Back to Community Threads
5
Disable NTLM
Question asked by PhilabitsAdmin - 2/19/2024 at 4:03 AM
Unanswered
Hello,
we have been advised by our security team to disable the use of NTLM on our server. but I can not find how to disable it on SMTP service. 
telnet serverip.... 25
220 MAILSERVERNAME
auth ntlm
334 ntlm supported

is there anyway I can disable the support of NTLM on smtp service ? 
on other server which we use Mailenable as its mailserver, when I issue auth ntlm  command it rejects right away but on smartermail it says supported.

Thanks,

6 Replies

Reply to Thread
1
Patrick Jeski Replied
4/9/2024 at 5:24 AM
I can't find anything in the online help and no obvious settings.
1
Douglas Foster Replied
4/9/2024 at 5:53 AM
This is not a SmarterMail issue.  NTLM and Kerberos are the two protocols that Windows can use between workstation and Domain Controller for user authentication.  NTLM can be disabled by group policy, as long as you know that Kerberos is working correctly and all of your devices are new enough to use Kerberos.  All currently supported operating systems should prefer Kerberos.
1
Patrick Jeski Replied
4/9/2024 at 6:32 AM
How is it not a SmarterMail issue? It is SmarterMail that responds to auth ntlm with 334 ntlm supported, not windows.
0
J. LaDow Replied
4/9/2024 at 8:03 AM
We're also running into recommendations that NTLM be disabled for authentication on our mail server infrastructure. This is one thing ME does support is control of authentication methods.
MailEnable survivor / convert --
0
Bulah Bins Replied
4/10/2024 at 6:17 AM
I can't find anything in the online help and no obvious settings.
1
Douglas Foster Replied
4/10/2024 at 7:29 AM
Thanks for starting this discussion.  It made me start researching.   

Seems like a feature request ticket is in order.   Related issues that may be auditor-driven:
- Disable SMTP AUTH login completely, particularly on port 25.   Authenticated logins should always use a submission port.
- Disable the "LOGIN" authentication method so that only CRAM-MD5 is permitted.

Is anyone aware of requirements for a stronger alternative to CRAM-MD5?

I am pretty sure that this is still a Windows issue, because SmarterMail is almost certainly depending on Windows to perform the NTLM authentication step.  If Windows has it disabled, SmarterMail will not be able to complete the authentication.   But Support should be able to clarify this.

Resources that I found:

The first evidence that NTLM is enabled on your server is in Event Viewer, Event ID 6038 from LSA (LsaSrv).

This article describes the GPO setting for specifying NTLM restrictions:

The assumption is to start with auditing, and then proceed to lock down in stages, which may require creating exceptions for certain servers.
   
Some of the other articles that I found made a distinction between NTLMv1 and NTLMv2.   It seems that the best practice these days is to disable both for best security 
 
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

eM Client Fails to Connect to IMAPSmarterMail > Troubleshooting
Client Fails to Connect After an Active Directory Password ChangeSmarterMail > Desktop and Mobile Synchronization
Random Active Directory (AD) LockoutsSmarterMail > Troubleshooting
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Find a Compromised AccountSmarterMail > Troubleshooting