Telnet smtp.mail - must issue STARTTLS command first

2

14

On my Mac terminal, I am trying to telnet into my smtp.gmail.com through port 587.

On Google Apps, (which is set to manage a Dreamhost domain), I have relay configured, as follows:

"Allowed senders: Only addresses in my domains" "Require SMTP Authentication: Yes"

When I HELO <[email protected]>, I get:

250 smtp.gmail.com at your service

Then I enter MAIL FROM: <[email protected]>

which returns:

530 5.7.0 Must issue a STARTTLS command first.

What am I doing wrong?

Annelid answered 19/9, 2015 at 3:10 Comment(0)
27

You're required to start encrypting the connection first. This is done using the STARTTLS command.

You can use the following command instead of telnet:

openssl s_client -starttls smtp -ign_eof -crlf -connect smtp.gmail.com:587

It works like the telnet command, but takes care of starting the encryption first.

Thorwald answered 19/9, 2015 at 18:28 Comment(4)
This breaks when entering: RCPT TO: [email protected] with RENEGOTIATING<LF>139860672468096:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version:../ssl/ssl_lib.c:2127: - Indaba
@rubo77, I got the same error. Have you gotten past it? - Outstrip
Actually the correct command would be: openssl s_client -starttls smtp -ign_eof -crlf -connect <your.server>:port. The documentation of s_client says it will do a Renegotiation when typing in a big R at the start of a line (here RCPT TO...). Since TLS1.3 doesn't support that, you get this strange error message. - Fogbow
@Fogbow Thanks for the improved openssl command line. I updated my answer accordingly. - Thorwald
4

Connecting

From the command line on Mac and Linux one can use openssl, e.g.:

openssl s_client -starttls smtp -4 -connect smtp.server.no:587 -crlf -ign_eof

-4 can be needed to force IPv4.

From the command line on Windows, one should not use the -crlf option, e.g.:

openssl s_client -starttls smtp -4 -connect smtp.server.no:587 -ign_eof

Hello

On successful connection and the welcoming 250 HELP do the normal EHLO:

EHLO nero<ENTER>

Yielding the server spec.

250-smtp.server.no Hello nero [1.2.3.4]
250-SIZE 157286400
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-CHUNKING
250 HELP

Authentication

Here I'm covering AUTH PLAIN and AUTH LOGIN.

  • For LOGIN we need base-64 for username and password.
    • printf %s 'user' | base64 => dXNlcg==
    • printf %s 'pass' | base64 => cGFzcw==
  • For PLAIN we need base-64 for 0x00Username0x00Password
    • printf '\0%s\0%s' 'user' 'pass' | base64 => AHVzZXIAcGFzcw==

LOGIN:

The login method commences as follows.

AUTH LOGIN<ENTER>
334 VXNlcm5hbWU6
dXNlcg==<ENTER>
334 UGFzc3dvcmQ6
cGFzcw==<ENTER>
235 Authentication succeeded

or (using username on AUTH line):

AUTH LOGIN dXNlcg==<ENTER>
334 UGFzc3dvcmQ6
cGFzcw==<ENTER>
235 Authentication succeeded

The responses are (in base-64):

  • VXNlcm5hbWU6 = Username:
  • UGFzc3dvcmQ6 = Password:

PLAIN:

AUTH PLAIN<ENTER>
334
AHVzZXIAcGFzcw==<ENTER>
235 Authentication succeeded

Or AUTH, username and password in one line:

AUTH PLAIN AHVzZXIAcGFzcw==<ENTER>
235 Authentication succeeded

After this continue as normal with RCPT TO etc. or whatever.

Anastomosis answered 6/3, 2023 at 6:13 Comment(2)
Email doesn't send after typing a full stop on a blank line. How do you send the message and close the connection? - Bandur
Fixed. I'll edit the answer. You can't use the -crlf on Windows. - Bandur
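
The encodings and prompts used in the answers above, as an added example that is not part of any original post: it parses the quoted EHLO reply, builds the AUTH PLAIN and AUTH LOGIN strings, and decodes a PLAIN token back to the credentials, which is why the server answers 530 until STARTTLS has been issued. The function names are this example's own, and the sample reply is the one quoted in the answer.

```python
import base64

# Added example; helper names are hypothetical. Sample EHLO reply copied from the answer above.
EHLO_REPLY = """250-smtp.server.no Hello nero [1.2.3.4]
250-SIZE 157286400
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-CHUNKING
250 HELP"""

def parse_ehlo(reply):
    """Map each advertised extension keyword to its parameter list."""
    caps = {}
    for line in reply.splitlines()[1:]:      # first line is the greeting
        code, sep, rest = line[:3], line[3:4], line[4:].split()
        if code != "250" or sep not in ("-", " ") or not rest:
            raise ValueError("unexpected EHLO line: %r" % line)
        caps[rest[0].upper()] = [p.upper() for p in rest[1:]]
    return caps

def b64(data):
    return base64.b64encode(data).decode("ascii")

def auth_plain(user, password, authzid=""):
    """RFC 4616 message: authzid NUL authcid NUL passwd, base64-encoded."""
    return b64("\0".join((authzid, user, password)).encode("utf-8"))

def auth_login(user, password):
    """The two replies to the 'Username:' and 'Password:' prompts."""
    return b64(user.encode("utf-8")), b64(password.encode("utf-8"))

def decode_prompt(line):
    """Decode a '334 <base64>' challenge such as '334 VXNlcm5hbWU6'."""
    return base64.b64decode(line.split(" ", 1)[1]).decode("utf-8")

def decode_plain(token):
    """Recover (authzid, user, password): base64 is encoding, not encryption."""
    return tuple(base64.b64decode(token).decode("utf-8").split("\0"))

def choose_mechanism(caps, tls_active):
    """Pick PLAIN or LOGIN, but only once the channel is encrypted."""
    if not tls_active:
        raise RuntimeError("refusing PLAIN/LOGIN without STARTTLS")
    for mech in ("PLAIN", "LOGIN"):
        if mech in caps.get("AUTH", []):
            return mech
    raise RuntimeError("no supported AUTH mechanism advertised")
```

Anyone who can read the session can run the equivalent of decode_plain on the token, so these mechanisms are only safe inside the TLS channel that openssl s_client -starttls smtp sets up.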
