problems with sasl 2.1.26 and GSSAPI

Ragnar Sundblad ragge at csc.kth.se
Mon Jun 10 18:38:16 EDT 2013


(I am starting a new thread, I cluttered up the previous one too badly.)

We are using:
Cyrus-imapd-2.4.17
Cyrus-sasl-2.1.26
heimdal 1.5.2
solaris 11.1 x86

We are setting up an aggregator (murder) configuration.

If we are using GSSAPI with TLS (TLS with certificates, only server
authenticated, no client certs), where GSSAPI is only used for client
authentication and TLS is used for encryption, things seem to work.


1.
If we do not use TLS, and use Kerberos for encryption, things start to
behave badly. The sasl GSSAPI module demands that the encrypted data
is not larger than a certain value, normally hard coded to 4096 bytes.
This means that the sasl clients (imap proxy, lmtp proxy, sieve proxy,
etc) can not send clear text data larger than 4096 minus the encryption
overhead (typically 60 or 64 bytes). Several of those clients fail to
check how large clear text blobs they may send, and/or comply with that
in all cases, and send 4096 byte cleartext anyway. We have made some
ugly patches to just cut down the clear text data size in all cases.

(Heimdal seems to have had a bug in this regard, but doesn't seem to
have that anymore.)

Is there anyone else out there running Kerberos (GSSAPI) authenticated
and Kerberos encrypted connection in a cyrus murder configuration,
preferably with sasl 2.1.26, that can tell if this is a problem with
just our installation?


2.
When we thought we had everything going, we now stumbled on another
problem, this time with Mac OS X Mail.app. If we disable TLS and only
use GSSAPI, it seems the server tries to use encryption, but the client
continues to use clear text. Mac OS X seems to have sasl about 2.1.22,
but I am not sure if that is what is actually used in this case. Below
is the debug output from Mail.app and the log entry from the server.
Has anyone else seen this problem?


Thanks for any hints!

/ragge

If anyone is interested in our patches, we can of course share them,
maybe post them here.

----------

The server logs:
Jun 11 00:20:55 fooserver.csc.kth.se imap[7316]: [ID 702911 auth.error] encoded packet size too big (858666784 > 4096)

858666784 = 0x332E3720 = "3.7 "
"3.7" is exactly what the client sends as can be seen below, actually
"3.7 CAPABILITY", in clear, when the server obviously is expecting GSSAPI
encrypted data.

----------

debug output from:
/Applications/Mail.app/Contents/MacOS/Mail -LogActivityOnHost fooserver.csc.kth.se

CONNECTED Jun 11 00:20:55.543 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae4aa1780

READ Jun 11 00:20:55.553 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae4aa1780
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE MUPDATE=mupdate://fooserver.csc.kth.se/ STARTTLS AUTH=GSSAPI AUTH=PLAIN SASL-IR] fooserver.csc.kth.se Cyrus IMAP Murder v2.4.17 server ready

WROTE Jun 11 00:20:55.558 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae2ab6320
1.7 ID ("name" "Mac OS X Mail" "version" "6.5 (1508)" "os" "Mac OS X" "os-version" "10.8.4 (12E55)" "vendor" "Apple Inc.")

READ Jun 11 00:20:55.570 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae2ab6320
* ID ("name" "Cyrus IMAPD" "version" "v2.4.17 d1df8aff 2012-12-01" "vendor" "Project Cyrus" "support-url" "http://www.cyrusimap.org" "os" "SunOS" "os-version" "5.11" "environment" "Built w/Cyrus SASL 2.1.26; Running w/Cyrus SASL 2.1.26; Built w/Berkeley DB 5.1.25: (January 28, 2011); Running w/Berkeley DB 5.1.25: (January 28, 2011); Built w/OpenSSL 1.0.0j 10 May 2012; Running w/OpenSSL 1.0.0k 5 Feb 2013; Built w/zlib 1.2.3-T4mods; Running w/zlib 1.2.3-T4mods; CMU Sieve 2.4; NET-SNMP; mmap = shared; lock = fcntl; nonblock = fcntl; idle = poll")
1.7 OK Completed

WROTE Jun 11 00:20:55.632 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae2e624c0
2.7 AUTHENTICATE GSSAPI YIICxxxx....

READ Jun 11 00:20:55.704 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae2e624c0
+ YIGZxxxxxx...

WROTE Jun 11 00:20:55.705 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae2e624c0

READ Jun 11 00:20:55.713 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae2e624c0
+ BQQxxxx....

WROTE Jun 11 00:20:55.714 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae2e624c0
BQQxxxx....

READ Jun 11 00:20:55.725 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae2e624c0
2.7 OK Success (privacy protection) SESSIONID=<fooserver.csc.kth.se-7316-1370902855-1>

WROTE Jun 11 00:20:55.727 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae1cb0d10
3.7 CAPABILITY

READ Jun 11 00:20:55.737 [kCFStreamSocketSecurityLevelNone]  -- host:fooserver.csc.kth.se -- port:143 -- socket:0x7fdae28d50b0 -- thread:0x7fdae1cb0d10
??
X???1??7o\???#?>s:<j>p??Lڵ[x?0<?Y?
                                  ??jro2qHo??"ȴC2
? ??;:h?$\U??E??
?Q?)?we??X?     u???
           ,?&~?r?qCW2013-06-11 00:20:55.737 Mail[2685:b907] _NSSocket:248 CFReadStreamRead() failed; socket=0x7fdae28d50b0 error=(*Unknown*,0)
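The two symptoms in this post share one mechanism: after AUTHENTICATE GSSAPI negotiates a security layer, every subsequent packet on the wire starts with a 4-byte big-endian length, and the receiver rejects any length above the negotiated maximum buffer (4096 here). The example below, added here and not code from the post or from Cyrus SASL, shows both halves in Python: the sender-side budget (maxbuf minus wrap overhead, with the 64-byte overhead being an assumption the post only gives as "typically 60 or 64") and the receiver-side length check, including how a cleartext "3.7 CAPABILITY" decodes to the 858666784 seen in the server log. The function names and the constructed sample inputs are mine.

```python
import struct

# Default GSSAPI security-layer maximum buffer quoted in the post (4096 bytes).
DEFAULT_MAXBUF = 4096
# Per-packet wrap overhead; the post says "typically 60 or 64", 64 is assumed here.
ASSUMED_WRAP_OVERHEAD = 64


def max_cleartext(maxbuf=DEFAULT_MAXBUF, overhead=ASSUMED_WRAP_OVERHEAD):
    """Largest cleartext a sender may wrap so the wrapped packet stays <= maxbuf."""
    return maxbuf - overhead


def split_cleartext(data, maxbuf=DEFAULT_MAXBUF, overhead=ASSUMED_WRAP_OVERHEAD):
    """Chunk cleartext so every piece fits under the peer's maxbuf after wrapping.

    This is the sender-side check the post says several proxies skip when they
    push a full 4096-byte cleartext blob at the security layer.
    """
    limit = max_cleartext(maxbuf, overhead)
    return [data[i:i + limit] for i in range(0, len(data), limit)]


def wrap_packet(payload):
    """Prefix a (here: already wrapped) payload with the 4-byte big-endian length."""
    return struct.pack(">I", len(payload)) + payload


def inspect_packet(buf, maxbuf=DEFAULT_MAXBUF):
    """Decode the length prefix of a SASL security-layer packet and classify it.

    Returns a dict: ok=True with the payload, or ok=False with the reason the
    receiver would reject it. When the rejected length's four bytes are all
    printable ASCII, the most likely cause is a peer still talking cleartext
    after the server switched to the security layer.
    """
    if len(buf) < 4:
        return {"ok": False, "reason": "short read", "length": None}
    (length,) = struct.unpack(">I", buf[:4])
    if length > maxbuf:
        prefix = buf[:4]
        looks_like_text = all(0x20 <= b < 0x7F for b in prefix)
        return {
            "ok": False,
            "reason": "encoded packet size too big (%d > %d)" % (length, maxbuf),
            "length": length,
            "cleartext_prefix": prefix.decode("ascii") if looks_like_text else None,
        }
    if len(buf) < 4 + length:
        return {"ok": False, "reason": "truncated packet", "length": length}
    return {"ok": True, "length": length, "payload": buf[4:4 + length]}


if __name__ == "__main__":
    # Constructed input: what a client sends if it never enables the security layer.
    cleartext_cmd = b"3.7 CAPABILITY\r\n"
    print(inspect_packet(cleartext_cmd))
    # Constructed input: a properly length-prefixed packet.
    print(inspect_packet(wrap_packet(b"wrapped-token-bytes")))
    # Sender-side budget and chunking of an oversized cleartext blob (constructed).
    print("cleartext limit:", max_cleartext())
    print([len(c) for c in split_cleartext(b"A" * 10000)])
```

Running it reproduces the server's complaint for the cleartext command: the bytes `3`, `.`, `7`, space are 0x33 0x2E 0x37 0x20, read as a big-endian length that is 858666784, far above 4096, and the `cleartext_prefix` field makes the misbehaving-peer diagnosis explicit instead of leaving only a puzzling number in the log. For the proxies in point 1, `split_cleartext` is the budget check a sender has to apply before wrapping.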



