Outlook 2007 SPA authentication problem solved (NTLM plugin bug)

CHCNET Consulting office at chcnet.net
Wed May 7 00:16:53 EDT 2008


Hi Gerard

Gerard schrieb:
> On Tue, 06 May 2008 12:44:38 +0200
> Sebastian Hagedorn <Hagedorn at uni-koeln.de> wrote:
>
>   
>> Hi,
>>
>> --On 4. Mai 2008 13:10:43 +0200 CHCNET Consulting <office at chcnet.net>
>> wrote:
>>
>>     
>>> I've patched the ntlm plugin, to support also Outlook 2007, which
>>> uses a slightly different approach to authenticate. All Outlook
>>> versions prior to 2007 using a two-stage method: first they try to
>>> authenticate with the username and windows domain instead of the
>>> maildomain (which of course doesn't work, unless we have in our
>>> sasdb user at NTDOMAIN). Outlook 2007 changed this method to
>>> username at maildomain.com.  I.e. the NTLM auth is sent with username
>>> and client domain, where client domain is finally correctly our
>>> email domain!
>>>       
>> I don't use Outlook or even Windows personally, so I'm a bit clueless
>> about these things, but: I run a mail server with many users that
>> have that combo. We allow NTLM among other SASL methods. So I'm
>> interested in that patch, but I'm confused. I haven't heard any
>> complaints from Outlook 2007 users so far. The reason may be that
>> they don't use NTLM, I'm not sure. There have been complaints,
>> however, from Vista users. I've been told that Vista requires NTLMv2
>> by default. I assume that the plugin only doies NTLMv1? Or is that
>> perhaps a misunderstanding?
>>     
>
>   
Outlook 2007 is wicked, because it changed the old method of NTLM 
auth... NTLM auth is used whenever you activate "Client needs secured 
authentication" in your email setup. Many users do not yet have problems 
with that, because older Outlook versions behave as anticipated by sasl 
2.1.22, so no issue at all (even with SPA activated). Whenever a user 
migrates from Outlook 2003 to 2007, e.g., his mailbox will fail without 
reason. There is even a digest-md5 authentication try, but that fails 
also. If they do not use SPA (plaintext), you have no issue at all, but 
this is very insecure unless you use TLS. So encrypted connections with 
the fancy Outlook 2007 client are only possible via NTLM.....
> That is correct, NTLMv2 is the default for Vista. There is a short
> article regarding NTLMv2 and Microsoft here:
>
> http://technet.microsoft.com/en-us/magazine/cc160954.aspx
>
>> BTW, I just checked again and found that the issue appears to be with
>> SMTP, not with IMAP.  We run sendmail with the same SASL libs, though.
>>     
If you are using realms in your configuration, you run into the problems 
that made me create the patch. As long as you are using cyrus users without a 
domain (logon name is username), you won't run into these probs (sasl 
doesn't check the windows domain against the password backend). Check your 
logfiles for similar entries (this is valid also for SMTP, because that 
is logged by the SASL NTLM plugin).

---> older outlook method 1
May 29 10:25:48 mail pop3[18419]: NTLM server step 1
May 29 10:25:48 mail pop3[18419]: client flags: ffffb207
May 29 10:25:48 mail pop3[18419]: NTLM server step 2
May 29 10:25:48 mail pop3[18419]: client user: user
May 29 10:25:48 mail pop3[18419]: client domain: WORKSTATION

older outlook method 2
May 28 20:33:10 mail pop3[18862]: NTLM server step 1
May 28 20:33:10 mail pop3[18862]: client flags: ffffb207
May 28 20:33:10 mail pop3[18862]: NTLM server step 2
May 28 20:33:10 mail pop3[18862]: client user: username at adomain.at

outlook 2007 first try
May  7 05:55:32 mail pop3[30842]: sql auxprop plugin using mysql engine
May  7 05:55:32 mail pop3[30812]: NTLM server step 1
May  7 05:55:32 mail pop3[30812]: client flags: ffff8207
May  7 05:55:32 mail pop3[30812]: NTLM server step 2
May  7 05:55:32 mail pop3[30812]: client user: office3
May  7 05:55:32 mail pop3[30812]: client domain: mydomain.at.


The third will never be found, because the client domain is not part of 
the username checks... this becomes office3 at mymail.server.com and thus 
is never matched against the backend... No matter whether you use sasldb, 
ldap, or a sql database....


>> Cheers, Sebastian
>>     
>
>   
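The log excerpts above are the practical way to tell which of the three NTLM client behaviours an Outlook install is using. The following script is an added example for triaging such logs; it is not the patch from the mail and not part of the Cyrus SASL NTLM plugin. It reads the three excerpts quoted above (pasted here as constructed sample input, with the list archive's " at " obfuscation undone), groups the "client user" / "client domain" lines per process id, and models the lookup identity exactly as the mail describes it for the unpatched plugin: the client domain is ignored and a bare user name gets the server's default realm (assumed here to be mymail.server.com, the name used in the mail) appended. Sessions where the client sent a DNS-style mail domain that the resulting lookup identity does not contain are the ones that will fail against a realm-based sasldb, LDAP or SQL backend.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the three log excerpts from the mail pasted as one
# stream. "user at domain" is the list archive's rewriting of "user@domain".
SAMPLE_LOG = """\
May 29 10:25:48 mail pop3[18419]: NTLM server step 1
May 29 10:25:48 mail pop3[18419]: client flags: ffffb207
May 29 10:25:48 mail pop3[18419]: NTLM server step 2
May 29 10:25:48 mail pop3[18419]: client user: user
May 29 10:25:48 mail pop3[18419]: client domain: WORKSTATION
May 28 20:33:10 mail pop3[18862]: NTLM server step 1
May 28 20:33:10 mail pop3[18862]: client flags: ffffb207
May 28 20:33:10 mail pop3[18862]: NTLM server step 2
May 28 20:33:10 mail pop3[18862]: client user: username at adomain.at
May  7 05:55:32 mail pop3[30842]: sql auxprop plugin using mysql engine
May  7 05:55:32 mail pop3[30812]: NTLM server step 1
May  7 05:55:32 mail pop3[30812]: client flags: ffff8207
May  7 05:55:32 mail pop3[30812]: NTLM server step 2
May  7 05:55:32 mail pop3[30812]: client user: office3
May  7 05:55:32 mail pop3[30812]: client domain: mydomain.at.
"""

# Syslog-style prefix as written in the excerpts: month day time host service[pid]: message
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<svc>[a-z0-9]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def _unobfuscate(value: str) -> str:
    """Undo the archive's ' at ' rewriting so identities read as the plugin logged them."""
    return value.replace(" at ", "@")


def parse_ntlm_sessions(log_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Collect 'client user' / 'client domain' per process id from NTLM step 2 lines.

    Returns {pid: {"user": ..., "domain": ...}}; domain is None when the client sent
    none (old Outlook method 2 carries the mail domain inside the user field instead).
    """
    sessions: Dict[str, Dict[str, Optional[str]]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("client user: "):
            user = _unobfuscate(msg[len("client user: "):].strip())
            sessions.setdefault(pid, {"user": None, "domain": None})["user"] = user
        elif msg.startswith("client domain: "):
            # Drop the trailing dot the plugin logged on the FQDN ("mydomain.at.").
            domain = msg[len("client domain: "):].strip().rstrip(".")
            sessions.setdefault(pid, {"user": None, "domain": None})["domain"] = domain
    # Keep only sessions that reached the point where a user name was logged.
    return {pid: s for pid, s in sessions.items() if s["user"] is not None}


def effective_lookup_id(user: str, domain: Optional[str], default_realm: str) -> str:
    """Model (an assumption based on the mail's description, not the plugin's code) of
    the identity the unpatched plugin hands to the password backend: the client domain
    is not consulted, a bare user name gets the default realm appended, and a user that
    already carries '@' is looked up as sent."""
    if "@" in user:
        return user
    return f"{user}@{default_realm}"


def find_realm_mismatches(log_text: str, default_realm: str) -> List[Dict[str, str]]:
    """Flag sessions where the client sent a DNS-style mail domain (the Outlook 2007
    pattern) that the lookup identity does not end with, so the realm the user exists
    under in the backend is never tried. A Windows domain like WORKSTATION has no dot
    and is not treated as a mail domain."""
    hits: List[Dict[str, str]] = []
    for pid, s in parse_ntlm_sessions(log_text).items():
        user, domain = s["user"], s["domain"]
        lookup = effective_lookup_id(user, domain, default_realm)
        looks_like_mail_domain = domain is not None and "." in domain
        if looks_like_mail_domain and not lookup.lower().endswith("@" + domain.lower()):
            hits.append({"pid": pid, "user": user, "domain": domain, "lookup_id": lookup})
    return hits


if __name__ == "__main__":
    for hit in find_realm_mismatches(SAMPLE_LOG, "mymail.server.com"):
        print(f"pid {hit['pid']}: client sent user {hit['user']} in domain {hit['domain']}, "
              f"but the backend lookup will be {hit['lookup_id']}")
```

Run against the sample, only the third session (pid 30812, Outlook 2007) is reported: the client sent office3 with mail domain mydomain.at, but the lookup becomes office3@mymail.server.com, which is the failure the mail describes. The first two sessions are not flagged because WORKSTATION is not a mail domain and the old method 2 user already carries its realm.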

