Now that I am running Thunderbird on Linux and away from Windows/Outlook,
I'd like to take
another run at setting up NTLM authentication from Thunderbird to my Samba4
AC/DC.
With the help of the samba maillist folks I was able to set up NTLM
authentication for domain
user login. I should be able to do the same for email!
But, I need help. I went to
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
lost immediately. Are "authenticaion submethods" synonymous with
"password schemes"? The 7th
line down says, "NTLM password scheme is required for NTLM, NTLM2 and
NTLMv2.", but in the
referenced link I found no reference to "NTLM password scheme".
The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4
NTLM
authentication submethods are, tells you what password schemes are, tells you
what the NTLM
client/server handshake is, but doesn't actually tell you how to configure
dovecot config
files. I'm much more interested in the "how to" than in:
"NTLMv2: server and client nonce,
MITM can't force downgrade" ... whatever that means.
Anyway, probably it's my lack of understanding terminology. I don't
even know what a "nonce"
is. But, I learn well from examples! Can somone please give me a sample
10-auth.conf for NTML
and any other supporting settings or configs I need?
My current/working dovecot settings, which have been running perfectly for well
over a year
now, are:
$ dovecot -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
userdb {
driver = passwd
}
verbose_ssl = yes
Here's what I've tried so far as 10-auth.conf:
disable_plaintext_auth = no
auth_use_winbind = yes
info_log_path = /var/log/dovecot_info
auth_verbose = yes
auth_debug_passwords = yes
auth_verbose_passwords= plain
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_mechanisms = ntlm plain login
userdb {
driver = passwd
args = username_format=%n allow_all_users=yes
}
Which gives me a dovecot -n of:
$ dovecot -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
userdb {
args = username_format=%n allow_all_users=yes
driver = passwd
}
verbose_ssl = yes
I configured Thunderbird for NTLM authentication, then tried sending a message,
I got the
following in /var/log/dovecot_info:
Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
Apr 22 01:37:57 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
On Thunderbird I got the error, "Sending of the message failed. The
Outlgoing server (SMTP)
my.server.name does not support the selected authentication method. Please
change the
'Autnentication method' in 'Account Settings | Outgoing Server
(SMTP)'."
Clearly, something is configured wrong, but I've no clue what.
Can I get some advice?
THX --Mark
I've asked this several times over the past year with essentially zero responses. I'll keep it simple: Does NTLM authentication work in Dovecot? I'll post this one last time. If I still have no responses I'll have to conclude that no one has actually tried this authentication method and it therefore does not work. Thanks, --Mark -----Original Message----- From: Mark Foley <mfoley at ohprs.org> Date: Fri, 22 Apr 2016 02:07:24 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot at dovecot.org Subject: Looking for NTLM config example> Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > user login. I should be able to do the same for email! > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > referenced link I found no reference to "NTLM password scheme". > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > authentication submethods are, tells you what password schemes are, tells you what the NTLM > client/server handshake is, but doesn't actually tell you how to configure dovecot config > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > MITM can't force downgrade" ... whatever that means. > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > and any other supporting settings or configs I need? > > My current/working dovecot settings, which have been running perfectly for well over a year > now, are: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = plain login > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > passdb { > driver = shadow > } > protocols = imap > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > userdb { > driver = passwd > } > verbose_ssl = yes > > > Here's what I've tried so far as 10-auth.conf: > > disable_plaintext_auth = no > auth_use_winbind = yes > info_log_path = /var/log/dovecot_info > auth_verbose = yes > auth_debug_passwords = yes > auth_verbose_passwords= plain > auth_winbind_helper_path = /usr/bin/ntlm_auth > > auth_mechanisms = ntlm plain login > > userdb { > driver = passwd > args = username_format=%n allow_all_users=yes > > } > > > Which gives me a dovecot -n of: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = ntlm plain login > auth_use_winbind = yes > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > protocols = imap > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > userdb { > args = username_format=%n allow_all_users=yes > driver = passwd > } > verbose_ssl = yes > > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the > following in /var/log/dovecot_info: > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6> > > > On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) > my.server.name does not support the selected authentication method. Please change the > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." > > Clearly, something is configured wrong, but I've no clue what. > > Can I get some advice? > > THX --Mark >From dovecot-bounces at dovecot.org Fri Apr 22 02:07:47 2016Return-Path: <dovecot-bounces at dovecot.org> X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.98.6 at mail X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.19__ (2011-06-06) on mail.hprs.local X-Spam-Level: X-Spam-Status: No, score=-106.0 required=3.0 tests=USER_IN_WHITELIST, USER_IN_WHITELIST_TO autolearn=unavailable version=3.3.2-_revision__1.19__ X-Original-To: dovecot at dovecot.org Delivered-To: dovecot at dovecot.org X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.98.6 at mail From: Mark Foley <mfoley at ohprs.org> Date: Fri, 22 Apr 2016 02:07:24 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot at dovecot.org Subject: Looking for NTLM config example User-Agent: Heirloom mailx 12.5 7/5/10 Content-Type: text/plain; charset=us-ascii X-BeenThere: dovecot at dovecot.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Dovecot Mailing List <dovecot.dovecot.org> List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>, <mailto:dovecot-request at dovecot.org?subject=unsubscribe> List-Archive: <http://dovecot.org/pipermail/dovecot/> List-Post: <mailto:dovecot at dovecot.org> List-Help: <mailto:dovecot-request at dovecot.org?subject=help> List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>, <mailto:dovecot-request at dovecot.org?subject=subscribe> Errors-To: dovecot-bounces at dovecot.org Sender: "dovecot" <dovecot-bounces at dovecot.org> X-Spam-Report: * -100 USER_IN_WHITELIST From: address is in the user's white-list * -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to' Status: R Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. With the help of the samba maillist folks I was able to set up NTLM authentication for domain user login. I should be able to do the same for email! But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference to "NTLM password scheme". The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM authentication submethods are, tells you what password schemes are, tells you what the NTLM client/server handshake is, but doesn't actually tell you how to configure dovecot config files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, MITM can't force downgrade" ... whatever that means. Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML and any other supporting settings or configs I need? My current/working dovecot settings, which have been running perfectly for well over a year now, are: $ dovecot -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key userdb { driver = passwd } verbose_ssl = yes Here's what I've tried so far as 10-auth.conf: disable_plaintext_auth = no auth_use_winbind = yes info_log_path = /var/log/dovecot_info auth_verbose = yes auth_debug_passwords = yes auth_verbose_passwords= plain auth_winbind_helper_path = /usr/bin/ntlm_auth auth_mechanisms = ntlm plain login userdb { driver = passwd args = username_format=%n allow_all_users=yes } Which gives me a dovecot -n of: $ dovecot -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = ntlm plain login auth_use_winbind = yes auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key userdb { args = username_format=%n allow_all_users=yes driver = passwd } verbose_ssl = yes I configured Thunderbird for NTLM authentication, then tried sending a message, I got the following in /var/log/dovecot_info: Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6> On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) my.server.name does not support the selected authentication method. Please change the 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." Clearly, something is configured wrong, but I've no clue what. Can I get some advice? THX --Mark
It should work. Although if you are using linux server you might want to use gssapi instead.> On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org> wrote: > > > I've asked this several times over the past year with essentially zero responses. I'll keep it simple: > > Does NTLM authentication work in Dovecot? > > I'll post this one last time. If I still have no responses I'll have to conclude that no one > has actually tried this authentication method and it therefore does not work. > > Thanks, --Mark > > -----Original Message----- > From: Mark Foley <mfoley at ohprs.org> > Date: Fri, 22 Apr 2016 02:07:24 -0400 > Organization: Ohio Highway Patrol Retirement System > To: dovecot at dovecot.org > Subject: Looking for NTLM config example > > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take > > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. > > > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > > user login. I should be able to do the same for email! > > > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > > referenced link I found no reference to "NTLM password scheme". > > > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > > authentication submethods are, tells you what password schemes are, tells you what the NTLM > > client/server handshake is, but doesn't actually tell you how to configure dovecot config > > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > > MITM can't force downgrade" ... whatever that means. > > > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > > and any other supporting settings or configs I need? > > > > My current/working dovecot settings, which have been running perfectly for well over a year > > now, are: > > > > $ dovecot -n > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = plain login > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > passdb { > > driver = shadow > > } > > protocols = imap > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > > userdb { > > driver = passwd > > } > > verbose_ssl = yes > > > > > > Here's what I've tried so far as 10-auth.conf: > > > > disable_plaintext_auth = no > > auth_use_winbind = yes > > info_log_path = /var/log/dovecot_info > > auth_verbose = yes > > auth_debug_passwords = yes > > auth_verbose_passwords= plain > > auth_winbind_helper_path = /usr/bin/ntlm_auth > > > > auth_mechanisms = ntlm plain login > > > > userdb { > > driver = passwd > > args = username_format=%n allow_all_users=yes > > > > } > > > > > > Which gives me a dovecot -n of: > > > > $ dovecot -n > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = ntlm plain login > > auth_use_winbind = yes > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > protocols = imap > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > > userdb { > > args = username_format=%n allow_all_users=yes > > driver = passwd > > } > > verbose_ssl = yes > > > > > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the > > following in /var/log/dovecot_info: > > > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6> > > > > > > On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) > > my.server.name does not support the selected authentication method. Please change the > > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." > > > > Clearly, something is configured wrong, but I've no clue what. > > > > Can I get some advice? > > > > THX --Mark > From dovecot-bounces at dovecot.org Fri Apr 22 02:07:47 2016 > Return-Path: <dovecot-bounces at dovecot.org> > X-Virus-Status: Clean > X-Virus-Scanned: clamav-milter 0.98.6 at mail > X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.19__ (2011-06-06) on > mail.hprs.local > X-Spam-Level: > X-Spam-Status: No, score=-106.0 required=3.0 tests=USER_IN_WHITELIST, > USER_IN_WHITELIST_TO autolearn=unavailable version=3.3.2-_revision__1.19__ > X-Original-To: dovecot at dovecot.org > Delivered-To: dovecot at dovecot.org > X-Virus-Status: Clean > X-Virus-Scanned: clamav-milter 0.98.6 at mail > From: Mark Foley <mfoley at ohprs.org> > Date: Fri, 22 Apr 2016 02:07:24 -0400 > Organization: Ohio Highway Patrol Retirement System > To: dovecot at dovecot.org > Subject: Looking for NTLM config example > User-Agent: Heirloom mailx 12.5 7/5/10 > Content-Type: text/plain; charset=us-ascii > X-BeenThere: dovecot at dovecot.org > X-Mailman-Version: 2.1.17 > Precedence: list > List-Id: Dovecot Mailing List <dovecot.dovecot.org> > List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>, > <mailto:dovecot-request at dovecot.org?subject=unsubscribe> > List-Archive: <http://dovecot.org/pipermail/dovecot/> > List-Post: <mailto:dovecot at dovecot.org> > List-Help: <mailto:dovecot-request at dovecot.org?subject=help> > List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>, > <mailto:dovecot-request at dovecot.org?subject=subscribe> > Errors-To: dovecot-bounces at dovecot.org > Sender: "dovecot" <dovecot-bounces at dovecot.org> > X-Spam-Report: > * -100 USER_IN_WHITELIST From: address is in the user's white-list > * -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to' > Status: R > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > user login. I should be able to do the same for email! > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > referenced link I found no reference to "NTLM password scheme". > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > authentication submethods are, tells you what password schemes are, tells you what the NTLM > client/server handshake is, but doesn't actually tell you how to configure dovecot config > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > MITM can't force downgrade" ... whatever that means. > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > and any other supporting settings or configs I need? > > My current/working dovecot settings, which have been running perfectly for well over a year > now, are: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = plain login > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > passdb { > driver = shadow > } > protocols = imap > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > userdb { > driver = passwd > } > verbose_ssl = yes > > > Here's what I've tried so far as 10-auth.conf: > > disable_plaintext_auth = no > auth_use_winbind = yes > info_log_path = /var/log/dovecot_info > auth_verbose = yes > auth_debug_passwords = yes > auth_verbose_passwords= plain > auth_winbind_helper_path = /usr/bin/ntlm_auth > > auth_mechanisms = ntlm plain login > > userdb { > driver = passwd > args = username_format=%n allow_all_users=yes > > } > > > Which gives me a dovecot -n of: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = ntlm plain login > auth_use_winbind = yes > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > protocols = imap > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > userdb { > args = username_format=%n allow_all_users=yes > driver = passwd > } > verbose_ssl = yes > > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the > following in /var/log/dovecot_info: > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6> > > > On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) > my.server.name does not support the selected authentication method. Please change the > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." > > Clearly, something is configured wrong, but I've no clue what. > > Can I get some advice? > > THX --Mark--- Aki Tuomi
Also it seems we lack support for NTLMv2. If you want to use NTLM you need to permit use of NTLM(v1), which is usually not enabled by default. Aki> On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org> wrote: > > > I've asked this several times over the past year with essentially zero responses. I'll keep it simple: > > Does NTLM authentication work in Dovecot? > > I'll post this one last time. If I still have no responses I'll have to conclude that no one > has actually tried this authentication method and it therefore does not work. > > Thanks, --Mark > > -----Original Message----- > From: Mark Foley <mfoley at ohprs.org> > Date: Fri, 22 Apr 2016 02:07:24 -0400 > Organization: Ohio Highway Patrol Retirement System > To: dovecot at dovecot.org > Subject: Looking for NTLM config example > > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take > > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. > > > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > > user login. I should be able to do the same for email! > > > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > > referenced link I found no reference to "NTLM password scheme". > > > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > > authentication submethods are, tells you what password schemes are, tells you what the NTLM > > client/server handshake is, but doesn't actually tell you how to configure dovecot config > > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > > MITM can't force downgrade" ... whatever that means. > > > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > > and any other supporting settings or configs I need? > > > > My current/working dovecot settings, which have been running perfectly for well over a year > > now, are: > > > > $ dovecot -n > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = plain login > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > passdb { > > driver = shadow > > } > > protocols = imap > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > > userdb { > > driver = passwd > > } > > verbose_ssl = yes > > > > > > Here's what I've tried so far as 10-auth.conf: > > > > disable_plaintext_auth = no > > auth_use_winbind = yes > > info_log_path = /var/log/dovecot_info > > auth_verbose = yes > > auth_debug_passwords = yes > > auth_verbose_passwords= plain > > auth_winbind_helper_path = /usr/bin/ntlm_auth > > > > auth_mechanisms = ntlm plain login > > > > userdb { > > driver = passwd > > args = username_format=%n allow_all_users=yes > > > > } > > > > > > Which gives me a dovecot -n of: > > > > $ dovecot -n > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = ntlm plain login > > auth_use_winbind = yes > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > protocols = imap > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > > userdb { > > args = username_format=%n allow_all_users=yes > > driver = passwd > > } > > verbose_ssl = yes > > > > > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the > > following in /var/log/dovecot_info: > > > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6> > > > > > > On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) > > my.server.name does not support the selected authentication method. Please change the > > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." > > > > Clearly, something is configured wrong, but I've no clue what. > > > > Can I get some advice? > > > > THX --Mark > From dovecot-bounces at dovecot.org Fri Apr 22 02:07:47 2016 > Return-Path: <dovecot-bounces at dovecot.org> > X-Virus-Status: Clean > X-Virus-Scanned: clamav-milter 0.98.6 at mail > X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.19__ (2011-06-06) on > mail.hprs.local > X-Spam-Level: > X-Spam-Status: No, score=-106.0 required=3.0 tests=USER_IN_WHITELIST, > USER_IN_WHITELIST_TO autolearn=unavailable version=3.3.2-_revision__1.19__ > X-Original-To: dovecot at dovecot.org > Delivered-To: dovecot at dovecot.org > X-Virus-Status: Clean > X-Virus-Scanned: clamav-milter 0.98.6 at mail > From: Mark Foley <mfoley at ohprs.org> > Date: Fri, 22 Apr 2016 02:07:24 -0400 > Organization: Ohio Highway Patrol Retirement System > To: dovecot at dovecot.org > Subject: Looking for NTLM config example > User-Agent: Heirloom mailx 12.5 7/5/10 > Content-Type: text/plain; charset=us-ascii > X-BeenThere: dovecot at dovecot.org > X-Mailman-Version: 2.1.17 > Precedence: list > List-Id: Dovecot Mailing List <dovecot.dovecot.org> > List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>, > <mailto:dovecot-request at dovecot.org?subject=unsubscribe> > List-Archive: <http://dovecot.org/pipermail/dovecot/> > List-Post: <mailto:dovecot at dovecot.org> > List-Help: <mailto:dovecot-request at dovecot.org?subject=help> > List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>, > <mailto:dovecot-request at dovecot.org?subject=subscribe> > Errors-To: dovecot-bounces at dovecot.org > Sender: "dovecot" <dovecot-bounces at dovecot.org> > X-Spam-Report: > * -100 USER_IN_WHITELIST From: address is in the user's white-list > * -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to' > Status: R > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > user login. I should be able to do the same for email! > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > referenced link I found no reference to "NTLM password scheme". > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > authentication submethods are, tells you what password schemes are, tells you what the NTLM > client/server handshake is, but doesn't actually tell you how to configure dovecot config > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > MITM can't force downgrade" ... whatever that means. > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > and any other supporting settings or configs I need? > > My current/working dovecot settings, which have been running perfectly for well over a year > now, are: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = plain login > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > passdb { > driver = shadow > } > protocols = imap > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > userdb { > driver = passwd > } > verbose_ssl = yes > > > Here's what I've tried so far as 10-auth.conf: > > disable_plaintext_auth = no > auth_use_winbind = yes > info_log_path = /var/log/dovecot_info > auth_verbose = yes > auth_debug_passwords = yes > auth_verbose_passwords= plain > auth_winbind_helper_path = /usr/bin/ntlm_auth > > auth_mechanisms = ntlm plain login > > userdb { > driver = passwd > args = username_format=%n allow_all_users=yes > > } > > > Which gives me a dovecot -n of: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = ntlm plain login > auth_use_winbind = yes > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > protocols = imap > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key > userdb { > args = username_format=%n allow_all_users=yes > driver = passwd > } > verbose_ssl = yes > > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the > following in /var/log/dovecot_info: > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6> > > > On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) > my.server.name does not support the selected authentication method. Please change the > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." > > Clearly, something is configured wrong, but I've no clue what. > > Can I get some advice? > > THX --Mark--- Aki Tuomi