Verifying MTA for correct behavior with swaks

Question

I'm looking for some advice, what I should to check at my brand new mail-server for it's correct behavior. /saying behavior, because it is working - just but want be sure than it is working correctly./

I don't want get blacklisted only because, for example I forgot disallow plaintext auth.

Want use swaks for verifying functionality "from the internet side".

As first comes to my mind:

open relay - should be not allowed
as I say above - disallowed plain text auth - allow only over tls.
try deliver to nonexistent local user - should fail
verify delivery (existence) of the postmaster and abuse aliases (some other is recommented to have?)

so

swaks --to .. --from .. --auth-user name --auth-password pass --protocol SMTP
                                                                ^^^^^^^^^^^^^

If this fails, with the message *** Host did not advertise authentication is enough OK for the 2.?

Any other ideas what I must/should verify? The swaks is great tool - if you know how to use it :) Using "exim" as MTA. What is your favorite swaks tip?

jj33 · Accepted Answer · 2016-05-12T15:56:26.890

Your example is not sufficient to show that plaintext auth isn't allowed over non-tls connections. --protocol SMTP is explicitly telling swaks NOT to use ESMTP, and ESMTP is required for authentication. In other words, you're testing that auth isn't offered over SMTP, not that plaintext auth isn't offered over plaintext connections. (who's on first!).

The following is closer to what you're looking for:

# These should fail, because you don't want to offer plaintext auth protocols
# over non-tls connections
swaks ... --auth PLAIN --auth-user .. --auth-password ..
swaks ... --auth LOGIN --auth-user .. --auth-password ..

# Should succeed because hashed PW protocols are ok over plaintext (assuming you
# support them at all of course):
swaks ... --auth CRAM-MD5 --auth-user .. --auth-password ..
swaks ... --auth DIGEST-MD5 --auth-user .. --auth-password ..
swaks ... --auth NTLM --auth-user .. --auth-password ..

# The converse of the above, make sure your plaintext password work over tls
# sessions (assuming you want them to, of course)
swaks ... --auth PLAIN --auth-user .. --auth-password .. --tls
swaks ... --auth LOGIN --auth-user .. --auth-password .. --tls
swaks ... --auth CRAM-MD5 --auth-user .. --auth-password .. --tls
swaks ... --auth DIGEST-MD5 --auth-user .. --auth-password .. --tls
swaks ... --auth NTLM --auth-user .. --auth-password .. --tls

Hope that helps, good luck!

I think we want the first two to *fail* but you have written "should succeed". — joeytwiddle, May 12 '16 at 13:31

score 0 · Answer 2 · answered Apr 26 '13 at 18:00

Test for open relay:

$ swaks -f user@example.info -t other@example.com --server host.yourserver.com

Test for nonexistent user delivery

$ swaks -f user@example.info -t nonexistent@yourserver.com --server host.yourserver.com

You should verify all email ports (25,465, 587) for correctness, maybe someone will suggest more tests how to do.

Verifying MTA for correct behavior with swaks

2 Answers2