Email supports TLS (Transport Layer Security), what we used to call SSL.

Unlike the web, which split it’s TLS support off into a completely different protocol – https, listening on port 443 vs http listening on port 80 – SMTP implements it inside it’s non-encrypted protocol.

A mailserver advertises that it supports this by having the word “STARTTLS” in the banner it sends after you connect to it. Before you do much else you send the command “STARTTLS”. At this point the tcp connection to the mailserver stops speaking SMTP and is ready for the complex binary dance that is a TLS handshake. Once the negotiation of protocols and ciphers and session tokens is done SMTP comes back. It looks just like it did before, but now it’s all being tunneled over a secure, encrypted TLS session.

Sometimes you want to find out a few more details about how a server supports TLS, e.g. when diagnosing why your smarthost that’s configured to support only TLS1.3 can’t connect to an older mailserver that doesn’t support anything higher than TLS1.2.


swaks is the smtp swiss army knife that can automate pretty much any SMTP transaction.

We can use it to start a connection with STARTTLS:

swaks -tls --quit-after=STARTTLS --server
=== Trying
=== Connected to
<-  220 ESMTP Postfix (Debian/GNU)
 -> EHLO
<-  250-SIZE 10240000
<-  250-ETRN
<-  250-STARTTLS
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
=== TLS no local certificate set
=== TLS peer DN="/"
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.Code language: JavaScript (javascript)

You can see it using STARTTLS to start the TLS handshake, and a nice summary of the TLS version and ciphers used, and the domain name the servers TLS certificate is for ( here).


If you need more information than that then the openssl tool also supports talking SMTP with STARTTLS and as a TLS-focused tool it can provide far, far more information about the TLS certificate and connection in use.

openssl s_client -brief -starttls smtp -connect
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN =
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Server Temp Key: X25519, 253 bits

Now openssl is connected to the mailserver over TLS and you can enter SMTP commands to send mail by hand, or just type QUIT to exit.

If you need lots more information then you can run this without -brief to get the server TLS certificate itself, the certificate chain and lots more things you really don’t care about

About the author

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By steve

Recent Posts


Follow Us