Thunderbird issues, KfW, Windows domain + separate KDC

Shumon Huque shuque at isc.upenn.edu
Mon Aug 6 23:55:37 EDT 2007


On Mon, Aug 06, 2007 at 02:24:02PM -0400, Jeff Blaine wrote:
> Ken was right.  Removing sasl_minimum_layer from imapd.conf
> solved the problem... sadly.
> 
> Maybe someone else will find my write-up next time:
> 
> http://www.kickflop.net/blog/2007/08/06/thunderbird-kerberos-for-windows-and-cyrus-imap/

I would recommend also configuring Thunderbird to use TLS,
i.e. in addition to checking "use secure authentication",
check "Use secure connection: TLS". The server will have to
support TLS of course. This will protect Kerberos authenticated
Thunderbird sessions from session hijacking in the absence of
SASL security layers.

It's too bad that much software doesn't bother implementing
security layers, thus forcing you to run TLS too (i.e. another
heavyweight security layer with its attendant certificate
management burden). Another popular IMAP server, UW imapd,
also doesn't support SASL security layers.

--Shumon.
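
The following is an added example, not part of the original post: a small check of the condition the message describes, where a GSSAPI-authenticated IMAP session has neither a SASL security layer nor TLS. The function names and the sample capability lines are constructed for illustration; the capability atoms (STARTTLS, AUTH=GSSAPI) are the standard IMAP ones.

```python
import re

def parse_capabilities(line):
    """Extract capability atoms from '* CAPABILITY ...' or '* OK [CAPABILITY ...]'."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", line, re.IGNORECASE)
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def audit_gssapi_session(caps_line, client_sasl_layer, client_starttls):
    """Return a list of findings for a client that authenticates with GSSAPI.

    caps_line         -- capability line the server sent before any TLS
    client_sasl_layer -- True if the client negotiates a SASL security layer
    client_starttls   -- True if the client is set to "Use secure connection: TLS"
    """
    caps = parse_capabilities(caps_line)
    if "AUTH=GSSAPI" not in caps:
        return ["server does not offer AUTH=GSSAPI"]
    findings = []
    # TLS only protects the session if both sides actually use it.
    tls_in_use = client_starttls and "STARTTLS" in caps
    if client_starttls and not tls_in_use:
        findings.append("client wants TLS but server does not advertise STARTTLS")
    # Kerberos proves identity at login; without a SASL layer or TLS,
    # nothing protects the commands and data that follow.
    if not client_sasl_layer and not tls_in_use:
        findings.append("no SASL layer and no TLS: session is unprotected after authentication")
    return findings

# Constructed sample server lines (not captured from a real server).
NO_TLS = "* OK [CAPABILITY IMAP4rev1 AUTH=GSSAPI] server ready"
WITH_TLS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=GSSAPI"

if __name__ == "__main__":
    cases = [
        ("no layer, no TLS", WITH_TLS, False, False),
        ("no layer, TLS enabled", WITH_TLS, False, True),
        ("no layer, TLS wanted, server lacks it", NO_TLS, False, True),
    ]
    for label, line, layer, tls in cases:
        print(label, "->", audit_gssapi_session(line, layer, tls) or "protected")
```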


