Facebook
Twitter
Problem description:
For many years and across a five digit large number of domains and customers we've seen some customers failing logins from their smartphones and sometimes from MS Outlook and Apple Mail. For many users it was a pain to configure their phones correctly. On Samsung's Android Mail App for example, users configured their accounts and were able to log in, receive and send emails, yet the server logged a second auth attempt that failed. These failed attempts triggered Fail2Ban blocks of the customers' IP addresses, although the customers had entered their access credentials correctly. Users however sometimes cannot choose the auth mechanism, e.g. on Android Mail.
Similar issues have been described in these Plesk FAQ articles:
support.plesk.com
and
support.plesk.com
But it was not clear to us whether the suggested change to remove "digest-md5" from Dovecot will
a) really solve the issue, including a solution for Android and Apple Mail where customers cannot choose an auth mechanism on their own
b) not cause new issues with existing customer configurations
Recently we went through significant testing efforts on several servers with a very high number of domains and email users that can be considered representative.
Solution:
Among all ranging from Thunderbird, Outlook, Android Mail, Apple Mail, iPhone Mail we found that the only viable solution to the "failed auth" issue caused by DIGEST-MD5 password mechanism is to remove the "digest-md5" entry from Dovecot as mentioned in the FAQs.
I am personally convinced due to the number of affected domains and customers here across many servers this is a major change that could bring a big benefit to all Plesk users. It will save hundreds of thousands of server admins headaches.
A user named "Bob B" had posted this feature request on Uservoice a couple of months ago:
This is a very important request. Even if you might not have run into the issue yet or might not have noticed that there is an issue on your system, this is the thing to vote for now.
Please vote for this feature suggestion. It will make your admin life easier in the future for sure.
For many years and across a five digit large number of domains and customers we've seen some customers failing logins from their smartphones and sometimes from MS Outlook and Apple Mail. For many users it was a pain to configure their phones correctly. On Samsung's Android Mail App for example, users configured their accounts and were able to log in, receive and send emails, yet the server logged a second auth attempt that failed. These failed attempts triggered Fail2Ban blocks of the customers' IP addresses, although the customers had entered their access credentials correctly. Users however sometimes cannot choose the auth mechanism, e.g. on Android Mail.
Similar issues have been described in these Plesk FAQ articles:
Outlook fails to send an email: SASL authentication failure. On Plesk for Linux
Applicable to: Plesk for Linux Symptoms On attempt to send an email via Microsoft Outlook, the login/password prompt appears and does not accept credentials. The warning below can be found in t...
support.plesk.com
Cannot set up Plesk mail IMAP account in Outlook: SASL DIGEST-MD5 authentication failed: authentication failure
Applicable to: Plesk Onyx for Linux Symptoms When trying to set up an IMAP account in Outlook or Samsung Email android app, IMAP option is not available in the "Account type" field: One of ...
support.plesk.com
a) really solve the issue, including a solution for Android and Apple Mail where customers cannot choose an auth mechanism on their own
b) not cause new issues with existing customer configurations
Recently we went through significant testing efforts on several servers with a very high number of domains and email users that can be considered representative.
Solution:
Among all ranging from Thunderbird, Outlook, Android Mail, Apple Mail, iPhone Mail we found that the only viable solution to the "failed auth" issue caused by DIGEST-MD5 password mechanism is to remove the "digest-md5" entry from Dovecot as mentioned in the FAQs.
I am personally convinced due to the number of affected domains and customers here across many servers this is a major change that could bring a big benefit to all Plesk users. It will save hundreds of thousands of server admins headaches.
A user named "Bob B" had posted this feature request on Uservoice a couple of months ago:
Remove digest-md5 from dovecot and postfix configs
Seeing as the current implementation does not work with Outlook (and a lot of people use Outlook), it would make sense to remove the digest-md5 option from dovecot and postfix configs. These options keep coming back on a Plesk update so it would better to just remove them completely...
plesk.uservoice.com
This is a very important request. Even if you might not have run into the issue yet or might not have noticed that there is an issue on your system, this is the thing to vote for now.
Please vote for this feature suggestion. It will make your admin life easier in the future for sure.
