  • Is there an easy way to test an SMTP server to check for configuration issues associated with STARTTLS encryption, and report on whether it has been configured properly so that email will be encrypted using STARTTLS?

    Think of the Qualys SSL server tester as an analogy: it is a great tool to quickly check a webserver to see whether use of SSL has been properly configured, and identify opportunities for improving the configuration to provide stronger encryption. It knows how to recognize many common configuration errors and gives a grade. Is there anything like that for STARTTLS on SMTP servers?

    In particular, given a SMTP server, I would like to tell:

    1. whether it supports STARTTLS,
    2. whether its STARTTLS configuration has been set up properly so that email with other major email providers will end up being encrypted,
    3. whether it supports perfect forward secrecy and whether it is configured so that the perfect forward secrecy ciphersuites will be used in practice (where possible),
    4. whether it provides a suitable certificate that will pass strict validation checks,
    5. whether it has any other configuration errors.

    How can I do this?

    Facebook and Google have recently highlighted the state of STARTTLS usage on the Internet and called for server operators to enable STARTTLS and configure it appropriately so that email will be encrypted while in transit. Are there easy-to-use tools to support this goal?

    Here are several websites that provide tests that you may be interested in.

    • SSL-Tools is a web-based tool that tests a SMTP server for each of the items you mentioned; it tests for STARTTLS support, a certificate that passes strict validation checks, support for perfect forward secrecy, and other stuff:


    • StartTLS is a web-based tool that tests a SMTP server and provides a simple grade, along with many details on the configuration of the SMTP server (though no testing of whether perfect forward secrecy is used):

      https://starttls.info/ (see the about page for information about the service, or statistics about sites checked with their service)

    • CheckTLS is a web-based tool that provides a way to test a SMTP server for STARTTLS support as well as whether the certificate is "ok" (i.e., it passes strict validation) and partial information on what cipher was negotiated when they connected to that SMTP server (but no information about perfect forward secrecy support):


    • The following web-based tools check whether a SMTP server supports STARTTLS, but do not perform any of the other checks mentioned in the question:

    If you have to check only one or two, try SSL-Tools and StartTLS.
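The checks listed in the question can also be run locally against a server you operate. The following is an added example, not part of the original answer and not the code of any of the tools named above; the function names `probe`, `problems` and `has_forward_secrecy` and the HELO name `probe.example` are hypothetical. It assumes outbound TCP port 25 is reachable, and it reports only what this client's TLS library negotiates, which may differ from what another provider's mail server would negotiate.

```python
import smtplib
import ssl

# Modern Python defaults refuse these, so they show up only with older clients.
OBSOLETE = ("SSLv3", "TLSv1", "TLSv1.1")

def has_forward_secrecy(cipher, version):
    # TLS 1.3 suites are always ephemeral; older versions need (EC)DHE key exchange.
    return version == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-"))

def problems(report):
    """Map a probe() report to a list of findings; an empty list means none found."""
    if not report["starttls"]:
        return ["STARTTLS not advertised"]
    found = []
    if report["cert_error"]:
        found.append("certificate fails strict validation: " + report["cert_error"])
    if report["version"] in OBSOLETE:
        found.append("obsolete protocol negotiated: " + report["version"])
    if not has_forward_secrecy(report["cipher"], report["version"]):
        found.append("no forward secrecy with negotiated cipher: " + report["cipher"])
    return found

def probe(host, port=25, helo="probe.example", timeout=15):
    """Connect, issue STARTTLS, and record what this client negotiated."""
    report = {"starttls": False, "cert_error": None, "version": None, "cipher": None}
    for strict in (True, False):  # second pass skips validation to still see the cipher
        ctx = ssl.create_default_context()  # strict: chain and hostname are verified
        if not strict:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        smtp = smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout)
        try:
            smtp.ehlo()
            report["starttls"] = smtp.has_extn("starttls")
            if not report["starttls"]:
                break
            smtp.starttls(context=ctx)
            report["version"] = smtp.sock.version()
            report["cipher"] = smtp.sock.cipher()[0]
            break
        except ssl.SSLCertVerificationError as exc:
            report["cert_error"] = exc.verify_message  # retry without validation
        finally:
            smtp.close()
    return report

if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1])  # pass the MX hostname of the server to test
    print(result, problems(result) or "no problems found")
```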

    StartTLS does not appear to be in service. SSL-Tools and CheckTLS both still work, although they both don't recognize Letsencrypt certificates as legitimate.

    Both SSL-Tools and CheckTLS recognize my Letsencrypt certificates. I thought they didn't, but it turns out I hadn't configured the server correctly (with Postscript I had configured the SMTPD TLS settings, but not the SMTP settings).

