2 files changed, 18 insertions, 9 deletions
diff --git a/imap-dl b/imap-dl
index 83ce84f..4f5abbb 100755
--- a/imap-dl
+++ b/imap-dl
@@ -185,12 +185,21 @@ def scan_msgs(configfile:str, verbose:bool) -> None:
port=int(conf.get('retriever', 'port', fallback=993)),
ssl_context=ctx) as imap:
username:str = conf.get('retriever', 'username')
- use_kerberos = conf.getboolean('retriever', 'use_kerberos',
- fallback=False)
- if use_kerberos:
+ authentication:str = conf.get('retriever', 'authentication',
+ fallback='basic')
+ # FIXME: have the default automatically choose an opinionated
+ # best authentication method. e.g., if the gssapi module is
+ # installed and the user has a reasonable identity in their
+ # local credential cache, choose kerberos, otherwise, choose
+ # "basic".
+ if authentication == 'kerberos':
auth_gssapi(username, imap, conf, server)
- else:
+ elif authentication == 'basic':
auth_builtin(username, imap, conf, server)
+ else:
+ # FIXME: implement other authentication mechanisms
+ raise Exception(f'retriever.authentication should be one of:\n'
+ '"basic" or "kerberos", got "{authentication}"')
if verbose: # only enable debugging after login to avoid leaking credentials in the log
imap.debug = 4
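Review bot: The error raised in the final `else` branch will print the literal text `{authentication}` instead of the configured value, because the `f` prefix applies only to the first of the two adjacent string literals; the second line should read `f'"basic" or "kerberos", got "{authentication}"')`. Separately, the old `retriever.use_kerberos` key is no longer read anywhere in this hunk, so an existing config that sets it to true would now take the `fallback='basic'` path and call `auth_builtin` rather than GSSAPI; what happens next depends on `auth_builtin`, which is not visible here. Rejecting or warning on a leftover `use_kerberos` key would make that change of authentication method explicit instead of silent. The body of `scan_msgs` starts before and continues after the hunk.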
diff --git a/imap-dl.1.pod b/imap-dl.1.pod
index 5864267..88e3129 100644
--- a/imap-dl.1.pod
+++ b/imap-dl.1.pod
@@ -43,14 +43,14 @@ options:
B<retriever.server> is the dns name of the mailserver.
+B<retriever.authentication> is either "basic" (the default, using the
+IMAP LOGIN verb) or "kerberos" (IMAP AUTHENTICATE with GSSAPI,
+requires the python3-gssapi module).
B<retriever.username> is the username of the IMAP account.
B<retriever.password> is the password for the IMAP account when using
-plaintext passwords.
-B<retriever.use_kerberos> (boolean) requests that Kerberos (through GSSAPI) is
-to be used instead of password-based auth. There is no need to specify
-password when using Kerberos. This requires the python3-gssapi module.
+B<retriever.authentication> is set to "basic".
B<retriever.ssl_ciphers> is an OpenSSL cipher string to use instead of the
defaults. (The defaults are good; this should be avoided except to work