Wednesday, April 12, 2017

openssl to test SMTP TLS

Here is the openssl command to test SMTP TLS (STARTTLS) on an SMTP server:

openssl s_client -connect mx1.mediasecure.it:25 -starttls smtp

The output of the command tells you whether STARTTLS is supported on the remote SMTP server and also shows the certificate the server presents, the negotiated protocol and cipher, and the verify return code.

CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.mediasecure.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.mediasecure.it
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = *.mediasecure.it
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.mediasecure.it
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFNTCCBB2gAwIBAgIIItbq63hVx0IwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
.........
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.mediasecure.it
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 1732 bytes and written 656 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 25FEEE4C06B1E4F47CE3E1B9A991ADBE62713D9B192BB4DE8A7977E92D193AC3
    Session-ID-ctx:
    Master-Key: 15827DE828099C0A4E7CEAAB8C8E7300FC8EC8753939CBA5B8E44F75356DA421AFA71D32B6E7BEF883184A40575F1348
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1491980164
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 HELP
helo t.rr.t
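As an added example (not part of the original post), the following POSIX shell script runs the same s_client command against a host, parses the fields that appear in the output above, and flags what that transcript shows: verify return code 21 with a single certificate in the chain (the server sent only its leaf, not the intermediate) and TLSv1 as the negotiated protocol. The host name on the command line and the "legacy protocol" threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): run the s_client STARTTLS check,
# parse the fields shown in the post's output and flag an unverifiable chain
# and a legacy protocol. Assumes openssl is in PATH; "$1" is the MX host.

# Read s_client output on stdin and emit one key=value line per field.
parse_sclient() {
  awk '
    /^ *Protocol *:/         { proto = $3 }
    /^ *Cipher *:/           { cipher = $3 }
    /^ *Verify return code:/ { code = $4 }
    /^ *[0-9]+ +s:/          { chain++ }      # one line per cert the server sent
    /^subject=/              { sub(/^subject=/, ""); subject = $0 }
    END {
      printf "protocol=%s\ncipher=%s\nverify_code=%s\nchain_len=%d\nsubject=%s\n",
             proto, cipher, code, chain + 0, subject
    }'
}

# Turn the parsed fields into findings; return 0 only when nothing is wrong.
# Verify code 21 ("unable to verify the first certificate") together with a
# chain length of 1 means the server sent only its leaf certificate.
assess() {
  rc=0
  while IFS='=' read -r key val; do
    case "$key" in
      verify_code)
        [ "$val" = "0" ] || { echo "FAIL verify_code=$val (chain does not verify)"; rc=1; } ;;
      chain_len)
        [ "$val" -gt 1 ] || echo "WARN only $val certificate sent (intermediate missing?)" ;;
      protocol)
        case "$val" in
          TLSv1.2|TLSv1.3) ;;
          *) echo "WARN legacy protocol $val negotiated"; rc=1 ;;
        esac ;;
    esac
  done
  return "$rc"
}

# Live check: connect to port 25, upgrade with STARTTLS, send QUIT, assess.
check_host() {
  printf 'QUIT\r\n' | openssl s_client -connect "$1:25" -starttls smtp 2>/dev/null \
    | parse_sclient | assess
}
if [ "$#" -eq 1 ]; then
  check_host "$1"
fi
```

Run it as `sh check_starttls.sh mx.example.test` (file name is an assumption); a non-zero exit status means the chain did not verify or a pre-1.2 protocol was negotiated.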