ntlm_v2 option of cyrus-sasl-ntlm doesn't work with postfix

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 7
  • Red Hat Enterprise Linux (RHEL) 8
  • postfix-2.10.1-7.el7.x86_64
  • cyrus-sasl-2.1.26-23.el7.x86_64
  • cyrus-sasl-ntlm-2.1.26-23.el7.x86_64

Issue

  • The Postfix SMTP client can use NTLM authentication (for example, when connecting to a Microsoft Exchange server) through the NTLM plugin of cyrus-sasl, provided by the cyrus-sasl-ntlm package. If NTLMv1 is disabled on the Exchange server so that only NTLMv2 is accepted, Postfix SMTP authentication fails.

  • Postfix NTLMv2 support

  • Configuring postfix with SASL2 NTLMv2 using cyrus fails to authenticate against mail relay

Resolution

There is currently no supported workaround. Bug 1722159 has been created, but it cannot be fixed in RHEL 7 due to a design limitation.

In another Bugzilla, "ntlm_v2 option support cyrus-sasl-ntlm for postfix", the engineering team reported that:

After evaluating this request we have decided that we will not implement it for several reasons. NTLM is an aging, insecure authentication protocol; we do not wish to expand its usage in RHEL. The upstream project also seems not interested in this capability. The amount of work needed to implement this functionality is not supported by enough demand.

Root Cause

The root cause of this problem is that cyrus-sasl does not load configuration files for clients, so there is currently no way (other than a hardcoded patch) to set the ntlm_v2 option to yes. The problem has also been reported upstream as issue 574.

Diagnostic Steps

The following proof-of-concept patch, which makes the client send an NTLMv2 response unconditionally, can serve as an unsupported workaround.

--- a/plugins/ntlm.c
+++ b/plugins/ntlm.c
@@ -2022,9 +2022,7 @@ static int ntlm_client_mech_step2(client_context_t *text,
     /* should we send a NTLMv2 response? */
     params->utils->getopt(params->utils->getopt_context,
                          "NTLM", "ntlm_v2", &sendv2, NULL);
-    if (sendv2 &&
-       (sendv2[0] == '1' || sendv2[0] == 'y' ||
-        (sendv2[0] == 'o' && sendv2[1] == 'n') || sendv2[0] == 't')) {
+    if (1) {

        /* put the cnonce in place after the LMv2 HMAC */
        char *cnonce = resp + MD5_DIGEST_LENGTH;
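Review bot: replacing the option test with `if (1)` leaves the `getopt` call two lines above as dead code and `sendv2` set but never read, which compilers will flag as an unused variable, and it removes any way to go back to NTLMv1 once client configuration files are supported. If the intent is "NTLMv2 by default", keep the original comparison and only default the option when no value comes back, e.g. `if (!sendv2) sendv2 = "yes";` before the existing `if (sendv2 && ...)` check; a one-line comment stating that the client side never sees a config file (the root cause above) would also make the change self-explanatory to whoever rebuilds the package.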

Then the RPM cyrus-sasl* packages can be rebuilt and reinstalled.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
