Started implementing the MasterUser changes to my config files so I can finally offer SPA for pop3/imap.

Things are working fine with the MasterUser (hooray!), however one of my guys started using SPA with Outlook Express and started getting another user's mailbox.

Turns out to be related to NTLM. His Outlook Express is configured for the username of 'johnsmith'. However, you'll see the NTLM took the username from his XP machine login, it appears, which is just "John". However, what is really weird, is the "failed" on the "client out" line, but then the proxy went ahead and proxied to the storage server.

Here's some output from debuggage:

dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH 1 NTLM service=POP3 lip=204.17.177.60 rip=209.33.215.142 resp
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out: CONT 1
dovecot: Feb 19 16:15:56 Info: auth-worker(mail.infowest.com): sql(John, 209.33.215.142): query: SELECT a.clearpasswd AS password, v.storeIP AS host, CONCAT(IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)),'*masteruser') AS destuser, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy, 'masterpass' AS pass FROM iwmailsystem.virtmailbox AS v INNER JOIN iwmailsystem.popservers AS p ON ( p.storeIP = '204.17.177.60') INNER JOIN authenticate.users AS a ON (a.userID= IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@', p.host))) WHERE v.userID = IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)) AND v.client_active=1;
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): password(John, 209.33.215.142): Credentials: 8447128CC04AD05D1CD15F0C2F17F136
dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out: FAIL 1 user=John host=204.17.177.76 destuser=john@host.com*masteruser nologin proxy pass=masterpass
dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to 204.17.177.76:110: user=<John>, method=NTLM, rip=209.33.215.142, lip=204.17.177.60

Questions:

1) So is it possible to use OE for SPA authentication without it sending the "XP username", but the actual account username OE is configured for?

2) Why, when it "FAIL"ed did it still proxy? This seems bad :)

Thanks,
Cassidy
On Mon, Feb 19, 2007 at 04:33:48PM -0700, Cassidy B. Larson wrote:
> Started implementing the MasterUser changes to my config files so I can
> finally offer SPA for pop3/imap.
>
> Things are working fine with the MasterUser (hooray!), however one of my
> guys started using SPA with Outlook Express and started getting another
> user's mailbox.
>
> Turns out to be related to NTLM. His Outlook Express is configured for the
> username of 'johnsmith'. However, you'll see the NTLM took the username from
> his XP machine login, it appears, which is just "John". However, what is
> really weird, is the "failed" on the "client out" line, but then the proxy
> went ahead and proxied to the storage server.
>
> Here's some output from debuggage:
>
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH
> 1 NTLM service=POP3 lip=204.17.177.60 rip=209.33.215.142
> resp
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out:
> CONT 1
> dovecot: Feb 19 16:15:56 Info: auth-worker(mail.infowest.com): sql(John,
> 209.33.215.142): query: SELECT a.clearpasswd AS password, v.storeIP AS host,
> CONCAT(IF('John' LIKE
> '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)),'*masteruser')
> AS destuser, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy, 'masterpass' AS
                                                            ^^^^^^^^^^^^^
Hmm, suspicious.

> pass FROM iwmailsystem.virtmailbox AS v INNER JOIN
> iwmailsystem.popservers AS p ON (
> p.storeIP = '204.17.177.60') INNER JOIN authenticate.users AS a ON
> (a.userID= IF('John' LIKE
> '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',
> p.host))) WHERE v.userID = IF('John' LIKE
> '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)) AND
> v.client_active=1;
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): password(John,
> 209.33.215.142): Credentials: 8447128CC04AD05D1CD15F0C2F17F136

Seems like your SELECT returned some data about user 'John' with proxy=Y and dovecot preferred proxy=Y over authentication failure...

> dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out:
> FAIL 1 user=John host=204.17.177.76 destuser=john@host.com*masteruser nologin proxy pass=masterpass
> dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to
> 204.17.177.76:110: user=<John>, method=NTLM, rip=209.33.215.142, lip=204.17.177.60
>
>
> Questions:
> 1) So is it possible to use OE for SPA authentication without it sending the
> "XP username", but the actual account username OE is configured for?

No. Microsoft does this intentionally to provide so called "single sign-on".

> 2) Why, when it "FAIL"ed did it still proxy? This seems bad :)

We should ask Timo I think :)

-- 
Andrey Panin | Linux and UNIX system administrator
pazke@donpac.ru | PGP key: wwwkeys.pgp.net
On Mon, 2007-02-19 at 16:33 -0700, Cassidy B. Larson wrote:
> dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out:
> FAIL 1 user=John host=204.17.177.76
> destuser=john@host.com*masteruser nologin proxy pass=masterpass

Well, I'm not sure if dovecot-auth should return proxy/host/etc. when auth failed, but since it's not easy to change that I just made sure that proxying isn't started unless authentication succeeded.
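As an added example (not code from this thread and not part of Dovecot), here is a small Python log audit that checks auth/login debug output for the two things the thread turns on: an auth "client out: FAIL" reply that still carries proxy/host/pass fields (the dovecot-auth side), and a login process that "started proxying" a user whose most recent auth reply was FAIL (the login side that Timo's change closes). The sample log lines are constructed to mirror the output Cassidy posted, with placeholder hostnames, addresses and users; the line shapes and field names are taken from the quoted log, and the matching assumes that 1.0-era format.

```python
import re

# Constructed sample log, modelled on the dovecot 1.0 auth debug output quoted
# in this thread. Hostnames, addresses and users are placeholders, not real data.
SAMPLE_LOG = """\
dovecot: Feb 19 16:15:56 Info: auth(mail.example.com): client in: AUTH 1 NTLM service=POP3 lip=192.0.2.10 rip=198.51.100.7 resp=<hidden>
dovecot: Feb 19 16:15:56 Info: auth(mail.example.com): client out: CONT 1
dovecot: Feb 19 16:15:57 Info: auth(mail.example.com): client out: FAIL 1 user=John host=192.0.2.76 destuser=john@example.com*masteruser nologin proxy pass=masterpass
dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to 192.0.2.76:110: user=<John>, method=NTLM, rip=198.51.100.7, lip=192.0.2.10
dovecot: Feb 19 16:16:03 Info: auth(mail.example.com): client out: OK 2 user=alice host=192.0.2.76 destuser=alice@example.com*masteruser nologin proxy pass=masterpass
dovecot: Feb 19 16:16:03 Info: pop3-login: proxy(alice): started proxying to 192.0.2.76:110: user=<alice>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.10
dovecot: Feb 19 16:16:10 Info: auth(mail.example.com): client out: FAIL 3 user=bob
"""

# Final auth replies ("CONT" is a continuation and is deliberately not matched).
AUTH_REPLY = re.compile(r"client out: (OK|FAIL) (\d+)(.*)$")
# Login-process line announcing that a proxy connection was opened.
PROXY_START = re.compile(r"proxy\((\S+)\): started proxying to (\S+):")
# Fields that only make sense on a successful, proxied login.
PROXY_FIELDS = {"proxy", "host", "pass", "destuser"}


def parse_auth_reply(line):
    """Return (verdict, fields) for an auth 'client out: OK/FAIL' line, else None.

    Fields are key=value pairs; bare flags such as 'proxy' and 'nologin'
    are stored with the value True.
    """
    m = AUTH_REPLY.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group(3).split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return m.group(1), fields


def audit(log_text):
    """Scan debug output and report the two suspicious patterns.

    fail_with_proxy_fields: FAIL replies that still carry proxy/host/pass/destuser.
    proxied_after_fail:     proxy connections opened for a user whose last
                            auth reply was FAIL.
    """
    last_verdict = {}
    fail_with_proxy_fields = []
    proxied_after_fail = []
    for line in log_text.splitlines():
        reply = parse_auth_reply(line)
        if reply:
            verdict, fields = reply
            user = fields.get("user")
            if user:
                last_verdict[user] = verdict
            present = PROXY_FIELDS.intersection(fields)
            if verdict == "FAIL" and present:
                fail_with_proxy_fields.append((user, sorted(present)))
            continue
        m = PROXY_START.search(line)
        if m and last_verdict.get(m.group(1)) == "FAIL":
            proxied_after_fail.append((m.group(1), m.group(2)))
    return {
        "fail_with_proxy_fields": fail_with_proxy_fields,
        "proxied_after_fail": proxied_after_fail,
    }


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG).items():
        print(kind, hits)
```

Feed it the auth/login lines from the mail log with auth debugging enabled; a non-empty proxied_after_fail list on a running server means the login process still proxies on failure. Note that the audit cannot see the NTLM username substitution itself: it only shows that 'John' was the name presented, and whether that differs from the account configured in the client is something the administrator has to check against the client settings.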