Hi Gerard
Gerard wrote:
On Tue, 06 May 2008 12:44:38 +0200
Sebastian Hagedorn <Hagedorn@xxxxxxxxxxxx> wrote:
Hi,
--On 4 May 2008 13:10:43 +0200 CHCNET Consulting <office@xxxxxxxxxx>
wrote:
I've patched the ntlm plugin to also support Outlook 2007, which
uses a slightly different approach to authenticate. All Outlook
versions prior to 2007 use a two-stage method: first they try to
authenticate with the username and Windows domain instead of the
mail domain (which of course doesn't work, unless we have
user@NTDOMAIN in our sasldb). Outlook 2007 changed this method to
username@xxxxxxxxxxxxxxx, i.e. the NTLM auth is sent with username
and client domain, where the client domain is finally correctly our
email domain!
I don't use Outlook or even Windows personally, so I'm a bit clueless
about these things, but: I run a mail server with many users that
have that combo. We allow NTLM among other SASL methods. So I'm
interested in that patch, but I'm confused. I haven't heard any
complaints from Outlook 2007 users so far. The reason may be that
they don't use NTLM, I'm not sure. There have been complaints,
however, from Vista users. I've been told that Vista requires NTLMv2
by default. I assume that the plugin only does NTLMv1? Or is that
perhaps a misunderstanding?
Outlook 2007 is wicked, because it changed the old method of NTLM
auth... NTLM auth is used whenever you activate "Client needs secured
authentication" in your email setup. Many users do not yet have problems
with that, because older Outlook versions behave as anticipated by SASL
2.1.22, so no issue at all (even with SPA activated). Whenever a user
migrates from Outlook 2003 to 2007, e.g., his mailbox will fail without
reason. There is even a digest-md5 authentication try, but that fails
also. If they do not use SPA (plaintext), you have no issue at all, but
this is very insecure unless you use TLS. So encrypted connections with
the fancy Outlook 2007 client are only possible via NTLM.....
That is correct, NTLMv2 is the default for Vista. There is a short
article regarding NTLMv2 and Microsoft here:
http://technet.microsoft.com/en-us/magazine/cc160954.aspx
BTW, I just checked again and found that the issue appears to be with
SMTP, not with IMAP. We run sendmail with the same SASL libs, though.
If you are using realms in your configuration, you run into the problems
which made me create the patch. As long as you are using Cyrus users
without a domain (logon name is username), you won't run into these
problems (SASL doesn't check the Windows domain against the password
backend). Check your logfiles for similar entries (this is valid also for
SMTP, because that is logged by the SASL NTLM plugin).
---> older outlook method 1
May 29 10:25:48 mail pop3[18419]: NTLM server step 1
May 29 10:25:48 mail pop3[18419]: client flags: ffffb207
May 29 10:25:48 mail pop3[18419]: NTLM server step 2
May 29 10:25:48 mail pop3[18419]: client user: user
May 29 10:25:48 mail pop3[18419]: client domain: WORKSTATION
older outlook method 2
May 28 20:33:10 mail pop3[18862]: NTLM server step 1
May 28 20:33:10 mail pop3[18862]: client flags: ffffb207
May 28 20:33:10 mail pop3[18862]: NTLM server step 2
May 28 20:33:10 mail pop3[18862]: client user: username@xxxxxxxxxx
outlook 2007 first try
May 7 05:55:32 mail pop3[30842]: sql auxprop plugin using mysql engine
May 7 05:55:32 mail pop3[30812]: NTLM server step 1
May 7 05:55:32 mail pop3[30812]: client flags: ffff8207
May 7 05:55:32 mail pop3[30812]: NTLM server step 2
May 7 05:55:32 mail pop3[30812]: client user: office3
May 7 05:55:32 mail pop3[30812]: client domain: mydomain.at.
The third will never be found, because the client domain is not part of
the username checks... this becomes office3@xxxxxxxxxxxxxxxxx and thus
is never matched against the backend... No matter whether you use sasldb,
LDAP, or an SQL database....
Cheers, Sebastian
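As an added example (not code from the thread, from the patch mentioned above, or from cyrus-sasl), the Python script below parses NTLM plugin log lines of the shape quoted in the message, decodes the low half of the negotiate flags, groups the lines by process id, and shows for each session which identity would reach the password backend: once under the stock behaviour as the thread describes it (NTLM domain field ignored, configured realm appended), and once under the reading of the patch in which the client domain is taken as the user's realm. The sample log lines, the example.net realm, the backend account list, the flag-decoding range and the modelling of the patch are all constructed assumptions, marked as such in the code.

```python
"""Classify Cyrus SASL NTLM plugin log lines by Outlook login style.

Added example, not code from the thread or from cyrus-sasl. The log
lines are constructed after the three sessions quoted in the message;
the realm, the backend contents and the modelling of the patch are
assumptions (see the comments below).
"""
import re
from collections import defaultdict

# Constructed sample input. The redacted mail domain from the message is
# replaced by example.net (an assumption); pid 30842 is the unrelated
# auxprop line that appears between the Outlook 2007 entries.
SAMPLE_LOG = """\
May 29 10:25:48 mail pop3[18419]: NTLM server step 1
May 29 10:25:48 mail pop3[18419]: client flags: ffffb207
May 29 10:25:48 mail pop3[18419]: NTLM server step 2
May 29 10:25:48 mail pop3[18419]: client user: user
May 29 10:25:48 mail pop3[18419]: client domain: WORKSTATION
May 28 20:33:10 mail pop3[18862]: NTLM server step 1
May 28 20:33:10 mail pop3[18862]: client flags: ffffb207
May 28 20:33:10 mail pop3[18862]: NTLM server step 2
May 28 20:33:10 mail pop3[18862]: client user: username@example.net
May  7 05:55:32 mail pop3[30842]: sql auxprop plugin using mysql engine
May  7 05:55:32 mail pop3[30812]: NTLM server step 1
May  7 05:55:32 mail pop3[30812]: client flags: ffff8207
May  7 05:55:32 mail pop3[30812]: NTLM server step 2
May  7 05:55:32 mail pop3[30812]: client user: office3
May  7 05:55:32 mail pop3[30812]: client domain: mydomain.at
"""

# Low 16 bits of the NTLMSSP NEGOTIATE flags (MS-NLMP section 2.2.2.5).
# Every quoted value has ffff in its high half, so only the low half is
# decoded here; that the plugin prints the field sign-extended is an
# assumption.
NTLM_FLAGS = {
    0x0001: "NEGOTIATE_UNICODE",
    0x0002: "NEGOTIATE_OEM",
    0x0004: "REQUEST_TARGET",
    0x0010: "NEGOTIATE_SIGN",
    0x0020: "NEGOTIATE_SEAL",
    0x0040: "NEGOTIATE_DATAGRAM",
    0x0080: "NEGOTIATE_LM_KEY",
    0x0200: "NEGOTIATE_NTLM",
    0x0800: "ANONYMOUS",
    0x1000: "OEM_DOMAIN_SUPPLIED",
    0x2000: "OEM_WORKSTATION_SUPPLIED",
    0x8000: "ALWAYS_SIGN",
}

# syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[a-z0-9]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def decode_flags(hexflags):
    """Return the names of the flag bits set in the low 16 bits."""
    value = int(hexflags, 16) & 0xFFFF
    return {name for bit, name in NTLM_FLAGS.items() if value & bit}


def parse_sessions(log_text):
    """Group the plugin's per-step lines by process id.

    A session keeps the negotiate flags (logged at step 1) and the user
    and domain fields the client sent (logged at step 2). Processes that
    never logged a client user are dropped.
    """
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("client flags: "):
            sessions[pid]["flags"] = decode_flags(msg.split(": ", 1)[1])
        elif msg.startswith("client user: "):
            sessions[pid]["user"] = msg.split(": ", 1)[1]
        elif msg.startswith("client domain: "):
            sessions[pid]["domain"] = msg.split(": ", 1)[1]
    return {pid: s for pid, s in sessions.items() if "user" in s}


def classify(session):
    """Name the login style, using the shapes seen in the quoted sessions."""
    user, domain = session["user"], session.get("domain")
    flags = session.get("flags", set())
    if domain is None and "@" in user:
        return "older Outlook, method 2 (user@maildomain as NTLM user)"
    if domain is not None and "OEM_DOMAIN_SUPPLIED" in flags:
        return "older Outlook, method 1 (user + Windows domain/workstation)"
    if domain is not None:
        return "Outlook 2007 (user + mail domain in the NTLM domain field)"
    return "bare user name, no domain"


def lookup_identity(session, server_realm, domain_is_realm=False):
    """Identity the server would hand to its password backend.

    Stock behaviour as the thread describes it: the NTLM domain field is
    ignored and a bare user name gets the configured realm appended.
    domain_is_realm models the patch as taking the client domain as the
    realm instead; that reading of the patch is an assumption.
    """
    user, domain = session["user"], session.get("domain")
    if "@" in user:
        return user
    if domain_is_realm and domain:
        return f"{user}@{domain}"
    return f"{user}@{server_realm}" if server_realm else user


def report(log_text, server_realm, backend_users, domain_is_realm=False):
    """Return (pid, style, looked-up identity, found in backend) per session."""
    rows = []
    for pid, session in sorted(parse_sessions(log_text).items()):
        ident = lookup_identity(session, server_realm, domain_is_realm)
        rows.append((pid, classify(session), ident, ident in backend_users))
    return rows


if __name__ == "__main__":
    # Constructed backend: accounts keyed by user@maildomain, as with realms.
    backend = {"user@example.net", "username@example.net", "office3@mydomain.at"}
    for patched in (False, True):
        print("patched" if patched else "stock")
        for row in report(SAMPLE_LOG, "example.net", backend, patched):
            print("  ", row)
```

Run stand-alone, the stock pass resolves the Outlook 2007 session to office3@example.net, which the constructed backend does not hold, while the domain-as-realm pass resolves it to office3@mydomain.at. The two quoted flag values differ only in bits 0x1000 and 0x2000 (OEM_DOMAIN_SUPPLIED and OEM_WORKSTATION_SUPPLIED), which is why the classifier can separate the older method 1 from the Outlook 2007 shape even though both carry a domain field.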