Oh right. Version information:

# postconf mail_version
mail_version = 3.5.18

Git tells me Dovecot xsasl code hasn't changed much since then, so I'd say this 
bug is still open.

On 1-11-2023 23:57, Stephan Bosch via Postfix-devel wrote:
Hi,

I'm a Dovecot developer. While testing some changes in the Dovecot auth 
service, I was writing a CI test for the interaction between Postfix and 
Dovecot for SASL authentication. The following is a fragment of the protocol 
exchange between my simple Python SMTP client and Postfix:

23:30:33.631726 send: 'AUTH OAUTHBEARER =\r\n'
23:30:33.632525 reply: b'334 
eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2lkLm9wZW4teGNoYW5nZS5jb20vb2lkYy9jb25maWcifQ==\r\n'
23:30:33.632739 send: 'AQ==\r\n'
23:30:35.134303 reply: b'535 5.7.8 Error: authentication failed: 
eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2lkLm9wZW4teGNoYW5nZS5jb20vb2lkYy9jb25maWcifQ==\r\n'

This session is supposed to fail, but the final error message produced by 
Postfix is wrong. It is using the data from the last CONT challenge as the 
error message for some reason. Note that Dovecot only sends a reason= field in 
the final FAIL response when something special needs to be returned; for a 
simple authentication failure the field is absent. The following is the 
Dovecot log for this authentication attempt:

Nov 01 23:28:26.821587 auth: Debug: client in: AUTH    8 OAUTHBEARER    service=smtp  
  nologin    lip=127.0.0.1 rip=127.0.0.1    resp=<hidden>
Nov 01 23:28:26.821839 auth: Info: oauthbearer(?,127.0.0.1): Invalid continued 
data
Nov 01 23:28:26.821839 auth: Debug: client passdb out: CONT    8 
eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2lkLm9wZW4teGNoYW5nZS5jb20vb2lkYy9jb25maWcifQ==
Nov 01 23:28:26.822501 auth: Debug: client in: CONT<hidden>
Nov 01 23:28:26.822501 auth: Debug: auth(?,127.0.0.1): Auth request finished
Nov 01 23:28:26.822501 auth: Debug: handling failure, nodelay=0
Nov 01 23:28:28.324759 auth: Debug: client passdb out: FAIL    8

Looks like Postfix is not expecting the absence of the reason= field and 
somehow uses the data from the previous CONT auth service response as the 
reason.

Regards,

Stephan.

_______________________________________________
Postfix-devel mailing list -- postfix-devel@postfix.org
To unsubscribe send an email to postfix-devel-le...@postfix.org
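
Added example, not part of the original messages and not Postfix or Dovecot code: a small C model of the failure mode suspected above, where a per-session reply buffer filled by a CONT line is left untouched by a FAIL line that carries no reason= field. The names parse_auth_line, next_field and replay, the reset_on_fail switch and the sample lines are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum auth_status { AUTH_CONT, AUTH_FAIL, AUTH_OTHER };

/* Terminate the field at p; return the next tab-separated field or NULL. */
static char *next_field(char *p)
{
    char *tab = p ? strchr(p, '\t') : NULL;
    if (tab != NULL)
        *tab++ = '\0';
    return tab;
}

/* Parse "CONT\t<id>\t<data>" or "FAIL\t<id>[\t<param>...]" into reply, a buffer
 * reused for the whole session. reset_on_fail == 0 models the suspected defect
 * (reply written only when reason= is present); 1 clears it on every FAIL. */
static enum auth_status parse_auth_line(const char *line, char *reply,
                                        size_t n, int reset_on_fail)
{
    char buf[512], *field, *rest;
    snprintf(buf, sizeof buf, "%s", line);
    field = next_field(next_field(buf));    /* skip command and request id */
    if (strcmp(buf, "CONT") == 0) {
        next_field(field);
        snprintf(reply, n, "%s", field ? field : "");
        return AUTH_CONT;
    }
    if (strcmp(buf, "FAIL") != 0)
        return AUTH_OTHER;
    if (reset_on_fail)
        reply[0] = '\0';
    for (; field != NULL; field = rest) {
        rest = next_field(field);
        if (strncmp(field, "reason=", 7) == 0)
            snprintf(reply, n, "%s", field + 7);
    }
    return AUTH_FAIL;
}

/* Replay a constructed CONT, then fail_line; return the resulting reason text. */
static const char *replay(int reset_on_fail, const char *fail_line)
{
    static char reply[256];
    reply[0] = '\0';
    parse_auth_line("CONT\t8\tY2hhbGxlbmdl", reply, sizeof reply, reset_on_fail);
    parse_auth_line(fail_line, reply, sizeof reply, reset_on_fail);
    return reply;
}
```

With reset_on_fail set to 0, a bare "FAIL\t8" leaves the earlier challenge data in the buffer, which matches the 535 reply shown in the SMTP trace; with 1 the reason is empty unless the FAIL line supplies one.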
