AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
exim |
Fix Released
|
Unknown
|
|||
exim4 (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Precise |
Fix Released
|
Medium
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Unassigned | ||
Raring |
Fix Released
|
Medium
|
Unassigned |
Bug Description
smtp_cmd_
clients that send an AUTH with an initial-response for GSSAPI when Windows
Kerberos tickets are used that contain a PAC -- as of Windows 2003, the maximum
ticket size is 12000 bytes.
MUAs that use AUTH GSSAPI without an initial-response are not impacted by the
2048 limit, since the remainder of the SASL session is handled by auth_get_data
in Exim, which uses big_buffer and has sufficient space to process large
Kerberos tickets.
Thunderbird will always send an AUTH GSSAPI with an initial-response, which
makes it subject to the 2048 byte limit. A large Kerberos ticket will easily
surpass 2048 bytes when base64-encoded, causing the AUTH to fail.
RFC 4954 recommends 12288 bytes as a line limit to handle AUTH. For a base64
encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.
This bug is fixed upstream (4.77). It would be nice to backport it to precise.
[Impact]
smtp_cmd_
clients that send an AUTH with an initial-response for GSSAPI when Windows
Kerberos tickets are used that contain a PAC. For a base64
encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.
Fixing this bug lets us to use exim4 smtp server with AD kerberos authentication and windows clients, so I think it's worth fixing.
[Test Case]
1. You need a configured AD/samba4 domain
2. Configure exim4 to use GSSAPI auth (here is dovecot method):
- # apt-get instal dovecot-imapd exim4-daemon-heavy
- /etc/krb5.keytab should contain '<email address hidden>' credentials (import it somehow), just for test make it readable for all. (chmod 644 /etc/krb5.keytab)
- your dovecot config should contain something like this:
auth_mechanisms = gssapi
auth_default_realm = YOUR.REALM
auth_realms = YOUR.REALM
auth_gssapi_
auth_krb5_keytab = /etc/krb5.keytab
service auth {
unix_listener auth-client {
mode = 0600
user = Debian-exim
}
- your exim's 'begin authenticators' section of the config should contain something like:
auth_gssapi:
driver = dovecot
public_name = GSSAPI
server_socket = /var/run/
server_set_id = $auth1
3. Configure thunderbird to use GSSAPI smtp auth on windows xp/vista/
- install thunderbird or use thunderbird portable
- configure any (e.g. it could be nonexisting at all) IMAP/POP mail account in thunderbird (using some domain member account)
- in account settings set authentication address/port to your exim server, username to your domain username, auth method to 'Kerberos/GSSAPI'
4. Try to send mail. Auth will always fail. In exim's log there will be messages like these:
2012-12-09 00:04:46 SMTP syntax error in "AUTH GSSAPI YIIGSQYJKoZIhvc
2012-12-09 00:04:46 SMTP syntax error in "3LbXXOLpS9xBCl
5. Same time dovecot imap/pop3 gssapi auth works fine. Installing exim from quantal to precise fixes this bug.
[Regression Potential]
The fix for this bug is one-line-patch applied to upstream (4.77) more than year ago, so it already has got sufficient testing. Quantal and raring already contains fixed version (we use the version from quantal installed to precise in production).
Related branches
affects: | heimdal (Ubuntu) → exim4 (Ubuntu) |
description: | updated |
Changed in exim: | |
status: | Unknown → Fix Released |
description: | updated |
Changed in exim4 (Ubuntu Quantal): | |
status: | New → Fix Released |
Changed in exim4 (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in exim4 (Ubuntu Raring): | |
status: | New → Fix Released |
This debdiff includes fix for this bug.