Back to Community Threads
Disable NTLM
Question asked by PhilabitsAdmin - 2/19/2024 at 4:03 AM
Unanswered
P
Hello,
we have been advised by our security team to disable the use of NTLM on our server. but I can not find how to disable it on SMTP service. 
telnet serverip.... 25
220 MAILSERVERNAME
auth ntlm
334 ntlm supported

is there anyway I can disable the support of NTLM on smtp service ? 
on other server which we use Mailenable as its mailserver, when I issue auth ntlm  command it rejects right away but on smartermail it says supported.

Thanks,
Patrick Jeski Replied
4/9/2024 at 5:24 AM
I can't find anything in the online help and no obvious settings.
D
Douglas Foster Replied
4/9/2024 at 5:53 AM
This is not a SmarterMail issue.  NTLM and Kerberos are the two protocols that Windows can use between workstation and Domain Controller for user authentication.  NTLM can be disabled by group policy, as long as you know that Kerberos is working correctly and all of your devices are new enough to use Kerberos.  All currently supported operating systems should prefer Kerberos.
Patrick Jeski Replied
4/9/2024 at 6:32 AM
How is it not a SmarterMail issue? It is SmarterMail that responds to auth ntlm with 334 ntlm supported, not windows.
B
Bulah Bins Replied
4/10/2024 at 6:17 AM
I can't find anything in the online help and no obvious settings.
D
Douglas Foster Replied
4/10/2024 at 7:29 AM
Thanks for starting this discussion.  It made me start researching.   

Seems like a feature request ticket is in order.   Related issues that may be auditor-driven:
- Disable SMTP AUTH login completely, particularly on port 25.   Authenticated logins should always use a submission port.
- Disable the "LOGIN" authentication method so that only CRAM-MD5 is permitted.

Is anyone aware of requirements for a stronger alternative to CRAM-MD5?

I am pretty sure that this is still a Windows issue, because SmarterMail is almost certainly depending on Windows to perform the NTLM authentication step.  If Windows has it disabled, SmarterMail will not be able to complete the authentication.   But Support should be able to clarify this.

Resources that I found:

The first evidence that NTLM is enabled on your server is in Event Viewer, Event ID 6038 from LSA (LsaSrv).

This article describes the GPO setting for specifying NTLM restrictions:

The assumption is to start with auditing, and then proceed to lock down in stages, which may require creating exceptions for certain servers.
   
Some of the other articles that I found made a distinction between NTLMv1 and NTLMv2.   It seems that the best practice these days is to disable both for best security 
 
Patrick Jeski Replied
11/25/2024 at 11:00 AM
I thought I saw an employee post here a few months ago saying this was going to be added.
C
Still no Kerberos support
J
J. LaDow Replied
4/2/2026 at 2:45 PM
This is really no longer an option.

When can we expect the ability to disable NTLMv1 support? According to developers in other threads, the NTLM support is fully baked into SmarterMail and does not rely on Windows for anything - so adding the ability to turn it off shouldn't be an issue.

Even MailEnable has this as an option and they're like -- don't even get me started...
MailEnable survivor / convert --
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
SmarterMail, LDAP, and Active DirectorySmarterMail > Server Configuration and Management
Key Feature and Version Milestones in SmarterMailSmarterMail
eM Client Fails to Connect to IMAPSmarterMail > Troubleshooting
Client Fails to Connect After an Active Directory Password ChangeSmarterMail > Desktop and Mobile Synchronization
Random Active Directory (AD) LockoutsSmarterMail > Troubleshooting