diff --git a/cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch b/cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
new file mode 100644
index 0000000..2f5c5c7
--- /dev/null
+++ b/cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
@@ -0,0 +1,17 @@
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index e6fcf46..a27eb2b 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -1594,10 +1594,10 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	}
+ 
+ 	/* Setup req_flags properly */
+-	req_flags = GSS_C_INTEG_FLAG;
++	req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
+ 	if (params->props.max_ssf > params->external_ssf) {
+ 	    /* We are requesting a security layer */
+-	    req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
++	    req_flags |= GSS_C_INTEG_FLAG;
+ 	    /* Any SSF bigger than 1 is confidentiality. */
+ 	    /* Let's check if the client of the API requires confidentiality,
+ 	       and it wasn't already provided by an external layer */
diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec
index 7aae1ad..542a42e 100644
--- a/cyrus-sasl.spec
+++ b/cyrus-sasl.spec
@@ -45,6 +45,9 @@ Patch47: cyrus-sasl-2.1.26-ppc.patch
 # detect gsskrb5_register_acceptor_identity macro (#976538)
 Patch48: cyrus-sasl-2.1.26-keytab.patch
 Patch49: cyrus-sasl-2.1.26-md5global.patch
+# revert upstream commit 080e51c7fa0421eb2f0210d34cf0ac48a228b1e9 (#984079)
+# https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
+Patch50: cyrus-sasl-2.1.26-revert-upstream-080e51c7fa0421eb2f0210d34cf0ac48a228b1e9.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
@@ -185,6 +188,7 @@ chmod -x include/*.h
 %patch47 -p1 -b .ppc
 %patch48 -p1 -b .keytab
 %patch49 -p1 -b .md5global.h
+%patch50 -p1 -b .gssapi
 
 %build
 # Find Kerberos.