[exim-dev] [Bug 879] New: AUTH cannot handle a request with …

Author: Paul Fisher
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 879] New: AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)

http://bugs.exim.org/show_bug.cgi?id=879
           Summary: AUTH cannot handle a request with an initial-response
                    over 2048 bytes (GSSAPI-related)
           Product: Exim
           Version: 4.69
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: SMTP Authentication
        AssignedTo: nigel@???
        ReportedBy: pnfisher@???
                CC: exim-dev@???



Created an attachment (id=322)
--> (http://bugs.exim.org/attachment.cgi?id=322)
Increase smtp_cmd_buffer_size to 16384

smtp_cmd_buffer_size is currently 2048 bytes. 2048 bytes is not sufficient for
clients that send an AUTH with an initial-response for GSSAPI when Windows
Kerberos tickets are used that contain a PAC -- as of Windows 2003, the maximum
ticket size is 12000 bytes.

MUAs that use AUTH GSSAPI without an initial-response are not impacted by the
2048 limit, since the remainder of the SASL session is handled by auth_get_data
in Exim, which uses big_buffer and has sufficient space to process large
Kerberos tickets.

Thunderbird will always send an AUTH GSSAPI with an initial-response, which
makes it subject to the 2048 byte limit. A large Kerberos ticket will easily
surpass 2048 bytes when base64-encoded, causing the AUTH to fail.

RFC 4954 recommends 12288 bytes as a line limit to handle AUTH. For a base64
encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.
I've attached a patch which sets smtp_cmd_buffer_size to 16384.

We're running this patch in production.


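
The size arithmetic in the report above can be checked with the following sketch. It is an added example, not part of the original message, the attached patch, or Exim's code. It assumes the limit applies to the command text without the trailing CRLF, and it uses a zero-filled token as a constructed stand-in for a real GSSAPI token.

```python
import base64

# Limits named in the report: the current smtp_cmd_buffer_size, the RFC 4954
# recommendation, and the value set by the attached patch.
LIMITS = {"current": 2048, "rfc4954": 12288, "patched": 16384}
MAX_TICKET = 12000  # maximum Windows Kerberos ticket size quoted in the report


def auth_line(token: bytes, mechanism: str = "GSSAPI") -> bytes:
    """AUTH command carrying the token as a base64 initial-response (no CRLF)."""
    return b"AUTH " + mechanism.encode("ascii") + b" " + base64.b64encode(token)


def fits(token: bytes, limit: int) -> bool:
    # Assumption: the limit counts the command text only, not the CRLF.
    return len(auth_line(token)) <= limit


def max_token_bytes(limit: int, mechanism: str = "GSSAPI") -> int:
    """Largest raw token whose AUTH line still fits within `limit` bytes."""
    room = limit - len(auth_line(b"", mechanism))  # space left for base64 text
    # Padded base64 emits exactly 4 characters per (partial) 3-byte group.
    return (room // 4) * 3


def report(token_len: int) -> dict:
    """Which of the named limits accept an initial-response of this size."""
    token = bytes(token_len)  # constructed stand-in token (all zero bytes)
    return {name: fits(token, limit) for name, limit in LIMITS.items()}


if __name__ == "__main__":
    print("AUTH line length for a %d-byte token: %d"
          % (MAX_TICKET, len(auth_line(bytes(MAX_TICKET)))))
    for name, limit in LIMITS.items():
        print("%-8s limit=%5d  largest token=%5d  fits max ticket=%s"
              % (name, limit, max_token_bytes(limit), report(MAX_TICKET)[name]))
```

Under these assumptions a 12000-byte token produces a 16012-byte AUTH line, which fits only the 16384 limit; the largest token that fits in 2048 bytes is 1527 bytes.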