[Dovecot] auth child abort - "Requested NTLM scheme, but we have only SSHA256"
Shawn Heisey
dovecot at elyograg.org
Mon Nov 1 16:43:37 EET 2010
On 11/1/2010 3:12 AM, LEVAI Daniel wrote:
> I noticed these messages in my logs. It seems that the user checked the
> "encrypted password" in her Outlook or something, and wants NTLM auth.
> I'm storing all the passwords as SSHA256, and when the user tries to
> auth, this happens:
Basically, if the client doesn't send cleartext and uses a different
encryption than the server, you must have the cleartext available on the
server side so you can encrypt it for comparison when a user
authenticates. Unless you want to use Microsoft's encryption or store
cleartext passwords in your database, NTLM will not be an option for
you. Cleartext tends to be a very bad idea, and most people who heavily
use UNIX or Linux are fundamentally opposed to using something
proprietary to Microsoft unless left with no other choice.
If they chose NTLM because they are concerned about security, nothing
beats TLS and/or SSL with a certificate issued by a trusted authority.
Shawn
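
The mismatch described in the reply above, as an added example that is not part of the original post: a salted one-way hash can check a password the client sends, but it cannot serve as the shared secret in a challenge-response exchange. HMAC-SHA256 is used here as a stand-in for NTLM's response computation (real NTLM keys the response on the NT hash of the password), and the password, salt and challenge are constructed values; the SSHA256 layout assumed is base64(SHA256(password + salt) + salt).

```python
import base64
import hashlib
import hmac

PREFIX = "{SSHA256}"

def make_ssha256(password: str, salt: bytes) -> str:
    """Build a salted SHA-256 entry: base64(SHA256(password + salt) + salt)."""
    digest = hashlib.sha256(password.encode() + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode()

def verify_plain(stored: str, candidate: str) -> bool:
    """PLAIN/LOGIN: the server receives the password and re-hashes it with the stored salt."""
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:32], raw[32:]
    recomputed = hashlib.sha256(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, recomputed)

def response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in challenge-response: both sides key an HMAC with the shared secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def verify_challenge(server_secret: bytes, challenge: bytes, client_response: bytes) -> bool:
    """The server can only check the response if it holds the same secret as the client."""
    return hmac.compare_digest(response(server_secret, challenge), client_response)

def demo() -> dict:
    password = "correct horse"                # constructed sample password
    salt = bytes.fromhex("0011223344556677")  # constructed, fixed for reproducibility
    stored = make_ssha256(password, salt)
    challenge = b"constructed-server-nonce"
    from_client = response(password.encode(), challenge)  # client knows the password
    stored_bytes = base64.b64decode(stored[len(PREFIX):])
    return {
        "plain_ok": verify_plain(stored, password),
        "plain_wrong": verify_plain(stored, "guess"),
        # Server that kept the cleartext can reproduce the client's response.
        "cr_with_cleartext": verify_challenge(password.encode(), challenge, from_client),
        # Server that kept only SSHA256 has nothing to key the response with.
        "cr_with_ssha256": verify_challenge(stored_bytes, challenge, from_client),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```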