SMTP
Interactive telnet session with Mail server

    $ telnet oeey.com 25
    Trying 50.50.251.110...
    Connected to oeey.com.
    Escape character is '^]'.
    ehlo bob
    220 ******************************
    250-oeey.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH CRAM-MD5 LOGIN DIGEST-MD5 GSSAPI NTLM PLAIN
    250-AUTH=CRAM-MD5 LOGIN DIGEST-MD5 GSSAPI NTLM PLAIN
    250 8BITMIME

The contents of your message file should resemble this example:

    HELO host.example.com
    MAIL FROM: <test@host.example.com>
    RCPT TO: <bob@example.com>
    DATA
    From: [Alice] <alice@geek.com>
    To: <bob@example.com>
    Date: Mon, 12 Apr 2010 14:21:26 -0400
    Subject: Test Message

    Hi there! This is supposed to be a real email...

    Have a good day!
    Alice
    .
    QUIT

Now feed the message to netcat:

    /usr/bin/nc smtp.domain.com 25 < /tmp/message

A complete interactive session with AUTH LOGIN:

    # telnet oeey.com 25
    Trying 50.50.251.110...
    Connected to oeey.com.
    Escape character is '^]'.
    220 ******************************
    EHLO trogdor
    250-oeey.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH CRAM-MD5 LOGIN DIGEST-MD5 GSSAPI NTLM PLAIN
    250-AUTH=CRAM-MD5 LOGIN DIGEST-MD5 GSSAPI NTLM PLAIN
    250 8BITMIME
    AUTH LOGIN
    334 VXNlcm5hbWU6            ## Username:
    a2VubmV0aC5idXJnZW5lcg==    ## ***
    334 UGFzc3dvcmQ6            ## Password:
    SW1CQjE5OTkh                ## ****
    235 Authentication successful
    RCPT TO: <kenneth@oeey.com>
    503 Error: need MAIL command
    MAIL FROM: <kenneth@oeey.com>
    250 Ok
    RCPT TO: <kenneth@oeey.com>
    250 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    Subject: This is a test
    From: Kenneth <kenneth@oeey.com>
    To: Kenneth <kenneth@oeey.com>

    This is a test
    .
    250 Ok: queued as 8E2FD52095
    500 Error: bad syntax
    quit
    221 Bye

SMTP Authentication
- IndiMail: Authenticated SMTP tutorial - http://indimail.blogspot.com/2010/03/authenticated-smtp-tutorial.html
- Tutorial: SMTP Authentication - http://www.fehcom.de/qmail/smtpauth.html
- http://jetmore.org/john/code/gen-auth
- SMTP AUTH for sendmail 8.10: Realms and Examples - http://www.sendmail.org/~ca/email/authrealms.html
Use a base64 tool to encode and decode:

    echo -n "[pass]" | /usr/bin/base64
    echo -n "[encpass]" | /usr/bin/base64 -d
    printf "\0postmaster@example.com\0pass" | /var/indimail/bin/base64
    printf 'VXNlcm5hbWU6' | mimencode -u ; echo

LOGIN Authentication
This method accepts username and password as supplemental arguments. It simply returns each string Base64 encoded. This provides only minimal advantages over using ENCODE twice. One advantage is hiding the password if you provide it on STDIN.

    EHLO trogdor
    AUTH LOGIN
    334 VXNlcm5hbWU6            ## Username:
    a2VubmV0aC5idXJnZW5lcg==    ## ****
    334 UGFzc3dvcmQ6            ## Password:
    SW1CQjE5OTkh                ## ***
    235 Authentication successful

How to Test SMTP AUTH using Telnet [Wiki] | NDCHost [3]:

    perl -MMIME::Base64 -e 'print encode_base64("username.com");'
    # dXNlcm5hbWUuY29t
    perl -MMIME::Base64 -e 'print encode_base64("mypassword");'
    # bXlwYXNzd29yZA==
    telnet mailserver.com 25
    EHLO mailserver.com
    AUTH LOGIN
    dXNlcm5hbWUuY29t
    bXlwYXNzd29yZA==

PLAIN Authentication
This type generates a PLAIN (RFC 2595) authentication string. It accepts supplemental arguments of username and password. It generates a Base64 encoded string "\0<username>\0<password>".
PLAIN: (base64 on single line) [4]

    EHLO trogdor
    AUTH PLAIN
    334
    AGtlbm5ldGguYnVyZ2VuZXIASW1CQjE5OTkh    ## \000***\000***
    235 Authentication successful


    perl -MMIME::Base64 -e 'print encode_base64("\000jms1\@jms1.net\000not.my.real.password")'
    perl -MMIME::Base64 -e 'print encode_base64("\000***\000***")'
    AGtlbm5ldGguYnVyZ2VuZXIASW1CQjE5OTkh

This also works:
AUTH PLAIN AGtlbm5ldGguYnVyZ2VuZXIASW1CQjE5OTkh ## \000***\000***
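
The LOGIN and PLAIN encodings described above, as an added Python example (not code from the original page or from gen-auth). It builds both forms and decodes the Base64 tokens of a captured exchange, which shows that the encoding is reversible by anyone who can read the session. The function names are hypothetical and the transcript is constructed from sample strings on this page.

```python
import base64

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def plain_response(username, password, authzid=""):
    """AUTH PLAIN: one Base64 string of authzid NUL username NUL password."""
    return _b64("\0".join((authzid, username, password)).encode("utf-8"))

def login_responses(username, password):
    """AUTH LOGIN: username and password Base64 encoded separately."""
    return _b64(username.encode("utf-8")), _b64(password.encode("utf-8"))

def decode_token(token):
    """Reverse either encoding; a PLAIN token is split on its two NULs."""
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    if raw.count("\0") == 2:
        authzid, username, password = raw.split("\0")
        return {"authzid": authzid, "username": username, "password": password}
    return raw

def annotate(transcript):
    """Return (token, decoded) for each Base64 token in an AUTH exchange."""
    found, awaiting_reply = [], False
    for line in transcript.strip().splitlines():
        parts, token = line.split(), None
        if parts[:1] == ["334"]:                      # server prompt
            awaiting_reply = True
            token = parts[1] if len(parts) > 1 else None
        elif len(parts) == 3 and [p.upper() for p in parts[:2]] == ["AUTH", "PLAIN"]:
            token = parts[2]                          # response sent on the AUTH line
        elif awaiting_reply and len(parts) == 1:      # client reply to a 334
            token, awaiting_reply = parts[0], False
        if token:
            found.append((token, decode_token(token)))
    return found

# Constructed transcript using sample Base64 strings shown on this page.
LOGIN_SESSION = """
EHLO mailserver.com
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWUuY29t
334 UGFzc3dvcmQ6
bXlwYXNzd29yZA==
235 Authentication successful
"""
```
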
CRAM-MD5
CRAM-MD5 (RFC 2195) accepts three supplemental arguments. The first is the username and the second is the password. The third is the challenge string provided by the server. This string can be either Base64 encoded or not. The RFC states that all (unencoded) challenge strings must start with '<'. This is used to determine whether the string is Base64 encoded or not.
CRAM-MD5 uses the challenge and the supplied password to generate a digest. It then returns the Base64 encoded version of the string md5("<username> <challenge>").
3. AUTH CRAM-MD5

The CRAM-MD5 is a challenge-response method where the password is not sent over the network. It is expected that the password is stored in the clear in IndiMail's backend database MySQL.

    % sudo /var/indimail/bin/vpasswd postmaster@example.com -e pass

Next step is to write a script named cram-md5

    % cat > cram-md5 <<>"
    sys.exit(1)
    str=cram_md5_response(sys.argv[1], sys.argv[2], sys.argv[3]);
    print "%s" %str
    EOF
    % sudo chmod +x ./cram-md5

Now when you do (see below) auth cram-md5, the server will issue a challenge, e.g. in the below example, the challenge is PDIwMTM3LjEyNjc1ODUxMDBAaW5kaW1haWwub3JnPg==. If you decode this, i.e.

    % echo PDIwMTM3LjEyNjc1ODUxMDBAaW5kaW1haWwub3JnPg== | base64 -d
    <20137.1267585100@indimail.org>

The response for the challenge can be generated using the cram-md5 shell script which we created above, i.e.

    % ./cram-md5 PDIwMTM3LjEyNjc1ODUxMDBAaW5kaW1haWwub3JnPg==
    cG9zdG1hc3RlckBleGFtcGxlLmNvbSBjZWU4Mzk3YWIxMjNhMGQ0ZjNhN2ZkZGJiOWNiODcxOQ==

    % telnet 0 smtp
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    220 indimail.org (NO UCE) ESMTP IndiMail 1.137 3 Mar 2010 08:28:17 +0530
    auth cram-md5
    334 PDIwMTM3LjEyNjc1ODUxMDBAaW5kaW1haWwub3JnPg==
    cG9zdG1hc3RlckBleGFtcGxlLmNvbSBjZWU4Mzk3YWIxMjNhMGQ0ZjNhN2ZkZGJiOWNiODcxOQ==
    235 ok, go ahead (#2.0.0)

Please do take a look at Erwin Hoffmann's excellent tutorial on the same subject at http://www.fehcom.de/qmail/smtpauth.html
CRAM-SHA1
This behaves the same as CRAM-MD5 but uses SHA1 digesting rather than MD5.
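
The CRAM-MD5 and CRAM-SHA1 computation described above, as an added Python 3 example (not the IndiMail script and not gen-auth). Per RFC 2195 the response is Base64 of the username, a space, and the hex HMAC of the decoded challenge keyed with the password. The function names are hypothetical, the `RFC_*` values are the example from RFC 2195, and `PAGE_RESPONSE` is the response shown in the IndiMail session.

```python
import base64
import hmac

def cram_response(username, password, challenge, digest="md5"):
    """Client response for CRAM-MD5; digest="sha1" gives CRAM-SHA1."""
    # '<' is not in the Base64 alphabet, so a leading '<' means "already decoded".
    raw = challenge.encode() if challenge.startswith("<") else base64.b64decode(challenge)
    mac = hmac.new(password.encode(), raw, digest).hexdigest()
    return base64.b64encode(f"{username} {mac}".encode()).decode("ascii")

def split_response(response_b64):
    """Split a captured response into (username, hex digest)."""
    user, _, mac = base64.b64decode(response_b64).decode().rpartition(" ")
    return user, mac

def verify(username, password, challenge, response_b64, digest="md5"):
    """Server-side check: recompute from the stored password, compare in constant time."""
    expected = cram_response(username, password, challenge, digest)
    return hmac.compare_digest(expected, response_b64)

# Example exchange from RFC 2195.
RFC_USER = "tim"
RFC_SECRET = "tanstaaftanstaaf"
RFC_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"

# Response sent in the IndiMail session on this page.
PAGE_RESPONSE = ("cG9zdG1hc3RlckBleGFtcGxlLmNvbSBjZWU4Mzk3YWIxMjNh"
                 "MGQ0ZjNhN2ZkZGJiOWNiODcxOQ==")

if __name__ == "__main__":
    print(cram_response(RFC_USER, RFC_SECRET, RFC_CHALLENGE))
    print(split_response(PAGE_RESPONSE))
```

Because the server has to recompute the HMAC, it needs the password (or an equivalent key) in recoverable form, which is why the IndiMail text stores it in the clear.
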
DIGEST-MD5

    250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
    250 HELP
    >>> AUTH DIGEST-MD5
    334 bm9uY2U9IkFKUlVjNUp4MFVRYnY1U0o5Rm95VW5hWnBxWklIRGhMVFUrQXduL0swVXc9Iixxb3A9ImF1dGgsYXV0aC1pbnQsYXV0aC1jb25mIixjaXBoZXI9InJjNC00MCxyYzQtNTYscmM0LGRlcywzZGVzIixjaGFyc2V0PXV0Zi04LGFsZ29yaXRobT1tZDUtc2Vzcw==
    >>> dXNlcm5hbWU9InRlc3QiLHJlYWxtPSJ3aXouZXhhbXBsZS5jb20iLG5vbmNlPSJBSlJVYzVKeDBVUWJ2NVNKOUZveVVuYVpwcVpJSERoTFRVK0F3bi9LMFV3PSIsY25vbmNlPSJBSlJVYzVKeDBVUWJ2NVNKOUZveVVuYVpwcVpJSERoTFRVK0F3bi9LMFV3PSIsbmM9MDAwMDAwMDEscW9wPWF1dGgtY29uZixjaXBoZXI9InJjNCIsY2hhcnNldD11dGYtOCxkaWdlc3QtdXJpPSJzbXRwL2xvY2FsaG9zdC5zZW5kbWFpbC5jb20uIixyZXNwb25zZT0wZTdjZmNhZTcxN2VlYWM5NzJmYzlkNTYwNmExMDgzZA==
    334 cnNwYXV0aD03NDM5ODBjODQ0MmRiYjcxNmQ0ZWE5ZTQ5OTNiMDFkMA==
    >>>
    235 2.0.0 OK Authenticated

Decoded:

    nonce="AJRUc5Jx0UQbv5SJ9FoyUnaZpqZIHDhLTU+Awn/K0Uw=",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",charset=utf-8,algorithm=md5-sess
    username="test",realm="wiz.example.com",nonce="AJRUc5Jx0UQbv5SJ9FoyUnaZpqZIHDhLTU+Awn/K0Uw=",cnonce="AJRUc5Jx0UQbv5SJ9FoyUnaZpqZIHDhLTU+Awn/K0Uw=",nc=00000001,qop=auth-conf,cipher="rc4",charset=utf-8,digest-uri="smtp/localhost.sendmail.com.",response=0e7cfcae717eeac972fc9d5606a1083d
    rspauth=743980c8442dbb716d4ea9e4993b01d0

GSSAPI
NTLM
Although it may be advertised as one of the above types, this method of authentication is referred to singularly as NTLM. This is a multi-step authentication type. The first 3 arguments must be supplied up front. They are username, password, and domain, in that order. These three strings are used to generate an "Auth Request" string. This string should be passed verbatim to the server. The server will then respond with a challenge. This challenge is the fourth argument. After receiving the server challenge, gen-auth will produce an "Auth Response". Posting this response to the server completes the NTLM authentication transaction.
This authentication method requires the Authen::NTLM Perl module to be installed. See EXAMPLES for an example of this transaction. Note also that 'domain' is often left blank by the client or ignored by the server.
- Complicated challenge response:
- http://curl.haxx.se/rfc/ntlm.html
- http://davenport.sourceforge.net/ntlm.html