On Wed, Apr 30, 2025 at 08:30:16PM +0300, Aki Tuomi via dovecot wrote:
> GSSAPI is one of these pretty opaque protocols. Since it works with mutt, and does not work with gsasl, it could be something with gsasl.
>
> I can only see one change in mech-gssapi, we use mech_gssapi_krb5_userok() always. Also we have added support for final response processing, which was missing in 2.3.21.1.

I've traced the issue to commit 1486c30 ("auth: Add support for channel binding"). With this commit reverted (along with 848cceb25c2 ("auth: mech-scram - Implement SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS"), which depends on it but isn't related to gssapi handling), authentication from gsasl is again possible.
I haven't looked deeply into exactly what in this commit is causing the regression yet.
https://github.com/dovecot/core/commit/1486c30e191
https://github.com/dovecot/core/commit/848cceb25c2
noah