While investigating a spike in customer reports of being unable to connect to our IMAP email service (which we run in house on Dovecot), we correlated the issue with a recent update released by Microsoft.
All of these customers could connect via SMTP but not over IMAP from Microsoft Outlook (which we were able to replicate), and all of them had recently updated to build 1807.
Our diagnostics found that the email client was passing Dovecot only the local part of the email address (the portion before the @) as the username, rather than the full address. The logs showed it as follows:
Aug 3 11:52:00 X.X.X.X dovecot: auth-worker(14028): sql(johnyoung,X.X.X.X): unknown user
Aug 3 11:52:02 X.X.X.X dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<johnyoung>, method=NTLM, rip=X.X.X.X, lip=X.X.X.X, session=<Fhuct4Vy/gCwGg4s>
This was clearly why the connection was failing: our service rejected the IMAP authentication attempt because it expects the full email address as the username.
The Obvious Fix (with Compromise)
Further checks found that every failed IMAP connection attempt with this stripped-down username had used the NTLM authentication mechanism. Since we concluded that we no longer needed NTLM, the simplest option is to remove it from the configuration and let the client negotiate another mechanism.
In Dovecot, open conf.d/10-auth.conf and edit the line below, removing ntlm. This forces the email client to use one of the remaining authentication mechanisms.
auth_mechanisms = plain digest-md5 cram-md5 login ntlm
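Before changing the mechanism list, it is worth confirming from the logs that the bare-username failures really are all NTLM. The following script is an added example (not part of the original post) that parses the imap-login failure lines in the format shown above, counts bare-username failures per mechanism and lists the affected client IPs; the log lines, IPs and session ids in it are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in the imap-login failure format shown above.
# IPs, hostnames and session ids are placeholders, not real data.
SAMPLE_LOG = """\
Aug 3 11:52:00 mail dovecot: auth-worker(14028): sql(johnyoung,192.0.2.10): unknown user
Aug 3 11:52:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<johnyoung>, method=NTLM, rip=192.0.2.10, lip=198.51.100.5, session=<Fhuct4Vy/gCwGg4s>
Aug 3 11:53:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, session=<abc123>
Aug 3 11:54:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=NTLM, rip=192.0.2.12, lip=198.51.100.5, session=<def456>
"""

# Matches the user, SASL mechanism and remote IP of a failed imap-login.
FAILED_LOGIN = re.compile(
    r"imap-login: Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>[A-Za-z0-9-]+), rip=(?P<rip>[^,]+)"
)


def parse_failed_logins(log_text):
    """Yield (user, method, rip) for every failed imap-login line."""
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            yield m.group("user"), m.group("method"), m.group("rip")


def bare_username_failures_by_method(log_text):
    """Count failed logins whose username has no '@', grouped by mechanism.

    If every entry in the result is NTLM, the failures match the symptom
    described in the post and removing ntlm from auth_mechanisms is a
    reasonable mitigation.
    """
    counts = Counter()
    for user, method, _rip in parse_failed_logins(log_text):
        if "@" not in user:
            counts[method] += 1
    return dict(counts)


def affected_clients(log_text):
    """Return the remote IPs that failed NTLM auth with a bare username."""
    return {rip for user, method, rip in parse_failed_logins(log_text)
            if method == "NTLM" and "@" not in user}


if __name__ == "__main__":
    print(bare_username_failures_by_method(SAMPLE_LOG))  # {'NTLM': 2}
    print(sorted(affected_clients(SAMPLE_LOG)))
```

Run it against your real mail log instead of SAMPLE_LOG; the IP list tells you which clients to contact if you go with the Outlook-side workaround instead.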
The Unexpected Fix (without Compromise)
The fix we have deployed (while not entirely without compromise) was identified while testing how the email client handles escape characters in the username when using NTLM. After a few attempts at placing a \ before the @ symbol, we noticed that Outlook appended the domain again after it, like this: @[email protected]
It therefore became evident that placing this character before the whole username in Microsoft Outlook, e.g. \[email protected], has the desired effect.
The full username is then passed by Outlook to Dovecot, which authenticates it as normal, working around the issue that Microsoft has inadvertently caused.
Dean Wright identified the unexpected fix, so I credit him with finding this before there were any articles about it on the internet. His GitHub is here.