Menu
▾
▴
[fetchmail-devel] Re: Fetchmail, NTLM and Exchange
|
From: Yves B. <yve...@cg...> - 2005-09-20 17:21:36
|
Hello Andree,
You confused me with this latest email...
Do you mean you whant me to delete every lines beginning with the minus sign
and add every lines with the plus sign or if there is a way to download such a
patch?
I tried to change the line 77 as per your first email. It fixed the ntlm
authentication excepted that now the server complain with a "bad user or
password" message. Same thing as when I tried to telnet the box and play with
it manually...
Yves
On Tue, 20 Sep 2005, Matthias Andree wrote:
MA >On Mon, 19 Sep 2005, Yves Boisjoly wrote:
MA >
MA >> fetchmail: POP3< +OK Microsoft Exchange Server 2003 POP3 server version 6.5.7226.0 (<the_server>) ready.
MA >> fetchmail: POP3> AUTH MSN
MA >> fetchmail: POP3< -ERR The specified authentication package is not supported.
MA >
MA >Please try this patch: (Note you need to have flex or lex installed so
MA >that the configuration parser can be rebuilt.)
MA >
MA >Index: pop3.c
MA >===================================================================
MA >--- pop3.c (revision 4284)
MA >+++ pop3.c (working copy)
MA >@@ -69,12 +69,13 @@
MA > * Much source (ntlm.h, smb*.c smb*.h) was borrowed from Samba.
MA > */
MA >
MA >-static int do_pop3_ntlm(int sock, struct query *ctl)
MA >+static int do_pop3_ntlm(int sock, struct query *ctl,
MA >+ int msn_instead /** if true, send AUTH MSN, else send AUTH NTLM */)
MA > {
MA > char msgbuf[2048];
MA > int result,len;
MA >
MA >- gen_send(sock, "AUTH MSN");
MA >+ gen_send(sock, msn_instead ? "AUTH MSN" : "AUTH NTLM");
MA >
MA > if ((result = gen_recv(sock, msgbuf, sizeof msgbuf)))
MA > return result;
MA >@@ -318,25 +319,20 @@
MA > if (!(ctl->server.sdps) && MULTIDROP(ctl) && strstr(greeting, "demon."))
MA > ctl->server.sdps = TRUE;
MA > #endif /* SDPS_ENABLE */
MA >+
MA > #ifdef NTLM_ENABLE
MA >- /* MSN servers require the use of NTLM (MSN) authentication */
MA >- if (!strcasecmp(ctl->server.pollname, "pop3.email.msn.com") ||
MA >- ctl->server.authenticate == A_NTLM)
MA >- {
MA >- if (!do_pop3_ntlm(sock, ctl))
MA >- {
MA >- return(PS_SUCCESS);
MA >- }
MA >- else
MA >- {
MA >- return(PS_AUTHFAIL);
MA >- }
MA >- }
MA >+ /* MSN servers require the use of NTLM (MSN) authentication */
MA >+ if (!strcasecmp(ctl->server.pollname, "pop3.email.msn.com") ||
MA >+ ctl->server.authenticate == A_MSN)
MA >+ return (do_pop3_ntlm(sock, ctl, 1) == 0) ? PS_SUCCESS : PS_AUTHFAIL;
MA >+ if (ctl->server.authenticate == A_NTLM)
MA >+ return (do_pop3_ntlm(sock, ctl, 0) == 0) ? PS_SUCCESS : PS_AUTHFAIL;
MA > #endif
MA >
MA > switch (ctl->server.protocol) {
MA > case P_POP3:
MA > #ifdef RPA_ENABLE
MA >+ /* XXX FIXME: AUTH probing (RFC1734) should become global */
MA > /* CompuServe POP3 Servers as of 990730 want AUTH first for RPA */
MA > if (strstr(ctl->remotename, "@compuserve.com"))
MA > {
MA >Index: conf.c
MA >===================================================================
MA >--- conf.c (revision 4289)
MA >+++ conf.c (working copy)
MA >@@ -284,6 +284,8 @@
MA > stringdump("auth", "ssh");
MA > else if (ctl->server.authenticate == A_OTP)
MA > stringdump("auth", "otp");
MA >+ else if (ctl->server.authenticate == A_MSN)
MA >+ stringdump("auth", "msn");
MA >
MA > #ifdef HAVE_RES_SEARCH
MA > booldump("dns", ctl->server.dns);
MA >Index: NEWS
MA >===================================================================
MA >--- NEWS (revision 4296)
MA >+++ NEWS (working copy)
MA >@@ -197,6 +197,8 @@
MA > Bug#212240. Sunil Shetye. (MA)
MA > * Fix MacOS X compilation failures in sink.c (ru_*time has incomplete type).
MA > Berlios Bug #4725. Matthias Andree.
MA >+* Fix "auth ntlm" to send AUTH NTLM (rather than AUTH MSN). Add "auth msn"
MA >+ officially. Matthias Andree
MA >
MA > # INTERNAL CHANGES
MA > * Switched to automake. Matthias Andree.
MA >Index: fetchmail.man
MA >===================================================================
MA >--- fetchmail.man (revision 4292)
MA >+++ fetchmail.man (working copy)
MA >@@ -663,19 +663,21 @@
MA > AUTHENTICATION below for details). The possible values are \fBany\fR,
MA > \&\fBpassword\fR, \fBkerberos_v5\fR, \fBkerberos\fR (or, for
MA > excruciating exactness, \fBkerberos_v4\fR), \fBgssapi\fR,
MA >-\fBcram-md5\fR, \fBotp\fR, \fBntlm\fR, and \fBssh\fR. When \fBany\fR (the
MA >-default) is specified, fetchmail tries first methods that don't
MA >-require a password (GSSAPI, KERBEROS_IV); then it looks for methods
MA >-that mask your password (CRAM-MD5, X-OTP, NTLM); and only if the server
MA >-doesn't support any of those will it ship your password en clair.
MA >+\fBcram-md5\fR, \fBotp\fR, \fBntlm\fR, \fBmsn\fR and \fBssh\fR. When
MA >+\fBany\fR (the default) is specified, fetchmail tries first methods that
MA >+don't require a password (GSSAPI, KERBEROS\ IV, KERBEROS\ 5); then it
MA >+looks for methods that mask your password (CRAM-MD5, X-OTP - note that
MA >+NTLM and MSN are not autoprobed); and only if the
MA >+server doesn't support any of those will it ship your password en clair.
MA > Other values may be used to force various authentication methods
MA > (\fBssh\fR suppresses authentication). Any value other than
MA >-\&\fBpassword\fR, \fBcram-md5\fR, \fBntlm\fR or \fBotp\fR suppresses fetchmail's
MA >-normal inquiry for a password. Specify \fBssh\fR when you are using
MA >-an end-to-end secure connection such as an ssh tunnel; specify
MA >-\fBgssapi\fR or \fBkerberos_v4\fR if you are using a protocol variant
MA >-that employs GSSAPI or K4. Choosing KPOP protocol automatically
MA >-selects Kerberos authentication. This option does not work with ETRN.
MA >+\&\fBpassword\fR, \fBcram-md5\fR, \fBntlm\fR, \fBmsn\fR or \fBotp\fR
MA >+suppresses fetchmail's normal inquiry for a password. Specify \fBssh\fR
MA >+when you are using an end-to-end secure connection such as an ssh
MA >+tunnel; specify \fBgssapi\fR or \fBkerberos_v4\fR if you are using a
MA >+protocol variant that employs GSSAPI or K4. Choosing KPOP protocol
MA >+automatically selects Kerberos authentication. This option does not
MA >+work with ETRN.
MA > .SS Miscellaneous Options
MA > .TP
MA > .B \-f <pathname> | \-\-fetchmailrc <pathname>
MA >Index: fetchmail.c
MA >===================================================================
MA >--- fetchmail.c (revision 4289)
MA >+++ fetchmail.c (working copy)
MA >@@ -1536,6 +1536,9 @@
MA > case A_PASSWORD:
MA > printf(GT_(" Password authentication will be forced.\n"));
MA > break;
MA >+ case A_MSN:
MA >+ printf(GT_(" MSN authentication will be forced.\n"));
MA >+ break;
MA > case A_NTLM:
MA > printf(GT_(" NTLM authentication will be forced.\n"));
MA > break;
MA >Index: fetchmail.h
MA >===================================================================
MA >--- fetchmail.h (revision 4289)
MA >+++ fetchmail.h (working copy)
MA >@@ -70,9 +70,17 @@
MA > #define A_KERBEROS_V5 6 /* authenticate w/ Kerberos V5 */
MA > #define A_GSSAPI 7 /* authenticate with GSSAPI */
MA > #define A_SSH 8 /* authentication at session level */
MA >+#define A_MSN 9 /* same as NTLM with keyword MSN */
MA >
MA >-/* some protocols (KERBEROS, GSSAPI, SSH) don't require a password */
MA >-#define NO_PASSWORD(ctl) ((ctl)->server.authenticate > A_OTP || (ctl)->server.protocol == P_ETRN)
MA >+/* some protocols or authentication types (KERBEROS, GSSAPI, SSH) don't
MA >+ * require a password */
MA >+#define NO_PASSWORD(ctl) \
MA >+ ((ctl)->server.authenticate == A_OTP \
MA >+ || (ctl)->server.authenticate == A_KERBEROS_V4 \
MA >+ || (ctl)->server.authenticate == A_KERBEROS_V5 \
MA >+ || (ctl)->server.authenticate == A_GSSAPI \
MA >+ || (ctl)->server.authenticate == A_SSH \
MA >+ || (ctl)->server.protocol == P_ETRN)
MA >
MA > /*
MA > * Definitions for buffer sizes. We get little help on setting maxima
MA >Index: rcfile_l.l
MA >===================================================================
MA >--- rcfile_l.l (revision 4289)
MA >+++ rcfile_l.l (working copy)
MA >@@ -100,6 +100,7 @@
MA > ssh { SETSTATE(0); yylval.proto = A_SSH; return AUTHTYPE;}
MA > (otp|opie) { SETSTATE(0); yylval.proto = A_OTP; return AUTHTYPE;}
MA > cram(-md5)? { SETSTATE(0); yylval.proto = A_CRAM_MD5; return AUTHTYPE;}
MA >+msn { SETSTATE(0); yylval.proto = A_MSN; return AUTHTYPE;}
MA > ntlm { SETSTATE(0); yylval.proto = A_NTLM; return AUTHTYPE;}
MA > <AUTH>password { SETSTATE(0); yylval.proto = A_PASSWORD; return AUTHTYPE;}
MA > timeout { return TIMEOUT;}
MA >Index: options.c
MA >===================================================================
MA >--- options.c (revision 4289)
MA >+++ options.c (working copy)
MA >@@ -418,6 +418,8 @@
MA > ctl->server.authenticate = A_GSSAPI;
MA > else if (strcmp(optarg, "any") == 0)
MA > ctl->server.authenticate = A_ANY;
MA >+ else if (strcmp(optarg, "msn") == 0)
MA >+ ctl->server.authenticate = A_MSN;
MA > else {
MA > fprintf(stderr,GT_("Invalid authentication `%s' specified.\n"), optarg);
MA > errflag++;
MA >
--
=================================
Yves Boisjoly
Administrateur IXOS/Ariba
CGI - services à BCE
1350, boul. René-Lévesque,
suite 800 bureau 8.446
Montréal, Québec, H3G 1T4
Téléphone : 514-415-3000 x5510
Urgences : 514-540-4672
Fax : 514-415-3987
yve...@cg...
---------------------------------
AVIS DE CONFIDENTIALITÉ :
Ce message peut contenir des renseignements confidentiels appartenant
exclusivement au Groupe CGI Inc. ou à ses filiales. Si vous n'êtes pas le
destinataire indiqué ou prévu dans ce message (ou responsable de livrer ce
message à la personne indiquée ou prévue) ou si vous pensez que ce message
vous a été adressé par erreur, vous ne pouvez pas utiliser ou reproduire ce
message, ni le livrer à quelqu'un d'autre. Dans ce cas, vous devez le détruire
et vous êtes prié d'avertir l'expéditeur en répondant au courriel.
CONFIDENTIALITY NOTICE:
Proprietary/Confidential Information belonging to CGI Group Inc. and its
affiliates may be contained in this message. If you are not a recipient
indicated or intended in this message or responsible for delivery of this
message to such person), or you think for any reason that this message may
have been addressed to you in error, you may not use or copy or deliver this
message to anyone else. In such case, you should destroy this message and are
asked to notify the sender by reply e-mail.
=================================
|
