Looking for NTLM config example
Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take another run at setting up NTLM authentication from Thunderbird to my Samba4 AD/DC.
With the help of the samba maillist folks I was able to set up NTLM authentication for domain user login. I should be able to do the same for email!
But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference to "NTLM password scheme".
The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and http://wiki2.dovecot.org/Authentication/PasswordSchemes tell you what the 4 NTLM authentication submethods are, what password schemes are, and what the NTLM client/server handshake is, but don't actually tell you how to configure the dovecot config files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, MITM can't force downgrade" ... whatever that means.
Anyway, probably it's my lack of understanding of the terminology. I don't even know what a "nonce" is. But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM and any other supporting settings or configs I need?
My current/working dovecot settings, which have been running perfectly for well over a year now, are:
$ dovecot -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
userdb {
  driver = passwd
}
verbose_ssl = yes
Here's what I've tried so far as 10-auth.conf:
disable_plaintext_auth = no
auth_use_winbind = yes
info_log_path = /var/log/dovecot_info
auth_verbose = yes
auth_debug_passwords = yes
auth_verbose_passwords = plain
auth_winbind_helper_path = /usr/bin/ntlm_auth

auth_mechanisms = ntlm plain login

userdb {
  driver = passwd
  args = username_format=%n allow_all_users=yes
}
Which gives me a dovecot -n of:
$ dovecot -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
userdb {
  args = username_format=%n allow_all_users=yes
  driver = passwd
}
verbose_ssl = yes
I configured Thunderbird for NTLM authentication, then tried sending a message, and got the following in /var/log/dovecot_info:
Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
On Thunderbird I got the error, "Sending of the message failed. The Outgoing server (SMTP) my.server.name does not support the selected authentication method. Please change the 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
Clearly, something is configured wrong, but I've no clue what.
Can I get some advice?
THX --Mark
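A small classifier over log lines of this shape, added here as an example and not part of Mark's post or of Dovecot itself: it separates the "Auth process broken" disconnects quoted above (the login process gave up because the auth process was not ready, which is a server-side condition) from ordinary "auth failed" disconnects, so a dead auth service is neither read as a credential problem nor counted as password guessing. The sample log is constructed: the two "Auth process broken" lines follow the format above with the addresses replaced by documentation ranges, and the "auth failed" line is written in Dovecot's usual disconnect format.

```python
"""Classify Dovecot imap-login disconnects from an info log.

Added example, not from the thread and not Dovecot code. 'Auth process
broken' means imap-login lost its auth process before it was ready (server
side); 'auth failed' means a client presented credentials that were rejected.
"""
import re
from collections import Counter

# Constructed sample: the 'Auth process broken' lines follow the format in
# the thread (addresses replaced with documentation ranges); the 'auth
# failed' line is constructed in Dovecot's usual disconnect format.
SAMPLE_LOG = """\
Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.58, lip=198.51.100.7, session=<sampleA>
Apr 22 01:38:10 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<mark>, method=PLAIN, rip=192.0.2.58, lip=198.51.100.7, TLS, session=<sampleB>
Apr 22 01:38:12 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.99, lip=198.51.100.7, session=<sampleC>
"""

RIP_RE = re.compile(r"\brip=([0-9A-Fa-f.:]+)")
USER_RE = re.compile(r"\buser=<([^>]*)>")


def classify(line):
    """Return a dict describing an imap-login disconnect, or None for any
    other line (SSL debug chatter, auth module loading, ...)."""
    if "imap-login: Info: Disconnected" not in line:
        return None
    if "Auth process broken" in line:
        kind = "auth_service_broken"   # auth process died or never came up
    elif "auth failed" in line:
        kind = "auth_failed"           # credentials presented and rejected
    else:
        kind = "other_disconnect"
    rip = RIP_RE.search(line)
    user = USER_RE.search(line)
    return {
        "kind": kind,
        "rip": rip.group(1) if rip else None,
        "user": user.group(1) if user else "",
    }


def summarize(log_text):
    """Count disconnects by kind and failed attempts per client address, and
    say which problem to chase first."""
    kinds = Counter()
    failed_by_rip = Counter()
    for line in log_text.splitlines():
        event = classify(line)
        if event is None:
            continue
        kinds[event["kind"]] += 1
        if event["kind"] == "auth_failed":
            failed_by_rip[event["rip"]] += 1
    if kinds["auth_service_broken"]:
        verdict = ("auth service not ready: fix the server auth configuration "
                   "before reading failures as bad credentials")
    elif kinds["auth_failed"]:
        verdict = ("auth service up: failures are credential rejections, "
                   "review the per-address counts")
    else:
        verdict = "no auth-related disconnects"
    return {
        "kinds": dict(kinds),
        "failed_by_rip": dict(failed_by_rip),
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    # Run stand-alone on the constructed sample; feed a real log via stdin
    # by replacing SAMPLE_LOG with sys.stdin.read().
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

The point of keeping the two kinds apart is operational: a burst of "Auth process broken" lines with user=<> is an outage of the auth service, not an attack, and treating it as failed logins both hides the outage and inflates any brute-force counter keyed on rip.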
I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
Does NTLM authentication work in Dovecot?
I'll post this one last time. If I still have no responses I'll have to conclude that no one has actually tried this authentication method and it therefore does not work.
Thanks, --Mark
-----Original Message-----
From: Mark Foley <mfoley@ohprs.org>
Date: Fri, 22 Apr 2016 02:07:24 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Looking for NTLM config example
It should work. Although if you are using a Linux server you might want to use gssapi instead.
On June 25, 2016 at 7:43 PM Mark Foley <mfoley@ohprs.org> wrote:
Aki Tuomi
Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying you've not actually tried NTLM yourself, right? I've never gotten a response from someone saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.
That's OK, I'd be glad to try something different that would work!!! I am trying your advice for gssapi. I've followed the instructions at http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the auth_mechanism line to:
auth_mechanisms = plain login gssapi
Which is only different from before with the addition of "gssapi". That's all I've done. I'm using the same userdb as before which is /etc/passwd. My doveconf -n is:
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
----------SNIP------------
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes
------------PINS-------------
I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I got the following in my Dovecot log:
Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>
So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file needed? If so, I've got a message in to the Samba4 folks asking where it is located.
I'm also using Dovecot 2.2.15. Too old?
Do you think auth_krb5_keytab is my problem or something deeper?
THX --Mark
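The doveconf dumps in this thread (the NTLM attempt in the first post and the gssapi attempt above) can be checked mechanically. The following linter is an added example, not Dovecot's code and not from the thread. It parses the key = value / section { } text that doveconf -n prints (one level of nesting, which covers the dumps above) and reports what a reviewer would look at first: whether a passdb section exists at all (the working dump in the first post has passdb { driver = shadow }, while the NTLM attempt's dump has none, and plain/login need one), whether ntlm is paired with auth_use_winbind = yes, whether gssapi has an explicit auth_krb5_keytab, and whether auth_debug_passwords / auth_verbose_passwords are still copying credentials into the log. Since doveconf -n prints only settings that differ from their defaults, a setting absent from the dump means the default is in effect, so the keytab and winbind-helper findings are informational rather than errors. The sample dumps, the finding codes and the script name doveconf_lint.py are my own.

```python
"""Lint a `doveconf -n` dump for the mechanism prerequisites this thread
turns on (ntlm via winbind, gssapi via a Kerberos keytab) and for debug
settings that log credentials in clear.

Added example, not Dovecot code and not from the thread. The parser is a
small hand-written reader for the text doveconf -n prints, one level of
`section { }` nesting deep.
"""
import re
import sys

# Constructed samples, reduced from the dumps in the thread (certificate
# paths replaced with placeholders).
SAMPLE_NTLM = """\
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
auth_debug_passwords = yes
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
protocols = imap
ssl_cert = </path/to/server.crt
ssl_key = </path/to/server.key
userdb {
  args = username_format=%n allow_all_users=yes
  driver = passwd
}
verbose_ssl = yes
"""

SAMPLE_GSSAPI = """\
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose_passwords = plain
disable_plaintext_auth = no
passdb {
  driver = shadow
}
protocols = imap
userdb {
  driver = passwd
}
"""

SECTION_RE = re.compile(r"^(\w+)(?:\s+\S+)?\s*\{$")


def parse_doveconf(text):
    """Return (settings, sections): top-level key/value pairs and a list of
    (section_name, {key: value}) for each `name { }` block."""
    settings, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), {})
            sections.append(current)
            continue
        if line == "}":
            current = None
            continue
        # split on the first '=' only: values such as args = a=b c=d keep theirs
        key, _, value = line.partition("=")
        target = current[1] if current is not None else settings
        target[key.strip()] = value.strip()
    return settings, sections


def lint(text):
    """Return a list of (code, message) findings in check order."""
    settings, sections = parse_doveconf(text)
    mechs = set(settings.get("auth_mechanisms", "plain").split())  # Dovecot default: plain
    section_names = {name for name, _ in sections}
    findings = []

    if "passdb" not in section_names:
        findings.append(("NO_PASSDB",
            "no passdb section: plain/login have nothing to verify credentials against"))
    if "ntlm" in mechs and settings.get("auth_use_winbind") != "yes":
        findings.append(("NTLM_WITHOUT_WINBIND",
            "ntlm is offered but auth_use_winbind is not yes"))
    if "ntlm" in mechs and "auth_winbind_helper_path" not in settings:
        findings.append(("NTLM_DEFAULT_HELPER",
            "auth_winbind_helper_path not shown: the default /usr/bin/ntlm_auth is used; confirm it exists"))
    if "gssapi" in mechs and "auth_krb5_keytab" not in settings:
        findings.append(("GSSAPI_DEFAULT_KEYTAB",
            "auth_krb5_keytab not shown: the system default keytab is used; confirm it holds the imap/ service key"))
    if (settings.get("auth_debug_passwords") == "yes"
            or settings.get("auth_verbose_passwords", "no") != "no"):
        findings.append(("PASSWORDS_LOGGED",
            "auth_debug_passwords / auth_verbose_passwords copy credentials into the log; turn off after debugging"))
    if settings.get("disable_plaintext_auth") == "no":
        findings.append(("PLAINTEXT_AUTH_ALLOWED",
            "disable_plaintext_auth = no allows plain/login on unencrypted connections"))
    return findings


if __name__ == "__main__":
    # Usage (hypothetical file name): doveconf -n | python3 doveconf_lint.py
    for code, message in lint(sys.stdin.read()):
        print(f"{code}: {message}")
```

Run against the NTLM dump the linter reports the missing passdb and the two logging settings; against the gssapi dump it reports only that the keytab is the system default, which is exactly the question raised above, plus the same logging settings.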
-----Original Message-----
Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
From: aki.tuomi@dovecot.fi
To: dovecot@dovecot.org
Subject: Re: Looking for NTLM config example
It should work. Although if you are using linux server you might want to use gssapi instead.
On June 25, 2016 at 7:43 PM Mark Foley <mfoley@ohprs.org> wrote:
I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
Does NTLM authentication work in Dovecot?
I'll post this one last time. If I still have no responses I'll have to conclude that no one has actually tried this authentication method and it therefore does not work.
Thanks, --Mark
-----Original Message----- From: Mark Foley <mfoley@ohprs.org> Date: Fri, 22 Apr 2016 02:07:24 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: Looking for NTLM config example
Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC.
With the help of the samba maillist folks I was able to set up NTLM authentication for domain user login. I should be able to do the same for email!
But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference to "NTLM password scheme".
The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM authentication submethods are, tells you what password schemes are, tells you what the NTLM client/server handshake is, but doesn't actually tell you how to configure dovecot config files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, MITM can't force downgrade" ... whatever that means.
Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML and any other supporting settings or configs I need?
My current/working dovecot settings, which have been running perfectly for well over a year now, are:
$ dovecot -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir passdb { driver = shadow } protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key userdb { driver = passwd } verbose_ssl = yes
Here's what I've tried so far as 10-auth.conf:
disable_plaintext_auth = no auth_use_winbind = yes info_log_path = /var/log/dovecot_info auth_verbose = yes auth_debug_passwords = yes auth_verbose_passwords= plain auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_mechanisms = ntlm plain login
userdb { driver = passwd args = username_format=%n allow_all_users=yes
}
Which gives me a dovecot -n of:
$ dovecot -n # 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Linux 3.10.17 x86_64 Slackware 14.1 auth_debug_passwords = yes auth_mechanisms = ntlm plain login auth_use_winbind = yes auth_verbose = yes auth_verbose_passwords = plain disable_plaintext_auth = no info_log_path = /var/log/dovecot_info mail_location = maildir:~/Maildir protocols = imap ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key userdb { args = username_format=%n allow_all_users=yes driver = passwd } verbose_ssl = yes
I configured Thunderbird for NTLM authentication, then tried sending a message, I got the following in /var/log/dovecot_info:
Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) my.server.name does not support the selected authentication method. Please change the 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'."
Clearly, something is configured wrong, but I've no clue what.
Can I get some advice?
THX --Mark
Aki Tuomi
On 27.06.2016 07:31, Mark Foley wrote:
Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying you've not actually tried NTLM yourself, right? I've never gotten a response from someone saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.
That's OK, I'd be glad to try something different that would work!!! I am trying your advice for gssapi. I've followed the instructions at http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the auth_mechanism line to:
auth_mechanisms = plain login gssapi
Which is only different from before with the addition of "gssapi". That's all I've done. I'm using the same userdb as before which is /etc/passwd. My doveconf -n is:
doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
----------SNIP------------
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes
------------PINS-------------
I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I got the following in my Dovecot log:
Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>
So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file needed? If so, I've got a message in to the Samba4 folks asking where it is located.
I'm also using Dovecot 2.2.15. Too old?
Do you think auth_krb5_keytab is my problem or something deeper?
THX --Mark
You need to set up a keytab. I'll assume you know nothing about kerberos, so if you already knew all this, sorry.
For kerberos to work PROPERLY you need to have
- Functional AD or Kerberos environment
- Time synced against your KDC (which is your Domain Controller on Windows)
- /etc/krb5.conf configured
- Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
- You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
Only bullet 5 is really about Dovecot, but since this information is usually rather hard to gather, I'll recap these things here:
- Time sync
Install ntpd and configure it to use *your* *ad* *server*. (Not some generic service).
- /etc/krb5.conf
Here is a *SAMPLE* configuration:
[libdefaults]
    default_realm = YOUR.REALM
    dns_lookup_kdc = true
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true

[realms]
    YOUR.REALM = {
        default_domain = your.domain.name
        auth_to_local_names = {
            Administrator = root
        }
    }

[domain_realm]
    your.domain.name = YOUR.REALM
    # this is not a mistake
    .your.domain.name = YOUR.REALM

[login]
    krb4_convert = true
    krb4_get_tickets = false
Note that some windows environments require additional configuration to get this working.
- Forward/reverse DNS.
For your *server* this is an *absolute* must. It has to match for your clients and your server. So if your server name is mail.example.org, and it has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It will give you strange and convoluted errors otherwise.
- Keytab
This is a bit tricky to generate, and there are various ways to do this. You can install samba, join it to your domain and use the samba tools to generate a keytab. It's not a bad idea, just remember to add the required SPNs (service principal names) to the machine account. setspn -q is helpful here, as is the setspn command in general.
You can use either the system keytab file (/etc/krb5.keytab), or you can put the dovecot-specific entries (mainly IMAP/something) into a dedicated keytab for the service. Either way you need to tell dovecot about it with the auth_krb5_keytab setting.
You should have at least the following entries in your keytab file. You can see them with klist -k /path/to/keytab. The KVNO can be different.
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 IMAP/mail.example.org@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 IMAP/MAIL@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
This will at least get you somewhere. Kerberos is notoriously hard to debug, but it usually is about
a) DNS
b) Keytab
c) Mismatch of some name somewhere
d) Encryption type support
Also, note that kerberos can only act as AUTHENTICATION system. It cannot act as USER DATABASE. For that you need to configure LDAP or something else. With Active Directory LDAP is probably a damn good idea.
If you want to try something else first, which I recommend for the server in any case, see if you can get sssd working with Kerberos and LDAP. If you get that working, it's not very difficult anymore to get Dovecot running with it.
Aki Tuomi Dovecot oy
Aki, again, thanks A LOT for your reply. Concerning your checklist:
- Functional AD or Kerberos environment
Check!
- Time synced against your KDC (which is your Domain Controller on Windows)
Check! (needed for AD/DC anyway)
- /etc/krb5.conf configured
NO
- Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
Check!
- You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
NO
So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal Kerberos and when I provisioned my domain apparently none of these needed kerberos files were set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.
I will (and have already) contacted the Samba list to see what needs to be done.
I'll post back what I find.
Maybe I can finally get to the bottom of this problem.
Thanks again -- Mark
Hi,
On 27-06-2016 08:58, Mark Foley wrote:
So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal Kerberos and when I provisioned my domain apparently none of these needed kerberos files were set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.
You don't need any Samba4 stuff, to get it working. Samba is great, but can be hard to get right. I tend to steer clear of Samba when I don't really need it.
My first experience was with an OTRS helpdesk install, and trying to get it to do SSO. I was helped a great deal by wireshark, and this website: http://www.grolmsnet.de/kerbtut/
On a sidenote: mod_auth_kerb is rather ancient, in computer-terms. You'd be better off with mod_auth_gssapi. In the case of Dovecot we are not using Apache, of course.
With Dovecot I got the SSO working with Kerberos, and this part is working great. Other parts (shared mailboxes, that sort of stuff) aren't working for me yet. This is my own fault, not a dovecot one, haven't looked into it enough. Anyway, the SSO is working great.
One of the tricky bits is you need a kerberos keytab with two services. I used ktutil:
# ktutil
ktutil: read_kt mail-imap.keytab
ktutil: read_kt mail-smtp.keytab
ktutil: write_kt mail.keytab
ktutil: quit
I'm using a windows 2003 r2 server as domain controller, to create a keytab file you need the windows 2003 support tools.
ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab
Most instructions on the internet do not quite work out that well. RC4-HMAC-NT crypto is needed if you still have Windows XP machines. It should work with a newer crypto but have not tested that. FYI: Kerberos service names (imap, smtp) are sometimes capitalised, mostly when using HTTP. Great, isn't it?
On the dovecot server I had to install a kerberos package:
# yum install krb5-workstation
(I am using CentOS7, but it should not be too hard to translate this to your own distro)
My kerberos configuration:
# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GCECAD-SERVICE.LOCAL
 default_keytab_file = /etc/krb5.keytab
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true
 default_tkt_enctypes = arcfour-hmac-md5
 default_tgs_enctypes = arcfour-hmac-md5
 permitted_enctypes = arcfour-hmac-md5

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }

[realms]
 GCECAD-SERVICE.LOCAL = {
   kdc = this.is.the.dns.name.of.your.kdc
   admin_server = this.is.the.dns.name.of.your.kdc
 }

[domain_realm]
 .gcecad-service.local = GCECAD-SERVICE.LOCAL
 gcecad-service.local = GCECAD-SERVICE.LOCAL
 .gcecad-service.nl = GCECAD-SERVICE.LOCAL
 gcecad-service.nl = GCECAD-SERVICE.LOCAL
Dovecot config, the needed parts:
In /etc/dovecot/conf.d/10-auth.conf :
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = plain gssapi

In /etc/dovecot/conf.d/auth-system.conf.ext :
passdb {
  driver = pam
}
userdb {
  driver = static
  args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
}

In /etc/pam.d/dovecot :
#%PAM-1.0
auth sufficient pam_krb5.so no_user_check validate
account sufficient pam_permit.so
I'm not entirely happy with the static userdb, because of the limitations with kerberos/pam, but this can of course be changed rather easily. The hardest part is to get the SSO working. One of the limitations is stated here: http://wiki.dovecot.org/UserDatabase/Static
Postfix SMTP auth is using LMTP, reading from my notes.
I hope you can get a clearer picture with this rather long and chaotic reply.
-- Jan Jurkus | ICT Beheerder | GCE cad-service B.V. Postbus 12, 3220 AA Hellevoetsluis Daltonweg 9, 3225 LR Hellevoetsluis tel: 0181-336955 | fax: 0181-311899 j.jurkus@gcecad-service.nl | www.gcecad-service.nl
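A preflight script for Aki's checklist above and for Jan's two-service (imap, smtp) keytab: it checks a klist -k listing for the service principals Dovecot will be asked for, looks a host up through [domain_realm] the way the libraries do (exact host first, then dotted parent domains, which is what the paired "your.domain.name" / ".your.domain.name" lines in the sample cover), and compares forward and reverse DNS. This is an added example, not code from the thread, Dovecot or Samba; the realm EXAMPLE.ORG, host mail.example.org, keytab listing and krb5.conf fragment in it are constructed.

```shell
#!/bin/sh
# Preflight for Dovecot GSSAPI against an AD/Samba4 KDC, following the
# checklist in the thread: does the keytab hold the service principals
# Dovecot will be asked for, does [domain_realm] map the mail host to the
# realm, and do forward and reverse DNS agree. Added example; not code from
# the thread or from Dovecot. Realm, hosts, keytab listing and krb5.conf
# fragment below are constructed.

# Constructed `klist -k` output, shaped like the listings in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.org@EXAMPLE.ORG
   3 IMAP/mail.example.org@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 IMAP/MAIL@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG'

# Constructed krb5.conf fragment in the style of the samples in the thread.
SAMPLE_KRB5CONF='[libdefaults]
    default_realm = EXAMPLE.ORG
[domain_realm]
    example.org = EXAMPLE.ORG
    # not a mistake: the exact-host line above, the suffix line below
    .example.org = EXAMPLE.ORG'

# keytab_principals LISTING: one principal per line; header, KVNO and the
# per-enctype duplicates are dropped.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# missing_service_principals LISTING FQDN REALM SERVICE...
# For each SERVICE (imap, smtp, ...) require an entry for the FQDN and for the
# upper-case short host name, accepting either spelling of the service name
# (IMAP/ and imap/ both occur). Host and realm are matched exactly, since
# principals are case-sensitive. Prints one line per missing entry.
missing_service_principals() {
    listing=$1; fqdn=$2; realm=$3; shift 3
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    princs=$(keytab_principals "$listing")
    for svc in "$@"; do
        lower=$(printf '%s' "$svc" | tr '[:upper:]' '[:lower:]')
        upper=$(printf '%s' "$svc" | tr '[:lower:]' '[:upper:]')
        for h in "$fqdn" "$short"; do
            printf '%s\n' "$princs" |
                grep -qxF -e "$lower/$h@$realm" -e "$upper/$h@$realm" ||
                echo "missing: $upper/$h@$realm"
        done
    done
}

# realm_for_host KRB5CONF FQDN
# Look FQDN up in [domain_realm]: exact host name first, then each parent
# domain with a leading dot (.example.org, .org). Prints the realm or "none".
realm_for_host() {
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    map=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { insec = ($0 ~ /\[domain_realm\]/); next }
        insec && index($0, "=") {
            n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            print tolower(k) "=" v
        }')
    suffixes=$(printf '%s' "$host" | awk -F. '{ for (i = 2; i <= NF; i++) {
        s = ""; for (j = i; j <= NF; j++) s = s "." $j; print s } }')
    for key in "$host" $suffixes; do
        realm=$(printf '%s\n' "$map" | awk -F= -v k="$key" '$1 == k { print $2; exit }')
        if [ -n "$realm" ]; then echo "$realm"; return 0; fi
    done
    echo none
}

# same_host A B: compare names from a forward/reverse round trip, ignoring
# case and a trailing dot.
same_host() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "${a%.}" = "${b%.}" ]
}

# dns_roundtrip FQDN: forward-resolve, reverse-resolve each address, report
# "ok ADDR" or "MISMATCH ADDR -> NAME". Live check through getent (sees
# /etc/hosts and nsswitch like libkrb5 does); not run by the demo below.
dns_roundtrip() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u | while read -r addr; do
        ptr=$(getent hosts "$addr" | awk '{ print $2; exit }')
        if same_host "$ptr" "$1"; then echo "ok $addr"
        else echo "MISMATCH $addr -> ${ptr:-<no PTR>}"; fi
    done
}

# Demo on the constructed data: imap is complete, smtp is not, the realm maps.
echo "--- keytab entries missing for imap and smtp:"
missing_service_principals "$SAMPLE_KLIST" mail.example.org EXAMPLE.ORG imap smtp
echo "--- realm for mail.example.org: $(realm_for_host "$SAMPLE_KRB5CONF" mail.example.org)"
echo "--- realm for mail.other.test:  $(realm_for_host "$SAMPLE_KRB5CONF" mail.other.test)"
```

Against a real host, feed it `klist -k /etc/krb5.keytab` output and the contents of /etc/krb5.conf, and run dns_roundtrip on the IMAP server's FQDN.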
On June 28, 2016 at 12:02 AM Jan Jurkus <j.jurkus@gcecad-service.nl> wrote:
Hi,
I'm not entirely happy with the static userdb, because of the limitations with kerberos/pam, but this can of course be changed rather easily. The hardest part is to get the SSO working. One of the limitations is stated here: http://wiki.dovecot.org/UserDatabase/Static
Postfix SMTP auth is using LMTP, reading from my notes.
I hope you can get a clearer picture with this rather long and chaotic reply.
As mentioned before, you can use ldap as userdb instead of static userdb. Username matching in AD environment should be done against userPrincipalName attribute.
This should let you get rid of pam as well.
Aki Tuomi Dovecot oy
aki.tuomi@dovecot.fi wrote:
As mentioned before, you can use ldap as userdb instead of static userdb. Username matching in AD environment should be done against userPrincipalName attribute.
Do you see any problem with my continuing to use:
userdb { driver = passwd }
... with gssapi? (providing I get other configs correct)
--Mark
-----Original Message-----
Date: Tue, 28 Jun 2016 00:19:45 +0300 (EEST)
From: aki.tuomi@dovecot.fi
To: dovecot@dovecot.org
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Jan, thanks for your helpful reply. You wrote:
With Dovecot I got the SSO working with Kerberos, and this part is working great. Other parts (shared mailboxes, that sort of stuff) aren't working for me yet. ...
I'm the opposite. My mailbox setup has been working great for a year and a half, though I've not bothered with shared mailboxes yet.
I've attempted to follow your instructions, but still having problems. First, my errors:
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<Zg2Nk082LgDAqAA6>
Now, your instructions:
One of the tricky bits is you need a kerberos keytab with two services. I used ktutil:
# ktutil
ktutil: read_kt mail-imap.keytab
ktutil: read_kt mail-smtp.keytab
ktutil: write_kt mail.keytab
ktutil: quit
I'm using a windows 2003 r2 server as domain controller, to create a keytab file you need the windows 2003 support tools.
ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab
I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt mail-smtp.keytab" returned: No such file or directory while reading keytab "mail-imap.keytab"
Perhaps your subsequent ktpass commands are meant to create those. I do not have a ktpass command. I therefore do not have these files. I suppose that could be part of my problem. Can you share the actual contents of these files? I could create them by hand. Does Dovecot and/or kerberos know where to look for these?
On the dovecot server I had to install a kerberos package:
Likewise, I installed kerberos for slackware. It tested OK. I was able to do a kinit and klist per the instruction at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Contr...
My kerberos configuration:
# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
I added the [logging] section. Of note, these log files do not exist after multiple attempts with my gssapi connection. Probably a bad sign.
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GCECAD-SERVICE.LOCAL
 default_keytab_file = /etc/krb5.keytab
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true
 default_tkt_enctypes = arcfour-hmac-md5
 default_tgs_enctypes = arcfour-hmac-md5
 permitted_enctypes = arcfour-hmac-md5
I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }
I also added this [appdefaults] section.
[realms]
 GCECAD-SERVICE.LOCAL = {
   kdc = this.is.the.dns.name.of.your.kdc
   admin_server = this.is.the.dns.name.of.your.kdc
 }
I tried with and without this section. Not sure what this.is.the.dns.name.of.your.kdc is supposed to be. I changed mine to the domain FQDN of the server:
[realms]
 HPRS.LOCAL = {
   kdc = mail.hprs.local
   admin_server = mail.hprs.local
 }

[domain_realm]
 .gcecad-service.local = GCECAD-SERVICE.LOCAL
 gcecad-service.local = GCECAD-SERVICE.LOCAL
 .gcecad-service.nl = GCECAD-SERVICE.LOCAL
 gcecad-service.nl = GCECAD-SERVICE.LOCAL
I also tried with and without this section. Again, not sure what should go there. I tried:
[domain_realm]
 .hprs.local = HPRS.LOCAL
 hprs.local = HPRS.LOCAL
 .hprs.nl = HPRS.LOCAL
 hprs.nl = HPRS.LOCAL
I'm a bit skeptical on the above, as .nl is your public top level domain.
In fact, after adding these sections I got no error logged in dovecot_log, but did get a message pop up on Thunderbird saying, "Could not connect to mail server mark@ohprs.org; the connection was refused."
Dovecot config, the needed parts:
In /etc/dovecot/conf.d/10-auth.conf :
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = plain gssapi
I added those.
In /etc/dovecot/conf.d/auth-system.conf.ext :
passdb {
  driver = pam
}
userdb {
  driver = static
  args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
}
I used my same userdb and passdb settings (although I understand that passdb is not used by gssapi?)
passdb {
  driver = shadow
}
userdb {
  driver = passwd
}
In /etc/pam.d/dovecot :
#%PAM-1.0
auth sufficient pam_krb5.so no_user_check validate
account sufficient pam_permit.so
The /etc/pam.d directory did not exist so I created it and added the dovecot file as shown. The permissions are a+r.
So, no go so far, but I am encouraged that you have it working. Perhaps you can point out what I might be missing or have otherwise done wrong?
THX --Mark
Aki,
To review your 5 points:
On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
- Functional AD or Kerberos environment
- Time synced against your KDC (which is your Domain Controller on Windows)
- /etc/krb5.conf configured
- Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
- You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Contr...
As to the the keytab (#5) I did the following:
$ samba-tool domain exportkeytab /etc/krb5.keytab
which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running klist -k /etc/krb5.keytab shows me a listing of all the users and computers in the domain, mostly in triplicate. A partial list:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.
setspn -q is helpful here, also setspn command in general.
I have no such command in my system. Is that a Windows thing?
As to the /etc/krb5.conf, the default one generated by samba is:
[libdefaults]
    default_realm = HPRS.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
Here is a *SAMPLE* configuration:
    [libdefaults]
        default_realm = YOUR.REALM
        dns_lookup_kdc = true
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
krb5_config = /etc/krb5.conf
Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
    [realms]
        YOUR.REALM = {
            default_domain = your.domain.name
            auth_to_local_names = {
                Administrator = root
            }
        }
I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)
    [domain_realm]
        your.domain.name = YOUR.REALM
        # this is not a mistake
        .your.domain.name = YOUR.REALM
    [login]
        krb4_convert = true
        krb4_get_tickets = false
Likewise here a question on the whole krb4 versus krb5 thing.
Your closing comment:
Also, note that kerberos can only act as AUTHENTICATION system. It cannot act as USER DATABASE. For that you need to configure LDAP or something else. With Active Directory LDAP is probably a damn good idea.
I have the following doveconf -n:
    # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
    # OS: Linux 3.10.17 x86_64 Slackware 14.1
    auth_debug_passwords = yes
    auth_krb5_keytab = /etc/krb5.keytab
    auth_mechanisms = plain login gssapi
    auth_verbose = yes
    auth_verbose_passwords = plain
    disable_plaintext_auth = no
    info_log_path = /var/log/dovecot_info
    mail_location = maildir:~/Maildir
    passdb {
      driver = shadow
    }
    protocols = imap
    ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
    ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
    userdb {
      driver = passwd
    }
    verbose_ssl = yes
I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in any case I still have all but this test workstation NOT using gssapi, so I still need to accommodate them.
Thanks, --Mark
On 28.06.2016 09:27, Mark Foley wrote:
Aki,
To review your 5 points:
On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
- Functional AD or Kerberos environment
- Time synced against your KDC (which is your Domain Controller on Windows)
- /etc/krb5.conf configured
- Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
- You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Contr...
As to the keytab (#5) I did the following:
$ samba-tool domain exportkeytab /etc/krb5.keytab
which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running
    klist -k /etc/krb5.keytab
shows me a listing of all the users and computers in the domain, mostly in triplicate. A partial list:
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
      18 COMMON$@HPRS.LOCAL
      18 COMMON$@HPRS.LOCAL
      18 COMMON$@HPRS.LOCAL
       1 MAIL$@HPRS.LOCAL
       1 MAIL$@HPRS.LOCAL
       1 MAIL$@HPRS.LOCAL
       1 charmaine@HPRS.LOCAL
       1 charmaine@HPRS.LOCAL
       1 charmaine@HPRS.LOCAL
where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.
Strange that you do not have any host/ entries. Maybe it works without.
setspn -q is helpful here, also setspn command in general.
I have no such command in my system. Is that a Windows thing?
Yes, but you can do those kind of things in Samba too.
As to the /etc/krb5.conf, the default one generated by samba is:
    [libdefaults]
        default_realm = HPRS.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
Here is a *SAMPLE* configuration:
    [libdefaults]
        default_realm = YOUR.REALM
        dns_lookup_kdc = true
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
You can remove the krb4_ stuff
krb5_config = /etc/krb5.conf
Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
You don't necessarily require that.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
    [realms]
        YOUR.REALM = {
            default_domain = your.domain.name
            auth_to_local_names = {
                Administrator = root
            }
        }
I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)
HPRS.LOCAL is your REALM, hprs.local is your domain name.
    [domain_realm]
        your.domain.name = YOUR.REALM
        # this is not a mistake
        .your.domain.name = YOUR.REALM
    [login]
        krb4_convert = true
        krb4_get_tickets = false
Likewise here a question on the whole krb4 versus krb5 thing.
Your closing comment:
Also, note that kerberos can only act as AUTHENTICATION system. It cannot act as USER DATABASE. For that you need to configure LDAP or something else. With Active Directory LDAP is probably a damn good idea.
I have the following doveconf -n:
    # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
    # OS: Linux 3.10.17 x86_64 Slackware 14.1
    auth_debug_passwords = yes
    auth_krb5_keytab = /etc/krb5.keytab
    auth_mechanisms = plain login gssapi
    auth_verbose = yes
    auth_verbose_passwords = plain
    disable_plaintext_auth = no
    info_log_path = /var/log/dovecot_info
    mail_location = maildir:~/Maildir
    passdb {
      driver = shadow
    }
    protocols = imap
    ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
    ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
    userdb {
      driver = passwd
    }
    verbose_ssl = yes
I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in any case I still have all but this test workstation NOT using gssapi, so I still need to accommodate them.
Thanks, --Mark
passwd driver is fine, yes, if you ensure that users can be found.
Aki
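The checks behind Aki's five points can be scripted. The following is an added example, written for this thread and not code from Dovecot, Samba or anyone in the discussion. It assumes the values visible above (host mail.hprs.local, realm HPRS.LOCAL, keytab /etc/krb5.keytab) and the lowercase imap/<host>@<REALM> service principal that the Dovecot Kerberos wiki page uses; principal lookups in an MIT keytab are case-sensitive, so use whatever spelling your keytab actually holds. One caveat the listing above makes visible: `samba-tool domain exportkeytab` with no `--principal` dumps the long-term keys of every account in the domain (COMMON$, MAIL$, charmaine, ...) into a file the dovecot group can read, so a compromise of the mail server would hand over every domain credential. A service keytab should contain only this host's principals, which is what the script warns about.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot/Samba: preflight
# checks for Dovecot GSSAPI against a Samba AD DC, following Aki's five
# points. Assumed values from the thread: host mail.hprs.local, realm
# HPRS.LOCAL, keytab /etc/krb5.keytab. Dovecot's IMAP service principal is
# written here as imap/<host>@<REALM>; use the exact spelling your keytab holds.

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Parses `klist -k` output ("<kvno> <principal>" lines after the header) and
# succeeds only if PRINCIPAL is present as a complete entry.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_principals KLIST_OUTPUT: list distinct principals, so you can see
# whether the keytab holds only the mail server's keys or the whole domain.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# dns_roundtrip HOST: forward-resolve HOST, reverse-resolve the address, and
# require HOST to come back (Aki's point 4; reverse is what the server needs).
dns_roundtrip() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    getent hosts "$addr" | awk -v h="$1" '
        { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# keytab_can_kinit PRINCIPAL KEYTAB: prove the key is accepted by the KDC
# (clock skew and krb5.conf problems surface here as kinit errors).
keytab_can_kinit() {
    kinit -k -t "$2" "$1" 2>&1 && kdestroy >/dev/null 2>&1
}

# preflight HOST REALM KEYTAB: run the live checks and print one line each.
preflight() {
    host=$1; realm=$2; keytab=$3
    princ="imap/$host@$realm"
    status=0
    if listing=$(klist -k "$keytab" 2>&1); then
        if keytab_has_principal "$listing" "$princ"; then
            echo "ok:   $keytab holds $princ"
        else
            echo "FAIL: $keytab lacks $princ; on the DC, register the SPN and export only it:"
            echo "        samba-tool spn add imap/$host <machine account, e.g. MAIL\$>"
            echo "        samba-tool domain exportkeytab $keytab --principal=$princ"
            status=1
        fi
        n=$(keytab_principals "$listing" | wc -l | tr -d ' ')
        [ "$n" -le 2 ] || echo "WARN: $keytab holds $n principals; a service keytab should hold only this host's"
    else
        echo "FAIL: cannot read $keytab as $(id -un): $listing"; status=1
    fi
    if dns_roundtrip "$host"; then echo "ok:   forward/reverse DNS agree for $host"
    else echo "FAIL: forward/reverse DNS disagree for $host"; status=1; fi
    if out=$(keytab_can_kinit "$princ" "$keytab"); then echo "ok:   kinit from keytab as $princ"
    else echo "FAIL: kinit as $princ: $out"; status=1; fi
    return $status
}

# Live checks run only on request, e.g.:
#   PREFLIGHT=1 sh preflight.sh mail.hprs.local HPRS.LOCAL /etc/krb5.keytab
if [ "${PREFLIGHT:-0}" = 1 ]; then
    preflight "${1:-mail.hprs.local}" "${2:-HPRS.LOCAL}" "${3:-/etc/krb5.keytab}"
fi
```

Run it as the user Dovecot's auth process runs as (dovecot by default), because "cannot read keytab" is exactly the failure that only shows up under that account. A kinit failure mentioning clock skew points at point 2, one mentioning the KDC or realm at point 3.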
Also it seems we lack support for NTLMv2. If you want to use NTLM you need to permit use of NTLM(v1), which is usually not enabled by default.
Aki
On June 25, 2016 at 7:43 PM Mark Foley <mfoley@ohprs.org> wrote:
I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
Does NTLM authentication work in Dovecot?
I'll post this one last time. If I still have no responses I'll have to conclude that no one has actually tried this authentication method and it therefore does not work.
Thanks, --Mark
-----Original Message----- From: Mark Foley <mfoley@ohprs.org> Date: Fri, 22 Apr 2016 02:07:24 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: Looking for NTLM config example
Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC.
With the help of the samba maillist folks I was able to set up NTLM authentication for domain user login. I should be able to do the same for email!
But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference to "NTLM password scheme".
The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM authentication submethods are, tells you what password schemes are, tells you what the NTLM client/server handshake is, but doesn't actually tell you how to configure dovecot config files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, MITM can't force downgrade" ... whatever that means.
Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" is. But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM and any other supporting settings or configs I need?
My current/working dovecot settings, which have been running perfectly for well over a year now, are:
    $ dovecot -n
    # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
    # OS: Linux 3.10.17 x86_64 Slackware 14.1
    auth_debug_passwords = yes
    auth_mechanisms = plain login
    auth_verbose = yes
    auth_verbose_passwords = plain
    disable_plaintext_auth = no
    info_log_path = /var/log/dovecot_info
    mail_location = maildir:~/Maildir
    passdb {
      driver = shadow
    }
    protocols = imap
    ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
    ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
    userdb {
      driver = passwd
    }
    verbose_ssl = yes
Here's what I've tried so far as 10-auth.conf:
    disable_plaintext_auth = no
    auth_use_winbind = yes
    info_log_path = /var/log/dovecot_info
    auth_verbose = yes
    auth_debug_passwords = yes
    auth_verbose_passwords = plain
    auth_winbind_helper_path = /usr/bin/ntlm_auth
    auth_mechanisms = ntlm plain login
    userdb {
      driver = passwd
      args = username_format=%n allow_all_users=yes
    }
Which gives me a dovecot -n of:
    $ dovecot -n
    # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
    # OS: Linux 3.10.17 x86_64 Slackware 14.1
    auth_debug_passwords = yes
    auth_mechanisms = ntlm plain login
    auth_use_winbind = yes
    auth_verbose = yes
    auth_verbose_passwords = plain
    disable_plaintext_auth = no
    info_log_path = /var/log/dovecot_info
    mail_location = maildir:~/Maildir
    protocols = imap
    ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
    ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
    userdb {
      args = username_format=%n allow_all_users=yes
      driver = passwd
    }
    verbose_ssl = yes
I configured Thunderbird for NTLM authentication, then tried sending a message, I got the following in /var/log/dovecot_info:
    Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
    Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
    Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
    Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
On Thunderbird I got the error, "Sending of the message failed. The Outgoing server (SMTP) my.server.name does not support the selected authentication method. Please change the 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
Clearly, something is configured wrong, but I've no clue what.
Can I get some advice?
THX --Mark
Aki Tuomi
While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set Thunderbird to NTLM v1 and modified the Dovecot config:
    auth_debug_passwords = yes
    auth_mechanisms = plain login ntlm
    auth_use_winbind = yes
    auth_verbose = yes
    auth_verbose_passwords = plain
    disable_plaintext_auth = no
    info_log_path = /var/log/dovecot_info
    mail_location = maildir:~/Maildir
    protocols = imap
    ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
    ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
    userdb {
      args = username_format=%n allow_all_users=yes
      driver = passwd
    }
    verbose_ssl = yes
No joy. My dovecot log:
    Jun 27 02:34:50 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
    Jun 27 02:34:50 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
    Jun 27 02:34:58 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
    Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 26 secs): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<mNEutzw28QDAqAA2>
    Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<WugeuDw2AADAqAA6>
    Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
    Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
This looks quite similar to the output I got with the gssapi test. It seems there is nothing I can do to get AD authentication working with Dovecot. Do you (or anyone) have any ideas?
What does "disconnected before auth was ready" mean?
Has anyone on Planet Earth actually used either NTLM or GSSAPI successfully with Dovecot? Please speak up! Let me know you exist!
--Mark
-----Original Message-----
Date: Sun, 26 Jun 2016 15:08:03 +0300 (EEST) From: aki.tuomi@dovecot.fi To: dovecot@dovecot.org, Mark Foley <mfoley@ohprs.org> Subject: Re: Looking for NTLM config example
Also it seems we lack support for NTLMv2. If you want to use NTLM you need to permit use of NTLM(v1), which is usually not enabled by default.
Aki
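The "Auth process broken (disconnected before auth was ready)" line that appears in both of Mark's logs is imap-login reporting that its connection to the auth process closed before the auth handshake finished, i.e. the auth process exited while starting up. The line never says why: the auth process logs its own reason as an Error or Fatal, and Dovecot sends those to log_path (syslog when unset), not to info_log_path, so they are not in /var/log/dovecot_info. The script below is an added example for this thread, not code from Dovecot or from anyone in the discussion; it pairs each broken-auth minute in the info log with the auth errors from the same minute in the error log. The sample log text is constructed; the Jun 27 lines copy the shape of the ones posted above, and the Fatal line is a placeholder rather than a real Dovecot message.

```shell
#!/bin/sh
# Added example, not from the thread: match each imap-login "Auth process
# broken" line (which only says that the auth process went away before it
# finished starting) with the auth process's own Error/Fatal lines from the
# same minute. Those lines state the actual reason, and Dovecot writes them
# to log_path (syslog unless set), not to info_log_path, so they never show
# up in /var/log/dovecot_info. Sample log text below is constructed for the
# example; the Jun 27 lines copy the shape of the ones posted in the thread.

# auth_broken_times LOGTEXT: print "Mon DD HH:MM" once per minute in which
# imap-login reported losing the auth process.
auth_broken_times() {
    printf '%s\n' "$1" | awk '
        /imap-login: .*Auth process broken/ {
            split($3, t, ":"); print $1, $2, t[1] ":" t[2]
        }' | sort -u
}

# auth_errors_at ERRLOGTEXT "Mon DD HH:MM": print auth Error/Fatal lines from
# that minute. Works for a plain log file and for syslog lines, which carry a
# host name and "dovecot:" tag before "auth:".
auth_errors_at() {
    printf '%s\n' "$1" | awk -v when="$2" '
        $0 ~ / auth: (Fatal|Error): / {
            split($3, t, ":")
            if (($1 " " $2 " " t[1] ":" t[2]) == when) print
        }'
}

# triage INFOTEXT ERRTEXT: for each minute with a broken auth process, show
# the auth errors logged then, or say where to look if there are none.
triage() {
    auth_broken_times "$1" | while IFS= read -r when; do
        echo "== imap-login lost the auth process at $when"
        hits=$(auth_errors_at "$2" "$when")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
        else
            echo "   no auth Error/Fatal in the error log for that minute;"
            echo "   check where 'doveconf log_path' points (syslog if empty)"
        fi
    done
}

# Constructed sample input (not real logs).
SAMPLE_INFO='Jun 27 02:34:50 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 02:34:58 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 26 secs): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=<mNEutzw28QDAqAA2>
Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<WugeuDw2AADAqAA6>'
SAMPLE_ERR='Jun 27 02:34:58 auth: Fatal: (constructed placeholder for the real startup error)
Jun 27 02:35:10 imap: Error: (constructed unrelated line)'

triage "$SAMPLE_INFO" "$SAMPLE_ERR"
```

On a live server the call would be `triage "$(cat /var/log/dovecot_info)" "$(cat /var/log/maillog)"`, substituting whatever file `doveconf log_path` (or your syslog configuration) names; `doveadm log errors` also prints the error-level lines Dovecot has kept in memory since the last restart, which is the quickest way to see why the auth process refused to start with the ntlm or gssapi mechanism enabled.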
On 6/27/2016 2:45 AM, Mark Foley wrote:
While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set Thunderbird to NTLM v1 ...
You are aware, I hope, that NTLM v1 is well over 20 years old and is trivially compromised today. Basically, it's about as secure as sending plaintext passwords. Since you're supporting SSL on your Dovecot server, why not require it, and not bother with NTLM auth?
TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set Thunderbird to NTLM v1 ...
TT> You are aware, I hope, that NTLM v1 is well over 20 years old and TT> is trivially compromised today. Basically, it's about as secure as TT> sending plaintext passwords. Since you're supporting SSL on your TT> Dovecot server, why not require it, and not bother with NTLM auth?
I can't speak for the OP, but I suspect he'd like to use a SSO for dovecot, utilizing the same credentials as is in their Samba AD infrastructure. [Thus, have Dovecot submit authentications for dovecot to the AD domain and get an ack/nak on success.] So, he's not eager to use NTLMv1, but isn't getting much love in how to setup proxy auth against AD. [I suspect asking on the Samba list isn't a bad idea, but I'm surprised he hasn't gotten some good pointers here. There really ought to be a FAQ or white paper on it, and I'm dismayed there isn't.]
-Greg
On June 27, 2016 at 8:50 PM Gregory Sloop <gregs@sloop.net> wrote:
TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set Thunderbird to NTLM v1 ...
TT> You are aware, I hope, that NTLM v1 is well over 20 years old and TT> is trivially compromised today. Basically, it's about as secure as TT> sending plaintext passwords. Since you're supporting SSL on your TT> Dovecot server, why not require it, and not bother with NTLM auth?
I can't speak for the OP, but I suspect he'd like to use a SSO for dovecot, utilizing the same credentials as is in their Samba AD infrastructure. [Thus, have Dovecot submit authentications for dovecot to the AD domain and get an ack/nak on success.] So, he's not eager to use NTLMv1, but isn't getting much love in how to setup proxy auth against AD. [I suspect asking on the Samba list isn't a bad idea, but I'm surprised he hasn't gotten some good pointers here. There really ought to be a FAQ or white paper on it, and I'm dismayed there isn't.]
-Greg
It's not very used feature as most with AD probably are using Exchange. I'll have a look at the NTLM authentication and see if we can improve it's documentation.
Aki Tuomi Dovecot oy
Hi folks,
I've been sifting through various threads on GSSAPI and NTLM support, and I'm wondering if anyone out there can confirm or deny GSSAPI IMAP auth support in Microsoft Outlook 2016 (Windows)? Perhaps there's some magic registry key to change IMAP auth from PLAIN to GSSAPI?
We're trying to do single sign-on + e-mail for Windows domain users; Thunderbird GSSAPI works fine, of course, but Outlook 2016 is the policy-mandated e-mail client for this particular environment (Windows 10 client desktop, Windows Server 2012 R2 AD, RHEL7 Dovecot).
It seems that Outlook 2016 might also support NTLMv1 / GSS-SPNEGO out of the box for IMAP accounts, but NTLMv1 is - rightly - disabled in this environment (and I also see 'NT_STATUS_UNSUCCESSFUL' reported by /usr/bin/ntlm_auth back to the Dovecot auth worker).
Thanks for any ideas out there!
Robert
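As an added example, not posted by anyone in this thread: a Dovecot 2.2 `10-auth.conf` fragment for the setup Greg describes (Dovecot hands the login to the AD domain and gets a yes/no back) using Samba's `ntlm_auth` helper that Robert mentions, with Kerberos GSSAPI as the preferred SSO path. The hostname, keytab path and PAM backend are assumptions.

```conf
# Added example (not from the thread): /etc/dovecot/conf.d/10-auth.conf
# fragment for Dovecot 2.2 fronting a Samba/Windows AD domain.
# imap.example.com, the keytab path and the PAM backend are assumptions.

# Refuse PLAIN/LOGIN on cleartext connections. Together with
# "ssl = required" in 10-ssl.conf, passwords only ever travel inside TLS.
disable_plaintext_auth = yes

# Kerberos first: GSSAPI-capable clients (Thunderbird, etc.) get real SSO.
# NTLM is listed last and should be removed once no client depends on it.
auth_mechanisms = plain login gssapi gss-spnego ntlm

# GSSAPI needs the imap/<hostname> service key for the name clients connect to.
# Assumed FQDN; the keytab should hold only that service principal.
auth_gssapi_hostname = imap.example.com
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# NTLM and GSS-SPNEGO: rather than storing NTLM password hashes in passdb,
# pass the challenge/response to winbind, which validates it against the AD DC
# and returns success or failure (the "ack/nak" described earlier in the thread).
auth_ntlm_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth

# PLAIN/LOGIN logins (inside TLS) are also answered by the domain, via PAM
# configured with pam_winbind or sssd (assumed); nothing is stored locally.
passdb {
  driver = pam
}

# User attributes (uid/gid/home) come from NSS (winbind or sssd), not from AD
# password checks, so userdb stays the plain passwd lookup.
userdb {
  driver = passwd
}

# Prerequisites that are not Dovecot settings:
# - the user Dovecot's auth process runs as must be allowed to open winbindd's
#   privileged pipe (commonly by membership in the winbindd_priv group);
#   otherwise ntlm_auth fails for every login.
# - a DC that rejects NTLMv1 makes ntlm_auth report NT_STATUS_UNSUCCESSFUL for
#   NTLMv1 clients, matching the symptom reported in this thread. Keep NTLMv1
#   disabled on the DC and move the client to GSSAPI/GSS-SPNEGO instead.
```

Check the result with `doveadm auth test -x service=imap <user>` for the PLAIN path and `auth_debug = yes` in the log for the winbind and GSSAPI exchanges.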
On Tue, 24 Oct 2017 16:59:51 -0500, Robert Giles stated:
Hi folks,
I've been sifting through various threads on GSSAPI and NTLM support, and I'm wondering if anyone out there can confirm or deny GSSAPI IMAP auth support in Microsoft Outlook 2016 (Windows)? Perhaps there's some magic registry key to change IMAP auth from PLAIN to GSSAPI?
We're trying to do single sign-on + e-mail for Windows domain users; Thunderbird GSSAPI works fine, of course, but Outlook 2016 is the policy-mandated e-mail client for this particular environment (Windows 10 client desktop, Windows Server 2012 R2 AD, RHEL7 Dovecot).
It seems that Outlook 2016 might also support NTLMv1 / GSS-SPNEGO out of the box for IMAP accounts, but NTLMv1 is - rightly - disabled in this environment (and I also see 'NT_STATUS_UNSUCCESSFUL' reported by /usr/bin/ntlm_auth back to the Dovecot auth worker).
Thanks for any ideas out there!
In the past, I have had pretty good success posting a question regarding MS Outlook on these tech forums.
https://social.technet.microsoft.com/Forums/office/en-us/home?forum=outlook
https://answers.microsoft.com/en-us/msoffice/forum?tab=all&auth=1
YMMV of course.
Jerry
On 10/25/2017 at 12:00 PM, Jerry wrote:
In the past, I have had pretty good success posting a question regarding MS Outlook on these tech forums.
https://social.technet.microsoft.com/Forums/office/en-us/home?forum=outlook
That's an excellent idea, thanks:
For anyone that runs across this Dovecot thread later whilst hurriedly Googling for answers, I've posted a question here:
https://social.technet.microsoft.com/Forums/office/en-US/df7177c1-ffc2-453e-...
Robert
participants (8)
- Aki Tuomi
- aki.tuomi@dovecot.fi
- Gregory Sloop
- Jan Jurkus
- Jerry
- Mark Foley
- Robert Giles
- Tom Talpey