DevHeads.net

Postfix support for NTLM

Hello,

I have a client that wants us to setup the Postfix SMTP server on their web
server to use authentication when relaying through their Exchange server
(even though both are on the same local network). I'm working on just
getting them to allow relay from the web server IP address, but in the
meantime...

The exchange server only offers "AUTH NTLM" in the EHLO greeting. I did a
little searching and I'm having trouble finding out whether Postfix (well, I
guess Cyrus) supports NTLM authentication. I've looked through the
SASL_README and I can see how to enable SASL auth (BTW, "postconf -A" lists
cyrus), but I guess I'm trying to find out a way to test it manually outside
of Postfix before I make the change in the Postfix config. I see in the
SASL_README how you can test AUTH PLAIN authentication, but I don't see
anything about NTLM (not fully understanding NTLM myself, it seems to be
challenge-response protocol, so the same testing method wouldn't work).

Remember that I only need outgoing NTLM authentication for the SMTP client
(not incoming NTLM), as this server is simply relaying all emails to the
Exchange server. Is this something that would be more appropriate on the
Cyrus list?

Justin Pasher

Comments

Re: Postfix support for NTLM

By Victor Duchovni at 03/18/2009 - 21:44

The Postfix SMTP client uses Cyrus SASL to authenticate to remote SMTP
servers.

There is NTLM an plugin for Cyrus SASL. Never used it myself...

Good idea, the cyrus SASL sources come with a sample server and a sample
client, but it may be tricky to get the sample server configured to
verify NTLM creds. You should probably test with "ldapsearch" against
AD with NTLM authenticaion in LDAP. Once you get the LDAP client working
with NTLM, it should be possible to do the same with SMTP.

Yes. The Client is really making life difficult for you, if they supported
AUTH PLAIN or even GSSAPI, it would be a lot easier than NTLM.