Testing SMTP AUTH and TLS connections
Testing SMTP with TLS and AUTH using openssl
This post walks you through testing sendmail, or any MTA that supports STARTTLS. The tests are run on the server sendmail is installed on (localhost). If you want to test from another host, for example to troubleshoot why that host cannot send mail to the sendmail MTA, replace localhost with the domain name or IP address of the server you want to test.
Find your authentication information
In order to use the AUTH command, you need the base64-encoded form of the userid and password used to authenticate to the server. Normally these are the same credentials you use to check your mail with IMAP or POP3. Which credentials are valid depends on how saslauthd is configured; the most common mechanism is pam, i.e. the same credentials you use to log into your Linux system. This Perl command (which requires the MIME::Base64 module) does the encoding for you:
```
% perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
```

Note that \0 appears twice, separating the three values; don't leave them out. The SASL PLAIN format is authorization identity, NUL, authentication identity, NUL, password. Here the same username is used for both identities (the authorization identity may also be left empty), and encode_base64 appends a trailing newline that you do not send to the server.
Connecting to the server
If the server is configured correctly, you will need to use openssl before you can use the AUTH command. If you are able to use AUTH without first running STARTTLS, you are sending your userid and password over the network in clear text: anyone with a packet sniffer in the right spot can read the base64-encoded string you send to authenticate, and decoding it is trivial (the same Perl one-liner above works if you change encode_base64 to decode_base64). Base64 is an encoding, not encryption. Once STARTTLS has been negotiated, the rest of the session is encrypted, so your credentials and the message content are protected on the hop between your client and this MTA (not on any later hop). The sendmail macro in your .mc file that controls this is define(`confAUTH_OPTIONS', `A p y'); the sendmail documentation explains each flag, but the important one here is p: do not permit PLAIN or LOGIN unless a security layer (TLS) is already active. To check whether the MTA is set up to offer STARTTLS, connect with telnet to the SMTP port:
```
% telnet localhost smtp
```
To connect to a server that should support TLS, verify first that it actually does. When you send the EHLO command, the server responds with a list of the extensions it supports. If STARTTLS is on the list, the server will accept the STARTTLS command. Example:
```
% telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 yourdomain.com ESMTP Sendmail 8.14.9/8.14.9; Tue, 17 Jan 2017 19:36:31 -0700
ehlo somewhere.com
250-yourdomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 yourdomain.com closing connection
Connection closed by foreign host.
```
Look for 250-STARTTLS in the EHLO reply from sendmail. You will also notice that AUTH is not listed. That does not mean the MTA doesn't support it; with the p option it is only offered once a TLS session is active. Here are the sendmail macros in the m4 config file /etc/mail/sendmail/sendmail.mc that enable STARTTLS:
```
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.key')dnl
define(`confCLIENT_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/sendmail.key')dnl
```
Once you have verified that the server advertises STARTTLS, use the -starttls smtp option of openssl s_client to connect. This makes openssl send EHLO and STARTTLS, negotiate the TLS session, and then hand the encrypted session to you so you can enter the AUTH command yourself. Port 465 (smtps) uses implicit TLS, so no -starttls option is needed there. To connect to a TLS-enabled SMTP server, use any of these commands:
```
% openssl s_client -connect localhost:465
% openssl s_client -connect localhost:smtps
% openssl s_client -connect localhost:25 -starttls smtp
% openssl s_client -connect localhost:smtp -starttls smtp
```
Make sure the server supports AUTH. When you first connect to a TLS server, the certificate and key-exchange information will scroll by, and the last line you see when it stops scrolling will be the server's 220 banner, which tells the client that the server is ready to accept commands. Note that s_client connects and lets you continue even when it could not verify the server certificate (see its Verify return code line), so this test says nothing about certificate validation. Once the banner is received, a normal SMTP client sends EHLO to identify itself and ask for the server's capabilities; with -starttls smtp you have to send EHLO again yourself, because the capability list changes once TLS is active.
```
% openssl s_client -connect localhost:smtps
...bunch of SSL certificate info flies by.
220 yourdomain.com ESMTP Sendmail 8.14.9/8.14.9; Tue, 17 Jan 2017 20:33:03 -0700
ehlo somewhere.com
250-yourdomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
```
Look at the response to your EHLO command and make sure AUTH is on the list and PLAIN is one of the mechanisms it supports. If it's not listed, the server will not accept an AUTH command. This is either because the connection is not secured and the server (via the p option) is protecting you from sending your credentials across the net in plain text, or because sendmail is configured incorrectly. Here are the sendmail macros you need to support AUTH:
```
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
```
Sending the AUTH command
Now that we have used openssl to start an encrypted TLS session and seen that the MTA offers AUTH, send the actual AUTH command to try to authenticate. One s_client gotcha: when used interactively, a line starting with a capital Q closes the connection and a capital R triggers a renegotiation, so type SMTP commands in lowercase (as in the transcripts above) or start s_client with -ign_eof (or -crlf -ign_eof, which also sends the CRLF line endings SMTP expects):
```
AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
235 2.0.0 OK Authenticated
```
If you see this message, you are authenticated. If you see this one instead…
```
535 5.7.0 authentication failed
```
…then you are not authenticated: check the credentials you encoded, that saslauthd is running, and the mail log on the server. To exit, type quit.
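As an added example (not code from the original post), covering both the token encoding in "Find your authentication information" and the STARTTLS/AUTH checks above: a POSIX shell version that builds and decodes the SASL PLAIN token with printf and base64 instead of Perl, checks a captured EHLO reply for STARTTLS and for an AUTH mechanism, and drives the whole exchange through openssl s_client non-interactively. The EHLO name probe.example.com and the host/port you pass to the probe are placeholders; the two embedded EHLO replies are abridged copies of the transcripts in this post, so the capability checks run offline.

```shell
#!/bin/sh
# Added example (not from the original post): SASL PLAIN token handling and
# STARTTLS/AUTH capability checks for an SMTP MTA, in POSIX sh.
# Assumes base64(1), tr(1), grep -E and openssl(1) are on PATH.

# Build the token the AUTH PLAIN command expects:
#   base64("authzid" NUL "authcid" NUL "password")
# The post uses the same username for both identities; an empty authzid is also valid.
sasl_plain_token() {   # usage: sasl_plain_token AUTHZID AUTHCID PASSWORD
    printf '%s\0%s\0%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# Decode a token the way a sniffer would if AUTH PLAIN went over a non-TLS session.
# The NUL separators are shown as ':' so the result is printable.
sasl_plain_decode() {  # usage: sasl_plain_decode TOKEN
    printf '%s' "$1" | base64 -d | tr '\0' ':'
}

# Does a captured EHLO reply advertise KEYWORD (e.g. STARTTLS or AUTH)?
ehlo_advertises() {    # usage: ehlo_advertises KEYWORD "<ehlo reply>"
    printf '%s\n' "$2" | grep -Eqi '^250[- ]'"$1"'( |$)'
}

# Does the AUTH line of a captured EHLO reply list mechanism MECH (e.g. PLAIN)?
ehlo_auth_mech() {     # usage: ehlo_auth_mech MECH "<ehlo reply>"
    printf '%s\n' "$2" | grep -Eqi '^250[- ]AUTH( [A-Z0-9_-]+)* '"$1"'( |$)'
}

# Abridged EHLO replies from the post's transcripts: before STARTTLS, sendmail
# with confAUTH_OPTIONS `p' hides AUTH; inside the TLS session it offers LOGIN PLAIN.
EHLO_BEFORE_TLS='250-yourdomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-STARTTLS
250 HELP'

EHLO_AFTER_TLS='250-yourdomain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-AUTH LOGIN PLAIN
250 HELP'

# Non-interactive version of the manual openssl session: s_client does the
# EHLO/STARTTLS handshake, then we re-EHLO inside TLS (required after STARTTLS),
# send AUTH PLAIN and QUIT. -crlf turns our LF into the CRLF SMTP wants; -quiet
# implies -ign_eof, so lines starting with 'Q' or 'R' are sent to the server
# instead of being taken as s_client's own quit/renegotiate commands.
# Prints the server's 235 (authenticated) or 535 (failed) line.
smtp_auth_probe() {    # usage: smtp_auth_probe HOST PORT TOKEN  (needs a reachable MTA)
    printf 'EHLO probe.example.com\nAUTH PLAIN %s\nQUIT\n' "$3" |
        openssl s_client -connect "$1:$2" -starttls smtp -crlf -quiet 2>/dev/null |
        grep -E '^(235|535) '
}

# Run the live probe only when invoked with arguments, e.g.:
#   sh smtp_auth_check.sh localhost 25 "$(sasl_plain_token username username password)"
if [ "$#" -eq 3 ]; then
    smtp_auth_probe "$1" "$2" "$3"
fi
```

The probe deliberately mirrors what the post does by hand; s_client still accepts an unverifiable server certificate here, so add -verify_return_error and a -CAfile if you also want the connection to fail on a bad certificate. The token functions make the point of the STARTTLS section concrete: sasl_plain_decode turns the string on the wire straight back into username:username:password.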