I'm pleased to see another project increasing compatibility with Windows clients, by the addition of NTLM login support, but I'm a bit worried about a few implementation details, and hope to offer an alternate approach.
I mean no disrespect to those who have implemented the code so far, but I feel that the idea of 'everybody re-implement NTLM' is prone to failure.
Firstly, the bugs I've noticed by casual inspection of your implementation:
- Unicode support is by 'null padding' - there is no real support for non-ASCII characters.
Does it really matter? Do you know many people who use non-ASCII characters in their email addresses and passwords? :)
- NTLM2 (a negotiated scheme to avoid sending the LM response) is unsupported
Did you RTFS? Or maybe I missed something?
- NTLMSSP is NDR, not 'C struct pushed to the wire', it needs to be correctly marshaled and unmarshaled.
Yes, it's not a C struct, so what? Where is the actual bug?
There are other missing features, some of which are rumoured to become mandatory flags in future, but more importantly, because the implementation is standalone, it has no ability to integrate into an NT/Win2k/Samba domain.
It can be directly integrated with password backends using NTLM password scheme.
As part of the Samba team, I have worked with other projects - Squid in particular, to deliver server-side (and client-side) NTLMSSP authentication, without the need to re-implement the NTLMSSP protocol.
This is done by a callout to 'ntlm_auth', a Samba 3.0 utility designed for this purpose, which in turn can contact domain controllers, allowing for seamless single sign-on.
So you'll need Samba to run a POP3/IMAP server. Doesn't look convenient to me. Many people have no Windows domain infrastructure, but want to provide secure authentication for poor MS Outlook users.
I have recently completed reworking mod_ntlm_winbind for a similar purpose, and have patches for cyrus-sasl in my 'lorikeet' subversion repository. These should serve as good examples for the simple fork()/exec() model that is used, and also show the support for GSS-SPNEGO (aka HTTP Negotiate) that ntlm_auth also provides.
http://download.samba.org/ftp/unpacked/lorikeet/trunk/
My hope is that I can tempt a Dovecot developer to take on the challenge of modifying Dovecot to use ntlm_auth, and am most willing to answer any questions (here, by private mail or on the samba-technical list) that you may have on the issue.
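As an added illustration of the callout model discussed in this thread (this is not code from Samba, Dovecot or either poster), here is a minimal Python driver that proxies one NTLMSSP exchange to a spawned ntlm_auth over its line protocol. The `--helper-protocol=squid-2.5-ntlmssp` flag and the `YR`/`KK` request and `TT`/`AF`/`NA`/`BH` reply codes are the Squid helper convention as I know it and are assumptions here; the class takes any (write, readline) pair so it can be exercised with a scripted fake helper.

```python
import base64
import subprocess


def encode_request(kind, blob=b""):
    """Frame one request line: 'YR' (Type 1 / negotiate) or 'KK' (Type 3)."""
    if kind not in ("YR", "KK"):
        raise ValueError("unknown request kind %r" % kind)
    payload = base64.b64encode(blob).decode("ascii") if blob else ""
    return (kind + " " + payload).rstrip() + "\n"


def parse_reply(line):
    """Split a helper reply into (code, payload): TT carries a base64 Type 2
    challenge, AF the authenticated user, NA a failure reason, BH a helper
    error (assumed reply codes)."""
    code, _, rest = line.rstrip("\r\n").partition(" ")
    if code == "TT":
        return code, base64.b64decode(rest)
    if code in ("AF", "NA", "BH"):
        return code, rest
    raise ValueError("unexpected helper reply %r" % line)


class NtlmAuthHelper:
    """One NTLMSSP exchange relayed to an external helper over its stdio."""

    def __init__(self, write, readline):
        self._write, self._readline = write, readline

    @classmethod
    def spawn(cls, path="ntlm_auth", domain=None):
        # Assumed command line; line buffering flushes each request.
        argv = [path, "--helper-protocol=squid-2.5-ntlmssp"]
        if domain:
            argv.append("--domain=" + domain)
        p = subprocess.Popen(argv, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, text=True, bufsize=1)
        return cls(p.stdin.write, p.stdout.readline)

    def _call(self, kind, blob):
        self._write(encode_request(kind, blob))
        return parse_reply(self._readline())

    def challenge(self, type1):
        """Relay the client's Type 1 message; return the Type 2 challenge."""
        code, payload = self._call("YR", type1)
        if code != "TT":
            raise RuntimeError("helper refused negotiate: %s %s" % (code, payload))
        return payload

    def authenticate(self, type3):
        """Relay the Type 3 response; return the user name, or None on NA."""
        code, payload = self._call("KK", type3)
        if code == "AF":
            return payload
        if code == "NA":
            return None  # bad credentials: the mail server answers NO
        raise RuntimeError("helper error: %s %s" % (code, payload))
```

The server never sees or stores password material; it only shuttles opaque blobs between the client and the helper, which is what lets the domain controller (via winbind) make the decision.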