How to Verify SMTP Server SSL/TLS Configuration and Enable It on CentOS


2 views

When working with email servers, there are three main encryption approaches:

  • Unencrypted SMTP (port 25) - No encryption at all
  • STARTTLS (port 587) - Opportunistic encryption upgrade
  • SMTPS (port 465) - Implicit TLS encryption

1. Using Telnet or OpenSSL

The most reliable way is to connect directly to the server:

openssl s_client -connect mail.example.com:465 -quiet

For STARTTLS (port 587):

openssl s_client -starttls smtp -connect mail.example.com:587 -quiet

2. Testing with Python Script

import smtplib

try:
    with smtplib.SMTP_SSL('mail.example.com', 465) as server:
        print("SSL/TLS connection successful")
except Exception as e:
    print(f"Connection failed: {str(e)}")

1. Install Required Packages

yum install postfix cyrus-sasl cyrus-sasl-plain openssl

2. Generate SSL Certificates

openssl req -new -x509 -nodes -out /etc/postfix/smtpd.cert \
-keyout /etc/postfix/smtpd.key -days 3650

3. Configure Postfix

Edit /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

After making changes, test your setup:

postfix check
systemctl restart postfix
telnet localhost 25
EHLO localhost

Look for STARTTLS in the response. For SMTPS (port 465), you should see immediate SSL negotiation.

When working with email systems, verifying SMTP server SSL/TLS support is crucial for secure communication. This guide covers both detection methods and configuration steps for CentOS systems.

Here are three reliable methods to verify SSL/TLS support:

Method 1: Using Telnet with STARTTLS

telnet your.smtp.server 25
EHLO example.com

Look for "STARTTLS" in the server response. If present, the server supports TLS encryption.

Method 2: Using OpenSSL Client

openssl s_client -connect your.smtp.server:465 -quiet

For port 587 (submission with STARTTLS):

openssl s_client -starttls smtp -connect your.smtp.server:587 -quiet

Method 3: Using Python Script

import smtplib

try:
    server = smtplib.SMTP_SSL('your.smtp.server', 465)
    print("SSL/TLS supported on port 465")
    server.quit()
except:
    print("No SSL support on port 465")

try:
    server = smtplib.SMTP('your.smtp.server', 587)
    server.starttls()
    print("STARTTLS supported on port 587")
    server.quit()
except:
    print("No STARTTLS support on port 587")

If your SMTP server lacks SSL/TLS support, follow these steps to enable it:

Step 1: Install Required Packages

sudo yum install postfix openssl -y

Step 2: Generate SSL Certificates

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/postfix/smtpd.key -out /etc/postfix/smtpd.crt

Step 3: Configure Postfix

Edit /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/postfix/smtpd.crt
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

Step 4: Open Firewall Ports

sudo firewall-cmd --permanent --add-port=465/tcp
sudo firewall-cmd --permanent --add-port=587/tcp
sudo firewall-cmd --reload

Step 5: Restart Postfix

sudo systemctl restart postfix

After configuration, retest using the methods mentioned earlier to verify SSL/TLS is properly enabled.

  • Consider implementing TLS 1.2 or higher only
  • Disable weak ciphers in your configuration
  • Regularly renew your SSL certificates
  • Monitor logs for any TLS-related errors