
Re: [msmtp-users] GSSAPI, NTLM LOGIN ? problematic Re: GSSAPI error in client



Martin Lambers <marlam@...23...> writes:

>> > These three methods are really the only useful ones now, as far as I
>> > can see.
>> 
>> GSSAPI and GS2-KRB5 are useful for Kerberos people. 
>
> Yes, but I have never encountered these Kerberos people ;)
> Do you know in which scenarios Kerberos is actually being used?

It is massively used in educational organizations, and some Enterprises
(but mostly due to Windows so it is not always relevant).  If you don't
have an existing environment to test things in, supporting this is
somewhat tricky -- you can install the Kerberos environment yourself,
but setting it up is time consuming, and you never know if what you run
mirrors what "real" people will see.  So I suggest to just ignore
GSSAPI/GS2 until someone comes along and helps you with that part.

>> There ought to be some checks to make sure GSSAPI/GS2 isn't selected
>> if it is likely that it won't succeed (e.g., no Kerberos tickets
>> available).  I thought GNU SASL checked that, but I'm not confident.
>
> Probably GNU SASL checks this. Msmtp does not use
> gsasl_client_suggest_mechanism(), but chooses the method itself.
> I did some digging to find out why. Currently a comment reads
> "TODO: use gsasl_client_suggest_mechanism()?".
> In msmtp-1.2.2 (more than ten years ago) that comment read
> "Do not use gsasl_client_suggest_mechanism() because it seems to always
> return ANONYMOUS (libgsasl 0.0.7)".
> I guess that problem was solved in the meantime...

Maybe, not sure.  The "recommendation" algorithm is a bit stupid.  Do
many servers really offer ANONYMOUS?  It shouldn't suggest ANONYMOUS if
the server didn't mention it.

> Thanks for your work on all the essential libraries that msmtp depends
> on!

You are welcome. :-)

/Simon

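Added example, not part of the original message and not msmtp or GNU SASL code: a self-contained sketch of the two selection rules discussed in this thread, namely never choosing a mechanism the server did not advertise (ANONYMOUS included) and skipping GSSAPI/GS2-KRB5 when no Kerberos ticket is available. The preference order, the `choose_mechanism` function and the `have_krb5_creds` flag are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Client preference order (an assumption for this example, not the
 * ordering used by msmtp or GNU SASL). */
struct mech { const char *name; int needs_krb5; };
static const struct mech prefs[] = {
    { "GS2-KRB5", 1 }, { "GSSAPI", 1 }, { "SCRAM-SHA-1", 0 },
    { "CRAM-MD5", 0 }, { "PLAIN", 0 }, { "LOGIN", 0 }, { "ANONYMOUS", 0 },
};

/* Whole-token, case-insensitive lookup in a whitespace-separated list,
 * so that "GSSAPI" does not match "X-GSSAPI". */
static int advertised(const char *list, const char *name)
{
    size_t n = strlen(name), i;
    while (*list) {
        size_t len = strcspn(list, " \t\r\n");
        for (i = 0; len == n && i < n; i++)
            if (toupper((unsigned char)list[i]) != name[i])
                break;
        if (len == n && i == n)
            return 1;
        list += len;
        list += strspn(list, " \t\r\n");
    }
    return 0;
}

/* Returns the chosen mechanism, or NULL if nothing usable was offered.
 * have_krb5_creds is a hypothetical flag supplied by the caller; a real
 * client would ask its Kerberos/GSS-API library whether a ticket exists. */
const char *choose_mechanism(const char *server_mechs, int have_krb5_creds)
{
    size_t i;
    for (i = 0; i < sizeof prefs / sizeof prefs[0]; i++) {
        if (prefs[i].needs_krb5 && !have_krb5_creds)
            continue; /* would fail during authentication; try the next */
        if (advertised(server_mechs, prefs[i].name))
            return prefs[i].name;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample of a server's advertised mechanism list. */
    const char *offer = "GSSAPI NTLM LOGIN PLAIN";
    const char *m = choose_mechanism(offer, 0);
    printf("no ticket: %s\n", m ? m : "(none)");
    m = choose_mechanism(offer, 1);
    printf("ticket:    %s\n", m ? m : "(none)");
    return 0;
}
```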