3.2.5.1 Receiving an SMTP_AUTH_NTLM_Initiation_Command Message

When this message is received and the server state equals start, the server examines the received message to determine if the [initial-response] parameter is present in the message.

De-encapsulation of these messages by the server follows the logic:

  1. Remove the <CR> and <LF> characters (ASCII values 0x0D and 0x0A).

  2. Base64-decode the SMTP data to produce the original NTLM message data.

There are two actions possible, depending on whether or not the client has included the [initial-response] parameter in this message:

  1. If the client has included the [initial-response] parameter, the server MUST change its internal state to received_command and de-encapsulate the NTLM NEGOTIATE_MESSAGE embedded within the [initial-response] and pass it to the NTLM software with the GSS_Accept_sec_context call, as specified in [MS-NLMP] section 3.2.4. Further, the NTLM Authentication Protocol is used with the connection-oriented NTLM negotiation option.

    The NTLM software does one of the following, as specified in [MS-NLMP]:

    • Report success in processing the message. The server MUST send an SMTP_AUTH_NTLM_BLOB_Response message to the client and change its internal state to sent_response.

    • Report that the authentication failed, which could be due to some other software error or message corruption. The server MUST change its state to completed_authentication and return an SMTP_AUTH_Other_Failure_Response message.

  2. If the client has not included the [initial-response] parameter, the server MUST change its state to received_authentication_request and, if it supports NTLM, reply with the SMTP_NTLM_Supported_Response message and then change its state to sent_response.
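The de-encapsulation steps and the two actions above, as an added Python example that is not part of the specification: the NTLM software is modelled by a caller-supplied function (an assumption standing in for GSS_Accept_sec_context), responses are returned as message names rather than SMTP wire text, and the NEGOTIATE_MESSAGE header check in the stand-in uses the signature and MessageType defined in [MS-NLMP].

```python
import base64
import binascii
from typing import Callable, Optional

def de_encapsulate(smtp_data: bytes) -> bytes:
    """Steps 1 and 2: strip <CR>/<LF> (0x0D/0x0A), then base64-decode.
    Malformed base64 raises binascii.Error, handled below as message corruption."""
    return base64.b64decode(smtp_data.rstrip(b"\r\n"), validate=True)

class SmtpNtlmServer:
    def __init__(self, ntlm: Callable[[bytes], Optional[bytes]]) -> None:
        # Assumed stand-in for the NTLM software: NEGOTIATE_MESSAGE bytes in, CHALLENGE
        # bytes out, or None on failure (a real server calls GSS_Accept_sec_context here).
        self.ntlm = ntlm
        self.state = "start"

    def receive_initiation_command(self, line: bytes) -> str:
        """Handle SMTP_AUTH_NTLM_Initiation_Command; returns the response message name."""
        if self.state != "start":
            raise RuntimeError(f"command not expected in state {self.state}")
        parts = line.rstrip(b"\r\n").split(b" ", 2)
        if len(parts) < 2 or parts[0].upper() != b"AUTH" or parts[1].upper() != b"NTLM":
            raise ValueError("not an AUTH NTLM command")
        if len(parts) == 3 and parts[2]:
            # [initial-response] present: the NEGOTIATE_MESSAGE is embedded in it.
            self.state = "received_command"
            try:
                challenge = self.ntlm(de_encapsulate(parts[2]))
            except binascii.Error:
                challenge = None  # corrupt encoding is reported as failed authentication
            if challenge is None:
                self.state = "completed_authentication"
                return "SMTP_AUTH_Other_Failure_Response"
            self.state = "sent_response"
            return "SMTP_AUTH_NTLM_BLOB_Response"
        # No [initial-response]; this server is assumed to support NTLM.
        self.state = "received_authentication_request"
        self.state = "sent_response"  # entered once SMTP_NTLM_Supported_Response is sent
        return "SMTP_NTLM_Supported_Response"

def fake_ntlm_acceptor(negotiate: bytes) -> Optional[bytes]:
    """Constructed stand-in: accept only a NEGOTIATE_MESSAGE header (signature
    "NTLMSSP\\0", MessageType 1, per [MS-NLMP]) and return a minimal CHALLENGE header."""
    if negotiate[:8] != b"NTLMSSP\x00" or negotiate[8:12] != (1).to_bytes(4, "little"):
        return None
    return b"NTLMSSP\x00" + (2).to_bytes(4, "little")

# Constructed sample: the [initial-response] form of the command as a client would send it.
SAMPLE_NEGOTIATE = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)
SAMPLE_COMMAND = b"AUTH NTLM " + base64.b64encode(SAMPLE_NEGOTIATE) + b"\r\n"
```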