On Feb 19, 2007 at 04:33:48PM -0700, Cassidy B. Larson wrote:
Started implementing the MasterUser changes to my config files so I can finally offer SPA for pop3/imap.
Things are working fine with the MasterUser (hooray!), however one of my guys started using SPA with Outlook Express and started getting another user's mailbox.
Turns out to be related to NTLM. His Outlook Express is configured for the username of 'johnsmith'. However, you'll see the NTLM took the username from his XP machine login, it appears, which is just "John". However, what is really weird is the "failed" on the "client out" line, but then the proxy went ahead and proxied to the storage server.
Here's some output from debuggage:
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH 1 NTLM service=POP3 lip=204.17.177.60 rip=209.33.215.142 resp=
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out: CONT 1
dovecot: Feb 19 16:15:56 Info: auth-worker(mail.infowest.com): sql(John, 209.33.215.142): query: SELECT a.clearpasswd AS password, v.storeIP AS host, CONCAT(IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)),'*masteruser') AS destuser, 'Y' AS nologin, 'Y' AS nodelay,
'Y' AS proxy, 'masterpass' AS pass FROM iwmailsystem.virtmailbox AS v INNER JOIN iwmailsystem.popservers AS p ON ( p.storeIP = '204.17.177.60') INNER JOIN authenticate.users AS a ON (a.userID = IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host))) WHERE v.userID = IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)) AND v.client_active=1;
^^^^^^^^^^^^^ Hmm, suspicious.
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): password(John, 209.33.215.142): Credentials: 8447128CC04AD05D1CD15F0C2F17F136
Seems like your SELECT returned some data about user 'John' with proxy=Y and dovecot preferred proxy=Y over authentication failure...
dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out: FAIL 1 user=John host=204.17.177.76 destuser=john@host.com*masteruser nologin proxy pass=masterpass
dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to 204.17.177.76:110: user=<John>, method=NTLM, rip=209.33.215.142, lip=204.17.177.60
Questions:
- So is it possible to use OE for SPA authentication without it sending the "XP username", but the actual account username OE is configured for?
No. Microsoft does this intentionally to provide so-called "single sign-on".
- Why, when it "FAIL"ed did it still proxy? This seems bad :)
We should ask Timo I think :)
--
Andrey Panin | Linux and UNIX system administrator
pazke@donpac.ru | PGP key: wwwkeys.pgp.net
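Added example, not part of the thread and not Dovecot code: a small Python script that reads auth debug lines of the shape posted above and reports requests whose "client out" reply was FAIL with proxy fields but for which pop3-login nevertheless started proxying, listing the user name the mechanism supplied and the destuser it was forwarded as. It also refuses to copy the pass= field out of the log, since the debug output above writes the master password at Info level. The first five sample lines are the ones posted in the thread; the PLAIN request 2 that fails without proxy fields is constructed for contrast. Correlating the proxy line with the auth request by (user, rip) is an assumption about these logs, not a Dovecot guarantee.

```python
import re

# Request 1: lines reproduced from the thread above.
# Request 2: constructed PLAIN login that fails without proxy fields, for contrast.
SAMPLE_LOG = """\
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH 1 NTLM service=POP3 lip=204.17.177.60 rip=209.33.215.142 resp=
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out: CONT 1
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): password(John, 209.33.215.142): Credentials: 8447128CC04AD05D1CD15F0C2F17F136
dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out: FAIL 1 user=John host=204.17.177.76 destuser=john@host.com*masteruser nologin proxy pass=masterpass
dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to 204.17.177.76:110: user=<John>, method=NTLM, rip=209.33.215.142, lip=204.17.177.60
dovecot: Feb 19 16:20:01 Info: auth(mail.infowest.com): client in: AUTH 2 PLAIN service=POP3 lip=204.17.177.60 rip=203.0.113.10 resp=
dovecot: Feb 19 16:20:01 Info: auth(mail.infowest.com): client out: FAIL 2 user=johnsmith@host.com
"""

AUTH_IN = re.compile(r"client in: AUTH (\d+) (\S+) service=(\S+) lip=(\S+) rip=(\S+)")
CLIENT_OUT = re.compile(r"client out: (OK|FAIL|CONT) (\d+)(.*)$")
PROXY_START = re.compile(
    r"proxy\((\S+)\): started proxying to (\S+): user=<[^>]*>, method=([^,\s]+), rip=([^,\s]+)")

SECRET_FIELDS = {"pass", "password"}  # never copy these out of the log


def parse_auth_log(text):
    """Return (auth requests keyed by request id, list of proxy-start events)."""
    requests, proxied = {}, []
    for line in text.splitlines():
        m = AUTH_IN.search(line)
        if m:
            rid, mech, service, lip, rip = m.groups()
            requests[rid] = {"id": rid, "mech": mech, "service": service,
                             "lip": lip, "rip": rip, "reply": None,
                             "fields": {}, "flags": set()}
            continue
        m = CLIENT_OUT.search(line)
        if m:
            reply, rid, rest = m.groups()
            req = requests.get(rid)
            if req is None or reply == "CONT":  # CONT is a SASL continuation, not a result
                continue
            req["reply"] = reply
            # Reply payload: key=value pairs plus bare flags such as nologin / proxy.
            for tok in rest.split():
                if "=" in tok:
                    k, v = tok.split("=", 1)
                    req["fields"][k] = v
                else:
                    req["flags"].add(tok)
            continue
        m = PROXY_START.search(line)
        if m:
            user, target, method, rip = m.groups()
            proxied.append({"user": user, "target": target, "method": method, "rip": rip})
    return requests, proxied


def proxied_after_fail(requests, proxied):
    """Requests answered FAIL with proxy fields that were then proxied anyway.

    The proxy line carries no request id, so it is matched to the auth request
    by (user, rip); that pairing is an assumption about these logs.
    """
    hits = []
    for req in requests.values():
        if req["reply"] != "FAIL" or "proxy" not in req["flags"]:
            continue
        # For NTLM this "user" is whatever name the client's NTLM exchange carried
        # (the Windows logon name, per the thread), not the account OE was configured for.
        user = req["fields"].get("user")
        for p in proxied:
            if p["user"] == user and p["rip"] == req["rip"]:
                hits.append({
                    "id": req["id"], "mech": req["mech"], "user": user, "rip": req["rip"],
                    "destuser": req["fields"].get("destuser"), "target": p["target"],
                    # Redact pass=/password= from anything reported or stored.
                    "other_fields": {k: v for k, v in req["fields"].items()
                                     if k not in SECRET_FIELDS | {"user", "destuser"}},
                })
    return hits


if __name__ == "__main__":
    reqs, prox = parse_auth_log(SAMPLE_LOG)
    for h in proxied_after_fail(reqs, prox):
        print(f"request {h['id']}: {h['mech']} login as user={h['user']} from {h['rip']} "
              f"got FAIL with proxy fields, yet was forwarded to {h['target']} "
              f"as destuser={h['destuser']}")
```

Run against a real log, the interesting output is the pair user= / destuser=: when the mechanism is NTLM, a destuser that does not belong to the person at that client address is exactly the mailbox mix-up described above.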