[Dovecot] NTLM authentication in Thunderbird vs Outlook 2010.

Alexandr Sabitov alexandr.sabitov at netregistry.com.au
Wed Nov 20 02:50:17 EET 2013


Hi List,

I am using Dovecot 2.1.12 with NTLM authentication enabled.
Dovecot is set up in a cluster with directors, 60 000 connections simultaneously.
I have noticed that NTLM authentication is processed differently for Thunderbird and Outlook 2010 users.
It actually makes Outlook 2010 clients query LDAP more often than Thunderbird ones, which is potentially not good
for overall performance.
Dovecot does not see a domain in the NTLM Type 3 message, but it does exist there.
Could somebody please explain why this is happening?

Tcpdump
Thunderbird:
1) IP proxy.netregistry.net.19228 > dovecot-test-1.private.netregistry.net.pop3
E..3.. at .}..........)K..n#...9...P..qXT..AUTH NTLM

2) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.19228
E..,.. at .@.,....).....nK.9...#...P....W..+

3) IP proxy.netregistry.net.19228 > dovecot-test-1.private.netregistry.net.pop3
E..V.. at .}..........)K..n#...9...P..m.n..TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

4) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.19228
E..... at .@., at ...).....nK.9...#..:P.......+ TlRMTVNTUAACAAAAHAAcADAAAAAFAooAbuK/LV9v9xIAA
AAAAAAAACQAJABMAAAAZABvAHYAZQBjAG8AdAAtAHQAZQBzAHQALQAxAAMAHABkAG8
AdgBlAGMAbwB0AC0AdABlAHMAdAAtADEAAAAAAA==

5) IP proxy.netregistry.net.19228 > dovecot-test-1.private.netregistry.net.pop3
E..&.. at .}..........)K..n#..:9...P...|...TlRMTVNTUAADAAAAGAAYAIwAAAAYABgApAAAAAAAAABAAA
AAOAA4AEAAAAAUABQAeAAAAAAAAAAAAAAABQIIAG0AaQBnAHIAYQB0AGkAbwBuAC4AdAB
lAHMAdABAAG4AZQB0AHcAbwByAGsALgBpAGQALgBhAHUAbQB5AHAAcgBvAGoAZQBjAHQA
cwBEqdTLLSMLdQAAAAAAAAAAAAAAAAAAAADZv(...)=

Base64 decoding of the last message (NTLM Type 3): NTLMSSP?.m.i.g.r.a.t.i.o.n...t.e.s.t.@.n.e.t.w.o.r.k...i.d...a.u.m.y.p.r.o.j.e.c.t.s.D-#?u.......................(....)Nh\P

6) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.19228
E..(.. at .@.,....).....nK.9...#..8P.. .'..
7) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.19228
E..8.. at .@.,....).....nK.9...#..8P.. .c..+OK Logged in.

From logs:
Nov 19 18:14:53 dovecot-test-1 dovecot: auth: Debug: ldap(migration.test@network.id.au,203.30.252.5,<sI7Ga4LrOADLHvwF>): pass search: base=ou=email, dc=netregistry, dc=net scope=subtree filter=(&(objectClass=nrPOPAccount)(uid=migration.test@network.id.au)) fields=uid,userPassword
Nov 19 18:14:53 dovecot-test-1 dovecot: auth: Debug: ldap(migration.test@network.id.au,203.30.252.5,<sI7Ga4LrOADLHvwF>): result: uid=migration.test@network.id.au userPassword=Secret123
All good.

Outlook 2010:
1) IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3
E..3.. at .}..........)...n...Q..f9P..qOv..AUTH NTLM

2) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129
E..,.. at .@.P....).....n....f9...\P....W..+

3) IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3
E..b.. at .}..........)...n...\..f=P..m....TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

4) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129
E..... at .@.Pe...).....n....f=....P.......+ TlRMTVNTUAACAAAAHAAcADAAAAAFAooAQlAQ6i5tIiIAAAAAAAAAACQAJA
BMAAAAZABvAHYAZQBjAG8AdAAtAHQAZQBzAHQALQAxAAMAHABkAG8AdgBlAGMAbwB0AC0AdABlAHM
AdAAtADEAAAAAAA==

5) IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3
E..... at .}..........)...n......f.P....c..TlRMTVNTUAADAAAAGAAYAJIAAAAYABgAqgAAABoAGgBIAAAAHAAcAGIAAAAUA
BQAfgAAAAAAAADCAAAABQKIAgUBKAoAAAAPbgBlAHQAdwBvAHIAawAuAGkAZAAuAGEAdQBtAGkAZwByAG
EAdABpAG8AbgAuAHQAZQBzAHQATQBZAFAAUgBPAEoARQBDAFQAUwADFLugRfGh3gAAAAAAAAAAAAAAAA
AAAAA(...)=

Base64 decoding of the last message (NTLM Type 3): NTLMSSP.....................H....b..~.?????(
...?n.e.t.w.o.r.k...i.d...a.u.m.i.g.r.a.t.i.o.n...t.e.s.t.M.Y.P.R.O.J.E.C.T.S.??E..(....)..q?%/

6) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129
E..(.. at .@.Q....).....n....f.....P.. .5..
7) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129
E..E.. at .@.P....).....n....f.....P.. .p..-ERR Authentication failed.

From logs:
Nov 19 18:33:24 dovecot-test-1 dovecot: auth: Debug: ldap(migration.test,203.30.252.5,<Hab+rYLrPQDLHvwF>): pass search: base=ou=email, dc=netregistry, dc=net scope=subtree filter=(&(objectClass=nrPOPAccount)(uid=migration.test)) fields=uid,userPassword
Nov 19 18:33:24 dovecot-test-1 dovecot: auth: ldap(migration.test,203.30.252.5,<Hab+rYLrPQDLHvwF>): unknown user
Well, WHERE is my domain in the LDAP query? :)

8) IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3
E..K..@.}..........)...n......f.P...X,..USER migration.test@network.id.au

9) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129
E..(.. at .@.P....).....n....f.....P.. ....
10) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129
E..-.. at .@.P....).....n....f.....P.. .X..+OK

11) IP proxy.netregistry.net.47129 > dovecot-test-1.private.netregistry.net.pop3
E..7.. at .}..........)...n......f.P...l;..PASS Secret123

12) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129
E..(.. at .@.P....).....n....f.....P.. ....
13) IP dovecot-test-1.private.netregistry.net.pop3 > proxy.netregistry.net.47129
E..8.. at .@.P....).....n....f.....P.. .c..+OK Logged in.

Configuration file

This is the LDAP configuration on one of the director servers where clients are authenticated.

uris =  ldap://ldap-node-2.mynetwork.net, ldap://ldap-node-3.mynetwork.net
debug_level = 0
base = ou=email, dc=netregistry, dc=net

user_attrs = homeDirectory=home, uidNumber=uid, gidNumber=gid, mailQuotaSize=quota_rule=*:storage=%$
user_filter = (&(objectClass=nrPOPAccount)(uid=%u))
pass_attrs = uid=user, userPassword=password, =proxy=y, =destuser=%u, =pass=Secret456
pass_filter = (&(objectClass=nrPOPAccount)(uid=%u))

default_pass_scheme = PLAIN


Regards,
Alexandr Sabitov
System Administrator
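
Added example, not part of the original post: a Python sketch that decodes the domain, user and workstation security buffers of an NTLM Type 3 message, showing the two field layouts visible in the captures above (full address in the user field with an empty domain, versus user and domain in separate fields). The sample messages are constructed with zeroed responses; `build_type3` and `full_login` are hypothetical helpers and say nothing about how Dovecot itself handles the fields.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # set: strings are UTF-16LE, otherwise OEM

def _secbuf(msg, pos):
    # Security buffer = length (2), max length (2), payload offset (4), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[offset:offset + length]

def parse_type3(b64):
    msg = base64.b64decode(b64)
    if len(msg) < 64 or msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    # Header order: LM resp @12, NT resp @20, domain @28, user @36, workstation @44.
    return {"domain": _secbuf(msg, 28).decode(enc),
            "user": _secbuf(msg, 36).decode(enc),
            "workstation": _secbuf(msg, 44).decode(enc)}

def build_type3(domain, user, workstation, flags=0x00080205):
    # Hypothetical helper producing a CONSTRUCTED sample; responses are zero bytes.
    parts = [bytes(24), bytes(24), domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header, payload, offset = b"", b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    msg = SIG + struct.pack("<I", 3) + header + struct.pack("<I", flags) + payload
    return base64.b64encode(msg).decode()

def full_login(fields):
    # Hypothetical: the login name the poster expected to reach the LDAP filter.
    if fields["domain"] and "@" not in fields["user"]:
        return fields["user"] + "@" + fields["domain"]
    return fields["user"]

# Constructed samples mirroring the two field layouts in the captures.
THUNDERBIRD_STYLE = build_type3("", "migration.test@network.id.au", "myprojects")
OUTLOOK_STYLE = build_type3("network.id.au", "migration.test", "MYPROJECTS")

if __name__ == "__main__":
    for name, sample in (("Thunderbird", THUNDERBIRD_STYLE), ("Outlook 2010", OUTLOOK_STYLE)):
        fields = parse_type3(sample)
        print(name, fields, "->", full_login(fields))
```

With the Outlook-style layout the user field alone is `migration.test`, which is the value that appears in the failing LDAP filter in the log above.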

