in Outlook: SASL DIGEST-MD5 authentication failed: authentication failure" and "Outlook fails to send an email: SASL authentication failure. On Plesk for Linux" suggest, removing DIGEST-MD5 for Dovecot and Postfix might help.

However, I wonder about this post @192748:
This is not a valid solution.
Without "digest-md5" Android Mail APP works fine, but then Microsoft Outlook doesn't work correctly.
:(
Does the proposed effect create any issue for Outlook clients? If so, will all Outlook versions be affected?
 
No fix is needed. Digest-MD5 is a legitimate algorithm, it just does not work with the Android apps if Fail2Ban is active. As the app always tries to use Digest-MD5 first, it causes wrong login attempts; this in turn causes Fail2Ban to trigger an IP block. The problem here is that the Android app always tries digest-md5 and does not include an option where the user can either disable secure password authentication or choose the algorithm he/she wants to use. So your only choice is to remove digest-md5 from the server.

The Outlook issue that has been described before is caused by a problematic behavior of Outlook when the SPA checkbox is checked (secure password authentication). Outlook stores the algorithm for password encryption only once when the account is configured. If the algorithm is changed later (e.g. if digest-md5 is removed from the server's configuration), it does not adapt to the new situation unless the client configuration is removed and added again.

Bottom line: If you or your clients are using Outlook SPA, they should deactivate that checkbox. You can then safely remove digest-md5 from the server configuration so that your Android apps work fine.
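
The pattern this thread describes (a failed DIGEST-MD5 attempt followed seconds later by a successful PLAIN login from the same user and IP) can be separated from real password guessing by correlating the imap-login lines. The script below is an added example, not part of any post in the thread or of Plesk, Dovecot or Fail2Ban; the sample lines, addresses, the 30-second window and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the dovecot imap-login format quoted in the thread
# (users and addresses are documentation values, not taken from the page).
SAMPLE_LOG = """\
Oct  6 14:31:23 host04 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boss@example.com>, method=DIGEST-MD5, rip=192.0.2.10, lip=198.51.100.1, TLS, session=<aaaa>
Oct  6 14:31:28 host04 dovecot: imap-login: Login: user=<boss@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.1, mpid=2943, TLS, session=<bbbb>
Oct  6 14:40:02 host04 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=DIGEST-MD5, rip=203.0.113.77, lip=198.51.100.1, TLS, session=<cccc>
Oct  6 14:40:09 host04 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.1, TLS, session=<dddd>
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[\w-]+), rip=(?P<rip>[^,]+),"
)

def parse(log, year=2000):
    """Yield (time, ok, user, method, rip) for imap-login auth events.
    Syslog timestamps carry no year; a fixed one is assumed for comparison."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["event"] == "Login", m["user"], m["method"], m["rip"]

def classify_failures(log, window=timedelta(seconds=30)):
    """Label each failed login 'fallback' if the same user and IP logs in
    successfully with another mechanism within `window`, else 'unresolved'."""
    events = list(parse(log))
    results = []
    for ts, ok, user, method, rip in events:
        if ok:
            continue
        recovered = any(
            ok2 and user2 == user and rip2 == rip and method2 != method
            and timedelta(0) <= ts2 - ts <= window
            for ts2, ok2, user2, method2, rip2 in events
        )
        results.append((user, rip, method, "fallback" if recovered else "unresolved"))
    return results

if __name__ == "__main__":
    for row in classify_failures(SAMPLE_LOG):
        print(*row)
```

Failures labelled `fallback` match the client mechanism retry discussed above; `unresolved` ones were never followed by a successful login and remain the entries worth reviewing.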
 