We are trying ZCS Network Edition and want to make it fit in with our environment. I've successfully configured ZCS to auth against Kerberos (which works great via the web interface), but I'd like to allow non-Kerberos clients to get mail via IMAP SSL. In other words, I'm looking to have the ZCS auth against kerberos on behalf of the client but not force the client to be configured to use Kerberos/GSSAPI auth directly. I feel like I must be missing something really obvious.

Is there a way to accomplish this?

Also, once Kerberos is enabled, I can't seem to get rid of the password change dialog. The user can access it, attempt to change a password and receive a success message but of course the Kerberos password is not altered...

Any pointers in the right direction would be very helpful. Thanks!