[Dovecot] NTLM oddities
Started implementing the MasterUser changes to my config files so I can finally offer SPA for pop3/imap.
Things are working fine with the MasterUser (hooray!), however one of my guys started using SPA with Outlook Express and started getting another user's mailbox.
Turns out to be related to NTLM. His Outlook Express is configured for the username of 'johnsmith'. However, you'll see the NTLM took the username from his XP machine login, it appears, which is just "John". However, what is really weird, is the "failed" on the "client out" line, but then the proxy went ahead and proxied to the storage server.
Here's some output from debuggage:
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH 1 NTLM service=POP3 lip=204.17.177.60 rip=209.33.215.142 resp=
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out: CONT 1
dovecot: Feb 19 16:15:56 Info: auth-worker(mail.infowest.com): sql(John, 209.33.215.142): query: SELECT a.clearpasswd AS password, v.storeIP AS host, CONCAT(IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)),'*masteruser') AS destuser, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy, 'masterpass' AS pass FROM iwmailsystem.virtmailbox AS v INNER JOIN iwmailsystem.popserversAS p ON ( p.storeIP = '204.17.177.60') INNER JOIN authenticate.users AS a ON (a.userID= IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@', p.host))) WHERE v.userID = IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)) AND v.client_active=1;
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): password(John, 209.33.215.142): Credentials: 8447128CC04AD05D1CD15F0C2F17F136
dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out: FAIL 1 user=John host=204.17.177.76 destuser= john@host.com*masteruser nologin proxy pass=masterpass
dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to 204.17.177.76:110: user=<John>, method=NTLM, rip=209.33.215.142, lip= 204.17.177.60
Questions:
So is it possible to use OE for SPA authentication without it sending the "XP username", but the actual account username OE is configured for?
Why, when it "FAIL"ed did it still proxy? This seems bad :)
Thanks,
Cassidy
On Mon, Feb 19, 2007 at 04:33:48PM -0700, Cassidy B. Larson wrote:
> Started implementing the MasterUser changes to my config files so I can finally offer SPA for pop3/imap.
> Things are working fine with the MasterUser (hooray!), however one of my guys started using SPA with Outlook Express and started getting another user's mailbox.
> Turns out to be related to NTLM. His Outlook Express is configured for the username of 'johnsmith'. However, you'll see the NTLM took the username from his XP machine login, it appears, which is just "John". However, what is really weird, is the "failed" on the "client out" line, but then the proxy went ahead and proxied to the storage server.
> Here's some output from debuggage:
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH 1 NTLM service=POP3 lip=204.17.177.60 rip=209.33.215.142 resp=
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out: CONT 1
> dovecot: Feb 19 16:15:56 Info: auth-worker(mail.infowest.com): sql(John, 209.33.215.142): query: SELECT a.clearpasswd AS password, v.storeIP AS host, CONCAT(IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)),'*masteruser') AS destuser, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy, 'masterpass' AS
^^^^^^^^^^^^^ Hmm, suspicious.
> pass FROM iwmailsystem.virtmailbox AS v INNER JOIN iwmailsystem.popserversAS p ON ( p.storeIP = '204.17.177.60') INNER JOIN authenticate.users AS a ON (a.userID= IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@', p.host))) WHERE v.userID = IF('John' LIKE '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)) AND v.client_active=1;
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): password(John, 209.33.215.142): Credentials: 8447128CC04AD05D1CD15F0C2F17F136
Seems like your SELECT returned some data about user 'John' with proxy=Y and dovecot preferred proxy=Y over authentication failure...
> dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out: FAIL 1 user=John host=204.17.177.76 destuser= john@host.com*masteruser nologin proxy pass=masterpass
> dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to 204.17.177.76:110: user=<John>, method=NTLM, rip=209.33.215.142, lip= 204.17.177.60
> Questions:
> - So is it possible to use OE for SPA authentication without it sending the "XP username", but the actual account username OE is configured for?
No. Microsoft does this intentionally to provide so-called "single signon".
> - Why, when it "FAIL"ed did it still proxy? This seems bad :)
We should ask Timo I think :)
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
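A log-correlation check for the behaviour discussed in this thread, added here as an example; it is not code from the thread or from Dovecot. It runs over a constructed sample made from the records quoted above (one per line) plus a made-up successful login for contrast, and reports every "started proxying" that follows a FAIL reply for the same user within a short window, as well as every auth reply that carries a pass= field in the clear (the "suspicious" field above). The record, reply and proxy-start patterns are assumptions matched to the quoted lines, not a Dovecot-maintained format definition.

```python
"""Spot Dovecot auth replies that FAIL yet are followed by proxying, and replies that carry pass=."""
import re
from datetime import datetime, timedelta

# Constructed sample: the first four records are the ones quoted in this thread
# (one record per line); the last two are a made-up successful login for contrast.
SAMPLE_LOG = """\
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH 1 NTLM service=POP3 lip=204.17.177.60 rip=209.33.215.142 resp=
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out: CONT 1
dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out: FAIL 1 user=John host=204.17.177.76 destuser=john@host.com*masteruser nologin proxy pass=masterpass
dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to 204.17.177.76:110: user=<John>, method=NTLM, rip=209.33.215.142, lip=204.17.177.60
dovecot: Feb 19 16:16:03 Info: auth(mail.infowest.com): client out: OK 2 user=alice host=204.17.177.76 destuser=alice@host.com*masteruser proxy
dovecot: Feb 19 16:16:03 Info: pop3-login: proxy(alice): started proxying to 204.17.177.76:110: user=<alice>, method=NTLM, rip=209.33.215.150, lip=204.17.177.60
"""

# Patterns are assumptions fitted to the quoted records, not an official log grammar.
RECORD_RE = re.compile(r"^dovecot: (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) Info: (?P<body>.*)$")
AUTH_REPLY_RE = re.compile(r"client out: (?P<status>OK|FAIL) (?P<id>\d+) user=(?P<user>\S+)(?P<extra>.*)$")
PROXY_START_RE = re.compile(r"proxy\((?P<user>[^)]+)\): started proxying to (?P<target>\S+):")


def parse_records(log_text):
    """Yield (timestamp, body) per dovecot record; the syslog stamp has no year, so only same-day deltas are meaningful."""
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["body"]


def find_proxy_after_fail(log_text, window=timedelta(seconds=5)):
    """Return one finding per 'started proxying' that follows a FAIL reply for the same user.

    A FAIL reply should end the login; a proxy start right after it means the
    login process honoured the proxy/host extra fields despite the failed auth.
    """
    last_reply = {}  # user -> (status, timestamp, extra-field tokens)
    findings = []
    for ts, body in parse_records(log_text):
        reply = AUTH_REPLY_RE.search(body)
        if reply:
            last_reply[reply["user"]] = (reply["status"], ts, reply["extra"].split())
            continue
        start = PROXY_START_RE.search(body)
        if start:
            prev = last_reply.get(start["user"])
            if prev and prev[0] == "FAIL" and ts - prev[1] <= window:
                findings.append({"user": start["user"], "target": start["target"],
                                 "fail_fields": prev[2]})
    return findings


def find_pass_in_reply(log_text):
    """Return (user, status) for every auth reply that carries a pass=... field.

    Whatever the status, a master password echoed into the auth reply lands in
    the debug log; this lists those records so the field can be reviewed.
    """
    leaks = []
    for _, body in parse_records(log_text):
        reply = AUTH_REPLY_RE.search(body)
        if reply and any(tok.startswith("pass=") for tok in reply["extra"].split()):
            leaks.append((reply["user"], reply["status"]))
    return leaks


if __name__ == "__main__":
    for f in find_proxy_after_fail(SAMPLE_LOG):
        print("FAIL followed by proxying:", f)
    for user, status in find_pass_in_reply(SAMPLE_LOG):
        print(f"pass= field present in {status} reply for {user}")
```

On the sample this reports John (FAIL at 16:15:57, proxied the same second, with both nologin and proxy among the reply's fields) and nothing for alice, whose reply was OK. The window keeps an unrelated later login from being paired with an old failure.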
On Mon, 2007-02-19 at 16:33 -0700, Cassidy B. Larson wrote:
> dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out: FAIL 1 user=John host=204.17.177.76 destuser=john@host.com*masteruser nologin proxy pass=masterpass
Well, I'm not sure if dovecot-auth should return proxy/host/etc. when auth failed, but since it's not easy to change that I just made sure that proxying isn't started unless authentication succeeded.
> Well, I'm not sure if dovecot-auth should return proxy/host/etc. when auth failed, but since it's not easy to change that I just made sure that proxying isn't started unless authentication succeeded.
Your change correctly fixes this. Running RC23 on my proxies and authenticating/proxying correctly with NTLM. As an added bonus, no more downloading other users' mailboxes :)
Thanks as usual,
-cassidy
participants (3):
- Andrey Panin
- Cassidy B. Larson
- Timo Sirainen