Test SMTP Configuration Using Telnet or OpenSSL

Mindwatering Incorporated

Author: Tripp W Black

Created: 07/06/2009 at 09:20 AM

 

Category:
Domino Server Issues Troubleshooting
Mail Routing

To test whether outgoing mail from a client can reach a Mindwatering, or any other, mail server, you can use OpenSSL on a Mac or Linux workstation, and Telnet on most PCs.

Notes:
- OpenSSL will also give you the TLS certificate information and show you that your chain is good.
- Starting in TLS 1.3, a line that starts with "R" (e.g. RCPT TO) is taken as a command to renegotiate with the server. We don't want that to happen in a manual test, so add -ign_eof and -crlf to the command.

$ openssl s_client -connect server.mindwatering.com:587 -starttls smtp -ign_eof -crlf

Once you see the 250 DSN line shown below, the server output is complete and the server is waiting for the next command. Note that a root certificate is always self-signed, so don't be alarmed by the 3rd line saying there is a self signed certificate in the chain.

CONNECTED(00000003)
depth=3 /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=www.mindwatering.net
. . .
/Xp3V+ZpBOBlkJ90k/SsPKlu4vXY5TmW1dWK8CU3aPhMHjkQ1A==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=www.mindwatering.net
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: CC2B5B65546A2ED36982C6C8F60476DEFE80DFEBB7158DB4B63A7367CC39F478
Session-ID-ctx:
Master-Key: 3295330DAA067A0675A5CF12539EF7AB2F433CF537ED342B940D2C4734856F89AC6797E90B9CC8334638E27DA1F34CFB
Key-Arg : None
Start Time: 1507137245
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 DSN
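
The check described above (chain verified, and a final "250 " line rather than a "250-" continuation line) can be scripted against a saved capture. This is an added example, not part of the original article; the function names check_capture and sample_capture are hypothetical, and the sample capture is constructed and abridged from the shape of the output above.

```shell
#!/bin/sh
# Added example: summarize an `openssl s_client` capture of an SMTP test.
# check_capture [FILE]   (reads standard input when FILE is omitted)
# Prints: verify=<code> protocol=<name> cipher=<name> last_reply=<code>
# Returns 0 only when the chain verified (code 0) and the last SMTP reply
# seen is a final 2xx line such as "250 DSN".
check_capture() {
    awk '
        { sub(/\r$/, "") }                 # -crlf sessions leave CRs in captures
        /Verify return code:/ { verify = $4 }
        /^ *Protocol *:/      { protocol = $NF }
        /^ *Cipher *:/        { cipher = $NF }
        # SMTP reply: three digits, then "-" (more lines follow) or " " (final).
        /^[0-9][0-9][0-9][- ]/ {
            last  = substr($0, 1, 3)
            final = (substr($0, 4, 1) == " ")
        }
        END {
            printf "verify=%s protocol=%s cipher=%s last_reply=%s\n",
                   verify, protocol, cipher, last
            exit !(verify == "0" && final && last ~ /^2/)
        }
    ' "$@"
}

# Constructed sample capture (abridged), used to show the function working.
sample_capture() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---
250 DSN
EOF
}

sample_capture | check_capture
```

To use it on a real session, save the s_client output to a file (for example by piping it through tee) and pass the file name to check_capture.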

iPhones and Androids, along with the MS Outlook client, prefer a session that does not use STARTTLS but has TLS running from the start.
In addition to the STARTTLS ports 25 and 587, there is typically port 467, which starts with normal TLS at the beginning of the connection.

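To test the "Outgoing SMTP" from a client (with -ign_eof and -crlf, as noted above, so that the RCPT TO line is sent to the server as typed):
$ openssl s_client -connect server.mindwatering.com:467 -ign_eof -crlf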
<output>
EHLO myserver.mindwatering.net
250-PIPELINING
...
250 CHUNKING
MAIL FROM: testperson@mindwatering.net
250 2.1.0 Ok
RCPT TO: testrecipient@mindwatering.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Type the test message contents
.
<output similar to: 250 Ok: queued as abcZXC4DEFqH09jK6iMnNm>
quit
221 2.0.0 Bye
closed


So to test the "IMAP SSL/TLS":
$ openssl s_client -connect gideon.mindwatering.com:993

or (if the port starts insecure and supports STARTTLS)
$ openssl s_client -connect gideon.mindwatering.com:993 -starttls imap

Enter the following command to end the remote session with the server.
quit


________________________


For MS Windows PCs that have the telnet utility installed, use the following command:
telnet server.mindwatering.com 25
(standard smtp port is 25)

If the connection times out, the port is not open somewhere along the path. If you get an opening message from the server, then the connection made it through.
(The message varies.)

Here is a sample telnet test:

telnet mx1.mindwatering.com 25
220 mx1.mindwatering.com ESMTP Postfix
helo trip.mindwatering.local
250 mx1.mindwatering.com
mail from: person@mindwatering.com
250 2.1.0 Ok
rcpt to: another@mindwatering.net
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: test
.
250 2.0.0 Ok: queued as AEC8A27DF3
quit
250 2.0.0 Bye.

Connection to host lost.


Notes:
If local echo is off, turn it on. Otherwise you are typing blind.
If you make a mistake while typing in the Telnet DOS program, you have to re-enter the command. You cannot backspace successfully, because the backspace characters are sent to the server, too. The server will complain that you sent it invalid data and may hang up on you.

Telnet is the "old" way of doing it. OpenSSL is not typically installed as standard on MS Windows Server 2019/2022. However, the telnet program can be installed via PowerShell:
> Install-WindowsFeature -name Telnet-Client


