[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
This bug was fixed in the package exim4 - 4.76-3ubuntu3.2 --- exim4 (4.76-3ubuntu3.2) precise-proposed; urgency=low * Increase smtp_cmd_buffer_size to 16384 (upstream bug #879, fixed in 4.77). This allows using smtp kerberos/gssapi auth against AD/samba4 on windows. (LP: #1088136) -- Sergey UrushkinWed, 12 Dec 2012 16:05:42 -0800 ** Changed in: exim4 (Ubuntu Precise) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
The package from precise-proposed 4.76-3ubuntu3.2 fixes this bug. So, I'll change the tag. ** Tags removed: verification-needed ** Tags added: verification-done -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
** Branch linked: lp:~ubuntu-branches/ubuntu/precise/exim4/precise- proposed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
Hello urusha, or anyone else affected, Accepted exim4 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/exim4/4.76-3ubuntu3.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: exim4 (Ubuntu Precise) Status: Triaged => Fix Committed ** Tags added: verification-needed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
I've uploaded this to the precise -proposed queue now. ** Changed in: exim4 (Ubuntu Precise) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
Thanks! Marc has kindly sorted the bug statuses out for us, and I see that you've subscribed ~ubuntu-sponsors so this is now in the sponsorship queue. The next step is to wait for a sponsor to review your debdiff. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
Hi! I'm confirming that this bug is fixed in raring an quantal. How could I mark it "Fix released" for raring? I've also updated bug description, made test case more detailed, is it detailed enough now? And here is updated debdiff. Thank you. ** Patch added: "updated exim4.debdiff" https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1088136/+attachment/3456247/+files/exim4.debdiff -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
** Also affects: exim4 (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: exim4 (Ubuntu Quantal) Importance: Undecided Status: New ** Also affects: exim4 (Ubuntu Raring) Importance: Medium Status: New ** Changed in: exim4 (Ubuntu Quantal) Status: New => Fix Released ** Changed in: exim4 (Ubuntu Precise) Importance: Undecided => Medium ** Changed in: exim4 (Ubuntu Raring) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
** Description changed:
smtp_cmd_buffer_size is currently 2048 bytes. 2048 bytes is not sufficient
for
clients that send an AUTH with an initial-response for GSSAPI when Windows
Kerberos tickets are used that contain a PAC -- as of Windows 2003, the
maximum
ticket size is 12000 bytes.
MUAs that use AUTH GSSAPI without an initial-response are not impacted by the
2048 limit, since the remainder of the SASL session is handled by
auth_get_data
in Exim, which uses big_buffer and has sufficient space to process large
Kerberos tickets.
Thunderbird will always send an AUTH GSSAPI with an initial-response, which
makes it subject to the 2048 byte limit. A large Kerberos ticket will easily
surpass 2048 bytes when base64-encoded, causing the AUTH to fail.
RFC 4954 recommends 12288 bytes as a line limit to handle AUTH. For a base64
encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.
This bug is fixed upstream (4.77). It would be nice to backport it to
precise.
[Impact]
smtp_cmd_buffer_size is currently 2048 bytes. 2048 bytes is not sufficient
for
clients that send an AUTH with an initial-response for GSSAPI when Windows
Kerberos tickets are used that contain a PAC. For a base64
encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.
+ Fixing this bug lets us to use exim4 smtp server with AD kerberos
authentication and windows clients, so I think it's worth fixing.
[Test Case]
- 1. Configure exim4 to use GSSAPI auth.
- 2. Configure thunderbird to use GSSAPI smtp auth on windows
xp/vista/7/2003/2008.
- 3. Auth will always fail.
+ 1. You need a configured AD/samba4 domain
+ 2. Configure exim4 to use GSSAPI auth (here is dovecot method):
+ - # apt-get instal dovecot-imapd exim4-daemon-heavy
+ - /etc/krb5.keytab should contain 'smtp/fqdn.host.name@YOUR.REALM'
credentials (import it somehow), just for test make it readable for all. (chmod
644 /etc/krb5.keytab)
+ - your dovecot config should contain something like this:
+ auth_mechanisms = gssapi
+ auth_default_realm = YOUR.REALM
+ auth_realms = YOUR.REALM
+ auth_gssapi_hostname = fqdn.host.name
+ auth_krb5_keytab = /etc/krb5.keytab
+ service auth {
+ unix_listener auth-client {
+ mode = 0600
+ user = Debian-exim
+ }
+ - your exim's 'begin authenticators' section of the config should contain
something like:
+ auth_gssapi:
+ driver= dovecot
+ public_name = GSSAPI
+ server_socket = /var/run/dovecot/auth-client
+ server_set_id = $auth1
+ 3. Configure thunderbird to use GSSAPI smtp auth on windows
xp/vista/7/2003/2008 (member of your AD domain).
+ - install thunderbird or use thunderbird portable
+ - configure any (e.g. it could be nonexisting at all) IMAP/POP mail account
in thunderbird (using some domain member account)
+ - in account settings set authentication address/port to your exim server,
username to your domain username, auth method to 'Kerberos/GSSAPI'
+ 4. Try to send mail. Auth will always fail. In exim's log there will be
messages like these:
+ 2012-12-09 00:04:46 SMTP syntax error in "AUTH GSSAPI
YIIGSQYJKoZIhvcSAQICAQBuggY4MIIGNKADAgEFoQMCAQ6iBwMFACCjggS+YYIEujCCBLagAwIBBaELGwlURUxST1MuUlWiJzAloAMCAQKhHjAcGwRzbXRwGxR1dG1wMTJ0ZXN0LnRlbHJvcy5ydaOCBHcwggRzoAMCARehAwIBAqKCBGUEggRhI5eKDsWe+sqexT9BL5+35Gp7+IkML3W1YrbzW9H1yQyx1RzyFZkav6JcFgRf2E9QqXJv5qIl93+hBEN6K1skn0mmJeXCMd7FHQ/QJZwBTXY74z5mBVyJimPn9wmQrj8KD8+643hAjKTwCTmSoP32pH93vNudW39jjYxYWWagck9DieynL61W+QpXHIIwE95K2nVvUB2LzmL9L2czfRAe1uxegnZG4iLrAW7loJfB9S3q1sU7hU5t1e4rOxEs6iYCejSn0nq/So36xFBYdrWb6xD+VfrX14FJ3ypZN6pbTcTKQFpmfVasKt7SXK6rrcDAM5M9OagE5Tc4JlJh2ojDlSRuflDdOHYga3BGwIlS6OqsEQrPbt7LcBPiyjGAb9iqojn/ZZmKR7YaDbsTu1ToxJFGzkf7RU1fBVHL73r5RiT+rEjELOjWOQZZ4nAd2ppwQUq/cKW2k2xHsODU7i2PzM5CvbSkiaV8/EmfiQoY0Q8al5y/5bqu++GLkXBla03vm2uhm/pW+JuvrcK39dkXijSBfTCAlN6nYuCHUA7vI4VeRV2pTAg9EM/rf+G8CMrMtB54P1lnAiXVkuayFLTFQYz6hjkGKetSi0XLLMS3W0Qi7jK6jc7BpleNfJ6pMjhxAa7t2sJ+Gtu8eQpICnT/PWxlSNOsUB8yVzrB2htB39B+r5XDRbYP4OsINffW4SrF1nG7/uyMxTFh3jSpX6vJ0qZPZHy9dskxjTQymE6GM9SVqZsORen+vUaADp8DIfXUxcRFokyszhmovYPsu3lKR7mwmy39q+Z2AKDatvpkf/CMtCQCqwtVXWx7bg8aJb2KMbPmVVbf15PuXhRK4iypgY8KvDi4Y+uVgdYld4PnvFlH4tUp4pqkWvZBPIYDDGDhvIWKZFnx0Kl3ETQrZ/49XRG0/we81QuH8dpzQSKjzjS2dsAIkNDzG5Z/Qg1yBQbjS0zGNS0EY0I/Qi+vQtp+kAPMikZtvulDL/kyPAvjH8q3sv2XUdhfV1c4+8mLD1gof7JgOLQ+bxXcNcjWnLqXsY2hfV1HNSd+FBkMc3ubPrMxzCVIW86p4Me+CuAI46k43Pror3bgROP2WRWZmFTKRq879dS85PkOJfCDK0jOJEZOZW+Y5nAPAqITXhTbAJzH14LhiGyjUascTdqgJW5rqm16hcINDYYwZZYZgiIbb7CDUdPi0ti8uq7U0dWhhGG2rJAi5zWQtghXL/Ottd6dDIyR54BzcD3nAnAxfeBtOo1wZfd1lebF0kKE3vO+UmwJ1QHRRKNKQmv+XicII75B8YM3pHC2YXwpZRYCgEvSjqHMoT8fp3VEDGgUaGYAP+nSlP0+6zfI7AQdRVQ4nHbz5tBzJEQeJ67Kl9DRqGapfDbiUtGh+Da2Nd354eG4kiBXRJc8EZ50+/hLlWWWqmhDBJfVFg/qxeVB1DCx1IABMm0vTBlWCfV8V42S2Yzuk0wxTzEr++Vq6MtEI3I/zfsix/ykggFbMIIBV6ADAgEXooIBTgSCAUowRsO1Lr+r/PfELwWhCABk8wMxMYFOEOC1p68G1N4zCAOOKTy7vEE8K36abJ1XlF+DmT4bYZ0pG
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
Thank you for taking the time prepare this patch and helping to make Ubuntu better. There are just a few things we need to do in order to get this fix ready for sponsoring and then for the stable release team to approve. Please note that I'm making these comments as a bug triager only. I cannot sponsor this package, but this might save you some time getting this patch through the sponsorship queue. Most of these are requirements from https://wiki.ubuntu.com/StableReleaseUpdates Can you please confirm that this bug is definitely fixed in the current development release (Raring)? This needs to be done first, and then this bug needs to be marked Fix Released with a task added for Precise. The test case needs to allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem. This requirement is from SRU policy. I don't think your test case is detailed enough for me, and I am familiar with GSSAPI (via Kerberos)! Please could you provide sufficient detail in your test case? The changelog should detail exactly what is being fixed, rather than just referring to the upstream bug. The version number in the changelog should be 4.76-3ubuntu3.2 rather than 4.76-3ubuntu3.1+bug1088136, and targeted at precise-proposed rather than precise. I'm sure a sponsor would make these minor changes for you, but you might want to be aware of this and/or correct it. It's great that you have DEP-3 headers in the patch. It could help though if you added a Bug-Ubuntu header that points to this bug. Once you're happy, please subscribe ~ubuntu-sponsors to this bug to make sure it makes it in the sponsorship queue. ~ubuntu-sru will need to be subscribed to approve the upload, but it is a sponsor who will actually need to do the upload itself. Thanks again for your help! ** Changed in: exim4 (Ubuntu) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
** Changed in: exim Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1088136] Re: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
This debdiff includes fix for this bug. ** Patch added: "exim4 debdiff" https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1088136/+attachment/3455194/+files/exim4.debdiff ** Bug watch added: bugs.exim.org/ #879 http://bugs.exim.org/show_bug.cgi?id=879 ** Also affects: exim via http://bugs.exim.org/show_bug.cgi?id=879 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to exim4 in Ubuntu. https://bugs.launchpad.net/bugs/1088136 Title: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related) To manage notifications about this bug go to: https://bugs.launchpad.net/exim/+bug/1088136/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
