similar to: How to "Windows Authenticate"

Hi Mark, I haven't done it, but I've played with the scenario enough to have an idea. What you want to do is have Outlook auth via NTLM to Dovecot.? First that means having the machine be a domain member (usually via Samba) in order to properly process NTLM/Kerberos handshake - which it appears you have. Second that means having Dovecot know how to accept NTLM authentication (SPA) to

More info ... My dovecot error log shows: Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark at hprs original_user=mark at HPRS Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token Sep 05

Comments interspersed with yours ... --Mark -----Original Message----- > Date: Sun, 06 Sep 2015 20:00:11 -0500 > From: Rick Romero <rick at havokmon.com> > To: dovecot at dovecot.org > Subject: Re: How to "Windows Authenticate" > > Hmm. I would expect to see 'mark at hprs.com'. Whatever your full domain > name is. Full user at domain would be

Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. With the help of the samba maillist folks I was able to set up NTLM authentication for domain user login. I should be able to do the same for email! But, I need help. I went to

Also it seems we lack support for NTLMv2. If you want to use NTLM you need to permit use of NTLM(v1), which is usually not enabled by default. Aki > On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org> wrote: > > > I've asked this several times over the past year with essentially zero responses. I'll keep it simple: > > Does NTLM authentication work in

It should work. Although if you are using linux server you might want to use gssapi instead. > On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org> wrote: > > > I've asked this several times over the past year with essentially zero responses. I'll keep it simple: > > Does NTLM authentication work in Dovecot? > > I'll post this one last time.

If I had time I would be all over this - but IMHO the main problem is that Dovecot != Exchange.? Even in small environments - unless I'm out of date, there's no calendar, tasks or contact lists within Dovecot. Your next best best is to use something like Horde that would allow you to auth via ActiveSync (on Outlook 2013 clients) and manage everything else that the users will want, with

I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the Active Directory/Domain Controller on the same host as Dovecot. Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is the client MTU used to connect with Dovecot to read mail on the Users' WIN7 workstations. I believe I have confirmed that MS Outlook will either ... 1) send the userid and

Quoting Mark Foley <mfoley at ohprs.org>: > Rick, > > Samba4 AD/DC and Dovecot work perfectly for everything including access > from > SmartPhones.? I've got roaming domain logins, redirected folders, > calendars and > contacts work just fine with Outlook and WebDav for sharing calendars; > don't > need them in Dovecot.? > ? Do you have that documented

with passdb ldap i guess. ---Aki TuomiDovecot oy -------- Original message --------From: Mark Foley <mfoley at ohprs.org> Date: 03/12/2017 21:18 (GMT+02:00) To: dovecot at dovecot.org Subject: Re: Howto authenticate smartPhone via Active Directory Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows: passdb pam { } used for

Aki - made your suggested changes, but no joy :( My /etc/krb5.conf: ------SNIP-------- [libdefaults] default_realm = HPRS.LOCAL dns_lookup_realm = false dns_lookup_kdc = true [libdefaults] default_realm = HPRS.LOCAL dns_lookup_kdc = true kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true fcc-mit-ticketflags = true [realms] HPRS.LOCAL = {

Aki, you wrote: > Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? > > I'll try to check status of NTLM this week. I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1. I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable

On 27.06.2016 07:31, Mark Foley wrote: > Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying > you've not actually tried NTLM yourself, right? I've never gotten a response from someone > saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be > the problem, but email clients I've tried

> On Jun 28, 2016, at 10:32 PM, Mark Foley <mfoley at ohprs.org> wrote: > > Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I > don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is > delivered successfully to the other domain users having PLAIN authentication. That's a

I've switched a user to being an active directory user. That user's email client authorizes just fine with dovecot using GSSAPI. However, now his iPhone won't authorize. In the dovecot log file I get: Dec 01 14:27:28 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=q4n3W0xfggBiZj9s lip=98.102.63.107 rip=98.102.63.108 lport=993

Hi Mark, Just to let you know that we are running dovecot with AD. (and I guess: *many* people are running that combination) It worked without issues, we are using in dovecot-ldap.conf.ext: > auth_bind = yes this user/passwd filter: > = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514))) > dn = cn=search_dovecit,cn=users,dc=company,dc=com > dnpass =

Am 30.06.2016 um 10:45 schrieb Mark Foley: > To revisit my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set > Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab > file as required by Dovecot. I've also downloaded and installed Kerberos for access to > the k* commands (ktutil, kinit, klist, ...). > > In my

Am 30.06.2016 um 23:16 schrieb Mark Foley: > Achim, thanks a lot! A couple of questions on your suggested settings: > >> 1. Create an user >> samba-tool create user dovcot > I did this (actually `samba-tool user create dovecot`), but it asked for a password. I > entered one. You didn't mention that, so I hope it's OK. Yes > > >> 2. Add the spn

More info ... when I do MAIL=imap://mark at mail.ohprs.org/ mutt (using the domain of the registered certificate). I do not get the message "Certificate host check failed: certificate owner does not match hosthame ..." I do get the same (mutt?) edit screen shown below with the "(r)eject, accept (o)nce, (a)ccept always" action at the bottom. If I "accept (o)nce",

Did a few test here "auth_gssapi_hostname = "$ALL"" is no longer required with dovecot (2.2.13 here). Add "auth_debug=yes" to your dovecor config. 192.168.100.1 is my clients ip 192.168.100.101 is the servers ag is the domain account username I use to login to windows and also the username configured in thunderbird. On my debian system an package named