Wednesday, March 25, 2015

Testing SMTP Authentication Using OpenSSL


Hi folks,

I would love to share with you my latest experience with SMTP authentication in Exchange. SMTP authentication is a very important area in messaging: it ensures that only authenticated users can send messages via your SMTP servers and that mail is secured in transit. This is very necessary in a world full of spammers.

To perform the testing you will need two tools, namely OpenSSL and Base64.exe. OpenSSL can be downloaded from here and Base64.exe can be downloaded from here. After downloading both, extract them to folders from which you can execute them.

OpenSSL lets you see whether the server supports the AUTH extension needed for authentication, and Base64.exe generates the Base64-encoded strings of the username and password that you will use for authentication. Keep in mind that Base64 is an encoding, not a hash: it is trivially reversible, which is why the whole exchange has to run inside TLS.

First of all, we need to check whether our SMTP server supports the STARTTLS command. To do this, execute:

telnet mail.contoso.com 25

When the session opens, type ehlo smtp.contoso.com

In response you will be presented with a list of supported extensions; make sure the following two are listed:

250-STARTTLS
250-AUTH NTLM (or 250-AUTH PLAIN)

This indicates that your server supports TLS and SMTP authentication.

Once this is confirmed, we need to emulate an SMTP-over-TLS conversation with our SMTP server. This is where OpenSSL comes to our help. Execute the following command to connect to the server:

openssl s_client -connect mail.contoso.com:25 -starttls smtp

Once connected, the output shows the certificate used for TLS as well as the certificates in its chain, all the way up to the root CA certificate. Note the common name (CN) of the TLS certificate. Some applications can't send SMTP messages over TLS if the CN differs from the hostname configured in their settings. The remedy is to use the same hostname as specified in the certificate CN; it will simply save you a lot of headache. All you need is an A record for it in your DNS.

To start authentication, type:

AUTH LOGIN

You should receive a 334 response followed by a Base64 string (the encoded prompt, which decodes to Username:), and the session then waits for your input.

You will need to generate the Base64 encoding of your email address and of your password. The same procedure applies to both mailbox-enabled and mail-enabled users in Exchange.

This is where the Base64.exe utility comes in. Launch it and, in the box named Text to be encoded, decoded or hashed, type the email address, like user1@contoso.com. Click the Encode button (green arrow). Base64.exe will show the encoded string in the Encoded Text box. Copy it, paste it into the session and press Enter.

You will be presented with another 334 response. Follow the same steps for the password: in the box named Text to be encoded, decoded or hashed, type the password, like P@$$w0rd. Click the Encode button (green arrow). Base64.exe will show the encoded string in the Encoded Text box. Copy it, paste it into the session and press Enter. If everything is done correctly you will receive: 235 2.7.0 Authentication successful.

Now use the SMTP conversation to type and send an email:

mail from:user1@contoso.com

You should receive the response: 250 2.1.0 Sender OK

rcpt to:user2@contoso.com

You should receive the response: 250 2.1.5 Recipient OK

data

You should receive the response: 354 Start mail input; end with <CRLF>.<CRLF>

Type your email text, something like:


subject: Test OpenSSL Mail-Enabled User

Test from mail-enabled user


.

You should receive a response like:

250 2.6.0 <XXXXXXXXXXXXXXXXXXXXXXXX@server.contoso.com> [InternalId=106] Queued mail for delivery
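The EHLO check and the AUTH LOGIN exchange described above, as an added Python example that is not part of the original post: it parses the EHLO extension list for STARTTLS and AUTH LOGIN, answers the two 334 challenges with Base64-encoded credentials, and runs against a constructed scripted server standing in for mail.contoso.com (the greeting, SIZE value and address in the sample reply are constructed placeholders).

```python
import base64

def parse_ehlo(reply):
    """Map each extension keyword of a multi-line EHLO reply to its arguments.
    Lines look like '250-STARTTLS'; the last is '250 OK'; line 1 is the greeting."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: " + line)
        keyword, _, args = line[4:].strip().partition(" ")
        caps[keyword.upper()] = args.split()
    return caps

def supports_auth_login(caps):
    # AUTH LOGIN only protects credentials when wrapped in STARTTLS: the
    # exchange is Base64 encoding, not hashing, so anyone on the path can decode it.
    return "STARTTLS" in caps and "LOGIN" in caps.get("AUTH", [])

def auth_login(send, recv, username, password):
    """Drive AUTH LOGIN over an established session; send/recv move one line each.
    Returns True when the server answers 235."""
    send("AUTH LOGIN")
    for secret, prompt in ((username, "Username:"), (password, "Password:")):
        code, _, challenge = recv().partition(" ")
        if code != "334":
            raise RuntimeError("expected 334 challenge, got " + code)
        if base64.b64decode(challenge).decode() != prompt:  # 334 payload is plain Base64
            raise RuntimeError("unexpected challenge: " + challenge)
        send(base64.b64encode(secret.encode()).decode())
    return recv().startswith("235")

class FakeExchange:
    """Constructed scripted stand-in for mail.contoso.com, replying as in the post."""
    def __init__(self, username, password):
        self.valid = [base64.b64encode(s.encode()).decode() for s in (username, password)]
        self.received, self.pending = [], []
    def send(self, line):
        self.received.append(line)
        if len(self.received) == 1:                  # client sent AUTH LOGIN
            self.pending.append("334 VXNlcm5hbWU6")  # decodes to "Username:"
        elif len(self.received) == 2:
            self.pending.append("334 UGFzc3dvcmQ6")  # decodes to "Password:"
        elif self.received[1:3] == self.valid:
            self.pending.append("235 2.7.0 Authentication successful")
        else:
            self.pending.append("535 5.7.3 Authentication unsuccessful")
    def recv(self):
        return self.pending.pop(0)
```

Against a live server you would replace FakeExchange with the line reader and writer of an openssl s_client style STARTTLS session; the protocol logic stays the same.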

Enjoy.