It should work. Although if you are using linux server you might want to use gssapi instead.

> On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org> wrote:
>
>
> I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
>
> Does NTLM authentication work in Dovecot?
>
> I'll post this one last time. If I still have no responses I'll have to conclude that no one
> has actually tried this authentication method and it therefore does not work.
>
> Thanks, --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Fri, 22 Apr 2016 02:07:24 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: dovecot at dovecot.org
> Subject: Looking for NTLM config example
>
> > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take
> > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC.
> >
> > With the help of the samba maillist folks I was able to set up NTLM authentication for domain
> > user login. I should be able to do the same for email!
> >
> > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th
> > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the
> > referenced link I found no reference to "NTLM password scheme".
> >
> > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > http://wiki2.dovecot.org/Authentication/PasswordSchemes tell you what the 4 NTLM
> > authentication submethods are, tell you what password schemes are, tell you what the NTLM
> > client/server handshake is, but don't actually tell you how to configure dovecot config
> > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce,
> > MITM can't force downgrade" ... whatever that means.
> >
> > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce"
> > is. But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM
> > and any other supporting settings or configs I need?
> >
> > My current/working dovecot settings, which have been running perfectly for well over a year
> > now, are:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > Here's what I've tried so far as 10-auth.conf:
> >
> > disable_plaintext_auth = no
> > auth_use_winbind = yes
> > info_log_path = /var/log/dovecot_info
> > auth_verbose = yes
> > auth_debug_passwords = yes
> > auth_verbose_passwords= plain
> > auth_winbind_helper_path = /usr/bin/ntlm_auth
> >
> > auth_mechanisms = ntlm plain login
> >
> > userdb {
> >   driver = passwd
> >   args = username_format=%n allow_all_users=yes
> >
> > }
> >
> >
> > Which gives me a dovecot -n of:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = ntlm plain login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   args = username_format=%n allow_all_users=yes
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the
> > following in /var/log/dovecot_info:
> >
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> >
> >
> > On Thunderbird I got the error, "Sending of the message failed. The Outgoing server (SMTP)
> > my.server.name does not support the selected authentication method. Please change the
> > 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
> >
> > Clearly, something is configured wrong, but I've no clue what.
> >
> > Can I get some advice?
> >
> > THX --Mark

---
Aki Tuomi
Mark Foley
2016-Jun-27 04:31 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying
you've not actually tried NTLM yourself, right? I've never gotten a response from someone
saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be
the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.

That's OK, I'd be glad to try something different that would work!!! I am trying your advice
for gssapi. I've followed the instructions at
http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the
auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi". That's all I've done. I'm
using the same userdb as before which is /etc/passwd. My doveconf -n is:

----------SNIP------------
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes
------------PINS-------------

I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I
selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I
got the following in my Dovecot log:

Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>

So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab
configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file
needed? If so, I've got a message in to the Samba4 folks asking where it is located.

I'm also using Dovecot 2.2.15. Too old?

Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-----Original Message-----
> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to use gssapi instead.
>
> > On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org> wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to conclude that no one
> > has actually tried this authentication method and it therefore does not work.
> >
> > Thanks, --Mark
>
> ---
> Aki Tuomi
Aki Tuomi
2016-Jun-27 06:18 UTC
Looking for GSSAPI config [was: Looking for NTLM config example]
On 27.06.2016 07:31, Mark Foley wrote:
> So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab
> configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file
> needed? If so, I've got a message in to the Samba4 folks asking where it is located.
>
> I'm also using Dovecot 2.2.15. Too old?
>
> Do you think auth_krb5_keytab is my problem or something deeper?
>
> THX --Mark
>

You need to set up keytab. I'll assume you know nothing about kerberos, so please if you already knew all this, sorry.

For kerberos to work PROPERLY you need to have

1. Functional AD or Kerberos environment
2. Time synced against your KDC (which is your Domain Controller on Windows)
3. /etc/krb5.conf configured
4. Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
5. You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).

Only bullet 5. is about Dovecot really, but since this information is usually rather hard to gather, I'll recap these things here:

2. Time sync

Install ntpd and configure it to use *your* *ad* *server*.
(Not some generic service).

3. /etc/krb5.conf

Here is a *SAMPLE* configuration:

[libdefaults]
        default_realm = YOUR.REALM
        dns_lookup_kdc = true
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true

[realms]
        YOUR.REALM = {
                default_domain = your.domain.name
                auth_to_local_names = {
                        Administrator = root
                }
        }

[domain_realm]
        your.domain.name = YOUR.REALM
        # this is not a mistake
        .your.domain.name = YOUR.REALM

[login]
        krb4_convert = true
        krb4_get_tickets = false

Note that some windows environments require additional configuration to get this working.

4. Forward/reverse DNS.

For your *server* this is *absolutely* a must. It has to match for your clients and your server. So if your server name is mail.example.org, and it has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It will give you strange and convoluted errors otherwise.

5. Keytab

This is a bit tricky to generate, and there are various ways to do this. You can install samba, join it to your domain and use the samba tools to generate a keytab. It's not a bad idea, just remember to add the required spn's (service principal names) to the machine account. setspn -q is helpful here, also the setspn command in general.

You can use either the system keytab file (/etc/krb5.keytab), or you can put the dovecot specific entries (mainly IMAP/something) into a dedicated keytab for the service. Either way you need to tell dovecot about it with the auth_krb5_keytab setting.

You should have at least the following entries in your keytab file. You can see them with klist -k /path/to/keytab. The KVNO can be different.
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 IMAP/mail.example.org@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 IMAP/MAIL@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG

This will at least get you somewhere. Kerberos is notoriously hard to debug, but it usually is about

a) DNS
b) Keytab
c) Mismatch of some name somewhere
d) Encryption type support

Also, note that kerberos can only act as AUTHENTICATION system. It cannot act as USER DATABASE. For that you need to configure LDAP or something else. With Active Directory LDAP is probably a damn good idea.

If you want to try something else first, which I recommend for the server in any case, see if you can get sssd working with Kerberos and LDAP. If you get that working, it's not very difficult anymore to get Dovecot running with it.

----
Aki Tuomi
Dovecot oy
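A pre-flight check for two of the failure classes listed above (keytab and DNS), added here as an example and not code from Dovecot or from the thread's authors. It parses MIT-style `klist -k` output for the IMAP service principals named above, separates principals that are absent from ones that differ only in case, and verifies that the server's forward and reverse DNS agree. The keytab listings are constructed; the host name mail.example.org, realm EXAMPLE.ORG and upper-case short name MAIL follow the sample table above and are assumptions.

```python
"""Pre-flight checks for Dovecot GSSAPI (Kerberos) authentication.

Added example, not Dovecot's or the poster's code. Covers two of the
failure classes listed in the thread: a keytab that lacks the IMAP service
principals, and a server whose forward and reverse DNS disagree.
"""
import re
import socket

# Constructed `klist -k` output (MIT format, not captured from a real host).
# It deliberately lacks IMAP/MAIL@EXAMPLE.ORG, the short-host-name entry.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.org@EXAMPLE.ORG
   3 IMAP/mail.example.org@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
"""

# Constructed listing where the FQDN principal was created with the wrong case.
LOWERCASE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/mail.example.org@EXAMPLE.ORG
   3 IMAP/MAIL@EXAMPLE.ORG
"""


def parse_klist(output):
    """Return the set of principals in MIT `klist -k` output.

    Entry lines look like '   3 IMAP/mail.example.org@EXAMPLE.ORG'; the
    'Keytab name:' line, the column header and the dashed rule do not
    start with a numeric KVNO, so they are skipped.
    """
    principals = set()
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def required_principals(fqdn, realm):
    """The two IMAP entries the thread asks for: FQDN and short host name.

    Assumption: the short name is upper-cased, as in the sample keytab table.
    """
    short = fqdn.split(".")[0].upper()
    return {f"IMAP/{fqdn}@{realm}", f"IMAP/{short}@{realm}"}


def check_keytab(klist_output, fqdn, realm):
    """Report required principals that are absent from the keytab.

    MIT and Heimdal match principal names case-sensitively, so
    'imap/host@REALM' does not satisfy a lookup for 'IMAP/host@REALM'
    even though Active Directory treats the two SPNs as equal. Such
    entries are reported separately as case mismatches.
    """
    have = parse_klist(klist_output)
    have_folded = {p.lower(): p for p in have}
    missing, case_only = [], []
    for want in sorted(required_principals(fqdn, realm)):
        if want in have:
            continue
        if want.lower() in have_folded:
            case_only.append((want, have_folded[want.lower()]))
        else:
            missing.append(want)
    return {"missing": missing, "case_mismatch": case_only}


def dns_roundtrip(fqdn, resolve=socket.gethostbyname,
                  reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Check that fqdn -> address -> PTR lands back on fqdn.

    The resolver functions are parameters so the logic can be exercised
    offline; the defaults use the system resolver. Returns (ok, ip, ptr).
    """
    try:
        ip = resolve(fqdn)
        ptr = reverse(ip).rstrip(".").lower()
    except (socket.herror, socket.gaierror) as exc:
        return False, None, str(exc)
    return ptr == fqdn.lower().rstrip("."), ip, ptr


if __name__ == "__main__":
    report = check_keytab(SAMPLE_KLIST, "mail.example.org", "EXAMPLE.ORG")
    for principal in report["missing"]:
        print(f"keytab lacks {principal}")
    for want, got in report["case_mismatch"]:
        print(f"keytab has {got} but the service looks for {want}")
    # Offline demonstration with stubbed resolvers; drop the two keyword
    # arguments to query real DNS for your own server.
    ok, ip, ptr = dns_roundtrip("mail.example.org",
                                resolve=lambda _: "10.0.2.3",
                                reverse=lambda _: "mail.example.org.")
    print("DNS forward/reverse consistent" if ok else f"PTR for {ip} is {ptr}")
```

Run against a real host with `klist -k /etc/krb5.keytab | python3 thisfile.py` style plumbing replaced by reading the listing, and with the stub resolvers removed; a non-empty "missing" list or a failing round trip points at the keytab or DNS items above before any Dovecot setting is touched.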