Malformed login packet
Maxim Dounin
mdounin at mdounin.ru
Tue Oct 13 14:06:13 UTC 2020
Hello!
On Tue, Oct 13, 2020 at 01:08:57PM +0000, Fabian Flückiger wrote:
> I am using NGINX as a mailproxy and recently discovered, that wireshark detects IMAP-LOGIN messages sent by nginx as "Malformed".
>
> The message contains: Line: 3 LOGIN {18}\r\n (HEX: 0000 33 20 4c 4f 47 49 4e 20 7b 31 38 7d 0d 0a)
This certainly isn't malformed (though incomplete). Most likely,
Wireshark fails to recognize IMAP string literal correctly.
> Some imap servers react to this with "BAD UNKNOWN Command" and close the connection.
Define "some imap servers".
> Here the full communication between nginx and backend:
>
> 3 LOGIN {18}
>
> + go ahead
>
> <redacted user> {9}
>
> + go ahead
>
> <redacted pass>
>
> 3 OK LOGIN completed
>
> 4 CAPABILITY
>
>
> BAD UNKNOWN Command
>
>
> any ideas?
The error seems to be returned to the "4 CAPABILITY" command.
This is not a command nginx sends, rather something it proxies
from the client.
Nevertheless, this seems to be incorrect behaviour of the backend
server: the CAPABILITY command looks perfectly valid. Moreover, even
for unrecognized commands correct response would be "* BAD ...",
that is, an untagged response, prefixed with the token "*".
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list