Can you STARTTLS?

Email supports TLS (Transport Layer Security), what we used to call SSL.

Unlike the web, which split it’s TLS support off into a completely different protocol – https, listening on port 443 vs http listening on port 80 – SMTP implements it inside it’s non-encrypted protocol.

A mailserver advertises that it supports this by having the word “STARTTLS” in the banner it sends after you connect to it. Before you do much else you send the command “STARTTLS”. At this point the tcp connection to the mailserver stops speaking SMTP and is ready for the complex binary dance that is a TLS handshake. Once the negotiation of protocols and ciphers and session tokens is done SMTP comes back. It looks just like it did before, but now it’s all being tunneled over a secure, encrypted TLS session.

Sometimes you want to find out a few more details about how a server supports TLS, e.g. when diagnosing why your smarthost that’s configured to support only TLS1.3 can’t connect to an older mailserver that doesn’t support anything higher than TLS1.2.

swaks

swaks is the smtp swiss army knife that can automate pretty much any SMTP transaction.

We can use it to start a connection with STARTTLS:

swaks -tls --quit-after=STARTTLS --server mx.wordtothewise.com
=== Trying mx.wordtothewise.com:25...
=== Connected to mx.wordtothewise.com.
<-  220 mx.turscar.ie ESMTP Postfix (Debian/GNU)
 -> EHLO jijih.i.turscar.ie
<-  250-mx.turscar.ie
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
=== TLS no local certificate set
=== TLS peer DN="/CN=mx.turscar.ie"
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.Code language: JavaScript (javascript)

You can see it using STARTTLS to start the TLS handshake, and a nice summary of the TLS version and ciphers used, and the domain name the servers TLS certificate is for (mx.turscar.ie here).

openssl

If you need more information than that then the openssl tool also supports talking SMTP with STARTTLS and as a TLS-focused tool it can provide far, far more information about the TLS certificate and connection in use.

openssl s_client -brief -starttls smtp -connect mx.wordtothewise.com:25
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = mx.turscar.ie
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Server Temp Key: X25519, 253 bits
250 CHUNKING

Now openssl is connected to the mailserver over TLS and you can enter SMTP commands to send mail by hand, or just type QUIT to exit.

If you need lots more information then you can run this without -brief to get the server TLS certificate itself, the certificate chain and lots more things you really don’t care about

Related Posts

What’s a bounce?

Bounces and bounce handling is one of those topics I’ve avoided writing about for a long time. Part of my avoidance is because there are decades of confusing terminology that hasn’t ever been really defined. Untangling that terminology is the first step to being able to talk sensibly about what to do. Instead of writing a giant long post, I can break it into smaller, more focused posts.

Read More

Sending email

I did a class at M3AAWG teaching the basic mechanics of sending an email, both really by hand using dig and netcat, and using SWAKS. No slides, but if you’re interested in the script I’ve posted a very rough copy of my working notes here.

Read More

SWAKS: the SMTP Swiss Army Knife

flash_m_laser_1200_900
SWAKS is a general purpose testing tool for SMTP. For basic SMTP testing it’s a more convenient, scriptable alternative to running a transaction by hand, but it also lets you test things that are difficult to do manually, such as authentication or TLS encryption.
It’s a perl script that installs fairly easily on OS X or any Linux/unix system (and can be installed on Windows, if you have perl installed there).
It’s pretty well documented, but it can be a bit overwhelming to start with. Here are some simple recipes:
Send a test email:

Read More