Submission login fails with XOAuth2 and long OAuth2 tokens #8623

Closed
AlesKrajnik opened this issue Jul 20, 2022 · 6 comments

Comments

@AlesKrajnik

I am using Roundcube 1.5.3 with Dovecot 2.3.19.1 and XOAuth2 authentication towards Dovecot's submission service. My OAuth2 server provides JWT tokens, signed with 1024-bit RSA keys.

Occasionally, I am facing Dovecot returning 500 5.5.2 Line too long response to the Roundcube's AUTH command. I was able to pinpoint the problem down to the RFC 4954 suggesting the following:

Note that the AUTH command is still subject to the line length limitations defined in [SMTP]. If use of the initial response argument would cause the AUTH command to exceed this length, the client MUST NOT use the initial response parameter (and instead proceed as defined in Section 5.1 of [SASL]).

If I understand it correctly, the maximum length of a token that can be sent the way it is now (with AUTH XOAUTH2 <token> command) is 512 bytes (SMTP line length limit) - 2 bytes (CRLF) - 13 bytes (length of the literal AUTH XOAUTH2 ) = 497, base64-encoded.

For longer tokens, Roundcube must use the multiline variant of sending AUTH XOAUTH2, waiting for 334 response from the server and then submitting the whole OAuth2 (JWT) token on the next line.

I am aware that the actual implementation lies in pear/Net_SMTP's codebase. However, the implementation was done by Roundcube team member and it's effectively also a bug in Roundcube, so I am posting the issue both here and in the other repository and I'll cross-link them. Hope that's okay.

Also, if I did not understand the issue or the RFC right, I'll be happy for a correction. Otherwise I will start working on a PR.

Thank you!
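The two forms of the AUTH exchange described above, as an added example that is not part of the original issue, of Roundcube or of Net_SMTP: a client helper that builds the SASL XOAUTH2 string, applies the 512 - 2 - 13 = 497 byte budget from the post, and falls back to the two-step form (bare `AUTH XOAUTH2`, wait for `334`, send the base64 response on its own line) when the initial response would not fit. The `FakeSubmissionServer`, its reply strings and the sample user/token values are constructed for the example; a real server is not contacted. The fake server enforces the line limit on command lines only, because RFC 4954 section 4 requires servers to accept SASL challenge responses as long as the mechanism generates, independent of other line length limits.

```python
import base64

SMTP_LINE_LIMIT = 512          # RFC 5321 4.5.3.1.6: max command line, including CRLF
AUTH_PREFIX = "AUTH XOAUTH2 "  # 13 bytes, as counted in the issue
CRLF_LEN = 2


def xoauth2_initial_response(user: str, token: str) -> str:
    """Build the base64 SASL XOAUTH2 string: user=<u>^Aauth=Bearer <t>^A^A."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01".encode()
    return base64.b64encode(raw).decode()


def initial_response_fits(encoded: str) -> bool:
    """True when 'AUTH XOAUTH2 <encoded>\\r\\n' stays within 512 bytes (payload <= 497)."""
    return len(AUTH_PREFIX) + len(encoded) + CRLF_LEN <= SMTP_LINE_LIMIT


class FakeSubmissionServer:
    """Constructed stand-in for a submission server (not Dovecot code).

    Rejects over-long command lines with the 500 5.5.2 reply seen in the issue
    and supports the two-step AUTH form with an empty 334 challenge.
    """

    OK = "235 2.7.0 Logged in."          # constructed reply text
    FAIL = "535 5.7.8 Authentication failed"
    TOO_LONG = "500 5.5.2 Line too long"

    def __init__(self) -> None:
        self.awaiting_response = False
        self.transcript = []  # list of ("C"|"S", line) pairs

    def handle(self, line: str) -> str:
        self.transcript.append(("C", line))
        if self.awaiting_response:
            # SASL response line: no command-line length check (RFC 4954 section 4)
            self.awaiting_response = False
            reply = self.OK if self._valid(line) else self.FAIL
        elif len(line.encode()) + CRLF_LEN > SMTP_LINE_LIMIT:
            reply = self.TOO_LONG
        elif line == "AUTH XOAUTH2":
            self.awaiting_response = True
            reply = "334 "  # empty challenge, client answers on the next line
        elif line.startswith(AUTH_PREFIX):
            reply = self.OK if self._valid(line[len(AUTH_PREFIX):]) else self.FAIL
        else:
            reply = "500 5.5.2 Command not recognized"
        self.transcript.append(("S", reply))
        return reply

    @staticmethod
    def _valid(encoded: str) -> bool:
        """Structural check of the XOAUTH2 string; a real server would verify the token."""
        try:
            raw = base64.b64decode(encoded, validate=True)
        except (ValueError, base64.binascii.Error):
            return False
        return (raw.startswith(b"user=")
                and b"\x01auth=Bearer " in raw
                and raw.endswith(b"\x01\x01"))


def authenticate(server: FakeSubmissionServer, user: str, token: str,
                 force_initial_response: bool = False) -> str:
    """Run AUTH XOAUTH2, choosing the form by the line-length budget.

    force_initial_response reproduces the pre-fix client behaviour that
    always sends the token on the AUTH line, so the failure can be observed.
    """
    encoded = xoauth2_initial_response(user, token)
    if force_initial_response or initial_response_fits(encoded):
        return server.handle(AUTH_PREFIX + encoded)
    reply = server.handle("AUTH XOAUTH2")
    if not reply.startswith("334"):
        return reply
    return server.handle(encoded)


if __name__ == "__main__":
    # A token longer than the budget: the old form fails, the two-step form succeeds.
    long_token = "x" * 600  # constructed; a 4096-bit RSA JWT signature alone is ~683 chars
    print(authenticate(FakeSubmissionServer(), "alice", long_token, force_initial_response=True))
    print(authenticate(FakeSubmissionServer(), "alice", long_token))
```

Run stand-alone it prints the `500 5.5.2 Line too long` reply for the single-line form and the constructed `235` reply for the two-step form with the same token. The budget check is deliberately computed on the encoded length, since base64 inflates the raw XOAUTH2 string by a third.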

@AlesKrajnik (Author) commented Jul 21, 2022

SMTP debug log from my local development machine:

smtp: <f9ab3edc> Connecting to tls://host.docker.internal:587...
smtp: <f9ab3edc> Recv: 220 dovecot Dovecot ready.
smtp: <f9ab3edc> Send: EHLO localhost
smtp: <f9ab3edc> Recv: 250-dovecot
smtp: <f9ab3edc> Recv: 250-8BITMIME
smtp: <f9ab3edc> Recv: 250-BURL imap
smtp: <f9ab3edc> Recv: 250-CHUNKING
smtp: <f9ab3edc> Recv: 250-ENHANCEDSTATUSCODES
smtp: <f9ab3edc> Recv: 250-SIZE 62914560
smtp: <f9ab3edc> Recv: 250-STARTTLS
smtp: <f9ab3edc> Recv: 250 PIPELINING
smtp: <f9ab3edc> Send: STARTTLS
smtp: <f9ab3edc> Recv: 220 2.0.0 Begin TLS negotiation now.
smtp: <f9ab3edc> Send: EHLO localhost
smtp: <f9ab3edc> Recv: 250-dovecot
smtp: <f9ab3edc> Recv: 250-8BITMIME
smtp: <f9ab3edc> Recv: 250-AUTH PLAIN LOGIN OAUTHBEARER XOAUTH2
smtp: <f9ab3edc> Recv: 250-BURL imap
smtp: <f9ab3edc> Recv: 250-CHUNKING
smtp: <f9ab3edc> Recv: 250-ENHANCEDSTATUSCODES
smtp: <f9ab3edc> Recv: 250-SIZE 62914560
smtp: <f9ab3edc> Recv: 250 PIPELINING
smtp: <f9ab3edc> Send: AUTH XOAUTH2 [base64 token elided]
smtp: <f9ab3edc> Recv: 500 5.5.2 Line too long
errors: <f9ab3edc> PHP Error: Invalid response code received from server (POST /?_task=mail&_unlock=loading1658398818982&_framed=1&_lang=en&_action=send)
smtp: <f9ab3edc> Send: ****** [4]
smtp: <f9ab3edc> Recv: 221 2.0.0 Bye
errors: <f9ab3edc> SMTP Error: Authentication failure: Invalid response code received from server (Code: 500) in /var/www/htdocs/program/lib/Roundcube/rcube.php on line 1778 (POST /?_task=mail&_unlock=loading1658398818982&_framed=1&_lang=en&_action=send)

This is with 4096-bit RSA key signing the JWT. To mitigate the problem, I had to reduce to 2048-bit and then even to 1024-bit RSA key, to reduce the size of the tokens. Clearly, this is not a permanent solution as with longer JWT token the limit would be reached again.

@Westie commented Jul 24, 2022

Whilst Net_SMTP should support challenge auth, I've encountered this issue just now and as a test I've set line_length_limit = 8192 within postfix and I haven't had anything explode yet.

@AlesKrajnik (Author)

I am not aware of any similar settings for Dovecot's submission service.

@alecpl alecpl added this to the later milestone Jul 29, 2022
@alecpl (Member) commented Jul 29, 2022

Makes sense. Linking with @thomascube as the author of the change in Net_SMTP. Pull requests welcome.

@AlesKrajnik (Author)

Hi, the pull request is in the Net_SMTP repo: pear/Net_SMTP#70.
@thomascube Please feel free to review & modify or give me feedback on how I can improve it.

@alecpl alecpl modified the milestones: later, 1.6.1 Sep 24, 2022
@alecpl (Member) commented Sep 24, 2022

The fix is included in Net_SMTP 1.10.1.

@alecpl alecpl closed this as completed Sep 24, 2022
3 participants