openssl to negotiate SSL encryption for STARTTLS

I'm using openssl to connect to an SMTP server normally (without encryption), send a STARTTLS command, negotiate the SSL encryption, and then interact with the encrypted session.

This is the command I'm using (through telnet):

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25

How can I ensure that TLS handshake was successful?

This is the sequence of commands used so far:

<< 220 example.com ESMTP ready
>> EHLO localhost
<< 250-smtp.mail.yahoo.com
<< 250-PIPELINING
<< 250-AUTH PLAIN LOGIN CRAM-MD5
<< 250 STARTTLS
>> STARTTLS
<< 220 2.0.0 Start TLS
>> openssl s_client -starttls smtp -crlf -connect 127.0.0.1:587
studying algorithms asked Feb 01 '13 05:02




1 Answer

You seem to be confusing a shell (where you type commands such as telnet or openssl) and the socket's protocol.

Using telnet to connect to a port for a protocol like SMTP is a quick hack that allows you to type in directly what you'd normally have to program if implementing a client for that protocol. It can work a little for text-based protocols but it has limitations. In particular, you'll have a hard time typing a TLS handshake this way: firstly, you probably won't be able to find the right keys on your keyboard for some of the bytes you need to send; secondly, you certainly won't be able to read what the server sends you. In short, this approach doesn't make any sense.

openssl s_client -starttls smtp -crlf -connect 127.0.0.1:587 already does what you're trying to do with telnet: it opens the connection to that server, sends the EHLO SMTP command, sends the STARTTLS SMTP command and then starts the handshake. The OpenSSL command itself is not part of the SMTP protocol at all and mustn't be sent on the SMTP socket. What you'll get when running this command should be similar to having your telnet session with the handshake already performed, since you should be able to use its standard input/output in the same way you would be able to with telnet.

This being said, using either telnet or openssl s_client to send SMTP commands is a debugging technique at best.

Bruno answered Oct 16 '22 14:10

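As an added example (not part of the question or the answer above), here is the same upgrade that openssl s_client -starttls smtp performs, written with the Python standard library so that the outcome of the handshake is checked in code instead of read off the screen: the client only proceeds if the server advertises STARTTLS, lets ssl verify the certificate and hostname during wrap_socket(), and reports the negotiated version and cipher. The host, port and the "localhost" EHLO name are assumptions; parse_reply() exists so the reply parser can be exercised on constructed replies without a server.

```python
import io, socket, ssl

def read_reply(rfile):
    """Read one SMTP reply (single or multi-line); return (code, text_lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed in the middle of a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":   # space after the code = last line
            return int(line[:3]), lines

def parse_reply(data: bytes):
    """Parse a reply already held in memory (used for offline checks)."""
    return read_reply(io.BytesIO(data))

def ehlo_keywords(lines):
    """EHLO keywords the server advertised (line 0 is its domain/greeting)."""
    return {l.split()[0].upper() for l in lines[1:] if l.strip()}

def starttls_session(host, port, ctx=None):
    """Plain SMTP -> STARTTLS -> verified TLS; returns what was negotiated."""
    ctx = ctx or ssl.create_default_context()   # verifies chain and hostname
    sock = socket.create_connection((host, port), timeout=10)  # host/port assumed
    rfile = sock.makefile("rb")
    code, _ = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {code}")
    sock.sendall(b"EHLO localhost\r\n")
    code, lines = read_reply(rfile)
    if code != 250 or "STARTTLS" not in ehlo_keywords(lines):
        # Fail closed: a stripped STARTTLS keyword is the classic downgrade trick.
        raise RuntimeError("server did not advertise STARTTLS")
    sock.sendall(b"STARTTLS\r\n")
    code, _ = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"STARTTLS refused: {code}")
    tls = ctx.wrap_socket(sock, server_hostname=host)  # handshake; bad cert raises
    tls.sendall(b"EHLO localhost\r\n")                 # RFC 3207: re-EHLO after TLS
    code, lines = read_reply(tls.makefile("rb"))
    tls.sendall(b"QUIT\r\n")
    info = {"version": tls.version(), "cipher": tls.cipher()[0], "ehlo_ok": code == 250, "subject": tls.getpeercert()["subject"]}
    tls.close()
    return info
```

If wrap_socket() returns at all, the handshake completed against a certificate that passed chain and hostname verification; an ssl.SSLError there, or the "did not advertise STARTTLS" error, is the negative answer to the question.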