Regarding Jan Behrend's message of 05.11.2014 17:15 (localtime):
> On Wed, 2014-11-05 at 17:04 +0100, Harry Schmalzbauer wrote:
>> Regarding Jan Behrend's message of 05.11.2014 17:01 (localtime):
>>> On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote:
>>>> Regarding Hans Morten Kind's message of 05.11.2014 16:48 (localtime):
>>>>> On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote:
>>>>>> as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes
>>>>>> from capabilities.
>>>>> Try setting login_trusted_networks to something you trust.
>>> root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms
>>> auth_mechanisms = plain login gssapi
>>> root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth
>>> disable_plaintext_auth = yes
>>> root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks
>>> login_trusted_networks =
>>>
>>>
>>> a CAPABILITY
>>> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>>> AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
>> You don't see LOGINDISABLED, so I guess rip==lip (you tested
>> @localhost), right?
> No, but I didn't show all of it ;-). Here it is:
>
> jbehrend@jb1:~$ gnutls-cli --starttls
> --x509cafile /etc/ssl/certs/Max-Planck-Gesellschaft.pem -p 143
> imap.mpifr-bonn.mpg.de
> Processed 1 CA certificate(s).
> Resolving 'imap.mpifr-bonn.mpg.de'...
> Connecting to '134.104.18.77:143'...
>
> - Simple Client Mode:
>
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE STARTTLS LOGINDISABLED] Dovecot ready.
> a starttls
> a OK Begin TLS negotiation now.
> *** Starting TLS handshake
> - Ephemeral Diffie-Hellman parameters
> - Using prime: 1024 bits
> - Secret key: 1023 bits
> - Peer's public key: 1023 bits
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> - subject
> `C=DE,ST=Nordrhein-Westfalen,L=Bonn,O=Max-Planck-Gesellschaft,OU=Max-Planck-Institut
> fuer Radioastronomie,CN=imap.mpifr-bonn.mpg.de', issuer
> `C=DE,O=Max-Planck-Gesellschaft,CN=MPG CA,EMAIL=mpg...@mpg.de', RSA key 4096
> bits, signed using RSA-SHA1, activated `2014-05-06 11:17:21 UTC', expires
> `2019-05-05 11:17:21 UTC', SHA-1 fingerprint
> `c0b4fb497ac212f0e05de24f2c097a0b712435cc'
> - The hostname in the certificate matches 'imap.mpifr-bonn.mpg.de'.
> - Peer's certificate is trusted
> - Version: TLS1.2
> - Key Exchange: DHE-RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> a CAPABILITY
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
> a OK Pre-login capabilities listed, post-login capabilities have more.
Sorry, I might have been unclear. Of course, AUTH=GSSAPI is offered if the connection passes STARTTLS, along WITH PLAIN (and LOGIN), but the intention of "disable_plaintext_auth" is to prevent PLAIN if _no_ encryption level was negotiated. So you see LOGINDISABLED before the TLS session and also _no_ GSSAPI! At that point (no encryption negotiated) I want to be able to get my Kerberos ticket validated :-)

disable_plaintext_auth = yes works as expected for PLAIN (and LOGIN); it isn't offered until encryption has successfully taken place. But I don't expect GSSAPI to also be disabled (regardless of whether encryption is available or not).

I have no idea why this could be the intended behaviour, and hope somebody can enlighten me :-)

Thanks,

-Harry
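An added example (not from the thread or from Dovecot) that checks a server for exactly the behaviour discussed here: which SASL mechanisms it advertises before STARTTLS, whether LOGINDISABLED is set, and which mechanisms it withholds until TLS is up. The two CAPABILITY lines embedded as sample input are the ones quoted above; audit_server() is the live variant and assumes the server offers STARTTLS on port 143.

```python
import imaplib
import ssl

# Password-carrying mechanisms, safe only under TLS; GSSAPI is deliberately absent.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# The two CAPABILITY responses quoted in the thread (before / after STARTTLS).
PRE_TLS_LINE = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready."
POST_TLS_LINE = "* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI"

def parse_capabilities(line):
    """Tokens from '* CAPABILITY ...' or the greeting form '* OK [CAPABILITY ...]'."""
    text = " ".join(line.split())
    if text.startswith("* OK [CAPABILITY") and "]" in text:
        text = text[text.index("[") + 1:text.index("]")]
    elif text.startswith("* CAPABILITY"):
        text = text[2:]
    else:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return set(text.split()[1:])

def auth_mechs(caps):
    return {c[5:] for c in caps if c.startswith("AUTH=")}

def assess(pre_tls, post_tls):
    """Findings from the capability sets seen before and after STARTTLS."""
    pre, post = auth_mechs(pre_tls), auth_mechs(post_tls)
    return {
        "starttls_offered": "STARTTLS" in pre_tls,
        # LOGINDISABLED: the cleartext LOGIN command is refused before TLS
        "login_cmd_blocked_pre_tls": "LOGINDISABLED" in pre_tls,
        # password-carrying mechanisms a client could still use before TLS
        "cleartext_exposed": sorted(pre & CLEARTEXT_MECHS),
        # mechanisms withheld until TLS is up, and the subset that needed no TLS
        "hidden_pre_tls": sorted(post - pre),
        "hidden_but_tls_independent": sorted((post - pre) - CLEARTEXT_MECHS),
    }

def audit_server(host, port=143, cafile=None):
    """Live check: greeting capabilities, STARTTLS, capabilities again.
    imaplib re-issues CAPABILITY itself after a successful STARTTLS."""
    imap = imaplib.IMAP4(host, port)
    try:
        pre = set(imap.capabilities)
        imap.starttls(ssl.create_default_context(cafile=cafile))
        post = set(imap.capabilities)
    finally:
        imap.logout()
    return assess(pre, post)
```

Running assess() on the two quoted lines reports GSSAPI as the one mechanism hidden before TLS that did not need hiding, which is the point of the complaint above.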