I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the
Active Directory/Domain Controller on the same host as Dovecot.
Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is
the
client MTU used to connect with Dovecot to read mail on the Users' WIN7
workstations.
I believe I have confirmed that MS Outlook will either ...
1) send the userid and password configured in the Outlook settings to Dovecot
for authorizing. This mechanism has been working fine for months.
or ...
2) Use NTML authorization if "Require login using Secure Password
Authentication
(SPA)" is checked:
https://en.wikipedia.org/wiki/Secure_Password_Authentication
Those, I believe, are the only two choices with Outlook (other than Exchange).
Therefore, in order not to configure a Domain-distinct password in Outlook, I
need to use the NTLM auth_mechanism for AD "Windows Authentication"
with
Dovecot. I've tried the settings below (just trying one user at the
moment):
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
args = uid=3000026 gid=100 home=/home/HPRS/mark allow_all_users=yes
driver = static
}
verbose_ssl = yes
Dovecot log results after setting my Outlook to SPA and clicking the 'Test
Account Settings' give me:
Sep 13 00:53:12 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>
Can someone tell me what this means and how to fix it?
Note that I have read http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm over
and
over, so simply referring me to that link will not help.
Thanks, Mark
Does the Dovecot NTLM mechanism work with MS Outlook?
[ ] YES
[ ] NO
Please check one ... anybody.
--Mark
-----Original Message-----
From: Mark Foley <mfoley at ohprs.org>
Date: Sun, 13 Sep 2015 01:10:57 -0400
To: dovecot at dovecot.org
Subject: Re: How to "Windows Authenticate"
I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the
Active Directory/Domain Controller on the same host as Dovecot.
Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is
the
client MTU used to connect with Dovecot to read mail on the Users' WIN7
workstations.
I believe I have confirmed that MS Outlook will either ...
1) send the userid and password configured in the Outlook settings to Dovecot
for authorizing. This mechanism has been working fine for months.
or ...
2) Use NTML authorization if "Require login using Secure Password
Authentication
(SPA)" is checked:
https://en.wikipedia.org/wiki/Secure_Password_Authentication
Those, I believe, are the only two choices with Outlook (other than Exchange).
Therefore, in order not to configure a Domain-distinct password in Outlook, I
need to use the NTLM auth_mechanism for AD "Windows Authentication"
with
Dovecot. I've tried the settings below (just trying one user at the
moment):
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
args = uid=3000026 gid=100 home=/home/HPRS/mark allow_all_users=yes
driver = static
}
verbose_ssl = yes
Dovecot log results after setting my Outlook to SPA and clicking the 'Test
Account Settings' give me:
Sep 13 00:53:12 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>
Can someone tell me what this means and how to fix it?
Note that I have read http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm over
and
over, so simply referring me to that link will not help.
Thanks, Mark
> On 16 Sep 2015, at 19:10, Mark Foley <mfoley at ohprs.org> wrote: > > Does the Dovecot NTLM mechanism work with MS Outlook? > > [ ] YES > [ ] NO > > Please check one ... anybody. > > ?MarkThe URL on the wiki, which had probably been shared before with you; http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm suggests it does. The URL quotes: Step 5. Passwordless authentication If you have logged on from Windows to the AD domain, try leaving the password field, on the account, on the MUA, blank. The username / password, from the initial logon to the Windows machine, are seamlessly picked up and supplied to the challenge-response process between the MUA, Dovecot and AD. Employing this way of authentication we achieve single sign-on and we don't need to maintain MUA local passwords. Did you follow the suggestions that are on that page? (all of them). Thank you, Remko -- /"\ Best regards, | remko at FreeBSD.org \ / Remko Lodder | remko at EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://dovecot.org/pipermail/dovecot/attachments/20150916/0b8fb93d/attachment.sig>
> On 16 Sep 2015, at 19:10, Mark Foley <mfoley at ohprs.org> wrote: > > Does the Dovecot NTLM mechanism work with MS Outlook? > > [ ] YES > [ ] NO > > Please check one ... anybody. > > --Mark > >[checking not suited for work]: <mfoley at ohprs.org>: host mail.ohprs.org[98.102.63.107] said: 550 5.7.1 Access denied (in reply to MAIL FROM command) You are welcome :-p -- /"\ Best regards, | remko at FreeBSD.org \ / Remko Lodder | remko at EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://dovecot.org/pipermail/dovecot/attachments/20150916/96bb3095/attachment.sig>