On 30-05-2023 19:54, Thomas Lemarchand via dovecot wrote:
Hello,

On version 2.3.20 (80a5ac675d), I have a problem with submission-login when using GSSAPI auth: it's not working, probably due to the AUTH line being too long. It appeared after I activated PAC on my Kerberos infrastructure. Now the Kerberos tickets contain MS-PAC data and are bigger. It's part of the RFC and is a valid use case: https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6

Correct, but you can and should increase line length:

imap_max_line_length = 2M

With this length it works for me with Samba-AD-DC.

- Kees.

Logs:

May 30 17:13:00 auth: Debug: auth client connected (pid=378)
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sent: 220 mail.int.k8s.lemarchand.io Dovecot ready.
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: New command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Execute command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Pipeline blocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: 250 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Pipeline unblocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Connection state reset
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: 250 reply: Sent: 250-mail.int.k8s.lemarchand.io 8BITMIME AUTH GSSAPI PLAIN LOGIN BURL imap CHUNKING ENHANCEDSTATUSCODES SIZE PIPELINING
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command EHLO: 250 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Client sent invalid command: Command line is too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Invalid command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Sent: 500 5.5.2 Line too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Remote closed connection: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Disconnected: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Connection state reset

My guess is that it's due to https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10 being too low (is it configurable?), but I didn't read the code thoroughly. Red Hat IDM now activates MS-PAC by default, so any installation based on IDM (or FreeIPA) may have the same problem.
What's your opinion? Bug?

Mail sent using password auth :'(

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
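
A triage helper for the debug log quoted in this thread, added here as an example (it is not part of the original messages and is not Dovecot code): it reports each submission-login connection that was rejected with "Command line is too long", and whether GSSAPI had been advertised and an AUTH command was ever parsed. It assumes one log entry per line; connection [2] in the sample and the "Received new command: AUTH" line format (modelled on the EHLO line) are constructed.

```python
import re

# Constructed sample, one entry per line. Connection [1] reuses lines from the log
# quoted above; connection [2] and its AUTH line are made up for contrast.
P = "May 30 17:13:00 submission-login: Debug: smtp-server: conn "
EHLO_REPLY = ("command EHLO: 250 reply: Sent: 250-mail.int.k8s.lemarchand.io 8BITMIME "
              "AUTH GSSAPI PLAIN LOGIN BURL imap CHUNKING ENHANCEDSTATUSCODES SIZE PIPELINING")
SAMPLE_LOG = "\n".join([
    "May 30 17:13:00 auth: Debug: auth client connected (pid=378)",
    P + "10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]",
    P + "10.200.114.128:13587 [1]: " + EHLO_REPLY,
    P + "192.0.2.10:40000 [2]: Received new command: EHLO [192.0.2.10]",
    P + "192.0.2.10:40000 [2]: " + EHLO_REPLY,
    P + "192.0.2.10:40000 [2]: Received new command: AUTH PLAIN",  # assumed format
    P + "10.200.114.128:13587 [1]: Client sent invalid command: Command line is too long",
])

CONN = re.compile(r"submission-login: Debug: smtp-server: conn (\S+) \[(\d+)\]: (.*)$")
NEW_CMD = re.compile(r"Received new command: (\S+)")
TOO_LONG = "Client sent invalid command: Command line is too long"

def find_rejected_lines(log_text):
    """Return one record per 'Command line is too long' rejection, with context."""
    state, findings = {}, []
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue  # entries from other services (auth, ...) are ignored
        key, event = (m.group(1), m.group(2)), m.group(3)
        st = state.setdefault(key, {"gssapi": False, "commands": []})
        cmd = NEW_CMD.match(event)
        if cmd:
            st["commands"].append(cmd.group(1).upper())
        elif "250 reply: Sent:" in event:
            # GSSAPI counts as offered if it appears among the words after AUTH.
            st["gssapi"] = "GSSAPI" in event.partition(" AUTH ")[2].split()
        elif TOO_LONG in event:
            # The rejected line is never parsed, so it is absent from "commands".
            findings.append({
                "peer": key[0],
                "gssapi_offered": st["gssapi"],
                "auth_parsed": "AUTH" in st["commands"],
                "last_command": st["commands"][-1] if st["commands"] else None,
            })
    return findings

if __name__ == "__main__":
    for finding in find_rejected_lines(SAMPLE_LOG):
        print(finding)
```

A record with `gssapi_offered` true and `auth_parsed` false matches the pattern seen in this thread; it is a heuristic for finding affected clients, not proof that the rejected line was an AUTH command.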
