I was faced with a mail client that was having trouble connecting. My usual tactic when faced with such problems is to try things via a manual SMTP connection to see what's going on. The only problem is that I couldn't get to the point that authentication was advertised unless I issued a STARTTLS command and at that point just typing stuff into telnet(1) isn't enough.
The telnet-ssl package is normally used to make direct SSL connections but it is also capable of making plain connections which can then be turned into an SSL connection later. This is easy to use during an SMTP connection.
First we need to make a plain connection to the SMTP port:

    somewhere.else.com:~> telnet-ssl mail.somewhere.com 25
    Trying 4.3.2.1...
    Connected to mail.somewhere.com.
    Escape character is '^]'.
    220 mail.somewhere.com ESMTP A secret server

So, now we're connected so let's check that SSL connections are supported by querying the capabilities:

    ehlo me
    250-mcrowe.com Hello mac at somewhere.else.com [1.2.3.4]
    250-SIZE 52428800
    250-PIPELINING
    250-STARTTLS
    250 HELP

Now we can start SSL:

    starttls
    220 TLS go ahead

At this point we need to get back to the telnet prompt to switch to SSL mode. The default telnet escape character is Ctrl ]:

    ^]
    telnet-ssl> startssl
    SSL: Server has a self-signed certificate
    SSL: unknown issuer: /C=Ptoing/ST=Wibble/CN=nowhere.com/emailAddress=postmaster@nowhere.com

If the server has a valid certificate then you probably won't see any output here.

Now when we ask for the capabilities we get the AUTH types we expected:

    ehlo me
    250-nowhere.com Hello mac at somewhere.else.com [1.2.3.4]
    250-SIZE 52428800
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250 HELP

By the time I'd got to this point I'd discovered my problem: no authentication types were being advertised at all.
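
The same check, scripted, as an added example that is not part of the original post: it parses the EHLO replies seen before and after STARTTLS (the two replies from the session above are embedded as sample input) and reports which AUTH mechanisms are offered in the clear and which only inside TLS. The function names and the `probe()` helper built on Python's smtplib are this example's own choices.

```python
import re
import smtplib
import ssl

# Sample input: the two EHLO replies copied from the session above.
BEFORE_TLS = """250-mcrowe.com Hello mac at somewhere.else.com [1.2.3.4]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP"""
AFTER_TLS = """250-nowhere.com Hello mac at somewhere.else.com [1.2.3.4]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP"""


def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from an EHLO reply, with or without '250' prefixes."""
    lines = [re.sub(r"^250[- ]", "", ln.strip()) for ln in reply.splitlines() if ln.strip()]
    caps = {}
    for ln in lines[1:]:  # the first line is the greeting, not a capability
        words = ln.replace("=", " ").split()  # also accept the legacy "AUTH=LOGIN" form
        if words:
            caps.setdefault(words[0].upper(), set()).update(w.upper() for w in words[1:])
    return caps


def compare(before, after):
    """Summarise what the server offers in the clear versus inside TLS."""
    pre, post = parse_ehlo(before), parse_ehlo(after)
    return {
        "starttls_offered": "STARTTLS" in pre,
        "auth_in_clear": sorted(pre.get("AUTH", ())),   # non-empty: logins possible without TLS
        "auth_after_tls": sorted(post.get("AUTH", ())),  # empty: no AUTH advertised even with TLS
    }


def probe(host, port=25, verify=True):
    """Live version of the manual session: EHLO, STARTTLS, EHLO again."""
    ctx = ssl.create_default_context()
    if not verify:  # diagnosis only, for a self-signed certificate like the one above
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, before = s.ehlo()  # smtplib returns the reply text without the 250 prefixes
        s.starttls(context=ctx)  # raises SMTPNotSupportedError if STARTTLS is not advertised
        _, after = s.ehlo()
    return compare(before.decode(errors="replace"), after.decode(errors="replace"))
```

`compare(BEFORE_TLS, AFTER_TLS)` works offline on the pasted transcripts; `probe("mail.somewhere.com")` runs the same comparison against a live server.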
2 comments:
Hi,
Thanks - always wanted to know how to use telnet-ssl to troubleshoot SMTP sessions over TLS.
Thanks, was useful for me as well for testing and setting up SMTPS.
It's a bit irritating, that telnet-ssl doesn't get back to the prompt after CTRL-] like the old non-ssl telnet did.
Thanks! Tomáš Pospíšek