[solved] Re:gssapi considered as PLAIN?

Harry Schmalzbauer dovecot at omnilan.de
Wed Nov 5 17:51:20 UTC 2014

 Bezüglich Harry Schmalzbauer's Nachricht vom 05.11.2014 18:04 (localtime):
> Sorry, I might have been unclear.
> Of course, AUTH=GSSAPI is offered if connection passes STARTTLS, along
> WITH PLAIN (and LOGIN), but the intention of "disable_plaintext_auth" is
> to prevent PLAIN if _no_ encryption level was negotiated.
> So you see LOGINDISABLED before TLS session and also _no_ GSSAPI!
> At that point (no encryption negotiated) I want to be able to get my
> kerberos ticket validated :-)
> disable_plaintext_auth = yes works as expected for PLAIN (and LOGIN); it
> doesn't offer until encryption successfully took place.
> But I don't expect GSSAPI also beeing disabled (regardless if encryption
> is available or not).
> I have no idea why this could be the intended behaviour, and hope
> somebody can enlighten me :-)

Sorry for the noise. For those with the same intention and the same problem:

I had "ssl = required" set. That of course doesn't return any AUTH
method unless encryptino was negotiated.
Setting it to "ssl = yes" instead leads to expected results in all
variants :-)



More information about the dovecot mailing list