[ You are viewing a single post. The sidebar has been removed to give the article some room. ]

Thunderbird, Kerberos for Windows, and Cyrus IMAP

This isn’t a step-by-step guide but provides some notes from my trial and frequent error.

Client

  1. If you have credentials for more than one Kerberos realm, make sure your Default identity (in KfW) is set to the realm you want Thunderbird to authenticate to. You can set this by right-clicking on the identity. If you change which identity is your default, restart KfW.
  2. In Thunderbird, go to Options –> Advanced –> Config Editor. Toggle the value network.auth.use-sspi to false. Restart Thunderbird
  3. For your account settings, you must use a fully qualified domain name (not just a host name or an IP address).

KDC

  1. Add principal imap/mailserver.yourdomain.com
  2. Extract imap/mailserver.yourdomain.com into mailserver.yourdomain.com’s keytab

Mail Server

  1. Read and understand completely the Cyrus IMAP documentation!
  2. On your mail server (where Cyrus imapd is running… which you built to support Kerberos 5 via GSSAPI…), /etc/imapd.conf cannot specify a sasl_minimum_layer as Thunderbird does not support even layer 1.
  3. The relevant options I use are:
    allowplaintext: false
    force_sasl_mech: gssapi
    sasl_log_level: 4

Thanks to Ken Hornstein and Jeffrey Altman for their help.

Maybe see also: bugzilla.mozilla.org

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • del.icio.us
  • digg
  • Furl
  • Reddit
  • Spurl
This entry was written by Administrator, posted on August 6, 2007 at 1:06 pm, filed under Sysadmin. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*