Outlook 2007 SPA authentication problem solved (NTLM plugin bug)

Jorge Bastos mysql.jorge at decimal.pt
Sun May 4 09:07:35 EDT 2008


Will this be uploaded to the main stream?
And further to the Debian packages?

Jorge


> -----Original Message-----
> From: cyrus-sasl-bounces at lists.andrew.cmu.edu [mailto:cyrus-sasl-
> bounces at lists.andrew.cmu.edu] On Behalf Of CHCNET Consulting
> Sent: domingo, 4 de Maio de 2008 12:11
> To: cyrus-sasl at lists.andrew.cmu.edu
> Subject: Outlook 2007 SPA authentication problem solved (NTLM plugin bug)
> 
> Hi list,
> 
> I've patched the ntlm plugin to also support Outlook 2007, which uses a
> slightly different approach to authenticate. All Outlook versions prior
> to 2007 use a two-stage method: first they try to authenticate with
> the username and Windows domain instead of the mail domain (which of
> course doesn't work, unless we have user at NTDOMAIN in our sasldb).
> Outlook 2007 changed this method to username at maildomain.com, i.e. the
> NTLM auth is sent with the username and client domain, where the client
> domain is finally, correctly, our email domain!
> 
> But this needs a change in the sasl ntlm plugin, otherwise you never
> get the client domain into your checks, but only username at mailserver:
> 
> (apply this patch with the patch utility)
> 
> ---------- CUT HERE ------------ CUT HERE ------------ CUT HERE
> ------------------
> diff -urNp cyrus-sasl-2.1.22/plugins/ntlm.c
> cyrus-sasl-2.1.22-patch/plugins/ntlm.c
> --- cyrus-sasl-2.1.22/plugins/ntlm.c    2005-07-07 18:10:14.000000000
> +0200
> +++ cyrus-sasl-2.1.22-patch/plugins/ntlm.c      2008-05-04
> 14:56:54.000000000 +0200
> @@ -1525,14 +1525,46 @@ static int ntlm_server_mech_step2(server
>         struct propval auxprop_values[2];
>         unsigned char hash[NTLM_HASH_LENGTH];
>         unsigned char resp[NTLM_RESP_LENGTH];
> +
> +       unsigned char *combined_username = NULL;
> 
>         /* fetch user's password */
>         result = sparams->utils->prop_request(sparams->propctx,
> password_request);
>         if (result != SASL_OK) goto cleanup;
> 
> -       /* this will trigger the getting of the aux properties */
> -       result = sparams->canon_user(sparams->utils->conn, authid,
> authid_len,
> +
> ///////////////////////////////////////////////////////////////////
> +       // patch by office at chcnet.net
> +       // rights: GPL
> +       // older pop3, imap, smtp ntlm clients are sending first
> +       // client-user: usernamex
> +       // client-domain: NTDOMAIN/WORKGROUP
> +       // and if thats denied by us, they retry with
> +       // client-user: user at realdomainname.tld
> +       // without a client domain
> +       // outlook 2007 changed that behaviour to support properly
> +       // also other mail servers. They are thus sending already
> (hurray!)
> +       // as the first try: client-user: username
> +       // and as client domain: the users emaildomain
> +
> ///////////////////////////////////////////////////////////////////
> +       if (domain) {
> +           // to match the outlook 2007 method
> +           combined_username = sparams->utils->malloc(authid_len +
> domain_len + 1);
> +           if (combined_username == NULL) {
> +               MEMERROR(sparams->utils);
> +               return SASL_NOMEM;
> +           }
> +           sprintf(combined_username, "%s@%s", authid, domain);
> +           result = sparams->canon_user(sparams->utils->conn,
> combined_username, strlen(combined_username),
>                                      SASL_CU_AUTHID | SASL_CU_AUTHZID,
> oparams);
> +           sparams->utils->free(combined_username);
> +       }
> +       else {
> +           // use old method (ignore the first try and match the
> second
> +           result = sparams->canon_user(sparams->utils->conn, authid,
> authid_len,
> +                                    SASL_CU_AUTHID | SASL_CU_AUTHZID,
> oparams);
> +       }
> +
> +       /* this will trigger the getting of the aux properties */
>         if (result != SASL_OK) goto cleanup;
> 
>         result = sparams->utils->prop_getnames(sparams->propctx,
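Review bot: the allocation `combined_username = sparams->utils->malloc(authid_len + domain_len + 1);` is one byte short for the `sprintf(combined_username, "%s@%s", authid, domain);` that follows: the '@' and the terminating NUL together need two extra bytes, so the write runs one byte past the buffer. Size it as `authid_len + domain_len + 2`, or better, build the string with memcpy from the explicit `authid_len` and `domain_len` (and pass the buffer size to snprintf), which also removes the reliance on `authid` and `domain` being NUL-terminated; `combined_username` is declared `unsigned char *` while sprintf expects `char *`, so a cast is needed there as well. Two smaller points: `return SASL_NOMEM;` on allocation failure bypasses the `goto cleanup;` pattern used on the neighbouring `if (result != SASL_OK) goto cleanup;` lines (prefer `result = SASL_NOMEM; goto cleanup;`), and the moved comment `/* this will trigger the getting of the aux properties */` now sits after the canon_user call it describes, while `// use old method (ignore the first try and match the` is missing its closing parenthesis.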
> ---------- CUT HERE ------------ CUT HERE ------------ CUT HERE
> ------------------
> 
> kind regards,
> Christoph Christ
> 
> 
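As an added example (not part of the posted patch or of the cyrus-sasl plugin), here is the same combined-identity construction written with explicit lengths, so the buffer is sized for the '@' and the terminating NUL and the NTLM user and domain fields need not be NUL-terminated. The function names and the sample user and domain values are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for "authid@domain" plus the terminating NUL.
 * The posted patch allocated authid_len + domain_len + 1, which leaves no
 * room for the NUL once the '@' has been written; the correct count is +2. */
size_t ntlm_combined_size(size_t authid_len, size_t domain_len)
{
    return authid_len + domain_len + 2;
}

/* Build the identity to hand to canon_user():
 *   "authid@domain" when the client sent a domain (Outlook 2007 style),
 *   "authid" alone when it did not (the older clients' second try).
 * Inputs are length-delimited, as NTLM fields are, and need not be
 * NUL-terminated. Returns a malloc'd NUL-terminated string (caller frees),
 * or NULL on allocation failure. Hypothetical helper, not plugin code. */
char *ntlm_combine_identity(const unsigned char *authid, size_t authid_len,
                            const unsigned char *domain, size_t domain_len)
{
    size_t need = (domain_len > 0) ? ntlm_combined_size(authid_len, domain_len)
                                   : authid_len + 1;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;

    memcpy(out, authid, authid_len);
    if (domain_len > 0) {
        out[authid_len] = '@';
        memcpy(out + authid_len + 1, domain, domain_len);
        out[authid_len + 1 + domain_len] = '\0';
    } else {
        out[authid_len] = '\0';
    }
    return out;
}

int main(void)
{
    /* Constructed sample: an Outlook 2007 AUTHENTICATE message carrying user
     * "alice" and domain "example.com", and an older client's second try
     * carrying "alice@example.com" with no domain. Both yield the same identity. */
    const unsigned char user[] = "alice", dom[] = "example.com";
    char *a = ntlm_combine_identity(user, 5, dom, 11);
    char *b = ntlm_combine_identity((const unsigned char *)"alice@example.com", 17, NULL, 0);
    printf("%s\n%s\n", a ? a : "(alloc failed)", b ? b : "(alloc failed)");
    free(a);
    free(b);
    return 0;
}
```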
