gssapi considered as PLAIN?

Jan Behrend jbehrend at mpifr-bonn.mpg.de
Wed Nov 5 16:15:42 UTC 2014


On Wed, 2014-11-05 at 17:04 +0100, Harry Schmalzbauer wrote:
>  Regarding Jan Behrend's message of 05.11.2014 17:01 (localtime):
> > On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote:
> >>  Regarding Hans Morten Kind's message of 05.11.2014 16:48 (localtime):
> >>> On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote:
> >>>> as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes
> >>>> from capabilities.
> >>> Try setting login_trusted_networks to something you trust.
> > root at mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms
> > auth_mechanisms = plain login gssapi
> > root at mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth
> > disable_plaintext_auth = yes
> > root at mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks
> > login_trusted_networks = 
> >
> >
> > a CAPABILITY
> > * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> > AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
> 
> You don't see LOGINDISABLED, so I guess rip==lip (you tested
> @localhost), right?

No, but I didn't show all of it ;-).  Here it is:

jbehrend at jb1:~$ gnutls-cli --starttls --x509cafile /etc/ssl/certs/Max-Planck-Gesellschaft.pem -p 143 imap.mpifr-bonn.mpg.de
Processed 1 CA certificate(s).
Resolving 'imap.mpifr-bonn.mpg.de'...
Connecting to '134.104.18.77:143'...

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS LOGINDISABLED] Dovecot ready.
a starttls
a OK Begin TLS negotiation now.
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1023 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject
`C=DE,ST=Nordrhein-Westfalen,L=Bonn,O=Max-Planck-Gesellschaft,OU=Max-Planck-Institut fuer Radioastronomie,CN=imap.mpifr-bonn.mpg.de', issuer `C=DE,O=Max-Planck-Gesellschaft,CN=MPG CA,EMAIL=mpg-ca at mpg.de', RSA key 4096 bits, signed using RSA-SHA1, activated `2014-05-06 11:17:21 UTC', expires `2019-05-05 11:17:21 UTC', SHA-1 fingerprint `c0b4fb497ac212f0e05de24f2c097a0b712435cc'
- The hostname in the certificate matches 'imap.mpifr-bonn.mpg.de'.
- Peer's certificate is trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
a CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
a OK Pre-login capabilities listed, post-login capabilities have more.


Cheers Jan

-- 
MAX-PLANCK-INSTITUT fuer Radioastronomie
Jan Behrend - Rechenzentrum
----------------------------------------
Auf dem Huegel 69, D-53121 Bonn                                  
Tel: +49 (228) 525 359, Fax: +49 (228) 525 229
jbehrend at mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de
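
As an added example (not part of the message above and not Dovecot code), the Python below compares the capability lists a server sends before and after STARTTLS, using the server lines from the session above. It reports plaintext mechanisms offered in the clear and mechanisms such as GSSAPI that only appear once TLS is up; the function names and the second, weak greeting are constructed for illustration.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that carry the password itself

def parse_capabilities(response):
    """Capability atoms from an IMAP greeting or untagged CAPABILITY
    response (server lines only); wrapped lines are joined first."""
    joined = " ".join(line.strip() for line in response.splitlines())
    m = re.search(r"CAPABILITY\s+([^\]]*)", joined, re.IGNORECASE)
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def sasl_mechanisms(caps):
    """Mechanism names from the AUTH=<mech> capability atoms."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}

def audit(pre_tls, post_tls):
    """Findings from comparing the cleartext and post-STARTTLS capabilities."""
    pre, post = parse_capabilities(pre_tls), parse_capabilities(post_tls)
    findings = []
    exposed = sasl_mechanisms(pre) & PLAINTEXT_MECHS
    if exposed:
        findings.append("offered without TLS: " + ", ".join(sorted(exposed)))
    if "LOGINDISABLED" not in pre:
        findings.append("LOGINDISABLED missing before TLS")
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not advertised")
    withheld = sasl_mechanisms(post) - sasl_mechanisms(pre) - PLAINTEXT_MECHS
    if withheld:
        findings.append("withheld until TLS: " + ", ".join(sorted(withheld)))
    return findings

# Server lines copied from the session in the message above.
PRE_TLS = """* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS LOGINDISABLED] Dovecot ready."""
POST_TLS = """* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI"""
# Constructed greeting of a server that allows plaintext auth in the clear.
WEAK_PRE = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=GSSAPI] ready."

if __name__ == "__main__":
    for name, pre in (("session above", PRE_TLS), ("constructed weak", WEAK_PRE)):
        print(name, audit(pre, POST_TLS))
```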

