[Dovecot] Concerned about Dovecot's new NTLM code

Andrey Panin pazke at donpac.ru
Mon Sep 27 09:44:06 EEST 2004


> I'm pleased to see another project increasing compatibility with windows
> clients, by the addition of NTLM login support, but I'm a bit worried
> about a few implementation details, and hope to offer an alternate
> approach.
>
> I mean no disrespect to those who have implemented to the code so far,
> but I feel that the idea of 'everybody re-implement NTLM' is prone to
> failure.
>
> Firstly, to bugs I've noticed by casual inspection of your
> implementation:
>
>  - Unicode support is by 'null padding' - there is no real support for
> non-ascii characters.

Does it really matter ? Do you know many people who use non-ascii
characters in their email addresses and passwords ? :)

>  - NTLM2 (a negotiated scheme to avoid sending the LM response) is
> unsupported

Did you RTFS ? Or may be I missed something ?

>  - NTLMSSP is NDR, not 'C struct pushed to the wire', it needs to be
> correctly marshaled and unmarshaled.

Yes, it's not a C struct, so what ? Where is the actual bug ?

> There are other missing features, some of which are rumoured to become
> mandatory flags in future, but more importantly, because the
> implementation is standalone, it has no ability to integrate into an
> NT/Win2k/Samba domain.

It can be directly integrated with password backends using NTLM password
scheme.

> As part of the Samba team, I have worked with other projects - Squid in
> particular, to deliver server-side (and client-side) NTLMSSP
> authentication, without the need to re-implement the NTLMSSP protocol.
>
> This is done by a callout to 'ntlm_auth', a Samba 3.0 utility designed
> for this purpose, which in turn can contact domain controllers, allowing
> for seamless single sign on.
>
> http://samba.org/samba/docs/man/ntlm_auth.1.html

So you'll need Samba to run POP3/IMAP server. Doesn't look convinent to me.
Many people have no windows domain infrastructure, but want to provide
secure authentication for poor MS Outlook users.

> I have recently completed reworking mod_ntlm_winbind for a similar
> purpose, and have patches for cyrus-sasl in my 'lorikeet' subversion
> repository.  These should serve as good examples for the simple
> fork()/exec() modal that is used, and also show the support for
> GSS-SPNEGO (aka HTTP Negotiate) that ntlm_auth also provides.
>
> http://download.samba.org/ftp/unpacked/lorikeet/trunk/
>
> My hope is that I can tempt a Dovecot developer to take on the challenge
> of modifying the dovecot to use ntlm_auth, and am most willing to answer
> any questions (here, by private mail or on the samba-technical list)
> that you may have on the issue.




More information about the dovecot mailing list