[exim-dev] patch: src/auths/spa.c fix for cancelled AUTH NTL…

Top Page
Delete this message
Reply to this message
Author: Kurt Jaeger
Date:  
To: exim-dev
Subject: [exim-dev] patch: src/auths/spa.c fix for cancelled AUTH NTLM
Hi!

While debugging AUTH NTLM against Outlook 2010, I found
that in http://tools.ietf.org/html/rfc2554, section 4 it says
that if the client sends "*" as the answer to a NTLM CHALLENGE,
the AUTH should be cancelled (SMTP 501), not fail (SMTP 535).

At

http://opsec.eu/src/exim-ntlm/patch-spa.c

is a small patch which hopefully does the right thing.

For those interested in AUTH NTLM ('SPA' in Microsoft lingo),
here's what I found:

if exim offers AUTH NTLM, this happens:

  o exim sends a "334 NTLM supported"
  o Outlook 2010 as a client sends some base64
    which is a NLMP NEGOTIATE blob, described in
    http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-NLMP%5D.pdf
    page 15ff
  o exim answers with a NLMP CHALLENGE blob, described in the same
    document, page 19ff.
  o and Outlook 2010 says "no thanks", probably due to some of the
    fields filled in some non-microsofty-way.


This is the reason SPA no longer works. One has to debug the contents
of the blob.

Have a look at a few lines of perl in

http://opsec.eu/src/exim-ntlm/ntlm-decode

for a quick jump into this (far from complete).

-- 
pi@???            +49 171 3101372                        10 years to go !