Hello, I was trying this bug,

I guess there is no bug right here.

On Tue, 11 Dec 2018 10:28:39 +0500 Igor Goldenberg <goldenb...@metalural.ru> wrote:
> Package: postfix
> Version: 3.1.8-0+deb9u1
> Severity: important
> File: /usr/lib/postfix/sbin/smtpd
>
> Dear Maintainer,
>
> after upgrading Debian from 8/jessie to 9/stretch I've started to
> receive periodic errors when a client tries to send an email with
> Kerberos/GSSAPI authentication via Postfix.
>
> The MUA is Thunderbird 60.2.1 on Windows Server 2016 in an AD domain.
> Thunderbird is set up to use STARTTLS with the Kerberos / GSSAPI
> authentication method. Sometimes the client gets a Kerberos error (the
> Kerberos/GSSAPI ticket was not received by the SMTP server) in the MUA, and in the
> log I can see:
>
> Dec 11 09:40:00 mx1 postfix/smtpd[9857]: warning: SASL authentication failure: Requested identity not authenticated identity
> Dec 11 09:40:00 mx1 postfix/smtpd[9857]: warning: unknown[192.168.1.3]: SASL GSSAPI authentication failed: authentication failure
>
> About 4-5% of all authentications have this error (~20 of ~500 in total
> per day). If the user closes the error window in Thunderbird and tries to send
> the email again, it usually sends successfully. There is no need to log in again on
> the Windows server or restart the mail client; just try again.
>
> Kerberos authentication is also used by the Cyrus IMAP server on the same
> Debian host and there are no errors with Kerberos there at all. So I think
> something is wrong on the Postfix side.
>
> Here is the SASL source code where this error ("Requested identity not
> authenticated identity") is raised.
>
> File lib/common.c, beginning at line 2625:
>
> static int
> _sasl_proxy_policy(sasl_conn_t *conn,
>                    void *context __attribute__((unused)),
>                    const char *requested_user, unsigned rlen,
>                    const char *auth_identity, unsigned alen,
>                    const char *def_realm __attribute__((unused)),
>                    unsigned urlen __attribute__((unused)),
>                    struct propctx *propctx __attribute__((unused)))
> {
>     if (!conn)
>         return SASL_BADPARAM;
>
>     if (!requested_user || *requested_user == '\0')
>         return SASL_OK;

Here you can see that if the client (MUA) does not send a user (requested_user), it just returns SASL_OK.

mutt as an example:

    set smtp_url = 'smtp://postfix00.zw.local:25/'

If it is set just as above, no requested_user exists.

But if instead it is set to

    set smtp_url = 'smtp://u...@postfix00.zw.local:25/'

then the authentication goes on to the next step.

>
>     if (!auth_identity || !requested_user || rlen != alen ||
>         (memcmp(auth_identity, requested_user, rlen) != 0)) {
>         sasl_seterror(conn, 0,
>                       "Requested identity not authenticated identity");
>         RETURN(conn, SASL_BADAUTH);
>     }
>
>     return SASL_OK;
> }

So if the requested user in smtp_url differs from the SASL-authenticated user, it stops and returns an error.

>
> I think Postfix incorrectly uses either 'auth_identity' or 'requested_user'


I actually built this setup and tested both situations.

I think it's fine to mark this "bug" as not a bug.

--
Lucas Castro
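The check discussed in this thread, as an added stand-alone example (not part of the thread and not Cyrus SASL's or Postfix's own code): the same decision as the quoted _sasl_proxy_policy() with the sasl_conn_t plumbing dropped, plus a small helper that pulls the user part out of a mutt-style smtp_url so the "no user" and "mismatched user" cases can be run side by side. The user names, the smtp_url values and the numeric return-code values are assumed.

```c
#include <stdio.h>
#include <string.h>

#define SASL_OK       0    /* names as in sasl.h; values assumed for this example */
#define SASL_BADAUTH -13

/* Same decision as the quoted _sasl_proxy_policy(), without the sasl_conn_t
 * plumbing: an absent/empty requested user is accepted, otherwise the requested
 * user must equal the authenticated identity byte for byte, length included. */
int proxy_policy(const char *requested_user, const char *auth_identity)
{
    if (!requested_user || *requested_user == '\0')
        return SASL_OK;
    if (!auth_identity)
        return SASL_BADAUTH;
    size_t rlen = strlen(requested_user), alen = strlen(auth_identity);
    if (rlen != alen || memcmp(auth_identity, requested_user, rlen) != 0)
        return SASL_BADAUTH;    /* "Requested identity not authenticated identity" */
    return SASL_OK;
}

/* User part of a mutt smtp_url ("smtp://alice@host:25/") copied into out
 * (capacity n); returns 1 if present, 0 (and an empty out) if absent. */
int smtp_url_user(const char *url, char *out, size_t n)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    const char *at = strchr(p, '@'), *slash = strchr(p, '/');
    if (!at || (slash && slash < at)) { out[0] = '\0'; return 0; }
    size_t len = (size_t)(at - p);
    if (len >= n) len = n - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed cases; the authenticated GSSAPI identity is assumed to be "alice". */
    const char *urls[] = { "smtp://postfix00.zw.local:25/",
        "smtp://alice@postfix00.zw.local:25/", "smtp://bob@postfix00.zw.local:25/" };
    char user[64];
    for (size_t i = 0; i < 3; i++) {
        smtp_url_user(urls[i], user, sizeof user);
        printf("%s -> requested=\"%s\" -> %s\n", urls[i], user,
               proxy_policy(user, "alice") == SASL_OK ? "SASL_OK" : "SASL_BADAUTH");
    }
    return 0;
}
```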
