How To Manually Send Email Using Telnet to Check for Open Relays

Knowing how to manually send an email using TELNET rather than a traditional email application such as Microsoft Outlook is sometimes useful for troubleshooting or testing for an open mail server relay. In order to send email via TELNET you will need 3 things:

  • An active internet connection
  • The address of a mail server capable of sending email from you – usually provided by your ISP (e.g. mail.myisp.com)
  • A valid email address (e.g. [email protected])

How to Manually Send An Email Using TELNET

The first thing to do is to open a connection from your computer to your mail server.

telnet mail.myisp.com 25

You should receive a reply like:

Trying ???.???.???.???...
Connected to mail.myisp.com.
Escape character is '^]'.
220 mail.myisp.com ESMTP Sendmail ?version-number?; ?date+time+gmtoffset?

You will then need to declare where you are sending the email from:

HELO local.domain.name

Don’t worry too much about your local domain name although you really should use your exact fully qualified domain name as seen by the outside world the mail server has no choice but to take your word for it.

This should give you:

250 mail.myisp.com Hello local.domain.name [ip.address.displayed.here], pleased to meet you

Now give your email address or some other email address that can be used with the mail server:

MAIL FROM: [email protected]

Should yield:

250 2.1.0 [email protected] Sender ok

If it doesn’t please see possible problems below.

Now give the recipients address:

RCPT TO: [email protected]

Should yield:

250 2.1.0 [email protected] Recipient ok

If it doesn’t see possible problems below.

To start composing the message issue the command:

DATA

If you want a subject for your email type:

Subject: your subject line here

then press enter twice

You may now proceed to type the body of your message. Example:

Hello world! I am the test email.

To tell the mail server that you have completed the message enter a single “.” on a line on it’s own.

.

The mail server should reply with:

250 2.0.0 ???????? Message accepted for delivery

You can close the connection by issuing the QUIT command.

QUIT

The mailserver should reply with something like:

221 2.0.0 mail.myisp.com closing connection
Connection closed by foreign host.

Possible Problems

Here are a list of problems you may encounter and their fixes:

501 [email protected] Sender domain must exist

The domain that you are sending from must exist

503 Need MAIL before RCPT

A recipient has been specified before a sender.

550 [email protected] Relaying Denied

The mail server has refused to relay mail for you, this may be for any number of reasons but typical reasons include:

  • Not using this provider for an internet connection
  • Not using an email address provided by the owner of the server.

Some Things to Watch Out For

  1. If you type too quickly, sometimes it won’t recognize your text
  2. The backspace key sometimes does not work with some telnet clients (even though it may seem as though it does). you can try the DELETE key instead.

OS X – How to Search For a Substring Inside of GZIP and BZ2 Files

This tip is really a generic *Nix command so it should not only work in OS X but also in other flavors of UNIX such as Linux.

In OS X a lot of the log files are auto-archived into compressed GZIP files in Tiger (Mac OS X 10.4) and BZ2 files in Leopard (Mac OS X 10.5). If you need to search for an occurrence of a word or other string of text in a compressed GZIP file, you can use the following terminal command:

zgrep someString theLogFileName.log.gz

As an example, say you want to search for the word “error” in a compressed system log in Tiger. To do this you would launch the Terminal application and run the command:

zgrep error /var/log/system.log.0.gz

Alternatively you can search all compressed system log files in a single command by using an asterisk (*) as a “wild card” character:

zgrep error /var/log/system.log*

Leopard uses the BZ2 compression scheme for most of its log files and you can similarly search those files by using the bzgrep command. For example, say you wanted to search all the application firewall logs for instances of the word “connection”. To do this you would run the following command in the Terminal application:

bzgrep connection /var/log/appfirewall.log*

If you need to search for a string that consists of more than one word separated by spaces, you would need to surround the search string in quotation marks:

bzgrep "connection attempt" /var/log/appfirewall.log*

Sherlock

10.5 Leopard – How to Manually Kerberize Services

Introduction

Today when I went to “kerberize” the services on my 10.5.1 Leopard server I attempted to follow the instructions in the official Leopard server manual. If you have read the “excellently written” (FYI I am being sarcastic) OS X server manuals then you already know how it went. In the manual it states there is supposed to be a nice pretty button in the Open Directory service settings that you can just press to “kerberize” all built-in services on your server which are capable of being kerberized. Well when I went to the location the manual stated the button should be there was no button. At this point I already knew what had to be done. If you haven’t figured this out yet, for every server administration operation you can do with the pretty GUI apps that Apple provides, you better know how to do it from the command line. Because when the pretty GUI tools fail you, you are up the creek unless you know how to bust out the terminal and do it the “hard” way. Before I tell you the terminal command to run to kerberize the services on your server, here is a very brief explanation of how kerberos works with Leopard when a user accesses a “kerberized” service. I warn you that I am no kerberos expert and what I am about to tell you may not be accurate but it is what I have observed from the dozens of test installations I have done with Leopard.

Description of Leopard Client/Server Kerberos Interaction

For this explanation I will use the example of a user wanting to connect to a Leopard file server via Apple File Sharing using purely “single sign-on” kerberos authentication. Let us assume the Open Directory is properly setup and its Kerberos services are running fine and the client computer the user is using to access the file server is configured to authenticate against this Open Directory server. Let us also assume that the file server has been configured to authenticate against that same Open Directory server. So here is the whole process of what happens when the user accesses the file server:

1. The user logs into their Leopard desktop computer in their office. Upon logging into the computer OS X requests and receives a kerberos ticket from the Open Directory server.

2. The user then initiates an AFP connection to the file server.

3. The AFP service on the file server first asks the Open Directory server if the user has already been issued a valid kerberos ticket. Before responding to the AFP service, the Open Directory server first checks its configuration to see if the file server has been authorized by an administrator to use the kerberos services of the Open Directory server. If the file server has been authorized then the Open Directory server responds to the file server. If the user has not been issued a valid ticket, then the user is prompted with a username/password dialog box which allows the user to receive a new kerberos ticket from the Open Directory server.

4. Once the user has a valid kerberos ticket then the AFP service on the file-server issues the user another ticket for accessing its AFP file service. The user is then automatically logged into the server via Kerberos. At this point the user has a valid kerberos ticket for accessing the Apple File Sharing service on the server so until the user reboots their computer or their kerberos ticket expires, they will be able to log into the AFP file service on the server automatically without being prompted for a username/password.

Terminal Command to Manually Kerberize Services

This terminal command will kerberize all the built-in Leopard services which are kerberos compatible. It will write entries into the Open Directory master’s kerberos configuration. There will be a kerberos configuration entry added for each service.

sudo sso_util configure -r YOUR.REALM.COM -a diradmin -p theDirAdminPassword all

Replace YOUR.REALM.COM with the exact name of your Kerberos “realm” which is displayed in the settings of your Open Directory master server. Replace “diradmin” with the username of an account that has “directory administrator” privileges for your Open Directory. By default this account is named “diradmin” but it may be different in your environment. Replace “theDirAdminPassword” with the password of the “diradmin” account.

Once you execute the above terminal command, you may need to restart your newly “kerberized” services on your server for the changes to take effect.