Using telnet to test authenticated relay in Exchange

Many times I find myself wanting to test the SMTP service in Exchange.  Unfortunately, without using OWA or the actual Outlook client there aren’t many options.  Some time ago, a colleague of mine showed me how to test Exchange by using telnet and connecting to the server on port 25.  Not only will this give you the error codes for SMTP events, but it lets you test internal, external, authenticated, and unauthenticated relay.  So from a sysadmin point of view it’s pretty crucial to be able to test this when you are configuring an appliance or a piece of software to send email notifications.

Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue are variable names I made up, feel free to change them

Connect to the SMTP Server
C:>telnet <SMTP Server name or IP> 25

If the connection is successful you should receive the SMTP Server banner. It should look something like this and return the 220 code on the first line.

220 SMTPServer.testdomain.local Microsoft ESMTP MAIL Service ready at Sat, 8 Jan 21
10 6:03:15 –0600

If you receive output, try saying hello to the server with the ‘ehlo’ command.  After you press ENTER you should receive a list of available options on that particular SMTP server.  Take note of the line that reads ‘250-AUTH NTLM LOGIN’.  If you want to test authenticated SMTP, you need to have the ‘AUTH LOGIN’ command available.  AUTH LOGIN translates to basic authentication.  For instance, this server supports both NTLM and basic authentication.

ehlo
250-SMTPServer.testdomain.local Hello [192.168.127.10]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST

If you don’t see the option for ‘AUTH LOGIN’ check your SMTP server settings.  In Exchange 2007, you can open the Exchange management console, browse to Server Configuration, select Hub Transport, and then check the properties of the default receive connector.  In particular, check the authentication tab.  It should look something like this…
[image]

Note that basic authentication is selected.  Also ensure that the check box beneath basic authentication (Offer Basic authentication only after starting TLS) is unchecked.  If it’s checked you probably won’t get the ‘AUTH LOGIN’ option.
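As an added example (not part of the original post), the Python below parses an EHLO reply like the one shown earlier and reports which AUTH mechanisms are advertised and whether LOGIN is being offered on a session that has not started TLS, in which case the credentials cross the network only Base64-encoded. The function names and the `tls_active` parameter are made up for this example; the sample reply is copied from the post.

```python
# Added example: inspect an EHLO reply for its authentication options.
# SAMPLE_EHLO is the server reply shown in the post above.
SAMPLE_EHLO = """\
250-SMTPServer.testdomain.local Hello [192.168.127.10]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
"""

def parse_ehlo(reply):
    """Return {KEYWORD: [parameters]} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"not a 250 reply line: {line!r}")
        if i == 0:
            continue  # the first line is the greeting, not a capability
        words = rest.split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def audit_auth(caps, tls_active=False):
    """Summarise the AUTH options; tls_active says if STARTTLS already ran."""
    mechs = caps.get("AUTH", [])
    return {
        "mechanisms": mechs,
        "starttls_offered": "STARTTLS" in caps,
        "login_offered": "LOGIN" in mechs,
        # Basic auth offered without TLS: credentials are only Base64-encoded.
        "login_in_cleartext": "LOGIN" in mechs and not tls_active,
    }

if __name__ == "__main__":
    print(audit_auth(parse_ehlo(SAMPLE_EHLO)))
```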

Once we have basic authentication configured we can try sending an email.

Log in to the SMTP Server
AUTH LOGIN
334 VXNlcm5hbWU6

It’s important to note here that authentication in SMTP is done using Base64 encoded phrases.  So when I enter ‘AUTH LOGIN’ and press enter the server returns ‘VXNlcm5hbWU6’ which is Base64 for Username:.  Any and all parts of the authentication discussion will be in Base64.  I use this web site…

http://www.webpan.com/Customers/Email/base64_conversion.htm

to do Base64 encodes and decodes.  You can Google for a different method if you prefer.  Let’s do the entire authentication conversation in Base64 and then I’ll show the translated input and output.

Conversation in Base64
AUTH LOGIN
334 VXNlcm5hbWU6
YWRtaW5pc3RyYXRvcg==
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.7.0 Authentication successful

Translated back to plain text
AUTH LOGIN
334 Username:
administrator
334 Password:
password
235 2.7.0 Authentication successful
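The encoding and translation steps above can be done locally instead of on a web site, so the credentials being tested never leave your machine. This is an added example, not code from the original post; the function names are made up, and the sample transcript is the conversation from the post. It also shows that anyone who can read the session can reverse the values, since Base64 is an encoding and not encryption.

```python
# Added example: encode and decode an AUTH LOGIN exchange locally.
import base64

# The Base64 conversation shown in the post above.
SAMPLE = """\
AUTH LOGIN
334 VXNlcm5hbWU6
YWRtaW5pc3RyYXRvcg==
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.7.0 Authentication successful
"""

def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def unb64(token):
    # validate=True rejects anything that is not clean Base64
    return base64.b64decode(token, validate=True).decode("utf-8")

def auth_login_lines(username, password):
    """The two lines to type after AUTH LOGIN, in order."""
    return [b64(username), b64(password)]

def translate(transcript):
    """Decode the Base64 parts of an AUTH LOGIN conversation to plain text."""
    out, in_auth = [], False
    for line in (l.strip() for l in transcript.splitlines()):
        if not line:
            continue
        if line.upper() == "AUTH LOGIN":
            in_auth = True
            out.append(line)
        elif in_auth and line.startswith("334 "):
            out.append("334 " + unb64(line[4:]))   # server prompt
        elif in_auth and line[:3].isdigit() and line[3:4] in (" ", "-"):
            in_auth = False                         # 235/535 ends the exchange
            out.append(line)
        elif in_auth:
            out.append(unb64(line))                 # client answer
        else:
            out.append(line)
    return out

if __name__ == "__main__":
    print("\n".join(translate(SAMPLE)))
```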

Once we receive the authentication successful response we can test sending an email as that particular user.  This is no different than sending a test email through telnet without the authentication piece.

Send the test email
mail from:administrator@testdomain.com
250 2.1.0 Sender OK
rcpt to:user@mydomain.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
This is a test email
.
250 2.6.0 <4b5125d60-e494-47f2-9917-7bd91e455544@SMTPServer.testdomain.local> Queued mail for delivery

There is one item that I got hung up on the first time I tried testing this.  Basically you can’t make typos.  For instance if I typed..

mail frrom:

…realized that I spelled ‘from’ wrong, backspaced, spelled it correctly, and then finished the command by pressing ENTER, I would receive this error.

501 5.5.4 Unrecognized parameter

That’s because it takes all of your input and assumes it’s one line.  It looks like the line is correct but all of those backspaces really didn’t do anything.  If you receive the error, type the line again and ensure that you type it correctly the first time.



  1. Nathanial

    Great post. I totally agree with you.

  2. Francois

    Awesome Post, thanks!
    I would just like to know what the effect would be by unselecting basic authentication. A spammer got one of our user credentials and started sending spam through our Exchange, so I disabled basic authentication. Can there be a negative impact due to it being off?

    1. Jon Langemak

      Glad the post was helpful! I’ve been out of the Exchange game for some time now, but I’m assuming you are right. I wonder however how risky it is to run if you make sure that it’s running on top of TLS.

    2. fangyunfeng

      Assume that my email address is fangyunfeng@huawei.com, my username is fangyunfeng, and my password is Asd123.
      If I choose AUTH NTLM, what information should I input next?
      Is it fangyunfeng\Asd123? I tried, but I got 535 5.7.3 Authentication unsuccessful.

      You can see the detail info here:
      auth ntlm
      334 NTLM supported
      ZmFuZ3l1bmZlbmdcQXNkMTIz
      535 5.7.3 Authentication unsuccessful

      1. Jon Langemak

        Did you follow the instructions? I haven’t done this myself in a long time.

        1. Nick

          You have to use the website linked to code the username and password and it works. Does this mean that we would have to put the encoded username and password into the CRM that would be sending out the email to get it to work?

        2. Craig Chadwick

          Thanks a million, this finally helped me to get the admin on the Exchange server to configure things so I could authenticate from my .NET application! Three days of banging my head fixed in one hour :)

        3. Siddhesh

          Thanks
