Dovecot says: "Requested CRAM-MD5 scheme, but we have only CRYPT" yet CRAM-MD5 is available

Question

Following upgrade of Fedora Core 16 to Fedora Core 21, the new Dovecot installation isn't authenticating correctly and it's not at all clear why.

We have 50+ email accounts served by this server, so I was hoping to keep the previous schemes working for people.

We've been using CRAM-MD5 quite successfully for many years. I moved over the configuration, updated as necessary for the new version (2.2.15-3), and tried to connect. The log says:

Requested CRAM-MD5 scheme, but we have only CRYPT

Yet, when I follow the guidance from the Dovecot web site on testing (which can be found here http://wiki2.dovecot.org/TestInstallation ), the test command shows that CRAM-MD5 is indeed available:

# telnet localhost 143
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
 IDLE STARTTLS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=PLAIN AUTH=LOGIN]
 Dovecot ready.

As can be seen, CRAM-MD5 is the first supported authorization type listed.

Further, the dovecot parameter testing program shows no issues, either:

# dovecot -n
# 2.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.17.4-301.fc21.x86_64 x86_64 Fedora release 21 (Twenty One)
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = cram-md5 digest-md5 plain login
auth_verbose = yes
listen = *
login_trusted_networks = 192.168.1.4 192.168.1.5 192.168.1.6
192.168.1.12 192.168.1.14 192.168.1.10 127.0.0.1
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = passwd
}
quota_full_tempfail = yes
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
verbose_proctitle = yes

I've checked the permissions on the cram-md5 file are the same as on the old system, etc.

Any and all help greatly appreciated.

Answer 1

...I eventually figured out that the file ownership and permissions details have changed. And, I made a small error in the configuration files, too.

As many software packages do, the new scheme installs with examples that include many comments and commented out lines that prompt you to get the configuration you want. However, there was no line like this in my old configuration file:

passdb {
  args = /etc/cram-md5.pwd
  driver = passwd-file
}

Of course, the file doesn't have to be called cram-md5.pwd, nor does it have to be in /etc. However, SOMEWHERE you have to point at the file!

That alone wasn't sufficient, however.

In addition, the older installation has this file wholly owned by root. The new installation liked the file to have at least group ownership by dovecot, and read and write permissions on the file.

I just picked any ole passdb "container" and put these two lines in it and suddenly it started working!

I still have some things that aren't working properly, but these are configuration options I never had working before (like tls security), so nobody is depending on these features at present!