From b0ab9598b201190d60c87963095596cb34bd1fd9 Mon Sep 17 00:00:00 2001 From: e-alfred Date: Tue, 13 May 2025 11:51:28 +0200 Subject: [PATCH] mail/postfix: Disable NTLM login because of deprectation (#4663) * Disable NTLM login because of deprectation As NTLMv1 gets disabled and removed by Microsoft [1] and NTLMv2 authentication is broken (causing authentication failures), NTLM should be disabled altogether in Postfix to force other auth options. If a SMTP server replies with AUTH NTLM LOGIN, it tries to use NTLM which fails if only NTLM v2 is enabled on the server. [1] https://borncity.com/win/2024/12/23/windows-11-24h2-server-2025-ntlmv1-has-been-removed/ * Update pkg-descr * Update Makefile * Update mail/postfix/Makefile --------- Co-authored-by: Franco Fichtner --- mail/postfix/Makefile | 3 +-- mail/postfix/pkg-descr | 4 ++++ .../src/opnsense/service/templates/OPNsense/Postfix/main.cf | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile index f0c2159c3..5feb4c74f 100644 --- a/mail/postfix/Makefile +++ b/mail/postfix/Makefile @@ -1,6 +1,5 @@ PLUGIN_NAME= postfix -PLUGIN_VERSION= 1.23 -PLUGIN_REVISION= 4 +PLUGIN_VERSION= 1.24 PLUGIN_COMMENT= SMTP mail relay PLUGIN_DEPENDS= postfix PLUGIN_MAINTAINER= m.muenz@gmail.com diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr index 6bce690ce..f9756bc69 100644 --- a/mail/postfix/pkg-descr +++ b/mail/postfix/pkg-descr @@ -6,6 +6,10 @@ is completely different. Plugin Changelog ================ +1.24 + +* Disable broken, insecure, legacy NTLM authentication (contributed by Alfred Egger) + 1.23 * Add support for Opportunistic DANE as SMTP client security level diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf index 2d462bb42..49419f5d1 100644 --- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf 
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf @@ -157,7 +157,7 @@ relayhost = {{ OPNsense.postfix.general.relayhost }} smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth smtp_sasl_security_options = -smtp_sasl_mechanism_filter = !gssapi, !external, static:all +smtp_sasl_mechanism_filter = !gssapi, !ntlm, !external, static:all {% endif %} {% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
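Review bot: The 1.24 changelog entry in the pkg-descr hunk does not say which side of the connection is affected or what an operator will notice after upgrading. The setting changed in this patch is `smtp_sasl_mechanism_filter`, which governs the outbound SMTP client authenticating to the relayhost, so an entry along the lines of "Exclude NTLM from the SASL mechanisms used for relayhost authentication" would be more precise. It should also mention that a relay advertising only NTLM will no longer be usable with authentication, since the exclusion is not configurable.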
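Review bot: In the main.cf hunk, the unchanged context line `smtp_sasl_security_options =` is empty, which lifts Postfix's default `noplaintext, noanonymous` restrictions, so with `!ntlm` added the fallback for a relay that answers `AUTH NTLM LOGIN` is LOGIN, a plaintext mechanism. That matches the intent stated in the commit message, but it means the relay credentials rely entirely on TLS for confidentiality; it is worth confirming that the template enforces an adequate `smtp_tls_security_level` whenever `smtp_sasl_auth_enable = yes` is emitted, or restricting plaintext mechanisms on unencrypted sessions. The filter is also hardcoded with no explanation: a short template comment above the line stating why NTLM is excluded would help the next maintainer, and because the exclusion is unconditional, a relay offering only NTLM will now fail with no usable mechanism rather than with an NTLM error.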