[Dovecot] auth child abort - "Requested NTLM scheme, but we have only SSHA256"

Shawn Heisey dovecot at elyograg.org
Mon Nov 1 16:43:37 EET 2010


On 11/1/2010 3:12 AM, LEVAI Daniel wrote:
> I noticed these messages in my logs. It seems that the user checked the
> "encrypted password" in her outlook or something, and wants NTLM auth.
> I'm storing all the passwords as SSHA256, and when the user tries to
> auth, this happens:

Basically, if the client doesn't send cleartext and uses a different 
encryption than the server, you must have the cleartext available on the 
server side so you can encrypt it for comparison when a user 
authenticates.  Unless you want to use Microsoft's encryption or store 
cleartext passwords in your database, NTLM will not be an option for 
you.  Cleartext tends to be a very bad idea, and most people who heavily 
use UNIX or Linux are fundamentally opposed to using something 
proprietary to Microsoft unless left with no other choice.

If they chose NTLM because they are concerned about security, nothing 
beats TLS and/or SSL with a certificate issued by a trusted authority.

Shawn
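
The mismatch described in the reply above, as an added example that is not part of the original post and not Dovecot code: a salted one-way record can verify a password the client sends, but cannot recompute a challenge response. The `{SSHA256}` layout (base64 of digest followed by salt) is an assumption, the challenge-response step is a generic HMAC-SHA256 stand-in rather than NTLM's real computation, and all names and sample values are constructed.

```python
import base64
import hashlib
import hmac


def make_ssha256(password: str, salt: bytes) -> str:
    """Build a salted record: base64(sha256(password + salt) + salt) (assumed layout)."""
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()


def verify_plain(stored: str, password: str) -> bool:
    """PLAIN/LOGIN over TLS: the server receives the password and re-hashes it."""
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]
    candidate = hashlib.sha256(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)


def client_response(password: str, challenge: bytes) -> bytes:
    """Challenge-response client: proves knowledge of the password without sending it."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def mechanism_secret(stored: str):
    """Key material a challenge-response mechanism needs, or None if unavailable."""
    if stored.startswith("{PLAIN}"):
        return stored[len("{PLAIN}"):].encode()
    return None  # a salted one-way hash cannot be turned back into the key


def verify_challenge(secret, challenge: bytes, response: bytes) -> bool:
    """The server must recompute the response itself, so it needs the key."""
    if secret is None:
        return False  # the "requested scheme X, but we have only Y" situation
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    record = make_ssha256("s3cret-example", b"\x01" * 8)  # constructed sample
    challenge = b"constructed-challenge"
    response = client_response("s3cret-example", challenge)
    print("PLAIN vs SSHA256:", verify_plain(record, "s3cret-example"))
    print("challenge-response vs SSHA256:",
          verify_challenge(mechanism_secret(record), challenge, response))
```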


