Outlook 2007 SPA authentication problem solved (NTLM plugin bug)

CHCNET Consulting office at chcnet.net
Sun May 4 07:10:43 EDT 2008


Hi list,

I've patched the ntlm plugin to also support Outlook 2007, which uses a 
slightly different approach to authenticate. All Outlook versions prior 
to 2007 use a two-stage method: first they try to authenticate with 
the username and Windows domain instead of the mail domain (which of 
course doesn't work, unless we have user@NTDOMAIN in our sasldb). Outlook 
2007 changed this method to username@maildomain.com, i.e. the NTLM auth 
is sent with username and client domain, where the client domain is finally 
correctly our email domain!

But this needs a change in the sasl ntlm plugin, otherwise you never get 
the client domain into your checks, but only username@mailserver:

(apply this patch with the patch utility)

---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------
diff -urNp cyrus-sasl-2.1.22/plugins/ntlm.c 
cyrus-sasl-2.1.22-patch/plugins/ntlm.c
--- cyrus-sasl-2.1.22/plugins/ntlm.c    2005-07-07 18:10:14.000000000 +0200
+++ cyrus-sasl-2.1.22-patch/plugins/ntlm.c      2008-05-04 
14:56:54.000000000 +0200
@@ -1525,14 +1525,46 @@ static int ntlm_server_mech_step2(server
        struct propval auxprop_values[2];
        unsigned char hash[NTLM_HASH_LENGTH];
        unsigned char resp[NTLM_RESP_LENGTH];
+
+       unsigned char *combined_username = NULL;

        /* fetch user's password */
        result = sparams->utils->prop_request(sparams->propctx, 
password_request);
        if (result != SASL_OK) goto cleanup;

-       /* this will trigger the getting of the aux properties */
-       result = sparams->canon_user(sparams->utils->conn, authid, 
authid_len,
+       ///////////////////////////////////////////////////////////////////
+       // patch by office at chcnet.net
+       // rights: GPL
+       // older pop3, imap, smtp ntlm clients are sending first
+       // client-user: usernamex
+       // client-domain: NTDOMAIN/WORKGROUP
+       // and if thats denied by us, they retry with
+       // client-user: user at realdomainname.tld
+       // without a client domain
+       // outlook 2007 changed that behaviour to support properly
+       // also other mail servers. They are thus sending already (hurray!)
+       // as the first try: client-user: username
+       // and as client domain: the users emaildomain
+       ///////////////////////////////////////////////////////////////////
+       if (domain) {
+           // to match the outlook 2007 method
+           combined_username = sparams->utils->malloc(authid_len + 
domain_len + 1);
+           if (combined_username == NULL) {
+               MEMERROR(sparams->utils);
+               return SASL_NOMEM;
+           }
+           sprintf(combined_username, "%s@%s", authid, domain);
+           result = sparams->canon_user(sparams->utils->conn, 
combined_username, strlen(combined_username),
                                     SASL_CU_AUTHID | SASL_CU_AUTHZID, 
oparams);
+           sparams->utils->free(combined_username);
+       }
+       else {
+           // use old method (ignore the first try and match the second
+           result = sparams->canon_user(sparams->utils->conn, authid, 
authid_len,
+                                    SASL_CU_AUTHID | SASL_CU_AUTHZID, 
oparams);
+       }
+
+       /* this will trigger the getting of the aux properties */
        if (result != SASL_OK) goto cleanup;

        result = sparams->utils->prop_getnames(sparams->propctx,
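Review bot: the buffer allocated in the `if (domain)` branch is one byte too small. `malloc(authid_len + domain_len + 1)` has room for the two strings plus either the '@' or the terminating NUL, but `sprintf(combined_username, "%s@%s", authid, domain)` writes both, so the copy runs one byte past the heap allocation with lengths taken from the client's NTLM message. Allocate `authid_len + domain_len + 2` and format with a bounded call such as snprintf using that size. On allocation failure the branch does `return SASL_NOMEM` while the neighbouring error paths use `goto cleanup`; setting `result = SASL_NOMEM` and jumping to `cleanup` would keep the function's single exit path. `combined_username` is also declared `unsigned char *` but passed to sprintf and strlen, which take `char *`; declaring it `char *` avoids the pointer-sign mismatch. Finally, the comment "this will trigger the getting of the aux properties" now sits after both canon_user calls instead of before them and should move back above the `if (domain)` block.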
---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------

kind regards,
Christoph Christ

