dovecot - Jun 2016 - Looking for NTLM config example

On 6/27/2016 2:45 AM, Mark Foley wrote:
> While continuing to test gssapi, I thought I check out your suggestion on
NTLM v1. I did set
> Thunderbird to NTLM v1 ...
You are aware, I hope, that NTLM v1 is well over 20 years old and
is trivially compromised today. Basically, it's about as secure as
sending plaintext passwords. Since you're supporting SSL on your
Dovecot server, why not require it, and not bother with NTLM auth?

TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
>> While continuing to test gssapi, I thought I check out your suggestion
on NTLM v1. I did set
>> Thunderbird to NTLM v1 ...
TT> You are aware, I hope, that NTLM v1 is well over 20 years old and
TT> is trivially compromised today. Basically, it's about as secure as
TT> sending plaintext passwords. Since you're supporting SSL on your
TT> Dovecot server, why not require it, and not bother with NTLM auth?

I can't speak for the OP, but I suspect he'd like to use a SSO for
dovecot, utilizing the same credentials as is in their Samba AD infrastructure.
[Thus, have Dovecot submit authentications for dovecot to the AD domain and get
an ack/nak on success.] So, he's not eager to use NTLMv1, but isn't
getting much love in how to setup proxy auth against AD. [I suspect asking on
the Samba list isn't a bad idea, but I'm surprised he hasn't gotten
some good pointers here. There really ought to be a FAQ of white-paper on it,
and I'm dismayed there isn't.]

-Greg

> On June 27, 2016 at 8:50 PM Gregory Sloop <gregs at sloop.net> wrote:
> 
> 
> 
> 
> TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
> >> While continuing to test gssapi, I thought I check out your
suggestion on NTLM v1. I did set
> >> Thunderbird to NTLM v1 ...
> 
> TT> You are aware, I hope, that NTLM v1 is well over 20 years old and
> TT> is trivially compromised today. Basically, it's about as secure
as
> TT> sending plaintext passwords. Since you're supporting SSL on your
> TT> Dovecot server, why not require it, and not bother with NTLM auth?
> 
> I can't speak for the OP, but I suspect he'd like to use a SSO for
dovecot, utilizing the same credentials as is in their Samba AD infrastructure.
[Thus, have Dovecot submit authentications for dovecot to the AD domain and get
an ack/nak on success.] So, he's not eager to use NTLMv1, but isn't
getting much love in how to setup proxy auth against AD. [I suspect asking on
the Samba list isn't a bad idea, but I'm surprised he hasn't gotten
some good pointers here. There really ought to be a FAQ of white-paper on it,
and I'm dismayed there isn't.]
> 
> -Greg
It's not very used feature as most with AD probably are using Exchange.
I'll have a look at the NTLM authentication and see if we can improve
it's documentation.

---
Aki Tuomi 
Dovecot oy

Hi folks,

I've been sifting through various threads on GSSAPI and NTLM support, 
and I'm wondering if anyone out there can confirm or deny GSSAPI IMAP 
auth support in Microsoft Outlook 2016 (Windows)?  Perhaps there's some 
magic registry key to change IMAP auth from PLAIN to GSSAPI?

We're trying to do single sign-on + e-mail for Windows domain users; 
Thunderbird GSSAPI works fine, of course, but Outlook 2016 is the 
policy-mandated e-mail client for this particular environment (Windows 
10 client desktop, Windows Server 2012 R2 AD, RHEL7 Dovecot).

It seems that Outlook 2016 might also support NTLMv1 / GSS-SPNEGO out of 
the box for IMAP accounts, but NTLMv1 is - rightly - disabled in this 
environment (and I also see 'NT_STATUS_UNSUCCESSFUL' reported by 
/usr/bin/ntlm_auth back to the Dovecot auth worker).

Thanks for any ideas out there!

Robert

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4305 bytes
Desc: S/MIME Cryptographic Signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20171024/5cbdca72/attachment.p7s>