If you can do NTLM, you can do GSSAPI too. Which even Microsoft recommends. So
I would very strongly suggest using that. 
 
Aki
     On 21/04/2024 12:30 EEST Bob Gustafson via dovecot
     <dovecot@dovecot.org> wrote:
      
      
     Maybe use Wireshark to get an independent check on what the logs are
     saying?
      
     On 4/18/24 20:27, karl.l--- via dovecot wrote:
          Hi,
          This is my dovecot version:
          ```
          root@freebsdsvr:~ # dovecot --version
          2.3.21 (47349e2482)
          ```
          I'm having trouble in making dovecot as proxy to the mail
          server when using ntlm authentication.
          My setup looks like this: email client ------> dovecot
          (will act as proxy) -------> mail server
          so basically the email client will connect to dovecot but
          dovecot will forward it to the mail server.
          Proxying using auth_mechanism as PLAIN is working but if I
          use ntlm authentication it just connects into the dovecot
          server and dovecot server does not proxy to the mail
          server.
          I tried using passdb driver = sql, passdb driver = static,
          passdb driver = lua
          and all of them are working when the email client connects
          using plain auth, once dovecot authenticates the user it
          will proxy it to the mail server but when I use ntlm
          authentication it just connects to dovecot and does not do
          a proxy to the mail server.
          I switched on all the debugs and I found out in the log
          that when I connect using PLAIN auth it calls the passdb
          and gets my default_fields or my proxy fields `proxy=y`
          and `host=mailserver_domain` which causes dovecot to
          proxy into the host (my mail server). But when I connect
          using NTLM auth it calls the passdb but it does not return
          my default fields for proxying (when it uses the sql passdb
          driver it just connects to the database and does not run
          the password_query) and I think it uses the output from the
          `ntlm_auth` of samba that dovecot uses because it
          returns the field user=username and
          original_user=username@domain.
          These are the example logs that I received once I connect
          using ntlm and it does not proxy it to my mail server:
          ```
          Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: mysql(192.168.254.131): Connecting
          Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected (pid=12268)
          Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected (pid=12270)
          Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH 1 NTLM service=imap session=Js8TT04WcMnAqP5/ lip=192.168.254.131 rip=192.168.254.127 lport=143 rport=51568
          Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 1
          Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1 TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= (previous base64 data may contain sensitive data)
          Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 1 TlRMTVNTUAACAAAAFAAUADgAAAAFgooC57WwKq2q4U8sdAAAAAAAAAAFwAXABMAAAABgEAAAasdasdasdAAAA9FAFMAQwAuAE4ARQBUAC4AQQBVAAIAFABFAFMAQwAuAE4ARQBUACad4AQdsQBVAAEasAFABFAFMAQwAuAE4AdaRQBUAC4AQQBVAAQAAAADABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEAAAAA
          Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT 1 TlRMTVNTUAADAAAAGAAYAFwAAACIAIgAdAAAAAAAAeABAAAAABgAGAEAAAAAWABYARgAAAAAAAAAAAAAABYIIAHMAcwAzAFcATwBSAEsAUwBUAEEAVABJAE8ATgBXKrBA2vF7fMicRiasLK/IyI3fbM46rQ7JHcti/0TU02AqasdasdasdhceI+BaeqMjrAQEAAAAAAACAL88ampDaARzhirKymxxcAAAAAAIAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAEAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAQAAAADABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEAAAAA (previous base64 data may contain sensitive data)
          Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: auth(userName,192.168.254.127,<Js8TT04WcMnAqP5/>): Auth request finished
          Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName original_user=userName@FREEBSD-TEST
          ```
          Here are the logs that I get when I connect via Plain Auth
          and it does the proxy to my mail server:
          ```
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: mysql(192.168.254.131): Connecting
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): Server accepted connection (fd=15)
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): Sending version handshake
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: Handling PASSV request
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(ss3,192.168.254.127,<zwTdK04W9MbAqP5/>): Performing passdb lookup
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(ss3,192.168.254.127,<zwTdK04W9MbAqP5/>): query: SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: mysql(192.168.254.131): Finished query 'SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';' in 0 msecs
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): Finished passdb lookup
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: Finished
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: sql(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): Finished passdb lookup
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: auth(userName,192.168.254.127,<zwTdK04W9MbAqP5/>): Auth request finished
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client: dns(mailserver.domain): Lookup started
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client: Connecting
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client (uid=0): Client connected (fd=27)
          Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client (uid=0): Sending version handshake
          Apr 18 03:27:40 freebsdsvr dovecot[12084]: auth: Debug: conn unix:dns-client (uid=0): dns(mailserver.domain): Lookup successful after 658 msecs
          Apr 18 03:27:40 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName destuser=userName host=mailserver.domain proxy hostip=mailserverip pass=password
          ```
          Is there a right way to configure ntlm to do proxy? Because
          it does not seem to use the passdb in sql, lua, and static
          drivers.
          This is my dovecot -n:
          ```
          root@freebsdsvr:~ # dovecot -n
          # 2.3.21 (47349e2482): /usr/local/etc/dovecot/dovecot.conf
          # OS: FreeBSD 13.2-RELEASE amd64 zfs
          # Hostname: freebsdsvr
          auth_debug = yes
          auth_debug_passwords = yes
          auth_mechanisms = plain login ntlm
          auth_use_winbind = yes
          auth_username_format = %n
          auth_verbose = yes
          auth_verbose_passwords = plain
          auth_winbind_helper_path = /usr/local/bin/ntlm_auth
          disable_plaintext_auth = no
          mail_debug = yes
          mail_gid = 1001
          mail_location = maildir:/var/mail/vhosts/%n
          mail_uid = 1001
          namespace inbox {
            inbox = yes
            location =
            mailbox Drafts {
              special_use = \Drafts
            }
            mailbox Junk {
              special_use = \Junk
            }
            mailbox Sent {
              special_use = \Sent
            }
            mailbox "Sent Messages" {
              special_use = \Sent
            }
            mailbox Trash {
              special_use = \Trash
            }
            prefix =
          }
          protocols = imap pop3
          service auth {
            user = root
          }
          ssl_cert = </root/dovecot.crt
          ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
          ssl_key = # hidden, use -P to show it
          passdb {
            driver = sql
            # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
            args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
          }
          userdb {
            driver = prefetch
          }
          ```
          dovecot-sql.conf.ext:
          ```
          driver = mysql
          connect = host=192.168.254.134 port=3306 dbname=mails user=karl password=adminpassword
          password_query = SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = '%u';
          ```
          Thanks :)
          _______________________________________________
          dovecot mailing list -- dovecot@dovecot.org
          To unsubscribe send an email to dovecot-le...@dovecot.org
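As an added diagnostic example (not from this thread and not Dovecot's own tooling), the script below reads auth_debug lines like those quoted above, pairs each `client in: AUTH <id> <mech>` line with the `client passdb out: OK <id> ...` result that follows it, and reports which mechanisms authenticated without the passdb returning a `proxy` field. The sample log is constructed by condensing the excerpts from the thread; the field-parsing rules (bare `proxy` or `proxy=y` means proxying) follow Dovecot's passdb extra-field convention.

```python
import re

# Constructed sample, condensed from the auth_debug excerpts quoted in the thread.
# Dovecot starts each auth client at request id 1, so the two requests below share
# an id and must be matched to the most recent "AUTH <id>" line, not by id alone.
SAMPLE_LOG = """\
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH 1 PLAIN service=imap session=zwTdK04W9MbAqP5/ lip=192.168.254.131 rip=192.168.254.127 lport=143 rport=51560
Apr 18 03:27:40 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName destuser=userName host=mailserver.domain proxy hostip=mailserverip pass=password
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH 1 NTLM service=imap session=Js8TT04WcMnAqP5/ lip=192.168.254.131 rip=192.168.254.127 lport=143 rport=51568
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT 1
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK 1 user=userName original_user=userName@FREEBSD-TEST
"""

AUTH_RE = re.compile(r"client in: AUTH (\d+) (\S+) service=(\S+) session=(\S+)")
OUT_RE = re.compile(r"client passdb out: (OK|FAIL) (\d+)(.*)$")


def analyze_auth_log(text):
    """One record per finished auth request: mechanism, passdb extra fields,
    and whether those fields ask Dovecot to proxy (bare 'proxy' or proxy=y)."""
    pending, finished = {}, []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            rid, mech, service, session = m.groups()
            pending[rid] = {"mech": mech.upper(), "service": service, "session": session}
            continue
        m = OUT_RE.search(line)
        if not m:
            continue  # CONT lines and other debug output carry no final verdict
        status, rid, rest = m.groups()
        rec = pending.pop(rid, {"mech": "?", "service": "?", "session": "?"})
        # "key=value" tokens become pairs; a bare token such as "proxy" maps to ""
        fields = dict(tok.partition("=")[::2] for tok in rest.split())
        rec.update(status=status, fields=fields, host=fields.get("host"),
                   proxy="proxy" in fields and fields["proxy"] in ("", "y", "yes"))
        finished.append(rec)
    return finished


def mechanisms_without_proxy(records):
    """Mechanisms that authenticated OK but whose passdb result had no proxy field."""
    return sorted({r["mech"] for r in records if r["status"] == "OK" and not r["proxy"]})


if __name__ == "__main__":
    recs = analyze_auth_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['mech']:5} session={r['session']} status={r['status']} "
              f"proxy={r['proxy']} host={r['host']}")
    print("no proxy fields for:", mechanisms_without_proxy(recs))
```

Run it against a real log with `auth_debug = yes` by replacing SAMPLE_LOG with the file contents; any mechanism listed by `mechanisms_without_proxy` is one whose passdb result will not trigger proxying.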