Outlook 2016 SSO with GSSAPI auth?

2017-10-24 Thread Robert Giles

Hi folks,

I've been sifting through various threads on GSSAPI and NTLM support, 
and I'm wondering if anyone out there can confirm or deny GSSAPI IMAP 
auth support in Microsoft Outlook 2016 (Windows)?  Perhaps there's some 
magic registry key to change IMAP auth from PLAIN to GSSAPI?


We're trying to do single sign-on + e-mail for Windows domain users; 
Thunderbird GSSAPI works fine, of course, but Outlook 2016 is the 
policy-mandated e-mail client for this particular environment (Windows 
10 client desktop, Windows Server 2012 R2 AD, RHEL7 Dovecot).


It seems that Outlook 2016 might also support NTLMv1 / GSS-SPNEGO out of 
the box for IMAP accounts, but NTLMv1 is - rightly - disabled in this 
environment (and I also see 'NT_STATUS_UNSUCCESSFUL' reported by 
/usr/bin/ntlm_auth back to the Dovecot auth worker).


Thanks for any ideas out there!

Robert





Re: STAT command failure

2017-10-24 Thread Andrew Charnley
On Tue, 24 Oct 2017 14:31:11 -0700 (PDT)
Joseph Tam  wrote:

> Andrew Charnley  writes:
> 
> >>> Regarding STAT which appears to have an issue with Dovecot:-
> >>>
> >>> [23:50:46] POP< +OK Dovecot ready.
> >>> [23:50:46] POP> USER x
> >>> [23:50:46] POP< +OK
> >>> [23:50:46] POP> PASS 
> >>> [23:50:46] POP< +OK Logged in.
> >>> [23:50:46] POP> STAT
> >>> [23:50:46] POP< -ERR Unknown command:  
> >>
> >> user x
> >> pass ***
> >> stat  
> >
> > I can confirm this works.  
> 
> > 2. Likely an issue with CLAWS email.  
> 
> If you can arrange a network capture of a non-SSL remote CLAWS
> connection, try checking whether there's a hidden character (NULL,
> etc.) being sent.
> 
> It's also telling that it works for some accounts, and not for others.
> Try rebuilding the user's index cache by removing it (save a copy!)
> and see if that makes it work.  If it does, you can send the buggy
> caches to the developer and see if they can figure it out.
> 
> Joseph Tam 

Hi Joseph,

Which user index file do you refer to?

Regards,

Andrew


Re: STAT command failure

2017-10-24 Thread Joseph Tam

Andrew Charnley  writes:


>>> Regarding STAT which appears to have an issue with Dovecot:-
>>>
>>> [23:50:46] POP< +OK Dovecot ready.
>>> [23:50:46] POP> USER x
>>> [23:50:46] POP< +OK
>>> [23:50:46] POP> PASS 
>>> [23:50:46] POP< +OK Logged in.
>>> [23:50:46] POP> STAT
>>> [23:50:46] POP< -ERR Unknown command:
>>
>> user x
>> pass ***
>> stat
>
> I can confirm this works.

> 2. Likely an issue with CLAWS email.


If you can arrange a network capture of a non-SSL remote CLAWS
connection, try checking whether there's a hidden character (NULL,
etc.) being sent.

It's also telling that it works for some accounts, and not for others.
Try rebuilding the user's index cache by removing it (save a copy!) and
see if that makes it work.  If it does, you can send the buggy caches
to the developer and see if they can figure it out.

Joseph Tam 
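
The check suggested above, looking for a hidden character in what the client sends, can be scripted. This is an added example, not part of the original message or of Dovecot or Claws Mail. It assumes the client-to-server bytes have already been reassembled from the capture; the function names and `SAMPLE` bytes are constructed for illustration.

```python
# Added example; SAMPLE is constructed, not captured from the thread.
# Commands from RFC 1939 plus the common CAPA/STLS/AUTH extensions.
POP3_COMMANDS = {
    "USER", "PASS", "APOP", "STAT", "LIST", "RETR", "DELE", "NOOP",
    "RSET", "QUIT", "TOP", "UIDL", "CAPA", "STLS", "AUTH",
}

def audit_client_stream(raw: bytes):
    """Return (line_no, redacted_line, problems) for each client line."""
    findings = []
    lines = raw.split(b"\n")
    tail = lines.pop()          # bytes after the final LF, normally empty
    for no, line in enumerate(lines, 1):
        problems = []
        if line.endswith(b"\r"):
            line = line[:-1]
        else:
            problems.append("bare LF without CR")
        findings.append(_check(no, line, problems))
    if tail:
        findings.append(_check(len(lines) + 1, tail, ["no line terminator"]))
    return findings

def _check(no, line, problems):
    # Flag every byte outside printable ASCII, with its offset in the line.
    for off, byte in enumerate(line):
        if byte < 0x20 or byte == 0x7F:
            problems.append(f"control byte 0x{byte:02x} at offset {off}")
        elif byte > 0x7E:
            problems.append(f"non-ASCII byte 0x{byte:02x} at offset {off}")
    if line.endswith(b" "):
        problems.append("trailing space")
    keyword = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
    if keyword not in POP3_COMMANDS:
        problems.append("unknown keyword")
    # Never echo the password into a report, even if the keyword is mangled.
    shown = b"PASS ***" if line[:4].upper() == b"PASS" else line
    return (no, shown, problems)

# Constructed client-to-server bytes, as reassembled from a capture.
SAMPLE = b"USER x\r\nPASS secret\r\nSTAT\x00\r\nSTAT \r\nQUIT\n"

if __name__ == "__main__":
    for no, shown, problems in audit_client_stream(SAMPLE):
        print(no, shown, problems or "ok")
```

A `STAT` line that carries a NUL or other control byte is reported with the byte's offset, which gives the client's developers something concrete to look at.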


Fwd: master/master replications v. 2.2.32

2017-10-24 Thread Jorge Canto E.
doveconf -n

# 2.2.32 (dfbe293d4): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-696.1.1.el6.x86_64 x86_64 CentOS release 6.9 (Final) ext3
auth_socket_path = /var/run/dovecot/auth-userdb
doveadm_password =  # hidden, use -P to show it
doveadm_port = 61800
first_valid_uid = 150
last_valid_uid = 150
mail_location = maildir:/var/vmail/%d/%n
mail_plugins = notify replication
mail_privileged_group = mail
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_replica = tcp:xxx.xxx.xxx.xxx
}
postmaster_address = postmas...@it911.mx
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
    user = vmail
  }
  unix_listener replication-notify {
    mode = 0666
    user = vmail
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0600
    user = vmail
  }
}
service config {
  unix_listener config {
    user = vmail
  }
}
service doveadm {
  inet_listener {
    port = 61800
  }
  user = vmail
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl = required
ssl_cert = 
wrote:

> Hi, here is doveconf -n
>
> # 2.2.32 (dfbe293d4): /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-696.1.1.el6.x86_64 x86_64 CentOS release 6.9 (Final) ext3
> auth_socket_path = /var/run/dovecot/auth-userdb
> first_valid_uid = 150
> last_valid_uid = 150
> mail_location = maildir:/var/vmail/%d/%n
> mail_privileged_group = mail
> mbox_write_locks = fcntl
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> postmaster_address = postmas...@it911.mx
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = mail
>     mode = 0600
>     user = vmail
>   }
> }
> ssl = required
> ssl_cert =  ssl_key =  # hidden, use -P to show it
> userdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
>
>
> Thank you
>
> Jorge C.
>
> On Mon, Oct 23, 2017 at 1:07 PM, Aki Tuomi  wrote:
>
>>
>> > On October 23, 2017 at 7:29 PM "Jorge Canto E." wrote:
>> >
>> >
>> > Hi, in the past I set up a master/master replication through TCP using
>> > dovecot 2.2.10 on both servers and everything is running fine, I filter the
>> > users to replicate using the iterate_query on file dovecot-sql.conf.ext; now
>> > I want to set up a new replication between two new servers running dovecot
>> > 2.2.32 but the replicator service tries to replicate every user on my
>> > database even when the iterate_query is correctly set up and the command
>> > "doveadm user '*' " shows only the users I want to replicate, I think I am
>> > missing something but I do not know what.
>> >
>> > Thank you so much for your help.
>> >
>> > Jorge C.
>>
>> Please provide doveconf -n
>>
>> Aki
>>
>
>


Re: Post-login scripting

2017-10-24 Thread Simone Lazzaris
On Saturday 21 October 2017 15:44:52 CEST, Gedalya wrote:
> Aha. Looks pretty cool, and it's really nice that it supports HTTP.
> On the other hand if I'm rate limiting the number of messages sent = number
> of times a client said RCPT TO, I guess it still has to be a postfix policy
> server? Anyway, thanks for pointing this out, I'm sure I'll use it :-)
> 
Very interesting indeed; now I'm using a post-login script to track the IP of
the clients, but I'll evaluate the policy as it seems cleaner.

For a simple policy server to use with postfix, you can check out my simple
daemon:

https://github.com/SimoneLazzaris/polka

It's written in Go, very simple, efficient but effective. We're using it in
production with zero issues.


*Simone Lazzaris*
*Qcom S.p.A.*


Re: STAT command failure

2017-10-24 Thread Andrew Charnley
Hi,

I can confirm this works.

So two issues here;

1. Dovecot logging is useless - there is no logging or stderr output

2. Likely an issue with CLAWS email.

I'm conversing with the CLAWS support group to see what they think.

Regards,

Andrew




On Tue, 24 Oct 2017 07:28:00 +0200 (CEST)
Steffen Kaiser  wrote:

> 
> On Mon, 23 Oct 2017, Andrew Charnley wrote:
> 
> > Regarding STAT which appears to have an issue with Dovecot:-
> >
> > [23:50:46] POP< +OK Dovecot ready.
> > [23:50:46] POP> USER x
> > [23:50:46] POP< +OK
> > [23:50:46] POP> PASS 
> > [23:50:46] POP< +OK Logged in.
> > [23:50:46] POP> STAT
> > [23:50:46] POP< -ERR Unknown command:  
> 
> This response usually has the offending command behind the colon - at 
> least in Dovecot v2.2
> 
> BTW: could you launch a secure connection, e.g. from the mail server
> 
> telnet localhost 110
> 
> then type in the commands yourself:
> 
> user x
> pass ***
> stat
> 
> --
> Steffen Kaiser