[Dovecot] NTLM oddities
pazke at donpac.ru
Tue Feb 20 06:52:59 UTC 2007
On Mon, Feb 19, 2007 at 04:33:48PM -0700, Cassidy B. Larson wrote:
> Started implementing the MasterUser changes to my config files so I can
> finally offer SPA for pop3/imap.
> Things are working fine with the MasterUser (hooray!), however one of my
> guys started using SPA with Outlook Express and started getting another
> user's mailbox.
> Turns out to be related to NTLM. His Outlook Express is configured for the
> username of 'johnsmith'. However, you'll see the NTLM took the username from
> his XP machine login, it appears, which is just "John". However, what is
> really weird is the "failed" on the "client out" line, but then the proxy
> went ahead and proxied to the storage server.
> Here's some output from debuggage:
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH
> 1 NTLM service=POP3 lip=18.104.22.168 rip=22.214.171.124
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out:
> CONT 1
> dovecot: Feb 19 16:15:56 Info: auth-worker(mail.infowest.com): sql(John,
> 126.96.36.199): query: SELECT a.clearpasswd AS password, v.storeIP AS host,
> CONCAT(IF('John' LIKE
> AS destuser, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy, 'masterpass' AS
> pass FROM iwmailsystem.virtmailbox AS v INNER JOIN
> iwmailsystem.popserversAS p ON (
> p.storeIP = '188.8.131.52') INNER JOIN authenticate.users AS a ON
> (a.userID= IF('John' LIKE
> p.host))) WHERE v.userID = IF('John' LIKE
> '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)) AND
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): password(John,
> 184.108.40.206): Credentials: 8447128CC04AD05D1CD15F0C2F17F136
Seems like your SELECT returned some data about user 'John' with proxy=Y and
dovecot preferred proxy=Y over authentication failure...
> dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out:
> FAIL 1 user=John host=220.127.116.11 destuser=
> john at host.com*masteruser nologin proxy pass=masterpass
> dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to
> 18.104.22.168:110: user=<John>, method=NTLM, rip=22.214.171.124, lip=
> 1) So is it possible to use OE for SPA authentication without it sending the
> "XP username", but the actual account username OE is configured for?
No. Microsoft does this intentionally to provide so-called "single sign-on".
> 2) Why, when it "FAIL"ed did it still proxy? This seems bad :)
We should ask Timo I think :)
Andrey Panin | Linux and UNIX system administrator
pazke at donpac.ru | PGP key: wwwkeys.pgp.net
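A defender-side check for the second question, added here as an example (it is not part of the thread and not Dovecot's code): it scans auth/login debug lines like the ones quoted above and reports every proxy session that started for a login user whose last auth verdict was FAIL. The sample lines are constructed, with placeholder hosts and addresses.

```python
import re

# Constructed sample of Dovecot auth/login debug lines, modelled on the ones
# quoted in the thread; hosts and addresses are placeholders, not the originals.
SAMPLE_LOG = """\
dovecot: Feb 19 16:15:56 Info: auth(mail.example.com): client in: AUTH 1 NTLM service=POP3 lip=192.0.2.10 rip=198.51.100.7
dovecot: Feb 19 16:15:56 Info: auth(mail.example.com): client out: CONT 1
dovecot: Feb 19 16:15:57 Info: auth(mail.example.com): client out: FAIL 1 user=John host=192.0.2.20 destuser=john@example.com*masteruser nologin proxy pass=masterpass
dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to 192.0.2.20:110: user=<John>, method=NTLM, rip=198.51.100.7, lip=192.0.2.10
dovecot: Feb 19 16:16:03 Info: auth(mail.example.com): client out: OK 2 user=alice@example.com proxy host=192.0.2.21 pass=masterpass
dovecot: Feb 19 16:16:03 Info: pop3-login: proxy(alice@example.com): started proxying to 192.0.2.21:110: user=<alice@example.com>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.10
"""

# "client out: FAIL 1 user=John host=... destuser=... proxy ..." or "client out: OK 2 user=..."
AUTH_OUT = re.compile(
    r"auth\([^)]*\): client out: (?P<verdict>OK|FAIL) \d+ user=(?P<user>\S+)(?P<rest>.*)$")
# "pop3-login: proxy(John): started proxying to 192.0.2.20:110: ..."
PROXY_START = re.compile(r"proxy\((?P<user>[^)]+)\): started proxying to (?P<dest>\S+):")


def find_proxy_after_fail(log_text):
    """Return one (login_user, destuser, destination) tuple for every proxy
    session that was started although the auth process's last verdict for
    that login user was FAIL, i.e. the situation reported in the thread."""
    last_verdict = {}  # login user -> (verdict, destuser from the verdict line)
    findings = []
    for line in log_text.splitlines():
        m = AUTH_OUT.search(line)
        if m:
            d = re.search(r"destuser=(\S+)", m["rest"])
            last_verdict[m["user"]] = (m["verdict"], d.group(1) if d else None)
            continue
        m = PROXY_START.search(line)
        if m:
            verdict, destuser = last_verdict.get(m["user"], (None, None))
            if verdict == "FAIL":
                findings.append((m["user"], destuser, m["dest"]))
    return findings


if __name__ == "__main__":
    for user, destuser, dest in find_proxy_after_fail(SAMPLE_LOG):
        print(f"proxy started after FAIL: login={user} destuser={destuser} -> {dest}")
```

The destuser field is reported alongside the NTLM login name so that a mismatch like "John" being routed to another account's mailbox is visible in the finding itself.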