Telnetting to the SMTP port and talking directly to the mail server has always been a helpful tool for debugging and testing. But the same method cannot be used to establish an encrypted session with STARTTLS, because the TLS handshake has to happen inside the session. Here is a brief description of how to do it with the help of the command-line tool gnutls-cli.
You can read the original article at http://www.moeding.net/archives/15-Testing-SMTP-AUTH-after-STARTTLS.html
Use gnutls-cli to connect to the mail server
gnutls-cli --crlf --starttls --x509cafile /etc/pki/tls/certs/ca-bundle.crt --port 25 smtp21-in.cegeka.be
Processed 120 CA certificate(s).
Resolving 'smtp21-in.cegeka.be'...
Connecting to '212.113.81.163:25'...
- Simple Client Mode:
220 smtp21-in.cegeka.be ESMTP
With the --starttls argument gnutls-cli creates a transparent (plaintext) connection until either an EOF is issued on stdin or it receives a SIGALRM signal. The option --x509cafile points to the file with the root CA certificates against which the certificate the server presents during the TLS negotiation is verified.
The last line with the SMTP code 220 indicates that we can start talking SMTP to the server. So we can continue and use the EHLO command to introduce ourselves.
ehlo test.be
250-smtp21-in.cegeka.be
250-8BITMIME
250-SIZE 104857600
250 STARTTLS
From the server's response we can see that it allows STARTTLS to encrypt the connection but does not currently advertise the AUTH command. Therefore we issue the STARTTLS command, and after the server has signalled that it is ready to negotiate the encryption we type Control-D as if we wanted to log out. This tells gnutls-cli to take over and establish the encryption with the server.
STARTTLS
220 2.0.0 Ready to start TLS
^D
Then gnutls-cli prints details about the encryption process. When the encryption has succeeded we can continue to type SMTP commands but now no eavesdropper is able to read what goes on between us and the server.
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 1023 bits
- Peer's public key: 1023 bits
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=BE,ST=Limburg,L=Hasselt,OU=CTC,O=Cegeka nv,CN=*.cegeka.be', issuer `OU=Organization Validation CA,O=GlobalSign,CN=GlobalSign Organization Validation CA', RSA key 2048 bits, signed using RSA-SHA, activated `2011-02-23 13:09:44 UTC', expires `2014-04-26 22:59:59 UTC', SHA-1 fingerprint `d13ad37131bed6250c4fe744b873309cefa9ded3'
- Certificate[1] info:
- subject `C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA', issuer `C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `1998-09-01 12:00:00 UTC', expires `2028-01-28 12:00:00 UTC', SHA-1 fingerprint `b1bc968bd4f49d622aa89a81f2150152a41d829c'
- Certificate[2] info:
- subject `OU=Organization Validation CA,O=GlobalSign,CN=GlobalSign Organization Validation CA', issuer `C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `2007-04-11 12:00:00 UTC', expires `2017-04-11 12:00:00 UTC', SHA-1 fingerprint `4b6c502e014719ae5a808fe89c0828fd38efc117'
- The hostname in the certificate matches 'smtp21-in.cegeka.be'.
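As an added example (not part of the original article), here is the same exchange done by hand in Python over a raw socket. It makes explicit what gnutls-cli does at Control-D: the already open TCP connection is upgraded to TLS, the server's chain is verified against the CA bundle together with the hostname, and EHLO is repeated so you can compare what the server advertises before and after encryption (AUTH should only appear after). The host, port, CA bundle path and EHLO name default to the values used above; the function names are my own.

```python
import socket
import ssl

def parse_ehlo(lines):
    """Map the '250-'/'250 ' lines of an EHLO reply to {KEYWORD: params};
    the first line is the server's name, not a capability."""
    caps = {}
    for text in lines[1:]:
        words = text[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps

def read_reply(sock):
    """Read one complete SMTP reply and return (code, lines)."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
        lines = data.decode("ascii", "replace").split("\r\n")
        last = lines[-2] if len(lines) > 1 else ""
        if len(last) >= 4 and last[3] == " ":      # "250 " marks the final line
            return int(last[:3]), lines[:-1]

def send(sock, cmd):
    sock.sendall(cmd.encode("ascii") + b"\r\n")     # same as --crlf in gnutls-cli

def starttls_audit(host, port=25, cafile="/etc/pki/tls/certs/ca-bundle.crt",
                   ehlo_name="test.be"):
    """Return (caps before TLS, caps after TLS, verified peer certificate)."""
    sock = socket.create_connection((host, port), timeout=15)
    if read_reply(sock)[0] != 220:                  # 220 banner expected
        raise RuntimeError("unexpected greeting")
    send(sock, f"EHLO {ehlo_name}")
    before = parse_ehlo(read_reply(sock)[1])
    if "STARTTLS" not in before:
        raise RuntimeError("server does not offer STARTTLS")
    send(sock, "STARTTLS")
    if read_reply(sock)[0] != 220:                  # 220 2.0.0 Ready to start TLS
        raise RuntimeError("STARTTLS refused")
    # The step gnutls-cli performs at Control-D: upgrade the open socket to TLS.
    ctx = ssl.create_default_context(cafile=cafile)  # chain and hostname checks
    tls = ctx.wrap_socket(sock, server_hostname=host)
    cert = tls.getpeercert()
    send(tls, f"EHLO {ehlo_name}")                  # RFC 3207: start over after TLS
    after = parse_ehlo(read_reply(tls)[1])
    send(tls, "QUIT")
    tls.close()
    return before, after, cert
```

Calling `starttls_audit("smtp21-in.cegeka.be")` needs network access; if the handshake fails verification, `wrap_socket` raises `ssl.SSLCertVerificationError` instead of silently continuing.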