auth: client protocol: Recognize empty initial response field as an a…

…bsent initial response for older clients. Particularly, Exim sends an empty initial response field in the AUTH request for an authentication command that has no initial response. Originally, Dovecot allowed this, but this was recently changed so that the EXTERNAL SASL mechanism works properly from ManageSieve. This commit makes it allowed again for older authentication clients to send an empty initial response field for an authentication command that has no initial response part. Sending '=' for an empty initial response is still allowed in general.
dovecot · Jan 4, 2018 · 8de6351 · 8de6351
1 parent bf5315c
commit 8de6351
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
@@ -14,6 +14,7 @@
 #include "auth-penalty.h"
 #include "auth-request.h"
 #include "auth-token.h"
+#include "auth-client-connection.h"
 #include "auth-master-connection.h"
 #include "auth-request-handler.h"
 #include "auth-policy.h"
@@ -583,6 +584,13 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
 		/* No initial response */
 		request->initial_response = NULL;
 		request->initial_response_len = 0;
+	} else if (handler->conn->version_minor < 2 && *initial_resp == '\0') {
+		/* Some authentication clients like Exim send and empty initial
+		   response field when it is in fact absent in the
+		   authentication command. This was allowed for older versions
+		   of the Dovecot authentication protocol. */
+		request->initial_response = NULL;
+		request->initial_response_len = 0;
 	} else if (*initial_resp == '\0' || strcmp(initial_resp, "=") == 0 ) {
 		/* Empty initial response - Protocols that use SASL often
 		   use '=' to indicate an empty initial response; i.e., to