Mail accounts in heterogeneous environments

Dmitry Butskoy buc at odusz.so-cdu.ru
Fri Jun 29 17:09:47 UTC 2007


I would like to consider a case where both Linux and Windows computers 
are in use, but the mail servers are completely Linux-oriented (e.g., 
dovecot + postfix on Fedora hosts).

In such a heterogeneous environment, to provide a unique 
authorisation/authentication mechanism, either an "OpenLDAP + Samba NT" or 
an "AD + msSFU" solution is used. This provides uniform accounts and 
passwords, independent of whether users use Linux or Windows on their 
desktops.

There is one circumstance which can spoil this fine solution a bit. When 
a Windows user creates his/her mail account (in OE or similar), he/she is 
compelled to specify the login and password "manually". When the 
uniform password is changed at some point (either by Ctrl-Alt-Del from the 
desktop, or by a system admin), this "manual" specification in the local 
mail settings will not be changed automatically. The user is then 
compelled to change the password there too; or the sysadmin should use a 
different, seldom-changed account/password set just for the mail subsystem...

All modern Windows mail programs provide an "SPA" option (secure 
password authentication). Using it, the mail program just uses the 
current desktop's login/password. This way the situation described above 
can be effectively avoided. But "SPA" uses the NTLM (and SPNEGO?) 
authentication mechanism, which is currently not supported properly by 
either dovecot or postfix (it seems that other MTAs and IMAP servers do not 
support it properly as well).

Yes, I know that both postfix and dovecot actually "support" NTLM now. 
But dovecot uses NTLM against a local database only; it cannot 
authenticate users against the Windows domain. Postfix (and other MTAs) 
could use the cyrus-sasl library, which has an "ntlm" plugin (capable of doing 
domain auth), but the actual blocker here is the dovecot issues.

Since postfix and friends can do SMTP auth against a dovecot-auth 
daemon, the solution seems to be focused on the dovecot package only. By 
adding proper NTLM support to dovecot-auth, we can use "SPA" on 
Windows desktops and forget about manually filling in the login/password form.

The Samba team strongly recommends using the "ntlm_auth" helper binary and 
the "winbind" daemon (both from the "samba-common" package), which provide 
a stable way to do the "NTLM" and "GSS-SPNEGO" auth types against a Windows 
domain. This is how Squid and, recently, Apache do NTLM now. Hence I am 
thinking about adding "ntlm_auth + winbind" support for Dovecot.

Before I begin, I would like to ask:
- Is this issue a corner case or not?
- Is there some other solution for the support of "SPA against 
domain" by Linux MTA/POP/IMAP servers in Fedora?
- Perhaps someone has already made something of it? At least partially?
- Is the proposed solution the best way to solve the issue (for 
corporate systems etc.)?


Regards,
Dmitry Butskoy

http://www.fedoraproject.org/wiki/DmitryButskoy
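
As an added illustration that is not part of the original message: a Dovecot configuration fragment showing how the "ntlm_auth + winbind" delegation described above looks once it exists on the server side. It assumes the winbind-backed NTLM settings that later Dovecot releases provide (1.1 and newer, written here in 2.x syntax), a host already joined to the domain with winbindd running, and Fedora-style Samba paths; none of these names come from the post.

```conf
# Added example (not from the original message): Dovecot 2.x settings that hand
# NTLM / GSS-SPNEGO ("SPA") exchanges to Samba's winbind via the ntlm_auth
# helper, so the desktop password is verified against the domain, not a
# local passdb.  Assumed prerequisites, checked on the server before touching
# Dovecot:
#   wbinfo -t                                   # trust secret with the DC is ok
#   ntlm_auth --username=USER --domain=DOMAIN   # prompts for the password
#                                               # and must report NT_STATUS_OK

# Keep PLAIN/LOGIN for clients without SPA; add the two mechanisms SPA uses.
auth_mechanisms = plain login ntlm gss-spnego

# Use ntlm_auth instead of Dovecot's own NTLM code (which can only verify
# against a locally stored password hash).
auth_ntlm_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth

# NTLM never sends the password itself, but the mail session still should not
# travel in clear; PLAIN/LOGIN are then only offered inside TLS.
disable_plaintext_auth = yes
ssl = required

# Caveat: the helper is started by the auth process, so its user
# (service auth { user = ... }) needs read access to winbindd's privileged
# pipe directory, on Fedora typically /var/lib/samba/winbindd_privileged
# (group wbpriv).  Without it, ntlm_auth fails and every SPA login is rejected.
```

A failing helper shows up in the Dovecot auth log as NTLM/GSS-SPNEGO failures for every user while PLAIN over TLS keeps working, which is the first thing to check when deploying this.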




More information about the fedora-devel-list mailing list