Package: dovecot-imapd
Version: 1:1.0.7-1
Severity: minor
Tags: patch
When attempting to use an unsupported SASL mechanism, Dovecot responds:

    BAD Unsupported authentication mechanism.

whereas it SHOULD (according to RFC 3501 6.2.2) use NO instead. One solution is to change client-authenticate.c:211 to

    msg = reply = "NO ";

since the only possible cases for BAD to occur are that the command is unknown, which is not permitted because AUTH=PLAIN is required to be supported; the arguments are invalid, which is already handled in cmd_authenticate by returning -1; or the authentication exchange was somehow cancelled, which I see no code for (which is probably a separate bug).
Note that this also occurs when using LOGIN when it is not supported because no password database is enabled.
Transcript of a session with unsupported SASL mechanism:

    lakeview ok % imtest -m DIGEST-MD5 -u bmc crustytoothpaste.ath.cx
    S: * OK Dovecot ready.
    C: C01 CAPABILITY
    S: * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=GSSAPI
    S: C01 OK Capability completed.
    C: A01 AUTHENTICATE DIGEST-MD5
    S: A01 BAD Unsupported authentication mechanism.
    base64 decoding error
    Authentication failed. generic failure
    Security strength factor: 0
    * LOGOUT
    * BYE Logging out
    * OK Logout completed.
    Connection closed.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.23-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
a typesetting engine: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
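As an added illustration (not part of the bug report or of Dovecot), the following script audits an IMAP session transcript for the RFC 3501 6.2.2 point raised above: it pairs each AUTHENTICATE command with its tagged reply and flags a BAD answer to a mechanism the server never advertised in CAPABILITY, where NO is required. The sample session is constructed to mirror the report's exchange, with an extra GSSAPI attempt added for contrast.

```python
import re

# Constructed sample transcript, modelled on the session in the report (not the original bytes).
SAMPLE_SESSION = """\
S: * OK Dovecot ready.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 SASL-IR STARTTLS LOGINDISABLED AUTH=GSSAPI
S: C01 OK Capability completed.
C: A01 AUTHENTICATE DIGEST-MD5
S: A01 BAD Unsupported authentication mechanism.
C: A02 AUTHENTICATE GSSAPI
S: A02 NO Authentication failed.
"""

CAP_RE = re.compile(r"^\* CAPABILITY (.*)$")
AUTH_CMD_RE = re.compile(r"^(\S+) AUTHENTICATE (\S+)", re.IGNORECASE)
TAGGED_RE = re.compile(r"^(\S+) (OK|NO|BAD)\b(.*)$")

def parse_advertised(cap_text):
    """Collect the SASL mechanisms a CAPABILITY response advertises (AUTH=xxx tokens)."""
    return {tok.split("=", 1)[1].upper() for tok in cap_text.split() if tok.upper().startswith("AUTH=")}

def audit_transcript(transcript):
    """Pair each AUTHENTICATE command with its tagged reply and judge the reply against
    RFC 3501 6.2.2: an unsupported mechanism must be refused with NO, never BAD."""
    advertised, pending, findings = set(), {}, []   # pending maps tag -> requested mechanism
    for raw in transcript.splitlines():
        who, _, line = raw.partition(": ")
        if who == "S":
            m = CAP_RE.match(line)
            if m:
                advertised = parse_advertised(m.group(1))
                continue
            m = TAGGED_RE.match(line)
            if m and m.group(1) in pending:
                tag, status = m.group(1), m.group(2)
                mech = pending.pop(tag)
                if status == "BAD" and mech not in advertised:
                    verdict = "noncompliant: unsupported mechanism should get NO (RFC 3501 6.2.2)"
                elif status == "BAD":
                    verdict = "BAD on an advertised mechanism: check syntax or cancelled exchange"
                else:
                    verdict = "compliant"
                findings.append((tag, mech, status, verdict))
        elif who == "C":
            m = AUTH_CMD_RE.match(line)
            if m:
                pending[m.group(1)] = m.group(2).upper()
    return findings

if __name__ == "__main__":
    for finding in audit_transcript(SAMPLE_SESSION):
        print(*finding)
```

The same checker can be pointed at a raw capture of any IMAP server to confirm whether the patched behaviour (NO for an unadvertised mechanism) is what clients actually see.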