[28211] in Kerberos
Re: Thunderbird issues, KfW, Windows domain + separate KDC
daemon@ATHENA.MIT.EDU (Shumon Huque)
Mon Aug 6 23:55:54 2007
Date: Mon, 6 Aug 2007 23:55:37 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Jeff Blaine <jblaine@kickflop.net>
Message-ID: <20070807035536.GA17467@isc.upenn.edu>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <46B76742.9080601@kickflop.net>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, Aug 06, 2007 at 02:24:02PM -0400, Jeff Blaine wrote:
> Ken was right. Removing sasl_minimum_layer from imapd.conf
> solved the problem... sadly.
>
> Maybe someone else will find my write-up next time:
>
> http://www.kickflop.net/blog/2007/08/06/thunderbird-kerberos-for-windows-and-cyrus-imap/
I would recommend also configuring Thunderbird to use TLS,
ie. in addition to checking "use secure authentication",
check "Use secure connection: TLS". The server will have to
support TLS of course. This will protect Kerberos authenticated
Thunderbird sessions from session hijacking in the absence of
SASL security layers.
It's too bad that much software doesn't bother implementing
security layers, thus forcing you to run TLS too (ie. another
heavyweight security layer with it's attendant certificate
management burden). Another popular IMAP server, UW imapd,
also doesn't support SASL security layers.
--Shumon.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos