Bug#1010915: mutt: GSSAPI SMTP authentication no longer works

2022-05-14 Thread Kevin J. McCarthy
I've pushed the fix into the stable branch: 
, 
and will release 2.2.5 in the next few days.


My apologies for the botched patch file included in my previous email. 
I realized I did this when backing out format=flowed formatting and 
accidentally trimmed a trailing space in the patch itself.


-Kevin




Bug#1010915: mutt: GSSAPI SMTP authentication no longer works

2022-05-13 Thread Kevin J. McCarthy

On Fri, May 13, 2022 at 11:24:44PM +, brian m. carlson wrote:

> I built the Debian package with the patch applied below.  It didn't
> quite apply cleanly with patch -p1, but I copied and pasted the change.
> It does appear to work, and I'm using the patched version to send this.
>
> Thanks so much for the fast turnaround time.


That's fantastic news!  Thank *you* for testing the patch.  Not sure why 
it didn't apply cleanly, but I'm glad you were able to make the changes 
yourself.


I'll give a little more time for Gábor to reply, but unless there is a 
problem, will commit this to stable this weekend, and will try to get a 
release out in the next week.


Thank you,

-Kevin




Bug#1010915: mutt: GSSAPI SMTP authentication no longer works

2022-05-13 Thread brian m. carlson
On 2022-05-13 at 22:52:29, Kevin J. McCarthy wrote:
> On Fri, 13 May 2022 15:02:38 -0700 "Kevin J. McCarthy"  wrote:
> > Thanks for the bug report.  Yes, it most definitely is.  I'll take a
> > look to see what I can find.  Perhaps I've missed setting up some
> > callback information that gsasl needs.
> >
> > Would you be able to test a patch if/when I create one?  If so, please
> > make sure you are subscribed to this ticket and I'll work on something
> > this weekend.
> 
> Brian and Gábor, I did indeed miss a callback value needed by GSSAPI:
> hostname.  The Mutt IMAP/GSSAPI auth code is using the server hostname
> for this field, contradicting the gsasl documentation which says to
> supply the "local host name".  I'm trying the server hostname below.

Oh, yeah, that would do it.  Kerberos definitely wants to have the
hostname.

> If possible could you try either the git branch
> 'kevin/gsasl-gssapi-fixes' on GitLab
>  or
> alternatively try recompiling the source Debian package with the below
> patch applied?

I built the Debian package with the patch applied below.  It didn't
quite apply cleanly with patch -p1, but I copied and pasted the change.
It does appear to work, and I'm using the patched version to send this.

Thanks so much for the fast turnaround time.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA




Bug#1010915: mutt: GSSAPI SMTP authentication no longer works

2022-05-13 Thread Kevin J. McCarthy
On Fri, 13 May 2022 15:02:38 -0700 "Kevin J. McCarthy"  wrote:
> Thanks for the bug report.  Yes, it most definitely is.  I'll take a
> look to see what I can find.  Perhaps I've missed setting up some
> callback information that gsasl needs.
>
> Would you be able to test a patch if/when I create one?  If so, please
> make sure you are subscribed to this ticket and I'll work on something
> this weekend.

Brian and Gábor, I did indeed miss a callback value needed by GSSAPI:
hostname.  The Mutt IMAP/GSSAPI auth code is using the server hostname
for this field, contradicting the gsasl documentation which says to
supply the "local host name".  I'm trying the server hostname below.

If possible could you try either the git branch
'kevin/gsasl-gssapi-fixes' on GitLab
 or
alternatively try recompiling the source Debian package with the below
patch applied?

Thank you!

- - - - - - 8< - - - - -

 From 9db29e904d1843a61b3a858d16d400af704fdadf Mon Sep 17 00:00:00 2001
From: Kevin McCarthy 
Date: Fri, 13 May 2022 15:37:58 -0700
Subject: [PATCH] Set gsasl hostname callback value.

This is needed for GSSAPI, and apparently DIGEST-MD5 too.

The documentation is a little vague, saying it "should be the local
host name of the machine", however the imap/auth_gss.c code seems to
be using the server-name.
---
  mutt_sasl_gnu.c | 5 +
  1 file changed, 5 insertions(+)

diff --git a/mutt_sasl_gnu.c b/mutt_sasl_gnu.c
index 7ebe4293..37d39657 100644
--- a/mutt_sasl_gnu.c
+++ b/mutt_sasl_gnu.c
@@ -219,6 +219,11 @@ static int mutt_gsasl_callback (Gsasl *ctx, Gsasl_session 
*sctx,
rc = GSASL_OK;
break;
  
+case GSASL_HOSTNAME:
+  gsasl_property_set (sctx, GSASL_HOSTNAME, conn->account.host);
+  rc = GSASL_OK;
+  break;
+
  default:
break;
}
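Review bot: The new GSASL_HOSTNAME case sets rc = GSASL_OK without checking that conn->account.host holds a non-empty name, so an unset host would still be reported to gsasl as a supplied property; consider leaving rc unchanged when the field is empty. The case also passes the server name although the commit message notes that the documentation asks for the local host name, so a short comment above the gsasl_property_set call saying this is deliberate and follows imap/auth_gss.c would keep that reasoning next to the code.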
-- 
GitLab





Bug#1010915: mutt: GSSAPI SMTP authentication no longer works

2022-05-13 Thread Kevin J. McCarthy

On Fri, 13 May 2022 17:54:14 +0200  wrote:

> I've run into this issue too, and it is clearly gsasl which is broken:
>
> [2022-05-13 17:40:38] smtp_authenticate: Trying method GSSAPI LOGIN PLAIN
> [2022-05-13 17:40:38] mutt_gsasl_get_mech() returned no usable mech
> [2022-05-13 17:40:38] No authenticators available


Gabor, there is a problem with gsasl, which I'll try to work on this 
weekend.  If you can help test patches, please make sure you are 
subscribed to this ticket.


However, you'll also need to fix your $smtp_authenticators value - it 
should be colon separated, for example: "GSSAPI:LOGIN:PLAIN".


-Kevin
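
The $smtp_authenticators point in the message above, as an added example that is not part of the thread or of Mutt's code: a Python check that scans a Mutt debug log for a "Trying method" entry whose name contains spaces or commas, as in the quoted excerpt, and proposes the colon-separated setting. The helper names are hypothetical, and the last sample line is constructed.

```python
import re

# Line format as quoted in the thread's debug log excerpt.
TRYING = re.compile(
    r"^\[(?P<ts>[^\]]+)\] smtp_authenticate: Trying method (?P<method>.+?)\s*$")
NO_MECH = "mutt_gsasl_get_mech() returned no usable mech"


def suggest_value(method):
    """Rebuild a space/comma/semicolon separated list in colon-separated form."""
    return ":".join(p for p in re.split(r"[\s,;:]+", method) if p)


def find_bad_authenticators(lines):
    """Report each 'Trying method' entry whose name contains a separator other
    than ':' (hypothetical helper, not part of Mutt)."""
    lines = [l.strip() for l in lines]
    findings = []
    for i, line in enumerate(lines):
        m = TRYING.match(line)
        if not m or not re.search(r"[\s,;]", m.group("method")):
            continue  # not a method line, or a single well-formed name
        findings.append({
            "timestamp": m.group("ts"),
            "logged_method": m.group("method"),
            # True when the next line shows that no mechanism was selected.
            "no_usable_mech": i + 1 < len(lines) and NO_MECH in lines[i + 1],
            "suggested": 'set smtp_authenticators="%s"'
                         % suggest_value(m.group("method")),
        })
    return findings


SAMPLE_LOG = [
    # First three lines are the excerpt quoted in the thread.
    "[2022-05-13 17:40:38] smtp_authenticate: Trying method GSSAPI LOGIN PLAIN",
    "[2022-05-13 17:40:38] mutt_gsasl_get_mech() returned no usable mech",
    "[2022-05-13 17:40:38] No authenticators available",
    # Constructed line: what a single, well-formed method name would look like.
    "[2022-05-13 17:45:02] smtp_authenticate: Trying method GSSAPI",
]

if __name__ == "__main__":
    for f in find_bad_authenticators(SAMPLE_LOG):
        print(f["timestamp"], repr(f["logged_method"]), "->", f["suggested"])
```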




Bug#1010915: mutt: GSSAPI SMTP authentication no longer works

2022-05-13 Thread Kevin J. McCarthy

On Fri, 13 May 2022 01:58:53 + "brian m. carlson" 
 wrote:

> I use Kerberos on my personal network at home, and therefore I use
> GSSAPI authentication for IMAP and SMTP.  While GSSAPI with IMAP works
> fine, recently, GSSAPI with SMTP stopped working.  I suspect this is
> related to the move to gsasl.


Thanks for the bug report.  Yes, it most definitely is.  I'll take a 
look to see what I can find.  Perhaps I've missed setting up some 
callback information that gsasl needs.


Would you be able to test a patch if/when I create one?  If so, please 
make sure you are subscribed to this ticket and I'll work on something 
this weekend.


Thank you,

-Kevin




Bug#1010915: mutt: GSSAPI SMTP authentication no longer works

2022-05-13 Thread Gábor Gombás
Package: mutt
Version: 2.2.3-2
Followup-For: Bug #1010915

Hi,

I've run into this issue too, and it is clearly gsasl which is broken:

[2022-05-13 17:40:38] smtp_authenticate: Trying method GSSAPI LOGIN PLAIN
[2022-05-13 17:40:38] mutt_gsasl_get_mech() returned no usable mech
[2022-05-13 17:40:38] No authenticators available

Gabor

-- Package-specific info:
Mutt 2.2.3 (2022-04-12)
Copyright (C) 1996-2022 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 5.17.5-1-g6be07be25066 (x86_64)
ncurses: ncurses 6.3.20220423 (compiled with 6.3)
libidn2: 2.3.2 (compiled with 2.3.2)
hcache backend: tokyocabinet 1.4.48

Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 11.2.0-20' 
--with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs 
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr 
--with-gcc-major-version-only --program-suffix=-11 
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id 
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix 
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu 
--enable-libstdcxx-debug --enable-libstdcxx-time=yes 
--with-default-libstdcxx-abi=new --enable-gnu-unique-object 
--disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib 
--enable-libphobos-checking=release --with-target-system-zlib=auto 
--enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet 
--with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 
--enable-multilib --with-tune=generic 
--enable-offload-targets=nvptx-none=/build/gcc-11-GT6Wjf/gcc-11-11.2.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-GT6Wjf/gcc-11-11.2.0/debian/tmp-gcn/usr
 --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu 
--host=x86_64-linux-gnu --target=x86_64-linux-gnu 
--with-build-config=bootstrap-lto-lean --enable-link-serialization=2
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.2.0 (Debian 11.2.0-20) 

Configure options: --build=x86_64-linux-gnu --prefix=/usr 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' --sysconfdir=/etc --localstatedir=/var 
--disable-option-checking --disable-silent-rules 
'--libdir=${prefix}/lib/x86_64-linux-gnu' --runstatedir=/run 
--disable-maintainer-mode --disable-dependency-tracking 
--with-mailpath=/var/mail --enable-compressed --enable-debug --enable-fcntl 
--enable-hcache --enable-gpgme --enable-imap --enable-smtp --enable-pop 
--enable-sidebar --enable-dotlock --disable-fmemopen --with-curses 
--with-gnutls --with-gss --with-idn2 --with-mixmaster --with-gsasl 
--without-gdbm --without-bdb --without-qdbm --with-tokyocabinet 
build_alias=x86_64-linux-gnu 'CFLAGS=-g -O2 
-ffile-prefix-map=/build/mutt-OjBqXe/mutt-2.2.3=. -fstack-protector-strong 
-Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'

Compilation CFLAGS: -Wall -pedantic -Wno-long-long -g -O2 
-ffile-prefix-map=/build/mutt-OjBqXe/mutt-2.2.3=. -fstack-protector-strong 
-Wformat -Werror=format-security

Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
+USE_POP  +USE_IMAP  +USE_SMTP  
-USE_SSL_OPENSSL  +USE_SSL_GNUTLS  -USE_SASL  +USE_GSASL  +USE_GSS  
+HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  +HAVE_FUTIMENS  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
-EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  -HAVE_LIBIDN  +HAVE_LIBIDN2  +HAVE_GETSID  
+USE_HCACHE  
+USE_SIDEBAR  +USE_COMPRESSED  +USE_INOTIFY  
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"

To contact the developers, please mail to .
To report a bug, please contact the Mutt maintainers via gitlab:
https://gitlab.com/muttmua/mutt/issues


-- System Information:
Debian Release: bookworm/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 
'stable-security'), (103, 'testing'), (102, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.5-1-g6be07be25066 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: 

Bug#1010915: mutt: GSSAPI SMTP authentication no longer works

2022-05-12 Thread brian m. carlson
Package: mutt
Version: 2.2.4-1
Severity: important

I use Kerberos on my personal network at home, and therefore I use
GSSAPI authentication for IMAP and SMTP.  While GSSAPI with IMAP works
fine, recently, GSSAPI with SMTP stopped working.  I suspect this is
related to the move to gsasl.

When it fails, mutt merely says "SASL authentication failed".  What
Postfix (Debian bullseye) reports is this:

  May 13 01:52:52 ring postfix/submission/smtpd[2307029]: Anonymous TLS 
connection established from : TLSv1.2 with cipher 
ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
  May 13 01:52:53 ring postfix/submission/smtpd[2307029]: warning: : 
SASL GSSAPI authentication aborted
  May 13 01:52:54 ring postfix/submission/smtpd[2307029]: lost connection after 
AUTH from 
  May 13 01:52:54 ring postfix/submission/smtpd[2307029]: disconnect from 
 ehlo=2 starttls=1 auth=0/1 commands=3/4

I've filed this as important because it prevents me from sending emails,
which is an important functionality of any mail client.  Downgrading to
2.0.5-4.1 works.

-- Package-specific info:
Mutt 2.2.4 (2022-04-30)
Copyright (C) 1996-2022 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 5.16.0-6-amd64 (x86_64)
ncurses: ncurses 6.3.20220423 (compiled with 6.3)
libidn2: 2.3.2 (compiled with 2.3.2)
hcache backend: tokyocabinet 1.4.48

Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 11.3.0-1' 
--with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs 
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr 
--with-gcc-major-version-only --program-suffix=-11 
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id 
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix 
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu 
--enable-libstdcxx-debug --enable-libstdcxx-time=yes 
--with-default-libstdcxx-abi=new --enable-gnu-unique-object 
--disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib 
--enable-libphobos-checking=release --with-target-system-zlib=auto 
--enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet 
--with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 
--enable-multilib --with-tune=generic 
--enable-offload-targets=nvptx-none=/build/gcc-11-m8KK5z/gcc-11-11.3.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-m8KK5z/gcc-11-11.3.0/debian/tmp-gcn/usr
 --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu 
--host=x86_64-linux-gnu --target=x86_64-linux-gnu 
--with-build-config=bootstrap-lto-lean --enable-link-serialization=2
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.3.0 (Debian 11.3.0-1) 

Configure options: --build=x86_64-linux-gnu --prefix=/usr 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' --sysconfdir=/etc --localstatedir=/var 
--disable-option-checking --disable-silent-rules 
'--libdir=${prefix}/lib/x86_64-linux-gnu' --runstatedir=/run 
--disable-maintainer-mode --disable-dependency-tracking 
--with-mailpath=/var/mail --enable-compressed --enable-debug --enable-fcntl 
--enable-hcache --enable-gpgme --enable-imap --enable-smtp --enable-pop 
--enable-sidebar --enable-dotlock --disable-fmemopen --with-curses 
--with-gnutls --with-gss --with-idn2 --with-mixmaster --with-gsasl 
--without-gdbm --without-bdb --without-qdbm --with-tokyocabinet 
build_alias=x86_64-linux-gnu 'CFLAGS=-g -O2 
-ffile-prefix-map=/build/mutt-ziEvPb/mutt-2.2.4=. -fstack-protector-strong 
-Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'

Compilation CFLAGS: -Wall -pedantic -Wno-long-long -g -O2 
-ffile-prefix-map=/build/mutt-ziEvPb/mutt-2.2.4=. -fstack-protector-strong 
-Wformat -Werror=format-security

Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
+USE_POP  +USE_IMAP  +USE_SMTP  
-USE_SSL_OPENSSL  +USE_SSL_GNUTLS  -USE_SASL  +USE_GSASL  +USE_GSS  
+HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  +HAVE_FUTIMENS  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
-EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  -HAVE_LIBIDN  +HAVE_LIBIDN2  +HAVE_GETSID  
+USE_HCACHE  
+USE_SIDEBAR  +USE_COMPRESSED  +USE_INOTIFY  
-ISPELL
SENDMAIL="/usr/sbin/sendmail"