How to verify your SSL/TLS Certificate for IMAP/POP3/SMTP with OpenSSL

Introduction

After installing an SSL/TLS certificate on your mail server you should check if it is correctly configured. The OpenSSL command offers a easy way to check and verify your certificate chain. For this guide to work your system needs to have the openssl or libressl library installed. All modern Linux servers or macOS system come out of the box with openssl or libressl. Having a correct and valid SSL certificate is important for a fully functional mail server. It also reduces the change the mail is flagged as spam mail.

Verify IMAP via SSL using port 993

Connect to your mail server IMAP port 995 using openssl:

# Use the openssl command
openssl s_client -showcerts -connect mail.cj2.nl:993 -servername mail.cj2.nl

Check the output of the openssl command for a valid certificate response:

CONNECTED(00000005)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.cj2.nl
verify return:1

Make sure your IMAP server returns the following response:

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] CJ2 mailserver greets you.

Verify POP3 via SSL using port 995

Connect to your mail server POP3 port 995 using openssl:

# Use the openssl command
openssl s_client -showcerts -connect mail.cj2.nl:995 -servername mail.cj2.nl

Check the output of the openssl command for a valid certificate response:

CONNECTED(00000005)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.cj2.nl
verify return:1

Make sure your POP3 mail server returns the following response:

+OK CJ2 mailserver greets you.

Verify SMTP via SSL using port 465

Connect to your mail server SMTP port 465 using openssl:

# Use the openssl command
openssl s_client -showcerts -connect mail.cj2.nl:465 -servername mail.cj2.nl

Check the output of the openssl command for a valid certificate response:

depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.cj2.nl
verify return:1

Make sure your SMTP server returns the following response:

220 mail.cj2.nl ESMTP Postfix

Verify SMTP via TLS/StartTLS using port 25 or 587

Connect to your mail server SMTP port 25 or 587:

# Port 25
# Use the openssl command
openssl s_client -starttls smtp -showcerts -connect mail.cj2.nl:25 -servername mail.cj2.nl

# port 587
# Use the openssl command
openssl s_client -starttls smtp -showcerts -connect mail.cj2.nl:587 -servername mail.cj2.nl

Check the output of the openssl command for a valid certificate response:

depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.cj2.nl
verify return:1

Make sure your SMTP server returns the following response:

250 SMTPUTF8

Conclusion

With the steps in this guide you can make sure your mail certificate is installed correctly. Combing the correctly installed certificated with a valid SPF, DKIM, DMARC and a valid reverse DNS name should insure your mail reaches it’s destination. I hope these commands helped you verify that the SSL/TLS certificate is installed correctly on your mail server.

Leave a Reply

Your email address will not be published.