Maybe use Wireshark to get an independent check on what the logs are saying?

On 4/18/24 20:27, karl.l--- via dovecot wrote:
Hi,

This is my dovecot version:
```
root@freebsdsvr:~ # dovecot --version
2.3.21 (47349e2482)
```

I'm having trouble making dovecot act as a proxy to the mail server when using NTLM authentication.
My setup looks like this: email client ------> dovecot (will act as proxy) -------> mail server
So basically the email client will connect to dovecot, but dovecot will forward it to the mail server.

Proxying using auth_mechanism as PLAIN is working, but if I use NTLM authentication it just connects to the dovecot server and dovecot does not proxy to the mail server.

I tried using passdb driver = sql, passdb driver = static and passdb driver = lua, and all of them work when the email client connects using PLAIN auth: once dovecot authenticates the user it proxies it to the mail server. But when I use NTLM authentication it just connects to dovecot and does not proxy to the mail server.

I switched on all the debugs and found in the log that when I connect using PLAIN auth it calls the passdb and gets my default_fields or my proxy fields `proxy=y` and `host=mailserver_domain`, which cause dovecot to proxy to the host (my mail server). But when I connect using NTLM auth it calls the passdb but does not return my default fields for proxying (when it uses the sql passdb driver it just connects to the database and does not run the password_query), and I think it uses the output from Samba's `ntlm_auth` that dovecot uses, because it returns the fields user=username and original_user=username@domain.

These are the example logs that I received when I connect using NTLM and it does not proxy to my mail server:
```
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: mysql(192.168.254.131): Connecting
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected (pid=12268)
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected (pid=12270)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH 1       NTLM    service=imap    session=Js8TT04WcMnAqP5/        lip=192.168.254.131     rip=192.168.254.127       lport=143       rport=51568
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 1
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1       TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= (previous base64 data may contain sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 1       TlRMTVNTUAACAAAAFAAUADgAAAAFgooC57WwKq2q4U8sdAAAAAAAAAAFwAXABMAAAABgEAAAasdasdasdAAAA9FAFMAQwAuAE4ARQBUAC4AQQBVAAIAFABFAFMAQwAuAE4ARQBUACad4AQdsQBVAAEasAFABFAFMAQwAuAE4AdaRQBUAC4AQQBVAAQAAAADABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEAAAAA
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1       TlRMTVNTUAADAAAAGAAYAFwAAACIAIgAdAAAAAAAAeABAAAAABgAGAEAAAAAWABYARgAAAAAAAAAAAAAABYIIAHMAcwAzAFcATwBSAEsAUwBUAEEAVABJAE8ATgBXKrBA2vF7fMicRiasLK/IyI3fbM46rQ7JHcti/0TU02AqasdasdasdhceI+BaeqMjrAQEAAAAAAACAL88ampDaARzhirKymxxcAAAAAAIAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAEAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAQAAAADABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEAAAAA (previous base64 data may contain sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: auth(userName,192.168.254.127,<Js8TT04WcMnAqP5/>): Auth request finished
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK   1       user=userName        original_user=userName@FREEBSD-TEST
```

Here are the logs that I get when I connect via PLAIN auth and it does proxy to my mail server:
```
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: mysql(192.168.254.131): Connecting
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): Server accepted connection (fd=15)
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): Sending version handshake
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: Handling PASSV request
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(ss3,192.168.254.127,<zwTdK04W9MbAqP5/>): Performing passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(ss3,192.168.254.127,<zwTdK04W9MbAqP5/>): query: SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: mysql(192.168.254.131): Finished query 'SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';' in 0 msecs
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): Finished passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: Finished
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: sql(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): Finished passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: auth(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): Auth request finished
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client: dns(mailserver.domain): Lookup started
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client: Connecting
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client (uid=0): Client connected (fd=27)
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client (uid=0): Sending version handshake
Apr 18 03:27:40 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client (uid=0): dns(mailserver.domain): Lookup successful after 658 msecs
Apr 18 03:27:40 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK   1       user=userName        destuser=userName    host=mailserver.domain    proxy   hostip=mailserverip    pass=password
```

Is there a right way to configure NTLM to do proxying? Because it does not seem to use the passdb in the sql, lua and static drivers.


This is my dovecot -n:
```
root@freebsdsvr:~ # dovecot -n
# 2.3.21 (47349e2482): /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 13.2-RELEASE amd64  zfs
# Hostname: freebsdsvr
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
auth_winbind_helper_path = /usr/local/bin/ntlm_auth
disable_plaintext_auth = no
mail_debug = yes
mail_gid = 1001
mail_location = maildir:/var/mail/vhosts/%n
mail_uid = 1001
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
protocols = imap pop3
service auth {
   user = root
}
ssl_cert = </root/dovecot.crt
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_key = # hidden, use -P to show it
passdb {
   driver = sql

   # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
userdb {
   driver = prefetch
}
```


dovecot-sql.conf.ext:
```
driver = mysql
connect = host=192.168.254.134 port=3306 dbname=mails user=karl password=adminpassword
password_query = SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = '%u';
```


Thanks :)
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
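An added example, not from this thread and not dovecot's or Samba's code: a small decoder for the base64 NTLMSSP messages that appear on the `client in: CONT` / `client passdb out: CONT` debug lines above, giving an independent reading of what the NTLM negotiation carried (message type, negotiated flags, target and account names) without relying on dovecot's own interpretation. The Type 1 message is the one quoted verbatim in the log; `build_challenge` is only a constructed helper that packs a sample Type 2 message so the decoder can be exercised offline.

```python
# Decoder for the base64 NTLMSSP messages on dovecot's 'CONT' auth debug lines.
import base64
import struct
NTLM_SIGNATURE = b"NTLMSSP\x00"
# Subset of the NTLMSSP negotiate flags (MS-NLMP 2.2.2.5) seen in such logs.
FLAG_NAMES = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x200: "NTLM",
              0x8000: "ALWAYS_SIGN", 0x10000: "TARGET_TYPE_DOMAIN",
              0x80000: "EXTENDED_SESSIONSECURITY", 0x2000000: "VERSION", 0x20000000: "128"}

def _buf(data, offset):
    """Read an NTLM security buffer (len, maxlen, offset) and return its payload."""
    length, _maxlen, start = struct.unpack_from("<HHI", data, offset)
    return data[start:start + length]

def _text(raw, flags):  # UTF-16LE if the UNICODE flag was negotiated, else OEM/ASCII
    return raw.decode("utf-16-le" if flags & 1 else "ascii", "replace")

def decode_ntlm(b64):
    """Describe one NTLMSSP message given the base64 form dovecot logs."""
    data = base64.b64decode(b64)
    if data[:8] != NTLM_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type == 1:    # NEGOTIATE, client -> server
        flags = struct.unpack_from("<I", data, 12)[0]
        info = {"domain": _buf(data, 16).decode("ascii", "replace"),
                "workstation": _buf(data, 24).decode("ascii", "replace")}
    elif msg_type == 2:  # CHALLENGE, server -> client (what ntlm_auth hands back)
        flags = struct.unpack_from("<I", data, 20)[0]
        info = {"target": _text(_buf(data, 12), flags), "challenge": data[24:32].hex()}
    elif msg_type == 3:  # AUTHENTICATE, client -> server (names only, no responses)
        flags = struct.unpack_from("<I", data, 60)[0]
        info = {"domain": _text(_buf(data, 28), flags), "user": _text(_buf(data, 36), flags),
                "workstation": _text(_buf(data, 44), flags)}
    else:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    names = sorted(n for bit, n in FLAG_NAMES.items() if flags & bit)
    return {"type": msg_type, "flags": flags, "flag_names": names, **info}

def build_challenge(target, challenge, flags=0x00088207 | 0x00010000):
    """Pack a minimal Type 2 message; a constructed test vector, not from the log."""
    name = target.encode("utf-16-le")
    raw = (NTLM_SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
           + struct.pack("<I", flags) + challenge + bytes(8)
           + struct.pack("<HHI", 0, 0, 48 + len(name)) + name)
    return base64.b64encode(raw).decode()

# The Type 1 message quoted verbatim in the post's log; Type 1 carries no secrets.
NEGOTIATE_FROM_LOG = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
```

Feeding the log's Type 1 message through `decode_ntlm` shows flags 0x00088207 (UNICODE, OEM, REQUEST_TARGET, NTLM, ALWAYS_SIGN, EXTENDED_SESSIONSECURITY) with empty domain and workstation fields; the Type 2 and Type 3 blobs in the post were altered before posting, so they will not decode cleanly.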