#68 Provide passthrough Authentication via Kerberos/GSSAPI


Allow Davmail to do pass through authenticate Kerberos on all protocols.

This is very useful for environments that authenticate their Linux systems via AD (whether via native or third party systems such as Quest or Likewise etc) or have a Kerberos to AD trust in place.

It saves the user from getting a second challenge for passwords when opening the email programs (or multiple ones, one for each protocol). This is particularly annoying as most AD environments insist on regular password changes. It is also possible that certain sites maybe very unhappy for users to save passwords in email programs (thereby allowing another user with root access to su to them and read all their emails, Kerberos reduces this risk).

I'm not sure if you select IMAP Kerbeos/GSSAPI in Thunderbird say , what is exactly passed. I don't know enough about it but I'd guess you might only get the "IMAP/" tickets. I'd guess DavMail would need access to the TGT to get a "HTTP/" ticket for passwordless connection to exchange WEBDAV/EWS.

I suppose if the above is true this Kerberized authentication may only be possible if DavMail is on the users local machine (where it can read the users TGT) and not on the server version. I don't know.

It would be nice if all the protocols had Kerberos pasthrough, IMAP, LDAP, SMTP, CALDAV etc.
Not sure if Thunderbird (lightning) supports Kerberized Caldav ?



  • I'm also interested in this feature.
    Now i'm running thunderbird with davmail against exchange 2007 and we mainly use sso because we are not allowed to save passwords in applications (policy). Now when i start thunderbird with the lightning plugin i have to login 4 times.
    One for email,adressbook,sending (smtp) and calendar. The webinterface works single sign on within firefox but i'm not sure how easy or dificult it would be to implement this.

    I use this software now 2 weeks and it works!