Hi!
While debugging AUTH NTLM against Outlook 2010, I found
that in
http://tools.ietf.org/html/rfc2554, section 4 it says
that if the client sends "*" as the answer to an NTLM CHALLENGE,
the AUTH should be cancelled (SMTP 501), not fail (SMTP 535).
At
http://opsec.eu/src/exim-ntlm/patch-spa.c
is a small patch which hopefully does the right thing.
For those interested in AUTH NTLM ('SPA' in Microsoft lingo),
here's what I found:
if exim offers AUTH NTLM, this happens:
o exim sends a "334 NTLM supported"
o Outlook 2010 as a client sends some base64
which is a NLMP NEGOTIATE blob, described in
http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-NLMP%5D.pdf
page 15ff
o exim answers with a NLMP CHALLENGE blob, described in the same
document, page 19ff.
o and Outlook 2010 says "no thanks", probably due to some of the
fields being filled in some non-microsofty way.
This is the reason SPA no longer works. One has to debug the contents
of the blob.
Have a look at a few lines of perl in
http://opsec.eu/src/exim-ntlm/ntlm-decode
for a quick jump into this (far from complete).
--
pi@??? +49 171 3101372 10 years to go !
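The exchange described in the post, as an added example (not exim's SPA code nor the poster's ntlm-decode script): it builds and decodes the NTLMSSP NEGOTIATE (type 1) and CHALLENGE (type 2) blobs per MS-NLMP, naming the NegotiateFlags, AV pairs and Version field that a client like Outlook may be picky about, and models the server's reply to the client's line after "334 NTLM supported", returning 501 for the "*" cancel and for undecodable base64 as RFC 2554 section 4 requires, and 535 only for a genuinely failed authentication. The sample domain, workstation and target names, the 8-byte server challenge and the fake Version (6.1 build 7601) are constructed for the demo.

```python
"""Added example: MS-NLMP NEGOTIATE/CHALLENGE codec plus RFC 2554 AUTH handling."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Subset of NegotiateFlags (MS-NLMP 2.2.2.5).
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE", 0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET", 0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL", 0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN", 0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER", 0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO", 0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128", 0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
# AV_PAIR ids in TargetInfo (MS-NLMP 2.2.2.1); 1-5 are UTF-16LE strings.
AV_IDS = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
          3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
          6: "MsvAvFlags", 7: "MsvAvTimestamp"}
# Constructed Version field: ProductMajor 6, Minor 1, build 7601, NTLMSSP_REVISION_W2K3.
FAKE_VERSION = bytes([6, 1, 0xB1, 0x1D, 0, 0, 0, 15])


def _fields(data, offset):
    """Len/MaxLen/Offset triple describing `data` placed at `offset` in the payload."""
    return struct.pack("<HHI", len(data), len(data), offset)


def _read(buf, off):
    """Follow a Len/MaxLen/Offset triple at `off` and return the referenced bytes."""
    ln, _maxlen, at = struct.unpack_from("<HHI", buf, off)
    if at + ln > len(buf):
        raise ValueError("payload field points outside the message")
    return buf[at:at + ln]


def build_negotiate(flags, domain, workstation):
    """NEGOTIATE_MESSAGE: 40-byte header, OEM domain/workstation in the payload."""
    dom, ws = domain.encode("ascii"), workstation.encode("ascii")
    return (SIGNATURE + struct.pack("<II", 1, flags) + _fields(dom, 40)
            + _fields(ws, 40 + len(dom)) + FAKE_VERSION + dom + ws)


def build_challenge(flags, target, server_challenge, av_pairs):
    """CHALLENGE_MESSAGE: 56-byte header, then TargetName and TargetInfo AV pairs."""
    tname = target.encode("utf-16-le")
    tinfo = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs) + bytes(4)  # MsvAvEOL
    return (SIGNATURE + struct.pack("<I", 2) + _fields(tname, 56) + struct.pack("<I", flags)
            + server_challenge + bytes(8) + _fields(tinfo, 56 + len(tname)) + FAKE_VERSION
            + tname + tinfo)


def decode(buf):
    """Decode a type 1 or type 2 blob into a dict with named flags, fields and version."""
    if buf[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", buf, 8)
    if mtype == 1:
        (flags,) = struct.unpack_from("<I", buf, 12)
        msg = {"type": "NEGOTIATE", "domain": _read(buf, 16).decode("ascii"),
               "workstation": _read(buf, 24).decode("ascii")}
        ver_off = 32
    elif mtype == 2:
        (flags,) = struct.unpack_from("<I", buf, 20)
        enc = "utf-16-le" if flags & 0x1 else "ascii"
        msg = {"type": "CHALLENGE", "target_name": _read(buf, 12).decode(enc),
               "server_challenge": buf[24:32].hex(), "target_info": {}}
        info, pos = _read(buf, 40), 0
        while pos + 4 <= len(info):
            av_id, av_len = struct.unpack_from("<HH", info, pos)
            if av_id == 0:
                break
            val = info[pos + 4:pos + 4 + av_len]
            msg["target_info"][AV_IDS.get(av_id, f"AvId{av_id}")] = (
                val.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5) else val.hex())
            pos += 4 + av_len
        ver_off = 48
    else:
        raise ValueError(f"unsupported MessageType {mtype}")
    msg["flags"] = sorted(name for bit, name in FLAGS.items() if flags & bit)
    if flags & 0x02000000:  # NTLMSSP_NEGOTIATE_VERSION: Version field is present
        major, minor, build = struct.unpack_from("<BBH", buf, ver_off)
        msg["version"] = f"{major}.{minor} build {build}"
    return msg


def decode_b64(line):
    return decode(base64.b64decode(line.strip(), validate=True))


def smtp_auth_server(client_line, server_challenge, target="EXAMPLE"):
    """Server reply to the client's line following '334 NTLM supported' (RFC 2554 s.4)."""
    if client_line.strip() == "*":
        return "501 Authentication cancelled"       # cancel, not failure
    try:
        msg = decode_b64(client_line)
    except (ValueError, struct.error):              # binascii.Error is a ValueError
        return "501 Invalid base64 data"
    if msg["type"] != "NEGOTIATE":
        return "535 Authentication failed"          # wrong message where type 1 is expected
    flags = 0x00000001 | 0x00000004 | 0x00000200 | 0x00010000 | 0x00800000 | 0x02000000
    av = [(2, target.encode("utf-16-le")), (1, "MAIL".encode("utf-16-le")),
          (4, "example.org".encode("utf-16-le"))]
    return "334 " + base64.b64encode(build_challenge(flags, target, server_challenge, av)).decode()


def demo():
    """Run the client NEGOTIATE -> server CHALLENGE exchange with constructed values."""
    neg = build_negotiate(0x00000207 | 0x02000000, "WORKGROUP", "PC1")  # constructed client blob
    reply = smtp_auth_server(base64.b64encode(neg).decode(), bytes(range(8)))
    return decode(neg), reply, decode_b64(reply[4:])


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Point the decoder at the real blobs from a debug session (the base64 after Outlook's line and after exim's 334) and compare the flag list, TargetInfo pairs and Version against what a Windows server emits; a missing NTLMSSP_NEGOTIATE_TARGET_INFO or an empty TargetInfo is the usual reason a modern client declines.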