Cyrus SASL GSSAPI is not able to handle buffers in the advertised way -
Even if you limit the amount of data to decode on the server side to the SASL_MAXOUTBUF value that it reports it can fail with a syslog of (for example):
Jul 6 13:32:38 proton msgr-recv: encoded packet size too big (32828 > 32768)
It appears that the decode routine can coalesce received buffers, and in fact its actual requirement is that you may not encode on the client any more than the value returned on the server. However the value of SASL_MAXOUTBUF that is returned on the client is 60 bytes bigger than the value returned on the server.
The workaround is to subract 60 bytes from the value on the returned on the client before using it.