Testing email encryption
Diagnosing POP3, IMAP and SMTP via SSL
by Jürgen Schmidt
For diagnostic purposes, it can be very useful to talk directly to your SMTP or IMAP server. Things get a little more complicated when encryption rears its ugly head, but with the right tools, it doesn't have to be a black art.
Almost all mail servers offer the option of encrypting connections. Two different procedures are used – either the entire service protocol is sent via an SSL tunnel or a protocol extension called "StartTLS" is used to activate encryption after establishing the connection.
Taking SSL services first, these usually run on dedicated, specially defined TCP ports. Here is a short list of the more important ports:
HTTP over SSL (https): TCP port 443
IMAP over SSL (imaps): TCP port 993
IRC over SSL (ircs): TCP port 994
POP3 over SSL (pop3s): TCP port 995
SMTP over SSL (smtps): TCP port 465
The service listening on such a TCP port expects an SSL handshake from the first byte, so, for example, an email client which doesn't support SSL can't communicate with an IMAPS server on port 993 at all. Once the encryption parameters have been negotiated and certificates exchanged, you have a tunnel through which the actual payload protocol passes. Because standard tools such as telnet and netcat can't perform that handshake, they come up short when it comes to troubleshooting; what they would get back from the server is the binary start of a handshake, not a greeting. The tool of choice is the s_client command that ships with OpenSSL:
$ openssl s_client -host www.heise.de -port 443
[...]
Certificate chain
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
[...]
(output abridged; each "s:" line is the subject of a certificate in the chain, the "i:" line beneath it its issuer)
The information provided by openssl allows us to examine the certificates used, and we should: skipping that check leaves us open to man-in-the-middle attacks, and technically accomplished users who know how to use ettercap have reputedly obtained administrator passwords this way. Note that s_client does not abort when verification fails. It reports "Verify return code: 0 (ok)" only if it can build the chain up to a CA in the store supplied with -CAfile or -CApath; otherwise it typically prints "unable to get local issuer certificate" and carries on talking to the server regardless. Nor does a verified chain say anything about whether the name in the certificate is the server you meant to reach; older OpenSSL versions leave that comparison entirely to you (newer ones offer -verify_hostname).
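The check described above, scripted: the following Python program drives openssl s_client against an SSL-wrapped port and parses what it prints, so the chain, the cipher and the verify result can be examined mechanically instead of by eye. It is an added example written for this article, not the author's tool or part of OpenSSL. It assumes an openssl binary on PATH (used only by probe()); the s_client transcript embedded below is constructed for illustration, not captured from a real server, and the hostnames and CA names in it are made up.

```python
"""Drive `openssl s_client` against an SSL-wrapped port (443, 993, 995, 465)
and turn its diagnostic output into a checkable result.

Added example for this article, not the author's tool.  Assumes an
`openssl` binary on PATH (only used by probe()); the transcript below
is constructed for illustration, not captured from a real server.
"""
import re
import subprocess

# One entry per certificate in the "Certificate chain" block: " 0 s:<subject>"
# followed by "   i:<issuer>".  Both the old "/C=DE/O=..." and the newer
# "C = DE, O = ..." DN styles are matched, since only the text is compared.
CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")
CIPHER_RE = re.compile(r"^New, (.+?), Cipher is (\S+)")
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*)\)")


def parse_s_client(output):
    """Extract chain, cipher and verify result from s_client's output.

    Returns {"chain": [(subject, issuer), ...] with the server cert first,
             "cipher": "<protocol> <cipher>" or None if no handshake,
             "verify": (code, message) or None}.
    """
    chain, cipher, verify = [], None, None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain.append([m.group(2).strip(), None])
            continue
        m = ISSUER_RE.match(line)
        if m and chain and chain[-1][1] is None:
            chain[-1][1] = m.group(1).strip()
            continue
        m = CIPHER_RE.match(line)
        if m:
            cipher = f"{m.group(1)} {m.group(2)}"
            continue
        m = VERIFY_RE.search(line)
        if m:
            verify = (int(m.group(1)), m.group(2))
    return {"chain": [tuple(c) for c in chain], "cipher": cipher, "verify": verify}


def problems(result):
    """List the reasons a connection should not be trusted; empty means ok.

    s_client itself keeps talking after a failed verification, so the
    verify code has to be checked here rather than relied on implicitly.
    """
    issues = []
    if result["cipher"] is None:
        issues.append("no TLS handshake completed")
    chain = result["chain"]
    if not chain:
        issues.append("server presented no certificate")
    for depth in range(len(chain) - 1):
        # Each certificate's issuer must be the subject of the next one up.
        if chain[depth][1] != chain[depth + 1][0]:
            issues.append(f"issuer of depth {depth} is not the subject of depth {depth + 1}")
    if result["verify"] is None or result["verify"][0] != 0:
        msg = result["verify"][1] if result["verify"] else "no verify result"
        issues.append(f"certificate verification failed: {msg}")
    return issues


def probe(host, port, cafile=None):
    """Run s_client once and parse it.  stdin is at EOF so s_client exits
    right after the handshake; -servername sends SNI, -CAfile the trust
    store (without one, verification ends in "unable to get local issuer
    certificate" for almost every real server)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if cafile:
        cmd += ["-CAfile", cafile]
    proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True,
                          text=True, timeout=30)
    return parse_s_client(proc.stdout)


# Constructed transcript of an IMAPS probe run without a trust store.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 O = Example CA, CN = Example Issuing CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:C = DE, O = Example Mail, CN = imap.example.com
   i:O = Example CA, CN = Example Issuing CA
 1 s:O = Example CA, CN = Example Issuing CA
   i:O = Example CA, CN = Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(PEM body left out of this constructed sample)
-----END CERTIFICATE-----
subject=C = DE, O = Example Mail, CN = imap.example.com
issuer=O = Example CA, CN = Example Issuing CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
    Verify return code: 20 (unable to get local issuer certificate)
---
"""

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    found = probe(host, port, sys.argv[3] if len(sys.argv) > 3 else None)
    for depth, (subject, issuer) in enumerate(found["chain"]):
        print(f"{depth}: {subject}\n   issued by {issuer}")
    print("cipher:", found["cipher"])
    print("problems:", problems(found) or "none")
```

Run as "python3 probe.py imap.example.com 993 /etc/ssl/certs/ca-certificates.crt" (path to the CA bundle is an assumption; it varies by system). On the constructed transcript, problems() reports only the failed verification, which is exactly the case the text warns about: the handshake succeeded, a chain was presented, and s_client would happily have let you log in anyway.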
The SSL client then encrypts and decrypts the input and output channels transparently, allowing the user to talk directly to the server just as with telnet. For HTTP that means typing the request line, the Host header an HTTP/1.1 request requires, and an empty line to end the headers:
GET / HTTP/1.1
Host: www.heise.de

HTTP/1.1 302 Found
Date: Wed, 16 Sep 2009 10:24:44 GMT
[...]