
Issue Android Mail APP - IMAP digest-md5 always fails once

daanse

Regular Pleskian
Hi,

we are using Plesk Onyx
Debian 8.11‬ - Version 17.8.11 Update #22

with Dovecot:
# dovecot --version
2.3.0.1 (ffd8a29)

and
Some Mail Account on default Android Mail App:
Android Version: 8.0.0 on Samsung S7

And regardless of what we set up, with or without SSL, there is always a failed login first and then a successful login via PLAIN.

We enabled debug on auth and it shows a Password mismatch with DIGEST-MD5 method.
This customer (and one or two others) has had this problem with us for a long time.

Usually we tell them to use K9 Mail App.

What's the problem here? Can we prove that behaviour?

Code:
Oct  6 14:31:21 host04 dovecot: auth: digest-md5([email protected],2.247.241.39,<80G+kI53VlEC9/En>): Password mismatch
Oct  6 14:31:23 host04 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=DIGEST-MD5, rip=x.xx.xx.xx, lip=xx.xx.xx.xx, TLS, session=<80G+kI53VlEC9/En>
Oct  6 14:31:28 host04 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, mpid=2943, TLS, session=<KAXukI537BQC9/En>
 
Hello, my users have the same problem with the Samsung Mail app. I have now written to Samsung and expect an answer in the coming days.
 
We have made a workaround with the following advice:

Code:
# nano /etc/dovecot/dovecot.conf

and there you can find:
Code:
auth_mechanisms = plain login digest-md5 cram-md5 apop

delete "digest-md5" there and you are good to go.
 
This is not a valid solution.
Without "digest-md5" Android Mail APP works fine, but then Microsoft Outlook doesn't work correctly.
:(
 
Yep, we are getting this. One client (the boss of the company) was always getting blocked. Not good.

Any long term proper fix for this?
 
I have the exact same issue as well!

It only seems to affect Android phones using IMAP: it tries (and fails) using DIGEST-MD5, then works on the second try, but after a short amount of time Fail2Ban has been triggered.

Still no solution?
 
@IgorG I observed the same here. The Samsung client unfortunately does not allow selecting the authentication mechanism. It first tries to use DIGEST-MD5 (auth failed). After 4 seconds the client reconnects successfully using PLAIN.

As the support articles Cannot set up Plesk mail IMAP account in Outlook: SASL DIGEST-MD5 authentication failed: authentication failure and Outlook fails to send an email: SASL authentication failure. On Plesk for Linux suggest, removing DIGEST-MD5 for Dovecot and Postfix might help.

However, I wonder about this post @192748:
This is not a valid solution.
Without "digest-md5" Android Mail APP works fine, but then Microsoft Outlook doesn't work correctly.
:(
Does the proposed effect create any issue for Outlook clients? If so, will all Outlook versions be affected?
 
No fix is needed. Digest-MD5 is a legitimate algorithm, it just does not work with the Android apps if Fail2Ban is active. As the app always tries to use Digest-MD5 first, it causes wrong login attempts, this in turn causes Fail2Ban to trigger an ip block. The problem here is that the Android app always tries digest-md5 and does not include an option where the user can either disable secure password authentication or choose the algorithm he/she wants to use. So your only choice is to remove digest-md5 from the server.

The Outlook issue that has been described before is caused by a problematic behavior of Outlook when the SPA checkbox is checked (secure password authentication). Outlook stores the algorithm for password encryption only once when the account is configured. If the algorithm is changed later (e.g. if digest-md5 is removed from the server's configuration), it does not adapt to the new situation unless the client configuration is removed and added again.

Bottom line: If you or your clients are using Outlook SPA, they should deactivate that checkbox. You can then safely remove digest-md5 from the server configuration so that your Android apps work fine.
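The first post asks whether the DIGEST-MD5-then-PLAIN behaviour can be proven from the logs, and the explanation above is that these failures are client fallbacks rather than wrong passwords, which is what trips Fail2Ban. The script below is an added example, not code from the thread or from Plesk: it parses dovecot imap-login lines in the format quoted above and separates "DIGEST-MD5 failure followed by a PLAIN login from the same user and IP within a short window" from failures with no such follow-up. The log lines, user names and addresses are constructed placeholders, and the 30-second window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the dovecot imap-login/auth log format quoted in the thread;
# users, hosts and addresses are placeholders (RFC 5737 ranges), not real data.
SAMPLE_LOG = """\
Oct  6 14:31:21 host04 dovecot: auth: digest-md5(alice@example.test,203.0.113.5,<80G+kI53VlEC9/En>): Password mismatch
Oct  6 14:31:23 host04 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.test>, method=DIGEST-MD5, rip=203.0.113.5, lip=198.51.100.10, TLS, session=<80G+kI53VlEC9/En>
Oct  6 14:31:28 host04 dovecot: imap-login: Login: user=<alice@example.test>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, mpid=2943, TLS, session=<KAXukI537BQC9/En>
Oct  6 14:40:01 host04 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 20 secs): user=<bob@example.test>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.10, TLS, session=<Qm9iU2Vzc2lvbg>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[\w-]+), rip=(?P<rip>[^,]+)"
)
FALLBACK_WINDOW_SECS = 30  # assumption: a PLAIN retry within this window is the same client setup


def parse_ts(text):
    # syslog timestamps carry no year; strptime defaults to 1900, fine for intra-day deltas
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def classify_auth_events(log_text):
    """Return (fallbacks, real_failures): a DIGEST-MD5 failure followed by a PLAIN login
    from the same user and remote IP within FALLBACK_WINDOW_SECS is the Android client
    pattern from the thread; anything else is a failure a ban policy should count."""
    pending = {}  # (user, rip) -> time of a DIGEST-MD5 failure not yet matched
    fallbacks, real_failures = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'auth:' detail lines and unrelated entries
        ts, user, rip, method = parse_ts(m["ts"]), m["user"], m["rip"], m["method"]
        key = (user, rip)
        if m["event"].startswith("Disconnected"):
            if method == "DIGEST-MD5":
                pending[key] = ts
            else:
                real_failures.append((user, rip, method))
        elif m["event"] == "Login" and method == "PLAIN" and key in pending:
            if (ts - pending.pop(key)).total_seconds() <= FALLBACK_WINDOW_SECS:
                fallbacks.append((user, rip))
            else:
                real_failures.append((user, rip, "DIGEST-MD5"))
    # DIGEST-MD5 failures never followed by a PLAIN login are real failures as well
    real_failures.extend((u, r, "DIGEST-MD5") for (u, r) in pending)
    return fallbacks, real_failures
```

Running it over a day of mail.log shows how many of the "auth failed" entries are this client fallback versus failures worth a ban, which is useful evidence before deciding to drop digest-md5 from auth_mechanisms.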
 