Re: [exim] SPA Authenticator: using @ in Outlook username do…

Inizio della pagina
Delete this message
Reply to this message
Autore: Jeremy Harris
Data:  
To: exim-users
Oggetto: Re: [exim] SPA Authenticator: using @ in Outlook username does not work
On 29/07/2021 22:39, Jan Catrysse via Exim-users wrote:
> I am having some issues using a username@??? kind of username in
> Outlook and the Exim SPA authenticator.
>
> It seems the domain part is stripped from the username and so I cannot
> authenticate properly.
>
> Is this a known problem? Can I fix this issue in any way?
>
> On debug I find that a username like: username+domain.tld is passed
> completely to the exim $auth1 variable, but with the @ in place I only get
> the username part without the domain.
>
> I have to consider that I am using the same username for Dovecot, so I
> cannot just change my query to replace @ with something else.
>
> Authenticator config:
> SPA:
>    driver = spa
>    public_name = NTLM
>    server_password = ${lookup mysql{SELECT `password` FROM `users` WHERE
> CONCAT_WS('@', `username`, `domain`) =
> '${quote_mysql:$auth1}';}{$value}{fail}}
>    server_set_id = $auth1
>    server_debug_print = "Running SPA auth: $auth1"

>
> Thank you,
> Jan
>
>


The server-side spa code only writes $auth1 in one place, before
the call to evaluate the server_password. Since you're doing a
lookup, the use there should be visible in debug.

I assume it's wrong at that time.

The value being used appears to derive from data sent by the
client in response to a challenge from the server. There's enogh
code munging it I can't swear it won't fall over on an '@' -
but I don't see one mentioned explicitly.

Are you certain that the full string is being supplied by the client?

The docs chapter mentions that the domain is optional, so I could
imaging it being treated as a separate item. Unfortunately, it also
only describes $auth1 as getting the user name; no mention of the
domain around the same place.

Hmm. A relevant data structure does have separate fields "uUser" and "uDomain" -
and the server-side code doesn't use it. The client-side code does.
OK, this has likely never worked. For now, you're out of luck with SPA.

--
Cheers,
Jeremy