Regarding Harry Schmalzbauer's message of 05.11.2014 18:04 (localtime): …
Sorry, I might have been unclear. Of course, AUTH=GSSAPI is offered if connection passes STARTTLS, along WITH PLAIN (and LOGIN), but the intention of "disable_plaintext_auth" is to prevent PLAIN if _no_ encryption level was negotiated. So you see LOGINDISABLED before TLS session and also _no_ GSSAPI! At that point (no encryption negotiated) I want to be able to get my Kerberos ticket validated :-)
disable_plaintext_auth = yes works as expected for PLAIN (and LOGIN); it doesn't offer until encryption successfully took place. But I don't expect GSSAPI also being disabled (regardless if encryption is available or not). I have no idea why this could be the intended behaviour, and hope somebody can enlighten me :-)
Sorry for the noise. For those with the same intention and the same problem:
I had "ssl = required" set. That of course doesn't return any AUTH method unless encryption was negotiated. Setting it to "ssl = yes" instead leads to expected results in all variants :-)
Thanks,
-Harry
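
Added example, not part of the original message: a small Python check that reads an IMAP greeting or CAPABILITY line and reports which SASL mechanisms are advertised before TLS, which distinguishes the "ssl = required" case (no AUTH= at all) from "ssl = yes" with "disable_plaintext_auth = yes" (GSSAPI offered, PLAIN/LOGIN withheld). The function names and the sample lines are assumptions constructed from the behaviour described in the message, not captured server output.

```python
import re

# SASL mechanisms that put the password itself on the wire; they need TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capability(line):
    """Split an IMAP greeting or untagged CAPABILITY response into
    (auth mechanisms, other capabilities)."""
    m = re.search(r"\bCAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    if not m:
        raise ValueError("no CAPABILITY data in line: %r" % line)
    auth, caps = set(), set()
    for token in m.group(1).upper().split():
        if token.startswith("AUTH="):
            auth.add(token[5:])
        else:
            caps.add(token)
    return auth, caps

def audit_pre_tls(line):
    """Summarise what a server advertises on a connection without TLS."""
    auth, caps = parse_capability(line)
    return {
        "starttls": "STARTTLS" in caps,
        "logindisabled": "LOGINDISABLED" in caps,
        "plaintext_offered": sorted(auth & PLAINTEXT_MECHS),
        "gssapi_offered": "GSSAPI" in auth,
        # True when no AUTH= is advertised at all (the ssl = required case)
        "auth_suppressed": not auth,
    }

# Constructed sample lines, modelled on the behaviour described above.
SSL_REQUIRED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."
SSL_YES = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready."
AFTER_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI"

if __name__ == "__main__":
    for label, line in [("ssl = required", SSL_REQUIRED),
                        ("ssl = yes", SSL_YES),
                        ("after STARTTLS", AFTER_TLS)]:
        print(label, audit_pre_tls(line))
```

Any non-empty "plaintext_offered" on a line captured before STARTTLS means PLAIN or LOGIN is reachable without encryption.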