Testing SMTP AUTH and TLS connections

Testing SMTP with TLS and AUTH using openssl

This post walks you through testing sendmail, or any MTA that supports STARTTLS. The testing is done on the server where sendmail is installed, so the examples use localhost. If you want to test from another host, for example to troubleshoot why that host cannot send mail to the sendmail MTA, replace localhost with the domain name or IP address of the server you want to test.

Find your authentication information

In order to use the AUTH command, you need the base64-encoded version of the userid and password used to authenticate to the server. Normally these are the same userid and password you use to check your mail with IMAP or POP3. Where saslauthd actually verifies them depends on how it is configured; the most common backend is PAM, i.e. the same credentials you use to log into your Linux system. This Perl command (which requires the MIME::Base64 module) does the encoding for you:

% perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=

Note that \0 appears twice between the values; don't forget either of them. The three fields are the SASL PLAIN authorization identity, authentication identity and password, and for a normal login the first two are the same username. Be aware that typing the password on the command line leaves it in your shell history and, briefly, in the process list, so use a throwaway test account or clear the history afterwards.

Connecting to the server

If the server is configured correctly, you will need to use openssl before you are able to use the AUTH command. If you can use the AUTH command without first setting up STARTTLS, you are sending your userid and password over the internet in clear text: anybody with a packet sniffer in the right spot can read the base64-encoded string you send to authenticate, and decoding it is trivial; the same Perl command above works if you change encode_base64 to decode_base64. Base64 is an encoding, not encryption. Once STARTTLS has been negotiated, the rest of the session is encrypted, so not only are your userid and password protected, but the message content is encrypted on this hop as well (what happens after the MTA relays the message onward depends on the next hop). The sendmail macro in your mc file that controls this is define(`confAUTH_OPTIONS', `A p y'); the sendmail cf/README explains the different options, but the one that matters here is "p", which means don't permit PLAIN or LOGIN (mechanisms susceptible to a simple passive attack) unless a security layer is active first. To check whether the MTA is set up to support STARTTLS, connect to the SMTP server with telnet:

% telnet localhost smtp

Before connecting with TLS to a server that should support it, verify that it actually does. When you send the EHLO command, the server responds with a list of the extensions it supports. If STARTTLS is on the list, the server will accept the STARTTLS command. Example:

% telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 yourdomain.com ESMTP Sendmail 8.14.9/8.14.9; Tue, 17 Jan 2017 19:36:31 -0700
ehlo somewhere.com
250-yourdomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 yourdomain.com closing connection
Connection closed by foreign host.

Look for 250-STARTTLS in the extension list sendmail returns. You will also notice that AUTH is not listed. That doesn't mean the MTA doesn't support it; with the "p" option it simply isn't offered until a TLS session is active. If STARTTLS itself is missing, first check that your sendmail binary was built with it: "sendmail -d0.1 -bv root" prints a "Compiled with:" line that should include STARTTLS (and SASLv2 for AUTH). Here are the sendmail macros in the m4 config file /etc/mail/sendmail/sendmail.mc that enable STARTTLS:

define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.key')dnl

Once you have verified that the server supports the STARTTLS command, you can use the "-starttls smtp" option with openssl s_client to connect. This makes openssl open a plain connection, send EHLO and STARTTLS, negotiate the TLS session, and then hand the encrypted session over to you so you can enter the AUTH command. Port 465 (smtps) is different: TLS is negotiated from the first byte with no STARTTLS command, so there you connect without -starttls. The "-starttls smtp" form also works on the submission port 587 if your MTA listens there. To connect to a TLS-enabled SMTP server you would use one of these commands, depending on the port:

% openssl s_client -connect localhost:465
or
% openssl s_client -connect localhost:smtps
or
% openssl s_client -connect localhost:25 -starttls smtp
or
% openssl s_client -connect localhost:smtp -starttls smtp

Two things to know about s_client in interactive mode: a line beginning with a capital Q ends the connection and a line beginning with a capital R requests renegotiation, so type the SMTP commands in lowercase as in the examples here, or add -ign_eof to turn that behaviour off. Adding -showcerts prints the full certificate chain, and the "Verify return code" line near the end of the handshake output tells you whether openssl trusted the server certificate (a self-signed certificate like the one in the mc file above will not verify, which is fine for this test). Now make sure the server supports AUTH. When you first connect to a TLS server you will see the certificate and handshake information fly by on the screen; the last line when it stops scrolling is the server's 220 banner, which tells the client that the server is ready to accept commands. Once the banner is received, a normal SMTP client sends an EHLO command to identify the client machine and ask for the list of extensions the server supports:

% openssl s_client -connect localhost:smtps
...certificate and handshake details fly by...
220 yourdomain.com ESMTP Sendmail 8.14.9/8.14.9; Tue, 17 Jan 2017 20:33:03 -0700
ehlo somewhere.com
250-yourdomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP

Look at the response to your EHLO command and make sure AUTH is on the list and that PLAIN is one of the mechanisms offered. If it is not listed, the server will not let you send an AUTH command. Either the connection is not secured and the server is protecting you from sending your credentials across the net in plain text, or sendmail is configured incorrectly. Here are the sendmail macros you need to support the AUTH option (sendmail must also be built with SASL support, and saslauthd must be running):

define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p y')dnl

Sending the AUTH command

Now that we have used openssl to start an encrypted TLS session and seen that the MTA supports AUTH, send the actual AUTH command to authenticate. A successful login is answered with a 235 reply:

AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=

235 2.0.0 OK Authenticated

If you see this message, you are authenticated. If you see this one instead…

535 5.7.0 authentication failed

…the credentials were rejected. Because sendmail hands the password check to saslauthd, test that layer directly with "testsaslauthd -u username -p password" (from the cyrus-sasl tools) and look at the mail log before assuming the problem is in sendmail itself. To exit, type "quit".
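The whole procedure above, scripted, as an added example that is not part of the original post: build the SASL PLAIN token, parse the EHLO extension list, check that AUTH is offered only after STARTTLS, then send AUTH PLAIN and classify the reply. It uses only the Python standard library. The client name test.invalid, the sample EHLO transcripts (copied from the two sessions above) and the sample reply lines are constructed for illustration; check_server() needs a reachable MTA and real credentials, and verify=False is only there to accept a self-signed test certificate like the one in the mc file above.

```python
# Added example, not code from the original post. test.invalid, the sample
# transcripts and sample reply lines are constructed; check_server() needs a
# real MTA and real credentials.
import base64
import socket
import ssl

# EHLO replies copied from the two sessions in the post: plaintext, then TLS.
EHLO_PLAINTEXT = """250-yourdomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-SIZE
250-STARTTLS
250 HELP"""
EHLO_AFTER_TLS = """250-yourdomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-SIZE
250-AUTH LOGIN PLAIN
250 HELP"""

def plain_token(authcid, password, authzid=""):
    """Base64 of the SASL PLAIN message authzid NUL authcid NUL password.
    The post uses the username as both identities; RFC 4616 also allows an
    empty authzid, which servers take to mean 'same as authcid'."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain_token(token):
    """Inverse of plain_token: base64 is encoding, not encryption."""
    parts = base64.b64decode(token).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(parts)

def parse_ehlo(reply):
    """Multi-line 250 reply -> {KEYWORD: [params]}; the greeting line is skipped."""
    caps, greeting_seen = {}, False
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith("250"):      # echoed command, banner, blank
            continue
        if not greeting_seen:               # '250-host Hello ...'
            greeting_seen = True
            continue
        keyword, _, params = line[4:].partition(" ")   # drop '250-' / '250 '
        if keyword:
            caps[keyword.upper()] = params.split()
    return caps

def classify_auth_reply(line):
    """Verdict for the server's reply to AUTH PLAIN."""
    code = line[:3]
    if code == "235":
        return "authenticated"
    if code == "535":
        return "rejected"        # wrong credentials or saslauthd cannot check them
    if code.startswith("5"):
        return "refused"         # e.g. AUTH not offered on this connection
    return "unexpected"

def check_server(host, port=25, user="", password="", implicit_tls=False,
                 verify=True, timeout=10.0):
    """Run the post's procedure against a live MTA and report each step.
    Port 25/587: EHLO, STARTTLS, EHLO again, AUTH PLAIN.  Port 465
    (implicit_tls=True): TLS from the first byte, like s_client on smtps.
    verify=False accepts a self-signed test certificate; only for your own host."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    if implicit_tls:
        sock = ctx.wrap_socket(sock, server_hostname=host)
    rfile = sock.makefile("rb")

    def read_reply():                       # '250-' continues, '250 ' ends
        lines = []
        while True:
            line = rfile.readline().decode("utf-8", "replace")
            if not line:
                raise ConnectionError("server closed the connection")
            lines.append(line.rstrip("\r\n"))
            if len(line) < 4 or line[3] != "-":
                return "\n".join(lines)

    def send(cmd):
        sock.sendall(cmd.encode("utf-8") + b"\r\n")
        return read_reply()

    result = {"banner": read_reply()}
    caps = parse_ehlo(send("EHLO test.invalid"))
    result["auth_before_tls"] = "AUTH" in caps   # should be False with option 'p'
    if not implicit_tls:
        result["starttls_offered"] = "STARTTLS" in caps
        if not result["starttls_offered"]:
            send("QUIT")
            sock.close()
            return result
        reply = send("STARTTLS")
        if not reply.startswith("220"):
            raise ConnectionError("STARTTLS refused: " + reply)
        sock = ctx.wrap_socket(sock, server_hostname=host)  # upgrade in place
        rfile = sock.makefile("rb")
        caps = parse_ehlo(send("EHLO test.invalid"))        # list changes now
    result["auth_plain_after_tls"] = "PLAIN" in caps.get("AUTH", [])
    if result["auth_plain_after_tls"] and user:
        token = plain_token(user, password, authzid=user)    # as in the post
        result["auth"] = classify_auth_reply(send("AUTH PLAIN " + token))
    send("QUIT")
    sock.close()
    return result

if __name__ == "__main__":
    print(check_server("localhost", 25, "username", "password", verify=False))
```

Run it against your own MTA and check the returned dictionary: auth_before_tls should be False and auth_plain_after_tls True if confAUTH_OPTIONS carries the "p" flag, and auth should read "authenticated". For port 465 pass implicit_tls=True; the STARTTLS step is skipped and the first EHLO already goes over TLS.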