The spa authenticator provides client support for Microsoft’s Secure Password Authentication mechanism, which is also sometimes known as NTLM (NT LanMan). The code for client side of this authenticator was contributed by Marc Prud’hommeaux, and much of it is taken from the Samba project (http://www.samba.org). The code for the server side was subsequently contributed by Tom Kistner. The mechanism works as follows:
Encryption is used to protect the password in transit.
The spa authenticator has just one server option:
| server_password | Use: spa | Type: string† | Default: unset |
This option is expanded, and the result must be the cleartext password for the authenticating user, whose name is at this point in $1. For example:
spa:
driver = spa
public_name = NTLM
server_password = ${lookup{$1}lsearch{/etc/exim/spa_clearpass}\
{$value}fail}
If the expansion is forced to fail, authentication fails. Any other expansion failure causes a temporary error code to be returned.
The spa authenticator has the following client options:
| client_domain | Use: spa | Type: string† | Default: unset |
This option specifies an optional domain for the authentication.
| client_password | Use: spa | Type: string† | Default: unset |
This option specifies the user’s password, and must be set.
| client_username | Use: spa | Type: string† | Default: unset |
This option specifies the user name, and must be set.
Here is an example of a configuration of this authenticator for use with the mail servers at msn.com:
msn: driver = spa public_name = MSN client_username = msn/msn_username client_password = msn_plaintext_password client_domain = DOMAIN_OR_UNSET