Re: [Dovecot] NTLM authentication from Outlook
Hi all
I've enabled ntlm authentication in dovecot, and use dovecot sasl in postfix as well.
Authentication with ntlm works well from Mac OS X Mail.app, as well as from Outlook Express, but fails with Outlook. Strangely enough, ntlm authentication works in Outlook when using smtp (via postfix), but neither from imap nor pop3 (both dovecot). As dovecot sasl handles all authentication against a mysql userdb, this strikes me as very strange.
I've instructed my clients with Outlook to fetch mail using a ssl-encrypted connection, and to send using ntlm-authentication. This works, but I would like to have ntlm available as an option to all my clients, without forcing them to change mail-clients.
I've turned on auth_verbose, auth_debug and auth_debug_passwords, and compared the passwordstring with the one calculated using dovecotpw, and they match. The only odd thing is that the username is returned from Outlook as an all-caps string, so user@domain.tld becomes USER@DOMAIN.TLD. I don't know if it matters, but I don't think so, as changing the user-login to an all-caps version doesn't solve the problem.
Any hints will be most welcome.
/Lars
Greetings, everyone
I'm sorry, but I seem to have made a mistake regarding the
passwordstring from Outlook – seems like the string I looked at was
from MS Entourage... (that's what you get from trying to debug
something when you're too tired to think straight).
I've now enabled debugging again, and have tried logging in from
Outlook with ntlm-authentication. The log-entries are as follows:
Nov 16 23:29:09 SD-Server dovecot: auth(default): client in: AUTH 1 NTLM service=IMAP lip=192.168.2.2 rip=192.168.2.13
Nov 16 23:29:09 SD-Server dovecot: auth(default): client out: CONT 1
Nov 16 23:29:09 SD-Server dovecot: auth(default): client in: CONT 1 TlRM7IIog0ADQAuAAAFASgKAAAAD0AABgATVNTUAABYUEFSQkVKRFNHUlVQUAAAABGACgAAA lNQUNEU=
Nov 16 23:29:09 SD-Server dovecot: auth(default): client out: CONT 1 TlRMTVNAAAAFAHgAeAAAAAAAADAA +H1XooTUAACAAAAyZ9yMNkAAdgBlAHIALgBsAG8AACYAJgBOAAAAUwBEAC0AUwBlAHIAYwBh AGwAAwAeAFMAyAC4AbABvsAAAAAGMAYRAAtAFMAZQByAHYAZQBQBAAA=
Nov 16 23:29:09 SD-Server dovecot: auth(default): client in: CONT 1 TlRMAYAHwAAAAYABgAlAAAAAwADTVNTUAFQAAAAMAAAAAAAAEAH3ZyprYRPWIAAAAAAcgBkA EkATQBBAEMAWABQAAAAACsAAADAAAAGAABIAqMx1XpiwbAAAHAAcwAcABQNAEEAQwBYAFAAT ABpAHMAYQAgAFMAawBvAHYAZwBhAGAAAAAKIAgUBKAoAAAAPSQBAAAAAAAAAAAJILBz4x4RA Ixsp2rhFi8VB6g==
Nov 16 23:29:09 SD-Server dovecot: auth(default): ntlm(?, 192.168.2.13): Username contains disallowed characters
Nov 16 23:29:10 SD-Server dovecot: auth(default): client out: FAIL 1
The same account logs in without problems if I use a plaintext
password (SSL-encrypted, since plaintext-login is disabled).
In dovecot.conf I have the following:
auth default {
  mechanisms = plain digest-md5 cram-md5 ntlm rpa
}
The authentication is done against a mysql-db, which until now has
worked with every client I've tested (except Outlook).
I have set up postfix to use dovecot-sasl, and use the same userdb
for smtp-authentication. Strangely enough the exact same data is
accepted when using ntlm-authentication with smtp, though a warning
is added to my logs. This is an example of a log-entry from an
Outlook-user sending a mail:
Nov 14 16:40:49 SD-Server postfix/smtpd[8354]: connect from unknown
[hid.den.ip.adr]
Nov 14 16:40:49 SD-Server dovecot: auth-worker(default): mysql:
Connected to localhost (dovecot_auth)
Nov 14 16:40:51 SD-Server postfix/smtpd[8354]: warning: unknown
[hid.den.ip.adr]: SASL NTLM authentication failed:
TlRMTVNTUAACAAMAZYAAQByAHAFAooAOINYZ//
+97QAAAAAAAAUwBEAC0AUwBlAHIAdgBlAHIALgBsAG8AYwBhAGwAAwAeAFMARAAtAFAbABvA
GMAYAAAAHgAeADAQAAAAAACYAJgBOBZQByAC4sAAAAAAA=
Nov 14 16:40:51 SD-Server postfix/smtpd[8354]: AC6402D668E:
client=unknown[hid.den.ip.adr], sasl_method=NTLM,
sasl_username=user@domain.dk
Nov 14 16:40:51 SD-Server postfix/cleanup[8358]: AC6402D668E: message-
id=006a01c70803$4dcd1b00$0200a8c0@acerce5220052b
Nov 14 16:41:13 SD-Server postfix/qmgr[8494]: AC6402D668E:
from=user@domain.dk, size=819330, nrcpt=1 (queue active)
Nov 14 16:41:16 SD-Server postfix/smtpd[8354]: disconnect from unknown
[hid.den.ip.adr]
Nov 14 16:41:29 SD-Server postfix/smtp[8361]: AC6402D668E:
to=user@otherdomain.dk, relay=smtp.domain.dk[hid.den.ip.adr]:25,
delay=37, delays=22/0.08/0.06/15, dsn=2.0.0, status=sent (250
156794624 mailfe12 Message accepted for delivery)
Nov 14 16:41:29 SD-Server postfix/qmgr[8494]: AC6402D668E: removed
The same warning is issued from postfix when a user sends mail from
Outlook Express, but not when the same user sends from Thunderbird or
Mail.app. In fact, I've only seen these problems when the users are
using MS products. I really hope someone can shed some light on what
is going on.
Best regards Lars
On Fri, 2006-11-17 at 00:15 +0100, Lars Skovgaard wrote:
> Nov 16 23:29:09 SD-Server dovecot: auth(default): ntlm(?, 192.168.2.13): Username contains disallowed characters
This means that the client sent some character which wasn't in auth_username_chars list. Unfortunately Dovecot doesn't show what the username is in that case, but I fixed that now in CVS:
http://dovecot.org/list/dovecot-cvs/2006-November/006907.html
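As an added illustration (not part of the original thread and not Dovecot's own code): a Python example that decodes a base64 NTLM Type 3 message, as carried in the final `client in: CONT` auth debug line, extracts the username the client actually sent, and lists the characters that fall outside auth_username_chars. The character list is Dovecot's documented default; the sample message, the helper names and the user "Jane Doe" are constructed for the example.

```python
import base64
import struct

# Dovecot's documented default for auth_username_chars.
DEFAULT_USERNAME_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
NEGOTIATE_UNICODE = 0x00000001
FIELDS = (12, 20, 28, 36, 44)  # LM resp, NT resp, domain, user, workstation

def _buf(msg, pos):
    """Return the payload of the security buffer (len, maxlen, offset) at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_type3(b64):
    """Return (domain, user, workstation) from a base64 NTLM Type 3 message."""
    msg = base64.b64decode(b64)
    if len(msg) < 52 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 (authenticate) message")
    # The flags word at offset 60 is optional; it exists only if no payload starts before 64.
    starts = [o for n, _m, o in (struct.unpack_from("<HHI", msg, p) for p in FIELDS) if n]
    has_flags = len(msg) >= 64 and min(starts, default=64) >= 64
    wide = has_flags and struct.unpack_from("<I", msg, 60)[0] & NEGOTIATE_UNICODE
    enc = "utf-16-le" if wide else "cp437"
    return tuple(_buf(msg, p).decode(enc, "replace") for p in FIELDS[2:])

def disallowed_chars(username, allowed=DEFAULT_USERNAME_CHARS):
    """Characters that make Dovecot log 'Username contains disallowed characters'."""
    return sorted({c for c in username if c not in allowed})

def build_type3(domain, user, workstation):
    """Construct a sample Type 3 message (zeroed responses) for the demonstration."""
    parts = [b"\0" * 24] * 2 + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    header, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    return base64.b64encode(header + struct.pack("<I", NEGOTIATE_UNICODE) + payload).decode()

SAMPLE = build_type3("WORKGROUP", "Jane Doe", "PC01")  # constructed, not from the logs

if __name__ == "__main__":
    domain, user, host = parse_type3(SAMPLE)
    print(f"user={user!r} domain={domain!r} disallowed={disallowed_chars(user)}")
```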
Participants (2): Lars Skovgaard, Timo Sirainen