Testing SMTP, POP3 and IMAP protocol access

This article assumes you have access to telnet and openssl. The example tests have been run against a Microsoft Exchange 2010 server. The IP and hostname have been obfuscated. The commands needed to perform these protocol access tests will be the same on both Linux and Windows.

Testing SMTP

Test using plain text

Execute the following command to initiate a plain text connection over port 25.

telnet smtp.server.com 25

Example output

The following is the typical response from an SMTP server, in this case Microsoft Exchange 2010.

Trying 74.161.5.111...
Connected to smtp.server.com.
Escape character is '^]'.
220 smtp.server.com Microsoft ESMTP MAIL Service ready at Thu, 3 May 2012 13:06:21 +0200

Test using an encrypted connection

Execute the following command to initiate an encrypted connection over port 25.

openssl s_client -starttls smtp -crlf -connect smtp.server.com:25

Parameters

Below is the documentation for the parameters used in the example above.

-starttls protocol
send the protocol-specific message(s) to switch to TLS for communication. protocol is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", and "ftp".
-crlf
this option translates a line feed from the terminal into CR+LF as required by some servers.

Example output

There’s little to see here mainly because I had to exclude the certificate verification information to anonymize the test server.

<certificate verification output>
250 CHUNKING

Tip: You may run the usual SMTP commands directly from the command prompt once you have initiated the encrypted connection.

Testing IMAP

Test using plain text

Execute the following command to initiate a plain text connection over the standard IMAP port 143.

telnet imap.server.com 143

Example output

The following is the typical response from an IMAP server, in this case Microsoft Exchange 2010.

Trying 74.161.5.111...
Connected to imap.server.com.
Escape character is '^]'.
* OK The Microsoft Exchange IMAP4 service is ready.

Test using an encrypted connection

openssl s_client -connect imap.server.com:993

Example output

<certificate verification output>
* OK The Microsoft Exchange IMAP4 service is ready.

Testing POP3

Test using plain text

telnet pop.server.com 110

Example output

The following is the typical response from a POP server, in this case Microsoft Exchange 2010.

Trying 74.161.5.111...
Connected to pop.server.com.
Escape character is '^]'.
+OK The Microsoft Exchange POP3 service is ready.

Test using an encrypted connection

openssl s_client -connect pop.server.com:995

Example output

<certificate verification output>
+OK The Microsoft Exchange POP3 service is ready.
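
The certificate verification output left out of the examples above is where s_client reports whether the server's chain was trusted, and s_client carries on to the greeting even when it was not (unless -verify_return_error is given). The script below is an added example, not part of the original article: it summarises a saved s_client session. The function names and the two transcripts are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise a saved `openssl s_client` session.

# summarize_session reads s_client output on stdin and prints one line:
#   verify=<code> proto=<version> service=<smtp|imap|pop3|none>
summarize_session() {
    awk '
        { sub(/\r$/, "") }                    # server lines end in CR+LF
        /Verify return code:/ { code = $4 }   # 0 means the chain verified
        /^ *Protocol *:/      { proto = $NF } # negotiated TLS version
        /^250[ -]/            { svc = "smtp" } # EHLO reply after STARTTLS
        /^\* OK/              { svc = "imap" }
        /^\+OK/               { svc = "pop3" }
        END {
            if (code == "")  code = "missing"
            if (proto == "") proto = "unknown"
            if (svc == "")   svc = "none"
            printf "verify=%s proto=%s service=%s\n", code, proto, svc
        }'
}

# session_trusted succeeds only when the chain verified AND a greeting arrived.
session_trusted() {
    case "$(summarize_session)" in
        "verify=0 "*"service=none") return 1 ;;
        "verify=0 "*)               return 0 ;;
        *)                          return 1 ;;
    esac
}

# Constructed transcripts (trimmed to the relevant lines), not real server output.
SAMPLE_IMAP_TRUSTED='    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---
* OK The Microsoft Exchange IMAP4 service is ready.'

SAMPLE_SMTP_SELFSIGNED='    Protocol  : TLSv1.2
    Verify return code: 18 (self signed certificate)
---
250 CHUNKING'

for s in "$SAMPLE_IMAP_TRUSTED" "$SAMPLE_SMTP_SELFSIGNED"; do
    printf '%s\n' "$s" | summarize_session
done
```

To use it on a real test, save the session with something like `openssl s_client -connect imap.server.com:993 < /dev/null > session.txt` and pipe the file into summarize_session.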

// CrashMAG

Self-signed certificate for Apache

These instructions are distribution agnostic. However, I used CentOS during my tests, so file paths will match those of CentOS, RHEL, Scientific Linux and Fedora. For any other distribution you’ll have to look that up yourself.

The tools required are OpenSSL, Apache and mod_ssl for Apache. To accomplish this I had to run

# yum install mod_ssl

on my CentOS 5.6 box, which already had Apache up and running.

Setting up a self-signed certificate using certificate and key

Generate your key and certificate

Most of these parameters are self-explanatory; those that are not are described below.

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout website.key -out website.crt

-nodes
don’t encrypt the output key
-x509
output a x509 structure instead of a cert. req.

Copy the key and certificate

# cp website.key website.crt /etc/httpd/conf/

Set permissions and ownership on your key and certificate

This way nobody except root has read access.

chmod 440 /etc/httpd/conf/website.key /etc/httpd/conf/website.crt
chown root:root /etc/httpd/conf/website.key /etc/httpd/conf/website.crt

Alter the apache configuration file, also known as httpd.conf

Edit /etc/httpd/conf/httpd.conf with your favorite text editor, in my case, nano. Add the following text at the bottom of the file.

      <VirtualHost *:443>
        SSLEngine on
        # Change the next two lines according to where you've actually
        # stored the certificate and key files.
        SSLCertificateFile /etc/httpd/conf/website.crt
        SSLCertificateKeyFile /etc/httpd/conf/website.key

        ServerName domain.tld
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2

        DocumentRoot /path/to/ssl/enabled/site
        <Directory /path/to/ssl/enabled/site/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>

StrictRequire
This forces forbidden access when SSLRequireSSL or SSLRequire successfully decided that access should be forbidden. Usually the default is that in the case where a “Satisfy any” directive is used, and other access restrictions are passed, denial of access due to SSLRequireSSL or SSLRequire is overridden (because that’s how the Apache Satisfy mechanism should work.) But for strict access restriction you can use SSLRequireSSL and/or SSLRequire in combination with an “SSLOptions +StrictRequire”. Then an additional “Satisfy Any” has no chance once mod_ssl has decided to deny access.

Enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

Setting up a self-signed certificate with the certificate and key in one file

Generate your key and certificate

Most of these parameters are self-explanatory; those that are not are described below.

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout website.pem -out website.pem

-nodes
don’t encrypt the output key
-x509
output a x509 structure instead of a cert. req.

Copy the key and certificate

# cp website.pem  /etc/httpd/conf/

Set permissions and ownership on your key and certificate

This way nobody except root has read access.

chmod 440 /etc/httpd/conf/website.pem
chown root:root /etc/httpd/conf/website.pem

Alter the apache configuration file, also known as httpd.conf

Edit /etc/httpd/conf/httpd.conf with your favorite text editor, in my case, nano. Add the following text at the bottom of the file.

      <VirtualHost *:443>
        SSLEngine on
        # Change the next line according to where you've actually
        # stored the certificate and key file.
        SSLCertificateFile /etc/httpd/conf/website.pem

        ServerName domain.tld
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2

        DocumentRoot /path/to/ssl/enabled/site
        <Directory /path/to/ssl/enabled/site/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>

StrictRequire
This forces forbidden access when SSLRequireSSL or SSLRequire successfully decided that access should be forbidden. Usually the default is that in the case where a “Satisfy any” directive is used, and other access restrictions are passed, denial of access due to SSLRequireSSL or SSLRequire is overridden (because that’s how the Apache Satisfy mechanism should work.) But for strict access restriction you can use SSLRequireSSL and/or SSLRequire in combination with an “SSLOptions +StrictRequire”. Then an additional “Satisfy Any” has no chance once mod_ssl has decided to deny access.

Enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
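
Before restarting Apache with either setup above (separate key and certificate, or both in one .pem file), it is worth confirming that the key matches the certificate, that the certificate has not expired, and that the key file is not readable by everyone. The script below is an added example, not part of the original article: check_pair and demo are names chosen here, -subj is added so openssl does not prompt, stat -c assumes GNU coreutils, and the files are throwaway ones created in a temporary directory.

```sh
#!/bin/sh
# Added example: sanity-check a key/certificate pair before pointing Apache at it.

# check_pair KEYFILE CERTFILE
# Prints "ok", or the first problem found, and returns non-zero on a problem.
check_pair() {
    key=$1; crt=$2
    # Key and certificate belong together when their RSA moduli are equal.
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || { echo "bad-key"; return 1; }
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || { echo "bad-cert"; return 1; }
    [ "$kmod" = "$cmod" ] || { echo "mismatch"; return 1; }
    # -checkend 0 fails when the certificate has already expired.
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null || { echo "expired"; return 1; }
    # The last octal digit of the mode holds the "other" permission bits (GNU stat).
    mode=$(stat -c %a "$key")
    case "$mode" in
        *[1-7]) echo "world-accessible:$mode"; return 1 ;;
    esac
    echo "ok"
}

# demo builds throwaway files with the article's two commands and checks them.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/CN=domain.tld" \
        -keyout "$d/website.key" -out "$d/website.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/CN=domain.tld" \
        -keyout "$d/website.pem" -out "$d/website.pem" 2>/dev/null
    chmod 440 "$d"/website.*
    r1=$(check_pair "$d/website.key" "$d/website.crt") || true
    r2=$(check_pair "$d/website.pem" "$d/website.pem") || true   # combined file
    r3=$(check_pair "$d/website.pem" "$d/website.crt") || true   # key from another pair
    chmod 444 "$d/website.key"                                   # deliberately too open
    r4=$(check_pair "$d/website.key" "$d/website.crt") || true
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

demo
```

On the server itself, run check_pair against the paths named in SSLCertificateKeyFile and SSLCertificateFile; for the single-file setup pass the .pem path for both arguments.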

// CrashMAG