DIGEST-MD5 issues

[Chris1]

Hello,

We appear to be having problems with some users authenticating with DIGEST-MD5 on Dovecot.

It seems to be Android phones with the latest update Marshmallow that are are having the issue.

They first attempt to connect via DIGEST MD5 and fail, then tries PLAIN and succeeds. This is of course getting caught in Fail2Ban which eventually leads to blocking their IP address.

I have since temporarily disabled DIGEST-MD5 on Dovecot.

Is anyone else noticing this same issue?

 

[UFHH01]

Microsoft Outlook ( up to version 2016 ) has this issue as well.

 

[Chris1]

Is it best just to disable these problematic connection methods? I checked a cPanel server and notice they just offer PLAIN and LOGIN.

 

[Pedro1]

I have the same problem.
I migrate from Courier to Dovecot to prepare a migration to Onyx.
And now I have a lot of problems in Android devices.

Chris1 how do you disabled DIGEST-MD5 on Dovecot?
Is it secure?

best regards

 

[daanse]

How did you solved that Problem please?

 

[UFHH01]

Hi daanse,

How did you solved that Problem please?

Just consider to use another set of cipher suites. Best practice is to use "Intermediate" cipher suites, suggested by Mozilla:

=> Security/Server Side TLS - MozillaWiki​

From my point of view it's rather irresponsible not to offer DIGEST-MD5 and CRAM-MD5 for security reasons.

 

[daanse]

From my point of view it's rather irresponsible not to offer DIGEST-MD5 and CRAM-MD5 for security reasons.

Yes, but that Device is messing arround with Connections and always makes a fail. So what can i do?
I really not want to miss any Sercurity related Settings, but i want the connection work in both cases.
And i have tested it, it doesn't
(Issue - Fail2Ban dovecot/Imap gets banned by false Settings)

 

[john_in_Toronto]

I have this exact same issue as well.

What is the best solution for it?