ManageSieve: authenticate "EXTERNAL" not behaving correctly
Hi,
I've enabled client certificate authentication for imap and managesieve. When I use Thunderbird with the sieve plugin it tries to log in, but times out.
Initially I reported this to the sieve plugin, but we came to the conclusion that managesieve is misbehaving.
https://github.com/thsmi/sieve/issues/94
Thunderbird (win10-64) 52.4.0 (32bit)
Sieve 0.2.3k
Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)
What happens is the following (p=plugin sends, m=managesieve sends):
p:authenticate "EXTERNAL" ""
m:""
The response is unexpected. According to RFC 5804 an empty challenge/response is sent as an empty string. So I would expect:
p:authenticate "EXTERNAL" ""
m:OK "Logged in."
With the use of gnutls-cli I could reproduce (c=I send, m=managesieve sends):
gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile marc_mail.crt -p sieve 172.17.1.4
...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" ""
m:""
c:""
m:OK "Logged in."
However, if I try the "imap" syntax (rfc4959) I get logged in at once:
...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" "="
m:OK "Logged in."
Note that this is an imap only extension, "=" is an invalid base64 encoding.
Marc
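The distinction the message above turns on (no initial response, an empty one sent as `""`, and the IMAP-only `"="` marker), as an added example that is not part of the thread and is not Dovecot's code. The function names, the quoted-string-only parsing and the authorization policy are assumptions made for illustration.

```python
import base64
import binascii
import re

# AUTHENTICATE "<mechanism>" ["<base64 initial response>"], quoted strings only.
_AUTH = re.compile(r'^AUTHENTICATE\s+"([^"\\]*)"(?:\s+"([^"\\]*)")?\s*$', re.I)


def parse_authenticate(line):
    """Return (mechanism, initial_response). initial_response is None when no
    second argument was sent and b"" when the client sent the empty string."""
    m = _AUTH.match(line.strip())
    if not m:
        raise ValueError("Not an AUTHENTICATE command.")
    mech, arg = m.group(1).upper(), m.group(2)
    if arg is None:
        return mech, None
    if len(arg) % 4:  # "=" (the RFC 4959 IMAP marker) fails here
        raise ValueError("Invalid base64 data in initial response.")
    try:
        return mech, base64.b64decode(arg, validate=True)
    except binascii.Error:
        raise ValueError("Invalid base64 data in initial response.") from None


def external_first_reply(line, cert_user):
    """First server line for EXTERNAL. cert_user is the identity taken from
    the TLS client certificate, or None if the client presented none."""
    try:
        mech, initial = parse_authenticate(line)
    except ValueError as exc:
        return 'NO "%s"' % exc
    if mech != "EXTERNAL" or cert_user is None:
        return 'NO "Authentication failed."'
    if initial is None:
        return '""'  # no initial response: send an empty challenge
    authzid = initial.decode("utf-8", "replace")
    if authzid not in ("", cert_user):  # assumed policy: own identity only
        return 'NO "Authentication failed."'
    return 'OK "Logged in."'


# Constructed client lines, modelled on the ones quoted in the thread.
SAMPLES = ['authenticate "EXTERNAL" ""', 'authenticate "EXTERNAL"',
           'authenticate "EXTERNAL" "="']

if __name__ == "__main__":
    for sample in SAMPLES:
        print("c:" + sample, "->", "m:" + external_first_reply(sample, "marc"))
```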
On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
...
Will get back on this later.
Regards,
Stephan.
Stephan Bosch wrote:
On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
...
Will get back on this later.
Regards,
Stephan.
With the attached patch I could hack/workaround it
Marc
On 28-10-2017 at 17:18, Stephan Bosch wrote:
On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
...
Will get back on this later.
This was actually a Dovecot problem. Merged yesterday:
https://github.com/dovecot/core/commit/451698c60d7b3a763742c8e99503ab3059603...
https://github.com/dovecot/core/commit/e4b72bd73bfffda7906faa248eab31f936cfc...
https://github.com/dovecot/core/commit/ad3e5fb08578161731085cfc025659753d268...
https://github.com/dovecot/core/commit/981f260cfa17a22faf4ff047e479e63cad01a...
Regards,
Stephan.
Stephan Bosch wrote:
On 28-10-2017 at 17:18, Stephan Bosch wrote:
On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
...
Will get back on this later.
This was actually a Dovecot problem. Merged yesterday:
https://github.com/dovecot/core/commit/451698c60d7b3a763742c8e99503ab3059603...
https://github.com/dovecot/core/commit/e4b72bd73bfffda7906faa248eab31f936cfc...
https://github.com/dovecot/core/commit/ad3e5fb08578161731085cfc025659753d268...
https://github.com/dovecot/core/commit/981f260cfa17a22faf4ff047e479e63cad01a...
Great, thanks.
Marc
participants (2)
- Marc Weustink
- Stephan Bosch