Marc Weustink
2017-Oct-26 11:32 UTC
ManageSieve: authenticate "EXTERNAL" not behaving correctly
Hi,

I've enabled client certificate authentication for imap and managesieve. When I use Thunderbird with the sieve plugin it tries to log in, but times out.

Initially I reported this to the sieve plugin, but we came to the conclusion that managesieve is misbehaving.

https://github.com/thsmi/sieve/issues/94

Thunderbird (win10-64) 52.4.0 (32bit)
Sieve 0.2.3k
Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)

What happens is the following (p=plugin sends, m=managesieve sends):

p:authenticate "EXTERNAL" ""
m:""

The response is unexpected. According to RFC 5804 an empty challenge/response is sent as an empty string. So I would expect:

p:authenticate "EXTERNAL" ""
m:OK "Logged in."

With the use of gnutls-cli I could reproduce it (c=I send, m=managesieve sends):

gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile marc_mail.crt -p sieve 172.17.1.4

...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" ""
m:""
c:""
m:OK "Logged in."

However, if I try the "imap" syntax (RFC 4959) I get logged in at once:

...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" "="
m:OK "Logged in."

Note that this is an imap-only extension; "=" is an invalid base64 encoding.

Marc
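The exchange described above, modelled as an added example (written for this page; it is not code from the thread, from Dovecot/Pigeonhole or from the sieve plugin): a minimal ManageSieve server that handles AUTHENTICATE "EXTERNAL" either as RFC 5804 specifies or as reported here (an empty initial response "" treated as if none was sent, and the IMAP-style "=" accepted), plus a client that interoperates with both by answering an empty challenge with "". The certificate identity `marc`, the `NO` reply texts, the restriction to quoted strings (no `{n+}` literals) and the absence of real TLS are assumptions of the example.

```python
import base64
import re

# Added example: a model of the ManageSieve (RFC 5804) AUTHENTICATE "EXTERNAL"
# exchange, covering both the RFC behaviour and the one reported in the thread.
# Only quoted strings are handled (no {n+} literals) and no real TLS is involved;
# the client-certificate identity is a constructed value.


def quote(s):
    """Encode a ManageSieve quoted string."""
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'


_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(line):
    """Split a command/response line into ('atom', v) and ('string', v) tokens."""
    tokens = []
    for m in _TOKEN.finditer(line):
        if m.group(1) is not None:
            tokens.append(('string', re.sub(r'\\(.)', r'\1', m.group(1))))
        else:
            tokens.append(('atom', m.group(2)))
    return tokens


# Strict base64: whole quads, at most two '=' at the very end. "" is valid
# (zero bytes) while "=" is not, which is the distinction the thread turns on.
_B64 = re.compile(r'(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?')


def sasl_decode(token, imap_sasl_ir=False):
    """Decode a base64 SASL message. RFC 5804 encodes an empty message as "";
    only IMAP SASL-IR (RFC 4959) uses "=" as the zero-length marker."""
    if imap_sasl_ir and token == '=':
        return b''
    if not _B64.fullmatch(token):
        raise ValueError('invalid base64: %r' % token)
    return base64.b64decode(token)


class Server:
    """Server side of AUTHENTICATE "EXTERNAL".

    cert_user: identity taken from the verified TLS client certificate (constructed).
    rfc5804=True : an initial response "" is present and empty, so EXTERNAL
                   completes at once; "=" is rejected as invalid base64.
    rfc5804=False: the behaviour reported above: "" is treated like a missing
                   initial response (an empty challenge "" is sent) and "=" is accepted.
    """

    def __init__(self, cert_user, rfc5804=True):
        self.cert_user = cert_user
        self.rfc5804 = rfc5804
        self.pending = False  # waiting for the client's answer to our "" challenge

    def handle(self, line):
        toks = tokenize(line)
        if self.pending:
            self.pending = False
            return self._finish(toks[0][1] if toks and toks[0][0] == 'string' else None)
        if (len(toks) < 2 or toks[0][1].upper() != 'AUTHENTICATE'
                or toks[1][0] != 'string' or toks[1][1].upper() != 'EXTERNAL'):
            return 'NO "Unsupported mechanism."'  # only EXTERNAL is modelled
        initial = toks[2][1] if len(toks) > 2 else None
        if initial == '' and not self.rfc5804:
            initial = None  # the reported bug: "" mistaken for "no initial response"
        if initial is None:
            self.pending = True
            return '""'  # empty server challenge, RFC 5804 form
        return self._finish(initial)

    def _finish(self, token):
        try:
            authzid = sasl_decode(token, imap_sasl_ir=not self.rfc5804)
        except (ValueError, TypeError):
            return 'NO "Invalid base64 data."'
        # EXTERNAL: an empty authzid means "the identity proven by the TLS certificate".
        user = authzid.decode('utf-8', 'replace') or self.cert_user
        if user != self.cert_user:
            return 'NO "Authorization failed."'
        return 'OK "Logged in."'


def authenticate_external(server, initial_token=quote('')):
    """Client side. Sends AUTHENTICATE "EXTERNAL" with the given initial-response
    token (default: the RFC 5804 empty string) and answers any server challenge
    with an empty response "", which works against both server variants above.
    Returns the transcript as [(who, line)], who being 'c' (client) or 'm' (server)."""
    transcript = []

    def send(line):
        transcript.append(('c', line))
        reply = server.handle(line)
        transcript.append(('m', reply))
        return reply

    reply = send('AUTHENTICATE "EXTERNAL" ' + initial_token)
    for _ in range(3):  # bounded; a real client would time out here instead
        if tokenize(reply)[0][0] == 'atom':  # OK / NO / BYE end the exchange
            break
        reply = send(quote(''))  # empty response to an empty challenge
    return transcript


if __name__ == '__main__':
    for compliant in (True, False):
        for token in ('""', '"="'):
            print('rfc5804' if compliant else 'reported', 'initial response', token)
            for who, line in authenticate_external(Server('marc', rfc5804=compliant), token):
                print('  %s:%s' % (who, line))
```

Run stand-alone, the four transcripts printed are the two the report shows (the extra "" round trip for "", immediate OK for "=") plus what an RFC 5804 server does with the same two inputs (immediate OK for "", NO for "=").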
Stephan Bosch
2017-Oct-28 15:18 UTC
ManageSieve: authenticate "EXTERNAL" not behaving correctly
On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
> Hi,
>
> I've enabled client certificate authentication for imap and
> managesieve. When I use Thunderbird with the sieve plugin it tries to
> log in, but times out.
>
> Initially I reported this to the sieve plugin, but we came to the
> conclusion that managesieve is misbehaving.
>
> https://github.com/thsmi/sieve/issues/94
>
> Thunderbird (win10-64) 52.4.0 (32bit)
> Sieve 0.2.3k
> Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)
>
>
> What happens is the following (p=plugin sends, m=managesieve sends):
>
> p:authenticate "EXTERNAL" ""
> m:""
>
> The response is unexpected. According to RFC 5804 an empty
> challenge/response is sent as an empty string. So I would expect:
>
> p:authenticate "EXTERNAL" ""
> m:OK "Logged in."
>
>
>
> With the use of gnutls-cli I could reproduce it (c=I send, m=managesieve
> sends):
> gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile
> marc_mail.crt -p sieve 172.17.1.4
>
> ...
> m:OK "TLS negotiation successful."
> c:authenticate "EXTERNAL" ""
> m:""
> c:""
> m:OK "Logged in."
>
>
> However, if I try the "imap" syntax (RFC 4959) I get logged in at once:
>
> ...
> m:OK "TLS negotiation successful."
> c:authenticate "EXTERNAL" "="
> m:OK "Logged in."
>
> Note that this is an imap-only extension; "=" is an invalid base64
> encoding.

Will get back on this later.

Regards,

Stephan.
Marc Weustink
2017-Nov-01 14:17 UTC
ManageSieve: authenticate "EXTERNAL" not behaving correctly
Stephan Bosch wrote:
> On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
>> Hi,
>>
>> I've enabled client certificate authentication for imap and
>> managesieve. When I use Thunderbird with the sieve plugin it tries to
>> log in, but times out.
>>
>> Initially I reported this to the sieve plugin, but we came to the
>> conclusion that managesieve is misbehaving.
>>
>> https://github.com/thsmi/sieve/issues/94
>>
>> Thunderbird (win10-64) 52.4.0 (32bit)
>> Sieve 0.2.3k
>> Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)
>>
>>
>> What happens is the following (p=plugin sends, m=managesieve sends):
>>
>> p:authenticate "EXTERNAL" ""
>> m:""
>>
>> The response is unexpected. According to RFC 5804 an empty
>> challenge/response is sent as an empty string. So I would expect:
>>
>> p:authenticate "EXTERNAL" ""
>> m:OK "Logged in."
>>
>>
>>
>> With the use of gnutls-cli I could reproduce it (c=I send, m=managesieve
>> sends):
>> gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile
>> marc_mail.crt -p sieve 172.17.1.4
>>
>> ...
>> m:OK "TLS negotiation successful."
>> c:authenticate "EXTERNAL" ""
>> m:""
>> c:""
>> m:OK "Logged in."
>>
>>
>> However, if I try the "imap" syntax (RFC 4959) I get logged in at once:
>>
>> ...
>> m:OK "TLS negotiation successful."
>> c:authenticate "EXTERNAL" "="
>> m:OK "Logged in."
>>
>> Note that this is an imap-only extension; "=" is an invalid base64
>> encoding.
>
> Will get back on this later.
>
> Regards,
>
> Stephan.
>

With the attached patch I could hack/work around it.

Marc

-------------- next part --------------
diff -U 5 dovecot-2.2.33.1/pigeonhole/src/managesieve-login/client-authenticate.c dovecot-2.2.33.1~mwe/pigeonhole/src/managesieve-login/client-authenticate.c
--- dovecot-2.2.33.1/pigeonhole/src/managesieve-login/client-authenticate.c 2017-11-01 15:06:28.000000000 +0100
+++ dovecot-2.2.33.1~mwe/pigeonhole/src/managesieve-login/client-authenticate.c 2017-11-01 14:55:43.869493098 +0100
@@ -306,12 +306,20 @@ return 1; } if ( ret == 0 ) return 0; - init_response = ( client->auth_response == NULL ? NULL : - t_strdup(str_c(client->auth_response)) ); + + if ( client->auth_response == NULL ) { + init_response = NULL; + } else if (( strncasecmp(client->auth_mech_name, "EXTERNAL", 8) == 0 ) && ( str_len( client->auth_response ) == 0 )) { + /* MWE: hack/workaround to pass empty response */ + init_response = t_strdup("="); + } else { + init_response = t_strdup(str_c(client->auth_response)); + } + msieve_client->auth_mech_name_parsed = FALSE; if ( (ret=client_auth_begin (client, t_strdup(client->auth_mech_name), init_response)) < 0 ) return ret;
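Review bot: the new `else if` compares with `strncasecmp(client->auth_mech_name, "EXTERNAL", 8) == 0`, which is a prefix match, so any mechanism name that merely begins with "EXTERNAL" would also take this branch; an exact comparison, `strcasecmp(client->auth_mech_name, "EXTERNAL") == 0`, is what the intent requires. The substituted `t_strdup("=")` is the IMAP SASL-IR (RFC 4959) zero-length marker and, as the report itself notes, not valid base64, so the workaround holds only as long as whatever consumes `init_response` keeps accepting it. More importantly, the special case is tied to one mechanism, while what the original line loses is the distinction between `client->auth_response == NULL` (no initial response) and an empty `auth_response` (an initial response that is present but empty), which is independent of the mechanism; passing the empty string through unchanged and fixing the side that conflates it with "absent" would be the proper repair, consistent with the follow-up in this thread locating the fix in Dovecot core rather than in this file. The `/* MWE: hack/workaround ... */` comment should then either go or say why the mechanism check is needed at all.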
Stephan Bosch
2017-Nov-28 14:08 UTC
ManageSieve: authenticate "EXTERNAL" not behaving correctly
On 28-10-2017 at 17:18, Stephan Bosch wrote:
> On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
>> Hi,
>>
>> I've enabled client certificate authentication for imap and
>> managesieve. When I use Thunderbird with the sieve plugin it tries to
>> log in, but times out.
>>
>> Initially I reported this to the sieve plugin, but we came to the
>> conclusion that managesieve is misbehaving.
>>
>> https://github.com/thsmi/sieve/issues/94
>>
>> Thunderbird (win10-64) 52.4.0 (32bit)
>> Sieve 0.2.3k
>> Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)
>>
>>
>> What happens is the following (p=plugin sends, m=managesieve sends):
>>
>> p:authenticate "EXTERNAL" ""
>> m:""
>>
>> The response is unexpected. According to RFC 5804 an empty
>> challenge/response is sent as an empty string. So I would expect:
>>
>> p:authenticate "EXTERNAL" ""
>> m:OK "Logged in."
>>
>>
>>
>> With the use of gnutls-cli I could reproduce it (c=I send, m=managesieve
>> sends):
>> gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile
>> marc_mail.crt -p sieve 172.17.1.4
>>
>> ...
>> m:OK "TLS negotiation successful."
>> c:authenticate "EXTERNAL" ""
>> m:""
>> c:""
>> m:OK "Logged in."
>>
>>
>> However, if I try the "imap" syntax (RFC 4959) I get logged in at once:
>>
>> ...
>> m:OK "TLS negotiation successful."
>> c:authenticate "EXTERNAL" "="
>> m:OK "Logged in."
>>
>> Note that this is an imap-only extension; "=" is an invalid base64
>> encoding.
> Will get back on this later.

This was actually a Dovecot problem. Merged yesterday:

https://github.com/dovecot/core/commit/451698c60d7b3a763742c8e99503ab30596036f0
https://github.com/dovecot/core/commit/e4b72bd73bfffda7906faa248eab31f936cfc6fa
https://github.com/dovecot/core/commit/ad3e5fb08578161731085cfc025659753d2682cb
https://github.com/dovecot/core/commit/981f260cfa17a22faf4ff047e479e63cad01aa65

Regards,

Stephan.