It should work, although if you are using a Linux server you might want to use GSSAPI instead.
> On June 25, 2016 at 7:43 PM Mark Foley <mfo...@ohprs.org> wrote:
>
> I've asked this several times over the past year with essentially zero
> responses. I'll keep it simple:
>
> Does NTLM authentication work in Dovecot?
>
> I'll post this one last time. If I still have no responses I'll have to
> conclude that no one has actually tried this authentication method and it
> therefore does not work.
>
> Thanks, --Mark
>
> -----Original Message-----
> From: Mark Foley <mfo...@ohprs.org>
> Date: Fri, 22 Apr 2016 02:07:24 -0400
> Organization: Ohio Highway Patrol Retirement System
> To: dovecot@dovecot.org
> Subject: Looking for NTLM config example
>
> > Now that I am running Thunderbird on Linux and away from Windows/Outlook,
> > I'd like to take another run at setting up NTLM authentication from
> > Thunderbird to my Samba4 AC/DC.
> >
> > With the help of the samba maillist folks I was able to set up NTLM
> > authentication for domain user login. I should be able to do the same for
> > email!
> >
> > But, I need help. I went to
> > http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost
> > immediately. Are "authentication submethods" synonymous with "password
> > schemes"? The 7th line down says, "NTLM password scheme is required for
> > NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference
> > to "NTLM password scheme".
> >
> > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > http://wiki2.dovecot.org/Authentication/PasswordSchemes tell you what the
> > 4 NTLM authentication submethods are, tell you what password schemes are,
> > tell you what the NTLM client/server handshake is, but don't actually tell
> > you how to configure dovecot config files. I'm much more interested in the
> > "how to" than in: "NTLMv2: server and client nonce, MITM can't force
> > downgrade" ... whatever that means.
> >
> > Anyway, probably it's my lack of understanding terminology. I don't even
> > know what a "nonce" is. But, I learn well from examples! Can someone please
> > give me a sample 10-auth.conf for NTLM and any other supporting settings or
> > configs I need?
> >
> > My current/working dovecot settings, which have been running perfectly for
> > well over a year now, are:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> > Here's what I've tried so far as 10-auth.conf:
> >
> > disable_plaintext_auth = no
> > auth_use_winbind = yes
> > info_log_path = /var/log/dovecot_info
> > auth_verbose = yes
> > auth_debug_passwords = yes
> > auth_verbose_passwords = plain
> > auth_winbind_helper_path = /usr/bin/ntlm_auth
> >
> > auth_mechanisms = ntlm plain login
> >
> > userdb {
> >   driver = passwd
> >   args = username_format=%n allow_all_users=yes
> > }
> >
> > Which gives me a dovecot -n of:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = ntlm plain login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > protocols = imap
> > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> >   args = username_format=%n allow_all_users=yes
> >   driver = passwd
> > }
> > verbose_ssl = yes
> >
> > I configured Thunderbird for NTLM authentication, then tried sending a
> > message, I got the following in /var/log/dovecot_info:
> >
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> >
> > On Thunderbird I got the error, "Sending of the message failed. The
> > Outgoing server (SMTP) my.server.name does not support the selected
> > authentication method. Please change the 'Authentication method' in
> > 'Account Settings | Outgoing Server (SMTP)'."
> >
> > Clearly, something is configured wrong, but I've no clue what.
> >
> > Can I get some advice?
> >
> > THX --Mark

---
Aki Tuomi
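As an added example (editor's code, not from the thread or the Dovecot project), here is a small linter over `dovecot -n` output that encodes the checks a defender would run against the configuration quoted above: whether the listed mechanisms have a backend (a passdb, or winbind for NTLM) and whether the debugging settings leave credentials in the log or allow plaintext logins without TLS. The rules are my reading of the thread and of Dovecot's NTLM/winbind documentation, and the sample input is a constructed, trimmed copy of the second `dovecot -n` dump in the mail.

```python
# Constructed sample (not from Dovecot): the second `dovecot -n` from the
# quoted mail, trimmed, with the passdb block absent exactly as posted.
SAMPLE = """\
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
auth_debug_passwords = yes
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
userdb {
  args = username_format=%n allow_all_users=yes
  driver = passwd
}
"""

def parse_dovecot_n(text):
    """Return (settings, blocks): top-level key=value pairs and block names."""
    settings, blocks, depth = {}, [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):              # "passdb {", "userdb {", ...
            if depth == 0:
                blocks.append(line[:-1].strip())
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings, blocks

def lint(text):
    """Return (code, message) findings; an empty list means nothing flagged."""
    s, blocks = parse_dovecot_n(text)
    mechs = set(s.get("auth_mechanisms", "plain").split())  # Dovecot's default
    has_passdb = "passdb" in blocks
    out = []
    if mechs & {"plain", "login"} and not has_passdb:
        out.append(("no-passdb", "plain/login need a passdb; without one the auth process "
                    "exits at startup, which imap-login logs as 'Auth process broken'"))
    if "ntlm" in mechs and s.get("auth_use_winbind") != "yes" and not has_passdb:
        out.append(("ntlm-no-backend", "ntlm needs auth_use_winbind = yes or a passdb "
                    "that returns NTLM-scheme passwords"))
    if s.get("auth_debug_passwords") == "yes" or s.get("auth_verbose_passwords", "no") != "no":
        out.append(("password-logging", "cleartext credentials are written to the auth log"))
    if s.get("disable_plaintext_auth") == "no":
        out.append(("plaintext-allowed", "plain/login accepted on non-TLS connections"))
    return out
```

Run `lint(SAMPLE)` on the posted dump and it flags the missing passdb and the two debugging settings; `auth_winbind_helper_path` is deliberately not checked because `dovecot -n` omits settings left at their default.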