GSSAPI for SMTP


Nikolay Shopik

Jan 11, 2009, 7:12:09 AM
Does Thunderbird support GSSAPI for SMTP?
I can't find any bugs on that support. So far only the IMAP (303160) and
LDAP (308118) patches are in the process of review.

https://wiki.mozilla.org/Thunderbird:Supported_authentication_methods
is kinda outdated.

David Bienvenu

Jan 11, 2009, 2:05:04 PM
Yes, we support GSSAPI for SMTP. It was all part of
https://bugzilla.mozilla.org/show_bug.cgi?id=303160

- David

Nikolay Shopik

Jan 14, 2009, 7:21:49 AM
On 11.01.2009 22:05, David Bienvenu wrote:
> Yes, we support GSSAPI for SMTP. It was all part of
> https://bugzilla.mozilla.org/show_bug.cgi?id=303160

I'm trying to make it work on the Windows platform. Are there any special
steps I need to accomplish to make transparent authentication work, so TB
will use my current credentials?

David Bienvenu

Jan 14, 2009, 10:24:49 AM
You may need to set "network.auth.use-sspi" to false, if you're not
using sspi. But that applies to all the protocols, not just SMTP.

- David

Nikolay Shopik

Jan 14, 2009, 11:19:18 AM
On 14.01.2009 18:24, David Bienvenu wrote:
> You may need to set "network.auth.use-sspi" to false, if you're not
> using sspi. But that applies to all the protocols, not just SMTP.

Tried false and true; I'm kinda confused about SSPI and GSSAPI in
Windows. It's always trying to use NTLM authentication. My SMTP setting
is "use name and password", while I tried to leave the user name empty and
enable the "use secure authentication" checkbox. An empty user name doesn't
work at all, and if I enter a user name there will be a log like this.

EHLO [192.168.23.1]
250-guard-01b5d2548 Hello [192.168.23.1]
250-AUTH GSSAPI NTLM
250-TURN
250-SIZE 2097152
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
AUTH NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334
[snip]
535 5.7.3 Authentication unsuccessful
QUIT

Looks like we are missing a GUI for "use current credentials".
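As an added diagnostic example (not code from the thread or from Thunderbird), the script below reads a captured exchange like the one above, lists the mechanisms the server advertised, identifies the one the client actually sent, and decodes the NTLMSSP Type 1 header so the fall-back from GSSAPI to NTLM is visible in a log review. The sample transcript is constructed from the post; the flag names follow MS-NLMP.

```python
import base64
import struct

# Constructed sample: the failed exchange quoted above, trimmed to the lines
# that matter. The NTLM token is the one from the post.
SAMPLE_TRANSCRIPT = """\
EHLO [192.168.23.1]
250-guard-01b5d2548 Hello [192.168.23.1]
250-AUTH GSSAPI NTLM
250 OK
AUTH NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
535 5.7.3 Authentication unsuccessful
"""

# Subset of the NTLMSSP NEGOTIATE flags (MS-NLMP section 2.2.2.5).
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
}

def decode_ntlm_token(token_b64):
    """Parse the NTLMSSP header of a base64 token: (message_type, flags) or None."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<II", raw, 8)  # MessageType, NegotiateFlags

def analyse_auth(transcript):
    """Report which SASL mechanisms the server offered, which one the client
    actually sent, and how the server answered it."""
    r = {"offered": [], "chosen": None, "ntlm_flags": [], "reply": None}
    for line in transcript.splitlines():
        if line.startswith(("250-AUTH ", "250 AUTH ")):
            r["offered"] = line.split()[1:]
        elif line.startswith("AUTH "):
            parts = line.split()
            r["chosen"] = parts[1]
            if parts[1] == "NTLM" and len(parts) > 2:
                decoded = decode_ntlm_token(parts[2])
                if decoded and decoded[0] == 1:  # Type 1 = NEGOTIATE_MESSAGE
                    r["ntlm_flags"] = [n for bit, n in sorted(NTLM_FLAGS.items()) if decoded[1] & bit]
        elif r["chosen"] and line[:3] in ("235", "500", "535"):
            r["reply"] = line
    # GSSAPI was on offer but the client went straight to NTLM: the Kerberos path never produced a token.
    r["fell_back_to_ntlm"] = "GSSAPI" in r["offered"] and r["chosen"] == "NTLM"
    return r
```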

Simon Wilkinson

Jan 14, 2009, 11:48:46 AM
to Nikolay Shopik, dev-apps-t...@lists.mozilla.org

On 14 Jan 2009, at 16:19, Nikolay Shopik wrote:
>
> Looks like we are missing gui for use current credentials.

We use current credentials by default. You should be able to make it
work by simply having no username and password.

What is missing is any kind of meaningful error reporting for GSSAPI
- there's an open bug on this, which I really must get around to
looking at at some point - I'm really waiting for my LDAP code to
land before I start thinking about SASL in Thunderbird again. There
is a debug flag you can use which will print out these errors to
stdout - unfortunately, I can't remember what it is off the top of my
head, and I'm too network challenged to be able to look it up at
present.

From the trace you've posted, however, it looks like we're failing
to initiate a GSSAPI session for your server. Do you have the correct
smtp/<hostname> principal created in your KDC? What's in your
credentials cache after a failed authentication attempt?

S.


Nikolay Shopik

Jan 14, 2009, 12:16:24 PM
On 14.01.2009 19:48, Simon Wilkinson wrote:
> From the trace you've posted, however, it looks like we're failing to
> initiate a GSSAPI session for your server. Do you have the correct
> smtp/<hostname> principal created in your KDC? What's in your
> credentials cache after a failed authentication attempt?

This is a Windows 2003 DC with SMTP installed for testing purposes. I'm
using http://ldapadmin.sourceforge.net to make a connection to the DC using
GSS-API and it's working just fine.

Nikolay Shopik

Jan 14, 2009, 1:24:51 PM
On 14.01.2009 19:48, Simon Wilkinson wrote:
> From the trace you've posted, however, it looks like we're failing to
> initiate a GSSAPI session for your server. Do you have the correct
> smtp/<hostname> principal created in your KDC? What's in your
> credentials cache after a failed authentication attempt?

I added Firefox 3.0.5 to my test to make sure Kerberos is actually working
with my Windows DC. I've installed the IIS web server, enabled integrated
authentication only, and set these settings:
network.negotiate-auth.delegation-uris = https://,http://
network.negotiate-auth.trusted-uris = https://,http://
Pointed FF to the IIS address and it opens pages w/o any password prompts.

Nikolay Shopik

Jan 14, 2009, 1:44:58 PM
On 14.01.2009 19:48, Simon Wilkinson wrote:
> Do you have the correct smtp/<hostname> principal created in your KDC?
You are absolutely correct, I don't have a principal configured for SMTP.
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Server Name (Service and Instance): smtp/192.168.23.131

Nikolay Shopik

Jan 14, 2009, 2:52:20 PM
On 14.01.2009 21:44, Nikolay Shopik wrote:
> You are absolutely correct, I don't have a principal configured for SMTP.
> error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> Server Name (Service and Instance): smtp/192.168.23.131
The Windows DC has a different SPN, SMTPSVC/FQDN instead of SMTP/FQDN, so you
have to install the Windows Support Tools to manage SPNs. You need setspn.exe
from these tools.
I made progress and TB is able to perform auth, but SMTP complains: 5.5.2
Unrecognized command. A tcpdump of the packets looks like this:

EHLO [192.168.23.132]
250-guard-01b5d2548.inblock.test Hello [192.168.23.132]
250-AUTH GSSAPI NTLM
250-TURN
250-SIZE 2097152
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK

AUTH GSSAPI
[snip]
500 5.5.2 Unrecognized command

Sounds like a Windows SMTP service bug?
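Added example, not code from the thread: a Python check that reproduces the SPN diagnosis reached in the last three posts, i.e. whether the smtp/<host> principal a GSSAPI client asks for exists among the SPNs registered in AD, flagging the IP-literal server setting and the SMTPSVC/<fqdn> naming the thread describes, and returning the setspn line that adds the missing SPN. The registered SPN list and the account name are constructed placeholders.

```python
import ipaddress

# Constructed sample. The thread reports that the Windows SMTP service registers
# SMTPSVC/<fqdn> while Thunderbird asks the KDC for smtp/<host>, and that the
# client had been pointed at an IP literal. The account name is a placeholder.
SERVER_SETTING = "192.168.23.131"
SERVER_FQDN = "guard-01b5d2548.inblock.test"
REGISTERED_SPNS = ["SMTPSVC/guard-01b5d2548.inblock.test", "HOST/GUARD-01B5D2548"]

def is_ip_literal(host):
    """True if the configured server name is an IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def requested_spn(server_setting, service="smtp"):
    """The SPN a GSSAPI SMTP client derives from its configured server name."""
    return f"{service}/{server_setting}"

def split_spn(spn):
    """(service class, host), lower-cased: AD matches both case-insensitively."""
    service, _, host = spn.partition("/")
    return service.lower(), host.lower()

def check_spn(server_setting, registered_spns, fqdn, account="SERVICE_ACCOUNT"):
    """Return (ok, findings, fix): can smtp/<server_setting> get a ticket from a
    KDC that holds registered_spns, and if not, the setspn line that adds it."""
    wanted = requested_spn(server_setting)
    if any(split_spn(wanted) == split_spn(r) for r in registered_spns):
        return True, [], None
    findings = [f"no SPN {wanted} registered (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)"]
    if is_ip_literal(server_setting):
        findings.append(f"server configured as IP literal; point the client at "
                        f"{fqdn} so it requests smtp/{fqdn}")
    smtpsvc_hosts = {h for s, h in map(split_spn, registered_spns) if s == "smtpsvc"}
    if fqdn.lower() in smtpsvc_hosts:
        findings.append("host registers SMTPSVC/<fqdn> only; add smtp/<fqdn> alongside it")
    # setspn -A adds an arbitrary SPN to the account (Windows Support Tools).
    return False, findings, f"setspn -A smtp/{fqdn} {account}"
```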
