[Exim] NTLM

Author: eichin
Date:
To: exim-users
Subject: [Exim] NTLM
I recently found the need to allow users who travel regularly to make a
connection to their in-house SMTP server (exim on debian). I had hoped
to simply enable authentication and watch everything work, as I have done
over and over with linux-based setups. To make this short, here's what
I've done:

First, I made a change to the sources that made the separator for
"server_prompts" a semicolon instead of a colon. This allowed me to
change the login prompts to "Username:" and "Password:" for compliance
with all the different versions of Outlook in use. I'm sure there could
be a better choice of character, but it was nearby. If anyone has any
logic-based suggestions for a replacement character, or for a different
work-around, I'd really appreciate it.

Second, I couldn't find a way for users on the debian box to authenticate
using their existing username/password information, stored in /etc/passwd
and /etc/shadow. I now believe I found some info on www.exim.org that
sets me in a better direction, but I came up with a workaround in perl
that does the same thing. I would appreciate feedback on just how sane
this is. It does work, at least. More importantly, I now have a handle
on Exim's way of talking to perl. Gee, I bet this could be useful to
someone out there.

Lastly, while I was working out these difficulties, I noticed that
Outlook would respond faithfully to an offer of "250 AUTH NTLM", with
"AUTH NTLM". I'd send "334", and get back "NTLMSSP" base-64 encoded. So
I poked around the 'net for information on this acronym.

Apparently there's running code implementing the "challenge - handshake -
authenticate" semantics required by this authentication method, in both
fetchmail and samba. As I understand it, supporting this protocol would
allow fairly secure mail transport from Windows clients to exim (eg, the
mail itself will be encrypted during the transfer). Since I'm always
crossing the boundary between Linux and Windows, I'd like to know if,
somewhere in this group, someone has the heart to try and add this code
to exim. It's well beyond my abilities to migrate C-code from one
application to another, but this would be such a powerful feature, yes?
Or has someone already done this?

Anyway, thanks for paying attention through this first (long) posting.
Below you will find the relevant snippets of code which I discussed,
above. And I hope someone is up to the challenge, because I know I can't
get rid of Outlook, but if I can at least gain some control from the
server-side .... :-)

--Bill Eichin
backwoods technologies

---Cut Here---
Changes to the last part of /etc/exim.conf:

auth_outlook:
        driver = plaintext
        public_name = LOGIN
        server_prompts = "Username: ; Password:"
        server_condition = "${perl{auth_pass}{$1}{$2}}"
        server_set_id = $1



The text of /etc/exim.pl, including the subroutine, "auth_pass":

#!/usr/bin/perl
# Exim perl extensions.
use strict;
use warnings;
use Crypt::PasswdMD5;

# Called from exim.conf as ${perl{auth_pass}{$1}{$2}}; Exim hands the
# two expansion arguments to the subroutine in @_.  Returns the strings
# "true" or "false", which is what server_condition expects.
sub auth_pass {
    my ($username, $password) = @_;
    my $namegood = 0;
    my $spwgood  = 0;

    # Verify that the user is in /etc/passwd with a normal-user uid
    # (1000 <= uid < 65500); system accounts fail.  Numeric comparison,
    # not string comparison, so "999" does not sort above "1000".
    my $userid = getpwnam($username);
    if (defined $userid && $userid >= 1000 && $userid < 65500) {
        $namegood = 1;
    }

    # /etc/shadow must be readable by the user Exim runs as.
    open(my $shadow, '<', '/etc/shadow') or return "false";
    while (my $shadline = <$shadow>) {
        chomp $shadline;
        my @shadfields = split(/:/, $shadline);
        next unless defined $shadfields[0] && $shadfields[0] eq $username;
        # Field 1 is "$1$<salt>$<hash>" for MD5-crypt passwords;
        # unix_md5_crypt extracts the salt when given the whole field.
        my $hash = $shadfields[1];
        if ($hash =~ /^\$1\$/ && unix_md5_crypt($password, $hash) eq $hash) {
            $spwgood = 1;
        }
    }
    close($shadow);

    if ($namegood && $spwgood) {
        return "true";
    } else {
        sleep 3;    # slow down guessing on failure
        return "false";
    }
}

1;


---cut here---
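As an added illustration (not code from the post, from Exim or from Outlook) of the AUTH LOGIN exchange the post describes: the server sends each prompt base64-encoded after a "334", the client answers base64-encoded, and the prompts must decode to exactly "Username:" and "Password:". The credential table is a constructed stand-in for the /etc/shadow lookup, and the prompt parser assumes Exim's list convention that a doubled colon ("::") stands for a literal colon inside an item, which is the case the post's semicolon patch works around.

```python
import base64
import hashlib
import hmac
import re

def parse_prompts(server_prompts):
    """Split an Exim colon-separated server_prompts list; a doubled colon
    is a literal colon (the case the poster's semicolon patch works around)."""
    parts = re.split(r"(?<!:):(?!:)", server_prompts)
    return [p.strip().replace("::", ":") for p in parts if p.strip()]

# Constructed stand-in for the /etc/shadow lookup: username -> (salt, digest).
# Uses salted SHA-256 here, not the MD5-crypt the Perl version checks.
def _digest(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {"bill": ("s4lt", _digest("s4lt", "correct horse"))}

def check_credentials(username, password):
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_digest(salt, password), digest)

def login_exchange(server_prompts, client_replies, verify=check_credentials):
    """Server side of SMTP AUTH LOGIN: each prompt is sent base64-encoded
    after '334'; each client reply arrives base64-encoded.
    Returns (transcript, accepted)."""
    prompts = parse_prompts(server_prompts)
    transcript, answers = ["C: AUTH LOGIN"], []
    for prompt, reply in zip(prompts, client_replies):
        transcript.append("S: 334 " + base64.b64encode(prompt.encode()).decode())
        transcript.append("C: " + reply)
        try:
            answers.append(base64.b64decode(reply, validate=True).decode())
        except (ValueError, UnicodeDecodeError):
            transcript.append("S: 501 Invalid base64 data")
            return transcript, False
    ok = len(answers) == len(prompts) == 2 and verify(*answers)
    transcript.append("S: 235 Authentication succeeded" if ok
                      else "S: 535 Incorrect authentication data")
    return transcript, ok

def b64(text):
    """Encode a client reply the way a mail client would."""
    return base64.b64encode(text.encode()).decode()
```

With single colons, "Username: : Password:" parses to prompts without the trailing colons, which is exactly why the stock separator gave Outlook the wrong prompt text.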