Looking for NTLM config example

aki.tuomi at dovecot.fi
Sun Jun 26 11:00:49 UTC 2016


It should work. Although if you are using a Linux server you might want to use gssapi instead.

> On June 25, 2016 at 7:43 PM Mark Foley <mfoley at ohprs.org> wrote:
> 
> 
> I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
> 
> Does NTLM authentication work in Dovecot?
> 
> I'll post this one last time. If I still have no responses I'll have to conclude that no one
> has actually tried this authentication method and it therefore does not work.
> 
> Thanks, --Mark
> 
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Fri, 22 Apr 2016 02:07:24 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: dovecot at dovecot.org
> Subject: Looking for NTLM config example
> 
> > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take
> > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. 
> >
> > With the help of the samba maillist folks I was able to set up NTLM authentication for domain
> > user login.  I should be able to do the same for email!
> >
> > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th
> > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the
> > referenced link I found no reference to "NTLM password scheme".
> >
> > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM
> > authentication submethods are, tells you what password schemes are, tells you what the NTLM
> > client/server handshake is, but doesn't actually tell you how to configure dovecot config
> > files.  I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce,
> > MITM can't force downgrade" ...  whatever that means. 
> >
> > Anyway, probably it's my lack of understanding terminology.  I don't even know what a "nonce"
> > is.  But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM
> > and any other supporting settings or configs I need?
> >
> > My current/working dovecot settings, which have been running perfectly for well over a year
> > now, are:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > Here's what I've tried so far as 10-auth.conf:
> >
> > disable_plaintext_auth = no
> > auth_use_winbind = yes
> > info_log_path = /var/log/dovecot_info
> > auth_verbose = yes
> > auth_debug_passwords = yes
> > auth_verbose_passwords = plain
> > auth_winbind_helper_path = /usr/bin/ntlm_auth
> >
> > auth_mechanisms = ntlm plain login
> >
> > userdb {
> >   driver = passwd
> >   args = username_format=%n allow_all_users=yes
> > }
> >
> >
> > Which gives me a dovecot -n of:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = ntlm plain login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   args = username_format=%n allow_all_users=yes
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the
> > following in /var/log/dovecot_info:
> >
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> >
> >
> > On Thunderbird I got the error, "Sending of the message failed.  The Outgoing server (SMTP)
> > my.server.name does not support the selected authentication method.  Please change the
> > 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
> >
> > Clearly, something is configured wrong, but I've no clue what.
> >
> > Can I get some advice?
> >
> > THX --Mark

---
Aki Tuomi
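The two `dovecot -n` dumps quoted in the thread differ in more than the NTLM settings: the working one carries a `passdb { driver = shadow }` block, while the dump after the NTLM attempt has no passdb at all, so the auth process has no backend to verify anyone against. As an added example (not Dovecot's code and not anything posted by Mark or Aki), the script below parses `dovecot -n` output and reports that, together with the winbind prerequisites that `ntlm` in `auth_mechanisms` depends on and the settings in these dumps that log or permit cleartext credentials (`auth_verbose_passwords = plain`, `auth_debug_passwords = yes`, `disable_plaintext_auth = no`). The parser, the finding codes and the messages are this example's own; the embedded sample is the second dump from the message with the `ssl_cert`/`ssl_key` lines left out, and the default helper path `/usr/bin/ntlm_auth` is Dovecot 2.2's documented default.

```python
"""Lint a `dovecot -n` dump for the settings NTLM-over-winbind depends on.

Added example for this thread: not Dovecot project code, not Mark's or
Aki's. It parses the `key = value` / `name { ... }` text that `dovecot -n`
prints and reports what the dumps posted in the thread show. The finding
codes and messages are this script's own.
"""
import sys

# Sample input: the second `dovecot -n` output from the thread (after the NTLM
# attempt) with the ssl_cert/ssl_key lines dropped. Copied from the message.
DUMP_AFTER_NTLM = """\
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
userdb {
  args = username_format=%n allow_all_users=yes
  driver = passwd
}
verbose_ssl = yes
"""


def parse_dovecot_n(text):
    """Return (settings, sections).

    settings: top-level {key: value}.
    sections: list of (header, {key: value}) for each `header { ... }` block,
    e.g. ("passdb", {"driver": "shadow"}). Nested blocks get their own entry.
    """
    settings, sections, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):                      # block start, e.g. `passdb {`
            block = {}
            sections.append((line[:-1].strip(), block))
            stack.append(block)
        elif line == "}":                           # block end
            if stack:
                stack.pop()
        else:
            key, sep, value = line.partition("=")   # split on the first '=' only,
            if sep:                                 # `args = username_format=%n` keeps its '='
                target = stack[-1] if stack else settings
                target[key.strip()] = value.strip()
    return settings, sections


def lint_ntlm_config(text):
    """Return a list of (code, message) findings for the NTLM prerequisites and
    for logging settings that matter once real passwords pass through auth."""
    settings, sections = parse_dovecot_n(text)
    findings = []
    mechs = settings.get("auth_mechanisms", "plain").split()   # Dovecot default: plain

    # Every mechanism needs a passdb. The post-NTLM dump has none; the working
    # dump had `passdb { driver = shadow }`.
    if not any(hdr.split()[0] == "passdb" for hdr, _ in sections):
        findings.append(("NO_PASSDB", "no passdb block: auth has no backend to verify users against"))

    if "ntlm" in mechs:
        if settings.get("auth_use_winbind", "no") != "yes":
            findings.append(("WINBIND_OFF", "ntlm is enabled but auth_use_winbind is not yes"))
        helper = settings.get("auth_winbind_helper_path", "/usr/bin/ntlm_auth")  # Dovecot default
        findings.append(("WINBIND_HELPER",
                         f"ntlm is delegated to {helper}; it must be executable and winbindd running"))
        protocols = settings.get("protocols", "")
        findings.append(("PROTOCOLS_ONLY",
                         f"this dump governs AUTH for '{protocols}' only; the outgoing (SMTP) server's "
                         "mechanisms must be checked on that server"))

    if settings.get("auth_verbose_passwords", "no") == "plain":
        findings.append(("CLEARTEXT_LOG",
                         "auth_verbose_passwords = plain writes submitted passwords to the log; prefer sha1 or no"))
    if settings.get("auth_debug_passwords") == "yes":
        findings.append(("DEBUG_PW", "auth_debug_passwords = yes logs password material; turn it off after debugging"))
    if settings.get("disable_plaintext_auth") == "no":
        findings.append(("PLAINTEXT_AUTH", "disable_plaintext_auth = no allows PLAIN/LOGIN on unencrypted connections"))
    return findings


if __name__ == "__main__":
    # Lint a saved `dovecot -n` dump given as the first argument, else the embedded sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else DUMP_AFTER_NTLM
    for code, msg in lint_ntlm_config(source):
        print(f"{code:15} {msg}")
```

Run it without arguments to lint the embedded dump, or pass the path of a file holding your own `dovecot -n` output. The `CLEARTEXT_LOG` and `DEBUG_PW` findings are the ones worth acting on first in a setup like the one quoted: both dumps have been logging every submitted password in clear to `/var/log/dovecot_info` for as long as those settings have been in place.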

