diff -ur alpine-1.00+kerberos4/imap/src/c-client/mail.c alpine-1.00+athena-krb4/imap/src/c-client/mail.c
--- alpine-1.00+kerberos4/imap/src/c-client/mail.c	2008-04-16 16:07:59.000000000 -0400
+++ alpine-1.00+athena-krb4/imap/src/c-client/mail.c	2008-04-16 16:08:10.000000000 -0400
@@ -780,6 +780,12 @@
     }
   }
 
+#ifdef KERBEROS
+  /* kpop runs on a different port from pop3, so we have to set an override. */
+  if (!mb->port && mb->krbflag && !strcmp (mb->service,"pop3"))
+    mb->port = 1109;
+#endif
+
   hesiod_free_postoffice (hcontext,office);
   hesiod_end (hcontext);
 
@@ -878,6 +884,9 @@
 #ifdef HESIOD
 	else if (!compare_cstring (s,"hesiod")) mb->hesflag = T;
 #endif
+#ifdef KERBEROS
+	else if (!compare_cstring (s,"kerberos")) mb->krbflag = T;
+#endif
 	else if (!compare_cstring (s,"readonly")) mb->readonlyflag = T;
 	else if (!compare_cstring (s,"secure")) mb->secflag = T;
 	else if (!compare_cstring (s,"norsh")) mb->norsh = T;
diff -ur alpine-1.00+kerberos4/imap/src/c-client/mail.h alpine-1.00+athena-krb4/imap/src/c-client/mail.h
--- alpine-1.00+kerberos4/imap/src/c-client/mail.h	2008-04-16 16:07:59.000000000 -0400
+++ alpine-1.00+athena-krb4/imap/src/c-client/mail.h	2008-04-16 16:08:10.000000000 -0400
@@ -665,6 +665,9 @@
 #ifdef HESIOD
   unsigned int hesflag : 1;	/* Hesiod flag */
 #endif
+#ifdef KERBEROS
+  unsigned int krbflag : 1;    /* Kerberos flag */
+#endif
 } NETMBX;
 
 /* Item in an address list */
diff -ur alpine-1.00+kerberos4/imap/src/c-client/pop3.c alpine-1.00+athena-krb4/imap/src/c-client/pop3.c
--- alpine-1.00+kerberos4/imap/src/c-client/pop3.c	2007-04-04 22:11:38.000000000 -0400
+++ alpine-1.00+athena-krb4/imap/src/c-client/pop3.c	2008-04-16 16:08:10.000000000 -0400
@@ -561,6 +561,23 @@
   NETDRIVER *ssld = (NETDRIVER *) mail_parameters (NIL,GET_SSLDRIVER,NIL);
   sslstart_t stls = (sslstart_t) mail_parameters (NIL,GET_SSLSTART,NIL);
 				/* server has TLS? */
+
+#ifdef KERBEROS
+  if (mb->krbflag) {
+    /* We already took care of sending the ticket in tcp_unix.c, since
+     * that has to happen before the read of the server greeting.  So
+     * we just need to send the username here. */
+    if (mb->user && *mb->user)
+      strcpy (usr,mb->user);
+    else
+      strcpy (usr,myusername());
+    /* Send same PASS as USER. */
+    if (pop3_send (stream,"USER",usr) && pop3_send (stream,"PASS",usr))
+      return LONGT;		/* success */
+    else
+      return NIL;
+  }
+#endif
   if (stls && LOCAL->cap.stls && !mb->sslflag && !mb->notlsflag &&
       pop3_send (stream,"STLS",NIL)) {
     mb->tlsflag = T;		/* TLS OK, get into TLS at this end */
diff -ur alpine-1.00+kerberos4/imap/src/osdep/unix/tcp_unix.c alpine-1.00+athena-krb4/imap/src/osdep/unix/tcp_unix.c
--- alpine-1.00+kerberos4/imap/src/osdep/unix/tcp_unix.c	2007-08-16 15:43:35.000000000 -0400
+++ alpine-1.00+athena-krb4/imap/src/osdep/unix/tcp_unix.c	2008-04-16 16:08:10.000000000 -0400
@@ -293,6 +293,20 @@
 	now = time (0);		/* fake timeout if interrupt & time expired */
 	if ((i < 0) && (errno == EINTR) && ti && (ti <= now)) i = 0;
       } while ((i < 0) && (errno == EINTR));
+#ifdef KERBEROS
+      if (port == 1109 && i > 0) {
+	/* For kpop, we have to send kerberos authentication before we
+	 * can read anything.  So we have to do it here instead of in
+	 * the pop3 code. */
+	KTEXT_ST ticket;
+
+	if (krb_sendauth (0,sock,&ticket,"pop",hst,krb_realmofhost (hst),
+			  0,NULL,NULL,NULL,NULL,NULL,"KPOPV0.1") != KSUCCESS) {
+	  close (sock);
+	  return -1;		/* failure */
+	}
+      }
+#endif  
       if (i > 0) {		/* success, make sure really connected */
 				/* restore blocking status */
 	fcntl (sock,F_SETFL,flgs);