Kerberos

DavMail now includes Windows authentication support, also known as Kerberos. A new option in DavMail settings makes DavMail rely on a Kerberos token for Exchange authentication.

Windows workstation Kerberos setup

On Windows, you have a valid Kerberos ticket on any workstation where you log on with your Active Directory account. However, on recent Windows versions the TGT is not readable from Java. The workaround is to change the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
REG_DWORD name: allowtgtsessionkey
Value: 1

More details at: JGSS Troubleshooting

Linux workstation Kerberos setup

The Windows Kerberos token is not available on a default Linux workstation setup. You will need to configure /etc/krb5.conf with the Active Directory domain name. You may also need to provide a KDC (Active Directory domain controller):

[libdefaults]
    default_realm = CORP.COMPANY.COM

[realms]
    CORP.COMPANY.COM  = {
        kdc = 192.168.184.129
        default_domain = CORP.COMPANY.COM
    }

Then create a Kerberos ticket: kinit username

Check the ticket with klist

DavMail configuration

In Kerberos mode, the password provided by clients (IMAP, SMTP, POP, HTTP, LDAP) is ignored, so you must make sure external connections to DavMail are disabled.

The current implementation has no way to define a local password to secure client-to-DavMail communication.

DavMail needs direct access to the Kerberos ticket, which means Kerberos will not work in server mode.
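
An added example, not part of DavMail or its documentation: a Python check that a DavMail properties file running in Kerberos mode does not accept remote clients. The key names davmail.enableKerberos, davmail.allowRemote and davmail.bindAddress are assumed from DavMail's properties file and do not appear on this page; the sample configurations are constructed.

```python
import ipaddress

# Key names assumed from DavMail's properties file; they are not on this page.
KERBEROS, REMOTE, BIND = "davmail.enableKerberos", "davmail.allowRemote", "davmail.bindAddress"

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and line[0] not in "#!":
            props[key.strip()] = value.strip()
    return props

def is_loopback(address):
    try:
        return address == "localhost" or ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unparsable host names are treated as non-loopback

def audit(text):
    """Return findings for a Kerberos-mode config; an empty list means none."""
    props = parse_properties(text)
    if props.get(KERBEROS, "false").lower() != "true":
        return []  # not in Kerberos mode, so this check does not apply
    findings = []
    remote = props.get(REMOTE)
    if remote is None:
        # No default is assumed here, so an unset key is reported.
        findings.append(f"{REMOTE} is not set explicitly")
    elif remote.lower() != "false":
        findings.append(f"{REMOTE}={remote}: remote clients are accepted")
    bind = props.get(BIND, "")
    if bind and not is_loopback(bind):
        findings.append(f"{BIND}={bind}: listeners bound to a non-loopback address")
    return findings

# Constructed sample configurations, not taken from a real deployment.
EXPOSED = "davmail.enableKerberos=true\ndavmail.allowRemote=true\ndavmail.bindAddress=192.168.184.50\n"
LOCAL_ONLY = "davmail.enableKerberos=true\ndavmail.allowRemote=false\ndavmail.bindAddress=127.0.0.1\n"

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("LOCAL_ONLY", LOCAL_ONLY)):
        print(name, audit(cfg) or "ok")
```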