I saw some past chatter on this in the list archives, but here is another stab and another rationale. This patch follows a similar patch to openssh in that it allows any key in the specified keytab to match the incoming host key. This is necessary for multihomed hosts. See: https://bugzilla.mindrot.org/show_bug.cgi?id=928

IMAP/POP seem to be strong candidates to be multihomed because they are very likely to have an internal to a firewall and external to a firewall name. Due to the way MIT kerberos handles host name resolution via reverse IP lookup this can often result in multiple principal names and there is simply nothing to be done about it. This is my situation..

When you add windows into the mix, which uses a totally different set of rules to determine the principal, all hope seems to be lost to have a single service principal name for an imap server :(

I was able to make things work for my environment using only the auth_gssapi_hostname feature if only MIT kerberos was used, but as soon as windows SSPI was involved it chose a different hostname. Thus we want GSSAPI to match any service principal in the keytab.

As far as security concerns go, the admin can configure the keytab for dovecot to be separate from the system keytab and contain only valid imap SPNs, but in truth it probably doesn't matter.

I chose to just use the magic configurable: auth_gssapi_hostname = $ALL rather than introduce more configurables.

FWIW, after applying this I now am happy to say I have an Active Directory KDC, with dovecot providing gssapi auth to thunderbird on both linux (mit kerb 1.6) and windows (sspi)..

--- dovecot-1.0.13/src/auth/mech-gssapi.c 2007-12-11 11:52:08.000000000 -0700 +++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c 2008-08-11 23:52:15.000000000 -0600 
@@ -101,6 +101,13 @@ gss_name_t gss_principal; const char *service_name; + if (strcmp(request->auth->gssapi_hostname,"$ALL") == 0) { + auth_request_log_info(request, "gssapi", + "Using all keytab entires"); + *ret = GSS_C_NO_CREDENTIAL; + return GSS_S_COMPLETE; + } + if (strcasecmp(request->service, "POP3") == 0) { /* The standard POP3 service name with GSSAPI is called just "pop". */
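Review bot: the `$ALL` branch hands back `*ret = GSS_C_NO_CREDENTIAL` as the acceptor credential, which means the later accept step will use the default acceptor credential and match any principal present in dovecot's keytab, not only imap/pop service principals; since the rationale explicitly relies on the admin keeping a dedicated keytab with only valid imap SPNs to bound this, that requirement belongs in the config documentation for `auth_gssapi_hostname = $ALL` rather than only in the list post. Two smaller points in the same hunk: the log string "Using all keytab entires" has a typo ("entries"), and emitting it via `auth_request_log_info` on every authentication request is noisy for a setting that never changes at runtime, so a debug-level log (or logging once at startup) would suit better.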