Exim Internet Mailer


Chapter 38 - The spa authenticator

The spa authenticator provides client support for Microsoft’s Secure Password Authentication mechanism, which is also sometimes known as NTLM (NT LanMan). The code for the client side of this authenticator was contributed by Marc Prud’hommeaux, and much of it is taken from the Samba project (http://www.samba.org). The code for the server side was subsequently contributed by Tom Kistner. The mechanism works as follows:

  • After the AUTH command has been accepted, the client sends an SPA authentication request based on the user name and optional domain.

  • The server sends back a challenge.

  • The client builds a challenge response which makes use of the user’s password and sends it to the server, which then accepts or rejects it.

Encryption is used to protect the password in transit.

1. Using spa as a server

The spa authenticator has just one server option:

server_password Use: spa Type: string Default: unset

This option is expanded, and the result must be the cleartext password for the authenticating user, whose name is at this point in $auth1. For compatibility with previous releases of Exim, the user name is also placed in $1. However, the use of this variable for this purpose is now deprecated, as it can lead to confusion in string expansions that also use numeric variables for other things. For example:

spa:
  driver = spa
  public_name = NTLM
  server_password = \
    ${lookup{$auth1}lsearch{/etc/exim/spa_clearpass}{$value}fail}

If the expansion is forced to fail, authentication fails. Any other expansion failure causes a temporary error code to be returned.
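The following Python script is an added illustration, not part of the Exim documentation or Exim's own code. It models the two outcomes just described for the server_password example above: a miss in the lsearch file triggers the "fail" branch of the lookup (forced failure, so authentication fails), while a problem that is not a forced failure, such as an unreadable file, yields a temporary error. The lsearch parser is a simplified model of Exim's lsearch file format (case-insensitive keys, optional double-quoted keys, whitespace-led continuation lines, blank and "#" lines skipped); the sample file contents and the helper names are constructed for this example.

```python
"""Model of the spa server_password decision (constructed example, not Exim code)."""
from typing import Callable, Optional, Tuple

# Constructed sample in lsearch format, standing in for /etc/exim/spa_clearpass.
# Note for operators: this file holds cleartext passwords, because the spa
# server needs them; keep it readable only by the user Exim runs as.
SAMPLE_SPA_CLEARPASS = """\
# user : cleartext password
alice: correct horse battery staple

"bob smith": p@ss:with:colons
carol: first line
  continued
"""


def lsearch_lookup(text: str, key: str) -> Optional[str]:
    """Simplified lsearch: first line whose key matches `key` (case-insensitive).

    Handles blank lines and '#' comment lines, keys in double quotes (for keys
    containing spaces or colons), and continuation lines that start with
    whitespace, which are joined to the previous data with a single space.
    Returns the data string, or None when the key is not present.
    """
    entries = []  # list of [key, data]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            entries[-1][1] += " " + raw.strip()  # continuation of previous data
            continue
        if raw.startswith('"'):
            end = raw.index('"', 1)
            k, rest = raw[1:end], raw[end + 1:]
        else:
            # key ends at the first colon or whitespace (or end of line)
            sep = min((i for i, ch in enumerate(raw) if ch in ": \t"),
                      default=len(raw))
            k, rest = raw[:sep], raw[sep:]
        rest = rest.lstrip()
        if rest.startswith(":"):
            rest = rest[1:]
        entries.append([k, rest.strip()])
    for k, v in entries:
        if k.lower() == key.lower():
            return v
    return None


def expand_server_password(auth1: str,
                           load_file: Callable[[], str]) -> Tuple[str, Optional[str]]:
    """Apply the rule from the text to the example server_password expansion.

    auth1     -- the user name the client offered ($auth1)
    load_file -- returns the lsearch file contents, or raises OSError

    Returns (outcome, password) where outcome is one of:
      'ok'              -- lookup succeeded, password is the cleartext value
      'auth-failed'     -- lookup missed, so the '{$value}fail' branch forces
                           the expansion to fail: authentication fails
      'temporary-error' -- any other expansion failure (here: unreadable file):
                           Exim returns a temporary error code instead
    """
    try:
        text = load_file()
    except OSError:
        return ("temporary-error", None)
    password = lsearch_lookup(text, auth1)
    if password is None:
        return ("auth-failed", None)
    return ("ok", password)


def unreadable_file() -> str:
    """Constructed loader that behaves like a missing or unreadable file."""
    raise OSError("spa_clearpass: permission denied")


if __name__ == "__main__":
    for user in ("alice", "Bob Smith", "dave"):
        print(user, expand_server_password(user, lambda: SAMPLE_SPA_CLEARPASS))
    print("alice (unreadable)", expand_server_password("alice", unreadable_file))
```

The distinction matters operationally: a forced failure tells the client its credentials were rejected, whereas a temporary error tells it to retry later, so a misconfigured or unreadable password file shows up as deferred authentication rather than as a flood of rejected logins.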

2. Using spa as a client

The spa authenticator has the following client options:

client_domain Use: spa Type: string Default: unset

This option specifies an optional domain for the authentication.

client_password Use: spa Type: string Default: unset

This option specifies the user’s password, and must be set.

client_username Use: spa Type: string Default: unset

This option specifies the user name, and must be set. Here is an example of a configuration of this authenticator for use with the mail servers at msn.com:

msn:
  driver = spa
  public_name = MSN
  client_username = msn/msn_username
  client_password = msn_plaintext_password
  client_domain = DOMAIN_OR_UNSET
