Tuesday, 25 March 2008

Investigating SSL SMTP configurations with telnet-ssl

I use the pretty standard Debian Exim4 configuration on my mail server. I don't define AUTH_SERVER_ALLOW_NOTLS_PASSWORDS so plain text authentication is not supported unless the connection is encrypted.

I was faced with a mail client that was having trouble connecting. My usual tactic when faced with such problems is to try things via a manual SMTP connection to see what's going on. The only problem is that I couldn't get to the point that authentication was advertised unless I issued a STARTTLS command and at that point just typing stuff into telnet(1) isn't enough.

The telnet-ssl package is normally used to make direct SSL connections but it is also capable of making plain connections which can then be turned into an SSL connection later. This is easy to use during an SMTP connection.

First we need to make a plain connection to the SMTP port:
 somewhere.else.com:~> telnet-ssl mail.somewhere.com 25  
Connected to mail.somewhere.com.
Escape character is '^]'.

220 mail.somewhere.com ESMTP A secret server
So, now we're connected so let's check that SSL connections are supported by querying the capabilities:
 ehlo me
250-mcrowe.com Hello mac at somewhere.else.com []
250-SIZE 52428800
250 HELP
Now we can start SSL:
220 TLS go ahead
At this point we need to get back to the telnet prompt to switch to SSL mode. The default telnet escape character is Ctrl ]:
telnet-ssl> startssl
SSL: Server has a self-signed certificate
SSL: unknown issuer: /C=Ptoing/ST=Wibble/CN=nowhere.com/emailAddress=postmaster@nowhere.com
If the server has a valid certificate then you probably won't see any output here.

Now when we ask for the capabilities we get the AUTH types we expected:
 ehlo me
250-nowhere.com Hello mac at somewhere.else.com []
250-SIZE 52428800
250 HELP
By the time I'd got to this point I'd discovered my problem: no authentication types were being advertised at all.