In a previous article, I explained how to configure cyrus support for SASL GSSAPI Kerberos authentication. This article is a howto for installing and configuring the mutt e-mail client to access an IMAP server using GSSAPI Kerberos authentication. The procedure was tested on Debian Stable 4.0 (Etch).

Mutt, has support for GSSAPI authentication to access Kerberos-capable e-mail servers such as cyrus. However, mutt by default does not support this feature, it offers compile time options that allows the integration of GSSAPI authentication.

To check if your mutt binary has support for gssapi, type

 mutt -v | grep GSS

If you see ”-USE_GSS”, it means that the mutt binary does not support GSSAPI authentication, if you see ”+USE_GSS”, that means it has.

If your mutt binary does not support GSSAPI Kerberos authentication, you can follow these steps to compile mutt from source and build a binary that includes the feature.

• Install heimdal 1.1

Download the source from http://www.h5l.org/dist/src/heimdal-1.1.tar.gz , then extract, configure, compile and install it

configure
make
make install

This will install heimdal in /usr/heimdal

• Install ncursus development libraries

  sudo apt-get install libncurses5-dev

• Download mutt source and install it

wget http://prdownloads.sourceforge.net/mutt/mutt-1.5.17.tar.gz?download
tar xfz mutt-1.5.17.tar.gz
cd mutt-1.5.17
./configure --with-gss=/usr/heimdal --enable-imap
make
make install

• Test

   mutt -v 

You should see the flags +USE_IMAP and +USE_GSS. If not, then something went wrong during configuration or compilation.

Edit the mutt configuration file, usually (~/.muttrc) and make sure you have the following two lines

 
mailboxes = imap://your.imap.server/INBOX
set imap_authenticatiors = "gssapi"

To test if your IMAP server supports GSSAPI authentication, you can to connect to it using telnet, then issue the CAPABILITY command. This is a sample session:

  $telnet srv.com imap
  Trying 155.50.44.55...
  Connected to srv.com.
  Escape character is '^]'.
  * OK vornos.com Cyrus IMAP4 v2.3.1 server ready
  a001 CAPABILITY
  * CAPABILITY IMAP4 IMAP4rev1 ACL RIGHTS=kxte QUOTA LITERAL+   MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE IDLE AUTH=OTP AUTH=NTLM AUTH=GSSAPI AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR URLAUTH
  a001 OK Completed
  a002 logout
  * BYE LOGOUT received
  a002 OK Completed
  Connection closed by foreign host.

If “AUTH=GSSAPI” is part of the server output, then the GSSAPI authentication is supported.

• IMAP commands
• Mutt manual