84

We have an Exchange 2007 server running on Windows Server 2008. Our client uses another vendor's mail server. Their security policies require us to use enforced TLS. This was working fine until recently.

Now, when Exchange tries to deliver mail to the client's server, it logs the following:

A secure connection to domain-secured domain 'ourclient.com' on connector 'Default external mail' could not be established because the validation of the Transport Layer Security (TLS) certificate for ourclient.com failed with status 'UntrustedRoot'. Contact the administrator of ourclient.com to resolve the problem, or remove the domain from the domain-secured list.

Removing ourclient.com from the TLSSendDomainSecureList causes messages to be delivered successfully using opportunistic TLS, but this is a temporary workaround at best.

The client is an extremely large, security-sensitive international corporation. Our IT contact there claims to be unaware of any changes to their TLS certificate. I have asked him repeatedly to please identify the authority that generated the certificate so that I can troubleshoot the validation error, but so far he has been unable to provide an answer. For all I know, our client could have replaced their valid TLS certificate with one from an in-house certificate authority.

Does anyone know a way to manually inspect a remote SMTP server's TLS certificate, as one can do for a remote HTTPS server's certificate in a web browser? It could be very helpful to determine who issued the certificate and compare that information against the list of trusted root certificates on our Exchange server.

Skyhawk

3 Answers

143

You can use OpenSSL. If you have to check the certificate with STARTTLS, then just do

openssl s_client -connect mail.example.com:25 -starttls smtp

or for a standard secure smtp port:

openssl s_client -connect mail.example.com:465
Skyhawk
Dan Andreatta
9

I know this is an old question, but still a relevant question even today for admins wishing to confirm the SSL Certificate validity on their email servers.

You could visit https://www.checktls.com and run the test for free.

Ketan Patel
  • I'm having trouble finding the test on the site. Any pointers? – Zero3 Jun 26 '17 at 09:45
  • There is an input box in the section 'Internet Secure Email is Easy' with the button 'CheckTLS' in black color. – Ketan Patel Jun 29 '17 at 11:06
  • @KetanPatel Aaaand... Where do I find the 'Internet Secure Email is Easy' section? – Zero3 Nov 22 '18 at 01:40
  • Shame, this seems to check the domain for the SMTP servers listed in DNS and query those, but I wanted to check the server directly. – kerridge0 Jan 09 '19 at 16:19
6

If you don't have OpenSSL, you can also use this Python snippet:

import smtplib
import ssl

# Connect on port 25, upgrade the session with STARTTLS and dump the leaf
# certificate as PEM. smtplib's default STARTTLS context does not validate the
# server certificate, so this works even when the chain is untrusted.
connection = smtplib.SMTP()
connection.connect('[hostname]', 25)
connection.starttls()
print(ssl.DER_cert_to_PEM_cert(connection.sock.getpeercert(binary_form=True)))
connection.quit()

where [hostname] is the server.

Source: https://support.google.com/a/answer/6180220

This pulls the OpenSSL library for you, which makes the install a bit easier.

browly