
Mail accounts in heterogeneous environments

I would like to consider a case where both Linux and Windows computers are in use, but the mail servers are completely Linux-oriented (e.g., dovecot + postfix on Fedora hosts).

In such a heterogeneous environment, to provide a unique authorisation/authentication mechanism, either "OpenLDAP + Samba NT" or "AD + msSFU" solutions are used. This provides uniform accounts and passwords, independent of whether users run Linux or Windows on their desktops.

There is one circumstance which can spoil this fine solution a bit. When a Windows user creates a mail account (in OE or similar), he/she is compelled to specify the login and password "manually". When the uniform password is changed at some point (either via Ctrl-Alt-Del from the desktop, or by a system admin), this "manual" specification in the local mail settings is not changed automatically. The user is then compelled to change the password there too; or the sysadmin has to use a different, seldom-changed account/password set just for the mail subsystem...

All modern Windows mail programs provide an "SPA" option (secure password authentication). Using it, the mail program just uses the current desktop's login/password. This way the situation described above can be effectively avoided. But "SPA" uses the NTLM (and spnego?) authentication mechanism, which is not supported properly now by either dovecot or postfix (it seems that other MTAs and IMAP servers do not support it properly either).

Yes, I know that both postfix and dovecot actually "support" NTLM now. But dovecot uses NTLM against a local database only; it cannot authenticate users against the Windows domain. Postfix (and other MTAs) can use the cyrus-sasl library, which has an "ntlm" plugin (capable of doing domain auth), but the actual blocker here is the dovecot issue.

Since postfix and friends can do SMTP auth against the dovecot-auth daemon, the solution seems to be focused on the dovecot package only. By adding proper NTLM support to dovecot-auth, we can use "SPA" on Windows desktops and forget about manually filling in the login/password form.

The Samba team strongly recommends using the "ntlm_auth" helper binary and the "winbind" daemon (both from the "samba-common" package), which provide a stable way to do the "NTLM" and "GSS-SPNEGO" auth types against a Windows domain. This is how Squid and, recently, Apache do NTLM now. Hence I am thinking about adding "ntlm_auth + winbind" support to Dovecot.

Before I begin, I would like to ask:
- Is this issue a corner case or not?
- Are there other solutions for supporting "SPA against domain" in Linux MTA/POP/IMAP servers in Fedora?
- Perhaps someone has already done something about it? At least partially?
- Is the proposed solution the best way to solve the issue (for corporate systems etc.)?

Dmitry Butskoy
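An added example, not part of the post above and not code from Dovecot or Samba, sketching how an auth daemon could delegate an NTLM handshake to ntlm_auth the way the post proposes. It drives ntlm_auth's squid-2.5-ntlmssp helper protocol (the request codes YR/KK and reply codes TT/AF/NA/BH are that protocol's real vocabulary) and validates that each blob really is an NTLMSSP NEGOTIATE, CHALLENGE or AUTHENTICATE message before forwarding it. The class and function names are hypothetical, and because a domain-joined winbind is not available offline, `FAKE_HELPER` is a constructed stand-in for ntlm_auth that issues a fixed challenge and accepts only the constructed user "alice"; the client messages are header-only stubs that carry no real NT/LM responses.

```python
import base64
import struct
import subprocess
import sys
from typing import List, Optional, Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


def ntlmssp_message_type(blob: bytes) -> int:
    """Return the NTLMSSP message type (1, 2 or 3) of a raw token.

    Every NTLMSSP message starts with the 8-byte signature followed by a
    little-endian uint32 type.  Rejecting anything else before it reaches
    the helper keeps malformed client data away from winbind."""
    if len(blob) < 12 or not blob.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type not in (NEGOTIATE, CHALLENGE, AUTHENTICATE):
        raise ValueError(f"unexpected NTLMSSP message type {msg_type}")
    return msg_type


class NtlmAuthHelper:
    """Drives one ntlm_auth process over the squid-2.5-ntlmssp protocol.

    Requests: "YR <base64 type1>" starts a handshake, "KK <base64 type3>"
    finishes it.  Replies: "TT <base64 type2>", "AF <user>", "NA <reason>"
    or "BH <helper error>".  (Hypothetical wrapper; the protocol is real.)"""

    def __init__(self, argv=("ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp")):
        self.proc = subprocess.Popen(
            list(argv), stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            text=True, bufsize=1,
        )

    def _exchange(self, code: str, token: bytes) -> Tuple[str, str]:
        self.proc.stdin.write(f"{code} {base64.b64encode(token).decode('ascii')}\n")
        self.proc.stdin.flush()
        line = self.proc.stdout.readline().rstrip("\n")
        if not line:
            raise RuntimeError("helper closed the pipe")
        status, _, payload = line.partition(" ")
        return status, payload

    def negotiate(self, type1: bytes) -> bytes:
        if ntlmssp_message_type(type1) != NEGOTIATE:
            raise ValueError("expected an NTLMSSP NEGOTIATE message from the client")
        status, payload = self._exchange("YR", type1)
        if status != "TT":
            raise RuntimeError(f"helper did not issue a challenge: {status} {payload}")
        challenge = base64.b64decode(payload)
        if ntlmssp_message_type(challenge) != CHALLENGE:
            raise RuntimeError("helper returned something other than a CHALLENGE")
        return challenge  # relayed verbatim to the mail client

    def authenticate(self, type3: bytes) -> Tuple[bool, str]:
        if ntlmssp_message_type(type3) != AUTHENTICATE:
            raise ValueError("expected an NTLMSSP AUTHENTICATE message from the client")
        status, payload = self._exchange("KK", type3)
        if status == "AF":
            return True, payload   # payload: domain-qualified user winbind accepted
        if status == "NA":
            return False, payload  # payload: winbind's reason for the refusal
        raise RuntimeError(f"helper failure: {status} {payload}")

    def close(self) -> None:
        self.proc.stdin.close()
        self.proc.wait(timeout=5)


# Constructed stand-in for ntlm_auth: a fixed 32-byte CHALLENGE (signature,
# type 2, empty target-name fields, zero flags, 8-byte server challenge) and
# an AF/NA decision based only on a UTF-16LE user name in the type 3 blob.
FAKE_HELPER = r'''
import base64, sys
CHALLENGE = b"NTLMSSP\x00" + (2).to_bytes(4, "little") + b"\x00" * 12 + bytes(range(8))
for line in sys.stdin:
    code, _, b64 = line.rstrip("\n").partition(" ")
    blob = base64.b64decode(b64)
    if code == "YR":
        print("TT " + base64.b64encode(CHALLENGE).decode())
    elif code == "KK":
        ok = "alice".encode("utf-16-le") in blob
        print("AF EXAMPLE\\alice" if ok else "NA NT_STATUS_LOGON_FAILURE")
    else:
        print("BH unknown request")
    sys.stdout.flush()
'''


def client_negotiate_stub() -> bytes:
    # Constructed type 1 header with no negotiate flags set.
    return NTLMSSP_SIGNATURE + struct.pack("<I", NEGOTIATE) + b"\x00" * 4


def client_authenticate_stub(user: str) -> bytes:
    # Constructed type 3 header (zeroed length/offset fields and flags) that
    # carries only a UTF-16LE user name; a real client's message also holds the
    # NT/LM responses computed from the challenge.
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
            + b"\x00" * 52 + user.encode("utf-16-le"))


def run_handshake(user: str, argv: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Run one full NEGOTIATE/CHALLENGE/AUTHENTICATE round trip through the
    helper and return (accepted, detail).  Defaults to the constructed helper
    so it runs offline; pass NtlmAuthHelper's real argv on a winbind host."""
    helper = NtlmAuthHelper(argv or [sys.executable, "-c", FAKE_HELPER])
    try:
        challenge = helper.negotiate(client_negotiate_stub())
        if ntlmssp_message_type(challenge) != CHALLENGE:
            raise RuntimeError("bad challenge")
        return helper.authenticate(client_authenticate_stub(user))
    finally:
        helper.close()


if __name__ == "__main__":
    print(run_handshake("alice"))    # constructed helper accepts alice
    print(run_handshake("mallory"))  # constructed helper refuses anyone else
```

The point of the validation step is that the daemon only relays opaque NTLMSSP blobs; it never sees a password, and the "AF" line is the only evidence that the domain accepted the response. That also means the daemon inherits whatever NTLM policy winbind enforces, so on a real deployment the Samba side should be configured to refuse NTLMv1 (the `ntlm auth` smb.conf setting) rather than relying on the mail server to notice weak responses.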

