SMTP AUTH Connection Tests

When configuring an outbound SMTP relay, it is important to restrict access to owned or authorized networks, or to specific users via authentication, so that the relay cannot be abused as an open relay for spam.

For this reason it is important to know how to check that the authentication mechanism is working correctly.

To issue the AUTH PLAIN command to an SMTP server, the client needs the base64 encoding of the SASL PLAIN message defined in RFC 4616: an optional authorization identity (empty here), a NUL byte, the username, another NUL byte and the password.
This perl command (the MIME::Base64 module is required; it is part of the standard perl distribution) does the encoding:

perl -MMIME::Base64 -e\
 'print encode_base64("\000username\000password")'

The output (in this case) is: AHVzZXJuYW1lAHBhc3N3b3Jk

Because the credentials sit in a double-quoted perl string, a password containing @ or $ must have those characters escaped with a backslash, otherwise perl interpolates them and encodes something else; decode the output (for example with base64 -d | od -c) to confirm it contains exactly the expected bytes.

Depending on the server configuration, it may be necessary to start TLS before sending the AUTH command.
Sending AUTH over an unencrypted session means the username and password travel in clear text (base64 is an encoding, not encryption, and anyone on the path can decode it), which is obviously insecure. A well-configured relay refuses plaintext AUTH; on Postfix, smtpd_tls_auth_only = yes makes the server announce and accept AUTH only after STARTTLS.

To connect to an SMTP server without TLS (for example 1.2.3.4), the telnet client can be used on port 25 (SMTP) or 587 (Submission):

# telnet 1.2.3.4 25

To check whether a server supports STARTTLS, send the EHLO command in an unencrypted SMTP session and read the advertised capabilities (example run on localhost; the postfix/smtpd lines are from the server's mail log, shown alongside the session):

# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
relay postfix/smtpd[XXXX]: connect from localhost[127.0.0.1]
220 relay.test.bravi.org ESMTP Postfix (2.8.5) OutBound relay
EHLO TEST
250-relay.test.bravi.org
250-PIPELINING
250-SIZE 32768000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
relay postfix/smtpd[XXXX]: disconnect from localhost[127.0.0.1]
221 2.0.0 Bye
Connection closed by foreign host.

If STARTTLS appears in the capability list, the server accepts the STARTTLS command, and the -starttls smtp option of openssl s_client can be used to connect.
openssl then connects in clear text, sends EHLO and STARTTLS, negotiates TLS, and leaves you in the encrypted session to type the SMTP commands; -crlf makes it send the CR LF line endings that SMTP requires. Note that inside s_client a line beginning with a capital Q closes the connection and one beginning with a capital R triggers a renegotiation, so type quit in lowercase or add -ign_eof.

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25

Or for Submission:

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:587

For a server that offers implicit TLS (SMTPS, where the whole connection is wrapped in TLS from the start, normally on port 465), the -starttls option is omitted:

openssl s_client -crlf -connect 1.2.3.4:465

From the EHLO response in the telnet session above, AUTH is on the list (note that it is advertised before STARTTLS, so this relay also accepts cleartext logins) and PLAIN is one of the supported mechanisms, so authentication can be tested as follows, typing the AUTH line inside the openssl s_client session (or in plain telnet, but then the credentials cross the network in clear text):
1. Authentication OK:

AUTH PLAIN AHVzZXJuYW1lAHBhc3N3b3Jk
235 2.7.0 Authentication successful

2. Authentication failed:

AUTH PLAIN AHVzZXJuYq3rrHBhc3N3b369
535 5.7.8 Error: authentication failed

A wrong password and a non-existent user both get the same 535 reply, so the reply alone does not tell you which of the two was wrong.

Once authenticated, it is possible to continue with a normal SMTP session.
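The whole procedure above (encoding the PLAIN credentials, EHLO, STARTTLS where it is advertised, AUTH PLAIN, reading the 235 or 535 reply) as one non-interactive script. This is an added example, not code from the original article: 1.2.3.4, port 587 and username/password are the article's placeholders, EHLO_SAMPLE is the EHLO reply captured above, embedded as constructed test input for the parser, and the script goes a little beyond the text by also handling implicit TLS on port 465 and by warning when a server advertises AUTH before STARTTLS.

```python
import base64
import socket
import ssl

# Constructed sample: the EHLO reply from the telnet session on this page.
EHLO_SAMPLE = "\r\n".join([
    "250-relay.test.bravi.org", "250-PIPELINING", "250-SIZE 32768000", "250-VRFY",
    "250-ETRN", "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250-AUTH=LOGIN PLAIN",
    "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN", ""])

def auth_plain_token(username: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN message (authzid NUL authcid NUL passwd) as one base64 line.
    Built here in Python, so '@', '$' and '\\' in the password need no escaping."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_ehlo(reply: str) -> dict:
    """{KEYWORD: [params]} from a multi-line EHLO reply: '250-' lines continue,
    a '250 ' line ends it, and the first line carries only the server name."""
    lines = [ln for ln in reply.splitlines() if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError(f"EHLO rejected: {reply.strip()!r}")
    caps = {}
    for line in lines[1:]:
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        parts = rest.split()
        if parts:
            caps.setdefault(parts[0].upper(), []).extend(parts[1:])
        if sep == " ":
            break
    return caps

def auth_mechanisms(caps: dict) -> set:
    """Mechanisms on the standard AUTH line; Postfix's 'AUTH=' compatibility line is ignored."""
    return set(caps.get("AUTH", []))

def classify_auth_reply(reply: str) -> str:
    """235 success, 535 bad credentials, 530/538 (or an 'Encryption required' text,
    as some servers send with other codes) TLS required, 334 more SASL data wanted."""
    code = reply[:3]
    if code in ("530", "538") or "Encryption required" in reply:
        return "tls_required"
    return {"235": "ok", "535": "failed", "334": "continue"}.get(code, "other:" + code)

class SMTPSession:
    """Minimal line-based SMTP client: enough for EHLO, STARTTLS, AUTH and QUIT."""
    def __init__(self, host: str, port: int, implicit_tls: bool = False,
                 verify: bool = True, timeout: float = 10.0):
        self.host, self.verify = host, verify
        self.sock = socket.create_connection((host, port), timeout)
        if implicit_tls:                    # SMTPS (465): TLS before the banner
            self._wrap()
        else:
            self.rfile = self.sock.makefile("rb")

    def _wrap(self) -> None:
        ctx = ssl.create_default_context()
        if not self.verify:                 # only for self-signed test relays
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        self.sock = ctx.wrap_socket(self.sock, server_hostname=self.host)
        self.rfile = self.sock.makefile("rb")

    def read_reply(self) -> str:
        lines = []
        while True:
            line = self.rfile.readline().decode("utf-8", "replace")
            if not line:
                raise ConnectionError("server closed the connection")
            lines.append(line)
            if line[3:4] != "-":            # '250 ' style: last line of the reply
                return "".join(lines)

    def cmd(self, line: str) -> str:
        self.sock.sendall((line + "\r\n").encode("ascii"))
        return self.read_reply()

    def starttls(self) -> None:
        reply = self.cmd("STARTTLS")
        if not reply.startswith("220"):
            raise RuntimeError("STARTTLS refused: " + reply.strip())
        self._wrap()

def check_auth_plain(host: str, port: int, username: str, password: str,
                     implicit_tls: bool = False, verify: bool = True) -> str:
    """Banner, EHLO, STARTTLS if offered, EHLO again, AUTH PLAIN, QUIT; returns the verdict."""
    s = SMTPSession(host, port, implicit_tls, verify)
    if not s.read_reply().startswith("220"):
        raise RuntimeError("no SMTP banner")
    caps = parse_ehlo(s.cmd("EHLO authtest.example"))
    if "AUTH" in caps and not implicit_tls:
        print("WARNING: AUTH advertised before STARTTLS; cleartext logins are accepted")
    if "STARTTLS" in caps and not implicit_tls:
        s.starttls()
        caps = parse_ehlo(s.cmd("EHLO authtest.example"))  # capabilities change after TLS
    if "PLAIN" not in auth_mechanisms(caps):
        raise RuntimeError(f"AUTH PLAIN not offered, only {sorted(auth_mechanisms(caps))}")
    verdict = classify_auth_reply(s.cmd("AUTH PLAIN " + auth_plain_token(username, password)))
    s.cmd("QUIT")
    return verdict

if __name__ == "__main__":
    # Placeholders: the article's example address and credentials, not a real relay.
    print(check_auth_plain("1.2.3.4", 587, "username", "password"))
```

Run it against the relay under test with verify=False if the relay still uses a self-signed certificate; it returns "ok" for a 235 reply, "failed" for 535, and "tls_required" when the server refuses AUTH before STARTTLS. The second EHLO after STARTTLS matters: a server configured to allow authentication only over TLS advertises AUTH only there, which is exactly the behaviour this check should confirm.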
