GSSAPI auth Line too long
Hello,
On version 2.3.20 (80a5ac675d), I have a problem with submission-login when using GSSAPI auth : it's not working, probably due to AUTH line being too long. It appeared after I activated PAC on my Kerberos infrastructure. Now the Kerberos tickets contain MS-PAC data and are bigger. It's part of the RFC and is a valid use case : https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6
Logs :
May 30 17:13:00 auth: Debug: auth client connected (pid=378)
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sent: 220 mail.int.k8s.lemarchand.io Dovecot ready.
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: New command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Execute command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Pipeline blocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: 250 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Pipeline unblocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Connection state reset
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: 250 reply: Sent: 250-mail.int.k8s.lemarchand.io 8BITMIME AUTH GSSAPI PLAIN LOGIN BURL imap CHUNKING ENHANCEDSTATUSCODES SIZE PIPELINING
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: 250 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Client sent invalid command: Command line is too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Invalid command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Sent: 500 5.5.2 Line too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Remote closed connection: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Disconnected: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Connection state reset
My guess is that it's due to https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10 being too low (is it configurable ?), but I didn't read the code thoroughly. Red Hat IDM now activates MS-PAC by default, so any installation based on IDM (or FreeIPA) may have the same problem. What's your opinion ? Bug ?
Mail sent using password auth :'(
-- Thomas Lemarchand
On 30-05-2023 19:54, Thomas Lemarchand via dovecot wrote:
Hello,
On version 2.3.20 (80a5ac675d), I have a problem with submission-login when using GSSAPI auth : it's not working, probably due to AUTH line being too long. It appeared after I activated PAC on my Kerberos infrastructure. Now the Kerberos tickets contain MS-PAC data and are bigger. It's part of the RFC and is a valid use case : https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6
Correct, but you can and should increase line length:
imap_max_line_length = 2M
With this length it works for me with Samba-AD-DC.
- Kees.
Thank you for this idea, I already had "imap_max_line_length = 256k", I tried 2M, unfortunately it still does not work.
-- Thomas
On 5/30/23 20:27, Kees van Vloten wrote:
Correct, but you can and should increase line length:
imap_max_line_length = 2M
With this length it works for me with Samba-AD-DC.
- Kees.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
On 30/05/2023 20:54 EEST Thomas Lemarchand via dovecot <dovecot@dovecot.org> wrote:
Hello,
On version 2.3.20 (80a5ac675d), I have a problem with submission-login when using GSSAPI auth : it's not working, probably due to AUTH line being too long. It appeared after I activated PAC on my Kerberos infrastructure. Now the Kerberos tickets contain MS-PAC data and are bigger. It's part of the RFC and is a valid use case : https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6
Logs :
My guess is that it's due to https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10 being too low (is it configurable ?), but I didn't read the code thoroughly. Red Hat IDM now activates MS-PAC by default, so any installation based on IDM (or FreeIPA) may have the same problem. What's your opinion ? Bug ?
Mail sent using password auth :'(
-- Thomas Lemarchand
Hi!
This is an RFC limitation. SASL-IR may not exceed 998 bytes including AUTH GSSAPI and \r\n.
If the SASL-IR exceeds this, then the client must use interactive SASL.
Aki
Hi !
Are you saying I should open a bug report for Thunderbird developers ? I did not find a reference to a 998 bytes limit, do you have something I can refer to ?
Thank you.
Thomas Lemarchand
On 5/30/23 20:35, Aki Tuomi via dovecot wrote:
Hi!
This is an RFC limitation. SASL-IR may not exceed 998 bytes including AUTH GSSAPI and \r\n.
If the SASL-IR exceeds this, then the client must use interactive SASL.
Aki
On 31-05-2023 at 11:00, Thomas Lemarchand via dovecot wrote:
Hi !
Are you saying I should open a bug report for Thunderbird developers ? I did not find a reference to a 998 bytes limit, do you have something I can refer to ?
Thank you.
Well, I have a working setup with postfix+dovecot (with submission-relay), samba-ad-dc and thunderbird using gssapi authentication on the clients (both windows and linux clients).
There must be something different in your setup causing the issue.
- Kees.
On 31/05/2023 12:00 EEST Thomas Lemarchand via dovecot <dovecot@dovecot.org> wrote:
Hi !
Are you saying I should open a bug report for Thunderbird developers ? I did not find a reference to a 998 bytes limit, do you have something I can refer to ?
Thank you.
Thomas Lemarchand
Please see https://datatracker.ietf.org/doc/html/rfc4954#section-4
"Note that the AUTH command is still subject to the line length limitations defined in [SMTP]. If use of the initial response argument would cause the AUTH command to exceed this length, the client MUST NOT use the initial response parameter (and instead proceed as defined in Section 5.1 of [SASL])."
Aki
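The fallback that the RFC 4954 passage quoted above requires, as an added example that is not part of the original thread and not Dovecot or Thunderbird code: a client measures the AUTH line before sending it and switches to the interactive exchange when the initial response would not fit. The 998-byte default is the figure given in the thread; the function names and the token sizes are constructed for illustration.

```python
import base64

CRLF = b"\r\n"
# Figure quoted in the thread: the AUTH line, counting "AUTH GSSAPI" and CRLF,
# may not exceed 998 bytes. Kept as a parameter because the server that
# enforces the limit decides the real value (assumption of this example).
THREAD_LINE_LIMIT = 998


def encode_response(data: bytes) -> bytes:
    """Base64 form of a SASL response; RFC 4954 writes an empty one as '='."""
    return base64.b64encode(data) if data else b"="


def auth_line_length(mechanism: str, initial_response: bytes) -> int:
    """Wire length of 'AUTH <mechanism> <base64>' including the trailing CRLF."""
    prefix = b"AUTH " + mechanism.encode("ascii") + b" "
    return len(prefix) + len(encode_response(initial_response)) + len(CRLF)


def max_inline_token_bytes(mechanism: str, limit: int = THREAD_LINE_LIMIT) -> int:
    """Largest raw token whose base64 form still fits in a single AUTH line."""
    overhead = len(b"AUTH " + mechanism.encode("ascii") + b" ") + len(CRLF)
    # base64 emits 4 characters per 3 input bytes, rounded up to whole groups.
    return max(0, (limit - overhead) // 4 * 3)


def plan_auth(mechanism: str, initial_response: bytes,
              limit: int = THREAD_LINE_LIMIT):
    """Return the client side of the AUTH exchange as (action, data) steps."""
    mech = mechanism.encode("ascii")
    token = encode_response(initial_response)
    if auth_line_length(mechanism, initial_response) <= limit:
        # Initial response fits: one round trip.
        return [("send", b"AUTH " + mech + b" " + token + CRLF)]
    # Too long: the client MUST NOT use the initial response parameter.
    # Send the bare command, wait for the empty 334 challenge, then send the
    # token on its own line. RFC 4954 section 4 requires both sides to handle
    # the full encoded size of such responses, independent of other line limits.
    return [
        ("send", b"AUTH " + mech + CRLF),
        ("expect", b"334 "),
        ("send", token + CRLF),
    ]


if __name__ == "__main__":
    # Constructed token sizes: a small ticket and one enlarged by PAC data.
    for size in (600, 4000):
        steps = plan_auth("GSSAPI", b"\x00" * size)
        print(size, "bytes ->", [(a, len(d)) for a, d in steps])
    print("largest inline GSSAPI token:", max_inline_token_bytes("GSSAPI"))
```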
Start by removing PIPELINING unless you have a real need because of an inbound filtering device...
PIPELINING is kind of useless to advertise for most modern implementations where you do inline validation of data.. IMHO
IMHO it should NOT be advertised by default anymore..
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
participants (4): Aki Tuomi, Kees van Vloten, Michael Peddemors, Thomas Lemarchand