Connecting to POP/SMTP Server via Telnet

3

3

I am trying to connect to an SMTP/POP server via telnet (port 25 and 110). However, I am not able to authenticate myself. Whenever I try to, it says (pop)

-ERR SPA Required, use AUTH or APOP

What I understand from some searching is that SPA is Microsoft proprietary. Will I be able to authenticate using telnet?

Ankit

Posted 2011-11-11T05:11:24.303

Reputation: 73

If you need to enable SPA to authenticate using a client, then it is the same for telnet, you won't be able to auth if the server is configured to only accept SPA. – Paul – 2011-11-11T05:20:02.980

Answers

6

Maybe. You may need to use openssl to provide security before the server makes a plain auth method available.

First you need to check what AUTH mechanisms are available. You can do that by passing the AUTH command with no arguments, to the pop server:

$ telnet pop-server.example.com 110
Trying 10.10.10.10...
Connected to pop-server.example.com
Escape character is '^]'.
+OK The Microsoft Exchange POP3 service is ready.
AUTH
+OK
NTLM
GSSAPI
PLAIN
.
quit
+OK Microsoft Exchange Server 2010 POP3 server signing off.

Good. (for our purposes, anyways) This server permits plain AUTH. Now you need to build your auth string, which is a joining of the username and password, then base64 encoded.

There is a specific requirement that the format of the AUTH string is <NUL>username<NUL>password. There are several ways you can put this information together. You can use perl, or the printf command.

bash-$ perl -MMIME::Base64 -e 'print encode_base64("\000username\000password");'
AHVzZXJuYW1lAHBhc3N3b3Jk

or, if you don't have the MIME::Base64 perl module installed.

bash-$ printf '\000username\000password' | base64
AHVzZXJuYW1lAHBhc3N3b3Jk

The string those commands return is the base64 encoded username and password, that you pass to the AUTH command.

Now your auth session to the pop server will look something like:

$ telnet pop-server.example.com 110
Trying 10.10.10.10...
Connected to pop-server.example.com
Escape character is '^]'.
+OK The Microsoft Exchange POP3 service is ready.
AUTH PLAIN
+ 
AHVzZXJuYW1lAHBhc3N3b3Jk
+OK Logged in.

Now you can do what you need to do. However, the server may not permit you to use AUTH PLAIN in a non-encrypted session. If that's the case, you may have to use openssl, instead of telnet, to manage your pop3 session.

openssl s_client -connect pop-server.example.com:995

Now your session will be SSL/TLS protected, and you can proceed with the AUTH method outlined above, to interact with your pop3 server.

bash-$ openssl s_client -connect pop-server.example.com:995
CONNECTED(00000003)
<snip a bunch of ssl cruft>
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: blahblahblah
    Session-ID-ctx: 
    Master-Key: blahblahblah
    Key-Arg   : None
    Start Time: 1320992572
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK The Microsoft Exchange POP3 service is ready.

And from here, you can interact with the server in any way you normally would in a straight telnet session.

Tim Kennedy

Posted 2011-11-11T05:11:24.303

Reputation: 355

Thanks for the great answer. My server allows only NTLM for now. I requested the admin to add more authentication options. I learned a lot from this post. :) – Ankit – 2011-11-11T06:35:05.157

@Ankit: NTLM is harder, because you have to read base64 encoded challenges, and build appropriate responses, which is not really feasible to do by hand. (see here: http://msdn.microsoft.com/en-us/library/cc246870%28v=prot.10%29.aspx if you want to read more about it.) The Mutt mail client supports NTLM auth, if you want a mail client that you can use in a terminal.

– Tim Kennedy – 2011-11-11T13:34:18.203
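
The AUTH PLAIN steps from the answer above, as an added Python example that is not part of the original post or its comments. It builds the `<NUL>username<NUL>password` token, decodes it again to show that base64 offers no confidentiality (which is why a server may refuse PLAIN outside TLS), and parses the multi-line reply to a bare AUTH command. The function names and the `tls_active` flag are assumptions made for this illustration.

```python
import base64

# Constructed sample: the reply to a bare AUTH command, as in the transcript above.
SAMPLE_LISTING = ["+OK", "NTLM", "GSSAPI", "PLAIN", "."]

def build_plain(username, password, authzid=""):
    """Return the base64 token for AUTH PLAIN: authzid NUL username NUL password."""
    for field in (authzid, username, password):
        if "\x00" in field:
            # A NUL inside a field would shift the field boundaries.
            raise ValueError("fields must not contain NUL")
    raw = "\x00".join((authzid, username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(token):
    """Reverse build_plain(); anyone who captures the token can do the same."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected authzid NUL username NUL password")
    return tuple(p.decode("utf-8") for p in parts)

def parse_auth_listing(lines):
    """Extract mechanism names from the multi-line reply to a bare AUTH."""
    if not lines or not lines[0].startswith("+OK"):
        return []  # e.g. "-ERR ..." means no listing was returned
    mechs = []
    for line in lines[1:]:
        line = line.strip()
        if line == ".":  # a lone dot terminates a POP3 multi-line reply
            break
        if line:
            mechs.append(line.upper())
    return mechs

def choose_mechanism(mechs, tls_active):
    """Pick PLAIN only when the session is already TLS-protected."""
    if "PLAIN" in mechs and tls_active:
        return "PLAIN"
    return None

if __name__ == "__main__":
    token = build_plain("username", "password")
    print("token:  ", token)
    print("decoded:", decode_plain(token))
    mechs = parse_auth_listing(SAMPLE_LISTING)
    print("offered:", mechs)
    print("over telnet:  ", choose_mechanism(mechs, tls_active=False))
    print("over s_client:", choose_mechanism(mechs, tls_active=True))
```
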