On June 27, 2016 at 8:50 PM Gregory Sloop <gregs@sloop.net> wrote:
TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
While continuing to test gssapi, I thought I'd check out your suggestion on NTLM v1. I did set Thunderbird to NTLM v1 ...
TT> You are aware, I hope, that NTLM v1 is well over 20 years old and
TT> is trivially compromised today. Basically, it's about as secure as
TT> sending plaintext passwords. Since you're supporting SSL on your
TT> Dovecot server, why not require it, and not bother with NTLM auth?
I can't speak for the OP, but I suspect he'd like to use an SSO for dovecot, utilizing the same credentials as are in their Samba AD infrastructure. [Thus, have Dovecot submit authentications for dovecot to the AD domain and get an ack/nak on success.] So, he's not eager to use NTLMv1, but isn't getting much love in how to set up proxy auth against AD. [I suspect asking on the Samba list isn't a bad idea, but I'm surprised he hasn't gotten some good pointers here. There really ought to be a FAQ or white paper on it, and I'm dismayed there isn't.]
-Greg
It's not a much-used feature, as most with AD are probably using Exchange. I'll have a look at the NTLM authentication and see if we can improve its documentation.
Aki Tuomi Dovecot oy