diff options
authorDaniel Kahn Gillmor <>2020-03-18 22:07:33 -0400
committerSean Whitton <>2020-03-19 13:23:09 -0700
commitddfda64826800a7b737fa161fd9d793fa6b42f06 (patch)
parent51e0c8a488b7a8d195d32d0bc58e5ef24b38e626 (diff)
imap-dl: use retriever.authentication configuration
After discussion with Sean Whitton and Robbie Harwood, I think makes more sense to have a straight "retriever.authentication" configuration setting rather than a rather odd boolean "use_kerberos". This is a divergence from getmail, but that seems OK at this point. The implementation now also makes it pretty straightforward to add new authentication mechanisms if someone wants to add them. One additional thing that would be nice would be for imap-dl to be able to dynamically choose the "best" available authentication method. Signed-off-by: Daniel Kahn Gillmor <>
2 files changed, 18 insertions, 9 deletions
diff --git a/imap-dl b/imap-dl
index 83ce84f..4f5abbb 100755
--- a/imap-dl
+++ b/imap-dl
@@ -185,12 +185,21 @@ def scan_msgs(configfile:str, verbose:bool) -> None:
port=int(conf.get('retriever', 'port', fallback=993)),
ssl_context=ctx) as imap:
username:str = conf.get('retriever', 'username')
- use_kerberos = conf.getboolean('retriever', 'use_kerberos',
- fallback=False)
- if use_kerberos:
+ authentication:str = conf.get('retriever', 'authentication',
+ fallback='basic')
+ # FIXME: have the default automatically choose an opinionated
+ # best authentication method. e.g., if the gssapi module is
+ # installed and the user has a reasonable identity in their
+ # local credential cache, choose kerberos, otherwise, choose
+ # "basic".
+ if authentication == 'kerberos':
auth_gssapi(username, imap, conf, server)
- else:
+ elif authentication == 'basic':
auth_builtin(username, imap, conf, server)
+ else:
+ # FIXME: implement other authentication mechanisms
+ raise Exception(f'retriever.authentication should be one of:\n'
+ '"basic" or "kerberos", got "{authentication}"')
if verbose: # only enable debugging after login to avoid leaking credentials in the log
imap.debug = 4
diff --git a/imap-dl.1.pod b/imap-dl.1.pod
index 5864267..88e3129 100644
--- a/imap-dl.1.pod
+++ b/imap-dl.1.pod
@@ -43,14 +43,14 @@ options:
B<retriever.server> is the dns name of the mailserver.
+B<retriever.authentication> is either "basic" (the default, using the
+IMAP LOGIN verb) or "kerberos" (IMAP AUTHENTICATE with GSSAPI,
+requires the python3-gssapi module).
B<retriever.username> is the username of the IMAP account.
B<retriever.password> is the password for the IMAP account when using
-plaintext passwords.
-B<retriever.use_kerberos> (boolean) requests that Kerberos (through GSSAPI) is
-to be used instead of password-based auth. There is no need to specify
-password when using Kerberos. This requires the python3-gssapi module.
+B<retriever.authentication> is set to "basic".
B<retriever.ssl_ciphers> is an OpenSSL cipher string to use instead of the
defaults. (The defaults are good; this should be avoided except to work