Hi all,

I am trying to get GSSAPI working for sieve.
I already found there was an issue with GSSAPI in dovecot 2.4 and applied the 
patch from this thread

https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/MWCLQCVEMHHIDHS54IKKRKGDGQQ6AGTV/#MWCLQCVEMHHIDHS54IKKRKGDGQQ6AGTV

With the patch GSSAPI now works for imap.

I test this with "imtest" from cyrus tools:

imat@speedy:~> imtest -v -p 143 -u imat -m GSSAPI manitou.disconnected.homeip.net
S: * OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS ID ENABLE IDLE SASL-IR LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
C: A01 AUTHENTICATE GSSAPI 
S: + YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvzFWfR5FTOl77CqiMZ7qWR4I6JqXdi0JbIG4xTYJNYvQSsvxAxyfEiGINTMW5QytlcMvfiJpTj0U2Fd3Hr/MzLcCeCRwJ9jTg8m2E1ZgpmzmpXzl7xGq+MRIvetu3Wdgxum+ZQ8jPS1obTnI1Vh7I
C: 
S: + BQQF/wAMAAAAAAAAHJz31AH///+2dWHfKNY/6f01FUw=
C: BQQE/wAMAAAAAAAABI42iwEAAABpbWF0C53m6npnJwjAfaEu
S: A01 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE REPLACE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW SPECIAL-USE STATUS=SIZE SAVEDATE COMPRESS=DEFLATE INPROGRESS NOTIFY LITERAL+] Logged in
Authenticated.
Security strength factor: 0
C: Q01 LOGOUT
* BYE Logging out
Q01 OK Logout completed (0.001 + 0.000 secs).
Connection closed.

When I try to use "sivtest" from cyrus tools, it hangs, and it looks like
sivtest is still waiting for some data:

imat@speedy:~> sivtest -v -p 4190 -u imat -m GSSAPI manitou.disconnected.homeip.net
S: "IMPLEMENTATION" "Dovecot Pigeonhole"
S: "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include body variables enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
S: "NOTIFY" "mailto"
S: "SASL" "GSSAPI"
S: "STARTTLS"
S: "VERSION" "1.0"
S: OK "Dovecot ready."
C: AUTHENTICATE "GSSAPI" {1076+}
S: "YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvEb5fwEVTKq3wm3xJawxEVD9Ngdz3tmzW5a8wJAh9lSRYSE0aJS97LvUtT1mWqZTFx5AZMJGfM7KpcbmJc3cOkVhe5lTUQDir58n1RywkyWYM6RvKd1Vzeonxt/AyJi7rN1CMR9VIh2KZUItIsz1y"

Here it hangs until timeout.

May 24 10:10:36 manitou dovecot[45007]: auth(i...@disconnected.homeip.net,192.168.42.24,sasl:gssapi)<mh73Nt01+OHAqCoY>: Request timed out waiting for client to continue authentication (150 secs)
May 24 10:11:06 manitou dovecot[45007]: managesieve-login: Login aborted: Inactivity during authentication (client didn't finish SASL auth, 1 attempts in 180 secs) (auth_waiting_client): user=<>, method=GSSAPI, rip=192.168.42.24, lip=192.168.42.42, session=<mh73Nt01+OHAqCoY>

and sivtest ends with this:

S: BYE "Disconnected for inactivity during authentication."
base64 decoding error
Authentication failed. generic failure
Security strength factor: 0
Connection closed.

The "base64 decoding error" is probably unrelated, as it tries to decode the
"S: BYE .....".

I also tested with other sieve clients; none of them works (though different
issues are reported), while all tested imap clients do work.
My guess is that some small fix like the one from above is also needed for
dovecot-pigeonhole.

This is the config I use:

manitou:~ # dovecot -n
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
# OS: Linux 6.14.6-1-default x86_64  
# Hostname: manitou.disconnected.homeip.net
# 4 default setting changes since version 2.4.0
dovecot_config_version = 2.4.0
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = manitou.disconnected.homeip.net
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
dovecot_storage_version = 2.4.0
protocols {
  imap = yes
  lmtp = yes
  sieve = yes
}
protocol lmtp {
  auth_username_format = %{user | username}
  mail_plugins = sieve
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
  }
}
namespace inbox {
  mail_driver = maildir
  mail_inbox_path = ~/Maildir/.INBOX
  mail_path = ~/Maildir
  inbox = yes
  separator = /
}
passdb pam {
  service_name = dovecot
}
userdb passwd {
  use_worker = yes
}
ssl_server {
  cert_file = /etc/ssl/servercerts/servercert.pem
  key_file = /etc/ssl/servercerts/serverkey.pem
}
service managesieve-login {
}
service managesieve {
}
sieve_script personal {
  active_path = ~/.dovecot.sieve
  path = ~/.sieve
}

What logs/info are needed to dig into it?

thanks and regards,
                               Tami
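
Added example, not part of the original post: decoding the last two GSSAPI messages of the imtest transcript above as RFC 4121 Wrap tokens carrying the RFC 4752 security-layer negotiation, which is consistent with the reported "Security strength factor: 0". The function names are illustrative, and the trailing checksum is not verified because that needs the Kerberos session key.

```python
import base64
import struct

# Final server challenge and client response, copied from the imtest transcript.
SERVER_MSG = "BQQF/wAMAAAAAAAAHJz31AH///+2dWHfKNY/6f01FUw="
CLIENT_MSG = "BQQE/wAMAAAAAAAABI42iwEAAABpbWF0C53m6npnJwjAfaEu"

LAYERS = {0x01: "none", 0x02: "integrity", 0x04: "confidentiality"}  # RFC 4752


def unwrap_plain(b64_token):
    """Parse an integrity-only RFC 4121 Wrap token.

    Returns (sent_by_acceptor, payload). The checksum is NOT verified.
    """
    tok = base64.b64decode(b64_token, validate=True)
    if len(tok) < 16:
        raise ValueError("shorter than the 16-byte Wrap header")
    # TOK_ID, Flags, Filler, EC (checksum length), RRC (rotation), SND_SEQ
    tok_id, flags, filler, ec, rrc, _seq = struct.unpack(">HBBHHQ", tok[:16])
    if tok_id != 0x0504 or filler != 0xFF:
        raise ValueError("not an RFC 4121 Wrap token")
    if flags & 0x02:
        raise ValueError("sealed token: payload is encrypted")
    body = tok[16:]
    if ec > len(body):
        raise ValueError("checksum length exceeds token body")
    if body:
        rrc %= len(body)
        body = body[rrc:] + body[:rrc]  # undo the sender's right rotation
    return bool(flags & 0x01), body[:len(body) - ec]


def parse_negotiation(payload):
    """Split the RFC 4752 payload: layer bitmask, max buffer size, authzid."""
    if len(payload) < 4:
        raise ValueError("negotiation payload must be at least 4 octets")
    layers = [name for bit, name in LAYERS.items() if payload[0] & bit]
    max_size = int.from_bytes(payload[1:4], "big")
    return layers, max_size, payload[4:].decode("utf-8")


if __name__ == "__main__":
    for label, msg in (("server", SERVER_MSG), ("client", CLIENT_MSG)):
        from_acceptor, payload = unwrap_plain(msg)
        print(label, "acceptor" if from_acceptor else "initiator",
              parse_negotiation(payload))
```

The server offers only the "none" layer and the client selects it with authorization identity "imat", so the session relies on STARTTLS, not GSSAPI, for transport protection.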
