diff -urdpNX /usr/share/dontdiff -x debian dovecot-1.0-test52.vanilla/src/auth/mech-ntlm.c dovecot-1.0-test52/src/auth/mech-ntlm.c
--- dovecot-1.0-test52.vanilla/src/auth/mech-ntlm.c	2004-10-22 17:32:27.000000000 +0400
+++ dovecot-1.0-test52/src/auth/mech-ntlm.c	2004-11-10 16:45:53.000000000 +0300
@@ -42,10 +42,15 @@ lm_credentials_callback(const char *cred
 	const unsigned char *client_response;
 	unsigned char lm_response[LM_RESPONSE_SIZE];
 	unsigned char hash[LM_HASH_SIZE];
+	unsigned int response_length;
 	buffer_t *hash_buffer;
 	int ret;
 
-	if (credentials == NULL) {
+	response_length =
+		ntlmssp_buffer_length(request->response, lm_response);
+	client_response = ntlmssp_buffer_data(request->response, lm_response);
+
+	if ((credentials == NULL) || (response_length < LM_RESPONSE_SIZE)) {
 		mech_auth_finish(auth_request, NULL, 0, FALSE);
 		return;
 	}
@@ -54,8 +59,6 @@ lm_credentials_callback(const char *cred
 					 hash, sizeof(hash));
 	hex_to_binary(credentials, hash_buffer);
 
-	client_response = ntlmssp_buffer_data(request->response, lm_response);
-
 	ntlmssp_v1_response(hash, request->challenge, lm_response);
 
 	ret = memcmp(lm_response, client_response, LM_RESPONSE_SIZE) == 0;
@@ -75,10 +78,18 @@ ntlm_credentials_callback(const char *cr
 	buffer_t *hash_buffer;
 	int ret;
 
-	if (credentials == NULL && !request->ntlm2_negotiated) {
-		passdb->lookup_credentials(auth_request,
-					   PASSDB_CREDENTIALS_LANMAN,
-					   lm_credentials_callback);
+	response_length =
+		ntlmssp_buffer_length(request->response, ntlm_response);
+	client_response = ntlmssp_buffer_data(request->response, ntlm_response);
+
+	if ((credentials == NULL) || (response_length == 0)) {
+		/* We can't use LM authentication if NTLM2 was negotiated */
+		if (request->ntlm2_negotiated)
+			mech_auth_finish(auth_request, NULL, 0, FALSE);
+		else
+			passdb->lookup_credentials(auth_request,
+						   PASSDB_CREDENTIALS_LANMAN,
+						   lm_credentials_callback);
 		return;
 	}
 
@@ -86,9 +97,6 @@ ntlm_credentials_callback(const char *cr
 					 hash, sizeof(hash));
 	hex_to_binary(credentials, hash_buffer);
 
-	response_length =
-		ntlmssp_buffer_length(request->response, ntlm_response);
-	client_response = ntlmssp_buffer_data(request->response, ntlm_response);
 
 	if (response_length > NTLMSSP_RESPONSE_SIZE) {
 		unsigned char ntlm_v2_response[NTLMSSP_V2_RESPONSE_SIZE];
diff -urdpNX /usr/share/dontdiff -x debian dovecot-1.0-test52.vanilla/src/lib-ntlm/ntlm-message.c dovecot-1.0-test52/src/lib-ntlm/ntlm-message.c
--- dovecot-1.0-test52.vanilla/src/lib-ntlm/ntlm-message.c	2004-10-22 17:32:27.000000000 +0400
+++ dovecot-1.0-test52/src/lib-ntlm/ntlm-message.c	2004-11-10 16:28:33.000000000 +0300
@@ -180,13 +180,19 @@ static int ntlmssp_check_buffer(const st
 				size_t data_size, const char **error)
 {
 	uint32_t offset = read_le32(&buffer->offset);
+	uint16_t length = read_le16(&buffer->length);
+	uint16_t space = read_le16(&buffer->space);
+
+	/* Empty buffer is ok */
+	if (!length && !space)
+		return 1;
 
 	if (offset >= data_size) {
 		*error = "buffer offset out of bounds";
 		return 0;
 	}
 
-	if (offset + read_le16(&buffer->space) > data_size) {
+	if (offset + space > data_size) {
 		*error = "buffer end out of bounds";
 		return 0;
 	}