Can you STARTTLS?

Email supports TLS (Transport Layer Security), what we used to call SSL.

Unlike the web, which split its TLS support off into a completely different protocol (https, listening on port 443, versus http on port 80), SMTP implements it inside its non-encrypted protocol.

A mailserver advertises that it supports this by including the keyword “STARTTLS” in the list of extensions it returns when you greet it with EHLO. Before you do much else you send the command “STARTTLS”. At this point the TCP connection to the mailserver stops speaking SMTP and is ready for the complex binary dance that is a TLS handshake. Once the negotiation of protocol version, ciphers and session keys is done, SMTP comes back. It looks just like it did before, but now it’s all being tunneled over a secure, encrypted TLS session.

Sometimes you want to find out a few more details about how a server supports TLS, e.g. when diagnosing why your smarthost that’s configured to support only TLS1.3 can’t connect to an older mailserver that doesn’t support anything higher than TLS1.2.

swaks

swaks is the SMTP Swiss army knife: it can automate pretty much any SMTP transaction.

We can use it to start a connection with STARTTLS:

swaks -tls --quit-after=STARTTLS --server mx.wordtothewise.com
=== Trying mx.wordtothewise.com:25...
=== Connected to mx.wordtothewise.com.
<-  220 mx.turscar.ie ESMTP Postfix (Debian/GNU)
 -> EHLO jijih.i.turscar.ie
<-  250-mx.turscar.ie
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
=== TLS no local certificate set
=== TLS peer DN="/CN=mx.turscar.ie"
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.

You can see it use STARTTLS to begin the TLS handshake, followed by a summary of the TLS version and cipher negotiated and the name the server’s TLS certificate was issued for (mx.turscar.ie here).

openssl

If you need more information than that, the openssl tool also supports talking SMTP with STARTTLS, and as a TLS-focused tool it can provide far, far more detail about the TLS certificate and connection in use.

openssl s_client -brief -starttls smtp -connect mx.wordtothewise.com:25
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = mx.turscar.ie
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Server Temp Key: X25519, 253 bits
250 CHUNKING

Now openssl is connected to the mailserver over TLS and you can enter SMTP commands to send mail by hand, or just type QUIT to exit.

If you need lots more information, run this without -brief to get the server’s TLS certificate itself, the certificate chain and lots more things you really don’t care about.
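The same EHLO/STARTTLS exchange the two tools perform, written out by hand so each step is visible, as an added example that is not part of the original post or of swaks/openssl. The function and option names, the helo name “probe.example” and the sample reply are my own; min_version lets you reproduce the TLS1.3-only smarthost problem from above.

```python
import socket
import ssl

# Constructed sample (abridged from the swaks transcript above), used by the offline check below.
SAMPLE_EHLO = ("250-mx.turscar.ie\r\n" "250-PIPELINING\r\n" "250-SIZE 10240000\r\n"
               "250-STARTTLS\r\n" "250 CHUNKING\r\n")

def read_reply(sock):
    """Read one whole SMTP reply; in a multi-line reply only the last line has a space after the code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = buf.decode("utf-8", "replace").split("\r\n")[:-1]  # drop the trailing partial piece
        if lines and len(lines[-1]) >= 4 and lines[-1][3] == " ":
            return "\r\n".join(lines) + "\r\n"

def loopback_reply(raw):
    """Offline exercise of read_reply: push raw bytes through a socketpair instead of a mailserver."""
    a, b = socket.socketpair()
    with a, b:
        a.sendall(raw.encode())
        return read_reply(b)

def parse_ehlo(reply):
    """Return (status code, [extension keywords]); the first line is the greeting, not an extension."""
    lines = [l for l in reply.split("\r\n") if l]
    return lines[0][:3], [l[4:].split(" ", 1)[0].upper() for l in lines[1:]]

def starttls_probe(host, port=25, min_version=ssl.TLSVersion.TLSv1_2, verify_name=True, helo="probe.example"):
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version  # TLSv1_3 here reproduces the smarthost failure described above
    ctx.check_hostname = verify_name   # False skips the name match but still validates the chain
    with socket.create_connection((host, port), timeout=15) as sock:
        if not read_reply(sock).startswith("220"):
            raise RuntimeError("no 220 greeting")
        sock.sendall(f"EHLO {helo}\r\n".encode())
        code, exts = parse_ehlo(read_reply(sock))
        if code != "250" or "STARTTLS" not in exts:
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(sock).startswith("220"):
            raise RuntimeError("server refused STARTTLS")
        # Same TCP connection, now speaking TLS; SMTP resumes inside the tunnel.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(kv for rdn in tls.getpeercert()["subject"] for kv in rdn)
            info = {"version": tls.version(), "cipher": tls.cipher()[0], "peer_cn": subject.get("commonName")}
            tls.sendall(b"QUIT\r\n")
            return info
```

Against the host in the transcripts, call starttls_probe("mx.wordtothewise.com", verify_name=False): the certificate names mx.turscar.ie, which Python rejects as a hostname mismatch while openssl s_client, which does not check the name by default, reports “Verification: OK”.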
