Aki Tuomi aki.tuomi at
Mon Feb 18 13:03:22 EET 2019

On 18.2.2019 12.17, Stuart Henderson via dovecot wrote:
> On 2019-02-13, Mark Foley via dovecot <dovecot at> wrote:
>> Is it possible that no one on this list is authenticating Outlook with Dovecot and NTLM?
> Yes, it's possible, the outdated instructions you found on the wiki
> suggest it's an uncommon configuration.
> No actual answers from me, but it might give you some clues:
>> More on this ...
>> I short-sheeted ntlm_auth to see what was being passed to it. It is getting as arg1:
>> --helper-protocol=squid-2.5-ntlmssp
>> I tried running ntlm_auth at the command line as:
>> ntlm_auth --username=user --password=password --helper-protocol=squid-2.5-ntlmssp
>> It did nothing, just hung there. The ntlm_auth man page says:
>> --helper-protocol=PROTO
>>   Operate as a stdio-based helper. Valid helper protocols are:
> The squid auth helpers are stdio-based, they run in a loop, reading from
> stdin, checking authentication, and return results on stdout. This avoids both
> passing sensitive data on the command line (visible to ps, at least briefly)
> and the need to keep forking and initialising a new process.
> So it's normal that it would just sit waiting for input.
> Dovecot is just reusing the same protocol that squid uses.
>> After more searching I came across this post,
>> which, in summary, said that ntlm_auth had to run as root. So, I added the following to my
>> dovecot config per that post's suggestion:
>> service auth {
>>   user = root
>> }
>> After restarting and trying again to connect from Outlook I got the message:
>> auth: Info: ntlm(?,,<SCINjFqBKcXAqAA6>): user not authenticated: NT_STATUS_NO_MEMORY
> I don't know the full details of how samba/ntlm works, but this seems like
> an error coming from the server you're attempting to authenticate against.
> I think you should start debugging on the samba side - make sure tools
> like wbinfo are working, if not then debug those with samba, then move
> on to Dovecot after you have that working.
You might need to configure auth and auth-worker processes with a larger
vsz_limit, or configure default_vsz_limit = 1G.
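
The stdio helper pattern described in the quoted reply (one long-lived process, requests on stdin, results on stdout, nothing sensitive in argv), as an added example that is not part of the thread and is not Samba or Dovecot code. The `demo-lines` protocol name, the `user password` / `OK`/`ERR` line format and the `USERS` store are constructed for illustration; this is not the squid-2.5-ntlmssp message format.

```python
import hmac
import os
import subprocess
import sys

USERS = {"alice": b"correct horse"}    # constructed sample credential store
FLAG = "--helper-protocol=demo-lines"  # hypothetical protocol name


def helper_loop(stdin=sys.stdin, stdout=sys.stdout):
    """Helper side: one 'user password' line in, one 'OK'/'ERR' line out, until EOF."""
    for line in stdin:
        user, _, password = line.rstrip("\n").partition(" ")
        expected = USERS.get(user)
        ok = bool(expected) and hmac.compare_digest(expected, password.encode())
        stdout.write(f"{'OK' if ok else 'ERR'} pid={os.getpid()}\n")
        stdout.flush()                 # the caller blocks until it sees a reply


class StdioHelper:
    """Caller side: start the helper once, then reuse it for every request."""
    def __init__(self):
        self.argv = [sys.executable, os.path.abspath(__file__), FLAG]
        self.proc = subprocess.Popen(self.argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True)

    def check(self, user, password):
        # Credentials travel over the pipe, so they never show up in argv.
        self.proc.stdin.write(f"{user} {password}\n")
        self.proc.stdin.flush()
        return self.proc.stdout.readline().split()

    def close(self):
        self.proc.stdin.close()        # EOF ends the helper's read loop
        self.proc.stdout.close()
        return self.proc.wait(timeout=10)


def demo():
    helper = StdioHelper()
    try:
        return [helper.check("alice", "correct horse"),
                helper.check("alice", "wrong")], helper.argv
    finally:
        helper.close()


if __name__ == "__main__":
    helper_loop() if FLAG in sys.argv else print(demo())
```

Started by hand with only the flag, the script waits on stdin for input, the same "just hung there" behaviour seen with ntlm_auth above.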


