Outlook 2007 SPA authentication problem solved (NTLM plugin bug)
Jorge Bastos
mysql.jorge at decimal.pt
Sun May 4 09:07:35 EDT 2008
Will this be uploaded to the mainstream?
And further to the Debian packages?
Jorge
> -----Original Message-----
> From: cyrus-sasl-bounces at lists.andrew.cmu.edu [mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu] On Behalf Of CHCNET Consulting
> Sent: Sunday, 4 May 2008 12:11
> To: cyrus-sasl at lists.andrew.cmu.edu
> Subject: Outlook 2007 SPA authentication problem solved (NTLM plugin bug)
>
> Hi list,
>
> I've patched the ntlm plugin to also support Outlook 2007, which uses a
> slightly different approach to authenticate. All Outlook versions prior
> to 2007 use a two-stage method: first they try to authenticate with the
> username and Windows domain instead of the mail domain (which of course
> doesn't work, unless we have user@NTDOMAIN in our sasldb). Outlook 2007
> changed this method to username@maildomain.com, i.e. the NTLM auth is
> sent with username and client domain, where the client domain is finally,
> correctly, our email domain!
>
> But this needs a change in the sasl ntlm plugin, otherwise you never get
> the client domain into your checks, but only username@mailserver:
>
> (apply this patch with the patch utility)
>
> ---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------
> diff -urNp cyrus-sasl-2.1.22/plugins/ntlm.c
> cyrus-sasl-2.1.22-patch/plugins/ntlm.c
> --- cyrus-sasl-2.1.22/plugins/ntlm.c 2005-07-07 18:10:14.000000000
> +0200
> +++ cyrus-sasl-2.1.22-patch/plugins/ntlm.c 2008-05-04
> 14:56:54.000000000 +0200
> @@ -1525,14 +1525,46 @@ static int ntlm_server_mech_step2(server
> struct propval auxprop_values[2];
> unsigned char hash[NTLM_HASH_LENGTH];
> unsigned char resp[NTLM_RESP_LENGTH];
> +
> + unsigned char *combined_username = NULL;
>
> /* fetch user's password */
> result = sparams->utils->prop_request(sparams->propctx,
> password_request);
> if (result != SASL_OK) goto cleanup;
>
> - /* this will trigger the getting of the aux properties */
> - result = sparams->canon_user(sparams->utils->conn, authid,
> authid_len,
> +
> ///////////////////////////////////////////////////////////////////
> + // patch by office at chcnet.net
> + // rights: GPL
> + // older pop3, imap, smtp ntlm clients are sending first
> + // client-user: usernamex
> + // client-domain: NTDOMAIN/WORKGROUP
> + // and if thats denied by us, they retry with
> + // client-user: user at realdomainname.tld
> + // without a client domain
> + // outlook 2007 changed that behaviour to support properly
> + // also other mail servers. They are thus sending already
> (hurray!)
> + // as the first try: client-user: username
> + // and as client domain: the users emaildomain
> +
> ///////////////////////////////////////////////////////////////////
> + if (domain) {
> + // to match the outlook 2007 method
> + combined_username = sparams->utils->malloc(authid_len +
> domain_len + 1);
> + if (combined_username == NULL) {
> + MEMERROR(sparams->utils);
> + return SASL_NOMEM;
> + }
> + sprintf(combined_username, "%s@%s", authid, domain);
> + result = sparams->canon_user(sparams->utils->conn,
> combined_username, strlen(combined_username),
> SASL_CU_AUTHID | SASL_CU_AUTHZID,
> oparams);
> + sparams->utils->free(combined_username);
> + }
> + else {
> + // use old method (ignore the first try and match the
> second
> + result = sparams->canon_user(sparams->utils->conn, authid,
> authid_len,
> + SASL_CU_AUTHID | SASL_CU_AUTHZID,
> oparams);
> + }
> +
> + /* this will trigger the getting of the aux properties */
> if (result != SASL_OK) goto cleanup;
>
> result = sparams->utils->prop_getnames(sparams->propctx,
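Review bot: The buffer for combined_username in this hunk is one byte too small: malloc(authid_len + domain_len + 1) holds authid, '@' and domain but not the terminating NUL that sprintf("%s@%s", authid, domain) writes, so every authentication that carries a non-empty domain writes one byte past the allocation, and both strings come straight from the client's NTLM message. Allocate authid_len + domain_len + 2 and write with snprintf of that size (or memcpy the three pieces), and take the `goto cleanup` path on SASL_NOMEM like the surrounding code does instead of a bare `return SASL_NOMEM`, so the function's cleanup still runs. Note also that domain is chosen by the client, so after this change the client selects the realm that canon_user and the auxprop lookup use; if the server is meant to serve only its own mail domain, check domain against it before building the combined name. Smaller points: combined_username is declared unsigned char * but is passed to sprintf and strlen, which take char *; the "this will trigger the getting of the aux properties" comment now sits after the canon_user calls it describes; and the "use old method (ignore the first try and match the second" comment is missing its closing parenthesis. Finally, the "rights: GPL" line will block the upstreaming asked about in the reply: Cyrus SASL is under a BSD-style licence, so a GPL-only patch cannot be merged as-is.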
> ---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------
>
> kind regards,
> Christoph Christ
>
>
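As an added example, not part of Christoph's patch or of the Cyrus SASL ntlm plugin: the two identity shapes the message describes (older clients sending user plus NT domain and then user@realm with no domain; Outlook 2007 sending user plus the mail domain as the first try) come from the domain and user fields of the client's NTLM Type 3 (AUTHENTICATE) message. The C below parses those two fields with bounds checks on the client-supplied lengths and offsets, narrows the UCS-2LE strings to ASCII, and builds the combined authid in a buffer sized for user, '@', domain and the terminating NUL, which is the sizing the patch's sprintf needs. The function names, the constructed sample-message builder and the assumption that both fields are plain ASCII are mine; NT/LM response verification is outside this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* NTLM Type 3 (AUTHENTICATE) layout: 8-byte signature, 4-byte type, then
 * (len, maxlen, offset) security buffers for LM response, NT response,
 * domain, user, workstation and session key, followed by the flags. */
#define T3_DOMAIN_FIELDS 28
#define T3_USER_FIELDS   36
#define T3_FLAGS         60
#define T3_MIN_LEN       64
#define NTLMSSP_NEGOTIATE_UNICODE 0x00000001u

static uint16_t get16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(unsigned char *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }

/* Copy one security-buffer field out of the message as a NUL-terminated string.
 * The length and offset are client-controlled, so both are checked against the
 * message size; UCS-2LE is narrowed to ASCII and anything else is rejected.
 * Returns NULL on malformed input. */
static char *get_field(const unsigned char *msg, size_t msglen, size_t fields, int unicode)
{
    uint16_t len = get16(msg + fields);
    uint32_t off = get32(msg + fields + 4);
    size_t i, n;
    char *out;
    if (off > msglen || len > msglen - off || (unicode && (len & 1))) return NULL;
    n = unicode ? len / 2 : len;
    out = malloc(n + 1);
    if (!out) return NULL;
    for (i = 0; i < n; i++) {
        unsigned char c = unicode ? msg[off + 2 * i] : msg[off + i];
        if (c >= 0x80 || (unicode && msg[off + 2 * i + 1] != 0)) { free(out); return NULL; }
        out[i] = (char)c;
    }
    out[n] = '\0';
    return out;
}

/* Extract user and domain from a Type 3 message; returns 0 on success and the
 * caller frees both strings. */
int ntlm_extract_identity(const unsigned char *msg, size_t msglen, char **user, char **domain)
{
    int unicode;
    *user = *domain = NULL;
    if (msglen < T3_MIN_LEN || memcmp(msg, "NTLMSSP", 8) != 0 || get32(msg + 8) != 3) return -1;
    unicode = (get32(msg + T3_FLAGS) & NTLMSSP_NEGOTIATE_UNICODE) != 0;
    *domain = get_field(msg, msglen, T3_DOMAIN_FIELDS, unicode);
    *user = get_field(msg, msglen, T3_USER_FIELDS, unicode);
    if (!*domain || !*user) { free(*domain); free(*user); *user = *domain = NULL; return -1; }
    return 0;
}

/* Build the authid handed to canon_user: "user@domain" when the client sent a
 * domain (the Outlook 2007 first try), otherwise the bare user (the older
 * clients' second try, which already carries user@realm). The buffer holds
 * user, '@', domain and the NUL: one byte more than authid_len + domain_len + 1. */
char *build_sasl_authid(const char *user, const char *domain)
{
    size_t ulen = strlen(user), dlen = domain ? strlen(domain) : 0;
    size_t need = ulen + (dlen ? dlen + 1 : 0) + 1;
    char *out = malloc(need);
    if (!out) return NULL;
    memcpy(out, user, ulen);
    if (dlen) { out[ulen] = '@'; memcpy(out + ulen + 1, domain, dlen); }
    out[need - 1] = '\0';
    return out;
}

/* Constructed sample (not a captured message): a Unicode Type 3 with empty
 * LM/NT responses and the domain and user placed right after the header. */
size_t make_sample_type3(unsigned char *buf, size_t bufsize, const char *user, const char *domain)
{
    size_t i, dlen = strlen(domain) * 2, ulen = strlen(user) * 2, need = T3_MIN_LEN + dlen + ulen;
    if (bufsize < need || dlen > 0xffff || ulen > 0xffff) return 0;
    memset(buf, 0, need);
    memcpy(buf, "NTLMSSP", 8);
    put32(buf + 8, 3);
    put16(buf + T3_DOMAIN_FIELDS, (uint16_t)dlen); put16(buf + T3_DOMAIN_FIELDS + 2, (uint16_t)dlen);
    put32(buf + T3_DOMAIN_FIELDS + 4, T3_MIN_LEN);
    put16(buf + T3_USER_FIELDS, (uint16_t)ulen); put16(buf + T3_USER_FIELDS + 2, (uint16_t)ulen);
    put32(buf + T3_USER_FIELDS + 4, (uint32_t)(T3_MIN_LEN + dlen));
    put32(buf + T3_FLAGS, NTLMSSP_NEGOTIATE_UNICODE);
    for (i = 0; i < dlen / 2; i++) buf[T3_MIN_LEN + 2 * i] = (unsigned char)domain[i];
    for (i = 0; i < ulen / 2; i++) buf[T3_MIN_LEN + dlen + 2 * i] = (unsigned char)user[i];
    return need;
}

/* Round trip: build a sample for (user, domain), parse it and compare the
 * resulting authid with expected. A nonzero truncate_to shortens the message
 * before parsing to exercise the bounds checks. Returns 1 on match. */
int check_identity(const char *user, const char *domain, const char *expected, size_t truncate_to)
{
    unsigned char buf[512];
    char *u, *d, *id;
    int ok;
    size_t n = make_sample_type3(buf, sizeof buf, user, domain);
    if (n == 0) return 0;
    if (truncate_to) n = truncate_to;
    if (ntlm_extract_identity(buf, n, &u, &d) != 0) return 0;
    id = build_sasl_authid(u, d);
    ok = id != NULL && strcmp(id, expected) == 0;
    free(u); free(d); free(id);
    return ok;
}
```

With a domain present the result is the Outlook 2007 form `alice@example.com`; with an empty domain the user string is passed through untouched, which is what the older clients' second try already looks like, so the sasldb lookup sees the same `user@realm` key in both cases.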