Now it's working fine! I finally succeeded. I worked around by increasing only the value of the line_length_limit option to 12288 ( same value as the default for smtpd_sasl_response_limit ) And create a specific keytab file containing the SPN ( /etc/postfix/smtp.keytab )
But I haven't thought about why the Kerberos ticket size is too big. Maybe I should ask the question about the samba list? In any case thank you all! Samuel Le lun. 4 oct. 2021 à 09:37, Sam R <sr42...@gmail.com> a écrit : > Good morning Viktor, > > Thank you for all this information, I will do the necessary for the > keytabs right away. > Concerning the clients, it is Thunderbird under Windows 10, the AD server > being Samba4. I will try to see why the Kerberos ticket is so long. I don't > think the problem is with Thunderbird but rather with Samba4. I'll check it > out. > > In the meantime, if I understand correctly, I must either increase : > - smtpd_sasl_response_limit ( currently 2048 ) > - line_length_limit ( currently 998 ) > - smtpd_sasl_response_limit and line_length_limit > > Samuel > > Le ven. 1 oct. 2021 à 19:15, Viktor Dukhovni <postfix-us...@dukhovni.org> > a écrit : > >> On Fri, Oct 01, 2021 at 12:47:29PM -0400, Viktor Dukhovni wrote: >> >> > > -- basics -- >> > > Postfix: 3.5.6 >> > >> > Since you're using Postfix 3.5, which by default supports long SASL >> > messages after the initial response, your client is in violation of the >> > SMTP SASL specification, and needs to have a bug filed against its SASL >> > GSSAPI implementation. If that client is also Postfix, file that bug >> > on this list. If not, reach out on the relevant forum, or bug tracking >> > system. >> >> Note that I rather expect the broken client is not Postfix 3.4 or later, >> since the Postfix SMTP client code since then reads in part: >> >> >> https://github.com/vdukhovni/postfix/blob/master/postfix/src/smtp/smtp_sasl_glue.c#L366-L388 >> >> /*- >> * Send the AUTH command and the optional initial client response. >> * >> * https://tools.ietf.org/html/rfc4954#page-4 >> * Note that the AUTH command is still subject to the line length >> * limitations defined in [SMTP]. If use of the initial response >> argument >> * would cause the AUTH command to exceed this length, the client >> MUST NOT >> * use the initial response parameter... >> * >> * https://tools.ietf.org/html/rfc5321#section-4.5.3.1.4 >> * The maximum total length of a command line including the command >> word >> * and the <CRLF> is 512 octets. >> * >> * Defer the initial response if the resulting command exceeds the >> limit. >> */ >> if (LEN(session->sasl_reply) > 0 >> && strlen(mechanism) + LEN(session->sasl_reply) + 8 <= 512) { >> smtp_chat_cmd(session, "AUTH %s %s", mechanism, >> STR(session->sasl_reply)); >> VSTRING_RESET(session->sasl_reply); /* no deferred initial >> reply */ >> } else { >> smtp_chat_cmd(session, "AUTH %s", mechanism); >> } >> >> > You can accommodate broken clients by raising line_length_limit even >> > on Postfix >= 3.4 systems where this should not otherwise be necessary >> > in most cases. >> >> So this is your short-term solution, as well as filing bugs against the >> actual broken clients. >> >> -- >> Viktor. >> >
