In article <[EMAIL PROTECTED]>, Simon Wilkinson <[EMAIL PROTECTED]> wrote:
]At the moment, if the 'Use Secure Authentication' option is set for a
]given protocol, the server at the other end offers GSSAPI as one of its
]supported SASL mechanisms, and the first call to init_secure_context for
]that server succeeds, we'll try to do GSSAPI auth against that server.
]If GSSAPI fails, then we'll fall back to trying a different
]authentication scheme.

This isn't a correct implementation, then. IMAP "secure authentication" is supposed to enable non-cleartext authentication when lower-level encryption isn't available. It makes no sense to have this enabled to enable kerberos auth. You need to be able to separately specify that you want kerberos authentication, on a per-account basis, without the "Use Secure Authentication" option enabled.

Since our server does not support secure authentication, your implementation does the following right now:

(a) If I already have a kerberos ticket in my cache, I get my mail as expected.

(b) If my ticket cache is empty, Thunderbird correctly posts a "your server does not support secure authentication" dialog. My key manager never prompts me to obtain a ticket.

You also need to be able to explicitly select (or deselect) kerberos auth because the server has a preferential list of authentication methods that may not match the client's needs. I want to force kerberos auth, and others may want to do, say, CRAM-MD5, if available, even if kerberos is preferred.

Finally, whatever method is being used to offer kerberos authentication for SMTP completely doesn't work for me, either, regardless of whether I have tickets in my cache or not. I get a "relaying denied" error, so GSSAPI auth is clearly not working, even though the server very clearly offers it, and indeed it works fine with Apple's Mail and Mulberry.

Can someone say more about how the SMTP code decides to use GSSAPI or not? I bet this is another case where you need to be able to explicitly select your authentication method for each server, just like with IMAP. Every other mail client I've used does it that way.

-- 
________ Jim Alexander __________________ [EMAIL PROTECTED] ________________
I have yet to see a problem, however complicated, which, when you looked at it in the right way, did not become still more complicated.
                                                        -- Poul Anderson

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
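
The per-account mechanism selection requested in the message above, sketched as an added example that is not part of the original post and is not Thunderbird's code. The function names, the `policy` values and the `AUTO_ORDER` preference list are assumptions made for illustration; the capability line is constructed.

```python
# Added illustration: choose a SASL mechanism from an IMAP CAPABILITY line
# according to an explicit per-account policy. All names are hypothetical.
CLEARTEXT = {"PLAIN", "LOGIN"}
# Client-side preference, used only when the account policy is "auto" (assumed order).
AUTO_ORDER = ["GSSAPI", "CRAM-MD5", "PLAIN"]

def advertised_mechanisms(capability_line):
    """Extract SASL mechanism names from the AUTH= tokens of a CAPABILITY line."""
    return [tok[5:].upper() for tok in capability_line.split()
            if tok.upper().startswith("AUTH=")]

def choose_mechanism(capability_line, policy="auto", have_ticket=False, tls=False):
    """Return (mechanism, action); action is 'authenticate',
    'acquire-ticket' or 'refuse'."""
    offered = advertised_mechanisms(capability_line)
    if policy != "auto":
        # Explicit per-account choice: never fall back silently to another
        # mechanism, whatever order the server prefers.
        if policy not in offered:
            return (None, "refuse")
        if policy == "GSSAPI" and not have_ticket:
            # Empty ticket cache: ask the key manager for a ticket rather
            # than reporting that secure authentication is unsupported.
            return ("GSSAPI", "acquire-ticket")
        return (policy, "authenticate")
    for mech in AUTO_ORDER:
        if mech not in offered:
            continue
        if mech == "GSSAPI" and not have_ticket:
            continue  # auto mode only uses GSSAPI when credentials exist
        if mech in CLEARTEXT and not tls:
            continue  # no cleartext password without lower-level encryption
        return (mech, "authenticate")
    return (None, "refuse")

# Constructed sample server greeting capability line.
SAMPLE = "* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=PLAIN"

if __name__ == "__main__":
    print(choose_mechanism(SAMPLE, "GSSAPI"))            # forced Kerberos, no ticket
    print(choose_mechanism(SAMPLE, "CRAM-MD5", True))    # forced CRAM-MD5
    print(choose_mechanism(SAMPLE, "auto"))              # automatic choice
```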