[Dovecot] NTLM authentication from Outlook

Lars Skovgaard lars at skovgaarddesign.dk
Thu Nov 16 23:15:02 UTC 2006


> Hi all
>
> I've enabled ntlm authentication in dovecot, and use dovecot sasl in
> postfix as well.
>
> Authentication with ntlm works well from Mac OS X Mail.app, as well
> as from Outlook Express, but fails with Outlook. Strangely enough,
> ntlm authentication works in Outlook when using smtp (via postfix),
> but not from imap or pop3 (both dovecot). As dovecot sasl handles
> all authentication against a mysql userdb, this strikes me as very
> strange.
>
> I've instructed my clients with Outlook to fetch mail using an
> SSL-encrypted connection, and to send using ntlm authentication. This
> works, but I would like to have ntlm available as an option to all my
> clients, without forcing them to change mail clients.
>
> I've turned on auth_verbose, auth_debug and auth_debug_passwords, and
> compared the password string with the one calculated using dovecotpw,
> and they match. The only odd thing is that the username is returned
> from Outlook as an all-caps string, so user at domain.tld becomes
> USER at DOMAIN.TLD. I don't know if it matters, but I don't think so, as
> changing the user login to an all-caps version doesn't solve the
> problem.
>
> Any hints will be most welcome.
>
> /Lars

Greetings, everyone

I'm sorry, but I seem to have made a mistake regarding the
password string from Outlook – it seems the string I looked at was
from MS Entourage... (that's what you get from trying to debug
something when you're too tired to think straight).

I've now enabled debugging again, and have tried logging in from
Outlook with ntlm authentication. The log entries are as follows:

Nov 16 23:29:09 SD-Server dovecot: auth(default): client in: AUTH	1	 
NTLM	service=IMAP	lip=192.168.2.2	rip=192.168.2.13
Nov 16 23:29:09 SD-Server dovecot: auth(default): client out: CONT	1	
Nov 16 23:29:09 SD-Server dovecot: auth(default): client in: CONT	1	 
TlRM7IIog0ADQAuAAAFASgKAAAAD0AABgATVNTUAABYUEFSQkVKRFNHUlVQUAAAABGACgAAA 
lNQUNEU=
Nov 16 23:29:09 SD-Server dovecot: auth(default): client out: CONT	1	 
TlRMTVNAAAAFAHgAeAAAAAAAADAA 
+H1XooTUAACAAAAyZ9yMNkAAdgBlAHIALgBsAG8AACYAJgBOAAAAUwBEAC0AUwBlAHIAYwBh 
AGwAAwAeAFMAyAC4AbABvsAAAAAGMAYRAAtAFMAZQByAHYAZQBQBAAA=
Nov 16 23:29:09 SD-Server dovecot: auth(default): client in: CONT	1	 
TlRMAYAHwAAAAYABgAlAAAAAwADTVNTUAFQAAAAMAAAAAAAAEAH3ZyprYRPWIAAAAAAcgBkA 
EkATQBBAEMAWABQAAAAACsAAADAAAAGAABIAqMx1XpiwbAAAHAAcwAcABQNAEEAQwBYAFAAT 
ABpAHMAYQAgAFMAawBvAHYAZwBhAGAAAAAKIAgUBKAoAAAAPSQBAAAAAAAAAAAJILBz4x4RA 
Ixsp2rhFi8VB6g==
Nov 16 23:29:09 SD-Server dovecot: auth(default): ntlm(?, 
192.168.2.13): Username contains disallowed characters
Nov 16 23:29:10 SD-Server dovecot: auth(default): client out: FAIL	1

The same account logs in without problems if I use a plaintext  
password (SSL-encrypted, since plaintext-login is disabled).

In dovecot.conf I have the following:

auth default {
	mechanisms = plain digest-md5 cram-md5 ntlm rpa
}

The authentication is done against a mysql db, which until now has
worked with every client I've tested (except Outlook).

I have set up postfix to use dovecot-sasl, and use the same userdb
for smtp authentication. Strangely enough, the exact same data is
accepted when using ntlm authentication with smtp, though a warning
is added to my logs. This is an example of a log entry from an
Outlook user sending a mail:

Nov 14 16:40:49 SD-Server postfix/smtpd[8354]: connect from unknown 
[hid.den.ip.adr]
Nov 14 16:40:49 SD-Server dovecot: auth-worker(default): mysql:  
Connected to localhost (dovecot_auth)
Nov 14 16:40:51 SD-Server postfix/smtpd[8354]: warning: unknown 
[hid.den.ip.adr]: SASL NTLM authentication failed:  
TlRMTVNTUAACAAMAZYAAQByAHAFAooAOINYZ// 
+97QAAAAAAAAUwBEAC0AUwBlAHIAdgBlAHIALgBsAG8AYwBhAGwAAwAeAFMARAAtAFAbABvA 
GMAYAAAAHgAeADAQAAAAAACYAJgBOBZQByAC4sAAAAAAA=
Nov 14 16:40:51 SD-Server postfix/smtpd[8354]: AC6402D668E:  
client=unknown[hid.den.ip.adr], sasl_method=NTLM,  
sasl_username=user at domain.dk
Nov 14 16:40:51 SD-Server postfix/cleanup[8358]: AC6402D668E: message- 
id=<006a01c70803$4dcd1b00$0200a8c0 at acerce5220052b>
Nov 14 16:41:13 SD-Server postfix/qmgr[8494]: AC6402D668E:  
from=<user at domain.dk>, size=819330, nrcpt=1 (queue active)
Nov 14 16:41:16 SD-Server postfix/smtpd[8354]: disconnect from unknown 
[hid.den.ip.adr]
Nov 14 16:41:29 SD-Server postfix/smtp[8361]: AC6402D668E:  
to=<user at otherdomain.dk>, relay=smtp.domain.dk[hid.den.ip.adr]:25,  
delay=37, delays=22/0.08/0.06/15, dsn=2.0.0, status=sent (250  
156794624 mailfe12 Message accepted for delivery)
Nov 14 16:41:29 SD-Server postfix/qmgr[8494]: AC6402D668E: removed

The same warning is issued from postfix when a user sends mail from
Outlook Express, but not when the same user sends from Thunderbird or
Mail.app. In fact, I've only seen these problems when the users are
using MS products. I really hope someone can shed some light on what
is going on.

Best regards
Lars
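An added example, not code from this thread or from Dovecot, showing what sits behind the exchange logged above: it parses an NTLM Type 3 (AUTHENTICATE) message, the kind of blob the client sends in its final CONT line, pulls out the domain, user and workstation strings (UTF-16LE or OEM depending on the negotiated flags), and applies the kind of character check that produces Dovecot's "Username contains disallowed characters" line. The message is constructed by the script itself, since the base64 in the log is not decodable as posted; the allowed-character set is the documented default of Dovecot's auth_username_chars setting, which is an assumption about the poster's configuration; and the example checks the user field on its own, because which field (or combination of fields) a given Dovecot version hands to that check is not something the thread establishes.

```python
"""Parse an NTLM Type 3 (AUTHENTICATE) message and apply a Dovecot-style
username character check.

Added example, not code from the mailing-list thread or from Dovecot.
Message layout follows the NTLMSSP AUTHENTICATE_MESSAGE structure
(MS-NLMP); the allowed-character set is Dovecot's documented default
for auth_username_chars, assumed here and not shown in the thread."""
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
NEGOTIATE_NTLM = 0x00000200
HEADER_LEN = 64  # signature, type, six security buffers, NegotiateFlags

# Dovecot's documented default auth_username_chars (assumption about the
# poster's setup; the thread does not show this setting).
DOVECOT_DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)


def _add_field(payload, data):
    """Append data to the payload; return its (len, maxlen, offset) descriptor."""
    offset = HEADER_LEN + len(payload)
    payload += data
    return struct.pack("<HHI", len(data), len(data), offset)


def build_type3(domain, user, workstation, unicode=True,
                lm_response=b"\x00" * 24, nt_response=b"\x00" * 24):
    """Construct a Type 3 message. The LM/NT responses are dummies: the
    point of the exercise is the string fields, which are UTF-16LE when
    the client negotiated Unicode and OEM/ASCII otherwise."""
    flags = NEGOTIATE_NTLM | (NEGOTIATE_UNICODE if unicode else NEGOTIATE_OEM)
    codec = "utf-16-le" if unicode else "ascii"
    payload = bytearray()
    fields = b"".join([
        _add_field(payload, lm_response),
        _add_field(payload, nt_response),
        _add_field(payload, domain.encode(codec)),
        _add_field(payload, user.encode(codec)),
        _add_field(payload, workstation.encode(codec)),
        _add_field(payload, b""),  # EncryptedRandomSessionKey: none
    ])
    return (SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields
            + struct.pack("<I", flags) + bytes(payload))


def parse_type3(msg):
    """Return the domain, user and workstation strings of a Type 3 message."""
    if len(msg) < 52 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not a Type 3 (AUTHENTICATE) message")
    # Security buffers: LM response, NT response, domain, user, workstation.
    descriptors = [struct.unpack_from("<HHI", msg, 12 + 8 * i) for i in range(5)]
    for length, _maxlen, offset in descriptors:
        if offset + length > len(msg):
            raise ValueError("security buffer points outside the message")
    # Very old clients send a 52-byte header without NegotiateFlags; detect
    # that by payload starting before offset 64 and fall back to OEM strings.
    nonempty = [off for length, _m, off in descriptors if length]
    has_flags = len(msg) >= HEADER_LEN and all(off >= HEADER_LEN for off in nonempty)
    flags = struct.unpack_from("<I", msg, 60)[0] if has_flags else NEGOTIATE_OEM
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"

    def text(i):
        length, _m, offset = descriptors[i]
        return msg[offset:offset + length].decode(codec)

    return {"domain": text(2), "user": text(3), "workstation": text(4),
            "unicode": bool(flags & NEGOTIATE_UNICODE)}


def disallowed_chars(username, allowed=DOVECOT_DEFAULT_USERNAME_CHARS):
    """Characters a Dovecot auth_username_chars check would reject. An empty
    list means the name passes; a non-empty one is what Dovecot reports as
    'Username contains disallowed characters'."""
    return sorted(set(c for c in username if c not in allowed))


def check_type3(msg):
    """Parse a Type 3 message and report the user field plus rejected characters."""
    info = parse_type3(msg)
    info["disallowed"] = disallowed_chars(info["user"])
    return info


if __name__ == "__main__":
    # Constructed inputs: a plain address, the all-caps form the poster saw,
    # and a DOMAIN\user form, which contains a backslash.
    for domain, user in [("", "user@domain.tld"), ("", "USER@DOMAIN.TLD"),
                         ("DOMAIN", "DOMAIN\\user")]:
        print(check_type3(build_type3(domain, user, "WORKSTATION")))
```

Running the script shows that both the lower-case and the all-caps address pass the default character set, while a name carrying a backslash is the only one of the three that the check rejects.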

