Debug and log SMTP over SSL with sslsplit


Have you ever had to configure a mail client which would stubbornly refuse to work with a mail server? In the old days we would just whip out Wireshark, log the plaintext traffic between client and server and see what was actually going on.

Nowadays it’s not that easy anymore since most mail traffic is transmitted encrypted (which is a very good thing). That makes it a lot harder to listen to the traffic, however. In the case of SSL, the content is not only encrypted, but the server also has to prove its identity with a certificate. Usually only the server can do this, because only the server is in possession of the private key belonging to the certificate.

However, as long as we are in control of the client machine, we can create our own self-signed root certificate for the mail server and install that certificate as a trusted root certificate on our client. In addition to that we redirect the traffic to a proxy which we configure to act like the original mail server with the help of the fake root certificate.

What we are basically doing here is performing a man-in-the-middle attack. And that is only possible because we have full control over our client machine. We set it up to allow the fake certificate to be accepted.

As proxy we can use the tool sslsplit. It acts like an SSL server which we can configure with our own self-signed certificate. It decrypts and logs the incoming traffic and then re-encrypts the stream and sends it on to the real server. That way we can actually log any type of SSL-encrypted protocol (like HTTPS). In our case we want to see what’s happening when a mail client is sending data to an SMTP server via SSL.

In the example I show here I had the following situation:

  • Mail-Client: is running on Windows.
  • Mail-Server: in my case it is a mail relay server from Google: smtp-relay.gmail.com. It listens on port 465 and expects SMTP over SSL on that port.
  • A Proxy-Server: I used Debian in a VM to set up sslsplit as a proxy (a reverse proxy to be specific). This could have been done on the same machine as the client as well, but since we are on Windows I used another machine for setting up sslsplit.

The steps to set this up are:

  1. Generate a self-signed certificate and install it as trusted root certificate on the client machine
  2. Set up sslsplit to listen on port 465 which forwards the traffic to the original mail server
  3. Configure the client machine, so that the connection is made to our proxy server instead of the original mail server.

Generating a certificate and installing it on the client machine

We create a new certificate with openssl. You only need to insert something for the fields Country Name and Organization Name:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt

Now convert it to pkcs12 (pfx) which can be imported as root certificate on windows. If asked, just hit enter for the password.

openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt

Copy ca.pfx to your Windows machine, and open a cmd shell with admin rights. Then import the certificate:

certutil.exe -importpfx Root ca.pfx

You can check the installed certificates by running certlm on Windows. Take a look at the certs under Trusted Root Certification Authorities/Certificates.

Installing and running sslsplit

On the proxy machine, let’s install sslsplit with apt (or the package manager of your choice):

apt-get install sslsplit

There are many tutorials which show how to set up sslsplit as a transparent proxy with iptables to perform NAT. But if you only need to debug a single service it’s easier to set up sslsplit as a reverse proxy:

sslsplit -D -l connections.log -S logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 465 smtp-relay.gmail.com 465

Note that you have to create the directory logdir first. sslsplit is now listening on port 465 and forwards any incoming connection to smtp-relay.gmail.com port 465. Every connection’s decrypted content is written to its own file in logdir, and connections.log records the connection summaries.

Redirecting SMTP traffic to our proxy

All that’s left is to add an entry in C:\Windows\System32\drivers\etc\hosts on our client machine to direct connections to the domain name of the mail server (smtp-relay.gmail.com) to the IP of our own proxy server:

10.0.0.66 smtp-relay.gmail.com

10.0.0.66 is the IP of the Linux machine where we set up sslsplit before. When the mail client that needs to be debugged connects to smtp-relay.gmail.com, it will actually connect to our own machine. Note that most programs need to be restarted for changes in the hosts file to take effect.

As soon as the client is now connecting to the mail server a file should appear in the logdir. It will contain the content of the whole SMTP traffic.

In my case it turned out the mail client had a bug and was not sending the auth data at all, even though it was configured to do that. And the client only gave a simple “Mail could not be sent” error. Without the help of the log file it could have been one of many problems. But now I knew what was really wrong.
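The captured file is raw SMTP, so the check that settled this case (did the client ever send AUTH?) can be scripted. The following is an added example, not code from the post or from sslsplit; it assumes the per-connection file holds the lines of both directions interleaved without direction markers, infers the direction from the SMTP reply-code grammar, and masks credentials so the transcript can be attached to a bug report. The sample transcript is constructed.

```python
import re

# Constructed sample in the shape of a per-connection file sslsplit writes to
# logdir/: raw SMTP lines from both sides, interleaved, without direction tags.
SAMPLE_LOG = (
    "220 smtp-relay.gmail.com ESMTP ready\r\n"
    "EHLO client.example.test\r\n"
    "250-smtp-relay.gmail.com at your service\r\n"
    "250 AUTH LOGIN PLAIN\r\n"
    "MAIL FROM:<alice@example.test>\r\n"
    "530 5.7.0 Authentication Required\r\n"
    "QUIT\r\n"
    "221 2.0.0 closing connection\r\n"
)

SERVER_REPLY = re.compile(r"^\d{3}[ -]")  # SMTP reply: 3-digit code, then ' ' or '-'


def parse_transcript(raw):
    """Tag each line 'S' (server) or 'C' (client); the capture has no direction tags."""
    return [("S" if SERVER_REPLY.match(ln) else "C", ln)
            for ln in raw.splitlines() if ln]


def redact_credentials(events):
    """Mask the AUTH argument and every client answer to a 334 continuation,
    so the transcript can be shared without leaking the account credentials."""
    out, in_auth = [], False
    for direction, ln in events:
        if direction == "C" and ln.upper().startswith("AUTH"):
            in_auth, parts = True, ln.split()
            ln = " ".join(parts[:2]) + (" [REDACTED]" if len(parts) > 2 else "")
        elif direction == "C" and in_auth:
            ln = "[REDACTED]"
        elif direction == "S" and not ln.startswith("334"):
            in_auth = False  # any non-continuation reply ends the AUTH exchange
        out.append((direction, ln))
    return out


def summarize(raw):
    """Did the server offer AUTH, did the client ever send it, which errors came back?"""
    events = redact_credentials(parse_transcript(raw))
    client_cmds = [ln.split()[0].upper() for d, ln in events if d == "C"]
    return {
        "auth_offered": any(d == "S" and ln[:3] == "250" and "AUTH" in ln.upper()
                            for d, ln in events),
        "auth_sent": "AUTH" in client_cmds,
        "client_commands": client_cmds,
        "errors": [ln for d, ln in events if d == "S" and ln[0] in "45"],
    }
```

Running summarize on the sample reports auth_offered but no AUTH among the client commands, followed by the 530 reply, which is exactly the symptom described above.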
