Last updated: 23 March 2022

The openssl s_client utility is an SSL/TLS client that connects to remote hosts. It is primarily a diagnostic tool, and it has a very large number of options. I won’t go through all the utility’s bells and whistles – to properly learn OpenSSL you can use the documentation or read the OpenSSL Cookbook. Instead I will show how useful the utility is by connecting to a mail server and sending an email.

Prepare the base64 username and password

I will use openssl s_client to connect to our Strawberry server and log in as mail@example.net. If the connection succeeds the server advertises what mechanisms you can use to log in. Usually, one of the authentication options is AUTH PLAIN. To log in using AUTH PLAIN you need to provide your username and password as a base64-encoded string.

As we need an encoded string it makes sense to get your ducks in a row before connecting to a server. You can generate the base64 string on the command line. Note that both the email address and password are prefixed with a NULL byte (\0).

$ echo -ne "\0mail@example.net\0wI8#dS5_yG8@iS" | base64
AG1haWxAZXhhbXBsZS5uZXQAd0k4I2RTNV95RzhAaVM=

Most servers also support the AUTH LOGIN mechanism. To authenticate using AUTH LOGIN you need to provide your username and password separately. You can again generate the base64 strings via the command line:

$ echo -ne "mail@example.net" | base64
bWFpbEBleGFtcGxlLm5ldA==

$ echo -ne "wI8#dS5_yG8@iS" | base64
d0k4I2RTNV95RzhAaVM=
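
The AUTH PLAIN and AUTH LOGIN encodings above, as a set of shell functions. This is an added example, not part of the original article; the function names are made up here and it assumes the coreutils base64 utility. It passes the password through printf '%s' so characters such as $, ! or \ are encoded verbatim, and it strips the line wrap that base64 adds to long output.

```shell
#!/bin/sh
# Added example: build and check SMTP AUTH strings (function names are hypothetical).
# Assumes the coreutils base64 utility ("base64 -d" to decode).

# Encode stdin as one line. GNU base64 wraps at 76 columns, and a wrapped
# string pasted into the SMTP session would be cut off at the first newline.
b64() { base64 | tr -d '\n'; }

# AUTH PLAIN (RFC 4616): authzid NUL authcid NUL password, with authzid left
# empty here. '%s' passes the arguments through verbatim (no escape handling).
auth_plain() { printf '\000%s\000%s' "$1" "$2" | b64; echo; }

# AUTH LOGIN: username and password encoded separately, one per line.
auth_login() {
    printf '%s' "$1" | b64; echo
    printf '%s' "$2" | b64; echo
}

# Decode an AUTH PLAIN string to confirm what it contains before sending it.
decode_plain() {
    printf '%s' "$1" | base64 -d | tr '\000' '\n' |
        awk 'NR==1{z=$0} NR==2{u=$0} NR==3{p=$0}
             END{printf "authzid=[%s] user=[%s] password=[%s]\n", z, u, p}'
}

# Prompt for the password so it is not typed into a command line that ends
# up in the shell history, then print the AUTH PLAIN string.
auth_plain_prompt() {
    printf 'Password for %s: ' "$1" >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    auth_plain "$1" "$pw"; unset pw
}

# Demo with the sample credentials used in the article:
auth_plain mail@example.net 'wI8#dS5_yG8@iS'
decode_plain 'AG1haWxAZXhhbXBsZS5uZXQAd0k4I2RTNV95RzhAaVM='
```

decode_plain recovers the username and password from the string, so an AUTH line that ends up in a terminal log or a support ticket should be treated as a disclosed password.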

Connect to the mail server

You can now connect to the mail server. In the command below I connect using port 465. I have also added the -quiet option. This stops the session and certificate information from being printed, and it stops the session from being renegotiated when we enter a command starting with the letter R. The latter is useful, as one of the commands you need to enter later is RCPT TO. Without the -quiet option your session will get in a muddle.

Often, you actually want the output to be verbose. Among other things, the session and certificate information includes the TLS protocol and cipher, which can be useful for debugging. If you want to see that information then you need to leave out the -quiet option. To stop the session from being renegotiated when you enter the RCPT TO command you can simply type the command in lowercase (i.e. rcpt to).

$ openssl s_client -connect strawberry.active-ns.com:465 -quiet
...
220-strawberry.active-ns.com ESMTP Exim 4.93 #2 Mon, 08 Mar 2021 18:20:41 +0000 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.

If you want to test SMTP over port 587 then you can use the -starttls option and change the port number:

$ openssl s_client -starttls smtp -connect strawberry.active-ns.com:587

And you can even test port 25. There is no need to install telnet:

$ openssl s_client -starttls smtp -connect strawberry.active-ns.com:25

Sending an email

Once you have established a connection the server waits for input. To start, say EHLO to the server. The EHLO (or HELO) command identifies us. You can enter either a domain name or an IP address.

EHLO example.net
250-strawberry.active-ns.com Hello cpc123456-lndn12-2-0-cust111-isp [12.34.56.78]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP

Note that the server responds with the allowed authentication methods. The output shows that you can use AUTH PLAIN. So, we can now give the server the base64 string we created earlier:

AUTH PLAIN AG1haWxAZXhhbXBsZS5uZXQAd0k4I2RTNV95RzhAaVM=
235 Authentication succeeded

The server responded with “Authentication succeeded”. To send an email, start with the MAIL FROM: command:

MAIL FROM: mail@example.net
250 OK

The recipient of the email is specified with the above-mentioned RCPT TO: command. If you didn’t run openssl s_client with the -quiet option then you need to enter the command in lowercase (to prevent the session from being renegotiated):

RCPT TO: support@catalyst2.com
250 Accepted

And you can now compose your email using the DATA command. I recommend entering the From, To and Subject fields. You don’t have to do so, but if you don’t the recipient will not see these fields – they will be blank. Other than that, simply compose your message. To let the server know that you are done with your email you can enter a full stop on a line by itself (and hit the enter key). This is exactly how you exit input mode in the ed editor (though it is possible you don’t use ed on a day-to-day basis!).

DATA
354 Enter message, ending with "." on a line by itself
From: mail@example.net
To: support@catalyst2.com
Subject: Email client recommendation

I'm currently using openssl to send emails. Do you know if there are any good desktop applications that can send emails?
.
250 OK id=1lJKVY-0008BF-2l

And finally, issue the QUIT command to close the session:

QUIT
DONE