Need to authenticate Outlook and NTLM

Stuart Henderson stu at spacehopper.org
Mon Feb 18 12:17:16 EET 2019


On 2019-02-13, Mark Foley via dovecot <dovecot at dovecot.org> wrote:
> Is it possible that no one on this list is authenticating Outlook with Dovecot and NTLM?

Yes, it's possible, the outdated instructions you found on the wiki
suggest it's an uncommon configuration.

No actual answers from me, but it might give you some clues:

> More on this ...
>
> I short-sheeted ntlm_auth to see what was being passed to it. It is getting as arg1:
>
> --helper-protocol=squid-2.5-ntlmssp
>
> I tried running ntlm_auth at the command line as:
>
> ntlm_auth --username=user --password=password --helper-protocol=squid-2.5-ntlmssp
>
> It did nothing, just hung there. The ntlm_auth man page says:
>
> --helper-protocol=PROTO
>   Operate as a stdio-based helper. Valid helper protocols are:

The squid auth helpers are stdio-based, they run in a loop, reading from
stdin, checking authentication, and return results on stdout. This avoids both
passing sensitive data on the command line (visible to ps, at least briefly)
and the need to keep forking and initialising a new process.

So it's normal that it would just sit waiting for input.

Dovecot is just reusing the same protocol that squid uses.

> After more searching I came across this post, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
> which, in summary, said that ntlm_auth had to run as root. So, I added the following to my
> dovecot config per that post's suggestion:
>
> service auth {
>   user = root
> }
>
> After restarting and trying again to connect from Outlook I got the message:
>
> auth: Info: ntlm(?,192.168.0.58,<SCINjFqBKcXAqAA6>): user not authenticated: NT_STATUS_NO_MEMORY

I don't know the full details of how samba/ntlm works, but this seems like
an error coming from the server you're attempting to authenticate against.
I think you should start debugging on the samba side - make sure tools
like wbinfo are working, if not then debug those with samba, then move
on to Dovecot after you have that working.
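
The helper loop described in the reply above, as an added example that is not part of the original post and is not Dovecot or Samba code: a Python client drives a stdio helper over one persistent pipe. The child is a constructed stand-in, not ntlm_auth; the YR/TT/KK/AF/NA/BH tokens are those of Squid's NTLM helper protocol, while the class name, base64 blobs and user name are made up for illustration.

```python
import subprocess
import sys

# Constructed stand-in helper (NOT ntlm_auth): loops on stdin, answers one
# line per request on stdout, and exits only when stdin reaches EOF.
STAND_IN = r'''
import sys
for line in iter(sys.stdin.readline, ""):
    cmd, _, blob = line.strip().partition(" ")
    if cmd == "YR":                                # client's opening token
        reply = "TT Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed challenge
    elif cmd == "KK" and blob == "Z29vZA==":       # constructed "valid" response
        reply = "AF alice"
    elif cmd == "KK":
        reply = "NA constructed failure"
    else:
        reply = "BH unexpected request"
    print(reply, flush=True)
'''


class StdioHelper:
    """Hypothetical client for a line-oriented stdio auth helper."""

    def __init__(self, argv):
        # One long-lived child; tokens travel over the pipe, never argv.
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def ask(self, line):
        self.proc.stdin.write(line + "\n")
        self.proc.stdin.flush()
        return self.proc.stdout.readline().rstrip("\n")

    def close(self):
        self.proc.stdin.close()          # EOF is what ends the helper loop
        code = self.proc.wait(timeout=5)
        self.proc.stdout.close()
        return code


def demo():
    helper = StdioHelper([sys.executable, "-c", STAND_IN])
    replies = [helper.ask("YR Y29uc3RydWN0ZWQ="),   # constructed blobs throughout
               helper.ask("KK Z29vZA=="),
               helper.ask("KK YmFk")]
    still_waiting = helper.proc.poll() is None      # idle helper blocks on stdin
    return replies, still_waiting, helper.close()


if __name__ == "__main__":
    print(demo())
```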
