testing exchange ssl/tls smtp auth with openssl

I like seeing things happening. If you’ve never tested SMTP by sending a test message by hand with HELO/MAIL/RCPT/DATA, you really should give it a shot. You can use mailsend or such to do this testing somewhat by hand, but when things fail I find it easier to see it directly.

‘EHLO domain’ via smtp should list what AUTH options are available when testing SMTP AUTH (which lets you use authentication to allow relaying). Sometimes this is different when you’re over SSL (‘250-AUTH GSSAPI NTLM LOGIN’) than when you’re not (‘250-AUTH GSSAPI NTLM’), and for good reason: some of the AUTH options aren’t encrypted at all, just obfuscated (read: base64), so the server only offers them once the session is encrypted.

openssl s_client has built-in functionality for testing smtp:

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25

But when connecting to an exchange server, it just hangs at CONNECTED. Trying again with the ‘-debug’ flag shows why:

write to 080B01E8 [BFFFED30] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                   STARTTLS..
read from 080B01E8 [080AA400] (8192 bytes => 28 (0x1C))
0000 - 35 30 33 20 35 2e 35 2e-32 20 53 65 6e 64 20 68 503 5.5.2 Send h
0010 - 65 6c 6c 6f 20 66 69 72-73 74 0d 0a             ello first..

There’s chatter and bugs (1,2) about this out there.

My openssl versions are ancient (such as OpenSSL 0.9.7a Feb 19 2003, per ‘openssl version’), so nobody else is likely to have this problem anymore: ‘openssl-0.9.8e/apps/s_client.c’ added code to send an ‘EHLO openssl.client.net’ before STARTTLS. On second thought, Ubuntu feisty is still on 0.9.8c, so maybe you will.

Once connected, you can try authing. If you’re using AUTH PLAIN (I have no idea whether exchange supports it, but other servers do), you’ll want to base64-encode your username and password, something like this (thanks crash), I think:

printf "\0username\0password" | openssl enc -a

Then send this in the smtp session with ‘AUTH PLAIN base64’ where base64 is whatever you get out of openssl. It’s worth noting that you’ll get different results if you use “echo -n” instead of printf. crash says to use ‘echo -ne’ to get escape characters working right. YMMV.

Testing ‘AUTH LOGIN’ is similar. Send ‘AUTH LOGIN’ and you’ll get back ‘334 VXNlcm5hbWU6’, which says ‘334 Username:’ once you decode the crap with ‘printf VXNlcm5hbWU6 | openssl enc -a -d’. Encode your username with ‘printf "username" | openssl enc -a’ and paste this back to the server. You’ll get a ‘334 UGFzc3dvcmQ6’ response, which again is ‘334 Password:’. Send your password back in the same manner, base64 encoded (not encrypted, heh. that’s what the ssl is for).

If all works you’ll get something such as ‘235 2.7.0 Authentication successful’ in response. Remember that sometimes throwing -debug on the end of openssl gives you more information. Now try your MAIL/RCPT/DATA shit and make sure you can still relay.
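To tie the EHLO comparison and the AUTH PLAIN / AUTH LOGIN encoding together, here is a small set of Python helpers, added to this post as an example (it is not code from the original write-up). It assumes a plain RFC 5321 EHLO / RFC 4954 AUTH server; the EHLO replies it embeds are constructed sample data, and the host name and HELO name used by live_check() are placeholders you would replace.

```python
"""Helpers for the by-hand SMTP AUTH test walked through above.

Added example, not code from the original post. Assumes an RFC 5321 EHLO /
RFC 4954 AUTH server; the EHLO replies below are constructed sample data and
the host/HELO names in live_check() are placeholders.
"""
import base64
import re
import smtplib
import ssl

# Mechanisms that only base64-encode the password; safe only after STARTTLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo_auth(ehlo_reply: str) -> set:
    """Extract the AUTH mechanisms from a raw EHLO reply as seen in an
    openssl s_client session.

    Accepts both '250-AUTH GSSAPI NTLM LOGIN' and the older '250-AUTH=LOGIN'
    spelling; the code/hyphen prefix is optional so stripped lines parse too.
    """
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"(?:250[ -])?AUTH[ =](.+)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs


def cleartext_mechs_before_tls(before_tls: set) -> set:
    """Mechanisms offered on the unencrypted session that merely obfuscate the
    password. A connector that offers Basic auth only after STARTTLS gives an
    empty set here."""
    return before_tls & CLEARTEXT_MECHS


def plain_token(username: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN initial response: base64(authzid NUL username NUL password).

    The (empty) authzid is why the post's printf starts with \\0. A plain
    'echo' without -e sends the two characters backslash and zero instead of
    a NUL byte, which is the "different result" the post warns about.
    """
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def login_step(value: str) -> str:
    """One AUTH LOGIN answer (username, then password), base64-encoded."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_challenge(server_line: str) -> str:
    """Turn '334 VXNlcm5hbWU6' into 'Username:' so the prompt is readable."""
    code, _, payload = server_line.strip().partition(" ")
    if code != "334":
        raise ValueError(f"not a 334 challenge: {server_line!r}")
    return base64.b64decode(payload).decode("utf-8", errors="replace")


def live_check(host: str, port: int = 25, helo_name: str = "test.client.example") -> dict:
    """Drive EHLO, STARTTLS, EHLO against a real server (needs network) and
    report the AUTH mechanisms advertised before and after TLS. smtplib sends
    the EHLO before STARTTLS itself, the step the old s_client skipped."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo(helo_name)
        before = set(smtp.esmtp_features.get("auth", "").upper().split())
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo(helo_name)
        after = set(smtp.esmtp_features.get("auth", "").upper().split())
    return {
        "before_tls": before,
        "after_tls": after,
        "cleartext_before_tls": cleartext_mechs_before_tls(before),
    }


# Constructed sample EHLO replies, in the shape the post quotes.
EHLO_BEFORE_TLS = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH GSSAPI NTLM\r\n"
    "250 OK\r\n"
)
EHLO_AFTER_TLS = EHLO_BEFORE_TLS.replace("250-AUTH GSSAPI NTLM", "250-AUTH GSSAPI NTLM LOGIN")

if __name__ == "__main__":
    before = parse_ehlo_auth(EHLO_BEFORE_TLS)
    after = parse_ehlo_auth(EHLO_AFTER_TLS)
    print("before TLS:", sorted(before), "after TLS:", sorted(after))
    print("cleartext mechs offered before TLS:", sorted(cleartext_mechs_before_tls(before)))
    print("AUTH PLAIN", plain_token("username", "password"))
    print(decode_challenge("334 VXNlcm5hbWU6"), "->", login_step("username"))
    print(decode_challenge("334 UGFzc3dvcmQ6"), "->", login_step("password"))
```

Run it as-is to see the encodings for the constructed sample; call live_check("mail.example.test") against a server you administer to get the same before/after AUTH comparison the post does by hand, with a non-empty cleartext_before_tls telling you the connector still offers LOGIN or PLAIN on the unencrypted session.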

I’d love to provide a way to test NTLM, but it appears, no surprise, not to be that popular. Exchange 2007 will support LOGIN. Open EMC. Server Configuration -> Hub Transport (or Edge Transport on an edge server). Under Receive Connectors, right click and go to Properties for the connector. On the Authentication tab make sure “Basic Authentication” is checked, and make sure to also check the box beneath it that limits Basic authentication to after STARTTLS.
