Re: [bug-mailutils] using GSSAPI in /usr/bin/mail when connecting to an IMAP server?

[Sergey Poznyakoff]

Hi Daniel,

To begin with, my sincere apologies for not being able to reply earlier!

> i have a functioning KRB5 domain with a GSSAPI-enabled (via SASL) IMAP
> server (cyrus).  Other GSSAPI-capable MUAs (e.g. mutt) are capable of
> using a krb5 credentials cache to connect properly to their mailbox
> without additional authentication.  i'd like to set up /usr/bin/mail
> to do this as well, if that's possible.

Although the works to implement it are in progress, bin/mail in its
current state is not able to handle SASL authentication.  For the time
being the best solution is probably to use GNU Anubis as a mail
processor.  This program is able to get plaintext SMTP connections and
to connect to the remote SMTP using a wide variety of authentication
schemes supported by gnutls.  You will find more information about it,
including links to the documentation and downloads on its home page:
http://www.gnu.org/software/anubis

I plan to finish adding GSSAPI support to bin/mail as soon as possible.

> i see that mail has a --tls=BOOL option for connecting with
> TLS-capable servers.  What i can't tell is how the TLS certificates
> are verified.  Without proper certificate validation, TLS connections
> are vulnerable to man-in-the-middle attacks from an active attacker
> (one who can intercept and modify traffic).

This and another point mentioned by you (forcing mail to use TLS) are
very important features indeed.

> If mailutils isn't capable of these distinctions, are they desired
> features?

Sure, they are.  It would be great if you could help us implement them.

Regards,
Sergey