On 6/27/2016 2:45 AM, Mark Foley wrote:
> While continuing to test gssapi, I thought I'd check out your suggestion on NTLM v1. I did set
> Thunderbird to NTLM v1 ...

You are aware, I hope, that NTLM v1 is well over 20 years old and is trivially compromised today. Basically, it's about as secure as sending plaintext passwords. Since you're supporting SSL on your Dovecot server, why not require it, and not bother with NTLM auth?
TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
>> While continuing to test gssapi, I thought I'd check out your suggestion on NTLM v1. I did set
>> Thunderbird to NTLM v1 ...
TT> You are aware, I hope, that NTLM v1 is well over 20 years old and
TT> is trivially compromised today. Basically, it's about as secure as
TT> sending plaintext passwords. Since you're supporting SSL on your
TT> Dovecot server, why not require it, and not bother with NTLM auth?

I can't speak for the OP, but I suspect he'd like to use an SSO for Dovecot, utilizing the same credentials as are in their Samba AD infrastructure. [Thus, have Dovecot submit authentications for Dovecot to the AD domain and get an ack/nak on success.] So, he's not eager to use NTLMv1, but isn't getting much love in how to set up proxy auth against AD. [I suspect asking on the Samba list isn't a bad idea, but I'm surprised he hasn't gotten some good pointers here. There really ought to be a FAQ or white paper on it, and I'm dismayed there isn't.]

-Greg
> On June 27, 2016 at 8:50 PM Gregory Sloop <gregs at sloop.net> wrote:
>
> TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
> >> While continuing to test gssapi, I thought I'd check out your suggestion on NTLM v1. I did set
> >> Thunderbird to NTLM v1 ...
> TT> You are aware, I hope, that NTLM v1 is well over 20 years old and
> TT> is trivially compromised today. Basically, it's about as secure as
> TT> sending plaintext passwords. Since you're supporting SSL on your
> TT> Dovecot server, why not require it, and not bother with NTLM auth?
>
> I can't speak for the OP, but I suspect he'd like to use an SSO for Dovecot, utilizing the same credentials as are in their Samba AD infrastructure. [Thus, have Dovecot submit authentications for Dovecot to the AD domain and get an ack/nak on success.] So, he's not eager to use NTLMv1, but isn't getting much love in how to set up proxy auth against AD. [I suspect asking on the Samba list isn't a bad idea, but I'm surprised he hasn't gotten some good pointers here. There really ought to be a FAQ or white paper on it, and I'm dismayed there isn't.]
>
> -Greg

It's not a very used feature, as most with AD are probably using Exchange. I'll have a look at the NTLM authentication and see if we can improve its documentation.

---
Aki Tuomi
Dovecot oy
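The two points made above (require TLS and drop NTLM; offer Kerberos/GSSAPI so Dovecot accepts the same credentials as the Samba AD domain) are easy to state and easy to get wrong in a config file. The following is an added example, not code from any list member or from the Dovecot project: a small Python audit that parses the top-level settings of a Dovecot config and reports the weaknesses discussed in the thread. Both sample configs are constructed; the hostname `imap.example.com` and the keytab path are placeholders, and the setting names (`ssl`, `disable_plaintext_auth`, `auth_mechanisms`, `auth_gssapi_hostname`, `auth_krb5_keytab`, `auth_ntlm_use_winbind`) are real Dovecot 2.x settings.

```python
"""Audit Dovecot auth/TLS settings for the weaknesses raised in the thread."""
from typing import Dict, List

# Constructed sample: a server that still offers NTLM and only optional TLS.
WEAK_CONF = """
# 10-auth.conf (constructed example, not from the list)
ssl = yes
disable_plaintext_auth = no
auth_mechanisms = plain login ntlm
auth_ntlm_use_winbind = yes
passdb {
  driver = pam
}
"""

# Constructed sample of the direction the thread suggests: TLS mandatory,
# NTLM dropped, GSSAPI (Kerberos) offered for SSO against AD.
# Hostname and keytab path are placeholders.
HARDENED_CONF = """
ssl = required
disable_plaintext_auth = yes
auth_mechanisms = plain gssapi
auth_gssapi_hostname = imap.example.com   # placeholder
auth_krb5_keytab = /etc/dovecot/dovecot.keytab  # placeholder
passdb {
  driver = pam
}
"""


def parse_dovecot_conf(text: str) -> Dict[str, str]:
    """Collect top-level `key = value` settings.

    Comments are stripped and nested sections (passdb { ... } etc.) are
    skipped; a later duplicate key overrides an earlier one, as in Dovecot.
    """
    settings: Dict[str, str] = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth > 0 or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def audit_auth_settings(settings: Dict[str, str]) -> List[str]:
    """Return one finding per weakness; an empty list means the checks pass."""
    findings: List[str] = []
    # Dovecot defaults: ssl = yes (offered, not required), disable_plaintext_auth = yes.
    if settings.get("ssl", "yes").lower() != "required":
        findings.append("ssl is not 'required': clients may authenticate without TLS")
    if settings.get("disable_plaintext_auth", "yes").lower() != "yes":
        findings.append("disable_plaintext_auth is not 'yes': PLAIN/LOGIN accepted on cleartext connections")
    mechs = settings.get("auth_mechanisms", "plain").lower().split()
    if "ntlm" in mechs:
        findings.append("auth_mechanisms offers NTLM; NTLMv1 challenge/response is broken, prefer gssapi")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_auth_settings(parse_dovecot_conf(conf)) or ['ok']}")
```

Run against a real `dovecot -n` dump, the audit reports the three findings for the weak sample and nothing for the hardened one; the parser deliberately ignores settings inside `passdb`/`userdb` blocks, so per-protocol overrides would need a separate pass.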
Hi folks,

I've been sifting through various threads on GSSAPI and NTLM support, and I'm wondering if anyone out there can confirm or deny GSSAPI IMAP auth support in Microsoft Outlook 2016 (Windows)? Perhaps there's some magic registry key to change IMAP auth from PLAIN to GSSAPI?

We're trying to do single sign-on + e-mail for Windows domain users; Thunderbird GSSAPI works fine, of course, but Outlook 2016 is the policy-mandated e-mail client for this particular environment (Windows 10 client desktop, Windows Server 2012 R2 AD, RHEL7 Dovecot).

It seems that Outlook 2016 might also support NTLMv1 / GSS-SPNEGO out of the box for IMAP accounts, but NTLMv1 is - rightly - disabled in this environment (and I also see 'NT_STATUS_UNSUCCESSFUL' reported by /usr/bin/ntlm_auth back to the Dovecot auth worker).

Thanks for any ideas out there!

Robert