[Dovecot] [PATCH] Support GSS-SPNEGO natively

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Tue Aug 12 20:04:55 EEST 2008


On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote:
> Jason Gunthorpe wrote:
> >I cooked this up while trying to figure out why thunderbird on Windows
> >w/ SSPI was not working, but it turned out thunderbird does not use
> >it, so I haven't been able to test it yet. I'm presenting it for
> >discussion only, unless someone else can try it :)
> 
> thunderbird does all combinations of GSS auth w/ & w/o SSPI I've ever 
> tried; it's just a pain to find the correct combination of 
> network.negotiate-auth.* and network.auth.use-sspi settings for any 
> given case :) (plus enabling secure auth for the TB account at test)

Really? I was looking through the source to TB and I can't find where
it would use AUTH=GSS-SPNEGO..

For instance in 
mailnews/imap/src/nsImapServerResponseParser.cpp 

Where it parses the CAPABILITY reply it only looks for AUTH=GSSAPI

Then when it goes to do the auth DoGSSAPIStep1 creates a sasl-gssapi
which creates either a kerb-gss or a kerb-sspi and both of those set
PACKAGE_KERBEROS to disable SPNEGO.

I've been assuming AUTH=GSS-SPNEGO is only used by outlook?
 
Jason


More information about the dovecot mailing list