Outlook 2007 SPA authentication problem solved (NTLM plugin bug)
CHCNET Consulting
office at chcnet.net
Sun May 4 12:30:25 EDT 2008
Hi Jorge,
I guess this is up to the cyrus-sasl maintainers to decide, whether
they want to incorporate my changes into their code. For Gentoo I have
a preliminary ebuild available that uses this patch. For Debian this
hasn't been done yet.
kind regards
Christoph
Jorge Bastos wrote:
> Will this be uploaded to the main stream?
> And further to the debian packages?
>
> Jorge
>
>
>
>> -----Original Message-----
>> From: cyrus-sasl-bounces at lists.andrew.cmu.edu [mailto:cyrus-sasl-
>> bounces at lists.andrew.cmu.edu] On Behalf Of CHCNET Consulting
>> Sent: domingo, 4 de Maio de 2008 12:11
>> To: cyrus-sasl at lists.andrew.cmu.edu
>> Subject: Outlook 2007 SPA authentication problem solved (NTLM plugin bug)
>>
>> Hi list,
>>
>> I've patched the ntlm plugin to also support Outlook 2007, which uses a
>> slightly different approach to authenticate. All Outlook versions prior
>> to 2007 use a two-stage method: first they try to authenticate with the
>> username and Windows domain instead of the mail domain (which of course
>> doesn't work, unless we have user@NTDOMAIN in our sasldb). Outlook 2007
>> changed this method to username@maildomain.com, i.e. the NTLM auth is
>> sent with username and client domain, where the client domain is finally
>> correctly our email domain!
>>
>> But this needs a change in the sasl ntlm plugin, otherwise you never get
>> the client domain into your checks, but only username@mailserver:
>>
>> (apply this patch with the patch utility)
>>
>> ---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------
>> diff -urNp cyrus-sasl-2.1.22/plugins/ntlm.c
>> cyrus-sasl-2.1.22-patch/plugins/ntlm.c
>> --- cyrus-sasl-2.1.22/plugins/ntlm.c 2005-07-07 18:10:14.000000000
>> +0200
>> +++ cyrus-sasl-2.1.22-patch/plugins/ntlm.c 2008-05-04
>> 14:56:54.000000000 +0200
>> @@ -1525,14 +1525,46 @@ static int ntlm_server_mech_step2(server
>> struct propval auxprop_values[2];
>> unsigned char hash[NTLM_HASH_LENGTH];
>> unsigned char resp[NTLM_RESP_LENGTH];
>> +
>> + unsigned char *combined_username = NULL;
>>
>> /* fetch user's password */
>> result = sparams->utils->prop_request(sparams->propctx,
>> password_request);
>> if (result != SASL_OK) goto cleanup;
>>
>> - /* this will trigger the getting of the aux properties */
>> - result = sparams->canon_user(sparams->utils->conn, authid,
>> authid_len,
>> +
>> ///////////////////////////////////////////////////////////////////
>> + // patch by office at chcnet.net
>> + // rights: GPL
>> + // older pop3, imap, smtp ntlm clients are sending first
>> + // client-user: usernamex
>> + // client-domain: NTDOMAIN/WORKGROUP
>> + // and if thats denied by us, they retry with
>> + // client-user: user at realdomainname.tld
>> + // without a client domain
>> + // outlook 2007 changed that behaviour to support properly
>> + // also other mail servers. They are thus sending already
>> (hurray!)
>> + // as the first try: client-user: username
>> + // and as client domain: the users emaildomain
>> +
>> ///////////////////////////////////////////////////////////////////
>> + if (domain) {
>> + // to match the outlook 2007 method
>> + combined_username = sparams->utils->malloc(authid_len +
>> domain_len + 1);
>> + if (combined_username == NULL) {
>> + MEMERROR(sparams->utils);
>> + return SASL_NOMEM;
>> + }
>> + sprintf(combined_username, "%s@%s", authid, domain);
>> + result = sparams->canon_user(sparams->utils->conn,
>> combined_username, strlen(combined_username),
>> SASL_CU_AUTHID | SASL_CU_AUTHZID,
>> oparams);
>> + sparams->utils->free(combined_username);
>> + }
>> + else {
>> + // use old method (ignore the first try and match the
>> second
>> + result = sparams->canon_user(sparams->utils->conn, authid,
>> authid_len,
>> + SASL_CU_AUTHID | SASL_CU_AUTHZID,
>> oparams);
>> + }
>> +
>> + /* this will trigger the getting of the aux properties */
>> if (result != SASL_OK) goto cleanup;
>>
>> result = sparams->utils->prop_getnames(sparams->propctx,
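Review bot: the buffer allocated in this hunk is one byte too small for the string written into it. `combined_username = sparams->utils->malloc(authid_len + domain_len + 1)` reserves room for the two strings plus a NUL, but the format `"%s@%s"` also emits the `@` separator, so `sprintf` writes the terminating NUL one byte past the allocation on every Outlook 2007 login; the size should be `authid_len + domain_len + 2`. In addition, `%s` assumes `authid` and `domain` are NUL-terminated, while the surrounding code carries explicit `authid_len` and `domain_len`, which suggests they are length-delimited slices of the client's message; `snprintf(combined_username, size, "%.*s@%.*s", (int)authid_len, authid, (int)domain_len, domain)` honours those lengths and bounds the write. Smaller points: `combined_username` is declared `unsigned char *` but passed to `sprintf` and `strlen`, which take `char *`; the comment `// use old method (ignore the first try and match the second` is missing its closing parenthesis; and the moved comment `/* this will trigger the getting of the aux properties */` now sits after the `canon_user` call it describes rather than before it.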
>> ---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------
>>
>> kind regards,
>> Christoph Christ
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>
>
>
>
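The identity mapping described in the quoted message, as an added example that is not part of the original post or of the cyrus-sasl plugin: it builds the `user@domain` lookup key the way the patch intends, but sizes the buffer for the `@` separator and the NUL and treats the client-supplied `authid`/`domain` as length-delimited slices rather than NUL-terminated strings. The function names, the plain `malloc`/`free` in place of the plugin's `sparams->utils` allocators, and the tiny `provisioned[]` table standing in for sasldb are all assumptions made for this example.

```c
/* Added example (not the plugin's code): build the NTLM lookup identity
 * from length-delimited client fields, sized and bounded correctly. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for "authid@domain\0" (or "authid\0" when there is no
 * domain). Returns 0 when the lengths would overflow size_t. */
size_t ntlm_identity_size(size_t authid_len, size_t domain_len)
{
    if (domain_len == 0) return authid_len + 1;            /* + NUL */
    if (authid_len > SIZE_MAX - domain_len - 2) return 0;  /* overflow guard */
    return authid_len + domain_len + 2;                    /* + '@' + NUL */
}

/* Returns a freshly malloc'd, NUL-terminated identity, or NULL on bad input
 * or allocation failure. The caller frees it. authid and domain are slices
 * of the client's NTLM message and are NOT assumed to be NUL-terminated. */
char *ntlm_build_identity(const unsigned char *authid, size_t authid_len,
                          const unsigned char *domain, size_t domain_len)
{
    size_t need;
    char *out;

    if (authid == NULL) return NULL;
    if (domain == NULL) domain_len = 0;
    /* %.*s takes an int precision, so refuse lengths that would not fit */
    if (authid_len > INT_MAX || domain_len > INT_MAX) return NULL;

    need = ntlm_identity_size(authid_len, domain_len);
    if (need == 0) return NULL;
    out = malloc(need);
    if (out == NULL) return NULL;

    if (domain_len == 0) {
        /* pre-2007 second attempt: authid is already user@maildomain */
        memcpy(out, authid, authid_len);
        out[authid_len] = '\0';
    } else {
        /* Outlook 2007 style: user in authid, mail domain in domain.
         * %.*s honours the explicit lengths instead of scanning for NUL. */
        snprintf(out, need, "%.*s@%.*s", (int)authid_len, (const char *)authid,
                 (int)domain_len, (const char *)domain);
    }
    return out;
}

/* Constructed stand-in for sasldb: the only provisioned identity. */
static const char *const provisioned[] = { "alice@example.com", NULL };

/* One authentication attempt: map the client fields to an identity and
 * check it against the provisioned table. Returns 1 on a match, else 0. */
int ntlm_attempt(const unsigned char *authid, size_t authid_len,
                 const unsigned char *domain, size_t domain_len)
{
    char *id = ntlm_build_identity(authid, authid_len, domain, domain_len);
    int found = 0;
    size_t i;

    if (id == NULL) return 0;
    for (i = 0; provisioned[i] != NULL; i++)
        if (strcmp(id, provisioned[i]) == 0) found = 1;
    free(id);
    return found;
}

int main(void)
{
    /* Constructed client fields: the old two-stage sequence and the
     * Outlook 2007 single attempt described in the message. The trailing
     * "JUNK" shows that only the stated lengths are used. */
    const unsigned char *user = (const unsigned char *)"aliceJUNK";
    const unsigned char *ntdom = (const unsigned char *)"NTDOMAIN";
    const unsigned char *full = (const unsigned char *)"alice@example.com";
    const unsigned char *mdom = (const unsigned char *)"example.comJUNK";

    printf("old client, 1st try (alice / NTDOMAIN): %d\n",
           ntlm_attempt(user, 5, ntdom, 8));
    printf("old client, 2nd try (alice@example.com): %d\n",
           ntlm_attempt(full, 17, NULL, 0));
    printf("Outlook 2007 (alice / example.com):     %d\n",
           ntlm_attempt(user, 5, mdom, 11));
    return 0;
}
```

The point the sizes make: `ntlm_identity_size(5, 11)` is 18, one more than the `authid_len + domain_len + 1` the patch allocates for the 17-character `alice@example.com`, and `%.*s` keeps a client that omits a NUL from driving `sprintf` past the end of its fields.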