Author: jan.catrysse
Date:
To: 'Exim-users'
Subject: Re: [exim] SPA Authenticator: using @ in Outlook username does not work
On 2021-07-30 14:39, Jeremy Harris wrote:
> The server-side spa code only writes $auth1 in one place, before
> the call to evaluate the server_password. Since you're doing a
> lookup, the use there should be visible in debug.
>
> I assume it's wrong at that time.
Yes, indeed. The $auth1 only has the "user" part and not the "domain" part
in it.
> The value being used appears to derive from data sent by the
> client in response to a challenge from the server. There's enough
> code munging it I can't swear it won't fall over on an '@' -
> but I don't see one mentioned explicitly.
>
> Are you certain that the full string is being supplied by the client?
No, I am not sure and I am not sure how I can verify this. But I am under
the impression it has something to do with the "optional" domain part not
being used correctly.
> The docs chapter mentions that the domain is optional, so I could
> imagine it being treated as a separate item. Unfortunately, it also
> only describes $auth1 as getting the user name; no mention of the
> domain around the same place.
>
> Hmm. A relevant data structure does have separate fields "uUser" and "uDomain" -
> and the server-side code doesn't use it. The client-side code does.
> OK, this has likely never worked. For now, you're out of luck with SPA.
That seems a logical explanation.
> --
> Cheers,
> Jeremy