SMTP NTLM authentication bug?

spodskubkahcs · May 13, 2022, 9:40am

Dear Lucee community,

I seem to have discovered a problem with SMTP NTLM authentication against Microsoft Exchange.

At first I had the credentials wrong when configuring the Mailserver in the Lucee Web Admin.
Trying to send a test mail resulted in the following mailserver response, which is fine in this case.

535 5.7.3 Authentication unsuccessful

However, when I fixed the credentials and tried to send a test mail again, this happened (334 responses shortened for brevity):

lucee.runtime.exp.NativeException: 334 TlRMTVNTUAACAAAA...
at com.sun.mail.smtp.SMTPTransport$Authenticator.authenticate(SMTPTransport.java:960)
at com.sun.mail.smtp.SMTPTransport.authenticate(SMTPTransport.java:876)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:780)
at javax.mail.Service.connect(Service.java:388)
at lucee.runtime.net.smtp.SMTPSender.run(SMTPSender.java:60)
Caused by: javax.mail.AuthenticationFailedException: 334 TlRMTVNTUAACAAAA...;
nested exception is:
java.lang.ArrayIndexOutOfBoundsException: arraycopy: last destination index 260 out of bounds for byte[256]
... 5 more
Caused by: java.lang.ArrayIndexOutOfBoundsException: arraycopy: last destination index 260 out of bounds for byte[256]
at java.base/java.lang.System.arraycopy(Native Method)
at com.sun.mail.auth.Ntlm.generateType3Msg(Ntlm.java:331)
at com.sun.mail.smtp.SMTPTransport$NtlmAuthenticator.doAuth(SMTPTransport.java:1107)
at com.sun.mail.smtp.SMTPTransport$Authenticator.authenticate(SMTPTransport.java:942)
... 4 more

I understand that this problem may not be Lucee’s fault at all but of the used NTLM library.
In that case, can someone point me in the right direction?

Could it help to

update Lucee to 5.3.9.133 (I didn’t see NTLM mentioned in the release notes)?
switch to the JRE 8 Docker image?
contact the author of the NTLM library (who is that)?

I’m sorry that I haven’t tried any more of these options yet myself, but the mailserver in question is only available in production so I can’t easily reproduce the issue in my development environment.

I’m using the official Lucee Docker image lucee/lucee:5.3.8.206:
Docker Host OS: Ubuntu 20.04 LTS (GNU/Linux 5.4.0-109-generic x86_64)
Java Version: 11.0.12 (Oracle Corporation) 64bit
Tomcat Version: 9.0.53
Lucee Version: 5.3.8.206

PS: keep up the good work, Lucee is an amazing project!

gaurav.guleria · January 31, 2025, 12:30pm

Faced a similar issue, when using NTLM auth via javax.mail library.

javax.mail 's NTLM auth implementation creates a 256 sized byte array for generating Type 3 NTLM message, which overflows for large username / hostnames / NTDomain.

This was bumped to 512 bytes in the new jakarata.mail library.

spodskubkahcs · March 4, 2025, 10:00am

Thanks for your feedback after such a long time.
I was able to work around this issue back then by using another outgoing mail server.

However, it’s very good to know that this problem was indeed fixed in the new jakarta.mail library.
It would be interesting to know whether Lucee already got the fix and in which version.