Hi all,
I am trying to get GSSAPI working for sieve. I already found there was an issue with GSSAPI in dovecot 2.4 and applied the patch from this thread:
https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/MWCLQC...
With the patch GSSAPI now works for imap.
I test this with "imtest" from the Cyrus tools:
imat@speedy:~> imtest -v -p 143 -u imat -m GSSAPI manitou.disconnected.homeip.net
S: * OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS ID ENABLE IDLE SASL-IR LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
C: A01 AUTHENTICATE GSSAPI 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
S: + YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvzFWfR5FTOl77CqiMZ7qWR4I6JqXdi0JbIG4xTYJNYvQSsvxAxyfEiGINTMW5QytlcMvfiJpTj0U2Fd3Hr/MzLcCeCRwJ9jTg8m2E1ZgpmzmpXzl7xGq+MRIvetu3Wdgxum+ZQ8jPS1obTnI1Vh7I
C:
S: + BQQF/wAMAAAAAAAAHJz31AH///+2dWHfKNY/6f01FUw=
C: BQQE/wAMAAAAAAAABI42iwEAAABpbWF0C53m6npnJwjAfaEu
S: A01 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE REPLACE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW SPECIAL-USE STATUS=SIZE SAVEDATE COMPRESS=DEFLATE INPROGRESS NOTIFY LITERAL+] Logged in
Authenticated.
Security strength factor: 0
C: Q01 LOGOUT
* BYE Logging out
Q01 OK Logout completed (0.001 + 0.000 secs).
Connection closed.
When I try to use "sivtest" from the Cyrus tools, it hangs, and it looks like sivtest is still waiting for some data:
imat@speedy:~> sivtest -v -p 4190 -u imat -m GSSAPI manitou.disconnected.homeip.net
S: "IMPLEMENTATION" "Dovecot Pigeonhole"
S: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include body variables enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
S: "NOTIFY" "mailto"
S: "SASL" "GSSAPI"
S: "STARTTLS"
S: "VERSION" "1.0"
S: OK "Dovecot ready."
C: AUTHENTICATE "GSSAPI" {1076+}
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
S: "YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvEb5fwEVTKq3wm3xJawxEVD9Ngdz3tmzW5a8wJAh9lSRYSE0aJS97LvUtT1mWqZTFx5AZMJGfM7KpcbmJc3cOkVhe5lTUQDir58n1RywkyWYM6RvKd1Vzeonxt/AyJi7rN1CMR9VIh2KZUItIsz1y"
Here it hangs until timeout.
May 24 10:10:36 manitou dovecot[45007]: auth(imat@disconnected.homeip.net,192.168.42.24,sasl:gssapi)<mh73Nt01+OHAqCoY>: Request timed out waiting for client to continue authentication (150 secs)
May 24 10:11:06 manitou dovecot[45007]: managesieve-login: Login aborted: Inactivity during authentication (client didn't finish SASL auth, 1 attempts in 180 secs) (auth_waiting_client): user=<>, method=GSSAPI, rip=192.168.42.24, lip=192.168.42.42, session=<mh73Nt01+OHAqCoY>
and sivtest ends with this:
S: BYE "Disconnected for inactivity during authentication."
base64 decoding error
Authentication failed. generic failure
Security strength factor: 0
Connection closed.
The "base64 decoding error" is probably unrelated, as it tries to decode the "S: BYE .....".
I also tested with other sieve clients; none of them work (though they report different issues), while all tested imap clients do work. My guess is some small fix like the one from above is also needed for dovecot-pigeonhole.
This is the config I use:
manitou:~ # dovecot -n
2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
Pigeonhole version 2.4.1-4 (0a86619f)
OS: Linux 6.14.6-1-default x86_64
Hostname: manitou.disconnected.homeip.net
4 default setting changes since version 2.4.0
dovecot_config_version = 2.4.0
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = manitou.disconnected.homeip.net
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
dovecot_storage_version = 2.4.0
protocols {
  imap = yes
  lmtp = yes
  sieve = yes
}
protocol lmtp {
  auth_username_format = %{user | username}
  mail_plugins = sieve
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
  }
}
namespace inbox {
  mail_driver = maildir
  mail_inbox_path = ~/Maildir/.INBOX
  mail_path = ~/Maildir
  inbox = yes
  separator = /
}
passdb pam {
  service_name = dovecot
}
userdb passwd {
  use_worker = yes
}
ssl_server {
  cert_file = /etc/ssl/servercerts/servercert.pem
  key_file = /etc/ssl/servercerts/serverkey.pem
}
service managesieve-login {
}
service managesieve {
}
sieve_script personal {
  active_path = ~/.dovecot.sieve
  path = ~/.sieve
}
What logs/info are needed to dig into it?
Thanks and regards,
Tami
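
Added example (not part of the original post, and not Dovecot or Cyrus code): a small Python decoder for the base64 tokens in the two traces above, using the RFC 4121 token layout and the RFC 4752 security-layer message format. It identifies the server token in both traces as a Kerberos AP-REP and the last two IMAP tokens as the security-layer negotiation, which is the step the sivtest session never reaches. Function and constant names are chosen for this example, and the AP-REP sample is only the first 24 characters of the server token.

```python
import base64
import struct

KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2
KRB5_TOK_ID = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
LAYERS = {1: "none", 2: "integrity", 4: "confidentiality"}   # RFC 4752 bitmask

# Tokens copied from the traces in the post (AP-REP cut to its first 24 chars).
AP_REP_PREFIX = "YIGZBgkqhkiG9xIBAgICAG+B"
SERVER_WRAP = "BQQF/wAMAAAAAAAAHJz31AH///+2dWHfKNY/6f01FUw="
CLIENT_WRAP = "BQQE/wAMAAAAAAAABI42iwEAAABpbWF0C53m6npnJwjAfaEu"

def classify(b64_token):
    """Identify one base64 SASL GSSAPI token taken from a protocol trace."""
    raw = base64.b64decode(b64_token)
    if raw[:1] == b"\x60":                          # RFC 2743 initial-context framing
        pos = raw.find(KRB5_OID)
        if pos < 0:
            return {"kind": "context token (mechanism is not krb5)"}
        start = pos + len(KRB5_OID)
        return {"kind": "krb5 " + KRB5_TOK_ID.get(raw[start:start + 2], "unknown")}
    if raw[:2] == b"\x05\x04" and len(raw) >= 16:   # RFC 4121 Wrap token header
        flags, _filler, ec, rrc, _seq = struct.unpack(">BBHHQ", raw[2:16])
        info = {"kind": "wrap", "from_acceptor": bool(flags & 1),
                "sealed": bool(flags & 2)}
        body = raw[16:len(raw) - ec]                # unsealed: EC = checksum length
        if not info["sealed"] and rrc == 0 and len(body) >= 4:
            # RFC 4752: 1 octet of layer bits, 3 octets max buffer, then authzid
            info["layers"] = [name for bit, name in LAYERS.items() if body[0] & bit]
            info["max_buffer"] = int.from_bytes(body[1:4], "big")
            info["authzid"] = body[4:].decode("utf-8", "replace")
        return info
    return {"kind": "unrecognised"}

if __name__ == "__main__":
    for label, tok in (("server token (imap and sieve)", AP_REP_PREFIX),
                       ("imap: server security-layer offer", SERVER_WRAP),
                       ("imap: client security-layer choice", CLIENT_WRAP)):
        print(label, "->", classify(tok))
```
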