SMTP AUTH Connection Tests
When configuring an outbound SMTP relay, it is important to restrict access to owned / authorized networks or to specific authenticated users, so that it cannot be used as an open relay for garbage submission.
For this reason it is important to know how to check that the authentication mechanism is working correctly.
In order to issue the AUTH command to an SMTP server, it is fundamental to have the base64-encoded version of the Username and Password.
This Perl command (the MIME::Base64 module is required) does the encoding:
perl -MMIME::Base64 -e 'print encode_base64("\000username\000password")'
The output (in this case) is: AHVzZXJuYW1lAHBhc3N3b3Jk
Depending on the server configuration, it may be necessary to use SSL or TLS before sending the AUTH command.
Sending the AUTH command without SSL or TLS means sending the username and password in clear text (base64 is an encoding, not encryption), which is obviously insecure.
To connect to a non-secured SMTP server on IP address 22.214.171.124, simply use a telnet client on port 25 (SMTP) or 587 (Submission):
# telnet 126.96.36.199 25
To check whether a server supports TLS, send the EHLO command during an unencrypted SMTP session (example run on localhost):
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
relay postfix/smtpd[XXXX]: connect from localhost[127.0.0.1]
220 relay.test.bravi.org ESMTP Postfix (2.8.5) OutBound relay
EHLO TEST
250-relay.test.bravi.org
250-PIPELINING
250-SIZE 32768000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
relay postfix/smtpd[XXXX]: disconnect from localhost[127.0.0.1]
221 2.0.0 Bye
Connection closed by foreign host.
If the “STARTTLS” capability is present in the list, the server will accept the STARTTLS command. It is possible to use the “-starttls smtp” option of openssl s_client to connect.
This makes openssl connect normally (without encryption), send a STARTTLS command, negotiate the SSL encryption, and then allow you to interact with the encrypted session.
openssl s_client -starttls smtp -crlf -connect 188.8.131.52:25
Or for Submission:
openssl s_client -starttls smtp -crlf -connect 184.108.40.206:587
For a server with the SSL wrapper enabled (SMTPS), the command would be:
openssl s_client -crlf -connect 220.127.116.11:465
Looking at the EHLO response in the previous telnet session: if AUTH is in the list and PLAIN is one of the supported mechanisms, it is possible to test authentication as follows:
1. Authentication OK:
AUTH PLAIN AHVzZXJuYW1lAHBhc3N3b3Jk
235 2.7.0 Authentication successful
2. Authentication KO:
AUTH PLAIN AHVzZXJuYq3rrHBhc3N3b369
535 5.7.8 Error: authentication failed
Once authenticated, it is possible to continue with a normal SMTP session.
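The checks above as an added Python example (not part of the original page; the function names are hypothetical): it builds and decodes the AUTH PLAIN token, showing that base64 hides nothing, and parses the EHLO reply from the session above to report whether password mechanisms are advertised before STARTTLS.

```python
import base64

# Constructed sample: EHLO reply lines copied from the unencrypted session above.
SAMPLE_EHLO = """250-relay.test.bravi.org
250-PIPELINING
250-SIZE 32768000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def encode_auth_plain(username, password, authzid=""):
    """Build the AUTH PLAIN argument: base64(authzid NUL username NUL password)."""
    raw = "\0".join((authzid, username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Reverse the encoding; anyone who captures the token on the wire can do the same."""
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    authzid, username, password = raw.split("\0")
    return authzid, username, password


def parse_ehlo(reply):
    """Return (starttls_offered, sorted AUTH mechanisms) from a multi-line 250 reply."""
    starttls, mechanisms = False, set()
    for line in reply.splitlines()[1:]:      # first line only carries the hostname
        if not line.startswith("250"):
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        keyword = keyword.upper()
        if keyword == "STARTTLS":
            starttls = True
        elif keyword == "AUTH":
            mechanisms.update(params.upper().split())
        elif keyword.startswith("AUTH="):    # legacy form, e.g. "AUTH=LOGIN PLAIN"
            mechanisms.update((keyword[5:] + " " + params).upper().split())
    return starttls, sorted(mechanisms)


def cleartext_auth_offered(reply):
    """True when PLAIN/LOGIN are advertised in a reply captured before encryption."""
    return bool({"PLAIN", "LOGIN"} & set(parse_ehlo(reply)[1]))
```

On Postfix, setting `smtpd_tls_auth_only = yes` stops AUTH from being advertised or accepted before STARTTLS, so the same EHLO on an unencrypted session would no longer list it.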