Using telnet to test authenticated relay in Exchange
Many times I find myself wanting to test the SMTP service in Exchange. Unfortunately, without using OWA or the actual outlook client there aren’t many options. Some time ago, a colleague of mine showed me how to test exchange by using telnet and connecting to the server on port 25. Not only will this give you the error codes for SMTP events but it lets you test internal, external, authenticated, and unauthenticated relay. So from a sys admin point of view it’s pretty crucial to be able to test this when you are configuring an appliance or a piece of software to send email notifications.
-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them
Connect to the SMTP Server
C:>telnet <SMTP Server name or IP> 25
If the connection is successful you should receive the SMTP Server banner. It should look something like this and return the 220 code on the first line.
220 SMTPServer.testdomain.local Microsoft ESMTP MAIL Service ready at Sat, 8 Jan 21
10 6:03:15 –0600
If you receive output, try saying hello to the server with the ‘ehlo’ command. After you press ENTER you should receive a list of available options on that particular SMTP server. Take note of the line that reads ‘250-AUTH NTLM LOGIN’. If you want to test authenticated SMTP, you need to have the ‘AUTH LOGIN’ command available. AUTH LOGIN translates to basic authentication. For instance, this server supports both NTLM and basic authentication.
250-SMTPServer.testdomain.local Hello [192.168.127.10]
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
If you don’t see the option for ‘AUTH LOGIN’ check your SMTP server settings. In Exchange 2007, you can open the Exchange management console, browse to Server Configuration, select Hub Transport, and then check the properties of the default receive connector. In particular, check the authentication tab. It should look something like this…
Note that basic authentication is selected. Also ensure that the check box beneath basic authentication (Offer Basic authentication only after starting TLS) is unchecked. If it’s checked you probably won’t get the ‘AUTH LOGIN’ option.
Once we have basic authentication configured we can try sending a email.
Login to the STP Server
It’s important to note here that authentication in SMTP is done using Base64 encoded phrases. So when I enter ‘AUTH LOGIN’ and press enter the server returns ‘VXNlcm5hbWU6’ which is Base64 for Username:. Any and all parts of the authentication discussion will be in Base64. I use this web site…
to do Base64 encodes and decodes. You can Google for a different method if you prefer. Let’s do the entire authentication conversation in Base64 and then I’ll show the translated input and output.
Conversation in Base64
235 2.7.0 Authentication successful
Translated back to plain text
235 2.7.0 Authentication successful
Once we receive the authentication successful response we can test sending a email as that particular user. This is no different then sending a test email through telnet without the authentication piece.
Send the test email
250 2.1.0 Sender OK
250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>
This is a test email
250 2.6.0 <4b5125d60-e494-47f2-9917-7bd91e455544@SMTPServer.testdomain.local> Queued
mail for delivery
There is one item that I got hung up on the first time I tried testing this. Basically you can’t make typos. For instance if I typed..
Realized that I spelled from wrong, backspaced, spelled it correctly, and then finished the command by pressing enter I would receive this error.
501 5.5.4 Unrecognized parameter
That’s because it takes all of your input and assumes its one line. It looks like the line is correct but all of those backspaces really didn’t do anything. If you receive the error type the line again and ensure that you type it correctly the first time.