Test STARTTLS configuration of SMTP server

Here are several websites that provide tests that you may be interested in.

  • SSL-Tools is a web-based tool that tests an SMTP server for each of the items you mentioned; it tests for STARTTLS support, a certificate that passes strict validation checks, support for perfect forward secrecy, and other stuff:

    https://ssl-tools.net/mailservers

  • StartTLS is a web-based tool that tests an SMTP server and provides a simple grade, along with many details on the configuration of the SMTP server (though no testing of whether perfect forward secrecy is used):

    https://starttls.info/ (see the about page for information about the service, or the statistics about sites checked with their service)

  • CheckTLS is a web-based tool that provides a way to test an SMTP server for STARTTLS support, as well as whether the certificate is "ok" (i.e., it passes strict validation) and partial information on what cipher was negotiated when they connected to that SMTP server (but no information about perfect forward secrecy support):

    https://www.checktls.com/

  • The following web-based tools check whether an SMTP server supports STARTTLS, but do not perform any of the other checks mentioned in the question:

    • https://luxsci.com/extranet/tlschecker.html (see http://luxsci.com/blog/how-to-tell-who-supports-tls-for-email-transmission.html for an introduction)
    • https://mxtoolbox.com/

If you have to check only one or two, try SSL-Tools and StartTLS.


You can check support for STARTTLS with openssl s_client -starttls smtp ....

  • With the right settings of -CAfile/-CApath you can also check the certificate chain.
  • What it does not check is the hostname, i.e. you have to check it manually.
  • It will also print out the cipher used, so you can check if it's an ECDHE or DHE cipher to see if forward secrecy gets used.
  • Maybe you might want to explicitly specify a cipher list with the -cipher option to find out if the server prefers FS ciphers even if the client puts them at the end of the preference list.

Alternatively you might use Perl with a recent enough IO::Socket::SSL like this:

use strict;
use warnings;
use IO::Socket::SSL 1.968;      # also exports $SSL_ERROR
use Net::SMTP;
use Net::SSLGlue::SMTP;         # adds the starttls method to Net::SMTP

my $host = 'mx.example.com';
my $smtp = Net::SMTP->new($host, Debug => 1) or die "connect failed";
$smtp->starttls(
    # where your CAs are, has usable defaults
    # SSL_ca_file => ...,
    # SSL_ca_path => ....,
    # to restrict ciphers and set preference
    # SSL_cipher_list => '...',
) or die "starttls failed: $@|$SSL_ERROR";
print "cipher=".$smtp->get_cipher."\n";
print "version=".$smtp->get_sslversion."\n";

This will do proper certificate checking, does hostname verification, gives you the cipher to find out if it provides forward secrecy and gives you the SSL version too. And with the latest IO::Socket::SSL versions you can also do OCSP checking to see if the certificate is revoked (see the documentation in IO::Socket::SSL).
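The same checks the answer above performs with openssl s_client and Perl (STARTTLS advertised, certificate chain and hostname validated, negotiated protocol and cipher reported, forward secrecy judged from the key exchange) can be done with Python's standard library. The script below is an added example and is not code from the answerer or from any of the listed tools; it assumes nothing beyond smtplib and ssl, and the host name and cipher strings it takes are whatever you pass in.

```python
"""Check an SMTP server's STARTTLS setup with only the Python standard library:
is STARTTLS advertised, does the certificate pass chain and hostname
validation, which protocol/cipher was negotiated, and is it forward secret."""
import smtplib
import ssl

# OpenSSL cipher-name prefixes whose key exchange is ephemeral (forward secret).
_FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(cipher_name, tls_version=None):
    """Return True if the negotiated suite uses an ephemeral key exchange.

    TLS 1.3 suites (OpenSSL names them TLS_...) always use (EC)DHE, so they
    are forward secret even though the key exchange is not in the name.
    Pre-1.3 suites only are when they start with ECDHE-/DHE-/EDH-; plain
    RSA key transport (e.g. AES256-SHA) is not.
    """
    if tls_version == "TLSv1.3" or cipher_name.startswith("TLS_"):
        return True
    return cipher_name.startswith(_FS_PREFIXES)


def check_starttls(host, port=25, timeout=10, cafile=None, ciphers=None):
    """Connect, require STARTTLS, verify certificate and hostname, and report
    the protocol, cipher and forward-secrecy status.

    ssl.create_default_context() verifies the chain against the system (or
    given) CA store and checks the hostname, which is the part openssl
    s_client does not do for you.  `ciphers` mirrors s_client's -cipher
    option: hand over a list with FS suites last to see whether the server
    still prefers them.  A failed validation raises ssl.SSLError rather than
    silently continuing, which is the outcome you want surfaced.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if ciphers:
        ctx.set_ciphers(ciphers)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "starttls": False}
        smtp.starttls(context=ctx)   # raises on bad chain or name mismatch
        smtp.ehlo()                  # RFC 3207: re-issue EHLO after TLS
        name, version, bits = smtp.sock.cipher()
        return {
            "host": host,
            "starttls": True,
            "tls_version": version,
            "cipher": name,
            "bits": bits,
            "forward_secrecy": is_forward_secret(name, version),
        }


if __name__ == "__main__":
    import sys
    # usage: python check_starttls.py mx.example.com [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(check_starttls(target, target_port))
```

Run it against a mail server you operate; a `starttls: False` result means the EHLO response did not advertise STARTTLS at all, while a certificate or hostname problem shows up as an exception from the TLS handshake instead of a silently cleartext session.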


Here are several tools that give Qualys SSL Labs-like results and support STARTTLS:

  • testssl.sh (https://testssl.sh/)

    It's a command-line tool which checks a server's service on any port for the support of TLS/SSL ciphers and protocols, as well as recent cryptographic flaws and more. It's quite comprehensive, and a major advantage is that you can scan your intranet servers as well.

    e.g. ./testssl.sh -t smtp aspmx.l.google.com:25

  • HTBridge SSL test

    This web-based tool allows testing email and other ports.

    https://www.htbridge.com/ssl/

  • Cryptosense Discovery

    This tool allows scanning on any port. Default ports scanned: 21, 22, 25, 110, 143, 389, 443, 465, 587, 636, 993, 995, 5222, 5223, 5269.

    https://discovery.cryptosense.com/

Tags: smtp, tls