[28211] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Thunderbird issues, KfW, Windows domain + separate KDC

daemon@ATHENA.MIT.EDU (Shumon Huque)
Mon Aug 6 23:55:54 2007

Date: Mon, 6 Aug 2007 23:55:37 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Jeff Blaine <jblaine@kickflop.net>
Message-ID: <20070807035536.GA17467@isc.upenn.edu>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <46B76742.9080601@kickflop.net>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Mon, Aug 06, 2007 at 02:24:02PM -0400, Jeff Blaine wrote:
> Ken was right.  Removing sasl_minimum_layer from imapd.conf
> solved the problem... sadly.
> 
> Maybe someone else will find my write-up next time:
> 
> http://www.kickflop.net/blog/2007/08/06/thunderbird-kerberos-for-windows-and-cyrus-imap/

I would recommend also configuring Thunderbird to use TLS,
ie. in addition to checking "use secure authentication",
check "Use secure connection: TLS". The server will have to
support TLS of course. This will protect Kerberos authenticated 
Thunderbird sessions from session hijacking in the absence of 
SASL security layers. 

It's too bad that much software doesn't bother implementing
security layers, thus forcing you to run TLS too (ie. another
heavyweight security layer with it's attendant certificate
management burden). Another popular IMAP server, UW imapd, 
also doesn't support SASL security layers.

--Shumon.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post