[Dovecot] GSSAPI auth failing for kmail

Mark Davies mark at ecs.vuw.ac.nz
Wed Feb 29 12:15:52 EET 2012



On 02/28/12 00:11, Timo Sirainen wrote:
>>> Looks like kmail is sending some kind of garbage to Dovecot. Set
>>> auth_debug_passwords=yes to make Dovecot log the auth traffic.
>>
>> Yeah, I did a network trace and it seems kmail is not sending the
>> full authentication request before trying to carry on.
> 
>>> 8	0.043625	130.195.5.88	130.195.5.13	IMAP	898	Request: 1 AUTHENTICATE GSSAPI YIICWgYJKoZIhvcSAQICAQBuggJJMI[...]jLyNiRZFsc9zFxpdwrZAB/WXRRS1zsM4SlDfE59CW1xfKAkqe
> 
> It uses SASL-IR to send the first seponse.
> 
>>> 9	0.044919	130.195.5.13	130.195.5.88	IMAP	70	Response: + 
> 
> Dovecot says "OK, give me more".

I poked some more at the kmail end of this but I cant see what its doing
differently from what it used to (but clearly there is something).

The new kmail sends

1 AUTHENTICATE GSSAPI YIICWgYJKoZIhvcSAQICAQBugg[...]wfuKg4VUptzPwb\r\n

and receives

+ \r\n

from dovecot, which it doesn't like and reports
clientAuthenticate: sasl_client_step failed with: -1

an older (working kmail) sends

1 AUTHENTICATE GSSAPI YIICiAYJKoZIhvcSAQICAQBugg[...]MpPurY7cZfRSEw==\r\n

and receives

+ YIGaBgkqhkiG9xIBAgI[...]iYoSGi9/uKVGyE64TAvkf25rCbFkNqk1D12g==\r\n

and carries on.

So what is it that differs in the two cases to cause dovecot to respond
differently?

cheers
mark



More information about the dovecot mailing list