[Dovecot] NTLM oddities

Cassidy B. Larson alandaluz at gmail.com
Mon Feb 19 23:33:48 UTC 2007


Started implementing the MasterUser changes to my config files so I can
finally offer SPA for pop3/imap.

Things are working fine with the MasterUser (hooray!), however one of my
guys started using SPA with Outlook Express and started getting another
user's mailbox.

Turns out to be related to NTLM.  His Outlook Express is configured for the
username of 'johnsmith'. However, you'll see the NTLM took the username from
his XP machine login, it appears, which is just "John".  However, what is
really weird is the "failed" on the "client out" line, but then the proxy
went ahead and proxied to the storage server.

Here's some output from debuggage:

dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH
1       NTLM    service=POP3    lip=204.17.177.60       rip=209.33.215.142
resp=
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out:
CONT        1
dovecot: Feb 19 16:15:56 Info: auth-worker(mail.infowest.com): sql(John,
209.33.215.142): query: SELECT a.clearpasswd AS password, v.storeIP AS host,
CONCAT(IF('John' LIKE
'%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)),'*masteruser')
AS destuser, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy, 'masterpass' AS
pass FROM iwmailsystem.virtmailbox AS v INNER JOIN
iwmailsystem.popserversAS p ON (
p.storeIP = '204.17.177.60') INNER JOIN authenticate.users AS a ON
(a.userID= IF('John' LIKE
'%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',
p.host))) WHERE v.userID = IF('John' LIKE
'%@%.%',CONCAT(LCASE('John'),''),CONCAT(LCASE('John'),'@',p.host)) AND
v.client_active=1;
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): password(John,
209.33.215.142): Credentials: 8447128CC04AD05D1CD15F0C2F17F136
dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out:
FAIL        1       user=John       host=204.17.177.76      destuser=
john at host.com*masteruser   nologin proxy   pass=masterpass
dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to
204.17.177.76:110: user=<John>, method=NTLM, rip=209.33.215.142, lip=
204.17.177.60


Questions:
1) So is it possible to use OE for SPA authentication without it sending the
"XP username", but the actual account username OE is configured for?


2) Why, when it "FAIL"ed did it still proxy?  This seems bad :)

Thanks,

Cassidy
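The second question above (a session that was proxied even though the auth line said FAIL) is exactly the kind of thing worth catching from the logs rather than waiting for a user to report it. Below is an added example, not part of the original post or of Dovecot, that correlates "client out: FAIL ... user=X" auth lines with a following "proxy(X): started proxying" login line for the same user and reports each such pair. The sample log lines are constructed for this example, modelled on the single-line form of the wrapped debug output quoted above; the log layout they follow is assumed to be the same as in that output.

```python
import re

# Constructed sample log, modelled on the debug output quoted in the post
# (the original lines were wrapped by the mail client; here each event is one line).
SAMPLE_LOG = """\
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client in: AUTH 1 NTLM service=POP3 lip=204.17.177.60 rip=209.33.215.142 resp=
dovecot: Feb 19 16:15:56 Info: auth(mail.infowest.com): client out: CONT 1
dovecot: Feb 19 16:15:57 Info: auth(mail.infowest.com): client out: FAIL 1 user=John host=204.17.177.76 destuser=john@host.com*masteruser nologin proxy
dovecot: Feb 19 16:15:57 Info: pop3-login: proxy(John): started proxying to 204.17.177.76:110: user=<John>, method=NTLM, rip=209.33.215.142, lip=204.17.177.60
dovecot: Feb 19 16:16:10 Info: auth(mail.infowest.com): client out: OK 2 user=alice host=204.17.177.76 destuser=alice@host.com*masteruser nologin proxy
dovecot: Feb 19 16:16:10 Info: pop3-login: proxy(alice): started proxying to 204.17.177.76:110: user=<alice>, method=PLAIN, rip=209.33.215.150, lip=204.17.177.60
"""

# "client out" line from the auth process: verdict, request id, then key=value fields.
AUTH_OUT_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) Info: auth\([^)]*\): client out: "
    r"(?P<verdict>OK|FAIL|CONT)\s+(?P<id>\d+)(?P<rest>.*)$"
)

# "started proxying" line from the login process (pop3-login / imap-login).
PROXY_RE = re.compile(
    r"^dovecot: (?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) Info: \w+-login: proxy\((?P<user>[^)]*)\): "
    r"started proxying to (?P<dest>\S+): user=<[^>]*>, method=(?P<method>\w+), "
    r"rip=(?P<rip>\S+), lip=(?P<lip>\S+)$"
)


def find_proxy_after_fail(log_text):
    """Return one finding per proxy start whose most recent auth verdict for
    that user was FAIL. The proxy line carries no request id, so correlation
    is by the user name that appears on both lines."""
    last_verdict = {}  # user -> (verdict, timestamp, backend host from the auth line)
    findings = []
    for line in log_text.splitlines():
        m = AUTH_OUT_RE.match(line)
        if m:
            # CONT lines carry no user=, so only OK/FAIL with a user are remembered.
            fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
            user = fields.get("user")
            if user:
                last_verdict[user] = (m.group("verdict"), m.group("ts"), fields.get("host"))
            continue
        m = PROXY_RE.match(line)
        if m:
            user = m.group("user")
            verdict, fail_ts, host = last_verdict.get(user, (None, None, None))
            if verdict == "FAIL":
                findings.append({
                    "user": user,
                    "method": m.group("method"),
                    "rip": m.group("rip"),
                    "dest": m.group("dest"),
                    "fail_ts": fail_ts,
                    "proxy_ts": m.group("ts"),
                    "auth_host": host,
                })
    return findings


if __name__ == "__main__":
    for f in find_proxy_after_fail(SAMPLE_LOG):
        print("proxied despite FAIL: user=%(user)s method=%(method)s rip=%(rip)s "
              "-> %(dest)s (FAIL at %(fail_ts)s, proxy at %(proxy_ts)s)" % f)
```

Run against a real log the regexes expect one event per line, so wrapped lines as pasted above would need to be rejoined first. The alice session (OK verdict, PLAIN method) is included so that an ordinary successful proxy is shown not to be reported.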