NTLM fails: dovecot: auth: Fatal: Unknown authentication mechanism 'NTLM'
After upgrading Debian to 11 I found Dovecot at version 2.3.13 (89f716dc2). Now auth method NTLM fails and is not even listed:
# doveadm pw -l
SHA1 SSHA512 SCRAM-SHA-256 BLF-CRYPT PLAIN HMAC-MD5 OTP SHA512 SHA DES-CRYPT CRYPT SSHA MD5-CRYPT PLAIN-MD4 PLAIN-MD5 SCRAM-SHA-1 SHA512-CRYPT CLEAR CLEARTEXT ARGON2I ARGON2ID SSHA256 MD5 PBKDF2 SHA256 CRAM-MD5 PLAIN-TRUNC SHA256-CRYPT SMD5 DIGEST-MD5 LDAP-MD5

/var/log/dovecot.log
Jan 22 16:20:32 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:32 master: Error: service(auth): command startup failed, throttling for 2.000 secs
Jan 22 16:20:34 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:34 master: Error: service(auth): command startup failed, throttling for 4.000 secs
Jan 22 16:20:38 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:38 master: Error: service(auth): command startup failed, throttling for 8.000 secs
Jan 22 16:20:46 auth: Fatal: Unknown authentication mechanism 'NTLM'
Jan 22 16:20:46 master: Error: service(auth): command startup failed, throttling for 16.000 secs

# doveconf -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2
# Hostname: imail.khmfdbyekekelj1rmytwnfh1bc.dx.internal.cloudapp.net
auth_mechanisms = plain login ntlm
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace compat {
  alias_for =
  hidden = yes
  inbox = no
  list = no
  location =
  prefix = INBOX.
  separator = .
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_plugins = " quota trash sieve"
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-client {
    mode = 0660
  }
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_cert = </etc/letsencrypt/live/imail1.sutinen.com/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = " quota trash sieve"
  postmaster_address = admin-kosmosisland.com@kosmosisland.com
}
protocol lda {
  mail_plugins = " quota trash sieve"
}
Regards, David Koski
Is NTLM now dead? The Readme says:
2020-10-23 16:24:09 -0400 Josef 'Jeff' Sipek <jeff.sipek@open-xchange.com> (48d6f7282)
auth: Remove ntlm mechanism & the LANMAN and NTLM password schemes
M COPYING
M configure.ac
M src/Makefile.am
M src/auth/Makefile.am
D src/auth/mech-ntlm.c
M src/auth/mech.c
M src/auth/password-scheme.c
M src/auth/test-libpassword.c
M src/auth/test-mech.c
M src/doveadm/Makefile.am
D src/lib-ntlm/Makefile.am
D src/lib-ntlm/ntlm-des.c
D src/lib-ntlm/ntlm-des.h
D src/lib-ntlm/ntlm-encrypt.c
D src/lib-ntlm/ntlm-encrypt.h
D src/lib-ntlm/ntlm-flags.h
D src/lib-ntlm/ntlm-message.c
D src/lib-ntlm/ntlm-message.h
D src/lib-ntlm/ntlm-types.h
D src/lib-ntlm/ntlm.h
David
You should use GSSAPI instead.
Aki
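As an added illustration of the upgrade problem in this thread (not Dovecot's code and not the poster's), the script below audits a doveconf -n style dump for the ntlm mechanism that the quoted commit removed, rewrites the auth_mechanisms line with the gssapi replacement Aki suggests, and flags stored password hashes whose {SCHEME} prefix is one of the removed NTLM or LANMAN schemes. The config text and the hash values are constructed samples; the gssapi substitution assumes a Kerberos setup is available.

```python
import re

# Names the commit quoted in this thread ("auth: Remove ntlm mechanism & the
# LANMAN and NTLM password schemes") took out of Dovecot.
REMOVED_MECHANISMS = {"ntlm"}
REMOVED_SCHEMES = {"NTLM", "LANMAN"}

# Replacement mechanism suggested in the thread (assumption: Kerberos/GSSAPI is set up).
REPLACEMENT_MECHANISM = "gssapi"

# Constructed sample in the shape of `doveconf -n` output, with the same
# auth_mechanisms line as the poster's config; not the full config.
SAMPLE_DOVECONF = """\
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
auth_mechanisms = plain login ntlm
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
"""

# Constructed sample password-column values in Dovecot's {SCHEME}hash notation.
SAMPLE_PASSWORDS = [
    "{NTLM}0123456789abcdef0123456789abcdef",
    "{SHA512-CRYPT}$6$saltsalt$notarealhash",
    "{LANMAN}fedcba9876543210fedcba9876543210",
]


def configured_mechanisms(doveconf_text):
    """Return the auth_mechanisms list from doveconf -n style text."""
    for line in doveconf_text.splitlines():
        m = re.match(r"\s*auth_mechanisms\s*=\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return []  # setting absent from the dump (Dovecot then uses its own default)


def removed_mechanisms(doveconf_text):
    """Mechanisms in auth_mechanisms that the upgraded auth process no longer knows."""
    return [m for m in configured_mechanisms(doveconf_text)
            if m.lower() in REMOVED_MECHANISMS]


def fixed_auth_mechanisms(doveconf_text):
    """auth_mechanisms line with removed mechanisms swapped for gssapi (deduplicated, order kept)."""
    out = []
    for mech in configured_mechanisms(doveconf_text):
        if mech.lower() in REMOVED_MECHANISMS:
            mech = REPLACEMENT_MECHANISM
        if mech not in out:
            out.append(mech)
    return "auth_mechanisms = " + " ".join(out)


def removed_scheme_hashes(passwords):
    """Stored passwords whose {SCHEME} prefix names a scheme the upgrade removed."""
    flagged = []
    for value in passwords:
        m = re.match(r"\{([^}]+)\}", value)
        if m and m.group(1).upper() in REMOVED_SCHEMES:
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    print("removed mechanisms:", removed_mechanisms(SAMPLE_DOVECONF))
    print(fixed_auth_mechanisms(SAMPLE_DOVECONF))
    for pw in removed_scheme_hashes(SAMPLE_PASSWORDS):
        print("needs rehash:", pw.split("}")[0] + "}...")
```

Running the check before the package upgrade, rather than after, avoids the auth service crash loop shown in the log. Flagged NTLM or LANMAN hashes cannot be converted to another scheme without the cleartext, so those accounts need a password reset or a capture-and-rehash at the next successful login.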
Hello Aki,
Thank you, that works. But it doesn't solve my main problem. Newer versions of Outlook started to parse the "@domain" out of the "user@domain" which yielded only "user". I found that by prepending a '\' (backslash) it would yield "user@domain" correctly. But with GSSAPI, the backslash fails and removing it allows for correct authentication of the whole user name including "@domain". The problem now is having to configure all the many clients in the field that have the backslash prepended to the user name. Is there a way around this with version 2.3?
Regards, David Koski david@kosmosisland.com dkoski@sutinen.com
You can probably use auth_default_realm for this, see https://doc.dovecot.org/settings/core/?highlight=realm#core_setting-auth_def...
Aki
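The following is an added model of the auth_default_realm behaviour Aki points at, written for this thread and not taken from Dovecot's source: a client that strips the "@domain" part and sends a bare "user" gets the realm appended server-side before the passdb lookup, while names that already carry a domain are left alone. The realm value, the login names and the lowercase step (Dovecot's %Lu username format) are assumptions stated in the code.

```python
# Model of Dovecot's auth_default_realm setting for plaintext (PLAIN/LOGIN) logins:
# "Default realm/domain to use if none was specified." This is an added illustration,
# not Dovecot's implementation.

# Assumed config lines this model corresponds to:
#   auth_mechanisms = plain login gssapi
#   auth_default_realm = example.com
DEFAULT_REALM = "example.com"  # assumption: replace with the real mail domain


def apply_default_realm(login_name, default_realm=DEFAULT_REALM):
    """Append @default_realm when the login name carries no domain.

    Names that already contain '@' are returned unchanged, and an empty realm
    disables the behaviour (the setting's default is empty)."""
    name = login_name.strip()
    if "@" not in name and default_realm:
        return f"{name}@{default_realm}"
    return name


def lookup_key(login_name, default_realm=DEFAULT_REALM):
    """Name used for the passdb/userdb lookup: realm applied, then lowercased,
    modelling Dovecot's default auth_username_format of %Lu (assumption)."""
    return apply_default_realm(login_name, default_realm).lower()


# Constructed login names as a client might send them.
SAMPLE_LOGINS = [
    "user",                 # Outlook stripped the domain, per the thread
    "user@example.com",     # full address, untouched
    "Other.User",           # mixed case, bare name
]


def lookup_table(logins=SAMPLE_LOGINS, default_realm=DEFAULT_REALM):
    """Map each client-supplied login name to the key the databases are queried with."""
    return {login: lookup_key(login, default_realm) for login in logins}


if __name__ == "__main__":
    for sent, looked_up in lookup_table().items():
        print(f"{sent!r:22} -> {looked_up!r}")
```

The point of the model is that the fix lives in the server setting, so the clients in the field keep their current configuration and only the server needs to change once the backslash prefix is dropped.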
participants (3)
- Aki Tuomi
- David Koski
- david@kosmosisland.com