Re: GSSAPI auth Line too long

2023-05-31 Thread Aki Tuomi via dovecot


> On 31/05/2023 12:00 EEST Thomas Lemarchand via dovecot  
> wrote:
> 
>  
> Hi !
> 
> Are you saying I should open a bug report for Thunderbird developers ?
> I did not find a reference to a 998 bytes limit, do you have something I 
> can refer to ?
> 
> Thank you.
> -- 
> Thomas Lemarchand
> 
> On 5/30/23 20:35, Aki Tuomi via dovecot wrote:
> >> On 30/05/2023 20:54 EEST Thomas Lemarchand via dovecot 
> >>  wrote:
> >>
> >>   
> >> Hello,
> >>
> >> On version 2.3.20 (80a5ac675d), I have a problem with submission-login
> >> when using GSSAPI auth : it's not working, probably due to AUTH line
> >> being too long.
> >> It appeared after I activated PAC on my Kerberos infrastructure. Now the
> >> Kerberos tickets contain MS-PAC data and are bigger. It's part of the
> >> RFC and is a valid use case :
> >> https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6
> >>
> >> Logs :
> >>
> >>
> >> My guess is that it's due to
> >> https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10
> >> being too low (is it configurable ?), but I didn't read the code 
> >> thoroughly.
> >> Red Hat IDM now activates MS-PAC by default, so any installation based
> >> on IDM (or FreeIPA) may have the same problem.
> >> What's your opinion ? Bug ?
> >>
> >> Mail sent using password auth :'(
> >>
> >> -- 
> >> Thomas Lemarchand
> >>
> >>
> > Hi!
> >
> > This is an RFC limitation. SASL-IR may not exceed 998 bytes including AUTH 
> > GSSAPI and \r\n.
> >
> > If the SASL-IR exceeds this, then the client must use interactive SASL.
> >
> > Aki
> > ___
> > dovecot mailing list -- dovecot@dovecot.org
> > To unsubscribe send an email to dovecot-le...@dovecot.org
> >
> 

Please see https://datatracker.ietf.org/doc/html/rfc4954#section-4

"Note that the AUTH command is still subject to the line length limitations 
defined in [SMTP].  If use of the initial response argument would cause the 
AUTH command to exceed this length, the client MUST NOT use the initial 
response parameter (and instead proceed as defined in Section 5.1 of [SASL])."

Aki
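
The rule cited above, as an added example that is not part of the original thread and is not Dovecot's or Thunderbird's code: a client-side check that carries the GSSAPI token as a SASL initial response only when the whole AUTH line fits, and otherwise sends the bare command and waits for the 334 reply. The 998-byte figure is the one given in this thread; the function names and token sizes are constructed for illustration.

```python
import base64

# Figure given in this thread: the AUTH line, counting the "AUTH GSSAPI "
# prefix and the trailing CRLF, may not exceed 998 bytes.
AUTH_LINE_LIMIT = 998
CRLF = b"\r\n"


def encode_initial_response(token: bytes) -> bytes:
    """Base64 form of a SASL initial response; RFC 4954 sends empty as '='."""
    return base64.b64encode(token) if token else b"="


def auth_line_length(mech: str, token: bytes) -> int:
    """Bytes on the wire for 'AUTH <mech> <initial-response>CRLF'."""
    prefix = b"AUTH " + mech.encode("ascii") + b" "
    return len(prefix + encode_initial_response(token) + CRLF)


def max_inline_token_bytes(mech: str, limit: int = AUTH_LINE_LIMIT) -> int:
    """Largest raw token that still fits on the AUTH line as SASL-IR."""
    room = limit - len(b"AUTH " + mech.encode("ascii") + b" " + CRLF)
    return max(room, 0) // 4 * 3  # base64: every 3 raw bytes become 4 chars


def plan_auth(mech: str, token: bytes, limit: int = AUTH_LINE_LIMIT):
    """Return the client's lines as (when, line) pairs.

    "start"     : sent as the AUTH command itself
    "after 334" : sent only once the server has answered with a 334 reply
    """
    name = mech.encode("ascii")
    if auth_line_length(mech, token) <= limit:
        # Fits: one round trip, token carried as the initial response.
        line = b"AUTH " + name + b" " + encode_initial_response(token) + CRLF
        return [("start", line)]
    # Too long: RFC 4954 section 4 forbids the initial response here, so the
    # client sends the bare command and the token follows the 334 reply.
    return [("start", b"AUTH " + name + CRLF),
            ("after 334", base64.b64encode(token) + CRLF)]


if __name__ == "__main__":
    # Constructed token sizes, not measured from any real ticket.
    for label, size in (("small token", 600), ("large token", 1500)):
        steps = plan_auth("GSSAPI", bytes(size))
        print(label, size, "bytes ->", auth_line_length("GSSAPI", bytes(size)),
              "byte AUTH line,", len(steps), "client line(s)")
        for when, line in steps:
            print("   ", when, line[:24], "...", len(line), "bytes")
    print("largest inline token:", max_inline_token_bytes("GSSAPI"), "bytes")
```

With the thread's 998-byte figure, base64 expansion leaves room for a raw token of at most 738 bytes on the AUTH line.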


Re: GSSAPI auth Line too long

2023-05-31 Thread Kees van Vloten



On 31-05-2023 at 11:00, Thomas Lemarchand via dovecot wrote:

> Hi !
>
> Are you saying I should open a bug report for Thunderbird developers ?
> I did not find a reference to a 998 bytes limit, do you have something
> I can refer to ?
>
> Thank you.



Well, I have a working setup with postfix+dovecot (with 
submission-relay), samba-ad-dc and thunderbird using gssapi 
authentication on the clients (both windows and linux clients).


There must be something different in your setup causing the issue.

- Kees.



Re: GSSAPI auth Line too long

2023-05-31 Thread Thomas Lemarchand via dovecot

Hi !

Are you saying I should open a bug report for Thunderbird developers ?
I did not find a reference to a 998 bytes limit, do you have something I 
can refer to ?


Thank you.
--
Thomas Lemarchand

On 5/30/23 20:35, Aki Tuomi via dovecot wrote:

On 30/05/2023 20:54 EEST Thomas Lemarchand via dovecot  
wrote:

  
Hello,


On version 2.3.20 (80a5ac675d), I have a problem with submission-login
when using GSSAPI auth : it's not working, probably due to AUTH line
being too long.
It appeared after I activated PAC on my Kerberos infrastructure. Now the
Kerberos tickets contain MS-PAC data and are bigger. It's part of the
RFC and is a valid use case :
https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6

Logs :


My guess is that it's due to
https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10
being too low (is it configurable ?), but I didn't read the code thoroughly.
Red Hat IDM now activates MS-PAC by default, so any installation based
on IDM (or FreeIPA) may have the same problem.
What's your opinion ? Bug ?

Mail sent using password auth :'(

--
Thomas Lemarchand



Hi!

This is an RFC limitation. SASL-IR may not exceed 998 bytes including AUTH 
GSSAPI and \r\n.

If the SASL-IR exceeds this, then the client must use interactive SASL.

Aki





Re: GSSAPI auth Line too long

2023-05-30 Thread Michael Peddemors

Start by removing PIPELINING unless you have a real need because of an 
inbound filtering device...


PIPELINING is kind of useless to advertise for most modern 
implementations where you do inline validation of data.. IMHO


IMHO it should NOT be advertised by default anymore..

On 2023-05-30 10:54, Thomas Lemarchand via dovecot wrote:

Hello,

On version 2.3.20 (80a5ac675d), I have a problem with submission-login 
when using GSSAPI auth : it's not working, probably due to AUTH line 
being too long.
It appeared after I activated PAC on my Kerberos infrastructure. Now the 
Kerberos tickets contain MS-PAC data and are bigger. It's part of the 
RFC and is a valid use case : 
https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6


Logs :

May 30 17:13:00 auth: Debug: auth client connected (pid=378)
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sent: 220 mail.int.k8s.lemarchand.io Dovecot 
ready.
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: New command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Execute command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Pipeline blocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Pipeline unblocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Connection state reset
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Sent: 
250-mail.int.k8s.lemarchand.io 8BITMIME AUTH GSSAPI PLAIN LOGIN BURL 
imap CHUNKING ENHANCEDSTATUSCODES SIZE PIPELINING
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Client sent invalid command: Command line is 
too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Invalid command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Sent: 500 5.5.2 
Line too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Destroy
May 30 17:13:00 

Re: GSSAPI auth Line too long

2023-05-30 Thread Thomas Lemarchand via dovecot

Thank you for this idea, I already had "imap_max_line_length = 256k", 
I tried 2M, unfortunately it still does not work.


--
Thomas

On 5/30/23 20:27, Kees van Vloten wrote:


On 30-05-2023 19:54, Thomas Lemarchand via dovecot wrote:

Hello,

On version 2.3.20 (80a5ac675d), I have a problem with 
submission-login when using GSSAPI auth : it's not working, probably 
due to AUTH line being too long.
It appeared after I activated PAC on my Kerberos infrastructure. Now 
the Kerberos tickets contain MS-PAC data and are bigger. It's part 
of the RFC and is a valid use case : 
https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6



Correct, but you can and should increase line length:

imap_max_line_length = 2M

With this length it works for me with Samba-AD-DC.

- Kees.


Logs :

May 30 17:13:00 auth: Debug: auth client connected (pid=378)
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sent: 220 mail.int.k8s.lemarchand.io 
Dovecot ready.
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: New command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Execute command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Pipeline blocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Pipeline unblocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Connection state reset
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Sent: 
250-mail.int.k8s.lemarchand.io 8BITMIME AUTH GSSAPI PLAIN LOGIN BURL 
imap CHUNKING ENHANCEDSTATUSCODES SIZE PIPELINING
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Client sent invalid command: Command line 
is too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Invalid command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Sent: 500 
5.5.2 Line too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command 

Re: GSSAPI auth Line too long

2023-05-30 Thread Aki Tuomi via dovecot


> On 30/05/2023 20:54 EEST Thomas Lemarchand via dovecot  
> wrote:
> 
>  
> Hello,
> 
> On version 2.3.20 (80a5ac675d), I have a problem with submission-login 
> when using GSSAPI auth : it's not working, probably due to AUTH line 
> being too long.
> It appeared after I activated PAC on my Kerberos infrastructure. Now the 
> Kerberos tickets contain MS-PAC data and are bigger. It's part of the 
> RFC and is a valid use case : 
> https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6
> 
> Logs :
> 
> 
> My guess is that it's due to 
> https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10 
> being too low (is it configurable ?), but I didn't read the code thoroughly.
> Red Hat IDM now activates MS-PAC by default, so any installation based 
> on IDM (or FreeIPA) may have the same problem.
> What's your opinion ? Bug ?
> 
> Mail sent using password auth :'(
> 
> -- 
> Thomas Lemarchand
> 
> 

Hi!

This is an RFC limitation. SASL-IR may not exceed 998 bytes including AUTH 
GSSAPI and \r\n.

If the SASL-IR exceeds this, then the client must use interactive SASL.

Aki


Re: GSSAPI auth Line too long

2023-05-30 Thread Kees van Vloten



On 30-05-2023 19:54, Thomas Lemarchand via dovecot wrote:

Hello,

On version 2.3.20 (80a5ac675d), I have a problem with submission-login 
when using GSSAPI auth : it's not working, probably due to AUTH line 
being too long.
It appeared after I activated PAC on my Kerberos infrastructure. Now 
the Kerberos tickets contain MS-PAC data and are bigger. It's part of 
the RFC and is a valid use case : 
https://datatracker.ietf.org/doc/html/rfc4120#section-5.2.6



Correct, but you can and should increase line length:

imap_max_line_length = 2M

With this length it works for me with Samba-AD-DC.

- Kees.


Logs :

May 30 17:13:00 auth: Debug: auth client connected (pid=378)
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sent: 220 mail.int.k8s.lemarchand.io Dovecot 
ready.
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Received new command: EHLO [192.168.202.16]
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: New command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Execute command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Pipeline blocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Pipeline unblocked
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Connection state reset
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Sent: 
250-mail.int.k8s.lemarchand.io 8BITMIME AUTH GSSAPI PLAIN LOGIN BURL 
imap CHUNKING ENHANCEDSTATUSCODES SIZE PIPELINING
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command EHLO: 250 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Client sent invalid command: Command line is 
too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Invalid command
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Submitted
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Replied
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Ready to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Next to reply
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Completed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Sent: 500 
5.5.2 Line too long
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Finished
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 
10.200.114.128:13587 [1]: command [unknown]: 500 reply: Destroy
May 30 17:13:00 submission-login: