The new autoconfig code doesn't call verifyLogon if the user doesn't specify a password. GSSAPI auth doesn't require a password, so we should figure out a way of allowing empty passwords and verifying that the user can log on - perhaps we can check for the gssapi capability for imap/pop and remember it. There may be other cert-based authentication mechanisms, but GSSAPI is the most popular one, afaik.
I think I'll probably be the one doing the work on this. :) Did we want it to block rc1? Thanks, Blake.
Assignee: nobody → bwinton
Status: NEW → ASSIGNED
If it's not too hard to do, I think it should block rc1. I'd at least block rc1 on making sure autoconfig can be used to set up gssapi servers, and I will try that at some point in the near future.
Cert auth might also work without password. Gozer, how much work would it be to set up a server which does auth based on the cert only and extracts the logging from the email embedded in the cert?
(In reply to comment #3)
> Cert auth might also work without password. Gozer, how much work would it be to
> set up a server which does auth based on the cert only and extracts the logging
> from the email embedded in the cert?

My favorite imap server, Cyrus, doesn't seem to know how to do that, but it looks like Dovecot can do it. I'd think it wouldn't be too difficult to set up. How soon would this be wanted?
The next week or two would be fine - sometime relatively early in the rc1 dev cycle.
I've now got Courier on imaps://mail-test.mozillamessaging.com:995/ running with client-cert authentication supported. If you already have a MoMo client cert, it should work.
(In reply to comment #2)
> If it's not too hard to do, I think it should block rc1. I'd at least block rc1
> on making sure autoconfig can be used to set up gssapi servers, and I will try
> that at some point in the near future.

So, I tested this with a MoMo client cert against mail-test.mozillamessaging.com, and it seemed to work just fine. I'm going to see what I can do to check for passwordless servers, and attempt to verify the username/login, although since I don't think we would report an error (in case they just didn't want to put in their password, for some other reason), I'm not entirely sure what I'll do on success or failure. Still, let's burn that bridge when I get to it.
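Added example, not part of the bug thread and not Thunderbird's autoconfig code: one way to implement the capability check proposed in the bug description and in the comment above, deciding whether an empty password should still lead to a logon verification. All function names are hypothetical and the server replies are constructed samples; it assumes the IMAP CAPABILITY or POP3 CAPA response text has already been read from the server.

```javascript
// Added example: names below are hypothetical, not Thunderbird's autoconfig API.
// SASL mechanisms that authenticate without a user-typed password.
const PASSWORDLESS = new Set(["GSSAPI", "EXTERNAL"]);

// IMAP: "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=GSSAPI" -> ["PLAIN", "GSSAPI"]
function imapAuthMechanisms(response) {
  const mechs = [];
  for (const line of response.split(/\r?\n/)) {
    // Capabilities arrive untagged or inside a "[CAPABILITY ...]" response code.
    const m = /(?:^\* |\[)CAPABILITY ([^\]\r\n]*)/i.exec(line);
    if (!m) continue;
    for (const atom of m[1].trim().split(/\s+/)) {
      if (/^AUTH=/i.test(atom)) mechs.push(atom.slice(5).toUpperCase());
    }
  }
  return mechs;
}

// POP3 CAPA (RFC 2449): a "SASL PLAIN GSSAPI" line inside a multi-line reply.
function pop3AuthMechanisms(response) {
  const lines = response.split(/\r?\n/);
  if (!/^\+OK/i.test(lines[0] || "")) return []; // CAPA unsupported or failed
  for (const line of lines.slice(1)) {
    if (line === ".") break; // end of multi-line reply
    const words = line.trim().split(/\s+/);
    if (words[0].toUpperCase() === "SASL") {
      return words.slice(1).map((w) => w.toUpperCase());
    }
  }
  return [];
}

// Decide whether an empty password should still lead to a logon check.
function shouldVerifyLogon(password, mechanisms) {
  if (password) return { verify: true, mechanisms };
  const usable = mechanisms.filter((m) => PASSWORDLESS.has(m));
  return { verify: usable.length > 0, mechanisms: usable };
}

// Constructed sample server replies.
const IMAP_SAMPLE = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=GSSAPI] ready\r\n";
const POP3_SAMPLE = "+OK Capability list follows\r\nTOP\r\nSASL PLAIN LOGIN\r\nUIDL\r\n.\r\n";
```

With an empty password, the IMAP sample yields a verification attempt restricted to GSSAPI, while the POP3 sample yields none because only password-based mechanisms are advertised.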
Taking off the blocker list - it doesn't sound bad. We'd definitely still take a fix, if there are some quick safe improvements.
OS: Windows NT → All
Hardware: x86 → All
Target Milestone: Thunderbird 3.0rc1 → ---
I'm not really working on these, so I'm freeing them up for a community member to take. (Filter on [ossifrage] to delete all the notifications.)
Assignee: bwinton → nobody
Status: ASSIGNED → NEW