Introduction
Ensuring your mail server’s SSL/TLS certificates are properly installed and verified is crucial for secure email communication. Here’s a comprehensive guide to help you verify these certificates using OpenSSL.
Verify IMAP via SSL using port 993
1. Connect to your mail server's IMAP port 993 using openssl:
# Use the openssl command
openssl s_client -showcerts -connect mail.cj2.nl:993 -servername mail.cj2.nl
2. Check the output of the openssl command for a valid certificate response:
CONNECTED(00000005)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.cj2.nl
verify return:1
3. Make sure your IMAP server returns the following response:
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] CJ2 mailserver greets you.
Verify POP3 via SSL using port 995
1. Connect to your mail server's POP3 port 995 using openssl:
# Use the openssl command
openssl s_client -showcerts -connect mail.cj2.nl:995 -servername mail.cj2.nl
2. Check the output of the openssl command for a valid certificate response:
CONNECTED(00000005)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.cj2.nl
verify return:1
3. Make sure your POP3 mail server returns the following response:
+OK CJ2 mailserver greets you.
Verify SMTP via SSL using port 465
1. Connect to your mail server's SMTP port 465 using openssl:
# Use the openssl command
openssl s_client -showcerts -connect mail.cj2.nl:465 -servername mail.cj2.nl
2. Check the output of the openssl command for a valid certificate response:
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.cj2.nl
verify return:1
3. Make sure your SMTP server returns the following response:
220 mail.cj2.nl ESMTP Postfix
Verify SMTP via TLS/StartTLS using port 25 or 587
1. Connect to your mail server's SMTP port 25 or 587:
# Port 25
# Use the openssl command
openssl s_client -starttls smtp -showcerts -connect mail.cj2.nl:25 -servername mail.cj2.nl
# Port 587
# Use the openssl command
openssl s_client -starttls smtp -showcerts -connect mail.cj2.nl:587 -servername mail.cj2.nl
2. Check the output of the openssl command for a valid certificate response:
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.cj2.nl
verify return:1
3. Make sure your SMTP server returns the following response:
250 SMTPUTF8
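The certificate check from step 2 of each section, as an added shell example that is not part of the original guide: by default s_client continues after a verification failure and still prints verify return:1, so the helper looks for verify error lines and checks that the leaf name covers the host. The function names and sample text are constructed for illustration, and matching on the subject CN from the depth=0 line is a simplification (clients match subjectAltName, which -verify_hostname checks on a live connection).

```shell
#!/bin/sh
# Added example (not from the original guide): judge `openssl s_client` output.
# Live use, assuming OpenSSL 1.1.0+ for -verify_hostname:
#   openssl s_client -connect mail.cj2.nl:993 -servername mail.cj2.nl \
#     -verify_hostname mail.cj2.nl </dev/null 2>&1 | check_chain mail.cj2.nl

# cn_matches HOST CN: exact match, or "*.domain" covering exactly one label.
cn_matches() {
    host=$1; cn=$2
    case $cn in
        "*."*)
            suffix=${cn#\*}            # "*.cj2.nl" -> ".cj2.nl"
            label=${host%"$suffix"}    # "mail.cj2.nl" -> "mail"
            [ "$label" != "$host" ] && [ -n "$label" ] || return 1
            case $label in *.*) return 1 ;; esac   # one label only
            return 0 ;;
        *) [ "$host" = "$cn" ] ;;
    esac
}

# check_chain HOST: read s_client output on stdin, print a verdict,
# return 0 only when the chain verified and the leaf CN covers HOST.
check_chain() {
    out=$(cat)
    # s_client keeps going after a failure and still prints "verify return:1",
    # so an explicit "verify error" line is the signal that matters.
    if printf '%s\n' "$out" | grep -q '^verify error:'; then
        echo "FAIL: chain verification error"; return 1
    fi
    if printf '%s\n' "$out" | grep '^verify return:' | grep -qv ':1$'; then
        echo "FAIL: a certificate did not verify"; return 1
    fi
    leaf=$(printf '%s\n' "$out" | sed -n 's/^depth=0 .*CN *= *//p' | head -n 1)
    [ -n "$leaf" ] || { echo "FAIL: no leaf certificate seen"; return 1; }
    cn_matches "$1" "$leaf" || { echo "FAIL: $leaf does not cover $1"; return 1; }
    echo "OK: $leaf verified for $1"
}

# Constructed samples modelled on the output shown in this guide.
SAMPLE_OK='depth=1 C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.cj2.nl
verify return:1'
SAMPLE_BAD='depth=0 CN = *.cj2.nl
verify error:num=20:unable to get local issuer certificate
verify return:1'
```

The same function works for ports 995 and 465, and for 25 or 587 when the -starttls smtp option from the commands above is kept.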
Conclusion
By following these steps, you can ensure your mail server’s SSL/TLS certificates are correctly installed and verified. Combining these checks with valid SPF, DKIM, DMARC, and reverse DNS records will enhance your email security and deliverability. If you encounter any issues or have feedback, feel free to leave a comment below.