Can you STARTTLS?

Email supports TLS (Transport Layer Security), what we used to call SSL.

Unlike the web, which split its TLS support off into a completely different protocol – https, listening on port 443 vs http listening on port 80 – SMTP implements it inside its non-encrypted protocol.

A mailserver advertises that it supports this by having the word “STARTTLS” in the banner it sends after you connect to it. Before you do much else you send the command “STARTTLS”. At this point the TCP connection to the mailserver stops speaking SMTP and is ready for the complex binary dance that is a TLS handshake. Once the negotiation of protocols and ciphers and session tokens is done, SMTP comes back. It looks just like it did before, but now it’s all being tunneled over a secure, encrypted TLS session.

Sometimes you want to find out a few more details about how a server supports TLS, e.g. when diagnosing why your smarthost that’s configured to support only TLS1.3 can’t connect to an older mailserver that doesn’t support anything higher than TLS1.2.

swaks

swaks is the SMTP Swiss Army knife that can automate pretty much any SMTP transaction.

We can use it to start a connection with STARTTLS:

swaks -tls --quit-after=STARTTLS --server mx.wordtothewise.com
=== Trying mx.wordtothewise.com:25...
=== Connected to mx.wordtothewise.com.
<-  220 mx.turscar.ie ESMTP Postfix (Debian/GNU)
 -> EHLO jijih.i.turscar.ie
<-  250-mx.turscar.ie
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
=== TLS no local certificate set
=== TLS peer DN="/CN=mx.turscar.ie"
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.

You can see it using STARTTLS to start the TLS handshake, followed by a nice summary of the TLS version and cipher used and the domain name the server’s TLS certificate is for (mx.turscar.ie here).

openssl

If you need more information than that, the openssl tool also supports talking SMTP with STARTTLS and, as a TLS-focused tool, it can provide far, far more information about the TLS certificate and connection in use.

openssl s_client -brief -starttls smtp -connect mx.wordtothewise.com:25
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = mx.turscar.ie
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Server Temp Key: X25519, 253 bits
250 CHUNKING

Now openssl is connected to the mailserver over TLS and you can enter SMTP commands to send mail by hand, or just type QUIT to exit.

If you need lots more information then you can run this without -brief to get the server TLS certificate itself, the certificate chain and lots more things you really don’t care about.
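To diagnose a version mismatch like the TLS1.3-only smarthost talking to a TLS1.2-only mailserver, the openssl command above can be repeated once per protocol version. The script below is an added example, not part of the original post: the function names are made up for illustration, and it assumes the -brief output format shown above and an openssl build that accepts the -tls1 to -tls1_3 flags (a flag the build lacks is reported as refused or unsupported).

```shell
#!/bin/sh
# Usage: sh this-script <mailserver> [port]   (port defaults to 25)

# Reduce `openssl s_client -brief` output (read from stdin) to
# "<protocol> <ciphersuite>". Prints nothing if no handshake summary
# is present, e.g. when the handshake failed.
tls_summary() {
    awk -F': ' '
        /^Protocol version:/ { proto = $2 }
        /^Ciphersuite:/      { cipher = $2 }
        END { if (proto != "") print proto, cipher }
    '
}

# Attempt one STARTTLS handshake restricted to a single protocol version.
# $1 = host, $2 = port, $3 = openssl version flag (e.g. -tls1_2)
# -brief writes its summary to stderr, hence the 2>&1.
probe_one() {
    echo QUIT | openssl s_client -brief -starttls smtp \
        -connect "$1:$2" "$3" 2>&1 | tls_summary
}

# Report each version as accepted (with the negotiated cipher) or not.
probe_versions() {
    host=$1
    port=${2:-25}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(probe_one "$host" "$port" "$flag")
        if [ -n "$result" ]; then
            echo "$flag accepted: $result"
        else
            echo "$flag refused or unsupported"
        fi
    done
}

# Only touch the network when a hostname is given on the command line.
if [ $# -ge 1 ]; then
    probe_versions "$@"
fi
```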
