[Dovecot] dovecot Digest, Vol 44, Issue 53

Lars Skovgaard lars at skovgaarddesign.dk
Mon Dec 25 15:19:47 UTC 2006

On 25/12/2006 at 13.00, Adrian Gill wrote:

> Date: Sun, 24 Dec 2006 16:43:40 -0000
> From: "Adrian Gill" <adrian at ssinternet.co.uk>
> Subject: Re: [Dovecot] NTLM authentication woes
> To: <dovecot at dovecot.org>
> Message-ID: <023001c7277a$ae1bcf60$4107a8c0 at AdeLaptop>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
> 	reply-type=response
> Lars wrote:
> [Re Outlook handling of SPA/NTLM]
>> Turning on auth_debug and auth_verbose has led me to discover that MS
>> Outlook uses the user's full name as login, instead of whatever is entered
>> in the account-information - if the user "John Doe" has the login
>> "jd at domain.com", Outlook sends "John Doe" instead. This of course fails.
>> Strangely enough, if I turn off "Use Secure Authentication" from within
>> Outlook, the login-name from the account-information is used as it should
>> be.
> Not a solution I'm afraid, but just to let you know that I've been
> experimenting with NTLM (actually with Exim for authenticated SMTP) for a
> while with a few users and had the same problems - different versions of
> Outlook behave slightly differently, but none (that I've found) seem to work
> properly.  Usually Outlook sends the user's Windows Logon username and
> password (which is often their name, but often something else too like
> 'Administrator') initially, and sometimes then retries automatically with
> the correct details.
> Things never seem to be that consistent though, except that they're
> consistently bad.  Frustratingly, the only option I have is to tell users
> that have problems to use Thunderbird or something else and use cram-md5
> instead.
> As far as Outlook goes I think Microsoft seem to only bother testing NTLM
> running with MS Exchange on a local network... v.annoying!
> (Sorry not that helpful a post)
> Adrian

Hi Adrian

Thanks for your reply. I suspected as much, though I had hoped that
there was an easily applicable solution. Sadly my MS-using clients are
reluctant at best to change their applications, flawed as they may
be, so I guess they'll have to live with things as they are for now.
MS really should fix their apps, but that's a topic for a discussion
of its own.

I use a mysql-backend, and suspect I could change the login-call to  
match whatever Outlook or Entourage choose to send, but that would be  
difficult to make consistent enough to be truly workable, I think...

Thanks for your time

