In association with heise online

SMTP Authentication

Authentication in SMTP is a little more complicated. Most servers, as in this example, support the AUTH PLAIN mechanism, in which the credentials must be sent Base64-encoded. The encoding is handled by the Perl command:

$ perl -MMIME::Base64 -e 'print encode_base64("\000user-ju\000secret")'
AHVzZXItanUAc2VjcmV0

the output from which should be fed to the SMTP server:

AUTH PLAIN AHVzZXItanUAc2VjcmV0
235 Authentication succeeded

which signals that the server is ready for further SMTP commands. For protocols and servers not supported by openssl you can use gnutls-cli from the gnutls-bin package. With the -s option it first opens a cleartext connection to any STARTTLS-capable service, such as:

$ gnutls-cli -s -p submission smtp.heise.de
Resolving 'smtp.heise.de'...
Connecting to '10.1.2.41:587'...
 
- Simple Client Mode:
 
220 taxis03.heise.de ESMTP Exim 4.69 Wed, 16 Sep 2009 18:03:01 +0200
ehlo test
250-taxis03.heise.de Hello loki.ct.heise.de [10.10.22.75]
250-SIZE 78643200
250-PIPELINING
250-STARTTLS
250 HELP
starttls
220 TLS go ahead

Then you switch to a second shell, look up the process ID of the running tool and send it the signal SIGALRM:

$ ps aux | grep gnutls
ju 6103 pts/3 S+ 18:03 0:00 gnutls-cli [...]
$ kill -s SIGALRM 6103

This causes gnutls-cli to negotiate the TLS connection and to reconnect stdin and stdout to the newly created tunnel. It also presents some interesting information about the new TLS connection it just created:

*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 1 certificates.
 
- Certificate[0] info:
# The hostname in the certificate matches 'smtp.heise.de'.
# valid since: Thu Dec 14 14:08:41 CET 2006
# expires at: Sun Dec 11 14:08:41 CET 2016
# fingerprint: 28:8C:E0:29:B9:31:9B:96:F6:3D:B4:49:10:CD:06:80
# Subject's DN: C=DE,ST=Niedersachsen,L=Hannover,O=Heise Zeitschriften Verlag GmbH Co KG,OU=Netzwerkadministration,CN=smtp.heise.de,EMAIL=admin@heise.de
# Issuer's DN: C=DE,ST=Niedersachsen,L=Hannover,O=Verlag Heinz Heise GmbH & Co KG,OU=Netzwerkadministration,CN=admin@heise.de,EMAIL=admin@heise.de
 
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
quit
221 taxis03.heise.de closing connection
- Peer has closed the GNUTLS connection

This allows you to connect interactively to arbitrary TLS-enabled services. Users wanting to experiment further may be interested to know that openssl also includes s_server, which can emulate a very simple web server; gnutls-serv in the gnutls-bin package provides similar functionality.
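The same exchange in code, as an added example that is not part of the original article: auth_plain_token() reproduces the Perl one-liner (authorization id, NUL, user, NUL, password, then Base64), parse_auth_plain() decodes such a token back, and smtp_starttls_auth() walks through EHLO, STARTTLS, EHLO and AUTH PLAIN the way the gnutls-cli session above does. Host, port and the EHLO name "test" are assumptions; unlike the gnutls-cli run, which reported the peer certificate as NOT trusted, the TLS context here verifies the certificate chain and hostname against the system CA store.

```python
import base64
import socket
import ssl

def auth_plain_token(user, password, authzid=""):
    """AUTH PLAIN credential (RFC 4616): authzid NUL authcid NUL password, Base64-encoded."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_auth_plain(token):
    """Decode a captured AUTH PLAIN token into (authzid, authcid, password)."""
    authzid, authcid, password = base64.b64decode(token).split(b"\0")
    return authzid.decode("utf-8"), authcid.decode("utf-8"), password.decode("utf-8")

def read_reply(f, want=None):
    """Read one SMTP reply (continuation lines use 'NNN-'); fail if `want` is given and differs."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3:
            raise ConnectionError("connection closed or malformed reply")
        lines.append(line[4:])
        if line[3:4] != "-":
            break
    code = int(line[:3])
    if want is not None and code != want:
        raise RuntimeError(f"expected {want}, got {code}: {lines[-1]}")
    return code, lines

def smtp_starttls_auth(host, user, password, port=587):
    """Replay the article's exchange: EHLO, STARTTLS, EHLO again, AUTH PLAIN, QUIT (assumed host/port)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname (the gnutls-cli run above did not)
    sock = socket.create_connection((host, port))
    f = sock.makefile("rb")
    read_reply(f, 220)                  # banner, e.g. "220 ... ESMTP Exim ..."
    sock.sendall(b"EHLO test\r\n")
    if "STARTTLS" not in read_reply(f, 250)[1]:
        raise RuntimeError("STARTTLS not offered; credentials must not be sent in cleartext")
    sock.sendall(b"STARTTLS\r\n")
    read_reply(f, 220)                  # "220 TLS go ahead"
    tls = ctx.wrap_socket(sock, server_hostname=host)  # TLS handshake happens here
    tf = tls.makefile("rb")
    tls.sendall(b"EHLO test\r\n")       # capabilities must be re-read after STARTTLS
    read_reply(tf, 250)
    tls.sendall(f"AUTH PLAIN {auth_plain_token(user, password)}\r\n".encode("ascii"))
    code, msg = read_reply(tf)          # 235 on success, 535 on bad credentials
    tls.sendall(b"QUIT\r\n")
    tls.close()
    return code == 235, msg[0]
```

smtp_starttls_auth() is defined but not called; point it at your own submission server to see the (True, "Authentication succeeded") result the transcript shows.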

(ju)

Permalink: http://h-online.com/-812464