Contributed by jose on from the homebrew-documentation dept.
"If you are using imap-uw 4.44 from the packages or ports and do not have Kerberos set up, you may note delays over 60 seconds connecting with anything that uses the c-client. It has come up several times on the OpenBSD mail lists with suggested fixes and workarounds."
"The situation may be posted on a faq or fuq, but till then I put some information here: http://www.cocoavillagepublishing.com/development/tools/openbsd/tips/imap-uw/"

As a user of pine (not that I like it, it just works and I'm too lazy to try anything new right now), thanks for the info!

"Here is the summary, fixes and observations. You are welcome to send me corrections, suggestions and additions and I'll correct on my website. -paul

Long delay connecting with imap-uw
==================================

Summary of issue:
-----------------
The packages that use c-client from imap-uw version 4.4 are by default configured to take advantage of Kerberos authentication. If you do not have your DNS or Kerberos configuration files set up to use Kerberos servers, then imap-uw will experience Kerberos lookups failing, and applications like pine, or something using c-client like a web email application such as squirrel or twig, can experience delays greater than 60 seconds when connecting. The recursive search for Kerberos authentication causes the delay.

Fixes:
------
The solution is to properly configure your servers to support Kerberos, hack the DNS zone for the server domain enough to get around it, or edit the Makefiles to remove Kerberos and remake the ports.

If you understand Kerberos and set it up properly then you don't have this problem. Explaining Kerberos is beyond a paragraph and you can look to the FAQ for a good start. http://www.openbsd.org/faq/faq10.html#Kerberos

The following hack to a DNS zone seems to work by stopping a recursive search through DNS without having to edit conf files for Kerberos. If your server has a domain like "mail.yourdomainhere.com" and you use the BIND name server as supplied with OpenBSD, the records would look like:

    $ORIGIN yourdomainhere.com.
    krb4-realm IN TXT "#yourdomainhere.com"
    krb5-realm IN TXT "#yourdomainhere.com"
    _kerberos  IN TXT "#yourdomainhere.com"

A clue to this approach is in the source file kerberosV/src/lib/krb5/get_host_realm.c

The other fix is to recompile imap-uw from the ports tree after editing the Makefile to leave out the EXTRAAUTHENTICATORS="gss" (kerberos) MAKE_FLAG. For the c-client port, version 4.44, that means removing line 27 of the file /usr/ports/mail/c-client/Makefile

Observations:
-------------
If you are comfortable with doing your own ports and you will never use Kerberos with imap-uw, then perhaps the KISS solution is to remove the feature.

If you are short on time and are familiar with DNS, then the DNS hack may be the answer.

If you want to do it right and understand Kerberos and have time and spare hair to pull, then understand and implement Kerberos properly.

In short, it's a feature, not a bug, that the 4.44 c-client package supports Kerberos. The bug is that you may not have set up Kerberos properly for it. :)

Note the above information includes posts from fellow OpenBSD users:
http://naughty.monkey.org/openbsd/archive/misc/0204/msg02271.html
http://naughty.monkey.org/openbsd/archive/misc/0211/msg00199.html"
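A helper for the DNS workaround in the summary above, added here as an example and not part of paul's post or of the OpenBSD ports: it prints the three TXT records, reports which of them a zone file lacks, and appends only the missing ones. The function names and the sample zone are constructed, and the parsing assumes the simple one-record-per-line layout the summary shows.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
KRB_LABELS="krb4-realm krb5-realm _kerberos"   # owner names from the summary

# Print the three TXT records from the summary for zone origin $1.
krb_stop_records() {
    for rec in $KRB_LABELS; do
        printf '%s\tIN\tTXT\t"#%s"\n' "$rec" "$1"
    done
}

# Print each label that has no TXT record in zone file $1.
# Assumes one record per line with a relative owner name, as in the
# summary; an optional TTL is allowed and ';' comments are ignored.
missing_krb_records() {
    for want in $KRB_LABELS; do
        awk -v want="$want" '
            { sub(/;.*/, "") }
            $1 == want && ($2 == "TXT" || $3 == "TXT" || $4 == "TXT") { found = 1 }
            END { exit (found ? 0 : 1) }
        ' "$1" || printf '%s\n' "$want"
    done
}

# Append only the missing records to zone file $1 for origin $2.
# Assumes the end of the file is still under "$ORIGIN $2."; the SOA
# serial still has to be bumped and the name server reloaded by hand.
add_missing_krb_records() {
    for label in $(missing_krb_records "$1"); do
        krb_stop_records "$2" | awk -v want="$label" '$1 == want' >> "$1"
    done
}

# Constructed sample zone: one of the three records is already present.
demo_zone=$(mktemp)
cat > "$demo_zone" <<'EOF'
$ORIGIN yourdomainhere.com.
mail        IN A   192.0.2.10
krb5-realm  IN TXT "#yourdomainhere.com"   ; added earlier
; krb4-realm IN TXT "#yourdomainhere.com"  (commented out, does not count)
EOF
echo "missing before: $(missing_krb_records "$demo_zone" | tr '\n' ' ')"
add_missing_krb_records "$demo_zone" yourdomainhere.com
echo "missing after:  $(missing_krb_records "$demo_zone" | tr '\n' ' ')"
rm -f "$demo_zone"
```

Running the append step a second time changes nothing, so it is safe to re-run after other edits to the zone.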
By Tom C. () tomclark@spindlecode.com on mailto:tomclark@spindlecode.com
Tom C.
By Jan-Uwe Finck () on
By Hans Insulander () hin@openbsd.org on mailto:hin@openbsd.org
Your talk about links is just bullshit. You're probably confusing the Kerberos 4 compatibility in Kerberos 5 with actually running Kerberos 4. There are some rough spots, but in general it works. I know of several sites that are running this in production environments.
But in general, I agree; the Kerberos documentation could be much better. I would really appreciate if you could send me some feedback about the documentation instead of just whining about it. I have seen absolutely nothing from you about this in the past.
By Anonymous Coward () on
Tom Clark
By jose () on http://www.monkey.org/~jose/
By mirabile () on
has been another fix for this problem, namely in
the c-client package, but it was not integrated.
The bug fix is from news:comp.mail.pine from
(IIRC) Eduardo Chappa, if not him it was another
pine staff member. It fixes a one-liner in c-client.
pine 4.50 is due RSN, and will contain that fix, too.