Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying you've not actually tried NTLM yourself, right? I've never gotten a response from someone saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.
That's OK, I'd be glad to try something different that would work!!! I am trying your advice for gssapi. I've followed the instructions at http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi". That's all I've done. I'm using the same userdb as before which is /etc/passwd. My doveconf -n is:

----------SNIP------------
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}
verbose_ssl = yes
------------PINS-------------

I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I got the following in my Dovecot log:

Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=<Zk1rnzo2IADAqABj>

So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab configured in 10-auth.conf.
I could find no such file on the host running Dovecot. Is that file needed? If so, I've got a message in to the Samba4 folks asking where it is located. I'm also using Dovecot 2.2.15. Too old? Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-----Original Message-----
> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to use
> gssapi instead.
>
> > On June 25, 2016 at 7:43 PM Mark Foley <mfo...@ohprs.org> wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero
> > responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to
> > conclude that no one has actually tried this authentication method and it
> > therefore does not work.
> >
> > Thanks, --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Looking for NTLM config example
> >
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook,
> > > I'd like to take another run at setting up NTLM authentication from
> > > Thunderbird to my Samba4 AD/DC.
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM
> > > authentication for domain user login. I should be able to do the same
> > > for email!
> > >
> > > But, I need help. I went to
> > > http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost
> > > immediately. Are "authentication submethods" synonymous with "password
> > > schemes"? The 7th line down says, "NTLM password scheme is required for
> > > NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no
> > > reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what
> > > the 4 NTLM authentication submethods are, tells you what password
> > > schemes are, tells you what the NTLM client/server handshake is, but
> > > doesn't actually tell you how to configure dovecot config files. I'm
> > > much more interested in the "how to" than in: "NTLMv2: server and
> > > client nonce, MITM can't force downgrade" ... whatever that means.
> > >
> > > Anyway, probably it's my lack of understanding terminology. I don't
> > > even know what a "nonce" is. But, I learn well from examples! Can
> > > someone please give me a sample 10-auth.conf for NTLM and any other
> > > supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly
> > > for well over a year now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >   driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > Here's what I've tried so far as 10-auth.conf:
> > >
> > > disable_plaintext_auth = no
> > > auth_use_winbind = yes
> > > info_log_path = /var/log/dovecot_info
> > > auth_verbose = yes
> > > auth_debug_passwords = yes
> > > auth_verbose_passwords= plain
> > > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > >
> > > auth_mechanisms = ntlm plain login
> > >
> > > userdb {
> > >   driver = passwd
> > >   args = username_format=%n allow_all_users=yes
> > >
> > > }
> > >
> > >
> > > Which gives me a dovecot -n of:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = ntlm plain login
> > > auth_use_winbind = yes
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > protocols = imap
> > > ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > >   args = username_format=%n allow_all_users=yes
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > I configured Thunderbird for NTLM authentication, then tried sending a
> > > message, I got the following in /var/log/dovecot_info:
> > >
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> > >
> > >
> > > On Thunderbird I got the error, "Sending of the message failed. The
> > > Outgoing server (SMTP) my.server.name does not support the selected
> > > authentication method. Please change the 'Authentication method' in
> > > 'Account Settings | Outgoing Server (SMTP)'."
> > >
> > > Clearly, something is configured wrong, but I've no clue what.
> > >
> > > Can I get some advice?
> > >
> > > THX --Mark
>
> ---
> Aki Tuomi
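Added example, not part of the thread and not Dovecot's own code: a small preflight lint that parses a `doveconf -n` dump and checks the enabled mechanisms against their prerequisites, as I read the Dovecot documentation. Both "Auth process broken ... before auth was ready" failures above are the login process reporting that the auth process went away during startup, which is exactly when Dovecot validates mechanism/passdb combinations, so a config check is the cheapest first step. The two sample dumps inside the script are constructed from the configs posted in this thread (cert paths dropped); the function names and finding codes are mine. The lint only reads the config text: whether the keytab actually exists and is readable by the auth process, or whether winbindd answers `ntlm_auth`, still has to be verified on the server. It also flags `auth_debug_passwords`/`auth_verbose_passwords = plain`, which write users' passwords into the log and should be turned off once the debugging session is over.

```python
"""Preflight lint of a `doveconf -n` dump: auth mechanisms vs. their prerequisites.

Added example for this thread, not Dovecot code. The rules below encode the
Dovecot documentation as the editor reads it; host-level checks (keytab
readable, winbindd reachable) are out of scope for an offline lint.
"""
from dataclasses import dataclass, field

# Mechanisms whose non-winbind implementation needs at least one passdb; Dovecot's
# auth process aborts at startup with "No passdbs specified ... mechanism needs one".
PASSDB_MECHS = {"plain", "login", "cram-md5", "digest-md5", "apop", "ntlm", "otp", "rpa", "scram-sha-1"}
# passdbs that can only *verify* a plaintext password and never return one,
# so challenge-response mechanisms such as NTLM cannot work against them.
VERIFY_ONLY_PASSDBS = {"shadow", "pam", "passwd", "bsdauth"}


@dataclass
class Block:
    name: str                      # "passdb", "userdb", "passdb sql", ...
    settings: dict = field(default_factory=dict)


@dataclass
class Config:
    settings: dict = field(default_factory=dict)
    blocks: list = field(default_factory=list)


def parse_doveconf(text: str) -> Config:
    """Parse `doveconf -n` output: `key = value` lines and `name { ... }` blocks."""
    cfg, stack = Config(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(Block(line[:-1].strip()))
        elif line == "}":
            if not stack:
                raise ValueError("stray '}'")
            cfg.blocks.append(stack.pop())
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"unparseable line: {raw!r}")
            target = stack[-1].settings if stack else cfg.settings
            target[key.strip()] = value.strip()
    if stack:
        raise ValueError(f"unterminated block {stack[-1].name!r}")
    return cfg


def lint_auth(text: str) -> dict:
    """Return {finding_code: message} for every prerequisite or hygiene problem found."""
    cfg = parse_doveconf(text)
    get = cfg.settings.get
    mechs = set(get("auth_mechanisms", "plain").lower().split())
    passdbs = {b.settings.get("driver", "") for b in cfg.blocks if b.name.split()[0] == "passdb"}
    winbind = get("auth_use_winbind", "no") == "yes"
    out = {}

    # Log hygiene: either setting puts the submitted password into the log file.
    if get("auth_debug_passwords", "no") == "yes":
        out["LOGS_PASSWORDS"] = "auth_debug_passwords=yes writes client passwords to the log"
    elif get("auth_verbose_passwords", "no").startswith("plain"):
        out["LOGS_PASSWORDS"] = "auth_verbose_passwords=plain writes client passwords to the log"

    # PLAIN/LOGIN are accepted before STARTTLS unless plaintext auth is disabled or ssl=required.
    if mechs & {"plain", "login"} and get("disable_plaintext_auth", "yes") == "no" \
            and get("ssl", "yes") != "required":
        out["PLAINTEXT_NO_TLS"] = "plain/login accepted on unencrypted connections " \
                                  "(disable_plaintext_auth=no and ssl is not 'required')"

    # With auth_use_winbind=yes, ntlm is handled by ntlm_auth and needs no passdb.
    need = mechs & PASSDB_MECHS
    if winbind:
        need -= {"ntlm"}
    if need and not passdbs:
        out["NO_PASSDB"] = f"no passdb block, but {sorted(need)} require one; " \
                           "the auth process will refuse to start"

    if "ntlm" in mechs and not winbind and passdbs and passdbs <= VERIFY_ONLY_PASSDBS:
        out["NTLM_NEEDS_CREDENTIALS"] = "ntlm without auth_use_winbind needs a passdb that returns " \
            f"the password (plaintext or NTLM scheme); {sorted(passdbs)} can only verify plaintext"

    if "gssapi" in mechs and not get("auth_krb5_keytab"):
        out["GSSAPI_DEFAULT_KEYTAB"] = "gssapi enabled without auth_krb5_keytab; the system default " \
            "keytab (normally /etc/krb5.keytab) must hold imap/<host>@REALM and be readable by the auth process"
    return out


# Constructed sample: the June (gssapi) dump from the thread, cert paths dropped.
JUNE_GSSAPI = """\
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose_passwords = plain
disable_plaintext_auth = no
passdb {
  driver = shadow
}
protocols = imap
userdb {
  driver = passwd
}
"""

# Constructed sample: the April (ntlm + winbind) dump, which has no passdb block at all.
APRIL_NTLM = """\
auth_debug_passwords = yes
auth_mechanisms = ntlm plain login
auth_use_winbind = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
userdb {
  args = username_format=%n allow_all_users=yes
  driver = passwd
}
"""

if __name__ == "__main__":
    for label, dump in (("June/gssapi", JUNE_GSSAPI), ("April/ntlm", APRIL_NTLM)):
        print(label)
        for code, msg in lint_auth(dump).items():
            print(f"  {code}: {msg}")
```

Run it against a live server with `doveconf -n | python3 -c 'import sys, lint; print(lint.lint_auth(sys.stdin.read()))'` (module name assumed). A clean result only means the config is internally consistent; for GSSAPI the next step is `klist -k` on the keytab as the dovecot auth user, and for winbind-backed NTLM it is running `ntlm_auth --username=...` as that same user.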