Submission login fails with XOAuth2 and long OAuth2 tokens #8623
Comments
SMTP debug log from my local development machine:
This is with a 4096-bit RSA key signing the JWT. To mitigate the problem, I had to reduce to a 2048-bit and then even to a 1024-bit RSA key, to reduce the size of the tokens. Clearly, this is not a permanent solution, as with a longer JWT token the limit would be reached again.
Whilst Net_SMTP should support challenge auth, I've encountered this issue just now and as a test I've set
I am not aware of any similar settings for Dovecot's submission service.
Makes sense. Linking with @thomascube as the author of the change in Net_SMTP. Pull requests welcome.
Hi, pull request is there in Net_SMTP repo: pear/Net_SMTP#70.
The fix is included in Net_SMTP 1.10.1.
I am using Roundcube 1.5.3 with Dovecot 2.3.19.1 and XOAuth2 authentication towards Dovecot's submission service. My OAuth2 server provides JWT tokens, signed with 1024-bit RSA keys.
Occasionally, I am facing Dovecot returning a `500 5.5.2 Line too long` response to Roundcube's AUTH command. I was able to pinpoint the problem down to the RFC 4954 suggesting the following:
If I understand it correctly, the maximum length of a token that can be sent the way it is now (with the `AUTH XOAUTH2 <token>` command) is 512 bytes (SMTP line length limit) - 2 bytes (CRLF) - 13 bytes (length of the literal `AUTH XOAUTH2 `) = 497, base64-encoded.
For longer tokens, Roundcube must use the multiline variant of sending `AUTH XOAUTH2`, waiting for the 334 response from the server and then submitting the whole OAuth2 (JWT) token on the next line.
I am aware that the actual implementation lies in pear/Net_SMTP's codebase. However, the implementation was done by a Roundcube team member and it's effectively also a bug in Roundcube, so I am posting the issue both here and in the other repository and I'll cross-link them. Hope that's okay.
Also, if I did not understand the issue or the RFC right, I'll be happy for a correction. Otherwise I will start working on a PR.
Thank you!
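The length arithmetic and the two AUTH forms described in the report, as an added Python example (not code from Roundcube or Net_SMTP). The `user=...^Aauth=Bearer ...^A^A` string is the standard XOAUTH2 SASL format; the user, the tokens, the function names and the small server model are constructed for illustration, and the model's 235 reply text is made up.

```python
import base64

SMTP_MAX_LINE = 512              # SMTP command line limit, CRLF included
AUTH_PREFIX = b"AUTH XOAUTH2 "   # 13 bytes, trailing space included
CRLF = b"\r\n"

def xoauth2_payload(user, token):
    # XOAUTH2 SASL string: user=<user>^Aauth=Bearer <token>^A^A, base64-encoded
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01".encode("ascii")
    return base64.b64encode(raw)

def max_initial_response(max_line=SMTP_MAX_LINE):
    # Largest base64 payload that still fits on the AUTH line itself
    return max_line - len(CRLF) - len(AUTH_PREFIX)

def plan_auth(user, token, max_line=SMTP_MAX_LINE):
    """Return the client lines to send, in order."""
    payload = xoauth2_payload(user, token)
    if len(payload) <= max_initial_response(max_line):
        return [AUTH_PREFIX + payload + CRLF]
    # Too long for an initial response: bare AUTH, then the payload after 334
    return [b"AUTH XOAUTH2" + CRLF, payload + CRLF]

def model_server(lines, max_line=SMTP_MAX_LINE):
    """Constructed server model: only command lines are length-limited,
    and tokens are not validated."""
    replies, awaiting_response = [], False
    for line in lines:
        if awaiting_response:
            replies.append("235 2.7.0 Authentication successful")
            awaiting_response = False
        elif len(line) > max_line:
            replies.append("500 5.5.2 Line too long")
        elif line == b"AUTH XOAUTH2" + CRLF:
            replies.append("334 ")
            awaiting_response = True
        else:
            replies.append("235 2.7.0 Authentication successful")
    return replies

if __name__ == "__main__":
    user = "user@example.org"    # constructed
    long_token = "x" * 900       # constructed stand-in for a large JWT
    naive = [AUTH_PREFIX + xoauth2_payload(user, long_token) + CRLF]
    print(model_server(naive))                        # single-line form
    print(model_server(plan_auth(user, long_token)))  # two-step form
```

Because base64 output length is always a multiple of 4, the largest payload that actually fits on the AUTH line is 496 bytes rather than 497.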