Ubuntu: Testing authenticated SMTP over TLS/SSL

SMTP mail relays exposed to the internet typically use a combination of SSL and authenticated SMTP to avoid abuse by malicious actors.

This is an excellent choice from a security perspective, but makes smoke testing a bit more complex than just opening telnet.

Take note that SMTP AUTH as a standalone feature can be tested with plain telnet, but when it is combined with SMTP over TLS/SSL then openssl needs to be used.

SMTP Authentication

The easiest way to satisfy an SMTP server that implements the authentication service extension is to individually base64 encode the username and password and provide these encoded values when prompted by the server (AUTH LOGIN).

Start by encoding your credentials for later use. Use ‘echo -n’ so that a trailing newline is not encoded as part of the value:

$ echo -n 'myuser' | base64
bXl1c2Vy
$ echo -n 'mypass!' | base64
bXlwYXNzIQ==

Now use openssl to start a TLS/SSL connection to the SMTP server. Make sure to use the ‘-quiet’ parameter to avoid the annoying problem where typing a line that begins with the letter ‘R’ (such as RCPT TO) causes a renegotiation of the connection.

$ openssl s_client -starttls smtp -crlf -quiet -connect mysecure.smtp.com:587
250 AUTH=PLAIN LOGIN

Then, tell the server you want to authenticate by typing ‘AUTH LOGIN’ and providing the Base64 encoded value of the username.

AUTH LOGIN
334 VXNlcm5hbWU6
bXl1c2Vy

The response ‘VXNlcm5hbWU6’, when Base64 decoded, says ‘Username:’ (echo 'VXNlcm5hbWU6' | base64 -d). You will now be prompted for the password; provide the Base64 encoded value.

334 UGFzc3dvcmQ6
bXlwYXNzIQ==

If successful, you will see a success message.

235 Authentication successful

Note that ‘AUTH PLAIN’ is essentially the same, but you must provide a single Base64 string that looks like ‘<username>\0<username>\0<password>’, where \0 is a NUL byte. Generate this Base64 value with printf, which turns \0 into a real NUL byte and adds no trailing newline:

$ printf 'myuser\0myuser\0mypass!' | base64

And would use this single SMTP command to authenticate, instead of separate username and password values.

AUTH PLAIN bXl1c2VyAG15dXNlcgBteXBhc3Mh
235 Authentication successful
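
The helper script below is an added example, not part of the original article: it builds the AUTH LOGIN and AUTH PLAIN tokens described above with no stray trailing newline and with real NUL separators, and lints a token before it is sent. The function names are made up for illustration, and the base64 and od tools as shipped on Ubuntu are assumed.

```shell
#!/usr/bin/env bash
# Added example. Credentials are the page's sample values (myuser / mypass!).

# AUTH LOGIN token: Base64 of the bare value. printf '%s' adds no trailing
# newline, unlike plain echo.
auth_login_token() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# AUTH PLAIN token: <username> NUL <username> NUL <password>.
# The NULs come from the printf format; the values are passed as %s
# arguments so '%', '\' or a leading digit in them is never interpreted.
auth_plain_token() {
    printf '%s\0%s\0%s' "$1" "$1" "$2" | base64 | tr -d '\n'
}

# Decode a 334 challenge from the server, e.g. VXNlcm5hbWU6.
decode_challenge() {
    printf '%s' "$1" | base64 -d
}

# Lint a token before sending it: decode, hex-dump, and look for the two
# usual encoding mistakes. Prints "ok" or a comma-separated list.
check_token() {
    local hex findings=""
    hex=$(printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -s ' \n' ' ')
    case "$hex" in
        *" 0a ") findings="trailing-newline" ;;
    esac
    case "$hex" in
        *" 5c 30 "*) findings="${findings:+$findings,}literal-backslash-zero" ;;
    esac
    echo "${findings:-ok}"
}

# Demo: correct tokens, then two tokens as produced by plain `echo ... | base64`
# (constructed samples: a newline-terminated username and a PLAIN string with
# a literal backslash-zero).
echo "LOGIN user : $(auth_login_token 'myuser')"
echo "LOGIN pass : $(auth_login_token 'mypass!')"
echo "PLAIN      : $(auth_plain_token 'myuser' 'mypass!')"
echo "challenge  : $(decode_challenge 'VXNlcm5hbWU6')"
for t in "$(auth_plain_token 'myuser' 'mypass!')" \
         'bXl1c2VyCg==' 'bXl1c2VyXDBteXVzZXJcMG15cGFzcyEK'; do
    echo "check $t -> $(check_token "$t")"
done
```

Base64 is an encoding, not encryption, so these tokens are only protected by the TLS session that openssl has already negotiated.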

Send Test Email

After authentication, the exchange looks just like our standard SMTP exchange for an email.

EHLO <CLIENTHOST>
MAIL FROM: <FROM>
RCPT TO: <TO>
DATA
Subject: testing123

this is a test
.
QUIT

If you need to test authenticated SMTP on Windows, you can use PowerShell as described in my article here.

REFERENCES

https://fabianlee.org/2016/04/27/sending-smtp-mail-from-windows-using-powershell/

https://qmail.jms1.net/test-auth.shtml

https://technet.microsoft.com/en-us/library/aa995718(v=exchg.65).aspx

https://serverfault.com/questions/336617/postfix-tls-over-smtp-rcpt-to-prompts-renegotiation-then-554-5-5-1-error-no-v

http://blog.kapsobor.de/archives/2009/02/12/deactivating_openssl_renegotiation/

https://www.usps.org/info/smtp_status.html

https://tools.ietf.org/html/rfc3207

https://tools.ietf.org/html/rfc4954