cURL / Mailing Lists / curl-library / Single Mail

curl-library

RE: feature window is now closed

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Thu, 14 Aug 2014 12:26:20 +0100

On Wed, 13 Aug 2014, Daniel Stenberg wrote:

> > After 5 days of pain I've just got Kerberos (SASL GSSAPI)
> > authentication working for IMAP, SMTP and POP3.
> >
> > Is it to late for the new features Window?
>
> Oh, how awesome! If you push those within a day or so we
> shall count those as being on the right side of "the gate".

Dear friends,

You will have noticed that I have started to push my GSSAPI commits, however, the journey has been quite painstaking due to a lack of specific documentation and example codes for mail servers. As such, I read RFC4752, the older RFC222, RFC1964 and the MSDN documentation again, and again, referenced our socks5_sspi.c code as well as SSH examples that I found on the web but each protocol's usage has different application/security data sent at the end of the user token handshake.

It seems that whilst the email protocols pretty much follow RFC4752 there are some suitable differences (probably due to ambiguity between RFC4752 and RFC2222?) - certainly with Exchange server anyway. If anyone has access to other email servers that support GSSAPI and are able test those that would be fantastic. I guess this sort of thing may come out in the wash in time.

Note: From my own testing I found that I had to specify the username with the Windows Domain name prefixed to it if the username was specified in -u, for example, "-u MY-DOMAIN\steve.holme" however, "-u :" can be specified to allow the code to pick the current user credentials up like the NLTM and Negotiate code does. I also found that the SPN had to be a fully registered SPN, so if you have an alias for a mail server for example as I do:

Real server FQDN: exch-svr.example.com
Webmail proxy FQDN: mail.example.com
SMTP alias: smtp.example.com

...then you'll find that smtp/exch-svr.example.com and mail/example.com along with smtp/EXCH-SVR are already registered SPNs, but smtp/smtp.example.com probably isn't and as such InitializeContext() will fail with SEC_E_TARGET_UNKNOWN - if memory serves me correctly. In this case either use server.example.com when connecting to your server or register new SPNs via SetSPN ;-) You can also use "setspn -L server" to find out what is registered for your computer / user account.

Finally, I would like to ask a favour of my fellow curl SSPI developers to review my next patch, whilst development started at the weekend, it has involved a few some late nights!! Please be warned the two new functions that I would like addition eyes passing over will be in curl_sasl_sspi.c but feature over 400 new lines of code and comments. Note: I have pushed this commit but not my email protocol implementations - they'll probably come along this evening ;-)

Many thanks in advance.

Kind Regards

Steve

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-08-14