How to "Windows Authenticate"

Mark Foley mfoley at
Wed Sep 16 21:44:24 UTC 2015

Love your "ASCII Ribbon Campaign" signature! I still use mailx myself.

I'll have to check out that "access denied" message for the email to
mfoley at I haven't seen that before. is not blocked in my
access.db. Hmmm ...

Anyway, yes, I've been through those instructions over and over and they
certainly do "suggest" it should work, but I haven't yet found anyone that has
actually got it working. I assume you have not either, right?

The platform these instructions are targeted to is not quite my setup as the
Dovecot host is also the AD/DC using Samba4, so the DC/join instructions don't
apply, nor does the Kerberos: "Please note that you do not need to install or
configure any other Kerberos KDC for Samba to work.  Samba includes a
AD-compatible KDC, currently based on an included copy of the Heimdal project."

Also, the instruction in the link you reference must be a bit out of date
because the suggested userdb:

userdb static {
   args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln

gives an error with my dovecot 2.2.15. The word "static" has to go inside the
curly-braces as "driver static" and the "allow_all_users" has to be added to the
'args' string. Otherwise, Dovecot won't run the config as shown in the link.

Otherwise and with the above changes to the userdb, I believe I've followed all
applicable instructions in that link.  The error I get with my config in the
Dovecot log is:

Sep 13 00:53:12 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=, lip=, session=<2PnkuZkfqADAqAA6>

Any idea what would generate this message?


-----Original Message-----
> Subject: Re: How to "Windows Authenticate"
> From: Remko Lodder <remko at>
> Date: Wed, 16 Sep 2015 19:38:08 +0200
> To: Mark Foley <mfoley at>
> Cc: dovecot at
> > On 16 Sep 2015, at 19:10, Mark Foley <mfoley at> wrote:
> > 
> > Does the Dovecot NTLM mechanism work with MS Outlook?
> > 
> > [ ] YES
> > [ ] NO
> > 
> > Please check one ... anybody.
> > 
> > --Mark
> The URL on the wiki, which had probably been shared before with you,
> suggests it does.
> The URL quotes:
> Step 5. Passwordless authentication
> If you have logged on from Windows to the AD domain, try leaving the password field, on the account, on the MUA, blank. The username / password, from the initial logon to the Windows machine, are seamlessly picked up and supplied to the challenge-response process between the MUA, Dovecot and AD. Employing this way of authentication  we achieve single sign-on and we don't need to maintain MUA local passwords.
> Did you follow the suggestions that are on that page? (all of them).
> Thank you,
> Remko
> --
> /"\   Best regards,                      | remko at
> \ /   Remko Lodder                       | remko at EFnet
>  X          |
> / \   ASCII Ribbon Campaign              | Against HTML Mail and News
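
The userdb change described in the message above, written out in Dovecot 2.x block syntax. This is an added example, not part of the original post or the wiki page; the uid, gid and home values are the ones quoted in the message, and allow_all_users=yes is assumed to be the form of the option the author refers to.

```conf
# Old-style block as quoted from the wiki (rejected by Dovecot 2.2.15
# according to the message):
#
#   userdb static {
#      args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
#   }

# Dovecot 2.x form: the driver is named inside the braces.
userdb {
  driver = static
  # allow_all_users=yes tells the static userdb not to verify that the
  # user exists through a passdb lookup. Every name that reaches this
  # userdb is then mapped to uid/gid 501 and a home under /home/vmail,
  # so the authentication mechanism in front of it is the only check
  # on who the user is.
  args = uid=501 gid=501 home=/home/vmail/%1Ln/%Ln allow_all_users=yes
}
```

Running `doveconf -n` after the edit prints the parsed configuration, or the syntax error if the block is still rejected.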
