Need to authenticate Outlook and NTLM

Aki Tuomi aki.tuomi at open-xchange.com
Tue Feb 19 08:53:13 EET 2019


On 19.2.2019 4.48, Mark Foley via dovecot wrote:
> On Mon, 18 Feb 2019 10:17:16 -0000 Stuart Henderson wrote:
>> On 2019-02-13, Mark Foley via dovecot <dovecot at dovecot.org> wrote:
>>> Is it possible that no one on this list is authenticating Outlook with Dovecot and NTLM?
>> Yes, it's possible, the outdated instructions you found on the wiki
>> suggest it's an uncommon configuration.
> Hmmm, really? And yet Windows/Outlook is still the predominant email client out there
> (unfortunately). Maybe everyone is going to outlook.com?
>
>> No actual answers from me, but it might give you some clues:
>>
>>> More on this ...
>>>
>>> I short-sheeted ntlm_auth to see what was being passed to it. It is getting as arg1:
>>>
>>> --helper-protocol=squid-2.5-ntlmssp
>>>
>>> I tried running ntlm_auth at the command line as:
>>>
>>> ntlm_auth --username=user --password=password --helper-protocol=squid-2.5-ntlmssp
>>>
>>> It did nothing, just hung there. The ntlm_auth man page says:
>>>
>>> --helper-protocol=PROTO
>>>   Operate as a stdio-based helper. Valid helper protocols are:
>> The squid auth helpers are stdio-based, they run in a loop, reading from
>> stdin, checking authentication, and return results on stdout. This avoids both
>> passing sensitive data on the command line (visible to ps, at least briefly)
>> and the need to keep forking and initialising a new process.
>>
>> So it's normal that it would just sit waiting for input.
>>
>> Dovecot is just reusing the same protocol that squid uses.
> If --username and --password are passed on the command line, what is it waiting for on stdin?
> Normally, ntlm_auth, with id and pw passed on the command line prints, "NT_STATUS_OK: The
> operation completed successfully. (0x0)" to stdout. There is no further stdin input needed.
>
> Is there a way to disable the --helper-protocol in Dovecot? 
>
>>> After more searching I came across this post, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
>>> which, in summary, said that ntlm_auth had to run as root. So, I added the following to my
>>> dovecot config per that post's suggestion:
>>>
>>> service auth {
>>>   user = root
>>> }
>>>
>>> After restarting and trying again to connect from Outlook I got the message:
>>>
>>> auth: Info: ntlm(?,192.168.0.58,<SCINjFqBKcXAqAA6>): user not authenticated: NT_STATUS_NO_MEMORY
>> I don't know the full details of how samba/ntlm works, but this seems like
>> an error coming from the server you're attempting to authenticate against.
>> I think you should start debugging on the samba side - make sure tools
>> like wbinfo are working, if not then debug those with samba, then move
>> on to Dovecot after you have that working.
> Samba has been running for years (with updates) and everything like wbinfo works.  Dovecot can
> authenticate with kerberos/GSSAPI, and other applications can authenticate with ntlm_auth.  My
> suspicion here is that the "user not authenticated" problem is perhaps because dovecot cannot
> run the auth service as root? The dovecot user is dovenull, so why would it be permitted to run
> as root in any case?
>
> I think the problem is in invoking ntlm_auth. I tried simply returning zero from my "fake"
> ntlm_auth, but that didn't work. Not sure what Dovecot is expecting from ntlm_auth_helper.
>
> --Mark

Hi,

try

service auth {
  user = root
}


Aki
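The stdio helper protocol Stuart describes above (one request line on stdin, one reply line on stdout, credentials carried as NTLMSSP tokens rather than on the command line), as an added example that is not part of this thread and not Dovecot's or Samba's own code: the script below builds an NTLMSSP NEGOTIATE message, sends it as a `YR` line to `ntlm_auth --helper-protocol=squid-2.5-ntlmssp`, and parses the `TT` / `AF` / `NA` / `BH` reply that the squid-2.5-ntlmssp protocol defines. The message layouts follow MS-NLMP; the helper command line is the default assumed here, and the reply lines used for checking are constructed, not captured from a real helper.

```python
"""Drive Samba's ntlm_auth in --helper-protocol=squid-2.5-ntlmssp mode.

Protocol (one line per request, one line per reply):
  "YR <base64 NTLMSSP NEGOTIATE>"    -> "TT <base64 NTLMSSP CHALLENGE>"
  "KK <base64 NTLMSSP AUTHENTICATE>" -> "AF <user>" | "NA <reason>" | "BH <error>"
"""
import base64
import struct
import subprocess

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE = 1
NTLMSSP_CHALLENGE = 2
NTLMSSP_AUTHENTICATE = 3

# A conservative NEGOTIATE flag set (MS-NLMP 2.2.2.5): Unicode, OEM, request target,
# NTLM, always sign, extended session security, 128-bit and 56-bit keys.
DEFAULT_FLAGS = 0x00000001 | 0x00000002 | 0x00000004 | 0x00000200 \
    | 0x00008000 | 0x00080000 | 0x20000000 | 0x80000000

# Assumed helper command; Dovecot's winbind support invokes the same helper mode.
DEFAULT_HELPER_CMD = ("ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp")


def build_negotiate_message(flags=DEFAULT_FLAGS):
    """NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1) with empty domain and workstation.

    Layout: signature(8) type(4) flags(4) DomainNameFields(8) WorkstationFields(8).
    Each *Fields block is Len(2) MaxLen(2) BufferOffset(4); with no payload the
    offsets point just past the 32-byte header.
    """
    header_len = 32
    return (NTLMSSP_SIGNATURE
            + struct.pack("<I", NTLMSSP_NEGOTIATE)
            + struct.pack("<I", flags)
            + struct.pack("<HHI", 0, 0, header_len)
            + struct.pack("<HHI", 0, 0, header_len))


def helper_request(code, token):
    """Format one request line: 'YR' (negotiate) or 'KK' (authenticate) plus base64 token."""
    if code not in ("YR", "KK"):
        raise ValueError("request code must be YR or KK, got %r" % code)
    return "%s %s" % (code, base64.b64encode(token).decode("ascii"))


def parse_helper_reply(line):
    """Split a reply line into (code, payload).

    TT carries a base64 CHALLENGE token and is decoded to bytes; AF (authenticated
    user), NA (not authenticated, with reason) and BH (broken helper) carry text.
    """
    code, _, rest = line.rstrip("\r\n").partition(" ")
    if code == "TT":
        return code, base64.b64decode(rest)
    if code in ("AF", "NA", "BH"):
        return code, rest
    raise ValueError("unexpected helper reply: %r" % line)


def ntlmssp_message_type(token):
    """Check the NTLMSSP signature and return the MessageType field."""
    if len(token) < 12 or token[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", token, 8)[0]


def challenge_from_token(token):
    """Extract the 8-byte ServerChallenge from a CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2).

    Layout: signature(8) type(4) TargetNameFields(8) flags(4) ServerChallenge(8) ...
    """
    if ntlmssp_message_type(token) != NTLMSSP_CHALLENGE or len(token) < 32:
        raise ValueError("not an NTLMSSP CHALLENGE message")
    return token[24:32]


def negotiate_with_helper(helper_cmd=DEFAULT_HELPER_CMD):
    """Spawn the helper, send the YR line, and return the parsed first reply.

    The helper blocks on stdin until it gets a line, which is why running
    ntlm_auth with --helper-protocol and no input appears to hang.
    """
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    try:
        proc.stdin.write(helper_request("YR", build_negotiate_message()) + "\n")
        proc.stdin.flush()
        reply = proc.stdout.readline()
    finally:
        proc.stdin.close()      # EOF on stdin makes the helper exit
        proc.wait(timeout=10)
    return parse_helper_reply(reply)


if __name__ == "__main__":
    try:
        code, payload = negotiate_with_helper()
    except FileNotFoundError:
        print("ntlm_auth not found on PATH")
    else:
        if code == "TT":
            print("TT received, server challenge:", challenge_from_token(payload).hex())
        else:
            print(code, payload)
```

Run it on the Dovecot host as the user Dovecot's auth service runs as: a `TT` reply shows that the helper and winbind answer the first round trip under that account, so a later `NA` on the `KK` step points at the authentication itself, while a `BH` reply or a non-NTLMSSP line points at the helper invocation or its environment.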


