[pkg-fetchmail-maint] Bug#568455: fetchmail, TLS/SSL with Exchange 2007 results in Autorization failures

Matthias Andree matthias.andree at gmx.de
Mon Feb 8 08:32:56 UTC 2010 

(sorry for breaking threading, replying through web interface to BTS)

Apparently the POP3/IMAP server or the client is misconfigured.

The server might offer Kerberos without proper setup (that's in case the  
user isn't recognized), or the client may not have the required  
credentials (use "kinit LOGIN" before running fetchmail).

I can authenticate with GSSAPI to a Kerberized Cyrus IMAP/POP3 server, so  
I need further evidence before I believe this to be a fetchmail bug.

The fetchmail client option to work around would be "auth", quoting the  
manpage.

        --auth <type>
               (Keyword: auth[enticate])
               This option permits you  to  specify  an  authentication
               type  (see  USER AUTHENTICATION below for details).  The
               possible values are any, password, kerberos_v5, kerberos
               (or,  for  excruciating exactness, kerberos_v4), gssapi,
               cram-md5, otp, ntlm, msn (only for POP3), external (only
               IMAP)  and  ssh.   When  any (the default) is specified,
               fetchmail tries first methods that don't require a pass-
               word  (EXTERNAL,  GSSAPI, KERBEROS IV, KERBEROS 5); then
               it looks for methods that mask your password  (CRAM-MD5,
               X-OTP  -  note  that NTLM and MSN are not autoprobed for
               POP3 and MSN is only supported for POP3);  and  only  if
               the  server  doesn't  support  any of those will it ship
               your password en clair.  Other values  may  be  used  to
               force  various  authentication  methods  (ssh suppresses
               authentication and is thus  useful  for  IMAP  PREAUTH).
               (external  suppresses  authentication and is thus useful
               for IMAP EXTERNAL).   Any  value  other  than  password,
               cram-md5, ntlm, msn or otp suppresses fetchmail's normal
               inquiry for a password.  Specify ssh when you are  using
               an  end-to-end  secure connection such as an ssh tunnel;
               specify external when you use TLS with client  authenti-
               cation  and  specify  gssapi  or  kerberos_v4 if you are
               using a protocol variant  that  employs  GSSAPI  or  K4.
               Choosing  KPOP  protocol  automatically selects Kerberos
               authentication.  This option does not work with ETRN.

NTLM or password should work for you.

I believe this was somewhat obvious enough, but let me know your  
suggestions for improvement.

HTH

-- 
Matthias Andree

More information about the pkg-fetchmail-maint mailing list