Saturday, June 08, 2013
Wednesday, June 05, 2013
SMTP TLS Authentication Testing
To test the SMTP connection, sometimes we are using telnet to port 25 and run some SMTP commands to diagnose the problems. What if you want to test the SMTP authentication using telnet? What if the SMTP server only authenticates on TLS only?
To test whether your SMTP support authentication, try the following
telnet your-smtp-server.domain.tld 25
Connected to your-smtp-server.domain.tld.
Escape character is '^]'.
220 your-smtp-server.domain.tld ESMTP
EHLO localhost
250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
To test whether your SMTP support authentication, try the following
telnet your-smtp-server.domain.tld 25
Connected to your-smtp-server.domain.tld.
Escape character is '^]'.
220 your-smtp-server.domain.tld ESMTP
EHLO localhost
250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
As you can see, the responds from the SMTP server after your issued EHLO localhost command, is that it does not support Authentication, however it supports TLS (250-STARTTLS)
So now we can try to communicate using TLS, with the following
openssl s_client -starttls smtp -crlf -connect your-smtp-server.domain.tld:25
CONNECTED(00000003)
depth=0 C = AU, ST = NSW, L = Sydney, O = Laurence Corp, OU = IT, CN = your-smtp-server.domain.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = NSW, L = Sydney, O = Laurence Corp, OU = IT, CN = your-smtp-server.domain.tld
verify return:1
---
Certificate chain
0 s:/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
i:/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC8jCCAlugAwIBAgIJAMCZFNimordBMA0GCSqGSIb3DQEBBQUAMIGRMQswCQYD
VQQGEwJBVTEMMAoGA1UECAwDTlNXMQ8wDQYDVQQHDAZTeWRuZXkxJzAlBgNVBAoM
HkludmVzdGEgUHJvcGVydGllcyBQdHkgTGltaXRlZDELMAkGA1UECwwCSVQxLTAr
BgNVBAMMJG1haWwuYnVpbGRpbmdzZXJ2aWNlcy5pbnZlc3RhLmNvbS5hdTAeFw0x
MzA2MDUwMDQ5MzFaFw0yMzA2MDMwMDQ5MzFaMIGRMQswCQYDVQQGEwJBVTEMMAoG
A1UECAwDTlNXMQ8wDQYDVQQHDAZTeWRuZXkxJzAlBgNVBAoMHkludmVzdGEgUHJv
cGVydGllcyBQdHkgTGltaXRlZDELMAkGA1UECwwCSVQxLTArBgNVBAMMJG1haWwu
YnVpbGRpbmdzZXJ2aWNlcy5pbnZlc3RhLmNvbS5hdTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEA3Vys9Nf1CpuBMzPWCIwldQkHY0EdMTAqh8sKhx/xhjOhRxwB
xKsZFrZ1guWBxqt5/JMt40BL80dpS6lLRZrz83TnFUm9FNZwjhD3mD1axqj2o4Nv
NFZ5I3Z3fP2hIj0y+urKVj81th/GMHrUBEBSqHUTGVEuRsCkJFuJIxYwTYMCAwEA
AaNQME4wHQYDVR0OBBYEFPvDIre1ur+c+i1H5EymKQrOU3vhMB8GA1UdIwQYMBaA
FPvDIre1ur+c+i1H5EymKQrOU3vhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADgYEAEgHjkzqZaZfWxALWTR/KEQsrE3NonN8cDefTtdaPPOaKXYPU/pKvogj2
TwouZpOQ7qaSrvgAMPLSYmMLuVVGzBccygN1f3xAXiTtOzaerLSJeelpYW2I5uRD
OJInTiHuzs/nnQa+3pT0IGS48fJJhn6xEBLsHrVzYl4Ud3iEsgo=
-----END CERTIFICATE-----
subject=/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
issuer=/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
---
No client certificate CA names sent
---
SSL handshake has read 1564 bytes and written 411 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 163CF3718E7E3DAD34259654B2510CEFD6CDBFEE0D067FAF6D816C6145D45301
Session-ID-ctx:
Master-Key: FEEAB321DE6A876EB0954FB3372A540CC09D3E8F14D4EBBEB8448FE7D6CDADD3DAB9201B7450FDCAA7F2448BC0949AF7
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 3600 (seconds)
TLS session ticket:
0000 - 8f 85 00 21 ba e2 05 db-9d c2 1c 04 86 29 e2 68 ...!.........).h
0010 - 1f 62 6a fa b8 d4 9f a6-a9 0b 1a 56 20 60 80 a2 .bj........V `..
0020 - d0 67 1a 16 87 d0 a7 00-95 57 ff b1 14 1a fc f1 .g.......W......
0030 - 3c 1e 4f 5e 9d 5a f7 d8-20 02 33 9a cf df 38 85 <.O^.Z.. .3...8.
0040 - e6 bd fb 84 26 b7 90 6c-04 a3 aa 2e 61 f5 66 8d ....&..l....a.f.
0050 - d2 75 6e b3 04 f8 58 6c-e9 60 66 65 4d 25 63 a4 .un...Xl.`feM%c.
0060 - 4f 11 cb 7e 67 49 77 cf-36 23 cc 9d 57 70 8d d4 O..~gIw.6#..Wp..
0070 - 1e 34 3e 15 c0 ba 22 48-b1 d3 47 0e ca 16 08 79 .4>..."H..G....y
0080 - e4 fc a6 7f 2f 8b 73 94-0d e9 dd e3 1c 82 a2 a9 ..../.s.........
0090 - f7 00 94 ad 14 5d f7 c2-2b 3e d1 f7 4d 9c 9b 1c .....]..+>..M...
00a0 - 33 2b 54 8b dd 6e 96 70-83 77 47 c9 26 8c c0 df 3+T..n.p.wG.&...
Compression: 1 (zlib compression)
Start Time: 1370408569
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 DSN
EHLO localhost
250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
As you can see now after we are connected using TLS, and issue EHLO localhost command, the 250-AUTH command is supported and it also supports PLAIN
To test the authentication, you need to generate encode base 64 value, using PERL. To do that, for example if you have a username: myname and password: mypass, you would run the following command in the format of: perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password")'
perl -MMIME::Base64 -e 'print encode_base64("myname\0myname\0mypass")'
bXluYW1lAG15bmFtZQBteXBhc3M=
You then have the encode base 64 value of bXluYW1lAG15bmFtZQBteXBhc3M=
You can then issue the AUTH PLAIN command
AUTH PLAIN bXluYW1lAG15bmFtZQBteXBhc3M=
235 2.7.0 Authentication successful
As you can see we are authenticated, you can then do the usual stuff with SMTP