Closed Bug 1485724 Opened 7 years ago Closed 2 years ago

SMTP GSSAPI AUTH command should not exceed the SMTP line length

Categories

(Thunderbird :: Security, enhancement)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1883529

People

(Reporter: kacper, Unassigned)

The SMTP GSSAPI AUTH command should not exceed the SMTP line length as defined by RFC4954 (https://tools.ietf.org/html/rfc4954#page-4).

"Note that the AUTH command is still subject to the line length limitations defined in [SMTP]. If use of the initial response argument would cause the AUTH command to exceed this length, the client MUST NOT use the initial response parameter (and instead proceed as defined in Section 5.1 of [RFC 2222])."

RFC 2222:

"If the initial client response parameter is not given, or if a protocol's profile does not permit the command which initiates an authentication protocol exchange to contain an initial client response, then the server issues a challenge with no data. The client's response to this challenge is then used as the initial client response. (The server then proceeds to send the next challenge, indicates completion, or indicates failure.)"

In short, if the GSSAPI token is too long (as defined in RFC 2821 (SMTP)) for the AUTH command, it should not be included in the AUTH command. The client should issue an AUTH GSSAPI command and be returned 334, after which the GSSAPI token can be sent to the server.

C: EHLO client.example.com
S: 250-smtp.example.com Hello client.example.com
S: 250 AUTH GSSAPI DIGEST-MD5 PLAIN
C: AUTH GSSAPI
(note: there is a single space following the 334 on the following line)
S: 334 
C: dGVzdAB0ZXN0ADEyMzQ=
S: 235 2.7.0 Authentication successful

How specifically is Thunderbird not conforming?
Component: Untriaged → Security
Flags: needinfo?(kacper)
(In reply to Wayne Mery (:wsmwk) from comment #1)
> How specifically is Thunderbird not conforming?

When the GSSAPI token becomes too long (due to Kerberos PAC data, e.g. group information etc.), Thunderbird still sends it along with the initial AUTH GSSAPI command, exceeding the specified limit for such a command according to the SMTP specs. Postfix, for example, trims the command if it exceeds 998 (excluding <CR><LF>), resulting in a bad GSSAPI token being passed to the SASL backend (see http://postfix.1071664.n5.nabble.com/GSSAPI-and-Success-as-a-error-code-tp97224p97251.html); other MTAs might do similar as per the SMTP specs.
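
The behaviour discussed in this report, as an added example that is not part of the original thread and is not Thunderbird or Postfix code: a client-side length check that falls back to the empty-challenge exchange, next to a constructed model of a server that trims over-long command lines. All function names are hypothetical, the tokens are constructed, and the 998-octet limit is the figure quoted in the comment above, taken as an assumption.

```javascript
// Added example: hypothetical helper names; not Thunderbird or Postfix code.
// 998 octets (excluding CRLF) is the figure quoted in the thread, used here
// as an assumed limit; pass the server's real limit if it differs.
const MAX_LINE = 998;

// Client: put the token on the AUTH line only if the whole line fits.
function clientLines(mechanism, token, maxLine = MAX_LINE) {
  const b64 = Buffer.from(token).toString("base64");
  const withInitial = `AUTH ${mechanism} ${b64}`;
  if (withInitial.length <= maxLine) return [withInitial];
  // Too long: send a bare AUTH, then the token as the reply to the empty "334 ".
  return [`AUTH ${mechanism}`, b64];
}

// The behaviour described in the report: the initial response is always used.
function alwaysInitial(mechanism, token) {
  return [`AUTH ${mechanism} ${Buffer.from(token).toString("base64")}`];
}

// Server (constructed model): trim the command line at maxLine, as the thread
// says Postfix does, and return the bytes that reach the SASL backend.
function serverReceive(lines, maxLine = MAX_LINE) {
  const parts = lines[0].slice(0, maxLine).split(" ");
  if (parts[0] !== "AUTH") throw new Error("expected AUTH");
  if (parts.length === 3) return Buffer.from(parts[2], "base64");
  // No initial response: the model answers "334 " and reads the reply whole.
  return Buffer.from(lines[1], "base64");
}

// True when the backend receives exactly the token the client produced.
function roundTrips(lines, token) {
  return serverReceive(lines).equals(Buffer.from(token));
}

// Constructed tokens: a small one, and a large one standing in for a
// Kerberos ticket carrying a lot of PAC data.
const smallToken = Buffer.alloc(64, 0x41);
const largeToken = Buffer.alloc(4096, 0x42);

console.log("small, checked client:", clientLines("GSSAPI", smallToken).length, "line(s)");
console.log("large, checked client:", clientLines("GSSAPI", largeToken).length, "line(s)");
console.log("large, always-initial intact:", roundTrips(alwaysInitial("GSSAPI", largeToken), largeToken));
console.log("large, checked client intact:", roundTrips(clientLines("GSSAPI", largeToken), largeToken));
```
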
Flags: needinfo?(kacper)
Severity: normal → S3
See Also: → 1883529
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1883529
Resolution: --- → DUPLICATE