Hi Mark,

I haven't done it, but I've played with the scenario enough to have an idea.

What you want to do is have Outlook auth via NTLM to Dovecot.

First that means having the machine be a domain member (usually via Samba) in order to properly process NTLM/Kerberos handshake - which it appears you have.
Second that means having Dovecot know how to accept NTLM authentication (SPA) to pass to the Samba backend.

A 'Dovecot NTLM' search led me here:
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm

What's not on the page that I'd expect to see, are the compile-time requirements for including samba/kerberos libs within Dovecot. If it doesn't 'just work' with the config changes in the wiki, you may need to recompile with the right features.

Also - check the permissions of the ntlm_auth program. That's caused many issues with Radius installs, IIRC.

Hope that helps!

Rick

Quoting Mark Foley <mfoley at ohprs.org>:

> This can't be that hard. I think I've enabled LDAP in Dovecot just by including
> dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have
> the configuration shown below. Two questions:
>
> 1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
> accounts still have the ID and password set in "Logon Information". Checking
> "Require logon using Secure Password Authentication (SPA)" doesn't work. All I
> can seem to find on the Internet is how to configure address books using LDAP.
>
> 2. Should I remove "passdb { drive = shadow } from the dovecot configuration?
>
> Anybody?
>
> $ doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocols = imap
> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
>   driver = passwd
> }
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> verbose_ssl = yes
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Wed, 02 Sep 2015 13:31:35 -0400
> To: dovecot at dovecot.org
> Subject: How to "Windows Authenticate"
>
>> I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on
>> Windows workstations for over 6 months with no problems. Dovecot is hosted on
>> the office Samba4 AC/DC server.
>>
>> I have been using auth_mechanisms plain login, and passdb driver shadow.
>>
>> What I'd like to do now is use the "Windows Authenticated" login so I don't have
>> to have separate passwords for users logging into the Windows AD workstations
>> and their Outlook clients.
>>
>> If anyone has actually done this I'd appreciate some tips. My various attempts
>> have not been successful.
>>
>> Here is my current config:
>>
>> $ doveconf -n
>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>> auth_debug_passwords = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> disable_plaintext_auth = no
>> info_log_path = /var/log/dovecot_info
>> mail_location = maildir:~/Maildir
>> passdb {
>>   driver = shadow
>> }
>> protocols = imap
>> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
>> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
>> userdb {
>>   driver = passwd
>> }
>> verbose_ssl = yes
>>
>> Thanks, Mark Foley
Rick et al,

The link you gave was a start, but is targeted for Samba3 and is assuming a probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and includes setting up kerberos. I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there).

Nevertheless I've followed the instructions otherwise; specifically adding to 10-auto.conf the following recommended lines:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login

(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.

I did not specify the static userdb since these users are configured in /etc/passwd and I thought that would work; example given in link (could that be an issue?):

userdb static {
args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes
}

This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working.

I changed a test Outlook client to check the 'Request login using Secure Password Authentication (SPA)' and also checked: More Settings > Outgoing Server > 'My outgoing server (SMTP) requires authentication' and 'Use same settings as my incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication.

After doing the above and clicking 'Test Account Settings' I was re-prompted to enter a password - also not expected. At bottom are the Dovecot log messages I received after doing the 'Test Account Settings'.

Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully?

Immediately below is my doveconf -n and below that the dovecot log messages.

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes

dovecot log after doing 'Test Account Settings' in Outlook:

Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark at hprs original_user=mark at HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark at hprs original_user=mark at HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark at hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark at hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>

Thanks --Mark

-----Original Message-----
> Date: Thu, 03 Sep 2015 06:53:19 -0500
> From: Rick Romero <rick at havokmon.com>
> To: dovecot at dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
> Hi Mark,
>
> I haven't done it, but I've played with the scenario enough to have an idea.
>
> What you want to do is have Outlook auth via NTLM to Dovecot.
>
> First that means having the machine be a domain member (usually via Samba)
> in order to properly process NTLM/Kerberos handshake - which it appears you have.
> Second that means having Dovecot know how to accept NTLM authentication
> (SPA) to pass to the Samba backend.
More info ...

My dovecot error log shows:

Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark at hprs original_user=mark at HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713

whereas the successful 'plain login' config'ed mechanism (before adding NTLM config) have:

Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup

The failed ntlm look-up is looking up user mark at hprs in shadow, which it doesn't find. Is there a way to strip the "@hprs" bit from the user so it can find the correct entry in /etc/shadow? That might fix the problem.

--Mark

-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Sat, 05 Sep 2015 17:12:50 -0400
To: dovecot at dovecot.org
Subject: Re: How to "Windows Authenticate"

Rick et al,

The link you gave was a start, but is targeted for Samba3 and is assuming a probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and includes setting up kerberos. I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there).

Nevertheless I've followed the instructions otherwise; specifically adding to 10-auto.conf the following recommended lines:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login

(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.
I did not specify the static userdb since these users are configued in /etc/passwd and I thought that would work; example given in link (could that be an issue?): userdb static { args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes } This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working. I changed a test Outlook client to check the 'Request login using Secure Password Authentication (SPA)' and also checked: More Settings > Outgoing Server> My outgoing server (SMTP) requires authentication' and 'Use same settings asmy incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication. After doing the above and clicking 'Test Account Settings' I was re-promted to enter a password - also not expected. At bottom are the Dovecot log message I received after doing the 'Test Account Settings'. Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully? 
Immediately below is my doveconf -n and below that the dovecot log messages.

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes

dovecot log after doing 'Test Account Settings' in Outlook:

Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:45:19 auth: Debug: auth client connected (pid=10219)
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark at hprs original_user=mark at HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark at hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
Sep 05 16:45:19 imap-login: Info: Internal login failure (pid=10219 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=<HXssGAYf0ADAqAA6>
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark at hprs original_user=mark at HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark at hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark at hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep 05 16:46:22 imap-login: Info: Internal login failure (pid=13487 id=1) (internal failure, 1 successful auths): user=<mark at hprs>, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=13491, session=<IlvqGwYf0wDAqAA6>

Thanks --Mark

-----Original Message-----
> Date: Thu, 03 Sep 2015 06:53:19 -0500
> From: Rick Romero <rick at havokmon.com>
> To: dovecot at dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
> Hi Mark,
>
> I haven't done it, but I've played with the scenario enough to have an
> idea.
>
> What you want to do is have Outlook auth via NTLM to Dovecot.
>
> First that means having the machine be a domain member (usually via Samba)
> in order to properly process NTLM/Kerberos handshake - which it appears you
> have.
> Second that means having Dovecot know how to accept NTLM authentication
> (SPA) to pass to the Samba backend.
>
> A 'Dovecot NTLM' search led me here:
> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>
> What's not on the page that I'd expect to see, are the compile-time
> requirements for including samba/kerberos libs within Dovecot. If it
> doesn't 'just work' with the config changes in the wiki, you may need to
> recompile with the right features.
>
> Also - check the permissions of the ntlm_auth program. That's caused many
> issues with Radius installs, IIRC.
>
> Hope that helps!
>
> Rick
>
> Quoting Mark Foley <mfoley at ohprs.org>:
>
> > This can't be that hard. I think I've enabled LDAP in Dovecot just by including
> > dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have
> > the configuration shown below. Two questions:
> >
> > 1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
> > accounts still have the ID and password set in "Logon Information". Checking
> > "Require logon using Secure Password Authentication (SPA)" doesn't work. All I
> > can seem to find on the Internet is how to configure address books using LDAP.
> >
> > 2. Should I remove "passdb { drive = shadow } from the dovecot configuration?
> >
> > Anybody?
> >
> > $ doveconf -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > passdb {
> >   args = /etc/dovecot/dovecot-ldap.conf.ext
> >   driver = ldap
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> > userdb {
> >   driver = passwd
> > }
> > userdb {
> >   args = /etc/dovecot/dovecot-ldap.conf.ext
> >   driver = ldap
> > }
> > verbose_ssl = yes
> >
> > -----Original Message-----
> > From: Mark Foley <mfoley at ohprs.org>
> > Date: Wed, 02 Sep 2015 13:31:35 -0400
> > To: dovecot at dovecot.org
> > Subject: How to "Windows Authenticate"
> >
> >> I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on
> >> Windows workstations for over 6 months with no problems. Dovecot is hosted on
> >> the office Samba4 AD/DC server.
> >>
> >> I have been using auth_mechanisms plain login, and passdb driver shadow.
> >>
> >> What I'd like to do now is use the "Windows Authenticated" login so I don't have
> >> to have separate passwords for users logging into the Windows AD workstations
> >> and their Outlook clients.
> >>
> >> If anyone has actually done this I'd appreciate some tips. My various attempts
> >> have not been successful.
> >>
> >> Here is my current config:
> >>
> >> $ doveconf -n
> >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> >> auth_debug_passwords = yes
> >> auth_mechanisms = plain login
> >> auth_verbose = yes
> >> auth_verbose_passwords = plain
> >> disable_plaintext_auth = no
> >> info_log_path = /var/log/dovecot_info
> >> mail_location = maildir:~/Maildir
> >> passdb {
> >>   driver = shadow
> >> }
> >> protocols = imap
> >> ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
> >> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> >> userdb {
> >>   driver = passwd
> >> }
> >> verbose_ssl = yes
> >>
> >> Thanks, Mark Foley
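Added example, not part of the original thread or of Dovecot: a small Python trace that follows each AUTH request in the auth debug log through the mechanism stage and the userdb stage, which is what separates "internal failure, 1 successful auths" from a rejected password. The function names are hypothetical, and it assumes log lines from one login process at a time, since the client lines carry only the per-process auth id.

```python
import re

# Lines copied from the log in the message above; the list archive prints "@" as " at ".
SAMPLE_LOG = """\
Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap session=HXssGAYf0ADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT 1
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark at hprs original_user=mark at HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark at hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
"""

# Fields may be separated by tabs or by spaces (as in the archived copy), so match \s+.
AUTH = re.compile(r"client in: AUTH\s+(\d+)\s+(\S+)\s.*?session=(\S+)")
SASL = re.compile(r"client passdb out: (OK|FAIL)\s+(\d+)(?:\s+user=(.+?)(?=\s+\w+=|$))?")
MASTER = re.compile(r"master in: REQUEST\s+(\d+)\s+(\d+)\s+(\d+)")
USERDB = re.compile(r"master userdb out: (USER|NOTFOUND|FAIL)\s+(\d+)")

def trace_logins(log_text):
    """Return one record per AUTH request with the outcome of each stage."""
    by_auth_id, by_master_id, attempts = {}, {}, []
    for line in log_text.splitlines():
        if m := AUTH.search(line):
            a = {"session": m[3], "mech": m[2], "user": None, "sasl": None, "userdb": None}
            by_auth_id[m[1]] = a  # a later request with the same id replaces the old one
            attempts.append(a)
        elif (m := SASL.search(line)) and m[2] in by_auth_id:
            by_auth_id[m[2]].update(sasl=m[1], user=m[3])
        elif (m := MASTER.search(line)) and m[3] in by_auth_id:
            by_master_id[m[1]] = by_auth_id[m[3]]  # master id -> the auth request it refers to
        elif (m := USERDB.search(line)) and m[2] in by_master_id:
            by_master_id[m[2]]["userdb"] = m[1]
    return attempts

def diagnose(a):
    """Name the stage at which a traced login stopped."""
    if a["sasl"] != "OK":
        return "mechanism stage: %s exchange did not end in OK" % a["mech"]
    if a["userdb"] == "USER":
        return "login complete"
    if a["userdb"] == "NOTFOUND":
        qualified = "@" in a["user"] or " at " in a["user"]
        hint = " (name carries a domain part)" if qualified else ""
        return "userdb stage: %s passed, no userdb entry for %r%s" % (a["mech"], a["user"], hint)
    if a["userdb"] == "FAIL":
        return "userdb stage: lookup failed internally"
    return "userdb stage: no lookup result logged"

if __name__ == "__main__":
    for attempt in trace_logins(SAMPLE_LOG):
        print(attempt["session"], "->", diagnose(attempt))
```

On the sample lines the NTLM exchange ends in OK and the failure is the lookup of the domain-qualified name, so the place to look is how that name maps onto the local account database rather than the NTLM/winbind handshake.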