
SASL GSSAPI

Open thsmi opened this issue 13 years ago • 5 comments

Implement native support for SASL GSSAPI

The show stopper concerning SASL GSSAPI is that nsIAuthModule is not exposed to JavaScript. It's just accessible from C++. So there's no way to use Thunderbird's native implementation from extensions.

One way to get around this would be to patch Thunderbird to expose the nsIAuthModule to Scripts.

The other way would be reimplementing nsAuthGSSAPI.cpp in JavaScript with C-Types.

As a workaround there is a Perl-based proxy implementation: https://github.com/thsmi/sieve/tree/master/tools/GSSAPI%20Proxy

thsmi avatar Oct 11 '12 22:10 thsmi

+1 on this feature request.

arthurzenika avatar Oct 03 '14 08:10 arthurzenika

I do not know how current the nsIAuthModule argument is, but in case a GSSAPI/GS2-KRB5 capable server is needed I can provide an account for tests. The server is mail.aegee.org. The secret is abc. No channel binding is offered (-PLUS mechanisms). The principal is [email protected].

dilyanpalauzov avatar Jan 06 '21 20:01 dilyanpalauzov

After more than one decade the nsIAuthModule got exposed to JavaScript in Thunderbird: https://bugzilla.mozilla.org/show_bug.cgi?id=1679731

But ironically classic addons which could make full use of this are gone.

thsmi avatar Mar 21 '21 19:03 thsmi

> But ironically classic addons which could make full use of this are gone.

so is that a won't implement? If so can you add a means (to the TB webex version) of changing the authentication - currently it is sending something to timsieved server (cyrus/sieve is reporting PLAIN authentication failures), TB hasn't been configured with any passwords (it's using GSSAPI) so I'm not sure what the TB sieve extension is actually sending.

dekeonus avatar May 03 '21 05:05 dekeonus

> so is that a won't implement?

Difficult to say, it depends on the Thunderbird developers. WebExtensions are limited and they can access Thunderbird only via official WebExtension APIs as well as so-called Experiments. It took more than 10 years until the GSSAPI got exposed to JavaScript. So it is highly unlikely that it will ever pop up in the WebExtension API. And concerning the Experiments, there is sadly only an official statement which says they will be disabled in the future. But no one knows what this means.

> If so can you add a means (to the TB webex version) of changing the authentication

From my side this is highly unlikely. Currently all of the settings are hardwired to the corresponding Thunderbird account. Allowing both as a mix-in adds a tremendous amount of complexity, which has little to no benefit for most users. My focus is currently on getting the next release ready and publishing a web application which can be run on a web server. If you need custom settings just use the standalone application.

> currently it is sending something to timsieved server (cyrus/sieve is reporting PLAIN authentication failures), TB hasn't been configured with any passwords (it's using GSSAPI) so I'm not sure what the TB sieve extension is actually sending.

It uses Thunderbird internal APIs to ask for the account password. It would be interesting to see what Thunderbird returns to the WebExtension. SASL PLAIN is unencrypted, you just need to base64-decode the string.

thsmi avatar May 06 '21 17:05 thsmi
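
The last reply notes that a SASL PLAIN response is only base64-encoded. As an added example (not part of the thread and not the extension's code), this Node.js sketch decodes a captured ManageSieve `AUTHENTICATE "PLAIN"` line into its RFC 4616 fields and reports only the password length; the function names and the sample line are constructed for illustration.

```javascript
// Added example: decode the initial response of a ManageSieve
// AUTHENTICATE "PLAIN" command (RFC 5804) taken from a captured session.
// SASL PLAIN (RFC 4616) payload layout: [authzid] NUL authcid NUL passwd

function decodeSaslPlain(b64) {
  // Reject non-canonical base64 first: Buffer.from() silently skips
  // invalid characters instead of failing.
  if (!/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/.test(b64)) {
    throw new Error("not valid base64");
  }
  const fields = Buffer.from(b64, "base64").toString("utf8").split("\0");
  if (fields.length !== 3) {
    throw new Error(`expected 3 NUL-separated fields, got ${fields.length}`);
  }
  const [authzid, authcid, passwd] = fields;
  if (authcid.length === 0) throw new Error("empty authentication identity");
  // Report only the length so the secret does not end up in notes or tickets.
  return { authzid, authcid, passwordLength: passwd.length };
}

function inspectAuthenticateLine(line) {
  // Matches: AUTHENTICATE "MECH" "initial-response" (quoted-string form only;
  // the literal {n+} form is not handled in this sketch).
  const m = /^AUTHENTICATE\s+"([^"]+)"(?:\s+"([^"]*)")?\s*$/i.exec(line.trim());
  if (!m) throw new Error("not an AUTHENTICATE command");
  const mechanism = m[1].toUpperCase();
  // Other mechanisms (e.g. GSSAPI) carry binary tokens, not NUL-separated text.
  if (mechanism !== "PLAIN") return { mechanism, decoded: null };
  if (m[2] === undefined) throw new Error("PLAIN without initial response");
  return { mechanism, decoded: decodeSaslPlain(m[2]) };
}

// Constructed sample: user "alice", password "example-pw", no authzid.
const sample = 'AUTHENTICATE "PLAIN" "' +
  Buffer.from("\0alice\0example-pw", "utf8").toString("base64") + '"';
console.log(inspectAuthenticateLine(sample));
```

An empty `authcid` or an unexpected `passwordLength` in the result shows what the client actually submitted when the server logs PLAIN failures for an account that was meant to use GSSAPI.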