Re: [exim-dev] [exim] NTLM problems

Author: Phil Pennock
Date:  
To: Steffen Heil, exim-dev
Subject: Re: [exim-dev] [exim] NTLM problems
Hi Steffen,

On 2009-01-24 at 17:45 -0800, Phil Pennock wrote:
> On 2009-01-24 at 13:06 +0100, Steffen Heil wrote:
> > I am having problems using a .net client and exim as smtp server trying to
> > do ntlm authentication.
> > The NTLM-SMTP Extension requires servers to accept two different protocol
> > runs:
>
> The problem here is that "The NTLM-SMTP Extension" has only recently had
> a published specification. The document you link to has a revision
> history starting July 2007, the Exim code was added in October 2004.
>
> Exim's code was contributed and based on the Samba reverse-engineering
> of what was available at the time.
>
> Now that there's a published specification, several years after the
> protocol started being used and adding to the modes used, this
> authenticator code in Exim should probably be updated.
>
> As always, patches from contributors welcome. I don't have an NTLM
> environment to test in, so can't sensibly do this myself; I can however
> point to what looks to be necessary.
>
> In the src/auths/ directory, the API to use is described in the README
> file. The NTLM code is in spa.c. I strongly suspect that all you need
> to do is change auth_spa_server() so that where there's currently an
> auth_get_no64_data() call, you wrap that in a test that data does not
> already have useful content.
>
> "data" points to the rest of the text on the AUTH cmdline, so will have
> any initial response. So, if that has useful data, use it, and if not,
> then do the 334 call to grab from the user. If there's no initial
> response then the first character pointed to will be a NUL.
>
> So, if I'm right, it's adding one if() wrapper around one call. But
> without an environment to test this in ... *shrug*
>
> ----------------------------8< cut here >8------------------------------
> /* send a 334, MS Exchange style, and grab the client's request,
> unless we already have it via an initial response. */
>
> if (*data == '\0')
>   if (auth_get_no64_data(&data, US"NTLM supported") != OK)
>     {
>     /* something borked */
>     return FAIL;
>     }
> ----------------------------8< cut here >8------------------------------
>
> Testing and feedback welcome.


Were you ever able to test if this solved your problem? Please let us
know, either way. If it fixes the problem, then this simple fix should
go into an Exim 4.70 release.

Thanks,
-Phil
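
The two protocol runs discussed in this thread, as an added stand-alone sketch (not Exim's code and not part of the original mail). prompt_client() is a hypothetical stand-in for auth_get_no64_data(), the client reply is a constructed sample, and the command line is assumed to have had its CRLF stripped.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: base64 of "NTLMSSP\0" plus message type 1, truncated. */
static const char *SAMPLE_NEGOTIATE = "TlRMTVNTUAABAAAA";
static int prompts_sent = 0;   /* counts 334 continuation prompts issued */

/* Hypothetical stand-in for "send 334 <text>, read the client's reply". */
static int prompt_client(const char **data, const char *text)
{
    (void)text;
    prompts_sent++;
    *data = SAMPLE_NEGOTIATE;
    return 0;
}

/* Return the text after "AUTH NTLM" ("" when there is no initial response),
   or NULL when the line is not an AUTH NTLM command at all. */
static const char *auth_initial_response(const char *line)
{
    static const char prefix[] = "AUTH NTLM";
    size_t n = sizeof prefix - 1;
    if (strncasecmp(line, prefix, n) != 0) return NULL;
    const char *p = line + n;
    if (*p != '\0' && *p != ' ') return NULL;   /* e.g. "AUTH NTLMX" */
    while (*p == ' ') p++;
    return p;
}

/* Obtain the client's first NTLM message for either protocol run. */
static const char *get_negotiate(const char *line)
{
    const char *data = auth_initial_response(line);
    if (data == NULL) return NULL;
    if (*data == '\0')                          /* run 1: bare "AUTH NTLM" */
        if (prompt_client(&data, "NTLM supported") != 0)
            return NULL;
    return data;                                /* run 2: initial response */
}

int main(void)
{
    const char *lines[] = { "AUTH NTLM", "AUTH NTLM TlRMTVNTUAABAAAA" };
    for (int i = 0; i < 2; i++) {
        prompts_sent = 0;
        const char *msg = get_negotiate(lines[i]);
        printf("%-28s -> %s (334 prompts: %d)\n", lines[i], msg, prompts_sent);
    }
    return 0;
}
```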