** Description changed:

  smtp_cmd_buffer_size is currently 2048 bytes.  2048 bytes is not sufficient for
  clients that send an AUTH with an initial-response for GSSAPI when Windows
  Kerberos tickets are used that contain a PAC -- as of Windows 2003, the maximum
  ticket size is 12000 bytes.
  
  MUAs that use AUTH GSSAPI without an initial-response are not impacted by the
  2048 limit, since the remainder of the SASL session is handled by auth_get_data
  in Exim, which uses big_buffer and has sufficient space to process large
  Kerberos tickets.
  
  Thunderbird will always send an AUTH GSSAPI with an initial-response, which
  makes it subject to the 2048 byte limit.  A large Kerberos ticket will easily
  surpass 2048 bytes when base64-encoded, causing the AUTH to fail.
  
  RFC 4954 recommends 12288 bytes as a line limit to handle AUTH.  For a base64
  encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.
  
  This bug is fixed upstream (4.77). It would be nice to backport it to
  precise.
  
  [Impact]
  smtp_cmd_buffer_size is currently 2048 bytes.  2048 bytes is not sufficient for
  clients that send an AUTH with an initial-response for GSSAPI when Windows
  Kerberos tickets are used that contain a PAC. For a base64
  encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.
+ Fixing this bug lets us use the exim4 smtp server with AD kerberos
authentication and windows clients, so I think it's worth fixing.
  
  [Test Case]
- 1. Configure exim4 to use GSSAPI auth.
- 2. Configure thunderbird to use GSSAPI smtp auth on windows 
xp/vista/7/2003/2008.
- 3. Auth will always fail.
+ 1. You need a configured AD/samba4 domain.
+ 2. Configure exim4 to use GSSAPI auth (here is the dovecot method):
+  - # apt-get install dovecot-imapd exim4-daemon-heavy
+  - /etc/krb5.keytab should contain 'smtp/fqdn.host.name@YOUR.REALM' credentials (import it somehow); just for the test, make it readable for all (chmod 644 /etc/krb5.keytab).
+  - your dovecot config should contain something like this:
+ auth_mechanisms = gssapi
+ auth_default_realm = YOUR.REALM
+ auth_realms = YOUR.REALM
+ auth_gssapi_hostname = fqdn.host.name
+ auth_krb5_keytab = /etc/krb5.keytab
+ service auth {
+   unix_listener auth-client {
+     mode = 0600
+     user = Debian-exim
+   }
+ }
+  - your exim's 'begin authenticators' section of the config should contain something like:
+ auth_gssapi:
+     driver          = dovecot
+     public_name     = GSSAPI
+     server_socket   = /var/run/dovecot/auth-client
+     server_set_id   = $auth1
+ 3. Configure thunderbird to use GSSAPI smtp auth on windows xp/vista/7/2003/2008 (member of your AD domain).
+  - install thunderbird or use thunderbird portable
+  - configure any (e.g. it could be nonexistent at all) IMAP/POP mail account in thunderbird (using some domain member account)
+  - in account settings set authentication address/port to your exim server, username to your domain username, auth method to 'Kerberos/GSSAPI'
+ 4. Try to send mail. Auth will always fail. In exim's log there will be messages like these:
+ 2012-12-09 00:04:46 SMTP syntax error in "AUTH GSSAPI 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" H=([172.25.0.12]) [172.25.0.12] I=[172.25.0.214]:465 unrecognized command
+ 2012-12-09 00:04:46 SMTP syntax error in "3LbXXOLpS9xBClRbWZIYQ7iQ7UkbwPqZ+715Afyj1HfFLTQGDB7pvPj6w/0QwmzpKIuJ1hyE7TAwn7GCdQYlP4p3dFLgwQttuD30zASNrjx4q/mEvA=" H=([172.25.0.12]) [172.25.0.12] I=[172.25.0.214]:465 unrecognized command
+ 5. At the same time dovecot imap/pop3 gssapi auth works fine. Installing exim from quantal to precise fixes this bug.
  
  [Regression Potential]
- The fix for this bug is a one-line patch applied upstream (4.77) more than a
year ago, so it already has got sufficient testing.
+ The fix for this bug is a one-line patch applied upstream (4.77) more than a
year ago, so it already has got sufficient testing. Quantal and raring already
contain the fixed version (we use the version from quantal installed on precise in
production).
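The size arithmetic behind the report, and the failure mode visible in the two log lines above, as an added Python example (not code from the bug report, from Exim or from Ubuntu). It uses a simplified model of a fixed-size SMTP command buffer, not Exim's actual reading code, and a constructed 12000-byte blob standing in for a max-size Windows Kerberos ticket: it computes how long the base64 `AUTH GSSAPI <initial-response>` line becomes, checks it against the 2048-byte buffer, the 12288 bytes RFC 4954 recommends and a 16384-byte buffer, and shows how one oversized line is read back as several unrecognized commands when the buffer is too small.

```python
import base64
import math

CRLF = b"\r\n"


def base64_len(n: int) -> int:
    """Length of padded base64 for n raw bytes: 4 output chars per 3 input bytes."""
    return 4 * math.ceil(n / 3)


def auth_line_len(ticket_len: int, mech: str = "GSSAPI") -> int:
    """Bytes on the wire for 'AUTH <mech> <base64 initial-response>' plus CRLF."""
    return len(f"AUTH {mech} ") + base64_len(ticket_len) + len(CRLF)


def fits(ticket_len: int, buffer_size: int) -> bool:
    """True if the whole AUTH line fits in a command buffer of buffer_size bytes."""
    return auth_line_len(ticket_len) <= buffer_size


def build_auth_line(ticket: bytes, mech: str = "GSSAPI") -> bytes:
    """AUTH command with initial-response, the form an MUA such as Thunderbird sends."""
    return b"AUTH " + mech.encode("ascii") + b" " + base64.b64encode(ticket) + CRLF


def classify(cmd: bytes) -> str:
    """Minimal verb check: 'AUTH <mech> <valid base64>' is ok, anything else is rejected."""
    verb, _, rest = cmd.partition(b" ")
    if verb.upper() != b"AUTH":
        return "unrecognized command"
    mech, _, initial = rest.partition(b" ")
    if not mech:
        return "syntax error"
    try:
        base64.b64decode(initial, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "syntax error"
    return "ok"


def read_commands(stream: bytes, buffer_size: int) -> list[tuple[str, int]]:
    """Simplified model (assumption, not Exim's code) of a fixed-size command buffer.
    Bytes are read until CRLF or until the buffer is full. A line longer than the
    buffer is cut at buffer_size and rejected, and the unread remainder is then
    consumed as if it were the next command, so one oversized AUTH line turns
    into several rejected commands rather than one."""
    results = []
    pos = 0
    while pos < len(stream):
        nl = stream.find(CRLF, pos)
        line_end = len(stream) if nl == -1 else nl
        if line_end - pos > buffer_size:
            results.append(("unrecognized command (line exceeds buffer)", buffer_size))
            pos += buffer_size
            continue
        cmd = stream[pos:line_end]
        results.append((classify(cmd), len(cmd)))
        pos = line_end + (len(CRLF) if nl != -1 else 0)
    return results


# Constructed stand-in for a 12000-byte Kerberos ticket (the Windows 2003 maximum
# named in the report); the content is meaningless, only the size matters.
TICKET = bytes(i % 251 for i in range(12000))

if __name__ == "__main__":
    for limit in (2048, 12288, 16384):
        outcome = read_commands(build_auth_line(TICKET), limit)
        print(f"buffer {limit:5d}: line needs {auth_line_len(len(TICKET))} bytes, "
              f"fits={fits(len(TICKET), limit)}, commands seen={len(outcome)}, "
              f"first={outcome[0][0]}")
```

A 12000-byte ticket encodes to exactly 16000 base64 characters, which is where the report's "at least 16000 bytes" comes from; with the `AUTH GSSAPI ` prefix and CRLF the line is 16014 bytes, so even the 12288-byte line length RFC 4954 recommends is too small for a max-size Windows ticket, and only a buffer above that accepts it.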

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to exim4 in Ubuntu.
https://bugs.launchpad.net/bugs/1088136

Title:
  AUTH cannot handle a request with an initial-response over 2048 bytes
  (GSSAPI-related)

