[Dovecot] NTLM oddities

Andrey Panin pazke at donpac.ru
Tue Feb 20 06:52:59 UTC 2007

On Mon, Feb 19, 2007 at 04:33:48PM -0700, Cassidy B. Larson wrote:
> Started implementing the MasterUser changes to my config files so I can
> finally offer SPA for pop3/imap.
> Things are working fine with the MasterUser (hooray!), however one of my
> guys started using SPA with Outlook Express and started getting another
> users mailbox.
> Turns out to be related to NTLM.  His Outlook Express is configured for the
> username of 'johnsmith'. However, you'll see the NTLM took the username from
> his XP machine login, it appears, which is just "John".  However, what is
> really weird, is the "failed" on the "client out" line, but then the proxy
> went ahead and proxied to the storage server.
> Here's some output from debuggage:
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH
> 1       NTLM    service=POP3    lip=       rip=
> resp=
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out:
> CONT        1
> dovecot: Feb 19 16:15:56 Info: auth-worker(mail.infowest.com): sql(John,
> query: SELECT a.clearpasswd AS password, v.storeIP AS host,
> '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)),'*masteruser')
> AS destuser, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy, 'masterpass' AS
						Hmm, suspicious.

> pass FROM iwmailsystem.virtmailbox AS v INNER JOIN
> iwmailsystem.popserversAS p ON (
> p.storeIP = '') INNER JOIN authenticate.users AS a ON
> (a.userID= IF('John' LIKE
> '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',
> p.host))) WHERE v.userID = IF('John' LIKE
> '%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)) AND
> v.client_active=1;
> dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): password(John,
> Credentials: 8447128CC04AD05D1CD15F0C2F17F136

Seems like your SELECT returned some data about user 'John' with proxy=Y and
dovecot preferred proxy=Y over authentication failure...

> dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out:
> FAIL        1       user=John       host=      destuser=
> john at host.com*masteruser   nologin proxy   pass=masterpass
> dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to
> user=<John>, method=NTLM, rip=, lip=
> Questions:
> 1) So is it possible to use OE for SPA authentication without it sending the
> "XP username", but the actual account username OE is configured for?

No. Microsoft does this intentionally to provide so-called "single sign-on".

> 2) Why, when it "FAIL"ed did it still proxy?  This seems bad :)

We should ask Timo I think :)

Andrey Panin		| Linux and UNIX system administrator
pazke at donpac.ru		| PGP key: wwwkeys.pgp.net
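The two symptoms in the quoted log (a "client out: FAIL" reply that still carries the passdb's proxy attributes, and the login process then "started proxying" for that same user) are easy to miss by eye in a busy auth debug log. The following is an added example, not code from the thread or from the Dovecot project: a small Python audit that replays auth debug lines and reports a FAIL reply that still contains "proxy", a proxy start for a user whose latest auth reply was FAIL, and a proxy password leaking into the debug output (the "pass=masterpass" visible above). The sample lines are constructed from the format quoted in the thread; host names and addresses are placeholders, and the tab-separated layout of the "client in/out" lines is an assumption taken from that quoted output.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line kind user detail")

# Constructed sample, reshaped from the format quoted in the thread.
# Hosts and addresses are placeholders; the tab separators are assumed.
SAMPLE_LOG = (
    "dovecot: Feb 19 16:15:56 Info: auth(mail.example.test): client in: AUTH\t1\tNTLM\t"
    "service=POP3\tlip=192.0.2.10\trip=198.51.100.7\tresp=\n"
    "dovecot: Feb 19 16:15:56 Info: auth(mail.example.test): client out: CONT\t1\n"
    "dovecot: Feb 19 16:15:57 Info: auth(mail.example.test): client out: FAIL\t1\tuser=John\t"
    "host=192.0.2.20\tdestuser=john@example.test*masteruser\tnologin\tproxy\tpass=masterpass\n"
    "dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to "
    "user=<John>, method=NTLM, rip=198.51.100.7, lip=192.0.2.10\n"
    "dovecot: Feb 19 16:16:02 Info: auth(mail.example.test): client in: AUTH\t2\tPLAIN\t"
    "service=POP3\tlip=192.0.2.10\trip=198.51.100.8\tresp=\n"
    "dovecot: Feb 19 16:16:02 Info: auth(mail.example.test): client out: OK\t2\t"
    "user=jane@example.test\thost=192.0.2.20\tproxy\n"
    "dovecot: Feb 19 16:16:02 Info: pop3-login: proxy(jane@example.test): started proxying to "
    "user=<jane@example.test>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.10\n"
)

AUTH_IN = re.compile(r"client in: AUTH\t(?P<id>\d+)\t(?P<mech>\S+)")
AUTH_OUT = re.compile(r"client out: (?P<status>OK|FAIL|CONT)\t(?P<id>\d+)(?P<rest>.*)")
PROXY_START = re.compile(r"proxy\((?P<user>[^)]+)\): started proxying")


def _attrs(rest):
    """Split the tab-separated tail of a 'client out' reply into key=value pairs and bare flags."""
    kv, flags = {}, set()
    for tok in rest.strip("\t").split("\t"):
        if not tok:
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            kv[key] = value
        else:
            flags.add(tok)
    return kv, flags


def audit(log_text):
    """Return Findings for auth replies and proxy starts that contradict each other."""
    findings = []
    mech_by_id = {}           # auth request id -> mechanism announced on 'client in'
    last_reply_by_user = {}   # user -> (status, request id, mechanism) of the latest reply
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = AUTH_IN.search(line)
        if m:
            mech_by_id[m["id"]] = m["mech"]
            continue
        m = AUTH_OUT.search(line)
        if m:
            kv, flags = _attrs(m["rest"])
            user = kv.get("user")
            mech = mech_by_id.get(m["id"], "?")
            if user:
                last_reply_by_user[user] = (m["status"], m["id"], mech)
            # Authentication failed, yet the passdb lookup still returned proxy attributes.
            if m["status"] == "FAIL" and "proxy" in flags:
                findings.append(Finding(lineno, "fail-with-proxy", user,
                                        f"request {m['id']} ({mech}) failed but reply carries "
                                        f"proxy to host {kv.get('host')}"))
            # Debug logging is exposing the proxy (master) password in clear text.
            if "pass" in kv:
                findings.append(Finding(lineno, "password-logged", user,
                                        "proxy password present in auth debug output"))
            continue
        m = PROXY_START.search(line)
        if m:
            user = m["user"]
            status, rid, mech = last_reply_by_user.get(user, (None, None, None))
            # The login process proxied a session whose auth reply was FAIL.
            if status == "FAIL":
                findings.append(Finding(lineno, "proxy-after-fail", user,
                                        f"proxying started although request {rid} ({mech}) "
                                        f"returned FAIL"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind} user={f.user}: {f.detail}")
```

Run against a real auth debug log, the script reads stdin or a file instead of SAMPLE_LOG; the three findings it raises on the sample correspond one-to-one to the FAIL-with-proxy reply, the password in the log, and the proxy start for John in the quoted output, while jane's OK-then-proxy sequence produces nothing.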
