2.3.13 broken submission relay smtp parser

Tony Hain tony at tndh.net
Wed Jun 9 20:05:28 EEST 2021


Thanks Stephan,

That appears to be a new feature of 4.94 in response to CVE-2020-28018. One could argue that it is an Exim bug, and they really need to fix it. At the same time that character is not likely to cause any parsers to expose security holes so it is unclear why it is precluded in an smtp protocol response other than 40 year old historic syntax conventions. 

I will see what I can do to turn that off in exim, but it would be good if the dovecot team reconsidered Postel's mantra:
"be conservative in what you send and liberal in what you accept". Granted security considerations moderate how liberal one can be, but pedantic parsing rules that make no difference only reduce the utility of the software. In any case the logging could be more helpful if it would include the objectionable string.

Tony


> -----Original Message-----
> From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of
> Stephan Bosch
> Sent: Wednesday, June 09, 2021 5:21 AM
> To: Tony Hain; dovecot at dovecot.org
> Subject: Re: 2.3.13 broken submission relay smtp parser
> 
> 
> 
> On 09/06/2021 07:57, Tony Hain wrote:
> > I have a new install of dovecot 2.3.13, along with exim 4.94, in an Azure
> > hosted FreeBSD 12.2 VM. I have been running exim on local hardware with
> > FreeBSD for 15+ years, but dovecot and Azure are a new "learning
> > experience". I am getting an error response in dovecot.log when trying to
> > use the submission relay function, which is apparently new in 2.3...  It
> > would appear the parser is either broken or has a character set limitation
> > that no other smtp implementation has. I finally gave up trying to figure
> > out what I might have done wrong in setting up exim and pointed dovecot at
> > mailjet and got the same error.
> >
> > Jun 08 19:39:42 submission(testing at dispatch.tndh.net)<89538><lOfAL0zEFNmsOCrh>: Warning: smtp-client: conn in-v3.mailjet.com:587 (104.199.96.85:587) [1]: Received invalid EHLO response line: Unexpected character in EHLO keyword
> > Jun 08 19:39:42 submission(testing at dispatch.tndh.net)<89538><lOfAL0zEFNmsOCrh>: Warning: smtp-client: conn in-v3.mailjet.com:587 (104.199.96.85:587) [1]: Received invalid EHLO response line: Unexpected character in EHLO keyword
> >
> > I didn't try the mailjet path with telnet, but I had done that earlier with
> > the local exim server and I can't see any invalid characters, even in the
> > tcpdump pcap file.
> >
> > Jun 08 10:49:42 submission(testing at dispatch.tndh.net)<29791><j8NnyETEqV2sOCq3>: Warning: smtp-client: conn 127.0.0.1:58 [1]: Received invalid EHLO response line: Unexpected character in EHLO keyword
> > # telnet localhost 58
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 secure smtp server
> > ehlo dovecot.tndh.net
> > 250-exim.tndh.net Hello dovecot.tndh.net [127.0.0.1]
> > 250-SIZE 536870912
> > 250-8BITMIME
> > 250-VRFY
> > 250-PIPELINING
> > 250-X_PIPE_CONNECT
> > 250-AUTH CRAM-MD5
> > 250-CHUNKING
> > 250-SMTPUTF8
> > 250 HELP
> 
> There is your problem. We should probably allow this in Dovecot (seen
> this problem before), but the underscore in the X_PIPE_CONNECT
> capability is not allowed in SMTP.
> 
> Regards,
> 
> Stephan.
> 
> >
> > This might be some confusion about starttls on the mailjet path, but if that
> > is true the error message is wrong; and it wouldn't be true for the local
> > exim open smtp port. If it really is smtp, it would be most helpful if the
> > error message actually reported what string it is taking issue with.
> >
> > I have the dovecot-sysreport, but I am not encouraged about sending it when
> > stdout presented:
> > # dovecot-sysreport
> > Gathering configurations ...
> > grep: The -P option is not supportedgrep:
> > The -P option is not supported
> > grep: The -P option is not supported
> > Gathering system informations ...
> > Creating archive ...
> > All done! Please report file dovecot-sysreport-TNDH-mail-1623209001.tar.gz
> > Removing temp files at /tmp/tmp.kphlba44 ...
> > #
> >
> > While dovecot -n stdout presented the line:
> > ssl_key = # hidden, use -P to show it
> >
> > expecting people to put sensitive configuration on a public mail list
> > without knowing what the tool is including is a challenge, but when the tool
> > is errantly using the command line option that is also used for exposing the
> > private data by a related tool, it is even less likely that I want to do
> > that. While the dovecot -n option did hide passwords, it did not hide the
> > username associated with that. I will put dovecot -n (redacted) here, but
> > until I have time to see exactly what the sysreport included, I am not
> > releasing that.
> >
> > # 2.3.13 (89f716dc2): /usr/local/etc/dovecot/dovecot.conf
> > # Pigeonhole version 0.5.13 (cdd19fe3)
> > # OS: FreeBSD 12.2-RELEASE-p4 amd64  ufs
> > # Hostname: TNDH-mail.g4msrgoph2uevil3ys5jvbbpza.jx.internal.cloudapp.net
> > auth_debug = yes
> > auth_debug_passwords = yes
> > auth_verbose = yes
> > debug_log_path = /var/log/dovecot-debug.log
> > disable_plaintext_auth = no
> > first_valid_uid = 220
> > hostname = dispatch.tndh.net
> > imap_idle_notify_interval = 20 mins
> > info_log_path = /var/log/dovecot-info.log
> > last_valid_uid = 220
> > log_debug = (event=* AND cat=*)
> > log_path = /var/log/dovecot.log
> > login_greeting = tndh.net Mailer Server Ready ...
> > login_trusted_networks = 127.0.0.1 10.0.0.4
> > mail_debug = yes
> > mail_location = maildir:/usr/local/var/dovecot/vhosts/%d/%n
> > mail_plugins = mail_log notify notify_status
> > managesieve_notify_capability = mailto
> > managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> > namespace inbox {
> >    inbox = yes
> >    location =
> >    mailbox Drafts {
> >      auto = subscribe
> >      special_use = \Drafts
> >    }
> >    mailbox Junk {
> >      auto = subscribe
> >      special_use = \Junk
> >    }
> >    mailbox Sent {
> >      auto = subscribe
> >      special_use = \Sent
> >    }
> >    mailbox Trash {
> >      auto = subscribe
> >      special_use = \Trash
> >    }
> >    mailbox virtual/Flagged {
> >      auto = subscribe
> >      special_use = \Flagged
> >    }
> >    prefix =
> >    separator = /
> >    type = private
> > }
> > passdb {
> >    args = username_format=%n /usr/local/var/dovecot/db/%d/passwd
> >    driver = passwd-file
> > }
> > plugin {
> >    expire = Trash
> >    mail_home = /usr/local/var/dovecot/vhosts/%d/%n
> >    mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
> >    mail_log_fields = uid box msgid size
> >    recipient_delimiter = +
> >    sieve = /usr/local/var/dovecot/vhosts/%d/%n/sieve/.dovecot.sieve
> >    sieve_after = /usr/local/var/dovecot/vhosts/%d/%n/sieve/sieve-after.d
> >    sieve_before = /usr/local/var/dovecot/vhosts/%d/%n/sieve/sieve-before.d
> >    sieve_dir = /usr/local/var/dovecot/vhosts/%d/%n/sieve
> >    sieve_global_path = /usr/local/var/dovecot/vhosts/sieve/default.sieve
> > }
> > pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
> > protocols = imap pop3 lmtp submission
> > service auth-worker {
> >    user = vmail
> > }
> > service imap-login {
> >    inet_listener imap {
> >      port = 143
> >    }
> >    inet_listener imaps {
> >      port = 993
> >      ssl = yes
> >    }
> > }
> > service stats {
> >    unix_listener stats-writer {
> >      mode = 0666
> >    }
> > }
> > service submission-login {
> >    inet_listener submission {
> >      port = 465
> >      ssl = yes
> >    }
> > }
> > ssl_cert = </usr/local/etc/dovecot/ssl/certs/dovecot.pem
> > ssl_key = # hidden, use -P to show it
> > submission_relay_host = in-v3.mailjet.com
> > submission_relay_password = # hidden, use -P to show it
> > submission_relay_port = 587
> > submission_relay_rawlog_dir = /var/log
> > submission_relay_ssl = starttls
> > submission_relay_user = **-as-if-I-want-this-on-a-public-list-**
> > userdb {
> >    args = username_format=%n /usr/local/var/dovecot/db/%d/passwd
> >    driver = passwd-file
> > }
> > verbose_ssl = yes
> > protocol lmtp {
> >    mail_fsync = optimized
> >    mail_plugins = mail_log notify notify_status sieve
> > }
> > protocol imap {
> >    mail_max_userip_connections = 10
> >    mail_plugins = mail_log notify notify_status imap_sieve
> > }
> > protocol pop3 {
> >    mail_max_userip_connections = 10
> >    mail_plugins = mail_log notify notify_status
> > }
> > protocol lda {
> >    mail_fsync = optimized
> >    mail_plugins = mail_log notify notify_status sieve
> > }
> >
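Added illustration (not code from the thread, from Dovecot or from Exim) of the rule Stephan points at: RFC 5321 section 4.1.1.1 defines `ehlo-keyword = (ALPHA / DIGIT) *(ALPHA / DIGIT / "-")`, so `X_PIPE_CONNECT` fails a strict parser on its underscore. The parser below applies that grammar to the EHLO reply quoted above, offers a lenient mode that tolerates only the underscore (an assumption made for illustration, not Dovecot's behaviour), and writes the rejected token into every error so the log line says what was objected to. `STRICT_KEYWORD`, `LENIENT_KEYWORD`, `parse_ehlo_response` and the sample list `EXIM_EHLO_REPLY` are names chosen here.

```python
import re
from dataclasses import dataclass, field

# RFC 5321 section 4.1.1.1, the grammar of a successful EHLO reply:
#   ehlo-ok-rsp  = ( "250" SP Domain [ SP ehlo-greet ] CRLF )
#                / ( "250-" Domain [ SP ehlo-greet ] CRLF
#                    *( "250-" ehlo-line CRLF )
#                    "250" SP ehlo-line CRLF )
#   ehlo-line    = ehlo-keyword *( SP ehlo-param )
#   ehlo-keyword = (ALPHA / DIGIT) *(ALPHA / DIGIT / "-")
#   ehlo-param   = 1*(%d33-126)   ; printable ASCII, no SP, no controls
STRICT_KEYWORD = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")
# Lenient variant (assumption for illustration): additionally accept "_" inside
# a keyword, which is what an Exim X_PIPE_CONNECT advertisement needs. Nothing
# else is relaxed; control characters in particular stay rejected.
LENIENT_KEYWORD = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")
EHLO_PARAM = re.compile(r"^[\x21-\x7e]+$")


@dataclass
class EhloResult:
    domain: str = ""
    capabilities: dict = field(default_factory=dict)  # KEYWORD -> list of params
    errors: list = field(default_factory=list)        # each names the rejected text

    @property
    def ok(self):
        return not self.errors


def parse_ehlo_response(lines, strict=True):
    """Parse the lines of a 250 EHLO reply (already split on CRLF, CRLF removed).

    strict=True applies the RFC 5321 keyword grammar exactly; strict=False
    additionally tolerates "_". Every error quotes the rejected token and the
    whole line, so a log entry built from it reports what was rejected.
    """
    keyword_re = STRICT_KEYWORD if strict else LENIENT_KEYWORD
    result = EhloResult()
    if not lines:
        result.errors.append("empty EHLO response")
        return result
    for index, line in enumerate(lines):
        last = index == len(lines) - 1
        # Reply code plus continuation marker: "250-" on all but the last line,
        # "250 " (space) on the last one.
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            result.errors.append(f"malformed reply line {line!r}")
            return result
        if (line[3] == " ") != last:
            result.errors.append(
                f"continuation marker does not match line position in {line!r}")
            return result
        body = line[4:]
        # A stray CR, LF or other control character is never legal in an ehlo-line,
        # whatever the keyword policy is; reject the whole reply.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in body):
            result.errors.append(f"control character in EHLO response line {line!r}")
            return result
        tokens = body.split(" ")
        if index == 0:
            # The first line carries the server's domain; the rest is greeting text.
            result.domain = tokens[0]
            continue
        keyword, params = tokens[0], [t for t in tokens[1:] if t]
        if not keyword_re.match(keyword):
            result.errors.append(
                f"Unexpected character in EHLO keyword {keyword!r} (line {line!r})")
            continue
        bad = [p for p in params if not EHLO_PARAM.match(p)]
        if bad:
            result.errors.append(f"invalid EHLO parameter {bad[0]!r} (line {line!r})")
            continue
        result.capabilities[keyword.upper()] = params
    return result


# Constructed sample input: the Exim 4.94 EHLO reply quoted in the thread above.
EXIM_EHLO_REPLY = [
    "250-exim.tndh.net Hello dovecot.tndh.net [127.0.0.1]",
    "250-SIZE 536870912",
    "250-8BITMIME",
    "250-VRFY",
    "250-PIPELINING",
    "250-X_PIPE_CONNECT",
    "250-AUTH CRAM-MD5",
    "250-CHUNKING",
    "250-SMTPUTF8",
    "250 HELP",
]

if __name__ == "__main__":
    for mode in (True, False):
        r = parse_ehlo_response(EXIM_EHLO_REPLY, strict=mode)
        print("strict" if mode else "lenient", "ok" if r.ok else r.errors)
```

Run as-is, the strict pass reports `Unexpected character in EHLO keyword 'X_PIPE_CONNECT'` while still recording the other capabilities, and the lenient pass accepts the reply. The design point behind the two regexes is where being "liberal in what you accept" is cheap: a keyword is only ever compared against a client's list of known extension names, so an extra underscore cannot change how the reply is interpreted, whereas CR, LF and other control characters in a reply line can alter where one line ends and the next begins, so the parser refuses those in both modes.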
