Hi,

> A colleague of mine discovered that saslauthd of cyrus-sasl cannot log in to
> dovecot imapd 2.x since that is sending
> 
>   "* CAPABILITY ..."
>   "saslauthd OK ..."
> 
> rather than just
> 
>   "saslauthd OK ..."
> 
> for a login reply.  Either is valid IMAP protocol, see [1].

this issue occurs when SASL is used with the rimap mechanism knocking on
the IMAP server to validate login credentials used to authenticate.

While we spotted the issue on Dovecot, the underlying issue applies to
all IMAP servers in principle, as SASL violates the IMAP protocol as
Sebastian cited.

The actual difference between Dovecot 1 and 2 is this:

# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
...
c: 10 LOGIN [email protected] XYZ
s: 10 OK Open Sesame!
c: 20 LOGOUT
s: * BYE Logging out
s: 20 OK Logout completed.
Connection closed by foreign host.



[root@wv-mail-smtp2:~at]# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
...
c: 10 LOGIN [email protected] XYZ
s: * CAPABILITY IMAP4 IMAP4REV1 LITERAL+ QUOTA ACL RIGHTS=texk
s: 10 OK Open Sesame!
c: 20 LOGOUT
s: * BYE Logging out
s: 20 OK Logout completed.
Connection closed by foreign host.


SASL, however, parses the /first/ line of the reply for the possible
status code only. Thus, it does not recognize the reply and fails out
with errors like

Jul  2 12:18:59 mail-host saslauthd[20625]: auth_rimap: unexpected
response to auth request: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES
THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS
LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES
WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE QUOTA ACL RIGHTS=texk
Jul  2 12:18:59 mail-host saslauthd[20625]: do_auth         : auth
failure: [[email protected]] [service=smtp] [realm=dovecot2.host]
[mech=rimap] [reason=[ALERT] Unexpected response from remote
authentication server]

The reply, however, is perfectly valid and allowed by RFC 3501 S. 6.2.3.


Ondřej, since this effectively breaks the interaction of SASL with
Dovecot in Debian when rimap is in use, please consider uploading the
patch to proposed updates for Squeeze and Wheezy. I owe you a cookie if
you do. :-)

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D

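As an added example, not part of the message above and not cyrus-sasl's or Dovecot's own code, here is a small Python model of the difference being discussed: a first-line-only check of the kind the thread attributes to saslauthd's rimap mechanism, next to a client that reads lines until its own tagged completion arrives, skipping untagged ("* ") data as RFC 3501 allows. The two reply styles are constructed from the transcripts above; the rejection and untagged BYE replies, the fake server, the socketpair exchange and the quoting helper are assumptions for the demonstration only.

```python
import re
import socket
import threading

# Constructed sample replies modelled on the transcripts above (not captured
# from the hosts in the report); tag "10" matches the LOGIN tag used there.
DOVECOT1_STYLE = b"10 OK Open Sesame!\r\n"
DOVECOT2_STYLE = (b"* CAPABILITY IMAP4 IMAP4REV1 LITERAL+ QUOTA ACL RIGHTS=texk\r\n"
                  b"10 OK Open Sesame!\r\n")
REJECT_STYLE = b"10 NO [AUTHENTICATIONFAILED] Authentication failed.\r\n"  # assumed
BYE_STYLE = b"* BYE Too many connections\r\n"                                # assumed

TAGGED_RE = re.compile(rb"^([A-Za-z0-9]+) (OK|NO|BAD)(?: |$)")


def first_line_status(reply: bytes, tag: bytes) -> str:
    """Models the behaviour the thread describes: only the first line of the
    reply is examined. Returns "ok", "no" or "unexpected"."""
    m = TAGGED_RE.match(reply.split(b"\r\n", 1)[0])
    if m is None or m.group(1) != tag:
        return "unexpected"
    return "ok" if m.group(2) == b"OK" else "no"


def tagged_status(lines, tag: bytes) -> str:
    """RFC 3501-style client logic: untagged responses may precede the tagged
    completion, so skip them until the line carrying *our* tag arrives.
    `lines` is any iterable of CRLF-stripped response lines."""
    for line in lines:
        if line.startswith(b"* "):
            if line[2:].split(b" ", 1)[0].upper() == b"BYE":
                return "unexpected"           # server is closing the connection
            continue                          # CAPABILITY, OK [ALERT] ..., etc.
        m = TAGGED_RE.match(line)
        if m is None or m.group(1) != tag:
            return "unexpected"               # malformed, or someone else's tag
        return "ok" if m.group(2) == b"OK" else "no"
    return "unexpected"                       # stream ended without our tag


def quote_astring(value: str) -> bytes:
    """Encode a credential as an IMAP quoted string. CR, LF and NUL are refused
    rather than escaped: a password containing them could inject a second
    command into the IMAP stream (a literal would be needed to carry them)."""
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("CR, LF and NUL are not allowed in quoted strings")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return b'"' + escaped.encode("utf-8") + b'"'


def iter_lines(sock):
    """Yield CRLF-terminated lines read from a socket, without the CRLF."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            yield line


def rimap_login(sock, user: str, password: str, tag: bytes = b"10") -> str:
    """Send LOGIN and wait for our tagged response, whatever precedes it."""
    sock.sendall(tag + b" LOGIN " + quote_astring(user) + b" "
                 + quote_astring(password) + b"\r\n")
    return tagged_status(iter_lines(sock), tag)


def fake_imap_server(sock, reply: bytes):
    """Constructed stand-in for the IMAP side: greets (an untagged line the
    client must also skip), consumes the LOGIN line, answers, closes."""
    sock.sendall(b"* OK IMAP server ready.\r\n")
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    sock.sendall(reply)
    sock.close()


def run_exchange(reply: bytes, user: str = "user", password: str = 'p\\"ss') -> str:
    """Run one LOGIN exchange against the fake server over a socketpair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_imap_server, args=(server, reply))
    t.start()
    try:
        return rimap_login(client, user, password)
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    for name, reply in (("Dovecot 1 style", DOVECOT1_STYLE),
                        ("Dovecot 2 style", DOVECOT2_STYLE)):
        print(name, "first line only:", first_line_status(reply, b"10"),
              "/ read to tag:", run_exchange(reply))
```

The first-line check accepts the Dovecot 1 style reply and reports the Dovecot 2 style reply as unexpected; reading to the tagged line accepts both, still rejects a tagged NO and an untagged BYE, and ignores a tagged reply that carries a tag other than the one sent.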