[exim-dev] Fixed: dovecot auth changes in 4.82

Góra strony
Delete this message
Reply to this message
Autor: Phil Pennock
Data:  
Dla: Thomas Morper
CC: Todd Lyons, exim-dev, Jeremy Harris
Stare tematy: Re: [exim] Exim 4.82 RC1 uploaded
Temat: [exim-dev] Fixed: dovecot auth changes in 4.82
On 2013-09-28 at 16:08 +0200, Thomas Morper wrote:
> On Sat, 28 Sep 2013, Jeremy Harris wrote:
>
> > Thanks for testing the RC. I don't see that behaviour here;
> > could you share the definition of the PLAIN authenticator config
> > you're using?
>
> It's plain (no pun intended) and simple:
>
>   begin authenticators
>     auth_plain:
>       driver = dovecot
>       public_name = PLAIN
>       server_socket = /var/run/dovecot/auth-client


> I'm using Dovecot 2.2.6, OS is Slackware 14.0 64-bit.


I knew changes to Dovecot auth sounded familiar:

commit 3f1df0e341c4ddc4add38fa97d9d34972655a6c7
Author: Phil Pennock <pdp@???>
Date: Mon Nov 19 23:44:33 2012 -0500

And indeed, I can reproduce the NULL with a fresh build of Exim.
Reverting the above commit removes the NULL from the output, so this is
definitely the cause. Apparently, the testing I did at the time did not
include PLAIN and an empty Dovecot CONT line.

My testing was against Dovecot 2.1.10 and that's still what I have
installed.

Without the commit above:
----------------------------8< cut here >8------------------------------
76689 SMTP<< AUTH PLAIN
76689 dovecot authentication
76689 received: VERSION 1       1
76689 received: MECH    PLAIN   plaintext
76689 received: MECH    LOGIN   plaintext
76689 received: MECH    DIGEST-MD5      dictionary      active  mutual-auth
76689 received: MECH    CRAM-MD5        dictionary      active
76689 received: MECH    GSSAPI
76689 received: SPID    76690
76689 received: CUID    1
76689 received: COOKIE  fe1bb46441b187f3d8435c36906ac067
76689 received: DONE
76689 sent: VERSION     1       0
76689 CPID      76689
76689 AUTH      1       PLAIN   service=smtp    secured rip=::1 lip=::1 nologin resp=
76689 received: CONT    1
76689 SMTP>> 334 
76689 tls_do_write(0x803130000, 6)
76689 SSL_write(SSL, 0x803130000, 6)
76689 outbytes=6 error=0
76689 Calling SSL_read(0x803108000, 0x8031a7000, 4096)
76689 received: OK      1       user=frederic
76689 auth_plain authenticator server_condition:
76689   $auth1 = frederic
76689   $1 = frederic
76689 SMTP>> 235 Authentication succeeded
76689 tls_do_write(0x803130000, 30)
----------------------------8< cut here >8------------------------------


With the commit above:
----------------------------8< cut here >8------------------------------
76430 SMTP<< AUTH PLAIN
76430 dovecot authentication
76430 received: VERSION 1       1
76430 received: MECH    PLAIN   plaintext
76430 received: MECH    LOGIN   plaintext
76430 received: MECH    DIGEST-MD5      dictionary      active  mutual-auth
76430 received: MECH    CRAM-MD5        dictionary      active
76430 received: MECH    GSSAPI
76430 received: SPID    76433
76430 received: CUID    1
76430 received: COOKIE  0290a68f32d3aa12b869914ae61dab6e
76430 received: DONE
76430 sent: VERSION     1       0
76430 CPID      76430
76430 AUTH      1       PLAIN   service=smtp    secured rip=::1 lip=::1 nologin resp=
76430 received: CONT    1
76430 dovecot: warning: ignoring trailing tab
76430 SMTP>> 334 NULL
76430 tls_do_write(0x803130000, 10)
76430 SSL_write(SSL, 0x803130000, 10)
76430 outbytes=10 error=0
76430 Calling SSL_read(0x803108000, 0x8031a7000, 4096)
76430 received: OK      1       user=frederic
76430 auth_plain authenticator server_condition:
76430   $auth1 = frederic
76430   $1 = frederic
76430 SMTP>> 235 Authentication succeeded
76430 tls_do_write(0x803130000, 30)
----------------------------8< cut here >8------------------------------


The clue is that "ignoring trailing tab" line.

I have pushed 970ba64 to fix this:
----------------------------8< cut here >8------------------------------
commit 970ba64f07bf5523c7098235664f2ce02962a128
Author: Phil Pennock <pdp@???>
Date: Mon Sep 30 00:57:07 2013 -0400

    Fix dovecot with empty 334 challenge.


    Thomas Morper reported, with 4.82RC1, that he saw "334 NULL" as the
    challenge when using AUTH PLAIN to Dovecot when the client does not send
    an initial response.  I could replicate.


    This was caused by commit 3f1df0e3 on 2012-11-19 (PP/13 of 4.82); I was
    too cautious in the robustness fixes; the clue came in this line of
    debug output:


        76430 dovecot: warning: ignoring trailing tab


    This change removes that check, and documents in a comment that this
    input is acceptable protocol-wise, and why.


    With this fix:


        AUTH PLAIN
        334
        AGZyZWRlcmljAGh1bXB0eS1kdW1wdHk=
        235 Authentication succeeded
----------------------------8< cut here >8------------------------------


Regards,
-Phil