Start by removing PIPELINING unless you have a real need because of an
inbound filtering device...
PIPELINING is kind of useless to advertise for most modern
implementations where you do inline validation of data.
IMHO it should NOT be advertised by default anymore.
On 2023-05-30 10:54, Thomas Lemarchand via dovecot wrote:
Hello,
On version 2.3.20 (80a5ac675d), I have a problem with submission-login
when using GSSAPI auth: it's not working, probably due to the AUTH line
being too long.
It appeared after I activated PAC on my Kerberos infrastructure. Now the
Kerberos tickets contain MS-PAC data and are bigger. It's part of the
RFC and is a valid use case:
https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6
Logs:
May 30 17:13:00 auth: Debug: auth client connected (pid=378)
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sent: 220 mail.int.k8s.lemarchand.io Dovecot
ready.
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: New command
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Execute command
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Pipeline blocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: 250 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Pipeline unblocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Connection state reset
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: 250 reply: Sent:
250-mail.int.k8s.lemarchand.io 8BITMIME AUTH GSSAPI PLAIN LOGIN BURL
imap CHUNKING ENHANCEDSTATUSCODES SIZE PIPELINING
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command EHLO: 250 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Client sent invalid command: Command line is
too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Invalid command
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Sent: 500 5.5.2
Line too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Remote closed connection: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Disconnected: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn
10.200.114.128:13587 [1]: Connection state reset
My guess is that it's due to
https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10
being too low (is it configurable?), but I didn't read the code
thoroughly.
Red Hat IDM now activates MS-PAC by default, so any installation based
on IDM (or FreeIPA) may have the same problem.
What's your opinion? Bug?
Mail sent using password auth :'(
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
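An added example, not part of the original thread and not Dovecot code: a size check for the failure reported above, showing how large a SASL token can be before `AUTH GSSAPI <base64>` no longer fits on one SMTP command line, and how a client splits the exchange when it does not. It assumes the 512-octet command line limit of RFC 5321 (the thread does not state the value Dovecot uses) and constructed token sizes.

```python
import base64

# RFC 5321 section 4.5.3.1.4: a command line, CRLF included, is at most
# 512 octets. Assumption: used here as the server's limit; the thread does
# not give the value Dovecot enforces.
SMTP_COMMAND_LINE_LIMIT = 512


def max_initial_response(mech: str, limit: int = SMTP_COMMAND_LINE_LIMIT) -> int:
    """Largest raw token (bytes) that fits in 'AUTH <mech> <base64>CRLF'."""
    room = limit - len(f"AUTH {mech} ") - 2      # octets left for base64 text
    return (room // 4) * 3                       # base64: 4 chars per 3 bytes


def client_lines(mech: str, token: bytes, limit: int = SMTP_COMMAND_LINE_LIMIT):
    """Lines a client sends for the first SASL step.

    If the initial response fits within the command line limit it rides on
    the AUTH command. Otherwise (RFC 4954 section 4) the client sends a bare
    AUTH and puts the token on its own line after the server's 334.
    """
    encoded = base64.b64encode(token).decode("ascii")
    one_line = f"AUTH {mech} {encoded}\r\n"
    if len(one_line) <= limit:
        return [one_line]
    return [f"AUTH {mech}\r\n", encoded + "\r\n"]


if __name__ == "__main__":
    print("max raw token on AUTH line:", max_initial_response("GSSAPI"), "bytes")
    # Constructed token sizes, not measured from any real ticket.
    for size in (300, 2400):
        lines = client_lines("GSSAPI", bytes(size))
        print(size, "byte token ->", [len(line) for line in lines], "octets per line")
```

In the split case the second line is far longer than 512 octets, so the server's reader for SASL responses needs its own, larger limit than the one applied to ordinary commands.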