Outlook 2007 SPA authentication problem solved (NTLM plugin bug)

CHCNET Consulting office at chcnet.net
Sun May 4 12:30:25 EDT 2008


Hi Jorge,

I guess this is up to the cyrus-sasl maintainers to decide whether
they want to incorporate my changes into their code. For Gentoo I have
a preliminary ebuild available that uses this patch. For Debian this
hasn't been done yet.

kind regards
Christoph

Jorge Bastos schrieb:
> Will this be uploaded to the main stream?
> And further to the debian packages?
>
> Jorge
>
>> -----Original Message-----
>> From: cyrus-sasl-bounces at lists.andrew.cmu.edu [mailto:cyrus-sasl-
>> bounces at lists.andrew.cmu.edu] On Behalf Of CHCNET Consulting
>> Sent: Sunday, 4 May 2008 12:11
>> To: cyrus-sasl at lists.andrew.cmu.edu
>> Subject: Outlook 2007 SPA authentication problem solved (NTLM plugin bug)
>>
>> Hi list,
>>
>> I've patched the ntlm plugin to also support Outlook 2007, which uses a
>> slightly different approach to authenticate. All Outlook versions prior
>> to 2007 use a two-stage method: first they try to authenticate with
>> the username and Windows domain instead of the mail domain (which of
>> course doesn't work, unless we have user at NTDOMAIN in our sasldb).
>> Outlook 2007 changed this method to username at maildomain.com, i.e. the
>> NTLM auth is sent with username and client domain, where the client
>> domain is finally, correctly, our email domain!
>>
>> But this needs a change in the sasl ntlm plugin, otherwise you never get
>> the client domain into your checks, but only username at mailserver:
>>
>> (apply this patch with the patch utility)
>>
>> ---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------
>> diff -urNp cyrus-sasl-2.1.22/plugins/ntlm.c
>> cyrus-sasl-2.1.22-patch/plugins/ntlm.c
>> --- cyrus-sasl-2.1.22/plugins/ntlm.c    2005-07-07 18:10:14.000000000
>> +0200
>> +++ cyrus-sasl-2.1.22-patch/plugins/ntlm.c      2008-05-04
>> 14:56:54.000000000 +0200
>> @@ -1525,14 +1525,46 @@ static int ntlm_server_mech_step2(server
>>         struct propval auxprop_values[2];
>>         unsigned char hash[NTLM_HASH_LENGTH];
>>         unsigned char resp[NTLM_RESP_LENGTH];
>> +
>> +       unsigned char *combined_username = NULL;
>>
>>         /* fetch user's password */
>>         result = sparams->utils->prop_request(sparams->propctx,
>> password_request);
>>         if (result != SASL_OK) goto cleanup;
>>
>> -       /* this will trigger the getting of the aux properties */
>> -       result = sparams->canon_user(sparams->utils->conn, authid,
>> authid_len,
>> +
>> ///////////////////////////////////////////////////////////////////
>> +       // patch by office at chcnet.net
>> +       // rights: GPL
>> +       // older pop3, imap, smtp ntlm clients are sending first
>> +       // client-user: usernamex
>> +       // client-domain: NTDOMAIN/WORKGROUP
>> +       // and if thats denied by us, they retry with
>> +       // client-user: user at realdomainname.tld
>> +       // without a client domain
>> +       // outlook 2007 changed that behaviour to support properly
>> +       // also other mail servers. They are thus sending already
>> (hurray!)
>> +       // as the first try: client-user: username
>> +       // and as client domain: the users emaildomain
>> +
>> ///////////////////////////////////////////////////////////////////
>> +       if (domain) {
>> +           // to match the outlook 2007 method
>> +           combined_username = sparams->utils->malloc(authid_len +
>> domain_len + 1);
>> +           if (combined_username == NULL) {
>> +               MEMERROR(sparams->utils);
>> +               return SASL_NOMEM;
>> +           }
>> +           sprintf(combined_username, "%s@%s", authid, domain);
>> +           result = sparams->canon_user(sparams->utils->conn,
>> combined_username, strlen(combined_username),
>>                                      SASL_CU_AUTHID | SASL_CU_AUTHZID,
>> oparams);
>> +           sparams->utils->free(combined_username);
>> +       }
>> +       else {
>> +           // use old method (ignore the first try and match the
>> second
>> +           result = sparams->canon_user(sparams->utils->conn, authid,
>> authid_len,
>> +                                    SASL_CU_AUTHID | SASL_CU_AUTHZID,
>> oparams);
>> +       }
>> +
>> +       /* this will trigger the getting of the aux properties */
>>         if (result != SASL_OK) goto cleanup;
>>
>>         result = sparams->utils->prop_getnames(sparams->propctx,
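Review bot: The combined_username buffer is one byte too small: `malloc(authid_len + domain_len + 1)` leaves room for the two strings and the NUL but not for the '@' that `sprintf(combined_username, "%s@%s", authid, domain)` writes, so the call overruns the allocation by one byte; allocate authid_len + domain_len + 2 and use snprintf with that size (sprintf into an unsigned char * also needs a cast). The `%s` conversions further assume authid and domain are NUL-terminated, while the original call passed authid together with an explicit authid_len; copying both pieces by length with memcpy removes that dependency. The `return SASL_NOMEM` on allocation failure bypasses the function's cleanup label that the neighbouring `goto cleanup` paths use. Minor: the comment `/* this will trigger the getting of the aux properties */` now sits after the canon_user call it describes, and the else-branch comment is missing its closing parenthesis.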
>> ---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------
>>
>> kind regards,
>> Christoph Christ
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.


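As an added example (not the patch's code and not cyrus-sasl's), here is a length-counted way to build the username@client-domain login name the message describes, with the allocation sized for both the '@' and the terminating NUL; the function names are assumptions:

```c
/* Added example, not part of the patch above or of cyrus-sasl: builds the
 * "authid@domain" string the patch constructs, but sizes the buffer
 * correctly and copies by length instead of trusting NUL termination.
 * Function names are hypothetical; no SASL API is used. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bytes needed for "authid@domain" plus the terminating NUL. The patch's
 * authid_len + domain_len + 1 has no room for '@', so its sprintf writes
 * one byte past the end of the allocation. */
size_t combined_username_size(size_t authid_len, size_t domain_len)
{
    return authid_len + 1 + domain_len + 1;
}

/* Build "authid@domain" from length-counted (possibly non-NUL-terminated)
 * inputs. Returns a malloc'd NUL-terminated string, or NULL on error. */
char *build_login_name(const char *authid, size_t authid_len,
                       const char *domain, size_t domain_len)
{
    char *out;
    if (authid == NULL || authid_len == 0) return NULL;
    if (domain == NULL || domain_len == 0) {
        /* No client domain (pre-2007 behaviour): use the bare authid */
        out = malloc(authid_len + 1);
        if (out == NULL) return NULL;
        memcpy(out, authid, authid_len);
        out[authid_len] = '\0';
        return out;
    }
    size_t need = combined_username_size(authid_len, domain_len);
    out = malloc(need);
    if (out == NULL) return NULL;
    memcpy(out, authid, authid_len);
    out[authid_len] = '@';
    memcpy(out + authid_len + 1, domain, domain_len);
    out[need - 1] = '\0';
    return out;
}
int main(void)
{
    /* Constructed sample: Outlook 2007 sends user and mail domain apart */
    char *name = build_login_name("alice", 5, "example.com", 11);
    if (name == NULL) return 1;
    printf("%s needs %zu bytes\n", name, combined_username_size(5, 11));
    free(name);
    return 0;
}
```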