On 30/05/2023 20:54 EEST Thomas Lemarchand via dovecot <dovecot@dovecot.org> wrote:
Hello,
On version 2.3.20 (80a5ac675d), I have a problem with submission-login when using GSSAPI auth: it's not working, probably due to AUTH line being too long. It appeared after I activated PAC on my Kerberos infrastructure. Now the Kerberos tickets contain MS-PAC data and are bigger. It's part of the RFC and is a valid use case: https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6
Logs:
My guess is that it's due to https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10 being too low (is it configurable?), but I didn't read the code thoroughly. Red Hat IDM now activates MS-PAC by default, so any installation based on IDM (or FreeIPA) may have the same problem. What's your opinion? Bug?
Mail sent using password auth :'(
-- Thomas Lemarchand
Hi!
This is an RFC limitation. SASL-IR may not exceed 998 bytes including AUTH GSSAPI and \r\n.
If the SASL-IR exceeds this, then the client must use interactive SASL.
Aki
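
Added example, not part of the thread and not Dovecot's code: a client-side check for the rule in the reply above, using the 998-byte figure as stated there. The function names and the sample token sizes are assumptions made for illustration.

```python
import base64

# Limit as stated in the reply above: the whole AUTH line, CRLF included.
MAX_AUTH_LINE = 998


def max_ir_token_len(mechanism: str, limit: int = MAX_AUTH_LINE) -> int:
    """Largest raw SASL token (bytes) that still fits as an initial response."""
    room = limit - len(f"AUTH {mechanism} ") - len("\r\n")
    return room // 4 * 3  # base64 turns every 3 raw bytes into 4 characters


def plan_auth(mechanism: str, token: bytes, limit: int = MAX_AUTH_LINE) -> list:
    """Return the client lines to send, in order.

    One line  -> SASL-IR: the token rides on the AUTH command.
    Two lines -> interactive SASL: bare AUTH first, then the token on its
                 own line once the server has answered with a 334 challenge.
    """
    mech = mechanism.encode("ascii")
    b64 = base64.b64encode(token) if token else b"="  # "=" is an empty response
    ir_line = b"AUTH " + mech + b" " + b64 + b"\r\n"
    if len(ir_line) <= limit:
        return [ir_line]
    return [b"AUTH " + mech + b"\r\n", b64 + b"\r\n"]


if __name__ == "__main__":
    # Constructed stand-ins for GSSAPI tokens; sizes are illustrative only.
    samples = {"ticket without PAC": bytes(600), "ticket with PAC": bytes(1800)}
    print("max raw token for SASL-IR:", max_ir_token_len("GSSAPI"), "bytes")
    for label, tok in samples.items():
        lines = plan_auth("GSSAPI", tok)
        mode = "SASL-IR" if len(lines) == 1 else "interactive"
        print(f"{label}: {len(tok)} bytes -> {mode}, first line {len(lines[0])} bytes")
```

Because of base64 expansion, the raw token has to stay well under the line limit for SASL-IR to be usable, which is why a ticket enlarged by PAC data can push a previously working client over it.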