kerberized version of fetchmail? (corrected)

Globe Trotter itsme_410 at yahoo.com
Sun Nov 16 06:48:51 UTC 2003


Hi,

I think I figured out the error -- it should be POP3, not POP in the proto,
right?

However, I still have problems. I have Kerberos 5 tickets issued, obtained
using kinit and validated using kinit. However, I can not get errors. The
following example is what I have been following for my .fetchmailrc:


set daemon 600
poll user.mail.iastate.edu with proto POP3 auth gssapi uidl 
     principal pop.pop.iastate.edu at IASTATE.EDU 

user  'user' there with password  `ISU' is user here warnings 3600
mda  'procmail -f-'
keep

However, it does not work. I get the following error:

$fetchmail -c -vv
........
fetchmail: Scratch list of UIDs: <empty>
fetchmail: removing stale lockfile
fetchmail: 6.2.0 querying user.mail.iastate.edu (protocol POP3) at Sun 16 Nov
2003 12:39:50 AM CST: poll started
fetchmail: Kerberos V5 support not linked.
fetchmail: 6.2.0 querying user.mail.iastate.edu (protocol POP3) at Sun 16 Nov
2003 12:39:50 AM CST: poll completed
fetchmail: normal termination, status 7


I can not figure out how to link Kerberos V5 support. Should I use hesiod for
this? I have krb5 tickets issued to me:

$ klist 
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user at IASTATE.EDU

Valid starting     Expires            Service principal
11/15/03 20:47:10  11/16/03 00:47:10  krbtgt/IASTATE.EDU at IASTATE.EDU


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached


Reading the manpage seems to indicate that hesiod has to be linked somehow as
well as that principal is only for Kerberos 4. However, the error above
indicates that "Kerberos V5" support is not linked. How is this resolved? Can
someone please help -- does this mean that fetchmail has to be reinstalled with
Kerberos V support, explicitly?

Thanks and best wishes!


--- Nalin Dahyabhai <nalin at redhat.com> wrote:
> On Thu, Nov 13, 2003 at 09:09:00AM -0800, Globe Trotter wrote:
> > OK, so if I go for kerberos 5, how do I need to modify it? The server accepts
> > both 5 as well as 4.
> 
> Best thing is to find out what the server supports for authentication.
> To do that for a POP3 server, use netcat to connect to the port and
> issue the CAPA command:
>   nc popserver.example.com pop3
>   > +OK POP3 blahblahblah ready
>   CAPA
>   > +OK Here you go:
>   > STLS
>   > USER
>   > SASL GSSAPI LOGIN
>   QUIT
>   > +OK luvyoubuhbye
> The important part is the SASL capability, which lists the SASL methods
> which the server supports.  If you see GSSAPI listed, change "proto KPOP
> auth kerberos_v4" to "proto POP auth gssapi", or if you see KERBEROS_V5,
> try "proto POP auth kerberos_v5".
> 
> If it's an IMAP server, the commands you'll want to send will look more
> like this:
>   nc imapserver.example.com imap
>   > * OK [CAPABILITY] IMAP blahblahblah
>   0001 CAPABILITY
>   > * CAPABILITY STARTTLS AUTH=GSSAPI AUTH=LOGIN
>   > 0001 OK CAPABILITY completed
>   0002 LOGOUT
>   > * luvyoubuhbye
>   > 0002 OK LOGOUT completed
> and you'll want to look for AUTH= capabilities.  This, more or less, is
> what most mail clients (including fetchmail) will do.
> 
> HTH,
> 
> Nalin
> 
> 
> --
> fedora-list mailing list
> fedora-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-list
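
Added example (not part of the original messages, and not fetchmail's own code): a small Python parser for a captured POP3 CAPA or IMAP CAPABILITY reply that lists the advertised SASL mechanisms and maps them to the fetchmail "auth" keyword suggested in the quoted reply. The function names, the sample replies and the extra check for password mechanisms offered without STLS/STARTTLS are assumptions made for illustration.

```python
# Advertised SASL mechanism -> fetchmail "auth" keyword, as suggested in the thread.
FETCHMAIL_AUTH = {"GSSAPI": "gssapi", "KERBEROS_V5": "kerberos_v5"}
PASSWORD_MECHS = {"LOGIN", "PLAIN"}  # mechanisms that hand the password to the server


def parse_pop3_capa(reply):
    """Return (sasl_mechs, tls_offered) from the text of a POP3 CAPA reply."""
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("server did not accept CAPA")
    mechs, tls = [], False
    for line in lines[1:]:
        if line == ".":  # terminator of a multi-line POP3 reply
            break
        tag, *args = line.upper().split()
        if tag == "SASL":
            mechs.extend(args)
        elif tag == "STLS":
            tls = True
    return mechs, tls


def parse_imap_capability(reply):
    """Return (sasl_mechs, tls_offered) from untagged IMAP CAPABILITY lines."""
    mechs, tls = [], False
    for line in reply.splitlines():
        words = line.upper().split()
        if words[:2] == ["*", "CAPABILITY"]:  # skips greeting and tagged lines
            for w in words[2:]:
                if w.startswith("AUTH="):
                    mechs.append(w[5:])
                elif w == "STARTTLS":
                    tls = True
    return mechs, tls


def assess(mechs, tls):
    """Pick a fetchmail auth keyword; flag password mechanisms offered without TLS."""
    auth = next((FETCHMAIL_AUTH[m] for m in mechs if m in FETCHMAIL_AUTH), None)
    exposed = sorted(PASSWORD_MECHS.intersection(mechs)) if not tls else []
    return {"fetchmail_auth": auth, "password_mechs_without_tls": exposed}

# Constructed sample replies, modelled on the transcripts quoted above.
POP3_SAMPLE = "+OK Here you go:\nSTLS\nUSER\nSASL GSSAPI LOGIN\n.\n"
IMAP_SAMPLE = "* CAPABILITY STARTTLS AUTH=GSSAPI AUTH=LOGIN\n0001 OK CAPABILITY completed\n"

if __name__ == "__main__":
    print(assess(*parse_pop3_capa(POP3_SAMPLE)))
    print(assess(*parse_imap_capability(IMAP_SAMPLE)))
```

This only reports what the server advertises; whether the client can use a mechanism still depends on how it was built, which is what the "Kerberos V5 support not linked" message above is about.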

