+if ((rc = gsasl_server_mechlist(gsasl_ctx, &p)) != GSASL_OK)
+ log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: "
+ "failed to retrieve list of mechanisms: %s (%s)",
+ ablock->name, gsasl_strerror_name(rc), gsasl_strerror(rc));
+
+HDEBUG(D_auth) debug_printf("GNU SASL supports: %s\n", p);
+
+supported = gsasl_client_support_p(gsasl_ctx, CCS ob->server_mech);
+if (!supported)
+ log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: "
+ "GNU SASL does not support mechanism \"%s\"",
+ ablock->name, ob->server_mech);
+
+if ( !ablock->server_condition
+ && ( streqic(ob->server_mech, US"EXTERNAL")
+ || streqic(ob->server_mech, US"ANONYMOUS")
+ || streqic(ob->server_mech, US"PLAIN")
+ || streqic(ob->server_mech, US"LOGIN")
+ ) )
+ log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: "
+ "Need server_condition for %s mechanism",
+ ablock->name, ob->server_mech);
+
+/* This does *not* scale to new SASL mechanisms. Need a better way to ask
+which properties will be needed. */
+
+if ( !ob->server_realm
+ && streqic(ob->server_mech, US"DIGEST-MD5"))
+ log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: "
+ "Need server_realm for %s mechanism",
+ ablock->name, ob->server_mech);
+
+/* At present, for mechanisms we don't panic on absence of server_condition;
+need to figure out the most generically correct approach to deciding when
+it's critical and when it isn't. Eg, for simple validation (PLAIN mechanism,
+etc) it clearly is critical.
+
+So don't activate without server_condition, this might be relaxed in the future.
+*/
+
+if (ablock->server_condition) ablock->server = TRUE;
+ablock->client = FALSE;
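Review bot: The `supported = gsasl_client_support_p(...)` line asks libgsasl whether it can act as a client for `ob->server_mech`, yet the rest of these lines configure the server side: the list comes from `gsasl_server_mechlist` and the block ends with `ablock->client = FALSE`. The client and server mechanism sets can differ in libgsasl, so a usable server mechanism could be rejected at startup, or a client-only one accepted here and then fail at authentication time; `supported = gsasl_server_support_p(gsasl_ctx, CCS ob->server_mech);` matches the intent. Separately, the closing comment says a missing `server_condition` does not panic, but the EXTERNAL/ANONYMOUS/PLAIN/LOGIN test above does panic, so I would reword it to `/* Other mechanisms do not panic without server_condition, but the authenticator stays inactive until one is set. */`. The enclosing function starts and ends outside the lines shown, so whether the string returned in `p` is released later cannot be checked from here.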