I solved the problem. The dovecot auth_gssapi_hostname entry did not have a correct reverse DNS entry.
Example: mail.example.com had an IP of 192.168.1.3 and the reverse pointer record for 192.168.1.3 was a different hostname; i.e. orange.example.com. Kerberos gssapi is strict. Thank you for your help. On Tue, Aug 15, 2017 at 11:55 PM, Aki Tuomi <aki.tu...@dovecot.fi> wrote: > The disconnect (no auth attempts) means that the client did not see any > reason to try logging in. > > You can use https://wiki.mozilla.org/MailNews:Logging to enable debug > logging. > > Aki > > > On 16.08.2017 09:50, Erik Haller wrote: > > I am migrating an existing dovecot server to a new server. The existing > > server uses pam_krb5 and works with the plain and gssapi methods. The new > > server plain/pam_krb5 normal password authentication works. However, the > > gssapi (tickets) authentication is producing the following error: > > > > === Begin Error ==== > > > > imap-login: Disconnected (no auth attempts in 0 secs): user=<>, > > rip=192.168.7.61, lip=192.168.7.97, TLS, session=<SPnD7NhWWtrAqAc9> > > > > === End Error === > > > > What is causing the "user=<>"? It should be "user=<erik>". > > > > I have been using Thunderbird SSL GSSAPI from a Debian Linux > testing/buster > > XFCE desktop to connect to the existing server for years. When I point it > > to the new server, I receive the above error. > > > > ssh kerberos gssapi authentication is working fine on the new server. > > > > Most of the doveconf setting between the existing and new servers are the > > same. > > > > The existing server is 32 bit. The new server is 64 bit running in an LXC > > container. The existing server dovecot version is the same as the new > > server. > > > > > > Notes: > > > > dovecot version: 2.2.31 (65cde28) > > OS: Debian Linux testing/buster > > Arch: amd64 > > > > Client: Mozilla Thunderbird 52.2.1 (latest) >