ManageSieve: authenticate "EXTERNAL" not behaving correctly

Marc Weustink
Hi,

I've enabled client certificate authentication for imap and managesieve.
When I use Thunderbird with the sieve plugin it tries to login, but
times out.

Initially I reported this to the sieve plugin, but we came to the
conclusion that managesieve is misbehaving.

https://github.com/thsmi/sieve/issues/94

Thunderbird (win10-64) 52.4.0 (32bit)
Sieve 0.2.3k
Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)


What happens is the following (p=plugin sends m=managesieve sends)

p:authenticate "EXTERNAL" ""
m:""

The response is unexpected. According to RFC 5804 an empty
challenge/response is sent as an empty string. So I would expect:

p:authenticate "EXTERNAL" ""
m:OK "Logged in."



With the use of gnutls-cli I could reproduce (c=I send m=managesieve sends)
  gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile marc_mail.crt -p sieve 172.17.1.4

...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" ""
m:""
c:""
m:OK "Logged in."


However if I try the "imap" syntax (rfc4959) I get logged in at once

...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" "="
m:OK "Logged in."

Note that this is an imap only extension, "=" is an invalid base64 encoding.

Marc
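
The three exchanges from the post above can be classified mechanically. This is an added example, not part of the original thread and not Dovecot or sieve plugin code; it follows the poster's reading of RFC 5804 (an empty initial response is the empty string `""`), and the function names and finding strings are assumptions made for illustration.

```python
import base64
import re

# Quoted-string arguments only; ManageSieve literals ({n+}) are not handled.
AUTH_RE = re.compile(r'^authenticate\s+"([^"]*)"(?:\s+"([^"]*)")?$', re.I)
B64_RE = re.compile(r'^(?:[A-Za-z0-9+/]{4})*'
                    r'(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$')

# The three exchanges quoted in the post, as (side, line) pairs.
REPORTED = [("c", 'authenticate "EXTERNAL" ""'), ("m", '""'),
            ("c", '""'), ("m", 'OK "Logged in."')]
IMAP_STYLE = [("c", 'authenticate "EXTERNAL" "="'), ("m", 'OK "Logged in."')]
EXPECTED = [("c", 'authenticate "EXTERNAL" ""'), ("m", 'OK "Logged in."')]

def parse_authenticate(line):
    """Return (mechanism, initial_response). The response is None when the
    argument is absent and b"" when it is the empty string."""
    m = AUTH_RE.match(line.strip())
    if m is None:
        raise ValueError("not an AUTHENTICATE command")
    mech, arg = m.group(1).upper(), m.group(2)
    if arg is None:
        return mech, None
    if not B64_RE.match(arg):  # rejects the IMAP-style "=" marker
        raise ValueError("initial response is not base64: %r" % arg)
    return mech, base64.b64decode(arg)

def audit(transcript):
    """Classify the first AUTHENTICATE exchange in a transcript."""
    lines = iter(transcript)
    for side, line in lines:
        if side == "c" and line.lower().startswith("authenticate"):
            break
    else:
        return "no AUTHENTICATE seen"
    _, reply = next(lines, ("m", ""))
    accepted = reply.startswith("OK")
    try:
        _, initial = parse_authenticate(line)
    except ValueError:
        return ("server accepted a malformed initial response" if accepted
                else "client sent a malformed initial response")
    if accepted:
        return "completed without an extra round trip"
    if reply == '""' and initial is not None:
        return "server sent an empty challenge despite an initial response"
    if reply == '""':
        return "server asked for a response the client had not sent"
    return "server rejected the attempt"
```

Running `audit` over a captured session log is a quick regression check that a server upgrade removed the extra round trip without starting to reject the empty initial response.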
Re: ManageSieve: authenticate "EXTERNAL" not behaving correctly

Stephan Bosch-2
On 10/26/2017 at 1:32 PM, Marc Weustink wrote:

> Hi,
>
> I've enabled client certificate authentication for imap and
> managesieve. When I use Thunderbird with the sieve plugin it tries to
> login, but times out.
>
> Initially I reported this to the sieve plugin, but we came to the
> conclusion that managesieve is misbehaving.
>
> https://github.com/thsmi/sieve/issues/94
>
> Thunderbird (win10-64) 52.4.0 (32bit)
> Sieve 0.2.3k
> Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)
>
>
> What happens is the following (p=plugin sends m=managesieve sends)
>
> p:authenticate "EXTERNAL" ""
> m:""
>
> The response is unexpected. According to RFC 5804 an empty
> challenge/response is sent as an empty string. So I would expect:
>
> p:authenticate "EXTERNAL" ""
> m:OK "Logged in."
>
>
>
> With the use of gnutls-cli I could reproduce (c=I send m=managesieve
> sends)
>  gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile
> marc_mail.crt -p sieve 172.17.1.4
>
> ...
> m:OK "TLS negotiation successful."
> c:authenticate "EXTERNAL" ""
> m:""
> c:""
> m:OK "Logged in."
>
>
> However if I try the "imap" syntax (rfc4959) I get logged in at once
>
> ...
> m:OK "TLS negotiation successful."
> c:authenticate "EXTERNAL" "="
> m:OK "Logged in."
>
> Note that this is an imap only extension, "=" is an invalid base64
> encoding.

Will get back on this later.

Regards,

Stephan.
Re: ManageSieve: authenticate "EXTERNAL" not behaving correctly

Marc Weustink
Stephan Bosch wrote:

> On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
>> Hi,
>>
>> I've enabled client certificate authentication for imap and
>> managesieve. When I use Thunderbird with the sieve plugin it tries to
>> login, but times out.
>>
>> Initially I reported this to the sieve plugin, but we came to the
>> conclusion that managesieve is misbehaving.
>>
>> https://github.com/thsmi/sieve/issues/94
>>
>> Thunderbird (win10-64) 52.4.0 (32bit)
>> Sieve 0.2.3k
>> Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)
>>
>>
>> What happens is the following (p=plugin sends m=managesieve sends)
>>
>> p:authenticate "EXTERNAL" ""
>> m:""
>>
>> The response is unexpected. According to RFC 5804 an empty
>> challenge/response is sent as an empty string. So I would expect:
>>
>> p:authenticate "EXTERNAL" ""
>> m:OK "Logged in."
>>
>>
>>
>> With the use of gnutls-cli I could reproduce (c=I send m=managesieve
>> sends)
>>   gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile
>> marc_mail.crt -p sieve 172.17.1.4
>>
>> ...
>> m:OK "TLS negotiation successful."
>> c:authenticate "EXTERNAL" ""
>> m:""
>> c:""
>> m:OK "Logged in."
>>
>>
>> However if I try the "imap" syntax (rfc4959) I get logged in at once
>>
>> ...
>> m:OK "TLS negotiation successful."
>> c:authenticate "EXTERNAL" "="
>> m:OK "Logged in."
>>
>> Note that this is an imap only extension, "=" is an invalid base64
>> encoding.
>
> Will get back on this later.
>
> Regards,
>
> Stephan.
>
With the attached patch I could hack/workaround it

Marc


client-authenticate.patch (1K) Download Attachment
Re: ManageSieve: authenticate "EXTERNAL" not behaving correctly

Stephan Bosch-2
On 28-10-2017 at 17:18, Stephan Bosch wrote:

> On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
>> Hi,
>>
>> I've enabled client certificate authentication for imap and
>> managesieve. When I use Thunderbird with the sieve plugin it tries to
>> login, but times out.
>>
>> Initially I reported this to the sieve plugin, but we came to the
>> conclusion that managesieve is misbehaving.
>>
>> https://github.com/thsmi/sieve/issues/94
>>
>> Thunderbird (win10-64) 52.4.0 (32bit)
>> Sieve 0.2.3k
>> Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)
>>
>>
>> What happens is the following (p=plugin sends m=managesieve sends)
>>
>> p:authenticate "EXTERNAL" ""
>> m:""
>>
>> The response is unexpected. According to RFC 5804 an empty
>> challenge/response is sent as an empty string. So I would expect:
>>
>> p:authenticate "EXTERNAL" ""
>> m:OK "Logged in."
>>
>>
>>
>> With the use of gnutls-cli I could reproduce (c=I send m=managesieve
>> sends)
>>   gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile
>> marc_mail.crt -p sieve 172.17.1.4
>>
>> ...
>> m:OK "TLS negotiation successful."
>> c:authenticate "EXTERNAL" ""
>> m:""
>> c:""
>> m:OK "Logged in."
>>
>>
>> However if I try the "imap" syntax (rfc4959) I get logged in at once
>>
>> ...
>> m:OK "TLS negotiation successful."
>> c:authenticate "EXTERNAL" "="
>> m:OK "Logged in."
>>
>> Note that this is an imap only extension, "=" is an invalid base64
>> encoding.
> Will get back on this later.

This was actually a Dovecot problem. Merged yesterday:

https://github.com/dovecot/core/commit/451698c60d7b3a763742c8e99503ab30596036f0
https://github.com/dovecot/core/commit/e4b72bd73bfffda7906faa248eab31f936cfc6fa
https://github.com/dovecot/core/commit/ad3e5fb08578161731085cfc025659753d2682cb
https://github.com/dovecot/core/commit/981f260cfa17a22faf4ff047e479e63cad01aa65

Regards,

Stephan.



Re: ManageSieve: authenticate "EXTERNAL" not behaving correctly

Marc Weustink
Stephan Bosch wrote:
>
>
> On 28-10-2017 at 17:18, Stephan Bosch wrote:
>> On 10/26/2017 at 1:32 PM, Marc Weustink wrote:
...

Great, Thanks.
Marc