How can I test inbound starttls with a given external IP address?

Summary

Testing inbound STARTTLS involves various methods, ranging from user-friendly online tools to command-line utilities that provide detailed control. Online tools like CheckTLS, MXToolbox, and Wormly offer easy checks. Command-line methods include OpenSSL's `s_client`, SWAKS, and manual Telnet connections. Nmap provides the `smtp-starttls.nse` script for automated testing. The core recommendation across many sources is to use OpenSSL with the command `openssl s_client -starttls smtp -connect your_server:25`. Certificate verification with `-verify 9` and analyzing server responses are important aspects of comprehensive testing.

Key findings

  • OpenSSL is Key: The `openssl s_client` command is a frequently cited and powerful tool for STARTTLS testing, allowing for deep inspection of the connection.
  • Online Tools Offer Convenience: CheckTLS, MXToolbox, and Wormly provide simpler, web-based alternatives for quick checks.
  • Manual Testing with Telnet: Telnet allows for manual interaction with the server, sending EHLO and STARTTLS commands to observe the server's behavior.
  • SWAKS as an Alternative: SWAKS can be used as an alternative to OpenSSL.

Key considerations

  • Certificate Verification: Always verify the server's certificate for trust and validity, using options like `-verify 9` in OpenSSL.
  • Level of Detail: Choose a testing method that provides the necessary level of detail, balancing ease-of-use with in-depth analysis capabilities.
  • Understanding Server Responses: Interpreting server responses during the STARTTLS negotiation process is essential to identify potential problems.
  • Nmap Automates: Nmap automates the check, but you still need to understand the process to use it effectively.
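
The manual EHLO / STARTTLS dialogue described above, scripted so it can target a specific IP address while still checking the certificate against the mail server's hostname. This is an added example, not code from any of the cited sources; `probe`, its parameters and the HELO name `probe.example.org` are assumptions, and the sample EHLO reply is constructed.

```python
import io, socket, ssl

# Constructed EHLO reply, used only to exercise the parser offline.
SAMPLE_EHLO = (b"250-mx.example.com Hello\r\n250-SIZE 52428800\r\n"
               b"250-STARTTLS\r\n250 8BITMIME\r\n")

def read_reply(stream):
    """Read one SMTP reply (possibly multi-line); return (code, text_lines)."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends
            return int(line[:3]), lines

def offers_starttls(ehlo_lines):
    """True if a capability line (not the greeting line) is exactly STARTTLS."""
    return any(l.strip().upper() == "STARTTLS" for l in ehlo_lines[1:])

def probe(ip, cert_name, port=25, helo="probe.example.org", timeout=10):
    """EHLO, STARTTLS, then a TLS handshake verified against cert_name."""
    result = {"starttls_offered": False, "tls": None, "cert_ok": None, "error": None}
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        read_reply(stream)                                # 220 greeting
        sock.sendall(f"EHLO {helo}\r\n".encode("ascii"))
        code, caps = read_reply(stream)
        result["starttls_offered"] = code == 250 and offers_starttls(caps)
        if not result["starttls_offered"]:
            return result
        sock.sendall(b"STARTTLS\r\n")
        code, text = read_reply(stream)
        if code != 220:                                   # e.g. 454 TLS not available
            result["error"] = f"STARTTLS refused: {code} {text[0]}"
            return result
        ctx = ssl.create_default_context()                # chain + hostname checks
        try:
            with ctx.wrap_socket(sock, server_hostname=cert_name) as tls:
                result["tls"], result["cert_ok"] = (tls.version(), tls.cipher()[0]), True
        except ssl.SSLCertVerificationError as exc:
            result["cert_ok"], result["error"] = False, exc.verify_message
    return result

if __name__ == "__main__":
    code, caps = read_reply(io.BytesIO(SAMPLE_EHLO))
    print(code, caps, offers_starttls(caps))
```

With OpenSSL, the same check against an IP needs the hostname supplied explicitly, for example `openssl s_client -starttls smtp -connect ip_address:25 -servername mail.example.com -verify_hostname mail.example.com -verify_return_error` (the hostname is a placeholder). `-verify 9` on its own reports chain errors but lets the handshake continue.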

What email marketers say
7 Marketer opinions

Testing inbound STARTTLS with a given external IP address can be achieved using various methods. Online tools like CheckTLS and MXToolbox offer automated checks. Command-line tools like OpenSSL and Telnet provide more granular control, allowing manual negotiation and inspection of the TLS handshake. OpenSSL's `s_client` command is frequently recommended with variations for certificate verification. Telnet involves manually connecting, sending EHLO, then STARTTLS, and observing the server's response.

Key opinions

  • Online Tools: CheckTLS, MXToolbox, and Wormly provide user-friendly interfaces for STARTTLS testing.
  • OpenSSL: The `openssl s_client` command with the `-starttls smtp` option is a powerful method for testing and diagnosing STARTTLS connections.
  • Telnet: Manual testing with Telnet involves connecting to port 25, issuing 'EHLO', and then 'STARTTLS' to observe the server's response.

Key considerations

  • Certificate Verification: When using OpenSSL, consider using the `-verify` option to check the validity of the server's certificate.
  • Granularity vs. Ease of Use: Online tools offer convenience, while command-line tools provide greater control and detailed information.
  • Server Response Analysis: Understanding the server's responses during the STARTTLS negotiation is crucial for identifying potential issues.
Marketer view

Email marketer from MXToolbox shares that MXToolbox offers a STARTTLS test tool where you can enter a domain name or IP address and it will check if the server supports and properly implements STARTTLS.

August 2023 - MXToolbox
Marketer view

Email marketer from Reddit explains that you can manually test STARTTLS using telnet by connecting to port 25, issuing the EHLO command, then the STARTTLS command, and observing the server's response to verify support.

October 2021 - Reddit
Marketer view

Email marketer from StackOverflow answers that you can use `openssl s_client -starttls smtp -connect example.com:25` to initiate a STARTTLS connection. Also use `-verify 9` to verify the certificate chain.

April 2022 - StackOverflow
Marketer view

Email marketer from CheckTLS.com shares that CheckTLS offers an online tool where you can enter a domain or IP address and it will test the STARTTLS connection, providing detailed results of the handshake process and any potential issues.

September 2022 - CheckTLS.com
Marketer view

Email marketer from cybersecurity.stackexchange explains the process of initiating a telnet connection, sending the 'EHLO' command, and then sending 'STARTTLS' to observe the server's response, which indicates STARTTLS support or failure.

November 2022 - cybersecurity.stackexchange
Marketer view

Email marketer from Wormly shares that they offer an online SMTP test tool that includes STARTTLS testing as part of its checks. It allows you to specify a server address and it will report on the STARTTLS negotiation.

July 2023 - Wormly
Marketer view

Email marketer from EmailSecurityGuru suggests using `openssl s_client -starttls smtp -connect mail.example.com:25` to check STARTTLS. They also explain how to check the certificate validity using openssl.

July 2021 - EmailSecurityGuru

What the experts say
3 Expert opinions

All provided answers recommend using OpenSSL's `s_client` command to test inbound STARTTLS. The command `openssl s_client -starttls smtp -connect your_server:25` is the base suggestion, allowing inspection of ciphers and other details. Removing the `-brief` flag provides even more information. Word to the Wise provides context around the command and interprets results.

Key opinions

  • OpenSSL s_client: `openssl s_client -starttls smtp -connect your_server:25` is the primary recommended tool.
  • Information Detail: Removing `-brief` provides a more verbose output of the STARTTLS handshake.

Key considerations

  • Understanding Output: Interpreting the output from OpenSSL requires some technical knowledge; resources like the Word to the Wise article provide helpful context.
  • Verbosity: Balance the need for detailed information with the readability of the output by choosing whether or not to use `-brief`.
Expert view

Expert from Email Geeks shares that if you need more info than swaks gives you, then you can use `openssl s_client -brief -starttls smtp -connect ip_address:25` to get detailed information about the ciphers used and so on. Removing `-brief` will give you far more information.

October 2021 - Email Geeks
Expert view

Expert from Email Geeks provides an example of using openssl to test inbound starttls. They also link to a resource with further information <https://wordtothewise.com/2023/10/can-you-starttls/>.

June 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that you can use `openssl s_client -starttls smtp -connect your_server:25` to test STARTTLS. The article provides context around the command, and what the results mean.

April 2022 - Word to the Wise

What the documentation says
3 Technical articles

The provided documentation references three tools for testing inbound STARTTLS: SWAKS, OpenSSL's `s_client`, and Nmap's `smtp-starttls.nse` script. SWAKS uses the `--server` and `--tls` options. OpenSSL's `s_client` uses the `-starttls smtp` option. Nmap utilizes a dedicated NSE script to automatically test STARTTLS support.

Key findings

  • Multiple Tools: Various tools exist for STARTTLS testing, including SWAKS, OpenSSL, and Nmap.
  • SWAKS Options: SWAKS leverages the `--server` and `--tls` options for STARTTLS testing.
  • OpenSSL Option: OpenSSL's `s_client` utilizes the `-starttls smtp` option to initiate the STARTTLS handshake.
  • Nmap Script: Nmap provides the `smtp-starttls.nse` script for automated STARTTLS testing.

Key considerations

  • Tool Selection: Choose the appropriate tool based on the desired level of control, automation, and available system resources.
  • Syntax and Options: Familiarize yourself with the specific syntax and options required by each tool for effective STARTTLS testing.
  • Interpretation of Results: Understand how to interpret the results provided by each tool to accurately assess STARTTLS support and configuration.
Technical article

Documentation from Jetmore.org explains that SWAKS (Swiss Army Knife for SMTP) can be used to test STARTTLS by specifying the server address and port with the `--server` option, and enabling TLS with `--tls`. It also details options for specifying the TLS version.

September 2024 - Jetmore.org
Technical article

Documentation from Nmap explains that the `smtp-starttls.nse` script can be used to check if a mail server supports STARTTLS. The script attempts to negotiate a STARTTLS connection and reports if it succeeds or fails.

February 2025 - Nmap
Technical article

Documentation from OpenSSL explains that `openssl s_client` can be used to test STARTTLS by connecting to the server and initiating the STARTTLS handshake with the `-starttls smtp` option. It provides detailed information about the TLS connection, including the cipher suite and certificate details.

July 2021 - OpenSSL