Bug#611674: cyrus-clients-2.4: smtptest falsely claims user is authenticated
Dan White
dwhite at olp.net
Wed Feb 2 04:21:54 UTC 2011
On 01/02/11 22:49 -0200, Henrique de Moraes Holschuh wrote:
>On Mon, 31 Jan 2011, brian m. carlson wrote:
>> If I use smtptest with the -a and -u options but without -m, it claims
>> that I am authenticated when I am not. It does not even try to issue an
>> AUTH command. I am certain that bk2204 at example.com is not an authorized
>> user at the domain I've specified (since I administer that server).
>
>...
>
>> S: 220 2.0.0 Ready to start TLS
>> verify error:num=18:self signed certificate
>> TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>> C: EHLO smtptest
>> S: 250-castro.crustytoothpaste.net Hello [IPv6:2001:470:1f05:79:216:d3ff:feb3:801e], pleased to meet you
>> S: 250-ENHANCEDSTATUSCODES
>> S: 250-PIPELINING
>> S: 250-EXPN
>> S: 250-VERB
>> S: 250-8BITMIME
>> S: 250-SIZE
>> S: 250-DSN
>> S: 250-ETRN
>> S: 250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 PLAIN
>> S: 250-DELIVERBY
>> S: 250 HELP
>> Authenticated.
>> Security strength factor: 256
>
>We need the full telemetry to see what SASL is doing. Please run it in
>verbose mode. If it authenticated through GSSAPI, for example, it might not
>require a password.
>
>Did you, perchance, try to do something that requires one to be
>authenticated to work?
This does not appear to be related specifically to smtptest, but possibly
to several of the *test binaries using the imtest.c source.
To simplify things, this works like so using 2.2.13:
$ smtptest mail.olp.net
S: 220 pinky.olp.net ESMTP Postfix (Debian/GNU)
C: EHLO example.com
S: 250-pinky.olp.net
S: 250-PIPELINING
S: 250-SIZE 23405714
S: 250-VRFY
S: 250-ETRN
S: 250-STARTTLS
S: 250-AUTH GSSAPI OTP LOGIN PLAIN DIGEST-MD5 CRAM-MD5
S: 250-AUTH=GSSAPI OTP LOGIN PLAIN DIGEST-MD5 CRAM-MD5
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
C: AUTH DIGEST-MD5
<output cut>
Authentication failed. generic failure
and
$ lmtptest -p 2004 neo.olp.net
S: 220 neo Cyrus LMTP Murder v2.3.12-Debian-2.3.12-1-5 server ready
C: LHLO example.com
S: 250-neo
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250-AUTH CRAM-MD5 PLAIN GSSAPI OTP DIGEST-MD5 LOGIN
S: 250 IGNOREQUOTA
C: AUTH DIGEST-MD5
<output removed>
S: 501 5.5.4 undefined error!
Authentication failed. generic failure
However, using an upstream 2.4.6 installation (not installed from a Debian
package):
$ smtptest mail.olp.net
S: 220 pinky.olp.net ESMTP Postfix (Debian/GNU)
C: EHLO smtptest
S: 250-pinky.olp.net
S: 250-PIPELINING
S: 250-SIZE 23405714
S: 250-VRFY
S: 250-ETRN
S: 250-STARTTLS
S: 250-AUTH GSSAPI OTP LOGIN PLAIN DIGEST-MD5 CRAM-MD5
S: 250-AUTH=GSSAPI OTP LOGIN PLAIN DIGEST-MD5 CRAM-MD5
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
Authenticated.
Security strength factor: 0
# lmtptest -p 2004 neo.olp.net
S: 220 neo Cyrus LMTP Murder v2.3.12-Debian-2.3.12-1-5 server ready
C: LHLO lmtptest
S: 250-neo
S: 250-8BITMIME
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-SIZE
S: 250-STARTTLS
S: 250-AUTH CRAM-MD5 PLAIN GSSAPI OTP DIGEST-MD5 LOGIN
S: 250 IGNOREQUOTA
Authenticated.
Security strength factor: 0
Only if I specify a -m option does the client attempt to authenticate.
--
Dan White
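The behaviour the thread is asking the *test clients for, written out as an added example (Python; this is not code from cyrus-imapd, imtest.c or any of the *test binaries): the client parses the EHLO capability list, issues AUTH PLAIN only when the server advertises it, and reports "Authenticated." only after a 235 reply, never merely because the banner and EHLO succeeded. The in-memory SMTP responder, the host name pinky.example.net and the user/password pair are constructed for the example; a real client would speak to a socket, typically after STARTTLS, since PLAIN sends the password in the clear.

```python
import base64


class FakeSmtpServer:
    """Constructed in-memory ESMTP responder (not a real server).

    Advertises AUTH PLAIN LOGIN when advertise_auth is True and accepts
    exactly one credential pair.
    """

    def __init__(self, valid_user, valid_pass, advertise_auth=True):
        self.valid = (valid_user, valid_pass)
        self.advertise_auth = advertise_auth
        self.authenticated = False

    def greeting(self):
        return "220 pinky.example.net ESMTP ready"  # constructed host name

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            caps = ["250-pinky.example.net", "250-PIPELINING", "250-STARTTLS"]
            if self.advertise_auth:
                caps.append("250-AUTH PLAIN LOGIN")
            caps.append("250 8BITMIME")
            return caps
        if verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if not self.advertise_auth or mech.upper() != "PLAIN":
                return ["504 5.5.4 Unrecognized authentication type"]
            try:
                raw = base64.b64decode(initial, validate=True)
                _authzid, authcid, passwd = raw.split(b"\0")  # RFC 4616 layout
            except (ValueError, TypeError):
                return ["501 5.5.2 Cannot decode response"]
            if (authcid.decode(), passwd.decode()) == self.valid:
                self.authenticated = True
                return ["235 2.7.0 Authentication successful"]
            return ["535 5.7.8 Authentication credentials invalid"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["500 5.5.1 Command unrecognized"]


def smtp_auth_plain(server, user, password, telemetry=None):
    """Authenticate with AUTH PLAIN; return True only on a 235 reply.

    `telemetry` collects the C:/S: lines in the style the *test tools print.
    """
    log = telemetry if telemetry is not None else []

    def send(line):
        log.append("C: " + line)
        replies = server.handle(line)
        log.extend("S: " + r for r in replies)
        return replies

    log.append("S: " + server.greeting())
    ehlo = send("EHLO smtptest")
    if not ehlo[-1].startswith("250"):
        return False

    # Collect mechanisms from both "250-AUTH x y" and the legacy "250-AUTH=x y".
    mechs = set()
    for reply in ehlo:
        body = reply[4:]
        if body[:4].upper() == "AUTH" and body[4:5] in (" ", "="):
            mechs.update(m.upper() for m in body[5:].split())

    if "PLAIN" not in mechs:
        # No usable mechanism, so no AUTH command is issued; the only honest
        # answer is "not authenticated", whatever the EHLO exchange looked like.
        return False

    initial = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())
    reply = send("AUTH PLAIN " + initial.decode())
    return reply[-1].startswith("235")


def report(authenticated):
    return "Authenticated." if authenticated else "Authentication failed."


if __name__ == "__main__":
    log = []
    ok = smtp_auth_plain(FakeSmtpServer("bk2204", "secret"), "bk2204", "secret", log)
    print("\n".join(log))
    print(report(ok))
```

The third case in the test below mirrors the bug: a server that never advertises AUTH gets no AUTH command, and the client must then report failure rather than "Authenticated." with a security strength factor of 0.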
More information about the Pkg-Cyrus-imapd-Debian-devel mailing list