#1010915 mutt: GSSAPI SMTP authentication no longer works

Package: mutt
Source: mutt
Description: text-based mailreader supporting MIME, GPG, PGP and threading
Submitter: "brian m. carlson"
Date: 2026-06-24 22:09:02 UTC
Severity: important
Tags:
#1010915#5
Date:
2022-05-13 01:58:53 UTC
From:
To:
I use Kerberos on my personal network at home, and therefore I use
GSSAPI authentication for IMAP and SMTP.  While GSSAPI with IMAP works
fine, recently, GSSAPI with SMTP stopped working.  I suspect this is
related to the move to gsasl.

When it fails, mutt merely says "SASL authentication failed".  What
Postfix (Debian bullseye) reports is this:

  May 13 01:52:52 ring postfix/submission/smtpd[2307029]: Anonymous TLS connection established from <server>: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
  May 13 01:52:53 ring postfix/submission/smtpd[2307029]: warning: <server>: SASL GSSAPI authentication aborted
  May 13 01:52:54 ring postfix/submission/smtpd[2307029]: lost connection after AUTH from <server>
  May 13 01:52:54 ring postfix/submission/smtpd[2307029]: disconnect from <server> ehlo=2 starttls=1 auth=0/1 commands=3/4

I've filed this as important because it prevents me from sending emails,
which is an important functionality of any mail client.  Downgrading to
2.0.5-4.1 works.
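
For triaging this symptom on the server side, the following is an added example (not part of the original report and not Mutt or Postfix code). It pairs each Postfix "SASL ... authentication aborted" warning with the session's disconnect summary, where `auth=0/1` means one AUTH attempt and none successful. The function names and the last sample line are assumptions made for the example.

```python
import re
from collections import defaultdict

# First four lines are from the report above; the last is constructed for contrast.
SAMPLE_LOG = """\
May 13 01:52:52 ring postfix/submission/smtpd[2307029]: Anonymous TLS connection established from <server>: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
May 13 01:52:53 ring postfix/submission/smtpd[2307029]: warning: <server>: SASL GSSAPI authentication aborted
May 13 01:52:54 ring postfix/submission/smtpd[2307029]: lost connection after AUTH from <server>
May 13 01:52:54 ring postfix/submission/smtpd[2307029]: disconnect from <server> ehlo=2 starttls=1 auth=0/1 commands=3/4
May 13 02:10:01 ring postfix/submission/smtpd[2307100]: disconnect from client.example[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

PREFIX = re.compile(r"postfix/(?:[\w-]+/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SASL_WARN = re.compile(r"warning: (?P<client>\S+): SASL (?P<mech>\S+) authentication (?P<result>aborted|failed)")
DISCONNECT = re.compile(r"disconnect from (?P<client>\S+) (?P<stats>.*)$")
COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_counters(stats):
    """Turn 'auth=0/1 commands=3/4' into {'auth': (0, 1), ...} as (ok, attempted)."""
    return {n: (int(ok), int(t) if t else int(ok)) for n, ok, t in COUNTER.findall(stats)}

def failed_auth_sessions(log_text):
    """Return one record per smtpd session that attempted AUTH without full success."""
    mechs = defaultdict(list)  # smtpd pid -> (mechanism, result) seen in SASL warnings
    findings = []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        w = SASL_WARN.match(msg)
        if w:
            mechs[pid].append((w["mech"], w["result"]))
            continue
        d = DISCONNECT.match(msg)
        if d:
            ok, tried = parse_counters(d["stats"]).get("auth", (0, 0))
            if tried > ok:
                findings.append({"pid": pid, "client": d["client"],
                                 "auth_ok": ok, "auth_tried": tried,
                                 "mechanisms": mechs.pop(pid, [])})
            else:
                mechs.pop(pid, None)  # session ended cleanly; drop stale warnings
    return findings
```
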

#1010915#10
Date:
2022-05-13 15:54:14 UTC
From:
To:
Hi,

I've run into this issue too, and it is clearly gsasl which is broken:

[2022-05-13 17:40:38] smtp_authenticate: Trying method GSSAPI LOGIN PLAIN
[2022-05-13 17:40:38] mutt_gsasl_get_mech() returned no usable mech
[2022-05-13 17:40:38] No authenticators available

Gabor

#1010915#15
Date:
2022-05-13 22:02:38 UTC
From:
To:
Thanks for the bug report.  Yes, it most definitely is.  I'll take a
look to see what I can find.  Perhaps I've missed setting up some
callback information that gsasl needs.

Would you be able to test a patch if/when I create one?  If so, please
make sure you are subscribed to this ticket and I'll work on something
this weekend.

Thank you,

#1010915#20
Date:
2022-05-13 22:07:19 UTC
From:
To:
Gabor, there is a problem with gsasl, which I'll try to work on this
weekend.  If you can help test patches, please make sure you are
subscribed to this ticket.

However, you'll also need to fix your $smtp_authenticators value - it
should be colon separated, for example: "GSSAPI:LOGIN:PLAIN".

#1010915#25
Date:
2022-05-13 22:52:29 UTC
From:
To:
Brian and Gábor, I did indeed miss a callback value needed by GSSAPI:
hostname.  The Mutt IMAP/GSSAPI auth code is using the server hostname
for this field, contradicting the gsasl documentation which says to
supply the "local host name".  I'm trying the server hostname below.

If possible could you try either the git branch
'kevin/gsasl-gssapi-fixes' on GitLab
<https://gitlab.com/muttmua/mutt/-/commits/kevin/gsasl-gssapi-fixes> or
alternatively try recompiling the source Debian package with the below
patch applied?

Thank you!

- - - - - - 8< - - - - -

 From 9db29e904d1843a61b3a858d16d400af704fdadf Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Fri, 13 May 2022 15:37:58 -0700
Subject: [PATCH] Set gsasl hostname callback value.

This is needed for GSSAPI, and apparently DIGEST-MD5 too.

The documentation is a little vague, saying it "should be the local
host name of the machine", however the imap/auth_gss.c code seems to
be using the server-name.
---
  mutt_sasl_gnu.c | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/mutt_sasl_gnu.c b/mutt_sasl_gnu.c
index 7ebe4293..37d39657 100644
--- a/mutt_sasl_gnu.c
+++ b/mutt_sasl_gnu.c
@@ -219,6 +219,11 @@ static int mutt_gsasl_callback (Gsasl *ctx, Gsasl_session *sctx,
        rc = GSASL_OK;
        break;

+    case GSASL_HOSTNAME:
+      gsasl_property_set (sctx, GSASL_HOSTNAME, conn->account.host);
+      rc = GSASL_OK;
+      break;
+
      default:
        break;
    }
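
Review bot: The new `case GSASL_HOSTNAME:` passes `conn->account.host`, the server name, although the commit message notes that the gsasl documentation asks for the local host name, and that reasoning lives only in the commit message. A short comment above the `gsasl_property_set` call saying the server name is deliberate, follows imap/auth_gss.c, and is needed for GSSAPI (and apparently DIGEST-MD5) would keep a later reader from changing it to the local host name.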

#1010915#30
Date:
2022-05-13 23:24:44 UTC
From:
To:
Oh, yeah, that would do it.  Kerberos definitely wants to have the
hostname.

I built the Debian package with the patch applied below.  It didn't
quite apply cleanly with patch -p1, but I copied and pasted the change.
It does appear to work, and I'm using the patched version to send this.

Thanks so much for the fast turnaround time.

#1010915#35
Date:
2022-05-14 00:43:31 UTC
From:
To:
That's fantastic news!  Thank *you* for testing the patch.  Not sure why
it didn't apply cleanly, but I'm glad you were able to make the changes
yourself.

I'll give a little more time for Gábor to reply, but unless there is a
problem, will commit this to stable this weekend, and will try to get a
release out in the next week.

Thank you,

#1010915#40
Date:
2022-05-14 19:34:42 UTC
From:
To:
I've pushed the fix into the stable branch:
<https://gitlab.com/muttmua/mutt/-/commit/6688bfbfe4fd1d50512d5a7abbf1bf2314b8095c.patch>,
and will release 2.2.5 in the next few days.

My apologies for the botched patch file included in my previous email.
I realized I did this when backing out format=flowed formatting and
accidentally trimmed a trailing space in the patch itself.