Microsoft is preparing a patch for its Outlook email software to enable it to work with passwords and encryption while sending mail. Firms testing email security options should contact Microsoft for the update if they find Outlook fails to authenticate against their mail system.
IT Week Labs tests have found incompatibilities in the way Outlook 2002 and Outlook 2003 handle Simple Authentication and Security Layer (SASL) password authentication, and Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption, when using non-standard TCP port numbers. These three protocols are all IETF standards relating to email security. Firms supporting LAN-based users do not normally use such authentication, but companies supporting remote workers usually require username and password authentication to prevent their mail servers being used by third parties to send spam.
Currently the problems are not documented on the Microsoft web site, so companies affected by the flaws might incorrectly assume Outlook works properly and that their servers are at fault.
A Microsoft source said, "The issue you're experiencing looks very similar to something we're already working on a hotfix for, which we're hoping to be able to release very soon."
Microsoft gave us a modified Outlook file (outlph.dll) that removed the flaw from Outlook 2003. However, it said the DLL is still under development and would not be ready in time to be included in Service Pack 1 for Office 2003, due later this year. Microsoft said the patch would probably be released shortly after the service pack.
The Microsoft source said, "In the meantime, I have a version of the updated file I've attached for testing. This file should not be used or rolled out in a production environment. I'm providing it purely so that we can assess whether the hot-fix (when it's released) will resolve the problem you're experiencing, or whether it's a different issue that requires further troubleshooting."









