Hi! While debugging AUTH NTLM against Outlook 2010, I found that in http://tools.ietf.org/html/rfc2554, section 4 it says that if the client sends "*" as the answer to a NTLM CHALLENGE, the AUTH should be cancelled (SMTP 501), not fail (SMTP 535).
At http://opsec.eu/src/exim-ntlm/patch-spa.c is a small patch which hopefully does the right thing.

For those interested in AUTH NTLM ('SPA' in Microsoft lingo), here's what I found: if exim offers AUTH NTLM, this happens:

o exim sends a "334 NTLM supported"
o Outlook 2010 as a client sends some base64 which is an NLMP NEGOTIATE blob, described in http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-NLMP%5D.pdf page 15ff
o exim answers with an NLMP CHALLENGE blob, described in the same document, page 19ff.
o and Outlook 2010 says "no thanks", probably due to some of the fields filled in some non-microsofty-way.

This is the reason SPA no longer works. One has to debug the contents of the blob. Have a look at a few lines of perl in http://opsec.eu/src/exim-ntlm/ntlm-decode for a quick jump into this (far from complete).

--
[email protected] +49 171 3101372 10 years to go !
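Added example, not part of the original message and not the linked ntlm-decode script or exim code: a small Python decoder for the base64 lines exchanged during AUTH NTLM, which prints the header fields of the NEGOTIATE and CHALLENGE blobs so the two sides can be compared, and recognises the "*" cancel line. Field offsets and flag bits follow the [MS-NLMP] message layouts; the function names and the two sample blobs are constructed for illustration.

```python
import base64
import struct

# Flag names and bit values from the [MS-NLMP] NEGOTIATE flags (subset).
FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x80000000: "56",
}

def field(blob, pos):
    """Read a Len/MaxLen/BufferOffset triple and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, pos)
    if offset + length > len(blob):
        raise ValueError(f"field at {pos} points outside the blob")
    return blob[offset:offset + length]

def decode(line):
    """Decode one AUTH NTLM protocol line into a dict of header fields."""
    line = line.strip()
    if line == "*":
        return {"type": "CANCEL"}  # RFC 2554 section 4: server answers 501
    blob = base64.b64decode(line, validate=True)
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", blob, 8)
    if mtype == 1:    # NEGOTIATE_MESSAGE: flags at offset 12
        need, fpos, out = 16, 12, {"type": "NEGOTIATE"}
    elif mtype == 2:  # CHALLENGE_MESSAGE: flags at 20, server challenge at 24
        need, fpos, out = 32, 20, {"type": "CHALLENGE"}
    else:
        raise ValueError(f"unhandled message type {mtype}")
    if len(blob) < need:
        raise ValueError("truncated message")
    (flags,) = struct.unpack_from("<I", blob, fpos)
    out["flags"] = sorted(n for bit, n in FLAGS.items() if flags & bit)
    if mtype == 2:
        enc = "utf-16-le" if flags & 1 else "latin-1"
        out["target"] = field(blob, 12).decode(enc)
        out["challenge"] = blob[24:32].hex()
    return out

# Constructed sample messages (not captured from Outlook 2010 or exim).
HDR = b"NTLMSSP\x00"
NEG = base64.b64encode(HDR + struct.pack("<II", 1, 0x00088207) + bytes(16)).decode()
CHAL = base64.b64encode(HDR + struct.pack("<IHHII", 2, 8, 8, 48, 0x00028205)
                        + bytes(range(1, 9)) + bytes(16) + "EXIM".encode("utf-16-le")).decode()
```

Comparing `decode(NEG)["flags"]` with `decode(CHAL)["flags"]` shows which of the client's requested flags the server's challenge echoes back.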
