On 2013-09-28 at 16:08 +0200, Thomas Morper wrote:
> On Sat, 28 Sep 2013, Jeremy Harris wrote:
>
> > Thanks for testing the RC. I don't see that behaviour here;
> > could you share the definition of the PLAIN authenticator config
> > you're using?
>
> It's plain (no pun intended) and simple:
>
> begin authenticators
> auth_plain:
> driver = dovecot
> public_name = PLAIN
> server_socket = /var/run/dovecot/auth-client
>
> I'm using Dovecot 2.2.6, OS is Slackware 14.0 64-bit.

I knew changes to Dovecot auth sounded familiar:

commit 3f1df0e341c4ddc4add38fa97d9d34972655a6c7
Author: Phil Pennock <pdp@???>
Date: Mon Nov 19 23:44:33 2012 -0500

And indeed, I can reproduce the NULL with a fresh build of Exim.
Reverting the above commit removes the NULL from the output, so this is
definitely the cause. Apparently, the testing I did at the time did not
include PLAIN and an empty Dovecot CONT line.

My testing was against Dovecot 2.1.10 and that's still what I have
installed.

Without the commit above:
----------------------------8< cut here >8------------------------------
76689 SMTP<< AUTH PLAIN
76689 dovecot authentication
76689 received: VERSION 1 1
76689 received: MECH PLAIN plaintext
76689 received: MECH LOGIN plaintext
76689 received: MECH DIGEST-MD5 dictionary active mutual-auth
76689 received: MECH CRAM-MD5 dictionary active
76689 received: MECH GSSAPI
76689 received: SPID 76690
76689 received: CUID 1
76689 received: COOKIE fe1bb46441b187f3d8435c36906ac067
76689 received: DONE
76689 sent: VERSION 1 0
76689 CPID 76689
76689 AUTH 1 PLAIN service=smtp secured rip=::1 lip=::1 nologin resp=
76689 received: CONT 1
76689 SMTP>> 334
76689 tls_do_write(0x803130000, 6)
76689 SSL_write(SSL, 0x803130000, 6)
76689 outbytes=6 error=0
76689 Calling SSL_read(0x803108000, 0x8031a7000, 4096)
76689 received: OK 1 user=frederic
76689 auth_plain authenticator server_condition:
76689 $auth1 = frederic
76689 $1 = frederic
76689 SMTP>> 235 Authentication succeeded
76689 tls_do_write(0x803130000, 30)
----------------------------8< cut here >8------------------------------
With the commit above:
----------------------------8< cut here >8------------------------------
76430 SMTP<< AUTH PLAIN
76430 dovecot authentication
76430 received: VERSION 1 1
76430 received: MECH PLAIN plaintext
76430 received: MECH LOGIN plaintext
76430 received: MECH DIGEST-MD5 dictionary active mutual-auth
76430 received: MECH CRAM-MD5 dictionary active
76430 received: MECH GSSAPI
76430 received: SPID 76433
76430 received: CUID 1
76430 received: COOKIE 0290a68f32d3aa12b869914ae61dab6e
76430 received: DONE
76430 sent: VERSION 1 0
76430 CPID 76430
76430 AUTH 1 PLAIN service=smtp secured rip=::1 lip=::1 nologin resp=
76430 received: CONT 1
76430 dovecot: warning: ignoring trailing tab
76430 SMTP>> 334 NULL
76430 tls_do_write(0x803130000, 10)
76430 SSL_write(SSL, 0x803130000, 10)
76430 outbytes=10 error=0
76430 Calling SSL_read(0x803108000, 0x8031a7000, 4096)
76430 received: OK 1 user=frederic
76430 auth_plain authenticator server_condition:
76430 $auth1 = frederic
76430 $1 = frederic
76430 SMTP>> 235 Authentication succeeded
76430 tls_do_write(0x803130000, 30)
----------------------------8< cut here >8------------------------------
The clue is that "ignoring trailing tab" line.

I have pushed 970ba64 to fix this:
----------------------------8< cut here >8------------------------------
commit 970ba64f07bf5523c7098235664f2ce02962a128
Author: Phil Pennock <pdp@???>
Date: Mon Sep 30 00:57:07 2013 -0400

    Fix dovecot with empty 334 challenge.

    Thomas Morper reported, with 4.82RC1, that he saw "334 NULL" as the
    challenge when using AUTH PLAIN to Dovecot when the client does not send
    an initial response. I could replicate.

    This was caused by commit 3f1df0e3 on 2012-11-19 (PP/13 of 4.82); I was
    too cautious in the robustness fixes; the clue came in this line of
    debug output:

      76430 dovecot: warning: ignoring trailing tab

    This change removes that check, and documents in a comment that this
    input is acceptable protocol-wise, and why.

    With this fix:

      AUTH PLAIN
      334
      AGZyZWRlcmljAGh1bXB0eS1kdW1wdHk=
      235 Authentication succeeded
----------------------------8< cut here >8------------------------------
Regards,
-Phil
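
Added example, not part of the original message and not Exim's code: a minimal tab splitter for a Dovecot `CONT` line showing how discarding a trailing tab leaves the challenge field unset, while keeping it as an empty field yields the bare `334 ` reply. The names `split_fields` and `smtp_challenge`, the `"CONT\t1\t"` input (constructed from the debug log above), and printing a missing field as the word NULL are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 8

/* Split a Dovecot auth-protocol line in place on TABs; returns field count.
 * keep_empty=0 drops a final TAB (the "ignoring trailing tab" behaviour in
 * the log); keep_empty=1 keeps it as an empty last field.
 * Slots past the returned count stay NULL. */
static int split_fields(char *line, char *f[MAX_FIELDS], int keep_empty)
{
    int n = 0;
    char *p = line;
    memset(f, 0, MAX_FIELDS * sizeof f[0]);
    while (n < MAX_FIELDS) {
        f[n++] = p;
        char *tab = strchr(p, '\t');
        if (tab == NULL)
            break;
        *tab = '\0';
        p = tab + 1;
        if (*p == '\0' && !keep_empty)
            break;                      /* trailing TAB discarded */
    }
    return n;
}

/* Build the SMTP 334 reply from "CONT <id> <base64>". A missing third field
 * is printed as the word NULL: an assumption modelling a formatter that
 * renders null pointers that way, matching "334 NULL" in the log. */
static const char *smtp_challenge(const char *raw, int keep_empty,
                                  char *out, size_t outlen)
{
    char buf[256];
    char *f[MAX_FIELDS];
    snprintf(buf, sizeof buf, "%s", raw);
    int n = split_fields(buf, f, keep_empty);
    if (n < 2 || strcmp(f[0], "CONT") != 0)
        return NULL;                    /* not a well-formed CONT line */
    snprintf(out, outlen, "334 %s", f[2] ? f[2] : "NULL");
    return out;
}

int main(void)
{
    char out[64];
    const char *cont = "CONT\t1\t";     /* constructed: empty challenge */
    printf("[%s]\n", smtp_challenge(cont, 0, out, sizeof out));
    printf("[%s]\n", smtp_challenge(cont, 1, out, sizeof out));
}
```

With CRLF appended, the two replies are 10 and 6 bytes long, which matches the `tls_do_write` sizes in the two debug logs.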