ntlm_v2 option of cyrus-sasl-ntlm doesn't work with postfix
Environment
- Red Hat Enterprise Linux (RHEL) 7
- Red Hat Enterprise Linux (RHEL) 8
- postfix-2.10.1-7.el7.x86_64
- cyrus-sasl-2.1.26-23.el7.x86_64
- cyrus-sasl-ntlm-2.1.26-23.el7.x86_64
Issue
- Postfix SMTP client can use NTLM authentication (e.g. for connection to MS Exchange Server) by using the NTLM plugin of cyrus-sasl (provided by package cyrus-sasl-ntlm). If NTLMv1 is disabled on the MS Exchange Server and just NTLMv2 can be used for authentication, the postfix SMTP authentication fails.
- Postfix NTLMv2 support
- Configuring postfix with SASL2 NTLMv2 using cyrus fails to authenticate against mail relay
Resolution
There is currently no supported workaround. Bug 1722159 has been created, but cannot be fixed in RHEL 7 due to a design limitation.
In another Bugzilla, "ntlm_v2 option support cyrus-sasl-ntlm for postfix", the engineering team reported that:
After evaluating this request we have decided that we will not implement it for several reasons. The NTLM is an aging, insecure authentication protocol; we do not wish to expand its usage in RHEL. The upstream project also seems not interested in this capability. The amount of work needed to implement this functionality is not supported by enough demand.
Root Cause
The root cause of this problem is that cyrus-sasl doesn't load configuration files for clients, so there is currently no way (other than a hardcoded patch) to set the ntlm_v2 option to yes. The problem has also been reported upstream as upstream issue 574.
Diagnostic Steps
The following proof-of-concept patch, which forces NTLMv2 authentication, can serve as an unsupported workaround.
--- a/plugins/ntlm.c
+++ b/plugins/ntlm.c
@@ -2022,9 +2022,7 @@ static int ntlm_client_mech_step2(client_context_t *text,
/* should we send a NTLMv2 response? */
params->utils->getopt(params->utils->getopt_context,
"NTLM", "ntlm_v2", &sendv2, NULL);
- if (sendv2 &&
- (sendv2[0] == '1' || sendv2[0] == 'y' ||
- (sendv2[0] == 'o' && sendv2[1] == 'n') || sendv2[0] == 't')) {
+ if (1) {
/* put the cnonce in place after the LMv2 HMAC */
char *cnonce = resp + MD5_DIGEST_LENGTH;
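Review bot: replacing the option test with `if (1)` makes the `ntlm_v2` lookup two lines above dead code (its result in `sendv2` is never read) and leaves the comment "should we send a NTLMv2 response?" describing a decision that no longer exists; it also removes the NTLMv1 response path entirely, so a rebuilt plugin will fail against any relay that accepts only NTLMv1. For a workaround that is meant to be rebuilt into the RPM, prefer treating an absent option as "yes" while still honouring an explicit value, e.g. `if (!sendv2 || sendv2[0] == '1' || sendv2[0] == 'y' || (sendv2[0] == 'o' && sendv2[1] == 'n') || sendv2[0] == 't') {`, or at minimum drop the now-unused `getopt` call and update the comment.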
Then the cyrus-sasl* RPM packages can be rebuilt and reinstalled.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.