Check for SMTP TLS from command line with OpenSSL

By | 2014/06/05

Here is a quick way to check if a mail server supports SMTP-TLS!


Run the following against the mail server you want to test:

$ openssl s_client -connect mail.example.com:25 -starttls smtp

Once the handshake completes, you can type regular SMTP commands (e.g., ehlo example.com).


Here’s an example against this server, which supports SMTP-TLS:

stmiller@brahms:~$ openssl s_client -connect scottlinux.com:25 -starttls smtp
CONNECTED(00000003)
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=pRUhNAGmSzwqKS/s4fftZBl3WpdKIEsN/OU=GT05040709/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=scottlinux.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/serialNumber=pRUhNAGmSzwqKS/s4fftZBl3WpdKIEsN/OU=GT05040709/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=scottlinux.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3193 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 72DDC185212CC81BA1C4F8C38FB923ADEBC342AAC380BCF6E86B5E938379A91F
    Session-ID-ctx: 
    Master-Key: C327522EADB6B664D466BDF146CD538BEF4F85BD031DBB9D5A4F55584F9A2342DF59FBDA2DD4D161B047487AA81B2277
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:

    Compression: 1 (zlib compression)
    Start Time: 1402014214
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 DSN
ehlo scottlinux.com
250-scottlinux.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
^C

If the server does not support SMTP-TLS, you will see something like this:

stmiller@brahms:~$ openssl s_client -connect mailin-01.mx.aol.com:25 -starttls smtp
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
140190124779176:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 251 bytes and written 355 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
stmiller@brahms:~$ 
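
The two outcomes shown above can be told apart by a script. The following added example (not from the original post) parses s_client output into a one-line verdict, and also separates a verified chain from the "Verify return code: 20" case in the first transcript, where TLS was negotiated but the certificate chain was not validated against a local trust store. The function names, verdict strings and trimmed sample inputs are this example's own.

```shell
#!/bin/sh
# Added example: turn `openssl s_client -starttls smtp` output into a verdict.
# Function names and verdict strings are this example's own, not OpenSSL's.

# Run the page's command without an interactive session. A line starting
# with "Q" on stdin makes s_client close the connection and exit.
probe_smtp_tls() {    # usage: probe_smtp_tls mail.example.com [port]
    printf 'QUIT\r\n' | openssl s_client -connect "$1:${2:-25}" -starttls smtp 2>&1
}

# Read s_client output on stdin and print one verdict line.
classify_s_client() {
    awk '
        /^New, / && /Cipher is/         { cipher = $NF }
        /^ *Protocol *:/                { proto = $NF }
        /no peer certificate available/ { nocert = 1 }
        /Verify return code:/ { sub(/^.*Verify return code: */, ""); verify = $0 }
        END {
            if (nocert || cipher == "" || cipher == "(NONE)") { print "NO_TLS"; exit }
            status = (verify ~ /^0 /) ? "TLS_VERIFIED" : "TLS_UNVERIFIED"
            printf "%s proto=%s cipher=%s verify=\"%s\"\n", status, proto, cipher, verify
        }'
}

# Constructed samples: key lines trimmed from the two transcripts on this page.
sample_tls() { cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}
sample_no_tls() { cat <<'EOF'
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
no peer certificate available
New, (NONE), Cipher is (NONE)
EOF
}

# Offline demo; for a live check: probe_smtp_tls mail.example.com | classify_s_client
sample_tls | classify_s_client
sample_no_tls | classify_s_client
```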

Rock on,
