In this article, we will check whether a STARTTLS certificate is valid using the openssl command-line client. Depending on the version of openssl installed, the output differs a little, so if the first command prints nothing, we try the other one:
echo Q|openssl s_client -connect mail.alfaexploit.com:25 -starttls smtp 2>/dev/null|grep 'Verification:'
echo Q|openssl s_client -connect mail.alfaexploit.com:25 -starttls smtp 2>/dev/null|grep 'Verify return code:'
Depending on the version, the output will be one of the following:
Verification: OK
Verify return code: 0 (ok)
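As an added example (not from the original article), a small POSIX shell wrapper around the same openssl command that works with either output format: it parses the "Verify return code" line into a pass/fail result and an exit status, so the check can be run from a script or a monitoring job. The host, port and optional CA-file arguments are this wrapper's own assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code: script the STARTTLS certificate
# check from the article and turn the s_client output into an exit status.

# parse_verify_output: read s_client output on stdin, print "OK" or the
# failure reason, and return 0 (verified), 1 (verification failed) or
# 2 (no verification line at all, e.g. STARTTLS refused or connect failed).
parse_verify_output() {
    out=$(cat)
    # Newer OpenSSL adds "Verification: OK"; every version prints the
    # "Verify return code: N (text)" line, so that is the one we parse.
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^ *Verify return code: \([0-9]*\) (\([^)]*\)).*$/\1 \2/p' \
        | head -n 1)
    if [ -z "$code" ]; then
        printf 'no verification result (STARTTLS refused or connection failed?)\n'
        return 2
    fi
    num=${code%% *}     # numeric X509 verify result, 0 means ok
    text=${code#* }     # human-readable reason from the parentheses
    if [ "$num" = "0" ]; then
        printf 'OK\n'
        return 0
    fi
    printf 'FAIL (%s: %s)\n' "$num" "$text"
    return 1
}

# check_starttls_cert HOST [PORT] [CAFILE]: run the article's openssl command
# and feed it to the parser. Without CAFILE openssl uses its default trust
# store; pass one when the default store is missing on the checking host.
check_starttls_cert() {
    host=$1; port=${2:-25}; cafile=$3
    if [ -n "$cafile" ]; then
        echo Q | openssl s_client -connect "$host:$port" -starttls smtp \
            -CAfile "$cafile" 2>/dev/null | parse_verify_output
    else
        echo Q | openssl s_client -connect "$host:$port" -starttls smtp \
            2>/dev/null | parse_verify_output
    fi
}

# Usage (network required): check_starttls_cert mail.alfaexploit.com 25
```

The return code only reflects the certificate chain; newer openssl versions also accept -verify_hostname "$host" on the s_client command to check that the certificate actually matches the mail server's name.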
If we have problems, one way to check whether the server supports STARTTLS at all is to connect with telnet and look for STARTTLS in the EHLO response:
telnet mail.alfaexploit.com 25
Trying 86.127.243.30...
Connected to mail.alfaexploit.com.
Escape character is '^]'.
220 DrWho.alfaexploit.com ESMTP Sendmail 8.16.1/8.16.1; Fri, 20 May 2022 08:47:25 +0200 (CEST)
ehlo mail.alfaexploit.com
250-DrWho.alfaexploit.com Hello mail.alfaexploit.com [86.127.243.30], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
quit
Connection closed by foreign host.