mail/postfix: Disable NTLM login because of deprecation (#4663)

* Disable NTLM login because of deprecation

As NTLMv1 gets disabled and removed by Microsoft [1] and NTLMv2 authentication is broken (causing authentication failures), NTLM should be disabled altogether in Postfix to force other auth options. If an SMTP server replies with AUTH NTLM LOGIN, it tries to use NTLM which fails if only NTLM v2 is enabled on the server.

[1] https://borncity.com/win/2024/12/23/windows-11-24h2-server-2025-ntlmv1-has-been-removed/

* Update pkg-descr

* Update Makefile

* Update mail/postfix/Makefile

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
This commit is contained in:
e-alfred
2025-05-13 11:51:28 +02:00
committed by GitHub
parent 1d2d2b09c8
commit b0ab9598b2
3 changed files with 6 additions and 3 deletions
+1 -2
@@ -1,6 +1,5 @@
PLUGIN_NAME= postfix
PLUGIN_VERSION= 1.23
PLUGIN_REVISION= 4
PLUGIN_VERSION= 1.24
PLUGIN_COMMENT= SMTP mail relay
PLUGIN_DEPENDS= postfix
PLUGIN_MAINTAINER= m.muenz@gmail.com
+4
@@ -6,6 +6,10 @@ is completely different.
Plugin Changelog
================
1.24
* Disable broken, insecure, legacy NTLM authentication (contributed by Alfred Egger)
1.23
* Add support for Opportunistic DANE as SMTP client security level
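Review bot: The 1.24 changelog entry does not say which authentication path is affected. The only functional change in this commit is to `smtp_sasl_mechanism_filter`, which is the SMTP client side, so the entry should say that NTLM is disabled for SASL authentication towards the relayhost. It would also help operators to state the consequence: a relayhost that offers only NTLM will no longer have a usable mechanism after upgrading.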
@@ -157,7 +157,7 @@ relayhost = {{ OPNsense.postfix.general.relayhost }}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = !gssapi, !external, static:all
smtp_sasl_mechanism_filter = !gssapi, !ntlm, !external, static:all
{% endif %}
{% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
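Review bot: Two lines above the changed filter, `smtp_sasl_security_options =` is left empty, so plaintext mechanisms are allowed. With `!ntlm` added, a server that advertises `AUTH NTLM LOGIN` will now be authenticated with LOGIN, and the relay password is only protected if the session is encrypted. Nothing in this hunk ties SASL to TLS. Please confirm the template enforces `smtp_tls_security_level = encrypt` (or stronger) whenever `smtp_sasl_auth_enable = yes`, or restrict plaintext to TLS sessions with `smtp_sasl_security_options = noanonymous, noplaintext` together with `smtp_sasl_tls_security_options = noanonymous`.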