Hi List,
I am using Dovecot 2.1.12 with NTLM authentication enabled. Dovecot is set up in a cluster with directors, with 60 000 simultaneous connections. I have noticed that NTLM authentication is processed differently for Thunderbird and Outlook 2010 users. It actually makes Outlook 2010 clients query LDAP more often than Thunderbird ones, which is potentially not good for overall performance. Dovecot does not see a domain in the NTLM Type 3 message, but it does exist there. Could somebody please explain why this is happening?
Tcpdump Thunderbird:
IP proxy.netregistry.net.19228 > dovecot-test-1.private.netregistry.net.pop3 E..3..@.}..........)K..n#...9...P..qXT..AUTH NTLM
IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.19228 E..,..@.@.,....).....nK.9...#...P....W..+
IP proxy.netregistry.net.19228 > dovecot-test-1.private.netregistry.net.pop3 E..V..@.}..........)K..n#...9...P..m.n..TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.19228 E.....@.@.,@...).....nK.9...#..:P.......+ TlRMTVNTUAACAAAAHAAcADAAAAAFAooAbuK/LV9v9xIAA AAAAAAAACQAJABMAAAAZABvAHYAZQBjAG8AdAAtAHQAZQBzAHQALQAxAAMAHABkAG8 AdgBlAGMAbwB0AC0AdABlAHMAdAAtADEAAAAAAA==
IP proxy.netregistry.net.19228 > dovecot-test-1.private.netregistry.net.pop3 E..&..@.}..........)K..n#..:9...P...|...TlRMTVNTUAADAAAAGAAYAIwAAAAYABgApAAAAAAAAABAAA AAOAA4AEAAAAAUABQAeAAAAAAAAAAAAAAABQIIAG0AaQBnAHIAYQB0AGkAbwBuAC4AdAB lAHMAdABAAG4AZQB0AHcAbwByAGsALgBpAGQALgBhAHUAbQB5AHAAcgBvAGoAZQBjAHQA cwBEqdTLLSMLdQAAAAAAAAAAAAAAAAAAAADZv(...)=
Base64 decoding of the last message (NTLM Type 3): NTLMSSP?.m.i.g.r.a.t.i.o.n...t.e.s.t.@.n.e.t.w.o.r.k...i.d...a.u.m.y.p.r.o.j.e.c.t.s.D-#?u.......................(....)Nh\P
- IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.19228 E..(..@.@.,....).....nK.9...#..8P.. .'..
- IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.19228 E..8..@.@.,....).....nK.9...#..8P.. .c..+OK Logged in.
From logs:
Nov 19 18:14:53 dovecot-test-1 dovecot: auth: Debug: ldap(migration.test@network.id.au,203.30.252.5,<sI7Ga4LrOADLHvwF>): pass search: base=ou=email, dc=netregistry, dc=net scope=subtree filter=(&(objectClass=nrPOPAccount)(uid=migration.test@network.id.au)) fields=uid,userPassword
Nov 19 18:14:53 dovecot-test-1 dovecot: auth: Debug: ldap(migration.test@network.id.au,203.30.252.5,<sI7Ga4LrOADLHvwF>): result: uid=migration.test@network.id.au userPassword=Secret123
All good.
Outlook 2010:
IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3 E..3..@.}..........)...n...Q..f9P..qOv..AUTH NTLM
IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129 E..,..@.@.P....).....n....f9...\P....W..+
IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3 E..b..@.}..........)...n...\..f=P..m....TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129 E.....@.@.Pe...).....n....f=....P.......+ TlRMTVNTUAACAAAAHAAcADAAAAAFAooAQlAQ6i5tIiIAAAAAAAAAACQAJA BMAAAAZABvAHYAZQBjAG8AdAAtAHQAZQBzAHQALQAxAAMAHABkAG8AdgBlAGMAbwB0AC0AdABlAHM AdAAtADEAAAAAAA==
IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3 E.....@.}..........)...n......f.P....c..TlRMTVNTUAADAAAAGAAYAJIAAAAYABgAqgAAABoAGgBIAAAAHAAcAGIAAAAUA BQAfgAAAAAAAADCAAAABQKIAgUBKAoAAAAPbgBlAHQAdwBvAHIAawAuAGkAZAAuAGEAdQBtAGkAZwByAG EAdABpAG8AbgAuAHQAZQBzAHQATQBZAFAAUgBPAEoARQBDAFQAUwADFLugRfGh3gAAAAAAAAAAAAAAAA AAAAA(...)=
Base64 decoding of the last message (NTLM Type 3): NTLMSSP.....................H....b..~.?????( ...?n.e.t.w.o.r.k...i.d...a.u.m.i.g.r.a.t.i.o.n...t.e.s.t.M.Y.P.R.O.J.E.C.T.S.??E..(....)..q?%/
- IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129 E..(..@.@.Q....).....n....f.....P.. .5..
- IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129 E..E..@.@.P....).....n....f.....P.. .p..-ERR Authentication failed.
From logs:
Nov 19 18:33:24 dovecot-test-1 dovecot: auth: Debug: ldap(migration.test,203.30.252.5, ): pass search: base=ou=email, dc=netregistry, dc=net scope=subtree filter=(&(objectClass=nrPOPAccount)(uid=migration.test)) fields=uid,userPassword
Nov 19 18:33:24 dovecot-test-1 dovecot: auth: ldap(migration.test,203.30.252.5, ): unknown user
Well, WHERE is my domain in the LDAP query? :)
IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3 E..K..@.}..........)...n......f.P...X,..USER migration.test@network.id.au
IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129 E..(..@.@.P....).....n....f.....P.. ....
IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129 E..-..@.@.P....).....n....f.....P.. .X..+OK
IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3 E..7..@.}..........)...n......f.P...l;..PASS Secret123
IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129 E..(..@.@.P....).....n....f.....P.. ....
IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129 E..8..@.@.P....).....n....f.....P.. .c..+OK Logged in.
Configuration file
This is the LDAP configuration on one of the director servers where clients are authenticated.
uris = ldap://ldap-node-2.mynetwork.net, ldap://ldap-node-3.mynetwork.net
debug_level = 0
base = ou=email, dc=netregistry, dc=net
user_attrs = homeDirectory=home, uidNumber=uid, gidNumber=gid, mailQuotaSize=quota_rule=*:storage=%$
user_filter = (&(objectClass=nrPOPAccount)(uid=%u))
pass_attrs = uid=user, userPassword=password, =proxy=y, =destuser=%u, =pass=Secret456
pass_filter = (&(objectClass=nrPOPAccount)(uid=%u))
default_pass_scheme = PLAIN
Regards,
Alexandr Sabitov
System Administrator
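To make the difference between the two Type 3 messages visible without a packet dump, here is an added example (not code from the post or from Dovecot) that builds and parses the six security buffers of an NTLM Type 3 message. The two sample messages are constructed to carry the same domain/user/workstation strings the decoded dumps show: Thunderbird leaves the domain buffer empty and puts the whole address in the user buffer, Outlook 2010 splits the address into domain and user. The login_name() helper is a hypothetical illustration of the two ways a server could derive the account name it looks up in LDAP.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Security-buffer order in a Type 3 message: LM response, NT response,
# target (domain) name, user name, workstation name, session key.
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
FLAG_UNICODE = 0x00000001   # NTLMSSP_NEGOTIATE_UNICODE: string buffers are UTF-16LE


def build_type3(domain, user, workstation, flags=FLAG_UNICODE):
    """Construct a minimal Type 3 message (constructed sample data, not a real
    authentication): zero-filled 24-byte LM/NT responses, no version block."""
    header_len = 8 + 4 + 6 * 8 + 4          # signature + type + 6 buffers + flags
    payload, bufs = b"", []
    for data in (b"\x00" * 24, b"\x00" * 24, domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""):
        # each buffer: length, max length (uint16 LE) and offset (uint32 LE)
        bufs.append(struct.pack("<HHI", len(data), len(data), header_len + len(payload)))
        payload += data
    raw = SIGNATURE + struct.pack("<I", 3) + b"".join(bufs) + struct.pack("<I", flags) + payload
    return base64.b64encode(raw).decode()


def parse_type3(b64):
    """Return the six security buffers of a base64 Type 3 message; string
    buffers are decoded, the offsets in the message decide where they live."""
    raw = base64.b64decode(b64)
    if raw[:8] != SIGNATURE or struct.unpack_from("<I", raw, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", raw, 60)[0]
    out = {}
    for i, name in enumerate(FIELDS):
        length, _maxlen, offset = struct.unpack_from("<HHI", raw, 12 + 8 * i)
        data = raw[offset:offset + length]
        if name in ("domain", "user", "workstation"):
            data = data.decode("utf-16-le" if flags & FLAG_UNICODE else "ascii")
        out[name] = data
    return out


def login_name(b64, use_domain):
    """Hypothetical: the name a server would look up, either the user buffer
    alone (what the log above shows) or user@domain when a domain was sent."""
    t3 = parse_type3(b64)
    if use_domain and t3["domain"]:
        return "%s@%s" % (t3["user"], t3["domain"])
    return t3["user"]


# Constructed reproductions of the strings the two clients sent in the dumps.
THUNDERBIRD = build_type3("", "migration.test@network.id.au", "myprojects")
OUTLOOK = build_type3("network.id.au", "migration.test", "MYPROJECTS")
```

Both constructed messages start with the same "TlRMTVNTUAADAAAA" prefix as the captured ones, and login_name(OUTLOOK, False) yields the bare "migration.test" that appears in the failing LDAP filter.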