Can you STARTTLS?

Email supports TLS (Transport Layer Security), what we used to call SSL.

Unlike the web, which split it’s TLS support off into a completely different protocol – https, listening on port 443 vs http listening on port 80 – SMTP implements it inside it’s non-encrypted protocol.

A mailserver advertises that it supports this by having the word “STARTTLS” in the banner it sends after you connect to it. Before you do much else you send the command “STARTTLS”. At this point the tcp connection to the mailserver stops speaking SMTP and is ready for the complex binary dance that is a TLS handshake. Once the negotiation of protocols and ciphers and session tokens is done SMTP comes back. It looks just like it did before, but now it’s all being tunneled over a secure, encrypted TLS session.

Sometimes you want to find out a few more details about how a server supports TLS, e.g. when diagnosing why your smarthost that’s configured to support only TLS1.3 can’t connect to an older mailserver that doesn’t support anything higher than TLS1.2.

swaks

swaks is the smtp swiss army knife that can automate pretty much any SMTP transaction.

We can use it to start a connection with STARTTLS:

swaks -tls --quit-after=STARTTLS --server mx.wordtothewise.com
=== Trying mx.wordtothewise.com:25...
=== Connected to mx.wordtothewise.com.
<-  220 mx.turscar.ie ESMTP Postfix (Debian/GNU)
 -> EHLO jijih.i.turscar.ie
<-  250-mx.turscar.ie
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
=== TLS no local certificate set
=== TLS peer DN="/CN=mx.turscar.ie"
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.Code language: JavaScript (javascript)

You can see it using STARTTLS to start the TLS handshake, and a nice summary of the TLS version and ciphers used, and the domain name the servers TLS certificate is for (mx.turscar.ie here).

openssl

If you need more information than that then the openssl tool also supports talking SMTP with STARTTLS and as a TLS-focused tool it can provide far, far more information about the TLS certificate and connection in use.

openssl s_client -brief -starttls smtp -connect mx.wordtothewise.com:25
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = mx.turscar.ie
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Server Temp Key: X25519, 253 bits
250 CHUNKING

Now openssl is connected to the mailserver over TLS and you can enter SMTP commands to send mail by hand, or just type QUIT to exit.

If you need lots more information then you can run this without -brief to get the server TLS certificate itself, the certificate chain and lots more things you really don’t care about

Related Posts

SWAKS: the SMTP Swiss Army Knife

flash_m_laser_1200_900
SWAKS is a general purpose testing tool for SMTP. For basic SMTP testing it’s a more convenient, scriptable alternative to running a transaction by hand, but it also lets you test things that are difficult to do manually, such as authentication or TLS encryption.
It’s a perl script that installs fairly easily on OS X or any Linux/unix system (and can be installed on Windows, if you have perl installed there).
It’s pretty well documented, but it can be a bit overwhelming to start with. Here are some simple recipes:
Send a test email:

Read More

Life of an Email

I’m repeating the presentation I gave at M3AAWG in London for the Certified Senders Alliance.

It’s all about how to send an email by hand, and how knowing the mechanics of how an email is sent can help us diagnose email delivery issues.

We’re starting in about five hours from when I post this.

Register at https://register.gotowebinar.com/register/2268789893122531343

Read More

The history of email

My first access to “the internet” was through a dialup modem on a VAX at the FDA. I was a summer intern there through my college career and then worked full time after graduation and before grad school. My email address ended in .bitnet. I could mail some places but not others. One of the places I couldn’t send mail was to my friends back on campus.
A few of those friends were computer science majors, so one weekend they tried to help me troubleshoot things. . There were text files that they ended up searching through looking up how to send mail from .bitnet to .edu. But it was all a baffling experience. Why couldn’t it just work? I had email, they had email, why could we not talk?
I never did figure out how to send email to campus from .bitnet.
Eventually, the FDA moved from BITNET to the internet and I had a .gov address. I could send mail around just by getting the recipients’s address. But the mystery of why I could mail some .edus and not others still lingers. I wonder what our setup was that we couldn’t send mail. I’ll probably never know. I don’t even have enough details to explain the problem to someone who would know. I suspect the answer will be “bang paths” or “host.txt” files, but I really don’t know.

Read More