-----Original Message-----
From: cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx [mailto:cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of CHCNET Consulting
Sent: Sunday, 4 May 2008 12:11
To: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
Subject: Outlook 2007 SPA authentication problem solved (NTLM plugin bug)
Hi list,

I've patched the ntlm plugin to also support Outlook 2007, which uses a
slightly different approach to authenticate. All Outlook versions prior
to 2007 use a two-stage method: first they try to authenticate with the
username and Windows domain instead of the mail domain (which of course
doesn't work, unless we have user@NTDOMAIN in our sasldb). Outlook 2007
changed this method to username@xxxxxxxxxxxxxxx, i.e. the NTLM auth is
sent with username and client domain, where the client domain is finally,
correctly, our email domain!

But this needs a change in the sasl ntlm plugin, otherwise you never get
the client domain into your checks, but only username@mailserver:
(apply this patch with the patch utility)
---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------
diff -urNp cyrus-sasl-2.1.22/plugins/ntlm.c
cyrus-sasl-2.1.22-patch/plugins/ntlm.c
--- cyrus-sasl-2.1.22/plugins/ntlm.c 2005-07-07 18:10:14.000000000
+0200
+++ cyrus-sasl-2.1.22-patch/plugins/ntlm.c 2008-05-04
14:56:54.000000000 +0200
@@ -1525,14 +1525,46 @@ static int ntlm_server_mech_step2(server
struct propval auxprop_values[2];
unsigned char hash[NTLM_HASH_LENGTH];
unsigned char resp[NTLM_RESP_LENGTH];
+
+ unsigned char *combined_username = NULL;
/* fetch user's password */
result = sparams->utils->prop_request(sparams->propctx,
password_request);
if (result != SASL_OK) goto cleanup;
- /* this will trigger the getting of the aux properties */
- result = sparams->canon_user(sparams->utils->conn, authid,
authid_len,
+
///////////////////////////////////////////////////////////////////
+ // patch by office@xxxxxxxxxx
+ // rights: GPL
+ // older pop3, imap, smtp ntlm clients are sending first
+ // client-user: usernamex
+ // client-domain: NTDOMAIN/WORKGROUP
+ // and if thats denied by us, they retry with
+ // client-user: user@xxxxxxxxxxxxxxxxxx
+ // without a client domain
+ // outlook 2007 changed that behaviour to support properly
+ // also other mail servers. They are thus sending already
(hurray!)
+ // as the first try: client-user: username
+ // and as client domain: the users emaildomain
+
///////////////////////////////////////////////////////////////////
+ if (domain) {
+ // to match the outlook 2007 method
+ combined_username = sparams->utils->malloc(authid_len +
domain_len + 1);
+ if (combined_username == NULL) {
+ MEMERROR(sparams->utils);
+ return SASL_NOMEM;
+ }
+ sprintf(combined_username, "%s@%s", authid, domain);
+ result = sparams->canon_user(sparams->utils->conn,
combined_username, strlen(combined_username),
SASL_CU_AUTHID | SASL_CU_AUTHZID,
oparams);
+ sparams->utils->free(combined_username);
+ }
+ else {
+ // use old method (ignore the first try and match the
second
+ result = sparams->canon_user(sparams->utils->conn, authid,
authid_len,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
oparams);
+ }
+
+ /* this will trigger the getting of the aux properties */
if (result != SASL_OK) goto cleanup;
result = sparams->utils->prop_getnames(sparams->propctx,
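Review bot: the allocation `combined_username = sparams->utils->malloc(authid_len + domain_len + 1)` is one byte short for the `sprintf(combined_username, "%s@%s", authid, domain)` that follows it: the '@' separator and the terminating NUL need two extra bytes, so every Outlook 2007 login writes one byte past the end of a heap block. Size it `authid_len + domain_len + 2`, and prefer `snprintf` with that size or `memcpy` with the explicit lengths, since the original call passed `authid_len` rather than relying on `authid` being NUL-terminated (`sprintf` with `%s` also assumes `domain` is). Two further points in the same branch: the bare `return SASL_NOMEM;` on allocation failure bypasses the function's `cleanup:` path that the neighbouring `if (result != SASL_OK) goto cleanup;` lines rely on, so set `result = SASL_NOMEM` and `goto cleanup` instead; and `domain` is taken straight from the client's NTLM type 3 message, so a domain (or authid) containing '@' produces a lookup name for a different account than the one the client presented and should be rejected before `canon_user` is called. Finally, the comment `// use old method (ignore the first try and match the second` is missing its closing parenthesis.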
---------- CUT HERE ------------ CUT HERE ------------ CUT HERE ------------------
kind regards,
Christoph Christ
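As an added example, not part of the posted patch or of cyrus-sasl itself, here is a stand-alone version of the "user@domain" construction the message describes, with the buffer sized for the separator and the NUL, the lengths taken explicitly (NTLM type 3 fields are length-counted), and a client-supplied domain or authid containing '@' or NUL rejected before it can reshape the account name. The function names `combine_identity` and `select_lookup_name` and the sample identities are assumptions made for this example.

```c
/* Added example (not from the patch or cyrus-sasl): build the
 * "authid@domain" lookup name the Outlook 2007 path needs. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a freshly malloc'd NUL-terminated "authid@domain", or NULL if
 * either part is empty, contains '@' or a NUL byte, or allocation fails.
 * Lengths are explicit because the NTLM fields need not be NUL-terminated. */
char *combine_identity(const unsigned char *authid, size_t authid_len,
                       const unsigned char *domain, size_t domain_len)
{
    if (authid == NULL || domain == NULL || authid_len == 0 || domain_len == 0)
        return NULL;
    /* A separator or NUL in either part would let the client splice a
     * different account name (e.g. domain "x@victim"), so refuse it. */
    if (memchr(authid, '@', authid_len) || memchr(authid, '\0', authid_len) ||
        memchr(domain, '@', domain_len) || memchr(domain, '\0', domain_len))
        return NULL;
    /* authid + '@' + domain + NUL: two bytes beyond the two lengths. */
    size_t total = authid_len + 1 + domain_len + 1;
    char *out = malloc(total);
    if (out == NULL)
        return NULL;
    memcpy(out, authid, authid_len);
    out[authid_len] = '@';
    memcpy(out + authid_len + 1, domain, domain_len);
    out[total - 1] = '\0';
    return out;
}

/* Mirror of the two branches in the message: with a client domain present,
 * look up user@domain (Outlook 2007); without one, look up the bare authid
 * (the second try of older clients, which already carries the mail domain). */
char *select_lookup_name(const unsigned char *authid, size_t authid_len,
                         const unsigned char *domain, size_t domain_len)
{
    if (domain != NULL && domain_len > 0)
        return combine_identity(authid, authid_len, domain, domain_len);
    if (authid == NULL || authid_len == 0)
        return NULL;
    char *out = malloc(authid_len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, authid, authid_len);
    out[authid_len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: what an Outlook 2007 type 3 message would carry. */
    const unsigned char user[] = "alice";
    const unsigned char dom[] = "example.org";
    char *name = select_lookup_name(user, 5, dom, 11);
    printf("%s\n", name ? name : "(rejected)");
    free(name);
    return 0;
}
```

The rejection of '@' is the part the posted patch lacks: with sasldb the lookup is read-only, but letting the client choose the domain half of the key still means the client, not the server, decides which entry is consulted.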