Error authentication with NTLM

luistkd4
Hi, I'm trying to authenticate over SMTP (587) in Postfix using an iPhone with NTLM, but I get these errors:

Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: match_list_match: 0.0.0.0: no match
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-UBSMTPPROXY01
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-PIPELINING
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-SIZE 10240000
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-VRFY
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-ETRN
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-STARTTLS
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-ENHANCEDSTATUSCODES
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250-8BITMIME
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 250 DSN
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: watchdog_pat: 0x7fa59005dc50
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: < unknown[0.0.0.0]: AUTH NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: xsasl_cyrus_server_first: sasl_method NTLM, init_response TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: xsasl_cyrus_server_first: decoded initial response NTLMSSP
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: xsasl_cyrus_server_auth_response: uncoded server challenge: NTLMSSP
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 334 TlRMTVNTUAACAAAAGgAaADAAAAAFggIA7O3XDUkopjcAAAAAAAAAAAAAAAAAAAAAVQBCAFMATQBUAFAAUABSAE8AWABZADAAMQA=
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: < unknown[0.0.0.0]: QUIT
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: xsasl_cyrus_server_next: decoded response: AB?
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: warning: SASL authentication failure: client didn't issue valid NTLM response
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: warning: unknown[0.0.0.0]: SASL NTLM authentication failed: bad protocol / cancel
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: > unknown[0.0.0.0]: 535 5.7.8 Error: authentication failed: bad protocol / cancel
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: watchdog_pat: 0x7fa59005dc50
Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: smtp_get: EOF

And on the iPhone I am not logged in.

Can anyone help me?

Thanks

Re: Error authentication with NTLM

Noel Jones-2
On 2/15/2017 6:36 AM, Luis Miguel Flores dos Santos wrote:
> Hi, I'm trying authentic in smtp(587) in postfix using iphone
> with NTLM but I have this errors:
...
> unknown[0.0.0.0]: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
...
> Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: *warning: SASL
> authentication failure: client didn't issue valid NTLM response*
> Feb 15 11:52:29 ubmsa01test postfix/smtpd[30317]: warning:
> unknown[0.0.0.0]:* SASL NTLM authentication failed: bad protocol /
> cancel*

This is not a postfix problem, rather a problem with your cyrus SASL
backend.

Your server is configured to offer NTLM, but it doesn't work.  Best
solution is to not offer NTLM which is insecure anyway.



  -- Noel Jones

Re: Error authentication with NTLM

luistkd4
Do you know how to fix it? Because I need it to work.

Re: Error authentication with NTLM

Noel Jones-2
On 2/15/2017 11:24 AM, luistkd4 wrote:
> Do you know how fix it? Because I need its work
>

Try the support channels for cyrus.  Postfix is just the messenger
telling you that your cyrus doesn't work.

And are you sure you *require* NTLM?  That sounds wonky to me.  I
expect you can fix it by not offering NTLM and letting the client
use PLAIN or CRAM-MD5 instead.


  -- Noel Jones

Re: Error authentication with NTLM

luistkd4
Yes, because some printers need this to work and all iPhones are configured this way by default. If I change the authentication to "password" it works, but NTLM MD5 or HTTP MD5 Digest don't work.

Re: Error authentication with NTLM

Viktor Dukhovni
In reply to this post by luistkd4
On Wed, Feb 15, 2017 at 12:36:52PM +0000, Luis Miguel Flores dos Santos wrote:

> Hi, I'm trying authentic in smtp(587) in postfix using iphone with NTLM but I have this errors:

To do NTLM authentication your mail server must be a member computer
of a Windows Domain, configured to authenticate to and interact
with either actual Windows Active Directory domain controllers, or
Samba servers that emulate the same.

If you don't have a Windows domain, you can't do NTLM.  You could
of course learn to deploy and manage Samba.

Once you have the basics in place, you'll have to configure Cyrus
SASL correctly to work with NTLM, it should not be too difficult,
but I don't know anyone who's doing it other than to serve SMB
shares as part of Samba (which bypasses Cyrus and uses NTLM directly).

--
        Viktor.
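
Decoding the two NTLMSSP messages from the log in the first post shows what each side actually put on the wire. This is an added example, not code from the thread, Postfix or Cyrus SASL; the function names are hypothetical and the flag table is only a subset of the MS-NLMP negotiate flags.

```python
import base64
import struct

# Subset of the NTLMSSP negotiate flags (names as in MS-NLMP).
FLAGS = {0x1: "NEGOTIATE_UNICODE", 0x2: "NEGOTIATE_OEM", 0x4: "REQUEST_TARGET",
         0x200: "NEGOTIATE_NTLM", 0x8000: "NEGOTIATE_ALWAYS_SIGN",
         0x10000: "TARGET_TYPE_DOMAIN", 0x20000: "TARGET_TYPE_SERVER",
         0x80000: "NEGOTIATE_EXTENDED_SESSIONSECURITY"}

# SASL payloads copied from the smtpd log lines in the first post.
TYPE1_B64 = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
TYPE2_B64 = "TlRMTVNTUAACAAAAGgAaADAAAAAFggIA7O3XDUkopjcAAAAAAAAAAAAAAAAAAAAAVQBCAFMATQBUAFAAUABSAE8AWABZADAAMQA="
CLIENT_REPLY = "QUIT"  # what the client sent after the 334 challenge


def decode(b64):
    """Base64-decode a SASL payload; None if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:
        return None


def parse_ntlm(b64):
    """Return the fields of an NTLMSSP Type 1/2 message, or None if not NTLMSSP."""
    raw = decode(b64)
    if raw is None or len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        return None
    (mtype,) = struct.unpack_from("<I", raw, 8)
    msg = {"type": mtype, "flags": 0}
    if mtype == 1:                       # Negotiate: flags at offset 12
        (msg["flags"],) = struct.unpack_from("<I", raw, 12)
    elif mtype == 2 and len(raw) >= 32:  # Challenge: name buffer, flags, nonce
        tlen, _tmax, toff, flags = struct.unpack_from("<HHII", raw, 12)
        msg["flags"] = flags
        msg["challenge"] = raw[24:32].hex()
        # Target name is UTF-16LE when NEGOTIATE_UNICODE is set; latin-1 stands
        # in for the OEM code page otherwise (assumption of this example).
        enc = "utf-16-le" if flags & 0x1 else "latin-1"
        msg["target"] = raw[toff:toff + tlen].decode(enc, errors="replace")
    msg["flag_names"] = [n for bit, n in FLAGS.items() if msg["flags"] & bit]
    return msg


if __name__ == "__main__":
    for label, b64 in (("client", TYPE1_B64), ("server", TYPE2_B64)):
        print(label, parse_ntlm(b64))
    print("client reply:", decode(CLIENT_REPLY), "->", parse_ntlm(CLIENT_REPLY))
```

The server's challenge carries TARGET_TYPE_SERVER with the host's own name (UBSMTPPROXY01) rather than a domain, and the client's next line, QUIT, base64-decodes to the bytes 0x41 0x42 0x13, which matches the logged "decoded response: AB?".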

Re: Error authentication with NTLM

luistkd4

Thanks all for help.


Viktor, I changed my smtpd.com as follows:

log_level: 7
pwcheck_method: auxprop
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
saslauthd_path: /var/run/saslauthd/mux
ntlm_v2: yes
ntlm_server: serverad.local

I set ntlm_server to my Active Directory, so now I can connect but I have a new error:
SASL NTLM authentication failed: generic failure


Maybe, like you said, I need to be a member of a Windows domain?



Re: Error authentication with NTLM

Viktor Dukhovni

> On Feb 15, 2017, at 3:02 PM, luistkd4 <[hidden email]> wrote:
>
> Viktor I change my smtpd.com, follow:
>
> log_level: 7
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
> saslauthd_path: /var/run/saslauthd/mux
> ntlm_v2: yes
> ntlm_server: serverad.local
>
> ntlm_server i set my active directory, so now I can connect but have new error:
> SASL NTLM authentication failed: generic failure
>
> Maybe like you tell I need be member of windows domain?

Well, that's why I said it.  What's more even with the host a member of the
domain, the process doing the NTLM check needs to have sufficient privilege
to access appropriate Windows credentials so that the Windows DC will allow
it to perform what amount to online dictionary attacks.  Presumably the
Cyrus saslauthd (likely running as root) will have the relevant access and
the NTLM SASL module will know where to find the credentials, assuming that
the software you use to join the domain sets everything up in the way that
SASL expects.

You're getting yourself into a rather advanced configuration that requires
interoperability between many independently designed systems.  Good luck!

--
        Viktor.


Re: Error authentication with NTLM

luistkd4

Thanks a lot Viktor, I'm going to check this!

