Connecting to imap on a Microsoft Exchange server with gsasl

Connecting to imap on a Microsoft Exchange server with gsasl

[Adam Sjøgren]

I am using Gnus to pull down my emails via imap from a Microsoft
Exchange server to my Ubuntu desktop (i.e. just using imap as a
mail-source, like pop). This works fine typing my password into Gnus.

However, we use Kerberos to authenticate on our Linux machines (login,
sudo, www, the works) - against the company Active Directory - so I have
a Kerberos ticket, and should be able to fetch email without having to
type my password again, I think.

I tried configuring Gnus to do this, but using :stream gssapi and
:authenticate gssapi didn't work.

Digging a little revealed that Gnus tries to use gsasl to connect and
authenticate, so I tried running gsasl by hand to see if that would make
me any wiser. The result is:

    $ gsasl --client --imap --authentication-id=my.initials --starttls --verbose server.name.elided
    Trying `server.name.elided...
    * OK Microsoft Exchange Server 2007 IMAP4 service ready
    . STARTTLS
    . OK Begin TLS negotiation now.
    . CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN IDLE NAMESPACE LITERAL+
    . OK CAPABILITY completed.
    . AUTHENTICATE GSSAPI
    +
    error: Server did not return expected SASL data (it must begin with '+ '):
    +

    $ 

Hm. Does the server really return "+" while "+ " was expected? Let me
check, using gnutls-cli, just to be sure:

    $ gnutls-cli --insecure --starttls --crlf -p imap server.name.elided
    Resolving 'server.name.elided'...
    Connecting to 'ip.address.elided:143'...

    - Simple Client Mode:

    * OK Microsoft Exchange Server 2007 IMAP4 service ready
    1 STARTTLS
    1 OK Begin TLS negotiation now.
    ^D
    *** Starting TLS handshake
    - Certificate type: X.509 [...cert info elided...]
    - Compression: NULL
    2 AUTHENTICATE GSSAPI
    +
    ^C
    $ 

Indeed it does, no space!

Does a work around for this exist, I am being foolhardy in attempting to
get this working at all, am I overlooking something obvious, or?

Any good ideas, war stories about AD and Exchange, or anything else is
much appreciated :-)

This is on Ubuntu 10.04, gsasl 1.4.4, GNU Emacs snapshot from Julien
Danjous repository, Ma Gnus from git.

(I just tried on an Ubuntu 12.04 which has gsasl 1.6.1; on that machine
the gsasl command ends with "error: server did not return a token" after
the plus is received.)

I tried using gssapi in Thunderbird as well, just to test - it fails
with a vague message about the server not accepting the ticket, but the
message looks rather generic, so I don't know that this necessarily is
valuable information.


  Best regards,

    Adam


P.S. I have taken the liberty of crossposting this to both the gsasl
     mailing list and the Gnus user list - feel free to peel any one off.

-- 
 "Hur långt man än har kommit                                 Adam Sjøgren
  är det alltid längre kvar"                             asjo@koldfront.dk

Re: Connecting to imap on a Microsoft Exchange server with gsasl

[Lars Ingebrigtsen]

asjo@koldfront.dk (Adam Sjøgren) writes:

> My conclusion was that the chops needed to get it working, if it is at
> all is possible, are larger than, uh, mine.
>
> In case anyone is interested, the thread is here:
>
>  * http://lists.gnu.org/archive/html/help-gsasl/2012-09/threads.html

Right.  Doesn't seem like something that can be fixed up on the Gnus
side, at least.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
  http://lars.ingebrigtsen.no  *  Lars Magne Ingebrigtsen

Re: Connecting to imap on a Microsoft Exchange server with gsasl

[Adam Sjøgren]

On Mon, 24 Dec 2012 18:30:35 +0100, Lars wrote:

> asjo@koldfront.dk (Adam Sjøgren) writes:

>> error: Server did not return expected SASL data (it must begin with '+ '):

> But perhaps this is something that nnimap could work around?  I'm not
> sure at all how gsasl works, and I don't have any servers to test
> with...

The thread continued on the sasl mailing list. I got some hints, and
tried some stuff (patching to ignore the plus), and tried to get
Thunderbird to do the auth (just to get an idea that it is possible);
without luck.

My conclusion was that the chops needed to get it working, if it is at
all is possible, are larger than, uh, mine.

In case anyone is interested, the thread is here:

 * http://lists.gnu.org/archive/html/help-gsasl/2012-09/threads.html


  Best regards,

    Adam

-- 
 "I wouldn't even think about playing music if I was          Adam Sjøgren
  born in these times ..."                               asjo@koldfront.dk

Re: Connecting to imap on a Microsoft Exchange server with gsasl

[Lars Ingebrigtsen]

asjo@koldfront.dk (Adam Sjøgren) writes:

>     +
>     error: Server did not return expected SASL data (it must begin with '+ '):
>     +
>
>     $ 
>
> Hm. Does the server really return "+" while "+ " was expected?

Geez.

But perhaps this is something that nnimap could work around?  I'm not
sure at all how gsasl works, and I don't have any servers to test
with...

-- 
(domestic pets only, the antidote for overdose, milk.)
  http://lars.ingebrigtsen.no  *  Lars Magne Ingebrigtsen