Vérifier qu’un serveur de courrier électronique supporte TLS

Vérifier qu’un serveur de courrier électronique supporte TLS

Pour cela on utilise la commande openssl :

 openssl s_client -connect mon-serveur.domaine.fr:25 -starttls smtp

Exemple quand cela fonctionne

 dready ~  openssl s_client -connect mail.lamanum.fr:25 -starttls smtp
CONNECTED(00000003)
depth=0 description = DXpFmp334lp4VEei, C = FR, ST = Provence-Alpes-Cote dAzur, L = Marseille, O = Samuel Chabert, CN = mail.lamanum.fr, emailAddress = postmaster@lamanum.fr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = DXpFmp334lp4VEei, C = FR, ST = Provence-Alpes-Cote dAzur, L = Marseille, O = Samuel Chabert, CN = mail.lamanum.fr, emailAddress = postmaster@lamanum.fr
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = DXpFmp334lp4VEei, C = FR, ST = Provence-Alpes-Cote dAzur, L = Marseille, O = Samuel Chabert, CN = mail.lamanum.fr, emailAddress = postmaster@lamanum.fr
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=DXpFmp334lp4VEei/C=FR/ST=Provence-Alpes-Cote dAzur/L=Marseille/O=Samuel Chabert/CN=mail.lamanum.fr/emailAddress=postmaster@lamanum.fr
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGvjCCBaagAwIBAgIDAhCTMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MiBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQwNDA5MTM0ODU4
WhcNMTYwNDA4MTYwMDA5WjCBuTEZMBcGA1UEDRMQRFhwRm1wMzM0bHA0VkVlaTEL
MAkGA1UEBhMCRlIxIjAgBgNVBAgTGVByb3ZlbmNlLUFscGVzLUNvdGUgZEF6dXIx
EjAQBgNVBAcTCU1hcnNlaWxsZTEXMBUGA1UEChMOU2FtdWVsIENoYWJlcnQxGDAW
BgNVBAMTD21haWwubGFtYW51bS5mcjEkMCIGCSqGSIb3DQEJARYVcG9zdG1hc3Rl
ckBsYW1hbnVtLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs8QM
CsBBtlYcKaLtuMQ77S/nzmu3iXYgreFyJx8aW0ef7eMSg3lgmCYiyAh9wXOCZsbl
rI3zUuNMRMEpZyiidzngAtfwxljt1HInYKUuO/mA7rkj5znpZL0mQb8vqfMAx+g+
Nm9pipsU+pqmhreEden87NFn0cbbcMEZHKC2tGBfuyjrBwTaEjL93oLLyPbUE5PB
t9EfkNBeA9RPmN9xL78brv2y9lVWMKF+/EQ3NdaLQyF03qbL5ZcHHEWYXb0wuBlI
Jl4he6qZl12ThYDfO6gegC4heuXdRUhab2p4MBfjXpNrOXC84bR6hWsHAQG14NyZ
MjiMi6yRHJJOYPL3gwIDAQABo4IC+DCCAvQwCQYDVR0TBAIwADALBgNVHQ8EBAMC
A6gwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBQIt25g
NtU22vr4LqTHItcIulGZxzAfBgNVHSMEGDAWgBQR2yNF/VTManFvhIoD1773AS8m
hjA0BgNVHREELTArgg9tYWlsLmxhbWFudW0uZnKCCmxhbWFudW0uZnKCDCoubGFt
YW51bS5mcjCCAVYGA1UdIASCAU0wggFJMAgGBmeBDAECAjCCATsGCysGAQQBgbU3
AQIDMIIBKjAuBggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9s
aWN5LnBkZjCB9wYIKwYBBQUHAgIwgeowJxYgU3RhcnRDb20gQ2VydGlmaWNhdGlv
biBBdXRob3JpdHkwAwIBARqBvlRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBh
Y2NvcmRpbmcgdG8gdGhlIENsYXNzIDIgVmFsaWRhdGlvbiByZXF1aXJlbWVudHMg
b2YgdGhlIFN0YXJ0Q29tIENBIHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhl
IGludGVuZGVkIHB1cnBvc2UgaW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBw
YXJ0eSBvYmxpZ2F0aW9ucy4wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5z
dGFydHNzbC5jb20vY3J0Mi1jcmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsG
AQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMi9zZXJ2
ZXIvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRz
L3N1Yi5jbGFzczIuc2VydmVyLmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3
LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQADggEBACn/72i15IDFa/OaKvET
Fuu/v3jnGAWO3PfbuWytqlqOocPFPMtXUrV9o7ER+NWykar6XG8MWii7k9in+Dsv
UkYswYSkdALg11pwcBOp5wWsZ873e3UyYEfWg/Zua1yzOW6ns4GCLML4e085YdmH
KVCC0NpQT/K7ALOS9zxwXq/Ws8x0TaI70OIN4+Fi7z4a0+6VWYOrzMu0AGq60IwU
tDibzwGduTYpYb4UcCMcvI0KDWThbME3yEkg30h2Sienem5YTAJbdpj/Sfask8d0
YnShrm1SnXWP0tj6nV3W5ZOsJk/uo0v2TRwgna3iKWcy2OHnOjGtUW1G/ZkkF1jb
FqU=
-----END CERTIFICATE-----
subject=/description=DXpFmp334lp4VEei/C=FR/ST=Provence-Alpes-Cote dAzur/L=Marseille/O=Samuel Chabert/CN=mail.lamanum.fr/emailAddress=postmaster@lamanum.fr
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2595 bytes and written 478 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3E2ED7616211DFD1F7B2F1099C1794E207F54C64BEE45DC9C56E0F480D224A1A
    Session-ID-ctx: 
    Master-Key: AE56D45679F8323C012AF82EBA421A0414C77B85DF7AE3E661D7ECE5E596C0B5F465FB129E20692235A8138D507805BD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 4f cc bc d9 66 e2 36 6d-1b d5 08 44 b1 d6 72 d9   O...f.6m...D..r.
    0010 - 4b 8e a4 64 8b 3e 1e 8f-e8 fb 5a b7 6f 08 c2 5b   K..d.>....Z.o..[
    0020 - c5 33 72 e6 b8 25 12 05-0f 26 d5 da be 0d 10 94   .3r..%...&......
    0030 - ea 33 33 5c 3a 75 8b a9-88 0e 57 ad 7f 7f e6 97   .33\:u....W.....
    0040 - fd 28 89 4b 0e 3f d2 a6-b6 7b 44 b0 33 e3 cd f3   .(.K.?...{D.3...
    0050 - f8 3a 86 1b 77 9f 61 a8-5e c0 4a a1 8e 4e c3 72   .:..w.a.^.J..N.r
    0060 - d1 96 e6 7d a4 8b ac 18-1a c8 91 20 d8 02 db 6b   ...}....... ...k
    0070 - 41 07 c8 21 a0 98 14 08-de c5 99 99 0a d2 11 9d   A..!............
    0080 - 17 1a 0f cc 00 d8 9d 2f-30 8e 5a 33 73 f3 a7 ea   ......./0.Z3s...
    0090 - de 05 39 db d7 a5 89 1e-29 f9 7c a7 7d 19 90 62   ..9.....).|.}..b
    00a0 - d1 5a 24 b8 09 e2 ad 2f-c9 7b b8 d0 38 b8 9d 2e   .Z$..../.{..8...

    Compression: 1 (zlib compression)
    Start Time: 1420723141
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN
^C

Exemple quand cela ne fonctionne pas

➜ dready ~  openssl s_client -connect mail.lamanum.fr:25 -starttls smtp
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
140622643488424:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:774:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 196 bytes and written 343 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---