
I am trying to start TLS in sendmail, but I do not know how to use the certificate. Please suggest a way.

> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 <machinename> ESMTP Sendmail <version>; <date>;localhost(OK)-localhost [127.0.0.1]
EHLO localhost
250-<machinename> Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS

When and how should I use/provide the certificate?

Gaurav Minocha

1 Answer


You can't, because as soon as you start using TLS, the conversation becomes encrypted, and you probably don't speak that language ;)

Here is what you can do instead:

openssl s_client -debug -starttls smtp -crlf -connect localhost:25

OpenSSL will do the STARTTLS handshake for you and you will be able to pick up the conversation from there (decrypted automatically on the fly).

Simon
  • You didn't provide the certificate here either? Did you miss it, or do we not need it? (Consider that the SMTP server is not on the local machine.) – Gaurav Minocha Nov 20 '14 at 19:55
  • It's not needed (I assume it's using a default self-signed certificate) but you can easily specify one with `-cert`. See the [man page](https://www.openssl.org/docs/apps/s_client.html) for the full list of options. – Simon Nov 20 '14 at 20:54
  • Maybe the port needs to be `587` or `465`? – isomorphismes May 26 '15 at 13:12
  • `openssl s_client -starttls smtp -connect smtp.gmail.com:587 -crlf -ign_eof` – Scott Stensland Sep 14 '16 at 02:26
  • FYI @ScottStensland, in trying this today I found the command seemed to hang up, and using plain `telnet smtp.gmail.com 587` indicated it tried to use an IPv6 address to communicate. Adding `-4` to my openssl command line forced IPv4 negotiation and it succeeded: `openssl s_client -starttls smtp -4 -connect smtp.gmail.com:587 -crlf -ign_eof` – Neek May 08 '18 at 02:48
  • How do I deal with "250-AUTH LOGIN XOAUTH2"? I am sure base64 won't work here. How do I send the user name and password at this stage? – Sagar May 21 '19 at 09:55
  • Interestingly, @crantok, `base64` provided different results from another source which suggested I use `perl -MMIME::Base64 -e 'print encode_base64("username");'`. The former was unsuccessful, the latter worked. – Auspex Apr 06 '21 at 13:39
  • @Auspex That is because `echo` appends a line terminator `\n`. One has to use `echo -n` or `printf`. – user3342816 Mar 06 '23 at 04:41
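The exchange that `openssl s_client -starttls smtp` automates in the answer, done by hand in Python as an added example (this is not code from the question, the answer or the comments): it reads the EHLO extension list, issues STARTTLS, and then upgrades the socket with a context that verifies the server certificate chain and hostname, which is where the certificate from the question comes in. It also shows the base64 point from the last two comments. The EHLO hostname `client.example` and the optional `cafile` path are assumptions; the EHLO text used in the test is constructed from the session in the question.

```python
import base64
import socket
import ssl

def parse_ehlo(reply):
    """Turn a multi-line EHLO reply ('250-EXT [params]' ... '250 LAST') into
    {EXTENSION: "params"}; the first line is the greeting and is skipped."""
    exts = {}
    for line in reply.splitlines()[1:]:
        if line.startswith("250") and line[4:].strip():
            body = line[4:].split(None, 1)          # drop "250-" / "250 "
            exts[body[0].upper()] = body[1] if len(body) > 1 else ""
    return exts

def auth_plain(user, password):
    """Initial response for AUTH PLAIN (RFC 4616): base64 of NUL user NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def auth_login_token(value, trailing_newline=False):
    """One AUTH LOGIN step. trailing_newline=True reproduces `echo value | base64`,
    which encodes an extra 0x0a and gets rejected; `printf`/`echo -n` give the default."""
    data = value + ("\n" if trailing_newline else "")
    return base64.b64encode(data.encode()).decode()

def _read_reply(rfile):
    lines = []
    while True:
        line = rfile.readline().decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":       # "250-" continues, "250 " ends
            return "\n".join(lines)

def starttls_session(host, port=25, cafile=None):
    """EHLO, STARTTLS, then upgrade the socket with a verifying context (CA chain
    and hostname checked); returns (peer certificate, negotiated TLS version)."""
    ctx = ssl.create_default_context(cafile=cafile)   # assumption: cafile is your CA bundle
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("rb")
        if not _read_reply(rfile).startswith("220"):
            raise RuntimeError("no SMTP greeting")
        sock.sendall(b"EHLO client.example\r\n")       # assumption: client hostname
        if "STARTTLS" not in parse_ehlo(_read_reply(rfile)):
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        if not _read_reply(rfile).startswith("220"):
            raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"EHLO client.example\r\n")   # RFC 3207: EHLO again after TLS
            _read_reply(tls.makefile("rb"))
            tls.sendall(b"QUIT\r\n")
            return tls.getpeercert(), tls.version()
```

A self-signed server certificate, as the answer's author assumes sendmail is using, fails verification here unless you pass it (or its issuing CA) as `cafile`; that failure is the check `-cert`-free `s_client` sessions skip by default.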