Dovecot auth SASL for exim and plain auth issue without initial response

Stephan Bosch stephan at rename-it.nl
Wed Jan 3 01:48:44 EET 2018


On 1/2/2018 at 10:48 PM, Daniel Kenzelmann wrote:
> Hi,
>
> I'm not entirely sure whether this issue is with exim or with dovecot.
>
> First some background:
> I'm using exim with dovecot-auth which in turn is using LDAP for
> authentication.
>
> When using AUTH PLAIN with the optional initial response argument,
> everything is fine.
>
> However when using AUTH PLAIN without the optional response argument,
> instead of getting an empty challenge ("334 ") as per RFC I am getting
> a "535 Incorrect authentication data".
>
> Example:
> Working:
> 220 XXXX ESMTP 2018-01-02 22:32:33+0100
> EHLO test
> 250-XXXX Hello XXXXX [x.x.x.x]
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250-CHUNKING
> 250 HELP
> AUTH PLAIN XXXXXXXXXXXXXXXXXXXXXXXX==
> 235 Authentication succeeded
>
> NOT-WORKING:
> 220 XXXX ESMTP 2018-01-02 22:34:37+0100
> EHLO test
> 250-XXXX Hello XXXXX [x.x.x.x]
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250-CHUNKING
> 250 HELP
> AUTH PLAIN
> 535 Incorrect authentication data
>
>
> Here the SASL mechanism should return an empty challenge as per RFC
> (i.e. "334 " in SMTP):

This is an error produced by Exim. I find the Exim error handling in
Exim's implementation of the AUTH command rather peculiar. Still, I
managed to decipher at least part of it.

That error is produced when FAIL status is returned from the driver:

https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L3665

This FAIL status can be returned by the driver itself, but -- in this
case more likely -- the Dovecot driver in Exim also returns FAIL status
when Dovecot auth service returns "FAIL":

https://github.com/Exim/exim/blob/master/src/src/auths/dovecot.c#L472

So, this may very well be an issue triggered by Dovecot. What version of
Dovecot is this? Some things were modified in initial response handling
recently (v2.3) and I may have messed up something.

Does Dovecot log anything interesting with auth_verbose and auth_debug
enabled?

Regards,

Stephan.
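
The exchange discussed in this thread, as an added example (not code from Exim, Dovecot or either poster): a minimal server-side handler for AUTH PLAIN following RFC 4954, showing the empty "334 " challenge when no initial response is given. The user store, the authzid policy and the 501 reply texts are assumptions made for the demo.

```python
import base64
import binascii
import hmac

# Constructed demo credential store (user -> password); not from the thread.
USERS = {b"alice": b"correct horse"}

def check_plain(message: bytes) -> bool:
    """Validate a decoded SASL PLAIN message: authzid NUL authcid NUL passwd."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return False
    authzid, authcid, passwd = parts
    if authzid not in (b"", authcid):  # demo policy: no acting as another user
        return False
    expected = USERS.get(authcid)
    # Unknown users are compared against a dummy that can never match.
    return hmac.compare_digest(passwd, expected or b"\0") and expected is not None

def auth_plain(client_lines):
    """Server side of one AUTH PLAIN exchange; returns the server's reply lines."""
    lines = iter(client_lines)
    replies = []
    words = next(lines, "").split()
    if len(words) not in (2, 3) or [w.upper() for w in words[:2]] != ["AUTH", "PLAIN"]:
        return ["501 Syntax error"]
    if len(words) == 3:
        # Initial response present; a lone "=" means a zero-length response.
        b64 = "" if words[2] == "=" else words[2]
    else:
        # No initial response: PLAIN has no server data, so the challenge is empty.
        replies.append("334 ")
        b64 = next(lines, "*").strip()
        if b64 == "*":  # client cancels the exchange
            return replies + ["501 Authentication cancelled"]
    try:
        message = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return replies + ["501 Invalid base64 data"]
    if check_plain(message):
        return replies + ["235 Authentication succeeded"]
    return replies + ["535 Incorrect authentication data"]

if __name__ == "__main__":
    creds = base64.b64encode(b"\0alice\0correct horse").decode()
    print(auth_plain([f"AUTH PLAIN {creds}"]))  # with initial response
    print(auth_plain(["AUTH PLAIN", creds]))    # without initial response
```

Note the difference between an absent initial response, which yields the empty challenge, and an explicit `=`, which is a zero-length response and therefore fails PLAIN validation with 535.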





