[Dovecot] NTLM authentication mechanism with Postfix

Matthew Larsen utegrad at gmail.com
Thu Jun 27 03:27:10 EEST 2013


I'm working on getting authentication for Postfix smtpd clients
working with Dovecot.  I've got both plain text and GSSAPI mechanisms
working.  Winbind also works for shell access and the command line
tests work fine.

If I can get NTLM authentication working I can use Postfix as a drop-in
replacement for an MS MTA I want to get rid of.

I'm hoping the community might be able to offer some insight into what
I'm missing to get NTLM authentication working with Dovecot and
Postfix.  Something related to winbind I suspect.


When I use the NTLM mechanism I get this in my maillog file.  Nothing
seems to show up in the winbind files for this.

----  log file from NTLM mechanism used ----

Jun 26 17:02:53 SBSMTPNV05 postfix/smtpd[2221]: connect from
nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: Debug: client in:
AUTH#0112#011NTLM#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=TlRM...A=
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: Debug: client out:
CONT#0112#011TlRM....A
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: Debug: client in:
CONT#0112#011TlRM....Q=
Jun 26 17:02:53 SBSMTPNV05 dovecot: auth: winbind(?,10.20.2.0): user
not authenticated: NT_STATUS_UNSUCCESSFUL
Jun 26 17:02:55 SBSMTPNV05 postfix/smtpd[2221]: warning:
nvit01b.mydomain.com[10.20.2.0]: SASL NTLM authentication failed:
TlRM....A
Jun 26 17:02:55 SBSMTPNV05 dovecot: auth: Debug: client out: FAIL#0112
Jun 26 17:02:59 SBSMTPNV05 postfix/smtpd[2221]: disconnect from
nvit01b.mydomain.com[10.20.2.0]

------------------------------------------


---- log file from GSSAPI mechanism used -----

Jun 26 17:02:08 SBSMTPNV05 postfix/smtpd[2221]: connect from
nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: auth client connected
(pid=2221)
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client in:
AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=YIIN....
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: ....g==
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: gssapi(?,10.20.2.0):
Obtaining credentials for smtp@
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug:
gssapi(myusername at MYDOMAIN.COM,10.20.2.0): security context state
completed.
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client out:
CONT#0111#011YIGVB....E=
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client in: CONT#0111#011
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug:
gssapi(myusername at MYDOMAIN.COM,10.20.2.0): Negotiated security layer
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client out:
CONT#0111#011BQQF/w....M=
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client in:
CONT#0111#011BQQE/w....u
Jun 26 17:02:08 SBSMTPNV05 dovecot: auth: Debug: client out:
OK#0111#011user=myusername
Jun 26 17:02:08 SBSMTPNV05 postfix/smtpd[2221]: AE80A80592:
client=nvit01b.mydomain.com[10.20.2.0], sasl_method=GSSAPI,
sasl_username=myusername
Jun 26 17:02:08 SBSMTPNV05 postfix/cleanup[2219]: AE80A80592:
message-id=<51CB8100.1010103 at example.com>
Jun 26 17:02:08 SBSMTPNV05 postfix/qmgr[1999]: AE80A80592:
from=<matthew at example.com>, size=2178, nrcpt=1 (queue active)
Jun 26 17:02:08 SBSMTPNV05 postfix/smtpd[2221]: disconnect from
nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:02:09 SBSMTPNV05 postfix/smtp[2220]: AE80A80592:
to=<utegrad at gmail.com>,
relay=gmail-smtp-in.l.google.com[74.125.129.27]:25, delay=0.93,
delays=0.09/0/0.15/0.69, dsn=2.0.0, status=sent (250 2.0.0 OK
1372291329 y9si419401pay.83 - gsmtp)
Jun 26 17:02:09 SBSMTPNV05 postfix/qmgr[1999]: AE80A80592: removed

----------------------------------------------


---- log file from plain text mechanism -----

Jun 26 17:01:08 SBSMTPNV05 postfix/smtpd[2209]: connect from
nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: auth client connected
(pid=2209)
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011secured#011resp=AG1sYXJzZW4ASWRvbnR3YW50Mg==
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libmech_gssapi.so
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug:
pam(myusername,10.20.2.0): lookup service=dovecot
Jun 26 17:01:08 SBSMTPNV05 dovecot: auth: Debug:
pam(myusername,10.20.2.0): #1/1 style=1 msg=Password:
Jun 26 17:01:09 SBSMTPNV05 dovecot: auth: Debug: client out:
OK#0111#011user=myusername
Jun 26 17:01:09 SBSMTPNV05 postfix/smtpd[2209]: 82C3780592:
client=nvit01b.mydomain.com[10.20.2.0], sasl_method=PLAIN,
sasl_username=myusername
Jun 26 17:01:09 SBSMTPNV05 postfix/cleanup[2219]: 82C3780592:
message-id=<51CB80C4.6020107 at example.com>
Jun 26 17:01:09 SBSMTPNV05 postfix/qmgr[1999]: 82C3780592:
from=<matthew at example.com>, size=2728, nrcpt=1 (queue active)
Jun 26 17:01:09 SBSMTPNV05 postfix/smtpd[2209]: disconnect from
nvit01b.mydomain.com[10.20.2.0]
Jun 26 17:01:10 SBSMTPNV05 postfix/smtp[2220]: 82C3780592:
to=<utegrad at gmail.com>,
relay=gmail-smtp-in.l.google.com[74.125.129.27]:25, delay=1.3,
delays=0.05/0.04/0.46/0.74, dsn=2.0.0, status=sent (250 2.0.0 OK
1372291270 sb1si125565pbb.232 - gsmtp)
Jun 26 17:01:10 SBSMTPNV05 postfix/qmgr[1999]: 82C3780592: removed

---------------------------------------------


Here's some of the supporting configuration information:

---- postconf -n -----------

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
debug_peer_list =
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
line_length_limit = 6144
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = srvsbsmtp05.mydomain.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions =
permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550

----------------------------------


---- doveconf -n ----

# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.11.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_debug_passwords = yes
auth_mechanisms = plain gssapi ntlm login
auth_use_winbind = yes
listen = *
mbox_write_locks = fcntl
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

-----------------------

---- Samba configuration ----

[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        server string = Samba Server Version %v
        security = ADS
        kerberos method = system keytab
        log file = /var/log/samba/log.%m
        max log size = 50
        printcap name = /dev/null
        domain master = No
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        idmap config * : range = 10000-50000
        idmap config * : backend = tdb
        printing = bsd
        cups options = raw
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j

------------------------------
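An added example (not from the post, and not Dovecot's or Postfix's own code) that parses the `auth: Debug: client in/out` lines shown above: it undoes the `#011` tab escaping syslog applies to the auth-client protocol, follows each request id through AUTH/CONT/OK/FAIL, decodes the NTLMSSP message type of each blob so you can see that the NTLM handshake reaches the type-3 response before winbind rejects it, and redacts PLAIN responses because `auth_debug_passwords = yes` writes the base64 credential to the log in full. The log lines are constructed to mirror the post's format (unwrapped, hostname replaced).

```python
import base64, re, struct
from collections import defaultdict

# Constructed sample lines in the format of the post's Dovecot "auth: Debug"
# messages: one NTLM request that fails, one PLAIN request that succeeds.
SAMPLE_LOG = """\
Jun 26 17:02:53 host dovecot: auth: Debug: client in: AUTH#0112#011NTLM#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011resp=TlRMTVNTUAABAAAA
Jun 26 17:02:53 host dovecot: auth: Debug: client out: CONT#0112#011TlRMTVNTUAACAAAA
Jun 26 17:02:53 host dovecot: auth: Debug: client in: CONT#0112#011TlRMTVNTUAADAAAA
Jun 26 17:02:55 host dovecot: auth: Debug: client out: FAIL#0112
Jun 26 17:01:08 host dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=10.20.4.12#011rip=10.20.2.0#011secured#011resp=AHRlc3R1c2VyAHMzY3IzdA==
Jun 26 17:01:09 host dovecot: auth: Debug: client out: OK#0111#011user=testuser
"""
LINE_RE = re.compile(r"dovecot: auth: Debug: client (in|out): (.+)$")

def ntlm_type(resp_b64):
    """Return the NTLMSSP message type (1, 2 or 3) of a base64 blob, else None."""
    raw = base64.b64decode(resp_b64 + "=" * (-len(resp_b64) % 4))
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        return struct.unpack("<I", raw[8:12])[0]
    return None

def describe(mech, resp):
    """Label one protocol blob without ever echoing a PLAIN credential."""
    if mech == "PLAIN":  # auth_debug_passwords = yes logs "\0user\0password" verbatim
        return "PLAIN credential [redacted]"
    t = ntlm_type(resp) if mech == "NTLM" else None
    return f"NTLM type {t}" if t else f"{mech} blob ({len(resp)} b64 chars)"

def parse_auth_debug(log_text):
    """Follow each auth-client request id through AUTH/CONT/OK/FAIL."""
    reqs = defaultdict(lambda: {"mech": None, "rip": None, "steps": [], "result": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = m.group(2).replace("#011", "\t").split("\t")  # syslog tab escape
        cmd, r = fields[0], reqs[fields[1]]
        if cmd == "AUTH":
            r["mech"] = fields[2]
            for f in fields[3:]:
                if f.startswith("rip="):
                    r["rip"] = f[4:]
                elif f.startswith("resp="):
                    r["steps"].append(describe(r["mech"], f[5:]))
        elif cmd == "CONT":
            r["steps"].append(describe(r["mech"], fields[2] if len(fields) > 2 else ""))
        elif cmd in ("OK", "FAIL"):
            r["result"] = cmd
    return dict(reqs)
```

Running `parse_auth_debug` over a real maillog shows, per request, which mechanism was used, how far the exchange got and whether it ended in OK or FAIL, without copying credentials into another file.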

