HEX
Server: Apache
System: Linux vps-cdc32557.vps.ovh.ca 5.15.0-156-generic #166-Ubuntu SMP Sat Aug 9 00:02:46 UTC 2025 x86_64
User: hanode (1017)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /usr/share/doc/dovecot-core/wiki/
Upload Files
File: //usr/share/doc/dovecot-core/wiki/Authentication.Mechanisms.NTLM.txt
NTLM
====

There are four authentication submethods inside the NTLM:

 1. LM: server nonce only, highly vulnerable to MITM and rogue server attacks.
 2. NTLM: different algorithm, almost equally vulnerable as LM today.
 3. NTLM2: server and client nonce, but MITM can force downgrade to NTLM/LM.
 4. NTLMv2: server and client nonce, MITM can't force downgrade.

NTLM <password scheme> [Authentication.PasswordSchemes.txt] is required for
NTLM, NTLM2 and NTLMv2.

NTLMv2 can not be negotiated. It must be explicitly enabled on the client side
by setting registry key below to at least 3:

 * Win9x:
   'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibility'
 * WinNT:
   'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel'

Dovecot's NTLM logic is:

 1. If we have only LM password scheme, try LM authentication;
 2. If client sends LM response only (some very old clients do it), try LM too;

 3. If NTLMv2 is guessed (using client response length), try NTLMv2;
 4. If NTLM2 was negotiated, try it;
 5. Otherwise try NTLM.

For more information about NTLM internals, see http://ubiqx.org/cifs/ and
http://davenport.sourceforge.net/ntlm.html

(This file was created from the wiki on 2019-06-19 12:42)
@ Telegram