dovecot - Jun 2016 - Looking for GSSAPI config [was: Looking for NTLM config example]

It should work. Although if you are using linux server you might want to use
gssapi instead.
> On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org> wrote:
> 
> 
> I've asked this several times over the past year with essentially zero
responses. I'll keep it simple:
> 
> Does NTLM authentication work in Dovecot?
> 
> I'll post this one last time. If I still have no responses I'll
have to conclude that no one
> has actually tried this authentication method and it therefore does not
work.
> 
> Thanks, --Mark
> 
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Fri, 22 Apr 2016 02:07:24 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: dovecot at dovecot.org
> Subject: Looking for NTLM config example
> 
> > Now that I am running Thunderbird on Linux and away from
Windows/Outlook, I'd like to take
> > another run at setting up NTLM authentication from Thunderbird to my
Samba4 AC/DC.
> >
> > With the help of the samba maillist folks I was able to set up NTLM
authentication for domain
> > user login.  I should be able to do the same for email!
> >
> > But, I need help. I went to
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > lost immediately. Are "authenticaion submethods" synonymous
with "password schemes"? The 7th
> > line down says, "NTLM password scheme is required for NTLM, NTLM2
and NTLMv2.", but in the
> > referenced link I found no reference to "NTLM password
scheme".
> >
> > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what
the 4 NTLM
> > authentication submethods are, tells you what password schemes are,
tells you what the NTLM
> > client/server handshake is, but doesn't actually tell you how to
configure dovecot config
> > files.  I'm much more interested in the "how to" than
in: "NTLMv2: server and client nonce,
> > MITM can't force downgrade" ...  whatever that means. 
> >
> > Anyway, probably it's my lack of understanding terminology.  I
don't even know what a "nonce"
> > is.  But, I learn well from examples! Can somone please give me a
sample 10-auth.conf for NTML
> > and any other supporting settings or configs I need?
> >
> > My current/working dovecot settings, which have been running perfectly
for well over a year
> > now, are:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > Here's what I've tried so far as 10-auth.conf:
> >
> > disable_plaintext_auth = no
> > auth_use_winbind = yes
> > info_log_path = /var/log/dovecot_info
> > auth_verbose = yes
> > auth_debug_passwords = yes
> > auth_verbose_passwords= plain
> > auth_winbind_helper_path = /usr/bin/ntlm_auth
> >
> > auth_mechanisms = ntlm plain login
> >
> > userdb {
> >   driver = passwd
> >   args = username_format=%n allow_all_users=yes
> >
> > }
> >
> >
> > Which gives me a dovecot -n of:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = ntlm plain login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > protocols = imap
> > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   args = username_format=%n allow_all_users=yes
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > I configured Thunderbird for NTLM authentication, then tried sending a
message, I got the
> > following in /var/log/dovecot_info:
> >
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will
be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will
be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
> > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> >
> >
> > On Thunderbird I got the error, "Sending of the message failed. 
The Outlgoing server (SMTP)
> > my.server.name does not support the selected authentication method. 
Please change the
> > 'Autnentication method' in 'Account Settings | Outgoing
Server (SMTP)'."
> >
> > Clearly, something is configured wrong, but I've no clue what.
> >
> > Can I get some advice?
> >
> > THX --Mark
> From dovecot-bounces at dovecot.org  Fri Apr 22 02:07:47 2016
> Return-Path: <dovecot-bounces at dovecot.org>
> X-Virus-Status: Clean
> X-Virus-Scanned: clamav-milter 0.98.6 at mail
> X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.19__ (2011-06-06)
on
> 	mail.hprs.local
> X-Spam-Level: 
> X-Spam-Status: No, score=-106.0 required=3.0 tests=USER_IN_WHITELIST,
> 	USER_IN_WHITELIST_TO autolearn=unavailable version=3.3.2-_revision__1.19__
> X-Original-To: dovecot at dovecot.org
> Delivered-To: dovecot at dovecot.org
> X-Virus-Status: Clean
> X-Virus-Scanned: clamav-milter 0.98.6 at mail
> From: Mark Foley <mfoley at ohprs.org>
> Date: Fri, 22 Apr 2016 02:07:24 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: dovecot at dovecot.org
> Subject: Looking for NTLM config example
> User-Agent: Heirloom mailx 12.5 7/5/10
> Content-Type: text/plain; charset=us-ascii
> X-BeenThere: dovecot at dovecot.org
> X-Mailman-Version: 2.1.17
> Precedence: list
> List-Id: Dovecot Mailing List <dovecot.dovecot.org>
> List-Unsubscribe:
<http://dovecot.org/cgi-bin/mailman/options/dovecot>,
> 	<mailto:dovecot-request at dovecot.org?subject=unsubscribe>
> List-Archive: <http://dovecot.org/pipermail/dovecot/>
> List-Post: <mailto:dovecot at dovecot.org>
> List-Help: <mailto:dovecot-request at dovecot.org?subject=help>
> List-Subscribe:
<http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>,
> 	<mailto:dovecot-request at dovecot.org?subject=subscribe>
> Errors-To: dovecot-bounces at dovecot.org
> Sender: "dovecot" <dovecot-bounces at dovecot.org>
> X-Spam-Report: 
> 	* -100 USER_IN_WHITELIST From: address is in the user's white-list
> 	* -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to'
> Status: R
> 
> Now that I am running Thunderbird on Linux and away from Windows/Outlook,
I'd like to take
> another run at setting up NTLM authentication from Thunderbird to my Samba4
AC/DC.
> 
> With the help of the samba maillist folks I was able to set up NTLM
authentication for domain
> user login.  I should be able to do the same for email!
> 
> But, I need help. I went to
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> lost immediately. Are "authenticaion submethods" synonymous with
"password schemes"? The 7th
> line down says, "NTLM password scheme is required for NTLM, NTLM2 and
NTLMv2.", but in the
> referenced link I found no reference to "NTLM password scheme".
> 
> The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the
4 NTLM
> authentication submethods are, tells you what password schemes are, tells
you what the NTLM
> client/server handshake is, but doesn't actually tell you how to
configure dovecot config
> files.  I'm much more interested in the "how to" than in:
"NTLMv2: server and client nonce,
> MITM can't force downgrade" ...  whatever that means. 
> 
> Anyway, probably it's my lack of understanding terminology.  I
don't even know what a "nonce"
> is.  But, I learn well from examples! Can somone please give me a sample
10-auth.conf for NTML
> and any other supporting settings or configs I need?
> 
> My current/working dovecot settings, which have been running perfectly for
well over a year
> now, are:
> 
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
> 
> 
> Here's what I've tried so far as 10-auth.conf:
> 
> disable_plaintext_auth = no
> auth_use_winbind = yes
> info_log_path = /var/log/dovecot_info
> auth_verbose = yes
> auth_debug_passwords = yes
> auth_verbose_passwords= plain
> auth_winbind_helper_path = /usr/bin/ntlm_auth
> 
> auth_mechanisms = ntlm plain login
> 
> userdb {
>   driver = passwd
>   args = username_format=%n allow_all_users=yes
> 
> }
> 
> 
> Which gives me a dovecot -n of:
> 
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = ntlm plain login
> auth_use_winbind = yes
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> protocols = imap
> ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> userdb {
>   args = username_format=%n allow_all_users=yes
>   driver = passwd
> }
> verbose_ssl = yes
> 
> 
> I configured Thunderbird for NTLM authentication, then tried sending a
message, I got the
> following in /var/log/dovecot_info:
> 
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be
used for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be
used for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
> Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> 
> 
> On Thunderbird I got the error, "Sending of the message failed.  The
Outlgoing server (SMTP)
> my.server.name does not support the selected authentication method.  Please
change the
> 'Autnentication method' in 'Account Settings | Outgoing Server
(SMTP)'."
> 
> Clearly, something is configured wrong, but I've no clue what.
> 
> Can I get some advice?
> 
> THX --Mark
---
Aki Tuomi

Thanks for the reply.  When you say it [NTLM] "should" work, I
understand you to be implying
you've not actually tried NTLM yourself, right? I've never gotten a
response from someone
saying they have or are actually using it. Your subsequent messages about NTLM
v[1|2] may be
the problem, but email clients I've tried (Outlook, Thunderbird) don't
really give a choice.

That's OK, I'd be glad to try something different that would work!!! I
am trying your advice
for gssapi.  I've followed the instructions at
http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I changed
the
auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi". 
That's all I've done.  I'm
using the same userdb as before which is /etc/passwd.  My doveconf -n is:

----------SNIP------------
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
	  driver = shadow
}
protocols = imap
ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
	  driver = passwd
}
verbose_ssl = yes
------------PINS-------------

I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a
Slackware 14.1 AD/DC. I
selected "Kerberos/GSSAPI" as the authentication method on Tbird. When
trying the connection I
got the following in my Dovecot log:

Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
Jun 27 00:04:54 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Jun 27 00:04:54 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>

So, any idea why this is not working? I'll say up-front that I do not have
the auth_krb5_keytab
configured in 10-auth.conf. I could find no such file on the host running
Dovecot. Is that file
needed? If so, I've got a message in to the Samba4 folks asking where it is
located.

I'm also using Dovecot 2.2.15. Too old?

Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-----Original Message-----
> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to
use gssapi instead.
>
> > On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org>
wrote:
> > 
> > 
> > I've asked this several times over the past year with essentially
zero responses. I'll keep it simple:
> > 
> > Does NTLM authentication work in Dovecot?
> > 
> > I'll post this one last time. If I still have no responses
I'll have to conclude that no one
> > has actually tried this authentication method and it therefore does
not work.
> > 
> > Thanks, --Mark
> > 
> > -----Original Message-----
> > From: Mark Foley <mfoley at ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot at dovecot.org
> > Subject: Looking for NTLM config example
> > 
> > > Now that I am running Thunderbird on Linux and away from
Windows/Outlook, I'd like to take
> > > another run at setting up NTLM authentication from Thunderbird to
my Samba4 AC/DC.
> > >
> > > With the help of the samba maillist folks I was able to set up
NTLM authentication for domain
> > > user login.  I should be able to do the same for email!
> > >
> > > But, I need help. I went to
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > > lost immediately. Are "authenticaion submethods"
synonymous with "password schemes"? The 7th
> > > line down says, "NTLM password scheme is required for NTLM,
NTLM2 and NTLMv2.", but in the
> > > referenced link I found no reference to "NTLM password
scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM
and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you
what the 4 NTLM
> > > authentication submethods are, tells you what password schemes
are, tells you what the NTLM
> > > client/server handshake is, but doesn't actually tell you how
to configure dovecot config
> > > files.  I'm much more interested in the "how to"
than in: "NTLMv2: server and client nonce,
> > > MITM can't force downgrade" ...  whatever that means. 
> > >
> > > Anyway, probably it's my lack of understanding terminology. 
I don't even know what a "nonce"
> > > is.  But, I learn well from examples! Can somone please give me a
sample 10-auth.conf for NTML
> > > and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running
perfectly for well over a year
> > > now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >   driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > Here's what I've tried so far as 10-auth.conf:
> > >
> > > disable_plaintext_auth = no
> > > auth_use_winbind = yes
> > > info_log_path = /var/log/dovecot_info
> > > auth_verbose = yes
> > > auth_debug_passwords = yes
> > > auth_verbose_passwords= plain
> > > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > >
> > > auth_mechanisms = ntlm plain login
> > >
> > > userdb {
> > >   driver = passwd
> > >   args = username_format=%n allow_all_users=yes
> > >
> > > }
> > >
> > >
> > > Which gives me a dovecot -n of:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = ntlm plain login
> > > auth_use_winbind = yes
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > protocols = imap
> > > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > >   args = username_format=%n allow_all_users=yes
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > I configured Thunderbird for NTLM authentication, then tried
sending a message, I got the
> > > following in /var/log/dovecot_info:
> > >
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1
will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1
will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
> > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process
broken (disconnected before auth was ready, waited 0 secs): user=<>,
rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> > >
> > >
> > > On Thunderbird I got the error, "Sending of the message
failed.  The Outlgoing server (SMTP)
> > > my.server.name does not support the selected authentication
method.  Please change the
> > > 'Autnentication method' in 'Account Settings |
Outgoing Server (SMTP)'."
> > >
> > > Clearly, something is configured wrong, but I've no clue
what.
> > >
> > > Can I get some advice?
> > >
> > > THX --Mark
> > From dovecot-bounces at dovecot.org  Fri Apr 22 02:07:47 2016
> > Return-Path: <dovecot-bounces at dovecot.org>
> > X-Virus-Status: Clean
> > X-Virus-Scanned: clamav-milter 0.98.6 at mail
> > X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.19__
(2011-06-06) on
> > 	mail.hprs.local
> > X-Spam-Level: 
> > X-Spam-Status: No, score=-106.0 required=3.0 tests=USER_IN_WHITELIST,
> > 	USER_IN_WHITELIST_TO autolearn=unavailable
version=3.3.2-_revision__1.19__
> > X-Original-To: dovecot at dovecot.org
> > Delivered-To: dovecot at dovecot.org
> > X-Virus-Status: Clean
> > X-Virus-Scanned: clamav-milter 0.98.6 at mail
> > From: Mark Foley <mfoley at ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot at dovecot.org
> > Subject: Looking for NTLM config example
> > User-Agent: Heirloom mailx 12.5 7/5/10
> > Content-Type: text/plain; charset=us-ascii
> > X-BeenThere: dovecot at dovecot.org
> > X-Mailman-Version: 2.1.17
> > Precedence: list
> > List-Id: Dovecot Mailing List <dovecot.dovecot.org>
> > List-Unsubscribe:
<http://dovecot.org/cgi-bin/mailman/options/dovecot>,
> > 	<mailto:dovecot-request at dovecot.org?subject=unsubscribe>
> > List-Archive: <http://dovecot.org/pipermail/dovecot/>
> > List-Post: <mailto:dovecot at dovecot.org>
> > List-Help: <mailto:dovecot-request at dovecot.org?subject=help>
> > List-Subscribe:
<http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>,
> > 	<mailto:dovecot-request at dovecot.org?subject=subscribe>
> > Errors-To: dovecot-bounces at dovecot.org
> > Sender: "dovecot" <dovecot-bounces at dovecot.org>
> > X-Spam-Report: 
> > 	* -100 USER_IN_WHITELIST From: address is in the user's
white-list
> > 	* -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to'
> > Status: R
> > 
> > Now that I am running Thunderbird on Linux and away from
Windows/Outlook, I'd like to take
> > another run at setting up NTLM authentication from Thunderbird to my
Samba4 AC/DC.
> > 
> > With the help of the samba maillist folks I was able to set up NTLM
authentication for domain
> > user login.  I should be able to do the same for email!
> > 
> > But, I need help. I went to
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > lost immediately. Are "authenticaion submethods" synonymous
with "password schemes"? The 7th
> > line down says, "NTLM password scheme is required for NTLM, NTLM2
and NTLMv2.", but in the
> > referenced link I found no reference to "NTLM password
scheme".
> > 
> > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what
the 4 NTLM
> > authentication submethods are, tells you what password schemes are,
tells you what the NTLM
> > client/server handshake is, but doesn't actually tell you how to
configure dovecot config
> > files.  I'm much more interested in the "how to" than
in: "NTLMv2: server and client nonce,
> > MITM can't force downgrade" ...  whatever that means. 
> > 
> > Anyway, probably it's my lack of understanding terminology.  I
don't even know what a "nonce"
> > is.  But, I learn well from examples! Can somone please give me a
sample 10-auth.conf for NTML
> > and any other supporting settings or configs I need?
> > 
> > My current/working dovecot settings, which have been running perfectly
for well over a year
> > now, are:
> > 
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> > 
> > 
> > Here's what I've tried so far as 10-auth.conf:
> > 
> > disable_plaintext_auth = no
> > auth_use_winbind = yes
> > info_log_path = /var/log/dovecot_info
> > auth_verbose = yes
> > auth_debug_passwords = yes
> > auth_verbose_passwords= plain
> > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > 
> > auth_mechanisms = ntlm plain login
> > 
> > userdb {
> >   driver = passwd
> >   args = username_format=%n allow_all_users=yes
> > 
> > }
> > 
> > 
> > Which gives me a dovecot -n of:
> > 
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = ntlm plain login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > protocols = imap
> > ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   args = username_format=%n allow_all_users=yes
> >   driver = passwd
> > }
> > verbose_ssl = yes
> > 
> > 
> > I configured Thunderbird for NTLM authentication, then tried sending a
message, I got the
> > following in /var/log/dovecot_info:
> > 
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will
be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will
be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
> > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> > 
> > 
> > On Thunderbird I got the error, "Sending of the message failed. 
The Outlgoing server (SMTP)
> > my.server.name does not support the selected authentication method. 
Please change the
> > 'Autnentication method' in 'Account Settings | Outgoing
Server (SMTP)'."
> > 
> > Clearly, something is configured wrong, but I've no clue what.
> > 
> > Can I get some advice?
> > 
> > THX --Mark
>
> ---
> Aki Tuomi

On 27.06.2016 07:31, Mark Foley wrote:
> Thanks for the reply.  When you say it [NTLM] "should" work, I
understand you to be implying
> you've not actually tried NTLM yourself, right? I've never gotten a
response from someone
> saying they have or are actually using it. Your subsequent messages about
NTLM v[1|2] may be
> the problem, but email clients I've tried (Outlook, Thunderbird)
don't really give a choice.
>
> That's OK, I'd be glad to try something different that would
work!!! I am trying your advice
> for gssapi.  I've followed the instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I
changed the
> auth_mechanism line to:
>
> auth_mechanisms = plain login gssapi
>
> Which is only different from before with the addition of
"gssapi".  That's all I've done.  I'm
> using the same userdb as before which is /etc/passwd.  My doveconf -n is:
>
> ----------SNIP------------
>> doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
> 	  driver = shadow
> }
> protocols = imap
> ssl_cert =
</etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
> userdb {
> 	  driver = passwd
> }
> verbose_ssl = yes
> ------------PINS-------------
>
> I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a
Slackware 14.1 AD/DC. I
> selected "Kerberos/GSSAPI" as the authentication method on Tbird.
When trying the connection I
> got the following in my Dovecot log:
>
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be
used for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be
used for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
> Jun 27 00:04:54 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
> Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>
>
> So, any idea why this is not working? I'll say up-front that I do not
have the auth_krb5_keytab
> configured in 10-auth.conf. I could find no such file on the host running
Dovecot. Is that file
> needed? If so, I've got a message in to the Samba4 folks asking where
it is located.
>
> I'm also using Dovecot 2.2.15. Too old?
>
> Do you think auth_krb5_keytab is my problem or something deeper?
>
> THX --Mark
>
You need to set up keytab. I'll assume you know nothing about kerberos,
so please if you already knew all this, sorry.

For kerberos to work PROPERLY you need to have

1. Functional AD or Kerberos environment
2. Time synced against your KDC (which is your Domain Controller on Windows)
3. /etc/krb5.conf configured
4. Both forward / reverse DNS names correct for clients and servers.
Reverse is only mandatory for servers, but having them right will work
wonders. Most kerberos problems are about DNS problems.
5. You need a keytab. This keytab needs to hold entries like
IMAP/your.host.name at REALM  and IMAP/$HOSTNAME at REALM. You can generate
these on any Windows DC server (at least).

Only bullet 5. is about Dovecot really, but since this is usually rather
hard to gather information, I'll recap these things here:

2. Time sync

Install ntpd and configure it to use *your* *ad* *server*. (Not some
generic service).

3. /etc/krb5.conf

Here is a *SAMPLE* configuration:

[libdefaults]
        default_realm = YOUR.REALM
        dns_lookup_kdc = true
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true

[realms]
        YOUR.REALM = {
                default_domain = your.domain.name
                auth_to_local_names = {
                        Administrator = root
                }
        }
[domain_realm]
      your.domain.name = YOUR.REALM
# this is not a mistake
      .your.domain.name = YOUR.REALM
[login]
        krb4_convert = true
        krb4_get_tickets = false

Note that some windows environments require additional configuration to
get this working.

4. Forward/reverse DNS.

For your *server* this is *absolutely* must. It has to match for your
clients and your server. So if your server name is mail.example.org, and
it has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It
will give you strange and convoluted errors otherwise.

5. Keytab

This is bit tricky to generate, and there are various ways to do this.
You can install samba, join it to your domain and use the samba tools to
generate a keytab. It's not a bad idea, just remember to add the
required spn's (service principal names) to the machine account. setspn
-q is helpful here, also setspn command in general.

You can use either system keytab file (/etc/krb5.keytab), or you can put
the dovecot specific (mainly IMAP/something) into dedicated keytab for
the service. Either way you need to tell dovecot about it with
auth_krb5_keytab setting.

You should have at least following entries in your keytab file. You can
see them with klist -k /path/to/keytab. The KVNO can be different.

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   3 host/mail.example.org at EXAMPLE.ORG
   3 host/mail.example.org at EXAMPLE.ORG
   3 host/mail.example.org at EXAMPLE.ORG
   3 host/mail.example.org at EXAMPLE.ORG
   3 host/mail.example.org at EXAMPLE.ORG
   3 IMAP/mail.example.org at EXAMPLE.ORG
   3 host/MAIL at EXAMPLE.ORG
   3 host/MAIL at EXAMPLE.ORG
   3 host/MAIL at EXAMPLE.ORG
   3 host/MAIL at EXAMPLE.ORG
   3 host/MAIL at EXAMPLE.ORG
   3 IMAP/MAIL at EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG

This will at least get you somewhere. Kerberos is notoriously hard to
debug, but it usually is about

a) DNS
b) Keytab
c) Mismatch of some name somewhere
d) Encryption type support

Also, note that kerberos can only act as AUTHENTICATION system. It
cannot act as USER DATABASE. For that you need to configure LDAP or
something else. With Active Directory LDAP is probably a damn good idea.

If you want to try with something else first, which I recommend for the
server in any case, is to see if you can get sssd working with Kerberos
and LDAP. If you get that working, it's not very difficult anymore to
get Dovecot running with it.

----
Aki Tuomi
Dovecot oy