login with scram #1433

Closed
mjl- opened this issue Feb 14, 2024 · 2 comments
Labels
bug Something isn't working

mjl- commented Feb 14, 2024

Describe the bug

I tried the latest snappymail (2.34.1) docker image with mox (https://www.xmox.nl), and noticed SCRAM login is failing. I believe the snappymail sasl/scram client isn't finishing the login transaction.

To Reproduce
Steps to reproduce the behavior:

  1. Run mox locally (download a binary for your platform from https://beta.gobuilds.org/github.com/mjl-/mox and run it as "mox localserve").
  2. Login as mox@localhost with password moxmoxmox.
  3. It looks like you're being logged in, but instead you get back to the login screen. You don't see an error message, just have to login again. The snappymail console has more details:
[2024-02-14 13:57:02.556][1b7ca5e2] IMAP[WARNING]: MailSo\Imap\Exceptions\ResponseNotFoundException in /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Imap/Traits/ResponseParser.php:35
Stack trace:
#0 /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Imap/ImapClient.php(511): MailSo\Imap\ImapClient->partialParseResponse()
#1 /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Imap/ImapClient.php(455): MailSo\Imap\ImapClient->getResponse()
#2 /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Imap/ImapClient.php(261): MailSo\Imap\ImapClient->SendRequestGetResponse('LOGOUT')
#3 /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Net/NetClient.php(182): MailSo\Imap\ImapClient->Logout()
#4 /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Net/NetClient.php(45): MailSo\Net\NetClient->Disconnect()
#5 [internal function]: MailSo\Net\NetClient->__destruct()
#6 {main}
[2024-02-14 13:57:02.637][37757c32] IMAP[WARNING]: MailSo\Imap\Exceptions\ResponseNotFoundException in /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Imap/Traits/ResponseParser.php:35
Stack trace:
#0 /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Imap/ImapClient.php(559): MailSo\Imap\ImapClient->partialParseResponse()
#1 /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Imap/Commands/Folders.php(514): MailSo\Imap\ImapClient->yieldUntaggedResponses()
#2 /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Imap/Commands/Folders.php(614): MailSo\Imap\ImapClient->FolderList('', '*', false, true)
#3 /snappymail/snappymail/v/2.34.1/app/libraries/MailSo/Mail/MailClient.php(872): MailSo\Imap\ImapClient->FolderStatusList('', '*')
#4 /snappymail/snappymail/v/2.34.1/app/libraries/RainLoop/Actions/Folders.php(58): MailSo\Mail\MailClient->Folders('', '*', false)
#5 /snappymail/snappymail/v/2.34.1/app/libraries/RainLoop/ServiceActions.php(142): RainLoop\Actions->DoFolders()
#6 /snappymail/snappymail/v/2.34.1/app/libraries/RainLoop/Service.php(132): RainLoop\ServiceActi
#7 /snappymail/snappymail/v/2.34.1/app/libraries/RainLoop/Service.php(14): RainLoop\Service::Run
#8 /snappymail/snappymail/v/2.34.1/include.php(127): RainLoop\Service::Handle()
#9 /snappymail/index.php(11): include('/snappymail/sna...')
#10 {main}

Mox localserve prints the IMAP protocol messages and shows something like this (with long base64 data replaced with "..."):

"C: TAG1 AUTHENTICATE SCRAM-SHA-256 ...\r\n"
"S: + ...\r\n"
"C: ...\r\n"
"S: + ...\r\n"
"C: TAG2 LIST \"\" \"*\"\r\n"

After the last "S: + ...\r\n" message, the client (snappymail) should be sending a message to finish the continuation, then read the authentication response.

A transaction should look like this:

"C: TAG1 AUTHENTICATE SCRAM-SHA-256 ...\r\n"
"S: + ...\r\n"
"C: ...\r\n"
"S: + ...\r\n"
"C: \r\n"
"S: TAG1 OK [CAPABILITY ...] authenticate done\r\n"
"C: TAG2 LIST \"\" \"*\"\r\n"
...

See https://datatracker.ietf.org/doc/html/rfc9051#section-2.2.1 and these sentences:

  • Clients MUST follow the syntax outlined in this specification strictly. It is a syntax error to send a command with missing or extraneous spaces or arguments.
  • The next paragraph mentions AUTHENTICATE.
  • In all cases, the client MUST send a complete command (including receiving all command continuation request responses and sending command continuations for the command) before initiating a new command.

And see the example scram session in the imap4rev2 rfc, https://www.xmox.nl/xr/v0.0.9/rfc/9051.html#L6221

imap4rev1 has similar wording, see https://datatracker.ietf.org/doc/html/rfc3501#section-2.2.1. It doesn't have the scram example.

If you read only the SASL and SCRAM docs, you would think the protocol messages end after the final client message. The empty line is an IMAP requirement, for continuations.

Possible solution

I think a change is needed at https://github.com/the-djmaze/snappymail/blob/v2.34.1/snappymail/v/0.0.0/app/libraries/MailSo/Imap/ImapClient.php#L184. If I add the following, I can log in:

    $this->sendRaw('');
    $oResponse = $this->getResponse();

(I'm assuming getResponse throws an exception if the command doesn't return an "OK".)

I've seen a few other issues (now closed) about SCRAM, could be worth tagging those or its reporters in case they've disabled SCRAM after issues.
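The exchange described in the report above, as an added example that is not part of the original issue and is not snappymail or mox code: a generic SASL-over-IMAP client loop that answers every `+` continuation, including the last one with an empty line, run against a scripted server. `ScriptedServer`, `authenticate`, `toy_mechanism` and `demo` are hypothetical names, and the challenge and response payloads are constructed placeholders rather than real SCRAM messages.

```python
import base64
def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

class ScriptedServer:
    """Constructed stand-in for the IMAP server side of AUTHENTICATE.
    Challenges are placeholders, not real SCRAM messages."""
    def __init__(self, challenges):
        self.pending = list(challenges)  # challenges not yet sent
        self.tag = None
        self.outbox = []                 # lines the client has not read yet
        self.log = []                    # transcript in the issue's C:/S: style

    def send(self, line):                # client -> server, one line without CRLF
        self.log.append("C: " + line)
        if self.tag is None:             # first line: "TAG AUTHENTICATE MECH initial"
            self.tag = line.split(" ", 1)[0]
        if self.pending:
            reply = "+ " + b64(self.pending.pop(0))
        elif line == "":                 # empty continuation completes the command
            reply = self.tag + " OK authenticate done"
        else:                            # e.g. "TAG2 LIST ..." sent too early
            reply = self.tag + " BAD expected continuation data"
        self.log.append("S: " + reply)
        self.outbox.append(reply)

    def recv(self):
        return self.outbox.pop(0)

def authenticate(conn, tag, mech, initial, respond):
    """Answer every '+' continuation, then wait for the tagged result.
    respond(challenge) returns b"" once the mechanism has nothing left to say."""
    conn.send(f"{tag} AUTHENTICATE {mech} {b64(initial)}")
    while True:
        line = conn.recv()
        if line.startswith("+"):
            challenge = base64.b64decode(line[1:].strip())
            conn.send(b64(respond(challenge)))  # b64(b"") is "", i.e. a bare CRLF
        elif line.startswith(tag + " "):
            return line.split(" ", 2)[1] == "OK"

def toy_mechanism(challenge):
    # A real SCRAM client verifies the server signature in the last challenge here.
    return b"client-final" if challenge == b"server-first" else b""

def demo():
    server = ScriptedServer([b"server-first", b"server-final"])
    ok = authenticate(server, "TAG1", "SCRAM-SHA-256", b"client-first", toy_mechanism)
    return ok, server.log
```

`demo()` returns the login result and a six-line transcript whose fifth entry is the empty client continuation, matching the shape of the correct transaction in the report.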

@the-djmaze the-djmaze added the bug Something isn't working label Feb 14, 2024
@the-djmaze
Owner

Thanks!

The ResponseType::CONTINUATION was also missing 😉

@Neustradamus

@mjl-: Thanks for your ticket and thanks @the-djmaze for the fix!

This issue was closed.