AllGoodBits.org

Testing network services from the command line

The best way to experiment is to eliminate as many variables as possible other than the one you intend to examine. So it is with network services. If we want to remove all the vagaries introduced by poor protocol implementation in clients (user agents), network oddities, etc., then we are left with the simplest possible test of the service in question.

"Connect as directly as possible using the simplest possible client"

The simplest way to test most network services is to send text directly to the port on the server via telnet. If your server only permits TLS- or SSL-encrypted communication, as one might argue it should, then the simplest is to use OpenSSL's s_client. This is true for SMTP, IMAP and HTTP services.

Here I am addressing manual testing for troubleshooting purposes, not automated testing such as smoke tests, regression testing, continuous integration, and the like.

Example SMTP session via telnet

telnet mail.allgoodbits.org 25
Trying 97.107.132.102...
Connected to smtp.allgoodbits.com.
Escape character is '^]'.
220 smtp.allgoodbits.com ESMTP Postfix
ehlo client.allgoodbits.org
250-smtp.allgoodbits.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<me@example.com>
250 2.1.0 Ok
rcpt to:<testing@example.com>
450 4.2.0 <testing@example.com>: Recipient address rejected: Greylisted
quit
221 2.0.0 Bye

Testing SMTP-AUTH via openssl s_client

First you need a base64-encoded version of your username and password, each preceded by a NUL byte:

perl -MMIME::Base64 -e 'print encode_base64("\000username\@domain\000password");'

Then use openssl to talk to the appropriate port on your SMTP server, probably 25 or 587:

openssl s_client -connect localhost:587 -starttls smtp
<snip lots of TLS/SSL-related output>
250 DSN
ehlo smtp.allgoodbits.com
250-smtp.allgoodbits.com
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN <your base64 encoded username/password>
235 Authentication succeeded
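
As an added example (not part of the original article), here is a shell alternative to the Perl one-liner above: it reads the password from stdin, so it stays out of shell history and process arguments, and it strips the line breaks that base64 tools insert for long credentials. The function names are hypothetical and a coreutils-style `base64` is assumed; the decode function shows that the token is only an encoding of the credentials, which is why it is sent after STARTTLS.

```shell
#!/bin/sh
# Added example: build and inspect an SMTP AUTH PLAIN token.
# Function names are hypothetical; assumes a coreutils-style base64.

# Print base64("\0" USER "\0" PASSWORD) on a single line.
# The password comes from stdin, so it is not stored in shell history
# and is not an argument of any external process.
sasl_plain() {
    user=$1
    if [ -t 0 ]; then                 # interactive: prompt, no echo
        printf 'Password: ' >&2
        stty -echo; IFS= read -r pass; stty echo
        printf '\n' >&2
    else
        IFS= read -r pass
    fi
    # printf is a builtin in bash and dash. tr removes the line breaks
    # base64 inserts every 76 characters; AUTH PLAIN needs one line.
    printf '\000%s\000%s' "$user" "$pass" | base64 | tr -d '\n'
    printf '\n'
    unset pass
}

# Decode a token back into its three NUL-separated fields. No key is
# needed: whoever sees the token has the password.
sasl_plain_decode() {
    printf '%s\n' "$1" | base64 -d | tr '\000' '\n' |
        awk 'NR==1 {z=$0} NR==2 {c=$0} NR==3 {p=$0}
             END {printf "authzid=[%s] authcid=[%s] password=[%s]\n", z, c, p}'
}
```

Run `sasl_plain username@domain`, type the password at the prompt, and paste the printed token after `AUTH PLAIN` in the s_client session.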

Example IMAPS session via openssl s_client

IMAP requires numbered identifiers for each command.

Here's an example not-quite-minimal session:

openssl s_client -connect mail.allgoodbits.org:993
<snipped lots of output about setting up the SSL>
* Ok Dovecot ready
01 login me@example.com mypassword
01 OK Logged in
02 select Inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft $Forwarded nonjunk $notjunk junkrecorded Junk $MDNSent)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft $Forwarded nonjunk $notjunk junkrecorded Junk $MDNSent)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1213909585] UIDs valid
* OK [UIDNEXT 3353] Predicted next UID
02 OK [READ-WRITE] Select completed.
03 logout
* BYE Logging out
03 OK Logout completed.
closed

Example HTTP session via telnet

telnet www.allgoodbits.org 80
Trying 97.107.132.102...
Connected to allgoodbits.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.allgoodbits.org

The final blank line is required by the protocol. The first line of the response should be:

HTTP/1.1 200 OK