Check an SMTP server on Linux

Test SMTP Authentication and StartTLS

This post shows you how to test a connection to an SMTP server using telnet or openssl, how to create base64 encoded logon information, and how to verify authentication over an opportunistic TLS connection, all from the Linux and Windows command line. This comes in very handy when investigating SMTP authentication issues, particularly those over TLS encrypted connections. Investigate SMTP authentication issues like a boss using telnet and OpenSSL.

SMTP Authentication is the mechanism by which the clients of an ISP identify themselves to the mail server through which they intend to send email.

SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol whereby an SMTP client may log in using an authentication mechanism chosen among those supported by the SMTP server.

What is Transport Layer Security (TLS)?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates, and hence asymmetric cryptography, to authenticate the counterparty with whom they are communicating and to exchange a symmetric key.

Test TLS connections and SMTP AUTH from the Linux and Windows command line

In this post you’ll learn how to test SMTP authentication with StartTLS from the command line. Neat, right?! 🙂

Most SMTP and mail sending problems come from the fact that either the username and password combination is incorrect, the mail server doesn’t support StartTLS, or the authentication mechanism used is wrong.

Let’s address, test and verify them all.

Being able to verify StartTLS/TLS encrypted connections with OpenSSL, and SMTP AUTH options, is ideal for when you’re having problems with email forms that send email using authenticated SMTP over a TLS encrypted connection (from a website).

Before you can test SMTP AUTH PLAIN authentication over TLS, you need to create the login information. It consists of your username (normally an email address) and its password, each preceded by the special NUL character \0.

Create SMTP AUTH login information

To create the logon credential combination – which has to be base64 encoded – you can use Perl and Bash in Linux, or Perl and PowerShell in Windows. In the examples I’ll be using “username@example.com” as the logon name, and “password” as its password.


If you’re using Perl to create SMTP AUTH login information, you need to use the MIME::Base64 module:

perl -MMIME::Base64 -e 'print encode_base64("\000username\@example.com\000password")'

Don’t forget to escape the @ character with a backslash (\@), otherwise Perl will interpret it as the start of an array name. The base64 encoded string will be something like:

AHVzZXJuYW1lQGV4YW1wbGUuY29tAG15X3Bhc3N3b3Jk

If you’re using Perl in Windows, you need to escape the double quotation marks like:

perl.exe -MMIME::Base64 -e "print encode_base64(\"\000username\@example.com\000password\")"

You don’t necessarily need Perl to generate the login string; you can use plain old echo and base64 in Bash too:

echo -ne '\0username@example.com\0password' | base64

In Windows (Windows Server, Windows 11 or Windows 10), you can easily use PowerShell to create the base64 encoded login string:

[Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("`0username@example.com`0password"))

In PowerShell you need to remember the back tick ( ` ) is your escape character, not the back slash ( \ ) from Bash / Perl.

Connect to an SMTP server using opportunistic TLS with OpenSSL in Bash

Now that you have your login string ready, it’s time to connect to an SMTP server to verify SMTP authentication over opportunistic TLS. First you need the OpenSSL client in Linux (or in WSL in Windows):

# Debian / Ubuntu
sudo apt-get install openssl
# RHEL / CentOS
sudo yum install openssl

Next, use the openssl command in Bash, as shown below, to set up a TLS encrypted connection with your SMTP server:

openssl s_client -connect smtp.example.com:25 -starttls smtp

You may need to use a different port number like 587, ask your provider.

This p00ps out a lot of crap.. eehh verbose output, don’t worry 🙂 When the connection is made, you’ll notice an SMTP 250 code:

This means you can start your SMTP transaction. Use EHLO to let the SMTP server print out the supported verbs:

EHLO there
250-smtp.example.com
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Here the line 250-AUTH PLAIN LOGIN lists the login methods on offer, so the SMTP mail server supports the authentication mechanism you want. Your complete username and password login information is wrapped in the base64 encoded string. Use that to authenticate:

AUTH PLAIN AHVzZXJuYW1lQGV4YW1wbGUuY29tAG15X3Bhc3N3b3Jk

If all goes well, the SMTP server reports a successful authentication:

235 2.7.0 Authentication successful

Because the username and password combination is only base64 encoded, which is an encoding and not encryption, it is effectively sent in plain text. You need StartTLS/TLS encryption to secure your SMTP connection.
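The helpers below are an added example, not code from the original post: they build the AUTH PLAIN token with printf instead of echo -e, decode a token so you can confirm what will be sent, and flag base64 lines that begin with R or Q, which interactive openssl s_client treats as renegotiate and quit commands unless it is started with -quiet (the point raised in the comments further down). The function names and the sample credentials are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: sanity-check SMTP AUTH strings before typing them into
# `openssl s_client`. Function names and credentials are constructed samples.

# AUTH PLAIN token = base64( NUL user NUL pass ).
# printf '%s' copies the values verbatim, so a user name or password that
# starts with a digit is not swallowed into an octal escape, which is what
# happens with echo -e '\0...' (e.g. '\01user' becomes byte 0x01 + "user").
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# AUTH LOGIN sends user name and password as two separate base64 lines.
auth_login_line() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode an AUTH PLAIN token; NUL separators are shown as '|' so you can
# see exactly which user name and password the server will receive.
decode_plain_token() {
    printf '%s' "$1" | base64 -d | tr '\0' '|'
}

# Interactive s_client treats a line starting with R as "renegotiate" and
# one starting with Q as "quit". Returns 0 if the line would be intercepted,
# i.e. s_client must be started with -quiet.
needs_quiet() {
    case "$1" in
        R*|Q*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Demo with the article's sample credentials and the commenters' examples.
token=$(auth_plain_token 'username@example.com' 'password')
printf 'AUTH PLAIN %s\n' "$token"
printf 'decoded:   %s\n' "$(decode_plain_token "$token")"
for value in 'username@example.com' 'Gregory' 'Cpassword'; do
    line=$(auth_login_line "$value")
    if needs_quiet "$line"; then
        printf '%s -> %s (use -quiet)\n' "$value" "$line"
    else
        printf '%s -> %s\n' "$value" "$line"
    fi
done
```

Decoding a token before sending it is also a quick way to rule out a wrong password or a mangled escape sequence as the cause of a 535 authentication failure.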


How to install OpenSSL and Perl on Windows

In order to accomplish all of the above on Windows Server, Windows 11 or Windows 10, you need to download and install the OpenSSL client and Perl (I use Strawberry Perl):

  • Win32 OpenSSL Installation Project (choose the right flavor)
  • Strawberry Perl Releases (I use the ZIP edition which doesn’t require an installation)
  • Install OpenSSL to c:\OpenSSL-Win32 or c:\OpenSSL-Win64 , depending on the bitness
  • Unzip strawberry-perl-5.18.2.2-32bit.zip or strawberry-perl-5.18.2.2-64bit.zip and copy the folder to c:\Perl for example

After you’ve configured your OpenSSL environment in Windows, you can use the Perl and OpenSSL commands in the same way as in Linux Bash.

Configure your Windows OpenSSL environment

Now configure your OpenSSL environment in Windows to prevent openssl.cnf warnings:

  1. At the cmd.exe command line, type set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg . This will prevent an error message: WARNING: can’t open config file: /usr/local/ssl/openssl.cnf

Bonus: Verify StartTLS for SMTP-, POP3- or IMAP servers – Check HTTPS TLS/SSL certificates

To verify whether your (SMTP-, POP3-, or IMAP) mail server supports StartTLS, use the following OpenSSL command:

openssl s_client -connect imap.example.com:143 -starttls imap
openssl s_client -connect pop.example.com:110 -starttls pop3
openssl s_client -connect smtp.example.com:25 -starttls smtp

Check HTTPS TLS/SSL certificate

Use openssl to check and verify HTTPS connections:

openssl s_client -tls1_2 -servername host -connect 203.0.113.15:443

Substitute host with your host header or domain name, and 203.0.113.15 with the IP address of your web server.

Check SSL certificate expiration date

This one-liner checks the SSL certificate expiration date, from the Linux command line (Bash) using openssl :

echo | openssl s_client -connect mx.example.com:25 -starttls smtp | openssl x509 -noout -dates
echo | openssl s_client -connect ftp.example.com:21 -starttls ftp | openssl x509 -noout -dates


Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace — The Human Cloud. In the past I worked for clidn and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at https://www.saotn.org.


9 thoughts to “Test SMTP Authentication and StartTLS”

1. It is important to use the -quiet switch when running openssl to avoid the RENEGOTIATING error. If the command you send starts with R then s_client will renegotiate its TLS connection. Differently, if the command starts with Q then s_client will close the connection.
Example:
c:\OpenSSL-Win64\bin>openssl.exe s_client -connect smtp.example.com:25 -starttls smtp -quiet
2. There is no need to download Perl on a Windows machine, normally you can convert any string to Base64 using PowerShell. For example:
[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("password"))

Hi Dima, thank you very much for your comment! I wrote the article in an era when it was not common to have PowerShell installed on your workstation, and therefore I mentioned a portable version of Perl. But great addition! The renegotiating error in OpenSSL is something I’ve never encountered, but it’s in the manpage: https://www.openssl.org/docs/man1.0.2/man1/openssl-s_client.html. Thanks.

Hi Jan,
If your Base64-encoded password or user name will start with capital R or Q, then instead of entering password, openssl will trigger RENEGOTIATING or Quit session.
For example:
“Gregory” will be encoded as R3JlZ29yeQ== and trigger Renegotiation instead of sending user name to SMTP server.
“Cpassword” will be encoded as Q3Bhc3N3b3Jk and trigger session close.
So you were lucky that your Base64 encoded user name or password was not encoded with capital R or Q.
This is important if you use AUTH LOGIN to test SMTP authentication.

Hi. Very useful. Thanks a lot. In Windows (PowerShell) you can run the following command to obtain the SSL certificate expiration date (like the Linux protip):
write-output "quit\r" | c:\OpenSSL-Win64\bin\openssl.exe s_client -connect smtp.example.com:25 -starttls smtp | c:\OpenSSL-Win64\bin\openssl.exe x509 -enddate -noout

Thanks so much for this! Really helped me out in troubleshooting issues with our SMTP provider (SendGrid)

Hi Josh, great to hear this post helped you out in troubleshooting SMTP issues with SendGrid! Spread the word 😉
