Re: [exim] NTLM problems

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Steffen Heil
CC: exim-users
Subject: Re: [exim] NTLM problems
On 2009-01-24 at 13:06 +0100, Steffen Heil wrote:
> I am having problems using a .net client and exim as smtp server trying to
> do ntlm authentication.
> The NTLM-SMTP Extension requires servers to accept two different protocol
> runs:


The problem here is that "The NTLM-SMTP Extension" has only recently had
a published specification. The document you link to has a revision
history starting July 2007, the Exim code was added in October 2004.

Exim's code was contributed and based on the Samba reverse-engineering
of what was available at the time.

Now that there's a published specification, several years after the
protocol started being used and adding to the modes used, this
authenticator code in Exim should probably be updated.

As always, patches from contributors welcome. I don't have an NTLM
environment to test in, so can't sensibly do this myself; I can however
point to what looks to be necessary.

In the src/auths/ directory, the API to use is described in the README
file. The NTLM code is in spa.c. I strongly suspect that all you need
to do is change auth_spa_server() so that where there's currently an
auth_get_no64_data() call, you wrap that in a test that data not already
have useful content.

"data" points to the rest of the text on the AUTH cmdline, so will have
any initial response. So, if that has useful data, use it, and if not,
then do the 334 call to grab from the user. If there's no initial
response then the first character pointed to will be a NUL.

So, if I'm right, it's adding one if() wrapper around one call. But
without an environment to test this in ... *shrug*

----------------------------8< cut here >8------------------------------
/* send a 334, MS Exchange style, and grab the client's request,
unless we already have it via an initial response. */

if (*data == '\0')
  if (auth_get_no64_data(&data, US"NTLM supported") != OK)
    {
    /* something borked */
    return FAIL;
    }
----------------------------8< cut here >8------------------------------


Testing and feedback welcome.

-Phil