I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the Active Directory/Domain Controller on the same host as Dovecot. Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is the client MTU used to connect with Dovecot to read mail on the Users' WIN7 workstations.

I believe I have confirmed that MS Outlook will either ...

1) send the userid and password configured in the Outlook settings to Dovecot for authorizing. This mechanism has been working fine for months.

or ...

2) Use NTLM authorization if "Require login using Secure Password Authentication (SPA)" is checked: https://en.wikipedia.org/wiki/Secure_Password_Authentication

Those, I believe, are the only two choices with Outlook (other than Exchange). Therefore, in order not to configure a Domain-distinct password in Outlook, I need to use the NTLM auth_mechanism for AD "Windows Authentication" with Dovecot.

I've tried the settings below (just trying one user at the moment):

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  args = uid=3000026 gid=100 home=/home/HPRS/mark allow_all_users=yes
  driver = static
}
verbose_ssl = yes

Dovecot log results after setting my Outlook to SPA and clicking the 'Test Account Settings' give me:

Sep 13 00:53:12 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Can someone tell me what this means and how to fix it? Note that I have read http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm over and over, so simply referring me to that link will not help.

Thanks, Mark
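A small check over the doveconf -n settings and the imap-login line quoted above; this is an added example, not code from the thread or from the Dovecot project. It parses the top-level settings, flags the combination that matters for NTLM via winbind (auth_use_winbind) and the debug options that write clear-text passwords to the log, and splits the log line into its fields; the setting names and defaults are Dovecot's, and the sample inputs are constructed copies of the post.

```python
import re

# doveconf -n output from the post, reduced to the auth settings (constructed copy)
DOVECONF_OUTPUT = """\
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
"""

# The imap-login line from the post (constructed copy)
LOG_LINE = ("Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken "
            "(disconnected before auth was ready, waited 0 secs): user=<>, "
            "rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>")

def parse_doveconf(text):
    """Parse top-level 'key = value' lines of doveconf -n; skip { } blocks."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and (m := re.match(r"^(\w+)\s*=\s*(.*)$", line)):
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_auth_settings(settings):
    """Findings vs Dovecot defaults: ntlm needs auth_use_winbind; debug options log passwords."""
    findings, mechs = [], settings.get("auth_mechanisms", "plain").split()
    if "ntlm" in mechs and settings.get("auth_use_winbind", "no") != "yes":
        findings.append("ntlm enabled without auth_use_winbind=yes")
    if settings.get("auth_debug_passwords", "no") == "yes":
        findings.append("auth_debug_passwords=yes logs clear-text passwords")
    if settings.get("auth_verbose_passwords", "no") == "plain":
        findings.append("auth_verbose_passwords=plain logs clear-text passwords")
    if "plain" in mechs and settings.get("disable_plaintext_auth", "yes") == "no":
        findings.append("disable_plaintext_auth=no allows PLAIN without TLS")
    return findings

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<proc>[\w-]+): (?P<level>\w+): "
                    r"(?P<msg>.*?)(?:: user=<(?P<user>[^>]*)>, rip=(?P<rip>[\d.]+), "
                    r"lip=(?P<lip>[\d.]+), session=<(?P<session>[^>]+)>)?$")

def parse_log_line(line):
    """Split a Dovecot log line into fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None
```

The three password-related findings on the posted settings are the ones to revert once the NTLM problem is solved; the log parser returns rip=None for lines without the user/rip/lip/session suffix, such as the auth Debug line.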
Does the Dovecot NTLM mechanism work with MS Outlook?

[ ] YES
[ ] NO

Please check one ... anybody.

--Mark

-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Sun, 13 Sep 2015 01:10:57 -0400
To: dovecot at dovecot.org
Subject: Re: How to "Windows Authenticate"

[quoted original message, identical to the post above]
> On 16 Sep 2015, at 19:10, Mark Foley <mfoley at ohprs.org> wrote:
>
> Does the Dovecot NTLM mechanism work with MS Outlook?
>
> [ ] YES
> [ ] NO
>
> Please check one ... anybody.
>
> --Mark

The URL on the wiki, which had probably been shared before with you, http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm suggests it does. The URL quotes:

  Step 5. Passwordless authentication
  If you have logged on from Windows to the AD domain, try leaving the password field, on the account, on the MUA, blank. The username / password, from the initial logon to the Windows machine, are seamlessly picked up and supplied to the challenge-response process between the MUA, Dovecot and AD. Employing this way of authentication we achieve single sign-on and we don't need to maintain MUA local passwords.

Did you follow the suggestions that are on that page? (all of them).

Thank you,
Remko

-- 
/"\   Best regards,                 | remko at FreeBSD.org
\ /   Remko Lodder                  | remko at EFnet
 X    http://www.evilcoder.org/     |
/ \   ASCII Ribbon Campaign         | Against HTML Mail and News
> On 16 Sep 2015, at 19:10, Mark Foley <mfoley at ohprs.org> wrote:
>
> Does the Dovecot NTLM mechanism work with MS Outlook?
>
> [ ] YES
> [ ] NO
>
> Please check one ... anybody.
>
> --Mark
>

[checking not suited for work]:

<mfoley at ohprs.org>: host mail.ohprs.org[98.102.63.107] said: 550 5.7.1 Access denied (in reply to MAIL FROM command)

You are welcome :-p

-- 
/"\   Best regards,                 | remko at FreeBSD.org
\ /   Remko Lodder                  | remko at EFnet
 X    http://www.evilcoder.org/     |
/ \   ASCII Ribbon Campaign         | Against HTML Mail and News