1.3 Overview

Client applications that connect to the Post Office Protocol - Version 3 (POP3) service can use either standard plain text password authentication, as described in [RFC1939], or NT LAN Manager (NTLM) authentication.<1>

The NTLM POP3 Extension specifies how a POP3 client and POP3 server can use the NT LAN Manager (NTLM) Authentication Protocol, as described in [MS-NLMP], so that the POP3 server can authenticate the POP3 client. NTLM is a challenge/response authentication protocol that depends on the application layer protocols to transport NTLM packets from client to server, and from server to client.

This specification defines how the POP3 AUTH command, as described in [RFC1734], is used to perform authentication by using the NTLM Authentication protocol. The POP3 AUTH command standard defines an extensibility mechanism for arbitrary authentication protocols to be plugged in to the core protocol.

This specification defines an embedded protocol in which NTLM authentication data is first transformed into a base64 encoding representation, and then formatted by padding with POP3 keywords as defined by the AUTH mechanism. The base64 encoding and the formatting are very rudimentary, and solely intended to make the NTLM data fit the framework described in [RFC1734]. The following figure shows the sequence of transformations that are performed on an NTLM message to produce a message that can be sent over POP3.

Figure 1: Relationship between NTLM message and POP3: NTLM Authentication Protocol message

This document specifies a pass-through protocol that does not specify the structure of NTLM information. Instead, the protocol relies on the software that implements the NTLM Authentication Protocol (as described in [MS-NLMP]) to process each NTLM message that is to be sent or received.

This specification defines a client role and a server role.

When POP3 performs an NTLM authentication, it has to interact with the NTLM subsystem appropriately. The following is an overview of this interaction.

If acting as a POP3 client:

  1. The NTLM subsystem returns the first NTLM message to the client, to be sent to the server.

  2. The client applies the base64 encoding and POP3 padding transformations mentioned earlier (and described in detail later in this document) to produce a POP3 message, and sends this message to the server.

  3. The client waits for a response from the server. When the response is received, the client checks to determine whether the response indicates the end of authentication (success or failure) or that authentication is continuing.

  4. If the authentication is continuing, the response message is stripped of the POP3 padding, base64 decoded, and passed into the NTLM subsystem, at which point the NTLM subsystem might return another NTLM message that has to be sent to the server. Steps 2 through 4 are repeated until authentication either succeeds or fails.

If acting as a POP3 server:

  1. The server waits to receive the first POP3 authentication message from the client.

  2. When a POP3 message is received from the client, the POP3 padding is removed, the message is base64 decoded, and the resulting NTLM message is passed into the NTLM subsystem.

  3. The NTLM subsystem returns a status that indicates whether authentication completed successfully or failed, or whether more NTLM messages have to be exchanged to complete the authentication.

  4. If the authentication is continuing, the NTLM subsystem returns an NTLM message that has to be sent to the client. This message is base64 encoded, the POP3 padding is applied, and the result is sent to the client. Steps 2 through 4 are repeated until authentication either succeeds or fails.

The sequence that follows shows the typical flow of packets between client and server after NTLM authentication has been selected:

  1. The POP3 client sends an NTLM NEGOTIATE_MESSAGE message (as described in [MS-NLMP]) embedded in a POP3 packet to the server.

  2. On receiving the POP3 packet with an NTLM NEGOTIATE_MESSAGE message, the POP3 server sends an NTLM CHALLENGE_MESSAGE message (as described in [MS-NLMP]) embedded in a POP3 packet to the client.

  3. In response, the POP3 client sends an NTLM AUTHENTICATE_MESSAGE message (as described in [MS-NLMP]) embedded in a POP3 packet.

  4. The server then sends a POP3 response to the client to complete the authentication process successfully.

The NTLM NEGOTIATE_MESSAGE, NTLM CHALLENGE_MESSAGE, and NTLM AUTHENTICATE_MESSAGE message packets contain NTLM authentication data that has to be processed by the NTLM software that is installed on the local computer. The manner in which NTLM messages are to be retrieved and processed is described in [MS-NLMP].
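The following is an added example, not code from the specification or from any Microsoft implementation. It models the pass-through layer described above: the base64-plus-POP3-framing transformation, the client-role and server-role step loops, and the NEGOTIATE / CHALLENGE / AUTHENTICATE exchange. The line conventions it uses (client opens with `AUTH NTLM`, server continuation lines start with `+`, completion is `+OK` or `-ERR`) are those of [RFC1734]; the NTLM subsystem itself is replaced by stub classes that emit opaque, constructed byte strings rather than real [MS-NLMP] messages, and the reply texts after `+OK` / `-ERR` are arbitrary.

```python
import base64
import binascii

CRLF = "\r\n"

# --- Constructed stand-in for the NTLM subsystem ([MS-NLMP]) ---------------
# A real subsystem produces NEGOTIATE_MESSAGE / CHALLENGE_MESSAGE /
# AUTHENTICATE_MESSAGE packets; these stubs emit opaque byte strings so that
# the POP3 framing layer can be exercised offline. The payloads are not NTLM.
class StubNtlmClient:
    def first_message(self) -> bytes:
        return b"NEGOTIATE(stub)"

    def process(self, challenge: bytes) -> bytes:
        # A real client derives the response from the challenge; the stub
        # just echoes it so the transcript shows the dependency.
        return b"AUTHENTICATE(stub for " + challenge + b")"


class StubNtlmServer:
    """process() returns (status, outgoing); status is 'continue', 'success' or 'failure'."""
    def process(self, message: bytes):
        if message.startswith(b"NEGOTIATE"):
            return "continue", b"CHALLENGE(stub)"
        if message.startswith(b"AUTHENTICATE"):
            return "success", b""
        return "failure", b""


# --- POP3 framing layer: base64 plus the [RFC1734] AUTH line conventions ---
def wrap(ntlm_message: bytes) -> str:
    """Base64-encode an NTLM message into one CRLF-terminated POP3 line."""
    return base64.b64encode(ntlm_message).decode("ascii") + CRLF


def unwrap(line: str) -> bytes:
    """Strip the POP3 framing and base64-decode the NTLM payload.

    Raises ValueError on malformed base64 so the caller can fail closed
    instead of handing garbage to the NTLM subsystem."""
    body = line.rstrip("\r\n")
    if body.startswith("+"):            # server continuation: "+ <base64>" or bare "+"
        body = body[1:].lstrip(" ")
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"malformed base64 in POP3 AUTH line: {body!r}") from exc


def classify_server_line(line: str) -> str:
    """Map a server reply to 'success', 'failure' or 'continue' per [RFC1734]."""
    body = line.rstrip("\r\n")
    if body.startswith("+OK"):
        return "success"
    if body.startswith("-ERR"):
        return "failure"
    if body.startswith("+"):
        return "continue"
    raise ValueError(f"unexpected POP3 reply: {body!r}")


def run_exchange(ntlm_client=None, ntlm_server=None):
    """Drive the client role and server role against each other.

    Returns (transcript, outcome): transcript is a list of (sender, line)
    with sender 'C' or 'S'; outcome is 'success' or 'failure'."""
    ntlm_client = ntlm_client or StubNtlmClient()
    ntlm_server = ntlm_server or StubNtlmServer()
    transcript = []

    # Client step 1: obtain the first NTLM message after selecting the mechanism.
    transcript.append(("C", "AUTH NTLM" + CRLF))
    transcript.append(("S", "+" + CRLF))          # server ready, empty continuation
    outgoing = ntlm_client.first_message()

    while True:
        # Client step 2: encode and frame, then send.
        client_line = wrap(outgoing)
        transcript.append(("C", client_line))

        # Server steps 2-3: unframe, hand to NTLM, read the status.
        try:
            status, reply_msg = ntlm_server.process(unwrap(client_line))
        except ValueError:
            status, reply_msg = "failure", b""    # reject undecodable input
        if status == "success":
            server_line = "+OK Authenticated" + CRLF
        elif status == "failure":
            server_line = "-ERR Authentication failed" + CRLF
        else:                                     # server step 4: frame and send
            server_line = "+ " + base64.b64encode(reply_msg).decode("ascii") + CRLF
        transcript.append(("S", server_line))

        # Client steps 3-4: only a continuation line is passed back to NTLM.
        outcome = classify_server_line(server_line)
        if outcome != "continue":
            return transcript, outcome
        outgoing = ntlm_client.process(unwrap(server_line))


if __name__ == "__main__":
    for sender, line in run_exchange()[0]:
        print(sender, line.rstrip())
```

The framing functions never inspect the NTLM payload, which is the pass-through property the overview describes: the only decisions the POP3 layer makes are which prefix a line carries and whether the base64 decodes cleanly. The `validate=True` decode and the `-ERR` fallback are a design choice for the example so that a malformed line ends the exchange rather than reaching the NTLM subsystem.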

This specification defines the delegate access mechanism that is used by a POP3 client.

Implementers of this specification have to conform to POP3, as described in [RFC1734] and [RFC1939], the MIME base64 encoding method, as described in [RFC2045], and the NTLM Authentication Protocol, as described in [MS-NLMP].