Sysadmins of the North

Technical blog, where topics include: computer, server, web, sysadmin, MySQL, database, virtualization, optimization and security

How to test SMTP Authentication and StartTLS

17 May 2014 / / 3 Comments

How to test SMTP servers, SMTP authentication and StartTLS using the command line?

When investigating SMTP authentication issues, particular over TLS encrypted SMTP connections, it’s always handy if you are able to test the SMTP authentication and StartTLS connection. Preferably from your command line. This post shows you how to test SMTP servers, verify SMTP authentication and StartTLS encrypted connections from the Linux and Windows command line.

SMTP Authentication

SMTP Authentication is the mechanism by which the clients of an ISP identify themselves to the mail server through which they intend to send email.

SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol whereby an SMTP client may log in using an authentication mechanism chosen among those supported by the SMTP server.

What is Transport Layer Security (TLS)?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which are designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to assure the counterparty with whom they are communicating, and to exchange a symmetric key.

Test TLS connections and SMTP AUTH from the Linux and Windows command line

Most SMTP and mail sending problems come from the fact that either the username and password log-in combination is incorrect, the mail server doesn’t support StartTLS, or the authentication mechanism used is wrong.

Let’s address, test and verify them all.

Being able to verify (Start)TLS encrypted connections with OpenSSL, and SMTP AUTH options, is ideal for when you’re having problems with email forms that send email using authenticated SMTP, over an TLS encrypted connection (fom a website).

To verify SMTP authentication over TLS, you need the OpenSSL client:

sudo apt-get install openssl
sudo yum install openssl

Create SMTP AUTH log-in information with Perl

Before you can test the SMTP AUTH PLAIN authentication over TLS, you need to create log-in information. The log-in information is your usename (email address) and password, and a special character \0. Normally this is an email address and its password.

To create the combination – which has to be base64 encoded – you can use Perl:

perl -MMIME::Base64 -e 'print encode_base64("\000username\@example.com\000password")'

You must not forget to escape the @ char with a slash (\), otherwise it’ll be interpreted as an array. The base64 encoded string will be something like:

AHVzZXJuYW1lQGV4YW1wbGUuY29tAG15X3Bhc3N3b3Jk

SMTP AUTH log-in information with Bash

You don’t necessarily need Perl to generate a log-in hash, you can use Bash too:

echo -ne '\0username@example.com\0password' | base64

Connect to an SMTP server with openssl in bash

In bash you now can use the openssl command, as explained below, to set up a TLS encrypted connection with your SMTP server:

openssl s_client -connect smtp.example.com:25 -starttls smtp

This gives a lot of verbose output, don’t worry :)

When the connection is made, you’ll notice an SMTP 250 code:

250 DSN

This means you can start your SMTP transaction. Use EHLO to let the SMTP server print out the supported verbs:

EHLO there
250-smtp.example.com
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Here you notice AUTH PLAIN LOGIN as a log-in method. The SMTP mail server supports the authentication mechanism you want. Your complete username and password log-in information is wrapped in the base64 encoded string. Use that to authenticate:

AUTH PLAIN AHVzZXJuYW1lQGV4YW1wbGUuY29tAG15X3Bhc3N3b3Jk

If all goes well, the SMTP server reports a successful authentication:

235 2.7.0 Authentication successful

Because the username and password combination is base64 encoded, and is sent in plain text, you need StartTLS/TLS encryption to secure your SMTP connection.

How to install OpenSSL and Perl on Windows

In order to accomplish all of the above on Windows Server or Windows 8.1 or 10, you need to download and install the OpenSSL client and Perl (I use Strawberry Perl):

  • Win32 OpenSSL Installation Project (choose the right flavor)
  • Strawberry Perl Releases (I use the ZIP edition which doesn’t require an installation)
  • Install OpenSSL to c:\OpenSSL-Win32 or c:\OpenSSL-Win64, depending on the bitness
  • Unzip strawberry-perl-5.18.2.2-32bit.zip or strawberry-perl-5.18.2.2-64bit.zip and copy the folder to c:\Perl for example

Configure your Windows OpenSSL environment

Now configure your OpenSSL environment in Windows to prevent openssl.cnf warnings:

  1. at the cmd.exe command line, type set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg. This will prevent an error message: WARNING: can't open config file: /usr/local/ssl/openssl.cnf

Create SMTP AUTH log-in information and connecto to an SMTP server with Perl/openssl in Windows

Use the following Perl command to generate the base64 encoded log-in string. Notice the quotation marks:

perl.exe -MMIME::Base64 -e "print encode_base64(\"\000username\@example.com\000password\")

In this example the output is

AHVzZXJuYW1lQGV4YW1wbGUuY29tAHBhc3N3b3Jk

Connect to your SMTP server with openssl.exe, and repeat the earlier mentioned steps with EHLO and AUTH PLAIN:

c:\OpenSSL-Win64\bin>openssl.exe s_client -connect smtp.example.com:25 -starttls smtp

Bonus: verify StartTLS for SMTP-, POP3- or IMAP servers – Check HTTPS TLS/SSL certificates

To verify whether your (SMTP-, POP3-, or IMAP) mail server supports StartTLS, use the following OpenSSL command:

openssl s_client -connect imap.example.com:143 -starttls imap
openssl s_client -connect pop.example.com:110 -starttls pop3
openssl s_client -connect smtp.example.com:25 -starttls smtp

Check HTTPS TLS/SSL certificate
Use openssl to check and verify HTTPS connections:

openssl s_client -tls1_2 -servername host -connect 203.0.113.15:443

Substitute host with your host header or domain name, and 203.0.113.15 with the IP address of your web server.

Protip: check SSL certificate expiration date.
This one-liner checks the SSL certificate expiration date, from the Linux command line using openssl:
echo | openssl s_client -connect mx.example.com:25 -starttls smtp | openssl x509 -noout -dates

Security

Previous post
“Node.js Performance Tip of the Week: Scaling with Proxies and Clusters”
Next post
Minify JavaScript, CSS and compress images

3 Comments

  1. Anonymous

    22 June 2017 at 16:12

    Hi

    Very useful. Thanks a lot.

    In windows (Power Shell) you can run the following commnad to obtain the SSL Certificate Expiration Date.(Like Linux Protip)

    write-output “quit\r” | c:\OpenSSL-Win64\bin\openssl.exe s_client -connect smtp.example.com:25 -starttls smtp | c:\OpenSSL-Win64\bin\openssl.exe x509 -enddate -noout

    Reply
  2. Josh West

    4 April 2017 at 22:27

    Thanks so much for this! Really helped me out in troubleshooting issues with our SMTP provider (SendGrid)

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Categories

ITFAQ.nl
WordPress hosting

25 Most Popular Tags

.htaccess AppCmd ASP.NET Bash IIS Joomla! linux MySQL optimization performance PHP plugin PowerShell security SMTP SSL URL Rewrite web.config web application security website Website security WinCache Windows WordPress XSS

Buy me a beer or coffee

Did you find a post interesting? Has a post helped you solve a problem? Then why not support us by making a small donation?!

Support this site with a small donation of just $5,- tip: no Paypal account required :) Thanks for your support. ♥

© 2018 Sysadmins of the North

Theme by Anders NorenUp ↑

cAg tv