[pfx-dev] Re: [PATCH] Fix GSSAPI authentication with Microsoft Exchange

Sat, 01 Mar 2025 00:26:20 -0800 

On Sat, Mar 01, 2025 at 08:15:08AM +0100, michael-dev via Postfix-devel wrote:

> Microsoft Exchange sends non-empty string which postfix interprets as
> non-empty initial challenge while it is clearly not.
> 
> Fix compatibility by ignoring the irrelevant data.
> 
> Trace of failed connection:
> 
> 220 exchange.example.org Microsoft ESMTP MAIL Service ready at ...
> EHLO test.localdomain
> 250-exchange.example.org Hello [...]
> 250-SIZE 37748736
> 250-PIPELINING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-STARTTLS
> 250-AUTH GSSAPI NTLM
> 250-8BITMIME
> 250-BINARYMIME
> 250-CHUNKING
> 250 SMTPUTF8
> AUTH GSSAPI
> 334 GSSAPI supported
> QUIT
> 535 5.7.3 Authentication unsuccessful

This looks like a clear violation of

    https://datatracker.ietf.org/doc/html/rfc2554#section-4

> --- a/src/smtp/smtp_sasl_glue.c
> +++ b/src/smtp/smtp_sasl_glue.c
> @@ -420,13 +420,14 @@
>            * Deferred initial response, the server challenge must be empty.
>            * Cleared after actual transmission to the server.
>            */
> -         if (*line) {
> -             dsb_update(why, "4.7.0", DSB_DEF_ACTION,
> -                        DSB_SKIP_RMTA, DSB_DTYPE_SASL, "protocol error",
> -                        "SASL authentication failed; non-empty initial "
> -                        "%s challenge from server %s: %s", mechanism,
> -                        session->namaddr, STR(session->sasl_reply));
> -             return (-1);
> +         if (*line && msg_verbose) {
> +             /*
> +              * Microsoft Exchange sends "334 GSSAPI supported" instead of
> +              * empty challenge, so ignore any non-empty data and warn
> +              * about it
> +              */
> +             msg_info("%s: %s: SASL ignore non-empty initial challenge: %s",
> +                 myname, session->namaddrport, line);
>           }
>       } else {
>           result = xsasl_client_next(session->sasl_client, line,

Should we really unconditionally ignore protocol violations that might
indicate that the client and server are out of sync???

I'm inclined to suggest that at most this should be an off by default
work-around.  And a bug should be opened with Microsoft.

-- 
    Viktor.
_______________________________________________
Postfix-devel mailing list -- postfix-devel@postfix.org
To unsubscribe send an email to postfix-devel-le...@postfix.org

Reply via email to