Outlook 2007 SPA authentification problem solved (NTLM plugin bug)
CHCNET Consulting
office at chcnet.net
Wed May 7 00:16:53 EDT 2008
Hi Gerard
Gerard wrote:
> On Tue, 06 May 2008 12:44:38 +0200
> Sebastian Hagedorn <Hagedorn at uni-koeln.de> wrote:
>
>
>> Hi,
>>
>> --On 4 May 2008 13:10:43 +0200 CHCNET Consulting <office at chcnet.net>
>> wrote:
>>
>>
>>> I've patched the ntlm plugin to also support Outlook 2007, which
>>> uses a slightly different approach to authenticate. All Outlook
>>> versions prior to 2007 use a two-stage method: first they try to
>>> authenticate with the username and Windows domain instead of the
>>> mail domain (which of course doesn't work, unless we have
>>> user at NTDOMAIN in our sasldb). Outlook 2007 changed this method to
>>> username at maildomain.com. I.e. the NTLM auth is sent with username
>>> and client domain, where the client domain is finally, correctly, our
>>> email domain!
>>>
>> I don't use Outlook or even Windows personally, so I'm a bit clueless
>> about these things, but: I run a mail server with many users that
>> have that combo. We allow NTLM among other SASL methods. So I'm
>> interested in that patch, but I'm confused. I haven't heard any
>> complaints from Outlook 2007 users so far. The reason may be that
>> they don't use NTLM, I'm not sure. There have been complaints,
>> however, from Vista users. I've been told that Vista requires NTLMv2
>> by default. I assume that the plugin only does NTLMv1? Or is that
>> perhaps a misunderstanding?
>>
>
>
Outlook 2007 is wicked, because it changed the old method of NTLM
auth... NTLM auth is used whenever you activate "Client needs secured
authentication" in your email setup. Many users do not yet have problems
with that, because older Outlook versions behave as anticipated by SASL
2.1.22, so no issue at all (even with SPA activated). Whenever a user
migrates from Outlook 2003 to 2007, e.g., his mailbox will fail without
reason. There is even a DIGEST-MD5 authentication try, but that fails
as well. If they do not use SPA (plaintext), you have no issue at all, but
this is very insecure unless you use TLS. So encrypted connections with
the fancy Outlook 2007 client are only possible via NTLM.....
> That is correct, NTLMv2 is the default for Vista. There is a short
> article regarding NTLMv2 and Microsoft here:
>
> http://technet.microsoft.com/en-us/magazine/cc160954.aspx
>
>> BTW, I just checked again and found that the issue appears to be with
>> SMTP, not with IMAP. We run sendmail with the same SASL libs, though.
>>
If you are using realms in your configuration, you run into the problems
for which I created the patch. As long as you are using Cyrus users without a
domain (logon name is username), you won't run into these problems (SASL
doesn't check the Windows domain against the password backend). Check your
logfiles for similar entries (this is valid also for SMTP, because that
is logged by the SASL NTLM plugin).
---> older Outlook method 1
May 29 10:25:48 mail pop3[18419]: NTLM server step 1
May 29 10:25:48 mail pop3[18419]: client flags: ffffb207
May 29 10:25:48 mail pop3[18419]: NTLM server step 2
May 29 10:25:48 mail pop3[18419]: client user: user
May 29 10:25:48 mail pop3[18419]: client domain: WORKSTATION
---> older Outlook method 2
May 28 20:33:10 mail pop3[18862]: NTLM server step 1
May 28 20:33:10 mail pop3[18862]: client flags: ffffb207
May 28 20:33:10 mail pop3[18862]: NTLM server step 2
May 28 20:33:10 mail pop3[18862]: client user: username at adomain.at
---> Outlook 2007 first try
May 7 05:55:32 mail pop3[30842]: sql auxprop plugin using mysql engine
May 7 05:55:32 mail pop3[30812]: NTLM server step 1
May 7 05:55:32 mail pop3[30812]: client flags: ffff8207
May 7 05:55:32 mail pop3[30812]: NTLM server step 2
May 7 05:55:32 mail pop3[30812]: client user: office3
May 7 05:55:32 mail pop3[30812]: client domain: mydomain.at.
The third will never be found, because the client domain is not part of
the username checks... this becomes office3 at mymail.server.com and thus
is never matched against the backend, no matter whether you use sasldb,
LDAP, or an SQL database....
>> Cheers, Sebastian
>>
>
>