This post shows you how to test SMTP servers, create base64 encoded logon information and verify SMTP authentication over an opportunistic TLS (StartTLS) connection, all from the Linux and Windows command-prompt using OpenSSL.
Investigate SMTP authentication issues like a boss! Particularly over TLS encrypted SMTP connections, it’s always handy if you are able to test the SMTP authentication and StartTLS connection. Preferably from your command-prompt.
SMTP authentication, or SMTP AUTH, is a security measure that requires users to log in with a username and password when sending emails through an SMTP server. This ensures that only authorized users can send emails, preventing spam and unauthorized access to the email system.
SMTP Authentication
SMTP Authentication is the mechanism by which the clients of an ISP identify themselves to the mail server through which they intend to send email.
SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol whereby an SMTP client may log in using an authentication mechanism chosen among those supported by the SMTP server.
What is Transport Layer Security (TLS)?
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which are designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to assure the counterparty with whom they are communicating, and to exchange a symmetric key.
Test TLS connections and SMTP AUTH from the Linux and Windows command-prompt
In this post you’ll learn how to test SMTP authentication with StartTLS from the command-prompt. Neat, right?! 🙂
Most SMTP and mail sending problems come from the fact that either the username and password combination is incorrect, the mail server doesn’t support StartTLS, or the authentication mechanism used is wrong.
Let’s address, test and verify them all.
Being able to verify StartTLS/TLS encrypted connections with OpenSSL, and SMTP AUTH options, is ideal for when you’re having problems with email forms that send email using authenticated SMTP, over a TLS encrypted connection (from a website).
Before you can test SMTP AUTH PLAIN authentication over TLS, you need to create the login information. The login information consists of your username (normally an email address), its password, and a special character: \0
Create SMTP AUTH login information
First you need to create the logon credential combination, which has to be base64 encoded. You can use Perl and Bash in Linux or Perl and PowerShell in Windows. In the examples I’ll be using “username@example.com” as the logon name, and “password” as its password.
Perl using MIME::Base64
If you’re using Perl to create SMTP AUTH login information, you need to use the MIME::Base64 module:
perl -MMIME::Base64 -e 'print encode_base64("\000username\@example.com\000password")'
Don’t forget to escape the “@” character with the appropriate escape character, often a backslash “\” or backtick “`” (as done with “\@” above). Otherwise it’ll be interpreted as an array. The base64 encoded string will be something like:
AHVzZXJuYW1lQGV4YW1wbGUuY29tAG15X3Bhc3N3b3Jk
If you’re using Perl in Windows, you need to escape the double quotation (“) marks like:
perl.exe -MMIME::Base64 -e "print encode_base64(\"\000username\@example.com\000password\")"
Echo and base64 in Bash
You don’t necessarily need Perl to generate the base64 encoded login string; you can use plain old echo and base64 in Bash too:
echo -ne '\0username@example.com\0password' | base64
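The same encoding as two reusable shell functions, with a decoder to check what a token really contains. This is an added example, not code from the original post; the function names are hypothetical and GNU coreutils base64 is assumed.

```shell
#!/bin/sh
# Added example: build and inspect AUTH PLAIN tokens (assumes coreutils base64).

# Encode "\0<user>\0<password>". The NUL bytes live in the printf format and the
# credentials are passed as %s arguments, so a username or password that starts
# with a digit stays intact; with echo -e, '\0123456' would be read as the octal
# escape \0123 followed by "456". tr removes the line wrap that GNU base64
# inserts after 76 characters, which would otherwise split a long token in two.
auth_plain_encode() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
    echo
}

# Decode a token, one field per line: authorization identity (empty here),
# username, password. No key is involved; base64 is an encoding.
auth_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\0' '\n'
    echo
}

# The credentials used in the post:
auth_plain_encode 'username@example.com' 'password'
# The sample token printed in the post; its third field reads my_password:
auth_plain_decode 'AHVzZXJuYW1lQGV4YW1wbGUuY29tAG15X3Bhc3N3b3Jk'
```

Decoding a token before sending it is a quick way to rule out an encoding mistake when the server answers with an authentication failure.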
Create the SMTP AUTH login information with PowerShell in Windows
In Windows (Windows Server, Windows 11 or Windows 10), you can easily use PowerShell to create the base64 encoded login string (on one line):
[Convert]::ToBase64String(
[Text.Encoding]::ASCII.GetBytes(
"`0username@example.com`0password"
)
)
Remember the back tick (`) is your escape character in PowerShell, and not the backslash (\) like with Bash and Perl.
Connect to an SMTP server using opportunistic TLS with OpenSSL in Bash
Now that you have your login string ready, it’s time to connect to an SMTP server to verify SMTP authentication using opportunistic TLS. First you need the OpenSSL client in Linux or WSL (for native Windows, see install OpenSSL in Windows):
sudo apt-get install openssl
sudo yum install openssl
Second, you now can use the openssl command in Bash, as explained below, to set up a TLS encrypted connection with your SMTP server:
openssl s_client -connect smtp.example.com:25 -starttls smtp
You may need to use a different port number like 587, just ask your provider.
As Torsten mentions in the comments, if you are on an operating system with LF line endings, like Linux, you may need to add -crlf as a parameter. This openssl input/output option makes sure LF from the terminal is converted into CRLF.
This p00ps out a lot of crap.. eehh verbose output, don’t worry 😉 When the connection is made, you’ll notice an SMTP 250 code:
250 DSN
This means you can start your SMTP transaction. Use EHLO to let the SMTP server print out the supported verbs:
EHLO there
250-smtp.example.com
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Here you notice AUTH PLAIN LOGIN as a supported logon method. The SMTP mail server supports the authentication mechanism you want. Your complete username and password log-in information is wrapped in the base64 encoded string. Use that to authenticate:
AUTH PLAIN AHVzZXJuYW1lQGV4YW1wbGUuY29tAG15X3Bhc3N3b3Jk
If all goes well, the SMTP server reports a successful authentication:
235 2.7.0 Authentication successful
Because the username and password combination is only base64 encoded, not encrypted, it is effectively sent in plain text. You need StartTLS / TLS encryption to secure your SMTP connection.
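When a test session does not end in 235, the server's replies usually say why. This added example (not from the original post) classifies a saved session transcript using the EHLO AUTH line and the final reply code; the function names and verdict strings are hypothetical, the sample transcript is constructed, and 535 is the reply RFC 4954 defines for rejected credentials.

```shell
#!/bin/sh
# Added example: classify a saved SMTP session transcript.

# Print the mechanisms from the EHLO "AUTH" line, e.g. "PLAIN LOGIN".
# Accepts "250-AUTH ..." and "250 AUTH ..." (last line of the reply) as well as
# the legacy "250-AUTH=..." form, and strips the CR of CRLF line endings.
smtp_auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^250[- ]AUTH[ =]//p' | head -n 1
}

# $1 = transcript text, $2 = mechanism the client uses (default PLAIN)
smtp_diagnose() {
    mech=${2:-PLAIN}
    replies=$(printf '%s\n' "$1" | tr -d '\r')
    mechs=$(smtp_auth_mechs "$1")
    if printf '%s\n' "$replies" | grep -q '^235 '; then
        echo "authenticated"
    elif printf '%s\n' "$replies" | grep -q '^535 '; then
        echo "credentials-rejected"
    elif [ -z "$mechs" ]; then
        echo "auth-not-advertised"
    else
        # Whole-word match, so LOGIN does not satisfy a request for XLOGIN.
        case " $mechs " in
            *" $mech "*) echo "no-verdict" ;;
            *) echo "mechanism-not-offered" ;;
        esac
    fi
}

# Constructed sample: a shortened EHLO reply like the one in the post,
# followed by a rejected AUTH PLAIN attempt.
SAMPLE_REJECTED='250-smtp.example.com
250-AUTH PLAIN LOGIN
250 DSN
535 5.7.8 Authentication credentials invalid'

smtp_diagnose "$SAMPLE_REJECTED"
```

The transcript can be the text copied from the openssl s_client session; the certificate output around the SMTP replies is ignored.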
Here is how to send authenticated SMTP email over TLS from WordPress! Send email with PowerShell and how to send authenticated SMTP over a TLS encrypted connection, in PHP, ASP and ASP.NET. Neat! 🙂
How to install Perl in Windows
In order to accomplish all of the above on Windows Server or Windows 11, you might need to download and install the OpenSSL client and Perl. My post Windows 11/10 and WSL 2 DevOps environment describes how you can install OpenSSL in Windows.
For Perl (I use Strawberry Perl) it is just:
- Strawberry Perl Releases (I use the ZIP edition which doesn’t require an installation)
- Unzip strawberry-perl-5.18.2.2-32bit.zip or strawberry-perl-5.18.2.2-64bit.zip and copy the folder to c:\Perl, for example
Summary
- Learn to test SMTP authentication with StartTLS using Linux and Windows command prompts.
- Create base64 encoded login information using Perl, Bash, or PowerShell to ensure secure access.
- Use OpenSSL to connect to an SMTP server and verify SMTP authentication over TLS encrypted connections.
- Identify and troubleshoot common SMTP issues related to incorrect credentials or lack of StartTLS support.
- Install required tools like OpenSSL and Perl to facilitate testing and verification processes.
HTH! 🙂







Nice tutorial, still relevant 10 years after writing. One comment: I had to add the `-crlf` option to the openssl command to get it working from Linux, without that option the server would not respond to the EHLO command.
Thank you for your comment, Torsten. Glad you liked it 😀
I’ll add a note about -crlf asap. I’m on Windows, which uses CRLF line endings, but you’re on Linux, where default line endings are LF only. Then -crlf is required