
SMTP Auth testing via CLI

Just a quick note to describe the procedure for SMTP AUTH testing from the command line. First you need to encode the username and the password in Base64. This can be done in several ways; one is via https://www.base64encode.org/, but pasting real credentials into a third-party website is a bad habit, so prefer a local tool such as the base64 command that ships with most systems. Keep in mind that Base64 is an encoding, not encryption: AUTH LOGIN sends the credentials in the clear unless the session is already protected by TLS.

Next you can use the following commands to test SMTP AUTH. I always use OpenSSL rather than plain telnet to connect to the mail server, because OpenSSL gives you the option to upgrade the connection with STARTTLS; many servers (Office 365 included) only advertise AUTH after STARTTLS has completed, and you do not want to send a password over a plaintext session anyway.

1) Connect to the mail server (port 25 is used here; the submission port 587 works the same way)

openssl s_client -starttls smtp -crlf -connect smtp.office365.com:25

2) Send the EHLO command to see which items the server supports

EHLO ME
250-VI1PR0101CA0034.outlook.office365.com Hello [93.95.250.230]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

3) Start SMTP AUTH

AUTH LOGIN
334 VXNlcm5hbWU6

4) The 334 reply carries a Base64-encoded prompt: VXNlcm5hbWU6 decodes to "Username:". Enter the Base64-encoded username. The server then responds with "334 UGFzc3dvcmQ6", which decodes to "Password:".
5) Enter the Base64-encoded password. The server responds with 235 on success or a 5xx reply (normally 535) when the credentials are rejected.

235 2.7.0 Authentication successful target host VI1PR06MB1198.eurprd06.prod.outlook.com

6) Now enter the usual commands to send a mail. The server answers 354 after DATA; the header lines come first, an empty line separates them from the body, and a line containing only a single dot ends the message.

MAIL FROM:<from@domain.com>
RCPT TO:<rcpt-to@domain.com>
DATA
SUBJECT: this is the subject

This is the body of the message
.
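The whole AUTH LOGIN exchange, walked through in code. This is an added example and not part of the original post: the server side is a constructed mock that imitates the replies in the Office 365 transcript above, the credentials user@domain.com / s3cret are made up, and send_test_mail is a convenience wrapper around smtplib that you would point at a real host and port.

```python
"""AUTH LOGIN walked through in code (added example, not from the original post).

Each 334 reply is a Base64-encoded prompt ("Username:", "Password:") and the
client answers with a Base64-encoded value. Base64 is an encoding, not
encryption, so the exchange belongs inside the STARTTLS session.
FakeAuthLoginServer is a constructed stand-in for the server; send_test_mail
does the real thing with smtplib against a host you supply.
"""
import base64
import smtplib
import ssl


def b64(text: str) -> str:
    """Encode text as AUTH LOGIN expects: Base64 of the UTF-8 bytes, one line."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_challenge(reply: str) -> str:
    """'334 VXNlcm5hbWU6' -> 'Username:'; raises if the reply is not a 334."""
    code, _, payload = reply.strip().partition(" ")
    if code != "334":
        raise ValueError(f"not an AUTH challenge: {reply!r}")
    return base64.b64decode(payload).decode("utf-8")


class FakeAuthLoginServer:
    """Constructed mock of the server side; the valid credentials are made up."""

    def __init__(self, valid_user: str, valid_password: str) -> None:
        self.valid_user = valid_user
        self.valid_password = valid_password
        self.state = "idle"
        self.user = None

    @staticmethod
    def _decode(line: str):
        try:
            return base64.b64decode(line, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None

    def send(self, line: str) -> str:
        """Feed one client line, get the server's one-line reply."""
        if self.state == "idle":
            if line.strip().upper() != "AUTH LOGIN":
                return "503 5.5.1 Expected AUTH LOGIN"
            self.state = "user"
            return "334 " + b64("Username:")
        value = self._decode(line.strip())
        if value is None:                       # RFC 4954: undecodable response is a 501
            self.state = "idle"
            return "501 5.5.2 Cannot decode response"
        if self.state == "user":
            self.user, self.state = value, "password"
            return "334 " + b64("Password:")
        self.state = "idle"                     # one password attempt per AUTH
        if self.user == self.valid_user and value == self.valid_password:
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def auth_login(server, username: str, password: str):
    """Drive the three-step exchange; return (final reply code, transcript)."""
    transcript = []

    def step(client_line: str) -> str:
        reply = server.send(client_line)
        transcript.append(("C", client_line))
        transcript.append(("S", reply))
        return reply

    reply = step("AUTH LOGIN")
    for prompt, answer in (("Username:", username), ("Password:", password)):
        if not reply.startswith("334"):
            break                               # server refused or errored out
        if decode_challenge(reply) != prompt:
            raise RuntimeError(f"unexpected challenge {decode_challenge(reply)!r}")
        reply = step(b64(answer))
    return reply.split(" ", 1)[0], transcript


def send_test_mail(host: str, port: int, username: str, password: str,
                   mail_from: str, rcpt_to: str, subject: str, body: str) -> None:
    """The same procedure non-interactively (network call, not run offline).

    create_default_context() refuses an unverifiable chain or hostname instead
    of merely reporting it as s_client does; smtplib.login() falls back to AUTH
    LOGIN when, as in the transcript above, that is the only mechanism offered.
    """
    message = f"From: {mail_from}\r\nTo: {rcpt_to}\r\nSubject: {subject}\r\n\r\n{body}\r\n"
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo("me")
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo("me")                         # AUTH is only offered after TLS is up
        smtp.login(username, password)
        smtp.sendmail(mail_from, [rcpt_to], message)
```

Running auth_login(FakeAuthLoginServer("user@domain.com", "s3cret"), "user@domain.com", "s3cret") yields the same four-line dialogue as the manual session (AUTH LOGIN, 334 VXNlcm5hbWU6, the Base64 username, 334 UGFzc3dvcmQ6, the Base64 password, 235); a wrong password ends in 535 and garbage that is not Base64 in 501.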

Export StartTLS certificate from SMTP server

While configuring Office 365 as the messaging (SMTP) server in Aruba ClearPass, I needed to add the certificate presented in the StartTLS session to the ClearPass certificate trust list. I exported the certificates for smtp.office365.com with the following OpenSSL command:

openssl s_client -showcerts -starttls smtp -crlf -connect smtp.office365.com:587

After running the command you will see output like the screenshot (not reproduced here): the certificate chain the server presents, each certificate as a PEM block between BEGIN CERTIFICATE and END CERTIFICATE, preceded by its index, its s: (subject) line and its i: (issuer) line. Index 0 is the server's own certificate; higher indexes are the intermediate CAs that issued it.

I copied both parts between BEGIN CERTIFICATE and END CERTIFICATE into two separate text editor files and saved them with the extension .cer. Next I was able to upload both certificates to the certificate trust list in ClearPass and configure the messaging server with StartTLS Connection Security. Keep in mind that the certificate at index 0 is the server's own (leaf) certificate, which is renewed regularly; trusting the issuing CA certificate(s) further up the chain is more durable than trusting the leaf. Also note that -showcerts only shows what the server sends, which usually does not include the root CA.
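A small parser for the -showcerts output that does the copy-and-paste step programmatically and tells the leaf from the issuing CA. This is an added example, not part of the original post: SAMPLE_OUTPUT is a constructed imitation of the s_client layout with placeholder Base64 bodies (not real certificates, and not Microsoft's real subject names), and fetch_showcerts simply runs the command from the post.

```python
"""Split `openssl s_client -showcerts` output into the chain it contains
(added example, not from the original post). SAMPLE_OUTPUT is a constructed
imitation of the s_client layout with placeholder Base64 bodies, not real
certificates; fetch_showcerts runs the page's command for real.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import List, Tuple

SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFB
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
---
Server certificate
subject=CN = smtp.example.test
issuer=CN = Example Issuing CA
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""


@dataclass
class ChainEntry:
    depth: int      # 0 = the server's own certificate, higher = closer to the root
    subject: str
    issuer: str
    pem: str


def parse_showcerts(output: str) -> List[ChainEntry]:
    """Collect each PEM block together with the s:/i: lines printed above it."""
    entries: List[ChainEntry] = []
    depth, subject, issuer, pem_lines = None, "", "", None
    for raw in output.splitlines():
        line = raw.strip()
        if pem_lines is None:
            m = re.match(r"^(\d+)\s+s:(.*)$", line)
            if m:
                depth, subject = int(m.group(1)), m.group(2).strip()
                continue
            m = re.match(r"^i:(.*)$", line)
            if m:
                issuer = m.group(1).strip()
                continue
            if line == "-----BEGIN CERTIFICATE-----":
                pem_lines = [line]
            continue
        pem_lines.append(line)
        if line == "-----END CERTIFICATE-----":
            index = depth if depth is not None else len(entries)
            entries.append(ChainEntry(index, subject, issuer, "\n".join(pem_lines) + "\n"))
            depth, subject, issuer, pem_lines = None, "", "", None
    return entries


def pick_trust_anchor(entries: List[ChainEntry]) -> ChainEntry:
    """Prefer the highest-depth certificate the server sent (the issuing CA):
    it outlives the leaf at depth 0, which is renewed regularly."""
    return max(entries, key=lambda e: e.depth)


def write_chain(entries: List[ChainEntry], directory) -> List[Path]:
    """Write chain-<depth>.cer files ready to upload to a trust list."""
    paths = []
    for e in entries:
        p = Path(directory) / f"chain-{e.depth}.cer"
        p.write_text(e.pem)
        paths.append(p)
    return paths


def verify_result(output: str) -> Tuple[int, str]:
    """Read s_client's verdict: 0 means the local CA store already trusts the
    chain; 21 means the leaf's issuer could not be found locally."""
    m = re.search(r"^\s*Verify return code: (\d+) \((.*)\)\s*$", output, re.M)
    if not m:
        raise ValueError("no 'Verify return code' line in s_client output")
    return int(m.group(1)), m.group(2)


def fetch_showcerts(host: str, port: int = 587) -> str:
    """Run the page's command non-interactively; empty stdin makes s_client quit."""
    cmd = ["openssl", "s_client", "-showcerts", "-starttls", "smtp", "-crlf",
           "-connect", f"{host}:{port}"]
    return subprocess.run(cmd, input="", capture_output=True, text=True, timeout=30).stdout
```

Against a live server you would call write_chain(parse_showcerts(fetch_showcerts("smtp.office365.com")), "."), then run openssl x509 -noout -subject -issuer -enddate on each .cer to confirm which one is the issuing CA before uploading it. The Verify return code line is also the first thing to check whenever you use s_client to test a TLS configuration: a non-zero code means the connection was completed but the chain was not trusted.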

OpenSSL for testing TLS

I was looking for a way to test the TLS configuration of a secure mail server and stumbled across a website called “OpenSSL Command-Line HOWTO”. This website explains how to test a TLS connection using OpenSSL. The relevant section follows.

The s_client and s_server options provide a way to launch SSL-enabled command-line clients and servers. There are other examples of their use scattered around this document, but this section is dedicated solely to them.

In this section, I assume you are familiar with the specific protocols at issue: SMTP, HTTP, etc. Explaining them is out of the scope of this article.

You can test, or even use, an SSL-enabled SMTP server from the command line using the s_client option. Secure SMTP servers offer secure connections on up to three ports: 25 (TLS), 465 (SSL) and 587 (TLS). Some time around the OpenSSL 0.9.7 release, the openssl binary was given the ability to use STARTTLS when talking to SMTP servers.

# port 25/TLS; use same syntax for port 587
openssl s_client -connect mail.booches.nl:25 -starttls smtp

# port 465/SSL
openssl s_client -connect mail.booches.nl:465

RFC821 suggests (although it falls short of explicitly specifying) the two characters “<CRLF>” as line-terminator. Most mail agents do not care about this and accept either “<LF>” or “<CRLF>” as line-terminators, but Qmail does not. If you want to comply to the letter with RFC821 and/or communicate with Qmail, also use the -crlf option:

openssl s_client -connect mail.booches.nl:25 -starttls smtp -crlf

Barracuda – Outbound SMTP Host/Smart Host in Build 3.5.12.012

When upgrading from a build older than 3.5.12.012 to 3.5.12.012 or above, you should pay attention to the Outbound SMTP host/Smart host configuration (BASIC > Administration > SMTP host/Smarthost; the screenshot of this option is not reproduced here).


The release notes tell the following:

Fix: Now honors outbound BASIC > Administration > ‘SMTP host/Smarthost’ for mail delivery when relaying (recipient domain is not on the box). Before this, the system would only deliver quarantine messages and bounce messages to the smarthost. [34421]

When upgrading to firmware version 3.5.12.012 or higher, a number of customers have been caught out by this change in the operation of the SMARTHOST setting. Previously this option was only used to route notifications and reports from the Barracuda. On the new firmware, if anything is entered in the smart host field, ALL outbound mail will be forwarded via it.

Multiple customers had entered their internal mail server in this field so that the notifications and reports would be delivered. After upgrading, those customers were no longer able to send mail. The reason is simple: all outbound mail is trapped in a loop.

The internal mail server sends the mail to the Barracuda, and the Barracuda, as the smart host setting now tells it to, sends the mail straight back to the internal mail server. Clear the smart host field unless you explicitly need to relay all outbound mail through a smart host; if you do, that field must point at the upstream relay, never at the internal mail server.