Re: Is it possible to setup ntlm authentication then proxy it to the mail server ?

2024-04-26 Thread Aki Tuomi via dovecot
 
 On 26/04/2024 13:00 EEST karl.l--- via dovecot wrote:
  
  
 Hi Aki
  
 We would like NTLM support so customers that have enabled it in
 Outlook and other email clients can continue to authenticate when we
 update our Dovecot server. We are not running Kerberos/Samba/Active
 Directory or any other directory system. I am not sure how GSSAPI
 would assist us with this requirement.
  
 Given that we are using an SQL passdb, will this work, and if so, any
 pointers would be appreciated.
  
 Thanks
  
 
For the behaviour you're seeing, it does sound like a bug, but NTLM support has
not been in since 2.3.14 anymore, because Microsoft recommends not implementing
it anymore and the implementation was unsafe.
 
Aki
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: Is it possible to setup ntlm authentication then proxy it to the mail server ?

2024-04-26 Thread karl.l--- via dovecot
Hi Aki

We would like NTLM support so customers that have enabled it in Outlook and 
other email clients can continue to authenticate when we update our Dovecot 
server. We are not running Kerberos/Samba/Active Directory or any other 
directory system. I am not sure how GSSAPI would assist us with this 
requirement. 

Given that we are using an SQL passdb, will this work, and if so, any pointers 
would be appreciated.

Thanks


Re: Is it possible to setup ntlm authentication then proxy it to the mail server ?

2024-04-21 Thread Aki Tuomi via dovecot
If you can do NTLM, you can do GSSAPI too, which even Microsoft recommends. So
I would very strongly suggest using that. 
 
Aki
 On 21/04/2024 12:30 EEST Bob Gustafson via dovecot wrote:
  
  
 Maybe use Wireshark to get an independent check on what the logs are
 saying?
  
 On 4/18/24 20:27, karl.l--- via dovecot wrote:
  Hi,
  This is my dovecot version:
  ```
  root@freebsdsvr:~ # dovecot --version
  2.3.21 (47349e2482)
  ```
  I'm having trouble making Dovecot act as a proxy to the mail
  server when using NTLM authentication.
  My setup looks like this: email client --> dovecot
  (will act as proxy) ---> mail server
  so basically the email client will connect to Dovecot, but
  Dovecot will forward it to the mail server.
  
  Proxying using auth_mechanism as PLAIN is working, but if I
  use NTLM authentication it just connects to the Dovecot
  server and the Dovecot server does not proxy to the mail
  server.
  
  I tried using passdb driver = sql, passdb driver = static
  and passdb driver = lua, and all of them are working when
  the email client connects using PLAIN auth: once Dovecot
  authenticates the user it will proxy it to the mail server.
  But when I use NTLM authentication it just connects to
  Dovecot and does not proxy to the mail server.
  
  I switched on all the debugs and I found out in the log
  that when I connect using PLAIN auth it calls the passdb
  and gets my default_fields or my proxy fields `proxy=y`
  and `host=mailserver_domain`, which causes Dovecot to
  proxy to the host (my mail server). But when I connect
  using NTLM auth it calls the passdb but it does not return
  my default fields for proxying (when it uses the sql passdb
  driver it just connects to the database and does not run
  the password_query), and I think it uses the output from the
  `ntlm_auth` of Samba that Dovecot uses, because it
  returns the fields user=username and
  original_user=username@domain.
  
  These are the example logs that I received once I connect
  using NTLM, and it does not proxy to my mail server:
  ```
  Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug:
  mysql(192.168.254.131): Connecting
  Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug:
  auth client connected (pid=12268)
  Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug:
  auth client connected (pid=12270)
  Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug:
  client in: AUTH 1 NTLM service=imap
  session=Js8TT04WcMnAqP5/ lip=192.168.254.131
  rip=192.168.254.127 lport=143 rport=51568
  Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug:
  client passdb out: CONT 1
  Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug:
  client in: CONT 1
  TlRMTVNTUAABB4IIAAA= (previous
  base64 data may contain sensitive data)
  Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug:
  client passdb out: CONT 1
  
TlRMTVNTUAACFAAUADgFgooC57WwKq2q4U8sdAAFwAXABMBgEAAAasdasdasd9FAFMAQwAuAE4ARQBUAC4AQQBVAAIAFABFAFMAQwAuAE4ARQBUACad4AQdsQBVAAEasAFABFAFMAQwAuAE4AdaRQBUAC4AQQBVAAQDABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/
  h8T7O2Q2gEA
  Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug:
  client in: CONT 1
  
TlRMTVNTUAADGAAYAFwAAACIAIgAdeABABgAGAEAWABYARgAABYIIAHMAcwAzAFcATwBSAEsAUwBUAEEAVABJAE8ATgBXKrBA2vF7fMicRiasLK/
  IyI3fbM46rQ7JHcti/
  
0TU02AqasdasdasdhceI+BaeqMjrAQEAAACAL88ampDaARzhirKymxxcAAIAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAEAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAQDABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/
  h8T7O2Q2gEA (previous base64 data may contain sensitive
  data)
  Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug:
  auth(userName,192.168.254.127,): Auth
  request finished
  Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug:
  client passdb out: OK 1 user=userName
  original_user=userName@FREEBSD-TEST
  ```
  Here's the logs that I get when I connect via Plain Auth
  and it does the proxy to my mail server
  ```
  Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker
  (12138): Debug: mysql(192.168.254.131): Connecting
  Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker
  (12138): Debug: conn unix:auth-worker (uid=0): Server
  accepted connection (fd=15)
  Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker
  

Re: Is it possible to setup ntlm authentication then proxy it to the mail server ?

2024-04-21 Thread Bob Gustafson via dovecot

Maybe use Wireshark to get an independent check on what the logs are saying?

On 4/18/24 20:27, karl.l--- via dovecot wrote:

Hi,

This is my dovecot version:
```
root@freebsdsvr:~ # dovecot --version
2.3.21 (47349e2482)
```

I'm having trouble making Dovecot act as a proxy to the mail server when using 
NTLM authentication.
My setup looks like this: email client --> dovecot (will act as proxy) 
---> mail server
so basically the email client will connect to Dovecot, but Dovecot will forward 
it to the mail server.

Proxying using auth_mechanism as PLAIN is working, but if I use NTLM 
authentication it just connects to the Dovecot server and the Dovecot server 
does not proxy to the mail server.

I tried using passdb driver = sql, passdb driver = static and passdb driver = 
lua, and all of them are working when the email client connects using PLAIN 
auth: once Dovecot authenticates the user it will proxy it to the mail server. 
But when I use NTLM authentication it just connects to Dovecot and does not 
proxy to the mail server.

I switched on all the debugs and I found out in the log that when I connect 
using PLAIN auth it calls the passdb and gets my default_fields or my proxy 
fields `proxy=y` and `host=mailserver_domain`, which causes Dovecot to proxy to 
the host (my mail server). But when I connect using NTLM auth it calls the 
passdb but it does not return my default fields for proxying (when it uses the 
sql passdb driver it just connects to the database and does not run the 
password_query), and I think it uses the output from the `ntlm_auth` of Samba 
that Dovecot uses, because it returns the fields user=username and 
original_user=username@domain.

These are the example logs that I received once I connect using NTLM, and it 
does not proxy to my mail server:
```
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: mysql(192.168.254.131): 
Connecting
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected 
(pid=12268)
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected 
(pid=12270)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH 1 NTLM service=imap session=Js8TT04WcMnAqP5/ lip=192.168.254.131 rip=192.168.254.127 lport=143 rport=51568
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 
1
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1   
TlRMTVNTUAABB4IIAAA= (previous base64 data may contain 
sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 
1   
TlRMTVNTUAACFAAUADgFgooC57WwKq2q4U8sdAAFwAXABMBgEAAAasdasdasd9FAFMAQwAuAE4ARQBUAC4AQQBVAAIAFABFAFMAQwAuAE4ARQBUACad4AQdsQBVAAEasAFABFAFMAQwAuAE4AdaRQBUAC4AQQBVAAQDABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEA
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1   
TlRMTVNTUAADGAAYAFwAAACIAIgAdeABABgAGAEAWABYARgAABYIIAHMAcwAzAFcATwBSAEsAUwBUAEEAVABJAE8ATgBXKrBA2vF7fMicRiasLK/IyI3fbM46rQ7JHcti/0TU02AqasdasdasdhceI+BaeqMjrAQEAAACAL88ampDaARzhirKymxxcAAIAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAEAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAQDABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEA
 (previous base64 data may contain sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: 
auth(userName,192.168.254.127,): Auth request finished
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName original_user=userName@FREEBSD-TEST

```

Here's the logs that I get when I connect via Plain Auth and it does the proxy 
to my mail server
```
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: 
mysql(192.168.254.131): Connecting
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn 
unix:auth-worker (uid=0): Server accepted connection (fd=15)
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn 
unix:auth-worker (uid=0): Sending version handshake
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn 
unix:auth-worker (uid=0): auth-worker<1>: Handling PASSV request
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker 
(uid=0): auth-worker<1>: sql(ss3,192.168.254.127,): 
Performing passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker 
(uid=0): auth-worker<1>: sql(ss3,192.168.254.127,): query: 
SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: 
mysql(192.168.254.131): Finished query 'SELECT destuser, password, host, 'Y' as 
proxy FROM proxy WHERE user = 'userName';' in 0 msecs
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker 
(uid=0): auth-worker<1>: 

Re: Is it possible to setup ntlm authentication then proxy it to the mail server ?

2024-04-19 Thread Benny Pedersen via dovecot

Peter via dovecot wrote on 2024-04-19 10:12:

Yes, you would need to use the dovecot submission server for this:

https://doc.dovecot.org/admin_manual/submission_server/

Most people, however, use their MTA's submission server but use dovecot 
for the authentication backend:


https://doc.dovecot.org/configuration_manual/howto/simple_virtual_install/#simple-virtual-install-smtp-auth


https://fedoraproject.org/wiki/Changes/Deprecate_ntlm_in_cyrus_sasl

hope Dovecot handles deprecation better :)


Re: Is it possible to setup ntlm authentication then proxy it to the mail server ?

2024-04-19 Thread Peter via dovecot

Yes, you would need to use the dovecot submission server for this:

https://doc.dovecot.org/admin_manual/submission_server/

Most people, however, use their MTA's submission server but use dovecot 
for the authentication backend:


https://doc.dovecot.org/configuration_manual/howto/simple_virtual_install/#simple-virtual-install-smtp-auth


Peter


On 19/04/24 13:27, karl.l--- via dovecot wrote:

Hi,

This is my dovecot version:
```
root@freebsdsvr:~ # dovecot --version
2.3.21 (47349e2482)
```

I'm having trouble making Dovecot act as a proxy to the mail server when using 
NTLM authentication.
My setup looks like this: email client --> dovecot (will act as proxy) 
---> mail server
so basically the email client will connect to Dovecot, but Dovecot will forward 
it to the mail server.

Proxying using auth_mechanism as PLAIN is working, but if I use NTLM 
authentication it just connects to the Dovecot server and the Dovecot server 
does not proxy to the mail server.

I tried using passdb driver = sql, passdb driver = static and passdb driver = 
lua, and all of them are working when the email client connects using PLAIN 
auth: once Dovecot authenticates the user it will proxy it to the mail server. 
But when I use NTLM authentication it just connects to Dovecot and does not 
proxy to the mail server.


You seem to be confusing IMAP with submission.  The IMAP protocol is 
good for fetching mail and as a general interface to the mail storage 
(or mailbox).  IMAP is not used for submitting new mail (except usually 
for storing a copy in the user's "Sent" folder).


Mail submission is done via the "submission" or (the implicit TLS 
version) "submissions" protocols.  This is usually a function of your 
MTA (e.g. Postfix, Exim, Sendmail, etc., but generally not Dovecot).  So 
any attempt to submit mail to the IMAP port is flawed.


All that said, Dovecot does come with a submission server that can 
"proxy" mail through to the submission service on your MTA.  This can be 
used in the way you describe (but again it's not IMAP):


https://doc.dovecot.org/admin_manual/submission_server/

Most people, however, use their MTA's submission server but use dovecot 
for the authentication backend.  This means that just the authentication 
credentials are passed through from your MTA to Dovecot and Dovecot 
answers with a yes/no to the MTA on whether it should allow the 
submission to proceed.  In this case Dovecot is still doing the 
authentication but no proxy is needed for the actual submission:


https://doc.dovecot.org/configuration_manual/howto/simple_virtual_install/#simple-virtual-install-smtp-auth

The latter solution is my recommendation unless you have a specific need 
for using the Dovecot submission server (e.g. BURL support).



Peter


Is it possible to setup ntlm authentication then proxy it to the mail server ?

2024-04-18 Thread karl.l--- via dovecot
Hi,

This is my dovecot version:
```
root@freebsdsvr:~ # dovecot --version
2.3.21 (47349e2482)
```

I'm having trouble making Dovecot act as a proxy to the mail server when using 
NTLM authentication.
My setup looks like this: email client --> dovecot (will act as proxy) 
---> mail server
so basically the email client will connect to Dovecot, but Dovecot will forward 
it to the mail server.

Proxying using auth_mechanism as PLAIN is working, but if I use NTLM 
authentication it just connects to the Dovecot server and the Dovecot server 
does not proxy to the mail server.

I tried using passdb driver = sql, passdb driver = static and passdb driver = 
lua, and all of them are working when the email client connects using PLAIN 
auth: once Dovecot authenticates the user it will proxy it to the mail server. 
But when I use NTLM authentication it just connects to Dovecot and does not 
proxy to the mail server.

I switched on all the debugs and I found out in the log that when I connect 
using PLAIN auth it calls the passdb and gets my default_fields or my proxy 
fields `proxy=y` and `host=mailserver_domain`, which causes Dovecot to proxy to 
the host (my mail server). But when I connect using NTLM auth it calls the 
passdb but it does not return my default fields for proxying (when it uses the 
sql passdb driver it just connects to the database and does not run the 
password_query), and I think it uses the output from the `ntlm_auth` of Samba 
that Dovecot uses, because it returns the fields user=username and 
original_user=username@domain.

These are the example logs that I received once I connect using NTLM, and it 
does not proxy to my mail server:
```
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: mysql(192.168.254.131): 
Connecting
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected 
(pid=12268)
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected 
(pid=12270)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH 1 NTLM service=imap session=Js8TT04WcMnAqP5/ lip=192.168.254.131 rip=192.168.254.127 lport=143 rport=51568
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 
1
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1   
TlRMTVNTUAABB4IIAAA= (previous base64 data may contain 
sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 
1   
TlRMTVNTUAACFAAUADgFgooC57WwKq2q4U8sdAAFwAXABMBgEAAAasdasdasd9FAFMAQwAuAE4ARQBUAC4AQQBVAAIAFABFAFMAQwAuAE4ARQBUACad4AQdsQBVAAEasAFABFAFMAQwAuAE4AdaRQBUAC4AQQBVAAQDABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEA
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1   
TlRMTVNTUAADGAAYAFwAAACIAIgAdeABABgAGAEAWABYARgAABYIIAHMAcwAzAFcATwBSAEsAUwBUAEEAVABJAE8ATgBXKrBA2vF7fMicRiasLK/IyI3fbM46rQ7JHcti/0TU02AqasdasdasdhceI+BaeqMjrAQEAAACAL88ampDaARzhirKymxxcAAIAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAEAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAQDABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEA
 (previous base64 data may contain sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: 
auth(userName,192.168.254.127,): Auth request finished
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName original_user=userName@FREEBSD-TEST

```

Here's the logs that I get when I connect via Plain Auth and it does the proxy 
to my mail server 
```
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: 
mysql(192.168.254.131): Connecting
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn 
unix:auth-worker (uid=0): Server accepted connection (fd=15)
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn 
unix:auth-worker (uid=0): Sending version handshake
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn 
unix:auth-worker (uid=0): auth-worker<1>: Handling PASSV request
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn 
unix:auth-worker (uid=0): auth-worker<1>: 
sql(ss3,192.168.254.127,): Performing passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn 
unix:auth-worker (uid=0): auth-worker<1>: 
sql(ss3,192.168.254.127,): query: SELECT destuser, password, 
host, 'Y' as proxy FROM proxy WHERE user = 'userName';
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: 
mysql(192.168.254.131): Finished query 'SELECT destuser, password, host, 'Y' as 
proxy FROM proxy WHERE user = 'userName';' in 0 msecs
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn 
unix:auth-worker (uid=0): auth-worker<1>: 
sql(userName,192.168.254.127,): Finished passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn
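A way to spot, from the `auth: Debug:` lines above, which logins finished without the `proxy`/`host` fields and were therefore served locally rather than proxied, as in the NTLM case the poster describes. This is an added Python example, not code from the thread or from Dovecot; it assumes the three line shapes shown in the logs (`client in: AUTH <id> <MECH>`, `client in: CONT <id> <base64>`, `client passdb out: OK <id> key=value ...`) and that request ids are unique within the log. The sample lines and the NTLM blobs in `SAMPLE_LOG` are constructed.

```python
import base64
import re
from dataclasses import dataclass, field

# Patterns for the three auth-debug line kinds the thread's logs show.
AUTH_RE = re.compile(r"client in: AUTH (\d+) (\S+)")
CONT_RE = re.compile(r"client in: CONT (\d+) (\S+)")
OK_RE = re.compile(r"client passdb out: OK (\d+)(.*)$")

@dataclass
class AuthRequest:
    mech: str                                       # SASL mechanism named in AUTH
    ntlm_types: list = field(default_factory=list)  # NTLMSSP message types seen in CONT
    fields: dict = field(default_factory=dict)      # key=value fields from the OK line

def ntlm_message_type(b64):
    """Return the NTLMSSP message type (1, 2 or 3) of a base64 SASL blob, else None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return int.from_bytes(raw[8:12], "little")

def parse_auth_log(lines):
    """Group auth debug lines into requests keyed by their numeric request id."""
    requests = {}
    for line in lines:
        if m := AUTH_RE.search(line):
            requests[m.group(1)] = AuthRequest(mech=m.group(2).upper())
        elif (m := CONT_RE.search(line)) and m.group(1) in requests:
            msg_type = ntlm_message_type(m.group(2))
            if msg_type is not None:
                requests[m.group(1)].ntlm_types.append(msg_type)
        elif (m := OK_RE.search(line)) and m.group(1) in requests:
            for kv in m.group(2).split():
                key, _, value = kv.partition("=")
                requests[m.group(1)].fields[key] = value
    return requests

def unproxied_logins(requests):
    """Ids of requests that finished OK without proxy and host fields (served locally)."""
    return sorted(rid for rid, r in requests.items()
                  if r.fields and not ("proxy" in r.fields and "host" in r.fields))

# Constructed sample in the shape of the thread's debug output; the NTLM blobs are bare
# NTLMSSP headers (signature + message type 1 / 3, zero payload), not real tokens.
SAMPLE_LOG = [
    "auth: Debug: client in: AUTH 1 NTLM service=imap session=s1 lip=10.0.0.1 rip=10.0.0.2 lport=143",
    "auth: Debug: client in: CONT 1 TlRMTVNTUAABAAAAAAAAAAAAAAA= (previous base64 data may contain sensitive data)",
    "auth: Debug: client in: CONT 1 TlRMTVNTUAADAAAAAAAAAAAAAAA=",
    "auth: Debug: client passdb out: OK 1 user=userName original_user=userName@FREEBSD-TEST",
    "auth: Debug: client in: AUTH 2 PLAIN service=imap session=s2 lip=10.0.0.1 rip=10.0.0.2 lport=143",
    "auth: Debug: client passdb out: OK 2 user=userName proxy=y host=mailserver_domain",
]

if __name__ == "__main__":
    for rid in unproxied_logins(parse_auth_log(SAMPLE_LOG)):
        print(f"request {rid}: finished without proxy fields, so it was served locally")
```

Run against a real `auth_debug=yes` log, the output lists exactly the requests that completed on the Dovecot front end instead of being handed to the backend host.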