Hi All,
OK, I now have "250-STARTTLS" in the server greeting.
How the heck do I authenticate?
Below is my little guide to testing TLS/SSL auth "by hand" which is nice
if you want to see exactly what is happening each step of the way.
To do this you need OpenSSL installed which is normally the case on a
*nix box. This will even work from a Windows box if you install the
Win32 OpenSSL port.
To test SMTP AUTH you need your user name and password encoded as a
single base64 object.
Base64 Encoding Using Perl:
perl -MMIME::Base64 -e 'print encode_base64("\000username\@domain.com\000password")'
Base64 Encoding Using OpenSSL:
Create a file login.txt with your login credentials.
Under FreeBSD/Linux as follows:
echo -n "\000username@domain.com\000password" > login.txt
Where -n suppresses the trailing <lf> and \000 inserts a NUL
Under Windows command prompt as follows: {Took me a while to work this out} :-P
copy /b con logon.txt
You will get the cursor on a new line waiting for input from the console.
Now type the following:
^@username@domain.com^@password^Z<Enter>
Where...
^@ = Ctrl+@ = NULL
^Z = Ctrl+Z = EOF
<Enter> = Press Enter
Now encode it:
openssl enc -base64 -in login.txt
or to put the output in a file
openssl enc -base64 -in login.txt -out base64.txt
Once you have established an SSL/TLS session you can authenticate using
this command:
AUTH PLAIN your.base64.encoded.credentials
eg.
AUTH PLAIN ACJ5YW5AaWQ0ZWMuY28uemEBcnlhbg==
Our server does not allow AUTH PLAIN unless SSL is established. You can
test this by connecting to port 25 and issuing EHLO to see the capabilities.
AUTH PLAIN will not be listed. After doing STARTTLS you can issue EHLO again
and you will now see AUTH PLAIN in the capabilities.
See useful OpenSSL Tricks:
http://www.vanemery.com/Linux/Apache/openSSL.html
To test STARTTLS on port 25:
openssl s_client -starttls smtp -crlf -connect smtp.domain.com:25
To test SSL on port 465 use OpenSSL as follows:
openssl s_client -crlf -connect smtp.domain.com:465
Note: we use stunnel to provide SMTP via SSL on port 465.
A useful trick under Windows is to use PuTTY in RAW mode as an SSL
supporting client to do testing if you don't have OpenSSL installed.
Sending A Test Mail:
EHLO server.my.fqdn
MAIL FROM:<user@my.fqdn>
RCPT TO:<user@their.fqdn>
DATA
SUBJECT: A Suitable Subject
<BLANK LINE>
Your message goes here.
.
QUIT
Notes:
1. There must be a blank line between the subject line and the start of
your message.
2. End your message text entry with a dot on a line by itself.
I hope someone finds this useful.
Regards
Peter
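Added example (not from the post above): a small Python helper that builds the AUTH PLAIN token the way the post describes (authzid, NUL, username, NUL, password), decodes a hand-built token to check its NUL layout, and parses an EHLO reply to confirm that AUTH PLAIN is only advertised after STARTTLS. The EHLO replies and the "literal escape" token are constructed sample data, not captured from any real server.

```python
import base64
import re

# Constructed EHLO replies (not from a real server) showing the behaviour the
# post describes: AUTH is advertised only on the second EHLO, after STARTTLS.
EHLO_CLEARTEXT = "250-smtp.domain.com Hello client\n250-SIZE 10240000\n250-STARTTLS\n250 8BITMIME\n"
EHLO_AFTER_TLS = "250-smtp.domain.com Hello client\n250-SIZE 10240000\n250-AUTH PLAIN LOGIN\n250 8BITMIME\n"
# Constructed: the token you get when a shell's echo writes "\000" literally
# instead of emitting NUL bytes.
LITERAL_ESCAPE_TOKEN = base64.b64encode(b"\\000username@domain.com\\000password").decode()

def auth_plain_token(username: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN argument: base64(authzid NUL authcid NUL password).
    An empty authzid gives the \\000username\\000password layout from the post."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, username, password))
    return base64.b64encode(raw).decode("ascii")

def decode_auth_plain(token: str) -> tuple:
    """Split an AUTH PLAIN argument back into (authzid, authcid, password).
    Raises ValueError unless exactly two NUL separators are present."""
    raw = base64.b64decode(token, validate=True)  # binascii.Error is a ValueError
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError(f"expected 2 NUL separators, found {len(parts) - 1}")
    return tuple(p.decode("utf-8", "replace") for p in parts)

def describe_token(token: str) -> str:
    """Troubleshooting verdict for a hand-built token; never echoes the password."""
    try:
        authzid, authcid, _ = decode_auth_plain(token)
    except ValueError as exc:
        return f"malformed: {exc}"
    return f"ok: authzid={authzid!r} authcid={authcid!r}"

def ehlo_capabilities(reply: str) -> dict:
    """Parse a multi-line EHLO reply ('250-' continues, '250 ' ends) into
    {KEYWORD: [params]}; the first line is the greeting and is skipped."""
    caps = {}
    for line in reply.splitlines()[1:]:
        m = re.fullmatch(r"250[- ](\S+)(?:\s+(.*))?", line)
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps

def cleartext_auth_offered(reply: str) -> bool:
    """True if an EHLO reply taken before STARTTLS already offers a mechanism
    that would send the password unencrypted (the post's server does not)."""
    return bool({"PLAIN", "LOGIN"} & set(ehlo_capabilities(reply).get("AUTH", [])))
```

Feeding the post's own example token to describe_token shows how many NUL separators the console session actually produced.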