Start by removing PIPELINING unless you have a real need because of an inbound filtering device...
PIPELINING is kind of useless to advertise for most modern implementations where you do inline validation of data, IMHO.
IMHO it should NOT be advertised by default anymore.
On 2023-05-30 10:54, Thomas Lemarchand via dovecot wrote:
Hello,
On version 2.3.20 (80a5ac675d), I have a problem with submission-login when using GSSAPI auth: it's not working, probably due to the AUTH line being too long. It appeared after I activated PAC on my Kerberos infrastructure. Now the Kerberos tickets contain MS-PAC data and are bigger. It's part of the RFC and is a valid use case: https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6
Logs:
May 30 17:13:00 auth: Debug: auth client connected (pid=378)
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sent: 220 mail.int.k8s.lemarchand.io Dovecot ready.
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: New command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Execute command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Pipeline blocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: 250 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Pipeline unblocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Connection state reset
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: 250 reply: Sent: 250-mail.int.k8s.lemarchand.io 8BITMIME AUTH GSSAPI PLAIN LOGIN BURL imap CHUNKING ENHANCEDSTATUSCODES SIZE PIPELINING
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: 250 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Client sent invalid command: Command line is too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Invalid command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Sent: 500 5.5.2 Line too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Remote closed connection: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Disconnected: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Connection state reset
My guess is that it's due to https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10 being too low (is it configurable?), but I didn't read the code thoroughly. Red Hat IDM now activates MS-PAC by default, so any installation based on IDM (or FreeIPA) may have the same problem. What's your opinion? Bug?
Mail sent using password auth :'(
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
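Added example, not part of the thread and not Dovecot code: a small parser for the submission-login debug log format quoted above that lists the connections rejected with "Command line is too long" and whether AUTH GSSAPI had been advertised to them. The sample lines, host name and addresses are constructed; the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug log quoted in the thread
# (documentation-range addresses and host name, not values from the report).
P = "May 30 17:13:00 submission-login: Debug: smtp-server: conn "
SAMPLE_LOG = "\n".join([
    P + "192.0.2.10:13587 [1]: Received new command: EHLO [192.0.2.10]",
    P + "192.0.2.10:13587 [1]: command EHLO: 250 reply: Sent: "
        "250-mail.example.test 8BITMIME AUTH GSSAPI PLAIN LOGIN SIZE PIPELINING",
    P + "192.0.2.10:13587 [1]: Client sent invalid command: Command line is too long",
    P + "192.0.2.10:13587 [1]: command [unknown]: 500 reply: Sent: 500 5.5.2 Line too long",
    P + "192.0.2.20:40112 [2]: Received new command: EHLO [192.0.2.20]",
    P + "192.0.2.20:40112 [2]: Received new command: QUIT",
])

LINE_RE = re.compile(r"smtp-server: conn (?P<peer>\S+) \[(?P<id>\d+)\]: (?P<msg>.*)$")

def find_oversized_commands(log_text):
    """Return one finding per connection that had a command line rejected as too long."""
    conns = defaultdict(lambda: {"peer": None, "gssapi_offered": False,
                                 "commands": [], "too_long": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. auth process lines, which carry no connection id
        c = conns[m["id"]]
        c["peer"] = m["peer"]
        msg = m["msg"]
        if msg.startswith("Received new command: "):
            # Keep only the verb; parameters are not needed for triage.
            c["commands"].append(msg.split(": ", 1)[1].split()[0])
        elif "250 reply: Sent:" in msg and re.search(r"\bAUTH\b.*\bGSSAPI\b", msg):
            c["gssapi_offered"] = True
        elif "Command line is too long" in msg:
            c["too_long"] = True
    # The rejected line never parses into a command, so only the commands
    # seen before it are known.
    return [{"conn": cid, "peer": c["peer"],
             "gssapi_offered": c["gssapi_offered"],
             "commands_before": c["commands"]}
            for cid, c in conns.items() if c["too_long"]]

if __name__ == "__main__":
    for finding in find_oversized_commands(SAMPLE_LOG):
        print(finding)
```
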