I have not done extensive research on this error yet, but on Plesk servers running Postfix you may see this in your /usr/local/psa/var/log/maillog file from legit clients:
Aug 14 11:36:58 server1 postfix/smtpd: warning: customer-isp.net[192.0.2.1]: SASL DIGEST-MD5 authentication failed: authentication failure
Aug 14 11:36:58 server1 postfix/smtpd: A5CC82CA87F: client=customer-isp.net[192.0.2.1], sasl_method=CRAM-MD5, firstname.lastname@example.org
Notice that the failed DIGEST-MD5 authentication was immediately followed by a successful CRAM-MD5 authentication by the same customer (going by IP). This is where I need to do some more research, but for the time being, my theory is that there exist some email clients that do not handle DIGEST-MD5 properly, so they try it first, since the server advertises the ability to do it, fail, and back down to CRAM-MD5, which works fine.
Now, also in the logs, I very occasionally see successful DIGEST-MD5 authentications. This tells me that some rarely used email client, or perhaps a rarely configured option in a common email client, does indeed support DIGEST-MD5 properly, and that Plesk/Postfix also support it properly, so turning it off may prevent someone from using it. After turning it off, the same user who had been using it flipped to CRAM-MD5, so at this point in time I'm going to assume that any email program that can do DIGEST-MD5 can also likely do CRAM-MD5, so turning digest off will have no negative effects.
Why did I want to turn it off to begin with? Well, after implementing Fail2Ban (article on how to do that) on the server to block IP addresses of spammers and script kiddies, legit customers whose email clients were attempting DIGEST-MD5, failing, and then dropping to CRAM-MD5 started getting blocked by Fail2Ban because of their initial failures. Rather than tune Fail2Ban to ignore DIGEST-MD5 attempts, which would mean spammers could then just brute force away using DIGEST-MD5 with no consequence, I chose to remove the option of using DIGEST-MD5, at least until the point at which more email clients want to use it, and use it properly.
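The pattern that tripped Fail2Ban here (one mechanism fails, another succeeds at once from the same IP) can be told apart in the maillog from failures that never recover. The script below is an added example, not part of the original post; the function name find_fallbacks and the 10-second window are assumptions, and the last two sample log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# First two lines are the ones quoted above; the last two are constructed for this example.
SAMPLE_LOG = """\
Aug 14 11:36:58 server1 postfix/smtpd: warning: customer-isp.net[192.0.2.1]: SASL DIGEST-MD5 authentication failed: authentication failure
Aug 14 11:36:58 server1 postfix/smtpd: A5CC82CA87F: client=customer-isp.net[192.0.2.1], sasl_method=CRAM-MD5, firstname.lastname@example.org
Aug 14 11:40:02 server1 postfix/smtpd: warning: unknown[198.51.100.7]: SASL DIGEST-MD5 authentication failed: authentication failure
Aug 14 11:40:05 server1 postfix/smtpd: warning: unknown[198.51.100.7]: SASL DIGEST-MD5 authentication failed: authentication failure
"""

FAIL = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL (?P<mech>\S+) authentication failed")
OK = re.compile(r"client=\S*\[(?P<ip>[0-9A-Fa-f.:]+)\], sasl_method=(?P<mech>[^,\s]+)")

def parse_ts(line):
    # Syslog timestamps carry no year; 2000 is an arbitrary leap year so "Feb 29" parses.
    try:
        return datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")
    except ValueError:
        return None

def find_fallbacks(lines, window=timedelta(seconds=10)):
    """Split SASL failures into 'recovered by another mechanism' and 'never recovered'."""
    pending = {}             # ip -> (time, mechanism) of a failure not yet followed by a success
    fallbacks = Counter()    # (ip, failed mechanism, working mechanism) -> occurrences
    unrecovered = Counter()  # ip -> failures with no success inside the window
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        fail, ok = FAIL.search(line), OK.search(line)
        if fail:
            if fail["ip"] in pending:        # earlier failure was never recovered
                unrecovered[fail["ip"]] += 1
            pending[fail["ip"]] = (ts, fail["mech"])
        elif ok and ok["ip"] in pending:
            t0, mech = pending.pop(ok["ip"])
            if ts - t0 <= window:
                fallbacks[(ok["ip"], mech, ok["mech"])] += 1
            else:
                unrecovered[ok["ip"]] += 1
    unrecovered.update(pending.keys())       # failures still open at end of log
    return fallbacks, unrecovered

if __name__ == "__main__":
    fallbacks, unrecovered = find_fallbacks(SAMPLE_LOG.splitlines())
    for (ip, bad, good), n in fallbacks.items():
        print(f"{ip}: {bad} failed, then {good} succeeded ({n}x) -> client fallback")
    for ip, n in unrecovered.items():
        print(f"{ip}: {n} failure(s) with no successful login -> leave to Fail2Ban")
```

Run against the real maillog, the fallback list shows which customers would have been caught by a ban rule on SASL failures, and which mechanism they end up using.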
So, the fix is to simply get rid of DIGEST-MD5 as an option. To do that, edit /usr/lib64/sasl2/smtpd.conf. The default contents of the file will be:
pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
auto_transition: yes
sql_engine: intentionally disabled
log_level: 4
So change it to:
pwcheck_method: auxprop saslauthd
auxprop_plugin: plesk
saslauthd_path: /var/spool/postfix/private/plesk_saslauthd
mech_list: CRAM-MD5 PLAIN LOGIN
auto_transition: yes
sql_engine: intentionally disabled
log_level: 4
That does require a Postfix restart to take effect; i.e. (centos/redhat/scientific):