I use Kerberos on my personal network at home, and therefore I use GSSAPI authentication for IMAP and SMTP. While GSSAPI with IMAP works fine, recently, GSSAPI with SMTP stopped working. I suspect this is related to the move to gsasl.

When it fails, mutt merely says "SASL authentication failed". What Postfix (Debian bullseye) reports is this:

  May 13 01:52:52 ring postfix/submission/smtpd[2307029]: Anonymous TLS connection established from <server>: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
  May 13 01:52:53 ring postfix/submission/smtpd[2307029]: warning: <server>: SASL GSSAPI authentication aborted
  May 13 01:52:54 ring postfix/submission/smtpd[2307029]: lost connection after AUTH from <server>
  May 13 01:52:54 ring postfix/submission/smtpd[2307029]: disconnect from <server> ehlo=2 starttls=1 auth=0/1 commands=3/4

I've filed this as important because it prevents me from sending emails, which is an important functionality of any mail client.

Downgrading to 2.0.5-4.1 works.
Hi, I've run into this issue too, and it is clearly gsasl which is broken:

  [2022-05-13 17:40:38] smtp_authenticate: Trying method GSSAPI LOGIN PLAIN
  [2022-05-13 17:40:38] mutt_gsasl_get_mech() returned no usable mech
  [2022-05-13 17:40:38] No authenticators available

Gabor
Thanks for the bug report. Yes, it most definitely is. I'll take a look to see what I can find. Perhaps I've missed setting up some callback information that gsasl needs. Would you be able to test a patch if/when I create one? If so, please make sure you are subscribed to this ticket and I'll work on something this weekend. Thank you,
Gabor, there is a problem with gsasl, which I'll try to work on this weekend. If you can help test patches, please make sure you are subscribed to this ticket. However, you'll also need to fix your $smtp_authenticators value - it should be colon separated, for example: "GSSAPI:LOGIN:PLAIN".
Brian and Gábor, I did indeed miss a callback value needed by GSSAPI:
hostname. The Mutt IMAP/GSSAPI auth code is using the server hostname
for this field, contradicting the gsasl documentation which says to
supply the "local host name". I'm trying the server hostname below.
If possible could you try either the git branch
'kevin/gsasl-gssapi-fixes' on GitLab
<https://gitlab.com/muttmua/mutt/-/commits/kevin/gsasl-gssapi-fixes> or
alternatively try recompiling the source Debian package with the below
patch applied?
Thank you!
- - - - - - 8< - - - - -
From 9db29e904d1843a61b3a858d16d400af704fdadf Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Fri, 13 May 2022 15:37:58 -0700
Subject: [PATCH] Set gsasl hostname callback value.
This is needed for GSSAPI, and apparently DIGEST-MD5 too.
The documentation is a little vague, saying it "should be the local
host name of the machine", however the imap/auth_gss.c code seems to
be using the server-name.
---
mutt_sasl_gnu.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/mutt_sasl_gnu.c b/mutt_sasl_gnu.c
index 7ebe4293..37d39657 100644
--- a/mutt_sasl_gnu.c
+++ b/mutt_sasl_gnu.c
@@ -219,6 +219,11 @@ static int mutt_gsasl_callback (Gsasl *ctx, Gsasl_session *sctx,
rc = GSASL_OK;
break;
+ case GSASL_HOSTNAME:
+ gsasl_property_set (sctx, GSASL_HOSTNAME, conn->account.host);
+ rc = GSASL_OK;
+ break;
+
default:
break;
}
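Review bot: The new GSASL_HOSTNAME case sets rc = GSASL_OK unconditionally, without checking that conn->account.host holds a usable value, so the callback reports success to gsasl even when no hostname was actually supplied. Consider returning GSASL_OK only when the host string is non-empty and leaving rc at its default otherwise. The case also deserves a short code comment: the commit message records that the gsasl documentation asks for the local host name while this code deliberately passes the server name (matching imap/auth_gss.c), and that rationale is not visible to someone reading mutt_sasl_gnu.c alone.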
Oh, yeah, that would do it. Kerberos definitely wants to have the hostname. I built the Debian package with the patch applied below. It didn't quite apply cleanly with patch -p1, but I copied and pasted the change. It does appear to work, and I'm using the patched version to send this. Thanks so much for the fast turnaround time.
That's fantastic news! Thank *you* for testing the patch. Not sure why it didn't apply cleanly, but I'm glad you were able to make the changes yourself. I'll give a little more time for Gábor to reply, but unless there is a problem, will commit this to stable this weekend, and will try to get a release out in the next week. Thank you,
I've pushed the fix into the stable branch: <https://gitlab.com/muttmua/mutt/-/commit/6688bfbfe4fd1d50512d5a7abbf1bf2314b8095c.patch>, and will release 2.2.5 in the next few days. My apologies for the botched patch file included in my previous email. I realized I did this when backing out format=flowed formatting and accidentally trimmed a trailing space in the patch itself.