Is it possible to setup ntlm authentication then proxy it to the mail server ?
Hi,
This is my dovecot version:
root@freebsdsvr:~ # dovecot --version
2.3.21 (47349e2482)
I'm having trouble making dovecot act as a proxy to the mail server when using ntlm authentication. My setup looks like this: email client ------> dovecot (will act as proxy) -------> mail server, so basically the email client will connect to dovecot but dovecot will forward it to the mail server.
Proxying using auth_mechanism as PLAIN is working, but if I use ntlm authentication it just connects into the dovecot server and the dovecot server does not proxy to the mail server.
I tried using passdb driver = sql, passdb driver = static, passdb driver = lua and all of them are working when the email client connects using plain auth: once dovecot authenticates the user it will proxy it to the mail server. But when I use ntlm authentication it just connects to dovecot and does not do a proxy to the mail server.
I switched on all the debugs and I found out in the log that when I connect using PLAIN auth it calls the passdb and gets my default_fields or my proxy fields proxy=y and host=mailserver_domain, which causes dovecot to proxy into the host (my mail server). But when I connect using NTLM auth it calls the passdb but it does not return my default fields for proxying (when it uses the sql passdb driver it just connects to the database and does not run the password_query), and I think it uses the output from the ntlm_auth of samba that dovecot uses, because it returns the fields user=username and original_user=username@domain.
These are the example logs that I received once I connect using ntlm and it does not proxy it to my mail server:
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: mysql(192.168.254.131): Connecting
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected (pid=12268)
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected (pid=12270)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH 1 NTLM service=imap session=Js8TT04WcMnAqP5/ lip=192.168.254.131 rip=192.168.254.127 lport=143 rport=51568
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 1
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1 TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= (previous base64 data may contain sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 1 TlRMTVNTUAACAAAAFAAUADgAAAAFgooC57WwKq2q4U8sdAAAAAAAAAAFwAXABMAAAABgEAAAasdasdasdAAAA9FAFMAQwAuAE4ARQBUAC4AQQBVAAIAFABFAFMAQwAuAE4ARQBUACad4AQdsQBVAAEasAFABFAFMAQwAuAE4AdaRQBUAC4AQQBVAAQAAAADABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEAAAAA
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1 TlRMTVNTUAADAAAAGAAYAFwAAACIAIgAdAAAAAAAAeABAAAAABgAGAEAAAAAWABYARgAAAAAAAAAAAAAABYIIAHMAcwAzAFcATwBSAEsAUwBUAEEAVABJAE8ATgBXKrBA2vF7fMicRiasLK/IyI3fbM46rQ7JHcti/0TU02AqasdasdasdhceI+BaeqMjrAQEAAAAAAACAL88ampDaARzhirKymxxcAAAAAAIAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAEAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAQAAAADABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEAAAAA (previous base64 data may contain sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: auth(userName,192.168.254.127,<Js8TT04WcMnAqP5/>): Auth request finished
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName original_user=userName@FREEBSD-TEST
Here are the logs that I get when I connect via Plain Auth and it does the proxy to my mail server:
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: mysql(192.168.254.131): Connecting
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): Server accepted connection (fd=15)
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): Sending version handshake
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: Handling PASSV request
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(ss3,192.168.254.127,<zwTdK04W9MbAqP5/>): Performing passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(ss3,192.168.254.127,<zwTdK04W9MbAqP5/>): query: SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: mysql(192.168.254.131): Finished query 'SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';' in 0 msecs
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): Finished passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: Finished
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: sql(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): Finished passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: auth(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): Auth request finished
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client: dns(mailserver.domain): Lookup started
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client: Connecting
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client (uid=0): Client connected (fd=27)
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client (uid=0): Sending version handshake
Apr 18 03:27:40 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client (uid=0): dns(mailserver.domain): Lookup successful after 658 msecs
Apr 18 03:27:40 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName destuser=userName host=mailserver.domain proxy hostip=mailserverip pass=password
Is there a right way to configure ntlm to do proxy? Because it does not seem to use the passdb with the sql, lua, and static drivers.
This is my dovecot -n
root@freebsdsvr:~ # dovecot -n
# 2.3.21 (47349e2482): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 13.2-RELEASE amd64 zfs
# Hostname: freebsdsvr
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
auth_winbind_helper_path = /usr/local/bin/ntlm_auth
disable_plaintext_auth = no
mail_debug = yes
mail_gid = 1001
mail_location = maildir:/var/mail/vhosts/%n
mail_uid = 1001
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
protocols = imap pop3
service auth {
user = root
}
ssl_cert = </root/dovecot.crt
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_key = # hidden, use -P to show it
passdb {
driver = sql
# Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = prefetch
}
dovecot-sql.conf.ext
driver = mysql
connect = host=192.168.254.134 port=3306 dbname=mails user=karl password=adminpassword
password_query = SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = '%u';
Thanks :)
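The comparison the post makes by eye (PLAIN runs the password_query and the final OK carries proxy/host, NTLM does not) can be done mechanically over the auth debug log. The following script is an added example written for this thread, not code from the poster or from Dovecot: it groups "client in: AUTH" requests with their "client passdb out: OK" replies by request id, links sql query lines to the request through the session id, and reports per session which mechanism was used, whether a passdb query ran, and whether the reply contains the fields that make Dovecot proxy. The sample lines are abbreviated copies of the ones posted above; the "AUTH 1 PLAIN" line for the second session is constructed, since the posted PLAIN excerpt starts at the auth-worker. It also redacts pass= values and SASL blobs: with auth_debug_passwords = yes and auth_verbose_passwords = plain, the OK reply in the posted log carries the user's password in clear text, so logs should be redacted before they are shared.

```python
"""Triage Dovecot auth debug logs: mechanism, passdb query, proxy fields.

Added example for the mailing-list thread; not Dovecot code. Sample lines
are constructed from the posted logs (the PLAIN AUTH line is assumed).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated copies of the two flows posted in the thread.
SAMPLE_LOG = """\
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH 1 NTLM service=imap session=Js8TT04WcMnAqP5/ lip=192.168.254.131 rip=192.168.254.127 lport=143 rport=51568
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 1
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: auth(userName,192.168.254.127,<Js8TT04WcMnAqP5/>): Auth request finished
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName original_user=userName@FREEBSD-TEST
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH 1 PLAIN service=imap session=zwTdK04W9MbAqP5/ lip=192.168.254.131 rip=192.168.254.127 lport=143 rport=51570
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): query: SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';
Apr 18 03:27:40 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName destuser=userName host=mailserver.domain proxy hostip=mailserverip pass=password
"""

# "client in: AUTH <id> <MECH> ... session=<sid>" opens a request.
AUTH_RE = re.compile(r"client in: AUTH (\d+) (\S+) .*?session=(\S+)")
# sql(<user>,<ip>,<sid>): query: ... shows the passdb actually ran a query.
QUERY_RE = re.compile(r"sql\([^,]*,[^,]*,<([^>]+)>\): query: ")
# "client passdb out: OK <id> <fields...>" closes the request.
OK_RE = re.compile(r"client passdb out: OK (\d+) (.*)$")

SECRET_KEYS = {"pass", "password"}


@dataclass
class AuthSession:
    mechanism: str
    session: str
    passdb_query_ran: bool = False
    reply_fields: dict = field(default_factory=dict)

    @property
    def proxied(self) -> bool:
        """Dovecot forwards the connection only when the reply carries proxy and host."""
        return "proxy" in self.reply_fields and "host" in self.reply_fields


def parse_reply_fields(text: str) -> dict:
    """Split 'k=v k=v flag' into a dict; bare flags map to True, secrets are redacted."""
    fields = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if key in SECRET_KEYS:
            value = "<redacted>"
        fields[key] = value if sep else True
    return fields


def redact(line: str) -> str:
    """Remove passwords and SASL blobs from a debug line before it is shared."""
    line = re.sub(r"\b(pass|password)=\S+", r"\1=<redacted>", line)
    line = re.sub(r"(CONT \d+ )\S+", r"\1<redacted-sasl-blob>", line)
    return line


def triage(log_text: str) -> list:
    """Return finished AuthSession objects in the order their OK reply appeared."""
    open_by_id, by_session, finished = {}, {}, []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            req_id, mech, sid = m.groups()
            sess = AuthSession(mech, sid)
            open_by_id[req_id] = sess
            by_session[sid] = sess
            continue
        m = QUERY_RE.search(line)
        if m:
            sess = by_session.get(m.group(1))
            if sess:
                sess.passdb_query_ran = True
            continue
        m = OK_RE.search(line)
        if m:
            req_id, rest = m.groups()
            sess = open_by_id.pop(req_id, None)
            if sess:
                sess.reply_fields = parse_reply_fields(rest)
                finished.append(sess)
    return finished


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(f"{s.mechanism:6} session={s.session} passdb_query={s.passdb_query_ran} "
              f"proxied={s.proxied} fields={sorted(s.reply_fields)}")
```

Run against the sample, the NTLM session reports passdb_query=False and proxied=False while the PLAIN session reports both True, which is exactly the difference the post describes. Pass the output of `redact()` over each line, not the raw file, when attaching a debug log to a list post.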
Yes, you would need to use the dovecot submission server for this:
https://doc.dovecot.org/admin_manual/submission_server/
Most people, however, use their MTA's submission server but use dovecot for the authentication backend:
https://doc.dovecot.org/configuration_manual/howto/simple_virtual_install/#s...
Peter
On 19/04/24 13:27, karl.l--- via dovecot wrote:
Hi,
This is my dovecot version:
root@freebsdsvr:~ # dovecot --version 2.3.21 (47349e2482)
I'm having trouble in making dovecot as proxy to the mail server when using ntlm authentication. My setup looks like this: email client ------> dovecot (will act as proxy) -------> mail server so basically the email client will connect to dovecot but dovecot will forward it to the mail server.
Proxying using auth_mechanism as PLAIN is working but if I use ntlm authentication it just connects into the dovecot server and dovecot server does not proxy to to the mail server.
I tried using passdb driver = sql, passdb driver = static, passdb driver = lua and all of them are working when the email client connects using plain auth, once dovecot authenticates the user it will proxy it to the mail server but when I use ntlm authentication it just connects to dovecot and does not do a proxy to the mail server.
You seem to be confusing IMAP with submission. The IMAP protocol is good for fetching mail and as a general interface to the mail storage (or mailbox). IMAP is not used for submitting new mail (except usually for storing a copy in the user's "Sent" folder).
Mail submission is done via the "submission" or (the implicit TLS version) "submissions" protocols. This is usually a function of your MTA (e.g. Postfix, exim, Sendmail, etc but generally not Dovecot). So any attempt to submit mail to the IMAP port is flawed.
All that said, Dovecot does come with a submission server that can "proxy" mail through to the submission service on your MTA. This can be used in the way you describe (but again it's not IMAP):
https://doc.dovecot.org/admin_manual/submission_server/
Most people, however, use their MTA's submission server but use dovecot for the authentication backend. This means that just the authentication credentials are passed through from your MTA to Dovecot and Dovecot answers with a yes/no to the MTA on whether it should allow the submission to proceed. In this case Dovecot is still doing the authentication but no proxy is needed for the actual submission:
https://doc.dovecot.org/configuration_manual/howto/simple_virtual_install/#s...
The latter solution is my recommendation unless you have a specific need for using the Dovecot submission server (e.g. BURL support).
Peter
Peter via dovecot skrev den 2024-04-19 10:12:
Yes, you would need to use the dovecot submission server for this:
https://doc.dovecot.org/admin_manual/submission_server/
Most people, however, use their MTA's submission server but use dovecot for the authentication backend:
https://doc.dovecot.org/configuration_manual/howto/simple_virtual_install/#s...
https://fedoraproject.org/wiki/Changes/Deprecate_ntlm_in_cyrus_sasl
hope dovecot handles deprecation better :)
Maybe use Wireshark to get an independent check on what the logs are saying?
On 4/18/24 20:27, karl.l--- via dovecot wrote:
Hi,
This is my dovecot version:
root@freebsdsvr:~ # dovecot --version 2.3.21 (47349e2482)
I'm having trouble in making dovecot as proxy to the mail server when using ntlm authentication. My setup looks like this: email client ------> dovecot (will act as proxy) -------> mail server so basically the email client will connect to dovecot but dovecot will forward it to the mail server.
Proxying using auth_mechanism as PLAIN is working but if I use ntlm authentication it just connects into the dovecot server and dovecot server does not proxy to to the mail server.
I tried using passdb driver = sql, passdb driver = static, passdb driver = lua and all of them are working when the email client connects using plain auth, once dovecot authenticates the user it will proxy it to the mail server but when I use ntlm authentication it just connects to dovecot and does not do a proxy to the mail server.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
If you can do NTLM, you can do GSSAPI too. Which even Microsoft recommends. So I would very strongly suggest using that.
Aki
On 21/04/2024 12:30 EEST Bob Gustafson via dovecot <dovecot@dovecot.org> wrote:
Maybe use Wireshark to get an independent check on what the logs are saying?
On 4/18/24 20:27, karl.l--- via dovecot wrote:
Hi,
This is my dovecot version:
root@freebsdsvr:~ # dovecot --version 2.3.21 (47349e2482)
I'm having trouble in making dovecot as proxy to the mail server when using ntlm authentication. My setup looks like this: email client ------> dovecot (will act as proxy) -------> mail server so basically the email client will connect to dovecot but dovecot will forward it to the mail server.
Proxying using auth_mechanism as PLAIN is working but if I use ntlm authentication it just connects into the dovecot server and dovecot server does not proxy to the mail server.
I tried using passdb driver = sql, passdb driver = static, passdb driver = lua and all of them are working when the email client connects using plain auth, once dovecot authenticates the user it will proxy it to the mail server but when I use ntlm authentication it just connects to dovecot and does not do a proxy to the mail server.
Hi Aki
We would like NTLM support so customers that have enabled it in outlook and other email clients can continue to authenticate when we update our dovecot server. We are not running kerberos/samba/active directory or any other directory system. I am not sure how GSSAPI would assist us with this requirement.
Given that we are using an sql passdb, will this work and if so any pointers would be appreciated.
Thanks
On 26/04/2024 13:00 EEST karl.l--- via dovecot <dovecot@dovecot.org> wrote:
Hi Aki
We would like NTLM support so customers that have enabled it in outlook and other email clients can continue to authenticate when we update our dovecot server. We are not running kerberos/samba/active directory or any other directory system. I am not sure how GSSAPI would assist us with this requirement.
Given that we are using an sql passdb, will this work and if so any pointers would be appreciated.
Thanks
For the behaviour you're seeing, it does sound like a bug, but NTLM support has not been in since 2.3.14 anymore because Microsoft recommends not implementing it anymore and the implementation was unsafe.
Aki
participants (5)
- Aki Tuomi
- Benny Pedersen
- Bob Gustafson
- karl.l@as7600.net
- Peter