ntlm_v2 option of cyrus-sasl-ntlm doesn't work with postfix

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 7.6
  • postfix-2.10.1-7.el7.x86_64
  • cyrus-sasl-2.1.26-23.el7.x86_64
  • cyrus-sasl-ntlm-2.1.26-23.el7.x86_64

Issue

The Postfix SMTP client can use NTLM authentication (e.g. for connections to an MS Exchange Server) by using the NTLM plugin of cyrus-sasl (provided by the package cyrus-sasl-ntlm). If NTLMv1 is disabled on the MS Exchange Server and only NTLMv2 can be used for authentication, the Postfix SMTP authentication fails.

Resolution

There is currently no supported workaround. Bug 1722159 has been created, but it cannot be fixed in RHEL 7 due to a design limitation.

Root Cause

The root cause of this problem is that cyrus-sasl doesn't load configuration files for clients, so there is currently no way (other than a hardcoded patch) to set the ntlm_v2 option to yes. The problem has also been reported upstream as upstream issue 574.
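The following added example (not code from cyrus-sasl or this article) illustrates the decision the plugin makes. It reproduces the truthy-value test that ntlm.c applies to the "ntlm_v2" option and pairs it with a hypothetical stand-in for the SASL getopt callback backed by a constructed option table. When no client-side configuration is loaded, the lookup yields NULL, the test is false, and the NTLMv1 response path is taken; only a loaded value such as "yes", "on", "1" or "true" selects NTLMv2.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the truthy-value test cyrus-sasl's ntlm.c applies to the
 * "ntlm_v2" option (added illustration, not the library's own API). */
bool ntlm_v2_enabled(const char *sendv2)
{
    if (sendv2 == NULL)           /* option never set: NTLMv1 path */
        return false;
    return sendv2[0] == '1' || sendv2[0] == 'y' ||
           (sendv2[0] == 'o' && sendv2[1] == 'n') || sendv2[0] == 't';
}

/* Constructed option table standing in for a loaded SASL config file. */
struct option { const char *plugin, *name, *value; };

/* Hypothetical stand-in for the SASL getopt callback: returns the value of
 * the requested plugin option, or NULL when no client configuration was
 * loaded (the RHEL 7 behaviour described above). */
const char *lookup_option(const struct option *opts, size_t n,
                          const char *plugin, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(opts[i].plugin, plugin) == 0 &&
            strcmp(opts[i].name, name) == 0)
            return opts[i].value;
    return NULL;
}

/* Which NTLM response version the client would send: 2 for NTLMv2, 1 for NTLMv1. */
int ntlm_response_version(const struct option *opts, size_t n)
{
    const char *sendv2 = lookup_option(opts, n, "NTLM", "ntlm_v2");
    return ntlm_v2_enabled(sendv2) ? 2 : 1;
}

int main(void)
{
    /* constructed: what a loaded client config would contain */
    const struct option loaded[] = { { "NTLM", "ntlm_v2", "yes" } };
    printf("config loaded:    NTLMv%d\n", ntlm_response_version(loaded, 1));
    /* constructed: no client config loaded at all, as on RHEL 7 */
    printf("no client config: NTLMv%d\n", ntlm_response_version(NULL, 0));
    return 0;
}
```

The point the example makes is that the option value itself is fine; the problem is purely that nothing on the client side ever supplies one, so the plugin silently falls back to the weaker NTLMv1 response and the server rejects it.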

Diagnostic Steps

The following proof-of-concept patch, which enforces NTLMv2 authentication, can serve as an unsupported workaround.

--- a/plugins/ntlm.c
+++ b/plugins/ntlm.c
@@ -2022,9 +2022,7 @@ static int ntlm_client_mech_step2(client_context_t *text,
     /* should we send a NTLMv2 response? */
     params->utils->getopt(params->utils->getopt_context,
                          "NTLM", "ntlm_v2", &sendv2, NULL);
-    if (sendv2 &&
-       (sendv2[0] == '1' || sendv2[0] == 'y' ||
-        (sendv2[0] == 'o' && sendv2[1] == 'n') || sendv2[0] == 't')) {
+    if (1) {

        /* put the cnonce in place after the LMv2 HMAC */
        char *cnonce = resp + MD5_DIGEST_LENGTH;
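Review bot: replacing the option test with `if (1)` makes the preceding `getopt(..., "NTLM", "ntlm_v2", &sendv2, NULL)` call dead code, since `sendv2` is fetched but never read afterwards, and it forces NTLMv2 for every server the Postfix client talks to. As a less brittle unsupported build, consider keeping the option and only changing its default, e.g. `if (!sendv2 || sendv2[0] == '1' || sendv2[0] == 'y' || ...)`, so a loaded configuration can still turn it off while the unset case (the RHEL 7 client situation) selects NTLMv2; that also documents the intent better than an unconditional branch.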

The cyrus-sasl* RPM packages can then be rebuilt with this patch and reinstalled.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.