SASL GSSAPI #2

Open
thsmi opened this issue Oct 11, 2012 · 5 comments

@thsmi
Owner

thsmi commented Oct 11, 2012

Implement native support for SASL GSSAPI

The show stopper concerning SASL GSSAPI is that nsIAuthModule is not exposed to JavaScript. It's just accessible from C++. So there's no way to use Thunderbird's native implementation from extensions.

One way to get around this would be to patch Thunderbird to expose the nsIAuthModule to Scripts.

The other way would be reimplementing nsAuthGSSAPI.cpp in JavaScript with C-Types.

As a workaround there is a Perl-based proxy implementation: https://github.com/thsmi/sieve/tree/master/tools/GSSAPI%20Proxy

@arthurzenika

+1 on this feature request.

@dilyanpalauzov

I do not know how current the nsIAuthModule argument is, but in case a GSSAPI/GS2-KRB5 capable server is needed I can provide an account for tests. The server is mail.aegee.org. The secret is abc. No channel binding is offered (-PLUS mechanisms). The principal is [email protected].

@thsmi
Owner Author

thsmi commented Mar 21, 2021

After more than one decade the nsIAuthModule got exposed to JavaScript in Thunderbird:
https://bugzilla.mozilla.org/show_bug.cgi?id=1679731

But ironically classic addons which could make full use of this are gone.

@dekeonus

dekeonus commented May 3, 2021

> But ironically classic addons which could make full use of this are gone.

So is that a won't implement?
If so, can you add a means (to the TB webex version) of changing the authentication? Currently it is sending something to the timsieved server (cyrus/sieve is reporting PLAIN authentication failures). TB hasn't been configured with any passwords (it's using GSSAPI), so I'm not sure what the TB sieve extension is actually sending.

@thsmi
Owner Author

thsmi commented May 6, 2021

> so is that a won't implement?

Difficult to say, it depends on the Thunderbird developers. WebExtensions are limited and can access Thunderbird only via official WebExtension APIs as well as so-called Experiments. It took more than 10 years until the GSSAPI got exposed to JavaScript. So it is highly unlikely that it will ever pop up in the WebExtension API. And concerning the Experiments, there is sadly only an official statement which says they will be disabled in the future. But no one knows what this means.

> If so can you add a means (to the TB webex version) of changing the authentication

From my side this is highly unlikely. Currently all of the settings are hardwired to the corresponding Thunderbird account. Allowing both as a mix-in adds a tremendous amount of complexity, which has little to no benefit for most users. My focus is currently on getting the next release ready and publishing a web application which can be run on a web server. If you need custom settings just use the standalone application.

> currently it is sending something to timsieved server (cyrus/sieve is reporting PLAIN authentication failures), TB hasn't been configured with any passwords (it's using GSSAPI) so I'm not sure what the TB sieve extension is actually sending.

It uses Thunderbird-internal APIs to ask for the account password. It would be interesting to see what Thunderbird returns to the WebExtension. SASL PLAIN is unencrypted; you just need to Base64-decode the string.
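
The decoding step mentioned in the comment above, as an added example that is not part of this thread or of the extension's code: it takes a captured ManageSieve `AUTHENTICATE "PLAIN" "<base64>"` line, splits the RFC 4616 message into its fields, and redacts the password by default so the result can be pasted into a bug report. The function names and the sample line are constructed for illustration; only the quoted-string form of the initial response is handled.

```javascript
// Added example (Node.js). Function names and sample data are hypothetical.

// Pull the base64 initial response out of a ManageSieve line of the form
//   AUTHENTICATE "PLAIN" "<base64>"
// A bare base64 string is accepted as well.
function extractInitialResponse(line) {
  const m = /^\s*AUTHENTICATE\s+"PLAIN"\s+"([A-Za-z0-9+/=]*)"\s*$/i.exec(line);
  if (m) return m[1];
  const bare = line.trim();
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(bare)) return bare;
  throw new Error("not a SASL PLAIN initial response");
}

// Decode an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd
function decodeSaslPlain(line, { revealPassword = false } = {}) {
  const raw = Buffer.from(extractInitialResponse(line), "base64");
  const first = raw.indexOf(0);
  const second = first < 0 ? -1 : raw.indexOf(0, first + 1);
  // Exactly two NUL separators are allowed; anything else is malformed.
  if (second < 0 || raw.indexOf(0, second + 1) >= 0) {
    throw new Error("expected exactly two NUL separators");
  }
  const password = raw.subarray(second + 1).toString("utf8");
  return {
    authzid: raw.subarray(0, first).toString("utf8"),
    authcid: raw.subarray(first + 1, second).toString("utf8"),
    passwordLength: password.length,
    // An empty password is the interesting case when the client was
    // never configured with one (e.g. the account uses GSSAPI).
    passwordEmpty: password.length === 0,
    password: revealPassword ? password : "<redacted>",
  };
}

// Constructed sample line: empty authzid, user "alice", password "s3cret".
const sample = 'AUTHENTICATE "PLAIN" "' +
  Buffer.from("\0alice\0s3cret", "utf8").toString("base64") + '"';
console.log(decodeSaslPlain(sample));
```

Because the decoded string contains the account password in the clear, capture it only on a connection you control and keep the default redaction when sharing the output.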
