While continuing to test gssapi, I thought I check out your suggestion on NTLM
v1. I did set
Thunderbird to NTLM v1 and modified the Dovecot config:
auth_debug_passwords = yes
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
args = username_format=%n allow_all_users=yes
driver = passwd
}
verbose_ssl = yes
No joy. My dovecot log:
Jun 27 02:34:50 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
Jun 27 02:34:50 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
Jun 27 02:34:58 auth: Debug: Loading modules from directory:
/usr/local/lib/dovecot/auth
Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 26 secs): user=<>,
rip=192.168.0.54, lip=192.168.0.2, session=<mNEutzw28QDAqAA2>
Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken
(disconnected before auth was ready, waited 8 secs): user=<>, rip=192.168.0.58,
lip=98.102.63.107, session=<WugeuDw2AADAqAA6>
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
This looks quite similar to the output I got with the gssapi test. It seems
there is nothing I
can do to get AD authentication working with Dovecot. Do you (or anyone) have
any ideas?
What does "disconnected before auth was ready" mean?
Has anyone on Planet Earth actually used either NTLM or GSSAPI successfully
with Dovecot?
Please speak up! Let me know you exist!
--Mark
-----Original Message-----
> Date: Sun, 26 Jun 2016 15:08:03 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org, Mark Foley <mfo...@ohprs.org>
> Subject: Re: Looking for NTLM config example
>
> Also it seems we lack support for NTLMv2. If you want to use NTLM you need to
> permit use of NTLM(v1), which is usually not enabled by default.
>
> Aki
>
> > On June 25, 2016 at 7:43 PM Mark Foley <mfo...@ohprs.org> wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero
> > responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to
> > conclude that no one
> > has actually tried this authentication method and it therefore does not
> > work.
> >
> > Thanks, --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Looking for NTLM config example
> >
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook,
> > > I'd like to take
> > > another run at setting up NTLM authentication from Thunderbird to my
> > > Samba4 AC/DC.
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM
> > > authentication for domain
> > > user login. I should be able to do the same for email!
> > >
> > > But, I need help. I went to
> > > http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > > lost immediately. Are "authenticaion submethods" synonymous with
> > > "password schemes"? The 7th
> > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and
> > > NTLMv2.", but in the
> > > referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what
> > > the 4 NTLM
> > > authentication submethods are, tells you what password schemes are, tells
> > > you what the NTLM
> > > client/server handshake is, but doesn't actually tell you how to
> > > configure dovecot config
> > > files. I'm much more interested in the "how to" than in: "NTLMv2: server
> > > and client nonce,
> > > MITM can't force downgrade" ... whatever that means.
> > >
> > > Anyway, probably it's my lack of understanding terminology. I don't even
> > > know what a "nonce"
> > > is. But, I learn well from examples! Can somone please give me a sample
> > > 10-auth.conf for NTML
> > > and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly
> > > for well over a year
> > > now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > > driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert =
> > > </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > > driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > Here's what I've tried so far as 10-auth.conf:
> > >
> > > disable_plaintext_auth = no
> > > auth_use_winbind = yes
> > > info_log_path = /var/log/dovecot_info
> > > auth_verbose = yes
> > > auth_debug_passwords = yes
> > > auth_verbose_passwords= plain
> > > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > >
> > > auth_mechanisms = ntlm plain login
> > >
> > > userdb {
> > > driver = passwd
> > > args = username_format=%n allow_all_users=yes
> > >
> > > }
> > >
> > >
> > > Which gives me a dovecot -n of:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = ntlm plain login
> > > auth_use_winbind = yes
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > protocols = imap
> > > ssl_cert =
> > > </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > > userdb {
> > > args = username_format=%n allow_all_users=yes
> > > driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > I configured Thunderbird for NTLM authentication, then tried sending a
> > > message, I got the
> > > following in /var/log/dovecot_info:
> > >
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> > > used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> > > used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 auth: Debug: Loading modules from directory:
> > > /usr/local/lib/dovecot/auth
> > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken
> > > (disconnected before auth was ready, waited 0 secs): user=<>,
> > > rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> > >
> > >
> > > On Thunderbird I got the error, "Sending of the message failed. The
> > > Outlgoing server (SMTP)
> > > my.server.name does not support the selected authentication method.
> > > Please change the
> > > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'."
> > >
> > > Clearly, something is configured wrong, but I've no clue what.
> > >
> > > Can I get some advice?
> > >
> > > THX --Mark
> > From dovecot-boun...@dovecot.org Fri Apr 22 02:07:47 2016
> > Return-Path: <dovecot-boun...@dovecot.org>
> > X-Virus-Status: Clean
> > X-Virus-Scanned: clamav-milter 0.98.6 at mail
> > X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.19__ (2011-06-06) on
> > mail.hprs.local
> > X-Spam-Level:
> > X-Spam-Status: No, score=-106.0 required=3.0 tests=USER_IN_WHITELIST,
> > USER_IN_WHITELIST_TO autolearn=unavailable
> > version=3.3.2-_revision__1.19__
> > X-Original-To: dovecot@dovecot.org
> > Delivered-To: dovecot@dovecot.org
> > X-Virus-Status: Clean
> > X-Virus-Scanned: clamav-milter 0.98.6 at mail
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Looking for NTLM config example
> > User-Agent: Heirloom mailx 12.5 7/5/10
> > Content-Type: text/plain; charset=us-ascii
> > X-BeenThere: dovecot@dovecot.org
> > X-Mailman-Version: 2.1.17
> > Precedence: list
> > List-Id: Dovecot Mailing List <dovecot.dovecot.org>
> > List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>,
> > <mailto:dovecot-requ...@dovecot.org?subject=unsubscribe>
> > List-Archive: <http://dovecot.org/pipermail/dovecot/>
> > List-Post: <mailto:dovecot@dovecot.org>
> > List-Help: <mailto:dovecot-requ...@dovecot.org?subject=help>
> > List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>,
> > <mailto:dovecot-requ...@dovecot.org?subject=subscribe>
> > Errors-To: dovecot-boun...@dovecot.org
> > Sender: "dovecot" <dovecot-boun...@dovecot.org>
> > X-Spam-Report:
> > * -100 USER_IN_WHITELIST From: address is in the user's white-list
> > * -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to'
> > Status: R
> >
> > Now that I am running Thunderbird on Linux and away from Windows/Outlook,
> > I'd like to take
> > another run at setting up NTLM authentication from Thunderbird to my Samba4
> > AC/DC.
> >
> > With the help of the samba maillist folks I was able to set up NTLM
> > authentication for domain
> > user login. I should be able to do the same for email!
> >
> > But, I need help. I went to
> > http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > lost immediately. Are "authenticaion submethods" synonymous with "password
> > schemes"? The 7th
> > line down says, "NTLM password scheme is required for NTLM, NTLM2 and
> > NTLMv2.", but in the
> > referenced link I found no reference to "NTLM password scheme".
> >
> > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the
> > 4 NTLM
> > authentication submethods are, tells you what password schemes are, tells
> > you what the NTLM
> > client/server handshake is, but doesn't actually tell you how to configure
> > dovecot config
> > files. I'm much more interested in the "how to" than in: "NTLMv2: server
> > and client nonce,
> > MITM can't force downgrade" ... whatever that means.
> >
> > Anyway, probably it's my lack of understanding terminology. I don't even
> > know what a "nonce"
> > is. But, I learn well from examples! Can somone please give me a sample
> > 10-auth.conf for NTML
> > and any other supporting settings or configs I need?
> >
> > My current/working dovecot settings, which have been running perfectly for
> > well over a year
> > now, are:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> > driver = shadow
> > }
> > protocols = imap
> > ssl_cert =
> > </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> > driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > Here's what I've tried so far as 10-auth.conf:
> >
> > disable_plaintext_auth = no
> > auth_use_winbind = yes
> > info_log_path = /var/log/dovecot_info
> > auth_verbose = yes
> > auth_debug_passwords = yes
> > auth_verbose_passwords= plain
> > auth_winbind_helper_path = /usr/bin/ntlm_auth
> >
> > auth_mechanisms = ntlm plain login
> >
> > userdb {
> > driver = passwd
> > args = username_format=%n allow_all_users=yes
> >
> > }
> >
> >
> > Which gives me a dovecot -n of:
> >
> > $ dovecot -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = ntlm plain login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > protocols = imap
> > ssl_cert =
> > </etc/ssl/certs/OHPRS/GoDaddy/Apache/2015-08-14/57aa6ed6ae98b4c7.crt
> > ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/my.server.name.key
> > userdb {
> > args = username_format=%n allow_all_users=yes
> > driver = passwd
> > }
> > verbose_ssl = yes
> >
> >
> > I configured Thunderbird for NTLM authentication, then tried sending a
> > message, I got the
> > following in /var/log/dovecot_info:
> >
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> > used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> > used for ECDH and ECDHE key exchanges
> > Apr 22 01:37:57 auth: Debug: Loading modules from directory:
> > /usr/local/lib/dovecot/auth
> > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken
> > (disconnected before auth was ready, waited 0 secs): user=<>,
> > rip=192.168.0.58, lip=98.102.63.107, session=<xFuyOgwx9wDAqAA6>
> >
> >
> > On Thunderbird I got the error, "Sending of the message failed. The
> > Outlgoing server (SMTP)
> > my.server.name does not support the selected authentication method. Please
> > change the
> > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'."
> >
> > Clearly, something is configured wrong, but I've no clue what.
> >
> > Can I get some advice?
> >
> > THX --Mark
>
> ---
> Aki Tuomi
