Hello Дилян, thanks!
Upstream cyrus-sasl has removed support for DIGEST-MD5 — https://github.com/cyrusimap/cyrus-sasl/pull/773 . Sooner or later you will have to say goodbye to DIGEST-MD5, too.
Ok, thanks. IMHO it was a "cheap" auth method for this usage (frontend to backend auth). I switched now to PLAIN+TLS with saslauthd -> pam -> pam_userdb at the backends. What do other murder admins do? Are there any …?
Migration to Cyrus IMAP 3.10 requires running version 3.6.3 (or later), or 3.8.1 (or later) — https://www.cyrusimap.org/3.10/imap/download/upgrade.html#versions-to-upgrade-from .
Oh. I hoped to migrate all the mailboxes with XFER from 3.2.11 backends to the new 3.10, and finally upgrade the mupdate master and frontends, according to https://www.cyrusimap.org/3.10/imap/download/upgrade.html#special-note-for-murder-configurations

Frank
I suggest switching in your 3.2 setup to something different than DIGEST-MD5, and then upgrading to a Cyrus IMAP version lower than 3.10.

Greetings // Дилян

-----Original Message-----
From: Frank Richter <[email protected]>
Reply-To: Info <[email protected]>
To: cyrus via Info <[email protected]>
Subject: Migration murder from 3.2 to 3.10 (Debian 11 to 13) – frontend to backend auth error
Date: 25/02/26 14:11:05

Hello,

I’m about to update our cyrus-imapd murder from Debian 11 (cyrus-imapd 3.2.11 self-build, cyrus-sasl 2.1.27+dfsg-2.1+deb11u1) to Debian 13 (cyrus-imapd 3.10.2, cyrus-sasl 2.1.28+dfsg1-9).

Authentication from frontend to backend is done with DIGEST-MD5:

frontend:
    proxy_authname: _frontend
    proxy_password: …

backend:
    sasl_mech_list: DIGEST-MD5
    sasl_pwcheck_method: auxprop
    sasl_auxprop_plugin: sasldb

I’ve set up /etc/sasldb2 with saslpasswd2 -c _frontend with password, sasldblistusers2 shows:

    [email protected]: userPassword

This has worked for the 3.2.X murder cluster for years.

Now I’ve set up a new backend server "prepaid.hrz.tu-chenitz.de" with 3.10.2.
Test with imtest from frontend with 3.2.11 is ok:

imtest -u test -a _frontend -t '' prepaid.hrz.tu-chenitz.de
S: * OK [CAPABILITY IMAP4rev1 IMAP4rev2 AUTH=DIGEST-MD5 ENABLE ID LITERAL+ LOGINDISABLED SASL-IR STARTTLS MUPDATE=mupdate://mupdate.hrz.tu-chemnitz.de/] prepaid.hrz.tu-chemnitz.de Cyrus IMAP 3.10.2-Debian-3.10.2-1 server ready
S: * OK [CAPABILITY IMAP4rev1 IMAP4rev2 AUTH=DIGEST-MD5 ENABLE ID LITERAL+ LOGINDISABLED SASL-IR STARTTLS MUPDATE=mupdate://mupdate.hrz.tu-chemnitz.de/] prepaid.hrz.tu-chemnitz.de Cyrus IMAP 3.10.2-Debian-3.10.2-1 server ready
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 IMAP4rev2 ACL ANNOTATE-EXPERIMENT-1 APPENDLIMIT=2147483647 AUTH=DIGEST-MD5 BINARY CATENATE CHILDREN COMPRESS=DEFLATE CONDSTORE CREATE-SPECIAL-USE ENABLE ESEARCH ESORT ID IDLE LIST-EXTENDED LIST-METADATA LIST-MYRIGHTS LIST-STATUS LITERAL+ MAILBOX-REFERRALS METADATA MOVE MULTIAPPEND MULTISEARCH NAMESPACE NOTIFY OBJECTID PREVIEW QRESYNC QUOTA QUOTA=RES-STORAGE QUOTA=RES-MESSAGE QUOTA=RES-ANNOTATION-STORAGE QUOTA=RES-MAILBOX QUOTASET REPLACE RIGHTS=kxten SASL-IR SAVEDATE SEARCH=FUZZY SEARCHRES SORT SORT=DISPLAY SPECIAL-USE STATUS=SIZE THREAD=ORDEREDSUBJECT THREAD=REFERENCES UIDONLY UIDPLUS UNSELECT URL-PARTIAL URLAUTH URLAUTH=BINARY WITHIN DIGEST=SHA1 MUPDATE=mupdate://mupdate.hrz.tu-chemnitz.de/ NO_ATOMIC_RENAME SCAN SORT=MODSEQ SORT=UID THREAD=REFS X-CREATEDMODSEQ X-REPLICATION X-REPLICATION-ARCHIVE X-SIEVE-MAILBOX XLIST XMOVE
S: C01 OK Completed
C: A01 AUTHENTICATE DIGEST-MD5
S: + bm9…
Please enter your password:
C: dXNl…
S: + cnN…
C:
S: A01 OK [CAPABILITY IMAP4rev1 IMAP4rev2 ACL ANNOTATE-EXPERIMENT-1 APPENDLIMIT=2147483647 BINARY CATENATE CHILDREN COMPRESS=DEFLATE CONDSTORE CREATE-SPECIAL-USE ENABLE ESEARCH ESORT ID IDLE LIST-EXTENDED LIST-METADATA LIST-MYRIGHTS LIST-STATUS LITERAL+ LOGINDISABLED MAILBOX-REFERRALS METADATA MOVE MULTIAPPEND MULTISEARCH NAMESPACE NOTIFY OBJECTID PREVIEW QRESYNC QUOTA QUOTA=RES-STORAGE QUOTA=RES-MESSAGE QUOTA=RES-ANNOTATION-STORAGE QUOTA=RES-MAILBOX QUOTASET REPLACE RIGHTS=kxten SAVEDATE SEARCH=FUZZY SEARCHRES SORT SORT=DISPLAY SPECIAL-USE STATUS=SIZE THREAD=ORDEREDSUBJECT THREAD=REFERENCES UIDONLY UIDPLUS UNSELECT URL-PARTIAL URLAUTH URLAUTH=BINARY WITHIN DIGEST=SHA1 MUPDATE=mupdate://mupdate.hrz.tu-chemnitz.de/ NO_ATOMIC_RENAME SCAN SORT=MODSEQ SORT=UID THREAD=REFS X-CREATEDMODSEQ X-REPLICATION X-REPLICATION-ARCHIVE X-SIEVE-MAILBOX XLIST XMOVE] Success (tls protection) SESSIONID=<cyrus-1772020321-43207-1-10610630412189950369>
Authenticated.
Security strength factor: 256
. SELECT INBOX
* 3 EXISTS
* 0 RECENT
* FLAGS (\Answered \Flagged \Draft \Deleted \Seen NonJunk $Label4)
…
. OK [READ-WRITE] Completed

But the imapd on 3.2-frontend doesn’t work with the 3.10 backend:

Log on backend:

2026-02-25T12:45:12.601428+01:00 prepaid cyrus/master[43240]: about to exec /usr/lib/cyrus/bin/imapd
2026-02-25T12:45:12.627416+01:00 prepaid cyrus/imap[43240]: SQL backend defaulting to engine 'pgsql'
2026-02-25T12:45:12.627467+01:00 prepaid cyrus/imap[43240]: zoneinfo_dir is unset, libical will find its own timezone data
2026-02-25T12:45:12.627787+01:00 prepaid cyrus/imap[43240]: ical_support_init: found 418 timezones
2026-02-25T12:45:12.630623+01:00 prepaid cyrus/imap[43240]: executed
2026-02-25T12:45:50.398725+01:00 prepaid cyrus/imap[43240]: accepted connection
2026-02-25T12:45:50.405919+01:00 prepaid cyrus/imap[43240]: extractor_init(0x55d682207b10)
2026-02-25T12:45:50.406813+01:00 prepaid cyrus/imap[43240]: SASL DIGEST-MD5 server step 1
2026-02-25T12:45:50.407430+01:00 prepaid cyrus/imap[43240]: SASL DIGEST-MD5 server step 2
2026-02-25T12:45:50.410526+01:00 prepaid cyrus/imap[43240]: SASL DIGEST-MD5 create_layer_keys()
2026-02-25T12:45:50.417187+01:00 prepaid cyrus/imap[43240]: login: julian.hrz.tu-chemnitz.de [2001:638:911:b0e:134:109:228:25] fri DIGEST-MD5 User logged in SESSIONID=<cyrus-1772019950-43240-1-7292512404913775762>
2026-02-25T12:45:50.418740+01:00 prepaid cyrus/imap[43240]: fetching user_deny.db entry for 'fri'
2026-02-25T12:45:50.463437+01:00 prepaid cyrus/imap[43240]: decoding error: generic failure; SASL(-1): generic failure: user: [email protected] property: cmusaslsecretDIGEST-MD5 not found in sasldb, closing connection
2026-02-25T12:45:50.464542+01:00 prepaid cyrus/imap[43240]: session ended: sessionid=<cyrus-1772019950-43240-1-7292512404913775762> userid=<fri> id.name=<(null)>

Can anybody explain the "decoding error: … cmusaslsecretDIGEST-MD5 not found in sasldb"? And how to correct it?

Is DIGEST-MD5 still sufficient or are there better SASL mechanisms to authenticate frontend to backend?

Thanks in advance,
Frank
--
Frank Richter
Facharbeitsgruppe Datenkommunikation
Universitätsrechenzentrum
Technische Universität Chemnitz
Straße der Nationen 62 | R. B302A
09111 Chemnitz
Germany
Tel: +49 371 531 31879
[email protected]
www.tu-chemnitz.de/urz
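
Added example, not part of the thread and not Cyrus project code: a Python audit of backend syslog that lists logins still using DIGEST-MD5 and ties each "not found in sasldb" decoding error to the login on the same imapd process, which gives an inventory of frontends to migrate off the mechanism. The sample lines are constructed in the format of the backend log quoted above; host names, addresses, users and session ids are placeholders, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample lines in the format of the backend log quoted in the thread
# (host names, addresses, users and session ids are placeholders).
SAMPLE_LOG = """\
2026-02-25T12:45:50.398725+01:00 backend1 cyrus/imap[43240]: accepted connection
2026-02-25T12:45:50.406813+01:00 backend1 cyrus/imap[43240]: SASL DIGEST-MD5 server step 1
2026-02-25T12:45:50.417187+01:00 backend1 cyrus/imap[43240]: login: fe1.example.org [2001:db8::25] alice DIGEST-MD5 User logged in SESSIONID=<cyrus-1-43240-1-1>
2026-02-25T12:45:50.463437+01:00 backend1 cyrus/imap[43240]: decoding error: generic failure; SASL(-1): generic failure: user: _frontend@backend1 property: cmusaslsecretDIGEST-MD5 not found in sasldb, closing connection
2026-02-25T12:46:02.100000+01:00 backend1 cyrus/imap[43251]: login: fe2.example.org [2001:db8::26] bob PLAIN+TLS User logged in SESSIONID=<cyrus-1-43251-1-2>
2026-02-25T12:46:09.200000+01:00 backend1 cyrus/imap[43260]: login: fe1.example.org [2001:db8::25] carol DIGEST-MD5 User logged in SESSIONID=<cyrus-1-43260-1-3>
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) cyrus/(?P<svc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOGIN = re.compile(r"^login: (?P<peer>\S+) \[(?P<addr>[^\]]+)\] (?P<user>\S+) (?P<mech>\S+) User logged in")
DECODE_FAIL = re.compile(r"^decoding error: .*property: (?P<prop>\S+) not found in sasldb")

def audit(log_text):
    """Return (digest_logins, broken): DIGEST-MD5 logins, and logins that were
    followed by a sasldb decoding error on the same backend process."""
    last_login = {}                      # (backend, pid) -> login on the current connection
    digest_logins, broken = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                     # not a Cyrus syslog line
        key, msg = (m["host"], m["pid"]), m["msg"]
        if msg == "accepted connection":
            last_login.pop(key, None)    # process reused for a new connection
            continue
        login = LOGIN.match(msg)
        if login:
            rec = {"ts": m["ts"], "backend": m["host"], **login.groupdict()}
            last_login[key] = rec
            # the mechanism field may carry a suffix such as "+TLS"
            if rec["mech"].split("+")[0] == "DIGEST-MD5":
                digest_logins.append(rec)
            continue
        fail = DECODE_FAIL.match(msg)
        if fail and key in last_login:
            broken.append({**last_login[key], "missing": fail["prop"]})
    return digest_logins, broken

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG)[1]:
        print(rec["ts"], rec["peer"], rec["user"], rec["mech"], "missing:", rec["missing"])
```
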
