1.3 Overview

Client applications that connect to the Simple Mail Transfer Protocol (SMTP) service on supported operating systems (see section 6) can authenticate by using the NT LAN Manager (NTLM) Authentication Protocol, as specified in [MS-NLMP].

The NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension specifies how an SMTP client and SMTP server can use the NTLM Authentication Protocol, as specified in [MS-NLMP], so that the SMTP server can authenticate the SMTP client. The NTLM Authentication Protocol, as specified in [MS-NLMP], is a challenge/response authentication protocol that depends on an application-layer protocol to transport NTLM packets from client to server and from server to client.

The NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension defines how SMTP is extended to perform authentication using the NTLM Authentication Protocol, as specified in [MS-NLMP]. The SMTP standard defines an extensibility mechanism that allows arbitrary authentication protocols to be plugged into the core protocol. This mechanism is the SMTP AUTH mechanism.

The NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension is an embedded protocol in which NTLM authentication data is first transformed into a base64 representation (as specified in [RFC1521]) and then formatted by padding it with SMTP status codes and SMTP keywords, as defined by the AUTH mechanism. The base64 encoding and the formatting are deliberately rudimentary; their only purpose is to make the NTLM data look like other SMTP commands and responses. The following diagram illustrates the sequence of transformations performed on an NTLM message to produce a message that can be sent over SMTP.

Figure 1: Relationship between NTLM message and SMTP (NTLM Authentication Protocol message)

The NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension is a pass-through protocol that does not specify the structure of NTLM information. Instead, the protocol relies on the software that implements the NTLM Authentication Protocol (as specified in [MS-NLMP]) to process each NTLM message to be sent or received.

The NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension defines both server and client roles.

When the SMTP implementation performs NTLM authentication, it interacts with the NTLM software as follows:

If acting as an SMTP client:

  1. The NTLM software returns the first NTLM message to the client to be sent to the server.

  2. The client applies both the base64 encoding and SMTP padding transformations mentioned earlier (and described in detail later in this document) to produce an SMTP message, and then sends this message to the server.

  3. The client waits for a response from the server. When the response is received, the client determines whether the response indicates either the end of authentication (success or failure) or the continuation of authentication.

  4. If the authentication is continuing, the response message is stripped of the SMTP padding, is base64-decoded, and is passed into the NTLM software, after which the NTLM software can return another NTLM message that needs to be sent to the server. Steps 2 through 4 are repeated until authentication succeeds or fails.

If acting as an SMTP server:

  1. The server waits to receive the first SMTP authentication message from the client.

  2. When an SMTP message is received from the client, the SMTP padding is removed, the message is base64-decoded, and the resulting NTLM message is passed into the NTLM software.

  3. The NTLM software will return a status indicating whether authentication completed successfully, failed, or more NTLM messages need to be exchanged to complete the authentication.

  4. If the authentication is continuing, the NTLM software returns an NTLM message that needs to be sent to the client. The server base64-encodes this message, applies the SMTP padding, and sends the result to the client. Steps 2 through 4 are repeated until authentication succeeds or fails.

The sequence that follows shows the typical flow of packets between a client and server once NTLM authentication has been selected:

  1. The SMTP client sends an NTLM NEGOTIATE_MESSAGE embedded in an SMTP_AUTH_NTLM_BLOB_Command packet to the server.

  2. On receiving the SMTP packet with NTLM NEGOTIATE_MESSAGE, the server sends an NTLM CHALLENGE_MESSAGE embedded in an SMTP packet to the client.

  3. In response, the SMTP client sends an NTLM AUTHENTICATE_MESSAGE embedded in an SMTP packet.

  4. The server then sends an SMTP response to the client that reports the outcome: success if the NTLM software accepted the AUTHENTICATE_MESSAGE, or failure if it rejected it. This response completes the authentication process.

The NTLM NEGOTIATE_MESSAGE, NTLM CHALLENGE_MESSAGE, and NTLM AUTHENTICATE_MESSAGE packets contain NTLM authentication data that is processed by the NTLM software installed on the local computer. How to retrieve and process NTLM messages is specified in [MS-NLMP].
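The following Python program is an added example and is not code from [MS-SMTPNTLM] or from any Microsoft implementation. It carries out the client and server loops described above over the three-message NEGOTIATE/CHALLENGE/AUTHENTICATE flow: base64 encoding, padding with an SMTP status code, stripping that padding, decoding, and classifying each server reply as continuation, success, or failure. The NTLM messages themselves are constructed placeholders that set only the Signature and MessageType fields of [MS-NLMP]; the "NTLM software" is a stub, and real credential verification is outside the SMTP layer. The example assumes the conventional SMTP AUTH reply codes (334 for continuation, 235 for success, 4yz/5yz for failure); those codes, and the function names, are this example's assumptions, not definitions taken from this page.

```python
"""Added example (not from [MS-SMTPNTLM]): the base64 + SMTP-padding transformations
and the client/server loops of the overview, run over constructed NTLM messages.

Assumptions made here, not stated by the page: '334 ' marks a continuation reply,
'235' success, and 4yz/5yz failure (conventional SMTP AUTH codes); NTLM messages
are placeholders with only the [MS-NLMP] Signature and MessageType fields set.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, AUTHENTICATE_MESSAGE = 1, 2, 3


def ntlm_message_type(blob: bytes) -> int:
    """Read the MessageType field ([MS-NLMP] Signature + 4-byte LE type).
    The SMTP layer is otherwise pass-through; this is the one sanity check
    it can do before handing the blob to the NTLM software."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("decoded blob does not start with the NTLMSSP signature")
    return struct.unpack_from("<I", blob, 8)[0]


def make_ntlm_stub(message_type: int) -> bytes:
    """Constructed placeholder standing in for what the NTLM software returns."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", message_type) + b"\x00" * 20


def client_wrap(ntlm_msg: bytes) -> bytes:
    """Client -> server: base64 the NTLM message, terminate as an SMTP command line."""
    return base64.b64encode(ntlm_msg) + b"\r\n"


def server_wrap(ntlm_msg: bytes) -> bytes:
    """Server -> client continuation: base64 the NTLM message, pad with '334 '."""
    return b"334 " + base64.b64encode(ntlm_msg) + b"\r\n"


def strip_padding(line: bytes, prefix: bytes) -> bytes:
    """Remove the SMTP padding and base64-decode. validate=True makes the
    decoder reject characters outside the base64 alphabet instead of
    silently skipping them, so a corrupted line fails here, not inside NTLM."""
    if not line.startswith(prefix) or not line.endswith(b"\r\n"):
        raise ValueError("malformed SMTP line")
    return base64.b64decode(line[len(prefix):-2], validate=True)


def classify_server_response(line: bytes):
    """Client step 3: end of authentication (success/failure) or continuation."""
    if line.startswith(b"334 "):
        return "continue", strip_padding(line, b"334 ")
    if line.startswith(b"235 "):
        return "success", None
    if line[:1] in (b"4", b"5"):
        return "failure", None
    raise ValueError("unexpected SMTP reply code %r" % line[:3])


def run_exchange():
    """Simulate the NEGOTIATE/CHALLENGE/AUTHENTICATE flow; return (sender, line) pairs."""
    wire = []
    # Client steps 1-2: NTLM stub hands out NEGOTIATE_MESSAGE; client wraps and sends it.
    wire.append(("C", client_wrap(make_ntlm_stub(NEGOTIATE_MESSAGE))))
    # Server steps 2-4: unwrap (no status prefix on a client command), check type,
    # and send back the CHALLENGE_MESSAGE the NTLM stub produces.
    if ntlm_message_type(strip_padding(wire[-1][1], b"")) != NEGOTIATE_MESSAGE:
        raise ValueError("server expected NEGOTIATE_MESSAGE")
    wire.append(("S", server_wrap(make_ntlm_stub(CHALLENGE_MESSAGE))))
    # Client steps 3-4: classify the reply, unwrap it, hand it to the NTLM stub,
    # which answers with AUTHENTICATE_MESSAGE.
    state, challenge = classify_server_response(wire[-1][1])
    if state != "continue" or ntlm_message_type(challenge) != CHALLENGE_MESSAGE:
        raise ValueError("client expected a CHALLENGE_MESSAGE continuation")
    wire.append(("C", client_wrap(make_ntlm_stub(AUTHENTICATE_MESSAGE))))
    # Server: the real NTLM software verifies the response; the stub only checks the type.
    if ntlm_message_type(strip_padding(wire[-1][1], b"")) != AUTHENTICATE_MESSAGE:
        raise ValueError("server expected AUTHENTICATE_MESSAGE")
    wire.append(("S", b"235 2.7.0 Authentication successful\r\n"))
    return wire


if __name__ == "__main__":
    for sender, line in run_exchange():
        print(sender, line.decode("ascii").rstrip())
```

Run stand-alone, the program prints the four lines as they would appear on the wire: two client commands carrying only a base64 blob, a 334 continuation carrying the challenge blob, and the final 235 reply. The `validate=True` decode and the MessageType check are the two places where the otherwise pass-through SMTP layer can fail early on malformed input instead of forwarding garbage to the NTLM software.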

Implementers of the NT LAN Manager (NTLM) Authentication: Simple Mail Transfer Protocol (SMTP) Extension need to possess a working knowledge of the following:

  • Simple Mail Transfer Protocol (SMTP), as specified in [RFC5321] and [RFC5322]

  • Multipurpose Internet Mail Extensions (MIME) base64 encoding method, as specified in [RFC1521]

  • NTLM Authentication Protocol, as specified in [MS-NLMP]