Sending Email Using OpenSSL SMTP AUTH in Exchange 2019
Step-by-Step Guide + Real Troubleshooting + Concepts
Introduction
In Exchange environments, testing SMTP relay and authentication is often confusing, especially when:
- Protocol logs show only EHLO and QUIT
- SMTP AUTH behaves differently than relay connectors
- Username and password usage is not clear
This guide explains everything step-by-step so there is no confusion.
Step 1 — Install OpenSSL
Download OpenSSL from:
https://slproweb.com/products/Win32OpenSSL.html
After installation, verify it from a command prompt:
- Navigate to: C:\Program Files\OpenSSL-Win64\bin
- Run: openssl version
If a version string appears, OpenSSL is ready.
Step 2 — Connect to Exchange SMTP Server
Run:
openssl s_client -starttls smtp -connect mail.cloudmonkeys.xyz:587
You should see:
- TLS handshake completed
- Certificate details
- SMTP banner
Step 3 — Start SMTP Conversation
Type:
EHLO test
The server responds with its capabilities, including:
250-AUTH GSSAPI NTLM LOGIN
This confirms that authentication is supported.
Step 4 — Start Authentication
Type:
AUTH LOGIN
Server responds:
334 VXNlcm5hbWU6
This is the Base64 encoding of "Username:". The server is asking you to enter the username in Base64 format.
Step 5 — Encode Username (Important)
The username must be the login account (NOT the shared mailbox):
svc-mailer@cloudmonkeys.xyz
Convert using PowerShell:
Output:
c3ZjLW1haWxlckBjbG91ZG1vbmtleXMueHl6
Paste this into OpenSSL.
Step 6 — Encode Password (Critical)
Important rule:
- The password is the actual account password
- Do NOT use the email address as the password
For example, if the password is: MyP@ssw0rd123
Convert:
Paste the output into OpenSSL.
Step 7 — Authentication Success
If the credentials are correct, the server returns:
235 2.7.0 Authentication successful
This confirms SMTP AUTH is working.
Step 8 — Send Email
Now send email:
MAIL FROM:<smb1@cloudmonkeys.xyz>
RCPT TO:<raghu@cloudmonkeys.xyz>
DATA
Subject: OpenSSL Test

This is a test email
.
QUIT
Mail will be delivered successfully.
Real Scenario — Shared Mailbox (Important)
Shared Mailbox: smb1@cloudmonkeys.xyz
User Account: svc-mailer
Authentication must always use:
AUTH → svc-mailer
MAIL FROM → smb1
This works because svc-mailer has Send-As permission.
Common Mistakes
Mistake 1
Using email as password
- Username = svc-mailer
- Password = svc-mailer (wrong)
- Result: Authentication fails
Mistake 2
Double encoding Base64
- Encoding an already encoded value causes failure
- Always encode the original value only once
Mistake 3
Using echo in CMD
- echo adds newline characters, causing incorrect Base64
- Use PowerShell instead
Mistake 4
Typing commands in OpenSSL
- Only paste Base64 values
- Do not type echo or any command
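Steps 5 and 6 and Mistakes 2 and 3 all come down to encoding each credential exactly once, with no trailing newline. The PowerShell below is an added example, not code from the original guide: the helper names ConvertTo-SmtpBase64, ConvertFrom-SmtpBase64 and Test-SmtpBase64 are hypothetical, and the bad inputs at the end are constructed.

```powershell
# Added example; helper names are hypothetical, sample values come from this guide.
function ConvertTo-SmtpBase64 ([string]$Value) {
    # Encodes exactly the UTF-8 bytes of $Value; no CR/LF is appended.
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
}

function ConvertFrom-SmtpBase64 ([string]$Value) {
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Value))
}

function Test-SmtpBase64 ([string]$Encoded) {
    # Decode a value before pasting it and flag the two encoding mistakes.
    $decoded = ConvertFrom-SmtpBase64 $Encoded
    # Mistake 2 (heuristic only): the decoded text is itself well-formed Base64.
    $looksEncoded = ($decoded.Length % 4 -eq 0) -and ($decoded -match '^[A-Za-z0-9+/]+={0,2}$')
    [pscustomobject]@{
        Decoded         = $decoded
        # Mistake 3: a CR/LF picked up from echo became part of the credential.
        TrailingNewline = $decoded -match '[\r\n]\z'
        DoubleEncoded   = $looksEncoded
    }
}

# Step 4: the 334 prompt is plain Base64 text and decodes the same way.
ConvertFrom-SmtpBase64 'VXNlcm5hbWU6'

# Step 5: encode the login account and compare with the value shown in Step 5.
$user = ConvertTo-SmtpBase64 'svc-mailer@cloudmonkeys.xyz'
$user -eq 'c3ZjLW1haWxlckBjbG91ZG1vbmtleXMueHl6'

# Step 6: prompt for the password so it is not typed on a command line
# and does not end up in PSReadLine history.
$secure = Read-Host -Prompt 'Password for svc-mailer' -AsSecureString
$pass = ConvertTo-SmtpBase64 ([Net.NetworkCredential]::new('', $secure).Password)
$pass

# Constructed bad inputs for Mistakes 3 and 2, then the correct value.
Test-SmtpBase64 (ConvertTo-SmtpBase64 "svc-mailer@cloudmonkeys.xyz`r`n")
Test-SmtpBase64 (ConvertTo-SmtpBase64 $user)
Test-SmtpBase64 $user
```

Base64 is an encoding, not encryption: anyone who sees the pasted strings can decode them just as ConvertFrom-SmtpBase64 does, so AUTH LOGIN credentials are only protected by the STARTTLS session from Step 2.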
Understanding Exchange SMTP Behavior
There are two completely different models in Exchange.
SMTP AUTH (Client Submission)
- Client connects using port 587
- Authentication is performed: AUTH LOGIN
- Exchange trusts: Username and Password
- Connector used: Client Proxy
- IP address is ignored
SMTP Relay (Custom Connector)
- Client connects using port 25 or custom port
- No authentication
- Exchange trusts: IP address
- Connector used: Custom Relay Connector
Key Difference
- SMTP AUTH uses identity-based trust
- Relay connector uses IP-based trust
- These two models are completely separate
Why Your Custom Connector Was Not Used
When you used OpenSSL with AUTH LOGIN, Exchange identified the session as authenticated client submission, so it routed the traffic through the Client Proxy connector.
The custom relay connector was bypassed because authentication was used.
Final Concept (Most Important)
Exchange uses two trust models:
- Identity-based (SMTP AUTH)
- Network-based (IP relay)
These do not overlap: authenticated traffic will never use IP-based relay connectors.
Conclusion
In this setup, you successfully:
- Sent email using OpenSSL
- Understood SMTP AUTH clearly
- Differentiated username and password usage
- Fixed Base64 encoding issues
- Validated Send-As scenarios
- Understood Exchange connector selection
Final One-Line Takeaway
SMTP AUTH uses identity, Relay uses IP — understanding this difference is the key to mastering Exchange mail flow