[Dovecot] NTLM authentication from Outlook
Lars Skovgaard
lars at skovgaarddesign.dk
Thu Nov 16 23:15:02 UTC 2006
> Hi all
>
> I've enabled ntlm authentication in dovecot, and use dovecot sasl in
> postfix as well.
>
> Authentication with ntlm works well from Mac OS X Mail.app, as well
> as from Outlook Express, but fails with Outlook. Strangely enough,
> ntlm authentication works in Outlook when using smtp (via postfix),
> but not from imap or pop3 (both dovecot). As dovecot sasl handles
> all authentication against a mysql userdb, this strikes me as very
> strange.
>
> I've instructed my clients with Outlook to fetch mail using an
> ssl-encrypted connection, and to send using ntlm authentication. This
> works, but I would like to have ntlm available as an option to all my
> clients, without forcing them to change mail-clients.
>
> I've turned on auth_verbose, auth_debug and auth_debug_passwords, and
> compared the password string with the one calculated using dovecotpw,
> and they match. The only odd thing is that the username is returned
> from Outlook as an all-caps string, so user at domain.tld becomes
> USER at DOMAIN.TLD. I don't know if it matters, but I don't think so, as
> changing the user-login to an all-caps version doesn't solve the
> problem.
>
> Any hints will be most welcome.
>
> /Lars
Greetings, everyone
I'm sorry, but I seem to have made a mistake regarding the
password string from Outlook; it seems the string I looked at was
from MS Entourage... (that's what you get from trying to debug
something when you're too tired to think straight).
I've now enabled debugging again, and have tried logging in from
Outlook with ntlm-authentication. The log-entries are as follows:
Nov 16 23:29:09 SD-Server dovecot: auth(default): client in: AUTH 1
NTLM service=IMAP lip=192.168.2.2 rip=192.168.2.13
Nov 16 23:29:09 SD-Server dovecot: auth(default): client out: CONT 1
Nov 16 23:29:09 SD-Server dovecot: auth(default): client in: CONT 1
TlRM7IIog0ADQAuAAAFASgKAAAAD0AABgATVNTUAABYUEFSQkVKRFNHUlVQUAAAABGACgAAA
lNQUNEU=
Nov 16 23:29:09 SD-Server dovecot: auth(default): client out: CONT 1
TlRMTVNAAAAFAHgAeAAAAAAAADAA
+H1XooTUAACAAAAyZ9yMNkAAdgBlAHIALgBsAG8AACYAJgBOAAAAUwBEAC0AUwBlAHIAYwBh
AGwAAwAeAFMAyAC4AbABvsAAAAAGMAYRAAtAFMAZQByAHYAZQBQBAAA=
Nov 16 23:29:09 SD-Server dovecot: auth(default): client in: CONT 1
TlRMAYAHwAAAAYABgAlAAAAAwADTVNTUAFQAAAAMAAAAAAAAEAH3ZyprYRPWIAAAAAAcgBkA
EkATQBBAEMAWABQAAAAACsAAADAAAAGAABIAqMx1XpiwbAAAHAAcwAcABQNAEEAQwBYAFAAT
ABpAHMAYQAgAFMAawBvAHYAZwBhAGAAAAAKIAgUBKAoAAAAPSQBAAAAAAAAAAAJILBz4x4RA
Ixsp2rhFi8VB6g==
Nov 16 23:29:09 SD-Server dovecot: auth(default): ntlm(?,
192.168.2.13): Username contains disallowed characters
Nov 16 23:29:10 SD-Server dovecot: auth(default): client out: FAIL 1
The same account logs in without problems if I use a plaintext
password (SSL-encrypted, since plaintext-login is disabled).
In dovecot.conf I have the following:
auth default {
mechanisms = plain digest-md5 cram-md5 ntlm rpa
}
The authentication is done against a mysql-db, which until now has
worked with every client I've tested (except Outlook).
I have set up postfix to use dovecot-sasl, and use the same userdb
for smtp authentication. Strangely enough, the exact same data is
accepted when using ntlm authentication with smtp, though a warning
is added to my logs. This is an example of a log entry from an
Outlook user sending a mail:
Nov 14 16:40:49 SD-Server postfix/smtpd[8354]: connect from unknown
[hid.den.ip.adr]
Nov 14 16:40:49 SD-Server dovecot: auth-worker(default): mysql:
Connected to localhost (dovecot_auth)
Nov 14 16:40:51 SD-Server postfix/smtpd[8354]: warning: unknown
[hid.den.ip.adr]: SASL NTLM authentication failed:
TlRMTVNTUAACAAMAZYAAQByAHAFAooAOINYZ//
+97QAAAAAAAAUwBEAC0AUwBlAHIAdgBlAHIALgBsAG8AYwBhAGwAAwAeAFMARAAtAFAbABvA
GMAYAAAAHgAeADAQAAAAAACYAJgBOBZQByAC4sAAAAAAA=
Nov 14 16:40:51 SD-Server postfix/smtpd[8354]: AC6402D668E:
client=unknown[hid.den.ip.adr], sasl_method=NTLM,
sasl_username=user at domain.dk
Nov 14 16:40:51 SD-Server postfix/cleanup[8358]: AC6402D668E: message-
id=<006a01c70803$4dcd1b00$0200a8c0 at acerce5220052b>
Nov 14 16:41:13 SD-Server postfix/qmgr[8494]: AC6402D668E:
from=<user at domain.dk>, size=819330, nrcpt=1 (queue active)
Nov 14 16:41:16 SD-Server postfix/smtpd[8354]: disconnect from unknown
[hid.den.ip.adr]
Nov 14 16:41:29 SD-Server postfix/smtp[8361]: AC6402D668E:
to=<user at otherdomain.dk>, relay=smtp.domain.dk[hid.den.ip.adr]:25,
delay=37, delays=22/0.08/0.06/15, dsn=2.0.0, status=sent (250
156794624 mailfe12 Message accepted for delivery)
Nov 14 16:41:29 SD-Server postfix/qmgr[8494]: AC6402D668E: removed
The same warning is issued from postfix when a user sends mail from
Outlook Express, but not when the same user sends from Thunderbird or
Mail.app. In fact, I've only seen these problems when the users are
using MS products. I really hope someone can shed some light on what
is going on.
Best regards
Lars
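To see exactly which domain, user and workstation strings a client put into its NTLM Type 3 (AUTHENTICATE) message before the server's username check runs, here is an added Python example (not from the original post or the Dovecot project): it builds a constructed sample message in the MS-NLMP layout, decodes the base64 form as it appears in auth_debug output, and flags any characters outside an allowed set. The allowed set is what I recall as the default of Dovecot's auth_username_chars setting; treat it as an assumption and compare it with your own dovecot.conf.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3          # MessageType of the Type 3 / AUTHENTICATE_MESSAGE
NEGOTIATE_UNICODE = 0x1   # string fields are UTF-16LE when this flag is set

# Assumed default of Dovecot's auth_username_chars setting; verify against your config.
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@")


def build_type3(domain, user, workstation, flags=0x8205):
    """Assemble a Type 3 message in MS-NLMP layout (constructed test input only).
    LM/NT responses are zero placeholders; only the string fields matter here."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    fields = [b"\x00" * 24, b"\x00" * 24, domain.encode(enc),
              user.encode(enc), workstation.encode(enc), b""]
    header = SIGNATURE + struct.pack("<I", AUTHENTICATE)
    payload = b""
    for f in fields:  # six security buffers: Len, MaxLen, Offset from message start
        header += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    return header + struct.pack("<I", flags) + payload  # flags sit at offset 60


def parse_type3(blob):
    """Return domain, user and workstation exactly as the client encoded them."""
    if blob[:8] != SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"

    def field(pos):
        length, _maxlen, offset = struct.unpack_from("<HHI", blob, pos)
        if offset + length > len(blob):
            raise ValueError("security buffer points outside the message")
        return blob[offset:offset + length].decode(enc)

    return {"domain": field(28), "user": field(36), "workstation": field(44)}


def disallowed_chars(username):
    """Sorted, deduplicated characters of the username outside ALLOWED_CHARS."""
    return sorted(set(username) - ALLOWED_CHARS)


def inspect_log_token(token):
    """Decode a base64 CONT token as printed in the auth debug log and check the user."""
    info = parse_type3(base64.b64decode(token))
    info["disallowed"] = disallowed_chars(info["user"])
    return info


def sample_token(domain, user, workstation):
    """Constructed log-style token: base64 of a built Type 3 message."""
    return base64.b64encode(build_type3(domain, user, workstation)).decode()
```

Paste a complete, unwrapped CONT token from your own log into inspect_log_token to see the raw strings Outlook sent; an empty "disallowed" list means the username itself would pass the character check.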