Re: GSSAPI auth Line too long

Tue, 30 May 2023 13:19:24 -0700

Start by removing PIPELINING unless you have a real need because of an inbound filtering device...
PIPELINING is kind of useless to advertise for most modern implementations where you do inline validation of data.. IMHO 

IMHO it should NOT be advertised by default anymore..

On 2023-05-30 10:54, Thomas Lemarchand via dovecot wrote:

Hello,


On version 2.3.20 (80a5ac675d), I have a problem with submission-login 
when using GSSAPI auth : it's not working, probably due to AUTH line 
being too long.
It appeared after I activated PAC on my Kerberos infrastructure. Now the 
Kerberos tickets contains MS-PAC data and are bigger. It's part of the 
RFC and is a valid use case : 
https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6


Logs :

May 30 17:13:00 auth: Debug: auth client connected (pid=378)

May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sent: 220 mail.int.k8s.lemarchand.io Dovecot 
ready.
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: New command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Execute command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Pipeline blocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Pipeline unblocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Connection state reset
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Sent: 
250-mail.int.k8s.lemarchand.io 8BITMIME AUTH GSSAPI PLAIN LOGIN BURL 
imap CHUNKING ENHANCEDSTATUSCODES SIZE P

IPELINING

May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Client sent invalid command: Command line is 
too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Invalid command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Sent: 500 5.5.2 
Line too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Remote closed connection: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Disconnected: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Connection state reset



My guess is that it's due to 
https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10 
being too low (is it configurable ?), but I didn't read the code 
thoroughly.
Red Hat IDM now activates MS-PAC by default, so any installation based 
on IDM (or FreeIPA) may have the same problem.

What's your opinion ? Bug ?

Mail sent using password auth :'(




--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org






















					Reply via email to