On 30-05-2023 19:54, Thomas Lemarchand via dovecot wrote:
Hello,
On version 2.3.20 (80a5ac675d), I have a problem with submission-login
when using GSSAPI auth: it's not working, probably due to the AUTH line
being too long.
It appeared after I activated PAC on my Kerberos infrastructure. Now
the Kerberos tickets contain MS-PAC data and are bigger. It's part of
the RFC and is a valid use case:
https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6

Correct, but you can and should increase line length:

imap_max_line_length = 2M

With this length it works for me with Samba-AD-DC.

- Kees.

Logs:
May 30 17:13:00 auth: Debug: auth client connected (pid=378)
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sent: 220 mail.int.k8s.lemarchand.io Dovecot
ready.
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: New command
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Execute command
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Pipeline blocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: 250 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Pipeline unblocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Connection state reset
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: 250 reply: Sent:
250-mail.int.k8s.lemarchand.io 8BITMIME AUTH GSSAPI PLAIN LOGIN BURL
imap CHUNKING ENHANCEDSTATUSCODES SIZE PIPELINING
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: 250 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Client sent invalid command: Command line is
too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Invalid command
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Sent: 500
5.5.2 Line too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Remote closed connection: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Disconnected: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Connection state reset
My guess is that it's due to
https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10
being too low (is it configurable?), but I didn't read the code
thoroughly.
Red Hat IDM now activates MS-PAC by default, so any installation based
on IDM (or FreeIPA) may have the same problem.
What's your opinion? Bug?
Mail sent using password auth :'(
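
Added example, not part of the thread and not Dovecot code: a small triage script that scans submission-login debug output for the pattern in the log above, where a connection is offered AUTH GSSAPI and is then rejected with "Line too long" before any command after EHLO is parsed. The sample lines are constructed (documentation addresses, one unwrapped log entry per line), and the function name `oversized_gssapi_suspects` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the debug format quoted above, one entry per line.
# Hosts and addresses are placeholders, not values from the thread.
P = "submission-login: Debug: smtp-server: conn"
SAMPLE_LOG = f"""\
May 30 17:13:00 {P} 192.0.2.10:13587 [1]: Received new command: EHLO [192.0.2.10]
May 30 17:13:00 {P} 192.0.2.10:13587 [1]: command EHLO: 250 reply: Sent: 250-mail.example.test 8BITMIME AUTH GSSAPI PLAIN LOGIN PIPELINING
May 30 17:13:00 {P} 192.0.2.10:13587 [1]: Client sent invalid command: Command line is too long
May 30 17:13:00 {P} 192.0.2.10:13587 [1]: command [unknown]: 500 reply: Sent: 500 5.5.2 Line too long
May 30 17:14:02 {P} 192.0.2.20:40112 [2]: Received new command: EHLO [192.0.2.20]
May 30 17:14:02 {P} 192.0.2.20:40112 [2]: command EHLO: 250 reply: Sent: 250-mail.example.test 8BITMIME AUTH GSSAPI PLAIN LOGIN PIPELINING
May 30 17:14:03 {P} 192.0.2.20:40112 [2]: Received new command: QUIT
May 30 17:15:10 {P} 192.0.2.30:50001 [3]: Received new command: EHLO [192.0.2.30]
May 30 17:15:10 {P} 192.0.2.30:50001 [3]: command EHLO: 250 reply: Sent: 250-mail.example.test 8BITMIME AUTH PLAIN LOGIN PIPELINING
May 30 17:15:10 {P} 192.0.2.30:50001 [3]: Client sent invalid command: Command line is too long
"""

# Connection key is "ip:port [id]", as printed by smtp-server in the log above.
CONN = re.compile(r"smtp-server: conn (\S+ \[\d+\]): (.*)$")

def oversized_gssapi_suspects(log_text):
    """Connections offered GSSAPI, then refused for line length right after EHLO."""
    state = defaultdict(lambda: {"gssapi": False, "too_long": False, "cmds": []})
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        conn, msg = m.groups()
        s = state[conn]
        if msg.startswith("Received new command: "):
            # Keep only the verb, e.g. "EHLO" from "EHLO [192.0.2.10]".
            s["cmds"].append(msg.split(": ", 1)[1].split()[0].upper())
        elif "250 reply: Sent:" in msg and re.search(r"\bAUTH\b.*\bGSSAPI\b", msg):
            s["gssapi"] = True
        elif "Command line is too long" in msg or "500 5.5.2" in msg:
            s["too_long"] = True
    # The overflowing line is never parsed, so EHLO is the only command on record.
    return sorted(c for c, s in state.items()
                  if s["gssapi"] and s["too_long"] and s["cmds"] == ["EHLO"])

if __name__ == "__main__":
    for conn in oversized_gssapi_suspects(SAMPLE_LOG):
        print("possible oversized GSSAPI AUTH line:", conn)
```

A hit only narrows the cause to the line-length limit; connection 3 in the sample shows that the same 500 reply without GSSAPI on offer is not flagged.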