Ubuntu
exim4 package

AUTH cannot handle a request with an initial-response over 2048 bytes (GSSAPI-related)

Bug #1088136 reported by urusha
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
exim
Fix Released
Unknown
exim4 (Ubuntu)
Fix Released
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned
Quantal
Fix Released
Undecided
Unassigned
Raring
Fix Released
Medium
Unassigned

Bug Description

smtp_cmd_buffer_size is currently 2048 bytes. 2048 bytes is not sufficient for
clients that send an AUTH with an initial-response for GSSAPI when Windows
Kerberos tickets are used that contain a PAC -- as of Windows 2003, the maximum
ticket size is 12000 bytes.

MUAs that use AUTH GSSAPI without an initial-response are not impacted by the
2048 limit, since the remainder of the SASL session is handled by auth_get_data
in Exim, which uses big_buffer and has sufficient space to process large
Kerberos tickets.

Thunderbird will always send an AUTH GSSAPI with an initial-response, which
makes it subject to the 2048 byte limit. A large Kerberos ticket will easily
surpass 2048 bytes when base64-encoded, causing the AUTH to fail.

RFC 4954 recommends 12288 bytes as a line limit to handle AUTH. For a base64
encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.

This bug is fixed upstream (4.77). It would be nice to backport it to precise.

[Impact]
smtp_cmd_buffer_size is currently 2048 bytes. 2048 bytes is not sufficient for
clients that send an AUTH with an initial-response for GSSAPI when Windows
Kerberos tickets are used that contain a PAC. For a base64
encoded max-size Windows Kerberos ticket, at least 16000 bytes are needed.
Fixing this bug lets us to use exim4 smtp server with AD kerberos authentication and windows clients, so I think it's worth fixing.

[Test Case]
1. You need a configured AD/samba4 domain
2. Configure exim4 to use GSSAPI auth (here is dovecot method):
 - # apt-get instal dovecot-imapd exim4-daemon-heavy
 - /etc/krb5.keytab should contain '<email address hidden>' credentials (import it somehow), just for test make it readable for all. (chmod 644 /etc/krb5.keytab)
 - your dovecot config should contain something like this:
auth_mechanisms = gssapi
auth_default_realm = YOUR.REALM
auth_realms = YOUR.REALM
auth_gssapi_hostname = fqdn.host.name
auth_krb5_keytab = /etc/krb5.keytab
service auth {
  unix_listener auth-client {
    mode = 0600
    user = Debian-exim
  }
 - your exim's 'begin authenticators' section of the config should contain something like:
auth_gssapi:
    driver = dovecot
    public_name = GSSAPI
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1
3. Configure thunderbird to use GSSAPI smtp auth on windows xp/vista/7/2003/2008 (member of your AD domain).
 - install thunderbird or use thunderbird portable
 - configure any (e.g. it could be nonexisting at all) IMAP/POP mail account in thunderbird (using some domain member account)
 - in account settings set authentication address/port to your exim server, username to your domain username, auth method to 'Kerberos/GSSAPI'
4. Try to send mail. Auth will always fail. In exim's log there will be messages like these:
2012-12-09 00:04:46 SMTP syntax error in "AUTH GSSAPI YIIGSQYJKoZIhvcSAQICAQBuggY4MIIGNKADAgEFoQMCAQ6iBwMFACAAAACjggS+YYIEujCCBLagAwIBBaELGwlURUxST1MuUlWiJzAloAMCAQKhHjAcGwRzbXRwGxR1dG1wMTJ0ZXN0LnRlbHJvcy5ydaOCBHcwggRzoAMCARehAwIBAqKCBGUEggRhI5eKDsWe+sqexT9BL5+35Gp7+IkML3W1YrbzW9H1yQyx1RzyFZkav6JcFgRf2E9QqXJv5qIl93+hBEN6K1skn0mmJeXCMd7FHQ/QJZwBTXY74z5mBVyJimPn9wmQrj8KD8+643hAjKTwCTmSoP32pH93vNudW39jjYxYWWagck9DieynL61W+QpXHIIwE95K2nVvUB2LzmL9L2czfRAe1uxegnZG4iLrAW7loJfB9S3q1sU7hU5t1e4rOxEs6iYCejSn0nq/So36xFBYdrWb6xD+VfrX14FJ3ypZN6pbTcTKQFpmfVasKt7SXK6rrcDAM5M9OagE5Tc4JlJh2ojDlSRuflDdOHYga3BGwIlS6OqsEQrPbt7LcBPiyjGAb9iqojn/ZZmKR7YaDbsTu1ToxJFGzkf7RU1fBVHL73r5RiT+rEjELOjWOQZZ4nAd2ppwQUq/cKW2k2xHsODU7i2PzM5CvbSkiaV8/EmfiQoY0Q8al5y/5bqu++GLkXBla03vm2uhm/pW+JuvrcK39dkXijSBfTCAlN6nYuCHUA7vI4VeRV2pTAg9EM/rf+G8CMrMtB54P1lnAiXVkuayFLTFQYz6hjkGKetSi0XLLMS3W0Qi7jK6jc7BpleNfJ6pMjhxAa7t2sJ+Gtu8eQpICnT/PWxlSNOsUB8yVzrB2htB39B+r5XDRbYP4OsINffW4SrF1nG7/uyMxTFh3jSpX6vJ0qZPZHy9dskxjTQymE6GM9SVqZsORen+vUaADp8DIfXUxcRFokyszhmovYPsu3lKR7mwmy39q+Z2AKDatvpkf/CMtCQCqwtVXWx7bg8aJb2KMbPmVVbf15PuXhRK4iypgY8KvDi4Y+uVgdYld4PnvFlH4tUp4pqkWvZBPIYDDGDhvIWKZFnx0Kl3ETQrZ/49XRG0/we81QuH8dpzQSKjzjS2dsAIkNDzG5Z/Qg1yBQbjS0zGNS0EY0I/Qi+vQtp+kAPMikZtvulDL/kyPAvjH8q3sv2XUdhfV1c4+8mLD1gof7JgOLQ+bxXcNcjWnLqXsY2hfV1HNSd+FBkMc3ubPrMxzCVIW86p4Me+CuAI46k43Pror3bgROP2WRWZmFTKRq879dS85PkOJfCDK0jOJEZOZW+Y5nAPAqITXhTbAJzH14LhiGyjUascTdqgJW5rqm16hcINDYYwZZYZgiIbb7CDUdPi0ti8uq7U0dWhhGG2rJAi5zWQtghXL/Ottd6dDIyR54BzcD3nAnAxfeBtOo1wZfd1lebF0kKE3vO+UmwJ1QHRRKNKQmv+XicII75B8YM3pHC2YXwpZRYCgEvSjqHMoT8fp3VEDGgUaGYAP+nSlP0+6zfI7AQdRVQ4nHbz5tBzJEQeJ67Kl9DRqGapfDbiUtGh+Da2Nd354eG4kiBXRJc8EZ50+/hLlWWWqmhDBJfVFg/qxeVB1DCx1IABMm0vTBlWCfV8V42S2Yzuk0wxTzEr++Vq6MtEI3I/zfsix/ykggFbMIIBV6ADAgEXooIBTgSCAUowRsO1Lr+r/PfELwWhCABk8wMxMYFOEOC1p68G1N4zCAOOKTy7vEE8K36abJ1XlF+DmT4bYZ0pGMA/5ffq8ntBk5B83RsKfN3Pgbxwxn3yg22Bx3RLzjYRu22exuJ91SixBWzV+YAlzcTsrYKgMvxfaMbHeC50gBrV0/7r1a3DJSZ3f6uMFwpb/vfHUSTxRnj/nESwTrxr7QB/aVl1/gu75xLRCUE91d0+a5EN2650sSCN126XAcTG+ySQldWo2SpdIobYPALOhGgSeNL23/7HMDFDMlk0lyiBunv3qFycUdOq+cW/2MO6j9lhXGUcaGm3tyRU" H=([172.25.0.12]) [172.25.0.12] I=[172.25.0.214]:465 unrecognized command
2012-12-09 00:04:46 SMTP syntax error in "3LbXXOLpS9xBClRbWZIYQ7iQ7UkbwPqZ+715Afyj1HfFLTQGDB7pvPj6w/0QwmzpKIuJ1hyE7TAwn7GCdQYlP4p3dFLgwQttuD30zASNrjx4q/mEvA=" H=([172.25.0.12]) [172.25.0.12] I=[172.25.0.214]:465 unrecognized command
5. Same time dovecot imap/pop3 gssapi auth works fine. Installing exim from quantal to precise fixes this bug.

[Regression Potential]
The fix for this bug is one-line-patch applied to upstream (4.77) more than year ago, so it already has got sufficient testing. Quantal and raring already contains fixed version (we use the version from quantal installed to precise in production).

See original description
urusha (urusha)
affects: heimdal (Ubuntu) → exim4 (Ubuntu)
description: updated
Revision history for this message
urusha (urusha) wrote :

This debdiff includes fix for this bug.

Bug Watch Updater (bug-watch-updater)
Changed in exim:
status: Unknown → Fix Released
Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time prepare this patch and helping to make Ubuntu better.

There are just a few things we need to do in order to get this fix ready for sponsoring and then for the stable release team to approve. Please note that I'm making these comments as a bug triager only. I cannot sponsor this package, but this might save you some time getting this patch through the sponsorship queue. Most of these are requirements from https://wiki.ubuntu.com/StableReleaseUpdates

Can you please confirm that this bug is definitely fixed in the current development release (Raring)? This needs to be done first, and then this bug needs to be marked Fix Released with a task added for Precise.

The test case needs to allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem. This requirement is from SRU policy. I don't think your test case is detailed enough for me, and I am familiar with GSSAPI (via Kerberos)! Please could you provide sufficient detail in your test case?

The changelog should detail exactly what is being fixed, rather than just referring to the upstream bug.

The version number in the changelog should be 4.76-3ubuntu3.2 rather than 4.76-3ubuntu3.1+bug1088136, and targeted at precise-proposed rather than precise. I'm sure a sponsor would make these minor changes for you, but you might want to be aware of this and/or correct it.

It's great that you have DEP-3 headers in the patch. It could help though if you added a Bug-Ubuntu header that points to this bug.

Once you're happy, please subscribe ~ubuntu-sponsors to this bug to make sure it makes it in the sponsorship queue. ~ubuntu-sru will need to be subscribed to approve the upload, but it is a sponsor who will actually need to do the upload itself.

Thanks again for your help!

Changed in exim4 (Ubuntu):
importance: Undecided → Medium
urusha (urusha)
description: updated
Marc Deslauriers (mdeslaur)
Changed in exim4 (Ubuntu Quantal):
status: New → Fix Released
Changed in exim4 (Ubuntu Precise):
importance: Undecided → Medium
Changed in exim4 (Ubuntu Raring):
status: New → Fix Released
Revision history for this message
urusha (urusha) wrote :

Hi!
I'm confirming that this bug is fixed in raring an quantal. How could I mark it "Fix released" for raring?
I've also updated bug description, made test case more detailed, is it detailed enough now?
And here is updated debdiff.
Thank you.

Revision history for this message
Robie Basak (racb) wrote :

Thanks! Marc has kindly sorted the bug statuses out for us, and I see that you've subscribed ~ubuntu-sponsors so this is now in the sponsorship queue. The next step is to wait for a sponsor to review your debdiff.

Revision history for this message
Brian Murray (brian-murray) wrote :

I've uploaded this to the precise -proposed queue now.

Changed in exim4 (Ubuntu Precise):
status: New → Triaged
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello urusha, or anyone else affected,

Accepted exim4 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/exim4/4.76-3ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in exim4 (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote : [exim4/precise] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for precise for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Revision history for this message
urusha (urusha) wrote :

The package from precise-proposed 4.76-3ubuntu3.2 fixes this bug. So, I'll change the tag.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package exim4 - 4.76-3ubuntu3.2

---------------
exim4 (4.76-3ubuntu3.2) precise-proposed; urgency=low

  * Increase smtp_cmd_buffer_size to 16384 (upstream bug #879, fixed in 4.77).
    This allows using smtp kerberos/gssapi auth against AD/samba4 on windows.
    (LP: #1088136)
 -- Sergey Urushkin <email address hidden> Wed, 12 Dec 2012 16:05:42 -0800

Changed in exim4 (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.